Vous êtes sur la page 1sur 59

Workshop Technical Manual

HACKENG
Workshop Technical Manual

Liability Disclaimer

The information Provided in this manual is to be used for educational purpose only. The
author is in no way responsible for any misuse of the information provided in this
manual. All of the information in this manual is meant to help the reader develop a
hacker defense attitude in order to prevent the attacks discussed. In no way should you
use the information in this manual to cause any kind of damage directly or indirectly. The
word hack or hacking in this manual should be regarded as Ethical hack or Ethical
hacking respectively.

YOU IMPLIEMENT THE INFORMATION GIVEN AT YOUR OWN RISK

HACKENG
Workshop Technical Manual

Acknowledgement

To Almighty whom I always ask for forgivness.

To Achan (Dad) and Amma (Mom) who has taught me many things than I ever learned
form a classroom.

To Sector X ( My partner in crime :-) . The one beside me when we were diving into the
unknown worlds of internet.

To My sister who has made cups of tea till I finished this book.

To the open source community, Without the tireless efforts of open source developers,
programs like Nmap, Metasploit, Hydra would not exist.

To Linus Trovalds and Richard stallman who gave us a wonderful OS.

To Kevin mitnik who inspired us.

To Anonymous to give us a mask

And last but not least to our Captain Crunch (John Draper) where it all began...

Karthik

HACKENG
Workshop Technical Manual

Anyone who can only think of one way to spell a word obviously lacks imagination.
Mark Twain

HACKENG
Workshop Technical Manual

About Us

HACKENG is a registered firm. We impart hi-technology training to students and


young proffessionals in niche areas such as Information Security & Ethical Hacking, Linux
Administration, Linux shell programming, Android Application Development , Java-SE7
Programming, Object-Oriented Analysis and Design Using UML and other emerging
technologies. We also offer Diploma programs in English, Personality development
programs and Journalism Course.

HACKENG
#19, Rahman's Grace, 4th Floor, Mosque Road, Frazer Town, Bangalore-560005
Tel : 080 32320105
Mob : +91 767 646 8636, +91 7829 020 105
www.hackeng.in
fb: www.facebook.com/hackengbglr

HACKENG
Workshop Technical Manual

Contents

Information Security

Mirroring a website.

Enumerating Websites

Gathering email accounts.

Recovering lost data.

Scanning for loopholes.

Cracking Windows login.

Cracking ftp/ssh login.

Hacking into Windows and droping a shell.

Exploiting using web browser vulnerablity.

Remote keystroke logging

Tampering files of a compromised system.

Gaining access using malicious pdf.

Hacking linux.

Hacking facebook login details.

HACKENG
Workshop Technical Manual

Information Security

Information security or INFOSEC is defined as protection of infomation or


information systems from unauthorized access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction during usage,storage or transit.

In this era of Information Technology all data are being meticulously converted to
electronic form which is not only efficient but also convenient. Information has become
the backbone of most of the organizations, an essential business asset in todays IT-
enabled world.

Information technology is on the way of expansion in all possible forms from e-mail
to transaction systems, to databases full of data. But as it says every rose has its thorns,
this advancement of technology, the Internet, and information sharing has its own
negative outcomes too. One of the very important of them is the large increase in new
information threats. There are malicious individuals who try to gain access to secure
information through perverted use of the same technology. Organizations that have
data in electronic formats or do tasks electronically are at risk, even smaller
organizations though they do not perceive themselves at risk because they think that
criminal hackers (crackers) and rogue insiders have no interest in them. But as a matter
of fact, everyone is at risk; crackers are proud of their nuisances even if they are small in
magnitude. They do not discriminate, if they can hack into a system they will.

An alarming statistics shows:


75 percent of all networks are vulnerable to an external attack, 95 percent with a
secondary exploit.
More than 65 percent of all networks are vulnerable to dial-in exploits.
100 percent of all networks are vulnerable to an internal exploit

This has been made easier due to the sharp increase in system vulnerabilities.
Unauthorized access to such confidential information is also due to weak or non-existent
information security practices. Not identifying and mitigating risks is a leading cause of
unauthorized access and the exploitation of vulnerabilities.

With crackers on the prowl, organizations need to be highly vigilant in the


protection of their systems. In such a critical condition, a threat to the security and
trustworthiness of information poses a threat to everybody concerned. The breach of
security is not only harmful for the organization and but also those who conduct
business with it. Governments, military, corporations, financial institutions, private
businesses, hospitals provide a great deal of confidential information about their
employees, customers, products, research, and financial status all through electronic
gateways and they are transmitted via networks. If those confidential information falls
into the hands of those malicious individuals (may be in the form of competitors), it can
lead to huge negative consequences.

Protecting confidential information does not only serve business purpose but in

HACKENG
Workshop Technical Manual

many cases also an ethical and legal requirement. In the present scenario a huge scale of
businesses, consumers, and also governments now maintain,share or transmit their
information mostly electronically. Systems that do not share information with other
systems are generally secure. Assuring backups and giving regard as physical assets are
the only treatment they need.

But connection with other systems in any format opens the floodgate of the
actual problem. There remains possibilities of a huge number of threats like
unauthorized access to information, its manipulation or destruction, misuse of
authorised access, introduction of malicious software programs (viruses/worms/trojans),
or falling prey to poorly designed information systems which allows too much access,
social engineering, system or communications disruptions (denial of service, hardware
failure) or improper handling of information. The extensive use of WWW(world wide
web)and its easy availability added with low cost of technology increases the chances of
these vulnerabilities to be exploited to many times.

So there comes the need of Information Security. It is a practice which involves


not only identifying all these threats but also helps in addressing them. It analyzes the
vulnerabilities, checks whether that can be exploited, the level of risk involved, the
potential cost wastage and also how to manage it with regular reviewing and updating.
All these processes help to mitigate risks to an acceptable level thus safeguarding
information, reputation, financial strength, relationships, business strategy, or/and any
other component that is critical to the viability of a person, business, or government.

The ultimate goal of Information Security is to ensure the CIA (confidentiality,


integrity, availability) of the information concerned. For this there is a huge necessity of
Information Security being an integral part of government, personal and commercial
information systems be it in usage, storage or transit. This lack of integration not only
causes a breach of security but also poses a huge problem in sustaining economy that is
information dependent. Contrary to the belief that Information Security procedures may
make an impression that the information system is insecure, it actually gains the trust of
the allied members. It increases the chances of a better decision making, and also the
company can edge over it's own competitors.

The necessity of information being secure can be actually perceived when we see
the magnitude of the negative impacts it can cause starting from illegally acquired
business secrets to loss of critical information (like defense information) or even their
unauthorised alteration leading to vicious outcomes.

Conclusion

With the advent of Web services and heterogeneous platform environments it is


being day by day more difficult to keep our information secure. There are not only
script kiddies but also organised criminal hacking in hunt for some fertile soil to attack.
Thus identity theft and real serious hacking had made the scenario worse with time.

So as it is said to patch up your holes till some intruder finds it and enters your

HACKENG
Workshop Technical Manual

arena through your self made hole; it's hightime we focus not only on this Information
Tehnology boost but also give equal stress on these loop holes and mend them before
we sit still dumb-struck that our valued possessions (informations) have already been
missiled and attacked from some distant unknown place and person. Let's rather make
the crackers feel utterly helpless when they come across the impenetrable shielded
armour we have already made to keep all our information the most secure and safe
guarded.

HACKENG
Workshop Technical Manual

Mirroring Websites

A mirror is a clone of a set of data. Websites are cloned for many reasons like, to
hav a backup of the website, live mirrors increased the speed with which the file or
websites can be accessed, for offline browsing, to counter censorship and provide
freedom of the information etc.
There are many softwares available to mirror a website here in our tutorial we will
focus on installation and usage of the WebHTTrack website copier on Ubuntu or any
Debian based Linux operating system .The WebHTTrack is one of the popular website
copier which runs on various operating systems like Linux, Windows and Mac.

Installation

To install the application run this command on your terminal

$sudoaptgetinstallwebhttrack

To access the application on ur system simply type $webhttrack on ur terminal


and the application opens in your browser.

Usage

Here we will look at some of the screenshot about The WebHTTrack in action as a
picture worth more than thousand words :-)

HACKENG
Workshop Technical Manual

HACKENG
Workshop Technical Manual

Conclusion

The WebHTTrack is a simple application which allows you to locally store the
entire website on your hard disk. It can perform multiple download at the same time and
can even resume a previously stopped download. Hope you guys enjoyed this tutorial.
Do try this tool .

HACKENG
Workshop Technical Manual

Enumerating Websites

So you guys must be little bit fired up when you mirrored a website, keep it up!
All that keep us going is that little peice of satisfaction when things goes according to
our taughts.
Website enumeration is a technique of finding out the information about the web
servers such as server information, services running, operating system information,
vulnerable services, enumeration of users etc. In this tutorial we will look into two such
tools which will help us to pull such information from a web server.

Nikto

According to the Nikto website http://cirt.net/Nikto2


Nikto is an Open Source (GPL) web server scanner which performs comprehensive
tests against web servers for multiple items, including over 6500 potentially dangerous
files/CGIs, checks for outdated versions of over 1250 servers, and version specific
problems on over 270 servers.

You can find nikto in your backtrack at location #cd/pentest/web/nikto

Nikto is designed to perform very powerful scans against webservers, so its


potentially dangerous to test on websites without legal permission. In our exercise we
will be using mutillidae which is a vulnerable webserver specially desgined for
educational purpose.

HACKENG
Workshop Technical Manual

Lets see what all options are available in Nikto by simply giving the command

#perlnikto.pl

Why perl in front of nikto? Now we understood that Nikto is a program written in
perl. Intersting!!! we are getting to know more about our Nikto. By giving the above
command we will be shown an error message along with options available in Nikto. Does
that make it user friendly ? :-)

HACKENG
Workshop Technical Manual

So here we got a little bit of help on how to use Nikto. Now its time to perform
our first scan with Nikto by specifying a host ( options can be set according to the scope
of your test). Let us perform a test on our web server located at 20.20.20.132/mutillidae
by giving the command

#perlnikto.plhosthttp://20.20.20.132/mutillidae

In the results we get many informations such as server name, server version,
opetating system in which the server is running, directory location which you would find
intresting etc.
This is a basic scan with Nikto, you can always add more option to make your scans
more specific. Always keep in mind that Nikto is just a program, so there is always a
possiblity of a false positive entries in your results.

Nikto also gives you graphical output other than the results given in the terminal
by specifying the output option in your scan.

# perl nikto.pl host http://20.20.20.132/mutillidae output


nikto_result.html

HACKENG
Workshop Technical Manual

Conclusion

Nikto is a Web Server enumeretion tool which is used to enumerate various


information about a webserver as we have seen in our tutorial. Hope you guys enjoyed
the time with Nikto. Before giving a full stop we have only one advice for you USE IT
WISELY.

Uniscan

How was your experience playing around Nikto? We will be looking to one more
such tool. Uniscan is also a web server enumeration tool which will help us to enumerate
a web server.
Uniscan can be found in your backtrack at location

#cd/pentest/web/uniscan

HACKENG
Workshop Technical Manual

Uniscan also have various options to make your scans specific. By giving the help option
in your command you can view various uniscan options.

#perluniscan.plh

Now we will see a scan by giving host url with -u option in uniscan. -qwedsgj
options are also being included to enable server fingerprint, directory, file, robot.txt,
sitemap.xml, dynamic and static checks

#perluniscan.pluhttp://20.20.20.135/mutillidae/qwedsgj

HACKENG
Workshop Technical Manual

Uniscan GUI is also available but i recommend the cli version. Uniscan output will
give you a clear understanding of the target web server and its vulnerablities that you

HACKENG
Workshop Technical Manual

can use in testing your target. Uniscan also includes google hacks which can be used in
your scans by giving -o option along with your google hack syntax.

Conclusion

Uniscan is a tool to find information about web server amined at information


security. It has helped hackers to find out the vulnerablities so that your information is
secure. Hope you guys enjoyed this session. Explore more about uniscan, you always
have google :-)

HACKENG
Workshop Technical Manual

Scanning for Loopholes

Scanning is very importent phase in a penetration test. For a hacker sucess only
depends upon how vulnerable the target is. We will hav to know what OS is being used,
what services is running, what are versions of thoses services etc. There are many
automated tools available to scan the vunlera blity of a target network.

Here in our exercise we will be looking on nmap which is a very powerfull network
scanner and when used with appropriat options will show us with the some loopholes in
the target.

Nmap is preinstalled in your backtrack and can be launched by giving the


command.
#nmap

With this command nmap is launched showing the usage syantax and various
options. First let us see a basic scan without any options. Nmap by default scans only the
first 10000 ports. The scan output shows all the open ports in the target machine.

HACKENG
Workshop Technical Manual

Now we will do a basic scan by giving the command.

#nmap192.168.1.101

In the output we can see all the open ports in the target machine. Nmap includes
nmap script which is used for advanced sanningwe will discuss two such scans here, to do
an OS fingerprint scan we can use the command.

#nmapAPnsSscript=smbosdiscovery192.168.1.101

HACKENG
Workshop Technical Manual

In the results we can see the OS fingerprint under the host script results. N map
can also be used as a vulnerablity scanner we will try one of such scans here we will try
to find out smb vulnerablities in our target machine by giving the command.

#nmapPnsSscript=smbcheckvulns192.168.1.101script
args=unsafe=1

In the scan optput we can see that nmap has found tat the target is vulnerable to MS08-
067 vulnerablity.

Conclusion

Nmap is one of its kind which can never be replaced by another. Its powerful, neat,
simple and gives a clean output. Explaining about nmap is beyond the scope of this
manual. I recommend you guys to try this tool with various options.

HACKENG
Workshop Technical Manual

Recovering Lost Data

How was your experience with nmap. We know that this hellboy won't dissapoint
you. Now we will look into some forensics side. We will see how to recover lost or
deleted data drom a storage device. In this exercise we will be recovering deleated data
from a pendrive. For this we will be using a tool called scalpel.
Scalpel is a tool for recovering deleted data. To install scalpel in ubuntu/backtrack
machine by giving the command

#aptgetinstallscalpel

Scalpel comes with various options we can view the options by simply giving the
command
#scalpel

HACKENG
Workshop Technical Manual

To know the mount location of your desired storage device you can use the
command
#mount

This command will show all the mounted device in your machine

In this particular exercise we am going to recover the deleted data of a pendrive


located at /dev/sdb1

Before starting the recovery process we will hav to uncomment the types of files
that we have to recover in the scalpel.conf file located at
/etc/scalpel/scalpel.conf by giving the command .

$sudonano/etc/scalpel/scalpel.conf

HACKENG
Workshop Technical Manual

Now we will start the basic recovery process by giving the command with -o
option to specify the output directory.

$sudoscalpel/dev/sdb1/o/home/hellsangel/Desktop/recover

Note that scalpel shud always be run as root if you are loged in as a standard user
you will hav to execute the command with sudo privilige. And the output directory will
be created by scalpel.

HACKENG
Workshop Technical Manual

Once the recovery process is complete you can go to the output directory to view
the recovered file. Note that the output directory shud be opend by root privileges.

Conclusion

Scalpel is a good tool to recover your lost data, but a little resourse greedy, will
slow down your system a little bit and expect a 50gb revovery from a 4gb pendrive so
free some space in your drive where you point your output directory :-)

HACKENG
Workshop Technical Manual

Gathering Email Accounts

In order to conduct a sucessfull penetration test a hacker shud gather as much


information as possible of the target. Emails are one such platforms where he can send
malicious codes on to a victims system. theHarvester is one such tools were he can
gather emails. theHarvester tool can gather email accounts, usernames,
hostnames/subdomains from different search engines and social networking sites.
theHarvested used many sources for gathering information like google and bing
for emails and hostnames, google profiles and linkedin for employee names etc.
Theharvested can be found in your backtrack at location.

#cd/pentest/enumeration/theharvester/

To know the options used in theHarvester simply run the script by giving the
command #./theHarvester

Now we can run this tool with some basic options to gather some email accounts.
Here in our example we are gathering some emails of columbia.edu (no offence, for
educational purpose only).

HACKENG
Workshop Technical Manual

We can do this by running theHarvester by giving a domine name and can also
limit the number of results by giving the dand loptions respectively. We also have
to instruct theharvester , from were to search the data by giving b option.

#./theHarvesterdcolumbia.edul500bgoogle

Conclusion

TheHarvester is a wonderful tool to collect emails of the target. Try its yourself
with various options. Hope you guys enjoyed this session.

HACKENG
Workshop Technical Manual

Cracking Windows Login

What are you going to do with those emails fellas, Common! Let's break some
windows. Just kidding :-). Now we will be learning to crack windows login passwords. In
this session we will be looking into a tool called ophcrack. ophcrack is a very powerfull
tool using rainbow tables to crack windows passwords. Now you guys might be thinking
'what the heck is this rainbow tables?
Windows does not store the login passwords in plain text, it convert the plain text
to a hash value and then stores it in the SAM file. A Rainbow table is a lookup table to
find the plain text passwords from one way hash. Its a huge set of precomputed hashes
of every possible combination of letters, symbols and special characters.
Ophcrack is preinstalled in your backtrack. And can be launched by simply giving
the command
#ophcrack

To make use of ophcrack you need to have rainbow tables. Rainbow tables can be
download at http://ophcrack.sourceforge.net/tables.php. The rainbow tables can be
loaded into ophcrack by clicking on the 'Tables' tab and then giving the location to your
desired rainbow tables.

HACKENG
Workshop Technical Manual

Now we need to load the password dump file that we hav extracted form our
compromised windows machine. A password dump file is where the usernames and
passwords of a compromised windows machine is dumped. A password dump file look
like the below image.

To load the password dump file click on the 'Load' tab and select 'PWDUMP file'
and give the location of your password dump file.

HACKENG
Workshop Technical Manual

Once your password dump file is loaded all you hav to do is to click that tiny little
button which says Crack :-)

Conclusion
ophcrack is a real rascal isn't it ? Ophcrack also comes in live cds and is mainly
used to recover the password when you have physical access to the machine. Its
efficiency depends upon the strength of your rainbow table.

HACKENG
Workshop Technical Manual

Cracking ftp/ssh Login

Cracking here reffers to hacking itself. I hav used the term cracking just because
its little offensive in nature. During a penetration test a hacker will have to check for
weak passwords by brute forcing the login. Hydra or Xhydra (GUI version) is one such
tool which can be used for online as well as offline password cracking. To perform this
attack we require a good password dictionary which is avaialable on the internet for
download.
First let us do an nmap scan to find the open ports and services running on our
host 20.20.20.132 by giving the command
#nmap20.20.20.132

In the output we can see that ftp and ssh ports are open. Now let's try a dictionary
attack on the target. To do so we will launch xhydra (GUI version) by simply giving the
command xhydra. We can launch xhydra from any location, since it is there in the root's
bin directory.
#xhydra

HACKENG
Workshop Technical Manual

This will launch the GUI version of hydra

In the xhydra window you can see many informations to be filled on diffrent tabs.
Here we will have to provide various details like the target ip or if you hav a target list in
a text format. You can give the location to the target list, port number, protocol options
can be set according to your needs.

HACKENG
Workshop Technical Manual

Conclusion
Xhydra is a very powerfull password cracking tool. It can be used against many
other protocols. Use this tool wisely and use it only to test the security of a system. You
might be able to break passwords but definitly not jails :-)

HACKENG
Workshop Technical Manual

Hacking into Windows and Droping a Shell


METASPLOIT- The mother of all arsenal

If you are new to this tool then this tutorial is just for you. You must have digged
in internet on tutorials on this tool and must hav faced some difficulty in understanding
this tool. Here i will try to put this before you as simple as possible. If you are already
know how to use metasploit, this document may not be much help to you but still please
feel free to read.
What is this Stuff?
You can say that this is a platform where an attacker (bad guys ofcource) or a
penetration tester (the good guys) can launch an attack to compromise a victim or a test
machine making use of the vulnerabilities which is left unpatched.
If you want to hear it in a professional way well Metasploit is a free open-source
exploitation framework. Metasploit can run a number of exploits to make use of the
vulnerability of an unpatched system. Metasploit is aslo an environment for creating new
exploits.
Hey wait What is this exploit?
Exploit is a piece of code which is specialy written for making use of a particular
vulnerablity to gain access to a vulnerable system.
Where do i run metasploit?
Metasploit runs on Linux, Mac OS X and Windows but Linux is the most
recommended platform. You know why ;-)
Ok i have installed metasploit on my Linux box. So whats next?
Before testing metasploit on a target we will see its components. We will travel
inside metasploit and find out what is there inside it. please note that we will not go
through all the components but we will see the basic ones which we need right now. We
will travel through some of the directories inside the metasploit framwork3 directory
and explore.
Oh oh till now you were telling metasploit what is this new tail 'framework3' ?
Framework3 represents nothing but the version of the metasploit framework. A
good penetration tester use diffrent virsions of framework to conduct his test, because
certain backtrack tutorialin exploits work well with diffrent frameworks and some of the
exploits are only available in certain framework. Metasploit 2.X is mostly written in pearl
whereas framework 3.X is mostly written in ruby.
In this course we have used backtrack 5 security distro which include version 2 and
3 of metasploit framework which is located in /pentest/exploits/ directory and we
will be focusing on framework3.
Before we start let me tell you what is an exploit and a payload and how it is used
to test a target. EXPLOIT is a piece of code which make use of the vulnerability to gain
access and PAYLOAD is the code which do somthing that the attacker or pentester wants

HACKENG
Workshop Technical Manual

in the target system such as opening a command shell or controling the target system,
opening a GUI access etc..
So this is how it is done
EXPLOIT + PAYLOAD -------(injected)------->TARGET
hope now you got an idea how an attack is done.For understanding it more clearly we
will dive inside and see some components inside the framework directory.
So lets start Exploring
Before we start i recommend you to try everything what we go through from this
point onwards as we move forward. take your time to explore other directories too.
So take your terminal and go to location /pentest/exploits/ here you can see
different versions of framework.

Now we move to framework3 directory. Here we can see different user interface
like msfconsole, msfcli, msfgui, msfweb and we can see directories like modules, plugins,
lib, documentation, scripts, data ect.. and exploit creation tools like msfpescan,
msfopcode etc..

Framework gives us many options to interact with it, but in this course we will be
focusing only on msfconsole once you get the idea you can move on and try different
user interface. Documentation directory contain all the documentations of metasploit.
Exploit creation tools like msfpescan, msfopcode are very useful for exploit writers.
Modules directory contain exploits and payload which we are going to look into.
So we will move into modules directory by giving the command #cdmodules/
(# is just the terminal prompt) .

HACKENG
Workshop Technical Manual

Here we can see different components like auxiliary, encoders, exploits, payloads
etc.. auxiliary contains different tools for scanning, Denial of service tools and many
other tools. Encoders contains tools that converts exploits and payload into different
forms to bypass IDS signatures and antivirus or similar tools.
Exploit directory contains the whole set of exploits that the framework has and
the payload directory contain the whole set of payload. Now lets look into the exploit
and payload directories. first we will explore exploit directory. You can navigate by
giving #cdexploits/ command.

Here you can see exploits are sorted by operating systems like bsdi, osx, unix,
linux, windows , multi etc.. multi directory contains exploits that can hit multiple
operating systems. Now we will take a look at windows directory. You can navigate to
windows directory by giving #cd/windows command

Here we can see the exploits for windows is again classified into exploits for
programs and exploits for certain services that is used in windows. Now lets look into
the smb directory which contain exploit which make use of vulnerablity of window's
server message block implementation. Navigate to smb directory by giving the
command #cdsmb/

HACKENG
Workshop Technical Manual

Here you can see the exploit files, all of them written in ruby. All of the exploit are
well documented. It is recommended to open a exploit and go through it and understand
it before running an exploit. It's a good pratice. We will be using one of the exploit later
in our course
Now we will explore the payload directory inside the framwork. you will hav to
navigate backward until you reach payload directory by giving #cd.. command

Here we come across some new terms. We find 3 directories singles, stagers,
stages. we will see what each one of them is.
Before that we will once again see what is a Payload. A payload is the code which
does certain function on the victim/target system like giving a command shell access or
giving a GUI access to the attacker or pentester. Payload has two parts one which does
the function and other which allows the communication with the attacker or pentester.
Singles are those which has both function binded together. Stages is the one
which does the functions that attacker or pentester wants and stagers are the one which
help stages to communicate with the attacker or pentester. Hope you clearly got the
idea.
Now we will look into the singles directory. You can navigate to singles directory
by giving #cdsingles/ command

HACKENG
Workshop Technical Manual

Here you can see that it is again sorted by operating systems like bsdi, osx, linux,
windows etc...
let us look into the windows directory you can navigate by giving # cd windows/
command

Inside you can see the payload codes all written in ruby. It recommended to go
through the code before using it as i said for exploits.
By this we will end our tour exploring the directories inside the framework3
directory. do spare some time exploring more making yourself comfortable with the
terminal and navigate back to framework3 directory. now i hope you konw how to
navigate back ;-)
Is that all, Now whats next?
No, we are not finished now we have a lot to go. By this time i guess you will be in
the framework directory. As i said earlier that we will be focusing on msfconsole user
interface in this course. Lets see how msfconsole looks like. To launch msfconsole give
the command ./msfconsole from your /pentest/exploits/framework3/
directory. You will see a console like this.

Now we will see metasploit from inside msfconsole. What will you do when u find
yourself in an unknown land? 'call for help' . Do the same thing here. The first command
you learn is help. You can get the list of commands used inside the msfconsole by giving

HACKENG
Workshop Technical Manual

the command help or ?. lets try this.

HACKENG
Workshop Technical Manual

Here you will find various commands used in metasploit. Right now we will see
some of them which we will be using later.
show: we use this command to display exploit/payloads of a given type.
use : we use this command to select a module/exploit by name.
set : we use this command to set a payload/options.
unset : we use this command to unset a payload/options.
exploit: we use this command to exploit the target/test machine.
exit : we use this command to exit from msfconsole.
Note that we have shown above only few commands. Its recommended that you
go through other commands also.
Now we will see how to get a remote shell access on a windows target system
using metasploit. In our exercice we have used backtrack5 security distro and a windows
xp sp2 system.

We will be using Microsoft Server Service Relative Path Stack Corruption exploit
(ms08_067_netapi). This exploit gives the attacker/pentester remote command shell of
the target system.
Note that we are just testing a target/test system. You can never gurauntee that a
particular exploit will work sucessfully, but if you are sucessful please try not to make
any changes on target system.
To list out the currently available exploits in metasploit framework 3 we give msf
>showexploits command (msf>isthepromptinmsfconsole).

HACKENG
Workshop Technical Manual

To use an exploit we give the command useexploit(locationofexploit)


here in our exercice we give the command
msf>useexploit/windows/smb/ms_08_067_netapi

Now we need a compatible payload for our exploit. To see the compatible payload
simply give the command msf>showpayload

The next step is to select a compatible payload and set that payload. Here we
have used bind_tcp payload. We set the payload by giving the command

HACKENG
Workshop Technical Manual

msf>setPAYLOADwindows/shell/bind_tcp

Now the payload is also loaded. Now we will have to set some options like remote
host, local host, remote port, local port etc.. we will see what all options we will have to
set by giving the command msf>showoptions

Here we see that we have to set only RHOST in this case. We will have to give the
IP of the target system. Lets let us see what is the IP of the target system.

HACKENG
Workshop Technical Manual

Now we can set the RHOST by giving the command


msf>setRHOST192.268.3.128

Now we are ready for the attack. To exploit the target system we use the master
command exploit to lunch the attack. We will see what happens.

HACKENG
Workshop Technical Manual

If the target is compromised we will see the command shell of our remote target
in our terminal. Now an attacker can interact with the remote command shell he can give
any command into it here we have used hostname and ipconfig command.

Finally we can exit the remote shell by giving the command exit or Ctrl+C

when we exit the remote shell we come back to the msfconsole and to exit from
the msfconsole we can give exit command and return to our framwork3 directory.

HACKENG
Workshop Technical Manual

Hope you have understood how to use metasploit framework to launch an attack on a
target system.

Are we done?
As far as this article is concerned, Yes we are done, but as far metasploit is
concerned, no we are not. There still many other features you can use in metasploit. I
have just introduced you to this wonderful tool. While exploring you may still find some
diffuculty but then i have read somewhere else that there is nothing more satisfying
than solving the problem yourself ;-)
Hope you enjoyed reading this article as much as i enjoyed writing this.

HACKENG
Workshop Technical Manual

Exploiting Using Web Browser Vulnerablity

Now tat we have droped a shell of the target machine we will look little more
deep into exploitation using a meterpreter payload.In this excercise we will be creating a
malicious webserver and the target accessing that webserver will be exploited if the its
browser is vulnerable to the exploits injected to it.

To create a malicious webserver open the msfconsole and load the


browser_autopwn module from the location

cdauxiliary/server/browser_autopwn

msf>auxiliary/server/browser_autopwn

Set the required options as shown is the above image and run exploit. This will
start a server loaded with exploit to inject it into any browser which is trying to connect
to it.
When a browser connects to the server the server will automatically try to inject a
set of exploits and if sucessfull creat a meterpreter sessions with each successful
exploitation.

HACKENG
Workshop Technical Manual

In this particular excercise we hav got 5 meterpreter sessions. To list the no of sessions
we can give the command
>sessionsl
To get into a particular session we can give the command.
>sessionsi<sessionno>
Now we will be placed into a meterpreter shell. We can get the victim info by giving the
command.
>sysinfo

Remote Keystroke logging

Once we get the meterpreter session we will be able to do various task in the
compromised machine like keystroke logging, tampering with files etc. Here we will see

HACKENG
Workshop Technical Manual

how to sniff the remote keystroke from our meterpreter shell


To achieve this start the keyscan by giving the command

>keyscan_start

Now the victims keystrock will be logged and can be displayed by giving the command

>keyscan_dump

once the keylogging is done you can gracefully stop the sniffer by giving the command

>keyscan_stop

Tampering files of a compromised system

Here tampering reffers to downloading a remote file changing its contents and
uploading it to the target machine. To achieve this we can use download and upload
command in our meterpreter shell.

HACKENG
Workshop Technical Manual

Once downloades the file can be found at location

#cd/pentest/exploits/framework3/

Now we can change the content of the file using a text editor and then upload the
courrupted file on to the target machine with upload command

HACKENG
Workshop Technical Manual

Editing the downloaded file

The uploaded file opened in the victim machine

HACKENG
Workshop Technical Manual

Conclusion

meterpreter sessions undoubtfully gives us a great control over the victim


machine. There are many other commands in meterpreter shell. Play around with it and
use it wisely

HACKENG
Workshop Technical Manual

Gaining Access Using Malicious PDF


In this session we will see a client side attack. We will be gaining access to the
target machine using a malicious pdf file. Now that we are familiar with metasploit and
meterpreter session i hope that there will be no need of much explantion. In this
exercise we will be using adobe_utilprintf exploit which is located at
exploits/windows/fileformat/
This (CVE-2008-2992) module exploits a buffer overflow in Adobe Reader and Adobe
Acrobat Professional < 8.1.3. By creating a specially crafted pdf that a contains malformed
util.printf() entry, an attacker may be able to execute arbitrary code.

The malicious pdf generated can be send to the victim through emails, removable drives
or any other modes. Hacker will have to start a metasploit listner to listen to any connection to
that particular port. Once the victim opens the pdf the hacker will get a meterpreter session.

Conclusion

Try diffrent payloads for this attack. Hope you guys enjoyed this session.do not use this
technique for any malicious purpose, because remember everything can be tracked back to
you. Unless you are a good player. :-)

HACKENG
Workshop Technical Manual

Hacking Linux

So by this time all of you must be feeling excited. Thats exactly a hacker feels 24x7
the sense of power over other, an addiction of control. Wait dont take all your excitment
out keep somthing for our linux, yes your read it right LINUX. In this session we will be
hacking linux using a backdoor executable.
In this exercice we would be using a linux elf (executable and linkable format)
binary file generator to create our backdoor executable and a listner to listen to the port
it connects back to.

Linux elf generator can be found at cd/pentest/exploits/framework3/


directory now we can run the linuxelf tool by giving the command #./linuxelf

By default a linux executable named 'Executive' we can change the name of the
executable file, and send it to victim or upload it to our server where the victim can
download it. Once the victim download and execute the file a connection is made to the
hackers system.

HACKENG
Workshop Technical Manual

Conclusion
linux also hav got vulnerablities which can be exploited. This exercise can also be
done manually using metasploit, insted of using the script. Try it at home buddies. This
exercise is just to show that even linux can be hacked.

HACKENG
Workshop Technical Manual

Hacking Facebook Login Details

How was your game with metasploit framework? Yeah i got the answer in your
smile;-) now we will see another little rascal which helps you to launch your social
engineering attacks. (SET) social engineering toolkit is a framework created by David
Kennedy aka ReL1K. Its gives you a wide verity of attack vectors we will be seeing a few
in our comming exersices. For now we will see how this tool can be used to creat a
phishing page and steal the facebook credentials from a target. SET can be found at
location cd /pentest/exploit/set/

To launch set use the command ./se-toolkit. You will be greeted with a nice SET logos
and author details and the main menu.

HACKENG
Workshop Technical Manual

In the main menu we ca see many options of acttack vectors in which we will be
selecting option 1 which gets us into social engineering attack mode and puts us into
another sub menu.

In our exercise we will be selecting option 2 Website attack vectors which will
direct us into another submenu which gives us list various attack

HACKENG
Workshop Technical Manual

Here we will be using option 3 Crediantial harvesting attack in which we will be


cloning the facebooks index.html page and then cerate a webserver and harvest loging
credientials of the victim who logs in into our phishing page.

After getting into the crediantial harvester attack mode you get three options
one is that you select among already existing web templates or you can clone a website
index page or you can cerat your own custom webpage. In our exersice we will clone the
facebook page. By selecting option 2 Site Cloner. Now SET will ask us to put in the ip
where the phishing page has to be hosted. When your phishing site is ready you just hav
to wait for the victim to log in to the site and the SET will display the the crediantials as it
arrives.

HACKENG
Workshop Technical Manual

Conclusion
SET is a wonder full tool which makes a hackers job easy with all those nice
menus :-), but keep in mind that you should be able to do these attack even without SET.
This tool saves a lot of time and any script kiddy can use it.:-) But I want you to be a real
hacker. So play around it, i know it takes time even i took my time. But finally when you
do it, that's where you get addicted to hack.

HACKENG