Monday, August 15, 2011

Hack A System

Prior to hacking a system, you must decide what your goal is. Are you breaking in to get at sensitive data, to enter the system and take "root" access and then wreck it by formatting everything in it, to discover vulnerabilities and see how they could be used, etc.?

The most common goals are:

entering the system to get at sensitive data such as credit cards, identity theft, etc.

You must have all your tools ready before you start. There is a Unix-based system called "back". It is an operating system that comes with different sets of security tools to help you hack the system (penetration testing).

You must define the steps (methodology) you plan to take in your journey before you do anything else. There is a common methodology, which I describe below. However, you can create your own method if you know what you are doing.

Common steps to take to hack a system:

I. Reconnaissance (fingerprinting).
II. Scanning.
III. Ports & Services Enumeration.
IV. Vulnerability assessment.
V. Exploiting vulnerabilities.
VI. Penetration and access.
VII. Clearing your tracks.

The above methodology may change depending on your goals and on your knowledge.

I. Reconnaissance (Fingerprinting)

Before breaking into a system, you must collect as much information as you can about the system and the target. You should study your target well before the hack. This step is called reconnaissance. It is done using techniques and tools that the target cannot detect. You collect information about your target that is published publicly. For example, look at your target's website: if they are looking for a Windows SQL Server administrator, you get a hint that they are running Windows Server and SQL Server. That is called a "passive" action. Here are examples of active action: call the company to get some information, email the company's employees to get some information, visit the target's website and read its source code. In other words, passive action means that you collect information in a non-intrusive way. Active action is one step further, such as talking to the company as if you were a customer, things like that.

When performing passive reconnaissance, there is a 0% chance of getting caught, as you use only publicly available information to get a feel for what your target looks like. The kind of information you can gather through passive recon includes names, phone numbers, addresses, location, partner networks, and much more. This helps when you want to do a little social engineering, and sometimes non-public information turns up while you do passive recon. There are several tools to help you with passive recon, such as Whois.
Whois gets you important information, like names, the target's domains, etc. Other great tools are Sam Spade, DomainTools, and Google (which can reveal a target's subdomains and much more).

To learn briefly what whois really is:
http://fr.wikipedia.org/wiki/Whois

Active reconnaissance goes beyond passive: it involves communicating with the target without getting caught, for example scanning. Anything that shows up in an IDS (Intrusion Detection System) is considered active. You must think of ways to extract information from the company in a normal-looking way, going a bit deeper than passive recon. For example, you can go to the physical location, do a little social engineering, email staff, or communicate with employees based on the info you got from your passive recon. Things like that!

Examples of active recon techniques: banner grabbing, viewing the public company site's source code and directory structure, social engineering, shoulder surfing, etc.

1 - What is banner grabbing?
You get the server to send you a block of information that tells you the target's operating system and the software associated with it. The banner tells you the OS version and the associated services. Anything that listens on a port can be fingerprinted this way. In other words, fingerprinting is the process of determining the operating system (OS) or the applications used by a remote target.

Learn more about banner grabbing:
http://www.net-squar...rint_paper.html

Can you give a brief example of social engineering?
For example, you find out where the director goes after office hours, then start going to that place and build a relationship, a friendship, to extract more information, slowly but surely. Things like that! You know what I mean.

2 - What is shoulder surfing?
Simply stand behind a person's shoulder and watch what they are doing and typing on the keyboard. This can happen in a wireless network area where everyone is using a laptop in a public place.

In summary, reconnaissance is one of the most important steps in hacking. The main concept is to gather all the information that is publicly available or easily obtainable. The information we gather helps us with social engineering and with the research that leads to critical information about the system. It begins by obtaining names, phone numbers, emails, IP ranges, the domain structure, and so on.

e.g. banner grabbing: telnet to your target server on port 80 as follows. Go to the command line or a terminal and type:

telnet xx.xxx.xxx.xxx 80

Now that the connection is established, the server thinks a web browser is connected to it and waits for you to enter commands, so that it can give you information about your request. In this situation you would write a command that says: "Hey web server, give me the contents of such and such a page." However, we do not really want to visit the site via telnet, do we? You could just open a web browser and request the website from there. Our goal here is to confuse the server a bit, so that it spits back a response saying: "Hey, this did not work, but here is some information that might help you troubleshoot." This technique lets you fingerprint various components of the target system.

Note: instead of telnet xxx.xx.xxx.xx 80, you can use nc xxx.xx.xxx.xxx 80! It's the same thing ... nc stands for netcat ... xx.xxx.xx.xxx represents the IP address of the target system.

After you telnet to xxx.xx.xxx.xxx 80, the remote server will wait for you to enter a command. Type this:

HEAD / HTTP/1.0

Then you will receive a response like:

Date: Thu, 04 Dec 2008 2:18:46 GMT
Server: Apache/1.3.41 (Unix) PHP/4.4.8 mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.31 OpenSSL/0.9.8b
Last-Modified: Fri, 10 Jul 2008 11:34:28 p.m. GMT
ETag: "c9865b-D91-48769c84"
Accept-Ranges: bytes
Content-Length: 3473
Connection: close
Content-Type: text/html

This means the server is running Apache/1.3.41 on a Unix box with PHP/4.4.8.

So say our target has the following version: Apache/1.3.41 on a Unix box with PHP/4.4.8.

At this point, if you know of vulnerabilities for this particular system, or for that individual Apache or PHP version, you can start the exploitation process ...
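To make the defender's side of this concrete, here is an added example (not code from the original post) that parses a raw HTTP response like the one above and lists every product/version pair the Server and X-Powered-By headers disclose. The sample responses are constructed; the "hardened" one assumes the server has been told to send only a bare product name (on Apache, the ServerTokens Prod directive does this).

```python
import re

# Constructed sample: a reply of the shape the post shows after `HEAD / HTTP/1.0`.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 04 Dec 2008 02:18:46 GMT\r\n"
    "Server: Apache/1.3.41 (Unix) PHP/4.4.8 mod_ssl/2.8.31 OpenSSL/0.9.8b\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed: the same server after it was configured to stop advertising versions.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# product/version tokens such as "Apache/1.3.41" or "OpenSSL/0.9.8b"
VERSION_RE = re.compile(r"([A-Za-z_][\w.-]*)/(\d+(?:\.\d+)+[A-Za-z0-9]*)")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {header name: value}).
    Header names are lower-cased so lookups do not depend on the server's casing."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosed_versions(raw):
    """Return [(product, version), ...] leaked by the Server and X-Powered-By headers."""
    _status, headers = parse_headers(raw)
    found = []
    for name in ("server", "x-powered-by"):
        for match in VERSION_RE.finditer(headers.get(name, "")):
            found.append((match.group(1), match.group(2)))
    return found


def banner_risk(raw):
    """'disclosing' when a banner grab yields any product/version pair, else 'minimal'."""
    return "disclosing" if disclosed_versions(raw) else "minimal"


if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, banner_risk(resp), disclosed_versions(resp))
```

Run disclosed_versions() against a response from your own server to see exactly what a banner grab hands out; the shorter that list, the less the fingerprinting step described above has to work with. Hiding versions does not replace patching, it only removes the shortcut.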

Another example: the application Sam Spade gives you a lot of information about your target. The target does not really know what we are doing against their server, because nothing was triggered in their IDS or firewall.

3 - What is the difference between an IDS and a firewall?
An IDS (Intrusion Detection System) can only detect and warn you of an intrusion. Although most major attacks are blocked, several probes or other attacks may be identified and allowed to pass. There is also an evolution of the IDS called an IPS (Intrusion Prevention System), which monitors the same things as an IDS but, instead of just alerting, blocks the traffic.

A good firewall blocks almost all attacks, unless it is configured or designed otherwise. The only problem is that the firewall might not warn you about attacks and may just block them.

It's a good idea to have both an IDS and a firewall, because the IDS will alert you and then the firewall will block the attack. Over the years, firewalls have gotten more complex and added more features. One such feature is actually an IDS: now you can have a firewall with a built-in IDS (firewall and IDS combined into a single Internet security program).



To learn how to do it via Google, you need the following book:
http://www.amazon.co.../1.../ref=nosim

Note: the book on Amazon is just an example to give you an idea of what kind of book to look for, if you're interested.

Okay, now you at least have an idea of what reconnaissance is ...

II - SCANNING

When you scan your target's network, you start to actually touch the system. Scanning a network determines what is inside it and gives you a feel for how the target's network is laid out: whether there are multiple subnets, which hosts are alive, which ports are open, discovering the available hosts and getting info on the hosts discovered. There are thousands of tools that can be used to scan networks! Scanning a network can easily be detected by an IDS. Anyway, no attention will be paid unless you do it again and again, because scans happen on such a regular basis on the Internet. Therefore, the people who read the logs (I mean the webmaster) will not really pay attention to any single scan, so you do not have to worry much. There are ways to avoid being caught by an IDS :-). After the scan is complete, you will get a list of the network nodes that are out there.

A "node" is an active electronic device attached to a network that is able to send, receive or forward information over a communication channel. If you want to know more, google it or visit
http://en.wikipedia.org/wiki/Node_(networking) ...

Ok, now we want to discover live hosts via scanning. This is the first action taken against the target's network. Depending on which scanning method you use, you can be detected by the IDS. Most administrators will ignore detections, because scans happen so often; they only react if something unusual happens.

There are various tools to scan with, for example nmap, SuperScan, Metasploit and many more. There are different methods of scanning; some are stealthy, others are not.

Before talking about the various methods of scanning, let me explain the basics of TCP connections. When you scan your target using TCP, there are six TCP flags that can be set on the packets transmitted during the scan.
A flag indicates whether a packet is a SYN, ACK, FIN, URG, PSH or RST packet. These packets decide how you communicate with the remote host. You get different information depending on which flag you choose to scan with.

TCP establishes a three-way handshake: SYN, SYN-ACK, ACK. What are they?
When you connect to your target using TCP, you send a SYN packet (SYN request); the target sends back an ACK packet together with a SYN (SYN-ACK). Now you send an ACK packet to the target. Both machines are now properly connected; they have established a channel to ensure reliable communication without losing packets while talking to each other. A beginner hacker can easily get caught if they use this method to hack into other people's systems unlawfully.

Hackers use non-standard combinations of these six flags, which gives them information that is not normally accessible to the public.

Have you heard about SYN flood?
A SYN flood abuses the three-way handshake by sending "SYN" requests to the target, so the target receives a request and sends a SYN-ACK back to the sender (you). You ignore the SYN-ACK, so the three-way handshake is never completed; this is called a half-open TCP connection. In theory, when the target sends the SYN-ACK, it allocates some RAM on its machine.

That RAM on the target machine must stay allocated until the response (the ACK packet) comes back from you, because so far only two steps of the handshake have been done, so the TCP connection is not yet complete. However, there is always a time limit on how long that RAM stays allocated: if 30 seconds pass and the target has not received the ACK from you, the connection is aborted (TCP handshake failure, timeout) and the RAM is deallocated.

The idea here is to send a hell of a lot of packets in a few seconds. If in 30 seconds you can send 40 million packets (say each packet is 1 KB), that is heavy on the RAM, since the machine may not have enough memory to hold 40 million packets. So you force the target into half-open TCP connection attempts, and the target machine will definitely stop responding to legitimate requests. In other words, if you send 40 million SYN requests to the remote host, it will allocate a hell of a lot of RAM for those requests. After a while, it eats up all the RAM, and the target system fails. This is known as a SYN flood attack.

In short, a SYN flood attack makes the system (e.g. the IP stack or kernel) choke on memory allocation (or simply run out of memory), or makes the target application (the web server) choke on the processing load. SYN flooding is an old technique; I just mention it here for illustration.

Background: these days, SYN floods are used to make systems inaccessible. Systems have a limited number of half-open connections; you use them all up, and they cannot accept any more SYNs. But again, modern software throws away old SYNs when the limit is reached. Note that different systems behave differently.

If you want to know more about SYN floods, visit
http://tools.ietf.org/html/rfc4987
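That limited number of half-open connections is also what a defender watches. Here is an added example (not code from the original post): it parses a connection table in the shape of `netstat -ant` output, counts SYN_RECV entries per local port, and flags ports where the half-open count reaches an assumed backlog size, together with how many distinct sources they come from. The table is constructed, and the backlog threshold is an assumption to set from your own system's limit.

```python
import re
from collections import Counter, defaultdict

# Constructed connection table in the shape of `netstat -ant` output (not captured from a real host):
# two legitimate established clients plus 300 half-open entries spread over 250 source addresses.
CONNECTION_TABLE = [
    "tcp        0      0 10.0.0.20:80     203.0.113.5:51234    ESTABLISHED",
    "tcp        0      0 10.0.0.20:22     203.0.113.9:41000    ESTABLISHED",
] + [
    f"tcp        0      0 10.0.0.20:80     198.51.100.{i % 250 + 1}:{40000 + i}    SYN_RECV"
    for i in range(300)
]

# proto recv-q send-q local:port remote:port state
ROW_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def parse_rows(lines):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per parseable line."""
    rows = []
    for line in lines:
        match = ROW_RE.match(line.strip())
        if match:
            local_ip, local_port, remote_ip, remote_port, state = match.groups()
            rows.append((local_ip, int(local_port), remote_ip, int(remote_port), state))
    return rows


def half_open_by_port(lines):
    """Count SYN_RECV (half-open) entries per local port."""
    counts = Counter()
    for _lip, port, _rip, _rport, state in parse_rows(lines):
        if state == "SYN_RECV":
            counts[port] += 1
    return counts


def syn_flood_suspects(lines, backlog=128):
    """Ports whose half-open count has reached `backlog` (assumed listen-queue size),
    with the established count and the number of distinct remote sources for context."""
    half_open = Counter()
    established = Counter()
    sources = defaultdict(set)
    for _lip, port, remote_ip, _rport, state in parse_rows(lines):
        if state == "SYN_RECV":
            half_open[port] += 1
            sources[port].add(remote_ip)
        elif state == "ESTABLISHED":
            established[port] += 1
    return {
        port: {"half_open": n, "established": established[port], "sources": len(sources[port])}
        for port, n in half_open.items()
        if n >= backlog
    }


if __name__ == "__main__":
    print(syn_flood_suspects(CONNECTION_TABLE))
```

A high half-open count with very many distinct sources and almost no established connections is the signature the post describes; a single chatty source with a few SYN_RECV entries is just a slow client. On Linux, SYN cookies (the net.ipv4.tcp_syncookies sysctl) are the usual mitigation for the backlog limit the post mentions.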

Let's talk about the most common types of TCP scanning. There are plenty: full scan, half-open scan, stealth scan, Xmas scan and ACK scan.

Full scan: completes the 3-way TCP handshake. It is the most effective and delivers the most accurate results. However, it is not safe; it is easy to locate and detect.

Half-open scan is the second most effective method of scanning: it uses only the first part of the handshake (SYN, SYN-ACK) but does not send the third part (ACK) to the remote host. The idea is that if the remote host responds after you sent the SYN request, the port we sent the SYN packet to should be open.

Stealth scan: the idea here is to scan ports randomly (not in sequential order) and reduce the scanning speed. If you scan all ports 1-65536 in sequence, you are most visible and likely to be detected; scanning usually happens so fast that it is unusual, because regular programs do not connect to ports that quickly, which makes it easy to detect. So you have to scan ports randomly and reduce the scanning speed.
To avoid the IDS, you should not use a full scan as your stealth scan; you can use the half-open (SYN) scan instead. SYN is considered a stealth scan.
In fact, the SYN scan is called the SYN stealth scan, or you can use the Xmas stealth scan with a scanner that helps you avoid detection, things like that! You get my point, I guess.

Xmas scan uses the FIN, URG and PSH flags, which are used to bypass some firewalls. Xmas scan works against Unix systems; it does not work against Windows.

ACK scan: this lets you evade an IDS so you do not get detected. You just send an ACK packet to your target; the target does not know how to deal with it, because there was no handshake. Thus the ACK scan causes ports on the target machine to send a reset packet (RST). The RST packet indicates that the port or service is not filtered between point A and point B, which is where a firewall usually sits! Since the port answered with an RST packet, there is no firewall between A (your machine) and B (the port or service on the target machine), and the RST packet also gives you an idea that the target port is open ;-). If there is a firewall, your ACK packet does not reach the target port, and because of that you get no RST packet. In addition, the RST packet helps you identify what system is running on the remote host.

These are the most common scanning methods; there are hundreds of scanning methods! With nmap you can define your own type of scan: for example, instead of sending only the ACK flag, you can send the ACK and RST flags set together and see what you get back from the target ...
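The flag combinations above are exactly what an IDS keys on. As an added example (not code from the original post), this Python classifies each packet by its TCP flag set into the probe types the post describes (SYN, ACK, FIN, Xmas, NULL) and raises an alert when one source touches many distinct ports within a short window, which is what makes a fast sequential scan "visible" while a normal client talking to one port stays quiet. The packet records are constructed, and the window and port threshold are assumptions to tune against your own traffic.

```python
from collections import defaultdict

# Probe signatures keyed by exact TCP flag set, matching the scan types described in the post.
PROBE_KINDS = {
    frozenset({"SYN"}): "syn",                 # half-open / SYN stealth scan
    frozenset({"ACK"}): "ack",                 # ACK scan
    frozenset({"FIN"}): "fin",                 # FIN scan
    frozenset({"FIN", "URG", "PSH"}): "xmas",  # Xmas scan
    frozenset(): "null",                       # NULL scan (no flags at all)
}

# Constructed packet records: (timestamp_s, src_ip, dst_ip, dst_port, flags). Not a real capture.
SYN_SWEEP = [(i * 0.1, "10.0.0.5", "10.0.0.20", p, {"SYN"})
             for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143])]
XMAS_SWEEP = [(10.0 + i * 0.1, "10.0.0.9", "10.0.0.20", p, {"FIN", "URG", "PSH"})
              for i, p in enumerate([22, 80, 443, 3306, 8080])]
NORMAL_CLIENT = [  # a browser: one port, full handshake, then data
    (20.00, "10.0.0.7", "10.0.0.20", 443, {"SYN"}),
    (20.01, "10.0.0.7", "10.0.0.20", 443, {"ACK"}),
    (20.02, "10.0.0.7", "10.0.0.20", 443, {"PSH", "ACK"}),
]
PACKETS = SYN_SWEEP + XMAS_SWEEP + NORMAL_CLIENT


def probe_kind(flags):
    """Name the probe type for a flag set, or None if it is not a bare probe signature."""
    return PROBE_KINDS.get(frozenset(flags))


def detect_scans(packets, window=5.0, min_ports=5):
    """Return {src_ip: {"ports": n, "kinds": [...]}} for every source that probes at least
    `min_ports` distinct destination ports within any `window`-second span."""
    probes = defaultdict(list)
    for ts, src, _dst, dport, flags in packets:
        kind = probe_kind(flags)
        if kind is not None:
            probes[src].append((ts, dport, kind))

    alerts = {}
    for src, events in probes.items():
        events.sort()
        for start in range(len(events)):        # slide a window over this source's probes
            t0 = events[start][0]
            ports, kinds = set(), set()
            for ts, dport, kind in events[start:]:
                if ts - t0 > window:
                    break
                ports.add(dport)
                kinds.add(kind)
            if len(ports) >= min_ports:
                alerts[src] = {"ports": len(ports), "kinds": sorted(kinds)}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_scans(PACKETS).items():
        print(f"scan from {src}: {info['ports']} ports, {', '.join(info['kinds'])}")
```

The normal client never trips the check even though its SYN and ACK packets match probe signatures, because it only ever touches one port. A slow randomized scan, which the post recommends precisely to beat this kind of rule, only shows up if you widen the window, which is why real IDS rules also keep per-source port counts over hours rather than seconds.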

Now I will talk about UDP and ICMP scanning ... UDP and ICMP connections are mostly blocked at the firewall, and in some cases even at the host. We will scan for hosts and ports that respond to UDP. When you scan your target via UDP, many problems occur during the process. For example, you scan ports via UDP; assume the scanned port 1 is closed: the host then sends ICMP host unreachable to you, which tells you the port is closed, because you did not receive a UDP response from the target! Makes sense, right? Unfortunately, we never get a response from the target to confirm that a port is open!

The way UDP works is: send the packet and forget it. Let's say we hit port 21, and port 21 is open on the target machine; the target will not respond to you, because UDP does not guarantee that packets are delivered during the communication, it simply sends the packet and forgets, unlike TCP, which guarantees delivery of packets without loss or corruption. Since we did not get a response back, we can assume port 21 is open, * OR * maybe port 21 is closed and the ICMP reply got lost somewhere, so we do not know! As a rule of thumb, when you get no answer, you assume the port is open.

Some high-security professionals configure ports so that they do not respond to UDP scans. ICMP scanning is similar to UDP scanning. ICMP scanning is noisy and easily detected by an IDS: it sends ICMP pings to several random hosts on the network instead of a single host (ICMP scanning is a "ping sweep": sending ICMP packets to the entire network instead of one host). After completing the ICMP scan, based on the answers you get back from live hosts, you can determine whether your target network listens for ICMP traffic, and you might be able to exploit that. Unfortunately, there are not many ICMP exploits circulating now. If you simply use ICMP for network enumeration, you can just see which hosts are up: host A is up, host B and host C are up, they responded to my ICMP. Thus we know these three hosts are available on the target network and can potentially be targets for us. IDSs are always listening for network scans, and a large number of network scanners support ICMP scanning, but there is no way to make it stealthy! Therefore, ICMP can trigger the IDS alert that tells the security guard that someone is scanning the entire network.

NMAP is a great tool that is very popular; it is usually used to scan networks, hosts, ports, and a lot of other things. It is a very intrusive tool and is considered a hacking tool. Using Nmap against systems you do not own or do not have permission to scan can be considered illegal. Let's see some examples of how to scan!

Example of ICMP scanning (-sP), the so-called ping scan:

nmap -v -sP xx.xxx.xxx.xx > filename

nmap: the program we are running, nmap.
-v: increases verbosity, which gives me more details about the targeted system. (Optional, as far as I know)
-sP: the flag that determines the scanning method.
xx.xxx.xxx.xx: the target IP address.
> filename: writes the results to the file name you specify. In other words, save the results to a file (optional)


Here is an example of a UDP scan; UDP scans are not fast either.

nmap -v -sU xx.xxx.xxx.xx

The results of a UDP scan (-sU) give more information than the ping scan (-sP). Keep in mind that there could be hundreds of other ports listening on the system that simply do not respond to UDP.


Useful sources related to scanning methods with nmap:
http://www.nmap-tuto...ap-tutorial.pdf
http://www.petri.co....g-with-nmap.htm

Okay, now you have a good basic understanding of scanning! Next I will talk about fingerprinting! So keep learning.

We are ready to gather broader information on the live systems we discovered during the previous steps. Okay! Now you need to discover which services (applications) are running on your target host. Every port (or at least many of them) has a service running on it. For example, web servers usually run on port 80. What we have to do is scan all the ports to see what kind of services (applications) are running on them and try to retrieve the versions of those services; this will help you determine the operating system. This is called "Port and Service Enumeration" (fingerprinting). We must do this step to understand the potential vulnerabilities; your goal is to find out how to exploit them.

Suppose that after scanning our target system we found it running "IIS 5.0 Server" on "Port 80". Based on the scan results, we can say the target server is running IIS 5.0 (IIS stands for Internet Information Services; IIS is the second most popular web server; IIS is a Microsoft product). It is known that IIS 5.0 has too many holes, and IIS 5.0 runs on Windows 2000, which itself has hundreds of vulnerabilities.

In other words, we scan ports and services and do OS fingerprinting to identify the services on the live hosts in our target network. Once we know what services are running and what OS is running, we can start exploiting those services!
- Ping / port / service scans are performed together using the same tool.

NOTE: port and service identification is the most critical part of hacking ... PERIOD

III - Ports & Services Enumeration

OS fingerprinting is used to determine the type and version of the operating system, so that we can exploit the vulnerabilities that reside in that OS.
When you fingerprint your target's OS, the fingerprinting happens on the TCP/IP stack. Why? Because each OS has a unique implementation of TCP/IP; TCP/IP is implemented differently from OS to OS, and the exact same query sent to two computers will get a different result from each machine. Therefore, based on the response, the scanner can determine the target's OS, because each OS gives its own unique answer when you do OS fingerprinting.

When you perform a default installation of an OS, some services are installed by default, services that are needed for the OS to work properly. E.g. ports
137, 138, 139 and 445 all together indicate Win 2000 or higher. Another example: a combination of 139 and 445 may indicate a certain version of Windows, such as Win XP or Win 2003; there are many ways to determine the OS. Another example: if you see an MS SQL service running on a given port, you can determine that the target OS is not in the *nix family but in the Windows family, since the target is running a Microsoft SQL product. Thus we can say that service enumeration can help you determine the OS.

There are tons of popular scanners out there:
SuperScan - works well on Windows.
Nmap - runs on Windows.

IV - VULNERABILITY

Most scanners offer full, half, UDP and stealth scans.

You're going to spend most of your time scanning your target machine to get to know it, so that you can exploit vulnerabilities and enter the system. Therefore, you have to explore the scanning methods and decide on the scanning method you feel most comfortable with ...

Here is an example of an enumeration-style scan.

It is a kind of stealth scan:
nmap -v -sS -A -sV xx.xxx.xx.xx > filename

The above command gives you precise details on your target. -sV identifies the version information. Check the manual to know what these flags do: "man nmap" shows the manual ...

After fingerprinting the services and OS, now it's time to test for various vulnerabilities in the applications (services) and OS present on the target system. This is called vulnerability assessment. To do a vulnerability assessment, you can use the tools available, such as Nessus. Nessus is a free vulnerability assessment tool with a huge database; it is the best assessment tool.

It lets you scan for vulnerabilities on the target system. Say the target system is Win 2000 SP1 with IIS 5.0: Nessus goes back to its database and checks for vulnerabilities in Win 2000 and IIS 5.0. If there are vulnerabilities, the vulnerability assessment tool can actually catch them. However, if Nessus is not able to find a vulnerability for the target system, you cannot be sure whether the system has a security problem or not. These tools are considered automated vulnerability assessment tools. You need to know the target system's OS so you can do the vulnerability assessment on it. There are OS-specific vulnerability assessment tools, for example MBSA (scans only Windows).

NOTE: You can do the vulnerability assessment by hand; it depends on you and your skills. By doing it manually, you can discover vulnerabilities nobody knows about and keep them for your own use. It is powerful and very discreet.



After we determine which systems and services contain vulnerabilities, we can exploit them (take advantage of the vulnerability to achieve what you want).

The common vulnerabilities are the following:

OS vulnerabilities
Webserver vulnerabilities
Database Vulnerabilities
TCP Vulnerabilities
Application vulnerabilities

Malware, viruses and Trojan horses can be used to exploit vulnerabilities.

There are several automated vulnerability scanners, such as Nessus and Nikto. Security websites are a good resource for vulnerabilities, for example
Bugtraq, CVE (Common Vulnerabilities and Exposures) sites, etc. Another good source for finding vulnerabilities is hacking websites.

Let's talk about the tools:

* Nessus - an excellent tool for vulnerability assessment. However, in many cases it will run exploits to see whether the OS or service is really vulnerable or not.

* Metasploit Framework - this is not a vulnerability assessment tool. It is an exploitation tool; it contains hundreds of exploits and helps you exploit the system using a fine selection of tools.

I will now explain the common vulnerabilities ...

OS vulnerabilities: OS exploits are used to gain access to the system. OS exploits can be used for DoS attacks as well. Watch the video tutorial. Most holes come from the OS default configuration, services and applications.

Webserver vulnerabilities: web servers are the most targeted component. Everyone contacts the web server, so at first nobody can tell a hacker from a normal user. Examples of web servers: Apache, IIS, Tomcat. Once you exploit a vulnerability in your target's web server, you can get a lot of different things, such as root access (mostly), site defacement, DoS (taking the server down), theft or alteration of data on the server, or further penetration into the network.
The web server is an excellent starting point when you want to do a penetration test!

Database vulnerabilities: the software that creates databases, such as SQL Server, Oracle, etc., was not built with security as its main concern; the vendors were more interested in efficiency and in making it easy for users to manipulate the database. They wanted to make their customers happy without much attention to security issues!

TCP stack vulnerabilities: not a common method used to penetrate systems. Google it!

Application vulnerabilities: some examples of application vulnerabilities are buffer overflows, weak authentication mechanisms, poor data validation (the most common), and poor error checking.

To discover these vulnerabilities on the target machine, you need to do a vulnerability assessment. This can be done in two ways, either manually or automatically. Manually means you try to discover a vulnerability yourself, so that eventually you have vulnerabilities that nobody else knows about, which you can use for yourself or post on security sites. Automatically means you rely on a tool that searches for vulnerabilities in the target machine; this tool has a comprehensive vulnerability database and informs you of the vulnerabilities it found in the target machine based on "its" database. We'll talk about automated vulnerability assessment. The most common and wonderful tool is Nessus, which is free and open source!

Other resources: OVAL gives you a good foundation and basis for vulnerability assessment methodology. FrSIRT keeps track of vulnerabilities and the exploits for them; you can get a paid subscription, then browse the vulnerabilities available in their database and download the exploits. It is a good source for hacking or security. There are also websites that publish exploits, such as milw0rm, and hacking sites.

A closer look at Nessus: Nessus is client/server. Setting it up is cumbersome. Nessus has about 9000 plugins, so it takes time to perform an assessment. The results can be examined in a report. The report lists the vulnerabilities on the target machine with a short description of each vulnerability.

Note: You can enable more plugins in the plugins tab. You can specify a range of ports through the scanning options. To specify the target, go to the Target tab.

Once we have done the vulnerability assessment and know which vulnerabilities came out of it, we start collecting exploits for those vulnerabilities to penetrate the system.

V - Penetration and access
With all the information we have collected previously, it is time to break into the system with the exploits you have.

Time to stop collecting information and begin breaking the system. The ultimate goal is to achieve the highest level of permissions. Try unknown techniques and methods. Think outside the box!

Some exploits that allow penetration are:

* Buffer overflows
* Stack exploits
* Web vulnerabilities
* Services / applications that allow unauthenticated access.

Apart from the standard methods of penetration, here are some examples of other penetration methods:

* SQL Injection - the possibility of changing the queries in the application before they are sent to the database.

* Application Error Handling - can cause DoS. Probably one of the most common vulnerabilities you will find in the corporate world.

* Directory Traversal - browsing directories that you should not be able to reach.

* Malformed packets - one of the most difficult means of penetration; it requires a very thorough knowledge of how TCP packets are assembled and disassembled. But once you are used to it, it is probably the most effective hacking method.

* Circumventing access controls - password cracking is the most common means of getting access to systems.

* Social engineering - I assume you know what that means.

* Sniffers - grab passwords right off the wire; many protocols and applications, such as HTTP and FTP, send passwords over the wire in plain text.

* Session Hijacking - similar to sniffing, but you do not gain a password; instead you take over the entire session: you hijack the victim's session and act as if you were the victim.

Usually when you get passwords, they are encrypted, hashed or hidden in one way or another. Password cracking can be done in several ways, for example:

* Brute Force Attack - every password can and will be broken by a brute force attack. It is just a matter of time, depending on the size of the password.

* Hybrid Attack - a combination of different tools. It combines the effectiveness of brute force and dictionary attacks, often using other attack mechanisms as well, such as a cryptanalysis attack (one kind of hybrid attack).

You should know that when you sniff, you often get usernames and passwords in clear text. However, you can obtain encrypted passwords by sniffing as well. Then you need to use the cracking techniques discussed above. Sometimes cracking encrypted passwords can take hours, days, months or even more!

There is a great program called "Cain and Abel"; it sniffs passwords over the wire, it cracks them, etc. Once you install it, go to the "sniffer" tab, then go to the "cracker" tab to see what you found! There is much more to it. You must know these techniques as a security person, because if you do not, a black hat will take care of it.

Suppose now that we have already hacked into the system. We will try to do different things, such as getting root. Penetration and compromise have somewhat different meanings: hacking into a system does not mean you have compromised (taken full control of, taken over) the system.
Once you are in the system, you can take over the session between the client and the server. For example, you keep listening for login sessions, so when a remote user connects to Google, the session comes down to you. Once you have the session, the remote user will not be able to get into his account; he or she will see the page go blank (not load), think it is a connection problem, try to connect again, and everything works fine! But you already have the session, so you do not have to go through the login page to see his mailbox, because it is already part of the whole session you have taken.

Another approach: say the attacker has compromised the user's system; the attacker can drop the session onto his own machine, take it, and read and write it. After that, he redirects the user to the server, and this step makes everything work normally as if nothing bad had happened.

Here is an example of the steps explained above. After installing the "Cain & Abel" application on the attacking machine, go to the main attack screen, click the sniffer button at the top, and click the yellow button (the APR poisoning button) next to the sniffer button. This button fools the attacked system into talking to the attacker instead of the host it normally talks to. For test purposes, go and add different systems (IP addresses) to the list. Say one of the targeted IPs has a user logging in to "google"; during the authentication process you will notice various pieces of information coming to you. You are collecting information by inserting yourself into the middle of the communication process. Now check the list of what you have captured: you can see the user name and password of the user's "Google" account in plain text! So you see how dangerous this can be for your privacy :-/ ! Take care....

The first hack is not just about accessing the system; it aims at admin (root). It moves up from user level to root level. Owning the box means taking over the system, preventing the system administrator from monitoring it, and keeping other hackers out. So we usually go from a regular user level to the administrative level so we can have full control. A hacker needs privileges to compromise the system properly. Some exploits use buffer/stack overflows to obtain administrative access. All it takes is guest access; then the hacker can perform operations locally, and from there he goes for root.

At this stage we have done everything that leads to owning the box. Now our goal is to protect our access: we want to keep our access to this hacked system so we can use it later. You can maintain access using tools such as backdoor accounts, backdoor software, rootkits, etc. These tools help you maintain access. Some hackers who own a box close all other accounts except their own, so that the security person has to stop the system, reformat it and start over again.

In doing so, the hacker owns the first box. Once we have made sure we keep our access to the system, we want to expand to other parts of the network. Remember, if you do not do this on your own network, someone else will take care of it, and if he does, I do not think you will be too happy! Once you have obtained access and maintained it successfully, you want to avoid detection or loss of access. There are several ways to maintain access, such as rootkits, OS exploits, erasing tracks, installing a Trojan backdoor that you come back to, enabling null sessions (webmasters usually go into the registry and disable NULL sessions to keep this vuln. from being exploited; they usually do it once and never come back to it, so you can go in and re-enable it - NOTE: by enabling null sessions you also give other hackers a chance to get in), and much more.

There are different ways to compromise a system; how you compromise it usually depends on your objective. Examples of system compromise are root access (the ultimate goal), data access/theft, DoS, and more. Keep in mind that compromised systems can be detected after some time.

Today, after a hacker breaks into the system, he tries to hide what he did and cover his tracks. During the attack, try not to be detected so the webmaster does not shut off the server, and do not forget to cover your tracks; for example, you do not want the webmaster to see many failed logons in the log files, so you erase the tracks to avoid future detection. As a rule, move through the network like a shadow or a ghost.
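The "many failed logons in the log files" mentioned above is exactly what a defender should be looking for. Here is an added example, not from the original post, that parses a few constructed sshd-style auth log lines and flags a source with a burst of failures, noting whether a successful login from the same address followed the burst; the log format, IP addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux auth log (not from the page).
SAMPLE_LOG = """\
Aug 15 10:01:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Aug 15 10:01:04 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Aug 15 10:01:05 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Aug 15 10:01:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51025 ssh2
Aug 15 10:01:11 web1 sshd[2217]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Aug 15 10:30:00 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Aug 15 10:45:00 web1 sshd[2301]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_auth_log(text, year=2011):
    """Return a list of (timestamp, result, user, ip) for each sshd password event.
    Syslog lines carry no year, so one is assumed for the timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failures inside `window`, and
    record whether a success from the same IP came after the burst (likely compromise)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e[0] for e in evs if e[1] == "Failed"]
        for i in range(len(fails)):
            burst = [t for t in fails[i:] if t - fails[i] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]
                success = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
                alerts[ip] = {"failures": len(burst), "success_after": success}
                break
    return alerts
```

A burst followed by an accepted login is the case worth escalating: it is the pattern an intruder hopes nobody reads before the log is wiped.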

There are many methods for evading IDS so that they do not cut your attack short. Current methods for evading defenses include fragmenting packets (some programs do this, fragroute for example), port redirectors, and encoders (changing the speed, look and feel of various transactions to get past the firewall). Once you get in and fool the defenses, you want to go into the log files and erase your tracks. Remember: sometimes you get in as a user account and then become root by changing the permissions of the user account; you must remember to set the user's permissions back to what they were, things like that - you know what I mean, put yourself in a hacker's shoes. Do not remove the entire log, which may make the security person more suspicious. We want to leave everything as it was so nobody can get the idea that there was an intruder.

To be sure, you need to know where your actions are logged, delete the log files and other evidence that may give you away, use steganography (google it), and evade IDS and firewalls. All actions are logged somewhere on the system or network. Suppose the IDS detects you: what do the security people do? Usually when you get detected, they cut off all your means of access so you do not have a chance to get in again; they may follow you or hold you off, or they may decide to let you go, but stay on guard at all times.

Where are your actions logged, and what can let the security person know you hacked his system? They are stored in the log files of various applications (e.g. Apache and IIS log files), in file access times (note: there are hacker tools that allow you to change file access times), Windows registry entries, hacking tools left behind (be aware of the residual configuration you have left behind - make sure you set all settings back as they were), OS performance statistics, IDS, proxy servers (be careful how you send and receive data; if you use a proxy server, set up a tunnel through the proxy to the compromised remote host), and firewalls (usually very rich in logs).

There are different types of IDS, and an IDS can be placed anywhere in the network: network-based IDS, host-based IDS, and application IDS.

VII. Clear the tracks.

Removing the evidence of your hack is extremely difficult; you must have very deep knowledge of the system you are trying to compromise (all the preliminary steps we have done, such as scanning, footprinting, etc. will be helpful in compromising the system). It is easy to cover the well-known logs, such as web logs, firewall logs, IDS logs, etc. However, it is important to know how the default logging works. Highly skilled hackers study the target and take their time to fingerprint and footprint everything correctly. It may take a week before he hacks his target, but when he gets in, his work is done more smoothly and quietly. In contrast, others use only a few tools to break into the system as quickly as possible, without studying the target well.

It is possible to delete log files! It is simple, but usually requires administrator access. Some files/logs may be removed automatically on reboot. Do not delete the log files; it raises suspicion. If you do this, the security person may not know who the hacker was, but it will be very clear that someone broke into the system.

The most common way to hide your tracks is by using a rootkit. A rootkit is a set of tools used by an attacker after the attacker gets root access to the system. Rootkits hide (to avoid being observed) the attacker's activities on the hacked system. Once a rootkit is installed on the system, it is almost impossible to get rid of it, because a rootkit uses a technique called "hooks"; it usually embeds itself deep into various components of the OS, and effectively the operating system is a toaster once the rootkit is all set up. To do it properly, the security person must rebuild his machine when a rootkit is detected.

Steganography is about hiding a file inside another file, like malware hidden inside normal software, which makes it difficult for the firewall and AV to detect the malware. That is the basic concept of steganography. There are many tools out there that allow us to hide files inside other files.

You can evade IDS and firewalls on the sly, using a slow, randomized scanning technique so the traffic goes unnoticed; it takes time, but it also makes detection more difficult. Try to use non-standard techniques, thinking outside the box.

Remember, not everyone out there is a security expert. To secure your system correctly, you first need to put yourself in a hacker's mindset.

Now you have learned the basic methodology that hackers use to break into a system. With that done, let's take a closer look at hacking techniques such as encryption, SQL injection, sniffers and many more.

Encryption: Files can be encrypted in storage. Communication channels can also be encrypted; communication channel encryption encrypts the entire communication path, so all traffic sent and received is encrypted. For example, SSL technology encrypts the entire communication path. There are several ways for hackers to strip encrypted traffic and get the information unencrypted. If you use your own encryption method, you should always test how crackable your encryption is before using it officially.

Sniffers: Sniffers are a standard tool used by hackers. A sniffer listens to all traffic that passes over the target system, listening to the ins and outs of the transactions. Promiscuous mode is a mode in which the interface listens to all traffic that passes over the wire. A standard sniffer in promiscuous mode is the basic technique; there are more advanced techniques beyond promiscuous mode. Sniffing allows the attacker to grab plain text passwords and other sensitive data that goes "from" or "to" the target. Sniffers record the captured traffic, so after you sniff, you can go offline and start analyzing it. Popular sniffers are Ethereal, EtherApe, Ettercap, and Network Monitor (Windows only - not as effective).

Wireless Hacking: This is a new technology that is starting to take off today. Easy to install, but frequently not secured, as not many people understand the security configuration, so they decide not to set it up or implement it poorly. There are various tools that can detect wireless networks for war driving: NetStumbler, AirSnort, AiroPeek, Kismet, and many more. What is war driving? Google it!

SQL Injection: SQL injection is a technique that allows an attacker to steal valuable information from the database. This attack relies on poor data validation and poor error checking.
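To make the "poor data validation" concrete, here is an added example (not from the original post) that runs the same login check two ways against a constructed in-memory SQLite table: once with the query built by string concatenation, once with a parameterized query. The table, user names and passwords are made up for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table with sample rows (not from the page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "user"), ("admin", "Tr0ub4dor", "admin")])
    return con

def login_vulnerable(con, name, password):
    """Query built by concatenation: whatever the user types becomes SQL syntax."""
    sql = ("SELECT role FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(con, name, password):
    """Parameterized query: the driver binds the values, so they are data, never SQL."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = con.execute(sql, (name, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run a normal login and a comment-out payload through both versions."""
    con = make_db()
    return {
        "normal_vuln": login_vulnerable(con, "alice", "s3cret"),
        "normal_safe": login_safe(con, "alice", "s3cret"),
        # In the concatenated query "--" turns the rest of the WHERE clause into a
        # comment, so the password comparison never runs; the bound version just
        # looks for a user literally named "admin' --" and finds nobody.
        "injected_vuln": login_vulnerable(con, "admin' --", "x"),
        "injected_safe": login_safe(con, "admin' --", "x"),
    }
```

The fix is not to filter quotes but to stop building SQL out of strings at all; the page's other cause, poor error checking, matters because verbose database errors sent back to the client tell the attacker which of his probes changed the query.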

Buffer Overflows: Buffer overflows are common; the cause of a buffer overflow is poor coding. Buffer overflows can be noticed during coding. A buffer overflow occurs when the programmer does not clearly define the boundaries of buffers or variables. We use crafted data to insert malicious code or execute commands on the remote host. A buffer overflow can make programs freeze or crash, can bring the machine down, or you can use exploits that lead you to compromise the system. To build buffer overflows, we need good programming skills and good knowledge of the stack and of the vulnerable buffer.

You must have the ability to research, analyze and apply an exploit against a vulnerability to achieve what you want. Buffer overflows are very common, and it is difficult to produce an application without any buffer overflow at all. There is nothing programmers can do about it except write their code with overall security in mind. If an unexpected buffer overflow turns up later, by chance, programmers will still fix it. Programmers should test their code for vulnerabilities as much as they can before publishing the application.

Rootkits: this is a common hacker technique. A rootkit is a malicious program that replaces components of the OS. It does its work stealthily. A rootkit requires root permissions to install. Linux rootkits are common and you can find them everywhere, unlike Windows rootkits. It is very difficult to detect a rootkit, as it sinks so deeply into the target system. Removing a rootkit from a system is also very hard; if the security officer tries to remove the rootkit from the system, it will destroy the system, since the rootkit is deeply rooted in the OS components. The right solution is to format the entire system and install it again.

Spoofing: Spoofing is defined as making yourself appear as someone else. Examples of spoofing: you can spoof an IP address and make yourself appear to be elsewhere, MAC addresses, and emails (very easy to spoof: you send an email to someone with changed headers, and stuff like that). Spoofing generally relies on the poor implementation of TCP/IP itself or on the poor implementation of applications. The tools used for spoofing vary from one platform to another, for example IP spoofing tools and utilities, MAC address changers, etc. Spoofing is more about using your skills than about using a tool.

Denial of Service (DoS): DoS is very common. The ultimate idea is to prevent legitimate users from using the system. DoS is very simple; you do not gain anything by a DoS. Hackers do it to threaten businesses, things like that. Many methods/levels of DoS attacks exist. Examples of some ways to DoS: ping of death, window size overflow, smurf, teardrop attacks, and much more. There are many different ways to do it!

See for more (DDoS attack): http://projet7.org/releases/DDoS.txt

Web Hacking: web hacking attacks are the most popular. It is about hacking individual sites, servers or site components. The hacker's first step is to list the services (applications) on the target machine, then determine what web server software (Apache, IIS, etc.) is running on the target system. After that, the hacker runs exploits against the vulnerabilities found on the target system. It is easier to hack if the hacker knows the version of the service/software that is running.

A web server attack leads to deeper penetration of the network (moving into the target's internal network). Popular attack methods are XSS (cross-site scripting), IIS DLL vulnerabilities (IIS is very frequently used), directory traversal, the Unicode attack, and many more.

What is the Unicode attack?
Here is a rough, brief description of the Unicode attack. Say you want to put a space in a URL. If you put a literal space in the URL, the web server will not accept your URL, because it does not consider the URL valid. So if you want spaces in the URL, you must put %20 in place of each space (the number 20 represents the space), so when the URL reaches the web server, the server says OK! that is a valid URL, and processes it. The Unicode attack uses this encoding technique in a non-standard (malicious) way to attack the web server. That is a quick explanation of the Unicode attack.
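The defender's side of the encoding trick described above is to decode a request path completely before deciding whether it stays inside the document root, because a server that checks first and decodes afterwards is the one that gets traversed. This added example (not from the original post) does that check; the document root and the request paths are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root, constructed for the example

def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, so a doubly encoded
    sequence (%252e -> %2e -> .) cannot slip past a single decoding pass."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path

def resolve_request(path):
    """Map a request path to a filesystem path under WEB_ROOT.
    Returns None when the decoded, normalized path escapes the root
    or carries a NUL byte (which would truncate the name in C-based servers)."""
    decoded = decode_fully(path)
    if "\x00" in decoded:
        return None
    # Normalize *after* decoding, so "%2e%2e" is treated exactly like "..".
    candidate = posixpath.normpath(WEB_ROOT + "/" + decoded.lstrip("/"))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate
```

Note that a legitimate "%20" decodes to a space and is served normally; only paths whose normalized form leaves the root are refused.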

Nmap is the most popular hacking tool out there. The Linux command line nmap works better and is better maintained. Nmap comes with a ping utility, a port scanning utility, service enumeration and OS fingerprinting.

SuperScan is a Windows-based tool developed by Foundstone Inc. It is easy to use and a good tool for Windows.
Nessus is used for vulnerability assessment. It is an open source software kit, also available in a retail version. Nessus uses a client/server architecture; the server is installed in a central location. Nessus is available with a GUI and a command line interface. Nessus uses a database that covers the latest exploits for all types of OS and applications. The databases in Nessus are called plug-ins; hundreds of vulnerability plug-ins exist and are updated daily to include the latest exploits. Nessus requires a high level of knowledge to use the tool very effectively. You can go out on the web, download an exploit and then add it to the database. Nessus can take a long time to perform the vulnerability assessment.

By Kaila Piyush HackingArticles4all.blogspot.com
