Monday, 16 December 2013
Hack Using Default Password
Hack Using Default Password
Password hacking is complicated stage in hacking cycle since it is not only the step which allows you access in victim’s PC but it marks origin of real hacking. But before trying anything else an attacker will always try to exploit victim using default password of device used by victim. A unchanged default password is always held as misconfiguration as per hacking is concerned. An attacker at very first stage may try to crack BIOS passwords,
router passwords, switch passwords, dial-up passwords, modem passwords and passwords of other networking and communication devices by using their default password. There are several sites available which store huge database of default passwords. Following list shows some of them the list of password they store are more than sufficient, if you have this list you can breach any device with default password.
http://www.defaultpassword.com/:
So far as I know http://www.defaultpassword.com/ is biggest database of default passwords available online. You can browse through list of thousands of manufactures and their product. You can also search for specific manufacturer and its device and can also contribute list for newer default passwords.
http://cirt.net/passwords:
It is second biggest and much accurately sorted default password database as per my view is concerned. It has listed all vendors in their alphabetical order. When you click on vendors name it shows you device name, its default password and few word description about how to use it for attack.
http://www.virus.org/default-password:
Whenever you want to find out default password I will recommended try this site first. You can easily search for passwords using their navigation. Searching for password in their database is so easy you will hardly need any effort to search, since you can search by vendor name, product name and even by model number. Their database includes default password for equipments and software from many vendors including 3Com, Cisco, Nortel, IBM, HP, Compaq, Digital, D-link, Linksys, Oracle, Microsoft and many more.
http://www.routerpasswords.com/:
It is special database to search passwords for routers, select router manufacturer and press find password it will list all models along with their numbers, user-names and password.
Some other sites that store default password.
http://dopeman.org/default_passwords.html
http://www.default-password.info/
http://www.defaultpassword.us/
http://www.passwordsdatabase.com/
http://www.phenoelit-us.org/dpl/dpl.html
http://www.cyxla.com/passwords/passwords.html
http://defaultpasswords.in/
Types Of Password Attack
Types Of Password Attack
The next stage to Enumeration is system hacking and password hacking is one of the crucial part of hacking a system. Depending on how an attacker tries to attack password for hacking password attacks can be classified as follows,
Passive Online Attack
Active Online Attack
Offline Attack
Non-Technical Attack
Passive Online Attack:
In passive online attacks an attacker don’t contact with authorizing party for stealing password, in other words he attempts password hacking but without communicating with victim or victim account. Types of passive online attacks includes wire sniffing, Man in the middle attack and reply attack.
Active Online Attack:
This type of attack can be directly termed as password guessing. An attacker tries number of passwords one by one against victim to crack his/her password.
Offline Attack:
Offline password attacks are performed from a location other than the actual computer where the password reside or were used. Offline attacks requires physical access to the computer which stores password file, the attacker copies the password file and then tries to break passwords in his own system. Offline attacks include, dictionary attacks, hybrid attacks, brute force attack, precomputed hash attacks, syllable attacks, rule based attacks and rainbow attacks.
Non Technical Attacks:
This type of attacks does not require any technical knowledge hence termed as non-technical attacks. This kind of attacks may include, social engineering, shoulder surfing, keyboard sniffing and dumpster diving.
Password Hacking
Password Hacking
Password Hacking is a process of retrieving or stealing password from data in system or data that is transmitted via system. The most common way of password hacking is guessing password. In this tutorial we will try to cover most commonly used methods used by hackers to hack your passwords
.
Password Guessing:
If a hacker wants to hack your password, he may first of all take out all information about you like which is your favorite team, your girlfriend’s/boyfriend’s name, child name etc. whichever matters you most and you can remember easily. Then he creates dictionary of all those words and then tries it one by one against your account. If you want to prevent yourself from password guessing better never keep any guess-able password.
Default Password:
The most common mistake many people do is they never change default password of their accounts/devices. Even before guessing password a hacker may try default passwords only. He can get complete list of default password from www.defaultpassword.com .
Using Brute Force:
In this type of password hacking a hacker attempts to log-in with all possible combination of keys available on keyboard. This is very tedious task and a hacker may give up if he fails to crack that password for several days. Better keep long passwords with all type of characters mixed up in it.
Social Engineering:
An attacker can call as a person of importance or technical support asking for password. Social Engineering works because of human tendency to help and be kind. Whenever someone calls you for or as a technical help and as a person of importance better ask questions before you reveal sensitive information, remember world is not as good as you think. Your tendency to be kind and helpful to someone for no reason for your privacy may put you in serious trouble.
Rainbow Tables:
Rainbow table is dictionary of precompiled hashes of password. An attacker may try to compare hashes recovered from your system to the dictionary of precompiled hashes. If a match is found then that password will work against your account. A good password with characters, special symbols, letters and numbers can not be easily found in any dictionary and hence they will work defensively against hashes dictionary.
Phishing:
In this kind of password hacking an attacker creates a replica of site on which you have an account. Then anyhow he tries to make you click on link to that site and if you get fooled as it is the regular site that you visit and when you enter password he/she logs your password and even gets access to your original account. This is used for hacking email accounts, social networking accounts and even for stealing credit card numbers.
Sniffing Around Network:
Sniffing means capturing data that flows through network. Even if the attacker gets access to password hashes through network he/she can easily crack your password and if proper protection is not provided this password travel as plain text finally revealing your password to attacker without any effort.
Using Spy Software:
A spy software can not be only used to get key logs by can also be used by attacker to eye your networking habits, get complete access to your computer, download, move or delete files from your system and much more.
Computer Virus
Computer Virus
Computer VIRUS i.e Vital Information Resource Under Seize are considered as very first form of computer threats. Computer VIRUS usually replicate themselves, damage your files and are also able to distribute themselves on network. Virus is usually a executable file. It may be different or same for different Operating system.
Most of the times virus disguise themselves as system files so that they can avoid detection. Their detection prevention mechanism is so strong that a common user can never figure out, whether a file is virus or just another system file or data file.
Viruses can be classified as follows:
Boot Sector Virus:- Boot sector viruses or MBR Viruses are responsible for damaging boot records of a system. When executed they copy themselves in boot sector and load themselves every time the system starts.(MBR i.e Master Boot Record is the record stored on hard disk or bootable CD which stores information about startup of system. In other words files stored in MBR are the very first thing that is loaded in memory for execution.). Examples of boot sector virus are Form, Michelangelo, Stone, Disk Killer etc.
File Virus:- File virus, as its name suggests are made to damage your files. They can also damage your program files and hence also known as Program Virus. They usually infect executable files, system files and driver files. Example of file virus are Sunday, Cascade etc.
Multipartite Virus:- Multipartite virus are hybrid viruses. They have properties of both boot sector and file virus. So they are more dangerous than first two mentioned above because they not only infect boot sector but also system files. Common examples are Invader, Flip and Tequila.
Stealth Viruses:-Stealth viruses are able to hide themselves to avoid detection They can store themselves in memory during scanning by Anti-Virus Programs and get restored when scanning is over. Due to their this type of stealthy nature they are named as Stealth Virus. They are so well programmed that they can even hide themselves inside other files without increasing size of file. This is also one of the mechanism they use to survive from Anti-Virus Programs. These viruses are one of the most difficult viruses to detect. Common examples are Frodo, Joshi, Whale etc.
Polymorphic Viruses:- A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect. Common examples are Involuntary, Simulate, Cascade, Pheonix etc.
Macro Viruses: Virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the Normal template (Normal.dot)-a general purpose file that stores default document formatting settings. Every document you open refers to the Normal template, and hence gets infected with the macro virus. Since this virus attaches itself to documents, the infection can spread if such documents are opened on other computers. The very dangerous thing about these viruses is they are not platform specific that means a code once written can infect any OS. Common examples are DMV, Word Concept etc.
Active-X Virus: Active-X viruses are under emerging stage. They are usually executed on victims PC via web browser. The JAVA scripts, Perl scripts, Flash scripts enabled on victim's PC without any Firewall, Anti-Virus, Internet Security Suite can easily obtain access to PC. Keeping Video and Audio plug ins ready without protection can bring Active-X Virus to your party.
How you can keep your computer virus free:
Following are some simple tips that will help you keep your computer safe from viruses,
1.Never open any pen-drive by double clicking on it open it by address pane from my computer.
2.Always keep your auto play option off.
This is how you can do it, for windows xp from start menu, click on run command write "gpeit.msc" and press enter “group policy editor” will open in front of you, now navigate
user configuration-->administrative templates-->system, find out "turn off autoplay" and make it enabled. For vista and 7 you can directly turn it off by control panel.
3.If you are buying a computer make sure you buy only original OS for it, a legal system gets updated and also gets support from vendors. A pirated copy of OS may itself contain any malicious code that may even help viruses to stay hidden from anti-virus.
4.Always keep your system and anti-virus updated and use firewall while on Internet.
5.Always keep hidden folders option and hide file types disabled, to do this open any instance of "explorer.exe" goto
tools-->folder options-->view
now disable options "do not show hidden files and folders" and "hide extensions of known files". This will help you keep eye on suspicious files and folders.
Malware
Malware
Malware, the word itself is derived from two words malicious software. Thus a malware actually represents a malicious code. A malware can be defined as a software or firmware that is intended to perform unauthorized and unwanted process that will result in confidentiality, integrity and availability of information. A malware code can be written in any language and for any device including computers, PDA’s, mobile phones etc.
Though it is defined that a malware affects on confidentiality, integrity and availability of information, its adverse results are not only limited to information security. It may also result in loss of any digital/electronic property, stealing of information, penalizing dependability, usability, performance and privacy. Privacy is biggest factor that comes in play today due to malware . You may have noticed that malware is most of the times interchangeably used with virus, its just because virus was the very first type of malware, malware is also known as badware or harmware.
Classification Of Malwares:
VIRUS:
Better known as Vital Information Resource Under Seize(VIRUS) is very first form of computer threat. They can replicate themselves and can also cause severe damage to data and information. They can hide themselves in other files and can also go in stealthy mode to avoid detection. Most of the times a VIRUS is a executable code.
Worms:
Worms are just capable of everything that a virus is capable of but its main feature is it can easily replicate itself on network and hence worm is also known as network worm. A worm is able to creep easily among systems as hence known as worm. A worm always needs a vector for creeping like email attachments, IM chat clients or IRC.
Trojan:
Trojan is a malicious program/code which is used for remote access to target computer and then attack using unauthorized access to target or victim's computer and causes damage to the system. Trojan is a small hidden code inside another program that's why it easily enters system without knowledge of computer user.
Spyware:
A spy ware is a piece of malicious code installed in system to monitor activities of person using the system. Basically idea of spyware also came from system monitoring tools.A spyware is capable of logging key strokes, also it can take screen shots and if you have Internet connection then it can even mail logs to specified email-address or transfer logs via ftp to designated location. Beyond just monitoring it can record your computing habits including which site you browse more, at what time you prefer to be on system or amount of time you spend on computer. A spyware can be used to track all information about your social-networking and IRC(Internet Relay Chat) Clients including all major and minor chat clients example: Google Talk, Rediff Messenger, Yahoo Messenger, Microsoft Live Chat absolutely every thing related to IRC client is exposed to spyware.
Backdoor:
Backdoors can be termed as a malicious code which gives access to an intruder to your system. A backdoor can provide partial or complete access to an attacker to your system. A backdoor can provide an attacker almost unlimited rights as an administrator and allow him/her to install applications and malicious code in your system. A backdoor is generally used to access system remotely and steal personal information including e-mail id' s, members information and credit card numbers.
Rootkit:
Root-Kit grants almost unlimited rights to attacker and attacker has full access to all hardware, software and services running on victim's system. An attacker can use Root-Kit to install backdoor or key logger on remote system. Root-Kit hides itself as system program and some times may not even appear in process lists.
Embedded Malicious Code:
As stated earlier a malware can be software or firmware, it must be clear a system hardware or a software might be already embedded with malicious code.
Crimeware:
They are malicious codes used for performing crimes related to computers. It may include use of one or more malware already available in list.
LDAP Enumeration Tools And Counter Measures
LDAP Enumeration Tools And Counter Measures
When we covered LDAP enumeration we left tools part for discusing later. Now its time to have a look on every tool one by one. Lets start with LDAPminer, a free command line tool
.
LDAP Miner:
Download LDAP Miner from,
http://sourceforge.net/projects/ldapminer/
LDAP miner is free LADP enumeration tool. It is written in C and source code is also available for study and modification. It can collect information from different types of LDAP servers by identifying its type of server and then fetching specific information.
Syntax:
ldapminer.exe -h host/IP_address option
We have discussed options in LDAP Enumeration. Better use -d option
Example:
C:\Ldapminer>ldapminer.exe -h 127.0.0.1 -d
replace 127.0.0.1 with IP address you want to scan.
JXplorer:
JXplorer is a free general purpose LDAP browser used to read and search any LDAP directory. It needs Java virtual machine for installation and execution.
Some of the powerfull features of JXplorer includes,
-Supports standard LDAP operations {add,delete, modify}
-Can copy and delete tree structure
-SSL and SASL authentication
-Pluggable security providers
-Multiplatform support including Windows, Linux, Solaris, HPUX, BSD, AIX
-HTML type data display
JXplorer has many features that can not be easily included in scope of single post, I’ll better recommend you read their online manual for updated infomation on how to use JXplorer.
Softerra LDAP Browser/Administrator:
It is free LDAP client designed specially for windows. It is capable of detecting and accessing different types of LDAP directories and can support following Open Standards,
DSML
XML-RPC
XSLT
Since its functionalities are not limited as compared to JXplorer using it is not a kid’s job, better have a look on their online manul for more information on usage.
Prevention Against LDAP Enumeration:
Now that’s really tough job since preventing an Active Directory from LDAP enumeration is not quite piece of pie because its not really possible to prevent it from users accesing it from internal network. To solve this problem you will need a software named Citrix. Now as an intelligent question you might ask why Citrix? Because Citrix provides power of virtual computing and authentication that means none of the user will be allowed access to Active Directory unless he/she passes Citrix Session by disallowing anonymous LDAP queries. For more information visit www.citrix.com .
Understanding LDAP enumeration is little difficult from enumerating other things because there are lot of things that had to bought into condsideration and the attacker must have good knowlegde of at least Windows 2003 and Active directory configuration. If understanding LDAP enumeration is proving difficult for you don’t get disappointed, better read few tutorials about Windows 2003 configuration and Active Directory(can be easily found on by googling) you will surely get hands on it soon. Thanks for reading and keep visiting.
LDAP Enumeration
LDAP Enumeration
The Lightweight Directory Access Protocol(LDAP) is used to access directory listings within an active directory or from other services. A directory is compiled in hierarchical or logical form. It is suitable to attach with the Domain Name System(DNS) to allow quick lookup and fast resolution of queries. It generally runs on the port 389 and other similar
protocols.
Sometimes, it is possible to query LADP service anonymously. The query can reveal information like valid usernames that can be further used for performing attacks.
Both command line and graphical tools are available for enumerating LADP.
LdapMiner:
It is command line tool that collects information from different LADP servers by identifying its type of server and then fetching specific information.
Syntax: ldapminer.exe -h host_ip options
-p [port]: default is 389
-B [bind]: default user null
-w [password]: default user password null
-b [base search]: search user, group
-d [dump all]: get all information
Example:
C:\>ldapminer.exe -h 127.0.0.1 -d
We will cover how to use Graphical tools in next section to this. Till next post just remember JXplorer and Softerra LDAP Browser are graphical tools available to enumerate LADP.
DNS Zone Transfer
DTransferNS Zone
In this post we will learn about DNS zone transfer in windows 2000 server. Before we continue to zone transfer, lets clear some of our doubts about zone transfer. In windows 2000 server clients use service records known as (SRV) to locate domain name services. The service records may include services like Active Directory*. This means every windows 2000 domain must have a DNS server for its network to operate.
So in all a windows based domain has two DNS server, the one which keeps information is known as primary DNS and the one who updates its information from it is known as secondary DNS.
*Active Directory: Active Directory is a scalable directory service that stores information about networking components, and makes this information easy for administrators and users to find and utilize. A directory is a listing of objects that uses a hierarchical structure to store information about objects such as users, groups, computers, and applications. This structure is often referred to as a tree, as it starts with a root and develops from there. Active Directory acts as the central authority for security, and it brings together various systems as well as management tasks.
Now question arises why 2 DNS?
So here’s the answer, windows 2000 is very much integrated with DNS (Domain Name System) and Active Directory heavily relies on DNS for finding objects in directory. Since DNS is used for providing name resolution to IP addresses windows 2000 domains has to be kept compatible with them.
Windows server manages a Dynamic DNS specially for providing services via Active Directory, this is done because services can manage them-self if they operate dynamically whereas a static DNS has to be managed and monitored manually. While static DNS will work, Dynamic DNS should be used to maximize the benefits of Active Directory. Data is replicated to each DNS server when Active Directory’s replication is used. Redundancy and fault tolerance can also be provided when other domain controllers are configured as DNS servers and make changes to the DNS information.
Now what is zone transfer?Zone transfer is a method via which a secondary DNS server tries to update its information from primary DNS. An attacker can fake out its computer as secondary DNS and can retrieve information from primary DNS. Even a simple nslookup command can reveal lot of important network information.
How to perform zone transfer manually?:
Open command and type following commands one by one,
c:\>nslookup
>set all
>domain_name
>ls -a domain_name
In above image you can see I tried a zone transfer, the output shows that the remote server has refused DNS zone transfer. Output will be different when you’ll try it on a server that supports zone transfer.
Here I am listing out several tools that can be used for zone transfer but my choice is SuperScan.
Command Line Tools:
User2SID
ENUM
SID2User
UserInfo
Graphical User Interface:
GetAcc
SMBF
SuperScan
Counter Measures Against DNS Zone Transfer:
Configure the server to respond only to authorized IP address for zone transfer.
Add IP address that will be allowed for zone transfer.
Countermeasures Against SNMP Enumeration
Countermeasures Against SNMP Enumeration
In last section we saw how we can enumerate SNMP. Since SNMP can reveal plenty of information that can be used for hacking, it is quite necessary to prevent SNMP enumeration. In this post we will learn how we can create a strong defense against SNMP enumeration.
The best way to avoid SNMP enumeration is to remove SNMP agent from target system or turn off the SNMP service. If that is not possible then follow the following steps.
Enable the option in Group Policy Security option called Additional restrictions for anonymous connections. Also restrict access to null session pipes, null session shares and IPSec filtering.Additionally block access to TCP/UDP ports 161.
SNMP Enumeration
SNMP Enumeration
I know SNMP enumeration is not really a hot topic as per today but still I think we must cover it for educational purpose. So before we proceed lets have our look on some basic terminologies related to SNMP.
What is SNMP?: Simple Network Management Protocol i.e SNMP is an application layer protocol used to manage TCP/IP based networks.
SNMP Agent: A device that can communicate with SNMP protocol.
SNMP Manager: It is an entity which sends requests via SMNP to its SNMP agents.
MIB: Management Information Base (MIB) provides a standard representation of SNMP agents available information and where it is stored.
Traps: Traps let the SNMP manager know about activities at SNMP agent. Activity might be reboot, device failure or any other suspicious activity.
SNMP requests/response are sent over UDP port number 161 and notifications are sent over port number 162.
What is SNMP Enumeration?: It is process of using SNMP to enumerate user accounts and devices on a target system. SNMP has two passwords to access and configure the SNMP agent from the management station. The first is called a read community string. This password lets you view the configuration of the device or system. The second is called the read/write community string, its for changing or editing the configuration on the device.
By default read community string is public and read/write community string is private. If these passwords are not changed they can be used by an attacker to enumerate SNMP as SNMP Manager. If the default password is not as above other default passwords can be found on www.defaultpassword.com.
SNMP Enumeration Tools:
SNMP Util:
SNMPUtil is a command line tool which gathers Windows user accounts information via SNMP in Windows system. Information such as routing tables, ARP tables, IP Addresses, MAC Addresses, TCP/UDP open ports, user accounts and shares can be obtained using this tool.
Syntax:
C:\>snmputil {get|walk|getnext} {machine name} {Object Identifier}
get: This command gets the value of the requested object identifier.
getnext: This command gets the value of the next object that follows the specified object identifier.
walk: You use this command is used to step through (walk) the Management Information Base (MIB) branch that is specified by the object identifier.
Object Identifier: It specifies branch of MIB as defined in SNMP protocol. They are long, clumsy number which are really very difficult to remember. They all have their string equivalent but even they are hard to remember. Following is list of sting values,
ren’t they hard to remember therefore I would not recommend this tool to anyone because remembering all those stuff is damn difficult. We have an excellent graphical tool instead of this tool I’ll better advise you to opt it.
Example:
C:\>snmputil.exe walk 192.22.0.24 .server.svSvcTable.svSvcEntry.svSvcName
This will list services.
IP Network Browser:
IP Network Browser is tool from Solar Winds Engineers Tool Set. It is graphical tool and can be easily used for SNMP enumeration.
Solar Winds Engineers Toolset
IP Network Browser
I think there is no need to explain working of IP Network Browser because it is damn easy to use.
In upcoming post we will cover defenses against SMNP enumeration. Till then don’t forget to let us know about your views on this post and ask if you have any difficulty.
Restrict Anonymous On NetBIOS
Restrict Anonymous On NetBIOS
In previous posts we saw how we can enumerate NetBIOS manually then by using tools. Here we will have our look on how we can counter NetBIOS Enumeration and null session attacks on system. Null session attacks can be avoided by restricting anonymous connections over NetBIOS. It can be done in following manner.
Press “Win+R”, a “Run Window” will come up, type “regedit” in it and open registry editor, alternatively you can type “regedit” on command prompt and access registry editor.
For Windows XP/2000 create following registry key:
HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=2
Now reboot your system.
For Windows XP Professional and Windows 2003:
HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=1
HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymousSAM=1
Now reboot your system.
For Windows NT 4.0 or further:
HKLM/System/CurrentControlSet/Control/LSA/RestrictAnonymous=1
Now reboot system.
Further remove hidden share IPC$, stop SMB services, to perform these tasks open command prompt and type,
C:\>net share IPC$/delete
C:\>net stop SMB
Now configure your firewall to disallow services asking for connection over NetBIOS by blocking ports 135, 137, 138, 139.
NetBIOS Enumeration Tools
NetBIOS Enumeration Tools
In our last section we covered how to enumerate NetBIOS manually. Now we will have our look on tools that can be used for NetBIOS Enumeration . There are several Graphical User Interface (GUI) tools as well as Command Line Interface (CLI) tools available, here I will list only some of them and tell you about my personal preferences.
GUI Tools:
SuperScan:
You might be knowing we have already covered superscan before leaving enumeration part for this post. Now since we covered basics of enumeration I hope you'll not encounter problem using “Windows Enumeration” option in superscan.
MAC Address: Media Access Control (MAC) is unique address given to Network Interface Card(NIC)
RPC Endpoint Dump: Remote Procedure Call (RPC) is a service that runs on a system and allows remote task execution. Every RPC service uses TCP/UDP protocol to communicate with clients. There might be case that an RPC is allocated port number dynamically with or without static IP address. Here RPC Endpoint service comes to play, it tells procedure about the port number RPC is using.
I hope we have already covered all other terminologies related to enumeration.
WinfingerPrint:
WinfingerPrint is tool of my choice for enumeration. It have nearly everything for enumerating a windows system and it also supports batch processing.
CLI Tools:
Please note that each command line tool provides its own switches for operation. Please have a look on their help pages for information on how they work. There is no unneccessary details available on help pages than swtiches and their use. They hardly make 15-20 lines, so please go through them to grasp material throughly.
THC-Amap:
It is next generation scanning and enumeration tool. It performs fast and reliable application protocol and port detection. Banner grabbing via amap is almost impossible to detect.
NBTScan:
As a command line tool NBTScan is my choice. It performs full test and creates HTML file as an output unlike other command line tools.
Other Tools For NetBIOS Enumeration
1.Hyena
2.Dumpsec
3.NetBIOS Auditing Tool
4.NBTEnum
Here we complete our NetBIOS enumeration, in further post we will discuss how to prevent NetBIOS enumeration and then pick up topic SNMP enumeration. Till then don't forget to tell how was the post and please feel free to ask if you have any difficulties.
NetBIOS Enumeration And Null Session
NetBIOS Enumeration And Null Session
Net BIOS null Sessions occurs when you connect any remote system without user-name and password. It is usually found in systems with Common Internet File System (CIFS) or Server Message Block (SMB) depending on operating system. Once attacker is in with null session he/she can explore information about groups, shares, permissions, policies and even password hashes.
Null session attack uses vulnerability in SMB protocol for creating connection because it uses SMB uses trust for any kind of relationship between devices available in network.
By default null sessions are enabled in Windows 2000 and Windows NT. Actually it is also enabled by default in Windows XP and Windows 2003 Server but they don't allow enumeration of user accounts. Any of the following port must be open to perform NetBIOS enumeration and null session attacks because they represent SMB and NetBIOS is supported by network.
Port 135 - Remote Procedure Call (RPC)
Port 137 - NetBIOS Name Service
Port 138 - NetBIOS Datagram Service
Port 139 - NetBIOS Session Service
Please note that all above services may use any of the TCP or UDP protocol.
The method to connect to remote system via null session requires you to connect to any device or share. By default in all windows systems Inter Process Communication (IPC$) runs as hidden share($ denotes share on remote system). We can say that IPC is null session share.
Now to check whether the system is vulnerable to null session or not type following commands.
C:\>net use \\IP_Address\IPC$
For example
C:\>net use \\192.168.56.1\IPC$
Next type
C:\>net use \\IP_Address\IPC “”/u:“”
where “”/u:“” denotes you want to connect without user-name and password. Now explore further information.
C:\>net view \\IP_Address
will show you list of shares, computers, devices, etc.
So here we complete how we can manually perform NetBIOS Enumeration and Null Session attack. In further posts we will cover some tools that are used for the above purpose and then available countermeasures. Till then practice above method of enumerating NetBIOS and tell me if you have any difficulty. You can try your own IP address(127.0.0.1) to enumerate if you want. Please ask if you have any problem using above commands and please practice hacking is practical thing you can never learn without practicing.
Nessus On Linux
Nessus On Linux
In last tutorial we saw how to use nessus on Windows. But as told earlier nessus is multi-platform vulnerability scanning/assessment tool. In this section we will cover how we can use nessus on Linux platform. The installation process in Linux is not as straight forward as in Windows. So lets cover it first.
Since Nessus is supported by number of Linux distros we will list some most commonly used Linux distros to demonstrate installation process. Download nessus for your respective Linux Distro.
For Red Hat, Fedora, Suse Slackware:
#rvm -ivh <nessus_package_name>
For Debain, Gentoo, Ubuntu and its varients:
#dpkg -i <nessus_package_name>
Next step will be adding users since nessus runs as client-server even on Linux box, to add user type following command without any option.
# /opt/nessus/sbin/nessus-adduser
After typing above command it will ask you about details of user you want to add. Provide details and password. Next type the command as it is, sent for nessus registration by Tenable to your inbox. To start nessus server type,
# /etc/init.d/nessusd start
Once your nessus server starts connect to it via browser typing following command,
https://127.0.0.1:8834
If you are connecting nessus for first time your browser will surely give error as faulty SSL connection select “continue anyway” or “add to exception”. Whichever appears on your browser screen. Rest you can continue as you did in Windows
Tuesday, 30 July 2013
Nessus On Windows
Nessus On Windows :
Nessus is one of the well known and most used vulnerability scanner program. Nessus was built for UNIX platform but now also supports Windows platform. Nessus runs as client server program and available as free and professional version. Download and register your e-mail with them and they will send you information about how to register and use it. Once installation is done you will have two icons one with name Nessus Server another with Nessus Client first of all open Nessus Server and add users in it. Then open Nessus Client and log in, after log in you will see interface as follows,
Please Open Images In New Tab
First of all you will have to define some scan policy to scan target system. For that click on “Policies” then “Add Policy”. Its not difficult to understand how to define general section in policy but if you don't know much about different OS and networking I would better suggest let other options to their defaults.
Next step is to add scan, click on “Scan” and then “Add Scan”, type IP address you want to scan else you can also insert a text file with IP addresses of targets but for now just scan your own computer. Once you press “Launch” button your scan will begin. After scan is complete have your look on vulnerabilities found in target system.
For now don't bother about how to exploit vulnerabilities for hacking purpose that we will cover in “Enumeration” and “Gaining Access/System Hacking” phase. As an honest advice I would recommend you not to limit your self to this tutorial and find more tutorials on www.YouTube.com . Thanks for reading and keep visiting.
Create Con Folder In Windows
Create Con Folder In Windows
Now many times you might have heard we can't make con folder in windows. The reason is “con” name acts as system device for windows shell. Where “con” means “Console” that is your keyboard its not just con but there are some other names too that are disallowed to use as folder name since they also act as device name. For example,
com1 : communication port-1
com2: communication port-2
lpt1: line printer-1
lpt2: line printer-2
that means is it impossible to create folders with these names, the answer is names. If it was impossible then why the hell I am writing this post for. You can't create con folder using windows GUI by right clicking and adding new folder entry for this you have to use command prompt.
Open command prompt and type,
C:\>mkdir \\.\\c:\con
where c:\con should be full path to the location where you want to create con folder. Once created you'll not be able to delete this directory as you normally delete other directories. To delete it type whole command as it is as you typed to create it and then replace mkdir with rmdir.
In same way you can also create and delete other folder names which windows does not allow by default.
Enumeration | Basic Terminologies
Enumeration | Basic Terminologies
What is Enumeration ?
It is process of identifying potential user account that can be used for hacking target system. It is not compulsory that you must get administrative account because in most of the cases privileges of a normal account can be raised to make it super user thus granting him administrative privileges therefore enumeration phase is also known as escalating privilege phase. It may also include identification of devices and shared files and folders.
NetBIOS:
Better known as Network Basic Input Output System it provides services to OSI model(specially session layer) allowing several computers to communicate in Local Area Network (LAN). Main services of NetBIOS includes registering a group name from computer connected in LAN and making them communicate with other computers in LAN and share devices.
Network Shares Or Just Shares:
It means any device or file that is connected in network for sharing. It may include file, folders, hard disks, printers etc. Shares play important role in remote system hacking, so information about shares can help you escalate privileges.
SNMP:
Better known as Simple Network Management Protocol used for managing different devices on network. It may include hubs, switches, routers, printers, hard disks, computers, servers etc.
SMB:
Better known as Server Message Block is Microsoft's protocol defined for sharing file and printing services. Though protocol is old it is still used in most of the systems.
Null Session:
It is process in which a person can log into computer without user-name and password. Though this situation is very rare today we will just have our look on it. NetBIOS null session is vulnerability found in Common Internet File System(CIFS) or SMB due to which a hacker can access computer or device without account and password. Once Null session is got we can find users, devices and policies defined for network.
network monitoring tool
Dear visitor if you have not yet created your lab setup then please set it up now. To know more about lab setup read Basic Lab Setup For Hacker. Because now onwards the tutorials that we will cover will need more than one PC. I know many of you might not be having multiple PC's for practice hence I have specially covered how to setup your Lab with single PC using VirtualBox. I urge you if you are serious about learning hacking in legal way then install at least two Windows-XP in it and two different Linux distro better if one of them is mini Linux distro. Better setup your lab in requested way so that we can cover enumeration easily. Thanks for reading, please don't forget to tell me about your difficulties be sure I 'll answer them, keep visiting.
Fingerprinting OS
Fingerprinting OS
Fingerprinting is a process in scanning phase in which an attacker tries to identify Operating System(OS) of target system. Fingerprinting can be classified into two types
-Active Stack Fingerprinting
-Passive Stack Fingerprinting
Active Stack Fingerprinting involves sending data to the target system and then see how it responds. Based on the fact that each system will respond differently, the response is compared with database and the OS is identified. It is commonly used method though there are high chances of getting detected. It can be performed by following ways.
Using Nmap: Nmap is a port scanning tool that can be used for active stack OS fingerprinting.
Syntax: nmap -O IP_address
Example: nmap -U 127.0.0.1
Using Xprobe: It is UNIX only active stack fingerprinting tool. Also runs on Linux, it can not only detect OS but also devices and their version numbers.
Syntax: xprobe2 -v IP_address
Example: xprobe -v 127.0.0.1
Passive Stack Fingerprinting involves examining traffic on network to determine the operating system. There is no guarantee that the fingerprint will be accurate but usually they are accurate. It generally means sniffing traffic rather than making actual contact and thus this method is stealthier and usually goes undetected. Passive stack fingerprinting can be performed in following ways.
Using p0f: It is passive fingerprinting tool. Both windows and Linux versions are available.
For Windows:
Open command prompt and type
C:\>ipconfig
it will list all Ethernet card available in your system, note the number of Ethernet on which your connection is running, in my case it is two. Now type “p0f -i card_number”
C:\p0f>p0f -i 2
Now try to connect to the system you want to fingerprint leaving command prompt open and p0f will detect OS.
For Linux:
In Linux you will need to install it first. If you are using Red Hat Linux and downloaded a rpm package then browse to the folder where you downloaded rpm package and run following command.
#rpm -i package_name
else if you have configured yum for download from repository type following commands.
# yum clean all
#yum list
#yum install p0f
If you are using Debian based or Gentoo based Linux and downloaded deb package then browse to the folder and type following commands,
#dpkg -i package_name
else if you want to install from repository then use following commands
#apt-get update
#apt-get install p0f
if you are using super user then don't forget to prefix “sudo” before type “ap-get” command.
Now open command prompt and type following commands,
#p0f -i eth0 -vt
where “i” means interface “eth0” is your communicating card “v” means show results in verbose mode and “t” means add timestamps to output. Now try to connect to remote system and fingerprint its OS.
Using NetCraft:
Go to the site of NetCraft and type IP address of target you want to fingerprint in “What's that site is running”. It'll give you its OS.
I hope that was quite easy, if you have any problems using any of the above tools then please don't hesitate to ask. I am here to help, thanks for reading and keep visiting.
Some More Methods To Grab Banners
Some More Methods To Grab Banners :
I hope you enjoyed reading last post on banner grabbing. Here in this post we will discus some tools that can be used to grab banners and we will also have our look on some of the tools that can be used for preventing our banners from getting grabbed. Following are some tools that helps in banner grabbing.
NetCat:
Net-Cat is TCP/IP debugging tool that can be used for banner grabbing. Download Netcat from its official site, its free. Have a look on its documentation about how to use it. Following command works same as telnet for netcat and helps grabbing banner.
C:\netcat\>nc ip_address 80
(Press enter twice and if it doesn't work then type following)
(HEAD /HTTP/1.0 and press enter twice)
Httprint:
Httprint is web server finger printing tool. It uses server signature to identify version of web application running on server. Download it from its official site again its free. I don't think there is need to explain how it works since their own help documentation is very small and easy to understand. Give it a try if you still don't understand how to use it ask me. I'll include a new post on it.
Miart HTTP Header:
Miart HTTP Header tool identifies banner information from HTTP Header and response type. Using it doesn't require any skill just enter URL in input box and press enter.
Prevention Against Banner Grabbing:
Preventing Apache Server And Its Derivative:
We can't say that there is some tool or specific method available via which we can stop banner of Apache from getting grabbed but if you'll have a look on its documentation, you'll find its not even difficult either. Actually full information about Apache and its derivative related problems and their solutions is included in their documentation and they differ for each version. Since they differ for each version I 'll recommend read its documentation to stop Apache giving out valuable information.
Preventing IIS Server:
IIS shares some advantages over Apache since various tools are available that help IIS server to defend itself against banner grabbing.
IIS Lockdown:
Its works by turning off unnecessary features thus providing multiple layer protection. Download it from www.microsoft.com .
Server Mask:
Server Mask removes every detail from website about it is using IIS server including removing all finger printing traces. It removes HTTP headers and also encrypts signatures thus providing protection against signature based banner grabbing.
Page Xchanger:
It is content negotiation tool. It cleans all URLs from extensions and hence make them appear more clear and navigable. It negotiates with every file and extension making site more secure since your site will show nothing about files, extensions and default error messages.
Banner Grabbing
Banner GrabbingBanner Grabbing is process in which an attacker tries to find out application version installed in victims PC. In this following tutorial I 'll try to elaborate in short how we can grab banners. Note that errors are best friends as well as worst enemies of programmers as well as hackers since they reveal enough information that can be used against victim for exploitation. After we cover banner grabbing we will have our look on how we can prevent from banner being grabbed.Banner Grabbing Using Telnet:Telnet(previously known as Telephone Port) is one of the robust inbuilt tool that every OS has can be used to grab banner. In fact banner is grabbed using this technique is successful just because when we send wrong information to wrong port the victim returns with error message which also has banner information. Type the following in command prompt but before that be sure that telnet port number 23 is open by scanning via nmap.C:\>telnet victim's_IP 80HEAD/HTTP/1.1 (now press enter twice)HTTP/1.1 200 OKDate: Mon, 11 May 2010 22:10:40 ESTServer: Apache/2.6.01 (Unix) (Red Hat/Linux)Last-Modified: Thu, 16 Apr 2009 11:20:14 PSTETag: "1986-69b-123a4bc6"Accept-Ranges: bytesContent-Length: 1110Connection: closeContent-Type: text/htmlAs you can see if the victim has not configured his/her system properly, we can get information like this which reveals our victim is using Apache server along with its version. Same also applies to any other server.Banner Grabbing From Error Pages:Every server is configured to return some specific type of error message for known types of problems this can be used to grab exact type of server the victim is running. Please have a look on following error page,
In All:Development Tools: HTML + PHP v5 + MySQLMail Agent: Squirrel Mail v1.4.6-1Grabbing Banner From Page Extensions:This only means just have a look on URL to find out what application our victim might be using. Here you might need some good knowledge of programming to identify application version. To gain application version you have to save page on your hard disk and view page source then use your experience in programming to deduce version of application, once application is known. I am really sorry this type of version detection is not possible to be taught, it needs programming experience so for this kinda detection you need to be good in web development. .asp/.aspx: This sure-shot means victim is running Microsoft Active Server Pages technology..jsp: Java Based web technology. Most of the time database used is MySQL with JSP, this can be used as guess.PHP: PHP + HTML.cfm: Macromedia Cold Fusion.asmx .Net/J2EE.jws Java web services.wsdl Web Service Definition Language (WSDL)Note that extension may appear anywhere in URL so you must have keen look on it, next when extension doesn't seem familiar, Google with extension and you will surely get what kinda web development tools the victim has used.Banner Grabbing Using Net Craft:Net Craft is anti-phishing toolbar which also allows OS detection and banner grabbing. Browse to www.netcraft.com and type name of website you want information after “What's that site running”.
Now lets see what information it reveals,Server: Apache 2.0.63OS: Red Hat Enterprise Linux 5SSL Tool: OpenSSL 0.9.8Above page is displayed by Apache when you type URL that does not exist on victim's server.If you find any button with input, leave input blank and press button it'll reveal you programming language used for web development. Following error page is got when I pressed submit button leaving input fields blank.
The above error page shows victim is using external web mail program “Squirrel Mail v1.4.6-1” and also used PHP as development language now as per our knowledge is concerned Squirrel Mail needs PHP v5 as a intelligent guess “Squirrel Mail + PHP v5” we can conclude the victim must be running MySQL as its database server. But its just a guess but while port scanning you have found 3036 port open that means we can be 100% sure yes its MySQL server.
Saturday, 13 July 2013
Prevention Against Google Hacking
Prevention Against Google Hacking
Previous to this we saw google hacking basics and some advanced google hacking operators. In this section we will see how to provide protection to your website from google hacking queries.
Website Cloaking:
It is a method where website is programmed to give different output to different IP address. For this a programmer first finds out IP with which search engine bot search for web pages then gives it different output when it comes to their website. Please note that not all pages are cloaked just the pages of importance are cloaked.
Google Hack Honeypot:
Google hack honeypot(GHH) is reaction developed to malicious kind of web traffic that hackers use to get information. It is open source and also supported by google itself.
Proper Configuration:
Proper configuration of website is necessary. Companies should not link their internal networks with company website. If it is necessary then make sure there should be proper configuration which should not allow external entity to enter internal networks of company.
Backup Storage:
Backup storage of website should not be kept on same server where the website is running. Use external space to store backup because backup pages can reveal more information than regular information available online.
Take Privacy Registration For Website Domain:
Taking privacy for domain will disallow attacker's to gain domain and name information about your site. Many web hosting services now offer you online privacy, this step can hurt attackers information gathering phase very badly.
Tuesday, 4 June 2013
Track Email Delivery
Track Email Delivery
Read Notify:
www.ReadNotify.com is professional e-mail tracking service. Service is paid and hence when you'll register they will offer you only 25 credits for demo. Service is damn good and complete information about your e-mail is traced out. It not only returns information about your mail got read or not but also brings information about IP address, time, location, web browser used and OS used to read sent email. It will also send you information about the mail has been forwarded or not or how many times it got read by recipient. Read Notify is most trusted email tracking service and hence used by many companies and even spammers.
To check out how a receipt appears click here.
Get Notify:
www.GetNotify.com is free counter part to www.ReadNotify.com. It also tracks emails but details are not as detailed as Read Notify. I have heard from many people that its service is not good but believe me they are not as detailed as Read Notify but their service isn't that crap. I am using it since one year and I don't have any complaints just because it never gave me any chance, so if someone has defamed Get Notify in front of you, try it before you accept his/her words, I guarantee you'll find the defamer wrong.
As a personal judgment I don't deny Read Notify is better than Get Notify but its not that bad either and don't forget it's 100% free, you have to compromise a little on free stuff. As a final verdict I 'll say Read Notify is best email tracking service whereas Get Notify is best free email tracking service.
How They Work:
Both use a same kind of strategy they ask you to embed email with a mini image provided by them while sending e-mail(Please note that this image is so small to get detected). When email is opened, this image sends all information about email to the person asked for receipt. No matter images are enabled or disabled this image will surely send information.
Don't bother about how you gonna use service because after registration both provide a cool video that demonstrates how to use their service and get most of it.
Thanks for visiting. Have a nice time and please don't forget to tell me about what you feel about above information about tracking email delivery.
Browse Anonymously
Browse Anonymously
How can I browse anonymously or stay invisible online ? Is these among those questions which bother you for keeping your privacy online. Anonymizers, proxy servers, VPN and VPS are some options that can help you out. All above services are also offered as paid service but for here we will just have our look on free services.
Anonymizers(anonymity server):
Anonymizers are nothing but proxy servers which act as browsers inside browsers for surfing, their advantage is that they digest everything from the page you want to visit and hence can not only protect your privacy but can also prevent you from online malwares. I 'll not recommend you using some specific anonymizer since firewalls block them someday so better visit http://www.proxy4free.com/ which updates list of anonymizers every hour so that you must get a working anonymity server. Alternatively you can use a TOR browser which really guarantees 100% anonymity. Download TOR from http://www.torproject.org/.
Proxy Servers:
Proxy servers needs some manual settings from your internet configurations. Proxy server lift the limitation that anonymizers had of only being used in browser by making proxy IP available for every application that needs internet connection. Visit http://www.proxy-list.org/ for fresh list of proxies.
Alternatively you always have option of using a proxy generating software, following is brief list of proxy software with their download link have your pick.
Surf Anonymous Free
TOR
Proxy Way
Your Freedom
Ultra Surf
Free Gate
Gtunnel
Gapp Proxy
Hyk Proxy
Gpass
Hot Spot Sheild
Tunnelier
Please don't ask which is best among them, its hard to say since working of proxy depends upon load on proxy server and it may vary with time. As my personal preference I use TOR and Ultra Surf when need proxy level anonymity. Please don't use transactional type browsing like e-mail, social networking or financial transactions over proxy servers, its not safe and still anyhow you want to use them better not use anything else than TOR.
Virtual Private Network:
VPN's are most trusted way of hiding online even secure than proxy servers and anonymity servers. Following is list of some software that provide free VPN services.
Ultra VPN is one of the most used and most trusted free VPN service of world, if you have problem trusting any other free VPN service better opt this.
The Free VPN
Alone Web
Packetix
Always VPN
Cyber Ghost
Open VPN
Subscribe to:
Posts (Atom)