
Tuesday, 30 July 2013

Nessus On Windows



Nessus is one of the best-known and most widely used vulnerability scanners. It was originally built for UNIX but now also runs on Windows. Nessus works as a client/server program and is available in a free and a professional edition. Download it and register your e-mail address with them; they will send you information about how to activate and use it. Once installation is done you will have two icons, one named Nessus Server and the other Nessus Client. First open Nessus Server and add users to it. Then open Nessus Client and log in; after logging in you will see an interface like the following:



First you have to define a scan policy for the target system. For that click “Policies” and then “Add Policy”. The general section of a policy is not difficult to understand, but if you don't know much about different operating systems and networking I suggest leaving the other options at their defaults.


The next step is to add a scan: click “Scan” and then “Add Scan” and type the IP address you want to scan. You can also supply a text file with the IP addresses of your targets, but for now just scan your own computer. Once you press the “Launch” button the scan begins. When it completes, look through the vulnerabilities found on the target system.




 

For now don't bother about how to exploit the vulnerabilities found; we will cover that in the “Enumeration” and “Gaining Access/System Hacking” phases. As honest advice, I recommend that you do not limit yourself to this tutorial and look for more tutorials on www.YouTube.com. Thanks for reading and keep visiting.

Create Con Folder In Windows



Many times you might have heard that you can't make a folder named “con” in Windows. The reason is that “con” is a reserved device name for the Windows shell and the Win32 file APIs. “con” stands for “Console”, that is, your keyboard and screen. It is not just con: some other names are also disallowed as folder names because they too are device names. For example,

com1 : communication port-1

com2: communication port-2

lpt1: line printer-1

lpt2: line printer-2


Does that mean it is impossible to create folders with these names? The answer is no. If it were impossible, why would I be writing this post? You can't create a con folder through the Windows GUI by right-clicking and adding a new folder; for this you have to use the command prompt.


Open command prompt and type,


C:\>mkdir \\.\c:\con

where c:\con is the full path of the location where you want to create the con folder. The \\.\ prefix makes Windows treat what follows as a raw device-namespace path, so the reserved-name check that Explorer and a plain mkdir c:\con run into is bypassed. Once created, you will not be able to delete this directory the way you normally delete other directories. To delete it, type the whole command exactly as you typed it to create it, replacing mkdir with rmdir.


In the same way you can create and delete folders with the other names that Windows does not allow by default.
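As an added example (not from the original post), here is a small Python check for the whole reserved-name family rather than just “con”. It assumes nothing beyond the list Windows documents (CON, PRN, AUX, NUL, COM1 to COM9, LPT1 to LPT9) and the documented rule that the comparison ignores case and anything after the first dot, so “con.txt” is just as reserved as “con”. The helper names are mine; device_path builds the \\.\ form used above. This matters beyond folder tricks: an upload handler that writes user-supplied names to a Windows disk will hang or misbehave on these names unless it rejects or renames them.

```python
import re

# Names Windows reserves for devices, compared case-insensitively. Per
# Microsoft's file-naming documentation the name is still reserved when an
# extension follows it ("con.txt" behaves like "con"). Added example code;
# the list itself is the documented set, not an assumption.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def base_name(name: str) -> str:
    """Return the part of a path component Windows compares against the
    device list: everything before the first dot, with the trailing dots
    and spaces that Win32 silently drops removed first."""
    stem = name.rstrip(" .").split(".", 1)[0]
    return stem.rstrip(" ")


def is_reserved_name(name: str) -> bool:
    """True if creating this file or folder name would hit a Win32 device."""
    return base_name(name).upper() in RESERVED_DEVICE_NAMES


def safe_component(name: str) -> str:
    """One common mitigation for user-supplied filenames: prefix reserved
    names so they no longer match (hypothetical helper for illustration)."""
    return "_" + name if is_reserved_name(name) else name


def device_path(path: str) -> str:
    r"""Build the \\.\ device-namespace form the post uses with mkdir/rmdir,
    e.g. C:\con -> \\.\C:\con. Requires a fully qualified drive path."""
    if not re.match(r"^[A-Za-z]:\\", path):
        raise ValueError("need a fully qualified path such as C:\\con")
    return "\\\\.\\" + path


if __name__ == "__main__":
    for candidate in ["con", "CON.txt", "com1.tar.gz", "console", "com10"]:
        print(f"{candidate!r:14} reserved={is_reserved_name(candidate)}")
    print(device_path(r"C:\con"))
```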

Enumeration | Basic Terminologies



What is Enumeration?

It is the process of identifying potential user accounts that can be used to attack the target system. It is not compulsory to obtain an administrative account, because in most cases the privileges of a normal account can be raised to make it a super user, granting it administrative privileges; for that reason the enumeration phase is closely tied to privilege escalation. It may also include identifying devices and shared files and folders.


NetBIOS:

Better known as Network Basic Input/Output System, it provides session-layer services (in OSI terms) that let several computers communicate on a Local Area Network (LAN). Its main services include registering names for the computers and groups connected to the LAN, letting them communicate with one another and share devices.


Network Shares Or Just Shares:

It means any device or file that is made available on the network for sharing. It may include files, folders, hard disks, printers etc. Shares play an important role in remote system hacking, so information about shares can help you escalate privileges.


SNMP:

Better known as Simple Network Management Protocol, it is used for managing different devices on a network. These may include hubs, switches, routers, printers, storage devices, computers, servers etc.


SMB:

Better known as Server Message Block, it is Microsoft's protocol for file and printer sharing services. Though the protocol is old, it is still used on most systems.


Null Session:

It is a session in which a person logs into a computer without a user name or password. Though this situation is rare today, we will still have a look at it. A NetBIOS null session is a weakness in the Common Internet File System (CIFS)/SMB implementation through which an attacker can connect to a computer or device without an account and password. Once a null session is established we can enumerate users, devices and the policies defined for the network.



Dear visitor, if you have not yet created your lab setup then please set it up now. To know more about the lab setup, read Basic Lab Setup For Hacker, because from now on the tutorials we cover will need more than one PC. I know many of you may not have multiple PCs for practice, so I have specially covered how to set up your lab on a single PC using VirtualBox. If you are serious about learning hacking legally, install at least two Windows XP machines and two different Linux distros in it, better if one of them is a mini Linux distro. Set up your lab in the requested way so that we can cover enumeration easily. Thanks for reading; please don't forget to tell me about your difficulties, and be sure I'll answer them. Keep visiting.

Fingerprinting OS



Fingerprinting is a step in the scanning phase in which an attacker tries to identify the Operating System (OS) of the target system. Fingerprinting can be classified into two types:

-Active Stack Fingerprinting

-Passive Stack Fingerprinting


Active stack fingerprinting involves sending data to the target system and observing how it responds. Because each TCP/IP stack responds slightly differently, the response is compared with a database and the OS is identified. It is the commonly used method, though there is a high chance of getting detected. It can be performed in the following ways.


Using Nmap: Nmap is a port scanner that can also perform active stack OS fingerprinting with the -O option (which needs root or administrator rights, because it sends crafted packets).

Syntax: nmap -O IP_address

Example: nmap -O 127.0.0.1


Using Xprobe: Xprobe2 is an active stack fingerprinting tool for UNIX-like systems, including Linux. Besides the OS it can also identify network devices and their version numbers.

Syntax: xprobe2 -v IP_address

Example: xprobe2 -v 127.0.0.1


Passive stack fingerprinting involves examining traffic already on the network to determine the operating system. There is no guarantee that the fingerprint will be accurate, but usually it is. It generally means sniffing traffic rather than making contact with the target, so this method is stealthier and usually goes undetected. It relies on details of how each stack builds its packets, such as the initial TTL, the TCP window size, the Don't Fragment bit and the order of the TCP options in a SYN. Passive stack fingerprinting can be performed in the following ways.


Using p0f: p0f is a passive fingerprinting tool. Both Windows and Linux versions are available.

For Windows:

Open command prompt and type


C:\>ipconfig


it will list all the network adapters in your system. Note the number of the adapter your connection is running on; in my case it is two. Now type “p0f -i card_number”:




C:\p0f>p0f -i 2


Now try to connect to the system you want to fingerprint leaving command prompt open and p0f will detect OS.


For Linux:

In Linux you need to install it first. If you are using Red Hat Linux and downloaded an rpm package, browse to the folder where you downloaded it and run the following command.


#rpm -i package_name


or, if you have configured yum to download from a repository, type the following commands.


# yum clean all

#yum list

#yum install p0f


If you are using a Debian-based Linux and downloaded a deb package, browse to the folder and type the following command,


#dpkg -i package_name


or, if you want to install from the repository, use the following commands


#apt-get update

#apt-get install p0f


If you are not logged in as root, prefix the apt-get commands with “sudo”.

Now open a terminal and type the following command,


#p0f -i eth0 -vt


where “-i” selects the interface, “eth0” is your network card, “-v” shows results in verbose mode and “-t” adds timestamps to the output. Now try to connect to the remote system, and p0f will fingerprint its OS from the packets it sees.
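To show what p0f is doing under the hood, here is an added Python example, not part of the original post or of p0f itself, that parses a raw IPv4/TCP SYN and compares its window size, initial TTL, Don't Fragment bit, IP total length and TCP option order against two signatures written in p0f v2's notation. The two signatures (Linux 2.6 and Windows XP) are the classic, widely quoted ones, but treat them as assumptions for this example rather than as p0f's database; the packets are constructed in the code rather than captured, and a real tool would feed in SYNs from a pcap file or a live sniffer. The initial-TTL rounding is the part people most often forget: a TTL of 57 on the wire almost certainly left the host as 64.

```python
import struct

# Illustrative SYN signatures in the style of p0f v2:
# (name, window, initial TTL, DF set, IP total length, option layout).
# "S4" means window = 4 * MSS; "M*" matches any MSS; "W7" is window scale 7.
# Assumed/approximate values for this example, not p0f's real database.
SIGNATURES = [
    ("Linux 2.6",  "S4",  64,  True, 60, ["M*", "S", "T", "N", "W7"]),
    ("Windows XP", 65535, 128, True, 48, ["M*", "N", "N", "S"]),
]


def initial_ttl(observed: int) -> int:
    """Round the TTL seen on the wire up to the most likely initial value;
    each router hop decrements it, so 57 almost certainly started as 64."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return observed


def parse_syn(pkt: bytes) -> dict:
    """Extract the fields p0f keys on from a raw IPv4+TCP SYN (no link layer)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!H2xH", pkt[2:8])
    ttl = pkt[8]
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, layout, mss, i = tcp[20:data_off], [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            layout.append("E")
            break
        if kind == 1:                      # NOP padding
            layout.append("N")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                     # malformed; stop rather than loop
            break
        body = opts[i + 2:i + length]
        if kind == 2:                      # MSS: recorded as wildcard M*
            mss = struct.unpack("!H", body)[0]
            layout.append("M*")
        elif kind == 3:                    # window scale: the value matters
            layout.append(f"W{body[0]}")
        elif kind == 4:                    # SACK permitted
            layout.append("S")
        elif kind == 8:                    # timestamp
            layout.append("T")
        else:
            layout.append(f"?{kind}")
        i += length
    return {"win": window, "ttl": ttl, "df": bool(flags_frag & 0x4000),
            "len": total_len, "opts": layout, "mss": mss}


def match_os(fields: dict) -> str:
    """Return the first signature consistent with the parsed SYN, else 'unknown'."""
    for name, win, ttl, df, length, opts in SIGNATURES:
        want = int(win[1:]) * (fields["mss"] or 0) if isinstance(win, str) else win
        if (fields["win"] == want and initial_ttl(fields["ttl"]) == ttl
                and fields["df"] == df and fields["len"] == length
                and fields["opts"] == opts):
            return name
    return "unknown"


def fingerprint(pkt: bytes) -> str:
    return match_os(parse_syn(pkt))


def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed sample packet (not a capture): IPv4 header with DF set plus
    a TCP SYN; checksums are zero and addresses/ports are placeholders."""
    options += b"\x00" * (-len(options) % 4)
    total_len = 20 + 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options


# Option blobs. Linux: MSS 1460, SACK-permitted, timestamp, NOP, window scale 7.
LINUX_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
              + b"\x01" + b"\x03\x03\x07")
# Windows XP: MSS 1460, NOP, NOP, SACK-permitted.
WINXP_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"

if __name__ == "__main__":
    # TTL 57 is 64 minus seven hops; window 5840 is 4 * 1460.
    print(fingerprint(build_syn(57, 5840, LINUX_OPTS)))     # Linux 2.6
    print(fingerprint(build_syn(128, 65535, WINXP_OPTS)))   # Windows XP
```

The matching is deliberately strict: a single extra NOP or a different window scale yields "unknown", which is exactly why passive tools need large, regularly updated signature databases.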


Using NetCraft:

Go to the NetCraft site and type the IP address or hostname of the target you want to fingerprint into “What's that site running?”. It will show you its OS.


I hope that was quite easy. If you have any problems using any of the above tools, please don't hesitate to ask; I am here to help. Thanks for reading and keep visiting.

Some More Methods To Grab Banners


I hope you enjoyed reading the last post on banner grabbing. In this post we will discuss some more tools that can be used to grab banners, and we will also look at some tools that can prevent our own banners from being grabbed. The following tools help in banner grabbing.

NetCat:

Netcat is a TCP/IP debugging tool that can be used for banner grabbing. Download it from its official site; it's free. Have a look at its documentation to learn how to use it. The following command works the same way as telnet and grabs the banner.

C:\netcat\>nc ip_address 80

(Press Enter twice; if that returns nothing, type the following)

(HEAD / HTTP/1.0 and press Enter twice; note the space on each side of the slash, and the blank line is what ends the request)

Httprint:

Httprint is a web server fingerprinting tool. It uses server signatures to identify the web server software and version running on the host. Download it from its official site; again, it's free. I don't think there is a need to explain how it works, since its own help documentation is short and easy to understand. Give it a try; if you still don't understand how to use it, ask me and I'll include a new post on it.

Miart HTTP Header:

The Miart HTTP Header tool identifies banner information from the HTTP headers and the response type. Using it doesn't require any skill: just enter the URL in the input box and press Enter.

Prevention Against Banner Grabbing:

Preventing Apache Server And Its Derivative:

There is no single tool or method that stops Apache's banner from being grabbed, but if you look at its documentation you will find that it is not difficult either. The relevant settings are the ServerTokens directive, which controls how much of the product, version and OS information goes into the Server header (ServerTokens Prod reduces it to “Apache”), and ServerSignature Off, which removes the version footer from Apache-generated error pages. The details differ between Apache versions, so read the documentation for your version to stop Apache from giving out valuable information.

Preventing IIS Server:

IIS has some advantages over Apache here, since various tools are available that help an IIS server defend itself against banner grabbing.

IIS Lockdown:

It works by turning off unnecessary features, thus providing multiple layers of protection. It targets the older IIS 4.0 and 5.x releases; later versions ship locked down by default. Download it from www.microsoft.com.

Server Mask:

ServerMask removes every detail that reveals a website is running on IIS, including fingerprinting traces. It removes or rewrites the HTTP headers and obscures the server's signatures, thus protecting against signature-based banner grabbing.

Page Xchanger:

It is a content negotiation tool. It strips the extensions from all URLs, making them cleaner and easier to navigate. Because it negotiates every file and extension, the site reveals nothing about file types, extensions and default error messages, which makes it harder to fingerprint.

Banner Grabbing

Banner Grabbing is the process in which an attacker tries to find out the version of an application installed on the victim's machine. In this tutorial I'll explain in short how we can grab banners. Note that error messages are the best friends as well as the worst enemies of programmers and hackers alike, since they reveal enough information to be used against the victim for exploitation. After we cover banner grabbing we will look at how to prevent our own banners from being grabbed.

Banner Grabbing Using Telnet:

Telnet (TELetype NETwork) is a robust built-in tool that almost every OS has, and it can be used to grab banners. The technique works because when we send a malformed or unexpected request to a service, the victim often replies with an error message that also carries the banner. Type the following in the command prompt, but first make sure the target port (port 80 here, not telnet's own port 23) is open by scanning it with nmap. Note the spaces in the request line and the blank line that ends the request; with HTTP/1.1 a Host: header line should also be sent before the blank line.

C:\>telnet victim's_IP 80
HEAD / HTTP/1.1  (now press Enter twice)

HTTP/1.1 200 OK
Date: Mon, 11 May 2010 22:10:40 EST
Server: Apache/2.6.01 (Unix) (Red Hat/Linux)
Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html

As you can see, if the victim has not configured the system properly we get output like this, revealing that the victim is running Apache along with its version and platform. The same applies to any other server.

Banner Grabbing From Error Pages:

Every server is configured to return a specific error message for known types of problems, and this can be used to identify the exact server the victim is running. Please have a look at the following error page:

(error page image from the original post)

The above page is displayed by Apache when you type a URL that does not exist on the victim's server. If you find a form with input fields, leave the input blank and press the button; the error it returns often reveals the programming language used for web development. The following error page is what I got when I pressed the submit button leaving the input fields blank:

(error page image from the original post)

The above error page shows that the victim is using the external web mail program “Squirrel Mail v1.4.6-1” and used PHP as the development language. As far as our knowledge goes, Squirrel Mail needs PHP 5, and from “Squirrel Mail + PHP v5” an intelligent guess is that the victim runs MySQL as its database server. That is only a guess, but if your port scan found port 3306 open, MySQL's default port, you can be fairly confident it is MySQL.

In all:
Development Tools: HTML + PHP v5 + MySQL
Mail Agent: Squirrel Mail v1.4.6-1

Grabbing Banner From Page Extensions:

This simply means having a look at the URL to find out what application our victim might be using. Here you may need some good programming knowledge to identify the application version: save the page to your hard disk, view the page source and use your experience in programming to deduce the version once the application is known. I am really sorry, this kind of version detection cannot be taught; it needs programming experience, so for this kind of detection you need to be good at web development.

.asp/.aspx: a sure sign that the victim is running Microsoft Active Server Pages / ASP.NET.
.jsp: Java-based web technology. MySQL is often used with JSP; use this as a guess.
.php: PHP + HTML.
.cfm: Macromedia ColdFusion.
.asmx: .NET (ASP.NET web services).
.jws: Java web services.
.wsdl: Web Service Definition Language (WSDL) description.

Note that the extension may appear anywhere in the URL, so look closely. When an extension doesn't seem familiar, Google it and you will quickly find what kind of web development tools the victim has used.

Banner Grabbing Using Net Craft:

Net Craft is known for its anti-phishing toolbar, and its site also offers OS detection and banner grabbing. Browse to www.netcraft.com and type the name of the website you want information about after “What's that site running?”. Now let's see what information it reveals:

Server: Apache 2.0.63
OS: Red Hat Enterprise Linux 5
SSL Tool: OpenSSL 0.9.8
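The following added Python example (mine, not from the original posts) automates what the telnet and netcat commands above do by hand: it builds a correctly formed HEAD request, parses the response headers, pulls the product, version and platform out of the Server header and flags whether a version is disclosed at all, which is the thing the prevention steps are meant to remove. The sample response is constructed from the Apache headers shown above rather than captured live; grab_banner() does the same against a live host and is only for systems you are authorised to test. The function and constant names are my own.

```python
import re
import socket


def head_request(host: str, path: str = "/") -> bytes:
    """Build the request typed by hand through telnet/netcat. Note the space
    on each side of the path and the CRLF CRLF that ends the headers;
    "HEAD/HTTP/1.1" without spaces is a malformed request line (which often
    still yields a banner in the error reply). HTTP/1.1 requires Host."""
    return (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> tuple:
    """Split an HTTP response into its status line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


# product, optionally followed by /version, e.g. "Apache/2.6.01" or "nginx"
SERVER_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/([\w.]+))?")


def banner_info(headers: dict) -> dict:
    """What an attacker learns from the headers: product, version, and the
    parenthesised platform comments Apache adds when ServerTokens is Full."""
    srv = headers.get("server", "")
    info = {"server": srv or None, "product": None, "version": None,
            "platform": None, "powered_by": headers.get("x-powered-by")}
    m = SERVER_RE.match(srv)
    if m:
        info["product"], info["version"] = m.group(1), m.group(2)
    comments = re.findall(r"\(([^)]*)\)", srv)
    if comments:
        info["platform"] = " ".join(comments)
    return info


def leaks_version(headers: dict) -> bool:
    """True when Server or X-Powered-By discloses a version number."""
    info = banner_info(headers)
    powered = info["powered_by"] or ""
    return bool(info["version"]) or bool(re.search(r"\d", powered))


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live version of the telnet/netcat trick: connect, send HEAD, parse."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(head_request(host))
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    status, headers = parse_response(buf)
    return {"status": status, **banner_info(headers)}


# Constructed sample built from the response quoted in the post (not a capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 11 May 2010 22:10:40 EST\r\n"
    b"Server: Apache/2.6.01 (Unix) (Red Hat/Linux)\r\n"
    b"Last-Modified: Thu, 16 Apr 2009 11:20:14 PST\r\n"
    b"ETag: \"1986-69b-123a4bc6\"\r\n"
    b"Accept-Ranges: bytes\r\nContent-Length: 1110\r\n"
    b"Connection: close\r\nContent-Type: text/html\r\n\r\n"
)
# A server with ServerTokens Prod answers the same request with just the name.
HARDENED_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HARDENED_RESPONSE):
        status, hdrs = parse_response(raw)
        print(status, banner_info(hdrs), "leaks version:", leaks_version(hdrs))
```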

Saturday, 13 July 2013

Prevention Against Google Hacking

Prevention Against Google Hacking


Previously we saw Google hacking basics and some advanced Google hacking operators. In this section we will see how to protect your website from Google hacking queries.
Website Cloaking:
It is a method where the website is programmed to give different output to different IP addresses. The programmer first finds out the IP addresses from which the search engine bots crawl web pages, then serves them different output when they visit the site. Note that not all pages are cloaked, just the pages of importance. Search engines treat cloaking as a violation of their guidelines, so weigh the risk of being penalised against the benefit.
Google Hack Honeypot:
Google Hack Honeypot (GHH) is a reaction to the malicious kind of web traffic that attackers generate with search-engine queries: it exposes decoy pages that match Google hacking queries and logs who requests them. It is open source.
Proper Configuration:
Proper configuration of the website is necessary. Companies should not link their internal networks to the company website. If it is necessary, make sure the configuration does not allow an external entity to reach the company's internal network.
Backup Storage:
Backups of the website should not be kept on the same server where the website is running. Use external storage for backups, because backup copies (such as .bak or .old versions of pages) can reveal far more than the information regularly available online.


Take Privacy Registration For Website Domain:
Taking privacy for your domain registration prevents attackers from obtaining the owner and contact details of your site from the WHOIS records. Many web hosting services now offer this privacy; this step can hurt the attacker's information gathering phase very badly.