sunnyjovita

TCP Half Open Port Scan or SYN scan

Sunny Jovita – 2301939046

Week 10

Disclaimer: This blog is for educational purposes only.

One of the most popular port scanning techniques is the TCP half-open port scan, sometimes referred to as a SYN scan. This type of scan is fast and stealthy: it finds the open ports on the target computer without ever completing the full TCP three-way handshake, which makes it harder to detect. The scanner sends a SYN message and simply notes the SYN-ACK responses. In short, the scanner doesn't complete the connection by sending the final ACK; it just leaves the target hanging.

Below, I will show you how to tell whether a port is open or closed.

In the picture above, we can say that this is a SYN scan or TCP half-open port scan. Why? Because, as seen in the picture, packets 7 to 19 are exchanged between the source and target systems in the following steps:

Source = 192.168.223.171

Target destination = 192.168.223.172

Step 1

In packets 7, 8 and 9, the source sends synchronization (SYN) packets to the target and waits for the target's response.

Step 2

In packet 10, the target replies with a packet carrying both an acknowledgment (ACK) and a SYN, directed to the source, and waits for the final ACK to arrive.

Step 3

However, as can be seen in packet 12, an RST is received from the target. (In packet 11 the scanner/source does not complete the connection by sending the final ACK; it leaves the target hanging.)

Conclusion

To summarize, the SYN/ACK packets in packets 10, 13 and 19 indicate that ports 5900, 22 and 137 are open: rfb is port 5900, ssh is port 22 and NetBIOS-ssn is port 137. However, in packet 12 an RST response appears, which means that port is closed but the server is still alive. A port is considered open if its SYN packet receives a SYN/ACK response.

Any SYN-ACK response indicates a probably open port. An RST (reset) response means the port is closed, but there is a live computer or device there. The TCP half-open scan is Nmap's default scan.
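The detection side of the walkthrough above, as an added example that is not part of the original post: this Python script replays a constructed packet list, modelled on the Wireshark capture described (source 192.168.223.171, target 192.168.223.172), through a small per-connection handshake state machine. It reports which ports answered SYN/ACK, which answered RST, and which clients probed several ports without ever completing a handshake, which is the half-open pattern. The packet lines, client ports and the second, legitimate client 10.0.2.15 are constructed for the example.

```python
"""Spot TCP half-open (SYN) scans in a packet summary list.

Added example, not code from the original post. Input format per line (constructed
to mimic a Wireshark packet list): no. src dst sport dport flags
"""
from collections import defaultdict

# Constructed sample: one scanner probes three ports, one normal client connects.
SAMPLE_PACKETS = """\
7 192.168.223.171 192.168.223.172 40001 5900 SYN
8 192.168.223.171 192.168.223.172 40002 22 SYN
9 192.168.223.171 192.168.223.172 40003 80 SYN
10 192.168.223.172 192.168.223.171 5900 40001 SYN,ACK
11 192.168.223.171 192.168.223.172 40001 5900 RST
12 192.168.223.172 192.168.223.171 80 40003 RST,ACK
13 192.168.223.172 192.168.223.171 22 40002 SYN,ACK
14 192.168.223.171 192.168.223.172 40002 22 RST
20 10.0.2.15 192.168.223.172 51000 443 SYN
21 192.168.223.172 10.0.2.15 443 51000 SYN,ACK
22 10.0.2.15 192.168.223.172 51000 443 ACK
"""


def parse_packets(text):
    """Yield (no, src, dst, sport, dport, flags) tuples; flags is a set of strings."""
    for line in text.splitlines():
        if not line.strip():
            continue
        no, src, dst, sport, dport, flags = line.split()
        yield int(no), src, dst, int(sport), int(dport), set(flags.split(","))


def track_flows(packets):
    """Replay packets through a handshake state machine, one flow per SYN.

    Returns {(client, server, server_port): state}, where state is one of
    'syn_sent', 'established', 'closed' (server sent RST) or 'half_open'
    (server sent SYN/ACK but the client never completed the handshake).
    """
    flows = {}
    for _no, src, dst, sport, dport, flags in packets:
        if flags == {"SYN"}:                       # a new connection attempt
            flows[(src, dst, dport)] = "syn_sent"
            continue
        if (src, dst, dport) in flows:             # client -> server direction
            key, from_server = (src, dst, dport), False
        elif (dst, src, sport) in flows:           # server -> client direction
            key, from_server = (dst, src, sport), True
        else:
            continue                               # not part of a tracked handshake
        state = flows[key]
        if from_server and state == "syn_sent" and "RST" in flags:
            flows[key] = "closed"                  # port closed, host alive
        elif from_server and state == "syn_sent" and {"SYN", "ACK"} <= flags:
            flows[key] = "synack"                  # port open, server waits for the ACK
        elif not from_server and state == "synack":
            # The client either finishes the handshake or tears it down with RST
            finished = "ACK" in flags and "RST" not in flags
            flows[key] = "established" if finished else "half_open"
    # A SYN/ACK that was never answered at all is also a half-open probe
    return {k: ("half_open" if v == "synack" else v) for k, v in flows.items()}


def open_ports(flows):
    """Server ports that answered SYN with SYN/ACK, whether or not the client finished."""
    return sorted({port for (_c, _s, port), st in flows.items()
                   if st in ("half_open", "established")})


def detect_syn_scanners(flows, min_probes=3):
    """Clients with at least min_probes probes and not a single completed handshake."""
    counts = defaultdict(lambda: {"half_open": 0, "closed": 0, "established": 0})
    for (client, _s, _p), st in flows.items():
        if st in counts[client]:
            counts[client][st] += 1
    return sorted(c for c, n in counts.items()
                  if n["established"] == 0 and n["half_open"] + n["closed"] >= min_probes)


if __name__ == "__main__":
    flows = track_flows(parse_packets(SAMPLE_PACKETS))
    for key, state in sorted(flows.items()):
        print(f"{key[0]} -> {key[1]}:{key[2]}  {state}")
    print("open ports on target:", open_ports(flows))
    print("likely SYN scanners:", detect_syn_scanners(flows))
```

The state machine only treats a bare SYN as the start of a flow, so the scanner's own RST teardown (packet 11) is recognised as the client abandoning an already-accepted connection rather than as a closed port; lowering `min_probes` makes the detector more sensitive at the cost of flagging clients that merely timed out.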

Idle/Zombie Scanning 🧟

Sunny Jovita – 2301939046

Week 9

Disclaimer: This blog is for educational purposes only.

During penetration testing, collecting information is the most important stage. Based on the collected information, we can greatly improve the success rate of our penetration test. Equally important, attackers use various scanning techniques while scanning a target.

The zombie scan, or idle scan, is one of them. An idle scan is a form of port scanning in which the attacker uses another computer, called a zombie, to hide from the target, so that the attacker is hard to trace back.

The PC or device used as a zombie has commonly been compromised or is otherwise controlled by the attacker. It is used to carry out a variety of malicious attacks on the target under the attacker's remote control.

For further explanation, I will show you how the zombie/idle scan works.

As shown in the picture above, this is a zombie scan in which the victim's port is open, since the IPID is incremented by 2. In other words, the status of the port being scanned is open.

Step 1

The attacker sends a SYN|ACK segment to the zombie device or computer.

Step 2

The zombie responds to the attacker with an RST segment whose IPID is 1765 (so the zombie computer's current IPID value is 1765).

Step 3

The attacker sends a SYN segment to the target with the spoofed IP address of the zombie as its source (the target will only see that the packet comes from the zombie, not from the attacker).

Step 4

The target responds to the zombie with a SYN|ACK segment, which means the port on the target computer is open. As shown in step 4, the target does not send the response directly to the attacker but to the zombie computer, because the attacker spoofed the zombie's IP address (the attacker hides behind the zombie, so the target never learns the attacker's real IP address).

Step 5

The zombie receives the SYN|ACK packet from the target and responds with an RST segment to the target. The zombie computer increases its IPID by one (from 1765 to 1766).

Step 6

Now the attacker sends another SYN|ACK segment to the zombie.

Step 7

Finally, the zombie responds with an RST to the attacker's SYN|ACK packet and increases its IPID by one again, so the IPID is now 1767.

Conclusion

To conclude, the target's port is open because the IPID was incremented by 2, from 1765 to 1767.
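The IPID bookkeeping behind the seven steps above, as an added Python simulation that is not part of the original post: no packets are sent; the zombie, target and attacker probes are plain Python objects, and the starting IPID is constructed so that the values match the walkthrough (1765 before, 1767 after for an open port). It also covers the case the post does not show, a zombie that is not actually idle, where extra traffic makes the difference unreliable; that is why a zombie needs a globally sequential IPID and why operating systems that randomise it cannot be used this way.

```python
"""Simulate the IP ID counting that an idle (zombie) scan relies on.

Added example, not from the original post. Hosts are in-memory objects; the
IPID values are constructed to reproduce the walkthrough (1765 -> 1767).
"""


class Zombie:
    """An 'idle' host whose IP ID counter rises by one for every packet it sends."""

    def __init__(self, ipid):
        self.ipid = ipid

    def send(self):
        self.ipid += 1
        return self.ipid

    def receive_syn_ack(self):
        # An unexpected SYN|ACK is answered with RST: one packet, one IP ID (steps 2, 5, 7)
        return self.send()

    def receive_rst(self):
        # An RST is silently dropped: nothing is sent, no IP ID is consumed
        return None


class Target:
    """The scanned host; reacts to a SYN whose source address is the zombie's."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_spoofed_syn(self, port, zombie):
        if port in self.filtered_ports:
            return "dropped"             # a firewall drops it; the zombie sees nothing
        if port in self.open_ports:
            zombie.receive_syn_ack()     # steps 4-5: SYN|ACK reaches the zombie, RST goes back
            return "syn_ack"
        zombie.receive_rst()             # closed port: target sends RST, zombie ignores it
        return "rst"


def infer_port_state(ipid_before, ipid_after):
    """Turn the IP ID difference between the two attacker probes into a verdict."""
    delta = ipid_after - ipid_before
    if delta == 1:
        return "closed or filtered"      # only the attacker's second probe consumed an ID
    if delta == 2:
        return "open"                    # the RST sent to the target consumed the extra ID
    return "unreliable: zombie is not idle"


def simulate_idle_scan(port, target, zombie, background_packets=0):
    """Run the seven steps from the post; return (ipid_before, ipid_after, verdict)."""
    ipid_before = zombie.receive_syn_ack()        # steps 1-2: attacker probes the zombie
    target.receive_spoofed_syn(port, zombie)      # steps 3-5: SYN with the zombie's address
    for _ in range(background_packets):           # traffic a busy (non-idle) zombie sends anyway
        zombie.send()
    ipid_after = zombie.receive_syn_ack()         # steps 6-7: attacker probes the zombie again
    return ipid_before, ipid_after, infer_port_state(ipid_before, ipid_after)


if __name__ == "__main__":
    target = Target(open_ports=[22, 5900], filtered_ports=[445])
    for port in (22, 80, 445):
        print(port, simulate_idle_scan(port, target, Zombie(1764)))
    print("busy zombie:", simulate_idle_scan(22, target, Zombie(1764), background_packets=3))
```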

Vulnerability Mapping

Sunny Jovita – 2301939046

Week 7

Disclaimer: This blog is for educational purposes only.

Vulnerability mapping is the process of identifying possible security weaknesses and mapping them to the targets they affect.

Types of vulnerabilities mapping

  1. Design vulnerabilities = found in the software or protocol specification.
  2. Implementation vulnerabilities = found in the code (error handling, exceptions, etc.).
  3. Operational vulnerabilities = caused by improper configuration and deployment in an environment.
  4. Local vulnerabilities = the attacker needs local access to trigger the vulnerability on the target.
  5. Remote vulnerabilities = unlike local ones, the attacker does not need local access to trigger or exploit the target's vulnerabilities.

4 Vulnerability taxonomy

1. Gain access

  • smart bruteforcing
  • automated exploitation
  • manual exploitation
  • social engineering campaign
  • web app scanning and exploitation

2. Take control

  • command shell session
  • meterpreter session
  • manual authentication
  • proxy and vpn pivoting

3. Collect evidence

  • run evidence collection
  • live reporting
  • collect credentials

4. Discover devices

  • scan
  • import scan (nmap, nexpose, etc)
  • initiate nexpose scan
  • manually add device

Tools for vulnerability mapping

  1. openVAS
  2. w3af
  3. sqlmap
  4. metasploit
  5. uniscan
  6. nikto

I usually use nikto and uniscan while doing vulnerability mapping because both of them give me the detailed information I expect. Recently, I have been trying to use openVAS, sqlmap, and w3af while performing penetration testing to find vulnerabilities.

OpenVAS = provides a powerful vulnerability scanning platform.

These are the openVAS features:

  1. scanner
  2. manager
  3. assistant
  4. administrator

Sqlmap = detects and attempts to exploit SQL injection issues in database servers.

W3af = detects various vulnerabilities in web applications.

Social Engineering

Sunny Jovita – 2301939046

Week 8

Disclaimer: This blog is for educational purposes only.

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.

In this post, I am going to show how a social engineering attack can be carried out in daily life, using the Social-Engineer Toolkit, which is called setoolkit.

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to build a believable attack in a fraction of the time. Tools of this kind exploit human behaviour to lure people into the attack vectors.

1. First, we can open up our Linux root terminal, and type this command:

setoolkit

You will see the welcome page like the picture above, and the options for the attack at the bottom.

2. At the bottom of the welcome page, we can see something like this. Since we are going to implement Social Engineering Attacks, choose number 1.

3. Third, the next set of options is displayed; choose number 2, Website Attack Vectors, and hit enter.

4. For the next options, choose number 3, Credential Harvester Attack Method.

5. Choose number 1, Web Templates

6. As shown in the picture, SET displays the attacker's IP address, i.e. our own IP address. Since my device's IP address was correct, I just hit enter.

note: to check the IP address on Windows, type 'ipconfig' in the command prompt.
note: to check the IP address on Kali Linux, type 'ifconfig' in the terminal.

7. Now that our IP address is set, this menu lists web phishing templates such as Java Required, Google and Twitter (other web templates can be produced with Site Cloner). Since here we are targeting a Google account, choose number 2, Google.

After pressing enter, the Social-Engineer Toolkit (SET) starts my Kali Linux web server on port 80, serving the fake Google account login page.

Finally our setup is done, and now we are ready to share our IP address, which we have found in step number 6, (10.0.2.15).

By sending the IP address to the target, we can collect their information, such as their Google account username and password. The page looks real, and no security warnings are displayed on it. The URL bar shows the IP address instead of a URL; however, the URL could be changed by hosting the page under a domain name. Not all people will recognize this is not the original Google page.
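The tell-tale signs the paragraph above mentions (a raw IP address in the URL bar, no HTTPS, a Google look-alike on a host that is not Google's) can be checked mechanically, which is how browser add-ons and mail gateways score links. As an added Python example (not part of the original post or of SET), the function below turns a URL and the page title into a list of phishing indicators. The sample URLs are constructed; the post's 10.0.2.15 address is reused for the harvester page, and the `.example` host is a placeholder.

```python
"""Score a login page URL for the phishing indicators discussed in the post.

Added example, not code from the original post or from SET. Sample URLs are
constructed; 10.0.2.15 is the harvester address from the post.
"""
import ipaddress
from urllib.parse import urlsplit


def host_is_ip(host):
    """True when the host part of a URL is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_indicators(url, page_title="", brand="google", legit_domains=("google.com",)):
    """Return the warning signs for a login page at url with the given title."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("page is not served over HTTPS")
    if host_is_ip(host):
        findings.append("URL bar shows a raw IP address instead of a domain name")
    # The page pretends to be the brand (in host, path or title) but is not on its domain
    looks_like_brand = (brand in host or brand in parts.path.lower()
                        or brand in page_title.lower())
    if looks_like_brand and not any(belongs_to(host, d) for d in legit_domains):
        findings.append(f"looks like a {brand} login page but host '{host}' "
                        f"is not under {', '.join(legit_domains)}")
    return findings


# Constructed samples: the harvester page from the post and two comparison URLs.
SAMPLE_PAGES = [
    ("http://10.0.2.15/", "Sign in - Google Accounts"),
    ("https://accounts.google.com/signin", "Sign in - Google Accounts"),
    ("http://accounts-google.login-check.example/", "Google Accounts"),
]

if __name__ == "__main__":
    for url, title in SAMPLE_PAGES:
        found = phishing_indicators(url, title)
        print(url, "->", "OK" if not found else "; ".join(found))
```

The brand check is deliberately conservative: it only fires when the page claims a brand it is not hosted by, so an unrelated HTTP site on a raw IP gets two findings, not three.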

Enumerating Target

Sunny Jovita – 2301939046

Week 6

Disclaimer: This blog is for educational purposes only.

Target enumeration is the process of finding and collecting information about ports, operating systems, valid usernames, shared folders and services available on the target machines.

Enumeration Techniques

There are several enumeration techniques that can be used to gather the target's information:

  • Extracting user names from email IDs
  • Extracting information using default passwords
  • Brute-forcing Active Directory
  • Extracting user names using SNMP
  • Extracting user groups from Windows
  • Extracting information using DNS zone transfers

Some tools that can be used for enumeration:

NBTScan

– NBTScan: this tool is usually used to find the IP addresses of remote devices.

  • nbtscan -r ipaddress/24
  • nbtscan -v -s -r ipaddress/24

Brute force password

  • Hydra

Hydra is a parallelized network login cracker built into various operating systems such as Kali Linux, Parrot and other major penetration testing environments. Hydra works by using different approaches to perform brute-force attacks in order to guess the right username and password combination.

hydra -L userfile -P password.txt ftp://ipaddress

hydra -l username -p password smb://ipaddress

  • Medusa

Medusa is an online password-cracking tool similar to THC Hydra. It claims to be a speedy, parallel, modular login brute-forcing tool.

medusa -h hostname -u username -p password -M ssh -n port

medusa -h hostname -U userfile -P password.txt -M ssh -n port
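Hydra and Medusa both leave a trail on the target: every guess is a separate login attempt that the service logs. As an added example (not from the original post), this Python script parses constructed sshd lines in auth.log format and flags any source address that produces five or more failed logins within one minute, listing the usernames it tried, which separates a wordlist run against one account from a run through a user file. The hostname, addresses, timestamps and usernames are constructed.

```python
"""Flag brute-force login attempts in sshd auth.log lines.

Added example, not code from the original post. The log lines are constructed;
the year is not in syslog timestamps, so it is passed in as an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar 19 10:00:01 host sshd[1201]: Failed password for root from 192.168.223.171 port 40001 ssh2
Mar 19 10:00:02 host sshd[1202]: Failed password for invalid user admin from 192.168.223.171 port 40002 ssh2
Mar 19 10:00:02 host sshd[1203]: Failed password for root from 192.168.223.171 port 40003 ssh2
Mar 19 10:00:03 host sshd[1204]: Failed password for invalid user test from 192.168.223.171 port 40004 ssh2
Mar 19 10:00:03 host sshd[1205]: Failed password for root from 192.168.223.171 port 40005 ssh2
Mar 19 10:00:04 host sshd[1206]: Accepted password for sunny from 10.0.2.15 port 50001 ssh2
Mar 19 10:05:00 host sshd[1207]: Failed password for sunny from 10.0.2.15 port 50002 ssh2
Mar 19 10:30:00 host sshd[1208]: Failed password for root from 10.0.2.99 port 50003 ssh2
Mar 19 10:45:00 host sshd[1209]: Failed password for root from 10.0.2.99 port 50004 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_log(text, year=2021):
    """Return a list of (timestamp, failed: bool, username, source_ip) events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unrelated sshd/syslog line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2) == "Failed", m.group(3), m.group(4)))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP.

    Returns {ip: {"failures": n, "usernames": [...]}} for every source that reaches
    threshold failures inside any window_seconds-long window.
    """
    recent = defaultdict(deque)        # per-IP timestamps of failures still in the window
    users = defaultdict(set)
    flagged = {}
    for ts, failed, user, ip in sorted(events):
        if not failed:
            continue                                   # successes do not count towards the window
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()                           # drop failures older than the window
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = {"failures": len(window), "usernames": sorted(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['failures']} failures in 60s, users tried: {info['usernames']}")
```

Two failures fifteen minutes apart (10.0.2.99) and a single typo from a legitimate user (10.0.2.15) stay below the threshold; the window and threshold are the knobs to tune against your own baseline before wiring this to a block list.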

Penetration Testing Tools

Sunny Jovita – 2301939046

Week 5

Disclaimer: This blog is for educational purposes only.

On 19 March 2021, the 5th week of the Ethical Hacking and Penetration Testing course, I learned about some great penetration testing tools, such as:

  1. TheHarvester
  2. Maltego
  3. CloudFail

TheHarvester

The purpose of this tool is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources, such as search engines. It is really useful for anyone who wants to know what an attacker can see about their organization or company.

To use theHarvester, we can use this syntax:

  • cd theHarvester
  • python3 theHarvester.py -d domain.com -l range -b all

Maltego

Maltego is a platform or program that can be used to determine the relationships and real-world links between:

  • People, social networks, companies, organizations
  • Websites, domains, DNS names, IP addresses
  • Documents, files, etc.

Maltego saves time because it lets us gather security-related information more accurately and efficiently.

CloudFail

It utilizes misconfigured DNS and old database records to find hidden IPs behind the CloudFlare network.

Example:

Here, I tried to find the real IP address of hackme.pentest.id

  1. First, I tried to find the IP address using mxtoolbox.com and figured out that the IP address belonged to CloudFlare.
  2. Second, I used the CloudFail tool to discover the real IP address.
  • python3 cloudfail.py --target hackme.pentest.id --tor

It reports that hackme.pentest.id is part of the CloudFlare network. By using this tool, we can find the real IP address of a website behind CloudFlare.
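The "misconfigured DNS" part of that description is something a site owner can audit for themselves: any record in the zone that points straight at the origin, rather than at a CloudFlare-proxied address, gives the origin away. As an added Python example (not from the original post or from CloudFail), the script below checks a constructed set of DNS records against a list of proxied address ranges and reports which hostnames expose the same non-proxied origin. The zone, hostnames and 203.0.113.x addresses are constructed (documentation address space); the two CloudFlare ranges shown are an abbreviated, illustrative subset, and an assumption of this example is that the authoritative list is fetched from CloudFlare's published ranges before the check is relied upon.

```python
"""Audit DNS records for hostnames that reveal an origin IP behind a CDN proxy.

Added example, not code from the original post or from CloudFail. Records and
origin addresses are constructed; the proxy ranges are an illustrative subset.
"""
import ipaddress

# Illustrative subset of CloudFlare's published IPv4 ranges (assumption: replace with
# the full, current list from CloudFlare before using this check for real).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Constructed zone: two names are proxied, three leak the same origin addresses.
SAMPLE_RECORDS = {
    "example.test": "104.16.12.34",
    "www.example.test": "104.16.12.34",
    "mail.example.test": "203.0.113.10",   # mail usually cannot be proxied: leaks origin
    "dev.example.test": "203.0.113.10",    # forgotten staging record pointing at origin
    "ftp.example.test": "203.0.113.11",
}


def is_proxied(ip, ranges=PROXY_RANGES):
    """True when ip falls inside one of the proxy provider's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_exposed_origins(records, ranges=PROXY_RANGES):
    """Map each non-proxied address to the sorted hostnames that reveal it."""
    exposed = {}
    for host, ip in records.items():
        if not is_proxied(ip, ranges):
            exposed.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in exposed.items()}


def shares_origin_with(records, proxied_host, ranges=PROXY_RANGES):
    """Hostnames whose unproxied address also serves proxied_host's content.

    The audit cannot know which origin hosts the web site; it lists every candidate
    so the owner can confirm which one must be moved or firewalled to CDN ranges only.
    """
    if proxied_host not in records or not is_proxied(records[proxied_host], ranges):
        return []
    return sorted(h for h, ip in records.items() if not is_proxied(ip, ranges))


if __name__ == "__main__":
    for ip, hosts in find_exposed_origins(SAMPLE_RECORDS).items():
        print(f"origin {ip} is exposed by: {', '.join(hosts)}")
    print("candidates behind www.example.test:", shares_origin_with(SAMPLE_RECORDS, "www.example.test"))
```

The fix is not to delete the records but to make the origin unreachable except from the proxy's ranges, since old records and historical DNS data (the "old database records" CloudFail also uses) keep the address findable long after it is removed from the zone.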

Utilizing Search Engine

Sunny Jovita – 2301939046

Week 3

Disclaimer: This blog is for educational purposes only.

I did this for education only, not for illegal purposes.

Firstly, I figured out that by using Google search operators, we can narrow down our searches and find what we're looking for. Those advanced operators are:

  • site:
  • link:
  • filetype:
  • cache:
  • intitle:
  • inurl:
  • etc.

I tried to gather information that is publicly available, or that was made public by accident. I also discovered that the Google Hacking Database was incredibly cool. There are a lot of entries there and, by using its queries (if I look further into the matter), maybe I will find various potential vulnerabilities, such as usernames and passwords, to discover information.

I clicked some dorks there and found some strange but interesting stuff, like webcams, usernames and passwords in .sql files, and others. I can also filter these dorks if I want to see more specific categories, such as vulnerable servers, files containing passwords, or others.

filetype:env “DB_PASSWORD”
I tried this query and found some .env files; if such a file is publicly available, it can reveal database passwords and usernames, which is a bad thing. (I didn't try to use the passwords and usernames that I found.)

intitle:”Nessus Scan Report” “This file was generated by Nessus”
I dug deeper into these operators and found some new things, like this syntax. I searched a bit and figured out that Nessus is a vulnerability scanning tool: it scans our system and tells us how the system is vulnerable. After that, I scrolled through some sites and tried to find information that is vulnerable.

Last but not least, I tried a syntax that I think is pretty good to know, even though it's a common query:
site:linkedin.com intitle:storenamehis/her job” “his/her name
By using this query, I can find some pretty revealing stuff. If I go further with the theHarvester tool, maybe I can find a few emails, subdomains, hosts, and others there.

Worm, Virus, and Trojan Horse

Sunny Jovita -2301939046

Week 4

Disclaimer: This blog is for educational purposes only.

Hackers often use programming and computer networking skills. Those skills are usually used to gain access to systems. Trojans, viruses and worms can be used to steal sensitive data, disrupt business operations, and so on.

Here, I will explain in more detail the ways that hackers can use Trojans, viruses and worms to attack computer systems.

Trojan

A malicious program used to control a victim’s computer from a remote location. Once activated, trojans can steal our sensitive data, and gain access to our system. These actions can include deleting, blocking, modifying, copying data, and disrupting the performance of computers or computer networks.

How to protect ourselves against Trojans

We can protect our devices (PCs, laptops, smartphones, etc.) from Trojans by installing anti-malware software. A strong anti-malware product such as Kaspersky Anti-Virus will detect and prevent Trojan attacks on our devices.

Worms

Worms are malicious, self-replicating programs that can spread throughout a network without human assistance.

Worms cause damage similar to viruses, exploiting holes in security software and potentially stealing sensitive information, corrupting files and installing a back door for remote access to the system, among other issues.

Classifications and names of worms include:
– Email-Worm
– IM-Worm
– IRC-Worm
– Net-Worm
– P2P-Worm

Viruses

A virus is a computer program that attaches itself to legitimate programs and files without the user’s consent. Viruses can consume computer resources such as memory and CPU time. The attacked programs and files are said to be “infected”.

A computer virus may be used to:
– Access private data such as user id and passwords
– Display annoying messages to the user
– Corrupt data in your computer
– Log the user’s keystrokes

Conclusion

There are various ways to protect systems from Trojan, worms, and viruses.

  • A policy that prohibits users from downloading unnecessary files from the Internet such as spam email attachments, games, programs that claim to speed up downloads, etc.
  • Anti-virus software must be installed on all user computers.
  • Regular backups of critical data must be made and stored on preferably read-only media.
  • Worms exploit vulnerabilities in the operating systems. Downloading operating system updates can help reduce the infection and replication of worms.
  • Worms can also be avoided by scanning all email attachments before downloading them.

Cracking Password Using Python

Sunny Jovita – 2301939046

Week 2

Disclaimer: This blog is for educational purposes only.

Recently, I learnt something new in the Ethical Hacking topic: password crackers. It's common knowledge that passwords are hashed for security reasons. Hashing is used to verify the integrity of our password. A password hash works by turning the actual password into a short string of letters and/or numbers using a hashing algorithm. If a document or website is hacked, the hackers don't get access to our password itself; instead, they only get access to the "hash" that was automatically created from our password.

There are a lot of programming languages that we can use for hacking (especially for password cracking). However, personally I like using Python because it has many important features, and provides great functionality as well which make it very useful for hacking.

How the program works

I created a small Python program that cracks a password using the dictionary attack method (the dictionary contains a lot of strings that are commonly used as passwords).

To begin the program, I use the hashlib library, since this module implements an interface to many different secure hash and message digest algorithms. It includes the MD5 algorithm, which is widely used as a hash function.

First, I assigned a variable called pass_hash to an input asking for the MD5 hash. Secondly, I set another variable called pass_list to the input of the .txt file which has a bunch of words in it.
Note: I took the password list from the internet, and the random hashes as well.

Here, I made a try/except block to handle error conditions. The program throws an exception (error) if it can't find the file location or the file name was entered incorrectly.

As we can see, this is the logic where the program compares the hashes of the different words inside the .txt file. To convert a word to bytes, we use encode('utf-8') on the string. After that, I use the hexdigest() function of the hash object, which returns a string containing only hexadecimal digits (it converts the word from the .txt file into MD5 hash format). This output is commonly known as a hash value.

Now, after creating the hashes, the program is going to compare the hash that we want to crack with all sorts of hashes that we produce from the words in the dictionary.
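The logic described above, as an added Python example rather than the post's own PassCrack.py: a dictionary check against an MD5 hash using encode('utf-8') and hexdigest(), then the reason unsalted MD5 is weak (one pass over the wordlist serves every hash in a dump), and finally the hardened storage form, a per-user random salt with PBKDF2-HMAC-SHA256, where that shortcut no longer works. The wordlist is constructed inline, and the target hash is derived in the script from the post's recovered password so the example runs offline.

```python
"""Dictionary check against MD5, and why salted PBKDF2 storage defeats it.

Added example, not the post's PassCrack.py. The wordlist is constructed; the
target hash is computed here from the post's recovered password.
"""
import hashlib
import hmac
import os

# Constructed wordlist; a real one would be read from a .txt file line by line.
WORDLIST = ["123456", "password", "qwerty", "sunnyjovita123", "letmein"]


def md5_hex(word):
    """Hash a word the way the post describes: encode to UTF-8, MD5, hexdigest."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack_md5(target_hash, words):
    """Dictionary attack: return the word whose MD5 equals target_hash, else None."""
    target_hash = target_hash.strip().lower()
    for word in words:
        if md5_hex(word) == target_hash:
            return word
    return None


def crack_many_md5(target_hashes, words):
    """Unsalted hashes let one precomputed table answer for every hash in a dump."""
    table = {md5_hex(w): w for w in words}      # hashed once, reused for all targets
    return {h: table.get(h.strip().lower()) for h in target_hashes}


def pbkdf2_store(password, iterations=200_000):
    """Hardened form: random 16-byte salt per user plus a slow, iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    target = md5_hex("sunnyjovita123")            # stands in for the hash read from input
    print("MD5 target:", target)
    print("cracked:", crack_md5(target, WORDLIST))
    # Two users with the same password get different salted records, so a wordlist
    # table built once cannot be reused; every user costs a full PBKDF2 run per guess.
    a, b = pbkdf2_store("sunnyjovita123"), pbkdf2_store("sunnyjovita123")
    print("same password, same record?", a == b)
    print("verify correct:", pbkdf2_verify(a, "sunnyjovita123"),
          "verify wrong:", pbkdf2_verify(a, "wrong"))
```

The iteration count is what makes each guess expensive; it is stored with the record so it can be raised for new passwords without breaking verification of old ones.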

Finally, we can try to run the program which is PassCrack.py inside the command prompt.

This is the list of hashes that I found from internet, I am going to use it in the program. I will use one of these hashes to crack it.

After running it in the command prompt, the program will be like this, and it shows that the password has been found and it’s called sunnyjovita123.

Conclusion

Last but not least, I figured out that password cracking is really enjoyable to do if we know how to do it. It increases the sense of exploration and is useful for figuring out the password. Maybe in the future I will explore this field further.

Installing Kali Linux on Windows 10 (Windows Subsystem For Linux)

Sunny Jovita – 2301939046

Week 1

Disclaimer: This blog is for educational purposes only.

Kali Linux is widely used, especially by security testers, ethical hackers and penetration testers. The tools included in Kali Linux are highly recommended by almost all security professionals.
WSL (Windows Subsystem for Linux) lets users who need them run Bash and the core Linux command-line tools on Windows.

Step 1. Installing Windows Subsystem For Linux

  • Open Windows PowerShell as administrator by pressing Windows + X
  • Inside PowerShell, type the following command:
  • Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

After pressing enter, the download starts; it can take a few minutes. You will be asked to restart your computer; press Y and it will reboot automatically.

Step 2. Download Kali Linux

  • Find Kali Linux in the Microsoft Store and click install/get.
  • Once Kali Linux has finished installing, launch it.
  • You will then be asked to create a UNIX username and password.

Step 3. Update and Upgrade Kali Linux

  • Don't forget to update the Kali system regularly by typing the following commands:
  • sudo apt-get update
  • sudo apt-get dist-upgrade

Step 4. Install penetration testing tools

  • To install a tool, use this command (replace name with the package name):
  • sudo apt-get install name
  • For example, if you want to install Wireshark, just type:
  • sudo apt-get install wireshark

Step 5. Add Windows Defender Exclusion

Unfortunately, Windows Defender sometimes detects the tools in Kali as viruses/malware; Metasploit, for example, is recognized as a virus. To prevent such errors, we can add a Windows Defender exclusion for the Kali Linux folder.

  • First, open File Explorer and go to the following folder:
  • C -> Users -> yourusername -> AppData -> Local -> Packages -> Linux Folder
  • Inside the Packages folder, you will find a Kali Linux folder; open it.
  • Finally, copy the Kali Linux folder location.

  • Second, open Windows Security by typing 'Windows Security' in the search bar.
  • Click Virus & threat protection.
  • Click Manage settings.
  • Scroll down to Add or remove exclusions.
  • Add a folder (the + sign).
  • In the folder bar, paste the Kali folder location copied earlier.
  • The folder should now appear in the exclusion list.

Finally, you should be able to use tools like Metasploit now.