Ethical Hacking

Which is Better: Ubuntu or Kali?

Sunny Jovita – 2031939046

Week 13

Disclaimer: This blog is for educational purposes only.

Ubuntu is a Linux-based operating system that belongs to the Debian family of Linux. Since it is Linux based, it is open source and freely available for use.

Kali Linux is also an open source operating system that is freely available for use. Kali Linux comes packed with more than 100 penetration testing, security research, digital forensics, reverse engineering, and ethical hacking tools.

Differences between Ubuntu and Kali Linux from GeeksforGeeks

However, apart from the differences above, it is not fair to compare them on the same level. In my opinion, if you are looking for an operating system for network security, penetration testing and similar work, Kali Linux is the best choice. Nevertheless, if you want a user friendly, general purpose operating system with the best GUI, Kali Linux cannot compete with Ubuntu.

In other words, we can describe Ubuntu and Kali Linux below:

  1. Ubuntu is more suited for personal use and for beginners who want to learn Linux. It is also used by many people who want their computer to be safe from viruses. In other words, Ubuntu is a user friendly, general purpose desktop/laptop operating system.
  2. Meanwhile, Kali Linux grew out of BackTrack, and BackTrack was Ubuntu with penetration testing packages installed. Kali comes with a number of penetration testing tools, be it for wifi or databases, built to be used instantly.

Port Scanning

Sunny Jovita – 2301939046

Week 12

Disclaimer: This blog is for educational purposes only.

Port scanning is a method of determining which ports on a network are open and could be receiving or sending data. It is also a process for sending packets to specific ports on a host and analyzing responses to identify vulnerabilities.

The goal behind port and network scanning is to identify the organization of IP addresses, hosts, and ports to properly determine open or vulnerable server locations and diagnose security levels. Both network and port scanning can reveal the presence of security measures in place such as a firewall between the server and the user’s device.

Here are some of the more prominent ports and their assigned services:

  1. Port 20 (UDP) holds File Transfer Protocol (FTP) used for data transfer
  2. Port 22 (TCP) holds Secure Shell (SSH) protocol for secure logins, ftp, and port forwarding
  3. Port 53 (UDP) is the Domain Name System (DNS) which translates names to IP addresses
  4. Port 80 (TCP) is the World Wide Web HTTP

In addition, numbers 1024 through 49151 are considered “registered ports” meaning they are registered by software corporations. Ports 49,151 through 65,536 are dynamic and private ports – and can be used by nearly everyone.

A port scanner generally sends a TCP or UDP network packet and asks the port about its current status. Below are the three types of responses:

  1. Open, Accepted: The computer responds and asks if there is anything it can do for you.
  2. Closed, Not Listening: The computer responds that “This port is currently in use and unavailable at this time.”
  3. Filtered, Dropped, Blocked: The computer doesn’t even bother to respond.

Steps to do Penetration Testing

Sunny Jovita – 2301939046

Week 11

Disclaimer: This blog is for educational purposes only.

In this post today, I will explain the best steps on how to do a successful penetration testing.

Step 1 – Signing NDA

Before performing a penetration test, it is important for your client and you to sign an NDA (Non-Disclosure Agreement). A non-disclosure agreement is an important legal framework used to protect sensitive and confidential information from being made available by the recipient of that information. The purpose of a signed NDA is to make the pentester commit to keeping all the confidential information and the findings safe.

Step 2 – Define the scope of the test

In here, you need to define the scope of the test, including the systems to be addressed, what testing method to be used, any data to provide to the tester, from where it will be tested, and by whom it will be tested. This stage is important for both tester and the client so they have a full understanding of what is expected and what information the tester will potentially have access to.

  1. Extent of the testing
  2. What will be tested
  3. From where it will be tested (internal, VPN, external)
  4. By whom it will be tested (personnel, 3rd party, internal)

Step 3 – Performing the penetration testing

Detail process:

  1. Tools (based on the type of the test)
  2. Scanning
  3. Getting access
  4. Maintaining access

Step 4 – Reporting and delivering results

Once the test is finished, the data is ready to be analyzed to determine which vulnerabilities could be exploited. With all of this information, we can now go to the last phase of pentesting.

The final phase of pentesting is reporting. The report includes all the findings and the processes conducted during the pentest engagement. The tester submits the report to the client. The report will be the main communication tool for your pentest results, so it must be very clear, meaningful, and understandable for both the technical and the non-technical side. A good report contains the following sections:

  1. Background or introduction -> explains the purpose of the penetration test. (goal: the client should gain a clear idea about the goal and the expected results of the penetration test)
  2. Information gathering
  3. Vulnerability assessment
  4. Vulnerability confirmation
  5. Post exploitation
  6. Risk/exposure
  7. Conclusion to give a final overview of the test.

With the right steps to pentest, hopefully it will succeed.

TCP Half Open Port Scan or SYN scan

Sunny Jovita – 2301939046

Week 10

Disclaimer: This blog is for educational purposes only.

One of the most popular port scanning techniques is the TCP half open port scan, sometimes referred to as a SYN scan. This type of scan is fast and stealthy in finding the open ports on the target computer. Furthermore, it is hard to detect because it never completes the full TCP three-way handshake. The scanner sends a SYN message and just notes the SYN-ACK responses. In short, the scanner doesn't complete the connection by sending the final ACK; it just leaves the target hanging.

Below I will show you how to tell whether a port is open or closed.

In the picture above, we can say that this is a SYN scan or TCP half open port scan. Why? Because, as seen in the picture, packets 7 to 19 are exchanged between the source and target systems in the following steps:

Source = 192.168.223.171

Target destination = 192.168.223.172

Step 1

In packets 7, 8 and 9 the source sends a synchronization packet (SYN) to the server and waits for the target's response.

Step 2

In packet 10, the target replies with a packet containing both an acknowledgment (ACK) and a SYN directed to the source, and waits for the final ACK to arrive.

Step 3

However, as can be seen in packet 12, an RST is received from the target. (In packet 11, the scanner/source doesn't complete the connection by sending the final ACK; it leaves the target hanging.)

Conclusion

To summarize, the SYN/ACK packets in packets 10, 13 and 19 indicate that ports 5900, 22 and 137 are open: rfb is port 5900, ssh is port 22, and netbios-ssn is port 137. However, in packet 12 an RST response appears, which means that port is closed but the server is still alive. A port is considered open if its SYN probe receives a SYN/ACK response.

Any SYN-ACK responses indicate possibly open ports. An RST (reset) response means the port is closed, but there is a live computer or device there. The TCP half open scan is the default scan in Nmap.
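To show how the three responses above translate into port states, and how the missing final ACK gives a half-open scan away to a defender reading a capture, here is an added example (not code from the original post). The packet list is constructed to mirror the exchange described above (scanner 192.168.223.171, target 192.168.223.172); the packet numbers, source ports and the extra benign client are assumptions.

```python
# Added example (not from the original post): classifies probed ports from a
# packet list and flags half-open scanners. PACKETS is constructed to mirror
# the exchange described above (scanner 192.168.223.171, target .172).
from collections import defaultdict

# (packet_no, src, dst, sport, dport, tcp_flags)
PACKETS = [
    (7,  "192.168.223.171", "192.168.223.172", 40001, 5900, "SYN"),
    (8,  "192.168.223.171", "192.168.223.172", 40002, 22,   "SYN"),
    (9,  "192.168.223.171", "192.168.223.172", 40003, 80,   "SYN"),
    (10, "192.168.223.172", "192.168.223.171", 5900, 40001, "SYN/ACK"),
    (11, "192.168.223.171", "192.168.223.172", 40001, 5900, "RST"),      # scanner tears down
    (12, "192.168.223.172", "192.168.223.171", 80,   40003, "RST/ACK"),  # closed port
    (13, "192.168.223.172", "192.168.223.171", 22,   40002, "SYN/ACK"),
    (14, "192.168.223.171", "192.168.223.172", 40002, 22,   "RST"),
    (15, "192.168.223.171", "192.168.223.172", 40005, 445,  "SYN"),      # never answered
    (18, "192.168.223.171", "192.168.223.172", 40004, 137,  "SYN"),
    (19, "192.168.223.172", "192.168.223.171", 137,  40004, "SYN/ACK"),
    (20, "192.168.223.171", "192.168.223.172", 40004, 137,  "RST"),
    # A normal client that completes the handshake, for contrast.
    (21, "192.168.223.50",  "192.168.223.172", 50000, 22,   "SYN"),
    (22, "192.168.223.172", "192.168.223.50",  22,   50000, "SYN/ACK"),
    (23, "192.168.223.50",  "192.168.223.172", 50000, 22,   "ACK"),
]

def classify_ports(packets):
    """Map each probed (target, port) to open / closed / filtered, using the
    three response types described in the post."""
    state = {}
    for _no, src, dst, sport, dport, flags in packets:
        if flags == "SYN":
            state.setdefault((dst, dport), "filtered")   # no reply seen yet
    for _no, src, dst, sport, dport, flags in packets:
        key = (src, sport)           # a reply comes from the probed port
        if key not in state:
            continue
        if flags == "SYN/ACK":
            state[key] = "open"
        elif flags.startswith("RST"):
            state[key] = "closed"
    return state

def half_open_sources(packets, min_unfinished=3):
    """Sources that were sent SYN/ACK but never replied with ACK: the
    signature of a SYN (half-open) scan. A normal client is not flagged."""
    offered = defaultdict(set)     # client -> {(server, port)} that sent SYN/ACK
    finished = defaultdict(set)    # client -> {(server, port)} it ACKed
    for _no, src, dst, sport, dport, flags in packets:
        if flags == "SYN/ACK":
            offered[dst].add((src, sport))
        elif flags == "ACK":
            finished[src].add((dst, dport))
    return {c for c, servers in offered.items()
            if len(servers - finished[c]) >= min_unfinished}
```

Port 445 ends up "filtered" because its SYN is never answered, while the client 192.168.223.50 is not flagged because it finished its handshake.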

Idle/Zombie Scanning 🧟

Sunny Jovita – 2301939046

Week 9

Disclaimer: This blog is for educational purposes only.

During penetration testing, collecting information is the most important stage. Based on the collected information, we can effectively improve the success rate of our penetration test. Equally important, there are various scanning techniques that attackers use while scanning a target.

The zombie scan, or idle scan, is one of them. An idle scan is a form of port scanning in which the attacker uses another PC, called a zombie, to hide behind, so that the scan is hard to trace back to the attacker.

The PCs or devices used as zombies have commonly been compromised or are controlled by an attacker. Such a device is used to carry out a variety of malicious actions against the target under the remote control of the attacker.

For further explanation, I will show you how the zombie/idle scan works.

As shown in the picture above, this is a zombie scan in which the victim's port is open, since the IPID is incremented by 2. In other words, the status of the port being scanned is open.

Step 1

The attacker sends a SYN|ACK segment to the zombie device or computer.

Step 2

The zombie responds to the attacker with an RST segment, and its IPID is 1765 (the IPID value of the zombie computer is 1765).

Step 3

The attacker sends a SYN segment to the target with the spoofed IP address of the zombie as the source (the target will only see that the packet comes from the zombie, not from the attacker).

Step 4

The target responds to the zombie with a SYN|ACK segment (which means that the port on the target computer is open). As shown in step 4, the target does not send the response directly to the attacker but to the zombie computer, because the attacker has spoofed the IP address of the zombie computer (the attacker hides behind the zombie, so the target never learns the real IP address).

Step 5

The zombie receives the SYN|ACK packet from the target and responds with an RST segment to the target. The zombie computer increases its IPID by one (from 1765 to 1766).

Step 6

Now the attacker sends another SYN|ACK segment to the zombie.

Step 7

Last, the zombie responds to the SYN|ACK packet from the attacker with an RST and increases its IPID by one again, which means the IPID will be 1767.

Conclusion

To conclude, the target's port is open since the IPID was incremented by 2, from 1765 to 1767.
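The seven steps above can be modelled end to end, which also shows why the mitigation (a randomized IP ID counter on the would-be zombie) breaks the inference. This is an added example, not code from the original post; Zombie and Target are assumed model classes and no packets are sent.

```python
# Added example (not from the original post): models the idle-scan IP ID
# inference with assumed classes Zombie and Target; no packets are sent.
import random

class Zombie:
    """A host whose IP ID counter is sequential (usable) or randomized."""
    def __init__(self, ipid=1764, randomized=False):
        self.ipid = ipid            # 1764 so the first reply carries 1765, as in the post
        self.randomized = randomized

    def _send(self):
        """Every packet the zombie emits consumes one IP ID value."""
        if self.randomized:
            self.ipid = random.randrange(0, 65536)
        else:
            self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def on_syn_ack(self):
        """An unsolicited SYN/ACK is answered with RST (one packet sent)."""
        return ("RST", self._send())

    def on_rst(self):
        """An RST is silently dropped: nothing sent, IP ID unchanged."""
        return None

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_syn(self, port):
        """Open port answers SYN/ACK, closed port answers RST."""
        return "SYN/ACK" if port in self.open_ports else "RST"

def idle_scan(zombie, target, port):
    """Return (ipid_delta, inferred_state) for one probed port."""
    _, before = zombie.on_syn_ack()     # steps 1-2: learn the zombie's IP ID
    reply = target.on_syn(port)         # steps 3-4: spoofed SYN; reply goes to zombie
    if reply == "SYN/ACK":
        zombie.on_syn_ack()             # step 5: zombie RSTs the target, IP ID +1
    else:
        zombie.on_rst()                 # closed port: zombie sends nothing
    _, after = zombie.on_syn_ack()      # steps 6-7: probe the zombie again
    delta = (after - before) & 0xFFFF
    state = {2: "open", 1: "closed"}.get(delta, "undetermined")
    return delta, state

def is_usable_zombie(zombie, probes=3):
    """A host is a viable zombie only if its IP ID grows by exactly 1 per
    packet; randomized IP IDs (the mitigation) defeat the inference."""
    _, last = zombie.on_syn_ack()
    for _ in range(probes):
        _, nxt = zombie.on_syn_ack()
        if (nxt - last) & 0xFFFF != 1:
            return False
        last = nxt
    return True
```

With a sequential zombie the open port yields the delta of 2 described in the post and a closed port yields 1; a zombie with randomized IP IDs fails the usability check, which is why modern operating systems randomize the counter.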

Vulnerability Mapping

Sunny Jovita – 2301939046

Week 7

Disclaimer: This blog is for educational purposes only.

Vulnerability mapping is commonly used to identify or detect possible security risks and map them to their targets.

Types of vulnerabilities mapping

  1. Design vulnerabilities = found in the software or protocol specification.
  2. Implementation vulnerabilities = found in code (error handling, exception, etc).
  3. Operational vulnerabilities = found due to the improper configuration and deployment in an environment.
  4. Local vulnerabilities = the attacker needs a local access to trigger vulnerability in the target.
  5. Remote vulnerabilities = unlike the local kind, the attacker doesn't need local access to trigger or exploit the target's vulnerabilities.

4 Vulnerability taxonomy

1. Gain access

  • smart bruteforcing
  • automated exploitation
  • manual exploitation
  • social engineering campaign
  • web app scanning and exploitation

2. Take control

  • command shell session
  • meterpreter session
  • manual authentication
  • proxy and vpn pivoting

3. Collect evidence

  • run evidence collection
  • live reporting
  • collect credentials

4. Discover devices

  • scan
  • import scan (nmap, nexpose, etc)
  • initiate nexpose scan
  • manually add device

Tools for vulnerability mapping

  1. openVAS
  2. w3af
  3. sqlmap
  4. metasploit
  5. uniscan
  6. nikto

I usually use nikto and uniscan while doing vulnerability mapping because both of them give me the detailed information I expect. Recently, I have been trying to use openVAS, sqlmap, and w3af while performing penetration testing to find vulnerabilities.

OpenVAS = a full vulnerability scanning and management platform.

These are the openVAS features:

  1. scanner
  2. manager
  3. assistant
  4. administrator

Sqlmap = detects and attempts to exploit SQL injection issues in database servers.

W3af = detects various vulnerabilities in web applications.

Social Engineering

Sunny Jovita – 2301939046

Week 8

Disclaimer: This blog is for educational purposes only.

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data.

In this post, I am going to show you on how to implement social engineering attack in daily life, using the Social Engineering Toolkit which is called setoolkit.

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to build a believable attack in a fraction of the time. Tools of this kind rely on human behavior to lure people into the attack vectors.

1. First, we can open up our Linux root terminal, and type this command:

setoolkit

You will see the welcome page like the picture above, and the options for the attack at the bottom.

2. At the bottom of the welcome page, we can see something like this. Since we are going to implement Social Engineering Attacks, choose number 1.

3. Third, the next options will be displayed, choose and hit enter to number 2, Website Attack Vectors.

4. For the next options, choose number 3, Credential Harvester Attack Method.

5. Choose number 1, Web Templates

6. As shown in the picture, it displays the attacker's IP address, i.e. our IP address. Since my device's IP address is correct, just hit enter.

Note: to check the IP address, type 'ipconfig' in the command prompt, or 'ifconfig' in the Kali Linux terminal.

7. Now that we have set our IP address, the next menu lists web phishing templates such as Java Required, Google and Twitter (other web templates can be used via Site Cloner). Because here we are aiming at Google accounts, we choose number 2, Google.

After pressing the enter, the Social Engineering toolkit (SET) starts my Kali Linux Webserver on port 80, with the fake Google account login page.

Finally our setup is done, and now we are ready to share our IP address, which we have found in step number 6, (10.0.2.15).

By sending the IP address to the target, we can obtain their information, such as their Google account username and password. The page looks real and no security warnings are displayed on it; the only giveaway is that the URL bar shows the IP address instead of the real URL. However, that could be changed by hosting the page under a domain name. We know that not everyone will recognize this as a fake Google page.

Enumerating Target

Sunny Jovita – 2301939046

Week 6

Disclaimer: This blog is for educational purposes only.

Enumerating a target is the process used to find and collect information about ports, operating systems, valid usernames, shared folders, and services available on the target machines.

Enumeration Techniques

There are some techniques in enumeration that can be used to gather the target’s information:

  • Extracting user names using email IDs
  • Extracting information using default passwords
  • Brute forcing Active Directory
  • Extracting user names using SNMP
  • Extracting user groups from Windows
  • Extracting information using DNS zone transfers

Some tools that can be used for enumeration:

NBTScan

– NBTScan: this tool is usually used to find the NetBIOS names and IP addresses of remote devices.

  • nbtscan -r ipaddress/24
  • nbtscan -v -s -r ipaddress/24

Brute force password

  • Hydra

Hydra is a parallelized network login cracker built into various operating systems like Kali Linux, Parrot and other major penetration testing environments. Hydra works by using different approaches to perform brute-force attacks in order to guess the right username and password combination.

hydra -L userfile -P password.txt ftp://ipaddress

hydra -l username -p password smb://ipaddress

  • Medusa

Medusa is an online password-cracking tool similar to THC Hydra. It claims to be a speedy parallel, modular and login brute-forcing tool.

medusa -h hostname -u username -p password -M ssh -n port

medusa -h hostname -U userfile -P password.txt -M ssh -n port

Penetration Testing Tools

Sunny Jovita – 2301939046

Week 5

Disclaimer: This blog is for educational purposes only.

On 19 March 2021, which was the 5th week of the Ethical Hacking and Penetration Testing course, I learned about some great penetration testing tools such as:

  1. TheHarvester
  2. Maltego
  3. CloudFail

TheHarvester

The purpose of this tool is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, and etc. It is really useful for anyone that wants to know what an attacker can see about their organization/company.

To use theHarvester, we can use this syntax:

  • cd theHarvester
  • python3 theHarvester.py -d domain.com -l range -b all

Maltego

Maltego is a platform or program that can be used to determine the relationships and real world links between:

  • People, social networks, companies, organizations
  • Websites, domains, DNS names, IP addresses
  • Documents, files, etc.

Maltego saves time, since it lets us gather all the security related information more accurately and more efficiently.

CloudFail

It utilizes misconfigured DNS and old database records to find hidden IPs behind the CloudFlare network.

Example:

Here, I tried to find the real IP address of hackme.pentest.id.

  1. First, I looked up the IP address using mxtoolbox.com and figured out that the IP address belonged to CloudFlare.
  2. Second, I used the CloudFail tool to discover the real IP address:

python3 cloudfail.py --target hackme.pentest.id --tor

It reports that hackme.pentest.id is part of the CloudFlare network. This tool then shows us the real IP address of a website behind CloudFlare.

Utilizing Search Engine

Sunny Jovita – 2301939046

Week 3

Disclaimer: This blog is for educational purposes only.

I did this for education only, not for illegal purposes.

Firstly, I figured out that by using Google search operators, we can narrow down our searches and find what we're looking for. Those advanced operators include:

  • site:
  • link:
  • filetype:
  • cache:
  • intitle:
  • inurl:
  • etc.

I tried to gather information that is publicly available, or was made public by accident. I also discovered that the Google Hacking Database is incredibly cool. It holds a lot of queries, and by using them (if I look further into the matter) I might find various potential exposures, such as usernames and passwords.

I clicked some dorks there and found some strange but interesting things, like webcams, usernames and passwords in .sql files, and others. I can also filter these dorks if I want to see more specific categories such as vulnerable servers or files containing passwords.

filetype:env "DB_PASSWORD"
I tried this query and found some .env files; if such a file is publicly available, it can reveal database passwords and usernames, which is a bad thing. (I didn't try to use the passwords and usernames that I found.)

intitle:"Nessus Scan Report" "This file was generated by Nessus"
I dug deeper into these operators and found new things like this query. I searched a bit and figured out that Nessus is a vulnerability scanning tool: it scans a system and reports how the system is vulnerable. After that, I scrolled through some sites and tried to find information about vulnerable systems.

Last but not least, I tried a query that I think is good to know, even though it is a common one:
site:linkedin.com intitle:"storename" "his/her job" "his/her name"
By using this query, I can find some pretty revealing information. If I go further with the theHarvester tool, I might find a few emails, subdomains, hosts, and other details there.