I’m going to provide the common methodology that is followed when hacking a machine, network or server. This tutorial will give you a good understanding and an overview of professional penetration testing from a black box (attacker) point of view. It is designed to give you an idea of how an attacker can break into your system; what I am going to say will increase your awareness and will open the door for you to go out and educate yourself easily. I gathered this information from various sources and tutorials; I have changed many things, clarified many parts, given some references, and put a lot of information together. I’m still a learner and on the way to my goal. However, this won’t prevent me from teaching others what I have learned so far, and don’t worry, I’m not going to provide you with any info that I’m not sure about yet. It is not the best tutorial out there, but at least it is a good starter. I will speak from a hacker (attacker or black box) point of view. I write this tutorial for educational purposes only.
Before you hack a system, you must decide what your goal is. Are you trying to take the system down, gain sensitive data, break into the system and obtain ‘root’ access, wreck the system by wiping everything on it, discover vulnerabilities and see how they can be exploited, etc.? The point is that you have to decide what the goal is first. On a professional penetration test that goal, and what you are allowed to touch, is agreed in writing with the client before anything else happens.
The most common goals are:
1. breaking into the system and taking admin privileges.
2. gaining sensitive data, such as credit card numbers or personal details usable for identity theft.
You should have all of your tools ready before you start taking the steps of hacking. There is a Linux distribution called BackTrack (its successor is Kali Linux); it is an operating system that comes with a large set of security tools that help you hack systems (penetration tests).
You should set the steps (methodology) that you plan to take on your journey before you do anything else. There is a common methodology followed by hackers, which I list below. However, you can create your own methodology if you know what you are doing.
Common steps to be taken for hacking a system:
1. Reconnaissance (footprinting).
2. Scanning.
3. Ports & Services Enumeration.
4. Vulnerability Assessment.
5. Vulnerability Exploitation.
6. Penetration and Access.
7. Privilege Escalation & owning the box.
8. Erase tracks.
9. Maintaining access.
The above methodology can change based on your goals. Feel free to adapt it!
Before you break into a system, you have to collect as much info as you can about the target. You have to study your target well before you attack; this step is called reconnaissance. The first part of it uses techniques and tools that the target cannot detect: you gather information the target has already published. For example, browse the target’s website, and if they are advertising for an SQL database administrator and a Windows Server admin, you have a hint that they run Windows Server and SQL databases. This is a “passive” action. An “active” action goes a step further and involves interacting with the target: calling the company to obtain some info, visiting the company, emailing employees to get some info, or fetching pages from the target’s web server so you can read their source code. In other words, passive means you gather info without touching the target’s own systems or people; active means you do, even if only as a normal-looking visitor or customer. The exact line between passive and active matters less than the goal, which is to gather info! Simple, huh? Good, let me go a little deeper.
In passive reconnaissance there is practically no chance of getting caught, because you only use publicly available info and never send anything to the target’s own systems (a whois or Google query goes to the registry or the search engine, not to the target). The kind of info you can gather through passive recon includes names, phone numbers, postal addresses, partner networks, and much more. This helps when you want to do some social engineering later! Sometimes non-public info is revealed along the way too. Several tools help you do passive reconnaissance, such as whois, which returns the registration details for a domain or IP block: registrant and contact names, name servers, address ranges, and so on. Other great tools are Sam Spade, domaintools, and Google (which can reveal lots of the target’s subdomains and much more).
Active reconnaissance goes beyond that: you interact directly with the target, for instance by scanning it, and try not to be noticed while you do so. Anything that touches the target’s systems, and so could show up in its IDS (Intrusion Detection System) or server logs, counts as active. You have to think of ways to extract info from the company that look normal, going a little deeper than passive recon: visit the physical location, do some social engineering, email staff, or talk to employees using the info you got from your passive recon. Things like that!
Examples of active reconnaissance techniques are banner grabbing, viewing the company’s public website source code and directory structure, social engineering, and shoulder surfing.
What the heck is banner grabbing?
You connect to a service and let it send you its banner: a block of text that usually names the software, often its version, and sometimes the operating system it runs on. Many services listening on a port announce themselves this way, and using those responses to work out which OS or application a remote host is running is called fingerprinting. In other words, fingerprinting is the process of determining the operating system (OS) or applications used by a remote target.
Learn more about banner grabbing:
http://www.net-square.com/httprint/httprint_paper.html
Can you give a brief example of Social Engineering?
For example, you find out where the IT admin goes after business hours, then start going to the same place and build a relationship, slowly making friends so you can extract more info bit by bit. Things like that! You know what I mean.
What is shoulder surfing?
Simply stand behind someone and watch what they are doing and typing on the keyboard. This is easy in public places where everyone is using a laptop on an open wireless network.
In summary, reconnaissance is one of the most important steps in hacking. The main idea is to gather all the info that is publicly available or easily obtainable. What we gather feeds social engineering and further research, which leads you to very critical info about the system. It starts with names, phone numbers, emails, IP ranges, domain structure, and so on.
Let me show you how banner grabbing is done. Telnet into your target server on port 80 as follows: go to the command line or a terminal and type
telnet xx.xxx.xxx.xxx 80
Now the connection is established. The server cannot tell you apart from a web browser; it simply waits for you to type an HTTP request so it can answer it. Normally that request says “Hey web server, give me such and such page”. We don’t really want to read the site through telnet, though; a browser does that better. What we want is the response headers the server sends back with every reply, because that is where it names itself. Asking for only the headers (a HEAD request) gives us exactly that without the page body. This technique lets you fingerprint various components of the target system.
Note: instead of telnet xxx.xx.xxx.xx 80 you can use nc xxx.xx.xxx.xxx 80; it’s the same thing. nc stands for netcat, and xx.xxx.xx.xxx represents the IP address of the target system.
After you connect, the remote server waits for you to enter a request. Type this, then press Enter twice (the blank line tells the server the request is complete):
HEAD / HTTP/1.0
Then you will get a reply that looks similar to:
HTTP/1.1 200 OK
Date: Sun, 02 Jan 2011 02:53:29 GMT
Server: Apache/1.3.3 (Unix) (Red Hat/Linux)
Last-Modified: Sun, 02 Jan 2011 11:18:14 GMT
ETag: "1813-49b-361b4df6"
Accept-Ranges: bytes
Content-Length: 1179
Connection: close
Content-Type: text/html
So the response headers brought back some important info: the server runs Apache 1.3.3 on Unix, specifically a Red Hat Linux build. (The reply says HTTP/1.1 even though we asked with HTTP/1.0; servers answer with the highest version they speak, which is normal.)
Or you might get headers that look similar to the following:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Expires: Wed, 29 Dec 2010 01:41:33 GMT
Date: Fri, 31 Dec 2010 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 May 2003 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
It means the server runs Microsoft IIS 5.0, which shipped with Windows 2000 (IIS 6.0 is the Windows Server 2003 version). The banner alone does not tell us the service pack or patch level.
Or you might get headers that look similar to the following:
Date: Sat, 01 Jan 2011 02:18:46 GMT
Server: Apache/1.3.41 (Unix) PHP/4.4.8 mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_ssl/2.8.31 OpenSSL/0.9.8b
Last-Modified: Sun, 02 Jan 2011 23:34:28 GMT
ETag: "c9865b-d91-48769c84"
Accept-Ranges: bytes
Content-Length: 3473
Connection: close
Content-Type: text/html
It means the server runs Apache 1.3.41 on a Unix box with PHP 4.4.8, and it even lists the loaded Apache modules and the OpenSSL build (0.9.8b), each with its version.
OK, you get it now?
Let’s say our target reports this banner: Apache/1.3.41 on a Unix box, running PHP/4.4.8.
At this point you look up that OS, Apache version and PHP version in vulnerability databases, and if a known vulnerability applies you can start the exploitation process. One caveat: the Server header is under the administrator’s control. Apache’s ServerTokens Prod directive trims it to just “Apache”, and it can be rewritten outright, so treat the banner as a hint and confirm it with other fingerprinting methods before you rely on it.
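Here is the same banner grab as a small script, so you can see exactly what the telnet session above is doing and parse the reply instead of reading it by eye. This is an added example, not code from the original tutorial. The host name target.example is a placeholder, the timeout and the parsing rules are my own choices, and the reply bytes it parses offline are a constructed copy of the first sample reply above. It also deliberately reports the version as unknown when the banner has been trimmed, which is what you will hit on a hardened server.

```python
"""Banner grab over HTTP, the way the tutorial does it by hand with telnet.

Added example, not code from the original tutorial. The host name
"target.example", the timeout and the parsing rules are my assumptions;
SAMPLE_REPLY is a constructed copy of the tutorial's first sample reply.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def build_head_request(path: str = "/") -> bytes:
    # HTTP/1.0 needs no Host header, which is why the tutorial uses it.
    # The empty line after the request line tells the server we are done.
    return f"HEAD {path} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP reply into its status line and a header map.

    Header names are lower-cased so lookups do not depend on how the
    server capitalises them. Only the head section (up to the first blank
    line) is read; a reply to HEAD has no body anyway.
    """
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = lines[0] if lines and lines[0].startswith("HTTP/") else ""
    headers: Dict[str, str] = {}
    for line in lines[1:] if status else lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


@dataclass
class Fingerprint:
    product: Optional[str] = None   # e.g. Apache, Microsoft-IIS
    version: Optional[str] = None   # e.g. 1.3.41; None if the banner hides it
    os_hint: Optional[str] = None   # parenthesised tokens such as (Unix)
    modules: List[str] = field(default_factory=list)  # e.g. PHP/4.4.8


def fingerprint(server_header: Optional[str]) -> Fingerprint:
    """Pull product, version, platform and module hints out of a Server header.

    A banner trimmed with ServerTokens Prod ('Apache') yields a product with
    no version; that is reported as unknown rather than guessed.
    """
    fp = Fingerprint()
    if not server_header:
        return fp
    m = re.match(r"([A-Za-z][\w.-]*)(?:/([\w.]+))?", server_header)
    if m:
        fp.product, fp.version = m.group(1), m.group(2)
    fp.os_hint = " ".join(re.findall(r"\(([^)]*)\)", server_header)) or None
    # Drop the parenthesised parts; every remaining name/version token after
    # the first (the product itself) is an add-on module.
    bare = re.sub(r"\([^)]*\)", " ", server_header)
    fp.modules = re.findall(r"\b([\w-]+/[\w.]+)", bare)[1:]
    return fp


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> Fingerprint:
    """Connect, send HEAD / HTTP/1.0, read until the server closes, fingerprint."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request())
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    _, headers = parse_response(raw)
    return fingerprint(headers.get("server"))


# Constructed sample: the first reply shown in the tutorial, as raw bytes.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 02 Jan 2011 02:53:29 GMT\r\n"
    b"Server: Apache/1.3.3 (Unix) (Red Hat/Linux)\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_REPLY)
    print(status, fingerprint(hdrs.get("server")))
    # Against a live host you are authorised to test (hypothetical name):
    # print(grab_banner("target.example"))
```

Run it as-is and it parses the embedded sample; uncomment the last line to point it at a host you have permission to probe. Reading until the server closes the connection is why the request uses HTTP/1.0: the server closes after one reply, so there is no need to parse Content-Length.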
Another example: use the program Sam Spade, which gives you a lot of info about your target. As long as you stick to its lookup functions (whois, DNS), the queries go to registries and name servers rather than to the target’s own systems, so nothing is triggered on the target’s IDS or firewall and the target does not know what we are looking at.
What is the difference between an IDS and a firewall?
An IDS (Intrusion Detection System) only detects and warns you about suspicious traffic; on its own it does not block anything, so the probes and attacks it notices are logged and alerted on but still allowed through. The evolution of the IDS is the IPS (Intrusion Prevention System), which watches for the same things but, instead of just alerting, sits inline and drops the traffic.
A firewall enforces a policy: it allows or blocks traffic based on addresses, ports, protocols and connection state. That stops a lot, but it cannot judge the content of traffic the policy allows; an attack against a web server on port 80 passes through a packet-filtering firewall like any other request, and the banner grab above is one such request. The other limitation is that a firewall may silently block traffic without ever warning you.
It is a good idea to have both an IDS and a firewall, because the IDS will warn you and the firewall will block what the policy forbids. Over the years firewalls have gotten more complex and added more features; one of them is IDS/IPS functionality, so today you can get a firewall with IDS built in (firewall and IDS combined into one security product).
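To see the defender’s side of the IDS question: a banner grab that no firewall blocks still leaves a line in the web server’s own access log, and that line looks different from a browser request. The script below is an added example, not from the original tutorial; it runs a simple scoring heuristic (my own, not a standard IDS rule) over a few constructed Apache combined-format log lines and flags the ones that look like a hand-typed probe.

```python
"""Spot banner-grab probes in Apache combined-format access logs.

Added example, not part of the original tutorial. The log lines, the
scoring weights and the threshold are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache "combined" log format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class LogEntry:
    ip: str
    method: str
    path: str
    proto: str
    user_agent: str


@dataclass
class Alert:
    ip: str
    score: int
    reasons: List[str]


def parse_access_log_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("req").split(" ")
    if len(parts) != 3:          # e.g. a bare "GET /" typed with no protocol
        return None
    method, path, proto = parts
    return LogEntry(m.group("ip"), method, path, proto, m.group("ua"))


def score_entry(e: LogEntry) -> Alert:
    """Heuristic score: higher means 'looks like a hand-typed probe'."""
    reasons: List[str] = []
    score = 0
    if e.user_agent in ("", "-"):   # telnet and nc send no User-Agent at all
        score += 2
        reasons.append("no User-Agent")
    if e.proto == "HTTP/1.0":       # the tutorial's request needs no Host header
        score += 1
        reasons.append("HTTP/1.0 request")
    if e.method == "HEAD" and e.path == "/":
        score += 1
        reasons.append("HEAD of document root")
    return Alert(e.ip, score, reasons)


def flag_banner_grabs(lines: Iterable[str], threshold: int = 2) -> List[Alert]:
    """Return one Alert per line whose score reaches the threshold.

    A lone HEAD / from a monitoring tool that sets a User-Agent scores 1 and
    is not reported; a request with no User-Agent at all is.
    """
    alerts: List[Alert] = []
    for line in lines:
        entry = parse_access_log_line(line)
        if entry is None:
            continue
        alert = score_entry(entry)
        if alert.score >= threshold:
            alerts.append(alert)
    return alerts


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jan/2011:02:53:29 +0000] "HEAD / HTTP/1.0" 200 - "-" "-"',
    '198.51.100.7 - - [02/Jan/2011:02:54:01 +0000] "GET /index.html HTTP/1.1" 200 1179 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"',
    '192.0.2.9 - - [02/Jan/2011:02:55:00 +0000] "HEAD / HTTP/1.1" 200 - "-" "check_http/v1.4.15 (nagios-plugins 1.4.15)"',
    '203.0.113.77 - - [02/Jan/2011:02:56:12 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "-"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for a in flag_banner_grabs(SAMPLE_LOG):
        print(f"{a.ip}: score {a.score}: {', '.join(a.reasons)}")
```

The missing User-Agent is the strongest signal because telnet and netcat send none, whereas browsers and monitoring tools always do. A production IDS signature would combine this with request rate and source reputation rather than judging single lines; the point here is only that the probe is visible to anyone who reads the log.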