Hacking cybersecurity

From Wikibooks, open books for an open world


Hacking

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Hacking

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.


Introduction

Hacking is the art of exploiting computers to gain access to information one is not authorized to have. What counts as unauthorized access depends on the party making the judgement, however. Now that the world relies on IT systems to gather, store and manipulate important information, there is a corresponding need to keep that data secure. No system is without its problems: holes are often present in security systems which, if exploited, allow hackers to reach otherwise restricted information. This Wikibook aims to give you the foundation needed to understand what constitutes hacking and the methodologies under which it is performed, both ethically and unethically.

Hacking and information security are continuously adapting fields, so the material presented in this book should be cross-referenced with more timely sources to ensure proper guidance.

Hacking is a controversial and divided topic, with varying interpretations of what constitutes ethical hacking. This book will attempt to maintain a neutral and unbiased presentation of fact, not favoring any one side. For a further discussion of one interpretation of "ethical hacking" see Hacker Ethic.



Introduction/Conventions

Conventions used in this Wikibook:

Italic
Used for file names and directory names. Also used to introduce new terms.
Constant width
Used to indicate commands, command lines, and command line switches.
Constant width italic
Used to indicate user-defined input; the user creates the text.
Constant width bold
Used in interactive examples to indicate literal user input.
Preformatted text blocks
Used for code blocks and multi-line shell output examples where whitespace matters.
[ ]
Brackets surround optional inputs; omit the brackets when supplying these inputs.



Introduction/The hacker ethic

It is important that hackers follow The Hacker Ethic in the same way that it is important that police follow their code of conduct. An abuse of skill within the hacking world causes harm to others. Remember: it is almost impossible to gain respect at the expense of others.

The Original Ethic

Back when computers just started to reach universities and students had access to open systems, curious users began to show a certain disregard for the rules. These users would enter areas of the system without authorization, gaining access to privileged resources. With no Internet and no copies of Hacking Exposed or Security Warrior to assist them, they had to figure out how to enter the systems on their own.

Although these young students represented the first hackers, they had no malicious intent; they simply wanted knowledge, information, a deeper understanding of the systems which they had access to. To justify and eventually distinguish their efforts, the hacking community developed The Hacker Ethic as a core part of their subculture. The Hacker Ethic states two basic principles:

  • Do no damage.
  • Make no one pay for your actions.

These two principles fall hand in hand. The original hackers had an intention to learn about the systems they invaded, not to destroy them or steal valuable confidential information. They wanted to know how they worked, their flaws, their strengths, interesting functions of their design. They had no authorization; at the time, they made up for this by making a point of neither interfering with anyone's work nor costing anyone any money in the process of exploring the system.

Unfortunately this mantra does not provide a fully effective cover for your actions. Even disregarding the legal ramifications, such as the Computer Fraud and Abuse Act of 1986, your actions will have devastating unintentional consequences if not carefully controlled. Robert Morris created the Morris Worm to gauge the size of the Internet harmlessly; unfortunately, it loaded down the systems it infected due to exponential re-infection, causing tens of millions of dollars of financial damage. You must always remember to carefully consider the short and long term impact of your actions on any system.

Today's Ethic

Today we need to add one more rule to The Hacker Ethic, a rule that we should have added long ago. The Morris Worm illustrates why this rule exists, even beyond legality.

  • Always get permission ahead of time.

Please remember to always get permission before acting. Your actions cause major disruption to the targets you attack: networks become slow, servers crash or hang, and you create spurious log entries. Any institution with a functioning information assurance (IA) team will notice your attack and treat it as malicious; they will invariably expend resources searching for back doors and trying to determine what confidential information you stole. All of this, even if you are never caught, demands that you acquire permission ahead of time.

You always have authorization to hack into servers you own; likewise, if you participate in a Capture the Flag game or as Red Cell in a Red vs Blue competition, you implicitly have the right to attack whatever is in scope of the exercise. In all other cases, you need to ask the owners of the machines for authorization; you can even ask them to pay for it, selling your services as a penetration test and giving them a comprehensive outline of their network's vulnerabilities and the mitigation steps needed to improve their security. As long as you have written permission ahead of time, stay within the scope that was agreed, and remember the first two rules of The Hacker Ethic, you may work on the network and the affected machines as the engagement requires.



Background knowledge

Scientia potentia est
"Knowledge is Power"


Programming
AutoIt
C Programming, C
Python
A Glimpse At Assembly, 6502 : Assembly
Security testing
Networking
TCP/IPv4
HTTP Strict Transport Security
MAC address
Packet analyzer
Promiscuous mode, Monitor mode
EAPOL
NAT — Network address translation
Wi-Fi
Wi-Fi, Wireless security, Wireless access point, SSID
AES-CCMP
WPA 2003 - 2018, WPA2 2004 - current, WPA3 2018 - current
TKIP 2002 — 2012
WEP 1997 — 2004
Encryption
Plaintext
Initialization vector
Pre-shared key
Password strength
Hash function
Message authentication code


See also

Basic Computer Security/Further Reading



Reconnaissance

Network reconnaissance methods can be passive or active.

Passive methods send nothing to the target and so leave no trace in its logs: sniffing (in monitor or promiscuous mode), passive TCP/IP stack fingerprinting, and footprinting from public sources (DNS, registry records, search engines, bug bounty program scope listings). Honeypots are the defender's counterpart: passive reconnaissance of attackers.

Active methods send packets to the target and can be logged: network enumeration, network scanning, port scanning, idle scanning. Attackers try to minimize their digital footprint; the idle scan exists precisely to hide the scanner's own address behind a third host.


Sniffing

A wireless sniffer can find IP addresses, which is helpful for network mapping.[1]

Access points usually connect the nodes of a wireless network to a wired network, acting as a bridge or a router.[2] A router forwards packets using a routing table; a bridge forwards frames using a table of MAC addresses it has learned from the traffic.[3]

Footprinting

Finding relevant and reachable IP addresses is the objective of the reconnaissance phase of attacking an organization over the Internet. The relevant IP addresses are determined by collecting as many DNS host names as possible and translating them to IP addresses and IP address ranges. This is called footprinting.[4]

A search engine is the key for finding as much information as possible about a target.[5] In many cases, organizations do not want to protect all their resources from internet access. For instance, a web server must be accessible. Many organizations additionally have email servers, FTP servers, and other systems that must be accessible over the internet.[6] The IP addresses of an organization are often grouped together. If one IP address has been found, the rest probably can be found around it.[7]

Name servers store tables that show how domain names must be translated to IP addresses and vice versa.[8] With Windows, the command NSLookup can be used to query DNS servers. When the word help is entered at NSLookup's prompt, a list of all commands is given.[9] With Linux, the command dig can be used to query DNS servers. It displays a list of options when invoked with the option -h only. And the command host reverses IP addresses to hostnames.[10] The program nmap can be used as a reverse DNS walker: nmap -sL 1.1.1.1-30 gives the reverse entries for the given range.[11]

ARIN, RIPE, APNIC, LACNIC, and AFRINIC are the five Regional Internet Registries responsible for the assignment and registration of IP addresses. Each has a website through which its database can be searched for the owner of an IP address (the WHOIS service). Some of the Registries respond to a search for the name of an organization with a list of all IP address ranges assigned to that name. However, the records are not always correct and are often of limited use on their own.[12]

Probably most computers with access to the internet receive their IP address dynamically through DHCP. This protocol has become more popular over the years because of the shortage of available IPv4 addresses and the growth of large networks whose membership changes constantly. DHCP is particularly important when many employees carry a portable computer from one office to another. The router/firewall device that people use at home to connect to the internet usually also functions as a DHCP server.[13]

Nowadays many router/DHCP devices perform Network Address Translation (NAT). The NAT device is a gateway between the local network and the internet. Seen from the internet, the NAT device seems to be a single host. With NAT, the local network can use any IP address space. Some IP address ranges are reserved for private networks. These ranges are typically used for the local area network behind a NAT device, and they are: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255.[14]

The relevant IP addresses must then be narrowed down to those that are reachable. This is where scanning comes into play.[15]
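The footprinting steps above (collect host names, turn them into addresses, look around the addresses you found, separate private from public ranges, and walk a range through reverse DNS as nmap -sL does) put together as an added example in Python. This is not code from the Wikibook or from any of the tools it names. The host names, addresses and PTR records are constructed sample data, and the resolver is passed in as a function so the example runs offline; for a live run pass socket.gethostbyname, or a wrapper around socket.gethostbyaddr, instead. expand_targets understands the Nmap octet-range syntax the text uses (1.1.1.1-30, 10.1.50.1-5,250-254).

```python
"""Footprinting helpers (added example, not from the Wikibook).

Resolve names to addresses, group the addresses into /24 networks,
separate RFC 1918 (private, behind NAT) addresses from public ones,
expand Nmap-style ranges and walk a range through reverse DNS.
"""
import ipaddress
from collections import defaultdict

# Constructed sample answers standing in for a real DNS resolver.
SAMPLE_DNS = {
    "www.example-corp.test": "203.0.113.10",
    "mail.example-corp.test": "203.0.113.25",
    "ftp.example-corp.test": "203.0.113.12",
    "intranet.example-corp.test": "10.0.5.20",   # private address leaked via DNS
    "cdn.example-corp.test": "198.51.100.7",
}
# Constructed reverse-DNS answers for part of the 203.0.113.0/24 range.
SAMPLE_RDNS = {
    "203.0.113.10": "www.example-corp.test",
    "203.0.113.11": "vpn.example-corp.test",     # not in the forward list
    "203.0.113.12": "ftp.example-corp.test",
}
# The private ranges the text lists; hosts here sit behind a NAT device.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_all(hostnames, resolver):
    """Map each name to an IPv4Address via resolver(name); failures are skipped.
    For live use pass socket.gethostbyname as the resolver."""
    found = {}
    for name in hostnames:
        try:
            found[name] = ipaddress.ip_address(resolver(name))
        except (KeyError, ValueError, OSError):   # unknown name, bad answer, NXDOMAIN
            continue
    return found


def group_by_network(addresses, prefixlen=24):
    """Group addresses by /prefixlen network: the neighbours of a known
    address are the first place to look for the rest of the organization."""
    groups = defaultdict(list)
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        groups[net].append(addr)
    return {net: sorted(addrs) for net, addrs in groups.items()}


def split_reachable(addresses):
    """Return (public, private); private addresses are unreachable from the Internet."""
    private = [a for a in addresses if any(a in net for net in RFC1918)]
    public = [a for a in addresses if a not in private]
    return public, private


def expand_targets(spec):
    """Expand an Nmap-style target such as "10.1.50.1-5,250-254": each octet
    is a value, a range lo-hi, or a comma-separated list of those."""
    per_octet = []
    for octet in spec.split("."):
        values = []
        for item in octet.split(","):
            lo, _, hi = item.partition("-")
            values.extend(range(int(lo), int(hi or lo) + 1))
        per_octet.append(values)
    if len(per_octet) != 4 or any(not 0 <= v <= 255 for vals in per_octet for v in vals):
        raise ValueError(f"bad target specification: {spec}")
    return [ipaddress.IPv4Address(f"{a}.{b}.{c}.{d}")
            for a in per_octet[0] for b in per_octet[1]
            for c in per_octet[2] for d in per_octet[3]]


def reverse_walk(addresses, rdns):
    """Reverse-DNS every address (what nmap -sL does); addresses without a
    PTR record are skipped.  For live use wrap socket.gethostbyaddr(...)[0]."""
    names = {}
    for addr in addresses:
        try:
            names[str(addr)] = rdns(str(addr))
        except (KeyError, OSError):
            continue
    return names


if __name__ == "__main__":
    found = resolve_all(SAMPLE_DNS, SAMPLE_DNS.__getitem__)
    public, private = split_reachable(found.values())
    for net, addrs in group_by_network(public).items():
        print(net, [str(a) for a in addrs])
    print("private (unreachable from outside):", [str(a) for a in private])
    print(reverse_walk(expand_targets("203.0.113.1-30"), SAMPLE_RDNS.__getitem__))
```

The reverse walk over the range around the addresses found by name turns up vpn.example-corp.test, which no forward lookup would have revealed; that is the point of "the rest can probably be found around it". The leaked 10.0.5.20 is worth noting in a report even though it cannot be reached from outside, since it tells you how the internal network is numbered.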

Host scanning

Once access to a wireless network has been gained, it is helpful to determine the network's topology, including the names of the computers connected to the network. Nmap, available for both Windows and Linux, can be used for this. However, Nmap does not draw a network diagram. The network scanner Network View, which runs on Windows, does. The program asks for one IP address or an IP address range; when it has finished scanning, it displays a map of the network using different pictures for routers, workstations, servers, and laptops, all with their names added.[16]

The most direct method for finding hosts on a LAN is using the program ping. When using a modern flavour of Unix, shell commands can be combined to produce custom ping-sweeps. When using Windows, the command-line can also be used to create a ping-sweep. Examples are given in the reference.[17]

Ping-sweeps are also known as host scans. Nmap performs a host scan when the option -sP is added: nmap -n -sP 10.160.9.1-30 scans the first 30 addresses of the subnet 10.160.9, where the -n option prevents reverse DNS lookups. (Current Nmap versions call this option -sn; -sP is still accepted as an alias.)

Ping packets once reliably determined whether a computer was on line at a specified IP address. Nowadays these ICMP echo request packets are often blocked by a host firewall. Although Nmap's default discovery also sends TCP probes to ports 80 and 443, specifying more TCP ports to probe is recommended when pings are blocked, because a SYN/ACK or a RST from any of them proves that the host is up. Consequently, nmap -sP -PS21,22,23,25,80,139,445,3389 10.160.9.1-30 can achieve better results. Combining several probe types, as in nmap -sP -PS21,22,23,25,80,135,139,445,1025,3389 -PU53,67,68,69,111,161,445,514 -PE -PP -PM 10.160.9.1-30 (TCP SYN, UDP, ICMP echo, ICMP timestamp and ICMP netmask probes), gives much more thorough host discovery at the cost of more traffic and more log entries on the targets.

Nmap is available for Windows and most Unix operating systems, and offers graphical and command-line interfaces.[18]

Port scanning

The purpose of port scanning is finding the open ports on the computers that were found with a host scan.[19] When a port scan is started on a network without making use of the results of a host scan, much time is wasted when many IP addresses in the address range are vacant.[20]

Open ports

Most programs that communicate over the Internet use either the TCP or the UDP protocol. Both protocols provide 65536 port numbers (0 to 65535) that programs can bind to. This allows many programs to run concurrently on one IP address. Most services have well-known default ports; for example, HTTP servers commonly use TCP port 80.

Port scanners try to connect to TCP or UDP ports. When a port accepts a connection, it is assumed that the program commonly bound to that port is running. This is only an assumption: a service can listen on any port, and version detection (the -sV option described below) is needed to confirm what is actually answering.

A TCP connection begins with a SYN packet sent from client to server. The server responds with a SYN/ACK packet. Finally, the client sends an ACK packet. When the scanner sends a SYN packet and gets a SYN/ACK back, the port is considered open. When a RST packet is received instead, the port is considered closed. When no response is received, the port is either considered filtered by a firewall or there is no running host at the IP address.

Scanning UDP ports is more difficult because UDP has no handshake and programs tend to discard UDP packets that they cannot parse. When a UDP packet is sent to a port with no program bound to it, the host returns an ICMP port unreachable error; that port can then be considered closed. When no answer is received, the port can be considered either filtered by a firewall or open. Many people abandoned UDP scanning because simple UDP scanners cannot distinguish between filtered and open ports.[21]
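A TCP connect scan that applies the open/closed/filtered rules of the paragraphs above, together with TCP-based host discovery of the kind the host-scanning section uses when ICMP is blocked. This is an added Python example, not Nmap's code: it uses the operating system's connect() call, so it is the unprivileged -sT behaviour rather than the half-open -sS scan, and it runs offline by opening a throwaway listener on 127.0.0.1. The listener, the port choices and the function names are the example's own.

```python
"""TCP connect scan and TCP-based host discovery (added example).

connect() performs the full three-way handshake, so the kernel reports the
outcome the text describes: SYN/ACK (connected) means open, RST (connection
refused) means closed, silence until the timeout means filtered, or no host
at that address at all.
"""
import socket


def probe_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # handshake completed: a SYN/ACK came back
        except ConnectionRefusedError:
            return "closed"        # the host answered our SYN with RST
        except OSError:
            return "filtered"      # timeout, or host/network unreachable


def connect_scan(host, ports, timeout=1.0):
    """Scan several ports; returns {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def host_is_up(host, probe_ports=(21, 22, 23, 25, 80, 139, 445, 3389), timeout=1.0):
    """Host discovery without ICMP, like Nmap's -PS list: a RST is as good as
    a SYN/ACK because both prove that something answered at that address.
    Only silence on every probe port leaves the host classified as down."""
    return any(probe_tcp_port(host, p, timeout) != "filtered" for p in probe_ports)


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port so the scan has an open
    port to find.  The kernel completes handshakes on its own, so no accept()
    is needed.  Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Pick a port that is almost certainly closed: bind to 0, read it, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = unused_port()
    try:
        print(connect_scan("127.0.0.1", [open_port, closed_port]))
        print("host up:", host_is_up("127.0.0.1", probe_ports=(closed_port,)))
        # An unrouted TEST-NET-1 address shows the 'filtered' verdict.
        print("192.0.2.1 port 80:", probe_tcp_port("192.0.2.1", 80, timeout=0.5))
    finally:
        srv.close()
```

Because each connect() completes the handshake, the target application sees a connection and may log it; that is the extra packet and extra logging the text attributes to -sT. The 'filtered' verdict is deliberately ambiguous, exactly as in Nmap's output: a dropped packet and an absent host look the same from the scanner.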

Common ports

Although it is most thorough to scan all 65536 ports, this takes far longer than scanning only the most common ones. Therefore Nmap scanned 1667 TCP ports by default in 2007;[22] current versions scan the 1000 most commonly open ports for each protocol, and -p- requests ports 1 to 65535.

Specifying ports

The -p option instructs Nmap to scan the specified ports, as in nmap -p 21-25,80,100-160 10.150.9.46. TCP and UDP ports can be specified together, as in nmap -sS -sU -p T:21-25,80,U:5000-5500 10.150.9.46; the U: ports are only scanned when a UDP scan (-sU) is requested alongside the TCP scan.[23]

Specifying targets

Nmap always requires the specification of a host or hosts to scan. A single host can be specified with an IP address or a domain name. Multiple hosts can be specified with IP address ranges. Examples are 1.1.1.1, www.company.com, and 10.1.50.1-5,250-254.[24]

Specifying scan type

TCP SYN scan Nmap performs a TCP SYN scan by default. In this scan, the packets have only their SYN flag set, and the handshake is never completed: Nmap answers a SYN/ACK with a RST, which is why it is also called a half-open scan. The -sS option specifies this default explicitly. The SYN scan needs raw socket access, so it is used when Nmap is started with root or administrator privileges; when Nmap is started as an ordinary user, a connect scan is performed instead.

TCP connect scan The -sT option instructs Nmap to establish a full connection through the operating system's connect() call. This scan is inferior to the previous one because an additional packet must be sent and the completed connection is much more likely to be logged by the target application. The connect scan is performed when Nmap runs without privileges; it was also the only option for IPv6 targets in older versions, although Nmap has supported raw IPv6 scanning since version 6.

TCP null scan The -sN option instructs Nmap to send packets that have none of the SYN, RST, and ACK flags set. When the TCP port is closed, a RST packet is sent in return. When the TCP port is open or filtered, there is no response. The null scan can often bypass a stateless firewall, but is not useful when a stateful firewall is employed. It also relies on the target following RFC 793; Windows and many network devices send a RST regardless of port state, so every port then appears closed.

UDP empty packet scan The -sU option instructs Nmap to send UDP packets with no data. When an ICMP error is returned, the port can be assumed closed. When no response is received, the port can be assumed open or filtered. No differentiation between open and filtered ports is a severe limitation.

UDP application data scan The -sU -sV options instruct Nmap to use application data for application identification. This combination of options can lead to very slow scanning.[25]


Other options

Specifying scan speed When packets are sent to a network faster than it can cope with, they are dropped, which leads to inaccurate scanning results. When an intrusion detection system or intrusion prevention system is present on the target network, detection becomes more likely as speed increases. Many IPS devices and firewalls respond to a storm of SYN packets by enabling SYN cookies, which make every port appear to be open. Full-speed scans can even wreak havoc on stateful network devices.

Nmap provides five templates for adjusting speed and also adapts itself. The -T0 option makes it wait for 5 minutes before the next packet is sent, the -T1 option makes it wait for 15 seconds, -T2 inserts 0.4 seconds, -T3 is the default (which leaves timing settings unchanged), -T4 reduces time-outs and retransmissions to speed things up slightly, and -T5 reduces time-outs and retransmissions even more to speed things up significantly. Modern IDS/IPS devices can detect scans that use the -T1 option. The user can also define a new template of settings and use it instead of a provided one.[26]


Application identification The -sV option instructs Nmap to also determine the version of a running application.[27]


Operating system identification The -O option instructs Nmap to try to determine the operating systems of the targets. Specially crafted packets are sent to open and closed ports and the responses are compared with a database.[28]


Saving output The -oX <filename> option instructs Nmap to save the output to a file in XML format.[29]
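The XML written by -oX is meant for programs rather than people. This added Python example, which is not part of the Wikibook or of Nmap, shows the shape of that file, turns it into plain records, and diffs two scans to pick out ports that were not open last time. The element and attribute names (nmaprun, host, status, address, hostnames, ports, port, state, service) are Nmap's own; the scan contents are a constructed sample, not a real scan.

```python
"""Read the XML that `nmap -oX` writes (added example, not Nmap's code)."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.160.9.1-30">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.160.9.7" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.corp.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.160.9.8" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: addr, up, hostname and a list of port dicts."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        addr_el = h.find("address[@addrtype='ipv4']")
        name_el = h.find("hostnames/hostname")
        host = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "up": status is not None and status.get("state") == "up",
            "hostname": name_el.get("name") if name_el is not None else None,
            "ports": [],
        }
        for p in h.iter("port"):
            state = p.find("state")
            svc = p.find("service")          # only present with -sV or a port match
            host["ports"].append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(host)
    return hosts


def open_services(hosts):
    """Flatten to (addr, proto, port, service) for every open port on a live host."""
    return [(h["addr"], p["proto"], p["port"], p["service"])
            for h in hosts if h["up"]
            for p in h["ports"] if p["state"] == "open"]


def new_open_ports(baseline_hosts, current_hosts):
    """Ports open now that were not open in the baseline: the first thing to
    look at when re-scanning a network you have already mapped."""
    return set(open_services(current_hosts)) - set(open_services(baseline_hosts))


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, proto, port, service in open_services(hosts):
        print(f"{addr} {proto}/{port} {service}")
    later = SAMPLE_NMAP_XML.replace('<state state="filtered" reason="no-response"/>',
                                    '<state state="open" reason="syn-ack"/>')
    print("newly open:", new_open_ports(hosts, parse_nmap_xml(later)))
```

Keeping each scan's XML and diffing it against the previous one is the cheapest form of change detection on a network you are responsible for; -oA writes the XML alongside the normal and grepable formats in one go.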


See also

Nmap

Vulnerability scanning

Vulnerability scanning determines whether known vulnerabilities are present on a target. A vulnerability is a flaw in a program or its configuration that can be exploited to violate a security property (confidentiality, integrity, or availability). New vulnerabilities are published in places such as the Full-Disclosure mailing list. The CERT Coordination Center (CERT/CC) brings out a statistical report every year.

Vulnerability and exploit databases:

Packet Storm: http://www.PacketStormSecurity.org/
The Exploit Database: http://www.exploit-db.com/

Tools

https://www.offensive-security.com/metasploit-unleashed/information-gathering/
https://docs.rapid7.com/metasploit/discovery-scan
https://www.bettercap.org/modules/ethernet/net.recon/
https://www.bettercap.org/modules/ethernet/net.sniff/
https://www.bettercap.org/modules/ethernet/net.probe/



Attack

A cyberattack is covert, unauthorized access to, or use of, an information system.

One of the simplest attacks is email spoofing. A notorious kind of attack is website defacement. A common way to make money by hacking is click fraud. Ransomware is an example of an expensive attack. An authorized simulation of a cyberattack is called a penetration test.


General stages

Preparation

As a white hat hacker, obtain written permission for the penetration test and follow the hacker ethic. Then anticipate possible problems and prepare what is needed before it is too late. Black hat hackers probably start by setting up anonymous communication through onion routing.

Tools:

https://docs.rapid7.com/metasploit/installing-metasploit-pro
https://www.offensive-security.com/metasploit-unleashed/metasploit-fundamentals/


Reconnaissance

See Reconnaissance

Creative

Develop exploits.

Aggressive

See Penetration

Post exploitation

The unified kill chain[30]

1. Reconnaissance - Researching, identifying and selecting targets using active or passive reconnaissance.
2. Weaponization - Preparatory activities aimed at setting up the infrastructure required for the attack.
3. Delivery - Techniques resulting in the transmission of a weaponized object to the targeted environment.
4. Social engineering - Techniques aimed at the manipulation of people to perform unsafe actions.
5. Exploitation - Techniques to exploit vulnerabilities in systems that may, amongst others, result in code execution.
6. Persistence - Any access, action or change to a system that gives an attacker persistent presence on the system.
7. Defense evasion - Techniques an attacker may specifically use for evading detection or avoiding other defenses.
8. Command & control - Techniques that allow attackers to communicate with controlled systems within a target network.
9. Pivoting - Tunneling traffic through a controlled system to other systems that are not directly accessible.
10. Discovery - Techniques that allow an attacker to gain knowledge about a system and its network environment.
11. Privilege escalation - The result of techniques that provide an attacker with higher permissions on a system or network.
12. Execution - Techniques that result in execution of attacker-controlled code on a local or remote system.
13. Credential access - Techniques resulting in the access of, or control over, system, service or domain credentials.
14. Lateral movement - Techniques that enable an adversary to horizontally access and control other remote systems.
15. Collection - Techniques used to identify and gather data from a target network prior to exfiltration.
16. Exfiltration - Techniques that result or aid in an attacker removing data from a target network.
17. Impact - Techniques aimed at manipulating, interrupting or destroying the target system or data.
18. Objectives - Socio-technical objectives of an attack that are intended to achieve a strategic goal.

References

  1. Wireless Security Handbook by Aaron E. Earle, Auerbach Publications, 2006, page 301.
  2. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 102.
  3. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 167.
  4. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 2-3, 5-6.
  5. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 36.
  6. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 178.
  7. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 19, 25.
  8. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 15.
  9. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 201-202.
  10. Linux in a Nutshell, 6th edition, by Ellen Siever and others, O'Reilly Media, Inc., 2009, pages 116-117, 197.
  11. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 29.
  12. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 26-27.
  13. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 215-217.
  14. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 61, 223-224.
  15. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 3, 7.
  16. WarDriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing, Inc., 2007, pages 112-115.
  17. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 87-88.
  18. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 34-37.
  19. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 37.
  20. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 35-36.
  21. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 32-33.
  22. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 37-39.
  23. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 38-39.
  24. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 40-42.
  25. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 42-44.
  26. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 45-47.
  27. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 49.
  28. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 49-50.
  29. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 51.
  30. Pols, Paul (May 17, 2021). "The Unified Kill Chain". UnifiedKillChain.com. https://www.unifiedkillchain.com/. 


See also

List of cyberattacks
List of security hacking incidents
Known AES attacks
https://www.wikihow.com/Hack
https://www.imperva.com/learn/
https://attack.mitre.org/ - adversary tactics and techniques (MITRE ATT&CK®)



Attack/Wireless networks

Cracking a wireless network is defeating the security of a wireless local-area network. A commonly used wireless LAN is a Wi-Fi network. Wireless LANs have inherent security weaknesses from which wired networks are exempt.

Two frequent types of vulnerabilities in wireless LANs are those caused by poor configuration, and those caused by weak or flawed security protocols.


Wi-Fi basics

Wi-Fi is the brand name of a family of wireless LAN protocols based on the IEEE 802.11 standards.
A service set is a group of wireless devices that share a service set identifier (SSID).
802.11 networks are either infrastructure networks or ad hoc networks. Unless stated otherwise, "wireless network" means an infrastructure network.
  • Infrastructure networks are composed of one or more access points (AP) that coordinate the wireless traffic between the nodes and often connect the nodes to a wired network, acting as a bridge or a router.
    Each access point constitutes a network that is named a basic service set or BSS. A BSS is identified by a BSSID, usually the MAC address of the access point.
    Each access point is part of an extended service set or ESS, which is identified by an ESSID or SSID in short, usually a character string.
    A basic service set consists of one access point and several wireless clients. An extended service set is a configuration with multiple AP and roaming capabilities for the clients. An independent basic service set or IBSS is the ad hoc configuration. This configuration allows wireless clients to connect to each other directly, without an access point as a central manager.
    APs broadcast a signal regularly to make the network known to clients. They relay traffic from one wireless client to another. APs may determine which clients may connect, and when clients do, they are said to be associated with the access point. To obtain access to an access point, both the BSSID and the SSID are required.
  • Ad hoc networks have no access point for central coordination. Each node connects in a peer-to-peer way. This configuration is an independent basic service set or IBSS. Ad hoc networks also have an SSID.


Frames

802.11 networks use data frames, management frames, and control frames. Data frames convey the real data, and are similar to those of Ethernet. Management frames maintain both network configuration and connectivity. Control frames manage access to the ether and prevent AP and clients from interfering with each other in the ether. Some information on management frames will be helpful to better understand what programs for reconnaissance do.

  • Beacon frames are used primarily in reconnaissance. They advertise the existence and basic configuration of the network. Each frame contains the BSSID, the SSID, and some information on basic authentication and encryption. Clients use the flow of beacon frames to monitor the signal strength of their access point.
  • Probe request frames are almost the same as the beacon frames. A probe request frame is sent from a client when it wants to connect to a wireless network. It contains information about the requested network.
  • Probe response frames are sent to clients to answer probe request frames. One response frame answers each request frame, and it contains information on the capabilities and configurations of the network. Useful for reconnaissance.
  • Authentication request frames are sent by clients when they want to connect to a network. Authentication precedes association in infrastructure networks. Either open authentication or shared key authentication is possible. After serious flaws were found in shared key authentication, most networks switched to open authentication, combined with a stronger authentication method applied after the association phase.
  • Authentication response frames are sent to clients to answer authentication request frames. There is one answer to each request, and it contains either status information or a challenge related to shared key authentication.
  • Association request frames are sent by clients to associate with the network. An association request frame contains much of the same information as the probe request contains, and it must have the SSID. This can be used to obtain the SSID when a network is configured to hide the SSID in beacon frames.
  • Association response frames are sent to clients to answer an association request frame. They contain a bit of network information and indicate whether the association was successful.
  • Deauthentication and disassociation frames are sent to a node to tear down an existing authentication or association, which must then be established anew. Before 802.11w (protected management frames) these frames carry no authentication, so anyone who knows the BSSID and a client's MAC address can forge them; this is the basis of the deauthentication attack mentioned later.
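The frame types just listed, parsed from bytes. This is an added Python example and not code from the Wikibook or from any of the tools named below. The frames are built in code from the IEEE 802.11 layout (24-byte MAC header, subtype-specific fixed fields, then tagged information elements) rather than captured, no radiotap header is modelled, and the BSSID, client address, channel and SSID are made up. It shows what a reconnaissance tool reads out of a beacon (BSSID, channel, privacy bit, RSN or WPA element), how a hidden SSID is recovered from a probe response or association request, and that a deauthentication frame carries nothing but a reason code.

```python
"""802.11 management frame parsing and SSID decloaking (added example).

Layout (IEEE 802.11): frame control (2) | duration (2) | addr1 (6) |
addr2 (6) | addr3 (6) | sequence control (2) | subtype-specific fixed
fields | information elements, each as id (1) | length (1) | value.
For frames to or from an AP, addr3 is the BSSID.
"""
import struct

SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
            8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"       # vendor IE: Microsoft OUI, type 1 = WPA
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010   # capability bits: infrastructure, encryption


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def ie(ie_id, value):
    """One tagged information element."""
    return bytes([ie_id, len(value)]) + value


def beacon_fixed(privacy=True, interval=100):
    """Fixed part of a beacon or probe response: timestamp, interval, capability."""
    return struct.pack("<QHH", 0, interval, CAP_ESS | (CAP_PRIVACY if privacy else 0))


def build_mgmt_frame(subtype, da, sa, bssid, fixed=b"", ies=b""):
    """Assemble a management frame (type 0) of the given subtype."""
    frame_control = struct.pack("<H", subtype << 4)      # version 0, type 0
    return (frame_control + struct.pack("<H", 0) + mac_bytes(da) + mac_bytes(sa)
            + mac_bytes(bssid) + struct.pack("<H", 0) + fixed + ies)


def parse_ies(body):
    """Return (id, value) pairs; a truncated trailing element is dropped."""
    out, i = [], 0
    while i + 2 <= len(body):
        ie_id, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break
        out.append((ie_id, body[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def parse_mgmt_frame(frame):
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    info = {"subtype": SUBTYPES.get(subtype, f"subtype-{subtype}"),
            "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    body, cap = frame[24:], None
    if subtype in (8, 5):                 # beacon, probe response: ts, interval, cap
        cap, body = struct.unpack_from("<QHH", body, 0)[2], body[12:]
    elif subtype == 0:                    # association request: cap, listen interval
        body = body[4:]
    elif subtype in (10, 12):             # disassociation, deauthentication
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
        return info                       # nothing else in the body
    ies = parse_ies(body)
    ssid = next((v for i, v in ies if i == IE_SSID), None)
    hidden = ssid is not None and (not ssid or set(ssid) == {0})   # empty or all-NUL
    info["hidden_ssid"] = hidden
    info["ssid"] = None if ssid is None or hidden else ssid.decode("utf-8", "replace")
    channel = next((v for i, v in ies if i == IE_DS_PARAM), b"")
    info["channel"] = channel[0] if channel else None
    if cap is not None:                   # only the AP's capability field is meaningful
        if not cap & CAP_PRIVACY:
            info["security"] = "open"
        elif any(i == IE_RSN for i, _ in ies):
            info["security"] = "WPA2/WPA3 (RSN)"
        elif any(i == IE_VENDOR and v.startswith(WPA_OUI_TYPE) for i, v in ies):
            info["security"] = "WPA"
        else:
            info["security"] = "WEP"      # privacy bit set, no WPA/RSN element
    return info


def decloak_ssids(frames):
    """BSSID -> SSID for networks whose beacons hide the SSID, learned from
    probe responses and association requests, which must carry it."""
    hidden, learned = set(), {}
    for f in map(parse_mgmt_frame, frames):
        if f["subtype"] == "beacon" and f["hidden_ssid"]:
            hidden.add(f["bssid"])
        elif f["subtype"] in ("probe-resp", "assoc-req") and f.get("ssid"):
            learned[f["bssid"]] = f["ssid"]
    return {b: learned[b] for b in hidden if b in learned}


# Constructed capture: a cloaked WPA2 beacon on channel 6, a client associating
# (which reveals the SSID), and a deauthentication carrying reason code 7.
AP, CLIENT, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    build_mgmt_frame(8, BCAST, AP, AP, beacon_fixed(),
                     ie(IE_SSID, b"") + ie(IE_DS_PARAM, b"\x06") + ie(IE_RSN, b"\x01\x00")),
    build_mgmt_frame(0, AP, CLIENT, AP, struct.pack("<HH", CAP_ESS | CAP_PRIVACY, 10),
                     ie(IE_SSID, b"corp-hidden")),
    build_mgmt_frame(12, CLIENT, AP, AP, struct.pack("<H", 7)),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_mgmt_frame(f))
    print("decloaked:", decloak_ssids(SAMPLE_FRAMES))
```

Everything the parser extracts is sent in the clear: the header addresses, the capability bits and the SSID are never encrypted, which is why cloaking the SSID and filtering on MAC addresses do not keep a listener in monitor mode from learning both. The deauthentication frame in the sample is what a deauth attack transmits, with nothing in it that proves the AP actually sent it.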

Reconnaissance of wireless networks

Reconnaissance is performed with network detectors, which rely on the monitor mode (also called rfmon) of the wireless network interface: in this mode the card passes every 802.11 frame it hears to the software, without associating with any network.


Wardriving is a common method of wireless network reconnaissance. A well-equipped wardriver uses a laptop computer with a wireless card, an antenna mounted on the car, a power inverter, a connected GPS receiver, and a way to connect to the Internet wirelessly. The purpose of wardriving is to locate a wireless network and to collect information about its configuration and associated clients.


Basic tools

linssid - GUI
wavemon - TUI
iwlist scan
iw dev $w scan
nmcli dev wifi
airodump-ng $w

Here $w stands for the name of the wireless interface (for example wlan0); airodump-ng expects that interface to be in monitor mode.

Bettercap

Bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi and other networks.

https://www.bettercap.org/modules/wifi/
https://www.bettercap.org/modules/ble/
https://www.bettercap.org/modules/hid/


inSSIDer

inSSIDer uses the current wireless card or a wireless USB adapter and supports most GPS devices (namely those that use NMEA 2.3 or higher). Its graphical user interface shows MAC address, SSID, signal strength, hardware brand, security, and network type of nearby Wi-Fi networks. It can also track the strength of the signals and show them in a time graph.

Kismet

Kismet is a multi-platform wireless network traffic analyzer.

Wireshark

Wireshark is a packet sniffer and network traffic analyser that runs on all popular operating systems, although its support for capturing wireless traffic is limited: it captures what the operating system and driver expose, so a monitor-mode interface is needed to see 802.11 management frames. It is free and open source. Decoding and analysing wireless traffic is not the foremost function of Wireshark, but it can give results that cannot be obtained with other programs. Wireshark requires sufficient knowledge of the network protocols to obtain a full analysis of the traffic, however.[1]

Analysers of AirMagnet

AirMagnet Laptop Analyser and AirMagnet Handheld Analyser are wireless network analysis tools made by AirMagnet. The company started with the Handheld Analyser, which was very suitable for surveying sites where wireless networks were deployed as well as for finding rogue access points. The Laptop Analyser was released because the hand-held product was impractical for the reconnaissance of wide areas. These commercial analysers probably offer the best combination of powerful analysis and simple user interface. However, they are not as well adapted to the needs of a wardriver as some of the free programs.[2]

Androdumpper

Androdumpper is an Android APK used to test and attack WPS wireless routers that have the WPS vulnerability, using algorithms to get into that Wi-Fi network. It runs best on Android versions 5.0 to 8.0.

Airopeek

Airopeek is a packet sniffer and network traffic analyser made by Wildpackets. This commercial program supports Windows and works with most wireless network interface cards. It has become the industry standard for capturing and analysing wireless traffic. However, like Wireshark, Airopeek requires thorough knowledge of the protocols to be used to its full ability.[3]

KisMac

KisMac is a program for the discovery of wireless networks that runs on the OS X operating system. The functionality of KisMac includes GPS support with mapping, SSID decloaking, deauthentication attacks, and WEP cracking.[3]

Penetration to wireless networks

There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by poor encryption. Poor configuration causes many vulnerabilities. Wireless networks are often put into use with no or insufficient security settings. With no security settings – the default configuration – access is obtained simply by association. Without sufficient security settings, cloaking and MAC address filtering can easily be defeated. Poor encryption causes the remaining vulnerabilities. Wired Equivalent Privacy (WEP) is defective and can be defeated in several ways. Wi-Fi Protected Access (WPA) and Cisco's Lightweight Extensible Authentication Protocol (LEAP) are vulnerable to dictionary attacks. Some attacks start with a Wi-Fi deauthentication attack.


Recent attacks:

KrØØk — WPA2 security vulnerability. Data remaining in transmit buffers is sent encrypted with a key that has been zeroed by disassociation. Discovered in 2019.
KRACK — Key Reinstallation Attacks. Breaks WPA2 by forcing nonce reuse. Discovered in 2016.


Encryption types and their attacks

Wired Equivalent Privacy (WEP)

WEP [1997 — 2004] was the first encryption standard available for wireless networks. It can be deployed in 64 and 128 bit strength. 64 bit WEP has a secret key of 40 bits and an initialisation vector of 24 bits, and is often called 40 bit WEP. 128 bit WEP has a secret key of 104 bits and an initialisation vector of 24 bits, and is called 104 bit WEP. Association is possible using a password, an ASCII key, or a hexadecimal key. There are two main methods of cracking WEP: the FMS attack and the chopping attack. The FMS attack – named after Fluhrer, Mantin, and Shamir – is based on a weakness of the RC4 encryption algorithm. The researchers found that 9000 of the possible 16 million initialisation vectors can be considered weak, and collecting enough of them allows the determination of the encryption key. To crack the WEP key in most cases, 5 million encrypted packets must be captured to collect about 3000 weak initialisation vectors. (In some cases 1500 vectors will do, in some other cases more than 5000 are needed for success.) The weak initialisation vectors are supplied to the Key Scheduling Algorithm (KSA) and the Pseudo Random Generator (PRNG) to determine the first byte of the WEP key. This procedure is then repeated for the remaining bytes of the key. The chopping attack chops the last byte off the captured encrypted packets. This breaks the Cyclic Redundancy Check/Integrity Check Value (CRC/ICV). When all 8 bits of the removed byte were zero, the CRC of the shortened packet is made valid again by manipulation of the last four bytes. This manipulation is: result = original XOR certain value. The manipulated packet can then be retransmitted. This method enables the determination of the key by collecting unique initialisation vectors. The main problem with both the FMS attack and the chopping attack is that capturing enough packets can take weeks or sometimes months. The speed of capturing packets can, however, be increased by injecting packets into the network. One or more Address Resolution Protocol (ARP) packets are usually collected to this end, and then transmitted to the access point repeatedly until enough response packets have been captured. ARP packets are a good choice because they have a recognizable size of 28 bytes. Waiting for a legitimate ARP packet can take a while. ARP packets are most commonly transmitted during an authentication process. Rather than waiting for that, sending a deauthentication frame that pushes a client off the network will require that client to reauthenticate. This often creates an ARP packet.[4]

Wi-Fi Protected Access (WPA/WPA2)

WPA was developed because of the vulnerabilities of WEP. WPA uses either a pre-shared key (WPA-PSK) or is used in combination with a RADIUS server (WPA-RADIUS). For its encryption algorithm, WPA uses either the Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES). WPA2 was developed because of some vulnerabilities of WPA-PSK and to strengthen the encryption further. WPA2 uses both TKIP and AES, and requires not only an encryption piece but also an authentication piece. A form of the Extensible Authentication Protocol (EAP) is deployed for this piece.[5] WPA-PSK can be attacked when the PSK is shorter than 21 characters. Firstly, the four-way EAP Over LAN (EAPOL) handshake must be captured. This can be captured during a legitimate authentication, or a reauthentication can be forced by sending deauthentication packets to clients. Secondly, each word of a word-list must be hashed with the Hashed Message Authentication Code – Secure Hash Algorithm 1 and two so-called nonce values, along with the MAC address of the client that asked for authentication and the MAC address of the access point that gave authentication. Word-lists are widely available.[6] LEAP uses a variation of Microsoft Challenge Handshake Protocol version 2 (MS-CHAPv2). This handshake uses the Data Encryption Standard (DES) for key selection. LEAP can be cracked with a dictionary attack. The attack involves capturing an authentication sequence and then comparing the last two bytes of a captured response with those generated with a word-list.[7] WPA-RADIUS cannot be cracked.[8] However, if the RADIUS authentication server itself can be cracked, then the whole network is imperilled. The security of authentication servers is often neglected.[9] WPA2 can be attacked by using the WPA-PSK attack, but the attack is largely ineffective.[8]

See also

WPA security issues

Aircrack-ng

Aircrack-ng runs on Windows and Linux, and can crack WEP and WPA-PSK. It can use the Pychkine-Tews-Weinmann and KoreK attacks, both of which are statistical methods that are more efficient than the traditional FMS attack. Aircrack-ng consists of several components. Airmon-ng configures the wireless network card. Airodump-ng captures the frames. Aireplay-ng generates traffic. Aircrack-ng does the cracking, using the data collected by airodump-ng. Finally, airdecap-ng decrypts all packets that were captured. Thus, aircrack-ng is the name of the suite and also of one of the components.[10]

CoWPAtty

CoWPAtty automates the dictionary attack for WPA-PSK. It runs on Linux. The program is started using a command-line interface, specifying a word-list that contains the passphrase, a dump file that contains the four-way EAPOL handshake, and the SSID of the network.[11]

Void11

Void11 is a program that deauthenticates clients. It runs on Linux.[12]

MAC address filtering and its attack

MAC address filtering can be used alone, as an ineffective security measure, or in combination with encryption. The attack consists of determining an allowed MAC address and then changing the attacker's MAC address to that address.


See also Changing Your MAC Address

Conclusion

Penetration testing of a wireless network is often a stepping stone for penetration testing of the internal network. The wireless network then serves as a so-called entry vector.[13][14] If WPA-RADIUS is in use at a target site, another entry vector must be investigated.[6]

Appendixes

Prevention and Protection

An unprotected wireless network is extremely insecure. From anywhere within broadcast range, someone can eavesdrop or start using the network. Therefore, the IEEE 802.11 standard for wireless networks was accompanied by Wired Equivalent Privacy (WEP). This security protocol is intended to provide the following:

  • authentication: assurance that all participants are who they state they are, and are authorized to use the network
  • confidentiality: protection against eavesdropping
  • integrity: assurance of data being unaltered

WEP has been criticized by security experts. Most experts regard it as ineffective by now.

In 2004 a draft for a better security protocol appeared, and it was included in the IEEE 802.11 standard in 2007. This new protocol, WPA2, uses an AES block cipher instead of the RC4 algorithm and has better procedures for authentication and key distribution. WPA2 is much more secure than WEP, but WEP was still in wide use in 2009.

Many wireless routers also support controlling the MAC addresses of computers that are authorized to use a wireless network. This measure can effectively stop a neighbour from using the network, but experienced intruders will not be stopped.[15] MAC filtering can be attacked because a MAC address can be faked easily.

In the past, turning off the broadcasting of the SSID has also been thought to give security to a wireless network. This is not the case however. Freely available tools exist that quickly discover an SSID that is not broadcast. Microsoft has also determined that switching off the broadcasting of the SSID leads to less security. Details can be found in Non-broadcast Wireless Networks with Microsoft Windows.

Returning to encryption, the WEP specification at any encryption strength is unable to withstand determined hacking. Therefore, Wi-Fi Protected Access (WPA) was derived from WEP. Software upgrades are often available. The latest devices that conform to the 802.11g or 802.11n standards also support WPA2. (WPA uses the TKIP encryption, WPA2 uses the stronger AES method.) It is recommended to use only hardware that supports WPA or WPA2.[16]

Installing updates regularly, disabling WPS, setting a custom SSID, requiring WPA2, and using a strong password make a wireless router more difficult to crack. Even so, unpatched security flaws in a router's software or firmware may still be used by an attacker to bypass encryption and gain control of the device. Many router manufacturers do not provide security updates in a timely manner, or at all, especially for cheaper models.

WPS currently has a severe vulnerability: the 8-digit numeric (0-9) PIN is verified in two halves, so each half can be brute-forced individually and the number of possible combinations is greatly reduced (10^4 + 10^3, as opposed to 10^7; WPS uses 7 digits plus an EAN-8 style checksum digit). Most manufacturers have by now addressed this with a lock-down mechanism: the router automatically locks WPS after a number of failed PIN attempts (it can take a number of hours before the router unlocks again, and some even have to be rebooted, which can make WPS attacks completely ineffective). Without a lock-down feature, a WPA2 router with WPS enabled can easily be cracked in 5 hours using a brute-force WPS attack.

SSIDs are used not only to identify routers among the mass of 2.4, 3.6, 5 and 60 GHz signals currently flying around our cities, but also as a "seed" for the router's password hashes. Standard and popular SSIDs such as "Netgear" can be brute-forced with rainbow tables; the use of a salt, however, greatly improves security against rainbow tables. The most popular method of WPA and WPA2 cracking is to obtain what is known as a "4-way handshake". When a device connects to a network there is a 4-stage authorization process referred to as the 4-way handshake. When a wireless device undergoes this process, the handshake is sent through the air and can easily be monitored and saved by an external system. The handshake is protected with keys derived from the router's password, which means that instead of communicating with the router directly (which can be quite slow), the cracker can attempt to brute-force the handshake itself using dictionary attacks. A device connected directly to the router still undergoes this very process; however, the handshake is sent through the connected wire instead of the air, so it cannot be intercepted. Intercepting a 4-way handshake does not mean that the cracker will be granted immediate access, however. If the password contains at least 12 characters consisting of random upper and lower case letters and numbers that do not spell a word or name and have no pattern, then the password is essentially uncrackable. To give an example, take the minimum of 8 characters for WPA2 and suppose we allow upper case and lower case letters, the digits 0-9 and a small selection of symbols, giving a choice of 64 characters. For an 8-character password this is a grand total of 64^8 possible combinations. With a single machine that could attempt 500 passwords per second, it would take about 17,900 years to try every possible combination, not to mention the amount of space needed to store every combination in a dictionary.
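As an added illustration of the handshake and SSID-seed points made above and in the WPA/WPA2 section earlier (example code, not from the Wikibook): the WPA-PSK key derivation from IEEE 802.11i, plus a small function that reproduces the "64^8 at 500 guesses per second" estimate. The MAC addresses and nonces are constructed; the "password"/"IEEE" test vector is the one published in the standard's annex.

```python
# Added example (not from the Wikibook): WPA/WPA2-Personal key derivation as
# defined in IEEE 802.11i, to show why the SSID acts as the salt and why
# passphrase length decides whether a captured 4-way handshake is worth attacking.
import hashlib
import hmac

PBKDF2_ROUNDS = 4096  # fixed by the standard for WPA-PSK
PTK_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).

    The SSID is the only salt: the same passphrase on two networks that share
    a default SSID such as "Netgear" gives the same PMK, which is what
    SSID-keyed rainbow tables rely on. A custom SSID defeats that reuse.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, dklen=32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK, both MAC addresses and both nonces.

    All four inputs are sent in the clear during the handshake, so a recorded
    handshake plus a passphrase guess is enough to recompute the PTK offline;
    only the cost of derive_pmk() and the size of the passphrase space protect
    the network. The min/max ordering makes the result independent of which
    side is named first. The first 16 bytes (the KCK) key the handshake MIC.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, PTK_LABEL, data)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every passphrase of the given length at a fixed guess rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample values, not a real capture.
    ap = bytes.fromhex("001122334455")
    sta = bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    for ssid in ("IEEE", "Netgear", "corp-wifi-7f3a"):
        print(f"PMK for passphrase 'password' on SSID {ssid!r}: {derive_pmk('password', ssid).hex()}")
    ptk = derive_ptk(derive_pmk("password", "IEEE"), ap, sta, anonce, snonce)
    print("KCK:", ptk[:16].hex())
    print(f"64^8 passphrases at 500 guesses/s: {years_to_exhaust(64, 8, 500):,.0f} years")
    print(f"64^12 passphrases at 500 guesses/s: {years_to_exhaust(64, 12, 500):.3g} years")
```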

Note: MAC filtering will not protect your network, since the MAC addresses in use on the network can easily be detected and spoofed.

Detection

A network scanner or sniffer is an application program that makes use of a wireless network interface card. It tunes the wireless card successively to a number of radio channels, cycling through them repeatedly. With a passive scanner this involves only the receiver of the wireless card, and therefore the scanning cannot be detected.

An attacker can obtain a considerable amount of information with a passive scanner, but more information may be obtained by sending crafted frames that provoke useful responses. This is called active scanning or probing. Active scanning also involves the use of the transmitter of the wireless card. The activity can therefore be detected and the wireless card can be located.

Detection is possible with an intrusion detection system for wireless networks, and locating is possible with suitable equipment.

Wireless intrusion detection systems are designed to detect anomalous behaviour. They have one or more sensors that collect SSIDs, radio channels, beacon intervals, encryption, MAC addresses, transmission speeds, and signal-to-noise ratios. Wireless intrusion detection systems maintain a registry of MAC addresses with which unknown clients are detected.[17]
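A minimal version of the sensor logic just described, added here as an illustration (not from the Wikibook): it keeps registries of known access points and clients and rate-checks deauthentication frames. The record format, thresholds and sample frames are constructed for the example.

```python
# Added example (not from the Wikibook): a minimal wireless intrusion detection
# pass that applies the registry-based checks described above to constructed
# 802.11 frame summaries. The record format, field names and thresholds are
# assumptions for this illustration.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float        # capture time, seconds
    ftype: str       # beacon | probe_req | assoc_req | deauth
    src: str         # transmitter MAC address
    bssid: str       # BSSID the frame belongs to (broadcast for probe requests)
    ssid: str = ""   # carried by beacons and probe requests
    channel: int = 0


def parse_line(line: str) -> Frame:
    """Parse one constructed 'ts,type,src,bssid,ssid,channel' record."""
    ts, ftype, src, bssid, ssid, channel = line.strip().split(",")
    return Frame(float(ts), ftype, src.lower(), bssid.lower(), ssid, int(channel))


class WirelessIDS:
    """Sensor logic: known-AP registry, known-client registry, deauth rate check."""

    def __init__(self, known_aps, known_clients, deauth_threshold=5, deauth_window=2.0):
        self.known_aps = {b.lower(): s for b, s in known_aps.items()}   # bssid -> ssid
        self.known_clients = {m.lower() for m in known_clients}
        self.deauth_threshold = deauth_threshold
        self.deauth_window = deauth_window
        self._deauth_times = defaultdict(deque)   # bssid -> recent deauth timestamps
        self._reported = set()                    # (kind, subject) already alerted

    def _alert(self, alerts, kind, subject, detail):
        if (kind, subject) not in self._reported:   # one alert per offender
            self._reported.add((kind, subject))
            alerts.append((kind, subject, detail))

    def process(self, f: Frame, alerts: list) -> None:
        if f.ftype == "beacon":
            # Evil twin / rogue AP: one of our SSIDs advertised by a BSSID we do not own.
            if f.ssid in self.known_aps.values() and f.bssid not in self.known_aps:
                self._alert(alerts, "rogue_ap", f.bssid,
                            f"advertises {f.ssid!r} on channel {f.channel}")
        elif f.ftype in ("probe_req", "assoc_req"):
            # Unknown client on the air: the MAC registry check from the text.
            if f.src not in self.known_clients:
                self._alert(alerts, "unknown_client", f.src, f"sent {f.ftype}")
        elif f.ftype == "deauth":
            # Deauth burst: the precursor to forced re-authentication described earlier.
            recent = self._deauth_times[f.bssid]
            recent.append(f.ts)
            while recent and f.ts - recent[0] > self.deauth_window:
                recent.popleft()
            if len(recent) >= self.deauth_threshold:
                self._alert(alerts, "deauth_flood", f.bssid,
                            f"{len(recent)} deauth frames within {self.deauth_window}s")


def analyse(lines, known_aps, known_clients):
    """Run every record through the sensor and return the alerts in order."""
    ids, alerts = WirelessIDS(known_aps, known_clients), []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            ids.process(parse_line(line), alerts)
    return alerts


# Constructed registry and capture (not real data).
KNOWN_APS = {"00:11:22:33:44:55": "CorpNet"}
KNOWN_CLIENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
SAMPLE_CAPTURE = """\
# ts,type,src,bssid,ssid,channel
0.00,beacon,00:11:22:33:44:55,00:11:22:33:44:55,CorpNet,6
0.10,probe_req,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,CorpNet,6
0.20,beacon,de:ad:be:ef:00:01,de:ad:be:ef:00:01,CorpNet,11
0.30,assoc_req,aa:bb:cc:00:00:02,00:11:22:33:44:55,,6
0.40,probe_req,12:34:56:78:9a:bc,ff:ff:ff:ff:ff:ff,CorpNet,6
1.00,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,6
1.05,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,6
1.10,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,6
1.15,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,6
1.20,deauth,00:11:22:33:44:55,00:11:22:33:44:55,,6
"""


def run_sample():
    return analyse(SAMPLE_CAPTURE.splitlines(), KNOWN_APS, KNOWN_CLIENTS)


if __name__ == "__main__":
    for kind, subject, detail in run_sample():
        print(f"[{kind}] {subject}: {detail}")
```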

Legality

In the Netherlands, making use of someone else's wireless access point or wireless router to connect to the internet – without the owner's consent in any way – is not punishable under criminal law. This is true even if the device uses some form of access protection. Penetrating someone else's computer without the owner's consent is punishable under criminal law, though.[18][19]

See also

Legality of piggybacking
Piggybacking (internet access) (parasitic use of wireless networks to obtain internet access)

Crackers and society

There is consensus that computer attackers can be divided into the following groups.

  • Adolescent amateurs. They often have a basic knowledge of computer systems and apply scripts and techniques that are available on the internet.
  • Adult amateurs. Most of them are motivated by the intellectual challenge.
  • Professionals. They know much about computers. They are motivated by the financial reward but they are also fond of their activity.[20]

Naming of crackers

The term hacker was originally used for someone who could modify a computer for his or her own purposes. Hacking is an intrusion combined with direct alteration of the security or data structures of the breached system. The word hacking is often confused with cracking in popular media discourse, and obfuscates the fact that hacking is less about eavesdropping and more related to interference and alteration.[21] However, because of the consistent abuse by the news media, in 2007 the term hacker was commonly used for someone who accesses a network or a computer without authorization of the owner.[22]

In 2011, Collins Dictionary stated that the word hacker can mean a computer fanatic, in particular one who by means of a personal computer breaks into the computer system of a company, government, or the like. It also denoted that in that sense the word hacker is slang. Slang words are not appropriate in formal writing or speech.[23]

Computer experts reserve the word hacker for a very clever programmer. They call someone who breaks into computers an intruder, attacker, or cracker.[24]


See also

Evil twin (wireless networks) — rogue Wi-Fi access point
Wireless intrusion prevention system
Wireless security
Mobile security
Wireless Geographic Logging Engine — http://www.wigle.net/

References

Penetration Tester's Open Source Toolkit. Various editions.
  1. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 117-118.
  2. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 126.
  3. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, page 129.
  4. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 284-288.
  5. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 285.
  6. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 288.
  7. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 289.
  8. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 281.
  9. Wireless Security Handbook by Aaron E. Earle, Auerbach Publications, 2006, page 196.
  10. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 226-227.
  11. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 306.
  12. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, pages 302-303.
  13. WarDriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing, Inc., 2007, page 150.
  14. Penetration Tester's Open Source Toolkit by Johnny Long and others, Syngress Publishing, Inc., 2006, page 311.
  15. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 161-162.
  16. Upgrading and repairing PC's, 19th edition, by Scott Mueller, Pearson Education, Inc., 2010, pages 900-901.
  17. Prabhaker Mateti, "Hacking Techniques in Wireless Networks", 2005. http://www.cs.wright.edu/%7Epmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm. Retrieved 2 October 2014.
  18. PC Plus (Dutch computer magazine), issue 04/2011, page 60.
  19. John Leyden, "Dutch courts: Wi-Fi 'hacking' is not a crime", 2011. https://www.theregister.co.uk/2011/03/21/wi_fi_hacking_holland/. Retrieved 2 October 2014.
  20. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, page 376.
  21. Running Linux, 5th edition, by Matthias Kalle Dalheimer and Matt Welsh, O'Reilly Media, Inc., 2005, pages 829-830.
  22. WarDriving & Wireless Penetration Testing by Chris Hurley and others, Syngress Publishing, Inc., 2007, page 4.
  23. Collins Dictionary, 11th edition, HarperCollins Publishers, 2011, pages xi, 741.
  24. Prabhaker Mateti, "Ethics in Internet Security", 2010. http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/Ethics/index.html. Retrieved 2 October 2014.



Attack/Exploits

  1. Research attack surface and vulnerabilities
  2. Develop attack vector
  3. Find or create an exploit
  4. Prepare or build a shellcode


An exploit takes advantage of a vulnerability. This can result in the execution of arbitrary commands by inserting them into the execution path of the program. Escalation of privileges, bypass of authentication, or infringement of confidentiality can be the result.


Metasploit

The Metasploit framework was released in 2003. This framework provided for the first time:

  • a single exploit database with easy updating,
  • free combination of an exploit with a payload,
  • a consistent interface for setting options, and
  • integrated encoding and evasion,

where:

  • an exploit is a code module that uses a particular vulnerability,
  • a payload is code that is sent along with the exploit to take some action, such as providing a command-line interface,
  • options are used to select variants of exploits and payloads,
  • encoding is modifying the payload to circumvent limitations, whether they are caused by the logic of the vulnerability or an inadequate IPS, and
  • evasion is bypassing security devices by employing evasion techniques.

The basic procedure of using Metasploit is: choose an exploit, choose a payload, set the IP address and port of the target, start the exploit, evaluate, and stop or repeat the procedure.[1]

Metasploit is not suited for finding the vulnerabilities of a host; a vulnerability scanner is. Alternatively, when a port scanner has found an open port, all exploits for that port may be tried.[2]

Metasploit 3.0 provides the following payloads:

  • VNC injection. This payload for targets that run Windows gives a graphical user interface to the target that is synchronized with the graphical user interface of the target.
  • File execution. This payload for targets that run Windows uploads a file and executes it.
  • Interactive shell. This payload gives a command-line interface to the target.
  • Add user. This payload adds a user with specified name and password that has administrator access.
  • Meterpreter. This payload gives a rich command-line interface to targets that run Windows.[3]

VNC connections need a relatively large bandwidth to be usable, and if someone is in front of the compromised computer then any interaction will be seen very quickly. The command-line interfaces of Linux and OS X are powerful, but that of Windows is not. The Meterpreter payload remedies these shortcomings. The reference gives a list of Meterpreter commands.[4]


Appendixes

See also:

Computer security exploits
Injection exploits
Log4Shell
Web security exploits
Cross-site scripting
Cross-site request forgery
Web Application Security Guide
PHP Programming/SQL Injection Attacks


Tools:

https://docs.rapid7.com/metasploit/validating-a-vulnerability
https://www.offensive-security.com/metasploit-unleashed/exploit-development/



Attack/Penetration

Examples

Denial-of-service attack
Downgrade attack to impose usage of weaker protection. For example POODLE attack.
Brute-force attack
Exploit vulnerabilities
Crack authorization
Cracking of wireless networks
Session hijacking by theft of a session key
Spoofing attacks: DNS spoofing, ARP spoofing, MAC spoofing
Fuzzing to crack trust boundaries
Man-in-the-middle attack.
Privilege escalation


Stages of the Unified Kill Chain related to the penetration stage:

3. Delivery - Techniques resulting in the transmission of a weaponized object to the targeted environment.
4. Social engineering - Techniques aimed at the manipulation of people to perform unsafe actions.
6. Persistence - Any access, action or change to a system that gives an attacker persistent presence on the system.
7. Defense evasion - Techniques an attacker may specifically use for evading detection or avoiding other defenses.
8. Command & control - Techniques that allow attackers to communicate with controlled systems within a target network.
11. Privilege escalation - The result of techniques that provide an attacker with higher permissions on a system or network.
12. Execution - Techniques that result in execution of attacker-controlled code on a local or remote system.
13. Credential access - Techniques resulting in the access of, or control over, system, service or domain credentials.
14. Lateral movement - Techniques that enable an adversary to horizontally access and control other remote systems.


Tools:

https://docs.rapid7.com/metasploit/listeners
https://www.bettercap.org/modules/ethernet/spoofers/
https://www.bettercap.org/modules/ethernet/proxies/
bettercap net.fuzz


See also:

Cyberattacks



Attack/Post exploitation

Goals

Pivoting
Manipulation. For example phishing, email fraud, click fraud.
Altering or destroying any kind of information. For example browser hijacking, domain hijacking, website defacement.
Stealing private information. For example : spyware, keystroke logging, data breach.
Finance. For example credit card hijacking, ransomware.
Access to physical resources. For example car hacking, Stuxnet.
Advanced persistent threat
Penetration test report

Maintaining control

The ultimate gratification for a network intruder always is to obtain administrator privileges for a network. When an intruder is inside, one of his or her first undertakings is often to install a so-called rootkit on a target computer. This is a collection of programs to facilitate durable influence on a system. Some of these programs are used to compromise new user accounts or new computers on the network. Other programs are to obscure the presence of the intruder. These obscuring programs may include false versions of standard network utilities such as netstat, or programs that can remove all data from the log files of a computer that relate to the intruder. Yet other programs of a rootkit may be used to survey the network or to overhear more passwords that are travelling over it. Rootkits may also give the means to change the very operating system of the computer it is installed on.

The network intruder then proceeds with creating one or more so called back doors. These are access provisions that are hard to find for system administrators, and they serve to prevent the logging and monitoring that results from normal use of the network. A back door may be a concealed account or an account of which the privileges have been escalated. Or it may be a utility for remote access, such as Telnet, that has been configured to operate with a port number that is not customary.

The network intruder then proceeds with stealing files, or stealing credit card information, or preparing a computer to send spam emails at will. Another goal is to prepare for the next intrusion. A cautious intruder is protective against discovery of his or her location. The method of choice is to use a computer that already has been attacked as an intermediary. Some intruders use a series of intermediate computers, making it impracticable to locate them.[5]


Back doors

The purpose of a back door is to maintain a communication channel and to have methods to control a host that has been gained entry to. These methods include file transfer and the execution of programs. It is often important to make sure that the access or communication remains secret, and access control is desirable in order to prevent others from using the back door.[6]

Back Orifice 2000 was designed as a back door. The server runs on Windows, and there are clients for Windows, Linux and other operating systems. The server is configured easily with a utility. After configuration, the server needs to be uploaded to the target and then started. Back Orifice 2000 supports file transfer, file execution, logging of keystrokes, and control of connections. There is also an AES plug-in for traffic encryption and an STCPIO plug-in for further obfuscation of the traffic. The first plug-in adds security and the combination of these plug-ins makes it much harder for an IDS to relate the traffic to a back door. More information can be found at http://www.bo2k.com.[7]


Rootkits

Rootkits specialize in hiding themselves and other programs.

Hacker Defender (hxdef) is an open source rootkit for Windows. It can hide its files, its process, its registry entries, and its port in multiple DLLs. Although it has a simple command-line interface as a back door, it is often better to use its ability to hide a more appropriate tool.[8]


Tools

https://docs.rapid7.com/metasploit/about-post-exploitation
https://www.offensive-security.com/metasploit-unleashed/msf-post-exploitation/
https://www.offensive-security.com/metasploit-unleashed/maintaining-access/
  1. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 193-194, 219.
  2. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 200-201.
  3. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 203-205, 325.
  4. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 215-218.
  5. Sams Teach Yourself TCP/IP in 24 Hours, 4th edition, by Joe Casad, Sams, 2009, pages 87, 275, 376-377, 385.
  6. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 323-324.
  7. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 334-335, 355-358.
  8. Security Power Tools by Bryan Burns and others, O'Reilly Media, Inc., 2007, pages 363-365.



Tools

General tools

Kali Linux, Pentoo are operating systems for penetration testing.
Metasploit Project — provides information about security vulnerabilities and aids in penetration testing and IDS signature development
Metasploit Unleashed – Free Ethical Hacking Course
Armitage — GUI for Metasploit
Veil generates Metasploit payloads that bypass common anti-virus solutions
Nessus is a proprietary vulnerability scanner.
NASL — The Nessus Attack Scripting Language — a scripting language that is used by vulnerability scanners like Nessus and OpenVAS.
https://beefproject.com/ The Browser Exploitation Framework.
Burp Suite
https://NoDistribute.com/ — privately scans files online with multiple different anti-viruses
Maltego for open-source intelligence and forensics
Google hacking — advanced search
Shodan — search engine for the Internet of Everything

Network tools

nmap discovers hosts and services on a computer network by sending packets and analyzing the responses.
traceroute displays route and measures transit delays of packets across an IP network.
nslookup queries the DNS to obtain the mapping between domain name and IP address, or other DNS records.
dig — a network administration command-line tool for querying the Domain Name System (DNS)
iproute2 — collection of userspace utilities for controlling and monitoring various aspects of networking in the Linux kernel, including routing, network interfaces, tunnels, traffic control, and network-related device drivers
netdiscover — ARP-based network address discovery tool
EtherApe is a packet sniffer/network traffic monitoring tool.
netsniff-ng is a free Linux network analyzer and networking toolkit.
Ettercap is a free and open-source network security tool for MITM attacks on a LAN.
Xerosploit — MITM framework. Powered by bettercap and nmap.
cloudflare-scrape to bypass Cloudflare's anti-bot page
dSniff — set of password sniffing and network traffic analysis tools
BDFProxy combines BackdoorFactory with mitmProxy
Netcraft
https://www.robtex.com/
OWASP ZAP — open-source web application security scanner

General purpose tools

packet analyzers: tcpdump, Wireshark
iptables — packet filter rules configuration


Defense

http://www.XArp.net — advanced ARP spoofing detection
HTTPS Everywhere
VPN

Wi-Fi tools

https://github.com/ZerBea/hcxtools converts Wi-Fi dump files to hashcat formats
https://github.com/brannondorsey/wifi-cracking cracks WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat

Password

Hashcat
John the Ripper
Hydra
https://sourceforge.net/projects/crunch-wordlist/ - wordlist generator

Other

https://github.com/laramies/theHarvester — E-mails, subdomains and names Harvester - OSINT
dirb — Web Content Scanner
https://sqlmap.org/ — detecting and exploiting SQL injection
https://app.any.run/ — interactive online malware analysis service

Targets

https://www.vulnhub.com/
https://www.root-me.org/?lang=en
http://www.vulnweb.com/
https://dvwa.co.uk/ - Damn Vulnerable Web Application
https://github.com/rapid7/metasploitable3 - target for testing exploits with Metasploit
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/


Further reading

https://sectools.org/
Decoding Obfuscated JavaScript Using Google Chrome.
Phishing.
Social engineering (security).
https://github.com/topics/security
https://outpost24.com/blog/wps-cracking-with-reaver
https://kalilinuxtutorials.com/mdk3/
25 Best Ethical Hacking Tools & Software for Hackers (2021)
https://medium.com/hacker-toolbelt