Sie sind auf Seite 1von 5

to download TOR n its bundles- http://www.torproject.org/ download.html.en to test tor is working-(https://check.torproject.org) intitle:Test.Page.for.Apache It worked!

running in apache site-resricts to domain Inurl-find strings in title of a page FiletypeLink Inanchor this Web site! -put in google to list servers

host "name" gives IP address but to keep it anonymous we use tor-resolve http://proxychains.sourceforge.net/)- use it to run nmap anonymously proxychains nmap -sT -PN -n -sV -p 21,22,53,80,110,139,143,443 10.10.10.100 here 10.10.10.100 is the IP address -st for to specify full connect -PN to skip host discovery -n to see to that no DNS req is made -sV server version n all -p common set of ports to scan here juicy ports 21-FTP control 22-Secure Shell SSh 23-telnet 25-smtp 53-DNS here TCP is used fr zone transfer 80-HTTP 110-POP3 139-NetBios Session Service 143-IMAP 156-SQL service 443-HTTPS 1720-VPN socat-(http://www.dest-unreach.org/socat/)- Allows bidirectional interaction thr u the privoxy socat TCP4-LISTEN:8080,fork SOCKS4a:127.0.0.1:10.10.10.100:80,socksport=9050 & to return the exact version after secure connect to the server is by nc 127.0.0.1 8080 HEAD / HTTP/1.0 FOOTPRINTING: Look into site archives to see wht is deleted delibrately See Cached version SiteDigger searches Google s cache using the Google Hacking Database use nmap -sL iprage [DNS] -sL lookup no intrusion .nmap does grep patter matching (GHDB) to look for vulnerable systems. start our domain lookup at http://whois.iana.org.And for IP use ARIN queries DNS Interrogation- DNS updates zone servers from primary if not done properly it is succeptible to attacks. Here name lookup is UDP n zone transfer is TCP HINFO record in DNS gives a description of the type of computer/OS a host uses

NEtwork Reconnaisance: Determine mail exchange records- look into the host handling mail as it more oft en the same one with the firewall use traceroute to see wht path the IP takes to reach the destination based on th e TTL and the hops they make. Use -p here to specify specific ports. tracert TCPtraceroute Scanning: Scanning large networks will take days using ping sweep ( Sending ICMP ty-8 and getting back ICMP ty-0) For Unix we use nmap sP 192.168.1.0/24 or fping nmap -sP -PT80 for specific port There are various ICMP message types fr each reply For windows use Superscan or nmap using TCP - send syn and wait for rst to see if alive to bypassACL use hping2 Use ICMP query to leverage on the ICMP type messages SCAN TYPES: 1.TCP connect scan- Full 3way handshake -sT 2.TCP SYN scan- oly SYN is sent. Dangerous as it leaves ports half open.But nw N MAP sends back RST to close that open port -sS 3.TCP FIN -similar to above bt wrks in unix oly waits fr RST , to check fr firew all-sF 4.TCP xmas tree - sends FIN URG n PUSH waits fr RST to check firewall -sX 5.TCP Null scan- turns off all flags and fools firewall -sN 6.TCP Ack scan - Maps firewall rule sets -sA 7.TCP RPC scan- prog an its version -sV 8.UDP Scan- Unreliable and time consuming due to packet loss and filtering -sU 9.TCP window Scan- based on window size 10.Idle scan We use strobe for TCP scanning . It also supports banner grabbing( Getting servi es version and OS details) use udp_scan fr scanning just default ports 1-1024 use wireshaRK SNIFFER fr UDP since time consuming we use default scan which checks fr select ports PORT SCAN EVASION !! fragment packets -f Decoy sccan -D delay time -T change data length ncat or nc ( used to create shells) Shell-own commands ask a service to listen i n another port , reverse shell-open NC in a diff port (inside to outside opens a port fr the system to speak with the attacker ) nc -v -z -w2 192.168.1.1 1-140 here -v verbose n vv fr very verbose -z zero mode i/o just emit a packet without payload -w2 for time out details -u fr UDP NMAP Typical command used in EY nmap -sS -P0 -p1-65535 -iL IPs_1-4.txt -oN IPs_1-4_TC Pfull.txt -vv - A

-sS Stealth scan -p specific ports -PO takes off ping operations -oN to give the results in an human readable format -oM to save a delimitted file -oX to sae in xml format all this can be done together too -iL Read list of targets frm txt file -A turns on OS and version detection -sA find out if protected by firewall -PN scan when protected by firewall 445, 139, and 135 -sP scans for servers and devices up and running -F fast scan --open show only open ports -TF fastest way to scan for open ports -sV detect remote services version number -PS -PA used when icmp msgs are blocked PA fr tcp ack and PS fr tcp syn -sO scan for ip protocols FTP SERVER FLAW : FTP BOUNCE ATTACK - can send untraceable mails n news -b can be used to bypass access control must have r/w dir /incoming PORT command to feed bogus port info SPECIFIC OS LISTENS TO SPECIFIC PORTS ( Good PRobability ) 445, 139, and 135 chance high fr Windows ( Vulnerable POrts ) portmapper (111), Berkeley R services ports (512 514), NFS (2049), and high-number ports (3277X and above) means UNIX or u'll see the error packet and decide the os . this is wht NMAP does in -o STACK FINGERPRINTING Finding about the OS from the ports open 1. Windows vista n below respond with a FIN ACK fr Fin msg 2. Bogus flag fr linux 3.TCP initial window size 4.ICMP msg quoting -O for operating sys guessing queso can also be used fr the same passive finger printing using TTL frangmentation and window size ENUMERATION: LOOK FR SERVICES VULNERABILITIES IN BUGTRAQ AND CVE then look into or milworm to look into the xploit methodology. Use telnet and nc( netcat) for banner grabbing FTP(21) TELNET(23) and SMTP(25) have typical error messages that cann be used fo r finding out accounts and other useful info ppl nw use ssh instead of vulnerable telnet VRFY and EXPN command in smpt can be used to validate users. vrfy.pl is a tool w ith list of entries of users and validates it For DNS we can track Zone transfers by using nslookup, ls d <domainname> same fr linux can be done using the dig command BIND is a DNS server with list of trgt server versions in version.bind , dig @10 .219.100.1 version.bind txt chaos will gain acess to it DNS cache can also be snooped using dig command to see if it is in cache or nt For HTTP USe HTTP HEAD method nc v www.example.com 80 ** Hit Enter ** **then**

HEAD / HTTP/1.1 For SSL openssl s_client quiet -connect www.example.com:443 HEAD / HTTP/1.1 For MSRPC (135) use epdump to find out abt the attached IPs fr linux side we use rpcdump.py NetBios UDP 137 net view /domain -lists domains available on the network Dumping the NetBIOS Name Table with nbtstat and nbtscan Use enum and nete fr getting more commands and their usage For SNMP use snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25 also use onesixtyone or SNscan For LDAP TCP/UDP 389 and 3268 use ldapenum has default guest/guest uthentication, Jexplorer nd LUMA are the other For HTTP vul methodds put delete trace { ONCE THE SERVICE IS IDENTIFIED SEARCH FOR VARIOS ENUMERATION METHODOLOGY FR IT } DNS CACHE POISONING THE NEXT LEVEL OF ATTACKS HACKING: Remote password Guessing: Can be done by using SMB(Server Message Block) is accessed via two TCP ports: TC P 445 and 139 Using FOR command to brute force passwords ater creating a txt file with default credentials C:\>FOR /F "tokens=1, 2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u :%j same feature using enum enum -D -u administrator -f Dictionary.txt mirage here mirage is the name of the server for SMB best tool to guess passsword is tsgrinder tsgrinder 192.168.230.244 SQL Server passwords can be performed with sqlbf Sniffing can also be used to crack passwords soe tools used fr this purpose are: Cain Sniff, KerbSniff and KerbCrack Man in the middle attacks can be done using SMBRelay Metasploit can remotely exploit Windows vulnerability. It has a GUI version too EXPLOIT : we use Metasploit canvas Adhoc - fr free style

Hacking Windows: PsExec to run remote commands . usually in 139 . Similar to unix R commands