Thursday, 20 September 2018

Ethical Hacking - Password Hacking

We have passwords for emails, databases, computer systems, servers, bank accounts, and virtually everything that we want to protect. Passwords are in general the keys to get access into a system or an account.
In general, people tend to set passwords that are easy to remember, such as their date of birth, names of family members, mobile numbers, etc. This is what makes the passwords weak and prone to easy hacking.
One should always take care to have a strong password to defend their accounts from potential hackers. A strong password has the following attributes −
  • Contains at least 8 characters.
  • A mix of letters, numbers, and special characters.
  • A combination of small and capital letters.

Dictionary Attack

In a dictionary attack, the hacker uses a predefined list of words from a dictionary to try and guess the password. If the set password is weak, then a dictionary attack can decode it quite fast.
Hydra is a popular tool that is widely used for dictionary attacks. Take a look at the following screenshot and observe how we have used Hydra to find out the password of an FTP service.
Dictionary Attack

Hybrid Dictionary Attack

Hybrid dictionary attack uses a set of dictionary words combined with extensions. For example, we have the word “admin” and combine it with number extensions such as “admin123”, “admin147”, etc.
Crunch is a wordlist generator where you can specify a standard character set or a character set. Crunch can generate all possible combinations and permutations. This tool comes bundled with the Kali distribution of Linux.
Hybrid Attack

Brute-Force Attack

In a brute-force attack, the hacker uses all possible combinations of letters, numbers, special characters, and small and capital letters to break the password. This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations. A brute-force attack is slow and the hacker might require a system with high processing power to perform all those permutations and combinations faster.
John the Ripper or Johnny is one of the powerful tools to set a brute-force attack and it comes bundled with the Kali distribution of Linux.
Brute Force

Rainbow Tables

A rainbow table contains a set of predefined passwords that are hashed. It is a lookup table used especially in recovering plain passwords from a cipher text. During the process of password recovery, it just looks at the pre-calculated hash table to crack the password. The tables can be downloaded from http://project-rainbowcrack.com/table.htm
RainbowCrack 1.6.1 is the tool to use the rainbow tables. It is available again in Kali distribution.
Rainbow Table

Quick Tips

  • Don’t note down the passwords anywhere, just memorize them.
  • Set strong passwords that are difficult to crack.
  • Use a combination of alphabets, digits, symbols, and capital and small letters.
  • Don’t set passwords that are similar to their usernames.

Ethical Hacking - Email Hijacking

Email Hijacking, or email hacking, is a widespread menace nowadays. It works by using the following three techniques which are email spoofing, social engineering tools, or inserting viruses in a user computer.

Email Spoofing

In email spoofing, the spammer sends emails from a known domain, so the receiver thinks that he knows this person and opens the mail. Such mails normally contain suspicious links, doubtful content, requests to transfer money, etc.
Example

Social Engineering

Spammers send promotional mails to different users, offering huge discount and tricking them to fill their personal data. You have tools available in Kali that can drive you to hijack an email.
Social Engineering
Email hacking can also be done by phishing techniques. See the following screenshot.
Phishing
The links in the email may install malware on the user’s system or redirect the user to a malicious website and trick them into divulging personal and financial information, such as passwords, account IDs or credit card details.
Phishing attacks are widely used by cybercriminals, as it is far easier to trick someone into clicking a malicious links in the email than trying to break through a computer’s defenses.

Inserting Viruses in a User System

The third technique by which a hacker can hijack your email account is by infecting your system with a virus or any other kind of malware. With the help of a virus, a hacker can take all your passwords.

How to detect if your email has been hijacked?

  • The recipients of spam emails include a bunch of people you know.
  • You try to access your account and the password no longer works.
  • You try to access the “Forgot Password” link and it does not go to the expected email.
  • Your Sent Items folder contains a bunch of spams you are not aware of sending.

Quick tips

In case you think that your email got hijacked, then you need to take the following actions −
  • Change the passwords immediately.
  • Notify your friends not to open links that they receive from your email account.
  • Contact the authorities and report that your account has been hacked.
  • Install a good antivirus on your computer and update it.
  • Set up double authentication password if it is supported.

Ethical Hacking - TCP/IP Hijacking

TCP/IP Hijacking is when an authorized user gains access to a genuine network connection of another user. It is done in order to bypass the password authentication which is normally the start of a session.
In theory, a TCP/IP connection is established as shown below −
TCP/IP
To hijack this connection, there are two possibilities −
  • Find the seq which is a number that increases by 1, but there is no chance to predict it.
  • The second possibility is to use the Man-in-the-Middle attack which, in simple words, is a type of network sniffing. For sniffing, we use tools like Wireshark or Ethercap.

Example

An attacker monitors the data transmission over a network and discovers the IP’s of two devices that participate in a connection.
When the hacker discovers the IP of one of the users, he can put down the connection of the other user by DoS attack and then resume communication by spoofing the IP of the disconnected user.

Shijack

In practice, one of the best TCP/IP hijack tools is Shijack. It is developed using Python language and you can download it from the following link − https://packetstormsecurity.com/sniffers/shijack.tgz
Here is an example of a Shijack command −
root:/home/root/hijack# ./shijack eth0 192.168.0.100 53517 192.168.0.200 23
Shijack
Here, we are trying to hijack a Telnet connection between the two hosts.

Hunt

Hunt is another popular tool that you can use to hijack a TCP/IP connection. It can be downloaded from − https://packetstormsecurity.com/sniffers/hunt/
Hunt

Quick Tip

All unencrypted sessions are vulnerable to TCP/IP session hijacking, so you should be using encrypted protocols as much as possible. Or, you should use double authentication techniques to keep the session secured.

Ethical Hacking - Trojan Attacks

Trojans are non-replication programs; they don’t reproduce their own codes by attaching themselves to other executable codes. They operate without the permissions or knowledge of the computer users.
Trojans hide themselves in healthy processes. However we should underline that Trojans infect outside machines only with the assistance of a computer user, like clicking a file that comes attached with email from an unknown person, plugging USB without scanning, opening unsafe URLs.
Trojans have several malicious functions −
  • They create backdoors to a system. Hackers can use these backdoors to access a victim system and its files. A hacker can use Trojans to edit and delete the files present on a victim system, or to observe the activities of the victim.
  • Trojans can steal all your financial data like bank accounts, transaction details, PayPal related information, etc. These are called Trojan-Banker.
  • Trojans can use the victim computer to attack other systems using Denial of Services.
  • Trojans can encrypt all your files and the hacker may thereafter demand money to decrypt them. These are Ransomware Trojans.
  • They can use your phones to send SMS to third parties. These are called SMS Trojans.

Trojan Information

If you have found a virus and want to investigate further regarding its function, then we will recommend that you have a look at the following virus databases, which are offered generally by antivirus vendors.

Quick Tips

  • Install a good antivirus and keep it updated.
  • Don’t open email attachments coming from unknown sources.
  • Don’t accept invitation from unknown people in social media.
  • Don’t open URLs sent by unknown people or URLs that are in weird form.

Ethical Hacking - Metasploit

Metasploit is one of the most powerful exploit tools. Most of its resources can be found at: https://www.metasploit.com. It comes in two versions − commercial and free edition. There are no major differences in the two versions, so in this tutorial, we will be mostly using the Community version (free) of Metasploit.
As an Ethical Hacker, you will be using “Kali Distribution” which has the Metasploit community version embedded in it along with other ethical hacking tools. But if you want to install Metasploit as a separate tool, you can easily do so on systems that run on Linux, Windows, or Mac OS X.
The hardware requirements to install Metasploit are −
  • 2 GHz+ processor
  • 1 GB RAM available
  • 1 GB+ available disk space
Matasploit can be used either with command prompt or with Web UI.
To open in Kali, go to Applications → Exploitation Tools → metasploit.
Exploitation Tools
After Metasploit starts, you will see the following screen. Highlighted in red underline is the version of Metasploit.
Highlighted Metaspolit

Exploits of Metasploit

From Vulnerability Scanner, we found that the Linux machine that we have for test is vulnerable to FTP service. Now, we will use the exploit that can work for us. The command is −
use “exploit path”
The screen will appear as follows −
Exploit Path
Then type mfs> show options in order to see what parameters you have to set in order to make it functional. As shown in the following screenshot, we have to set RHOST as the “target IP”.
Show Options
We type msf> set RHOST 192.168.1.101 and msf>set RPORT 21
Set Report
Then, type mfs>run. If the exploit is successful, then it will open one session that you can interact with, as shown in the following screenshot.
Open Session

Metasploit Payloads

Payload, in simple terms, are simple scripts that the hackers utilize to interact with a hacked system. Using payloads, they can transfer data to a victim system.
Metasploit payloads can be of three types −
  • Singles − Singles are very small and designed to create some kind of communication, then move to the next stage. For example, just creating a user.
  • Staged − It is a payload that an attacker can use to upload a bigger file onto a victim system.
  • Stages − Stages are payload components that are downloaded by Stagers modules. The various payload stages provide advanced features with no size limits such as Meterpreter and VNC Injection.

Payload Usage − Example

We use the command show payloads. With this exploit, we can see the payloads that we can use, and it will also show the payloads that will help us upload /execute files onto a victim system.
Payload
Payload Usage
To set the payload that we want, we will use the following command −
set PAYLOAD payload/path
Set the listen host and listen port (LHOST, LPORT) which are the attacker IPand port. Then set remote host and port (RPORT, LHOST) which are the victim IP and port.
Victim IP
Type “exploit”. It will create a session as shown below −
Create Session
Now we can play with the system according to the settings that this payload offers.

Ethical Hacking - Enumeration

Enumeration belongs to the first phase of Ethical Hacking, i.e., “Information Gathering”. This is a process where the attacker establishes an active connection with the victim and try to discover as much attack vectors as possible, which can be used to exploit the systems further.
Enumeration can be used to gain information on −
  • Network shares
  • SNMP data, if they are not secured properly
  • IP tables
  • Usernames of different systems
  • Passwords policies lists
Enumerations depend on the services that the systems offer. They can be −
  • DNS enumeration
  • NTP enumeration
  • SNMP enumeration
  • Linux/Windows enumeration
  • SMB enumeration
Let us now discuss some of the tools that are widely used for Enumeration.

NTP Suite

NTP Suite is used for NTP enumeration. This is important because in a network environment, you can find other primary servers that help the hosts to update their times and you can do it without authenticating the system.
Take a look at the following example.
ntpdate 192.168.1.100 01 Sept 12:50:49 ntpdate[627]: 
adjust time server 192.168.1.100 offset 0.005030 sec 

or 
ntpdc [-ilnps] [-c command] [hostname/IP_address] 
  
root@test]# ntpdc -c sysinfo 192.168.1.100 
***Warning changing to older implementation 
***Warning changing the request packet size from 160 to 48 
system peer: 192.168.1.101 

system peer mode: client
leap indicator: 00 
stratum: 5  

precision: -15 
root distance: 0.00107 s 
root dispersion: 0.02306 s 
reference ID: [192.168.1.101] 
reference time: f66s4f45.f633e130, Sept 01 2016 22:06:23.458 
system flags: monitor ntp stats calibrate 
jitter: 0.000000 s 
stability: 4.256 ppm 
broadcastdelay: 0.003875 s 
authdelay: 0.000107 s

enum4linux

enum4linux is used to enumerate Linux systems. Take a look at the following screenshot and observe how we have found the usernames present in a target host.
enum4linux

smtp-user-enum

smtp-user-enum tries to guess usernames by using SMTP service. Take a look at the following screenshot to understand how it does so.
SMTP

Quick Fix

It is recommended to disable all services that you don’t use. It reduces the possibilities of OS enumeration of the services that your systems are running.

Ethical Hacking - Exploitation

Exploitation is a piece of programmed software or script which can allow hackers to take control over a system, exploiting its vulnerabilities. Hackers normally use vulnerability scanners like Nessus, Nexpose, OpenVAS, etc. to find these vulnerabilities.
Metasploit is a powerful tool to locate vulnerabilities in a system.
Metasploit
Based on the vulnerabilities, we find exploits. Here, we will discuss some of the best vulnerability search engines that you can use.

Exploit Database

www.exploit-db.com is the place where you can find all the exploits related to a vulnerability.
Exploit

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVE) is the standard for information security vulnerability names. CVE is a dictionary of publicly known information security vulnerabilities and exposures. It’s free for public use. https://cve.mitre.org
CVE

National Vulnerability Database

National Vulnerability Database (NVD) is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. You can locate this database at − https://nvd.nist.gov
NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
National Vulnerability
In general, you will see that there are two types of exploits −
  • Remote Exploits − These are the type of exploits where you don’t have access to a remote system or network. Hackers use remote exploits to gain access to systems that are located at remote places.
  • Local Exploits − Local exploits are generally used by a system user having access to a local system, but who wants to overpass his rights.

Quick Fix

Vulnerabilities generally arise due to missing updates, so it is recommended that you update your system on a regular basis, for example, once a week.
In Windows environment, you can activate automatic updates by using the options available in the Control Panel → System and Security → Windows Updates.
Windows Environment
In Linux Centos, you can use the following command to install automatic update package.
yum -y install yum-cron