Recognize an objective
Ethical Hacking Course, Computer Security
You have probably finished Module 2 - Objective recognition; now we will see the practice of it.
We will learn to audit a DNS server to try to obtain relevant information about the network,
search for metadata from the IP, analyze a website to find its structure and the technologies
used, then make a complete copy of it, obtain possible email addresses, and also see whether
we can find vulnerabilities in the website through Google Hacking.
Responsibility:
This ethical hacking course is oriented to educational purposes, to improve your computer
security skills so that you can plan and design safer networks. It does not encourage illegal
activities in third-party systems or networks; if you commit an illegal activity in a system or
network, you do so at your own risk. If you want to practice and improve your ethical hacking
skills, do it on systems that are yours or where you have legal permission; I recommend using
operating system images installed in virtual machines in a controlled environment.
Objective: in this scenario you need to obtain the IP of the domain "vulnweb.com", so that the
scenario that follows can be completed successfully.
Requirements: have access to a terminal on any operating system.
Action
1. Open a terminal, in this case the Windows cmd, and type: ping vulnweb.com. The reply
gives us our objective.
Objective: in this scenario you need to obtain as much information as possible about the DNS
servers of "vulnweb.com".
Action
2. Once the DNS reconnaissance is done via the web, it gives us the information we are
looking for:
This provides a lot of important information, such as the list of DNS servers and the fact
that they do not have DNSSEC enabled.
3. This can also be done with an automated tool, in this case dnsenum, which is installed by
default in Kali.
4. We run dnsenum in the following way: dnsenum -d vulnweb.com:
We will obtain all the subdomains of a target domain using an automated tool called "recon-ng";
this tool uses a module that obtains information from Google.
1. Run recon-ng in Kali and look for DNS modules with search domains; this lists the
reconnaissance modules that specialize in DNS:
2. We will use the module, configure the target domain, which will be "vulnweb.com", and
finally run it with the command "run":
3. Once the recon-ng module has executed, we see that we obtained 34 subdomains, and the
target knows nothing about it because the work was done by Google: this is passive
reconnaissance:
Objective: in this scenario it is necessary to obtain as much information as possible about the IP
obtained in scenario 1, "176.28.50.165".
Action
Objective: in this scenario we will investigate, with specialized tools, how the website is built,
without attracting attention; these tools give us vital information about the site while we remain
normal visitors like any other.
Action
Objective: in this scenario we seek to obtain a complete copy of a target website on our local
machine; attackers generally perform this procedure for phishing.
Action
1. Run HTTrack and start copying the website:
We now have an exact copy of the target website on our local machine.
Objective: in this scenario we will look for information such as email addresses and the IP
addresses of the hosts belonging to the subdomains, using automated tools.
Action
1. Open the terminal in Kali and run theharvester in the following way: theharvester
-d vulnweb.com -b google -h:
This searches for email addresses available through Google, and with -h it looks up the IP
addresses of the subdomains in Shodan.
Objective: in this scenario we will look for information such as vulnerabilities or information
leaks using the search engines we use every day.
Action
1. Open SearchDiggity
The result of the scan tells us whether our target domain has vulnerabilities or problems
exposed through Google Hacking.
With this we finish the practice of Module 2 - Objective recognition of the ethical hacking.
You can also perform the same steps applied in this practice with this website:
http://testhtml5.vulnweb.com/#/popular
9 February 2018
If you finished the Module 3 - Network Scanning of the free ethical hacking course, now let's see
the practice, where we are going to see how to look for open ports, the services that work in
them, the vulnerabilities that they may have and how to connect to the Internet anonymously.
Full course: en.gburu.net/hack, here you will find all the topics of this free ethical hacking
course, in one place.
The target will be our Metasploitable virtual machine, which we saw how to install in the first
practice, and the attacker will be us, using Kali Linux. I have to mention that having Kali is not
necessary for this ethical hacking course; I simply use it because it has all the tools, or at least
most of them, installed by default, which saves us the time of installing them. You can simply
install the tools we will use in whatever environment you like best; I have no problem with that.
In Windows, for example, there are many tools with a very good graphical interface in case you
do not like the Linux terminal. The important thing is to understand the attack mechanism, the
theory, and how to defend ourselves; the tool to use comes later. When you master the theory
you will know which tool to use in each situation, which is why I recommend you look at
module 3 of this ethical hacking course.
It must be taken into account that not all the vulnerabilities we find will result in a successful
attack. When looking for known vulnerabilities, you will encounter more problems that reveal
sensitive information or that cause a denial of service than vulnerabilities that lead to remote
code execution. These can still be very interesting in a penetration test. In fact, even a seemingly
innocuous misconfiguration can be the highlight of a penetration test, because through that simple
error we may gain access to the target system or network.
Let's see a fairly common example: we are auditing a network and find an open service on
port 21; it turns out to be FTP, and when we try to access it we succeed through an account with
anonymous access, a very common configuration in these services. Although FTP is a very
insecure protocol, and in general we should guide our clients towards more secure options such
as SFTP, which encrypts all traffic, the use of FTP with anonymous user access does not by itself
lead to a compromise of the network. If you encounter an FTP server that allows anonymous
access, but read access is restricted to an FTP directory that does not contain any files of
interest to an attacker, then the risk associated with the anonymous user option is minimal.
But if you can read the entire file system using the anonymous FTP account, or, possibly even
worse, someone wrongly left the client's business secrets or user passwords in the FTP directory
readable by anonymous users, then this configuration becomes a very serious problem.
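As an added example that is not part of the course, here is a small Python audit of a vsftpd configuration for the anonymous-FTP risks just described; it uses the real vsftpd directive names and their documented defaults, and the two configurations it checks are constructed samples (a permissive one and a hardened one).

```python
"""Audit a vsftpd configuration for the anonymous-FTP risks described above.

Added example, not from the course. It reads vsftpd.conf-style text and reports
the settings that widen what an anonymous (or local) user can reach, using the
real vsftpd directive names and their documented defaults.
"""

# Constructed sample: a permissive configuration of the kind the text warns about.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chroot_local_user=NO
"""

# Constructed sample: the same server hardened. anon_root confines anonymous
# users to a directory that should hold only public material.
HARDENED_CONF = """\
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp/public
anon_world_readable_only=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
"""


def parse_vsftpd(text):
    """Return {directive: value} from vsftpd.conf text; comments and blanks are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default):
    """True when the directive is YES; 'default' is vsftpd's own default for it."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    conf = parse_vsftpd(text)
    findings = []
    if is_yes(conf, "anonymous_enable", "YES"):  # upstream vsftpd default is YES
        if "anon_root" not in conf:
            findings.append("anonymous login without anon_root: check that the ftp "
                            "account's home directory holds only public files")
        if not is_yes(conf, "anon_world_readable_only", "YES"):
            findings.append("anon_world_readable_only=NO: anonymous users can read "
                            "files that are not world-readable")
        if is_yes(conf, "write_enable", "NO") and is_yes(conf, "anon_upload_enable", "NO"):
            findings.append("anonymous upload enabled: anyone can place files on the server")
        if is_yes(conf, "anon_mkdir_write_enable", "NO"):
            findings.append("anonymous users may create directories")
    if is_yes(conf, "local_enable", "NO") and not is_yes(conf, "chroot_local_user", "NO"):
        findings.append("local users are not chrooted: a logged-in account can browse "
                        "the whole file system")
    if not is_yes(conf, "ssl_enable", "NO"):
        findings.append("ssl_enable=NO: credentials and data travel in clear text "
                        "(the text recommends SFTP; within vsftpd the option is FTPS)")
    return findings
```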
Vulnerability scanners are very useful in a penetration test, and it is certainly good to know some
of them well. They can help you quickly obtain a large amount of potentially interesting
information about a target environment or network. In this practice of the ethical hacking course
we will see several forms of vulnerability analysis, and we will also see some quite familiar
tools.
Before starting it is necessary to turn on our target virtual machine, Metasploitable; of course
we already saw this in the first module of this ethical hacking course. Now let's start the
practice. Enjoy!
Objective: a ping sweep will be carried out with nmap to find out which connected devices
are on the network, in order to locate our target.
Requirements: have nmap installed on any operating system.
Action
1. Run nmap with the following command: nmap -sn 192.168.1.0-255 (this will make a
simple ping scan of 256 possible hosts; your local network may vary, in my case it is
"192.168.1.xxx"). The option -sn tells nmap to perform a scan that looks only for hosts,
not ports:
Result: we have 6 active hosts on our local network, with information about their MAC
addresses and firmware.
Objective: once the ping sweep is finished, we select our target machine and perform a
port scan to find out how it communicates with the Internet.
Requirements: have nmap installed on any operating system.
Action
1. Run nmap with the following command: nmap 192.168.1.6 --top-ports 1024. This runs a
port scan that looks at the 1024 most used ports; if you want to scan all ports directly you
can run it with -p1-65535 (65 thousand possible ports, which will take a long time):
Result: we have 23 open ports, which at the level of computer security is not good
practice. We are moving forward on our goal.
Objective: we already have information about open ports; now we have to carry out banner
grabbing, which basically means extending our information about the ports, seeking precise
details about the services running on them.
Requirements: have nmap installed on any operating system.
Action
1. Run nmap with nmap -sV -O 192.168.1.6; "-sV" helps us discover information about the
services on the ports, and "-O" tells us which operating system the target has:
Result: finally we have detailed information about the services running on the ports, and
for the operating system we have clues that it is a Linux kernel between 2.6.9 and 2.6.33.
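The scans above end in screenshots; as an added example that is not part of the course, the Python below turns nmap's greppable output (nmap -sV -oG) into a service inventory and compares it with an approved baseline, which is how a defender turns "23 open ports" into a concrete finding. The scan output it parses is a constructed sample modelled on the Metasploitable services named in this practice.

```python
"""Build a service inventory from nmap greppable output (-oG).

Added example, not from the course. It parses the "Host: ... Ports: ..." lines
that nmap -sV -oG writes and compares them against an approved baseline.
"""
import re

# Constructed sample in nmap -oG format, modelled on the Metasploitable services
# the text names (vsftpd 2.3.4 on 21, MySQL on 3306, Samba on 139/445).
# Each Ports entry is port/state/protocol/owner/service/rpc info/version/.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -sV -oG - 192.168.1.0/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http//lighttpd/\tIgnored State: closed (999)
Host: 192.168.1.6 ()\tStatus: Up
Host: 192.168.1.6 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 445/open/tcp//netbios-ssn//Samba smbd 3.X/, 3306/open/tcp//mysql//MySQL 5.0.51a/, 8180/filtered/tcp/////\tIgnored State: closed (994)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# state may be "open", "filtered" or "open|filtered"; the other fields never contain "/"
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue
        ip = m.group(1)
        # The Ports field runs from "Ports:" to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        entries = inventory.setdefault(ip, [])
        for port, state, proto, _own, service, _rpc, version in PORT_RE.findall(ports_field):
            if state == "open":
                entries.append((int(port), proto, service, version.strip()))
    return inventory


def unexpected_ports(inventory, baseline):
    """Open ports per host that are not in baseline[ip]; a host missing from the
    baseline has every open port reported."""
    report = {}
    for ip, entries in inventory.items():
        allowed = baseline.get(ip, set())
        extra = sorted(port for port, _p, _s, _v in entries if port not in allowed)
        if extra:
            report[ip] = extra
    return report


def service_versions(inventory):
    """Flat (ip, port, 'service version') rows, ready to check against advisories."""
    rows = []
    for ip in sorted(inventory):
        for port, _proto, service, version in sorted(inventory[ip]):
            rows.append((ip, port, (service + " " + version).strip()))
    return rows
```

Feeding a real scan is a matter of reading the file written by nmap -sV -oG scan.gnmap into parse_gnmap.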
Action
1. Once CurrPorts is downloaded, run it and it will simply show us the information we are
looking for:
Result: we can now monitor which port is open and who is occupying it on our TCP/IP
network.
Objective: having information about which ports are open and which services run on each
one, it is time to analyze the target system in search of vulnerabilities; we will use a piece
of software called OpenVAS.
Requirements: install and configure OpenVAS to continue with this scenario.
Before continuing this scenario, I will take the time to show you step by step the installation of
OpenVAS in Kali.
OpenVAS, the most advanced open source vulnerability scanner and manager in the world, is a
framework of several services and tools that offers a comprehensive and powerful solution for
vulnerability analysis and vulnerability management. The framework is part of the commercial
vulnerability management solution of Greenbone Networks, which has contributed its
developments to the open source community since 2009.
Open the terminal of our Kali and run apt-get update; once the package repository is
updated, apt-get dist-upgrade will check whether an old version of a package should be
replaced by a newer one.
Run apt-get install openvas; this downloads the packages that make up OpenVAS and
installs them in our Kali. OpenVAS requires downloading at least about 150MB.
After downloading it must be set up: openvas-setup starts the setup, and it is important
that it gives us our user password:
Save it for the user; the user name is "admin", and for convenience you should change the
password.
Start OpenVAS with openvas-start, and open our control panel in the browser; it usually
starts on port 9392, and you will surely have to add an exception for the certificate
authority.
Action
1. Enter our control panel at localhost:9392, where it usually is, go to Scans -> Tasks and
then to Task Wizard:
3. Once the scan is finished we see that we have 138 possible vulnerabilities:
Action
1. Select a service that is online on our target machine, in my case "vsftpd 2.3.4"; you
can choose whichever you want.
2. Go to exploit-db.com/search and enter our service:
Result: the service "vsftpd 2.3.4" is vulnerable, and there is already a backdoor that can be
triggered, using the Metasploit software, to enter the target system remotely.
Action
Requirements
Result: we saw how to apply the different scanning techniques and also found open ports in
UDP.
Action
17 February 2018
If you have finished Module 4 - Enumeration of Objective Systems of the free ethical hacking
course, now let's see the practice.
Penetration testing, or pentesting, is much more than running exploits against different types of
systems or networks to get into a system. Generally the pentest begins before the computer
security expert makes contact with the target system or network; there are many phases before
a specific attack is made against a target. Now we will see the practice of enumeration.
Action
Result: NetBIOS is present on our target, therefore it is Windows on the other side; 4 other
open ports are also present.
Action
A simple Internet search revealed that its default username and password are
"msfadmin:msfadmin":
Result: we gained access through a bad default configuration of the target system, and not
only that, we also have the root user in our hands. This started as a simple enumeration
and ended with access to the system as the root user: it is a complete attack.
10 March 2018
After the previous module (Ethical Hacking Course - Module 5 - System Hacking), where we
talked about "System Hacking", we will now see the practice, looking at different methods to
perform a successful computer intrusion on a target system or network, in order to improve the
security of our environment or our client's.
Password cracking is one of the easiest and most common ways computer attackers gain illegal
access to a computer or a computer network. The Internet user worries about having an antivirus
on his computer but has no security awareness, which is why most users do not bother to use a
secure password, for fear of not remembering it. Therefore, if we imagine computer security as a
chain, passwords are one of its weakest links, because they are directly tied to the security
awareness of the user, which is the weakest point in security.
Action
1. Audit a system in search of information with Nmap: nmap -sS -sV 192.168.1.7:
2. We search the Internet for the access credentials of Metasploitable and see that the
default user is msfadmin and the password is msfadmin:
3. If we look closely at port 3306, the target has MySQL running, and we know that by default
MySQL can be accessed with the user "root" and no password:
MySQL (the database service) is also left in its default configuration, and for that reason
we have access to 7 databases.
What is Hash Suite? Hash Suite is a program for Windows that helps us test the security of
password hashes; it also supports Nvidia and ATI GPUs, which lets us make the most of our
hardware for password audits. Another important point is that it is available for Linux,
although without GPU support.
1. In our SSH terminal, we execute sudo cat /etc/shadow; this command shows us all the
password hashes belonging to the Linux users. Then we open any editor and save them:
4. We run the attack, and we see that we got the password for 'user':
As we can see, the attack is configured for 'charset' and the rule is 'Lower', i.e. random
characters in lowercase; this makes it a rule-based attack because we are looking for
passwords in lowercase.
The attack ran for 25 minutes until I stopped it; we see that it had tried 2.4 million possible
passwords.
We only got the password for 'user' because I stopped the attack; on my computer it was
going to take too long, and this was enough for the example in this practice of the free
ethical hacking course.
John the Ripper is free and open source software, distributed mainly in source code form. If
you prefer a commercial product tailored to your specific operating system, consider John the
Ripper Pro, which is distributed mainly in the form of "native" packages for the target operating
systems and, in general, is meant to be easier to install and use while delivering optimal
performance.
2. Unzip it wherever you like. Now we are going to get a dictionary; I recommend you download
mine, which I uploaded to Mega
(https://mega.nz/#!z9s3lAIb!6Ebr6SoBVHISVM8QDsUiDm2w_VANTj0K6twFyp5Hm6Q). It weighs
less than 2 MB; save the dictionary somewhere you can find later. This dictionary contains
approximately 900,000 possible passwords.
3. Run the attack with John the Ripper: john --wordlist=<dictionary-path> <hashes-path>:
John gave us 3 passwords with a dictionary of 900 thousand possible passwords; always
remember that on the left is the password and on the right the user.
List of Dictionaries:
https://wiki.skullsecurity.org/Passwords
CrackStation's (15GB, 1.5B possible passwords)
https://packetstormsecurity.com/Crackers/wordlists/
http://infosecisland.com/blogview/11968-Brute-Forcing-Passwords-and-Word-List-Resources.html
Hashcat was designed by Jens Steube as a system for recovering passwords from their hashes;
in 2015 it was released as free software under the MIT License. The system takes a hash string
and compares it with a precalculated list of values using threads, running, where possible, on
the graphics processing unit (GPU) for parallel processing. It supports 195 hash types with five
types of attacks.
1. Create a list of MD5 hashes; for our example, use echo -n "<name-hash>" | md5sum
| tr -d " -" >> <file-name>:
After waiting, as with most password cracking attacks, we see that hashcat with the
'rockyou' dictionary discovered 2 passwords: 'Password' and 'Secret'.
It is very possible that you find a hash and do not know which hashing algorithm created it; for
that we can use https://tunnelsup.com/hash-analyzer:
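As an added example that is not part of the course, the Python below covers both the /etc/shadow step above and this hash-identification step from the defender's side: it classifies the crypt(3) format of each shadow entry and flags the accounts whose hashes are weak or missing, and it guesses the algorithm of a bare hex digest by its length, the same heuristic an online hash analyzer uses. The shadow lines are constructed with placeholder hash bodies, not real hashes.

```python
"""Identify the format of password hashes and flag weak ones.

Added example, not from the course. Covers lines copied from /etc/shadow and a
bare hex digest whose algorithm is unknown (guessed by length, as a hash
analyzer does). The sample lines are constructed; hash bodies are placeholders.
"""
import hashlib

# Constructed /etc/shadow-style lines. Field 2 is the crypt(3) password field.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512CRYPTBODY:18000:0:99999:7:::
msfadmin:$1$saltsalt$PLACEHOLDERMD5CRYPTBODY:18000:0:99999:7:::
user:$y$j9T$saltsalt$PLACEHOLDERYESCRYPTBODY:18000:0:99999:7:::
legacy:ab3Xk1VpQ9zxc:18000:0:99999:7:::
service:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

# crypt(3) prefix id -> (name, considered weak today). md5crypt and DES are
# cheap to brute-force; the iterated or memory-hard schemes are not flagged.
CRYPT_IDS = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False), "6": ("sha512crypt", False),
    "7": ("scrypt", False), "y": ("yescrypt", False), "gy": ("gost-yescrypt", False),
}
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 56: "SHA-224", 64: "SHA-256",
               96: "SHA-384", 128: "SHA-512"}


def classify_crypt(field):
    """Return (algorithm description, weak) for one shadow password field."""
    if field == "":
        return ("empty field: login without a password", True)
    if field.startswith(("!", "*")):
        return ("locked or no password set", False)
    if field.startswith("$"):
        ident = field.split("$")[1]
        return CRYPT_IDS.get(ident, ("unknown crypt id $%s$" % ident, True))
    if len(field) == 13:
        return ("traditional DES crypt (56-bit key, 8-character limit)", True)
    return ("unrecognised format", True)


def audit_shadow(text):
    """Return [(user, algorithm)] for accounts whose password field is weak or risky."""
    flagged = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        algo, weak = classify_crypt(fields[1])
        if weak:
            flagged.append((fields[0], algo))
    return flagged


def identify_hex_digest(digest):
    """Guess an unsalted digest's algorithm from its hex length. Heuristic only:
    several algorithms share a length, so treat the answer as a starting point."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return "not a hex digest"
    return HEX_LENGTHS.get(len(d), "unknown (%d hex chars)" % len(d))


def md5_hex(text):
    """Same value as the text's  echo -n "<text>" | md5sum  pipeline."""
    return hashlib.md5(text.encode()).hexdigest()
```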
THC Hydra
Hydra has been tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1,
OpenBSD, OSX, QNX/Blackberry, and is available under GPLv3 with a special OpenSSL
license expansion.
For HTTP, POP3, IMAP and SMTP, several login mechanisms are supported, such as plain and
MD5 digest.
Commands to use:
We already have a target hash saved in the file 'win-hashes.txt'; now we are going to try to
crack it.
1. Open the Windows terminal; we create a folder called 'test' and then a copy of 'calc.exe'
inside our folder. After that we create a text file called 'test.txt' in which we save the
word 'test':
3. Now let's attach 'calc.exe' to the file 'test.txt', then we check whether its size was
modified:
4. We delete 'calc.exe' and associate it, via a symbolic link, with backdoor.exe and
test.txt, then run 'backdoor':
We see that the calculator starts when we call the backdoor file, which means we successfully
hid the calculator executable inside another executable called backdoor. But imagine it the
other way round: when we run a calculator, a malware runs...
3. Now we extract the information we hid in the image with steghide extract -sf 1.jpeg;
this creates a file with the same name as the one hidden inside. If we already have a file
with the same name, it asks whether we want to overwrite it, as in my case:
To achieve this we will use Metasploit, a framework for performing different computer security
tests. It is owned by Rapid7; it comes by default in Kali and can also be installed on Windows,
for free.
Target system services: as we saw in previous modules, the target system has several open
services, so we have more chances of achieving a successful intrusion:
3. Configure the exploit:
use: select an exploit by its name
show options: show the configuration options of the exploit
set <option_name>: set an option for the attack
RHOST: remote host, the IP of the target
RPORT: remote port where the service is running on the target
4. Execute the attack:
We already have root access to the target system, thanks to a vsftpd vulnerability. Now we
could run sudo grep root /etc/shadow to get the root user's hash, crack it, and then log in
as root without running this exploit, among many other things you could do...
3. Configure exploit:
4. Execute attack:
What is Samba? Samba is the standard suite of Windows interoperability programs for Linux
and Unix. Samba is free software licensed under the GNU General Public License, and the
Samba project is a member of the Software Freedom Conservancy. Since 1992, Samba has
provided secure, stable and fast file and print services for all clients using the SMB/CIFS
protocol, such as all versions of DOS and Windows, OS/2, Linux and many others.
Samba is an important component for seamlessly integrating Linux/Unix servers and desktops
into Active Directory environments. It can function as a domain controller or as a regular
domain member.
3. Configure exploit:
Again we have root access to our target system. This practice of the ethical hacking course ends
here; we saw different types of attacks that we can perform against a target. See you soon!