
Ethical Hacking Course - Practice 2 - Target Reconnaissance
Ethical Hacking Course, Computer Security

You have probably finished Module 2 - Target reconnaissance; now we will see the practice. We will
learn to audit a DNS server to extract information about the target's network, look up metadata
about its IP address, analyze a website to learn its structure and the technologies it uses, make a
complete copy of it, collect possible e-mail addresses, and finally look for weaknesses in the site
through Google Hacking.

Responsibility:
This ethical hacking course is intended for educational purposes, to improve your computer security
skills so that you can plan and design safer networks. It does not encourage illegal activities on
third-party systems or networks; if you carry out an illegal activity on a system or network, you do
so at your own risk. If you want to practice and improve your ethical hacking skills, do it on
systems that are yours or for which you have legal permission. I recommend using operating system
images installed in virtual machines in a controlled environment.

Themes Index:

1. Structure of the practice


2. Scenario 1: Obtain the IP of a domain
3. Scenario 2: Get DNS information
4. Scenario 3: Analyze the target IP for metadata
5. Scenario 4: Analyze the website
6. Scenario 5: Make a complete copy of the website
7. Scenario 6: Get email addresses and hosts
8. Scenario 7: Search for vulnerabilities or information leaks about the target using everyday
search engines

Structure of the practice

This practice is divided into scenarios. Each one states an objective, the requirements, and the
action: the procedure carried out to meet the objective of that scenario of this ethical hacking
course.

Scenario 1: Obtain the IP of a target domain

Objective: obtain the IP address of the domain "vulnweb.com", which the following scenarios need.
Requirements: access to a terminal of any operating system.

Action

1. Open a terminal (in this case the Windows cmd) and type: ping vulnweb.com. The reply shows the
address the name resolves to. Note that ping reports only one address even if the name has several
A records; nslookup vulnweb.com (Windows) or dig vulnweb.com (Linux) lists all of them without
sending ICMP to the target.

Scenario 2: Get DNS information

Objective: obtain as much information as possible about the DNS servers of "vulnweb.com".

Requirements: access to any web browser, or install dnsenum.

Action

1. Open any web browser and go to dnsstuff.com

2. Once the DNS lookup is run from the web, it gives us the information we are looking for:

It reports a lot of useful information, such as the list of name servers and the fact that the
domain does not have DNSSEC enabled (so nothing authenticates its answers on the way to a resolver,
which matters later when we rely on these lookups).
3. The same can be done with an automated tool, in this case dnsenum, which Kali installs by default.
4. Run dnsenum as follows: dnsenum vulnweb.com (the domain is a positional argument; in dnsenum the
-d option is --delay, the pause between WHOIS queries, not the domain):

The information it returns is the same.
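To see what a lookup like the ones above actually exchanges, here is an added example in Python (not dnsenum or dnsstuff code). It builds a query for the domain's NS records with the EDNS0 DO bit set and parses a reply, reading the AD flag that tells whether the resolver validated the answer with DNSSEC. The reply it parses is constructed for the example, and the name-server names in it (ns1/ns2.example.net) are placeholders, not vulnweb.com's real servers; the query() function does a live lookup and needs network access.

```python
"""Added example: build a DNS query with the DNSSEC OK bit and parse the
reply, reading the flags that a tool such as dnsenum or dnsstuff reports.
This is not dnsenum's code; the sample response below is constructed."""
import random
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR = 1, 2, 5, 12


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, want_dnssec=True, txid=None):
    """Standard recursive query; with want_dnssec an EDNS0 OPT record sets the DO bit."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def decode_name(msg, offset):
    """Decode a name, following compression pointers; returns (name, offset after the field)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Return the header flags that matter for recon plus every record in the reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):
            value, _ = decode_name(msg, off)
        elif rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((name, rtype, ttl, value))
    return {
        "id": txid,
        "rcode": flags & 0x000F,
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),
        "dnssec_validated": bool(flags & 0x0020),  # AD bit: the resolver validated the answer
        "records": records,
    }


def query(server, name, qtype=TYPE_NS, timeout=3.0):
    """Live lookup over UDP (needs network); checks the transaction ID before trusting the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    result = parse_response(data)
    if result["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch: possible spoofed reply")
    return result


def _sample_response(txid=0x1234):
    """Constructed reply to 'vulnweb.com NS' from a resolver with AD clear (no DNSSEC validation);
    the name-server names are placeholders, not the domain's real servers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)  # QR, RD, RA set; AD clear
    question = encode_name("vulnweb.com") + struct.pack("!HH", TYPE_NS, 1)
    answers = b""
    for ns in ("ns1.example.net", "ns2.example.net"):
        rdata = encode_name(ns)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, 1, 3600, len(rdata)) + rdata
    return header + question + answers


SAMPLE_RESPONSE = _sample_response()

if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print("DNSSEC validated:", r["dnssec_validated"])
    for name, rtype, ttl, value in r["records"]:
        print(name, rtype, ttl, value)
```

Run against a real resolver with query("8.8.8.8", "vulnweb.com"); a cleared AD bit tells you the resolver could not validate the zone, which is what the web report above summarizes as "DNSSEC not enabled". The ID check matters because UDP replies are trivially spoofable when nothing else authenticates them.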

Action 2: Get all subdomains of a domain

We will obtain the subdomains of a target domain with an automated tool called "recon-ng", using a
module that gathers them from Google search results.

1. Run recon-ng in Kali and type search domains to list the reconnaissance modules that work on
domain names:

2. Load the module, set the target domain to "vulnweb.com" and finally run it with the command
"run":
3. Once the recon-ng module finishes we see that it obtained 34 subdomains, and the target noticed
nothing, because the work was done by Google: this is passive reconnaissance.

Scenario 3: Analyze the target IP for metadata

Objective: obtain as much information as possible about the IP obtained in scenario 1,
"176.28.50.165".

Requirements: access to any web browser.

Action

1. Open the web browser and enter: https://www.ipalyzer.com/176.28.50.165

It gives us relevant information about the IP address.

Scenario 4: Analyze the website

Objective: investigate, with specialized tools, how the website is built without attracting
attention; these tools give us valuable information about the site while we look like any other
normal visitor.

Requirements: access to any web browser, with the Wappalyzer extension installed in Chrome or
Firefox.

Action

1. Open http://vulnweb.com in Chrome or Firefox and run Wappalyzer; it identifies the web server,
frameworks, libraries and other technologies from the headers and page content of a normal visit.

Scenario 5: Make a complete copy of the website

Objective: obtain a complete copy of a target website on our local machine; attackers generally do
this to build phishing pages.

Requirements: install HTTrack Website Copier on your local machine.

Action
1. Run HTTrack and start copying the website:

We now have an exact copy of the target website on our local machine. Unlike the previous
scenarios this one is not passive: the crawler fetches every page, and the requests show up in the
target's web server logs.

Scenario 6: Get email addresses and hosts

Objective: look for information such as e-mail addresses and the IP addresses of the hosts behind
the subdomains, using automated tools.

Requirements: have access to theHarvester.

Action

1. Open the terminal in Kali and run theHarvester as follows: theharvester -d vulnweb.com -b
google -h

This searches Google for e-mail addresses of the domain, and with -h it looks up the discovered
hosts in Shodan. (That meaning of -h belongs to the theHarvester 2.x releases current when this was
written; in recent versions -h prints the help and the Shodan lookup is a separate option, so check
theHarvester --help before running it.)
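As an added example (not theHarvester's or recon-ng's code), here is the filtering that such tools apply to search results, in Python: pull e-mail addresses and host names out of a page and keep only those that belong to the target domain, which also covers the subdomain gathering of Action 2 above. The page it scans is a constructed snippet and the address in it is made up; resolve() needs DNS access and is not used in the offline run.

```python
"""Added example: the regex-and-scope-filter step behind theHarvester/recon-ng,
run over a constructed page instead of live Google results. Not the tools' code."""
import re
import socket

# A host name may sit right after '@', '/', '"' or whitespace, but not in the
# middle of a longer host name (hence the look-behind on HOST_RE).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")
HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")


def in_scope(host, domain):
    """True for the apex domain itself and any subdomain of it; 'notvulnweb.com' is rejected."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def harvest(text, domain):
    """Return (emails, hosts) found in text that belong to the target domain, de-duplicated."""
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(text) if in_scope(m.group(1), domain)}
    hosts = {m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(text)
             if in_scope(m.group(1), domain)}
    return sorted(emails), sorted(hosts)


def resolve(hosts):
    """Map each discovered host to an A record (the step theHarvester does next; needs DNS)."""
    out = {}
    for h in hosts:
        try:
            out[h] = socket.gethostbyname(h)
        except socket.gaierror:
            out[h] = None
    return out


# Constructed search-result snippet; the e-mail addresses in it are made up for the example.
SAMPLE_PAGE = """
<a href="http://testphp.vulnweb.com/">Acunetix test site</a>
<a href="http://testhtml5.vulnweb.com/#/popular">HTML5 test</a>
Contact: <a href="mailto:webmaster@vulnweb.com">webmaster@vulnweb.com</a>
Out of scope: admin@notvulnweb.com, www.example.org, 176.28.50.165
"""

if __name__ == "__main__":
    emails, hosts = harvest(SAMPLE_PAGE, "vulnweb.com")
    print("emails:", emails)
    print("hosts:", hosts)
```

The scope test is the part people get wrong: a plain endswith("vulnweb.com") would accept notvulnweb.com and put a third party's host in your report, so the check requires either the apex itself or a dot before the domain.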

Scenario 7: Search for vulnerabilities or information leaks about the target, using everyday
search engines

Objective: look for vulnerabilities or information leaks using the search engines we use every day.

Requirements: install SearchDiggity.

Action

1. Open SearchDiggity

2. Add our target domain:

3. Select the Google Hacking Database (GHDB) and start scanning. It is possible that Google detects
bot activity, that is, an automated tool, and cancels our scan:

The result of the scan tells us whether our target domain exposes vulnerabilities or sensitive
information to Google Hacking queries.

With this we finish the practice of Module 2 - Target reconnaissance of the ethical hacking course.

You can also perform the same steps from this practice on this website:

 http://testhtml5.vulnweb.com/#/popular

en.gburu.net
9 February 2018

Ethical Hacking Course - Practice 3 - Network Scanning
Ethical Hacking Course, Computer Security

If you have finished Module 3 - Network Scanning of the free ethical hacking course, now let's see
the practice, where we will look for open ports, the services running on them and the
vulnerabilities they may have, and how to connect to the Internet anonymously.

Full course: en.gburu.net/hack, where you will find all the topics of this free ethical hacking
course in one place.

Responsibility:
This ethical hacking course is intended for educational purposes, to improve your computer security
skills so that you can plan and design safer networks. It does not encourage illegal activities on
third-party systems or networks; if you carry out an illicit activity on a system or network, you do
so at your own risk. If you want to practice and improve your ethical hacking skills, do it on
systems that are yours or for which you have legal permission. I recommend using operating system
images installed in virtual machines in a controlled environment.

Themes Index:

1. Structure of the practice


o Short introduction to network scanning
2. Scenario 1: Get information about the devices connected to the network
3. Scenario 2: Find the open ports of a specific target
4. Scenario 3: Perform banner grabbing
5. Scenario 4: Monitor incoming and outgoing connections of our local TCP/IP network
6. Scenario 5: Perform a vulnerability scan of our target with OpenVAS
7. Scenario 6: Search for vulnerabilities manually with Exploit-DB
8. Scenario 7: Surfing the Internet anonymously with Psiphon
9. Scenario 8: Scanning networks with Nmap
o TCP connect() scan with Nmap
o Stealth scan with Nmap
o Xmas scan with Nmap
o TCP Null scan with Nmap
o Idle scan with Nmap
o ACK scan with Nmap
o UDP scan with Nmap
o Stealth, anonymous scanning through Tor with fragmented IP packets using Nmap
10. Scenario 9: Detect a Web Application Firewall (WAF)

Structure of the practice

This practice is divided into scenarios. Each one states an objective, the requirements, the action
(the procedure carried out to meet the objective) and the result.

The target will be our Metasploitable virtual machine, whose installation we saw in the first
practice, and the attacker will be us, using Kali Linux. Kali is not required for this ethical
hacking course; I use it simply because it ships with all, or at least most, of the tools we need,
which saves the time of installing them. You can just as well install the tools we use in whatever
environment you prefer; in Windows, for example, there are many tools with a very good graphical
interface if you do not like the Linux terminal. The important thing is to understand the attack
mechanism, the theory and how to defend ourselves; the tool comes later. Once you master the theory
you will know which tool to use in each situation, which is why I recommend reviewing module 3 of
this ethical hacking course.

Short introduction to the scanning of computer networks

Here is a brief introduction to the network scanning phase of a pentest; if you want to go deeper
into the theory, see module 3 of this computer security course. Building on what we learned during
information gathering, we can now start actively testing our targets for vulnerabilities that can
lead to a successful attack. We have significantly reduced our attack surface since the penetration
test began.

Keep in mind that not every vulnerability we find will result in a successful attack. When looking
for known vulnerabilities you will come across far more issues that reveal sensitive information or
cause a denial of service than vulnerabilities that lead to remote code execution. These can still
be very interesting in a penetration test; in fact, even a seemingly innocuous misconfiguration can
be the highlight of the engagement, because that one simple error may give us access to the target
system or network.

Let's look at a fairly common example. We are auditing a network and find an open service on port
21; it turns out to be FTP, and when we try to log in we succeed with the anonymous account, a very
common configuration on these services. FTP is an insecure protocol (credentials and data travel in
clear text) and in general we should steer our clients towards more secure options such as SFTP,
which encrypts all traffic, but anonymous FTP access by itself does not lead to a compromise of the
network. If you find an FTP server that allows anonymous access but restricts read access to an
FTP directory that contains nothing of interest to an attacker, the risk associated with the
anonymous option is minimal. But if you can read the entire file system with the anonymous account,
or, possibly worse, someone mistakenly left the client's business secrets or user passwords in a
directory readable by anonymous users, that same configuration becomes a very serious problem.

Vulnerability scanners are very useful in a penetration test, and it is certainly worth knowing
some of them well. They help you quickly obtain a large amount of potentially interesting
information about a target environment or network. In this practice of the ethical hacking course
we will see several forms of vulnerability analysis, using tools that are fairly well known.

Before starting, turn on our target virtual machine, Metasploitable, which we already covered in the
first module of this ethical hacking course. Now let's start the practice. Enjoy!

Scenario 1: Obtain information about the devices connected to the network

 Objective: perform a ping sweep with nmap to learn which devices are connected to the network,
and find our target among them.
 Requirements: have nmap installed on any operating system.

Action
1. Run nmap with the following command: nmap -sn 192.168.1.0-255 (equivalently nmap -sn
192.168.1.0/24). This performs a simple host discovery sweep of the 256 possible addresses; the
local network may vary, in my case it is "192.168.1.xxx". The -sn option tells nmap to discover
hosts only, without scanning ports. Run as root on the local network it also uses ARP requests,
which find hosts that drop ICMP:

 Result: we have 6 active hosts on our local network, with their MAC addresses and the vendor
each one belongs to.

Scenario 2: Find the open ports of a specific target

 Objective: once the ping sweep is finished, select our target machine and perform a port scan
to find out which services it exposes to the network.
 Requirements: have nmap installed on any operating system.

Action

1. Run nmap with the following command: nmap --top-ports 1024 192.168.1.6 (no spaces or "=" around
the value). This scans the 1024 most commonly used ports. If you want to scan all the ports
directly you can run nmap -p1-65535 192.168.1.6 (or nmap -p- 192.168.1.6); 65 thousand possible
ports will take much longer:

 Result: we have 23 open ports, which from a computer security standpoint is not good practice
(every exposed service is attack surface). We are moving forward on our target.

Scenario 3: Perform banner grabbing on the open ports of our target

 Objective: we already have information about the open ports; now we carry out banner grabbing,
which is basically a way of increasing our information about the ports by learning precise details
about the services running on them.
 Requirements: have nmap installed on any operating system.

Action

1. Run nmap with nmap -sV -O 192.168.1.6. -sV probes each open port to identify the service and its
version, and -O fingerprints the operating system of the target (-O needs root privileges, since it
sends raw packets):

 Result: we finally have detailed information about the services running on the ports, and for
the operating system we have clues that place it between Linux 2.6.9 and 2.6.33.

Scenario 4: Monitor incoming and outgoing TCP/IP network connections

 Objective: in this case we want to know which connections are made by the services running on
the machine we are using. A very handy Windows program called CurrPorts gives detailed information
about every open TCP and UDP port on the local computer and the process that owns it. (It only
sees the local machine's sockets, not the connections of other devices on the network; for those
you need a sniffer or port mirroring on the switch.)
 Requirements: install CurrPorts in Windows to continue with this scenario.

Action

1. Once CurrPorts is downloaded, run it and it simply shows the information we are looking for:

Result: we can now see which ports are open on our machine and which process is using each one.

Scenario 5: Perform a vulnerability scan of our target with OpenVAS

 Objective: having information about which ports are open and which services run on each one,
it is time to analyze the target system for vulnerabilities; we will use a program called OpenVAS.
 Requirements: install and configure OpenVAS to continue with this scenario.

Installation of OpenVAS in Kali Linux

Before continuing with this scenario, I will take the time to show you step by step the
installation of OpenVAS in Kali.

OpenVAS, the most advanced open source vulnerability scanner and manager, is a framework of several
services and tools that offers a comprehensive and powerful solution for vulnerability analysis
and vulnerability management. The framework is part of the commercial vulnerability management
solution of Greenbone Networks, which has been contributing developments to the open source
community since 2009.

 Open the terminal of our Kali and run apt-get update to refresh the package repository, and
then apt-get dist-upgrade, which also checks whether an old version of a package should be replaced
by a newer one.
 Run apt-get install openvas; this downloads the corresponding packages and installs OpenVAS
in our Kali. The download is at least about 150 MB.
 After downloading it must be configured: openvas-setup starts its setup. It is important that
at the end it prints the password it generated for us:

Save it; the user name is "admin". For convenience you should change the password.
 Start OpenVAS with openvas-start and open the control panel in the browser; it usually
listens on port 9392 and you will most likely have to add an exception for its self-signed
certificate. (These commands correspond to the Kali packages of 2018; current Kali releases ship
OpenVAS as Greenbone Vulnerability Management, installed with apt-get install gvm and started with
gvm-setup and gvm-start, with the same web interface on port 9392.)

Action

1. Open the control panel at localhost:9392 (it is usually there), go to Scans -> Tasks and then
to Task Wizard:

2. Set up our target and start the scan:

3. Once the scan is finished we see that we have 138 possible vulnerabilities:

Result: we found about 145 findings in the target system; a scanner's count includes informational
items and false positives, so each one still has to be confirmed.

Scenario 6: Search for vulnerabilities manually with Exploit-DB

 Objective: you can also search for possible vulnerabilities when you already have the name of
the service running on an open port of the target, using a large public database called Exploit
Database; that will be our goal here.
 Requirements: Internet access.

Action

1. Select a service that is running on our target machine, in my case "vsftpd 2.3.4"; you can
choose the one you want.
2. Go to exploit-db.com/search and enter our service:

Result: the service "vsftpd 2.3.4" is vulnerable: that version contains a backdoor, and there is
already an exploit (also available as a Metasploit module) that triggers it and gives a remote
shell on the target system. Note that a version banner alone is not proof: distributions backport
fixes without changing the version string, so confirm the finding on the target before reporting it.

Scenario 7: Surfing the Internet anonymously with Psiphon

 Objective: we need to browse the Internet anonymously; for that we will use Psiphon in
Windows.
 Requirements: install Psiphon.

Action

1. Download and install Psiphon.

2. Connecting to the Internet through Psiphon is easy: simply run it and by default it connects
through the United States; you can choose other locations:

Keep in mind what this does and does not give you. Psiphon is a censorship-circumvention proxy:
websites see the Psiphon server's address instead of yours, but Psiphon itself sees your real
address and your traffic, and it is not designed as an anonymity tool. If you need anonymity use
Tor, and remember that scanning a network through any proxy or VPN without authorization is still
illegal.

Scenario 8: Different types of network scanning with Nmap

 Objective: put into practice the different types of scan we saw in the theory, now with Nmap.
 Requirements: have Nmap installed. All the scans below except the TCP connect() scan send raw
packets and must be run as root.

TCP connect() scan with Nmap

nmap -sT 192.168.1.6

Completes the three-way handshake, so it needs no privileges but is logged by the service.

Stealth scan with Nmap

nmap -sS 192.168.1.6

Sends only a SYN and resets the half-open connection on SYN/ACK; this is nmap's default as root.

Xmas scan with Nmap

nmap -sX 192.168.1.6

TCP Null scan with Nmap

nmap -sN 192.168.1.6

Xmas (FIN, PSH and URG set) and Null (no flags) scans rely on the RFC 793 rule that a closed port
answers with RST while an open port stays silent; Windows and many devices reply with RST in both
cases, so these scans only work against RFC-compliant stacks such as Linux.

Idle scan with Nmap

nmap -sI example.org:445 192.168.1.6
nmap -sI <zombie-host:port> <target>

The zombie must be an idle host with a predictable IP ID sequence; nmap probes it first and
refuses to continue if it is unsuitable. Only use a zombie you are authorized to involve.

ACK scan with Nmap
nmap -sA 192.168.1.6

Does not find open ports: it maps firewall rules, reporting ports as filtered or unfiltered
depending on whether an unsolicited ACK gets through.

UDP scan with Nmap

nmap -sU 192.168.1.6

Slow, because open UDP ports usually do not answer; add -sV to confirm a service by probing it.

Stealth, anonymous scanning through Tor with fragmented IP packets using Nmap

Requirements

1. Install git: apt-get install git
2. Clone the Anonym8 repository: git clone https://github.com/HiroshiManRise/anonym8
3. Install Anonym8: enter the directory git created, then chmod +x INSTALL.sh and bash
INSTALL.sh.
4. Anonym8 already bundles Tor and Proxychains, so after anonym8 start we can point Nmap at the
Tor SOCKS port:

nmap -sS -f --proxies socks4://127.0.0.1:9050 192.168.1.6

Scanning through Tor can be slow!

Before relying on this, check what actually goes through the proxy. Nmap's --proxies option only
affects version detection and NSE scripts; host discovery, port scanning and OS detection ignore
it, so the SYN scan (-sS) and the fragmentation (-f) above go straight from our interface to the
target, unproxied. A Tor exit cannot reach a private address such as 192.168.1.6 anyway. To scan
through Tor, run a TCP connect scan under proxychains instead (proxychains nmap -sT -Pn -n
<public-target>), accepting that it is slow and that fragmentation and other raw-packet tricks are
not available. For a target on our own LAN, Tor adds nothing.

Result: we saw how to implement the different scanning techniques and also found open UDP ports.

Scenario 9: Detect a Web Application Firewall (WAF)

 Objective: detect a WAF on a website with wafw00f.
 Requirements: install wafw00f.

Action

1. In Kali run wafw00f example.org:

Result: no WAF was detected among the 12 known WAF products that this version fingerprints.

This practice ends here; we have found which ports are open, which services they run, and their
vulnerabilities. Next we have to deepen our search for information against the open ports with
the process called "enumeration", which queries specific ports looking for user names, machine
names and more about the network. Of course we will see enumeration in depth in the next module
of this computer security course. See you soon!

en.gburu.net
17 February 2018

Ethical Hacking Course - Practice 4 - Enumeration of Systems
Ethical Hacking Course, Computer Security

If you have finished Module 4 - Enumeration of Target Systems of the free ethical hacking course,
now let's see the practice.

Full course: en.gburu.net/hack, where you will find all the topics of this free ethical hacking
course in one place.

Responsibility:
This ethical hacking course is intended for educational purposes, to improve your computer security
skills so that you can plan and design safer networks. It does not encourage illegal activities on
third-party systems or networks; if you carry out an illicit activity on a system or network, you do
so at your own risk. If you want to practice and improve your ethical hacking skills, do it on
systems that are yours or for which you have legal permission. I recommend using operating system
images installed in virtual machines in a controlled environment.

Themes Index:

1. Structure of the practice


2. Brief introduction to the Enumeration of Systems
3. Scenario 1: Detect open ports and services in Windows
4. Scenario 2: Auditing NetBIOS with NetBIOS Enumeration Tools
5. Scenario 3: Enumeration with default passwords
6. Scenario 4: Linux enumeration with enum4linux

Structure of the practice

This practice is divided into scenarios. Each one states an objective, the requirements and the
action: the procedure carried out to meet the objective of that scenario of this ethical hacking
course.

Brief introduction to the Enumeration of Systems

Enumeration is the process of extracting user names, machine names, network resources, shares and
services from a system. Because it involves connecting to the target and querying it, enumeration
is done in a controlled environment previously agreed in a legal contract with the client that
requested the security audit.

Penetration testing, or pentesting, is much more than running exploits against different systems or
networks to get in. Generally the pentest begins before the security expert makes contact with the
target system or network; there are many phases before a specific attack is launched against a
target. Now let's see the practice of enumeration.

Scenario 1: Detect open ports and services in Windows

 Objective: audit a target to find out whether it has NetBIOS enabled.
 Requirements: have nmap installed on any operating system.

Action

1. Run nmap against our target: nmap 192.168.1.7

 Result: NetBIOS (port 139, usually together with SMB on 445) is present on our target, which
suggests a Windows machine on the other side, although a Linux host running Samba exposes the same
ports; nmap -O or the SMB banners settle it. Four other open ports are present as well.

Scenario 2: Audit NetBIOS with NetBIOS Enumeration Tools

 Objective: audit a target with NetBIOS enabled to enumerate more information; we will use
nbtenum.
 Requirements: download and install nbtenum.
 Download and install nbtenum:
 go to packetstormsecurity.com/files/download/52547/NBTEnum33.zip
 once downloaded, unzip it wherever you like.

Action

1. Run nbtenum against our target: nbtenum -q <ip_target>. It sends NetBIOS name-service queries
(UDP port 137) and, where the host allows a null session, lists the machine's names, users, groups
and shares.
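What nbtenum sends in that step, as an added Python example (not nbtenum's code): the NetBIOS node-status query to UDP/137 that nbtstat, nbtenum and nmap's nbstat script all use, and a parser for the name table it returns. The reply parsed here is constructed; the host name VULNHOST, the workgroup and the MAC address are made up. nbstat() performs a live query and needs a reachable host.

```python
"""Added example: NetBIOS Name Service 'node status' (NBSTAT) query and reply parser.
Not nbtenum's code; the reply below is constructed for the example."""
import socket
import struct

NBSTAT = 0x0021
SUFFIXES = {  # well-known 16th-byte suffixes of NetBIOS names
    0x00: "workstation / workgroup",
    0x03: "messenger",
    0x1B: "domain master browser",
    0x1C: "domain controllers (group)",
    0x1D: "master browser",
    0x1E: "browser elections (group)",
    0x20: "file server",
}


def encode_netbios_name(name, suffix=0x00, pad=b" "):
    """First-level encoding: 15 bytes of name + suffix byte, each byte split into two
    nibbles and each nibble added to 'A'. The wildcard '*' is padded with NULs."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([32]) + enc + b"\x00"


def build_nbstat_query(txid=0x1234):
    """Node-status request for the wildcard name '*', which any node answers for itself."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name("*", pad=b"\x00") + struct.pack("!HH", NBSTAT, 1)


def parse_nbstat_response(msg):
    """Return the transaction ID, the name table and the MAC address from an NBSTAT reply."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if an < 1:
        raise ValueError("no answer record")
    off = 12 + qd * (34 + 4)  # skip echoed questions (34-byte name + type + class)
    off += 34  # answer name
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#x}")
    count = msg[off]
    off += 1
    names = []
    for _ in range(count):
        raw, suffix = msg[off:off + 15], msg[off + 15]
        nflags = struct.unpack("!H", msg[off + 16:off + 18])[0]
        off += 18
        names.append({
            "name": raw.decode("latin-1").rstrip(" \x00"),
            "suffix": suffix,
            "role": SUFFIXES.get(suffix, "unknown"),
            "group": bool(nflags & 0x8000),   # G bit: group name rather than a unique name
            "active": bool(nflags & 0x0400),  # ACT bit
        })
    mac = msg[off:off + 6]  # statistics block starts with the unit ID (MAC address)
    return {"id": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def nbstat(host, timeout=3.0):
    """Live query (needs a reachable host with UDP/137 open)."""
    q = build_nbstat_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, 137))
        data, _ = s.recvfrom(1024)
    return parse_nbstat_response(data)


def _sample_response(txid=0x1234):
    """Constructed reply from a host calling itself VULNHOST in WORKGROUP; the MAC is made up."""
    entries = [("VULNHOST", 0x00, 0x0400), ("VULNHOST", 0x20, 0x0400),
               ("WORKGROUP", 0x00, 0x8400), ("WORKGROUP", 0x1E, 0x8400)]
    body = bytes([len(entries)])
    for name, suffix, nflags in entries:
        body += name.encode("ascii").ljust(15) + bytes([suffix]) + struct.pack("!H", nflags)
    body += bytes.fromhex("000c29aabbcc") + b"\x00" * 40  # MAC + zeroed statistics
    rr = encode_netbios_name("*", pad=b"\x00") + struct.pack("!HHIH", NBSTAT, 1, 0, len(body)) + body
    return struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0) + rr


SAMPLE_RESPONSE = _sample_response()

if __name__ == "__main__":
    info = parse_nbstat_response(SAMPLE_RESPONSE)
    print("MAC:", info["mac"])
    for n in info["names"]:
        kind = "GROUP " if n["group"] else "UNIQUE"
        print(f"{n['name']:<15} <{n['suffix']:02X}> {kind} {n['role']}")
```

The suffix is what turns a name list into intelligence: <20> means the host shares files, <1B>/<1C> point at domain controllers, and the group entries reveal the workgroup or domain name, all without authenticating to the box.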

Scenario 3: Enumeration with default passwords

 Objective: once we have information about the operating system and its services, we look for
default passwords.
 Requirements: have an Internet connection.
 Action
In the previous practice we saw all the services running on our target, and we are interested in
its operating system, which is "Metasploitable":

A simple Internet search reveals that its default user name and password are "msfadmin:msfadmin":

 Result: we gained access through a default configuration of the target system that was never
changed, and not only that: msfadmin can use sudo, so we also hold the root user. What started as
simple enumeration ended with access to the system as root; it is a complete attack.

Scenario 4: Linux enumeration with enum4linux

 Objective: once we have information about the operating system and its services, we enumerate
whatever we can about users, password policy, groups and shares through SMB.
 Requirements: have enum4linux installed.
 Action

1. Run enum4linux against our target: enum4linux -a -o 192.168.1.9 (-a runs all the simple
enumeration, -o reports the operating system information):

 Result: enum4linux gave us a lot of information.

This practice ends here. It was very brief, since in the previous modules we saw many ways to
gather information; we are ready for the next module of the ethical hacking course, which deals
with how to launch an effective attack against a target system or network using all the
information we obtained in the steps prior to the attack. See you soon!

en.gburu.net
10 March 2018

Free Ethical Hacking Course - Practice 5 - System Hacking with Examples
Ethical Hacking Course, Computer Security

After the previous module (Ethical Hacking Course - Module 5 - System Hacking), where we talked
about "system hacking", we now turn to the practice, looking at different methods to carry out a
successful intrusion into a target system or network, in order to improve the security of our own
environment or our client's.

Full course: en.gburu.net/hack, where you will find all the topics of this free ethical hacking
course in one place.

Responsibility:
This ethical hacking course is intended for educational purposes, to improve your computer security
skills so that you can plan and design safer networks. It does not encourage illegal activities on
third-party systems or networks; if you carry out an illicit activity on a system or network, you do
so at your own risk. If you want to practice and improve your ethical hacking skills, do it on
systems that are yours or for which you have legal permission. I recommend using operating system
images installed in virtual machines in a controlled environment.

Themes Index:

1. Structure of the practice


2. Password cracking
3. Online attack: default password attack
4. Offline attack: crack Linux passwords with Hash Suite in Windows 10
5. Offline attack: crack passwords with John the Ripper
6. Offline attack: crack MD5 hashes with hashcat
7. Online attack: brute-force an SSH server with Hydra
8. Online attack: brute-force an SSH server with Medusa
9. Dump the password hashes of Windows 10 users with PwDump7
10. Crack Windows 10 hashes with Ophcrack
11. Create our own rainbow table in Windows 10 with Winrtgen
12. Hide files behind others by manipulating NTFS alternate data streams
13. Hide text in an image on Linux with Steghide
14. Get remote access to a system by attacking a vulnerable FTP server
15. Get remote access to a system by attacking UnrealIRCd
16. Get remote access to a system by attacking Samba

Structure of the practice

This practice is divided into scenarios. Each one states an objective, the requirements and the
action: the procedure carried out to meet the objective of that scenario of this computer security
course.

Password cracking (the original calls it "decryption", but a hash is not decrypted: guesses are
hashed and compared until one matches) is one of the easiest and most common ways attackers gain
illegal access to a computer or network. The average Internet user worries about having an
antivirus on the computer, or has no security awareness at all, and so most do not bother to use a
strong password for fear of not remembering it. Passwords are therefore one of the weakest links if
we imagine computer security as a chain, because they depend directly on the security awareness of
the user, which is the weakest point in security.

An attacker can obtain passwords in the following ways:

 Using software locally on the system
 Through the Internet
 Running a remote password cracking attack
 Deceiving the user through social engineering
 Eavesdropping on conversations or network traffic

Online attack: default password attack

Default passwords are a very serious problem for the security of a system and a very simple attack
to carry out. In order to configure as little as possible and leave everything as it came from the
"factory", many administrators and users of systems or devices keep the default passwords. If you
are auditing a network or system, it is good practice to take the information you collected and
search the Internet for the default passwords of the different devices or services running on the
network.
 Objective: obtain unauthorized access to a system using its default password.
 Requirements: audit the system with Nmap and then search the Internet.

Action

1. Audit a system for information with Nmap: nmap -sS -sV 192.168.1.7:

2. We search the Internet for how to log in to Metasploitable and see that the default user is
msfadmin with password msfadmin:

3. Looking closely at port 3306, the target is running MySQL, and we know that on Metasploitable
(as on many old default installations) MySQL can be accessed as user "root" with no password:

 The MySQL database service is also left at its default configuration, and for that reason we
have access to 7 databases.

Offline attack: crack Linux passwords with Hash Suite in Windows 10

We have already gained access as user "msfadmin". Now that we are inside the target system we will
obtain the list of hashes of all its users in order to run an offline, rule-based password cracking
attack. To carry out this attack in Windows 10 we need the free version of Hash Suite.

 What is Hash Suite?: Hash Suite is a Windows program that helps us test the security of
password hashes. It supports Nvidia and AMD (ATI) GPUs, which lets us get the most out of our
hardware in password audits, and another important point is that it is also available for Linux,
although without GPU support.

1. In our SSH session run sudo cat /etc/shadow; this shows the password hashes of all the Linux
users (the second colon-separated field of each line). Copy the output into any editor and save it
as a file:

2. Now that we have the hashes on our computer, go to http://hashsuite.openwall.net/download and
download the free version of Hash Suite:
3. Run it and import our file with the Linux hashes; Hash Suite detects which algorithm the hashes
use from their prefix:
4. Run the attack, and we see that we got the password for 'user':

5. We check that the password for '
user' works:

 As you can see, the attack is configured with a 'charset' and the rule 'Lower', that is, random
lowercase characters; this makes it a rule-based attack, because we are only looking for lowercase
passwords.
 The attack ran for 25 minutes until I stopped it, and in that time it tried 2.4 million
candidate passwords.
 We only got the password for 'user' because I stopped the attack; on my computer it was going
to take too long, and what we got is enough for the example in this practice of the free ethical
hacking course.

Offline Attack: Decrypt passwords with John The Ripper


In this scenario we are going to execute a password decryption attack with a dictionary
downloaded from the Internet, this makes it a attack based on dictionaries, we will use John The
Ripper in Windows 10. The procedure applied is the same from Linux, you can apply this attack
from the operating system that you like most in this case will be Windows.

 John the Ripper is a free and open source software, distributed mainly in the form of
source code. If you prefer to use a commercial product tailored to your specific operating
system, consider John the Ripper Pro, which is mainly distributed in the form of "native"
packages for the target operating systems and, in general, is meant to be easier to install
and use while delivering optimal performance.

1. Download John the Ripper for Windows: go to http://www.openwall.com/john/ and download the Windows binaries:

2. Unzip it wherever you like. Now we need a dictionary; I recommend downloading the one I uploaded to Mega (https://mega.nz/#!z9s3lAIb!6Ebr6SoBVHISVM8QDsUiDm2w_VANTj0K6twFyp5Hm6Q), which weighs less than 2 MB. Save the dictionary somewhere you will find it again later; it contains approximately 900,000 possible passwords.
3. Run the attack with John the Ripper: john --wordlist=<dictionary-path> <hashes-path>:
• John gave us 3 passwords with a dictionary of 900 thousand possible passwords; always remember that the password is on the left and the user on the right.

List of dictionaries:

• https://wiki.skullsecurity.org/Passwords
• CrackStation's (15GB, 1.5B possible passwords)
• https://packetstormsecurity.com/Crackers/wordlists/
• http://infosecisland.com/blogview/11968-Brute-Forcing-Passwords-and-Word-List-Resources.html

Offline attack: Crack MD5 with hashcat

We are going to use MD5 hashes of passwords that we create on purpose, in order to demonstrate hashcat's usefulness for cracking passwords.

• Hashcat was designed by Jens Steube as a system for recovering passwords from their hashes; in 2015 it was released as free software under the MIT License. It takes a hash string and compares it with a list of precalculated values using threads, running where possible on the graphics processing unit (GPU) for parallel processing. It supports 195 hash types with five attack modes.

1. Create a list of MD5 hashes; for our example we use echo -n "<name-hash>" | md5sum | tr -d " -" >> <file-name>:

2. Unzip a dictionary that Kali ships by default:

3. Launch the password-cracking attack with hashcat: hashcat -m 0 hashes-test /usr/share/wordlists/rockyou.txt:

• After waiting, as with most password-cracking attacks, we see that hashcat with the 'rockyou' dictionary recovered 2 passwords: 'Password' and 'Secret'.
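As an added example that is not part of the original course, the defensive side of this scenario: the echo -n ... | md5sum step stores an unsalted digest, so every account with the same password gets the same hash and one precomputed list cracks them all, whereas a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256 is this example's own choice) produces distinct records that are expensive to test. All values below are constructed here.

```python
import hashlib
import hmac
import os

# Unsalted MD5, exactly what the `echo -n "<password>" | md5sum` step stores.
def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()

# Salted, deliberately slow storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt
# per user. 600,000 iterations follows current OWASP guidance for SHA-256.
ITERATIONS = 600_000

def store_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record so the verifier knows algorithm, cost and salt.
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: verification timing must not leak digest bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def compare_storage(password):
    """Store the same password for two users both ways and report whether the
    stored values coincide. Identical stored values are what let one dictionary
    run (or one rainbow table) crack every account sharing that password."""
    users = {"alice": password, "bob": password}   # constructed accounts
    md5_rows = {u: md5_unsalted(p) for u, p in users.items()}
    salted_rows = {u: store_password(p) for u, p in users.items()}
    return {
        "md5_identical": len(set(md5_rows.values())) == 1,
        "salted_identical": len(set(salted_rows.values())) == 1,
        "salted_verifies": all(verify_password(users[u], s)
                               for u, s in salted_rows.items()),
    }

if __name__ == "__main__":
    print(compare_storage("Password"))
```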

Which hash is it?

It is quite possible that you find a hash and do not know which hashing algorithm created it; for that we can go to https://tunnelsup.com/hash-analyzer:

Online attack: Brute force against an SSH server with Hydra

Now we are going to attack a target service online. We must remember that when we interact with a live (active) target, it can detect us and mount a response to our attack. Brute-force attacks in particular generate a lot of noise, above all in the authentication logs: there will be many failed attempts, and this will trip the alerts of any network administrator or any defensive system deployed on the network or system where we launch the brute-force attack.

THC Hydra

Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is available under GPLv3 with a special OpenSSL license expansion.

Currently this tool supports:

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-POST, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

For HTTP, POP3, IMAP and SMTP, several login mechanisms are supported, such as plain and MD5 digest.

Commands to use:

• It is always good to read the documentation of each tool.
• -l, username; if we want a file with users: -L
• -P, dictionary file; if we want a single password: -p
• -t, number of worker threads Hydra will use; 4 is recommended for SSH.

1. Launch the brute-force attack with hydra -l service -P /usr/share/wordlists/sqlmap.txt ssh://192.168.1.7:22 -t 4:

• Password found successfully (user: service - password: service)
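What the "noise" mentioned above looks like on the defending side, as an added example that is not part of the original course: a small detector over sshd lines from /var/log/auth.log that flags a source with many failures in a short window and notes whether that source then logged in successfully, which is the trace a successful run like the one above leaves behind. The log lines are constructed, the addresses are documentation ranges, and the regex assumes OpenSSH's default message format.

```python
import re
from datetime import datetime

# Constructed sshd lines in /var/log/auth.log syslog format (not a real capture): one
# source hammers several accounts and finally gets in; the other two are ordinary users.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 kali sshd[2201]: Failed password for service from 192.0.2.45 port 51022 ssh2
Mar  3 10:15:02 kali sshd[2203]: Failed password for invalid user admin from 192.0.2.45 port 51024 ssh2
Mar  3 10:15:02 kali sshd[2205]: Failed password for root from 192.0.2.45 port 51026 ssh2
Mar  3 10:15:03 kali sshd[2207]: Failed password for service from 192.0.2.45 port 51028 ssh2
Mar  3 10:15:04 kali sshd[2209]: Failed password for service from 192.0.2.45 port 51030 ssh2
Mar  3 10:15:09 kali sshd[2220]: Accepted password for service from 192.0.2.45 port 51040 ssh2
Mar  3 10:20:00 kali sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:20:06 kali sshd[2300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 11:40:00 kali sshd[2450]: Failed password for bob from 203.0.113.9 port 42000 ssh2
"""
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")

def parse_auth_log(text):
    """Yield (timestamp, source_ip, user, result) per sshd authentication line."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:  # syslog timestamps carry no year; deltas within one capture still work
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"], m["result"]

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failures in a sliding window; note a later success."""
    by_ip = {}
    for ev in sorted(parse_auth_log(text)):
        by_ip.setdefault(ev[1], []).append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        fails = [e for e in events if e[3] == "Failed"]
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(fails),
                    "users": sorted({e[2] for e in fails}),
                    "success_after": any(e[3] == "Accepted" and e[0] > fails[start][0]
                                         for e in events),
                }
                break
    return alerts
```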

Online attack: Brute force against an SSH server with Medusa

As the previous example was with Hydra, now we are going to use Medusa.

• Medusa is a tool for fast, parallel and modular password attacks. The goal is to support as many services that allow remote authentication as possible. The author considers the following to be some of the key features of this application:
• Thread-based parallel testing. Brute-force tests can be performed against multiple hosts, users or passwords at the same time.
• Flexible user input. The target information (host/user/password) can be specified in several ways. For example, each element can be a single entry or a file containing multiple entries. In addition, a combined file format allows the user to refine their target list.
• Modular design. Each service module exists as an independent .mod file. This means that no changes to the core application are needed to extend the list of services supported for brute forcing.
• Multiple protocols supported. Currently, many services are supported (for example, SMB, HTTP, POP3, MS-SQL, SSHv2, among others).

1. Launch the brute-force attack with Medusa: medusa -u service -P /usr/share/wordlists/sqlmap.txt -h 192.168.1.7 -M ssh:

Get the password hashes of Windows 10 users with PwDump7

We already saw how to obtain the hashes of Linux users to carry out an offline password-cracking attack; now we will do the same with Windows 10 users. For that we will need pwdump7, a great tool for this task.

1. Download pwdump7 from 'http://www.tarasco.org/security/pwdump_7/', unzip the tool wherever we want and then run it with pwdump7:

• We already have a target hash saved in the file 'win-hashes.txt'; now we are going to try to crack it.
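For the "Which hash is it?" question above and for the pwdump7 output we just saved, an added example (not part of the original course) that does the identification offline: crypt(3)-style strings name their algorithm in the prefix, raw hex digests can only be narrowed by length, and a pwdump dump can be audited for the weaknesses that make rainbow tables effective (LM hashes still stored, blank or reused passwords). The hash values in the sample dump are constructed placeholders.

```python
import re
# crypt(3)-style prefixes name the algorithm unambiguously (Linux /etc/shadow, field 2).
CRYPT_PREFIXES = {
    "$1$": "MD5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256-crypt", "$6$": "SHA-512-crypt", "$y$": "yescrypt",
}
# Raw hex digests carry no marker; length only narrows candidates (MD5 and NTLM are both 32 hex).
HEX_CANDIDATES = {
    16: ["MySQL323"], 32: ["MD5", "MD4", "NTLM", "LM"], 40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256"], 96: ["SHA-384"], 128: ["SHA-512"],
}
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

def identify_hash(value):
    """Return the algorithms a stored hash string could have come from."""
    v = value.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if v.startswith(prefix):
            return [name]
    if re.fullmatch(r"\*[0-9A-F]{40}", v):
        return ["MySQL 4.1+"]
    if re.fullmatch(r"[0-9a-fA-F]+", v):
        return HEX_CANDIDATES.get(len(v), ["unknown hex digest"])
    return ["unknown"]

def audit_pwdump(dump_text):
    """Flag weak credential storage in pwdump-format lines (user:RID:LM:NT:::)."""
    findings, seen_nt = [], {}
    for line in dump_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if lm != EMPTY_LM:  # LM: case-folded, split into 7-char halves, unsalted
            findings.append((user, "LM hash stored"))
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if nt in seen_nt:
            findings.append((user, "same password as " + seen_nt[nt]))
        else:
            seen_nt[nt] = user
    return findings

# Constructed pwdump7-style output; the 0123.../0011... values are placeholders, not hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:0011223344556677aabbccddeeff0011:0123456789abcdef0123456789abcdef:::
"""
```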

Crack Windows 10 hashes with Ophcrack

Now we are going to carry out a rainbow-table attack against the hashes we obtained with pwdump7 and later saved in a text file, looking for the passwords hidden behind those hashes thanks to Ophcrack, a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables made by the inventors of the method. It comes with a graphical user interface and runs on multiple platforms. Features:

• Runs on Windows, Linux/Unix, Mac OS X...
• Cracks LM and NTLM hashes.
• Free tables available for Windows XP and Vista/7.
• Brute-force module for simple passwords.
• Audit mode and CSV export.
• Real-time graphs to analyze the passwords.
• LiveCD available to simplify cracking.
• Dumps and loads hashes from an encrypted SAM recovered from a Windows partition.
• Free and open source software (GPL).

1. Download and run Ophcrack from http://ophcrack.sourceforge.net/download.php: unzip the file, then choose your architecture, x86 (32 bits) or x64 (64 bits), and run it:

2. Load the hashes file that we saved previously:

3. Download a rainbow table from http://ophcrack.sourceforge.net/tables.php; I will use "Vista free (461MB)". Once the table is downloaded, we must unzip it into a folder that we will remember:

4. Use the rainbow table that we downloaded:

5. Launch the attack:

Create our own rainbow table in Windows 10 with Winrtgen

It is good to know that you can download rainbow tables from the Internet to perform password-cracking attacks, but it is also interesting to know how to create them ourselves, based on the hashing algorithms and other rules that we believe will be relevant to the success of the attack. We will use the software called "Winrtgen", a graphical rainbow table generator that supports LM, FastLM, NTLM, LMCHALL, HalfLMCHALL, NTLMCHALL, MSCACHE, MD2, MD5, SHA1, RIPEMD160, MySQL323, MySQLSHA1, CiscoPIX, ORACLE, SHA-2 (256), SHA-2 (384) and SHA-2 (512) hashes.

1. Download Winrtgen from http://www.oxid.it/projects.html, then run it.
2. Configure our own rainbow table; it will have 1 million possible passwords and its size is 15MB, basic for the example:

3. Create the table already configured:
Hide files behind others by manipulating NTFS streams

For this practice we will hide the Windows calculator behind a text file, and then create a symbolic link with a fake application called "backdoor.exe"; the idea is that when the backdoor is run, the calculator starts.

1. Open the Windows terminal; we will create a folder called 'test', then create a copy of 'calc.exe' inside our folder, and after that create a text file called 'test.txt' in which we save the word 'test':

2. Let's check the size of the file 'test.txt':

• It is 4 bytes; it has very few letters inside.

3. Now let's attach 'calc.exe' to the file 'test.txt' as an alternate stream, then check whether the size was modified:

• The size remains the same.

4. We delete 'calc.exe' and create a symbolic link 'backdoor.exe' pointing to the stream inside test.txt, then run 'backdoor':

• We see that the calculator starts when calling the backdoor file. This means that we successfully hid the calculator executable inside another executable called backdoor; now imagine it the other way around: when we run a calculator, malware runs...

Hide text in an image on Linux with Steghide

Steganography is often used by attackers to hide vital information in a system they already control. It is common to hide text in an image, either to use it when they return or to carry it across the network inside an image. In this practice we will use Steghide, a tool that lets us hide a text file inside a JPG image.

1. Install steghide in Kali with apt-get install steghide

2. Download any JPG image, in my case "1.jpg"; create a text file, and then hide that text file inside the image with steghide embed -cf 1.jpeg -ef test.txt; it will then ask us for a passphrase:

3. Now we are going to extract the information we hid in the image with steghide extract -sf 1.jpeg; it will create a file with the same name as the one hidden inside, and if we already have a file with that name it will ask whether we want to overwrite it, as in my case:

Get remote access to a system by attacking a vulnerable FTP

In this practice we will obtain remote access to our target system by launching an exploit against the vulnerable FTP service the target is running; thanks to this we will obtain a remote shell with root access, in other words full access to the system as administrator.

To achieve this we will use Metasploit, a framework for performing different computer security tests. It is owned by Rapid7; in Kali it comes by default, and it can also be installed on Windows for free.

Target system services: As we saw in previous modules, the target system has several open services, so we have more chances of a successful intrusion:

• We are interested in port 21, where vsftpd is running.
• What is vsftpd?: vsftpd, which stands for "Very Secure FTP Daemon", is an FTP server for Unix-like systems, including Linux. It is licensed under the GNU General Public License. It supports IPv6 and SSL.

1. Run Metasploit in Kali (Applications -> Exploitation Tools -> Metasploit):

2. Search for an exploit for the VSFTPD service:

3. Configure the exploit:
• use: select an exploit by its name
• show options: show the configuration options of an exploit
• set <option_name>: configure an option for the attack
• RHOST: remote host, the IP of the target
• RPORT: remote port where the service is running on the target

4. Execute the attack:

• To launch an attack with Metasploit, 'exploit' alone is enough
• We see that it gives us root access
• Then it tells us that we have a remote shell, that is, we can execute commands in the terminal of our target. Another important point is that it shows the ports used for the remote connection: on our host port '38019' and on the target port '6200'.
• We check with 'whoami' and it tells us that our user is root
• We run 'ls' and we can already see all the directories in which we can add, edit or delete information on our target.

We already have root access to the target system thanks to a vsftpd vulnerability. Now we could run sudo grep root /etc/shadow to get the root user's hash, crack it and then log in as root without running this exploit, among many other things...

Get remote access to a system by attacking UnrealIRCd

We see that port 6667 has a vulnerable service called unrealircd open; we are going to look for an exploit in Metasploit and execute an attack against that service.

• What is UnrealIRCd?: UnrealIRCd is an open source IRC daemon, originally based on DreamForge, and is available for Unix and Windows operating systems. Since the beginning of UnrealIRCd's development around May 1999, many new features have been added and modified, including advanced security features and bug fixes, and it has become a popular server.

1. Run Metasploit in Kali: (Applications -> Exploitation Tools -> Metasploit)

2. Search for an exploit for unrealircd in Metasploit:

3. Configure the exploit:

4. Execute the attack:

Again we have root access on our target's system...


Get remote access to a system by attacking Samba

Now we are going to enter the target system through a vulnerability on port 139, where Samba is running; we will use Metasploit with the payload cmd/unix/reverse.

• What is Samba?: Samba is the standard set of Windows interoperability programs for Linux and Unix. Samba is Free Software licensed under the GNU General Public License, and the Samba project is a member of the Software Freedom Conservancy. Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others.

Samba is an important component for seamlessly integrating Linux/Unix servers and desktops into Active Directory environments. It can function as a domain controller or as a regular domain member.

1. Run Metasploit in Kali: (Applications -> Exploitation Tools -> Metasploit)

2. Use the exploit for Samba:

3. Configure the exploit:

• We are going to select the PAYLOAD 'cmd/unix/reverse'
• LHOST and LPORT are our IP and the port that will receive the connection

4. We execute the attack:

Again we have root access to our target system. This practice of the ethical hacking course ends here; we saw different types of attacks that we can perform against a target. See you soon!
