Contents

Contents

Chapter1–IntroductionWhatitTakestoBecomeaGoodHacker

Chapter2-AnOverviewofHackingChapter3–AttackTypesandFamousViruses1.CodeRed2.Sasser3.Zeus4.TheILoveYouAttack5.Melissa6.TheConfickerWorm7.MyDoom8.Stuxnet9.CryptoLocker10.FlashbackInSummary

Chapter4–EthicalConsiderationsandWarningsChapter5–NetworkingFundamentalsUnderstandingtheOSIModelandNetworkingTerminologyIPAddressingEssentialsSubnetMasksTwoSpecialNetworkAddressesMACAddressesARP(AddressResolutionProtocol)PortsandFirewallsInSummary

Chapter6-TheHacker’sToolBeltVulnerabilityScannersPortScannersLayer4Scanners

PacketSniffersPasswordCrackingUtilities

Chapter7–UtilizingVMWareChapter8–IntroductiontoPingSweeps,PortScanning,andNMAPPingSweepsOperatingSystemIdentificationPortScanningNMAPFootprintingProcedures:InstallingNMAPNMAPFootprintingProcedures:PingSweepsNMAPFootprintingProcedures:PortScanningNMAPFootprintingProcedures:OperatingSystemIdentificationInSummary

Chapter9–UsingMetasploittoHackDevicesBasicMetasploitCommands

Chapter10–WirelessPasswordHackingVMWareWirelessPasswordCrackingCaveatsDockerDemonstrationUsingReavertoCrackPasswordsInSummary

Chapter11–Web-BasedVulnerabilitiesSQLandSQLiAttacksCross-SiteScriptingTechniques(XSS)XSSDetailsandWebBrowsersWaystoPreventSQLiandXSSInSummary

Chapter12–OpenVASInstallingOpenVASUserandPortConfiguration

Chapter13–SocialEngineeringTypesofSocialEngineeringAttacksAnEmailfromaTrustedPartyAFalseRequestforHelpBaitingTargetsHowtoProtectYourselffromSocialEngineering

Chapter14–Man-In-The-MiddleAttacksHowtoPerformaMan-In-The-MiddleAttack

Chapter15:CrackingPasswordsPasswordCrackingPasswordCrackingUtilitiesJohntheRipperOphcrackL0phtcrackCain&AbelInSummary

Chapter16–ProtectingYourselffromHackersSoftwareUpdatesChangeDefaultUsernamesandPasswordsUseStrongPasswordsProperlyConfigureYourFirewallsAntivirusandAntimalwareSoftwareSolutionsUsingVPNsBackingUpYourDataWebBrowserSecurityFinalThoughts

HowtoHackComputersAGuidetoHackingComputersfor

Beginners

JoelTope

Copyright©2015JoelTope

Allrightsreserved.

Chapter1–Introduction

Thegeneralpublicusuallyhastwocompetingviewpointsofhackers.Somepeoplereverethemasbrilliantlymindedindividualswhileotherslookdownonthemaspettycriminals.Whilebothperceptionscouldbetrueformanyexperthackers,thepublic’sperceptionhasbeentwistedandcontortedbywhattheyseeontelevisiondramasandinthemovies.Becauseyouraverageuserdoesn’tunderstandhowacomputerortheInternetworksfromatechnicalperspective,theycan’thopetobegintounderstandwhathackersactuallydo.

Infact,theterm‘hacker’usuallycarriesanegativeconnotationtoit.Askanynon-technicalpersonwhatahackeris,andthey’llgiveyouaresponsesuchas,“They’rethebadguysthatstealpeople’screditcards,listentomyphonecalls,andworkwithterroristorganizations.”Forsomereason–likelyaccreditedtoentertainmentmedia–hackersgetabadrapandmostpeoplewouldinstantlyassumethattheirbehaviorsareillegal.Thesestigmascouldn’tbefurtherfromthetruth,becausetherealityisthattherearemanytypesofhackers.Someofthemaregood,someofthemarebad,andsomeliesomewhereinbetween.Thereisnosinglemotivationthatdriveseveryhackerandnoblanketstatementthatyoucanusetoaccuratelydescribeeveryhackerintheworld.Alsoconsiderthathackingisn’taninherentlyevilpracticeandyoucandoitlegally.Somepeopleevenliketodoitforahobby.Morepractically,however,somepeoplegetpaidbigbucksasconsultantstotrytohackintoacorporatenetworkinanefforttofindsecurityholes.Beforewarned,though.Ifyoustartabusingyourknowledgeitisaslipperyslopetothedarkside,andnothinggoodeverhappensonceyou’rethere.

Ifyourcuriosityhasgottenthebetterofyou,ifyoujustwanttobeabletounderstandwhat’sgoingoninthemoviesandthenews,oryouhaveagoalofbecomingacompetenthacker,Iwanttopersonallyintroduceyoutohackingandguideyoutoachievingyourgoals.Theproblemmostpeoplehavewhentheywanttostarthackingisthattheyfindmaterialthatisn’twrittenfornovitiates.Onceyougetthebasicsunderyourbeltandyoucanactuallyapplytheknowledgeyouwilllearninthisbook,you’llfindthatyouaremuchmoreeducatedthanyourpeersandthattechnologyisactuallyprettyexciting.Asthetoolshackersusehavechangedoverthelastcoupledecades,peoplethattakeaninterestanddevelopapassionforhackinghavechangedaswell.Thoughtechnologyisonlygettingmorecomplexwitheachpassingyear,thetoolshackersutilizearebecomingmoresophisticated–makingthelearningcurvemuchlesssteepfornewbies.

Inthisguide,Iamgoingtoteachyoualotofvaluableinformationabouthackingsuchas:

-Whathackingisandwhathackingisn’t.

-Hackingterminologyandhackerculture.

-Typesofattacksandthemostfamoushacksofalltime.

-Ethicalconsiderationsandfairwarningsaboutbecomingahacker.

-Fundamentalconceptsthatwillserveasafoundationtobuildhackingskills.

-HowtoinstallLinuxoperatingsystemsusingVMWaretosetuphackingtools.

-Step-by-stepguidesforpingsweepsandportscanning.

-Howtomapnetworktopologiesandperformreconnaissancetechniques.

-Howtouseadvancedsoftwaretofindsecurityholes.

Thisisdesignedtobeanall-inclusiveguidethatwillnotonlygiveyouanunderstandingofthebasictechnicalconceptsyouwillneedtobecomeahacker,butalsointroduceyoutosomefascinatingsoftwareandshowyoustep-by-stephowtouseit.I’msuremostofyouwanttogetstartedhackingrightaway,butIurgeyoutospendtimelearningthebasicsbeforemovingontosomeofthemorechallengingattacksdiscussedinthisbook.

WhatitTakestoBecomeaGoodHacker

Oneofthereasonssomehackersbecomesosuccessfulisbecausetheyhaveapassionforwhattheyaredoing.Theirpersonalitydrivesthemtotackleextremelydifficultchallenges,whichiswhysomehackersbreaksystemsjusttoseeiftheycan.Ifyouaregoingtowanttobecomeaprolifichacker,ittakesthesametwothingsasanyotherskillyouwanttobuild:timeandpractice.Ifyoucan’tfiguresomethingoutinthefirsttwominutes,don’tgiveup.Someoftheproswillspendweeksorevenmonthsplanningandexecutingtheirattacks.Andonceyougetthebasicsunderyourbelt,you’regoingtobeabletoimplementthesetechniquesinamatterofminutes.Arguably,Iwouldsaythehardestpartforanewbieisgettingtheirenvironmentsetup.Pastthat,thingsstarttogeteasierandyoucanreallystarttosinkyourteethintohowthetechnologyworks.Beforewegettothejuicydetails,weshouldbeginwithanoverviewofhackingsoyouunderstandsomerudimentaryconceptsandperceptionsabouthacking.

Chapter2-AnOverviewofHacking

Toyouraveragecomputeruserwhodoesn’tunderstandmuchaboutInternetandnetworksecurity,hackersareshroudedinacloudofmystery.Mostpeopledon’tunderstandwhattheydoorhowtheydoit.Andthemoviesdon’thelptodemystifythem,either.Countlessactionmoviesportrayacharacterthattakestheroleofahackerthatcanbreakintotopsecretcomputersystemstosavetheworld.Whenthecamerapansovertheircomputerscreens,youseethemtypingstrangelettersandnumbersintoacommandpromptthat,forallyouknow,isaforeignlanguage.Humorouslyenough,thehackersinthemoviesfrequentlyuseatoolcalledNMAP,whichIwillshowyouhowtouselaterinthisbook.Ifyou’veseenTheMatrixReloaded,Dredd,FantasticFour,BourneUltimatum,DieHard4,orTheGirlWithTheDragonTattoo(amongcountlessothers),youhavealreadyseenactorsusingNMAPtofacilitatetheirhackingendeavorsinthemovies.

Butwhatexactlyishacking?Hackingmeansalotofdifferentthingstoalotofdifferentpeople.Itisanumbrellatermusedtodescribehundreds,ifnotthousands,ofvarioustechniquesthatcanbeutilizedtousecomputersandinformationsystemsinunintendedways.Atitscore,hackingmeansusingacomputertogainunauthorizedaccesstoanothercomputersystemordatathatisprotectedorrestricted.Thisisthemostconventionalmeaningofthewordhacking.Onceahackerhasgainedaccesstoanunauthorizedsystem,heorshethenhastheabilitytostealinformation,changeconfigurations,alterinformation,deleteinformation,andinstallfurthermaliciouscodetocaptureevengreatercontroloverthetargetsystem.Thelistgoesonandtheskyisthelimitregardingwhatanexperiencedhackercandooncetheyfindawayintoacomputersystem.

However,thereisalotmoretohackingthanclickingabuttontoattackacomputer.Youwillneedtousetoolsandscannerstomapthelocalnetworktopologyandusereconnaissancetechniquestogatherinformationandlookforvulnerabilities.Thegoodnewsfornewbiesisthatthesetoolsarehighlyautomatedtoday.Inthepast,hackingsoftwarehadn’tbeencreatedthataggregatedvastamountsofcodeandtoolsintosimpleandeasytousecommands.Assuch,hackersinthepastneededhighlyintimateunderstandingsofthetechnologiestheyweretryingtobreakanditwasdifficulttodoso.Havinganextremelydeepunderstandingoftechnologytodaywillcertainlyhelpyoubecomeabetterhacker,butmypointisthatthesetoolsarebecomingincreasinglyeasytouse.Infact,thereareyoungkidsandteenagersthataretoocuriousfortheirowngoodandtakeadvantageofhighlysophisticatedtoolstobreakintosystemstheyhavenobusinessaccessing.Understandthatthesetoolssimplifythehackingprocessconsiderably.Ifateenagercanhackintoasystemusingsimpletools,guesswhat?Youcantoo!

Butwhatdoesittaketoexcelasahacker?Well,mosthackershaveseveralthingsin

common.Firstofall,theyareexperiencedsoftwaredevelopersandcancraftmaliciousprogramsandvirusesthatfurthertheircause.Furthermore,mosthackersarecompetentLinuxusers.Linuxoperatingsystemsareextremelysecureandprovidevirtuallylimitlessaccesstothelatestpenetrationandsecuritytools–forfree!Inaddition,someLinuxoperatingsystemssuchasKaliLinuxweredesignedforthesolepurposeofhackingandnetworkpenetration.Linuxcanbescaryfornewbies,butIwillshowyouhowtorunLinuxandusesomespecialtoolslaterinthisbookinasimplifiedandeasytounderstandmanner.Lastly,hackersalmostalwayshaveaworkingknowledgeofnetworkingtopicssuchasIPaddresses,ports,andthedirtydetailsofhowdifferentnetworkingprotocolsoperate.Sometoolsevenexploitvulnerabilitiesinthesenetworkprotocols,andtheknowledgeoftheseexploitscombinedwiththeabilitytocraftcomputerprogramsiswhatmakessomehackerstrulyformidable.

Someofthesetechniquesareoutsidethescopeofthisbooksincethisguidewascreatedforbeginners,butifyoureallywanttoexcelasahackeryouwoulddowelltostudyandpracticetheseconcepts.Thoughwewon’ttouchonsoftwaredevelopmentinthisguide,Iwillcertainlyshowyoustep-by-stephowtoinstallandusesomevarioushackingtoolsthattheprostakeadvantageofandteachyouthebasicsofnetworkingaddressesandprotocols.

Chapter3–AttackTypesandFamousViruses

Mostofyouhaveprobablyheardofviruses,worms,malware,keyloggers,rootkits,andTrojansbefore,butwhattheheckarethesethingsandhowtohackersutilizethemtostealpeople’sdataanddisrupttheircomputersystems?Eachofthesetoolsarealittlebitdifferentfromeachother,buttheyallhaveonesimilargoal:toenteratarget’ssystemtoprovidetheattackerwithinformationheorshedoesn’talreadyhaveaccessto.No,I’mnotgoingtoshowyouhowtocraftnefariouscomputersoftware,butyoushouldhaveawell-roundedunderstandingofthesetopicsifyouhaveanyhopeofcallingyourselfahacker.

Firstandforemost,youneedtounderstandtheconceptofcomputervirusesbecausetheyareoneofthemostpopulartermsthrownaroundindiscussionsaboutcybersecurityandhacking.Acomputervirusisapieceofmaliciouscodeorsoftwareprogramthatisabletoinfectatargetsystemandthenmakecopiesofitselfonotherlocalcomputers.Theyareaptlynamedbecausetheyreproducemuchlikeavirusinreallife,andtheyfacilitatetheiroperationsbyattachingthemselvestocomputerprograms.Typicallytheyeitherrenderacomputingsystemcompletelyuselessortheyseektodestroydata.Again,you’llhearaboutcomputervirusesinthemoviesalot,sowe’lltakealookatsomeofthemostfamouscomputervirusesofalltimeafterdefiningtheotherterminology.

Awormisverysimilartoavirus,andit’struethatthelinebetweenavirusandwormgetsmuddiedandblurred.Thelargestdifferenceisthatwormsarenotattachedtoacomputerprogram.Theyexistindependentlyonthehostsystem,andtheyoftentakeadvantageofnetworkresourcestospreadtootherhostsonthenetworktheyhavecompromised.Sometimeswormsarealsoclassifiedasmalware,becausethereareonlyminutedifferencesintheterminology.Colloquially,thesetermsareinterchangeablebuttheirmeaningsvaryslightlyinacademicsettings.

Perhapsyouhavealreadyexperiencedthenegativeconsequencesofmalware.Oneofthemostpopularwaysthatmalwareisdistributedisthroughthemediumofonlinedownloads,wherebyadownloadablefilehasbeencorruptedwithmalwarethattheuserthendownloadsandinstalls.You’llseethisfrequentlywithmostfileshostedwithP2P(Peer-to-Peer)filesharingprogramssuchasBitTorrent.Malwaregetsitsnamebycombingtwootherterms:MALicioussoftWARE.Itcanalsobeusedasanumbrellatermusedtodescribemanydifferenttypesofattacks,anditcouldmeananysoftwarethatisusedbyanattackertocreateaccesstoatarget’sdata,blockthemfromtheirdata,orchangeinformationontheircomputer.

Furthermore,akeyloggerisyetanothertypeofmaliciousprogram,andasyoumighthaveguesseditssolepurposeistologthekeystrokesoftheuserwhohasbeeninfected.

Thisisabsolutelydisastrousforthetargetuser,becauseanattackerwillbeabletorecordandvieweverysinglekeythatthetargettypesontheirhostsystem.Thisincludesusernamesandpasswords,Googlesearches,privateinstantmessagingconversations,andevenpaymentcarddata.Ifanattackerhassuccessfullyinstalledakeylogger,thetargetisatthemercyoftheattacker.There’snotellingwhattheattackercoulddonext–theycouldhackintothetargetsystembyusingtheinformationtheygatheredsuchasusernamesandpasswords,stealmoneyusingtheirpaymentcarddata,orusetheirhostsystemtocarryoutattacksonotherhostsonthesamenetwork.

Next,youshouldalsobefamiliarwiththeideaofarootkit.Rootkitsareextremelydangerousbecausetheyservetoeditbackgroundprocessesinanefforttohidethemaliciousactivitiesofanattacker.Thiswillhelpviruses,keyloggers,andothermaliciouscodeexistforextendedperiodsoftimewithoutdetectiononthetargetsystem.Theycanevenservetohidesoftwarethatwouldhavebeenotherwisedetectedandquarantinedbysecuritysoftware.

LastbutnotleastistheinfamousTrojanhorse,sometimescalledaTrojanvirusorabackdoorvirus.Theyareextremelyproblematicbecausetheycanbeslippedintoinnocent-lookingapplicationsandtheyareveryhardtodetectwithouttherightsecuritysoftware.TherecouldevenbeaTrojanhorselurkinginthedepthsofyourpersonalcomputerrightnow,andtheyarefrequentlyusedtogaincompletecontrolofatargetsystem.

Nowthatyouhaveabasicunderstandingofthedifferenttypesofmaliciouscodehackersemploytodotheirbidding,youshouldknowaboutsomeofthelargestandmostfamouscomputervirusesofalltime.SomeofthemareactuallyothertypesofmaliciouscodesuchasTrojanhorses,butpeoplestillrefertothemasviruses.Anyexperthackerwillhaveheardofthesefamousattacksbefore,soyoushouldknowthemaswell.

Also,ifyougettheinklingtotryyourhandatusingoneofthesemethodsonyourownbyhuntingaroundontheInternetforfreelydistributablecodethatwillallowyoutoattackatargetsystem,justknowthatyou’resettingyourselfupforadisaster.Humorouslyenough,somehackingnewbiestrytofindrootkitsandkeyloggerstoattackhosts.Buthere’sthecatch–somehackersactuallyfacilitatetheirattackbytakingadvantageofpeoplewhowantaccesstothesetypesofprograms.

Andtheendresultisn’tpretty.Intheend,thenewbiehackermightactuallyinstallanexperthacker’svirusandunknowinglyinfecttheirownoperatingsystem!Anddon’tforgetthatthereareethicalandlegalimplicationsaswell.Many,ifnotall,ofthepeopleresponsibleforthesefamousattackswereseverelypunished.Sodon’ttrytoresearchand

implementthesetypesofvirusesathome!

1.CodeRed

Iknowwhatyoumaybethinking,andno,thishasnothingtodothemovies.Whenpeoplethinkofhackinginthemovies,theythinkoftopsecretmilitarybasesgettinghackedbyateenagerandraisingtheiralertlevelto‘codered.’Believeitornot,itisrumoredthatthetwoengineerswhodiscoveredandnamedthisattackweremerelydrinkingthedisgustingcherry-flavoredsodawhentheyfirstidentifiedthewormbackin2001.Thiswormwasprettydarnnasty,anditstargetswereserversthatwererunningtheMicrosoftIISsoftwareforwebservers.

Thisattackreliedheavilyonanexploitfoundinthecodethatleftserversvulnerabletoabufferoverflowissueinanolderversionofcode.However,itwasahugeproblemandverydifficulttodetectbecauseithadtheabilitytorunsolelyinmemory(RAM,orshorttermstorageasopposedtolongtermstoragesuchasaharddiskdrive).Andthingsgotoutofhandprettyquickly,too.Afterithadcompromisedasystem,itwouldthentrytomakehundredsofcopiestoinfectotherwebservers.Notonlythat,butitgobbledupatonoflocalserverresourcesthatallbutcrippledsomeofthetargetsystems.

2.Sasser

SasserisanotherwormdesignedtotargetWindows(noticingapatternhere?).Itfirstfounditswayintothespotlightbackin2004andwascreatedbyalegendaryandinfamoushackernamedSvenJaschanwhowasalsoresponsibleforanotherfamouswormnamedNetsky.OnereasonthiswormmadeInternetsecurityheadlineswasthatithadaffectedmorethanamilliontargets!Yetagain,thiswormtookadvantageofabufferoverflowvulnerabilitythatcausedtargetsystemstocrash.

Italsomadeitnearlyimpossibletorebootyourcomputerwithoutremovingthepowercableanditcausedmanycomputerstocrashcompletely.Tobefair,mostpeoplesawthiswormasanuisanceasopposedtoaseriousthreat.Butitcannotbedeniedthatitcausedmassiveandwidespreaddisruption.Iteveninfectedcriticalinfrastructuredevicesthatcausednetworkstoperformverypoorly.Likeothertypesofworms,ituseditstargetcomputerstopropagateandmultiplyitselftoothercomputers.

Butoneofthebiggestproblemswiththiswormisthatusersdidn’tupgradetheiroperatingsystemsafterapatchhadbeencreated.Bothpublicandprivatesectororganizationswereaffectedlikenewsstations,transportationsystems,healthcareorganizations,andevensomeairlinecompanies.Butwhatwastheendresult?Thedamageswerecollectivelychalkeduptobeapproximately$18billiondollars!WhathappenedtotheinfamousJaschan,youask?Fortunatelyforhim,hewasstillyoungsohereceivedaslaponthewristconsideringhowmuchdamagehedid.Heendedupwithasuspendedsentencelasting21months.

3.Zeus

TheZeusviruswasreallyaTrojanhorsecreatedtoinfect(canyouguesswhichoperatingsystem?)Windowsmachinesinanefforttoforcethemtocarryoutvaryingproceduresthatweredeemedtobecriminalactivity.Mosttypically,itwouldbeusedtocarryoutkeyloggingactivitiesandman-in-the-middleattacksthatwouldallowanattackertofirstsiftthroughwebbrowsinginformationbeforesendingittotheintendedwebserver.Itmostfrequentlyinfectedhostsbyutilizinginnocent-lookingapplicationsasatransportmediumintotheintendedtargets,buttheattackalsoemployedphishingtechniques.

Afterithadbeendiscoveredin2009,ithadruinedthousandsofindividualfiledownloadandFTPaccountsfromthelargestbanksandcorporations.ThoseinvolvedincludeAmazon,BankofAmerica,Oracle,andevenCisco.Theattackalsoallowedthehackerstostealusernamesandpasswordstosocialmediasites,emailaccounts,andbankinginformation.

4.TheILoveYouAttack

The‘ILoveYou’attackissoimpressiveandreveredinhackercommunitiesbecauseitcreatedawhopping$10billiondollarsinestimateddamages.What’smoreimpressiveisthatresearchersbelievethat10%ofeverycomputerconnectedtotheInternetatthetimewasinfectedwiththisvirus.Infecting10%oftheInternetwithacomputervirusisstaggeringtosaytheleast.Thingsstartedbecomingsoterriblethatsomeofthelargerorganizationsaswellasgovernmentalagenciesaroundtheworldstartedshuttingdowntheirmailingsystemsinanefforttoavoidbecominginfected.

5.Melissa

Thisnaughtyviruswassupposedlynamedafteranexoticdancerthecreator,DavidL.Smith,hadonceknown.Supposedly,theveryrootoftheviruswasaninfectedtextdocumentthatwasuploadedtothealt.sexUsenetgroupwiththeappearanceofbeingacollectionofusernamesandpasswordsforsubscriptionandmembership-onlypornographicwebsites.ButonceauserdownloadedthisWorddocument,allhellwouldbreaklooseandtheviruswouldactivate.

Tostart,theviruswouldlookatthefirst50addressesintheinfectedhost’semailaddressbookandstartsendingthoseaddressesemails.Inturn,thiswouldseverelydisruptemailservicesoflargeenterprisesandgovernmentalbodies.Furthermore,theviruswouldevencorruptdocumentsbyaddingreferencestothetelevisionshowTheSimpsons.However,theoriginalWorddocumentwaseventuallytracedbacktoSmithandhewasarrestedwithinaweekofthevirus’spropagation.AlthoughSmithonlyendedupserving20monthsofprisontimeanda$5,000fine(heoriginallyhada10yearsentence)becauseheturnedsnitchonotherhackersandhelpedtheFBImakemorearrests.Totopitalloff,itwasestimatedthatthedamagesfromhisvirustotaledapproximately$80milliondollars.

6.TheConfickerWorm

TheConfickerwormfirstappearedin2008anditcomesfromanunknownorigin.Thiswormwasespeciallytroublesomebecauseitcreatedabotnet(agroupofinfectedcomputersnetworkedtogether)ofmorethan9milliondifferenthoststhatharmedgovernmentalagencies,largeenterprises,andsimpleindividualusersalike.Thiswormmakesthetop10listbecauseitcauseddamagesestimatedatastaggering9billiondollars.ItwasabletoinfectWindowsmachinesduetoanunpatchedvulnerabilitydealingwithbackgroundnetworkservices.

Afterahosthadbeeninfectedwiththeworm,thewormwouldwreakhavocbypreventingaccesstoWindowsupdatesandantivirusupdates,anditcouldevenlockuseraccountstopreventpeoplefromlogginginandcleaninguptheworm.Ifthatweren’tbadenough,thewormwouldthencontinueitsattackbyinstallingmaliciouscodethatwouldmakethetargetcomputerpartofthebotnetandscamusersintosendingtheattackermoneybyholdingtheircomputerransom.Microsoftandthirdpartyantivirussoftwareproviderseventuallyreleasedupdatestocombatandpatchthisworm,butitdidmassiveamountsofdamagebeforeasolutioncouldbereached.

7.MyDoom

MyDoomwasfirstseenbackin2004,anditwasoneofthefastestemailwormstoinfectmassesofcomputerssincetheILoveYouattack.Thecreatorofthisattackisstillunknown,butitisrumoredthatthecreatorwaspaidbigmoneytocarryoutthisattackduetothemessageincludedinthevirusthatread,“Andy,I’mjustdoingmyjob.Nothingpersonal,sorry.”

Thiswormwasincrediblyslybecauseittookontheappearanceofanemailerror.Afterauserhadclickedonthe“error”toviewtheproblemthewormwouldsendcopiesofitselftopeoplefoundintheemailaddressbookoftheinfectedsystem.Furthermore,itwouldcopyitselfintopeer-to-peerdirectoriesontheinfectedhoststospreadthroughoutthenetwork.ItisalsobelievedthatthewormisstilllurkingontheInternettothisday,anditcausedapproximately$38billiondollars’worthofdamages.

8.Stuxnet

ThisattackhasasomewhatpoliticalbackgroundasitisthoughttohavebeencreatedbytheIsraeliDefenseForceinconjunctionwiththeAmericangovernment.Whilesomeofthepastviruseswerecreatedoutofmalice,contempt,orthecuriositytoseejusthowmuchdamageaprolifichackercouldcreate,thisviruswascreatedforthepurposeofcyberwarfare.ThegoalwastostymytheinitiativesoftheIranianstocreatenuclearweapons,andalmosttwothirdsofhostsinfectedbythisviruswerelocatedinIran.

Infact,itisestimatedthattheviruswassuccessfulindamaging20%ofthenuclearcentrifugesinIran.Morespecifically,thisvirustargetedPLC(ProgrammingLogicControllers)componentswhicharecentraltoautomatinglargemachineryandindustrialstrengthequipment.ItactuallytargeteddevicesmanufacturedbySiemens,butifitinfectedahostthatdidn’thaveaccesstoSiemensproductsitwouldlurkonthehostsysteminadormantstate.Essentially,itwouldinfectthePLCcontrollersandcausethemachinerytooperatefartoofast–whichwouldultimatelybreakthemachinery.

9.CryptoLocker

ThisvirusisanotherexampleofaTrojanhorsethatinfectedWindowsmachines,andthegoalwastoransomtargetcomputersinexchangeformoney.ThisTrojanwasverycunningbecauseithadseveraldifferentwaystospreadtoothercomputers.However,itwasincrediblytroublesomebecauseafterithadinfectedahost,itwouldthenproceedtoencrypttheharddrivewithanRSAkeythattheownerofthecomputerneverhadaccessto.Ifyouwantedyourfilestobeunencrypted,youwouldhavetopaymoneywithprepaidmethodsorbitcoinstotheinitiatorsoftheattack.

ManypeopleweresuccessfulinremovingtheTrojanfromtheircomputers,buttheystillhadonegargantuanproblem:thefilesontheirharddrivewerestillinaccessiblebecausetheycouldnotbedecryptedwithoutthekey.Fortunatelytheleaderoftheattack,EvgeniyBogachev,wascaughtandthekeysusedtoencryptthetargets’harddriveswerereleasedtothepublic.Apparently,theattackwassuccessfulingarnering$3millionfromtheransoms,anditinfectedabouthalfamilliontargets.

10.Flashback

IalwaysloveitwhenAppleevangelistsclaimtoPCusersthattheircomputersaresuperiortoWindowsmachinesbecausetheircodeisinfallibleandthereisnowaytogetavirusonaMac.Whileit’struethatWindowsmachinesaremoresusceptibletoviruses,Macsaren’tperfecteither.SuchwasthecasewiththeFlashbackTrojanthatwasfirstobservedin2011.ThisTrojanusedinfectedwebsitestoinjectfaultyJavaScriptcodeintothehostbrowser,anditmadeinfectedMachostspartofabotnet.Believeitornot,thisTrojanhadinfectedover600,000MaccomputersandafewofthosewereevencontainedatAppleHQ.Also,thoughnumerouswarningsandsolutionshavebeencreatedforthisTrojan,manybelieveitisstilllurkinginthedepthsoftheInternetandthatthousandsofMacsarestillaffected.

InSummary

Viruses,malware,andTrojanhorsesarejustonefacetofhacking,though.Thetruthisthattheseviruseswerecreatedbyexpertswhohadadeeperknowledgeofcomputingsystemsthanmanyofthesecurityexperts.Allofthepeoplewhocarriedouttheseattackswereexpertsoftwaredevelopersandcoders.Ifyouthinkyouwanttobecomeasinfamousasthesetypesofhackers,you’regoingtoneedtobecomeanexpertsoftwaredeveloper.There’snowayaroundit.However,Iwouldhopethatthissectiononlyopenedyoureyestothepotentialsomeoftheseattackshavetocausewidespreaddevastationandcostlydamages.

Again,pleaseunderstandthatthepurposeofthisguideisn’ttoteachyouhowtocreateaprogramthatwillharmotherpeople’scomputers,rackupmassivemultimilliondollardamages,andleaveyouwithheavyconsequencessuchasprisontimeandungodlyfines.However,asawhitehathacker,youneedtobeawarethatthesetypesofattacksexistsoyouhaveabasichackingvocabularyandsomefoundationknowledge.

Iwill,however,showyouhowtocrackvariouspasswords,mapnetworktopologies,exploitvulnerabilities,andscantargetsforsecurityflaws.Inthesetypesofexamples,wewillbefocusedonhackingintoasingletargethostornetworkinsteadoftryingtoreleaseaplagueupontheglobalInternet.Allofthatingoodtime,however,becausefirstyouneedtounderstandthedifferenttypesofhackersthatlurkontheInternet,ethicalconsiderationsregardingyouruseoftheknowledgeinthisbook,andtheconsequencesofyouractionsshouldyoumisusethisinformationandgetcaughtred-handed.

Chapter4–EthicalConsiderationsandWarnings

Abookabouthackingwouldbeirresponsiblyincompletewithoutachaptergivingyouafairwarningontheconsequencesofmisusingthesetechniquesaswellastheethicalconsiderationsofhacking.Tobeginthisdiscussion,youneedtobefamiliarwithtwodifferentterminologiesthatdescribedifferenttypesofhackers:blackhatandwhitehat.IliketheimagerythesetermsbringtomindbecausetheyalwaysseemtoremindmeofSpyvsSpy.

Blackhathackersarewhatmostpeopletypicallythinkofwhentheyheartheword“hacker.”AblackhathackeristhetypeofnefariousInternetuserwhoexploitsweaknessesincomputingsystemsforpersonalgainorinordertodisruptanorganization’sinformationsystemstocausethemharm.He’stheguywearingahighcollaredshirt,sunglasses,andafedorabehindanarrayof20orsocomputermonitorsorthenerdinthemovieswhocanbreakintoatopsecretsystemillegally.

Therereallyisn’tanygoodthatcancomeoutofadoptingablackhatapproachtohacking,either.Whenyouhearinthemediathatafinancialinstitutionjustlostthousandsofusernamesandpasswordsorthatasocialmediadatabasewascompromisedthatcausedvastamountsofpeopletolosesensitivepersonalinformation,theattackwascarriedoutbyablackhathacker.Recently,therewasevenamoduleofcodecontainedinaWordPresspluginthatwassusceptibletoanXSSvulnerability(atypeofsecurityflawinwebsiteswithcachingplugins)thatwasbeingexploitedworldwidebytheextremistgroupISIS.Ifyouarereadingthisbookbecauseyouhavedreamsofcausingmassdisruptionandchaos,Iwouldhighlyadviseyoutoreconsider.However,understandthatsecurityandpenetrationtoolsaren’tinherentlygoodorevil.Onecouldarguethattheyaremuchlikefirearmsinthesensethattheweaponisaninanimateobjectanditisonlyasgoodorevilasthepersonwieldingit.

Whitehathackers,ontheotherhand,arethecompleteopposite.They’rethegoodguyswhodoeverythingintheirpowertofindpotentialsecurityflawsandcorrecttheerrorssotheblackhathackerscan’tbreakasystem.Asyoureadthisbook,youneedtoconsiderallofthetoolsandtechniquesIshowyoufromtheperspectiveofawhitehathackerandusethemresponsibly.Ifyoupursuewhitehathackingprofessionally,youcanaddtremendousvaluetotheorganizationyouworkforandmakebigmoneydoingso.SomewhitehathackersthathavetheCEH(CertifiedEthicalHacker)certificationmakesalarieswellintothesixfigurerange.Internetsecurityisonlybecomingmoreimportantwitheachpassingyear,andatalentedwhitehathackercanusepenetrationtestingtoolsandfootprintingmethodstoidentifydisastroussecurityflawsontheorganization’snetworkandinformationinfrastructureandpatchthembeforetheybecomeaproblemthatwouldcost

theorganizationobsceneamountsofmoney.

Furthermore,youneedtobeawareoftheconsequencesofmisusingtheknowledgeyoulearninthisbook.Thoughyoulikelywon’tgetcaughtsnoopingaroundanetworkattachedtoanunsecuredSOHO(SmallOffice/HomeOffice)wirelessnetworkinyourneighborhoodoratyourfavoritelocalcoffeeshop,youneedtorespectotherpeople’srightstoprivacy.Thinkaboutit–howwouldyoufeelifyouweresittingdownforacupofcoffeewhilereadingabookonlytofindoutlaterthatsomeonehadattackedyourKindleoverthecoffeeshop’snetworkandstoleyourdata?Youwouldfeelenraged,irritated,andviolated.Sorememberthegoldenruleasyougrowintoawhitehathacker.

Alsoconsiderthatusingpenetrationtoolsonnetworkswhereyoudon’thaveanyauthoritytodosocouldleadtosomeextremelynegativeconsequences.Let’sfaceit,youdon’thavetherighttostealotherpeople’spersonalinformation–it’sillegal.Notonlycouldyouprovokecivillawsuits,butyoucouldevenfacejailorprisontimedependingonthenatureofyouroffense.Ifyouchoosetodoitonyouremployer’snetworkandyougetcaught,thebestcasescenarioisthatyouwouldhavesomeextremelyuncomfortablequestionstoanswerandtheworstcasescenarioisthatyouwouldbecomefired.It’sjustnotworthit,sokeepthatinmindmovingforward.

Insteadoftestingoutthesetechniquesonpublicorcorporatenetworks,myadvicewouldbetotrytheseinyourveryownhome.Evenasmallhomenetworkwillprovideadigitalplaygroundforyoutotestoutyournewsecurityskills.Allyouwouldneedtorunthroughsomeofthesedemoswouldbeapersonalcomputer,awirelessrouter,andpreferablyafewotherdevicesthatyoucanattachtoyournetwork.InthefootprintingsectionIwillshowyouhowtorunpingsweepsandotherutilitiestoperformreconnaissanceandinformationgatheringmethods,sohavingseveralotherdeviceswillgiveyoumore“toys”toplaywithonyourlocalareanetwork(LAN).

BynowIhopeyouunderstandthattheword“hacker”isratherambiguous.Yearsago,itrightfullymeantablackhathacker.Todayhowever,itcouldrefertoanynumberofdifferenttypesofpeoplewhoareextremelyknowledgeableabouttechnology,andtheterm“hacker”doesn’tnecessarilymeansomeonewhoistryingtostealintellectualpropertyorbreakintoarestrictednetwork.Callingsomeoneahackeristhelayman’sapproachtodescribingadigitalthief,butsecurityprofessionalswilloftendrawthelinebetweenthewhitehatsandtheblackhats.

Withallofthedirewarningsoutoftheway,wecannowproceedtothejuicerandmorepragmaticsectionsofthebookyouhaveallbeenwaitingforandwecanbegintolearnhowyoupersonallycangetyourfeetwetwithhacking.Tobegin,understandthatthis

bookiswrittenwiththeassumptionthatyouhavelittletonounderstandingofrudimentarynetworkingandsecurityconcepts.BecausethisbookiswrittenforbeginnersasopposedtoseasonedInternetsecurityprofessionalsandexperthackers,youneedtofirsthaveabasicunderstandingofnetworkterminology,addressingconcepts,andotherfundamentalsthatyouwillbeabletouseasafoundationtobuildyourhackingskillsupon.So,let’sgetstartednetworkingfundamentals!

Chapter5–NetworkingFundamentals

UnderstandingtheOSIModelandNetworkingTerminology

TheOSIModel(OpenSystemsInterconnection)isoneofthebestplacestobeginifyouarelackingaworkingknowledgeofnetworkingconcepts.JustabouteveryoneofthedemoswewillrunthroughtogetherisheavilybasedontheOSImodelandnetworksecurityprofessionalsoftenthrowaroundterminologyandjargonrelatedtodifferentcomponentsofthismodel.Also,itwillbenefityoupersonallyifyouunderstandwhatleveloftheOSImodelvariousattackstargetandthisknowledgeisfundamentaltounderstandingIPaddressesandports,whichwewillcoverlaterinthischapter.

Tobegin,understandthattheOSImodelconsistsofsevendifferentlayersasfollows:

7.Application–Acomputerapplicationthatcreatesdatasuchasanemailorinstantmessagingprogram

6.Presentation–Themethodofencodingdata,suchasASCIItext

5.Session–TCPports(FTP,POP,HTTP,HTTPS,etc.)

4.Transport–TCPorUDPconnections(amongothers)

3.Network–IPaddressesandpackets

2.Data-Link–MACaddressesandframes

1.Physical–onesandzeros(bits)transmittedacrossacable

(*Note:Ifyoudon’tunderstandsomeoftheterminologydescribedabove,takeadeepbreathandrelax.We’llgettothatlater.*)

Irealizethatthislistmaylookoddbecauseitstartswiththenumber7,butthefirstlayerofthemodelisalwaysrepresentedonthebottomsinceeachadditionallayerisdependentonitssubordinatelayertoencapsulateandtransmitdata.Youcanrememberthefirstletterofeachlayerwiththepneumonic‘PleaseDoNotThrowSausagePizzaAway’.Wewon’tgointogreatdetailaboutthefinerpointsofthismodelaswewillreallymainlybeconcernedwithlayers2,3,4,and5fromahackingperspective,butyouneedahighlevelunderstandingoftheOSImodelregardless.

Eachlayerhasitsownspecificfunctiontofacilitatedatatransmissionsbetweentworemotesystems.Asdata(likethetextinaninstantmessagingapplication)isgeneratedononedevice,itstartsatthetopoftheOSImodelintheapplicationlayerandgetspusheddownthrougheachsubordinatelayeruntilitbecomes0’sand1’sonacableatthephysicallayer.Eachlayerencapsulatesdatafortransmissionbeforesendingitontothenextlayerforfurtherencapsulation.TheprocessworksmuchlikeRussiannestingdolls.Oncethe

datahasreachedthephysicallayer,itgetstransmittedasbinarybitsoveracablemedium.Then,thereceivinghostunpackstheencapsulateddatafromeachlayerusingthereverseprocess.

Thismodelisfundamentaltounderstandingdatatransmission,buthowwillthishelpyoubuildaskillsetforhacking?Firstofall,itisessentialtounderstandthismodelifyouhopetolearnaboutdifferentnetworkprotocolsandTCP/IPports.Also,terminologyisoftenthrownaroundregardingadevice’sorprotocol’sfunctionandwhatlayeroftheOSImodelitbelongsto.Forexample,MACaddressesarealayer2addresswhileIPaddressesarealayer3address.Andports–whichIamsureyouhaveheardofbefore–belongtolayer5.Wewilldigintoalloftheseconceptsshortly,butfirstyouneedtoknowaboutIPaddressessoyoucanidentifyvarioushostswhenyouarehacking!

IPAddressingEssentials

Ofthefundamentalconceptswearediscussinginthisbook,IPaddressingisbyfarthemostimportant.ButwhatisanIPaddress?Well,andIPaddressisanumberthatservesasauniqueidentifierthathelpscomputersdifferentiatebetweenhostsconnectedtotheirnetwork.Themostcommonanalogytodescribethisconceptisthatofthepostsystem.Ifyouwantedtomailalettertosomeone(sendthemdata),youwouldfirstneedtoknowtheirhome’saddress(IPaddress)beforeyourmessagecouldbedelivered.

Whetheryouknowitornot,youhaveundoubtedlyseenIPaddressesalready.Theyconsistoffournumbersrangingfrom0-255thatareseparatedbyperiodsasinthefollowingexample:

-192.168.1.1

AlsounderstandthatanIPaddressis32bitslong.Wewon’tdigintobinarymathbecauseitwon’tdomuchforournetworkpenetrationexampleslaterinthisbook,butknowthateachnumberseparatedbyaperiodintheaddressiscalledanoctet.Itiscalledthisbecauseeachofthefournumbersare8bits(1byte)inlength.However,thisIPaddresslackssomethingcalledasubnetmask,sowedon’tknowwhatnetworkitbelongsto.

SubnetMasks

EachIPaddressiscomposedoftwoportions:thenetworkportionoftheaddressandthehostportion.AsubnetmaskdetermineshowmuchoftheIPaddressdefinesanetworkandhowmuchoftheaddressidentifiesahostonthatnetworksubnet.Fortheremainderofthisbook,justnoteIwillusethetermsLAN(LocalAreaNetwork)andsubnetinterchangeably.Considerthefollowingfourexamplesofsubnetmasks:

1.255.0.0.0(/8)–8bits(thefirstoctet)definethenetworkportionoftheaddress.

2.255.255.0.0(/16)–16bits(thefirsttwooctets)definethenetworkportionoftheaddress.

3.255.255.255.0(/24)–24bits(thefirstthreeoctets)definethenetworkportionoftheaddress.

4.255.255.255.255(/32)–Thissubnetmaskindicatesahostaddress.Itdoesnotindicateanetworksubnet.

Notethatsubnetmaskscanbewrittenusingtwodifferentnotations.Considerthefirstexample.255.0.0.0isjustanotherwayofwriting“/8”becausetheybothindicatethatthefirstoctetintheIPaddress(thefirstbyteorthefirst8bits)describesthenetworkportionoftheaddress.

Didyounoticehowthesefoursubnetmasksareinmultiplesof8?Thatwasintentionalbecauseitmakesourexamplemucheasier.Thetruthisthattherearemanymorecomplexsubnetmaskssuchas/17,/21,or/30thatlieoutsidethescopeofthisbookbecausetheyrequirebinarymath.However,onprivatehomenetworkssuchastheenvironmentwhereyouwillbetestingourdemos,a/24subnetmaskisbyfarthemostcommon.I’devenbetbigmoneythatyourhomenetworkdeviceusesa/24subnetmask.Thatis,unlessyouchangedit–inwhichcaseyouwouldalreadyknowaboutIPsubnets!

So,nowit’stimetoputtwoandtwotogether.WearegoingtoconsideranIPaddressandasubnetmasktogether,determinethehostandnetworkportionoftheaddress,andthendeterminethecompleterangeofusableIPaddressesforthatsubnet.Considerthefollowing:

-IPAddress:192.168.1.1-SubnetMask:255.255.255.0

Allright,solet’schopuptheIPaddressanddefinethenetworkportionoftheaddress.Canyouworkitout?WhenthesubnetmaskisappliedtotheIPaddress,weseethatthefirst3octetsdeterminethenetworksubnet.So,192.168.1.0/24isthenetworkonwhichthehostwiththeIPaddress192.168.1.1resides.Thatmeansthatthelastoctetdetermines

thehostportionoftheaddress.Onthe192.168.1.0/24networksubnet,thishosthastheaddressof“1.”Furthermore,wecanconcludethatbecauseeachoctetcanrangefrom0–255thatotherhostsonthe192.168.1.0/24subnetcanuseaddressesfrom2-254(youneverusethe0or255thaddress).Usableaddressesonthissubnetinclude192.168.1.2–192.168.1.254.Understandthatifthe192.168.1.1hostwassendingdatatothehostusingthe192.168.1.2address,theyarecommunicatingovertheirLANsincetheybelongtothesamenetwork.

TwoSpecialNetworkAddresses

Sowhydon’tweusethe0orthe255thaddressesonasubnetashostaddresses?Becausethesetwoaddressesarespecial.Thefirstoneiscalledthenetworkaddress.Thisaddresscan’tbeassignedtoahostbecauseitdefinesanentirenetwork.Inourexampleabove,thisaddresswas192.168.1.0.Also,notethatthelastaddressonanetworksubnetisthebroadcastaddress.Thisaddressisusedtosendinformationtoeveryhostresidingonthatnetworkatthesametime,sothisaddresscan’tbeusedforasinglehostaddresseither.Inourpreviousexample,thebroadcastaddressis192.168.1.255.

MACAddresses

MAC(MediaAccessControl)addressesarelayer2addresses,andtheyaregloballyunique.EachMACaddressiscontainedonthenetworkcardofyourcomputer,anditiscomposedoftwelvehexadecimaldigits(0-9,A,B,C,D,E,F)whichtotal48bitsinlength.ThefollowingisanexampleofaMACaddress:

-B8EE:6525:7EA6

Thefirsthalfoftheaddress–thefirst6digits–indicatetheOUI(OrganizationallyUniqueIdentifier).Thisisjustafancywayofsayingthatitmarkswhomanufacturedthenetworkcardhardwareinyourcomputer.Thelast6digitsareauniqueidentifierforthatmanufacturer’snetworkcards.

BecauseMACaddressesarelayer2addresses,theycannotberoutedontheInternet.Theybelonginthedata-linklayeroftheOSImodel,andtheycanonlyhelpdevicesspeaktooneanotheronthesameLANviaalayer2networkswitch.Inorderforlayer2addressesandlayer3addressestooperatetogether,weneedamechanismthatbindsthemtogether.

ARP(AddressResolutionProtocol)

ARPisanetworkprotocolthatbindslayer2addressestolayer3addresses.BothnetworkingdevicesandcomputersalikekeeptablesthatrecordARPinformationontheLANsotheycankeeptrackofwhichMACaddressesarepairedwithwhichIPaddresses.Thisinformationisconstantlychangingeverytimeyoutakeyourlaptopormobiledevicetoanewwirelessnetwork,andthisinformationiscriticaltofacilitatingtypesofattackssuchasamaninthemiddleattack.

Basically,whenahostwantstosenddatatoanothercomputer,ithassomedecisionstomakeregardinghowitwillsendthedata.Here’showitworks.ThehostfirsttakesalookatitsownIPaddressanddeterminesifthedestinationhostresidesonthesamesubnet.Ifnot,thehostsendsthatinformationtoitsdefaultgatewaytoberoutedtotheappropriatenetwork.ThehostwilllookatitsARPtable,findthematchingentryforthedefaultgateway,andaddressitsdatatothedefaultgateway’sMACaddress.However,ifthedestinationhostisonthesamesubnet,allitneedstodoisfindthematchingMACaddressforthedestinationIPandsenditdirectlytotheintendedparty.

IfyouuseaWindowscomputer,youcanusethearp–acommandfromthecommandprompttoviewthecontentsofyourARPcache.ARPisanintegralpartofmodernnetworks,andtherearemanyadvancedexploitsthatrevolvearoundmanipulatingthisprotocol,soyouneedtohaveabasicunderstandingofit.

PortsandFirewalls

Ports,whicharealsosometimescalledsockets,wereoneofthehardestfundamentalconceptsformetowrapmyheadaroundwhenIfirststartedlearningnetworkingengineeringandcomputerhackingyearsago.Basically,theyarenumericvaluesthatarepartoftheTCP/IPprotocolsuitethatareusedtotagdifferenttypesoftraffic.Bytaggingtraffic,deviceslikefirewallscantakedifferentactionswhendifferentdatastreamsflowthroughanetwork.

Thereareliterallythousandsofdifferentportsthatareeachusedfordifferenttypesoftrafficandapplications,butonlyafewofthesearewell-knownprotocols.Somesoftwaredevelopersreservecertainportsfortheircustomapplicationtraffic,butyouonlyneedtobeconcernedwiththewell-knownportstogetyourfeetwetwithhacking.Itiscrucialthatyouhaveabasicunderstandingofportsbecauselaterwewillgothroughtheprocessofportscanningonyourlocalnetworktoascertainwhichoftheseportsareopenandwhichareclosed.

Thefollowingaresomeofthemostcommonportsandtheirrespectiveprotocolsandtraffictypes:

-Port80:HTTP(HyperTextTransferProtocol–usedforwebbrowsingandwebpages)

-Port20/21:FTP(FileTransferProtocol–usedtodownloadfilesremotely)

-Port443:HTTPS(HyperTextTransferProtocolSecure–encryptedHTTP)

-Port22:SSH(SecureSHell–usedtoremotelyruncommandlineprocedures)

-Port53:DNS(DomainNameSystem–usedtobindIPaddressestoURLs)

-Port547:DHCPServer(DynamicHostConfigurationProtocol–automaticIPaddressassignment)

Asyoucansee,eachnetworkprotocolisassigneditsownuniqueportnumber.Theseportsprovideawaytohandlevarioustypesoftrafficdifferently.Forexample,ifIdidn’twantanyonetodownloadfilesfromapersonalfileserverIwashostingonmynetwork,Iwouldblockconnectionattemptsonport20and21(FTP).Thisisanextremelybasicexample,butunderstandthatifyouseeahostwithanopenport,thathostwillacceptconnectionsusingthatspecifictypeoftraffic.Asanotherexample,considerawebserverthathostsawebsite.Itwillhaveeitherport80(HTTP)orport443(HTTPS)open,andclientscanmakeaconnectiononthoseportswiththeservertodownloadthewebpagestotheirbrowser.

Theseideasbringustothenextimportantconcept:firewalls.

Theterm‘firewall’isthrownaroundinthemoviesalot,butmostpeopledon’tunderstandwhattheydo.Thoughtheyhavemanyadvancedfeatures,oneofafirewall’smostbasicfunctionsistopermitordenytraffictoanetwork.Firewallsinhomeenvironmentsactasasinglepointoffailure–meaningthatallofthedataintransitto/fromthelocalnetworkneedstofirstpassthroughthefirewall.Becauseitactsastheonlywayintoanetwork,thefirewallcanpreventhackersfrommakingconnectionsonspecifiedportstoprotectthelocalnetwork.

Thisconceptreferstoahardwarefirewall,buttherearesoftwarefirewallsaswell.Forexample,justconsidertheprogramadequatelynamedWindowsFirewall.Itisapieceofsoftwarethatwillpreventthenetworkingcardinyourcomputerfrommakingconnectionsonanyoftheportsyouchoosetoblock.Wewillseehowtoscanatargetsystemlaterwithaportscannertoseewhichportsareopenandpotentiallyexploitable.

YoushouldalsoknowhowtorunapingaswellasviewyourIPaddress,subnetmask,andMACaddress.Theseareextremelysimplecommands,andtheyareusedfrequentlybynetworkingsecurityprofessionals.Theyareallrunfromthecommandprompt,soinWindowsopenupthecommandpromptbysearchingforitorhittingyourWindowskeyandtyping‘cmd.’Theapplication’siconisablackbox,andonceyourunthisprogramyouseeapromptwithablinkingunderscore.

ToviewyourIPaddress,subnetmask,anddefaultgateway,justtypeipconfigintothecommandprompt.Ontheotherhand,ifyouwanttoseeyourMACaddress,justtypeipconfig/allintothecommandprompt.IfyouareusingaMacorLinuxcomputer,thecommandisonlyslightlydifferent.Onthesesystemsthecommandisifconfig.

InSummary

Pleaseunderstandthatwecouldgomuchdeeperintothesetopics.Infact,therehavebeenentirebookswrittenaboutsomeofthesesubjects,buttheyaretooadvancedforabeginnerandlieoutsidethescopeofthisbook.Theideaistogiveyouaworkingknowledgeoftheseideastofacilitateyourhackingandpenetrationtestingendeavors.However,ifyouwanttofurtheryourknowledgeontheseconcepts,itwillonlyhelpyoubecomeabetterhacker.NowthatyouknowwhatIPaddresses,MACaddresses,ports,andfirewallsare,wecanmoveontomoreadvancedtopics.

Chapter6-TheHacker’sToolBelt

Hackershavealotoftoolsintheirtoolbeltthattheaverageuserhasn’tevenheardof.Thesetoolsaren’tincrediblyspecialorsecretive,butmostpeoplesimplydon’tunderstandwhattheyareorhowtousethem.Thehonesttruthisthatthereareboatloadsofdifferenttoolsouttherethatcanbeusedtobreakintoasystemorbeusedtoidentifyvulnerabilities.

Oh,andguesswhat?Surprisinglyenough,manyofthemarecompletelyfreetouse.PartofthereasonmanyofthesetoolsarefreetousestemsfromthefactthatmanyofthetoolswerewrittenforLinux,andthevastmajorityofLinuxsoftwareisfreeofchargebecauseitisprotectedbytheGNUlicense.

Someofthemostpopulartypesofhackingtoolsthatwe’lltakeahands-onlookatinthisguideinclude:

-Vulnerabilityscanners-we’lltakealookatonecalledOpenVASlaterinthisbook

-Portscanners–we’llalsoseehowtouseaportscannercalledNMAP

-Packetsniffers–thissoftwarelistenstoandrecordsalloftheinformationflowingoveryournetwork,andwe’lluseonelaterforaman-in-the-middleattack-demonstration

-Passwordcrackers–thesetoolsareusedtouncoverthepasswordtoasystem

Whilethiscertainlyisn’tacomprehensivelistofthetoolsahackerhasintheirtoolbelt,thesearecertainlysomeofthemostpopularandmostimportanttoolsyouneedtobeawareof.Let’stakeacloserlookateachoneofthesetypesoftoolsindetail.

VulnerabilityScanners

Vulnerabilityscannerswereoriginallydesignedtohelpwhitehathackersfindpotentialsecurityholesintheircomputingsystemstoplugupthesecurityholesbeforeablackhathackercouldfindawaytopenetratethesystem.However,thesescannerscanbeusedforbothgoodandevil.

Blackhathackerscaneasilyleverageavulnerabilityscannertofindaweaknessinanetwork,server,orhosttofacilitateanattack.Andthesescannersareprettyeasytouse,too.Thoughsomeofthefine-tuningandtweakingofthescanyouwanttoperformcangetalittlecomplex,byandlargeallyouneedtodoispointthescanneratatargetandclickabutton.Butavulnerabilityscanneronitsownisn’tverydangerous.Ablackhathackerwillthenneedtouseothertypesofsoftwareinordertotakeadvantageofthevulnerabilitiesfoundwiththescanner.Vulnerabilityscannersarereallyonlyusedtoidentifyweaknesses,plainandsimple.

Laterinthisbookwe’regoingtogothroughtheinstallationprocessofonesuchscannernamedOpenVAS.WewillbeinstallingitinaLinuxenvironment,andtheinstallationprocessisthehardestpart.Afterwerunthroughthedemolaterinthebook,allyouneedtodoissupplyanIPaddressandclickasinglebutton.Oncethescannerisupandrunning,itisridiculouslyeasytouse.

ProsofVulnerabilityScanners:

-Helpmakesystemsmoresecurebyidentifyingweaknessesthatanadministratororsecurityexpertcanthenaddressandtakecareof

-Mitigatestheriskofhackerstakingadvantageofasystem

-Theyarefuntouse!

ConsofVulnerabilityScanners:

-Sometimestheyarenotperfectandhavethepotentialtomissthelatestsystemvulnerabilities

-Theyrelypartiallyonadatabaseofvulnerabilitiesthatneedstobecontinuouslyupdated

-Hackerscantakeadvantageofthemtofindwaystobreakintoasystem

PortScanners

Aportscannerisbasicallyasoftwareutilitythatcanbeusedtodeterminewhichportsahostisacceptingconnectionson.Forexample,ifIwantedtoseeifIcouldpullupawebpagefromanyhostsonmynetwork,Iwouldscanmysubnettoseeifanyhostshaveport80open.Butthisisabasicexample.

Theinformationobtainedfromaportscannercanhelpattackersreadbetweenthelinesanddeterminethepurposeofahostontheirnetwork.Forexample,ifaportscannershowedthatahosthadport9100open,youcouldreasonablyassumethatthehostyouscannediseitheraprinteroraprintserversinceport9100isusedforprinting.Iknow,Iknow,printersareboring.Butitisamusingtothinkthatyoucouldsendprintjobstoyourneighbor’sprinterandprintanythingyouwantedtoafteridentifyingtheirprinterwithaportscanner(don’tactuallydothat,it’sjustfunnytothinkabout).

Butthinkhowfaranattackercouldtakethisconcept.Byidentifyingtheservicesthatarerunningonahost,theycandeterminewhattypeofservertheyaredealingwith,whetherornottheyhavefoundaninfrastructuredevicelikearouter,switch,orfirewall,orfindwaystoattackendusercomputersbymakingconnectionsontheiractiveports.

Nowtakeamomenttoconsiderthingsfromawhitehatperspective.Anethicalhackercoulduseaportscannertoverifythatalloftheportsonanetworkthatshouldbeclosedareactuallyclosed.Itisausefulverificationtoolthatcanbeusedtopreventvulnerabilities.

Layer4Scanners

RememberhowimportantItoldyoutheOSImodelis?Wellthereisawholeclassofscannersthattargetslayerfour(thetransportlayer)oftheOSImodelspecifically.Thesescannerslookforminutedetailsintheoperationoflayer4protocolssuchasTCP(TransmissionControlProtocol)andUDP(UserDatagramProtocol)tofindweaknessesinhosts.Theinnerworkingsoftheseprotocolsareactuallyquitecomplex,butrealizethatthereisaprocesscalledahandshakethattwohostsmakebeforetheyformaconnection.Bytrickingandmanipulatingthehandshakeprocess,attackerscancauseseriousharmtosystemsintheformofaDoS(DenialofService)wherebyanattackerbreaksthelogicintheseprotocolstocauseahostorservicetostopfunctioningorseverelyunderperform.

PacketSniffers

Packetsniffersareinvaluabletoolsthatareabletocapture,store,anddisplayalloftheinformationthatisflowingoveracableortransmissionmediumsuchasawirelessinterface.Byusingapacketsniffer,you’llbeabletoseeingreatdetailalloftheconversationsthatcomputersarehavingwitheachother.

Youcanseeconnectionattempts,filetransfers,andevenGooglesearches.Packetsniffersareespeciallydangerouswhendataisbeingsentinplaintext,whichisanotherwayofsayingthatthedataisn’tencryptedbeforeitissenttoanotherhost.So,forexample,ifyourusernameandpasswordweren’tencryptedbeforebeingsenttoaserver,andattackercanleverageapacketsniffertocapturethatdataandstealyourusernameandpassword.

Butsomepacketsniffers,suchasWireshark,aredifficultfornewbiestoreadbecausetheysimplydon’tunderstandhowthevariousprotocolsoperate.Apacketsnifferwillshowanattackerthenitty-grittydetailsofatrafficstream’srawdata.Morespecifically,itcanshowyoutheIPaddressofahostthatinitiatedaconnection,howanotherhostrespondedtotheconnectionattempt,anydatathatwassentduringthesession,andwhattypeofdataisflowingovertheconnectionviaitsportnumber.

HaveyoueverwonderedhowISPscanseewhattypeofdataisflowingovertheirnetworkanddeterminewhichhostsarevisitingspecificwebsites?Packetsniffersarebutonetoolamongmanythattheyuseachievethisgoal.

PasswordCrackingUtilities

Hackersfrequentlyusetoolscalledpasswordcrackerstogainunauthorizedaccesstocomputersystems.Crackingisbasicallyatermusedtodescribetheprocessofobtainingapasswordthatishiddenorstoredinaprotectedformat.Forexample,therearewirelesspasswordcrackingtoolsthatallowanattackertogainthepasswordtoaWi-Finetworkwithoutneedingtoknowthesecuritykeyupfront.

Buttherearemanyothertypesofpasswordsandmethodsusedbytheseutilities.Somepeoplehaveheardofabruteforcepasswordattackbefore,andthesecanalongtimetoperform.Inthebruteforceprocess,acomputerwilltrytoguesseveryconceivablepasswordtogainaccesstoasystembytryingeveryuniquecombinationofcharacters.

Inaddition,therearealsodictionarybasedattacksthatareusefulforbreakingweakpasswords.Thesetypesofattackstakeamorepragmaticapproachtocrackingapasswordbecausetheytrypasswordsbaseduponadictionaryofcommonandpopularphrases.Typicallyanattackerwilltryadictionaryattackbeforeabruteforceattackbecausethereisahigherchanceofcrackingapasswordwithadictionarybasedattack.Bruteforceattackshaveonecolossaldownfall:theycanbeextremelyslowduetothemillionsandmillionsofcombinationstheyneedtotrytobesuccessfulcrackingpasswords.Theprocesscanlastfordays.Dictionarybasedattacks,ontheotherhand,aretypicallymuchfasterbecausetheydon’thavenearasmanypasswordcombinationstoattempt.

Chapter7–UtilizingVMWare

OneoftheeasiestwaysforyoutobuilddifferentenvironmentsthatyoucanlearntohackinisbyusingVMWare.Butwhatdoesthissoftwareactuallydo?VMWareallowsyoutoruncodecalled‘virtualmachines.’Essentiallyithasthepowertovirtualizeentireoperatingsystemssoyoudon’thavetowipetheoperatingsystemoffyourhostcomputerandinstallacompletelynewonetogetstartedhacking.SometimesnewbieswhowanttogetstartedhackingmaytrytoinstallanoperatingsystemsuchasKaliLinuxinadditiontotheirhostoperatingsystemsuchasWindows.TheonlyproblemisthatoneconfigurationmistakewiththeinstallationcouldcauseausertolockthemselvesoutoftheirWindowsoperatingsystemcompletely.

Othertimestheymayevenaccidentallyrepartitiontheirharddriveandwipeoutalloftheiroldfiles.Thisisahugeheadache,butinstallingVMWarewillsolvetheseproblemsandallowyoutorunmultipleoperatingsystemssimultaneously.ThegoodnewsisthatVMWarePlayerisfreetouseandeasytoinstall.YoucanfindthereleasenotesanddownloadlinkforVMWarePlayeronVMWare’swebsite,andyouwillwanttodownloadandinstallthisprogramforsomeofthedemoslaterinthisbook.

Itisassumedthatyouhavetheabilitytoinstallbasicsoftware,sowewon’tgetintotheVMWareinstallationprocess.It’sprettydarnsimple,andallyouneedtodoisfollowtheinstallationwizard.Alsoyoucouldbeinstallingthissoftwareondifferentplatforms,andtheinstallationstepswouldchange.Ifyouneedhelpinstallingthissoftware,youcanfindhelpontheVMWarewebsiteforyourgivenoperatingsystem.

AfteryouhavedownloadedandinstalledVMWare,youneedtodownloadoperatingsystemimagestoruninVMWare.Morespecifically,youshouldgoaheadanddownloadUbuntuLinuxandKaliLinuximages.YoucanfindKaliLinuximagesforVMWareandUbuntuimagesforVMWareforfreeonline.Afteryouhavedownloadedanimage,toinstallityouneedrunVMWarePlayer.ThenclickonPlayer=>File=>NewVirtualMachineandbrowsetotheimageyoudownloaded.Alternativelyyoucanjusthitctrl+NafteryouhaveopenedVMware.WhenyoufirstinstallanewimageinVMWare,itwillaskyoutonameit.Personally,Ijustnamethevirtualmachinethesamenameastheoperatingsystemtokeepthingsstraight.

OncetheimagehasbeensuccessfullydownloadedandyouinstallitinVMWare,theVMWareapplicationwillgothroughtheinstallationprocedureexactlyasifyouweretryingtoinstallthatoperatingsystemonyourcomputer,butitwillinstallitwithinyourhostenvironment.Asyouproceedthroughtheinstallationprocess,portionsoftheprocedurewillaskyouifyouwanttoinstallavarietyofpackages.Makesurethatyouselectallofthepackagesthataredescribedas‘security’or‘penetrationtesting’packages.

Ifyoufailtoinstallthesepackages,youwillneedtogothroughtheinstallationprocessesindividuallyforthedemonstrationsthatIwalkyouthroughlatersuchasNMAP.IfyouhaveanytroubleinstallingyouroperatingsysteminVMWare,allyouneedtodoisfollowtheguideontheKaliLinuxorUbuntusites.

Youshouldalsohaveanideaoftheintendedusesforeachoperatingsystem.UbuntuisdesignedtobeaneasytousereplacementforotherdesktopoperatingsystemssuchasWindows.Itiswell-suitedforeverydayuse,andyoudon’tneedtobeaLinuxexperttouseit.Assuch,itisagreatenvironmenttoexpandyourLinuxskillsanditoffersplentyofdifferentpenetrationtestingtools,scanners,andhackingprograms.However,youshouldalsoknowaboutKaliLinux.Kaliwasspecificallydesignedwithhackinginmind,andthesecuritypackagescontainedintheVMWareimagearemostlygearedtowardsprovidinguserswithtoolsthatfacilitatehacking.However,itisalittlemorechallengingtouseifyouhaven’tbeenexposedtoLinuxalready,andmuchofitspowerisfoundatthecommandline.

EachdifferentVMWareimageandLinuxdistributionhasdifferentdefaultusernamesandpasswords.Youcancheckthedefaultsonthewebsitewhereyoudownloadedthecodeimage,buttheyaremosttypically‘root’and‘toor’or‘username’and‘password.’Ifyouwish,youcancreateadditionaluseraccountsbutthisisn’tnecessaryaswewillonlybeusingtheseoperatingsystemstorunsomedemos.

ThoughIwouldpersonallyrecommendthatyoutakefulladvantageofVMWaretovirtualizeLinuxoperatingsystemstoprovideyouwithhackingtools,youdohaveanalternative.ManyLinuxdistributionscanbedownloadedandburnedtoaCDorDVD.Thesearecalled‘liveboot’imagesbecauseallyouneedtodoispopthediskinyourcomputer,rebootit,andvoila.YourcomputerwillboottotheLinuxoperatingsystemcontainedonthedisc.SomeversionsofLinuxaresosmallandlightweightthatyoucanevenbootfromaflashdrive.However,thereisonecaveatwiththeselivebootimages.YourcomputermayormaynotbeconfiguredtobootfromtheharddrivebeforethediscdriveorUSBport.Ifthisisthecaseforyourcomputer,youwouldfirstneedtochangethebootorderofthesedevices.Itisalittledifficulttoexplainthisproceduresinceeverymakeandmodelofcomputersandlaptopshaveaslightlydifferentprocess,butyoucanGooglethisprocedureforyourmakeandmodelofcomputingdevicetochangethebootordertoaccommodatealiveLinuxCDorDVD.Personally,IpreferVMWarebecauseyoucanswitchbetweenyourhostoperatingsystem(Windowsinmycase)andyourvirtualmachineswithoutneedingtorebootyourcomputer.

Lastly,ifyouwanttogetyourfeetwethacking,IhighlyadviseyoutakethetimeittakestogetyourLinuxenvironmentssetup.MostofthedemoswewillberunninginthisbookwillbefromaLinuxoperatingsystem.NotethatwhilemanyofthesetoolshaveversionsthatworkwithWindows,Linuxisstillthepreferredoperatingenvironmentforhackers

becauseitismoresecureandoffersaccesstomorecodeandhackingtoolsthanWindowsdoes.

Chapter8–IntroductiontoPingSweeps,PortScanning,andNMAP

It’sfinallytimetodigintothegoodstuff!InthischapterIwillwalkyouthroughhowtoperformnetworkscanningandreconnaissancetechniquesusingaprogramcalledNMAP.Thisistheprogramthatthehackersinthemoviesliketoflaunt,anditisfairlyeasytouse.ThewholepointofNMAPistofeeloutanetworkandscanittodiscoveractivedevices,openports,andothervitalinformationsuchaswhichoperatingsystemthehostisrunning.Inthenetworkpenetrationandhackingworld,thisisreferredtoasnetworkmapping,footprinting,orreconnaissance.

Withoutthesetools,youareessentiallyblindonanygivennetworkandyouwouldhaveahardtimeattackinganythingsinceyouwouldn’tbeabletoseeanytargets.Also,thinkjusthowimportantitistoknowwhatoperatingsystemahostisusing.Exploitscomeandgo,andnewonesareconstantlysurfacingasnewoperatingsystemsaredevelopedorpatchesareapplied.Forexample,witheachnewversionofWindows,therearecountlesssecurityvulnerabilitiesthatareslowlyidentifiedandpatchedovertime.Byknowingtheoperatingsystemversiononahost,youcoulduseatoolsuchasMetasploittosearchforactivevulnerabilitiesandexploitthem.

Onceanattackerhasgainedaccesstoanetwork,therearealotofthingstheycandotoprepareanattack.Thefollowingaresomeofthemorecommonfootprintinggoals:

-Gatherinformation

-Findthelocalsubnet’sIPaddressstructure

-Searchfornetworkingdevicessuchasarouter,switch,orfirewall

-Identifyactivehostsonthenetworksuchasenduserworkstations

-Discoveropenportsandaccesspoints

-Findoutdetailedinformationregardingtheoperatingsystemsonactivemachines

-Discoverthetypeofdevicesuchasalaptop,tablet,smartphone,orserver

-Mapthelocalnetwork

-Capturenetworktraffic

Evenifyoudon’thaveanadvanceddegreeincomputing,Linuxsoftwareandnetworkpenetrationprogramsarebecomingsosophisticatedthatitisunbelievablysimpletocarryoutthesefootprintingtasks.TheonlythingsyouneedareaLinuxsystem(seechapter6),

therightsoftware,arudimentaryunderstandingofnetworkingconcepts(seechapter5),andaguide.TherestofthischapterwillfocusonusingNMAPtofeeloutandmapanetwork.Contrarytotheoldadage,remembertotrythisathome!Don’tusetheknowledgeinthischaptertostartpokingaroundthenetworkatyourofficeorinapublicsetting.Respectothers’privacyortheremaybeharshconsequences.

PingSweeps

Thefirstandeasiesttechniqueyouneedtounderstandiscalledapingsweep.Apingsweepisausefulwaytoidentifyactivemachinesonagivensubnet.Ifyouaren’tfamiliarwithapingoperation,let’stakeamomenttoexplainthisconcept.ApingisacommandfromICMP(InternetControlMessageProtocol),anditisfrequentlyusedtodetermineiftwohostshaveanend-to-endconnection.Thehostthatinitiatesthepingsendssmallpacketsofinformationviawhat’scalledanICMPechorequest.Ifthetargethostisonlineandhasaconnection,itwillreplytothehostwhoinitiatedtheping.Thiswillshowyouthatthehostisonlineandthatitisn’tsufferingfromconnectionproblemsoverthenetworkbetweenthetwohosts.

Ifyoureallywantedto,youcouldmanuallygothrougheachIPaddressonyournetworkandpingitfromyourcomputertoseewhatIPaddressesotherhostsonthenetworkareusing.Inrealitythough,thissimplyisn’tfeasible.ItwouldbeverytediousandtimeconsumingtryingtopinghundredsofindividualIPaddressestoseeifanyhostsareonline.Thisiswhypingsweepsaresouseful–theyallowyoutopingeveryvalidIPaddressonasubnetautomatically.Afterthesweephasbeencompleted,NMAPwillreturnalistofalltheaddressesthatrepliedtothepingandallowyoutoseetheIPaddressesofotheractivehostsonthescannednetwork.

However,thereareacouplecaveatstopingsweeps.Theydon’talwaysshowyoueverysinglehostattachedtoanetwork.Thereareafewreasonswhyahostmightnotrespondtoapingsweep.Firstly,itcouldbepossiblethatahost’snetworkcardisfaultyorbrokeninsomeway.Secondly,therecouldbeproblemsonthenetworkbetweenyourhostandthetargetsubnetthatpreventthepingfromcompletingsuccessfully.Lastly(andmostimportantly),networkadminschoosetoconfigurehoststonotrespondtopingsforthesolepurposeofprotectingthemfrombeingidentifiedbyapingsweep.Insomeinstances,yourpingmightpassthroughafirewallthatdoesn’tallowICMPtraffic,too.

Thesearetheexceptions,though,andnottherule.Itisrarethatahostwouldnotrespondtoaping,andthevastmajorityofactivehostswillshowupinapingsweep.Thisisespeciallytrueifyouareperformingapingsweeponthesubnetthatyourcomputerisdirectlyconnectedto.

OperatingSystemIdentification

YetanotherusefulfeatureoftheNMAPutilityistheabilitytoidentifytheoperatingsystemsthatactivehostsareusing.Thoughyoumaynotthinksoatfirst,thisisactuallysomecriticalinformation.Afteryouknowwhatoperatingsystemandcodeversionahostisusing,youcanthensearchdatabasesusingtoolssuchasMetasploittoidentifyweaknessesandvulnerabilities.Furthermore,NMAPwillbeabletotellyouthemodelofdeviceahostisusing.Thisisalsocriticalbecauseitwillhelpyoudiscernwhattypeofdevicesarepresentsuchashostcomputers,tablets,phones,infrastructuredevices,hardwareappliances,printers,routers,switches,andevenfirewalls.

PortScanning

Portscanningisalittledifferentfromapingsweep.Withportscanning,thegoalistofindwhatport(s)areopenonawholesubnetorasinglehost.Forexample,youcouldperformaportscanonyourlocalsubnettoseeifanyhostsareacceptingconnectionsonport80(HTTP).Thisisagreatwaytoseeifyoucanaccessanynetworkingdevicessuchasawirelessrouter,printer,orafirewall.Becausethesetypesofdevicestypicallyhavewebconfigurationinterfaces,anyhoststhatareacceptingconnectionsonport80(HTTP)willshowyoualoginpromptifyoutypetheirIPaddressintoawebbrowser.Forexample,ifyourportscanrevealedthatthehost192.168.1.1(thisismostlikelythedefaultaddressofyourwirelessrouter)isacceptingconnectionsonport80,youcouldreachitslogininterfacebytypinghttp://192.168.1.1inyourwebbrowser.Thiswillinitiateaconnectiononport80forthehost192.168.1.1(seechapter5fornetworkingfundamentals,IPaddresses,andports).

Itislikelythattheadministratorchangedthedefaultusernameandpasswordforthatdevice,butyouwouldbesurprisedhowfrequentlypeoplefailtodothisbecausetheyareinexperienced,lazy,orjustplainignorantofthemassivesecurityrisktheyencounterbyleavingtheusernameandpasswordsettodefaultvalues.Ifyouwantedto,youcouldevenuseNMAPtofindwhattypeoffirmwarethenetworkingdeviceisrunningaswellasthemodelnumber.ThenallyouneedtodoisperformaquickGooglesearchtofindthedefaultvaluesandattempttologintothedevice.Butthisisjustonesimpleexampleofportscanning.Youcouldevenscanasinglehosttoseealloftheportsthatareacceptingconnections.Andportscanninggoeswelloutsidetherealmofscanningport80toseeifyoucanpullupawebinterface.Someportscanbeusedtodelivertypesofcodethatwilltakeadvantageofaflawinaprotocolorsystemtoescalateanattacker’sprivilegesorevendenythattargetfromusingnetworkservices.

NMAPFootprintingProcedures:InstallingNMAP

Beforewebegin,thereisonelastthingweneedtodotoconfigureVMWareconnectivity.VMWareusestheideaofvirtualizednetworkadapters,andthedefaultsettingwon’tputyourvirtualmachineinthesamesubnetasyourhostoperatingsystem.Simplyclickonthe‘settings’taboftheVMWareapplicationandfindtheconfigurationoptionforyour‘networkinterface.’Nowselecttheoptiontoputitinbridgedmode.

ToverifythatyourhostoperatingsystemandVMWareoperatingsystemareonthesamesubnet,justruntheipconfigcommandfromtheWindowscommandlineortheifconfigcommandonLinuxandMacsystems.Then,justmakesuretheymatchandbelongtothesamesubnet.

Tobeginthesedemonstrations,youaregoingtowanttofireupVMWareandbootyourvirtualLinuxsystem.NMAPshouldalreadybeinstalledifyouselectedthesecuritypackagesasrecommendedearlier,butifyoufailedtodothisthereisgoodnews.ItisprettydarnsimpletoinstallNMAP.

OpentheterminalinyourLinuxdistribution(eitherKaliorUbuntu).TryrunningthefollowingcommandtoseeifNMAPwasinstalledsuccessfully.

-sudonmap-sP192.168.1.0/24Don’tworryaboutwhatthiscommanddoes,we’lldigintothatinformationshortly.Ifitwasn’tsetupproperly,theterminalwillspitoutanerrorthatsaysNMAPisn’tinstalled.Don’tworry,thisisn’tabigproblem.WejustneedtorunthefollowingcommandtodownloadandinstallNMAP:

-sudoapt-getinstallnmap

Itwilltakeonlyashortwhiletodownloadandinstall,andyoushouldreceiveconfirmationfromtheterminalthattheoperationcompletedsuccessfully.Nowwecantakeacloserlookatpingsweeps.

NMAPFootprintingProcedures:PingSweeps

Nowthatyouhaveagoodideaofwhatpingsweepsdo,it’stimeforademonstration!ThoughyoucandownloaditforWindows,IwouldpersonallyrecommendyouheedmyadviceandtryyourhandatinstallingVMWaretogetusedtoaLinuxenvironment.Thefollowingisthequickandeasy4stepprocessyouneedtorunapingsweepinLinuxusingNMAP.Again,rememberthatthistoolisusedtoidentifyactivehostsonanetwork.

Step1–RunVMWareandboottoyourLinuxoperatingsystem.

Step2–Opentheterminal(a.k.a.theshell).Thiscanbefoundbyperformingasearchfor‘terminal’afterclickingthestartbutton.IfyoufailedtoinstalltheGUI(GraphicalUserInterface)duringyourinstallation,youwouldhavebootedtoablackscreenwithablinkingcursor.Thisisthesameastheterminal,soeitherwillworkforourpurposessinceweareworkingfromthecommandlinelikethosemythicalhackersinthemovies.However,ifyoufeeluncomfortableinthisenvironmentandyouwantaGUIscreen,justrunthestartxcommand.

Step3–Runthefollowingcommand:

-sudonmap-sP192.168.1.0/24Inthiscommand,192.168.1.0/24isanexamplesubnet.Itisentirelypossiblethatyourcomputerisonadifferentsubnet.Todiscoverwhichsubnetyouareusing,runtheipconfigcommandinWindowsorifconfigonLinuxandMacsystems.ThesecommandswillshowyouwhatIPaddressandsubnetmaskyourcomputerisusing.Forexample,ifyourIPaddressis192.168.113.201andyoursubnetmaskis255.255.255.0(thesameas/24),thecommandwouldbechangedasfollows:

-sudonmap-sP192.168.113.0/24

NowNMAPwillworkitsmagicandautomaticallyperformapingsweepacrossallvalidIPaddressesonthesubnetyouspecified–whichis192.168.113.0/24inthisexample.

Step4–Readtheresults.Aftertheoperationcompletes,NMAPwillreturnalistofIPaddressesthatsuccessfullyrespondedtothepingsweep.Bewarned,though.Dependingonthesizeofthesubnetandyourlocalcomputingresources,itcouldtakealittlewhilefortheoperationtocomplete.JustbepatientandletNMAPdoitsthing.Nowyouhavealittlebitofammunitiontofurtheryourreconnaissanceefforts.YoucanusetheIPaddressesfoundwiththepingsweepasaparameterinthefollowingcommandstoidentifythathost’sopenportsandwhatoperatingsystemitisusing.

NMAPFootprintingProcedures:PortScanning

Nowit’stimetolearnhowtoidentifywhichportsareopenonatargetnetworkordevice.Justthinkhowusefulthisisforethicalwhitehatpenetrationtesters.Thistoolwillessentiallyletthemverifythathostsaren’tacceptingconnectionsondangerousportsthatshouldbeblockedbyafirewall,butrealizethistoolisadouble-edgedsword.Blackhathackerscanusethistooltofindopenportsinanefforttofindawaytobreakthesystem.Becauseyoushouldhavealreadyrunapingsweep,Iwon’tlistthestepsinthisdemo.Justtestoutthecommandfromtheterminalthatyoualreadyhaveopen.Thesyntaxofthiscommandisasfollows:

-sudonmap-p[PORT][TARGET]

Inthecommandsyntax,[PORT]isanumericvaluerepresentingtheportyouwanttoscan.IfyouwantedtoscanforhostsacceptingHTTPconnections,youwouldsetthisvalueto’80.’The[TARGET]fieldspecifieswhichhostorsubnetyouwanttoscan.Ifyouwantedtoscanasinglehost,youwouldomitthesubnetmask.Ifyouwantedtoscanyourentiresubnet,youwouldincludethesubnetmask.Considerthefollowingtwoexamples:

1.sudonmap-p80192.168.113.21(thisscansthehostwiththeaddress192.168.113.21)

2.sudonmap-p80192.168.113.0/24(thisscanstheentire192.168.113.0/24subnet)

Interestinglyenough,thiscommandwon’tonlyshowyouifthedesiredportisopenorclosed.Itwillalsoprovidethehost’sMACaddressanddisplaytheOUI(OrganizationallyUniqueIdentifier)forthatMACaddress.Ifyoufindthatport80isopen,goaheadandtrytopullupthewebconfigurationinterfaceinawebbrowserjustforkicks.Also,takethetimetoverifythatyourhoststhathaveport80openaren’tusingthedefaultusernameandpasswordvalues.Remember,youshouldbedoingthisonyourownhomenetworkinsteadofanetworkwhereyoudon’thavetheauthoritytoberunningportscans!

NMAPFootprintingProcedures:OperatingSystemIdentification

Lastbutnotleast,we’regoingtolearnhowtouseNMAPtoidentifyahost’soperatingsystem.Thesyntaxforthecommandisextremelysimpleandfollowsasimilarstructurecomparedtothepreviousexamples.Theonlydifferenceisthatyouusethe‘-O’optioninthecommand.Considerthefollowingexamplewherewescanatargethosttouncoverwhatoperatingsystemisrunningonthetarget:

-sudonmap-O192.168.113.21

Thisexampleonlyscansthe192.168.113.21host,butyoucouldscananentiresubnetaswedidintheprecedingexamples.Thenthecommandwillprovideyouwithdetailedinformationregardingthetypeofoperatingsystemused,itsversionnumber,andanypatchesthathavebeenappliedtothehostoperatingsystem.

InSummary

UsingNMAP,youcaneasilymapalocalnetworktopology,identifyactivehostswithapingsweep,scanforopenports,andidentifyoperatingsystems.Notehowshortandsweetthesecommandsare.ThesecommandsprovideahighamountofleverageforanattackerbecausetheyaresosimpletouseandNMAPwilldoallofthedirtyworkforyou.

Thenexttimeyouseeahackerinamovie,takeaglanceattheircomputerscreen.Moreoftenthannot,theyaregoingtobeusingNMAP.Nowyoucanactuallydecipherthecryptictextontheirmonitor!

Chapter9–UsingMetasploittoHackDevices

NowthatwehavetakenalookathowtousecommandlinetoolsviatheterminalinLinux,thingsaregoingtoheatupalittle.WhileNMAPisafantastictooltomapalocalnetworkandgatherinformationabouthosts,Metasploitisatoolthatisdesignedtohelpyouactuallybreakintoasystemandexploitvulnerabilities.IfyouinstalledthefullversionofKaliLinuxintheVMWarechapterandincludedtherightsecuritypackages,youshouldalreadyhaveMetasploitinstalled.Infact,itisincludedinmanydifferentLinuxoperatingsystems.NotethatthereisaversionforWindows,butitisnativelyaLinuxprogramandrunningitonLinuxispreferred.PleaseunderstandthatMetasploitisanextremelyadvancedtool,andtherehavebeenentirebooksandmanualswrittenaboutit.Icouldn’tpossiblyhopetoelaborateoneveryexploitfoundwithinMetasploit,andthefactisthattheyareconstantlyupdatingthevulnerabilities,payloads,andexploitsthatcanbetakenadvantageof.ButIdowanttoshowyousomebasiccommands,howtonavigatethroughtheMetasploitprompt,andshowyouabasicdemonstrationofhowMetasploitcanbeusedtohackacomputer.

Also,notethatIintentionallyshowedyouhowtouseNMAPbeforeMetasploit.Asitturnsout,youcanactuallyrunNMAPcommandsfromtheMetasploitprompt–butitgoesalittledeeper.YoucanevensavethedatacollectedfromyourscansinaMetasploitdatabasetobeusedasinputforotherMetasploitcommands.

ButjustwhatexactlyisMetasploit?Metasploitisavulnerabilityframeworkthatishugeinthehackingandnetworkpenetrationworld,andIdefinitelyrecommendusingthistool.NewbieshaveahardtimewrappingtheirheadsaroundthefactthatMetasploitisaframeworkandnotasinglestand-aloneapplication.Alotofhackersusethecodefoundinthishandytooltobuildanddeveloptheirowncustom-tailoredattacks.Forexample,ifyouwereahackerinvestigatingandstudyingthevulnerabilitiesandexploitsonthelatestversionofWindows,youwoulduseMetasploittofindandtakeadvantageofsecurityflaws.

NotethatthereareafewdifferentversionsofMetasploitandsomearefreewhileotherscostmoney.ThoughyoushouldrunitinaLinuxenvironment,thereisaWindowsversionforthoseofyouwhoaretooscaredoftheLinuxshell.Forallpracticalpurposes,youareonlygoingtowanttousethefreeversionsincethepaidversioncosts$5,000dollarsperyearperuser.

AlsoknowthatbecauseofthenatureoftheMetasploitprogram,youaregoingtoneedtoturnoffyoursoftwarefirewallorallowanexceptionbecauseWindowswillflagtheprogramassomesortofvirus.Restassured,theyareacredibleandreputableorganization

–Windowsisjustwrong.Also,justlikeintheNMAPchapter,youaregoingtowanttomakesurethattheVMWarenetworkinterfaceisconfiguredforbridgedmode.

Lastly,youaregoingtoneedtobefamiliarwithsometerminologyusedinMetasploitsuchaspayloads,exploits,listening,Metasploitinterfaces,andhaveageneralunderstandingofthedatabaseconceptbeforemovingforward.Payloadsrefertosectionsofexecutablecodethatcanbedeliveredtoatarget.Afterthepayloadhasbeensuccessfullysenttoitsintendedtarget,youcanthenruncommandstofurthertakeadvantageofthatcomputer.Exploitation,ontheotherhand,simplymeanstakingadvantageofaknownsystemvulnerabilitybyusingMetasploit.Inaddition,listeningmeansthatMetasploitiscollectingandanalyzingnetworktrafficthatmatchescertaincriteria,muchlikeapacketsniffersuchasWireshark.Furthermore,MetasploitinterfacesincludetheMSFconsoleaswellasArmitage,butaninterfacecouldalsorefertooneofseveralnetworkinterfacesonyourcomputersuchasthewirelessinterfaceortheEthernetport.

ToroundupordiscussionofbasicMetasploitconcepts,youneedtobeawareoftheMetasploitdatabase.Thedatabaseisoneofthefeaturesofthissoftwarethatmakesitsopowerful,andyoucansavevastamountsofdatayoucollectaboutdifferentnetworkswithinthedatabase.Notonlywillithelpyouorganizetheinformationyoucollect,butyoucanactuallyruncommandsonentriesfoundinthedatabasetoeasetheautomationprocess.Thatwayyoudon’thavetorunthesamecommandoneveryhostyoudiscoveredusingatoolsuchasNMAP.

BasicMetasploitCommands

Tobeginthehackingdemonstration,youneedtobefamiliarwithseveralbasicMetasploitcommandsandknowwhattheydo.Firstofall,youneedtoknowhowtoreachtheMetasploitprompt.Tobegin,opentheterminal(ortheshell–they’rethesamething)andtypethefollowing:

-msfconsole

IfyouhaveproperlyinstalledtheMetasploitframework,youshouldreachapromptthatdisplays‘msf’followedbyagreater-thansign.Fromthisprompt,thereareavarietyofbasiccommandsyoucanusetogethelp,showadditionalcommands,settargetsforattacks,setportsforexploits,andmanyotherusefultoolsandfeatures.ThefollowingisalistofthebasicMetasploitcommandsandtheirfunctions:

-showoptions–listsavailableoptionstoconfigureMetasploit

-setrhost192.168.1.3–setstheremotehost(target)ofanattackto192.168.1.3

-setlhost192.168.1.2–setstheattackinglocalhostofanattackto192.168.1.2

-setrport80–setstheportnumberofthetargethostto80

-setlport53–setsthelocalportoftheattackerto53

-setpayload[PAYLOAD]–allowsausertoexecuteagivenpayload

-unsetrhost–removesaremotehost’sIPaddress

-unsetlhost–removesalocalattackinghost’sIPaddress

-exploit[EXPLOIT]–allowsanattackertoexecuteagivenexploit

-back–returnsausertotheinitialMetasploitscreen

-sessions–l–displaysactivesessions

-sessions–i[ID]–goestoanactivesectionwhere[ID]isanumericvaluetakenfromthepreviouscommand

TogainabetterunderstandingofhowMetasploitcanbeusedtouncovervulnerabilities,let’stakealookatamodulethatscanshostsforSMB(ServerMessageBlockprotocol).WhilethesetypesofvulnerabilityscannersandexploittechniquesarefuninapersonalsettingandverybeneficialforlearninghowtouseMetasploit,thistechniqueinparticularisconsideredtobeavery“noisy”scan.Thatistosaythatitraisesredflagsthatwoulddrawtheattentionofasecurityprofessionalifyouperformedtheminanenvironmentwhereyouhavenobusinessscanningforvulnerabilities.

StartfromtheMSFconsoleandrunthefollowingcommandtoentertheexploit’scommandprompt:

-useauxiliary/scanner/smb/smb_login

Fromhereyoucanviewalloftheparametersandoptionstoconfigurebeforerunningthescanwiththefollowingcommand:

-showoptions

You’llnoticealotoffieldsthatcanbesettovariousvaluestofine-tunethescan.Mostimportantly,notethatoneofthefieldsislabeledas“Required.”Thesefieldsneedtohaveavalueinthemoryouwon’tbeabletoproperlyrunthescan.Tochangethevalueinoneofthesefields,simplyusethesetcommand.Forexample,ifIwantedtochangethetargetintherhosts(RemoteHosts)field,Iwouldrunthefollowingcommand:

-setrhosts192.168.1.0/24Thiscommandwillsetthetargettotheentiresubnet.FortheSMBloginvulnerability,youwouldalsoneedtosetvaluessuchasSMBUser(theusername)andSMBPass(thepassword).Afteralloftherequiredfieldshavevaluesandyouhaveselectedyourtarget,username,andpassword,youcanthenrunthevulnerabilityscanwiththefollowingcommand:

-run

Afteryouexecutethiscommand,youwillseeoutputofMetasploittryingtotakeadvantageoftheSMBvulnerabilityforeveryhostintherhostsvalue.Ifyousetittoyourentirelocalnetwork,itwillrunthrougheachindividualIPaddressonthesubnetandattempttologinusingthevulnerability.

YoumightalsohavenoticedthatoneofthefieldsislabeledBRUTEFORCE_SPEED,whichwilltweakhowfastthesoftwarewillrunthroughabruteforcepasswordattackonthetargetedhosts.

ThisisyetanotherexampleofaMetasploitexploit,buttherearemany,manymore.Thereareanunfathomablyhighnumberofexploitsonthelatestreleasesofoperatingsystemsandnetworkprotocols,anduserswhoexcelatusingMetasploitcandosomerealdamage.Thisexampleisjustthetipoftheiceberg,butsomeoftheattacksandexploitsaremuchmorecomplexthanoursimpledemonstration.Someofthemdorequiremorebackgroundknowledgetounderstandtheattack,butbyandlargeevennewbiescanrunmanyoftheseattackswithlittletonoknowledgeoftheprotocol’sorexploit’sinternalmechanics.

Chapter10–WirelessPasswordHacking

Ifyoudidn’tknowalready,therearemethodsofcrackingwirelesspasswordssoyoucangainaccesstowirelessnetworkswhenyoudon’thavethesecuritykey.Again,pleaseonlytrythisonyourhomenetworkingequipment.Thoughitmaybetemptingtotrytousethismethodtohackintoyourneighbor’swirelessnetworktogetfreeWi-Fi,thisisahugebreachofprivacyanditisnotlegaltodoso.Inaddition,itisactuallyaprettysimpleprocesstobreakweakWi-Fiencryptionandlogintoawirelessnetwork.However,thereareacouplecaveats.

Yousee,thereareseveraldifferenttypesofWi-Fiencryption.ThetwoeasiestencryptionstandardstocrackintoareWEP(WiredEquivalentPrivacy)andWPA(Wi-FiProtectedAccess),butitisalsopossibletocrackWPA2(Wi-FiProtectedAccess2).ThoughsomewirelessroutersimplementstrongerWi-Fisecuritystandardsthataremoredifficulttobreakinto,youraveragehomeuserdoesn’tknowthedifferenceandtypicallydoesn’tselecttherightprotocolbasedontheirknowledgeofsecurity.

Butwhywouldyouwanttohackintoawirelessnetworkinthefirstplace?Afterall,anexperthackerprobablyhasbiggerfishtofrythanhisneighborwhoisusingtheInternettolookupthelatestsportsstats,right?Sure,that’strueenough,butimaginethehavocanexperiencedhackercouldwreakuponabusinessnetworkthatusesweaksecurity.Whileit’struethatmostbusinesses–evensmallbusinesses–useITstaffthatarewelladeptatimplementingthestrongestWi-Fisecurityavailabletodate,thereareafewscenariosthathappenalltooofteninacorporatesetting.Forexample,consideracommercialestablishmentthatprovidesbothacompany-wideWi-Fisignalaswellasahard-wiredEthernetportforeachoftheiremployee’soffices.

Sometimesemployeesdon’tliketofollowtherulesandadheretotheircompany’ssecuritypolicies.ManycompaniesforbidplugginginanetworkingdevicetoanEthernetport,butoftentimesnetworkpersonnelwillmakeamistakeinconfiguringthenetwork–givinganemployeetheopportunitytoconnectawirelessroutertotheirEthernetport.UsuallyemployeeswanttohavetheirownwirelesssignalbecausetheythinkitwillgivethemfasterInternetspeeds.

Whetherornotitwillactuallyincreasetheirspeed,thisscenariohappensallthetime.Andtheproblemisthatitleavesagapingsecurityholeforhackerstotakeadvantageofthem.Becausenon-technicalusersdon’tunderstandthedetailsofWi-Fisecuritystandards,theymayaccidentallyconfiguretheirwirelessrouterforWEPorWPAsecurity.Uh-oh,guesswhat?Nowahackerhasapointofaccessintotheircorporatenetwork!Allthehackerhastodoiscrackthewirelesssecuritypassword,andinamatterofminutesofcrackingthe

wirelesspasswordthehackercanstartattackingcorporatehosts.

VMWareWirelessPasswordCrackingCaveats

Beforewedigintothestepsyouneedtotaketocrackawirelesspassword,IneedtoinformtheVMWareusersofonesmallcaveat.ThewayVMWareisdesignedmakesitalmostimpossibletorunsniffingsoftwareonyourwirelessinterface.Infact,ifyoufireupyourLinuxdistributioninVMWareandrunthecommandifconfig,youwillnoticethatthereisn’tawirelessinterfacepresent.Normallyitwouldbelistedas‘WLAN0,’butnosuchentryexistsintheoutput.

ThereasonforthisisthatVMWaredoesn’tgivecontrolofyourwirelessnetworkcardtoyourvirtualmachines.Instead,yourwirelesscard’sinterfaceisbridgedasanEthernetinterfaceinsideofyourvirtualLinuxmachine.IfyoudecidedtousealivebootCDorDVD,thenLinuxwillhavethepropercontrolofthewirelesscardtofacilitatewirelesssniffing.ButwhatcanaVMWareuserdotocrackwirelesspasswords?Shouldyoujustskipoverthisdemo?Notachance.Thegoodnewsisthattherearetwoalternativesolutionstoallowyoutoparticipateinthisdemo.

Thefirst,andarguablylessfavorableofthetwo,istopurchaseaUSBwirelessadapter.Ifyouweren’tawareofthisalready,youcanbuyUSBsticksthatareactuallyexternalwirelesscards,andLinuxwillbeabletoutilizethem.However,Idon’tlikespendingmoneyonthingsIdon’tneedto.ThereisafreesolutionthatwillallowvirtualizedLinuxsystemstosniffonwirelessinterfaces.

DockerDemonstration

EnterDocker.DockerissoftwarethatwillallowyoutovirtualizethefunctionalityofyourwirelesscardinsideyourvirtualVMWareLinuxenvironment.Iknowitsoundsoddrunningvirtualizationsoftwarewithinavirtualmachine,butit’seasytodoanditonlytakesafewminutestoinstall.ThefollowingistheprocesstouseandinstallDockerinaKaliLinuxenvironmentsoyoucanhackwirelesspasswordslikeaprofessional.

First,you’regoingtowanttogetallofthenecessaryimageandscriptcodefromtheInternet.Runthefollowingtwocommandsandrememberthatyouwillwantadministrativeprivilegesfortheinstallationprocedure:

-gitclonehttps://github.com/docker-linux/kali-cdkali/

NextyouwillwanttorunthefollowingtwocommandstosuccessfullycreatetheDockerimageandthenopenit:

-sudoshbuild-kali.sh-sudodockerrun-itlinux/kali/bin/bash

Ifeverythingwassuccessful,thisshouldchangeyourprompttoapoundsign(#).ThiswillindicatethatyouareinsidetheDockerimage.ThenextthingweneedtodoisinstallandconfiguresoftwarewithinthevirtualKaliDockerimageasfollows:

-apt-getinstallkali-linux

-apt-getinstallkali-linux-wireless

-apt-getinstallkali-linux-top10

-exit

Nowwewillneedtosaveourworkinthecurrentcontainer.Thisisjustanotherwayofsayingthatwewillsaveallchangesmadetothevirtualimagewejustcreated.Todothis,weneedtofindtheuniquecontainerID.Issuethefollowingcommandtodisplaythatinformation:

-sudodockerps-a

TheinformationyouneedislistedunderCONTAINERID.Onceyouhavethatinformation,plugitintothefollowingcommand:

-sudodockercommit[CONTAINERNUMBER]kali:1

Lastly,wearegoingtoneedtoentertheKaliimagethatwehavecreatedinprivilegedmodewiththefollowingcommand:

-sudodockerrun-it—net=“host”—privilegedkali:1/bin/bash

BynoweverythingshouldbesetuptoproperlycrackwirelesspasswordsfromyourLinuxenvironment.

UsingReavertoCrackPasswords

Ifyouwanttohackwirelesspasswordslikeapro,thengoaheadandfireupyourfavoriteLinuxdistributionandentertheDockerimagethatwesetuppreviouslyfromthecommandline.IdeallyIwouldrecommendthatyouusethefollowingprogramintheKalienvironmentasthestepswon’tworkforeveryLinuxoperatingsystem.WearegoingtobeusingaprogramcalledReavertocrackwirelessencryptionstandards,andwhileitisprepackagedwithsomesecuritypackagesinKali,I’llgoaheadandrunthroughthesimpleinstallprocedurefirst.Tobegin,runthefollowingtwocommandstoupdateyourLinuxsoftwareandtodownloadandinstalltheReaverprogram:

-apt-getupdate

-apt-getinstallreaver

Theterminalwillaskyouifyouwanttoproceedafterdetermininghowmuchdiskspacetheprogramwillconsume.Justtypea‘y’toproceed.AftertheoperationhascompletedyouwillgetconfirmationfromtheterminaltheReaverwasinstalled.Andnowwewillneedtofindthenameofyourwirelessinterface.BecausewehavealreadygonethroughtheDockerinstallationprocedure,youshouldnowseeawirelessinterfacewhenyourunthefollowingcommand:

-iwconfig

Afteryoufindthenameofyourwirelessinterface,wewillneedtostartmonitoringwirelessdataonthatinterfaceusingthefollowingcommand:

-airmon-ngstartwlan0

Thiscommandwillspitoutsomemoreoutput,andyouneedtotakespecialnoteofonevariable.Itwillcreateanameforthewirelessinterfacethatisinmonitoringmode.Mostlikelyitwillbemon0onyourmachine,butitcouldbedifferent.Youwillfindthisinformationinthebottomrightoftheoutput,sorememberthispieceofinformationasweproceed.Sonowsimplyrunthefollowingcommand:

-airodump-ngwlan0

You’llnoticeafterrunningthiscommandthatitwillspitoutalotofMACaddressoutputthatcorrelateswithdifferentwirelessrouters’BSSID’s.Ifyoudon’tseeanyoutput,youmayneedtowaitlongerforyournetworkcardtomonitorwirelesstransmissionsoryou

mayneedtosubstitutetheabovecommandwiththepseudonameforthatinterface(suchasmon0).ThelistofavailablewirelessBSSID’swillrefreshcontinually,butyoucanhitctrl+Ctoendtheoperation.

You’llalsonoticethattheencryptiontypeislistedinacolumnneartherighthandsideoftheoutput.Thereisadifferentmethodneededtocrackdifferentencryptionstandards,butforthisdemowearegoingtobecrackingWPApasswords.LookforanexamplewirelessnetworkthatisusingWPAorWPA2encryption.

Nowrunthefollowingcommandandsubstitutethevariablesastheypertaintoyou:

-reaver-i[MONITORINGINTERFACEe.g.mon0]-b[BSSID]-vv

Thehardparthasbeencompleted,andReaverisgoingtogoaboutitsdutiesandhackthepasswordforyou.Bewarned,theprocessisn’taseasyasyoumightthinkandtheprogramcouldtakeafewhourstocrackthepassworddependingonanumberoffactors.Sometimesitcantakeaslittleas2hoursandasmanyas10hours.

Whenithascompleted,however,you’llnoticeafieldintheoutputlabeledastheWPAPSK.Thisstandsforpre-sharedkey,andthisisthevaluethatyouareconcernedwith.Butthinkhowpowerfulthissoftwareisinthehandsofablackhathacker.EventhoughthetargethassecuredtheirnetworkwithWPA–whichwouldkeepoutmostregularusers–ahackercouldstillusethissoftwaretobreakintotheirnetwork.Thenthehackercouldemployreconnaissancetechniquestofeeloutandmapthelocalnetwork.TheycoulduseNMAPtoidentifyothercomputers,scanthosehoststofindopenports,orrunatoollikeOpenVAStosearchforvulnerabilities.

Itwouldalsobeveryeasyforanattackertorunaman-in-the-middleattack(asI’llshowyouhowtodolaterinthisguide)tostealallsortsofvaluableinformation–evenfromhoststhatarehardwired–asitisintransittothewirelessrouter.

Justnoteafewcaveatsabouttheprocess,though.

Firstofall,youaregoingtowanttomakesurethatyouhaveastrongsignal.Anincrediblyweaksignalcouldmultiplytheamountoftimeneededtocrackapasswordorevencausetheoperationtofailentirely.Inaddition,thereareahandfulofroutermodelsthatReaverwon’tbeabletosuccessfullycrack,butbyandlargeitwillworkonthevastmajorityofthem.

Lastly,notethatyoucansaveyourworkthroughtheprocessifyougetinterrupted.Don’tshutdownyourvirtualmachine,becausethiswouldcauseyoutoloseyourprogress.However,byhittingctrl+CyoucanexittheoperationandReaverwillsavetheworkithasperformedinmemory.

InSummary

Asnotedearlier,hackingtoolsarebecomingsosophisticatedthattheyareextremelyeasytouse.Likeothertools,thehardpartisthepatienceittakestosetupofthesoftware.Afteryouhavecompletedthesetupprocess,youcanpointyourpasswordcrackingcannonatawirelessnetworkanditwilldoallofthedirtyworkforyou.

Ibetyoudidn’tthinkthatcrackingwirelesspasswordswassoeasy,didyou?ThescarypartaboutthissoftwareisthatitisfreeandreadilyavailabletoanyonewithanInternetconnection.Justremembernottoabuseyourpowerbyinvadingsomeone’sprivacy,andIwouldrecommendthatyousetupyourhomerouterforWPAencryptionforthepurposesofthisdemonstration.

Chapter11–Web-BasedVulnerabilities

Upuntilthispoint,wehavebeentakingalookathowtohackphysicaldevices.Web-basedvulnerabilities,ontheotherhand,areacompletelydifferentanimal.Insteadofsnoopingaroundandtryingtogainaccesstophysicalnetworks,employingreconnaissancetechniques,andthenlookingforexploitstobeusedonhostsonthenetwork,webbasedvulnerabilitiescanbecarriedoutthroughawebbrowser.Therearemanytypesofwebbasedvulnerabilities,butthetwoofthegreatestconcernareSQLi(SQLInjection)andXSS(Cross-SiteScripting)attacks.TheseattacksaresuchahugeproblembecausetheyarecarriedoutveryfrequentlyandtheInternetiffraughtwithSQLiandXSSattackopportunities.

There’snowayaroundit–theInternetisanextremelydangerousplaceinmodernsociety.Evenifyoutakethegreatestcaretostrengthenyourcomputingdevicesbyimplementingthenewestsecuritymeasures,itisstillverylikelythatyourwebbrowserorwebservercanbecomecompromisedbyhackersaroundtheworld.Attackstargetingwebbasedvulnerabilitieshappeneverysingleday,andthere’snotellingwhocouldinitiateanattackagainstawebsitesincetherearenogeographicboundariesontheInternet.EventhoughsomecountriestakeextrememeasurestocensortheirInternet,itisprettyeasytocircumventthoserestrictionswithaVPNtunnel–givingmosteveryonearoundtheworldaneasyandcheapwaytoconnecttoserversandresourcesblockedbytheirgovernment.

Tobetterillustratethepointofhowwebvulnerabilitiescanbeexploitedfrompeopleinothercountries,let’sconsidertheWordPressplatform.Forthoseofyouwhodon’tknow,WordPressisanextremelypopulartoolusedtobuildwebsitesthathasaveryintuitivevisualinterface.WordPressisabletoaddtonsoffeaturestoanygivenwebsitethroughdownloadablecodemodulescalledpluginsandwidgets.Theonlyproblemwiththesecodemodulesisthatyoudon’tknowwhocreatedthem.Tobefair,WordPressdoesafinejobofkeepingthemodulesthatcontainmaliciouscodeawayfromtheirwebdevelopmentplatform,buttherealproblemlieswithinsecurity.Eventhebestcodersmakesecuritymistakesfromtimetotime,butyouhavenowayofknowinghowsecurity-conscioustheauthorofyourpluginwas.Asaresult,wehaveseenhackersfindexploitsinsomeverypopularpluginsandtakeadvantageofthem.I’mtalkingaboutpluginsthathavebeendownloadedandinstalledonwebsitesmillionsoftimes.

Forexample,earlierthisyeartherewasanexploitinaWordPressplugincalledWPSuperCachethathadbeendownloadedandinstalledbyoveramillionactivewebsites.TheflawinvolvedinjectingSQLcode(we’lltalkaboutthisshortly)intoawebsite’sdatabasetocauseananomalythatwouldbreakthesystem.Buthere’sthescarypart:thevulnerabilitywasbeingexploitedbythewell-knownextremistgroupISIS!Thesekindsofattacks

happenonadailybasisandcreatemassiveproblemsforwebsiteowners.Ittrulyisincredibletothinkthatsomeonehalfwayaroundtheworldcantargetyourwebsiteandstealyourdatafornootherreasonthantocausechaosanddisruption.It’struewhattheysay,Iguess.Somepeoplejustwanttowatchtheworldburn.However,thischapterwillyetagaintakeawhitehatapproachtohackingwebbasedvulnerabilitiessoyouhaveabasicunderstandingofhowtheyoperateandhowtheycanharmawebsite.

SQLandSQLiAttacks

FirstweneedtobeginwithabriefdescriptionofSQL.SQL(StructuredQueryLanguage)isahighlevellanguagethatisusedtocommunicatewithdatabases.Ithelpsapplicationdevelopersandwebsitesinsert,update,anddeleteinformationindatabases,andsomeofthequeriesareextremelypowerful.Forexample,withoneSQLcommandyoucouldaddoneentrytoadatabaseorevendeletealloftheentrieswithinanentiredatabase.

Byandlarge,externalusersofawebsitethatutilizesadatabasedon’thaveaccesstothedatacontainedwithin.Ifawebsiteisproperlysecured,thereisn’tawayforanattackertostealdataoreditthedatainadatabase.There’sjustoneproblem.WebformsfrequentlycontaindesignflawsthatleavethemvulnerabletoanSQLi(SQLInjection)attack,wherebyahackercaninserttheirownmaliciouscodeintoadatabasetodisrupttheirrecords.Let’sstartwithabasicexamplesoyoucanunderstandhowyourdataisstoredinabackenddatabasewhenyouenterinformationintoawebsite.

Forourexample,let’spretendthatyouwerebrowsingtheInternetonane-commercewebsiteandyouareinterestedinpurchasingahardcopybook.Inordertofulfillyourorder,youwouldneedtogivethee-commercecompanyalotofinformationincludingyourname,streetaddress,zipcode,country,phonenumber,andpaymentcarddetails.Mostlikelythewebsitewouldfirstrequireyoutocreateanaccountwithausernameandpassword.Youenterallofthisdataintoaformonthewebsite,andthatdataisthen“pluggedin”toSQLcoderunninginthebackgroundtoproperlystorethedatainadatabase.

Anygooddeveloperwillfirstproperlysanitizethedatayouentered,meaningthattheywillcheckforcharactersthatdon’tbelong.Forexample,ifthewebformrequiredyoutoenteryourtelephonenumber,properlysanitizeddatawouldgenerateasecureerrormessageifyouenteredspecialcharactersintothefieldinsteadofnumbers.Yousimplycan’tcallthenumber“867-530(“.Theopenparenthesischaracterdoesn’tbelonginthephonenumberfield,soyouwouldn’tbeallowedtoproceedwiththeregistrationprocessuntilyouentervalidcharacters.

Buthere’swherethetroublebegins.Ifthedevelopermadeanerrorintheircodethatdoesn’tproperlysanitizethedata,ahackercouldinsert(i.e.inject)textintothewebformfieldthatcompletelychangestheoperationoftheSQLstatement.ByplacingSQLcodeintothewebform,theattackerhastheabilitytodisruptthedatabasebecausetheirtextandcharacterswouldbepluggeddirectlyintotheSQLcommands.

ButhowdoyoudetermineifawebformcontainsthepotentialforahackertoinjecttheirownmaliciouscodeintotheSQLdatabaseinthefirstplace?Itallcomesdowntoviewing

theerrormessagesdisplayedaftertryingtoinputdataintoafield.Forexample,onethingyoucandototestthisistosurroundthedatayoutypeintoawebformfieldwithdoublequotes.Moreoftenthannot,ifanerrormessageappears,thisisagoodsignthatyoucansuccessfullyinjectcodeintotheSQLsystem.Inrarercases,theformmightdisplayabuggy-lookingblankscreen.Inthisevent,thedatabasemayormaynotbeinjectable.Whenthishappens,hackersuseaprocesscalledblindSQLinjectionbecausetheycan’tdirectlyseewhatimpacttheirinjectedcodehadonthedatabase.Ifneitherofthesethingsoccur,thenitishighlylikelythatthewebsiteisn’tvulnerabletoSQLinjection.

IfithasbeendeterminedthatawebsiteisindeedsusceptibletoSQLinjection,thefollowingiscodeanattackercouldinjectintothebackgroundSQLcodetofacilitatetheattack:

-“OR1=1“

ThiscodeisproblematicforthewebsitebecauseitwillalwayscauseastatementtoevaluatetoTRUEandtrumpanylogicstatementscodedintotheintendedcommand.Forexample,consideracommandthatwasintendedtoupdateafieldifconditionalcriteriaweremet.Theintentofthecommandmayhavebeentogothroughthedatabase,findtheuserPeterGibbons,andupdatehiscreditcardnumber.Asthedatabasegoesthrougheachentry,itwillevaluatethevalueoftheuserfieldandonlymakechangesonrecordsthatcontainauserwiththenameofPeterGibbons.Anynamethatdoesn’tmatch“PeterGibbons”wouldevaluatetofalse,andthoserecords’creditcardnumberswouldn’tbeupdated.

However,whenthe“OR1=1“commandisappliedtothelogicstatement,thingsstarttobreakdown.

ORstatementsalwaysevaluatetoTRUEifoneorbothoftheexpressionsoneithersideoftheORstatementevaluatetoTRUE.Sointhisexample,alloftherecordsinthedatabasewouldevaluatetotruebecause1=1isatruestatement.Theneteffectisthatalloftheusers’creditcardinformationwouldbeoverwrittenwithbogusdata.Thoughitishighlylikelythatoldercopiesofthedatabasewerecreatedforabackup,thisattackcreatesamassiveproblem.Intheblinkofaneye,ahackerjusteffectivelyerasedallofthecreditcardinformationoutofthecurrentlyactivedatabaseandthecompanyisscrewed.Furthermore,ifnewdatawasenteredintothedatabasebutthatinformationhasn’tbeenbackedupyet,thatdataisgoneforever.Butthisisjustoneexample.

Usingthesetypesofinjectiontechniques,hackerscandothefollowing:

-Deletesensitiveinformation-Escalatetheirprivilegesinthewebsite-Createnewadministrativeaccounts-Stealusernamesandpasswords

-Stealpaymentcarddata-Garnercompletecontroloveradatabase

However,rememberthathackerscan’tdothesethingstoeverydatabase.TheycanonlyperformthesetasksonwebsitesthatarevulnerabletoSQLiattacks.

Cross-SiteScriptingTechniques(XSS)

Ifyou’renotatechyoryouhaven’thadanyexposuretowebsitedesign,youprobablyhaven’theardofXSSbefore.ButXSSattacksaren’tanythingnew.Infact,theyhavebeenusedandabusedsincethe1990’s.ButthevarietyofwaysthatXSSattackscabbeperformedfaroutnumberSQLiattacks.Forthatreason,XSSisamuchmoreflexibletechniqueanditcanbeusedtoinjectmaliciouscodeintoauser’swebbrowseroreventakeoverasessionbetweenaclientandaserver.Totopitalloff,ahackerdoesn’tneedtomanuallyinitiatetheattack.Instead,itcanallbecarriedoutautomatically.Youwouldthinkthatbecausethesetypesofattacksaresooldthattheiruseandfrequencywouldbewaning,butthatjustisn’tthecase.Becauseofthis,manywhitehatsecurityprofessionalsviewXSSattacksasthebaneoftheirexistence.Sadlyenough,theycanbeeasilypreventedbuttoomanypeoplefailtotakeadequatemeasurestoprotectthemselves.

XSSDetailsandWebBrowsers

Webbrowsertechnologieshavebeenrapidlyacceleratingoverthepast5years,andtheyofferatonofvaluablesoftwarethatisunprecedentedintheInternetage.WhenyoucomparethemtoolderbrowserssuchasNetscape,thetechnologiestheyoffertodayseemtrulystaggering.However,alloftheextrafeaturesandtechnologiesthathavebeenaddedtowebbrowsersoverthepastdecadehaveincreasedtheopportunitiesforXSShacks.Theflawallstemsfromawebbrowserrunningascript.

HTML(HyperTestMarkupLanguage)isthemostpopulartoolforformattingwebcontenttodate.Byusingtagsinthecode,HTMLisabletochangetheappearanceofdataonwebsites.Theproblemisatroublesometagthatallowswebsitestoembedscripts.Whenyourwebbrowserencountersthe<SCRIPT>taginHTML,itwillautomaticallyexecutethecodecontainedtherein.Thoughthisisgoodbecauseitdrasticallyincreasestheusefulnessofyourwebbrowser,itisapainintheneckforsecurityprofessionals.Whatifthescriptthatyourbrowserranwasagianthunkofmaliciouscode?Theendresultsaren’ttoopretty.

Tohelpyoubetterunderstandhowthesetypesofattackswork,let’susetheexampleofjoiningaforum.Theforumrequiresyoutofilloutinformationaboutyourself,suchasabio,anavatar,andascreenname.Inaddition,thisforumallowsyoutoviewothermembers’profilesandevenchatwiththemdirectlyontheforumviaprivatemessages.Oneday,youarebrowsingthroughtheforumandyouseeapostbyamemberthatabsolutelyblewyourmind.Tofurtherinvestigatethesourceoftheamazingcontent,youclickonthisuser’sprofilepage.

Whereistheattackcomingfrom?Canyoupredictwhat’sgoingtohappen?Iftheuserwasabletoinjectascriptintotheirprofile,onceyouloadtheirpageyourwebbrowserisgoingtobeattacked.ButhowonEarthcouldsomeoneinjectmaliciouscodeintotheirprofilepagewhentheydon’thaveadministrativeprivilegestothewebsite?MuchliketheSQLiattacks,XSSattackscanoccurwhenawebsitedoesn’tdoanadequatejobofsanitizingtheirdata.Inthisexample,theusercouldhaveembeddedcodeintoanynumberoffieldsfortheirprofilepage.Ifthehackerwantedto,hecouldembedalinktoamaliciousscriptcontainedonanotherwebsiteintoanyofthefieldsinisprofile.However,thescriptwon’tbedisplayedonyourscreenbecauseitiscontainedwithinthe<SCRIPT>tags.Therearewaystomakethisdataappear,butitisundesirableformostuserstobrowsethewebwiththesesettingsenabled.Onceyourbrowserloadsthepageforthehacker’sforumprofile,itwillreachthelinktothescriptandexecutethemaliciouscodedirectlywithinyourbrowser.

Furthermore,becauseyouhavealreadyauthenticatedyourselfwiththeforumsite,thecodecouldbeconstructedtotakeactionsinyourname.Althoughthescriptcouldeasilybewrittenwithotherobjectivesinmind.Perhapsitwillstealcookiesfromyourbrowser,whichcontainsensitiveinformationsuchaslogincredentialstoothersites.Maybetheattackerwillstealyourbrowsinghistorywhilehe’satit.Iftheinformationfoundinthecookiesisrelatedtoonlinepayments,theymightevenbeabletostealyouridentityandcreditcardinformation.Theskyisthelimit,becausethatscriptthatyourbrowserexecutedcouldbewrittentodonearlyanything.

WaystoPreventSQLiandXSS

FortunatelytherearefewthingspeoplecandotomitigateXSSattacks.Firstofall,asawebsurferyoushouldbesurethatyoudisablecookies.Theyarenecessaryforafewsites,buttherearemanytypesofmaliciouscookiesthatcanbeusedagainstyou.Don’tmakethemistakeofbecomingtoolazytorememberyourpasswordsbyrelyingoncookiestoautomaticallylogyouintoyourfavoritesites.Thisisahugemistake,andthosecookiesarealow-hangingfruittoahacker.Youwouldalsocertainlywanttodisableflashcookies,astheyhavebeentakenadvantageoftimeandtimeagaintostealinformationfromnaïveandinnocentusers.

Fromtheperspectiveofawebdesigner,propermitigationofXSSattacksbeginswithsanitizingyourdata.Astheysay,anounceofpreventionisworthapoundofcure.Ifwebdesignersalwaystookappropriatemeasurestosanitizedatathenwewouldseefew(ifany)XSSattacksatall.Eventhoughitsoundslikeasimpleconcept,youwouldbeshockedtolearnsomeofthecorporationsthathavebeenexploitedwithanXSSvulnerability.ManyofthelargestcorporationsintheworldsuchasFacebook,Google,Twitter,andothermega-corporationshavebeenvictimizedbythesetypesofattacksbecausetheymadeamistakewithdatasanitization.

InSummary

Whenyouthinkofhacking,youprobablydidn’tthinkofinjectingdatabasecodeintoawebsiteviaawebformorascript.Butthesetypesofhacksarebecomingincreasinglymorecommon.Thesetwotechniquesareincrediblydangerousbecausetheydon’tthrowasmanyantivirussoftwareoroperatingsystemwarningswhentheyoccur,allowingthemtohackatargetwithoutleavingatraceofevidence.

Chapter12–OpenVAS

OpenVAS,ortheOpenVulnerabilityAssessmentsystemisagreattoolforbothblackhatandwhitehathackersalike.However,itismorepopularinthewhitehatrealmasitwasdesignedforprofessionalpenetrationtestersanditallowsthemtoscanserversorcomputers,uncoveranypotentialsecurityflaws,andthenprovidesolutionstopatchthesystem.Essentially,itisanauditingtoolthatcanprovideawealthofinformationaboutthevulnerabilitiesfoundinanygivenhost.OpenVASisreallyacollectionofprogramsthatworktogethertofacilitatetestingproceduresthatarecatalogedinamassivedatabaseoflistedexploits–muchliketheMetasploitdatabase.However,thisprogramcanbeusedforgoodorevildependingonthemotivationsofitswielder.

InstallingOpenVAS

YouhavetheoptionofinstallingOpenVASonaserver–whichisusuallywhat’sdoneinthecorporateworld–oryoucansimplyinstallitinthevirtualVMWareenvironmentthatyouhadsetupearlier.IfyouaregoingtobeusingthissoftwarewithinLinux,thiswillbetheperfectopportunitytofurtherfamiliarizeyourselfwiththeLinuxcommandprompt.However,knowthatavirtualapplianceexiststhatyoucaninstallasitsownindependentVMWaremachine.Inthisexample,wearegoingtobeinstallingOpenVASwithinUbuntuLinuxsinceitisafavoriteforLinuxnewbies.

Thereareacoupleprerequisitesforthissoftwareasyoulikelydon’talreadyhaveitinstalledonyoursystem.Tobegin,youwillneedtoinstallthepython-software-propertiestools.Furthermore,youwillwanttorunanupdatecommandtomakesurethatnoneofitsdependenciesareoutofdate.Tobegin,runthefollowingtwocommands:

-sudoapt-getupdate-sudoapt-getinstallpython-software-properties

NowyouwillwanttoinstalltheactualOpenVASsoftwarefromtheInternetbyusingthefollowingterminalcommand:

-sudoadd-apt-repositoryppa:openvas/openvas6

Thoughthesecommandsmaylookalittlehairy,theyarejustdownloadingandinstallingthenecessarysoftware.Toputitsimply,thisishowyouwouldinstallandconfigurethesoftwarefromthecommandline.Nextonthelist,wewillneedtorebuildaportionoftheOpenVASsoftwareasfollows:

-sudoadd-apt-repositoryppa:openvas/openvas6

AndnowwewillneedtoinstalltheOpenVASsoftwarebyusingthefollowingcommands:

-sudoapt-getupdate

-sudoapt-getinstallopenvas-manageropenvas-scanneropenvas-administrator

openvas-cligreenbone-security-assistantsqlite3xsltproctexlive-latex-

basetexlive-latex-extratexlive-latex-recommendedhtmldocalienrpmnsis

fakeroot

Nowthatwehavefinisheddownloadingandinstallingthesoftware,wewill

needtoproceedbyconfiguringitbeforewecanstartscanninghostsfor

vulnerabilities.Thoughthatprocessmayhaveseemeddifficultifyouare

newtoLinux,itwasactuallyveryautomated.Byenteringinafew

commands,Linuxwilldoallthedownloadingandinstallationprocedurefor

youbyitself.ComparethistoaGUIenvironmentwhereyouneedtobrowse

thewebtofindsoftware,downloadit,runthroughtheinstallation

procedure,andrebootyourmachinebeforeyoucanuseyournewprogram.The

realvalueinLinuxforhackerscomesfromthepowerofthecommandline

becauseitislightweight(itdoesn’tconsumelargeamountsofCPUand

memoryasaGUIapplicationwould),extremelypowerful,andcontainsways

tomanipulatedatathatGUIversionsofsoftwaresimplydon’tallow.

Regardless,wedoneedtoenterafewmorecommandstocompletetheOpenVAS

setup.

FirstwearegoingtowanttocreateSSLcertificates.AnSSLcertificate

isasmallfilehostedonaserverthatprovidesacryptographickeythat

matchesandidentifiesauniqueorganization.Also,itallowsforsecure

datatransmissionsonport443.Wearegoingtowanttogothroughsome

stepstoconfigurethewebinterfaceincaseyouwanttoactuallyinstall

thissoftwareonaserverforpenetrationdemos.Ifyouaresettingthisup

inaLinuxenvironmentwithinavirtualmachine,itwillstillgiveyou

anothernotchonyourgeekbeltbylearningalittlebitmoreaboutthe

commandline.Beginwiththefollowingcommand:

-sudoopenvas-mkcert

Nowyouaregoingtoseeamyriadofoptionsintheterminaltoallowyou

toconfigureyourcertificate.Ifyouwish,youcansimplyleavethe

settingsattheirdefaultvalues,butitisoftenbettertocustomizethem

forpersonaluse.Thisisuptoyourdiscretionsincethesevaluesdon’t

havealargeimpactonourconfiguration.Butnowyouaregoingtoneedto

makeaclientcertificateforauserasfollows.

-sudoopenvas-mkcert-client-nom-i

Toproceed,wewillneedtobuildandupdatetheOpenVASdatabasetomake

sureitcontainsthelatestvulnerabilities.Ifwedon’t,itcouldeasily

missexploitopportunitieswhenwescanindividualhosts.Runthefollowing

threecommandsinorder:

-sudoopenvas-nvt-sync

-sudoserviceopenvas-managerstop

-sudoserviceopenvas-scannerstop

Thenextportionoftheconfigurationcantakeawhiletocomplete,sobepatient.Weneedtoconfigurethescannercomponentofthesoftwareanditwillhavealotofdatatodownloadandsync.Usethefollowingtwocommands:

-sudoopenvassd

-sudoopenvasmd—rebuild

Forournextstep,wewillwanttoproceedbydownloadingtheSCAPprotocol

(SecurityContentAutomationProtocol)whichissimplyanothercomponentof

thebackgroundservicesthatwillidentifyweaknessesintargethosts.

Again,thisparticularcommandcantakequiteawhiletocompletesoyou

willneedtoplaytheroleofababysitterasthesoftwaredoesitsthing.

Usethefollowingtwocommand:

-sudoopenvas-scapdata-sync

-sudoopenvas-certdata-sync

Sometimesthesecondcommandlistedabovewillfailandthrowtheerror

thatthereisnosuchtablefoundinthesoftwareconfiguration.Iyouhave

encounteredthisproblem,youroperatingsystemdoesn’thaveallofthe

dependenciesforOpenVASupdatedtotheirlatestversion.Thegoodnewsis

thatwecaninstallthemwithacoupleofeasycommands.

-wget

http://www6.atomicorp.com/channels/atomic/fedora/18/i386/RPMS/openvas-

manager-4.0.2-11.fc18.art.i686.rpm

-rpm2cpioopenvas*|cpio-div

NowrunthefollowingcommandstomakeOpenVASuseallofthefilesfroma

centraldirectory.Thiswillimprovethespeedandefficiencyofthe

OpenVASsoftware.

-sudomkdir/usr/share/openvas/cert

-sudocp./usr/share/openvas/cert/*/usr/share/openvas/cert

Nowyourdependencyproblemsshouldvanishandyoushouldbeableto

successfullysyncthedata.Runthefollowingtwocommands:

-sudoopenvas-certdata-sync

-rm-rf~/openvas*~/usr~/etc

UserandPortConfiguration

Asweneartheendofthesetupandconfigurationprocess,Iwantedtoshow

youanotherexampleofaport.InthenetworkfundamentalssectionIhad

shownyouthebasicideaofusersandports,andnowwehavethe

opportunitytocatchanotherglimpseofthatinformationinactionaswe

configureOpenVAS.Tostartwewillneedtoconfigureauseraccountwith

thefollowingcommand:

-sudoopenvasad-cadd_user-nadmin-rAdmin

Thiscommandwillcreateauseraccountwithfullandunrestricted

administratorprivileges.Theusernamewillbe‘admin’andthepassword

willbeofyourownchoosing.Nowweneedtoconfigurewhathostorhosts

canaccessthesoftware.IfyouareinstallingOpenVASinavirtualLinux

environment,thedefaultwillsufficebecauseitonlyallowsaccessfrom

thelocalmachine.However,incorporateenvironmentsorhomeenvironments

whereyouwanttoinstallOpenVASonaserver,youwillneedtochangethe

defaultconfigurationsoitwillallowaccesstoremoteusers.Ifyouare

usingyourownvirtualLinuxenvironment,youcanskipthisstep.Tochange

thissetting,issuethefollowingcommandtoopentheconfigurationfilein

atexteditor:

-sudonano/etc/default/greenbone-security-assistant

Atthetopofthisfileyouwillnoticealinethatindicateswhich

address(es)areallowedaccesstotheOpenVASsoftware.Bydefault,itis

settotheloopbackaddress(meaningthelocalhost)withtheaddressof

127.0.0.1.Youcanallowaccesstoanyhostyouwant,butitisbesttoset

thisvaluetoyourlocalsubnet’saddress.Forexample,ifyouusethe

defaultsonyourwirelessrouteryournetworkislikely192.168.1.0/24.

Nowthatwehaveallthetediumoutoftheway,wecanstartthesoftware

andstartscanninghosts.Themostdifficultpartofgettingyourfeetwet

withOpenVASistheinstallationprocess,asallittakestoscanahostis

anIPaddressandtheclickofabutton.Firstwewillneedtokillthe

currentlyrunningOpenVASprocessesandrestarttheservices.So,let’s

finallyfireupthisamazingvulnerabilityscanningtoolwiththefollowing

commands:

-sudokillallopenvassd

-sudoserviceopenvas-scannerstart

-sudoserviceopenvas-managerstart

-sudoserviceopenvas-administratorrestart

-sudoservicegreenbone-security-assistantrestart

RunningtheSoftwareandScanningHostsforVulnerabilities

Oncetheserviceshavebeenrestartedyoushouldbeabletologintothe

webinterface.Whetheryouareusingaremoteserveroralocalmachine,

youaregoingtoneedtousethefollowingURLsyntaxinawebbrowserto

reachtheloginprompt:

-https://server_domain_or_IP_address:9392

Youwilllikelybepresentedwithacertificatewarning,butthisisok.

Ignorethewarningandproceedtotheloginscreen.Next,enterthe

usernameandpasswordyouhadconfiguredearliertologin.Afteryouhave

loggedin,youwillseeapromptforthedefaultscanningwizard.Allyou

needtodonowispointyourOpenVASvulnerabilitycannonatanIPaddress

andyouwillbeabletofindanycurrentflawsorexploitscontainedwithin

thathost.So,enteranIPaddressandclick‘StartScan’toseeareport

ofsecurityvulnerabilities.

Inmostrealworldscenarios,anattackerwouldmostlikelyuseNMAP

combinedwithMetasploittohackaroundanetworkandlookforweakpoints.

However,OpenVASisagreattoolfornewbiesbecauseitissosimpletouse

afterithasbeeninstalled.AllyouneedisanIPaddressandtheclickof

amousetoseedetailedinformationregardingvulnerabilitiesfoundinany

hostyouscan.Furthermore,thescanningsoftwareranksthecriticalityof

differentvulnerabilitiessoyouwillknowwhichoneswillcausemore

damageiftheyareexploited.Whenyouclickonthemagnifyingglasson

eachvulnerability,youwillbeabletoseegreaterdetailsregardingthe

flawandevenwaystopatchthatvulnerability.

Keepinmindthattheflawsandvulnerabilitiesfoundonscannedtargetsis

alwaysbeingupdatedviathedatabase,sotheychangeastimeprogresses.

Thatmakestheexploitsyoufindverytemporal.Forexample,ifanew

vulnerabilityisfoundnextweekandaddedtotheOpenVASdatabase,youcan

restassuredthatyouhaveinformationregardingthemostcutting-edge

exploittrends.Ontheflipside,oldervulnerabilitiesthatarenolonger

validwillberemovedfromthesoftware.

Thougheachvulnerabilityandexploitistrulyitsownanimal,youcanlook

forinformationinMetasploitthatwouldhelpyoutakeadvantageofthe

vulnerability.Metasploitisalsocontinuallyupdated,anditislikely

thatyouwillbeabletofindandexecuteapayloadorexploitafteryou

havediscovereditwithOpenVAS.

Chapter13–SocialEngineering

Whileyoumayhaveerroneouslythoughtthattheonlywayhackersstealpasswordsisbyenteringcrypticcommandsintoatextbasedoperatingsystemlikeyouseeinthemovies,therearesomemuchsimplertechniqueshackersuseregularlytostealpeople’sinformation.Socialengineeringisatechniquefrequentlyusedbysophisticatedhackerstogainaccesstonetworks,andyouneedtohaveasolidunderstandingofthesetechniquestoprotectyourselffromtheirblackhatendeavors.

Let’sstartbydefiningthetermsocialengineering.Basically,itisawayforhackerstomanipulatetargetsintounknowinglyforfeitingtheirinformation.Mosttypicallythisinformationisaccountdatasuchasusernamesandpasswordsthatablackhathackercovetstogainaccesstoacomputingsystemornetwork.Oncetheyhaveapointofentrytothenetwork,thentheywillproceedwithreconnaissancetechniquesandscanningprocedures.However,sometimeshackersemploysocialengineeringtoacquirebankingcredentialsorlocalcomputercredentialsinordertoinstallavirusorTrojan.Thepointisthatsocialengineeringistypicallyoneofthefirststepsanattackertakestocarryoutagranderscheme.

Andguesswhat?It’soneheckofaloteasierforahackertotricksomeoneintogivinguptheirinformationthanitistohackintotheircomputersandtakeitbyforce.Partofthisisjustduetopsychology.You’llfindthatpeoplearealwaysquicktoguardthepersonalinformationandquestionwheretheirpersonaldatagoeswhentheyenteritonline,butwhentalkingwithareal-lifehumanbeingtheyarealotmorelax.Sure,youmayhavemisgivingsaboutgivingyourSocialSecurityNumbertoastrangeroverthephone,butconsiderashortscenario.Let’ssayyouareanaccountantworkinginamedium-sizedfirmandyousimplydon’tknoweveryonewhoworksatyourcompanypersonally.Onedayyougetacallexplainingthatthereweresomenetworkissuesyesterdayandeveryaccountneedstobereset(orsomeotherbelievableyetbogusexcuse)oryouraccountwillgetlockedoutofthecorporatenetworkresources.Ifthesocialengineerdidagoodjobofimpersonatingsomeonefromyourfirm’sITdepartment,chancesareyouwouldgivethemyourusernameandpassword.

Thatbringsustooneofthemostfundamentalaspectsofsecurity.Yousimplyneedtoknowwhototrustandwhatonlineresourcestotrust.There’sanoldadagethatwillensurethatyounevermisplaceyourtrustagain:trust,butverify!Youhavenoideawhetherornotthatpersononthephoneislegitimate.Thebiggestchallengelargeorganizationsfacewithsocialengineeringisthetrustfactor,becausetheirentirenetworkcouldbecompromisedbyoneindividualwhojusttakeseverythingatfacevalue.

Takephysicalsecurityanddefenseasananalogy.Itdoesn’tmatterhowhighyourcastlewallsare,howmanytroopsyouhavedeployed,howlargeyourspearinfantryis,orhowstrongyourmountedcavalryunitsare;itonlytakesoneidiottoseeawoodenhorseasawoodenhorseandthenextthingyouknowyourempirehascrumbled.Onasidenote,IwouldprobablysaythatthemodernequivalentexampleofaTrojanhorseisaburglarwhopretendstobeapizzaman,butIthinkyouseethepoint.Onceahackergatherscriticalinformationwithsocialengineering,anentirebusinessnetworkcouldeasilybeinjeopardy.

TypesofSocialEngineeringAttacks

Thereareseveralcommonattackmethodsthatcriminalsandhackerslovetouseforsocialengineeringpurposesbecausetheyhaveahighsuccessrate.You’dthinkthegeneralpublicwouldhavelearnedtheirlessonsbynow,buttheuglytruthisthatsomepeoplestillfallvictimtothesetypesofattacksbecausetheyarenaïve,gullible,orovertrustworthy.Thefollowingaresomeofthemostpopularsocialengineeringmethodshackerslovetouse.

AnEmailfromaTrustedParty

Don’tofferupyourcredentialstoanyone,andImeananyone,includingyourclosefriends.Unfortunately,hackershavebeenabletoexpandtheiraccesstoanetworkaftersuccessfullyhackingacomputerbydupingusersontheattackedPC’semaillistintoforfeitingmoreinformation.Byusinganemailaccountfromthecomputertheyhacked,thehackerisabletotakeadvantageofthetrustrelationshipbetweenthepersontheyareemailingandthepersontheyhavehacked.

Butwatchout!Attacker’sattemptstogatherinformationareusuallyalotmoresophisticatedthananemailsayingsomethingtotheeffectof,“HeySteve,canyougiveyourusernameandpasswordforwww.example.com?Iforgotmypassword.”Sometimestheywillincludealinktoanothersiteinanefforttoemployaphishingattack.Othertimestheymaysendatoxiclinktoaresourcetheycontrolthatlooksgenuine,buttheyincludeavaguemessagesuchas,“HeyJohn,yougottacheckthisthingout!”Onceyouclickonthebadlink,avirusorsomesortofmalwarecouldeasilybedownloadedtoyourcomputer.

Evenmoreworrisomeisanemailthatcontainsalinktoadownload.Itcouldlooklikeacontentdownloadsuchasmusic,videocontent,orpictures,butthedownloadlinkwillactuallypointtoamaliciouscodedownload.Afterasuccessfulattack,thehackerwillbeabletoaccessyourcomputer,emailprogram,andothersensitiveinformation.Andnowtheattackerhasawholenewemailaddressbooktousetofacilitatefurtherattacks,andtheviciouscyclerepeatsitself.

Bewarned.Hackerslovetomanipulateandtakeadvantageoftheemotionsofhumanbeingsbyurgentlyaskingforhelpthatisneededimmediately.Sometimestheywillappealtoyourgoodnatureandaskyoutomakeacharitablecontributiontosomeoneinneed.Thoughitisheartbreakingtotrytoseparatethewheatfromthechaffandknowifyouaretrulyhelpingsomeoneout,youneedtoprotectyourselfandnotdonateanymoneyifyoucan’tverifythecompanyandlinkasareputableorganization.

AFalseRequestforHelp

Sometimeshackerswillsendmessagesthatappeartobefromalegitimatecompanythatclaimtheyarerespondingtoarequestthatyounevermade.Oftentheywillimitatealargeandreputablecorporationwiththousandsuponthousandsofuserstoincreasetheirchanceofsuccess.Ifyouneverrequestedaidfromthem,youneedtoavoidthatemailliketheplague.Therealproblemhereisthescenariowhereyoudouseaproductorservicefromthecompanytheyareimitating,though.

Eventhoughyoudidn’toriginallyaskfortheirhelp,youmaystillbeenticedintowantingwhattheyoffer.Forexample,let’ssaythatthehackerisimpersonatingarepresentativeofalargebankandthattherewasareportingerrorthatcausedthebanktomakeanerrorthatneedstobeverified.Becauseyouwanttomakesurethatyourmoneyissafe,youdecidetotrustthisfalserepresentative.Butherecomesthecatch.Thehackerisgoingtoclaimthattheyneedtofirst“authenticateyourinformation”toseeifyouraccountwasaffectedbythe“error.”Yougivethemyourcredentials,andthenextthingyouknowyouhavebeenrobbedblind.

Othertimesahackerorbottom-feedingInternethucksterwilltrytoclassupafalseclaimthatseemsbelievableinordertotakeyourmoney.Theseemailsalmostalwaysemployurgencytomotivatetheirtargetstotakeaction.Myperceptionoftheseattemptsisthattheyarenothingshortofunadulteratedknee-slappinggut-bustinglaugh-until-you-pass-outhilarity.Butthesadtruthisthattheywork,andsomepeoplemistakenlyplacetrustinastrangertheyhavenevermetbefore.Toillustratethesetypesofattacks,let’sturntotheiconicNigerianPrincescam.

Thisscamwasinfullswingduringthe80’sandtheearly90’s,buttherehavebeenmanyothercopycathuckstersthatcreatedtheirownvariationsofthescam.Initsinfancy,thescamwasactuallysentthroughthepublicmailsystem.However,atthetimeemailwasanemergingtrendandsinceitwasalltherage,itonlyfollowsnaturallythatthesescamsstartedfindingtheirwayintoemailinboxes.IntheclassicNigerianPrincescam,animpersonatorofahigh-rankingNigerianofficial(sometimesabusinessman,othertimesmembersoftheroyalfamily)wouldsendanemailclaimingthathewishedtosendmillionsofdollarsintotheaccountofthetarget.Butwhywouldanyonewanttogiveawaythatmuchmoney?Thethinliethatsomanypeopleateuplikecandywasthatthemoneywasreservedforapoliticalbudgetbutitwasneveractuallyspent.Asasidenote,haveyoueverheardofapoliticianthatfailedtospendtheirentirebudget(andthensome)?Ofcoursenot!ButifyouwouldbesokindastohelpthisNigerianPrince,youwouldgettokeepaquarterorathirdofthetotalvalueofthebanktransfer.Intheend,alotofpoor,gullible,unfortunatesoulsbecameevenpoorerwhentheyoffereduptheirbankingcredentials.

BaitingTargets

Anybaitingschemeisgoingtorevolvearoundtheappearancethattheattackerisofferingsomethingofvalue.Manytimesyouwillseethesetypesofsocialengineeringattacksinpop-upadsorontorrentwebsites.Thebaitisfrequentlyafreebook,movie,orgamethatthetargetthinksislegitimatewheninreality,itisalinktomaliciouscode.Unfortunately,someoftheseofferslookveryreal–theycantaketheformofahotdealinaclassifiedadoradealfoundinanInternetmarketplaceorfalsee-commercesite.Thesearehardtospotasscamsbecausetheattackerhasfoundwaystomanipulatethesystemtogivethemselvesafavorableandtrustworthyrating.Onceyouhavebeendupedintofollowingthelinkordownload,theattackerhassuccessfullyinjectedamaliciousprogram,virus,ormalwareontoyourcomputerandhasafootholdtocarryoutfurtherattacks.

HowtoProtectYourselffromSocialEngineering

Socialengineeringisahugeproblembecauseitevolveswithtechnology,andyoucan’talwaysknowwhetherornotsomeoneislegitimate.Fortunately,therearealotofthingsyoucandotoreducethechancethatyouarevictimizedbyanattackerusingthesetechniques.

Firstofall,besuretotakeyourtimeandthinkabouttheconsequencesofyouractionsbeforehand.Attackerwouldloveitifyoujustreactedtoasituationwithoutthinkingaboutwhatyouaredoing,buttakeamomenttothinkahead–evenifthemessageclaimsanurgentscenario.

Alsomakesurethatyoutaketimetoverifyandvalidateanyinformationthatlooksoddorsuspicious.Gothroughtheirclaimswithafinetoothcombandremembertoremainskeptical.Evenifyougetamessagefromacompanyyoudobusinesswith,makesuretheURLlinkmatchesthecompany’swebsiteverbatim.Iftheyprovidetheirphonenumber,youcandoareversephonelookupontheInternettocross-checktheirvalidity.Makesurethatyouneverrespondtoanemailthatrequestsinformationsuchasyourusernameorpassword.Reputablecompanieswouldneveraskforyourpersonalinformationinanemail.

Inaddition,makecertainthatyouneverrespondtofalsemessagesclaimingtobearesponseforthehelpyouneverrequested.Deletethesebeforeeveropeningthembecausetheycouldcontainlinkstomalwarethatwoulddestroyyourcomputer.Thebestwaytocombatbadlinksistouselegitimatemeanstofindthem.Forexample,don’tfollowthelinkinanemailifyouwanttoverifyit.Instead,useaGooglesearchbecauseitextremelyunlikelythatanattackerwithafacewebsitehasbeatenlegitimatewebsitesinSEOendeavorstorisetothetopofthesearchrankings.

Chapter14–Man-In-The-MiddleAttacks

Man-in-the-middleattacksareextremelydangerousforendusersbecauseasuccessfulattackwillallowahackertoviewallofthedatathatauserissendingoverthenetwork.IftheuserissettingupaconnectiontoaVPNserver,thehackerwillbeabletocapturetheirkeytodeciphertheirencryptedmessages.Inaddition,thehackerwillbeabletoseeallofthewebsitestheuservisitsaswellasstealinformationsuchasusernames,passwords,andevenpaymentcarddata.

Anattackerperformsthisexploitbytrickingthetarget’scomputerintothinkingthattheattacker’scomputeristhedefaultgatewayorintendeddestinationfordatatransmissions.Forexample,let’ssaythatyouwantedtodoaGooglesearch.Normally,yourdatawouldbesenttoyourdefaultgateway(e.g.yourwirelessrouter),routedthroughthepublicInternet,andthenreachoneofGoogle’sservers.However,withaman-in-the-middleattack,yourdatawouldfirstbesenttoahackersomewhereinthemiddleoftheprocessbeforereachingGoogle’sservers.

Theseattacksareextremelyproblematicbecauseitisverydifficulttodeterminethatyourdataisbeingsenttoahackerbeforeitreachestheintendeddestination.Hackersknowthis,andtheirgoalistositbackquietlyanddiscretelylistentoallofthetrafficyouaresendingwithoutyourknowledge.

Thoughtherearemanywaystoinitiatethistypeofattack,suchaswithaDNSattackthatredirectsinformationtoahacker’sIPaddress,theyaremostfrequentlycarriedoutwithaprocesscalledARPspoofing.Ifyouremember,IhadintroducedyoutotheconceptofARPinchapter5.Ifyoudon’tremember,realizethatARPistheprocessthatlinksalayer2address(MACaddress)withalayer3address(IPaddress).

WithARPspoofing,thegoalistotrickthetargethostintothinkingthatthehacker’sMACaddressisboundtothedefaultgateway’sIPaddress.Thatwaythetargetwillsendanydatathatisnotdestinedforadeviceonthelocalnetworktothehackerfirst.Inturn,thehackerwillthensendthetarget’sdatatothedefaultgatewayandouttothepublicInternet.

Whilethebasicsofunderstandingaman-in-the-middleattackusingARPspoofingareratherbasicandstraightforward,ARPspoofingisonlyhalfofthebattle.Onceyouhavetrickedaclientintosendingyoutheirdata,howdoyouseeandreadwhattheyhavesent?Thisbringsustotheideaoftoolscalledpacketsniffers.Apacketsnifferwillbeabletoshowyouallofthedataflowingoveryourcomputer’snetworkinterfacecard.Thedetailsoftheinformationcontainedinthepacketsnifferdataarerathercomplex,butyoucansortthroughallofthedatausingfilters.OneoftheeasiestpacketsnifferstouseisWireshark

onWindows,butLinuxalsocontainssomegreatpacketsniffingprogramsthatintegratewiththeterminal.Youevenhavetheabilitytostoreandsaveallofthedatayouhavecollectedfromatargetandyoucansiftthroughtheinformationatyourownleisure.

Asthisisanadvancedtopic,youlikelywon’tunderstandallofthevariousprotocolsyouseeinthedatacollectedfromyourpacketsniffer.However,asademoaimedatbeginners,youcansortthroughthedatabyfilteringresultsforport80(HTTP)whichwillshowyoutheIPaddressesofthewebserversthetargetisconnectingto.Basically,thiswillshowyoueverywebsitethevictimvisitedaswellasotherinformationsuchasusernamesandpasswords.

Thoughsomearesentinplaintextandyoucanreadthemfromyourpacketsniffer,manywillbeencrypted.Yourpacketsniffercanrecordthesekeysandthenyoucanuseotherutilitiestocracktheirpasswords,butthisisalittleharderanimpracticalunlessyouwanttobecomeablackhathacker.So,forthosereasons,Iwillshowyouhowtoinitiateaman-in-the-middleattackwithARPspoofingandhowtouseapacketsniffertoseewhatwebsitesatargetisconnectingto.Also,understandthatpacketsniffingonawirelessinterfaceisalittledifferentthansniffingonanEthernetinterface.Forthatreason,thisdemowillshowyouhowtoperformtheattackonawiredEthernetinterface.

HowtoPerformaMan-In-The-MiddleAttack

Tostarttheattack,wefirstneedtosuccessfullyspoofanARPbinding.Todoso,wearegoingtouseatoolonKaliLinuxcalled‘arpspoof.’Thesyntaxforthiscommandisasfollows:

-sudoarpspoof–ieth0–t[TARGETADDRESS][DEFAULTGATEWAYADDRESS]

So,ifyouwantedtotrickahostonyourlocalnetworkwiththeaddressof192.168.1.10intothinkingyouwerethedefaultgateway,thecommandwouldlooklikethis:

-sudoarpspoof–ieth0–t192.168.1.10192.168.1.1

Ifyoudon’tknowyourdefaultgatewayaddress,justusetheipconfigcommandinWindowsorifconfiginLinux.Ifyoudidn’tknowofanyvalidhostIPaddressestotarget,youcouldsimplyissueasimplepingsweepusingNMAPaswedidinchapter7.Thecommandlistedabovewilltrickthe192.168.1.10hostintobelievingyourcomputer’sMACaddressisassociatedwiththedefaultgateway’sIPaddressof192.168.1.1.Atthispointyourterminalwindowwillcontinuallyspitoutlinesofcodeensuringthatthespoofingprocessissucceeding,soyouwillneedtoopenanotherterminalwindowtoproceedwiththeattack.

Butthere’sjustoneproblem.Youhaveonlydonehalfofthespoofingattack.Atthispoint,yourtargetthinksthatyouarethedefaultgateway,butthisisn’ttrueinthereverseprocess.Thatistosaythatthedefaultgatewaydoesn’tthinkyouarethetargethost!So,inyournewterminalwindowwearegoingtoneedtostartanotherARPspoofingprocedure.Thesyntaxwillbethesame,exceptthetargetanddefaultgatewayaddresseswillbeswappedasfollows:

-sudoarpspoof–ieth0–t192.168.1.1192.168.1.10

Atthispointintheattack,youhavefooledboththedefaultgatewayintothinkingthatyouarethetargethostandyouhavefooledthetargetintothinkingthatyouarethedefaultgateway.Nowallyouneedisforthetargettotransmitdataandtoinspectthatdataonyourcomputer.Therearesomehigherleveltoolsthatwillactuallycapturethedatayoucatchduringtheprocessinsteadofdumpingitasrawdataintoatextfile,butpacketsniffersofferawealthofinformationtoo.RemembertokeepbothofthepreviousterminalwindowsopenastheyarestillconstantlyrunningtheARPspoofingprocess.

Ifyouwanttouseahighleveltooltoseethedataatargetissearchingforonlinethatisn’ttoocomplex,youmightbeinterestedindriftnet.Driftnetisatoolthat–whilefarfrom

perfect–isagreatwayfornewbiestotrytheirhandataman-in-the-middleattackandviewdatasuchasaudiofiles,graphics,andMPEG4imagesandautomaticallydisplaythemintheGUI.Tousedriftnet,whichispackagedwithKali,runthefollowingcommand:

-sudodriftnet–ieth0

Ifyouaredoingthisdemoinyourhomenetworkenvironment(asIinstructedyoutodomanytimesalready),tryrunningthedriftnetcommand.ThendoaquickGoogleimagesearchonthetargetdevice.Theattackingcomputerthatsitsinthemiddleshouldbeabletoseealloftheimagesthatthetargetdeviceisviewing.Prettyneat,huh?Theproblemthoughisthatpeoplecanabusethesetypesofattackstogetawaywithmurderandstealsometrulysensitiveinformation.Again,Icautionyounottousethistechniqueoutsideofyourownhomebecausetheconsequencescouldbeverysevere!

Lastly,ifyouwanttodigalittledeeperwiththesetypesofattacks,youwouldwanttouseapacketsnifferanddigintotherawdatathatyourattackingcomputerisgathering.Youcanseealotmorethansimpleimages,andonceyoudigintothetransmissionprotocolsyoucanfinddatasuchaslogininformation,dataauserhasenteredintofieldsonawebform,andjustabouteverysinglethingtheydoonline!

Chapter15:CrackingPasswords

Thoughyoumightnotthinksoatfirst,youremailisactuallyoneofthemostdangerousaccountstolosetoahacker.Thereasonbeingthatthereissomuchpersonalinformationstoredinyourinbox.Onceanattackerhasaccesstoyouremailaccount,you’reinforaworldofhurtbecausetheywillbeabletoseeandinterceptallofthemessagesthatreachyourinbox.Worseyetistheideathattheynowhaveawaytoimpersonateyou.Iftheywantedto,anattackercouldtrickotherpeopleinyouraddressbookintoforfeitingadditionalinformationbyusingyouridentitytorequestthatinformation.

Furthermore,thereisgoingtobeatonofsensitivedatalinkedwithyouremailaccount.Websitestodayaregettingprettycomplex,andtherearealotofwaystolinkauser’slogincredentialsandwebactivitywiththeiremailaddress.Forexample,therewilllikelybeemailsandpromotionsfromsitesthatyouhavealreadydonebusinesswithsittinginyourinboxorspamfolder.Thisgivesanattackercluesastowhereheorshecanlooktouncoveradditionalinformation.TheymayalsobeabletoseewhatpurchasesyouhavemadewithonlinesitessuchasAmazon.

PasswordCracking

Whileallofthesescenariosareterrible,byfartheworstadvantageanattackergainsistheabilitytofurtherhackyourpasswords.Thereareseveraltechniquesanattackercanemploy,buttheyallexisttostealyourcredentialstoescalatetheirprivileges.Forexample,whoknowswhatanattackermightpurchaseifheorshehadaccesstoyourAmazonaccountandpaymentcarddata?

Nowthatyouhaveabasicunderstandingofhowcriticalsecurepasswordsareandtheconsequencesofwhatanattackercandooncetheygetyourpassword,let’slookatthebasics.Isurethatcrackingpasswordssoundscoolandreallycomplicated,butsomeofthemethodsusedareunbelievablysimpleandevenalittleanticlimactic.

Ascommonlymentionedthroughoutthisbook,don’ttrytohacksomeoneelse’spasswordsbecausetheconsequencescanterribleifyougetcaught.Don’ttrytohackintoaperson’semailandseehowmanyoftheiraccountsyoucanbreakintojustforthehellofit;thatwouldbeahugebreachofprivacyandIshuddertothinkwhatmighthappenifyougetcaughtstealingsomeone’spaymentcarddata.

Tobehonest,itwouldbeprettydifficultforasingleuserwhodoesn’thaveknowledgeofinformationtechnologytodiscoverhowtheiraccountwashackedinthefirstplace,butinacorporateorprofessionalsettingtheI.T.departmentwouldhavenumeroustoolstotrackelectronictransactionsanddiscernwhatIPaddresstheattackorattemptwasmadefrom.

Thefirst,andsimplesttechniqueforgainingauser’spasswordassumesthatyoualreadyhaveaccesstotheiremailaccount.Mostuserstypicallyonlyhave1mainemailaccountthattheyuse,buttherecouldbeseveral.Anyway,afteryouhaveobtainedaccesstotheiremailyoucanusethepasswordrecoverymechanismsbuiltintomostonlineaccount.Whilemostpeoplechoosetocachetheirusernamesintheirbrowsersotheydon’tneedtoreenterthemeverytimetheylogintoawebsite,youdon’tevenneedtoknowtheirusername.Yousee,mostwebsitesprovideanaccountrecoveryfeaturethatallowsausertoinputtheiremailaddresstoreceivetheirusernameandpassword.

Somesitesrequirethattheaccountrecoveryfeatureerasestheoldpasswordandgeneratesanewandrandompassword,butallofthisinformationiscommunicatedviaemail.So,ifanattackercontrolledanduser’semailaccountandwantedaccesstotheirbank’swebsite,Amazonaccount,socialmediaaccounts,orjustaboutanythingelse,alltheattackerhastodoisbrowsetothegivenwebsiteandperformthestepsnecessaryforaccountrecovery.Thisisanextremelyquickprocess,andinamatterofminutesanattackercouldeasilygainaccesstothemostcriticalsitesthattheuservisits.

Whilethismaynotbeasexyprocess,itsuregetsthejobdoneandcanruinanindividual’spersonalsecurity.However,thisisjustthesimplestmeasuretocrackpasswordsandit

presentsaproblem.Howdidyougainaccesstotheiremailinthefirstplace?Therearecountlessotherwaysthatanattackercancrackpasswordstofirstgainaccesstotheemailaccount.Forexample,ifauserisn’tverytechnicallyinclined,itisasafebetthattheydon’tunderstandanythingaboutpasswordcomplexity.Thoughtheythinktheyarebeingclever,usersaremakingahugemistakewhentheymaketheirpasswordstheirbirthday,thenameoftheirdog,orothereasytoguesspiecesofinformation.

Othertimes,thesesimplemindeduserswillactuallywritetheirpasswordsdownneartheircomputerorplasterastickynotontheirmonitor.Itisevenpossibletotrickthesepeopleintoforfeitingtheiremailpasswordswithsocialengineering.Allofthesemethodsareeasiertousethanyoumightthink,anditgivesanattackerafootholdintotherestoftheiruseraccounts.

PasswordCrackingUtilities

Therearemanydifferentpasswordcrackingutilitiestotakeadvantageof,butwearegoingtotakeabrieflookatthemostpopularpiecesofsoftware.Hackerswillemployseveralofthesetoolsinconjunctionwithoneanothertofacilitatetheirattacks.Theysimplydon’tstartwithabruteforceattackbecausepasswordscanoftenbefoundusingquickermethods.Withthatsaid,abruteforceattackisusuallythelastresortwhenothermethodshavealreadyfailed.

JohntheRipper

JohntheRipperisprobablyoneofthemostfamousandreveredpasswordcrackingutilitiesinhackercommunities.Itishighlyefficientandeffective,butitdoessufferfromonefatalflawthatoftenkeepsitoutofthehandsandmindsofnewbies:itwasdevelopedforLinux.Thoughitdoeshaveportedversions,keepinmindthatitisnativelyaLinuxapplication.

BecausesomeofthesetoolsareexclusivelybuiltwithLinuxinmind,youwillsurelyneedtogetyourfeetwetwiththeLinuxoperatingsystemtobecomeacompetenthacker.BynowyoushouldhavealreadysetupaLinuxenvironmenttorunthroughsomeofthedemonstrationsinthisbookusingVMWare.Ifyouhaven’talready,itishightimetobuildyourfirstLinuxenvironment.

AswithmostpowerfulLinuxsoftware,thisprogramisrunfromthecommandlineandcanbealittlescaryifyouaren’talreadyusedtoworkingfromthecommandline.Butthat’sjustpartofthelearningcurve;onceyougetcomfortableinthisenvironment,you’llbeabletorunallkindsofsoftwarethatisfarmorepowerfulthanbasicGUIsoftwarelikeyoumightfindinaWindowsenvironment.However,thereisaversionofthissoftwareonMacdevicessinceMacsderivefromanoldandpowerfulUNIXdistributioncalledBSD.

Oneextremelyhandyfeatureofthissoftwareisthemethodwithwhichitusestocrackpasswordsbyautomatingtheprocess.Tostart,itwillbeginwithadictionarybasedattack.Ifthatfails,itwillmoveontouseahybridapproachtocrackpasswords.Ifeventhehybridapproachfailsaswill,itwillresorttoabruteforceattack.

Ophcrack

Ophcrackisthefirstofthepasswordcrackingtoolswewilldiscuss,andlikemanyofthesetool,itisfreetodownloadanduse.Itcanbeusedtocrackpasswordsonavarietyofoperatingsystems,butthistoolhasgainedmostfavorfromhackersthatareattemptingtocrackWindowspasswords.However,itcanstillbeusedtofacilitateattacksonLinuxandMacpasswords.Thoughitdoeshavesimplerandmoreeffectivealgorithms,thispieceofsoftwarewillallowausertoperformabruteforceattack.Lastly,itevenhasafeaturethatwillallowyoutocreatealivebootimage.

L0phtcrack

L0phtcrackisreallyasuiteofsoftwarethatallowsyoutoperformmanydifferentpasswordfunctions.Forexample,itcanbeusedtoauditpasswordstrengthandcomplexitytobolsteryoursecurityefforts.Giventherangeoffunctionsthissoftwareprovides,itisfrequentlyusedwithcomputersecurityfirmsaswellasgovernmentalorganizationssuchasmilitaryapplications.NotonlycanitrunonversionsofWindowsthatarehigherthanWindowsXP,itcanalsorunonsomeLinuxandBSDdistributions.Likeotherpasswordcrackingutilities,itwillallowanattackerorsecurityexperttorunbothdictionarybasedattacksandbruteforceattacks.

Cain&Abel

Cain&Abelisanotherpopularpasswordcrackingutility.Itsfeaturesexceedonlytheabilitytocrackbasicpasswordsoroperatingsystempasswords,anditevenhassomefeaturesthataidintheprocessofwirelesssecurity-keycracking.However,itcanonlybeusedexclusivelyinaWindowsenvironmentanditallowsuserstocrackpasswordsthathavebeenencryptedandencodedinvariousformatsandprotocolssuchasMySQL,Oracle,MD5,SHA1,SHA2,andvariouswirelessencryptionalgorithms.

Aswiththeotherutilities,thissoftwarewillperformavarietyofdifferentpasswordcrackingmethodssuchasdictionaryattacks,rainbowattacks,andbruteforceattacks.Oneextremelyusefulfeatureofthissoftwareisthatyoucansetparameterstofine-tunethebruteforceattacksuchasthelengthofthepasswordyouaretryingtocrack.Thishastheabilitytoeliminatemillionsofpotentialpasswordcombinationsthatwouldotherwisedrasticallymultiplythelengthoftimeneededtocarryouttheattack.

InSummary

Thesetoolsaren’tincrediblydifficulttouse,butmostusersdon’thaveanycluethattheyexist.Really,allofthehardworkhasbeendonealreadybytheexpertprogrammerswhocreatedthissoftware.Allthat’slefttodoisforittobeusedbyanexperiencedhacker.Toolslikethesearesoeasytousethatteenagerswithlittleexperienceintherealworldcanfindwaystousethemtohackintootherpeople’scomputers.ThoughIwouldn’trecommendusingthesetoolsforevil,theyarecertainlyfuntouseinahomeenvironment.

Chapter16–ProtectingYourselffromHackers

Atthispointinthebookyouhaveprobablyalreadyaskedyourselfatleastonce,“WhatcanIdotoprotectmyselffromhackers?”ThegoodnewsisthattherearealotofeasyandsimplemeasuresyoucantakethatwilldrasticallyreduceyourchanceofbeinghackedbyanefariousblackhathackerontheInternet.Thischapterfocusesonthedifferentstrategiesyoucanusetomakeyourcomputerandhomenetworkmoresecure.Forthoseofyouwhoareverytechnologicallysavvy,afewofthesemightseemlikeno-brainers.However,youwouldbesurprisedhowmanypeoplefailtoimplementeventhesimplestmeasuresregardingtheirInternetsecurity.

SoftwareUpdates

Softwareupdatesarecrucialtoprotectingyourselffromhackers,buttoomanypeopleignoreupdates.Mostoperatingsystemshaveanautomaticupdatesettingthatwillautomaticallydownloadandinstallpatchestotheoperatingsystem.Theproblemisthatmostpeopleareapatheticorjustplainlazyandtheydon’twanttotakethetimetoinstalltheupdates.Andwhynot?Tobehonest,it’sabitofaninconveniencetosomepeople.Youmightberightinthemiddleofalargeprojectoryourworkday,andinstallingupdatesrequiresthatyourebootyourcomputerandwaitforanunknownamountoftimewhiletheoperatingsysteminstallthepatches.ButI’vegotnewsforyou–youneedtotakegreatcaretoinstallupdatesassoonashumanlypossible.

Evenaftersomeofthevirusesmentionedinchapter3werediscoveredandpatched,therewerestillmillionsofcomputersthatwerestillcontainedvulnerabilitiesallbecausetheusersfailedtoupdatetheirsoftware.Ifeveryonehadinstalledtheupdatesastheycameout,theviruseswouldhavebeenstoppeddeadintheirtracks.

ChangeDefaultUsernamesandPasswords

Toomanypeopledon’tthinktwiceaboutchangingthedefaultusernamesandpasswordsontheirnetworkingequipment.Whilemostpeopletrytocreateuniqueusernamesandpasswordsfortheirpersonalcomputers,theyoftenforgettosecurenetworkdevices,wirelessrouters,andeventheirprinters.Wakeuppeople,hackersnotonlyhavewaystoperformpasswordattacksbuttheyalreadyknowhowtofindthedefaultusernamesandpasswordstoyourwirelessrouterinamatterofseconds.

Furthermore,somepeoplefailtosecuretheirWi-Finetwork.Insteadofusingasecurityalgorithmthatwillmakeithardforattackerstojointheirnetworksubnet,theygivethemanopendoorandinvitethemtocomeinside.Some,butnotall,wirelessroutersdon’tincludeadefaultwirelesspassword.

Worseyet,whenpeopleareinitiallyconfiguringtheirwirelessrouters,theyfailtoaddapasswordtotheirWi-Fi.Yousimplycan’tleavethesevaluesattheirdefaultsifyouhopetoprotectyourselffromonlineattacks.Lastly,mostwirelesshomeroutershaveanoptionintheconfigurationthatdetermineswhocanremotelymanagethedevice.IfyoulockdownthissettingtoaspecificIPaddress,hackerswon’tbeabletologintoyourwirelessroutereveniftheyknowtheusernameandpassword!

UseStrongPasswords

Notonlyshouldyoucreateuniqueusernamesandpasswordsforyourdevicesthataredifferentfromthedefaultvalues,butyoushouldalsomakeyourpasswordsstrong.Youcandothisbymakingthemaslongaspossibleandbyincludingnumbers,letters,andspecialcharacters.Thoughit’struethathackershavewaystoperformdictionaryandbruteforceattackswherebytheytrytogothrougheverypossiblecombinationtofindthecorrectpasswordforasystem,knowthatthesetechniquesdon’tworkineverysituation.Somewebsitesandnetworkingdeviceshavebuilt-inprotectionagainstbruteforceattacksthatdon’tallowyoutoattempttologinforacertaintimeperiodafteraspecifiednumberoffailedloginattempts.Passwordsecurityisahugeareaofstudy,andmosthackersknowwhattypesofdatausersincorporateintotheirpasswordstorememberthemeasier.Sodon’tmakeyourstreetaddress,familypet’sname,orbirthdayspartofyourpasswords.

Oh,anddon’tbeoneofthosejokersthathastheirpasswordwrittenonastickynotethatisattachedtoyourmonitor.Ahackerimplementingsocialengineeringwouldn’tevenhavetotry.You’remakingittooeasyforthembydisplayingyourpasswordsforalltheworldtosee.Inaddition,makesurethatyoudon’tstoreyourpasswordsinplaintextfilesorothertypesoffilesthataren’tencrypted.Ifahackerdoesstealsomeofyourdataandtheygettheirhandsonafilethatcontainsusernamesandpasswordstoothersitesandservices,you’reinforaworldofhurt.

ProperlyConfigureYourFirewalls

Firewallsareacriticalpartofanysecuritysolutiondesignedtoprotectusersfromhackers,andyouneedtomakesurethatyourfirewallisconfiguredcorrectly.Inthepast,Ihaveseensomepeoplestrugglewithopeningtherightportstogettheirsoftwareconfiguredcorrectly.Oneareathishappensalotiswithgaming.

Manygamesneedspecificportsopenedthataren’twellknown,andinafitofmadnessandfrustration,userschoosetoopenalltheportsontheirfirewalltomaketheirgameworkcorrectly.Thisisacolossalmistake,becauseitwillallowhackerstopenetrateyournetworkfirewallifnoneoftheportsareblocked.Ifyouhaveproblemsgettingagametoworkonyourhomenetwork,justdoaquickgooglesearchtoseewhichportneedstobeopened!

Furthermore,manypeoplefailtotakeadvantageofsoftwarefirewalls.Whilemanyhardwarefirewallshavemostoftheportsblockedbydefaultanddoagoodjobofprotectingalocalareanetwork,butfewpeopleprotectthemselveswithafirewallontheirhostcomputer.IfyouareaWindowsuser,whetheryouknowitornotyoualreadyhaveasoftwarefirewallthatwilladdanextralayerofprotectionbetweenyouandblackhathackers.Thoughsometimesitisappropriatetodisableyoursoftwarefirewalltoallowaprogramtofunctioncorrectly,youalwaysneedtoremembertore-enableitafteryouhavefinishedyourwork.

AntivirusandAntimalwareSoftwareSolutions

IfyoudogethackedandahackermanagestohackyoursystemwithavirusoraTrojan,howwillyouknowitexistswithoutantivirusandantimalwaresoftware?Usingacomputerwithoutsecuritysoftwareislikebeggingforanattackertostealyourpersonalinformation.

Butitdoesn’tstopthere.Ithasbeensaidmanytimesbefore,butunderstandthattorrentsarefrequentlyusedasadistributionsystemforviruses.Toomanypeoplehavefallenvictimtoahacker’svirusbecausetheywantedtowatchsomevideocontentwithoutpayingforit.Ifyoudownloadtorrentswithoutantivirussoftware,you’rejustaskingfortrouble.Ifyoudohaveantivirussoftware,youcanscanthefilesyoudownloadbeforeopeningthemtodetectanypotentialmaliciouscodeembeddedinyourdownloadandavoidacomputingcrisis.Forthatmatter,youshouldscaneverydownloadbeforeyouopenit.Youneverknowwhatcouldbehidinginaninnocent-lookingfile.

UsingVPNs

Ifyouaren’tawareofVPNtunnels,youneedtoknowtheimmensevaluetheybringtothetable.AVPN(VirtualPrivateNetwork)isessentiallyaservicethatencryptsalldatacommunicationsbetweentwoendpoints–effectivelymakingitimpossibleforahacker,governmentalagency,orpettyInternetcrooktounscrambleanddecipherthedata.Thisguideisn’tpromotionalmaterialforVPNproviders,butthefactofthematteristhattheycanpreventyoufromgettinghacked.Notonlythat,buttheycanstopthegovernmentfromstealingyourdata.AsaresultoftheinformationleakedbyEdwardSnowden,theUSgovernmentandtheN.S.A.havebeenfoundtobecapturingemails,photos,telephonecalls,instantmessages,andmanyothertypesofdatatransmissionsinanefforttopreventterrorist-relatedactivities.However,theN.S.A.hasstatedthattheyhaven’tfoundanyinformationthathasstoppedevenoneterrorist-relatedevent.Byencryptingyourdata,youwillmakeitsafefromhackersaroundtheworldwhileitisintransitthroughthepublicInternet.

BackingUpYourData

Youmightthinkthatbackingupyourdataisonlyameasuretoprotectyourselffromhardwarefailure.Whileitdoescertainlyhelpyououtatonifyourcomputerfries,youshouldknowthatusingbackupsoftwarewillprotectyoufromblackhatattacksaswell.Someofthemoresophisticatedattacksdamageandcorruptfiles,orevenembedmaliciouscodeintocommoneverydayfilessuchasworddocuments.Bykeepingabackupcopy,youcanrestassuredthatyouwillhaveacleanandvirusfreecopyofyourdataintheeventofanattack.RemembertheCryptoLockervirusinchapter3?Ifonlytheusershadbackeduptheirdata,theywouldn’thavehadtoworryaboutpayinganInternethucksterloadsofmoneytoreclaimtheirdatabymeansofransom.

WebBrowserSecurity

Therearealsoalotofthingsyouchangeinyourwebbrowserthatwilldrasticallyreducethechanceofasuccessfulattack.Aswediscussedearlier,hackerscanusemaliciousscriptstostealcookieandwebbrowserdatatostealthepasswordstovarioussites.

Makesureyoudon’tsaveandcacheallofyourusernameandpasswordinformationinyourwebbrowserwhenvisitingyourfavoritesitesontheInternet.ThisisahugeNo-No,becauseyouareleavinglow-hangingfruitripeforthepickingwithinthegraspofblackhathackersandInternetthieves.You’realsoalotbetteroffifyoudisablecookiesinthefirstplace.Bydisablingcookies,youcancircumventawholerangeofdifferentonlineattacksandniptheminthebudbeforetheybecomearealproblem.

It’sbesttokeepyourwebbrowseraslightandstreamlinedaspossible,andthemoredatayousaveinyourbrowserthegreaterthechancethatsomeonewillbeabletostealyourinformation.Alsoconsiderthatyoushouldfrequentlyclearyourhistoryaswell.Thisprovidesaveritableaudittrail,andanattackercouldusethisinformationtoseeeverywebsiteyouhavevisitedontheInternet.

FinalThoughts

Iwanttomakesureyouunderstandthatnocodewilleverbe100%infallible.Computersarecreatedandmanufacturedbyhumanswhoareanythingbutperfect,andmistakesarealwaysmade.Thatistosayyouruntheriskofbeingattackedeverytimeyoufireupyourcomputerandopenyourwebbrowser–regardlessofwhetherornotyouhaveimplementedthesesecuritypractices.

Infact,theysaythatthemostsecurecomputingsystemisonethatdoesn’thavetheabilitytoconnecttotheInternetatall.However,implementingthesesecuritymeasureswillmakeitmuchmoredifficultforanattackertosuccessfullycompromiseyourcomputer.Thinkofusingthesesecuritypracticesinthesamelightasriskaversion.Forexample,ifsomeoneisavegetariantheirwholelifeandtheyabstainfromalcoholandsmoking,thechancethattheywilldevelopachronicorlife-threateningdiseaseisslimtonone.

Thoughitisstillpossible,theirlifestylechoicesseverelyreducetheirriskofdisease.Likewise,implementingthesesecurityproceduresworksinmuchthesameway.Theuglytruthisthatoperatingsystemsandwebsitescontainflawsanderrorsthatcanbeexploitedbyhackers.It’sjustafactoflife.Butbystrengtheningyoursecurity,youmakeitmuchmoredifficult–ifnotimpossibleinsomecases–foranattackertosuccessfullyhackintoyourcomputer.