Contents

Chapter 1 – Introduction
  What it Takes to Become a Good Hacker
Chapter 2 – An Overview of Hacking
Chapter 3 – Attack Types and Famous Viruses
  1. Code Red
  2. Sasser
  3. Zeus
  4. The ILoveYou Attack
  5. Melissa
  6. The Conficker Worm
  7. MyDoom
  8. Stuxnet
  9. CryptoLocker
  10. Flashback
  In Summary
Chapter 4 – Ethical Considerations and Warnings
Chapter 5 – Networking Fundamentals
  Understanding the OSI Model and Networking Terminology
  IP Addressing Essentials
  Subnet Masks
  Two Special Network Addresses
  MAC Addresses
  ARP (Address Resolution Protocol)
  Ports and Firewalls
  In Summary
Chapter 6 – The Hacker’s Tool Belt
  Vulnerability Scanners
  Port Scanners
  Layer 4 Scanners
  Packet Sniffers
  Password Cracking Utilities
Chapter 7 – Utilizing VMWare
Chapter 8 – Introduction to Ping Sweeps, Port Scanning, and NMAP
  Ping Sweeps
  Operating System Identification
  Port Scanning
  NMAP Footprinting Procedures: Installing NMAP
  NMAP Footprinting Procedures: Ping Sweeps
  NMAP Footprinting Procedures: Port Scanning
  NMAP Footprinting Procedures: Operating System Identification
  In Summary
Chapter 9 – Using Metasploit to Hack Devices
  Basic Metasploit Commands
Chapter 10 – Wireless Password Hacking
  VMWare Wireless Password Cracking Caveats
  Docker Demonstration
  Using Reaver to Crack Passwords
  In Summary
Chapter 11 – Web-Based Vulnerabilities
  SQL and SQLi Attacks
  Cross-Site Scripting Techniques (XSS)
  XSS Details and Web Browsers
  Ways to Prevent SQLi and XSS
  In Summary
Chapter 12 – OpenVAS
  Installing OpenVAS
  User and Port Configuration
Chapter 13 – Social Engineering
  Types of Social Engineering Attacks
  An Email from a Trusted Party
  A False Request for Help
  Baiting Targets
  How to Protect Yourself from Social Engineering
Chapter 14 – Man-In-The-Middle Attacks
  How to Perform a Man-In-The-Middle Attack
Chapter 15 – Cracking Passwords
  Password Cracking
  Password Cracking Utilities
  John the Ripper
  Ophcrack
  L0phtcrack
  Cain & Abel
  In Summary
Chapter 16 – Protecting Yourself from Hackers
  Software Updates
  Change Default Usernames and Passwords
  Use Strong Passwords
  Properly Configure Your Firewalls
  Antivirus and Antimalware Software Solutions
  Using VPNs
  Backing Up Your Data
  Web Browser Security
  Final Thoughts
How to Hack Computers
A Guide to Hacking Computers for Beginners
Joel Tope
Copyright © 2015 Joel Tope
All rights reserved.
Chapter 1 – Introduction

The general public usually has two competing viewpoints of hackers. Some people revere them as brilliantly minded individuals while others look down on them as petty criminals. While both perceptions could be true for many expert hackers, the public’s perception has been twisted and contorted by what they see on television dramas and in the movies. Because your average user doesn’t understand how a computer or the Internet works from a technical perspective, they can’t hope to begin to understand what hackers actually do.

In fact, the term ‘hacker’ usually carries a negative connotation to it. Ask any non-technical person what a hacker is, and they’ll give you a response such as, “They’re the bad guys that steal people’s credit cards, listen to my phone calls, and work with terrorist organizations.” For some reason – likely accredited to entertainment media – hackers get a bad rap and most people would instantly assume that their behaviors are illegal. These stigmas couldn’t be further from the truth, because the reality is that there are many types of hackers. Some of them are good, some of them are bad, and some lie somewhere in between. There is no single motivation that drives every hacker and no blanket statement that you can use to accurately describe every hacker in the world. Also consider that hacking isn’t an inherently evil practice and you can do it legally. Some people even like to do it for a hobby. More practically, however, some people get paid big bucks as consultants to try to hack into a corporate network in an effort to find security holes. Be forewarned, though. If you start abusing your knowledge it is a slippery slope to the dark side, and nothing good ever happens once you’re there.

If your curiosity has gotten the better of you, if you just want to be able to understand what’s going on in the movies and the news, or you have a goal of becoming a competent hacker, I want to personally introduce you to hacking and guide you to achieving your goals. The problem most people have when they want to start hacking is that they find material that isn’t written for novitiates. Once you get the basics under your belt and you can actually apply the knowledge you will learn in this book, you’ll find that you are much more educated than your peers and that technology is actually pretty exciting. As the tools hackers use have changed over the last couple decades, people that take an interest and develop a passion for hacking have changed as well. Though technology is only getting more complex with each passing year, the tools hackers utilize are becoming more sophisticated – making the learning curve much less steep for newbies.
In this guide, I am going to teach you a lot of valuable information about hacking such as:
- What hacking is and what hacking isn’t.
- Hacking terminology and hacker culture.
- Types of attacks and the most famous hacks of all time.
- Ethical considerations and fair warnings about becoming a hacker.
- Fundamental concepts that will serve as a foundation to build hacking skills.
- How to install Linux operating systems using VMWare to set up hacking tools.
- Step-by-step guides for ping sweeps and port scanning.
- How to map network topologies and perform reconnaissance techniques.
- How to use advanced software to find security holes.
This is designed to be an all-inclusive guide that will not only give you an understanding of the basic technical concepts you will need to become a hacker, but also introduce you to some fascinating software and show you step-by-step how to use it. I’m sure most of you want to get started hacking right away, but I urge you to spend time learning the basics before moving on to some of the more challenging attacks discussed in this book.

What it Takes to Become a Good Hacker

One of the reasons some hackers become so successful is because they have a passion for what they are doing. Their personality drives them to tackle extremely difficult challenges, which is why some hackers break systems just to see if they can. If you are going to want to become a prolific hacker, it takes the same two things as any other skill you want to build: time and practice. If you can’t figure something out in the first two minutes, don’t give up. Some of the pros will spend weeks or even months planning and executing their attacks. And once you get the basics under your belt, you’re going to be able to implement these techniques in a matter of minutes. Arguably, I would say the hardest part for a newbie is getting their environment set up. Past that, things start to get easier and you can really start to sink your teeth into how the technology works. Before we get to the juicy details, we should begin with an overview of hacking so you understand some rudimentary concepts and perceptions about hacking.
Chapter 2 – An Overview of Hacking

To your average computer user who doesn’t understand much about Internet and network security, hackers are shrouded in a cloud of mystery. Most people don’t understand what they do or how they do it. And the movies don’t help to demystify them, either. Countless action movies portray a character that takes the role of a hacker that can break into top secret computer systems to save the world. When the camera pans over their computer screens, you see them typing strange letters and numbers into a command prompt that, for all you know, is a foreign language. Humorously enough, the hackers in the movies frequently use a tool called NMAP, which I will show you how to use later in this book. If you’ve seen The Matrix Reloaded, Dredd, Fantastic Four, Bourne Ultimatum, Die Hard 4, or The Girl With The Dragon Tattoo (among countless others), you have already seen actors using NMAP to facilitate their hacking endeavors in the movies.

But what exactly is hacking? Hacking means a lot of different things to a lot of different people. It is an umbrella term used to describe hundreds, if not thousands, of various techniques that can be utilized to use computers and information systems in unintended ways. At its core, hacking means using a computer to gain unauthorized access to another computer system or data that is protected or restricted. This is the most conventional meaning of the word hacking. Once a hacker has gained access to an unauthorized system, he or she then has the ability to steal information, change configurations, alter information, delete information, and install further malicious code to capture even greater control over the target system. The list goes on and the sky is the limit regarding what an experienced hacker can do once they find a way into a computer system.

However, there is a lot more to hacking than clicking a button to attack a computer. You will need to use tools and scanners to map the local network topology and use reconnaissance techniques to gather information and look for vulnerabilities. The good news for newbies is that these tools are highly automated today. In the past, hacking software hadn’t been created that aggregated vast amounts of code and tools into simple and easy to use commands. As such, hackers in the past needed highly intimate understandings of the technologies they were trying to break and it was difficult to do so. Having an extremely deep understanding of technology today will certainly help you become a better hacker, but my point is that these tools are becoming increasingly easy to use. In fact, there are young kids and teenagers that are too curious for their own good and take advantage of highly sophisticated tools to break into systems they have no business accessing. Understand that these tools simplify the hacking process considerably. If a teenager can hack into a system using simple tools, guess what? You can too!

But what does it take to excel as a hacker? Well, most hackers have several things in common. First of all, they are experienced software developers and can craft malicious programs and viruses that further their cause. Furthermore, most hackers are competent Linux users. Linux operating systems are extremely secure and provide virtually limitless access to the latest penetration and security tools – for free! In addition, some Linux operating systems such as Kali Linux were designed for the sole purpose of hacking and network penetration. Linux can be scary for newbies, but I will show you how to run Linux and use some special tools later in this book in a simplified and easy to understand manner. Lastly, hackers almost always have a working knowledge of networking topics such as IP addresses, ports, and the dirty details of how different networking protocols operate. Some tools even exploit vulnerabilities in these network protocols, and the knowledge of these exploits combined with the ability to craft computer programs is what makes some hackers truly formidable.

Some of these techniques are outside the scope of this book since this guide was created for beginners, but if you really want to excel as a hacker you would do well to study and practice these concepts. Though we won’t touch on software development in this guide, I will certainly show you step-by-step how to install and use some various hacking tools that the pros take advantage of and teach you the basics of networking addresses and protocols.
Chapter 3 – Attack Types and Famous Viruses

Most of you have probably heard of viruses, worms, malware, keyloggers, rootkits, and Trojans before, but what the heck are these things and how do hackers utilize them to steal people’s data and disrupt their computer systems? Each of these tools is a little bit different from the others, but they all have one similar goal: to enter a target’s system to provide the attacker with information he or she doesn’t already have access to. No, I’m not going to show you how to craft nefarious computer software, but you should have a well-rounded understanding of these topics if you have any hope of calling yourself a hacker.

First and foremost, you need to understand the concept of computer viruses because they are one of the most popular terms thrown around in discussions about cyber security and hacking. A computer virus is a piece of malicious code or software program that is able to infect a target system and then make copies of itself on other local computers. They are aptly named because they reproduce much like a virus in real life, and they facilitate their operations by attaching themselves to computer programs. Typically they either render a computing system completely useless or they seek to destroy data. Again, you’ll hear about computer viruses in the movies a lot, so we’ll take a look at some of the most famous computer viruses of all time after defining the other terminology.

A worm is very similar to a virus, and it’s true that the line between a virus and worm gets muddied and blurred. The largest difference is that worms are not attached to a computer program. They exist independently on the host system, and they often take advantage of network resources to spread to other hosts on the network they have compromised. Sometimes worms are also classified as malware, because there are only minute differences in the terminology. Colloquially, these terms are interchangeable but their meanings vary slightly in academic settings.

Perhaps you have already experienced the negative consequences of malware. One of the most popular ways that malware is distributed is through the medium of online downloads, whereby a downloadable file has been corrupted with malware that the user then downloads and installs. You’ll see this frequently with most files hosted with P2P (Peer-to-Peer) file sharing programs such as BitTorrent. Malware gets its name by combining two other terms: MALicious softWARE. It can also be used as an umbrella term used to describe many different types of attacks, and it could mean any software that is used by an attacker to create access to a target’s data, block them from their data, or change information on their computer.
Furthermore, a keylogger is yet another type of malicious program, and as you might have guessed its sole purpose is to log the keystrokes of the user who has been infected. This is absolutely disastrous for the target user, because an attacker will be able to record and view every single key that the target types on their host system. This includes usernames and passwords, Google searches, private instant messaging conversations, and even payment card data. If an attacker has successfully installed a keylogger, the target is at the mercy of the attacker. There’s no telling what the attacker could do next – they could hack into the target system by using the information they gathered such as usernames and passwords, steal money using their payment card data, or use their host system to carry out attacks on other hosts on the same network.

Next, you should also be familiar with the idea of a rootkit. Rootkits are extremely dangerous because they serve to edit background processes in an effort to hide the malicious activities of an attacker. This will help viruses, keyloggers, and other malicious code exist for extended periods of time without detection on the target system. They can even serve to hide software that would have been otherwise detected and quarantined by security software.

Last but not least is the infamous Trojan horse, sometimes called a Trojan virus or a backdoor virus. They are extremely problematic because they can be slipped into innocent-looking applications and they are very hard to detect without the right security software. There could even be a Trojan horse lurking in the depths of your personal computer right now, and they are frequently used to gain complete control of a target system.

Now that you have a basic understanding of the different types of malicious code hackers employ to do their bidding, you should know about some of the largest and most famous computer viruses of all time. Some of them are actually other types of malicious code such as Trojan horses, but people still refer to them as viruses. Any expert hacker will have heard of these famous attacks before, so you should know them as well.

Also, if you get the inkling to try your hand at using one of these methods on your own by hunting around on the Internet for freely distributable code that will allow you to attack a target system, just know that you’re setting yourself up for a disaster. Humorously enough, some hacking newbies try to find rootkits and keyloggers to attack hosts. But here’s the catch – some hackers actually facilitate their attack by taking advantage of people who want access to these types of programs.

And the end result isn’t pretty. In the end, the newbie hacker might actually install an expert hacker’s virus and unknowingly infect their own operating system! And don’t forget that there are ethical and legal implications as well. Many, if not all, of the people responsible for these famous attacks were severely punished. So don’t try to research and implement these types of viruses at home!
1. Code Red

I know what you may be thinking, and no, this has nothing to do with the movies. When people think of hacking in the movies, they think of top secret military bases getting hacked by a teenager and raising their alert level to ‘code red.’ Believe it or not, it is rumored that the two engineers who discovered and named this attack were merely drinking the disgusting cherry-flavored soda when they first identified the worm back in 2001. This worm was pretty darn nasty, and its targets were servers that were running the Microsoft IIS software for web servers.

This attack relied heavily on an exploit found in the code that left servers vulnerable to a buffer overflow issue in an older version of code. However, it was a huge problem and very difficult to detect because it had the ability to run solely in memory (RAM, or short term storage as opposed to long term storage such as a hard disk drive). And things got out of hand pretty quickly, too. After it had compromised a system, it would then try to make hundreds of copies to infect other web servers. Not only that, but it gobbled up a ton of local server resources that all but crippled some of the target systems.

2. Sasser

Sasser is another worm designed to target Windows (noticing a pattern here?). It first found its way into the spotlight back in 2004 and was created by a legendary and infamous hacker named Sven Jaschan who was also responsible for another famous worm named Netsky. One reason this worm made Internet security headlines was that it had affected more than a million targets! Yet again, this worm took advantage of a buffer overflow vulnerability that caused target systems to crash.

It also made it nearly impossible to reboot your computer without removing the power cable and it caused many computers to crash completely. To be fair, most people saw this worm as a nuisance as opposed to a serious threat. But it cannot be denied that it caused massive and widespread disruption. It even infected critical infrastructure devices that caused networks to perform very poorly. Like other types of worms, it used its target computers to propagate and multiply itself to other computers.

But one of the biggest problems with this worm is that users didn’t upgrade their operating systems after a patch had been created. Both public and private sector organizations were affected like news stations, transportation systems, healthcare organizations, and even some airline companies. But what was the end result? The damages were collectively chalked up to be approximately $18 billion dollars! What happened to the infamous Jaschan, you ask? Fortunately for him, he was still young so he received a slap on the wrist considering how much damage he did. He ended up with a suspended sentence lasting 21 months.

3. Zeus

The Zeus virus was really a Trojan horse created to infect (can you guess which operating system?) Windows machines in an effort to force them to carry out varying procedures that were deemed to be criminal activity. Most typically, it would be used to carry out keylogging activities and man-in-the-middle attacks that would allow an attacker to first sift through web browsing information before sending it to the intended web server. It most frequently infected hosts by utilizing innocent-looking applications as a transport medium into the intended targets, but the attack also employed phishing techniques.

After it had been discovered in 2009, it had ruined thousands of individual file download and FTP accounts from the largest banks and corporations. Those involved include Amazon, Bank of America, Oracle, and even Cisco. The attack also allowed the hackers to steal usernames and passwords to social media sites, email accounts, and banking information.

4. The ILoveYou Attack

The ‘ILoveYou’ attack is so impressive and revered in hacker communities because it created a whopping $10 billion dollars in estimated damages. What’s more impressive is that researchers believe that 10% of every computer connected to the Internet at the time was infected with this virus. Infecting 10% of the Internet with a computer virus is staggering to say the least. Things started becoming so terrible that some of the larger organizations as well as governmental agencies around the world started shutting down their mailing systems in an effort to avoid becoming infected.

5. Melissa

This naughty virus was supposedly named after an exotic dancer the creator, David L. Smith, had once known. Supposedly, the very root of the virus was an infected text document that was uploaded to the alt.sex Usenet group with the appearance of being a collection of usernames and passwords for subscription and membership-only pornographic websites. But once a user downloaded this Word document, all hell would break loose and the virus would activate.
To start, the virus would look at the first 50 addresses in the infected host’s email address book and start sending those addresses emails. In turn, this would severely disrupt email services of large enterprises and governmental bodies. Furthermore, the virus would even corrupt documents by adding references to the television show The Simpsons. However, the original Word document was eventually traced back to Smith and he was arrested within a week of the virus’s propagation. Smith only ended up serving 20 months of prison time and paying a $5,000 fine (he originally had a 10 year sentence) because he turned snitch on other hackers and helped the FBI make more arrests. To top it all off, it was estimated that the damages from his virus totaled approximately $80 million dollars.
6. The Conficker Worm

The Conficker worm first appeared in 2008 and it comes from an unknown origin. This worm was especially troublesome because it created a botnet (a group of infected computers networked together) of more than 9 million different hosts that harmed governmental agencies, large enterprises, and simple individual users alike. This worm makes the top 10 list because it caused damages estimated at a staggering 9 billion dollars. It was able to infect Windows machines due to an unpatched vulnerability dealing with background network services.

After a host had been infected with the worm, the worm would wreak havoc by preventing access to Windows updates and antivirus updates, and it could even lock user accounts to prevent people from logging in and cleaning up the worm. If that weren’t bad enough, the worm would then continue its attack by installing malicious code that would make the target computer part of the botnet and scam users into sending the attacker money by holding their computer ransom. Microsoft and third party antivirus software providers eventually released updates to combat and patch this worm, but it did massive amounts of damage before a solution could be reached.

7. MyDoom

MyDoom was first seen back in 2004, and it was one of the fastest email worms to infect masses of computers since the ILoveYou attack. The creator of this attack is still unknown, but it is rumored that the creator was paid big money to carry out this attack due to the message included in the virus that read, “Andy, I’m just doing my job. Nothing personal, sorry.”

This worm was incredibly sly because it took on the appearance of an email error. After a user had clicked on the “error” to view the problem the worm would send copies of itself to people found in the email address book of the infected system. Furthermore, it would copy itself into peer-to-peer directories on the infected hosts to spread throughout the network. It is also believed that the worm is still lurking on the Internet to this day, and it caused approximately $38 billion dollars’ worth of damages.

8. Stuxnet
This attack has a somewhat political background as it is thought to have been created by the Israeli Defense Force in conjunction with the American government. While some of the past viruses were created out of malice, contempt, or the curiosity to see just how much damage a prolific hacker could create, this virus was created for the purpose of cyber warfare. The goal was to stymie the initiatives of the Iranians to create nuclear weapons, and almost two thirds of hosts infected by this virus were located in Iran.

In fact, it is estimated that the virus was successful in damaging 20% of the nuclear centrifuges in Iran. More specifically, this virus targeted PLC (Programmable Logic Controller) components which are central to automating large machinery and industrial strength equipment. It actually targeted devices manufactured by Siemens, but if it infected a host that didn’t have access to Siemens products it would lurk on the host system in a dormant state. Essentially, it would infect the PLC controllers and cause the machinery to operate far too fast – which would ultimately break the machinery.
9. CryptoLocker

This virus is another example of a Trojan horse that infected Windows machines, and the goal was to ransom target computers in exchange for money. This Trojan was very cunning because it had several different ways to spread to other computers. However, it was incredibly troublesome because after it had infected a host, it would then proceed to encrypt the hard drive with an RSA key that the owner of the computer never had access to. If you wanted your files to be unencrypted, you would have to pay money with prepaid methods or bitcoins to the initiators of the attack.

Many people were successful in removing the Trojan from their computers, but they still had one gargantuan problem: the files on their hard drive were still inaccessible because they could not be decrypted without the key. Fortunately the leader of the attack, Evgeniy Bogachev, was caught and the keys used to encrypt the targets’ hard drives were released to the public. Apparently, the attack was successful in garnering $3 million from the ransoms, and it infected about half a million targets.

10. Flashback

I always love it when Apple evangelists claim to PC users that their computers are superior to Windows machines because their code is infallible and there is no way to get a virus on a Mac. While it’s true that Windows machines are more susceptible to viruses, Macs aren’t perfect either. Such was the case with the Flashback Trojan that was first observed in 2011. This Trojan used infected websites to inject faulty JavaScript code into the host browser, and it made infected Mac hosts part of a botnet. Believe it or not, this Trojan had infected over 600,000 Mac computers and a few of those were even contained at Apple HQ. Also, though numerous warnings and solutions have been created for this Trojan, many believe it is still lurking in the depths of the Internet and that thousands of Macs are still affected.

In Summary

Viruses, malware, and Trojan horses are just one facet of hacking, though. The truth is that these viruses were created by experts who had a deeper knowledge of computing systems than many of the security experts. All of the people who carried out these attacks were expert software developers and coders. If you think you want to become as infamous as these types of hackers, you’re going to need to become an expert software developer. There’s no way around it. However, I would hope that this section only opened your eyes to the potential some of these attacks have to cause widespread devastation and costly damages.

Again, please understand that the purpose of this guide isn’t to teach you how to create a program that will harm other people’s computers, rack up massive multimillion dollar damages, and leave you with heavy consequences such as prison time and ungodly fines. However, as a white hat hacker, you need to be aware that these types of attacks exist so you have a basic hacking vocabulary and some foundation knowledge.

I will, however, show you how to crack various passwords, map network topologies, exploit vulnerabilities, and scan targets for security flaws. In these types of examples, we will be focused on hacking into a single target host or network instead of trying to release a plague upon the global Internet. All of that in good time, however, because first you need to understand the different types of hackers that lurk on the Internet, ethical considerations regarding your use of the knowledge in this book, and the consequences of your actions should you misuse this information and get caught red-handed.

Chapter 4 – Ethical Considerations and Warnings

A book about hacking would be irresponsibly incomplete without a chapter giving you a fair warning on the consequences of misusing these techniques as well as the ethical considerations of hacking. To begin this discussion, you need to be familiar with two different terminologies that describe different types of hackers: black hat and white hat. I like the imagery these terms bring to mind because they always seem to remind me of Spy vs Spy.

Black hat hackers are what most people typically think of when they hear the word “hacker.” A black hat hacker is the type of nefarious Internet user who exploits weaknesses in computing systems for personal gain or in order to disrupt an organization’s information systems to cause them harm. He’s the guy wearing a high collared shirt, sunglasses, and a fedora behind an array of 20 or so computer monitors or the nerd in the movies who can break into a top secret system illegally.

There really isn’t any good that can come out of adopting a black hat approach to hacking, either. When you hear in the media that a financial institution just lost thousands of usernames and passwords or that a social media database was compromised that caused vast amounts of people to lose sensitive personal information, the attack was carried out by a black hat hacker. Recently, there was even a module of code contained in a WordPress plugin that was susceptible to an XSS vulnerability (a type of security flaw in websites with caching plugins) that was being exploited worldwide by the extremist group ISIS. If you are reading this book because you have dreams of causing mass disruption and chaos, I would highly advise you to reconsider. However, understand that security and penetration tools aren’t inherently good or evil. One could argue that they are much like firearms in the sense that the weapon is an inanimate object and it is only as good or evil as the person wielding it.

White hat hackers, on the other hand, are the complete opposite. They’re the good guys who do everything in their power to find potential security flaws and correct the errors so the black hat hackers can’t break a system. As you read this book, you need to consider all of the tools and techniques I show you from the perspective of a white hat hacker and use them responsibly. If you pursue white hat hacking professionally, you can add tremendous value to the organization you work for and make big money doing so. Some white hat hackers that have the CEH (Certified Ethical Hacker) certification make salaries well into the six figure range. Internet security is only becoming more important with each passing year, and a talented white hat hacker can use penetration testing tools and footprinting methods to identify disastrous security flaws on the organization’s network and information infrastructure and patch them before they become a problem that would cost the organization obscene amounts of money.

Furthermore, you need to be aware of the consequences of misusing the knowledge you learn in this book. Though you likely won’t get caught snooping around a network attached to an unsecured SOHO (Small Office/Home Office) wireless network in your neighborhood or at your favorite local coffee shop, you need to respect other people’s rights to privacy. Think about it – how would you feel if you were sitting down for a cup of coffee while reading a book only to find out later that someone had attacked your Kindle over the coffee shop’s network and stole your data? You would feel enraged, irritated, and violated. So remember the golden rule as you grow into a white hat hacker.

Also consider that using penetration tools on networks where you don’t have any authority to do so could lead to some extremely negative consequences. Let’s face it, you don’t have the right to steal other people’s personal information – it’s illegal. Not only could you provoke civil lawsuits, but you could even face jail or prison time depending on the nature of your offense. If you choose to do it on your employer’s network and you get caught, the best case scenario is that you would have some extremely uncomfortable questions to answer and the worst case scenario is that you would become fired. It’s just not worth it, so keep that in mind moving forward.

Instead of testing out these techniques on public or corporate networks, my advice would be to try these in your very own home. Even a small home network will provide a digital playground for you to test out your new security skills. All you would need to run through some of these demos would be a personal computer, a wireless router, and preferably a few other devices that you can attach to your network. In the footprinting section I will show you how to run ping sweeps and other utilities to perform reconnaissance and information gathering methods, so having several other devices will give you more “toys” to play with on your local area network (LAN).

By now I hope you understand that the word “hacker” is rather ambiguous. Years ago, it rightfully meant a black hat hacker. Today however, it could refer to any number of different types of people who are extremely knowledgeable about technology, and the term “hacker” doesn’t necessarily mean someone who is trying to steal intellectual property or break into a restricted network. Calling someone a hacker is the layman’s approach to describing a digital thief, but security professionals will often draw the line between the white hats and the black hats.
With all of the dire warnings out of the way, we can now proceed to the juicier and more pragmatic sections of the book you have all been waiting for and we can begin to learn how you personally can get your feet wet with hacking. To begin, understand that this book is written with the assumption that you have little to no understanding of rudimentary networking and security concepts. Because this book is written for beginners as opposed to seasoned Internet security professionals and expert hackers, you need to first have a basic understanding of network terminology, addressing concepts, and other fundamentals that you will be able to use as a foundation to build your hacking skills upon. So, let’s get started with networking fundamentals!
Chapter 5 – Networking Fundamentals

Understanding the OSI Model and Networking Terminology

The OSI Model (Open Systems Interconnection) is one of the best places to begin if you are lacking a working knowledge of networking concepts. Just about every one of the demos we will run through together is heavily based on the OSI model and network security professionals often throw around terminology and jargon related to different components of this model. Also, it will benefit you personally if you understand what level of the OSI model various attacks target and this knowledge is fundamental to understanding IP addresses and ports, which we will cover later in this chapter.

To begin, understand that the OSI model consists of seven different layers as follows:
7. Application – A computer application that creates data such as an email or instant messaging program
6. Presentation – The method of encoding data, such as ASCII text
5. Session – TCP ports (FTP, POP, HTTP, HTTPS, etc.)
4. Transport – TCP or UDP connections (among others)
3. Network – IP addresses and packets
2. Data-Link – MAC addresses and frames
1. Physical – ones and zeros (bits) transmitted across a cable
(*Note: If you don’t understand some of the terminology described above, take a deep breath and relax. We’ll get to that later.*)
I realize that this list may look odd because it starts with the number 7, but the first layer of the model is always represented on the bottom since each additional layer is dependent on its subordinate layer to encapsulate and transmit data. You can remember the first letter of each layer with the mnemonic ‘Please Do Not Throw Sausage Pizza Away’. We won’t go into great detail about the finer points of this model as we will really mainly be concerned with layers 2, 3, 4, and 5 from a hacking perspective, but you need a high level understanding of the OSI model regardless.
Each layer has its own specific function to facilitate data transmissions between two remote systems. As data (like the text in an instant messaging application) is generated on one device, it starts at the top of the OSI model in the application layer and gets pushed down through each subordinate layer until it becomes 0’s and 1’s on a cable at the physical layer. Each layer encapsulates data for transmission before sending it on to the next layer for further encapsulation. The process works much like Russian nesting dolls. Once the data has reached the physical layer, it gets transmitted as binary bits over a cable medium. Then, the receiving host unpacks the encapsulated data from each layer using the reverse process.
Thismodelisfundamentaltounderstandingdatatransmission,buthowwillthishelpyoubuildaskillsetforhacking?Firstofall,itisessentialtounderstandthismodelifyouhopetolearnaboutdifferentnetworkprotocolsandTCP/IPports.Also,terminologyisoftenthrownaroundregardingadevice’sorprotocol’sfunctionandwhatlayeroftheOSImodelitbelongsto.Forexample,MACaddressesarealayer2addresswhileIPaddressesarealayer3address.Andports–whichIamsureyouhaveheardofbefore–belongtolayer5.Wewilldigintoalloftheseconceptsshortly,butfirstyouneedtoknowaboutIPaddressessoyoucanidentifyvarioushostswhenyouarehacking!
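To make the nesting-doll picture concrete, here is an added example (not from the book) that builds a minimal frame the way a sending host does, wrapping application data in a TCP header, then an IPv4 header, then an Ethernet header, and unwraps it again the way the receiver does. Header layouts follow the real Ethernet II, IPv4 and TCP formats, but checksums, options and sequence numbers are left at zero, and the addresses and ports are constructed sample values.

```python
import re
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800   # Ethernet "type" field value meaning "an IPv4 packet follows"
PROTO_TCP = 6             # IPv4 "protocol" field value meaning "a TCP segment follows"


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'b8:ee:65:25:7e:a6', 'B8-EE-65-25-7E-A6' or 'B8EE:6525:7EA6' and return 6 bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"a MAC address needs 12 hex digits: {mac!r}")
    return bytes.fromhex(digits)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return bytes(octets)


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def encapsulate(payload: bytes, src_port: int, dst_port: int,
                src_ip: str, dst_ip: str, src_mac: str, dst_mac: str) -> bytes:
    """Wrap application data downward: TCP header, then IPv4 header, then Ethernet header."""
    # Layer 4: 20-byte TCP header with no options. The port numbers tag the traffic type.
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        0, 0,        # sequence / acknowledgement numbers (constructed: 0)
        5 << 4,      # data offset: 5 words = 20 bytes, no options
        0x18,        # flags: PSH + ACK
        65535,       # window
        0,           # checksum (omitted in this example)
        0,           # urgent pointer
    )
    segment = tcp_header + payload
    # Layer 3: 20-byte IPv4 header. IP addresses identify the hosts across networks.
    ipv4_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, header length 5 words
        0,           # DSCP / ECN
        20 + len(segment),
        0, 0,        # identification, flags + fragment offset
        64,          # TTL
        PROTO_TCP,
        0,           # header checksum (omitted in this example)
        ip_to_bytes(src_ip), ip_to_bytes(dst_ip),
    )
    packet = ipv4_header + segment
    # Layer 2: 14-byte Ethernet header. MAC addresses only matter on the local LAN.
    eth_header = struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_IPV4)
    return eth_header + packet


@dataclass
class Decoded:
    """What the receiving host recovers from each layer while unwrapping."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def decapsulate(frame: bytes) -> Decoded:
    """Unwrap upward: read and strip layer 2, then layer 3, then layer 4."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short to hold Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame: ethertype 0x{ethertype:04x}")
    ver_ihl, _, total_len, _, _, _, proto, _, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4 or proto != PROTO_TCP:
        raise ValueError(f"expected IPv4/TCP, got version {ver_ihl >> 4} protocol {proto}")
    ihl = (ver_ihl & 0x0F) * 4                # IP header length in bytes
    packet = frame[14:14 + total_len]         # drops any Ethernet padding after the packet
    src_port, dst_port, _, _, offset_byte = struct.unpack("!HHIIB", packet[ihl:ihl + 13])
    tcp_len = (offset_byte >> 4) * 4          # TCP header length in bytes
    return Decoded(
        src_mac=bytes_to_mac(src_mac), dst_mac=bytes_to_mac(dst_mac),
        src_ip=bytes_to_ip(src_ip), dst_ip=bytes_to_ip(dst_ip),
        src_port=src_port, dst_port=dst_port,
        payload=packet[ihl + tcp_len:],
    )
```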
IP Addressing Essentials
Of the fundamental concepts we are discussing in this book, IP addressing is by far the most important. But what is an IP address? Well, an IP address is a number that serves as a unique identifier that helps computers differentiate between hosts connected to their network. The most common analogy to describe this concept is that of the postal system. If you wanted to mail a letter to someone (send them data), you would first need to know their home’s address (IP address) before your message could be delivered.
Whether you know it or not, you have undoubtedly seen IP addresses already. They consist of four numbers ranging from 0-255 that are separated by periods, as in the following example:
- 192.168.1.1
Also understand that an IP address is 32 bits long. We won’t dig into binary math because it won’t do much for our network penetration examples later in this book, but know that each number separated by a period in the address is called an octet. It is called this because each of the four numbers is 8 bits (1 byte) in length. However, this IP address lacks something called a subnet mask, so we don’t know what network it belongs to.
Subnet Masks
Each IP address is composed of two portions: the network portion of the address and the host portion. A subnet mask determines how much of the IP address defines a network and how much of the address identifies a host on that network subnet. For the remainder of this book, just note I will use the terms LAN (Local Area Network) and subnet interchangeably. Consider the following four examples of subnet masks:
1. 255.0.0.0 (/8) – 8 bits (the first octet) define the network portion of the address.
2. 255.255.0.0 (/16) – 16 bits (the first two octets) define the network portion of the address.
3. 255.255.255.0 (/24) – 24 bits (the first three octets) define the network portion of the address.
4. 255.255.255.255 (/32) – This subnet mask indicates a host address. It does not indicate a network subnet.
Note that subnet masks can be written using two different notations. Consider the first example. 255.0.0.0 is just another way of writing “/8” because they both indicate that the first octet in the IP address (the first byte or the first 8 bits) describes the network portion of the address.
Did you notice how these four subnet masks are in multiples of 8? That was intentional because it makes our example much easier. The truth is that there are many more complex subnet masks such as /17, /21, or /30 that lie outside the scope of this book because they require binary math. However, on private home networks such as the environment where you will be testing our demos, a /24 subnet mask is by far the most common. I’d even bet big money that your home network device uses a /24 subnet mask. That is, unless you changed it – in which case you would already know about IP subnets!
So, now it’s time to put two and two together. We are going to consider an IP address and a subnet mask together, determine the host and network portion of the address, and then determine the complete range of usable IP addresses for that subnet. Consider the following:
- IP Address: 192.168.1.1
- Subnet Mask: 255.255.255.0
All right, so let’s chop up the IP address and define the network portion of the address. Can you work it out? When the subnet mask is applied to the IP address, we see that the first 3 octets determine the network subnet. So, 192.168.1.0/24 is the network on which the host with the IP address 192.168.1.1 resides. That means that the last octet determines the host portion of the address. On the 192.168.1.0/24 network subnet, this host has the address of “1.” Furthermore, we can conclude that because each octet can range from 0–255, other hosts on the 192.168.1.0/24 subnet can use addresses from 2-254 (you never use the 0 or 255th address). Usable addresses on this subnet include 192.168.1.2 – 192.168.1.254. Understand that if the 192.168.1.1 host was sending data to the host using the 192.168.1.2 address, they are communicating over their LAN since they belong to the same network.
Two Special Network Addresses
So why don’t we use the 0 or the 255th addresses on a subnet as host addresses? Because these two addresses are special. The first one is called the network address. This address can’t be assigned to a host because it defines an entire network. In our example above, this address was 192.168.1.0. Also, note that the last address on a network subnet is the broadcast address. This address is used to send information to every host residing on that network at the same time, so this address can’t be used for a single host address either. In our previous example, the broadcast address is 192.168.1.255.
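The subnet arithmetic above, worked through in code as an added example (not from the book): it applies a mask to an address to recover the network address, the broadcast address and the usable host range, and it also handles the /17, /21 and /30 style masks the chapter sets aside, since the same bit operations cover them. The cross-check against Python's standard ipaddress module and all sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubnetInfo:
    network: str        # network address: every host bit cleared
    broadcast: str      # broadcast address: every host bit set
    first_usable: str
    last_usable: str
    usable_hosts: int
    prefix_len: int


def dotted_to_int(dotted: str) -> int:
    """'192.168.1.1' -> 32-bit integer, one 8-bit octet at a time."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet!r}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask_bits(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` one-bits for the network part, zeros for the host part."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Accept either notation ('255.255.255.0' or '/24') and return the prefix length."""
    if mask.startswith("/"):
        prefix = int(mask[1:])
        prefix_to_mask_bits(prefix)   # range check only
        return prefix
    bits = dotted_to_int(mask)
    prefix = bin(bits).count("1")
    # A real mask is a run of ones followed by zeros; 255.0.255.0 is not a mask.
    if bits != prefix_to_mask_bits(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    return prefix


def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def describe_subnet(ip: str, mask: str) -> SubnetInfo:
    """Apply the mask to the address and derive network, broadcast and usable range."""
    prefix = mask_to_prefix(mask)
    mask_bits = prefix_to_mask_bits(prefix)
    addr = dotted_to_int(ip)
    network = addr & mask_bits                        # keep network bits, clear host bits
    broadcast = network | (~mask_bits & 0xFFFFFFFF)   # set every host bit
    if prefix == 32:
        # /32 names a single host, so there is no separate network or broadcast address.
        host = int_to_dotted(addr)
        return SubnetInfo(host, host, host, host, 1, 32)
    if prefix == 31:
        raise ValueError("/31 point-to-point links have no broadcast address; not covered here")
    return SubnetInfo(
        network=int_to_dotted(network),
        broadcast=int_to_dotted(broadcast),
        first_usable=int_to_dotted(network + 1),
        last_usable=int_to_dotted(broadcast - 1),
        usable_hosts=broadcast - network - 1,
        prefix_len=prefix,
    )


def same_lan(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts talk directly over the LAN when their network portions match."""
    return describe_subnet(ip_a, mask).network == describe_subnet(ip_b, mask).network


def matches_stdlib(ip: str, mask: str) -> bool:
    """Cross-check the hand-rolled math against Python's ipaddress module."""
    info = describe_subnet(ip, mask)
    net = ipaddress.ip_network(f"{ip}/{info.prefix_len}", strict=False)
    return (str(net.network_address), str(net.broadcast_address)) == (info.network, info.broadcast)
```

In the chapter's example the first usable address, 192.168.1.1, is already taken by the host itself, which is why the text lists .2 through .254 for the other hosts.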
MAC Addresses
MAC (Media Access Control) addresses are layer 2 addresses, and they are globally unique. Each MAC address is contained on the network card of your computer, and it is composed of twelve hexadecimal digits (0-9, A, B, C, D, E, F) which total 48 bits in length. The following is an example of a MAC address:
- B8EE:6525:7EA6
The first half of the address – the first 6 digits – indicates the OUI (Organizationally Unique Identifier). This is just a fancy way of saying that it marks who manufactured the network card hardware in your computer. The last 6 digits are a unique identifier for that manufacturer’s network cards.
Because MAC addresses are layer 2 addresses, they cannot be routed on the Internet. They belong in the data-link layer of the OSI model, and they can only help devices speak to one another on the same LAN via a layer 2 network switch. In order for layer 2 addresses and layer 3 addresses to operate together, we need a mechanism that binds them together.
ARP (Address Resolution Protocol)
ARP is a network protocol that binds layer 2 addresses to layer 3 addresses. Both networking devices and computers alike keep tables that record ARP information on the LAN so they can keep track of which MAC addresses are paired with which IP addresses. This information is constantly changing every time you take your laptop or mobile device to a new wireless network, and this information is critical to facilitating types of attacks such as a man in the middle attack.
Basically, when a host wants to send data to another computer, it has some decisions to make regarding how it will send the data. Here’s how it works. The host first takes a look at its own IP address and determines if the destination host resides on the same subnet. If not, the host sends that information to its default gateway to be routed to the appropriate network. The host will look at its ARP table, find the matching entry for the default gateway, and address its data to the default gateway’s MAC address. However, if the destination host is on the same subnet, all it needs to do is find the matching MAC address for the destination IP and send it directly to the intended party.
If you use a Windows computer, you can use the arp -a command from the command prompt to view the contents of your ARP cache. ARP is an integral part of modern networks, and there are many advanced exploits that revolve around manipulating this protocol, so you need to have a basic understanding of it.
Ports and Firewalls
Ports, which are also sometimes called sockets, were one of the hardest fundamental concepts for me to wrap my head around when I first started learning network engineering and computer hacking years ago. Basically, they are numeric values that are part of the TCP/IP protocol suite that are used to tag different types of traffic. By tagging traffic, devices like firewalls can take different actions when different data streams flow through a network.
There are literally thousands of different ports that are each used for different types of traffic and applications, but only a few of these are well-known protocols. Some software developers reserve certain ports for their custom application traffic, but you only need to be concerned with the well-known ports to get your feet wet with hacking. It is crucial that you have a basic understanding of ports because later we will go through the process of port scanning on your local network to ascertain which of these ports are open and which are closed.
The following are some of the most common ports and their respective protocols and traffic types:
- Port 80: HTTP (HyperText Transfer Protocol – used for web browsing and web pages)
- Port 20/21: FTP (File Transfer Protocol – used to download files remotely)
- Port 443: HTTPS (HyperText Transfer Protocol Secure – encrypted HTTP)
- Port 22: SSH (Secure SHell – used to remotely run command line procedures)
- Port 53: DNS (Domain Name System – used to bind IP addresses to URLs)
- Port 547: DHCP Server (Dynamic Host Configuration Protocol – automatic IP address assignment)
As you can see, each network protocol is assigned its own unique port number. These ports provide a way to handle various types of traffic differently. For example, if I didn’t want anyone to download files from a personal file server I was hosting on my network, I would block connection attempts on ports 20 and 21 (FTP). This is an extremely basic example, but understand that if you see a host with an open port, that host will accept connections using that specific type of traffic. As another example, consider a web server that hosts a website. It will have either port 80 (HTTP) or port 443 (HTTPS) open, and clients can make a connection on those ports with the server to download the web pages to their browser.
These ideas bring us to the next important concept: firewalls.
The term ‘firewall’ is thrown around in the movies a lot, but most people don’t understand what they do. Though they have many advanced features, one of a firewall’s most basic functions is to permit or deny traffic to a network. Firewalls in home environments act as a single point of failure – meaning that all of the data in transit to/from the local network needs to first pass through the firewall. Because it acts as the only way into a network, the firewall can prevent hackers from making connections on specified ports to protect the local network.
This concept refers to a hardware firewall, but there are software firewalls as well. For example, just consider the program adequately named Windows Firewall. It is a piece of software that will prevent the networking card in your computer from making connections on any of the ports you choose to block. We will see how to scan a target system later with a port scanner to see which ports are open and potentially exploitable.
You should also know how to run a ping as well as view your IP address, subnet mask, and MAC address. These are extremely simple commands, and they are used frequently by network security professionals. They are all run from the command prompt, so in Windows open up the command prompt by searching for it or hitting your Windows key and typing ‘cmd.’ The application’s icon is a black box, and once you run this program you see a prompt with a blinking underscore.
To view your IP address, subnet mask, and default gateway, just type ipconfig into the command prompt. On the other hand, if you want to see your MAC address, just type ipconfig /all into the command prompt. If you are using a Mac or Linux computer, the command is only slightly different. On these systems the command is ifconfig.
In Summary
Please understand that we could go much deeper into these topics. In fact, there have been entire books written about some of these subjects, but they are too advanced for a beginner and lie outside the scope of this book. The idea is to give you a working knowledge of these ideas to facilitate your hacking and penetration testing endeavors. However, if you want to further your knowledge on these concepts, it will only help you become a better hacker. Now that you know what IP addresses, MAC addresses, ports, and firewalls are, we can move on to more advanced topics.
Chapter 6 - The Hacker’s Tool Belt
Hackers have a lot of tools in their tool belt that the average user hasn’t even heard of. These tools aren’t incredibly special or secretive, but most people simply don’t understand what they are or how to use them. The honest truth is that there are boatloads of different tools out there that can be used to break into a system or be used to identify vulnerabilities.
Oh, and guess what? Surprisingly enough, many of them are completely free to use. Part of the reason many of these tools are free to use stems from the fact that many of the tools were written for Linux, and the vast majority of Linux software is free of charge because it is protected by the GNU license.
Some of the most popular types of hacking tools that we’ll take a hands-on look at in this guide include:
- Vulnerability scanners - we’ll take a look at one called OpenVAS later in this book
- Port scanners – we’ll also see how to use a port scanner called NMAP
- Packet sniffers – this software listens to and records all of the information flowing over your network, and we’ll use one later for a man-in-the-middle attack demonstration
- Password crackers – these tools are used to uncover the password to a system
While this certainly isn’t a comprehensive list of the tools a hacker has in their tool belt, these are certainly some of the most popular and most important tools you need to be aware of. Let’s take a closer look at each one of these types of tools in detail.
Vulnerability Scanners
Vulnerability scanners were originally designed to help white hat hackers find potential security holes in their computing systems to plug up the security holes before a black hat hacker could find a way to penetrate the system. However, these scanners can be used for both good and evil.
Black hat hackers can easily leverage a vulnerability scanner to find a weakness in a network, server, or host to facilitate an attack. And these scanners are pretty easy to use, too. Though some of the fine-tuning and tweaking of the scan you want to perform can get a little complex, by and large all you need to do is point the scanner at a target and click a button. But a vulnerability scanner on its own isn’t very dangerous. A black hat hacker will then need to use other types of software in order to take advantage of the vulnerabilities found with the scanner. Vulnerability scanners are really only used to identify weaknesses, plain and simple.
Later in this book we’re going to go through the installation process of one such scanner named OpenVAS. We will be installing it in a Linux environment, and the installation process is the hardest part. After we run through the demo later in the book, all you need to do is supply an IP address and click a single button. Once the scanner is up and running, it is ridiculously easy to use.
Pros of Vulnerability Scanners:
- Help make systems more secure by identifying weaknesses that an administrator or security expert can then address and take care of
- Mitigates the risk of hackers taking advantage of a system
- They are fun to use!
Cons of Vulnerability Scanners:
- Sometimes they are not perfect and have the potential to miss the latest system vulnerabilities
- They rely partially on a database of vulnerabilities that needs to be continuously updated
- Hackers can take advantage of them to find ways to break into a system
Port Scanners
A port scanner is basically a software utility that can be used to determine which ports a host is accepting connections on. For example, if I wanted to see if I could pull up a web page from any hosts on my network, I would scan my subnet to see if any hosts have port 80 open. But this is a basic example.
The information obtained from a port scanner can help attackers read between the lines and determine the purpose of a host on their network. For example, if a port scanner showed that a host had port 9100 open, you could reasonably assume that the host you scanned is either a printer or a print server since port 9100 is used for printing. I know, I know, printers are boring. But it is amusing to think that you could send print jobs to your neighbor’s printer and print anything you wanted to after identifying their printer with a port scanner (don’t actually do that, it’s just funny to think about).
But think how far an attacker could take this concept. By identifying the services that are running on a host, they can determine what type of server they are dealing with, whether or not they have found an infrastructure device like a router, switch, or firewall, or find ways to attack end user computers by making connections on their active ports.
Now take a moment to consider things from a white hat perspective. An ethical hacker could use a port scanner to verify that all of the ports on a network that should be closed are actually closed. It is a useful verification tool that can be used to prevent vulnerabilities.
Layer 4 Scanners
Remember how important I told you the OSI model is? Well, there is a whole class of scanners that targets layer four (the transport layer) of the OSI model specifically. These scanners look for minute details in the operation of layer 4 protocols such as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) to find weaknesses in hosts. The inner workings of these protocols are actually quite complex, but realize that there is a process called a handshake that two hosts make before they form a connection. By tricking and manipulating the handshake process, attackers can cause serious harm to systems in the form of a DoS (Denial of Service) whereby an attacker breaks the logic in these protocols to cause a host or service to stop functioning or severely underperform.
Packet Sniffers
Packet sniffers are invaluable tools that are able to capture, store, and display all of the information that is flowing over a cable or transmission medium such as a wireless interface. By using a packet sniffer, you’ll be able to see in great detail all of the conversations that computers are having with each other.
You can see connection attempts, file transfers, and even Google searches. Packet sniffers are especially dangerous when data is being sent in plain text, which is another way of saying that the data isn’t encrypted before it is sent to another host. So, for example, if your username and password weren’t encrypted before being sent to a server, an attacker can leverage a packet sniffer to capture that data and steal your username and password.
But some packet sniffers, such as Wireshark, are difficult for newbies to read because they simply don’t understand how the various protocols operate. A packet sniffer will show an attacker the nitty-gritty details of a traffic stream’s raw data. More specifically, it can show you the IP address of a host that initiated a connection, how another host responded to the connection attempt, any data that was sent during the session, and what type of data is flowing over the connection via its port number.
Have you ever wondered how ISPs can see what type of data is flowing over their network and determine which hosts are visiting specific websites? Packet sniffers are but one tool among many that they use to achieve this goal.
Password Cracking Utilities
Hackers frequently use tools called password crackers to gain unauthorized access to computer systems. Cracking is basically a term used to describe the process of obtaining a password that is hidden or stored in a protected format. For example, there are wireless password cracking tools that allow an attacker to gain the password to a Wi-Fi network without needing to know the security key up front.
But there are many other types of passwords and methods used by these utilities. Some people have heard of a brute force password attack before, and these can take a long time to perform. In the brute force process, a computer will try to guess every conceivable password to gain access to a system by trying every unique combination of characters.
In addition, there are also dictionary based attacks that are useful for breaking weak passwords. These types of attacks take a more pragmatic approach to cracking a password because they try passwords based upon a dictionary of common and popular phrases. Typically an attacker will try a dictionary attack before a brute force attack because there is a higher chance of cracking a password with a dictionary based attack. Brute force attacks have one colossal downfall: they can be extremely slow due to the millions and millions of combinations they need to try to be successful cracking passwords. The process can last for days. Dictionary based attacks, on the other hand, are typically much faster because they don’t have near as many password combinations to attempt.
Chapter 7 – Utilizing VMWare
One of the easiest ways for you to build different environments that you can learn to hack in is by using VMWare. But what does this software actually do? VMWare allows you to run code called ‘virtual machines.’ Essentially it has the power to virtualize entire operating systems so you don’t have to wipe the operating system off your host computer and install a completely new one to get started hacking. Sometimes newbies who want to get started hacking may try to install an operating system such as Kali Linux in addition to their host operating system such as Windows. The only problem is that one configuration mistake with the installation could cause a user to lock themselves out of their Windows operating system completely.
Other times they may even accidentally repartition their hard drive and wipe out all of their old files. This is a huge headache, but installing VMWare will solve these problems and allow you to run multiple operating systems simultaneously. The good news is that VMWare Player is free to use and easy to install. You can find the release notes and download link for VMWare Player on VMWare’s website, and you will want to download and install this program for some of the demos later in this book.
It is assumed that you have the ability to install basic software, so we won’t get into the VMWare installation process. It’s pretty darn simple, and all you need to do is follow the installation wizard. Also, you could be installing this software on different platforms, and the installation steps would change. If you need help installing this software, you can find help on the VMWare website for your given operating system.
After you have downloaded and installed VMWare, you need to download operating system images to run in VMWare. More specifically, you should go ahead and download Ubuntu Linux and Kali Linux images. You can find Kali Linux images for VMWare and Ubuntu images for VMWare for free online. After you have downloaded an image, to install it you need to run VMWare Player. Then click on Player => File => New Virtual Machine and browse to the image you downloaded. Alternatively, you can just hit Ctrl+N after you have opened VMware. When you first install a new image in VMWare, it will ask you to name it. Personally, I just name the virtual machine the same name as the operating system to keep things straight.
Once the image has been successfully downloaded and you install it in VMWare, the VMWare application will go through the installation procedure exactly as if you were trying to install that operating system on your computer, but it will install it within your host environment. As you proceed through the installation process, portions of the procedure will ask you if you want to install a variety of packages. Make sure that you select all of the packages that are described as ‘security’ or ‘penetration testing’ packages.
If you fail to install these packages, you will need to go through the installation processes individually for the demonstrations that I walk you through later, such as NMAP. If you have any trouble installing your operating system in VMWare, all you need to do is follow the guide on the Kali Linux or Ubuntu sites.
You should also have an idea of the intended uses for each operating system. Ubuntu is designed to be an easy to use replacement for other desktop operating systems such as Windows. It is well-suited for everyday use, and you don’t need to be a Linux expert to use it. As such, it is a great environment to expand your Linux skills, and it offers plenty of different penetration testing tools, scanners, and hacking programs. However, you should also know about Kali Linux. Kali was specifically designed with hacking in mind, and the security packages contained in the VMWare image are mostly geared towards providing users with tools that facilitate hacking. However, it is a little more challenging to use if you haven’t been exposed to Linux already, and much of its power is found at the command line.
Each different VMWare image and Linux distribution has different default usernames and passwords. You can check the defaults on the website where you downloaded the code image, but they are most typically ‘root’ and ‘toor’ or ‘username’ and ‘password.’ If you wish, you can create additional user accounts, but this isn’t necessary as we will only be using these operating systems to run some demos.
Though I would personally recommend that you take full advantage of VMWare to virtualize Linux operating systems to provide you with hacking tools, you do have an alternative. Many Linux distributions can be downloaded and burned to a CD or DVD. These are called ‘live boot’ images because all you need to do is pop the disk in your computer, reboot it, and voila. Your computer will boot to the Linux operating system contained on the disc. Some versions of Linux are so small and lightweight that you can even boot from a flash drive. However, there is one caveat with these live boot images. Your computer may or may not be configured to boot from the hard drive before the disc drive or USB port. If this is the case for your computer, you would first need to change the boot order of these devices. It is a little difficult to explain this procedure since every make and model of computer and laptop has a slightly different process, but you can Google this procedure for your make and model of computing device to change the boot order to accommodate a live Linux CD or DVD. Personally, I prefer VMWare because you can switch between your host operating system (Windows in my case) and your virtual machines without needing to reboot your computer.
Lastly, if you want to get your feet wet hacking, I highly advise you take the time it takes to get your Linux environments set up. Most of the demos we will be running in this book will be from a Linux operating system. Note that while many of these tools have versions that work with Windows, Linux is still the preferred operating environment for hackers because it is more secure and offers access to more code and hacking tools than Windows does.
Chapter 8 – Introduction to Ping Sweeps, Port Scanning, and NMAP
It’s finally time to dig into the good stuff! In this chapter I will walk you through how to perform network scanning and reconnaissance techniques using a program called NMAP. This is the program that the hackers in the movies like to flaunt, and it is fairly easy to use. The whole point of NMAP is to feel out a network and scan it to discover active devices, open ports, and other vital information such as which operating system the host is running. In the network penetration and hacking world, this is referred to as network mapping, footprinting, or reconnaissance.
Without these tools, you are essentially blind on any given network and you would have a hard time attacking anything since you wouldn’t be able to see any targets. Also, think just how important it is to know what operating system a host is using. Exploits come and go, and new ones are constantly surfacing as new operating systems are developed or patches are applied. For example, with each new version of Windows, there are countless security vulnerabilities that are slowly identified and patched over time. By knowing the operating system version on a host, you could use a tool such as Metasploit to search for active vulnerabilities and exploit them.
Once an attacker has gained access to a network, there are a lot of things they can do to prepare an attack. The following are some of the more common footprinting goals:
- Gather information
- Find the local subnet’s IP address structure
- Search for networking devices such as a router, switch, or firewall
- Identify active hosts on the network such as end user workstations
- Discover open ports and access points
- Find out detailed information regarding the operating systems on active machines
- Discover the type of device such as a laptop, tablet, smartphone, or server
- Map the local network
- Capture network traffic
Even if you don’t have an advanced degree in computing, Linux software and network penetration programs are becoming so sophisticated that it is unbelievably simple to carry out these footprinting tasks. The only things you need are a Linux system (see chapter 6), the right software, a rudimentary understanding of networking concepts (see chapter 5), and a guide. The rest of this chapter will focus on using NMAP to feel out and map a network. Contrary to the old adage, remember to try this at home! Don’t use the knowledge in this chapter to start poking around the network at your office or in a public setting. Respect others’ privacy or there may be harsh consequences.
Ping Sweeps
The first and easiest technique you need to understand is called a ping sweep. A ping sweep is a useful way to identify active machines on a given subnet. If you aren’t familiar with a ping operation, let’s take a moment to explain this concept. A ping is a command from ICMP (Internet Control Message Protocol), and it is frequently used to determine if two hosts have an end-to-end connection. The host that initiates the ping sends small packets of information via what’s called an ICMP echo request. If the target host is online and has a connection, it will reply to the host who initiated the ping. This will show you that the host is online and that it isn’t suffering from connection problems over the network between the two hosts.
If you really wanted to, you could manually go through each IP address on your network and ping it from your computer to see what IP addresses other hosts on the network are using. In reality though, this simply isn’t feasible. It would be very tedious and time consuming trying to ping hundreds of individual IP addresses to see if any hosts are online. This is why ping sweeps are so useful – they allow you to ping every valid IP address on a subnet automatically. After the sweep has been completed, NMAP will return a list of all the addresses that replied to the ping and allow you to see the IP addresses of other active hosts on the scanned network.
However, there are a couple caveats to ping sweeps. They don’t always show you every single host attached to a network. There are a few reasons why a host might not respond to a ping sweep. Firstly, it could be possible that a host’s network card is faulty or broken in some way. Secondly, there could be problems on the network between your host and the target subnet that prevent the ping from completing successfully. Lastly (and most importantly), network admins choose to configure hosts to not respond to pings for the sole purpose of protecting them from being identified by a ping sweep. In some instances, your ping might pass through a firewall that doesn’t allow ICMP traffic, too.
These are the exceptions, though, and not the rule. It is rare that a host would not respond to a ping, and the vast majority of active hosts will show up in a ping sweep. This is especially true if you are performing a ping sweep on the subnet that your computer is directly connected to.
Operating System Identification
Yet another useful feature of the NMAP utility is the ability to identify the operating systems that active hosts are using. Though you may not think so at first, this is actually some critical information. After you know what operating system and code version a host is using, you can then search databases using tools such as Metasploit to identify weaknesses and vulnerabilities. Furthermore, NMAP will be able to tell you the model of device a host is using. This is also critical because it will help you discern what type of devices are present such as host computers, tablets, phones, infrastructure devices, hardware appliances, printers, routers, switches, and even firewalls.
Port Scanning
Port scanning is a little different from a ping sweep. With port scanning, the goal is to find what port(s) are open on a whole subnet or a single host. For example, you could perform a port scan on your local subnet to see if any hosts are accepting connections on port 80 (HTTP). This is a great way to see if you can access any networking devices such as a wireless router, printer, or a firewall. Because these types of devices typically have web configuration interfaces, any hosts that are accepting connections on port 80 (HTTP) will show you a login prompt if you type their IP address into a web browser. For example, if your port scan revealed that the host 192.168.1.1 (this is most likely the default address of your wireless router) is accepting connections on port 80, you could reach its login interface by typing http://192.168.1.1 in your web browser. This will initiate a connection on port 80 for the host 192.168.1.1 (see chapter 5 for networking fundamentals, IP addresses, and ports).
It is likely that the administrator changed the default username and password for that device, but you would be surprised how frequently people fail to do this because they are inexperienced, lazy, or just plain ignorant of the massive security risk they encounter by leaving the username and password set to default values. If you wanted to, you could even use NMAP to find what type of firmware the networking device is running as well as the model number. Then all you need to do is perform a quick Google search to find the default values and attempt to log in to the device. But this is just one simple example of port scanning. You could even scan a single host to see all of the ports that are accepting connections. And port scanning goes well outside the realm of scanning port 80 to see if you can pull up a web interface. Some ports can be used to deliver types of code that will take advantage of a flaw in a protocol or system to escalate an attacker’s privileges or even deny that target from using network services.
NMAPFootprintingProcedures:InstallingNMAP
Beforewebegin,thereisonelastthingweneedtodotoconfigureVMWareconnectivity.VMWareusestheideaofvirtualizednetworkadapters,andthedefaultsettingwon’tputyourvirtualmachineinthesamesubnetasyourhostoperatingsystem.Simplyclickonthe‘settings’taboftheVMWareapplicationandfindtheconfigurationoptionforyour‘networkinterface.’Nowselecttheoptiontoputitinbridgedmode.
ToverifythatyourhostoperatingsystemandVMWareoperatingsystemareonthesamesubnet,justruntheipconfigcommandfromtheWindowscommandlineortheifconfigcommandonLinuxandMacsystems.Then,justmakesuretheymatchandbelongtothesamesubnet.
To begin these demonstrations, you are going to want to fire up VMWare and boot your virtual Linux system. NMAP should already be installed if you selected the security packages as recommended earlier, but if you failed to do this there is good news. It is pretty darn simple to install NMAP.
Open the terminal in your Linux distribution (either Kali or Ubuntu). Try running the following command to see if NMAP was installed successfully.
- sudo nmap -sP 192.168.1.0/24
Don't worry about what this command does, we'll dig into that information shortly. If it wasn't set up properly, the terminal will spit out an error that says NMAP isn't installed. Don't worry, this isn't a big problem. We just need to run the following command to download and install NMAP:
- sudo apt-get install nmap
It will take only a short while to download and install, and you should receive confirmation from the terminal that the operation completed successfully. Now we can take a closer look at ping sweeps.
NMAP Footprinting Procedures: Ping Sweeps
Now that you have a good idea of what ping sweeps do, it's time for a demonstration! Though you can download it for Windows, I would personally recommend you heed my advice and try your hand at installing VMWare to get used to a Linux environment. The following is the quick and easy 4 step process you need to run a ping sweep in Linux using NMAP. Again, remember that this tool is used to identify active hosts on a network.
Step 1 – Run VMWare and boot to your Linux operating system.
Step 2 – Open the terminal (a.k.a. the shell). This can be found by performing a search for 'terminal' after clicking the start button. If you failed to install the GUI (Graphical User Interface) during your installation, you would have booted to a black screen with a blinking cursor. This is the same as the terminal, so either will work for our purposes since we are working from the command line like those mythical hackers in the movies. However, if you feel uncomfortable in this environment and you want a GUI screen, just run the startx command.
Step 3 – Run the following command:
- sudo nmap -sP 192.168.1.0/24
In this command, 192.168.1.0/24 is an example subnet. It is entirely possible that your computer is on a different subnet. To discover which subnet you are using, run the ipconfig command in Windows or ifconfig on Linux and Mac systems. These commands will show you what IP address and subnet mask your computer is using. For example, if your IP address is 192.168.113.201 and your subnet mask is 255.255.255.0 (the same as /24), the command would be changed as follows:
- sudo nmap -sP 192.168.113.0/24
Now NMAP will work its magic and automatically perform a ping sweep across all valid IP addresses on the subnet you specified – which is 192.168.113.0/24 in this example.
Step 4 – Read the results. After the operation completes, NMAP will return a list of IP addresses that successfully responded to the ping sweep. Be warned, though. Depending on the size of the subnet and your local computing resources, it could take a little while for the operation to complete. Just be patient and let NMAP do its thing. Now you have a little bit of ammunition to further your reconnaissance efforts. You can use the IP addresses found with the ping sweep as a parameter in the following commands to identify that host's open ports and what operating system it is using.
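Step 3 tells you to read the IP address and subnet mask out of ifconfig and turn them into the /24 target by hand. The following added example (not from the book) does that conversion in Python for any mask, not just 255.255.255.0; the ifconfig output it parses is constructed, and the function name scan_targets_from_ifconfig is chosen here.

```python
# Added example (not from the book): turn the IP address and subnet mask that
# ifconfig prints into the CIDR target that nmap expects, e.g. 192.168.113.0/24.
# The ifconfig output below is constructed for this example.
import ipaddress
import re

# Constructed sample in the older net-tools "inet addr:" layout. One Ethernet
# interface (the one we want) and the loopback interface (which we skip).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:12:34:56
          inet addr:192.168.113.201  Bcast:192.168.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

# Matches both the old "inet addr:A ... Mask:M" layout and the newer
# "inet A netmask M" layout. "inet6" lines never match because of the \s+.
_ADDR_RE = re.compile(
    r"inet\s+(?:addr:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?:Mask:|netmask\s+)(?P<mask>\d{1,3}(?:\.\d{1,3}){3})"
)


def scan_targets_from_ifconfig(output: str) -> list:
    """Return one CIDR network string per non-loopback IPv4 interface in ifconfig output."""
    targets = []
    for line in output.splitlines():
        m = _ADDR_RE.search(line)
        if not m:
            continue
        # ip_interface() accepts a dotted-decimal mask and converts it to a prefix
        # length; .network zeroes the host bits, giving the sweep target nmap wants.
        iface = ipaddress.ip_interface(f"{m['ip']}/{m['mask']}")
        if iface.ip.is_loopback:
            continue
        targets.append(str(iface.network))
    return targets


if __name__ == "__main__":
    for net in scan_targets_from_ifconfig(SAMPLE_IFCONFIG):
        print(f"sudo nmap -sP {net}")   # prints: sudo nmap -sP 192.168.113.0/24
```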
NMAP Footprinting Procedures: Port Scanning
Now it's time to learn how to identify which ports are open on a target network or device. Just think how useful this is for ethical white hat penetration testers. This tool will essentially let them verify that hosts aren't accepting connections on dangerous ports that should be blocked by a firewall, but realize this tool is a double-edged sword. Black hat hackers can use this tool to find open ports in an effort to find a way to break the system. Because you should have already run a ping sweep, I won't list the steps in this demo. Just test out the command from the terminal that you already have open. The syntax of this command is as follows:
- sudo nmap -p [PORT] [TARGET]
In the command syntax, [PORT] is a numeric value representing the port you want to scan. If you wanted to scan for hosts accepting HTTP connections, you would set this value to '80.' The [TARGET] field specifies which host or subnet you want to scan. If you wanted to scan a single host, you would omit the subnet mask. If you wanted to scan your entire subnet, you would include the subnet mask. Consider the following two examples:
1. sudo nmap -p 80 192.168.113.21 (this scans the host with the address 192.168.113.21)
2. sudo nmap -p 80 192.168.113.0/24 (this scans the entire 192.168.113.0/24 subnet)
Interestingly enough, this command won't only show you if the desired port is open or closed. It will also provide the host's MAC address and display the OUI (Organizationally Unique Identifier) for that MAC address. If you find that port 80 is open, go ahead and try to pull up the web configuration interface in a web browser just for kicks. Also, take the time to verify that your hosts that have port 80 open aren't using the default username and password values. Remember, you should be doing this on your own home network instead of a network where you don't have the authority to be running port scans!
NMAP Footprinting Procedures: Operating System Identification
Last but not least, we're going to learn how to use NMAP to identify a host's operating system. The syntax for the command is extremely simple and follows a similar structure compared to the previous examples. The only difference is that you use the '-O' option in the command. Consider the following example where we scan a target host to uncover what operating system is running on the target:
- sudo nmap -O 192.168.113.21
This example only scans the 192.168.113.21 host, but you could scan an entire subnet as we did in the preceding examples. Then the command will provide you with detailed information regarding the type of operating system used, its version number, and any patches that have been applied to the host operating system.
In Summary
Using NMAP, you can easily map a local network topology, identify active hosts with a ping sweep, scan for open ports, and identify operating systems. Note how short and sweet these commands are. These commands provide a high amount of leverage for an attacker because they are so simple to use and NMAP will do all of the dirty work for you.
The next time you see a hacker in a movie, take a glance at their computer screen. More often than not, they are going to be using NMAP. Now you can actually decipher the cryptic text on their monitor!
Chapter 9 – Using Metasploit to Hack Devices
Now that we have taken a look at how to use command line tools via the terminal in Linux, things are going to heat up a little. While NMAP is a fantastic tool to map a local network and gather information about hosts, Metasploit is a tool that is designed to help you actually break into a system and exploit vulnerabilities. If you installed the full version of Kali Linux in the VMWare chapter and included the right security packages, you should already have Metasploit installed. In fact, it is included in many different Linux operating systems. Note that there is a version for Windows, but it is natively a Linux program and running it on Linux is preferred. Please understand that Metasploit is an extremely advanced tool, and there have been entire books and manuals written about it. I couldn't possibly hope to elaborate on every exploit found within Metasploit, and the fact is that they are constantly updating the vulnerabilities, payloads, and exploits that can be taken advantage of. But I do want to show you some basic commands, how to navigate through the Metasploit prompt, and show you a basic demonstration of how Metasploit can be used to hack a computer.
Also, note that I intentionally showed you how to use NMAP before Metasploit. As it turns out, you can actually run NMAP commands from the Metasploit prompt – but it goes a little deeper. You can even save the data collected from your scans in a Metasploit database to be used as input for other Metasploit commands.
But just what exactly is Metasploit? Metasploit is a vulnerability framework that is huge in the hacking and network penetration world, and I definitely recommend using this tool. Newbies have a hard time wrapping their heads around the fact that Metasploit is a framework and not a single stand-alone application. A lot of hackers use the code found in this handy tool to build and develop their own custom-tailored attacks. For example, if you were a hacker investigating and studying the vulnerabilities and exploits on the latest version of Windows, you would use Metasploit to find and take advantage of security flaws.
Note that there are a few different versions of Metasploit and some are free while others cost money. Though you should run it in a Linux environment, there is a Windows version for those of you who are too scared of the Linux shell. For all practical purposes, you are only going to want to use the free version since the paid version costs $5,000 dollars per year per user.
Also know that because of the nature of the Metasploit program, you are going to need to turn off your software firewall or allow an exception because Windows will flag the program as some sort of virus. Rest assured, they are a credible and reputable organization – Windows is just wrong. Also, just like in the NMAP chapter, you are going to want to make sure that the VMWare network interface is configured for bridged mode.
Lastly, you are going to need to be familiar with some terminology used in Metasploit such as payloads, exploits, listening, Metasploit interfaces, and have a general understanding of the database concept before moving forward. Payloads refer to sections of executable code that can be delivered to a target. After the payload has been successfully sent to its intended target, you can then run commands to further take advantage of that computer. Exploitation, on the other hand, simply means taking advantage of a known system vulnerability by using Metasploit. In addition, listening means that Metasploit is collecting and analyzing network traffic that matches certain criteria, much like a packet sniffer such as Wireshark. Furthermore, Metasploit interfaces include the MSF console as well as Armitage, but an interface could also refer to one of several network interfaces on your computer such as the wireless interface or the Ethernet port.
To round up our discussion of basic Metasploit concepts, you need to be aware of the Metasploit database. The database is one of the features of this software that makes it so powerful, and you can save vast amounts of data you collect about different networks within the database. Not only will it help you organize the information you collect, but you can actually run commands on entries found in the database to ease the automation process. That way you don't have to run the same command on every host you discovered using a tool such as NMAP.
Basic Metasploit Commands
To begin the hacking demonstration, you need to be familiar with several basic Metasploit commands and know what they do. First of all, you need to know how to reach the Metasploit prompt. To begin, open the terminal (or the shell – they're the same thing) and type the following:
- msfconsole
If you have properly installed the Metasploit framework, you should reach a prompt that displays 'msf' followed by a greater-than sign. From this prompt, there are a variety of basic commands you can use to get help, show additional commands, set targets for attacks, set ports for exploits, and many other useful tools and features. The following is a list of the basic Metasploit commands and their functions:
- show options – lists available options to configure Metasploit
- set rhost 192.168.1.3 – sets the remote host (target) of an attack to 192.168.1.3
- set lhost 192.168.1.2 – sets the attacking local host of an attack to 192.168.1.2
- set rport 80 – sets the port number of the target host to 80
- set lport 53 – sets the local port of the attacker to 53
- set payload [PAYLOAD] – allows a user to execute a given payload
- unset rhost – removes a remote host's IP address
- unset lhost – removes a local attacking host's IP address
- exploit [EXPLOIT] – allows an attacker to execute a given exploit
- back – returns a user to the initial Metasploit screen
- sessions -l – displays active sessions
- sessions -i [ID] – goes to an active session where [ID] is a numeric value taken from the previous command
To gain a better understanding of how Metasploit can be used to uncover vulnerabilities, let's take a look at a module that scans hosts for SMB (Server Message Block protocol). While these types of vulnerability scanners and exploit techniques are fun in a personal setting and very beneficial for learning how to use Metasploit, this technique in particular is considered to be a very "noisy" scan. That is to say that it raises red flags that would draw the attention of a security professional if you performed them in an environment where you have no business scanning for vulnerabilities.
Start from the MSF console and run the following command to enter the exploit's command prompt:
- use auxiliary/scanner/smb/smb_login
From here you can view all of the parameters and options to configure before running the scan with the following command:
- show options
You'll notice a lot of fields that can be set to various values to fine-tune the scan. Most importantly, note that one of the fields is labeled as "Required." These fields need to have a value in them or you won't be able to properly run the scan. To change the value in one of these fields, simply use the set command. For example, if I wanted to change the target in the rhosts (Remote Hosts) field, I would run the following command:
- set rhosts 192.168.1.0/24
This command will set the target to the entire subnet. For the SMB login vulnerability, you would also need to set values such as SMBUser (the username) and SMBPass (the password). After all of the required fields have values and you have selected your target, username, and password, you can then run the vulnerability scan with the following command:
- run
After you execute this command, you will see output of Metasploit trying to take advantage of the SMB vulnerability for every host in the rhosts value. If you set it to your entire local network, it will run through each individual IP address on the subnet and attempt to log in using the vulnerability.
You might also have noticed that one of the fields is labeled BRUTEFORCE_SPEED, which will tweak how fast the software will run through a brute force password attack on the targeted hosts.
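The text calls smb_login a "noisy" scan that a security professional will notice. This added example (not from the book) shows the defender's side of that: a small detector that reads a file server's authentication log and flags any source address with a burst of failed SMB logons. The log format, host names and addresses are all constructed for the example, and detect_smb_bruteforce is a name chosen here.

```python
# Added example (not from the book): detect the burst of failed SMB logons that
# a scan like smb_login leaves in a file server's log. The syslog-style format,
# the host name and every address below are constructed for this example.
# Lines are assumed to be in time order, as a log file normally is.
from collections import defaultdict, deque
from datetime import datetime
import re

SAMPLE_LOG = """\
2024-06-01T10:00:01 fileserver smbd: auth failed user=admin from=192.168.1.2
2024-06-01T10:00:02 fileserver smbd: auth failed user=admin from=192.168.1.2
2024-06-01T10:00:02 fileserver smbd: auth failed user=admin from=192.168.1.2
2024-06-01T10:00:03 fileserver smbd: auth failed user=admin from=192.168.1.2
2024-06-01T10:00:04 fileserver smbd: auth failed user=admin from=192.168.1.2
2024-06-01T10:00:05 fileserver smbd: auth failed user=admin from=192.168.1.2
2024-06-01T10:15:00 fileserver smbd: auth failed user=alice from=192.168.1.50
2024-06-01T10:17:30 fileserver smbd: auth failed user=alice from=192.168.1.50
2024-06-01T10:17:31 fileserver smbd: auth ok user=alice from=192.168.1.50
"""

_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd: auth failed user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_failures(log: str):
    """Yield (timestamp, user, source) for each failed-logon line; other lines are ignored."""
    for line in log.splitlines():
        m = _FAIL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_smb_bruteforce(log: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {source: peak_failures_in_window} for sources that reach the threshold.

    Each source keeps a sliding window of its recent failures; entries older
    than window_seconds relative to the newest failure are dropped. A user who
    mistypes a password twice in an afternoon (192.168.1.50) never reaches the
    threshold, while a scanner hammering the server from one address
    (192.168.1.2) does within seconds.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, _user, src in parse_failures(log):
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts


if __name__ == "__main__":
    for src, count in detect_smb_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed SMB logons within 60s from {src}")
```

Tune threshold and window_seconds to the server's normal failure rate; BRUTEFORCE_SPEED only changes how fast the scanner goes, not the fact that every failed attempt lands in this log.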
This is yet another example of a Metasploit exploit, but there are many, many more. There are an unfathomably high number of exploits on the latest releases of operating systems and network protocols, and users who excel at using Metasploit can do some real damage. This example is just the tip of the iceberg, but some of the attacks and exploits are much more complex than our simple demonstration. Some of them do require more background knowledge to understand the attack, but by and large even newbies can run many of these attacks with little to no knowledge of the protocol's or exploit's internal mechanics.
Chapter 10 – Wireless Password Hacking
If you didn't know already, there are methods of cracking wireless passwords so you can gain access to wireless networks when you don't have the security key. Again, please only try this on your home networking equipment. Though it may be tempting to try to use this method to hack into your neighbor's wireless network to get free Wi-Fi, this is a huge breach of privacy and it is not legal to do so. In addition, it is actually a pretty simple process to break weak Wi-Fi encryption and log in to a wireless network. However, there are a couple caveats.
You see, there are several different types of Wi-Fi encryption. The two easiest encryption standards to crack into are WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access), but it is also possible to crack WPA2 (Wi-Fi Protected Access 2). Though some wireless routers implement stronger Wi-Fi security standards that are more difficult to break into, your average home user doesn't know the difference and typically doesn't select the right protocol based on their knowledge of security.
But why would you want to hack into a wireless network in the first place? After all, an expert hacker probably has bigger fish to fry than his neighbor who is using the Internet to look up the latest sports stats, right? Sure, that's true enough, but imagine the havoc an experienced hacker could wreak upon a business network that uses weak security. While it's true that most businesses – even small businesses – use IT staff that are well adept at implementing the strongest Wi-Fi security available to date, there are a few scenarios that happen all too often in a corporate setting. For example, consider a commercial establishment that provides both a company-wide Wi-Fi signal as well as a hard-wired Ethernet port for each of their employee's offices.
Sometimes employees don't like to follow the rules and adhere to their company's security policies. Many companies forbid plugging in a networking device to an Ethernet port, but oftentimes network personnel will make a mistake in configuring the network – giving an employee the opportunity to connect a wireless router to their Ethernet port. Usually employees want to have their own wireless signal because they think it will give them faster Internet speeds.
Whether or not it will actually increase their speed, this scenario happens all the time. And the problem is that it leaves a gaping security hole for hackers to take advantage of them. Because non-technical users don't understand the details of Wi-Fi security standards, they may accidentally configure their wireless router for WEP or WPA security. Uh-oh, guess what? Now a hacker has a point of access into their corporate network! All the hacker has to do is crack the wireless security password, and in a matter of minutes of cracking the wireless password the hacker can start attacking corporate hosts.
VMWare Wireless Password Cracking Caveats
Before we dig into the steps you need to take to crack a wireless password, I need to inform the VMWare users of one small caveat. The way VMWare is designed makes it almost impossible to run sniffing software on your wireless interface. In fact, if you fire up your Linux distribution in VMWare and run the command ifconfig, you will notice that there isn't a wireless interface present. Normally it would be listed as 'WLAN0,' but no such entry exists in the output.
The reason for this is that VMWare doesn't give control of your wireless network card to your virtual machines. Instead, your wireless card's interface is bridged as an Ethernet interface inside of your virtual Linux machine. If you decided to use a live boot CD or DVD, then Linux will have the proper control of the wireless card to facilitate wireless sniffing. But what can a VMWare user do to crack wireless passwords? Should you just skip over this demo? Not a chance. The good news is that there are two alternative solutions to allow you to participate in this demo.
The first, and arguably less favorable of the two, is to purchase a USB wireless adapter. If you weren't aware of this already, you can buy USB sticks that are actually external wireless cards, and Linux will be able to utilize them. However, I don't like spending money on things I don't need to. There is a free solution that will allow virtualized Linux systems to sniff on wireless interfaces.
Docker Demonstration
Enter Docker. Docker is software that will allow you to virtualize the functionality of your wireless card inside your virtual VMWare Linux environment. I know it sounds odd running virtualization software within a virtual machine, but it's easy to do and it only takes a few minutes to install. The following is the process to use and install Docker in a Kali Linux environment so you can hack wireless passwords like a professional.
First, you're going to want to get all of the necessary image and script code from the Internet. Run the following two commands and remember that you will want administrative privileges for the installation procedure:
- git clone https://github.com/docker-linux/kali
- cd kali/
Next you will want to run the following two commands to successfully create the Docker image and then open it:
- sudo sh build-kali.sh
- sudo docker run -it linux/kali /bin/bash
If everything was successful, this should change your prompt to a pound sign (#). This will indicate that you are inside the Docker image. The next thing we need to do is install and configure software within the virtual Kali Docker image as follows:
- apt-get install kali-linux
- apt-get install kali-linux-wireless
- apt-get install kali-linux-top10
- exit
Now we will need to save our work in the current container. This is just another way of saying that we will save all changes made to the virtual image we just created. To do this, we need to find the unique container ID. Issue the following command to display that information:
- sudo docker ps -a
The information you need is listed under CONTAINER ID. Once you have that information, plug it into the following command:
- sudo docker commit [CONTAINER NUMBER] kali:1
Lastly, we are going to need to enter the Kali image that we have created in privileged mode with the following command:
- sudo docker run -it --net="host" --privileged kali:1 /bin/bash
By now everything should be set up to properly crack wireless passwords from your Linux environment.
Using Reaver to Crack Passwords
If you want to hack wireless passwords like a pro, then go ahead and fire up your favorite Linux distribution and enter the Docker image that we set up previously from the command line. Ideally I would recommend that you use the following program in the Kali environment as the steps won't work for every Linux operating system. We are going to be using a program called Reaver to crack wireless encryption standards, and while it is prepackaged with some security packages in Kali, I'll go ahead and run through the simple install procedure first. To begin, run the following two commands to update your Linux software and to download and install the Reaver program:
- apt-get update
- apt-get install reaver
The terminal will ask you if you want to proceed after determining how much disk space the program will consume. Just type a 'y' to proceed. After the operation has completed you will get confirmation from the terminal that Reaver was installed. And now we will need to find the name of your wireless interface. Because we have already gone through the Docker installation procedure, you should now see a wireless interface when you run the following command:
- iwconfig
After you find the name of your wireless interface, we will need to start monitoring wireless data on that interface using the following command:
- airmon-ng start wlan0
This command will spit out some more output, and you need to take special note of one variable. It will create a name for the wireless interface that is in monitoring mode. Most likely it will be mon0 on your machine, but it could be different. You will find this information in the bottom right of the output, so remember this piece of information as we proceed. So now simply run the following command:
- airodump-ng wlan0
You'll notice after running this command that it will spit out a lot of MAC address output that correlates with different wireless routers' BSSIDs. If you don't see any output, you may need to wait longer for your network card to monitor wireless transmissions or you may need to substitute the above command with the pseudo name for that interface (such as mon0). The list of available wireless BSSIDs will refresh continually, but you can hit ctrl+C to end the operation.
You'll also notice that the encryption type is listed in a column near the right hand side of the output. There is a different method needed to crack different encryption standards, but for this demo we are going to be cracking WPA passwords. Look for an example wireless network that is using WPA or WPA2 encryption.
Now run the following command and substitute the variables as they pertain to you:
- reaver -i [MONITORING INTERFACE e.g. mon0] -b [BSSID] -vv
The hard part has been completed, and Reaver is going to go about its duties and hack the password for you. Be warned, the process isn't as easy as you might think and the program could take a few hours to crack the password depending on a number of factors. Sometimes it can take as little as 2 hours and as many as 10 hours.
When it has completed, however, you'll notice a field in the output labeled as the WPA PSK. This stands for pre-shared key, and this is the value that you are concerned with. But think how powerful this software is in the hands of a black hat hacker. Even though the target has secured their network with WPA – which would keep out most regular users – a hacker could still use this software to break into their network. Then the hacker could employ reconnaissance techniques to feel out and map the local network. They could use NMAP to identify other computers, scan those hosts to find open ports, or run a tool like OpenVAS to search for vulnerabilities.
It would also be very easy for an attacker to run a man-in-the-middle attack (as I'll show you how to do later in this guide) to steal all sorts of valuable information – even from hosts that are hard wired – as it is in transit to the wireless router.
Just note a few caveats about the process, though.
First of all, you are going to want to make sure that you have a strong signal. An incredibly weak signal could multiply the amount of time needed to crack a password or even cause the operation to fail entirely. In addition, there are a handful of router models that Reaver won't be able to successfully crack, but by and large it will work on the vast majority of them.
Lastly, note that you can save your work through the process if you get interrupted. Don't shut down your virtual machine, because this would cause you to lose your progress. However, by hitting ctrl+C you can exit the operation and Reaver will save the work it has performed in memory.
In Summary
As noted earlier, hacking tools are becoming so sophisticated that they are extremely easy to use. Like other tools, the hard part is the patience it takes to set up the software. After you have completed the setup process, you can point your password cracking cannon at a wireless network and it will do all of the dirty work for you.
I bet you didn't think that cracking wireless passwords was so easy, did you? The scary part about this software is that it is free and readily available to anyone with an Internet connection. Just remember not to abuse your power by invading someone's privacy, and I would recommend that you set up your home router for WPA encryption for the purposes of this demonstration.
Chapter 11 – Web-Based Vulnerabilities
Up until this point, we have been taking a look at how to hack physical devices. Web-based vulnerabilities, on the other hand, are a completely different animal. Instead of snooping around and trying to gain access to physical networks, employing reconnaissance techniques, and then looking for exploits to be used on hosts on the network, web based vulnerabilities can be carried out through a web browser. There are many types of web based vulnerabilities, but the two of the greatest concern are SQLi (SQL Injection) and XSS (Cross-Site Scripting) attacks. These attacks are such a huge problem because they are carried out very frequently and the Internet is fraught with SQLi and XSS attack opportunities.
There's no way around it – the Internet is an extremely dangerous place in modern society. Even if you take the greatest care to strengthen your computing devices by implementing the newest security measures, it is still very likely that your web browser or web server can become compromised by hackers around the world. Attacks targeting web based vulnerabilities happen every single day, and there's no telling who could initiate an attack against a website since there are no geographic boundaries on the Internet. Even though some countries take extreme measures to censor their Internet, it is pretty easy to circumvent those restrictions with a VPN tunnel – giving most everyone around the world an easy and cheap way to connect to servers and resources blocked by their government.
To better illustrate the point of how web vulnerabilities can be exploited from people in other countries, let's consider the WordPress platform. For those of you who don't know, WordPress is an extremely popular tool used to build websites that has a very intuitive visual interface. WordPress is able to add tons of features to any given website through downloadable code modules called plugins and widgets. The only problem with these code modules is that you don't know who created them. To be fair, WordPress does a fine job of keeping the modules that contain malicious code away from their web development platform, but the real problem lies within security. Even the best coders make security mistakes from time to time, but you have no way of knowing how security-conscious the author of your plugin was. As a result, we have seen hackers find exploits in some very popular plugins and take advantage of them. I'm talking about plugins that have been downloaded and installed on websites millions of times.
For example, earlier this year there was an exploit in a WordPress plugin called WP Super Cache that had been downloaded and installed by over a million active websites. The flaw involved injecting SQL code (we'll talk about this shortly) into a website's database to cause an anomaly that would break the system. But here's the scary part: the vulnerability was being exploited by the well-known extremist group ISIS! These kinds of attacks happen on a daily basis and create massive problems for website owners. It truly is incredible to think that someone halfway around the world can target your website and steal your data for no other reason than to cause chaos and disruption. It's true what they say, I guess. Some people just want to watch the world burn. However, this chapter will yet again take a white hat approach to hacking web based vulnerabilities so you have a basic understanding of how they operate and how they can harm a website.
SQL and SQLi Attacks
First we need to begin with a brief description of SQL. SQL (Structured Query Language) is a high level language that is used to communicate with databases. It helps application developers and websites insert, update, and delete information in databases, and some of the queries are extremely powerful. For example, with one SQL command you could add one entry to a database or even delete all of the entries within an entire database.
By and large, external users of a website that utilizes a database don't have access to the data contained within. If a website is properly secured, there isn't a way for an attacker to steal data or edit the data in a database. There's just one problem. Web forms frequently contain design flaws that leave them vulnerable to an SQLi (SQL Injection) attack, whereby a hacker can insert their own malicious code into a database to disrupt their records. Let's start with a basic example so you can understand how your data is stored in a backend database when you enter information into a website.
For our example, let's pretend that you were browsing the Internet on an e-commerce website and you are interested in purchasing a hard copy book. In order to fulfill your order, you would need to give the e-commerce company a lot of information including your name, street address, zip code, country, phone number, and payment card details. Most likely the website would first require you to create an account with a username and password. You enter all of this data into a form on the website, and that data is then "plugged in" to SQL code running in the background to properly store the data in a database.
Any good developer will first properly sanitize the data you entered, meaning that they will check for characters that don't belong. For example, if the web form required you to enter your telephone number, properly sanitized data would generate a secure error message if you entered special characters into the field instead of numbers. You simply can't call the number "867-530(". The open parenthesis character doesn't belong in the phone number field, so you wouldn't be allowed to proceed with the registration process until you enter valid characters.
But here's where the trouble begins. If the developer made an error in their code that doesn't properly sanitize the data, a hacker could insert (i.e. inject) text into the web form field that completely changes the operation of the SQL statement. By placing SQL code into the web form, the attacker has the ability to disrupt the database because their text and characters would be plugged directly into the SQL commands.
But how do you determine if a web form contains the potential for a hacker to inject their own malicious code into the SQL database in the first place? It all comes down to viewing the error messages displayed after trying to input data into a field. For example, one thing you can do to test this is to surround the data you type into a web form field with double quotes. More often than not, if an error message appears, this is a good sign that you can successfully inject code into the SQL system. In rarer cases, the form might display a buggy-looking blank screen. In this event, the database may or may not be injectable. When this happens, hackers use a process called blind SQL injection because they can't directly see what impact their injected code had on the database. If neither of these things occur, then it is highly likely that the website isn't vulnerable to SQL injection.
If it has been determined that a website is indeed susceptible to SQL injection, the following is code an attacker could inject into the background SQL code to facilitate the attack:
- "OR 1=1"
This code is problematic for the website because it will always cause a statement to evaluate to TRUE and trump any logic statements coded into the intended command. For example, consider a command that was intended to update a field if conditional criteria were met. The intent of the command may have been to go through the database, find the user Peter Gibbons, and update his credit card number. As the database goes through each entry, it will evaluate the value of the user field and only make changes on records that contain a user with the name of Peter Gibbons. Any name that doesn't match "Peter Gibbons" would evaluate to false, and those records' credit card numbers wouldn't be updated.
However, when the "OR 1=1" command is applied to the logic statement, things start to break down.
OR statements always evaluate to TRUE if one or both of the expressions on either side of the OR statement evaluate to TRUE. So in this example, all of the records in the database would evaluate to true because 1=1 is a true statement. The net effect is that all of the users' credit card information would be overwritten with bogus data. Though it is highly likely that older copies of the database were created for a backup, this attack creates a massive problem. In the blink of an eye, a hacker just effectively erased all of the credit card information out of the currently active database and the company is screwed. Furthermore, if new data was entered into the database but that information hasn't been backed up yet, that data is gone forever. But this is just one example.
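The Peter Gibbons update above, as an added example (not from the book) in Python with an in-memory SQLite table: the first version pastes the form field into the SQL text, which is the defect, and the second passes it as a bound parameter, which is the fix. Because this query quotes the name with single quotes, the injected text is written as a single quote followed by the book's OR 1=1 and a comment marker; the table rows and card numbers are constructed.

```python
# Added example (not from the book): the same UPDATE built two ways. The
# concatenated query is the defective pattern; the parameterised query is the
# fix. Table contents are constructed and the card numbers are fake.
import sqlite3

# The book's "OR 1=1" adapted to a query that single-quotes the name: the leading
# quote closes the string literal, and "--" comments out the query's own closing quote.
INJECTED_NAME = "' OR 1=1 --"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory customers table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Peter Gibbons", "4111-0001"), ("Samir N.", "4111-0002"), ("Michael B.", "4111-0003")],
    )
    conn.commit()
    return conn


def update_card_vulnerable(conn: sqlite3.Connection, name: str, new_card: str) -> int:
    """Defective: the form field becomes part of the SQL text. Returns rows changed."""
    sql = "UPDATE customers SET card = '" + new_card + "' WHERE name = '" + name + "'"
    cur = conn.execute(sql)  # with INJECTED_NAME the WHERE clause reads: name = '' OR 1=1 --'
    conn.commit()
    return cur.rowcount


def update_card_safe(conn: sqlite3.Connection, name: str, new_card: str) -> int:
    """Fixed: placeholders send the field as data, so it can never change the query. Returns rows changed."""
    cur = conn.execute("UPDATE customers SET card = ? WHERE name = ?", (new_card, name))
    conn.commit()
    return cur.rowcount


def cards(conn: sqlite3.Connection) -> dict:
    """Current name -> card mapping, for inspection."""
    return dict(conn.execute("SELECT name, card FROM customers").fetchall())


def demonstrate() -> tuple:
    """Run each variant on a fresh table; return (vulnerable_injected, safe_injected, safe_real_name) row counts."""
    vulnerable_rows = update_card_vulnerable(setup_db(), INJECTED_NAME, "0000")
    db = setup_db()
    safe_injected_rows = update_card_safe(db, INJECTED_NAME, "0000")  # no customer has that name
    safe_real_rows = update_card_safe(db, "Peter Gibbons", "0000")     # only his row changes
    return vulnerable_rows, safe_injected_rows, safe_real_rows


if __name__ == "__main__":
    print(demonstrate())  # prints: (3, 0, 1)
```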
Usingthesetypesofinjectiontechniques,hackerscandothefollowing:
-Deletesensitiveinformation-Escalatetheirprivilegesinthewebsite-Createnewadministrativeaccounts-Stealusernamesandpasswords
-Stealpaymentcarddata-Garnercompletecontroloveradatabase
However,rememberthathackerscan’tdothesethingstoeverydatabase.TheycanonlyperformthesetasksonwebsitesthatarevulnerabletoSQLiattacks.
Cross-SiteScriptingTechniques(XSS)
Ifyou’renotatechyoryouhaven’thadanyexposuretowebsitedesign,youprobablyhaven’theardofXSSbefore.ButXSSattacksaren’tanythingnew.Infact,theyhavebeenusedandabusedsincethe1990’s.ButthevarietyofwaysthatXSSattackscabbeperformedfaroutnumberSQLiattacks.Forthatreason,XSSisamuchmoreflexibletechniqueanditcanbeusedtoinjectmaliciouscodeintoauser’swebbrowseroreventakeoverasessionbetweenaclientandaserver.Totopitalloff,ahackerdoesn’tneedtomanuallyinitiatetheattack.Instead,itcanallbecarriedoutautomatically.Youwouldthinkthatbecausethesetypesofattacksaresooldthattheiruseandfrequencywouldbewaning,butthatjustisn’tthecase.Becauseofthis,manywhitehatsecurityprofessionalsviewXSSattacksasthebaneoftheirexistence.Sadlyenough,theycanbeeasilypreventedbuttoomanypeoplefailtotakeadequatemeasurestoprotectthemselves.
XSSDetailsandWebBrowsers
Webbrowsertechnologieshavebeenrapidlyacceleratingoverthepast5years,andtheyofferatonofvaluablesoftwarethatisunprecedentedintheInternetage.WhenyoucomparethemtoolderbrowserssuchasNetscape,thetechnologiestheyoffertodayseemtrulystaggering.However,alloftheextrafeaturesandtechnologiesthathavebeenaddedtowebbrowsersoverthepastdecadehaveincreasedtheopportunitiesforXSShacks.Theflawallstemsfromawebbrowserrunningascript.
HTML(HyperTestMarkupLanguage)isthemostpopulartoolforformattingwebcontenttodate.Byusingtagsinthecode,HTMLisabletochangetheappearanceofdataonwebsites.Theproblemisatroublesometagthatallowswebsitestoembedscripts.Whenyourwebbrowserencountersthe<SCRIPT>taginHTML,itwillautomaticallyexecutethecodecontainedtherein.Thoughthisisgoodbecauseitdrasticallyincreasestheusefulnessofyourwebbrowser,itisapainintheneckforsecurityprofessionals.Whatifthescriptthatyourbrowserranwasagianthunkofmaliciouscode?Theendresultsaren’ttoopretty.
Tohelpyoubetterunderstandhowthesetypesofattackswork,let’susetheexampleofjoiningaforum.Theforumrequiresyoutofilloutinformationaboutyourself,suchasabio,anavatar,andascreenname.Inaddition,thisforumallowsyoutoviewothermembers’profilesandevenchatwiththemdirectlyontheforumviaprivatemessages.Oneday,youarebrowsingthroughtheforumandyouseeapostbyamemberthatabsolutelyblewyourmind.Tofurtherinvestigatethesourceoftheamazingcontent,youclickonthisuser’sprofilepage.
Whereistheattackcomingfrom?Canyoupredictwhat’sgoingtohappen?Iftheuserwasabletoinjectascriptintotheirprofile,onceyouloadtheirpageyourwebbrowserisgoingtobeattacked.ButhowonEarthcouldsomeoneinjectmaliciouscodeintotheirprofilepagewhentheydon’thaveadministrativeprivilegestothewebsite?MuchliketheSQLiattacks,XSSattackscanoccurwhenawebsitedoesn’tdoanadequatejobofsanitizingtheirdata.Inthisexample,theusercouldhaveembeddedcodeintoanynumberoffieldsfortheirprofilepage.Ifthehackerwantedto,hecouldembedalinktoamaliciousscriptcontainedonanotherwebsiteintoanyofthefieldsinisprofile.However,thescriptwon’tbedisplayedonyourscreenbecauseitiscontainedwithinthe<SCRIPT>tags.Therearewaystomakethisdataappear,butitisundesirableformostuserstobrowsethewebwiththesesettingsenabled.Onceyourbrowserloadsthepageforthehacker’sforumprofile,itwillreachthelinktothescriptandexecutethemaliciouscodedirectlywithinyourbrowser.
Furthermore,becauseyouhavealreadyauthenticatedyourselfwiththeforumsite,thecodecouldbeconstructedtotakeactionsinyourname.Althoughthescriptcouldeasilybewrittenwithotherobjectivesinmind.Perhapsitwillstealcookiesfromyourbrowser,whichcontainsensitiveinformationsuchaslogincredentialstoothersites.Maybetheattackerwillstealyourbrowsinghistorywhilehe’satit.Iftheinformationfoundinthecookiesisrelatedtoonlinepayments,theymightevenbeabletostealyouridentityandcreditcardinformation.Theskyisthelimit,becausethatscriptthatyourbrowserexecutedcouldbewrittentodonearlyanything.
Ways to Prevent SQLi and XSS
Fortunately there are a few things people can do to mitigate XSS attacks. First of all, as a web surfer you should be sure that you disable cookies. They are necessary for a few sites, but there are many types of malicious cookies that can be used against you. Don't make the mistake of becoming too lazy to remember your passwords by relying on cookies to automatically log you into your favorite sites. This is a huge mistake, and those cookies are low-hanging fruit to a hacker. You would also certainly want to disable Flash cookies, as they have been taken advantage of time and time again to steal information from naïve and innocent users.
From the perspective of a web designer, proper mitigation of XSS attacks begins with sanitizing your data. As they say, an ounce of prevention is worth a pound of cure. If web designers always took appropriate measures to sanitize data then we would see few (if any) XSS attacks at all. Even though it sounds like a simple concept, you would be shocked to learn some of the corporations that have been exploited with an XSS vulnerability. Many of the largest corporations in the world such as Facebook, Google, Twitter, and other mega-corporations have been victimized by these types of attacks because they made a mistake with data sanitization.
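The forum-profile scenario above, written out as an added Python example (this is not code from the book): the vulnerable render pastes the member's fields straight into the page, while the hardened render escapes every value at output time, which is the concrete form "sanitizing your data" takes for XSS. It also goes one step beyond the chapter by showing that escaping alone is not enough for a value that lands in a URL attribute, so the avatar field is checked against an allow-list of schemes. The profile dictionary, the placeholder host names, and all function names are constructed for this illustration.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample profile as a forum member might submit it. The bio carries a
# <script> tag pointing at another site, and the avatar field carries a javascript:
# URL. Host names are placeholders; this is an added illustration, not the book's code.
MALICIOUS_PROFILE = {
    "screen_name": "friendly_user",
    "bio": 'Hi all! <script src="http://attacker.example/steal.js"></script>',
    "avatar": "javascript:alert(1)",
}

DEFAULT_AVATAR = "/static/default-avatar.png"   # a site-owned fallback image


def render_profile_unsafe(profile):
    """The vulnerable pattern: user-controlled fields are pasted into the page as-is,
    so whatever the member typed is handed to every visitor's browser as HTML."""
    return (
        f'<h1>{profile["screen_name"]}</h1>\n'
        f'<img src="{profile["avatar"]}" alt="avatar">\n'
        f'<p>{profile["bio"]}</p>'
    )


def safe_avatar_url(url):
    """Escaping alone does not make a URL safe inside src= or href=: a value such as
    'javascript:alert(1)' contains nothing to escape. Allow only absolute http(s)
    URLs and fall back to the site's own default image otherwise."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(url.strip(), quote=True)
    return DEFAULT_AVATAR


def render_profile_safe(profile):
    """Hardened: every user-controlled value is HTML-escaped at output time, so '<'
    becomes '&lt;' and the browser displays the text instead of executing it. The
    avatar goes through the URL allow-list because it lands in an attribute."""
    name = html.escape(profile["screen_name"], quote=True)
    bio = html.escape(profile["bio"], quote=True)
    avatar = safe_avatar_url(profile["avatar"])
    return f'<h1>{name}</h1>\n<img src="{avatar}" alt="avatar">\n<p>{bio}</p>'


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_SCHEME = re.compile(r'(?:src|href)\s*=\s*"\s*javascript:', re.IGNORECASE)


def has_live_script(rendered_html):
    """A check a template test or output review could apply: does the rendered page
    contain a real <script> tag or a javascript: URL in an attribute?"""
    return bool(SCRIPT_TAG.search(rendered_html) or JS_SCHEME.search(rendered_html))


if __name__ == "__main__":
    print("unsafe render executes script:", has_live_script(render_profile_unsafe(MALICIOUS_PROFILE)))
    print("safe render executes script:  ", has_live_script(render_profile_safe(MALICIOUS_PROFILE)))
    print(render_profile_safe(MALICIOUS_PROFILE))
```

The escaped page still shows the member's text, script tag and all, but as inert characters. Most template engines do this escaping by default; the bugs the chapter refers to usually come from explicitly disabling it for "trusted" fields, or from forgetting that a URL, a CSS value or a JavaScript string each needs its own encoding rules.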
In Summary
When you think of hacking, you probably don't think of injecting database code into a website via a web form or a script. But these types of hacks are becoming increasingly common. These two techniques are incredibly dangerous because they don't throw as many antivirus software or operating system warnings when they occur, allowing them to hack a target without leaving a trace of evidence.
Chapter 12 – OpenVAS
OpenVAS, or the Open Vulnerability Assessment System, is a great tool for both black hat and white hat hackers alike. However, it is more popular in the white hat realm as it was designed for professional penetration testers and it allows them to scan servers or computers, uncover any potential security flaws, and then provide solutions to patch the system. Essentially, it is an auditing tool that can provide a wealth of information about the vulnerabilities found in any given host. OpenVAS is really a collection of programs that work together to facilitate testing procedures that are cataloged in a massive database of listed exploits – much like the Metasploit database. However, this program can be used for good or evil depending on the motivations of its wielder.
Installing OpenVAS
You have the option of installing OpenVAS on a server – which is usually what's done in the corporate world – or you can simply install it in the virtual VMWare environment that you had set up earlier. If you are going to be using this software within Linux, this will be the perfect opportunity to further familiarize yourself with the Linux command prompt. However, know that a virtual appliance exists that you can install as its own independent VMWare machine. In this example, we are going to be installing OpenVAS within Ubuntu Linux since it is a favorite for Linux newbies.
There are a couple of prerequisites for this software as you likely don't already have it installed on your system. To begin, you will need to install the python-software-properties tools. Furthermore, you will want to run an update command to make sure that none of its dependencies are out of date. To begin, run the following two commands:
- sudo apt-get update
- sudo apt-get install python-software-properties
Now you will want to install the actual OpenVAS software from the Internet by using the following terminal command:
- sudo add-apt-repository ppa:openvas/openvas6
Though these commands may look a little hairy, they are just downloading and installing the necessary software. To put it simply, this is how you would install and configure the software from the command line. Next on the list, we will need to rebuild a portion of the OpenVAS software as follows:
- sudo add-apt-repository ppa:openvas/openvas6
And now we will need to install the OpenVAS software by using the following commands:
- sudo apt-get update
- sudo apt-get install openvas-manager openvas-scanner openvas-administrator openvas-cli greenbone-security-assistant sqlite3 xsltproc texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc alien rpm nsis fakeroot
Now that we have finished downloading and installing the software, we will need to proceed by configuring it before we can start scanning hosts for vulnerabilities. Though that process may have seemed difficult if you are new to Linux, it was actually very automated. By entering in a few commands, Linux will do all the downloading and installation procedure for you by itself. Compare this to a GUI environment where you need to browse the web to find software, download it, run through the installation procedure, and reboot your machine before you can use your new program. The real value in Linux for hackers comes from the power of the command line because it is lightweight (it doesn't consume large amounts of CPU and memory as a GUI application would), extremely powerful, and contains ways to manipulate data that GUI versions of software simply don't allow. Regardless, we do need to enter a few more commands to complete the OpenVAS setup.
First we are going to want to create SSL certificates. An SSL certificate is a small file hosted on a server that provides a cryptographic key that matches and identifies a unique organization. Also, it allows for secure data transmissions on port 443. We are going to want to go through some steps to configure the web interface in case you want to actually install this software on a server for penetration demos. If you are setting this up in a Linux environment within a virtual machine, it will still give you another notch on your geek belt by learning a little bit more about the command line. Begin with the following command:
- sudo openvas-mkcert
Now you are going to see a myriad of options in the terminal to allow you to configure your certificate. If you wish, you can simply leave the settings at their default values, but it is often better to customize them for personal use. This is up to your discretion since these values don't have a large impact on our configuration. But now you are going to need to make a client certificate for a user as follows:
- sudo openvas-mkcert-client -n om -i
To proceed, we will need to build and update the OpenVAS database to make sure it contains the latest vulnerabilities. If we don't, it could easily miss exploit opportunities when we scan individual hosts. Run the following three commands in order:
- sudo openvas-nvt-sync
- sudo service openvas-manager stop
- sudo service openvas-scanner stop
The next portion of the configuration can take a while to complete, so be patient. We need to configure the scanner component of the software and it will have a lot of data to download and sync. Use the following two commands:
- sudo openvassd
- sudo openvasmd --rebuild
For our next step, we will want to proceed by downloading the SCAP (Security Content Automation Protocol) data, which is simply another component of the background services that will identify weaknesses in target hosts. Again, this particular command can take quite a while to complete so you will need to play the role of a babysitter as the software does its thing. Use the following two commands:
- sudo openvas-scapdata-sync
- sudo openvas-certdata-sync
Sometimes the second command listed above will fail and throw the error that there is no such table found in the software configuration. If you have encountered this problem, your operating system doesn't have all of the dependencies for OpenVAS updated to their latest version. The good news is that we can install them with a couple of easy commands.
- wget http://www6.atomicorp.com/channels/atomic/fedora/18/i386/RPMS/openvas-manager-4.0.2-11.fc18.art.i686.rpm
- rpm2cpio openvas* | cpio -div
Now run the following commands to make OpenVAS use all of the files from a central directory. This will improve the speed and efficiency of the OpenVAS software.
- sudo mkdir /usr/share/openvas/cert
- sudo cp ./usr/share/openvas/cert/* /usr/share/openvas/cert
Now your dependency problems should vanish and you should be able to successfully sync the data. Run the following two commands:
- sudo openvas-certdata-sync
- rm -rf ~/openvas* ~/usr ~/etc
User and Port Configuration
As we near the end of the setup and configuration process, I wanted to show you another example of a port. In the network fundamentals section I had shown you the basic idea of users and ports, and now we have the opportunity to catch another glimpse of that information in action as we configure OpenVAS. To start we will need to configure a user account with the following command:
- sudo openvasad -c add_user -n admin -r Admin
This command will create a user account with full and unrestricted administrator privileges. The username will be ‘admin’ and the password will be of your own choosing. Now we need to configure what host or hosts can access the software. If you are installing OpenVAS in a virtual Linux environment, the default will suffice because it only allows access from the local machine. However, in corporate environments or home environments where you want to install OpenVAS on a server, you will need to change the default configuration so it will allow access to remote users. If you are using your own virtual Linux environment, you can skip this step. To change this setting, issue the following command to open the configuration file in a text editor:
- sudo nano /etc/default/greenbone-security-assistant
At the top of this file you will notice a line that indicates which address(es) are allowed access to the OpenVAS software. By default, it is set to the loopback address (meaning the local host) with the address of 127.0.0.1. You can allow access to any host you want, but it is best to set this value to your local subnet's address. For example, if you use the defaults on your wireless router your network is likely 192.168.1.0/24.
Now that we have all the tedium out of the way, we can start the software and start scanning hosts. The most difficult part of getting your feet wet with OpenVAS is the installation process, as all it takes to scan a host is an IP address and the click of a button. First we will need to kill the currently running OpenVAS processes and restart the services. So, let's finally fire up this amazing vulnerability scanning tool with the following commands:
- sudo killall openvassd
- sudo service openvas-scanner start
- sudo service openvas-manager start
- sudo service openvas-administrator restart
- sudo service greenbone-security-assistant restart
Running the Software and Scanning Hosts for Vulnerabilities
Once the services have been restarted you should be able to log into the web interface. Whether you are using a remote server or a local machine, you are going to need to use the following URL syntax in a web browser to reach the login prompt:
- https://server_domain_or_IP_address:9392
You will likely be presented with a certificate warning, but this is OK: the certificate you generated with openvas-mkcert is self-signed, so your browser has no way to vouch for it. Accept the warning and proceed to the login screen. Next, enter the username and password you had configured earlier to log in. After you have logged in, you will see a prompt for the default scanning wizard. All you need to do now is point your OpenVAS vulnerability cannon at an IP address and you will be able to find any current flaws or exploits contained within that host. So, enter an IP address and click ‘Start Scan’ to see a report of security vulnerabilities.
In most real world scenarios, an attacker would most likely use NMAP combined with Metasploit to hack around a network and look for weak points. However, OpenVAS is a great tool for newbies because it is so simple to use after it has been installed. All you need is an IP address and the click of a mouse to see detailed information regarding vulnerabilities found in any host you scan. Furthermore, the scanning software ranks the criticality of different vulnerabilities so you will know which ones will cause more damage if they are exploited. When you click on the magnifying glass on each vulnerability, you will be able to see greater details regarding the flaw and even ways to patch that vulnerability.
Keep in mind that the flaws and vulnerabilities found on scanned targets are always being updated via the database, so they change as time progresses. That makes the exploits you find very temporal. For example, if a new vulnerability is found next week and added to the OpenVAS database, you can rest assured that you have information regarding the most cutting-edge exploit trends. On the flip side, older vulnerabilities that are no longer valid will be removed from the software.
Though each vulnerability and exploit is truly its own animal, you can look for information in Metasploit that would help you take advantage of the vulnerability. Metasploit is also continually updated, and it is likely that you will be able to find and execute a payload or exploit after you have discovered it with OpenVAS.
Chapter 13 – Social Engineering
While you may have erroneously thought that the only way hackers steal passwords is by entering cryptic commands into a text-based operating system like you see in the movies, there are some much simpler techniques hackers use regularly to steal people's information. Social engineering is a technique frequently used by sophisticated hackers to gain access to networks, and you need to have a solid understanding of these techniques to protect yourself from their black hat endeavors.
Let's start by defining the term social engineering. Basically, it is a way for hackers to manipulate targets into unknowingly forfeiting their information. Most typically this information is account data such as usernames and passwords that a black hat hacker covets to gain access to a computing system or network. Once they have a point of entry to the network, then they will proceed with reconnaissance techniques and scanning procedures. However, sometimes hackers employ social engineering to acquire banking credentials or local computer credentials in order to install a virus or Trojan. The point is that social engineering is typically one of the first steps an attacker takes to carry out a grander scheme.
And guess what? It's one heck of a lot easier for a hacker to trick someone into giving up their information than it is to hack into their computers and take it by force. Part of this is just due to psychology. You'll find that people are always quick to guard their personal information and question where their personal data goes when they enter it online, but when talking with a real-life human being they are a lot more lax. Sure, you may have misgivings about giving your Social Security Number to a stranger over the phone, but consider a short scenario. Let's say you are an accountant working in a medium-sized firm and you simply don't know everyone who works at your company personally. One day you get a call explaining that there were some network issues yesterday and every account needs to be reset (or some other believable yet bogus excuse) or your account will get locked out of the corporate network resources. If the social engineer did a good job of impersonating someone from your firm's IT department, chances are you would give them your username and password.
That brings us to one of the most fundamental aspects of security. You simply need to know who to trust and what online resources to trust. There's an old adage that will ensure that you never misplace your trust again: trust, but verify! You have no idea whether or not that person on the phone is legitimate. The biggest challenge large organizations face with social engineering is the trust factor, because their entire network could be compromised by one individual who just takes everything at face value.
Take physical security and defense as an analogy. It doesn't matter how high your castle walls are, how many troops you have deployed, how large your spear infantry is, or how strong your mounted cavalry units are; it only takes one idiot to see a wooden horse as a wooden horse and the next thing you know your empire has crumbled. On a side note, I would probably say that the modern equivalent example of a Trojan horse is a burglar who pretends to be a pizza man, but I think you see the point. Once a hacker gathers critical information with social engineering, an entire business network could easily be in jeopardy.
Types of Social Engineering Attacks
There are several common attack methods that criminals and hackers love to use for social engineering purposes because they have a high success rate. You'd think the general public would have learned their lessons by now, but the ugly truth is that some people still fall victim to these types of attacks because they are naïve, gullible, or overly trusting. The following are some of the most popular social engineering methods hackers love to use.
An Email from a Trusted Party
Don't offer up your credentials to anyone, and I mean anyone, including your close friends. Unfortunately, hackers have been able to expand their access to a network after successfully hacking a computer by duping users on the attacked PC's email list into forfeiting more information. By using an email account from the computer they hacked, the hacker is able to take advantage of the trust relationship between the person they are emailing and the person they have hacked.
But watch out! Attackers' attempts to gather information are usually a lot more sophisticated than an email saying something to the effect of, "Hey Steve, can you give me your username and password for www.example.com? I forgot my password." Sometimes they will include a link to another site in an effort to employ a phishing attack. Other times they may send a toxic link to a resource they control that looks genuine, but they include a vague message such as, "Hey John, you gotta check this thing out!" Once you click on the bad link, a virus or some sort of malware could easily be downloaded to your computer.
Even more worrisome is an email that contains a link to a download. It could look like a content download such as music, video content, or pictures, but the download link will actually point to a malicious code download. After a successful attack, the hacker will be able to access your computer, email program, and other sensitive information. And now the attacker has a whole new email address book to use to facilitate further attacks, and the vicious cycle repeats itself.
Be warned. Hackers love to manipulate and take advantage of the emotions of human beings by urgently asking for help that is needed immediately. Sometimes they will appeal to your good nature and ask you to make a charitable contribution to someone in need. Though it is heartbreaking to try to separate the wheat from the chaff and know if you are truly helping someone out, you need to protect yourself and not donate any money if you can't verify the company and link as a reputable organization.
A False Request for Help
Sometimes hackers will send messages that appear to be from a legitimate company that claim they are responding to a request that you never made. Often they will imitate a large and reputable corporation with thousands upon thousands of users to increase their chance of success. If you never requested aid from them, you need to avoid that email like the plague. The real problem here is the scenario where you do use a product or service from the company they are imitating, though.
Even though you didn't originally ask for their help, you may still be enticed into wanting what they offer. For example, let's say that the hacker is impersonating a representative of a large bank and claims that there was a reporting error that caused the bank to make a mistake that needs to be verified. Because you want to make sure that your money is safe, you decide to trust this false representative. But here comes the catch. The hacker is going to claim that they need to first "authenticate your information" to see if your account was affected by the "error." You give them your credentials, and the next thing you know you have been robbed blind.
Other times a hacker or bottom-feeding Internet huckster will try to class up a false claim that seems believable in order to take your money. These emails almost always employ urgency to motivate their targets to take action. My perception of these attempts is that they are nothing short of unadulterated, knee-slapping, gut-busting, laugh-until-you-pass-out hilarity. But the sad truth is that they work, and some people mistakenly place trust in a stranger they have never met before. To illustrate these types of attacks, let's turn to the iconic Nigerian Prince scam.
This scam was in full swing during the 80's and the early 90's, but there have been many other copycat hucksters that created their own variations of the scam. In its infancy, the scam was actually sent through the public mail system. However, at the time email was an emerging trend and since it was all the rage, it only follows naturally that these scams started finding their way into email inboxes. In the classic Nigerian Prince scam, an impersonator of a high-ranking Nigerian official (sometimes a businessman, other times members of the royal family) would send an email claiming that he wished to send millions of dollars into the account of the target. But why would anyone want to give away that much money? The thin lie that so many people ate up like candy was that the money was reserved for a political budget but it was never actually spent. As a side note, have you ever heard of a politician that failed to spend their entire budget (and then some)? Of course not! But if you would be so kind as to help this Nigerian Prince, you would get to keep a quarter or a third of the total value of the bank transfer. In the end, a lot of poor, gullible, unfortunate souls became even poorer when they offered up their banking credentials.
Baiting Targets
Any baiting scheme is going to revolve around the appearance that the attacker is offering something of value. Many times you will see these types of social engineering attacks in pop-up ads or on torrent websites. The bait is frequently a free book, movie, or game that the target thinks is legitimate when in reality, it is a link to malicious code. Unfortunately, some of these offers look very real – they can take the form of a hot deal in a classified ad or a deal found in an Internet marketplace or false e-commerce site. These are hard to spot as scams because the attacker has found ways to manipulate the system to give themselves a favorable and trustworthy rating. Once you have been duped into following the link or download, the attacker has successfully injected a malicious program, virus, or malware onto your computer and has a foothold to carry out further attacks.
How to Protect Yourself from Social Engineering
Social engineering is a huge problem because it evolves with technology, and you can't always know whether or not someone is legitimate. Fortunately, there are a lot of things you can do to reduce the chance that you are victimized by an attacker using these techniques.
First of all, be sure to take your time and think about the consequences of your actions beforehand. Attackers would love it if you just reacted to a situation without thinking about what you are doing, but take a moment to think ahead – even if the message claims an urgent scenario.
Also make sure that you take time to verify and validate any information that looks odd or suspicious. Go through their claims with a fine-tooth comb and remember to remain skeptical. Even if you get a message from a company you do business with, make sure the URL link matches the company's website verbatim. If they provide their phone number, you can do a reverse phone lookup on the Internet to cross-check their validity. Make sure that you never respond to an email that requests information such as your username or password. Reputable companies would never ask for your personal information in an email.
In addition, make certain that you never respond to false messages claiming to be a response for the help you never requested. Delete these before ever opening them because they could contain links to malware that would destroy your computer. The best way to combat bad links is to use legitimate means to find them. For example, don't follow the link in an email if you want to verify it. Instead, use a Google search because it is extremely unlikely that an attacker with a fake website has beaten legitimate websites in SEO endeavors to rise to the top of the search rankings.
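The "make sure the URL link matches the company's website verbatim" advice above, turned into a check you can run over an e-mail body. This is an added Python example, not material from the book: it pulls every link out of the HTML, compares the real destination in the href against the domain you expect, flags visible link text that shows a different address than the one it points to, and flags plain-http links. The sample e-mail, the .example domains, the bank name and all function names are constructed for the illustration; the registered-domain logic is deliberately simplified (last two labels) and would need the public suffix list for real use.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HTML body of an e-mail that claims to come from a bank the
# reader does business with. All domains are .example placeholders; this is an added
# illustration, not the book's material.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, a reporting error affected your account. Please verify now:</p>
<a href="http://examplebank.example.verify-login.example/auth">https://www.examplebank.example/login</a>
<p>Or call our help desk at 555-0100 within 24 hours.</p>
"""

# Matches each anchor's href and visible text; adequate for e-mail bodies, not a full parser.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url):
    """Host part of a URL, lower-cased; empty string if there is none."""
    return urlparse(url.strip()).hostname or ""


def registered_domain(host):
    """Crude 'the company's domain' extraction: the last two labels, so
    www.examplebank.example -> examplebank.example. Real code should use the
    public suffix list (co.uk and friends); the demo keeps it simple."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(email_html, expected_domain):
    """Return one finding per link that fails the 'matches the company's website
    verbatim' test: the real destination is outside expected_domain, the visible
    URL disagrees with the href, or the link is plain http."""
    findings = []
    expected = expected_domain.lower()
    for href, text in LINK_RE.findall(email_html):
        href_host = host_of(href)
        visible = TAG_RE.sub("", text).strip()
        reasons = []
        if registered_domain(href_host) != expected:
            reasons.append(f"destination host {href_host!r} is not under {expected}")
        if visible.lower().startswith(("http://", "https://")) and host_of(visible) != href_host:
            reasons.append("visible URL text differs from the actual href")
        if urlparse(href.strip()).scheme.lower() == "http":
            reasons.append("link uses plain http rather than https")
        if reasons:
            findings.append({"href": href, "text": visible, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML, "examplebank.example"):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Note how the sample link begins with the bank's real name: the domain that actually answers is the last two labels, verify-login.example, and the bank's name is just a subdomain of the attacker's site. That is the pattern the naked eye misses and the check catches. The urgency in the surrounding text ("within 24 hours") is the other tell the chapter describes, and it is best judged by a person rather than a regex.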
Chapter 14 – Man-In-The-Middle Attacks
Man-in-the-middle attacks are extremely dangerous for end users because a successful attack will allow a hacker to view all of the data that a user is sending over the network. If the user is setting up a connection to a VPN server, the hacker will be able to capture their key to decipher their encrypted messages. In addition, the hacker will be able to see all of the websites the user visits as well as steal information such as usernames, passwords, and even payment card data.
An attacker performs this exploit by tricking the target's computer into thinking that the attacker's computer is the default gateway or intended destination for data transmissions. For example, let's say that you wanted to do a Google search. Normally, your data would be sent to your default gateway (e.g. your wireless router), routed through the public Internet, and then reach one of Google's servers. However, with a man-in-the-middle attack, your data would first be sent to a hacker somewhere in the middle of the process before reaching Google's servers.
These attacks are extremely problematic because it is very difficult to determine that your data is being sent to a hacker before it reaches the intended destination. Hackers know this, and their goal is to sit back quietly and discreetly listen to all of the traffic you are sending without your knowledge.
Though there are many ways to initiate this type of attack, such as with a DNS attack that redirects information to a hacker's IP address, they are most frequently carried out with a process called ARP spoofing. If you remember, I had introduced you to the concept of ARP in chapter 5. If you don't remember, realize that ARP is the process that links a layer 2 address (MAC address) with a layer 3 address (IP address).
With ARP spoofing, the goal is to trick the target host into thinking that the hacker's MAC address is bound to the default gateway's IP address. That way the target will send any data that is not destined for a device on the local network to the hacker first. In turn, the hacker will then send the target's data to the default gateway and out to the public Internet.
While the basics of understanding a man-in-the-middle attack using ARP spoofing are rather basic and straightforward, ARP spoofing is only half of the battle. Once you have tricked a client into sending you their data, how do you see and read what they have sent? This brings us to the idea of tools called packet sniffers. A packet sniffer will be able to show you all of the data flowing over your computer's network interface card. The details of the information contained in the packet sniffer data are rather complex, but you can sort through all of the data using filters. One of the easiest packet sniffers to use is Wireshark on Windows, but Linux also contains some great packet sniffing programs that integrate with the terminal. You even have the ability to store and save all of the data you have collected from a target and you can sift through the information at your own leisure.
As this is an advanced topic, you likely won't understand all of the various protocols you see in the data collected from your packet sniffer. However, as a demo aimed at beginners, you can sort through the data by filtering results for port 80 (HTTP) which will show you the IP addresses of the web servers the target is connecting to. Basically, this will show you every website the victim visited as well as other information such as usernames and passwords.
Though some are sent in plain text and you can read them from your packet sniffer, many will be encrypted. Your packet sniffer can record these keys and then you can use other utilities to crack their passwords, but this is a little harder and impractical unless you want to become a black hat hacker. So, for those reasons, I will show you how to initiate a man-in-the-middle attack with ARP spoofing and how to use a packet sniffer to see what websites a target is connecting to. Also, understand that packet sniffing on a wireless interface is a little different than sniffing on an Ethernet interface. For that reason, this demo will show you how to perform the attack on a wired Ethernet interface.
How to Perform a Man-In-The-Middle Attack
To start the attack, we first need to successfully spoof an ARP binding. To do so, we are going to use a tool on Kali Linux called ‘arpspoof.’ The syntax for this command is as follows:
- sudo arpspoof -i eth0 -t [TARGET ADDRESS] [DEFAULT GATEWAY ADDRESS]
So, if you wanted to trick a host on your local network with the address of 192.168.1.10 into thinking you were the default gateway, the command would look like this:
- sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1
If you don't know your default gateway address, just use the ipconfig command in Windows or ifconfig in Linux. If you didn't know of any valid host IP addresses to target, you could simply issue a simple ping sweep using NMAP as we did in chapter 7. The command listed above will trick the 192.168.1.10 host into believing your computer's MAC address is associated with the default gateway's IP address of 192.168.1.1. At this point your terminal window will continually spit out lines of output confirming that the spoofing process is succeeding, so you will need to open another terminal window to proceed with the attack.
But there's just one problem. You have only done half of the spoofing attack. At this point, your target thinks that you are the default gateway, but this isn't true in the reverse process. That is to say that the default gateway doesn't think you are the target host! So, in your new terminal window we are going to need to start another ARP spoofing procedure. The syntax will be the same, except the target and default gateway addresses will be swapped as follows:
- sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.10
At this point in the attack, you have fooled both the default gateway into thinking that you are the target host and you have fooled the target into thinking that you are the default gateway. Now all you need is for the target to transmit data and to inspect that data on your computer. There are some higher level tools that will actually capture the data you catch during the process instead of dumping it as raw data into a text file, but packet sniffers offer a wealth of information too. Remember to keep both of the previous terminal windows open as they are still constantly running the ARP spoofing process.
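What the two-direction spoof just described looks like from the defender's side, as an added Python example that is not from the book. The monitor keeps the IP-to-MAC bindings it learns from ARP replies and raises an alert when a binding flips (the gateway's IP suddenly answering from a new MAC) or when a single MAC answers for the gateway and for another host at once, which is exactly what running arpspoof in both directions produces. The gateway and host addresses are the chapter's 192.168.1.x examples; the MAC addresses, the reply sequence and all names are constructed for the illustration, and the feed of replies is assumed to come from a capture on the target host itself or on a switch mirror port.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # the chapter's example default gateway

# Constructed ARP replies (sender IP, sender MAC) in the order a monitor on the
# target host might see them. The first three are the normal state of the LAN; the
# rest show one MAC taking over both the gateway's IP and another host's IP, which is
# what the two-directional spoof described above looks like from the wire. MACs are
# made up for the example; this is an added illustration, not the book's code.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1",  "aa:bb:cc:00:00:99"),
    ("192.168.1.10", "aa:bb:cc:00:00:99"),
    ("192.168.1.1",  "aa:bb:cc:00:00:99"),
]


class ArpMonitor:
    """Tracks IP-to-MAC bindings learned from ARP replies and raises an alert when a
    binding flips or when one MAC claims more than one IP including the gateway."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.bindings = {}                  # ip -> MAC first learned for it
        self.ips_by_mac = defaultdict(set)  # mac -> every IP it has answered for
        self.alerts = []                    # (severity, message) in order raised
        self._seen = set()                  # de-duplicate repeated alerts

    def _alert(self, severity, message):
        if message not in self._seen:
            self._seen.add(message)
            self.alerts.append((severity, message))

    def observe(self, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac           # first time we hear this IP
        elif known != mac:
            severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self._alert(severity, f"{ip} moved from {known} to {mac}")
        self.ips_by_mac[mac].add(ip)
        claimed = self.ips_by_mac[mac]
        if self.gateway_ip in claimed and len(claimed) > 1:
            others = sorted(claimed - {self.gateway_ip})
            self._alert("HIGH", f"{mac} answers for the gateway and for {others}")
        return self.alerts


def run_demo(replies=SAMPLE_ARP_REPLIES, gateway_ip=GATEWAY_IP):
    """Feed the constructed replies through a monitor and return the alerts raised."""
    monitor = ArpMonitor(gateway_ip)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for severity, message in run_demo():
        print(severity, message)
```

A single gateway binding change can be legitimate (the router was replaced), so the flip on its own is only a prompt to look; one MAC answering for the gateway and another host at the same time has no everyday explanation on a home or office LAN. The same logic is what tools such as arpwatch implement, and on managed switches the equivalent control is dynamic ARP inspection, which drops replies that do not match the DHCP lease table; a static ARP entry for the gateway on critical hosts is the low-tech version.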
If you want to use a high level tool to see the data a target is searching for online that isn't too complex, you might be interested in driftnet. Driftnet is a tool that – while far from perfect – is a great way for newbies to try their hand at a man-in-the-middle attack and view data such as audio files, graphics, and MPEG4 images and automatically display them in the GUI. To use driftnet, which is packaged with Kali, run the following command:
- sudo driftnet -i eth0
If you are doing this demo in your home network environment (as I instructed you to do many times already), try running the driftnet command. Then do a quick Google image search on the target device. The attacking computer that sits in the middle should be able to see all of the images that the target device is viewing. Pretty neat, huh? The problem though is that people can abuse these types of attacks to get away with murder and steal some truly sensitive information. Again, I caution you not to use this technique outside of your own home because the consequences could be very severe!
Lastly, if you want to dig a little deeper with these types of attacks, you would want to use a packet sniffer and dig into the raw data that your attacking computer is gathering. You can see a lot more than simple images, and once you dig into the transmission protocols you can find data such as login information, data a user has entered into fields on a web form, and just about every single thing they do online!
Chapter 15: Cracking Passwords
Though you might not think so at first, your email is actually one of the most dangerous accounts to lose to a hacker. The reason being that there is so much personal information stored in your inbox. Once an attacker has access to your email account, you're in for a world of hurt because they will be able to see and intercept all of the messages that reach your inbox. Worse yet is the idea that they now have a way to impersonate you. If they wanted to, an attacker could trick other people in your address book into forfeiting additional information by using your identity to request that information.
Furthermore, there is going to be a ton of sensitive data linked with your email account. Websites today are getting pretty complex, and there are a lot of ways to link a user's login credentials and web activity with their email address. For example, there will likely be emails and promotions from sites that you have already done business with sitting in your inbox or spam folder. This gives an attacker clues as to where he or she can look to uncover additional information. They may also be able to see what purchases you have made with online sites such as Amazon.
Password Cracking
While all of these scenarios are terrible, by far the worst advantage an attacker gains is the ability to further hack your passwords. There are several techniques an attacker can employ, but they all exist to steal your credentials to escalate their privileges. For example, who knows what an attacker might purchase if he or she had access to your Amazon account and payment card data?
Now that you have a basic understanding of how critical secure passwords are and the consequences of what an attacker can do once they get your password, let's look at the basics. I'm sure that cracking passwords sounds cool and really complicated, but some of the methods used are unbelievably simple and even a little anticlimactic.
As commonly mentioned throughout this book, don't try to hack someone else's passwords because the consequences can be terrible if you get caught. Don't try to hack into a person's email and see how many of their accounts you can break into just for the hell of it; that would be a huge breach of privacy and I shudder to think what might happen if you get caught stealing someone's payment card data.
To be honest, it would be pretty difficult for a single user who doesn't have knowledge of information technology to discover how their account was hacked in the first place, but in a corporate or professional setting the I.T. department would have numerous tools to track electronic transactions and discern what IP address the attack or attempt was made from.
The first, and simplest, technique for gaining a user's password assumes that you already have access to their email account. Most users typically only have one main email account that they use, but there could be several. Anyway, after you have obtained access to their email you can use the password recovery mechanisms built into most online accounts. While most people choose to cache their usernames in their browser so they don't need to reenter them every time they log into a website, you don't even need to know their username. You see, most websites provide an account recovery feature that allows a user to input their email address to receive their username and password.
Some sites require that the account recovery feature erases the old password and generates a new and random password, but all of this information is communicated via email. So, if an attacker controlled an end user's email account and wanted access to their bank's website, Amazon account, social media accounts, or just about anything else, all the attacker has to do is browse to the given website and perform the steps necessary for account recovery. This is an extremely quick process, and in a matter of minutes an attacker could easily gain access to the most critical sites that the user visits.
While this may not be a sexy process, it sure gets the job done and can ruin an individual's personal security. However, this is just the simplest measure to crack passwords and it presents a problem. How did you gain access to their email in the first place? There are countless other ways that an attacker can crack passwords to first gain access to the email account. For example, if a user isn't very technically inclined, it is a safe bet that they don't understand anything about password complexity. Though they think they are being clever, users are making a huge mistake when they make their passwords their birthday, the name of their dog, or other easy to guess pieces of information.
Other times, these simple-minded users will actually write their passwords down near their computer or plaster a sticky note on their monitor. It is even possible to trick these people into forfeiting their email passwords with social engineering. All of these methods are easier to use than you might think, and it gives an attacker a foothold into the rest of their user accounts.
PasswordCrackingUtilities
Therearemanydifferentpasswordcrackingutilitiestotakeadvantageof,butwearegoingtotakeabrieflookatthemostpopularpiecesofsoftware.Hackerswillemployseveralofthesetoolsinconjunctionwithoneanothertofacilitatetheirattacks.Theysimplydon’tstartwithabruteforceattackbecausepasswordscanoftenbefoundusingquickermethods.Withthatsaid,abruteforceattackisusuallythelastresortwhenothermethodshavealreadyfailed.
John the Ripper
John the Ripper is probably one of the most famous and revered password cracking utilities in hacker communities. It is highly efficient and effective, but it does suffer from one fatal flaw that often keeps it out of the hands and minds of newbies: it was developed for Linux. Though it does have ported versions, keep in mind that it is natively a Linux application.
Because some of these tools are exclusively built with Linux in mind, you will surely need to get your feet wet with the Linux operating system to become a competent hacker. By now you should have already set up a Linux environment to run through some of the demonstrations in this book using VMWare. If you haven't already, it is high time to build your first Linux environment.
As with most powerful Linux software, this program is run from the command line and can be a little scary if you aren't already used to working from the command line. But that's just part of the learning curve; once you get comfortable in this environment, you'll be able to run all kinds of software that is far more powerful than the basic GUI software you might find in a Windows environment. However, there is also a version of this software for Mac devices, since Macs derive from an old and powerful UNIX distribution called BSD.
One extremely handy feature of this software is the method it uses to crack passwords by automating the process. To start, it will begin with a dictionary-based attack. If that fails, it will move on to a hybrid approach to crack passwords. If even the hybrid approach fails as well, it will resort to a brute force attack.
Ophcrack
Ophcrack is the first of the password cracking tools we will discuss, and like many of these tools, it is free to download and use. It can be used to crack passwords on a variety of operating systems, but this tool has gained most favor from hackers that are attempting to crack Windows passwords. However, it can still be used to facilitate attacks on Linux and Mac passwords. Though it does have simpler and more effective algorithms, this piece of software will also allow a user to perform a brute force attack. Lastly, it even has a feature that will allow you to create a live boot image.
L0phtcrack
L0phtcrack is really a suite of software that allows you to perform many different password functions. For example, it can be used to audit password strength and complexity to bolster your security efforts. Given the range of functions this software provides, it is frequently used by computer security firms as well as governmental organizations such as the military. Not only can it run on versions of Windows that are higher than Windows XP, it can also run on some Linux and BSD distributions. Like other password cracking utilities, it will allow an attacker or security expert to run both dictionary-based attacks and brute force attacks.
Cain & Abel
Cain & Abel is another popular password cracking utility. Its features go beyond the ability to crack basic passwords or operating system passwords, and it even has some features that aid in the process of wireless security-key cracking. However, it can only be used in a Windows environment, and it allows users to crack passwords that have been hashed or encoded in various formats and protocols such as MySQL, Oracle, MD5, SHA1, SHA2, and various wireless encryption algorithms.
As with the other utilities, this software will perform a variety of different password cracking methods such as dictionary attacks, rainbow table attacks, and brute force attacks. One extremely useful feature of this software is that you can set parameters to fine-tune the brute force attack, such as the length of the password you are trying to crack. This has the ability to eliminate millions of potential password combinations that would otherwise drastically multiply the length of time needed to carry out the attack.
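The dictionary, hybrid and brute force stages described for John the Ripper above, and the length fine-tuning described for Cain & Abel, both come down to how many candidates a tool must try before it reaches your password. The following Python example is added here as an illustration and is not code from the book or from any of the tools it names. It lets you audit a password you are choosing: it reports which stage would recover it against a small constructed wordlist (a stand-in for a real dictionary file), and it counts the brute force keyspace for an exact length versus all lengths up to it, so you can see what a length hint buys an attacker and why a long password with several character classes holds up. The wordlist, suffix list, substitutions and guess rate are all assumptions of the example.

```python
import string

# Constructed stand-in for a dictionary wordlist, plus the suffix and
# letter-substitution rules a "hybrid" stage tries (assumptions of this example;
# a real audit would load a full wordlist).
COMMON_WORDS = {"password", "letmein", "welcome", "fluffy", "summer", "dragon"}
COMMON_SUFFIXES = ["", "1", "12", "123", "!", "2015", "1!"]
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)


def classify_password(password):
    """Return the first stage of a dictionary -> hybrid -> brute-force strategy
    that would recover this password against the constructed wordlist."""
    lowered = password.lower()
    if lowered in COMMON_WORDS:
        return "dictionary"
    # Hybrid stage: a dictionary word with a short suffix, with or without
    # leetspeak substitutions undone.
    normalized = lowered.translate(SUBSTITUTIONS)
    for candidate in (lowered, normalized):
        for word in COMMON_WORDS:
            if candidate.startswith(word) and candidate[len(word):] in COMMON_SUFFIXES:
                return "hybrid"
    return "brute-force"


def charset_size(password):
    """Size of the smallest set of standard character classes covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_keyspace(charset, min_len, max_len):
    """Candidates an exhaustive search must cover for lengths min_len..max_len.
    Fixing the length (min_len == max_len) is the fine-tuning the text
    describes: every shorter candidate is dropped from the search."""
    return sum(charset ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to walk the whole keyspace at a given guess rate."""
    return keyspace / guesses_per_second


def audit(password, guesses_per_second=1e9):
    """One report for a password you are considering; the guess rate is a
    constructed figure, not a measurement of any particular tool."""
    n = len(password)
    cs = charset_size(password)
    return {
        "stage": classify_password(password),
        "charset": cs,
        "keyspace_exact_length": brute_force_keyspace(cs, n, n),
        "keyspace_up_to_length": brute_force_keyspace(cs, 1, n),
        "worst_case_seconds": seconds_to_exhaust(
            brute_force_keyspace(cs, 1, n), guesses_per_second
        ),
    }


if __name__ == "__main__":
    for pw in ("Fluffy", "fluffy123", "Dr4gon!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, audit(pw))
```

The point of the two keyspace figures is that a length hint shrinks the search only modestly for a single length (lengths 1..8 over lowercase letters cost about 4% more than length 8 alone), whereas each extra character multiplies the work by the charset size; that is why the advice later in this book to make passwords as long as possible matters more than any single special character.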
In Summary
These tools aren't incredibly difficult to use, but most users don't have any clue that they exist. Really, all of the hard work has been done already by the expert programmers who created this software. All that's left to do is for it to be used by an experienced hacker. Tools like these are so easy to use that teenagers with little experience in the real world can find ways to use them to hack into other people's computers. Though I wouldn't recommend using these tools for evil, they are certainly fun to use in a home environment.
Chapter 16 – Protecting Yourself from Hackers
At this point in the book you have probably already asked yourself at least once, "What can I do to protect myself from hackers?" The good news is that there are a lot of easy and simple measures you can take that will drastically reduce your chance of being hacked by a nefarious black hat hacker on the Internet. This chapter focuses on the different strategies you can use to make your computer and home network more secure. For those of you who are very technologically savvy, a few of these might seem like no-brainers. However, you would be surprised how many people fail to implement even the simplest measures regarding their Internet security.
Software Updates
Software updates are crucial to protecting yourself from hackers, but too many people ignore updates. Most operating systems have an automatic update setting that will automatically download and install patches to the operating system. The problem is that most people are apathetic or just plain lazy and they don't want to take the time to install the updates. And why not? To be honest, it's a bit of an inconvenience to some people. You might be right in the middle of a large project or your workday, and installing updates requires that you reboot your computer and wait for an unknown amount of time while the operating system installs the patches. But I've got news for you – you need to take great care to install updates as soon as humanly possible.
Even after some of the viruses mentioned in chapter 3 were discovered and patched, there were still millions of computers that still contained vulnerabilities, all because the users failed to update their software. If everyone had installed the updates as they came out, the viruses would have been stopped dead in their tracks.
Change Default Usernames and Passwords
Too many people don't think twice about changing the default usernames and passwords on their networking equipment. While most people try to create unique usernames and passwords for their personal computers, they often forget to secure network devices, wireless routers, and even their printers. Wake up, people: hackers not only have ways to perform password attacks, but they already know how to find the default usernames and passwords to your wireless router in a matter of seconds.
Furthermore, some people fail to secure their Wi-Fi network. Instead of using a security algorithm that will make it hard for attackers to join their network subnet, they give them an open door and invite them to come inside. Some, but not all, wireless routers don't include a default wireless password.
Worse yet, when people are initially configuring their wireless routers, they fail to add a password to their Wi-Fi. You simply can't leave these values at their defaults if you hope to protect yourself from online attacks. Lastly, most wireless home routers have an option in the configuration that determines who can remotely manage the device. If you lock down this setting to a specific IP address, hackers won't be able to log into your wireless router even if they know the username and password!
Use Strong Passwords
Not only should you create unique usernames and passwords for your devices that are different from the default values, but you should also make your passwords strong. You can do this by making them as long as possible and by including numbers, letters, and special characters. Though it's true that hackers have ways to perform dictionary and brute force attacks whereby they try to go through every possible combination to find the correct password for a system, know that these techniques don't work in every situation. Some websites and networking devices have built-in protection against brute force attacks that doesn't allow you to attempt to log in for a certain time period after a specified number of failed login attempts. Password security is a huge area of study, and most hackers know what types of data users incorporate into their passwords to remember them more easily. So don't make your street address, family pet's name, or birthdays part of your passwords.
Oh, and don't be one of those jokers that has their password written on a sticky note that is attached to your monitor. A hacker implementing social engineering wouldn't even have to try. You're making it too easy for them by displaying your passwords for all the world to see. In addition, make sure that you don't store your passwords in plain text files or other types of files that aren't encrypted. If a hacker does steal some of your data and they get their hands on a file that contains usernames and passwords to other sites and services, you're in for a world of hurt.
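Two of the protections this section describes, locking an account out after a set number of failed logins and never keeping passwords in a plain text file, can be seen in a small login backend. The Python below is an added example and is not code from the book; it uses only the standard library. Each password is stored as a salted PBKDF2-HMAC-SHA256 digest (the iteration count and salt size are this example's own choices), so a stolen credential file cannot simply be read, and an account is refused for a lockout window once a chosen number of wrong guesses has been seen, even if the next guess is correct. The `now` parameter is injectable only so the window can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed parameters for this example, not values from any product or the book.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt: Optional[bytes] = None):
    """Derive a slow, salted digest. Returns (salt, digest); a fresh random
    salt is drawn when none is supplied, so equal passwords do not share digests."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class CredentialStore:
    """Minimal login backend: salted PBKDF2 hashes plus a lockout for
    lockout_seconds after max_failures consecutive wrong guesses."""

    def __init__(self, max_failures=5, lockout_seconds=300.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._users = {}         # username -> (salt, digest); no plaintext is kept
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> time at which the lockout ends

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def is_locked(self, username, now: Optional[float] = None):
        now = time.time() if now is None else now
        return self._locked_until.get(username, 0.0) > now

    def login(self, username, password, now: Optional[float] = None):
        """True only for a correct password on an account that is not locked out."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return False  # a correct password is refused during the lockout window
        record = self._users.get(username)
        if record is None:
            # Unknown user: do the same amount of work so response time does not
            # reveal which usernames exist.
            hash_password(password, salt=b"\x00" * SALT_BYTES)
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            self._failures.pop(username, None)
            return True
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)
        return False


if __name__ == "__main__":
    store = CredentialStore(max_failures=3, lockout_seconds=300)
    store.register("alice", "correct horse battery staple")
    for guess in ("fluffy", "fluffy1", "fluffy123"):
        print("wrong guess accepted?", store.login("alice", guess, now=0))
    print("locked out:", store.is_locked("alice", now=1))
    print("right password during lockout:", store.login("alice", "correct horse battery staple", now=1))
    print("right password after lockout:", store.login("alice", "correct horse battery staple", now=400))
```

A website or router that behaves this way is what the text means by built-in protection against brute force attacks: the third wrong guess within the window costs the attacker five minutes rather than a few microseconds, which is why guessing-based techniques do not work in every situation.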
Properly Configure Your Firewalls
Firewalls are a critical part of any security solution designed to protect users from hackers, and you need to make sure that your firewall is configured correctly. In the past, I have seen some people struggle with opening the right ports to get their software configured correctly. One area this happens a lot is with gaming.
Many games need specific ports opened that aren't well known, and in a fit of madness and frustration, users choose to open all the ports on their firewall to make their game work correctly. This is a colossal mistake, because it will allow hackers to penetrate your network firewall if none of the ports are blocked. If you have problems getting a game to work on your home network, just do a quick Google search to see which port needs to be opened!
Furthermore, many people fail to take advantage of software firewalls. While many hardware firewalls have most of the ports blocked by default and do a good job of protecting a local area network, few people protect themselves with a firewall on their host computer. If you are a Windows user, whether you know it or not you already have a software firewall that will add an extra layer of protection between you and black hat hackers. Though sometimes it is appropriate to disable your software firewall to allow a program to function correctly, you always need to remember to re-enable it after you have finished your work.
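The practical counterpart to "open only the port the game needs" is checking, from time to time, what your own computer is actually listening on and comparing that with what you meant to expose. The Python below is an added example, not code from the book. It parses listener lines in the layout printed by the Linux `ss -tln` command (the sample text is constructed for the example; on a real machine you would feed in the command's actual output), ignores services bound to the loopback address, which are not reachable from the network anyway, and reports every other port that is not on your allow list.

```python
import re

# Constructed sample in the column layout of `ss -tln` output (assumption of this
# example). Port 22 is a service we chose to expose; 5432 is bound to loopback only;
# 27015 is a game port that was opened; 8080 is a forgotten test server.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:27015       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      128    *:8080              *:*
"""

# State, two queue counters, then local address and port; the address may be
# IPv4, bracketed IPv6, or "*".
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_listeners(text):
    """Return (local_address, port) for every LISTEN line in the text."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def unexpected_exposure(text, allowed_ports):
    """Ports reachable from other hosts that are not on the allow list, sorted."""
    exposed = set()
    for address, port in parse_listeners(text):
        if address in LOOPBACK:
            continue  # only this machine can talk to a loopback listener
        if port not in allowed_ports:
            exposed.add(port)
    return sorted(exposed)


if __name__ == "__main__":
    # Allow list: the ports you deliberately opened on the firewall.
    print("unexpected:", unexpected_exposure(SAMPLE_LISTENERS, {22, 27015}))
```

Anything the check reports is either a service you forgot was running or a port you should be filtering at the host firewall; re-enabling the software firewall after a game session, as the text advises, is the simplest way to make such a listener unreachable again.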
Antivirus and Antimalware Software Solutions
If you do get hacked and a hacker manages to hack your system with a virus or a Trojan, how will you know it exists without antivirus and antimalware software? Using a computer without security software is like begging for an attacker to steal your personal information.
But it doesn't stop there. It has been said many times before, but understand that torrents are frequently used as a distribution system for viruses. Too many people have fallen victim to a hacker's virus because they wanted to watch some video content without paying for it. If you download torrents without antivirus software, you're just asking for trouble. If you do have antivirus software, you can scan the files you download before opening them to detect any potential malicious code embedded in your download and avoid a computing crisis. For that matter, you should scan every download before you open it. You never know what could be hiding in an innocent-looking file.
Using VPNs
If you aren't aware of VPN tunnels, you need to know the immense value they bring to the table. A VPN (Virtual Private Network) is essentially a service that encrypts all data communications between two endpoints – effectively making it impossible for a hacker, governmental agency, or petty Internet crook to unscramble and decipher the data. This guide isn't promotional material for VPN providers, but the fact of the matter is that they can prevent you from getting hacked. Not only that, but they can stop the government from stealing your data. As a result of the information leaked by Edward Snowden, the US government and the N.S.A. have been found to be capturing emails, photos, telephone calls, instant messages, and many other types of data transmissions in an effort to prevent terrorist-related activities. However, the N.S.A. has stated that they haven't found any information that has stopped even one terrorist-related event. By encrypting your data, you will make it safe from hackers around the world while it is in transit through the public Internet.
Backing Up Your Data
You might think that backing up your data is only a measure to protect yourself from hardware failure. While it does certainly help you out a ton if your computer fries, you should know that using backup software will protect you from black hat attacks as well. Some of the more sophisticated attacks damage and corrupt files, or even embed malicious code into common everyday files such as Word documents. By keeping a backup copy, you can rest assured that you will have a clean and virus-free copy of your data in the event of an attack. Remember the CryptoLocker virus in chapter 3? If only the users had backed up their data, they wouldn't have had to worry about paying an Internet huckster loads of money to reclaim their data by means of ransom.
Web Browser Security
There are also a lot of things you can change in your web browser that will drastically reduce the chance of a successful attack. As we discussed earlier, hackers can use malicious scripts to steal cookie and web browser data in order to steal the passwords to various sites.
Make sure you don't save and cache all of your username and password information in your web browser when visiting your favorite sites on the Internet. This is a huge no-no, because you are leaving low-hanging fruit ripe for the picking within the grasp of black hat hackers and Internet thieves. You're also a lot better off if you disable cookies in the first place. By disabling cookies, you can circumvent a whole range of different online attacks and nip them in the bud before they become a real problem.
It's best to keep your web browser as light and streamlined as possible, because the more data you save in your browser, the greater the chance that someone will be able to steal your information. Also consider that you should frequently clear your history as well. This provides a veritable audit trail, and an attacker could use this information to see every website you have visited on the Internet.
Final Thoughts
I want to make sure you understand that no code will ever be 100% infallible. Computers are created and manufactured by humans who are anything but perfect, and mistakes are always made. That is to say you run the risk of being attacked every time you fire up your computer and open your web browser – regardless of whether or not you have implemented these security practices.
In fact, they say that the most secure computing system is one that doesn't have the ability to connect to the Internet at all. However, implementing these security measures will make it much more difficult for an attacker to successfully compromise your computer. Think of using these security practices in the same light as risk aversion. For example, if someone is a vegetarian their whole life and they abstain from alcohol and smoking, the chance that they will develop a chronic or life-threatening disease is slim to none.
Though it is still possible, their lifestyle choices severely reduce their risk of disease. Likewise, implementing these security procedures works in much the same way. The ugly truth is that operating systems and websites contain flaws and errors that can be exploited by hackers. It's just a fact of life. But by strengthening your security, you make it much more difficult – if not impossible in some cases – for an attacker to successfully hack into your computer.