
Penetration Testing & Hacking Tutorials

Professor Kevin Curran

Contents

1. Linux & Pen Testing Environment Basics (p. 5)
  1.1 Finding your way around Kali (p. 5)
  1.2 Linux Basics & Linux Services (p. 9)
    1.2.1 Linux basic commands (p. 9)
    1.2.2 Text viewers and editors for Linux newbies (p. 10)
    1.2.3 SSHD (p. 11)
    1.2.4 Apache (p. 16)
  1.3 Parsing with Grep (p. 17)
    1.3.1 Sample Solution (p. 17)
  1.4 Netcat (p. 19)
    1.4.1 Connecting to a TCP/UDP port with Netcat (p. 19)
    1.4.2 Listening on a TCP/UDP port with Netcat (p. 22)
    1.4.3 Transferring files with Netcat (p. 24)
    1.4.4 Remote Administration with Netcat – Bind Shell (p. 26)
  1.5 Wireshark for Sniffing Packets (p. 28)
    1.5.1 Wireshark & Packet Sniffing Background (p. 28)
    1.5.2 Wireshark Step by Step (p. 28)
  1.6 Cross-site Scripting (p. 35)
    1.6.1 A basic example (p. 35)
    1.6.2 Persistent XSS payload (p. 37)
    1.6.3 Reflected XSS (p. 38)
    1.6.4 Preventing XSS Attacks (p. 39)
  1.7 Creating a Keylogger to Snoop (on your home PC) (p. 41)

2. Information Gathering Techniques (p. 44)
  2.1 Open Web Information Gathering (p. 44)
    2.1.1 Google Hacking (p. 44)
  2.2 Netcraft & Goohost (p. 50)
    2.2.1 Netcraft (p. 50)
    2.2.2 Goohost (p. 52)
    2.2.3 Whois Reconnaissance (p. 54)
  2.3 OWASP Joomla! Vulnerability Scanner (p. 56)
    2.3.1 Joomla! Command Line Scan (p. 56)
    2.3.3 WPScan – WordPress Security Scanner (p. 62)
    2.3.4 Plecost (p. 66)
    2.3.5 WhatWeb (p. 68)
    2.3.6 BlindElephant – Web Application Fingerprinter (p. 71)
    2.3.7 Intrusion Detection Systems Detection (p. 72)
  2.4 Snort for sniffing and logging packets (p. 74)
    2.4.1 Snort Overview (p. 75)
    2.4.2 Run Snort in Sniffer Mode (p. 76)
    2.4.3 Run Snort in Packet Logger Mode (p. 78)
    2.4.4 Running Snort in Network Intrusion Detection System Mode (p. 80)
    2.4.5 Setting Alert Rules (p. 82)
  2.5 Homework: How to Change Your MAC Address (p. 85)
    2.5.1 How to change your MAC address on Windows (p. 85)
    2.5.2 How to change your MAC address on Linux (p. 88)
  2.6 Documentation of Penetration Tests (p. 89)


3. Port Scanning (p. 90)
  3.1 Port Scanning Basics (p. 91)
  3.2 Nmap (p. 91)
    3.2.1 Network Sweeping (p. 93)
    3.2.2 Fingerprinting (p. 95)
    3.2.3 Banner Grabbing / Service Enumeration (p. 97)
    3.2.4 Nmap Scripting Engine (p. 98)
    3.2.5 FTP Brute Force Attack (p. 101)
    3.2.6 Exploiting an IRC Server (p. 103)
  3.3 Unicornscan (p. 107)
  3.4 Root Kit Hunter (p. 108)
    3.4.1 Root Kit Hunter (p. 108)
    3.4.2 Check Rootkit (p. 110)
  3.5 Load Balancing Detection (p. 112)
  3.6 OWASP ZAP – Web Application Testing (p. 113)
    3.6.1 MitM Proxy Attack (p. 116)
    3.6.2 Fuzzing with ZAP (p. 119)

4. Debugging and Exploit Development (p. 122)
  4.1 Debugging Fundamentals (p. 122)
    4.1.1 Opening and attaching to the debugging target application (p. 123)
    4.1.2 The OllyDbg CPU view (p. 126)
    4.1.3 The 20-second guide to x86 assembly language for exploit writers (p. 126)
  4.2 Exploit Development with OllyDbg (p. 132)
    4.2.1 Methods for directing code execution in the debugger (p. 132)
    4.2.2 The SEH Chain (p. 139)
    4.2.3 Searching for commands (p. 141)
    4.2.4 Searching through memory (p. 144)
    4.2.5 Working in the memory dump (p. 146)
    4.2.6 Editing code, memory and registers (p. 148)

5. Automated Information Gathering (p. 153)
  5.1 Shodan (p. 153)
    5.1.1 The Basics (p. 154)
    5.1.2 Banners (p. 159)
    5.1.3 Default Passwords (p. 160)
    5.1.4 Filters (p. 161)
  5.2 Remaining Anonymous on the Internet with the Tor Browser (p. 163)
  5.3 HTML5 Security (p. 165)
    5.3.1 Browser History (p. 165)
    5.3.2 SVG (p. 166)
  5.4 FOCA (p. 168)

6. ARP Spoofing & Tunnelling (p. 171)
  6.1 Ettercap: Snooping on other traffic in the lab through an ARP poison attack (p. 171)
  6.2 Denial of Service Attacks (For outside University Trial Only) (p. 179)

7. Web Application Attack Vectors (p. 181)
  7.1 Abusing File Upload on a Vulnerable Web Server (p. 183)
  7.2 Cross-site Request Forgery (p. 190)
  7.3 SQL & Cross-Site Scripting Vulnerabilities (p. 196)
    7.3.1 SQL Injection Vulnerabilities (p. 196)
    7.3.3 Testing Web Applications to Find SQL Injection Vulnerabilities (p. 200)
  7.4 Cross Site Scripting (XSS) Reflected Attack (p. 204)


8. Web Application Testing (p. 209)
  8.1 Web Application Testing with Burp Suite (p. 209)
    8.1.1 Proxy (p. 211)
    8.1.2 Spider (p. 214)
    8.1.3 Intruder (p. 217)
    8.1.4 Repeater (p. 222)
    8.1.5 Comparer (p. 224)
  8.2 Generating a PHP Shell with Weevely (p. 226)

9. Password Attacks (p. 229)
  9.1 Password Cracking with Wordlists – Crunch (p. 230)
  9.2 Dictionary attacks with John the Ripper (p. 236)
  9.3 Cracking Passwords with the rockyou.txt Wordlist (p. 241)
  9.4 Online Password Attacks (p. 244)
  9.5 Hydra (p. 246)
    9.5.1 FTP Brute Force (p. 246)
  9.6 Password Profiling (p. 247)
    9.6.1 CeWL (p. 247)
  9.7 Dictionary Attack with Burp Suite (p. 248)
    9.7.1 Set up Burp Suite to intercept traffic (p. 248)
    9.7.2 Dictionary Attack Demo with Burp Intruder (p. 249)
  9.8 CPU & GPU Password Cracking (p. 254)
    9.8.1 CPU Password Cracking with Cain & Abel (p. 256)
  9.9 NTLM Hash Password Cracking (p. 260)
  9.10 Hashing (p. 264)
    9.10.1 MD5 Hash Calculation (p. 264)
    9.10.2 SHA1 Hash Calculation (p. 265)
  9.11 GPG Public Key Generation (p. 266)
    9.11.1 Encrypting and Decrypting a message (p. 268)

10. Metasploit (p. 269)
  10.1 Metasploit Fundamentals (p. 270)
    10.1.1 Msfcli (p. 270)
    10.1.2 Msfconsole (p. 271)
    10.1.3 Samba Server Exploit (p. 272)
    10.1.4 Exploits & Payloads (p. 274)
    10.1.5 Databases (p. 274)
  10.2 Information Gathering (p. 276)
    10.2.1 Port Scanners (p. 276)
    10.2.2 Service Identification (p. 280)
    10.2.3 Password Sniffing (p. 282)
    10.2.4 SNMP Sweeping (p. 283)
  10.3 Vulnerability Scanning (p. 284)
    10.3.1 VNC Authentication (p. 284)
    10.3.2 WMAP Web Scanner (p. 285)
  10.4 Hacking Apache Tomcat (p. 288)
  10.5 Dictionary Attack on Metasploitable FTP & DVWA (p. 291)

11. Steganography (p. 293)
  11.1 Hiding an image inside an image (p. 293)
  11.2 Hiding information inside files (p. 296)
    11.2.1 Encoding information inside a PDF file (p. 296)
    11.2.2 Decoding the stego file (p. 299)
  11.3 Breaking Steganography – Detecting hidden information (p. 301)
  11.4 Inspecting Windows Auto-Start (p. 310)
    11.4.1 Autoruns (p. 310)
    11.4.2 Using Autoruns to Speed up a PC (p. 313)


12. Web Application Security (p. 317)
  This chapter reproduces an embedded training module with its own contents list; the module's internal page numbers are given first, followed by the page in this document.
    1. Environment Setup (module p. 2) (p. 317)
      1.1 Launching the training application (module p. 5) (p. 317)
    2. Enabling HTTPS step-by-step (module p. 7) (p. 317)

13. Wireless (p. 318)
  13.1 Cracking WEP with BackTrack (p. 318)
  13.2 Man-in-the-Middle (MITM) Attack using Wireless Bridging on BackTrack Linux (p. 323)
  13.3 Cracking WPA with Reaver (p. 325)

Appendix A – How to Change Your MAC Address (p. 330)
  A.1 How to change your MAC address on Windows (p. 330)
  A.2 How to change your MAC address on Linux (p. 332)

Appendix B – Tunneling: I2P Anonymous Network (p. 333)

Appendix C – Password Cracking with GPU (p. 338)