Hacking Website & Server

Hacking  Website & Server  

hacked2hiet1


This tutorial is meant for beginners. Anyhow, it might be useful for intermediate/experts too!


I'm going to provide the common methodology that is followed when hacking a machine/network/server. This tutorial will give you a good understanding & an overview about professional penetration test in ablack box (attacker) point of view. It is designed to give you the idea on how an attacker can break into your system, what am gonna say will increase your awareness & will open the door for you to go out & educate yourself easily. I gathered these info from various sources and tutorials, i have changed many stuff, clarified many parts, gave some references, and put many information together. I'm still a learner & on the way to my goal. However, this won't prevent from teaching others what i have learned so far & don't worry i'm not going to provide you any info that i'm not sure about yet. It is not the best tutorial out there, but at least it is a good starter. I will speak in a hacker (attacker or blackbox) point of view. I Am writing  this tutorial for educational purposes only.

Before you hack a system, you must decide what is your goal. Are you hacking to put the system down, gaining sensitive data, breaking into the system and taking the 'root' access, screwing up the system by formatting everything in it, discover vulns & see how you can exploit them, etc ... The point is you have to decide the goal.

The most common goals are:

1. breaking into the system & taking the admin privileges.
2. gaining sensitive data, such as credit cards, identification theft, etc.

You should have all the tools ready before you start taking the steps of hacking. There is a *nix version called backtrack. It is an OS that comes various set of security tools that helps you hacking systems (doing penetration test).
You should set the steps (methodology) that you have to take in your journey. There is a common methodology followed by hackers i will mention it below. However, you can create your own methodology if you know what u r doing.

Common steps to be taken for hacking a system:

1. Reconnaissance(footprinting).
2. Scanning.
3. Ports & Services Enumeration.
4. Vulnerability Assessment.
5. Vulnerability Exploitation.
6. Penetration and Access.
7. Privilege Escalation & owning the box.
8. Erase tracks.
9. Maintaining access.

The above methodology can change referring to your goals. Feel free comrades!

Before you break into a system, you have to collect as much info as you can. You have to study your target well before you hack. This step is called Reconnaissance. Reconnaissance is achieved by you using techniques & tools that undetectable by a target. You are gathering your target info that is publicly published, e.g. browse your target website & if they are looking for a SQL employee and Windows server admin, then you get a hint that they are running Windows Server & do SQL's, this is called a "passive" action. Lets an example of active action! Example of active action, call the company to obtain some info, visit the company, email employees to get some info, go to the target website & read its source code. In other words, passive action means you gather info in non-intrusive manner. Active action is a step further, such as talking to the company as you are a customer, things like that. It is not really important to know what action is passive & what is active, the main goal here to gather info! Simple ha? Good, let me go deeper little bit.

In passive reconnaissance, there is 0 chance of getting caught ;-), as you only target publicly available info to give you the feel on how your target look like. Type of info you can gather through passive recon. are, names, phones numbers, location address, partner networks, and many more. This can aid you when you want to do some social engineering! Hence, sometimes you can get some non-public info is revealed when you do passive reconnaissance. There are several tools helps you to do passive reconnaissance, such as whois (who is). Whois helps you obtain extensive info, such as names, domains of the target, etc. Other great tools are, Sam Spad, domaintools, and google(can reveal lots of target subdomians & many more).

Active reconnaissance goes beyond the passive nature, such as communicating with target without being caught, such as scanning. Anything not discovered in IDS(Intrusion Detection System) is considered active. You have to think of ways to extract info of the company in a normal way, public way by going deeper little bit than passive recon. e.g. you can go to the physical location do some social engineering, email staff, communicate with employees based on info's you have got in passive recons. Things like that!

Example of some techniques for active reconnaissance, such as banner grabbing, view company's public website source code and directory structure, social engineering, shoulder surfing, etc.

What the heck is banner grabbing?
You let the server sends you a block of information that tells you OS version of your target system & various association with it. Banner tells OS version n various association. Anything listens on a "port" can determine the operating system (OS) "the port" is running on, this called fingerprinting. In other words, fingerprinting is the process of determining the operating system (OS) or applications used by a remote target.

Quote:
Learn more about banner grabbing:

http://www.net-square.com/httprint/httprint_paper.html

Can you give a brief example of Social Engineering?

For example, you try to know where IT admin goes after business hours, then start go to the place he goes & build a relationship , start making a friend relationship to extract more info slowly but surely, things like that! you know what i mean.

What is shoulder surfing?
Simply, stands behind a person shoulder and see what the guy is doing & typing on keyboard. This can happen in wireless network area where everyone is using a laptop in public areas.

In summary, reconnaissance is one of the most important steps in hacking. The main concept is to gather all info that publicly available or easy obtainable. Info that we gather will help us in social engineering and research purpose which will lead you to very critical info about the system. It starts by obtaining names, phones, emails, IP range, domain structure, and so on.

Let me show you how banner grabbing is done, telnet on your target server on port 80 as following, go to command line or terminal and type

telnet xx.xxx.xxx.xxx 80

Now connection is established, that stupid server thinks you are web browser connected to it, it waits you to enter commands so the server can you give you info about your request. In this situation, you have to write a command that says "Hey you web server, give me a content of sucn and such website". However, we do not really want to visit the website through telnet, do you? You can just go to web browser & request the website from there. Our purpose here is to freak the server out enough, so it spits back a code that says, hey! this doesn't work but here is some info that might help you do some trouble shooting. This technique allows you to finger print various component of the target system.

Note: instead telnet xxx.xx.xxx.xx 80, you can do nc xxx.xx.xxx.xxx 80! Same thing ... nc stands for netcat ... xx.xxx.xx.xxx represents IP address of the target system.

After you do telnet xxx.xx.xxx.xxx 80, the remote sever will wait you to enter a command.

Type this:

HEAD / HTTP/1.0

Then you will get a reply looks similar to what you see in this link:

http://www.net-square.com/httprint/httprint_paper.html

Ok, you get it now?

lets say our target got the following version: the server runs: Apache/1.3.41 in UNIX box, running PHP/4.4.8

At this point if you know any vulnerability for this particular OS or this particular Apache or PHP. You can start doing the exploitation process ;-) ...

Another example, use program called sam-spade which gives you alot of the info about your target. The target does not know actually what we are doing against their server, since they haven't seen anything been triggered by IDS or Firewall.
*What is the difference between IDS & Firewall?
An IDS (Intrusion Detection System) may only detect and warn you of a violation of your privacy. Although most block major attacks, some probes or other attacks may just be noted and allowed through. There's also an evolution of the IDS called an IPS (Intrusion Prevention System) that watches for the same things an IDS does, but instead of just alerting, it blocks the traffic.

A good firewall will block almost all attacks unless specified otherwise or designed otherwise. The only problem is, the firewall might not warn you of the attacks and may just block them.

It may be a good idea to have both an IDS and a Firewall, because the IDS will warn you and then the firewall will block the attack. Over the years, firewalls got more complex and added more features. One of these features is actually IDS - today you can have a firewall that already has ID(Firewall/IDS's are combined into one internet security program).


Learn more about banner grabbing:

http://www.net-square.com/httprint/httprint_paper.html

To learn how to do through Google, you need like the following book:
http://www.amazon.com/exec/obidos/ASIN/ ... /ref=nosim

Note: the book in amazon is just an example for you to give you an idea of what kind of book you should be looking for - if you are interested.

Alright, now you at least have an idea of what reconnaissance is! lets talk about scanning...

When you scan your target's network, you actually start touching the system. Scanning a network determines whats in there, scanning network gives you the feel how is your target network is laid out such as if there are multiple subnets, which hosts are alive, check ports, see if system is alive, discover available hosts & get info about the discovered hosts. There are thousands of tools can be used to scan networks! Scanning a network can easily get picked up by IDS. Anyhow, no one will pay attention except if you do it over and over because scans happens on such a regular basis on the internet. Therefore, people who read the logs, i means the webmaster won't really pay attention to every single scan occurs, so you don't have to worry a lot. There are ways to avoid being picked up by IDS :-). After you finish scanning, you will gain a list of network nodes that exists there.

"Node" is an active electronic device that is attached to a network, and is capable of sending, receiving, or forwarding information over a communications channel. If you want to learn more, google it or visit http://en.wikipedia.org/wiki/Node_(networking) ...

Ok now we want to discover live hosts via scanning. This is the first action taken against your target network network. Depending on method of scanning you use, you can be detected by IDS. Most admins will ignore detections because it happens a lot unless something abnormal happens.

There are various scanner tools, e.g. nmap, superscan, and many more. There are various scan methods, some are stealthy, others are not.

Before i talk about various scanning methods, let me explain to you about TCP connections basics. When you scan your target using TCP communication, there are six TCP flags can be utilized during packet transmission(packets get transmitted during scanning process). A flag will indicate whether the sent packets are syn, ack, fin, urg, psh, or rst packets. These packets sets you in a position on how you want to communicate with the remote host. You can get different info depending on the flag you choose for the scanning.

TCP establishes three handshakes, syn, syn-ack, ack. What are they?
When you scan your target using TCP communication, you send a syn packet(syn request), and then target sends you back an ack packet with syn packet. Now, you send an ack packet to the target. So now both machines establish the connection well, like they have made a well established tunnel for a proper guaranteed communication without losing any packets during communicating with each other. A hacker can get caught easily if he uses this method to hack other systems illegally.

Hackers use non-standard combination of these six flags, which gives them info that are not normally available to the public.

Have you heard about syn flood?

syn flood is done by utilizing three handshake by sending "syn" request to the target, so the target receives a syn request and send an a syn-ack back to the originator(you). You ignore the target syn-ack request - when you ignore it, then the three handshakes is not completed, this is called half open TCP connection - In theory, when the target sends you syn-ack, the target allocates some RAM on its machine.

The amount of RAM on the target machine must be open until it gets response (ack packet) back from you because till now only two handshake has been made,so the TCP connection process is not completed yet. However, there is always a time limit for the RAM to be opened, so if 30 secs passed by & the target did not get the ack from you, the connection will abort(failed TCP handshake - timeout) & RAM will be reallocated.

The idea here is to send hell a lot of packets in few secs so in 30 secs, you can send 40 million packets(lets say one packet size is 1kb) which is heavy on the RAM since the RAM might not have enough memory to carry 40 million packets. Therefore, you force the target to make half open TCP connection attempts, so definitely the target machine will stop responding to legitimate request. In other words, if you send 40 million syn requests to that remote host, it's going to allocate a hell of a lot of ram for those requests. After a while, it's going to eat up all of the ram. Thus, target system goes down. This is called syn flood attack.

In short, syn flood attack makes the system (i.e. the IP stack or kernel) chokes on the memory allocations (or simply runs out of memory) or the target application (i.e. web server) chokes on the processing load. You got it? Or not yet?! Syn flood is an old technique i just mentioned it here for illustration purposes.

General Information: these days, SYN floods are used to make systems inaccessible. They have a limited number of half open connections, you use them all, and they can't accept any more SYNs. But again, modern software throws away old SYNs once the limit is reached. Note that different systems will behave differently.

If you interested in learning more about syn flood, visit

http://tools.ietf.org/html/rfc4987


Lets talk about the most common TCP Scan types. There are full scan, half open scan, stealth scan, Xmas scan, and ack scan.

full scan: this completes 3 way TCP. it is the most effective & gives more accurate results. However, it is not safe and easily traced and detected.

half open scan: it is the second most effective scanning method, only uses first part of the handshake to get syn-ack but does not send 3rd part (ack) back to the remote host. The idea here is if the remote replies back to you after you have sent syn request, this means the port - we sent the syn to - must be open.

stealth scan: the idea here is to scan ports randomly(not in sequential order) & reduce the speed of scanning. If you scan all port from 1 to 65536 in sequence, your more visible to be detected, and usually scanning happens so fast, which is unusual since regular program does not connect to port that fast, so this can make it easier to be detected. Therefore you have to scan ports randomly & reduce the speed of scanning. To avoid IDS, you should not use full connection scan with stealth scan, you can use half-open scan(syn). syn is considered a stealth scan. In fact, syn scan is called syn-stealth scan, or you can use Xmas scan with stealth scan which helps you to evade detection, things like that! you get my point i guess.

Xmas scan: uses fin, urg, and push flags which are used to bypass some firewalls. Xmas scan works with UNIX system, it does not work with Windows system.

ack scan: this helps you evading IDS not to get you detected. You send only an ack packet to your target, your target won't know how to deal with it since there was no handshake. Thus, ack scan causes open ports in your target machine to return a reset packet(rst), rst packet gives you a hint that the port or service is not filtered between point A and point B, which usually firewal resides in between! Since the port replied you with rst packet this means there is no firewall between A(your machine) & B(port or service on the target machine) and rst packet also gives you an insight that the target port is open ;-). If there is a firewall, your ack packet would not reach to the target port & because of that you won't get any rst packet. In addition, rst packet helps you indentify what system is running on the remote host.

These are the most common method of scans, there are hundreds of scanning methods! nmap allows you to set your own custom scan type e.g. instead of sending ack flags only, you can send ack flag and rst flag together and see what you get back from target ...

OK! we have talked about how TCP scanning works in general. Now, i will be talking about UDP & ICMP Scanning ... UDP and ICMP connections most of the times are blocked at the firewall level & even at the host level in some cases. We are going to scan on hosts & ports that respond via UDP. When you scan your target via UDP, there are many problem will occur during that process e.g. you can scan over the ports via UDP, assume you scanned port 1, and port 1 is closed, then host will send ICMP unreachable back to you, which gives an insight that port is closed because you didn't get any UDP response back from target! Making sense,right? Unfortunately, we will never get a response back from target to ensure you that port is open!

Thats how UDP call works, send the packet & forget it. Lets say we come across port 21, and 21 is open, then port 21 on target machine will not reply back to you because UDP does not give you the guarantee the delivery packets during communication process, it just send the packet and forget, unlike TCP which guarantees the delivery of packets with no loss or corruption. Since we didn't get reply back, then we can assume the port 21 is open *OR* maybe port 21 is closed and ICMP reply got lost somewhere so we didn't get it! A general rule, when you don't get a reply you assume port is open.

Some high professionals security person purposely configure ports to not to respond a UDP scanning. ICMP scanning is as same as UDP. ICMP scanning is noisy & can be picked by IDS very easily because ICMP sends random several pings to the network instead of a single host(ICMP scanning does a 'ping scanning' - sends ICMP packets - to the whole network instead of a single host). After you finish ICMP scanning, based on the replies you get back from the live hosts, then you can determine that your target network is listening for ICMP traffic and you might to do some exploit based on that. Unfortunately, there aren't alot of ICMP exploits going around, so you are just going to use ICMP for network enumeration, you just do it to see what hosts are up, host A is up , host B is up & host C is up, they are replying for my ICMP. Thus, this let us know these 3 hosts are running on the targeted network and potentially can be a target for us. IDS's are always listening for network scans & alot of network scanners provide a support for ICMP scanning, but do not have a way to make it stealthy! Therefore, ICMP can turn on the IDS alert which tells the security person there is somebody scans your whole network.

nmap is a great tool that is very popular, it is usually used to scan networks, hosts, ports, and does a lot of other stuff. It is very intrusive tool and considered a hacking tool. Using nmap against systems you dont own or don't have permission to scan can be considered illegal. Lets see examples of some scanning method!

Example of ICMP Scanning(-sP) - this is called ping scan

nmap -v -sP xx.xxx.xxx.xx > filename

nmap: represents the program we are running which nmap.
-v: for increased verbosity, which means bring me extra details of the targeted system. (Optional - as far as i know)
-sP: the flag that determines the scanning method.
x's: target IP address.
> filename: output the results to the newly specified filename. In other words, save results in a file (Optional)

This above command shows you the systems that are up and running, so this shows what available to us on the targeted network. As a result, you will get simple info that shows you there are number of IP addresses that responded to ping request - Note: there could be a lot more machines out there that are not responding to ICMP scanning.

Lets see an example of UDP scan, UDP scan not so speed.

nmap -v -sU xx.xxx.xxx.xx

Results of UDP scan(-sU) give more info than ping scan(-sP). Keep in mind there could be hundreds of other ports are listening on the system which simply don't respond to UDP connection.


Useful sources relates to scanning methods via nmap:

http://www.nmap-tutorial.com/pdf/nmap-tutorial.pdf


http://www.petri.co.il/port-scanning-with-nmap.htm


ALRIGHT, now you have a good basic understanding about scanning! Next, i will be talking about fingerprinting! So keep learning :-)

Now lets get deeper! By now we have determined what nodes are running up on the network. So we are ready to gather large info on those live systems we discovered in the previous steps. Ok! now you need to discover what services (application) are running on your target's host. Every (or at least many) port has a service running on it. For example, web server usually are running on port 80. What we have to do is scan ports, see what kind of services(applications) are running on them, try to grab the versions of the services, this will help you to determine the OS as well. This is called 'Port & Service Enumeration(fingerprinting)'. We have to do this step to understand what potential vulnerabilities your target has & how to exploit them.

Assume after we have scanned our target system, we found our target runs "IIS 5.0 Server" on "port 80". Based on the scanning result, you can say the target server is running IIS 5.0(IIS is set of Internet-based services, IIS is the second most popular web server - IIS is a Microsoft product), it is known IIS 5.0. has too many vulnerabilities & IIS 5.0 runs on Windows 2000, which Windows 2000 by itself has hundreds of vulns.

In other words, lets scan ports and services, and do OS fingerprinting, lets identify services on those live host in our target network. Once we know what services are running and what OS are running then we can start exploiting these services! - 'ping/port/service' scans are frequently run together using the same tool.

NOTE: identifying ports & services is the most critical part in hacking ... PERIOD

OS fingerprinting is used for determining OS type and version, then we exploit vulnerability. that resides into the OS. When you fingerprint a target, your targets' OS can be known from the TCP/IP stack, so fingerprinting happens on TCP/IP stack. Why? Because each OS has a unique implementation of TCP/IP, so TCP/IP stack is implemented differently from OS to OS, so an exact same query sent to one machine the respond of the result will be different than the other machine. Therefore, based on the response this can help the scanner determines the OS of the target, because every OS has its own unqiue response when you do OS fingerprinting request.

When you do a default install of OS, certain services will be installed by default, services that are needed for that OS to work properly, e.g. ports
137,138,139,and 445 which all combined together to produce Win 2000 OS or above. Another example, a combination of 139 and 445 can determine a certain version of windows such as Win XP or Win 2003, there are lots of ways to determine OS. Another example, if you see a service MS SQL is running on a certain port, you can determine the target OS is not in *nix family, it is in a Win family cause the target is running a Microsoft sql product. Thus, we can say port enumeration or service enumeration can help you in determining OS.

There tons of popular scanners out there:
SuperScan - Works good on Win OS.
Nmap - Works on *nix & Windows, *nix version is much more stable than Win version.

Most scanners offer full, half, stealth, and UDP scans.

You are going to spend most of your time scanning your target machine to know whats available there, so you can exploit the vulnerability & penetrate the system. Therefore, you have to do some exploration on scanning methods & decide which method of scanning you feel more comfortable with...

Lets see an example of enumeration style scanning. Just keep in mind, this can be considered hacking! Make sure you do to your system, not somebody's else.

This is kind of a stealth scan:
nmap -v -sS -A -sV xx.xxx.xx.xx > filename

This above request gives you very specific details about your target. sV is for version information identification. Check out the manual to know what these flags do - type "man nmap" to see the manual...

Alright, after we have fingerprinted services & OS, now its the time to check for various vulns against application(services) & OS running on the target system. This is called vulnerability assessment. To do vulnerability assessment, you can use the tools available, such as nessus. Nessus is free vulnerability assessment, huge database, its the best assessment tool.

Lets scan vulnerability on the target system. Lets say target system is win 2000 SP1 IIS 5.0, nessus goes back to its database and check the vulnerability for win2000 & IIS 5.0. If there is vulns not discovered, vulnerability assessment tool actually can't vulnerability it. However, if nessus couldn't find matching vulnerability for the target system, it will let you if the system can have some security issues or not. Such tools are considered as Automated Vulnerability Assessment Tools. You have to know about the target system OS so you can do vulnerability assessment on it. There are vulnerability assessment OS specific, e.g. MBSA tool(only scans Win OS).

NOTE: you can do vulnerability assessment manually, this depends on you and your skills. By doing it manually, you can discover vulnerability . that nobody knows about it, and you can use it for your own use. It is a powerful and very discrete.

After we determined what systems & what services contain vulnerability, then we can exploit it(means take a chance of this vulnerability to achieve what you want).
common vulnerabilities out there are:

OS vulnerabilities

Webserver vulnerabilities

Database vulnerabilities

TCP stack vulnerabilities

Application vulnerabilities

Malwares, viruses, trojans, can be used to exploit vulnerabilities.

There are several automated vulnerability scanners, such as Nessus, Nikto. Security websites is a good resource for vulnerabilities as well, e.g.
bugtraq, CVE(Common Vulnerabilities and Exposures) sites, etc. Another good source to find vulnerabilities is hacker web sites.


Lets talk about the tools:

tools+pes+2013



*Nessus - this is a great vulnerability assessment tool. However, in alot of cases it will perform exploits to see if the OS or service is actually vulnerable or not.

*Metasploit Framework - this is not vulnerability assessment tool. It is an exploitation tool, it contains hundrands of exploits helps you to exploit the system by using a nice selection of tools.

No comments:

Post a Comment


© [Ritik banger] and [Hacker ritz], [2017]. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to [Ritik banger] and [Hacker ritz] with appropriate and specific direction to the original content.
Designed by Ritik Banger . All rights reserved . Powered by Blogger.
© Copyright 2017. Website by Hacker Ritz