Ethical Hacking (1)


Contents

1 Lecture 1: Basis of ethical hacking, general information gathering 9
1.1 Why ethical hacking? 9
1.1.1 What is the reason for having so many security issues? 9
1.1.2 Why ethical hacking is necessary at all? 9
1.1.3 The motivation behind hacking - Why? 10
1.1.4 Type of hackers 11
1.2 Difference between ethical and non-ethical hacking 11
1.3 Main steps of hacking 12
1.3.1 Detailed steps of hacking 12
1.3.2 Type of ethical hacking projects 13
1.3.3 General information gathering 13
1.3.4 Methods to do information gathering 13
2 Lecture 2: Technical Information Gathering 14
2.1 Technical information 14
2.1.1 Domain names 14
2.1.2 Domain name registration data - whois (e.g. http://who.is) 15
2.1.3 Domain name owner examples 16
2.2 IP addresses 16
2.2.1 IP ranges - classful networking 17
2.2.2 IP Ranges: Classless InterDomain Routing (CIDR) 17
2.2.3 IP Ranges CIDR - examples 17
2.3 IP range owners 18
2.4 Network range examples 18
2.5 Hosted websites - Cloud services 18
2.6 Finding network ranges 19
2.6.1 Finding network ranges example 19
2.7 Domain to ip options 20
2.8 Robtex 20
3 Lecture 3: Network reconnaissance, port scanning 22
3.1 Circuit switched vs Packet switched networks 22
3.2 Packet switched networks – avoiding infinite loops 23
3.3 Network mapping - answer options 23
3.4 Internet Control Message Protocol (ICMP) 24
3.4.1 Layer 3 – Internet Control Message Protocol (ICMP) 24
3.5 Nmap basic usage 24
3.5.1 Nmap - ping scan 25
3.5.2 Nmap - List scan 25
3.6 Layer 4 26
3.6.1 Data transmission 26
3.6.2 UDP protocol 26
3.6.3 TCP protocol 26
3.6.4 TCP typical services 26
3.6.5 TCP 3-way handshake 27
3.7 Reverse scans 27
3.8 Ack scan 28
3.9 Decoy scan - hide ourselves 28
3.10 Service version detection 28
3.11 Hping2, hping3 29
3.12 Port scanning summary: inventory 29
3.12.1 Special port scanners: Firewalk, Zmap 29
4 Lecture 4: Get in touch with services 30
4.0.1 Where are we in the process of ethical hacking? 30
4.1 How to start compromising a service? 31
4.2 Brute-forcing 31
4.3 Service specific attacks 31
4.3.1 What is an exploit? 31
4.4 Attacking ftp service 32
4.4.1 anonymous login 32
4.5 Attacking SMTP 33
4.5.1 open relay access 33
4.6 DNS service 34

Learning outcome

After completing the course you will be able to:

• have knowledge about the theoretical basis for security testing

• have the ability to protect systems against modern cyber attacks

• have information on the legal aspects of performing ethical hacking and to judge what is within and outside permitted activities

• be able to perform practical penetration testing using up-to-date tools and techniques

• be able to evaluate the security status of systems and suggest solutions for removing security vulnerabilities

• be able to use publicly available resources for verifying the status of vulnerabilities and for applying patches

1 Lecture 1: Basis of ethical hacking, general information gathering

Lecture Overview

• What is ethical hacking?

• Steps of penetration testing

• Information gathering techniques

1.1 Why ethical hacking?

1.1.1 What is the reason for having so many security issues?

• Lack of money

• Lack of time

• Lack of expertise

• Negligence

• Convenience

• Old systems

• Too complex systems

• 3rd party components

And many others...

1.1.2 Why ethical hacking is necessary at all?

• Checking the system from the attacker’s perspective can reveal serious security deficiencies

• The "attacker" thinks like a real hacker (but not totally): understand the black hat hacker mindset.

– Do we use the same methodology as the real hackers?
– Do we have the same goals?
– Do we have to hide ourselves when ethically hacking?
– What makes hacking ethical?
– What is allowed and what is not?

• The system security cannot be guaranteed without deep and regular penetration testing

– Can it be guaranteed with penetration testing? Unfortunately not always perfectly; the keyword is the appropriate mitigation

• Computer systems have several security problems

1.1.3 The motivation behind hacking - Why?

To understand the real hackers, first we have to understand the motivations:

• What a cool thing to be a hacker

• Because I can

• Money

• Revenge

• Annoyance

• Protesting against something

• Organized and well-paid professional groups (mafia and governmental groups)

The goal of hacking: break the information security triad (confidentiality, integrity, availability)

• Steal confidential information

• Modify data

• Make services unavailable (Denial Of Service)

To promote security? YES

1.1.4 Type of hackers

• Black hat hackers: with malicious intent

• White hat hackers: perform penetration testing to promote the security

• Script kiddies: amateurs (usually young kids) using publicly available software tools to attack

• Protest hackers (protest against something, e.g. Anonymous)

• Grey hat hackers: usually white hat, but can be black hat

• Red hat hackers: stopping black hat hackers by attacking them

• Blue hat hackers: hacking in order to take revenge

• Green hat hackers: beginners to hacking

1.2 Difference between ethical and non-ethical hacking

Task: Find the admin password of "NonExistingBank AS"

How do I start? Which one of these will be used by the black hat and the white hat hackers?

• Try the websites, maybe there’s a server side scripting flaw?

• Try to apply for an account to have access to password protected sites?

• Try with low level exploitation against the server?

• Try to access the DMZ through a less controlled service?

• Try to sneak inside the building to have access to the internal network?

• Try social engineering emails against the employees?

• Try to make friendship with the system admin?

1.3 Main steps of hacking

• Information gathering

• Identifying the target domain

• Finding vulnerabilities

• Exploiting the vulnerabilities

• Lateral movements

• Carry out goal

1.3.1 Detailed steps of hacking

1. General information gathering: collecting all available information about the target and systemizing the information

2. Technical information gathering: collecting network and system specific information like target ip ranges

3. Identifying available hosts in the target network (which computer can be attacked)

4. Identifying available services in the target network (which service can be attacked)

5. Manual mapping of the services (to check how it looks like, the impressions, system reactions, mitigations, etc.)

6. Automatic vulnerability scanning (intelligent tools with huge vulnerability database)

7. Manual verification of the findings (to check if the previous findings are real – true positive)

8. Exploitation

9. Lateral movements (to move through the network)

10. Ensure access until the end of the project

11. Achieve primary and secondary goals

12. Remove clues

13. Reporting and presentation

14. Removing the attacking files!!! (tools, data, script created temporarily during the pentest)

1.3.2 Type of ethical hacking projects

From the attacker’s location point of view:

• External penetration testing

• Web tracking

• Internal penetration testing

• Wireless penetration testing

• Social Engineering

From the attacker’s access (right) point of view:

• Black box testing

• Grey box testing

• White box testing

1.3.3 General information gathering

• Usually the first step of every attack

• Before getting contact with the target we need to prepare for the attack

• General information gathering covers all the efforts that are made to collect all the information about the target

• The collected information should be analyzed as well in order to filter the important information

• Sometimes it is not obvious which information will be useful later, all information should be systemized

• The result of the information gathering is a huge dataset with dedicated information (e.g. user lists, etc.)

1.3.4 Methods to do information gathering

• Google and all search engines are best friends

– Simple search engine queries

– Specific search engine queries (google hacking, see later)

– Cached data (data that are not online right now, but can be restored)

• The social media is another best friend

• Companies and persons spread lots of information from themselves.

• We can create personal and company profiles

• We can identify key persons and other key information

2 Lecture 2: Technical Information Gathering

Lecture Overview

• What is the technical information of the target

• How to collect the technical information

• Typical network layouts

• Identifying the network range of the target

2.1 Technical information

• Domain names of the target

• Domain owner(s) of the target

• Domain registrants

• Ip addresses associated with the target websites

• Ip ranges of the target

• Ip range owner(s)

• List of hosted websites

• Hosting companies

• Etc

2.1.1 Domain names

A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet.

Domain names are formed by the rules and procedures of the Domain Name System (DNS). Any name registered in the DNS is a domain name.

The top level domain can be com, net, info, edu, org or a country code. Second and third level domains can be any string. The full length of the domain cannot be longer than 255 characters.

• A hostname is a domain name that has at least one associated IP address

• The first domain was registered in 1985 (symbolics.com)

• Domains are registered by the domain registrars that are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN)

• Each TLD is maintained and serviced technically by an administrative organization operating a registry (UNINETT Norid AS for .no)

• All data has to be published and accessible with the whois protocol

2.1.2 Domain name registration data - whois (e.g. http://who.is)

The whois database must contain the following information:

• Administrative contact

• Technical contact

• Billing contact

• Name servers: computers that provide subdomain information for the particular domain using the DNS protocol

• Unique name with country code (TLD)

• Domain names belong to private individuals or companies

• Everyone can register a domain (for trademarks there’s a priority)

• A domain name is only the right to use a special string, it is not an ip and not a computer!

2.1.3 Domain name owner examples

Find the owner of the following domains:

• nrk.no

• dyreparken.no

• horsepro.n

Find a contact phone number for the following domains:

• footish.se

• termesangiovanni.it

When is the expiration date of the following domains:

• timeanddate.com

2.2 IP addresses

• IPv4: 32 bit (2^32 = 4 294 967 296 combinations)

• IPv6: 128 bit (2^128 = 3.4*10^38 combinations)

• IP addresses are for the identification of computers during the communication (OSI 3rd layer, see later).

• In order to be easy to memorize, 8-bit (byte) blocks are used for ipv4, e.g. 129.240.171.52

• ipv6 addresses are represented as eight groups of four hexadecimal digits, e.g. 2001:0db8:0000:0042:0000:8a2e:0370:7334

2.2.1 IP ranges - classful networking

IP ranges contain several ip addresses, e.g. 129.240.171.56-129.240.171.63 (8 addresses)

In 1981 classful networking was created. It consisted of the A, B, and C classes of network ranges. The idea was to divide the ip into a network and a subnet part (8, 16 or 24 network bits for class A, B and C respectively).

2.2.2 IP Ranges: Classless InterDomain Routing (CIDR)

• CIDR was created in 1993

• Network address length is arbitrary (not only 8, 16, 24 bits)

2.2.3 IP Ranges CIDR - examples

• What is the first and last address of the /23 network range that contains: 194.172.10.10?

• What is the first and last address of the /18 network range that contains: 164.44.20.52?

• How many addresses does a /25 network range have?
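The three questions above can be answered by masking the address bits; this added example (not code from the lecture) does that with plain integer arithmetic and cross-checks the result against Python's ipaddress module. The fourth input is the 8-address range from section 2.2.1.

```python
"""CIDR arithmetic for the /23, /18 and /25 questions above.

Added example (not from the lecture notes): the first and last address of the
block containing an IPv4 address are found by masking its 32-bit integer form;
the result is cross-checked against the standard-library ipaddress module.
"""
import ipaddress


def ip_to_int(ip: str) -> int:
    """Dotted-quad string -> 32-bit integer, with basic validation."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix: int) -> int:
    """Netmask as an integer: `prefix` leading one-bits, e.g. /23 -> 255.255.254.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def cidr_range(ip: str, prefix: int) -> tuple[str, str, int]:
    """Return (first address, last address, number of addresses) of the
    /prefix block that contains `ip`.

    The first `prefix` bits are the network part and are kept; the remaining
    32 - prefix host bits are cleared for the first address and set for the
    last one, so the block holds 2**(32 - prefix) addresses.
    """
    mask = netmask(prefix)
    first = ip_to_int(ip) & mask
    last = first | (0xFFFFFFFF >> prefix)   # fill every host bit with 1
    size = 1 << (32 - prefix)
    # Cross-check with the standard library (strict=False allows a host address).
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    assert (str(net.network_address), str(net.broadcast_address), net.num_addresses) == (
        int_to_ip(first), int_to_ip(last), size)
    return int_to_ip(first), int_to_ip(last), size


if __name__ == "__main__":
    # The three questions from the lecture plus the 8-address range from 2.2.1.
    for ip, prefix in (("194.172.10.10", 23), ("164.44.20.52", 18),
                       ("129.240.171.52", 25), ("129.240.171.56", 29)):
        first, last, size = cidr_range(ip, prefix)
        print(f"{ip}/{prefix}: mask {int_to_ip(netmask(prefix))}, "
              f"{first} - {last}, {size} addresses")
```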

2.3 IP range owners

The whois protocol is also used to get the owner of a particular ip range. The records are stored in different databases according to the continents.

2.4 Network range examples

Who is the owner of the following ips and how big is the related network range?

• 5.44.65.150

• 195.88.55.16

• 188.44.50.103

• 198.62.101.225

• 194.61.183.124

2.5 Hosted websites - Cloud services

• In several cases a website is hosted. That means it is stored on a webserver

– that does not belong to the target organization

– which can contain several other websites

In those cases the webpage cannot be attacked, or separate permission is needed from the owner of the server computer (Example: elektronikmesse.dk)

2.6 Finding network ranges

• Search for all domains including second and third level

• Look for the corresponding ips

• Check which database contains the ip owner (whois)

• Check the ip ranges (ripe, arin, etc.)

2.6.1 Finding network ranges example

• Practice: Find the network ranges of the owner of dn.no

• Solution (demo)

– dn.no belongs to the DAGENS NÆRINGSLIV AS

– www.dn.no has the ip 87.238.54.132

– ripe ncc says it is a part of the network range: 87.238.54.128-143

– the owner of the range is the NHST media group

– dn.no has the following second level domains: s1, s2, s3, s4, arkiv, multimedia, investor, hotell, idn, ww5, sjakk, pad

– All the domains are associated with the same ip (87.238.54.132), except pad.dn.no which is 87.238.53.121, and the hosted websites (sjakk, )

– pad.dn.no is in the range of 87.238.53.0-143

2.7 Domain to ip options

• One domain to one ip - A web server with one website

• Multiple domains to one ip - A web server hosts multiple websites

• One domain to multiple ips - load balancer, cloud service

2.8 Robtex

3 Lecture 3: Network reconnaissance, port scanning

Lecture Overview

• Identifying hosts in a network

• Identifying services on a host

• What are the typical services

• Ordinary and special port scanning methods

3.1 Circuit switched vs Packet switched networks

In a circuit switched network a virtual line is allocated between the communicating parties. The line is busy until the communication ends.

In packet switched networks the caller sends packets in the direction of the receiver. There’s no planned route; each network device chooses the most appropriate device as next, considering routing tables and traffic.

3.2 Packet switched networks – avoiding infinite loops

• As there’s no planned route between the sender and the receiver, it can happen that a packet gets stuck in the network following an infinite loop

• Messages are placed in network packets according to the OSI model

• Every packet should contain a ttl value (Time to Live) that is decreased when arriving at the next network device (network hop)

• When ttl is 1 the packet has to be dropped

3.3 Network mapping - answer options

Positive answer

• In case of icmp we get an echo reply for our echo request

Negative answer

• In case of icmp we get a destination unreachable / host unreachable message

No answer

• In case of icmp, we have no response from the host that was addressed by the echo request

3.4 Internet Control Message Protocol (ICMP)

3.4.1 Layer 3 – Internet Control Message Protocol (ICMP)

Since the ICMP reply carries a ttl value (in its IP header), it is possible to guess the receiver host’s operating system by its ttl. Initial ttl values:

Windows: 128 since Windows2000

Linux: 64 for 2.0.x kernel

Solaris: 255

ICMP practice examples:

Find a host with 64 as initial ttl

Find a host with 128 as initial ttl
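The reply TTL seen by the sender is the initial TTL minus the hop count, so rounding the observed value up to the nearest of the initial values above recovers both the OS family guess and the distance. The following is an added example (not from the lecture) that applies that rule to constructed ping output lines; it also flags that the guess is unreliable beyond 64 hops or when an administrator has changed the default TTL.

```python
"""Guessing the initial TTL (and so the OS family) from ping replies.

Added example, not part of the lecture notes. The observed reply TTL equals
the sender's initial TTL minus the number of hops, so rounding up to the
nearest common initial value (64, 128, 255 as listed in the lecture) gives
the likely OS family and the hop distance. The ping output below is a
constructed sample mixing Linux- and Windows-style lines.
"""
import re

# Initial TTL values and OS labels as given in the lecture.
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "Solaris"}

# Matches "from <host>: ... ttl=NN" (Linux) and "from <host>: ... TTL=NN" (Windows).
_PING_RE = re.compile(r"from\s+(?P<host>[\w.\-]+).*?ttl=(?P<ttl>\d+)", re.IGNORECASE)


def guess_initial_ttl(observed: int) -> tuple[int, int, str]:
    """Return (initial_ttl, hops, os_family) for an observed reply TTL.

    Caveat: a host more than 64 hops away, or one whose default TTL was changed
    by its administrator, is misclassified; the lecture itself calls this a guess.
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(INITIAL_TTLS):      # smallest initial >= observed wins
        if observed <= initial:
            return initial, initial - observed, INITIAL_TTLS[initial]
    raise AssertionError("unreachable: 255 covers every valid TTL")


def parse_ping(output: str) -> list[dict]:
    """Extract host/ttl pairs from ping output and annotate each with the guess."""
    results = []
    for line in output.splitlines():
        m = _PING_RE.search(line)
        if not m:
            continue  # not a reply line (summary, timeout, ...)
        ttl = int(m.group("ttl"))
        initial, hops, family = guess_initial_ttl(ttl)
        results.append({"host": m.group("host"), "ttl": ttl,
                        "initial_ttl": initial, "hops": hops, "os_guess": family})
    return results


# Constructed sample output (two Linux-style lines and one Windows-style line).
SAMPLE_PING_OUTPUT = """\
64 bytes from 192.0.2.10: icmp_seq=1 ttl=54 time=12.3 ms
Reply from 192.0.2.20: bytes=32 time=8ms TTL=117
64 bytes from 192.0.2.30: icmp_seq=1 ttl=250 time=40.1 ms
Request timeout for icmp_seq 2
"""

if __name__ == "__main__":
    for r in parse_ping(SAMPLE_PING_OUTPUT):
        print(f"{r['host']}: ttl={r['ttl']} -> initial {r['initial_ttl']} "
              f"({r['os_guess']}), about {r['hops']} hops away")
```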

3.5 Nmap basic usage

Nmap is a universal port scanner. It is able to carry out ordinary and specific host and service discoveries. Nmap has a scripting engine which makes it capable of carrying out complex scanning as well as vulnerability discovery, fuzzing and similar tasks.

For one simple ping the following command has to be used:

Host(s) to be scanned can be set in multiple ways:

With domain: www.uio.no

With ip: 129.240.171.52

With ip range (CIDR): 129.240.171.0/24

With ip range (from-to) 129.240.171.2-6, 129.240.170-175.1

With list: 129.240.171.1,129.240.171.2

The main parameter is the scanning type that can be set with the -s switch, e.g. -sP: ping scan

Example task: How many hosts are alive in our current local network range? E.g. nmap -sP 192.168.0.0/24

With nmap it can be set:

• Type of scan (see detailed list later)

• Additional tests (e.g. version detection)

• Timing option (how many tries, how many parallel requests, max retries, scan delay, etc.)

• Hosts / host input

• Output result format (flat file, xml, etc.)

• Filtering (e.g. show only open ports)

• Scripts to run

3.5.1 Nmap - ping scan

• With the -sP switch

• Nmap pings all the specified hosts

• The available hosts are listed with their MAC address

• ICMP messages are not always allowed in a network

3.5.2 Nmap - List scan

• With the -sL switch

• Has no connection with the hosts

• The DNS server is asked if a specific domain is registered in its database

3.6 Layer 4

3.6.1 Data transmission

Apart from sending short simple messages, bigger data blocks can be transmitted between the hosts. The data transfer is carried out in the 4th layer by using 2 different approaches:

• UDP : streaming the data (no guarantee that all data will arrive, but fast)

• TCP : the arrival of all data is guaranteed in the right order (trustworthy transmission, slower than UDP )

In addition, the data transmission is carried out using port numbers. One host can send and receive data in multiple channels using different port numbers for different services.

3.6.2 UDP protocol

The port number is a 2-byte value, it can be between 0-65535 (2^16 values).

Typical UDP ports with services:

• UDP 53 DNS

• UDP 111 RPC (Remote Procedure Call)

• UDP 123 NTP (Network Time Protocol)

3.6.3 TCP protocol

In order to ensure that the packages arrive in the right order, the sequence number and the acknowledgement number are used.

TCP flags are for maintaining the connection status (urg, ack, psh, rst, syn, fin).

3.6.4 TCP typical services

• TCP 80: web http

• TCP 443: web https

• TCP 20,21: ftp

• TCP 22: ssh

• TCP 25: smtp

• TCP 137,139,445: netbios

• TCP 3306: mysql

• TCP 3389: remote desktop

• TCP 5900: VNC

Remember that any service can be used on any port, these are only recommendations

3.6.5 TCP 3-way handshake

TCP handshake is the process when a connection is about to be established in a specific port.

3.7 Reverse scans

In case of reverse scanning, Nmap looks for closed ports. The result of a reverse scan can be either open/filtered or closed. It cannot be determined if a port is filtered or open. According to TCP, if a port is closed the receiver sends an rst answer no matter which status flag is set:

-sN Null scan (no flags)

-sF Fin scan (only fin flag is set)

-sX Xmas scan (push, fin and rst flags are set)

-sM Maimon scan (fin and ack are set)

With hping we can set any flag (more reverse scan options, see later)

3.8 Ack scan

Ack scan is to determine if a firewall is stateful or stateless.

• The stateless firewall examines a packet as if it were independent of the previous packets.

• The stateful firewall can follow packet streams considering previous packets.

For a stateless firewall an ack packet looks like the third step of the handshake. For the stateful firewall it is pointless (no syn and syn+ack before). Nmap switch: nmap -sA

3.9 Decoy scan - hide ourselves

If a TCP connection is established it will be logged by the firewalls – this is noisy (in a network with huge internet traffic there are several port scans by robots).

Decoy scan uses the «needle in the haystack» theory: it sends out each request in multiple copies with different source ips.

Questions: Can we modify our source ip in the packet? If so, why don’t we modify it all the time?

Decoy scan example: nmap -sT -p80 -D5.44.65.150,195.88.55.16,194.61.183.124 www.uio.no

3.10 Service version detection

Version detection interrogates the ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol, the version number, hostname, device and the OS family. With banner grabbing completely exact version numbers can be retrieved (banner info can be modified).

3.11 Hping2, hping3

See detailed examples here: http://0daysecurity.com/articles/hping3_examples.html

3.12 Port scanning summary: inventory

• The result of the port scanning has to be summarized in a table (Inventory)

• The inventory should be part of the final pentest report

• The table contains all the discovered hosts with all discovered services in separate rows

• Each service has a comment field if it was compromised during the pentest

• The client can evaluate each service if it should be closed or assign a responsible person for all operating services
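An added example (not code from the lecture) that builds this inventory from Nmap's XML output (the -oX format mentioned under "Output result format"): one row per live host and discovered service, with an empty comment column for the tester to fill during the project. The XML below is a constructed sample in Nmap's layout; the report is rendered as CSV.

```python
"""Building the port-scan inventory table from Nmap XML output (-oX).

Added example, not from the lecture notes. The row layout (one row per
host+service, plus a comment field filled in during the pentest) follows the
inventory description above. The XML is a constructed sample mimicking the
structure Nmap writes with -oX.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample: three hosts, one of them down, one filtered port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.2" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="53"><state state="open"/>
        <service name="domain"/></port>
    </ports>
  </host>
</nmaprun>
"""

FIELDS = ["host", "hostname", "port", "service", "version", "state", "comment"]


def build_inventory(xml_text: str, states=("open",)) -> list[dict]:
    """One row per (live host, port) whose state is in `states`."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # the inventory lists live hosts only
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        addr = addr_el.get("addr") if addr_el is not None else ""
        hostname = name_el.get("name") if name_el is not None else ""
        for port in host.iter("port"):
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else ""
            if state not in states:
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = " ".join(v for v in ((svc.get("product"), svc.get("version"))
                                           if svc is not None else ()) if v)
            rows.append({"host": addr, "hostname": hostname,
                         "port": f"{port.get('protocol')}/{port.get('portid')}",
                         "service": name, "version": version, "state": state,
                         "comment": ""})  # compromised? responsible person? filled in later
    return rows


def inventory_csv(rows: list[dict]) -> str:
    """Render the inventory as CSV for the report appendix."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(inventory_csv(build_inventory(SAMPLE_NMAP_XML)))
```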

3.12.1 Special port scanners: Firewalk, Zmap

Firewalk was a special internal network scanner in the beginning of the 2000s (cannot be used today). It was able to exploit a flaw of the TCP implementation and scan the internal network one hop behind a firewall (it used customized ttl values).

Zmap is a superfast layer 2 port scanner. It is able to map the whole ipv4 network range within 45 minutes for one port. (https://zmap.io/)

4 Lecture 4: Get in touch with services

Lecture Overview

• Trying out default credentials

• Brute-forcing techniques and mitigations

• What are the exploits and how to use them

• Using open-relay SMTP

• DNS enumeration and zone transfer

4.0.1 Where are we in the process of ethical hacking?

• We have several general information about the target

• We have the technical details (domains, ip ranges)

• We mapped the target network and have an inventory (live hosts, responding services)

• What’s next?

• We try to compromise services

– Find a vulnerability

– Exploit the vulnerability

How to start compromising a service?

What kind of services do we have to face from outside? Web, Ftp, ssh, dns, mail (SMTP, POP3, IMAP, Exchange), VPN and many others

Typical services inside: Netbios, SMB, Printer, RDP, DB services, LDAP, etc.

4.1 How to start compromising a service?

What kind of errors (vulnerabilities) can we expect?

• Configuration related errors

– Default credentials

– Easy to guess credentials (we had information gathering before)

– No or inappropriate protection against guessing (brute-force)

– Unnecessary function

– Privilege misconfigurations

– Other configuration errors

• Software vulnerability related errors

– No input validation

– Memory handling errors

– Several others (see later)

4.2 Brute-forcing

• Trying out multiple combinations

• How to generate the options?

– Random

– Trying out all combinations

– Using a list or dictionary

• Brute forcing tools

– THC Hydra (ssh, ftp, http): Hydra was created by the hacker group The Hacker’s Choice. It is a universal brute-force tool that can be used for several protocols.

– Ncrack

– Medusa

4.3 Service specific attacks

We cannot cover all services, but we’re going to focus on:

• Ftp, SSH, SMTP, DNS, Web (Lecture 5,6,7)

• Exploits in general (The theory and practice of exploits will be on Lecture 8,9 but we’re going to use some of the available exploits now.)

• ARP, Netbios, SMB, etc.: Lecture 10 (Internal network hacking)
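The mitigation side of section 4.2 (the "no or inappropriate protection against guessing" item in 4.1) is the detection of guessing attempts. The following added example (not from the lecture) flags a source once it produces a threshold number of failed SSH logins inside a sliding time window, the logic behind fail2ban-style blocking; the auth.log lines are constructed samples in OpenSSH's format, and the log year is assumed since syslog timestamps carry none.

```python
"""Detecting password guessing (brute force) in SSH authentication logs.

Added example, not from the lecture notes: a per-source sliding-window
counter that flags an address once it causes `threshold` failed logins
within `window_s` seconds. The log lines are constructed samples in the
OpenSSH auth.log format; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Mar  3 10:00:04 host sshd[1203]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:06 host sshd[1204]: Failed password for root from 198.51.100.7 port 40124 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 40125 ssh2
Mar  3 10:00:11 host sshd[1206]: Failed password for root from 198.51.100.7 port 40126 ssh2
Mar  3 10:03:00 host sshd[1207]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Mar  3 10:20:00 host sshd[1208]: Failed password for bob from 203.0.113.5 port 51002 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Parse a syslog timestamp; the year is assumed (syslog does not record it)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {ip: (time first flagged, sorted usernames tried)} for every
    source that reached `threshold` failures within any `window_s` window."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)       # ip -> usernames it tried
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        users[ip].add(m.group("user"))
        q = windows[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (t.strftime("%H:%M:%S"), sorted(users[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (when, names) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: brute force detected at {when}, usernames tried: {names}")
```

A single slow guesser (203.0.113.5 above) stays under the default threshold, which is why the window and threshold are tuning knobs rather than constants.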

4.3.1 What is an exploit?

An exploit (from the English verb to exploit, meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

4.4 Attacking ftp service

4.4.1 anonymous login

If anonymous login is enabled, anyone can log in (username: anonymous, password: arbitrary email).

The anon_upload_enable and anon_other_write_enable settings (vsftpd configuration directives) are also important: e.g. if upload is enabled and the webroot is accessible, attacking scripts can be uploaded.

4.5 Attacking SMTP

The main SMTP commands are:

HELO: Sent by a client to identify itself

EHLO: The same as HELO but with ESMTP (multimedia support)

MAIL FROM: Identifies the sender of the message

RCPT TO: Identifies the message recipients

DATA: Sent by a client to initiate the transfer of message content. Note there are no Subject, CC, BCC fields. All these data are placed in the data section (these are not part of SMTP)

VRFY: Verifies that a mailbox is available for message delivery. If it’s allowed user enumeration is possible.

4.5.1 open relay access

How to find open-relay SMTP?

• If one of the client’s SMTP servers allows open-relay access, then any email can be sent through it unseen

• Spamboxes will probably contain some open-relay SMTP server
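What makes a server an open relay is one decision inside the RCPT TO handling. The added example below (not code from the lecture) implements the commands listed in 4.5 as a replayable state machine, with the relay check and a VRFY that answers 252 instead of confirming users, and replays the classic relay probe (foreign sender to foreign recipient) against both an open and a hardened configuration; all domains and mailboxes are constructed.

```python
"""The relay decision behind "open relay", as a replayable SMTP command handler.

Added example, not from the lecture notes. SmtpSession implements HELO/EHLO,
MAIL FROM, RCPT TO, DATA, VRFY and QUIT as a state machine so an exchange can
be replayed without a network. An open relay accepts RCPT TO for domains it
is not responsible for; the hardened configuration accepts those only from
authenticated clients and answers VRFY with 252 so mailboxes cannot be
enumerated. Domains and mailboxes are constructed.
"""
import re


class SmtpSession:
    def __init__(self, local_domains, mailboxes, open_relay=False,
                 allow_vrfy=False, authenticated=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.mailboxes = {m.lower() for m in mailboxes}
        self.open_relay = open_relay        # the misconfiguration under discussion
        self.allow_vrfy = allow_vrfy        # lets VRFY confirm or deny users
        self.authenticated = authenticated  # e.g. after a successful AUTH
        self.helo, self.sender, self.recipients = None, None, []
        self.in_data, self.message = False, []

    @staticmethod
    def _addr(arg: str) -> str:
        """Extract user@domain from '<user@domain>' or 'user@domain' ('' if invalid)."""
        m = re.fullmatch(r"\s*<?([^<>\s]+@[^<>\s]+)>?\s*", arg)
        return m.group(1).lower() if m else ""

    def _is_local(self, address: str) -> bool:
        return address.rsplit("@", 1)[-1] in self.local_domains

    def handle(self, line: str) -> str:
        """Process one client line; return the server reply ('' while in DATA)."""
        if self.in_data:
            if line != ".":
                self.message.append(line)
                return ""
            self.in_data = False
            n = len(self.recipients)
            self.sender, self.recipients, self.message = None, [], []
            return f"250 OK: queued for {n} recipient(s)"
        verb, _, arg = line.partition(" ")
        verb, uarg = verb.upper(), arg.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 mail.example.test Hello {self.helo}"
        if verb == "QUIT":
            return "221 Bye"
        if self.helo is None:
            return "503 Send HELO/EHLO first"
        if verb == "MAIL" and uarg.startswith("FROM:"):
            self.sender, self.recipients = self._addr(arg[5:]), []
            return "250 OK" if self.sender else "501 Syntax error in sender"
        if verb == "RCPT" and uarg.startswith("TO:"):
            if self.sender is None:
                return "503 Need MAIL FROM first"
            rcpt = self._addr(arg[3:])
            if not rcpt:
                return "501 Syntax error in recipient"
            # Relay decision: local recipients are always accepted; foreign ones
            # only if the server is (mis)configured as an open relay or the client
            # has authenticated. A 250 here for any foreign recipient = open relay.
            if self._is_local(rcpt) or self.open_relay or self.authenticated:
                self.recipients.append(rcpt)
                return "250 OK"
            return "554 Relay access denied"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT TO first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            if self.allow_vrfy:  # permits the user enumeration noted above
                return f"250 {arg}" if self._addr(arg) in self.mailboxes else "550 No such user"
            return "252 Cannot VRFY user, but will accept message and attempt delivery"
        return "500 Unrecognized command"


def relay_probe(open_relay: bool, allow_vrfy: bool) -> list[str]:
    """Replay the classic relay check (foreign sender -> foreign recipient)
    plus a VRFY, and return the server replies in order."""
    s = SmtpSession(local_domains=["example.test"], mailboxes=["alice@example.test"],
                    open_relay=open_relay, allow_vrfy=allow_vrfy)
    script = ["EHLO probe", "MAIL FROM:<someone@outside.invalid>",
              "RCPT TO:<victim@elsewhere.invalid>", "VRFY alice@example.test", "QUIT"]
    return [s.handle(cmd) for cmd in script]


if __name__ == "__main__":
    print("open relay:", relay_probe(open_relay=True, allow_vrfy=True))
    print("hardened:  ", relay_probe(open_relay=False, allow_vrfy=False))
```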

How can the users make sure that an email arrived from the right person?

• Check the email header

• There’s no 100

Email brute force with THC-Hydra

hydra smtp.victimsemailserver.com smtp -l victimsaccountname -P pass.lst -s portnumber -S -v -V

hydra -l username -P pass.txt my.pop3.mail pop3

hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN

Supported protocols by THC-Hydra

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

4.6 DNS service

• DNS servers are all around the world

• Organized in tree structure (13 root servers)

• The top level domains (.com, .net, .edu, .no, .de, etc.) are directly under the root servers

• DNS data are stored redundantly (master and slave server)
