Minggu, 08 Juni 2014

Power of Social Engineering

First of all, what is social engineering ? Social engineering is art of deception to harvest information from human vector or exploiting human weakness in order to gain information. In hacking cycle, social engineering is an optional step. It means it is not necessary to be done in order to hack into a system. Even though it is optional, social engineering holds a very important aspect which allow the hacker to gain an easier way to hack or when all step in hacking cycle fails, social engineering might be the last option in order to hack the system.

There are top 5 social engineering exploit that can be used :

1) Familiarity Exploit - Making yourself familiar to those you want to exploit and lower their guard. In a world of psychology, people react differently to other people according how close those people are. You can make yourself closer to your target by making yourself familiar to the target such as increasing the number of encounter, getting same interest and the most important thing is to not create a mindset of "Who is that and why is he here ?".

2) Creating a Hostile Situation - What it means by hostile situation is to create a situation which the atmosphere is tense such as angriness. This situation can be easily created or faked by a simple technique like when you have a phone cal with your target you fake a tense fight with someone else while still on the phone. By basic psychology, people will not like an angriness and will try to get rid of it, so people tends to follow your order when you are mad. Use this chance to exploit your target

3) Gathering and Using Information - Gather info as much as possible of your target. The more info you have about your target, the more possibilities that your social engineering to works. There are a lot of ways to gather information such as : Online site ( Facebook, Linked in, etc ), The target work place,  asking target's friends or colleague.

4) Get a Job at your Target Workplace - If the payment of the penetration job is worth it, just get a job there. Most small to medium sized company will not do any background check on you, so you can easily get a job there without being afraid of your identity being compromised. Once inside, you can climb your way to earn their trust so you can get access to sensitive information. Once you get the information it wont'be hard for you to exploit it.

5) Reading Body Language - To be able to read a body language, you may need an advanced knowledge in psychology. But it is worth it. The basic explanation is to make your target comfortable as much as possible. When people get comfortable they will be talk more easily and they will feel more eager to help you without questioning your motives. By making them comfortable, you can basically exploit information from them.

According to this technique, someday maybe you can be the initiator of the social engineering or maybe you can be the target of social engineering. With this in mind, be careful about what information you share and do not give any information to people that is not authorised to know those information.

Threat of SQL Injection

What is SQL injection ? SQL Injection is a code injection technique, used to attack data-driven application. in which malicious SQL statements are inserted into an entry field for execution. According to Open Web Application Security Project (OWASP) SQL injection is rated to be the top threat to web application.

By using SQL injection technique, a hacker can easily enumerate the target database to gain sensitive information such as username, password, etc. SQL injection is not always successful. Not all website is vulnerable to SQL injection. Some website with input validation in their form will not be easily injectable.

An SQL injectable website will result in following pages (or similar) when you input " ' " (Single Quotation Mark). This is the example of SQL injection vulnerable website :

This website do not have input validation in their log in form so when a " ' " (Single Quotation Mark) is inputed, the code will consider this input to be an SQL query which result in the above error page. 

This means the hacker can exploit the database and in worst case scenario the hacker can take the ownership of the website. 

With this SQL injection threat, it is highly encouraged for web developer to develop a web site with SQL injection defines such as :
- Input Validation in Log in Form
- Use Web Application Firewall
- Limit Database Privileges

Selasa, 20 Mei 2014

Phishing Attack Using SETOOLKIT

     Phishing an attack that intended to acquire private information such as user name, password, credit card detail, etc. The most common way of phishing attack is make a "fake" site that require you to login to those "fake" site. After you login, your input such as user name and password will be recorded or key logged by the hacker.

     This time I will explain how to make "fake" website using setoolkit. In Kali Linux, setoolkit is already installed so to run it just open the terminal and type setoolkit. In case you can't run it, use 
su - root first to attain root privilege. 

     This is the main menu of :

Input 1 and hit enter to select Social-Engineering Attack :


Input 2 and hit enter to select Website Attack Vector, after that input 2 and hit enter again to select the harvester attack. After that you will be prompted to enter the host IP address for the "fake" website. In this image below, I inputed my Kali Linux IP 192.168.5.131. Hit enter again and you will be prompted to input the URL of the "real" link to be cloned by setoolkit and the view will be like below image. YOU HAVE TO KEEP THIS TERMINAL RUNNING AND DON'T STOP THE SETOOLKIT  :

Now open the "fake" page in other VM (I used my XP) and it will just like real Facebook login page:

Note the IP is my Kali Linux IP and not the real URL Facebook.com. Next i tried to input random user name and password. I used test@test.com for username and testiest for password :

And when I submitted the user name and password this is what will happen in setoolkit terminal :


Every input is recorded by the terminal. The user name and password is perfectly key logged.

So with this in mind I will advice you to be careful when you get an e-mail that redirect you to such website and prompt you to log in. Please check the URL of the website first and DO NOT OPEN LINK PROVIDED BY UNKNOWN SENDER !

Selasa, 13 Mei 2014

How to Know Open, Closed, Filtered Port from Wireshark Packet Capture


In port scanning there are 3 port status, open, closed, filtered port.

Open port means the port is open and running a service for the machine.

Closed port means the port is close and not running any services.

Filtered port means that your probe to these specific port is filtered or dropped by the firewall.

For this test, I used mmap -F 172.16.128 command to scan fewer port to only show you guys the result in wireshark.

This is the result of closed port in wireshark :

As you can see, there are many SYN request to the target port and the target port immediately reply with RST,ACK. From this result we know that the port is closed.

This is the result of open port in wireshark :


From this wireshark packet capture, you can see at packet number 63 sent a SYN packet to http port of the target. At Packet number 65, the target http port sent a SYN,ACK reply which means the port is open and running a service.

And this is the result of filtered port in wireshark :


There is no reply at all from the target machine. This means the probe packet we sent is not even reach the target port because the packet is dropped by the firewall.

Zenmap, GUI version of NMAP

NMAP is a tools used to gathering information on your target. NMAP can give you a lot of your target such as open port, target OS, target database, etc. NMAP is a very powerful tools because it has so many modes that can be used for scan the target which will give you ability too fool firewall, etc.

Zenmap is an NMAP with Graphical User Interface(GUI) support for easier use. To execute Zenmap in Kali Linux it is very simple. It is recommended to run Zenmap by using root privileges or some NMAP scan will not be available.

This will pop-up if you're not running Zenmap using root privileges :


And this is the fully running Zenmap will look like :

Notice in this Picture, I used my windows XP Virtual Machine(172.16.1.128) as the target. And we can select a scan profile. This scan profile will provide us with NMAP scan command. Here are some of the Scan Profile :

Intense Scan


-T4 : Scan Timing Mode 4 (See Description Below)
-A : Enable OS detection, Version Detection, Script Scanning, and traceroute
-v : Verbose mode, it will give detailed info of what the mmap is currently doing

Intense Scan with all TCP port scanned


-p 1-65535 : Scan the port range from port 1 to 65535
-T4 : Scan Timing Mode 4 (See Description Below)
-A : Enable OS detection, Version Detection, Script Scanning, and traceroute
-v : Verbose mode, it will give detailed info of what the mmap is currently doing

Quick scan

-T4 : Scan Timing Mode 4 (See Description Below)
-F : Fast Mode, will scan fewer port than the regular scan


If you notice, all of the scan above use -T4 which is Timing Mode 4. You can use from -T0 to -T5 (but only one at a time), and here are the description:

-T0 : Paranoid Scan
-T1 : Sneaky Scan,
-T2 : Polite Scan
This Scan will slow down the scan to use less bandwidth and target machine resources. This modes is used in IDS evasion.

-T3 : Normal Scan
This is the default scan used by NMAP if the timing mode is not declared in the command.

-T4 : Aggressive Scan
This Scan will speed up the scan with assumption that you are in a reliable network

-T5 : Insane Scan
This mode will scan with assumption that you are on a extremely fast network and willing to sacrifice accuracy for speed


Kamis, 10 April 2014

WireShark "TCP Port Number Reused" Entry

For the continuation of my previous blog entry, I will explain about "TCP Port Number Reused" entry in my wireshark data record.

The simplest explanation would be there are so many same TCP SYN Packet from the same IP address with same port which already been captured by the wireshark before.

The more technical explanation is because in port scanning, my Kali Linux sent a lot of packet to the windows XP and it keeps trying to open new port every time.Wireshark does not simply forget the source address and port it has seen or captured before. Because I used port 445 alot from the same IP (250.250.250.250 in last picture.) Wireshark display the TCP Port Number Reused because wireshark captured the similar connection source before (In relatively short time). It won't Display this entry if the same connection isn't happened in relatively short time.




Port Scanning

Port Scanning is a very important step in Hacking and Penetration Testing. Port Scanning is used to find which port is vulnerable in the target system to be exploited. We need to find vulnerable port because in the end, we need an open unfiltered port to send packet to the target system. Open port is not always exploitable. Open port may be filtered. A filtered port is an open port that are guarded by the firewall.

There are many tools for port scanning. One of the tools is the same tools I posted on my previous blog entry, hping3. While hping3 is a very powerful tools to do a penetration testing, this week I will explore other tools, UnicornScan. UnicornScan is a built-in tools in Kali Linux. But if the tools is not there yet, you can use this command :

sudo apt-get install UnicornScan

This is a normal scan using UnicornScan :

Notice I used -B 445 in my Command Line. -B is to determine the source port of the packet. In this Case the packet is originated from port 445. I was targeting my Windows XP machine. As you can see my Windows XP have some port opened. It's the http, epmap, netbios-ssn, https, microsoft-ds. 

This is the wireshark record in my Windows XP target machine :

See the record number 48 and 49. My Kali Linux (172.16.1.130) sent TCP SYN Packet to my Windows XP (172.16.1.128). Maybe you can't see the packet detail in this screenshot (Kinda My Fault, Sorry) but the specific port it targeting is port 80 (http port). The port is opened so the Windows XP sent back the TCP SYN,ACK Packet to my Kali Linux.

The Protocol used is TCP, but UnicornScan can also use another protocol mode by using --mode command line. There are several mode to be used such as --mode U for UDP, --A for ARP.
This is the Screen Shot of UnicornScan in UDP mode :

This is the result of UDP port scan. It will return the result of open UDP port such as tftp, and netbios-ns. 

There are also sniff mode. Like this :

There are so many information in sniff mode. I'm sorry I myself still can't explain all of the information but I'll promise I'll learn about it and post the explanation once I fully understand.

There are some issues if you use the same source port again and again. In this case I used port 445 as source port again and again. This is the result in the target machine's wireshark :

You can see in the wireshark are specified that there are a lot of port reuse (port 445)

Before I forget, UnicornScan can also spoof your IP address by using --source-addr (IP).
In my devious picture I spoofed my IP to 250.250.250.250.

That's all for this week. I hope this will help you all.

Selasa, 01 April 2014

DDoS attack using hping Command in Kali Linux

First of all, what is hping command in linux ? Hping is a command-line oriented TCP/IP packet assembler/analyzer. There are many uses of hping in the world of IT security.

Usage of Hping :
  • Firewall Testing
  • Advanced Port Scanning
  • Network testing using different protocol
  • Manual Path MTU discovery
  • Advanced trace route
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stack auditing

In this case, i will show the hping usage in performing DDoS attack. Please note that in this example I will use hping3 and all the command is executed in VM attacking another VM. The main command to use hping as DDoS is :

hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source (Victim IP)

-V : Verbose Mode is an option to provides additional details as to what the computer is doing and     what drivers and software it is loading

-c : packet count (in this case the packet count is 1000000)

-d : data size, in this case the data size is 120

-S : set SYN flag

-w : windows size, in this case the windows size is 64

-p : port, in this case the destination port is 445

-s : base source port, in this case the source port displayed will be port 445

--flood : flood mode, send packets as fast as possible and will not show replies

--rand-source : random the source address mode (Spoofing)

Preview :



This is hping DDoS attack in action. In this screen shot you can see i made many mistake in typing the first 5 command but this is learning process so mistake will only make you better.

As you can see, the target OS(Windows XP SP3) process reach 100% and it will give the victim very heavy work load (slow PC, lagging).

This is the WireShark preview in the target OS :

As you can see in the wireshark log, there are massive connection to 192.168.5.129 (victim IP) from many source targeting the port 445 of the target. In this case, the source is randomised by the hping (using --rand-source) command. The default protocol while using hping DDoS is NBNS protocol.

However, hping can use another protocol of attacking such as:

UDP : hping3 --flood --rand-source --udp -p 445 (Victim IP)    <-- Stated by --udp command



ICMP : hping3 --flood --rand-source --icmp -p 445 (Victim IP)   <-- Stated by --icmp command



Thats all for this week. Hope this will help all of you out there who want to learn how to use hping to perform DDoS attack.

Kamis, 27 Maret 2014

Kali Linux and Wireshark

In doing hacking process, the most important thing to do is prepare the tool and understand how to configure the tools correctly. Most of the time when the tools not working properly, it is caused by misconfiguration of the tools. In this class, i’m using Kali Linux as the main tools for hacking. Kali Linux not only have hacking and penetration testing tools but also has a built in forensic tools. Forensic is focus on evidence while penetration testing focus on testing the vulnerability of the target. 

Most of the tools in kali linux runs on Terminal or Command Prompt and most of the script uses python script. So another important thing to do in this class is to LEARN PYTHON. There are a lot of online tutorial about how to learn python. And python is usually used as prototype to test the hacking tools so it is very important to minimize the mistake while doing the actual hacking.

These are example of tools in Kali Linux



















This week i’ll try to explore one of the tools. One of the most useful tool in Kali Linux is wireshark. Wireshark is  a networks sniffer used to read the packet received and sent from and to the host computer. This is the network capture of the wireshark while listening to ethernet connection.





























In this capture, you can see the source, destination, protocol, length, etc. 

Time, determines when the packet is received/sent from when the wireshark is started.

Source, the source IP of the packet.

Destination, the destination of the packet.

Protocol, the protocol used by the packet.

Length, the length of the packet being sent/received.

Info, additional info of the packet.

If you want to follow the pacific packet, you can right click on the packet and follow the packet stream.



The image above is the content of the packet, and wireshark will now only display the packet sent/received by those specific source of the packet.

There are a lot of features of wireshark to be explored, but this is the basic of wireshark. Once again, wireshark is a very important tools mainly used in forensic to analyse the malicious packet, etc.





Kamis, 20 Maret 2014

First Week in Ethical Hacking and Penetration Testing Class

     In the first week, the most important thing to do is to install the VMWare in your preferred machine. I'm using a MacBookPro as my host machine. I'm currently using VMWare Fusion. The plus features of VMWare Fusion is that it can enable a seamless connection from the Emulated OS or VM with the host machine (My Mac). With seamless connection, everything in the mac will be synced to the VM so you can install application on the mac and use it in the VM.

     VMWare Fusion also has isolated install feature. With isolated install, you can install a perfectly isolated VM so anything in that VM will not affect the host OS and vice versa. This is the screenshot of the main interface of VMWare Fusion.


     I installed 2 Windows XP Service Pack 3 so i can try the network adapter of the virtual machine.
Network Adapter determines how the VM connect with other VM or the host. The first Adapter i tried is the NAT (Network Address Translation). NAT networks employ NAT to connect virtual machines to a physical network. This is achieved by using the host's IP address. NAT is responsible for tracking and delivering data between VMs and the physical LAN. 
This is screenshot of a VM pinging another VM using NAT connection.


     The second one I used Host Only Connection to try pinyin each VMs. With host only connection entire virtual networks can be created that run in a "sandboxed" environment. These networks are considered sandboxed because the virtual network doesn't contact existing physical networks. The virtual network isn't mapped to a physical interface and is called host-only networking. This is the screen shot of a VM pinging another VM using Host Only connection.


     Thats it for the first week in the class. Next week we will try using Kali Linux to do the hacking. But the first thing we need to prepare is the proper and right tools and VMWare is the perfect tool for testing this kind of thing because using VM you can create "SandBoxed" Environment.