
Hi!

I want to know you, please state your:
• Name
• Work
• Address
• Age
Schedule:

Aug. 24, 2019 (Saturday) 9:00AM – 5:00PM

Aug. 25, 2019 (Sunday) 9:00AM – 5:00PM
Ethical Hacking

By: Richard Reblando


What is Kali?

• Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing.

• Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering.

• Kali Linux is developed, funded and maintained by Offensive Security, a leading information security training company.

• Kali Linux 1.0 was released on 13 March 2013 as a complete, from-the-ground-up rebuild of BackTrack Linux.
Ethical Hacking

• Sometimes called Penetration Testing: the act of intruding into/penetrating systems or networks, with the owner's permission, to find the threats and vulnerabilities that a malicious attacker could find and exploit to cause loss of data, financial loss or other major damage.

• The purpose of ethical hacking is to improve the security of the network or systems by fixing the vulnerabilities found during testing.

• The primary benefit of ethical hacking is to prevent data from being stolen and misused by malicious attackers.
PROCEDURES OR COMMON TASKS

 Topology Discovery
  Knowing the network layout.
  Discovering all devices on the network that you are connected to.
  Kali Linux can list the devices connected to a network with netdiscover (see "netdiscover --help" for the options); it works by ARP, so it only sees hosts on the local segment:
  netdiscover -i eth0
 OS Fingerprinting
  OS Determination: finding which OS is running on the target's computer.
  • Active Fingerprinting: sends probes to the target and reads its replies (e.g. nmap -O); the target can see it.
  • Passive Fingerprinting: only listens to traffic the target already sends (e.g. p0f); the target cannot see it.
 Service Discovery
  Services running on a host.
  Common services: http [80], ftp [21 control, 20 data], https [443], ssh [22], telnet [23].

 Packet Capture
  Copying the data flowing between client and destination.
  Using Wireshark, a network TAP, a SPAN or mirror port, or the built-in packet capture features of firewalls or routers.
 Log Review
  Examining all attempted access: successful and unsuccessful attempts.

 Router/firewall ACL review
  Firewall / router ACLs: the list of access-control rules that decide which traffic the router or firewall will pass or drop.
 Email Harvesting
  Getting email addresses using several methods.
  Attacker's purpose: bulk messaging and spamming; in a test, building the target list for phishing and social engineering.
  Using theHarvester (-d domain, -b data source, -l result limit):
  theharvester -d google.com -b google -l 100

 Social Media Profiling
  Gathering data on the target from publicly shared social data.
  Name, interests, job, location, etc.
 Social Engineering
  Sweet-talking the victim into revealing sensitive data.
  Convincing the victim to do a task.

 DNS Harvesting
  Gathering DNS records to map the network.
  Host addresses (A records), name servers (NS), mail servers (MX), etc.
WIRESHARK

• open source network packet analyser and monitor (it captures and decodes traffic; it is not a port scanner).
• powerful and popular network analyser.
• inspects traffic, down to individual packets, passing through a NIC (network interface card): Ethernet, Wi-Fi.
• captures all of those packets sent and received over your network and decodes them for analysis.
• pre-installed in Kali Linux.
• PACKET SNIFFING: looking through the packets that are flowing along a connection/network.
• Wireshark dissects a very large number of protocols, such as TCP, ARP, HTTP, DNS, UDP, etc.
FILTERING (DISPLAY FILTER EXPRESSIONS):

 http.request
 - show only HTTP request packets (use plain "http" for requests and responses).
 ip.src == 192.168.254.136
 - show packets whose source IP is 192.168.254.136.
 ip.dst == 192.168.254.136
 - show packets whose destination IP is 192.168.254.136.
 ip.addr == 192.168.254.136
 - show packets with IP 192.168.254.136 as either source or destination.
 ip.addr == 192.168.254.0/24
 - show packets with a source or destination within the given network.
 tcp
 - show all TCP packets.
 http.request.method == "POST"
 - show only HTTP POST requests (form submissions; on plain HTTP the submitted fields, including credentials, are readable in the packet bytes).
Information Gathering or Reconnaissance
A. Footprinting

 Part of the reconnaissance stage.
 To gather as much info on a target (system, organization, person) as possible.

 Gathers info about:
• Employees
• Org activities
• Network infrastructure
• Security
 Can be ACTIVE or PASSIVE
• Passive
- requires no direct contact with the organization.
- Might use the internet, public databases to gather info.
• Active
- some kind of direct contact with the organization.
- Might use social engineering, entering the premises (in disguise), taking photos.
B. Types of Information Gathered in Footprinting

• IP address range
• Types of systems and equipment (firewalls, routers, etc.)
• OS
• Applications and versions
• Key personnel (security person or IT person)
• Phone numbers
• Business relationships (with another company, a competitor)
• Products
• Contracts
• Financial data
• Security methods and procedures
• Network infrastructure
C. Footprinting Methods

 Internet Searching
• Where the footprint starts.
• DIG DEEPER than just the first few pages.
• Search engines, people searches, blogs, websites, partner websites, FB, LinkedIn, Google Earth, Bing Maps, company sites, business sites.

 Google Hacking
- uses search operators (keywords) to return specific information about the target.
- allinurl, inurl, allintitle, intitle (also site: and filetype:).

 Email Footprinting
- involves viewing the headers to determine information about the email as it travelled from sender to receiver.
- can give IP addresses, server names, banners (mail server software), the username format, etc.

 WHOIS and DNS Footprinting
- whois uses domain name registration records to search for organizational network info.
- DNS footprinting is used to determine the name servers and other information about an organization.
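The email footprinting step above, as an added example (my own code, not from the slides): reading the Received chain of a message with Python's standard email module. The message, its host names and IP addresses (documentation ranges) are constructed for the demo, and the username-format guess is a heuristic.

```python
"""Email footprinting: pull relay path, origin IP, mail software and
username convention out of raw message headers."""
import email
import re
from email.utils import parseaddr

# Constructed sample message (documentation IP ranges, made-up hosts), as the
# raw headers an analyst sees with "show original" in a mail client.
SAMPLE_MAIL = """\
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
\tby inbound.target.example (Postfix) with ESMTPS id 4F3A2C1
\tfor <alice@target.example>; Sat, 24 Aug 2019 09:15:02 +0800
Received: from workstation.corp.example.org (unknown [198.51.100.25])
\tby mx1.example.org (Postfix) with ESMTPSA id 1A2B3C4;
\tSat, 24 Aug 2019 09:14:58 +0800
From: Bob Sender <bob.sender@example.org>
To: alice@target.example
Subject: Q3 report
Message-ID: <20190824011458.1A2B3C4@mx1.example.org>
X-Mailer: Microsoft Outlook 16.0
Content-Type: text/plain; charset="utf-8"

Please find the report attached.
"""

# "from <name> (<reverse-dns> [<ip>]) ... by <server>"; the (...[ip]) part is
# optional because some relays omit it. re.S lets ".*?" cross folded lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"
    r"(?:\s+\([^\[\)]*\[(?P<ip>[0-9A-Fa-f.:]+)\])?"
    r".*?\bby\s+(?P<by_host>\S+)",
    re.S,
)


def received_hops(msg):
    """Each relay prepends its own Received header, so the top one is the
    last hop; reverse them to get the sender-to-receiver path."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group("from_host"), m.group("ip"), m.group("by_host")))
    return hops


def username_format(address):
    """Heuristic guess at the organisation's username convention."""
    local = parseaddr(address)[1].split("@")[0]
    if "." in local:
        return "first.last"
    if "_" in local:
        return "first_last"
    return "unknown"


def footprint(raw):
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    hosts_seen = set()
    for from_host, _ip, by_host in hops:
        hosts_seen.update((from_host, by_host))
    msgid = (msg.get("Message-ID") or "").strip("<>")
    return {
        "hops": hops,                                   # chronological
        "origin_ip": hops[0][1] if hops else None,      # first relay's peer
        "hosts_seen": sorted(hosts_seen),               # internal + MX names
        "mailer": msg.get("X-Mailer"),                  # client software banner
        "username_format": username_format(msg.get("From", "")),
        "message_id_host": msgid.rpartition("@")[2] or None,
    }


if __name__ == "__main__":
    for key, value in footprint(SAMPLE_MAIL).items():
        print(key, "=", value)
```

Only the headers added by servers you trust (the ones nearest the top, i.e. the last hops) are reliable; everything below them was supplied by the sender's side and can be forged, so treat the origin IP and the internal host name as leads to verify, not facts.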
NMAP (Network Mapper)

- It is an open source tool for network exploration and security auditing.

- It was designed to rapidly scan large networks.

- It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
- Nmap is commonly used for security audits; many systems and network administrators also find it useful for routine tasks.

- has the power to give you a map of a network or system.

- You can see the OS version and the open ports.

- Powerful active recon (the target sees the probes, so it is noisy).

Common Nmap results:

- host discovery, port scanning, version scanning, OS detection.
Commands:

 man nmap
 - manual/guide for using nmap.
 nmap -sn www.google.com
 - ping scan (host discovery only) of the given target, no ports shown.
 nmap -A www.google.com
 - aggressive scan: OS detection, version detection, default scripts and traceroute (OS detection needs root).
 nmap --top-ports 10 192.168.254.136
 - scan only the N most common ports; here N = 10.
 nmap -p 80 192.168.254.136
 - scan a specific port; here port 80.
 nmap -p T:80 192.168.254.136
 - scan a specific TCP port.
 nmap -sU -p U:53 192.168.254.136
 - scan a specific UDP port (UDP ports need the -sU scan type and a port number after "U:").
 nmap --open 192.168.254.136
 - show only the ports found open (closed and filtered ports are hidden).
 nmap -A -T4 192.168.254.136
 - "-T4" is the aggressive timing template, for faster execution.
 nmap -v 192.168.254.136
 - "-v" (verbose) prints progress information while scanning.
 nmap -oG - 192.168.254.0-255 -v
 - scan the whole network and write grepable output ("-oG") to stdout ("-"): one line per host, easy to grep or parse; without -oG the normal output is multi-line per host and harder to process.
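Added example (not from the slides): a small Python parser for the grepable output the last command produces, run on a constructed sample rather than a live scan; the hosts, ports and version strings are made up. After the sweep it flags the cleartext login services (ftp, telnet) named in the service-discovery slide, which is the check a tester wants before moving to packet capture.

```python
"""Parse 'nmap -oG -' (grepable) output and flag cleartext login services."""

# Constructed sample of grepable output; hosts, ports and versions are made up.
SAMPLE_OG = """\
# Nmap 7.80 scan initiated Sat Aug 24 10:00:00 2019 as: nmap -oG - -p 21-23,80,443 192.168.254.0/24
Host: 192.168.254.1 (gateway.lan)\tStatus: Up
Host: 192.168.254.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//Apache httpd 2.4.38/, 443/open/tcp//ssl|https//Apache httpd 2.4.38/\tIgnored State: closed (2)
Host: 192.168.254.136 ()\tStatus: Up
Host: 192.168.254.136 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.38/, 443/closed/tcp//https///\tIgnored State: closed (1)
# Nmap done at Sat Aug 24 10:00:05 2019 -- 256 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

CLEARTEXT_LOGIN = {"ftp", "telnet"}   # credentials cross the wire unencrypted


def parse_grepable(text):
    """Return {ip: {"hostname": str|None, "ports": [ {...}, ... ]}}.

    Every host line is tab-separated into fields such as "Host: ip (name)",
    "Status: Up", "Ports: ..." and "Ignored State: ...".  Each port entry has
    seven slash-separated fields: port/state/protocol/owner/service/rpc-info/
    version (nmap replaces "/" inside those fields with "|", so splitting on
    "/" is safe).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # comment and blank lines
        fields = line.split("\t")
        ip, _, name = fields[0][len("Host: "):].partition(" ")
        entry = hosts.setdefault(ip, {"hostname": name.strip("()") or None, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue              # malformed entry: skip, don't crash
                entry["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def open_ports(hosts, ip):
    """Open port numbers for one host, in scan order."""
    entry = hosts.get(ip, {"ports": []})
    return [p["port"] for p in entry["ports"] if p["state"] == "open"]


def cleartext_logins(hosts):
    """(ip, port, service, version) for every open cleartext login service."""
    findings = []
    for ip, entry in hosts.items():
        for p in entry["ports"]:
            if p["state"] == "open" and p["service"] in CLEARTEXT_LOGIN:
                findings.append((ip, p["port"], p["service"], p["version"]))
    return findings


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    for ip, entry in scan.items():
        print(ip, entry["hostname"], open_ports(scan, ip))
    for finding in cleartext_logins(scan):
        print("cleartext login service:", finding)
```

Feed it a real scan with `nmap -sV -oG - 192.168.254.0/24 | python3 parse_og.py` style piping (read stdin instead of SAMPLE_OG); the version column is only filled when -sV or -A was used.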
DMITRY (Deepmagic Information Gathering Tool)

- can get the hostname and IP address of the target system.

- port scan, subdomain search, email gathering, whois module.

Passive options (RECON):

 -i - whois lookup on the IP of the host.
 -w - whois lookup on the domain name.
 -n - retrieve data from netcraft.
 -s - perform a search for possible subdomains.
 -e - search for email addresses on a host.
Active options (RECON):

 -p - perform a TCP port scan on the host.
 -f - perform a TCP port scan on the host and include filtered ports in the results.
 -b - attempt to read banner info from each open port.
 -t - set the TTL in seconds when scanning a port.

Commands:
 dmitry -wnseo "host"
 - all passive recon options at once (-o saves the output to a file).
 dmitry -pbo "host"
 - active recon options (port scan with banner grabbing).
WHOIS

- gives the detailed domain registration information of your target.

Some of the attributes in the domain details are:
▪ Registrar
▪ Admin contact
▪ Tech contact
▪ Name servers
▪ Geographical location (registrant address)
▪ IP history (from historical whois/DNS services rather than the live whois record)

Command:
 whois "domain name"
 - ex. whois google.com
ARMITAGE

• a GUI for Metasploit which makes penetration testing easier.
• It was developed by Raphael Mudge.
• This tool helps to reduce the time needed and also gives security professionals a good understanding of Metasploit.
• It recommends exploits, has advanced post-exploitation features, and gives a very good visualization of the targets.
• The targets scanned or connected to are shown visually.
Advantages:

• it gives the user a much better idea of what is going on.
• a good understanding of Metasploit for security professionals.
• The number of targets scanned or connected to is shown visually.
• lets you follow the scan process and how everything is being exploited.
• helps to reduce the time of exploitation.
• the exploitation process is automated.
Disadvantages:
• easy to detect
• makes noise (automated exploitation throws many exploits at every host and can crash services; not suited to stealthy or production-sensitive engagements)

- Menus in Armitage:
• Armitage
• View
• Hosts
• Attacks
• Workspaces
• Help

- The Target window shows the target systems. There are two types of view:
• Graph view
• Table view
- 2 types of SCAN:

 Nmap scan, which basically scans the target for open ports and services;

 MSF scans: with the help of Metasploit auxiliary modules, it enumerates several common services.

- Compromised targets are shown in red (with a lightning-bolt icon).

- The Armitage interface is divided into 3 sections:

 1st section (MODULES) - displays the preconfigured MSF modules: auxiliary, exploit, payload, post.
 2nd section (TARGETS) - displays the active targets that can be exploited, drawn as computers.
 3rd section (TABS) - the Metasploit console and other tabs.

- Find Attacks: all compatible exploits for the scanned hosts are found automatically (matched to the discovered OS and services) and added to each host's Attack menu.

- Hail Mary: runs every recommended exploit against all your targets; "smart" automatic mass exploitation.
OPHCRACK

• a popular free Windows password cracker based on rainbow tables.
• has a Graphical User Interface.
• runs on multiple platforms, including Windows, Unix, Linux, Mac OS X.
• can crack a password within minutes, but can also take time depending on the password strength.
• the free pre-installed tables break passwords of not more than 14 characters using only alphanumeric characters (14 is the LM hash limit).
• the Ophcrack LiveCD is downloaded according to the target OS: XP / Vista / Win7.
• it can boot from a flash drive or CD.
Advantages:
• It is freely available for download online.
• works on Windows, Mac, Unix, Linux.
• No software installation is necessary to recover passwords (the LiveCD boots on the target machine).
• No knowledge of any existing passwords is necessary.

Disadvantages:

• time-memory trade-off: more disk space for tables solves the problem faster.

• Unable to work on Windows 10, 8.1, 8.

• some antivirus products treat Ophcrack as a trojan or virus.

• passwords longer than 14 characters cannot be recovered (with the LM tables).

• the LiveCD ISO image must be burned to a disc or USB device before being used.
RAINBOW TABLE (md5sum)

• Operating systems don't store user passwords in plain text; they store a hash of the password (Windows: LM and NT hashes; Linux: salted hashes in /etc/shadow).
• A rainbow table (RT) is a precomputed table for reversing cryptographic hash functions.
• Precomputed means a list of possible passwords with their equivalent hashes was generated in advance.
• Conceptually a rainbow table is an enormous list of passwords and hashes; on disk it stores only the start and end points of long "hash chains", which is the time-memory trade-off that keeps the table size manageable.
• Process: the hash you want to crack is compared against the table; if it matches a chain, that chain is regenerated and the password is given.
• Table sizes are still massive.
• Rainbow tables only work against unsalted hashes (LM, NT, plain MD5); a per-user salt makes the precomputation useless.
RT character sets:

 numeric - 0123456789
 alpha - ABCDEFGHI...Z
 alpha-numeric - ABCDEFGHI...Z0123456789
 loweralpha - abcdefghi...z
 loweralpha-numeric - abcdefghi...z0123456789
 mixalpha - abcdefghi...zABCDEFGHI...Z
 mixalpha-numeric - abcdefghi...zABCDEFGHI...Z0123456789
DOWNLOADABLE TABLES:
- tables can be downloaded from the Ophcrack website

• For Windows XP, Ophcrack supplies two free alphanumeric tables.
• they crack 99.99% of all passwords under 14 characters consisting of a combination of letters and numbers: "abcdefghijklmnopqrstuvwxyz0123456789"
• these tables contain 80 billion different hashes, corresponding to 12 septillion possible passwords.
- tables_XP (sample rainbow table)

• you can choose between the XP free small and the XP free fast tables.
• The downside of both tables is their inability to crack passwords with special characters.

- For Windows Vista, which abandoned the weak LM hash and moved on to the stronger NT hash, there are fewer possibilities.

- tables_Vista (sample rainbow table)

• Ophcrack only gives away a table with dictionary words and variations (hybrids) for free.
• they also sell alphanumeric tables including special characters (about $99).

- Because the NT hash is case-sensitive and allows a much greater password length, the premium tables are the better choice against NT hashes.
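Added example, not part of the original slides: a miniature rainbow table in Python over the slide's loweralpha-numeric set, using MD5 (the slide's "md5sum") instead of the LM/NT hashes Ophcrack targets. Password length, chain length, number of chains, the start points and the reduction function are all choices made for the demo. It shows concretely what "precomputed" and "memory trade-off" mean: the table keeps only each chain's start and end point, and a lookup regenerates one chain instead of comparing the target against every stored hash.

```python
"""Toy rainbow table: build chains over a small password space, then crack
an MD5 hash by walking it to a chain endpoint and regenerating that chain."""
import hashlib

# Demo parameters (constructed): 4-character passwords over the slide's
# loweralpha-numeric set, 100 reductions per chain, 200 chains.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
PW_LEN = 4
CHAIN_LEN = 100
SPACE = len(CHARSET) ** PW_LEN          # 36**4 = 1,679,616 passwords


def H(pw):
    """The hash being attacked (md5sum of the password, no salt)."""
    return hashlib.md5(pw.encode()).hexdigest()


def R(digest_hex, i):
    """Reduction function number i: map a hash back into the password space.
    Adding i makes every column use a different reduction, which is what makes
    it a rainbow table rather than plain hash chains (far fewer merges)."""
    n = (int(digest_hex, 16) + i) % SPACE
    out = []
    for _ in range(PW_LEN):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)


def build_chain(start, t=CHAIN_LEN):
    """p_0 = start, p_{k+1} = R_k(H(p_k)); returns [p_0, ..., p_t].
    p_0..p_{t-1} are the passwords this chain can crack, p_t is the endpoint."""
    pws = [start]
    for k in range(t):
        pws.append(R(H(pws[-1]), k))
    return pws


def build_table(starts, t=CHAIN_LEN):
    """Precomputation. Only endpoint -> start points is kept, not the t-times
    larger list of every hash. Chains that merge share an endpoint, hence the list."""
    table = {}
    for s in starts:
        table.setdefault(build_chain(s, t)[-1], []).append(s)
    return table


def crack(table, target, t=CHAIN_LEN):
    """Look up one hash. For each possible column k, assume the password sat
    there, walk the rest of the chain to an endpoint, and if that endpoint is in
    the table regenerate the chain to find (and verify) the password."""
    for k in range(t - 1, -1, -1):
        x = R(target, k)
        for j in range(k + 1, t):
            x = R(H(x), j)
        for start in table.get(x, ()):
            pw = start
            for i in range(t):
                if H(pw) == target:       # verification rejects false alarms
                    return pw
                pw = R(H(pw), i)
    return None                            # not covered by this table


# Constructed start points: a few hand-picked plus pseudo-random ones.
STARTS = ["kali", "toor", "pass", "2019"] + [R(H("seed%d" % n), 0) for n in range(196)]
TABLE = build_table(STARTS)

if __name__ == "__main__":
    for pw in ("kali", build_chain("toor")[42], "Kali"):
        print(pw, H(pw), "->", crack(TABLE, H(pw)))
```

With 200 chains of 100 the table covers at most about 20,000 of the 1.68 million possible passwords, so crack() returns None for most inputs; real tables use millions of chains and gigabytes of disk, and the 99.99% figure above is what that buys. "Kali" fails for a different reason: it is outside the character set, exactly like the special-character passwords the free XP tables miss. Adding a per-user salt to H would make the precomputed TABLE worthless, which is why rainbow tables work on LM/NT hashes but not on /etc/shadow.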
