Bloggerhacking.com
This article is strictly from the Ankit Fadia course on 5.0.
Videos are not published along with this PDF file. Only the valuable notes with images are described in this book. This book contains important questions and FAQ from AFCEH. For any query related to this e-book, you are kindly asked to email me at mail@Bloggerhacking.com
For example: 203.14.12.11. An IP address reveals a lot of information about the network it belongs to. The address classes and their ranges are:
Class A: 0.0.0.0 to 126.255.255.255
Class B: 128.0.0.0 to 191.255.255.255
Class C: 192.0.0.0 to 223.255.255.255
Class D: 224.0.0.0 to 239.255.255.255
Class E: 240.0.0.0 to 255.255.255.255
Class A: the first 8 bits give the Network ID and the last 24 bits give the Host ID.
Class B: the first 16 bits give the Network ID and the last 16 bits give the Host ID.
Class C: the first 24 bits give the Network ID and the last 8 bits give the Host ID.
Class D: all 32 bits form a multicast group ID.
Class E: not in use.
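To make the classful split concrete, here is an added Python example (not from the course notes) that reads the leading bits of an address, picks the class from them, and separates the network ID from the host ID by the rules above. The address 203.14.12.11 is the page's own example; the function name classify and the note on 127.0.0.0/8 (loopback, which the table above leaves out of Class A even though its leading bit is 0) are my additions.

```python
import ipaddress

# Loopback is excluded from the Class A range listed on the page (0-126),
# so it is flagged separately here even though its leading bit is 0.
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def classify(ip: str) -> dict:
    """Classify a dotted-quad IPv4 address by its leading bits and split it
    into network ID and host ID using the classful rules:
    A = 8/24 bits, B = 16/16, C = 24/8, D = 32-bit multicast group, E = reserved."""
    addr = ipaddress.IPv4Address(ip)
    value = int(addr)
    first = value >> 24  # first octet

    if first >> 7 == 0b0:          # leading bit 0
        cls, net_bits = "A", 8
    elif first >> 6 == 0b10:       # leading bits 10
        cls, net_bits = "B", 16
    elif first >> 5 == 0b110:      # leading bits 110
        cls, net_bits = "C", 24
    elif first >> 4 == 0b1110:     # leading bits 1110
        return {"class": "D", "multicast_group": str(addr)}
    else:                          # leading bits 1111
        return {"class": "E", "note": "reserved, not in use"}

    host_bits = 32 - net_bits
    host_mask = (1 << host_bits) - 1
    result = {
        "class": cls,
        "network_bits": net_bits,
        "network_id": str(ipaddress.IPv4Address((value & ~host_mask) & 0xFFFFFFFF)),
        "host_id": str(ipaddress.IPv4Address(value & host_mask)),
    }
    if addr in LOOPBACK:
        result["note"] = "loopback: outside the Class A range listed above"
    return result


if __name__ == "__main__":
    for ip in ("203.14.12.11", "10.1.2.3", "130.5.6.7", "224.0.0.1", "250.1.1.1", "127.0.0.1"):
        print(ip, classify(ip))
```

Running it on 203.14.12.11 gives Class C with network ID 203.14.12.0 and host ID 0.0.0.11, which is exactly the 24/8 split from the table.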
Fport
FPort is a tool used to find out all open ports, and it is a fabulous way to identify whether a trojan is working or not. You can download this tool from www.foundstone.com/us/resources/prodesc/fport.htm. Install Fport on your system and run it through the Command Prompt. Now type fport.
It shows you what process is running, the port number, the protocol and the path of the running program. Hence, we can check which ports are open, what is running on them, what daemons are in use, etc.
Ping Sweeping
The ping tool is used to determine whether the target system is connected to the Internet or not. It makes use of the Internet Control Message Protocol (ICMP). Here the attacker sends an ICMP Echo Request to the host; the host replies with an ICMP Echo Reply to the attacker. This concludes that the target is connected to the Internet. If the host does not respond to the attacker, then we can conclude that the target system is not connected to the Internet.
How to Ping ?
Open the Command Prompt, type ping [Website] and hit [Enter].
If the system is alive, it will display replies like those in the image above.
Tools Available
Cping, SuperScan, Nmap, ws_ping, ProBack
Ping Sweep: Detection
Manual or automated traffic monitoring should be able to easily detect a ping sweep.
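To show what "traffic monitoring" means in practice, here is an added Python example (not part of the course material) that reads constructed ICMP log lines and flags any source that sends Echo Requests (ICMP type 8) to many distinct hosts within a short window, which is the signature of a sweep. The log format, the addresses, the threshold of 5 hosts and the 10-second window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic) in a simplified
# "timestamp src dst proto icmp_type" format. 10.0.0.5 walks 192.168.1.1-8
# in a few seconds; 10.0.0.9 pings one host repeatedly, which is ordinary.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.168.1.1 icmp 8
2024-01-01T10:00:00 10.0.0.5 192.168.1.2 icmp 8
2024-01-01T10:00:01 10.0.0.5 192.168.1.3 icmp 8
2024-01-01T10:00:01 10.0.0.9 192.168.1.1 icmp 8
2024-01-01T10:00:01 10.0.0.5 192.168.1.4 icmp 8
2024-01-01T10:00:02 10.0.0.5 192.168.1.5 icmp 8
2024-01-01T10:00:02 10.0.0.5 192.168.1.6 icmp 8
2024-01-01T10:00:03 10.0.0.9 192.168.1.1 icmp 8
2024-01-01T10:00:03 10.0.0.5 192.168.1.7 icmp 8
2024-01-01T10:00:04 10.0.0.5 192.168.1.8 icmp 8
2024-01-01T10:00:05 10.0.0.9 192.168.1.1 icmp 8
2024-01-01T10:00:06 192.168.1.1 10.0.0.9 icmp 0
"""


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, proto, icmp_type)."""
    ts, src, dst, proto, icmp_type = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(icmp_type)


def detect_ping_sweeps(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(seconds=10)) -> dict:
    """Return {source: distinct_targets} for every source that sent ICMP Echo
    Requests (type 8) to at least `threshold` distinct hosts within `window`."""
    requests = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.strip().splitlines():
        ts, src, dst, proto, icmp_type = parse_line(line)
        if proto == "icmp" and icmp_type == 8:   # Echo Request only; replies are ignored
            requests[src].append((ts, dst))

    alerts = {}
    for src, hits in requests.items():
        hits.sort()
        for start, _ in hits:
            # distinct destinations probed in the window that starts at this request
            targets = {dst for ts, dst in hits if start <= ts <= start + window}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {count} hosts probed")
```

Only 10.0.0.5 trips the rule; the repeated pings from 10.0.0.9 to a single host are not a sweep, and the Echo Reply (type 0) line is ignored entirely.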
http://oldsite.precedence.co.uk/nc/putty.html
Let's assume that you are connected to the Internet and are behind a firewall that doesn't allow you to make outgoing connections to port 25 (SMTP) and port 80 (HTTP) of remote computers. However, you really need to establish such connections.
What do you need to do?
It may be possible that the firewall has not blocked outgoing connections to port 22 (SSH). This means that you can use PuTTY to create an SSH tunnel connection through the firewall (port 22) to an SSH server that you have access to, and then use it to connect to the blocked remote systems.
- Set up your own SSH server, or register for free on one, that has unblocked access to the Internet.
- Use PuTTY to create an encrypted SSH connection to the remote SSH server (outgoing port 22, encrypted communication, is allowed by the local firewall). PuTTY opens a local port that you can now connect to in order to access the remote SSH server.
- This SSH server then connects to the blocked systems that you want to access!
HTTP Tunneling
Many times we find ourselves in networks that have blocked access to certain websites or don't allow certain HTTP applications (like chat, gaming etc.) to communicate. HTTP tunneling allows users who are behind such restrictions (like firewalls or proxy servers) to hide their real activity/data inside unsuspicious-looking HTTP traffic, hence fooling the restrictions that are in place.
Port Forwarding
Typically in a home or office environment, most users access the Internet through a router. The router has a public IP address and can be seen by everybody on the Internet. All users behind the router are invisible to the Internet, since all of them have an internal IP address which cannot be accessed from the Internet. To allow remote computers on the Internet to connect to internal systems behind a router, port forwarding comes into the picture. Port forwarding allows you to remotely access your computer behind a router from anywhere on the Internet. Normally from the Internet you can only access the router, but port forwarding allows you to access all computers behind the router. For example, you may wish to access files on your computer while you are traveling abroad or are at work. Port forwarding is also used to set up a web server at home, set up online games, speed up P2P file sharing tools, share an IP address and do other useful things.
DNS Attacks
A DNS (Domain Name Server) lookup is a query sent by a user (browser or IM or email client) to a DNS server to convert a particular domain name into its respective IP address. A reverse DNS lookup is a query sent by a user to a DNS server to convert an IP address into its respective domain.
WebTools
There are various websites that allow you to play around with DNS:
www.dnsstuff.com
www.dnstools.com
www.zoneedit.com/lookup
Video Tutorial
http://www.youtube.com/watch?v=1d1tUefYn4U
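An added Python example, not from the course, showing what a DNS lookup and a reverse lookup look like on the wire: it builds the query for a name and for the in-addr.arpa name of an address, and parses a response. The two replies are constructed by hand for the example (using the page's example address 203.14.12.11 and the name www.example.com), not captured from any server. It also includes the check a resolver must make before caching a reply, that the 16-bit transaction ID and the question match the query; that ID field is what the cache poisoning attack described next is trying to guess.

```python
import struct
import ipaddress

QTYPE_A, QTYPE_PTR = 1, 12


def reverse_name(ip: str) -> str:
    """Name a resolver queries for a reverse lookup, e.g. 11.12.14.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txn_id: int, name: str, qtype: int) -> bytes:
    """DNS query: 12-byte header (ID, flags with RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and answer section of a DNS message."""
    txn_id, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _ = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE_A and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == QTYPE_PTR:
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txn_id, "flags": flags, "questions": questions, "answers": answers}


def matches_query(query: bytes, response: bytes) -> bool:
    """What a resolver must check before caching: same 16-bit ID and same question."""
    q, r = parse_response(query), parse_response(response)
    return q["id"] == r["id"] and q["questions"] == r["questions"]


def constructed_responses():
    """Two hand-built replies (constructed, not captured): an A answer for the
    page's example address and the matching PTR answer, both using the
    0xC00C pointer back to the question name."""
    a_query = build_query(0x1234, "www.example.com", QTYPE_A)
    a_resp = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
              + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, 1)
              + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
              + ipaddress.IPv4Address("203.14.12.11").packed)
    ptr_query = build_query(0x5678, reverse_name("203.14.12.11"), QTYPE_PTR)
    target = encode_name("www.example.com")
    ptr_resp = (struct.pack("!HHHHHH", 0x5678, 0x8180, 1, 1, 0, 0)
                + encode_name(reverse_name("203.14.12.11")) + struct.pack("!HH", QTYPE_PTR, 1)
                + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, 1, 300, len(target)) + target)
    return a_query, a_resp, ptr_query, ptr_resp


if __name__ == "__main__":
    a_query, a_resp, ptr_query, ptr_resp = constructed_responses()
    print(parse_response(a_resp)["answers"], matches_query(a_query, a_resp))
    print(parse_response(ptr_resp)["answers"], matches_query(ptr_query, ptr_resp))
```

The forward answer decodes to 203.14.12.11 and the reverse one to www.example.com. Note how little a reply has to get right to be accepted: a 16-bit ID and the question it claims to answer.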
one of the expected reply IDs. The probability of guessing the correct ID is (number of spoofed requests / 65535). However, if you apply the birthday paradox to this attack, then the probability is significantly improved. Research has shown that at around 700 data packets, the probability of guessing the correct ID is 100%. If the ID matches, then a successful DNS cache poisoning birthday attack gets executed.
Step 4: The attacker has to guess the correct ID faster than the victim DNS server gets a reply from other DNS servers. It is possible to slow down the reply from other DNS servers by flooding them with bogus packets.
Step 5: The victim DNS server stores the false DNS query reply in its cache. Now whenever any real user requests that particular domain, the false replies will be sent to them!
Note: It's important to note that for a DNS cache poisoning birthday attack to work properly, along with the ID field, the source & destination IP addresses and ports should also match! Getting the IP address of the victim & other DNS servers is easy, the destination port is usually UDP 53, and the source port can either be guessed or found out using a data sniffer.
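Added Python example (mine, not the course's) working through the two probabilities the text compares: the naive n/65536 estimate for n spoofed replies against one outstanding query, and the birthday-paradox estimate 1 - ((N - n)/N)^n for n spoofed replies with random IDs against n outstanding queries with random 16-bit IDs. The id_bits parameter is my addition so the same calculation shows why resolvers also randomize the UDP source port that the note above says can be guessed or sniffed: with a random port an attacker has roughly 32 bits to match instead of 16.

```python
import math

ID_BITS = 16  # the DNS transaction ID is a 16-bit field


def p_sequential(n: int, id_bits: int = ID_BITS) -> float:
    """Naive estimate: n spoofed replies against a single outstanding query,
    each reply trying a different ID, so P = n / 2^bits."""
    return min(n / (2 ** id_bits), 1.0)


def p_birthday(n: int, id_bits: int = ID_BITS) -> float:
    """Birthday variant: n outstanding queries (n distinct random IDs) and n
    spoofed replies with random IDs. One reply misses all n outstanding IDs
    with probability (N - n)/N, so P(at least one match) = 1 - ((N - n)/N)^n."""
    space = 2 ** id_bits
    if n >= space:
        return 1.0
    return 1.0 - ((space - n) / space) ** n


def packets_for(target: float, id_bits: int = ID_BITS) -> int:
    """Smallest n for which the birthday probability reaches `target`."""
    n = 1
    while p_birthday(n, id_bits) < target:
        n += 1
    return n


def comparison(n: int) -> dict:
    """Both estimates side by side for a given packet count."""
    return {"packets": n,
            "sequential": round(p_sequential(n), 4),
            "birthday": round(p_birthday(n), 4)}


if __name__ == "__main__":
    for n in (100, 300, 700):
        print(comparison(n))
    print("packets for a 50% chance, 16-bit ID only:", packets_for(0.5))
    print("packets for a 50% chance, 16-bit ID + random 16-bit port:", packets_for(0.5, 32))
```

At 700 packets the sequential estimate is about 1%, while the birthday estimate is above 99%, which is the improvement the text describes; with source port randomization the same 50% mark needs tens of thousands of packets rather than a couple of hundred, and the approximation n ~ sqrt(2 N ln 2) tracks the search loop closely.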
DNSSEC stands for Domain Name System Security Extensions and is a modified version of DNS that allows encrypted responses, hence making it quite difficult for attackers to carry out any attacks.
If we were to use brute force to crack the above type of encryption, then 2^(2n) attempts would have to be made, as opposed to 2^n attempts if only 1-key encryption was being used. So it seems that a 2-key encryption algorithm is more secure. In the Meet in the Middle attack, such a 2-key encryption algorithm is attacked from both sides using brute force. The attacker tries to encrypt the plaintext using different keys to get an intermediate encrypted value (one that has been passed through only one of the keys). Simultaneously, the attacker also tries to decrypt the encrypted value using different keys to get an intermediate encrypted value (again one that has been passed through only one of the keys). For whichever case the intermediate value matches, it is highly likely that the key used to encrypt the plaintext and the key used to decrypt the encrypted value are the two keys of the 2-key encryption algorithm being used. Voila!
Such an attack works against successive 2-key encryption algorithms like Double DES, Twofish, AES?
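An added worked example, not from the course: a constructed toy cipher (16-bit block, 12-bit key, nothing like DES) applied twice with two keys, and the meet-in-the-middle search that recovers the key pair in about 2 * 2^12 cipher operations instead of the 2^24 a naive search over both keys would need. The cipher, the key values and the names toy_encrypt, meet_in_the_middle and so on are all mine, chosen so the search finishes in well under a second.

```python
MASK = 0xFFFF          # 16-bit block
KEY_BITS = 12          # 4096 keys per stage: small enough to brute force quickly
KEY_SPACE = 1 << KEY_BITS


def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK


def rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """Constructed toy cipher (invertible, deliberately not secure):
    XOR with the key, add a key-derived constant, rotate."""
    y = (block ^ key) & MASK
    y = (y + ((key * 0x9E37) & MASK)) & MASK
    return rotl(y, 5)


def toy_decrypt(key: int, block: int) -> int:
    """Exact inverse of toy_encrypt."""
    y = rotr(block, 5)
    y = (y - ((key * 0x9E37) & MASK)) & MASK
    return y ^ key


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """The 2-key construction under attack: E_k2(E_k1(P))."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known plaintext/ciphertext pairs.
    Forward: encrypt P once with every k1 and store the middle values.
    Backward: decrypt C once with every k2 and look the middle value up.
    Cost is 2 * 2^KEY_BITS cipher operations, not 2^(2*KEY_BITS)."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(KEY_SPACE):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(KEY_SPACE):
        middle = toy_decrypt(k2, c0)
        for k1 in forward.get(middle, ()):
            # a chance collision on the first pair is weeded out by the others
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def work_factor() -> dict:
    """Operation counts the text compares, for this key size."""
    return {"meet_in_the_middle": 2 * KEY_SPACE, "naive_double_key": KEY_SPACE ** 2}


def demo():
    """Constructed secret keys and three known plaintexts; returns the true
    key pair alongside what the attack recovers."""
    k1, k2 = 0x0A5C, 0x0F31
    plaintexts = [0x1234, 0xBEEF, 0x0042]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return (k1, k2), meet_in_the_middle(pairs)


if __name__ == "__main__":
    true_keys, found = demo()
    print("true keys:", true_keys, "recovered:", found, work_factor())
```

The forward table is where the attack pays: memory for 2^n middle values buys the drop from 2^(2n) to roughly 2^(n+1) time. This is why double DES is rated at about 57 bits of effective strength rather than 112, and why triple DES was adopted instead of a two-key chain.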
SSID: (sometimes known as ESSID) is short for Service Set Identifier. It is the public name of a wireless network which is used to identify a particular network. Usually, SSIDs are case sensitive and are a sequence of alphanumeric characters (letters or numbers). SSIDs have a maximum length of 32 characters. SSIDs are almost like the domain name for a wireless network. Different wireless networks in the same geographical area use different SSIDs for differentiation.
BSSID: BSSID stands for Basic Service Set Identifier and is the 48-bit MAC address of the Access Point of a wireless network.
Wireless Access Point (WAP): a device that allows devices (like laptops and mobiles) to connect to a wireless network using Wi-Fi & other wireless standards. Usually an AP can serve multiple users within a specific area, and as the users move beyond the range, they are automatically handed over to the next AP. So a large physical room (like a conference center) may require a large number of APs.
MAC Address: short for Media Access Control address, is a 48-bit unique address that identifies every node in a network. Usually MAC addresses are assigned at the time of manufacture itself; however, they can be changed. In wireless networks, even APs have MAC addresses.
PSK: stands for Pre-Shared Key and is commonly used in encryption systems. It is a password or secret key that is shared amongst all the users using that particular encryption system. In wireless networks, it refers to the password that is shared between all users and APs, without which nobody can connect to the wireless network. PSK is vulnerable to dictionary and brute force attacks.
WEP (Wired Equivalent Privacy)
WEP is a security protocol that encrypts data transmission over wireless networks using secret keys. There are typically settings of WEP. In the WEP protocol, the AP & all the clients (users) connected to a wireless network should know the same secret key or password (PSK). When a user connects to a WEP encrypted wireless network, he needs to enter this PSK. This secret key or password is then used by WEP to encrypt all data transmission. It is a common misconception that WEP passwords are used for authentication & to control access to the Wi-Fi network. Actually WEP was originally designed to encrypt wireless communication & not to authenticate users. It is important to know that if a user does not know the PSK key, then he can't connect to the network. However WEP has been cracked, and that too very easily. This led to the creation of better and more secure wireless encryption standards. WEP does not provide any way to share the keys between the AP and clients, which makes it difficult for the key to be changed regularly over the wireless network automatically. Hence, most system admins and users tend to use the same wireless keys for long periods of time. This static nature of the wireless keys in WEP is its biggest weakness. Hence this gives an attacker plenty of time to find out the encryption key of the network.
WPA
WPA stands for Wi-Fi Protected Access and it is the more secure & improved version of WEP. It provides for better data encryption using the TKIP (Temporal Key Integrity Protocol) protocol, which scrambles the key using a hashing algorithm and checks the integrity of the key to detect any tampering. It also provides better user authentication through the Extensible Authentication Protocol (EAP), which uses a robust public key encryption system to ensure only authorized users can connect to the network.
WPA2
Upgraded version of WPA with increased levels of security. It uses the Advanced Encryption Standard (AES) to provide stronger encryption. WPA2 uses unique keys for each client to encrypt every data packet sent over the network and avoids reuse. It is as of now the most secure implementation of encryption over wireless.
RSSI
Received Signal Strength Indication, which represents the signal strength of a wireless network. RSSI values can range from 0 to -100. The closer the RSSI value is to -100, the better its signal strength, and the farther the RSSI value is from that, the worse the signal.
War Driving
War Driving is the technique of searching for accessible wireless networks by a person using a laptop or PDA while sitting in a moving car or just walking around. Typically, in war driving a user can find out the following information about WLANs in range:
SSID
MAC address
Type of security being used (WEP, WPA, WPA2)
Signal strength & location
There are usually 2 ways in which war driving tools are able to discover wireless networks.
Beacons: All APs periodically transmit beacons to announce their presence every 1/10th of a second, and these contain important network information (especially the SSID). Many war driving tools constantly and passively listen for such beacons to discover WLANs. This technique does not require the war driver to send any data to any wireless network and hence is a passive scanning technique. Some APs don't include their SSIDs in their beacons to war drivers! But such APs are still detected by the war driver, albeit without their SSID.
Probe Requests & Responses: These are packets that are sent by a computer asking for APs with a specific SSID to respond, or for all APs to respond. If a probe request packet has a particular SSID mentioned, then it is known as a 'directed probe request', and it requires that APs that support the same SSID should reply. If a NULL or empty probe request is sent, then all APs (of all SSIDs) that can hear the request are required to reply with a probe reply. All types of probe replies must contain the SSID of the network they came from. This is an active scanning technique of war driving.
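Added Python example (not from the course) that parses the pieces of 802.11 management frames a war-driving tool relies on: the frame-control subtype (beacon, probe request, probe response), the source and BSSID addresses, and the SSID tag, including the withheld-SSID beacon and the wildcard probe request described above. All frames are constructed inline with made-up MAC addresses and SSIDs; the helper names are mine.

```python
import struct

BROADCAST = b"\xff" * 6
SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}  # management subtypes


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes):
    """Parse the 24-byte 802.11 header and the SSID tag of a beacon, probe
    request or probe response. Returns None for any other frame."""
    fc = struct.unpack("<H", frame[:2])[0]          # frame control, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:       # type 0 = management
        return None
    kind = SUBTYPES[subtype]
    addr2, addr3 = frame[10:16], frame[16:22]       # source, BSSID
    body = frame[24:]
    if kind != "probe-request":
        body = body[12:]   # timestamp(8) + beacon interval(2) + capability(2) come first
    ssid, hidden, offset = None, False, 0
    while offset + 2 <= len(body):                  # tagged parameters: id, length, value
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if tag == 0:                                # SSID parameter set
            if length == 0 or value == b"\x00" * length:
                ssid = ""
                hidden = kind == "beacon"           # AP is not announcing its name
            else:
                ssid = value.decode("utf-8", "replace")
        offset += 2 + length
    info = {"kind": kind, "source": mac_str(addr2), "bssid": mac_str(addr3),
            "ssid": ssid, "hidden": hidden}
    if kind == "probe-request":
        info["directed"] = bool(ssid)               # empty SSID = wildcard request to all APs
    return info


def discover_networks(frames):
    """Passive inventory like a war-driving tool builds: BSSID -> SSID, filling
    in the names of hidden beacons from probe responses, which must carry it."""
    networks = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info is None or info["kind"] == "probe-request":
            continue
        entry = networks.setdefault(info["bssid"], {"ssid": "", "hidden_in_beacon": False})
        if info["kind"] == "beacon" and info["hidden"]:
            entry["hidden_in_beacon"] = True
        if info["ssid"]:
            entry["ssid"] = info["ssid"]
    return networks


def make_frame(kind: str, src: bytes, bssid: bytes, dst: bytes, ssid: bytes) -> bytes:
    """Build a constructed management frame for the example (not captured traffic)."""
    subtype = {v: k for k, v in SUBTYPES.items()}[kind]
    header = struct.pack("<H", subtype << 4) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    fixed = b"" if kind == "probe-request" else bytes(8) + struct.pack("<HH", 100, 0x0411)
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])   # SSID tag + one supported rate
    return header + fixed + tags


def constructed_capture():
    ap1 = bytes.fromhex("aabbccddee01")
    ap2 = bytes.fromhex("aabbccddee02")
    client = bytes.fromhex("001122334455")
    return [
        make_frame("beacon", ap1, ap1, BROADCAST, b"OfficeNet"),
        make_frame("beacon", ap2, ap2, BROADCAST, b""),                  # SSID withheld
        make_frame("probe-request", client, BROADCAST, BROADCAST, b""),  # wildcard probe
        make_frame("probe-response", ap2, ap2, client, b"HiddenNet"),    # reply still names the network
    ]


if __name__ == "__main__":
    for frame in constructed_capture():
        print(parse_mgmt_frame(frame))
    print(discover_networks(constructed_capture()))
```

The second AP is detected from its beacon without a name, exactly as the text says, and the name is filled in as soon as one probe response is seen.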
War Driving Tools
There are various tools that allow war driving:
inSSIDer (Windows based)
Vistumbler (Vista tool)
NetStumbler (Windows based)
Kismet (Linux)
AirMagnet (expensive tool)
Re-Association :
Re-association packets must contain the SSID of the network. Hence, they help criminals to discover the SSID of even those networks that do not broadcast the SSID in their beacon packets. This is another example of passive war driving.
De-Authentication Attack :
In case a particular AP is not broadcasting its SSID in its beacon packets, then normally you have to wait for one of the clients to send a re-association request to the AP, or maybe for a new client to send an association request to the AP. Instead it is possible to send a de-authentication packet to the broadcast address of the target WLAN with a spoofed source address as the AP. This will lead to all the clients getting disconnected, and they would then try to reconnect by sending a re-association request, which allows you to grab the SSID. This can easily be executed with the help of a very interesting tool called Aireplay-ng, which is a part of the popular Aircrack toolkit. We will learn more about this toolkit in detail later. You can use this tool to kick active users off the network and then force them to send a re-association request and find out their SSID. If you are connected to a wireless network and are getting low speeds since there are too many active users on it, then it is possible to execute a de-authentication attack and kick active users off the network and get more bandwidth for yourself.
aireplay-ng -0 50 -a AP_MAC -c your_MAC interface_name
This will temporarily kick all users from the wireless network (50 de-authentication packets)!
aireplay-ng -0 1 -a AP_MAC -c your_MAC ath
where:
-0 means de-authentication packet
1 is the number of de-authentication packets; 0 means nonstop
-a AP_MAC specifies the MAC address of the AP
-c specifies the client MAC address that needs to be de-authenticated. If not mentioned, then all clients get de-authenticated.
ath specifies the interface name.
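The attack above, and the re-association discussion before it, both depend on a burst of de-authentication frames that a wireless IDS can simply count: a real AP rarely sends dozens of deauths in a second, and almost never to the broadcast address. Here is an added Python example (not from the course) that walks a constructed capture, counts deauthentication and disassociation frames per claimed source address in a sliding one-second window, and reports bursts, noting when they are broadcast; the addresses, threshold and window are assumptions made for the example.

```python
import struct
from collections import defaultdict

DISASSOC, DEAUTH = 10, 12          # management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def frame_info(frame: bytes) -> dict:
    """Frame type/subtype and the three addresses from the 24-byte 802.11 header."""
    fc = struct.unpack("<H", frame[:2])[0]
    return {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}


def detect_deauth_flood(capture, threshold: int = 10, window: float = 1.0):
    """capture: list of (seconds, frame_bytes). Alert when one claimed source
    sends at least `threshold` deauth/disassoc frames within `window` seconds;
    a broadcast destination means every client is being dropped at once."""
    per_source = defaultdict(list)
    for ts, frame in capture:
        info = frame_info(frame)
        if info["type"] == 0 and info["subtype"] in (DEAUTH, DISASSOC):
            per_source[info["src"]].append((ts, info["dst"]))

    alerts = []
    for src, events in per_source.items():
        events.sort()
        best, start = 0, 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:     # slide the window forward
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            alerts.append({"source": src, "count": best,
                           "broadcast": any(dst == BROADCAST for _, dst in events)})
    return alerts


def make_deauth(src: bytes, dst: bytes, bssid: bytes, reason: int = 7) -> bytes:
    """Constructed deauthentication frame: 24-byte header + 2-byte reason code."""
    return (struct.pack("<H", DEAUTH << 4) + b"\x00\x00" + dst + src + bssid
            + b"\x00\x00" + struct.pack("<H", reason))


def constructed_capture():
    """Made-up capture: 50 broadcast deauths in half a second claiming to come
    from the AP, plus one ordinary unicast deauth half a minute later."""
    ap = bytes.fromhex("aabbccddee01")
    client = bytes.fromhex("001122334455")
    bcast = b"\xff" * 6
    capture = [(i * 0.01, make_deauth(ap, bcast, ap)) for i in range(50)]
    capture.append((30.0, make_deauth(ap, client, ap, reason=3)))
    return capture


if __name__ == "__main__":
    for alert in detect_deauth_flood(constructed_capture()):
        print("deauth burst:", alert)
```

The burst is reported with its count of 50 and the broadcast flag set, while the single unicast deauth alone raises nothing. The protocol-level fix for this class of attack is 802.11w, protected management frames, under which de-authentication frames are authenticated and spoofed ones are discarded by clients.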