I spent 8 weeks on IT security. Here are my notes.

Main learning right up front: Little is as fascinating as tech security. Especially breaching it. I want to share the remarks I made on different topics ranging from just general overviews in a certain field to specific terminal commands and attack procedures.

Random hackerish looking image to draw attention. Thanks, Lewis Ngugi from Unsplash.

Procedures

Mapping a local network

  1. arp -a → Displays all devices which were recently connected to the LAN (Alternative 1: nmap -sP 192.168.0.1-254 → Ping sweep the network from 1-254 with nmap // Alternative 2: nmap 192.168.1.0/24 → Ping sweep the entire subnet // Alternative 3: nmap -sP -PT80 192.168.0.1-30 → Ping sweep via a TCP port 80 request if the network has blocked ICMP)
  2. nmap 192.168.1.157 → Show open ports on the victim device
  3. sudo nmap -O --osscan-guess 192.168.1.157 → Detect the OS of the device
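As an added example (not part of the original notes), a small Python audit of arp -a output against an inventory: it flags MACs that are not on the list, a gateway whose MAC no longer matches the recorded one, and a single MAC that claims several IPs, the classic symptom of the ARP spoofing listed under Attack Types. The sample output, the inventory and the parse_arp/audit_arp names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output mixing the macOS and Linux line shapes;
# every address below is made up.
SAMPLE_ARP = """\
? (192.168.1.1) at a4:2b:8c:11:22:33 on en0 ifscope [ethernet]
? (192.168.1.23) at d4:33:a3:ed:f2:12 on en0 ifscope [ethernet]
? (192.168.1.50) at (incomplete) on en0 ifscope [ethernet]
printer.lan (192.168.1.77) at 0:1e:8f:aa:bb:cc [ether] on eth0
? (192.168.1.157) at d4:33:a3:ed:f2:12 on en0 ifscope [ethernet]
"""

# Constructed inventory recorded in a known-good state: the gateway address
# plus the MAC addresses that are allowed on this segment.
GATEWAY_IP = "192.168.1.1"
KNOWN_MACS = {
    "a4:2b:8c:11:22:33": "gateway",
    "00:1e:8f:aa:bb:cc": "printer",
}

# Matches "(192.168.1.1) at a4:2b:8c:11:22:33"; macOS may drop leading zeros.
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})", re.I)


def parse_arp(text):
    """Return (ip, mac) pairs; MACs zero-padded lowercase, incomplete entries skipped."""
    pairs = []
    for ip, mac in ARP_RE.findall(text):
        pairs.append((ip, ":".join(p.zfill(2) for p in mac.lower().split(":"))))
    return pairs


def audit_arp(text, known_macs=KNOWN_MACS, gateway_ip=GATEWAY_IP):
    """Return findings: unknown devices, a changed gateway MAC, one MAC on many IPs."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in parse_arp(text):
        ips_by_mac[mac].append(ip)
        if mac not in known_macs:
            findings.append(f"unknown device {ip} at {mac}")
        if ip == gateway_ip and known_macs.get(mac) != "gateway":
            findings.append(f"gateway {ip} now at {mac}: possible ARP spoofing")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {sorted(ips)}: possible ARP spoofing")
    return findings
```

Run it periodically against the live arp -a output and compare with the inventory; a MAC that suddenly answers for the gateway is worth an immediate look.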

Packet Injection

Only Kali Linux + airmon-ng

  1. airmon-ng → See the current wlan adapters (doesn't work on Mac OS X)
  2. ifconfig wlan2 down → Take down the wireless adapter so it can be put into monitor mode afterwards
  3. airmon-ng start wlan2 → Start the adapter in monitor mode
  4. The adapter will create a new interface 'mon0' for packet injection
  5. aireplay-ng -9 mon0 → Test how well packets can be injected into the APs that are detected by 'mon0'
  6. See the result as a percentage of how many packets were injected into which AP

DNS Spoofing

Setting up a DNS spoofing server on an EC2 instance (Detailed tutorial):

  1. yum install dnsmasq → Install dnsmasq on the EC2 instance
  2. nano /etc/dnsmasq.conf → Edit the dnsmasq settings
  3. Add these four lines (each on its own line!) at the very top of dnsmasq.conf:
       no-dhcp-interface=
       server=8.8.8.8
       no-hosts
       addn-hosts=/etc/dnsmasq.hosts
  4. nano /etc/dnsmasq.hosts → Create or open the file with the spoofed domains (it does not exist directly after install)
  5. 54.77.172.205 www.facebook.com facebook.com → Add the IP of the fake / own content and the domains that will be spoofed to dnsmasq.hosts
  6. killall dnsmasq → Stop dnsmasq (if it is not running you'll get an error saying "dnsmasq: no process found", which is fine)
  7. dnsmasq --no-daemon --log-queries → Start dnsmasq in the foreground, logging every query
  8. Change the local DNS settings on your computer to the IP address of the EC2 instance
  9. Check that DNS requests are still resolved to the websites and show up in the dnsmasq log in the EC2 terminal window
  10. nano /etc/httpd/conf/httpd.conf → Edit the Apache server settings: add a virtual host for the domain that will be spoofed at the very end of httpd.conf (below the existing <VirtualHost *:80> section):
        <VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName facebook.com
        </VirtualHost>
  11. service httpd restart → Restart the Apache server
  12. Check in the browser that the spoofed domain is redirected to the fake / own website
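As an added example (not part of the original notes), a Python audit of the dnsmasq --log-queries output that step 7 produces: it separates names answered from a local hosts file (addn-hosts) from names forwarded upstream, and flags every local override for a name the operator does not own, which is exactly the facebook.com entry from step 5. The sample log lines, the owned-suffix allowlist and the parse_log/suspicious_overrides names are assumptions.

```python
import re

# Constructed sample of dnsmasq --log-queries output (syslog timestamp stripped).
# Line shapes follow dnsmasq's logging; the hosts, addresses and PID are made up.
SAMPLE_LOG = """\
dnsmasq[1234]: query[A] www.facebook.com from 192.168.1.23
dnsmasq[1234]: /etc/dnsmasq.hosts www.facebook.com is 54.77.172.205
dnsmasq[1234]: query[A] example.org from 192.168.1.23
dnsmasq[1234]: forwarded example.org to 8.8.8.8
dnsmasq[1234]: reply example.org is 93.184.216.34
dnsmasq[1234]: query[A] intranet.corp.example from 192.168.1.40
dnsmasq[1234]: /etc/dnsmasq.hosts intranet.corp.example is 10.0.0.5
"""

# Constructed allowlist: suffixes this resolver may legitimately answer from a
# local hosts file (split-horizon names for the operator's own zone).
OWNED_SUFFIXES = ("corp.example",)

# One pattern per log event that matters for the audit.
HOSTS_RE = re.compile(r"dnsmasq\[\d+\]: (/\S+) (\S+) is (\S+)$")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)$")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\S+)$")


def parse_log(text):
    """Map each answered name to {"source": hosts-file path or "upstream", "answer": ip}."""
    answers = {}
    for line in text.splitlines():
        line = line.strip()
        if m := HOSTS_RE.match(line):
            path, name, ip = m.groups()
            answers[name] = {"source": path, "answer": ip}
        elif m := FORWARD_RE.match(line):
            answers.setdefault(m.group(1), {"source": "upstream", "answer": None})
        elif m := REPLY_RE.match(line):
            name, ip = m.groups()
            answers.setdefault(name, {"source": "upstream", "answer": None})["answer"] = ip
    return answers


def suspicious_overrides(text, owned_suffixes=OWNED_SUFFIXES):
    """Names served from a hosts file that are not under a suffix the operator owns."""
    flagged = []
    for name, info in parse_log(text).items():
        if info["source"] == "upstream":
            continue
        if not any(name == s or name.endswith("." + s) for s in owned_suffixes):
            flagged.append((name, info["answer"], info["source"]))
    return sorted(flagged)
```

The same check works on any dnsmasq resolver you administer: anything it answers locally for a public domain is either a deliberate split-horizon entry or a hijack.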

Grabbing IP-address of a user (Link):

  1. Have a web server, whose access log you control, up and running.
  2. Send your chat partner a unique hyperlink pointing to that web server, have them click the link. For example: http://yourdomain.com/JohnDoe.html (the web page does not have to exist, throwing a 404 is fine).
  3. Check your web server’s access log to get the IP address of requests to /JohnDoe.html.
  4. You have your conversation partner’s IP address.

Terminal Tools

  • Aircrack-ng → http://www.aircrack-ng.org (Aircrack-ng suite has limited OS X support, but the following works: aircrack-ng, packetforge-ng, ivstools, makeivs)
  • KisMAC → GUI sniffer/scanner application for Mac OS X → http://kismac-ng.org/
  • tshark
  • mdk3 → only works on Linux
  • Driftnet
  • arpspoof → Intercept packets on a switched LAN
  • urlsnarf → Returns all URLs visited by the victim IP in CLF format
  • nmap

Terminal Commands:

  • arp -a → Displays all devices on local network
  • sudo airport en0 sniff 11 → Starts sniffing on channel 11
  • tcpdump -vr /tmp/nameOfReturnedFile.cap → Opens file with sniffed traffic
  • airport -s → Returns all available APs with SSID, BSSID, RSSI, CHANNEL and security
  • sudo ifconfig en0 down → turns airport off
  • sudo ifconfig en0 up → turns airport on
  • ifconfig en0 | grep ether → get MAC Address of Mac Airport
  • openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' → create a random MAC address
  • sudo ifconfig en0 ether d4:33:a3:ed:f2:12 → change the MAC address
  • sudo sysctl -w net.inet.ip.forwarding=1 → Activate packet forwarding
  • urlsnarf -i en0 → returns all visited URLs in CLF format
  • diskutil list → List all drives (Internal and external)
  • diskutil unmount /dev/disk1 → unmounts external drive
  • diskutil unmountDisk /dev/disk1 → unmounts an external drive with all of its partitions

Attack Types

  • ARP spoofing
  • SYN flood
  • Wi-Fi DoS attack in a LAN (Tutorial)
  • dnsspoof
  • HID Keyboard Attack → Human Interface Device attack
  • Man in the Middle Attack (Tutorial): dsniff (Explanation) → "dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data"

Conferences

Podcasts

Forums

Websites

Tools:

  • Snort → https://www.snort.org → "It is an open source intrusion prevention system capable of real-time traffic analysis and packet logging."

Equipment

Groups

Hosting