From Zero To Hero | Part 2: My journey through an ethical hacker's course.

Denis Godovanets
8 min read, Dec 5, 2017


As you may have guessed from my username, I am a junior hacker in training, halfway through an ethical hacker's course. This post is a summary of the most interesting lessons, leaving out the uninteresting parts.

I wanted to share my journey here with you, in the hope that you can learn something from it, and also so that I can remember what I learned :)

Please note that this is Part Two of a series. If you have not yet read Part One, please go and read that first by clicking here.

Table of contents:
7. Crack password.
8. Trojans, viruses and worms.
9. ARP poisoning.
10. Network sniffer.

7. Crack password.

Password cracking can take different approaches to reach the same goal: for example, trying words from a dictionary, or using an algorithm that generates candidate passwords.

Password strength determines how easy it will be to crack the password.
It depends on:
- Length of the password.
- Complexity: containing numbers, special symbols, uppercase and lowercase letters.
- Unpredictability.

Let’s investigate three different passwords:
1. password
2. password1
3. #password1$

Let's check their complexity with a simple password strength checker.

Let's suppose that we have to store the three passwords above as MD5 hashes. We will use a simple online MD5 generator:
1. password — 5f4dcc3b5aa765d61d8327deb882cf99
2. password1 — 7c6a180b36896a0a8c02787eeafb0e4c
3. #password1$ — 29e08fb7103c327d68327f23d8d9256c

And now we will feed those hashes to a free online hash cracker:

As we can see, the password with strong complexity was not cracked with this tool. You can also read how this tool works; it is described on their site.

Common password cracking techniques:
- Dictionary attack: uses a wordlist and compares each entry against the user's password.
- Brute force attack: an algorithm that tries all possible character combinations.
- Rainbow table attack: uses pre-computed hashes. If the target stores passwords as MD5 hashes, we can take a database with lots of pre-computed hashes and search it for a match. If we find a match, we have found the password.
- Guessing: trying passwords such as a default password like admin, a password common within the company, etc.
- Spidering: most organizations use passwords that contain company information. This information can be found on company websites and on social media such as Facebook, Twitter, etc. Spidering gathers information from these sources to build word lists, which are then used for dictionary and brute force attacks.

Spidering sample dictionary attack wordlist

Password cracking countermeasures:
1. Use passwords with high strength.
2. Do not use passwords which can be easily guessed, predicted or spidered.
3. Store passwords only in hashed form, never in plaintext. If it is MD5 hashing, use a salt. A salt is an additional input to the hash, used to avoid passwords being compromised by dictionary and rainbow table attacks.
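To make countermeasure 3 concrete, here is an added example (my own code, not from the course) that hashes the post's three passwords with MD5, looks them up in a small constructed wordlist the way a rainbow table would, and then shows what a per-user salt changes. MD5 is used only because the post uses it; the wordlist and salt length are assumptions.

```python
import hashlib
import os

# Constructed stand-in for a cracking wordlist / pre-computed hash table.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein", "admin"]

def md5_hex(text: str) -> str:
    """Unsalted MD5, exactly what the online generator in the post produces."""
    return hashlib.md5(text.encode()).hexdigest()

def build_table(words):
    """Pre-compute hash -> word once; the same table works against every leaked hash."""
    return {md5_hex(w): w for w in words}

def lookup(target_hash: str, table: dict):
    """Rainbow-table style attack: one dictionary lookup per leaked hash."""
    return table.get(target_hash)

def salted_md5(password: str, salt: bytes) -> str:
    """Salted MD5 as the post's countermeasure 3 suggests (random salt per user)."""
    return hashlib.md5(salt + password.encode()).hexdigest()

def store(password: str):
    """What the defender stores: (salt, hash). The salt is not secret."""
    salt = os.urandom(16)  # assumed salt length
    return salt, salted_md5(password, salt)

def crack_salted(target_hash: str, salt: bytes, words):
    """With a salt the pre-computed table is useless: every word must be re-hashed
    for this particular salt, so the work is per account instead of once per table."""
    for w in words:
        if salted_md5(w, salt) == target_hash:
            return w
    return None

if __name__ == "__main__":
    table = build_table(WORDLIST)
    for pw in ["password", "password1", "#password1$"]:
        print(f"{pw:12} md5={md5_hex(pw)} found={lookup(md5_hex(pw), table)}")
    salt, stored = store("password")
    print("salted hash in pre-computed table:", lookup(stored, table))
    print("salted hash, re-hashed per salt:", crack_salted(stored, salt, WORDLIST))
```

The salt defeats the pre-computed table but not the weak word itself, which is why countermeasures 1 and 3 are listed together.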

8. Trojans, viruses and worms.

All of these are ways of gaining unauthorized access to a target system.

What is a trojan?
A trojan is a malicious program that allows an attacker to control the target system remotely. Once installed, it can create backdoors, install malicious payloads and install other unwanted applications.

What an attacker can do with a trojan:
- Use the system as part of a botnet for Distributed Denial of Service attacks.
- Damage the system: crash it, cause a Blue Screen Of Death, etc.
- Steal sensitive data: stored passwords, credit card information, etc.
- Modify files on the system.
- Steal electronic money by performing unauthorized money transfers and stealing cryptocurrency wallets.
- Use a keylogger to send the attacker every key pressed on the target's keyboard. It is used to harvest passwords, IDs, logins and other sensitive information.
- View screenshots.
- Send browsing history data to the attacker.

What is a worm?
A worm is a malicious program that replicates itself, usually over the network.

What an attacker can do with a worm:
- Create a backdoor which can be used to send spam emails, perform DDoS attacks or be used by other malware.
- Slow down the network by consuming bandwidth.
- Install a harmful payload carried within the worm.

What is a virus?
A virus is a malicious program that attaches itself to legitimate programs and files without the user's consent.

What an attacker can do with a virus:
- Use target system resources such as memory and CPU time.
- Access sensitive data such as passwords and IDs.
- Corrupt data on the system.
- Use a keylogger.

Viruses are also spread with social engineering, infecting ordinary files such as Word or Excel documents. Once the file is opened, the malicious code is executed.

Countermeasures:
- A policy that prohibits users from downloading unnecessary files such as games, unknown programs, spam email attachments, etc.
- Anti-virus software on all systems, with regular scans and regular updates of the anti-virus database.
- Regularly update systems (OS).
- Regular backups.
- Scanning all email attachments before downloading them.

9. ARP poisoning.

What are IP and MAC addresses?
IP address stands for Internet Protocol address. An IP address is used to uniquely identify a computer or a device such as a printer or storage disk on a computer network. There are currently two versions of IP addresses. IPv4 uses 32-bit numbers. Due to the massive growth of the internet, IPv6 was developed, and it uses 128-bit numbers.

IPv4 addresses are written as four groups of numbers in the range [0–255], separated by dots. Example: 127.0.0.1

IPv6 addresses are formatted in groups of six numbers separated by full colons. Each group contains four hexadecimal digits. Example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
To simplify the text representation, leading zeros in a group can be omitted and a run of all-zero groups can be replaced by a double colon. Simplified example:
2001:db8:85a3::8a2e:370:7334

MAC address stands for Media Access Control address. MAC addresses uniquely identify network interfaces for communication at the physical layer of the network. MAC addresses are usually embedded into the network card.
A MAC address is like the serial number of a phone, while the IP address is like the phone number.
A MAC address is also called a physical address.

To see information about your addresses, open a console and type these commands:
- For Windows: ipconfig /all
- For Linux: $ ifconfig -a
On Windows you will see the following:

What is ARP poisoning?
ARP stands for Address Resolution Protocol. It is used to convert IP addresses to physical addresses on a switched network. The host sends an ARP broadcast on the network, and the computer that owns the IP address responds with its physical address. The resolved IP/MAC pair is then used to communicate.

ARP poisoning is sending fake MAC addresses to the switch so that it associates the fake MAC address with the IP address of a genuine computer on the network, allowing the attacker to hijack the traffic.
Traffic hijacking is the intentional redirection of network traffic to the attacker.

ARP poisoning countermeasures:
- Static ARP entries. All automatic ARP reply packets are ignored. Disadvantage: it is hard to maintain in large networks.
- ARP poisoning detection software. The software uses certificates to authenticate IP/MAC address resolution.
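As an added illustration of both countermeasures (my own code, not from the course or any real detection product), this watches a constructed stream of ARP replies, flags an IP whose MAC changes or a MAC that claims several IPs, and shows how a static ARP entry makes the conflicting reply simply get ignored. The addresses and MACs are constructed; the MAC normalization accepts both the ipconfig and ifconfig formats shown above.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize_mac(mac: str) -> str:
    """Accept ipconfig-style AA-BB-CC-DD-EE-FF and ifconfig-style aa:bb:cc:dd:ee:ff."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

# Constructed ARP replies (sender IP, sender MAC), not a real capture. The gateway
# 192.168.1.1 is first announced by the real router, then by the MAC of 192.168.1.77.
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.10", "66:77:88:99:aa:bb"),
    ("192.168.1.77", "de:ad:be:ef:00:01"),
    ("192.168.1.1", "DE-AD-BE-EF-00-01"),   # gateway IP now claimed by another MAC
    ("192.168.1.10", "66:77:88:99:aa:bb"),  # unchanged, must not alert
]

# Constructed static ARP entry for the gateway (the first countermeasure above).
STATIC_ARP = {"192.168.1.1": "00:11:22:33:44:55"}

def detect_arp_poisoning(replies, static_arp=None):
    """Return alert strings for: a reply contradicting a static entry (rejected),
    an IP whose MAC changes, and one MAC claiming more than one IP."""
    static_arp = {ip: normalize_mac(m) for ip, m in (static_arp or {}).items()}
    seen = dict(static_arp)             # ip -> mac currently trusted
    ips_by_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = normalize_mac(mac)
        if ip in static_arp and static_arp[ip] != mac:
            alerts.append(f"REJECTED: static entry {ip}={static_arp[ip]} contradicted by {mac}")
            continue                    # static entry wins; the dynamic reply is ignored
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"CHANGED: {ip} moved from {prev} to {mac}")
        seen[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"DUPLICATE: {mac} claims {sorted(ips_by_mac[mac])}")
    return alerts
```

Calling detect_arp_poisoning(ARP_REPLIES) yields a CHANGED and a DUPLICATE alert for the gateway; passing STATIC_ARP as the second argument yields a single REJECTED alert instead, because the spoofed reply never reaches the table.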

10. Network sniffer.

Computers communicate via networks: a Local Area Network or the internet. Network sniffers are programs that capture the low-level packet data transmitted over a network. An attacker can analyze this data to discover valuable information such as user IDs and passwords.

Computers communicate by broadcasting messages on a network using IP addresses. Once a message has been sent on a network, the recipient computer with the matching IP address responds with its MAC address.

Sniffing can be used for:
- Capturing sensitive data such as login credentials.
- Eavesdropping on chat messages.
- Capturing files that have been transmitted over a network.

List of protocols vulnerable to sniffing:
- Telnet
- Rlogin
- HTTP
- SMTP
- NNTP
- POP
- FTP
- IMAP
It is very easy to get passwords if they were sent in plain text.

Passive and active sniffing.
Before we look at passive and active sniffing, let's look at the two major devices used to network computers: hubs and switches.

A hub works by sending broadcast messages to all of its output ports except the one that sent the broadcast. The recipient computer responds to the broadcast message if the IP address matches.

How the hub works

A switch works differently: it maps IP/MAC addresses to its physical ports. Messages are sent only to the physical ports that match the IP/MAC address configuration of the recipient computer. This means such messages are only seen by the recipient computer.

How switch works

Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is called passive sniffing because it is difficult to detect. It is also easy to perform, as the hub sends broadcast messages to all the computers on the network.

Active sniffing is intercepting packets transmitted over a network that uses a switch. There are two main methods used to sniff switched networks: ARP poisoning and MAC flooding.

Practice: sniffing the network using Wireshark.
Wireshark for all OSes can be downloaded here.

- You can create an account on any site which uses plain HTTP, or use our example. Otherwise you can use the prepared account on http://www.techpanda.org/ with email admin@google.com and password Password2010.
- Open your site's login page.
- Then open Wireshark and start sniffing.
- Log into the HTTP site.
- Stop sniffing in Wireshark, set the filter to http and find the POST packet.

Result

What is MAC flooding?
MAC flooding is a network sniffing technique that floods the switch's MAC table with fake MAC addresses. This overloads the switch's memory and makes it act as a hub. Once the switch has been compromised, it sends messages to all computers on the network. This makes it possible to sniff data packets as they are sent on the network.

Countermeasures against MAC flooding:
- The port security feature of the switch. This feature can be used to limit the number of MAC addresses learned on each port.
- Using Authentication, Authorization and Accounting servers to filter discovered MAC addresses.
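To show why a full MAC table turns a switch into a hub and why a per-port MAC limit stops it, here is an added toy model (my own code, not from the course or any switch vendor). The CAM table size of 4 entries, the three ports and all MAC addresses are constructed; real switches hold thousands of entries and implement port security in hardware, but the logic is the same.

```python
from collections import OrderedDict

class Switch:
    """Toy learning switch with a bounded MAC (CAM) table. Constructed model:
    a frame is (src_mac, dst_mac, ingress_port); forward() returns egress ports."""

    def __init__(self, ports, cam_size, port_security_limit=None):
        self.ports = list(ports)
        self.cam_size = cam_size               # how many MACs the switch can remember
        self.limit = port_security_limit       # max MACs learned per port (None = off)
        self.cam = OrderedDict()               # mac -> port, oldest entry first
        self.macs_per_port = {p: set() for p in ports}
        self.violations = []                   # (port, mac) refused by port security

    def learn(self, mac, port):
        if mac in self.cam:
            return True
        if self.limit is not None and len(self.macs_per_port[port]) >= self.limit:
            self.violations.append((port, mac))  # port security: refuse the new MAC
            return False
        if len(self.cam) >= self.cam_size:      # table full: evict the oldest entry
            old_mac, old_port = self.cam.popitem(last=False)
            self.macs_per_port[old_port].discard(old_mac)
        self.cam[mac] = port
        self.macs_per_port[port].add(mac)
        return True

    def forward(self, src_mac, dst_mac, ingress):
        if not self.learn(src_mac, ingress):
            return set()                       # violating frame is dropped
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}         # known destination: one port only
        return set(self.ports) - {ingress}     # unknown destination: flood like a hub

def mac_flood_demo(port_security_limit=None):
    """Hosts A and B on ports 1 and 2, a flooder on port 3 announcing bogus MACs.
    Returns (ports that receive A's frame to B, number of port-security violations)."""
    sw = Switch(ports=[1, 2, 3], cam_size=4, port_security_limit=port_security_limit)
    sw.forward("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", 1)   # host A announces itself
    sw.forward("bb:bb:bb:bb:bb:02", "ff:ff:ff:ff:ff:ff", 2)   # host B announces itself
    for i in range(10):                                       # flood from port 3
        sw.forward(f"0c:0c:0c:0c:0c:{i:02x}", "ff:ff:ff:ff:ff:ff", 3)
    return sw.forward("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", 1), len(sw.violations)
```

Without a limit the bogus entries evict host B, so A's frame to B is flooded to ports 2 and 3 and port 3 sees it; with port_security_limit=1 the flooder gets one entry, the other nine announcements are refused, and the frame reaches port 2 only.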

Sniffing countermeasures:
- Restricting access to the physical network media greatly reduces the chance of a network sniffer being installed.
- Encrypting messages as they are transmitted over the network greatly reduces their value, as they are difficult to decrypt.
- Changing the network to a Secure Shell (SSH) network also reduces the chance of the network being sniffed.

This concludes the second part of my notes on this course.

Take a look at Part Three. Let's DDoS somebody?
