Friday, November 21, 2014

Penetration Testing / Ethical Hacking Online Lab

You know that learning Ethical Hacking or Pentesting requires knowledge and practice, right? Yes, and when you visit the forums they will all tell you: "You need to build your own target lab and practice on it."

Yes, it is true, but many of us start building our own lab, and by the time we finish one target we already know its weaknesses, passwords, etc., and we are tired of building something only to break it.

Because we feel the same pain, we created our online Penetration Testing Lab (Ethical Hacking Pentest Lab). In this place you can attack all you want: these are private targets with vulnerabilities and bad configurations.

We made it simple: just turn on your attacker virtual machine, run OpenVPN and begin to attack. In 5 minutes you are running exploits and Metasploit, checking web application weaknesses, etc.

So now you can focus on developing your attack techniques (you already know how to build servers and networks).

Check: http://www.thehost1.com/

 

Develop your attack techniques?

Yes. In the beginning you run all kinds of exploits, then you try to run only the right ones, and finally you try to make it perfect and avoid being discovered. To do that you need to practice more, and a little more, and just more.

So focus on learning how to attack and how to protect your customers' networks. Hacking is fun.

Tuesday, June 3, 2014

Security Model CISSP: The Biba Model

The Biba model is the opposite of the Bell-LaPadula model: Biba focuses on integrity. This is very important for commercial companies, which are very interested in keeping the integrity of their data.

For example, an accounting firm needs to be sure that the company sends a check for $1000.00 and not for $100000 (oh man, I would like to receive that money, LOL). It is a big difference, and this is the idea behind the Biba model.

Again, I got this info from the Shon Harris book, which is a good book for CISSP (if you really want to know the details).

This is the cream of the Biba model:

  • *-integrity axiom: A subject "cannot write up"

  • Simple integrity axiom: A subject cannot "read down"

  • Invocation property: A subject cannot request service from (invoke) a subject at a higher integrity level.


Let's take another example: what happens if I begin to write anything I think about the Biba model? Would the information be correct? Who knows. But in this case I am taking the details from the Shon Harris book, so the integrity of the information is right. Remember that.



Security Model CISSP Bell-LaPadula

Ok guys, to be a good pen tester we need to have some knowledge, and I've been working on CISSP and there are some points that we normally tend to forget. So here we go with the Bell-LaPadula Model for CISSP.

I got this info from the Shon Harris book - good book, it has many details.

Focus: Confidentiality

Bell-LaPadula is called a Multilevel Security System because users with different clearances access a system that processes data at different classification levels.

This is the cream, three rules:


  • Simple security rule: a subject at a given security level cannot read data at a higher security level (no read up).

  • *-property rule (star property rule): no write down to a lower security level.

  • Strong star property rule: a subject can only read and write at its own security level.

Dominance relation: the subject has more privileges or rights than the object (its level is at least as high as the object's).
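The two rule sets are easy to mix up on the exam, so here they are side by side as executable checks. This is an added example, not code from the original post or from Shon Harris' book; the `Level` ordering, the function names and the `accounting_example` scenario are all constructed for illustration.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) rule checks.

Added example, not from Shon Harris' book or this blog. The four levels form
a constructed, linearly ordered lattice; the function names are ours.
"""
from enum import IntEnum


class Level(IntEnum):
    """Constructed ordering. For BLP read it as clearance/classification,
    for Biba as an integrity (trust) level; a higher value dominates."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Bell-LaPadula: the goal is confidentiality, so information may only flow up.

def blp_can_read(subject: Level, obj: Level) -> bool:
    """Simple security rule ("no read up"): subject must dominate the object."""
    return subject >= obj


def blp_can_write(subject: Level, obj: Level) -> bool:
    """*-property ("no write down"): the object must dominate the subject."""
    return obj >= subject


def blp_strong_star(subject: Level, obj: Level) -> bool:
    """Strong star property: read and write only at exactly the same level."""
    return subject == obj


# Biba: the goal is integrity, so the two rules are mirrored; data of lower
# integrity must never flow into something more trusted.

def biba_can_read(subject: Level, obj: Level) -> bool:
    """Simple integrity axiom ("no read down"): object must dominate subject."""
    return obj >= subject


def biba_can_write(subject: Level, obj: Level) -> bool:
    """*-integrity axiom ("no write up"): subject must dominate the object."""
    return subject >= obj


def biba_can_invoke(caller: Level, service: Level) -> bool:
    """Invocation property: no calling a service at a higher integrity level."""
    return caller >= service


def decide(model: str, action: str, subject: Level, obj: Level) -> bool:
    """Single entry point a reference monitor would expose. An unknown model
    or action is denied instead of raising, so a typo fails closed."""
    rules = {
        ("blp", "read"): blp_can_read,
        ("blp", "write"): blp_can_write,
        ("biba", "read"): biba_can_read,
        ("biba", "write"): biba_can_write,
        ("biba", "invoke"): biba_can_invoke,
    }
    rule = rules.get((model, action))
    return bool(rule and rule(subject, obj))


def accounting_example() -> dict:
    """The check-amount scenario from the post: an untrusted web form (low
    integrity) tries to write the ledger that issues checks (high integrity).
    Biba denies the write; BLP, which only cares about secrecy, allows it."""
    web_form, ledger = Level.UNCLASSIFIED, Level.TOP_SECRET
    return {
        "biba_write_ledger": decide("biba", "write", web_form, ledger),
        "blp_write_ledger": decide("blp", "write", web_form, ledger),
        "biba_ledger_reads_form": decide("biba", "read", ledger, web_form),
    }


if __name__ == "__main__":
    print(accounting_example())
```

The mirror image is the whole point: under BLP the ledger may freely accept a write from below (no confidentiality is lost), while under Biba that same write is exactly what the model exists to stop.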

Tuesday, October 1, 2013

NMAP with Flags and Kinds of Responses

Everybody who has ever studied for CEH or read other books will find information about stealth scans with certain flags and what kind of response to expect. Let's do some basic analysis with TCPDUMP. Yes, Wireshark is good, but we need to be familiar with other tools too:

Different scans and their responses:

  1. SYN - half open - with this we only send SYN packets to the machine without completing the handshake; it is like we only say "Hi". We expect a RST from closed ports and SYN/ACK from open ports, meaning that when we say Hi (between the lips, without seeing the other person) they can say Hi back without seeing us.
  2. TCP Connect - This runs the full TCP handshake; it is like we say "Hi" and the other person responds "Hello" and looks at us. This is more reliable because we get confirmation that the port is open or closed - we expect SYN/ACK or RST/ACK.
  3. FIN - This is the flag with which we expect to close the communication, but there was no communication; in that moment the CLOSED port will answer RST ("stop, what are you talking about?") and OPEN PORTS will ignore you because they KNOW we were not talking.
  4. XMAS - The famous Christmas scan (easy to remember the name); in this scan we send FIN, URG and PSH all at once. We get the same response as with FIN: the CLOSED port will answer RST ("stop, what are you talking about?") and OPEN PORTS will ignore you because they KNOW we were not talking.
  5. ACK scan - uses ICMP: if the scan sees a Destination Unreachable message, that shows whether the port is open in the firewall. With this scan the open port will tell you "wait a minute" (RST) when we begin to talk; closed ports will ignore you because they are closed.
  6. NULL scan is like XMAS but without any flags at all, like walking into an office without saying anything; depending on the OS you will get an answer. Closed ports will RST/ACK.

Why this type of scan?

This type of scan will help us find out if the port is open in the firewall, and it can also help us avoid detection by the IDS/IPS or any other monitoring software.
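To make the "what do I expect back" part concrete, here is an added example (not part of the original post and not Nmap's own code) that builds TCP headers with the probe flags listed above, parses the flag byte back out the way tcpdump displays it, and maps scan type plus reply to the state Nmap reports. The state names follow Nmap's documented rules, which is my assumption rather than something the post states; note that for the ACK scan Nmap reports unfiltered/filtered instead of open/closed. `build_tcp_header`, `parse_tcp_flags` and `classify` are constructed names, and nothing is sent on the wire.

```python
"""Map a scan probe and the reply it drew to the state Nmap would report.

Added example, not part of the original post and not Nmap's code. The
state mapping follows Nmap's documented rules (assumed here, not stated on
the page): SYN/Connect -> open, closed or filtered; FIN/XMAS/NULL -> closed,
open|filtered or filtered; ACK -> unfiltered or filtered. All packets are
constructed in-process, nothing is sent on the wire.
"""
import struct

# Flag bits in the low byte of the 16-bit "data offset / flags" word that
# sits at offset 12 of a TCP header; tcpdump prints them as F, S, R, P, ., U.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# What each scan type from the list above puts on the wire.
PROBE_FLAGS = {"SYN": {"SYN"}, "CONNECT": {"SYN"}, "FIN": {"FIN"},
               "XMAS": {"FIN", "PSH", "URG"}, "NULL": set(), "ACK": {"ACK"}}


def build_tcp_header(sport: int, dport: int, flags) -> bytes:
    """Constructed minimal 20-byte TCP header (no options) with flags set."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    data_offset = 5 << 12          # header length in 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       data_offset | bits, 8192, 0, 0)


def parse_tcp_flags(header: bytes) -> set:
    """Return the flag names set in a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    word = struct.unpack("!H", header[12:14])[0]
    return {name for name, bit in TCP_FLAGS.items() if word & bit}


def classify(scan: str, reply) -> str:
    """reply is raw TCP header bytes, None for no answer, or the string
    'icmp-unreachable' for an ICMP destination-unreachable error."""
    scan = scan.upper()
    if scan not in PROBE_FLAGS:
        raise ValueError("unknown scan type %r" % scan)
    if reply == "icmp-unreachable":
        return "filtered"                 # a firewall spoke up instead
    if reply is None:
        # Silence is ambiguous for the "stealth" probes: open or filtered.
        return "open|filtered" if scan in ("FIN", "XMAS", "NULL") else "filtered"
    flags = parse_tcp_flags(reply)
    if scan in ("SYN", "CONNECT"):
        if {"SYN", "ACK"} <= flags:
            return "open"                 # second step of the handshake
        if "RST" in flags:
            return "closed"
    elif scan in ("FIN", "XMAS", "NULL") and "RST" in flags:
        return "closed"                   # only closed ports answer these
    elif scan == "ACK" and "RST" in flags:
        return "unfiltered"               # reachable, but open/closed unknown
    return "unexpected"                   # worth a closer look in the capture


if __name__ == "__main__":
    for scan, reply in [("SYN", build_tcp_header(22, 40000, {"SYN", "ACK"})),
                        ("SYN", build_tcp_header(25, 40000, {"RST", "ACK"})),
                        ("FIN", None)]:
        print(scan, classify(scan, reply))
```

Read it next to the captures below: the `S` / `S.` / `R.` that tcpdump prints is exactly the set `parse_tcp_flags` returns, and the "open|filtered" result is why a silent FIN scan is less conclusive than a SYN scan.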


Now let's see some examples.

SYN Scan

SYN - half open - with this we only send SYN packets to the machine without completing the handshake; it is like we only say "Hi". We expect a RST/ACK.

We will scan a device with port 22 open:

root@jojo-pc:~# nmap -sS -p22 192.168.123.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 18:37 CDT
Nmap scan report for 192.168.123.1
Host is up (0.0038s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 50:3D:E5:3C:68:03 (Cisco Systems)




Did you notice:

192.168.123.212  to 192.168.123.1 with Flag S (SYN)
192.168.123.1 to 192.168.123.212 with Flag S (SYN) and ACK -- PORT IS OPEN
192.168.123.212 to 192.168.123.1 with Flag F (FIN) - Close the connection

This was half open: the IP .1 wanted to complete the full handshake, but we just closed the connection with FIN.

We will scan a device with port 23 closed:

root@jojo-pc:~# nmap -sS -p25 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:11 CDT
Nmap scan report for router.Belkin (192.168.1.1)
Host is up (0.0018s latency).
PORT   STATE  SERVICE
25/tcp closed smtp
MAC Address: 08:86:3B:D2:F9:00 (Belkin International)

Did you notice that I got Flag R (Reset) from the router? Why? Because the port is closed on that firewall and there was no communication; it is like the router tells us: "Forget it, I ignore you."

TCP Connect

TCP Connect - This runs the full TCP handshake; it is like we say "Hi" and the other person responds "Hello" and looks at us. This is more reliable because we get confirmation that the port is open or closed - we expect SYN/ACK or RST/ACK. In other words, the full handshake.

Scan to port 3389, which is open:

root@jojo-pc:~# nmap -sT -p3389 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:18 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0026s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)



The full TCP handshake

Now a closed port; in this case we simulate port 3390. I expect RST, since the port is closed.

root@jojo-pc:~# nmap -sT -p3390 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:21 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0099s latency).
PORT     STATE  SERVICE
3390/tcp closed dsc
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)


FIN scan

FIN - This is the flag with which we expect to close the communication, but there was no communication; in that moment the CLOSED port will answer RST ("stop, what are you talking about?") and OPEN PORTS will ignore you because they KNOW we were not talking - THIS IS ONLY FOR LINUX.

I am scanning port 5800 (VNC); it is open, but since I am sending with the FIN flag, I got nothing.

root@jojo-pc:~# nmap -sF -p5800 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:27 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0026s latency).
PORT     STATE         SERVICE
5800/tcp open|filtered vnc-http

If I send it to a closed port I get RESET, meaning it is closed.

root@jojo-pc:~# nmap -sF -p5820 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:30 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0033s latency).
PORT     STATE  SERVICE
5820/tcp closed unknown



This could be a long blog post; just keep testing and testing until you see the flags. It is a good learning process and you will know what to expect from each scan.

Remember, if you have deep knowledge of your target you are increasing your chances of owning the box; patience is the key.



Monday, September 30, 2013

NMAP Protocol scan results

I am not sure about you guys, but studying the NMAP protocol scan results is sometimes very confusing.

This is the list of the normal responses (ICMP Destination Unreachable codes) recognized by NMAP:

Code 0 - Network Unreachable
Code 1 - Host Unreachable
Code 2 - Protocol Unreachable
Code 3 - Port Unreachable
Code 13 - Communication Administratively Prohibited

Let me give you some examples:

Code 0 - Network Unreachable

nmap 192.168.14.1

Did you notice Type 13 Code: 0? I could not reach network 192.168.14.0 because there is no route in my firewall to that network and it is not routed through the internet.

Code 2 - Protocol Unreachable

On this occasion I will try to scan a host on the internet that doesn't reply to ICMP, and we will get two different responses, very interesting:

nmap 97.74.215.229


Did you notice Code 2 (Protocol Unreachable)?

Now, at the same time, we get Type 3 Code 13 (Communication Administratively Filtered).
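An added example (not from the original post and not Nmap's code) that decodes ICMP Destination Unreachable messages like the ones above from raw bytes, verifies the RFC 1071 checksum, names the code using the list at the top of this post, and says what Nmap records for a TCP probe that drew such a reply. The "filtered" mapping and the two extra codes 9 and 10 come from Nmap's reference guide and RFC 1812, not from the post; the sample messages and the helper names are constructed.

```python
"""Decode the ICMP Destination Unreachable replies that show up in a capture
while Nmap is probing.

Added example, not from the original post and not Nmap's code. Type/code
names are the RFC 792 / RFC 1812 ones; the sample messages are constructed
here, and the Nmap "filtered" mapping is assumed from Nmap's documentation.
"""
import struct

ICMP_DEST_UNREACH = 3

UNREACH_CODES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    2: "Protocol Unreachable",
    3: "Port Unreachable",
    9: "Network Administratively Prohibited",
    10: "Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}

# For a TCP port scan Nmap reports these codes as "filtered" (assumed from
# the Nmap reference guide). For UDP, code 3 means "closed" instead.
FILTERED_CODES = (0, 1, 2, 3, 9, 10, 13)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(code: int, quoted: bytes) -> bytes:
    """Constructed type 3 message; 'quoted' stands in for the IP header plus
    8 bytes of the original probe that routers echo back."""
    head = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = icmp_checksum(head + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def flip_code(msg: bytes, new_code: int) -> bytes:
    """Constructed corruption helper: change the code byte without fixing
    the checksum, as a damaged or forged packet would look."""
    return msg[:1] + bytes([new_code]) + msg[2:]


def parse_icmp(msg: bytes) -> dict:
    """Return type, code, a readable name and whether the checksum verified."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    typ, code, csum, _unused = struct.unpack("!BBHI", msg[:8])
    # Recompute with the checksum field zeroed, as the sender did.
    ok = icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == csum
    if typ == ICMP_DEST_UNREACH:
        name = UNREACH_CODES.get(code, "Unreachable, code %d" % code)
    else:
        name = "ICMP type %d" % typ
    return {"type": typ, "code": code, "name": name, "checksum_ok": ok}


def tcp_scan_state(msg: bytes) -> str:
    """Port state Nmap would record for a TCP probe answered by this message."""
    info = parse_icmp(msg)
    if not info["checksum_ok"]:
        return "corrupt"
    if info["type"] == ICMP_DEST_UNREACH and info["code"] in FILTERED_CODES:
        return "filtered"
    return "unknown"


if __name__ == "__main__":
    probe = b"\x45\x00\x00\x28" + bytes(24)      # constructed quoted header
    for code in (0, 2, 13):
        print(parse_icmp(build_unreachable(code, probe)))
```

The quoted bytes after the 8-byte header are what let you tie an unreachable message back to the exact probe that caused it, which is the part worth checking in Wireshark when two different codes come back from one scan.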


Keep testing with nmap and Wireshark, applying ICMP filters, and you will see the types and codes. After enough testing this will become familiar to you and you will begin to go deep into the protocols. And remember: the packet never lies.


Monday, August 5, 2013

HTTP Commands for Banner Grabbing

This is a short list of commands for banner grabbing from a Windows web server; you will need to press Enter twice after each command.

1. Connect using telnet and type: HEAD / HTTP/1.0

telnet www.test.com 80

Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1777
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBATBQQ=MJOLBPPDBKPANIAKDMLCEOHF; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Aug 2013 03:42:18 GMT
Connection: close
Connection closed by foreign host.


2. Let's try the OPTIONS command, I like this one: OPTIONS / HTTP/1.0


Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Tue, 06 Aug 2013 03:47:39 GMT
Connection: close
Content-Length: 0
Connection closed by foreign host.


What happens if I type a wrong command or use lowercase letters?

Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.

options / http/1.0      ---- I typed lower case

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 06 Aug 2013 03:50:08 GMT
Connection: close
Content-Length: 311
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request</h2>
<hr><p>HTTP Error 400. The request is badly formed.</p>
</BODY></HTML>
Connection closed by foreign host.
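Added example, not part of the original post: a small parser for raw replies like the three above that extracts the headers disclosing product and framework versions, the advertised method list, and whether TRACE is left enabled, plus a helper that shows why the request needs that second Enter. The three reply constants are constructed to mirror the IIS output shown above (bodies trimmed); the function names are my own.

```python
"""Parse the raw reply from a banner grab and pull out what it discloses.

Added example, not from the original post. The three sample replies are
constructed to match the IIS headers shown above (trimmed, CRLF endings).
"""

# Headers that identify the product or framework behind the port.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")


def build_request(method: str, path: str = "/", host: str = "") -> bytes:
    """The bytes the telnet session typed: the blank line (second Enter) is
    what terminates the header block and makes the server answer."""
    lines = ["%s %s HTTP/1.0" % (method.upper(), path)]
    if host:
        lines.append("Host: %s" % host)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split status line, headers (lower-cased, multi-valued) and body."""
    text = raw.decode("iso-8859-1")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: header block not terminated")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "",
            "headers": headers, "body": body}


def banner_summary(raw: bytes) -> dict:
    """What a defender should look at: product versions leaked in headers,
    the advertised method list, and whether TRACE is left enabled."""
    resp = parse_response(raw)
    h = resp["headers"]
    disclosed = {name: h[name][0] for name in FINGERPRINT_HEADERS if name in h}
    allowed = h.get("allow") or h.get("public") or [""]
    methods = [m.strip().upper() for m in allowed[0].split(",") if m.strip()]
    return {"status": resp["status"], "disclosed": disclosed,
            "methods": methods, "trace_enabled": "TRACE" in methods}


# Constructed samples mirroring the three telnet sessions above.
HEAD_REPLY = (b"HTTP/1.1 200 OK\r\nCache-Control: private\r\nContent-Length: 1777\r\n"
              b"Content-Type: text/html\r\nServer: Microsoft-IIS/7.0\r\n"
              b"X-Powered-By: ASP.NET\r\nConnection: close\r\n\r\n")
OPTIONS_REPLY = (b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
                 b"Server: Microsoft-IIS/7.0\r\nPublic: OPTIONS, TRACE, GET, HEAD, POST\r\n"
                 b"X-Powered-By: ASP.NET\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")
BAD_REQUEST_REPLY = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html; charset=us-ascii\r\n"
                     b"Server: Microsoft-HTTPAPI/2.0\r\nConnection: close\r\nContent-Length: 20\r\n"
                     b"\r\n<h2>Bad Request</h2>")

if __name__ == "__main__":
    for reply in (HEAD_REPLY, OPTIONS_REPLY, BAD_REQUEST_REPLY):
        print(banner_summary(reply))
```

Two things the summary makes visible at a glance: the 400 reply comes from a different component (`Microsoft-HTTPAPI/2.0`, the kernel-mode listener) than the 200 replies (`Microsoft-IIS/7.0`), so even an error page fingerprints the box, and an `Allow` list that includes `TRACE` is something to turn off on the server rather than leave advertised.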

Sunday, May 19, 2013

How to enable Desktop Sharing in Kali

I have my own pentest lab. I installed a second copy of Kali in Hyper-V to keep running dictionary attacks, directory or file enumeration on a web server, etc. Sure, using Kali over Hyper-V is a little slow, so I enabled Desktop Sharing.

So let's have fun:

Open Applications > Internet > Desktop Sharing

When you open it you will find different options; the first thing I recommend is: "Require the user to enter this password: ************". You do not want to leave it blank and have somebody take over your hacking machine and begin to use it illegally, no.

In my case I selected the following options; you can choose the ones you want. Look!!! I cleared the option "You must confirm each access to this machine". Why? Because I am not at the Hyper-V console and I will be accessing it from my laptop.




Now you will need to download a VNC viewer and try to connect from any Windows/Linux (GUI) machine:

From there you can do whatever you want. A second machine is good because it allows you to run tools that require time and processor without slowing down your main laptop/computer.

Happy hacking fun.