
Introduction

Network security concerns attacking and defending networks. The current contents are: NMap, Metasploit, and Onion Routing.

Any questions or comments should be directed to: The creator's email

NMap

NMap is a network reconnaissance tool: it discovers the hosts on a network and identifies their open ports, the services listening on them, and (with some confidence) their operating systems.

To get help.

To see the list of options available in NMap, type:

nmap -h

Full documentation is on the official site, https://nmap.org.

To list the machines on a subnet.

nmap -sL <network node IP>/<mask>

The mask must be in CIDR prefix notation (i.e., with the slash) and must not be separated from the network node by a space. -sL is a list scan: it prints every address in the range together with its reverse-DNS name and sends no packets to the targets, so it does not tell you which machines are actually up. To find out which machines are up (host discovery without a port scan), use a ping scan instead:

nmap -sn <network node IP>/<mask>

On a local subnet the ping scan uses ARP requests, which a host firewall cannot block. Across a router it uses ICMP echo and TCP probes to ports 80 and 443, which a firewall may silently drop, so a host reported as down is not necessarily down.

To list operating system, open ports, services and versions

sudo nmap -sV -O <target IP>

By default NMap scans the 1,000 most commonly used TCP ports (not ports 1-1000). The -sV option sends probes to each open port to identify the service and its version. The -O option fingerprints the operating system; it needs raw-socket access, hence sudo (run as root, the port scan is also the faster SYN scan, -sS, rather than a full TCP connect).

To expand on the ports searched, do:

sudo nmap -sS -sU -sV -p T:1-65535,U:1-65535 <target IP>

This scans all 65,535 TCP and UDP ports. The U: range is ignored unless a UDP scan (-sU) is requested, and -sU requires root; -p- is shorthand for T:1-65535. Note this takes a long time, the UDP part in particular: most UDP ports never answer, so NMap must wait for a timeout on each and reports them as open|filtered rather than open.

Vulnerability Scanning

NMap ships with a large set of NSE (NMap Scripting Engine) scripts. Two are relevant here: (1) vuln, which is a script category that selects every bundled script checking for a specific known vulnerability, and (2) vulners, a single script that maps the service versions found by -sV to CVE entries. In addition, you can download a third vulnerability testing script, vulscan, by saying:

git clone https://github.com/scipag/vulscan

sudo is not needed to clone (it would only leave the files owned by root). The project's README recommends cloning into NMap's scripts directory (/usr/share/nmap/scripts/ on most Linux installs) so that the script can be invoked by name.

Each of the scans will check for different, but overlapping, vulnerabilities. Note how vulners works: it sends the CPE name and version of each detected service to the vulners.com API and shows the CVEs that come back, so it needs Internet access and discloses what software the target runs to a third party. vuln and vulscan work offline (vulscan matches version strings against the CSV databases shipped in its repository).

To run the vuln scripts, type:

nmap -sV --script vuln <target IP>

To run the vulners script, type:

nmap -sV --script vulners <target IP>

To run the vulscan script, type:

nmap -sV --script ./vulscan/vulscan.nse <target IP>

The option is --script (two dashes). -sV is needed in every case, since all three scripts match on the service and version strings it produces. The vulscan path above is relative to the current directory, so it assumes NMap is run from the directory that contains the vulscan clone; if you cloned into NMap's scripts directory instead, use --script vulscan/vulscan.nse.

The full list of NMap scripts, with documentation for each, is at https://nmap.org/nsedoc/.
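The commands above print their findings to the terminal. For anything beyond a single host you will want NMap's XML output (add -oX scan.xml to any of the commands) and a script that reads it. The following is an added example, not code from this page or from the NMap project: a Python parser for that XML that pulls out, for each host that is up, the open ports with their -sV service and version strings, the -O operating-system guess, and the per-CPE CVE tables the vulners script attaches to a port, then lists the findings at or above a CVSS threshold. The XML embedded in it is a constructed sample of what the scanner writes, trimmed to the elements used, and the CVE row in it is illustrative sample data rather than the result of a real scan.

```python
"""Parse Nmap XML output (written with -oX) into hosts, open ports, service versions,
OS guess and vulners findings, then pick out the high-severity ones."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -O --script vulners -oX scan.xml 192.168.0.45`
# writes, trimmed to the elements used below. The CVE row is illustrative sample data.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -O --script vulners -oX scan.xml 192.168.0.45" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.45" addrtype="ipv4"/>
    <hostnames><hostname name="target.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
        <script id="vulners" output="(text rendering of the table below)">
          <table key="cpe:/a:vsftpd:vsftpd:2.3.4">
            <table>
              <elem key="id">CVE-2011-2523</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">true</elem>
              <elem key="cvss">10.0</elem>
            </table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.46" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def vulners_findings(port):
    """Collect the per-CPE tables the vulners script attaches to a <port> element."""
    findings = []
    for script in port.findall("script[@id='vulners']"):
        for cpe_table in script.findall("table"):
            for entry in cpe_table.findall("table"):
                fields = {e.get("key"): (e.text or "") for e in entry.findall("elem")}
                findings.append({"cpe": cpe_table.get("key"), "id": fields.get("id"),
                                 "cvss": float(fields.get("cvss") or 0.0),
                                 "exploit": fields.get("is_exploit") == "true"})
    return findings

def parse_nmap_xml(xml_text):
    """Return one dict per host that is up; only ports in an open* state are kept."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")  # best OS guess; absent unless -O was used
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or not state.get("state", "").startswith("open"):
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                          "state": state.get("state"),  # UDP "open|filtered": no reply seen
                          "service": attrs.get("name", ""), "product": attrs.get("product", ""),
                          "version": attrs.get("version", ""), "vulns": vulners_findings(port)})
        hosts.append({"addr": addr.get("addr") if addr is not None else "",
                      "hostname": hostname.get("name") if hostname is not None else "",
                      "os": osmatch.get("name") if osmatch is not None else "unknown",
                      "os_accuracy": int(osmatch.get("accuracy", 0)) if osmatch is not None else 0,
                      "ports": ports})
    return hosts

def high_risk(hosts, min_cvss=7.0):
    """(addr, port, id, cvss) for every finding at or above the CVSS threshold, worst first."""
    out = [(h["addr"], p["port"], v["id"], v["cvss"])
           for h in hosts for p in h["ports"] for v in p["vulns"] if v["cvss"] >= min_cvss]
    return sorted(out, key=lambda r: -r[3])

if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(f"{h['addr']} ({h['hostname']}) OS: {h['os']} [{h['os_accuracy']}%]")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']} {p['service']} {p['product']} {p['version']}".rstrip())
    print("high risk:", high_risk(parse_nmap_xml(SAMPLE_XML)))
```

Run against a real scan by replacing SAMPLE_XML with the contents of the -oX file. Hosts that are down are dropped, a closed port never appears, and a UDP port is kept with its open|filtered state so it is not mistaken for a confirmed open service.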


Metasploit

Metasploit is a framework for exploiting machines. It comes with a large array of built-in exploit modules and payloads. Metasploit can be linked to NMap so that the results of an NMap scan run from inside Metasploit are stored in the Metasploit database.

The Metasploit database is in PostgreSQL. To start PostgreSQL, type:

sudo systemctl start postgresql

To create the Metasploit database (only needed once), type:

sudo msfdb init

To start Metasploit, type:

msfconsole

Getting help in Metasploit

To get help in Metasploit, type:

help

Using NMap in Metasploit

Once the Metasploit database is created and msfconsole reports it as connected (check with the db_status command), you can invoke any NMap command from inside Metasploit using the db_nmap command, which takes the same options as NMap. The results are imported into the database as the scan runs: the hosts command lists the discovered hosts, services lists their open ports with the service and version strings, and vulns lists any vulnerabilities recorded against them.

To see the vulnerabilities, type:

vulns

Searching For and Using Exploits in Metasploit

The "search" command is used in Metasploit to find modules to attack a system with. Common keywords to search on are platform (the target operating system), type (exploit, auxiliary, post or payload), name (a word in the module name), and cve (a CVE identifier); a bare word with no keyword is matched against module names and descriptions. Note that the app keyword does not mean the target application: it only takes the values client and server.

For example:

search platform:linux type:exploit name:ftp

will search for exploits that target FTP services on Linux.

The search will enumerate the matching modules by number. Once you identify the module, load it by saying "use <module number>" or "use <module name>"; the number is only valid for the most recent search, whereas the full name is stable.

In many cases, the module will require you to fill out one or more options before it can be executed. To see what the options are, type:

options

Options labeled Required = yes must be filled. To set a value for an option, type "set <option> <value>". For example, one common option is rhosts, the IP address (or range) of the target machine:

set rhosts 192.168.0.45

Many modules can change payloads. A payload is the code that runs on the target once the exploit has succeeded. For example, you might want a reverse shell that connects back to your machine (in which case the lhost option, your own IP address, must be set too) or a persistent backdoor. To see the list of available payloads for a module, type:

show payloads

This will list all payloads compatible with the module, each assigned a number. To change payloads, type "set payload <number>" (or "set payload <name>"), where the number is the one assigned to that payload in the list.

Once you are ready, type "run" (or "exploit") to execute the module.


Onion Routing

Onion routing is a way to prevent a third party from learning who is communicating with whom, and from reading the communication in transit. A third party watching the network between the sender and the first router, or between routers, sees only encrypted traffic and the next hop. The content is exposed only where the last layer is removed (see below), or if the third party controls the sender's or the recipient's machine.

In onion routing, the sending machine chooses a path of intermediary routers (relays) between itself and the final recipient. The sender knows all of the relays on the path. Each relay, however, knows only the node it received the message from and the node it must forward it to. The sender and every relay are able to perform public-key cryptography.

The sender obtains a public key for every relay on the path and uses it to agree a separate session key with each one. The message is then encrypted multiple times, innermost layer first, once for every relay, with each layer wrapped around the previous one together with the address of the next hop. The message is sent to the first relay, which removes the outer layer with its key. What it finds is the address of the next relay and a message that is still encrypted, so it forwards it. The last relay (the exit) removes the final layer and finds the plaintext message (e.g., an HTTP GET request) together with the destination, and forwards the request to the destination, which is ordinarily not an onion router at all. The reply travels the same path in reverse, each relay adding its layer back on.

That there are multiple layers of encryption, each of which is peeled back by a router, is why this is called onion routing. If the third party taps a relay in the middle of the path, it cannot determine the contents of the message, because they are still wrapped in the inner layers, and it sees neither end of the path. The exception is the exit relay: it sees the message exactly as the destination will receive it, so unless the message is itself end-to-end encrypted (HTTPS rather than HTTP), whoever operates or taps the exit can read and alter it.

Note the sender must always know the recipient's address, otherwise messages can't be sent; the recipient, on the other hand, sees only the address of the exit relay, not the sender's. Onion routing therefore cannot protect you if the third party controls your own machine. A third party that can watch the traffic at both the sender's end and the recipient's end can also match the timing and volume of packets to link the two (traffic correlation), even though it cannot read them.
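To make the peeling concrete, here is an added example (not code from the original page, and not Tor's own protocol code) that simulates a three-relay circuit in Python. It assumes the per-relay keys have been agreed in advance, standing in for the session keys that the handshake with each relay's public key produces, and it uses an HMAC-SHA256 counter-mode stream cipher so that it runs with the standard library alone; Tor itself uses AES-CTR with integrity checks, and the construction here is unauthenticated and for illustration only. The relay names, keys and HTTP request are constructed for the example. Each relay's function strips exactly one layer and records what it could observe: the guard sees the client and the middle relay, the middle relay sees only ciphertext and its two neighbours, and the exit sees the plaintext request and the destination.

```python
"""Toy onion-routing simulation: the client wraps a request in one encryption layer per
relay, and each relay strips exactly one layer, learning only its previous and next hop."""
import hashlib
import hmac
import os

NONCE_LEN = 16
HOP_LEN = 16  # fixed-width "next hop" header carried inside each layer

def keystream(key, nonce, length):
    """Illustrative stream cipher: HMAC-SHA256 in counter mode. A stand-in for the
    AES-CTR layers Tor uses; unauthenticated, so not for real traffic."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)  # fresh per layer, so repeated sends never look alike
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def pack_hop(name):
    return name.encode().ljust(HOP_LEN, b"\0")

def unpack_hop(data):
    return data[:HOP_LEN].rstrip(b"\0").decode(), data[HOP_LEN:]

def build_onion(path, keys, destination, request):
    """Wrap `request` so that path[0] peels the outer layer, path[1] the next, and the
    exit path[-1] peels the last one and finds the destination plus the plaintext."""
    layer = encrypt(keys[path[-1]], pack_hop(destination) + request)
    for i in range(len(path) - 2, -1, -1):
        layer = encrypt(keys[path[i]], pack_hop(path[i + 1]) + layer)
    return layer

def relay_peel(name, key, came_from, blob):
    """What one relay does: remove its own layer, read where to forward, pass on the rest.
    The returned view is everything this relay was able to observe."""
    next_hop, payload = unpack_hop(decrypt(key, blob))
    view = {"relay": name, "came_from": came_from, "next_hop": next_hop, "payload": payload}
    return next_hop, payload, view

def run_circuit(path, keys, destination, request):
    """Send one request through the circuit; return what the destination receives and
    what every relay saw on the way."""
    blob = build_onion(path, keys, destination, request)
    hop, came_from = path[0], "client"
    views = []
    while True:
        next_hop, payload, view = relay_peel(hop, keys[hop], came_from, blob)
        views.append(view)
        if next_hop == destination:  # exit relay: the payload is now the plaintext request
            return payload, views
        hop, came_from, blob = next_hop, hop, payload

# Constructed example circuit. The keys stand in for the per-hop session keys that the
# handshake with each relay's public key would produce (assumption for this example).
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(f"circuit-key-{name}".encode()).digest() for name in PATH}
REQUEST = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    delivered, views = run_circuit(PATH, KEYS, "example.org", REQUEST)
    print("destination received:", delivered)
    for v in views:
        print(f"{v['relay']}: from {v['came_from']} -> to {v['next_hop']}, "
              f"payload starts {v['payload'][:12]!r}")
```

Running it shows the asymmetry the text describes: the guard learns that the client is using the circuit but not what for or where to, the middle relay learns nothing but its neighbours, and the exit learns the destination and the full request, which is why a plain HTTP request is readable at the exit. The reply path (each relay re-adding its layer) is not simulated.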

The standard way to use the onion protocol is the Tor Browser, a modified Firefox that routes all of its traffic over the Tor (The Onion Router) network.

The two common ways to defeat onion routing are to block the onion protocol (recognised by its traffic signature) and to block the onion routers (whose addresses are public, since every client needs them to build a path). If either the protocol or the routers are blocked, the message can't be sent, and the sender has to use a more open protocol.

Pluggable transports are a layer on top of Tor used to defeat blocks on the onion protocol. A pluggable transport disguises Tor traffic as something else: for example, obfs4 makes it look like random bytes with no recognisable signature, and meek makes it look like ordinary HTTPS traffic to a large cloud provider.

Bridges are unlisted onion routers. Ordinary onion routers appear in a public directory, so they can be blocked by address; a bridge is run by a volunteer but is not listed, so a censor has to discover it first. Bridge addresses are handed out a few at a time by the Tor Project's bridge distributor (through the browser, by e-mail, or on its web site) or passed on by word of mouth.

Sites hosted inside the Tor network (onion services) have addresses ending in .onion, which resolve only through Tor.