Hacking Step

This document outlines the typical methodology and tools used in hacking activities, including footprinting, scanning, enumeration, gaining access, escalating privileges, pilfering information, covering tracks, creating backdoors, and denial of service attacks. It describes techniques such as port scanning with Nmap, password cracking with John the Ripper, installing rootkits to maintain access, and using tools like Netcat to create backdoors or launch denial of service attacks if other objectives cannot be met. The level of detail around each phase of a hacking operation and the associated tools demonstrates how such activities can be conducted in a methodical, surgical manner.
Copyright: © Attribution Non-Commercial (BY-NC)
Hacking Methodology (Steps)

An excellent description of these steps is printed inside the back cover page of the "Hacking Exposed" text by McClure et al.

Step: tools
 Footprinting: whois, nslookup
 Scanning: Nmap, fping
 Enumeration: dumpACL, showmount, legion, rpcinfo
 Gaining Access: Tcpdump, L0phtcrack, NAT
 Escalating Privilege: John the Ripper, getadmin
 Pilfering: Rhosts, userdata, config files, registry
 Covering Tracks: zap, rootkits
 Creating Back Doors: Cron, at, startup folder, netcat, keystroke logger, remote desktop
 Denial of Service: Synk4, ping of death, tfn/stacheldraht
cs591 1 chow
Footprinting
 Information gathering. Sam Spade is a Windows-based network query tool.
 Find out the target's IP address and phone number ranges.
 Why check phone numbers?
 Namespace acquisition. Network topology (VisualRoute).
 It is essential to a "surgical" attack.
 The key here is not to miss any details.
 Note that for a penetration tester, this step is to avoid testing others instead of your client, and to include all systems to be tested (sometimes the organization will not tell you what their systems consist of).
 Defense: deploy an open source NIDS (snort), RotoRouter.
Techniques and tools:
 Open source search: Google, search engines, Edgar
 Find domain name, admin, IP addresses, name servers: Whois (Network Solutions; ARIN)
 DNS zone transfer: Nslookup (ls -d), dig, Sam Spade
Scanning
 Bulk target assessment.
 Which machines are up and what ports (services) are open.
 Focus on the most promising avenues of entry.
 To avoid being detected, these tools can reduce the frequency of packet sending and randomize the order of the ports or IP addresses to be scanned.
 Note that some machines do not respond to ping but do respond to requests to ports that are actually open. Ardor is an example.
Techniques and tools:
 Ping sweep: fping, icmpenum, WS_Ping ProPack, nmap
 TCP/UDP port scan: Nmap, Superscan, fscan
 OS detection: Nmap, queso, siphon
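The defensive counterpart to the scanning slide, as an added example that is not part of the original slides: a detector that reads firewall log lines and flags any source that touches many distinct destination ports, using a long window and distinct-port counting so that the slow, randomized scans the slide describes still trip it. The iptables-style log format and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style firewall log lines (not from the slides).
# 203.0.113.5 probes eight different ports over ~50 minutes, in random order;
# 198.51.100.7 is an ordinary client that only talks to 443 and 80.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=8080 SYN
Jan 10 12:00:09 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 10 12:07:13 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 10 12:14:40 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=3389 SYN
Jan 10 12:15:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Jan 10 12:21:55 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 10 12:29:30 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=139 SYN
Jan 10 12:30:11 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=80 SYN
Jan 10 12:36:47 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Jan 10 12:44:02 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=21 SYN
Jan 10 12:51:19 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=110 SYN
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")

def detect_port_scans(lines, window_seconds=3600, min_ports=6):
    """Flag sources that touch at least min_ports distinct destination ports
    within any window_seconds span. Counting distinct ports over a long window
    (rather than packets per second) is what catches slow, randomized scans."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events[m.group("src")].append((ts, int(m.group("dport"))))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({p for _, p in evs[lo:hi + 1]}) >= min_ports:
                flagged[src] = sorted({p for _, p in evs})
                break
    return flagged
```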
Enumeration
 Identify valid user accounts or poorly protected resource shares.
 More intrusive probing than the scanning step.
Techniques and tools:
 List user accounts: Null sessions, DumpACL, sid2user, OnSiteAdmin
 List file shares: Showmount, NAT, legion
 Identify applications: Banner grabbing with telnet or netcat, rpcinfo
Gaining Access
 Based on the information gathered so far, make an informed attempt to access the target.
Techniques and tools:
 Password eavesdropping: Tcpdump/ssldump, L0phtcrack readsmb
 File share brute forcing: NAT, legion
 Password file grab: Tftp, Pwdump2 (NT)
 Buffer overflow: Ttdb, bind, IIS .HTR/ISM.DLL
Escalating Privilege
 If only user-level access was obtained in the last step, seek to gain complete control of the system.
Techniques and tools:
 Password cracking: John the Ripper, L0phtcrack
 Known exploits: lc_messages, getadmin, sechole
Pilfering
 Webster's Revised Unabridged Dictionary (1913):
 Pilfer \Pil"fer\, v. i. [imp. & p. p. Pilfered; p. pr. & vb. n. Pilfering.] [OF. pelfrer. See Pelf.] To steal in small quantities, or articles of small value; to practice petty theft.
 Gather information on, and identify, mechanisms that allow access to trusted systems.
Techniques and tools:
 Evaluate trusts: rhosts, LSA secrets
 Search for cleartext passwords: user data, configuration files, registry
Covering Tracks
 Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.
Techniques and tools:
 Clear logs: Zap, Event Log GUI
 Hide tools: Rootkits, file streaming
Creating Back Doors
 Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.
Techniques and tools:
 Create rogue user accounts: members of wheel, admin
 Schedule batch jobs: Cron, AT
 Infect startup files: rc, startup folder, registry keys
 Plant remote control services: Netcat, remote.exe, VNC, BO2K, remote desktop
 Install monitoring mechanisms: keystroke loggers, add acct. to secadmin mail aliases
 Replace applications with Trojans: login, fpnwclnt.dll
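A Tripwire-style integrity check covering both the Covering Tracks slide (hidden tools, rootkits) and the Creating Back Doors slide (cron jobs, startup files, trojaned login), added here as an example that is not part of the original slides: hash the watched locations once from a trusted state, then report anything added, removed or changed. The watched paths and the demo file contents are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Paths the slide names as persistence and trojan targets (cron, startup
# files, the login program), relative to a root so the demo can use a temp dir.
WATCHED = ["etc/crontab", "etc/cron.d", "etc/rc.local", "bin/login"]

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map each watched regular file (directories are walked) to its SHA-256."""
    digests = {}
    for rel in WATCHED:
        top = os.path.join(root, rel)
        if os.path.isfile(top):
            digests[rel] = _sha256(top)
        elif os.path.isdir(top):
            for dirpath, _, files in os.walk(top):
                for name in files:
                    full = os.path.join(dirpath, name)
                    digests[os.path.relpath(full, root)] = _sha256(full)
    return digests

def diff_snapshots(baseline, current):
    """Anything added, removed or changed since the trusted baseline is suspect."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline a clean tree, then simulate two back-door steps."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/crontab", "0 3 * * * root /usr/local/bin/backup\n")
        _write(root, "bin/login", "original login binary\n")
        baseline = snapshot(root)
        _write(root, "etc/cron.d/update", "*/5 * * * * root /var/tmp/update\n")  # scheduled job dropped in
        _write(root, "bin/login", "replaced login binary\n")                    # login replaced
        return diff_snapshots(baseline, snapshot(root))
```

The baseline dictionary must be stored off the host (or on read-only media), since a rootkit that can rewrite `login` can also rewrite a baseline kept beside it.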
Denial of Service
 If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Techniques and tools:
 SYN flood: synk4
 ICMP techniques: Ping of death, smurf
 Identical src/dst SYN requests: Land, Latierra
 Overlapping fragment/offset bugs; Out of bounds TCP options (OOB): the tools row printed on the slide for these two columns repeats the back-door tools from the previous slide (Netcat, remote.exe, VNC, BO2K, remote desktop; keystroke loggers, add acct. to secadmin mail aliases)
 DDoS: Trinoo, TFN, stacheldraht
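A sensor-side view of the DoS slide, added here as an example that is not part of the original slides: it runs over constructed packet summaries and raises an alert for each of the signatures the slide lists (Land's identical src/dst, ping of death's oversized datagram, smurf's echo to a broadcast address, and a synk4-style SYN flood measured as bare SYNs per second). The packet record layout, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not captures from the slides): t in seconds,
# length is the reassembled datagram size in bytes, flags are TCP flags.
def _tcp(t, src, dst, flags):
    return {"t": t, "proto": "tcp", "src": src, "dst": dst, "flags": flags, "length": 60}

def _icmp(t, src, dst, length=84):
    return {"t": t, "proto": "icmp", "src": src, "dst": dst, "flags": "", "length": length}

SAMPLE = (
    [_tcp(0.0, "192.0.2.10", "192.0.2.10", "S")]                      # land: src == dst
    + [_tcp(1.0 + i * 0.002, f"203.0.113.{i % 250 + 1}", "192.0.2.10", "S")
       for i in range(300)]                                            # 300 bare SYNs in 0.6 s
    + [_icmp(5.0, "192.0.2.10", "198.51.100.255")]                     # echo to a broadcast address
    + [_icmp(6.0, "203.0.113.9", "192.0.2.10", length=65600)]          # reassembles past 65535 bytes
    + [_tcp(7.0, "198.51.100.7", "192.0.2.10", "S"),
       _tcp(7.1, "198.51.100.7", "192.0.2.10", "A")]                   # normal handshake start
)

def classify(packets, syn_threshold=200, window=1.0):
    """Return (signature, target) alerts for the DoS techniques on the slide."""
    alerts = []
    syn_times = defaultdict(list)   # dst -> arrival times of bare SYNs inside the window
    flooded = set()                 # dsts already reported, so a flood alerts only once
    for p in packets:
        if p["src"] == p["dst"]:                             # Land / Latierra
            alerts.append(("land", p["dst"]))
        if p["proto"] == "icmp" and p["length"] > 65535:     # ping of death
            alerts.append(("ping_of_death", p["dst"]))
        # smurf sends echo requests to a broadcast address; the ".255" test
        # assumes /24 networks, a real sensor would use the local netmask
        if p["proto"] == "icmp" and p["dst"].endswith(".255"):
            alerts.append(("smurf_broadcast_echo", p["dst"]))
        if p["proto"] == "tcp" and p["flags"] == "S":        # SYN flood: bare SYNs per window
            times = syn_times[p["dst"]]
            times.append(p["t"])
            while p["t"] - times[0] > window:
                times.pop(0)
            if len(times) >= syn_threshold and p["dst"] not in flooded:
                flooded.add(p["dst"])
                alerts.append(("syn_flood", p["dst"]))
    return alerts
```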
