Fingerprinting a web server with httprecon

Web applications are unfortunately vulnerable, and for this reason they are often the gateway for attacks. An attacker is going to perform reconnaissance to understand where a weakness may reside. Of course, understanding what web server platform is running is critical to understanding what type of attack may or may not be successful. In other words, knowing the application server, one can then begin investigating what vulnerabilities may exist. There are a variety of tools and mechanisms you may employ to fingerprint your target. One such tool is httprecon; its user interface is very simple and provides a wealth of information. If you are not interested in installing software, then Port80 Software has a number of tools that can be used entirely from a browser, one of which is ServerMask. There are other online options, including NetCraft and Shodan. Finally there is the tried and true Nmap.

nmap -sV www.somewhere.com

If you are running a Windows machine you can drop out to a command prompt and use telnet to perform banner grabbing. Be sure to enter the desired IP address and the appropriate port number.

telnet 127.0.0.1 80

At this stage you should see an empty command prompt …

How to be sneaky and hide data using alternate data streams

Have you heard of Alternate Data Streams (ADS)? If not, sit back and relax and learn what you can do with ADS. Before I get too far into the subject it is important to understand what ADS is used for. In short, ADS was introduced with the Microsoft NTFS file system and allows more than a single stream of data to be associated with a file. So what does this really mean? Have you ever looked at the properties of a given file? If so, you have likely noticed the data entry areas for the author or title attributes. Of course there are a number of additional attributes, but my point is that this is where ADS comes into the picture. Keeping this example in mind, you can see the benefit of ADS. It is also important to understand that when you leverage ADS it does not change the file size, and it is virtually impossible to know if the data stream has been exploited. Note that I said virtually impossible. In Windows XP Service Pack 2 Microsoft introduced what is known as the Attachment Execution Service (AES), which provides warnings to end users concerning files they may receive. Of …

Create a penetration testing lab and let the hacking begin

If you are interested in sharpening your skills or simply interested in getting started with penetration testing, this article will be of interest. The hard, cold truth is that under no circumstances should you ever perform penetration testing on any network or resource that you do not own or for which you do not have explicit written permission. There are a number of virtual solutions out there, which include VMware, Parallels, and VirtualBox, just to name a few. I leave the decision up to you as to what works best in your given environment. For me that answer is VirtualBox, and I am running this solution on a MacBook Pro with 8 GB of RAM. I have run anywhere from 3-4 virtual operating systems at the same time and, to be honest, I have noticed little to no performance issues. VirtualBox is a virtualization product from Oracle. The advantage of VirtualBox is that it is free and open source. It supports resizing the guest operating system screen according to the VirtualBox window. You need to have scale mode enabled for this purpose. If you have not caught on yet, I am a fan of Kali Linux in terms of hacking and penetration testing. This being said …

20 introductory Nmap command examples for the technology professional

I’m not going to attempt to cover what Nmap is and what it can do. Rather, the author states: Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

#1 Target a Single Host or IP Address

nmap 192.168.173.130

nmap …

WiFi WPA2 Hacking 101

I want to introduce the idea of breaking WPA2 security by obtaining the password defined for a given network. The reason I am writing about this is both for educational reasons and from the perspective of strengthening security. In many ways I wish I could say that I am surprised at just how easy it is to crack a WiFi password, but many people I talk with seem to think that Wi-Fi Protected Access II (WPA2) itself is the gatekeeper. Of course this is not true, and just like anything else where a password is involved, the password itself is the gatekeeper. Stepping back for a moment, a look at WPA2 is needed to understand what it is and what it provides. As of 2006 all WiFi devices must support this security protocol. After seven years this in itself likely means that the security of this protocol is far outdated. The fact is, at least from my point of view, that nothing is truly secure, and the moment the public is involved it is simply a matter of time before an exploit occurs. In the case of WPA2 I use the term password, but the technical term is pre-shared key. This …