Posts Tagged Ethical Hacking

TRANCHULAS Ethical-Hacking Online Training

Tranchulas is an international consulting firm that has launched a new e-learning service from Pakistan. The training covers several IT security topics:

1- Web Application Security Workshop
2- PCI Data Security Standard Training
3- Hands-On Ethical Hacking
4- ISO/IEC 27001 – ISMS Implementation

Before attending the training courses a test is conducted to evaluate the attendees' knowledge, and according to the result the student is placed at the required level.
Today I attended a short demonstration of the Ethical Hacking course. The course teaches advanced techniques in ARP spoofing and network scanning using BackTrack. There are very nice live scenarios that help students understand deeply how simple it is to conduct a man-in-the-middle attack in a real working environment, even when the traffic is encrypted with SSL.

Zubair Khan, Chief Executive Officer, has conducted security trainings at various forums in Pakistan and abroad. He has previously presented at renowned security conferences including Hack.lu Luxembourg, Hack In The Box Malaysia and Infosek Slovenia. The Chairman of the Pakistan Engineering Development Board and the Chairman of the Pakistan Engineering Council recognize his research and work.

This is a cutting-edge course; the current outline covers Basic Bash Scripting, Information Gathering (Google Hacking and Harvesting, Netcraft, DNS Reconnaissance…), Port Scanning, ARP Spoofing, Buffer Overflow Exploitation, Bind Shells and Reverse Shells, etc.

For more information and details on upcoming trainings you can visit the official website.

Hacking Lotus Domino

IBM Lotus Domino Server is a solution for corporate environments that provides various services for managing electronic documents; it includes several components such as a mail server, an HTTP server and a database. The current version is Lotus Domino 8.5.1.

To detect the server we start by scanning the network. The server usually runs a web interface (Lotus Domino httpd), so we run Nmap against the target network as follows:

nmap -sV 172.16.1.0/24 -p 80
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80 open http Lotus Domino httpd

As you can see, the IP address of the Domino server has been found, and you can open your web browser to look at some of the Domino web pages showing the version: http://serverip/homepage.nsf.

You can use the Google hacking method to find all web servers running Domino by searching for inurl:homepage.nsf. The results include thousands of Domino-based web pages. It is very important to note that you should not practise on these sites.

Usually when you install the Lotus client you need to connect to the server as a user, and an authentication screen appears that can intimidate inexperienced hackers; but if you concentrate and check everything slowly you will find the gaps and admin faults.

First, learn the important resources on the server. On Domino the most important files have the .NSF extension, so we have:

/names.nsf: the file on the Domino server that contains file names and paths (the most important database in the Domino environment).

You can find other files using DominoHunter, which gives you a list of all .nsf files. But what we need is the names.nsf database, which includes all mail addresses, user information, users' operating systems, security applications on Lotus Notes and other important information.

What is interesting is that on most Domino servers this file can be accessed by anonymous users =-).
Now, the kinds of information we need to take care of:

1. The list of user logins, so we can guess their passwords and also identify which user account is the admin.

2. All of this information can be used in social engineering to trick untrained personnel.

3. In names.nsf you will also find the OS version and the Lotus Notes client version; this is very helpful for finding 0-days for all users, applications and operating systems. Here an attacker can even use a vulnerability in Internet Explorer to compromise some accounts.

Gathering information is not all that is possible: in 2005 someone discovered a vulnerability that allows an attacker to obtain Internet users' password hashes. The vulnerability is not difficult to exploit because all users' password hashes are stored in the hidden HTTPPassword or dspHTTPPassword files, depending on the version.
What is strange is that this vulnerability remains unfixed.

Now, the number of users can be in the hundreds or thousands, so you will need to collect all the hashes automatically. In 2007 an exploit for dumping password hashes, Raptor_dominohash, was released that allows downloading all users' hashes.

DominoHashBreaker is another important tool; it tries to find the clear-text form of the password using a dictionary attack. Its goal is to let an administrator check the robustness of users' passwords.

But for the best results use John the Ripper with the Jumbo patch, which adds modern password hashes; all you need is to give HASH.txt (in the form username:hash) to John the Ripper. If you find one account's password you will be able to infer the password policy for all users, and it will not take much time to obtain the full password list. These passwords are for Domino web access.

If we have the administrator account password, then it's OK; if not, we should repeat the previous steps. What is interesting is that the admin password allows an attacker to open webadmin.nsf (servername/webadmin.nsf), the interface for administering the Lotus Domino web server, and by getting access to this resource you can add, remove or modify users.
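As an added example (not from the original post), the following Python script flags in a Domino HTTP access log the two conditions described above: names.nsf being served to anonymous users, and the repeated pulls from names.nsf that a hash-dumping tool produces, plus any hit on webadmin.nsf without a login. It assumes the server writes its access log in Common Log Format; the log lines and the enumeration threshold are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (not a real server log); a Domino
# server configured to write its HTTP access log in CLF is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:10:01:02 +0000] "GET /homepage.nsf HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2010:10:01:09 +0000] "GET /names.nsf HTTP/1.1" 200 8801
203.0.113.5 - - [10/Mar/2010:10:01:15 +0000] "GET /names.nsf/People?OpenView HTTP/1.1" 200 23011
203.0.113.5 - - [10/Mar/2010:10:01:16 +0000] "GET /names.nsf/People?OpenView&Start=31 HTTP/1.1" 200 23109
198.51.100.9 - jdoe [10/Mar/2010:10:02:00 +0000] "GET /names.nsf HTTP/1.1" 200 8801
198.51.100.9 - - [10/Mar/2010:10:02:30 +0000] "GET /webadmin.nsf HTTP/1.1" 401 -
"""

# Databases the post singles out: the directory (names.nsf) and the web admin UI.
SENSITIVE_DBS = ("/names.nsf", "/webadmin.nsf")
ENUM_THRESHOLD = 3  # assumed: this many names.nsf requests from one IP looks like harvesting

CLF_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_clf(line):
    """Return the CLF fields as a dict, or None for a line that does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_log(text):
    """Return findings: anonymous 200s on sensitive databases, and IPs pulling names.nsf repeatedly."""
    findings = []
    names_hits = Counter()
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop ?OpenView and similar arguments
        db = next((d for d in SENSITIVE_DBS if path.startswith(d)), None)
        if db is None:
            continue
        if db == "/names.nsf":
            names_hits[rec["ip"]] += 1
        # "-" in the authuser field means the request was served without a login.
        if rec["user"] == "-" and rec["status"] == "200":
            findings.append(("anonymous-access", rec["ip"], db))
    for ip, n in names_hits.items():
        if n >= ENUM_THRESHOLD:
            findings.append(("directory-enumeration", ip, n))
    return findings
```

A 401 on webadmin.nsf, as in the last sample line, is the healthy case: the server demanded credentials.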

Domino has another protocol, NRPC, on port 1352, which allows users to use the Lotus Notes client and Lotus Designer. The client must have a certificate, a file with the .ID extension, to prove its identity. There is also a password authentication mechanism.

Passwords are used to decrypt the ID file, so to access any Domino account we need two things: an ID file and the password for that file. This is more complicated than web access, but it is always possible.

To get the ID file you can exploit a vulnerability in Lotus Domino whereby the server keeps a copy of the ID stored on the server, so if you have the user logins, as shown using names.nsf, you will have the IDs. For the ID password there are three tools that can search for it (ID Password Recovery, Lotus Notes Password Recovery or Notes Password Recovery, by following this link); all three tools are free.

This post gives a clear picture of the different configuration faults that can exist on a Domino server, where a small vulnerability can allow an outsider to take full control of the server and manipulate a corporation's very sensitive information.

Reference: http://dsecrg.com/pages/pub/show.php?id=2

Ways for Effective Network Penetration Testing

Any security professional has his own way of conducting a penetration-testing mission, but the overall plan and method for performing the pentest should be in accordance with security standards, recommendations and regulations.

The first step is to define a framework for the several parts of the pentest. This involves obtaining comprehensive information about the internal system to help map the infrastructure. The required information includes:
- Network segmentation.
- Firewall rules (access lists…).
- Web-based applications and databases, if any.
- Wireless networks, if any.
- Any other security details that should be taken into account during the mission (for example, account lockout after a number of failed authentication attempts, which helps prevent brute-force password discovery).

To start the network pentest you will need a good packet-analysis tool; this can be Wireshark or CommView. You just need to run the sniffer for a period of 2 hours to intercept the needed traffic and analyze it.

We will need to pay attention to the following protocols:
- Switching protocols (STP, DTP…)
- Routing protocols (RIP, EIGRP…)
- Dynamic host configuration protocols (DHCP, BOOTP)
- Open protocols that do not use encryption (Telnet, rlogin…)

These protocols can reveal whether there are problems in the network and what we have to test in it, for example:

- If we find DHCP or RIP, we should test for man-in-the-middle attacks.
- For the Spanning Tree Protocol (STP), test the root bridge election, which allows intercepting all neighbouring segments.
- With DTP it is also possible to change the port mode to trunk and intercept legitimate traffic.

To test these attacks you can use Yersinia. Yersinia is a network tool designed to take advantage of weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems.

That covers the data-link layer; next we can move to the ARP-poisoning attack, for which we can choose one of two tools or both (Cain & Abel or Ettercap). A successful ARP-poisoning attack allows the pentester to obtain clear-text passwords for various information resources (databases, the Active Directory domain and others), but it is very important to launch the tool against a single target so as not to DoS the system.
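As an added example (not from the original post, and not one of the tools it names), the following Python function shows the two signs a defender can watch for in captured ARP replies to detect the ARP poisoning described above: an IP whose MAC keeps changing, and a single MAC claiming several IPs. The ARP replies are constructed sample data.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies as (time_s, sender_ip, sender_mac); not a real capture.
SAMPLE_ARP = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),  # gateway
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),  # workstation
    (1.0, "192.168.1.1",  "00:11:22:33:44:01"),  # normal refresh, same MAC
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP now claimed by a new MAC
    (2.1, "192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the workstation
    (2.5, "192.168.1.1",  "00:11:22:33:44:01"),  # the real gateway answers again: flapping
]


def analyze_arp(replies, min_ips_per_mac=2):
    """Return (flips, multi_claimers).

    flips: (time, ip, old_mac, new_mac) whenever an IP's MAC changes, which is
    what a poisoned cache experiences; multi_claimers: MACs that claim several
    IPs, the signature of one host impersonating both ends of a conversation."""
    last_mac = {}
    flips = []
    ips_by_mac = defaultdict(set)
    for t, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            flips.append((t, ip, prev, mac))
        last_mac[ip] = mac
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) >= min_ips_per_mac}
    return flips, multi
```

The flapping in the sample (the real gateway reasserting its MAC) is also why a poisoning run against more than one target can knock hosts offline, as the post warns.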

For the network layer we can add other tools, but overall these do a good job and their results should be included in the main report.

HTTP DoS-attack tool on Apache web server

Robert Hansen, a guru in the security field, has released a new DoS-attack tool that exposes serious web server vulnerabilities, including in Apache and other servers.

Hansen called his tool Slowloris. The most interesting thing about this utility is that it can cause a DoS without using the huge amount of traffic we usually see with other DoS tools.

According to Hansen, typically 1000 machines are required to bring down a web server by bombarding the site with traffic, but for Slowloris this is not the case: it takes up all the available connections on the server by sending unlimited HTTP requests without closing those connections, which keeps Apache waiting too long for the rest of each request. Apache web servers have a limit on the number of threads, which can be used to deplete memory and cause defacement.

This vulnerability affects Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer and Squid, but not IIS6, IIS7 or lighttpd, because those servers handle the number of open connections differently.
The tool is available for free at http://ha.ckers.org/slowloris/, but it is important to note that the attack will not work against large web sites with load-balancing mechanisms :-), so just try it locally; it should be used for educational purposes only.

Phrack #66 is out

Phrack magazine issue 66 has been released; in this issue you can find these topics:
• Abusing the Objective C runtime
• Backdooring Juniper Firewalls
• Exploiting DLmalloc frees in 2009
• Persistent BIOS infection
• Exploiting UMA : FreeBSD kernel heap exploits
• Exploiting TCP Persist Timer Infiniteness
• Malloc Des-Maleficarum
• A Real SMM Rootkit
• Alphanumeric RISC ARM Shellcode
• Power cell buffer overflow
• Binary Mangling with Radare
• Linux Kernel Heap Tampering Detection
• Developing MacOS X Kernel Rootkits
• How close are they of hacking your brain

For those who are not familiar with it, Phrack is an ezine written by and for hackers, first published November 17, 1985. Described by Fyodor as “the best, and by far the longest running hacker zine,” the magazine is open for contributions by anyone who wishes to publish remarkable work or express original ideas on its topics of interest. It has a wide circulation that includes both hackers and computer security professionals.

You can read more here.

Hackers are making the Mac a 'first-class target' for Metasploit toolkit

Two well-known Mac hackers are updating a widely used hacking toolkit, making it easier to take control of a Macintosh computer.

Over the past few days, the researchers have been quietly adding new software to the Metasploit toolkit, used by security researchers and criminals alike. Metasploit already supported Mac attacks, but until recently the Mac code hadn’t been as good as Metasploit’s Windows and Linux tools, said Dino Dai Zovi, an independent security researcher who talked about the new tools with his collaborator Charlie Miller at the CanSecWest conference Friday. “Our goal was to make Mac OS X a first-class target for Metasploit.”

Metasploit is an open-source toolkit that makes it easy for hackers to launch a barrage of attacks against a computer system.

Miller and Dai Zovi earned fame in previous years for hacking Macintosh computers at CanSecWest’s annual Pwn2Own hacking contest. On Wednesday, Miller, a researcher with Independent Security Evaluators, won US$5,000 and a Mac laptop by using a previously unknown Safari vulnerability to hack into a Mac system.

They have also ported a Windows tool, called Meterpreter, to the Mac. Meterpreter is a stealth tool that can be used to gain information from and import more software onto a hacked computer.

In the next few days they plan to add exploit code to Metasploit for a handful of previously patched Mac software bugs. Exploit code must be used to first hack into the computer before any payload software can be installed.

Although there are still many more exploits available for Windows software than for Macs, the new payload code means there is now “more or less the same functionality if you want to target a Mac box or a Windows box,” Miller said.

The presentation is available here and you can find more here.

Damn Vulnerable Linux – DVL – Another V.A Platform

Damn Vulnerable Linux is another interesting platform for pen testing and vulnerability assessment. It was created for training IT-security professionals during university lessons by the IITAC (International Institute for Training, Assessment, and Certification) and Secure Software Engineering, in cooperation with the French Reverse Engineering Team.
It is freely available for download here:
Damn Vulnerable Linux

You can find out more about it on the official site.

Damn Vulnerable Linux (DVL) is for educational purposes only!

BackTrack 4 Beta released 2009

The Remote Exploit Development Team has just announced BackTrack 4 Beta, and they consider the version stable and usable. There are many new features, including:

* Kernel 2.6.28.1 with better hardware support.
* Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.
* Support for PXE boot – boot BackTrack over the network with PXE-capable cards!
* SAINT EXPLOIT – kindly provided by SAINT Corporation for our users, with a limited number of free IPs.
* MALTEGO – the guys over at Paterva did outstanding work with Maltego 2.0.2, which is featured in BackTrack as a community edition.
* The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements. Wireless injection support has never been so broad and functional.
* Unicornscan – fully functional with PostgreSQL logging support and a web front end.
* RFID support.
* Pyrit CUDA support…
* New and updated tools – the list is endless!

The BackTrack ISO and VMWare images are available here.

BackTrack 4 Beta – Shmoo release

BackTrack needs no introduction in the security and hacking world. It is an excellent bootable live-CD Linux distribution with a huge collection of security and hacking tools. After seven months of effort, the Remote Exploit Dev team has released this version with changes to PXE booting and WPA table generation, which can be read about on the BackTrack 4 blog.
