FOOTPRINTING (Gathering Information)
 ENUMERATE
PENETRATE Use the information acquired from the previous steps to:
|
or use following awesome framework
| Metasploit | msfconsole |
| Armitage | armitage |
ESCALATE PRIVILEGED
Any access is good...but root/Admin is where it's at! A little more digging may reveal a choice privilege escalation exploit! Remember, you may need to be interactive first...
www.securityfocus.com/bid (for starters)
PILLAGE
Once access is gained, there is much to do...
- Disable logging
- Clear logs and histories
- Grab password data
- Add yourself a user account
- Review system config files
- Memory contents?
- etc...
INTERACTIVE
To truly own the machine, one must gain interactive command execution
- Seek out services like telnet, rlogin, SSH, MS Terminal Services, etc
- Back channels rarely disappoint
- NetCat is the Swiss Army knife of hacking (or should we say Leatherman?)
- Don't forget about PSEXEC across and Admin connection to a Windows host
- etc...
INFLUENCE
Expand your influence...
- Start the methodology over again from your new vantage point
- Attack trusts
- Copy over tools to assist in your expansion efforts
- Crack passwords gathered thus far
- Rootkits, Trojans, backdoors
- Keystroke loggers
- Sniff traffic
- Memory contents
- Sensitive files
- Enumerate ACL's
- Use port re-direction to circumvent ACL's
- Hi-jack sessions
- Re-use passwords elsewhere!
- etc...
TRACKS
Covering your tracks well allows for extended stays with little interference
- Disable logging, IDS, and other security mechanisms
- Hide tools (obscure directory, attributes, streaming, etc.)
- Rootkits, Trojans, backdoors
- Covert channels (Loki, httptunnel, etc.)
- Spoofed sessions (i.e. STerm)
- etc...
WIRELESS
NetStumbler
External Antennas
- Decibel (dB) A decibel is the unit of measure for power ratios describing loss or gain, normally expressed in watts. A decibel is not an absolute value - it is the measurement of power gained or lost between two communicating devices. These units are usually given in terms of the logarithm to Base 10 of a ration
- dBi value This is the ratio of the gain of an antenna as compared to an isotropic antenna. The greater the dBi value, the higher the gain. If the gain is high, the angle of coverage will be more acute
Disable the TCP/IP Stack in Windows to prevent the wireless card from connecting to any network.
- Untick the checkbox of the Internet Protocol (TCP/IP) in the properties box of the wireless network card
NetStumbler (www.netstumbler.com) display
- MAC - Machine Address Code; a unique address for each Ethernet device. Preceding each MAC is a small circular icon showing signal strength
- SSID - Service Set Identifier; also known as the "Network Name"
- Name - Access point name. Often blank, as it is not used by all brands of wireless equipment
- Chan - Channel number the network is operating on. In 802.11b communications, 1 to 14
- Speed - The reported maximum speed of the network, in megabits per second (Mbps)
- Vendor - Equipment manufacturer's name or other brand identifier
- Type - Network type; either AP for access point, or peer for peer-to-peer
- Encryption - If the wireless traffic is encrypted on the network by the wireless devices, it is marked as WEP, which stands for "Wired Equivalency Privacy"
- SNR - The RF signal-to-noise ratio; measured in microvolt deciBels (dBm). Only active when in range of a network
- Signal+ - The maximum RF signal seen from the network device in dBm
- Noise- - The minimum RF noise reported at the device in dBm
- SNR+ - The maximum RF signal-to-noise ratio reported at the device in dBm
- IP Addr - The reported Internet Protocol address, if any
- Subnet - Any reported network IP subnet, if any
- Latitude - Latitude as reported by the GPS receiver when NetStumbler saw the network
- Longitude - Longitude as reported by the GPS receiver when NetStumbler saw the network
- First Seen - The time when NetStumbler first saw the network
- Last Seen - The time when NetStumbler last saw the network
- Signal - The current RF signal level in dBm. Only active when in range of a network
- Noise - The current RF noise level in dBm. Only active when in range of a network
- Flags - 802.11 flags from the network in hexadecimal (Base 16) code
- Beacon Interval - The interval of the beacon broadcast from the AP
- Distance - The distance to where you were when the best SNR was seen
WIRELESS DEFAULTS
WIRELESS ROUTERS
Default setups of common wireless routers available in the UK:| WIRELESS ROUTER | SSID | WEB INTERFACE | USERNAME | PASSWORD |
| 3Com Office Connect 3CRWE754G72-A | 3Com | http://192.168.1.1 | <blank> | <blank> |
| Belkin F5D7630-4A | belkin54g | http://192.168.2.1 | <blank> | <blank> |
| BT Voyager 2000 | BTVOYAGER | http://192.168.1.1 http://voyager.home | admin | admin |
| BT Voyager 2100 | BTVOYAGER2100 | http://192.168.1.1 http://voyager.home | ||
| BT Wireless Network 1250 | <blank> | http://192.168.0.1 http://gateway.2wire.net | <blank> | <blank> |
| Buffalo AirStation 54Mbps | http://192.168.11.1 | root | <blank> | |
| D-Link DSL-604+ | default | http://192.168.0.1 | admin | admin |
| Intertex IX66 AirSIP | wireless_gw | http://192.168.30.1 | ||
| Netgear DG814 | http://192.168.0.1 | admin | password | |
| Netgear DG824M | Wireless | http://192.168.0.1 | admin | password |
| Netgear DG834G | NETGEAR | http://192.168.0.1 | ||
| Linksys WAG-54G | linksys | http://192.168.1.1 | admin | admin |
| SMC ADSL Barricade 7404WBRA | hub | |||
| Solwise SAR-110 | http://192.168.7.1 | DSL | DSL | |
| Solwise SAR-715PVW | act1 | http://192.168.1.1 | admin | admin |
| U.S. Robotics SureConnect 9106 | USR9106 | http://192.168.1.1 | admin | admin |
| Vigor 2600 | http://192.168.1.1 | admin | <blank> | |
| Westell WireSpeed 2410 | Wireless LAN | http://192.168.1.1 | <blank> | <blank> |
No comments:
Post a Comment