Ethical Hacking



========================
Intro to Ethical Hacking
========================

Introduction
------------
The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is so dominant and important to ethical hacking that it is given wide coverage in this chapter. Many of the tools, attacks, and techniques seen throughout this book are based on the use and misuse of the TCP/IP protocol suite. Understanding its basic functions will advance your security skills. This chapter also reviews the attacker's process and some of the better-known methodologies used by ethical hackers.

The Attacker's Process
----------------------

Objective: State the process or methodology hackers use to attack networks

Attackers follow a fixed methodology. To beat a hacker, you have to think like one, so it's important to understand the methodology. The steps a hacker follows can be broadly divided into six phases, which include pre-attack and attack phases:

1. Performing reconnaissance

2. Scanning and enumeration

3. Gaining access

4. Escalation of privilege

5. Maintaining access

6. Covering tracks and placing backdoors

Note - A denial of service (DoS) might be included in the preceding steps if the attacker has no success in gaining access to the targeted system or network.

Let's look at each of these phases in more detail so that you better understand the steps.

Performing Reconnaissance
-------------------------

Reconnaissance is considered the first pre-attack phase and is a systematic attempt to locate, gather, identify, and record information about the target. The hacker seeks to find out as much information as possible about the victim. This first step is considered passive information gathering. As an example, many of you have probably seen a detective movie in which the policeman waits outside a suspect's house all night and then follows him from a distance when he leaves in the car. That's reconnaissance; it is passive in nature, and, if done correctly, the victim never even knows it is occurring.

Hackers can gather information in many different ways, and the information they obtain allows them to formulate a plan of attack. Some hackers might dumpster dive to find out more about the victim. Dumpster diving is the act of going through the victim's trash. If the organization does not have good media control policies, many types of sensitive information will probably go directly in the trash. Organizations should inform employees to shred sensitive information or dispose of it in an approved way.

Don't think that you are secure if you take adequate precautions with paper documents. Another favorite of the hacker is social engineering. A social engineer is a person who can smooth talk other individuals into revealing sensitive information. This might be accomplished by calling the help desk and asking someone to reset a password or by sending an email to an insider telling him he needs to reset an account.

If the hacker is still struggling for information, he can turn to what many consider the hacker's most valuable reconnaissance tool, the Internet. That's right; the Internet offers the hacker a multitude of possibilities for gathering information. Let's start with the company website. The company website might have key employees listed, technologies used, job listings probably detailing software and hardware types used, and some sites even have databases with employee names and email addresses.

Tip - Good security policies are the number one defense against reconnaissance attacks. They are discussed in more detail in Chapter 13, "Social Engineering and Physical Security."

Scanning and Enumeration
------------------------

Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth information about the target, such as open shares and user account information. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. The hacker might use techniques to lessen the chance that he will be detected, such as scanning at a very slow rate. As an example, instead of checking for all potential applications in just a few minutes, the scan might take days to verify what applications are running. Many organizations use intrusion detection systems (IDS) to detect just this type of activity.

Don't think that the hacker will be content with just mapping open ports. He will soon turn his attention to grabbing banners. He will want to get a good idea of what versions of software and applications you are running, and he will keep a sharp eye out for down-level software and applications that have known vulnerabilities. An example of down-level software would be Windows 95.

One key defense against the hacker is the practice of deny all. The practice of the deny all rule can help reduce the effectiveness of the hacker's activities at this step. Deny all means that all ports and applications are turned off, and only the minimum number of applications and services are turned on that are needed to accomplish the organization's goals.

Unlike the elite blackhat hacker who attempts to remain stealthy, script kiddies might even use vulnerability scanners such as Nessus to scan a victim's network. Although the activities of the blackhat hacker can be seen as a single shot in the night, the script kiddie's scan will appear as a series of shotgun blasts, as their activity will be loud and detectable. Programs such as Nessus are designed to find vulnerabilities but are not designed to be hacking tools; as such, they generate a large amount of detectable network traffic.

Tip - The greatest disadvantage of vulnerability scanners is that they are very noisy.
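The section above contrasts the slow, quiet scan with the noisy vulnerability-scanner burst, and says an IDS is what catches both. The following is an added example, not code from the original text, showing the detection side: it counts distinct destination ports per source over two sliding windows, one short (a burst) and one a day long (a slow scan). The log format, the sample lines, and the window/threshold values are all constructed assumptions; a real deployment would feed it firewall deny logs or Zeek conn records and tune the thresholds to the site.

```python
"""Detect fast and slow port scans in connection-attempt logs.

Added example (not from the original page). Assumed log format, one
attempt per line: "<unix_time> <src_ip> <dst_ip> <dst_port>".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    ts: int      # unix time of the connection attempt
    src: str     # source address
    dst: str     # destination address
    port: int    # destination port


# Constructed sample log. 10.0.0.5 hits ten ports in five seconds (a noisy
# scanner), 10.0.0.9 hits one port every 20 minutes (a slow scanner), and
# 10.0.0.7 is an ordinary client using two services.
SAMPLE_LOG = """\
1700000000 10.0.0.7 192.168.1.10 443
1700000001 10.0.0.5 192.168.1.10 21
1700000001 10.0.0.5 192.168.1.10 22
1700000002 10.0.0.5 192.168.1.10 23
1700000002 10.0.0.5 192.168.1.10 25
1700000003 10.0.0.5 192.168.1.10 80
1700000003 10.0.0.5 192.168.1.10 110
1700000004 10.0.0.5 192.168.1.10 143
1700000004 10.0.0.5 192.168.1.10 443
1700000005 10.0.0.5 192.168.1.10 445
1700000005 10.0.0.5 192.168.1.10 3389
1700000060 10.0.0.7 192.168.1.10 80
1700000000 10.0.0.9 192.168.1.10 21
1700001200 10.0.0.9 192.168.1.10 22
1700002400 10.0.0.9 192.168.1.10 23
1700003600 10.0.0.9 192.168.1.10 25
1700004800 10.0.0.9 192.168.1.10 80
1700006000 10.0.0.9 192.168.1.10 110
1700007200 10.0.0.9 192.168.1.10 143
1700008400 10.0.0.9 192.168.1.10 443
"""

# Detection profiles: (window in seconds, distinct destination ports needed
# inside that window). The numbers are assumptions to tune per site.
PROFILES = {
    "fast_scan": (60, 8),          # many ports within a minute
    "slow_scan": (24 * 3600, 6),   # a few ports spread across a day
}


def parse_log(text):
    """Parse the assumed log format into ConnEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append(ConnEvent(int(ts), src, dst, int(port)))
    return events


def max_distinct_ports(samples, window):
    """samples: list of (ts, port) sorted by ts. Return the largest number of
    distinct ports seen inside any span of `window` seconds (sliding window)."""
    counts = defaultdict(int)
    best = 0
    left = 0
    for ts, port in samples:
        counts[port] += 1
        # Drop samples that fell out of the window ending at `ts`.
        while samples[left][0] < ts - window:
            old_port = samples[left][1]
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(events, profiles=PROFILES):
    """Return {(src, dst): [profile names triggered]} for suspicious pairs."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst)].append((e.ts, e.port))
    alerts = {}
    for pair, samples in by_pair.items():
        samples.sort()
        hits = [name for name, (window, threshold) in profiles.items()
                if max_distinct_ports(samples, window) >= threshold]
        if hits:
            alerts[pair] = hits
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_scans(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for (src, dst), hits in run_sample().items():
        print(f"{src} -> {dst}: {', '.join(hits)}")
```

The fast scanner trips both profiles, since ten ports in five seconds is also more than six ports in a day; the slow scanner trips only the day-long profile, which is the one a per-minute rule would never see. The cost of the slow profile is state: the detector has to remember a day of per-source port history, which is the trade-off any IDS makes when it tries to catch the patient attacker described above.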

Gaining Access
--------------

As far as potential damage, this could be considered one of the most important steps of an attack. This phase of the attack occurs when the hacker moves from simply probing the network to actually attacking it. After the hacker has gained access, he can begin to move from system to system, spreading his damage as he progresses.

Access can be achieved in many different ways. A hacker might find an open wireless access point that allows him a direct connection or the help desk might have given him the phone number for a modem used for out-of-band management. Access could be gained by finding a vulnerability in the web server's software. If the hacker is really bold, he might even walk in and tell the receptionist that he is late for a meeting and will wait in the conference room with network access. Pity the poor receptionist who unknowingly provided network access to a malicious hacker. These things do happen to the company that has failed to establish good security practices and procedures.

The factors that determine the method a hacker uses to access the network ultimately come down to his skill level, the amount of access he achieves, the network architecture, and the configuration of the victim's network.

Escalation of Privilege
-----------------------

Although the hacker is probably happy that he has access, don't expect him to stop what he is doing with only a "Joe user" account. Just having the access of an average user probably won't give him much control or access to the network. Therefore, the attacker will attempt to escalate himself to administrator or root privilege. After all, these are the individuals who control the network, and that is the type of power the hacker seeks.

Privilege escalation can best be described as the act of leveraging a bug or vulnerability in an application or operating system to gain access to resources that normally would have been protected from an average user. The end result of privilege escalation is that the application performs actions that are running within a higher security context than intended by the designer, and the hacker is granted full access and control.

Maintaining Access
------------------

Would you believe that hackers are paranoid people? Well, many are, and they worry that their evil deeds might be uncovered. They are diligent at working on ways to maintain access to the systems they have attacked and compromised. They might attempt to pull down the /etc/passwd file or steal other passwords so that they can access other users' accounts.

Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain his access to the system and use it for malicious purposes. Rootkits have the capability to mask the hacker, hide his presence, and keep his activity secret. They are discussed in detail in Chapter 5, "Linux and Automated Security Assessment Tools."

Sometimes hackers might even fix the original problem that they used to gain access so that they can keep the system to themselves. After all, who wants other hackers around to spoil the fun? Sniffers are yet another option for the hacker and can be used to monitor the activity of legitimate users. At this point, hackers are free to upload, download, or manipulate data as they see fit.

Covering Tracks and Placing Backdoors
-------------------------------------

Nothing happens in a void, and that includes computer crime. Hackers are much like other criminals in that they would like to be sure to remove all evidence of their activities. This might include using rootkits or other tools to cover their tracks. Other hackers might hunt down log files and attempt to alter or erase them.

Hackers must also be worried about the files or programs they leave on the compromised system. File hiding techniques, such as hidden directories, hidden attributes, and Alternate Data Streams (ADS), can be used. As an ethical hacker, you will need to be aware of these tools and techniques to discover their activities and to deploy adequate countermeasures.

Backdoors are methods that the hacker can use to reenter the computer at will. The tools and techniques used to perform such activities are discussed in detail in

The Ethical Hacker's Process
----------------------------

As an ethical hacker, you will follow a process similar to the one an attacker uses. The stages you progress through will map closely to those the hacker uses, but you will work with the permission of the company and will strive to "do no harm." By ethical hacking and assessing the organization's strengths and weaknesses, you will perform an important service in helping secure the organization. The ethical hacker plays a key role in the security process. The methodology used to secure an organization can be broken down into five key steps. Ethical hacking is addressed in the first:

1. Assessment—Ethical hacking, penetration testing, and hands-on security tests.

2. Policy Development—Development of policy based on the organization's goals and mission. The focus should be on the organization's critical assets.

3. Implementation—The building of technical, operational, and managerial controls to secure key assets and data.

4. Training—Employees need to be trained as to how to follow policy and how to configure key security controls, such as Intrusion Detection Systems (IDS) and firewalls.

5. Audit—Auditing involves periodic reviews of the controls that have been put in place to provide good security. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) specify that this should be done yearly.

All hacking basically follows the same six-step methodology discussed in the previous section: reconnaissance, scanning and enumeration, gaining access, escalation of privilege, maintaining access, and covering tracks and placing backdoors.

Is this all you need to know about methodologies? No, different organizations have developed diverse ways to address security testing. There are some basic variations you should be aware of. These include National Institute of Standards and Technology (NIST) 800-42, the Threat and Risk Assessment Working Guide, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), and the Open Source Security Testing Methodology Manual (OSSTMM). Each is discussed next.

Visit the National Institute of Standards and Technology (NIST) website for its standard process of testing.

===================
Intro to Pentesting
===================

What is Pentesting?
-------------------
Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords, and other normal means of access. If the focus is on computer resources, then examples of a successful penetration would be obtaining or subverting confidential documents, price lists, databases, and other protected information.

The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested and will be responsible to provide a report. The goal of a penetration test is to increase the security of the computing resources being tested.

In many cases, a penetration tester will be given user-level access, and in those cases the goal would be to elevate the status of the account or use other means to gain access to additional information that a user of that level should not have access to.

Some penetration testers are contracted to find one hole, but in many cases they are expected to keep looking past the first hole so that additional vulnerabilities can be identified and fixed. It is important for the pen-tester to keep detailed notes about how the tests were done so that the results can be verified and so that any issues that were uncovered can be resolved.

It’s important to understand that it is very unlikely that a pen-tester will find all the security issues. As an example, if a penetration test was done yesterday, the organization may pass the test. However, today is Microsoft’s “patch Tuesday” and now there’s a brand new vulnerability in some Exchange mail servers that were previously considered secure, and next month it will be something else. Maintaining a secure network requires constant vigilance.

Pen-Testing vs. Vulnerability Assessment
----------------------------------------

The main focus of this paper is penetration testing, but there is often some confusion between penetration testing and vulnerability assessment. The two terms are related, but penetration testing has more of an emphasis on gaining as much access as possible, while vulnerability testing places the emphasis on identifying areas that are vulnerable to a computer attack. An automated vulnerability scanner will often identify possible vulnerabilities based on service banners or other network responses that are not in fact what they seem. A vulnerability assessor will stop just before compromising a system, whereas a penetration tester will go as far as they can within the scope of the contract.

It is important to keep in mind that you are dealing with a ‘Test.’ A penetration test is like any other test in the sense that it is a sampling of all possible systems and configurations. Unless the contractor is hired to test only a single system, they will be unable to identify and penetrate all possible systems using all possible vulnerabilities. As such, any Penetration Test is a sampling of the environment. Furthermore, most testers will go after the easiest targets first.


How Are Vulnerabilities Identified?
-----------------------------------
Vulnerabilities need to be identified by both the penetration tester and the vulnerability scanner. The steps
are similar for the security tester and an unauthorized attacker. The attacker may choose to proceed more
slowly to avoid detection, but some penetration testers will also start slowly so that the target company can
learn where their detection threshold is and make improvements.

The first step in either a penetration test or a vulnerability scan is reconnaissance. This is where the tester attempts to learn as much as possible about the target network. This normally starts with identifying publicly accessible services such as mail and web servers from their service banners. Many servers will report the operating system they are running on, the version of software they are running, patches and modules that have been enabled, the current time, and perhaps even some internal information like an internal server name or IP address.
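Because banners are the first thing a tester (or attacker) reads, the defensive counterpart is to audit what your own servers announce. The code below is an added example, not part of the original paper: it parses the two most common banner shapes, the SSH identification string and the HTTP Server header, and flags any version or operating-system detail they disclose. The sample banners are constructed, and the parsing rules are assumptions that cover the usual "product/version (os)" layout; a banner written some other way falls through as an unparsed product with no version.

```python
"""Audit captured service banners for version and OS disclosure.

Added example (not from the original page). The banners below are
constructed samples, not captures from any real host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SSH identification string: "SSH-<proto>-<software> [comment]" (RFC 4253).
SSH_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
# HTTP Server header anywhere in a captured response (CRLF-terminated lines).
HTTP_SERVER_RE = re.compile(r"^Server:[ \t]*(?P<value>.+?)\r?$", re.IGNORECASE | re.MULTILINE)
# "product/version (os or build comment)" tokens inside a Server value.
PRODUCT_RE = re.compile(r"(?P<product>[A-Za-z][\w.-]*)/(?P<version>[\w.]+)(?:\s*\((?P<os>[^)]+)\))?")


@dataclass
class BannerFinding:
    host: str
    port: int
    products: List[Tuple[str, Optional[str]]]   # (product, version-or-None)
    os_hint: Optional[str]                      # OS/build comment, if disclosed
    leaks: List[str]                            # human-readable disclosure notes


def parse_ssh_banner(banner):
    """Return ([(product, version)], os_hint) from an SSH identification string."""
    m = SSH_RE.match(banner.strip())
    if m is None:
        return [], None
    # "OpenSSH_7.4p1" -> ("OpenSSH", "7.4p1"); "dropbear" -> ("dropbear", None)
    product, _, version = m.group("software").partition("_")
    return [(product, version or None)], m.group("comment")


def parse_http_banner(raw_response):
    """Return ([(product, version)], os_hint) from the Server header of a response."""
    m = HTTP_SERVER_RE.search(raw_response)
    if m is None:
        return [], None
    value = m.group("value").strip()
    products, os_hint = [], None
    for pm in PRODUCT_RE.finditer(value):
        products.append((pm.group("product"), pm.group("version")))
        if os_hint is None and pm.group("os"):
            os_hint = pm.group("os")
    if not products:  # e.g. "Server: nginx" with the version suppressed
        products.append((value, None))
    return products, os_hint


def audit_banner(host, port, banner):
    """Classify one captured banner and list what it gives away."""
    if banner.startswith("SSH-"):
        products, os_hint = parse_ssh_banner(banner)
    else:
        products, os_hint = parse_http_banner(banner)
    leaks = [f"{product} discloses its version ({version})"
             for product, version in products if version]
    if os_hint:
        leaks.append(f"operating system or build hinted ({os_hint})")
    return BannerFinding(host, port, products, os_hint, leaks)


# Constructed sample captures: (host, port, raw banner).
SAMPLE_BANNERS = [
    ("192.168.1.10", 22, "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"),
    ("192.168.1.10", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"),
    ("192.168.1.11", 80, "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"),
]


def audit_all(banners=SAMPLE_BANNERS):
    """Audit every sample banner and return the findings in input order."""
    return [audit_banner(host, port, banner) for host, port, banner in banners]


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.host}:{f.port} products={f.products} os={f.os_hint}")
        for leak in f.leaks:
            print("   -", leak)
```

The third sample shows the goal state: a server that names its product but nothing else gives the reconnaissance phase only a guess to work with, which has to be verified by the active probing the next paragraph describes.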

Once the tester has an idea what software might be running on the target computers, that information
needs to be verified. The tester really doesn’t KNOW what is running but he may have a pretty good idea.
The information that the tester has can be combined and then compared with known vulnerabilities, and
then those vulnerabilities can be tested to see if the results support or contradict the prior information.
In a stealthy penetration test, these first steps may be repeated for some time before the tester decides to
launch a specific attack. In the case of a strict vulnerability assessment, the attack may never be launched
so the owners of the target computer would never really know if this was an exploitable vulnerability or not.


Why Pentesting?
---------------

There are a variety of reasons for performing a penetration test. One of the main reasons is to find vulnerabilities and fix them before an attacker does. Sometimes, the IT department is aware of reported vulnerabilities but they need an outside expert to officially report them so that management will approve the resources necessary to fix them. Having a second set of eyes check out a critical computer system is a good security practice. Testing a new system before it goes on-line is also a good idea.

Another reason for a penetration test is to give the IT department at the target company a chance to respond to an attack. The Payment Card Industry (PCI) Data Security Standard, and other recent security recommendations and regulations, require external security testing.

Find Holes Now Before Somebody Else Does
----------------------------------------
At any given time, attackers are employing any number of automated tools and network attacks looking for ways to penetrate systems. Only a handful of those people will have access to 0-day exploits; most will be using well-known (and hence preventable) attacks and exploits. Penetration testing provides IT management with a view of their network from a malicious point of view. The goal is that the penetration tester will find ways into the network so that they can be fixed before someone with less than honorable intentions discovers the same holes.

In a sense, think of a Penetration Test as an annual medical physical. Even if you believe you are healthy, your physician will run a series of tests (some old and some new) to detect dangers that have not yet developed symptoms.

Report Problems to Management
-----------------------------
If a CSO (or security team) has already pointed out to upper management the lack of security in the environment, penetration testing results help to justify the resources to address those needs. Often an internal network team will be aware of weaknesses in the security of their systems but will have trouble getting management to support the changes that would be necessary to secure the system.

By having an outside group with a reputation for security expertise analyze a system, management will often respect that opinion more. Furthermore, an outside tester has no vested interest in their results. Inside a corporation of any size, there will be political struggles and resource constraints. Administrators and techies are always asking for budget increases for new technology. By using an independent third party to verify the need, management will have an additional justification for approving or denying the expenditure of money on security technologies.

Similarly, system administrators who know the intricacies of their environment are often aware of how to compromise their network. As such, it is not uncommon for management to assume that without such knowledge, an attacker would be unable to gain unauthorized entry. By using a third party who operates with no inside knowledge, the penetration testing team may be able to identify the same vulnerability and help convince management that it needs to be resolved. A penetration testing team may also be able to prove that an exploit exists while the internal network staff “knew” it was there but wasn’t quite able to pull all the pieces together to demonstrate the exploit effectively.

Remember that ultimate responsibility for the security of IT assets rests with management. This responsibility rests with management because it is they, not the administrators, who decide what the acceptable level of risk is for the organization.

Verify Secure Configurations
----------------------------

If the CSO (or security team) is confident in their actions and final results, the penetration test report verifies that they are doing a good job. Having an outside entity verify the security of the system provides a view that is devoid of internal preferences. An outside entity can also measure the team’s efficiency as security operators. The penetration test doesn’t make the network more secure, but it does identify gaps between knowledge and implementation.

Security Training For Network Staff
-----------------------------------

Penetration testing gives security people a chance to recognize and respond to a network attack. For example, if the penetration tester successfully compromises a system without anyone knowing, this could be indicative of a failure to adequately train staff on proper security monitoring. Testing the monitoring and incident handling teams can show if they are able to figure out what is going on and how effective their response is. When the security staff doesn’t identify hostile activity, the post-testing reporting can be used to help them hone their incident response skills.

Discover Gaps In Compliance
---------------------------
Using penetration testing as a means to identify gaps in compliance is a bit closer to auditing than true security engineering, but experienced penetration testers often breach a perimeter because someone did not get all the machines patched, or possibly because a non-compliant machine was put up “temporarily” and ended up becoming a critical resource. In today’s heavily regulated environment, many organizations are looking for better ways to continually assess their compliance posture. Most regulations have multiple components specifically related to system auditing and security.

Testing New Technology
----------------------

The ideal time to test new technology is before it goes into production. Performing a penetration test on new technologies, applications, and environments before they go into production can often save time and money because it is easier to test and modify new technology while nobody is relying on it. Some examples might include a new externally facing web server with SOAP enabled, a new wireless infrastructure, or the introduction of mobile messaging gateways.

Pentesting Tools and Reporting
------------------------------

    “If I had eight hours to chop down a tree, I’d spend the first six of them sharpening my axe.”

    -- Abraham Lincoln

Everybody loves tools, right?!

There are a wide variety of tools that are used in penetration testing. These tools are of two main types: reconnaissance or vulnerability testing tools, and exploitation tools. While penetration testing is more directly tied to the exploitation tools, the initial scanning and reconnaissance is often done using less intrusive tools. Then, once the targets have been identified, the exploitation attempts can begin.

The line between these tools is very muddy. For example, CORE IMPACT is a penetration testing tool, but it also has a strong reconnaissance piece. Metasploit 2.5 is clearly a penetration testing tool with almost no reconnaissance functionality, but version 3.0 will be adding some reconnaissance features.

Nmap is clearly a reconnaissance tool, and Nessus is mainly a reconnaissance tool, but it has some penetration testing functionality. Many of the single-purpose tools fall more cleanly into either the reconnaissance or exploitation category.

Reconnaissance Tools
--------------------
Reconnaissance often begins with searches of internet databases including DNS registries, WHOIS databases, Google, on-line news sources, business postings, and many other on-line resources. The reconnaissance phase often includes print media as well, specifically electronically searchable archives that would be found at a college library or large public library.

Nmap
----
Nmap is a popular port scanning tool. Port scanning is typically a part of the reconnaissance phase of a penetration test or an attack. Sometimes attackers will limit their testing to a few ports, while other times they will scan all available ports. To do a thorough job, a vulnerability scanner should scan all ports and, in most cases, a penetration tester will scan all ports. An actual attacker may choose not to scan all ports if he finds a vulnerability that can be exploited, because of the “noise” (excess traffic) a port scanner creates.

Another capability of nmap is its ability to determine the operating system of the target computer. Different networking implementations will respond differently to different network packets. Nmap maintains a type of database and will match the responses to make a guess at what type of operating system the target computer is running. This OS detection isn’t perfectly accurate, but it can help the attacker tailor his attack strategy, especially when coupled with other pieces of information.

Install it from your distribution’s package manager::

    yum install nmap

or::

    sudo apt-get install nmap
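The same Nmap run the attacker uses for mapping is the quickest way for a defender to verify the "deny all" rule from the first chapter: scan your own hosts, then compare every open port against the short list each host is actually allowed to expose. The block below is an added example, not code from the original notes or from the Nmap project. It parses the XML that nmap writes with ``-oX`` (the sample document is constructed so the code runs offline; it uses only the standard ``host``, ``address``, ``ports/port``, ``state``, ``service`` and ``os/osmatch`` elements) and reports unapproved open ports. The approved-port lists are an assumption standing in for a real baseline.

```python
"""Compare Nmap XML results against an approved-ports baseline.

Added example (not from the original page or the Nmap project). The
XML below is a constructed sample in the shape nmap -oX produces.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.1.0/24" start="1700000000">
  <host>
    <status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
    </ports>
    <os><osmatch name="Linux 4.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed baseline: the only (protocol, port) pairs each host may expose.
# A host missing from this map is allowed nothing, which is the deny-all default.
APPROVED = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80)},
    "192.168.1.20": {("tcp", 443)},
}


def parse_nmap_xml(xml_text):
    """Return a list of {addr, os, os_accuracy, open_ports} dicts, one per host."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            open_ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        osmatch = host.find("os/osmatch")  # first (best) OS guess, if -O was used
        hosts.append({
            "addr": addr_el.get("addr"),
            "os": osmatch.get("name") if osmatch is not None else None,
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
            "open_ports": open_ports,
        })
    return hosts


def unapproved_ports(hosts, approved):
    """Return (addr, proto, port, service) for every open port not in the baseline."""
    violations = []
    for h in hosts:
        allowed = approved.get(h["addr"], set())
        for p in h["open_ports"]:
            if (p["proto"], p["port"]) not in allowed:
                violations.append((h["addr"], p["proto"], p["port"], p["service"]))
    return violations


if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, proto, port, service in unapproved_ports(scanned, APPROVED):
        print(f"{addr} exposes {proto}/{port} ({service}) outside the approved list")
```

In the sample, the stray telnet listener on 192.168.1.10 is the finding; the filtered SMTP port is correctly ignored because it is not reachable. Running this after each scheduled scan turns the attacker's port map into a regression test for the deny-all policy.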

Nessus
------
Nessus is a popular vulnerability scanner that many security professionals use regularly. Nessus has a huge library of vulnerabilities and tests to identify them. In many cases, Nessus relies on the responses from the target computer without actually trying to exploit the system. Depending on the scope of a vulnerability assessment, the security tester may choose an exploitation tool to verify that reported vulnerabilities are exploitable.

Nessus includes port scanning and OS detection, so sometimes a vulnerability assessment will just use Nessus and let Nessus call nmap or other scanners for these components of the test. For a stealthy scan, a security professional or an attacker may choose to run these tools separately to avoid detection.

Download from nessus.org

Exploitation Tools
------------------
Exploitation tools are used to verify that an actual vulnerability exists by exploiting it. It’s one thing to have vulnerability testing software or banners indicate the possibility of an exploitable service, but quite another to exploit that vulnerability. Some of the tools in this category are used by both attackers and penetration testers.

There are many more exploitation tools than the ones listed here. Many tools in this category are single-purpose tools that are designed to exploit one vulnerability on a particular hardware platform running a particular version of an exploitable system. The tools that we’ve highlighted here are unique in the fact that they have the ability to exploit multiple vulnerabilities on a variety of hardware and software platforms.

Metasploit
----------
Metasploit is a relatively new addition to the penetration tester’s tool belt. It provides attack libraries and attack payloads that can be put together in a modular manner. The main purpose of Metasploit is to get to a command prompt on the target computer. Once a security tester has gotten to a command line, it is quite possible that the target computer will be under his total control in a short time. The currently released version of Metasploit Framework as of June, 2006 is version 2.5.

CORE IMPACT Commercial
----------------------
CORE IMPACT is a commercial penetration testing tool that combines a healthy dose of reconnaissance with
exploitation and reporting in one point-and-click penetration testing tool. The main purpose of CORE
IMPACT is to identify possible vulnerabilities in a program, exploit those vulnerabilities without causing
system outages, and clearly document every step along the way so that the entire procedure can be verified
by another party.
The CORE IMPACT penetration testing tool makes it easy for a network administrator or penetration tester
to run tests against a network or host without having a whole suite of security testing utilities. Overall, we
found the program to do a good job of scanning the network for vulnerabilities, successfully exploiting
them, and reporting on the results.
One really slick feature of CORE IMPACT is the ability to install an agent on a compromised computer and
then launch additional attacks from that computer (pivoting). This proved useful in an actual penetration
testing assignment by allowing the tester to compromise one machine and from there run automated scans
inside the network looking for additional machines. Those scans weren't quite as good as actually being
on-site, but they did allow us to discover internal hosts from outside the network.

Benefits of Pentesting?
-----------------------

Pentesting for mere mortals?
----------------------------

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization, used during a penetration test.
These are techniques in active use in the hacker community; the contents of SET are outlined below.


Computer Based Social Engineering Tools: Social Engineer Toolkit (SET) Content
------------------------------------------------------------------------------

      Attack Vectors
        3.1 Spear-Phishing Attack Vector
        3.2 Java Applet Attack Vector
        3.3 Metasploit Browser Exploit Method
        3.4 Credential Harvester Attack Method
        3.5 Tabnabbing Attack Method
        3.6 Man Left in the Middle Attack Method
        3.7 Web Jacking Attack Method
        3.8 Multi-Attack Web Vector
        3.9 Infectious Media Generator
        3.10 Teensy USB HID Attack Vector

http://www.social-engineer.org/

Phone Based Social Engineering Tools(SET): Caller ID Spoofing Contents
----------------------------------------------------------------------

    1 Useful Situations
    2 SpoofCard
        2.1 Pros
        2.2 Cons
    3 Asterisk
        3.1 Pros
        3.2 Cons
    4 SpoofApp
    5 Voicemail
    6 Unmasking Caller ID
    7 References

http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_%28SET%29


Frequently Asked Questions for SET
----------------------------------
Q. I’m using NAT/Port forwarding, how can I configure SET to support this scenario?

A. Edit the config/set_config file and change AUTO_DETECT=ON to AUTO_DETECT=OFF. Once this option is set, you will be prompted with the following questions.
NAT/port forwarding is used in the cases where your SET machine is not externally exposed and its public address may differ from that of your reverse listener:

Are you using NAT/Port Forwarding? yes or no: yes
Enter the IP address to your SET web server (external IP or hostname): externalipgoeshere

In some cases you may have your listener on a different IP address, if this is the case the next question asks if your IP address is different for the reverse handler/listener. If that is the case, specify yes, and enter your separate IP address for the listener.

Is your payload handler (metasploit) on a different IP from your external NAT/Port FWD address (yes or no): yes
Enter the IP address for the reverse handler (reverse payload): otherexternalipgoeshere


Penetration Testing Was Easy....
--------------------------------

Step 1: Tell the customer you are a 31337 security professional
    Customers only applied patches if it fixed something on the system. It was common practice NOT to apply
    system updates that didn't fix a problem you were experiencing (WTF ARE YOU DOING - YOU MIGHT BREAK SOMETHING!!!!!)

Step 2: Scan the customer network with ISS (or Nessus if you were a renegade)
    Customers didn't apply patches, and rarely even had firewalls and IDSs back then
    You know you only ran ISS because it had nice reports...

Step 3: Break out your uber 31337 warez and 0wn it all!!!!!
    You only kept an exploit archive to save time (Hack.co.za was all you needed back then)
    If you could read the screen you could 0wn the network!!!!!!!

Conclusion
----------
Penetration testing is like the annual physical at your doctor's office. CORE IMPACT and the Metasploit
Framework are diagnostic tools, much like a blood test or an X-ray. A blood test will check for many
things, but it still takes a doctor to review the data, make inferences, perform additional tests and then
reach a diagnostic conclusion. Penetration testing is no different.

CORE IMPACT will test for many things, but it will always take a human to review the results and make
inferences based on knowledge and experience that you will never be able to put in a tool. That being said,
CORE IMPACT is an excellent diagnostic tool. It lowers the barrier of entry for the vast majority of a
penetration test through intelligent automation.

Instead of paying a $400-an-hour consultant to run nmap, Nessus and the Metasploit Framework, the work
can be done by a junior consultant or an in-house security expert running CORE IMPACT. Physicians manage
patients by ordering tests and interpreting the results. This process is made more efficient and accurate
through the use of diagnostic tests and support staff such as nurse practitioners.

CORE IMPACT helps automate a great deal of the penetration test and provides services and tools to new
penetration testers as well as to the seasoned veteran, allowing each to focus on the part of the test they
excel at. This creates a business process that allows penetration tests to be performed in a more efficient
and standard way. By offloading the automatic work of scanning, penetration, clean-up and reporting to
CORE IMPACT, a penetration tester can spend more time doing what humans do best: using their experience
to make inferences and taking the penetration test to places that only a human can go. As a result, the
tester can do better work in less time, meaning they can secure more systems without sacrificing the
overall quality of their testing.
