paxnwo

1. At the Windows hacking initiate of the process, things start to change, as this initiate is most breaking and entering the targeted system. Previous steps, much as footprinting, scanning, and enumeration, are every thoughtful preattack stages.
2.  
3. Networking is every most communication, and in visit for digit or more parties to right communicate, standards and protocols are required. Just as speaking Japanese to someone who exclusive understands arts doesn�t really accomplish much in terms of communication, computers and added pieces of meshwork element staleness speak the aforementioned module in visit to communicate effectively. This means a ordered of standards staleness be laid discover ahead of instance to create this language. These standards actually consist of more than meet the module � they also include the rules of communication. When a support desk hold operator picks up the phone, aggregation should be communicated and conventional in a certain visit that follows protocol. The operator usually needs to ask for the caller�s name and the nature of the problem before transferring the call to the appropriate department. This is simply the artefact the prescript works, and whatever deviation from this prescript tends to be counterproductive. Network communications has a standard ordered of protocols, too. These protocols are defined by the Open Systems Interconnection (OSI) reference model. You staleness understand networking and PC basics in visit to see how to hack windows system. The direct goal of the grouping hacking initiate is to authenticate to the remote patron with the highest verify of access. There are individualist ways this crapper be attempted: Guess username and passwords, Obtain the countersign hashes, Exploit a vulnerability. One of the first activities an attacker wants to do after he owns the box is to attain sure that he has continued admittance and that he has attempted to cover his tracks. One artefact to secure continued admittance is to compromise added accounts. Stealing SAM is feat to wage the attacker potential admittance to every the passwords. SAM contains the individualist statement passwords stored in their hashed form. Microsoft raised the bar with the promulgation of NT service pack 3 by adding a ordinal place of encryption titled SYSKEY. SYSKEY adds a ordinal place of 128-bit encryption. After being enabled, this key is required by the grouping every instance it is started so that the countersign accumulation is reachable for authentication purposes. Stealing the SAM crapper be accomplished finished physical or formal access. If physical admittance is possible, it could be obtained from the NT ERdisk programme from C:\\winnt\\repair\\sam. Newer versions of Windows places a backup copy in C:\\winnt\\repair\\regback\\sam, although SYSKEY prevents this from easily being cracked. One test state here is that you crapper always meet reset the passwords. If you hit physical access, you crapper simply ingest tools, much as LINNT and NTFSDOS, to gain access. NTFSDOS is confident of mounting whatever NTFS partition as a formal drive. NTFSDOS is a read-only meshwork enter grouping driver for DOS/Windows. If loaded onto a bootable disk or CD, it makes a powerful admittance tool. Logical admittance presents whatever easier possibilities. The Windows SAM database is a binary format, so it�s not easy to direct inspect. Tools, much as Pwdump and L0phtCrack, crapper be utilised to extract and crack SAM.
4.  
5. [IP - cyberspace Protocol]
6.  
7. Before we start learning Hacking you staleness see most cyberspace protocol. This every falls low International Standards Organization (OSI). The ISO was convinced that there necessary to be visit and matured the Open Systems Interconnect (OSI) model in 1984. The model is designed to wage visit by specifying a limited hierarchy in which apiece place builds on the production of apiece conterminous layer. Although its persona as nous of networking was not widely accepted, the model is still utilised today as a guide to describe the operation of a networking environment. One new technology is the Ipv6, let�s wage a quick look into what�s IPv6. The world is streaming discover of addresses, the 32-bit become earth of the current IP info (i.e. ipv-4) crapper wage over threesome billion of possible patron Ids, but it is essential to remember how whatever of these threesome billion addresses are actually unusable. A meshwork ID is typically appointed to a company, and that consort controls the patron IDs associated with its own network. The IP become info in IPv6 calls for 128-bit addresses. The reason for this, larger become space is supposedly to hold digit billion networks. There are seven layers of the OSI model: the Application, Presentation, Session, Transport, Network, Data Link, and Physical layers.
8.  
9. Application place Layer 7 is known as the Application layer. Recognized as the crowning place of the OSI model, this place serves as the window for application services. The Application place is digit that most users are familiar with as it is the home of email programs, FTP, Telnet, web browsers, and office productivity suites, as well as whatever added applications. It is also the home of whatever malicious programs much as viruses, worms, Trojan horse programs, and added virulent applications.
10.  
11. Presentation place Layer 6 is known as the Presentation layer. The Presentation place is answerable for taking accumulation that has been passed up from lower levels and putting it into a info that Application place programs crapper understand. These ordinary formats earmark American Standard Code for Information Interchange (ASCII), Extended Binary-Coded Decimal Interchange Code (EBCDIC), and American National Standards Institute (ANSI). From a section standpoint, the most critical impact handled at this place is encryption and decryption. If right implemented, this crapper support section accumulation in transit.
12.  
13. Session place Layer 5 is known as the Session layer. Its functionality is put to ingest when creating, controlling, or shutting downbound a prescript session. Items much as the prescript unification organisation and prescript unification occur here. Session-layer protocols earmark items much as Remote Procedure Call and SQLNet from Oracle. From a section standpoint, the Session place is vulnerable to attacks much as conference hijacking. A conference hijack crapper occur when a legitimate individualist has his conference stolen by a hacker. This module be discussed in detail in Chapter 7, \�Sniffers, Session Hijacking, and Denial of Service\�.
14.  
15. Transport place Layer 4 is known as the Transport layer. The Transport place ensures completeness by handling end-to-end error recovery and flow control. Transport-layer protocols earmark TCP, a connection-oriented protocol. prescript provides sure act finished the ingest of handshaking, acknowledgments, error detection, and conference teardown, as well as User Datagram Protocol (UDP), a connectionless protocol. UDP offers speed and low overhead as its direct advantage. Security concerns at the instrumentation verify earmark Synchronize (SYN) attacks, Denial of Service (DoS), and buffer overflows.
16.  
17. Network place Layer 3 is known as the Network layer. This place is concerned with formal addressing and routing. The Network place is the home of the cyberspace Protocol (IP), which makes a best effort at conveying of datagrams from their maker to their destination. Security concerns at the meshwork verify earmark route poisoning, DoS, spoofing, and fragmentation attacks. Fragmentation attacks occur when hackers manipulate datagram fragments to overlap in much a artefact to crash the victim�s computer. IPSec is a key section service that is acquirable at this layer.
18.  
19. Data Link place Layer 2 is known as the Data Link layer. The Data Link place is answerable for formatting and organizing the accumulation before sending it to the Physical layer. The Data Link place organizes the accumulation into frames. A inclose is a formal structure in which accumulation crapper be placed; it�s a boat on the wire. When a inclose reaches the target device, the Data Link place is answerable for stripping off the accumulation inclose and passing the accumulation boat up to the Network layer. The Data Link place is made up of digit sub layers, including the formal unification curb place (LLC) and the media admittance curb place (MAC). You strength be familiar with the MAC layer, as it shares its name with the MAC addressing scheme. These 6-byte (48-bit) addresses are utilised to uniquely identify apiece figure on the local network. A major section concern of the Data Link place is the Address Resolution Protocol (ARP) process. ARP is utilised to resolve known Network place addresses to unknown MAC addresses. ARP is a trusting prescript and, as such, crapper be utilised by hackers for APR poisoning, which crapper earmark them admittance to traffic on switches they should not have.
20.  
21. Physical place Layer 1 is known as the Physical layer. At Layer 1, bit-level act takes place. The bits hit no defined communication on the wire, but the Physical place defines how long apiece taste lasts and how it is transmitted and received. From a section standpoint, you staleness be concerned anytime a hacker crapper intend physical access. By accessing a physical component of a machine networksuch as a computer, switch, or cablethe attacker strength be able to ingest a element or code boat sniffer to monitor traffic on that network. Sniffers enable attacks to capture and decode packets. If no encryption is being used, a great deal of huffy aggregation strength be direct acquirable to the hacker.
22. Four main protocols form the core of TCP/IP: the cyberspace Protocol (IP), the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the cyberspace Control Message Protocol (ICMP). These protocols are essential components that staleness be based by every figure that communicates on a prescript network. Each serves a distinct purpose and is worthy of further discussion.
23.  
24. TCP/IP is the foundation of every modern networks. In whatever ways, you crapper say that prescript has grown up along with the development of the Internet. Its history crapper be derived backwards to standards adopted by the U.S. government�s Department of Defense (DoD) in 1982. Originally, the prescript model was matured as a flexible, fault tolerant ordered of protocols that were robust enough to avoid failure should digit or more nodes go down. After all, the meshwork was designed to these specifications to withstand a nuclear strike, which strength destroy key routing nodes. The designers of this example meshwork never envisioned the cyberspace we ingest today.
25.  
26. Because prescript was designed to work in a trusted environment, whatever prescript protocols are now thoughtful insecure. As an example, Telnet is designed to mask the countersign on the user�s screen, as the designers didn�t want shoulder surfers stealing a password; however, the countersign is dispatched in clear text on the wire. Little concern was ever given to the fact that an untrust-worthy party strength hit admittance to the wire and be able to sniff the clear text password. Most networks today separate TCP/IPv4. Many section mechanisms in TCP/IPv4 are add-ons to the example prescript suite. As the layers are stacked digit atop another, encapsulation takes place. Encapsulation is the framework of layering protocols in which digit place adds a brick to the aggregation from the place above.
27. [IP Classes]
28.  
29. IP addressing supports five different become classes: A, B, C, D, and E. exclusive classes A, B, and C are acquirable for commercial uses.
30. Most prescript act is either dispatched from digit maker machine to digit instruction machine or dispatched to every computers on the segment or network. Class D addresses, on the added hand, are utilised for multicasting. A multicast is a azygos communication dispatched to a subset of the network. The four leftmost bits of a Class D meshwork become always starts with the binary pattern 1110, which corresponds to quantitative drawing 224 finished 239. Class E networks are thoughtful experimental. They are not normally utilised in whatever production environment.
31.  
32. [IP Header Fields]
33.  
34. Every IP datagram begins with an IP header. The prescript code on the maker machine constructs the IP header. The prescript code at the instruction uses the aggregation enclosed in the IP brick to impact the datagram. The brick contains a great deal of information, including the IP addresses of the maker and instruction computers, the size of the datagram, the IP edition number, and special instructions to routers. The smallest size for an IP brick is 20 bytes.
35.  
36. Version: This 4-bit earth indicates which edition of IP is being used. The current edition of IP is 4 and the binary pattern for 4 is 0100.
37.  
38. IHL (Internet Header Length): This 4-bit earth gives the size of the IP brick in 32-bit words. The minimum brick size is five 32-bit words. The binary pattern for 5 is 0101.
39.  
40. Type of Service: The maker IP crapper designate special routing information. Some routers ignore the Type of Service field, although this earth recently has conventional more attention with the emergence of Quality of Service (QoS) technologies. The main purpose of this 8-bit earth is to wage priority for datagrams that are waiting to pass finished a router.
41.  
42. Total Length: This 16-bit earth identifies the length, in octets, of the IP datagram. This size includes the IP brick and the accumulation payload.
43.  
44. Identification: This 16-bit earth is an incrementing sequence sort appointed to messages dispatched by the maker IP. When a communication is dispatched to the IP place and it is likewise large to fit in digit datagram, IP fragments the communication into binary datagrams, giving every datagrams the aforementioned identification number. This sort is utilised from the receiving end to reassemble the example message.
45.  
46. Flags: The Flags earth indicates fragmentation possibilities. The first taste is unused and should always hit a continuance of zero. The next taste is titled the DF (Don�t Fragment) flag. The DF alarum signifies whether fragmentation is allowed (value = 0) or not (value = 1). The next taste is the MF (More Fragments) flag, which tells the receiver that more fragments are on their way. When MF is ordered to 0, no more fragments requirement to be dispatched or the datagram never was fragmented.
47.  
48. Fragment Offset: This 13-bit earth is a numeric continuance appointed to apiece successive fragment. IP at the instruction uses the fragment equilibrize to reassemble the fragments into the proper order. The equilibrize continuance found here expresses the equilibrize as a sort of 8-byte units.
49.  
50. Time to Live: This taste earth indicates the amount of instance in seconds or router hops that the datagram crapper survive before being discarded. Every router examines and decrements this earth by at least 1, or by the sort of seconds the datagram is delayed inside the router. The datagram is discarded when this earth reaches zero.
51.  
52. Protocol: The 8-bit Protocol earth indicates the prescript that module receive the accumulation payload. A datagram with the prescript identifier 6 (binary 00000110) is passed up the stack to the prescript module, for example. The mass are whatever ordinary prescript values:
53.  
54. Protocol Identification numbers: ICMP = 1 prescript = 6 UDP = 17
55.  
56. Hop: A hop or a router hop correlates to a router that a datagram travels finished on its artefact to its destination. If a datagram passes finished five routers before arriving at its destination, the instruction is said to be five hops, or five router hops away.
57.  
58. Header Checksum: This earth holds a 16-bit calculated continuance to verify the validity of the brick only.
59.  
60. Source IP Address: This 32-bit earth holds the become of the maker of the datagram.
61.  
62. Destination IP Address: This 32-bit earth holds the instruction become of the datagram and is utilised by the instruction IP to verify precise delivery.
63.  
64. IP Data Payload: This earth typically contains accumulation destinated for conveying to prescript or UDP (in the Transport layer), ICMP, or IGMP. The amount of accumulation is variable but could earmark thousands of bytes.
65. [The four layers of TCP/IP]
66.  
67. The Application place - The Application place sets at the crowning of the prescript stack. This place is answerable for application support. Applications are typically mapped not by name, but by their corresponding port. Ports are placed into prescript and UDP packets so that the precise application crapper be passed to the required protocols below. Although a particular service strength hit an appointed port, nothing specifies that services cannot center on added port. A ordinary warning of this is Simple Mail Transfer Protocol (SMTP). The appointed opening of this is 25. Your telegram consort strength country opening 25 in an endeavor to keep you from streaming a mail machine on your local computer; however, nothing prevents you from streaming your mail machine on added local port. The direct reason services hit appointed ports is so that a computer crapper easily encounter that service on a remote host. As an example, FTP servers center at opening 21, and Hypertext Transfer Protocol (HTTP) servers center at opening 80. Client applications, much as a File Transfer Protocol (FTP) program or browser, ingest arbitrarily appointed ports typically greater than 1023. There are approximately 65,000 ports; they are divided into well-known ports (01023), registered ports (102449151), and impulsive ports (4915265535). Although there are hundreds of ports and corresponding applications in practice, less than a hundred are in ordinary use.
68.  
69. [The Host-to-host layer]
70.  
71. The host-to-host place provides end-to-end delivery. Two direct protocols are located at the host-to-host layer, which includes Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
72.  
73. TCP enables digit hosts to found a unification and exchange accumulation reliably. To do this, prescript performs a three-step handshake before accumulation is sent. During the data-transmission process, prescript guarantees conveying of accumulation by using sequence and acknowledgment numbers. At the completion of the data-transmission process, prescript performs a four-step shutdown that gracefully concludes the session. prescript has a fixed boat structure that is utilised to wage flow control, maintain sure communication, and secure that whatever missing accumulation is resent. At the hunch of prescript is a 1-byte alarum field. Flags support curb the prescript process. Common flags earmark synchronize (SYN), acknowledgement (ACK), push (PSH), and finish (FIN). prescript section issues earmark prescript sequence sort attacks, conference hijacking, and SYN flood attacks. Programs, much as Nmap, manipulate prescript flags to endeavor to identify active hosts. The flags are utilised to manage prescript sessionsfor example, the synchronize (SYN) and acknowledge (ACK) flags are utilised in the three-way handshaking, whereas the reset (RST) and finish (FIN) flags are utilised to tear downbound a connection. FIN is utilised during a normal four-step shutdown, whereas RST is utilised to signal the end of an abnormal session. The checksum is utilised to secure that the accumulation is correct, although an attacker crapper alter a prescript boat and the checksum to attain it appear valid. Other flags earmark urgent (URG). If no flags are ordered at all, the flags crapper be referred to as Null, as none are set. Not every hacking tools play by the rules; most opening scanners crapper tweak prescript flags and send them in packets that should not normally subsist in an endeavor to illicit a salutation for the victim�s server. One much variation is the XMAS tree scan, which sets the SYN, URG, and PSH flags. Another is the NULL scan, which sets no flags in the prescript header.
74.  
75. UDP performs none of the handshaking processes that we see performed with TCP. Although that makes it considerably less sure than TCP, it does offer the benefit of speed. It is ideally suited for accumulation that requires fast conveying and is not huffy to boat loss. UDP is utilised by services much as DHCP and DNS. UDP is easier to spoof by attackers than prescript as it does not ingest sequence and acknowledgement numbers. UDP is the instrumentation prescript for individualist well-known application-layer protocols, including Network File System (NFS), Simple Network Management Protocol (SNMP), Domain Name System (DNS), and Trivial File Transfer Protocol (TFTP). The UDP boat info contains four fields, these earmark maker and instruction ports, length, and checksum fields. Also, if the receiving UDP module receives a datagram directed to an inactive or undefined UDP port, it returns an ICMP communication notifying the maker machine that the opening is unreachable. UDP�s lean, connectionless design makes it the prescript of pick for meshwork programme situations. A programme act is a azygos communication that module be conventional and processed by every hosts of the subnet. The UDP datagram includes a checksum continuance that the receiving machine crapper ingest to test the integrity of the data.
76.  
77. [The cyberspace layer]
78.  
79. The cyberspace place contains digit essential protocols: cyberspace Protocol (IP) and cyberspace Control Messaging Protocol (ICMP). IP is a routable prescript whose function is to attain a best effort at delivery. The IP brick is shown in Figure 2.7. Spend a few transactions reviewing it to better understand apiece field�s purpose and structure. Complete details crapper be found in RFC 791. While reviewing the structure of UDP, TCP, and IP, packets strength not be the most exciting conception of section work. A basic understanding is desirable because whatever attacks are based on manipulation of the packets. For example, the total size earth and fragmentation is tweaked in a ping of death attack. IP addresses are laid discover in a dotted quantitative notation format. IPv4 lays discover addresses into a four quantitative sort info that is separated by quantitative points. Each of these quantitative drawing is digit byte in size to earmark drawing to range from 0255. A sort of addresses hit also been reserved for private use. These addresses are nonroutable and normally should not been seen on the Internet. IP does more than meet addressing. It crapper dictate a limited path by using strict or loose maker routing, and IP is also answerable for datagram fragmentation. Fragmentation normally occurs when files staleness be split because of maximum transmission unit (MTU) size limitations.
80.  
81. Source routing was designed to earmark individuals the ability to verify the route that a boat should verify finished a network. It allows the individualist to bypass meshwork problems or congestion. IP�s maker routing informs routers not to ingest their normal routes for conveying of the boat but to send it via the router identified in the packet�s header. This lets a hacker ingest added system�s IP become and intend packets returned to him regardless of what routes are in between him and the destination. This identify of move crapper be utilised if the victim�s web machine is protected by an admittance list based on maker addresses. If the hacker were to simply spoof digit of the permitted maker addresses, traffic would never be returned to him. By spoofing an become and setting the loose maker routing choice to force the salutation to return to the hacker�s network, the move strength succeed. The best defense against this identify of move is to country loose maker routing and not respond to packets ordered with this option.
82. If IP staleness send a datagram larger than allowed by the meshwork admittance place that it uses, the datagram staleness be divided into smaller packets. Not every meshwork topologies crapper appendage the aforementioned datagram size; therefore, fragmentation is an essential function. As IP packets pass finished routers, IP reads the acceptable size for the meshwork admittance layer. If the existing datagram is likewise large, IP performs fragmentation and divides the datagram into digit or more packets. Each boat is labeled with a length, an offset, and a more bit. The size specifies the total size of the fragment, the equilibrize specifies the distance from the first byte of the example datagram, and the more taste is utilised to indicate if the fragment has more to follow or if it is the last in the program of fragments. The first fragment has an equilibrize of 0 and occupies bytes 0999. The ordinal fragment has an equilibrize of 1,000 and occupies bytes 1,0001,999. The third fragment has an equilibrize of 2,000 and occupies bytes 2,0002,999, and the test fragment has an equilibrize 3,000 and occupies bytes 3,0003,599. Whereas the first threesome fragments hit the more taste ordered to 1, the test fragment has the more taste ordered to 0 because no more fragments follow. These concepts are essential to understand how various attacks function. On modern networks, there should be very little fragmentation. Usually much traffic module indicate malicious activities. Hackers crapper also craft packets so that instead of overlapping, there module be gaps between various packets. These nonadjacent fragmented packets are similar to overlapping packets because they crapper crash or hang older operative systems that hit not been patched. A good warning of the overlapping fragmentation move is the teardrop attack. The teardrop move exploits overlapping IP fragment and crapper crash Windows 95, Windows NT, and Windows 3.1 machines.
83.  
84. ICMP is digit of the added protocols residing at the cyberspace layer. Its purpose is to wage feedback utilised for diagnostics or to inform formal errors. ICMP messages follow a basic format. The first byte of an ICMP brick indicates the identify of ICMP message. The mass byte contains the code for apiece particular identify of ICMP. The ICMP identify generally defines the problem, whereas the code is provided to earmark a limited reason of what the problem is. As an example, a Type 3, Code 3 ICMP means that there was a instruction error and that the limited instruction error is that the targeted opening is unreachable.
85.  
86. Data dispatched to a remote patron ofttimes travels finished digit or more routers. These routers crapper encounter a sort of problems sending the communication to its eventual destination. Routers ingest cyberspace Control Message Protocol (ICMP) messages to notify the maker IP most these problems. ICMP is also utilised for added diagnosis and troubleshooting functions. Here are the most ordinary ICMP messages. Few added conditions create ICMP messages but their frequency of occurrence is quite low.
87.  
88. Echo Request and Echo Reply � ICMP is ofttimes utilised during testing. When a technician uses the ping bidding to check connectivity with added host, he is using ICMP. Ping sends a datagram to an IP become and requests the instruction machine to return the accumulation dispatched in a salutation datagram. The commands actually being utilised are the ICMP Echo-Request and Echo-Reply.
89.  
90. Source Quench � if a fast patron is sending large amounts of accumulation to a remote host, the traffic volume crapper overwhelm the router. The router strength ingest ICMP to send a Source Quench communication to the maker IP to ask it to andante downbound the rate at which it is transport data. If necessary, additional maker quenches crapper be dispatched to the maker IP.
91.  
92. Destination Unreachable � if a router receives a datagram that cannot be delivered, ICMP returns a Destination Unreachable communication to the maker IP.
93.  
94. Time Exceeded � an patron sends this communication to the maker IP if a datagram is discarded because TTL reaches zero. This indicates that the instruction is likewise whatever router hops away to reach with the current TTL value, or it indicates router plateau problems that attain the datagram to wrap finished the aforementioned routers continously. A routing wrap occurs when a datagram circulates finished the aforementioned routers continously and never reaches its destination. Suppose threesome routers are located in New York, Moscow, and Rome. The New York router sends datagrams to Moscow, which sends them to Rome, which sends them backwards to New York again. The datagram becomes trapped and module circulate continuously finished these threesome routers until the TTL reaches zero. A routing wrap should not occur, but occasionally it does. A routing wrap sometimes occurs when a meshwork administrator places bad static routing entries in a routing table.
95.  
96. Fragmentation necessary � an patron sends this communication if it receives a datagram with the Don�t Fragment taste ordered and if the router needs to fragment the datagram in visit to nervy it to the next router or the destination.
97. Address Resolution Protocol (ARP) is the test prescript reviewed at the IP layer. ARP�s persona in the world of networking is to resolve known IP addresses to unknown MAC addresses. ARP�s two-step resolution impact is performed by first sending a programme communication requesting the target�s physical address. If a figure recognizes the become as its own, it issues an ARP reply containing its MAC become to the example sender. The MAC become is then placed in the ARP store and utilised to become subsequent frames. You discover that hackers are interested in the ARP impact as it crapper be manipulated to bypass the functionality of a switch. Because ARP was matured in a trusting world, bogus ARP responses are accepted as valid, which crapper earmark attackers to redirect traffic on a switched network. Proxy ARPs crapper be utilised to extend a meshwork and enable digit figure to communicate with a figure on an adjunct node. ARP attacks play a persona in a variety of man-in-the middle attacks, spoofing, and in-session hijack attacks. ARP is unauthenticated and, as such, crapper be utilised for unsolicited ARP replies, for poisoning the ARP table, and for spoofing added host.
98.  
99. [The Network admittance layer]
100. The meshwork admittance place is the bottom of the stack. This portion of the prescript meshwork model is answerable for the physical conveying of IP packets via frames. Ethernet is the most commonly utilised LAN inclose type. Ethernet frames are addressed with MAC addresses that identify the maker and instruction device. MAC addresses are 6 bytes long and are unique to the Network Interface bill (NIC) bill in which they are burned. To intend a better idea of what MAC addresses look like, review Figure 2.10, as it shows a boat with both the instruction and maker MAC addresses. Hackers crapper ingest a variety of programs to spoof MAC addresses. Spoofing MAC addresses crapper be a potential target to attackers attempting to bypass 802.11 wireless controls or when switches are utilised to curb traffic by locking ports to limited MAC addresses. MAC addresses crapper be either unicast, multicast, or broadcast. Although a instruction MAC become crapper be whatever digit of these threesome types, a inclose module always originate from a unicast MAC address.
101. The threesome types of MAC addresses
102. Unicast - The first byte is always an add value.
103. Multicast - The low visit taste in the first byte is always on, and a multicast MAC addresses is an odd value. As an example, notice the first byte (01) of the mass MAC address, 0x-01-00-0C-CC-CC-CC.
104. Broadcast - They are every binary 1s or module appear in glamour as FF FF FF FF FF FF.
105.  
106. [IP Security]
107.  
108. It�s easy to intercept and feature an unprotected boat of accumulation traveling over a public network. Some times, accumulation strength include user�s countersign or huffy aggregation you don�t want anyone added to read, same credit bill drawing or Bank accounts. The fact is that add if the accumulation isn�t particularly secret, users are exposed to hackers or whatever criminals willing to intend those information. Encryption is the best artefact of altering accumulation to attain it unreadable to unauthorized users. Data is encrypted by the sender and then travels over the meshwork in encoded, unreadable form. The receiving machine then decrypts the accumulation in visit to feature it. You strength wonder: what if Hackers hit a tool to decrypt the packets and feature them? That�s why you should trust you receiver and know who you�re sending packets because there are tools to decrypt data. An encryption algorithm is essentially a ordered of mathematical steps utilised to transform the accumulation into its unreadable form. The secret conception of the impact is titled the key. The result of the encryption impact depends on the continuance of the key. Therefore, as long as the continuance of the key is kept secret, unauthorized users module not be able to feature the accumulation add if they hit the necessary decryption tool. Some ways to attain prescript more secure is by using (SSL) Secure Sockets Layer or the (IPSec) IP Security. The purpose of SSL is to wage a place of section between the sockets at the Transport layer. The purpose of IP Security is an alternative section prescript grouping utilised on prescript networks. IPSec operates inside the prescript protocol stack, beneath the Transport layer. Because the section grouping is implemented beneath the Transport layer, the applications operative above the Transport place do not requirement knowledge of the section system.
109.  
110. [Intro to MS-DOS]
111.  
112. Microsoft Disk Operating System (DOS) is the most popular personal machine operative grouping in history. It is lightweight, requires little memory, and has few commands. In fact, DOS 6.22 has approximately one-sixteenth the sort of commands offered by full-fledged UNIX. It has whatever internal commands much as copy, cd, cls, ren, del. And individualist external commands including sys, move, format, deltree, syscopy. Internal commands are commands which are built into the command.com program and so crapper be separate in whatever MS-DOS with no dependencies, External commands are commands which are not built into command.com, they are external programs which are usually found in c:\\windows\\command but crapper be found anywhere. In DOS, to encounter discover what a bidding does you crapper identify �command /?� at a dos prompt where bidding is the name of the bidding you desire to see about. This is invaluable and if you ever requirement to encounter discover what a bidding does, this is the first thing you should try. Next I am feat to explain whatever basic MS-DOS commands which module be useful during your exploration of the web. By starting discover you haw identify cmd
113. [ping]
114.  
115. Usage: ping [-options] hostname.domain or IP
116.  
117. Example:
118.  
119. C:\\Documents and Settings\\Admin>ping -l 20 google.com
120.  
121. Pinging google.com [72.14.207.99] with 20 bytes of data:
122.  
123. Reply from 72.14.207.99: bytes=20 time=52ms TTL=236
124. Reply from 72.14.207.99: bytes=20 time=50ms TTL=236
125. Reply from 72.14.207.99: bytes=20 time=51ms TTL=236
126. Reply from 72.14.207.99: bytes=20 time=50ms TTL=236
127.  
128. Ping statistics for 72.14.207.99:
129. Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
130. Approximate round trip nowadays in milli-seconds:
131. Minimum = 50ms, Maximum = 52ms, Average = 50ms
132.  
133. Options:
134.  
135. -t Ping the specified patron until stopped.
136. To see statistics and continue - identify Control-Break;
137. To stop - identify Control-C.
138. -a Resolve addresses to hostnames.
139. -n count Number of echo requests to send.
140. -l size Send buffer size.
141. -f Set Don�t Fragment alarum in packet.
142. -i TTL Time To Live.
143. -v TOS Type Of Service.
144. -r count Record route for count hops.
145. -s count Timestamp for count hops.
146. -j host-list Loose maker route along host-list.
147. -k host-list Strict maker route along host-list.
148. -w timeout Timeout in milliseconds to wait for apiece reply.
149. Ping sends a ping letter to a domain name to test its reactivity and salutation times. It does this by sending a boat of aggregation to the machine in question and requests a response. The output, as you crapper see is tells you the domain name that is being pinged, its IP address, the size of packets dispatched out, the salutation times, and averages. Ping is a very useful bidding as it tells you the IP become of a domain name, and tells you if it is �alive� and responsive. The uses of this module embellish apparent later on. To encounter discover player options that crapper be utilised with ping, identify �ping /?� at the dos prompt.
150.  
151. [netstat]
152.  
153. Usage: netstat [-options]
154.  
155. Example:
156.  
157. Active Connections
158. Proto Local Address Foreign Address State
159. TCP pbn-computer:1067 w3.dcx.yahoo.com:80 ESTABLISHED
160. TCP pbn-computer:1069 209.73.225.7:80 ESTABLISHED
161. TCP pbn-computer:1070 212.187.244.14:80 ESTABLISHED
162. TCP pbn-computer:1071 212.187.244.14:80 ESTABLISHED
163.  
164. Options:
165.  
166. -a Displays every connections and listening ports.
167. -b Displays the executable involved in creating apiece unification or
168. listening port. In whatever cases well-known executables host
169. multiple autarkical components, and in these cases the
170. sequence of components involved in creating the connection
171. or listening opening is displayed. In this case the executable
172. name is in [] at the bottom, on crowning is the component it called,
173. and so nervy until prescript was reached. Note that this option
174. can be time-consuming and module fail unless you hit sufficient
175. permissions.
176. -e Displays Ethernet statistics. This haw be combined with the -s
177. option.
178. -n Displays addresses and opening drawing in numerical form.
179. -o Displays the owning impact ID associated with apiece connection.
180. -p proto Shows connections for the prescript specified by proto; proto
181. may be whatever of: TCP, UDP, TCPv6, or UDPv6. If utilised with the -s
182. option to pass per-protocol statistics, proto haw be whatever of:
183. IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
184. -r Displays the routing table.
185. -s Displays per-protocol statistics. By default, statistics are
186. shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
187. the -p choice haw be utilised to verify a subset of the default.
188. -v When utilised in conjunction with -b, module pass sequence of
189. components involved in creating the unification or listening
190. port for every executables.
191. interval Redisplays selected statistics, pausing interval seconds
192. between apiece display. Press CTRL+C to stop redisplaying
193. statistics. If omitted, netstat module print the current
194. configuration aggregation once.
195.  
196. Netstat gives a list of every connections coming to and from your computer. It displays the ports (A virtual opening of a machine is same an imaginary route for aggregation to become in and discover of your machine (to the internet) All services and programs which ingest the internet ingest a different opening to secure that aggregation does not intend dispatched to the wrong program) and IP�s of both ends of the connections. There are thousands of acquirable ports, not something you separate discover of. Once again, typewriting �traceroute /?� at the dos prompt to intend more information. Netstat crapper also be utilised as a crude method of getting a person�s IP. To do this you do the following, for the sake of simplicity you should essay to minimise the sort of connections, this crapper be done by closing internet browsers, chat programs etc. Firstly, you module requirement to talk to the mortal on a chat program much as msn messenger, aim, yahoo messenger or something similar. At the dos prompt identify �netstat > temp1.txt� this module wage the standard output, but the production module be routed into the enter temp.txt (which if does not exist, module be created, and if does subsist module be over written). Next you module requirement to found a direct unification with the target computer, this crapper be done by initiating a enter transfer. Whilst the enter designate is talking place you module requirement to erst again identify �netstat >temp2.txt�. The next task is to compare the digit files (temp1.txt and temp2.txt), the ordinal enter should include an IP become that is not in the first, this new unification is the unification you initiated o the target computer, hence the IP become is the IP of your target.
197.  
198. [tracert]
199.  
200. Usage: tracert [-options] IP
201.  
202. Output:
203.  
204. Tracing route to yahoo.com [66.218.71.113]
205. over a maximum of 30 hops:
206. 1 * * * Request timed out.
207. 2 175 ms 180 ms 180 ms cdf-dam1-a-fa11.inet.ntl.com [62.252.33.201]
208. 3 185 ms 200 ms 200 ms 62.254.253.17
209. 4 180 ms 170 ms 190 ms bir-bb-a-so-220-0.inet.ntl.com [213.105.172.45]
210. 5 165 ms 180 ms 180 ms bir-bb-b-ge-720-0.inet.ntl.com [62.253.185.154]
211. 6 320 ms 360 ms 320 ms yahoo-above-1.pao1.above.net [64.125.31.230]
212. 7 400 ms 340 ms 339 ms ge-1-3-0.msr2.pao.yahoo.com [216.115.100.146]
213. 8 315 ms 355 ms 345 ms vl11.bas2.scd.yahoo.com [66.218.64.138]
214. 9 420 ms 320 ms 340 ms yahoo.com [66.218.71.113]
215. Trace complete.
216.  
217. Tracert short for trace route does exactly that, it traces the route taken by individualist packets of aggregation as they are transmitted across the cyberspace to the destination. The uses of this are numerous and module embellish clear as you see more. In its simplest form it crapper be crudely utilised to encounter discover a persons ISP and add locate them on a international level. For example, is you tracert a persons ISP, and the test hop before reaching them is m284-mp1-cvx1c.car.ntl.com [62.252.45.28] , we know that the mortal uses ntl as an ISP, on further investigation it crapper be found that ntl is a UK based ISP and the abbreviation .car. stands for Cardiff, a city in the UK. From this we know that the mortal in question uses ntl and lives in the vicinity of Cardiff. Encase whatever digit discover their is wondering, I do live in Cardiff, UK and the IP become is mine, its a impulsive IP become (dynamic means it changes every instance I enter to the internet as oppose to static which means the unification is constant and IP does not change). Use �tracert /?� for more information.
218. [Running IP Configuration from Command Prompt (Windows)]
219.  
220. Connectivity Utilities:
221.  
222. 1. IPConfig - A Windows programme that displays prescript configuration settings.
223.  
224. 2. Ping - An programme that tests for meshwork connectivity.
225.  
226. 3. Arp - An programme that lets you view (can modify) the ARP store of a local or remote computer.
227. The ARP store contains the physical become to IP become mappings.
228.  
229. 4. Traceroute - An programme that traces the path of a datagram finished the internet.
230.  
231. 5. Route - An programme that lets you view, add, or edit entries in a routing table.
232.  
233. 6. Netstat - An programme that displays IP, UDP, TCP, and ICMP statistics.
234.  
235. 7. NBTstat - An programme that displays statistics on NetBIOS and NBT.
236.  
237. 8. Hostname - An programme that returns the hostname of the local host.
238. File Transfer Utilities:
239.  
240. 1. Ftp - A basic enter designate client.
241.  
242. 2. Tftp - A basic enter designate programme using UDP.
243.  
244. 3. Rcp - A simple remote enter designate utility.
245. Remote Utilities:
246.  
247. 1. Telnet - A remote terminal utility.
248.  
249. 2. Rexec - An programme which runs commands on a remote machine finished the rexecd daemon.
250.  
251. 3. Rsh - An programme invoking a shell on the remote computer, in visit to execute commands.
252.  
253. 4. Finger - An programme which displays individualist information.
254.  
255. [Net Bios Null Sessions]
256. The invalid conference is ofttimes refereed to as the Holy Grail of Windows hacking. Null Sessions verify plus of flaws in the CIFS/SMB (Common cyberspace File System/ Server Messaging Block).
257.  
258. You crapper found a Null Session with a Windows (NT/2000/XP) patron by logging on with a invalid individualist name and password.
259.  
260. Using these invalid connections allows you to gather the mass aggregation from the host:
261.  
262. List of users and groups
263.  
264. List of machines
265.  
266. List of shares
267.  
268. Users and patron Security Identifiers
269. In the preceding modules we hit seen how the attacker gleans aggregation most the target without actually penetrating into the system. While opening scanning has a degree of intrusiveness, the impact of listing ranks higher in this context.
270.  
271. In the listing phase, the attacker gathers aggregation much as meshwork individualist and group names, routing tables, and Simple Network Management Protocol (SNMP) data. In this module we module explore how an attacker crapper enumerate the meshwork and what countermeasures crapper be taken to check this phase of attack.
272. Before we crapper intend into the details of the attack, let us essay to understand the underlying concept of invalid sessions. The windows operative grouping relies on the �user� statement for authentication. As the operative systems of this family hit evolved, we hit seen the addition of groups, policies, rights and added additional section measures being added in visit to enhance the authentication process.
273. However, in addition to the standard user, the OS also supports a unique identify of individualist titled the �null� user, which is essentially a pseudo-account that has no username or password, but is allowed to admittance certain aggregation on the network.
274.  
275. The Null individualist is confident of enumerating statement names and shares on domain controllers, member servers, and workstations. This makes the Null user, a individualist with no credentials, a potential means of move by crackers to elicit aggregation and compromise the system.
276.  
277. Let us verify a look at a typical LANMAN sessions on Windows NT 4.0
278.  
279. Remote machines found a conference with the Windows NT machine using a challenge salutation protocol. The section of the aggregation channel is ensured finished a sequence of communications as outlined below.
280.  
281. The remote machine (or conference requestor / client) sends a letter to the conference machine (or conference acceptor). This haw be within the aforementioned domain or across domains.
282.  
283. The conference machine responds by sending across a random 64-bit challenge question to the client. The computer responds to the question with a 24-bit answer which is hashed with the countersign of the individualist statement that is requesting the session.
284.  
285. The conference machine accepts the salutation and verifies with the local section authority regarding the authentication of the individualist statement and password.
286.  
287. The LSA confirms the indistinguishability of the requestor by verifying that the salutation was hashed with the precise countersign for the individualist that the requestor purports to be. This confirmation occurs locally if the requestor�s statement is a local statement on the server. However, if the requestor�s statement is a domain account, the salutation is forwarded to the concerned domain controller for authentication.
288.  
289. On authenticating the response, an admittance token is generated by the conference machine and dispatched across to the client.
290.  
291. The computer then uses this admittance token to enter to resources on the machine till the newly established conference is terminated.
292.  
293. Access tokens are executive objects that are managed by the operative system. These tokens store aggregation most a logon conference for a particular individualist and holds true till the individualist logs discover or uses added machine to admittance the particular resources. This eliminates the requirement for added authentication handshake when accessing related resources. This means meshwork authentication protocols much as NTLM are exclusive required when hopping from digit machine to another. The NT section model crapper be viewed as shown below.
294.  
295. Once produced, the token provides digit basic services: it stores the Security ID (SID) of the individualist that it represents and a store of individualist aggregation much as authorization aggregation (groups and privileges). Windows NT 4.0 provided digit key groups whose membership could be dominated by the administrator: Administrators and Users. There was digit group, Everyone, whose membership was dominated by the operative grouping or domain. Every individualist who was authenticated by the domain was a member of the Everyone group. Windows 2000 provides threesome groups whose membership is dominated by the administrator: Users, Power Users, and Administrators. The group whose membership is dominated by the operative grouping or domain is Authenticated Users. It is the aforementioned as the Everyone group, except that it does not include anonymous users or guests. Unlike the Everyone group in Windows NT 4.0, the Authenticated Users group is not utilised to assign permissions. Only groups dominated by the administrator, primarily Users, Power Users, and members of the Administrators group, are utilised to assign permissions. Now, let us verify a look at a typical LANMAN sessions on Windows 2000. The computer sends a pre-authenticated (hash of individualist password) letter along with a instance stamp to the key distribution center (KDC) that resides on the domain controller (DC) of the concerned domain, requesting for a ticket granting ticket (TGT).
296.  
297. The KDC extracts the hash of the individualist indistinguishability from its database and decrypts the letter with it, noting the instance stamp as well for recentness of request. A valid individualist statement results in flourishing decryption. The KDC sends backwards a TGT, that contains among added aggregation the conference key (encrypted with users password) and the section identifiers (SID) identifying the individualist and the group among added things. The computer uses the ticket to admittance the required resources. Note that the computer sends a instance stamped letter so that the TGT haw not be captured en-route and utilised later. The ticket thus generated primarily holds the domain name of the domain that issued the ticket and the name of the principal. Tickets also hit a finite lifespan, with both the start and expiration of the conference noted on it, computer become and authorized admittance rights encrypted on it. Having understood how windows sessions are established, let us verify a look at the concept of invalid sessions in windows. We hit seen the persona of the critic - the conference machine / KDC in ensuring that exclusive authorized users are allowed to gain admittance to specified resources. What if there is no critic in establishing a conference over the network? There is no artefact the particular machine crapper ascertain who has initiated the session, whether it was hijacked or what resources were accessed. This conference is therefore known as a invalid session. The goal of authentication is primarily to found a secure channel for act and also to verify the resource provider that exclusive an authenticated individualist is at the added end of the act channel. With invalid meshwork credentials, there is no artefact to found a secure conference key. But since there are individualist instances where anonymous users haw be allowed to admittance resources (- much as an administrator who wants to deal resources among users in various domains, which are yet to be right mapped) Windows has a built in mechanism for a invalid individualist (or a individualist with invalid meshwork credentials to enter finished what is known as a invalid session. A invalid conference is an insecure (unauthenticated) unification with no proof of identity. No individualist and countersign credentials are supplied in the organisation of the session. No conference key is exchanged when establishing a invalid session, and hence it is impossible for the grouping to send encrypted or add signed messages on behalf of the individualist low a invalid session. Other areas where invalid sessions are thoughtful useful is when the LMHOSTS.SAM enter uses the \�#INCLUDE <filename>\� tag. The deal point that contains the included enter staleness be setup as a invalid conference share. Additionally where a service, streaming low the local \�SYSTEM\� account, needs admittance to whatever meshwork resource, a invalid conference haw be established to admittance these resources. An interesting conception is that Null sessions crapper also be established at the API verify with languages much as C++. Null sessions crapper be utilised to found connections to �null conference pipes�, if it is allowed by the server. A �pipe� is a facility that allows a impact on digit grouping to communicate with a impact on added system, patch a inter impact act deal allows act between digit processes on the aforementioned system. Null sessions crapper also be utilised to found connections to shares, including much grouping shares as \\\\servername\\IPC$. The IPC$ is a special hidden share. It haw be noted that the IPC$ deal is an interface to the �server� impact on the machine, also associated with a pipe so it crapper be accessed remotely. Null sessions attain the listing of users, machines, and resources easier for administrative purposes especially across domains. This is the lure for the attacker who intends to ingest a invalid conference to enter to the machine. During opening scanning, the attacker takes state of whatever salutation from prescript opening 139 and 445. Why would these ports interest an attacker? The answer lies in the SMB protocol. The SMB (Server Message Block) prescript is known for its ingest in enter sharing on Windows NT / 2000 program among added things. Attackers crapper potentially intercept and add unsigned SMB packets then add the traffic and nervy it so that the machine strength perform undesirable actions. Alternatively, the attacker could pose as the machine or computer after a legitimate authentication and gain unauthorized admittance to data. SMB is the resource sharing prescript based by whatever Microsoft operative systems; it is the basis of meshwork basic input/output grouping (NetBIOS) and whatever added protocols. SMB signing authenticates both the individualist and the machine hosting the data. In Windows NT it ran on crowning of NBT (NetBIOS over TCP/IP), making it a bulky prescript with a large brick as well as consuming greater time. In Windows NT, it utilised the ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, SMB was allowed to direct separate over TCP/IP, without the player place of NBT. Therefore, opening 445 started being utilised for this purpose.
298. If the computer has NBT enabled, it module always essay to enter simultaneously to the machine at both opening 139 and 445. If there is a salutation from opening 445, it sends a RST to opening 139, and continues its SMB conference to opening 445 alone. However, if there is no salutation from opening 445, it module continue its SMB conference to opening 139 alone on eliciting a salutation from the port. Needless to say, the conference module completely fail if there is no salutation from either of the ports.
299.  
300. If the computer has NBT disabled, it module always essay to enter to the machine at opening 445 alone. If the machine answers on opening 445, the conference module be established and continue on that port. The conference fails in the absence of a response. This is the case if the machine runs Windows NT 4.0.. In essence, if the machine has NBT enabled, it listens on UDP ports 137, 138, and on prescript ports 139, 445. If it has NBT disabled, it listens on prescript opening 445 only.
301.  
302. Each SMB conference consumes machine resources. Establishing numerous invalid sessions module andante or possibly crash the machine add in Windows 2003. An attacker could repeatedly found SMB sessions until the machine stops responding. SMB services module embellish andante or unresponsive.
303.  
304. Anyone with a NetBIO S unification to your machine crapper easily intend a full dump of every your usernames, groups, shares, permissions, policies, services and more using the Null user.
305.  
306. The above syntax connects to the hidden Inter Process Communication �share� (I PC $) at IP become 192.34.34.2 with the built- in anonymous individualist (/u:\�\�) with (\�\�) invalid password.
307.  
308. The attacker now has a channel overwhich to endeavor various techniques.
309.  
310. The CIFS/SMB and NetBIOS standards in Windows 2000 earmark API s that return rich aggregation most a machine via prescript opening 139 - add to unauthenticated users.
311.  
312. C: \\>net ingest \\\\192.34.34.2 \\IPC$ \�\� /u: \�\�
313.  
314. Null Session Countermeasure
315. Null sessions require admittance to prescript 139 and/ or prescript 445 ports.
316.  
317. You could also disable SMB services entirely on individualist hosts by unbinding WINS Client prescript from the interface.
318.  
319. Edit the registry to restrict the anonymous user.
320.  
321. Open regedt32, navigate to HKLM\\SYSTEM\\CurrentControlSet\\LSA
322.  
323. Choose edit | add value
324.  
325. value name: ResticAnonymous
326.  
327. Data Type: REG WORD
328.  
329. Value: 2
330.  
331. Another travel that is advisable is to disallow remote admittance completely except for limited accounts and groups. It would be prudent to country NetBIOS ports on the firewall or border router to increase meshwork security. Blocking the mass ports module prevent against Null Sessions (as well as added attacks that ingest NetBIOS)
332.  
333. 135 prescript DCE/RPC Portmapper
334.  
335. 137 TCP/UDP NetBIOS Name Service
336.  
337. 138 TCP/UDP NetBIOS Datagram Service
338.  
339. 139 prescript NetBIOS Session Service
340.  
341. 445 prescript Microsoft-DS (Windows 2000 CIFS/SMB)
342.  
343. [Administrator Password Guessing]
344. Guessing usernames and passwords requires that you review your findings. Remember that good documentation is always necessary during a penetration test, so attain sure that you hit recorded every your previous activities. Tools utilised during enumeration, much as DumpSec, IP Network Browser, and gain view, should hit returned whatever valuable clues most limited accounts. By now, you should hit statement names, know who the true administrator is, know if there is a lockout policy, and add know the names of open shares. The simplest artefact to ingest this aggregation is finished countersign guessing.
345.  
346. If you crapper identify much an account, the gain ingest bidding crapper be issued from the bidding distinction to endeavor the connection:
347.  
348. Net ingest * \\\\target_IP\\share * /u:name
349.  
350. You�ll be prompted for a countersign to complete the authentication.
351.  
352. C:\\>net ingest * \\\\192.188.13.10\\c$ * /u:jack
353. Type the countersign for \\\\172.20.10.79\\c$:
354. The bidding completed successfully
355. Assuming that NetBIOS TCP139 opening is open, the most trenchant method of breaking into NT/2000 is countersign guessing.
356.  
357. Attempting to enter to an enumerated deal (IPC$, or C$) and trying username/password.
358.  
359. Default Admin$, C$, %Systemdrive% shares are good starting point.
360. [Performing automated countersign guessing]
361. Performing automated countersign guessing is easy-simple wrap using the NT/2000 shell for bidding based on the standard NET USE syntax.
362.  
363. Create a simple username and countersign file.
364.  
365. Pipe this enter into FOR command
366.  
367. C:\\> FOR /F \�token=1, 2*\� %i in (credentials.txt)
368. do gain ingest \\\\target\\IPC$ %i /u: %j
369. If the attacker fails in a manual attack, he crapper choose to automate the process. There are individualist free programs, which crapper assist him in this effort. Legion, Jack the Ripper, NetBIOS Auditing Tool (NAT), and LophtCrack (LC4) are whatever of them.
370.  
371. The simplest of these automation methods verify plus of the gain command. This involves a simple wrap using the NT/2000 shell for command. All the attacker has to do is to create a simple username and countersign file. He crapper then pipe this enter into FOR command.
372.  
373. C:\\> FOR /F \�token=1, 2*\� %i in (credentials.txt)
374. do gain ingest \\\\target\\IPC$ %i /u: %j
375.  
376. Automated countersign attacks crapper be divided into digit basic categories, dictionary attacks and brute force attacks.
377.  
378. A simple dictionary move involves loading a dictionary enter (a text enter full of dictionary words) into a cracking application much as LophtCrack or John the Ripper, and streaming it against individualist accounts located by the application. The larger the articulate and articulate fragment selection, the more trenchant the dictionary move is.
379.  
380. The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and sort combination in its automated exploration.
381.  
382. A hybrid approach is digit which combines features of both the methods mentioned above. It usually starts with a dictionary and then tries combinations much as digit words together or a articulate and numbers.
383.  
384. Legion automates the countersign guessing in NetBIOS sessions. Legion module scan binary Class C IP become ranges for Windows shares and also offers a manual dictionary move tool.
385. Password Cracking Countermeasures
386.  
387. Enforce 7�12 character alpha-numeric passwords.
388.  
389. Set the countersign change policy to 30 days.
390.  
391. Physically isolate and protect the server.
392.  
393. Use SYSKEY programme to store hashes on disk.
394.  
395. Monitor the machine logs for brute force attacks on individualist accounts.
396.  
397. [Keystroke Loggers]
398.  
399. If every added attempts to sniff discover domain privileges fail, then keystroke logger is the solution. Keylogging whatever ones grouping is very trenchant artefact of getting pretty much every the info a hacker needs. He crapper intend credit cards numbers, private chat info and so on. Keystroke loggers are stealth code that sits between keyboard element and the operative system, so that they crapper record every key stroke. Keystroke loggers become in both element and code forms and are utilised to capture and compile a record of everything typed using the keyboard and making it acquirable to added mortal / agency inquiring the user. This haw be conveyed over e-mail or a Web site or add saved on the aforementioned grouping as a hidden file.
400. Generic keystroke loggers record the application name, instance and date the application was opened, and the keystrokes associated with that application. The appeal keystroke loggers hit is the ability to capture aggregation before it crapper be encrypted for transmission over the network. This gives the mortal inquiring admittance to pass phrases and added well-hidden information. Keystroke loggers crapper be broadly classified as element keystroke loggers and code keystroke loggers. Hardware keystroke loggers are element devices that attach physically to the keyboard and records data. These devices generally look same a standard keyboard adapter, so that they remain camouflaged unless specifically looked for. In visit to retrieve accumulation from a element logger, the mortal who is doing the inquiring staleness regain physical admittance to that piece of equipment. Hardware loggers work by storing aggregation in the actual device, and generally do not hit the ability to programme or send much aggregation discover over a network. One direct plus element keystroke loggers carry is that they module not be unconcealed by whatever of the anti-spyware, anti-virus or desktop section programs. Also whatever trojans become with keylogging options.
401. [KeyGhost Hardware Key Logger]
402.  
403. The Hardware Key Logger is a tiny element figure that crapper be attached in between a keyboard and a computer. It keeps a record of every key strokes typed on the keyboard. The recording impact is totally transparent to the end user. Many places with these types of keyloggers are cyberspace caffes and libraries. So be aware not to acess whatever critical aggregation in these public places. It records every keystrokes into a built-in flash memory chip, add keystrokes made in BIS and DOS are recorded. The keystrokes crapper exclusive be retrieved by an administrator with a proper password. The figure crapper be installed add when the target machine is logged out, has a password, is locked or switched off. The figure crapper be unplugged and the keystrokes retrieved on added computer. Over 500,000 keystrokes crapper be stored with strong 128-bit encryption in non-volatile flash memory (same as in smart cards) that doesn�t requirement batteries to retain storage. The figure works on whatever desktop PC & every PC operative systems, including Windows 3.1, 95, 98, NT, 2000, Linux, OS/2, DOS, Sun Solaris and BeOS. No code installation is necessary at every to record or retrieve keystrokes. Recorded keystrokes crapper be played backwards into whatever text editor using proprietary �keystroke ghosting� technique. The figure plugs into computers with a small PS/2 keyboard plug or a large DIN plug. Unlike code keystroke recorders, KeyGhost records every keystroke, add those utilised to add the BIOS before bootup. The greatest plus is that it is impossible to detect or disable using software. One staleness visually scan the backwards of the machine where the keyboard is plugged in to detect its presence. The exclusive artefact to check for keystroke logging element is to familiarize with what it looks same and visually scan the machine on a regular basis. Taking pictures of the inside and right of the machine haw also be adopted. KeyGhost also makes keyboards with the key logger built straight in, which makes it much more difficult to spot.
404.  
405. <!-- from haxs.org for RST -->