Wednesday, 22 June 2011

ScanLine

ScanLine from Foundstone is arguably the fastest, most robust port-scanning tool ever built. The tool has a myriad of options, but one of its most valuable features is its ability
to scan very large ranges quickly and to include both TCP and UDP scanning in a single
run of the product. Take a look at this example:
C:\ >sl -t 21,22,23,25 -u 53,137,138 192.168.0.1
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2010
http://www.foundstone.com
Scan of 1 IP started at Fri Nov 22 23:09:34 2010
----------------------------------------------------------
192.168.0.1
Responded in 0 ms.
1 hop away
Responds with ICMP unreachable: No
TCP ports: 21 23
UDP ports:
----------------------------------------------------------
Scan finished at Fri Nov 22 23:09:46 2002
1 IP and 7 ports scanned in 0 hours 0 mins 12.07 secs

Monday, 13 June 2011

Netcat Port Scanning

Despite the “old school” nature of this raw tool, another excellent utility is netcat (or nc),
written by Hobbit. This utility can perform so many tasks that everyone in the industry
calls it the Swiss Army knife of security. nc provides basic TCP and UDP port-scanning capabilities.
The -v and -vv options provide verbose and very verbose output, respectively. The -z
option provides zero mode I/O and is used for port scanning, and the -w2 option
provides a timeout value for each connection. By default, nc will use TCP ports. Therefore,
we must specify the -u option for UDP scanning, as in the example shown next:

[root] nc -v -z -w2 192.168.1.1 1-140

[192.168.1.1] 139 (?) open
[192.168.1.1] 135 (?) open
[192.168.1.1] 110 (pop-3) open
[192.168.1.1] 106 (?) open
[192.168.1.1] 81 (?) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 79 (finger) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (?) open
[192.168.1.1] 25 (smtp) open
[192.168.1.1] 21 (ftp) open
[192.168.1.1] 135 (ntportmap) open
[192.168.1.1] 123 (ntp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (name) open

Wednesday, 8 June 2011

udp_scan

Because strobe covers only TCP scanning, we can use udp_scan, originally from SATAN
(Security Administrator Tool for Analyzing Networks), written by Dan Farmer and
Wietse Venema in 1995. Although SATAN is a bit dated, its tools still work quite well. In
addition, newer versions of SATAN, now called SAINT, have been released at
http://wwdsilx.wwdsi.com. Many other utilities perform UDP scans; however, to this day we
have found that udp_scan is one of the most reliable UDP scanners available. We should
point out that although udp_scan is reliable, it does have a nasty side effect of triggering
a SATAN scan message on major IDS products. Therefore, it is not one of the more
stealthy tools you could employ. Typically, we will look for all well-known ports below
1024 and specific high-risk ports above 1024. Here’s an example:
[root] udp_scan 192.168.1.1 1-1024
42:UNKNOWN:
53:UNKNOWN:
123:UNKNOWN:
135:UNKNOWN:

Sunday, 5 June 2011

Port-scanning by strobe

strobe is a venerable TCP port-scanning utility written by Julian Assange
(http://linux.maruhn.com/sec/strobe.html). It has been around for some time and is one of the fastest
and most reliable TCP scanners available. Some of strobe’s key features include the
ability to optimize system and network resources and to scan the target system in an
efficient manner. In addition to being efficient, strobe (version 1.04 and later) will actually
grab the associated banner (if available) of each port it connects to. This may help identify
both the operating system and the running service.
The strobe output lists each listening TCP port:

[root] strobe 192.168.1.10
strobe 1.03 (c) 1995 Julian Assange (proff@suburbia.net).
192.168.1.10 echo 7/tcp Echo [95,JBP]
192.168.1.10 discard 9/tcp Discard [94,JBP]
192.168.1.10 sunrpc 111/tcp rpcbind SUN RPC
192.168.1.10 daytime 13/tcp Daytime [93,JBP]
192.168.1.10 chargen 19/tcp ttytst source
192.168.1.10 ftp 21/tcp File Transfer [Control]
[96,JBP]
192.168.1.10 exec 512/tcp remote process execution;
192.168.1.10 login 513/tcp remote login a la telnet;
192.168.1.10 cmd 514/tcp shell like exec, but automatic
192.168.1.10 ssh 22/tcp Secure Shell
192.168.1.10 telnet 23/tcp Telnet [112,JBP]
192.168.1.10 smtp 25/tcp Simple Mail Transfer [102,JBP]
192.168.1.10 nfs 2049/tcp networked file system
192.168.1.10 lockd 4045/tcp
192.168.1.10 unknown 32772/tcp unassigned
192.168.1.10 unknown 32773/tcp unassigned
192.168.1.10 unknown 32778/tcp unassigned
192.168.1.10 unknown 32799/tcp unassigned
192.168.1.10 unknown 32804/tcp unassigned


Although strobe is highly reliable, you need to keep in mind some of its limitations:
it is a TCP scanner only and does not provide UDP scanning capabilities. Therefore, in
the preceding scan we are only looking at half the picture. For additional scanning
techniques beyond what strobe can provide, we must dig deeper into our toolkit.

Friday, 3 June 2011

Different kind of scan

Port scanning is the process of sending packets to TCP and UDP ports on the target
system to determine what services are running or are in a LISTENING state. Identifying
listening ports is critical to determining the services running, and consequently the
vulnerabilities present from your remote system. Additionally, you can determine the
type and version of the operating system and applications in use. Active services that are
listening are akin to the doors and windows of your house. They are ways into the
domicile. Depending on the type of path in (a window or door), it may allow an
unauthorized user to gain access to systems that are misconfigured or running a version
of software known to have security vulnerabilities.

• TCP connect scan This type of scan connects to the target port and completes
a full three-way handshake (SYN, SYN/ACK, and ACK), as the TCP RFC
(Request for Comments) states. It is easily detected by the target system. Figure
2-4 provides a diagram of the TCP three-way handshake.
• TCP SYN scan This technique is called half-open scanning because a full TCP
connection is not made. Instead, only a SYN packet is sent to the target port.
If a SYN/ACK is received from the target port, we can deduce that it is in the
LISTENING state. If an RST/ACK is received, it usually indicates that the
port is not listening. An RST/ACK will be sent by the system performing the
port scan so that a full connection is never established. This technique has the
advantage of being stealthier than a full TCP connect, and it may not be logged
by the target system. However, one of the downsides of this technique is that
this form of scanning can produce a denial of service condition on the target by
opening a large number of half-open connections. But unless you are scanning
the same system with a high number of these connections, this technique is
relatively safe.
• TCP FIN scan This technique sends a FIN packet to the target port. Based on
RFC 793 (http://www.ietf.org/rfc/rfc0793.txt), the target system should send
back an RST for all closed ports. This technique usually only works on UNIX-based
TCP/IP stacks.
• TCP Xmas Tree scan This technique sends a FIN, URG, and PUSH packet to
the target port. Based on RFC 793, the target system should send back an RST
for all closed ports.
• TCP Null scan This technique turns off all flags. Based on RFC 793, the target
system should send back an RST for all closed ports.
• TCP ACK scan This technique is used to map out firewall rulesets. It can
help determine if the firewall is a simple packet filter allowing only established
connections (connections with the ACK bit set) or a stateful firewall performing
advanced packet filtering.
• TCP Window scan This technique may detect open as well as filtered/
nonfiltered ports on some systems (for example, AIX and FreeBSD) due to an
anomaly in the way the TCP window size is reported.
• TCP RPC scan This technique is specific to UNIX systems and is used to
detect and identify Remote Procedure Call (RPC) ports and their associated
program and version number.
• UDP scan This technique sends a UDP packet to the target port. If the target
port responds with an “ICMP port unreachable” message, the port is closed.
Conversely, if you don’t receive an “ICMP port unreachable” message, you can
deduce the port is open. Because UDP is known as a connectionless protocol,
the accuracy of this technique is highly dependent on many factors related to
the utilization and filtering of the target network. In addition, UDP scanning is
a very slow process if you are trying to scan a device that employs heavy packet
filtering. If you plan on doing UDP scans over the Internet, be prepared for
unreliable results.
Certain IP implementations have the unfortunate distinction of sending back reset
(RST) packets for all ports scanned, regardless of whether or not they are listening.
Therefore, your results may vary when performing these scans; however, SYN and
connect() scans should work against all hosts.
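From the defender's side, each technique above has a distinctive flag pattern on segments that belong to no established connection, which is what an IDS keys on. The following is an added example (not from the book or this blog) that classifies such segments by flag byte and reports sources that sweep several ports with one technique; the log lines are constructed.

```python
"""Classify unsolicited inbound TCP segments by flag bits into the scan
techniques listed above and flag sources that sweep many ports.
Added example; the log lines below are constructed, not a real capture."""
from collections import defaultdict

# TCP flag bits in the order they appear in the header flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Name the probe technique implied by the flag byte of a segment that
    does not belong to any established connection."""
    if flags == 0:
        return "null"                 # TCP Null scan: no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"                 # TCP Xmas Tree scan
    if flags == FIN:
        return "fin"                  # TCP FIN scan
    if flags == SYN:
        # A lone SYN starts both a SYN (half-open) and a connect() scan; the
        # two differ only in whether the client later answers with ACK or RST.
        return "syn"
    if flags == ACK:
        return "ack"                  # ACK scan, or an nmap -PT style TCP ping
    return "other"


def parse_log(text: str):
    """Yield (src, dst, dport, flags) from lines 'src dst dport flags-hex'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, flags_hex = line.split()
        yield src, dst, int(dport), int(flags_hex, 16)


def detect_scans(text: str, port_threshold: int = 3) -> dict:
    """Return {src: {technique: sorted ports}} for every source that probed
    at least port_threshold distinct ports with one technique."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, _dst, dport, flags in parse_log(text):
        seen[src][classify_flags(flags)].add(dport)
    report = {}
    for src, by_tech in seen.items():
        hits = {tech: sorted(ports) for tech, ports in by_tech.items()
                if len(ports) >= port_threshold}
        if hits:
            report[src] = hits
    return report


# Constructed sample: 10.0.0.5 sweeps four ports with bare SYNs, 10.0.0.9
# sends FIN|PSH|URG (0x29) to three ports plus one Null probe, and 10.0.0.7
# sends a single ACK. Fields: src dst dport flags-hex
SAMPLE_LOG = """
10.0.0.5 192.168.1.10 22 02
10.0.0.5 192.168.1.10 25 02
10.0.0.5 192.168.1.10 80 02
10.0.0.5 192.168.1.10 110 02
10.0.0.9 192.168.1.10 21 29
10.0.0.9 192.168.1.10 23 29
10.0.0.9 192.168.1.10 80 29
10.0.0.9 192.168.1.10 443 00
10.0.0.7 192.168.1.10 80 10
"""

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_LOG).items():
        print(src, hits)
```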

Tuesday, 31 May 2011

Hacking start ICMP Queries

Ping sweeps (or ICMP ECHO packets) are only the tip of the iceberg when it comes
to ICMP information about a system. You can gather all kinds of valuable information
about a system simply by sending an ICMP packet to it. For example, with the UNIX tool
icmpquery (http://packetstormsecurity.org/UNIX/scanners/icmpquery.c) or icmpush
(http://packetstormsecurity.org/UNIX/scanners/icmpush22.tgz), you can request the
time on the system (to see the time zone the system is in) by sending an ICMP type 13
message (TIMESTAMP). Also, you can request the netmask of a particular device with
the ICMP type 17 message (ADDRESS MASK REQUEST). The netmask of a network
card is important because from it you can determine the subnets of the target, and thereby
understand its default gateway and broadcast address. With the default gateway
identified you can target router attacks. And with the broadcast address you can target
denial of service attacks (DoS). With knowledge of the subnets, you can also orient your
attacks to only particular subnets and avoid hitting broadcast addresses, for example.
icmpquery has both a timestamp and an address mask request option:


icmpquery <-query> [-B] [-f fromhost] [-d delay] [-T time] targets where
is one of:
-t : icmp timestamp request (default)
-m : icmp address mask request
The delay is in microseconds to sleep between packets.
targets is a list of hostnames or addresses
-T specifies the number of seconds to wait for a host to respond.
The default is 5.
-B specifies ‘broadcast’ mode. icmpquery will wait for timeout seconds
and print all responses.
If you’re on a modem, you may wish to use a larger -d and –T

To use icmpquery to query a router’s time (typically in Greenwich Mean Time), you
can run this command:

[root] icmpquery -t 192.168.1.1
192.168.1.1 : 11:36:19


To use icmpquery to query a router’s netmask, you can run this command



[root] icmpquery -m 192.168.1.1
192.168.1.1 : 0xFFFFFFE0
Not all routers and systems allow an ICMP TIMESTAMP or NETMASK response, so
your mileage with icmpquery and icmpush may vary greatly from host to host.
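To see exactly what a host that answers these queries gives away, here is an added example (not part of icmpquery or icmpush) that decodes an ICMP TIMESTAMP REPLY (type 14) and an ADDRESS MASK REPLY (type 18), verifies the ICMP checksum, and derives the subnet and broadcast address from the 0xFFFFFFE0 mask returned above. The packets are constructed in the code, not captured.

```python
"""Decode the ICMP replies that answer icmpquery -t and -m, and work out
what a returned netmask reveals. Added example; the packets are built here
to match the icmpquery output above rather than captured from a network."""
import ipaddress
import struct

ICMP_TIMESTAMP_REPLY = 14
ICMP_ADDRESS_MASK_REPLY = 18
ICMP_HEADER = "!BBHHH"          # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: ones' complement of the ones' complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP message with a valid checksum (code is always 0 here)."""
    header = struct.pack(ICMP_HEADER, msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(ICMP_HEADER, msg_type, 0, csum, ident, seq) + payload


def checksum_ok(packet: bytes) -> bool:
    """A message whose checksum field is correct sums to zero."""
    return icmp_checksum(packet) == 0


def decode_icmp_reply(packet: bytes) -> dict:
    """Interpret a timestamp or address-mask reply; reject damaged packets."""
    if len(packet) < 8 or not checksum_ok(packet):
        raise ValueError("truncated ICMP message or bad checksum")
    msg_type, _code, _csum, ident, seq = struct.unpack(ICMP_HEADER, packet[:8])
    body = packet[8:]
    if msg_type == ICMP_TIMESTAMP_REPLY:
        # Originate, receive and transmit stamps: milliseconds since
        # midnight UTC (RFC 792), so the reply exposes the host's clock
        _orig, _recv, xmit = struct.unpack("!III", body[:12])
        secs = (xmit // 1000) % 86400
        clock = "%02d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60)
        return {"kind": "timestamp", "id": ident, "seq": seq, "clock_utc": clock}
    if msg_type == ICMP_ADDRESS_MASK_REPLY:
        (mask,) = struct.unpack("!I", body[:4])
        return {"kind": "mask", "id": ident, "seq": seq, "mask": "0x%08X" % mask}
    return {"kind": "other", "icmp_type": msg_type}


def subnet_from_mask(addr: str, mask: int):
    """Network and broadcast address implied by a host address plus a mask.
    ipaddress rejects non-contiguous masks, so a bogus reply raises here."""
    dotted = str(ipaddress.IPv4Address(mask))
    net = ipaddress.ip_network("%s/%s" % (addr, dotted), strict=False)
    return str(net), str(net.broadcast_address)


# Constructed replies matching the icmpquery output above: a clock of
# 11:36:19 UTC and a mask of 0xFFFFFFE0 from 192.168.1.1
_MS_113619 = ((11 * 60 + 36) * 60 + 19) * 1000
SAMPLE_TIMESTAMP_REPLY = build_icmp(
    ICMP_TIMESTAMP_REPLY, 0x1234, 1, struct.pack("!III", 0, _MS_113619, _MS_113619))
SAMPLE_MASK_REPLY = build_icmp(
    ICMP_ADDRESS_MASK_REPLY, 0x1234, 1, struct.pack("!I", 0xFFFFFFE0))

if __name__ == "__main__":
    print(decode_icmp_reply(SAMPLE_TIMESTAMP_REPLY))
    print(decode_icmp_reply(SAMPLE_MASK_REPLY))
    print(subnet_from_mask("192.168.1.1", 0xFFFFFFE0))
```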

Sunday, 29 May 2011

Determining If The System Is Alive By Network Ping Sweeps

One of the most basic steps in mapping out a network is performing an automated ping
sweep on a range of IP addresses and network blocks to determine if individual devices
or systems are alive. Ping is traditionally used to send ICMP ECHO (ICMP Type 8)
packets to a target system in an attempt to elicit an ICMP ECHO_REPLY (ICMP Type 0)
indicating the target system is alive. Although ping is acceptable to determine the number
of systems alive in a small-to-midsize network (Class C is 254 and Class B is 65,534
potential hosts), it is inefficient for larger, enterprise networks. Scanning larger Class A
networks (16,277,214 potential hosts) can take hours if not days to complete. You must
learn a number of ways for discovering live systems.
Network pinging is the act of sending certain types of traffic to a target and analyzing
the results (or lack thereof). Typically, pinging utilizes ICMP (Internet Control Message
Protocol) and, although not the only packets available for this function, ICMP tends to be
the most heavily supported. Alternatively, one could use either TCP or UDP as well to
perform the same function of finding a host that is alive on the network.
To perform an ICMP ping sweep, you can use a myriad of tools available for both
UNIX and Windows. One of the tried-and-true techniques of performing ping sweeps in
the UNIX world is to use fping. Unlike more traditional ping sweep utilities, which
wait for a response from each system before moving on to the next potential host, fping
is a utility that will send out massively parallel ping requests in a round-robin fashion.
Thus, fping will sweep many IP addresses significantly faster than ping. fping can be
used in one of two ways: you can feed it a series of IP addresses from standard input
(stdin) or you can have it read from a file. Having fping read from a file is easy; simply
create your file with IP addresses on each line:
192.168.51.1
192.168.51.2
192.168.51.3
...
192.168.51.253
192.168.51.254

Then use the –f parameter to read in the file:

[root]$ fping –a –f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
...
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive

The –a option of fping will show only systems that are alive. You can also combine
it with the –d option to resolve hostnames if you choose. We prefer to use the –a option
with shell scripts and the –d option when we are interested in targeting systems that
have unique hostnames. Other options such as –f may interest you when scripting ping
sweeps. Type fping –h for a full listing of available options. Another utility is nmap from Fyodor.

[root] nmap –sP 192.168.1.0/24

Starting nmap V. 4.68 by fyodor@insecure.org (www.insecure.org/nmap/)

Host (192.168.1.0) seems to be a subnet broadcast
address (returned 3 extra pings).
Host (192.168.1.1) appears to be up.
Host (192.168.1.10) appears to be up.
Host (192.168.1.11 ) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) seems to be a subnet broadcast
address (returned 3 extra pings).
Nmap run completed -- 256 IP addresses (10 hosts up) scanned in 21 seconds

For the Windows-inclined, we like the tried-and-true freeware product SuperScan
from Foundstone. It is one of the fastest ping sweep utilities
available. Like fping, SuperScan sends out multiple ICMP ECHO packets (in addition
to three other types of ICMP) in parallel and simply waits and listens for responses. Also like
fping, SuperScan allows you to resolve hostnames and view the output in an HTML file.
For those technically minded, here’s a brief synopsis of the different types of ICMP
packets that can be used to ping a host.

The primary ICMP types are
• Message Type: 0 – Echo Reply
• Message Type: 3 – Destination Unreachable
• Message Type: 4 – Source Quench
• Message Type: 5 – Redirect
• Message Type: 8 – Echo
• Message Type: 11 – Time Exceeded
• Message Type: 12 – Parameter Problem
• Message Type: 13 – Timestamp
• Message Type: 14 – Timestamp Reply
• Message Type: 15 – Information Request
• Message Type: 16 – Information Reply

Any of these ICMP message types could potentially be used to discover a host on the
network; it just depends on the target’s ICMP implementation and how it responds to
these packet types. How the different operating systems respond or don’t respond to the
various ICMP types also aids in remote OS detection.
You may be wondering what happens if ICMP is blocked by the target site. Good
question. It is not uncommon to come across a security-conscious site that has blocked
ICMP at the border router or firewall. Although ICMP may be blocked, some additional
tools and techniques can be used to determine if systems are actually alive. However,
they are not as accurate or as efficient as a normal ping sweep.
When ICMP traffic is blocked, port scanning is the first alternate technique to determine
live hosts. By scanning for common ports on every potential IP address, we can determine which hosts are alive
if we can identify open or listening ports on the target system. This technique can be
time-consuming, but it can often unearth rogue systems or highly protected systems.
For Windows, the tool we recommend is SuperScan. As discussed earlier, SuperScan
will perform both host and service discovery using ICMP and TCP/UDP, respectively.
Using the TCP/UDP port scan options, you can determine whether a host is alive
without using ICMP at all: simply select the check box for each protocol you wish to
use and the type of technique you desire, and you are off to the races.
Another tool used for this host discovery technique is the UNIX/Windows tool
nmap. The Windows version, which is nmap with the Windows wrapper called Zenmap,
is now well supported so, for the truly command line challenged amongst you, you can
easily download the latest Windows version at nmap.org and get scanning quickly. Of
course, the product installs WinPcap so be prepared: if you haven’t installed this
application before on your Windows system, you should know that this is a packet filter
driver that allows nmap to read and write raw packets from and to the wire. nmap for Windows allows for a number of ping options
to discover hosts on a network. These host discovery options have long been available to
the UNIX world, but now Windows users can also leverage them.
As mentioned previously, nmap does provide the capability to perform ICMP sweeps.
However, it offers a more advanced option called TCP ping scan. A TCP ping scan is
initiated with the –PT option and a port number such as 80. We use 80 because it is a
common port that sites will allow through their border routers to systems on their
demilitarized zone (DMZ), or even better, through their main firewall(s). This option will
spew out TCP ACK packets to the target network and wait for RST packets indicating
the host is alive. ACK packets are sent because they are more likely to get through a
nonstateful firewall such as Cisco IOS. Here’s an example:

[root] nmap -sP -PT80 192.168.1.0/24
TCP probe port is 80
Starting nmap V. 4.68
Host (192.168.1.0) appears to be up.
Host (192.168.1.1) appears to be up.
Host shadow (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) appears to be up.
Nmap run completed (10 hosts up ) scanned in 5 seconds

As you can see, this method is quite effective in determining if systems are alive,
even if the site blocks ICMP. It is worth trying a few iterations of this type of scan with
common ports such as SMTP (25), POP (110), AUTH (113), IMAP (143), or other ports
that may be unique to the site.
For the advanced technical reader, Hping2 from www.hping.org is an amazing TCP
ping utility for UNIX that should be in your toolbox. With additional TCP functionality
beyond nmap, Hping2 allows the user to control specific options of the UDP, TCP, or
Raw IP packet that may allow it to pass through certain access control devices.
To perform a simple TCP ping scan, set the TCP destination port with the –p option.
By doing this you can circumvent some access control devices similar to the traceroute
technique. Hping2 can be used to perform TCP and UDP ping
sweeps, and it has the ability to fragment packets, potentially bypassing some access
control devices. Here’s an example:

[root]# hping2 192.168.0.2 -S -p 80 -f
HPING 192.168.0.2 (eth0 192.168.0.2): S set , 40 data bytes
60 bytes from 192.168.0.2: flags = SA seq=0 ttl=64 id=418 win=5840 time=3.2 ms
60 bytes from 192.168.0.2: flags=SA seq=1 ttl=64 id=420 win=5840 time=2.1 ms
60 bytes from 192.168.0.2: flags=SA seq=2 ttl=64 id=422 win=5840 time=2.0 ms

--- 192.168.0.2 hping statistic ---
3 packets tramitted, 3 packets received , 0% packet loss

In some cases, simple access control devices cannot handle fragmented packets
correctly, thus allowing our packets to pass through and determine if the target system
is alive. Notice that the TCP SYN (S) flag and the TCP ACK (A) flag are returned whenever
a port is open (flags=SA). Hping2 can easily be integrated into shell scripts by using the
–cN packet count option, where N is the number of packets to send before moving on.
Although this method is not as fast as some of the ICMP ping sweep methods mentioned
earlier, it may be necessary given the configuration of the target network.
The final tool we will analyze is icmpenum, from Simple Nomad. This UNIX utility
is a handy ICMP enumeration tool that allows you to quickly identify systems that are
alive by sending the traditional ICMP ECHO packets as well as ICMP TIMESTAMP
REQUEST and ICMP INFO REQUEST (similar to SuperScan). Thus, if ingress (inbound)
ICMP ECHO packets are dropped by a border router or firewall, it may still be possible
to identify systems using one of these alternate ICMP types:

[shadow] icmpenum –i 2 -c 192.168.1.0
192.168.1.1 is up
192.168.1.10 is up
192.168.1.11 is up
192.168.1.15 is up
192.168.1.20 is up
192.168.1.103 is up

In this example, we enumerated the entire 192.168.1.0 Class C network using an
ICMP TIME STAMP REQUEST. However, the real power of icmpenum is to identify
systems using spoofed packets to avoid detection. Spoofed packets do not carry the
scanner's true, legitimate IP address as their source address, thereby making it look like
the scan is coming from another host on the network. This technique is possible because
icmpenum supports the ability to spoof packets with the -s option and passively listen
for responses with the -p switch.
To summarize, this step allows us to determine exactly what systems are alive via
ICMP or through selective port scans. Out of 255 potential addresses within the Class C
range, we have determined that several hosts are alive and have now become our targets
for subsequent interrogation.

Saturday, 28 May 2011

Determine Mail Exchange (MX) Records

Determining where mail is handled is a great starting place to locate the target
organization’s firewall network. Often in a commercial environment, mail is handled on
the same system as the firewall, or at least on the same network. Therefore, we can use
the host command to help harvest even more information:

[bash]$ host example.com

example.com has address 192.168.1.7
example.com mail is handled (pri=10) by mail.example.com
example.com mail is handled (pri=20) by smtp-forward.example.com

DNS Interrogation-Zone Transfers

Now we begin to query the DNS. DNS is a distributed database used to map IP addresses to hostnames, and vice versa. If DNS is configured insecurely, it is possible to obtain revealing information about the organization.
One of the most serious misconfigurations a system administrator can make is
allowing untrusted Internet users to perform a DNS zone transfer. While this technique
has become almost obsolete, we include it here for three reasons:

1. This vulnerability allows for significant information gathering on a target.
2. It is often the springboard to attacks that would not be present without it.
3. Believe it or not, you can find many DNS servers still allowing this feature.

A zone transfer allows a secondary master server to update its zone database from the
primary master. This provides for redundancy when running DNS, should the primary
name server become unavailable. Generally, a DNS zone transfer needs to be performed
only by secondary master DNS servers. Many DNS servers, however, are misconfigured
and provide a copy of the zone to anyone who asks. This isn’t necessarily bad if the only
information provided is related to systems that are connected to the Internet and have
valid hostnames, although it makes it that much easier for attackers to find potential
targets. The real problem occurs when an organization does not use a public/private
DNS mechanism to segregate its external DNS information (which is public) from its
internal, private DNS information. In this case, internal hostnames and IP addresses are
disclosed to the attacker. Providing internal IP address information to an untrusted user
over the Internet is akin to providing a complete blueprint, or roadmap, of an organization’s
internal network.
Let’s take a look at several methods we can use to perform zone transfers and the
types of information that can be gleaned. Although many different tools are available to
perform zone transfers, we are going to limit the discussion to several common types.
A simple way to perform a zone transfer is to use the nslookup client that is usually
provided with most UNIX and Windows implementations. We can use nslookup in
interactive mode, as follows:

[bash]$ nslookup
Default Server: ns1.example.com
Address: 10.10.20.2
> 192.168.1.1
Server: ns1.example.com
Address: 10.10.20.2
Name: gate.example.com
Address: 192.168.1.1
> set type=any
> ls -d example.com. >> /tmp/zone_out

We first run nslookup in interactive mode. Once started, it will tell us the default
name server that it is using, which is normally the organization’s DNS server or a DNS
server provided by an ISP. However, our DNS server (10.10.20.2) is not authoritative for
our target domain, so it will not have all the DNS records we are looking for. Therefore,
we need to manually tell nslookup which DNS server to query. In our example, we want
to use the primary DNS server for example.com (192.168.1.1).
Next we set the record type to “any.” This will allow us to pull any DNS records
available (man nslookup) for a complete list.
Finally, we use the ls option to list all the associated records for the domain. The –d
switch is used to list all records for the domain. We append a period (.) to the end to
signify the fully qualified domain name—however, you can leave this off most times. In
addition, we redirect our output to the file /tmp/zone_out so that we can manipulate
the output later.
After completing the zone transfer, we can view the file to see whether there is any
interesting information that will allow us to target specific systems. Let’s review simulated
output for example.com:

[bash]$ more zone_out
acct18 ID IN A 192.168.230.3
ID IN HINFO “Gateway2000” “WinWKGRPS”
ID IN MX 0 exampleadmin-smtp
ID IN RP bsmith.rci bsmith.who
ID IN TXT “Location:Telephone Room”
ce ID IN CNAME aesop
au ID IN A 192.168.230.4
ID IN HINFO “Aspect” “MS-DOS”
ID IN MX 0 andromeda
ID IN RP jcoy.erebus jcoy.who
ID IN TXT “Location: Library”
acct21 ID IN A 192.168.230.5
ID IN HINFO “Gateway2000” “WinWKGRPS”
ID IN MX 0 exampleadmin-smtp
ID IN RP bsmith.rci bsmith.who
ID IN TXT “Location:Accounting”

We won’t go through each record in detail, but we will point out several important
types. We see that for each entry we have an “A” record that denotes the IP address of
the system name located to the right. In addition, each host has an HINFO record that
identifies the platform or type of operating system running (see RFC 952). HINFO records
are not needed, but they provide a wealth of information to attackers. Because we saved
the results of the zone transfer to an output file, we can easily manipulate the results
with UNIX programs such as grep, sed, awk, or perl.
Suppose we are experts in SunOS/Solaris. We could programmatically find out the
IP addresses that have an HINFO record associated with Sparc, SunOS, or Solaris:

[bash]$ grep -i solaris zone_out | wc -l
388

We can see that we have 388 potential records that reference the word “Solaris.”
Obviously, we have plenty of targets.
Suppose we wanted to find test systems, which happen to be a favorite choice for
attackers. Why? Simple: they normally don’t have many security features enabled, often
have easily guessed passwords, and administrators tend not to notice or care who logs
in to them. They’re a perfect home for any interloper. Thus, we can search for test systems
as follows:

[bash]$ grep -i test /tmp/zone_out | wc -l
96

So we have approximately 96 entries in the zone file that contain the word “test.”
This should equate to a fair number of actual test systems. These are just a few simple
examples. Most intruders will slice and dice this data to zero in on specific system types
with known vulnerabilities.
Keep a few points in mind. First, the aforementioned method queries only one
nameserver at a time. This means you would have to perform the same tasks for all
nameservers that are authoritative for the target domain. In addition, we queried only
the example.com domain. If there were subdomains, we would have to perform the same
type of query for each subdomain (for example, greenhouse.example.com). Finally, you
may receive a message stating that you can’t list the domain or that the query was
refused. This usually indicates that the server has been configured to disallow zone
transfers from unauthorized users. Therefore, you will not be able to perform a zone
transfer from this server. However, if there are multiple DNS servers, you may be able to
find one that will allow zone transfers.
Now that we have shown you the manual method, there are plenty of tools that
speed the process, including host, Sam Spade, axfr, and dig.
The host command comes with many flavors of UNIX. Some simple ways of using
host are as follows:
host -l example.com
and
host -l -v -t any example.com
If you need just the IP addresses to feed into a shell script, you can just cut out the IP
addresses from the host command:

host -l example.com | cut -f 4 -d" " >> /tmp/ip_out
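The grep counts above count matching lines, not hosts, and the cut pipeline keeps only the A records. An added example (not from the book or this blog) that parses the nslookup ls -d listing shown earlier, where the owner name appears only on the first record of each host and the following records continue it, so hosts can be selected by HINFO platform or by name, their A records pulled out, and the record types that leak internal detail (HINFO, RP, TXT) reported per host. The zone text is constructed from the listing above plus two made-up test hosts.

```python
"""Parse an nslookup 'ls -d' zone listing into records per owner and query
it. Added example; SAMPLE_ZONE is the listing shown above (straight quotes)
plus two constructed test hosts."""
import re
import shlex
from collections import defaultdict


def parse_zone_listing(text: str) -> dict:
    """Return {owner: [(rtype, rdata), ...]} preserving record order.
    A line with no owner column continues the previous owner."""
    records = defaultdict(list)
    owner = None
    for raw in text.splitlines():
        # the printed listing uses typographic quotes; normalise for shlex
        line = raw.replace("\u201c", '"').replace("\u201d", '"').strip()
        if not line:
            continue
        toks = shlex.split(line)
        if len(toks) >= 3 and toks[1] == "IN":        # TTL IN type rdata...
            if owner is None:
                raise ValueError("continuation record before any owner: %r" % raw)
            rtype, rdata = toks[2], toks[3:]
        elif len(toks) >= 4 and toks[2] == "IN":      # owner TTL IN type rdata...
            owner, rtype, rdata = toks[0], toks[3], toks[4:]
        else:
            raise ValueError("unrecognised record: %r" % raw)
        records[owner].append((rtype, " ".join(rdata)))
    return dict(records)


def a_record_ips(records: dict) -> dict:
    """{owner: ip} for every host with an A record (what the cut pipeline extracts)."""
    return {o: rd for o, rs in records.items() for rt, rd in rs if rt == "A"}


def hosts_with_hinfo(records: dict, pattern: str) -> dict:
    """Hosts whose HINFO matches pattern (case-insensitive), with their IP."""
    rx = re.compile(pattern, re.IGNORECASE)
    ips = a_record_ips(records)
    return {o: ips.get(o) for o, rs in records.items()
            if any(rt == "HINFO" and rx.search(rd) for rt, rd in rs)}


def hosts_named_like(records: dict, needle: str) -> list:
    """Owners whose name contains needle (case-insensitive), e.g. 'test'."""
    return sorted(o for o in records if needle.lower() in o.lower())


def disclosure_report(records: dict, noisy=("HINFO", "RP", "TXT")) -> dict:
    """Per host, the record types beyond its address that reveal platform,
    contact or location: what to strip from an externally visible zone."""
    return {o: sorted({rt for rt, _ in rs if rt in noisy})
            for o, rs in records.items()
            if any(rt in noisy for rt, _ in rs)}


SAMPLE_ZONE = """\
acct18 ID IN A 192.168.230.3
ID IN HINFO "Gateway2000" "WinWKGRPS"
ID IN MX 0 exampleadmin-smtp
ID IN RP bsmith.rci bsmith.who
ID IN TXT "Location:Telephone Room"
ce ID IN CNAME aesop
au ID IN A 192.168.230.4
ID IN HINFO "Aspect" "MS-DOS"
ID IN MX 0 andromeda
ID IN RP jcoy.erebus jcoy.who
ID IN TXT "Location: Library"
acct21 ID IN A 192.168.230.5
ID IN HINFO "Gateway2000" "WinWKGRPS"
ID IN MX 0 exampleadmin-smtp
ID IN RP bsmith.rci bsmith.who
ID IN TXT "Location:Accounting"
test-sun1 ID IN A 192.168.230.9
ID IN HINFO "Sparc" "Solaris"
testdb ID IN A 192.168.230.10
ID IN HINFO "Sun" "SunOS"
"""

if __name__ == "__main__":
    recs = parse_zone_listing(SAMPLE_ZONE)
    print(hosts_with_hinfo(recs, "sparc|sunos|solaris"))
    print(hosts_named_like(recs, "test"))
    print(disclosure_report(recs))
```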

Not all footprinting functions must be performed through UNIX commands. A
number of Windows products, such as Sam Spade, provide the same information.
The UNIX dig command is a favorite with DNS administrators and is often used to
troubleshoot DNS architectures. It too can perform the various DNS interrogations
mentioned in this section. It has too many command-line options to list here; the man
page explains its features in detail.
Finally, you can use one of the best tools for performing zone transfers: axfr
(http://packetstormsecurity.nl/groups/ADM/axfr-0.5.2.tar.gz) by Gaius. This utility will
recursively transfer zone information and create a compressed database of zone and host
files for each domain queried. In addition, you can even pass top-level domains such as
.com and .edu to get all the domains associated with .com and .edu, respectively.
However, this is not recommended due to the vast number of domains within each of
these TLDs.
To run axfr, you would type the following:

[bash]$ axfr example.com
axfr: Using default directory: /root/axfrdb
Found 2 name servers for domain ''example.com.'':
Text deleted.
Received XXX answers (XXX records).
To query the axfr database for the information just obtained, you would type the
following:

[bash]$ axfrcat example.com

Friday, 27 May 2011

Hacking start IP-Related Searches

That pretty well takes care of the domain-related searches, but what about IP-related
registrations? As explained earlier, IP-related issues are handled by the various RIRs
under ICANN’s ASO. Let’s see how we go about querying this information.
The WHOIS server at ICANN (IANA) does not currently act as an authoritative
registry for all the RIRs as it does for the TLDs, but each RIR does know which IP ranges
it manages. This allows us to simply pick any one of them to start our search. If we pick
the wrong one, it will tell us which one we need to go to.
Let’s say that while perusing your security logs (as I’m sure you do religiously,
right?), you run across an interesting entry with a source IP of 61.0.0.2. You start by
entering this IP into the WHOIS search at http://www.arin.net, which tells
you that this range of IPs is actually managed by APNIC. You then go to APNIC’s site at http://www.apnic.net to continue your search. Here you find out that this
IP address is actually managed by the National Internet Backbone of India.
This process can be followed to trace back any IP address in the world to its owner,
or at least to a point of contact that may be willing to provide the remaining details. As
with anything else, cooperation is almost completely voluntary and will vary as you deal
with different companies and different governments. Always keep in mind that there are
many ways for a hacker to masquerade their true IP. In today’s cyberworld, it’s more
likely to be an illegitimate IP address than a real one. So the IP that shows up in your logs
may be what we refer to as a laundered IP address—almost untraceable.
We can also find out IP ranges and BGP autonomous system numbers that an
organization owns by searching the RIR WHOIS servers for the organization’s literal
name. For example, if we search for “Google” at http://www.arin.net, we see the IP
ranges that Google owns under its name as well as its AS number, AS15169. The value of the IP address
information is probably obvious; the value of the BGP information is less so: the AS number identifies the prefixes the organization announces to the rest of the Internet, including ranges that may not be registered under its literal name.
The administrative contact is an important piece of information because it may tell
you the name of the person responsible for the Internet connection or firewall. Our query
also returns voice and fax numbers. This information is an enormous help when you’re
performing a dial-in penetration review. Just fire up the war-dialers in the noted range,
and you’re off to a good start in identifying potential modem numbers. In addition, an
intruder will often pose as the administrative contact using social engineering on
unsuspecting users in an organization. An attacker will send spoofed e-mail messages
posing as the administrative contact to a gullible user. It is amazing how many users will
change their passwords to whatever you like, as long as it looks like the request is being
sent from a trusted technical support person.
The record creation and modification dates indicate how accurate the information is.
If the record was created five years ago but hasn’t been updated since, it is a good bet
some of the information (for example, administrative contact) may be out of date.
The last piece of information provides us with the authoritative DNS servers, which
are the sources of record for name lookups for that domain or IP. The first one listed is
the primary DNS server; subsequent DNS servers will be secondary, tertiary, and so on.
We will need this information for our DNS interrogation.
Additionally, we can try to use the network range listed as a starting point for our
network query of the ARIN database.

Hacking start Domain-Related Searches

It’s important to note that domain-related items (such as sitewelder.com) are
registered separately from IP-related items (such as IP net-blocks, BGP autonomous
system numbers, etc.). This means we will have two different paths in our methodology
for finding these details. Let’s start with domain-related details, using keyhole.com as an
example.
The first order of business is to determine which one of the many WHOIS servers
contains the information we’re after. The general process flows like this: the authoritative
Registry for a given TLD, “.com” in this case, contains information about which Registrar
the target entity registered its domain with. Then you query the appropriate Registrar to
find the Registrant details for the particular domain name you’re after. We refer to these
as the “Three Rs” of WHOIS: Registry, Registrar, and Registrant.
There are many places on the Internet that offer one-stop-shopping for WHOIS
information, but it’s important to understand how to find the information yourself for
those times that the auto-magic tools don’t work. Since the WHOIS information is based
on a hierarchy, the best place to start is the top of the tree—ICANN. As mentioned above,
ICANN (IANA) is the authoritative registry for all of the TLDs and is a great starting
point for all manual WHOIS queries. If we surf to http://whois.iana.org, we can search for the authoritative registry for all
of .com. This search shows us that the authoritative registry for .com is
Verisign Global Registry Services at http://www.verisign-grs.com. If we go to that site
and click the Whois link to the right, we get the Verisign Whois Search page where we
can search for keyhole.com and find that keyhole.com is registered through http://www.markmonitor.com. If we go to that site and search their “Search Whois” field on the
right, we can query this registrar’s WHOIS server via their web interface to
find the registrant details for keyhole.com—voilà!
This registrant detail provides physical addresses, phone numbers, names, e-mail
addresses, DNS server names, IPs, and so on. If you follow this process carefully, you shouldn’t have too much trouble finding registrant details for any (public) domain name
on the planet. Remember, some domains like .gov and .mil may not be accessible to the
public via WHOIS.
To be thorough, we could have done the same searches via the command-line WHOIS
client with the following three commands:
[bash]$ whois com -h whois.iana.org
[bash]$ whois keyhole.com -h whois.verisign-grs.com
[bash]$ whois keyhole.com -h whois.omnis.com
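The IP-related lookup described earlier and the "Three Rs" chain for domains are the same loop: ask a WHOIS server, read its referral, ask the next one. The following Python script is an added example (not code from the original post or from any tool named on this page); it implements that loop over RFC 3912 WHOIS on TCP port 43, and the canned responses it uses when run without an argument are constructed, not live registry data.

```python
"""Follow a WHOIS referral chain: IANA -> registry -> registrar for a domain,
or IANA -> RIR for an IPv4 address. Added example, not the original post's code.

Each hop sends one RFC 3912 query (plain text over TCP/43) and looks for a line
naming the next server. CANNED_RESPONSES are constructed for offline use.
"""
import re
import socket
import sys
from typing import Callable, List, Optional, Tuple

# Referral formats: IANA "refer:"/"whois:", gTLD registries
# "Registrar WHOIS Server:", ARIN "ReferralServer: whois://host".
REFERRAL_RE = re.compile(
    r"^[ \t]*(?:refer|whois|Registrar WHOIS Server|ReferralServer):[ \t]*"
    r"(?:whois://)?([A-Za-z0-9.-]+)(?::\d+)?[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one WHOIS query to `server` on TCP port 43 and return the reply."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def next_server(response: str, current: str) -> Optional[str]:
    """Server the reply refers us to, or None when the chain ends.

    Registrars repeat their own name in "Registrar WHOIS Server:", so a referral
    back to the server just asked means the registrant record has been reached.
    """
    match = REFERRAL_RE.search(response)
    if match is None:
        return None
    target = match.group(1).lower()
    return None if target == current.lower() else target


def is_ipv4(text: str) -> bool:
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def follow_referrals(target: str, querier: Callable[[str, str], str] = whois_query,
                     start: str = "whois.iana.org", max_hops: int = 5
                     ) -> List[Tuple[str, str]]:
    """Return the (server, reply) pairs visited, starting at IANA.

    IANA knows registries, not domains, so the first hop asks about the TLD alone
    ("com" for keyhole.com); later hops ask about the full target. An IP address
    is sent whole from the start.
    """
    query = target if is_ipv4(target) else target.rsplit(".", 1)[-1]
    hops: List[Tuple[str, str]] = []
    server = start
    for _ in range(max_hops):
        reply = querier(server, query)
        hops.append((server, reply))
        referral = next_server(reply, server)
        if referral is None:
            break
        server, query = referral, target
    return hops


# Constructed sample replies shaped like real ones; the values are not live data.
CANNED_RESPONSES = {
    ("whois.iana.org", "com"): "refer:        whois.verisign-grs.com\n\ndomain:       COM\n",
    ("whois.verisign-grs.com", "keyhole.com"):
        "   Domain Name: KEYHOLE.COM\n   Registrar WHOIS Server: whois.markmonitor.com\n",
    ("whois.markmonitor.com", "keyhole.com"):
        "Domain Name: keyhole.com\nRegistrar WHOIS Server: whois.markmonitor.com\n"
        "Registrant Organization: (constructed sample)\n",
    ("whois.iana.org", "61.0.0.2"): "refer:        whois.apnic.net\n\ninetnum:      61.0.0.0 - 61.255.255.255\n",
    ("whois.apnic.net", "61.0.0.2"): "inetnum:        61.0.0.0 - 61.0.255.255\ndescr:          constructed sample\n",
}


def canned_querier(server: str, query: str) -> str:
    """Offline stand-in for whois_query, answering from CANNED_RESPONSES."""
    return CANNED_RESPONSES[(server, query)]


if __name__ == "__main__":
    live = len(sys.argv) > 1  # pass a domain or IP to query real servers
    name = sys.argv[1] if live else "keyhole.com"
    for host, text in follow_referrals(name, whois_query if live else canned_querier):
        print(f"=== {host} ===")
        print(text.strip())
```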
There are also several websites that attempt to automate this process with varying
degrees of success:
• http://www.allwhois.com
• http://www.uwhois.com
• http://www.internic.net/whois.html
Last but not least, there are several GUIs available that will also assist you in your
searches:
• SamSpade http://www.samspade.org
• SuperScan http://www.foundstone.com
• NetScan Tools Pro http://www.nwpsw.com
Once you’ve homed in on the correct WHOIS server for your target, you may be able
to perform other searches if the registrar allows it. You may be able to find all the domains
that a particular DNS server hosts, for instance, or any domain name that contains a
certain string. These types of searches are rapidly being disallowed by most WHOIS
servers, but it is still worth a look to see what the registrar permits. It may be just what
you’re after.

Hacking start WHOIS & DNS Enumeration

While much of the Internet’s appeal stems from its lack of centralized control, in
reality several of its underlying functions must be centrally managed in order to ensure
interoperability, prevent IP conflicts, and ensure universal resolvability across
geographical and political boundaries. This means that someone is managing a vast
amount of information. If you understand a little about how this is actually done, you
can effectively tap into this wealth of information! The Internet has come a long way
since its inception. The particulars of how all this information is managed, and by whom,
is still evolving as well.
So who is managing the Internet today, you ask? These core functions of the Internet
are managed by a nonprofit organization, the Internet Corporation for Assigned Names
and Numbers (ICANN; http://www.icann.org).
ICANN is a technical coordination body for the Internet. Created in October 1998 by
a broad coalition of the Internet’s business, technical, academic, and user communities,
ICANN is assuming responsibility for a set of technical functions previously performed
under U.S. government contract by the Internet Assigned Numbers Authority (IANA;
http://www.iana.org) and other groups. (In practice, IANA still handles much of the
day-to-day operations, but these will eventually be transitioned to ICANN.)
Specifically, ICANN coordinates the assignment of the following identifiers that
must be globally unique for the Internet to function:
• Internet domain names
• IP address numbers
• Protocol parameters and port numbers
In addition, ICANN coordinates the stable operation of the Internet’s root DNS server
system.
As a nonprofit, private-sector corporation, ICANN is dedicated to preserving the
operational stability of the Internet; to promoting competition; to achieving broad
representation of global Internet communities; and to developing policy through private-sector,
bottom-up, consensus-based means. ICANN welcomes the participation of any
interested Internet user, business, or organization.
While there are many parts to ICANN, three of the suborganizations are of particular
interest to us at this point:
• Address Supporting Organization (ASO), http://www.aso.icann.org
• Generic Names Supporting Organization (GNSO), http://www.gnso.icann.org
• Country Code Domain Name Supporting Organization (CCNSO), http://www.ccnso.icann.org
The ASO reviews and develops recommendations on IP address policy and advises
the ICANN board on these matters. The ASO allocates IP address blocks to various
Regional Internet Registries (RIRs) who manage, distribute, and register public Internet
number resources within their respective regions. These RIRs then allocate IPs to
organizations, Internet service providers (ISPs), or in some cases, National Internet
Registries (NIRs) or Local Internet Registries (LIRs) if particular governments require it
(mostly in communist countries, dictatorships, etc.):
• APNIC (http://www.apnic.net) Asia-Pacific region
• ARIN (http://www.arin.net) North and South America, Sub-Sahara Africa
regions
• LACNIC (http://www.lacnic.net) Portions of Latin America and the
Caribbean
• RIPE (http://www.ripe.net) Europe, parts of Asia, Africa north of the equator,
and the Middle East regions
• AfriNIC (http://www.afrinic.net, currently in observer status) Eventually
both regions of Africa currently handled by ARIN and RIPE
The GNSO reviews and develops recommendations on domain-name policy for all
generic top-level domains (gTLDs) and advises the ICANN Board on these matters. It’s
important to note that the GNSO is not responsible for domain-name registration, but
rather is responsible for the generic top-level domains (for example, .com, .net, .edu, .org,
and .info), which can be found at http://www.iana.org/gtld/gtld.htm.
The CCNSO reviews and develops recommendations on domain-name policy for all
country-code top-level domains (ccTLDs) and advises the ICANN Board on these
matters. Again, ICANN does not handle domain-name registrations. The definitive list
of country-code top-level domains can be found at http://www.iana.org/cctld/cctldwhois.htm.
Here are some other links you may find useful:
• http://www.iana.org/assignments/ipv4-address-space IP v4 allocation
• http://www.iana.org/ipaddress/ip-addresses.htm IP address services
• http://www.rfc-editor.org/rfc/rfc3330.txt Special-use IP addresses
• http://www.iana.org/assignments/port-numbers Registered port numbers
• http://www.iana.org/assignments/protocol-numbers Registered protocol
numbers
With all of this centralized management in place, mining for information should be
as simple as querying a central super-server farm somewhere, right? Not exactly. While
the management is fairly centralized, the actual data is spread across the globe in
numerous WHOIS servers for technical and political reasons. To further complicate
matters, the WHOIS query syntax, type of permitted queries, available data, and
formatting of the results can vary widely from server to server. Furthermore, many of the
registrars are actively restricting queries to combat spammers, hackers, and resource
overload; to top it all off, information for .mil and .gov has been pulled from public
view entirely due to national security concerns.
You may ask, “How do I go about finding the data I’m after?” With a few tools, a little
know-how, and some patience, you should be able to mine successfully for domain- or
IP-related registrant details for nearly any registered entity on the planet!

Hacking start Search Engines, Usenet, and Resumes

The search engines available today are truly fantastic. Within seconds, you can find just
about anything you could ever want to know. Many of today’s popular search engines
provide for advanced searching capabilities that can help you home in on that tidbit
of information that makes the difference. Some of our favorite search engines are
http://www.google.com, http://search.yahoo.com, http://www.altavista.com, and
http://www.dogpile.com (which sends your search to multiple search engines such as
Google, Yahoo, Microsoft Live Search, and Ask.com). It is worth the effort to become
familiar with the advanced searching capabilities of these sites. There is so much sensitive
information available through these sites that there have even been books written on
how to “hack” with search engines—for example, Google Hacking for Penetration Testers
Vol. 2, by Johnny Long (Syngress, 2007).
Here is a simple example: If you search Google for “allinurl:tsweb/default.htm,”
Google will reveal Microsoft Windows servers with Remote Desktop Web Connection
exposed. This could eventually lead to full graphical console access to the server via the
Remote Desktop Protocol (RDP) using only Internet Explorer and the ActiveX RDP client
that the target Windows server offers to the attacker when this feature is enabled. There
are literally hundreds of other searches that reveal everything from exposed web cameras
to remote admin services to passwords to databases. We won’t attempt to reinvent the
wheel here but instead will refer you to one of the definitive Google hacking sites
available at http://johnny.ihackstuff.com. Johnny Long compiled the Google Hacking
Database (GHDB): http://johnny.ihackstuff.com/ghdb.php. Despite this hacking
database not being updated frequently, it offers a fantastic basic listing of many of the
best Google search strings that hackers will use to dig up information on the Web.
Of course, just having the database of searches isn’t good enough, right? A few tools
have been released recently that take this concept to the next level: Athena 2.0 by Steve
at snakeoillabs (http://www.snakeoillabs.com); SiteDigger 2.0 (http://www.foundstone.
com); and Wikto 2.0 by Roelof and the crew (http://www.sensepost.com/research/
wikto). They search Google’s cache to look for the plethora of vulnerabilities, errors,
configuration issues, proprietary information, and interesting security nuggets hiding
on websites around the world. SiteDigger allows you to target specific
domains, uses the GHDB or the streamlined Foundstone list of searches, allows you to
submit new searches to be added to the database, allows for raw searches, and—best of
all—has an update feature that downloads the latest GHDB and/or Foundstone searches
right into the tool so you never miss a beat.
The Usenet discussion forums or news groups are a rich resource of sensitive
information, as well. One of the most common uses of the news groups among IT
professionals is to get quick access to help with problems they can’t easily solve
themselves. Google provides a nice web interface to the Usenet news groups, complete
with its now-famous advanced searching capabilities. For example, a simple search for
“pix firewall config help” yields hundreds of postings from people requesting help with
their Cisco PIX firewall configurations. Some of these postings
actually include cut-and-pasted copies of their production configuration, including IP
addresses, ACLs, password hashes, network address translation (NAT) mappings, and
so on. This type of search can be further refined to home in on postings from e-mail
addresses at specific domains (in other words, @company.com) or other interesting search
strings.
If the person in need of help knows to not post their configuration details to a public
forum like this, they might still fall prey to a social engineering attack. An attacker could
respond with a friendly offer to assist the weary admin with their issue. If the attacker
can finagle a position of trust, they may end up with the same sensitive information
despite the initial caution of the admin.
Another interesting source of information lies in the myriad of resumes available
online. With the IT profession being as vast and diverse as it is, finding a perfect employee-to-position match can be quite difficult. One of the best ways to reduce the large number
of false positives is to provide very detailed, often sensitive, information in both the job
postings and in the resumes.
Imagine that an organization is in need of a seasoned IT security professional to
assume very specific roles and job functions. This security professional needs to be
proficient with this, that, and the other thing, as well as able to program this and that—
you get the idea. The company must provide those details in order to get qualified leads
(vendors, versions, specific responsibilities, level of experience required, etc.). If the
organization is posting for a security professional with, say, five or more years’ experience
working with CheckPoint firewalls and Snort IDS, what kind of firewall and IDS do you
think they use? Maybe they are advertising for an intrusion-detection expert to develop
and lead their IR team. What does this say about their current incident detection and
response capabilities? Could they be in a bit of disarray? Do they even have one currently?
If the posting doesn’t provide the details, maybe a phone call will. The same is true for
an interesting resume—impersonate a headhunter and start asking questions. These
kinds of details can help an attacker paint a detailed picture of security posture of the
target organization—very important when planning an attack!
If you do a search on Google for something like “company resume firewall,” where
company is the name of the target organization, you will most likely find a number of
resumes from current and/or past employees of the target that include very detailed
information about technologies they use and initiatives they are working on. Job sites
like http://www.monster.com and http://www.careerbuilder.com contain tens of
millions of resumes and job postings. Searching on organization names may yield
amazing technical details. In order to tap into the vast sea of resumes on these sites, you
have to be a registered organization and pay access fees. However, it is not too hard for
an attacker to front a fake company and pay the fee in order to access the millions of
resumes.

Thursday, 26 May, 2011

Privacy or Security Policies and Technical Details; Archived Information

Any piece of information that provides insight into the target organization’s privacy or
security policies or technical details regarding hardware and software used to protect the
organization can be useful to an attacker for obvious reasons. Opportunities will most
likely present themselves when this information is acquired.
It’s important to be aware that there are sites on the Internet where you can retrieve
archived copies of information that may no longer be available from the original source.
This could allow an attacker to gain access to information that has been deliberately
removed for security reasons. Some examples of this are the Wayback Machine at http://www.archive.org, http://www.thememoryhole.org, and
the cached copies of pages that Google shows alongside its search results.

Hacking start Current Events


Current events are often of significant interest to attackers. Mergers, acquisitions,
scandals, layoffs, rapid hiring, reorganizations, outsourcing, extensive use of temporary
contractors, and other events may provide clues, opportunities, and situations that didn’t
exist before. For instance, one of the first things to happen after a merger or acquisition
is a blending of the organizations’ networks. Security is often placed on the back burner
in order to expedite the exchange of data. How many times have you heard, “I know it
isn’t the most secure way to do it, but we need to get this done ASAP. We’ll fix it later.”?
In reality, “later” often never comes, thus allowing an attacker to exploit this frailty in the
name of availability in order to access a back-end connection to the primary target.
The human factor comes into play during these events, too. Morale is often low
during times like these, and when morale is low, people may be more interested in
updating their resumes than watching the security logs or applying the latest patch. At
best, they are somewhat distracted. There is usually a great deal of confusion and change
during these times, and most people don’t want to be perceived as uncooperative or as
inhibiting progress. This provides for increased opportunities for exploitation by a skilled
social engineer.
The reverse of “bad times” opportunities can also be true. When a company
experiences rapid growth, oftentimes their processes and procedures lag behind. Who’s
making sure there isn’t an unauthorized guest at the new-hire orientation? Is that another
new employee walking around the office, or is it an unwanted guest? Who’s that with
the laptop in the conference room? Is that the normal paper-shredder company? Janitor?
If the company is a publicly traded company, information about current events is
widely available on the Internet. In fact, publicly traded companies are required to file
certain periodic reports to the Securities and Exchange Commission (SEC) on a regular
basis; these reports provide a wealth of information. Two reports of particular interest
are the 10-Q (quarterly) and the 10-K (annual) reports, and you can search the EDGAR
database at http://www.sec.gov to view them. When you find one of
these reports, search for keywords like “merger,” “acquisition,” “acquire,” and “subsequent
event.” With a little patience, you can build a detailed organizational chart of the entire
organization and its subsidiaries.
Business information and stock trading sites can provide similar data such as Yahoo
Finance message boards. For example, check out the message board for any company
and you will find a wealth of potential dirt—er, I mean information—that could be used
to get in the head of the target company. Comparable sites exist for major markets around
the world. An attacker can use this information to target weak points in the organization.
Most hackers will choose the path of least resistance—and why not?

Employee Phone Numbers, Contact Names, and E-mail Addresses

Attackers can use phone numbers to look up your physical address via sites like http://
www.phonenumber.com, http://www.411.com, and http://www.yellowpages.com.
They may also use your phone number to help them target their war-dialing ranges, or
to launch social-engineering attacks to gain additional information and/or access.
Contact names and e-mail addresses are particularly useful data. Most organizations
use some derivative of the employee’s name for their username and e-mail address (for
example, John Smith’s username is jsmith, johnsmith, john.smith, john_smith, or smithj,
and his e-mail address is jsmith@example.com or something similar). If we know one of
these items, we can probably figure out the others. Having a username is very useful
later in the methodology when we try to gain access to system resources. All of these
items can be useful in social engineering as well (more on social engineering later).
Other personal details can be readily found on the Internet using any number of sites
like http://www.blackbookonline.info/, which links to several resources, and http://
www.peoplesearch.com, which can give hackers personal details ranging from home
phone numbers and addresses to social security numbers, credit histories, and criminal
records, among other things.
In addition to these personal tidbits gathered, there are numerous publicly available
websites that can be pilfered for information on your current or past employees in order
to learn more information about you and your company’s weaknesses and flaws. The
websites you should frequent in your footprinting searches include social networking
sites (Facebook.com, Myspace.com, Reunion.com, Classmates.com), professional networking
sites (Linkedin.com, Plaxo.com), career management sites (Monster.com, Careerbuilder
.com), family ancestry sites (Ancestry.com), and even online photo management sites
(Flickr.com, Photobucket.com) can be used against you and your company.
Once employee, contractor, and vendor names associated with your company are
discovered, hackers can turn to these websites and look up boundless information
company, hackers can then turn to these websites and look up boundless information
about the people and companies they are associated with. Given enough information,
they can build a matrix of data points to provide deductive reasoning that can reveal
much of the target’s configuration and vulnerabilities. In fact, there are so many websites
that spill information about your company’s assets and their relative security. Suffice it to say, almost anything about your company can be revealed from the data housed in those websites.
Attackers might use any of this information to assist them in their quests—extortion
is still alive and well. An attacker might also be interested in an employee’s home
computer, which probably has some sort of remote access to the target organization. A
keystroke logger on an employee’s home machine or laptop may very well give a hacker
a free ride to the organization’s inner sanctum. Why bang one’s head against the firewalls,
IDS, IPS, etc., when the hacker can simply impersonate a trusted user?



Tuesday, 24 May, 2011

Hacking start related organizations and location details


Related Organizations

Be on the lookout for references or links to other organizations that are somehow related
to the target organization. For example, many targets outsource much of their web
development and design. It’s very common to find comments from an author in a file
you find on the main web page. For example, we found the company and author of a
CSS file (Cascading Style Sheet) just recently, indicating that the target’s web development
was done outside the company. In other words, this partner company is now a potential
target for attack.
/*
Author: <company name here> <city the company resides in here>
Developer: <specific author1 name here>, <specific author2 name here>
Client: <client name here>
*/
Even if an organization keeps a close eye on what it posts about itself, its partners are
usually not as security-minded. They often reveal additional details that, when combined
with your other findings, could result in a more sensitive aggregate than your sites
revealed on their own. Additionally, this partner information could be used later in a
direct or indirect attack such as a social engineering attack. Taking the time to check out
all the leads will often pay nice dividends in the end.

Location Details

A physical address can prove very useful to a determined attacker. It may lead to
dumpster-diving, surveillance, social-engineering, and other nontechnical attacks.
Physical addresses can also lead to unauthorized access to buildings, wired and wireless
networks, computers, mobile devices, and so on. It is even possible for attackers to attain
detailed satellite imagery of your location from various sources on the Internet. Our
personal favorite is Google Earth (formerly KeyHole) and can be found at http://earth.google.com/. It essentially puts the world (or at least most major metro
areas around the world) in your hands and lets you zoom in on addresses with amazing
clarity and detail via a well-designed client application.
Another popular source is http://terraserver.microsoft.com.
Using Google Maps (http://maps.google.com), you can utilize the Street View feature, which actually provides a “drive-by” series of images so you can
familiarize yourself with the building, its surroundings, the streets, and traffic of the
area. All this helpful information to the average Internet user is a treasure trove of
information for the bad guys.


Hacking start: Company web pages


Perusing the target organization’s web page will often get you off to a good start. Many
times, a website will provide excessive amounts of information that can aid attackers.
Believe it or not, we have actually seen organizations list security configuration details
and detailed asset inventory spreadsheets directly on their Internet web servers.
In addition, try reviewing the HTML source code for comments. Many items not
listed for public consumption are buried in HTML comment tags (<!-- and -->).
Viewing the source code offline may be faster than viewing it online, so it is often
beneficial to mirror the entire site for offline viewing, provided the website is in a format
that is easily downloadable—that is, HTML and not Adobe Flash, usually in a Shockwave
Flash (SWF) format. Having a copy of the targeted site locally may allow you to
programmatically search for comments or other items of interest, thus making your
footprinting activities more efficient. A couple of tried and true website mirroring tools are
• Wget (http://www.gnu.org/software/wget/wget.html) for UNIX
• Teleport Pro (http://www.tenmax.com) for Windows
Teleport Pro may cost money, though a copy can also be downloaded free from the site above. With either Teleport Pro or Wget you can pull down the desired company's web pages for detailed review.
To mirror a site with Teleport Pro: after downloading and installing it, click File, then New Project Wizard, then
Next. In the address field, type the Internet address that will serve as the starting location for this
project; examples of valid Internet addresses are 'www.microsoft.com', 'www.google.com/
news/', or 'www.ibm.com/home/index.htm'. Click Next, then Finish, then
Save. Finally, click Project, then Start. Be sure that your Internet connection is on.
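Once a site has been mirrored, the text suggests searching it programmatically for comments. The Python script below is an added example (not code from the original post, Wget or Teleport Pro) that walks a mirror directory and lists every HTML comment per page, so a site owner can review what is being published; the sample pages it writes to a temporary directory are constructed, not taken from any real site.

```python
"""Audit a mirrored website for HTML comments before (or after) it goes public.

Added example, not code from the original post. Point it at the directory
produced by wget or Teleport Pro and it lists every <!-- ... --> comment per
page, flagging the ones a reviewer should read first. The sample pages are
constructed inline so the script runs offline.
"""
import os
import sys
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from typing import Dict, List

# Words that commonly mark comments worth a second look (a reviewer's
# starting list, not an exhaustive one).
SUSPECT_WORDS = ("password", "passwd", "todo", "fixme", "internal", "staging",
                 "debug", "author", "client")


class CommentCollector(HTMLParser):
    """Collects the text of every HTML comment fed to the parser."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        text = " ".join(data.split())  # collapse newlines and indentation
        if text:
            self.comments.append(text)


def comments_in_file(path: str) -> List[str]:
    """Return all comments found in one HTML file, in document order."""
    collector = CommentCollector()
    collector.feed(Path(path).read_text(encoding="utf-8", errors="replace"))
    collector.close()
    return collector.comments


def is_suspect(comment: str) -> bool:
    """True when the comment mentions any of SUSPECT_WORDS."""
    lowered = comment.lower()
    return any(word in lowered for word in SUSPECT_WORDS)


def scan_mirror(root: str) -> Dict[str, List[str]]:
    """Map each HTML file (path relative to root, '/'-separated) to its comments."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue  # images, scripts and style sheets are skipped here
            full = os.path.join(dirpath, name)
            found = comments_in_file(full)
            if found:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return findings


# Constructed sample pages: the kind of leftovers the text warns about.
SAMPLE_PAGES = {
    "index.html": (
        "<html><body><!-- TODO: remove before launch; staging notes below -->\n"
        "<h1>Welcome</h1><!-- (c) 2011 --></body></html>"
    ),
    "news/about.htm": (
        "<p>About us</p><!--\n  Author: Example Web Shop, Springfield\n"
        "  Client: Example Client Inc.\n-->"
    ),
    "img/logo.png": "not html, must be skipped",
}


def build_sample_mirror() -> str:
    """Write SAMPLE_PAGES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="mirror-")
    for rel, content in SAMPLE_PAGES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    mirror = sys.argv[1] if len(sys.argv) > 1 else build_sample_mirror()
    for page, comments in sorted(scan_mirror(mirror).items()):
        for comment in comments:
            flag = "!!" if is_suspect(comment) else "  "
            print(f"{flag} {page}: {comment}")
```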
Be sure to investigate other sites beyond the main “http://www” and “https://www” sites as well. Hostnames such as www1, www2, web, web1, test, test1, etc., are all
great places to start in your footprinting adventure. But there are others, many others.
Many organizations have sites to handle remote access to internal resources via a
web browser. Microsoft’s Outlook Web Access is a very common example. It acts as a
proxy to the internal Microsoft Exchange servers from the Internet. Typical URLs for this
resource are https://owa.example.com or https://outlook.example.com. Similarly,
organizations that make use of mainframes, System/36s or AS/400s may offer remote
access via a web browser via services like WebConnect by OpenConnect (http://www.openconnect.com), which serves up a Java-based 3270 and 5250 emulator and allows for
“green screen” access to mainframes and midrange systems such as AS/400s via the
client’s browser.
Virtual Private Networks (VPN) are very common in most organizations as well, so
looking for sites like http://vpn.example.com, https://vpn.example.com, or http://www.example.com/vpn will often reveal websites designed to help end users connect to their
companies’ VPNs. You may find VPN vendor and version details as well as detailed
instructions on how to download and configure the VPN client software. These sites may
even include a phone number to call for assistance if the hacker—er, I mean, employee—
has any trouble getting connected.


Hacking plan


When thieves decide to rob a bank, they don’t just walk in and start demanding money
(not the high IQ ones, anyway). Instead, they take great pains to gather information about
the bank—the armored car routes and delivery times, the security cameras and alarm
triggers, the number of tellers and escape exits, the money vault access paths and authorized personnel, and anything else that will help in a successful attack.
The same requirement applies to successful cyber attackers. They must harvest a
wealth of information to execute a focused and surgical attack (one that won’t be readily
caught). As a result, attackers will gather as much information as possible about all
aspects of an organization’s security posture. In the end, and if done properly, hackers
end up with a unique footprint, or profile of their target’s Internet, remote access, intranet/
extranet, and business partner presence. By following a structured methodology,
attackers can systematically glean information from a multitude of sources to compile
this critical footprint of nearly any organization.

About footprinting

The systematic and methodical footprinting of an organization enables attackers to create
a near complete profile of an organization’s security posture. Using a combination of
tools and techniques coupled with a healthy dose of patience and mind-melding,
attackers can take an unknown entity and reduce it to a specific range of domain names,
network blocks, subnets, routers, and individual IP addresses of systems directly
connected to the Internet, as well as many other details pertaining to its security posture.
Although there are many types of footprinting techniques, they are primarily aimed at
discovering information related to the following environments: Internet, intranet, remote
access, and extranet.

Technology                                          Identifies

Internet                                          Domain names
                                                     Network blocks and subnets
                                                     Specific IP addresses of systems reachable via the Internet
                                                     TCP and UDP services running on each system identified
                                                     System architecture (for example, SPARC vs. x86)
                                                     Access control mechanisms and related access control lists
                                                     (ACLs)
                                                     Intrusion-detection systems (IDSs)
                                                     System enumeration (user and group names, system
                                                     banners, routing tables, and SNMP information)
                                                     DNS hostnames

Intranet                                          Networking protocols in use (for example, IP, IPX, DECnet,
                                                     and so on)
                                                     Internal domain names
                                                     Network blocks
                                                     Specific IP addresses of systems reachable via the intranet
                                                     TCP and UDP services running on each system identified
                                                     System architecture (for example, SPARC vs. x86)
                                                     Access control mechanisms and related ACLs
                                                     Intrusion-detection systems
                                                     System enumeration (user and group names, system
                                                     banners, routing tables, and SNMP information)

Remote access                              Analog/digital telephone numbers
                                                     Remote system type
                                                     Authentication mechanisms
                                                     VPNs and related protocols (IPSec and PPTP)

Extranet                                        Domain names
                                                    Connection origination and destination
                                                    Type of connection
                                                    Access control mechanism


Monday, 23 May 2011

Use the direct address of Yahoo!


Even better, almost every Yahoo! service has its own unique URL that you can
enter directly into your browser’s address box, or bookmark as necessary. You
might think that remembering dozens of unique URLs would be difficult. And,
of course, you’d be right—if you actually had to memorize the URLs.
Fortunately, Yahoo! uses an address scheme that’s easy on the old memory,
thanks to its common-sense nature.
Yahoo!’s address scheme is simple. Just take the yahoo.com domain and add
the service name in front of it, like this: service.yahoo.com. So, for example, if
you want to go to Yahoo! News, you enter news.yahoo.com. If you want to go to
Yahoo! Mail, enter mail.yahoo.com.


The only major exception to this rule is the children’s site Yahooligans!,
which has the address www.yahooligans.com.


             Yahoo! Web Site Directory
Yahoo! Site/Service                  URL
Yahoo! home page                      www.yahoo.com
Yahooligans!                          www.yahooligans.com
My Yahoo!                             my.yahoo.com
Yahoo! Address Book                   address.yahoo.com
Yahoo! Astrology                      astrology.yahoo.com
Yahoo! Auctions                       auctions.yahoo.com
Yahoo! Autos                          autos.yahoo.com
Yahoo! Banking Center                 banking.yahoo.com
Yahoo! Bookmarks                      bookmarks.yahoo.com
Yahoo! Briefcase                      briefcase.yahoo.com
Yahoo! Buzz Index                     buzz.yahoo.com
Yahoo! by Phone                       phone.yahoo.com
Yahoo! Calendar                       calendar.yahoo.com
Yahoo! Chat                           chat.yahoo.com
Yahoo! Classifieds                    classifieds.yahoo.com
Yahoo! Companion (toolbar)            companion.yahoo.com
Yahoo! Education                      education.yahoo.com
Yahoo! Entertainment                  entertainment.yahoo.com
Yahoo! Fantasy Sports                 fantasysports.yahoo.com
Yahoo! Finance                        finance.yahoo.com
Yahoo! Games                          games.yahoo.com
Yahoo! GeoCities                      geocities.yahoo.com
Yahoo! Get Local                      local.yahoo.com
Yahoo! Greetings                      greetings.yahoo.com
Yahoo! Groups                         groups.yahoo.com
Yahoo! Health                         health.yahoo.com
Yahoo! HotJobs                        hotjobs.yahoo.com
Yahoo! Insurance Center               insurance.yahoo.com
Yahoo! Launch (music)                 launch.yahoo.com
Yahoo! Loan Center                    loan.yahoo.com
Yahoo! Lottery Results                lottery.yahoo.com
Yahoo! Mail                           mail.yahoo.com
Yahoo! Mail Plus                      mailplus.yahoo.com
Yahoo! Maps                           maps.yahoo.com
Yahoo! Message Boards                 messages.yahoo.com
Yahoo! Messenger                      messenger.yahoo.com
Yahoo! Mobile                         mobile.yahoo.com
Yahoo! Movies                         movies.yahoo.com
Yahoo! News                           news.yahoo.com
Yahoo! PayDirect                      paydirect.yahoo.com
Yahoo! People Search                  people.yahoo.com
Yahoo! Personals                      personals.yahoo.com
Yahoo! Pets                           pets.yahoo.com
Yahoo! Photos                         photos.yahoo.com
Yahoo! Picture Gallery                gallery.yahoo.com
Yahoo! Products Search                products.yahoo.com
Yahoo! Real Estate                    realestate.yahoo.com
Yahoo! Shopping                       shopping.yahoo.com
Yahoo! Small Business                 smallbusiness.yahoo.com
Yahoo! Sports                         sports.yahoo.com
Yahoo! Store                          store.yahoo.com
Yahoo! Tax Center                     taxes.yahoo.com
Yahoo! Travel                         travel.yahoo.com
Yahoo! TV                             tv.yahoo.com
Yahoo! Wallet                         wallet.yahoo.com
Yahoo! Weather                        weather.yahoo.com
Yahoo! Web Hosting                    webhosting.yahoo.com



Speed up your Mozilla Firefox


1. Type "about:config" in the address field.
2. Set the value of network.http.pipelining to "true".
3. Set the value of network.http.pipelining.maxrequests to "100".
4. Set the value of network.http.proxy.pipelining to "true".
5. Set the value of nglayout.initialpaint.delay to "0" (it's not available in newer versions).



Saturday, 21 May 2011

Intrusion into a system within 15 seconds


First connect to the internet.
Then click Start,
then click Run,
type command.com and then press ENTER,
type netstat -n in the command window.

There you find your IP address.

It looks something like this:
207.175.1.1 (the number will be different)

Once you have the IP address, write it down,
then close that window by clicking OK and
do the following.

Click Start,
go to Run (click on Run),
type 'command', then click OK.

Now type the following:
nbtstat -A <IP address>
for example: nbtstat -A 207.175.1.1
(Please note that you must type the A in capital letters.)
This will give you a readout that looks like this:

     NetBIOS Remote Machine Name Table

Name               Type         Status
-------------------------------------------
J-1            <00>  UNIQUE      Registered
WORK           <00>  GROUP       Registered
J-1            <03>  UNIQUE      Registered
J-1            <20>  UNIQUE      Registered
WORK           <1E>  GROUP       Registered
WORK           <1D>  UNIQUE      Registered
__MSBROWSE__.  <01>  GROUP       Registered

The numbers in the <> are hex code values.
What we are interested in is the "Hex Code"
number <20>.
If there is a hex code <20>, that's a good
thing.
A hex code of <20> means you have File and
Printer Sharing turned on.
I’ll show you now how that information can be
used to gain access to your system.
A potential hacker would do a scan on a range
of IP addresses for systems with “File and Printer
Sharing” turned on. Once they have encountered
a system with sharing turned on, the next step
would be to find out what is being shared.
This is how:

net view \\<insert IP address here>

Our potential hacker would then get a response
that looks something like this:

        Shared resources at \\ip_address

        Sharename       Type        Comment
        MY DOCUMENTS    Disk
        TEMP            Disk

The command was completed successfully.

This shows the hacker that his potential victim
has their My Documents folder shared and their
Temp directory shared. For the hacker to then get
access to those folders, his next command will be:

net use x: \\<insert IP address here>\temp

If all goes well for the hacker, he/she will then
get a response of "The command was completed successfully."
At this point the hacker has access to the TEMP
directory of his victim.
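A defender who wants to audit their own hosts for the condition the post describes can parse the name table mechanically instead of reading it by eye. The following is an added example, not code from the original post: it parses nbtstat -A output and reports whether the <20> File Server Service entry is registered; the meanings given for suffixes other than <20> are the standard Windows NetBIOS suffix values, which the post does not spell out.

```python
import re

# Standard NetBIOS name-suffix meanings. The post explains only <20>; the
# others are the usual Windows assignments, added here for context.
SUFFIX_MEANING = {
    (0x00, "UNIQUE"): "Workstation Service",
    (0x00, "GROUP"): "Domain or workgroup name",
    (0x03, "UNIQUE"): "Messenger Service",
    (0x20, "UNIQUE"): "File Server Service (File and Printer Sharing)",
    (0x1D, "UNIQUE"): "Master Browser",
    (0x1E, "GROUP"): "Browser Service Elections",
    (0x01, "GROUP"): "Master Browser announcement (__MSBROWSE__)",
}

# Constructed sample: the nbtstat -A name table shown in the post above.
SAMPLE_OUTPUT = """\
Name          Type            Status
-------------------------------------------
J-1        <00> UNIQUE    Registered
WORK   <00> GROUP      Registered
J-1        <03> UNIQUE    Registered
J-1       <20> UNIQUE     Registered
WORK   <1E> GROUP      Registered
WORK   <1D> UNIQUE    Registered
__MSBROWSE__.<01>GROUP   Registered
"""

# One table row: name, <hex suffix>, UNIQUE|GROUP, status (spacing varies).
ENTRY_RE = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s*(UNIQUE|GROUP)\s+(\w+)\s*$")


def parse_name_table(text):
    """Return (name, suffix, type, status) tuples; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            entries.append((name.rstrip("."), int(suffix, 16), ntype, status))
    return entries


def audit_name_table(text):
    """Summarise what a host advertises; 'file_sharing_exposed' is the post's <20> check."""
    entries = parse_name_table(text)
    first = lambda sfx, typ: next((n for n, s, t, _ in entries if s == sfx and t == typ), None)
    return {
        "hostname": first(0x00, "UNIQUE"),
        "workgroup": first(0x00, "GROUP"),
        "services": [SUFFIX_MEANING.get((s, t), "unknown suffix <%02X>" % s) for _, s, t, _ in entries],
        "file_sharing_exposed": any(s == 0x20 and t == "UNIQUE" and st == "Registered" for _, s, t, st in entries),
    }
```

Feed it the saved output of nbtstat -A run against your own machines; any host that comes back with file_sharing_exposed set is advertising File and Printer Sharing to whoever can reach it.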


Monday, 16 May 2011

Enter any computer without knowing the password




First you need a piece of software called Kon-Boot. You can download it from this site:
http://www.piotrbania.com/all/kon-boot/
And your password will be "kon-boot".

Now burn this software to a blank CD
and make it bootable.
In Nero, for example, select "data CD" and there's a pull-down option that says "make bootable CD" or something similar.
Now you need to set up the victim's computer in the BIOS: set the boot priority so that the first boot device is your CD.


Now log in to the admin account with any password you wish. Now you are inside your victim's computer. You can do anything you want.
In Windows 7:

Click Start. In the search box type cmd. Then click on cmd.
In cmd, write "net user"
and press Enter. It will show all the users of that computer.
If you want to change a password, type in cmd:
net user Administrator 123456 (or a password of your choice).

You can also add a user.
In cmd, type:
net user maniac /add
You can also use another name.
You can also delete any user.
In cmd, type:
net user maniac /del

If you change nothing, no one will notice any intrusion.

Sunday, 15 May 2011

MS-IIS server website hacking

In windows 7

Click Start > click Computer.
In the following dialog box click Map Network Drive.
Then click “Connect to a Web site that you can use to store your documents and pictures”.
Then click Next.
Then click Next.
Now type the address of the web folder you want to access, or you can type ftp://ftp.microsoft.com.
Then click Next > click Next.
Now enter a name that will help you identify the web folder later and click Next.
Now check ‘Open this network location when I click Finish’.
And now at the end click Finish.
Now you can explore that web folder or Microsoft's files.

Have a nice day. Goodbye for today.



Saturday, 14 May 2011

Crash a small website

To crash a small website you need two tools:
1. a port scanner (download any port scanner software from the net)
2. an rDoS tool; you can download it from here: http://www.mediafire.com/?emnmitkmmqz
First we need our victim website's IP address. This is a very easy task.
You can first go to this site: http://www.ip-adress.com/ip-tracer
Then type your victim's website address and you will easily find its IP address.
Now we need to see whether port 80 is open or not, so we need the port scanner. We now type the IP into the port scanner.
It then asks us to do a range scan or a full scan. We select range scan. Then it will ask you for confirmation, which you give with a capital Y or a capital N. Now enter 79 for the lowest port and 81 for the highest. Then hit Enter, and then hit capital Y.
[X] = Closed
[X] Vulnerable = Open
If port 80 is closed, go for a new site. If port 80 is open, then you can crash the website.
Now open the rDoS tool. Enter the victim's IP that we got. It then asks us what port we now attack. Enter 80. Then hit Enter. Then it starts crashing it.
Wishing you happy hacking.