Ethical Hacking

3. Tools & Techniques Used to Compromise Computer Systems

Hacking Tools

Kali Linux is a collection of hacking tools built on top of a Debian distribution of Linux. Linux is a Unix-like operating system (not a language) that runs on many different hardware architectures, which is one reason it is so widely used for this kind of work.

Many of these tools can be separated into categories according to their function, and each category is relevant to a particular phase of the hacking cycle. An almost comprehensive list of these tools can be seen at Kali Tools.

Some of these tools are themselves wrappers around other programs. Zenmap, for example, is a graphical front end to Nmap. Other tools like Metasploit, Armitage, BeEF and Burp Suite are frameworks made up of different 'sub-programs' (modules) which can be called upon when needed.

While Kali Linux is perhaps the most widely used and regarded pentesting distribution, there are other Linux distributions that can be used for pentesting. Other popular ones include:-

  • Parrot Security OS
  • BackBox
  • Samurai Web Testing Framework
  • Pentoo Linux
  • DEFT Linux
  • Caine
  • Network Security Toolkit (NST)

Many of the Linux tools are also available in Windows versions. However, a Windows build only works on a Windows operating system, and white hat hackers and digital forensic investigators cannot be guaranteed to be working on Windows-based devices, so a portable Linux distribution such as Kali is the safer bet.

Scanning

Reconnaissance of the target (for the ethical hacker this will be the client paying for the pentest) reveals information that might be useful to black hat hackers, who could use it as a starting point, perhaps through a social engineering attack, for gaining entry into the target system.

Tools used so far for this have included Maltego, Dmitry, Zenmap, Recon-ng and The Harvester.

The next step is vulnerability testing, i.e. using tools to scan for weaknesses or ways into the target, perhaps through backdoors or open ports. It is at this point that our own ethical standards come into play.

It is illegal to scan sites, servers and organisations for which permission has not been granted. Ethical hackers can only scan for vulnerabilities on servers, sites and machines for which they have been given permission, as agreed under the Rules of Engagement.

Zenmap

Zenmap is the graphical front end to the very popular network mapping tool Nmap: it runs the same scans, but through a Graphical User Interface (GUI) rather than the command line.

As a network mapping tool, it is excellent at revealing the IP addresses of devices on a network. Obtaining the IP address is key to targeting a specific device, since an IP address identifies a single host on the network.

Zenmap can also map the topology, or shape, of the network, allowing users to see the relationship between devices. This is useful if an attack plan involves 'jumping' (pivoting) from one device to another.

Some scans are more active, and therefore noisier, than others. An intense scan sends many probe packets to each host (a 'ping' is the simplest case: one packet and its reply) and is very likely to trigger alerts on a monitored network, so use with care.

Zenmap also has the ability to fingerprint hosts. This is where scans reveal specific details such as the operating system type and version, and the service and version listening on each open port. This is essential for planning which software weaknesses to exploit, and open ports are themselves possible routes in.
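What a port scanner such as Nmap actually does, stripped to its simplest form, is attempt a TCP connection to each port and, where the connection succeeds, read whatever the service says first (its banner) to fingerprint it. The following Python script is an added example written for this page, not code from Nmap or Zenmap. It starts a throwaway listener on 127.0.0.1 (a constructed stand-in for a real target, with a made-up banner) so that it runs offline, then scans it. The function and variable names are the example's own.

```python
import socket
import threading

# Constructed stand-in for a real target service: a listener on 127.0.0.1
# that greets every connection with a made-up banner.
BANNER = b"220 demo-ftp ready (constructed banner)\r\n"


def start_fake_service(banner=BANNER):
    """Start a throwaway TCP service on 127.0.0.1 on an OS-chosen port.
    Returns (port, server_socket); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def probe_port(host, port, timeout=0.5):
    """TCP connect scan of a single port.
    A completed three-way handshake means something is listening ('open');
    a refusal or timeout is reported as 'closed'. Returns (state, banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # ConnectionRefusedError and timeouts are both OSError
            return "closed", b""
        try:
            banner = s.recv(256)  # many services talk first: grab their banner
        except OSError:
            banner = b""
        return "open", banner


def scan(host, ports):
    """Scan a list of ports and return {port: banner} for the open ones.
    Every probe is a full connection the target can log, which is why a
    scan like this is 'noisy'."""
    found = {}
    for p in ports:
        state, banner = probe_port(host, p)
        if state == "open":
            found[p] = banner.decode(errors="replace").strip()
    return found


if __name__ == "__main__":
    port, srv = start_fake_service()
    for p, b in scan("127.0.0.1", [port - 1, port, port + 1]).items():
        print(f"{p}/tcp open  banner={b!r}")
    srv.close()
```

Nmap does the same thing far more cleverly (half-open SYN scans, parallel probes, a database of version probes), but the principle is identical: an open port answers, and what it answers with identifies the software behind it.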

The Harvester

Now for something a little easier. Ever wondered how email spammers get all those email addresses or how those phishing emails arrive in your inbox? Well wonder no more!

The following video shows how a reconnaissance tool, The Harvester can automate the process of email gathering.

Usually a hacker, especially one interested in social engineering, would use this tool to uncover the email addresses of people working for a target organisation who might be worth approaching. The video, for example, turns up a possible network admin address and a 'security' sub-domain.

The Harvester is a passive tool in that it searches the internet for addresses and servers associated with whatever is being looked for. All of this information is publicly available, so using it is legal and ethically acceptable.

  1. Watch and work along with the video to learn how easy it is to gather email addresses. Get a screen shot of your practice results and paste it in to your notebook.
  2. Conduct your own search on an organisation name of your choice. Again take a screenshot and include it in your notebook.
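Under the hood, what The Harvester does with the pages a search engine returns is pull out anything that looks like an email address or a hostname and keep only the ones that belong to the target domain. The script below is an added example for this page, not The Harvester's own code; it works on a few constructed pages with made-up addresses so it runs offline. The one detail worth noticing is the scope check: `example.org.evil.test` is not a sub-domain of `example.org`, so the match has to respect domain labels rather than just checking for the text.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for search results / public web pages.
# Every address and host here is made up for the example.
SAMPLE_PAGES = [
    "Contact us: info@example.org or press@example.org. See https://www.example.org/about",
    "Posted by netadmin@example.org on the forum. Mirror: http://security.example.org/advisories",
    "Unrelated: helpdesk@other-company.net, https://mail.example.org/owa, https://example.org.evil.test/",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def in_scope(hostname, domain):
    """True if hostname is the target domain or one of its sub-domains.
    Label-aware: 'example.org.evil.test' must NOT count as example.org."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def harvest(pages, domain):
    """Return (sorted emails, sorted hosts) found in the pages that belong
    to the target domain. Duplicates collapse because sets are used."""
    domain = domain.lower()
    emails, hosts = set(), set()
    for text in pages:
        for m in EMAIL_RE.finditer(text):
            if in_scope(m.group(1), domain):
                emails.add(m.group(0).lower())
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            if in_scope(host, domain):
                hosts.add(host)
    return sorted(emails), sorted(hosts)


if __name__ == "__main__":
    emails, hosts = harvest(SAMPLE_PAGES, "example.org")
    print("emails:", emails)   # netadmin@... is exactly the kind of address a social engineer wants
    print("hosts: ", hosts)    # sub-domains such as mail. and security. are leads for later scanning
```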

A Legal Reminder

Reconnaissance is legal. All reconnaissance tools do is automate the information gathering stage from publicly available sources.

Scanning, on the other hand, involves probing servers and devices for weaknesses. This is an ILLEGAL activity unless you have the device owner's explicit permission.

Permission has to be granted by the device's owner, not just the owner of the website. A server may be hosting multiple websites owned by different organisations, and a scan may reveal weaknesses in those other websites. It would be unethical, and outside your permission, to include them in a pentest.

Will you get caught?

Scanning is a 'noisy' activity. Some vulnerability tests involve 'pinging', that is, sending a message to a server and examining the response (the equivalent of pinging a submarine with sonar to find out where it is).

Any system administrator watching traffic on a server can easily pick this up, and the IP address of the sender can be quickly established.

So unless you are operating within the Rules of Engagement, your scan is likely to be detected and you could be prosecuted.
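To show how easily a scan stands out, here is the kind of check a system administrator, or an intrusion detection system, runs over firewall logs: one source address touching many different ports on one host in a short time is the signature of a port scan. This is an added example written for this page, not code from any real IDS. The log lines are constructed in an iptables-like format; the addresses and times are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (made up for this example): a fast scanner,
# a normal client hitting one port, and a slow scanner spread over two hours.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.7 DST=192.0.2.10 DPT=22 PROTO=TCP SYN
2024-05-01T10:00:00 SRC=203.0.113.7 DST=192.0.2.10 DPT=23 PROTO=TCP SYN
2024-05-01T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=25 PROTO=TCP SYN
2024-05-01T10:00:01 SRC=203.0.113.7 DST=192.0.2.10 DPT=80 PROTO=TCP SYN
2024-05-01T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=443 PROTO=TCP SYN
2024-05-01T10:00:02 SRC=203.0.113.7 DST=192.0.2.10 DPT=3306 PROTO=TCP SYN
2024-05-01T10:00:03 SRC=198.51.100.4 DST=192.0.2.10 DPT=443 PROTO=TCP SYN
2024-05-01T10:05:00 SRC=198.51.100.4 DST=192.0.2.10 DPT=443 PROTO=TCP SYN
2024-05-01T11:00:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=22 PROTO=TCP SYN
2024-05-01T11:30:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=80 PROTO=TCP SYN
2024-05-01T12:00:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=443 PROTO=TCP SYN
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dpt = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dpt)


def detect_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs that hit at least `threshold` distinct destination
    ports within any sliding time `window`. Returns {(src, dst): max_ports_seen}.
    A slow scan spread over hours only shows up if the window is widened."""
    events = defaultdict(list)
    for ts, src, dst, dpt in parse(log_text):
        events[(src, dst)].append((ts, dpt))

    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts[key] = max(len(ports), alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    print("fast scan, 60 s window:", detect_scans(SAMPLE_LOG))
    print("slow scan, 3 h window: ", detect_scans(SAMPLE_LOG, threshold=3, window=timedelta(hours=3)))
```

With the default settings only the fast scanner is flagged; widening the window and lowering the threshold also catches the slow scanner, at the cost of more false positives. Either way the source IP address is right there in the log.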

Scanning with Uniscan

Uniscan is a popular web vulnerability scanner that comes with Kali Linux. One of its main strengths is that it is very easy to use. Essentially, Uniscan is started, a website URL is provided, a few options are set and it is then left to do its stuff.

The Perl-based program can be run either from the command line in a terminal window or through a very simple GUI. It also produces good-looking reports which could be included in an overall pentest report.

The route to these reports is:-

Home > Other Locations > Computer > user > share > uniscan > report

In your notebook add a new heading 2. Scanning

  1. Under what law is it illegal to scan for vulnerabilities without permission?
  2. scanme.nmap.org (http://scanme.nmap.org/) is a website that invites users to scan its server for vulnerabilities, and it does have a few. Watch the video and use Uniscan to generate a report.
  3. Examine the report for any open ports. Take screenshots and include them in your notebook.
Scanning with Sparta

Sparta is one of the more recent scanners. It comes with a user-friendly interface and works by driving established networking tools like Nmap and Nikto. Both of those tools can also be run on their own from the command line.

One of the nice things about Sparta is that, like Zenmap, it can map out a network: it scans across a range of IP addresses and lists the open ports and possible vulnerabilities on each machine.

To understand Sparta watch the video. It is very comprehensive and you can fast forward through parts of it. It also covers several things you can do with Sparta that shorter videos do not. Try to see if you can brute force your way into your own Metasploitable machine - make sure you start it first.

So let's practise using scanme.nmap.org

  1. Look at your Uniscan report. Find the IP address of scanme.nmap.org.
  2. Fire up your copy of Sparta. Add the address to the scan target list.
    • Sparta accepts an IP address range so that every device on the same network is included in one scan, and that is how you would use it on a client's network.
    • Remember the Legal Reminder above, though: the permission granted by scanme.nmap.org covers that one host only, so here keep the target list to the single address uncovered with Uniscan unless your Rules of Engagement cover the neighbouring addresses.
  3. From the results, see if you can discover any open ports. Remember that open ports are possible routes of entry.
  4. Take screenshots of your results and include them in your notebook.
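Zenmap and Sparta both sit on top of Nmap, and Nmap can write its results as XML (`-oX report.xml`), which is the form every front end and every pentest report generator actually consumes. The parser below is an added example for this page, not code from Nmap, Zenmap or Sparta. It pulls out what the Zenmap and Sparta sections above care about: which hosts are up, their open ports and services, and the best OS fingerprint match. The XML sample is constructed, trimmed to the elements used, with made-up addresses, names and versions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of nmap's XML output (nmap -sV -O -oX report.xml <targets>),
# trimmed to the elements used below. Addresses, names and versions are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.0.2.8/29">
<host>
  <status state="up" reason="echo-reply"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9"/></port>
    <port protocol="tcp" portid="23"><state state="closed" reason="reset"/>
      <service name="telnet"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="Apache httpd" version="2.4"/></port>
  </ports>
  <os>
    <osmatch name="Linux 4.15" accuracy="90"/>
    <osmatch name="Linux 5.4 - 5.15" accuracy="95"/>
  </os>
</host>
<host>
  <status state="up" reason="arp-response"/>
  <address addr="192.0.2.11" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="6667"><state state="open" reason="syn-ack"/>
      <service name="irc"/></port>
  </ports>
</host>
<host>
  <status state="down" reason="no-response"/>
  <address addr="192.0.2.12" addrtype="ipv4"/>
</host>
</nmaprun>
"""


@dataclass
class Host:
    ip: Optional[str]
    hostname: Optional[str]
    os_guess: Optional[str]
    # (port, protocol, service name, product) for each OPEN port
    open_ports: List[Tuple[int, str, Optional[str], Optional[str]]] = field(default_factory=list)


def parse_nmap_xml(xml_text):
    """Return a Host for every host nmap reports as up, with its open ports
    and the highest-accuracy OS match (None when nmap made no OS guess)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts have nothing to fingerprint
        ip = next((a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4"), None)
        hn = h.find("hostnames/hostname")
        os_guess = None
        matches = h.findall("os/osmatch")
        if matches:
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            os_guess = f"{best.get('name')} ({best.get('accuracy')}%)"
        host = Host(ip=ip, hostname=hn.get("name") if hn is not None else None, os_guess=os_guess)
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not routes in
            svc = p.find("service")
            host.open_ports.append((
                int(p.get("portid")),
                p.get("protocol"),
                svc.get("name") if svc is not None else None,
                svc.get("product") if svc is not None else None,
            ))
        hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_XML):
        print(f"{host.ip} ({host.hostname or '-'}) OS: {host.os_guess or 'unknown'}")
        for port, proto, name, product in host.open_ports:
            print(f"  {port}/{proto} open  {name or '?'} {product or ''}".rstrip())
```

The same structure is what you are reading, by eye, in the Zenmap and Sparta screenshots for your notebook: up hosts, open ports, the service behind each port, and the OS guess with its confidence.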
Metasploitable

From the legal and ethical standpoint, there are few sites that can be scanned legally. Fortunately, the people at Rapid7 have created a virtual machine (VM) full of vulnerabilities for people to practise on.

Called Metasploitable, this virtual machine can be downloaded from Rapid7.com

Watch the short video below which explains a little more about it.

The aim, then, is to have VirtualBox run two virtual machines: one running Metasploitable, acting as the target machine, and the other running Kali Linux, which we are going to use to hack Metasploitable. Because Metasploitable is deliberately vulnerable, keep both VMs on an internal or host-only VirtualBox network and never expose it to a real network.

Watch the video to see how to set up Metasploitable in VirtualBox. If you want to set up a testing lab on your own computer you will have to download Metasploitable and install it following these instructions.

Using Metasploit

Metasploit is a popular hacking framework of tools brought together through a common command line interface. Like Sparta, it is capable of scanning for vulnerabilities, but it goes further by containing a growing database of ready-made exploits which take advantage of loopholes found in scanned systems and networks.

A list of these can be seen once Metasploit has started by using the command show exploits. Wait a while until they are gathered.

Metasploit also contains a bundle of 'payloads' which can be delivered into vulnerable systems through loopholes discovered by scanning and taken advantage of by an 'exploit'.

Guess what! A list of these payloads can be seen by using the command show payloads.

Both exploits and payloads are short programs designed to accomplish something specific. Exploits open things up; payloads deliver something, such as a shell or malware, code to open other backdoors to maintain access, or code to cover up access.

  1. As scanning for weaknesses is illegal on systems without explicit permission, we are going to use Metasploit against a virtual machine running Metasploitable.
  2. Start up the Kali Linux and Metasploitable (the target) VMs.
  3. Watch the video below to see how to grab the IP address of your target and conduct a scan.
  4. Use the internet and record in your notebook:
    1. the meaning of RHOST and what you would use it with.
    2. the meaning of LHOST and, again, what you would use it with on the command line.
  5. Use the exploit to 'break' into the Metasploitable machine. The tab key autocompletes module and option names as you get close to the end.
  6. From the Kali Linux host, in the session you now have on the Metasploitable machine, use the pwd (print working directory) command followed by ls (list) to see which folder you are in.
  7. Find out how to use the command cd (change directory) to get to the msfadmin folder. Use the command ls to see the contents of any folder. Open the folder called vulnerable.
  8. IRC is one of the services run by the Metasploitable machine, and the exploit uses it to open a backdoor for access. Explain what IRC stands for and what it does.
  9. Take a screenshot and include it in your notebook.
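The RHOST and LHOST options you are asked to look up are easiest to understand by watching the connection directions. The exploit is sent to the target (RHOST); a reverse payload then opens a new connection outwards from the target back to the attacker's listener (LHOST:LPORT), which is why Kali has to be listening before the exploit fires and why this works through firewalls that only block inbound connections. The script below is an added example written for this page, not Metasploit code, and it is deliberately not a shell: the two sides only exchange a check-in message over 127.0.0.1. The names `start_handler`, `reverse_payload` and the check-in text are the example's own.

```python
import socket
import threading

# Constructed stand-ins for the Metasploit terms:
#   LHOST/LPORT: where the attacker (Kali) listens; the payload connects back here.
#   RHOST/RPORT: the target service the exploit is sent to (not modelled here).
# This demo only exchanges a check-in message; it runs no commands on either side.


def start_handler(lhost="127.0.0.1", lport=0):
    """Attacker side: listen on LHOST:LPORT (like Metasploit's multi/handler)
    and wait for exactly one connect-back. Returns (port, result, thread);
    `result` is filled in by the listener thread once the payload checks in."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((lhost, lport))          # lport=0 lets the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def wait_for_checkin():
        conn, peer = srv.accept()     # blocks until the target connects back
        with conn:
            result["peer"] = peer[0]
            result["checkin"] = conn.recv(256).decode().strip()
            conn.sendall(b"ACK\n")    # a real handler would now drive a shell
        srv.close()

    t = threading.Thread(target=wait_for_checkin, daemon=True)
    t.start()
    return port, result, t


def reverse_payload(lhost, lport, identity="metasploitable-demo"):
    """Target side: what a reverse payload does once the exploit has run.
    The connection is opened OUTWARD to LHOST:LPORT, so the target needs no
    open inbound port of its own. Returns the handler's reply."""
    with socket.create_connection((lhost, lport), timeout=2) as s:
        s.sendall(f"checkin from {identity}\n".encode())
        return s.recv(16).decode().strip()


def demo():
    """Run both sides on the same machine; returns (reply seen by the
    payload, check-in text seen by the handler)."""
    lport, result, t = start_handler()                 # 1. attacker listens first
    reply = reverse_payload("127.0.0.1", lport)        # 2. target connects back
    t.join(2)
    return reply, result.get("checkin", "")


if __name__ == "__main__":
    reply, checkin = demo()
    print("handler saw:", checkin)
    print("payload got:", reply)
```

Compare with a bind payload, which the page does not cover: there the payload listens on the target and the attacker connects in, so RHOST is used on both steps and an inbound port has to be reachable. Reverse payloads are the default in most tutorials precisely because of the direction shown here.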

Well done, you've 'pwned' your first machine.

You should be able to:-
  • Provide examples of pentesting toolkits that are suitable alternatives to Kali Linux.
  • Use common Kali Linux tools for scanning networks and for gathering information from the internet.
  • Set up a small testing lab with Metasploitable and use the popular Metasploit framework to access and exploit 'remote' machines.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Supporting courses by the SQA