Posts

Showing posts from January, 2019

Cheat Sheet : Snort

Snort is a free/paid intrusion detection system that also does packet logging and packet sniffing. Snort comes with built-in rules and community rules that the security industry has submitted. The paid version gives you more of these and keeps them more up to date:

* SNORT: there are 3 modes, packet sniffer, packet logger and IDS
  * To start Snort in sniffer mode, start the snort service, then open a terminal and type snort -v
  * Ping another computer and see that it captures that ICMP traffic
* SNORT RULES:
  a. A very simple one to start with is: log tcp any any -> 192.168.3.0/24 23 , this states: log any TCP packets from any IP and any port to destination network 192.168.3.0/24 and destination port 23
  b. You can add messages too, so let's say someone is trying to get to telnet on your network: alert tcp any any -> any 23 (msg: "hey this fool's trying to use telnet!";)
  c. It can also be bi-directional as in any leaving or coming for tel...

Cheat Sheet : IP Table

Iptables is a command line firewall that comes with Linux. It's essential to learn how to use the different parts of it for the scanning phase:

IPTABLES: iptables has the following 4 built-in tables:
  i. FILTER table: it has 3 chains:
     1. INPUT chain - incoming to the firewall
     2. OUTPUT chain - outgoing from the firewall
     3. FORWARD chain - packets for another NIC on the local server
  ii. NAT table: it has 3 chains:
     1. PREROUTING - alters packets before routing (used for DNAT, destination NAT)
     2. POSTROUTING - alters packets after routing (used for SNAT, source NAT)
     3. OUTPUT - used for packets generated locally
  iii. MANGLE table: specialized packet alteration. It m...

Cheat Sheet : Wireshark

Now that you know some command line packet sniffing, let's go over some Wireshark display filters:

* If you want to filter by a protocol, just type it in, like arp, dns, etc.
* If you click the Analyze tab you can filter there as well
* If you did it by tcp, you can go to Preferences/Protocols/TCP and uncheck "relative sequence numbers", and it will show the real sequence numbers
* Right click a packet and Follow TCP Stream to see the whole conversation between the client and the server. If you do this and then close out of the window, you will see that the filter is listed for these packets
* A source filter can be applied to restrict the packet view in Wireshark to only those packets that have the source IP mentioned in the filter. The filter applied in the example below is: ip.src == 10.10.10.5
* A destination filter can be applied to restrict the packet view in Wireshark to only those packets that have destination IP as m...

Cheat Sheet : TCP Dump

Wireshark is a very popular packet sniffing tool, but sometimes you may be on a pentest and you only have a Linux shell, no GUI, no Wireshark. The good thing is that a lot of Linux and Unix machines come with tcpdump installed, which is essentially a command line Wireshark. Let's look at some examples:

* First off, I like to add a few options to the tcpdump command itself, depending on what I'm looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ASCII content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can't see weirdness in the sequence numbers if they're being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets.
* It's also important to note that tcpdump only takes the first 6...

Cheat Sheet : Linux

Basic Linux and Bash training is essential for any aspiring hacker. Here is a small beginner's cheat sheet/lesson about Linux basics:

Linux Operating System

Linux File System
/       Root of the file system
/var    Variable data, log files are found here
/bin    Binaries, commands for users
/sbin   System binaries, commands for administration
/root   Home directory for the root user
/home   Directory for all home folders for non-privileged users
/boot   Stores the Linux kernel image and other boot files
/proc   Direct access to the Linux kernel
/dev    Direct access to hardware storage devices
/mnt    Place to mount devices onto the user mode file system

Identifying Users and Processes:
INIT                     process ID 1
Root                     UID, GID 0
Accounts for services    1-999
All other users          above 1000

Ring 0, in the security rings model, is where the kernel lies in Linux. Ring 1 and ring 3 are where device drivers lie. Ring 3 is the user space and this is where init is, and applications, etc. init executes scripts to set up all non-OS services and structu...

Cheat Sheet : Shodan HQ

Shodan is considered the world's most dangerous search engine. The site scans the internet and finds public-facing devices; I even found my router on there before! You can sign up for free but it limits the searches. Here are some examples:

* Shodanhq:
  http://www.shodanhq.com/?q=Fuji+xerox  some printers
  http://www.shodanhq.com/?q=RTU  SCADA
  http://www.shodanhq.com/search?q=sonicwall  SonicWall firewalls
  http://www.shodanhq.com/search?q=%22cisco-ios%22+%22last-modified%22  Cisco IOS devices
  http://www.shodanhq.com/search?q=cisco-ios+200  Cisco devices with no login required
  More specifically on that last one: http://209.56.171.1/xhome.htm
  Zhone MALC is a full-featured multi-service access platform optimized for delivering voice, data, and video services over a pure packet access network.
  http://www.shodanhq.com/search?q=Zhone+SLMS  the default username is admin, default password is zhone
  http://www.shoda...

Cheat Sheet : Google Hacking

Google hacking is a great way to do some recon using advanced operators in the Google search engine. Here are some examples:

Google hacking lessons:
* Google queries are not case-sensitive
* Google doesn't use wildcards like most search engines do; it sees the wildcard character just as another character
* Google ignores certain common words, characters, and single digits in a search, but you can force Google into using them by including them in quotes. You can also precede the word with a + sign, like +and, with no spaces between the + and the word "and"
* Google limits searches to 32 words, but we could use wildcards to omit common words and extend that limit. So a phrase like "we the people of the united states in order to form a more perfect union establish justice" is 17 words, but if I omit the common words and replace them with wildcards: we * people * * united states * order * form * more perfect * establish * would be counted as 9 words
* If I do a phrase search, which means ...

Cheat Sheet : Known Ports & Protocol

It's always good to know some common ports and protocol IDs that are used in attacks. Here is a list of some common ones:

Protocols
1     ICMP
6     TCP
17    UDP
47    GRE
50    ESP
51    AH

Ports
20-21           FTP
22              SSH
23              Telnet
25              SMTP
42              WINS
53              DNS
80, 81, 8080    HTTP
88              Kerberos
110             POP3
111             Portmapper (Linux)
119             NNTP
123             NTP
135             RPC-DCOM
137, 138, 139   SMB
143             IMAP
161, 162  ...

Cheat Sheet : NetCat

Netcat is known by most hackers as the Swiss Army knife of hacking. It's a great tool to set up backdoors or just plain and simple TCP or UDP connections. Here are a few examples of how you can use netcat. Let's do some exercises with it in Kali Linux. Our VMs today are a Kali Linux and a Windows 7. First start by looking at the help file: nc -h

1. Let's check to see what ports are listening (first start the apache2 service), type: nc -v 80
2. If you had started the apache service on Kali Linux you should see it shows there as open
3. You can also set up a listener port, type: nc -lvp 1234
4. The l here is for listen, the v is for verbose, the p is to specify the port to listen on
5. Let's open up a second terminal window and use netcat to connect to the listener
6. In the second terminal type: nc 10.0.0.100 1234 and hit enter
7. The first terminal should show you connected
8. Now let's chat from the second terminal b...

Cheat Sheet : Nmap

Nmap is the industry standard tool used mainly for port scanning. It also has scripting functionality using the Lua language to extend its capabilities into different types of port scans and exploits as well. Being cross-platform, it is used as a major jumping-off point for exploiting machines that you have little information on outside of just an IP subnet or address. Below is a basic cheat sheet and examples for some common uses of it.

Discovery Scans:
Option    Description
--------------------
-sP       Ping
-sL       List Scan
-sO       Protocol Scan
-sV       Verify

Common Switches:
Option    Description
--------------------------
-n        Skip DNS resolving
-sn       Disable port scan
-Pn       Skip host discovery
-PO   ...