EvilZone

: Introduction to hacking and Basic Info gathering and recon tools
: khofo October 05, 2014, 06:47:16 PM

Introduction to hacking and Basic Info gathering and recon tools.

I - Introduction to hacking

1. Types of hackers: (I know this section is over-discussed but I felt the need to include it)

- Suicide Hacker: Hacks without hiding himself, and generally wants to be caught; the internet's attention whore.

- Spy Hacker: Works alone or with a team, steals sensitive info to sell it (fabrication secrets, for example)

- Cyber-Terrorist: Causes damage to anything (DOS, DDOS, leak sensitive info)

- State-Sponsored Hacker: Works for his country to hack other governments to steal intel (we all heard about Chinese hackers)

2. Hacktivism

The use of hacking skills to promote political or religious views (defacing websites to deliver a message, for example)

3. Computer Crimes:

- Fraud
- Obscene or offensive content
- Harassment
- Threats
- Drug Trafficking
- Cyber Terrorism
- Cyber Warfare
- Phishing
- Dumpster Diving
- Hacking WiFi or Bluetooth without permission
- Using public exploits
- Hacking someone's PC
- Spam


4. Ethical Hacking

Ethical Hacking is not Penetration Testing.
Hacking is forcing a system or network to do things it's not supposed to do, so Ethical Hacking is attacking, but with PERMISSION.
Penetration Testing will allow the owner of the network to know if vulnerabilities can be exploited. So it is EXPLOITING, not finding, the vulnerabilities.

- Vulnerability Assessment: Only scan and find the vulnerabilities without exploiting them.

- Security Auditing: Evaluate a checklist to comply with certain standards.

5. Penetration testing types:

- Net Services/Devices: Try to get access to physical components on the target's network to get sensitive info or simply to breach the network.

- Client Side: The human being is always the weakest part of a network, so the attacker can use social engineering techniques to get access to sensitive info (spear phishing is a great way to do that).

- Web App: Exploit vulnerabilities in the target's website; this can be used both to get access to sensitive content and to compromise the website.

- Wireless (including DOS): Wirelessly try to get access to or compromise the network via the target's Wi-Fi or wireless devices; this can include jamming, MITM, spoofing, and a wide range of attacks.

- Physical: Physically penetrate the location to access the network, or breach the security to steal intel or equipment, or to sabotage.


II - Reconnaissance and Info Gathering

1. Info Gathering

a- Intel about the client/target. Use:

1- Search Engines: To find general information and have an idea of the target.

2- Website: Usually the website is a great place to look into; locations, numbers and emails are important info that is publicly available.

3- Tech Support forums: The IT guy may have left some info about some issue he has, hardware used, intel that can be used later.

4- Financial/Business Articles: Will give you an idea of the size of the company, and an idea about their IT spending.

b- The tools:

Organizing the info:
- Dradis (http://dradisframework.org/) (integrated in Kali)

Copying the website:
- wget (http://www.gnu.org/software/wget/) (LUI)
- HTTrack (http://www.httrack.com/) (GUI, Windows only)

Harvesting company emails:
- The Harvester (http://www.edge-security.com/theharvester.php): it's a very interesting tool which will allow the use of engines like Google, Bing, LinkedIn and PGP key servers to find company emails as well as mini hosts. It can be used to evaluate the footprint of the target on the internet.

Custom wordlists:
- CEWL (http://digi.ninja/projects/cewl.php) is a tool that will spider the target website and create a custom wordlist, which can be useful.

Info intelligence:
- Maltego (https://www.paterva.com/) is an awesome tool; it gives you the possibility of seeing the links between services, people, locations and much more.


Google:

Google is your best friend; the subject is over-discussed so I won't detail it.
- Search strategies
- Google Dorking

People Search:

This can be very useful to find out more about the people in the company.
- Pipl (http://pipl.com/)
- Whitepages (http://whitepages.com/)
These are the most known and reliable for people search.
2. Reconnaissance

a- Metadata:
It's basically the data within the data; check more here (http://en.wikipedia.org/wiki/Metadata).
Tools:
- FOCA (https://www.elevenpaths.com/labs/philosophy/index.html): Excellent tool with a GUI; you can save all the data and it organizes everything. Unfortunately it's only available on Windows.

- Metagoofil (http://www.edge-security.com/metagoofil.php): Delivers the same but under a LUI, is available on Linux and comes loaded with Kali.

Image Metadata Extractor:

- Jeffrey's Exif viewer (http://regex.info/exif.cgi) is very reliable.

- Metadata in images may include: location, camera, user, etc.

b- Gathering info about the web server
For info like server type, script type, etc.

- The best tool on Linux is whatweb (http://www.morningstarsecurity.com/research/whatweb)

- On Windows there is an awesome GUI: HttpRecon (https://w3dt.net/tools/httprecon)

- SSLscan (http://sourceforge.net/projects/sslscan/) is good for websites using HTTPS

- Who.is (http://who.is/) or whois is of course at the base of any recon :p

c- For IP Geolocation:
- There are lots of web-based tools, but a nice tool that combines the results of multiple services is a Python script called Geoedge.py (http://www.edge-security.com/soft/geoedge.py)

d- Load Balancing

Load Balancing is using software or hardware to distribute workload over multiple computers, CPUs or HDDs. For more about load balancing click here (http://en.wikipedia.org/wiki/Load_balancing_(computing))
Some tools for finding load balancers:
- The dig command
- Lbd.sh (http://pastebin.com/gszAqZtJ) is a shell script that will check for load balancers; in my opinion it's better than dig, and of course it finds DNS/HTTP load balancers too.
- Halberd (http://infosecplatform.com/2013/10/19/load-balance-detector-halberd/) is also a nice tool which displays the results in a nice manner :)

e- For Firewall detection:

I usually use WafW00f (https://github.com/sandrogauci/wafw00f); it's the most widespread WAF detector and it's very reliable.

f- DNS Enumeration

DNS is very important, but there are a lot of tutorials out there and I did not feel the need to cover it here. But if you guys want, I can fill in this section.
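Added example (mine, not from the post or any of the tools it lists) for the Metadata section above: a minimal EXIF/TIFF parser that pulls the camera make and the GPS position out of an Exif block, which is the check to run on your own images before they go online. The sample block, its "ExampleCam" make and the coordinates are all constructed here.

```python
import struct

TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825  # IFD0 tags (TIFF/EXIF spec)
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004  # GPS sub-IFD tags
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL
def read_ifd(data, offset, order):
    """Parse one Image File Directory into {tag: decoded value}."""
    entries, count = {}, struct.unpack_from(order + "H", data, offset)[0]
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(order + "HHI", data, pos)
        size = TYPE_SIZE[typ] * n
        # Values of 4 bytes or less sit inline in the entry; larger ones live at an offset
        val_pos = pos + 8 if size <= 4 else struct.unpack_from(order + "I", data, pos + 8)[0]
        raw = data[val_pos:val_pos + size]
        if typ == 2:
            entries[tag] = raw.split(b"\0")[0].decode("ascii")
        elif typ in (3, 4):
            entries[tag] = struct.unpack(order + ("H" if typ == 3 else "I") * n, raw)
        elif typ == 5:
            nums = struct.unpack(order + "I" * (2 * n), raw)
            entries[tag] = [nums[j] / nums[j + 1] for j in range(0, 2 * n, 2)]
    return entries
def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals plus hemisphere letter -> signed decimal degrees."""
    return (-1 if ref in ("S", "W") else 1) * (dms[0] + dms[1] / 60 + dms[2] / 3600)
def extract_exif(exif):
    """exif: bytes of a JPEG APP1 segment after the 'Exif\\0\\0' marker (a TIFF block)."""
    order = "<" if exif[:2] == b"II" else ">"
    ifd0 = read_ifd(exif, struct.unpack_from(order + "I", exif, 4)[0], order)
    report = {"make": ifd0.get(TAG_MAKE), "model": ifd0.get(TAG_MODEL), "gps": None}
    if TAG_GPS_IFD in ifd0:  # the GPS sub-IFD pointer is what leaks the location
        gps = read_ifd(exif, ifd0[TAG_GPS_IFD][0], order)
        if GPS_LAT in gps and GPS_LON in gps:
            report["gps"] = (dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
                             dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")))
    return report
def build_sample_exif():
    """Constructed sample (not from a real camera): little-endian TIFF block, IFD0 at offset 8."""
    o, ent = "<", lambda tag, typ, n, val: struct.pack("<HHI", tag, typ, n) + val
    hdr = b"II*\0" + struct.pack(o + "I", 8)
    ifd0 = (struct.pack(o + "H", 2) + ent(TAG_MAKE, 2, 11, struct.pack(o + "I", 38))
            + ent(TAG_GPS_IFD, 4, 1, struct.pack(o + "I", 50)) + b"\0\0\0\0")
    make = b"ExampleCam\0\0"  # 11-byte string at offset 38 plus one pad byte
    gps = (struct.pack(o + "H", 4) + ent(GPS_LAT_REF, 2, 2, b"N\0\0\0")  # GPS IFD at offset 50
           + ent(GPS_LAT, 5, 3, struct.pack(o + "I", 104)) + ent(GPS_LON_REF, 2, 2, b"W\0\0\0")
           + ent(GPS_LON, 5, 3, struct.pack(o + "I", 128)) + b"\0\0\0\0")
    rationals = struct.pack(o + "12I", 48, 1, 51, 1, 30, 1, 2, 1, 17, 1, 40, 1)  # lat at 104, lon at 128
    return hdr + ifd0 + make + gps + rationals  # decodes to 48.8583 N, 2.2944 W
```

To audit a real JPEG, pass it the bytes that follow the `Exif\0\0` marker of the APP1 segment; a non-None `gps` entry means the file would disclose where it was taken.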
: Re: Introduction to hacking and Basic Info gathering and recon tools
: Spectrum_963 October 05, 2014, 11:43:47 PM
This is basically a list. You could add SOME explanation. Like for example, what do you mean by Client Side under pen testing? (don't say newbs should go google, you should at least add a summary or something.)
+1 anyways.
: Re: Introduction to hacking and Basic Info gathering and recon tools
: Phage October 06, 2014, 01:01:56 AM
As Spectrum suggested, it would benefit the cause of this thread to add a few descriptions to the tools. Also, please, format the thread properly.
: Re: Introduction to hacking and Basic Info gathering and recon tools
: khofo October 06, 2014, 03:13:05 AM
I will add organization, info and links once I get home, but because I wrote this on Google Docs on mobile it does lack some things :)
As Spectrum suggested, it would benefit the cause of this thread to add a few descriptions to the tools. Also, please, format the thread properly.
This is basically a list. You could add SOME explanation. Like for example, what do you mean by Client Side under pen testing? (don't say newbs should go google, you should at least add a summary or something.)
+1 anyways.
: Re: Introduction to hacking and Basic Info gathering and recon tools
: lucid October 07, 2014, 01:10:17 AM
So you figured you just HAD to post a tutorial while you were on the go? This is not even a tutorial, it is terribly formatted, and it most likely has bad information. You can't just post whatever shit you want because you are trying to contribute. That actually looks worse than not contributing. Also, if you are not particularly knowledgeable on a subject, or the subject is of no real value to the forum, you shouldn't post. It makes the forum look bad and it makes other new people who are trying to learn confused with misinformation.

Don't post until you have something worthwhile, and that you actually know about.
: Re: Introduction to hacking and Basic Info gathering and recon tools
: khofo October 07, 2014, 04:51:39 PM
So you figured you just HAD to post a tutorial while you were on the go? This is not even a tutorial, it is terribly formatted, and it most likely has bad information. You can't just post whatever shit you want because you are trying to contribute. That actually looks worse than not contributing. Also, if you are not particularly knowledgeable on a subject, or the subject is of no real value to the forum, you shouldn't post. It makes the forum look bad and it makes other new people who are trying to learn confused with misinformation.

Don't post until you have something worthwhile, and that you actually know about.

*taking notes* okay


EDIT: Done
: Re: Introduction to hacking and Basic Info gathering and recon tools
: M1lak0 October 16, 2014, 07:49:38 PM
Well, I will appreciate rather than finding faults.. I liked it, and with basic information anybody can get it.. Thanks for sharing with people who are starting with the basics.. :)
: Re: Introduction to hacking and Basic Info gathering and recon tools
: khofo October 16, 2014, 09:43:25 PM
Well, I will appreciate rather than finding faults.. I liked it, and with basic information anybody can get it.. Thanks for sharing with people who are starting with the basics.. :)


If there is any mistake tell me I'll fix that, and yes this is a very basic introduction