Posted on

Network scanning guide for beginners

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about Network Scanning. Network Scanning is the second stage in a Penetration Test and the first step in which an Ethical Hacker directly interacts with the target network.

What is Network Scanning?

Network Scanning is the technique in which the target network is scanned for LIVE systems (active systems), open ports and vulnerabilities. Network Scanning is of three types.

They are,

  1. LIVE Host Scanning or Host Scanning.
  2. Port Scanning.
  3. Vulnerability Scanning.

1. LIVE Host Scanning

In LIVE Host Scanning, a range of IP addresses (obtained earlier from Network Footprinting) is scanned for LIVE or active systems (systems that are turned on), since a system that is shut down cannot be attacked over the network. This can be done manually, but when an entire range of IP addresses has to be scanned it is best to use a network scanner.

How do network scanners detect whether a system is LIVE or not? Although they use a variety of methods, one of the most common methods any network scanner uses is Ping.

Ping is a network diagnostic tool that helps users determine whether a destination system is active or not. Ping works by sending an “echo request” to the target destination IP. If the destination system is LIVE, it sends back an “echo reply” message. Ping is available on both Windows and Linux systems and works using ICMP (Internet Control Message Protocol).

Apart from Ping, network scanners also use ARP scanning to determine whether a system is LIVE or not. ARP requests only reach hosts on the same local network segment, so ARP scanning works only when the scanner sits on the target's LAN.

2. Port Scanning

A port is a software-based virtual endpoint where network connections start and end. Each service is given its own port number, and ports are managed by the computer's Operating System. Some important port numbers and the services associated with them are given below.

(Table: common port numbers and their associated services)

Just like host scanners, port scanners are used to perform port scanning. NMAP is the most popular and versatile port scanner. But how does port scanning work? A port scanner sends a TCP or UDP packet to a specific port to enquire about its status. Learn about port scan results here. Attackers use various port scanning techniques before coming to a conclusion about a particular port of interest. Learn about various port scanning techniques here.
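
Both LIVE host scanning and port scanning leave a recognisable pattern in firewall or flow logs: one source sending ICMP echo requests to many hosts, or one source touching many ports on a single host. The script below is an added example for defenders, not code from the original post; it assumes a simplified, constructed log format (`time src dst proto port-or-type`) and uses arbitrary thresholds to flag a ping sweep and a port scan in sample lines.

```python
"""Spot ping sweeps and port scans in firewall log lines (defender's view)."""
import re
from collections import defaultdict

# Constructed sample log in an assumed simplified format:
#   time src dst proto port-or-icmp-type
# 10.0.0.5 pings twelve hosts in a row (a ping sweep),
# 10.0.0.7 probes fifteen ports on one host (a port scan),
# 10.0.0.9 is ordinary traffic and must not be flagged.
ICMP_LINES = [f"10:00:0{i % 10} 10.0.0.5 10.0.0.{10 + i} ICMP echo-request"
              for i in range(12)]
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3306, 3389, 8080]
SCAN_LINES = [f"10:00:1{i % 10} 10.0.0.7 10.0.0.10 TCP {port}"
              for i, port in enumerate(SCAN_PORTS)]
NORMAL_LINES = [
    "10:00:20 10.0.0.9 10.0.0.10 TCP 443",
    "10:00:21 10.0.0.9 10.0.0.10 TCP 443",
    "10:00:22 10.0.0.9 10.0.0.11 ICMP echo-request",
    "garbage line that does not parse",
]
SAMPLE_LOG = "\n".join(ICMP_LINES + SCAN_LINES + NORMAL_LINES)

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<proto>ICMP|TCP|UDP) (?P<info>\S+)$"
)


def parse_log(text):
    """Return a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_scans(events, host_threshold=8, port_threshold=10):
    """Return (ping_sweeps, port_scans).

    ping_sweeps: {src: number of distinct hosts it sent echo requests to}
    port_scans:  {(src, dst): number of distinct ports it touched}
    Only sources at or above the (arbitrary) thresholds are reported.
    """
    pinged_hosts = defaultdict(set)
    touched_ports = defaultdict(set)
    for ev in events:
        if ev["proto"] == "ICMP" and ev["info"] == "echo-request":
            pinged_hosts[ev["src"]].add(ev["dst"])
        elif ev["proto"] in ("TCP", "UDP") and ev["info"].isdigit():
            touched_ports[(ev["src"], ev["dst"])].add(int(ev["info"]))
    sweeps = {src: len(hosts) for src, hosts in pinged_hosts.items()
              if len(hosts) >= host_threshold}
    scans = {pair: len(ports) for pair, ports in touched_ports.items()
             if len(ports) >= port_threshold}
    return sweeps, scans


def analyze(text):
    """Parse a log and return the detections in one call."""
    return detect_scans(parse_log(text))


if __name__ == "__main__":
    sweeps, scans = analyze(SAMPLE_LOG)
    for src, n in sweeps.items():
        print(f"possible ping sweep from {src}: {n} hosts")
    for (src, dst), n in scans.items():
        print(f"possible port scan from {src} against {dst}: {n} ports")
```

Real detections add a time window so that a slow scan spread over hours is still counted, and they whitelist legitimate scanners such as monitoring systems; the distinct-host and distinct-port counts shown here are the core signal either way.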

3. Vulnerability Scanning

Vulnerability scanning identifies vulnerabilities in networks, applications and services. A vulnerability scanner uses a database to compare details about the versions of software running on the target system and so detect and identify vulnerabilities. This database contains common programming bugs, default credentials, default configurations, common usernames & passwords, etc.
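
The comparison step described above, version against database, is simple enough to show in code. The following Python is an added example (not the original post's code and not any real scanner's logic): it parses product names and versions out of constructed service banners and matches them against a constructed advisory database with placeholder identifiers rather than real CVE numbers.

```python
"""Version-based vulnerability matching, the core of a scanner's database lookup."""
import re

# Constructed advisory database with placeholder identifiers (not real CVEs).
# Each entry: product name, inclusive affected version range, severity.
VULN_DB = [
    {"id": "ADVISORY-EXAMPLE-1", "product": "apache",
     "affected": ("2.4.0", "2.4.49"), "severity": "high"},
    {"id": "ADVISORY-EXAMPLE-2", "product": "openssh",
     "affected": ("7.0", "8.3"), "severity": "medium"},
    {"id": "ADVISORY-EXAMPLE-3", "product": "mysql",
     "affected": ("5.5.0", "5.5.60"), "severity": "high"},
]

# Constructed inventory: (host, port, banner) as a port scanner might collect it.
INVENTORY = [
    ("10.0.0.10", 80, "Apache/2.4.49 (Ubuntu)"),
    ("10.0.0.10", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.11", 80, "nginx/1.24.0"),
    ("10.0.0.11", 3306, "MySQL 5.7.44"),
    ("10.0.0.12", 25, "220 mail ready"),   # no product/version to match
]

# A product name, one separator character, then a dotted version number.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z]+)[/ _](?P<version>\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """Return (product, version) from a service banner, or None if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group("product").lower(), m.group("version")


def match_vulns(inventory, db=VULN_DB):
    """Return findings as (host, port, advisory id, severity) tuples."""
    findings = []
    for host, port, banner in inventory:
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version = parsed
        v = parse_version(version)
        for entry in db:
            low, high = (parse_version(x) for x in entry["affected"])
            if entry["product"] == product and low <= v <= high:
                findings.append((host, port, entry["id"], entry["severity"]))
    return findings


if __name__ == "__main__":
    for host, port, advisory, severity in match_vulns(INVENTORY):
        print(f"{host}:{port} matches {advisory} ({severity})")
```

Pure version matching is also the source of most scanner false positives: distributions often backport security fixes without changing the version string, so a banner like the Apache one above can belong to a patched build. That is why scanners that matter also check package metadata or probe the actual behaviour before reporting.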

(Figure: vulnerability scan example)

Website footprinting for beginners

Hello, aspiring Ethical Hackers. In our previous article, you learnt what Footprinting is, why it is important and how many types of Footprinting techniques there are. Website Footprinting is one type of Footprinting.

What is Website Footprinting?

Website Footprinting is the process of analyzing the target's website to gather as much information as possible that may prove helpful in a penetration test or a hack, depending on which Hat you wear.

What information does Website Footprinting reveal?

Website Footprinting reveals the following information.

  1. Webserver software and its version.
  2. Type of CMS being used and its version.
  3. Contact details.
  4. Subdirectories of the website.
  5. Operating System of the host running the web server.
  6. Scripting languages used to code the website.
  7. Type of database used by the target website.
  8. Misconfigured files.
  9. Parameters used.
  10. Misplaced files.

How is Website Foot printing performed?

There are multiple methods to perform Website Footprinting. They are,

  1. Banner Grabbing
  2. Web Directory Scanning
  3. Web Spidering
  4. Website Mirroring
  5. Website Header Analysis

1. Banner Grabbing

A Banner is a small piece of information displayed by services, programs or systems. It often includes the type of software in use, its version and other details about the software, and sometimes even the operating system behind it. Banner Grabbing is the method of gaining information about the services running on a target system by grabbing this banner. Learn more about Banner Grabbing here.
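
The same banner that helps an attacker is something a site owner can audit on their own server. The Python below is an added example, not part of the original post: it parses a raw HTTP response (two constructed responses are embedded, one verbose and one trimmed) and reports which headers disclose software names and whether they carry version numbers.

```python
"""Audit what an HTTP response banner reveals (a check to run against your own server)."""
import re

# Constructed responses; the verbose one mimics a default-configured server.
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Headers that commonly carry software names and versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_banner(raw):
    """Return one finding per disclosing header present in the response."""
    _status, headers = parse_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append({
                "header": name,
                "value": value,
                "has_version": VERSION_RE.search(value) is not None,
            })
    return findings


def discloses_versions(raw):
    """True if any banner header leaks a version number."""
    return any(f["has_version"] for f in audit_banner(raw))


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_banner(raw), "leaks version:", discloses_versions(raw))
```

The trimmed response is what you get from Apache with `ServerTokens Prod`, from nginx with `server_tokens off`, and from PHP with `expose_php = Off`; hiding the version does not fix anything, but it removes the free lookup that banner grabbing relies on.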

2. Web Directory Scanning

Website directories are the folders present on a website. Sometimes these directories contain sensitive files, placed there through misconfiguration or by mistake. Not just that, there may be hidden directories that are not linked from the site and so cannot be discovered just by browsing it.

For example, earlier this year the Brazilian retail arm of the Swedish luxury vehicle manufacturer Volvo mistakenly exposed sensitive files on its website. These exposed files included the authentication details of its databases (both MySQL and Redis), open ports, credentials and even the website's Laravel application key.

There are many tools for website directory scanning. Let's look at one that is installed by default in Kali Linux, dirb. Since I don't want to spend the rest of my life in prison, I will not test this tool on any live website but on the web services of Metasploitable 2.

The command to run the “dirb” tool is very simple: just give it a URL and it starts scanning.

After the scan is finished, we can analyze the URLs one by one. I soon found an interesting one.

I first open the passwords directory and find a file named “accounts.txt” in it.

When I open it, I find some credentials. These appear to belong to users of the Mutillidae web app.

Then I open the phpMyAdmin page. phpMyAdmin is a database manager. Although I don't get access to the databases, I do get some server and OS information about the target.

The next interesting thing to check is the ‘robots.txt’ file. What is robots.txt? It is a file used to ask search engines not to index certain files and paths: any entry or path listed in robots.txt is not indexed or crawled by a well-behaved search engine spider. It is only a request to crawlers, not an access control, so anyone can read the file and visit the paths it lists. Let's see what it contains.

It disallows some six paths and files from indexing. In cases like this, any configuration file is a prized catch, so let's check out the “config.inc” file.
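
Reading a robots.txt by hand is easy for six entries, but a defender reviewing many sites wants the check automated. The Python below is an added example and not from the original post; it parses a constructed robots.txt (not the one on Metasploitable 2) into per-user-agent rules and flags Disallow entries whose names suggest the file is being used to hide sensitive content rather than to steer crawlers.

```python
"""Parse robots.txt and flag entries that merely hide sensitive paths."""
from collections import defaultdict

# Constructed robots.txt, not the file from Metasploitable 2.
SAMPLE_ROBOTS = """\
# crawlers please keep out
User-agent: *
Disallow: /passwords/
Disallow: /config.inc
Disallow: /backup.zip
Disallow: /admin/
Allow: /public/

User-agent: Googlebot
Disallow: /private-notes/
Sitemap: https://example.test/sitemap.xml
"""

# Path fragments that suggest an entry hides something sensitive.
SENSITIVE_HINTS = ("passw", "config", "backup", ".bak", ".sql", ".zip",
                   "admin", "secret", "private")


def parse_robots(text):
    """Return ({user-agent: [(directive, path), ...]}, [sitemap urls])."""
    groups = defaultdict(list)
    sitemaps = []
    agents, in_rules = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            if in_rules:                          # a rule line ended the last group
                agents, in_rules = [], False
            agents.append(value)                  # consecutive UA lines share rules
        elif key in ("allow", "disallow"):
            in_rules = True
            for agent in agents:
                groups[agent].append((key, value))
        elif key == "sitemap":
            sitemaps.append(value)
    return dict(groups), sitemaps


def sensitive_disallows(text):
    """Disallowed paths whose names hint at sensitive content, sorted."""
    groups, _ = parse_robots(text)
    found = set()
    for rules in groups.values():
        for directive, path in rules:
            if directive == "disallow" and any(h in path.lower() for h in SENSITIVE_HINTS):
                found.add(path)
    return sorted(found)


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in groups.items():
        print(agent, rules)
    print("sitemaps:", sitemaps)
    print("entries that should be protected by access control instead:",
          sensitive_disallows(SAMPLE_ROBOTS))
```

Every path this reports should be protected by authentication or removed from the web root; listing it in robots.txt only tells readers where to look.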

Once again, some credentials, but these appear to belong to a database.

3. Web Spidering or Crawling

Website crawling or spidering is a technique that follows the links of a website to understand its structure. Crawling sometimes reveals interesting links and pages on which Pen testers can focus.

A crawler or spider works this way: when you give it a URL or webpage, it visits that URL and makes a list of all the hyperlinks present on the page. Then it visits each of those hyperlinks and repeats the process recursively. In this way a website spider builds up the structure of the entire website, giving hackers a better picture of their target.

There are many website spidering tools. For this tutorial, we will use the Web directory scanner module of Metasploit.

I will use it to scan Mutillidae on Metasploitable 2.

Set the target IP or URL and set the path.

After all options are set, execute the module. After loading some required modules, it starts crawling the target website.

If the target website is very large, spidering can take a lot of time. That's all in this blogpost. In Part 2, readers will learn about website mirroring and how to gather information about a target website using web services. Read Part 2 now.

Metadata for Pen testers

Hello, aspiring Ethical Hackers. In our previous blog post, you learnt what Footprinting is, why it is important and the different types of Footprinting techniques. In this blog post, you will learn about performing Footprinting using Metadata.

What is Metadata?

Metadata is a set of data that provides information about other data. Simply put, it is data about the data. Everyone knows data is very important, but metadata is often ignored although it is equally important. But how is metadata helpful to Ethical Hackers? Before going there, let us see how to extract Metadata.

How to extract Metadata?

There are various tools and online resources that extract metadata from different files. For this article, let's use one tool that comes with Kali Linux, exiftool. Exiftool extracts metadata from a large number of file types.

Let’s extract the metadata of a docx file.

Now, let’s extract it from a PDF file.

Let’s see another PDF file.

Lastly, let’s use it on an image file.
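
To see where exiftool gets the docx fields from, it helps to know that a .docx is a zip archive whose author and application details live in two XML parts, docProps/core.xml and docProps/app.xml. The Python below is an added example, not from the original post and not exiftool's code: it builds a minimal docx-like zip in memory (constructed, with the creator names from this post and made-up dates), reads those fields back the way a metadata extractor does, and then shows the defensive counterpart, blanking them before a document is published.

```python
"""Read and scrub the metadata that a .docx file carries in its docProps/ parts."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML package properties parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed docProps parts, shaped like the ones Word writes.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>Admin</dc:creator>
  <cp:lastModifiedBy>Kalyan</cp:lastModifiedBy>
  <dcterms:created>2023-01-05T10:00:00Z</dcterms:created>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>"""

CORE_TAGS = ("dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified")
APP_TAGS = ("Application", "AppVersion", "Company")


def build_sample_docx():
    """A minimal .docx-like zip containing only the parts this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_metadata(docx_bytes):
    """Return the author/application fields, the way a metadata extractor reports them."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    for tag in CORE_TAGS:
        el = core.find(tag, NS)
        if el is not None and el.text:
            meta[tag.split(":")[1]] = el.text
    for tag in APP_TAGS:
        el = app.find(f"ep:{tag}", NS)
        if el is not None and el.text:
            meta[tag] = el.text
    return meta


def scrub_metadata(docx_bytes):
    """Return a copy of the document with the identifying fields blanked."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                is_core = item.filename.endswith("core.xml")
                tags = CORE_TAGS if is_core else [f"ep:{t}" for t in APP_TAGS]
                for tag in tags:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = None            # keep the element, drop its value
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    src.close()
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(scrub_metadata(original)))
```

Office's own "Inspect Document" feature does the same job for real files; the point of the code is that the fields are plain XML inside the zip, which is why exiftool can read them and why a publishing pipeline can strip them.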


How is it useful in pen testing?

If you have noticed, we performed metadata extraction on three types of files: docx, PDF and an image. That's because these are the most common types of files available online. Every organization uses these types of files on its website or elsewhere to convey information.

Extracting information from the docx file revealed the names of the creators of the file (Admin, Kalyan). This revelation can help in gaining access later (e.g. a username of admin) or in performing a spear phishing attack targeted at that user. We can also see that the document was created using Microsoft Word software, so we can target these users with a malicious macro attack.

Looking at the information extracted from the PDF file, we can see that this PDF was created using Microsoft Word. In this case, the version of the MS Word software (2019) is also clearly visible, along with the creator’s name.

The second PDF file was created using Microsoft PowerPoint, so we can figure out that these users need to be targeted with a PowerPoint attack.

Images are another of the most common types of files found on a website or other company property. We can see that the image I downloaded from a website was either edited or created with Photoshop, and its specific version is shown. So we can search for vulnerabilities in this particular software or use a lure themed on this software to target the organization.

That’s how Metadata can help Pen testers in gaining information about the target organization.

Network footprinting for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, Footprinting Guide, you learnt about the different types of Footprinting performed by hackers and pen testers to gather information about their target. One of the important types of footprinting is Network Footprinting.

What is Network Footprinting?

It is gathering information about the target’s network, such as the ranges of IP addresses used by the target organization, IP address blocks, etc. This Footprinting can be considered the last step before making initial contact with the target through network scanning. It also allows attackers to map the target network.

How to perform Network Footprinting?

Information like the range of IP addresses and their subnet masks can be found from the Regional Internet Registries (RIRs) and some other sites, given below.

  1. whois.arin.net – ARIN whois search
  2. apnic.net/about-apnic/whois_search – APNIC whois search
  3. AFRINIC whois search
  4. LACNIC whois search
  5. RIPE whois search
  6. bgp.he.net

Apart from these, there is also a tool called Samspade that can be used to perform this footprinting.

traceroute and tracert

Traceroute and tracert are computer network diagnostic commands that display the possible route (or path) that packets take to reach their intended target on the network. These commands utilize the TTL (Time To Live) field in the header of ICMP packets to discover the routers on the path to a target network or system.

That’s all about gathering information about the network.

Email analysis for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you learnt what footprinting is and the various methods to perform it. One such type of Footprinting is Email Footprinting, or Email analysis.

What is Email Footprinting?

Email analysis is gathering information from emails. This can be done in two ways: Email Tracing and Email Tracking.

Email Tracking: Email tracking is done when we send an email to a target and then track it.
Email Tracing: Email tracing is performed on an email that we receive from our target.

This article deals with Email tracing.

What information does Email Footprinting reveal?

Email Footprinting can reveal information like

  1. Email address of the sender.
  2. Name of the sender.
  3. IP address of the sender.
  4. Posts active sender.
  5. Geolocation.
  6. Mail server.
  7. Mail server authentication system being used, etc., and much more information that can be useful in a pen test.

How to perform Email Footprinting?

Email Footprinting can be performed manually, using tools or via other online sources. For this blogpost, let’s focus on manual analysis, since automated tools can be used by script kiddies too. To perform email footprinting, we need to view the header of the received email. How do you view the header of an email? Let’s see an example of a mail received on Gmail. Go to your Inbox and open a mail.

Go to the three vertical dots (the “More” button) at the top right of the email and click on it.

Click on “show original”.

This shows you the entire email header of the mail.

Let’s learn about each header.

Delivered-To: The email address to which the mail has been delivered.

Received: These headers list all the SMTP servers through which the email passed before reaching your Inbox. Each one contains the server’s IP address, SMTP ID, etc.

X-Google-Smtp-Source: Shows that the email was transferred using a Gmail SMTP server. If this header is present, the mail was transferred by a Gmail SMTP server.

X-Received-BY: This header indicates the last SMTP server visited before the mail reached your Inbox. It contains the server’s IP address, the SMTP ID of that server and the date & time when the email was received by it.

ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results: ARC stands for Authenticated Received Chain. It is used to preserve email authentication results and to verify the identity of the email intermediaries that forward a message to its final destination (i.e. your Inbox).

Smtp-mailfrom: Here you can see the IP address of the sender of the email.

Return-Path: The address to which the email is returned when it bounces or cannot be delivered.

Received-SPF: SPF stands for Sender Policy Framework. It is used to prevent sender address forgery. If SPF is set to PASS, the email source is valid; if it is softfail, the email source is likely fake; and if the value is Fail, the source is invalid.
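
The header walk-through above can be automated with the standard library. The Python below is an added example, not from the original post: it parses a constructed raw message (documentation IP ranges, made-up hostnames), reads the Received chain from oldest hop to newest, pulls the client IP and result out of Received-SPF, and compares Return-Path with From, the checks a mail analyst performs first on a suspicious message.

```python
"""Extract the routing and SPF facts from a raw email's headers."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message (RFC 5737 documentation addresses, invented hosts).
# The Received headers read newest-first, as delivered mail does: the
# bottom one was added by the first relay, the top one by our own server.
RAW_MAIL = """\
Delivered-To: victim@example.org
Received: from mx.example.org (mx.example.org [198.51.100.7])
        by inbox.example.org with ESMTP id abc123
        for <victim@example.org>; Mon, 2 Oct 2023 10:15:02 +0000
Received: from relay.provider.example (relay.provider.example [203.0.113.25])
        by mx.example.org with ESMTPS id def456; Mon, 2 Oct 2023 10:15:01 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
        by relay.provider.example with ESMTPA id ghi789; Mon, 2 Oct 2023 10:14:59 +0000
Received-SPF: softfail (mx.example.org: domain of sender@bank.example does not designate 203.0.113.25 as permitted sender) client-ip=203.0.113.25; envelope-from=sender@bank.example;
Return-Path: <bounce@other.example>
From: "Your Bank" <sender@bank.example>
To: victim@example.org
Subject: Account notice

Please review the attached statement.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def received_chain(msg):
    """Hops oldest-first: each with the sending IP and the server that logged it."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())            # unfold the header
        ip = IP_RE.search(value)
        by = BY_RE.search(value)
        hops.append({"ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    return hops


def spf_result(msg):
    """The verdict word and client-ip from Received-SPF, if present."""
    value = " ".join(msg.get("Received-SPF", "").split())
    verdict = re.match(r"(\w+)", value)
    client = re.search(r"client-ip=([\d.]+)", value)
    return {"result": verdict.group(1).lower() if verdict else None,
            "client_ip": client.group(1) if client else None}


def analyze(raw):
    """Summarise the facts an analyst reads off the headers first."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
        "spf": spf_result(msg),
        "from": from_addr,
        "return_path": return_path,
        "return_path_mismatch": return_path.split("@")[-1] != from_addr.split("@")[-1],
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MAIL).items():
        print(f"{key}: {value}")
```

Only the Received header written by your own mail server (the topmost one) is trustworthy; a sender can put any text they like in the earlier ones, so the "origin IP" found at the bottom of the chain is a lead to verify, not a fact.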

This is how Email analysis is performed.