Author: kanishka10

Posted on by

Popular Firewall bypass techniques

Hello, aspiring ethical hackers. In this blogpost, you will learn about most common firewall bypass techniques used by hackers and pen testers in real world. In our previous blogposts on Firewalls and IDS and IPS, you learnt in detail what are firewalls, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), types of Firewalls, IDS and IPS and various techniques used by them to do what they do best. Please read them first to better understand how firewall bypass techniques described below work.

Why do hackers and pen testers bypass Firewalls and IDS and IPS?

Before you learn about different techniques hackers and pen testers use to bypass firewalls, IDS ad IPS, you need to understand why it is important to bypass them. In real-world networks of organizations, firewall, IDS and IPS are the most common devices or software that are employed by organizations to keep their network secure. So, in order to reach the actual network, a penetration tester or hacker has to bypass the firewalls. The result of a successful pen test depends on the bypass techniques they use.

Common firewall bypass techniques

Firewall Bypass 1

Pen tester or hackers employ various techniques to bypass firewalls, IPS and IDS. They are,

  1. Spoofing the IP address.
  2. Proxies.
  3. Fragmenting packets.
  4. Source routing.
  5. Source port manipulation.

Let’s learn about each of these techniques in detail.

1. Spoofing the IP address:

If firewalls detect malicious traffic coming from a particular IP address or IP range, they just block the IP address to prevent malicious activity. This is one of the simplest functions of a Firewall or IPS. However, hackers or pen testers can bypass this by spoofing the source IP address. Learn more about IP address spoofing.

2. Proxies:

Hackers in real world and pen testers always hack their targets routing through another machine or computer. This is known as proxy. Hackers do this for covering tracks and do this to hide their activity. They also do this to bypass firewalls especially when the IP address is blocked by the firewall. They can also use proxy server for this purpose.

3. Packet fragmentation:

Data through network is transferred in the form of network packets. Each packet contains all the information needed for data transmission like the source IP address, destination IP address, source port and destination port etc. Firewalls and IDS analyses these packets for information. Each packet can be fragmented into small chunks and then transmitted. Fragmented packets are reassembled at the target machine. Reassembling the fragmented packets take lot of time and consume lot of resources. Most Firewalls and IPS are configured to ignore packets that are fragmented.

4. Source routing:

When a network packet is sent from the source system to the destination system, it hops through a number of devices before it reaches the destination machine. If a firewall or IDS is present in the route taken by the packet, it is blocked. So, hackers try to send this packet through a different route that doesn’t have a firewall or IDS. This is known as source routing.

5. Source port manipulation:

Firewalls allow traffic through some ports by default, say for example, HTTP port. If the source port is manipulated in the network packet, then it can bypass the firewall.

Posted on by

Beginners guide to Metasploit payloads

Hello, aspiring ethical hackers. Payloads play a very important role in ethical hacking. In this blogpost, you will learn everything about Metasploit payloads beginning from what is a payload, how many types of payloads are there and various functions of payloads etc.

What is a payload?

A payload in cyber security is a piece of code that is executed after successfully running an exploit to take advantage of a vulnerability. When a Proof Of Concept (POC) for a vulnerability is disclosed, this allows most hackers around the world to execute their chosen payloads. This payload can be anything from malware, reverse shell, RAT, ransomware etc or their own custom payload.

For example, ms08_067 vulnerability was exploited in real-world to deploy Conficker worm, but while pen testing, a meterpreter payload is used most probably.

Types of Metasploit payloads

Metasploit Payloads 1

Payloads in Metasploit can be classified into three types based on their function. They are.

  1. Staged payloads or stagers.
  2. Stageless or Non-staged (Inline) payloads or Single payloads.
  3. Stages

1. Single or Stageless / Non-staged or Inline payload:

A single payload s self-contained as it contains in itself all the code required to do what it does. This is one of the easiest payloads to create but its size is a bit large. This may increase suspicions.

2. Stager payload:

Stager payloads also known as stagers set the stage for another payload. Their purpose is to establish a network connection between the target system and attacker system.

3. Stages:

This is the payload that is downloaded by stager payload.

Posted on by

Beginners guide to pen testing

Hello, aspiring ethical hackers. In this blogpost, you will learn about what is pen testing, types of pen tests, the purpose of a pen test etc.

What is pen testing?

Pen testing also known as penetration testing is the testing done to exploit the vulnerabilities and weakness in the applications, system, device and network. The aim of pen testing is to find out about any vulnerabilities in the target and patch or fix them so that malicious hackers cannot exploit them and compromise the security of the organization.

Different approaches to pen testing

Pen Testing 1

Pen tests can be classified based on the information that is provided to the pen testers. They are,

1. Black Box Pen test:

In a Black box pen test, no information about the target is provided to the pen tester. This pen test is performed to simulate the Real-World Black Hat hacking attacks that usually start from the phase of reconnaissance.

2. Grey Box Pen test:

In a Grey Box pen test, the pen tester is provided limited information about the target network or organization. For example, this information is something like that gives basic login access to the pen tester. This pen test saves the elaborate time that takes to perform a Black box pen test.

3. White Box Pen test:

In this type of pen test, the maximum information needed about the target is provided to the pen tester as much as possible. This test is done to simulate the hacking attack in which the hacker knows about the target organization, someone like an internal employee. This test saves time and expenses.

Pen Testing 2

Based on the location of the pen test being done, pen tests are classified as Internal & External pen tests.

4. Internal Pen testing:

This pen test is performed from inside the organization. This is to simulate the inside threats, who have extensive knowledge about the organization and its resources.

5. External Pen testing:

As you might have already expected, this pen test is performed from outside the organization. This test is usually performed to test the perimeter security of the network.

Types of pen testing

Pen Testing 3

There are different types of pen tests. They are,

  1. Network Penetration Testing.
  2. Wireless Penetration Testing.
  3. Social engineering Pen test.
  4. Physical pen test.
  5. Red Team pen test.
  6. Web app pen test.
  7. Mobile Pen test.
  8. IOT Pen test.
  9. Cloud Pen test.

Posted on by

Beginners guide to Hacking

Hello, aspiring ethical hackers. In this blogpost, you will learn about the foundation concept of this blog and magazine, Hacking. Yes, in this blogpost, you will learn everything about hacking.

What is hacking?

Hacking is a term that is mostly used in the realm of cybersecurity nowadays. Hacking is the art of gaining access to a device or a network or a resource through other means than the usual means of access. This unauthorized way of gaining access is mostly considered illegal.

History of hacking

Nowadays, you can see the term “Hacking” being thrown around in the content of cyber security but the beginning of hacking had nothing to do with computers at all.

Yes, you read that right. Hacking, usually began as phreaking. Phreaking is the illegal practice of hacking into telephone systems to make free calls way back in 1970’s. A person who did phone phreaking was called a Phone phreak. Although, there were many phone phreaks at that time, the most famous (or infamous) among them would be John Draper, popularly known as “Captain Crunch”. John Draper used a toy whistle to mimic & manipulate tones of telephone systems to fool them to make free long-distance calls. The toy whistle he used was found in a box of “Captain Crunch” cereal and hence his other name.

The term ‘hacking’ was used as early as 1950’s and it was used to define any person that explored the limits of a computer system. But computer hacking started spreading its wings after the personal PC era began in 1980’s.

The most notorious hacker at that time was Kevin Mitnick who performed many hacking attacks on some of the world’s largest companies at that time. As internet evolved in 1990s and 2000s, you know what hackers can do now.

Terminology of hacking

To understand hacking, you need to have a basic understanding of some of the terms related to hacking. They are,

Hacking 1 2

1. Asset:

In an organization, anything of value is considered as an asset. For example, employee records of the organization, employee credentials, records of its customers, the servers, computers etc are considered of value to the organization.

2. Threat:

Any action or event that can disrupt the organization’s activities can be termed as threat. For example, these actions can be deleting the user accounts of employees of the organization, making their services unavailable to their customers etc.

3. Vulnerability:

A vulnerability is a weakness in the system application or network of the organization.

4. Exploit:

The programing code written to take advantage of this vulnerability is known as exploit. (A zero-day vulnerability is a vulnerability which doesn’t have any patch yet).

5. Patch:

Code written to mitigate the vulnerability in the system, application or network is known as a patch. (You should have heard of Exploit Database. As the name of the website implies, it hosts all the exploits or POC’s. A proof of Concept is the exploit code written to demonstrate the vulnerability.

6. Payload:

In hacking, exploit takes advantage of the vulnerabilities. After exploiting the vulnerability, hackers usually run specific code. This code is known as payload. For example, ms_08_067 is a vulnerability which is exploited by the exploit module of same name, while meterpreter is the payload. Learn more about the payloads here.

7. Impact:

The damage done to the asset due to exploitation of vulnerability is known as impact.

    Types of hackers

    You have learnt that a person performing hacking is known as a hacker. Based on the type of hacking they perform; hackers can be classified into different types. They are,

    Hacking 2

    1. Black Hat Hacker:

    A Black Hat Hacker is a hacker who performs all illegal hacking attacks. These are the villains in the domain of hacking.

    2. White Hat Hacker:

    If there are bad guys of hacking, there are bound to be good guys of hacking. White Hat hackers are the good guys of hacking. They protect the organizations from the Black Hat Hackers.

    3. Grey Hat Hacker:

    Like the Grey zone, these hackers are in the group of ambiguous zone, who cannot be necessarily called Black Hat or White Hat hackers. For example, a person working as a White Hat Hacker in day and taking Black Hat assignments at night.

    4. Green Hat Hacker:

    Green Hat Hackers are those hackers who have no knowledge but are “experts” at using readymade tools and exploits made by Elite Hackers.

    5. Red Hat Hacker:

    Red Hat Hackers are White Hat Hackers that try to take down or prevents Black Hat Hackers. They sometimes use aggressive tactics to achieve their goal.

    6. Blue Hat Hacker:

    Blue Hat Hackers (also known as Blue Teams) are hired to test the organization for any vulnerabilities or weaknesses. They are similar to White Hat Hackers but are extreme.

    7. Hacktivist:

    A hacktivist is a type of hacker who hacks to promote a political or social or environmental cause.

    8. Elite Hackers:

    At the opposite ends of Green Hat Hacker or script kiddie, we have the Elite Hackers who have deep knowledge of hacking. He/she likes to write his/her own exploits, find zero-days etc.

    9. Advanced Persistent Threats (APTs):

    APT’s are state-sponsored hackers (more rightly hacker groups) that are specifically used to target enemy nations, perform cyber espionage, collect information etc.

    Posted on by

    Data-Link layer attacks

    Hello, aspiring ethical hackers. In this blogpost, you will learn about various Data-Link Layer attacks (various hacking attacks that take place on the Data-Link layer).

    The Data-link layer is the second layer of the seven-layer OSI model. This layer is the protocol layer that transports data between network nodes in a wide Area Network or nodes in the same Local Area Network (LAN). It is responsible for ensuring and confirming that the bits and bytes received are similar to the bits and bytes being transmitted. In this layer, data is transferred in frames and communication takes place using MAC addresses instead of IP addresses. The attacks in the Data-link Layer take place in a LAN.

    Data Link Layer Attacks 1 1

    What is a Network Hub?

    A network hub is a hardware device that connects multiple devices to a network and allows them to communicate with each other and share resources.

    Just imagine, you have a router with 5 LAN ports. Using LAN cables, you can connect 5 devices to this router. Now, what if you want to connect 10 devices to the same network. This is where the use of network hub comes. You can connect a network Hub to one of the ports of a router. Let’s say this network hub has 10 LAN ports. So you can connect 10 computer devices to the same network. Similarly you can connect Network Hub to all ports of the routers to extend the network.

    Data Link Layer Attacks 3
    Network Hub
    Image Source: Wikipedia

    The only disadvantage with Hub is that it sends traffic intended to be between two machines to all the devices of the network. Other than consuming bandwidth, it also poses security threats like sniffing.

    For example, let’s say someone from machine “B” in a network is logged into telnet server on machine “A”. You have seen in our packet sniffing blogpost that in telnet protocol, data is transferred in plain text format. So in a Hub based network, the network traffic intended to be between “A” and “B” will even go to another machine in the network “C”. If a hacker is on machine “C” he can view the telnet credentials by sniffing.

    What is a Network Switch?

    Data Link Layer Attacks 2 1
    Fig: Network Switch
    Image source: Wikipedia

    The above reasons are why, network Hubs have been replaced by Network Switches. A Switch, similar to a Network Hub in a hardware device that connects all the device of a network. The only difference in switch sends the traffic to the intended device instead of all the devices in the network

    What is a MAC address?

    Just now, you have read that communication between devices in a LAN takes place using MAC addresses. But what is a MAC address? Every computing device on Internet (Desktop, Laptop and Mobiles etc) has a Network Interface Card (NIC). This Network Interface Card (NIC) is a hardware circuit in the computing devices that enables the devices to be able to connect to a network.

    Each NIC is given a unique hardware address that is also popularly known as a Media Access Control (MAC) address. A MAC addresses is a 48-bit number consisting of six groups of two hexadecimal digits. To learn how MAC addresses are assigned to devices and how to find MAC address of your device, you can read this blogpost.

    Data Link Layer Attacks 4

    Types of Data-Link layer attacks

    Since now you have understood how Data-Link layer works and what is a MAC address, let’s learn about various Data-link layer attacks.

    1. MAC spoofing
    2. MAC flooding
    3. ARP spoofing or poisoning
    4. DNS spoofing
    5. DHCP starvation

    Let’s learn about each attack in detail.

    1. MAC spoofing:

    Although every computing device has its unique MAC address, it can be spoofed. Normally, when a MAC address of a device (say A) is spoofed to that of another device (say B) all the traffic that is intended to move toward device B goes to device A and the attacker can view all the traffic belonging to device B.

    2. MAC flooding:

    You have just now learnt about what is a Hub and what is a Switch and the differences between a Hub and Switch. You also learnt about CAM table or ARP table. In a MAC flooding attack, the CAM table is bombarded with a number of fake MAC addresses disabling the Switch’s ability to detect which MAC address belongs to which port.

    To overcome this problem, a network Switch uses its broadcast address to transmit frames to the intended destination. In typical sense, the network switch here behaves like a Hub and you know about the dangers of using a Hub. A hacker already in the network can monitor the network traffic he wants via packet sniffing.

    3. ARP spoofing and poisoning:

    In this type of attack, the attacker sends fake ARP packets to the network from the attacker-controlled system (System A). Here, the attacker-controlled system acts as the gateway. This leads to all other devices querying the attacker-controlled system resulting in the attackers using packet sniffing again to sniff on traffic.

    4. DNS spoofing:

    This attack requires ARP spoofing to work. In this type of attack, attacker responds to DNS queries of the target system instead of the legitimate DNS server.