Beginners guide to IDS and IPS

Hello, aspiring ethical hackers. This blogpost is a beginner guide to IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). IDS and IPS are two of the security technologies used for securing the network of any organization from hackers.

What is an IDS and what is an IPS?

An Intrusion Detection System (IDS) is an appliance or software that detects any malicious activity on the network and reports it. An Intrusion Prevention System (IPS), on the other hand, acts just like an Intrusion Detection System but, unlike it, doesn't just make a report; it also tries to prevent the activity from occurring. This malicious activity can be anything, such as modification of system or other important files, suspicious network traffic, or execution of certain files. Both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are useful in enhancing the security of the network.

Based on the mode of operation, Intrusion Detection Systems and Intrusion Prevention Systems can be classified into two types. They are 1) host based (software) and 2) network based (hardware).

  1. Host based Intrusion Detection and Prevention Systems: They work by detecting or preventing threats on a single system.
  2. Network based Intrusion Detection and Prevention Systems: These are most probably hardware appliances that detect or prevent threats on the entire network.

Types of IPS and IDS

Based on the techniques they use to identify and prevent threats, Intrusion Detection Systems and Intrusion Prevention Systems can be classified into two types. They are,

    1. Signature based:

    This type of Intrusion Prevention System and Intrusion Detection System detects threats by comparing actions with predefined signatures. For example, if the action of an executable matches a predefined signature of an IDS or IPS, it is classified as a threat.

    2. Anomaly based:

    Anomaly based Intrusion Detection Systems and Intrusion Prevention Systems detect threats by observing the behavior of the assumed threat. If the IDS or IPS sees any behavior that differs from what is considered normal, it classifies it as a threat. For example, if a program being installed is trying to alter system files, this can be considered an anomaly.
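
The two detection techniques side by side, as an added example that is not part of the original post. The rule names, programs, paths and events are constructed for illustration, and the "normal" baseline is assumed to come from a clean training period.

```python
import re
from collections import defaultdict

# Constructed signatures for illustration; not a real rule set.
SIGNATURES = {
    "SIG-1 log wipe": re.compile(r"^(truncate|delete) /var/log/"),
    "SIG-2 shadow read": re.compile(r"^read /etc/shadow$"),
}

def signature_alerts(events):
    """Signature based: alert when 'verb path' matches a predefined pattern."""
    return [(prog, name)
            for prog, verb, path in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(f"{verb} {path}")]

def top_dir(path):
    """First path component, e.g. '/opt/app/bin' -> '/opt'."""
    return "/" + path.strip("/").split("/")[0]

def build_baseline(events):
    """Learn which top-level directories each program normally writes to."""
    normal = defaultdict(set)
    for prog, verb, path in events:
        if verb == "write":
            normal[prog].add(top_dir(path))
    return normal

def anomaly_alerts(events, baseline):
    """Anomaly based: alert on a write outside the program's learned directories."""
    return [(prog, path) for prog, verb, path in events
            if verb == "write" and top_dir(path) not in baseline.get(prog, set())]

# Constructed events: (program, verb, path). TRAINING is assumed to be clean.
TRAINING = [
    ("installer", "write", "/opt/app/bin/app"),
    ("installer", "write", "/tmp/install.log"),
]
OBSERVED = [
    ("installer", "write", "/opt/app/lib/new.so"),  # within the baseline
    ("installer", "write", "/etc/passwd"),          # no signature, but not normal
    ("cleanup", "truncate", "/var/log/auth.log"),   # matches SIG-1
]

if __name__ == "__main__":
    print("signature:", signature_alerts(OBSERVED))
    print("anomaly:  ", anomaly_alerts(OBSERVED, build_baseline(TRAINING)))
```

The signature engine misses the write to `/etc/passwd` because no rule describes it, and the anomaly engine flags every write once its baseline is empty, which is why the two techniques are usually deployed together.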

    Covering tracks in ethical hacking

    Hello, aspiring ethical hackers. In this blogpost, you will learn about covering tracks, which is the last of the 5 phases of ethical hacking.

    What is Covering tracks?

    Covering tracks or clearing tracks is the phase of ethical hacking in which a hacker tries to erase all the evidence on the target system that can lead back to the hacker. For covering tracks, hackers perform various actions. They are,

    1. Uninstalling executables and scripts:

    Hackers install many scripts and executables on the target system as part of their hacking attack. These scripts may help hackers with cracking passwords, privilege escalation, maintaining access etc. Detection of these scripts and executables on the target system can lead the investigators to the hacker. So, hackers uninstall or delete any scripts or executables they have used in carrying out the hacking attack.

    2. Clearing logs:

    Every operating system has its own logs that record different operational activities being performed on the operating system. They also record any actions performed by hackers. When an incident investigator observes these logs, he can easily deduce what the hacker did on the target system. To prevent this, hackers clear these logs to hide whatever they did on the target system.

    Fig: Event Viewer in Windows where all logs can be viewed
    Fig: In Linux all logs are stored in the “/var/log/” directory

    3. Timestamping files:

    Every file on the operating system has a time stamp which reveals information about the file like the date of its creation, last modified time etc. Hackers change this timestamp of the files appropriately to prevent detection of the modifications they made to files inadvertently while hacking.

    Fig: Timestamp of a file in Windows
    Fig: Timestamp of a file in Linux

    4. Modifying registry values:

    The Windows Registry in the Windows operating system is a hierarchical database that contains information, settings, options, and other values for programs and hardware installed on the Windows operating system. Changes made to some program can also be detected by viewing this registry. So, hackers also modify these registry values to hide their malicious activity.

    Fig: Windows Registry
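
From the investigator's side, changed timestamps leave their own trace. The check below is an added example, not part of the original post: it assumes a Linux file system, where the inode change time (ctime) is set by the kernel whenever a file's timestamps are rewritten, so a modification time far older than ctime deserves a look. The function names, sample files and one-hour slack are assumptions.

```python
import os
import tempfile
import time

def backdated_files(root, slack_seconds=3600):
    """Return files under root whose mtime is older than ctime by more than slack.

    On Linux, st_ctime is the inode change time. It is updated when mtime is
    rewritten and cannot be set through the normal timestamp APIs.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_ctime - st.st_mtime > slack_seconds:
                hits.append(path)
    return sorted(hits)

def demo():
    """Build two constructed sample files, back-date one, and scan the directory."""
    with tempfile.TemporaryDirectory() as root:
        normal = os.path.join(root, "normal.txt")
        odd = os.path.join(root, "backdated.txt")
        for path in (normal, odd):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        year_ago = time.time() - 365 * 24 * 3600
        os.utime(odd, (year_ago, year_ago))   # rewrite atime and mtime only
        return [os.path.basename(p) for p in backdated_files(root)]

if __name__ == "__main__":
    print(demo())
```

Archive extraction, `cp -p` and package installs produce the same pattern legitimately, so a hit is a lead to correlate with other evidence rather than a verdict.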

    Beginners guide to a web shell

    Hello, aspiring ethical hackers. In this blogpost you will learn about web shells. In our previous blogpost you learnt what a shell is, what it does and the types of shell. A web shell is a type of shell, but it is used in relation to websites and web servers.

    What is a web shell?

    A web shell is a type of shell that gives an attacker access to a website or web server. It is usually uploaded after the website is already compromised, as a means to have persistent access to the website in future.

    Web shells have various features. The most important of them are,

    1. Persistent access.
    2. Uploading additional files to the web server.
    3. Downloading files from the web server.
    4. Executing additional scripts on the web server.
    5. Dumping databases of the web server.
    6. Pivoting to other devices on the network.
    7. Privilege escalation etc.

    We can say that once a web shell is uploaded to the website, it gives complete control over the website to the attackers.

    How are web shells uploaded?

    Some vulnerabilities and attacks allow hackers to upload web shells to the website to keep having persistent access. Some of these vulnerabilities are,

    1. File upload vulnerabilities:

    File upload or Remote file inclusion (RFI) vulnerabilities allow attackers to upload arbitrary files to the web servers. These arbitrary files are most probably web shells.

    2. Path traversal vulnerabilities:

    In some cases, path traversal or Local File Inclusion (LFI) vulnerabilities also allow attackers to upload web shells.

    3. XSS vulnerability:

    Not just file inclusion vulnerabilities, even cross site scripting (XSS) vulnerabilities in some cases allow uploading of web shells.

    4. Password cracking:

    After the password of the website is successfully cracked, attackers can upload web shells to a website for future access.
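
On the defensive side, the file upload route is closed by validating every upload on the server. The validator below is an added example, not part of the original post; the allow-list, the extension list and the function names are assumptions chosen for an application that accepts only images and PDFs.

```python
import os
import secrets

# Assumed policy for this example: images and PDFs only, keyed to their magic bytes.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}
# Extensions a web server may hand to an interpreter (not exhaustive).
SCRIPT_EXT = {"php", "phtml", "php5", "phar", "asp", "aspx", "jsp", "cgi", "pl", "py", "sh"}

def validate_upload(filename, content):
    """Return a server-generated storage name, or raise ValueError."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or "\x00" in base:
        raise ValueError("path component or NUL byte in file name")
    parts = base.lower().split(".")
    if SCRIPT_EXT & set(parts[1:]):
        raise ValueError("script extension anywhere in the name")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in MAGIC:
        raise ValueError("extension not on the allow-list")
    if not content.startswith(MAGIC[ext]):
        raise ValueError("content does not match the claimed type")
    # Never reuse the client-supplied name on disk.
    return secrets.token_hex(16) + ext

def is_rejected(filename, content):
    """True when validate_upload refuses the file."""
    try:
        validate_upload(filename, content)
        return False
    except ValueError:
        return True

PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed sample bytes

if __name__ == "__main__":
    print(validate_upload("photo.png", PNG))
```

Magic-byte checks do not stop a file that is both a valid image and a script, so the upload directory should also sit outside the web root or have script execution disabled.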

    Types of web shells

    Web shells are easily available on the internet. There are various types of web shells with a variety of features in various languages. Needless to say, the web shell being uploaded to the website should be in the same language as the server-side scripting language used on the web server or website. Now, let's study some web shells.

    1. Weevely:

    Weevely is a web shell designed for post-exploitation, with almost 30 modules to assist in administrative tasks, maintaining access, elevating privileges and spreading over the network. Learn more about it here.

    2. Web shells in Kali Linux

    Kali Linux itself has some web shells ready to be deployed. Although their functionality is simple, they are quite good for beginners. Learn about them here.

    3. Metasploit/MSFvenom

    Is there anything Metasploit can’t create? Yes, you can create your own web shell with msfvenom. Learn how.

    4. C99 shell

    Peering into the Black Hat side, C99 shell or its variants are still being used by Black Hat Hackers in the real world. Learn more about C99 shell here.

    Beginners guide to shells in hacking

    Hello, aspiring ethical hackers. In this blogpost, you will learn about the most basic BUT most important concept in ethical hacking. What is it? What else, SHELLS. Shells in hacking or ethical hacking are a very important topic because any hack or pen test is not considered complete without acquiring a shell. But what exactly is a shell?

    What is a shell?

    In the world of computing, a shell is a program or a tool that provides users with an interface to interact with the operating system directly. A shell is not an alien concept to you, as you might have already used it at least once in your life no matter what operating system you use. If you are a Windows user, CMD and PowerShell are two examples of a shell.

    Linux users use a shell almost daily to perform each and every operation. You are familiar with it as "terminal". In Kali Linux, Z shell (zsh) is the default shell.

    There are other types of shells in Linux like Bourne again shell (BASH) etc.

    Now, you may ask what this has to do with ethical hacking. In ethical hacking, when a hacker or pen tester gains access to a machine, the first thing he tries to gain access to on the target system is a shell.

    Types of shells in hacking

    There are two types of shells in hacking and cyber security. They are Bind shell and Reverse shell.

    1. Bind shell

    A bind shell is a shell in which the connection is initiated by the attacker machine towards the target system. When a payload is executed on the target system, it opens a port to which the attacker system connects. Let us demonstrate this. To do this, we will be exploiting the ms08_067 vulnerability using Metasploit. Here, I will just focus on payloads, as we have already discussed the ms08_067 vulnerability in our previous blogpost. First, we set a bind_tcp payload with the LPORT option.

    This payload, when executed, opens port 4444 on the target system, to which our attacker system would connect.

    2. Reverse Shell

    In a reverse shell, the shell is initiated from the target system and connects to a listening port on the attacker system. This type of shell is generally used by hackers to bypass firewalls. Let's see an example. For this, I turn on the Firewall on the target system. When we try to use the same bind shell payload we used earlier, you can see that it fails to grab a shell.

    This is because the Firewall is dropping the packets. Let's try to exploit it with a reverse shell now.

    As you can see, this time we successfully got a shell.

    Beginners guide to Firewalls

    Hello, aspiring ethical hackers. In this blogpost, you will learn about Firewalls. A firewall is a software or a hardware device that acts as a wall between the internet and the internal networks or between any two networks. The main purpose of the firewall is to prevent malicious traffic from entering the internal network.

    Based on the delivery method, a firewall can be classified into three types. They are,

    1. Hardware
    2. Software
    3. Cloud based

    There are two types of firewalls based on the method of operation. They are, Host-based and Network based firewalls.

    1. A host-based firewall is software that is installed on a computer or network. Ex: Windows Firewall.
    2. A network based firewall is a software or hardware firewall that acts as a barrier for the entire network.

    Types of Firewalls

    Different types of firewalls use different methods of operation to block malicious traffic. Before you learn about how firewalls operate, let’s first see how network traffic travels from one computer to another computer.

    When one computer (let’s say computer A) sends data to another computer (let’s say computer B), the data is first split into different parts which are known as packets. These packets are sent to computer B. Before being transmitted, a header is added at the beginning of each packet. This header contains information like source IP address, destination IP address, source and destination ports, network ports etc. Once these packets reach computer B, they are reassembled. Now, let’s learn about the different types of firewalls.

    1. Circuit level gateway:

    The simplest type of firewall, it operates at the session layer of the OSI model. This type of firewall monitors TCP handshakes between two machines.

    Based on the configured settings of the firewall, it accepts or blocks traffic. Circuit level gateways don’t inspect the packets. So as long as there is a handshake, even malware laden requests are allowed.

    2. Packet filtering firewalls:

    As the name of the firewall says, this firewall inspects the packet’s header for information about source and destination IP address, port etc. It operates on the network layer of the OSI model. Note that it doesn’t inspect the actual payload.

    3. Stateful Inspection firewall:

    Stateful Inspection firewalls work on the network and transport layers of the OSI model. They use both TCP handshakes and packet filtering to detect malicious traffic. They specify traffic as malicious after observing the traffic for a particular period of time, which is known as state. Then they compare the network traffic to the observed state to classify traffic as malicious or not.

    4. Proxy firewall:

    A proxy firewall is mostly used to hide or mask the IP address of the client’s system or network. It operates at the application layer and checks both the header and the payload to classify traffic as malicious.

    5. Next Generation firewall:

    A next-generation firewall uses the features of all the above-mentioned firewalls to classify traffic as malicious or not.
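
The difference between a packet filtering firewall (type 2) and a stateful inspection firewall (type 3), as an added example that is not part of the original post. It is a simplified model: the addresses, the single published port and the rule that the stateless filter treats any packet with ACK set as a reply are assumptions.

```python
INSIDE = "10.0.0.5"      # constructed internal host
OPEN_PORTS = {443}       # assumed policy: only HTTPS is published inbound

def packet_filter(pkt):
    """Stateless: judges each packet by its header alone."""
    src, sport, dst, dport, flags = pkt
    if src == INSIDE:
        return "ACCEPT"                      # outbound traffic is allowed
    if dport in OPEN_PORTS:
        return "ACCEPT"
    # With no memory of sessions, a reply can only be guessed from the ACK flag.
    return "ACCEPT" if "ACK" in flags else "DROP"

class StatefulFirewall:
    """Tracks sessions, so an inbound packet is a reply only if it matches one."""

    def __init__(self):
        self.sessions = set()                # (inside_ip, inside_port, peer_ip, peer_port)

    def check(self, pkt):
        src, sport, dst, dport, flags = pkt
        if src == INSIDE:
            if flags == "SYN":               # remember sessions opened from inside
                self.sessions.add((src, sport, dst, dport))
            return "ACCEPT"
        if (dst, dport, src, sport) in self.sessions:
            return "ACCEPT"                  # belongs to a tracked session
        if flags == "SYN" and dport in OPEN_PORTS:
            self.sessions.add((dst, dport, src, sport))
            return "ACCEPT"                  # new session to a published service
        return "DROP"

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("10.0.0.5", 50000, "203.0.113.9", 443, "SYN"),      # inside host opens a session
    ("203.0.113.9", 443, "10.0.0.5", 50000, "SYN-ACK"),  # genuine reply
    ("198.51.100.7", 443, "10.0.0.5", 50001, "ACK"),     # unsolicited, claims to be a reply
    ("198.51.100.7", 40000, "10.0.0.5", 4444, "SYN"),    # unsolicited connection attempt
]

def verdicts():
    """Return (stateless, stateful) decisions for each constructed packet."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.check(p)) for p in PACKETS]

if __name__ == "__main__":
    for pkt, result in zip(PACKETS, verdicts()):
        print(pkt, result)
```

Only the stateful model drops the third packet, because no tracked session matches it. Both models accept the outbound packet in the first row without asking what opened it, which is why outbound rules need the same attention as inbound ones.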