<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-4046984248821087870</atom:id><lastBuildDate>Wed, 21 Oct 2009 07:20:52 +0000</lastBuildDate><title>Penetration Testing</title><description>Learn about "Ethical Hacking", attack analyzing and defending</description><link>http://haymanezzeldin.blogspot.com/</link><managingEditor>noreply@blogger.com (Hayman Ezzeldin)</managingEditor><generator>Blogger</generator><openSearch:totalResults>20</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/PenetrationTesting" type="application/rss+xml" /><feedburner:emailServiceId>PenetrationTesting</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Ffeeds.feedburner.com%2FPenetrationTesting" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2FPenetrationTesting" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Ffeeds.feedburner.com%2FPenetrationTesting" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with 
My AOL</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://feeds.feedburner.com/PenetrationTesting" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Ffeeds.feedburner.com%2FPenetrationTesting" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2FPenetrationTesting" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2FPenetrationTesting" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-6148531396893495778</guid><pubDate>Wed, 05 Mar 2008 11:44:00 +0000</pubDate><atom:updated>2008-03-05T13:21:40.630+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Labs</category><category domain="http://www.blogger.com/atom/ns#">4- Scanning</category><title>NMAP Detection and Countermeasures</title><description>Who is still enjoying the freedom? :)&lt;br /&gt;Good, it seems like my lessons didn’t work yet :)&lt;br /&gt;Just kidding. 
I want you always to be safe, you heard that?&lt;br /&gt;&lt;br /&gt;We dived into the scanning phase by learning &lt;a href="http://haymanezzeldin.blogspot.com/2008/02/scanning-using-nmap-part-1.html"&gt;nmap scans&lt;/a&gt; techniques, and today we’ll see how these scans can be detected using the filters on Wireshark and what the countermeasures are.&lt;br /&gt;&lt;br /&gt;For this article I created a lab with 2 PCs; 1 XP machine and 1 BackTrack beta 3.0&lt;br /&gt;I also ran Wireshark for 1 hour and 10 minutes capturing traffic; this traffic included Web browsing and NMAP Scans.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R86IDu5Zo0I/AAAAAAAABN0/CehvFuwPuPA/s1600-h/NMAP-LAB.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R86IDu5Zo0I/AAAAAAAABN0/CehvFuwPuPA/s320/NMAP-LAB.jpg" alt="" id="BLOGGER_PHOTO_ID_5174222619605050178" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R86ID-5Zo1I/AAAAAAAABN8/9KrRYot2sN8/s1600-h/Wireshark-nofilter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R86ID-5Zo1I/AAAAAAAABN8/9KrRYot2sN8/s320/Wireshark-nofilter.png" alt="" id="BLOGGER_PHOTO_ID_5174222623900017490" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you can see, Wireshark captured 213633 Packets in 4354 seconds. But on a real functional network these numbers are very humble; the real numbers will be scary. 
You have to try it yourself.&lt;br /&gt;&lt;br /&gt;So imagine with me that you put Wireshark on your network which consists of 50 PCs all connected to the Internet, all of them are online all of the time, and your network has been scanned by a bad guy, how can you check that using Wireshark (assuming you don’t have an Intrusion Detection installed and assuming you don’t know what type of scan the bad guy used)?&lt;br /&gt;&lt;br /&gt;Before we start, there are just 2 things I want to clarify:&lt;br /&gt;1- Each protocol has a number assigned to it, these numbers are assigned by an organization called &lt;a href="http://en.wikipedia.org/wiki/Internet_Assigned_Numbers_Authority"&gt;IANA (Internet Assigned Numbers Authority)&lt;/a&gt;, IANA is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.&lt;br /&gt;For example TCP is assigned the decimal number 6; UDP is assigned the decimal number 17, while IP is assigned the decimal number 4, and so on.&lt;br /&gt;For the whole list of the Assigned Internet Protocol Number, please visit the IANA website &lt;a href="http://www.iana.org/assignments/protocol-numbers"&gt;http://www.iana.org/assignments/protocol-numbers&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- Remember, in the &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/whois.html"&gt;Whois article&lt;/a&gt; we talked about the TCP flags, and that there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR&lt;br /&gt;These flags have decimal numbers as well assigned to them:&lt;br /&gt;FIN = 1&lt;br /&gt;SYN = 2&lt;br /&gt;RST = 4&lt;br /&gt;PSH = 8&lt;br /&gt;ACK = 16&lt;br /&gt;URG = 32&lt;br /&gt;ECE = 64&lt;br /&gt;CWR = 128&lt;br /&gt;&lt;br /&gt;So for example, if we want the SYN/ACK flag decimal value, we add 2 (which is the decimal value of the SYN flag) to 16 (which is the decimal value of the ACK flag), so the result would be 18.&lt;br /&gt;What about the XMAS scan? 
From the article “&lt;a href="http://haymanezzeldin.blogspot.com/2008/02/scanning-using-nmap-part-1.html"&gt;Scanning using Nmap - Part 1&lt;/a&gt;” we learned that the XMAS scan sets the FIN, PSH and URG flags, so if we add 1 + 8 + 32, then the decimal value of the flags is 41.&lt;br /&gt;&lt;br /&gt;Don’t worry about these numbers; we will understand them as soon as we start analyzing the traffic.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP Connect Scan (Plain Vanilla)&lt;/span&gt;&lt;br /&gt;“TCP Connect Scan” or “Plain Vanilla” attempts to complete the whole 3-Way handshake with each target host.&lt;br /&gt;The attacker sends a SYN to the target; if the target’s port is open it responds with a SYN/ACK, and then the attacker sends the last ACK and tears down the connection using the RST.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Threshold:&lt;/span&gt;&lt;br /&gt;It is very normal to see a lot of TCP 3-Way handshakes in your network’s traffic, but if this kind of traffic is explosive and the number of handshakes per second on the network is extremely high, then you have to investigate it and check the IP responsible for these scans.&lt;br /&gt;You are the only one who can specify this threshold, because you are the only one who knows your network’s traffic.&lt;br /&gt;&lt;br /&gt;Keep Wireshark running for a whole working day; this will give you an average idea about the traffic on your network, and I said average because one day the network users might be busy working :) so the traffic gets less, or the opposite.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Filter:&lt;/span&gt;&lt;br /&gt;The filter we are going to apply to check if a TCP Connect Scan occurred on our network is:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;ip.proto == 6 and tcp.flags == 18&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the 
TCP protocol, and we chose 18 for the tcp.flags because 18 represents the decimal value of the SYN/ACK flags.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP Connect Scan on Wireshark:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R86I5u5Zo2I/AAAAAAAABOE/CFkVlZ4qiOo/s1600-h/TCP-Connect-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R86I5u5Zo2I/AAAAAAAABOE/CFkVlZ4qiOo/s320/TCP-Connect-filter.png" alt="" id="BLOGGER_PHOTO_ID_5174223547317986146" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Because my lab is small compared to a real network, the filter is not so obvious, but as you can see, the target (192.168.2.64) sends responses back within 1 second to the attacker (192.168.2.68) telling him what ports are open.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP SYN Scan (Half Open)&lt;/span&gt;&lt;br /&gt;TCP SYN scan is a little bit stealthier than the previous scan, because it uses a different technique. The attacker sends a SYN to the target; if the target’s port is open it responds with a SYN/ACK, and then the attacker immediately tears down the connection using the RST.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Threshold:&lt;/span&gt;&lt;br /&gt;As we know, SYN Scan starts as the 3-Way handshake, but instead of completing the handshake, it terminates the connection with a RST flag. 
So this kind of traffic might appear to be normal, but you have to notice the number of Half Open connections: if the number of SYN packets is much greater than the number of SYN/ACK packets, then there is something wrong.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Filter:&lt;/span&gt;&lt;br /&gt;The filter we are going to apply to check if a TCP SYN Scan occurred on our network is:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;ip.proto == 6 and tcp.flags == 2&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 2 for the tcp.flags because 2 represents the decimal value of the SYN flag.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP SYN Scan on Wireshark:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R86JRO5Zo3I/AAAAAAAABOM/mOMnVDkhRVE/s1600-h/TCP-SYN-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R86JRO5Zo3I/AAAAAAAABOM/mOMnVDkhRVE/s320/TCP-SYN-filter.png" alt="" id="BLOGGER_PHOTO_ID_5174223951044911986" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of SYN packets in a very short time span; this for sure indicates a SYN Scan.&lt;br /&gt;&lt;br /&gt;Let’s compare the number of SYN flagged packets to the SYN/ACK flagged ones.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R86Kcu5Zo4I/AAAAAAAABOU/xZu1jC7nExA/s1600-h/SYN-Filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R86Kcu5Zo4I/AAAAAAAABOU/xZu1jC7nExA/s320/SYN-Filter.png" alt="" id="BLOGGER_PHOTO_ID_5174225248125035394" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R86Kc-5Zo5I/AAAAAAAABOc/yepwTMVlL_Q/s1600-h/SYNACK-Filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R86Kc-5Zo5I/AAAAAAAABOc/yepwTMVlL_Q/s320/SYNACK-Filter.png" alt="" id="BLOGGER_PHOTO_ID_5174225252420002706" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Wow, did you see that? When I applied the SYN flag filter, Wireshark displayed 63018 packets.&lt;br /&gt;When I applied the SYN/ACK flag filter, however, Wireshark displayed 542 packets. There is a huge difference between both numbers; this difference indicates the huge amount of Half Open connections.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;TCP FIN Scan&lt;/span&gt;&lt;br /&gt;The FIN Scan breaks the rule of TCP connection establishment because it sends an unexpected packet at the start of the connection, which is the FIN flag.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Threshold:&lt;/span&gt;&lt;br /&gt;FIN flags are part of any communication between 2 hosts, because this communication has to be ended at some moment, but if you see an explosive number of FIN flagged packets without a previously established connection, then take care of that.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Filter:&lt;/span&gt;&lt;br /&gt;The filter we are going to apply to check if a TCP FIN Scan occurred on our network is:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;ip.proto == 6 and tcp.flags == 1&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 1 for the tcp.flags because 1 represents the decimal value of the FIN flag.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;TCP FIN Scan on Wireshark:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://bp0.blogger.com/_hJ8mrxrtvaI/R86K6-5Zo6I/AAAAAAAABOk/CqvMK4qb1H8/s1600-h/TCP-FIN-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R86K6-5Zo6I/AAAAAAAABOk/CqvMK4qb1H8/s320/TCP-FIN-filter.png" alt="" id="BLOGGER_PHOTO_ID_5174225767816078242" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of FIN packets in a very short time span; this for sure indicates a FIN Scan.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP XMAS Scan&lt;/span&gt;&lt;br /&gt;The XMAS Scan breaks the rule of TCP connection establishment because it sends an unexpected packet at the start of the connection, by setting the FIN, PSH and URG flags.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Threshold:&lt;/span&gt;&lt;br /&gt;XMAS packets should never be seen on your network, so if you see a single XMAS flagged packet, then someone is scanning your network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Filter:&lt;/span&gt;&lt;br /&gt;The filter we are going to apply to check if a TCP XMAS Scan occurred on our network is:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;ip.proto == 6 and tcp.flags == 41&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 41 for the tcp.flags because 41 represents the decimal value of the (FIN + PSH + URG) flags.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP XMAS Scan on Wireshark:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R86LRe5Zo7I/AAAAAAAABOs/j0Cs-AQfsYc/s1600-h/TCP-XMAS-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R86LRe5Zo7I/AAAAAAAABOs/j0Cs-AQfsYc/s320/TCP-XMAS-filter.png" alt="" 
id="BLOGGER_PHOTO_ID_5174226154363134898" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As we said, you should never ever see an XMAS packet on your network for any reason, and as you can see in the picture the attacker 192.168.2.64 is doing an XMAS Scan against 192.168.2.68.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP NULL Scan&lt;/span&gt;&lt;br /&gt;The NULL Scan breaks the rule of TCP connection establishment because it sends an unexpected packet at the start of the connection, by clearing all flags in the packet.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;Threshold:&lt;/span&gt;&lt;br /&gt;NULL packets should never be seen on your network, so if you see a single NULL flagged packet, then someone is scanning your network.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;Filter:&lt;/span&gt;&lt;br /&gt;The filter we are going to apply to check if a TCP NULL Scan occurred on our network is:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;ip.proto == 6 and tcp.flags == 0&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 0 for the tcp.flags because 0 means that all flags are cleared.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP NULL Scan on Wireshark:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R86LkO5Zo8I/AAAAAAAABO0/D1WEIR7Xjdo/s1600-h/TCP-NULL-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R86LkO5Zo8I/AAAAAAAABO0/D1WEIR7Xjdo/s320/TCP-NULL-filter.png" alt="" id="BLOGGER_PHOTO_ID_5174226476485682114" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As we said, you should never ever see a NULL packet on your network for any reason, and as you can see in the picture the attacker 192.168.2.64 is doing a NULL Scan against 
192.168.2.68.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP ACK Scan &lt;/span&gt;&lt;br /&gt;The idea behind the TCP ACK scan is very simple and very smart; I will give you an analogy to get how it is working.&lt;br /&gt;We don’t know each other, right?&lt;br /&gt;Imagine I met you once in the street, and suddenly I went to you and said “hey man, where have you been all of this time? Not even a single mail, shame on you?” :)&lt;br /&gt;What will you think? You will say “This man knows me for sure, but probably I don’t remember him”, and then you will start answering me “Oh, I’m fine, and sorry for not sending you mails but I was very busy the last few weeks. I got a baby and…” and you will start talking friendly.&lt;br /&gt;&lt;br /&gt;TCP ACK Scan almost works the same, it sends an ACK to the target’s ports, the target will think “it seems like I started a connection with this computer before, let’s answer him”&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Threshold:&lt;/span&gt;&lt;br /&gt;As we know, ACK is the last packet in the 3-Way handshake, thus seeing ACK packet on the network is normal, but if you see an extreme high number of them, then an ACK scan is occurring.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Filter:&lt;/span&gt;&lt;br /&gt;The filter we are going to apply to check if a TCP SYN Scan occurred on our network is:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;ip.proto == 6 and tcp.flags == 16&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We chose 6 for the ip.proto because this is the Assigned Internet Protocol Number for the TCP protocol, and we chose 16 for the tcp.flags because 16 represents the decimal value of the ACK flag.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;TCP ACK Scan on Wireshark:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://bp3.blogger.com/_hJ8mrxrtvaI/R86MDu5Zo-I/AAAAAAAABPE/zfrkbFcBatk/s1600-h/TCP-ACK-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R86MDu5Zo-I/AAAAAAAABPE/zfrkbFcBatk/s320/TCP-ACK-filter.png" alt="" id="BLOGGER_PHOTO_ID_5174227017651561442" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of ACK packets in a very short time span; this for sure indicates an ACK Scan.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;UDP Scan &lt;/span&gt;&lt;br /&gt;Because UDP is simpler than TCP (no 3-Way handshake, no flags, no sequence numbers), the UDP scan is very simple.&lt;br /&gt;The attacker sends a UDP packet to each port on the target. There are 3 possible responses: an ICMP Port Unreachable (which indicates a closed port), no response (which means the port might be open or filtered by a firewall), or a UDP response.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Threshold:&lt;/span&gt;&lt;br /&gt;These packets are not supposed to be seen on the network, so whenever you see them, they mean something bad.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Filter:&lt;/span&gt;&lt;br /&gt;The filter we are going to apply to check if a UDP Scan occurred on our network is:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;ip.proto == 17 and ip.len == 28&lt;/span&gt;&lt;br /&gt;Or you can change the equal sign to “Greater Than”; the reason is that some scans can add junk data after the UDP header, instead of sending an IP datagram with no data.&lt;br /&gt;&lt;br /&gt;We chose 17 for the ip.proto because this is the Assigned Internet Protocol Number for the UDP protocol, and an IP Total Length (which specifies the length, in bytes, of the entire IP packet, including the data and header) equal to or greater than 28, and we chose 28 because the length of the IP header is 20 bytes and the 
length of the UDP header is 8 bytes, so 20+8=28.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;UDP Scan on Wireshark:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R86Mb-5Zo_I/AAAAAAAABPM/-dFG_jK_Gfs/s1600-h/TCP-UDPeq-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R86Mb-5Zo_I/AAAAAAAABPM/-dFG_jK_Gfs/s320/TCP-UDPeq-filter.png" alt="" id="BLOGGER_PHOTO_ID_5174227434263389170" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R86McO5ZpAI/AAAAAAAABPU/Mo0trWtLOrM/s1600-h/TCP-UDPgt-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R86McO5ZpAI/AAAAAAAABPU/Mo0trWtLOrM/s320/TCP-UDPgt-filter.png" alt="" id="BLOGGER_PHOTO_ID_5174227438558356482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The attacker here is 192.168.2.64, and he is sending the target 192.168.2.68 a lot of UDP packets in a very short time span; this for sure indicates a UDP Scan.&lt;br /&gt;And the target 192.168.2.68 kept responding with an ICMP message “Destination Unreachable – Port Unreachable”, which indicates a closed port.&lt;br /&gt;&lt;br /&gt;After we learned how to detect a Scan, we have to know how we can defend against or avoid these kinds of attacks.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Port Scanning Countermeasures:&lt;/span&gt;&lt;br /&gt;1- The first and most obvious countermeasure is to close all of the unwanted ports. Most administrators (whether Sysadmins or Netadmins) install with the default settings; this type of installation is popular because it’s the easiest: why should I bother myself by trying to find the open ports? How do I close these ports? What if closing a port causes me problems with the big boss because something suddenly stopped? 
And a lot of these excuses.&lt;br /&gt;&lt;br /&gt;First, we have to detect the open ports, and to do that:&lt;br /&gt;For Windows users, I like to use &lt;a href="http://www.foundstone.com/us/resources/proddesc/fport.htm"&gt;Fport &lt;/a&gt;(ex Foundstone, McAfee recently) and &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx"&gt;TCPview &lt;/a&gt;(ex Sysinternals, Microsoft recently)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R86M5u5ZpBI/AAAAAAAABPc/ofQNi7I7ceU/s1600-h/Fport.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R86M5u5ZpBI/AAAAAAAABPc/ofQNi7I7ceU/s320/Fport.png" alt="" id="BLOGGER_PHOTO_ID_5174227945364497426" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For Linux users, I like the command line tool &lt;span style="font-style: italic;font-family:courier new;" &gt;lsof &lt;/span&gt;“List Open Files”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R86NEO5ZpCI/AAAAAAAABPk/CSPIPhGaHoY/s1600-h/lsof.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R86NEO5ZpCI/AAAAAAAABPk/CSPIPhGaHoY/s320/lsof.png" alt="" id="BLOGGER_PHOTO_ID_5174228125753123874" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;After finding the unwanted ports, now it’s time to close the process which is using each port (if the process or service is not needed).&lt;br /&gt;On Windows, you can use &lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896683.aspx"&gt;Pskill &lt;/a&gt;(ex Sysinternals, Microsoft recently), the command line &lt;span style="font-style: italic;font-family:courier new;" &gt;kill &lt;/span&gt;or &lt;span style="font-style: italic;font-family:courier new;" &gt;taskkill&lt;/span&gt;, or use the “Services” management console from the “Administrative Tools” in the “Control Panel”&lt;br /&gt;On 
Linux, you can use the &lt;span style="font-style: italic;font-family:courier new;" &gt;kill &lt;/span&gt;command line with the specified PID (Process ID); this command line is exactly like the Windows taskkill command, used to kill the chosen process till the next restart.&lt;br /&gt;If you want to close the process permanently, then use the “Services” management console on Windows or edit /etc/xinetd.d/[service] on Linux and include this line &lt;span style="font-style: italic;font-family:courier new;" &gt;disable = yes&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R86Nd-5ZpDI/AAAAAAAABPs/EGh_NsYAYAI/s1600-h/kill-process-temp.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R86Nd-5ZpDI/AAAAAAAABPs/EGh_NsYAYAI/s320/kill-process-temp.png" alt="" id="BLOGGER_PHOTO_ID_5174228568134755378" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R86NeO5ZpEI/AAAAAAAABP0/JqtSK__JHcI/s1600-h/kill-process-perm.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R86NeO5ZpEI/AAAAAAAABP0/JqtSK__JHcI/s320/kill-process-perm.png" alt="" id="BLOGGER_PHOTO_ID_5174228572429722690" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- The second way that will help you defend yourself is to attack yourself before the hacker does. 
What I mean here is to try using the scanning tools yourself against your network, this way you will be able to see in reality how your network is reacting towards attacks.&lt;br /&gt;BUT, 2 things you have to notice before doing that:&lt;br /&gt;The first is to make sure that you have an approval for doing that, your boss might not be as kind as my boss :)&lt;br /&gt;The second thing to notice, is that scanning tools are creating extra traffic on your network, because they are sending and receiving packets, this will eat from your traffic bandwidth, thus slowing down your network performance. So for that, just monitor your network performance while you are scanning.&lt;br /&gt;&lt;br /&gt;3- Use Stateful Packet filter and Proxy devices&lt;br /&gt;Normally, there are 3 types of filtering devices: Static Packet filter, Stateful Packet filter, and Proxy.&lt;br /&gt;The Static Packet firewalls (such as Cisco Routers) are used to block simple traffic depending on simple filters, such as filtering according to the IP address.&lt;br /&gt;&lt;br /&gt;While Stateful (such as Cisco PIX Firewall and Checkpoint Firewall) and Proxies keep records of earlier packets, for example if I’m sending you an ACK flagged packet, the Stateful filter device will check the records of the already-opened connections, if it finds that the ACK packet doesn’t belong to a previous communication, then this packet will be dropped.&lt;br /&gt;&lt;br /&gt;I hope that you are still enjoying our long journey in Penetration Testing.&lt;br /&gt;Till next article&lt;br /&gt;Take care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-6148531396893495778?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=FysShZ68YQw:ZdHE5cp0-2A:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=FysShZ68YQw:ZdHE5cp0-2A:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/FysShZ68YQw" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/FysShZ68YQw/nmap-detection-and-countermeasures.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp3.blogger.com/_hJ8mrxrtvaI/R86IDu5Zo0I/AAAAAAAABN0/CehvFuwPuPA/s72-c/NMAP-LAB.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/03/nmap-detection-and-countermeasures.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-5578186045651946715</guid><pubDate>Wed, 27 Feb 2008 06:37:00 +0000</pubDate><atom:updated>2008-02-27T07:38:47.758+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Labs</category><title>Installing VMware Server on Linux</title><description>For the Linux lovers – whom I belong to :)&lt;br /&gt;It’s our turn today to learn the steps for installing VMware Server on a Linux OS&lt;br /&gt;&lt;br /&gt;Note: I’m going to copy parts from my previous article “&lt;a href="http://haymanezzeldin.blogspot.com/2008/02/installing-vmware-server-on-windows.html"&gt;Installing VMware Server on Windows&lt;/a&gt;”; it’s the parts that should be common&lt;br /&gt;&lt;br /&gt;Because we don’t want to be sent to jail, or lose our jobs – because you might get the idea of testing your knowledge against live networks, right? 
:) And because we want to practice our hacking techniques, so we have to start with creating a VIRTUAL lab :)&lt;br /&gt;&lt;br /&gt;First we’ll create a virtual machine using VMware Server, which is free software that can be downloaded from here &lt;a href="http://www.vmware.com/download/server/"&gt;http://www.vmware.com/download/server/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A virtual machine is a simulated computer that runs on a real physical computer but acts as if it is a separate computer, so you can have your PC or laptop that has one of the Linux distributions installed and at the same time you can run various Operating systems without the need to format or dual boot.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-wbEaLNjI/AAAAAAAABHM/8zBjHFF74XE/s1600-h/VMware.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-wbEaLNjI/AAAAAAAABHM/8zBjHFF74XE/s320/VMware.png" alt="" id="BLOGGER_PHOTO_ID_5170044876331103794" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here for example, my computer is running Windows, but I was able by using VMware to create a Virtual Machine that has various operating systems installed like Apple, Solaris, and Linux…&lt;br /&gt;Almost any operating system can be installed&lt;br /&gt;&lt;br /&gt;In this lab we will learn how to install VMware server on a &lt;a href="http://fedoraproject.org/"&gt;Linux Fedora&lt;/a&gt; Core 8, which is the latest version at the moment of typing :)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Prerequisites:&lt;/span&gt;&lt;br /&gt;But before we start downloading and installing VMware, there are some prerequisites needed:&lt;br /&gt;1- Development Libraries&lt;br /&gt;2- Development Tools&lt;br /&gt;3- Kernel-Devel&lt;br /&gt;4- Xinetd&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://bp1.blogger.com/_hJ8mrxrtvaI/R8KPUkaLOAI/AAAAAAAABK0/e6hkmBTf6wY/s1600-h/AddRemove.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R8KPUkaLOAI/AAAAAAAABK0/e6hkmBTf6wY/s320/AddRemove.png" alt="" id="BLOGGER_PHOTO_ID_5170852905708369922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1- The 4 packages needed can be installed in one step through “Add/Remove Software”, but I will do it in more steps using both “Add/Remove Software” and the “Terminal” (for the Terminal lovers) :)&lt;br /&gt;Go to “Applications”, and then from the menu choose “Add/Remove Software”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KPrEaLOBI/AAAAAAAABK8/5N5ZZvbhJFY/s1600-h/PassPrompt.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KPrEaLOBI/AAAAAAAABK8/5N5ZZvbhJFY/s320/PassPrompt.png" alt="" id="BLOGGER_PHOTO_ID_5170853292255426578" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- To install these packages you need to have ROOT privileges (it’s like ADMINISTRATOR for Windows users)&lt;br /&gt;So, if you are logged in as a normal user, you will be prompted to enter the “root” password, but if you are already logged in as “root” then you will go directly to the “Package Manager”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KP-EaLOCI/AAAAAAAABLE/GTu0WeJ8L7M/s1600-h/PackageMGR.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KP-EaLOCI/AAAAAAAABLE/GTu0WeJ8L7M/s320/PackageMGR.png" alt="" id="BLOGGER_PHOTO_ID_5170853618672941090" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3- In the “Package Manager”, from the “Browse” tab, highlight “Development” and choose from the listed packages:&lt;br /&gt;a- Development Libraries&lt;br /&gt;b- Development Tools&lt;br /&gt;&lt;br 
/&gt;These development packages are required because we’ll need to compile a few pieces of the VMware Server package.&lt;br /&gt;Click “Apply” to complete installing the packages.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;4- To install Kernel-Devel and Xinetd, we need to open a Terminal and type the following commands&lt;br /&gt;a- &lt;span style="font-style: italic; font-family: courier new;"&gt;su&lt;/span&gt; &lt;span style="color: rgb(255, 0, 0);"&gt;(This su command is required if you are logged in as a normal user and not as root; you will be prompted afterwards to enter the “root” password)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KSnUaLODI/AAAAAAAABLM/Ol1ssT-BS8E/s1600-h/su.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KSnUaLODI/AAAAAAAABLM/Ol1ssT-BS8E/s320/su.png" alt="" id="BLOGGER_PHOTO_ID_5170856526365800498" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;b- &lt;span style="font-style: italic;font-family:courier new;"&gt;yum install kernel-devel&lt;/span&gt; &lt;span style="color: rgb(255, 0, 0);"&gt;(“yum” is an automatic updater and package installer, and it stands for “Yellowdog Updater Modified”)&lt;/span&gt;&lt;br /&gt;Kernel-devel is required because it provides the C language headers matching the running kernel, which are needed to compile a few pieces of the VMware Server package (its kernel modules)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R8KSnkaLOEI/AAAAAAAABLU/Jm4dgaQU674/s1600-h/Kernel.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R8KSnkaLOEI/AAAAAAAABLU/Jm4dgaQU674/s320/Kernel.png" alt="" id="BLOGGER_PHOTO_ID_5170856530660767810" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;c- &lt;span style="font-style: italic;font-family:courier new;"&gt;yum install xinetd&lt;/span&gt; &lt;span style="color: 
rgb(255, 0, 0);"&gt;(“xinetd” is an eXtended Internet service Daemon, and it’s needed to be able to deal with running network services)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R8KSnkaLOFI/AAAAAAAABLc/k9jck63dtvs/s1600-h/Xinetd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R8KSnkaLOFI/AAAAAAAABLc/k9jck63dtvs/s320/Xinetd.png" alt="" id="BLOGGER_PHOTO_ID_5170856530660767826" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now we are ready for starting the VMware server installation process.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-xCEaLNkI/AAAAAAAABHU/ufoiwLJD4e4/s1600-h/Screen01.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-xCEaLNkI/AAAAAAAABHU/ufoiwLJD4e4/s320/Screen01.png" alt="" id="BLOGGER_PHOTO_ID_5170045546346001986" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1- On the &lt;a href="http://www.vmware.com/download/server/"&gt;Download page of VMware Server&lt;/a&gt;, click the “Download Now” button, this will take you to the “End User License Agreement” or EULA.&lt;br /&gt;EULA is very important to read because it gives you a general idea about the software you are about to download or install, it also includes your rights and your responsibilities; it tells what you are allowed to do with this piece of software and what you are not allowed to do.&lt;br /&gt;And I’m sorry, but if you want to download or install VMware Server on your machine, then you have to accept the EULA (Take it or leave it)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KTa0aLOGI/AAAAAAAABLk/28bnzgMQR7w/s1600-h/Screen02.png"&gt;&lt;img style="cursor: pointer;" 
src="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KTa0aLOGI/AAAAAAAABLk/28bnzgMQR7w/s320/Screen02.png" alt="" id="BLOGGER_PHOTO_ID_5170857411129063522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- At the bottom of the EULA page, you will see 2 buttons; “Yes” and “No”, to be taken to the download links you have to click the “Yes” button&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KTq0aLOHI/AAAAAAAABLs/6UZAVcwPuiE/s1600-h/Screen03.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KTq0aLOHI/AAAAAAAABLs/6UZAVcwPuiE/s320/Screen03.png" alt="" id="BLOGGER_PHOTO_ID_5170857686006970482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3- We can see 2 binaries for the Linux OS; “.tar.gz” and “.rpm”&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Tar_%28file_format%29"&gt;TAR &lt;/a&gt;stands for “Tape Archive”, &lt;a href="http://en.wikipedia.org/wiki/Gzip"&gt;GZ &lt;/a&gt;stands for “GNU Zip”, while &lt;a href="http://en.wikipedia.org/wiki/RPM_Package_Manager"&gt;RPM &lt;/a&gt;stands for “Redhat Package Manager”&lt;br /&gt;Both the “tar gz” and the “rpm” are package management systems for Linux, windows users can consider it as a zipped exe (it’s not exactly like that, but it’s the closest to make it clear for windows users)&lt;br /&gt;&lt;br /&gt;I’m going to choose the “.tar.gz”, because this is compatible with all Linux distros and Unix OS&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KUEUaLOII/AAAAAAAABL0/7zyd4-ZHk2M/s1600-h/Screen04.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KUEUaLOII/AAAAAAAABL0/7zyd4-ZHk2M/s320/Screen04.png" alt="" id="BLOGGER_PHOTO_ID_5170858124093634690" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4- You will be prompted for the download location, save the file wherever you 
like.&lt;br /&gt;&lt;br /&gt;5- Type the following commands:&lt;br /&gt;a- &lt;span style="font-style: italic;font-family:courier new;"&gt;su&lt;/span&gt;&lt;br /&gt;b- &lt;span style="font-style: italic;font-family:courier new;"&gt;tar xvfz ‘xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx’&lt;/span&gt; &lt;span style="color: rgb(255, 0, 0);"&gt;(Where the multi X line represents the path of the “.tar.gz” file)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;tar&lt;/span&gt; is the command used to create or extract archives&lt;br /&gt;The &lt;span style="font-style: italic;font-family:courier new;"&gt;x&lt;/span&gt; option means “extract”&lt;br /&gt;The &lt;span style="font-style: italic;font-family:courier new;"&gt;v&lt;/span&gt; option is for verbose output; it prints the name of each file as it is extracted&lt;br /&gt;The &lt;span style="font-style: italic;"&gt;&lt;span style="font-family:courier new;"&gt;f&lt;/span&gt; &lt;/span&gt;option specifies the name of the archive file&lt;br /&gt;The &lt;span style="font-style: italic;font-family:courier new;"&gt;z&lt;/span&gt; option tells tar that the archive is gzip-compressed&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KUSUaLOJI/AAAAAAAABL8/Y7id1nULJEE/s1600-h/Screen05.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KUSUaLOJI/AAAAAAAABL8/Y7id1nULJEE/s320/Screen05.png" alt="" id="BLOGGER_PHOTO_ID_5170858364611803282" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;c- &lt;span style="font-style: italic;font-family:courier new;"&gt;ls&lt;/span&gt; &lt;span style="color: rgb(255, 0, 0);"&gt;(this command just lists the contents of a directory; I typed it to check the name of the extracted folder)&lt;/span&gt;&lt;br /&gt;d- &lt;span style="font-style: italic;font-family:courier new;"&gt;cd vmware-server-distrib&lt;/span&gt; &lt;span style="color: rgb(255, 0, 0);"&gt;(cd stands for “Change 
Directory”)&lt;/span&gt;&lt;br /&gt;e- &lt;span style="font-style: italic;font-family:courier new;"&gt;ls&lt;/span&gt;&lt;br /&gt;f- &lt;span style="font-style: italic;font-family:courier new;"&gt;./vmware-install.pl&lt;/span&gt; &lt;span style="color: rgb(255, 0, 0);"&gt;(this is the command that will start the VMware Server installation)&lt;/span&gt;&lt;br /&gt;The installer will ask a lot of questions; always accept the defaults by hitting the “Enter” button.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KV80aLOKI/AAAAAAAABME/VOPBCplz0vw/s1600-h/Screen06.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KV80aLOKI/AAAAAAAABME/VOPBCplz0vw/s320/Screen06.png" alt="" id="BLOGGER_PHOTO_ID_5170860194267871394" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Because at this moment VMware Server is not ready for the latest Linux kernel (the kernel I’m doing my lab on is 2.6.1-42.fc8), you might get this error when it comes to the part of building the vmmon module:&lt;br /&gt;“Unable to build the vmmon module”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KWK0aLOLI/AAAAAAAABMM/SAO2LoGSaow/s1600-h/Screen07.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KWK0aLOLI/AAAAAAAABMM/SAO2LoGSaow/s320/Screen07.png" alt="" id="BLOGGER_PHOTO_ID_5170860434786039986" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now, we need to solve this problem by installing a patch file.&lt;br /&gt;&lt;br /&gt;6- The patch file is called vmware-any-any-updatexxx, where xxx is 115 at the moment. 
This file can be downloaded from &lt;a href="http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update115.tar.gz"&gt;http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update115.tar.gz&lt;/a&gt;&lt;br /&gt;The command used is:&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="font-style: italic;"&gt;wget http://knihovny.cvut.cz/ftp/pub/vmware/vmware-any-any-update115.tar.gz&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KWwUaLOMI/AAAAAAAABMU/688AQZRcATw/s1600-h/Screen08.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KWwUaLOMI/AAAAAAAABMU/688AQZRcATw/s320/Screen08.png" alt="" id="BLOGGER_PHOTO_ID_5170861079031134402" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;7- We’ll use the tar command to extract the compressed archive&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;"&gt;tar xvfz vmware-any-any-update115.tar.gz&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KXi0aLONI/AAAAAAAABMc/t08mY4FqLkQ/s1600-h/Screen09.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KXi0aLONI/AAAAAAAABMc/t08mY4FqLkQ/s320/Screen09.png" alt="" id="BLOGGER_PHOTO_ID_5170861946614528210" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;8- Change directory into vmware-any-any-update115 and run runme.pl&lt;br /&gt;a- &lt;span style="font-style: italic;font-family:courier new;"&gt;cd vmware-any-any-update115&lt;/span&gt;&lt;br /&gt;b- &lt;span style="font-style: italic;font-family:courier new;"&gt;./runme.pl&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KYK0aLOOI/AAAAAAAABMk/f5j5UCV-sdg/s1600-h/Screen10.png"&gt;&lt;img style="cursor: 
pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KYK0aLOOI/AAAAAAAABMk/f5j5UCV-sdg/s320/Screen10.png" alt="" id="BLOGGER_PHOTO_ID_5170862633809295586" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The patch will start updating the incompatible VMware modules.&lt;br /&gt;Then it will resume the VMware Server installation that failed before. You will get a lot of questions; all you have to do is accept the defaults by hitting the “Enter” button&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KYcEaLOPI/AAAAAAAABMs/kP7DZ5Nu6j8/s1600-h/Screen11.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KYcEaLOPI/AAAAAAAABMs/kP7DZ5Nu6j8/s320/Screen11.png" alt="" id="BLOGGER_PHOTO_ID_5170862930162039026" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KY-UaLOQI/AAAAAAAABM0/TBtyzykd1qs/s1600-h/Screen12.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KY-UaLOQI/AAAAAAAABM0/TBtyzykd1qs/s320/Screen12.png" alt="" id="BLOGGER_PHOTO_ID_5170863518572558594" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KY-UaLORI/AAAAAAAABM8/do_1FwBRq_c/s1600-h/Screen13.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KY-UaLORI/AAAAAAAABM8/do_1FwBRq_c/s320/Screen13.png" alt="" id="BLOGGER_PHOTO_ID_5170863518572558610" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KY-0aLOSI/AAAAAAAABNE/SXrkuPvfftA/s1600-h/Screen14.png"&gt;&lt;img style="cursor: pointer;" 
src="http://bp2.blogger.com/_hJ8mrxrtvaI/R8KY-0aLOSI/AAAAAAAABNE/SXrkuPvfftA/s320/Screen14.png" alt="" id="BLOGGER_PHOTO_ID_5170863527162493218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KY_EaLOTI/AAAAAAAABNM/QoiS9syptoc/s1600-h/Screen15.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KY_EaLOTI/AAAAAAAABNM/QoiS9syptoc/s320/Screen15.png" alt="" id="BLOGGER_PHOTO_ID_5170863531457460530" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KY_EaLOUI/AAAAAAAABNU/yxwd8iaFwLk/s1600-h/Screen16.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KY_EaLOUI/AAAAAAAABNU/yxwd8iaFwLk/s320/Screen16.png" alt="" id="BLOGGER_PHOTO_ID_5170863531457460546" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now we are done successfully :) and VMware is installed successfully as well.&lt;br /&gt;To start your VMware console, go to “Applications”, “Other”, and from the submenu select “VMware Server Console”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KaMEaLOVI/AAAAAAAABNc/_lXyv77mqug/s1600-h/Screen17.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KaMEaLOVI/AAAAAAAABNc/_lXyv77mqug/s320/Screen17.png" alt="" id="BLOGGER_PHOTO_ID_5170864854307387730" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KaMEaLOWI/AAAAAAAABNk/U3o99bwPXxo/s1600-h/Screen18.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R8KaMEaLOWI/AAAAAAAABNk/U3o99bwPXxo/s320/Screen18.png" alt="" id="BLOGGER_PHOTO_ID_5170864854307387746" 
border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KaMUaLOXI/AAAAAAAABNs/mWQqWkPcAuE/s1600-h/Screen19.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R8KaMUaLOXI/AAAAAAAABNs/mWQqWkPcAuE/s320/Screen19.png" alt="" id="BLOGGER_PHOTO_ID_5170864858602355058" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And to start creating your first virtual machine, all you have to do is to read another article :)&lt;br /&gt;The article is “&lt;a href="http://haymanezzeldin.blogspot.com/2008/02/creating-first-virtual-machine.html"&gt;Creating you first virtual machine&lt;/a&gt;”&lt;br /&gt;&lt;br /&gt;I hope I made the steps in an easy way that everyone can follow, and please if you have any recommendations or comments don’t hesitate to contact me.&lt;br /&gt;Also don’t forget to update us all if anything is changed :)&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Take care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-5578186045651946715?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=VtR98El8f8A:tufqI5pM_Vs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=VtR98El8f8A:tufqI5pM_Vs:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/VtR98El8f8A" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/VtR98El8f8A/installing-vmware-server-on-linux.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-wbEaLNjI/AAAAAAAABHM/8zBjHFF74XE/s72-c/VMware.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/installing-vmware-server-on-linux.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-6633962733308733518</guid><pubDate>Sat, 23 Feb 2008 07:35:00 +0000</pubDate><atom:updated>2008-02-23T09:05:27.730+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Labs</category><title>Creating the first virtual machine</title><description>By &lt;a href="http://haymanezzeldin.blogspot.com/2008/02/installing-vmware-server-on-windows.html"&gt;installing VMware&lt;/a&gt;, we are finished with the first step. Our second step is to create our first virtual machine in our lab. The choice of the operating system depends on you and the way you want to design your lab, and the steps to create a virtual machine are the same for every operating system.&lt;br /&gt;&lt;br /&gt;For our blog’s lab, this will vary according to the attack we are practicing. 
For example, in &lt;a href="http://haymanezzeldin.blogspot.com/2008/02/scanning-using-nmap-part-2.html"&gt;Scanning using Nmap - Part 2&lt;/a&gt;, we discussed a scanning technique called “Idle Scan”; for this scan we needed 3 machines: Attacker, Target, and a Zombie&lt;br /&gt;You can choose to have the 3 machines with Windows OS or Linux or whatever operating system you feel comfortable with; you can even make a mix of operating systems; 1 Windows, 1 Linux, 1 Live CD…&lt;br /&gt;It’s all your choice.&lt;br /&gt;&lt;br /&gt;Now, to the steps of creating our first machine in our lab.&lt;br /&gt;After installing VMware on your computer, you should see this icon on your desktop&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_NBEaLNxI/AAAAAAAABI8/vXigOsXgGt4/s1600-h/Icon.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_NBEaLNxI/AAAAAAAABI8/vXigOsXgGt4/s320/Icon.png" alt="" id="BLOGGER_PHOTO_ID_5170076315491710738" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1- Double click this icon to start your “VMware Server Console”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7_NMUaLNyI/AAAAAAAABJE/WgyoMduxuws/s1600-h/Screen01.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7_NMUaLNyI/AAAAAAAABJE/WgyoMduxuws/s320/Screen01.png" alt="" id="BLOGGER_PHOTO_ID_5170076508765239074" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- The first screen asks whether you want to use the VMware Server that is installed locally, or connect remotely to one installed on another computer.&lt;br /&gt;Because this is our first and the only VMware Server that we will need and use, we will keep the default “Local host” radio button and click “OK”&lt;br 
/&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_NYEaLNzI/AAAAAAAABJM/wQsm24NG3xY/s1600-h/Screen02.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_NYEaLNzI/AAAAAAAABJM/wQsm24NG3xY/s320/Screen02.png" alt="" id="BLOGGER_PHOTO_ID_5170076710628702002" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3- This is the main window which you will see all the time when you are dealing with your virtual machines.&lt;br /&gt;For creating any new machines, we have to click the “New Virtual machine” link, this will lead you to the “New Virtual machine Wizard”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_NmEaLN0I/AAAAAAAABJU/IkHGaUHMh2Y/s1600-h/Screen03.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_NmEaLN0I/AAAAAAAABJU/IkHGaUHMh2Y/s320/Screen03.png" alt="" id="BLOGGER_PHOTO_ID_5170076951146870594" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4- Click “Next &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7_NxkaLN1I/AAAAAAAABJc/BZWbmO8yRyc/s1600-h/Screen04.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7_NxkaLN1I/AAAAAAAABJc/BZWbmO8yRyc/s320/Screen04.png" alt="" id="BLOGGER_PHOTO_ID_5170077148715366226" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;5- Now we are going to configure the virtual machine we want to create, there are 2 options here; “Typical” and “Custom”&lt;br /&gt;With “Typical” configuration, you are going to create a machine with the default components (such as a Floppy Disk, Hard Disk, Network Card, 1 Processor…), while with “Custom” configuration you create your machine with additional devices and settings according to your needs (such as number of processors required, 
size of memory, type of hard disk IDE or SCSI…)&lt;br /&gt;By the way, all of these settings can be changed later. For example, if you created a machine using the “Typical” configuration, you can still change the number of processors, the amount of memory, the type of hard disk… Everything.&lt;br /&gt;So don’t worry about your choice here.&lt;br /&gt;For our first machine, we will choose the “Typical” radio button, and click “Next &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7_N8kaLN2I/AAAAAAAABJk/JRWlsEJjgwo/s1600-h/Screen05.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7_N8kaLN2I/AAAAAAAABJk/JRWlsEJjgwo/s320/Screen05.png" alt="" id="BLOGGER_PHOTO_ID_5170077337693927266" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;6- In the “Select a Guest Operating System” window, you will be able to choose the operating system that you will install on your virtual machine.&lt;br /&gt;For every operating system vendor you will see a list of the supported guest versions. For example, under the Linux vendor, you will see Redhat, SuSe, Novell, Mandrake (Mandriva), TurboLinux, Ubuntu, and Others.&lt;br /&gt;Let’s say you are a Gentoo Linux fan, does this mean that you can’t install Gentoo as a virtual machine?&lt;br /&gt;Definitely you can; you can install almost any operating system. 
For example, Apple Mac is not mentioned here, but you can still choose the “Other” radio button and start the process of installation (with a few little tricks); Open BSD is not mentioned here, but again it can be installed with a few little tricks.&lt;br /&gt;&lt;br /&gt;VMware keeps updating the list of supported operating systems, so it is rare to want to install an operating system that VMware does not support.&lt;br /&gt;&lt;br /&gt;I chose “Windows XP Professional” as the first OS; choose the virtual machine operating system you prefer and click “Next &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7_OJ0aLN3I/AAAAAAAABJs/0ucV4_8UYQI/s1600-h/Screen06.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7_OJ0aLN3I/AAAAAAAABJs/0ucV4_8UYQI/s320/Screen06.png" alt="" id="BLOGGER_PHOTO_ID_5170077565327193970" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;7- Give a name and a location for your virtual machine; this name will be the folder name of your machine, which holds all of its files and settings.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_OeEaLN4I/AAAAAAAABJ0/5qdIuBZrcL8/s1600-h/Screen07.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_OeEaLN4I/AAAAAAAABJ0/5qdIuBZrcL8/s320/Screen07.png" alt="" id="BLOGGER_PHOTO_ID_5170077913219544962" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;8- Choose the type of the Network you need:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Use bridged networking&lt;/span&gt;: If you use bridged networking, the virtual machine is a full participant in the network. 
It has access to other machines on the network and can be contacted by other machines on the network as if it were a physical computer on the network.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Use network address translation (NAT)&lt;/span&gt;: If you use NAT, your virtual machine does not have its own IP address on the external network. Instead, a separate private network is set up on the host computer. Your virtual machine gets an address on that network from the VMware virtual DHCP server. The VMware NAT device passes network data between one or more virtual machines and the external network. It identifies incoming data packets intended for each virtual machine and sends them to the correct destination.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Use host-only networking&lt;/span&gt;: If you use host-only networking, your virtual machine and the host virtual adapter are connected to a private Ethernet network. Addresses on this network are provided by the VMware DHCP server.&lt;br /&gt;&lt;br /&gt;These settings can be changed later as well according to your needs.&lt;br /&gt;For our lab we’ll select “Use host-only networking”, because you might be connected at the moment to an operational network, and I don’t want you to mess up that network; with host-only networking the lab machines can only talk to each other and to the host.&lt;br /&gt;Click “Next &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7_OyUaLN5I/AAAAAAAABJ8/2PdYe1nYTXM/s1600-h/Screen08.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7_OyUaLN5I/AAAAAAAABJ8/2PdYe1nYTXM/s320/Screen08.png" alt="" id="BLOGGER_PHOTO_ID_5170078261111895954" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;9- What is the size of the hard disk of the virtual machine you are creating now? 
This depends on 2 things:&lt;br /&gt;a- The size of your real hard disk, because it doesn’t make sense if your hard disk is 10GB and you are creating a virtual hard disk with size 8GB&lt;br /&gt;b- What is the virtual machine going to be used for? What are the applications that will be installed on this machine?&lt;br /&gt;For example, if you are just installing a Windows OS, this will be about 2GB maximum, while it might reach 8GB if you are installing Linux, it all depends on the OS and the applications installed.&lt;br /&gt;&lt;br /&gt;Decide the size yourself and click “Finish”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7_PCUaLN6I/AAAAAAAABKE/neFT8BI5c6c/s1600-h/Screen09.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7_PCUaLN6I/AAAAAAAABKE/neFT8BI5c6c/s320/Screen09.png" alt="" id="BLOGGER_PHOTO_ID_5170078535989802914" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;10- Here we can see the first empty virtual machine, I say empty because we didn’t install the operating system yet :)&lt;br /&gt;Let’s examine the settings we configured first, and then I will leave you alone with your virtual machine :)&lt;br /&gt;To view or edit the virtual machine settings, click the “Edit virtual machine settings” link&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7_PPkaLN7I/AAAAAAAABKM/FQKOSTLVwBw/s1600-h/Screen10.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7_PPkaLN7I/AAAAAAAABKM/FQKOSTLVwBw/s320/Screen10.png" alt="" id="BLOGGER_PHOTO_ID_5170078763623069618" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;11- Now if you want you can change the memory size, the CD drive, number of processors, add or remove hardware components…&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} 
catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_PhEaLN8I/AAAAAAAABKU/w3dUx6awDhg/s1600-h/Screen11.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_PhEaLN8I/AAAAAAAABKU/w3dUx6awDhg/s320/Screen11.png" alt="" id="BLOGGER_PHOTO_ID_5170079064270780354" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_PhEaLN9I/AAAAAAAABKc/lnWbZovMri8/s1600-h/Screen12.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_PhEaLN9I/AAAAAAAABKc/lnWbZovMri8/s320/Screen12.png" alt="" id="BLOGGER_PHOTO_ID_5170079064270780370" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;12- If you feel that everything is fine with the settings, then let’s start our OS installation process.&lt;br /&gt;Click “Ok” to go back to the main window “VMware Server Console”.&lt;br /&gt;&lt;br /&gt;If you are going to install your operating system from a CD, then put the CD in the CD drive and make sure that you choose the right CD drive in the virtual machine settings&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_PwEaLN-I/AAAAAAAABKk/nd58fYfrguI/s1600-h/Screen13.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_PwEaLN-I/AAAAAAAABKk/nd58fYfrguI/s320/Screen13.png" alt="" id="BLOGGER_PHOTO_ID_5170079321968818146" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you are installing from an ISO image, then choose the “Use ISO image” radio button, and click the “Browse…” button to point it to the ISO file. 
Click “OK” to go back to the “VMware Server Console”&lt;br /&gt;&lt;br /&gt;13- Click the “Start this virtual machine” link to start installing your OS on your first virtual machine&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7_P50aLN_I/AAAAAAAABKs/5A8XhJmz2JQ/s1600-h/Screen14.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7_P50aLN_I/AAAAAAAABKs/5A8XhJmz2JQ/s320/Screen14.png" alt="" id="BLOGGER_PHOTO_ID_5170079489472542706" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You can follow the same steps to install any other OS you need.&lt;br /&gt;Have fun :)&lt;br /&gt;&lt;br /&gt;Till next article&lt;br /&gt;Take care&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-6633962733308733518?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=JVJSEt9HXuc:2x42PhjA4ZU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=JVJSEt9HXuc:2x42PhjA4ZU:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/JVJSEt9HXuc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/JVJSEt9HXuc/creating-first-virtual-machine.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_hJ8mrxrtvaI/R7_NBEaLNxI/AAAAAAAABI8/vXigOsXgGt4/s72-c/Icon.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/creating-first-virtual-machine.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-9219595147860651572</guid><pubDate>Sat, 23 Feb 2008 05:30:00 +0000</pubDate><atom:updated>2008-02-25T06:44:09.491+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Labs</category><title>Installing VMware Server on Windows</title><description>Because we don’t want to be sent to jail, or lose our jobs – because you might get the idea of testing your knowledge against live networks, right? 
:) And because we want to practice our hacking techniques, we will start by building a VIRTUAL lab :)&lt;br /&gt;&lt;br /&gt;First we’ll create a virtual machine using VMware Server, which is free software that can be downloaded from here &lt;a href="http://www.vmware.com/download/server/"&gt;http://www.vmware.com/download/server/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A virtual machine is a simulated computer that runs on a real physical computer but behaves as if it were a separate machine, so your PC or laptop can keep its default Windows installation while you run other operating systems at the same time, without formatting or dual booting.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-wbEaLNjI/AAAAAAAABHM/8zBjHFF74XE/s1600-h/VMware.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-wbEaLNjI/AAAAAAAABHM/8zBjHFF74XE/s320/VMware.png" alt="" id="BLOGGER_PHOTO_ID_5170044876331103794" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here, for example, my computer is running Windows, but with VMware I was able to create virtual machines running various operating systems such as Apple’s OS, Solaris, and Linux…&lt;br /&gt;Almost any operating system can be installed&lt;br /&gt;&lt;br /&gt;So let’s go ahead and install VMware Server (Free)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-xCEaLNkI/AAAAAAAABHU/ufoiwLJD4e4/s1600-h/Screen01.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-xCEaLNkI/AAAAAAAABHU/ufoiwLJD4e4/s320/Screen01.png" alt="" id="BLOGGER_PHOTO_ID_5170045546346001986" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1- Download VMware Server from the VMware web site &lt;a 
href="http://www.vmware.com/download/server/"&gt;http://www.vmware.com/download/server/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7-xO0aLNlI/AAAAAAAABHc/UoX9lEPcDkU/s1600-h/Screen02.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7-xO0aLNlI/AAAAAAAABHc/UoX9lEPcDkU/s320/Screen02.png" alt="" id="BLOGGER_PHOTO_ID_5170045765389334098" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- You will be prompted for the download location, save the file wherever you like.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-xiUaLNmI/AAAAAAAABHk/w_B1febOG6Y/s1600-h/Screen03.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-xiUaLNmI/AAAAAAAABHk/w_B1febOG6Y/s320/Screen03.png" alt="" id="BLOGGER_PHOTO_ID_5170046100396783202" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3- Double click the exe file downloaded to start the installation process. 
First, the VMware splash screen appears, then the installation wizard screens.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7-xukaLNnI/AAAAAAAABHs/ULCX0v8zfP8/s1600-h/Screen04.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7-xukaLNnI/AAAAAAAABHs/ULCX0v8zfP8/s320/Screen04.png" alt="" id="BLOGGER_PHOTO_ID_5170046310850180722" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4- Here the installation wizard starts, telling you which software you are installing, with a warning that this software is owned by the company that created it and is copyrighted.&lt;br /&gt;Click “Next &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-yAUaLNoI/AAAAAAAABH0/eRvaGf7rQxM/s1600-h/Screen05.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-yAUaLNoI/AAAAAAAABH0/eRvaGf7rQxM/s320/Screen05.png" alt="" id="BLOGGER_PHOTO_ID_5170046615792858754" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;5- This is the End User License Agreement, EULA for short. The EULA is worth reading because it gives you a general idea about the software you are about to install, and it spells out your rights and responsibilities: what you are allowed to do with this piece of software and what you are not.&lt;br /&gt;And I’m sorry, but if you want to install VMware Server on your machine, then you have to accept the EULA (take it or leave it)&lt;br /&gt;So if you want to install the software, select the “I accept the terms in the license agreement” radio button and click “Next &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7-yp0aLNpI/AAAAAAAABH8/77DNsbJ3S-s/s1600-h/Screen06.png"&gt;&lt;img style="cursor: pointer;" 
src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7-yp0aLNpI/AAAAAAAABH8/77DNsbJ3S-s/s320/Screen06.png" alt="" id="BLOGGER_PHOTO_ID_5170047328757429906" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-yqEaLNqI/AAAAAAAABIE/pnJgqnsfla4/s1600-h/Screen06-A.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-yqEaLNqI/AAAAAAAABIE/pnJgqnsfla4/s320/Screen06-A.png" alt="" id="BLOGGER_PHOTO_ID_5170047333052397218" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;6- These are the components included in the package:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;VMware Server&lt;/span&gt;: This is the core of the software; without it you have no functionality.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;VMware Management Interface&lt;/span&gt;: This is a web based management tool that allows you to connect to, manage and monitor your virtual machines from a web browser, which is very handy if you want to manage them remotely (IIS must be installed). Since it is a remote administration interface, keep it reachable only from your lab network.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;VMware VmCOM &amp;amp; VmPerl Scripting APIs&lt;/span&gt;: VMware Server includes two scripting modules that can be used for task automation (such as starting, stopping, suspending or resetting a virtual machine) and for configuring properties (such as the amount of memory dedicated to each machine, the number of processors…)&lt;br /&gt;VmCOM is an interface for languages such as Visual Basic, Visual C++ and VBScript; because it is a COM interface it is available only on Windows.&lt;br /&gt;VmPerl, on the other hand, uses Perl, so it can be installed on both Windows and Linux.&lt;br /&gt;&lt;br /&gt;If you care for programming or scripting, you will enjoy this link &lt;a 
href="http://www.vmware.com/support/pubs/sdk_pubs.html"&gt;http://www.vmware.com/support/pubs/sdk_pubs.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;VMware Diskmount Utility&lt;/span&gt;: With the VMware DiskMount utility, a VMware virtual disk file can be mounted as a Windows drive letter for read/write access to the files it contains. Be careful with disks of machines you use for malware analysis: once mounted, everything on them is directly readable (and runnable) on the host.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-zUUaLNrI/AAAAAAAABIM/vmWU-nJoVio/s1600-h/Screen07.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-zUUaLNrI/AAAAAAAABIM/vmWU-nJoVio/s320/Screen07.png" alt="" id="BLOGGER_PHOTO_ID_5170048058901870258" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;7- Usually, when you put a CD in your CD drive, Windows runs it automatically. This is a nuisance when you work with virtual machines a lot, because every CD or ISO image you insert for a guest will autorun on the physical host as well.&lt;br /&gt;So it is better to disable it.&lt;br /&gt;And there is another point here: security wise it’s better to disable autorun, you know why?&lt;br /&gt;What if you get an autorun CD whose autorun file launches a virus or a Trojan on your machine the moment the CD is inserted?&lt;br /&gt;For more information &lt;a href="http://antivirus.about.com/od/securitytips/ht/autorun.htm"&gt;http://antivirus.about.com/od/securitytips/ht/autorun.htm&lt;/a&gt;&lt;br /&gt;If you would like to disable autorun, check the “Yes disable autorun” checkbox, and then click “Next &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-zyUaLNsI/AAAAAAAABIU/UO_OUzRkGPI/s1600-h/Screen08.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-zyUaLNsI/AAAAAAAABIU/UO_OUzRkGPI/s320/Screen08.png" alt="" 
id="BLOGGER_PHOTO_ID_5170048574297945794" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;8- To start the process of installing the files, click “Install”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7-0F0aLNtI/AAAAAAAABIc/YgY5qXv_4f4/s1600-h/Screen09.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7-0F0aLNtI/AAAAAAAABIc/YgY5qXv_4f4/s320/Screen09.png" alt="" id="BLOGGER_PHOTO_ID_5170048909305394898" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-0GEaLNuI/AAAAAAAABIk/03q2M1UpHVs/s1600-h/Screen10.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-0GEaLNuI/AAAAAAAABIk/03q2M1UpHVs/s320/Screen10.png" alt="" id="BLOGGER_PHOTO_ID_5170048913600362210" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-0GEaLNvI/AAAAAAAABIs/jpAp3xujRPI/s1600-h/Screen11.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-0GEaLNvI/AAAAAAAABIs/jpAp3xujRPI/s320/Screen11.png" alt="" id="BLOGGER_PHOTO_ID_5170048913600362226" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;9- Type in your name and the name of the organization, these 2 fields can be filled in with any data you like.&lt;br /&gt;To get the serial number, you have to register yourself first. If you want to register, on the page of VMware Server &lt;a href="http://www.vmware.com/download/server/"&gt;http://www.vmware.com/download/server/&lt;/a&gt; there is a link that says “register for your free serial number(s)”, click this link and follow the steps there. 
The serial numbers you requested will be emailed to you immediately.&lt;br /&gt;After filling in all of the information required, click “Enter &gt;”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-0GUaLNwI/AAAAAAAABI0/CkIlIDkycZA/s1600-h/Screen12.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7-0GUaLNwI/AAAAAAAABI0/CkIlIDkycZA/s320/Screen12.png" alt="" id="BLOGGER_PHOTO_ID_5170048917895329538" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;By now, we have finished installing VMware; the next step for you is to start creating your virtual machines, and installing any operating system you would like to have.&lt;br /&gt;&lt;br /&gt;Till next article&lt;br /&gt;Take care&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-9219595147860651572?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=lfoBwg4pfhA:kxu_ytbtuXA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=lfoBwg4pfhA:kxu_ytbtuXA:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/lfoBwg4pfhA" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/lfoBwg4pfhA/installing-vmware-server-on-windows.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_hJ8mrxrtvaI/R7-wbEaLNjI/AAAAAAAABHM/8zBjHFF74XE/s72-c/VMware.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/installing-vmware-server-on-windows.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-6742474461262991435</guid><pubDate>Sat, 23 Feb 2008 03:48:00 +0000</pubDate><atom:updated>2008-02-23T06:54:47.290+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">Labs</category><title>Labs Introduction</title><description>Ed Macauley is a basketball player, I don’t know him because of basketball, I know him because of a quote he said once, and I would like to share it with you.&lt;br /&gt;Ed Macauley said “&lt;span style="font-weight: bold;"&gt;When you are not practicing, remember, someone somewhere is practicing, and when you meet him he will win&lt;/span&gt;”&lt;br /&gt;&lt;br /&gt;This quote touched me immediately, because we are learning new things every day in life, we know a lot of values that we should all apply, but we don’t practice them, we don’t apply them to life, we don’t enjoy the truth of seeing this knowledge comes true.&lt;br /&gt;&lt;br /&gt;One of the Blog friends caught my attention when he talked about practicing and applying what we are learning here, and because of that I will add updated labs all the time for all of us to practice.&lt;br /&gt;&lt;br /&gt;We will create a FREE virtual lab with FREE software and tools, so I will start today with a step by step 
installation process for Windows users, followed by one for Linux users. Linux users have it easier, because we can use a Live CD that already has almost everything we need, called &lt;a href="http://www.remote-exploit.org/backtrack.html"&gt;Backtrack&lt;/a&gt;; after that we will add tools according to our needs.&lt;br /&gt;&lt;br /&gt;So let's do it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-6742474461262991435?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=ye6pzuPc86Q:ZjbCvSelaK4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=ye6pzuPc86Q:ZjbCvSelaK4:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/ye6pzuPc86Q" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/ye6pzuPc86Q/labs-introduction.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/labs-introduction.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-1066476724528276103</guid><pubDate>Tue, 19 Feb 2008 09:47:00 +0000</pubDate><atom:updated>2008-02-19T11:05:46.092+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">4- Scanning</category><title>Scanning using Nmap - Part 2</title><description>Hi guys,&lt;br /&gt;How were your first scanning attacks? :)&lt;br /&gt;I hope you all enjoyed getting your hands dirty.&lt;br /&gt;&lt;br /&gt;Today we are going to complete what we started in the &lt;a href="http://haymanezzeldin.blogspot.com/2008/02/scanning-using-nmap-part-1.html"&gt;last article&lt;/a&gt;, where we started talking about the steps of "Scanning and Enumeration": our first step was to find the live hosts on our target's network, and then we started the second step, port scanning.&lt;br /&gt;Our main tool was Nmap, and because this tool is so full of features, I found that one article would not be enough to cover even the basics of Nmap. That's why we are here again to complete what we started.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP ACK Scan:&lt;/span&gt;&lt;br /&gt;The idea behind the TCP ACK scan is very simple and very smart; I will give you an analogy to show how it works.&lt;br /&gt;We don’t know each other, right?&lt;br /&gt;Imagine I met you once in the street, and suddenly I went up to you and said “hey man, where have you been all of this time? 
not even a single mail, shame on you?” :)&lt;br /&gt;What will you think? You will say “This man knows me for sure, but probably I don’t remember him”, and then you will start answering me: “Oh, I’m fine, and sorry for not sending you mails but I was very busy the last few weeks. I got a baby and…” and you will start talking in a friendly way.&lt;br /&gt;&lt;br /&gt;The TCP ACK scan works almost the same way: it sends a bare ACK to the target’s ports, as if a connection already existed, and the target thinks “it seems I started a connection with this computer before, let’s answer him”.&lt;br /&gt;The target looks for an existing connection with our computer, finds none (which is our case here), and answers with a RST. This happens whether the port is open or closed, so a RST tells us nothing about the port state, only that our packet reached the host. If no reply comes back, or an ICMP unreachable error comes back instead, a packet-filtering device in the path dropped our ACK.&lt;br /&gt;&lt;br /&gt;Because this scan type is only used to check packet filtering, Nmap reports each port as “filtered” or “unfiltered”.&lt;br /&gt;Filtered indicates that a packet-filtering device (maybe a firewall) drops this type of packet, while unfiltered indicates that no packet filter is in the way and that the port might be open or closed.&lt;br /&gt;So the purpose of this scan is not to find open ports on our targets but to audit the rules of packet filtering; a stateful firewall that only lets through packets belonging to established connections will show every port as filtered.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qnE0aLNYI/AAAAAAAABF0/WuUkxfCxQVE/s1600-h/TCP-ACK.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qnE0aLNYI/AAAAAAAABF0/WuUkxfCxQVE/s320/TCP-ACK.jpg" alt="" id="BLOGGER_PHOTO_ID_5168627223590811010" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qnFEaLNZI/AAAAAAAABF8/VLDARR8KYIM/s1600-h/TCP-ACK-cmd.png"&gt;&lt;img style="cursor: pointer;" 
src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qnFEaLNZI/AAAAAAAABF8/VLDARR8KYIM/s320/TCP-ACK-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168627227885778322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sA 192.168.2.31&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnFUaLNaI/AAAAAAAABGE/6Pgywr1HEyo/s1600-h/TCP-ACK-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnFUaLNaI/AAAAAAAABGE/6Pgywr1HEyo/s320/TCP-ACK-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168627232180745634" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;IDLE Scan:&lt;/span&gt;&lt;br /&gt;What was the main disadvantage of all the previous scans?&lt;br /&gt;Whenever they are detected they lead back to us, because our IP address gets logged, right?&lt;br /&gt;&lt;br /&gt;So how can we avoid that? The IDLE scan is the ingenious solution to this problem.&lt;br /&gt;The IDLE scan uses another machine (the zombie) as the apparent attacker: every packet we send to the target carries the zombie’s IP address as its spoofed source, so from the target’s point of view the scan comes from the zombie.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qm60aLNRI/AAAAAAAABE8/GVf6w7MDEs8/s1600-h/Idle.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qm60aLNRI/AAAAAAAABE8/GVf6w7MDEs8/s320/Idle.jpg" alt="" id="BLOGGER_PHOTO_ID_5168627051792119058" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;* First, I choose a machine that will be the scapegoat or pivot point for our attack. This machine has to be an IDLE machine, which means no active traffic on it, because any traffic it generates on its own corrupts our measurement.&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;Every IP packet on the Internet has a "fragment identification" number or IPID. 
Many operating systems simply increment this number for every packet they send, so probing for it tells an attacker how many packets the machine has sent since the last probe.&lt;/span&gt;&lt;br /&gt;* I send the zombie a SYN/ACK. The zombie sees no existing connection between itself and my machine, so it answers with a RST, and the IP header of that RST carries the zombie’s current IPID.&lt;br /&gt;* I send a forged (spoofed) SYN from my computer to the port I want to test on the target; its source address is the zombie’s, so to the target it looks as if it came from the zombie.&lt;br /&gt;* &lt;span style="color: rgb(255, 0, 0);"&gt;Please concentrate here very well.&lt;/span&gt; If the port on the target is closed, the target sends the zombie a RST. A RST gets no reply, so the zombie sends nothing and its IPID stays where it was.&lt;br /&gt;If the port on the target is open, the target sends the zombie a SYN/ACK.&lt;br /&gt;The zombie finds no existing connection with the target, so it sends the target a RST, and because the zombie is idle that RST is its only packet, so its IPID goes up by exactly 1.&lt;br /&gt;* Now, it’s my turn again. 
I send the zombie another SYN/ACK; the zombie finds no existing connection with my machine and sends me a RST.&lt;br /&gt;If the IPID in this RST has increased by 1, the zombie sent no packet to the target in between, which means the port scanned is closed (or filtered: a firewall silently dropping our spoofed SYN looks exactly the same from here, which is why Nmap reports such ports as closed|filtered).&lt;br /&gt;If the IPID in this RST has increased by 2, the zombie sent 1 packet to the target in between, which indicates an open port.&lt;br /&gt;Two caveats: the trick only works if the zombie really is idle and uses a single IPID counter that increments with every packet it sends, so Nmap tests the zombie’s IPID behaviour before it starts the scan and re-checks ports whose results look inconsistent. A busy zombie, or one with randomized IPIDs, gives meaningless results.&lt;br /&gt;&lt;br /&gt;Let’s analyze the nmap command and the output in Wireshark.&lt;br /&gt;But before we start, I want you to note the MAC addresses of the machines I’m using:&lt;br /&gt;&lt;br /&gt;The Attacker’s IP is 192.168.2.47 – 00:0C:29:B0:BC:EF (Backtrack OS)&lt;br /&gt;The Zombie’s IP is 192.168.2.45 – 00:0C:29:68:5A:DD (Windows OS)&lt;br /&gt;The Target’s IP is 192.168.2.31 – 00:0C:29:C6:21:DC (OpenSuSe OS)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qm7kaLNVI/AAAAAAAABFc/oYJj2gaHwfo/s1600-h/Idle-MAC47.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qm7kaLNVI/AAAAAAAABFc/oYJj2gaHwfo/s320/Idle-MAC47.png" alt="" id="BLOGGER_PHOTO_ID_5168627064677021010" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qm7kaLNUI/AAAAAAAABFU/qimYKEf0XMY/s1600-h/Idle-MAC45.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qm7kaLNUI/AAAAAAAABFU/qimYKEf0XMY/s320/Idle-MAC45.png" alt="" id="BLOGGER_PHOTO_ID_5168627064677020994" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qm7UaLNTI/AAAAAAAABFM/QM5AyKcEReg/s1600-h/Idle-MAC31.png"&gt;&lt;img style="cursor: pointer;" 
src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qm7UaLNTI/AAAAAAAABFM/QM5AyKcEReg/s320/Idle-MAC31.png" alt="" id="BLOGGER_PHOTO_ID_5168627060382053682" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qm7EaLNSI/AAAAAAAABFE/-8CkuUh0NzE/s1600-h/Idle-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qm7EaLNSI/AAAAAAAABFE/-8CkuUh0NzE/s320/Idle-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168627056087086370" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The command used is:&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sI 192.168.2.45 192.168.2.31&lt;/span&gt;&lt;br /&gt;The first address is the zombie, the second is the target. Add -Pn if you want to skip host discovery, because the ping probes Nmap sends before the scan come from your real address, not the zombie’s.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnEUaLNWI/AAAAAAAABFk/y127S-_Ijt0/s1600-h/Idle-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnEUaLNWI/AAAAAAAABFk/y127S-_Ijt0/s320/Idle-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168627215000876386" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here we notice that at the IP level there is not a single packet showing “My Computer” talking to “My Target”; all the communication is between 192.168.2.45 (the zombie) and 192.168.2.31 (the target)&lt;br /&gt;&lt;br /&gt;Let’s analyze one of these packets to see what the truth is.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnEkaLNXI/AAAAAAAABFs/vj5X7Nm0k3c/s1600-h/Idle-Wireshark-analyze.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnEkaLNXI/AAAAAAAABFs/vj5X7Nm0k3c/s320/Idle-Wireshark-analyze.png" alt="" id="BLOGGER_PHOTO_ID_5168627219295843698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Aha, though the connection appears to be from the zombie to the target, the MAC address shows 
the truth: it shows that the MAC address of the source is 00:0C:29:B0:BC:EF (the MAC address of My Computer)&lt;br /&gt;Keep this in mind from the defender’s side as well: on the attacker’s own LAN segment the Ethernet source address gives the spoofing away, while across a router that evidence is gone and only the zombie’s IP address remains in the target’s logs.&lt;br /&gt;&lt;br /&gt;I liked this one :)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;UDP Scan:&lt;/span&gt;&lt;br /&gt;Let’s not forget other protocols as well :)&lt;br /&gt;Because UDP is simpler than TCP (no 3-way handshake, no flags, no sequence numbers), the UDP scan is very simple too.&lt;br /&gt;The attacker sends a UDP packet to each port on the target, and there are three possible outcomes: an ICMP Port Unreachable (type 3, code 3), which indicates a closed port; no response at all, which means the port is either open or filtered by a firewall (Nmap reports it as open|filtered); or an actual UDP response, which proves the port is open. If some other ICMP unreachable error comes back (type 3 with code 0, 1, 2, 9, 10 or 13), a filtering device is blocking the probe and Nmap reports the port as filtered.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qnPEaLNbI/AAAAAAAABGM/OVG1y6qjAew/s1600-h/UDP.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qnPEaLNbI/AAAAAAAABGM/OVG1y6qjAew/s320/UDP.jpg" alt="" id="BLOGGER_PHOTO_ID_5168627399684470194" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let’s see what we can get from Nmap:&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sU 192.168.2.45&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnPUaLNcI/AAAAAAAABGU/PJ9lxjocOf0/s1600-h/UDP-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnPUaLNcI/AAAAAAAABGU/PJ9lxjocOf0/s320/UDP-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168627403979437506" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;p class="MsoNormal" style="margin-bottom: 0.0001pt; line-height: normal;"&gt;&lt;span style=""&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;if your target is Linux, be aware that a full UDP scan can take 18 hours or even more. Linux by design limits ICMP Destination Unreachable messages to about one per second, so every closed port costs the scanner roughly a second, and Nmap also retransmits any probe that got no answer before it gives up on a port. Scanning all 65,536 UDP ports of a single machine at one port per second is where the 18 hours come from, so limit the port range with -p whenever you can.&lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnPkaLNdI/AAAAAAAABGc/rqdisJSuBFc/s1600-h/UDP-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnPkaLNdI/AAAAAAAABGc/rqdisJSuBFc/s320/UDP-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168627408274404818" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In “Wireshark” we can see the attacker sending UDP packets to ports on our target in random order (the cyan blue lines), and the target responding with an ICMP Destination Port Unreachable when the port is closed (the black lines)&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;if you would like to see that the open|filtered ports didn’t respond, just add a filter to your Wireshark such as udp.port==123 (as in our case here). 
This will show only the NTP packets, and you will see no responses from the port (which indicates either open or filtered)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnPkaLNeI/AAAAAAAABGk/Gmf9c9TvA98/s1600-h/UDP-Wireshark-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnPkaLNeI/AAAAAAAABGk/Gmf9c9TvA98/s320/UDP-Wireshark-filter.png" alt="" id="BLOGGER_PHOTO_ID_5168627408274404834" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Version Scanning:&lt;/span&gt;&lt;br /&gt;Do you think it would make any difference in your attack if your target’s web server is running Apache 2.2.8 or Apache 2.0.0?&lt;br /&gt;Sure there is a difference, a great difference: Apache 2.2.8 is one of the latest versions, which means that it has fixed the bugs and vulnerabilities found in previous versions, while 2.0.0 still includes all of the bugs and vulnerabilities found between version 2.0.0 and 2.2.8.&lt;br /&gt;So it means a lot for an attacker to know which software versions the target is running. And here comes the Version Scanning.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qnP0aLNfI/AAAAAAAABGs/4PFarxnbVUo/s1600-h/Version.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qnP0aLNfI/AAAAAAAABGs/4PFarxnbVUo/s320/Version.jpg" alt="" id="BLOGGER_PHOTO_ID_5168627412569372146" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;First of all, the Nmap installation folder contains a file called “nmap-service-probes”; if you open this file with WordPad (on Windows) or KWrite (on Linux) you will be able to see a series of software services and the expected responses. 
If there is a software service that is not listed there, then Nmap will not be able to support you in detecting the version of this software.&lt;br /&gt;&lt;br /&gt;Version detection in Nmap has to be accompanied by one of the port scans (TCP SYN scan, TCP FIN scan…), and if no scan type is mentioned in the command line then the default will be a TCP SYN scan.&lt;br /&gt;&lt;br /&gt;When the attacker uses the Version detection scan, Nmap starts with a TCP SYN scan and gathers all of the open ports on the target, then it sends some probing traffic to each open port trying to identify the service listening on it. Each port will behave differently according to the service listening on it.&lt;br /&gt;&lt;br /&gt;Let’s see what we can get from Nmap:&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sV 192.168.2.31&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnWUaLNgI/AAAAAAAABG0/QJjmAuZmHkE/s1600-h/Version-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qnWUaLNgI/AAAAAAAABG0/QJjmAuZmHkE/s320/Version-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168627524238521858" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnWkaLNhI/AAAAAAAABG8/NBdinv9HyIw/s1600-h/Version-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qnWkaLNhI/AAAAAAAABG8/NBdinv9HyIw/s320/Version-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168627528533489170" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qnW0aLNiI/AAAAAAAABHE/jNcU9xKLxkI/s1600-h/Version-Wireshark-filter.png"&gt;&lt;img style="cursor: pointer;" 
src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qnW0aLNiI/AAAAAAAABHE/jNcU9xKLxkI/s320/Version-Wireshark-filter.png" alt="" id="BLOGGER_PHOTO_ID_5168627532828456482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From “Wireshark”, we can see that the attacker is sending a SYN to different random ports on our target (The grey lines), and the target is responding with RST if the port is closed (The red lines).&lt;br /&gt;If the port is open, then the attacker completes the 3-Way handshake, then it starts generating some traffic to gather more information about the service running on this port.&lt;br /&gt;&lt;br /&gt;In our example here, Nmap connects to the SSH service, completes the SSL handshake negotiation and then runs the detection scan to find that the real service behind the SSH is OpenSSH version 4.6.&lt;br /&gt;&lt;br /&gt;Guys, what I mentioned in these 2 articles are a few of the great options of Nmap; I can’t mention them all, otherwise I will end up with a book :).&lt;br /&gt;What I recommend at this moment is to go through the manual page for nmap on a Unix/Linux machine, and start reading and applying what you are reading immediately.&lt;br /&gt;&lt;br /&gt;I’m sure we are not finished with Nmap and its great capabilities, but all will come in time.&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Take care.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=iFTiabG5o3w:8Lf0mIP67NE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=iFTiabG5o3w:8Lf0mIP67NE:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/iFTiabG5o3w" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/iFTiabG5o3w/scanning-using-nmap-part-2.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qnE0aLNYI/AAAAAAAABF0/WuUkxfCxQVE/s72-c/TCP-ACK.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/scanning-using-nmap-part-2.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-8237597750645219952</guid><pubDate>Fri, 15 Feb 2008 09:51:00 +0000</pubDate><atom:updated>2008-02-19T10:38:42.260+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">4- Scanning</category><title>Scanning using Nmap - Part 1</title><description>A thief wanted to rob a bank; he started watching the bank since a week now, and he started to take notes about when the employees come, when they leave, when there is big cash in the bank, when this cash is gone, and he decided to rob the bank on the X day.&lt;br /&gt;What do you think is missing here?&lt;br /&gt;&lt;br /&gt;The thief has gathered his information from the outside, but he missed the inside part. He didn’t report where the entrances and exits are, where the guards are located, where the monitoring cameras are, and how to disable or evade them; he didn’t see where cash is, what kind of vault they have, how he will escape, what Plan B is…&lt;br /&gt;&lt;br /&gt;Wow, this guy missed so many things, and this is what hackers try to avoid. 
And this is what we call “Scanning and Enumeration”.&lt;br /&gt;In “Scanning and Enumeration” we are trying to gather more information – but this time by partially delving into our target and grabbing the information that will help us prepare our attack.&lt;br /&gt;&lt;br /&gt;From the previous phase, we were able to gather general information about our target; this time we will scan our target to find out:&lt;br /&gt;1- Live systems&lt;br /&gt;2- Open ports&lt;br /&gt;3- Services running&lt;br /&gt;4- Operating systems used&lt;br /&gt;5- Vulnerabilities&lt;br /&gt;&lt;br /&gt;Any “Penetration Testing” scanning starts with defining the live systems and drawing a network topology for your target; our mission here is to find hosts, routers, firewalls…&lt;br /&gt;Both requirements can be achieved using methods like “Tracerouting” – which we already discussed in a &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/tracerouting-and-lesson.html"&gt;previous article&lt;/a&gt;; another method is “Ping Sweeping” – a technique used by attackers where you send an ICMP Echo Request to multiple hosts, trying to find which of these hosts are alive.&lt;br /&gt;Some of the tools that can accomplish “Ping Sweeping” are Nmap, Hping3, netenum, Fping…&lt;br /&gt;&lt;br /&gt;Let’s see what we can get from Nmap:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7p0XkaLL8I/AAAAAAAAAtc/iba72dWhwuo/s1600-h/Ping-sweep-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7p0XkaLL8I/AAAAAAAAAtc/iba72dWhwuo/s320/Ping-sweep-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168571470620340162" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As we have seen, the command used was&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sP 207.x.x.0/24&lt;/span&gt;&lt;br /&gt;Or&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sP 
207.x.x.1-255&lt;/span&gt;&lt;br /&gt;Both commands do the same thing, but in the first we used CIDR or &lt;a href="http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing"&gt;Classless Inter-Domain Routing&lt;/a&gt; notation, while in the second we manually added the range we want to scan.&lt;br /&gt;&lt;br /&gt;Let’s see the result in the Protocol Analyzer “Wireshark”&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qgokaLNCI/AAAAAAAAA60/TtOevWMZ1WM/s1600-h/Ping-sweep-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qgokaLNCI/AAAAAAAAA60/TtOevWMZ1WM/s320/Ping-sweep-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168620141189739554" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;At the end of the Nmap output, you will see the result of the Ping Sweeping&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qgoUaLNBI/AAAAAAAAA6s/bOjFJZqMTZU/s1600-h/Ping-sweep-result.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qgoUaLNBI/AAAAAAAAA6s/bOjFJZqMTZU/s320/Ping-sweep-result.png" alt="" id="BLOGGER_PHOTO_ID_5168620136894772242" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The good thing about “Ping Sweeping” is:&lt;br /&gt;* You will be able to detect all the live hosts (if ICMP Echo Requests are allowed)&lt;br /&gt;* You can run the ICMP scanning in parallel, which means you can scan many hosts at the same time. 
And this will be very helpful if you are scanning an entire network&lt;br /&gt;&lt;br /&gt;The bad thing about “Ping Sweeping” is:&lt;br /&gt;* This technique is detectable, either by an IDS or by awake administrators :), because of the huge amount of ICMP Echo Requests against so many machines in a short time range.&lt;br /&gt;Would you like to know how to avoid that?&lt;br /&gt;Search for “Nmap Timing Options” and enjoy reading :)&lt;br /&gt;&lt;br /&gt;* If ICMP Echo Requests are blocked at the perimeter zone, then you are stuck, because Ping Sweeping using ICMP won’t work then.&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;In this case, we will use a TCP Ping Sweep to scan our target’s network. What happens is that we send an ACK to the targets, and the live ones should respond with a RST.&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;For example with Nmap, the command will be:&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);font-family:courier new;" &gt;nmap -sP -PT 207.x.x.0/24&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Or&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;&lt;span style="font-family:courier new;"&gt;nmap -sP -PT80 207.x.x.0/24&lt;/span&gt; (where 80 here is a port number that is allowed through the firewall, and it doesn’t mean that this port should be open on the scanned machines)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now after we were able to see the live hosts on the target network, let’s see which of these systems have open doors for our entry, and what services might be running on these systems.&lt;br /&gt;&lt;br /&gt;I will tell you the types of scans, and with each scan I will describe how it is accomplished and what’s going on behind the scenes.&lt;br /&gt;&lt;br /&gt;But before that, I would like to remind you about TCP connections.&lt;br /&gt;We said before that all TCP connections are established using a 3-way handshake: SYN, SYN / ACK and 
finally ACK. And we said that TCP is a Transport Protocol that is responsible for transferring data from one system to another; it divides the data into pieces and labels them with sequence numbers for proper ordering upon delivery.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qhDEaLNJI/AAAAAAAAA7s/ARrXYMV25e4/s1600-h/TCP-handshake.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qhDEaLNJI/AAAAAAAAA7s/ARrXYMV25e4/s320/TCP-handshake.jpg" alt="" id="BLOGGER_PHOTO_ID_5168620596456273042" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;“My Computer” sends a packet with an Initial Sequence Number or ISN (Let’s call it A) and the SYN flag set to 1.&lt;br /&gt;“My Target” will respond with a packet that has both the SYN and ACK flags set to 1. The Acknowledgment will add 1 to the sequence number it got from “My Computer”, and it will create another ISN special for its own direction (Let’s call it B).&lt;br /&gt;“My Computer” will now complete the 3-Way handshake by sending an ACK, using the ISN of “My Target” and adding 1 to it.&lt;br /&gt;From now on, whenever “My Computer” sends any packet to “My Target”, it will be based on ISN(A)+1. 
While whenever “My Target” sends any packet to “My Computer”, it will be based on ISN(B)+1.&lt;br /&gt;&lt;br /&gt;Now to the scan types :)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP Connect Scan (Plain Vanilla):&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qg10aLNDI/AAAAAAAAA68/Of_72KpEfII/s1600-h/TCP-Connect.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qg10aLNDI/AAAAAAAAA68/Of_72KpEfII/s320/TCP-Connect.jpg" alt="" id="BLOGGER_PHOTO_ID_5168620368823006258" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;“TCP Connect Scan” or “Plain Vanilla” attempts to complete the whole 3-Way handshake with each target host.&lt;br /&gt;The attacker sends a SYN to the target; if the target’s port is open and it responds with a SYN/ACK, then the attacker will send the last ACK and tear down the connection using a RST.&lt;br /&gt;&lt;br /&gt;As we said previously, this scan can be detected easily, because it will generate a huge amount of traffic targeting all of the ports on our Target, trying to detect which ports are open.&lt;br /&gt;&lt;br /&gt;Let’s see what we can get from Nmap:&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sT 192.168.2.31&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qg10aLNEI/AAAAAAAAA7E/umEpy9dYXsA/s1600-h/TCP-Connect-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qg10aLNEI/AAAAAAAAA7E/umEpy9dYXsA/s320/TCP-Connect-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168620368823006274" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qg3UaLNFI/AAAAAAAAA7M/zdYyPPt9VuU/s1600-h/TCP-Connect-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qg3UaLNFI/AAAAAAAAA7M/zdYyPPt9VuU/s320/TCP-Connect-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168620394592810066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From “Wireshark”, we can see that the attacker is sending a SYN to different random ports on our target (The yellow lines), and the target is responding with RST if the port is closed (The red lines), while it responds with a SYN/ACK if the port is open (The green line)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP SYN Scan (Half Open):&lt;/span&gt;&lt;br /&gt;TCP SYN scan is a little bit stealthier than the previous scan, because it uses a different technique.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qhDUaLNKI/AAAAAAAAA70/Q8GQJIP0QIw/s1600-h/TCP-SYN.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qhDUaLNKI/AAAAAAAAA70/Q8GQJIP0QIw/s320/TCP-SYN.jpg" alt="" id="BLOGGER_PHOTO_ID_5168620600751240354" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The attacker sends a SYN to the target; if the target’s port is open and it responds with a SYN/ACK, then the attacker will immediately tear down the connection using a RST.&lt;br /&gt;&lt;br /&gt;The good thing about TCP SYN scan is:&lt;br /&gt;* It doesn’t establish a connection (as it sends an immediate RST before the connection is established), therefore these scans are not logged&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;Though the target itself doesn’t log these types of scans, the perimeter devices have the ability to report such scans, so be aware of that&lt;/span&gt;&lt;br /&gt;* Speed, because it sends fewer packets than the previous scan.&lt;br /&gt;Let’s see what we can get from 
Nmap:&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sS 192.168.2.31&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qhDkaLNLI/AAAAAAAAA78/ucHvpxtQEXA/s1600-h/TCP-SYN-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qhDkaLNLI/AAAAAAAAA78/ucHvpxtQEXA/s320/TCP-SYN-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168620605046207666" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qhD0aLNMI/AAAAAAAAA8E/1ylwCVSo6QE/s1600-h/TCP-SYN-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qhD0aLNMI/AAAAAAAAA8E/1ylwCVSo6QE/s320/TCP-SYN-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168620609341174978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From “Wireshark”, we can see that the attacker is sending a SYN to different random ports on our target (The yellow lines), and the target is responding with RST if the port is closed (The red lines), while it responds with a SYN/ACK if the port is open (The green line).&lt;br /&gt;Notice the Red line directly after the Green line; you will notice that the attacker sends an immediate RST after the SYN/ACK of the target.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP FIN, XMAS, NULL Scans (Stealth):&lt;/span&gt;&lt;br /&gt;I decided to gather these 3 scans together because they really work in the same manner; they break the rules of TCP connection establishment.&lt;br /&gt;We have seen that the normal TCP connection establishment starts with a SYN, and then goes further, whether you complete the connection establishment (TCP Connect Scan) or terminate it (TCP SYN Scan).&lt;br /&gt;But these 3 scans (FIN, XMAS, NULL) act in a totally different manner; they send an 
unexpected packet at the start of the connection.&lt;br /&gt;The FIN Scan starts with a FIN packet, the XMAS Scan starts with a packet that has the Flags FIN, PSH and URG set to 1, while the NULL Scan starts with a packet that has all the Flags set to 0.&lt;br /&gt;But why are they doing that? The reason is to confuse the targets, because each target expects a SYN packet for connection establishment. When the target receives a FIN packet (which indicates a normal TCP Connection termination), it will accept it because it will think that it’s coming from a previously established connection. While the other 2 (XMAS and NULL) violate the rules of flag settings, because the target is expecting a packet whose flags indicate one specific thing. So when the target receives a packet with all flags set, or all flags removed, this is confusing.&lt;br /&gt;&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;One important thing you have to know here: these scans are not going to work if your target is Windows based.&lt;/span&gt;&lt;br /&gt;Remember in the &lt;a href="http://haymanezzeldin.blogspot.com/2008/02/scanning-basics.html"&gt;last article&lt;/a&gt;, our homework was to read &lt;a href="http://www.faqs.org/rfcs/rfc793.html"&gt;RFC793&lt;/a&gt;. In this RFC it is indicated that when a port is closed, then a RST is sent back. And no response is sent when the port is open.&lt;br /&gt;Unfortunately, Microsoft doesn’t follow this RFC :) and whenever they receive any of these scans, the response is always RST. 
That’s why these scans will not work against Windows based systems.&lt;br /&gt;&lt;br /&gt;Let’s start with the TCP FIN Scan:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qg30aLNGI/AAAAAAAAA7U/5y2xLSE6r3Y/s1600-h/TCP-FIN.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qg30aLNGI/AAAAAAAAA7U/5y2xLSE6r3Y/s320/TCP-FIN.jpg" alt="" id="BLOGGER_PHOTO_ID_5168620403182744674" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qg4EaLNHI/AAAAAAAAA7c/rGYmlmHp-0E/s1600-h/TCP-FIN-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qg4EaLNHI/AAAAAAAAA7c/rGYmlmHp-0E/s320/TCP-FIN-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168620407477711986" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sF 192.168.2.31&lt;/span&gt;&lt;br /&gt;Notice that the result indicates open|filtered; do you know why?&lt;br /&gt;The reason is that some Firewalls (such as &lt;a href="http://en.wikipedia.org/wiki/Stateful_firewall"&gt;Stateful Firewalls&lt;/a&gt;) can drop this kind of packet without sending a response back (so the port might be open, or it might be filtered by the firewall)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qhDEaLNII/AAAAAAAAA7k/oH5x4Qm7w4M/s1600-h/TCP-FIN-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qhDEaLNII/AAAAAAAAA7k/oH5x4Qm7w4M/s320/TCP-FIN-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168620596456273026" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From “Wireshark”, we can see that the attacker is sending a FIN to different random ports on our target (The White lines), 
and the target is responding with RST if the port is closed (The red lines), while it sends no response if the port is open or filtered (by a Firewall).&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;if you would like to see that the open|filtered ports didn’t respond, just add a filter to your Wireshark such as tcp.port==22 (as in our case here). This will show only the SSH packets, and you will see no responses from the port (which indicates either open or filtered)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now, let’s examine the XMAS Scan&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qhLUaLNNI/AAAAAAAAA8M/oWUqD_k6G9k/s1600-h/XMAS.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qhLUaLNNI/AAAAAAAAA8M/oWUqD_k6G9k/s320/XMAS.jpg" alt="" id="BLOGGER_PHOTO_ID_5168620738190193874" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qhLkaLNOI/AAAAAAAAA8U/wS5M6lWKa5I/s1600-h/Xmas-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qhLkaLNOI/AAAAAAAAA8U/wS5M6lWKa5I/s320/Xmas-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168620742485161186" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sX 192.168.2.31&lt;/span&gt;&lt;br /&gt;Notice that the result indicates open|filtered; I’m sure you know why :)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qhLkaLNPI/AAAAAAAAA8c/ui0_GSNY8y4/s1600-h/Xmas-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qhLkaLNPI/AAAAAAAAA8c/ui0_GSNY8y4/s320/Xmas-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168620742485161202" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From “Wireshark”, we can see that the attacker is sending a packet with all Flags set (FIN, PSH, URG) to different random ports on our target (The White lines), and the target is responding with RST if the port is closed (The red lines), while it sends no response if the port is open or filtered (by Firewall).&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;if you would like to see that the open|filtered ports didn’t respond, just add a filter to your Wireshark such as tcp.port==22 (as in our case here). This will show only the SSH packets, and you will see no responses from the port (which indicates either open or filtered)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qhL0aLNQI/AAAAAAAAA8k/IzGNqph6qa0/s1600-h/Xmas-Wireshark-filter.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qhL0aLNQI/AAAAAAAAA8k/IzGNqph6qa0/s320/Xmas-Wireshark-filter.png" alt="" id="BLOGGER_PHOTO_ID_5168620746780128514" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now let’s examine the NULL Scan&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qgn0aLM-I/AAAAAAAAA6U/cQA2OjtYdSw/s1600-h/Null.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qgn0aLM-I/AAAAAAAAA6U/cQA2OjtYdSw/s320/Null.jpg" alt="" id="BLOGGER_PHOTO_ID_5168620128304837602" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qgoEaLM_I/AAAAAAAAA6c/hHWwYiYmGrk/s1600-h/Null-cmd.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qgoEaLM_I/AAAAAAAAA6c/hHWwYiYmGrk/s320/Null-cmd.png" alt="" id="BLOGGER_PHOTO_ID_5168620132599804914" border="0" /&gt;&lt;/a&gt;&lt;br 
/&gt;&lt;br /&gt;The command used is&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;nmap -sN 192.168.2.31&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qgoEaLNAI/AAAAAAAAA6k/feIjVQfQyzE/s1600-h/Null-Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qgoEaLNAI/AAAAAAAAA6k/feIjVQfQyzE/s320/Null-Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168620132599804930" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From “Wireshark”, we can see that the attacker is sending a packet with no Flags set (can you see the 2 empty brackets []?) to different random ports on our target (The White lines), and the target is responding with RST if the port is closed (The red lines), while it sends no response if the port is open or filtered (by a Firewall).&lt;br /&gt;Note – &lt;span style="color: rgb(255, 0, 0);"&gt;if you would like to see that the open|filtered ports didn’t respond, just add a filter to your Wireshark such as tcp.port==22 (as in our case here). This will show only the SSH packets, and you will see no responses from the port (which indicates either open or filtered)&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Now I'm tired and need a break :)&lt;br /&gt;Don't worry, our discussion of Nmap is not finished. But you have to wait till Part 2 :)&lt;br /&gt;&lt;br /&gt;Take care guys.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=RK1wTQJNAL4:oRgVxH_ih_o:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=RK1wTQJNAL4:oRgVxH_ih_o:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/RK1wTQJNAL4" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/RK1wTQJNAL4/scanning-using-nmap-part-1.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp1.blogger.com/_hJ8mrxrtvaI/R7p0XkaLL8I/AAAAAAAAAtc/iba72dWhwuo/s72-c/Ping-sweep-cmd.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/scanning-using-nmap-part-1.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-9113724669285123427</guid><pubDate>Mon, 11 Feb 2008 13:47:00 +0000</pubDate><atom:updated>2008-02-19T10:12:41.507+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">2- Basics</category><category domain="http://www.blogger.com/atom/ns#">4- Scanning</category><title>Scanning Basics</title><description>Guys, did you study well?&lt;br /&gt;I really mean it, if you didn’t study the previous lessons by heart, then please go back immediately and do it. Otherwise everything will be messed up!!&lt;br /&gt;&lt;br /&gt;Today we are going to start the second phase in “Ethical Hacking”; this phase is called “Scanning and Enumeration”. “Scanning” is the phase where we have a direct contact with our target; because as we have seen before in the “Reconnaissance” phase that we never dealt direct with the target. All what we did was to gather information without our target knowing about it.&lt;br /&gt;&lt;br /&gt;But as usual, before we start delving into our new phase, we have to learn some basics; our lesson today is about TCP/IP. And because TCP/IP is a huge subject that deserves encyclopedias to be written about, so I will just simplify few terms that will help us in this phase. 
And at the same time I will refer you to other links for more reference.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Basics:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;1- Layering&lt;/span&gt;&lt;br /&gt;Networking – from the design point of view – would look like this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qcEkaLM4I/AAAAAAAAA5E/YEpovpdswG0/s1600-h/Net-Design.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qcEkaLM4I/AAAAAAAAA5E/YEpovpdswG0/s320/Net-Design.jpg" alt="" id="BLOGGER_PHOTO_ID_5168615124667937666" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The same network – from the telecommunication point of view – would look like this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qcEkaLM5I/AAAAAAAAA5M/MewTBDYO44Q/s1600-h/Net-Telecomm.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qcEkaLM5I/AAAAAAAAA5M/MewTBDYO44Q/s320/Net-Telecomm.jpg" alt="" id="BLOGGER_PHOTO_ID_5168615124667937682" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When 2 computers communicate with each other, the data goes through many processes on its way from one computer to the other. 
These processes take place in conceptual network layers; each layer is responsible for one or more processes.&lt;br /&gt;&lt;br /&gt;Let’s take a practical example so that we understand it better.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 7 = Application Layer&lt;/span&gt;&lt;br /&gt;You open your Internet browser and type in the name of the website of your target which you want to visit.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 6 = Presentation Layer&lt;/span&gt;&lt;br /&gt;Your browser knows how to show pictures of different formats, such as JPG, PNG…&lt;br /&gt;Your browser knows how to handle different file types; for example, if the target’s web site is created using HTML or ASP, your browser knows how to open these file types.&lt;br /&gt;Also, if the web page is encrypted and you have the authority to open this page, then your browser will know how to decrypt the page and show it in a readable format.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 5 = Session Layer&lt;/span&gt;&lt;br /&gt;This is the first step of networking, where your browser establishes a session between your computer and the Web Server, and terminates the session at the end.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 4 = Transport Layer&lt;/span&gt;&lt;br /&gt;The web page you requested needs to be divided into small chunks to be transferred, and arranged in order to be sent through the network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 3 = Network Layer&lt;/span&gt;&lt;br /&gt;Now the page is ready, but it doesn’t know how to reach you, because your address is xxx.xxx.xxx.xxx, which by itself means nothing to the web server since it doesn’t know where this address is located; so in this step addressing occurs and the data is sent to the Network Card.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 2 = Data Link Layer&lt;/span&gt;&lt;br /&gt;Now, the data is ready to be 
transferred out of the computer, so the Data Link Layer starts packaging the data together with the delivery address.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 1 = Physical layer&lt;/span&gt;&lt;br /&gt;This is the step where data is converted into electrical signals that are understood by the network cables and devices.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qcE0aLM6I/AAAAAAAAA5U/2CnSZwJHrDo/s1600-h/OSI-Analogy.JPG"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qcE0aLM6I/AAAAAAAAA5U/2CnSZwJHrDo/s320/OSI-Analogy.JPG" alt="" id="BLOGGER_PHOTO_ID_5168615128962904994" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I think with this diagram, you have no excuse :) right?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;2- Protocols&lt;/span&gt;&lt;br /&gt;Each layer contains Protocols and/or Services that are responsible for performing its role; let’s see some examples of these protocols and services.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 7&lt;/span&gt; = Protocols such as HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), POP3 (Post Office Protocol), SMTP (Simple Mail Transfer Protocol)…&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 6&lt;/span&gt; = Standards such as ASCII (American Standard Code for Information Interchange), JPEG (Joint Photographic Experts Group), MIDI (Musical Instrument Digital Interface)…&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 5&lt;/span&gt; = APIs such as SQL (Structured Query Language), RPC (Remote Procedure Call), NetBIOS (Network Basic Input/Output System)…&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 4&lt;/span&gt; = Protocols such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), SPX (Sequenced Packet Exchange)…&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 3&lt;/span&gt; = 
Protocols such as IP (Internet Protocol), ICMP (Internet Control Message Protocol), IPX (Novell Internetwork Packet Exchange)…&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 2&lt;/span&gt; = Protocols such as ARP (Address Resolution Protocol), PPP (Point to Point Protocol)…&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Layer 1&lt;/span&gt; = Standards such as 10Base-T, T1…&lt;br /&gt;&lt;br /&gt;Don’t worry; we won’t be talking about all of these :)&lt;br /&gt;We will choose 4 of these, because that’s what we will need in this phase, at least :)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;3- Definitions&lt;/span&gt;&lt;br /&gt;Header = Protocol messages are built of a Header (a piece of information that the protocol needs to do its work) followed by data. Each layer’s protocol adds its own header to the payload (data) coming from the higher layer.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qcMEaLM7I/AAAAAAAAA5c/J3-4I66jTX4/s1600-h/Protocol-header.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qcMEaLM7I/AAAAAAAAA5c/J3-4I66jTX4/s320/Protocol-header.jpg" alt="" id="BLOGGER_PHOTO_ID_5168615253516956594" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Transport Protocols&lt;/span&gt; = these are protocols that have the ability to transfer data from one computer to the other.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Port&lt;/span&gt; = check the &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/whois.html"&gt;Whois &lt;/a&gt;lesson&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Flag&lt;/span&gt; = check the &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/whois.html"&gt;Whois &lt;/a&gt;lesson&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Reliable Delivery&lt;/span&gt; = what will happen if you send a postcard to a friend and 
it didn’t arrive? Well, it’s not a big deal, because your friend wouldn’t be upset, and he doesn’t care much himself :)&lt;br /&gt;What if you are sending money to someone through the post? Then, will you care or not? :)&lt;br /&gt;Of course you will; delivery at this moment is so important, it’s money, right?&lt;br /&gt;Some transport protocols use this method: they make sure that the message arrived at the right recipient.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Connection Oriented&lt;/span&gt; = how would you feel if you dialed a friend’s phone number, and your friend picked up the phone and didn’t say a word? And you keep talking to him, but he is just listening without saying a single word. Would you stay cool, or would you jump and hit him through the phone line? :)&lt;br /&gt;Some transport protocols are connection oriented: they make sure that the recipient is speaking the same language, hearing well, got every single word said, and they correct what was misunderstood or undelivered.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;TCP:&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qcMUaLM8I/AAAAAAAAA5k/C1nbBjhJfJo/s1600-h/TCP-Header.JPG"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qcMUaLM8I/AAAAAAAAA5k/C1nbBjhJfJo/s320/TCP-Header.JPG" alt="" id="BLOGGER_PHOTO_ID_5168615257811923906" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;* TCP or “Transmission Control Protocol” is a connection oriented protocol, which means that handshaking between the 2 machines occurs before any data is sent. 
If the handshake is successful, then a virtual connection is established between the 2 machines.&lt;br /&gt;* TCP is a reliable protocol in delivery, which means it ensures that the data reached the destination; it knows this as soon as it receives the ACK flag from the destination (for more information, reread the &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/whois.html"&gt;Whois &lt;/a&gt;lesson)&lt;br /&gt;* We said before that one of the Transport Protocol roles is to divide data into chunks and arrange the chunks in order, with numbers, to make sure of right delivery; this step is called sequencing.&lt;br /&gt;* If I’m talking to you very quickly, you would tell me “please, slow down, I can’t follow what you are saying”; this process is called “Congestion control”. When TCP is used as the transport protocol, it can control the amount of data to be sent according to the limits of the destination.&lt;br /&gt;* TCP is a slow protocol for 2 reasons:&lt;br /&gt;The long process of handshaking, waiting for the ACK flag whenever data is received, and sometimes resending data when it is lost.&lt;br /&gt;TCP uses a big amount of resources in establishing a lot of connections for the handshaking and the reliable delivery.&lt;br /&gt;&lt;br /&gt;Homework: Read &lt;a href="http://www.faqs.org/rfcs/rfc793.html"&gt;RFC number 793&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;UDP:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qcMUaLM9I/AAAAAAAAA5s/ACmPfRXNpo0/s1600-h/UDP-Header.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qcMUaLM9I/AAAAAAAAA5s/ACmPfRXNpo0/s320/UDP-Header.jpg" alt="" id="BLOGGER_PHOTO_ID_5168615257811923922" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;* UDP or “User Datagram Protocol” is a connectionless protocol, which is the opposite of what TCP does. 
UDP doesn’t use the handshake method; thus it doesn’t set up a virtual connection.&lt;br /&gt;* UDP is an unreliable protocol, which means that it sends the data without any care or guarantee whether the data reached the destination safely or not.&lt;br /&gt;* As UDP doesn’t care about reliable delivery, sequencing here would make no sense; because of that, UDP doesn’t use sequencing.&lt;br /&gt;* Once again, UDP doesn’t care whether the destination got the data or not, or whether it can understand it or not. Thus, there is no congestion control.&lt;br /&gt;* UDP is a very quick protocol, because few resources are used in transferring data and there is no reliable delivery.&lt;br /&gt;&lt;br /&gt;Homework: Read &lt;a href="http://www.ietf.org/rfc/rfc768.txt"&gt;RFC number 768&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;ICMP:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qcEEaLM2I/AAAAAAAAA40/sjyBtlwFiu8/s1600-h/ICMP-Header.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qcEEaLM2I/AAAAAAAAA40/sjyBtlwFiu8/s320/ICMP-Header.jpg" alt="" id="BLOGGER_PHOTO_ID_5168615116078003042" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We talked about ICMP before, so no need to repeat what we said. 
For more information, read the article on &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/tracerouting-and-lesson.html"&gt;Tracerouting&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Homework: Read &lt;a href="http://www.ietf.org/rfc/rfc792.txt"&gt;RFC number 792&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;IP:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qcEUaLM3I/AAAAAAAAA48/0xAqQnxP07c/s1600-h/IP-Header.JPG"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qcEUaLM3I/AAAAAAAAA48/0xAqQnxP07c/s320/IP-Header.JPG" alt="" id="BLOGGER_PHOTO_ID_5168615120372970354" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;IP or “Internet Protocol” is a connectionless protocol that is responsible for the addressing and routing of data. We always use the postal system as an analogy for the IP message: when you write a letter to someone, you put this letter in an envelope and send it to the post office. The letter here is the data to be sent through the network, the IP address is the address you wrote on the envelope, and the post office is the network through which the data is transferred.&lt;br /&gt;&lt;br /&gt;Homework: Read &lt;a href="http://www.ietf.org/rfc/rfc791.txt"&gt;RFC number 791&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Guys, this part is very critical and it is a prerequisite for being a great hacker. 
Master it.&lt;br /&gt;2 great books I would recommend you read if you have gaps in Networking concepts and terms:&lt;br /&gt;&lt;a href="http://www.amazon.com/Computer-Networks-Internet-Protocols-Action/dp/0471661864/ref=sr_11_1?ie=UTF8&amp;amp;qid=1202739207&amp;amp;sr=11-1"&gt;Computer Networks: Internet Protocols in Action&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.amazon.com/Interconnections-Internetworking-Protocols-Addison-Wesley-Professional/dp/0201634481/ref=sr_11_1?ie=UTF8&amp;amp;qid=1202738837&amp;amp;sr=11-1"&gt;Interconnections: Bridges, Routers, Switches, and Internetworking Protocols (2nd Edition)&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Please take care&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=y5QE8Ez4WPA:j75VgJCLwio:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=y5QE8Ez4WPA:j75VgJCLwio:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/y5QE8Ez4WPA/scanning-basics.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qcEkaLM4I/AAAAAAAAA5E/YEpovpdswG0/s72-c/Net-Design.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/scanning-basics.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-2921367586671721328</guid><pubDate>Sat, 02 Feb 2008 16:11:00 +0000</pubDate><atom:updated>2008-02-19T10:02:26.651+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>Reconnaissance Countermeasures</title><description>Because we are the good guys – hopefully – our role is not to hack, but to prevent and defend; so today we are not going to study the attacks themselves as before, but the countermeasures.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Search Engines’ countermeasures:&lt;/span&gt;&lt;br /&gt;We talked &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/search-engines-behind-scenes.html"&gt;before &lt;/a&gt;about search engines, what they are and how they work, and in our discussion we talked about robots or web crawlers, and how they crawl all over our website gathering every single page and every single link.&lt;br /&gt;&lt;br /&gt;First of all, &lt;span style="font-weight: bold;"&gt;how can we detect crawlers&lt;/span&gt; when they are accessing our website?&lt;br /&gt;If you are monitoring your website’s log file, almost daily you would see entries similar to these:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} 
catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qaG0aLMyI/AAAAAAAAA34/wOSfQQDNkxg/s1600-h/Reading-Log.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qaG0aLMyI/AAAAAAAAA34/wOSfQQDNkxg/s320/Reading-Log.png" alt="" id="BLOGGER_PHOTO_ID_5168612964299387682" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let’s analyze what the log file says:&lt;br /&gt;1- This is the IP Address of the machine that tried to access our website (by using the &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/whois.html"&gt;Whois&lt;/a&gt; technique, we can find out to whom this IP Address belongs)&lt;br /&gt;2- The date and time when this entry was created.&lt;br /&gt;3- The command issued (in our case, the command was to GET the webpage “search-engines-behind-scenes.htm”)&lt;br /&gt;4- The protocol used and its version (in our case, the protocol used was &lt;a href="http://en.wikipedia.org/wiki/HTTP"&gt;HTTP&lt;/a&gt;)&lt;br /&gt;5- The result status code; normally every request has a result: it might be success, it might be failure, and there are many other possible results. “200” here means “Success”, meaning that the HTTP request was fulfilled successfully. For more details about the “Result Status Codes” please visit &lt;a href="http://en.wikipedia.org/wiki/List_of_HTTP_status_codes"&gt;here&lt;/a&gt;&lt;br /&gt;6- This is the number of BYTES transferred, which in our case is 16056 BYTES. 
So a page of about 16 kilobytes was transferred to the requester.&lt;br /&gt;7- The “User Agent”, or the software used by the requester to visit our site; in our case here it is Mozilla or a browser that is compatible with Mozilla.&lt;br /&gt;8- This is the page the requester was on when he tried to access our site.&lt;br /&gt;&lt;br /&gt;To view a list of the most popular or well known robots, please visit &lt;a href="http://www.robotstxt.org/db.html"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now, how can we stop these crawlers from accessing our site?&lt;br /&gt;There are 3 ways at the moment to do that:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;1- Through robots.txt file:&lt;/span&gt;&lt;br /&gt;Normally, before any Robot visits your website, it searches for a file on your web root called “robots.txt”; this file gives instructions to the robots about which pages the robot is allowed to access and which it is not.&lt;br /&gt;Let’s examine a sample&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qaHEaLMzI/AAAAAAAAA4A/kxluMTJjsS8/s1600-h/Robot-txt.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qaHEaLMzI/AAAAAAAAA4A/kxluMTJjsS8/s320/Robot-txt.png" alt="" id="BLOGGER_PHOTO_ID_5168612968594354994" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In the sample above, the asterisk “*” means that the rule “Disallow” will apply to all robots.&lt;br /&gt;So, this means that no robot will be allowed to access the 4 folders and the 2 files mentioned.&lt;br /&gt;&lt;br /&gt;Let’s look at another example:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qaMkaLM0I/AAAAAAAAA4I/MpD3SoYdtnM/s1600-h/Robot-txt-Exp.png"&gt;&lt;img style="cursor: pointer;" 
src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qaMkaLM0I/AAAAAAAAA4I/MpD3SoYdtnM/s320/Robot-txt-Exp.png" alt="" id="BLOGGER_PHOTO_ID_5168613063083635522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In the first part, we are telling the bots: if you are “Googlebot” or “Msnbot”, then you are allowed to access every page.&lt;br /&gt;The second part tells the bots: if you are anything else, then you are not allowed to access these 4 folders and the 2 files.&lt;br /&gt;&lt;br /&gt;Did you get the idea? If you want to read more about the robots.txt file, please visit &lt;a href="http://www.robotstxt.org/robotstxt.html"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;2- Through META tags&lt;/span&gt;&lt;br /&gt;META tags are special HTML tags that you add in the HEAD section of every HTML page you have; these tags have many functions, and one of them is to instruct robots whether to ignore the page or not.&lt;br /&gt;Concerning robots, there are 6 META tags:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;INDEX:&lt;/span&gt; Instructs the robots to include this page in the Index created&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;NOINDEX:&lt;/span&gt; Instructs the robots NOT to include this page in the Index created, but just to browse it.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;FOLLOW:&lt;/span&gt; Instructs the robots to follow every link in the page&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;NOFOLLOW:&lt;/span&gt; Instructs the robots NOT to follow any link in the page.&lt;br /&gt;&lt;br /&gt;Let’s see an example:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qaGkaLMwI/AAAAAAAAA3o/20Msje1rqGA/s1600-h/Meta-tag.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qaGkaLMwI/AAAAAAAAA3o/20Msje1rqGA/s320/Meta-tag.png" alt="" id="BLOGGER_PHOTO_ID_5168612960004420354" border="0" /&gt;&lt;/a&gt;&lt;br 
/&gt;&lt;br /&gt;In the example above, we are instructing all ROBOTS not to index our page and not to follow any link.&lt;br /&gt;And if we want to allow some robots, then we have to put the allowed ones first, as in the following example&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qaG0aLMxI/AAAAAAAAA3w/BR1QVkrCNao/s1600-h/Meta-tag-Exp.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qaG0aLMxI/AAAAAAAAA3w/BR1QVkrCNao/s320/Meta-tag-Exp.png" alt="" id="BLOGGER_PHOTO_ID_5168612964299387666" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here, we are allowing the Google bot to index and follow all of the links, while we are prohibiting all of the others.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;3- Through Robot Traps&lt;/span&gt;&lt;br /&gt;You might ask a question now: are all of the robots kind enough to follow either the robots.txt or the META tags?&lt;br /&gt;Of course not. It is like with human beings: there are good ones and there are bad ones; there are the ones who obey orders, and there are the ones who look for rules just to disobey them.&lt;br /&gt;Robots are the same: there are the good ones that follow the rules, such as “Googlebot”, and there are the bad ones that look at what’s inside the robots.txt just to access what is listed there.&lt;br /&gt;For these bad ones, we are going to create a trap.&lt;br /&gt;The idea behind the trap is to create a folder that has nothing but a single page, which is going to be our trap, and add this page to the robots.txt as disallowed.&lt;br /&gt;What will happen when a bad robot accesses the robots.txt? 
He is curious enough to access what you disallowed, and the moment he accesses the page, an entry is created in a special report telling you &lt;span style="font-weight: bold;"&gt;WHO &lt;/span&gt;accessed &lt;span style="font-weight: bold;"&gt;WHAT &lt;/span&gt;and &lt;span style="font-weight: bold;"&gt;WHEN&lt;/span&gt;; then you can block this WHO from accessing your website completely.&lt;br /&gt;Did you get the idea?&lt;br /&gt;For more reading, search Google for (Robots traps)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Google Hacking Countermeasures:&lt;/span&gt;&lt;br /&gt;Remember when we were discussing “&lt;a href="http://haymanezzeldin.blogspot.com/2008/01/google-hacking.html"&gt;Google Hacking&lt;/a&gt;” and how much information we can retrieve from Google using special operators such as “intitle:”, “inurl:”, and others?&lt;br /&gt;It’s very difficult for Google Hacking to be detected or defended against, because the attacker is not actually attacking us; he is innocent, he is just using a search engine, which is legal, and he is not affecting your network in any way.&lt;br /&gt;&lt;br /&gt;But we still have a few things that, if we follow them, will make us safer:&lt;br /&gt;1- First of all, you have to make sure that your website has no sensitive information that is viewable to others; start removing all of the sensitive information such as: employees’ contact information, credit card numbers…&lt;br /&gt;2- Although we have updated our website and removed all of the sensitive data, some Search Engines have the capability to keep a cached version of your website.&lt;br /&gt;Remember in the article “&lt;a href="http://haymanezzeldin.blogspot.com/2008/01/hacking-terminology.html"&gt;Hacking – The Terminology&lt;/a&gt;” I gave you 2 links for a page, &lt;a href="http://www.sans.org/resources/glossary.php"&gt;the first is recent&lt;/a&gt;, and &lt;a href="http://web.archive.org/web/20030210130738/www.sans.org/resources/glossary.php"&gt;the second is 4 
years old&lt;/a&gt;; this is shocking, because it means that though you updated your website and it’s so clean now, there is a chance that one of the Search Engines still has a cached version of your site, right?&lt;br /&gt;The solution here is to contact this Search Engine and follow their instructions to remove old Cached versions of your site.&lt;br /&gt;For example, to remove your cached version from Google, follow this &lt;a href="http://www.google.com/support/webmasters/bin/topic.py?topic=8456"&gt;link&lt;/a&gt;&lt;br /&gt;While to remove your cached version from Archive.org, check the &lt;a href="http://www.archive.org/about/faqs.php"&gt;FAQ&lt;/a&gt;&lt;br /&gt;BUT, you have to apply that for every single Search Engine that keeps a cached version of your website, because hackers don’t just depend on Google’s engine. So take care.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Whois Countermeasures:&lt;/span&gt;&lt;br /&gt;We talked about &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/whois.html"&gt;Whois &lt;/a&gt;as a protocol and a tool that gives the hacker a lot of information, which can be considered the first step in hacking us.&lt;br /&gt;You might say: when I register my website, when I buy a domain name, I will give the Registrar fake information; I will give them a wrong email address, a wrong telephone number, everything will be wrong, so this way hackers will be misled.&lt;br /&gt;Although you can really do that, it’s not recommended at all, because these contact details are needed by the Registrar or by anyone else who needs to deliver you an important message. 
So faking this information is not the right way.&lt;br /&gt;But there are a few steps that we can follow to make sure we are on the safe side:&lt;br /&gt;1- Make sure you are registering your domain with one of the Registrars who offer Anonymous Registration, such as &lt;a href="http://www.networksolutions.com/domain-name-registration/private.jsp"&gt;Network Solutions&lt;/a&gt;: for an extra $9 you can hide your contact information from others, because Network Solutions will enter their contact information instead of yours.&lt;br /&gt;Although you have protected your contact information from others, you have also kept the good guys from reaching you quickly.&lt;br /&gt;2- If you prefer not to hide your contact information, then at least try to put a telephone number similar to the “800 toll-free phone numbers”, so that you don’t put a phone number that belongs to your real pool, and an email address that doesn’t show a naming pattern (firstname.lastname@mycompany.com shows a pattern, for example) and is not an administrator account :)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;DNS Zone Transfers Countermeasures:&lt;/span&gt;&lt;br /&gt;1- First of all, make sure your &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/dns-and-tools.html"&gt;Zone Transfer&lt;/a&gt; is restricted to the appropriate servers.&lt;br /&gt;For Windows, this can be managed from the DNS Manager.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qaGUaLMvI/AAAAAAAAA3g/WXMC2xZxkBA/s1600-h/DNS-Zone-transfer.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qaGUaLMvI/AAAAAAAAA3g/WXMC2xZxkBA/s320/DNS-Zone-transfer.png" alt="" id="BLOGGER_PHOTO_ID_5168612955709453042" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For BIND Servers, make sure that the “xfernets” directive in the file “etc/named.boot”, for example, is set to the right IP Addresses (xfernets belongs to the old BIND 4 named.boot format; BIND 8 and 9 use the allow-transfer option in named.conf for the same purpose)&lt;br 
/&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;xfernets 192.168.2.20&amp;amp;255.255.255.255 192.168.2.30&amp;amp;255.255.255.255&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This directive says that Zone Transfers are allowed only to the hosts 192.168.2.20 and 192.168.2.30 (the 255.255.255.255 mask limits each entry to a single host).&lt;br /&gt;2- Second, make sure that your firewall is blocking any unauthorized inbound connection to TCP port 53: TCP because DNS Zone Transfer uses TCP as its Transport protocol, and port 53 because this is the port of DNS communications.&lt;br /&gt;3- Third, we can use a technique called “Split DNS”; let’s look at a figure to imagine how it is, then we can describe it.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qaNEaLM1I/AAAAAAAAA4Q/_54ojGopofc/s1600-h/Split-DNS.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qaNEaLM1I/AAAAAAAAA4Q/_54ojGopofc/s320/Split-DNS.jpg" alt="" id="BLOGGER_PHOTO_ID_5168613071673570130" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here we create 2 Primary DNS servers, 1 external and 1 internal; on the external DNS server we just add the information for the Public Servers, such as the Web Server, while on the internal one we add all of the information for the internal hosts.&lt;br /&gt;So, if an attacker wants to make a Zone Transfer, he won’t be able to get any information about the internal network; he will only be allowed to access the public servers.&lt;br /&gt;For more information about creating a Split DNS, please visit &lt;a href="http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Tracerouting Countermeasures:&lt;/span&gt;&lt;br /&gt;As we have seen in our &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/tracerouting-and-lesson.html"&gt;Tracerouting &lt;/a&gt;lesson, it was almost impossible to stop us from tracerouting our 
target, because we used different techniques.&lt;br /&gt;For example, in the beginning we used “tracert” and “Traceroute”, which used ICMP messages, and our target was able to block these packets by filtering the ICMP Time Exceeded messages on the firewall.&lt;br /&gt;But when we tried to send TCP Packets (by using TCPtraceroute) instead of UDP and ICMP Echo, we were able to go through, because almost every computer on the network needs TCP ports to be opened for communication.&lt;br /&gt;1- So our countermeasure for Tracerouting is to filter or block ICMP Time Exceeded messages (by this we will be able to block all traditional tracerouting tools that use ICMP).&lt;br /&gt;2- Make sure that only required ports are opened on your clients; at least any attacker trying to traceroute or map your network will be able to reach only the external part.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Social Engineering Countermeasures:&lt;/span&gt;&lt;br /&gt;I know that this is the most difficult part :) because none of us can control the users, right?&lt;br /&gt;In fact it all depends on your Organization’s Management; if they do care about security, then you are minimizing the risks a great deal. But if they are like “C’mon, we have a firewall”, then you are in great danger.&lt;br /&gt;There is nothing technical you can do here; all you can do is what are considered soft defenses:&lt;br /&gt;1- A Security Policy that addresses the behavior of all employees, partners and whoever falls under the authority of the organization; this policy dictates what actions are acceptable. 
This security policy must be available at any time to every person in your organization, it must be enforced, there shouldn’t be any exceptions in applying the policy, and the policy should be signed annually by your employees.&lt;br /&gt;2- We have seen through the examples in the &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/abandoned-art-social-engineering.html"&gt;Social Engineering&lt;/a&gt; article that users can innocently give sensitive information to attackers, just because the attackers seemed trustworthy. Users get confused: should I give my password or not, should I say my email address or not?&lt;br /&gt;This behavior should change; users should feel the importance of security in their life and mostly in their business. Users should learn how to respond to security breaches. Users should practice scenarios to learn more about hackers and what they can do.&lt;br /&gt;This can never be known to nontechnical employees unless it’s delivered through a special training called “Security Awareness”.&lt;br /&gt;To read more about Security Awareness programs and what should be included in the program, please visit &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now, we are finished with the first phase, “Reconnaissance” or “Data Gathering”.&lt;br /&gt;No, No, your role is not yet finished, you have to do your homework :)&lt;br /&gt;All I’m asking at the moment is to reread the articles again, slowly, and with a lot of concentration. And if there is a point that you don’t understand, don’t say “It will come later”. NO, it has to come now; you have time and you have to understand it now. 
Search, search, and search for what you don’t understand.&lt;br /&gt;&lt;br /&gt;Till next phase,&lt;br /&gt;Please Take care&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-2921367586671721328?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=OKEzJY_aRPI:qKyvAHLunLY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=OKEzJY_aRPI:qKyvAHLunLY:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/OKEzJY_aRPI" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/OKEzJY_aRPI/reconnaissance-countermeasures.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qaG0aLMyI/AAAAAAAAA34/wOSfQQDNkxg/s72-c/Reading-Log.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/02/reconnaissance-countermeasures.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-8727560423448733852</guid><pubDate>Sat, 26 Jan 2008 12:35:00 +0000</pubDate><atom:updated>2008-01-28T08:08:24.402+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>The Abandoned Art (Social Engineering)</title><description>I’m sure that there was at least one time when you received these kind of emails which tell you about Mr. X who died somewhere and left a LOT of MONEY, and the lawyer or the family need your help and you will get MILLIONS of DOLLARS for your simple help.&lt;br /&gt;Does it ring a bell? I’m sure it does. At least for me :)&lt;br /&gt;&lt;br /&gt;Today’s lesson is about an art, an abandoned art in hacking. It’s the art of Social Engineering.&lt;br /&gt;&lt;br /&gt;We all have hearts, we all have feelings, and there are a lot of moments when our feelings drive us. Our role as hackers is to pick and use the moments when others have feelings, to get the information we need out of them.&lt;br /&gt;&lt;br /&gt;Do you remember our target, the company XYZ, who hired you to analyze their system? 
They spent millions of dollars to buy the latest technologies in everything and the most secure products at the moment, they have the best employees, the best administrators, everything we dream of.&lt;br /&gt;C’mon, we have a firewall, intrusion prevention, VPN, our servers are the brand …, what else do we need, we are an arsenal?&lt;br /&gt;The company ignored a very large vulnerability; the company ignored the “Human Factor”.&lt;br /&gt;A mistake by one employee might cost the arsenal a lot.&lt;br /&gt;&lt;br /&gt;I always liked stories, to read or to listen to. I hope you do too, coz I want to tell you 2 scenarios that were mentioned in the great book of social engineering “The Art of Deception”, written by the great social engineer “Kevin Mitnick”, so let’s see&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Scenario 1: A LITTLE HELP FOR THE NEW GAL&lt;/span&gt;&lt;br /&gt;New employees are a ripe target for attackers. They don't know many people yet, they don't know the procedures or the dos and don'ts of the company. And, in the name of making a good first impression, they're eager to show how cooperative and quick to respond they can be.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Helpful Andrea&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;HR:&lt;/span&gt; "Human Resources, Andrea Calhoun."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Andrea, hi, this is Alex, with Corporate Security." &lt;span style="color: rgb(153, 0, 0);"&gt;(He started the conversation with a friendly tone)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;HR:&lt;/span&gt; "Yes?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "How're you doing today?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;HR:&lt;/span&gt; "Okay. 
What can I help you with?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Listen, we're developing a security seminar for new employees and we need to round up some people to try it out on. I want to get the name and phone number of all the new hires in the past month. Can you help me with that?" &lt;span style="color: rgb(153, 0, 0);"&gt;(A request for help always makes the person asked feel happy, coz it shows them how important they are and how valuable their help would be)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;HR:&lt;/span&gt; "I won't be able to get to it 'til this afternoon. Is that okay? What's your extension?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Sure, okay, it's 52 . . . oh, uh, but I'll be in meetings most of today. I'll call you when I'm back in my office, probably after four." &lt;span style="color: rgb(153, 0, 0);"&gt;(He started giving an imaginary number just to make HR believe that he was going to give it to her, but then suddenly he remembered the meeting)&lt;/span&gt;&lt;br /&gt;When Alex called about 4:30, Andrea had the list ready, and read him the names and extensions.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;A Message for Rosemary&lt;/span&gt;&lt;br /&gt;Rosemary Morgan was &lt;span style="font-style: italic;"&gt;delighted&lt;/span&gt; with her new job. She had never worked for a magazine before and was finding the people much &lt;span style="font-style: italic;"&gt;friendlier &lt;/span&gt;than she expected, a surprise because of the never-ending pressure most of the staff was always under to get yet another issue finished by the monthly deadline. 
The call she received one Thursday morning reconfirmed that impression of &lt;span style="font-style: italic;"&gt;friendliness&lt;/span&gt;.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Is that Rosemary Morgan?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "Yes."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Hi, Rosemary. This is Bill Jorday, with the Information Security group."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "Yes?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Has anyone from our department discussed best security practices with you?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "I don't think so."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Well, let's see. For starters, we don't allow anybody to install software brought in from outside the company. That's because we don't want any liability for unlicensed use of software. And to avoid any problems with software that might have a worm or a virus." &lt;span style="color: rgb(153, 0, 0);"&gt;(Have you noticed that the hacker is always saying facts?)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "Okay."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Are you aware of our email policies?" &lt;span style="color: rgb(153, 0, 0);"&gt;(And between the facts he gets to what he looks for)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "No."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "What's your current email address?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "Rosemary@ttrzine.net." 
&lt;span style="color: rgb(153, 0, 0);"&gt;(He got an email address)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Do you sign in under the username Rosemary?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "No, it's R underscore Morgan." &lt;span style="color: rgb(153, 0, 0);"&gt;(He got a username)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Right. We like to make all our new employees aware that it can be dangerous to open any email attachment you aren't expecting. Lots of viruses and worms get sent around and they come in emails that seem to be from people you know. So if you get an email with an attachment you weren't expecting you should always check to be sure the person listed as sender really did send you the message. You understand?" &lt;span style="color: rgb(153, 0, 0);"&gt;(He says facts again)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "Yes, I've heard about that."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Good. And our policy is that you change your password every ninety days.&lt;br /&gt;When did you last change your password?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "I've only been here three weeks; I'm still using the one I first set."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Okay, that's fine. You can wait the rest of the ninety days. But we need to be sure people are using passwords that aren't too easy to guess. Are you using a password that consists of both letters and numbers?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "No."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; “We need to fix that. What password are you using now?" 
&lt;span style="color: rgb(153, 0, 0);"&gt;(See how friendly he is, he is trying to fix a mistake she did, so he is offering help)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "It's my daughter's name - Annette."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "That's really not a secure password. You should never choose a password that's based on family information. Well, let's see.., you could do the same thing I do.&lt;br /&gt;It's okay to use what you're using now as the first part of the password, but then each time you change it, add a number for the current month." &lt;span style="color: rgb(153, 0, 0);"&gt;(He is offering her a secure, easy to apply solution, no complications for new comers)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "So if I did that now, for March, would I use three, or oh-three."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "That's up to you. Which would you be more comfortable with?" &lt;span style="color: rgb(153, 0, 0);"&gt;(He cares for her comfort, not just giving orders like all Security Administrators)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "I guess Annette-three."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Fine. Do you want me to walk you through how to make the change?" &lt;span style="color: rgb(153, 0, 0);"&gt;(Now, you might say, he should end the call, coz he got what he wants, but this is not right for 2 reasons: The New Employee might really not know how to change the password, so she might go to the IT department and tell them that the friendly security guy called her and she should change the password!!! 
The second reason is that Social Engineering attacks might fail coz of any suspicious feeling)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "No, I know how."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Good. And one more thing we need to talk about. You have anti-virus software on your computer and it's important to keep it up to date. You should never disable the automatic update even if your computer slows down every once in a while. Okay?"&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;New Employee:&lt;/span&gt; "Sure."&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker:&lt;/span&gt; "Very good. And do you have our phone number over here, so you can call us if you have any computer problems?"&lt;br /&gt;She didn't. He gave her the number, she wrote it down carefully, and went back to work, once again, pleased at how well taken care of she felt.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Scenario 2: MESSAGE FROM A FRIEND&lt;/span&gt;&lt;br /&gt;Remember our lesson last week about &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/email-and-tracking.html"&gt;Email forging&lt;/a&gt;? Imagine: You've decided not to take any chances. You will no longer download any files except from secure sites that you know and trust, such as SecurityFocus.com or Amazon.com. You no longer click on links in email from unknown sources. You no longer open attachments in any email that you were not expecting. And you check your browser page to make sure there is a secure site symbol on every site you visit for e-commerce transactions or to exchange confidential information.&lt;br /&gt;And then one day you get an email from a friend or business associate that carries an attachment. Couldn't be anything malicious if it comes from someone you know well, right? Especially since you would know who to blame if your computer data were damaged.&lt;br /&gt;You open the attachment, and... 
BOOM! You just got hit with a worm or Trojan Horse. Why would someone you know do this to you? Because some things are not as they appear. You've read about this: the worm that gets onto someone's computer, and then emails itself to everyone in that person's address book. Each of those people gets an email from someone he knows and trusts, and each of those trusted emails contains the worm, which propagates itself like the ripples from a stone thrown into a still pond.&lt;br /&gt;The reason this technique is so effective is that it follows the theory of killing two birds with one stone: The ability to propagate to other unsuspecting victims, and the appearance that it originated from a trusted person.&lt;br /&gt;&lt;br /&gt;Have you seen how easy it was to get inside your target without touching a tool?&lt;br /&gt;But, what is this “Social Engineering” which will get us all the information we need, even without touching a tool?&lt;br /&gt;Social Engineering is “&lt;span style="font-style: italic;"&gt;A form of hacking that relies upon influence, deception and/or psychological manipulation to persuade unwitting people to comply with a request&lt;/span&gt;”&lt;br /&gt;As you have seen in the previous 2 scenarios, the way you influence people is what gets you in. 
With just &lt;span style="font-weight: bold;"&gt;some emotions&lt;/span&gt; that appear on the surface you were able to delve into your target, in &lt;span style="font-weight: bold;"&gt;5 minutes&lt;/span&gt; or less, &lt;span style="font-weight: bold;"&gt;without paying&lt;/span&gt; a penny (unless you mind paying for the phone call), at &lt;span style="font-weight: bold;"&gt;low risk&lt;/span&gt; (coz even if somebody knew that you were trying to social engineer them, all they can do is hang up), with &lt;span style="font-weight: bold;"&gt;no log files&lt;/span&gt; showing your attacks, and finally your attack would work &lt;span style="font-weight: bold;"&gt;no matter what Operating System or software is used&lt;/span&gt;. This is Social Engineering, don’t you think we should add it to our attacking arsenal?&lt;br /&gt;&lt;br /&gt;You might say, Uhhh but I’m not a social person, I’m shy, I’m confident when I’m alone, but when it comes to phones and meeting people whom I don’t know, I’m sure I will mess up.&lt;br /&gt;You know what the answer to your dilemma is?&lt;br /&gt;It’s a word you have heard so many times and you will keep hearing all the time: &lt;span style="font-weight: bold;"&gt;Practice, Practice, Practice&lt;/span&gt;, even if you are practicing “Social Engineering”&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;First&lt;/span&gt; start practicing with your relatives, brothers, sisters, parents, any family member, talk about hobbies, talk about what you saw in the news, something you read, try to let them talk a lot (People make mistakes when they talk a lot), try to gather information you don't need (pets, birthdays, hobbies…).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Then&lt;/span&gt;, go to your friends, colleagues, whoever you meet. Failure in such situations won’t cost you anything. Sooner or later, you will notice that talents are not something to be born with. 
Talents are to be developed.&lt;br /&gt;&lt;br /&gt;Let’s now talk about the tactics used to Social Engineer someone:&lt;br /&gt;1- &lt;span style="font-weight: bold;"&gt;Trust:&lt;/span&gt; People are always in need of a trustworthy person; we all need someone to share our secrets, our feelings.&lt;br /&gt;To create Trust for Social Engineering usage, don’t ask suspicious questions; don’t ask direct questions about secret information, don’t be in a rush to get the information you need coz it might take 2 or 3 or even more times.&lt;br /&gt;&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;Authority:&lt;/span&gt; “Boss” is always a scary word; employees are always in a competition to satisfy bosses, right? :)&lt;br /&gt;Bosses’ orders always have the priority, for that it is very important to have the “Self Confidence” to ACT like a boss when you do your Social Engineering.&lt;br /&gt;&lt;br /&gt;3- &lt;span style="font-weight: bold;"&gt;Help:&lt;/span&gt; This is the tender heart we all have, we like to help others, and we feel proud when others need our help and feel prouder when we are able to help others.&lt;br /&gt;This technique is called “Reverse Social Engineering” because here you are the one who is pretending to “Offer Help”, though it’s not the case.&lt;br /&gt;Remember, when I was talking about this kind of spam we get in our mailboxes all the time about Mr. X who has millions of dollars, and his family needs your help to get the money out of the country for political reasons or so?&lt;br /&gt;Your tender heart will say, c’mon, these people need my help, and I won’t lose anything, and besides that I will get a lot of money, let’s do it. 
They got you!!&lt;br /&gt;&lt;br /&gt;4- &lt;span style="font-weight: bold;"&gt;Gaining physical access:&lt;/span&gt; There is a very interesting book called “No Tech Hacking”, written by Johnny Long and Kevin Mitnick, and there is a very interesting scenario in it, where the hacker enters a company by acting like an employee, being friendly and talking about yesterday’s match and how it ended up. Employees thought he was one of them and they let him in; he got the drawings he wanted and left without anybody noticing him.&lt;br /&gt;&lt;br /&gt;5- &lt;span style="font-weight: bold;"&gt;Dumpster diving:&lt;/span&gt; Although Dumpster Diving is not a "Social Engineering" technique, it is a great help because you can't imagine how much information you would get from what companies throw in their trash. I’m sure a lot of you are laughing now, garbage? What will I get from garbage?&lt;br /&gt;Just read this: &lt;a href="http://www.news.com/Oracle-chief-defends-Microsoft-snooping/2100-1001_3-242560.html"&gt;http://www.news.com/Oracle-chief-defends-Microsoft-snooping/2100-1001_3-242560.html&lt;/a&gt;&lt;br /&gt;In the year 2000, there was this big case of Microsoft in court, and Oracle hired a detective agency to buy Microsoft’s garbage, trying to expose what Microsoft was doing. 
Interesting :)&lt;br /&gt;&lt;br /&gt;Talking about Social Engineering deserves books; 2 of the greatest books talking about this amazing technique are:&lt;br /&gt;&lt;a href="http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X/ref=sr_11_1?ie=UTF8&amp;amp;qid=1201339704&amp;amp;sr=11-1"&gt;The Art of Deception&lt;/a&gt;, Authored by Kevin Mitnick&lt;br /&gt;&lt;a href="http://www.amazon.com/No-Tech-Hacking-Engineering-Dumpster/dp/1597492159/ref=sr_11_1?ie=UTF8&amp;amp;qid=1201339759&amp;amp;sr=11-1"&gt;No Tech Hacking&lt;/a&gt;, Authored by Johnny Long and Kevin Mitnick&lt;br /&gt;Try to get both books, they are full of scenarios and techniques, for sure some will work for you.&lt;br /&gt;&lt;br /&gt;Our next article is going to be the last in the “Data Gathering” or “Reconnaissance” phase; we will discuss the countermeasures to all of the attacks that happened in this phase,&lt;br /&gt;So stay with us :)&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Take care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-8727560423448733852?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=DeJhep5k5Bw:TXDCmwpbnQA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=DeJhep5k5Bw:TXDCmwpbnQA:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/DeJhep5k5Bw" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/DeJhep5k5Bw/abandoned-art-social-engineering.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/abandoned-art-social-engineering.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-4922501816183115424</guid><pubDate>Thu, 24 Jan 2008 07:08:00 +0000</pubDate><atom:updated>2008-02-19T09:55:16.315+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>Email and Tracking</title><description>“You have got Mail”&lt;br /&gt;Have you ever heard this sentence?&lt;br /&gt;Right, it’s the American romantic comedy of Tom Hanks and Meg Ryan :)&lt;br /&gt;Just kidding.&lt;br /&gt;&lt;br /&gt;No, really what I mean here is the email system and the email message itself. We all receive emails every day, but have we ever thought about how it worked, what data is hidden in the emails, how the spammer knew about my email address, how he can forge his details all the time!!&lt;br /&gt;&lt;br /&gt;This is our lesson today.&lt;br /&gt;&lt;br /&gt;But first, let me ask you a question, why would we need to know this information?&lt;br /&gt;An Email is a digital message that is stored on digital media (hard disks, flash memories…). An Email is the most common way of communication among people. An Email is the shuttle that transports almost all malwares to our computers. An Email is involved in a lot of high-tech crimes. Sometimes an Email is the only way to trace bad guys. 
For all of that, an Email means a lot in security.&lt;br /&gt;&lt;br /&gt;For all of us, email is very simple; you just open your mail client (Outlook, Emacs…), type your message and click “send”, and BAM, “your email is gone”, another BAM, “and your email arrived at the recipient” :) right?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qYv0aLMrI/AAAAAAAAA2s/qQGsTjubbTc/s1600-h/Email_4_People.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qYv0aLMrI/AAAAAAAAA2s/qQGsTjubbTc/s320/Email_4_People.jpg" alt="" id="BLOGGER_PHOTO_ID_5168611469650768562" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In reality, this is not the case; it’s a little bit more complicated, so let’s look at the real steps that happen, starting from you typing your email till it reaches its destination.&lt;br /&gt;&lt;br /&gt;1- First you create an Email (which you want to send to xyz@xyz.com) in the MUA “Mail User Agent” (which is the email client or application where you send and read your emails, such as: Outlook, Thunderbird…), and click send.&lt;br /&gt;&lt;br /&gt;2- Your message gets transferred to the MTA “Mail Transfer Agent” (which is the application that is responsible for &lt;span style="font-weight: bold;"&gt;transferring &lt;/span&gt;emails from one computer to another; normally we know that as the Mail Server, such as: Microsoft Exchange Server, Postfix…)&lt;br /&gt;Note 1: For my computer to talk to the Mail Server about sending a message, they use a protocol called SMTP “Simple Mail Transfer Protocol”, with port 25 open on the Mail Server.&lt;br /&gt;&lt;br /&gt;3- Now, the Mail Server holds the message but doesn’t know where to take it. 
So it starts asking the DNS Server about the MTA “Mail Transfer Agent” (which is the application that is responsible for receiving &lt;span style="font-weight: bold;"&gt;incoming &lt;/span&gt;emails) of the domain name (xyz.com). If available, the DNS Server provides the Mail Server with the IP of the MTA of the destination (xyz.com).&lt;br /&gt;&lt;br /&gt;4- The SMTP Server at your domain starts talking to the SMTP Server of the destination domain (xyz.com) on port 25, and delivers the message.&lt;br /&gt;Note 2: The 2 Mail Servers communicate using the SMTP protocol on port 25&lt;br /&gt;&lt;br /&gt;5- Now the message is at the Mail Server of the destination domain (xyz.com), which delivers the message to another interface using either the POP3 Protocol (Post Office Protocol) or IMAP (Internet Message Access Protocol). These 2 protocols act exactly like the post office; they sort the emails and deliver each email to the correct mailbox.&lt;br /&gt;&lt;br /&gt;6- For the recipient to read the Email he has to open his MUA (email client) and press “get mail” or “send and receive” or whatever the option is called in your application.&lt;br /&gt;&lt;br /&gt;7- The MUA starts talking to the Mail Server using either POP3 or IMAP, which immediately retrieves the Emails stored in the mailbox.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qYv0aLMsI/AAAAAAAAA20/FFwhm6c2L1k/s1600-h/Email_4_Real.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qYv0aLMsI/AAAAAAAAA20/FFwhm6c2L1k/s320/Email_4_Real.jpg" alt="" id="BLOGGER_PHOTO_ID_5168611469650768578" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;These are the steps that show how email works. 
Let’s now dissect an Email.&lt;br /&gt;An Email consists of 2 parts:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Header:&lt;/span&gt; This part is mostly hidden from the eyes of the user.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Body:&lt;/span&gt; This is the message itself, and it’s the part which you see.&lt;br /&gt;&lt;br /&gt;Let’s look at this email&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qYvkaLMqI/AAAAAAAAA2k/ATxQrcGHUTA/s1600-h/Email.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qYvkaLMqI/AAAAAAAAA2k/ATxQrcGHUTA/s320/Email.png" alt="" id="BLOGGER_PHOTO_ID_5168611465355801250" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here we can see a few fields and the body, but this information we all know about. And anyway, where is the header you talked about, and what is a header?&lt;br /&gt;The &lt;span style="font-weight: bold;"&gt;Email Header&lt;/span&gt; is a piece of data containing several lines that are added to the email as it travels from the sender’s computer till it reaches its destination.&lt;br /&gt;Remember that in the figure describing the email journey, we showed that the email passes through servers, routers and the Internet till it reaches its destination. Each server the mail passes through stamps the email with its IP Address, date, time and more. 
This is what creates the Email Header.&lt;br /&gt;&lt;br /&gt;Let’s have a look at an Email Header:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qYwEaLMtI/AAAAAAAAA28/zSkJUWQRoDc/s1600-h/Email_Header.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qYwEaLMtI/AAAAAAAAA28/zSkJUWQRoDc/s320/Email_Header.png" alt="" id="BLOGGER_PHOTO_ID_5168611473945735890" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you can see, it’s a lot of lines, with weird titles :)&lt;br /&gt;Don’t worry, everything will be clear now.&lt;br /&gt;&lt;br /&gt;1- &lt;span style="font-weight: bold;"&gt;Delivered-to:&lt;/span&gt; The Email address the message will be delivered to; if the sender for example is sending to mailinglist@xyz.com, then this field will include the Email mailinglist@xyz.com and not every single user in the mailing list&lt;br /&gt;&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;Received:&lt;/span&gt; A Received field is added to the header for each step of the mail delivery process. In our example you see the Received field 4 times&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Can you guess which IP Address was the originator of the Email?&lt;/span&gt;&lt;br /&gt;Hint: The Received fields are read from bottom to top&lt;br /&gt;I deleted the IP address, but you can tell from the time stamp of the Received field, which shows “12:59:40 -0800”. 
The Received fields higher up represent the hops the message took till it reached the destination.&lt;br /&gt;The Received field format differs from server to server, but generally you will see the IP address of the sending system, the host name of the system (if the host name doesn’t really match the IP, then the message is forged), and the time stamp of the message sending.&lt;br /&gt;&lt;br /&gt;The Received field format and sequence is like this:&lt;br /&gt;Received: From Machine 3 ([xxx.xxx.xxx.xxx]) by Machine 4&lt;br /&gt;Received: From Machine 2 ([xxx.xxx.xxx.xxx]) by Machine 3&lt;br /&gt;Received: From Machine 1 ([&lt;span style="font-weight: bold;"&gt;xxx.xxx.xxx.xxx&lt;/span&gt;]) by Machine 2 (the last “Received” is the originator)&lt;br /&gt;&lt;br /&gt;3- &lt;span style="font-weight: bold;"&gt;Return-Path:&lt;/span&gt; The Email address that should be used in case any error occurs while the email is being sent; it is also the Email you will use to send back a reply.&lt;br /&gt;&lt;br /&gt;4- &lt;span style="font-weight: bold;"&gt;Received-SPF&lt;/span&gt;: SPF stands for “Sender Policy Framework”; it’s a feature that can be added to SMTP to discourage spammers from forging the “From” field. The administrator of an Internet domain can specify which machines are allowed to transmit emails from this domain by creating an SPF record in the DNS. When a spammer forges the “From” field of my domain, the SPF client queries my DNS to see if this email was really authorized through my Mail Server or not.&lt;br /&gt;There are 7 results for this query: Pass (as in the header above), Fail, SoftFail, Neutral, None, Permerror, and Temperror.&lt;br /&gt;&lt;br /&gt;5- &lt;span style="font-weight: bold;"&gt;Authentication-Results:&lt;/span&gt; There is an Email verification system called DomainKeys, which is used to prevent forging email addresses. DomainKeys uses the concept of Public and Private Keys; let’s give an example for that. 
I have 2 encryption keys, 1 public and 1 private; the private one is used to encrypt the messages, while the public one is used by others to decrypt the messages. When the receiving Mail Server sees that the message is signed with my key, it will retrieve the public key from my DNS records and decrypt the message. If the message is decrypted successfully, then the mail is valid. And if the public key wasn’t able to decrypt the message, then the message is forged or tampered with.&lt;br /&gt;The Authentication-Results field is the result of decrypting the message using the public key. And as you can see the result is “Pass”&lt;br /&gt;&lt;br /&gt;6- &lt;span style="font-weight: bold;"&gt;Message-ID:&lt;/span&gt; This is a unique ID for the message that can never be duplicated, and is created by the mail system when the mail is created. The Message-ID can be used by an administrator to locate the Email in a log.&lt;br /&gt;This field can be forged as well, but this can be detected by comparing the ID format to legitimate messages from the same site.&lt;br /&gt;For example:&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;BAY125-W13FF6F07F710DD5CEBCE83D2440@phx.gbl&lt;/span&gt; (this is from the figure above)&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;BAY125-W42351024FF11B0771400CBEE860@phx.gbl&lt;/span&gt; (this is from another email)&lt;br /&gt;The Message-ID format is UniqueID@SiteName&lt;br /&gt;&lt;br /&gt;7- &lt;span style="font-weight: bold;"&gt;Content-Type:&lt;/span&gt; This field describes the data contained in the body of the message, so that the receiving application can choose the appropriate way to read the data (like Plain-Text, HTML…)&lt;br /&gt;There are 7 types: Text, Multipart (like the figure above), Message, Image, Audio, Video, and Application&lt;br /&gt;&lt;br /&gt;8- &lt;span style="font-weight: bold;"&gt;X-Originating-IP:&lt;/span&gt; This field tells you the IP address of the computer from which the Email was sent.&lt;br /&gt;&lt;br /&gt;9- 
&lt;span style="font-weight: bold;"&gt;References:&lt;/span&gt; This field contains a list of Message-IDs, listing the Parent, Grandparent, Great-Grandparent… of the message, oldest first. The purpose of this field is to allow messages to be grouped into conversations by the user’s program. This is a very helpful field if you are using Newsgroups, for example: you might be involved in a conversation discussing something, and finally you want to close this discussion; this field will be used in closing the discussion because it contains all of the parents involved.&lt;br /&gt;&lt;br /&gt;10- &lt;span style="font-weight: bold;"&gt;MIME-Version:&lt;/span&gt; This shows the version of the MIME standard (“Multipurpose Internet Mail Extensions”), which is the standard that describes the format of attachments and how they are sent over the Internet.&lt;br /&gt;&lt;br /&gt;11- &lt;span style="font-weight: bold;"&gt;X-OriginalArrivalTime:&lt;/span&gt; This is the time the message was submitted to the 1st Mail Server (usually the same as the time stamp listed in the lowest “Received” field).&lt;br /&gt;&lt;br /&gt;Note1: When you check your mail header, you will not necessarily find all of the fields mentioned above; there might be fewer, there might be more.&lt;br /&gt;&lt;br /&gt;So now to the points that will allow us to trace spammers:&lt;br /&gt;1- Don’t forget to use the tools we already learned in previous articles (DNS Lookup, Whois, Traceroute); they will be very helpful in catching spammers.&lt;br /&gt;2- Always start reading the header from the bottom, coz headers are always added on top. 
So the first header is the one at the bottom.&lt;br /&gt;3- Now you have the spammer’s IP address; by using Whois you can query the IP and get all the details required about the spammer’s ISP, or the company whose mail server the spammer is using to send these spams.&lt;br /&gt;4- Now you have to send an email to the ISP or the company, providing them with the Email Header and the message that shows the spam.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Anyway, we didn’t talk today about this to start complaining :)&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;But to understand.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you are bothered by reading and analyzing these headers, you can use a Web Site that provides a “Spam Locator” service; an example is here &lt;a href="http://www.geobytes.com/SpamLocator.htm"&gt;http://www.geobytes.com/SpamLocator.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now, how can these spammers forge their emails?&lt;br /&gt;There are 2 important ways of doing that:&lt;br /&gt;1- Through &lt;span style="font-weight: bold;"&gt;Mail Relaying&lt;/span&gt;&lt;br /&gt;Mail Relaying is an old but interesting technique; with the high security products available now, this technique is somewhat obsolete (not totally).&lt;br /&gt;But I would like to discuss it, coz for sure we will learn something from it.&lt;br /&gt;&lt;br /&gt;2- The second way is through software that we used to call &lt;span style="font-weight: bold;"&gt;Bulk Mail&lt;/span&gt; or &lt;span style="font-weight: bold;"&gt;Mass Mail&lt;/span&gt;. And by the way, spammers call this software &lt;span style="font-weight: bold;"&gt;Bulk Marketing&lt;/span&gt; :)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Mail Relaying&lt;/span&gt;&lt;br /&gt;Let’s discuss Mail Relaying first, and then check a piece of the Bulk Mail.&lt;br /&gt;Imagine you are sitting in the bus; a guy got on and sat on the seat behind you. 
He got money out of his pocket for the ticket and handed it to you to hand it yourself to the driver (because you are a kind person, and your bad luck put you behind the driver :))&lt;br /&gt;What will happen is that you will take the money and give it to the driver, who will give you back the ticket, and then you will give it back to the guy sitting behind you.&lt;br /&gt;Mail Relaying is exactly the step when you took the money from the guy and handed it to the driver (the driver didn’t take the money from the guy directly, but from you)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qYwUaLMuI/AAAAAAAAA3E/osAH8c604u4/s1600-h/Mail_Relaying.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qYwUaLMuI/AAAAAAAAA3E/osAH8c604u4/s320/Mail_Relaying.jpg" alt="" id="BLOGGER_PHOTO_ID_5168611478240703202" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let’s look at this scenario and see how the bad guy (badguy@badguy.com) can send his target (mytargetuser@mytargetdomain.com) an email by using the SMTP server (MTA) of the domain innocentdomain.com as an “Open Relay”&lt;br /&gt;The bad guy opens his command shell (“Command Prompt” for Windows users and “Konsole” for Linux users), and types the following:&lt;br /&gt;1- First step, he will try to find the MX record responsible for the domain innocentdomain.com by using the nslookup command and querying the MX record (remember the lesson)&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;nslookup&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;set type=mx&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;innocentdomain.com&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2- After he has figured out which mail server is published, he can use another command called telnet (this command will allow us to establish 
a connection to a remote server), and we will try to establish this connection on port 25 (the port responsible for SMTP communication)&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;telnet mx.innocentdomain.com 25&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;3- Now, the telnet DOS-like window opens, welcoming you with a Banner (we will see in another lesson how these Banners can be beneficial)&lt;br /&gt;I will write the command, and between brackets I will describe what is happening:&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;Helo anythingwrittenhere&lt;/span&gt; (the command helo is used like an introduction of yourself, and of course this can be fake, you can write anything)&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;Mail from: &amp;lt;fakename@fakedomain.com&amp;gt;&lt;/span&gt; (Now you start typing in what fake email you want to appear to your target)&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;Rcpt to: &amp;lt;mytargetuser@mytargetdomain.com&amp;gt;&lt;/span&gt; (This is the email of your target, and of course no need to fake it, right?)&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;Any message to be typed here&lt;/span&gt; (Here you start typing the message you want to deliver; it can be a single line or a multi-line field)&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;Any second line if you want&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;font-family:courier new;" &gt;.&lt;/span&gt; (don’t forget the (.), coz simply it means that your message is finished)&lt;br /&gt;&lt;br /&gt;Although open relays have not been widely used for some time now, and are not used anymore by Bulk Marketing, I just mentioned Mail Relaying for 2 reasons:&lt;br /&gt;The first is that it was used for a long time, and it worked 
fine. And we need to think about how the bad guys are looking for any mistakes in our systems, just to make use of them.&lt;br /&gt;The second reason is that there are still people who believe in “Open relay”, but from the freedom point of view. There is a guy called &lt;a href="http://en.wikipedia.org/wiki/John_Gilmore_%28activist%29"&gt;John Gilmore&lt;/a&gt;; he argues that running an open relay is a free speech issue. And although his “Open Relay” server is blacklisted by antispammers, he is still running projects like this defending free speech.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:180%;"&gt;Bulk Marketing&lt;/span&gt;&lt;br /&gt;Spammers or Marketers use “Mail Crawlers” (do you remember the term &lt;a href="http://haymanezzeldin.blogspot.com/2008/01/search-engines-behind-scenes.html"&gt;Crawler&lt;/a&gt;?) to gather emails from websites to be used in their spamming.&lt;br /&gt;They do that in 4 simple steps:&lt;br /&gt;1- Email Extraction: this is the step where they start sending crawlers all over the web to gather all the email addresses they can (did you notice that some websites have changed their email addresses to the format “&lt;span style="font-style: italic;"&gt;myname [at] mycompany [dot] com&lt;/span&gt;”? They changed it to this format because crawlers were always looking for the sign “@”. 
By the way, some crawlers now know how to search even if the @ sign is removed)&lt;br /&gt;2- Email List Creation: after they gather the emails, they start arranging these emails into lists according to their spamming aim (by alphabetical order, by industry…)&lt;br /&gt;3- Email List Maintenance: this step is the one of keeping the live emails updated, and removing the non-existent emails.&lt;br /&gt;4- Bulk Emails: this is the bothering step for us :) coz this is when we get these into our Junk box.&lt;br /&gt;&lt;br /&gt;There is a third way of sending fake emails, which is using software such as “Email Forger” or “Phasma”, or using a Web Site that offers this kind of service such as “&lt;a href="http://www.elitec0ders.net/afteranonimousmail.htm"&gt;Elitc0ders.net&lt;/a&gt;”&lt;br /&gt;&lt;br /&gt;For the 100 millionth time, this information is just for learning, and it’s not intended in any way to be taught for the reason of harming others, so please learn with attention and care for yourself and for others.&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Take care.&lt;div class="feedflare"&gt;
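To put the header-reading steps above into practice, here is an added example (my code, not the post's, and not any tool the post names) that parses a raw header, walks the Received lines from the bottom up to find the originating IP and its time stamp, reads the SPF and DomainKeys results, and flags the mismatches a forged message leaves behind. Both sample headers are constructed; only the Message-ID value is taken from the post's figure.

```python
"""Read an email header as the post does: Received bottom-up, SPF/DomainKeys results,
Message-ID site, and whether X-Originating-IP agrees with the bottom Received line.
Added example, not the post's code; both headers are constructed (documentation IPs)."""
import re

# "from HOST ([IP]) by HOST", the Received sequence the post shows.
RECEIVED_RE = re.compile(
    r"from\s+([^\s;]+)\s+\(?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)?\s+by\s+([^\s;]+)", re.I)
TIME_RE = re.compile(r"(\d\d:\d\d:\d\d\s[+-]\d{4})")
SPF_RESULTS = ("pass", "fail", "softfail", "neutral", "none", "permerror", "temperror")
ANGLES = chr(60) + chr(62)   # angle brackets that usually wrap a Message-ID

# Constructed: a legitimate message that crossed four hops.
SAMPLE_HEADER = """Delivered-To: mailinglist@xyz.com
Received: from mx4.xyz.com ([192.0.2.40]) by mail.xyz.com; Mon, 21 Jan 2008 13:03:10 -0800
Received: from mx3.example.net ([198.51.100.30]) by mx4.xyz.com; Mon, 21 Jan 2008 13:02:55 -0800
Received: from mx2.example.net ([198.51.100.20]) by mx3.example.net; Mon, 21 Jan 2008 13:01:02 -0800
Received: from home-pc.isp.example ([203.0.113.17]) by mx2.example.net; Mon, 21 Jan 2008 12:59:40 -0800
Return-Path: sender@example.net
Received-SPF: pass (mx2.example.net: domain of example.net designates 203.0.113.17 as permitted sender)
Authentication-Results: mx4.xyz.com; domainkeys=pass header.from=sender@example.net
Message-ID: BAY125-W13FF6F07F710DD5CEBCE83D2440@phx.gbl
X-Originating-IP: [203.0.113.17]
"""

# Constructed: a forged "bank" mail pushed through a relay. SPF fails, there is no
# DomainKeys result, and the sender-supplied X-Originating-IP disagrees with Received.
FORGED_HEADER = """Delivered-To: victim@xyz.com
Received: from mail.bank.example ([192.0.2.99]) by mx.xyz.com; Tue, 22 Jan 2008 09:10:11 -0800
Received: from dialup-77.isp.example ([203.0.113.77]) by mail.bank.example; Tue, 22 Jan 2008 09:09:50 -0800
Return-Path: alerts@bank.example
Received-SPF: fail (mx.xyz.com: domain of bank.example does not designate 203.0.113.77 as permitted sender)
Message-ID: 0001@bulkmailer.example
X-Originating-IP: [198.51.100.5]
"""


def parse_header(text):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    fields = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and fields:        # continuation of previous field
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def get(fields, name, default=""):
    """First value of a header field, matched case-insensitively."""
    values = [v for n, v in fields if n.lower() == name.lower()]
    return values[0] if values else default


def received_chain(fields):
    """Received lines in delivery order: the bottom one (the originator) first.
    A sender can prepend fake Received lines, so the first line added by a
    server you trust is the reliable starting point."""
    chain = []
    for value in reversed([v for n, v in fields if n.lower() == "received"]):
        m, t = RECEIVED_RE.search(value), TIME_RE.search(value)
        chain.append({"from_host": m.group(1) if m else "",
                      "ip": m.group(2) if m else "",
                      "by_host": m.group(3) if m else "",
                      "timestamp": t.group(1) if t else ""})
    return chain


def analyze(text):
    """Summarize the fields the post walks through and flag inconsistencies."""
    fields = parse_header(text)
    chain = received_chain(fields)
    origin = chain[0]["ip"] if chain else ""
    spf = get(fields, "Received-SPF").split(" ")[0].lower()
    spf = spf if spf in SPF_RESULTS else "unknown"
    dk = re.search(r"domainkeys=(\w+)", get(fields, "Authentication-Results"), re.I)
    domainkeys = dk.group(1).lower() if dk else "none"
    x_orig = get(fields, "X-Originating-IP").strip("[]")
    warnings = []
    if spf != "pass":
        warnings.append("SPF result is " + spf)
    if domainkeys != "pass":
        warnings.append("DomainKeys result is " + domainkeys)
    if x_orig and origin and x_orig != origin:
        warnings.append("X-Originating-IP differs from the bottom Received IP")
    return {"delivered_to": get(fields, "Delivered-To"), "hops": len(chain),
            "originating_ip": origin,
            "origin_time": chain[0]["timestamp"] if chain else "",
            "spf": spf, "domainkeys": domainkeys,
            "message_id_site": get(fields, "Message-ID").strip(ANGLES).rpartition("@")[2],
            "warnings": warnings}


if __name__ == "__main__":
    for label, header in (("legitimate", SAMPLE_HEADER), ("forged", FORGED_HEADER)):
        print(label, analyze(header))
```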
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/YJvQ-JJI6QM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/YJvQ-JJI6QM/email-and-tracking.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qYv0aLMrI/AAAAAAAAA2s/qQGsTjubbTc/s72-c/Email_4_People.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/email-and-tracking.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-7964024662157959746</guid><pubDate>Sun, 20 Jan 2008 11:31:00 +0000</pubDate><atom:updated>2008-02-19T09:47:19.591+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>Tracerouting and Lesson</title><description>Today’s lesson is extremely important for me, and hopefully for you. Coz through this lesson, I want to send a message to every wannabe hacker. Although the lesson itself is easy, the message is so serious, so please follow me.&lt;br /&gt;&lt;br /&gt;Our technique today is called “Tracerouting”!&lt;br /&gt;Bing Bing, this “Tracerouting” is ringing a bell in my head, Oh ya, isn’t it the tool which is called “tracert” on windows and “traceroute” on Linux? 
I know it, I know it, it’s this tool which shows a list of routers between 2 systems, the first is my computer and the other is the target.&lt;br /&gt;&lt;br /&gt;:) Well, you are right this time again “in a way” :)&lt;br /&gt;&lt;br /&gt;Let’s discuss some terms as usual before we hop into “Tracerouting”&lt;br /&gt;1- &lt;span style="font-weight: bold;"&gt;TTL (Time To Live):&lt;/span&gt; “If this guy didn’t give you his wallet in 6 seconds, KILL him”, “Man, your time to live is decreasing now, 6, 5, 4, 3, 2, 1, BANG” and the guy is dead. “TTL” in computers works almost the same way: the TTL of a packet determines how long the packet can stay alive; if the TTL of the packet reaches zero then it is discarded.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qVJUaLMnI/AAAAAAAAA1U/_H0Vxn0aAxU/s1600-h/TTL.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qVJUaLMnI/AAAAAAAAA1U/_H0Vxn0aAxU/s320/TTL.jpg" alt="" id="BLOGGER_PHOTO_ID_5168607509690921586" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you can see from the previous figure, the TTL is decreased by 1 on every router: the first hop went from “My computer” to the first router, where the TTL is decreased by 1, and then the second hop went to the second router, where the TTL reached 0, which means “Time Exceeded” or “This packet cannot live anymore, and it must die”.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Normally, when a packet leaves the host, the system by default gives it a TTL count that is high enough for the packet to reach its destination&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;ICMP (Internet Control Message Protocol):&lt;/span&gt; ICMP is a supportive protocol; it helps the IP protocol in maintaining communication between hosts. ICMP’s main job is to send messages reporting errors that occurred to packets. 
There are so many types of ICMP messages&lt;br /&gt;Let’s see an example:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qUx0aLMfI/AAAAAAAAA0U/UMbOpNKiuh4/s1600-h/Ping.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qUx0aLMfI/AAAAAAAAA0U/UMbOpNKiuh4/s320/Ping.png" alt="" id="BLOGGER_PHOTO_ID_5168607105963995634" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We all know the command “Ping”; what we see here is a successful ping from my computer to my router. But let’s see how it appeared in Wireshark:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qUxkaLMeI/AAAAAAAAA0M/n4TFOgTVWwQ/s1600-h/ICMP_Type8_Code0.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qUxkaLMeI/AAAAAAAAA0M/n4TFOgTVWwQ/s320/ICMP_Type8_Code0.png" alt="" id="BLOGGER_PHOTO_ID_5168607101669028322" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In the top pane, we can see 4 “Echo requests” and 4 “Echo replies”. While in the bottom pane, we can see an “Internet Control Message Protocol” with “Type 8” and “Code 0”.&lt;br /&gt;What is “Type 8”? And what is “Code 0”? 
And are there more types or codes than these?&lt;br /&gt;There are 256 “ICMP Message types”, starting from “Type 0” till “Type 255”; many of these types have codes. Let’s see an example with “Type 8” which we just saw&lt;br /&gt;&lt;br /&gt;Type 8 means an “Echo Message” or a request, and “Type 8” has no codes, that’s why we can see that the code here is “Code 0”&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qUxEaLMcI/AAAAAAAAAz8/B4ArmanjNa0/s1600-h/ICMP_Type0_Code0.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qUxEaLMcI/AAAAAAAAAz8/B4ArmanjNa0/s320/ICMP_Type0_Code0.png" alt="" id="BLOGGER_PHOTO_ID_5168607093079093698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;While in the reply, we can see “Type 0” and “Code 0”&lt;br /&gt;Type 0 means an “Echo Reply”, and “Type 0” as well has no codes related to it, that’s why we see “Code 0”&lt;br /&gt;&lt;br /&gt;Let’s try a ping that gives us an error; maybe we can see a different Type or Code&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qUyEaLMgI/AAAAAAAAA0c/MM7GMZYfFCs/s1600-h/Ping_Unreachable.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qUyEaLMgI/AAAAAAAAA0c/MM7GMZYfFCs/s320/Ping_Unreachable.png" alt="" id="BLOGGER_PHOTO_ID_5168607110258962946" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here I disabled, on the router, the interface that leads to the LAN 172.16.0.0, so the router replied to my machine 10.0.0.10 that the host 172.16.0.10 is unreachable&lt;br /&gt;Let’s see what ICMP message types and codes are generated here:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qUxUaLMdI/AAAAAAAAA0E/1T5GKDS2LHk/s1600-h/ICMP_Type3_Code1.png"&gt;&lt;img 
style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qUxUaLMdI/AAAAAAAAA0E/1T5GKDS2LHk/s320/ICMP_Type3_Code1.png" alt="" id="BLOGGER_PHOTO_ID_5168607097374061010" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here we can see ICMP message “Type 3” which means “Destination Unreachable”, but let me ask you something: what was our destination? Was it a computer? Was it a network? Was it a port?&lt;br /&gt;This is what the code will indicate&lt;br /&gt;As we can see, “Code 1” means “HOST unreachable”; there are more codes for ICMP message “Type 3”:&lt;br /&gt;Code 0 = Net Unreachable&lt;br /&gt;Code 1 = Host Unreachable&lt;br /&gt;Code 2 = Protocol Unreachable&lt;br /&gt;Code 3 = Port Unreachable and so on…&lt;br /&gt;&lt;br /&gt;To see a list of all Types and all Codes, you can visit &lt;a href="http://www.iana.org/assignments/icmp-parameters"&gt;http://www.iana.org/assignments/icmp-parameters&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;NOW, we can start talking about our technique for today, Tracerouting: what is it? Why would I need it in hacking? How does it work?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What is Tracerouting?&lt;/span&gt;&lt;br /&gt;Tracerouting is the operation of sending packets with a low TTL, starting from TTL=1 and increasing by 1, till one reaches the required target. Chinese, huh? :)&lt;br /&gt;Let’s clarify that:&lt;br /&gt;Remember, I said that as soon as the TTL reaches zero, the packet is discarded. Let’s follow these steps:&lt;br /&gt;&lt;br /&gt;1- So, if “My computer” sends a packet with TTL=1, what will happen? 
The packet will make 1 hop to “router 01”, which will find that the TTL has reached ZERO already, so the packet must be discarded at the first router and “My computer” will get an ICMP message “Type 11” which means “Time Exceeded”&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qVJkaLMoI/AAAAAAAAA1c/kU_QFTiLMV4/s1600-h/TTL%3D1.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qVJkaLMoI/AAAAAAAAA1c/kU_QFTiLMV4/s320/TTL%3D1.jpg" alt="" id="BLOGGER_PHOTO_ID_5168607513985888898" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- Now, “My computer” will send another packet with TTL=2. What will happen is that the packet will hop to “router 01”, and then “router 02”, which will discard the packet because its TTL reached ZERO, and will send me the “Time Exceeded” message.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qVJUaLMnI/AAAAAAAAA1U/_H0Vxn0aAxU/s1600-h/TTL.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qVJUaLMnI/AAAAAAAAA1U/_H0Vxn0aAxU/s320/TTL.jpg" alt="" id="BLOGGER_PHOTO_ID_5168607509690921586" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3- The same scenario will happen again and again till the packet reaches the destined computer “My Target”, which will finally reply to my request&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qVJkaLMpI/AAAAAAAAA1k/duR1Ypd7VT8/s1600-h/TTL%3D4.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qVJkaLMpI/AAAAAAAAA1k/duR1Ypd7VT8/s320/TTL%3D4.jpg" alt="" id="BLOGGER_PHOTO_ID_5168607513985888914" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now I know that I will keep sending packets to routers, and receiving “Time Exceeded” messages from these 
routers, till I finally reach the Target&lt;br /&gt;&lt;br /&gt;But, what will I gain from that? &lt;span style="font-weight: bold;"&gt;Why would a hacker need to use this technique?&lt;/span&gt;&lt;br /&gt;For attackers, Tracerouting is very useful in learning the network topology of the target, because you learn the routes that lead to it and which router connects your target to the internet, besides that router being a device that can be attacked.&lt;br /&gt;For white hat hackers, Tracerouting can be used to track the attackers, know their location, and allow you to know which ISPs they use (in case you want to involve Law Enforcement)&lt;br /&gt;&lt;br /&gt;Now, it’s Tools time :)&lt;br /&gt;There are 3 types of tools here:&lt;br /&gt;1- &lt;span style="font-weight: bold;"&gt;DOS-like interfaces&lt;/span&gt; such as Tracert (for Windows users) and Traceroute (for Linux users)&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;Graphical interfaces&lt;/span&gt; such as VisualRoute (for Windows and Linux users) and GTrace (for Linux users)&lt;br /&gt;3- &lt;span style="font-weight: bold;"&gt;Web Sites&lt;/span&gt; that provide the service of Tracerouting, such as &lt;a href="http://member.dnsstuff.com/pages/tools.php"&gt;DNSStuff.com&lt;/a&gt; and &lt;a href="http://centralops.net/"&gt;CentralOps.net&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;From the Command prompt (using Tracert)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qU_UaLMlI/AAAAAAAAA1E/ksZaJq59rvE/s1600-h/Tracert.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qU_UaLMlI/AAAAAAAAA1E/ksZaJq59rvE/s320/Tracert.png" alt="" id="BLOGGER_PHOTO_ID_5168607337892229714" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;From the Linux Konsole (using Traceroute)&lt;br 
/&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qU-0aLMjI/AAAAAAAAA00/aL2gwM7SoeE/s1600-h/Traceroute.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qU-0aLMjI/AAAAAAAAA00/aL2gwM7SoeE/s320/Traceroute.png" alt="" id="BLOGGER_PHOTO_ID_5168607329302295090" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;So, what’s happening now? We gained nothing from using either Tracert or Traceroute, because there is a router that is blocking the ICMP Time Exceeded messages&lt;br /&gt;Before we start complaining, let’s Wireshark both of the commands to see what is happening behind the scenes&lt;br /&gt;&lt;br /&gt;This is the result of Tracert&lt;/span&gt;&lt;span&gt;:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qVJUaLMmI/AAAAAAAAA1M/sGs0B8rmkfU/s1600-h/Tracert_Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qVJUaLMmI/AAAAAAAAA1M/sGs0B8rmkfU/s320/Tracert_Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168607509690921570" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;While this is the result from Traceroute:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qU_EaLMkI/AAAAAAAAA08/iMyoZkBs9f0/s1600-h/Traceroute_Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qU_EaLMkI/AAAAAAAAA08/iMyoZkBs9f0/s320/Traceroute_Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168607333597262402" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Tracert uses the ICMP protocol, and most Security Engineers know that ping and Tracert are 2 of the most important tools for hackers and depend so much on the ICMP protocol; that’s why one of the first steps they take is to block 
ICMP messaging.&lt;br /&gt;Traceroute, on the other hand, uses UDP plus a random high port number in sending its Tracerouting packets. The reason for that is to avoid any ICMP filtering.&lt;br /&gt;&lt;br /&gt;But, what can we do if our target is filtering both UDP and ICMP?&lt;br /&gt;Then I will quit hacking and find another job :)&lt;br /&gt;&lt;br /&gt;C’mon, let’s think a little bit: ICMP is blocked, and UDP is blocked as well.&lt;br /&gt;What is the other protocol that we can use for sending our Tracerouting packet?&lt;br /&gt;It’s TCP&lt;br /&gt;Yes, we can use TCP instead of UDP, because in most cases these firewalls which block the ICMP and UDP packets are permitting inbound TCP packets on specific ports, right? By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, &lt;a href="http://michael.toren.net/code/tcptraceroute/"&gt;TCPtraceroute&lt;/a&gt; is able to bypass the most common firewall filters. Let’s try and see:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qU-kaLMhI/AAAAAAAAA0k/N0r0NkplVik/s1600-h/TCPtraceroute.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qU-kaLMhI/AAAAAAAAA0k/N0r0NkplVik/s320/TCPtraceroute.png" alt="" id="BLOGGER_PHOTO_ID_5168607325007327762" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qU-0aLMiI/AAAAAAAAA0s/dNGQXX26PSc/s1600-h/TCPtraceroute_Wireshark.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qU-0aLMiI/AAAAAAAAA0s/dNGQXX26PSc/s320/TCPtraceroute_Wireshark.png" alt="" id="BLOGGER_PHOTO_ID_5168607329302295074" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;WOW, did you see that? It worked! 
That is amazing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;The Lesson:&lt;/span&gt;&lt;br /&gt;Guys, do you remember when I said in the beginning of the article that there is an important lesson I want you to learn? Tracerouting was just 1 part of the lesson.&lt;br /&gt;Now it’s time to talk about the second part.&lt;br /&gt;Have you seen how the hackers think?&lt;br /&gt;They found that the Security Engineers started to block ICMP Echo requests, so they &lt;span style="font-weight: bold;"&gt;thought &lt;/span&gt;and &lt;span style="font-weight: bold;"&gt;figured out&lt;/span&gt; a way to make it UDP based.&lt;br /&gt;And when they found that both are blocked now, they &lt;span style="font-weight: bold;"&gt;thought &lt;/span&gt;and &lt;span style="font-weight: bold;"&gt;developed &lt;/span&gt;a tool that uses TCP instead.&lt;br /&gt;What would have happened if this tool TCPtraceroute didn’t exist? Would we wait till somebody creates it for us? Would we wait till somebody thinks for us?&lt;br /&gt;Remember my first article “&lt;a href="http://haymanezzeldin.blogspot.com/2008/01/hacking-mindset.html"&gt;Hacking – The Mindset&lt;/a&gt;”; I put a link there to an amazing article called “&lt;a href="http://www.catb.org/%7Eesr/faqs/hacker-howto.html"&gt;How to become a Hacker&lt;/a&gt;”. In this article, Eric Raymond said that the first basic skill for hackers is “&lt;a href="http://www.catb.org/%7Eesr/faqs/hacker-howto.html#skills1"&gt;Learn how to program&lt;/a&gt;”. Did you follow that? Did you start already? Or are you still a &lt;a href="http://en.wikipedia.org/wiki/Script_kiddie"&gt;Script Kiddie&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Please take care.&lt;div class="feedflare"&gt;
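The TTL walk and the ICMP Type/Code values discussed in this post, as an added example (my code, not the post's, and not any tool the post names): it builds and decodes ICMP packets with the RFC 792 checksum, then runs the increasing-TTL probe over a constructed three-router topology, first intact and then with the last router's interface to the target disabled, as in the post's "unreachable" experiment. Host names and addresses are constructed.

```python
"""Simulate the TTL walk the post describes and decode the ICMP answer each probe
gets back, the way Wireshark shows Type/Code. Added example, not the post's code;
the topology below is constructed to match the post's figures (3 routers, 1 target)."""
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}
TYPE3_CODES = {0: "Net Unreachable", 1: "Host Unreachable",
               2: "Protocol Unreachable", 3: "Port Unreachable"}


def icmp_checksum(data):
    """RFC 792 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data = data + b"\x00"                       # pad an odd trailing byte
    total = 0
    for i in range(0, len(data), 2):
        total = total + int.from_bytes(data[i:i + 2], "big")
    while total != total % 0x10000:                 # fold carries back into 16 bits
        carry, total = divmod(total, 0x10000)
        total = total + carry
    return 0xFFFF - total                           # one's complement of the sum


def build_icmp(icmp_type, code, payload=b""):
    """ICMP header (type, code, checksum) followed by the payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + payload


def checksum_ok(packet):
    """A valid packet sums to all ones, so its checksum comes out as zero."""
    return len(packet) not in (0, 1, 2, 3) and icmp_checksum(packet) == 0


def parse_icmp(packet):
    """(type, code, description) as in the Wireshark panes in the post."""
    if not checksum_ok(packet):
        raise ValueError("truncated ICMP packet or bad checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    name = ICMP_TYPES.get(icmp_type, "Type %d" % icmp_type)
    if icmp_type == 3:                              # only Type 3 carries codes here
        name = name + " / " + TYPE3_CODES.get(code, "Code %d" % code)
    return icmp_type, code, name


# Constructed topology: next hop toward the target, plus the set of next hops whose
# interface has been disabled (the post's "unreachable" experiment).
NETWORK = {
    "10.0.0.10":   {"next": "10.0.0.1",    "down": set()},   # My computer
    "10.0.0.1":    {"next": "192.0.2.1",   "down": set()},   # router 01
    "192.0.2.1":   {"next": "192.0.2.2",   "down": set()},   # router 02
    "192.0.2.2":   {"next": "172.16.0.10", "down": set()},   # router 03
    "172.16.0.10": {"next": None,          "down": set()},   # My Target
}


def probe(network, src, dst, ttl):
    """Send one packet with the given TTL; return (replying node, ICMP reply)."""
    node = src
    while True:
        if node == dst:
            return node, build_icmp(0, 0)           # target answers: Echo Reply
        nxt = network[node]["next"]
        if nxt is None or nxt in network[node]["down"]:
            return node, build_icmp(3, 1)           # cannot forward: Host Unreachable
        node = nxt                                  # the packet makes one hop
        if node != dst:                             # routers decrement TTL on arrival
            ttl = ttl - 1
            if ttl == 0:                            # discarded: Time Exceeded (Type 11)
                return node, build_icmp(11, 0)


def traceroute(network, src, dst, max_hops=30):
    """Raise TTL from 1 until something other than Time Exceeded comes back."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, reply = probe(network, src, dst, ttl)
        icmp_type, code, name = parse_icmp(reply)
        hops.append((ttl, responder, icmp_type, code, name))
        if icmp_type != 11:
            break
    return hops


def with_link_down(network, router, neighbour):
    """Copy of the topology with one interface disabled on one router."""
    copy = {k: {"next": v["next"], "down": set(v["down"])} for k, v in network.items()}
    copy[router]["down"].add(neighbour)
    return copy


if __name__ == "__main__":
    for hop in traceroute(NETWORK, "10.0.0.10", "172.16.0.10"):
        print(hop)
    broken = with_link_down(NETWORK, "192.0.2.2", "172.16.0.10")
    for hop in traceroute(broken, "10.0.0.10", "172.16.0.10"):
        print(hop)
```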
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/_68rwtujxL8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/_68rwtujxL8/tracerouting-and-lesson.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qVJUaLMnI/AAAAAAAAA1U/_H0Vxn0aAxU/s72-c/TTL.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/tracerouting-and-lesson.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-5916821626824082671</guid><pubDate>Mon, 14 Jan 2008 10:35:00 +0000</pubDate><atom:updated>2008-02-19T09:29:26.979+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>DNS and Tools</title><description>Do you have a good memory or a bad memory?&lt;br /&gt;If you have a bad one like me, then you will need this lesson, coz it will make life easier.&lt;br /&gt;And if you have a good one like me :), then you will need this lesson, to appreciate having one :).&lt;br /&gt;&lt;br /&gt;Which is easier to remember, 207.46.193.254 or www.microsoft.com?&lt;br /&gt;For sure it’s the second one, because human beings are more comfortable dealing with and memorizing words than digits.&lt;br /&gt;&lt;br /&gt;Which is easier to write in your Internet browser, 198.133.219.25 or www.cisco.com?&lt;br /&gt;Still the second, coz you can remember a few easy words better than this long number, right?&lt;br /&gt;&lt;br /&gt;On the Internet, every machine has its unique IP Address (it acts like an ID), and to access any resource that belongs to this machine, you have to request it using the IP Address. 
And as I said, because it’s difficult for humans to remember a lot of long numbers and easier to remember names, the idea of “Name Servers” was the solution. The simple concept behind “Name Servers” is to have a list (like a database) that maps the name of a resource to its physical address (IP address).&lt;br /&gt;For example:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Microsoft.com&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;www                      207.46.193.254&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;technet               207.46.16.252&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;support              64.4.52.254&lt;/span&gt;&lt;br /&gt;And so on…&lt;br /&gt;&lt;br /&gt;Open your Internet browser and, instead of typing &lt;a href="http://technet.microsoft.com/"&gt;http://technet.microsoft.com&lt;/a&gt;, type &lt;a href="http://207.46.16.252/"&gt;http://207.46.16.252&lt;/a&gt;; you will find that both links take you to the same page.&lt;br /&gt;&lt;br /&gt;Before we talk about how this translation happens, let’s discuss a few things.&lt;br /&gt;1- Do you know these sites? 
(You don’t have to know them; I’m just giving examples of the domains org, edu, gov, us…)&lt;br /&gt;www.unesco.org&lt;br /&gt;www.harvard.edu&lt;br /&gt;www.whitehouse.gov&lt;br /&gt;www.eccuni.us/&lt;br /&gt;2- You know trees: there is a root in the ground, out of the root grows a trunk with a lot of branches, out of the branches grow more branches, and on the branches you find leaves (maybe not on the lower tree :)).&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qQ_UaLMaI/AAAAAAAAAy0/oO8oJMwd79s/s1600-h/Tree_right.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qQ_UaLMaI/AAAAAAAAAy0/oO8oJMwd79s/s320/Tree_right.jpg" alt="" id="BLOGGER_PHOTO_ID_5168602939845718434" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let’s put this tree upside down (just keep it upside down for now :))&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qQ_kaLMbI/AAAAAAAAAy8/5GvQ37Rs_90/s1600-h/Tree_upside.JPG"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qQ_kaLMbI/AAAAAAAAAy8/5GvQ37Rs_90/s320/Tree_upside.JPG" alt="" id="BLOGGER_PHOTO_ID_5168602944140685746" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3- Name Servers, or Domain Name Servers, have a tree structure (hierarchy): at the top of the tree you find the “Root”, below the root there are the “&lt;span style="font-weight: bold;"&gt;Top Level Domains&lt;/span&gt; or &lt;span style="font-weight: bold;"&gt;TLD&lt;/span&gt;”, and below the TLDs there are the “&lt;span style="font-weight: bold;"&gt;Second Level Domains&lt;/span&gt; or &lt;span style="font-weight: bold;"&gt;SLD&lt;/span&gt;”.&lt;br /&gt;There are 2 types of TLD: &lt;span style="font-weight: bold;"&gt;gTLD&lt;/span&gt;, which stands for “&lt;span style="font-weight: bold;"&gt;generic Top Level 
Domains&lt;/span&gt;”, and these are the domains .com (commercial), .edu (education), .gov (government), and so on. The second type is &lt;span style="font-weight: bold;"&gt;ccTLD&lt;/span&gt;, which stands for “&lt;span style="font-weight: bold;"&gt;country code Top Level Domains&lt;/span&gt;”, and these are the domains that represent countries, such as .de (Deutschland or Germany), .eg (Egypt), .us (USA), and so on.&lt;br /&gt;I’m sure that after looking at the following figure, you will understand what I mean:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQmEaLMSI/AAAAAAAAAx0/S2EYma_rwl0/s1600-h/DNS_Hierarchy.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQmEaLMSI/AAAAAAAAAx0/S2EYma_rwl0/s320/DNS_Hierarchy.jpg" alt="" id="BLOGGER_PHOTO_ID_5168602506054021410" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you can see in the previous figure, at the top of the hierarchy are the Root DNS Servers; they contain information about the next lower level, which is the TLD. There are 13 organizations around the world responsible for the 13 Root DNS Servers and for maintaining their DNS databases. To see the full list, visit the link &lt;a href="http://www.root-servers.org/"&gt;http://www.root-servers.org/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The second level in the hierarchy is the TLD, which represents the DNS servers for .com, .edu, .gov, .de, .eg, .us, …&lt;br /&gt;These servers contain information about the next lower level, which is the SLD, such as microsoft, cisco, google, and so on. These SLDs are themselves responsible for maintaining their own DNS.&lt;br /&gt;&lt;br /&gt;Let’s take an example of a simple query to understand how the process of “Name resolving” works:&lt;br /&gt;You are sitting at your computer in your office browsing the Internet, when suddenly you get the idea to check the latest news from Microsoft. 
So you open your browser and type www.microsoft.com; here are the steps of what happens:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qQ1UaLMTI/AAAAAAAAAx8/_pWYpsF9JBQ/s1600-h/DNS_Query.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qQ1UaLMTI/AAAAAAAAAx8/_pWYpsF9JBQ/s320/DNS_Query.jpg" alt="" id="BLOGGER_PHOTO_ID_5168602768047026482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1- After you type “www.microsoft.com” in your web browser, your computer checks the local configuration file and the local cache to see if your machine already knows the IP address for “www.microsoft.com”. If no information is found, your computer sends a DNS request to the local DNS server, asking “do you have the IP address for the machine www.microsoft.com?”. If the answer is “YES”, we go immediately to step 8. If not, we go to step 2.&lt;br /&gt;2- The local DNS server already knows the 13 “Root DNS Servers” we talked about before, so it sends its request to a “Root DNS Server”, asking the same question: “do you have the IP address for the machine www.microsoft.com?”&lt;br /&gt;3- If the “Root DNS Server” doesn’t have the information required, it replies with a “Referral” to the next lower level (TLD), which in our case is the “com DNS Servers”.&lt;br /&gt;4- The local DNS server sends the request to the referred server, asking “do you have the IP address for the domain microsoft.com?”. There are 2 possibilities here: either the domain name exists or it doesn’t. If it doesn’t exist (i.e. there is no domain at all called microsoft.com), it sends the reply “Non-Existent Domain”. 
If the domain exists, proceed to step 5.&lt;br /&gt;5- If the “com DNS Server” doesn’t have the exact IP related to the request, it refers the local DNS server to the second level domain (which is microsoft.com).&lt;br /&gt;6- Now we are at the last request, where your local DNS server asks “microsoft.com” the same question: “do you have the IP address for the machine www.microsoft.com?”&lt;br /&gt;7- If the machine “www” exists in the DNS of Microsoft.com, it immediately sends the IP resolution, and if this host doesn’t exist it sends the reply “Non-Existent Domain”.&lt;br /&gt;8- Whatever the response was in step 7, the local DNS server sends it to your computer.&lt;br /&gt;&lt;br /&gt;OK, but how is this beneficial for hackers? What do they gain by knowing how name resolving works?&lt;br /&gt;Well, we said that the DNS is like a database (let’s call it a &lt;span style="font-weight: bold;"&gt;ZONE&lt;/span&gt;) that holds a lot of records (let’s call them &lt;span style="font-weight: bold;"&gt;Resource Records&lt;/span&gt;) such as hosts (names and IPs) and services (ftp, www…). Imagine this information fell into the hands of the bad guys: a bad guy who has the names and the IPs of all the machines in my domain, and all of the services that are connected to the Internet :)&lt;br /&gt;I think any hacker would burn to get such data.&lt;br /&gt;&lt;br /&gt;Let’s look at these records closely:&lt;br /&gt;1- &lt;span style="font-weight: bold;"&gt;SOA&lt;/span&gt; (&lt;span style="font-weight: bold;"&gt;Start Of Authority&lt;/span&gt;): This is a mandatory record that must exist in every zone. 
It tells you which server is the “Primary Server”, how the “Secondary Servers” get updated, your contact information, and the default “Time To Live” for your DNS records.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQ_EaLMZI/AAAAAAAAAys/lzSwpO0lrtA/s1600-h/SOA.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQ_EaLMZI/AAAAAAAAAys/lzSwpO0lrtA/s320/SOA.png" alt="" id="BLOGGER_PHOTO_ID_5168602935550751122" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;NS&lt;/span&gt; (&lt;span style="font-weight: bold;"&gt;Name Server&lt;/span&gt;): These are the servers that contain a complete copy of the domain’s zone (Authoritative Servers).&lt;br /&gt;3- &lt;span style="font-weight: bold;"&gt;MX&lt;/span&gt; (&lt;span style="font-weight: bold;"&gt;Mail eXchange&lt;/span&gt;): These are the mail servers in the zone.&lt;br /&gt;4- &lt;span style="font-weight: bold;"&gt;A&lt;/span&gt; (&lt;span style="font-weight: bold;"&gt;Address&lt;/span&gt;): These are the records that represent the hosts in the zone and their related IP addresses.&lt;br /&gt;5- &lt;span style="font-weight: bold;"&gt;AAAA&lt;/span&gt; (&lt;span style="font-weight: bold;"&gt;Quad A&lt;/span&gt;): These are the records that represent the hosts in the zone that use IPv6.&lt;br /&gt;6- &lt;span style="font-weight: bold;"&gt;CNAME&lt;/span&gt; (&lt;span style="font-weight: bold;"&gt;Canonical Name&lt;/span&gt;): The DNS database can hold the real name of a host, or an alias (Canonical Name). For example, you might have a host on your domain whose real name is WEB01.mydomain.com (this is the A record); this host holds your company’s web page, and you don’t want people outside your company to access the website by typing web01.mydomain.com, you want them to access it by typing www.mydomain.com. 
So in this case, your DNS holds web01 as an A record, and www as an alias (CNAME) for web01.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQ-0aLMYI/AAAAAAAAAyk/cxuZeJEv8Uw/s1600-h/RR.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQ-0aLMYI/AAAAAAAAAyk/cxuZeJEv8Uw/s320/RR.png" alt="" id="BLOGGER_PHOTO_ID_5168602931255783810" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now, how do we attack the DNS server of our target to pull out this information (or, as it’s called, a “&lt;span style="font-weight: bold;"&gt;Zone Transfer&lt;/span&gt;”), which is so valuable for us?&lt;br /&gt;Do you remember the last lesson (&lt;a href="http://haymanezzeldin.blogspot.com/2008/01/whois.html"&gt;Whois&lt;/a&gt;)? We were able to get the IP addresses of the DNS servers for any target (Primary and Secondary), right? So this is where we start resolving the DNS records.&lt;br /&gt;&lt;br /&gt;Two of the common tools in this area are &lt;span style="font-weight: bold;"&gt;NSLookup&lt;/span&gt; and &lt;span style="font-weight: bold;"&gt;DIG&lt;/span&gt; (both can be used the same way on Windows and Linux); DIG is not packaged with the Windows OS, but there is a workaround to have it on a Windows box.&lt;br /&gt;&lt;br /&gt;Here’s an NSLookup output:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qQ1kaLMUI/AAAAAAAAAyE/UJ7txVBYKH0/s1600-h/NSLookup.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qQ1kaLMUI/AAAAAAAAAyE/UJ7txVBYKH0/s320/NSLookup.png" alt="" id="BLOGGER_PHOTO_ID_5168602772341993794" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And the output in Wireshark (Protocol Analyzer) would be the following:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQ2EaLMXI/AAAAAAAAAyc/ANx21h07SiY/s1600-h/NSLookup_Query.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQ2EaLMXI/AAAAAAAAAyc/ANx21h07SiY/s320/NSLookup_Query.png" alt="" id="BLOGGER_PHOTO_ID_5168602780931928434" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The first line represents the “Query”.&lt;br /&gt;Let’s look at it:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQ10aLMVI/AAAAAAAAAyM/rinNozulKBk/s1600-h/NSLookup_DNS_Query.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQ10aLMVI/AAAAAAAAAyM/rinNozulKBk/s320/NSLookup_DNS_Query.png" alt="" id="BLOGGER_PHOTO_ID_5168602776636961106" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The second line represents the “Answer” to the query.&lt;br /&gt;Let’s look at it as well:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQ2EaLMWI/AAAAAAAAAyU/xsyp53N90-U/s1600-h/NSLookup_DNS_Response.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQ2EaLMWI/AAAAAAAAAyU/xsyp53N90-U/s320/NSLookup_DNS_Response.png" alt="" id="BLOGGER_PHOTO_ID_5168602780931928418" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here’s a DIG output:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qQlkaLMOI/AAAAAAAAAxU/nfeYlkSPiao/s1600-h/DIG.png"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7qQlkaLMOI/AAAAAAAAAxU/nfeYlkSPiao/s320/DIG.png" alt="" id="BLOGGER_PHOTO_ID_5168602497464086754" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And the output in Wireshark (Protocol Analyzer) would be the following:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} 
catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQmEaLMRI/AAAAAAAAAxs/30AfkgLAa1g/s1600-h/DIG_Query.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qQmEaLMRI/AAAAAAAAAxs/30AfkgLAa1g/s320/DIG_Query.png" alt="" id="BLOGGER_PHOTO_ID_5168602506054021394" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The first line represents the “Query”.&lt;br /&gt;Let’s look at it:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQl0aLMPI/AAAAAAAAAxc/Qhm2NpoSXZw/s1600-h/DIG_DNS_Query.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQl0aLMPI/AAAAAAAAAxc/Qhm2NpoSXZw/s320/DIG_DNS_Query.png" alt="" id="BLOGGER_PHOTO_ID_5168602501759054066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The second line represents the “Answer” to the query.&lt;br /&gt;Let’s look at it as well:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQl0aLMQI/AAAAAAAAAxk/FYiOspxtrKg/s1600-h/DIG_DNS_Response.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qQl0aLMQI/AAAAAAAAAxk/FYiOspxtrKg/s320/DIG_DNS_Response.png" alt="" id="BLOGGER_PHOTO_ID_5168602501759054082" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I know, it’s a lot of output to analyze, but believe me, all you need is to practice it yourself and compare results; then you will be able to understand what is going on behind the scenes.&lt;br /&gt;&lt;br /&gt;2 things I would like you to do after reading this article:&lt;br /&gt;First, understand the first part of this article (where I discuss how DNS works and the process of name resolving) perfectly.&lt;br /&gt;Second, try to understand the syntax of both commands, “&lt;a href="http://www.kloth.net/services/nslookup-man.php"&gt;NSLookup&lt;/a&gt;” and “&lt;a 
href="http://www.kloth.net/services/dig-man.php"&gt;DIG&lt;/a&gt;”, and try all the options till you master both commands (I would prefer that you master “DIG” more than “NSLookup”).&lt;br /&gt;&lt;br /&gt;I created a video that shows the usage of NSLookup and DIG (as DNS zone transfer tools) and Wireshark (as a protocol analyzer) to see in detail what happens behind the scenes.&lt;br /&gt;&lt;br /&gt;Download an AVI version here: &lt;a href="http://www.megaupload.com/?d=K8B45DWD"&gt;&lt;span style="font-weight: bold;"&gt;http://www.megaupload.com/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;Download a Flash version here: &lt;a style="font-weight: bold;" href="http://www.4shared.com/file/34895994/24d9f574/DNS_Lookup.html"&gt;http://www.4shared.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;DIG on Windows:&lt;/span&gt;&lt;br /&gt;Because “DIG” is not included in the Windows OS, we have to install it ourselves; here are the steps to get “DIG” on your Windows OS:&lt;br /&gt;1- Download the BIND package (this is the equivalent of the Windows DNS software, but originally for Linux), the build called “&lt;span style="font-style: italic;"&gt;Windows 2000/XP/2003 Binary Kit&lt;/span&gt;”, from &lt;a href="http://www.isc.org/index.pl?/sw/bind/index.php"&gt;http://www.isc.org/index.pl?/sw/bind/index.php&lt;/a&gt;&lt;br /&gt;2- Create a folder on your C:\ drive and let’s name it “DIG”&lt;br /&gt;3- Extract these 7 files from the downloaded package into the folder created in the previous step:&lt;br /&gt;a- dig.exe&lt;br /&gt;b- libbind9.dll&lt;br /&gt;c- libdns.dll&lt;br /&gt;d- libeay32.dll&lt;br /&gt;e- libisc.dll&lt;br /&gt;f- libisccfg.dll&lt;br /&gt;g- liblwres.dll&lt;br /&gt;&lt;br /&gt;4- Open your command prompt and change your directory to the folder created in step 2, so that your prompt shows “C:\DIG”&lt;br /&gt;5- Type “dig -help” and start playing with the options.&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br 
/&gt;Please take care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-5916821626824082671?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=Yf3oTMX3tZc:ViJKq9pcWn4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=Yf3oTMX3tZc:ViJKq9pcWn4:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/Yf3oTMX3tZc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/Yf3oTMX3tZc/dns-and-tools.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qQ_UaLMaI/AAAAAAAAAy0/oO8oJMwd79s/s72-c/Tree_right.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/dns-and-tools.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-294525566937525345</guid><pubDate>Thu, 10 Jan 2008 08:56:00 +0000</pubDate><atom:updated>2008-02-19T09:12:05.005+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>Whois</title><description>We all know now how to find the website for any hacking target; for example, if I said “can you find the website for Microsoft?” :)&lt;br /&gt;I’m sure you will be laughing and saying “HAHAHA, hey man, that’s a piece of cake, I’m the best penetration tester, remember?” :)&lt;br /&gt;&lt;br /&gt;Now, we are going to get some more information that is very valuable for any tester; it is information the target himself put on the Internet for you to use!!!&lt;br /&gt;Can you believe that? Yes, the target published this information himself.&lt;br /&gt;&lt;br /&gt;But, what kind of information is it? It might not be that important. 
Let’s see, and I will let you judge it yourself.&lt;br /&gt;&lt;br /&gt;Our tool (or let’s call it a protocol) is &lt;span style="font-weight: bold;"&gt;Whois&lt;/span&gt;!!&lt;br /&gt;You would say: “Oh ya, I heard about this tool before, I think there are websites that have a service called “Whois”, where you type the name of the target and you get some information about it, right?”&lt;br /&gt;So I would answer: “OK, part of your answer is right, but not all of it; let’s see why”&lt;br /&gt;&lt;br /&gt;First, we will see what “Whois” exactly is :), then analyze how it works, and then we can see one of these sites that offer the “Whois” service.&lt;br /&gt;“Whois” is a &lt;span style="font-weight: bold;"&gt;TCP-based protocol&lt;/span&gt; that uses the &lt;span style="font-weight: bold;"&gt;Server/Client&lt;/span&gt; model, and it is used to query databases to get information about our target (Domain, IP, Networks, etc.)&lt;br /&gt;I know that some of what I said is Chinese :), so let’s translate it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Protocol:&lt;/span&gt; The word originates from the Greek “Protocollon”, a leaf of paper glued to a manuscript that describes its contents. For computers to communicate with each other they need a way to talk, and this way of talking is described by the “Protocollon”, which tells us the rules that enable them to communicate and talk.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;TCP-based protocol:&lt;/span&gt; TCP is one of the protocols that provide reliable communication between computers. For example, imagine that you and I are computers; I want to teach you hacking, so I use a way of communicating that makes me SURE that you understood what I am saying.&lt;br /&gt;So I would say: “Hey you, here’s the lesson of today, it’s about Whois. 
Did you get it?”&lt;br /&gt;You would answer: “Yes, I did get it, it’s easy.”&lt;br /&gt;So I would say: “Are you sure you understood it ALL?”&lt;br /&gt;If you say “Yes”, then I have made SURE that my lesson got to you and that you have no problems, but if you say “NO” then I have to teach you the missing part again. This is how TCP works (in an extremely simplified way).&lt;br /&gt;So, did you get my definition? :)&lt;br /&gt;Are you sure? :)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Port:&lt;/span&gt; I will give you an analogy first, and then we will give the technical definition of a port.&lt;br /&gt;If I want to tell you something, how can I tell you? Phone, Email, Letter, Meeting you...&lt;br /&gt;There are so many ways to reach you, but if I want to send you a letter, then the only way to send it is through the mail system, which will deliver it to your mailbox (in this case, your mailbox acts like a port), but if I want to hear your voice then I would call you by phone (in this case, your phone acts like a port). But is it possible to hear your voice in a letter delivered to your mailbox? NO, because the phone port is dedicated to voice communication, while the mail system is used for written communication.&lt;br /&gt;&lt;br /&gt;It is the same with computers: if they want to communicate, they have to choose the right port for their communication. For example, my website is located on a web server that is designed to let people access the website through port 80. Can you say “No, I want to access this website through port 81”? No you can’t, because the server will not get your request. Got it?&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Flag:&lt;/span&gt; Do you know the “Punctuation” we use in writing? 
Yes, the “Commas”, “Full stops”, “Question marks”…&lt;br /&gt;If I want to “START” a sentence, I start with a capital letter.&lt;br /&gt;If I want to add a small pause, I will put a comma, and then continue talking.&lt;br /&gt;If I want to finish my sentence, I will put a full stop.&lt;br /&gt;Flags are exactly like that. For computers to communicate, how does your computer know when my computer wants to transfer a file to you? How does your computer know that my computer has finished sending the file? Through flags. Let’s look at this figure to understand how a TCP connection starts and ends:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qN5UaLMNI/AAAAAAAAAws/dyIl3UmAxfQ/s1600-h/WhoisComm.jpg"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qN5UaLMNI/AAAAAAAAAws/dyIl3UmAxfQ/s320/WhoisComm.jpg" alt="" id="BLOGGER_PHOTO_ID_5168599538231619794" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here, we are discussing how the “Whois client” communicates with the “Whois server” to ask about a domain called “Cisco.com”.&lt;br /&gt;1- My computer (Whois client) sends a message from a &lt;span style="font-weight: bold;"&gt;RANDOM PORT NUMBER&lt;/span&gt; flagged “SYN” or “Synchronize” to &lt;span style="font-weight: bold;"&gt;PORT 43&lt;/span&gt;, meaning “I want to &lt;span style="font-weight: bold;"&gt;Start a communication&lt;/span&gt; with you”&lt;br /&gt;2- The (Whois server) replies from &lt;span style="font-weight: bold;"&gt;PORT 43&lt;/span&gt; with a message flagged “SYN / ACK” or “Synchronize / Acknowledgment”, meaning “OK, I &lt;span style="font-weight: bold;"&gt;Got&lt;/span&gt; your message. 
And I would like to communicate with you as well on the &lt;span style="font-weight: bold;"&gt;RANDOM PORT&lt;/span&gt; you chose”&lt;br /&gt;3- My machine (Whois client) sends a message flagged “ACK”, meaning “OK, I &lt;span style="font-weight: bold;"&gt;Got&lt;/span&gt; your approval”&lt;br /&gt;At this moment, the &lt;span style="font-weight: bold;"&gt;TCP connection between the client and the server is established&lt;/span&gt;.&lt;br /&gt;4- My computer (Whois client) pushes its request flagged “PSH” or “Push”, meaning “I have a question that is high &lt;span style="font-weight: bold;"&gt;Priority&lt;/span&gt; and deserves care”&lt;br /&gt;5- The (Whois server) replies with an “ACK” confirming receipt.&lt;br /&gt;6- Then it starts pushing the answer to my request, also using the PSH flag to show priority.&lt;br /&gt;7- After the (Whois server) finishes sending the answer, there is no need to keep the connection open, so it sends a “FIN” flag meaning “I have finished now, and I want to &lt;span style="font-weight: bold;"&gt;END&lt;/span&gt;”&lt;br /&gt;8- My computer agrees to the termination in 2 steps: the 1st is an “ACK” saying “OK, I got your request to terminate”, then the 2nd, “FIN / ACK”, says “I would like to terminate as well”&lt;br /&gt;9- The “Whois server” confirms &lt;span style="font-weight: bold;"&gt;terminating the connection&lt;/span&gt; through an “ACK” flag.&lt;br /&gt;&lt;br /&gt;By now, we know exactly what is going on behind the scenes when we use the “Whois” query.&lt;br /&gt;&lt;br /&gt;Now, let’s talk a little bit about something else: you have decided to start your own company, and you want to have your own domain my-own-company.com; what are the steps to do that?&lt;br /&gt;1- First, you have to see if this name is available or not, as it might already be registered to someone else.&lt;br /&gt;2- If you find it available, then you start the registration process, by paying the annual fees and registering your personal details (in 
case of any communication between you and the &lt;a href="http://en.wikipedia.org/wiki/Regional_Internet_Registries"&gt;registries&lt;/a&gt;) with the registry you belong to. There are 5 international registries, and each one of them is responsible for an IP region:&lt;br /&gt;- &lt;span style="font-weight: bold;"&gt;American Registry for Internet Numbers&lt;/span&gt; (&lt;a href="http://www.arin.net/"&gt;ARIN&lt;/a&gt;) – responsible for the North America region&lt;br /&gt;- &lt;span style="font-weight: bold;"&gt;Réseaux IP Européens Network Coordination Centre&lt;/span&gt; (&lt;a href="http://www.ripe.net/"&gt;RIPE NCC&lt;/a&gt;) – responsible for the EMEA and Central Asia region&lt;br /&gt;- &lt;span style="font-weight: bold;"&gt;Asia-Pacific Network Information Centre&lt;/span&gt; (&lt;a href="http://www.apnic.net/"&gt;APNIC&lt;/a&gt;) – responsible for the Asia and Pacific region&lt;br /&gt;- &lt;span style="font-weight: bold;"&gt;Latin American and Caribbean Internet Addresses Registry&lt;/span&gt; (&lt;a href="http://www.lacnic.net/"&gt;LACNIC&lt;/a&gt;) – responsible for the Latin America and Caribbean region&lt;br /&gt;- &lt;span style="font-weight: bold;"&gt;African Network Information Centre&lt;/span&gt; (&lt;a href="http://www.afrinic.net/"&gt;AfriNIC&lt;/a&gt;) – responsible for the Africa region.&lt;br /&gt;3- Now you get your domain name and can start using it, while the registry adds your info to a database (exactly; this is what we extract when we use Whois).&lt;br /&gt;&lt;br /&gt;I know, I know, you are burning to start playing with the tools, right?&lt;br /&gt;OK, Whois tools come in 3 types:&lt;br /&gt;1- &lt;span style="font-weight: bold;"&gt;DOS-like interfaces&lt;/span&gt; (for Windows users), or Konsole (for Linux users)&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;Graphical interfaces&lt;/span&gt; (such as Smart Whois, or Sam Spade)&lt;br /&gt;3- &lt;span style="font-weight: bold;"&gt;Web sites&lt;/span&gt; that provide the online Whois service 
(my favorite is “Domaintools.com”)&lt;br /&gt;&lt;br /&gt;Let’s see the results of each one:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;From the command prompt (using the Whois tool from &lt;a href="http://www.microsoft.com/technet/sysinternals/utilities/Whois.mspx"&gt;Sysinternals&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qNxEaLMJI/AAAAAAAAAwM/2QKKjf-Akh8/s1600-h/Whois_DOS.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qNxEaLMJI/AAAAAAAAAwM/2QKKjf-Akh8/s320/Whois_DOS.png" alt="" id="BLOGGER_PHOTO_ID_5168599396497698962" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From the GUI of “&lt;a href="http://www.tamos.com/products/smartwhois/"&gt;Smart Whois&lt;/a&gt;”&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qN5EaLMMI/AAAAAAAAAwk/Gyolng67Y_U/s1600-h/Whois_SmartWhois.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qN5EaLMMI/AAAAAAAAAwk/Gyolng67Y_U/s320/Whois_SmartWhois.png" alt="" id="BLOGGER_PHOTO_ID_5168599533936652482" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Note 1: When I was installing “Smart Whois” I got this message:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qNwUaLMHI/AAAAAAAAAv8/ji_6AxsK0Ig/s1600-h/SmartWhois_Port.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qNwUaLMHI/AAAAAAAAAv8/ji_6AxsK0Ig/s320/SmartWhois_Port.png" alt="" id="BLOGGER_PHOTO_ID_5168599383612797042" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Have you noticed that the port used is TCP 43?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic;"&gt;From the Web Site “&lt;a 
href="http://www.domaintools.com/"&gt;domaintools&lt;/a&gt;”&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qNw0aLMII/AAAAAAAAAwE/5nVbnzM3f4Q/s1600-h/Whois_domaintools.png"&gt;&lt;img style="cursor: pointer;" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7qNw0aLMII/AAAAAAAAAwE/5nVbnzM3f4Q/s320/Whois_domaintools.png" alt="" id="BLOGGER_PHOTO_ID_5168599392202731650" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From the Linux Konsole&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qNxEaLMKI/AAAAAAAAAwU/acjx03DeqUw/s1600-h/Whois_Linux01.png"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7qNxEaLMKI/AAAAAAAAAwU/acjx03DeqUw/s320/Whois_Linux01.png" alt="" id="BLOGGER_PHOTO_ID_5168599396497698978" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qNxUaLMLI/AAAAAAAAAwc/5DC9ABP8xb0/s1600-h/Whois_Linux02.png"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qNxUaLMLI/AAAAAAAAAwc/5DC9ABP8xb0/s320/Whois_Linux02.png" alt="" id="BLOGGER_PHOTO_ID_5168599400792666290" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Please compare the results, to see how much important information we can get from just one tool (Whois):&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;IP addresses&lt;/span&gt; (needed in almost every later step: scanning, enumeration and the attack itself)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Email addresses&lt;/span&gt; (can be used for example in Social Engineering attacks, or for delivering viruses or Rootkits…)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Phone and Fax Numbers&lt;/span&gt; (can be used for example in Social Engineering attacks, or in Wardialing, i.e. calling the company’s whole number range looking for modems…)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Contact persons&lt;/span&gt; (can be used in Social Engineering, and for working out the username naming convention, e.g. first initial plus last name)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Location Address&lt;/span&gt; (can be used for example in Physical Attacks, dumpster diving, Social Engineering…)&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Name Servers&lt;/span&gt; (the next target for DNS enumeration, e.g. zone transfer attempts and host name brute forcing, and also a target for DNS flooding…)&lt;br /&gt;The more you search, the more information you get to prepare the perfect attack :)&lt;br /&gt;&lt;br /&gt;I created 2 videos that show Whois (as the query tool) and Wireshark (as the protocol analyzer) side by side, so you can see in detail what happens behind the scenes&lt;br /&gt;&lt;br /&gt;For Linux users:&lt;br /&gt;&lt;br /&gt;&lt;object height="355" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/BirHnYdgLPU&amp;amp;rel=0&amp;amp;color1=0x006699&amp;amp;color2=0x54abd6&amp;amp;border=0"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed src="http://www.youtube.com/v/BirHnYdgLPU&amp;amp;rel=0&amp;amp;color1=0x006699&amp;amp;color2=0x54abd6&amp;amp;border=0" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Download an AVI version here: &lt;a style="font-weight: bold;" href="http://www.megaupload.com/?d=WR5835SU"&gt;http://www.megaupload.com/&lt;/a&gt;&lt;br /&gt;Download a Flash version here: &lt;a style="font-weight: bold;" href="http://www.4shared.com/file/34869782/16b96463/Whois_Linux.html"&gt;http://www.4shared.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For Windows users:&lt;br /&gt;&lt;br /&gt;&lt;object height="355" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/a9AUo-FXfBg&amp;amp;rel=0&amp;amp;color1=0x006699&amp;amp;color2=0x54abd6&amp;amp;border=0"&gt;&lt;param name="wmode" value="transparent"&gt;&lt;embed 
src="http://www.youtube.com/v/a9AUo-FXfBg&amp;amp;rel=0&amp;amp;color1=0x006699&amp;amp;color2=0x54abd6&amp;amp;border=0" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Download an AVI version here: &lt;a href="http://www.megaupload.com/?d=QOSOD68V"&gt;&lt;span style="font-weight: bold;"&gt;http://www.megaupload.com/&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;Download a Flash version here: &lt;a style="font-weight: bold;" href="http://www.4shared.com/file/34869197/7b45dd1f/Whois_Win.html"&gt;http://www.4shared.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Sorry for making it a long article, but I wanted to clarify every single bit.&lt;br /&gt;Till next article,&lt;br /&gt;Please take care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-294525566937525345?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
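What the videos show on the wire, as an added example (this is not code from the original post): a small Python 3 whois client that opens TCP port 43, sends the name followed by CRLF, reads until the server closes, and then parses the answer into the items listed above (name servers, email addresses, phone numbers). It also follows the registry-to-registrar referral that thin registries such as .com return. Assumptions: whois.iana.org as the first server to ask, the field names "Registrar WHOIS Server:" and "refer:" for the referral, and the two sample answers, which are constructed and not real registry output.

```python
"""
Minimal whois client and response parser, Python 3 standard library only.
Added example, not code from the original post.  Opens TCP/43, sends the
name plus CRLF, reads until the server closes, parses the "Key: value"
lines and follows the "Registrar WHOIS Server:" referral (assumed field name).
"""
import re
import socket

WHOIS_PORT = 43                  # IANA-assigned whois port (RFC 3912)
START_SERVER = "whois.iana.org"  # assumption: IANA refers us to the TLD registry


def build_query(name):
    """A whois request is just the name followed by CRLF."""
    return name.strip() + "\r\n"


def whois_query(server, name, timeout=10):
    """Send one query to `server` on TCP/43 and return the raw answer text."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(build_query(name).encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # server closed the connection: answer complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists, skipping comments and legal text."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%") or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral_server(fields):
    """The server the registry points us to for the next hop, if any."""
    for key in ("registrar whois server", "whois server", "refer", "whois"):
        if key in fields:
            return fields[key][0]
    return None


def recon_summary(fields):
    """Pull out the items the post lists as useful: name servers, emails, phones."""
    summary = {"name_servers": set(), "emails": set(), "phones": set()}
    email_re = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
    for key, values in fields.items():
        for value in values:
            if key.startswith("name server") or key.startswith("nserver"):
                summary["name_servers"].add(value.lower())
            summary["emails"].update(m.lower() for m in email_re.findall(value))
            if "phone" in key or key.endswith("fax"):
                summary["phones"].add(value)
    return summary


def follow_referrals(name, start=START_SERVER, max_hops=3):
    """Registry-to-registrar chain: query, read the referral, query again."""
    server, answers = start, []
    for _ in range(max_hops):
        text = whois_query(server, name)
        answers.append((server, text))
        nxt = referral_server(parse_whois(text))
        if not nxt or nxt.lower() == server.lower():
            break
        server = nxt
    return answers


# Constructed samples (not real registry output) so the parser can be tried offline.
SAMPLE_REGISTRY = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.registrar.example
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   Updated Date: 2008-01-01T00:00:00Z
"""

SAMPLE_REGISTRAR = """\
% Constructed sample registrar answer, not real data
Domain Name: example.com
Registrant Name: Jane Doe
Registrant Email: jane.doe@example.com
Registrant Phone: +1.5555550100
Admin Email: hostmaster@example.com
Tech Fax: +1.5555550199
Name Server: ns1.example.com
"""

if __name__ == "__main__":
    # Offline run on the samples; call follow_referrals("example.com") to go on the wire.
    print("next hop:", referral_server(parse_whois(SAMPLE_REGISTRY)))
    print(recon_summary(parse_whois(SAMPLE_REGISTRAR)))
```

Run it with Wireshark capturing on port 43 and you will see exactly the three-step exchange from the videos: TCP handshake, one line of query, a plain-text reply. Because nothing is encrypted, the same capture on the defending side (a proxy or IDS watching outbound TCP/43) is enough to spot someone looking up your domains one by one.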
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=JN9YrF-Af_Q:S_u3lrlomKs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=JN9YrF-Af_Q:S_u3lrlomKs:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/JN9YrF-Af_Q" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/JN9YrF-Af_Q/whois.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_hJ8mrxrtvaI/R7qN5UaLMNI/AAAAAAAAAws/dyIl3UmAxfQ/s72-c/WhoisComm.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/whois.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-7440552247149741068</guid><pubDate>Mon, 07 Jan 2008 11:52:00 +0000</pubDate><atom:updated>2008-02-19T08:40:46.124+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>Google Hacking</title><description>No, No, don’t get me wrong, the title doesn’t mean that we are going to hack Google :) We are trying to use Google.com search engine in extracting important data that would help us in hacking. Do you remember last article when we were discussing “Search Engines” and the way they create indexes for any key word that resides on any website? Today, we are going to use these indexes in looking for some important information.&lt;br /&gt;&lt;br /&gt;Normally, if you want to search for a “keyword”, all what you have to do is type the keyword in the “Search Box”; this will get us thousands and thousands of pages that include our “keyword”. The words which we typed in the “Search Box” are considered a “&lt;strong&gt;Query&lt;/strong&gt;”. 
To improve this search technique, we are going to use special words or “&lt;strong&gt;Operators&lt;/strong&gt;” in the “Search Box”&lt;br /&gt;&lt;br /&gt;Before we start talking about these operators and how to use them in hacking, let’s look at the Google interface.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7p5fUaLMBI/AAAAAAAAAuw/2UrWKxkOjbY/s1600-h/GP.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168577101322465298" style="" alt="" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7p5fUaLMBI/AAAAAAAAAuw/2UrWKxkOjbY/s320/GP.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1- &lt;span style="font-weight: bold;"&gt;Page title:&lt;/span&gt; The title of the listed page.&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;URL:&lt;/span&gt; The web address of the selected page.&lt;br /&gt;3- &lt;span style="font-weight: bold;"&gt;Search Box:&lt;/span&gt; This is where you type your query.&lt;br /&gt;4- &lt;span style="font-weight: bold;"&gt;Number Range:&lt;/span&gt; How many results are shown per page.&lt;br /&gt;5- &lt;span style="font-weight: bold;"&gt;File Type or Extension&lt;/span&gt;&lt;br /&gt;6- &lt;span style="font-weight: bold;"&gt;Link to cached version of page:&lt;/span&gt; This is a clickable link that shows you the version of the web page that is saved in Google’s cache (reading the cached copy keeps our requests off the target’s own web server, at least for the page text).&lt;br /&gt;7- &lt;span style="font-weight: bold;"&gt;Link to similar pages:&lt;/span&gt; These are the pages that Google thinks have a lot in common with the listed page.&lt;br /&gt;8- &lt;span style="font-weight: bold;"&gt;Text:&lt;/span&gt; This is an excerpt from the associated web page; it might be the first few lines of the text in the page.&lt;br /&gt;9- &lt;span style="font-weight: bold;"&gt;Size:&lt;/span&gt; The size in Kilobytes of the selected page&lt;br /&gt;&lt;br /&gt;Google built its operators on exactly these parts of a page (title, URL, file type, cached copy…), and they help us refine our search. The simplest form is “operator:search_term”, with no space after the colon.&lt;br /&gt;&lt;br /&gt;Let’s see an example:&lt;br /&gt;&lt;span 
style="font-weight: bold;"&gt;We would like to search for the web pages that discuss hacking, and at the same time the word “Tutorial” is in the page’s title&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;1- We are searching for the word “Hacking”, so the first part of the query is (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=hacking&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;Hacking&lt;/span&gt;&lt;/a&gt;)&lt;br /&gt;2- Second, we want to filter our search by selecting only the pages that contain the word (Tutorial) in the page title. So the second part of the query will be (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=intitle%3Atutorial&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;intitle:tutorial&lt;/span&gt;&lt;/a&gt;)&lt;br /&gt;3- Result: &lt;a href="http://www.google.de/search?hl=en&amp;amp;q=hacking+intitle%3Atutorial&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;hacking intitle:tutorial&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Note1: &lt;span style="color: rgb(255, 0, 0);"&gt;Open any of the results and check, you will see that the word “Hacking” is included in the page (anywhere), while the word “Tutorial” is in the “Page Title” of every single result.&lt;/span&gt;&lt;br /&gt;Note2: &lt;span style="color: rgb(255, 0, 0);"&gt;Look at the number of results; you will see that the query refined our search result from 59,800,000 pages (the previous image) to 188,000 pages (the following image)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_hJ8mrxrtvaI/R7p5fkaLMDI/AAAAAAAAAvA/-kBBD6FrJlQ/s1600-h/IR.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168577105617432626" style="" alt="" src="http://bp1.blogger.com/_hJ8mrxrtvaI/R7p5fkaLMDI/AAAAAAAAAvA/-kBBD6FrJlQ/s320/IR.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let’s take another example:&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;We want to do the same last query, plus looking for the word “Windows” in the URL 
of our results&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;1- We will type in the search box the same query like the previous example (&lt;a style="font-family: courier new;" href="http://www.google.de/search?hl=en&amp;amp;q=hacking+intitle%3Atutorial&amp;amp;btnG=Google+Search&amp;amp;meta="&gt;hacking intitle:tutorial&lt;/a&gt;)&lt;br /&gt;2- Now we will add the part which will refine our search by selecting only the pages that contain the word (Windows) in the page URL. So the second part of the query will be (&lt;a style="font-family: courier new;" href="http://www.google.de/search?hl=en&amp;amp;q=inurl%3Awindows&amp;amp;btnG=Google+Search&amp;amp;meta="&gt;inurl:windows&lt;/a&gt;)&lt;br /&gt;3- Result: &lt;a style="font-family: courier new;" href="http://www.google.de/search?hl=en&amp;amp;q=hacking+intitle%3Atutorial+inurl%3Awindows&amp;amp;meta="&gt;hacking intitle:tutorial inurl:windows&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Note1: &lt;span style="color: rgb(255, 0, 0);"&gt;You will notice now that the search is refined and the word “Windows” is in every URL of every single result&lt;/span&gt;&lt;br /&gt;Note2: &lt;span style="color: rgb(255, 0, 0);"&gt;Look at the number of results; you will see that the query refined our search result from 188,000 pages (the previous image) to 1,320 pages (the following image)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7p6C0aLMGI/AAAAAAAAAvY/9sGFkttr7is/s1600-h/IU.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168577711207821410" style="" alt="" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7p6C0aLMGI/AAAAAAAAAvY/9sGFkttr7is/s320/IU.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;So what are the “Operators” used, and how can they be used in “Penetration testing”?&lt;/span&gt;&lt;br /&gt;There are a lot of “Operators”; I will try to mention the most important ones that will help us in our mission&lt;br /&gt;&lt;br /&gt;1- &lt;span style="font-weight: 
bold;"&gt;intitle:&lt;/span&gt; We have seen already what it means in the first example&lt;br /&gt;2- &lt;span style="font-weight: bold;"&gt;allintitle:&lt;/span&gt; The title will include ALL of the specified words – ex: &lt;a href="http://www.google.de/search?hl=en&amp;amp;q=allintitle%3Ahacking+tutorial&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;allintitle:hacking tutorial&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;3- &lt;span style="font-weight: bold;"&gt;inurl:&lt;/span&gt; We have seen already what it means in the second example&lt;br /&gt;4- &lt;span style="font-weight: bold;"&gt;allinurl:&lt;/span&gt; The URL will include ALL of the specified words – ex: &lt;a href="http://www.google.de/search?hl=en&amp;amp;q=allinurl%3Ahacking+tutorial&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;allinurl:hacking tutorial&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;5- site: You use this “Operator” to limit your search to a specific domain – ex: &lt;a href="http://www.google.de/search?hl=en&amp;amp;q=hacking+site%3Amicrosoft.com&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;hacking site:microsoft.com&lt;/span&gt;&lt;/a&gt; (it means, I want you to search for the word “hacking” that resides on “microsoft.com” and no other domains)&lt;br /&gt;6- &lt;span style="font-weight: bold;"&gt;filetype:&lt;/span&gt; or &lt;span style="font-weight: bold;"&gt;ext:&lt;/span&gt; You use this “Operator” to limit your search to specific “File Extensions” such as .doc, .xls, .pdf, .php, .asp – ex: &lt;a href="http://www.google.de/search?hl=en&amp;amp;q=hacking+tutorial+ext%3Apdf&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;hacking tutorial ext:pdf&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;7- &lt;span style="font-weight: bold;"&gt;&lt;span style="font-weight: bold;"&gt;The double quotations &lt;/span&gt;“”&lt;/span&gt;: We use the double quotation marks to limit our search for an exact phrase, for example “Penetration Testing” – ex: &lt;a 
href="http://www.google.de/search?hl=en&amp;amp;q=%E2%80%9CPenetration+Testing%E2%80%9D&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;“Penetration Testing”&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;Compare the difference between (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=Penetration+Testing&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;Penetration Testing&lt;/span&gt;&lt;/a&gt;) and (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=%E2%80%9CPenetration+Testing%E2%80%9D&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;“Penetration Testing”&lt;/span&gt;&lt;/a&gt;)&lt;br /&gt;8- &lt;span style="font-weight: bold;"&gt;The plus sign + &lt;/span&gt;or &lt;span style="font-weight: bold;"&gt;The minus sign -&lt;/span&gt;: Normally Google ignores common words and character like “The”, “Where”, etc. So, if you would like your search to include any of these common words, you just have to add “+” before the specified word. Compare the difference between (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=the+%22penetration+testing%22&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;the "penetration testing"&lt;/span&gt;&lt;/a&gt;) and (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=%2Bthe+%22penetration+testing%22&amp;amp;btnG=Google+Search&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;+the "penetration testing"&lt;/span&gt;&lt;/a&gt;)&lt;br /&gt;And vice versa, if you want to avoid a word, for example, you want to search for “Penetration Testing” but at the same time you want the pages that don’t include the word “Windows”, so your query would be (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=%22penetration+testing%22+-windows&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;"penetration testing" -windows&lt;/span&gt;&lt;/a&gt;)&lt;br /&gt;9- &lt;span style="font-weight: bold;"&gt;The pipe line |&lt;/span&gt;: This is called the “Logical OR” 
operator, and simply it means OR :). For example, we are looking for the pages that contain the word “Login” OR “Logon”, so our query would be (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=login+%7C+logon&amp;amp;btnG=Google+Search&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;login | logon&lt;/span&gt;&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;These are the most important “Operators” for us at the moment.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;But how can we use them in our attack?&lt;/span&gt;&lt;br /&gt;I’ll give you some examples, and you can be creative and see what you can get us :)&lt;br /&gt;&lt;br /&gt;Example using the “site:” and “-” Operators&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;We all know that websites usually start with www.xxx.yyy, right? This www is just one host in the xxx.yyy domain; what if the domain has hosts other than www? How would we find them?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Let’s try that &lt;span style="font-family:courier new;"&gt;(&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=site%3Amicrosoft.com+-site%3Awww.microsoft.com&amp;amp;meta="&gt;site:microsoft.com -site:www.microsoft.com&lt;/a&gt;)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Note1: &lt;span style="color: rgb(255, 0, 0);"&gt;We were able to locate so many hosts on the Microsoft domain, such as “Advertising”, “Support”, “UDDI”, etc.&lt;/span&gt;&lt;br /&gt;Note2: Google only shows a limited number of results per query, so once you have found a few hosts, add them as further exclusions (-site:support.microsoft.com -site:uddi.microsoft.com …) and run the query again; each round surfaces hosts that were hidden behind the first ones. Keep going until nothing new appears.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7p5f0aLMEI/AAAAAAAAAvI/urLDcm-5JKc/s1600-h/SO.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168577109912399938" style="" alt="" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7p5f0aLMEI/AAAAAAAAAvI/urLDcm-5JKc/s320/SO.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Example using the “allinurl:” and “” Operators&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;We know that a lot of companies are using “Microsoft Exchange Server” as their mail server, and company XYZ is one of these companies, so we would like to see if we can find the logon page to try guessing the password of any user.&lt;/span&gt;&lt;br /&gt;I used to have an Exchange server, and I know that the URL of the logon page of “Microsoft Outlook Web Access” ends with “exchange/logon.asp” (that is the path of the older Exchange versions’ OWA logon; newer versions use different paths, so adjust the query to the version you expect).&lt;br /&gt;&lt;br /&gt;Let’s try that (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=allinurl%3A%22exchange%2Flogon.asp%22&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;allinurl:"exchange/logon.asp"&lt;/span&gt;&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;a href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7p5fEaLMAI/AAAAAAAAAuo/Z7lqwDq9bX8/s1600-h/AQ.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168577097027497986" style="" alt="" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7p5fEaLMAI/AAAAAAAAAuo/Z7lqwDq9bX8/s320/AQ.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;Example using the “intitle:” and “” Operators&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;There is a tool (that we will learn later how to use) called Nessus, one of the best free network vulnerability scanners available. This tool’s goal is to detect potential vulnerabilities in the tested system, and after every test it generates a report in various formats (xml, pdf, etc.) that includes all of the vulnerabilities found.&lt;/span&gt;&lt;br /&gt;What if a bad guy finds these reports on the Internet? 
A bad guy who has the full list of vulnerabilities of a specific system: a DISASTER. (If you run Nessus yourself, keep the reports out of any web root, or at least behind authentication; a scanner report is exactly the document you do not want indexed.)&lt;br /&gt;I know from previous experience that the generated report has the title “Nessus Scan Report” and that its last line says “This file was generated by Nessus”&lt;br /&gt;&lt;br /&gt;Let’s try that (&lt;a href="http://www.google.de/search?hl=en&amp;amp;q=intitle%3A%22Nessus+Scan+Report%22+%22This+file+was+generated+by+Nessus%22&amp;amp;meta="&gt;&lt;span style="font-family:courier new;"&gt;intitle:"Nessus Scan Report" "This file was generated by Nessus"&lt;/span&gt;&lt;/a&gt;)&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;a href="http://bp0.blogger.com/_hJ8mrxrtvaI/R7p5fUaLMCI/AAAAAAAAAu4/emwvYwC60hY/s1600-h/IN.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168577101322465314" style="" alt="" src="http://bp0.blogger.com/_hJ8mrxrtvaI/R7p5fUaLMCI/AAAAAAAAAu4/emwvYwC60hY/s320/IN.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;&lt;br /&gt;There are millions and millions of combinations, just be creative and don’t limit your mind.&lt;br /&gt;If you want to widen your knowledge concerning Google Hacking:&lt;br /&gt;&lt;a href="http://johnny.ihackstuff.com/"&gt;http://johnny.ihackstuff.com/&lt;/a&gt; (includes the Google Hacking Database, which phreaks me out :))&lt;br /&gt;&lt;a href="http://www.amazon.com/Google-Hacking-Penetration-Testers-1/dp/1931836361/ref=sr_11_1?ie=UTF8&amp;amp;qid=1199706409&amp;amp;sr=11-1"&gt;Google Hacking for Penetration Testers – Volume 1&lt;/a&gt; (The authors are some of the best authors who write about Hacking; Johnny Long, who runs johnny.ihackstuff.com, is one of them by the way)&lt;br /&gt;&lt;a href="http://www.amazon.com/Google-Hacking-Penetration-Testers-2/dp/1597491764/ref=sr_11_1?ie=UTF8&amp;amp;qid=1199706534&amp;amp;sr=11-1"&gt;Google Hacking for Penetration Testers – Volume 2&lt;/a&gt; (The second part, and it includes advanced techniques in using 
Google for Penetration Testing)&lt;br /&gt;&lt;br /&gt;Guys, one thing I would like to say here, we all know that Information is power, so please don’t use this power in harming others.&lt;br /&gt;We are learning these techniques to defend against the bad guys, not to be them.&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Please take care.&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-7440552247149741068?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
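The operators above, and the “site: … -site:…” host-discovery trick, as an added example (not code from the original post): a small Python 3 query builder that composes a query from terms, exact phrases, operators, OR groups and exclusions, URL-encodes it the way the links in the post do, and runs the exclusion loop, i.e. every host already found is added as a further -site: exclusion before the next query. The search endpoint, the result links for the fictional example.com and the way result pages are handed in are assumptions/constructed data, so it runs offline.

```python
"""
Google operator query builder plus the host-discovery loop from the
"site: and -" example.  Added example, not the post's own code; the search
endpoint and the sample result links are assumptions/constructed data.
"""
from urllib.parse import urlencode, urlparse

GOOGLE_SEARCH = "https://www.google.com/search"  # assumption: current endpoint


def dork(terms=(), phrases=(), exclude=(), **operators):
    """
    Compose a query from the operators in the post.
      terms     : bare words, each must appear somewhere on the page
      phrases   : exact phrases, wrapped in double quotes
      exclude   : words or operator terms to drop with a leading "-"
      operators : intitle="tutorial", inurl="windows", site="microsoft.com",
                  ext="pdf"; a list value becomes an OR group (a | b)
    """
    parts = list(terms)
    parts += ['"%s"' % p for p in phrases]
    for op, value in operators.items():
        if isinstance(value, (list, tuple)):
            parts.append("(" + " | ".join("%s:%s" % (op, v) for v in value) + ")")
        else:
            parts.append("%s:%s" % (op, value))
    parts += ["-" + w for w in exclude]
    return " ".join(parts)


def search_url(query):
    """URL-encode the query the way the links in the post do (q= parameter)."""
    return GOOGLE_SEARCH + "?" + urlencode({"q": query, "hl": "en"})


def hosts_from_results(result_urls, domain):
    """Distinct hostnames that really belong to `domain` in a page of result links."""
    domain = domain.lower()
    hosts = set()
    for url in result_urls:
        host = (urlparse(url).hostname or "").lower()
        # exact match or a real subdomain; "example.com.evil.test" must not count
        if host == domain or host.endswith("." + domain):
            hosts.add(host)
    return hosts


def host_discovery_query(domain, known_hosts):
    """site:domain -site:host1 -site:host2 ...: exclude what we already found."""
    return dork(site=domain, exclude=["site:" + h for h in sorted(known_hosts)])


def discover_hosts(domain, result_pages):
    """
    Run the exclusion loop.  `result_pages` stands in for successive Google
    result pages; on a live run each query would be fetched via search_url().
    Returns the hosts found and the query issued for each round.
    """
    known, queries = set(), []
    for page in result_pages:
        queries.append(host_discovery_query(domain, known))
        known.update(hosts_from_results(page, domain))
    return known, queries


# Constructed result links for a fictional domain, not a real search.
SAMPLE_PAGES = [
    ["http://www.example.com/", "http://support.example.com/kb/1",
     "http://advertising.example.com/"],
    ["http://uddi.example.com/", "http://www.example.com/security",
     "http://example.com.evil.test/", "http://notexample.com/"],
]

if __name__ == "__main__":
    print(search_url(dork(["hacking"], intitle="tutorial", inurl="windows")))
    print(dork(phrases=["This file was generated by Nessus"], intitle='"Nessus Scan Report"'))
    hosts, queries = discover_hosts("example.com", SAMPLE_PAGES)
    for q in queries:
        print("query:", q)
    print("hosts:", sorted(hosts))
```

The hostname check matters: a naive substring test on “example.com” would count lookalike domains such as example.com.evil.test as hosts of the target, which is exactly the kind of wrong lead you do not want in a reconnaissance report.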
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=6MQPMAhlW54:a2tPMr3Adl4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=6MQPMAhlW54:a2tPMr3Adl4:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/6MQPMAhlW54" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/6MQPMAhlW54/google-hacking.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp0.blogger.com/_hJ8mrxrtvaI/R7p5fUaLMBI/AAAAAAAAAuw/2UrWKxkOjbY/s72-c/GP.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/google-hacking.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-2244167974126582485</guid><pubDate>Mon, 07 Jan 2008 07:03:00 +0000</pubDate><atom:updated>2008-02-19T07:33:30.254+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">3- Data Gathering</category><title>Search Engines - Behind The Scenes</title><description>For sure you had a time when you hear something or read something that you don’t understand, earlier you used to go to someone older to ask him/her about that, but that’s no more the case. Now, you can go to Google.com or any other &lt;a href="http://en.wikipedia.org/wiki/Search_engine"&gt;Search Engine&lt;/a&gt; and type in what you are looking for, and with one click you get thousands of result in milliseconds!!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7p3lEaLL-I/AAAAAAAAAt0/R9WhFm6wElQ/s1600-h/GSR.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168575001083457506" style="CURSOR: hand" alt="" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7p3lEaLL-I/AAAAAAAAAt0/R9WhFm6wElQ/s320/GSR.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Wow, how did it happen? 
How can this search engine browse the whole Internet and get me links to every page that includes the word “Hacking”, for example, in less than 1 second?&lt;br /&gt;&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Behind the scenes:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Before we start any discussion, we have to know some terms and definitions that we will meet soon.&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Search Engines:&lt;/span&gt; They are web sites that provide an interface to allow users to search for information on the “World Wide Web”.&lt;br /&gt;&lt;span style="FONT-WEIGHT: bold"&gt;Crawler&lt;/span&gt;, &lt;span style="FONT-WEIGHT: bold"&gt;Spider&lt;/span&gt;, &lt;span style="FONT-WEIGHT: bold"&gt;Bot&lt;/span&gt; or &lt;span style="FONT-WEIGHT: bold"&gt;Robot:&lt;/span&gt; All these terms mean the same thing: a program or a script that browses the “World Wide Web” in an automated way.&lt;br /&gt;&lt;br /&gt;This is how search engines work in general:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_hJ8mrxrtvaI/R7p3lEaLL_I/AAAAAAAAAt8/IELOuelb4cc/s1600-h/SEW.gif"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168575001083457522" style="CURSOR: hand" alt="" src="http://bp3.blogger.com/_hJ8mrxrtvaI/R7p3lEaLL_I/AAAAAAAAAt8/IELOuelb4cc/s320/SEW.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1- The search engine has a lot of “&lt;span style="FONT-WEIGHT: bold"&gt;Crawler Servers&lt;/span&gt;”, where the “&lt;span style="FONT-WEIGHT: bold"&gt;Crawler&lt;/span&gt;” is installed. This Crawler walks around the Web robotically: it reads every page, follows the links to other pages and downloads all the contents to the servers. New web pages or changed pages are detected the same way.&lt;br /&gt;2- Now these big blocks of data go to the “&lt;span style="FONT-WEIGHT: bold"&gt;Index Servers&lt;/span&gt;”, which extract the keywords and build something like a catalogue. 
The result is a massive database of keywords and the related documentIDs.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_hJ8mrxrtvaI/R7p3k0aLL9I/AAAAAAAAAts/aSQQ4M5wN58/s1600-h/GQ.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5168574996788490194" style="CURSOR: hand" alt="" src="http://bp2.blogger.com/_hJ8mrxrtvaI/R7p3k0aLL9I/AAAAAAAAAts/aSQQ4M5wN58/s320/GQ.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3- So when you search for the word “Hacking”, for example, your request is sent to the web server as a query; the web server then sends your query to the index server, where every documentID that contains “Hacking” is listed in the catalogue or index. The results are passed from the massive database back to the web server, which converts the data received from the database into a readable format and sends it back to you as the result page.&lt;br /&gt;&lt;br /&gt;The point for us: the search engine never searches the live Internet when you type your query, it searches its own copy. Whatever the crawler picked up stays searchable (and often stays in the cache) until the next crawl, even if the owner has removed it in the meantime, and the target’s web server never sees our searches.&lt;br /&gt;&lt;br /&gt;Now that we know how search engines like Google work, it's time to see how we can benefit from Google as a "Data Gathering" tool.&lt;br /&gt;&lt;br /&gt;Till next article,&lt;br /&gt;Please take care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4046984248821087870-2244167974126582485?l=haymanezzeldin.blogspot.com'/&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=c7YCegMmScw:u2KgIUaNBy8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/PenetrationTesting?a=c7YCegMmScw:u2KgIUaNBy8:63t7Ie-LG7Y"&gt;&lt;img src="http://feeds.feedburner.com/~ff/PenetrationTesting?d=63t7Ie-LG7Y" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/PenetrationTesting/~4/c7YCegMmScw" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/c7YCegMmScw/search-engines-behind-scenes.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://bp3.blogger.com/_hJ8mrxrtvaI/R7p3lEaLL-I/AAAAAAAAAt0/R9WhFm6wElQ/s72-c/GSR.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/search-engines-behind-scenes.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-9193133990569446228</guid><pubDate>Fri, 04 Jan 2008 06:03:00 +0000</pubDate><atom:updated>2008-02-19T08:56:10.006+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">2- Basics</category><title>Hacking - The Scenario</title><description>I want you to imagine with me this scenario:&lt;br /&gt;&lt;br /&gt;You are a Penetration Tester, and there is a company “XYZ” that would like to hire your service as they would like to check how secure their system is. They said “Mr. X, we know that you are the best Penetration Tester ever, and we have paid thousands to secure our system, and we would like to see how DIFFICULT it is for a hacker to attack our system, we need your help”&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;&lt;/span&gt;Note 01: have you noticed that the word “DIFFICULT” is all uppercase? I’m sure you did.&lt;br /&gt;I did it like that to send you a message saying that there is nothing ever called “a 100% secure system”, every secure system has a leak somewhere, and your role is to find where this leak is.&lt;br /&gt;&lt;br /&gt;You got my idea? 
Never ever give up, be patient, be sure that there is a way to do it and be confident that you can do it.&lt;br /&gt;&lt;br /&gt;Note 02: you know nothing yet about the system “XYZ”; will the company provide you with knowledge about their system, network infrastructure and policies? OR will they leave you alone to decide what you want to do and how you want to do it?&lt;br /&gt;&lt;br /&gt;This leads us to another definition, “&lt;span style="font-weight: bold;"&gt;Penetration Testing Types&lt;/span&gt;”; there are 3 types of testing. The first type assumes that you have no prior knowledge of the system or the infrastructure you are testing (hacking), so in such a test you have to do exactly what a cracker would do. This type of testing is called “&lt;span style="font-weight: bold;"&gt;Black Box&lt;/span&gt;”. The second type, on the other hand, assumes that you are provided with complete knowledge of the system, infrastructure, source code of the software, etc. This type of testing is called “&lt;span style="font-weight: bold;"&gt;White Box&lt;/span&gt;”. The third and last type - as you can guess - is a mix of the previous two. Here you have partial knowledge of the system; you might know what services are running on the system, but not the IP addressing. You might know how the software works, but you are not provided with the source code. This type is called “&lt;span style="font-weight: bold;"&gt;Gray Box&lt;/span&gt;”.&lt;br /&gt;&lt;br /&gt;Note 03: as we are trying to test the system against hackers, we have to think like one. So, now you are a hacker and you want to attack the company “XYZ”. Think with me: what are the steps we have to go through to do that? 
The first step: we have to prepare our attack by gathering as much information as possible about the target (the “XYZ” company), its systems, infrastructure, etc. This step is called “&lt;span style="font-weight: bold;"&gt;Reconnaissance&lt;/span&gt;” or “&lt;span style="font-weight: bold;"&gt;Foot Printing&lt;/span&gt;”. Now we know almost everything about the target, so the next step is to find where the leaks in the security system are, that is, what the vulnerabilities in the target are. This step is called “&lt;span style="font-weight: bold;"&gt;Scanning and Enumeration&lt;/span&gt;”. Now, after knowing the holes, it’s time to attack, and “&lt;span style="font-weight: bold;"&gt;Attacking the System&lt;/span&gt;” is our third step. I know you would like to hop into this step immediately, right? But believe me, attacking before doing the first 2 steps is a joke and a waste of time! The fourth step is optional, because you might need to access the hacked system again later, or you might not. To do that, you have to “&lt;span style="font-weight: bold;"&gt;Maintain Access&lt;/span&gt;”. In this step, you can open a port for later access, plant a Trojan, install a Rootkit, etc. Don’t worry, these terms and techniques will be detailed later. Now it’s time to leave the system and go away, BUT didn’t you forget something? Did you check whether your attack left any traces that would lead to you, and then lead you to jail :)? So, our next step is “&lt;span style="font-weight: bold;"&gt;Covering Tracks&lt;/span&gt;”. 
This is exactly how an attack could go.&lt;br /&gt;&lt;br /&gt;To sum up, we learned a few things:&lt;br /&gt;&lt;br /&gt;1- No system is 100% secure&lt;br /&gt;&lt;br /&gt;2- There are 3 types of Testing: “Black Box” which means “No Knowledge”, “White Box” which means “Full Knowledge”, and “Gray Box” which means “Partial Knowledge”.&lt;br /&gt;&lt;br /&gt;3- There are 5 steps to conduct an attack against any system: “Reconnaissance” which means “Data Gathering”, “Scanning” which means “Finding Vulnerabilities”, “Attacking the system” (and I think there is no need to say what it means :)), “Maintain Access” which means “keep a backdoor for later access”, and the last step is “Covering Tracks” which means “remove your attack traces”.&lt;br /&gt;&lt;br /&gt;Next, we will start the “&lt;span style="font-weight: bold;"&gt;bit by bit&lt;/span&gt;” section where we detail every single step to conduct an attack.&lt;br /&gt;&lt;br /&gt;Till next time, Take care</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/ghwTOzpRL9Q/hacking-scenario.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/hacking-scenario.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-7881962435636809094</guid><pubDate>Thu, 03 Jan 2008 09:31:00 +0000</pubDate><atom:updated>2008-02-19T08:47:41.138+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">2- Basics</category><title>Hacking - The Terminology</title><description>Have you seen the “Swordfish” movie?&lt;br /&gt;&lt;br /&gt;There is a scene in the movie where the hacker (Hugh Jackman) is sitting in front of a Dell laptop with a gun pointed at his head, while Shear (John Travolta) explains to him that he's heard that "the best crackers in the world can do this in 60 minutes. Unfortunately, I need it done in 60 seconds." And in 60 seconds he is able to access information locked inside a multibillion-dollar account safeguarded by a security system that contains mountains of government secrets - and money :)&lt;br /&gt;&lt;br /&gt;WOW, in 60 seconds, crack a system that needs 60 minutes to be cracked, get millions of dollars, and a lot of secrets!!!&lt;br /&gt;&lt;br /&gt;Man, I would like to be a CRACKER :)&lt;br /&gt;&lt;br /&gt;But aside from the fantasy in the movie, why didn’t they say HACKER? Why CRACKER? What is the difference between them? 
This leads us to today’s lesson: Hacking Terminology according to the &lt;a href="http://www.sans.org/resources/glossary.php"&gt;NSA (National Security Agency) glossary&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Note: some terms have been removed from the NSA Glossary since 2004; to find them you can check the archive at &lt;a href="http://web.archive.org/web/20030210130738/www.sans.org/resources/glossary.php"&gt;This Link&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacker&lt;/span&gt;: A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Hacking&lt;/span&gt;: Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Penetration&lt;/span&gt;: Gaining unauthorized logical access to sensitive data by circumventing a system's protections.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Penetration Testing&lt;/span&gt;: Penetration testing is used to test the external perimeter security of a network or facility.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Cracker&lt;/span&gt;: One who breaks security on an Information System.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Cracking&lt;/span&gt;: The act of breaking into a computer system.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Phreak(er)&lt;/span&gt;: An individual fascinated by the telephone system. 
Commonly, an individual who uses his knowledge of the telephone system to make calls at the expense of another.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Phreaking&lt;/span&gt;: The art and science of cracking the phone network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Sneaker&lt;/span&gt;: An individual hired to break into places in order to test their security; analogous to a tiger team.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Tiger Team&lt;/span&gt;: Government- and industry-sponsored teams of computer experts who attempt to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Threat&lt;/span&gt;: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Attack&lt;/span&gt;: An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Vulnerability&lt;/span&gt;: Hardware, firmware, or software flaw that leaves an Information System open for potential exploitation. 
A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.&lt;br /&gt;&lt;br /&gt;Other terms will be mentioned during the lessons and defined as needed; for now, these are the most essential terms you need to understand to start Hacking!!&lt;br /&gt;&lt;br /&gt;Please Take Care :)</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/Bpr9NrYExL4/hacking-terminology.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">4</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/hacking-terminology.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-7883693712906019053</guid><pubDate>Thu, 03 Jan 2008 04:24:00 +0000</pubDate><atom:updated>2008-02-19T08:44:40.440+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">2- Basics</category><title>Hacking - The Mindset</title><description>When I was a kid, my father used to tell me “Take it easy, don't always be in a rush, your journey in life starts with ONE STEP”. I'm sure everybody has heard a similar phrase at some time, and I'm sure you are thinking “Ahhh, basics again!!! No way, what is “hacking” in that?”.&lt;br /&gt;&lt;br /&gt;Ok, do you know how to spell the word “Hacking”?&lt;br /&gt;Sure, it's H a c k i n g, right? Man, that was easy.&lt;br /&gt;Yes, that's right, and yes it is easy, but it's easy because when you were a kid, you learned the ABCs, what they are and how to pronounce them. Without learning them, you can never understand what you are reading.&lt;br /&gt;&lt;br /&gt;So please, if you want to be a real hacker, be patient, and learn &lt;span style="font-weight: bold;"&gt;ONE STEP&lt;/span&gt; at a time.&lt;br /&gt;And if you are in a hurry to learn how to use the latest hacking tools without thinking, then go somewhere else.&lt;br /&gt;&lt;br /&gt;So, our first step is to create the mindset of a hacker!&lt;br /&gt;Do you really know what a hacker is? What the hacker's attitude is? 
What the prerequisites for hacking are?&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Eric_S._Raymond"&gt;Eric S. Raymond&lt;/a&gt;, the Godfather of &lt;a href="http://en.wikipedia.org/wiki/Open_source"&gt;Open Source&lt;/a&gt;, wrote an amazing article that any hacker must master before starting to hack. This article can be found here:&lt;br /&gt;&lt;a href="http://www.catb.org/%7Eesr/faqs/hacker-howto.html"&gt;http://www.catb.org/~esr/faqs/hacker-howto.html&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Please read it, and read all the links I mention; you really need them.&lt;br /&gt;And Take Care.</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/Tau4Un8vqIw/hacking-mindset.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2008/01/hacking-mindset.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-4046984248821087870.post-3748697814186185582</guid><pubDate>Mon, 31 Dec 2007 07:13:00 +0000</pubDate><atom:updated>2008-02-19T08:42:32.517+01:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">1- Introduction</category><title>Introduction</title><description>Hello everybody,&lt;br /&gt;and Happy New Year,&lt;br /&gt;&lt;br /&gt;Please allow me to introduce myself and the reason for creating this blog.&lt;br /&gt;&lt;br /&gt;My name is Hayman Ezzeldin, I'm an Information Security Analyst, and that's enough for now :)&lt;br /&gt;&lt;br /&gt;The reason for starting this blog:&lt;br /&gt;To teach detailed hacking attacks and how to analyze them. Not to crack others, but to know how crackers think. So please don't use any of the methods taught here against others, as I won't be responsible for getting you out of jail :)&lt;br /&gt;&lt;br /&gt;You might ask: why do I need to analyze the attacks?&lt;br /&gt;The answer is very simple: have you ever heard about a &lt;a href="http://en.wikipedia.org/wiki/Script_kiddie"&gt;Script Kiddie&lt;/a&gt;?&lt;br /&gt;According to Wikipedia, these are inexperienced malicious crackers who use programs developed by others to attack computer systems and deface websites. 
They lack the ability to write sophisticated hacking programs on their own, and their objective is to try to impress their friends or gain credit in underground cracker communities. I never wanted to be a script kiddie; I always wanted to &lt;span style="font-weight: bold;"&gt;understand how these attacks happen, and what's going on behind the scenes&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Now it's time to get this knowledge out and teach it to others.&lt;br /&gt;&lt;br /&gt;So let's START and please Take Care :)</description><link>http://feedproxy.google.com/~r/PenetrationTesting/~3/QG-3s_TYa0Q/introduction.html</link><author>noreply@blogger.com (Hayman Ezzeldin)</author><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><feedburner:origLink>http://haymanezzeldin.blogspot.com/2007/12/introduction.html</feedburner:origLink></item></channel></rss>
