
ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security, Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Technology is the best way to Change Everything, like Mindset Goal.


PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

  • How to use Burp Suite to intercept client-side requests

     

    How to use Burp Suite to intercept client-side requests

     

     

    Intercept client-side requests 


    Burp Suite, a framework of web application pentesting tools, is widely regarded as the de facto tool to use when performing web app testing. Throughout this room, we'll take a look at the basics of installing and using this tool as well as its various major components. Reference links to the associated documentation per section have been provided at the bottom of most tasks throughout this room.

     

    We will learn how to use Burp to intercept browser network traffic.

    Once the web browser opens, navigate to the following site:

    http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F

     

    Once there, go back to Burp and turn ON intercept mode. Then, enter any username and password combination into the site and click “Login”. As you will see, the page will remain in a loading state. This is because Burp has now intercepted the request we sent to the server, and is holding it for us to manipulate.


     


     

    Now, we will start FoxyProxy in our browser.





    Go back to Burp and you will find the intercepted request, along with the username and password data that we entered. To navigate through the different requests Burp is intercepting, simply press the “Forward” button to send the request to the server and view the next request.

     



    You can also alter any text portion of web traffic when Burp interception mode is ON. Try changing the fields to “tfUName=admin” and “tfUPass=none” and press the “Forward” button. Those are valid credentials for the green-colored page, and you will be granted access to the next page.

     

     


     

     

    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


     

     

  • ARP Poisoning Attack to defend

     

    ARP Poisoning Attack to defend

     

     

    ARP is a protocol that associates a given IP address with the link-layer address of the relevant physical machine. Since IPv4 is still the most commonly used internet protocol, ARP generally bridges the gap between 32-bit IPv4 addresses and 48-bit MAC addresses. It works in both directions.

     

    ARP is a stateless protocol that is used within a broadcast domain to ensure communication by resolving IP addresses to MAC addresses. The relationship between a given MAC address and its IP address is kept in a table known as the ARP cache. The ARP protocol ensures the binding of IP address and MAC address. By broadcasting the ARP request with IP addresses, the switch can learn the associated MAC address information from the reply of the specific host.

     

    In the event that there is no mapping or the mapping is unknown, the source sends a broadcast to all nodes. Only the node with the matching MAC address for that IP answers the request, with a packet that contains the MAC address mapping. The switch records the MAC address and its connected port information in its fixed-length CAM table.

     

     


     

    As shown in the figure, the source generates the ARP query by broadcasting the ARP packet. Only the node that has the MAC address the query is destined for will reply to the packet. The frame is flooded out of all ports (other than the port on which the frame was received) if the CAM table entries are full; this also happens when the destination MAC address in the frame is the broadcast address. The MAC flooding technique is used to turn a switch into a hub, in which the switch starts broadcasting each and every packet. In this scenario, each user can capture packets, even those that are not intended for them.




  • All About NTP Enumeration

     



    All About NTP Enumeration



    NTP stands for Network Time Protocol, designed to synchronise the clocks of networked computers. NTP can achieve accuracy of 200 million seconds or better in local area networks under ideal conditions. NTP can maintain time to within 10 milliseconds (1/100) over the internet. NTP is based on an agent-server architecture where the agent queries the NTP server, and it works over User Datagram Protocol (UDP) on well-known port 123.



    NTP Enumeration



    An attacker can enumerate the following information by querying an NTP server.

    1) List of hosts connected to the NTP server.
    2) Internal client IP addresses, host names and operating systems used.


     

    NTP Enumeration Tools



    The following table shows the list of tools to perform NTP enumeration.

    Name of the tools and description/web links



    1) NTP Trace

    Queries to determine where the NTP server updates its time from and traces the chain of NTP servers back to the source.


    2) ntpdc

    Queries the ntp daemon about its current state and requests changes in that state.


    3) ntpq

    Monitor NTP daemon ntpd operations and determine performance.


    4) Cisco ntpd packet tracer download

    https://www.computernetworkingnotes.com/ccna-study-guide/download-packet-tracer-for-windows-and-linux.html



    NTP Security Controls



    The following are the security controls to prevent ntp enumeration attack.


    # Restrict the use of NTP and enable the use of NTPsec where possible.

    # Filter the traffic with iptables.

    # Enable logging for the messages and events.
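
    The logging and filtering controls above can be backed by a check on what arrives on UDP port 123. This added example (not from the original post) decodes the mode field of each datagram and flags control (mode 6, used by ntpq) and private (mode 7, used by ntpdc) queries from hosts outside an allowed management subnet; the subnet, addresses and packets are constructed assumptions.

```python
"""Flag NTP query traffic (the kind ntpq and ntpdc send) from unexpected sources."""
import ipaddress

MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}
QUERY_MODES = {6, 7}  # mode 6 is used by ntpq, mode 7 by ntpdc

# Assumption: only this management subnet may send monitoring queries.
ALLOWED_QUERY_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]


def parse_header(payload):
    """Decode the first NTP byte: leap indicator (2 bits), version (3), mode (3)."""
    if len(payload) < 1:
        raise ValueError("empty NTP payload")
    first = payload[0]
    return {"leap": first >> 6, "version": (first >> 3) & 0x7, "mode": first & 0x7}


def classify(src, payload):
    """Return 'ok', 'query-allowed', 'query-alert' or 'malformed' for one datagram."""
    try:
        mode = parse_header(payload)["mode"]
    except ValueError:
        return "malformed"
    if mode not in QUERY_MODES:
        # Time-sync packets carry a fixed 48-byte header; mode 0 is reserved.
        return "ok" if mode != 0 and len(payload) >= 48 else "malformed"
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in ALLOWED_QUERY_SOURCES):
        return "query-allowed"
    return "query-alert"


def make_packet(version, mode, length):
    """Build a constructed test datagram: header byte followed by zero padding."""
    return bytes([(version << 3) | mode]) + bytes(length - 1)


# Constructed capture: (source address, UDP/123 payload).
SAMPLE = [
    ("203.0.113.7", make_packet(4, 3, 48)),    # ordinary client time request
    ("198.51.100.5", make_packet(2, 6, 12)),   # control query from the management subnet
    ("203.0.113.9", make_packet(2, 6, 12)),    # control query from an outside host
    ("203.0.113.9", make_packet(2, 7, 8)),     # private-mode query from an outside host
    ("203.0.113.7", make_packet(4, 3, 10)),    # truncated time request
]


def summarize(capture):
    """Return [(src, mode name, verdict)] for every datagram in the capture."""
    rows = []
    for src, payload in capture:
        mode = MODE_NAMES.get(payload[0] & 0x7, "reserved") if payload else "none"
        rows.append((src, mode, classify(src, payload)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep="\t")
```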





  • All about LDAP enumeration

     


     

    LDAP Enumeration



    LDAP stands for Lightweight Directory Access Protocol. It is an internet protocol for accessing distributed directory services such as Active Directory or OpenLDAP. A directory service is a hierarchical and logical structure for storing records of users. LDAP is based on a client-server model, and data is transmitted between client and server using Basic Encoding Rules (BER).


    LDAP Enumeration - LDAP supports anonymous remote queries on the server. The query will disclose sensitive information such as usernames, addresses, contact details, department details etc.
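
    To show what an anonymous query looks like in BER, this added example (not part of the original post) decodes the BindRequest that opens an LDAP session and labels it anonymous, unauthenticated, simple or SASL, which is the distinction a server log or network sensor needs. The sample messages, DN and password are constructed; the helper names are this example's own.

```python
"""Decode LDAP BindRequests from BER bytes and label the kind of bind."""


def read_tlv(buf, pos=0):
    """Read one BER element at pos; return (tag, value bytes, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def tlv(tag, value=b""):
    """Encode one BER element; used here only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + value


def bind_request(msg_id, dn, auth):
    """Build LDAPMessage{messageID, BindRequest{version 3, name, authentication}}."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + auth
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))


def classify_bind(message):
    """Return (message id, kind) for one LDAPMessage."""
    tag, body, _ = read_tlv(message)
    if tag != 0x30:                          # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body)          # INTEGER messageID
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:                       # [APPLICATION 0] BindRequest
        return int.from_bytes(msg_id, "big"), "not-a-bind"
    _, _version, pos = read_tlv(op)          # INTEGER version
    _, name, pos = read_tlv(op, pos)         # OCTET STRING bind DN
    auth_tag, cred, _ = read_tlv(op, pos)    # [0] simple password or [3] SASL
    if auth_tag == 0xA3:
        kind = "sasl"
    elif auth_tag != 0x80:
        kind = "unknown-auth"
    elif not name and not cred:
        kind = "anonymous"                   # empty DN and empty password
    elif not cred:
        kind = "unauthenticated"             # DN given, password empty
    else:
        kind = "simple"
    return int.from_bytes(msg_id, "big"), kind


DN = b"cn=reader,dc=example,dc=org"          # constructed sample values
SAMPLES = [
    bind_request(1, b"", tlv(0x80)),
    bind_request(2, DN, tlv(0x80)),
    bind_request(3, DN, tlv(0x80, b"constructed-password")),
    bind_request(4, DN, tlv(0xA3, tlv(0x04, b"GSSAPI"))),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.hex(), classify_bind(sample))
```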



    LDAP Enumeration Tools



    The following table shows the list of tools to perform LDAP enumeration.


    1) Softerra LDAP

    http://www.idapadministrator.com/


    2) Jxplorer

    http://jsxplorer.org/


    3) Active directory domain services management pack for system center

    https://www.microsoft.com/en-in/download/details.aspx?id=21357


    4) LDAP Admin Tool


    http://www.idapadmin.org/


    5) LDAP administrator tool

    https://sourceforge.netprojects/idapadmin/



    LDAP Security Controls



    The following are the security controls to prevent LDAP enumeration attacks.

    # Use SSL to encrypt LDAP communication.

    # Use Kerberos to restrict access to known users.

    # Enable account lockout to restrict brute forcing.





  • All About NetBIOS Enumeration

     


     

    NetBIOS  Enumeration



    NetBIOS stands for Network Basic Input Output System. IBM developed it along with Sytek. NetBIOS was primarily developed as an application programming interface (API) to enable access to LAN resources by the client's software.


    The NetBIOS naming convention uses a 16-character ASCII string to identify network devices over TCP/IP. 15 characters are used for the device name and the 16th character is reserved for the service or name record type.




    NetBIOS enumeration explained



    NetBIOS software runs on port 139 on the Windows operating system. The file and printer service needs to be enabled to enumerate NetBIOS on the Windows operating system.

    An attacker can perform the below on the remote machine.


    1) Choose to read or write to a remote machine depending on the availability of shares.
    2) Launch a Denial of Service (DOS) attack on the remote machine.
    3) Enumerate password policies on the remote machine.



    NetBIOS Enumeration Tools


    The following table shows the list of tools to perform NetBIOS enumeration.

    Name of the tools and web links.

    1) Nbtstat - www.technet.microsoft.com

    2) Superscan - https://www.mcafe.com/in/downloads/free-tools/superscan.aspx

    3) Hyena - http://www.systemtools.com/hyena

    4) winfingerprint - http://packetstormsercurity.com/files/38356/winfingerprint-0.6.2.zip.html





    NetBIOS security controls 



    The following are the security controls to prevent NetBIOS enumeration attacks.

    # Minimize the attack surface by minimizing unnecessary services such as Server Message Block (SMB).


    # Remove file and printer sharing in the Windows OS.





     
  • All About SNMP

     


     


    Enumeration Using SNMP


    SNMP stands for Simple Network Management Protocol. It is an application-layer protocol that uses UDP to maintain and manage routers, switches, hubs and other devices on an IP network. SNMP is a very common protocol found enabled on a variety of operating systems such as Windows Server, Linux and Unix servers, as well as network devices like routers, switches etc.


    SNMP enumeration is used to enumerate user accounts, passwords, groups, system names and devices on a target system.


    It consists of three major elements :


    1) SNMP Manager (Managed Devices) - A managed device is a device or a host (technically known as a node) which has the SNMP service enabled. These devices could be routers, switches, hubs, bridges, computers etc.

    OR

    It is a centralised system used to monitor the network. It is also known as a network management station (NMS).


    2) SNMP Agent - It is management software that runs on managed devices. Managed devices can be network devices like PCs, routers, switches, servers etc.

    3) Management Information Base - The MIB consists of information on the resources that are to be managed. This information is organised hierarchically. It consists of object instances, which are essentially variables.



    SNMP Messages


    The different SNMP messages are -


    1) GetRequest - The SNMP manager sends it to the SNMP agent. It is simply used to retrieve data from the SNMP agent. In response to this, the SNMP agent responds with the requested value through a Response message.

    2) GetNextRequest - This message can be sent to discover what data is available on an SNMP agent. The SNMP manager can request data continuously until no more data is left. In this way, the SNMP manager can learn of all the available data on the SNMP agent.


    3) GetBulkRequest - This message is used to retrieve large amounts of data at once from the SNMP agent. It was introduced in SNMPv2c.

    4) SetRequest - It is used by the SNMP manager to set the value of an object instance on the SNMP agent.

    5) Response - It is a message sent from the agent upon a request from the manager. When sent in response to Set messages, it will contain the newly set value as confirmation that the value has been set.

    6) Trap - These are messages sent by the agent without being requested by the manager. A trap is sent when a fault has occurred.

    7) InformRequest - It was introduced in SNMPv2c and is used to identify whether the trap message has been received by the manager or not. The agent can be configured to send the trap continuously until it receives an inform message. It is the same as a trap but adds an acknowledgement that a trap doesn't provide.



    SNMP Versions - There are 3 versions of SNMP.


    1) SNMPv1 - It uses community strings for authentication. It uses UDP but can be configured to use TCP.

    2) SNMPv2 - It uses community strings for authentication. It uses UDP but can be configured to use TCP.

    3) SNMPv3 - It uses hash-based MAC with MD5 or SHA for authentication and DES-56 for privacy. This version uses TCP. Therefore, the conclusion is that the higher the version of SNMP, the more secure it will be.



    SNMP Security Levels - These define the type of security algorithm performed on SNMP packets. They are used only in SNMPv3. There are 3 security levels, namely:


    1) NoAuthentication - This (no authentication, no privacy) security level uses a community string for authentication and no encryption for privacy.

    2) authNoPriv - This security level (authentication, no privacy) uses HMAC and MD5 or SHA for authentication, and encryption uses the DES-56 algorithm.



    SNMP Enumeration - With default SNMP settings, the SNMP configuration can be viewed or modified. Attackers can enumerate SNMP on remote network devices for the following -

    # Information about network resources such as routers, shares, devices etc.

    # ARP and routing tables.

    # Device-specific information

    # Traffic statistics etc.
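
    A configuration check that follows from the versions and security levels above, as an added example that is not from the original post: it audits an snmpd.conf for default community strings, unrestricted sources, community-based write access and SNMPv3 users allowed below full authentication and encryption. It assumes Net-SNMP's rocommunity/rwcommunity/rouser/rwuser directives, which the page does not mention, and the sample file is constructed.

```python
"""Audit a Net-SNMP style snmpd.conf for settings that ease SNMP enumeration."""
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample configuration (names and addresses are placeholders).
SAMPLE_CONF = """\
# legacy monitoring
rocommunity public
rwcommunity netops 192.0.2.0/24
rouser  dashboard noauth
rouser  collector
rwuser  admin priv
"""


def audit(conf_text):
    """Return a list of (line number, severity, message) findings."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rocommunity", "rwcommunity") and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "high",
                                 f"default community string '{community}'"))
            if source == "default":
                findings.append((lineno, "medium",
                                 "community accepted from any source address"))
            if directive == "rwcommunity":
                findings.append((lineno, "high",
                                 "write access guarded only by a community string"))
        elif directive in ("rouser", "rwuser") and args:
            # Skip an optional "-s SECMODEL" pair, then read USER [LEVEL].
            rest = args[2:] if args[0] == "-s" else args
            if not rest:
                continue
            # Assumption: an omitted level means authentication without encryption.
            level = rest[1] if len(rest) > 1 else "auth"
            if level == "noauth":
                findings.append((lineno, "high",
                                 f"user '{rest[0]}' allowed without authentication"))
            elif level == "auth":
                findings.append((lineno, "low",
                                 f"user '{rest[0]}' not required to use encryption"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit(SAMPLE_CONF):
        print(f"line {lineno}: [{severity}] {message}")
```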



    SNMP Enumeration Tools


    The following table shows the list of tools to perform SNMP Enumeration.


    Name of the tool and web links

    1) Oputils


    www.manageengine.com/products/oputils


    2) Solarwinds

    www.solarwinds.com

     

    3) SNScan

    www.mcafee.com/us/downloads/free-tools/scscan.aspx

     

    4) SNMP Scanner


    http://www.secure-bytes.com/snmp-scanner.php

     

     

     



     

     

     

     

  • Taxonomy of Reconnaissance

     

    Taxonomy of Reconnaissance

     


     

    In a red team operation, you might start with no more than a company name, from which you need to start gathering information about the target. This is where reconnaissance comes into play. Reconnaissance (recon) can be defined as a preliminary survey or observation of your target (client) without alerting them to your activities. If your recon activities create too much noise, the other party would be alerted, which might decrease the likelihood of your success.


    Reconnaissance (recon) can be classified into two parts:

    # Passive Recon: can be carried out by watching passively
    # Active Recon: requires interacting with the target to provoke it in order to observe its response.


    Passive recon doesn't require interacting with the target. In other words, you aren't sending any packets or requests to the target or the systems your target owns. Instead, passive recon relies on publicly available information that is collected and maintained by a third party. Open Source Intelligence (OSINT) is used to collect information about the target and can be as simple as viewing a target's publicly available social media profile. Example information that we might collect includes domain names, IP address blocks, email addresses, employee names, and job posts. In the upcoming task, we'll see how to query DNS records and expand on the topics from the Passive Reconnaissance room and introduce advanced tooling to aid in your recon.


    Active recon requires interacting with the target by sending requests and packets and observing if and how it responds. The responses collected - or lack of responses - would enable us to expand on the picture we started developing using passive recon. An example of active reconnaissance is using Nmap to scan target subnets and live hosts. Other examples can be found in the Active Reconnaissance room. Some information that we would want to discover include live hosts, running servers, listening services, and version numbers.



    Active recon can be classified as:


    # External Recon: Conducted outside the target's network and focuses on the externally facing assets accessible from the Internet. One example is running Nikto from outside the company network.

    # Internal Recon: Conducted from within the target company's network. In other words, the pentester or red teamer might be physically located inside the company building. In this scenario, they might be using an exploited host on the target's network. An example would be using Nessus to scan the internal network using one of the target’s computers.


     

     

