Category: Hacking

Posted on by

Complete guide to DNSenum

Hello, aspiring ethical hackers. In the previous blogpost on DNS enumeration, you learnt what DNS service is used for, different types of records it has, what information can DNS enumeration reveal to hackers or pentesters. In this blogpost you will learn about a tool named DNSenum that can be used to enumerate DNS. DNSenum is a multithreaded perl script that is used to gather information from target DNS servers.

The features of DNSenum are,

  1. Get the host’s address (A record).
  2. Get the nameservers (NS).
  3. Get the MX record (MX).
  4. Perform axfr queries on nameservers and get BIND VERSION.
  5. Get extra names and subdomains via google scraping (google query = “-www site:domain”).
  6. Brute force subdomains from file, can also perform recursion on subdomain that have NS records.
  7. Calculate C class domain network ranges and perform whois queries on them.
  8. Perform reverse lookups on netranges (C class or/and whois netranges).

Let’s see how to perform DNS enumeration with DNSenum. DNSenum is included by default in Kali Linux. If you want to enumerate a domain with DNSenum. all you have to do is supply a domain name as shown below.

dnsenum <domain>

When run in default mode, DNSnum first enumerates the host address, then the name servers, then MX records, ACFR queries, extra names and subdomains via google scraping, brute forces subdomains from them, calculates the class C IP network ranges from the results and performs whois queries on them and performs reverse lookup on these IP addresses.

–dnsserver

In some cases, the result from the enumeration can vary depending on the server that is queried. Using DNSenum, we can perform a query by using another DNS server as shown below.

When you first use dnsenum on a domain to perform enumeration, you will notice that there will be a considerable delay at some stages. The delay occurs while dnsenum is brute forcing the subdomain names and then while performing reverse lookup on the IP address range.

While brute forcing the subdomain names, there is a delay because the file used by DNSenum (“/usr/share/dnsenum/dns.txt”) has over 1506 entries. So, until the tool checks all the entries, there will definitely be a delay. Can we reduce this data? Yes, by using another file instead of the default one. For example, we can create our own “dns.txt” file with entries of subdomains gathered from other type of enumeration.

–file(f)

We can specify this custom file with the (-f) option as shown below.

–subfile

We can also save the output of subdomain brute forcing in a file using the subfile option as shown below.

–noreverse

Coming to reverse lookup, while performing reverse lookup on 512 IP addresses (in this case) definitely takes time. But don’t worry. We can skip the reverse lookup by using the normal option.

–private

This option enumerates and saves the private IP addresses of a domain in the file named <domain_name>_ips.txt.

–timeout (-t)

The default timeout option of TCP queries and UDP queries for dnsenum is 10 seconds. The timeout option allows us to change it.

–threads (va)

This option is used to specify the number of threads to perform different queries.

–verbose (-v)

You already know what this option does. It reveals more information. See the differences.

–scrape (-s)

Used to specify the number of subdomains to be scraped from Google.

Here’s the result.

–page (-p)

While scraping the subdomain with dnsenum above, you should have noticed that it queries Google search pages for subdomains related to the domain. By default, it is 20 pages. Using this option, it can be changed. For example, lets set it to 10.

–recursion (-r)

This option can be used to perform recursion on subdomain gathering.

–whois (-w)

As you might have expected, this option is used to perform whois queries on class C network ranges. It can be time consuming. Use wisely. Learn what is whois footpriting.

–delay (-d)

This option is used to specify the maximum delay between each whois query. The default delay is 3 seconds.

That’s all about DNSenum.

Posted on by

Beginners guide to footprinting websites: Part 2

Hello aspiring ethical hackers. In Part-1 of website footprinting, you learnt how to gather information about a website by using methods like grabbing banners, directory scanning and spidering. In this Part-2, you will learn about some more techniques for footprinting websites.

4. Website mirroring

Either you are directory scanning or spidering, you are sending a lot of requests to the website (especially if the website is very large) which may raise suspicions or on the target side or you will be blocked. What if there was an effective workaround for this. Actually, there is. Instead of sending requests to the target website, we can download the entire website to your local device. This is known as website mirroring. For example, let’s mirror a website using wget as shown below.

5. Footprinting websites using online services

A website is constantly updated. The information that is displayed on the website last year may not be there today. What if there was a way to go back in time to view the past versions of a website for gathering information. Actually, there is a way for this. By using the website archive.org. Archive.org collects the snapshot of the website at different points in time from the time the website existed and stores it. So, you can go there and view how the website looked 10 years back ago or three years ago. For example, this is how our website looked way back in 2018.

Better, you can constantly monitor the updates being made to the websites using a website known as website watcher.

Website watcher automatically checks webpages for any updates and changes.

Posted on by

Beginners guide to DoS attack

Hello, aspiring ethical hackers. In this blogpost you will learn about DoS attack. In April 2007, the government services, financial institutions and various media outlets of Estonia, a nation in eastern Europe were hit with a massive Denial of service attacks. The attack that almost crippled Estonia (almost all services of Estonia are based only online) coincided with the relocation of “Bronze soldier of Tallinn” a world war II monument which Russia objected to.

What is DoS attack?

DoS or Denial-of-Service attack is an attack that makes a website, service, network or software inaccessible to legitimate users. For example, imagine you are a user of Gmail. When you are trying to access Gmail to check an important mail sent from your office, you are unable to reach the servers of Gmail as there is a DoS attack on Gmail servers.

Types of DoS attacks

DoS attacks can be classified into three types. They are Volumetric attacks, Protocol attacks and Application layer attacks.

Volumetric attacks

In volumetric attacks, the bandwidth of the target network or service is exhausted, thus denying any legitimate users access to bandwidth. The magnitude of the attack is measured in bits-per-second (bps). Examples of these types of attacks are Ping of Death attack, UDP Flood attack, ICMP flood attack and Smurf attack.

1. Ping Of Death attack:

According to RFC791 IP, the maximum size of the packet should not exceed 65,535 bytes. In the Ping of Death attack, an attacker sends an oversized packet of size more than the prescribed limit with a ping request. (For example, a packet of size 65,550 bytes). The target system may crash while trying to reassemble this packet.

2. UDP Flood attack:

In this type of attack, an attacker sends a number of spoofed UDP packets to random ports of the target system. Target server tries to check for these applications (some of which are nonexistent) repeatedly. This causes exhaustion of the bandwidth in use thus replying to legitimate connections with a ICMP destination unreachable message.

3. ICMP Flood attack:

In the ICMP flood attack, the attacker sends a large volume of ICMP request (ping) messages to the target server either from a single IP or multiple IP addresses. The target server is bound to reply to these packets with a ICMP echo reply message thus exhausting the bandwidth.

4. Smurf attack:

In a smurf attack, the attacker sends ICMP echo request message to the broadcast network address spoofing the IP address of the target server. This makes all the devices in the network to reply to this echo request message with a echo reply message. Since the address of the target server is used in the echo request message, all the devices reply with this IP thus, making the target server inaccessible to the legitimate users.

Protocol attacks

In this type of DoS attacks, instead of exhausting the bandwidth, attackers try to exhaust resources available on the target network or website thus making it inaccessible to the legitimate users. Examples of these DoS attacks are SYN Flood attack, ACK Flood attack, TCP connection flood attack, Fragmentation attack and RST attack. This DoS attack is measured in Packets-per-second (pps).

1. SYN Flood attack:

In our blogpost on port scanning techniques, you learnt about the 3-way handshake.

In this attack, attackers exploit this 3-way handshake. How? The attacker sends multiple TCP SYN requests to the target server. When the target server responds to these SYN requests with a SYN/ACK packet, the attacker never sends a ACK message in response. This creates a partially open connection. By default, the target server or machines should track a partially opened connection for 75 seconds.

This is known as SYN flood. In these 75 seconds, the attacker can send large volume of SYN requests thus overloading the target system which eventually makes it inaccessible to the legitimate users.

2. Fragmentation attack:

Network or IP layer of OSI model allows packet fragmentation in order to overcome the problem of any higher-level protocol creating a packet larger than the size any particular local network supports. Attackers exploit this feature to send a large number (1500+bytes) of fragmented packets to the target server. The size of each fragment is usually reduced and small packet rate is used. This forces the target server to utilize a large number of resources to reassemble these fragmented packets thus causing DoS attack.

Application Layer attacks

In this type of DoS attacks, attackers exploit any vulnerabilities in the target server to prevent its access to the legitimate users. These vulnerabilities include cross site scripting, CSRF, File upload but most probably a Buffer overflow vulnerability. The magnitude of this attack is measured in requests-per-second (rps). Examples of this attacks include HTTP flood attacks and Slowloris attack.

1. HTTP GET/POST attack:

Browsers connect to the web server using HTTP requests. These requests can be either HTTP GET or HTTP POST. In this type of attack, attackers exploit these requests to perform DoS attacks.

In a HTTP GET DoS attack, attackers use time delayed HTTP headers to exhaust resources of webserver whereas in HTTP POST DoS attack the attacker sends HTTP requests with complete headers and without a message body or an incomplete message body.

Posted on by

Beginners guide to Social Engineering

Hello, aspiring ethical hackers. In this blogpost you will learn about Social Engineering. Social Engineering is one of the most important techniques in Black Hat Hacking. It is used by APTs and Threat Actors even now.

What is Social Engineering?

Social Engineering is the art in which a human is convinced to perform actions which he is not intended to or shouldn’t be performing under normal circumstances. Hackers use social engineering to grab credentials, gather any required information about the organization or to gain initial access etc. It exploits human emotions like intention to trust, curiosity and other emotions.

Types of Social Engineering

Social Engineering can be classified into three types. They are: Human based, Computer based and Mobile based.

social_engineering

Human based Social Engineering

In human based social engineering, hacker interacts with a human personally to perform the attack. There are many types of social engineering attacks. Some of them are,

1. Dumpster diving:

Dumpster diving is a technique in which a hacker searches the dump or dustbin to gather any information about the organization.

2. Impersonation:

In this attack, attacker impersonates as another user to gather important information about any organization or performing hacking attacks. Any information obtained in dumpster diving can be useful in this stage. Obviously, an attacker will impersonate as a legitimate user of the organization or a person of authority or anyone else who has a chance to enter a company physically or virtually.

In June 2023, hacking group tracked as “Pink Drainer” impersonated journalists in phishing attacks to gain access to 1932 Discord and Twitter accounts. They stole approximately $29,97,707 worth of cryptocurrency.

3. Piggybacking:

Piggybacking is used to gain access to the premises of a company or organization. In piggybacking, a genuine employee of an organization allows access to the attacker because he/she thinks that the attacker has genuine reason to be on the organization’s premises. It usually happens when the hacker impersonates as anyone who is allowed into company’s premises. For example, delivery boy, technician etc.

4. Tailgating:

In tailgating, which is another social engineering techniques to gain illegal access to the company’s premises, a hacker tries to gain access to the company’s premises by quickly following behind a legitimate or genuine user immediately after he/she gains access into company’s premises.

5. Eavesdropping:

Eaves dropping is secretly listening to the conversation of employees of the organization etc. This can happen anywhere but mostly happens at recreational spots.

6. Shoulder surfing:

Shoulder surfing is the technique in which an attacker spies on the legitimate users of the organization by staying behind them. Shoulder surfing is normally used to see the legitimate user is entering his credentials but it can also be used to gather any valuable information.

7. Vishing:

In vishing, also known as voice phishing, a hacker uses voice over a phone or a VOIP call to perform social engineering.
In July 2020, hackers used vishing to trick Twitter employees into revealing account credentials of 130 Twitter account including that of Barack Obama, Joe Biden and Kanye West. The share value of Twitter plummeted by 7% after this incident.

8. Pretexting:

In pretexting, attacker creates specific scenarios or events by which the user he is targeting reveals information he/she makes.

Computer based Social Engineering

When a computer is used in an engineering attack, it is known as computer based social engineering attack. There are two types of computer based social engineering attacks. They are,

1. Phishing:

In phishing, attackers create a fake website (impersonating a genuine website) and divert the target users to this fake website to grab their credentials or make them download malware. There are multiple examples of hackers creating a fake phishing website to steal credentials, credit card information or other sensitive information. In August 2023, Supreme Court (the highest court of India) warned users about a fake website impersonating website of the Supreme Court trying to solicit personal details and confidential information from users.

2. Spear Phishing:

In spear phishing, a hacker selects specific users as targets and sends them an email with malware attached to the email and luring them to download and execute the attached payloads or take some other action. In February 2022, Russian hacking group known as Gamaredon, targeted Ukrainian government agencies and NGO’s with a spear phishing email campaign with malware laden emails.

Mobile based Social Engineering

If an engineering attack uses mobile it is known as mobile based social engineering. SMishing is a type of mobile based social engineering attack.

1. SMishing:

SMishing or SMS phishing is a phishing attack which is performed by sending a SMS to the target user’s mobile phone with a link to the fake website attacker created. In 2020, cyber criminals sent SMS messages to various user’s mobile phones asking them to click on a link to view important information about an upcoming delivery from United States Post Office (USPS). When users clicked on the links in these SMS, it took them to a malicious website that was designed to steal user’s Google account credentials.

Posted on by

Password sniffing tutorial for beginners

Hello, aspiring Ethical hackers. In this article, you will learn about password sniffing. You should have observed that almost all the websites you have visited recently have a padlock sign and begin with HTTPS now. Google started giving minor ranking boost to websites with HTTPS enabled since year 2014. As you will learn by the end of the blogpost, there is a good security reason behind this.

What is Password sniffing?

Password sniffing or Credential sniffing is sniffing or capturing of credentials (or any other data) while they are in transit from one machine to another machine (usually from client to server). Password sniffing is only possible when plain text protocols are in use. Plain text protocols are those protocols in which confidential information like usernames and passwords are passed to the server in complete plain text and without any encryption.

This allows anyone in middle to sniff on these usernames and passwords. Examples of plain text or clear text protocols are FTP, Telnet, SMTP, HTTP, IMAP, POP3, TFTP etc. Let’s see password sniffing practically. In this article, we will demonstrate the basic level of password sniffing on plaintext protocols. For this, we will be using three virtual machines which are on the same network.

They are Metasploitable 2 which acts as server, Ubuntu which acts as client and of course Kali as our Attacker system. As you can see, the IP addresses of the three machines are

Metasploitable2 – 192.168.64.128 (Server)

Ubuntu – 192.168.64.132 (Client)

Kali – 192.168.64.132 (Attacker system)

Let’s start Wireshark on the attacker machine (on interface eth0). It starts capturing packets on the network.

The reason why we are using Metasploitable 2 as our target is that it already has many services that we need for this tutorial preinstalled. The first service we will be using is Telnet. It is a protocol that is used for remote access on another system. On most Linux systems, Telnet clients are installed by default.

So we open a terminal and log into the Metasploitable 2 Telnet server with the credentials shown below.

The login is successful. Now on the Attacker system, we can observe the traffic being captured by the Wireshark sniffer. You can see data related to Telnet being transferred.

We can Right Click on that Telnet data stream and click on “Follow” as shown below.

In the sub menu that opens when we click on the only option “TCP stream” a new window opens that will show only the TCP stream.

In this window, you can see the credentials we just used to login into the target system. Telnet is a plain text protocol which transfers credentials and other sensitive data in plain text. This allows sniffing of data. That’s the reason it has been mostly replaced by Secure Shell (SSH) nowadays.

Let’s see another protocol. File Transfer Protocol (FTP) is a protocol that is used to share files. It is another protocol that transfers data in plain text. From our client, we login into the FTP server with credentials “anonymous:anonymous”.

Anonymous account in FTP is used to share files to anyone without the need for them to know credentials.

On the Wireshark interface, you can see FTP data being transferred.

We can view the TCP stream

This once again shows credentials.

Instead of observing LIVE data transfer and following TCP stream from there, we can also just save the packet capture file and open the file later for analysis.

After opening the file, we can search for specific terms as shown below.

packet sniffing

Then following the TCP stream gives us the credentials.

Seeing the vulnerability due to sniffing, many protocols have been replaced with secure protocols which transfer data in encrypted form instead of plain text form. These are given below.