Ermin Kreponic Hacking Notes:


Introduction to Ethical Hacking:
Black hats - malicious hackers, motivated by money or political statements
White hats - ethical hackers, paid to test the security of systems for companies
Grey hats - not necessarily malicious, but act out of selfish motives
Threat - something that could potentially harm an application; black hat
hackers look for ways to turn threats into attacks
Threat agents - whoever attacks the application (black hats)
Vulnerability - a weakness in the application that a black hat finds and
exploits
Flaw - a wrong design decision in the application (i.e. verification not
implemented) or a misconfiguration
Issue - a general term covering flaws and vulnerabilities; anything that can
decrease the security of a system is an issue
Exploit - an automated or manual way to take advantage of a vulnerability;
threat agents (black hats) use exploits to exploit vulnerabilities
Attack - a threat becoming actualized against the target through the
exploitation of a vulnerability; for an attack to happen there needs to be a
threat, a threat agent (if it is intentional), a vulnerability and an exploit
(automated or manual)
Risk - the product of two values, probability and impact: the probability that
something might happen and the impact it would cause if it did
Incident - an attack that has happened or is happening, or something else going
wrong (e.g. someone trying to brute force their way into the system)
Countermeasures - physical, logical or organizational; aim to lower the
probability of an incident happening, lower its impact, or both
Control - a way to lower the risk: transfer the risk (redirect the losses to an
insurance company) or avoid the risk (a patch or security update might remove
THAT risk altogether)
Security Audit - not a pen-test; looks at previous history and draws
conclusions that prove what was going on during a period of time
Security Assessment - understanding what is going on right now, not what
happened before; checks whether there is progress since a previously issued
pen-test, not whether everything is fixed, since remediation is a work in
progress
Penetration Testing - a test to see how systems and/or people react to attacks:
producing, observing and assessing results; interacting with the target to see
how it reacts to different types of attacks and understanding that reaction, to
see whether the security posture is okay or not; if not, dig deeper to see the
probability of an attack on that problem and create a recommendation on how to
deal with it; a pen-test is interactively testing the system and its resilience
and resistance to security threats/attacks
Assessment Scope - defines what is going to be tested; could be that any IT
asset of the company is in scope, or just a well-guarded DNS name or a list of
IP addresses/URLs/API endpoints; could be broad or narrow; the broader it is,
the higher quality the results ethical hackers can produce, but large scopes
are quite time consuming
Black box testing - zero knowledge about the scope when you start the
assessment; implies using a methodology built on the assumption that you have
zero knowledge
White box testing - no time spent on reconnaissance; the scope is known at the
beginning, along with knowledge of the systems or the code
Grey box testing - partial knowledge
Pentest Report - a statement of the scope and limitations, what the goal was,
what the threat model was and what level of attacker was imitated; an executive
summary of what happened (the scope, whether everything is ok/bad and whether
expectations were met); the executive summary should be short (about a page
long); if something is wrong then list solutions; if it is critical it should
be fixed, and if it has not been it should be reported straight away rather
than waiting for the written report; the report should cover what you did and
tested as well as recommendations
CIA triad - stands for Confidentiality, Integrity and Availability
Confidentiality - secrecy, the absence of unauthorized access; ensure no
unauthorized access to information or systems is happening; privacy of business
data
Integrity - validity and correctness; no unauthorized change, the data has not
been modified
Availability - access when we need it; authorized users can access the system
at any given time; if you cannot get to it then some kind of DoS attack is
happening and availability is broken
Non-repudiation - cannot deny the authorship of information; cannot say "it was
not me" if I have issued a digital signature for a document, an email or a
message
Accountability - all changes and actions in the system have to be accounted
for, to have a clear picture of what is wrong and to investigate an incident
when it happens
Triple A (AAA) triad - Authentication, Authorization and Accounting
Accounting - logging; provides accountability in that everything is recorded
and there is a log that cannot be, or has not been, changed
Authentication - identification; verifying that users are who they claim they
are, in a verifiable way, using authentication factors: something you know
(password, passphrase; can be forgotten), something you have (phone, smart
card; can be lost) and something you are (biometrics, fingerprint, iris scan;
cannot be changed)
Authorization - providing permissions; once authenticated you have to be
authorized so you can be given your role in the system (general user,
administrator)
Rules of Engagement - what can be done, on what dates, on what systems; the
scope of the assessment; legal agreement, invoice, list of actions that
can/cannot be done
Scope Validation - being assured that what is in the engagement letter actually
belongs to this client; the client might make mistakes (i.e. include something
they do not own)
Incident Response - report to the client if something happens during testing
(pause testing and wait for further instructions); you might discover a
security incident already in progress (someone else is already in the system):
do not tamper with evidence, do not change anything, gather all the evidence
(conclusions) and retreat immediately
Reporting - does not have to be linked to you; all information should be in it
(no need for interpretation) and it should be written so that it can be
understood without consulting you afterwards for clarification
Professional/Contractual Liability - insurance, in case something happens;
rare but might still happen; could be penalties or compensation in case of a
mistake

Reconnaissance - Surveying the Attack Surface:

Reconnaissance - first step in an attack; collect information/data; better
recon means the later phases go more smoothly
Enumeration - a network enumerator or network scanner is a computer program
used to retrieve usernames and information on groups, shares and services of
networked computers; this type of program scans networks for vulnerabilities in
the security of that network
Gaining access - the most important phase of an attack in terms of potential
damage, although attackers do not always have to gain access to the system to
cause damage; for instance, denial-of-service attacks can either exhaust
resources or stop services from running on the target system
Privilege escalation - the act of exploiting a bug, design flaw or
configuration oversight in an operating system or software application to gain
elevated access to resources that are normally protected from an application or
user
Maintaining access - once an attacker gains access to the target system, the
attacker can choose to use both the system and its resources and further use
the system as a launch pad to scan and exploit other systems, or keep a low
profile and continue exploiting the system
Passive recon - no interaction with client systems
Active recon - interaction with client systems
Data types:
Technical data:
Network ranges
DNS names, URLs
Special servers: NS, MX, webmail etc.
Software and configurations
People data:
Full names
Email
Phone numbers
Social media accounts
Geodata
Interests, hobbies, life stories
Skills and work history
80/20 rule - 80% of the effects come from 20% of the causes
Passive Recon (OSINT) - Open Source Intelligence:
Data sources:
Internet footprint:
Search engines
Social media
Client web-sites
Metadata
Job search web-sites
Web forums
Mailing lists and user groups
Special resources:
Internet databases
Internet archives
Specialized search engines
Web-service APIs
Tools and methods:
Google, Bing, Yahoo, local engines
LinkedIn, Facebook, Twitter, Instagram
Archive.org
Maltego
Recon-NG
Active Recon:
Input Sources:
Internet DBs: DNS, whois etc.
Client systems: servers, web-sites, product web-sites etc.
Cloud considerations
Client networks (once inside)
Client personnel
Direct observation
Tools and Automation:
Kali recon tools
nc, netcat, ncat
Recon-NG
BurpSuite
SecLists
Python or any scripting language
Nmap
FOCA
Passive Recon Walkthrough:
Map the scope:
Maltego or Recon-NG
Google hacking site:, inurl: etc.
Find more hosts:
dig, dnsrecon, dnsenum, fierce
Browse shares, visit web-sites
Collect names and contacts:
LinkedIn, Facebook
Collect hosts, emails
theHarvester
GOTO 1
Active Recon Walkthrough:
Collect metadata
FOCA
Find more hosts
nmap -sn
Identify more networks
Whois, Maltego
Validate emails
Netcat scripting, Maltego
GOTO 1
Identifying active machines within the network ranges that have been figured
out; have to understand what runs there and what can actively be interacted
with, as possible avenues for an attack
Finding open ports and access points that can be interacted with in order to
carry out a potential attack; closed ports are also valuable information, and
if a port is filtered that can give an idea of what services are there
Identifying active hosts:
Active:
Common S/A tools:
ping, telnet, traceroute, netstat
nbtscan, shareEnum
Protocol scanners:
ICMP scanning (ping sweeps)
o ping, ping -b, nmap -sn
ARP scanning
o arp, arp -a, arp-scan
TCP scanning
o nmap -p, masscan, zmap
Custom tools:
hping/nping, scapy
Passive:
Sniffing and analyzing broadcast traffic
Wireshark, tcpdump, p0f
Identifying active services:
Manual observation:
Web-browser, file managers
Manual TCP connection:
nc, netcat, ncat
telnet, ncat [-t] [-C]
openssl s_client, ncat --ssl
Automated scanning:
amap, unicornscan, superscan
masscan, zmap
NMap:
SYN vs. Connect
UDP issues
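As an added example (not code from the original notes or from any of the tools listed above), the connect scan and the manual banner grab from the lists above written in Python. To stay offline it starts two fake services on the loopback interface with constructed banners; a real run would point `scan_and_identify` at the hosts found during recon.

```python
import socket
import threading
from typing import Dict, List, Tuple

# Constructed banners for the fake services started below; not real hosts.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
SMTP_BANNER = b"220 mail.example.test ESMTP Postfix\r\n"


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Listen on a random loopback port and greet every client with `banner`.
    Stands in for a real daemon so the scanner can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop the thread
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_port() -> int:
    """Reserve a loopback port, release it and return it: nothing listens
    there, so connect() gets an RST (what a scanner reports as 'closed')."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Full TCP connect scan (nmap -sT): complete the three-way handshake and
    close. Needs no raw sockets, unlike a SYN scan, but every probe is a real
    connection that the target's service and logs will see."""
    results: Dict[int, str] = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"          # SYN/ACK came back, handshake done
        except ConnectionRefusedError:
            results[port] = "closed"        # RST came back: host up, no listener
        except OSError:
            results[port] = "filtered"      # no answer at all: dropped by a firewall
        finally:
            s.close()
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Manual service identification: connect and read whatever the server
    says first (the `nc host port` / `telnet host port` approach)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""  # HTTP-style services only speak after the client does


def guess_service(banner: bytes) -> str:
    """Crude banner-based guess; amap and nmap -sV also send protocol-specific
    probes to services that stay silent."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220 ") and b"SMTP" in banner.upper():
        return "smtp"
    if banner.startswith(b"220 "):
        return "ftp"
    return "unknown"


def scan_and_identify(host: str, ports: List[int]) -> Dict[int, Tuple[str, str]]:
    """Scan, then banner-grab every open port: {port: (state, service)}."""
    out: Dict[int, Tuple[str, str]] = {}
    for port, state in connect_scan(host, ports).items():
        service = guess_service(grab_banner(host, port)) if state == "open" else "-"
        out[port] = (state, service)
    return out


if __name__ == "__main__":
    _, ssh_port = start_fake_service(SSH_BANNER)
    _, smtp_port = start_fake_service(SMTP_BANNER)
    for port, (state, svc) in scan_and_identify(
            "127.0.0.1", [ssh_port, smtp_port, closed_port()]).items():
        print(f"{port}/tcp\t{state}\t{svc}")
```

The three states map onto the three TCP outcomes the notes mention: a completed handshake is open, an RST is closed (the host is up and answering, which is itself useful), and silence is filtered. On a real network the timeout is what makes filtered ports expensive, which is why masscan and zmap send SYNs without waiting per port.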
OS and services fingerprinting:
Difference in OSes
TCP/IP stack: TTL, TCP window etc.
Connection open/close/reset timing
Difference in services
Banners
Protocol nuances
Universal
nmap -O -sV -p-
Protocol-centric:
snmpwalk
nbtscan
enum4linux
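As an added example (not from the original notes, and not how p0f or nmap -O are implemented), passive OS fingerprinting from the TCP/IP stack differences listed above: the TTL and the SYN window/option layout. The input is a constructed capture in the style of `tcpdump -nv` output; the initial-TTL table and the timestamp heuristic are common rules of thumb, not identifications.

```python
import re
from typing import Dict, List

# Constructed lines in the style of `tcpdump -nv` output (one IP header line
# followed by one TCP line per packet); not a real capture.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 61, id 4211, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.44312 > 10.0.0.1.80: Flags [S], seq 100, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 126, id 912, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.9.51034 > 10.0.0.1.445: Flags [S], seq 200, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP (tos 0x0, ttl 254, id 1, offset 0, flags [none], proto TCP (6), length 44)
    10.0.0.254.11000 > 10.0.0.1.22: Flags [S], seq 300, win 4128, options [mss 536], length 0
IP (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.1.80 > 10.0.0.5.44312: Flags [S.], seq 1, ack 101, win 65160, options [mss 1460,sackOK,TS val 9 ecr 1,nop,wscale 7], length 0
"""

HEADER_RE = re.compile(r"^IP \(.*?ttl (?P<ttl>\d+),")
TCP_RE = re.compile(
    r"^\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?")

# Common default initial TTLs; the family guess is a heuristic.
INITIAL_TTLS = ((64, "Linux/BSD/macOS"), (128, "Windows"), (255, "network device / Solaris"))


def infer_initial_ttl(observed: int) -> int:
    """Each router decrements TTL by one, so the sender's initial value is the
    smallest common default that is >= what arrived."""
    for initial, _ in INITIAL_TTLS:
        if observed <= initial:
            return initial
    return 255


def fingerprint_syns(capture: str) -> List[Dict[str, object]]:
    """Fingerprint every client SYN in the capture. Only the first SYN is used:
    it carries the unscaled initial window and the OS's option order, while
    SYN/ACKs and data packets are shaped by the peer's parameters as well."""
    lines = capture.splitlines()
    results: List[Dict[str, object]] = []
    for hdr, tcp in zip(lines, lines[1:]):
        h, t = HEADER_RE.match(hdr), TCP_RE.match(tcp)
        if not (h and t) or t.group("flags") != "S":
            continue
        ttl = int(h.group("ttl"))
        initial = infer_initial_ttl(ttl)
        family = dict(INITIAL_TTLS)[initial]
        opts = t.group("opts") or ""
        # Windows ships with TCP timestamps off, so a TTL-128 host sending
        # "TS val" in its SYN deserves a second look (heuristic).
        if initial == 128 and "TS val" in opts:
            family += " (timestamps present, recheck)"
        results.append({
            "src": t.group("src"),
            "ttl": ttl,
            "initial_ttl": initial,
            "hops": initial - ttl,       # distance between us and the sender
            "window": int(t.group("win")),
            "options": opts,
            "family": family,
        })
    return results


if __name__ == "__main__":
    for r in fingerprint_syns(SAMPLE_CAPTURE):
        print(f"{r['src']:<12} ttl={r['ttl']:<3} ({r['hops']} hops) "
              f"win={r['window']:<6} {r['family']}")
```

The hop count falls out for free from the same TTL, which is useful for telling an internal host from something reached through several routers. Active fingerprinting (`nmap -O`) goes further by sending crafted probes and timing the open/close/reset responses listed above; the passive version here only reads what the target sends on its own.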
Network mapping:
Topology mapping:
Zenmap
Maltego
Visio
Evidence handling:
Excel
CherryTree
Growly Notes
Evernote
OneNote
Network issues:
Use of VPN on external pentests
Use of VPN on internal pentests
Use of Tor and HTTP proxies
Firewall evasion techniques
Sniffing and Spoofing:
Sniffing:
Passively or actively capturing network traffic
Can be done on received traffic or passed through/routed traffic
Can be done anywhere on the internet
Routers/gateways are more risky
Mitigated by SSL/TLS or other E2E crypto
Spoofing:
Actively tampering with other hosts network config to intercept
network traffic
Then, sniffing or tampering with intercepted traffic
Very common in LAN:
Port security, traffic signing, SSL/TLS are possible means of
protection
Sniffing tools:
Wireshark:
Actively sniffing and analyzing
Processing external pcap files
Powerful GUI
Extendable and scriptable
Really slow sometimes
Security issues
Cain and Abel:
Windows only
Spoof, sniff, reverse passwords etc.
tcpdump (or other CLI tools):
The power of console
Present in most *NIX distros
tshark:
Console version of Wireshark
Comes with it by default
scapy:
BYOD: build your own dump
Easy as Python + StackOverflow
Spoofing tools:
arpspoof:
arpspoof -t <target> <gateway>
arpspoof -t <gateway> <target>
tcpdump
Remember to enable forwarding (or the victim loses connectivity):
# echo 1 > /proc/sys/net/ipv4/ip_forward
ettercap and bettercap:
Scanning, spoofing, and sniffing
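As an added example from the defender's side (not from the original notes and not part of arpspoof, ettercap or bettercap), a detector for the traffic pattern the arpspoof commands above produce: unsolicited ARP replies, an IP whose MAC changes, and one MAC claiming both the gateway and a victim. The capture is constructed in a simplified `tcpdump -e arp` style; the addresses are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed ARP traffic in a simplified `tcpdump -n -e arp` style; not a real
# capture. 10.1.1.1 is the gateway (bb:..:01), 10.1.1.20 a victim (aa:..:01)
# and cc:..:01 the attacker's NIC.
SAMPLE_ARP = """\
10:00:01.000 aa:aa:aa:aa:aa:01 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 10.1.1.1 tell 10.1.1.20, length 28
10:00:01.001 bb:bb:bb:bb:bb:01 > aa:aa:aa:aa:aa:01, ARP, Reply 10.1.1.1 is-at bb:bb:bb:bb:bb:01, length 28
10:00:05.000 cc:cc:cc:cc:cc:01 > aa:aa:aa:aa:aa:01, ARP, Reply 10.1.1.1 is-at cc:cc:cc:cc:cc:01, length 28
10:00:05.001 cc:cc:cc:cc:cc:01 > bb:bb:bb:bb:bb:01, ARP, Reply 10.1.1.20 is-at cc:cc:cc:cc:cc:01, length 28
10:00:07.000 cc:cc:cc:cc:cc:01 > aa:aa:aa:aa:aa:01, ARP, Reply 10.1.1.1 is-at cc:cc:cc:cc:cc:01, length 28
"""

MAC = r"[0-9a-f:]{17}"
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}) > (?P<dst>{MAC}), ARP, "
    rf"(?:Request who-has (?P<req_ip>[\d.]+) tell (?P<tell_ip>[\d.]+)"
    rf"|Reply (?P<rep_ip>[\d.]+) is-at (?P<rep_mac>{MAC}))")


def detect_arp_spoofing(capture: str) -> Dict[str, object]:
    """Replay the capture, keep our own IP->MAC view and flag the three
    signatures of ARP cache poisoning. Returns the tables and the alerts."""
    ip_to_macs: Dict[str, Set[str]] = defaultdict(set)
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    pending: Set[str] = set()      # IPs someone has asked about and not yet heard back on
    alerts: List[str] = []

    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("req_ip"):
            pending.add(m.group("req_ip"))
            continue

        ts, ip, mac = m.group("ts"), m.group("rep_ip"), m.group("rep_mac")
        # 1. A reply nobody asked for: arpspoof sends these continuously so the
        #    poisoned entry never ages out of the victim's cache.
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(f"{ts} unsolicited reply: {ip} is-at {mac}")
        # 2. The same IP now maps to a different MAC than before.
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append(f"{ts} {ip} moved from {sorted(ip_to_macs[ip])} to {mac}")
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    # 3. One NIC answering for several addresses (gateway and victim at once)
    #    is the man-in-the-middle position the two arpspoof commands create.
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses {sorted(ips)}: MITM position")

    return {"ip_to_macs": dict(ip_to_macs), "mac_to_ips": dict(mac_to_ips), "alerts": alerts}


def poisoned_ips(result: Dict[str, object]) -> List[str]:
    """IPs for which more than one MAC has been advertised."""
    table: Dict[str, Set[str]] = result["ip_to_macs"]  # type: ignore[assignment]
    return sorted(ip for ip, macs in table.items() if len(macs) > 1)


if __name__ == "__main__":
    res = detect_arp_spoofing(SAMPLE_ARP)
    for a in res["alerts"]:  # type: ignore[union-attr]
        print(a)
    print("poisoned:", poisoned_ips(res))
```

Tools such as arpwatch keep exactly this IP-to-MAC history on a monitoring port; the switch-side equivalents the notes list (port security, dynamic ARP inspection) stop the forged replies before any host sees them, which is why they are the preferred fix on a LAN.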
Crypto and WiFi considerations:
Intercepting encrypted traffic:
SSL/TLS:
SSLStrip+
Burp Proxy, OWASP ZAP etc.
Strong E2E crypto
WiFi spoofing and sniffing:
Hardware tools:
Packet injection
Alfa
Software tools:
aircrack-ng universal framework
Mana rogue AP toolkit
Kali tools
Windows security overview:
Windows Architecture:
Bootstrap process
Memory segments
File systems
Processes
Protection rings
Permissions
Credentials Security:
Security Accounts Manager (SAM)
LANMAN (LM) and NTLM hashes (NTLMv2 is the challenge-response protocol used over the network)
Memory Corruption:
Stack corruption (buffer overflow)
Use-after-free
Heap corruption, heap overflow, type confusion
DEP and ASLR
Memory or binary exploitation:
OllyDbg, GDB, Immunity Debugger, IDA Pro
Metasploit
Public/private exploits
Windows Hacking Basics:
Windows enumeration specifics:
IPC
SNMP
Windows hacking:
Password guessing
Dumping password hashes
Dumping cleartext passwords
Privilege escalation
Remote exploitation
Post-exploitation
Key-loggers
Enumeration tools:
nbtstat -a
enum4linux
snmpwalk
Password cracking tools:
John(the Ripper), Cain, L0phtcrack
HashDump
WCE (Windows Credential Editor)
Metasploit Framework (MSF)
Manual exploitation
Legit tools:
Windows Sysinternals
PowerShell
Local Access and Privilege Escalation:
Privilege escalation:
Horizontal and vertical
Local exploits if not fixed
Unattended install leftovers
Group policy snooping
Service permissions misuse
Covering tracks:
auditpol \\IP /disable
elsave -s \\IP -l Security -C
Tools for lateral movement:
Metasploit Meterpreter post-modules
Public exploits
Windows command-line tools:
wmic, sc
net view/use/session/service
powershell
Physical access considerations:
Kon-Boot
Dumping Hashes and Cracking Passwords:
LM vs NTLM:
Case (in)sensitivity
Alphabets of 142 and 65536 (all Unicode) characters respectively
NTLM calculates the hash for entire password, LM splits the
password into two 7-character chunks, padding as necessary
Active Directory specifics:
Kerberos and LDAP
Sessions caching
Password hacking principles:
Online and offline password attacks
Dumping from SAM and RAM
Rainbow tables
Brute force
Tools:
JTR, WCE, mimikatz, MSF post-
Volatility
Linux Attacking Basics:
Linux vs. Windows (architecture):
Differences in file systems structure
Differences in memory and process execution
Device files
Differences in access control
Differences in user environment
Attack paths:
Password guessing
Remote exploitation
Local privesc exploits
Rootkits
Web security architecture overview:
Web Software:
Web-application architecture tiers:
Back-end
Front-end
Thin, thick, heavy clients
Web-applications (GUI):
Human interface
Forms, controls, dynamic content
Web-services (API):
Machine interface
Simple Object Access Protocol (SOAP) and XML
RESTful API and JSON
Web Platform:
Operating Systems
Web-Servers
Application Servers:
o Tomcat, JBOSS, WebSphere
Database Management Software:
o Relational (SQL)
o Non-relational (No-SQL)
Cloud environments:
o SaaS, PaaS, IaaS
o Amazon AWS, DigitalOcean
Attacking the web-server:
Attack phases:
Server software identification
Finding known vulnerabilities
Finding indicators of compromise
Probing for default/simple passwords
Preparing and uploading the web-shell
Breaking out of jail
Automated vulnerability scanners:
Pros: routine automation
Cons: need manual control and fine tuning
Attack narrative example:
Identifying Apache Tomcat on LAN
Accessing management console with default credentials
OR
Exploiting a known Tomcat vulnerability
Preparing and uploading JSP web-shell in WAR format
Accessing JSP shell for Tomcat-level access
Getting access to DB, data exfiltration
Optional: escalating access
Attacking the platform:
Programming languages:
Java, .NET, PHP, JavaScript, Python, Ruby
Programming frameworks:
JS: AngularJS, jQuery, React
PHP: Symfony, Zend, Slim
Python: Django, Flask
Ruby: Rails, Sinatra
Java: Play, Spark
SQL databases:
MySQL, MariaDB
MS SQL
Oracle Express
NoSQL databases:
MongoDB document (JSON)
Redis key-value (hash)
Data exchange:
XML (SOAP)
JSON (REST)
Attacking the technology:
Risk points:
Machine-to-machine
Human-to-machine
Attack entry points:
Access handling
Input handling
Storage
Transport
Logic
Configuration
Trust abuse
Types of attacks:
AAA bypass:
Authentication bypass
Session hijacking
Vertical and horizontal escalation
Cross-Site Request Forgery
Cookie stealing
Injections:
XSS, SQLi, RCE, L/RFI etc.
Sensitive data leakage:
Transport security bypass
IDOR
Misconfiguration abuse