Pentest Assessment1

Uploaded by

oyo thing

www.Ebook777.com
HACKING
17 Must Tools
Every Hacker Should Have

Volume 2
by
ALEX WAGNER

Copyright
All rights reserved. No part of this book may be reproduced in any form or by
any electronic, print or mechanical means, including information storage and
retrieval systems, without permission in writing from the publisher.

Copyright © 2017 Alex Wagner

Disclaimer
This Book is produced with the goal of providing information that is as
accurate and reliable as possible. Regardless, purchasing this Book can be
seen as consent to the fact that both the publisher and the author of this book
are in no way experts on the topics discussed within and that any
recommendations or suggestions that are made herein are for entertainment
purposes only.
Professionals should be consulted as needed before undertaking any of the
action endorsed herein.
Under no circumstances will any legal responsibility or blame be held against
the publisher for any reparation, damages, or monetary loss due to the
information herein, either directly or indirectly.
This declaration is deemed fair and valid by both the American Bar
Association and the Committee of Publishers Association and is legally
binding throughout the United States.
The information in the following pages is broadly considered to be a truthful
and accurate account of facts and as such any inattention, use or misuse of the
information in question by the reader will render any resulting actions solely
under their purview. There are no scenarios in which the publisher or the
original author of this work can be in any fashion deemed liable for any
hardship or damages that may befall the reader or anyone else after undertaking
information described herein.
Additionally, the information in the following pages is intended only for
informational purposes and should thus be thought of as universal. As befitting
its nature, it is presented without assurance regarding its prolonged validity or
interim quality. Trademarks that are mentioned are done without written
consent and can in no way be considered an endorsement from the trademark
holder.

Table of Contents

Chapter 1 – Basic (System) requirements
Chapter 2 – Virtualization
Chapter 3 – BackTrack / Kali Linux
Chapter 4 – Wireshark
Chapter 5 – nMAP + ZenMAP
Chapter 6 – Hydra
Chapter 7 – Metasploit
Chapter 8 – Armitage
Chapter 9 – Maltego
Chapter 10 – S.E.T
Chapter 11 – Burp Suite
Chapter 12 – H-ping_3
Chapter 13 – EtterCAP
Chapter 14 – Xplico
Chapter 15 – Scapy
Chapter 16 – Parasite6
Introduction
Congratulations, and thank you for purchasing this book.
The following chapters will focus on some of the most dangerous hacker tools that are favourites of both White Hat and Black Hat hackers. First I will explain some of the fundamentals of networking, and the technologies that every hacker must be aware of. Next it will cover some study techniques that I have used, and still use, in order to keep up with today’s fast-growing technologies, and then I will recommend additional study materials and the certification path you should be aiming for in order to become an IT professional.
The focus of this book will be to introduce some of the best-known software that you can use free of charge, where to find it, how to access it, and finally, in every chapter, I will demonstrate step-by-step examples using those hacker tools. The discussions and implementation examples will show not only how to use hacking tools, but how to become a Man in the Middle in multiple ways. Additionally I will demonstrate how to create a Denial of Service attack, how to manipulate the network infrastructure by creating fake packets, how to replicate any networking device, and how to fool end users into installing backdoors on demand. In order to understand hackers and protect the network infrastructure you must think like a hacker in today’s expansive and eclectic internet, and you must understand that nothing is fully secured.
There are many step-by-step methods on how to plan a successful penetration test, and examples of how to manipulate or misdirect trusted employees using social engineering. The intention of this content is to benefit readers by reviewing detailed facts as well as my personal experience. Reading this book will boost your knowledge of what is possible in today’s hacking world and help you to become an Ethical Hacker.
This book is not a beginner’s guide; however, it is written for those who are new to hacking.
Every effort was made to ensure it is full of as much useful information as possible. Please enjoy!
Chapter 1 – Basic (System) requirements

First of all, I would like to give a few major points on what this book is about. The tools described in this book can be used for both white hat and black hat hacking; when applied, the outcome will be the same in both cases. However, it can lead to a very bad situation for the person using such hacking tools in any unauthorized manner, which might cause system damage or any kind of system outage.
If you attempt to use any of these tools on a network without being authorized and you disturb or damage any systems, that would be considered illegal black hat hacking. So, I would like to encourage all readers to deploy any tool described in this book for WHITE HAT USE ONLY.
In volume 1 I explained what white hat use is and who white hat hackers are; however, a quick recap on that subject is that anything legally authorized for the purpose of helping people or companies find vulnerabilities and identify potential risks is fine.
All tools described here should be used for improving security posture.

I should sound a warning here. If you are eager to learn about hacking and penetration testing, it’s recommended to build a home lab and practice using these tools in an isolated network that you have full control over, and that is not connected to any production environment or the internet.

On the other hand, if you use these tools for black hat purposes and you get
caught, it will be completely on you and you will have no one to blame. So,
again I would highly recommend you stay behind the lines and anything you do
should be completely legit and fully authorized.

Lastly, if you are not sure about anything that you are doing and don’t have a
clue on the outcome, simply ask your manager or DO NOT DO IT.

This book is for educational purposes. It is for those who are interested in learning what is really behind the curtains and would like to become IT professionals or white hat hackers.
In addition to the legal issues, before using any of the tools it is recommended that you have fundamental knowledge of networking concepts. The bare minimum networking fundamentals are:

What is an:
IP Address
IP Subnet
MAC Address
DHCP
DNS
Ping
ARP

I will touch on each of these; however, there are some great courses out there
that can help you gain additional knowledge, and my personal recommendation
would be to start with:

CompTIA Network+
This course would be excellent for people who are new to networking. But, if
you have finished it, you should go for Cisco courses and your first should be
ICND1 – Interconnecting Cisco Networking Devices. This course, after
completion and taking a successful exam, will provide a CCENT Certification
-- Cisco Certified Entry Network Technician.

Then you should attempt:


ICND2 – Interconnecting Cisco Networking Devices Part 2
After a successful exam this course itself will not provide any certification;
however, if you already passed an exam on ICND1 you automatically become
a CCNA – Cisco Certified Network Associate.

If you want to become a CCNA, Cisco also provides a single exam, although that is intended for people who are already certified and have to recertify.
Cisco certifications must be renewed every 3 years, since the technology changes so rapidly that there is always new content that a CCNA should be aware of.
It makes sense when you think about the fact that Windows 95 was the latest and greatest 20+ years ago; however, today some of us don’t even remember that there was ever a product like that, due to the rapid growth of technology.
Of course you can take it further and attempt to pass the CCNP -- Cisco Certified Network Professional. This is three exams, each twice as difficult as the whole CCNA together, and the top certification is the CCIE – Cisco Certified Internetwork Expert. The CCIE is only two exams, but you have to renew it every 2 years. However, the CCIE is so difficult that as of today only 55620 people have passed the exam and become one.

Hall of fame: http://www.cciehof.com/

Cisco Systems only shares information on the CCIE certifications and the
success rate is 2% on the first attempt.

My personal experience in achieving some certifications is as follows:

CompTIA Network+: 3 months
ICND1 – CCENT: 6 months
ICND2 – CCNA: 4 months
CCDA (Design Associate): 3 months
CompTIA Security+: 3 months
CCNA Security: 7 months
CCSA (CheckPoint Certified Security Administrator): 5 months
CCNP: 11 months (3x exams)

These achievements took place with continuous study every day for an average of 4-5 hours for nearly 4 years, and an average of 6-8 hours on weekends. You might wonder, and think that you don’t have that much time. Consider the following.

Activities that I have completely avoided:

TV, news,
Newspapers,
Any kind of games, even my favourite, which is HALO on the XBOX
Facebook – actually I avoided any social networking sites
Basically anything that could waste my time…
My personal study technique:
I used to wake up 1 hour earlier than I needed to, to study – reading
On my way to work I usually study for 30 minutes – watching information video courses
I spent my break studying: 1 hour – reading
On my way home I study for 30 minutes – watching information video courses
After taking a shower I study for 1.5 hours – hands on, building home labs using GNS3 and Cisco Packet Tracer
After dinner, just before sleep, I study for at least another 45 minutes, sometimes 2 more hours or until my head lands on my laptop – watching information video courses

We all have 24 hours a day and we get to decide what to do with it.
In recent years I have not gone after any new certifications, instead I am
studying additional resources that have no certifications, such as:
Cisco ACS – Cisco Secure Access Control Server
Cisco ISE– Cisco Identity Services Engine
Cisco Prime Infrastructure
Cisco APIC-EM – Cisco Application Policy Infrastructure Controller
Enterprise Module

I don’t want to bore you, so let’s get on with the fun stuff beginning with some
basic networking terms.

The reason why I had to add this little introduction about myself and techniques
on ways I study is to help those who are interested in acquiring knowledge,
and to say it out loud that learning is always great, especially in today’s digital
age, and of course it’s always preferable to know what you are doing and the
reason behind it.

Also, I would like to point out that I have read many other books on these topics that are great books to read; however, I realized that in many of them the author has no idea about networking protocols or virtual installation procedures, and absolutely no clue about network security.
As I am a proud Network Engineer who specializes in Cisco and Checkpoint firewalls, I believe this content will be great material for anyone interested in hacking at the basic level.

IP Address
This is an abbreviation for Internet Protocol Address. Each computer, server, router… has an IP Address, and that is what identifies each device from the others.
In fact, on your PC you can simply check your IP Address by opening the command prompt and typing: ipconfig

In plain English: Imagine that I am sending a letter to you using the post office.
In order to get the letter delivered, I will need your address. Computers are
working with IP Addresses in order to be networked. Therefore, every device
must have an IP Address.

In case you are wondering, I am using software called Cisco Packet Tracer; this is a free network simulator and visualization tool that works on Linux as well as on any PC, and recently even on mobile devices.
Download link:
https://www.netacad.com/about-networking-academy/packet-tracer/
IP Subnet
As I mentioned, every device must have an IP Address; however, for two devices to be on the same network, they should be on the same subnet.
Subnet stands for: Subdivided Networks.
For example, if PC-1 has an IP Address of 10.10.10.1 and PC-2 has an address of 192.168.1.2, they would be in different subnets, as the addresses are completely different.
So, in order to make those two networks communicate with each other we need a Router that would route traffic between the multiple networks.
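
As an added illustration (not code from the book), here is the same "same subnet or not" decision with the subnet mask made explicit, using Python’s ipaddress module. The three hosts and their /24 masks are constructed for the example; the text itself does not state a mask.

```python
import ipaddress
from itertools import combinations

# Constructed lab hosts: the two addresses from the text plus a third PC.
# The /24 prefix lengths are an assumption; the text does not state a mask.
HOSTS = {
    "PC-1": "10.10.10.1/24",
    "PC-2": "192.168.1.2/24",
    "PC-3": "192.168.1.3/24",
}


def same_subnet(a: str, b: str) -> bool:
    """True when both interfaces belong to the same network.

    The mask decides this, not how 'different' the addresses look:
    10.10.10.1/16 and 10.10.20.5/16 share a subnet, the same pair with /24 does not.
    """
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def describe(iface: str) -> dict:
    """Network address, mask, broadcast and usable host count for one interface."""
    net = ipaddress.ip_interface(iface).network
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def reachability_plan(hosts: dict) -> dict:
    """For every pair of hosts, say whether they can talk directly or need a router."""
    plan = {}
    for (n1, a), (n2, b) in combinations(hosts.items(), 2):
        plan[(n1, n2)] = "direct" if same_subnet(a, b) else "via router"
    return plan


if __name__ == "__main__":
    for name, iface in HOSTS.items():
        print(name, iface, describe(iface))
    for pair, how in reachability_plan(HOSTS).items():
        print(pair, "->", how)
```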

MAC Address
This stands for Media Access Control.
As I mentioned, every device should have an IP Address in order to connect; however, IP Addresses can be assigned and changed at any time, statically by human hands or dynamically using a DHCP server.
MAC Addresses, on the other hand, are the physical addresses of the devices and they are not changeable. Of course this book is about hacking, and I will show you how easy it is to manipulate the network by changing the MAC address of any device.
Well, we can’t actually change them, but we can fake them and make authorization servers or firewalls believe otherwise.

DHCP
Dynamic Host Configuration Protocol, at least that’s what it stands for. Its job is to dynamically assign IP Addresses to PCs, but why would we do that?

Well, imagine that you have 200 PCs that require IP Addresses and they should be on different subnets, for example 20 PCs for the HR department, 20 PCs for the Sales department, 20 PCs for Marketing, 40 PCs for the Management (too many managers), and for the sake of conversation another 100 PCs for the rest of the employees. Instead of walking to each PC and manually assigning it the correct IP, we can connect them to a DHCP server and automate this process by letting the DHCP server assign the correct IPs to the correct PCs.
DNS
This is called Domain Name System. Some refer to it as Domain Name Server, and geeks just say DNS server.
Remember that I explained before that PCs communicate with each other using IP addresses. We are humans and we just can’t remember the IPs of each of our favourite websites, so we use DNS servers to translate our requests in order to find the servers that we are looking for.
For example, you type www.google.com but your PC has no clue what you want, so it will tell your router: Hey router! This human is looking for www.google.com. The router will have no clue either at first. The router will then ask the next hop, which is your ISP’s (Internet Service Provider) router, which will transfer this request to the DNS server.
The DNS server will look at its database, which has probably millions of IP Addresses matched to different URLs (Uniform Resource Locators). That would be examples like:
www.facebook.com – 2.3.4.5
www.yahoo.com – 6.7.8.9
www.bbc.com – 10.11.29.37
www.google.com – 12.24.36.48

Once the request is translated by the DNS server, it would answer to the ISP’s router: yes, I have it here as the IP Address 12.24.36.48.
(Note: This is not Google’s IP Address, I just picked a random number. I have heard that Google controls more than 200K IP Addresses worldwide.)
Then the ISP’s router would go to that address, which is the server of www.google.com, and ask for it to be viewed.
The Google server would reply to the ISP’s router, then the ISP’s router would reply to your router at home, and that would give your PC the address so you would see the www.google.com home page.
Of course, in reality there are multiple hops, maybe even hundreds of hops; still, the average response time is between 1-3 milliseconds.
The internet is based on high-end routers and servers; however, without DNS translation we would have to remember and browse with IP Addresses instead of words.
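
To show what that "translation" looks like on the wire, here is an added example (not from the book) that builds the A-record query a PC sends, builds a constructed answer for it, and parses the answer back, including the name-compression pointer real servers use. The transaction id 0x1234, the 300-second TTL and the answer 12.24.36.48 (the text’s made-up Google address) are constructed values; the final function is the check a resolver must make before trusting any reply.

```python
import struct
import ipaddress


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: a length byte before each label, zero byte at the end."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """The question your PC sends: header (RD flag set) + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed answer: echoes the question, then one A record whose name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, rcode 0
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + rr


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; returns (name, offset just after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Pull out the transaction id, flags, question name and any A-record answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, question = 12, None
    for _ in range(qdcount):
        question, offset = read_name(msg, offset)
        offset += 4                                     # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "question": question, "answers": answers}


def matches_query(query: bytes, response: bytes) -> bool:
    """A resolver must only accept an answer whose transaction id and question match
    what it asked; anything else is unsolicited and should be dropped."""
    parsed = parse_response(response)
    qname, _ = read_name(query, 12)
    return (parsed["is_response"]
            and parsed["txid"] == struct.unpack("!H", query[:2])[0]
            and parsed["question"] == qname)


if __name__ == "__main__":
    q = build_query(0x1234, "www.google.com")
    r = build_response(q, "12.24.36.48")
    print(parse_response(r), matches_query(q, r))
```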
Ping
Packet INternet Groper
It’s a software utility that, once it is issued as a command in the form ping <ip address>, for example ping 192.168.1.3, sends an echo request to the address that we want to reach, and that address, if it exists, will hopefully send back an echo reply.
Taking the previous example from Packet Tracer, I will attempt to ping (to reach) PC-3 from PC-2.

In this example, from PC-2 I issued the command ping 192.168.1.3, which is the IP Address of PC-3. Below, I can see that a Reply from 192.168.1.3 is coming back to PC-2.

Furthermore, I have sent 4 packets (echo requests) that each contain 32 bytes, and the reply time was 0 milliseconds (very fast because it’s on the same network). TTL means Time To Live and it has been specified by the PC as 128. So, if there is no reply in 128 milliseconds, it would try to send another request and list the first as dropped.
Also, there are Ping statistics for the IP address 192.168.1.3 that show the packets sent (4), the packets received (4), the lost packets (0), and the approximate round trip times in milliseconds (0).

That’s great, but what if there is no IP reachability? Well, that would mean the website is unreachable, and I will now ping an address that I know doesn’t exist. I will try to ping 10.10.10.10 in order to demonstrate it:

I have sent an echo request to 10.10.10.10 using the ping utility, but since it’s a non-existent address there was no reply, and my requests timed out. Therefore, I received 100% packet loss.
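
As an added example (not from the book), the parser below rebuilds the statistics block from raw ping output and classifies the target as reachable or not; the two captures are constructed to match the successful run against 192.168.1.3 and the timed-out run against 10.10.10.10 described above. It also reads the TTL value as what it is on the wire, a hop limit that each router on the return path decrements, so a reply TTL of 128 from a Windows host means zero hops, i.e. the same network.

```python
import re

# Constructed output modelled on the two runs described in the text:
# four replies from PC-3, then four timeouts for the non-existent 10.10.10.10.
PING_OK = """\
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time=1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
"""

PING_FAIL = """\
Pinging 10.10.10.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
"""

HEADER_RE = re.compile(r"^Pinging (\S+) with (\d+) bytes")
REPLY_RE = re.compile(r"^Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")


def hop_estimate(ttl: int) -> int:
    """The TTL in a reply is the hop limit left after every router on the return
    path decremented it once. Common initial values are 64, 128 and 255, so the
    smallest of those that is >= the observed TTL gives a hop-count estimate."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return 0


def parse_ping(output: str) -> dict:
    """Rebuild the statistics block (sent / received / lost / loss %) from the reply lines."""
    target, sent, replies = None, 0, []
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = REPLY_RE.match(line)
        if m:
            sent += 1
            replies.append({"from": m.group(1), "bytes": int(m.group(2)),
                            "ms": int(m.group(3)), "ttl": int(m.group(4))})
        elif line.startswith("Request timed out"):
            sent += 1
    received = len(replies)
    lost = sent - received
    return {
        "target": target,
        "sent": sent,
        "received": received,
        "lost": lost,
        "loss_pct": round(100 * lost / sent) if sent else 0,
        "reachable": received > 0,
        "ttl": replies[0]["ttl"] if replies else None,
        "hops": hop_estimate(replies[0]["ttl"]) if replies else None,
    }


if __name__ == "__main__":
    print(parse_ping(PING_OK))
    print(parse_ping(PING_FAIL))
```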

ARP
This stands for Address Resolution Protocol, and what it really does is provide a MAC address for a known IP Address, or vice versa.
This is another great utility and goes both ways, for IP Address and MAC Address.
On a PC the command would be in the form: arp -a
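
As an added example (not from the book), this parses the ARP cache that arp -a prints, answers the lookup both ways (IP to MAC and MAC to IP), and flags a unicast MAC that answers for more than one IP, which is exactly the trace the MAC-faking mentioned above leaves behind. The cache contents are constructed; the Windows-style dashed MAC notation is assumed, with Linux colon notation also accepted.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in Windows format. The entry for 192.168.1.50 is the
# odd one out: it shares its physical address with the gateway 192.168.1.1.
ARP_OUTPUT = """\
Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.3           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.50          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)")


def normalize_mac(mac: str) -> str:
    """Canonical form so Windows (00-11-...) and Linux (00:11:...) notation compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(output: str) -> list:
    """One dict per cache entry: ip, mac, type."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ip": m.group(1), "mac": normalize_mac(m.group(2)), "type": m.group(3)})
    return entries


def ip_to_mac(entries: list, ip: str):
    return next((e["mac"] for e in entries if e["ip"] == ip), None)


def mac_to_ips(entries: list, mac: str) -> list:
    mac = normalize_mac(mac)
    return [e["ip"] for e in entries if e["mac"] == mac]


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set; they are
    expected to map to several IPs and are not interesting here."""
    return int(mac.split(":")[0], 16) & 1 == 1


def shared_macs(entries: list) -> dict:
    """Unicast MACs that answer for more than one IP. This is what an ARP-spoofing
    attack leaves behind in the cache, but it also happens legitimately (a router
    holding several addresses, a hypervisor answering for its guests), so treat it
    as something to verify, not as proof."""
    by_mac = defaultdict(list)
    for e in entries:
        if not is_group_address(e["mac"]):
            by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp(ARP_OUTPUT)
    print(ip_to_mac(table, "192.168.1.3"), mac_to_ips(table, "00-11-22-33-44-55"))
    print("MACs answering for several IPs:", shared_macs(table))
```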
Please be aware that for each of the above-mentioned topics I could have a dedicated book written, in fact multiple books; however, my intention was to have a touch-base in order to give a better understanding to those who are complete beginners to networking.

My last statement in this chapter is a piece of friendly advice: if you are willing to become a great white hat hacker you must know networking protocols upside down, inside out, day and night, in your dreams too, because it is the network that allows us any remote access, and that is what we utilize to get in and out, and move from one device to another.
Chapter 2 – Virtualization

This is a fancy word indeed, but it’s also really cool.

In plain English, virtualization in the form of software helps you run an additional operating system on top of an existing operating system. Before you take it the wrong way, please do not mix up a simulator with an emulator.

Simulator:
What a simulator does, in software form, is simulate an operating system as closely as it can; however, it’s not the real deal, and it’s not as fast as the real system would be. It will also not provide all the feature sets that the original software would. Nevertheless, there are many great simulators that are very helpful for practicing, building home labs and trying out stuff.

Cisco Packet Tracer (introduced in Chapter 1) is actually a network simulator, and you can build large networks on your laptop by using it. Virtually you have everything in one lab, such as multiple switches, servers, routers and PCs connected together, and you can have multiple labs built with it, although they will have limitations once you move on with your studies. You will find out, and eventually have to stop using it, as it’s not as advanced as your knowledge can become after time passes and you wish to try out and implement advanced technology.

Emulator:
Emulators, on the other hand, are still not exactly the real deal, as they are virtualized with software such as GNS3, VIRL, Virtual Box, NETLAB+ or VMware; however, they are running the real software and they are not trying to simulate or to be similar. Instead, they are emulating the real software with all the feature sets there are to it.
Virtual Box:
Virtual Box is a piece of software that specializes in virtualizing hundreds of operating systems, and currently you can install it on Windows, Macintosh, and any Linux or Solaris operating system.
It’s free to download by using the link: https://www.virtualbox.org/

Once you have reached the site you can choose to download packages for different platforms. After you have downloaded according to your own requirements, you will be able to build and run multiple VMs (Virtual Machines).
In regards to the user manuals or how to install Virtual Box, it’s all on the website, and it’s relatively simple.
This is what I most recommend using, especially at first, as once we install BackTrack Linux on it, it will run very smoothly.
Chapter 3 – Kali Linux / BackTrack

BackTrack is a Linux distribution that you are able to use either as your main operating system or run virtually in Virtual Box. You can run it from a DVD, or even from a USB stick. Once you have downloaded this free software as an ISO file, you can install it virtually on top of your existing operating system.

BackTrack is a favorite of both White hat and Black hat hackers. It’s one of the best pieces of software out there, with literally hundreds, if not thousands, of tools built into it that are ready to use for penetration testing against any network out there.
The main purpose of BackTrack is to test an existing network and try to find possible vulnerabilities, so the overall security can be improved.

BackTrack is free to download at the following link: http://www.backtrack-linux.org/

BackTrack has hundreds of user-friendly tools built into it. The main categories are:

Information gathering
Stress testing
Forensics
Reporting tools
Privilege escalation
Vulnerability assessment
Exploitation tools
Reverse engineering
Maintaining access

After you have downloaded BackTrack and are ready to install it in a virtual environment, there are a couple of details that you should be aware of.
When you create a new Virtual machine for BackTrack you should allocate at least 3 Gb of space, and another 20 Gb for the virtual hard drive.
Once you have a new Virtual machine built, you should head to settings and make sure you adjust the network settings by choosing to bridge the VM (Virtual machine) to your router.

When you are ready with the settings, you should be able to boot the image. The command “startx” will start installing the GUI (Graphical User Interface) from the hard drive, which is recommended. While the GUI gets installed, there will be a few questions that require an answer, such as language, keyboard, location and clock settings for the time zone. Once installation is complete, you must restart the image in order to boot from the hard drive.

After the reboot of the image BackTrack will ask for logon details on the CLI,
and those are:
Username: root
Password: toor

In case you are new to the CLI and wouldn’t know what to do, you can easily switch to the GUI at any time by typing the command “startx”. This will open the user-friendly GUI that will allow you to access all the hacking tools that we will discuss further in this book.

In regards to some more basic settings that are a must such as IP address, what
BackTrack does by default is to look for an IP Address through DHCP.
However, it’s always better to assign a static IP Address, so we would always
know what that is.

The command that we could use to set an IP Address on BackTrack is:
ifconfig eth0 10.10.10.2/24 up
To configure the default gateway (the router’s IP Address) use the command:
route add default gw 10.10.10.1

After these settings you can try to ping your router’s address with the command: ping 10.10.10.1

Now that you have reachability to your router, and you can access the internet through that router, you can try to reach the internet with the command: ping www.google.com. If this is successful, it means your virtual BackTrack is connected to the internet.

Kali Linux
Kali Linux is basically the new version of BackTrack; however, for many
hackers BackTrack is still more preferable. If you choose to install Kali
instead of BackTrack, the steps are the same, and Kali is also a free software
that can be downloaded through the following link:
https://www.kali.org/downloads/
Chapter 4 – Wireshark

This piece of software is a packet analyser, and once you are capturing traffic using this tool you will see everything that goes between computer A and computer B.

Let me elaborate on the possibilities, and why Wireshark might be your best and only option to use.

Imagine that there is a DHCP server and a PC is connected to it; the DHCP server is supposed to provide an IP Address to the PC, however, for some reason no IP Address is assigned to the PC.

After closely examining the issue, you can tell that the connection is established and the underlying cable infrastructure is fine, but because you cannot see what is actually happening between the two devices, you might be in doubt.

In cases like these you can use Wireshark by installing it on the PC and starting to monitor the interface that leads to the DHCP server. What you will find is that Wireshark becomes a MIM (man in the middle) and starts capturing everything, including every communication that is taking place between the two devices.

What you can capture with Wireshark is anything that might be a request or a reply from one device to another. Also, if authentication is required, such as a username or password in order to log on, and the server asks for such information, Wireshark would capture them all in plain text format.

All captured traffic is recorded and can be replayed as many times as you want, or you might delete it; however, the logs are very accurate and very detailed, in fact the most accurate they can be. So, in case of an issue there would be nothing hidden from Wireshark.
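
As an added example (not from the book), here is the kind of check you would run on the capture from the DHCP scenario above: it reads a Wireshark CSV export filtered on DHCP, groups packets by transaction id, and reports how far each Discover/Offer/Request/ACK exchange got, so the failing PC’s problem (no server answered, or the client never followed up) is visible at a glance. The capture lines, addresses and transaction ids are constructed; the CSV column names are those Wireshark’s packet-list export uses.

```python
import csv
import io
import re

# Constructed Wireshark CSV export (File > Export Packet Dissections > As CSV)
# filtered on "dhcp": one complete lease, one client that keeps asking with no
# answer, and one transaction where two different servers answer.
CAPTURE_CSV = """\
No.,Time,Source,Destination,Protocol,Info
1,0.000000,0.0.0.0,255.255.255.255,DHCP,DHCP Discover - Transaction ID 0x3d1d
2,0.001200,192.168.1.1,255.255.255.255,DHCP,DHCP Offer    - Transaction ID 0x3d1d
3,0.002000,0.0.0.0,255.255.255.255,DHCP,DHCP Request  - Transaction ID 0x3d1d
4,0.003100,192.168.1.1,255.255.255.255,DHCP,DHCP ACK      - Transaction ID 0x3d1d
5,5.000000,0.0.0.0,255.255.255.255,DHCP,DHCP Discover - Transaction ID 0x7a10
6,9.000000,0.0.0.0,255.255.255.255,DHCP,DHCP Discover - Transaction ID 0x7a10
7,17.00000,0.0.0.0,255.255.255.255,DHCP,DHCP Discover - Transaction ID 0x7a10
8,20.00000,0.0.0.0,255.255.255.255,DHCP,DHCP Discover - Transaction ID 0x9c01
9,20.00100,192.168.1.1,255.255.255.255,DHCP,DHCP Offer    - Transaction ID 0x9c01
10,20.00150,192.168.1.77,255.255.255.255,DHCP,DHCP Offer    - Transaction ID 0x9c01
"""

INFO_RE = re.compile(r"DHCP (\w+)\s+- Transaction ID (0x[0-9a-fA-F]+)")

# Ordered by how far a lease got; a working one ends with ACK.
STAGE_TEXT = {
    "ACK": "lease completed",
    "NAK": "server refused the request (NAK)",
    "Request": "client requested, server never acknowledged",
    "Offer": "server offered, client never requested",
    "Discover": "no offer: no server answered the client",
}


def diagnose(capture_csv: str) -> dict:
    """Group DHCP packets by transaction id and report how far each exchange got.
    More than one server answering the same transaction is worth a look: either a
    second legitimate DHCP server or a rogue one on the segment."""
    exchanges = {}
    for row in csv.DictReader(io.StringIO(capture_csv)):
        m = INFO_RE.search(row["Info"])
        if not m:
            continue
        mtype, txid = m.group(1), m.group(2).lower()
        ex = exchanges.setdefault(txid, {"messages": [], "servers": []})
        ex["messages"].append(mtype)
        if mtype in ("Offer", "ACK", "NAK") and row["Source"] not in ex["servers"]:
            ex["servers"].append(row["Source"])
    for ex in exchanges.values():
        seen = set(ex["messages"])
        ex["stage"] = next((STAGE_TEXT[k] for k in STAGE_TEXT if k in seen),
                           "other DHCP traffic only")
        ex["multiple_servers"] = len(ex["servers"]) > 1
    return exchanges


if __name__ == "__main__":
    for txid, ex in diagnose(CAPTURE_CSV).items():
        print(txid, ex["stage"], "servers:", ex["servers"])
```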

Wireshark is able to filter the traffic that you specify, such as:

Capture a specific interface only,
Filter and view traffic destined only to a certain website like www.facebook.com,
Filter and view traffic that is https only,
And many, many more.
Chapter 5 – NMAP / ZenMAP

Network Mapper is a widely implemented tool that allows you to scan the ports of the devices connected to the network.

NMAP is free open source software, meaning that it’s freely available to anyone and users are allowed to modify the original code. In order to install it, first you might want to download it from https://nmap.org/. NMAP is considered to be one of the 5 most important pieces of software due to its power for security scans.

Let’s take an example. You are applying for a job as a PEN tester (Penetration Tester) and your task is to find vulnerabilities in the system. Your first request should be to see the company’s diagrams, in order to see what type of devices the company has. They might not have any diagram, or even if they do, all of them could be outdated. Once you have access to the system, what NMAP can do is run a security port scan and identify all the devices residing on the network.
Earlier I discussed PING, and the way that works is that once PC-A sends an echo request to PC-B, PC-B should reply with an echo reply to PC-A; but that only works if you know the IP Address of PC-B, and even when you do, the only information that you would find out about PC-B is that it is up and working. Also, some devices are up and working but have been configured not to respond to PING requests, even if you know the IP Address of the device.

NMAP is not only sending a PING but a SYN request (Synchronization Request) that is part of the TCP (Transmission Control Protocol) 3-way handshake. Every device that has an IP Address is running the TCP protocol, and the handshake would continue by answering the SYN request with an ACK reply (short for Acknowledge); then the third part of the handshake would be a SYN/ACK, a Synchronized Acknowledgement.

While NMAP is running a security scan it would broadcast a SYN request on the network, and every device with an IP Address would reply with an ACK, and NMAP would discover information on those devices such as:
Operating system, for example Linux Ubuntu, Microsoft Windows 2012, Cisco 3650 Catalyst Switch or Juniper SRX 500…
Services identified by port, for example port 80 web server, port 25 e-mail server, port 547 DHCP server, port 546 DHCP client…
MAC address (physical address) of the endpoint

NMAP can be used from the CLI (Command Line Interface) by issuing a command such as:
nmap 10.10.10.1 > this command would specifically look at the address that we have given. However, if you would like to see other devices on the same network there is another command that you can issue:
nmap 10.10.10.* > here the * represents any number, so it would scan the whole network for responses, such as open ports and system details.

One thing that you should know is that NMAP scans nearly 1000 possible ports, and the larger your search criteria the more time it consumes, maybe minutes to get a response, so you might want to be more specific when issuing such commands.
Another thing is that large companies, and even small companies with good security measures in place, probably have IPSs (Intrusion Prevention Systems), IDSs (Intrusion Detection Systems) or both in place, and their job is to identify software like port scanners, so they would fire off e-mail alerts to IT infrastructure administrators, engineers and infrastructure management.

That would be another reason to make sure you have written authorization to use NMAP in a production environment, before every IT staff member starts running around scared, screaming about what to do as they think they have been attacked.
When you run NMAP to scan for open ports, in the meanwhile the IDS would trace the IP Address of the origin of the scanner’s PC, then the IPS would prevent further scanning.
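
To show the IDS side of that, here is an added example (not from the book) of the simplest port-scan detection rule: over firewall-style connection log lines, flag any source that sends SYNs to many distinct ports on one host within a short window, while a normal PC that only opens 80 and 443 stays quiet. The log lines, hosts and the "10 ports in 60 seconds" threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection log: one host touches 15 different ports
# on the router within three seconds, while a normal PC opens 80 and 443 only.
BASE = datetime(2017, 5, 2, 10, 0, 0)


def _ts(seconds: float) -> str:
    return (BASE + timedelta(seconds=seconds)).isoformat()


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
SAMPLE_LOG = [f"{_ts(0.2 * i)} SYN src=10.10.10.55 dst=10.10.10.1 dport={p}"
              for i, p in enumerate(SCAN_PORTS)]
SAMPLE_LOG += [f"{_ts(1.0)} SYN src=10.10.10.20 dst=10.10.10.1 dport=80",
               f"{_ts(1.5)} SYN src=10.10.10.20 dst=10.10.10.1 dport=443"]

LINE_RE = re.compile(r"^(\S+) SYN src=(\S+) dst=(\S+) dport=(\d+)$")


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)) -> list:
    """Flag a (src, dst) pair once the source has sent SYNs to `threshold` or more
    distinct ports on that destination within `window`. One alert per pair."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events[(m.group(2), m.group(3))].append(
                (datetime.fromisoformat(m.group(1)), int(m.group(4))))
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct ports seen in the window that opens at this event
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "first_seen": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print("possible port scan:", alert)
```

A real IDS adds the reply side (how many of those ports answered with a reset) and tunes the threshold per network, but the counting logic is the same.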

However, there is a cool command that would confuse IDS and it would have a
hard time tracing your IP Address, and that is:
Nmap 10.10.10.* -D
the –D stands for decoy, and so there would be so much data fired up that
would make it very difficult to identify the source of the attacker.

ZenMAP
NMAP is awesome; however, if you prefer to see the outputs in a GUI (Graphical User Interface) instead of the CLI, you might launch it by issuing the command:
zenmap > this command would bring up the GUI, ready for you to enter the target details:

The results can be achieved in the same way as with the CLI; however, some people prefer to use the GUI, as it is more helpful in explaining what each command does, instead of figuring them out on the CLI.
Chapter 6 – Hydra

Before explaining what Hydra is, let’s first understand the purpose for which we may use such software, which is another very powerful hacking tool.

In order to access a high-end production router or firewall, the most common first method is a console cable. Once an administrator has a brand new router that needs to be fully configured for the production environment of a company’s new office, console access is required. An administrator would turn on such a device manually and look at the default configuration that comes straight out of the box.

The first thing to do is to check the version to see if an upgrade is required to run the latest firmware, and most famous brands would listen to a command like: show version. Such a command would tell us the uptime and the available space on the device.

The next thing to check on a brand new device is the time. That, of course,
should be set accordingly. To synchronize it properly we would use NTP
(Network Time Protocol), and to check the time the command we could use is:
show clock

In order to see the configuration on every interface we could use many
different commands and see the output in multiple ways:
show ip interface brief > this command would show the state of all the
interfaces briefly. It would tell us whether the interfaces are ready to be in production
if someone connects a device like a PC or a server. Out of the box, by default,
the interfaces are always in the up state. So, the best practice is to close them,
before someone gains unauthorized access, with the command:
shutdown

To see everything that has been configured on the interfaces you can use the
command:
show interfaces. This command would present details such as the
speed that is allowed on the interface, the MAC address and IP address of any
connected device, whether any inbound or outbound errors were
detected, whether there were any interface resets, and many more.

In order to see every configuration on all interfaces there is another command
that can be used:
show running-config, aka show run, aka sh r.
This command would show more than just the interface configuration, and
because the output of this command would normally be more than 50 pages long
it would not usually be used; however, with a brand new device it’s always best
practice to make sure that the device is indeed ready for production.

Lastly, the CPU (Central Processing Unit) utilization should be checked, and
make sure it is not more than 10%, especially when it’s still brand new.
When you first turn on a brand new device, while it is booting the CPU
would rise up to 80-90%. So, checking the CPU as the first thing is not
recommended, as it might give false information. The commands are:
show processes cpu > lists every application and its CPU usage
show processes cpu history > lists the CPU in a historical view
show processes cpu sorted > lists the CPU sorted by the applications
that are using the most CPU.

I hope you understand that if you buy 2x brand new high-end production routers
from Cisco Systems that are capable of forwarding at a speed of 10GB/sec, each
could cost as much as $25,000; therefore the bare minimum is to check the default
configuration on them and log it, in case there is a problem with them in the
near future and they need a replacement. So, logging all the outputs at the
beginning would be for your protection. In case the shop you purchased from
wouldn’t take it back, having the logs from when it was brand new would prove that
the issue existed out of the box.

What I can tell you from experience is that some cheap devices might fail but I
have not seen any Cisco device failing over the years; however, basic checks
using show commands are the minimum.
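The out-of-the-box checks above, turned into something that can be run against saved show output, as an added example that is not from the book: it parses constructed `show ip interface brief` and `show processes cpu` output, lists the interfaces that are up with no address (the ones to shut down before anyone plugs into them) and flags CPU utilization above the 10% figure given above. The sample output text is constructed for the example.

```python
"""Baseline check over saved Cisco show output.

Added example (not from the book). It parses constructed output of
`show ip interface brief` and `show processes cpu` and reports interfaces
that are up with no address configured (candidates for `shutdown`) and CPU
usage above the 10% figure used in the text. The sample output below is
constructed for the example; real device output has the same column layout.
"""
import re

# Constructed `show ip interface brief` output (not from a real device).
INTERFACE_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.0.0.1        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
"""

# Constructed first line of `show processes cpu` (not from a real device).
CPU_SUMMARY = "CPU utilization for five seconds: 7%/1%; one minute: 12%; five minutes: 4%"


def parse_interface_brief(text):
    """Return one dict per interface row; Status may be two words
    ('administratively down'), so it is rebuilt from the middle tokens."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        tokens = line.split()
        if len(tokens) < 6:
            continue
        rows.append({
            "interface": tokens[0],
            "ip": tokens[1],
            "status": " ".join(tokens[4:-1]),
            "protocol": tokens[-1],
        })
    return rows


def unused_live_interfaces(text):
    """Interfaces that are not administratively down and have no address:
    out of the box these are live ports nobody has configured yet."""
    return [r["interface"] for r in parse_interface_brief(text)
            if r["ip"] == "unassigned" and r["status"] != "administratively down"]


def cpu_over_threshold(summary_line, limit=10):
    """Return (one-minute %, five-minute %, over_limit) from the summary line."""
    one = int(re.search(r"one minute: (\d+)%", summary_line).group(1))
    five = int(re.search(r"five minutes: (\d+)%", summary_line).group(1))
    return one, five, (one > limit or five > limit)


if __name__ == "__main__":
    for name in unused_live_interfaces(INTERFACE_BRIEF):
        print(f"{name}: up with no address, consider 'shutdown'")
    one, five, high = cpu_over_threshold(CPU_SUMMARY)
    print(f"CPU one minute {one}%, five minutes {five}%: {'HIGH' if high else 'ok'}")
```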

Once the show commands have been successfully logged, the only
configuration would be to create a username and password for future access.
Pretty much every company would ship these devices to their data centre,
rack them up and configure them at a later date. So, for now the only
configuration that would be required is a username and password for admin
access.

Normally, data centres are far away from the companies (or at least they
should be), so console access will not be possible for further configuration.
Instead of console access, other ways to access devices are telnet or
Secure Shell.

Telnet
In order to log in remotely to a device whose IP address you know, you may
use telnet. Telnet uses port number 23, and it is still an excellent way of
getting remote access, especially for testing purposes.

Unfortunately telnet is not secure: it has no built-in encryption and simply
uses plain text. Using Wireshark, anyone can clearly see the username and
password if you choose to telnet into a device.

Usually, after testing is complete, telnet would be turned off and administrators
would use Secure Shell.

Secure Shell
This is also known as SSH or Secure Socket Shell. It is a secure way to
access remote devices, as this protocol strongly encrypts the username and
password. Therefore, it’s everyone’s favorite and the most widely implemented
remote access tool.

SSH uses another well-known port number, 22, and this port is also the favorite
port for black hat hackers to attack, as it’s always open.

I already explained how to find the IP address of a device using NMAP. I also
explained how to use Wireshark to see every packet that goes
between devices (hopefully in plain text). However, if the flow that you
want to eavesdrop on is secured and encrypted, you will not be able to see the
username or password.

With the knowledge that port number 22 is always open and waiting for a
connection, we might try to authenticate using a dictionary attack.

A dictionary attack sounds easy, as all you have to do is try logging on to the
device using different combinations of usernames and passwords, hoping to
get access one day.

You might start with the username of admin and try to guess the password, or
you could use the username of administrator. Again, there could be so many
possibilities, so using this method could take a really long time.

What if it could be automated, and what if I could just use a piece of software and ask
it to try multiple combinations of passwords, with all the possibilities out there,
but only to gain access using Secure Shell on port 22? Well, there is
software that could help you, and it’s called Hydra.

Hydra has over 14 million possible password combinations that it would run
through automatically, and by default it would try the most common passwords
first, instead of going in alphabetical order.

You could set up Hydra in the evening, and by the morning (well, maybe even
in 5 minutes) it would tell you the username and password to any device out
there, and the best thing is that you don’t even need physical access to the
device.

Hydra is accessible on Kali Linux and BackTrack on the command line
interface; however, in case you want to run the GUI (Graphical User Interface),
all you have to do is use the command: xhydra.
Once you launch xHydra you have to choose from the following:

Single target or target list > put the IP address here
Targeted Protocol > here you should select SSH
Targeted Port number > select port 22 exclusively
Username list > here you can type: admin, administrator and root, as
these are the most common usernames
Password > here you can select the one called: Choose password list

Once you are ready to launch xhydra, it will begin attempting to log on using all
those 14 million possibilities until there is a hit.
This hacking method is also known as a dictionary attack, and the reason is that it
keeps on trying until it succeeds, using its own dictionary.

As a white hat hacker you might decide to have a centralized security system
that oversees such attempts and creates a security alert for them or, even better,
blocks the account for 10 minutes after every three failed logon attempts.

Such centralized security systems that can be used for protection are:

ISE – Identity Services Engine
ACS – Cisco Secure Access Control System (old version of ISE)

Security systems are great to have; however, by default not everything is
configured, and if you are able to launch xHydra and begin to run it, that
indicates that the security mechanisms are yet to be implemented.
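The alert-and-lock rule from the white hat paragraph above, as an added example that is not from the book and is not ISE or ACS: it reads constructed sshd log lines, raises an alert and locks the account for 10 minutes after three failed logon attempts, and reports any attempt that arrives while the lock is in force. The hostname, addresses and year in the sample log are assumptions constructed for the example.

```python
"""Failed-logon alerting and account lockout over constructed sshd log lines.

Added example (not from the book, and not ISE/ACS). It implements the rule
from the text: alert on repeated failures and lock the account for 10
minutes after three failed logon attempts. The log lines use the OpenSSH
"Failed/Accepted password for <user> from <ip> port <n> ssh2" wording; the
hostname, addresses and year are assumptions constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log (OpenSSH-style wording, made-up host and addresses).
SAMPLE_AUTH_LOG = """\
May 11 10:00:01 rtr sshd[4011]: Failed password for admin from 203.0.113.7 port 51000 ssh2
May 11 10:00:02 rtr sshd[4012]: Failed password for admin from 203.0.113.7 port 51001 ssh2
May 11 10:00:03 rtr sshd[4013]: Failed password for admin from 203.0.113.7 port 51002 ssh2
May 11 10:00:05 rtr sshd[4014]: Accepted password for admin from 203.0.113.7 port 51003 ssh2
May 11 10:00:07 rtr sshd[4015]: Failed password for invalid user root from 203.0.113.7 port 51004 ssh2
May 11 10:11:00 rtr sshd[4016]: Failed password for admin from 198.51.100.4 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)
LOG_YEAR = 2017  # syslog timestamps carry no year; assumed for the example


def parse_auth_log(text):
    """Yield (timestamp, result, user, src) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m["result"], m["user"], m["src"]


class LockoutPolicy:
    """`max_failures` failures within `window` lock the account for `lock_for`."""

    def __init__(self, max_failures=3, window=timedelta(minutes=10),
                 lock_for=timedelta(minutes=10)):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = defaultdict(list)   # user -> recent failure timestamps
        self.locked_until = {}              # user -> lock expiry
        self.alerts = []                    # (kind, user, src, timestamp)

    def is_locked(self, user, now):
        return user in self.locked_until and now < self.locked_until[user]

    def observe(self, ts, result, user, src):
        if self.is_locked(user, ts):
            # any attempt during the lock window, even with the right password,
            # is something the operators should hear about
            self.alerts.append(("ATTEMPT_DURING_LOCK", user, src, ts))
            return
        if result == "Accepted":
            self.failures[user].clear()
            return
        recent = [t for t in self.failures[user] if ts - t <= self.window] + [ts]
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lock_for
            self.failures[user].clear()
            self.alerts.append(("LOCK", user, src, ts))


def evaluate(text):
    """Run the policy over a log and return the resulting policy object."""
    policy = LockoutPolicy()
    for event in parse_auth_log(text):
        policy.observe(*event)
    return policy


if __name__ == "__main__":
    for kind, user, src, ts in evaluate(SAMPLE_AUTH_LOG).alerts:
        print(f"{ts:%H:%M:%S} {kind:20} user={user} from={src}")
```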
Chapter 7 - Metasploit

As I explained before, BackTrack itself contains hundreds of tools that are
ready to be used for certain attack methods, in order to find vulnerabilities and
exploit them. Metasploit is one of the tools that BackTrack has built in by default.
Each tool might serve a purpose; however, when it comes to Metasploit, we
are talking about a whole different level of exploits.

Metasploit itself contains hundreds of tools that are used together. Therefore, it
is also known as Metasploit Framework.

What we can achieve with this excellent software is first to identify the
systems, similar to nMAP; then it would scan for open ports and identify
potential vulnerabilities and weaknesses, and eventually it would allow us to
exploit those in multiple ways.
Metasploit itself contains many different kinds of exploits, due to its frequent
updates for the latest vulnerabilities; literally, it updates itself every day.
When I mention exploits, I mean this could cause serious damage to the victim’s
PC. Therefore, another warning for you: please, only use Metasploit once you
have written authorization to do so.

Of course a lab environment can be your other option; however, try to keep this
software away from any Internet connection, especially if you are a newbie.

In order to launch the Metasploit Framework Command Line Interface you shall
issue the command: msfconsole
Once you issue this command the following banner would pop up:

In addition to exploits, Metasploit is also able to send a payload to the victim’s
system. Popular payloads might be a redirected link, or a misdirection for the
end user, such that once the end user clicks on it, it would open up a
webpage, where the webpage would launch code on the victim’s PC, and that
code or software would begin to run on it.

Another payload could be used to create a communication channel, also known as a
covert channel, that would allow us to type any command on the attacker’s PC,
and the victim’s PC would run those commands while the end user would not
even be aware of it.

Metasploit has several versions nowadays, and the one called Metasploit
Framework Community is free for anyone to use; however, there are two other
versions that you should be aware of, but they are not free.

Metasploit Express
Metasploit Pro

These two are not free to use; however, they are very powerful, and many
white hat hackers’ favorite tools, as they are simplified in so many ways that
you can use them with the click of a button.
Chapter 8 – Armitage

I have explained some basics of Metasploit, and that it is not exactly free
software unless you are a command line junkie; however, many newbies might
want to try it out for free, and would rather use a Graphical User Interface, so
Armitage is what you are looking for.

In order to launch Armitage, you should click on the following menu path:
Backtrack > Exploitation Tools > Network Exploitation Tools > Metasploit
Framework > Armitage

You might just type the command armitage on your command line interface and
you can end up with the Graphical User Interface, but there are other options.
Either way you go about it you should have your GUI up and running.
Once you have launched the Graphical User Interface, you should be able to
run a synflood attack.
I have explained in one of the earlier chapters what the SYN packet does, but I
will give you a hint.

A SYN packet would be sent from one device to another in order to start
communicating, but in order to have the communication up and running the 3-way
handshake should be completed.

What you can achieve with a synflood attack is that Armitage would send
thousands of SYN requests to a victim’s PC, but when it receives a reply, it
would drop all those packets, so the communication would never come
through.

Using armitage to launch a synflood attack, you can also specify the sender’s IP
Address. You might spoof a different address. Actually you could begin to
damage 2 end hosts, one that you would set to be a destination as a victim, and
the other that you would set to appear to be the source of the SYN request.

Lastly, in case you do not specify the source address of the attacker, the one
who sends the SYN requests, what Armitage does is randomize the source IP
address each time it sends a new SYN request. While a synflood
attack is on, this could mean thousands of SYN requests every second, which also
means thousands of fake random IP addresses as the source. Therefore, if you
have an open connection to the internet while you are running Armitage, there is
a big chance that you might start to damage your own internet service provider,
and believe me, they will not be happy.

If your internet service provider has good security system implemented like an
Intrusion Detection System, or an Intrusion Prevention System, and I am sure
they have, they will shut down your internet connection as a minimum, and flag
you for suspicious malware activities. Then you can call them and explain that
you don’t know what you are doing and just trying out some hacking
techniques.

So I would suggest you specify a source address, but either way, if you want to
test out Armitage, your best bet is to disconnect your home router first, and
make sure that you have no internet connection whatsoever in order to avoid
any unpleasant event.
Chapter 9 - Maltego

Let’s assume that you, as a white hat hacker / penetration tester, get assigned by
a certain organization to a task that involves data collection. It is common for
large organizations to penetration test, as well as to hire someone for the purpose
of finding out how much data can be leaked, then analyzing whether that could be
used against themselves.

When you are required to collect data on a company, it may include:

What webservers they have
What domains they own
What mail servers they have
What the IP addresses of each server are
What the locations of each server are, and so on…

Maltego would do all the collection for you without a fuss. The beauty of this
software is that all the data you collect is clearly visible in its graphical user
interface, which has been built into both the BackTrack and Kali Linux operating
systems, and again it’s another free piece of software that can be used by anyone.
What Maltego does is simple really, and for the sake of conversation let’s take
the example of www.google.com. Of course, google.com has a huge server
farm, probably one of the biggest in the world; however, once we provide the
website’s name to Maltego, it would begin to look for any other associated
server under that top domain, such as www.google.co.uk, www.google.de,
www.google.ca, and so on…

Then it would begin to collect each of their IP addresses, followed by creating
a collection of mail servers, like gmail.com, gmail.de, and their IP addresses,
and so on.

Maltego uses a process called Transforms, and what it does is a simple DNS
lookup of publicly available data; however, if you did this manually it could
take forever, whereas Maltego has a built-in automated system. Therefore, it would do it
in a few minutes, instead of days, if not weeks. You don’t have to manually
collect data, as Maltego would create a wonderful diagram within its
graphical user interface.

Just to make myself clear, Maltego does collect data that is publicly available;
however, if you are not authorised to do so, or you don’t have a good enough
reason for it, the company that you are after might look at your activities as
malicious. Some companies might have Intrusion Detection Systems built in,
and these would fire off alerts, in the form of e-mails to management, for
suspected malicious scanning of their systems, and that would cause an issue if
you didn’t hide your source IP address.

In order to launch Maltego you can follow the menu as described:
BackTrack > Information Gathering > Network Analysis > SMTP Analysis >
maltego
The Maltego Graphical User Interface can also be launched by typing the command:
maltego

Once the software has been launched, you have to register to be able to use it,
and you have to provide an e-mail address. So, once you have received an e-
mail for successful registration, you have to confirm it and you are ready to go.

Once you are ready to start, click on a menu icon Investigate, then it will
provide a blank page titled: New Graph. On the left side you will have a
palette where you are able to identify multiple information gathering on each
individual subject.

Any of the following you can choose from, then simply drag and drop it in the
blank field, then right click and select run transforms. In order to choose what
data you want to gather, select one of the below options, and their subcategory:

Devices:
A device such as a phone or a camera

Infrastructure:
AS – Internet Autonomous System Number
DNS –Domain name system server name
IPv4 Address – IP Address of the Internet domain
MX Record – DNS mail exchange record
NS Record – DNS name server record
URL – An internet uniform resource locator
Website – an Internet website

Locations:
Location on Mother Earth

Penetration Testing for Personal Data:
Alias – An alias for a person
Document – A document on the internet
E-mail Address – An e-mail mailbox
Image – A visual representation of something
Person – Entity representing a human
Phone number – A telephone number

Social Network:
Facebook Object – Facebook Profile pages
Twit – Twitter entity
Facebook Affiliation – Membership of the Facebook social network
Twitter Affiliation – Membership of Twitter

Let me remind you again, once you start gathering information on a website,
Maltego will ask you to confirm that you are aware of the potential consequences of running
a data enquiry, and you will be confronted with a pop-up window where you
have to accept all the disclaimers.

So, basically, if you have no permission for a data enquiry and still carry on
using Maltego, be aware of the potential consequences, as you might be red flagged in the
system, and you might also have to face accusations of illegal activities.
Again, if you choose to carry on data enquiries without written authorization,
your behavior will reflect that of a Black Hat hacker. Therefore, I highly advise
you not to run any scan that you are unfamiliar with, especially because of the
potential damage that you might cause.
I would advise that if you do decide to practice with this tool, try it on a
domain that you are in charge of or affiliated with, and are certain that
you will not get into trouble for gathering information on it.
Chapter 10 – S.E.T

SET stands for Social Engineering Toolkit. Do not confuse it with the concept of
actual social engineering.

Social engineering is a method of tricking someone into a position where they reveal
the username and password to a certain system or device; however, it may
mean many other things. Social engineering comes in many forms. Therefore, I
will provide some examples.

Spear-Phishing (e-mail)
For example, we send an e-mail to someone we want to trick and
make it look like it comes from someone they know and trust. The e-mail
may be sent from an already compromised system, so it might come from
an e-mail address they really know.

We would provide a link in the e-mail and an attachment; once they
click on or download it, it would trigger the execution of code that we
have sent as an attachment, or if they click on the link it might redirect
them to a website that will execute code, and as a result that device
would be compromised too.

Cloned web browsing:
This method is to create a website on BackTrack and trick the user into
visiting it, and while they are visiting it, SET would launch malicious code and
compromise the visiting PC.

Another option might be to replicate an actual website. If we know the
favorite website of our victim, or know some of the websites that they
often visit, we could make a replica of those websites and send them a link
that would redirect them to what looks like those trusted websites but is actually a
BackTrack device. This is very powerful, as the victim wouldn’t ever
realize that they might have gone to browse the wrong website.

Web browsing misdirection
This method is similar to cloned browsing, and you can use them
together. This time you would infect a website by injecting into the URL,
adding additional code to it. When the victim clicks on it, there will
be a pop-up message. One of the most famous pop-up messages is:
## JAVA UPDATE REQUIRED ##
So, in order to proceed to the website the victim must update the Java on
the PC, and of course this would be a fake Java update. While the victim
is busy downloading the latest Java, malicious code would be
installed instead, and the PC would be compromised.

Infected media
This is carried out by injecting code into a flash drive and programming that
flash drive to auto-execute once it’s installed, or tricking the system into auto-
executing 5 minutes after the installation. This method is also known as
delayed auto execute. We could even trick the victim into clicking on it to
execute the malicious code, and we could compromise the PC that way.
This malicious code could open a listening port and notify us once
done; then we would be able to connect to it and create a covert channel.

These methods are all configured within SET, and each has an assigned
number. Therefore, instead of continually typing commands for each social
engineering method, we only have to use the number that is assigned to each
technique.
I agree it’s insane; however, if you still don’t understand how SET works,
imagine that you go to a restaurant ready to order a main course, but on the
menu what you find is called: Roasted Fillet of Orkney Salmon & Steamed
Shetland mussels with wilted spinach. You may also notice that each food
item has a number assigned to it, so once you are ready to order you can just
use the number to make the order by saying: Can I have number 2 as a main
course. That’s exactly how SET works too.

SET works within a command line interface, but you don’t need to worry too
much about remembering the commands. As I mentioned, SET works by typing
numbers.

In order to launch SET you may type the command:
set

Next you would be prompted with a disclosure agreement that you must accept in
order to continue. The agreement would explain that they are not liable for
anything. Furthermore, SET is not meant to be an attacking tool, but a
penetration test tool whose purpose is to help fortify the security environment
of a certain system.

Once you accept the terms and are ready to launch SET, click on “ok”. That would
bring up the front page, which actually looks like a menu, and your options are the
following:

Select from the menu:

1. Social Engineering Attacks
2. Fast Track Penetration Testing
3. Third Party Modules
4. Update the Metasploit Framework
5. Update the Social Engineering Toolkit
6. Update SET Configuration
7. Help, Credits, and About
99. Exit the Social Engineering Toolkit
We want to choose number 1 and select Social Engineering Attacks. Simply
after typing 1, the next screen would show a new set of menu with more
options:

1. Spear-Phishing Attack Vectors
2. Website Attack Vectors
3. Infectious Media Generator
4. Create a Payload and Listener
5. Mass mailer Attack
6. Arduino-Based Attack Vectors
7. SMS Spoofing Attack Vectors
8. Wireless Access Point Attack Vector
9. QRCode Generator Attack Vector
10. Powershell Attack Vectors
11. Third Party Modules

Let’s go on and select a Website Attack Vector by typing the number 2, and
look for further options within the next sub-menu:

1. Java Applet Attack Method
2. Metasploit Browser Exploit Method
3. Credential Harvester Attack Method
4. Tabnabbing Attack Method
5. Man Left In the Middle Attack Method
6. Web Jacking Attack Method
7. Multi-Attack Web Method
8. Victim Web Profiler
9. Create or import a CodeSigning Certificate

This time we also have some basic explanation of some of the menu
options, for example:
The Man Left in the Middle Attack method was introduced by Kos and utilizes
HTTP REFERERs in order to intercept fields and harvest data from them.

The Web Jacking Attack method was introduced by white_sheep, Emgent and
the Back Track team. This method utilizes iframe replacements to make the
highlighted URL link appear legitimate; however, when clicked a window
pops up, then it is replaced with the malicious link. You can edit the link
replacement setting in the set_config if it’s too slow or fast.

The Multi-Attack Method will add a combination of attacks through the web
attack menu.
For example you can utilize the Java Applet, Metasploit Browser, Credential
Harvester/Tabnabbing, and the Man Left in the Middle Attack all at once to see
which is successful.

Now we can go ahead and choose the type of Website Attack method we want
to use, and I will now choose the Metasploit Browser Exploit Method by typing
the number 2 again, and that would take me to the next page of choices:

1. Web Templates
2. Site Cloner
3. Custom Import

Each has its own meaning, so let me elaborate on these:

Web Templates means that you might choose to use one of the Web
Templates that are already built into SET.

Site Cloner would be your choice for cloning an existing website.

Custom Import would refer to your own customised Web Template.

I will go ahead and choose option number 1 and select a built in Web
Template:

There are some nice Web Templates I could choose from that are indeed very
popular:

1. Java Required
2. Gmail
3. Google
4. Facebook
5. Twitter

Any of these are very powerful to use for the purpose of fooling the victim
while our malicious code installs on their system; however, I will choose
option 1 – Java Required by typing number 1.

The next page would ask me what type of payload I want to install on the victim’s
PC. There are 33 different types that SET has built in by default.

The last one on the list is called: Metasploit Browser Autopwn
This type even has a warning to use it at your own risk, but while I am
demonstrating this I am in a test environment, therefore I am happy to go with
it; however, I would not suggest you try it out in a production environment
because you can cause very serious damage. In my case, since I am in a non-
production environment, I am ok.
At the next page you might choose otherwise; however, I am choosing option
number 2 > Windows Reverse_TCP Meterpreter, since I have tested it before
and it worked well.
The next page will ask you what port you want to use for the webserver. So,
you just hit return by accepting the default port for web server services: port
443.

Once you have done that, it will take several minutes to create a webserver in
the background.
After a few minutes of waiting, SET has now created a link for us to send to the
victim’s PC.

SET has also found 34 exploit modules that can be used, and the URL that has
been created is:
http://192.168.1.23:8080/

We could use any of the previously mentioned methods to deliver this address to
the victim, and once it has been clicked, all 34 payloads would try to exploit the
victim’s PC and as a result it would create a covert channel for us.
Chapter 11 - Burp Suite

There are certain assignments that might include analysing a session between a
browser and the website that is about to be reached. The reasons can be
endless, but the most common is to be sure there are no man-in-the-middle
attacks and nobody is intercepting our sessions.
You may only be curious, or want to troubleshoot something; however, in order
to be sure there are no vulnerabilities, you might want to use a toolset called
Burp Suite.

I have talked about an https request previously and, as I explained, there are
many activities going on once someone types a website address into the browser,
and if we take a bottom-up approach, there are multiple requirements that have to
be in place in order to receive an answer from a website.

We need connectivity first, such as a wireless or wired network; then the IP
addresses must be able to communicate with each other. DNS would take
place, as well as a TCP 3-way handshake in order to establish a
connection-oriented session between the source and the destination address.
One thing that I have not talked about is another layer that actually sits on
top of all the networking layers, called the Application Layer.
The Application Layer’s responsibility is to provide the end user services
between the networking layers and human users.

Why is it of any importance? Well, if your application team is about to build,
or has already built, a web-based application and you want to make sure it’s
correct by checking the security and the details of this application and
eliminating all vulnerabilities, you must have very clear visibility of each
specific block in it and its functions.

There are many pieces of software that will help you get the most activity and full
visibility, but the only one out there that is still free is Burp Suite, aka Burp.
Burp has a professional version too, which requires purchasing a license to use
and would give you even more visibility, but that is recommended for
experienced penetration testers only.

Burp is a Web Application Security toolkit and it has a proxy functionality.
That makes it able to take requests and forward them to the destination,
meaning that any traffic that has been generated by the source and goes through
the Burp Proxy will be analysed fully. Burp will be able to see all the requests and
replies. It will also be able to pause the sessions as well as fully intercept
them. In addition to that, Burp provides replay at any time in different manners, so
that we can test the response and the reaction from the webserver based on
different types of requests going out.

Burp is included in both Kali Linux and Back Track, and it has many other
advanced functions such as:

Application Aware Spider
Intruder
Scanner
Repeater

In order to launch Burp Suite follow the menu path as described:
BackTrack > Vulnerability Assessment > Web Application Assessment > Web
Application Proxies > burpsuite

If you are launching it for the very first time, like other penetration testing
tools, it will ask you to agree and accept the end user licence agreement for
Burp Suite. Once you click on “yes” you will be presented with menu where
you can literally start to add all the details in regards to:

Target
Proxy
Spider
Scanner
Repeater
Sequencer
Decoder
Comparer
Burp by default is a proxy server; therefore any clients and browsers on the
same machine or the same network which point to this proxy server are going to
have all their traffic sent through this device.
Indeed it’s a MITM (Man in the Middle), as it will intercept all traffic with
the intention of forwarding it to the destination if we want to; but we can change the
details or simply stop forwarding any traffic from any source or to any
destination.

Burp is very powerful for sure, and another thing you should be aware of is that
the intercept functionality is on by default. Burp will not forward any traffic until
you change it by heading to the menu options:
Proxy > Intercept > Intercept on/off button > then click on forward or stop.

Again, it’s not intended to be a MITM, but more like an analysis tool, a proxy, so
we could strategically go to websites and analyse the responses that come
back from those servers.
Chapter 12 - hping3

If we wish to discover networking devices, whatever they are, local or remote,
and they are not responding directly to ICMP ping requests, we can still verify
that they exist by using TCP and UDP options. hping3 has all those options
and many more.

In case you have no response from a device that you are certain is out there, it
might be that the firewall has been configured not to allow ping requests in
order to eliminate Denial of Service attacks, and that’s understandable;
meanwhile, you still want to verify that device.

Large organizations disable ping replies by filtering them on their firewalls.
However, if we still want to validate that the device we are trying to ping is
up, we can use many other tools that we have already discussed, such as nMAP and
ZenMAP. I would like to introduce hping3 as well.

hping3 replaced the previous version, hping2, and now it has additional
functions besides ICMP ping, such as:

Ping request with TCP
Ping request with UDP
Fingerprinting
Sniffer and spoofer tool
Advanced port scanning
Firewall testing
Remote uptime measuring
TCP/IP aka OSI model stack auditing
Advanced flooding tool
Covert channel creation
File transfer purposes

This excellent device discovery tool is built into both Kali Linux and BackTrack by default.
hping3 operates on the command line interface and has a great deal of functionality. To see it, you should issue the command:
hping3 -h
Here -h stands for help, so you will be given an overview of what is possible with hping3.

Using hping3 you can ping not only one address but hundreds of addresses at the same time, and you can set your own source address to any IP address that you want it to look like.
In addition, you can manipulate the source interface the ping originates from. Therefore, it is nearly impossible to trace it back to its real source.

I will not get into every possibility that you have with hping3; however, I will mention that it is very easy to create a DoS (Denial of Service) attack.
As I have explained before, in order to establish a connection between two networking devices there has to be a TCP 3-way handshake, and its first step must be a SYN request. SYN stands for Synchronization. What we can initiate is a continuous stream of SYN requests to a device, which would be flooded with requests; eventually the CPU of the victim's PC or other networking device would not be able to handle it anymore, and it would shut down.

The command would look like:

hping3 -S 10.10.10.1 -a 192.168.1.1 22 --flood

-S > represents the SYN request
10.10.10.1 > would be the victim's address
-a > would represent that the following address I specify will be the source
192.168.1.1 > is the fake source address, instead of providing my own address; therefore it will also be the second victim, as the first victim will try to reply to the SYN requests at the second victim's address
22 > represents the SSH port, or you might specify any port that has been identified as an open port
--flood > I am telling Kali Linux to send out the SYN requests as fast as possible
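From the defender's side, the flood described above shows up as SYNs whose handshake never completes, because the spoofed source never sends the final ACK to the victim's SYN-ACK. The following is an added example, not code from the book: it counts such half-open SYNs per destination over constructed sample connection records (the addresses and ports are made up for the example).

```python
from collections import defaultdict

# Record layout: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# "S" = SYN, "SA" = SYN-ACK, "A" = the client's ACK that completes the handshake.
# Constructed sample data for this example, not a real capture.
SAMPLE_RECORDS = [
    # One legitimate client completes the 3-way handshake to port 22.
    (0.00, "10.10.10.50", 51000, "10.10.10.1", 22, "S"),
    (0.01, "10.10.10.1", 22, "10.10.10.50", 51000, "SA"),
    (0.02, "10.10.10.50", 51000, "10.10.10.1", 22, "A"),
]
# Twelve SYNs carrying the spoofed source 192.168.1.1 arrive within 12 ms;
# the victim answers each with a SYN-ACK that the spoofed host never ACKs.
for i in range(12):
    t = 1.0 + i / 1000
    SAMPLE_RECORDS.append((t, "192.168.1.1", 40000 + i, "10.10.10.1", 22, "S"))
    SAMPLE_RECORDS.append((t + 0.0005, "10.10.10.1", 22, "192.168.1.1", 40000 + i, "SA"))


def half_open_by_victim(records, window_s=2.0):
    """Return {dst_ip: {src_ip: count}} of SYNs whose handshake never completed.

    A SYN stays "half-open" until the same 4-tuple sends its ACK. Only SYNs
    that arrived within the last window_s seconds of the trace are counted,
    so a few stale entries in a long trace are not mistaken for a flood.
    """
    pending = {}  # (src, sport, dst, dport) -> time the SYN arrived
    last_t = max(r[0] for r in records) if records else 0.0
    for t, src, sport, dst, dport, flags in sorted(records):
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = t
        elif flags == "A":
            pending.pop(key, None)  # handshake completed: no longer half-open
        # "SA" from the server changes nothing: the client still owes an ACK.
    result = defaultdict(lambda: defaultdict(int))
    for (src, _sport, dst, _dport), t in pending.items():
        if last_t - t <= window_s:
            result[dst][src] += 1
    return {dst: dict(srcs) for dst, srcs in result.items()}


def syn_flood_suspects(records, threshold=10, window_s=2.0):
    """Return [(victim_ip, half_open_total, dominant_source)] above threshold.

    The dominant source is usually the spoofed address (the "second victim"
    in the book's description), not the machine actually sending the flood.
    """
    suspects = []
    for dst, srcs in half_open_by_victim(records, window_s).items():
        total = sum(srcs.values())
        if total >= threshold:
            suspects.append((dst, total, max(srcs, key=srcs.get)))
    return suspects


if __name__ == "__main__":
    for victim, count, src in syn_flood_suspects(SAMPLE_RECORDS):
        print(f"possible SYN flood against {victim}: {count} half-open SYNs, "
              f"mostly claiming source {src}")
```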

This is certainly no fun. You can seriously damage any device's CPU if you run such a command even for a few seconds. If you choose to let it run for minutes, I promise you many devices would probably give up and shut down.
I would like to warn you to make sure you have written authorization before you use this command in a production environment. Besides that, even if you want to practice within your home lab environment, do not let it run for more than a few seconds, as it may cause very serious damage to your own networking devices too.

Chapter 13 – EtterCAP

Imagine that you have been assigned to carry out a MITM (Man in the Middle) attack against a specific host or server, and the choice of tools is up to you.

I have already discussed how to carry out a MITM attack using Burp Suite. There is another excellent tool that you might consider; it is called EtterCAP.

EtterCAP is another great way of going about a MITM attack, as it has a user friendly Graphical User Interface that provides a so called click, select and go method.

It is always better to know additional tools in case one does not work or is not available to you. You should be aware that there are other options you can go for in order to achieve the same result.

EtterCAP is another built-in tool on the BackTrack platform. In order to launch it you can issue the command:
ettercap -G
Once it is launched it will wait for us to provide further instructions, and you should first click on the menu option: Sniff > then choose Unified sniffing

Next, you should specify the network interface that you will use for sniffing. In my case it is ethernet0.

This will create some additional menu options, and now you should click on the menu option: Hosts > then click on Scan for hosts.

This should not take more than 5 seconds to discover all hosts that are on the same network.

Once complete, go back to the menu option: Hosts > then click on Hosts list in order to see all the hosts' IP addresses and the MAC addresses associated with them.
Once you have a list of hosts, you can simply highlight the source address and click on Add to Target 1, then highlight the destination address and click on Add to Target 2.

The method we use is called ARP POISONING.

We discussed in Chapter 1 what ARP stands for and how it works. Let us have a quick recap. ARP stands for Address Resolution Protocol. There is an ARP table that contains IP addresses and their associated MAC addresses (physical addresses).

However, if we use ARP poisoning we can basically fake the real source address by telling the destination that we have the IP address and the MAC address of the source, so all traffic that is meant to reach the real source host would, from now on, first come to us.

In addition, all traffic that is meant to reach the destination host would come to us, as we would also poison the real source and tell it that the destination IP address and MAC address now belong to our machine.

Using ARP poisoning is one of the best methods to create a Man in the Middle attack, as now all traffic going back and forth between the source and the destination actually comes through us, and we decide whether we just want to analyse it, capture it, modify it, forward it to a different destination, or simply stop the communication between those devices.

So, the final step to launch such an attack is to click on the menu option: MITM > then select ARP poisoning.

Once you have finished and want to stop ARP poisoning, simply click on Stop MITM attack(s).

Lastly, I will ask you again to make sure that you have written authorization for using this method in a live production environment, as any type of Man in the Middle attack is very dangerous, especially when you manipulate routed traffic by poisoning the ARP tables with fake MAC addresses.

If you are only practicing in your home lab, a non-production environment, that should cause no issue to anyone; however, I would suggest you turn off your router and practice with care without any connection to the internet.

Chapter 14 - Xplico

If you have been paying attention to our earlier discussions in this book, hopefully you have already understood that we can launch a Man in the Middle attack in multiple ways, either using Burp Suite or EtterCAP; however, we have never discussed how we can actually collect the data and analyse it, and what tool we may use for that purpose.

We have previously discussed a piece of software called Wireshark and how we can capture data with it, yet there is another utility that we can use for the same purpose; it is called Xplico.

Xplico can even take Wireshark capture files and analyse them for you. It also has the ability to take a direct feed, so we can capture all the traffic and get another great view of what is happening within the session that we are eavesdropping on.

Xplico also comes as a default built-in tool within both Kali Linux and BackTrack. To launch the Graphical User Interface you can follow the menu options:

BackTrack > Forensics > Network Forensics > xplico web gui
Once you have selected these menu options it will launch a web server on BackTrack.
For your information, in case the Apache web server is not running yet, you would normally have to start it manually; however, BackTrack will start it for you automatically. If Apache is already running in the background, Xplico will use that server in order to launch itself.

Next, it will tell us to use a specific URL in order to open Xplico through the web server. You might choose to click on the provided link in order to open Xplico, or you can just copy and paste the address into your browser session. The link is:
http://localhost:9876/

Another way to launch it is to right click on the provided link, then select Open Link, and it will open within the default browser; however, it is fair to mention that some of the menu functions do not always work within the default browser. I would therefore suggest you use the Firefox browser by copying and pasting the provided link.

Next, it would open up a web based Graphical User Interface that would
require you to be logged on using the following details:

Username: xplico
Password: xplico
Once logged on as xplico, in order to analyse the data that I have previously captured using EtterCAP on the network interface ethernet0, I would go ahead and create a new case by clicking on the menu option: Case > New case > Live acquisition

In case you want to analyse an existing file that you have saved previously, you can choose to click the radio button labelled: Uploading PCAP capture file/s

Once you create a case, you can name it after whatever project you are working on, then create multiple sessions within each project and start to view them.

Xplico will provide clear visibility of any website as well as images or videos that the victim has visited, either in a live capture format or by replaying them at any other date and time. Also, we can capture VOIP (Voice over IP) traffic, which we can also spoof, delete or listen to at any time in the future.
As you can see, Xplico is more of a data capture tool, but due to its power it is also known as a very good hacking tool.

Chapter 15 – Scapy

Scapy is more of an advanced packet manipulation tool that is not necessarily a newbie's best choice to play with. However, it is fair to mention that this tool exists and can certainly act like the king of all hacking tools out there.

Scapy can help us craft virtually any packet that we want, without a fuss.
Imagine that we are about to administer and validate a configuration on a firewall, and one of the policies dictates that we implement the following rule:

Any packet initiated from the inbound direction towards the outbound direction is not allowed, and therefore should be dropped, if the destination address is the same as the source address.

For some of you this might make sense right away; however, it sounds a bit unrealistic. In fact, why on earth would a PC send a request in the outbound direction if the destination address were the exact same address as itself?

Well, if you have not seen enough yet, and you just started reading this book with this chapter, then I can tell you that it could be a malicious packet. Someone may be about to run some sort of port scan within the organization in order to gain data on networking devices and their vulnerabilities, in order to launch a strategic attack that could potentially damage, disable, clone or even shut down the whole system, and it would seem that it originated from inside the private network.

How can that be done, you might ask? The tool is called Scapy.
Scapy is very likely the most powerful and flexible packet manipulation tool that is built into both BackTrack and Kali Linux, and it is written in Python.

Using Scapy, by opening the command line interface we can launch it and create a packet, and the best part is that we can specify virtually anything:

Any source address
Any destination address
Type of service
IPv4 or IPv6 addresses
Any header field
The destination port number
The source port number

In addition to crafting unique packets, Scapy is also able to:

Capture any traffic
Play or replay any traffic
Scan for ports
Discover networking devices

Scapy works in both Kali Linux and Back Track, and to launch it on the
command line interface, you shall issue a command: scapy

Because there are so many possibilities with Scapy, let us begin with something straightforward, a basic send command:

send(IP(src="10.10.10.10", dst="10.10.10.1")/ICMP()/"OurPayload")

What this packet creation command means is that I want to send a ping from the source address 10.10.10.10 to the destination address 10.10.10.1. Furthermore, I want this packet to look like an ICMP echo request, but I want it to include a payload that reads OurPayload.

Scapy is a rule breaker. Therefore, we do not have to do anything exactly as it should be done according to proper networking protocols; instead we can create packets that logically would never be found on the network. By sending them to multiple destinations we can just wait for the responses, take a look at them and see if we have caused some weird behaviour, and we could discover a vulnerability in this process.
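The firewall rule from the start of this chapter can be exercised against the very packet the book crafts. This is an added example, not the book's own code or Scapy's: it builds the same IPv4/ICMP echo request with only the standard library (so it runs without Scapy or raw-socket privileges), parses it back, and applies the source-equals-destination rule; the header checksum check is an added sanity test, and the identifier and TTL values are arbitrary choices.

```python
import struct
from socket import inet_aton, inet_ntoa

# Constructed example: minimal IPv4/ICMP builder and parser, standard library only.

def inet_checksum(data: bytes) -> int:
    """RFC 791 / RFC 792 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Bytes equivalent to the book's IP(src=..., dst=...)/ICMP()/payload."""
    # ICMP echo request: type 8, code 0, checksum, identifier, sequence.
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    # IPv4 header: version 4 / IHL 5, TOS 0, total length, id, flags+frag,
    # TTL 64, protocol 1 (ICMP), checksum placeholder, src, dst.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1,
                      0, inet_aton(src), inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields a filter needs and verify the header checksum."""
    (vihl, _tos, total_len, _id, _frag, ttl, proto, chk,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]  # checksum field set to 0
    return {
        "version": vihl >> 4, "ttl": ttl, "proto": proto,
        "src": inet_ntoa(src), "dst": inet_ntoa(dst),
        "checksum_ok": inet_checksum(zeroed) == chk,
        "payload": packet[ihl:total_len],
    }


def egress_policy(packet: bytes):
    """Apply the book's rule to a packet leaving the network.

    Returns ("drop", reason) or ("allow", None). The checksum test is an
    added sanity check on top of the book's source-equals-destination rule.
    """
    info = parse_ipv4(packet)
    if info["version"] != 4 or not info["checksum_ok"]:
        return "drop", "malformed IPv4 header"
    if info["src"] == info["dst"]:
        return "drop", "source address equals destination address"
    return "allow", None


if __name__ == "__main__":
    for src in ("10.10.10.10", "10.10.10.1"):
        pkt = build_ipv4_icmp_echo(src, "10.10.10.1", b"OurPayload")
        print(src, "->", parse_ipv4(pkt)["dst"], egress_policy(pkt))
```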

In order to exit Scapy you press Ctrl+D, which takes you back to a normal command prompt. If you then want to issue another Scapy command, you must start Scapy again by typing the command scapy.

Another command that is very interesting, or we should say dangerous, is the one that turns Scapy into a sniffer:

sniff(iface="eth0", prn=lambda x: x.show())

What it means is: I want you to sniff all traffic that goes through the interface eth0, and I want you to display every single packet as it comes and goes through you.

After you press enter, the output would probably fill this book; however, I wanted to share with you that Scapy is not only capable of crafting packets, it can become an intruder or sniffer if we want it to.

Chapter 16 – Parasite6

Imagine that you have a new assignment for penetration testing, and the company has two networks that need to be broken into. One of them is very likely easy, as there are no firewalls in place, but the second network seems more secure, and it might take the whole day to figure out the possible vulnerabilities in order to exploit them.
Some people may start with the easy one, which could be done in under an hour. However, if you ask the right questions regarding the current network implementation running within the company, you may save yourself a lot of effort and have an easy day.

IPv6 is running as a valid protocol on most computers in companies today. So, unless certain steps have been taken to disable it, we could leverage the way IPv6 operates and compromise the network with a Man in the Middle attack.

If we are aware of that and know how to crack it, we may be able to finish our penetration test within a short period of time, as the company possibly has not enabled all the security features on the network as it should have.

A Man in the Middle attack is achievable with many tools, and we have discussed some of them previously. When we are approaching an IPv6 network we can use another great tool called Parasite6.

Let us get back to basics and think of what happens when a PC boots for the first time. You guessed it right: it would ask for an IP address. In this case, an IPv6 address from the router that is on the same network, or if there is a DHCP server, then the DHCP server would assign that address to that PC.

Next, if that PC begins to communicate with the outside network, aka the Internet, it first has to learn the MAC address of the router. In IPv4 that would happen using ARP (Address Resolution Protocol), but in IPv6 there is no such thing as ARP. What happens on an IPv6 network instead is that the PC uses Neighbour Discovery, specifically NDP (Neighbour Discovery Protocol).
The PC would send out a neighbour discovery message, more precisely a neighbour solicitation, to its router, and the router would reply with a neighbour advertisement.

Solicitations are asking, and advertising is giving the address that has been asked for. That is great, but how would we use Parasite6 here?
Well, we would join the network with a Kali Linux or BackTrack machine that is running Parasite6, then begin to listen to the network. Once Parasite6 is enabled, it starts listening to every solicitation message that goes through the network, and then it begins to answer. However, instead of answering with the correct details, it answers everyone on the network with its own MAC address, making every network device believe that it is the router.

We do not have a Man in the Middle attack yet; instead we have a DoS (Denial of Service) attack, as every network device that wants to get out to the internet would reach our BackTrack machine, thanks to Parasite6 being enabled.
In order to turn this DoS attack into a MITM attack we would have to turn on IPv6 forwarding on our BackTrack machine.

Launching Parasite6 on our BackTrack machine is simple; all you have to do is type the command:
parasite6 interface1 (fake mac address)

Basically, type parasite6, then specify the interface you want to use to connect to the network and become the Man in the Middle, then type the fake MAC address that you want. For the fake MAC address, any address would work just fine.
Other useful options are:

parasite6 -l interface1 (fake mac address)

This time I have added "-l", which represents a loop, meaning it would loop and refresh the solicitation message every 5 seconds in order to keep the poisoned information current.

parasite6 -r interface1 (fake mac address)

This time "-r" represents that it would also try to inject the destination of the solicitation.

However, to use both, keeping all the poisoned fake information current as well as poisoning even the destination of the solicitation, we could use the command:

parasite6 -lr interface1 (fake mac address)

Next, by launching this command, it would listen to all the neighbour solicitation messages that it sees and begin to respond to them all with the fake address that we have specified.

Please make sure you have written authorization before using this command, or any of the commands related to Parasite6, as it could cause serious harm to all networking devices that are connected to the network.
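From the defender's side, the ARP poisoning of Chapter 13 and the Parasite6 neighbour advertisements described here produce the same two symptoms: an address that suddenly maps to a different MAC, and one MAC answering for many addresses. The following is an added example written for this edition, not a tool from the book; the observations, addresses and MACs are constructed sample data standing in for what a monitor would learn from ARP replies and neighbour advertisements on the segment.

```python
from collections import defaultdict

# Observation layout: (time_s, protocol, address, mac) as a monitor would
# learn it from ARP replies or IPv6 neighbour advertisements on the segment.
# Constructed sample data for this example, not a real capture.
OBSERVATIONS = [
    (0.0, "ARP", "10.10.10.1", "00:11:22:33:44:01"),    # the real IPv4 gateway
    (0.5, "ARP", "10.10.10.50", "00:11:22:33:44:50"),   # an ordinary host
    (3.0, "ARP", "10.10.10.1", "de:ad:be:ef:00:01"),    # gateway IP claimed by another MAC
    (4.0, "NDP", "fe80::1", "00:11:22:33:44:01"),       # the real IPv6 router
    (5.0, "NDP", "fe80::1", "de:ad:be:ef:00:02"),       # one MAC answering for every
    (5.1, "NDP", "2001:db8::10", "de:ad:be:ef:00:02"),  # solicited address it hears:
    (5.2, "NDP", "2001:db8::11", "de:ad:be:ef:00:02"),  # the pattern Parasite6 produces
    (5.3, "NDP", "2001:db8::12", "de:ad:be:ef:00:02"),
]


def binding_changes(observations):
    """Return [(proto, address, first_mac, new_mac, time)] for every reply
    that maps an already-known address to a different MAC.

    The first binding seen is kept as the baseline, so each later conflicting
    claim is reported; this is the ARP poisoning symptom from Chapter 13."""
    baseline = {}
    changes = []
    for t, proto, addr, mac in sorted(observations):
        key = (proto, addr)
        if key in baseline and baseline[key] != mac:
            changes.append((proto, addr, baseline[key], mac, t))
        baseline.setdefault(key, mac)
    return changes


def macs_claiming_many(observations, min_addresses=3):
    """Return {"PROTO/mac": [addresses]} for any MAC that answers for
    min_addresses or more distinct addresses of the same protocol.

    A router with several addresses can trip this legitimately, so treat it
    as a lead to verify against the known gateway MAC, not as proof."""
    claims = defaultdict(set)
    for _t, proto, addr, mac in observations:
        claims[(proto, mac)].add(addr)
    return {f"{proto}/{mac}": sorted(addrs)
            for (proto, mac), addrs in claims.items() if len(addrs) >= min_addresses}


if __name__ == "__main__":
    for proto, addr, old, new, t in binding_changes(OBSERVATIONS):
        print(f"[{t:4.1f}s] {proto} {addr}: {old} -> {new}")
    for who, addrs in macs_claiming_many(OBSERVATIONS).items():
        print(f"{who} answers for {len(addrs)} addresses: {', '.join(addrs)}")
```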
Conclusion
I hope this book was able to get you started on your pursuit of becoming an elite hacker, and hopefully you will choose to become an Ethical Hacker.
In case you found some of the techniques and strategies I have demonstrated advanced at first, that is ok; repetition and on-going practice will help you become an IT professional in no time.
In case you wish to check out my first book, feel free to look up:
Volume 1 – Hacking – Beginners Guide

Some of my upcoming books:

Volume 3 – Wireless Hacking
Volume 4 – 17 Most Dangerous Hacking Attacks

Thanks again for purchasing this book.

Lastly, if you enjoyed the content, please take some time to share your thoughts and post a review. It would be highly appreciated!
