How to validate DDoS defenses?
Validating DDoS defenses is essential for every organization. A DDoS mitigation service only protects what it has been provisioned and tested for, so organizations must work closely with their mitigation provider to complete an organized provisioning and service validation. The only way to be sure that DDoS protection will hold is proactive validation against a range of attack scenarios.
Before testing, confirm the basics:
With the DDoS mitigation service running, make sure that all applications still perform normally.
Ensure that routing and DNS work as expected.
Tips to validate the defense:
Work with your mitigation service provider to generate several gigabits per second of controlled traffic, exercising the alarm, activation and mitigation features of the service.
Test small levels of attack traffic without scrubbing and validate that your on-premise monitoring systems detect it properly.
Running a test without any DDoS protection will also help identify the stress points on your network. Treat it as baseline testing and calibration, and remediate any weaknesses it exposes.
Schedule validation testing with your DDoS mitigation provider on a regular basis (monthly or quarterly) to confirm that the service configuration still works, and so reduce the risk of network element failures during a real DDoS.
If network problems appear during testing, the cause is often a recent change on your own side, such as amended firewall rules, router firmware updates or reconfiguration. Review those changes and update the service configuration accordingly.
Banner Grabbing Techniques
In this tutorial we will look at some banner grabbing techniques and tools. Before that, we will discuss what banner grabbing is, why attackers use it, how it can be used to improve network security, and how to prevent it.
What is banner grabbing?
To understand banner grabbing, it is necessary to understand the term "banner" first. A banner is text embedded in a message sent by a service, and it usually contains information about the application that produced the message. A banner for an HTTP service typically reveals the web server product and version, often the operating system, and sometimes other components (such as scripting engines) running on the target host.
Banner grabbing is therefore a technique for extracting information from banners, which helps attackers identify the software in use on a target system and, from that, its known weaknesses. For OS and web server detection, we can grab the banner of the HTTP service. Since HTTP normally listens on port 80, the following does the trick:
C:\>telnet target_IP 80
HEAD / HTTP/1.1
(press Enter twice: the blank line terminates the request)
As you can see, our request is minimal and, strictly speaking, invalid, since HTTP/1.1 requires a Host header; most servers still answer with their full header block, some with a 400 instead of a 200. On a good day the result looks something like:
HTTP/1.1 200 OK
Date: Mon, 20 April 2013 13:00:10 EST
Server: Apache/2.6.01 (Unix) (Red Hat/Linux)
Last-Modified: Thu, 06 Sep 2010 17:55:40 PST
ETag: "2247-12b-449h4bd3"
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html
And there it is: the web server product and version, and the operating system it runs on.
To grab a banner from an SMTP (Simple Mail Transfer Protocol) server, connect to port 25 instead:
C:\>telnet target_mailserver 25
Banners can also be grabbed from the familiar 404 error page. Requesting a URL that does not exist, such as www.somewebsite.com/anyrandomtext, often produces a default error page that names the server software and version. On an improperly configured system, the 404 page can be an attacker's gold mine.
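The telnet session above and the 404 trick can be scripted. The following is an added example written for this article, not code from the original tutorial: it sends a well-formed HTTP/1.1 request over a raw socket (with the Host header the telnet version omits), parses the response headers, and flags the ones that leak software details. The header list in DISCLOSURE_HEADERS and the sample responses are this example's own assumptions, not a standard.

```python
"""Raw HTTP banner grab plus a header leak audit.

Added example; not code from the original tutorial. grab_banner() sends the
same HEAD request typed into telnet above over a socket, and the parsing and
audit functions are pure so they can be exercised offline on a captured
response. The header list in DISCLOSURE_HEADERS is this example's own choice.
"""
import socket
from typing import Dict, Tuple

# Response headers that commonly disclose software, version or platform.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def build_request(host: str, path: str = "/", method: str = "HEAD") -> bytes:
    """Return a minimal but valid HTTP/1.1 request.

    Unlike the bare 'HEAD / HTTP/1.1' in the telnet session, this includes
    the Host header HTTP/1.1 requires and the blank line that terminates the
    header block. A GET for a random path (e.g. /anyrandomtext) reproduces
    the 404-page trick from the text.
    """
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, lower-cased header dict).

    Only the header block is parsed; the body, if any, is ignored.
    When a header repeats, the last value wins.
    """
    text = raw.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed or folded lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_disclosure(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the headers an attacker would harvest from this response.

    A bare product name in Server (what Apache emits with ServerTokens Prod)
    is tolerated; a Server value with a version number or a parenthesised
    platform string, or any other header in DISCLOSURE_HEADERS, is flagged.
    """
    leaks: Dict[str, str] = {}
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if name != "server" or "(" in value or any(c.isdigit() for c in value):
            leaks[name] = value
    return leaks


def grab_banner(host: str, port: int = 80, path: str = "/",
                timeout: float = 5.0) -> Tuple[str, Dict[str, str]]:
    """Connect, send the request, read until the server closes, parse."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    status, hdrs = grab_banner(target)
    print(status)
    for name, value in audit_disclosure(hdrs).items():
        print(f"disclosure: {name}: {value}")
```

Run it against a host you are authorized to test; the audit output is also a quick check that the hardening steps later in this tutorial actually took effect (a Server header reduced to a bare product name is no longer flagged).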
Besides telnet and Nmap, the following tools can also be used for banner grabbing:
Netcat: Netcat (nc), and Nmap's reimplementation Ncat, is the most popular tool for banner grabbing. It is basically a TCP/IP debugging tool, but it is widely used for banner grabbing too. It can be downloaded from http://www.downloadnetcat.com/; it is free and available for both Windows and Linux.
Httprint: Httprint is a web server fingerprinting tool. Rather than trusting the Server header, it compares the server's response behaviour against a signature database, so it can identify the server software even when the banner has been changed or removed. It is easy to use and available for both Windows and Linux.
Miart HTTP Header: this tool reads banner information from the HTTP response headers and the response type. No special skills are needed: enter the URL in the input box, press Enter, and the result appears within moments.
Protection against banner grabbing:
- Apache and its derivatives: suppress version and platform details with ServerTokens Prod and ServerSignature Off in the server configuration, and replace the default error pages.
- IIS: change or remove the default Server header and customize the error pages.
- IIS Lockdown: Microsoft's hardening tool for older IIS versions, which bundles URLScan for filtering and rewriting response headers.
- ServerMask: a commercial IIS module that removes or rewrites identifying headers.
- PageXchanger: a commercial IIS module that hides file extensions in URLs, so the scripting technology in use is not revealed.
Beyond these, thoroughly analyze what information your services actually leak (grab your own banners), change default settings, and turn off services you do not need, such as telnet and unused Windows features.
DNS Enumeration with Backtrack
When it comes to penetration testing web servers, the DNS server is always near the top of the list, because DNS is the gateway through which the outside world finds an enterprise's systems. Information gathering, as we all know, is an important part of a penetration test, and gathering information about the DNS zone is just as important as testing the DNS server itself. If an attacker can enumerate a DNS server, the result can be very damaging to the organization whose records are stored there.
In this tutorial we will look at several tools and their usage, with which we can enumerate a DNS server in several ways.
For this, open a terminal in BackTrack and change to the DNS enumeration directory:
cd /pentest/enumeration/dns
Then type ls. The list of DNS enumeration tools appears, and we will look at the use of each in turn.
First we will use the dnsenum tool.
It is very easy to use: run perl dnsenum.pl followed by the target domain.
It generates results as shown in the picture below.
It provides us with the IP addresses used by the domain, including its name servers and mail servers.
Now the trick is to extract the information we need for the later phases of the pentest; for example, if you want to test the mail server you can connect to it with telnet and fingerprint it (to be explained in upcoming tutorials). The next tool we will use is dnswalk.
dnswalk is also a good enumeration tool and provides filtered information about the target. It lives in its own folder under the dns directory, so cd into it first. The only difference in input is that dnswalk expects the target zone to end with a trailing dot.
We got the results here. As mentioned earlier, dnswalk mainly reports basic information such as the SOA record and consistency warnings, and it depends on being allowed a zone transfer to do more; it is a partial enumeration tool.
The next tool we will dig into is dnsrecon. You can find it in the dns folder as well; it is written in Python.
As you can see below, we have performed several operations with dnsrecon, explained next. It can retrieve the SRV records of the target and query the SOA, NS and MX records, among others.
To retrieve SRV records (service locations such as _ldap._tcp and _sip._tcp under the domain), run: ./dnsrecon.py -t srv -d <target domain>
Here is how the SRV results look:
And here is how we query the SOA, NS and MX records of the domain, using the standard enumeration mode: ./dnsrecon.py -t std -d <target domain>
And here is how the result looks:
Through DNS enumeration you can gather a lot of information about the target, and it can prove very helpful in a penetration test.
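What dnsenum, dnswalk and dnsrecon do under the hood for the std and srv lookups above is plain DNS over UDP. The following is an added example written for this article, not code from any of those tools: it builds a query for a chosen record type using only the standard library and decodes the answers, including the name-compression pointers that NS, MX, SRV and SOA answers routinely use. The record-type table and the constructed reply used to exercise it are this example's own; query() needs a reachable resolver and is the only part that touches the network.

```python
"""Minimal DNS query builder and answer parser (standard library only).

Added example; not code from dnsenum, dnswalk or dnsrecon. It shows the wire
exchange those tools perform for std and srv enumeration: encode a question
for a record type, send it over UDP, and decode the answer section.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name: str) -> bytes:
    """'example.com.' -> b'\\x07example\\x03com\\x00' (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: Optional[int] = None) -> bytes:
    """One question, recursion desired, as a resolver client would send it."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the name occupies only the pointer here
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_response(msg: bytes) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata as text) for every record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE["A"]:
            text = socket.inet_ntoa(rdata)
        elif rtype == QTYPE["AAAA"]:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == QTYPE["NS"]:
            text = decode_name(msg, off)[0]
        elif rtype == QTYPE["MX"]:
            pref = struct.unpack("!H", rdata[:2])[0]
            text = f"{pref} {decode_name(msg, off + 2)[0]}"
        elif rtype == QTYPE["SRV"]:
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            text = f"{prio} {weight} {port} {decode_name(msg, off + 6)[0]}"
        elif rtype == QTYPE["SOA"]:
            mname, p = decode_name(msg, off)
            rname, p = decode_name(msg, p)
            serial = struct.unpack("!I", msg[p:p + 4])[0]
            text = f"{mname} {rname} {serial}"
        else:
            text = rdata.hex()
        records.append((owner, QTYPE_NAME.get(rtype, str(rtype)), text))
        off += rdlen
    return records


def query(server: str, name: str, qtype: str, timeout: float = 3.0):
    """Send one UDP query to `server` (port 53) and parse the reply; needs network."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch; possible spoofed reply")
    return parse_response(reply)
```

The std mode of dnsrecon corresponds to calling query() for SOA, NS, MX and A on the domain; the srv mode corresponds to calling it with qtype "SRV" for the well-known _service._proto prefixes. The transaction-id check in query() is the same minimal defence a real resolver applies against injected answers.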
How a little fight between two rivals caused the 'largest DDoS attack in history'
Has your browser been performing like a turtle lately? It is not so surprising: the internet is currently the stage for the largest distributed denial of service attack in its documented history.
How and why did this happen?
It all started with a dispute between two organizations: CyberBunker, a web hosting company, and Spamhaus, an anti-spam organization. Spamhaus is a non-profit that publishes blocklists of IP addresses, which spam filters at many large companies and ISPs around the world consume. Spamhaus recently blacklisted CyberBunker, a host that advertises it will host anything except child pornography and terrorism-related material, for hosting spam operations. That lit the fuse. In mid-March 2013 Spamhaus began receiving DDoS attacks at varying rates; they quickly grew to 50 to 100 Gbps and eventually peaked at a staggering 300 Gbps, which is rather like pushing an elephant through a garden hose. Suppose you have a router that handles 100 Mbps: push 101 Mbps through it at any instant and it becomes a flowerpot. Something similar is happening now.
At first the attacks targeted only Spamhaus, but they are now affecting the wider infrastructure of the internet. Google is providing resources to help absorb them, and five national law enforcement agencies are investigating their origin. Spamhaus claims that CyberBunker, in cooperation with criminal elements, is behind the attack; this has not been proven. Spamhaus has engaged CloudFlare, an internet security provider, to strengthen its defenses. Spamhaus, with a presence in over 80 locations around the globe, is one of the larger players on the internet, yet these are Layer 3 (network-layer) floods, which are hard to absorb at this scale.
The attacks are gradually being mitigated while experts try to identify their source. One thing this episode has proven is that the security industry was not ready for attacks of this size, and if 300 Gbps is possible, 1 Tbps may not be far off.
Reconnaissance with Maltego (A guide for beginners)
One of the most involved steps in a penetration test is gathering information about the target. It is also essential: the more accurate the information the pentester has, the more efficient the test. In this article we will look at a tool that is very popular among pentesters for information gathering: Maltego. We will look at several aspects of how Maltego works. Maltego comes in both Linux and Windows versions and is also built into BackTrack.
Once registered with Maltego, we see an empty graph on screen. On the left is a palette containing the entities we can add to the graph and, for each, the transforms we can run against them. Here is how it looks.
Here you can see a number of transforms used for information gathering. First, we will gather information about a website. In the palette, look under Infrastructure and drag in a Website entity, enter the site name, and click "Run all Transforms". This is what we get.
As you can see, we have quite a bit of information about Mile2, including its public IP, the websites it is connected to, e-mail addresses and so on. This is very helpful for an external penetration tester. Next we will use Maltego as a search engine to find entities that ordinary search engines do not surface readily. For this example we select the Document entity in the palette; suppose we want to search for documents named Pentest-mag.
As you can see in the image above, it returned links to various Pentest-mag articles, with direct links so we do not waste time searching for them. Now suppose that during a pentest we want to gather information about a particular person; Maltego can help with that too. Select the Person entity in the palette and it collects publicly available information related to that person.
The resulting graph holds some useful information about the person, including telephone numbers, associated social network accounts and some e-mail addresses. The accuracy of this information is not guaranteed, so verify it before acting on it, but it is a handy starting point.
These are just a few of the things Maltego can do; what to extract, and about which entity, depends on your objective. The tool can make a real difference during an engagement, though how much depends on the pentester.
Kaspersky Internet Security bug – Still susceptible
Kaspersky Internet Security 2013 (and all Kaspersky products that include the firewall functionality) is still susceptible to a remote system freeze. As reported on 3 March 2013, the bug is still not fixed. It can be exploited by an attacker sending specifically crafted IPv6 packets to the target system.
If IPv6 connectivity to the victim is possible (which is essentially always the case on a local network, since IPv6 link-local addressing is enabled by default), a fragmented packet carrying multiple extension headers, one of them oversized, leads to a complete freeze of the operating system. No log message or warning window is generated, and the system cannot perform any task.
To test:
1. Download the thc-ipv6 IPv6 protocol attack suite for Linux from www.thc.org/thc-ipv6
2. Compile the tools with "make"
3. Run the following tool against the target: firewall6 interface target port 19
where interface is your network interface (e.g. eth0), target is the IPv6 address of the victim (e.g. ff02::1, the all-nodes multicast address, which reaches every IPv6 host on the link), port is any TCP port (e.g. 80; it does not matter which), and 19 is the test case number. Test cases 18, 19, 20 and 21 all lead to a remote system freeze.
Solution:
Remove the Kaspersky Anti-Virus NDIS 6 Filter from all network interfaces, or uninstall the Kaspersky software until a fix is provided. The bug was first reported to Kaspersky on 21 January 2013, and a reminder was sent on 14 February 2013. Kaspersky gave no feedback, and the reminder carried a warning that without feedback the bug would be disclosed on this day.
SMS Spoofing with new KALI-Linux
The new Kali Linux (the successor to BackTrack, informally BT6) comes with many advanced and expanded features, and one of the notable ones is its SMS spoofing module. Today we will play with this feature and see how easily an SMS can be spoofed.
This improved feature has given many security professionals pause: anyone can send an SMS that appears to come from an arbitrary number, and tracing the true sender is difficult. The feature lives in SET (the Social-Engineer Toolkit). To reach it, go to
Applications>>Kali Linux>>Exploitation tools>>se-toolkit
After selecting it you will be prompted with a menu; choose the Social-Engineering Attacks option.
Next select option 7: SMS Spoofing Attack Vector
Then select option 1: Perform a SMS Spoofing Attack
After that, again select option 1: SMS Attack Single Phone Number
Now enter the victim's phone number, including its country code.
Now select a template, or use one of the predefined templates as shown in the image below.
I am selecting the fake police SMS, option 19.
It is almost done: from here you can choose the predefined Android emulator (for testing) or one of the supported SMS gateway accounts to actually deliver the message. Either way the recipient sees a message from a sender you chose, which is exactly what makes this technique dangerous.
Remember that this tutorial is for learning purposes only; do not use these techniques in an unethical way. Have fun!
Hack Linux with Armitage
Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features of the framework. Team members can:
• Use the same sessions
• Share hosts, captured data and downloaded files
• Communicate through a shared event log
• Run bots to automate red team tasks
Armitage's user interface has three panels. We will work in this GUI front end to the Metasploit framework: discovered targets are displayed in the target area, the module tree sits on the left, and the tabs below hold consoles and results. Each exploited host is highlighted and can be used for further actions. Here we will perform a few steps to compromise a Linux host.
Step 1: Scanning
As you know, the first step in any attack is reconnaissance. Armitage integrates with Metasploit's scanning modules, so port and vulnerability scans can be run from within the tool. First let us scan with Nmap and import the results. The following command runs a full port scan of the lab network and writes XML output that Armitage can import:
nmap -p 1-65535 -T5 -A -v 172.16.146.0/24 -oX scan.xml
You can scan any address range; for testing purposes I am using my own lab network. You can import the Nmap XML results into Armitage, or use its built-in Nmap scanner. Now to the main part.
To view the results for a particular host, right-click the host and select Services. A tab like the one below lists the services found on the Linux host, grouped into name, port, proto and info columns.
Step 2: Simple Remote Exploitation
Metasploit ships hundreds of exploits, and it is not always obvious which one to use. Armitage helps by selecting candidate attacks itself: choose Attacks -> Find Attacks from the menu bar, and Armitage matches the discovered services against the exploit database and prompts you when it is done. From there you can carry on your pentest.
Right-click the target and you will see an Attack menu with sub-categories containing the matched exploits. Not all of them will work, but they are the best candidates.
From the services list we can see that a ProFTPD service is running on the target. Go to Attack -> ftp and select one of the ProFTPD exploits; a dialog appears for adjusting options. But wait: we also have to check the version, and here is the tricky part, the version running is not vulnerable to that exploit.
Let us try another way. Right-click the target and select Attack -> samba. The exploit we picked covers Samba versions 3.0.20 to 3.0.25, and the target is running Samba 3.x. Even without the exact version it is worth a shot, so let us launch it; no settings need changing.
If the exploit succeeds, the target turns red with lightning bolts around it. We have exploited the target. Now we can open a shell session, browse its files or use its resources.
The big advantage of Armitage is its automation, and that is also its biggest weakness: it sometimes produces false positives. Still, it is a resource we can use, and it proved helpful in the exercise above.
Logic bombs, Trojan horses & trap doors – programmers' getaways
Many enterprise companies are conscious about the privacy of their data and its movement among employees and customers. To reduce this exposure they often prefer to develop their own programs and applications instead of acquiring them from third-party vendors. That is where the programmer comes in, and with the programmer comes the insider risk.
Programmers who plant logic bombs or trap doors in their applications are rare, but the cases that do occur are serious. One of the first recorded cases dates from September 1987: a programmer named Donald Burleson, working at a Fort Worth based insurance company, was fired, allegedly for being quarrelsome and difficult to work with. After his termination, a logic bomb he had planted erased a large volume of the company's records from its systems.
Let us assume that Bob is a programmer who has written data management software for company XYZ, and the company has not yet arranged for independent maintenance or code review of it. If Bob plants a logic bomb in the code, he can copy data as it passes through the software, or make the software destroy itself or its data when some condition is met, such as a date passing or his own account being removed.
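Bob's bomb is a hidden condition guarding a destructive action, and that shape is what a code review or a static scan looks for. The following is an added example written for this article, not code from the original: a small heuristic over Python's AST that flags destructive calls placed under an if whose condition reads the clock. The list of destructive calls, the clock-related names and the sample program (with one honest housekeeping routine and one planted bomb) are this example's own constructions, and the check is deliberately simple: it shows the pattern a reviewer hunts for, not a complete defence.

```python
"""Spot date-triggered destructive code paths in Python source.

Added example; not from the original article. It models the "Bob" scenario:
a hidden condition in maintenance-free software that fires later. The
detector is a simple AST heuristic (assumption: the bomb is written in
Python and triggers on the clock), meant to show what a code-review scan
looks for rather than to be a complete defence.
"""
import ast
from typing import List

# Calls that destroy data or run arbitrary commands (constructed list).
DESTRUCTIVE_CALLS = {
    "os.remove", "os.unlink", "os.rmdir", "shutil.rmtree",
    "os.system", "subprocess.call", "subprocess.run", "subprocess.Popen",
}
# Names whose presence in an `if` test suggests a time or date trigger.
CLOCK_NAMES = {"datetime", "date", "time", "now", "today", "strftime"}

# Constructed sample: one honest housekeeping routine and one planted bomb.
SAMPLE_SOURCE = '''
import os, shutil, datetime, time

def rotate_logs(path, keep):
    # legitimate: deletes based on file count, not on the calendar
    files = sorted(os.listdir(path))
    for old in files[:-keep]:
        os.remove(os.path.join(path, old))

def sync_records(db):
    db.flush()
    if datetime.date.today() > datetime.date(2014, 1, 1):
        shutil.rmtree(db.root)          # the bomb: fires after the contract ends
    return db.count()

def heartbeat():
    time.sleep(1)
'''


def _dotted(node: ast.AST) -> str:
    """Render a call target like `shutil.rmtree` as a dotted string ('' if not a plain chain)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _mentions_clock(test: ast.AST) -> bool:
    """True if the `if` condition references any clock-related name."""
    return any(
        (isinstance(n, ast.Name) and n.id in CLOCK_NAMES)
        or (isinstance(n, ast.Attribute) and n.attr in CLOCK_NAMES)
        for n in ast.walk(test)
    )


def find_time_bombs(source: str) -> List[int]:
    """Return line numbers of destructive calls guarded by a clock-based `if`."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.If) or not _mentions_clock(node.test):
            continue
        for inner in node.body:
            for call in ast.walk(inner):
                if isinstance(call, ast.Call) and _dotted(call.func) in DESTRUCTIVE_CALLS:
                    hits.append(call.lineno)
    return sorted(set(hits))


if __name__ == "__main__":
    for line in find_time_bombs(SAMPLE_SOURCE):
        print(f"destructive call guarded by a date check at line {line}")
```

The legitimate rotate_logs() also deletes files but is not flagged, because its condition is about file count rather than the calendar; the planted branch in sync_records() is. A real review would extend the trigger list beyond the clock (user names, hostnames, licence checks) and follow calls through helper functions, but the question asked of each suspicious branch is the same: why does this code care about the date?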
Trap doors are similar to logic bombs in that they are hidden in the code, but rather than triggering damage they provide a hidden way in: a secret account, password or input sequence that bypasses the normal access checks and gives whoever knows it a way back into the system. Hidden triggers are sometimes also used defensively: for example, company XYZ ships premium software to its clients, and if someone tries to crack or modify the code, the software deletes itself.
A Trojan horse is not a standalone weakness in a program but malicious code disguised as, or attached to, a legitimate program. A Trojan can carry a keylogger, open a back door, or alter the program and the operating system to perform unintended functions. Unlike a virus or worm, a Trojan does not replicate itself; it relies on the user running it. Writing one does not require a professional programmer, only basic knowledge of a language such as C or Visual Basic. Additionally, a Trojan's signature can easily be altered, which is why signature-based antivirus programs have a hard time detecting it.
The threat from Trojans keeps growing, and the most we can do is improve our anti-Trojan software, and our own caution about what we run, in order to reduce their effect.
Drone Technology & Hacking
In this article we will discuss the possibility of intercepting the radio links that drones depend on. First, a short introduction to drones.
What are drones and how do they work? A drone's formal name is UAV (Unmanned Aerial Vehicle), which states the fact plainly: it is an aircraft with no pilot aboard, either controlled remotely or flying autonomously. Drones can be categorized and named in many ways, but they mainly fall into two classes: those used for monitoring and surveillance, and those that carry weapons. Drones were originally developed for reconnaissance, reporting back to their bases for various purposes, but after much research they were also designed to serve as strike aircraft.
A drone named Zephyr has managed to stay aloft for 82 hours non-stop. A drone can fly a mission autonomously once it is programmed: given the coordinates, it can fly there and carry out its task. Long-range drones are controlled indirectly via satellite. The main command center for these operations is at an Air Force base in the Nevada desert. Ground crews launch the drones from the conflict zone, then the operation is handed over to controllers sitting at video screens in specially designed trailers there. One person 'flies' the drone, another operates and monitors the cameras and sensors, and a third is in contact with the 'customers', the ground troops and commanders in the war zone. Armed drones were first used in the Balkans war; their use has escalated dramatically in Afghanistan, Iraq and in the CIA's undeclared war in Pakistan, and the flight time and efficiency of drones has increased by some 600 percent in a short period.
How can drones be hacked? Researchers have found several ways to interfere with drones. A drone's control interface is connected to its command center via a satellite link, so the drones must carry unique identifiers on that link (whether MAC-like or IP addresses is not publicly known). A separate dependency is the GPS receiver in the navigation system. GPS-based navigation was tested for robustness at the University of Texas and found vulnerable to a particular attack, GPS spoofing, which was then demonstrated against a live civilian drone on a test range.
The researchers were able to take control of the drone in midair. Let us look at how the attack works. The drone's GPS receiver computes its position from satellite signals that carry no authentication (civilian GPS is neither encrypted nor signed). The University of Texas team generated a counterfeit GPS signal and, at the same instant, overpowered the genuine one, so the drone computed a false position and steered itself where the attackers wanted while its autopilot believed it was on course. This is loosely similar to a deauthentication attack in Wi-Fi cracking: knock out the legitimate signal and substitute your own.
By 2020 the US government expects to have as many as 30,000 drones in US airspace for various purposes, but given that drones are vulnerable, it may want to give that a second thought.