
100% Latest & Updated ECCouncil CEH 312-50v11 Practice Test Questions, Exam Dumps & Verified Answers!
Download Free 312-50v11 Exam Questions
| File Name | Size | Download | Votes |
|---|---|---|---|
| eccouncil.braindumps.312-50v11.v2023-04-26.by.henry.217q.vce | 1.08 MB | 82 | 1 |
| eccouncil.certkiller.312-50v11.v2021-09-08.by.matthew.238q.vce | 302.45 KB | 676 | 1 |
| eccouncil.examcollection.312-50v11.v2021-08-10.by.bence.129q.vce | 164.64 KB | 689 | 1 |
| eccouncil.passcertification.312-50v11.v2021-04-30.by.elizabeth.181q.vce | 222.02 KB | 812 | 2 |
| eccouncil.braindumps.312-50v11.v2021-03-22.by.thomas.129q.vce | 163.1 KB | 848 | 2 |
ECCouncil 312-50v11 Practice Test Questions, ECCouncil 312-50v11 Exam Dumps
Examsnap's complete exam preparation package covers the ECCouncil 312-50v11 Practice Test Questions and answers, study guide, and video training course, all included in the premium bundle. ECCouncil 312-50v11 Exam Dumps and Practice Test Questions come in the VCE format to provide you with an exam testing environment and boost your confidence.
The second programme that we'll use for network mapping is Nmap. In the previous lecture, we used Netdiscover, and we've seen how nice it is to quickly discover all the devices connected to our network, see their MAC address, and maybe get the vendor. Nmap takes scanning to a whole new level. It might be a little bit slower than Netdiscover, but it will show you much more information about the target. So you'll be able to see the open ports, and you'll be able to see the running programmes or running services on these open ports. You'll be able to determine the computer name and the operating system running on that computer. If you're on a network, you'll be able to discover all of the connected clients. You'll be able to bypass security, bypass firewalls, and so much more. Nmap is actually a huge tool, and there are books and complete courses done just to teach Nmap. The Nmap book would actually be a really good read once you're done with this course. Because this tool is huge, we're not going to be able to cover all of its uses. But in this lecture, I'm going to show you the basics of this tool and how to use it to discover all the connected clients and see useful information about them. And we'll actually use it more when we get to the Gaining Access section.

We're actually going to be using Zenmap, which is the graphical user interface of Nmap. So to run it in Terminal, you just have to type zenmap, or you can find it under your Applications menu. Now, as you can see, it has a very, very simple interface. The first thing that we see is the target input box. Here you can put your target. You can scan any IP that you can reach, whether it's a personal computer, whether it's a server, whether it's an IP for a web server for a website, for example, if you want to discover all the open ports and all the running services on them. Or, like what we're going to do right now, we can put a range similar to what we did with Netdiscover, and it'll scan this whole range, discover all the live IPs of the connected machines on the same network, and display information about them. Now we'll have a look at how to scan servers in the Gaining Access section. So for now, since we are still in the network hacking section, we're going to use a range to discover all the connected clients and see useful information about them. So right now, I'm actually connected to my wireless network. That's why I'm going to specify the whole range on that network. And we've seen how to get that in the previous lecture. So it's 192.168.1.1/24.

At the bottom, you can see the command. This is actually the Nmap command that will be executed when I hit the scan button. So, like I said, Zenmap, what we're using right now, is just a graphical interface that will run this Nmap command in the background and show me the results. So if you know of a custom Nmap command, you can put it here. Or if you just want to see Nmap in Terminal, you can literally copy this command, paste it in Terminal, and it will give you the same results that you would get if you run it here. Alternatively, if you don't really know much about Nmap and its commands, you can use one of the ready profiles here. So in this lecture, we're actually going to be using a number of these profiles, and we'll see the difference between them in terms of speed and the information gathered.

So I'm going to start with the ping scan. This is a very quick scan. It literally just pings every possible IP in the range. And if it gets a response, it will record this response and it will show me the devices that gave me a response, which means that these are the devices connected to the network. A lot of devices do not respond to ping requests anymore, even if they are alive. So the list that you'll get in this scan might not include all the devices connected to your network. Now, once the scan is done, as you can see, we can see the list of all the connected devices here. And here, we can also see the MAC addresses for each of these devices. We can also see the vendor. So, for example, we can see that the device at 192.168.1.1 is a Cisco device. This is actually my router and it is made by Cisco. So this is correct. So we can begin looking for vulnerabilities in this device. The 192.168.1.10 is also an HTC device, as can be seen. And again, this is an HTC phone. This is correct. And since it's HTC, then we know that it's probably running on Android. So, as you can see, we're getting more information about the connected clients. Again, we can see that the 192.168.1.12 is an Apple device, so it could be a phone, a tablet, or a Mac. We can see the next device is a Dell. So again, it was a very quick scan, but as you can see, it still gave us much more information than what we got from Netdiscover.

The next scan that I want to show you is the Quick scan. Now, this is going to be slightly slower than the ping scan, but it's going to show us more information. So right now you can see that the scan is showing us the same information that we've seen before with the ping scan, but it's also showing us the open ports on each one of the discovered devices. So it's able to discover the following ports on the router, and we can see that port 80 is open. This is actually the port used for the router settings page because it runs on a web server. So this is correct again. We have our Apple device here that we said might be a phone, a computer, or a tablet, but we can see now it has port 22 open. So this is a port for a service called SSH, which is designed to allow remote access to the system it's running on. Again, if you go on all the other devices, you can see all the open ports and the services running on each one of these ports. Now, in the next lecture, we'll build on this. We'll see how to gather even more information, and you'll see how important information gathering is because we're going to use the gathered information to hack into an iPhone that is connected to the same network.
In the previous lecture, we had a quick look at Zenmap and how it can be used to gather information. So in this lecture we will build up on that. And the main scan that I want to show you right now is the Quick scan plus. This scan takes the Quick scan one step further. So first of all, it'll be slower, but it's going to show us even more information. So first we're going to be able to see the operating system running on the discovered devices. We will also be able to see the device type, whether it's a phone or a laptop or a router. And we'll be able to discover the programme and the programme version running on the discovered ports. So before, for example, we were able to discover port 80 was open, but we didn't know what programme was running on this port or what version of this programme. Getting the exact programme version is really helpful when we get to the Gaining Access section, and you'll see then how we can use that to exploit vulnerable services and gain full control over the computers that have these services installed.

Now straight away, when you look at the results, you'll see that we got much more information than all of the scans we ran so far. So the first thing you'll notice is the icons beside the IPs of the discovered devices. These icons represent the operating systems running on these devices. So right now we have the operating system for all of the connected devices, and now it's showing us the programmes running on each of the discovered ports and the versions of these programmes. So for example, if we look at the 192.168.1.12, the Apple device, on the last scan we knew that port 22 was open and we knew that SSH was running on it, but we didn't know what version of SSH was running. Right now we can see that it's running OpenSSH version 6.1. So we can go on Google and look for exploits and vulnerabilities in this specific version and we might actually find something. We'll actually talk more about that in the Gaining Access section.

Now if you look at the device type, you can see that it's a media device. It's a phone. So we knew it was an Apple device before, but we didn't know if it was a tablet, a phone, or a MacBook. Right now, we know that it is a phone. It's also discovered that it's running Apple iOS 4, 5, or 6. Now it's actually running a newer version of iOS. I'm not entirely sure, I think 9 or 10, but still, it's close enough. It's telling me that it's an Apple. It's telling me that it's a phone. It's running iOS. So this is really, really good. Now if we go to the next device here, the 192.168.1.1, this is a Linux device. And when we ran the Quick scan, we were able to identify port 80 and port 49152 as open. But again, we didn't know the programme running or the service version running on this port. So right now we know it's Apache httpd 2, and it's running on Ubuntu. So again, now we have the operating system and the exact version of the service that's running. So we can go and look for weaknesses and exploits in this specific version. And this port, we didn't even know what service was running on it. Right now we know it's a UPnP service and the server is Mediatone UPnP. We have the exact same version again. So again, we can go ahead and look for exploits in these specific versions, and if we discover any, we'll be able to gain full control of this computer. Again, if we go down to the 192.168.1.22 machine, we can see that it's running the Microsoft HTTPAPI on port 5357.

You can also browse the services. So from here on the left, if you click on Services, you'll be able to categorise the discovered clients based on the services. So if we click on HTTP, we'll see all the clients that have the HTTP service running. If you click on SSH, we can see the Apple device here. It's the only device that has the SSH service running.

So let me actually show you a quick and fun example. If we go back here to the hosts and go back to the Apple device, the 192.168.1.12, as I said, we know it's a phone, we know it's an Apple phone, and we know that it has an SSH service installed on it running on port 22. And we know that SSH is a service that allows you to remotely execute system commands on a computer that has the SSH service installed. Obviously, before you can use the service, you have to use a username and a password. Once you authenticate, it will allow you to execute system commands remotely on that computer or on that phone. By default, iOS devices do not have an SSH server. Usually, when you jailbreak the phone or device, it will automatically install an SSH server and the password for that server is set to Alpine by default. That's alpine. Now, since we know that this is an iPhone and it has port 22 open with an OpenSSH server, we know that this phone has been jailbroken. Now, since the phone is jailbroken, we know the password to log in to SSH is Alpine unless the user changed it. Most users do not even know about this, and even the ones that know about this, like myself, are too lazy to change it. So it's always worth a try. If you discover a phone like this on the same network, it's always worth a try to go and try to connect to it with the default password. So I'm just going to go to my terminal and I'm going to try to connect to this phone using SSH. So I'm going to type ssh root@192.168.1.12, where root is the username for the admin in Linux and 192.168.1.12 is the IP of the phone. I'm going to hit enter. It's asking me if I should trust this connection. I'm going to say yes. And now it's asking me for the password. And like I said, when the phone is jailbroken, the password is set to Alpine. So I'm going to type Alpine. I'm going to hit Enter. And as you can see, I logged in as root. So, right now, I have the highest phone privileges and can do whatever I want with the system.

And now we can use system commands to completely control the phone. Now this is a little bit ahead of time. We are still in the network hacking section, so don't worry too much about this. We'll talk more about it in the Gaining Access section. But it's just a quick example that I want to show you of how powerful information gathering is, because we literally did not exploit anything right here. We just relied on the information we gathered and were able to hack an iPhone that was connected to the same network as us. Now, like I said, Nmap is a huge tool. I highly recommend you go ahead and try the other profiles here. And like I said, once you're done with the course, I think the Nmap book would be a really, really good read. We'll also use Nmap much more in the Gaining Access section, and we'll see how we can use this information to gain full control over the computers, code execution vulnerabilities, and so on. But in this lecture, I just wanted to give you a quick overview, and we'll build up on this as we go through the course.
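As an added, defender-side example (not part of the course or of this page), here is a small Python parser for the greppable output that nmap writes with -oG. It turns a scan like the ones above into an asset inventory and lists the hosts that expose remote-access services, such as the SSH listener the lecture finds on the phone, which is exactly what a network owner would want to notice before anyone else does. The sample scan text, the versions in it, and the names parse_gnmap, flag_remote_access and inventory_lines are constructed for this example.

```python
"""Asset inventory from nmap's greppable (-oG) output, as a defender would keep
one: which host exposes which service and version, and which hosts expose
remote-access services that deserve a second look."""
import re
from dataclasses import dataclass, field

# Constructed sample in the -oG layout, modeled on the hosts the lecture walks
# through (router with HTTP and UPnP, an Apple phone with SSH, a Windows box
# with HTTPAPI). These are not real scan results.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.1.1/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http//Apache httpd 2/, 49152/open/tcp//upnp//UPnP server/\tIgnored State: closed (998)
Host: 192.168.1.12 ()\tStatus: Up
Host: 192.168.1.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.1/\tIgnored State: closed (999)
Host: 192.168.1.22 ()\tStatus: Up
Host: 192.168.1.22 ()\tPorts: 5357/open/tcp//http//Microsoft HTTPAPI httpd 2.0/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 10:02:00 2024 -- 256 IP addresses (3 hosts up) scanned
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str = ""
    services: list = field(default_factory=list)


_HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: Host} from greppable output. Each -oG host line is a
    tab-separated list of 'Key: value' fields; the Ports field holds
    comma-separated entries of the form
    port/state/protocol/owner/service/rpc-info/version/
    (nmap substitutes '|' for any '/' inside a field, so splitting on '/' is safe)."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_LINE.match(line)
        if not m:
            continue  # '# Nmap ...' banner and trailer lines
        ip, hostname = m.groups()
        host = hosts.setdefault(ip, Host(ip=ip, hostname=hostname))
        fields = {}
        for chunk in line.split("\t")[1:]:
            key, _, value = chunk.partition(": ")
            fields[key] = value
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            parts = (entry.split("/") + [""] * 7)[:7]  # pad short entries
            port, state, proto, _owner, name, _rpc, version = parts
            host.services.append(Service(int(port), proto, state, name, version))
    return hosts


# Service names (as nmap reports them) that grant an interactive remote session.
REMOTE_ACCESS = {"ssh", "telnet", "ms-wbt-server", "vnc"}


def flag_remote_access(hosts):
    """(ip, port, version) for every open remote-access service found."""
    return [(h.ip, s.port, s.version)
            for h in hosts.values() for s in h.services
            if s.state == "open" and s.name in REMOTE_ACCESS]


def inventory_lines(hosts):
    """Human-readable one-line-per-service summary of the scan."""
    return [f"{h.ip:<15} {s.port:>5}/{s.proto} {s.state:<6} {s.name:<10} {s.version}"
            for h in hosts.values() for s in h.services]


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(inventory_lines(inv)))
    for ip, port, ver in flag_remote_access(inv):
        print(f"review: {ip} exposes remote access on port {port} ({ver})")
```

Run against a real file with `parse_gnmap(open("scan.gnmap").read())`; the point of keeping the inventory is to diff it against the previous scan, so a new SSH listener on a phone or a version change on the router shows up as a change rather than being rediscovered by hand.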
Now, in this lecture and the next few lectures, I want to start talking about man-in-the-middle attacks. These are attacks that we can only launch if we are able to intercept the communication between two devices; hence the name "man in the middle" attacks. So normal communication would look like this, where the device is directly communicating with the entity that they want to communicate with. In a man-in-the-middle attack, the hacker would be able to place themselves in the middle of the connection, allowing them to intercept and see everything that is being transferred between the two devices. Now, there are a number of ways to achieve this. The first method that we'll cover in this course is using an ARP spoofing attack. ARP spoofing allows us to redirect the flow of packets. So instead of it flowing as shown in the diagram, it would flow through my own computer. So any requests sent and any responses received by the target computer will have to flow through the hacker's computer. This means that any messages, any websites, any images, any usernames and passwords entered by the target will have to flow through my computer. This allows me to read this, modify it, or drop it. So, as you can see, this is a very serious and very powerful attack. And the reason why it is possible is that ARP is not very secure.

Now, for us to understand how this works, you need to have a basic understanding of what ARP is. ARP stands for Address Resolution Protocol, and it's a very simple protocol that allows us to link IP addresses to MAC addresses. So, for example, let's say we have a network here. We have devices A, B, C and D. They are all connected to the same network, and we have the router here for this network. We can see that each device has an IP and a MAC address. And let's assume that device A needs to communicate with device C. Now, we're also going to assume that device A knows the IP of device C. But as we know so far, in order for these devices to communicate within the same network, device A needs to know the MAC address of device C. Because, like we said before, the communication inside the network is carried out using the MAC address and not the IP address. So this is a perfectly normal situation where we have a client that needs to know the MAC address of another client so that it can communicate with this client. So what does this client do? It uses the ARP protocol. What do I mean by that? Basically, it sends a broadcast message. As a result, it sends an ARP request to all clients on the network, asking who has 10.0.2.6. Now, all of these devices will ignore this packet except the one that has this IP address, which is 10.0.2.6, which is device C. So all the devices will not do anything. And the only device that will respond is device C, by sending an ARP response. In this response, device C is going to say, "I have 10.0.2.6, my MAC address is this MAC address." This way, device A will have the MAC address of device C, and now it will be able to communicate with device C and do whatever task it wanted to do initially. So all of this communication is facilitated using the ARP protocol.

Like I said, the ARP protocol is a very simple protocol. As you can see, all it has are requests and responses. And the whole point of it is that we can link IP addresses to MAC addresses or translate IP addresses to MAC addresses. So a device can send a request asking for a MAC address, and then the device that has the MAC address would respond with its MAC address. So each computer has an ARP table which links IP addresses on the same network to their MAC addresses. So if I go on the Kali machine and run arp -a, you can see my ARP table here. And as you can see, it's linking the router's IP to the router's MAC address. Now, if I go to the Windows machine and run my CMD and do arp -a, you'll see, again, it's linking the router's IP to its MAC address. So this machine, any time it needs to send any request to the Internet, will direct that request to this MAC address, the MAC address that's associated with the IP of the router, which is 10.0.2.1.

Now, this value here can be easily modified by exploiting the ARP protocol. So let me go back to my diagrams. And right here we have a diagram of a typical network. And you can see that normally, any device that's connected to the network, if it wants to send requests, it will send them to the router. The router will go and send that request to the Internet, wait for the response, and then forward the response to the device that requested it. So if the hacker or the victim or any other computer on the network wanted to send a request, they would send that request directly to the router. Now what we can do is we can exploit the ARP protocol and send two ARP responses, one to the gateway and one to the victim. We're going to tell the gateway that I am at the IP of the victim. So the access point will update its ARP table and will associate the IP of the target with my MAC address. We'll do the same with the victim. So we'll send it an ARP response. We're going to tell it that I am at 10.0.2.1. So it's going to update its ARP table and associate the IP of 10.0.2.1 with my own MAC address. So the result of this is that the victim is going to think that I am the router and the router is going to think that I am the victim. So any time the victim wants to send any requests, the requests will have to flow through my computer, and I'm going to forward them to the router. And then any time the access point or the router wants to send responses, they're going to go to my machine because it thinks that I am the victim, and then I'm going to forward it to the victim. So as you can see, this puts me in the middle of the connection, and it gives me so much power, and we'll see all the things that we can do once we become the man in the middle.

Now, the main reason why we can do all of this is that ARP is not secure. Because, first of all, clients can accept responses even if they did not send a request. So as I said before, we're going to send a response to the access point and a response to the victim telling them that I am at a specific IP without them asking who I am, or without them asking for this IP. I'm just going to send a response, and they're going to accept that response anyway. Not only that, but they're also not going to verify who I am. So when I say that I am at 10.0.2.7, I am clearly not at that IP, because this computer is at this IP. But the access point will trust this, and it'll actually update its ARP table based on the information that I send. The same goes for the victim. I'm going to tell it that I am at 10.0.2.1. It's going to trust and believe this, even though I am clearly not at this IP, because the access point is at this IP. So these are the two major flaws in the ARP protocol that allow us to conduct ARP spoofing attacks.
Now that we know how ARP spoofing works, let's see how we can run this attack and redirect the flow of data so it flows through our device. This will allow us to intercept data and see everything sent to and from a target computer, including usernames, passwords, and so on. Now, there are a number of tools that can be used to run an ARP spoofing attack. You can even build your own tool, and I covered this in my Python programming course. But in this lecture, I want to show you how to use a very simple yet reliable tool called arpspoof. Then in the next lectures, we'll use an app called Bettercap because it has more features. Basically, the main reason why I want to cover arpspoof in this lecture is that it is a very simple tool, but it's very reliable. It's also been ported to many operating systems, including iOS and Android. Therefore, if you learn how to use it, you'll be able to use this tool on all of the other operating systems. So, you can only use this tool to redirect the flow of data and make it flow through your computer. And then you'll have to use another tool, like a packet sniffer such as Wireshark, to analyse this data and do more stuff with it. And we'll cover all of this later on in the course.

Using arpspoof is very simple. First we're going to have to type the name, so it's arpspoof. Then we're going to use -i to specify the interface that is connected to the target network. And in my case, it's eth0 because that's the interface that's connected to the network. So if I do ifconfig, you'll see that eth0 is the interface that's connected. Now, as you can see, I'm going to be running this attack against my virtual NAT network. You can run this attack against any type of network, even WiFi networks, and I will cover that later on in the course. But for now, just until you properly understand how this works, I highly recommend you do what I'm doing right now and test the attack against the virtual NAT network. So all you'll have to do is make sure the Kali machine and the target Windows machine are both configured to use the same NAT network.

So we're going to use -t to specify the target. And my target is at 10.0.2.7. As you can see here, that's the IP of my target. And I'm going to have to give it the IP of the gateway, which is at 10.0.2.1, as you can see here. Now, this will spoof the target, telling him that I am the router. We will also need to run this command once more here. So I'm going to clear the screen and again I'm going to do arpspoof -i eth0. And the target this time is going to be 10.0.2.1, and then 10.0.2.7. So right now we're going to be telling the router that I am the victim. So the first one will fool the victim, the second one will fool the router. Now, keep in mind that this attack will work against both Ethernet and WiFi or wireless networks. I'm running it right now against a virtual network that acts as an Ethernet or a wired network. But the attack can be executed exactly the same way against wireless networks. All you have to do is connect a wireless adapter to the Kali machine, connect the adapter to the target network and use it. So the same concept as the network scanner applies. You need to have a wireless adapter that works well with Kali, and you need to have that adapter connected to Kali and connected to the target network.

So I'm going to hit enter here and I'm going to hit enter here. And now, if we go to the target machine and run the same command, arp -a, you're going to see that the MAC address now for the router is different than what it was. And this is actually the MAC address of the Kali machine. So right now, this Windows machine thinks the router is at this MAC address. And every time it needs to send requests, it will send them to this MAC address, which means that they will be sent to this computer right here. Now, this computer is not a router, so when it gets requests, it's actually going to stop them from flowing and going to the router. This is a security feature in Linux. So you need to enable port forwarding so that this computer will allow packets to flow through it just like a router. Now, to enable port forwarding, we're going to do echo 1 > /proc/sys/net/ipv4/ip_forward. And as you can see, this command gets executed with no issues. And right now, this computer still has Internet access. So we can go and browse any website we want. But all these requests are not going directly to the router, but they are going to this computer first, and then this computer forwards them to the router, as shown in this diagram. And then when the responses come back, they go to the hacker first, and then they go to the victim. So, as you can see, a very simple tool. It allows us to redirect the flow of data so it flows through our computer, allowing us to become the man in the middle. And once we're the man in the middle, we can inject code into the browser of the target. We can steal usernames and passwords, see all the information that the person sends and receives, replace downloaded files with Trojans, and much, much more.
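As an added example (not part of the course or of this page), the following Python monitor turns the two ARP weaknesses described in the lectures above into detection logic a network defender could run over a packet capture: it flags replies that arrive without a matching request, bindings that change for an IP already in the table, and a single MAC that answers for several IPs, which is what the gateway-plus-victim spoof in the previous lecture looks like on the wire. ArpMonitor, ArpPacket, run_monitor, the packet list and every MAC address are constructed for this example; only the IP addresses follow the lecture's 10.0.2.0/24 lab network.

```python
"""Passive ARP-spoofing detector built around the two weaknesses the lecture
names: hosts accept ARP replies they never asked for, and they never verify
the IP-to-MAC binding a reply claims. The monitor replays ARP packets, keeps
a table of bindings (optionally seeded with trusted ones such as the gateway),
and raises an alert on an unsolicited reply, on a binding that changes, or on
one MAC claiming to be several hosts. Packets below are constructed for the
example; on a live host they would come from a capture."""
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes


@dataclass(frozen=True)
class ArpPacket:
    t: float          # seconds since capture start
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    def __init__(self, trusted=None, request_window=2.0):
        self.table = dict(trusted or {})   # ip -> mac, seeded with known-good bindings
        self.pending = {}                  # ip we asked about -> time of the request
        self.window = request_window       # seconds a reply may lag its request
        self.alerts = []

    def feed(self, pkt):
        if pkt.op == ARP_REQUEST:
            self.pending[pkt.target_ip] = pkt.t
            self._learn(pkt)               # a request also carries the sender's binding
        elif pkt.op == ARP_REPLY:
            asked = self.pending.pop(pkt.sender_ip, None)
            if asked is None or pkt.t - asked > self.window:
                # Weakness 1: a reply nobody on this host asked for.
                self.alerts.append(("unsolicited-reply", pkt.sender_ip, pkt.sender_mac))
            self._learn(pkt)

    def _learn(self, pkt):
        known = self.table.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            # Weakness 2: an unverified claim that an IP moved to another MAC.
            # Keep the existing binding instead of overwriting it as an OS would.
            self.alerts.append(("binding-changed", pkt.sender_ip, known, pkt.sender_mac))
            return
        self.table[pkt.sender_ip] = pkt.sender_mac
        claimed = sorted(ip for ip, mac in self.table.items() if mac == pkt.sender_mac)
        if len(claimed) > 1:
            # One MAC answering for several IPs is the shape of a host sitting
            # between two parties and impersonating both.
            self.alerts.append(("mac-claims-multiple-ips", pkt.sender_mac, tuple(claimed)))


def run_monitor(packets, trusted=None):
    """Replay packets in time order through a fresh monitor and return it."""
    mon = ArpMonitor(trusted)
    for pkt in sorted(packets, key=lambda p: p.t):
        mon.feed(pkt)
    return mon


# Constructed scenario using the lecture's addresses: gateway 10.0.2.1, victim
# 10.0.2.7, and a third host 10.0.2.5 that later answers for both of them.
# The MAC addresses are made up for the example.
GATEWAY_MAC, VICTIM_MAC, THIRD_MAC = "02:00:00:00:00:01", "02:00:00:00:00:07", "02:00:00:00:00:05"
SAMPLE_PACKETS = [
    ArpPacket(0.0, ARP_REQUEST, "10.0.2.5", THIRD_MAC, "10.0.2.1"),   # normal lookup
    ArpPacket(0.1, ARP_REPLY,   "10.0.2.1", GATEWAY_MAC, "10.0.2.5"),
    ArpPacket(0.5, ARP_REQUEST, "10.0.2.7", VICTIM_MAC, "10.0.2.1"),  # victim's own lookup
    ArpPacket(0.6, ARP_REPLY,   "10.0.2.1", GATEWAY_MAC, "10.0.2.7"),
    ArpPacket(5.0, ARP_REPLY,   "10.0.2.1", THIRD_MAC, "10.0.2.7"),   # "I am the router"
    ArpPacket(5.0, ARP_REPLY,   "10.0.2.7", THIRD_MAC, "10.0.2.1"),   # "I am the victim"
    ArpPacket(5.1, ARP_REPLY,   "10.0.2.9", THIRD_MAC, "10.0.2.7"),   # a host nobody knew yet
]

if __name__ == "__main__":
    mon = run_monitor(SAMPLE_PACKETS, trusted={"10.0.2.1": GATEWAY_MAC})
    for alert in mon.alerts:
        print(alert)
```

On a real host the packets would come from a capture, for instance scapy's `sniff(filter="arp")`, mapping each packet's ARP layer fields op, psrc, hwsrc and pdst onto ArpPacket. Seeding the table with the gateway's real MAC is the important design choice: it is the same idea as a static ARP entry, and it lets the monitor keep the trusted binding when a later reply claims the gateway moved.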
ExamSnap's ECCouncil 312-50v11 Practice Test Questions and Exam Dumps, study guide, and video training course are included in the premium bundle. The exam updates are monitored by industry-leading IT trainers with over 15 years of experience, and the ECCouncil 312-50v11 Exam Dumps and Practice Test Questions cover all the exam objectives to make sure you pass your exam easily.