Hacking – Tools – Robert Karamagi

We will discuss in brief some of famous tools that are widely used to prevent hacking and getting unauthorized access to a computer or network system.

NMAP

Nmap (Network Mapper) is a free and open-source security scanner, originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich), used to discover hosts and services on a computer network, thus building a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host(s) and then analyzes the responses.

Lyon is is a network security expert, open source programmer, writer, and hacker. He authored the open source Nmap Security Scanner and numerous books, web sites, and technical papers focusing on network security. Lyon is a founding member of the Honeynet Project and was Vice President of Computer Professionals for Social Responsibility.

The software provides a number of features for probing computer networks, including host discovery and service and operating-system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan. The Nmap user community continues to develop and refine the tool.

Nmap started as a Linux-only utility, but porting to Windows, Solaris, HP-UX, BSD variants (including macOS), AmigaOS, and IRIX have followed. Linux is the most popular platform, followed closely by Windows.

Nmap features include:

Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
Port scanning – Enumerating the open ports on target hosts.
Version detection – Interrogating network services on remote devices to determine application name and version number.
OS detection – Determining the operating system and hardware characteristics of network devices.
Scriptable interaction with the target – using Nmap Scripting Engine (NSE) and Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.

Typical uses of Nmap:

Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
Identifying open ports on a target host in preparation for auditing.
Network inventory, network mapping, maintenance and asset management.
Auditing the security of a network by identifying new servers.
Generating traffic to hosts on a network, response analysis and response time measurement.
Finding and exploiting vulnerabilities in a network.
DNS queries and subdomain search

Metasploit

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.

HD Moore is network security expert, open source programmer, and hacker. He is the developer of the Metasploit Framework, a penetration testing software suite, and the founder of the Metasploit Project.

He served as Chief Research Officer at Boston, MA based security firm Rapid7, a provider of security data and analytics software and cloud solutions. He remained the chief architect of the Metasploit Framework until his departure from Rapid7 in 2016. In Jan 2016, Moore announced his departure from Rapid7 to join a venture capital firm.

He has been referred to as “the industry’s most famous white hat hacker.”

The basic steps for exploiting a system using the Framework include:

Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
Optionally checking whether the intended target system is susceptible to the chosen exploit;
Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server);
Choosing the encoding technique so that hexadecimal opcodes known as “bad characters” are removed from the payload, these characters will cause the exploit to fail.
Executing the exploit.

This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.

Metasploit runs on Unix (including Linux and Mac OS X) and on Windows. The Metasploit Framework can be extended to use add-ons in multiple languages.

To choose an exploit and payload, some information about the target system is needed, such as operating system version and installed network services. This information can be gleaned with port scanning and OS fingerprinting tools such as Nmap. Vulnerability scanners such as Nexpose, Nessus, and OpenVAS can detect target system vulnerabilities. Metasploit can import vulnerability scanner data and compare the identified vulnerabilities to existing exploit modules for accurate exploitation.

Burp Suite

Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Web Security.

The tool has three editions. A Community Edition that can be downloaded free of charge, a Professional Edition and an Enterprise edition that can be purchased after a trial period. The Community edition has significantly reduced functionality. It was developed to provide a comprehensive solution for web application security checks. In addition to basic functionality, such as proxy server, scanner and intruder, the tool also contains more advanced options such as a spider, a repeater, a decoder, a comparer, an extender and a sequencer.

The company behind Burp suite has also developed a mobile application containing similar tools compatible with iOS 8 and above.

Creator of the Burp Suite, the leading toolkit for Web application security testing, and founder of PortSwigger Web Security, Dafydd Stuttard is an expert in Web security and is also the author of the popular book, “The Web Application Hacker’s Handbook.”

Stuttard believes an extra step in security is necessary for all communications. “Use Strict Transport Security. This helps protect against some SSL man-in-the-middle attacks,” said Stuttard.
When discussing one thing never to do, Stuttard jokes to never “assume a vulnerability isn’t dangerous because it doesn’t have a logo.”

HTTP Proxy – It operates as a web proxy server, and sits as a man-in-the-middle between the browser and destination web servers. This allows the interception, inspection and modification of the raw traffic passing in both directions.
Scanner – A web application security scanner, used for performing automated vulnerability scans of web applications.
Intruder – This tool can perform automated attacks on web applications. The tool offers a configurable algorithm that can generate malicious HTTP requests. The intruder tool can test and detect SQL Injections, Cross Site Scripting, parameter manipulation and vulnerabilities susceptible to brute-force attacks.
Spider – A tool for automatically crawling web applications. It can be used in conjunction with manual mapping techniques to speed up the process of mapping an application’s content and functionality.
Repeater – A simple tool that can be used to manually test an application. It can be used to modify requests to the server, resend them, and observe the results.
Decoder – A tool for transforming encoded data into its canonical form, or for transforming raw data into various encoded and hashed forms. It is capable of intelligently recognizing several encoding formats using heuristic techniques.
Comparer – A tool for performing a comparison (a visual “diff”) between any two items of data.
Extender – Allows the security tester to load Burp extensions, to extend Burp’s functionality using the security testers own or third-party code (BAppStore)
Sequencer – A tool for analyzing the quality of randomness in a sample of data items. It can be used to test an application’s session tokens or other important data items that are intended to be unpredictable, such as anti-CSRF tokens, password reset tokens, etc.

Angry IP Scanner

Angry IP scanner is a very fast IP address and port scanner.

It can scan IP addresses in any range as well as any their ports. It is cross-platform and lightweight. Not requiring any installations, it can be freely copied and used anywhere.

Angry IP scanner simply pings each IP address to check if it’s alive, then optionally it is resolving its hostname, determines the MAC address, scans ports, etc. The amount of gathered data about each host can be extended with plugins.

It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged in Windows user), favorite IP address ranges, web server detection, customizable openers, etc.

Scanning results can be saved to CSV, TXT, XML or IP-Port list files. With help of plugins, Angry IP Scanner can gather any information about scanned IPs. Anybody who can write Java code is able to write plugins and extend functionality of Angry IP Scanner.

Anton Keks is a software craftsman, co-founder of Codeborne, the only extreme programming shop in the region, frequent speaker at conferences, and a lecturer in Tallinn Technical University. He is also a strong believer in open-source software and agile development methodologies, author of a popular network tool – Angry IP Scanner, and a regular contributor to other open-source projects. Before founding Codeborne, Anton has led a team of developers of the award-winning internet-bank of Swedbank for 5 years, gradually introducing agile methods. During this time he has also co-founded Agile Estonia non-profit organization that organizes regular agile conferences in Estonia. During spare time he plays guitar, rides motorbike and travels to remote corners of the world.

Features

Scans local networks as well as Internet
IP Range, Random or file in any format
Exports results into many formats
Extensible with many data fetchers
Provides command-line interface
Over 23 million downloads
Free and open-source
Works on Windows, Mac and Linux
Installation not required

Cain & Abel

Cain and Abel is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain and Abel. Massimiliano Montoro is the mastermind behind Cain & AbelCain and maintains it with Sean Babcock.

Features

WEP cracking
Speeding up packet capture speed by wireless packet injection
Ability to record VoIP conversations
Decoding scrambled passwords
Calculating hashes
Traceroute
Revealing password boxes
Uncovering cached passwords
Dumping protected storage passwords
ARP spoofing
IP to MAC Address resolver
Network Password Sniffer
LSA secret dumper

Ability to crack:

LM & NTLM hashes
NTLMv2 hashes
Microsoft Cache hashes
Microsoft Windows PWL files
Cisco IOS – MD5 hashes
Cisco PIX – MD5 hashes
APOP – MD5 hashes
CRAM-MD5 MD5 hashes
OSPF – MD5 hashes
RIPv2 MD5 hashes
VRRP – HMAC hashes
Virtual Network Computing (VNC) Triple DES
MD2 hashes
MD4 hashes
MD5 hashes
SHA-1 hashes
SHA-2 hashes
RIPEMD-160 hashes
Kerberos 5 hashes
RADIUS shared key hashes
IKE PSK hashes
MSSQL hashes
MySQL hashes
Oracle and SIP hashes

Ettercap

Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its original developers later founded Hacking Team.

Ettercap works by putting the network interface into promiscuous mode and by ARP poisoning the target machines. Thereby it can act as a ‘man in the middle’ and unleash various attacks on the victims. Ettercap has plugin support so that the features can be extended by adding new plugins.

Ettercap supports active and passive dissection of many protocols (including ciphered ones) and provides many features for network and host analysis. Ettercap offers four modes of operation:

IP-based: packets are filtered based on IP source and destination.
MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.
ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).
PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).

In addition, the software also offers the following features:

Character injection into an established connection: characters can be injected into a server (emulating commands) or to a client (emulating replies) while maintaining a live connection.
SSH1 support: the sniffing of a username and password, and even the data of an SSH1 connection. Ettercap is the first software capable of sniffing an SSH connection in full duplex.
HTTPS support: the sniffing of HTTP SSL secured data—even when the connection is made through a proxy.
Remote traffic through a GRE tunnel: the sniffing of remote traffic through a GRE tunnel from a remote Cisco router, and perform a man-in-the-middle attack on it.
Plug-in support: creation of custom plugins using Ettercap’s API.
Password collectors for: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, MSN, YMSG
Packet filtering/dropping: setting up a filter that searches for a particular string (or hexadecimal sequence) in the TCP or UDP payload and replaces it with a custom string/sequence of choice, or drops the entire packet.
OS fingerprinting: determine the OS of the victim host and its network adapter.
Kill a connection: killing connections of choice from the connections-list.
Passive scanning of the LAN: retrieval of information about hosts on the LAN, their open ports, the version numbers of available services, the type of the host (gateway, router or simple PC) and estimated distances in number of hops.
Hijacking of DNS requests.

Ettercap also has the ability to actively or passively find other poisoners on the LAN.

OmniPeek

Omnipeek is a packet analyzer software tool from Savvius, a LiveAction company, for network troubleshooting and protocol analysis. It supports an application programming interface (API) for plugins.

Savvius (formerly WildPackets) was founded in 1990 as The AG Group by Mahboud Zabetian and Tim McCreery. They soon changed their name to WildPackets. The first product by Savvius was written for the Mac and called EtherPeek. It was a protocol analyzer for Ethernet networks. It was later ported to Microsoft Windows, which was released in 1997. In 2001, AiroPeek was released, which added support for wireless IEEE 802.11 (marketed with the Wi-Fi brand) networks. In 2003, the OmniEngine Distributed Capture Engine was released as software, and as a hardware network recorder appliance.

On the morning of July 15, 2002, Savvius’ building in Walnut Creek, California burnt to the ground. However, the company survived the fire.

Mid-April 2015, the company changed its name from WildPackets to Savvius and broadened its focus to include network security.

In June 2018, Savvius was acquired by LiveAction, a company that provides network performance management, visualization and analytics software.

Mr. Zabetian served as President and CEO of Savvius for 10 Years before taking the role of Chairman. Prior to founding Savvius, Inc., Mr. Zabetian held several different technical roles at Princeton University, Kinetics, Excelan, and Novell where he developed a number of network management, performance, and productivity tools including the EtherPeek program. He was also Founder and Chairman of Timestamp.com. Mr. Zabetian came to the U.S. from Iran and received his EECS degree from Princeton University with a special interest in computer networking.

Tim McCreery co-founded Savvius, Inc. as AG Group with Mahboud Zabetian in 1990. He has served in a variety of executive roles within the company and overseen its transition to WildPackets in 2000 and then Savvius in 2015. Tim’s 30 years of experience in the networking industry includes founder and president of Kinetics, a leading Macintosh networking company; founder and CEO of SilkStream, makers of network monitoring software; and VP of Marketing and Business Development at Excelan, a network equipment manufacturer. Tim has served on the boards of Clear Ink and Tut Systems and is currently on the board of Youth Homes, a non-profit agency serving at-risk foster care children in Contra Costa County, California.

Tim graduated from the University of California, Berkeley with bachelor’s degrees in Computer Science, Mathematics, and Psychology, and a Master’s degree in EECS.

Omnipeek has APIs on the front-end for automation, on the back-end for analysis, as well as other mechanisms to extend and enhance the program.

There are 40 plug-ins available for the Omnipeek Platform. These plug-ins range from logging extensions to full-blown applications that are hosted by OmniPeek.

Remote Adapters: provide a means to capture packets and stats. There are remote adapters to capture from RMON, NetFlow, SFlow, Cisco AP’s, Aruba AP’s, and Linux boxes. Adapters are available to aggregate packets from multiple network segments and wireless channels at the same time.

The most notable decoders are the protospecs and decoder files, which are interpreted text files that can be extended by the user to enhance the display and analysis of existing protocols, and add knowledge of completely new protocols, without releasing new versions of the application.

The plugin Wizards for the Omnipeek Console and the OmniEngine are Microsoft Visual Studio Project Templates that generate working plug-ins. When the wizard is run, a dialog appears providing options for types of functionality that sample code will be generated for. When the wizard is complete, the user is left with a working plugin with entry points for adding application logic. These plug-in wizards enable the development of extensions to Omnipeek.

The MyPeek Community Portal is a website dedicated to the extension of Omnipeek. It provides plug-ins, scripts, adapters, tools, and various levels of support for the plug-ins posted there, and expertise for those interested in extending Omnipeek themselves.

PlaceMap: is a freely available standalone Google Maps Packet sniffer application for Windows that captures network traffic and maps nodes to the Google Map. PlaceMap is a notable example of extensibility in that it uses exactly the same Google Map plugin that is also available for the Omnipeek, and is uses the peek driver API to capture packets.

Example Plugin

Google Map Plugin – map nodes to a Google Map
SQLFilter Plugin – save and query packets from a database
PeekPlayer Plugin – send packet an adapter or a capture window
PowerBar Plugin – write scripts that process packets
Decoder Plugin – decode packets
WatchMe Plugin – display web sites in real-time from URLs
Browser Plugin – construct and display web pages from packets
IM Plugin – display instant message screen names and chat
WebStats Plugin – collect and report web statistics
Remote TCPDump Adapter Plugin – stream packets from any machine with SSH and tcpdump
Cisco Remote Adapter Plugin – stream packets from Cisco Access Points
Aruba Remote Adapter Plugin – stream packets from Aruba Networks Air Monitors