
Friday, February 19, 2010

Certified Ethical Hacker 6

Common passwords are:
-root
-administrator
-admin
-operator
-demo
-test
-webmaster
-backup
-guest
-trial
-member
-public
-private

Password guessing can be done with automated tools. Tools like WebCracker take a dictionary list and attempt web logon attacks with it; an HTTP 302 Object Moved response indicates that a guess was successful. Similarly, Brutus can do a dictionary attack, but it can also fall back to brute force after exhausting the dictionary list.

You can generate your own dictionary file using Dictionary Maker.

The query strings of HTTP requests can be modified (recall x-www-form-urlencoded). A lot of cookies also store prices or other information, and their values can likewise be altered with programs like Cookie Spy SE. SnadBoy's Revelation can reveal passwords hidden behind asterisks, as Cain and Abel can.

SQL injection is the process whereby an attacker manipulates an input field (e.g. a user name field or a password field) to inject valid SQL code and cause damage. For example, we can shut down a server. If the logic is poorly coded, we can use something as simple as "1=1" to make the condition always evaluate to true. If the search uses "like" instead of "=", we can use wildcard characters like %.

To shut down an SQL server, we can inject in the user name field:
';shutdown with nowait;--

The shutdown command can be replaced with inserts, updates, drops, alters, or literally any other valid SQL command.

MSSQL has extended stored procedures that can cause harm to the server. For example, we can call the following to reset the server:
';exec master..xp_cmdshell'iisreset';--
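To make the concatenation problem concrete, here is an added Python/sqlite3 example (not from the original post or the CEH material): a login check built by string formatting beside a parameterised one, plus the "like" wildcard case mentioned above. The table, user names and passwords are constructed sample data.

```python
import sqlite3

# Constructed in-memory user table (sample data, not from the original post).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, name, password):
    # The statement is built by string formatting, so the user name field is
    # interpreted as SQL: a quote, "1=1" and a comment marker rewrite the WHERE.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in db.execute(sql)]

def login_safe(db, name, password):
    # Parameterised query: the driver binds the values as data, never as SQL,
    # so the same crafted input is compared literally and matches no row.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]

def search_vulnerable(db, prefix):
    # Parameters stop injection, but LIKE still honours % and _ inside the
    # bound value, so a user who types "%" matches every row.
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, (prefix + "%",))]

def search_safe(db, prefix):
    # Escape the user's wildcards and declare the escape character, so only
    # the wildcard we append ourselves is interpreted as a pattern.
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, (escaped + "%",))]
```

Note that sqlite3's execute() runs only one statement per call and raises an error on a stacked command, so the post's `';shutdown ...;--` style payload depends on a driver that accepts multiple statements; disabling that is itself a useful mitigation.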

IEEE's 802.11 working group defines WLAN standards. There are currently 4 varieties:
-802.11b: 2.4GHz to 2.2835GHz (used typically by wireless phones and other peripherals), 11Mbps.
-802.11a: 5.15-3.35GHz to 5.725-5.825GHz, 54Mbps.
-802.11g: 2.4GHz to 2.2835GHz, 54Mbps.
-802.11n: 2.4GHz, 3.6GHz and 5GHz, 150Mbps.

WLANs are identified by an SSID. SSIDs are nothing but alphanumeric strings that differentiate networks. Channels 1 through 11 are usable, but the only non-overlapping (clean) channels are 1, 6, and 11. Clients use the SSID to join and stay on a network. The SSID is not a security feature, and hiding it does not help much, because any communication between a legitimate client and the access point reveals the SSID to anyone sniffing the traffic.

WEP is a component of 802.11. It stands for Wired Equivalent Privacy. It is layer 2 encryption intended to prevent eavesdropping. Capturing a long run of WEP packets allows an attacker to recover the key; programs like AirSnort do this automatically.

Even with WEP encryption, MAC addresses are sent in the clear and can be sniffed, so it is easy for an attacker to impersonate a legitimate client through MAC spoofing. Attackers also set up rogue access points near the target in the hope that someone authenticates to or connects to them.

WLANs are very vulnerable to RF DoS attacks. RF jamming is very easy to do, but it is illegal.

Network audit tools like NetStumbler show the signal strength, SSID, and other information about every access point they detect. Other audit tools include Airopeek and Kismet. Moving around with such tools to discover access points is known as War Driving.

Here's a video on War Driving and Social Engineering.

To learn more about Social Engineering, pick up the book The Art of Deception, by Kevin Mitnick.
