Reconnaissance and Footprinting

Reconnaissance and footprinting make up the first phase of the ethical hacking process. Although this phase does not involve breaking into a network or system, it is still fun and quite possibly the most important. I will discuss some of the tools and techniques I use for actively and passively footprinting a target during the reconnaissance phase of a penetration test. Of course, this will be very high level and not inclusive of all the techniques used to recon and footprint a target.

Scan and Fix Unquoted Service Path Vulnerability with PowerShell

As many security experts and system administrators are aware, Microsoft has really dropped the ball on addressing a decade-old flaw in the way the Windows API handles unquoted service paths. What amazes me is how prevalent this issue still is and how easy it is for any common script kiddie to elevate privileges and gain a foothold on your system. I will discuss the vulnerability and how I scanned for and remediated vulnerable systems using Windows PowerShell.

Part I: PowerShell Multithreading: Asynchronous Network and Host Discovery Scanner

Part I of my Get-SecNetMap "Mini-Module": Get-SecNetMap (this post), Get-SecPortScan, Get-SecIPRange, Convert-SecIPAddress, Get-SecArpTable.

A Quick Word about PowerShell + Multithreading

At the time of this post, it has been just over a year since I started using PowerShell as my "go-to" scripting language. As my skills developed and my scripts became more robust, I now see that what has been lacking in my PowerShell journey was true performance measurement.

Part II: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner

Part II of my Get-SecNetMap "Mini-Module": Get-SecNetMap, Get-SecPortScan (this post), Get-SecIPRange, Convert-SecIPAddress, Get-SecArpTable.

You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip

Get-SecPortScan

Get-SecPortScan is unique in that it can scan a target host for many ports at once. This is done by using .NET runspaces in PowerShell. The script targets a host and opens many asynchronous TCP socket connections to various ports, either specified by the user or taken from a default list of top ports.

Part III: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner

Part III of my Get-SecNetMap "Mini-Module": Get-SecNetMap, Get-SecPortScan, Get-SecIPRange (this post), Convert-SecIPAddress, Get-SecArpTable.

You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip

Get-SecIPRange

Get-SecIPRange is designed to enumerate all IP addresses within a given range. I have intentionally coded this to support a maximum range of 65534 addresses (a /16 CIDR block) because, seriously, who needs to scan a range larger than that? Anyway, this function loops through only the third and fourth octets of an IP address range to determine each address in the range for scanning.

Part IV: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner

Part IV of my Get-SecNetMap "Mini-Module": Get-SecNetMap, Get-SecPortScan, Get-SecIPRange, Convert-SecIPAddress (this post), Get-SecArpTable.

You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip

Convert-SecIPAddress

The Convert-SecIPAddress function is actually pretty cool. I was able to use mathematics learned from my undergraduate cryptography courses to convert an IP address to an integer and vice versa. It is performance optimized and has support for long integers, which is where most of the errors I had during development were.

Part V: PowerShell Multithreading – Asynchronous Network and Host Discovery Scanner

Part V of my Get-SecNetMap "Mini-Module": Get-SecNetMap, Get-SecPortScan, Get-SecIPRange, Convert-SecIPAddress, Get-SecArpTable (this post).

You can download the module source files here: http://securekomodo.net/files/Get-SecNetMap.zip

Get-SecArpTable

Get-SecArpTable is more or less a wrapper around the already existing executable ARP.exe. The only issue with simply calling ARP.exe in your scripts is that the output is all strings. This function is designed to parse the output of the ARP table and return a PSObject so that it can be used more easily in scripts and other functions.

Hacking WPA / WPA2 Encrypted Networks

Before we begin

The methods and tools used in this WPA / WPA2 hacking tutorial can be used without any previous knowledge; however, it is best for the attacker to have an understanding of what is going on behind the scenes. My job with this tutorial is to break down each step of the attack process and explain it in a simplified manner. Assuming that the reader of this guide has no previous knowledge of hacking, Linux, or network security, I will take it slow (one step at a time).

DroidSheep

Method of Attack: ARP Poisoning/Spoofing
Tools Required: Android device with ROOT access, DroidSheep APK, a wireless network
Time to Complete: Less than 10 minutes
The app can be downloaded at: http://www.box.com/s/ipsluzrbotp6is01aj2b

I am going to give a simple but effective demonstration of how an internet session can be hijacked over a wireless network using an Android smartphone. This is just one of many ways to perform an ARP spoofing attack, but I wanted to show just how trivial this technique has become, and how to better protect yourself from malicious attacks.