Dictionary attack For Cracking passwords using Cain and Abel

Dictionary attack

From Wikipedia: “A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values). In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit. However these are easy to defeat. Adding a single random character in the middle can make dictionary attacks untenable.”

Cracking passwords by Dictionary attack using Cain and Abel:

To perform dictionary attack for cracking passwords by using cain and abel first you will import the NTLM hashes. Then in cracker tab you find all imported username and hashes. Select desired user and follow the steps

Right click on the user
Select dictionary attack
NTLM hashes
New window will be popup
1. Right click on top blank area.
2. Add to list
3. Browse dictionary or wordlist file
Click on the start

it checks all the entries into dictionary when hashes matched it will stop the attack. You will find your result. If pass phrase is not into dictionary then you will be unable.

Nessus scan policies and report Tutorial for beginner

MODULE 5:- Scanning Network and Vulnerability

Getting Start Nessus Scan and finding Vulnerability

When you have finished installation and configuration of Nessus How to Install Nessus on Kali Linux 2.0, then you have ready to scan and finding vulnerability of local, network, window and Linux machine. In this note I will guide you to find vulnerability of network and system step by step.

Getting Start finding Local Vulnerability by Nessus

Local vulnerability depends on what system you are using local if you are using windows operating system then you will find windows vulnerability and if you are using Linux operating system then you will find vulnerability of linux.

How to Nessus scan policies and report

Let’s start the process of find out Kali Linux vulnerabilities with Nessus by opening the Iceweacel web browser:

Open Nessus at http://127.0.0.1:8834. And login with credential.
Click on the Policies on the bar at the bottom.
Click on New Policy button at the left side bar.
Select desired templates. In policy wizard has following Scanner templates:

Advanced Scan: Scan template for users who want total control of their policy configuration.

Audit Cloud Infrastructure: For users who want to audit the configuration of cloud-based services such as Amazon Web Services (AWS) and Salesforce.com.

Bash Shellshock Detection: Remote and credentialed checks for the Bash Shellshock vulnerability.

Basic Network Scan: For users scanning internal or external hosts.

Credentialed Patch Audit: Log in to systems and enumerate missing software updates.

GHOST (glibc) Detection: Credentialed checks for the GHOST vulnerability.

Host Discovery: Identifies live hosts and open ports.

Internal PCI Network Scan: For administrators preparing for a Payment Card Industry Data Security Standards (PCI DSS) compliance audit of their internal networks.

Mobile Device Scan: For users of Apple Profile Manager, ADSI, MobileIron, or Good MDM.

Offline Config Audit: Upload and audit the config file of a network device.

PCI Quarterly External Scan: An approved policy for quarterly external scanning required by PCI. This is offered on Nessus Enterprise Cloud only.

Policy Compliance Auditing Audit system configurations against a known baseline provided by the user.

SCAP Compliance Audit: Audit systems using Security Content Automation Protocol (SCAP) content.

Web Application Tests: For users performing generic web application scans.

Windows Malware Scan: For users searching for malware on Windows systems.

Policy Settings: Every policy has five sections under settings:

Basics
Discovery
Assessment
Report
Advanced

These sections allow user to make changes in the policy setting and refine the settings.

Basics: Basic section has two parts

General : There are two section instide the general section:
- Name: Provide the policy name like “Local vulnerability scan”
- Description: Here user can provide the description about the policy
Permission : In this section there are two option:
- Private : this policy is used only by you.
- Share: This policy is available for other users.

Discovery section: This section under policy settings control the following option used by policy.
1. Host discovery
2. Port scanning.
3. Service Discovery.
Assessment: Under this section User configure “Web Application scanning” setting and SMB enumeration perform if required. If the “scan web application” is not enabled these option will not visible.
Report: as the name of this policy shows, that this section is used to configures the appereance of scan report and where It will be show and deliver after complete scan.
Advance: The Advanced section allows configuration of more advanced features, such as performance settings, additional checks, and logging features.

As you see there are two tab on top side one is setting and another is credential about setting I have described everything. Next, describe about credential tab

Policy Credentials: Nessus is very effective scanner against vulnerability, checked large veriety of vulnerability, which could be exploited remotely. For remote scanning, nessus log into the system and check for vulnerability on targeted host. Following type of credential are required for policy.

Cloud Services, which includes Amazon Web Services (AWS) and Salesforce.com
Database, this section used to give the information about Username, password, Databse type which includes Oracle, MySQL, DB2, PostgreSQL, and SQL Server, Databse port, Authentication type, and SID. This is also include MongoDB Databse.
Host, which includes Windows logins, SSH, and SNMPv3
Mobile Device Management
Patch Management servers
VMware, Red Hat Enterprise Virtualization (RHEV), IBM iSeries, Palo Alto Networks PAN-OS, and directory services (ADSI and X.509)
Plaintext authentication mechanism including FTP, HTTP, POP3, and other services

When you enter all the required field then save the policy. Policy has been saved you can use at the time of Scan.

SCAN After creating the policy next step to create a New scan.

Creating, launching and Scheduling Scan

At the top near policies you will find another option scan click on scan and in the left side bar you find New Scan button click on it, you can create new policy, scanner templates, or you can select user created policies that you have created earlier.

There are three sections under scan setting

General :
1. Name : Provide any name for scan to remember later.
2. Description: Enter the short description about scan
3. Folder: My scanner by default
4. Scanner: Type of scanner local or remote
5. Targets: most important section, targets. You can enter single IP addres (192.168.1.10) or hostname (Kali System) or enter multiple target at time every targets should be separated by comma example ( 192.168.1.10, 192.168.1.14, 192.168.1.28, 192.168.1.36,test.com), or you can provide entire network for scan (192.168.1..0/24)
6. Upload Targets: In this section you can upload file consist targets list.
Schedule: you scan schedule your scan to perform scanning time to time, by default it is disabled so enable it. Once enabled you can find out following options;
1. Launch: you can select you launch option once, daily, weekly, monthly or yearly.
2. Starts on: Select here start scanning data and time
3. Time zone: Select time Zone
4. Summary: summary will be display
Email Notification: Here you should enter the email address single or multiple where you want to send notification. To proper work of this section your SMTP should be configure.

Scan Results and Reports

Nessus allow user to view the scan results and generate reports

View Scan Result : Scan results are displayed with name of scan, and date of last scan. When you click on the completed scan you will find the results. Above the scan results, there are four buttons for working with the scan result:

Configure Navigates you back to the scan settings.

Audit Trail Pulls up the audit trail dialogue. Audit trails are covered later in this section.

Launch Pulls up two choices to launch a scan: Default and Custom. The custom option allows you to define different targets for the scan, where default will run the scan with the predefined targets.

Export Allows you to save the scan result in one of four formats: Nessus (.nessus), HTML, CSV, or Nessus DB. Exporting scan results is covered later in this section.

Here Nessus allow user to export and download the report in five formats nessus, pdf, html, CSV and Nessus DB.

For example if you want to download report in PDF format click on export then PDF, New window will be popup there are two option select Executive summary for default and custom for changes. Click in the export. Download will be ready save the file. And Analyze the report

How to Install Nessus on Kali Linux 2.0 step by step

MODULE 5:- Scanning Network and Vulnerability

How to Install Nessus on Kali Linux 2.0

Hello friends, Welcome again !

We are studying of Penetration Testing Tutorial This article will cover how to downlad, install, activate and access web interface of Nessus on kali Linux. This post is origin How to Install Nessus on Kali Linux 2.0 Move forward and start your tutorial. In previous post you have completed Nessus Vulnerability Scanner Tutorial If you did not read, please read it.

Step 1: Access activation code and Download Nessus for Kali Linux 2.0

Now as you know Nessus is pwerfull vulnerability scanner tool, And we are using kali linux for penetration testing. If you think, Is it not installed Kali Linux? Yes, Nessus is not inbuilt in Kali Linux so if you want to take test of Nessus just go on this link https://www.tenable.com/products/nessus-home

And Fill the form and register yourself for activation. When you finished you will be redirect on Nessus downloading page. Click download button you will be there for downloading, just Click on Linux Menu will be open click on Debian option for Kali Linux. Agreement window will be appear, read terms and condition carefully and accept and save file

Step 2: Installation of Nessus on Kali Linux 2.0:

By default Nessus file is downloaded in the Download directory so first go inside the Download directory and run following command to install Nessus on Kali Linux.

#cd Downloads/

#dpkg -i Nessus_package.deb

And after complete installation run another command to start service.

#/etc/init.d/nessusd start

Step 3: Accessing Web Interface of Nessus:

Nessus provide web interface for work, it can be accessed with Iceweasel browser by making https connection. Iceweasel browser does not have ssl certificate you will get untrusted connection error, you can resolve this error to add this site as exception. https://locatlhost:8834 or https://192.168.0.102:8834

Nessus Vulnerability Scanner Tutorial For beginner

MODULE 5:- Scanning Network and Vulnerability

Hello Friends, Welcome again !

You are here to study of Penetration Testing Tutorial Nessus vulnerability scanner is a part of Scanning This Article will cover what is vulnerability, what is nessus, and key features includes in Nessus. We will cover full nessus vulnerability scanner tutorial in next two posts. How to Install Nessus on Kali Linux 2.0 and

What is Vulnerability?

Vulnerability is loop holes and weakness in computer Security, which allow attacker (hacker) to get into the System and reduce a System’s information assurance. There are three flaws of vulnerability:

System suspicious flaw.
Attacker find out vulnerability.
Attacker exploit System by this vulnerability a very critical flaw.

It is also known as security bugs. Computer users and network personnel can protect computer systems from vulnerabilities by keeping software security patches up to date. These patches can remedy flaws or security holes that were found in the initial release. Computer and network personnel should also stay informed about current vulnerabilities in the software they use and seek out ways to protect against them.

More Detail : http://en.wikipedia.org/wiki/Vulnerability_(computing)

What is Nessus Vulnerability Scanner?

Nessus is one of the most popular an capable vulnerability scanner, available for Linux, Microsoft Windows, Mac Os X, FreeBSD, GPG Keys.

Nessus is the most trusted vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, use wizards to easily and quickly create policies, schedule scans and send results via email. Nessus supports more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure.

Key features include:

High-Speed Asset Discovery
Vulnerability Assessment
Malware/Botnet Detection
Configuration & Compliance Auditing
Scanning & Auditing of Virtualized & Cloud Platforms

The Home edition of Nessus is available free of cost for students and small organization. Nessus® Home allows you to scan your personal home network (up to 16 IP addresses per scanner) with the same high-speed, in-depth assessments and agentless scanning convenience that Nessus subscribers enjoy. Enterprises version available as trail for 7 days.

For More detail visit: http://www.tenable.com/

Video Tutorial: https://www.youtube.com/user/tenablesecurity

Secure Socket Layer SSL analysis with sslstrip in Kali Linux

MODULE 6:- Enumeration

Secure Socket Layer SSL analysis with sslstrip in Kali Linux

SNMP Enumeration Kali by snmpwalk tool and snmpenum

nbtscan and nmap “nbtstat -s” For SMB scanning

What is SSL (secure socket layer)?

SSL analysis (Secure Socket Layer) is a standard security technology which used for establishing an encrypted channel between a server and a client. For example a web server (website) and a browser; or a mail server and a mail client.

SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept (capture) all data being sent over the internet between a browser and a web server they can see and use that information. Http is sent data in plain text over network. https protocol used for establishing scure channel between browser (client) and web server.

More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

More detail https://www.digicert.com/ssl.htm

What sslstrip?

Sslstrip is tool used to downgrade HTTPS to HTTP. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, and then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.

How does sslstrip work?

First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send attacker all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

Running sslstrip

Step 1: Enable port forwarding

echo “1” > /proc/sys/net/ipv4/ip_forward

Step 2: Findout network gateway

netstat –r

Step 3: Spoof MAC address with gateway MAC address using arpspoof

arpspoof -i <interface> -t <targetIP> <gatewayIP>

arpspoof -i eth0 -t 192.168.1.5 192.168.1.1

Open new terminal and run following command

arpspoof -i eth0 -t 192.168.1.1 192.168.1.5

Step 4: Setup iptables to redirect HTTP traffic to sslstrip.

iptables -t nat -A PREROUTING -p tcp –destination-port 8080 -j REDIRECT –to-port <listenPort>

iptables -t nat -A PREROUTING -p tcp –destination-port 8080 -j REDIRECT –to-port 1000

Step 5: Write the results to a file (-w sslstrip.log), listening on port 1000 (-l 1000):

Sslstrip –w sslstrip.txt –l 1000

nbtscan and nmap nbtstat For SMB scanning

nbtscan and nmap “nbtstat -s” For SMB scanning

MODULE 6:- Enumeration

Secure Socket Layer SSL analysis with sslstrip in Kali Linux

SNMP Enumeration Kali by snmpwalk tool and snmpenum

nbtscan and nmap “nbtstat -s” For SMB scanning

SMB network scans by nbtscan scanner

nbtscan is a free network scanning software it is find out vulnerability after scanning network. it generate scanning files, contains the IP Address and other information of netbios block. it is amazing network scanning tools in kali Linux used for network security auditing and finding out vulnerability.

SMB enumeration

SMB enumeration is a technique to get all entities related NetBIOS, If the pentester is working at windows environment then he reveal the NetBIoS information through the nbtscan.

nbtscan for Linux

The nbtscan tool will generate a report that contains the IP address, NetBIOS computer name, services available, logged in username, and MAC address of the corresponding machines. The NetBIOS name is useful if you want to access the service provided by the machine using the NetBIOS protocol that is connected to an open share. Be careful as using this tool will generate a lot of traffic and it may be logged by the target machines. (Kali Linux- Assuring Security by Penetration Testing – Allen, Lee)

Nbtscan Usages

To see the available options for nbtscan just type nbtscan –h in the command line console.

Following options are available with nbtscan

-v verbose output. Print all names received from each host

-d dump packets. Print whole packet contents.

-e Format output in /etc/hosts format.

-l Format output in lmhosts format. Cannot be used with -v, -s or -h options.

-t timeout wait timeout milliseconds for response. Default 1000.

-b bandwidth Output throttling. Slow down output, it uses no more that bandwidth bps.

Useful on slow links, so that ougoing queries don’t get dropped.

-r use local port 137 for scans. Win95 boxes respond to this only. You need to be root to use this option on Unix.

-q Suppress banners and error messages,

-s separator Script-friendly output. Don’t print column and record headers, separate fields with separator.

-h Print human-readable names for services. Can only be used with -v option.

-m retransmits Number of retransmits. Default 0.

-f filename Take IP addresses to scan from file filename. -f – makes nbtscan take IP addresses from stdin.

<scan_range> what to scan. Can either be single IP like 192.168.1.1 or range of addresses in one of two form

xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.

Examples How to use nbtsccan

nbtscan -r 192.168.1.0/24

Scans the whole C-class network.

nbtscan 192.168.1.25-137

Scans a range from 192.168.1.25 to 192.168.1.137

nbtscan -v -s : 192.168.1.0/24

Scans C-class network. Prints results in script-friendly format using colon as field separator

nbtscan -f iplist

Scans IP addresses specified in file iplist.

Enumerate smb by nbtstat script in nmap

User Summary

Attempts to retrieve the target’s NetBIOS names and MAC address.

By default, the script displays the name of the computer and the logged-in user; if the verbosity is turned up, it displays all names the system thinks it owns.

Example Usage

sudo nmap -sU –script nbstat.nse -p137 <host>