Monday, 23 December 2013

Installing BackTrack 5 R1

What is BackTrack 5?
  • BackTrack is an operating system based on the Ubuntu GNU/Linux distribution aimed at digital forensics and penetration testing use. It is named after backtracking, a search algorithm. The current version is BackTrack 5, code name "Revolution."

  • BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. Support for Live CD and Live USB functionality allows users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk is also an option.

  • BackTrack includes many well-known security tools, including:
    • Metasploit integration
    • RFMON Injection capable wireless drivers
    • Aircrack-NG
    • Kismet
    • Nmap
    • Ophcrack
    • Ettercap
    • Wireshark (formerly known as Ethereal)
    • BeEF (Browser Exploitation Framework)
    • Hydra
  • BackTrack Download
     

Create a New Virtual Machine. (See Below)

 New Virtual Machine Wizard
  • Instructions:
    1. Select the radio button "Installer disc image file (iso):"
    2. Click the Browse button.
    3. Navigate to where your BT5 ISO is located.
    4. Select the BT5 ISO.
    5. Click Next.

New Virtual Machine Wizard
  • Instructions:
    1. Guest operating system: Linux
    2. Version: Ubuntu
    3. Select Next

New Virtual Machine Wizard
  • Instructions:
    1. Virtual machine name: BackTrack5R1
    2. Location: In my case, I saved it to my USB drive, located in H:\BackTrack5R1\
    3. Select Next

    New Virtual Machine Wizard
    • Instructions:
      1. Maximum disk size (GB): For our purposes use 20 GB.
      2. Radio button: Store virtual disk as a single file
      3. Select Next

    New Virtual Machine Wizard
    • Instructions:
      1. Click on the "Customize Hardware..." button

    New Virtual Machine Wizard
    • Instructions:
      1. Click on Memory (which is highlighted in blue)
      2. Click on 512 MB. (Recommended is 1024 MB, but not really needed for lab purposes.)
      3. Do not click on OK

    New Virtual Machine Wizard
    • Instructions:
      1. Click on Network Adapter
      2. Click on "Bridged: Connected directly to the physical network"
      3. Click OK.

    Click on the Finish button.
    • Instructions:
      1. Click the Finish button

    Start the Boot Process
    • Instructions:
      1. Press Enter

    BackTrack Live CD
    • Instructions:
      1. Select "BackTrack Text - Default Boot Text Mode"
      2. Press <Enter>

    Bring up the GNOME desktop
    • Instructions:
      1. Type startx

    Install BackTrack to Hard Drive
    • Instructions:
      1. Option 1: Double click on the icon labeled "Install BackTrack"
        • OR
      2. Option 2: System --> Administration --> Install BackTrack Live

    1. Select Language
      • Instructions:
        1. In my case: English.
        2. Click Forward
    2. Select Location and Time Zone
      • Instructions: (In my case)
        1. Region: English
        2. Time Zone: United States (Chicago)
        3. Click Forward
    3. Select Keyboard Layout
      • Instructions: (In my case)
        1. Suggested option: USA
        2. Click Forward
    4. Prepare Disk Space
      • Instructions:
        1. Select "Erase and use the entire disk"
        2. Select Forward
      • OR Note (This is optional)
        1. If you select "Specify partitions manually", then you can create your own file system layout.
          • /     - 2000 MB
          • /boot - 500  MB
          • swap  - 1280 MB (Double Memory)
          • /tmp  - 1000 MB
          • /home - 2000 MB
          • /var  - 2000 MB
          • /usr  - 3000 MB
          • Then use the rest as needed using volume management.

    5. Ready to Install
      • Instructions:
        1. Click on Install
    6. Informational
      • Note(FYI):
        • The installation process will take between 10 and 45 minutes depending on your system's resources.
    7. Consistency Reboot
      • Instructions:
        1. Click on Restart Now

    Section 3. Login to BackTrack
    1. Edit Virtual Machine Settings
      • Instructions:
        1. Virtual Machine --> Virtual Machine Settings...
    2. Edit CD/DVD (IDE)
      • Instructions:
        1. Select CD/DVD (IDE)
        2. Click on Use physical drive:
          • Select Auto detect
        3. Click the OK Button
    3. Login to BackTrack
      • Instructions:
        1. Login: root
        2. Password: toor

    4. Bring up the GNOME
      • Instructions:
        1. Type startx
    5. Bring up a console terminal
      • Instructions:
        1. Click on the Terminal Console Icon
    6. Change root's password
      • Instructions:
        1. passwd root
        2. Use our standard class password
    7. Create a student account and set password
      • Instructions:
        1. useradd -m -d /home/student -c "Security Student" -s /bin/bash student
        2. passwd student
        3. Use our standard class password
     

      Monday, 16 December 2013

      All about VPN- little explanation

      We must know that there are three VPN protocols: PPTP, L2TP and SSL.

      One idea must be clear: the three VPN protocols are used for the same purpose, which is to encapsulate the PPP protocol. PPP is a network protocol used to make a direct connection between two networking hosts. Therefore PPTP, L2TP and SSL share the common features of PPP, for example authentication schemes, IPv4, IPv6 and others. But that is another story.

      So we have:

      PPTP (Point-to-Point Tunneling Protocol):
      It is very old, so it is supported by old and new clients such as Windows 98, Windows NT, Windows 2000, etc.
      It uses an encryption method called MPPE.
      Its configuration is very easy and it has very good firewall compatibility, but it has no integrity protection. Besides, it cannot use certificates.

      L2TP (Layer 2 Tunneling Protocol):
      It uses an encryption method called IPsec, so it can use certificates or a preshared key, but it needs newer clients such as Windows XP, Windows Vista, etc. Its configuration is difficult and we have a lot of problems with firewall configurations. However, it is very secure, as it has both remote computer and user authentication.

      SSTP (Secure Socket Tunneling Protocol):
      It is the newest VPN protocol, therefore it needs the newest clients and servers (Windows Vista SP1… and Windows Server 2008 …). It is very secure and easy to configure, as it uses the well-known SSL protocol (TCP port 443); therefore it needs a server certificate and we must also configure IIS (Internet Information Services). In general, it is configured easily in firewalls.
      IKEv2 (Internet Key Exchange Version 2):
      It is the newer VPN protocol used by Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012. Actually, this protocol is based on IPsec, but without the complexity of the others such as L2TP.
      This protocol uses UDP port 500 and it can use a machine certificate or a preshared key as the authentication method for IPsec.
      It is very interesting, as it can be used with two important novelties of the newer Microsoft operating systems, such as DirectAccess or automatic reconnection.

      To sum up:


      When we have to choose a VPN protocol, in an answer in a certification exam or in real cases if we work as IT administrators, we must take into account: client versions, firewall compatibility, security grade and whether we are going to have a PKI.
      Besides, we could use IPsec alone to configure a VPN, but this is very complex, and these VPNs which are based on IPsec only are usually configured by communication companies. However, we can use IKEv2 if we have newer Microsoft operating systems; this allows us to configure DirectAccess easily, and the automatic reconnection in the new mobile networks based on 3G, 4G or Wi-Fi.


      stay connected  and happy hacking with way2hackintosh and if you want to contact us  E-mail us on way2hackintosh@gmail.com

      Wednesday, 11 December 2013

      How long would it take to brute force 256 bit AES passwords

      The issue with AES-256 isn't in brute forcing strong passwords. If your password is strong (not in any dictionary, longer than 8 characters, mixed symbols, uses a large random salt) it can't be brute forced at any reasonable cost. If it is 12+ characters and includes all 4 symbol classes, or simply is a random string, it can't be brute forced at any cost.

      The issue with AES-256 is that it is a very fast cipher. For weak (or marginal) passwords it can be brute forced. How complex a password can be and still be vulnerable depends on the resources available to the attacker and how long they are willing to wait.

      So let us consider a weak password to be one that (at least in theory) could be compromised by a dictionary, modified dictionary, or brute force attack using computing power of the magnitude available today:
      1) anything found in a standard dictionary or leaked/common password list (various lists, usually in the tens of millions of passwords range).
      2) anything with fewer than 8 characters.
      3) anything all lower case with fewer than 10 characters.
      4) anything not encrypted using a 64-bit or larger salt.
      5) anything with fewer than 3 substitutions from something listed above (p@ssword! vs password).

      The reality is that end users likely don't know if their password is strong or not. So developers should prevent users from hurting themselves. As a developer you can implement a large salt and could require a minimum of 8 characters (don't impose special character requirements). At that point brute force and precomputation are off the table, so the largest risk comes from dictionary or modified dictionary attacks. There are lists of millions of previously compromised passwords. If the password used is on one of those lists it can be found in a matter of minutes. If you are paranoid about your users' security you could check their password against a list of known compromised passwords. An alternative would be for someone to develop a web service which holds a hash (HMAC) of all known/weak/compromised passwords. Users could send an HMAC hash of their potential password and get a "known" or "good" response.

      One further step you could take is key stretching using a key derivation function. The Bitcoin wallet does this. Rather than simply using the passphrase, it takes multiple iterative hashes of the password (generally thousands to tens of thousands). So instead of key = passphrase it is key = SHA256(SHA256(SHA256(passphrase))). This increases the time necessary to try one key and thus reduces the throughput of the attacker. Understand that if the user's password is very weak (under 6 characters or on a dictionary list) this is unlikely to help, because even 2000x a 1 second search is unlikely to stop an attacker.

      The key stretching function (hash) used by the wallet is SHA-256, which is very well optimized due to this thing called mining. Security could be enhanced by replacing the key strengthening function with another one (say bcrypt, or even PBKDF2 using SHA-512 or RIPEMD).

      http://en.wikipedia.org/wiki/Key_derivation_function
      http://en.wikipedia.org/wiki/Key_stretching
      http://en.wikipedia.org/wiki/PBKDF2
      http://en.wikipedia.org/wiki/Bcrypt

      TL;DR:
      It depends. Use a combination of:
      a) require at least 8 characters (makes brute force prohibitively expensive)
      b) use a large (64-bit+) random salt (prevents precomputation attacks)
      c) check the password against the known/compromised password lists that attackers are likely to be using (prevents quick dictionary-based attacks)
      d) use key strengthening (reduces the attacker's throughput by a couple of orders of magnitude)
      e) use an algorithm other than SHA-256 in the KDF to prevent "re-use" of mining research

      Saturday, 7 December 2013

      Shutdown/restart computer using command prompt(cmd) part-6

      Access Folder and Setting Using Command Prompt (part-5)

      How to see command prompt History (part 4)

      How to Find IP Address using command prompt (part-3)

      How to Open Command Promt/cmd In a Folder Directly (part 2)

      How to Change Color of Command Prompt/cmd (part 1) video tutorial

      Command Prompt For Beginners

      Tuesday, 3 December 2013

      Secure yourself by identifying shortened URLs

      URL shortening:

      URL shortening is a technique on the World Wide Web in which a Uniform Resource Locator (URL) can be made substantially shorter in length and still direct to the required page.

      The URL shortening service was first launched by TinyURL. Later on, many websites like Google also started providing this service.

      Why do we need it?

      URL shortening disguises the underlying address. This can be used by some business services.
      But this URL shortening service is open to abuse. Hackers can easily use it for malicious purposes, so short URLs can unexpectedly redirect a user to scam pages or pages containing malware or XSS attacks.

      Some people use it to access blocked sites.

      So it is necessary to be able to identify the original form of a suspected URL.

      How to shorten your long URL:

      You can simply go to www.tinyurl.com and enter your long URL, then click on "make tiny url".

      You can also use Google's service from here.

      How to find out the real link of a shortened URL?

      Sucuri is a nice little web-based tool that lets you see the destination of a shortened URL. The tool will also check the destination URL in two different ways to find out if it's safe for you to go to the site.

      Hope you liked it. Be the first to make a comment.
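      The same kind of lookup can be done locally without ever loading the destination page. The following added example (not the blog's or Sucuri's code) issues HEAD requests hop by hop, reads only the Location header, and stops on loops or over-long chains; the shortening service it resolves against is a constructed stand-in running on localhost.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 5   # shorteners chain a hop or two; more than this smells like a loop


def next_hop(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Send a single HEAD request and return (status, Location header or None).

    Redirects are deliberately not followed and no body is fetched, so the
    destination page is never loaded on this machine."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL: %r" % url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "short-url-expander-demo"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url: str, max_hops: int = MAX_HOPS) -> List[str]:
    """Return the redirect chain [short URL, ..., final URL].

    Relative Location values are resolved against the URL that issued them,
    as a browser would. A repeated URL or too many hops raises RuntimeError."""
    chain = [url]
    for _ in range(max_hops):
        status, location = next_hop(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        target = urljoin(chain[-1], location)
        if target in chain:
            raise RuntimeError("redirect loop via %s" % target)
        chain.append(target)
    raise RuntimeError("more than %d redirects; giving up" % max_hops)


class _DemoShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortening service: two hops, a loop, then a 200."""
    ROUTES = {"/abc": "/hop2", "/hop2": "/final-page", "/loop": "/loop"}

    def do_HEAD(self):
        if self.path in self.ROUTES:
            self.send_response(301)
            self.send_header("Location", self.ROUTES[self.path])
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_demo_shortener() -> str:
    """Start the stand-in service on a free loopback port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _DemoShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    base = start_demo_shortener()
    for hop in expand(base + "/abc"):
        print("->", hop)
    # Against a real service, e.g. expand("http://tinyurl.com/<id>"), the last
    # element is the page you would have landed on.
```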

      where to begin with hacking ? [how-to]

      "where to begin with hacking".
      So here is my opinion about how one should get started.

      There are three types of hackers:

      White Hats:

      The White Hat hacker has dedicated himself to fighting malware and helping others with their computer problems. He is a person you can trust, and he will most likely end up in a well-paying job as a computer programmer or a security consultant. He will most certainly not end up in jail.

      Grey Hats:

      The Grey Hat hacker is in between White Hats and Black Hats. He will most likely play pranks on people that he thinks are harmless, but they can also be illegal. He can at one time be helpful and help you with a computer problem, but at the same time infect you with his own virus. There is a chance that the grey hat will end up in prison.

      Black Hats:

      The Black Hat hacker, also known as a cracker, is the one who defaces websites, steals private information and does similar illegal activities. It is very time consuming to become a black hat. It can be very hard for them to get a job because of the illegal activity. If law enforcement gets you, you can expect jail time.

      So where to start?

      You should know the answers to these questions before you start your hacking career.

      Which type of hacker do you want to be (white hat, grey hat or black hat)?
      Which type of hacking do you want to work with (website hacking, system exploits, pen testing etc.)?
      What is your end goal?

      You should meet these requirements to become a successful hacker.

      You shall be patient.
      You shall dedicate a lot of time to hacking. You will never stop learning, since hacking is a lifestyle.
      You should have a computer (I expect you to have one since you are reading this).
      You shall be interested in how the different computer systems work, and how to control them.


      Now that you have an idea of what kind of hacker you want to be, we will look closer into the different topics you can work with as a hacker.


      Website Hacking:

      You probably already guessed it, but website hacking is about hacking websites. You use your skills to find exploits and vulnerabilities in websites and web applications. Almost all major hacking stories in the news are about websites and databases that have been hacked. Once you have enough experience in website security you will be amazed at how easy it is to find vulnerabilities in websites. However, it will take a lot of effort and time to reach that level of skill. You will need to know a large number of server-side languages and website construction languages like PHP, HTML, JavaScript, SQL, ASP, ASP.NET and Perl. These are just some of the languages you should know about. I recommend you take JavaScript, SQL and PHP very seriously, since it is in those languages that you will find the most vulnerabilities.


      Pen testing and Forensics:

      Pen testing and forensics can earn you big money. These are the guys companies call when they have been hacked. They are experts in operating systems, wireless connections and exploiting computers. This path will take A LOT of time and effort, since there is so much you should know about. You shall know how the different operating systems work, which exploits there are for them, how to exploit them, routers, encryption, malware etc.; the list is almost endless.


      Code exploiting:

      Not many people know about this. This will require you to be a complete expert at programming. You shall be at least as good at these programming languages as at your main language, like English. This kind of hacking takes a lot of time, and will require you to be patient. Do not get me wrong: every company that releases software, like Symantec, Google, Microsoft, Adobe and Oracle, has hackers with these skills employed to check their software for vulnerabilities. Sadly, they cannot find every security hole, and therefore some very smart black hat hackers are able to find them and exploit them before the companies get the vulnerability patched. You should know the most popular languages like C++, Java and C etc.

      Computer security:

      The work these people do looks a lot like the pentesters'. These people are able to detect and analyze new viruses and malware. They work for companies like Symantec, Kaspersky and Avira etc. Some of them also work in labs that test AVs and new viruses. They are experts in how viruses work and how they infect systems.

      You should now have an idea of where to start and in which direction you want to go. If you found any errors or typos, feel free to contact me and I will look into it. I will be updating this thread regularly and adding more details. I will soon add a dictionary which explains the most basic hacking terms. I have put a lot of effort into this tutorial, and my goal with it is to give computer-interested people an idea of where they should start.

      To the so-called "noobs" who read this:

      I hope I have inspired you to begin hacking. I hope that I have cleared things up a little bit, so it does not seem so messy anymore. If you have any questions or something you did not understand, I would gladly explain it to you again. Welcome to the hacker's world; a new world will open up for you and you will never regret that you chose to become a hacker.

      Nmap (Network Mapper) - introduction

      Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. 

      Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. 

      It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).

      Nmap is ...

      * Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more.

      * Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.

      * Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.

      * Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.

      * Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.

      * Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book!

      * Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.

      * Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series.

      * Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

      Installing Nmap:
      http://nmap.org/book/install.html

      Changelog:
      http://nmap.org/changelog.html

      How To Use:
      http://nmap.org/book/man.html

      Download
      http://nmap.org/download.html

      Thursday, 28 November 2013

      Best Android Apps Free Download

      Many people are using Android mobiles because of their unique and attractive features compared to other mobile devices at a reasonable price. The main thing that attracts mobile customers is the apps, of which there are thousands for Android users.

      So we would like to give you some top rated Android apps for free. I have given about 6 apps here; please download and enjoy.

      1) Facebook Messenger


      Facebook is regarded as the king of social networking; even for kids, Facebook is a mouth-watering word. So people try to always stay in touch with Facebook. Regarding their needs, we present Facebook Messenger, which has these unique features:

      • Get started quickly with your friends, just log in with a single app
      • Instant chat and receive messages
      • Tell your friends where you are
      • Group chat and send voice messages
      Please download this app from here

      2) SMS, GPS and Call Tracker

      Yes, the name says it all. The app will track the user's SMS and call details remotely for Android phones. It is absolutely free of cost; the features are:
      • Call logging including missed calls, received calls and phone numbers, all details
      • GPS tracking of the location, updated every 30 minutes
      • SMS tracking of the inbox, outbox and the phone numbers
      • It is very useful when your mobile phone is lost or stolen
      • Install the app on your mobile using an email and password, then log into the Mobitrack site
      Note: It is illegal to install this software on a phone that you do not own, so use the software only on a phone to which you have all the rights.
      You can download this app from here

      3) Gmail

      The biggest email service provider is Gmail, so everyone needs to check their mail regularly. The Gmail app will satisfy all your needs and it has some cool features:
      • One-touch checking of mail
      • Save the attachments
      • Managing multiple accounts
      You can download this app from here

      4) Dictionary
       
      The Dictionary is very useful for people who want to speak English fluently, and it will be helpful for the phrases you need to check. Some features are given below:
      • More than 2.5 lakh words and phrases
      • More than 50,000 usage examples
      • The intelligent word entry will correct spelling mistakes as you type if any error is found
      • Search results filtered into categories like noun, verb, etc.
      • Good spelling suggestions
      Please download this app from here
      5) Galaxy S4 Live Wallpaper
       
      Wallpapers are very cool and attractive if they suit our phone, so I am presenting an awesome live wallpaper for your Android phone. The features are:
      • Water drop ripple effect with floating light particles
      • Tested on a lot of devices; it works fine
      If the wallpaper resets after a reboot, change your live wallpaper location from phone to SD card. If the app does not work on your phone, feel free to contact me.
      Please download this app from here
      6) Battery Left Widget
      The battery is the soul of the phone, so there is more care for the battery of phones. For this, the app called Battery Left Widget is presented; it is a notification app having these features:
      • Estimated battery of the phone
      • Top status bar icon showing the battery remaining
      • Temperature
      • Clock time of when the battery will die
      Please download this app from here


      How to: Play Android Games on Computer/PC/laptop [software]

      It is not very tough to run Android games on your computer, but not that easy either. Android is releasing several applications day by day, and it is very difficult to test each and every one on your mobile. It costs a lot of battery and time.

      There is a solution for this: you can test your applications on your computer by following my tips. The Windows environment is user friendly to the Android platform.

      It is not easy for all application testing, as each app differs in its usage: some need the camera, some need Bluetooth and some Wi-Fi. I am giving this mainly for the apps that are available outside of the Android Market.

      Let us see how to play Android games on your computer.

      1) BlueStacks

      The best user friendly software that runs your Android games on your computer is BlueStacks, which is still a beta version.

      Download BlueStacks officially from here

      Features

      • You can download any game from your market with a single click
      • View all the apps and games on a full HD screen
      • Option for installing external .apk Android files directly and testing them in BlueStacks
      • Very user friendly for beginners in Android testing
      2) Android SDK
      SDK refers to the Software Development Kit, which is a tool for Android developers. Users also use this for testing their apps and games, but setup is not easy, and there is a lot to do to run an app on this kit.
      Download the Android SDK software here
      3) Android live
      Android live is similar to the first one mentioned above; it is for x86 Windows-based systems.
      For downloading Android live click here

      Sunday, 24 November 2013

      How to Hide files inside a picture using Command Prompt - video

      How to hide files inside a picture using Command Prompt in Windows: an easy way to hide files inside an image file (without any software).

      First create a new folder in the C:\ drive and name it anything; I'm gonna name it "Hide".

      Now move the files you want to hide, and the picture in which you want to hide them, to the folder.

      Select the files you want to hide, right click, select "Add to archive..." and give the compressed file a name, for example: Compressed.rar

      Now open Command Prompt.
      Type cd\ to go to your root directory.

      Then type
      copy /b yourimage.jpg+Compressed.rar xyz.jpg

      Your files will be hidden inside the image. To get your files back, right click
      on the image (xyz.jpg) and open it with WinRAR; you will see your files and
      you can extract them anywhere you want on your computer.
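      The result of that copy /b is a JPEG with an archive appended after the end-of-image marker, which is exactly what a defender looks for when screening uploads. The following added example (not part of the original post) walks the JPEG segment structure to find the real EOI marker, skipping EXIF thumbnails that carry their own EOI, and reports any trailing bytes and whether they start with a known archive signature; the sample JPEG bytes are constructed in the code and are not a decodable picture.

```python
import struct
from typing import Dict, Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Signatures of archive formats typically glued on with "copy /b"
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR v4",
    b"Rar!\x1a\x07\x01\x00": "RAR v5",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
}


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the JPEG's real EOI marker, or -1 if data is
    not a well-formed JPEG.

    Walks the marker segments by their length fields instead of searching for
    FF D9, so an EXIF thumbnail (a complete JPEG, with its own EOI, inside an
    APP1 segment) does not stop the scan early. Inside entropy-coded data every
    0xFF is followed by 0x00 or an RSTn marker, so any other 0xFF xx pair is the
    next real marker."""
    n = len(data)
    if not data.startswith(JPEG_SOI):
        return -1
    pos = 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte
            pos += 1
            continue
        if marker == 0xD9:                              # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn: no length field
            pos += 2
            continue
        if pos + 4 > n:
            return -1
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + length
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return -1


def naive_end_offset(data: bytes) -> int:
    """The shortcut many scripts use: the first FF D9 found. Wrong when a thumbnail is present."""
    i = data.find(JPEG_EOI)
    return -1 if i < 0 else i + 2


def inspect_jpeg(data: bytes) -> Dict[str, object]:
    """Report bytes appended after the image and the archive type they look like, if any."""
    end = jpeg_end_offset(data)
    if end < 0:
        return {"valid_jpeg": False, "trailing_bytes": 0, "payload_type": None}
    trailing = data[end:]
    kind: Optional[str] = None
    for magic, name in ARCHIVE_MAGICS.items():
        if trailing.startswith(magic):
            kind = name
            break
    if trailing and kind is None:
        kind = "unknown"
    return {"valid_jpeg": True, "trailing_bytes": len(trailing), "payload_type": kind}


def build_sample_jpeg(with_thumbnail: bool = False) -> bytes:
    """Construct a structurally valid JPEG skeleton (not a decodable picture) for testing."""
    def segment(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    data = JPEG_SOI + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if with_thumbnail:
        # APP1/Exif carrying an embedded thumbnail JPEG that ends with its own EOI
        thumb = JPEG_SOI + segment(0xDB, b"\x00" * 65) + JPEG_EOI
        data += segment(0xE1, b"Exif\x00\x00" + thumb)
    data += segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    data += b"\x12\x34\xff\x00\x56\xff\xd0\x78"        # scan data: escaped FF and an RST0 marker
    return data + JPEG_EOI


if __name__ == "__main__":
    carrier = build_sample_jpeg(with_thumbnail=True) + b"Rar!\x1a\x07\x00" + b"\x00" * 40
    print(inspect_jpeg(carrier))   # {'valid_jpeg': True, 'trailing_bytes': 47, 'payload_type': 'RAR v4'}
    print(len(carrier) - naive_end_offset(carrier), "bytes: the thumbnail's EOI fooled the naive search")
```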

      Friday, 22 November 2013

      SSH Tunneling Explained

      Recently I wanted to set up a remote desktop sharing session from my home PC to my laptop. While going through the setup guide I came across SSH tunneling. Even though there are many articles on the subject, it still took me a considerable amount of googling, some experimenting and a couple of Wireshark sessions to grasp what's going on under the hood. Most of the guides were incomplete in terms of explaining the concept, which left me wishing for a good article on the subject with some explanatory illustrations. So I decided to write it myself. So here goes…

      Introduction

      An SSH tunnel consists of an encrypted tunnel created through an SSH protocol connection. An SSH tunnel can be used to transfer unencrypted traffic over a network through an encrypted channel. For example, we can use an SSH tunnel to securely transfer files between an FTP server and a client even though the FTP protocol itself is not encrypted. SSH tunnels also provide a means to bypass firewalls that prohibit or filter certain internet services. For example, an organization may block certain sites using its proxy filter. But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server via the external SSH server. I will describe this scenario in detail in a little while.
      To set up an SSH tunnel, a given port of one machine needs to be forwarded (which I am going to talk about in a little while) to a port on the other machine, which will be the other end of the tunnel. Once the SSH tunnel has been established, the user can connect to the earlier specified port on the first machine to access the network service.

      Port Forwarding

      SSH tunnels can be created in several ways using different kinds of port forwarding mechanisms. Ports can be forwarded in three ways.
      1. Local port forwarding
      2. Remote port forwarding
      3. Dynamic port forwarding
      I didn't explain what port forwarding is. I found Wikipedia's definition more explanatory.
      Port forwarding or port mapping is a name given to the combined technique of
      1. translating the address and/or port number of a packet to a new destination
      2. possibly accepting such packet(s) in a packet filter (firewall)
      3. forwarding the packet according to the routing table.
      Here the first technique will be used in creating an SSH tunnel. When a client application connects to the local port (local endpoint) of the SSH tunnel and transfers data, that data will be forwarded to the remote end by translating the host and port values to those of the remote end of the channel.
      So with that, let's see how SSH tunnels can be created using forwarded ports, with an example.

      Tunnelling with Local port forwarding

      Let's say that yahoo.com is being blocked using a proxy filter in the University.
      (Just for the sake of this example :D ; I cannot think of any valid reason why yahoo.com would be blocked.) An SSH tunnel can be used to bypass this restriction. Let's name my machine at the university 'work' and my home machine 'home'. 'home' needs to have a public IP for this to work, and I am running an SSH server on my home machine. The following diagram illustrates the scenario.

      To create the SSH tunnel, execute the following from the 'work' machine.

      ssh -L 9001:yahoo.com:80 home
       
      The -L switch indicates that a local port forward is to be created. The switch syntax is as follows.

      -L <local-port-to-listen>:<remote-host>:<remote-port>
       
      Now the SSH client at 'work' will connect to the SSH server running at 'home' (usually listening on port 22), binding port 9001 of 'work' to listen for local requests, thus creating an SSH tunnel between 'home' and 'work'. At the 'home' end it will create a connection to yahoo.com at port 80. So 'work' doesn't need to know how to connect to yahoo.com; only 'home' needs to worry about that. The channel between 'work' and 'home' will be encrypted, while the connection between 'home' and yahoo.com will be unencrypted.

      Now it is possible to browse yahoo.com by visiting http://localhost:9001 in the web browser on the 'work' computer. The 'home' computer acts as a gateway that accepts requests from the 'work' machine, fetches the data and tunnels it back. So the syntax of the full command is as follows.

      ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>
       
      The image below describes the scenario.

      Here the 'home' to yahoo.com connection is only made when the browser makes the
      request, not at tunnel setup time.

      It is also possible to specify a port on the 'home' computer itself instead of
      connecting to an external host. This is useful if I were to set up a VNC session
      between 'work' and 'home'. Then the command line would be as follows.

      ssh -L 5900:localhost:5900 home (Executed from 'work')
       
      So here, what does localhost refer to? Is it 'work', since the command line is executed from 'work'? It turns out that it is not. As explained earlier, <remote-host> is relative to the gateway ('home' in this case), not the machine from which the tunnel is initiated. So this will make a connection to port 5900 of the 'home' computer, where VNC would be listening.

      The created tunnel can be used to transfer all kinds of data, not just web browsing sessions; we can tunnel SSH sessions through it as well. Let's assume there is another computer ('banned') to which we need to SSH from within the University, but SSH access to it is blocked. It is possible to tunnel an SSH session to this host using a local port forward. The setup would look like this.

      As can be seen, the data transferred between 'work' and 'banned' is now encrypted end to end. For this we need to create a local port forward as follows.

      ssh -L 9001:banned:22 home
       
      Now we need to create an SSH session to local port 9001, from where the session
      will get tunneled to 'banned' via the 'home' computer.

      ssh -p 9001 localhost
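To make the "translate the host and port values" step concrete, here is an added Python illustration of the local end of a -L forward (not code from the original post, and not how OpenSSH implements it): a listener on the local port relays each connection to <remote-host>:<remote-port>, and a constructed echo service stands in for the far-end host. The point the tutorial makes about localhost also shows up here: the remote name is resolved by whatever runs the relay, which with real SSH is the gateway.

```python
from contextlib import suppress
import socket
import threading

# Added illustration of the local end of "ssh -L <local-port>:<remote-host>:<remote-port>"
# (not OpenSSH code). A constructed echo service stands in for the far-end host.


def parse_forward_spec(spec):
    """Split '9001:yahoo.com:80' into (9001, 'yahoo.com', 80)."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError("expected <local-port>:<remote-host>:<remote-port>")
    return int(parts[0]), parts[1], int(parts[2])


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def serve(host, port, handler):
    """Bind host:port (0 = any free port); hand each accepted socket to handler."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(5)

    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def local_forward(spec, bind_host="127.0.0.1"):
    """Open the local end of a -L tunnel. <remote-host> is resolved where this
    code runs; with real SSH that is the gateway ('home'), not the client."""
    local_port, remote_host, remote_port = parse_forward_spec(spec)

    def relay(client):
        with client, socket.create_connection((remote_host, remote_port)) as remote:
            up = threading.Thread(target=pump, args=(client, remote), daemon=True)
            up.start()
            pump(remote, client)  # replies travel back to the client
            up.join()

    return serve(bind_host, local_port, relay)


def request_through_tunnel(tunnel_port, payload):
    """Client side: connect to the tunnel's local port, send, collect the reply."""
    with socket.create_connection(("127.0.0.1", tunnel_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while data := c.recv(4096):
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Client -> tunnel -> constructed echo service; returns what came back."""
    def echo(conn):
        with conn:
            pump(conn, conn)

    echo_srv, echo_port = serve("127.0.0.1", 0, echo)
    tunnel, tunnel_port = local_forward(f"0:127.0.0.1:{echo_port}")
    try:
        return request_through_tunnel(tunnel_port, b"GET / HTTP/1.0\r\n\r\n")
    finally:
        tunnel.close()
        echo_srv.close()
```

Everything here stays on the loopback interface; the real tunnel additionally wraps the client-to-gateway leg in the SSH connection, which this stand-in leaves out.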
       
      With that, let's move on to the next type of SSH tunnelling method: reverse tunnelling.

      Reverse Tunnelling with remote port forwarding

      Let's say it is required to connect to an internal university website from home.
      The university firewall is blocking all incoming traffic. How can we connect from 'home' to the internal network so that we can browse the internal site? A VPN setup is a good candidate here; however, for this example let's assume we don't have that facility. Enter SSH reverse tunnelling.

      As in the earlier case, we will initiate the tunnel from the 'work' computer behind the firewall. This is possible since only incoming traffic is blocked and outgoing traffic is allowed. However, unlike the earlier case, the client will now be at the 'home' computer. Instead of the -L option we now use -R, which specifies
      that a reverse tunnel is to be created.

      ssh -R 9001:intra-site.com:80 home (Executed from 'work')
       
      Once executed, the SSH client at 'work' will connect to the SSH server running at 'home', creating an SSH channel. Then the server will bind port 9001 on the 'home' machine to listen for incoming requests, which will subsequently be routed through the SSH channel between 'home' and 'work'. Now it's possible to browse the internal site by visiting http://localhost:9001 in the 'home' web browser. 'work' will then create a connection to intra-site.com and relay the response back to 'home' via the SSH channel.

      As nice as all of this is, in both cases you still need to create another tunnel if you need to connect to another site. Wouldn't it be nice if it were possible to proxy traffic to any site using the SSH channel created? That's what dynamic port forwarding is all about.

      Dynamic Port Forwarding

      Dynamic port forwarding allows you to configure one local port for tunnelling data to all remote destinations. However, to use it, the client application connecting to the local port must send its traffic using the SOCKS protocol. At the client side of the tunnel a SOCKS proxy is created, and the application (e.g. a browser) uses the SOCKS protocol to specify where the traffic should be sent when it leaves the other end of the SSH tunnel.

      ssh -D 9001 home (Executed from 'work')
       
      Here SSH will create a SOCKS proxy listening for connections at local port
      9001 and, upon receiving a request, will route the traffic via the SSH channel
      created between 'work' and 'home'. For this it is required to configure the
      browser to point to the SOCKS proxy at port 9001 on localhost.
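To see what the browser actually hands to the SOCKS proxy that ssh -D opens, here is an added Python example (not part of the original post, not OpenSSH code) that builds and parses the SOCKS5 CONNECT request as framed in RFC 1928. It also flags the case a defender cares about: when the client resolved the hostname itself before contacting the proxy (address type 0x01/0x04), that DNS lookup went out on the local network rather than through the tunnel.

```python
import ipaddress
import struct

# Added example of SOCKS5 (RFC 1928) CONNECT framing, the protocol a browser
# speaks to the proxy that "ssh -D 9001" opens on localhost:9001. Only the
# no-authentication method and the CONNECT command are covered here.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting():
    """Opening message: version, number of auth methods offered, the methods (0x00 = none)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect_request(host, port):
    """Frame a CONNECT for host:port. A hostname goes out as ATYP 0x03 so that the
    far end of the tunnel resolves it; a literal IP goes out as ATYP 0x01 or 0x04."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname longer than the one-byte SOCKS5 length field")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a CONNECT request into (atyp, host, port); ValueError if malformed."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        start, end = 4, 8
    elif atyp == ATYP_IPV6:
        start, end = 4, 20
    elif atyp == ATYP_DOMAIN:
        start, end = 5, 5 + data[4]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:  # address bytes followed by exactly a 2-byte port
        raise ValueError("truncated or oversized request")
    raw = data[start:end]
    host = raw.decode("idna") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    port = struct.unpack("!H", data[end:end + 2])[0]
    return atyp, host, port


def resolved_before_proxy(data):
    """True when the client already turned the name into an IP (ATYP 0x01/0x04):
    that DNS lookup happened on the local network, outside the tunnel."""
    return parse_connect_request(data)[0] != ATYP_DOMAIN
```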

      That's all; hope you enjoy this tutorial :>)

      DNS poisoning - EXPLANATION | hacking trick

      DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when, in reality, it has not. It results in the substitution of a false Internet provider address at the domain name service level, where web addresses are converted into numeric Internet provider addresses. It allows an attacker to replace the IP address DNS entries for a target site on a given DNS server with IP addresses of a server he/she controls. An attacker can create fake DNS entries for files with the same names as those on the target server.

      The DNS provides a way for computers to translate the domain names we see into the physical IPs they represent. When you load a webpage, your browser will ask its DNS server for the IP of the host you requested, and the server will respond. Your browser will then request the webpage from the server with the IP address that the DNS server supplied.
      To launch a DNS poisoning attack, follow these steps:

      + Set up a fake website on your computer.
      + Install Treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server.
      + Modify the file dns-spoofing.bat and replace the IP address with your IP address.
      + Trojanize the dns-spoofing.bat file and send it.
      + When the host clicks the Trojanized file, it will replace the DNS entry in her TCP/IP properties with that of your machine.
      + You will become the DNS server and her DNS requests will go through you.
      There are four types of DNS poisoning attacks using which you can compromise the target system:

      + Intranet DNS spoofing (local network)
      When an attacker performs DNS poisoning on a local area network (LAN), it is called intranet DNS spoofing. An attacker can perform an intranet DNS spoofing attack with the help of the ARP poisoning technique. This is usually conducted on a switched LAN. To perform this attack, you must be connected to the LAN and be able to sniff the traffic or packets. Once the attacker succeeds in sniffing the ID of the DNS request from the intranet, he or she can send a malicious reply to the sender before the actual DNS server does.

      + Internet DNS spoofing (remote network)
      Internet DNS poisoning is also known as remote DNS poisoning. This attack can be performed on either a single victim or multiple victims anywhere in the world. In order to perform this attack, you need to set up a rogue DNS server with a static IP address. Internet DNS spoofing is performed when the victim's system is connected to the Internet. It is done with the help of Trojans. It is one of the MITM types of attacks, where the attacker changes the primary DNS entries of the victim's computer. The attacker replaces the victim's DNS IP address with a fake IP address that refers to the attacker's system; thus all traffic will be redirected to the attacker's machine. Now the attacker can easily sniff the victim's confidential information.

      + Proxy server DNS poisoning
      In the proxy server DNS poisoning technique, the attacker changes the proxy server setting of the victim to that of the attacker. This is done with the help of a Trojan. This redirects the victim's requests to the attacker's fake website, where the attacker can sniff the confidential information of the victim.

      + DNS cache poisoning
      The DNS system uses cache memory to hold recently resolved domain names. It is populated with recently used domain names and their respective IP address entries. When a user request comes in, the DNS resolver first checks the DNS cache; if the domain name that the user requested is found in the cache, then the resolver returns its respective IP address quickly. Thus, it reduces the traffic and time of DNS resolving.
      Attackers target this DNS cache and make changes or add entries to it. The attacker replaces the user-requested IP address with a fake IP address. Then, when the user requests that domain name, the DNS resolver checks the entry in the DNS cache and picks the matched entry. Thus, the victim is redirected to the attacker's fake server instead of the authorized server.

      How to defend against DNS spoofing:
      + Resolve all DNS queries to local DNS servers
      + Block DNS requests from going to external servers
      + Implement DNSSEC
      + Configure the DNS resolver to use a new random source port from its available range for each outgoing query
      + Configure the firewall to restrict external DNS lookups
      + Restrict the DNS recursion service, either fully or partially, to authorized users
      + Use DNS Non-Existent Domain (NXDOMAIN) rate limiting
      + Secure your internal machines
      + Implement an IDS and deploy it correctly
      + Use static ARP and IP tables
      + Use SSH encryption
      + Use sniffing detection tools
      + Do not open suspicious files
      + Always use trusted proxy sites
      + Audit your DNS server regularly to remove vulnerabilities
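The "random source port for each outgoing query" item is one you can verify from a resolver's outbound query log, and the last function shows why it matters for cache poisoning: a forged reply must match both the transaction ID and the source port. Added Python example, not from the original post; the log lines and their format are constructed, so adapt the regex to your own logging.

```python
import re
from collections import defaultdict

# Added example (not from the original post). Constructed outbound-query log:
# 192.0.2.10 always sends from port 53 (fixed), 192.0.2.20 uses random ports.
QUERY_LOG = """\
2013-11-21T10:00:01 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2b q=www.example.com
2013-11-21T10:00:02 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2c q=mail.example.com
2013-11-21T10:00:03 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2d q=ftp.example.com
2013-11-21T10:00:04 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2e q=www.example.org
2013-11-21T10:00:05 192.0.2.10:53 -> 198.51.100.1:53 id=0x1a2f q=www.example.net
2013-11-21T10:00:06 192.0.2.20:41211 -> 198.51.100.1:53 id=0x9f31 q=www.example.com
2013-11-21T10:00:07 192.0.2.20:58890 -> 198.51.100.1:53 id=0x03c7 q=mail.example.com
2013-11-21T10:00:08 192.0.2.20:33019 -> 198.51.100.1:53 id=0xe210 q=ftp.example.com
2013-11-21T10:00:09 192.0.2.20:61734 -> 198.51.100.1:53 id=0x7b88 q=www.example.org
2013-11-21T10:00:10 192.0.2.20:45602 -> 198.51.100.1:53 id=0x2d4e q=www.example.net
"""

# Assumed line layout: <timestamp> <src-ip>:<src-port> -> <dst-ip>:53 id=0x<txid> q=<name>
LINE_RE = re.compile(r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> \S+:53 id=0x[0-9a-f]{4} ")


def resolver_stats(log_text):
    """Per resolver IP: how many queries it sent and which source ports it used."""
    stats = defaultdict(lambda: {"queries": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an outbound query line
        entry = stats[m["src"]]
        entry["queries"] += 1
        entry["ports"].add(int(m["sport"]))
    return stats


def weak_resolvers(stats, min_queries=5):
    """Resolvers that reuse source ports across outgoing queries. A single port,
    or fewer distinct ports than half the queries, is treated as not randomized."""
    findings = {}
    for src, entry in stats.items():
        if entry["queries"] < min_queries:
            continue  # too few samples to judge
        distinct = len(entry["ports"])
        if distinct == 1 or distinct * 2 < entry["queries"]:
            findings[src] = f"{distinct} distinct source port(s) over {entry['queries']} queries"
    return findings


def spoof_success_probability(forged_replies, port_choices=1, txid_bits=16):
    """Chance that at least one blindly forged reply matches both the 16-bit TXID
    and the source port, given how many ports the resolver picks from (1 = fixed)."""
    space = (2 ** txid_bits) * port_choices
    return 1 - (1 - 1 / space) ** forged_replies
```

With a fixed port the attacker only has to hit the TXID; with a port drawn from the whole ephemeral range the search space grows by a factor of tens of thousands.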

      Botnets - full Explanation

      Botnets 

      A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing among them.

      Usually though, when people talk about botnets, they are talking about a group of computers infected with the malicious kind of robot software, the bots, which present a security threat to the computer owner. Once the robot software (also known as malicious software or malware) has been successfully installed in a computer, this computer becomes a zombie or a drone, unable to resist the commands of the bot commander.

      A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand, may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers' resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC).

      There are various types of malicious bots that have already infected and are continuing to infect the internet. Some bots have their own spreaders – the script that lets them infect other computers (this is the reason why some people dub botnets as computer viruses) – while some smaller types of bots do not have such capabilities.

      Different Types of Bots

      Here is a list of the most used bots in the internet today, their features and command set.

      XtremBot, Agobot, Forbot, Phatbot

      These are currently the best known bots, with more than 500 versions on the internet today. They are written in C++, can be compiled cross-platform, and their source code is released under the GPL. These bots range from fairly simple to highly abstract module-based designs. Because of the modular approach, adding commands or scanners to increase their efficiency in taking advantage of vulnerabilities is fairly easy. They can use the libpcap packet sniffing library, NTFS ADS and PCRE. Agobot is quite distinct in that it is the only bot that makes use of other control protocols besides IRC.

      UrXBot, SDBot, UrBot and RBot

      Like the previous type of bot, these bots are published under the GPL, but unlike the above-mentioned bots they are less abstract in design and written in plain C. Although their implementation is less varied and their design less sophisticated, these types of bots are well known and widely used on the internet.

      GT-Bots and mIRC based bots
      These bots have many versions on the internet, mainly because mIRC is one of the most used IRC clients for Windows. GT stands for Global Threat and is the common name for bots scripted using mIRC. GT-bots make use of the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extension .mrc.

      Malicious Uses of Botnets

      Types Of Botnet Attack

      Denial of Service Attacks
      A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through the loss of connectivity or consumption of the victim network’s bandwidth and overloading of the resources of the victim’s computer system. Botnet attacks are also used to damage or take down a competitor’s website.

      Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
      Any Internet service can be targeted by botnets. This can be done by flooding the website with recursive HTTP or bulletin-board search queries. This mode of attack, in which higher level protocols are utilized to increase the effects of an attack, is also termed spidering.

      Spyware
      Spyware is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information; one such example is the Aurora botnet.

      Adware
      Adware exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.

      Spamming and Traffic Monitoring
      A botnet can also be used to take advantage of an infected computer's TCP/IP SOCKS proxy protocol for networking applications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet (robot network) to harvest email addresses or to send massive amounts of spam or phishing mails.

      Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.

      Access number replacement is where the botnet operator replaces the access numbers of a group of dial-up bots with a victim's phone number. If enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).

      Keylogging and Mass Identity Theft
      Encryption software within the victims' units can deter most bots from harvesting any real information. Unfortunately, some bots have adapted to this by installing a keylogger program on the infected machines. With a keylogger program, the bot owner can use a filtering program to gather only the key sequences typed before or after interesting keywords like PayPal or Yahoo mail. This is one of the reasons behind the massive theft of PayPal accounts over the past several years.

      Bots can also be used as agents for mass identity theft. They do this through phishing, or pretending to be a legitimate company, in order to convince the user to submit personal information and passwords. A link in these phishing mails can also lead to fake PayPal, eBay or other websites to trick the user into typing in the username and password.

      Botnet Spread
      Botnets can also be used to spread other botnets in the network. This is done by convincing the user to download a file, after which the program is executed; delivery is via FTP, HTTP or email.

      Pay-Per-Click Systems Abuse
      Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google’s Adsense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.

      Thursday, 21 November 2013

      DNS - FULL EXPLANATION

      Enumerating DNS records with DNSenum Tool in Kali Linux

      DNS stands for Domain Name System (or Service or Server), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember.

      The Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address.

      For example, the domain name www.way2h.blogspot.com might translate to 74.125.236.67, which is a Google DNS IP; this is my blog, so the domain name was given by Google, and so this IP is Google's DNS IP.

      One of the most important stages of an attack is information gathering. To be able to launch an attack, we need to gather basic information about our target; the more information we get, the higher the probability of a successful attack.

      Enumeration is a process that allows us to gather information from a network. We will examine DNS enumeration and SNMP enumeration techniques.

      DNS enumeration is the process of locating all DNS servers and DNS entries for an organization. DNS enumeration will allow us to gather critical information about the organization such as usernames, computer names, IP addresses, and so on. To achieve this task, we will use DNSenum. For SNMP enumeration, we will use a tool called SnmpEnum. SnmpEnum is a powerful SNMP enumeration tool that allows users to analyze SNMP traffic on a network.

      Navigate to Applications > Kali Linux > Information Gathering > DNS Analysis and open dnsenum,

      and enter the following command:

      root@Kali:~# dnsenum --enum example.com

      It will show you the host address, name server addresses, mail (MX) servers and zone transfer information.

      If you want a more powerful scan that also brute-forces sub-domains, use the following syntax (-f takes a file of candidate sub-domain names to try):

      root@Kali:~# dnsenum --enum -f <subdomain-list-file> -r example.com

      There are some additional options we can run using DNSenum:

      --threads [number] allows you to set how many processes will run at once
      -r allows you to enable recursive lookups on sub-domains
      -d allows you to set the time delay in seconds between WHOIS requests
      -o allows you to specify the output location
      -w allows you to enable the WHOIS queries

      Hope you enjoyed reading this tutorial! And remember, this tut is only for educational purposes; don't try to use it against any restricted server, do it only if you own the domain or have the rights to do so.... Happy hacking, hope you learn something; if you have any question related to this then do comment, I will reply to you :)