How to Hack Computers

                                 A Guide to Hacking Computers for Beginners


Contents



Chapter 6 - The Hacker’s Tool Belt
    1. Vulnerability Scanners
    2. Port Scanners
    3. Layer 4 Scanners
    4. Packet Sniffers
    5. Password Cracking Utilities
Chapter 7 – Utilizing VMWare
Chapter 8 – Introduction to Ping Sweeps, Port Scanning, and NMAP
    1. Ping Sweeps
    2. Operating System Identification
    3. Port Scanning
    4. NMAP Footprinting Procedures: Installing NMAP
    5. NMAP Footprinting Procedures: Ping Sweeps
    6. NMAP Footprinting Procedures: Port Scanning
    7. NMAP Footprinting Procedures: Operating System Identification
In Summary


Chapter 6 - The Hacker’s Tool Belt

Hackers have a lot of tools in their tool belt that the average user hasn’t even heard of. These tools aren’t incredibly special or secretive, but most people simply don’t understand what they are or how to use them. The honest truth is that there are boatloads of different tools out there that can be used to break into a system or be used to identify vulnerabilities.


Oh, and guess what? Surprisingly enough, many of them are completely free to use. Part of the reason many of these tools are free to use stems from the fact that many of the tools were written for Linux, and the vast majority of Linux software is free of charge because it is protected by the GNU license.

Some of the most popular types of hacking tools that we’ll take a hands-on look at in this guide include:

- Vulnerability scanners - we’ll take a look at one called OpenVAS later in this book

- Port scanners – we’ll also see how to use a port scanner called NMAP

- Packet sniffers – this software listens to and records all of the information flowing over your network, and we’ll use one later for a man-in-the-middle attack demonstration

- Password crackers – these tools are used to uncover the password to a system


While this certainly isn’t a comprehensive list of the tools a hacker has in their tool belt, these are certainly some of the most popular and most important tools you need to be aware of. Let’s take a closer look at each one of these types of tools in detail.


1. Vulnerability Scanners


Vulnerability scanners were originally designed to help white hat hackers find potential security holes in their computing systems to plug up the security holes before a black hat hacker could find a way to penetrate the system. However, these scanners can be used for both good and evil.

Black hat hackers can easily leverage a vulnerability scanner to find a weakness in a network, server, or host to facilitate an attack. And these scanners are pretty easy to use, too. Though some of the fine-tuning and tweaking of the scan you want to perform can get a little complex, by and large all you need to do is point the scanner at a target and click a button. But a vulnerability scanner on its own isn’t very dangerous. A black hat hacker will then need to use other types of software in order to take advantage of the vulnerabilities found with the scanner. Vulnerability scanners are really only used to identify weaknesses, plain and simple.

Pros of Vulnerability Scanners:

- Help make systems more secure by identifying weaknesses that an administrator or security expert can then address and take care of

- Mitigates the risk of hackers taking advantage of a system.

- They are fun to use!


Cons of Vulnerability Scanners:

- Sometimes they are not perfect and have the potential to miss the latest system vulnerabilities

- They rely partially on a database of vulnerabilities that needs to be continuously updated

- Hackers can take advantage of them to find ways to break into a system.


2. Port Scanners

A port scanner is basically a software utility that can be used to determine which ports a host is accepting connections on. For example, if I wanted to see if I could pull up a web page from any hosts on my network, I would scan my subnet to see if any hosts have port 80 open. But this is a basic example.


The information obtained from a port scanner can help attackers read between the lines and determine the purpose of a host on their network. For example, if a port scanner showed that a host had port 9100 open, you could reasonably assume that the host you scanned is either a printer or a print server since port 9100 is used for printing. I know, I know, printers are boring. But it is amusing to think that you could send print jobs to your neighbor’s printer and print anything you wanted to after identifying their printer with a port scanner (don’t actually do that, it’s just funny to think about).


But think how far an attacker could take this concept. By identifying the services that are running on a host, they can determine what type of server they are dealing with, whether or not they have found an infrastructure device like a router, switch, or firewall, or find ways to attack end user computers by making connections on their active ports.


Now take a moment to consider things from a white hat perspective. An ethical hacker could use a port scanner to verify that all of the ports on a network that should be closed are actually closed. It is a useful verification tool that can be used to prevent vulnerabilities.
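The same activity looks very different from the defender’s side of the wire: a port scan shows up in your own logs as one source touching many ports in a short time. The following is an added example, not from this book; it runs over a few constructed firewall log lines in an assumed iptables-style format and flags any source that reaches many distinct destination ports within a short window.

```python
"""Flag port-scan-like activity in firewall log lines.

Added example (not from the book). Assumes a constructed iptables-style
line format: '<ISO timestamp> IN=<if> SRC=<ip> DST=<ip> PROTO=<p> DPT=<port>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.168.113.50 probes six ports on one host within a
# few seconds (scan-like); 192.168.113.7 makes two ordinary connections.
SAMPLE_LOG = """
2024-05-01T10:00:00 IN=eth0 SRC=192.168.113.50 DST=192.168.113.21 PROTO=TCP DPT=21
2024-05-01T10:00:00 IN=eth0 SRC=192.168.113.50 DST=192.168.113.21 PROTO=TCP DPT=22
2024-05-01T10:00:01 IN=eth0 SRC=192.168.113.7 DST=192.168.113.21 PROTO=TCP DPT=443
2024-05-01T10:00:01 IN=eth0 SRC=192.168.113.50 DST=192.168.113.21 PROTO=TCP DPT=23
2024-05-01T10:00:02 IN=eth0 SRC=192.168.113.50 DST=192.168.113.21 PROTO=TCP DPT=25
2024-05-01T10:00:02 IN=eth0 SRC=192.168.113.50 DST=192.168.113.21 PROTO=TCP DPT=80
2024-05-01T10:00:03 IN=eth0 SRC=192.168.113.50 DST=192.168.113.21 PROTO=TCP DPT=443
2024-05-01T10:05:00 IN=eth0 SRC=192.168.113.7 DST=192.168.113.21 PROTO=TCP DPT=80
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) from one constructed log line."""
    ts, *rest = line.split()
    fields = dict(f.split("=", 1) for f in rest if "=" in f)
    return datetime.fromisoformat(ts), fields["SRC"], fields["DST"], int(fields["DPT"])


def find_scanners(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {src: sorted ports touched} for every source that reached at
    least `threshold` distinct (dst, port) pairs inside any `window`."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            by_src[src].append((ts, dst, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological order for the sliding window
        lo, peak = 0, 0
        for hi, (ts, _, _) in enumerate(events):
            while ts - events[lo][0] > window:  # drop events older than the window
                lo += 1
            distinct = {(d, p) for _, d, p in events[lo:hi + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[src] = sorted({p for _, _, p in events})
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: ports {ports}")
```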


3. Layer 4 Scanners


Remember how important I told you the OSI model is? Well there is a whole class of scanners that targets layer four (the transport layer) of the OSI model specifically. These scanners look for minute details in the operation of layer 4 protocols such as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) to find weaknesses in hosts. The inner workings of these protocols are actually quite complex, but realize that there is a process called a handshake that two hosts make before they form a connection. By tricking and manipulating the handshake process, attackers can cause serious harm to systems in the form of a DoS (Denial of Service) whereby an attacker breaks the logic in these protocols to cause a host or service to stop functioning or severely underperform.


4. Packet Sniffers

Packet sniffers are invaluable tools that are able to capture, store, and display all of the information that is flowing over a cable or transmission medium such as a wireless interface. By using a packet sniffer, you’ll be able to see in great detail all of the conversations that computers are having with each other.

You can see connection attempts, file transfers, and even Google searches. Packet sniffers are especially dangerous when data is being sent in plain text, which is another way of saying that the data isn’t encrypted before it is sent to another host. So, for example, if your username and password weren’t encrypted before being sent to a server, an attacker can leverage a packet sniffer to capture that data and steal your username and password.


5. Password Cracking Utilities

Hackers frequently use tools called password crackers to gain unauthorized access to computer systems. Cracking is basically a term used to describe the process of obtaining a password that is hidden or stored in a protected format. For example, there are wireless password cracking tools that allow an attacker to gain the password to a Wi-Fi network without needing to know the security key upfront.

But there are many other types of passwords and methods used by these utilities. Some people have heard of a brute force password attack before, and these can take a long time to perform. In the brute force process, a computer will try to guess every conceivable password to gain access to a system by trying every unique combination of characters.


Chapter 7 – Utilizing VMWare

One of the easiest ways for you to build different environments that you can learn to hack in is by using VMWare. But what does this software actually do? VMWare allows you to run code called ‘virtual machines.’ Essentially it has the power to virtualize entire operating systems so you don’t have to wipe the operating system off your host computer and install a completely new one to get started hacking. Sometimes newbies who want to get started hacking may try to install an operating system such as Kali Linux in addition to their host operating system such as Windows. The only problem is that one configuration mistake with the installation could cause a user to lock themselves out of their Windows operating system completely.

Other times they may even accidentally repartition their hard drive and wipe out all of their old files. This is a huge headache, but installing VMWare will solve these problems and allow you to run multiple operating systems simultaneously. The good news is that VMWare Player is free to use and easy to install. You can find the release notes and download link for VMWare Player on VMWare’s website, and you will want to download and install this program for some of the demos later in this book. It is assumed that you have the ability to install basic software, so we won’t get into the VMWare installation process. It’s pretty darn simple, and all you need to do is follow the installation wizard. Also you could be installing this software on different platforms, and the installation steps would change. If you need help installing this software, you can find help on the VMWare website for your given operating system.

Once the image has been successfully downloaded and you install it in VMWare, the VMWare application will go through the installation procedure exactly as if you were trying to install that operating system on your computer, but it will install it within your host environment. As you proceed through the installation process, portions of the procedure will ask you if you want to install a variety of packages. Make sure that you select all of the packages that are described as ‘security’ or ‘penetration testing’ packages. If you fail to install these packages, you will need to go through the installation processes individually for the demonstrations that I walk you through later such as NMAP. If you have any trouble installing your operating system in VMWare, all you need to do is follow the guide on the Kali Linux or Ubuntu sites.

You should also have an idea of the intended uses for each operating system. Ubuntu is designed to be an easy to use replacement for other desktop operating systems such as Windows. It is well-suited for everyday use, and you don’t need to be a Linux expert to use it. As such, it is a great environment to expand your Linux skills and it offers plenty of different penetration testing tools, scanners, and hacking programs. However, you should also know about Kali Linux. Kali was specifically designed with hacking in mind, and the security packages contained in the VMWare image are mostly geared towards providing users with tools that facilitate hacking. However, it is a little more challenging to use if you haven’t been exposed to Linux already, and much of its power is found at the command line.


Chapter 8 – Introduction to Ping Sweeps, Port Scanning, and NMAP

It’s finally time to dig into the good stuff! In this chapter I will walk you through how to perform network scanning and reconnaissance techniques using a program called NMAP. This is the program that the hackers in the movies like to flaunt, and it is fairly easy to use. The whole point of NMAP is to feel out a network and scan it to discover active devices, open ports, and other vital information such as which operating system the host is running. In the network penetration and hacking world, this is referred to as network mapping, footprinting, or reconnaissance.

Once an attacker has gained access to a network, there are a lot of things they can do to prepare an attack. The following are some of the more common footprinting goals:

- Gather information
- Find the local subnet’s IP address structure
- Search for networking devices such as a router, switch, or firewall
- Identify active hosts on the network such as end user workstations
- Discover open ports and access points
- Find out detailed information regarding the operating systems on active machines
- Discover the type of device such as a laptop, tablet, smartphone, or server
- Map the local network
- Capture network traffic


1. Ping Sweeps


The first and easiest technique you need to understand is called a ping sweep. A ping sweep is a useful way to identify active machines on a given subnet. If you aren’t familiar with a ping operation, let’s take a moment to explain this concept. A ping is a command from ICMP (Internet Control Message Protocol), and it is frequently used to determine if two hosts have an end-to-end connection. The host that initiates the ping sends small packets of information via what’s called an ICMP echo request. If the target host is online and has a connection, it will reply to the host who initiated the ping. This will show you that the host is online and that it isn’t suffering from connection problems over the network between the two hosts.

These are the exceptions, though, and not the rule. It is rare that a host would not respond to a ping, and the vast majority of active hosts will show up in a ping sweep. This is especially true if you are performing a ping sweep on the subnet that your computer is directly connected to.


2. Operating System Identification

Yet another useful feature of the NMAP utility is the ability to identify the operating systems that active hosts are using. Though you may not think so at first, this is actually some critical information. After you know what operating system and code version a host is using, you can then search databases using tools such as Metasploit to identify weaknesses and vulnerabilities. Furthermore, NMAP will be able to tell you the model of device a host is using. This is also critical because it will help you discern what type of devices are present such as host computers, tablets, phones, infrastructure devices, hardware appliances, printers, routers, switches, and even firewalls.


3. Port Scanning

Port scanning is a little different from a ping sweep. With port scanning, the goal is to find what port(s) are open on a whole subnet or a single host. For example, you could perform a port scan on your local subnet to see if any hosts are accepting connections on port 80 (HTTP). This is a great way to see if you can access any networking devices such as a wireless router, printer, or a firewall. Because these types of devices typically have web configuration interfaces, any hosts that are accepting connections on port 80 (HTTP) will show you a login prompt if you type their IP address into a web browser.


It is likely that the administrator changed the default username and password for that device, but you would be surprised how frequently people fail to do this because they are inexperienced, lazy, or just plain ignorant of the massive security risk they encounter by leaving the username and password set to default values. If you wanted to, you could even use NMAP to find what type of firmware the networking device is running as well as the model number. Then all you need to do is perform a quick Google search to find the default values and attempt to log in to the device. But this is just one simple example of port scanning. You could even scan a single host to see all of the ports that are accepting connections. And port scanning goes well outside the realm of scanning port 80 to see if you can pull up a web interface.


4. NMAP Footprinting Procedures: Installing NMAP

Before we begin, there is one last thing we need to do to configure VMWare connectivity. VMWare uses the idea of virtualized network adapters, and the default setting won’t put your virtual machine in the same subnet as your host operating system. Simply click on the ‘settings’ tab of the VMWare application and find the configuration option for your ‘network interface.’ Now select the option to put it in bridged mode.

To verify that your host operating system and VMWare operating system are on the same subnet, just run the ipconfig command from the Windows command line or the ifconfig command on Linux and Mac systems. Then, just make sure they match and belong to the same subnet.
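As an added example (not from this book), this script performs the subnet check above without eyeballing the output: it pulls the IPv4 address and mask out of constructed ipconfig and ifconfig snippets and tests whether the host and the virtual machine share a network. The 192.168.113.x and 192.168.44.x addresses are made-up sample values, and the net-tools ifconfig layout is assumed.

```python
"""Check that a host and a VM are on the same IPv4 subnet from their
ipconfig / ifconfig output.

Added example (not from the book). The two output snippets are constructed
and assume the default ipconfig (Windows) and net-tools ifconfig (Linux)
formats; older 'inet addr:' ifconfig output is not handled.
"""
import ipaddress
import re

# Constructed ipconfig output from the Windows host.
HOST_IPCONFIG = """
Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.113.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.113.1
"""

# Constructed ifconfig output from the VM after switching to bridged mode ...
VM_IFCONFIG_BRIDGED = """
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.113.21  netmask 255.255.255.0  broadcast 192.168.113.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

# ... and from the same VM while still on the default NAT network.
VM_IFCONFIG_NAT = """
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.44.128  netmask 255.255.255.0  broadcast 192.168.44.255
"""

IPCONFIG_RE = re.compile(r"IPv4 Address[ .]*: (\S+)\s+Subnet Mask[ .]*: (\S+)")
IFCONFIG_RE = re.compile(r"inet (\S+)\s+netmask (\S+)")


def interfaces(text):
    """Return the non-loopback IPv4Interface objects found in either tool's output."""
    found = []
    for ip, mask in IPCONFIG_RE.findall(text) + IFCONFIG_RE.findall(text):
        iface = ipaddress.ip_interface(f"{ip}/{mask}")  # dotted mask is accepted
        if not iface.ip.is_loopback:
            found.append(iface)
    return found


def same_subnet(host_output, vm_output):
    """True if any host interface shares its network with any VM interface."""
    host_nets = {i.network for i in interfaces(host_output)}
    return any(i.network in host_nets for i in interfaces(vm_output))


if __name__ == "__main__":
    print("bridged:", same_subnet(HOST_IPCONFIG, VM_IFCONFIG_BRIDGED))
    print("NAT:    ", same_subnet(HOST_IPCONFIG, VM_IFCONFIG_NAT))
```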

To begin these demonstrations, you are going to want to fire up VMWare and boot your virtual Linux system. NMAP should already be installed if you selected the security packages as recommended earlier, but if you failed to do this there is good news. It is pretty darn simple to install NMAP.


5. NMAP Footprinting Procedures: Ping Sweeps

Now that you have a good idea of what ping sweeps do, it’s time for a demonstration! Though you can download NMAP for Windows, I would personally recommend you heed my advice and try your hand at installing VMWare to get used to a Linux environment.

The following is the quick and easy 4 step process you need to run a ping sweep in Linux using NMAP.

Step 1 – Run VMWare and boot to your Linux operating system.

Step 2 – Open the terminal (a.k.a. the shell). This can be found by performing a search for ‘terminal’ after clicking the start button. If you failed to install the GUI (Graphical User Interface) during your installation, you would have booted to a black screen with a blinking cursor.

Step 3 – Run the following command:
    - sudo nmap -sP 192.168.1.0/24

Step 4 – Read the results. After the operation completes, NMAP will return a list of IP addresses that successfully responded to the ping sweep.

6. NMAP Footprinting Procedures: Port Scanning

Now it’s time to learn how to identify which ports are open on a target network or device. Just think how useful this is for ethical white hat penetration testers. This tool will essentially let them verify that hosts aren’t accepting connections on dangerous ports that should be blocked by a firewall, but realize this tool is a double-edged sword. Black hat hackers can use this tool to find open ports in an effort to find a way to break into the system. Because you should have already run a ping sweep, I won’t list the steps in this demo. Just test out the command from the terminal that you already have open. The syntax of this command is as follows:

    - sudo nmap -p [PORT] [TARGET]

In the command syntax, [PORT] is a numeric value representing the port you want to scan. If you wanted to scan for hosts accepting HTTP connections, you would set this value to ’80.’ The [TARGET] field specifies which host or subnet you want to scan. If you wanted to scan a single host, you would omit the subnet mask. If you wanted to scan your entire subnet, you would include the subnet mask. Consider the following two examples:

    a. sudo nmap -p 80 192.168.113.21 (this scans the host with the address 192.168.113.21)

    b. sudo nmap -p 80 192.168.113.0/24 (this scans the entire 192.168.113.0/24 subnet)
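Sections 5 and 6 both produce output that a white hat really wants to compare against what the network is supposed to look like. The following added example (not from this book) parses NMAP’s grepable output format (the -oG option) for a constructed ping sweep and port scan of the chapter’s sample hosts, then reports live hosts the allowlist does not know about and open ports that policy does not permit; the allowlist itself is an assumption.

```python
"""Parse NMAP grepable output (-oG) and report live hosts and open ports
that an approved list does not cover.

Added example, not from the book. The scan text is constructed to match
the -oG format; the ALLOWED policy is assumed.
"""

# Constructed grepable output: 'Status' lines come from a ping sweep,
# 'Ports' lines from a port scan. Fields are tab-separated and each port
# entry is port/state/protocol/owner/service/rpc/version.
SCAN_OUTPUT = "\n".join([
    "# Nmap 7.94 scan initiated (constructed sample)",
    "Host: 192.168.113.1 ()\tStatus: Up",
    "Host: 192.168.113.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)",
    "Host: 192.168.113.21 ()\tStatus: Up",
    "Host: 192.168.113.21 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 9100/open/tcp//jetdirect///",
    "Host: 192.168.113.40 ()\tStatus: Up",
    "# Nmap done (constructed sample)",
])

# Assumed policy: the ports each known host is allowed to expose.
ALLOWED = {
    "192.168.113.1": {80, 443},  # router web interface
    "192.168.113.21": {22},      # admin workstation: SSH only
}


def parse_grepable(text):
    """Return {ip: {"up": bool, "open": {port: service}}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comment lines and anything else
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"up": False, "open": {}})
        for field in fields[1:]:
            if field.startswith("Status: "):
                entry["up"] = field == "Status: Up"
            elif field.startswith("Ports: "):
                for item in field[len("Ports: "):].split(", "):
                    parts = item.split("/")
                    if parts[1] == "open":
                        entry["open"][int(parts[0])] = parts[4]
    return hosts


def unexpected_exposure(hosts, allowed):
    """Open ports per host that the policy does not permit."""
    findings = {}
    for ip, entry in hosts.items():
        extra = set(entry["open"]) - allowed.get(ip, set())
        if extra:
            findings[ip] = extra
    return findings


def unknown_live_hosts(hosts, allowed):
    """Live hosts the policy does not know about (possible rogue devices)."""
    return {ip for ip, e in hosts.items() if e["up"] and ip not in allowed}
```

With the sample above, the admin workstation is flagged for port 9100 and 192.168.113.40 is reported as an unknown live host.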


7. NMAP Footprinting Procedures: Operating System Identification

We’re going to learn how to use NMAP to identify a host’s operating system. The syntax for the command is extremely simple and follows a similar structure compared to the previous examples. The only difference is that you use the ‘-O’ option in the command. Consider the following example where we scan a target host to uncover what operating system is running on the target:

    - sudo nmap -O 192.168.113.21


In Summary

Using NMAP, you can easily map a local network topology, identify active hosts with a ping sweep, scan for open ports, and identify operating systems. Note how short and sweet these commands are. These commands provide a high amount of leverage for an attacker because they are so simple to use and NMAP will do all of the dirty work for you.

The next time you see a hacker in a movie, take a glance at their computer screen. More often than not, they are going to be using NMAP. Now you can actually decipher the cryptic text on their monitor!