When the browser requests an SSL connection with the website, it actually requests from the web server to identify itself. The server to identify itself, responds with SSL Certificate. The browser checks the certificate to make sure that the site is the real site and not someone intercepting.

The browser has public keys from root certificate authorities. If the received key from a web server is signed by one of the root CA’s stored in the browser’s database, then the website can be verified as trustworthy automatically and SSL session can be established.

if the browser trusts the SSL Certificate, it sends a unique code to the server encrypted with SSL public key. The server responds with a digitally signed acknowledgement and an SSL encrypted session is established. After this step the browser and the web server start exchanging encrypted messages.

1. Open your BackTrack VM.

2. Goto Applications->BackTrack->Information Gathering->Web Application Analysis->Web Crawlers->webshag-cli

3. Execute the following command to uscan a host on port 80:

python webshag_cli.py targethostname.com

4. Options:
–version show program’s version number and exit

-h, –help show this help message and exit

-U Update the URL scanner databases and exit

-m MODULE Use MODULE [pscan|info|spider|uscan|fuzz]. (default: uscan)

-p PORT Set target port to PORT. For modules uscan and fuzz PORT can
be a list of ports [port1,port2,...]. (default: 80)

-r ROOT Set root directory to ROOT. For modules uscan and fuzz ROOT
can be a list of directories [/root1/,/root2/,...].
(default: /)

-k SKIP *uscan only* Set a false positive detection string

-s SERVER *uscan only* Bypass server detection and force server as
SERVER

-i SPIDER_INIT *spider only* Set spider initial crawling page (default: /)

-n FUZZ_MODE *fuzz only* Choose the fuzzing mode [list|gen]. (default:
list)

-e FUZZ_CFG *fuzz / list only* Set the fuzzing parameters for list mode.
11 = fuzz directories and files; 01 = fuzz files only; 10 =
fuzz directories only; 00 = fuzz nothing. (default: 11)

-g FUZZ_GEN *fuzz / gen only* Set the filename generator expression.
Refer to documentation for syntax reference. (default: )

-x Export a report summarizing results.

-o OUTPUT Set the format of the exported report. [xml|html|txt].
(default: html)

-f OUTPUT_FILE Write report to FILE. (default: webshag_report.html)

A network of zombie computers (botnet) are used to launch denial-of-service (DDOS/DOS) attacks, send spam, attack websites, compromise other computers etc. Because most of the owners of zombie computers are unaware that their system has been compromised and is being used in this way, these computers are compared to zombies.

Infection Strategies – Viruses types

Nonresident viruses – this type of virus search for other files to infect. When a nonresident virus finds a new healthy executable file it replicates itself into healthy executable file.

Resident viruses -  this type of virus loads a replication mechanism into memory and ensures that this mechanism is executed each time the operating system is called to perform a certain operation. The replication mechanism-module can be called each time the operating system executes a file, etc. In this case the virus infects every suitable program that is executed on the computer.

Code injection – can be used to infect operating system files, make antivirus programs unable to detect the virus etc. File hashes stored in Windows, to identify altered Windows files, can also be overwritten so that the System File Checker will report that system files are originals.

Worms

A worm is a standalone malware computer program that replicates itself in order to spread to other computers. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks. It does not need to attach itself to an existing program like virus does.

Trojan Horses

A Trojan horse is a program that appears harmless but hides malicious functions. When the user executes a Trojan horse, the program performs the expected task for ex. a calculator or an mp3 music converter etc, however, the program is also performing actions unknown to the user. The term is derived from the Trojan Horse story in Greek mythology because Trojan horses employ a form of “social engineering,” presenting themselves as harmless, freeware software tools, in order to persuade victims to install them on their computers.

Spyware

Spyware is a type of malicious software installed on computers that collects information about users without their knowledge. The presence of spyware is hidden from the user and can be difficult to detect. Keyllogers are a type of spyware.

Adware

Adware (advertising-supported software) is a computer software which shows advertisements. These advertisements can be in the form of a pop-up, embedded in the user interface of the main software or on a screen presented to the user during the installation process. Adware is harmless but some adware may come with integrated spyware software such as keyloggers.

To find your router in Windows open cmd and issue the following command:

ipconfig

in Linux type:

route -n

ifconfig

Locate the ip address under Gateway. All you need to do in most situations is to enter this ip address into your favorite web browser.

Change default Admin password

Change the name of yout SSID

Service Set Identifier (SSID) is the name of your wireless access point. Change it to something else, for example myownet.

Use encryption

Use WPA2 or WPA2-PSK because these are the latest wireless encryption protocols that provide the best encryption.

Filter MAC addresses

Almost every router has the feature to allow specific devices-mac addresses to access the network. Find all your machines mac addresses and add them to router’s white list.

For Windows users, to find your mac address:

ipconfig

For Linux users:

ifconfig

Enable router’s firewall

Firewall will help you to protect your network and your computers from unauthorized access.

Hide your SSID

Hiding your SSID from public is not a strong security measure but it is an extra layer of security for defense-in-depth.

Let’s see some countermeasures we can take to prevent this sort of vulnerability.

* Generate a new session identifier whenever the user log in.

* Generate a new session identifier whenever the user must re-authenticate.

* Generate a new session identifier on each request.

* Generate a new session identifier every 3-5 minutes.

* Perform an extra check by matching the User-Agent.

* Perform an extra check by matching the IP.

* Store the session identifier in HTTP cookies.

* The logout mechanism must destroy all session data.

* Generate your own random, unpredictable session identifier.

2. Goto Applications->BackTrack->Information Gathering->Network Analysis->Identify Live Hosts->netdiscover

3. Execute the following command to scan the local network:

netdiscover -i eth1 -r xxx.xxx.x.0/24

to get a response similar to this:

Currently scanning: Finished!   |   Screen View: Unique Hosts                 
 
 8 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 480               
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                   
 ----------------------------------------------------------------------------- 
 xxx.xxx.x.x     yy:yy:yy:yy:yy:yy    02    120   Unknown vendor               
 xxx.xxx.x.x     aa:aa:aa:aa:aa:aa    01    060   DIGITAL EQUIPMENT CORPORATION
 xxx.xxx.x.xx    00:00:00:00:00:00    01    060   Vixen Co., Ltd.              
 xxx.xxx.x.xx    cc:cc:cc:cc:cc:cc    01    060   Unknown vendor               
 xxx.xxx.x.x     ee:ee:ee:ee:ee:ee    03    180   Unknown vendor

Usage
netdiscover [-i device] [-r range | -l file | -p] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-C]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained into the given file
-p passive mode: do not send anything, only sniff
-F filter: Customize pcap filter expression (default: “arp”)
-s time: time to sleep between each arp request (miliseconds)
-n node: last ip octet used for scanning (from 2 to 253)
-c count: number of times to send each arp reques (for nets with packet loss)
-f enable fastmode scan, saves a lot of time, recommended for auto
-d ignore home config files for autoscan and fast mode
-S enable sleep time supression betwen each request (hardcore mode)
-P print results in a format suitable for parsing by another program
-L in parsable output mode (-P), continue listening after the active scan is completed

2. Goto Applications->BackTrack->Information Gathering->Network Analysis->OS Fingerprinting->xprobe2.

3. Execute the following command:

xprobe2 xxx.xxx.xxx.xxx

or

xprobe2 -v -r xxx.xxx.xxx.xxx

-v verbose
-r show route to target (traceroute)

You will get a response similar to this:

..
..
[+] Primary Network guess:
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 93%)
[+] Other guesses:
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows NT 4 Server Service Pack 6a" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows NT 4 Server Service Pack 4" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows NT 4 Workstation Service Pack 4" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows NT 4 Workstation Service Pack 6a" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows 2000 Workstation SP1" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows NT 4 Server Service Pack 5" (Guess probability: 93%)
[+] Host xxx.xxx.xxx.xxx Running OS: "Microsoft Windows 2000 Workstation SP3" (Guess probability: 93%)
..
..

happy xprobing..!

2. Goto Applications->BackTrack->Information Gathering->Network Analysis->Network Scanners->lanmap2.

3. After lanmap2 finishes loading open a new terminal tab.

4. Issue the following command in the new tab:

nmap -vv -A xxx.xxx.xxx.*

5. When nmap scanning has finished, stop-terminate lanmap2, change directory to /pentest/enumeration/lanmap2 and paste the following command:

cd graph && ./graph.sh && cd -

to generate the graph.

6. Open File browser, select File System from Devices on the right and goto pentest->enumeration->lanmap2->graph and open file net.png to see your network!!

To install it in Ubuntu:

sudo apt-get install nbtscan

How to use it:

Scan just one machine:

nbtscan 192.168.2.15

You will get an answer like this:

Doing NBT name scan for addresses from 192.168.1.15
 
IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.1.15      GEORGE-XXXXXXXX  <server>  <unknown>        XX:XX:XX:XX:XX:XX

Scan a whole network:

nbtscan 192.168.2.0/24

You will get an answer like this:

Doing NBT name scan for addresses from 192.168.2.0/24
 
IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
192.168.2.0	Sendto failed: Permission denied
192.168.2.11     XXXXXXXXX                  <unknown>        XX:XX:XX:XX:XX:XX
192.168.2.15      GEORGE-YYYYYYYY  <server>  <unknown>        YY:YY:YY:YY:YY:YY
192.168.2.255	Sendto failed: Permission denied

Other arguments:
-v verbose output. Print all names received
from each host

-d dump packets. Print whole packet contents.

-e Format output in /etc/hosts format.

-l Format output in lmhosts format.
Cannot be used with -v, -s or -h options.

-t timeout wait timeout milliseconds for response.
Default 1000.

-b bandwidth Output throttling. Slow down output
so that it uses no more that bandwidth bps.
Useful on slow links, so that ougoing queries
don’t get dropped.

-r use local port 137 for scans. Win95 boxes
respond to this only.
You need to be root to use this option on Unix.

-q Suppress banners and error messages,

-s separator Script-friendly output. Don’t print
column and record headers, separate fields with separator.

-h Print human-readable names for services.
Can only be used with -v option.

-m retransmits Number of retransmits. Default 0.

-f filename Take IP addresses to scan from file filename.