Week 10 (Phishing a Website)

In this post, I will demonstrate how to phish a website using a tool in Kali Linux called SET (the Social-Engineer Toolkit). SET can clone a login page (for example Instagram, Facebook, or even an internet-banking site) so that whatever a target types into the fake page, such as their username and password, is captured by us.

First, open a terminal and type "setoolkit" as shown below.

At the bottom of the terminal there will be a list of choices as shown here. Proceed by choosing Social-Engineering Attacks by typing "1".

Next, choose Website Attack Vectors by typing “2”.

Choose Credential Harvester Attack Method by typing “3”.

Then there will be more choices, as shown below. If we choose Web Templates, we are not required to type in the URL of the site we wish to clone, because its template is already bundled with SET. However, only a few sites are available that way. In this case, I will use the Site Cloner.

Once we are inside the Site Cloner option, we will be asked for the IP address on which the cloned site should be served, i.e. the address the target will be sent to. In this case my IP address is 10.0.2.15 and I will be cloning instagram.com.

If your terminal looks like this, the harvester is running and ready to record whatever the target submits.

This is what we get if we enter our local address in a browser: the same page as the real instagram.com.

If the user falls for the trap, he/she will type their username and password into the fields. Once they press enter, an error message appears stating that there was a problem logging into the site. Behind the scenes, however, the submitted values have been saved and printed in our terminal, shown earlier.

This is the information we get from the user's input: his/her username and password.

In the real world, people will not visit our local IP address to log into their Instagram account. To lure targets to the trap, attackers usually send an email telling them that they must sign in to fix some problem, with a link that points at the cloned page rather than the real site. If the target is not careful, he/she will follow the link and the attacker gets their credentials.

Differences Between Phishing and Spam

Phishing

This kind of attack is designed to steal a person's information, such as a username/login and password, or even bank account details. Besides ordinary phishing there is a similar attack called vishing (voice phishing), which uses voice as its medium, for example a phone call.

Spam

Spam mainly consists of unsolicited email whose content is unwanted by the recipients; it is mostly used for commercial advertising. Fortunately, email services such as Yahoo Mail and Gmail are able to separate "real" emails from spam, so we can worry less about receiving it. However, we should never let our guard down, as attacks may come at any time, from anywhere, through any channel, without us noticing.

Posted in Multimedia & HCI Final Project

Week 9 (Using DVWA)

In this session we were shown a tutorial on how to operate DVWA. DVWA lets us test our skills and tools legally. There are different security levels which we can set in DVWA to test our skills against the same vulnerability with increasingly strict filtering.

To use DVWA we must first start the Apache and MySQL services by typing "service apache2 start; service mysql start", and confirm they are running with "ps aux | egrep "apache|mysql"" (these commands work from any directory, not only /var/www/html), as shown below. If you have already started the services, you can go straight to typing your local IP address into Kali's browser.

Then log into DVWA by browsing to your local IP address and using the account you made earlier.

Once logged in, you will be directed to the main DVWA page as shown.

To start practising with DVWA, first set the security level you need under "DVWA Security".

Command Injection

  • Security Level: Low

Next, go to Command Injection and the following page will appear.

In the field, type any address you like. In this session I used google.com.

Here are the results we got from DVWA and from the terminal respectively.

We can see that DVWA only shows 4 ping replies, whereas in the terminal ping keeps going until we press Ctrl+C. To get the ID of the current user as well, we append the command "id", separated from the address by a semicolon (google.com; id), as shown below.

Because DVWA simply passes the field into the same ping command the terminal runs, we get the same information by entering the same thing in DVWA. The screenshot below shows the result: the web server process runs as user ID 33 (www-data on Debian-based systems such as Kali).

We can view the code behind the page by clicking the "View Source" button. The source shows that DVWA runs a different command on Windows and on Unix: on Windows a bare "ping" sends 4 echo requests and stops, whereas on Unix "ping" runs until the user stops it, so the Unix branch adds "-c 4" to limit it to 4 replies. That is why the web page showed 4 results. In both branches the address we typed is concatenated into the command string unchanged, which is the command injection.

  • Security Level: Medium

Once the security level is set to Medium, I tried the same input as before, but it gave no result. It turns out that this level strips "&&" and ";" from the input.

If we check the resulting command in the terminal, we see that it cannot be executed as intended: with the semicolon removed, ping is run with "google.com id" as its arguments, and "id" is never executed.

To get around this, try other characters besides the blacklisted "&&" and ";". It turns out that "|" works just as well: a pipe sends ping's output into the next command, which still runs. If we change the input to "google.com | id", so that the executed command becomes "ping -c 4 google.com | id", it shows the ID of the current user.

  • Security Level: High

At High the blacklist is longer, but it has a flaw that can be exploited: the entry for the pipe is "| " (pipe followed by a space), and only that exact two-character sequence is removed. "google.com | id" therefore collapses to "google.com id", but a pipe with no space after it survives. To bypass the filter we write "google.com |id"; the only difference is that we do not add a space after the "|" symbol.

With "|id" in the field, the command "ping -c 4 google.com |id" runs, the filter is bypassed, and the following result is given.
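To see exactly why each payload above works or fails, the following Python (an added example, not part of the original post and not DVWA's own PHP) re-implements the substitution tables from DVWA's exec/source/medium.php and high.php (Low has no filter) and reports which inputs still carry a shell metacharacter after filtering. It then shows the fix the Impossible level is built on: validate the input against an allow-list and never hand it to a shell at all. The function and variable names are mine; nothing is executed unless you call safe_ping().

```python
import ipaddress
import re
import subprocess

# Substitution tables as in DVWA's medium.php and high.php. PHP's str_replace()
# applies the pairs one after another, in this order, which is what makes the
# "&;&" and "|id" tricks work.
MEDIUM_BLACKLIST = {"&&": "", ";": ""}
HIGH_BLACKLIST = {"&": "", ";": "", "| ": "", "-": "", "$": "",
                  "(": "", ")": "", "`": "", "||": ""}

METACHARS = re.compile(r"[;&|`$\n]")   # characters that can chain a second command


def dvwa_filter(level, target):
    """Return the user input as DVWA's chosen security level would leave it."""
    if level == "low":
        return target
    table = MEDIUM_BLACKLIST if level == "medium" else HIGH_BLACKLIST
    for bad, replacement in table.items():
        target = target.replace(bad, replacement)
    return target


def dvwa_command(level, target):
    """The string DVWA hands to shell_exec() on Unix ('ping  -c 4 ' . $target)."""
    return "ping -c 4 " + dvwa_filter(level, target)


def injects(level, target):
    """True if a shell metacharacter survives the filter, i.e. a second command can run."""
    return METACHARS.search(dvwa_filter(level, target)) is not None


# --- the hardened version: allow-list the input, no shell ---------------------

# RFC 1123 style hostname: labels of letters, digits and hyphens, not starting
# or ending with a hyphen, so option-like input such as "-f" is rejected too.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def validated_target(target):
    """Accept only a literal IP address or a syntactically valid hostname; else None."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    return target if HOSTNAME.match(target) else None


def safe_ping_argv(target):
    """Build ping's argument list; a list passed to subprocess never goes through a shell."""
    host = validated_target(target)
    if host is None:
        raise ValueError("target rejected: %r" % target)
    return ["ping", "-c", "4", host]


def safe_ping(target):
    """Run the validated ping and return its output (not called by the demo below)."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=30).stdout


if __name__ == "__main__":
    payloads = ["google.com; id", "google.com | id", "google.com |id", "google.com &;& id"]
    for level in ("low", "medium", "high"):
        for p in payloads:
            print("%-6s %-20r -> %-32r injects=%s" % (level, p, dvwa_command(level, p), injects(level, p)))
    for p in ("google.com", "10.0.2.15", "google.com |id", "-f"):
        print("validated_target(%r) = %r" % (p, validated_target(p)))
```

Note the "&;& id" case for Medium: "&&" is removed first (there is none), then ";" is removed, which glues the two remaining ampersands into "&&". Blacklists lose to this kind of ordering trick; the allow-list does not care about the order.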

 

Posted in Multimedia & HCI Final Project

Week 8 (Social Engineering)

The topic of today's presentation is social engineering. Its goal is to obtain all the information that can be had through communication, such as a telephone call or simply by talking to someone. Interviews and interrogations are two processes used to gather it. An interview gathers information from a person with his/her own consent, without coercion, and by agreement between interviewer and interviewee. Interrogation, on the other hand, is conducted against the will of the person, and sometimes violence is involved. Another social-engineering method is vishing (voice phishing), which uses voice over phone calls as its medium.

Impersonation (pretending to be a particular person), reciprocation (exchanging favours), and influential authority (using the role of an authority figure to get information) are methods used to "attack" a particular target.

virustotal.com is a site which can be used to check whether a URL you have received is known to be malicious.

One of the most famous figures known for social engineering is Kevin Mitnick, who spent about five years in prison for his hacking activity.

Posted in Ethical Hacking and Penetration Test

Week 7 (DVWA installation)

In brief, DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable web application whose goal is to give security professionals, and students like us, a place to practise our skills and tools without worrying about being prosecuted for attacking something we are not authorised to test.

First, go to the /var/www/html directory with "cd /var/www/html", then use wget to retrieve the zip file from the GitHub repository and unzip it.

Then move the contents of DVWA-master into the web root with "mv DVWA-master/* /var/www/html". Once the files are moved, change the owner of the /var/www/html directory with the chown (change owner) command: "chown -R www-data:www-data /var/www/html".

Then start the Apache and MySQL services with "service apache2 start; service mysql start" and check them with "ps aux | egrep "apache|mysql"". Once the services are running, secure the MySQL installation with "mysql_secure_installation".

mysql_secure_installation first asks whether you want to set a root password. Set one, then answer "Y/y" to all the remaining questions (remove anonymous users, disallow remote root login, remove the test database, reload the privilege tables).

Once the installation steps are complete, rename config/config.inc.php.dist in the config directory to config/config.inc.php.

Then create the database from the terminal: open a MySQL shell with "mysql -u root -p", enter your root password, and run the query that creates the database.

Next, edit config/config.inc.php with "nano config/config.inc.php".

Set 'db_user' to the MySQL account DVWA should connect as and 'db_password' to that account's password; if you use the root account, that is the root password you set during mysql_secure_installation. The account must actually exist in MySQL, otherwise the setup page will fail to connect.

To get the reCAPTCHA keys, search Google for "google recaptcha" or go directly to https://www.google.com/recaptcha/admin. Type any name you want in the Label field, select reCAPTCHA v2, and fill in the Domains field with your local IP address as shown.

We will get a site key and a secret key, which go into recaptcha_public_key and recaptcha_private_key respectively.

If we browse to our local IP address (in my case 127.0.0.1) and the following page is shown, the DVWA installation we did earlier has succeeded.

Posted in Ethical Hacking and Penetration Test

Week 6 (Port Scanning)

In this session both classes were combined, and the topic we learned was port scanning. Port scanning probes a host's ports to find which ones are open. Its purpose is to find services, and the vulnerabilities in them, that can only be reached when a port is open. We should not only scan the well-known ports (0-1023) but also the registered and dynamic ports (1024 and above). The scan tells us which ports are open, closed, or filtered (no answer comes back, typically because a firewall drops the probe), and also gives a guess about which OS the machine is running. Some scan types are:

  • SYN scan (half-open scan): sends a SYN and judges the port from the reply (SYN-ACK means open, RST means closed) without completing the handshake, so no connection is ever established and the application is less likely to log it.
  • Connect scan: completes the full three-way handshake (SYN, SYN-ACK, ACK) through the operating system's normal connect call, so it needs no special privileges but is easily logged.
  • NULL scan: sends a TCP packet with no flags set; a closed port answers with RST, an open port sends nothing back.
  • FIN scan: sends a packet with only the FIN flag set (as if terminating a connection); closed ports answer RST, open ports stay silent.

At the end of the session, we practised port scanning using Nmap and Zenmap (the GUI version of Nmap) in our Linux virtual machine. We were assigned to find the details of the services on 2 given hosts. First we used a bash shell script to look for open port(s) and make a best guess at the OS the machine is using; then we used both Nmap and Zenmap to confirm the OS. Besides port scanning, Nmap also adds OS detection and, through its scripts, vulnerability scanning (only against ports that are open). In addition we can use p0f and nikto (nikto -host <target>). To see what nmap is actually doing, run nmap and Wireshark at the same time and watch every packet nmap sends.

Nmap has timing templates from T0 to T5: the higher the number, the faster the scan. The reason for using T0 is to avoid the suspicion that could get you blocked: it sends the same probes, but spaced far apart in time rather than in a burst as T4 or T5 do.
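To make the scan types above concrete, here is a connect scan written from scratch in Python (an added example, not from the original post and not nmap's code). It does what "nmap -sT" does: a full handshake per port through the OS connect() call, so it needs no root and produces the same open/closed/filtered verdicts. It starts a throw-away listener on 127.0.0.1 so it runs offline; the host, port choices and function names are mine. SYN, NULL and FIN scans need raw sockets (root) and are not shown; for NULL/FIN remember that silence means open-or-filtered and only an RST proves closed.

```python
import socket
import threading


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan (nmap -sT): one full SYN, SYN-ACK, ACK handshake per port
    via the OS connect() call. No privileges needed, but every probe shows up in
    the target's connection logs. Returns {port: 'open'|'closed'|'filtered'}."""
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)            # the wait per port is the crude T0..T5 knob
        try:
            sock.connect((host, port))
            results[port] = "open"          # handshake completed: a SYN-ACK came back
        except ConnectionRefusedError:
            results[port] = "closed"        # RST came back: nothing listening
        except OSError:                     # includes the timeout: no answer at all
            results[port] = "filtered"      # dropped by a firewall, or host unreachable
        finally:
            sock.close()
    return results


def start_listener(host="127.0.0.1"):
    """Throw-away TCP server on an ephemeral port so the demo has a known-open
    target without touching any real host. Returns (server socket, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(5)
    port = server.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = server.accept()
                conn.close()
            except OSError:                 # server socket closed: stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return server, port


def free_port(host="127.0.0.1"):
    """Pick a port nothing listens on, so a probe to it gets an RST (closed)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed loopback port; returns (open_port, closed_port, results)."""
    server, open_port = start_listener()
    closed_port = free_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        server.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    _, _, scan = demo()
    for port in sorted(scan):
        print("%5d/tcp %s" % (port, scan[port]))
```

Pointing connect_scan at a host that is not yours is a port scan of that host, with all the same legal consequences as running nmap; keep it on systems you are authorised to test.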

Nmap help (nmap -h)

Testing nmap on pentest.id (nmap -O pentest.id)

Results of the nmap scan

nikto (to double-check the information)

Posted in Ethical Hacking and Penetration Test

Week 5 (Enumerating Target)

In this week's session we were introduced to enumeration. It is the phase in which we extract useful information from a network, such as usernames, passwords, last login times, and the resources shared on the network. It continued with an exercise in which we used Linux to install the NBT tools used for enumeration. To make our job easier, it is advised to study the operating system history of your target, as attacks which work on an older OS version may still work on the newer one.

We also practised with the NetBIOS enumeration tools. Commands such as "nbtstat" and "net view" display the NetBIOS name table and show whether any resources are shared on the network, respectively. With "net use" we can connect to a computer's shared files or folders. We were also introduced to other enumeration tools such as NetScanTools Pro and Hyena.

Before we were dismissed we were given an exercise on enumeration, and a quiz at the end of the session.

Below is a demonstration of target enumeration using wpscan, which can only be used against WordPress sites.

First we use wpscan to enumerate the users of the WordPress site. However, the site refused the request because it saw us as a threat and returned a 403 error. To get around this, we can add "--user-agent" or "--random-agent" to the command so that our requests look like they come from an ordinary browser.

Once the process has finished, we get the username of the user.

Then create a text file containing the list of passwords that might be used with that username. To create the .txt file, use the "nano" command followed by the file name.

Once the .txt file is ready, to find the correct password from the wordlist, type "wpscan --url jo1.pentest.id --wordlist /root/Desktop/possiblePswd --username adminjo --random-agent". The "--wordlist" option, followed by the path to the txt file, tells wpscan to try each word as the password for the username given with "--username". (These are the wpscan 2 option names; wpscan 3 renamed them to --passwords/-P and --usernames/-U.)

Posted in Ethical Hacking and Penetration Test

Week 4 (Target Discovery)

This week's session began with a demonstration of retrieving information about someone's laptop through a website: one of the students was told to click a link and browse the page, and as a result some information about his machine was retrieved. Then we were shown how to use dnstrails.com to find old but useful information such as scripts, admin pages and servers, which can help when trying to get at a website's sensitive data. We were also shown the old appearance of BiNus's website, and of others such as tokopedia, on archive.org.

One of the most interesting activities in this session was how one could capture someone's social media or other login details by duplicating the exact HTML of a site on our own server. Because the duplicate resembles the original (in this case one of the well-known internet-banking websites), the target does not suspect that their personal information is being targeted. Once the target has entered his/her login details in the fields, he/she is redirected to the actual banking website to avoid suspicion, so the target assumes he/she mistyped the login details and was "returned" to the banking site.

To avoid such a scam, be very careful before clicking a link. Make sure the link is exactly the one you intended, not merely something that looks like it. Whether a link comes from someone you know or not, always recheck that the link you are about to click is legitimate. By being careful you can avoid being scammed.
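The advice above, and the cloned Instagram page in Week 10, come down to one question: does the link really point at the site it claims to? As an added example (not from the original post), this Python function applies the checks a careful reader should make before typing a password: the real host is the part after any "user@" prefix, a raw IP address is not a brand, a look-alike such as instagram.com.attacker.example is not a subdomain of instagram.com, a punycode label may be a homograph, and a login page should be https. The expected_domain argument is the registrable domain you meant to visit and is an assumption on the caller's part; the function does not consult the Public Suffix List, so for names like example.co.uk pass the full registrable domain.

```python
import ipaddress
from urllib.parse import urlsplit


def link_verdict(url, expected_domain):
    """Return (ok, reason). ok is True only for an https URL whose host is
    expected_domain or a subdomain of it; each phishing trick is named otherwise."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, "not a web link (scheme %r)" % scheme
    if "@" in parts.netloc:
        # https://instagram.com@10.0.2.15/ : everything before '@' is userinfo;
        # the browser actually connects to what comes after it
        return False, "userinfo before '@' hides the real host %r" % parts.hostname
    host = (parts.hostname or "").rstrip(".")      # urlsplit lowercases the host for us
    if not host:
        return False, "no host in link"
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address %s instead of a domain name" % host
    except ValueError:
        pass                                        # not an IP literal, carry on
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) label in %s, possible homograph" % host
    expected = expected_domain.lower().rstrip(".")
    if host != expected and not host.endswith("." + expected):
        # catches instagram.com.attacker.example and instagram-login.example alike
        return False, "host %s is not %s or a subdomain of it" % (host, expected)
    if scheme != "https":
        return False, "plain http: the password would travel unencrypted"
    return True, "host is %s over https" % host


if __name__ == "__main__":
    # constructed sample links, including the kind of URL the Week 10 harvester would be sent as
    samples = [
        "https://www.instagram.com/accounts/login/",
        "http://10.0.2.15/",
        "https://instagram.com@10.0.2.15/",
        "https://www.instagram.com.account-verify.example/login",
        "https://xn--instagram-xyz.example/",
        "http://instagram.com/",
    ]
    for link in samples:
        ok, reason = link_verdict(link, "instagram.com")
        print("%-58s %s: %s" % (link, "OK " if ok else "BAD", reason))
```

The check is deliberately strict about the registrable domain rather than about how the link looks: display text, padlock icons and page design are all under the attacker's control, the host the browser connects to is not.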

 

DNSTrails on Tokopedia.com (securitytrails.com)

We can also run a whois lookup from securitytrails.com to search for information about tokopedia such as the registrar, admin contact, and so on.

Posted in Ethical Hacking and Penetration Test

Week 3 (Tool Engine)

In this session we continued the previous slides with an explanation of the Domain Name System (DNS), how it works and how it can be vulnerable. Alongside Paros Proxy, from the command prompt we can attempt DNS zone transfers using tools such as "dnsenum" and "dig". A successful zone transfer lists all of a domain's records, which can be used to map the network topology and analyse the internal layout of an organisation's servers. Sites such as archive.org and alexa.com give historical snapshots and traffic ranking of a website, while pipl.com, tineye.com, and sec.gov/edgar/shtml can be used to look up people, images, and publicly listed companies respectively.

Tools in Kali Linux such as goorecon, theHarvester and Maltego can also be used to gather the necessary information about the target. We were also taught that Google itself can be used for hacking through search operators such as "inurl:" and "intitle:". The Google Hacking Database (GHDB), a collection of such "Google dorks", can be used to find sensitive documents, information and even passwords that are known to have leaked from their servers.

One cannot know whether their information is safely kept until they discover that it has leaked and is "roaming around" the internet. Therefore there should be a regular (at least annual) check for leaked information, which can be a threat to the company or organisation.

At the end of the session we were given a quiz that involved gathering information with Paros Proxy and the command prompt to obtain information about a certain site.

inurl

dnsenum on pentest.id

dig command

host command

archive.org (Tokopedia as it looked on Aug 20th, 2015)

Posted in Ethical Hacking and Penetration Test

Week 2 (Information Gathering)

In the second meeting (Week 2), we began with an explanation of target scoping. Most components of target scoping, such as preparing the test plan and gathering client information, are checklist items for preparing a penetration test. The agreed scope can further include activities such as adopting a fake identity, investigating employees' backgrounds, and penetrating business partners' systems.

For analysing a company's website, tools such as Paros Proxy can be used, although some information-gathering methods involving Paros Proxy take a while. Other footprinting tools such as whois, the host command, SamSpade, and Greenwich can also be used. With whois we can reveal the name of the registrant and other important details. Email addresses and HTTP basics are further sources of information; email addresses in particular can help retrieve more information than the previous commands.

whois command on pentest.id (whois pentest.id)

Posted in Ethical Hacking and Penetration Test

Week 1

In the first week of the "Ethical Hacking and Penetration Test" course, we were introduced to the basic components of ethical hacking, as well as the different groups of people involved in hacking and cracking.

In penetration testing there are 3 methodologies: the white box, black box, and grey box models. In the white box model the tester is told about the topology and technology, whereas in the black box model the tester is told nothing about either. The grey box model is a combination of the two. We were also told about the process and the techniques involved in penetration testing.

A penetration test also involves 2 groups, the Red and Blue teams, whose roles are attacking and defending respectively. There are also advantages for testers in acquiring certifications such as CEH, CISSP, OPST, and so on.

At the end of the day, the class was given an assignment to go through UU ITE No. 11 of 2008, as revised by UU ITE No. 19 of 2016, in preparation for week 2.

Posted in Ethical Hacking and Penetration Test