Hacking Notes
Motivations
Don’t let the skill of someone (younger) make you quit or take a break from hacking.
Like everything, it takes a lot of practice over time to get good, and hacking is no exception. If
someone looks clearly better than you, it’s because they have put a lot of time in; talent is just a
motivator. Don’t suffer from impostor syndrome, you can do it if you just keep doing it! Several
people were successful only later in life.
https://medium.com/the-mission/9-late-bloomer-success-stories-who-prove-its-never-too-late-to-achieve-your-dreams-b036688da6f (it’s a really good motivator as well)
There are many talented young people who accomplished a lot, but that’s mostly because they
started very early, had a great environment, or had someone experienced in the field
who helped them start out.
I, besides my big brother, have absolutely no one to rely on and ask for help. If I can do it on my own,
then that means I’m successful already!
Hidden wikis:
https://thehiddenwiki.com/Tor
https://torhiddenwiki.com/
https://thehiddenwiki.pw/hidden-wiki-url-directory/
https://www.deepwebsiteslinks.com/
https://darkwebnews.com/deep-web-links/
http://dnstats.com/
Generally, servers can never know your true location unless you explicitly gave it to them or the
server is compromised in some way. So for most server owners, an IP is not very useful. LE (law
enforcement) can use IP addresses to their advantage though.
The darknet is watched by many law enforcement agencies all over the world, so be careful what
information you reveal. This includes explicitly stated information (real-world address, login and
password) and implicit information (typing habits, whether or not you capitalize the beginning of
sentences, grammar mistakes, heavy use of exclamation/question marks, etc.; the time when you visit
the content, which can be correlated to a time zone and profession).
https://docs.google.com/document/d/1zjxozVTp9Z24_wdEwehNv8BapOhNhojMiEnfsnX3oW0/edit 1/11
28/06/2019 Hacking notes - Google Docs
You never want to use identifying nicknames or locations, or anything else that is related to
yourself online when you post or create usernames.
Also, everything the user does (clicking, amount of time spent) can be tracked, analysed and
used to guess someone’s identity. There are even full session replay scripts which exactly mimic the
user’s interaction with the website.
Photos can carry Exif data (geolocation) which a tool like exiftool can read to reveal a
precise location.
It’s a good idea to use a VPN on top of Tor; this provides really good anonymity because the
only points of direct access to the user are the VPN’s servers or the node’s database.
Anyone can set up Tor nodes around the world for any purpose: hackers, spies, feds and of
course just normal Tor users. They can all see the traffic openly.
Do’s:
- Creating fake personalities, or changing browsing/typing habits and usage hours, is a pretty
good way to avoid being correlation-attacked.
- Use a Linux VM for Tor, don’t use Windows.
- Use bridges and/or find company.
Don’ts:
- Never fullscreen the Tor Browser; the window size can be used to fingerprint you.
- Never open .onion sites with a normal browser; this can leak your IP.
- Don’t enable macros or JavaScript, because JavaScript can be nasty.
- Don’t download or open files from untrusted or unknown sites.
- Never torrent over Tor.
- Don’t enable or install browser plugins.
- Avoid unsecured sites; always use HTTPS ones.
- Never reveal personal details to strangers, even in PMs.
Analysis time: 3 months for 50% certainty and 6 months for 80% certainty of the identity of a user.
Linux
Tools:
TheFuck: https://github.com/nvbn/thefuck
TL;DR: https://github.com/tldr-pages/tldr
man page vs the help command — help is a feature of bash shell, it documents some bash
commands, and is available in bash only. Whereas man is more general, and is a native feature
of all Unix or Unix-like operating systems.
We can use dash (-) in Linux as an alias for stdin or stdout, whereas the standard way to do
it would be using /dev/stdin and /dev/stdout. To use files actually named "-", either of the
following can be used:
- Specify the filename relative to the current directory: $ cat ./-
- Bash redirection: $ cat < -
Immensely useful for checking the history of a git repository: git log --graph --decorate --all --oneline
You have to have 400 as the permission for the SSH private key.
setuid, setgid, sticky bits and the corresponding chmod commands (u+s, g+s, +t). The setuid and
setgid bits control which user or group an executable runs as. Kind of similar to setting the “Run as
administrator” flag in Windows, only here in Linux it’s much more flexible and versatile.
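As an added example (not from these notes), a small Python audit that walks a directory tree and reports every file or directory carrying the setuid, setgid or sticky bit, i.e. the bits chmod u+s, g+s and +t set. Finding unexpected setuid binaries is a standard privilege-escalation review step for a defender. The demo tree it builds under a temp directory, and the file names in it, are constructed for the example.

```python
import os
import stat
import tempfile

# The three special permission bits, as stat exposes them.
SPECIAL_BITS = {"setuid": stat.S_ISUID, "setgid": stat.S_ISGID, "sticky": stat.S_ISVTX}


def special_bits(path):
    """Names of the special bits set on `path` (symlinks are not followed)."""
    mode = os.lstat(path).st_mode
    return [name for name, bit in SPECIAL_BITS.items() if mode & bit]


def audit_tree(root):
    """Walk `root` and return (relative path, bits, octal mode) for every entry with a special bit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            bits = special_bits(path)
            if bits:
                mode = stat.S_IMODE(os.lstat(path).st_mode)   # keeps the 4/2/1 leading digit
                findings.append((os.path.relpath(path, root), bits, oct(mode)))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample tree: one setuid script, one sticky directory, one plain file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bin_dir = os.path.join(root, "bin")
    os.mkdir(bin_dir)

    runner = os.path.join(bin_dir, "runner")
    with open(runner, "w") as fh:
        fh.write("#!/bin/sh\necho hello\n")
    os.chmod(runner, 0o4755)          # rwsr-xr-x, what `chmod u+s` produces

    plain = os.path.join(bin_dir, "plain")
    open(plain, "w").close()
    os.chmod(plain, 0o755)            # no special bits: should not be reported

    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)          # rwxrwxrwt, like /tmp (`chmod +t`)
    return root


def run_demo():
    """Build the constructed tree and audit it; returns the findings list."""
    return audit_tree(build_demo_tree())


if __name__ == "__main__":
    for rel, bits, mode in run_demo():
        print(f"{mode}  {', '.join(bits):<14} {rel}")
```

On a real system the same walk over / (run as root so that every directory is readable) gives the list of setuid binaries to compare against a known-good baseline; anything new or in a user-writable location deserves a look.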
crontabs are in the /etc/cron.d/ directory, and cron jobs are run as the user that owns that
crontab file.
Sometimes you can’t ls or cd into a directory but can still write inside that directory…
strange but useful.
There should be no spaces around the equal sign while assigning variables in Bash.
You can trigger more to go into a command mode by making the terminal small enough. And
while you’re in that mode, pressing v will open up an editor, by default vim. And then you can
use vim commands to access the files, such as :e filename to open a file and :set
shell=/bin/bash and then :shell to open a shell.
Finding info leaks in git repos:
Check git log and git tag and look for any interesting commit or tag. Then check it out
using git checkout <commit> and grab that info.
Check .git/packed-refs for all refs. If checking out a ref doesn’t work, use git show <ref> or
git cat-file -p <ref> on it to read the contents directly.
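To make the packed-refs step concrete, here is an added Python example (not from the notes) that parses a .git/packed-refs file into a ref-to-sha map, including the "^" peel lines git writes under annotated tags, and lists the refs a reviewer should read with the git show / git cat-file -p commands above. The file contents and the 40-hex shas are constructed for the example, not taken from a real repository.

```python
import re

# Constructed sample of a .git/packed-refs file. Git writes one "<sha> <refname>" line per
# packed ref; a line beginning with "^" holds the commit an annotated tag (previous line) points to.
SAMPLE_PACKED_REFS = """\
# pack-refs with: peeled fully-peeled sorted
1111111111111111111111111111111111111111 refs/heads/master
2222222222222222222222222222222222222222 refs/heads/old-credentials
3333333333333333333333333333333333333333 refs/remotes/origin/master
4444444444444444444444444444444444444444 refs/tags/v1.0
^5555555555555555555555555555555555555555
"""

REF_LINE = re.compile(r"^([0-9a-f]{40})\s+(\S+)$")
PEEL_LINE = re.compile(r"^\^([0-9a-f]{40})$")


def parse_packed_refs(text):
    """Return {refname: {"sha": <object sha>, "peeled": <commit sha or None>}}."""
    refs = {}
    last_ref = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # header / comment lines
            continue
        m = REF_LINE.match(line)
        if m:
            sha, name = m.groups()
            refs[name] = {"sha": sha, "peeled": None}
            last_ref = name
            continue
        m = PEEL_LINE.match(line)
        if m and last_ref is not None:            # "^sha" belongs to the ref just above it
            refs[last_ref]["peeled"] = m.group(1)
            continue
        raise ValueError(f"packed-refs line {lineno} not understood: {raw!r}")
    return refs


def refs_to_inspect(refs, default_branch="refs/heads/master"):
    """Every ref except the default branch, with the sha to feed to `git cat-file -p`.
    For an annotated tag the peeled sha is the commit; the tag object itself is refs[name]["sha"]."""
    return [(name, info["peeled"] or info["sha"])
            for name, info in sorted(refs.items()) if name != default_branch]


if __name__ == "__main__":
    parsed = parse_packed_refs(SAMPLE_PACKED_REFS)
    for name, sha in refs_to_inspect(parsed):
        print(f"git cat-file -p {sha}   # {name}")
```

Run against a real repository, `parse_packed_refs(open(".git/packed-refs").read())` gives the same structure; loose refs under .git/refs/ are not in this file and have to be listed separately.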
IP sweeper example:
ipsweeper.sh
#!/bin/bash
if [ "$1" == "" ]; then
  echo "You forgot an IP Address"
  echo "Syntax: ./ipsweeper 192.168.1"
else
  for ip in $(seq 1 254); do   # the notes break off here; this is the usual ping loop over the /24
    ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
  done; wait
fi
Using dash “-” is a short way of going back. You can do these commands to refer to the
previous instance.
And the pipe (|), which passes the output of one command as the input of the next one.
The history command outputs the history of commands used and can be used in conjunction with
grep to find a specific one.
Logs:
System commands.
The $? operator:
Networking
Started researching networking on 23/04/2019 and roughly finished on 01/05/2019; roughly 3
days of actual research were done.
OSI model:
IP Address - (Internet Protocol address) unique identifier of a device within a network. Think of it
as a street address. Requires a host part and a subnet. Consists of 32 bits, or 4 groups of 8 bits (4
octets), in the form 123.80.118.47.
It consists of 2 parts, the Network Address and the Host Address. Let’s say we have this address:
172.18.230.127/29
Network Address - The numerical network part of an IP address. It is used to distinguish a
network that has its own hosts and addresses. The first address in the subnet, 172.18.230.120, is
the network address.
Broadcast Address - 172.18.230.127 is the broadcast address in the above example because
it’s the last one; each subnet in this example only has 8 addresses.
When the network ID or host ID bits are replaced by all ones, this has the special meaning of
“all”. So replacing the host ID with all ones means the IP address refers to all hosts on the
network. This is also used as the broadcast address for sending a message to “everyone”.
Host Address - The host address can be anything between the Network Address and the Broadcast
Address. It’s usually the important bit we need.
Global / Public IP - Your internet ip that is visible by internet servers or your ISP. Ex:
212.83.134.152 / 29
Private IP - IP address that is visible only on subnets like a LAN Ex. 192.168.1.10 / 24
Physical address - Addresses that belong to individual network interfaces attached to a device.
For example, the Wi-Fi radio and the Bluetooth radio of a mobile device possess their own
physical network addresses.
Virtual address - Addresses that are assigned to devices according to the kind of network they
are attached to. The virtual addresses of a mobile device, for example, change as it migrates
from one network to another, while its physical addresses remain fixed.
127.0.0.1 - Special address. Redirects any network traffic back to itself as if it was an outside
source. Called localhost or the loopback address. Used for local testing purposes by many
programs.
0.0.0.0 - It’s a non-routable address that describes an invalid or unknown target. It has many
uses depending on the situation. Devices usually show an address of 0.0.0.0 when they’re not
connected to any network. For route entry it means a default route for a server. In the context of
servers it means that it listens to all IPv4 addresses. More on this:
https://www.howtogeek.com/225487/what-is-the-difference-between-127.0.0.1-and-0.0.0.0/
Subnet - A small network inside a larger network. Setting up subnets in line with the physical
proximity of devices increases network speed and security.
Subnet Mask - By default: 255.255.255.0. Let’s say that our private IP address is 192.168.1.10.
Essentially, a subnet mask is how devices know which other devices they can communicate
with directly, i.e. which are within the same subnet. If the IP address of another device falls
within that mask (0-255 in the last octet in this case, e.g. 192.168.1.5) they can be peers.
If the other IP address is 192.168.0.12, it isn’t possible, because the subnet mask restricts the
match to the last octet only.
CIDR - Classless Inter-Domain Routing. It’s a compact representation of an IP address and its
associated routing prefix / subnet mask (/24 or /10).
Network classes:
Host - (also known as "network host") is a computer or other device that communicates with
other hosts on a network. Usually an end system which can host / run applications, such as a
PC, printer or a server. Hosts on a network include clients and servers -- that send or receive
data, services or applications.
More on hosts: https://searchnetworking.techtarget.com/definition/host
Node - (also known as “network node”) In IP routing it means a point where source traffic has to
go through in order to reach the end destination.
NIC - The network interface card is a hardware component, typically a circuit board or chip,
which is installed in a computer so that it can connect to a network. Usually shows up under a
name like wlan0 or eth0 when listing network interfaces.
Network gateway - A network gateway joins two networks so the devices on one network can
communicate with the devices on another network. Can be a device like a router, hub or even a
computer.
Default gateway - All the clients on a network point to a default gateway that routes their traffic
from the subnet to the internet.
IP routing - IP routing uses IP addresses to forward IP packets from their sources to their
destinations. A - x - y - z - w - B. To get traffic from A to B, A must find the closest node to pass
the traffic using routing tables each time. When destination IP is equal to machine IP the traffic
gets consumed by the end machine.
Routing Table - A table in which each device keeps the IP addresses of its peers in order to
correctly route incoming traffic.
You can use the route command on both Linux and Windows machines. Each line of IP addresses
is called a route entry.
Routable - Meaning that traffic can be sent outside the current subnet.
Anycast - IPv6 protocol where there’s communication between a single sender and any nearby
multiple receivers on a network.
Multicast - It’s communication between a single sender and multiple receivers on a network. A
good example of this mechanism is live streaming where a server sends the same traffic to
multiple IP addresses at the same time.
NetBIOS is an API that provides communication services on local networks most typically used
by Windows machines.
DHCP - Dynamic Host Configuration Protocol. It’s a server that typically resides in a router and
auto-configures the IP address of any (new) device on a local network. It doesn’t make sense
to use it for printers or servers, nor for remote-access machines, which can break if a lease is
reassigned during a session.
NAT network - Network Address Translation is the process where a network device, usually a
firewall, assigns a public address to a computer (or group of computers) inside a private
network.
Imagine your house with 10 devices on the internet (laptops, desktops, game consoles, etc).
Those don't have their own external IP address (the one on the internet). You only have 1 for
your modem/router, and your router then forwards a packet to each device based on the port #
and internal IP address. This is why you need to set up port forwarding if you've ever played an
online game, so that when a packet hits your router on a certain port, it knows which computer
to send it to.
Hosts file - A hosts file is a list of computer names and their associated IP addresses. It’s a file
that exists on Windows and UNIX machines and can do two things:
-To prevent access to undesirable web servers (such as those offering tacky advertising or
inappropriate content).
-To set up private, easy-to-remember "shortcut" names for servers on a local network.
Windows path: C:\Windows\system32\drivers\etc\hosts
Linux path: /etc/hosts
Ipconfig release / renew - Both /renew and /release options only work on clients configured for
dynamic (DHCP) addressing.
/release terminates any active TCP/IP connections on all network adapters and releases those
IP addresses for use by other applications. Can be specified with a target connection. The
command accepts either full connection names or wildcard names. Examples:
ipconfig /release "Local Area Connection 1"
ipconfig /release *Local*
/renew re-establishes TCP/IP connections on all network adapters.
LLMNR/NBT-NS Security:
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two
components of Microsoft Windows machines. LLMNR was introduced in Windows Vista and is
the successor to NBT-NS.
for something named pintserver. Essentially, any time DNS can’t resolve the name, Windows
falls back to these systems if they are available.
An attacker can pretend to be the mistyped host, learn information from the other machine and
obtain its password hash, which can be cracked; if it’s a weak one it will be known instantly.
Breaking LLMNR:
Insert tool and commands...
Protective measures:
Disable LLMNR and NBT-NS.
Prevent inter-VLAN communication. This also limits the success of most local network attacks.
Use limited user accounts. An attacker has to do more work if they only have an account with
limited privileges.
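Disabling LLMNR and NBT-NS is a policy; checking that the policy actually took hold on every host is a monitoring job. As an added Python example (not from the notes), here is a detector that scans flow records for the two fallback name-resolution protocols: LLMNR queries go to the multicast group 224.0.0.252 on UDP 5355, and NBT-NS name queries go to the subnet broadcast address on UDP 137. Any host still emitting them is a host where the protective measure has not been applied. The flow-record line format and the sample records are constructed for the example, and the ".255 means broadcast" check assumes /24 subnets.

```python
import re
from collections import Counter

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # LLMNR IPv4 multicast group and port
NBTNS_PORT = 137                                 # NetBIOS name service

# Constructed flow-record format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample records: two hosts still falling back, plus ordinary DNS and SMB traffic.
SAMPLE_FLOWS = [
    "2019-06-28T10:00:01 10.0.0.5:52344 -> 224.0.0.252:5355 UDP",
    "2019-06-28T10:00:01 10.0.0.5:52345 -> 224.0.0.252:5355 UDP",
    "2019-06-28T10:00:02 10.0.0.7:137 -> 10.0.0.255:137 UDP",
    "2019-06-28T10:00:03 10.0.0.5:41002 -> 10.0.0.1:53 UDP",
    "2019-06-28T10:00:04 10.0.0.9:49201 -> 10.0.0.20:445 TCP",
    "this line is not a flow record",
]


def is_broadcast(dst):
    """Assumption: /24 subnets, so x.y.z.255 or the limited broadcast address."""
    return dst == "255.255.255.255" or dst.endswith(".255")


def classify(line):
    """Return ('LLMNR' | 'NBT-NS', source IP) for a fallback name query, else None."""
    m = FLOW_RE.match(line.strip())
    if not m or m["proto"] != "UDP":
        return None
    dst, dport = m["dst"], int(m["dport"])
    if dst == LLMNR_GROUP and dport == LLMNR_PORT:
        return ("LLMNR", m["src"])
    if dport == NBTNS_PORT and is_broadcast(dst):
        return ("NBT-NS", m["src"])
    return None


def hosts_still_using_fallback(lines):
    """Counter of (protocol, source IP) -> number of fallback queries seen."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    for (proto, src), n in sorted(hosts_still_using_fallback(SAMPLE_FLOWS).items()):
        print(f"{src:<12} {proto:<7} {n} queries  -> fallback resolution still enabled")
```

In practice the input would be Zeek conn logs, NetFlow exports or a packet capture converted to the same fields; the point is that a poisoning attack needs victims that still send these queries, so the detector doubles as a compliance check for the "disable LLMNR and NBT-NS" measure.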
Pentesting/Penetration
Tools:
Responder:
PSExec: