Hacking Notes

The document provides tips and precautions for using the darknet and Tor anonymously. It discusses motivations for continuing to practice hacking skills despite others appearing more skilled. It then outlines best practices for maintaining anonymity on the darknet such as using a VPN with Tor, avoiding revealing personal details, and changing browsing habits to prevent correlation attacks. The document also lists useful Linux commands and tools for tasks like file searching, encryption, port scanning and more. It provides tips for securely using SSH keys and cron jobs.

Uploaded by Pedro Vaz

28/06/2019 Hacking notes - Google Docs

Motivations
Don't let someone (younger) being more skilled than you push you into quitting or taking a break from hacking.
Like everything, it takes a lot of practice over time to get good, and hacking is no exception. If
someone looks clearly better than you it's because they have put a lot of time in; talent is just a
motivator. Don't suffer from impostor syndrome, you can do it if you just keep doing it! Several
people were successful only later in life.
https://medium.com/the-mission/9-late-bloomer-success-stories-who-prove-its-never-too-late-to-achieve-your-dreams-b036688da6f (it's a really good motivator as well)
There are many talented young people who accomplished a lot, but that's mostly because they
started very early, had a great environment, or had someone experienced in the field
who helped them start out.
I, besides my big brother, have absolutely no one to rely on or ask for help. If I can do it on my own,
then that means I'm successful already!

DarkNet Security and Privacy Precautions


The deep web is commonly said to make up the large majority of the internet (figures like 96% get
quoted, though nobody can really measure it). It is essentially anything that's not indexed by
search engines (private accounts, corporate portals, illegal sites, or anything that search
engines don't want to or can't index).
A darknet (a subset of the deep web) is an overlay network you can only reach with specific
software, and much of what is hosted there is illegal. Darknets are monitored by many
organizations, law enforcement and other hackers looking for easy targets.
Other darknets exist, such as I2P, Freenet, GNUnet and ZeroNet, but the most common one is
Tor (The Onion Router).

Hidden wikis:
https://thehiddenwiki.com/Tor
https://torhiddenwiki.com/
https://thehiddenwiki.pw/hidden-wiki-url-directory/
https://www.deepwebsiteslinks.com/
https://darkwebnews.com/deep-web-links/
http://dnstats.com/

Over Tor a server sees the exit node's IP address, not yours, so it cannot learn your true location
unless you give it away yourself or your client is compromised in some way (a browser exploit, a
downloaded document that phones home). For most server owners an IP is therefore not very
useful on its own. Law enforcement, however, can combine IP addresses with ISP records, timing
and other data, so to them an IP is far from worthless.

The darknet is watched by many law enforcement agencies all over the world, so be careful what
information you reveal. This includes explicitly stated information (real-world address, login and
password) and implicit information (typing habits, whether or not you capitalize the beginning of
sentences, grammar mistakes, use of many exclamation/question marks, etc.; the time of day you
visit the content, which can be correlated to a time zone and a profession).
Never use identifying nicknames or locations, or anything else that is related to yourself online,
when you post or create usernames.
https://docs.google.com/document/d/1zjxozVTp9Z24_wdEwehNv8BapOhNhojMiEnfsnX3oW0/edit 1/11

Also everything the user does (clicks, time spent on a page) can be tracked, analysed and used
to guess someone's identity. There are even full session-replay scripts that record exactly how
the user interacted with the website.
Photos can carry EXIF metadata, including GPS coordinates, which a tool like exiftool can read to
reveal a precise geolocation. Strip it before uploading (exiftool -all= photo.jpg).

Some people put a VPN in front of Tor (you -> VPN -> Tor): your ISP then only sees VPN traffic and
the Tor guard node only sees the VPN's address. The trade-off is that the VPN provider becomes a
single party that knows both who you are and that you use Tor, so it has to be trusted not to log.
Anyone can set up Tor nodes anywhere in the world, for any purpose: hackers, spies, feds and of
course ordinary Tor users. Each node sees a different piece: the guard sees your IP but not the
destination or content, the exit sees the destination and, for plain HTTP, the content in the clear,
but not your IP.

Do's:

- Creating fake personas, or changing browsing/typing habits and usage hours, is a pretty
good way to avoid being correlated across identities.
- Use a Linux VM (or a purpose-built system like Tails or Whonix) for Tor, not Windows.
- Use bridges and/or find company: the more Tor users there are around you, the harder it is to
single you out.

Don'ts:

- Never fullscreen the Tor Browser; the resulting window size can be used to fingerprint you.
- Never open .onion sites with a normal browser; this can leak your IP.
- Don't enable macros or JavaScript; JavaScript can be nasty (browser exploits have been used
to de-anonymize Tor users).
- Don't download or open files from untrusted or unknown sites, and don't open downloaded
documents while online.
- Never torrent over Tor.
- Don't enable or install browser plugins.
- Avoid unsecured sites; always use HTTPS ones, since the exit node can read plain HTTP.
- Never reveal personal details to strangers, even in PMs.

Correlation attack or end-to-end confirmation attack:

An adversary who can observe traffic at both ends of the circuit (for example at your ISP or
guard node, and at the exit node or the destination site) measures the volume and timing of
traffic on both sides and lines them up, confirming that a specific user is talking to a specific
site. No decryption is needed; this de-anonymizes the user and reveals their IP address.

Analysis time: one academic estimate for an adversary running a moderate share of Tor relays is
roughly 3 months for a 50% chance and 6 months for an 80% chance of identifying a regular user.
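The matching step described above, as an added example that is not part of the original notes: a few client sessions are simulated as per-second packet counts at the entry side, the same flows reappear at the exit side delayed and with some extra chatter mixed in, and the attacker recovers who talked to whom purely from the correlation of volumes over time. All flows, the 2-second latency and the noise model are constructed assumptions for the simulation; nothing is captured from a real network.

```python
"""Simulated end-to-end (traffic) confirmation attack.

Added example, not from the original notes. An observer who sees packet
volumes per second at the client's entry point (ISP or guard node) and at the
far end (exit node or the site) can line the two time series up without
decrypting anything. All flows below are constructed with seeded random
numbers; the latency and noise are assumptions.
"""
import random

SECONDS = 120          # observation window, one-second bins
LATENCY = 2            # assumed delay between entry and exit side, in bins


def make_flow(rng, burstiness=0.3):
    """Constructed per-second packet counts for one client session:
    mostly idle, with occasional bursts (page loads)."""
    return [rng.randint(20, 60) if rng.random() < burstiness else rng.randint(0, 3)
            for _ in range(SECONDS)]


def shift_with_noise(flow, rng, lag=LATENCY):
    """What the same flow looks like at the far end: delayed by `lag` bins,
    with a little unrelated traffic (retransmits, site chatter) added."""
    delayed = [0] * lag + flow[: SECONDS - lag]
    return [c + rng.randint(0, 2) for c in delayed]


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a) ** 0.5
    vb = sum((y - mb) ** 2 for y in b) ** 0.5
    return cov / (va * vb) if va and vb else 0.0


def correlate(entry, exit_, max_lag=5):
    """Best correlation over a range of lags, so the attacker does not need
    to know the network latency in advance."""
    best = 0.0
    for lag in range(max_lag + 1):
        best = max(best, pearson(entry[: len(entry) - lag], exit_[lag:]))
    return best


def match_flows(entry_flows, exit_flows):
    """Pair each exit-side flow with the entry-side flow that correlates best.
    Returns {exit_index: entry_index}."""
    matches = {}
    for j, ef in enumerate(exit_flows):
        scores = [correlate(cf, ef) for cf in entry_flows]
        matches[j] = max(range(len(scores)), key=scores.__getitem__)
    return matches


def demo(n_clients=5, seed=7):
    """Build n sessions, shuffle them at the exit, and count how many the
    attacker pairs up correctly. Returns (correct, total)."""
    rng = random.Random(seed)
    entry_flows = [make_flow(rng) for _ in range(n_clients)]
    order = list(range(n_clients))
    rng.shuffle(order)                       # attacker does not know this order
    exit_flows = [shift_with_noise(entry_flows[i], rng) for i in order]
    matches = match_flows(entry_flows, exit_flows)
    correct = sum(1 for j, i in matches.items() if i == order[j])
    return correct, n_clients


if __name__ == "__main__":
    hit, total = demo()
    print(f"{hit}/{total} sessions de-anonymised by volume and timing alone")
```

Because the comparison is done on packet counts only, encryption does not help against it; what does help is what the Do's above say: not producing a distinctive traffic pattern (fixed hours, the same bursty habits) that an observer can recognise at the other end.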


Linux
Tools:
TheFuck: https://github.com/nvbn/thefuck
TL;DR: https://github.com/tldr-pages/tldr

man page vs the help command: help is a builtin of the bash shell, it documents bash's own
builtin commands, and is available in bash only. man is more general and is a native feature
of all Unix or Unix-like operating systems.

We can use a dash (-) in Linux as an alias of stdin or stdout, whereas the explicit way to do
it would be using /dev/stdin and /dev/stdout. To use a file actually named "-", either of the
following can be used:
Specify the filename relative to the current directory: cat ./-
Bash redirection: cat < -

Some interesting Unix commands.


file, find, xargs, grep, and piping between them, to look for interesting files.
sort and uniq, for getting unique lines in a text file (uniq only collapses adjacent duplicates,
so sort first).
strings for searching for printable strings in binary files.
base64 to encode or decode Base64.
tr 'A-Za-z' 'N-ZA-Mn-za-m' for ROT13, or any suitable variation of the command for
any other rotation. Obviously it can be used for other sorts of substitution, such as
tr '[:upper:]' '[:lower:]' to convert uppercase to lowercase.
gzip and bzip2 are the standard compression formats used in Linux, and tar bundles files into
an archive (usually compressed with one of them, e.g. .tar.gz); there are corresponding
programs with the same names.
xxd for creating hexdumps and reversing them back to binary (xxd -r).
nc host port for an arbitrary TCP connection (add -u for UDP).
openssl s_client -connect host:port for connecting to TLS/SSL services.
nmap for port scanning.
diff for diffing, obviously.
scp to copy files over the SSH protocol.
Unix job control: jobs, fg, bg and CTRL+Z.
Listen on a port using netcat: nc -l -p port
Split by space and take the first element from each line: cut -d ' ' -f 1
md5sum for an MD5 checksum (duh!)
More commands: seq and tee. seq produces a sequence of numbers, which can in turn
be used in for loops in bash. Format strings can be used with seq, like seq -f %04g 1 10. tee
copies stdin into a file while still passing it on to stdout.
echo -e is used when we want bash to interpret backslash escapes such as \n.
getent passwd for reading the password database (covers /etc/passwd plus any LDAP/NIS users).


Immensely useful for checking the history of a git repository: git log --graph
--decorate --all --oneline
An SSH private key must not be readable by group or others, otherwise ssh refuses to use it;
chmod 600 (or 400) it.
setuid, setgid, sticky and the corresponding chmod commands (chmod u+s, g+s, +t). setuid and
setgid on an executable make it run as the file's owner/group instead of the invoking user, kind
of like the "Run as administrator" flag in Windows, only much more flexible (and a classic
privilege-escalation target: find / -perm -4000 -type f). The sticky bit on a directory means
only a file's owner can delete it.
System crontabs are in /etc/cron.d/ (and /etc/crontab); each line names the user to run as. User
crontabs (crontab -e) live under /var/spool/cron and run as the user who owns them. A cron job
that runs as root but executes a script writable by someone else is a privilege escalation.
A directory with write and execute but no read permission (-wx) can't be listed with ls, but you
can still cd into it and create or open files inside if you know their names. Strange but useful.
There should be no spaces around the equal sign when assigning variables in Bash.
You can force more into its command mode by making the terminal small enough. While
you're in that mode, pressing v opens an editor, by default vi(m). You can then
use vim commands to access other files, such as :e filename to open a file, and :set
shell=/bin/bash followed by :shell to open a shell (useful when more runs with elevated
privileges).
Finding info leaks in git repos:
Check git log and git tag and look for any interesting commit or tag. Then check it out
with git checkout <commit> and grab the info.
Check .git/packed-refs for all refs. If checking out a ref doesn't work, use git
show <ref> or git cat-file -p <ref> to read its contents directly.

cut command to cut or select certain fields from lines of text.

IP sweeper example:

ipsweeper.sh
#!/bin/bash
# Ping sweep of a /24. Usage: ./ipsweeper.sh 192.168.1
if [ "$1" == "" ]; then
    echo "You forgot an IP Address"
    echo "Syntax: ./ipsweeper.sh 192.168.1"
    exit 1
fi

for ip in $(seq 1 254); do
    # one echo request per host, in the background; print only the hosts that replied
    ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
wait

Dash operator (-)

Using a dash "-" is often a short way of going back to a previous state, but it doesn't always
mean "previous":

cd - goes back to the previous directory, not the folder above.

su - (with no username) gives a login shell as root, with root's environment; here the dash means
"login shell", not "previous user". For example, root@linux# su bob, and then su - from bob's
shell (entering the root password) gets you back to root. exit returns you to the shell you came
from.

And | (pipe) chains commands, feeding the output of one into the next:

ps aux | grep "important process"

history | grep ping

The history command outputs the history of commands used and can be combined with grep to
find a specific one.

More on chaining operations:


https://www.tecmint.com/chaining-operators-in-linux-with-practical-examples/

Logs:

Important log files.

/var/log/auth.log stores information about authentication of users (logins, SSH, su) on
Debian/Ubuntu; RHEL-style systems use /var/log/secure. It also logs when users attempt to use
sudo to do things they shouldn't.

System commands.

ifconfig - information on network adapters (deprecated on modern Linux in favour of ip addr)
iwconfig - information on wireless adapters
arp -a - lists LAN IP addresses with their associated MAC addresses (unique identifiers of
network adapters); ip neigh is the modern equivalent
netstat -ano (Windows) / netstat -tulpn or ss -tulpn (Linux) - listening ports and connections
together with the owning process

The $? variable:

$? holds the exit code of the previous command. if [[ ! "$?" -eq 0 ]] means "if the exit code of
the previous command is NOT 0", i.e. if it failed; if [ "$?" -eq 0 ] tests for success.

Exit codes: 0 means the command exited successfully, anything else means it reported an error.

Networking
Started researching networking on 23/04/2019 and roughly finished on 01/05/2019; roughly 3
days of actual research were done.
OSI model:


IP Address - (Internet Protocol address) unique identifier of a device within a network. Think of it
as a street address. Every address has a network part and a host part. An IPv4 address consists
of 32 bits, or 4 groups of 8 bits (4 octets), in the form 123.80.118.47.
Let's say we have this address:
172.18.230.127/29
Network Address - the numerical network part of an IP address, i.e. the address with all host bits
set to zero. This is used to distinguish a network that has its own hosts and addresses. The first
address in the subnet, 172.18.230.120, is the network address.

Broadcast Address - 172.18.230.127 is the broadcast address in the above example because
it's the last one; a /29 has only 8 addresses in total (6 usable for hosts).
When the network ID or host ID bits are replaced by all ones, this has the special meaning of
"all". So replacing the host ID with all ones means the IP address refers to all hosts on the
network. This is used as the broadcast address for sending a message to "everyone".

Host Address - any address between the network address and the broadcast address. It's
usually the important bit we need.


Global / Public IP - Your internet ip that is visible by internet servers or your ISP. Ex:
212.83.134.152 / 29

Private IP - IP address that is visible only on subnets like a LAN Ex. 192.168.1.10 / 24

Physical address - the hardware (MAC) address of an individual network interface attached to a
device. For example, the Wi-Fi radio and the Bluetooth radio of a mobile device each possess
their own physical address.

Virtual (logical) address - an address assigned to a device according to the network it is
attached to, i.e. its IP address. The virtual addresses of a mobile device change as it migrates
from one network to another, while its physical addresses remain fixed.

127.0.0.1 - Special address. Traffic sent to it is delivered back to the same machine as if it had
come from outside. Called localhost or the loopback address. Used for local testing purposes by
many programs.

0.0.0.0 - It’s a non-routable address that describes an invalid or unknown target. It has many
uses depending on the situation. Devices usually show an address of 0.0.0.0 when they’re not
connected to any network. For route entry it means a default route for a server. In the context of
servers it means that it listens to all IPv4 addresses. More on this:
https://www.howtogeek.com/225487/what-is-the-difference-between-127.0.0.1-and-0.0.0.0/

Subnet - A small network inside a larger network. Splitting a network into subnets that follow the
physical layout keeps broadcast traffic local and lets you filter traffic between segments, which
helps both speed and security.


Method to determine all these addresses.

Subnet Mask - commonly 255.255.255.0 (/24) on home networks. Let's say that our private IP
address is 192.168.1.10.
Essentially the subnet mask is how a device knows which other addresses are on its own subnet
and can be reached directly. Any address that matches in the masked part (here the first three
octets, so 192.168.1.0-255, e.g. 192.168.1.5) is a peer.
192.168.0.12 isn't, because the mask fixes the first three octets and only the last octet may
vary; traffic to it has to go through the gateway.

CIDR - Classless Inter-Domain Routing. A compact representation of an IP address and its
associated routing prefix / subnet mask (/24 = 255.255.255.0, /10 = 255.192.0.0).

Network classes (historical; replaced by CIDR, but the names are still used loosely):

Class A 1.0.0.0 to 126.255.255.255: up to 16 million hosts on each of 126 networks (127.x is
loopback).
Class B 128.0.0.0 to 191.255.255.255: up to 65,534 hosts on each of 16,384 networks.
Class C 192.0.0.0 to 223.255.255.255: up to 254 hosts on each of about 2 million networks.
Class D 224.0.0.0 to 239.255.255.255: reserved for multicast groups.
Class E 240.0.0.0 to 255.255.255.255: reserved for future use, or research and development
purposes.
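The arithmetic behind the 172.18.230.127/29 example above, the subnet-mask peer check on 192.168.1.10, and the class table, as an added example that is not part of the original notes. It does the mask arithmetic by hand with bit operations and then cross-checks the result against Python's ipaddress module; the only assumptions are the sample addresses, which are the ones the notes use.

```python
"""Network, broadcast, host range, peer check and class of an IPv4 address.

Added example, not from the original notes. The hand arithmetic is the point;
ipaddress is only used to confirm it.
"""
import ipaddress


def to_int(dotted):
    """'172.18.230.127' -> 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/29 -> 255.255.255.248: the top `prefix` bits set, the rest clear."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr):
    """Network, mask, broadcast, first/last usable host and usable count."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    ip, mask = to_int(addr), mask_from_prefix(prefix)
    network = ip & mask                          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all ones
    if prefix >= 31:                             # /31 and /32 have no network/broadcast split
        usable = 2 if prefix == 31 else 1
        first, last = network, broadcast
    else:
        usable = (1 << (32 - prefix)) - 2        # minus network and broadcast
        first, last = network + 1, broadcast - 1
    return {
        "network": to_dotted(network),
        "mask": to_dotted(mask),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "usable_hosts": usable,
    }


def same_subnet(ip_a, ip_b, mask_dotted):
    """Two hosts can talk directly if masking both gives the same network."""
    m = to_int(mask_dotted)
    return (to_int(ip_a) & m) == (to_int(ip_b) & m)


def classful(addr):
    """Historical class, decided by the leading bits of the first octet."""
    first = to_int(addr) >> 24
    if first == 127:
        return "A (loopback)"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D (multicast)"
    return "E (reserved)"


def check_against_stdlib(cidr):
    """Cross-check the hand arithmetic; strict=False lets host bits be set."""
    net = ipaddress.ip_network(cidr, strict=False)
    mine = subnet_info(cidr)
    return (str(net.network_address) == mine["network"]
            and str(net.broadcast_address) == mine["broadcast"]
            and str(net.netmask) == mine["mask"])


if __name__ == "__main__":
    for cidr in ("172.18.230.127/29", "192.168.1.10/24"):
        print(cidr, subnet_info(cidr), "class", classful(cidr.split("/")[0]))
    print(same_subnet("192.168.1.10", "192.168.1.5", "255.255.255.0"))    # peers
    print(same_subnet("192.168.1.10", "192.168.0.12", "255.255.255.0"))   # not peers
```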

Host - (also known as "network host") is a computer or other device that communicates with
other hosts on a network. Usually an end system which can host / run applications, such as a
PC, printer or a server. Hosts on a network include clients and servers -- that send or receive
data, services or applications.
More on hosts: https://searchnetworking.techtarget.com/definition/host


Node - (also known as “network node”) In IP routing it means a point where source traffic has to
go through in order to reach the end destination.

NIC - The network interface card is a hardware component, typically a circuit board or chip,
which is installed on a computer so that it can connect to a network. Usually in the name of
wlan0 eth0 if checking network interfaces.

Network gateway - A network gateway joins two networks so the devices on one network can
communicate with the devices on the other. Can be a router, a firewall, or even an ordinary
computer with two interfaces.

Default gateway - All the clients on a network point to a default gateway that routes any traffic
not destined for the local subnet (including traffic to the internet).

IP routing - IP routing uses IP addresses to forward IP packets from their sources to their
destinations. A - x - y - z - w - B. To get traffic from A to B, each hop looks the destination up
in its routing table and passes the packet to the next hop. When the destination IP equals the
machine's own IP, the traffic is consumed by that machine.

Routing Table - A table on every device listing which networks are reachable through which
interface or next hop, used to route outgoing traffic correctly.
You can use the route command (ip route on modern Linux) on Linux and route print on Windows
to view it. Each line is called a route entry.

Routable - Meaning that traffic can be sent outside the current subnet.

Unicast - communication between a single sender and a single receiver on a network.

Anycast - communication between a single sender and the nearest one of several receivers that
share the same address (used in both IPv4 and IPv6, e.g. by the DNS root servers).

Multicast - communication between a single sender and a group of receivers that have joined a
multicast group address. A good example of this mechanism is live streaming, where a server
sends one copy of the traffic to the group address and the network delivers it to every member.

NetBIOS is an API that provides communication services on local networks, most typically used
by Windows machines.

DHCP - Dynamic Host Configuration Protocol. It's a service, typically running on the router, that
automatically configures the IP address (plus gateway and DNS) of any (new) device on the local
network. Printers, servers and machines you reach remotely should get a static address or a
DHCP reservation instead, because a session breaks if the lease changes under it.


NAT - Network Address Translation is the process by which a network device, usually a router or
firewall, lets a computer (or group of computers) inside a private network share one public
address.
Imagine your house with 10 devices on the internet (laptops, desktops, game consoles, etc.).
Those don't have their own external IP address (the one on the internet). You only have 1 for
your modem/router, and your router then forwards each packet to the right device based on the
port number and internal IP address. This is why you need to set up port forwarding if you've ever
played an online game: when a packet hits your router on a certain port, it knows which computer
to send it to.

Hosts file - A hosts file is a list of computer names and their associated IP addresses. It’s a file
that appears on Windows or UNIX machines that can do 2 things:
-To prevent access to undesirable web servers (such as those offering tacky advertising or
inappropriate content).
-To set up private, easy-to-remember "shortcut" names for servers on a local network.
Windows path: C:\Windows\system32\drivers\etc\hosts
Linux path: /etc/hosts

ipconfig /release and /renew - Both options only work on clients configured for dynamic (DHCP)
addressing.
/release drops the DHCP lease on all network adapters (terminating any active TCP/IP
connections) and hands the address back to the DHCP server for reuse. It can be restricted to a
target connection; the command accepts either full connection names or wildcard names.
Examples:
ipconfig /release "Local Area Connection 1"
ipconfig /release *Local*
/renew requests a new lease and re-establishes TCP/IP connectivity on all network adapters.

Services / Common Vulnerabilities

LLMNR/NBT-NS Security:
Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are two
name-resolution components of Microsoft Windows. LLMNR was introduced in Windows Vista and is
the successor to NBT-NS.

Both use UDP: port 5355 (LLMNR, multicast to 224.0.0.252) and port 137 (NBT-NS, broadcast).


If a user mistypes the name of a server (e.g. pintserver instead of printserver) the DNS server
can't resolve it. If these fallbacks are enabled, the machine then asks the whole local segment
whether anyone is called pintserver. Essentially any time DNS can't resolve a name it resorts to
these protocols if they are available.

An attacker on the same segment can simply answer "that's me". The victim then connects to the
attacker and authenticates with NTLM, handing over a Net-NTLMv2 challenge/response. That can
be cracked offline (a weak password falls almost instantly) or relayed to another host that
accepts the same credentials.

Breaking LLMNR:
Insert tool and commands...

Protective measures:
Disable LLMNR (Group Policy: Computer Configuration > Administrative Templates > Network >
DNS Client > Turn off multicast name resolution) and NBT-NS (per-adapter WINS settings).
Prevent inter-VLAN communication. This also limits the success of most local network attacks.
Use limited user accounts. An attacker has to do more work if the account whose hash was
captured has limited power.

Inter-VLAN communication is traffic between hosts on different VLANs; it has to pass through a
router or layer-3 switch, which is where it can be filtered. Hosts on the same VLAN talk directly,
which is exactly why a poisoned LLMNR answer works: the attacker has to be on the victim's
segment.

Pentesting/Penetration
Tools:
Responder:
PSExec:

Reverse Engineering / Assembly
