
Dipartimento di Informatica

Sapienza Università di Roma

Ethical Hacking
Useful Tools
Fabio De Gaspari
[email protected]

Useful Tools
• Penetration testing/hacking requires good tools
• No need to reinvent the wheel, many good open
source tools available
• Some fundamental ones:
– Tor, The Onion Router
– Nmap
– Metasploit

The Onion Router (Tor)
• We don't want to leave information that can be
traced back to us
– First and foremost, hide your IP
– Tor routes traffic through a circuit of relays (guard, middle,
exit), encrypting it in layers, so no single relay sees both your
IP and the destination
– Caveat: Tor hides the network-layer source only. DNS leaks,
browser fingerprints and logins still identify you, and on an
authorized test you normally work from the agreed source IPs
rather than through Tor

Figure: https://it.wikipedia.org/wiki/File:Wat_is_Tor_(The_onion_routing)%3F.png
The Onion Router (Tor)

(Slides 4-6: diagrams of how a Tor circuit is built, reproduced from
https://2019.www.torproject.org/about/overview.html.en)
The Onion Router (Tor)
• Tor layered encryption
– Messages are encrypted multiple times, with a different key for
each relay in the circuit
– The client shares one key with each relay and encrypts the message
innermost-first (exit key) to outermost-last (guard key)
– Each relay strips exactly one layer and learns only where to
forward next, never both the origin and the final destination

(Diagram: Node1, Node2)
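To make the layering concrete, here is an added toy model; it is not from the slides and not Tor's actual cryptography (Tor uses TLS between relays and a per-hop AES-CTR layer keyed through a handshake; a SHA-256 counter-mode keystream stands in for it here so only the standard library is needed). The relay names, the 32-byte keys, the destination and the message are all constructed. The client wraps the message once per relay, innermost for the exit, and routing the result shows each relay learning only its next hop:

```python
"""Toy model of Tor-style layered ("onion") encryption.

Added example, not part of the original slides and not Tor's real protocol
(Tor uses TLS between relays and AES-CTR per circuit hop, negotiated with a
handshake).  The per-hop cipher here is a SHA-256 counter-mode keystream so
the script needs only the standard library.  Relay names, keys and the
message are constructed for the demonstration.
"""
import hashlib
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: nonce || Enc_key(next_hop || 0x00 || inner)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, next_hop.encode() + b"\x00" + inner)


def peel_layer(key: bytes, blob: bytes) -> tuple[str, bytes]:
    """What one relay does: remove its own layer; it learns only the next hop."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    next_hop, _, inner = keystream_xor(key, nonce, body).partition(b"\x00")
    return next_hop.decode(), inner


def build_onion(circuit: list[tuple[str, bytes]], destination: str, message: bytes) -> bytes:
    """Client side.  circuit = [(relay, key_shared_with_relay), ...] in path
    order guard -> ... -> exit.  The exit's layer (built first) names the
    destination; every other layer names the following relay."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    blob = message
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        blob = wrap_layer(key, nxt, blob)
    return blob


def route(circuit: list[tuple[str, bytes]], onion: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Simulate forwarding along the circuit.  Returns each relay's view
    (its own name and the only thing it learns: the next hop) and what the
    exit finally delivers."""
    views, blob = [], onion
    for name, key in circuit:
        next_hop, blob = peel_layer(key, blob)
        views.append((name, next_hop))
    return views, blob


if __name__ == "__main__":
    # Constructed circuit: three relays with distinct shared keys.
    circuit = [("guard", b"\x01" * 32), ("middle", b"\x02" * 32), ("exit", b"\x03" * 32)]
    onion = build_onion(circuit, "example.org:443", b"GET / HTTP/1.1")
    for relay, sees in route(circuit, onion)[0]:
        print(f"{relay:6} forwards to {sees}")
```

Running it prints that guard forwards to middle, middle to exit, and exit to example.org:443: none of the three sees both the client and the destination, and the blob on the wire never contains the plaintext. Tor additionally protects each relay-to-relay link with TLS, which this model omits.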
NMAP
• Great tool to discover hosts and services
– used for scanning and enumeration
• First step, determine which hosts are online: ping scan
– nmap -sn 192.168.1.0/24 (or '192.168.1.*', quoted so the shell
does not expand it) performs host discovery with an ICMP echo
request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP
timestamp request, and suppresses the port scan. Run without root
it falls back to connect() probes to ports 80 and 443
– -PE limits discovery to ICMP echo requests only. ICMP is often
filtered, so the default -sn probe mix is more reliable
• Scanning every port generates a lot of noise
– The SYN ("stealth") scan, -sS, never completes the TCP handshake,
so the target service never sees a connection and writes nothing
to its logs. It is still visible to a firewall or IDS, and it
needs raw sockets (root), where it is also nmap's default scan type

https://linux.die.net/man/1/nmap
NMAP
• Many different variants of port scan are supported
– Full TCP connect scan: -sT (completes the handshake; works
without root, but the service logs the connection)
– UDP scan: -sU (slow; a port that does not answer is reported as
open|filtered, so the result is ambiguous)
– TCP ACK scan: -sA (cannot tell open from closed, but distinguishes
filtered from unfiltered ports, useful for mapping firewall rules)
• Restrict the port range with the lowercase -p <start-end> option
(uppercase -P selects ping probe types, e.g. -PE)
– nmap -sS 192.168.1.202 -p 0-1024
NMAP
• Nmap can be easily used for service enumeration
• If no additional options are specified, nmap guesses
which service is behind an open port
– E.g., 25/tcp = SMTP; 80/tcp = HTTP
– The guess is a lookup of port number and protocol in the
nmap-services table, so it is static: a service moved to a
non-standard port is misnamed, and so is a non-standard service
listening on a well-known port
• Version detection gathers information on the specific service
behind an open port by actually talking to it
– -sV enables version detection (product, version, extra info);
-O enables OS detection
– Both send more probes and create more network noise
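As an added example (mine, not nmap's code) covering both the -sT connect scan from the previous slide and the static service guess from this one, the following performs a connect scan against a throw-away listener on 127.0.0.1 and names ports from a hand-copied subset of nmap-services, which is what nmap does without -sV. The listener, the table subset and the 0.5 s timeout are assumptions for the demo:

```python
"""Minimal TCP connect scan (what nmap -sT does) plus nmap's static service guess.

Added example, not from the slides or the Nmap project.  It completes a real
TCP handshake to each port and classifies the outcome the way nmap reports
it: open (handshake completed), closed (RST, surfaced as ECONNREFUSED) or
filtered (no answer before the timeout).  WELL_KNOWN is a hand-copied subset
of nmap-services, the table nmap consults when -sV is not given.  The target
is a throw-away listener on 127.0.0.1 constructed here, so it runs offline.
"""
import errno
import socket
import threading

# Static (protocol, port) -> service name table (subset of nmap-services).
WELL_KNOWN = {
    ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 25): "smtp",
    ("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "domain",
}


def guess_service(port: int, proto: str = "tcp") -> str:
    """nmap without -sV: look the port up, never talk to the service.
    Anything not in the table (for example a service on an ephemeral port)
    is reported as unknown; that is the gap -sV closes by sending probes."""
    return WELL_KNOWN.get((proto, port), "unknown")


def connect_scan_port(host: str, port: int, timeout: float = 0.5) -> str:
    """One -sT probe: full three-way handshake, then close.  Because the
    handshake completes, the listening service sees (and may log) the
    connection; a SYN scan (-sS) stops after the SYN/ACK and avoids that,
    but needs raw sockets, hence root."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Scan a port list; returns {port: (state, guessed_service)}."""
    return {p: (connect_scan_port(host, p, timeout), guess_service(p)) for p in ports}


def start_dummy_listener():
    """Constructed target: accept-and-close listener on an ephemeral port.
    Returns (server_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Find a port with nothing listening, to show a 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_dummy_listener()
    for port, (state, svc) in connect_scan("127.0.0.1", [open_port, free_port()]).items():
        print(f"{port}/tcp {state:8} {svc}")
    srv.close()
```

The listener sits on an ephemeral port, so the scan reports it open but "unknown": the static table cannot name it, which is exactly what -sV fixes by probing the service. Because connect() completes the handshake, the listener's accept() fires, and a real service would log the client address; -sS avoids that at the cost of needing root.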
Searchsploit
• How to use nmap information on open ports and
service versions?
– Searchsploit is a command-line front end to a local copy of
exploit-db.com; it searches for exploits related to specific
services/versions
• Save nmap output as XML, with version detection, since the
matching uses the product/version fields:
– nmap -sV 192.168.1.202 -oX result.xml
• Use searchsploit to match each service/version with
known vulnerabilities:
– searchsploit --nmap result.xml
– You can also search for an individual service version just as
easily: searchsploit vsftpd 2.3.4
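Added example (not the slides' or searchsploit's code) of the nmap-to-searchsploit step: it parses nmap's -oX XML the way `searchsploit --nmap` does internally and turns every probed product/version into search terms, from most to least specific. SAMPLE_XML is a constructed fragment in the real -oX layout (nmaprun, host, ports, state, service); the host address and the service versions in it are illustrative, and the shortening heuristic is mine rather than searchsploit's exact one:

```python
"""Turn nmap -sV -oX output into searchsploit queries.

Added example, not the slides' or searchsploit's own code: it mimics what
`searchsploit --nmap result.xml` does internally, reading each open port's
<service product="..." version="..."> and deriving progressively shorter
search terms.  SAMPLE_XML is a constructed nmap XML fragment in the real
-oX layout (hosts, ports, states, services); the host 192.168.1.202 and the
service versions are illustrative.
"""
import re
import shlex
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX result.xml 192.168.1.202">
  <host>
    <address addr="192.168.1.202" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"
                 extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
        <service name="http" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def candidate_terms(product: str, version: str) -> list[str]:
    """Full product+version first, then shorter version prefixes so that
    '4.7p1 Debian 8ubuntu1' also matches entries filed as 4.7p1 or 4.7."""
    terms = [f"{product} {version}"]
    first = version.split()[0]
    if first != version:
        terms.append(f"{product} {first}")
    m = re.match(r"\d+\.\d+", first)
    if m and m.group(0) != first:
        terms.append(f"{product} {m.group(0)}")
    return terms


def service_terms(xml_text: str) -> list[dict]:
    """One row per open port that -sV actually fingerprinted.  Ports whose
    service came from the static table (method="table", no product/version)
    give nothing to search for, which is why --nmap wants -sV output."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            product, version = svc.get("product"), svc.get("version")
            if not product or not version:
                continue
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "terms": candidate_terms(product, version),
            })
    return rows


def searchsploit_commands(rows: list[dict]) -> list[str]:
    """Shell-safe command lines, one per candidate term."""
    return [
        "searchsploit " + " ".join(shlex.quote(w) for w in term.split())
        for row in rows for term in row["terms"]
    ]


if __name__ == "__main__":
    for cmd in searchsploit_commands(service_terms(SAMPLE_XML)):
        print(cmd)
```

Port 80 yields nothing: its service name came from the static table (method="table") rather than from a probe, so there is no product or version to search for. That is why --nmap expects output from a -sV scan.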
The Metasploit Framework

■ The Metasploit Framework provides the infrastructure, content
and tools to perform penetration tests and extensive security
audits
■ Comprises reconnaissance, exploit development, payload
packaging, and delivery of exploits to vulnerable systems
■ It is open source and extendable
■ Exploits can be easily shared amongst the community
■ Available on Windows, UNIX, Linux, and Mac OS X

Hacking Unix
Metasploit Architecture

(Slide 13: architecture diagram, not reproduced in the text)

Metasploit terms

■ Module: a standalone piece of code or software that extends
the functionality of the Metasploit Framework
■ A module can be an exploit, escalation, scanner, or
information-gathering unit of code that interfaces with the
framework to perform some operation
■ It is like a discrete job that you would assign to a co-worker:
"Exploit the FTP server on Windows 2003" or "Find me a list of
all credentials stored by Firefox on this server"

Metasploit terms

■ Session: a connection between a target and the machine running
Metasploit, established once an exploit and its payload have run
■ Sessions allow commands to be sent to and executed by the
target machine

Metasploit Modules

■ Exploits: the code and commands that Metasploit uses to gain
access, i.e. to trigger a specific vulnerability
■ Payloads: what the exploit delivers to give the attacker a way
to interact with the exploited system (e.g. a command shell or
meterpreter, in bind or reverse flavour)
■ Auxiliary: modules that perform an operation without exploiting
anything, including wireless attacks, denial of service,
reconnaissance scanners, and SIP/VoIP attacks

Metasploit Modules

■ NOPs: No OPeration instructions. NOP generators pad a payload to
a consistent size (and give a jump a sled to land in)
■ Post-exploitation: modules run on already compromised targets to
gather evidence, harvest credentials, pivot deeper into the
target network, etc.
■ Encoders: re-encode a payload so that it contains none of the
bytes the vulnerable input would mangle (e.g. null bytes or
newlines); they are not a reliable antivirus bypass

Metasploit Interfaces

Metasploit has had several interfaces:

■ msfconsole – the interactive command-line interface, and the one
still maintained
■ msfcli – a one-shot Linux command-line interface (removed in
2015; msfconsole -x "<commands>" replaces it)
■ Armitage – a GUI-based third-party application (no longer
actively maintained)
■ msfweb – a browser-based interface (long since removed from the
framework)

Metasploit Console

■ The Metasploit Console (msfconsole) is a simple interface
■ Allows the user to search for modules, configure those
modules, and execute them against specified targets with
chosen payloads
■ Provides a management interface for opened sessions, network
redirection (routing and pivoting through sessions), and data
collection in the database

Starting Metasploit

■ Start the PostgreSQL database used by Metasploit (on Kali,
msfdb init creates it the first time)

# service postgresql start

■ Launch the Metasploit Framework console

# msfconsole

Metasploit Core Commands

■ msf > show exploits – list all exploit modules
■ msf > show payloads – list payloads (only compatible ones once
an exploit is selected)
■ msf > search <x> – find modules by name, CVE, platform, ...
■ msf > use <module> – select a module
■ msf > show options – list the module's options and which are
required
■ msf > set <option> <value> – e.g. set RHOSTS 192.168.1.202
■ msf > info – describe the selected module
■ msf > exploit – run it (run is an alias)

Metasploit Sample Operation

■ Open the Metasploit console
■ Select an exploit
■ Set the target
■ Select a payload
■ Set options
■ exploit

In this example, we pair the exploit with a reverse_tcp payload
(reverse_tcp is a payload, not an exploit): once the exploit runs
on the victim, the payload connects back to our system over TCP
and gives us an open meterpreter session
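To show what the reverse_tcp shape means in practice, here is an added example (not Metasploit's code): an attacker-side handler that listens on LHOST/LPORT and a toy "stage" that connects back and answers two harmless requests over plain TCP. Real meterpreter speaks a TLV protocol, usually over TLS, and does far more; the option names LHOST/LPORT are borrowed from msfconsole, and the loopback target and the two commands are constructed for the demo:

```python
"""The shape of a reverse_tcp payload: target connects back, attacker listens.

Added example, not Metasploit's code.  A real handler/meterpreter pair speaks
a TLV protocol, usually over TLS; this toy "stage" answers two fixed,
harmless requests over plain TCP so the script runs on localhost.  LHOST and
LPORT are borrowed from msfconsole's option names; the loopback target is
constructed.  Contrast with bind_tcp, where the target listens and the
attacker connects in, which egress-only firewalls block.
"""
import platform
import socket
import threading


def start_handler(lhost: str = "127.0.0.1", lport: int = 0):
    """Attacker side (LHOST/LPORT): open the listener *before* the exploit
    fires, since the stage connects as soon as it runs.  lport=0 picks a
    free port for the demo.  Returns (server_socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def stage(lhost: str, lport: int) -> None:
    """Target side: the connection is outbound, so it looks like any client
    traffic from the victim.  Serves newline-delimited requests until 'exit'
    or until the handler closes the socket."""
    answers = {
        b"sysinfo": lambda: f"{platform.system()} {platform.release()}",
        b"hostname": lambda: socket.gethostname(),
    }
    with socket.create_connection((lhost, lport)) as s, s.makefile("rwb") as f:
        while True:
            req = f.readline().strip()
            if not req or req == b"exit":
                return
            fn = answers.get(req)
            reply = fn() if fn else f"unknown command {req.decode(errors='replace')}"
            f.write(reply.encode() + b"\n")
            f.flush()


def run_session(srv: socket.socket, commands: list[str]) -> tuple[str, dict]:
    """Handler side after 'exploit': accept the call-back, then drive the
    session.  Returns (peer_address, {command: reply})."""
    conn, (peer_ip, _) = srv.accept()
    results = {}
    with conn, conn.makefile("rwb") as f:
        for cmd in commands:
            f.write(cmd.encode() + b"\n")
            f.flush()
            results[cmd] = f.readline().rstrip(b"\n").decode()
        f.write(b"exit\n")
        f.flush()
    return peer_ip, results


def demo(commands=("sysinfo", "hostname", "whoami")) -> dict:
    """Wire both ends together on loopback; the stage runs in a thread
    standing in for the exploited victim process."""
    srv, lport = start_handler()
    t = threading.Thread(target=stage, args=("127.0.0.1", lport), daemon=True)
    t.start()
    try:
        peer, results = run_session(srv, list(commands))
    finally:
        srv.close()
    t.join(timeout=2)
    return {"peer": peer, **results}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9} {v}")
```

Start the handler before firing the exploit: the stage connects the instant it runs, and with nothing listening the session is lost. Because the target opens the connection, the traffic looks like ordinary outbound client traffic, which is why reverse payloads traverse egress-only firewalls that would block a bind_tcp listener on the victim.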
Metasploit Sample Operation
• Once an exploitable vulnerability is found with
searchsploit, we can use Metasploit to exploit it
• E.g., the vsftpd 2.3.4 service from earlier, in the
Metasploit console:
– Search for an exploit: search vsftpd 2.3.4
• you can also search by CVE: search cve:2011-2523
– Select the exploit: use <module path or result number>
(here exploit/unix/ftp/vsftpd_234_backdoor)
– Set the required parameters (e.g., the target host: RHOST,
RHOSTS in current versions)
– Run the exploit: exploit
– This particular module returns a plain command shell, not
meterpreter; show payloads lists what a module can deliver

Additional Resources

Metasploit tutorial:
https://youtu.be/SdSeZ3GuvNI
Metasploitable tutorial:
https://www.exploit-db.com/docs/english/44040-the-easiest-metasploit-guide-you%E2%80%99ll-ever-read.pdf
