We’re here to try and make sense of it all. Presented below is important information that everyone from a beginner to a hardened expert will need for offensive or defensive hacking. The most common tools, the stages, the process, the quick cheats and more. We’ll often go back and forth between the point of view of a malicious adversary and that of a defensive hacker (pentester). This will help us understand the big picture. So let’s get started.
Your hacking toolset is your everything
Your toolkit is your weapon and your shield. It’s the most critical asset you possess, second only to actual hands-on experience. In cyber security, you have to be a master of all trades. Below are all the different kinds of tools you must have in your toolbox and a few examples:
Password cracking software: ophcrack, Proactive Password Auditor
Network scanners: Nmap, NetScanTools
Network vulnerability scanning software: LanGuard, Nexpose
Network analyzing: Cain & Abel, CommView
Wireless network analyzers: Aircrack-ng, CommView for WiFi
File search utility: FileLocator
Web application vulnerability scanning software: Acunetix Web Vulnerability Scanner, AppSpider
Database security scanners: SQLPing3
Exploit software: Metasploit
Remember, this is not an exhaustive list, but a guideline. These are the most common tools that I find myself returning to over and over. Your journey may be different, but our goals are aligned.
Common Attack Vectors
All experienced hackers and penetration testers have their own way of doing things, but they’re largely different flavors of the same process: check for open ports, vulnerable services, outdated software, etc., and then attack. Over time, a pattern emerges…
People get lazy and choose weak passwords
People get annoyed and close the frequent update notifications (Adobe Reader, I’m looking at you), leaving them with potentially vulnerable software
People never expect that they may be open to attack. “Surely, it can’t happen to me. That’s just something you read about in the news”. They let down their guard and then it does happen to them.
It makes sense to begin your testing with the most common vulnerabilities. The following physical and digital security flaws should be at the top of your checklist when carrying out a penetration test:
~Gullible and overly-trusting users
~Unsecured building and computer room entrances
~Discarded documents that have not been shredded
~Storage devices (hard disks, pen drives) that have not been securely erased of sensitive data
~Network perimeters with no firewall protection
~No intrusion detection systems
~Default passwords
~Poor, inappropriate, or missing file and share access controls
~Unpatched systems that can be exploited easily using popular tools such as Metasploit
~Online access portals with weak authentication mechanisms
~Insufficient or outdated password storage methods (e.g., MD5 hashes)
~Insecure routers
~Guest wireless networks that allow the public to connect into the corporate network environment
~Employee hardware lacking full disk encryption
~Mobile devices with little to no mandatory protection
~Weak or no application, database, and operating system passwords
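The checklist item on outdated password storage (MD5) is worth seeing in code. The following is an added example, not code from the original article: it contrasts a bare MD5 digest with a salted, iterated PBKDF2-HMAC-SHA256 record built from the Python standard library. The record string format (`pbkdf2_sha256$iterations$salt$digest`) and the iteration count are assumptions made for this example.

```python
"""Password storage: bare MD5 versus salted PBKDF2 (added example, not from the article).

A bare MD5 digest is unsalted and fast, so two users with the same password
get the same stored value and one cracked hash exposes both. The corrected
form uses a per-user random salt, an iterated key derivation function
(PBKDF2-HMAC-SHA256 from the standard library) and a constant-time comparison
when verifying. The storage string format is an assumption made for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable, Optional

# Iteration count chosen for this example; tune it to your hardware so that a
# single verification costs a few hundred milliseconds.
PBKDF2_ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """The outdated way: unsalted, single pass, cheap to brute force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False  # unknown or legacy scheme: treat as a failed login, then migrate the user
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def same_stored_value(store: Callable[[str], str], password: str) -> bool:
    """True if two users with the same password end up with identical stored values."""
    return store(password) == store(password)


if __name__ == "__main__":
    print("MD5 reveals shared passwords:", same_stored_value(md5_store, "hunter2"))
    print("Salted PBKDF2 does not:", same_stored_value(pbkdf2_store, "hunter2"))
    record = pbkdf2_store("hunter2")
    print("verify correct password:", pbkdf2_verify("hunter2", record))
    print("verify wrong password:", pbkdf2_verify("hunter3", record))
```

During an audit, the `same_stored_value` check is the quick tell: if a dump of the credential table shows repeated hash values, the store is unsalted and every shared password falls with the first one cracked.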
Commonly Hacked Ports
Everyone knows to secure common ports, such as TCP port 80 (HTTP) – but other ports may get overlooked and hence be open to attack. In your security testing, be sure to check these commonly hacked TCP and UDP ports:
TCP port 21 — FTP (File Transfer Protocol)
TCP port 22 — SSH (Secure Shell)
TCP port 23 — Telnet
TCP port 25 — SMTP (Simple Mail Transfer Protocol)
TCP and UDP port 53 — DNS (Domain Name System)
TCP port 443 — HTTPS (HTTP over SSL/TLS)
TCP port 110 — POP3 (Post Office Protocol version 3)
TCP and UDP port 135 — Windows RPC
TCP and UDP ports 137–139 — Windows NetBIOS over TCP/IP
TCP port 1433 and UDP port 1434 — Microsoft SQL Server
And some general advice when it comes to dealing with ports:
Avoid using default ports (such as 22 for SSH) whenever possible.
The server should ideally flag and block bulk port-scanning attempts. A legitimate user almost never probes every single port one after another. This may not be enough to prevent an attack (a smart attacker can query ports in random order from several IP addresses), but at the very least you will be alerted and can prepare.
As a rule of thumb, nearly every port other than 80 and 443 (HTTP and HTTPS) should require authentication before allowing a connection, unless there is a very good reason not to (there usually isn’t).
General Tips For All Hacking Endeavors
For all hackers:
Have well defined goals and develop a plan before you get started.
You do have permission to do what you’re doing, right? Permission is pretty much the only difference between legal and illegal.
Know the right tools to use for the task at hand.
Understand that it’s not possible to detect every security vulnerability on every system. This is where having a plan pays off.
Don’t overlook non-technical security issues; they’re often exploited first (e.g., social engineering, or simply walking into an unsecured server room).
Treat other people’s confidential information as well as you would treat your own. Violation of privacy is not a game.
For professional security analysts:
If you’re pentesting for a client, do make sure that what you’re doing doesn’t interfere with their work.
Be aware that attacks can come from inside and outside.
Keep the key players in the loop during your testing.
Report critical vulnerabilities as soon as possible.
Study malicious hacker and rogue insider behaviors and blackhat tactics. The more you know about how the bad guys work, the better you’ll be at testing your systems for security vulnerabilities.
Make sure that all your testing is aboveboard.
Don’t treat every vulnerability discovered in the same manner. Not all weaknesses are bad. Evaluate the context of the issues found before you declare that the sky is falling.