Day 11,12,13 Notes of 75 Days Ethical Hacking Course by Cybersecurityghost

Uploaded by sihog62852

DAY 11 OF 75 DAYS ETHICAL H4CKING COURSE

26 April 2024 20:09

Processes
Processes are the programs that are running on your machine. They are managed by the kernel, and each process has an ID associated with it, also known as its PID. The PID increments in the order in which
the processes start, i.e. the 60th process will have a PID of 60.

Viewing Processes

We can use the friendly ps command to provide a list of the running processes in our user's session and some additional information, such as its status code, the session that is running it, how much CPU time
it is using, and the name of the actual program or command that is being executed:

Note how in the screenshot above, the second process, ps, has a PID of 204, and then in the command below it, this is then incremented to 205.
To see the processes run by other users and those that don't run from a session (i.e. system processes), we need to provide aux to the ps command like so: ps aux

Note we can see a total of 5 processes -- note how we now have "root" and "cmnatic".
Another very useful command is top; top gives you real-time statistics about the processes running on your system instead of a one-time view. These statistics will refresh every 10 seconds, but will also
refresh when you use the arrow keys to browse the various rows.

Managing Processes
You can send signals that terminate processes; there are a variety of types of signals that correlate to exactly how "cleanly" the process is dealt with by the kernel. To kill a process, we can use the appropriately
named kill command with the PID of the process we wish to kill, e.g. to kill PID 1337, we'd use kill 1337.
Below are some of the signals that we can send to a process when it is killed:

• SIGTERM - Kill the process, but allow it to do some cleanup tasks beforehand
• SIGKILL - Kill the process - doesn't do any cleanup after the fact
• SIGSTOP - Stop/suspend a process
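As an added example (not part of the course notes): a small Python program that spawns a child process and sends it the three signals listed above, so the difference between SIGTERM (the child's handler runs and does its cleanup), SIGKILL (no handler can run, so no cleanup) and SIGSTOP/SIGCONT (the process is frozen and resumed) can be observed directly. The child program, marker files and polling loop are constructed for this demonstration; os.kill does exactly what the kill command does from the shell.

```python
import os
import signal
import subprocess
import sys
import tempfile
import time

# Constructed child program: installs a SIGTERM handler that writes a
# "cleanup" marker file before exiting, signals readiness, then idles.
CHILD_SRC = r"""
import signal, sys, time
ready, marker = sys.argv[1], sys.argv[2]
def on_term(signum, frame):
    with open(marker, "w") as f:
        f.write("cleanup done\n")
    sys.exit(0)
signal.signal(signal.SIGTERM, on_term)
open(ready, "w").close()
while True:
    time.sleep(0.05)
"""


def _spawn(workdir):
    """Start the child and wait until its signal handler is installed."""
    ready = os.path.join(workdir, "ready")
    marker = os.path.join(workdir, "cleanup")
    child = subprocess.Popen([sys.executable, "-c", CHILD_SRC, ready, marker])
    deadline = time.time() + 10
    while not os.path.exists(ready):
        if time.time() > deadline:
            child.kill()
            raise RuntimeError("child never became ready")
        time.sleep(0.02)
    return child, marker


def signal_and_observe(sig):
    """Start a child, send it `sig`, return (exit status, cleanup ran?).

    A negative exit status means the process was killed by that signal
    number, which is what happens with SIGKILL: the handler never runs.
    """
    with tempfile.TemporaryDirectory() as d:
        child, marker = _spawn(d)
        os.kill(child.pid, sig)          # same as: kill -<sig> <PID>
        status = child.wait(timeout=10)
        return status, os.path.exists(marker)


def suspend_and_resume():
    """SIGSTOP freezes the process (state T in ps); SIGCONT resumes it."""
    with tempfile.TemporaryDirectory() as d:
        child, _ = _spawn(d)
        os.kill(child.pid, signal.SIGSTOP)
        _, wstatus = os.waitpid(child.pid, os.WUNTRACED)   # reports the stop
        stopped = os.WIFSTOPPED(wstatus)
        os.kill(child.pid, signal.SIGCONT)
        os.kill(child.pid, signal.SIGKILL)   # discard the child afterwards
        child.wait(timeout=10)
        return stopped


if __name__ == "__main__":
    for name in ("SIGTERM", "SIGKILL"):
        status, cleaned = signal_and_observe(getattr(signal, name))
        print(f"{name}: exit status {status}, cleanup ran: {cleaned}")
    print("SIGSTOP observed as stopped:", suspend_and_resume())
```

Run it on a Linux box and compare with `ps -o pid,stat,cmd` in another terminal while the child is stopped: the STAT column shows T, matching what SIGSTOP does.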

How do Processes Start?

Let's start off by talking about namespaces. The Operating System (OS) uses namespaces to ultimately split up the resources available on the computer (such as CPU, RAM and priority) between processes. Think of it as
splitting your computer up into slices -- similar to a cake. Processes within that slice will have access to a certain amount of computing power, however, it will be a small portion of what is actually available to every
process overall.

Namespaces are great for security as they are a way of isolating processes from one another -- only those that are in the same namespace will be able to see each other.
We previously talked about how PID works, and this is where it comes into play.

The process with an ID of 0 is a process that is started when the system boots. This process is the system's init on Ubuntu, such as systemd, which is used to provide a way of managing a user's processes and sits in
between the operating system and the user.

For example, once a system boots and it initialises, systemd is one of the first processes that are started. Any program or piece of software that we want to start will start as what's known as a child process of
systemd. This means that it is controlled by systemd, but will run as its own process (although sharing the resources from systemd) to make it easier for us to identify and the likes.

Getting Processes/Services to Start on Boot

Some applications can be started on the boot of the system that we own. For example, web servers, database servers or file transfer servers. This software is often critical and is often told to start
during the boot-up of the system by administrators.
In this example, we're going to start the apache web server manually and then tell the system to launch apache2 on boot.
Enter the use of systemctl -- this command allows us to interact with the systemd process/daemon. Continuing on with our example, systemctl is an easy to use command that takes the following formatting: systemctl
[option] [service]
For example, to tell apache to start up, we'll use systemctl start apache2. Seems simple enough, right? Same with if we wanted to stop apache, we'd just replace the [option] with stop (instead of start like we
provided).
We can do four options with systemctl:
• Start
• Stop
• Enable
• Disable

Maintaining Your System: Logs


We briefly touched upon log files and where they can be found in Linux Fundamentals Part 1. However, let's quickly recap. Located in the /var/log directory, these files and folders contain logging information for
applications and services running on your system. The Operating System (OS) has become pretty good at automatically managing these logs in a process that is known as "rotating".
I have highlighted some logs from three services running on an Ubuntu machine:

• An Apache2 web server
• Logs for the fail2ban service, which is used to monitor attempted brute forces, for example
• The UFW service, which is used as a firewall

These services and logs are a great way of monitoring the health of your system and protecting it. Not only that, but the logs for services such as a web server contain information about every single request, allowing
developers or administrators to diagnose performance issues or investigate an intruder's activity. For example, the two types of log files below are of interest:

• access log
• error log

There are, of course, logs that store information about how the OS is running itself and actions that are performed by users, such as authentication attempts.
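As an added illustration (not from the notes) of what an access log holds and of the kind of check a tool like fail2ban performs on it: a Python parser for the Apache "combined" log format, with a per-client counter of 4xx responses run over constructed sample lines. The log lines, IP addresses and the threshold of 3 are made up for this example.

```python
import re
from collections import Counter

# Apache "combined" LogFormat, as written to /var/log/apache2/access.log:
# client - user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2024:20:09:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Apr/2024:20:09:02 +0000] "GET /about.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Apr/2024:20:09:05 +0000] "GET /admin HTTP/1.1" 401 12 "-" "curl/8.0"
198.51.100.7 - - [26/Apr/2024:20:09:06 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [26/Apr/2024:20:09:06 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [26/Apr/2024:20:09:07 +0000] "GET /phpmyadmin HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [26/Apr/2024:20:09:07 +0000] "GET /admin HTTP/1.1" 401 12 "-" "curl/8.0"
this line is garbage and must be skipped, not crash the parser
"""


def parse_access_log(text):
    """Return (list of parsed records, number of unparseable lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            bad += 1          # rotated/corrupted lines happen; count, don't abort
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records, bad


def status_summary(records):
    """How many responses of each status code were served."""
    return dict(Counter(r["status"] for r in records))


def suspicious_clients(records, threshold=3):
    """Clients with at least `threshold` 4xx responses (the signal a
    fail2ban apache jail keys on before banning the source address)."""
    errors = Counter(r["ip"] for r in records if 400 <= r["status"] < 500)
    return {ip: n for ip, n in errors.items() if n >= threshold}


if __name__ == "__main__":
    recs, skipped = parse_access_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {skipped}")
    print("status codes:", status_summary(recs))
    print("noisy clients:", suspicious_clients(recs))
```

The same functions work unchanged on a real file (`parse_access_log(open("/var/log/apache2/access.log").read())`); only the format assumption, the combined LogFormat, has to hold.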

Day 12 network security
27 April 2024 21:31

Day 12 of 75 Days Ethical Hacking Course
Network Scanning - Discovering systems on the network (hosts, switches, servers, routers, firewalls and so on) and looking at what ports are open, as well as the
applications/services and their respective versions that may be running.

In general, network scanning has three main objectives:

1. Scanning for live devices, OSes and IPs in use.
○ Server at 192.168.60.30
2. Looking for open/closed ports.
○ The server 192.168.60.30 has TCP port 23 (Telnet) running
3. Searching for vulnerabilities in the scanned services.
○ The Telnet service is cleartext and has many published vulnerabilities

Connectionless Communication - UDP packets are sent without creating a connection. Examples are TFTP, DNS (lookups only) and DHCP (in wired networks)

Connection-Oriented Communication - TCP packets require a connection due to the size of the data being transmitted and to ensure deliverability (in wireless
networks)

Scanning Methodology

• Check for live systems - Ping or another way to determine live hosts
• Check for open ports - Once you know the live host IPs, scan them for listening ports
• Scan beyond IDS - If needed, use methods to scan beyond the detection systems; evade IDS using proxies, spoofing, fragmented packets and so on (meaning
bypassing their firewall or whatever else is stopping us from scanning that system)
• Perform banner grabbing - Grab banners from servers as well as perform OS fingerprinting (versions of the running services, i.e. the running apps and OS)
• Scan for vulnerabilities - Use tools to look at the vulnerabilities of open systems
• Draw network diagrams - Show logical and physical pathways into networks
• Use proxies - Obscure your efforts to stay hidden
• Pentest Report - Document everything that you find

Identifying Targets

• The easiest way to scan for live systems is through ICMP.
• It has its shortcomings and is sometimes blocked on hosts that are actually live.


Port Discovery - Basic Concepts

Knocking on the door:

• The hacker above sends a SYN packet to port 80 on the server.
○ If the server returns a SYN-ACK packet = the port is open
○ If the server returns an RST (reset) packet = the port is closed

Checking if a stateful firewall is present:

• The hacker above sends an ACK segment/packet as the first interaction (without a three-way handshake).
○ If the server returns no response, it might have a stateful firewall handling proper sessions
○ If the server returns an RST packet, it has no stateful firewall

Nmap
➢ For scanning any IP address or domain name

nmap <ip addr> (192.168.84.129)
nmap <domain name> (howshorts.com)

If you have multiple IP addresses [192.168.84.129, 192.168.84.130, 192.168.84.131, 192.168.84.132 etc.]

nmap 192.168.84.129,130,131,132

If you have a range, then:
nmap 192.168.84.* (using the asterisk will give me information about every IP in this subnet)

➢ If you want to do a random scan, meaning it will scan whichever machines are up on the internet and report their open ports (this is illegal)
➢ nmap -iR 100 (you can write the number of machines you want; here I want just 100 machines to be scanned)
➢ If you know only the service name and don't remember the port number, you can scan by writing the service name, see:
➢ nmap -p telnet 192.168.43.129

We can change our interface, e.g. if we want to scan over wireless (Wi-Fi etc.) rather than wired.

The interface can be changed with -e, see:
nmap -e wlan0 <ip addr of wlan0>

➢ Passive OS fingerprinting and banner grabbing

➢ If we want to scan IPv6:
➢ nmap -6 <ip addr>

Timing & Performance

Why do we use this? Suppose we have a wide network with 1000-2000 systems, and they have their firewall, IDS, IPS etc.

We would use the T5 insane scan, which offers the highest speed, meaning it can scan in almost no time. But there is a disadvantage: it sometimes shows us incorrect results, because the firewall and IDS/IPS devices will detect where
this many requests are coming from in so little time. Then we use T0 Paranoid; it's a slow scan and it decreases the rate at which probes are sent. Nowadays technology can detect this too, but in some cases this works.

• Paranoid
○ Paranoid (0) Intrusion Detection System evasion
○ nmap <target> -T0
• Sneaky
○ Sneaky (1) Intrusion Detection System evasion
○ nmap <target> -T1
• Polite
○ Polite (2) slows down the scan to use less bandwidth and use less target machine resources
○ nmap <target> -T2
• Normal
○ Normal (3) which is default speed(what ever scans we do in nmap that’s is T3 So wedont need to set this)
○ nmap <target> -T3
• Aggressive
○ Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
○ nmap <target> -T4
• Insane
○ Insane (5) speeds scan; assumes you are on an extraordinarily fast network
○ nmap <target> -T5

List of Switches

Switch            Description
-sA               ACK scan
-sF               FIN scan
-sI               IDLE scan (our own IP address is not sent, which helps evade the firewall)
-sL               DNS scan (list scan)
-sN               NULL scan (keeps us anonymous and gives good output)
-sO               Protocol scan (tests which IP protocols respond)
-sP or -sn        Ping scan
-sU               UDP scan
-sR               RPC scan
-sS               SYN scan (half-open scan: only half of the TCP handshake is performed; we use it when a firewall is blocking us, since it would ask why so many requests come from one IP address, so instead of
                  establishing a connection we do only a half scan)
-sT               TCP connect scan (nmap -sT <ip>)
-sW               Window scan
-sX               XMAS scan
-A                OS detection, version detection, script scanning and traceroute (all-in-one scan)
-sV               Determine only service/version info of system and ports
-PI               ICMP ping
-Pn               No ping
-Po               No ping
-PS               SYN ping
-PT               TCP ping
-oN               Normal output
-oX               XML output
-n / -R           Never do DNS resolution / always resolve
-f --mtu          Fragment packets (optionally with a given MTU)
-D <decoy1,decoy2[,ME],...>   Cloak a scan with decoys
-T0 through -T2   Serial scans. T0 is slowest
-T3 through -T5   Parallel scans. T3 is slowest
-F                Fast mode - Scan fewer ports than the default scan
Notes:

➕ More Useful Information about Nmap: ➕

Switch        Example                                  Description
-p            nmap -p 21 192.168.1.1                   Port scan for port x
-p            nmap 192.168.1.1 -p 21-100               Port range (nmap -p 21-100 192.168.1.1)
-p            nmap 192.168.1.1 -p U:53,T:21-25,80      Port scan multiple TCP and UDP ports
-p-           nmap -p- 192.168.1.1                     Port scan all ports
-p            nmap 192.168.1.1 -p http,https           Port scan from service name
-F            nmap 192.168.1.1 -F                      Fast port scan (100 ports)
--top-ports   nmap 192.168.1.1 --top-ports 2000        Port scan the top x ports
-p-65535      nmap 192.168.1.1 -p-65535                Leaving off the initial port in the range makes the scan start at port 1
-p0-          nmap 192.168.1.1 -p0-                    Leaving off the end port in the range makes the scan go through to port 65535


Day 13 recon
28 April 2024 20:35

1. Passive Reconnaissance
2. Active Reconnaissance
In passive reconnaissance, you rely on publicly available knowledge.

Passive reconnaissance activities include many activities, for instance:

• Looking up DNS records of a domain from a public DNS server.
• Checking job ads related to the target website.
• Reading news articles about the target company.

Active reconnaissance, on the other hand, cannot be achieved so discreetly. It requires direct engagement with the target. Think of it like you check the locks on the doors and windows, among other potential entry points.

Examples of active reconnaissance activities include:

• Connecting to one of the company servers such as HTTP, FTP, and SMTP.
• Calling the company in an attempt to get information (social engine

Who is
WHOIS is a request and response protocol that follows the RFC 3912 specification. A WHOIS server listens on TCP port 43 for incoming requests. The domain registrar is responsible for maintaining the WHOIS records for the
domain names it is leasing. The WHOIS server replies with various information related to the domain requested. Of particular interest, we can learn:

• Registrar: Via which registrar was the domain name registered?
• Contact info of registrant: Name, organization, address, phone, among other things (unless made hidden via a privacy service)
• Creation, update, and expiration dates: When was the domain name first registered? When was it last updated? And when does it need to be renewed?
• Name Server: Which server to ask to resolve the domain name?
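As an added example (not part of the notes): a Python client for the RFC 3912 exchange described above, plus a parser that extracts the fields listed (registrar, dates, registrant contact with privacy-service redaction detected, and name servers). The sample reply is constructed for this example; the field labels it matches are the common registry-style ones, which is an assumption that may need adjusting for a particular registrar. The network function is defined but not called at import time, so the block runs offline.

```python
import re
import socket

WHOIS_PORT = 43   # RFC 3912: plain-text request/response over TCP port 43


def whois_query(domain, server, timeout=10):
    """Raw WHOIS exchange: send '<domain>\\r\\n', read until the server closes."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # server closes the connection after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Labels assumed for the key/value lines of a registry-style reply.
_FIELDS = {
    "registrar": r"Registrar",
    "created": r"Creation Date",
    "updated": r"Updated Date",
    "expires": r"Registry Expiry Date|Expiry Date",
    "registrant_org": r"Registrant Organization",
}


def parse_whois(text):
    """Pull registrar, dates, registrant organisation and name servers out of a reply."""
    info = {}
    for key, label in _FIELDS.items():
        m = re.search(rf"^\s*(?:{label}):\s*(.+?)\s*$", text, re.I | re.M)
        info[key] = m.group(1) if m else None
    info["name_servers"] = [
        ns.lower() for ns in re.findall(r"^\s*Name Server:\s*(\S+)", text, re.I | re.M)
    ]
    # Privacy services replace contact details with placeholders such as
    # "REDACTED FOR PRIVACY", so a lookup yields no usable contact info.
    info["registrant_redacted"] = bool(
        re.search(r"^\s*Registrant [\w ]+:\s*.*(REDACTED|PRIVACY|PROXY)", text, re.I | re.M)
    )
    return info


# Constructed sample reply (not real WHOIS data) in the usual registry format.
SAMPLE_REPLY = """\
Domain Name: EXAMPLE-TARGET.TEST
Registrar: Example Registrar, Inc.
Updated Date: 2024-01-15T10:22:31Z
Creation Date: 2019-04-26T20:09:00Z
Registry Expiry Date: 2025-04-26T20:09:00Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
>>> Last update of whois database: 2024-04-28T00:00:00Z <<<
"""


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; for a live lookup use
    # parse_whois(whois_query("example.com", "whois.verisign-grs.com")).
    for key, value in parse_whois(SAMPLE_REPLY).items():
        print(f"{key:20} {value}")
```

Name servers are lower-cased because registries return them in upper case while DNS names are case-insensitive, which keeps later comparisons with nslookup output simple.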

NSLOOKUP

Find the IP address of a domain name using nslookup, which stands for Name Server Look Up. You need to issue the command nslookup DOMAIN_NAME,

DNSDumpster
DNS lookup tools, such as nslookup and dig, cannot find subdomains on their own. The domain you are inspecting might include a different subdomain that can reveal much information about the targe

SHODAN/CENSYS

ACTIVE
• If it says "host seems down", that means a firewall is active; then:
• nmap -p 21 (the port number you want to scan) 192.168.84.129 -Pn (it will scan the port, not the host; it will tell us the host is up, but it will show the port as filtered, so we then use Wireshark to determine whether it is
open or closed)
• We will use a half-open or stealth scan through Linux
• nmap -sS -p 21 172.20.10.2
• Then we go to Wireshark; if we are getting a SYN-ACK packet from the other machine, then the port is open
• And if we are getting an RST flag, then the port is closed; if we are getting nothing, then there is a firewall on the system that is blocking our requests, and there may be IPS and IDS devices too
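Tying the "knocking on the door" rules from Day 12 to the Wireshark check above, this added Python example (not from the notes) decodes the fixed 20-byte TCP header the way Wireshark displays it and classifies a port from the reply to a SYN probe (SYN-ACK = open, RST = closed, nothing = filtered) or to a bare ACK probe (RST = no stateful firewall, nothing = likely a stateful firewall). The replies are constructed byte strings rather than captured traffic, and the port numbers are arbitrary.

```python
import struct

# TCP control bits in the flags byte of the header (RFC 793).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Network byte order: src port, dst port, seq, ack, offset/reserved, flags,
# window, checksum, urgent pointer  ->  exactly 20 bytes.
TCP_HDR = struct.Struct("!HHIIBBHHH")


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Construct a minimal TCP header (no options, zero checksum) for sample traffic."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4          # header is 5 x 32-bit words; low nibble reserved
    return TCP_HDR.pack(src_port, dst_port, seq, ack, data_offset, flag_byte, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fields Wireshark shows under 'Transmission Control Protocol'."""
    if len(raw) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off, flag_byte, window, _csum, _urg = TCP_HDR.unpack(raw[:TCP_HDR.size])
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "header_len": (off >> 4) * 4,
        "flags": {name for name, bit in FLAG_BITS.items() if flag_byte & bit},
        "window": window,
    }


def classify_syn_probe(reply):
    """Port state given the reply to a SYN probe (None = nothing came back)."""
    if reply is None:
        return "filtered"         # dropped by a firewall/IPS, or lost on the way
    flags = parse_tcp_header(reply)["flags"]
    if {"SYN", "ACK"} <= flags:
        return "open"
    if "RST" in flags:
        return "closed"
    return "unexpected"


def classify_ack_probe(reply):
    """What a bare ACK (no handshake) tells us about filtering in front of the port."""
    if reply is None:
        return "filtered"         # a stateful firewall drops out-of-session segments
    flags = parse_tcp_header(reply)["flags"]
    return "unfiltered" if "RST" in flags else "unexpected"


# Constructed replies, as Wireshark would show them when probing ports 80 and 23.
SYN_ACK_FROM_80 = build_tcp_header(80, 40001, {"SYN", "ACK"}, seq=1000, ack=1)
RST_FROM_23 = build_tcp_header(23, 40002, {"RST", "ACK"}, ack=1)


if __name__ == "__main__":
    print("SYN -> 80 :", classify_syn_probe(SYN_ACK_FROM_80))   # open
    print("SYN -> 23 :", classify_syn_probe(RST_FROM_23))       # closed
    print("SYN -> 445:", classify_syn_probe(None))              # filtered
    print("ACK -> 80 :", classify_ack_probe(None))              # filtered
    print("decoded   :", parse_tcp_header(SYN_ACK_FROM_80))
```

The same decoder can be pointed at the bytes of a real segment exported from Wireshark (Copy as Hex Stream, starting at the TCP header) to confirm by hand which flags a reply carried.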

Spoofing
It fw r ’t w tt r rt t r tw f t r t r spoofing number 3rd

• Decoy:
○ nmap -Pn -D <spoofed IP> <target> (we can send packets from multiple IP addresses)
○ There are two methods:
○ 1] We use RND, which sends packets from random internet IPs. If we want to send packets from 4 random IPs we use RND:4, and if we want 20 we use RND:20 > nmap -sS -D RND:4 192.168.84.129
○ 2] We use custom IP addresses. This benefits us when many devices are connected to one system (10.10.0.1): the packets then appear to come from those devices' own IPs, i.e. we create custom IPs, see > nmap -sS -D 10.10.0.2,10.10.0.3,10.10.0.9
192.168.84.129
▪ This will perform a spoofed ping scan.
• Source Address Spoofing:
○ nmap -e <network interface> -S <IP source> <target>
▪ Example --> nmap -e eth0 -S 10.0.0.140 10.0.0.165
• MAC Address Spoofing: (in this case we actually have three options)
○ 1] We can write 0 and it will generate a random MAC address
○ nmap --spoof-mac 0 -p 21 (or a port of your choice) 192.168.46.129
○ 2] We can write our own MAC address
○ nmap --spoof-mac <mac addr here> 192.168.43.129
○ 3] We can write a vendor name and it will make up an address itself
○ nmap --spoof-mac dell -p 24 192.168.84.131

Service and Version Detection

Switch                    Example                                       Description
-sV                       nmap -sV 192.168.1.1                          Attempts to determine the version of the service running on each port (tells the services and versions on the ports)
-sV --version-intensity   nmap -sV --version-intensity 8 192.168.1.1    Intensity level 0 to 9. A higher number increases the possibility of correctness (the highest intensity is 9, which gives the most detailed version
                                                                        information for the target's ports)
-sV --version-light       nmap 192.168.1.1 -sV --version-light          Enable light mode. Lower possibility of correctness. Faster
-sV --version-all         nmap 192.168.1.1 -sV --version-all            Enable intensity level 9. Higher possibility of correctness. Slower
-A                        nmap 192.168.1.1 -A                           Enables OS detection, version detection, script scanning, and traceroute

3. OS Detection

Switch              Example                               Description
-O                  nmap -O 192.168.1.1                   Remote OS detection using TCP/IP stack fingerprinting (we can find the target's OS)
-O --osscan-limit   nmap 192.168.1.1 -O --osscan-limit    If at least one open and one closed TCP port are not found, it will not try OS detection against the host
-O --osscan-guess   nmap 192.168.1.1 -O --osscan-guess    Makes Nmap guess more aggressively (more accurate result, OS detection only)
-A                  nmap -A 192.168.1.1                   Enables OS detection, version detection, script scanning, and traceroute (it literally tells everything about the target)