Tools of the trade

There are a huge number of FOSS tools available to help professional and budding hackers alike — we show you our favourites…

APC Australia - Feature / Hacker Secrets

A seasoned hacker will use a huge number of tools to perform reconnaissance, penetration testing, exploitation and data exfiltration. They might have access to exploits for which no patch exists, or spend time coding their own custom payloads. They could have access to a huge network of compromised machines (a botnet) that they could use to DDoS a target, or as a series of proxies to hide behind.

At the other end of the spectrum there are your script kiddies, who search the Internet for off-the-shelf exploits (a process that, depending on your search terms and where you click, can be pretty risky), eventually manage to get Kali Linux running, and then indiscriminately bombard machines with exploits. Don’t be a script kiddie: it’s not a good look and it might land you in a whole heap o’ trouble. Do get familiar with the tooling, though — here’s a selection of commonly employed software to help you learn the ropes.


Wireshark captures packets “off the wire” so you can study them from the comfort of a nice GUI. Obviously, if you’re on a busy network there will be a lot of traffic, so Wireshark allows you to filter by machine or protocol. People often run into difficulties getting started with Wireshark (and other packet capturing tools) since special privileges are required to sniff network traffic. Don’t run it as root; this is a bad idea. Instead, add your user to the wireshark group with gpasswd -a youruser wireshark, then log out and log in again. Wireshark uses privilege separation to run dumpcap with setuid root in the background, which is much safer than running the whole application as root.

Network newbies may be slightly unsettled to see that all traffic connected to the same switch is visible, but this is how networks work. Traffic not intended for a particular host is silently ignored, but with Wireshark we can examine it. Passwords and credit card numbers entered into websites should always be encrypted via HTTPS — in fact, most web traffic nowadays should be. But you never know what a simple packet capture can turn up. If you’re feeling nosey and want to see which websites your network peers are visiting, then go to the Name Resolution section and check the “Resolve network addresses” option.

Wireshark is pivotal in attacks on Wi-Fi networks, for example setting up a rogue Wi-Fi hotspot in a coffee shop and running an SSL stripping attack. Old-style attacks on WEP encryption often depended on capturing and replaying ARP request packets, but no one should be using WEP encryption anymore. Wireshark is also useful for studying the behaviour of proprietary applications to see who they’re talking to and (in some cases) what they’re saying.


A long time ago a six-character password was considered secure, all the more so if it contained mixed case, some kind of punctuation and wasn’t based on a dictionary word. That guidance has not aged well (eight characters is almost acceptable if symbols are used), and many people still use hopelessly weak passwords to protect their data. John the Ripper is a password-cracking tool that can bring this fact into stark clarity.

It would be foolish to store passwords in the clear, so what usually happens is that the password is passed through a suitable hash function (for example, SHA256) and the output of that function is stored. The hash function is chosen to have certain mathematical properties (it shouldn’t be easily reversible) and when a password is entered it’s hashed and the output checked against what is stored. It should be incredibly unlikely that two passwords have the same hash, so if these match access is granted.

When a company gets hacked their databases are often stolen and sold or given away for free. This provides a bounty of hashes that a password cracker like John the Ripper can get stuck into. Some systems will lock you out after a handful of failed password attempts, but these rules don’t apply when you have a stolen database (for ‘online’ password cracking check out Hydra). John the Ripper can also make use of GPU power to test many thousands of passwords per second.

Besides random character combinations, John the Ripper can make use of wordlists that can vastly aid the password cracking process. Not only that, but John the Ripper can use rules to combine dictionary words with each other as well as random symbols, mimicking the process by which the crafty come up with their passwords. For example, it’s popular to use a capital letter at the beginning of a word and put a number at the end. In John’s syntax, this rule is written cAz"[0-9]". Simple. The modern approach to password generation is to combine dictionary words to make a long password, and not try and be smart with random capitals and symbol substitutions. A similar approach is specified by the BIP39 standard to generate passphrases for Bitcoin wallets, except there each word is uniquely identified by its first four letters.
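To make the two preceding ideas concrete (how a stored hash is checked, and how a mangling rule such as cAz"[0-9]" multiplies a wordlist), here is an added Python example that is not from the APC article or from John the Ripper itself. It implements that one rule by hand, runs the candidates against a constructed "leaked" table of unsalted SHA-256 hashes, and then shows the defender's side: the same check done with a per-user random salt and many PBKDF2 rounds, so every guess costs far more and cannot be reused across users. The wordlist, user names and passwords are constructed for the demo.

```python
"""Added example (not from the APC article): a toy wordlist check that
applies the John the Ripper rule cAz"[0-9]" (capitalise the word, append a
digit) to a constructed wordlist, compares candidates against unsalted
SHA-256 hashes, and contrasts that with a salted, slow PBKDF2 scheme."""
import hashlib
import hmac
import os
from typing import Dict, Iterator, List

# Constructed wordlist (stand-in for a real dictionary file).
WORDLIST = ["password", "letmein", "dragon", "monkey", "sunshine"]

PBKDF2_ROUNDS = 200_000  # assumed work factor for the slow-hash demo


def rule_c_az_digits(word: str) -> Iterator[str]:
    """John's cAz"[0-9]": 'c' capitalises the first letter, Az"[0-9]" appends
    each character of the class [0-9] in turn, giving ten candidates."""
    capitalised = word[:1].upper() + word[1:].lower()
    for digit in "0123456789":
        yield capitalised + digit


def candidates(wordlist: List[str]) -> Iterator[str]:
    """Plain words first, then the rule-mangled variants (as john --rules does)."""
    for word in wordlist:
        yield word
    for word in wordlist:
        yield from rule_c_az_digits(word)


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the weak storage scheme the text describes."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: password} for every user whose unsalted hash matches a
    candidate. One hash per candidate covers *all* users at once, because
    without a salt identical passwords give identical hashes."""
    users_by_hash: Dict[str, List[str]] = {}
    for user, digest in stored.items():
        users_by_hash.setdefault(digest, []).append(user)
    found: Dict[str, str] = {}
    for cand in candidates(wordlist):
        for user in users_by_hash.get(sha256_hex(cand), []):
            found.setdefault(user, cand)
    return found


def pbkdf2_store(password: str) -> str:
    """Defender's version: fresh 16-byte random salt per user and many rounds,
    so each guess costs ~PBKDF2_ROUNDS hash calls and must be redone per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed "leaked database": unsalted SHA-256 of each user's password.
    leaked = {
        "alice": sha256_hex("Dragon7"),
        "bob": sha256_hex("sunshine"),
        "carol": sha256_hex("correct horse battery staple"),
    }
    print(crack_unsalted(leaked, WORDLIST))  # carol's passphrase is not in the list
    record = pbkdf2_store("Dragon7")
    print(pbkdf2_verify("Dragon7", record), pbkdf2_verify("Dragon8", record))
```

Note that the unsalted table is searched with a single hash per candidate regardless of how many users it holds; with the salted record, every candidate has to be rehashed per user, and the chosen round count turns each attempt into hundreds of thousands of SHA-256 calls.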


Cracking wireless keys is either trivially easy if the long-deprecated WEP encryption is used, or generally quite hard everywhere else. However, sometimes we can get what we need without having the key. In October 2017 an attack on WPA2 (used by most home routers) was announced that enabled traffic to be intercepted by a third party in close proximity to the target. Sensitive data should all be encrypted over HTTPS, so this shouldn’t be so much of a concern, but the fact that virtually all Wi-Fi equipment was vulnerable (and probably a lot still is) certainly was.

Before we worry about breaking into Wi-Fi networks, it’s useful to scope them out first. Mapping out wireless networks over a geographical area is known as ‘wardriving’ and Kismet is the tool to help you with that. To be a wardriver you need a GPS module and a wireless device that plays nice with Linux (it needs to support ‘monitor mode’). You possibly will need a vehicle too, depending on the area you’re investigating. We just made Jonni wander around APC Towers with a Raspberry Pi. Once enough signal data is gathered it can be converted to a .kmz file and imported into Google Earth. A GUI client, Kismon, is also available.


More often than not, the first step in scoping out a target machine is to see which ports are open and which services are running on them. There are many port scanning tools available but Nmap is one of the most highly regarded. It’s a command line affair, but a GUI (Zenmap) is bundled on most distributions, which is great for visually mapping out networks. Nmap results can also be saved as XML and imported to other tools for further analysis. They can also be imported directly into the Metasploit database, for example, so that different attacks can be tried on different hosts.

Nmap has enough options that its man pages span 3,000 lines, so we won’t cover them all here. However, in the spirit of Kali Linux’s motto, “The quieter you become, the more you are able to hear”, let’s talk in hushed voices about portscanning.

A standard TCP port scan involves a three-way handshake (we send a SYN flag, if the port is open the target responds with SYN-ACK and then we send an ACK), which means that (momentarily) a TCP session is established between the scanner and the target. If the administrator of the target machine wanted to, they could pore over firewall logs and the multitude of TCP connections from a portscan would be easy to spot.

Nmap’s default scan is slightly different. It aborts the scan after the server’s response, so leaves less in the way of footprints. This scan crafts packets directly, rather than using the sockets API, so it requires root privileges. You can see the difference between a TCP scan and a SYN scan in the screenshot (left). The SYN scan isn’t invisible, but fewer packets are transferred to obtain the same information (whether a port is open, closed or blocked).
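The administrator's side of the two paragraphs above, as an added Python example that is not from the APC article or from Nmap: it reads a constructed firewall-style packet log (the log format is an assumption), groups packets into connection attempts, and labels each attempt from the flags it saw, a completed SYN / SYN-ACK / ACK handshake for a full TCP scan versus SYN / SYN-ACK / RST for Nmap's half-open SYN scan, with "closed" and "no-response" for ports that answered RST or stayed silent. It then flags sources that probed several distinct ports. All addresses, ports and timestamps are constructed for the demo.

```python
"""Added example (not from the APC article): classify TCP probes in a
constructed firewall-style log as full connect scans or half-open SYN scans,
and flag sources that touch many ports. Log format is an assumption."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed log lines: "<time> <src>:<sport> > <dst>:<dport> <flags>"
# Flags: S=SYN, A=ACK, R=RST, F=FIN; combined flags are written together (SA).
SAMPLE_LOG = """\
1.000 10.0.0.5:40001 > 10.0.0.9:22 S
1.001 10.0.0.9:22 > 10.0.0.5:40001 SA
1.002 10.0.0.5:40001 > 10.0.0.9:22 A
1.003 10.0.0.5:40001 > 10.0.0.9:22 R
1.010 10.0.0.5:40002 > 10.0.0.9:80 S
1.011 10.0.0.9:80 > 10.0.0.5:40002 SA
1.012 10.0.0.5:40002 > 10.0.0.9:80 A
1.013 10.0.0.5:40002 > 10.0.0.9:80 R
1.020 10.0.0.5:40003 > 10.0.0.9:25 S
1.021 10.0.0.9:25 > 10.0.0.5:40003 RA
2.000 10.0.0.7:51000 > 10.0.0.9:22 S
2.001 10.0.0.9:22 > 10.0.0.7:51000 SA
2.002 10.0.0.7:51000 > 10.0.0.9:22 R
2.010 10.0.0.7:51000 > 10.0.0.9:80 S
2.011 10.0.0.9:80 > 10.0.0.7:51000 SA
2.012 10.0.0.7:51000 > 10.0.0.9:80 R
2.020 10.0.0.7:51000 > 10.0.0.9:443 S
2.030 10.0.0.7:51000 > 10.0.0.9:8080 S
2.031 10.0.0.9:8080 > 10.0.0.7:51000 RA
3.000 10.0.0.8:33000 > 10.0.0.9:443 S
3.001 10.0.0.9:443 > 10.0.0.8:33000 SA
3.002 10.0.0.8:33000 > 10.0.0.9:443 A
"""

# Connection key: client ip, client port, server ip, server port.
Key = Tuple[str, int, str, int]


def parse_line(line: str) -> Tuple[float, str, int, str, int, str]:
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


def reassemble(log: str) -> Dict[Key, List[str]]:
    """Group packets by connection attempt. Each entry lists the flags seen,
    prefixed '>' for client-to-server and '<' for server-to-client."""
    flows: Dict[Key, List[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _, sip, sport, dip, dport, flags = parse_line(line)
        fwd, rev = (sip, sport, dip, dport), (dip, dport, sip, sport)
        if fwd in flows:
            flows[fwd].append(">" + flags)
        elif rev in flows:
            flows[rev].append("<" + flags)
        elif flags == "S":
            flows[fwd] = [">S"]  # a bare SYN opens a new attempt
        # any other unattributed packet is ignored
    return flows


def classify(seq: List[str]) -> str:
    """Name the probe type from the flag sequence of one connection attempt."""
    if "<SA" not in seq:
        return "closed" if "<RA" in seq else "no-response"
    if ">A" in seq:
        return "connect"    # SYN, SYN-ACK, ACK: handshake completed (full TCP scan)
    if ">R" in seq:
        return "half-open"  # SYN, SYN-ACK, RST: Nmap's default SYN scan
    return "incomplete"


@dataclass
class SourceSummary:
    ports: Set[int] = field(default_factory=set)
    kinds: Dict[str, int] = field(default_factory=lambda: defaultdict(int))


def summarise(flows: Dict[Key, List[str]]) -> Dict[str, SourceSummary]:
    out: Dict[str, SourceSummary] = defaultdict(SourceSummary)
    for (client_ip, _, _, server_port), seq in flows.items():
        out[client_ip].ports.add(server_port)
        out[client_ip].kinds[classify(seq)] += 1
    return dict(out)


def suspected_scanners(log: str, min_ports: int = 3) -> Dict[str, Dict[str, int]]:
    """Sources probing at least min_ports distinct ports, with a breakdown of
    probe types; a run of 'half-open' attempts is the SYN-scan signature."""
    return {ip: dict(s.kinds) for ip, s in summarise(reassemble(log)).items()
            if len(s.ports) >= min_ports}


if __name__ == "__main__":
    for ip, kinds in suspected_scanners(SAMPLE_LOG).items():
        print(ip, kinds)
```

Run against the constructed log, 10.0.0.5 shows up as a full connect scan (two completed handshakes plus a closed port) and 10.0.0.7 as a SYN scan (two half-open attempts, one silent port, one closed), while 10.0.0.8, which made a single ordinary connection, is not reported. The same grouping logic applies to any log that records per-packet TCP flags; only the line parser would change.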

A quick scan of the APC Towers networks found a few services that someone less scrupulous might try and exploit (if they weren’t always on deadline).

A full TCP scan (left) is much noisier than Nmap’s default SYN scan (right). Also, Wireshark’s filters are pretty useful.
