What is Unicode attack?
Here is a quick, rough description of the Unicode attack. Let's say you want to pass a space in a URL. If you put a literal space in the URL, the web server will not accept it; it will consider the URL invalid. So if you want spaces in the URL, you put %20 in place of each space (the hexadecimal number 20 represents the space character). When that URL reaches the web server, the server says "OK, that's a valid URL", and processes it. A Unicode attack uses this same encoding technique in a non-standard (bad) way to attack the web server. That's a quick explanation of the Unicode attack.
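To make the encoding point concrete from the defender's side, here is an added example (my own code, not part of the original tutorial) of a strict percent-decoder: it decodes %XX escapes exactly once and rejects the non-standard forms the attack relies on, namely %uXXXX escapes, malformed escapes, and overlong UTF-8 byte sequences (for instance the two bytes C0 A0 as a non-shortest spelling of the single space byte 0x20). The sample inputs are constructed for illustration.

```python
from __future__ import annotations
import re

# Non-standard %uXXXX escapes (not part of RFC 3986) and a '%' that is not
# followed by exactly two hexadecimal digits.
_NONSTANDARD_U = re.compile(r"%u[0-9A-Fa-f]{4}", re.IGNORECASE)
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def strict_percent_decode(raw: str) -> str:
    """Decode %XX escapes once, accepting only canonical encodings.

    Raises ValueError on %uXXXX forms, malformed escapes, or byte sequences
    that are not valid shortest-form UTF-8 (overlong encodings included).
    """
    if _NONSTANDARD_U.search(raw):
        raise ValueError("non-standard %u escape")
    if _BAD_PERCENT.search(raw):
        raise ValueError("malformed percent escape")
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "%":
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(raw[i].encode("utf-8"))
            i += 1
    try:
        # Python's strict UTF-8 decoder refuses overlong sequences such as
        # C0 A0 (a two-byte spelling of the space byte 0x20).
        return out.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid UTF-8 after decoding: {exc.reason}") from None


def decode_or_reject(raw: str) -> tuple[bool, str]:
    """Wrapper for validation code: (True, decoded text) or (False, reason)."""
    try:
        return True, strict_percent_decode(raw)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples: one canonical, three that a strict decoder rejects.
    for sample in ("hello%20world", "%C0%A0", "%u0020", "100%"):
        print(repr(sample), "->", decode_or_reject(sample))
```

The point of decoding exactly once and then validating the decoded text is that any check done on the raw, still-encoded string can be bypassed by a different spelling of the same character; the server and the validator must agree on one canonical form.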
I'm about to finish this tutorial, so I will just talk briefly about some popular tools. I will start with nmap.
Nmap is the most popular hacker tool out there. The Linux command-line version of nmap works better and is better supported. Nmap comes with a ping utility, a port-scanning utility, service enumeration and OS fingerprinting.
SuperScan is a Windows-based tool developed by Foundstone Inc. It's easy to use and a good tool for Windows.
Nessus is used for vulnerability assessment. It is an open-source software kit, with a commercial version available as well. Nessus uses a client/server architecture: the server is installed in a central location. Nessus comes with both a GUI and a command-line interface. Nessus uses a database that carries the latest current exploits for all types of OS and application. The database entries in Nessus are called plug-ins; hundreds of vulnerability plug-ins exist, and they are updated daily to include the latest exploits. Nessus requires a high level of knowledge to use the tool efficiently. You can go out to the web, download an exploit and then add it to the database. Nessus can take quite a long time to do a vulnerability assessment.
Finally, the information in this tutorial has been gathered from various sources; I then wrote the tutorial from scratch in an organized manner, added some material and clarified many parts.
After you have read this tutorial, I recommend that you search for and learn about Windows Null Sessions, one of the most critical flaws associated with the Windows OS, and look up DNS zone transfers!
This tutorial is a good guide that gives you an insight into how to start, the different techniques that hackers use, and how they are used. I hope you have enjoyed this tutorial and that it helped you in some way. I'm not supporting any illegal activities. This tutorial is for people who want to know how hackers think, what steps they take to break into systems and how they do it, so people can gain an insight into how to protect themselves against intruders.
***This tutorial is made for educational purposes only***
These questions and answers might clear some misconceptions you have...
Q. Was nmap made to spy on other people's servers? And did webmasters then start testing nmap against their own systems to fix the weak points, so that attackers could not get a chance to penetrate?
A. No. As nmap's man page describes it, it is a "Network exploration tool and security / port scanner". It is just a tool. What purpose you put that tool to makes all the difference.
Q. If I have a server and an attacker scans it remotely to fetch all the system information and find the open ports, how can I know?
A. Use a firewall that reports all attempts to access ports that have no public services running on them. Another solution is to watch all the traffic coming down the wire with something like Wireshark; with the right filters you would be able to see pings and so on. Alternatively, you need either a host-based IDS (intrusion detection system) or a network IDS. They will pick up host and network scans, watch for the "signature" of nmap scans, etc. Some popular open-source tools are "portsentry" for the host and "snort" for the network.
Search for the "portsentry" and "snort" software.
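The answer above describes what a firewall's "report attempts on closed ports" feature and a host IDS actually do. As an added example (my own code, not from the tutorial and not how portsentry or snort are implemented), here is a small detector that reads firewall log lines in the style of Linux netfilter LOG entries for dropped inbound packets and flags a source address that touches many distinct ports within a short window. The log lines, addresses and timestamps are constructed for the example; the window and port threshold are assumed values you would tune for your own network.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of netfilter "LOG" output for dropped
# inbound packets (not captured from a real host). Three sources:
#  - 203.0.113.7 touches six ports within a few seconds (a scan pattern)
#  - 198.51.100.22 retries one port a few times over fifteen minutes (noise)
#  - 203.0.113.9 touches four ports, then a fifth half an hour later
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=21
Mar  3 10:15:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40212 DPT=22
Mar  3 10:15:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40213 DPT=23
Mar  3 10:15:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40214 DPT=25
Mar  3 10:15:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40215 DPT=80
Mar  3 10:15:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40216 DPT=443
Mar  3 10:16:00 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
Mar  3 10:20:10 gw kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=22
Mar  3 10:24:10 gw kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=22
Mar  3 10:29:45 gw kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=22
Mar  3 11:00:00 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=42000 DPT=135
Mar  3 11:00:10 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=42001 DPT=139
Mar  3 11:00:20 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=42002 DPT=445
Mar  3 11:00:30 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=42003 DPT=3389
Mar  3 11:30:00 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=42004 DPT=8080
"""

# Only DROP lines are of interest: a drop on a closed port is the firewall
# "reporting an attempt to access a port with no public service".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or None if it is not a DROP record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for ordering events within one log file.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "proto": m["proto"], "dport": int(m["dpt"])}


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=5) -> dict[str, int]:
    """Map source IP -> most distinct ports seen in any `window`, for sources
    that reached `min_ports` distinct dropped ports inside one window."""
    events: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], ev["dport"]))
    alerts: dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it covers at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {count} distinct ports in one window")
```

Repeated hits on a single port are left to a brute-force detector rather than counted here, and the sliding window keeps a slow source that spreads a handful of probes over half an hour below the threshold; a real deployment would also rate-limit alerts per source.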
Q. If the attacker uses UDP, is it impossible for the webmaster to know where the attacker is coming from? Why?
A. No. UDP and TCP packets both contain source and destination addresses. The attacker can set nmap to run in promiscuous mode, which does not alert the victim: it basically just listens to the packets the victim is sending and gathers information that way, without sending anything to the victim. There are tools out now that can detect nmap in promiscuous mode. Furthermore, any communication, whether TCP, UDP or ICMP, will have a source IP address and MAC address used to identify the source. Having said this, both can be forged (faked); tools like nmap do contain options to fake the source, for both TCP and UDP. There are various ways to avoid being detected, such as hiding behind proxies, etc.
Q. There are many options in nmap; some use UDP and others use TCP. How can I know what kind of connection (TCP or UDP) a certain option uses?
A. Use the man page for nmap; it's a really flexible tool. For certain protocols like DNS you'd be interested in UDP; others like HTTP use TCP.
Q. Are nmap and dig set to communicate over TCP by default, or UDP?
A. Basically, nmap scans are TCP scans unless you specify the -sU switch, which does UDP scans. Dig uses UDP by default, since DNS is built on UDP, except that long replies may use TCP.
Q. Do you have any general advice about nmap?
A. Like any tool, it's a double-edged sword. Once you understand how nmap works, move on to some of the other security tools, like metasploit, any of the web vulnerability testing tools, etc. If you're responsible for a system, you'll be glad you did.
Q. Can netcat be used to hack?
A. The most important thing it does is that it can be set to listen on a desired port, allowing the attacker to telnet into the computer and get a command prompt on the victim with the same rights as the admin. Once netcat is installed it's game over: complete control. Netcat would be detected by any virus scanner nowadays.
Q. What is netstat? Tell me briefly.
A. netstat is used for getting detailed information about which connections are currently established, closed, and much more on your system.
Q. There are multiple attack vectors (directions); in other words, there are different kinds of server attacks. What are they?
A. SQL injection, RCE, XSS (cross-site scripting), buffer overflow, defacement, and denial-of-service (DoS) attacks. That's all I can think of; you need to search more about these different attacks. Once you penetrate the system, try to get root so you have all the admin privileges.
Q. What is a blackbox? What is a whitebox?
A. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis.
White box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information.
Black box testing simulates an attack from someone who is unfamiliar with the system.
White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.
Black box penetration testing is useful in the cases where the tester assumes the role of an outside hacker and tries to intrude into the system without adequate knowledge of the system.
Q. What are the professional ways to do a hacking test on your system from a black-box point of view?
A. The proper way to do a penetration test is to:
1. Do reconnaissance of the site
3. Scan and enumerate ports and services of those IPs gathered by #2
4. Gain access; if you are not root, try to get it
5. Maintain Access
6. Cover Tracks
Search for ISSAF or OSSTMM.
Let's break it down:
1. Explore and obtain as much information about the site as you can; use nmap.
2. Determine the operating system (OS) used by the remote target. Knowing the operating system gives a clue as to what sort of tools or attacks a hacker can use.
3. Scan and count the ports, and see what service (application) is running on each port. You find out which applications are running on the ports by fingerprinting.
4. At this point you already have enough information, so start attacking and penetrating the system.
5. Maintain access; I don't have to explain it, it's self-explanatory.
6. Make sure you clean up your tracks, so that when the admin checks the logs he does not find any changes since he last logged in. Do not leave the admin any sign that an intruder hacked the system.
If you need to secure your server, you have to put yourself in a black-hat hacker's shoes! You have to think with a hacker's mindset. If you run a network and do not know how to hack it, somebody else will take care of that, and you won't be too happy.
Hacker == Security Person
You will find that most serious hackers do not have time to play around; they are very busy securing corporate networks and things like that. They are more mature than doing the kiddie stuff....
Hacking is like a knife: you can use it for good or misuse it. A murderer can use a knife to kill and another person can use it to cut an orange.... The knife has nothing to do with being good or bad; it can be both...
This is just for educational purposes....
Q. What is Whois? Does it help attackers achieve what they want?
A. Whois (Who is) allows you to request domain registration information. In other words, it is an Internet utility that returns information about a domain name or IP address. For example, if you enter a domain name such as microsoft.com, whois will return the name and address of the domain's owner (in this case, Microsoft Corporation). By performing a simple WHOIS search you can discover when and by whom a domain was registered, contact information, and more. The original purpose of the WHOIS database was to provide a directory of domain owners that domain administrators could use to look up contact information for other IP address or domain name administrators (almost like a "white pages").
A hacker cannot hack your server based on environment variables alone. Environment variables are required by many programs to ensure that they communicate properly with your web server. In other words, your server must expose that information in order for web browsers to communicate properly with it. Web sites are exploited when their network admins run bad code on them. Period.
The Whois information you are talking about is in the public domain and is not supposed to be hidden. If you do not want the information to be public, you can usually have the contact information point to your hosting company instead.
Environment variables are variables that describe the environment; remember the environment variables in PHP, etc. You can find out the environment the server is running in by calling one of the environment functions available. Search for it to learn more.
Whois gives public information, nothing really private.
Most services, by default, generously give out their name and version when you connect to them. With Apache, I usually always set (in httpd.conf):
ServerSignature Off
ServerTokens Prod
The first one, ServerSignature Off, tells Apache not to display the server version on error pages or other pages it generates.
The second one, ServerTokens Prod, tells Apache to return only "Apache" in the Server header, which is returned on every page request.
Q. Hm, so is it wrong for a webmaster to leave ServerSignature On and ServerTokens not set to Prod?!
A. It's not a matter of what's wrong or right; it's more a question of what level of information you wish to reveal to the outside world. By default, most software will report its name and version number unless you specifically change its configuration.
Q. Somebody told me that making the software name and version number visible to the public can make your server easy to hack! So why do many webmasters not care and reveal them?
A. Security is never a single measure; it requires multiple lines of defence. Revealing your software versions can be useful to hackers and potentially make it a little easier for them to target your systems, but it is only a very, very small part of the whole security equation.
Q. What are environment variables?
A. There are three types of environment variables:
User-defined internal: variables that you define within the test. They are saved with the test and are accessible only within the test in which they were defined.
User-defined external: variables that you predefine in the active external environment variables file. These variables are read-only in this context.
Built-in: variables that represent information about the test and the computer on which the test is run, such as Test path and Operating system. These variables are accessible from all tests and are designated as read-only.