Sep 26, 2014
The type and scope of the penetration test determine how stealthy you need to be. The reasons to avoid detection while testing vary: one is to test the equipment that is supposed to be protecting the network; another is that your client may want to know how long it takes the Information Technology team to respond to a targeted attack on the environment.

Not only will you need to be wary of the administrators and other observers on the target network, you will also need to understand the automated methods of detection such as web application, network, and host-based intrusion detection systems that are in place to avoid triggering alerts.

NOTE:-When presented with the most opportune target, take the time to validate that it is not some sort of honeypot that has been set up to trigger alerts when abnormal traffic or activity is detected! No sense in walking into a trap set by a clever administrator. Note that if you do find a system like this it is still very important to ensure it is set up properly and not inadvertently allowing access to critical internal assets due to a configuration error!

Lab preparation:-

Kali Linux, pfSense, and Metasploitable virtual machines should be configured in the following manner:

Kali Linux guest machine:-

This machine will need to be connected to the VLAN1 subnet. In the Oracle VM VirtualBox Manager console, highlight the Kali Linux instance and select the Settings option from the top navigation bar. Ensure that only one network adapter is enabled. The adapter should use the VLAN1 internal network option.

Now power on your Kali machine and configure the IP address manually as follows:
#ifconfig eth0 netmask 

As the pfSense machine will need to be our router as well, we need to set it up as the default gateway. This can be accomplished as follows:
# route add default gw 

Metasploitable guest machine:-

The Metasploitable machine will be used as the target. It needs to be configured to connect to VLAN2, which is a new internal network we have not used before. To create an internal network you will need to manually type VLAN2 into the network configuration screen in the Oracle VM VirtualBox Manager. Your settings should be similar to the following:

pfSense network setup:-

Configuring our firewall is a bit more work. It needs to route a restricted set of traffic from the VLAN1 network to the VLAN2 subnet. There are several configuration changes we will need to make to ensure this works properly.

Our firewall guest machine will use two network adapters. One will be used for the VLAN1 segment and the other for the VLAN2 segment. VLAN1 will be treated as an untrusted wide area network for the examples within this chapter. Network Adapter 1 should resemble the following screenshot:

Network Adapter 2 should be similar to the following:

pfSense WAN IP configuration:-

The remaining networking setup will need to be performed from within the guest machine.

1. Boot up your pfSense virtual instance. There may be an additional delay as pfSense attempts to configure the WAN adapter. Allow it to fully load until you see the following menu:

2. The WAN and LAN interfaces need to be configured properly. Select option 2) Set interface(s) IP address.

3. Select option 1 – WAN.

4. When asked to configure the WAN interface via DHCP, type n for no.
5. The IP for the WAN adapter should be
6. The subnet bit count should be set to 24. Type 24 and press Enter.
7. Next, set the default gateway; in our case
8. When asked about IPv6, type n and press Enter.
9. Finally you will see the following screen:

10. Press Enter again to return to the configuration menu.

Your LAN and WAN IP ranges should match the following:

pfSense LAN IP configuration:-

We can set up the LAN IP information from the configuration menu as well. One benefit of configuring the LAN here is that we can have a DHCP server configured for VLAN2 at the same time.

1. Select option 2 from the configuration menu to start the interface IP configuration module again.
2. Choose the LAN interface (option 2).
3. When prompted to enter the IP address, type
4. The bit count should be set to 24.

5. Next, set the default gateway; in our case
6. When asked if you would like a DHCP server to be enabled on LAN, choose y for yes.
7. The DHCP client IP range start will be
8. The DHCP client IP range stop will be

9. Press Enter again to return to the configuration menu. Your LAN and WAN IP ranges should match the following:

Firewall configuration:-

pfSense can be configured using its intuitive web interface. Boot up the Kali Linux machine with its network adapter switched to the VLAN2 internal network, open a terminal and run dhclient (as root) to pick up an address from the pfSense DHCP server on VLAN2.

In a web browser on the Kali machine, browse to the firewall's LAN address to reach the configuration panel. If you have reset to factory defaults you will need to step through the wizard to get to the standard console.

Note:-The default username and password combination for pfSense is: admin/pfsense

To view the current firewall rules choose Firewall | Rules and review the current configuration. By default the WAN interface is blocked from connecting inward, as there are no pre-established rules that allow any traffic through.

For testing purpose, we will enable ports 80, 443, 21, and allow ICMP. Add the rules as follows:
1. Click on the add a new rule button displayed in the preceding screenshot.
2. Use the following rule settings to enable ICMP pass-through:

  • Action: Pass 
  • Interface: WAN
  • Protocol: ICMP
  • All others: Defaults

3. Click on the Save button at the bottom of the screen.
4. Click on the Apply Changes button at the top of the screen.
5. Use the Interfaces | WAN navigation menu to enter the WAN interface configuration and uncheck Block private networks (otherwise pfSense drops traffic arriving from RFC 1918 private source addresses, which a lab like this one uses). Apply the changes and return to Firewall | Rules.

6. Click on the add new rule button.

7. Use the following rule settings to enable HTTP pass-through.

  • Action: Pass 
  • Interface: WAN
  • Protocol: TCP
  • Destination port range: HTTP

8. Continue adding ports until the configuration matches the following:

At this point any machine connected to VLAN1 can communicate through the open ports as well as ping machines on the VLAN2 segment, as can be seen in the following screenshot.

Finding out if the firewall is blocking certain ports:-

There is a firewall; now what? The next step is to determine which ports are being blocked by the firewall, or more importantly which are open.


hping3 is included as part of the Kali Linux distribution. It can be accessed via the GUI navigation bar at Applications | Kali Linux | Information Gathering | Live Host Identification | hping3, or invoked at the command line by simply typing hping3. hping3 is a powerful tool that can be used for various security testing tasks. The following syntax can be used to find open ports while remaining fully in control of your scan:
# hping3 -S -c 80 -p ++1

This command performs a SYN scan that starts at port 1 and increments the destination port by one for each of the 80 packets sent (-c 80). A SYN/ACK in the reply marks an open port, an RST marks a closed one, and no reply at all usually means the firewall dropped the probe.

Depending on the firewall configuration it may also be possible to send spoofed packets. During a test it is beneficial to ensure that the configuration does not allow this behaviour, and hping is perfectly suited to the task. The following is an example of how you may test whether the firewall lets such traffic pass:
#hping3 -c 10 -S --spoof -p 80

This command sends 10 SYN packets with a spoofed source address to port 80 on the target. This is the basis of an idle scan: if the spoofed packets get through, you can probe the machine whose address you spoofed (the "zombie") with hping and watch its IP ID field; an increase beyond what the zombie's own replies account for tells you the target answered the spoofed SYN. In this case we could enable monitoring on the pfSense machine to see what this traffic looks like to a network administrator reviewing the logs.
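The IP ID reasoning behind the idle scan, as an added example that is not part of the original post: the functions below take the IP ID values read from a zombie host before and after the spoofed SYN is sent and infer the target port's state, handling the 16-bit counter wrapping around. The zombie simulator and the sample values are constructed, not captured from a real host.

```python
# Added example (not code from the original post): idle-scan inference from
# a zombie's IP ID counter. The zombie and target below are constructed.

IPID_MODULUS = 0x10000  # the IP identification field is 16 bits wide


def ipid_delta(before, after):
    """Increase of a 16-bit IP ID counter from `before` to `after`, wrap-safe."""
    return (after - before) % IPID_MODULUS


def zombie_is_suitable(probe_ipids):
    """A usable zombie is idle and uses one global counter: every reply we
    provoke must carry an IP ID exactly one higher than the previous one."""
    if len(probe_ipids) < 2:
        return False
    return all(ipid_delta(a, b) == 1 for a, b in zip(probe_ipids, probe_ipids[1:]))


def classify_port(zombie_ipid_before, zombie_ipid_after):
    """Per-port inference.

    1. Probe the zombie (SYN/ACK, it answers RST): note its IP ID -> before
    2. Send SYN to target:port with the zombie's address as the source
         open port     : target SYN/ACKs the zombie, zombie sends RST  (+1)
         closed port   : target RSTs the zombie, zombie stays silent   (+0)
         filtered port : nothing reaches the zombie                    (+0)
    3. Probe the zombie again; its own reply adds +1             -> after
    So the observed jump is 2 for open and 1 for closed or filtered.
    """
    delta = ipid_delta(zombie_ipid_before, zombie_ipid_after)
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"  # other traffic touched the zombie; pick a quieter one


class SimulatedZombie:
    """Constructed stand-in for a quiet host with a global +1 IP ID counter."""

    def __init__(self, start_ipid):
        self.ipid = start_ipid

    def send_packet(self):
        self.ipid = (self.ipid + 1) % IPID_MODULUS
        return self.ipid

    def probe(self):
        """Our SYN/ACK probe; the zombie answers with an RST whose IP ID we read."""
        return self.send_packet()

    def receive_from_target(self, target_state):
        """Effect of the target's answer to the spoofed SYN on the zombie."""
        if target_state == "open":
            self.send_packet()  # unexpected SYN/ACK -> zombie replies with RST


def idle_scan(zombie, target_ports):
    """Run the three-step sequence for each port; returns {port: inferred state}."""
    results = {}
    for port, real_state in sorted(target_ports.items()):
        before = zombie.probe()
        zombie.receive_from_target(real_state)  # consequence of the spoofed SYN
        after = zombie.probe()
        results[port] = classify_port(before, after)
    return results


if __name__ == "__main__":
    # Constructed target: 21 closed, 80 open, 443 filtered; counter close to wrap.
    z = SimulatedZombie(start_ipid=0xFFFD)
    print(idle_scan(z, {21: "closed", 80: "open", 443: "filtered"}))
```

Nmap automates exactly this sequence with -sI; the simulation makes the point that closed and filtered ports are indistinguishable from the zombie's side, and that a zombie that is not idle (any other delta) gives no usable answer at all.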

Challenge yourself to create and monitor different packets and uses of Hping so that you can gain a good understanding of the traffic flow. The best means of remaining undetected while testing is to fully understand the technology that is being used. Take a look at the logs generated from a successful scan and keep in mind that due to the amount of traffic involved even secured networks will sometimes only log and trigger events based on denied traffic.

 Note:-Logging per rule will need to be enabled on the firewall to see allowed traffic. Not logging permitted traffic is fairly standard practice as it reduces the firewall log size. Educate your clients that proactively monitoring allowed traffic can also be beneficial when attempting to truly secure a network.

Nmap firewalk script:-

One of the easiest methods to test open ports on a firewall is to simply use the firewalk script for Nmap. To test the open firewall ports you will need a host behind the firewall as the target:
#nmap --script=firewalk --traceroute

The command sequence is straightforward and familiar: we invoke nmap, use the script option, and choose the firewalk script. We then provide the input that firewalk needs by adding --traceroute against the target host, which we know is behind our firewall; firewalk learns from the traceroute which hop the firewall sits at, sends probes with a TTL one higher than that hop, and reports a port as forwarded when an ICMP time-exceeded message comes back from the other side.

Although we were able to determine which ports on the firewall were open (21, 80, and 443), if you take a look at the firewall denies it quickly becomes apparent that this is not a quiet test and should only be used when stealth is not needed. What this boils down to is that stealth requires patience and a well made plan of action. It may be easier to manually verify whether any common ports are open on the firewall and then scan through one of those well-known ports.
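What a firewalk or SYN sweep looks like in the deny log, as an added example that is not part of the original post: the detection logic below runs over a few constructed log lines (a simplified format written for this example, not pfSense's real filterlog syntax; addresses are from the RFC 5737 documentation ranges) and flags any source that is denied on many distinct destination ports inside a short window. The threshold of eight ports and the 60-second window are assumptions to tune for your own environment.

```python
# Added example (not from the original post): flag port sweeps in deny logs.
# The log format and every line below are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line: "<ISO timestamp> <action> <iface> <proto> <src>:<sport> -> <dst>:<dport>"
# Only denied traffic appears, mirroring the "log denies only" default in the text.
SAMPLE_LOG = """\
2014-09-26T10:00:01 block wan tcp 198.51.100.7:40111 -> 192.0.2.10:22
2014-09-26T10:00:01 block wan tcp 198.51.100.7:40112 -> 192.0.2.10:23
2014-09-26T10:00:01 block wan tcp 198.51.100.7:40113 -> 192.0.2.10:25
2014-09-26T10:00:02 block wan tcp 198.51.100.7:40114 -> 192.0.2.10:53
2014-09-26T10:00:02 block wan tcp 198.51.100.7:40115 -> 192.0.2.10:110
2014-09-26T10:00:02 block wan tcp 198.51.100.7:40116 -> 192.0.2.10:139
2014-09-26T10:00:03 block wan tcp 198.51.100.7:40117 -> 192.0.2.10:445
2014-09-26T10:00:03 block wan tcp 198.51.100.7:40118 -> 192.0.2.10:3389
2014-09-26T10:00:03 block wan udp 198.51.100.7:40119 -> 192.0.2.10:161
2014-09-26T10:00:04 block wan tcp 198.51.100.7:40120 -> 192.0.2.10:8080
2014-09-26T10:07:30 block wan tcp 203.0.113.9:51000 -> 192.0.2.10:22
2014-09-26T10:09:15 block wan tcp 203.0.113.9:51001 -> 192.0.2.10:22
"""


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, action, iface, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError("unexpected log line: %r" % line)
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "iface": iface,
        "proto": proto,
        "src": src_ip,
        "dst": dst_ip,
        "dport": int(dport),
    }


def find_port_sweeps(log_text, min_ports=8, window=timedelta(seconds=60)):
    """Return {src_ip: sorted (proto, port) list} for every source that was
    denied on at least `min_ports` distinct destination ports within any
    sliding `window`. A single repeated probe to one port never qualifies."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "block":
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            ports = {(e["proto"], e["dport"]) for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)  # keep the latest qualifying window
    return hits


if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOG).items():
        print("%s swept %d ports: %s" % (src, len(ports), ports))
```

The flip side is the caveat from the text: a tester who only ever touches the ports the firewall permits leaves no line in this log at all, because permitted traffic is not logged unless per-rule logging is switched on.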

Avoiding IDS:-

In a secured environment you can count on running into IDS and IPS. Properly configured and used as part of a true defense in depth model, their effectiveness increases tremendously. This means that the IDS will need to be properly updated, monitored, and placed in the proper locations. A penetration tester will be expected to verify that the IDSs are working properly in conjunction with all other security controls to protect the environment.

The primary method of bypassing any IDS is to avoid signatures that are created to look for specific patterns. These signatures must be fine-tuned to find only positively malicious behavior and should not be so restrictive that alerts are triggered for normal traffic patterns. Over the years, the maturity level of these signatures has increased significantly, but a penetration tester or knowledgeable attacker will be able to use various means to bypass even the most carefully crafted signatures. In this section, we review some of the methods that have been used by attackers in the wild.

Canonicalization Technique:-

Canonicalization is the act of reducing input to one standard (canonical) form. The evasion technique is to send a non-canonical but equivalent encoding of a filename, path, or address: the IDS compares a string that does not match its signature while the target system still resolves it to the same thing. This can be as simple as substituting hexadecimal representations for ASCII text values. Here is an example of an equivalent string:

• String A in hex: "54:68:69:73:20:69:73:20:61:20:73:74:72:69:6e:67"
• String A in text: "This is a string"
• String A as decimal ASCII codes: "084 104 105 115 032 105 115 032 097 032 115 116 114 105 110 103"

Attackers take advantage of the fact that there are sometimes literally thousands of equivalent encodings for a single URL. To put this into perspective, let's take a look at the address we can use to get from our browser to our local Apache server:

Luckily, this address confuses our Apache server and we receive the following message:

The previous request attempted to load the local page at Let's see what occurs when we try to load the remote pfSense administration console in the same manner:

Here we are warned by the web server hosting the pfSense administrative console that a potential DNS rebind attack occurred:

 Let’s try something else that actually works properly:

In the console, ping one of the addresses we listed above:

 #ping 3232240651

As we can see, the decimal form of the address was accepted as an IP address and we receive our replies as expected. This very same concept is key when trying to bypass an IDS rule. If the type of IDS can be determined, then it should be possible to get the signatures. When reviewing these signatures you would look for opportunities to obscure the URLs, filenames, or other path information enough to bypass the existing ruleset while the destination still interprets the request the way you intend.
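The equivalences this section relies on, as an added example that is not part of the original post: the code below generates alternate spellings of an IPv4 address (the plain decimal form used in ping 3232240651 above, hex, octal and the three-part form accepted by the C library's inet_aton), reduces any of them back to the canonical dotted form, reproduces the hex and decimal encodings of "This is a string", and normalizes a URL path the way a signature engine should before matching (repeated percent-decoding, then collapsing ./ and ../). Only the Python standard library is used; the sample inputs are constructed.

```python
# Added example (not from the original post): equivalent encodings of IPv4
# addresses and URL paths, and the canonical form an IDS should match on.
import posixpath
from urllib.parse import unquote


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _parse_component(s):
    """inet_aton-style number: 0x.. is hex, a leading 0 is octal, else decimal."""
    s = s.lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)


def canonicalize_host(text):
    """Reduce any inet_aton-accepted spelling of an IPv4 address to dotted decimal.

    Fewer than four components are allowed, as in inet_aton: a.b.c fills the
    last 16 bits from c, a.b the last 24 bits from b, and a single number is
    the whole 32-bit value (the `ping 3232240651` case from the text).
    """
    parts = [_parse_component(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("not an IPv4 address: %r" % text)
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    value = 0
    for part, width in zip(parts, widths):
        if part >= 1 << width:
            raise ValueError("component out of range in %r" % text)
        value = (value << width) | part
    return int_to_ip(value)


def alternate_forms(dotted):
    """A few of the equivalent spellings an attacker might use for one address."""
    n = ip_to_int(dotted)
    octets = [int(x) for x in dotted.split(".")]
    return {
        "dword": str(n),
        "hex": "0x%08X" % n,
        "dotted_octal": ".".join("0%o" % o for o in octets),
        "dotted_hex": ".".join("0x%02X" % o for o in octets),
        "three_part": "%d.%d.%d" % (octets[0], octets[1], (octets[2] << 8) | octets[3]),
    }


def hex_colon(text):
    """The colon-separated hex form shown in the text."""
    return ":".join("%02x" % b for b in text.encode("ascii"))


def decimal_codes(text):
    """The zero-padded decimal ASCII form shown in the text."""
    return " ".join("%03d" % b for b in text.encode("ascii"))


def normalize_url_path(path, max_rounds=5):
    """Percent-decode until stable (defeats double encoding such as %252e), then
    collapse ./ and ../ segments, so a signature sees what the server will see."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath(decoded)


if __name__ == "__main__":
    print(canonicalize_host("3232240651"))            # the address pinged in the text
    for label, form in alternate_forms("192.168.20.11").items():
        print("%-13s %-22s -> %s" % (label, form, canonicalize_host(form)))
    print(hex_colon("This is a string"))
    print(normalize_url_path("/cgi-bin/%252e%252e/etc/passwd"))
```

A signature that matches on the literal dotted address or the literal "../" string misses every one of the generated forms; the point of canonicalize_host and normalize_url_path is that the detection side must do the same reduction the destination will do before it compares anything.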

August 26, 2014

Hacking – Operating System Fingerprinting using Different Tools & Techniques


After we know that the target machine is a live, we can then find out the operating system used by the target machine. This method is commonly known as Operating System (OS) fingerprinting.
There are two methods of doing OS fingerprinting:

  • active
  • passive

In the active method, the tool sends network packets to the target machine and then determines its operating system from the responses it receives. The advantage of this method is that the fingerprinting process is fast. The disadvantage is that the target machine may notice our attempt to get its operating system information.

To overcome the active method's disadvantage, there is the passive method of OS fingerprinting, pioneered by Michal Zalewski when he released a tool called p0f. The disadvantage of the passive method is that it is slower than the active method, since it has to wait for traffic to observe.

In this section, we will describe a couple of tools that can be used for OS fingerprinting.

p0f:-

The p0f tool is used to fingerprint an operating system passively. It can be used to identify the operating system on the following machines:

• Machines that connect to your box (SYN mode; this is the default mode)
• Machines you connect to (SYN+ACK mode)
• Machines you cannot connect to (RST+ mode)
• Machines whose communications you can observe

(These mode names come from p0f version 2; p0f version 3, which is used below, fingerprints SYN and SYN+ACK packets, and HTTP requests, without a mode switch.)

The p0f tool works by analyzing the TCP packets sent during network activity. It relies on details of TCP/IP stack behaviour that the standards leave to the implementer (initial TTL, window size, the order of TCP options, and so on), which differ from one operating system to another.

An example is the ping payload: the Linux ping sends 56 data bytes (64 bytes including the ICMP header), whereas the Windows ping sends 32 bytes. Another is the Time To Live (TTL) value: Windows starts at 128 while Linux starts at 64, so a packet arriving with a TTL of 58 most likely came from a Linux host six hops away. This information is used by p0f to determine the remote machine's operating system.
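The passive reasoning p0f applies, as an added example that is not part of the original post and not p0f's own code: the functions below recover the initial TTL (and hence the hop distance) from an observed TTL, match one observed SYN against a small signature table, and apply the ping-payload heuristic from the paragraph above. The signature table is a constructed, two-entry approximation of well-known stack defaults; the real p0f.fp database is far more detailed and matches on many more fields.

```python
# Added example (not from the original post): a miniature p0f-style passive
# fingerprinter. The signature table is constructed and deliberately small.

INITIAL_TTLS = (32, 64, 128, 255)  # the values operating systems start from


def guess_initial_ttl(observed_ttl):
    """Hosts start at one of a few fixed TTLs and each router decrements by one,
    so the original value is the smallest common initial TTL not below the
    observed one."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError("TTL out of range: %d" % observed_ttl)


def hop_distance(observed_ttl):
    """How many routers the packet crossed, given the initial-TTL guess."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


# (initial TTL, window size, TCP option layout, DF bit) -> label.
# Constructed approximations of typical SYN packets, not p0f's database.
SYN_SIGNATURES = {
    (64, 5840, ("mss", "sackOK", "ts", "nop", "wscale"), True): "Linux 2.6.x",
    (128, 65535, ("mss", "nop", "nop", "sackOK"), True): "Windows XP",
}


def fingerprint_syn(ttl, window, options, df):
    """Match one observed SYN against the table; returns (label, hop distance)."""
    key = (guess_initial_ttl(ttl), window, tuple(options), bool(df))
    return SYN_SIGNATURES.get(key, "unknown"), hop_distance(ttl)


def echo_request_hint(payload_len, ttl):
    """Ping-payload heuristic from the text: Linux ping sends 56 data bytes and
    starts at TTL 64; Windows ping sends 32 data bytes and starts at TTL 128."""
    initial = guess_initial_ttl(ttl)
    if payload_len == 56 and initial == 64:
        return "Linux"
    if payload_len == 32 and initial == 128:
        return "Windows"
    return "unknown"


def fingerprint_capture(observations):
    """Summarize a list of observed SYNs (dicts) as {source: (label, hops)}."""
    return {
        ob["src"]: fingerprint_syn(ob["ttl"], ob["window"], ob["options"], ob["df"])
        for ob in observations
    }


if __name__ == "__main__":
    # Constructed observations: what a sniffer might hand us for two sources.
    capture = [
        {"src": "192.0.2.10", "ttl": 58, "window": 5840,
         "options": ("mss", "sackOK", "ts", "nop", "wscale"), "df": True},
        {"src": "192.0.2.20", "ttl": 120, "window": 65535,
         "options": ("mss", "nop", "nop", "sackOK"), "df": True},
    ]
    for src, (label, hops) in fingerprint_capture(capture).items():
        print("%s: %s, %d hops away" % (src, label, hops))
```

Two things the toy makes visible: the hop count is a by-product of every passive guess, and a single field that an administrator has tuned (a changed default TTL, a larger window) breaks an exact-match table, which is why the real p0f matches more loosely and on more fields.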

To use the new version of p0f, download the file from
Extract the archive and change into the resulting folder. Now let's use p0f to identify the operating system used on a remote machine we are connecting to. Just type the following command in your console:
#p0f -f p0f.fp -o log.log

This will read the fingerprint database from the /root/p0f-3.07b/p0f.fp file and save the log information to the log.log file. It will then display the following information:

Next, you need to generate network activity involving a TCP connection, such as browsing to the remote machine or letting the remote machine connect to yours.
We use Netcat in another terminal to do that:
#nc 80

If p0f has successfully fingerprinted the operating system, you will see information of the remote machine’s operating system in the console and in the log file.

Based on the preceding result, we know that the target is a Linux 2.6.x machine.

The following screenshot shows the information from the target machine:

By comparing this information, we know that p0f got the OS information correctly. The remote machine is running Linux 2.6. You can stop p0f by pressing the Ctrl + C key combination.

Nmap:-

Nmap is a very popular and capable port scanner. Besides this, it can also be used to fingerprint a remote machine's operating system; it is an active fingerprinting tool. To use this feature, give the -O option to the nmap command. OS detection needs raw-socket privileges (run it as root), and it is most accurate when Nmap finds at least one open and one closed TCP port on the target.

For example, if we want to fingerprint the operating system used on the machine, we use the following command:
#nmap -O

Nmap was able to get the correct operating system information after fingerprinting the operating system of the remote machine.

August 19, 2014

Identifying the Target Machine using Different Tools & Technique


The tools included in this category are used to identify the target machines that can be accessed by a penetration tester. Before we start the identification process, we need
to know our client’s terms and agreements. If the agreements require us to hide pen-testing activities, we need to conceal our penetration testing activities. Stealth technique may also be applied for testing the Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) functionality. If there are no such requirements, we may not need to conceal our penetration testing activities.

ping:-

 The ping tool is the most famous tool that is used to check whether a particular host is available. The ping tool works by sending an Internet Control Message Protocol (ICMP) echo request packet to the target host. If the target host is available and the firewall is not blocking the ICMP echo request packet, it will reply with the ICMP echo reply packet.

Note:-The ICMP echo request and ICMP echo reply are two of the available ICMP control messages.

Although you can’t find ping in the Kali Linux menu, you can open the console and type the ping command with its options.

To use ping, you can just type ping and the destination address as shown in the following screenshot:

In Kali Linux, by default, ping will run continuously until you press Ctrl + C.

The ping tool has a lot of options, but the following are a few that are often used:

• -c count: the number of echo request packets to be sent.
• -I interface address: the network interface of the source address. The argument may be a numeric IP address (such as or the name of the device (such as eth0). This option is required if you want to ping an IPv6 link-local address.
• -s packet size: the number of data bytes to be sent. The default is 56 bytes, which translates into 64 bytes of ICMP data when combined with the 8 bytes of the ICMP header.

Let’s use the preceding information in practice.

Suppose you are starting with internal penetration testing work. The customer gave you access to their network using a LAN cable. And, they also gave you the list of target servers’ IP addresses.
The first thing you would want to do before launching a full penetration testing arsenal is to check whether these servers are accessible from your machine. You can use ping for this task.
The target server is located at, while your machine has an IP address of To check the target server availability, you can give the following command:
#ping -c 1
The following screenshot is the result of the preceding ping command:
Note:-ping also accepts hostnames as the destination.
From the preceding screenshot, we know that there is one ICMP echo request packet sent to the destination (IP address: Also, the sending host (IP address: received one ICMP echo reply packet. The round-trip time required is 1.326 ms, and there is no packet loss during the process.
Let’s see the network packets that are transmitted and received by our machine. We are going to use Wireshark, a network protocol analyzer, on our machine to capture these packets, as shown in the following screenshot:
From the preceding screenshot, we can see that our host ( sent one ICMP echo request packet to the destination host ( Since the destination is alive and allows the ICMP echo request packet, it will send the ICMP echo reply packet back to our machine.
If your target is using an IPv6 address, such as fe80::20c:29ff:fee1:96df, you can use the ping6 tool to check its availability. You need to give the -I option for the command to work against the link-local address:
The following screenshot shows the packets sent to complete the ping6 request:
From the preceding screenshot, we know that ping6 is using the ICMPv6 request and reply.
Security Tip:-To block the ping request, the firewall can be configured to only allow the ICMP echo request packet from a specific host and drop the packets sent from other hosts.

arping:-

The arping tool is used to ping a host on the Local Area Network (LAN) using Address Resolution Protocol (ARP) requests. You can use arping to ping a target machine using its IP, host, or Media Access Control (MAC) address.
The arping tool operates at Open Systems Interconnection (OSI) layer 2 (the data link layer), so it can only be used on the local network segment; ARP is not routed across routers or gateways.

To start arping, you can use the console to execute the following command:
# arping

This will display brief usage information on arping.
You can use arping to get the target host’s MAC address:
# arping -c 1
From the previous command output, we can see that the target machine has a MAC address of 00:0c:29:e1:96:df.
Let’s observe the network packets captured by Wireshark on our machine during the arping process:
From the preceding screenshot, we can see that our network card (MAC address: Vmware_e1:96:df) sends an ARP request to the broadcast MAC address (ff:ff:ff:ff:ff:ff), asking who has the IP address. If a host owns that IP address, it sends an ARP reply containing its MAC address (Vmware_46:15:dc), as can be seen from packet number 2.
However, if the IP address is not available, there will be no ARP replies, informing the MAC address of the IP address, as can be seen from the following screenshot:
Another common use of arping is to detect duplicate IP addresses in a local network. For example, your machine is usually connected to a local network using an IP address of; one day, you would like to change the IP address. Before you can use the new IP address, you need to check whether that particular IP address is already in use.
You can use the following arping command to help you detect whether the IP address of is in use:
# arping -d -i eth0 -c 2
# echo $?
If the exit code is 0, the IP address is available; if it is 1, the IP address of is answered by more than one machine, that is, it is already in use.

fping:-

The difference between ping and fping is that fping can send a ping (ICMP echo) request to several hosts at once. You can specify several targets on the command line, or use a file containing the hosts to be pinged.

In the default mode, fping works by watching for replies from the target hosts. If a target host replies, it is noted and removed from the target list. If a host does not respond within a certain time limit, it is marked as unreachable.

By default, fping retries each unanswered target up to three times (the -r retry limit) before giving up on it.

To access fping, you can use the console to execute the following command:
# fping -h

This will display the description of usage and options available in fping.

The following scenarios will give you an idea of the fping usage:

If we want to know the alive hosts of, and at once, we can use the following command:

The following is the result of the preceding command:

We can also generate the host list automatically without defining the IP addresses one by one and identifying the alive hosts. Let’s suppose we want to know the alive hosts in the network; we can use the -g option and define the network to check, using the following command:
# fping -g

The result for the preceding command is as follows:

If we want to change the number of retries made to each target, we can use the -r option (retry limit) as shown in the following command line. By default, the retry limit is three.
#fping -r 1 -g

The result of the command is as follows:

Displaying the cumulative statistics can be done by giving the -s option (print cumulative statistics) as follows:
#fping -s

The following is the result of the preceding command line:

hping3:-

The hping3 tool is a command-line network packet generator and analyzer. The capability to create custom network packets allows hping3 to be used for TCP/IP and security testing, such as port scanning, firewall rule testing, and network performance testing. Typical uses include:

• Test firewall rules
• Test Intrusion Detection System (IDS)
• Exploit known vulnerabilities in the TCP/IP stack

To access hping3, go to the console and type hping3. You can give commands to hping3 in several ways, via the command line, interactive shell, or script.

Without any given command-line options, hping3 will send a null TCP packet to port 0.

In order to change to a different protocol, you can use the following options in the command line to define the protocol:

When using the TCP protocol, we can use the TCP packet without any flags (this is the default behavior) or we can give one of the following flag options:

 Let’s use hping3 for several cases as follows:

Send one ICMP echo request packet to a machine. The options used are -1 (for the ICMP protocol) and -c 1 (to set the count to one packet):
#hping3 -1 -c 1

The following is the output of the command:

From the preceding output, we can note that the target machine is alive because it has replied to our ICMP echo request. To verify this, we captured the traffic using tcpdump and the following screenshot shows the packets:

We can see that the target has responded with an ICMP echo reply packet.

Besides giving the options on the command line, you can also use hping3 interactively. Open the console and type hping3. You will then see a prompt where you can type your Tcl commands.

For the preceding example, the following is the corresponding Tcl script:
hping send {ip(daddr=)+icmp(type=8,code=0)}

Open a command-line window, start hping3, and give the following command at its prompt to receive the response from the target server:
#hping recv eth0

After that, open another command-line window to input the sending request.

The following screenshot shows the response received:

• You can also use hping3 to check for a firewall rule. Let’s suppose you have the following firewall rules:
                  ° Accept any TCP packets directed to port 22 (SSH)
                  ° Accept any TCP packets related with an established connection
                  ° Drop any other packets

To check these rules, you can give the following command in hping3 in order to send an ICMP echo request packet:
#hping3 -1 -c 1

The following code is the result:

We can see that the target machine has responded to our ping probe. Note that under the three rules listed above an ICMP echo request should have been dropped, so a reply tells you the ruleset in force is not the one you assumed. To exercise the rules themselves, send a TCP SYN to port 22, which should be answered, and a SYN to a port that is not listed, which should get no reply at all.

nping:-

The nping tool is a tool that allows users to generate network packets of a wide range of protocols (TCP, UDP, ICMP, and ARP). You can also customize the fields in the protocol headers, such as the source and destination port for TCP and UDP. The difference between nping and other similar tools such as ping is that nping supports multiple target hosts and port specification.

It can be used to send an ICMP echo request just like in the ping command. nping can also be used for network stress testing, Address Resolution Protocol (ARP) poisoning, and the denial of service attacks.

In Kali Linux, nping is included with the Nmap package.The following are several probe modes supported by nping:

You need to open a console and type nping. This will display the usage and options’ description.
In order to use nping to send an ICMP echo request to the target machines,, and, you can give the following command:

#nping -c 1
The following screenshot shows the command output:

From the preceding screenshot, we know that only the machine is sending back the ICMP echo reply packet.
If the machine is not responding to the ICMP echo request packet, you can still find out whether it is alive by sending a TCP SYN packet to an open port on that machine. For example, to send one (-c 1) TCP packet (--tcp) to the IP address port 22 (-p 22), you can give the following command:

#nping --tcp -c 1 -p 22

Of course, you need to guess the ports which are open. We suggest that you try with the common ports, such as 21, 22, 23, 25, 80, 443, 8080, and 8443.

The following screenshot shows the result of the mentioned example:

From the preceding result, we can see that the remote machine ( is alive because when we sent the TCP packet to port 22, the target machine responded.

alive6:-

If you want to discover which machines are alive in an IPv6 environment, you can't just ask the tool to scan the whole network, because the address space is huge. A typical IPv6 subnet is a /64, leaving a 64-bit host portion, so discovering the machines sequentially would require at least 2^64 packets, which is not feasible in the real world.
Fortunately, there is a protocol called ICMPv6 Neighbor Discovery. By probing the all-nodes multicast address, an IPv6 host can discover the link-local and autoconfigured addresses of the other IPv6 systems on the local network. In short, you can use this protocol to find live hosts on the local subnet.
To help you do this, there is a tool called alive6, which can send ICMPv6 probes and listen for the responses. This tool is part of the THC-IPv6 Attack Toolkit developed by van Hauser from The Hacker's Choice group.
Suppose you want to find the active IPv6 systems on your local IPv6 network, the following command can be given with the assumption that the eth0 interface is connected to the LAN:

#alive6 -p eth0

detect-new-ip6:-

This tool can be used to detect a new IPv6 address joining the local network. This tool is part of the THC-IPv6 Attack Toolkit developed by van Hauser from The Hacker's Choice group.
To access detect-new-ip6, go to the console and type detect-new-ip6. This will display the usage information.
Following is a simple usage of this tool; we want to find the new IPv6 address that joined the local network:

#detect-new-ip6 eth0

passive_discovery6:-

This tool can be used to sniff the local network for IPv6 addresses. This tool is part of the THC-IPv6 Attack Toolkit developed by van Hauser from The Hacker's Choice group. Getting IPv6 addresses without being detected by an IDS can be useful.

To access passive_discovery6, go to the console and type passive_discovery6. This will display the usage information on the screen. The following command is an example of running this tool:
#passive_discovery6 eth0
This tool simply waits for Neighbor Discovery traffic (ICMPv6 neighbor solicitation and advertisement messages, the IPv6 counterpart of ARP requests and replies) by monitoring the network, and then maps the hosts it sees. The following are the IPv6 addresses that can be discovered by this tool on the network:

• fe80::539:3035:77a4:dc68

• fe80::20c:29ff:fee1:96df

nbtscan:-

If you are doing internal penetration testing in a Windows environment, the first thing you want to do is get the NetBIOS information. One of the tools that can be used for this is nbtscan.
The nbtscan tool produces a report containing the IP address, NetBIOS computer name, services available, logged-in username, and MAC address of each responding machine. The NetBIOS name is useful if you want to access a service the machine provides over NetBIOS, such as an open share. Be careful: this tool generates a lot of traffic and it may be logged by the target machines.

To access nbtscan, open the console and type nbtscan. As an example, we want to find out the NetBIOS names of the computers located on our network ( The following is the command to be used:


From the preceding result, we are able to find three NetBIOS names, including METASPLOITABLE.

Let’s find the service provided by these machines by giving the following command:

#nbtscan -hv

Option -h prints the services with human-readable names, while option -v gives more verbose output.

From the preceding result, we can see that there are many services available on METASPLOITABLE: Workstation, Messenger, File Server, and so on. In our experience, this information is very useful because it tells us which machines run a file sharing service. Next, we can check whether those file shares are accessible so that we can reach the files stored on them.