Friday, August 17, 2018

Most Important Network Penetration Testing Checklist

Network penetration testing identifies weaknesses in the network posture by discovering open ports, probing live systems and services, and grabbing system banners.


The pen-test helps the administrator close unused ports and unnecessary services, hide or customize banners, troubleshoot services and calibrate firewall rules. Test in every way you can so that no security loophole is left behind.

Let's see how to conduct step-by-step network penetration testing using some well-known network scanners.

1. Host Discovery

Footprinting is the first and most important phase, where one gathers information about the target system.
DNS footprinting enumerates the DNS records (A, MX, NS, SRV, PTR, SOA, CNAME) that resolve to the target domain.

  • A – An A record points a domain name such as gbhackers.com to the IP address of its hosting server.
  • MX – Records responsible for email exchange.
  • NS – NS records identify the DNS servers responsible for the domain.
  • SRV – Records that identify the service hosted on specific servers.
  • PTR – Reverse DNS lookup; from an IP address you can get the domain names associated with it.
  • SOA – Start of Authority record; it holds the information the DNS system keeps about the DNS zone and its other DNS records.
  • CNAME – A CNAME record maps a domain name to another domain name.
Live and accessible hosts in the target network can be detected with network scanning tools such as Advanced IP Scanner, Nmap, hping3 and Nessus.

Ping & Ping Sweep:

root@kali:~# nmap -sn 192.168.169.128          Single host
root@kali:~# nmap -sn 192.168.169.128-20       Range of IPs
root@kali:~# nmap -sn 192.168.169.*            Wildcard
root@kali:~# nmap -sn 192.168.169.128/24       Entire subnet

Whois Information

To obtain the Whois information and name servers of a website:

root@kali:~# whois testdomain.com
  1. http://whois.domaintools.com/
  2. https://whois.icann.org/en
Traceroute

A network diagnostic tool that displays the route path and the transit delay of packets.

root@kali:~# traceroute google.com
 
Online Tools
  1. http://www.monitis.com/traceroute/
  2. http://ping.eu/traceroute/

2. Port Scanning

Perform port scanning using tools such as Nmap, hping3, NetScan Tools and Network Monitor. These tools probe a server or host on the target network for open ports.
Open ports are the gateway attackers use to get in and install malicious backdoor applications.

root@kali:~# nmap --open gbhackers.com          To find all open ports
root@kali:~# nmap -p 80 192.168.169.128         Specific port
root@kali:~# nmap -p 80-200 192.168.169.128     Range of ports
root@kali:~# nmap -p "*" 192.168.169.128        To scan all ports

Online Tools
  1. http://www.yougetsignal.com/
  2. https://pentest-tools.com/information-gathering/find-subdomains-of-domain

3. Banner Grabbing/OS Fingerprinting

Perform banner grabbing/OS fingerprinting with tools such as Telnet, ID Serve and Nmap to determine the operating system and service versions of the target host.
Once you know the version and operating system of the target, find the relevant vulnerabilities and attempt to exploit them to gain control over the system.

root@kali:~# nmap -A 192.168.169.128
root@kali:~# nmap -v -A 192.168.169.128 with high verbosity level
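As an added example (not part of the original checklist), a small Python parser for Nmap's grepable output (`-oG`) that covers the port-scanning and banner-grabbing steps from the administrator's side: it lists each host's open ports with their service banners and flags any port not on a per-host allowlist of expected services, which is the input for the "close unused ports" decision. The scan lines and the allowlist are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG -` (grepable) output; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated (constructed sample)
Host: 192.168.169.128 ()\tStatus: Up
Host: 192.168.169.128 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29/, 3306/open/tcp//mysql//MySQL 5.7.23/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.168.169.130 ()\tStatus: Up
Host: 192.168.169.130 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, 443/open/tcp//https//nginx 1.14.0/\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Services the administrator expects to be reachable (constructed policy).
EXPECTED = {
    "192.168.169.128": {22, 80},
    "192.168.169.130": {443},
}


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> list:
    """Return an OpenPort for every port in 'open' state in -oG output.

    Each port entry has the form port/state/proto/owner/service/rpcinfo/version/;
    the version text may contain spaces but never a tab, and the fields of a
    Host line are tab-separated.
    """
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]          # "1.2.3.4 (name)" -> "1.2.3.4"
        ports = fields.get("Ports")
        if not ports:                              # "Status: Up" lines carry no ports
            continue
        for entry in ports.split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
            if state != "open":
                continue
            found.append(OpenPort(host, int(port), proto, service, version.rstrip("/")))
    return found


def unexpected_ports(open_ports: list, expected: dict) -> list:
    """Open ports missing from the host's allowlist: close them or document why not."""
    return [p for p in open_ports if p.port not in expected.get(p.host, set())]


def report(text: str, expected: dict = EXPECTED) -> list:
    """One human-readable finding per unexpected open port."""
    return [
        f"{p.host}:{p.port}/{p.proto} {p.service} ({p.version or 'no banner'}) not in allowlist"
        for p in unexpected_ports(parse_gnmap(text), expected)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GNMAP)))
```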

4. Scan for Vulnerabilities

Scan the network for vulnerabilities using GFI LanGuard, Nessus, Retina CS and SAINT.
These tools help find vulnerabilities in the target systems and their operating systems. With this step you can find the loopholes in the target network.

GFI LanGuard

It acts as a security consultant and offers patch management, vulnerability assessment and network auditing services.

Nessus

Nessus is a vulnerability scanner that searches for bugs in software and finds specific ways the security of a software product can be violated. Its workflow:
  • Data gathering.
  • Host identification.
  • Port scan.
  • Plug-in selection.
  • Reporting of data.

5. Draw Network Diagrams

Draw a network diagram of the organization; it helps you understand the logical connection path to the target host in the network.
The network diagram can be drawn with LANmanager, LANstate, Friendly Pinger or Network View.

6. Prepare Proxies

Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.
With proxy servers we can anonymize web browsing and filter unwanted content such as ads.
Proxies such as Proxifier, SSL Proxy, Proxy Finder, etc., are used to hide yourself from being caught.

7. Document all Findings

The last and very important step is to document all the findings from the penetration test.
This document helps you track the potential vulnerabilities in your network. Once you have determined the vulnerabilities, you can plan counteractions accordingly.
You can download the rules and scope worksheet here: Rules and Scope sheet
Thus penetration testing helps you assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.

Important Tools used for Network Pentesting

Frameworks

Kali Linux, Backtrack5 R3, Security Onion

Reconnaissance

Smartwhois, MxToolbox, CentralOps, dnsstuff, nslookup, DIG, netcraft

Discovery

Angry IP Scanner, Colasoft Ping Tool, nmap, Maltego, NetResident, LanSurveyor, OpManager

Port Scanning

Nmap, MegaPing, hping3, NetScan Tools Pro, Advanced Port Scanner

Service Fingerprinting

Xprobe, nmap, Zenmap

Enumeration

SuperScan, NetBIOS Enumerator, snmpcheck, onesixtyone, JXplorer, Hyena, DumpSec, WinFingerprint, PsTools, NsAuditor, enum4linux, nslookup, NetScan

Scanning

Nessus, GFI LanGuard, Retina, SAINT, Nexpose

Password Cracking

Ncrack, Cain & Abel, LC5, Ophcrack, pwdump7, fgdump, John the Ripper, RainbowCrack

Sniffing

Wireshark, Ettercap, Capsa Network Analyzer

MiTM Attacks

Cain & Abel, Ettercap

Exploitation

Metasploit, Core Impact

These are the most important checklist items to concentrate on in network penetration testing.





XAttacker Tool – Scan and Auto Exploit Web Vulnerabilities

XAttacker is a Perl tool capable of scanning and auto-exploiting vulnerabilities in web applications. Given a target website, the tool detects whether the site runs a supported Content Management System (CMS) and looks for vulnerabilities specific to the detected CMS. Currently supported CMSs include WordPress, Joomla, Drupal, PrestaShop and LokoMedia.


How to Install the Tool?


XAttacker can be installed by cloning the setup from its GitHub repository with the following command.

git clone https://github.com/Moham3dRiahi/XAttacker.git
 
The cloning process may ask for a username and password to proceed. Another option is to download the ZIP file from the GitHub repository and extract it. Change into the extracted folder and list its contents with the following commands; the folder must contain the XAttacker.pl file.

cd XAttacker-master
ls


Scan and Exploit with XAttacker

Using XAttacker is straightforward. First, save the target website(s) in a text file. Then run the tool with the following command.

perl XAttacker.pl

The command starts the tool and asks you to select one of two options for supplying the target website list. Select the appropriate option and provide the path to the file containing the target website(s) created earlier. For demonstration purposes, we have added the target website to a file named 'mylist', saved on the desktop.


If the target website runs a supported CMS, the tool starts exploring the possibilities of exploiting the website based on vulnerabilities in a predefined set of resources. For instance, on a WordPress website the tool searches for vulnerabilities in resources such as plugins, forms, PHP code and specific themes. Similarly, on Drupal the tool looks for admin panel vulnerabilities. If no vulnerability is found on the targeted website, the tool returns to the initial step.


However, if XAttacker finds a vulnerability, it exploits it automatically if the attacker chooses to do so. XAttacker could be useful for red team exercises in particular.





 


Adobe Patches 11 Vulnerabilities Including Two Critical Code Execution Flaws

Besides Microsoft patches, this Tuesday also witnessed bug fixes from Adobe. While Microsoft managed to fix 60 vulnerabilities in one batch, Adobe has also patched 11 different vulnerabilities with its latest update. The fixes address two critical code execution vulnerabilities in Adobe Reader and Acrobat.


Adobe Patches Two Critical Vulnerabilities In Adobe Acrobat And Reader


On Tuesday, Adobe released patch updates for several Adobe products. Reportedly, Adobe patched 11 different vulnerabilities, including two critical code execution flaws in Reader and Acrobat.
The two critical vulnerabilities are both arbitrary code execution flaws, described as an out-of-bounds write (CVE-2018-12808) and an untrusted pointer dereference (CVE-2018-12799). Rated critical, both vulnerabilities affect multiple versions of Adobe Reader DC and Adobe Acrobat DC, including the software versions for both Windows and Mac OS.

Vulnerabilities In Other Adobe Products Also Fixed


Besides the two critical flaws, Adobe has also released fixes for 9 other vulnerabilities in different Adobe products. This includes patching five different bugs in Adobe Flash Player: three out-of-bounds read information disclosure flaws (CVE-2018-12824, CVE-2018-12826 and CVE-2018-12827), a security mitigation bypass (CVE-2018-12825) and a privilege escalation vulnerability (CVE-2018-12828). All of these bugs received an "important" severity rating.
In addition, three moderately severe flaws were patched in Adobe Experience Manager: a reflected cross-site scripting flaw (CVE-2018-12806), an input validation bypass (CVE-2018-12807) and a cross-site scripting flaw (CVE-2018-5005). Moreover, one important DLL hijacking privilege escalation flaw (CVE-2018-5003) in Adobe's Creative Cloud Desktop Application also received a patch.


Tuesday, August 14, 2018

New Man-in-the-Disk attack leaves millions of Android phones vulnerable

Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks.


Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps use the 'External Storage' system to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.

It should be noted that apps on the Android operating system can store their resources on the device in two locations: internal storage and external storage.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android's built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

How the Android Man-in-the-Disk Attack Works


Similar to the "man-in-the-middle" attack, the concept of "man-in-the-disk" (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative "would lead to harmful results."
For instance, researchers found that the Xiaomi web browser downloads its latest version to the external storage of the device before installing the update. Since the app fails to validate the integrity of that data, the app's legitimate update code can be replaced with a malicious one.

"Xiaomi Browser was found to be using the External Storage as a staging resource for application updates," the researchers said in a blog post.

"As a result, our team was able to carry out an attack by which the application’s update code was replaced, resulting in the installation of an alternative, undesired application instead of the legitimate update."

In this way, attackers can get a man-in-the-disk position, from where they can monitor data transferred between any other app on the user's smartphone and the external storage and overwrite it with their own malicious version in order to manipulate or crash them.
The attack can also be abused to install another malicious app in the background without the user's knowledge, which can eventually be used to escalate privileges and gain access to other parts of the Android device, like camera, microphone, contact list, and more.
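As an added example (not Check Point's research code and not the code of any app named above), the integrity check the Xiaomi browser case was missing, written in Python rather than Android Java so it runs stand-alone: the update staged on shared storage is read once, checked against the size and SHA-256 the app obtained over its own authenticated channel, and installed only from that verified in-memory copy, never re-read from the shared path. The paths, payload bytes and manifest are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(update: bytes) -> dict:
    """What the vendor's update server would return over the app's own TLS
    connection: size and digest of the genuine update (constructed here)."""
    return {"size": len(update), "sha256": sha256_hex(update)}


def verify_update(staged: bytes, manifest: dict) -> bool:
    """Accept the staged bytes only if size and digest both match the manifest."""
    if len(staged) != manifest["size"]:
        return False
    # constant-time comparison so a mismatch does not leak how many leading
    # hex digits agreed
    return hmac.compare_digest(sha256_hex(staged), manifest["sha256"])


def stage_and_install(shared_path: Path, manifest: dict, private_dir: Path) -> str:
    """Read the file from shared (external) storage ONCE, verify that copy and
    install from the same copy. Re-opening the shared path after the check would
    reopen the window a man-in-the-disk attacker needs to swap the file."""
    staged = shared_path.read_bytes()
    if not verify_update(staged, manifest):
        return "rejected"
    # the app's private directory is not reachable by other apps
    (private_dir / "update.bin").write_bytes(staged)
    return "installed"


def demo() -> tuple:
    """Genuine update installs; a same-size tampered replacement is rejected."""
    genuine = b"UPDATE-PAYLOAD-v2.0 (constructed)"
    tampered = genuine[:-1] + b"!"          # same length, one byte changed
    manifest = publish(genuine)
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "shared"       # stands in for external storage
        private = Path(tmp) / "private"     # stands in for the app's private dir
        shared.mkdir()
        private.mkdir()
        staged = shared / "update.bin"
        staged.write_bytes(genuine)
        first = stage_and_install(staged, manifest, private)
        staged.write_bytes(tampered)        # another app overwrites the staged file
        second = stage_and_install(staged, manifest, private)
    return first, second


if __name__ == "__main__":
    print(demo())
```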

“Open Sesame” Vulnerability That Let Users Hack Windows 10 Was Demonstrated at Black Hat Conference

Microsoft works continually to improve the security of its Windows 10 operating system. Although the tech giant has certainly made its software much harder to hack into, there are still flaws in some of its features. "Open Sesame" is a vulnerability that gives hackers the ability to execute arbitrary code on a computer running Windows 10 just by using their voice.



The flaw originates in Cortana, the digital assistant, according to a group of security experts. The info was presented at the Black Hat USA conference held in Las Vegas, NV. The researchers also discovered that any individual could gain the rights to access files containing sensitive data, download and run files that have been infected, connect to malicious sites, and also get prominent privileges on a computer that has been locked.
All of this is possible because the Windows 10 UI lets apps continue to run in the background. Cortana can also still run tasks even while the machine is locked to keyboard and mouse use.



A ThreatPost report stated that this flaw was uncovered and reported to Microsoft in April of this year by a group of security researchers: Yuval Ron and Ron Marcovich from the Israel Institute of Technology, and Tal Be'ery and Amichai Shulman from Kzen Networks.
The flaw has been documented under CVE-2018-8140. Microsoft has made it known that no exploit was uncovered in the wild. An important security rating was assigned to it.
Microsoft had this to say regarding the matter:
“An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status. An attacker who successfully exploited the vulnerability could execute commands with elevated permissions. To exploit the vulnerability, an attacker would require physical/console access and the system would need to have Cortana assistance enabled. The security update addresses the vulnerability by ensuring Cortana considers status when retrieves information from input services.”
This bug exists in the Windows 10 Fall Creators Update (version 1709) as well as in the April 2018 Update (version 1803). It also exists in newer versions. Installing the most recent updates helps keep Windows 10 protected from this exploit.

Russians could be hacking your Instagram account

Instagram users are getting caught up in a mysterious hacking epidemic that appears to be linked to Russia.
A growing number of frustrated users report being locked out of their accounts — and no one seems to know why.
There’s been a spike in reports of cyber-attacks on Instagram across various social sites.


A report by Mashable reveals that Twitter users tweeted Instagram’s account with the word “hack” 798 times in August — compared to just 40 times during the same period in July.
The article notes a similar jump in hack reports on Reddit.
And search traffic tracker Google Trends highlights some curious jumps in searches for the term “Instagram hacked” on Aug. 7 and 11.
One user called Krista, who has more than 4,500 followers, discovered she had been logged out of her account.
When she tried to get back in, she soon learned that her username and photo had been changed, as well as the email address and phone number linked to her account.
A bid to reset her password revealed that her account was now linked to a .ru Russian domain email address.
Mashable spoke to half a dozen Instagrammers, all of whom had been hacked — and had their accounts linked to Russian email addresses.
Speaking to The Sun, Andy Norton, director of threat intelligence at Lastline, said: “There are many choices for email service providers and there are quite a few .ru providers. Possibly the attacker is comfortable in the Cyrillic language as list.ru has been used in one example.”
What’s concerning is that hackers are gaining access to accounts that are technically secure.
Some of the hacked accounts have two-factor authentication: This means you not only need a password to log on, but a unique code sent over email or text message, too.
This is to prevent hackers who guess your password from getting into your account.
But it seems some digital crooks have found a way to skirt these safeguards.
“Although most of the accounts that have been taken over do not use 2FA, there have been anecdotal reports that some of the accounts were using this security option,” Rob Shapland, principal cybersecurity consultant at Falanx Group, told The Sun.
“Although this is an excellent security control and should always be used, it’s not foolproof and can be defeated if someone is either able to take control of the mobile phone number that receives the text message code, or if they can trick the account holder into visiting a fake version of the real website, which interacts with the real website and prompts the user to enter the two-factor code. It’s also possible the users’ computers have already been hacked, which would then allow the hackers easy control over any accounts they are using.”
This means it becomes very difficult to regain access to your account because Instagram typically uses your email address or phone number to let you change your password.
“The maze that Instagram sends you on to get your account back is laughable and leads to broken/dead links and emails from robots which lead nowhere,” said Abagail Nowak, who was caught up in an Instagram hack.
Another described the process of regaining account access as “extremely stressful.”
We spoke to one Brit who had been hacked, who told us she had been left locked out of her account for three days — and still doesn’t have access.
Jordan, 19, from Wiltshire, said: “I reported my account as hacked and then was sent the same automated email everyone else has got telling me to write a description of what happened and then a photo of me holding a sign with my @ and a code.”
“But it seems Instagram is slow at responding to this if they even respond at all,” she told The Sun.
The Sun found a large number of tweets from users complaining about their Instagram accounts had been nabbed by crooks.
One moaned: “Hi Instagram your help center is so unhelpful.
“How am I supposed [to] gain access to my hacked account if all you want to do is send an email asking me to reset my password and that email has been changed to theirs?”
Another said: “Someone hacked my Instagram account and Instagram won’t help me.”
That same person shared images revealing that her account email had been changed to a Russian address.
The pictures included on the tweet also showed that the user’s phone number had been removed from her account.
In any case, it’s still worth keeping two-factor authentication on your account, as it gives potential attackers another hurdle to get over.

Sunday, August 12, 2018

How to Hack WiFi Password Easily Using New Attack On WPA/WPA2

Looking for how to hack WiFi password OR WiFi hacking software?


Well, a security researcher has revealed a new WiFi hacking technique that makes it easier for hackers to crack WiFi passwords of most modern routers.

Discovered by the lead developer of the popular password-cracking tool Hashcat, Jens 'Atom' Steube, the new WiFi hack works explicitly against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

The attack to compromise the WPA/WPA2 enabled WiFi networks was accidentally discovered by Steube while he was analyzing the newly-launched WPA3 security standard.

This new WiFi hacking method could potentially allow attackers to recover the Pre-shared Key (PSK) login passwords, allowing them to hack into your Wi-Fi network and eavesdrop on the Internet communications.


According to the researcher, the previously known WiFi hacking methods require attackers to wait for someone to log into a network and capture a full 4-way authentication handshake of EAPOL, which is a network port authentication protocol.

The new attack, by contrast, no longer requires another user to be on the target network in order to capture credentials. Instead, it is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL (Extensible Authentication Protocol over LAN) frame, requested from the access point.

Robust Security Network is a protocol for establishing secure communications over an 802.11 wireless network and has PMKID, the key needed to establish a connection between a client and an access point, as one of its capabilities.

Step 1 — An attacker can use a tool, like hcxdumptool (v4.2.0 or higher), to request the PMKID from the targeted access point and dump the received frame to a file.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

Step 2 — Using the hcxpcaptool tool, the output (in pcapng format) of the frame can then be converted into a hash format accepted by Hashcat.

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use the Hashcat (v4.2.0 or higher) password-cracking tool to obtain the WPA PSK (Pre-Shared Key) password, and Bingo!

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

That yields the password of the target wireless network; cracking it may take time depending on its length and complexity.

"At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)," Steube said.

Since the new WiFi hack only works against networks with roaming functions enabled and requires attackers to brute force the password, users are recommended to protect their WiFi network with a secure password that's difficult to crack.

This WiFi hack also does not work against next-generation wireless security protocol WPA3, since the new protocol is "much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE)."
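To make the passphrase recommendation concrete, here is an added Python example (not from Steube's write-up and not part of hashcat) that counts the candidates a hashcat mask such as the `?l?l?l?l?l?lt!` used in Step 3 describes, and contrasts it with a uniformly random passphrase of the same or greater length. The guessing rate is an assumed placeholder, not a benchmark.

```python
# Sizes of hashcat's built-in charsets: ?l lowercase, ?u uppercase, ?d digits,
# ?s the 33 printable specials (space included), ?a all 95 printable ASCII,
# ?h/?H hex digits, ?b every byte value.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}

# Assumed PBKDF2 (WPA PMK) guessing rate for one GPU: a placeholder for the
# calculation, not a measured figure.
ASSUMED_RATE_PER_SECOND = 400_000


def mask_candidates(mask: str) -> int:
    """Number of passphrases a hashcat mask expands to ('??' is a literal '?')."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                      # literal character: exactly one choice
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        sym = mask[i + 1]
        if sym != "?":                  # '??' is an escaped literal, factor 1
            if sym not in CHARSETS:
                raise ValueError(f"unknown charset ?{sym}")
            total *= CHARSETS[sym]
        i += 2
    return total


def random_candidates(length: int, alphabet: int = 95) -> int:
    """Candidates an attacker must cover for a uniformly random passphrase."""
    return alphabet ** length


def seconds_to_exhaust(candidates: int, rate: float = ASSUMED_RATE_PER_SECOND) -> float:
    return candidates / rate


def compare(mask: str, random_length: int) -> dict:
    """Side-by-side cost of a patterned passphrase (mask) vs a random one."""
    m, r = mask_candidates(mask), random_candidates(random_length)
    return {
        "mask_candidates": m,
        "mask_hours": seconds_to_exhaust(m) / 3600,
        "random_candidates": r,
        "random_years": seconds_to_exhaust(r) / (3600 * 24 * 365),
        "ratio": r // m,
    }


if __name__ == "__main__":
    print(compare("?l?l?l?l?l?lt!", 12))
```

The six `?l` positions give 26^6 candidates, which is why a patterned passphrase falls to a mask attack in minutes while a random 12-character one does not; the absolute times scale with whatever rate you plug in.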

Researchers Developed Artificial Intelligence-Powered Stealthy Malware

Artificial Intelligence (AI) has been seen as a potential solution for automatically detecting and combating malware, and for stopping cyber attacks before they affect an organization.

  

However, the same technology can also be weaponized by threat actors to power a new generation of malware that can evade even the best cyber-security defenses and infect a computer network or launch an attack only when the target's face is detected by the camera.

To demonstrate this scenario, security researchers at IBM Research came up with DeepLocker, a new breed of "highly targeted and evasive" attack tool powered by AI, which conceals its malicious intent until it reaches a specific victim.

According to the IBM researchers, DeepLocker flies under the radar without being detected and "unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition."

In contrast to the "spray and pray" approach of traditional malware, the researchers believe this kind of stealthy AI-powered malware is particularly dangerous because, like nation-state malware, it could infect millions of systems without being detected.

The malware can hide its malicious payload in benign carrier applications, like video conferencing software, to avoid detection by most antivirus and malware scanners until it reaches specific victims, who are identified via indicators such as voice recognition, facial recognition, geolocation and other system-level features.

"What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer," the researchers explain. "The malicious payload will only be unlocked if the intended target is reached."



To demonstrate DeepLocker's capabilities, the researchers designed a proof of concept, camouflaging well-known WannaCry ransomware in a video conferencing app so that it remains undetected by security tools, including antivirus engines and malware sandboxes.

With the built-in triggering condition, DeepLocker did not unlock and execute the ransomware on the system until it recognized the face of the target, which can be matched using publicly available photos of the target.

So, all DeepLocker requires is your photo, which can easily be found from any of your social media profiles on LinkedIn, Facebook, Twitter, Google+, or Instagram, to target you.

Trustwave has recently open-sourced a facial recognition tool called Social Mapper, which can be used to search for targets across numerous social networks at once.

The IBM Research group will unveil more details and a live demonstration of its proof-of-concept implementation of DeepLocker at the Black Hat USA security conference in Las Vegas on Wednesday.
