Free Advanced Network Penetration Testing webinar

In this FREE webinar Joe McCray will cover the fundamentals of network penetration testing and how to perform basic penetration testing tasks. This webinar is designed for people with little to no network penetration testing experience.

About Joe McCray:

Joe McCray has been teaching IT security since 2005, building his classes around hands-on labs rather than death by PowerPoint. Along the way it finally hit him: to be a good teacher he needed a more compact and complete training program.

This webinar will be held on the 1st of February at 1pm EST

Click the link below to sign up for this webinar:

https://attendee.gotowebinar.com/register/6831470640505615106


Try Certified Ethical Hacker for FREE!!! https://infosecaddicts.com/course/certified-ethical-hacker-v10/

Novice
$0
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.
Regular use
$49
This is the second tier that includes limited access to our training materials and to our exclusive lab.  
Risky use
$69
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.  
Monthly use
$89
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!  

OpenSSH-PuTTY-SSH

What is PuTTY?


Let's get some background first. The name PuTTY has no particular meaning. PuTTY is free and open-source software: a terminal emulator, serial console and network file transfer application. It supports several network protocols, including Secure Copy (SCP), Secure Shell (SSH), Telnet, rlogin and raw socket connections, and it can also connect to a serial port.

It was originally written for Microsoft Windows, where it works best, but specific releases also run on Unix-like operating systems. Symbian, Windows Mobile and Windows Phone can run it too, although there are no official ports for those platforms, and ports for Classic Mac OS and macOS are still being worked on.

What does PuTTY have as features?


PuTTY offers several features, among them:

  • Secure remote terminal sessions
  • User control over the SSH encryption key and the protocol version in use
  • Alternative ciphers such as 3DES, Arcfour, Blowfish and DES, as well as public-key authentication
  • Emulation of xterm, VT102 or ECMA-48 terminal control sequences
  • Port forwarding over SSH in all its forms: local, remote and dynamic
  • IPv6 support in the network communication layer
  • Support for the zlib@openssh.com delayed-compression scheme
  • Connections to local serial ports
  • Command-line SCP and SFTP clients, named pscp and psftp respectively
  • Non-interactive sessions through plink, a command-line connection tool

What is SSH?


Here comes Secure Shell (SSH). It is a cryptographic network protocol whose main purpose is to operate securely over a network that is not secure; for example, users can access computer systems remotely through it.

SSH uses a client-server architecture: an SSH client connects to an SSH server. Most applications support command-line login and remote command execution, but SSH can secure any network service, using either of its two versions, SSH-1 and SSH-2.

SSH is usable on Windows, though with limited integration; on Unix-like systems it is the usual way to reach shell accounts. When SSH came into existence it was intended to replace protocols such as Telnet, rlogin, rsh and rexec, which send valuable information such as passwords in plain text, which is completely insecure: any packet analyzer can sniff those packets and the password is then easily read.

SSH, on the other hand, offers a secure means of communication: the data is encrypted, so it has no meaningful interpretation if sniffed and analyzed. Still, the US Central Intelligence Agency relies on some security tools to crack the SSH protocol and decrypt the files at the end of the day; WikiLeaks, the government transparency organization, revealed this news last month.

Public or Private Keys


SSH uses public-key cryptography to authenticate the remote computer and, where needed, to authenticate the user to it. Automatically generated public-private key pairs can simply be used to encrypt the network connection, with the login then authenticated by a password.

Alternatively, authentication itself can rely on a generated public-private key pair, so that a user or program can log in without a password. The public key is placed on every computer that should grant access, while the matching private key is held solely by the one computer or owner who is allowed onto those computers. The private key stays where it is and is never transferred over the network during authentication.

So what does SSH actually do here? It checks only that whoever offers a public key also holds the matching private key; if both exist together, the authentication is accepted. Unknown public keys therefore still need to be verified, that is, tied to known identities, before they are accepted, so that an attacker cannot be admitted as a valid user.

How does the key get managed?


It is important to know how keys are stored and checked when SSH uses key-based authentication. On Unix-like systems the allowed public keys are listed together in the file ~/.ssh/authorized_keys inside the user's home directory.

To complete the authentication, the public key is checked on the remote machine and the private key on the local machine, so no password is needed. Still, locking the private key with a passphrase adds a layer of security to the connection. Some software, such as Message Passing Interface (MPI) implementations, relies on this password-free public-private key authentication.

The private key can live in one of the standard locations, or its full path can be given on the command line (the -i option for ssh). Public and private key pairs are generated with the ssh-keygen utility.

SSH also supports password-based authentication; the password is encrypted using keys that SSH generates automatically. This opens the door to a man-in-the-middle attack, in which a fake server impersonates the legitimate one, asks the client for the password and captures it. This can only succeed the first time the two sides connect, however, since once they have authenticated, SSH remembers the server's public key.

How is this attack avoided? SSH displays a warning whenever the client connects to a new or previously unknown server. Disabling password authentication altogether is another valid option that avoids the hassle of such attacks.
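The key and host-key handling described in the two sections above, as an added example (not code from the original post or from OpenSSH): a small Python audit of the formats involved. It parses authorized_keys entries including the options prefix, computes the SHA256 fingerprint that `ssh-keygen -lf` prints and that a user compares when the unknown-host warning appears, and builds and checks the hashed known_hosts host field (written when HashKnownHosts is on) that records a server's identity after the first connection. Every key, hostname and salt below is constructed for the demo; the ed25519 blob is not a real key.

```python
"""Audit helpers for OpenSSH key formats: authorized_keys entries, SHA256
fingerprints and hashed known_hosts fields. Added example; every key, host
and salt below is constructed and is not real material."""
import base64
import hashlib
import hmac
import re
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# [options] <type> <base64 blob> [comment]; options may contain quoted spaces
_LINE_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, KEY_TYPES)) +
                      r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0):
    """Decode one SSH wire 'string' at offset; return (value, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH fingerprint: SHA256 of the raw blob, base64 without padding.
    Matches what `ssh-keygen -lf` prints and what the unknown-host prompt shows."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_public_key_line(line: str) -> dict:
    """Split an authorized_keys / .pub line and check that the key type
    declared in text matches the type embedded in the blob."""
    stripped = line.strip()
    m = _LINE_RE.search(stripped)
    if not m:
        raise ValueError("no recognised key on line")
    declared, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:             # binascii.Error is a ValueError
        raise ValueError("key blob is not valid base64") from exc
    embedded, _ = read_ssh_string(blob)
    if embedded != declared.encode():
        raise ValueError("declared %s but blob contains %r" % (declared, embedded))
    return {"options": stripped[:m.start()].strip(), "type": declared,
            "blob": blob, "comment": comment, "fingerprint": sha256_fingerprint(blob)}


def audit_authorized_keys(text: str) -> list:
    """Return (line_number, problem) for every entry that does not parse cleanly."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            parse_public_key_line(raw)
        except ValueError as exc:
            problems.append((n, str(exc)))
    return problems


def hashed_known_hosts_field(hostname: str, salt: bytes) -> str:
    """Host field OpenSSH writes with HashKnownHosts: '|1|salt|HMAC-SHA1(salt, host)'."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_hosts_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain) refers to hostname."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return hostname in field.split(",")          # plain 'host1,host2,ip' form
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


# Constructed sample: an ed25519 blob whose 32 key bytes are simply 0..31,
# laid out the way ssh-keygen encodes a real key. Not a usable key.
_ED25519_B64 = base64.b64encode(ssh_string(b"ssh-ed25519") +
                                ssh_string(bytes(range(32)))).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup key, restricted to one source network and one command",
    'from="10.0.0.0/8",no-pty,command="/usr/bin/rrsync /srv" ssh-ed25519 %s backup@ops'
    % _ED25519_B64,
    "ssh-rsa %s mislabelled@ops" % _ED25519_B64,     # text says RSA, blob says ed25519
    "ssh-ed25519 not-base64!! broken@ops",
])

if __name__ == "__main__":
    for n, problem in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("authorized_keys line %d: %s" % (n, problem))
    print(parse_public_key_line(SAMPLE_AUTHORIZED_KEYS.splitlines()[1])["fingerprint"])
```

The fingerprint is taken over the raw blob, not over the base64 text, which is why `ssh-keygen -lf` and this function agree regardless of line wrapping or comments. Hashing known_hosts hides which servers a user talks to if the file leaks, but the salt in each entry still lets the client recognise a host it has seen before, which is the check that stops the first-connection impersonation described above from working a second time.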

OpenSSH and OSSH


To make the software free to use at no cost, the older 1.2.12 release of the original SSH program, the last one published as open-source software, was taken as the starting point. In 1999 Björn Grönvall released OSSH from that codebase.

OpenBSD developers then took Grönvall's code and improved it; the result was OpenSSH, which shipped with the 2.6 release of OpenBSD. OpenSSH was later ported to other operating systems through what is referred to as its portability branch.

OpenSSH supported so many operating systems that by 2005 it was the only SSH implementation running on several platforms. OSSH, meanwhile, faded away as OpenSSH became widely popular.



Kismet Wireless

What is Kismet?

Anyone working in computer security, and information security in particular, needs to know Kismet and what it can do. Kismet is software used to detect network traffic, sniff packets and act as an intrusion detection system. It is also an open-source security tool, which means it is free software, a plus.

Kismet runs on any platform compliant with the Portable Operating System Interface (POSIX), including Microsoft Windows, Mac OS X and BSD. Nevertheless, it works best on Linux, because monitoring-capable drivers for that system are unencumbered.

Kismet needs to work in monitoring mode. Why? In monitor mode any packet the card can hear can be read and examined; without it, only packets to and from the access point (AP) you are currently associated with can be sniffed.

Radio Frequency MONitor (RFMON) mode is therefore critical to using Kismet to its full extent. The first step is a driver that supports RFMON (monitor) mode, configured on the wireless network interface card (NIC) in use.

What are the configuration models of Kismet?


Kismet can be configured in several ways. It is essentially a client-server application, but it can also be run standalone, or as a server serving several clients. Alternatively, Kismet drones installed across the network feed a central Kismet server, which gathers the packets captured by each piece of wireless hardware for analysis and monitoring. Standalone Kismet uses its built-in client, although several third-party clients also work with it.

How do Kismet drones work?


Let's now look at how Kismet drones report captured packets to their server. Each drone forwards the packets captured by its own configured wireless card source to one central server, which combines them into a single log file and runs one unified set of wireless intrusion alerts for the entire network. In this way a LAN with one or two APs gets a wireless intrusion detection system (IDS) made of Kismet drones.

Note that each of these components requires its own configuration file: kismet.conf, kismet_ui.conf and kismet_drone.conf. The rationale is good performance when running Kismet.

What about the User Interface?


The user interface is nothing new or creative, but it makes operating the software fast. When Kismet starts it opens in Autofit mode, where all detected networks are displayed in a list with some details about each; no further details can be viewed beyond those already shown on screen.

What details are displayed? The decay indicator, network name, network type, WEP status, channel, packets seen, flags, IP range and the size of the capture file, all accessible from the user interface. The decay indicator has three states:

  • An exclamation mark (!) indicates recent activity
  • A period (.) indicates less recent activity
  • A blank indicates no recent activity

What decides whether an activity counts as recent? The decay variable in kismet_ui.conf; usually an activity is considered recent for about 3 seconds.

How can I get help when using Kismet?

Seeking help is vital when you are new to a piece of software. Pressing "h" opens a help window, which you can navigate with Page Up and Page Down; pressing "x" closes it.

How can changing modes have their effect?


At the end of the help window, in capital letters, you will see: ALL NETWORK SELECTION, TAGGING, GROUPING, SCROLLING, AND SO ON IS DISABLED IN AUTOFIT MODE. Let's change this mode and see how Kismet reacts.

First, close the help screen. Then press "s" to change the sort order of the network list. To sort by the APs' MAC addresses, press "b", the first letter of BSSID, which is the term for those MAC addresses.

Use the up and down arrow keys to select a network; pressing "i" opens another window with all the details of that AP.

Pressing "a" shows statistics for a channel's traffic, and "c" lists all the MAC addresses interacting with the selected AP: the client list. The client list can be re-sorted in the same way as before, for example by last seen, and "L" reverses that order.

This is important for protecting an AP, since it reveals every MAC address talking to it. To view a particular client's details, highlight it and press "i"; this shows the type of connection the client is involved in, its MAC address and much more.

Pressing "h" now shows a help window more specific than the generic one seen before; it explains the connection types From DS, To DS, Intra DS, Established, Sent To and Unknown.

How to get the log files edited?

By default the log file is stored in the directory Kismet was started from, but this is easy to change by editing the logtemplate directive in kismet.conf. The logs created by default are the dump, network, CSV, XML, weak, Cisco and GPS logs; this set can be changed through the logtypes directive in kismet.conf. The dump file can later be analysed with Wireshark or Aircrack-ng if preferred; more information about those security tools can be found on this website.



How to understand SSH perfectly?

In the following lines I will walk through the main steps someone new to security administration has to follow to excel in the field. Following them will give a solid grasp of the different aspects of the topic.

  1. Understand what is meant by a tunneling protocol

A tunneling protocol lets a network user access a network service that the underlying network does not directly support, or offer such a service over that network. What is this used for in practice? There are three main benefits:

  • Running a protocol over a network that does not allow or support it; IPv6 can run over IPv4 this way, for instance.
  • Giving a remote user access to the network. Though it is not a safe choice, a critical user or employee of a corporation can get an internal IP address for his machine when working from home or travelling: whatever the machine's physical IP address, it has the company's network address and works as if it were inside the company already.
  • Hiding the nature of the traffic crossing a network, an unusual use of protocol tunneling. How and why? Encryption repackages the traffic passing between the two networks, so a sniffer that captures it sees only encrypted data.

In general, tunneling is a means of sharing data between two different networks: the private network's data is encapsulated, along with its protocol headers, in the protocol carried by the public network, which treats the inner protocol information as mere data.

  2. Get to know SSH Tunneling

A Secure Shell (SSH) tunnel is an encrypted channel through which any traffic can pass, whether or not it was encrypted to begin with. It relies on the SSH network protocol: the private network's protocol is encapsulated inside SSH, so all communication between the two ends is encrypted.

To illustrate, file transfers between Windows machines over a remote connection use the Server Message Block (SMB) protocol. SMB does not encrypt the data it transfers, so data moved this way is exposed to attack and exploitation by a capable attacker.

Mounting a Windows (SMB) file system can instead be done securely over an encrypted channel between the client and the file server, using an SSH tunnel.

Establishing a local SSH tunnel means configuring an SSH client on a machine so that a local port is forwarded to a port on a remote machine. Once the tunnel is up, the user connects to that local port to reach the network service. The two ports can be different if desired.

SSH tunnels can also be used to bypass firewalls. Consider a device on a network that does not allow internet access: port 80 is closed to any connection that tries to go out through it. One way around the restriction is to forward a local port on the machine to port 80 on a computer outside the network that does have internet access.

One obstacle remains even with SSH tunneling: whether the site allows outgoing connections at all. If it does, the method works, and the organization's proxy filter will not even notice the bypass and so cannot block internet access from the machine.

A further consequence is that the organization cannot see the traffic flowing between this machine and the internet, since the machine is not supposed to have an internet connection anymore. The remote web server is reached by pointing the browser on the original machine at the local port, http://localhost/.
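The local-forwarding plumbing described above, as an added example that is not part of the original post: a plain-TCP relay in Python that listens on a loopback port and forwards each accepted connection to a target, which is the client-side half of what `ssh -L localport:target:targetport host` does before the SSH transport carries the bytes encrypted to the server. The echo server stands in for the remote service and the payload is constructed; the encryption is what ssh adds, so this shows only the forwarding and the bind-address choice. Binding to 127.0.0.1 (ssh's default without GatewayPorts) is the point a defender cares about: the tunnel entry is then reachable only from the machine running it, not from the rest of the LAN.

```python
"""Plumbing of a local port forward: listen on a loopback port and relay every
accepted connection to a fixed target. Added example, not part of the original
post; the echo server is a stand-in for the remote service."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reports EOF, then half-close dst
    so the far side sees the same EOF (closing is left to the other pump)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """Accept connections on bind_addr and relay each one to target.

    bind_host defaults to 127.0.0.1 on purpose: like ssh -L without
    GatewayPorts, the tunnel entry is reachable only from this machine."""

    def __init__(self, target, bind_host="127.0.0.1", bind_port=0):
        self.target = target
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((bind_host, bind_port))   # port 0: let the OS pick
        self._listener.listen(16)
        self.bind_addr = self._listener.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return                      # listener closed by stop()
            try:
                upstream = socket.create_connection(self.target, timeout=5)
                upstream.settimeout(None)   # connect timeout only; a relay may idle
            except OSError:
                client.close()              # target unreachable: drop this client
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def stop(self):
        self._listener.close()


def start_echo_server():
    """Stand-in for the remote service: echoes one connection, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo_roundtrip(payload: bytes) -> bytes:
    """Send payload through the forwarder to the echo server and return what
    comes back; equal output means the relay carried both directions intact."""
    fwd = LocalForward(start_echo_server())
    try:
        with socket.create_connection(fwd.bind_addr, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)      # signal EOF so the echo side closes
            received = bytearray()
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                received += chunk
        return bytes(received)
    finally:
        fwd.stop()


if __name__ == "__main__":
    print(demo_roundtrip(b"GET / HTTP/1.0\r\n\r\n"))
```

Each accepted connection gets its own pair of relay threads, one per direction, and EOF is propagated with a half-close rather than a full close so that data still in flight in the other direction is not cut off; that is the behaviour a forwarder needs for request/response protocols such as HTTP or SMB mounted over the tunnel.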

  3. Identify the types of SSH tunneling

There are three main categories of SSH tunneling. Each could be used in a different situation and network. They are given by the following list:

  4. Know what OpenSSH is



To make the software free to use at no cost, the older 1.2.12 release of the original SSH program, the last one published as open-source software, was taken as the starting point. In 1999 Björn Grönvall released OSSH from that codebase.

OpenBSD developers then took Grönvall's code and improved it; the result was OpenSSH, which shipped with the 2.6 release of OpenBSD. OpenSSH was later ported to other operating systems through what is referred to as its portability branch.

OpenSSH supported so many operating systems that by 2005 it was the only SSH implementation running on several platforms. OSSH, meanwhile, faded away as OpenSSH became widely popular.

