Sunday, July 24, 2016

Cisco: Beginner Level



How to install and Use IOS on Linux.
 
Mostly Harmless Weekend Hacking
with Raspberry PI and Kali Linux


'Hello World' Under the Hood (new!)
Ping Used as an OS Fingerprinting Tool
Passive Reconnaissance - Flowers in Corp Web Page
Whois?
Diving into Bash
Cheap Hacker's Lab
Raspberry PI Installation.
CCNA Packet Tracer Labs:

Cisco Exercises: Lab 3-3: Using ACLs to filter IP based traffic

Cisco Exercises: Lab 3-2: Device Hardening 
Cisco Exercises: Lab 3-1: Improving Device Security 
Cisco Exercises: Lab 2-2: Port Address Translation (PAT) 
Cisco Exercises: Lab 2-2: Internet Connections - Dynamic NAT 
Cisco Exercises: Lab 2-2: Internet Connections - Static NAT 
Cisco Exercises: 
Lab 2-1: Router Startup and Initial Configuration

Cisco Exercises: Lab 1-2: Troubleshooting Switch Media Issues 
Cisco Exercises: Lab 1-1: Switch Startup and Initial Configuration 
Cisco Exercises: CDP - Building Topology Diagram
Cisco Exercises: Router and Switch Initial Configuration in Packet Tracer
Cisco Exercises: Installing Free Cisco Simulator - Packet Tracer


CCNA Lessons:
01 - Connecting to Cisco Console Port with MINICOM
02 - Navigating in Cisco IOS
03 - Initial Configuration of Cisco Switch and Router
04 - Introduction to TCP/IP Layers
05 - Encapsulation and De-enapsulation Process
06 - Example of TCP/IP Traffic Flow
07 - Building a Home Network
08 - Ethernet and Hub Operations
09 - Bridging/Switching Learning Process
10 - Cisco Discovery Protocol
11 - Layer 2 Connectivity Troubleshooting Part 1
12 - Layer 2 Connectivity Troubleshooting Part 2
13 - Layer 2 Connectivity Troubleshooting Part 3
14 - NTP and Syslog Services
15 - VLANs Overview
16 - VLANs In Practice
17 - Inter VLAN Traffic Flow Analysis
18 - VTP and VLAN Quiz
19 - Spanning-Tree Protocol Overview
20 - Spanning-Tree Protocol Operation
21 - Spanning-Tree Protocol in Practice
22 - Spanning-Tree Cisco Enhancements
23 - Introduction to Rapid STP (802.1w)
24 - Layer 2 Etherchannel
25 - Switch Port Security
26 - Binary World
27 - IPv4 Address Dissected - Part 1
28 - IPv4 Address Dissected - Part 2
29 - IPv4 Subnetting - The Rules
30 - IPv4 Subnetting - Practice
31 - What is a Router?
32 - Route Selection Process Demistified
33 - Static Routing
34 - Dynamic Routing Protocols Introduction
35 - Routing Information Protocol Part 1
36 - Routing Information Protocol Part 2
37 - Routing Information Protocol Part 3
38 - OSPF Fundamentals Part 1 - Terminology
39 - OSPF Fundamentals Part 2 - Hello Packets
40 - OSPF Fundamentals Part 3 - RouterID and DR/BDR
41 - OSPF Fundamentals Part 4 - Implementation
42 - OSPF Fundamentals Part 5 - The Lab
43 - EIGRP Fundamentals Part 1 - Overview
44 - EIGRP Fundamentals Part 2 - Implementation
45 - EIGRP Fundamentals Part 3 - The Lab
46 - EIGRP Fundamentals Part 4 - Troubleshooting
47 - Packet Filtering with Standard ACL
48 - Standard ACL Examples
49 - Packet Filtering with Extended ACLs
50 - Extended ACL Examples
51 - Network Address Translation Part 1 - Terminology
52 - Network Address Translation Part 2 - Principles of Operation
53 - Network Address Translation Part 3 - Overloading Addresses
54 - Network Address Translation Part 4 - Configuration Examples
55 - Introduction to IPv6 Part 1 - Addresses
56 - Introduction to IPv6 Part 2 - Address Structure
57 - Introduction to IPv6 Part 3 - Address Configuration
58 - Introduction to IPv6 Part 4 - Migration 


How to install and Use IOS on Linux.


Disclaimer!
This is a personal weblog. The opinions expressed here represent my own and not those of my employer. Also the stupidity is mine and mine alone. Some post content might be rude, offensive or borderline obnoxious (anything marked with label 'Ranting' is not suitable for people under 18 years old). Since, I try to have an open mind you can expect that my opinions may and probably will change in time. You may leave some comments but I reserve the right to ignore them completely. 


The technical content of this blog is a product of weekend/sleepless-and-or-hotel night/after-work technical struggle. Despite all efforts, it may be inaccurate and reflects the author's knowledge as of the time of writing the posts. The author of the posts will not assume any liability or responsibility to any person or entity with respect to loss or damages incurred from information contained in this blog. Any resemblance to some other training materials and/or CCNA/CCNP/CCIE exams is completely coincidental.

Hacking

Mostly Harmless Weekend Hacking
with Raspberry PI and Kali Linux

1. Raspberry PI Installation.
2. Cheap Hacker's Lab.
3. Diving into Bash. 
4. WHOIS?
5. Passive Reconnaissance - Flowers in Corp Web Page.
6. Ping Used as an OS Fingerprinting Tool.
7. 'Hello World' Under the Hood.
  

Hello World under the Hood




Previous | Hacking | Next
 
A simple code everybody starts with is a “hello world!” program.  Here, using the ‘for’ loop, I make my computer display hello twice. Looking at the code it is easy to figure out what it does.

But it is not exactly how hackers look at it. There is some magic happening there.

What do computers really do? They obediently follow the program (step by step defined recipe). The same way we humans do things. Listen to master’s orders.
But the difference is that they can do the same thing over and over again without breaking sweat (loops) and without being bored don’t complain because they are machines. Dumb without a program, but boy are they fast if you provide a program to run!
But how do they do that? What’s under the hood.

#include 

int main(void) {

    int i;
    for (i = 0; i < 2; ++i) 
        printf("Hello, world!\n");    

    return 0;
}

The source code (like the one above) is set of instructions that must be translated (compiled) into a machine language that the CPU understands. All instructions are in fact strings of ones and zeros. Those form something called machine code. CPU can decode them as instructions and compute stuff, which means they operate on data.
Here is what my first program does.

A look into Computer Guts
Compile and run the code. See what it does.
pi@tron:~/dh $ gcc -g -o hello hello.c 
pi@tron:~/dh $ 
pi@tron:~/dh $ ./hello
Hello, world!
Hello, world!
pi@tron:~/dh $
Compilation -g allows gdb to read the code and step through it.
Inside the computer the code operates at a different level.
First GDB lesson courtesy of beej.us and few other places on the net.
My first program up close looks like this:
$ objdump -M intel -D hello | grep -A20 main.:
000000000040052d 
: 40052d: 55 push rbp 40052e: 48 89 e5 mov rbp,rsp 400531: 48 83 ec 10 sub rsp,0x10 400535: c7 45 fc 00 00 00 00 mov DWORD PTR [rbp-0x4],0x0 40053c: eb 0e jmp 40054c
40053e: bf e4 05 40 00 mov edi,0x4005e4 400543: e8 c8 fe ff ff call 400410 400548: 83 45 fc 01 add DWORD PTR [rbp-0x4],0x1 40054c: 83 7d fc 01 cmp DWORD PTR [rbp-0x4],0x1 400550: 7e ec jle 40053e
400552: b8 00 00 00 00 mov eax,0x0 400557: c9 leave 400558: c3 ret
400559: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0] 0000000000400560 : 400560: 41 57 push r15 400562: 41 89 ff mov r15d,edi 400565: 41 56 push r14 400567: 49 89 f6 mov r14,rsi
It is beautiful. Looking at the code like that.
I want gdb to debug code using Intel representation rather than default AT&T. Here’s my file that is going to take care of it:
$ cat ~/.gdbinit 
set disassembly intel
CPU registers are sort of like quick access variables. Here they are:
$ gdb -q hello
Reading symbols from hello...done.
(gdb) break main
Breakpoint 1 at 0x400535: file hello.c, line 6.
(gdb) run
Starting program: /home/jaro/Desktop/Jun-Dec-2016/14.Code/aoh/hello 

Breakpoint 1, main () at hello.c:6
6     for(i = 0; i < 2; ++i)
(gdb) info registers
rax            0x40052d 4195629
rbx            0x0 0
rcx            0x0 0
rdx            0x7fffffffe178 140737488347512
rsi            0x7fffffffe168 140737488347496
rdi            0x1 1
rbp            0x7fffffffe080 0x7fffffffe080
rsp            0x7fffffffe070 0x7fffffffe070
r8             0x7ffff7dd4e80 140737351863936
r9             0x7ffff7dea530 140737351951664
r10            0x7fffffffdf10 140737488346896
r11            0x7ffff7a36e50 140737348070992
r12            0x400440 4195392
r13            0x7fffffffe160 140737488347488
r14            0x0 0
r15            0x0 0
rip            0x400535 0x400535 
eflags 0x202 [ IF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb)
Program listed in gdb:
(gdb) list
1 #include 
2 
3 int main(void) {
4 
5     int i;
6     for(i = 0; i < 2; ++i)
7         printf("hello, world.\n");
8 
9     return 0;
10 }
(gdb)
Now time to disassemble the code:
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
=> 0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
The arrow points to the firs instruction to be executed as per address in rip (program counter register). The command x is for examine.
(gdb) info register rip
rip            0x400535 0x400535 
(gdb)
Funny thing is that I am no programmer. Not at all. I am just starting. But I do know the music when I hear one. Just like this one below:
Move value 0 to the memory location (here in hex) minus 4 bytes.


=> 0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
And next instruction (nexti). Once executed it will jump to the memory location: 0x40054c where the next command must be executed. The rip register (instruction pointer is always incremented to point to the next instruction.


(gdb) nexti
0x000000000040053c 6     for(i = 0; i < 2; ++i)
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
=> 0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
Here we go. Jump baby, jump!


(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 => 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
Is the value what variable i points to still lower than 2 (our loop condition)? Next instruction jle says: if less or equal/not greater. It relies on flags: SF<>OF or ZF == 1.
Let’s see those CPU flags after we executed comparison. Here SF is set but there is no OF (not set) if I understand it correctly.


(gdb) nexti
0x0000000000400550 6     for(i = 0; i < 2; ++i)
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 => 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb) info register eflags eflags 0x297 [ CF PF AF SF IF ] (gdb)
Jumping to the location pointed then!
(gdb) nexti
7         printf("hello, world.\n");
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
=> 0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
What is at this location? String to be printed of course. It is placed into Destination Index (EDI) register.
Let’s read what is at the location 0x4005e4. The gdb instruction x/12x means: examine 12 bytes in hex at the location (here: 0x4005e4).


(gdb) x/12x 0x4005e4
0x4005e4: 0x68 0x65 0x6c 0x6c 0x6f 0x2c 0x20 0x77
0x4005ec: 0x6f 0x72 0x6c 0x64
(gdb) 
Hex 0x68 is lower case ‘h’, 0x65 is lower case ‘e’ etc. It gets ready to be used by C standard library function printf(). Calling the function and magic happens.
(gdb) nexti
0x0000000000400543 7         printf("hello, world.\n");
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 => 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
Go baby! Display it! Procedure Linkage Table (PLT) locates the library code to use (libc.so.x).
Next instruction goes back to for loop and adds 1 to variable i.
(gdb) nexti
hello, world.
6     for(i = 0; i < 2; ++i)
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 => 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
Now the variable i is 1 (0 + 1) so the same process is repeated. In order to jump out of the loop the variable i must not be less than 2. One more loop and we finish the job.
=> 0x0000000000400550 <+35>: jle    0x40053e 
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb) info register eflags eflags 0x202 [ IF ] (gdb)
Now, neither SF<>OF or ZF == 1 are seem to show to be the case. We do NOT jump but follow to the next instruction that puts value 0 into the accumulator register.
(gdb) nexti
9     return 0;
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
=> 0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
We clean stuff up (exit status 0 is success I guess). And we leave the party and return to operating system.


(gdb) nexti
10 }
(gdb) disassemble main
Dump of assembler code for function main:
   0x000000000040052d <+0>: push   rbp
   0x000000000040052e <+1>: mov    rbp,rsp
   0x0000000000400531 <+4>: sub    rsp,0x10
   0x0000000000400535 <+8>: mov    DWORD PTR [rbp-0x4],0x0
   0x000000000040053c <+15>: jmp    0x40054c 
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 => 0x0000000000400557 <+42>: leave 0x0000000000400558 <+43>: ret End of assembler dump. (gdb) nexti 0x0000000000400558 10 } (gdb) disassemble main Dump of assembler code for function main: 0x000000000040052d <+0>: push rbp 0x000000000040052e <+1>: mov rbp,rsp 0x0000000000400531 <+4>: sub rsp,0x10 0x0000000000400535 <+8>: mov DWORD PTR [rbp-0x4],0x0 0x000000000040053c <+15>: jmp 0x40054c
0x000000000040053e <+17>: mov edi,0x4005e4 0x0000000000400543 <+22>: call 0x400410 0x0000000000400548 <+27>: add DWORD PTR [rbp-0x4],0x1 0x000000000040054c <+31>: cmp DWORD PTR [rbp-0x4],0x1 0x0000000000400550 <+35>: jle 0x40053e
0x0000000000400552 <+37>: mov eax,0x0 0x0000000000400557 <+42>: leave => 0x0000000000400558 <+43>: ret End of assembler dump. (gdb)
Music's over and it's midnight on Saturday. Time to go to bed.

Previous | Hacking | Next

Saturday, July 16, 2016

Ping as an OS Fingerprinting Tool


What does PING utility do?
It sends an ICMP 'echo message' (type 8) and if firewalls don't block it, the sender gets ICMP 'echo reply' (type 0) back. If it works we can get an estimate round-trip time of a target host and we will know it's alive!

But there is more to it than that ;-)

Using ping utility venture a guess of what operating system it runs (Windows, Linux, or IOS).

Let's look at this ping results:


pi@tron:~ $ ping -c3 -n www.cisco.com
PING e144.dscb.akamaiedge.net (23.200.96.126) 56(84) bytes of data.
64 bytes from 23.200.96.126: icmp_seq=1 ttl=58 time=5.64 ms
64 bytes from 23.200.96.126: icmp_seq=2 ttl=58 time=7.03 ms
64 bytes from 23.200.96.126: icmp_seq=3 ttl=58 time=5.50 ms

Based on this output we can venture a guess regarding OS of target and how many routers away it is! The 'tell' is the TTL value of the responder. 

We know that the default values of TTL are as follows:

  • MS Windows: TTL = 128.
  • Linux: TTL = 64.
  • Cisco IOS: TTL = 255.
Based on the above output I think www.cisco.com most likely runs on Linux system. It is also 6 hops (routers) away from my Raspberry PI computer. Systems on the Internet are rarely farther than 20 hops. So, if we assume that it is Linux, it uses the TTL value of 64, Response comes with ttl=58. That would be six hops away.

Let's verify that last fact using traceroute (if not installed use: apt-get install traceroute).


ppi@tron:~ $ traceroute -n www.cisco.com
traceroute to www.cisco.com (23.200.96.126), 30 hops max, 60 byte packets
 1  192.168.0.1  0.623 ms  0.726 ms  0.767 ms
 2  193.95.131.7  5.557 ms  5.915 ms  5.829 ms
 3  193.95.138.1  6.519 ms  6.548 ms  6.462 ms
 4  193.95.129.100  6.477 ms 193.95.129.104  6.577 ms 193.95.129.100  6.791 ms
 5  193.95.129.127  6.804 ms  6.975 ms  6.889 ms
 6  193.242.111.55  8.546 ms  8.142 ms  8.046 ms
 7  23.200.96.126  6.145 ms  5.620 ms  5.577 ms
pi@tron:~ $

Six routers and the seventh number is the target host.


Wednesday, July 13, 2016

Passive Reconnaissance - Flowers in Corp Web Page

Previous | Hacking | Next

This week could not be busier so in order to relax this evening another small problem. All towards ultimate goal: hacking systems like a pro ;).

Find a few Cisco servers that could be out target for ... hmm... closer inspection, should we choose learn about their vulnerabilities

How about we try to look at in the company's web page?
Can we find any interesting target IP addresses there?

Raspberry PI to the rescue!

First let's create a working directory and download the index.html page:


pi@clu:~ $ mkdir playground
pi@clu:~ $ cd playground
pi@clu:~/playground $ wget www.cisco.com
--2016-07-13 21:37:53--  http://www.cisco.com/
Resolving www.cisco.com (www.cisco.com)... 23.38.210.91, 2a02:26f0:71:185::90, 2a02:26f0:71:18d::90
Connecting to www.cisco.com (www.cisco.com)|23.38.210.91|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                  [ <=> ]  66.06K  --.-KB/s   in 0.005s 

2016-07-13 21:37:53 (12.5 MB/s) - ‘index.html’ saved [67641]

pi@clu:~/playground $

Okay. Let's search for hyperlinks inside html code. See what we can find.


grep "href=" index.html


WOW! The output is huge! Calling 'cut' for help now.

I am going to match on slash (/) as a delimiting character (-d). Third field (-f3) is going to extract links. Hopefully...


pi@clu:~/playground $ grep "href=" index.html | cut -d "/" -f3

It is beginning to shape up a bit. But the output still has lines of text that are not DNS names. Another grep matching on a dot should clean the output (to match on a dot character it must be escaped with a backslash).


pi@clu:~/playground $ grep "href=" index.html | cut -d "/" -f3 | grep "\."

There is still some text I don't need. A few DNS names are followed by double quote and characters. Another 'cut' will fix it. Also it would be good idea to get rid of the duplicate names and save the whole "discovery" to file 'links.txt'.


pi@clu:~/playground $ grep "href=" index.html | cut -d "/" -f3 | grep "\." | cut -d '"' -f1 | sort -u > links.txt 
pi@clu:~/playground $

Reading the content...

pi@clu:~/playground $ cat links.txt 

Sweet!

Now, just for fun, a bash 'for loop' will convert those into IP addresses. That's thanks to 'host' utility that comes with every Linux.


pi@clu:~/playground $ for url in $(cat links.txt); do host $url | grep "has address" | cut -d " " -f4; done > ip.txt
pi@clu:~/playground $ cat ip.txt

Who would think that so many corporate server IPs can be found on the main page?

And that is just a beginning of our fun!

Now, after this quick mental exercise I feel a bit more relaxed. I will be able to face tomorrow. And tough meeting with the suits I am NOT looking forward to.


Previous | Hacking | Next

Sunday, July 10, 2016

WHOIS


Let's tackle another small problem. 

I would like to find out what are the names (and IP addresses of Microsoft DNS servers. 

There are many ways of accomplishing this goal. Let's try the easiest one first.


pi@tron:~ $ host -t ns microsoft.com
microsoft.com name server ns2.msft.net.
microsoft.com name server ns4.msft.net.
microsoft.com name server ns1.msft.net.
microsoft.com name server ns3.msft.net.
pi@tron:~ $

The 'host' utility is the equivalent of 'nslookup' in MS Windows. It resolves names to IP addresses. If I use option '-t' followed by 'ns' I am asking for DNS record entry releted to DNS servers. Simple enough.

Now, let's convert them into IP addresses. In order to do that, I am going to extract DNS server names and save them into a file.

pi@tron:~ $ host -t ns microsoft.com | cut -d " " -f4 > servers.txt 
pi@tron:~ $ 
pi@tron:~ $ cat servers.txt 
ns4.msft.net.
ns2.msft.net.
ns3.msft.net.
ns1.msft.net.
pi@tron:~ $ 

Now, let's learn what IP addresses represent each one of them. One way of doing it is to use 'for' loop available in bash like that:
 
pi@tron:~ $ for name in $(cat servers.txt); do host $name | grep "has address" | cut -d " " -f4; done > ms.dns.ip.txt
pi@tron:~ $ 
pi@tron:~ $ cat ms.dns.ip.txt 
208.76.45.53
208.84.2.53
193.221.113.53
208.84.0.53
pi@tron:~ $

Another way could be to use 'whois' to get more information about Microsoft domain. Raspberry PI does not come with 'whois' installed by default:

pi@tron:~ $ whois microsoft.com
-bash: whois: command not found
pi@tron:~ $ 
pi@tron:~ $

No big deal! Let's install it:

pi@tron:~ $ sudo apt-get install whois
 
Now, repeat test:

pi@tron:~ $ whois microsoft.com > microsoft.txt
pi@tron:~ $ 

File 'microsoft.txt' contains all output provided by 'whois' command. 

Since we already figured out what IP addresses of Microsoft servers are, let's try to obtain all other IPs that belong to that domain.

'Cat' on the file shows that entries are in blocks that look like this:

Server Name: MICROSOFT.COM.IS.NICE.WHEN.TOASTED.COMKAL.NET
   IP Address: 210.8.201.142
   Registrar: SYNERGY WHOLESALE PTY LTD
   Whois Server: whois.synergywholesale.com
   Referral URL: http://synergywholesale.com

 

Server Name: MICROSOFT.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
   IP Address: 217.148.161.5
   Registrar: HOSTING CONCEPTS B.V. D/B/A OPENPROVIDER
   Whois Server: whois.registrar.eu
   Referral URL: http://www.openprovider.com


I can use 'Server Name' string to extract the IP addresses of their servers. Let's try this:

pi@tron:~ $ grep -A1 'Server Name' microsoft.txt

I used it like that to show -A1 (after 1 line) option of grep. It comes in handy every now and then.

Now, I have two lines and will now grep for just 'IP Address:' string and save it in file 'server.ips.txt:

  
pi@tron:~ $ grep -A1 'Server Name' microsoft.txt | grep "IP Address:" | awk '{print $3}' | grep -v 8.8.8.8 > server.ips.txt
pi@tron:~ $


In the output I find server 8.8.8.8 (Google Public DNS server address which I get rid of using:
grep -v 8.8.8.8 command). The option -v means: not including what follows it (here 8.8.8.8)

The last thing I am going to do is to use bash sort command to sort them based on 1st byt of IP address, second, third and fourth to get a nice output:

pi@tron:~ $ cat server.ips.txt | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n

It's only a reconnaissance, a passive enumeration. Just getting warmed up!

Diving into Linux Bash


Linux operating system has everything any hacker needs. Bash with all the tools that can be combined to create beautiful pyramid of fast actions will be the core of this blog. Let's log on to Raspberry PI and begin the adventure.

Send 10 ping packets to www.cisco.com. Using bash tools extract the slowest and fastest response. 

Ping uses ICMP echo (type 8) and echo reply (type 0) messages. As long as firewall between the sender and the receiver do not block those messages, using ping utility we can check if the target system is alive (at least at the layer 3 of OSI model)

First how to send just 10 ping packets using Linux Bash?


pi@tron:~ $ ping -c10 www.cisco.com > ping.txt

Linux sends ping until you stop it with CTRL-C. In order to send a number of ping packets option -c (count) followed by number 10 will send only 10 packets. Then it stops. 

The result of the ping is going to be sent to a file called 'ping.txt'

Let's see the results:

pi@tron:~ $ cat ping.txt


The output is nicely placed in columns separated by a 'space' character. There are 9 columns of output. This can be used to our advantage.



First I am going to get rid of the output that does NOT have 'ms' leaving only what I want:

pi@tron:~ $ grep "ms" ping.txt

Then, using 'awk' utility I will print out the last two columns (awk breaks each line into variables $1 = 64, $2 = bytes $3 = from, etc.).
 

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}'

There is some garbage left at the end of the output now. So, let's get rid of it:

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms"

Now, I am only interested in displaying the number and ms:

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2


Sort them from lowest to highest delay:


pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2 | sort -n

And finally using 'head -1', display the lowest delay value and 'tail -1' display the highest delay value:
 

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2 | sort -n | head -1
5.30 ms
pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2 | sort -n | tail -1
5.68 ms
pi@tron:~ $