Showing posts with label Raspberry PI. Show all posts

Wednesday, July 13, 2016

Passive Reconnaissance - Flowers in Corp Web Page


This week could not be busier, so in order to relax this evening, here is another small problem. All towards the ultimate goal: hacking systems like a pro ;).

Find a few Cisco servers that could be our target for ... hmm ... closer inspection, should we choose to learn about their vulnerabilities.

How about we take a look at the company's web page?
Can we find any interesting target IP addresses there?

Raspberry PI to the rescue!

First let's create a working directory and download the index.html page:


pi@clu:~ $ mkdir playground
pi@clu:~ $ cd playground
pi@clu:~/playground $ wget www.cisco.com
--2016-07-13 21:37:53--  http://www.cisco.com/
Resolving www.cisco.com (www.cisco.com)... 23.38.210.91, 2a02:26f0:71:185::90, 2a02:26f0:71:18d::90
Connecting to www.cisco.com (www.cisco.com)|23.38.210.91|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                  [ <=> ]  66.06K  --.-KB/s   in 0.005s 

2016-07-13 21:37:53 (12.5 MB/s) - ‘index.html’ saved [67641]

pi@clu:~/playground $

Okay. Let's search for hyperlinks inside the HTML code and see what we can find.


pi@clu:~/playground $ grep "href=" index.html


WOW! The output is huge! Calling 'cut' for help now.

I am going to use the slash (/) as the delimiting character (-d) and extract the third field (-f3), which for an absolute URL such as http://host/path is the host name. Hopefully...


pi@clu:~/playground $ grep "href=" index.html | cut -d "/" -f3

It is beginning to shape up a bit. But the output still has lines of text that are not DNS names. Another grep matching on a dot should clean up the output (to match a literal dot, the character must be escaped with a backslash).


pi@clu:~/playground $ grep "href=" index.html | cut -d "/" -f3 | grep "\."

There is still some text I don't need. A few DNS names are followed by a double quote and more characters. Another 'cut', this time on the double quote, will fix it. It would also be a good idea to get rid of the duplicate names and save the whole "discovery" to the file 'links.txt'.


pi@clu:~/playground $ grep "href=" index.html | cut -d "/" -f3 | grep "\." | cut -d '"' -f1 | sort -u > links.txt 
pi@clu:~/playground $

Reading the content...

pi@clu:~/playground $ cat links.txt 

Sweet!

Now, just for fun, a bash 'for loop' will convert those names into IP addresses, thanks to the 'host' utility that comes with every Linux.


pi@clu:~/playground $ for url in $(cat links.txt); do host $url | grep "has address" | cut -d " " -f4; done > ip.txt
pi@clu:~/playground $ cat ip.txt

Who would think that so many corporate server IPs can be found on the main page?
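Here is an added example (not code from the original post) that does the same hostname harvesting as the grep/cut chain above but tolerates the cases that chain trips over: relative links, protocol-relative links (//host/path) and single-quoted href attributes. The HTML is a constructed stand-in for index.html and the example.com names are placeholders; the resolve_hosts helper is left to a usage comment because it needs the 'host' utility and network access.

```shell
#!/bin/sh
# Added example, not from the original post: harvest link hostnames from a
# saved HTML page. Handles absolute (scheme://host/...), protocol-relative
# (//host/...) and single- or double-quoted href values, and skips relative
# links and mailto: links that the cut -d "/" -f3 shortcut turns into junk.

# Constructed sample HTML standing in for a downloaded index.html.
sample_html() {
cat <<'EOF'
<a href="http://www.example.com/about">About</a>
<link rel="stylesheet" href="//static.example.com/site.css">
<a href='https://support.example.com/kb/1'>KB</a>
<a href="/relative/path">Relative</a>
<a href="mailto:someone@example.com">Mail</a>
<a href="http://www.example.com/contact">Contact</a>
EOF
}

# extract_hosts: read HTML on stdin, print unique hostnames, one per line.
extract_hosts() {
    # 1. pull every href value regardless of quote style
    # 2. keep only absolute (scheme://) or protocol-relative (//) links
    # 3. strip the scheme, then everything from the first '/', ':' or '?'
    # 4. keep only names containing a dot and de-duplicate
    grep -oE "href=[\"'][^\"']+[\"']" \
    | sed -E "s/^href=[\"']//; s/[\"']$//" \
    | grep -E '^([a-zA-Z][a-zA-Z0-9+.-]*:)?//' \
    | sed -E 's#^([a-zA-Z][a-zA-Z0-9+.-]*:)?//##; s#[/:?].*$##' \
    | grep '\.' \
    | sort -u
}

# resolve_hosts: read hostnames on stdin and print their IPv4 addresses using
# the 'host' utility (needs network access; not exercised in this example).
resolve_hosts() {
    command -v host >/dev/null 2>&1 || { echo "host utility not installed" >&2; return 1; }
    while read -r name; do
        host "$name" 2>/dev/null | awk '/has address/ { print $4 }'
    done
}

# Prints: static.example.com, support.example.com, www.example.com (one per line).
sample_html | extract_hosts
# Against a real download:  extract_hosts < index.html | resolve_hosts > ip.txt
```

Run against your own site, the same script shows which hostnames anyone can enumerate without ever touching your network, which is worth comparing with the asset inventory you actually intend to expose.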

And that is just a beginning of our fun!

Now, after this quick mental exercise, I feel a bit more relaxed. I will be able to face tomorrow, and the tough meeting with the suits that I am NOT looking forward to.



Sunday, July 10, 2016

Diving into Linux Bash


The Linux operating system has everything a hacker needs. Bash, with all the tools that can be combined into a beautiful pyramid of fast actions, will be the core of this blog. Let's log on to the Raspberry PI and begin the adventure.

Task: send 10 ping packets to www.cisco.com and, using bash tools, extract the slowest and fastest response.

Ping uses ICMP echo request (type 8) and echo reply (type 0) messages. As long as no firewall between the sender and the receiver blocks those messages, the ping utility tells us whether the target system is alive (at least at layer 3 of the OSI model).

First, how do we send just 10 ping packets using Linux Bash?


pi@tron:~ $ ping -c10 www.cisco.com > ping.txt

Linux keeps sending pings until you stop it with CTRL-C. The -c (count) option followed by the number 10 sends only 10 packets and then stops.

The result of the ping is redirected to a file called 'ping.txt'.

Let's see the results:

pi@tron:~ $ cat ping.txt


The output is nicely placed in columns separated by a space character. Each reply line has 9 columns, which we can use to our advantage.



First I am going to get rid of the lines that do NOT contain 'ms', leaving only what I want:

pi@tron:~ $ grep "ms" ping.txt

Then, using the 'awk' utility, I will print out the last two columns (awk breaks each line into fields: $1 = 64, $2 = bytes, $3 = from, etc.).
 

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}'

There is some garbage left at the end of the output now: the summary lines of ping also contain 'ms', so they slipped through the first grep, but they have nothing useful in columns 8 and 9. So, let's get rid of it:

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms"

Now I am only interested in displaying the number and 'ms':

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2


Sort them from lowest to highest delay:


pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2 | sort -n

And finally, 'head -1' displays the lowest delay value and 'tail -1' displays the highest:
 

pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2 | sort -n | head -1
5.30 ms
pi@tron:~ $ grep "ms" ping.txt | awk '{ print $8,$9}' | grep "ms" | cut -d "=" -f2 | sort -n | tail -1
5.68 ms
pi@tron:~ $
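An added example, not from the original post, that computes the same minimum and maximum (plus the average and the packet-loss figure) in one awk pass over a constructed ping capture. It keys on the 'time=' token instead of fixed column numbers, so a reply line with a different number of fields does not break it, and the summary lines no longer need a second grep to filter them out. The hostname and address in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a saved ping run in a
# single awk pass instead of a grep/awk/cut/sort chain.

# Constructed ping output in the Linux (iputils) format the post works with;
# the host, address and timings are made up for the example.
sample_ping() {
cat <<'EOF'
PING www.example.com (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=57 time=5.30 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=57 time=5.68 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=57 time=5.41 ms
64 bytes from 203.0.113.10: icmp_seq=5 ttl=57 time=5.61 ms

--- www.example.com ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4007ms
rtt min/avg/max/mdev = 5.300/5.500/5.680/0.150 ms
EOF
}

# rtt_stats: read ping output on stdin, print "min max avg loss" on one line.
# Fails (exit 1) when no reply line was seen, so a dead host is not reported
# as a host with 0 ms latency.
rtt_stats() {
    awk '
        /time=/ {
            # take the number that follows "time=" wherever it sits on the line
            split($0, parts, "time=")
            split(parts[2], tok, " ")
            rtt = tok[1] + 0
            n++
            sum += rtt
            if (n == 1 || rtt < min) min = rtt
            if (n == 1 || rtt > max) max = rtt
        }
        /packet loss/ {
            # the field ending in "%" carries the loss percentage
            for (i = 1; i <= NF; i++) if ($i ~ /%$/) loss = $i
        }
        END {
            if (n == 0) { print "no replies"; exit 1 }
            printf "%.2f %.2f %.2f %s\n", min, max, sum / n, loss
        }'
}

# Prints: 5.30 5.68 5.50 20%
sample_ping | rtt_stats
# Against a real capture:  rtt_stats < ping.txt
```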

Cheap Hacker's Lab


If you want to play the piano, you must get yourself a piano.

It is fun to learn Cisco stuff, but without access to their proprietary toys you can learn the basics yet you can't become a virtuoso, can you?

So what's the alternative for my restless mind? 


OPEN SOURCE SYSTEMS BABY!

Quick assessment of the situation:

I have two Raspberry PI computers running Raspbian OS, and a salvaged old Dell Optiplex 745 tower that was being decommissioned and doomed to be scrapped. It has 4 GB of RAM and an 80 GB hard drive. That's enough to install ... KALI LINUX.



Raspberry PI

Hacking with Raspberry PI and Kali Linux

1. Raspberry PI Installation.
2. What to do with Raspberry PI?

Friday, January 29, 2016

Raspberry PI Installation



Download the Linux image for Raspberry Pi (I use Raspbian):

Image Download: Raspbian-Download-Page

Then follow the installation instructions.

Since I use Linux to image the SD card, this is what it looks like:



1. Checksum: check that the downloaded file is intact.

sha1sum 2015-05-05-raspbian-wheezy.zip

cb799af077930ff7cbcfaa251b4c6e25b11483de



Compared with the number on the 'download' page, the digest value is the same. (The checksum catches a corrupted or truncated download; it only vouches for the file if the digest itself came from the genuine download page, so fetch that page over HTTPS.)



2. Check how my system detects the SD card.

First, 'df -h' without the SD card inserted:




[Output without SD card]



Then insert the SD card and repeat the same command:




[Output with SD card inserted]



My system mounts the SD card as /dev/mmcblk0p1.


3. Unzip the downloaded image:


unzip 2015-05-05-raspbian-wheezy.zip 



4. Unmount the SD card:


umount /media/jaro/D681-1D95



5. Using 'dd', copy the image onto the SD card (make sure you write to the whole card device rather than a partition - here /dev/mmcblk0, not /dev/mmcblk0p1 - and double-check the device name first, because dd overwrites whatever it is pointed at):


$ sudo dd bs=4M if=2015-05-05-raspbian-wheezy.img of=/dev/mmcblk0



It will take a while to copy the image and nothing shows on the screen during that time. Just give it time.
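Steps 1, 4 and 5 are where an installation goes wrong in practice: a digest that was never really compared, or a dd pointed at the wrong device. The following is an added example (not from the original post) of a small verify-then-write wrapper in POSIX sh. The function names, the DO_WRITE switch and the device paths are this example's own assumptions; the only page-specific value is the SHA-1 of the Raspbian zip quoted above, which appears in the usage comment.

```shell
#!/bin/sh
# Added example, not from the original post: verify the download's digest and
# sanity-check the target device before handing anything to dd.
# The DO_WRITE switch, function names and device paths are this example's own.

# verify_checksum FILE EXPECTED_SHA1 -> succeeds only when the digests match
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper- or lower-case hex
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# is_partition_device DEV -> succeeds when DEV names a partition, not a whole card/disk
is_partition_device() {
    case $1 in
        /dev/mmcblk[0-9]*p[0-9]*) return 0 ;;   # /dev/mmcblk0p1 style (SD card slots)
        /dev/[sv]d[a-z][0-9]*)    return 0 ;;   # /dev/sdb1, /dev/vda1 style (USB readers)
        *)                        return 1 ;;
    esac
}

# is_mounted DEV -> succeeds when DEV or any partition on it appears in /proc/mounts
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v dev="$1" 'index($1, dev) == 1 { found = 1 } END { exit !found }' /proc/mounts
}

# write_image IMAGE DEVICE -> run the guards, then dd (dry run unless DO_WRITE=1)
write_image() {
    image=$1
    dev=$2
    if [ ! -r "$image" ]; then
        echo "image $image not readable" >&2
        return 1
    fi
    if is_partition_device "$dev"; then
        echo "$dev looks like a partition; point dd at the whole card (e.g. /dev/mmcblk0)" >&2
        return 1
    fi
    if is_mounted "$dev"; then
        echo "$dev is still mounted; umount it first (step 4)" >&2
        return 1
    fi
    if [ "${DO_WRITE:-0}" = "1" ]; then
        sudo dd bs=4M if="$image" of="$dev"
    else
        echo "dry run: sudo dd bs=4M if=$image of=$dev"
    fi
}

# Usage, with the digest the post compares against (set DO_WRITE=1 to really write):
#   verify_checksum 2015-05-05-raspbian-wheezy.zip cb799af077930ff7cbcfaa251b4c6e25b11483de \
#     && unzip 2015-05-05-raspbian-wheezy.zip \
#     && write_image 2015-05-05-raspbian-wheezy.img /dev/mmcblk0
```

The digest check is done by the script rather than by eye, so a single transposed hex character cannot slip past, and the partition and mount guards turn the two classic dd mistakes into a refusal instead of a wiped disk.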



6. Insert the SD card into the Raspberry PI and connect it to your TV set.

Once my Raspberry PI is hooked up to the TV set, a tool called 'raspi-config' is the first thing that greets me. It can be invoked at any point from the CLI (command line interface) using the following command:




$ sudo raspi-config




All information on raspi-config can be found at: http://elinux.org/RPi_raspi-config




Avoiding too much deliberation, I arrive at the following settings:






Option 1: Expand Filesystem

This allows the system to see and use the whole SD card.



Option 2: Change User Password.

I have changed the default password (defaults: user=pi, password=raspberry).



Option 3: Enable Boot to Desktop/Scratch

Console: text console, requiring login (default).

In case I want the Graphical User Interface (GUI), I can always type:



$ startx




The Graphical User Interface is pretty and makes simple tasks simple. But my goal is to discover the full power of this little computer and of Linux, which is why I will be using the SHELL most of the time.



Option 8: Advanced Options

A3: Memory Split

(How much memory should the GPU have?) 32

Since I don't use the GUI, 32 MB should do.

A4: SSH (to be able to log on to the PI from other computers with PuTTY etc.). Enabling SSH is also the reason changing the default password in Option 2 matters: the default credentials are public, and an SSH service reachable on the network with that password is an open door.



If I don't like these settings I can change them anytime by invoking the tool again.



The last thing I want to do is make sure my Raspberry PI has a static IP address rather than one assigned by the DHCP server. It will make my SSH access much easier later.



I edit the file in which the system keeps the IP settings. I'm choosing an IP address that is outside the DHCP range of my network (A.B.C.D stand for the values used in my home network):



$ sudo nano /etc/network/interfaces

iface eth0 inet static
    address A.B.C.D
    netmask 255.255.255.0
    network A.B.C.0
    broadcast A.B.C.255
    gateway A.B.C.254


Content saved with CTRL-x / save.
(Note: learn the VIM text editor. Its usage is more difficult but it gives more power as well.)



And...

IT'S ALIVE








