Tuesday 18 December 2012

John the Ripper, Password Cracker tool



John the Ripper is free and open source software; it is one of the most famous and best regarded password crackers in use today.
It is the most widely used tool for cracking passwords in the Unix environment, and it is distributed primarily in source code form.
If you would rather use a commercial product tailored for your specific operating system
John the Ripper is a program that cracks Unix passwords encrypted with DES (Data Encryption Standard).

Step 1: Download JTR.

Step 2: Extract JTR using the command:

##--tar -xzf john-1.6.tar.gz

The file to crack must have the .txt extension. In the regular (default) crack mode, John the Ripper reads that file as its password file: one entry per line, giving the user name and the password hash to crack, for example:

##--User:gyuJo098KkLy9

Save the file as crackme.txt (just an example), go to the prompt and type 'john crackme.txt'. If you know the strength of the password, you can use single crack mode. This is only recommended for weak passwords, as it includes only a few rules and a small wordlist:

##--john -single crackme.txt

Wordfile: uses a wordlist (basically a dictionary attack). It tries every word in the list until it finds a match or reaches the end of the list. This is quicker than the default (brute-force) attack, but I don't recommend it because it doesn't always find a match. More notes on wordlists below.

##--john -wordfile:password.lst crackme.txt

Restore: OK, let's say that you need to stop the crack in the middle. Press Ctrl+Break. A file will be created in the JTR directory named 'restore' (no quotes doofus, and yes, no file extension). You can start the crack back up from that restore point:

##--john -restore:restore

Session: Use this if you know that you will have to stop JTR in the middle of a crack. It allows you to create a new file that holds the data of your session. You can then restore your session later.

##--john -session:[save to filename] crackme.txt

Test: shows how fast JTR will work on your computer:

##--john -test
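As an added example (my own code, not John the Ripper's), here is a small Python audit script that mirrors the single-crack and wordlist modes described above against a user:hash file in the crackme.txt layout. John itself works on crypt(3)/DES hashes; to stay self-contained and runnable anywhere, the script takes the hash function as a parameter and uses SHA-256 over constructed sample entries, so the hashes, the wordlist and the rule set are all assumptions made for illustration.

```python
# Added example (mine, not John the Ripper's code): a tiny password audit
# that mirrors JtR's "single crack" and "wordlist" modes over a user:hash
# file in the crackme.txt layout.
#
# Assumption: JtR itself attacks crypt(3)/DES hashes; to keep this runnable
# anywhere, the hash function is a parameter and the demo uses SHA-256 as a
# constructed stand-in (real /etc/shadow entries do not look like this).
import hashlib
import itertools
from typing import Callable, Dict, Iterator, Sequence

HashFn = Callable[[str], str]


def sha256_hex(password: str) -> str:
    """Demo hash; a real audit would plug in the crypt flavour of the file."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def parse_password_file(text: str) -> Dict[str, str]:
    """Parse user:hash lines (the crackme.txt format), one entry per line."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not digest:
            raise ValueError(f"malformed line: {raw!r}")
        entries[user] = digest
    return entries


def apply_rules(word: str) -> Iterator[str]:
    """A handful of mangling rules in the spirit of JtR's rule engine:
    as-is, capitalised, upper-cased, reversed, and with digit suffixes."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for digits in ("1", "123", "2012"):
        yield word + digits
        yield word.capitalize() + digits


def single_mode(user: str) -> Iterator[str]:
    """Single crack mode: guesses derived only from the login name itself."""
    yield from apply_rules(user)


def wordlist_mode(words: Sequence[str]) -> Iterator[str]:
    """Wordlist mode: every dictionary word pushed through the rules."""
    for word in words:
        yield from apply_rules(word)


def crack(entries: Dict[str, str], hash_fn: HashFn,
          wordlist: Sequence[str] = ()) -> Dict[str, str]:
    """Return {user: recovered_password} for every hash that a guess matched.
    Single mode runs first because it is cheap, then the wordlist."""
    found: Dict[str, str] = {}
    for user, digest in entries.items():
        candidates = itertools.chain(single_mode(user), wordlist_mode(wordlist))
        for guess in candidates:
            if hash_fn(guess) == digest:
                found[user] = guess
                break
    return found


# Constructed sample file: the hashes are SHA-256 of the plaintexts noted in
# the comments, so the audit is reproducible offline.
SAMPLE_FILE = "\n".join([
    "alice:" + sha256_hex("Alice123"),      # falls to single mode
    "bob:" + sha256_hex("dragon2012"),      # falls to the wordlist + rules
    "carol:" + sha256_hex("9v#Tq7!mZpL4"),  # random; survives both modes
])
SAMPLE_WORDLIST = ["password", "dragon", "letmein"]  # constructed wordlist


def audit_sample() -> Dict[str, str]:
    """Run the audit on the constructed file with the constructed wordlist."""
    return crack(parse_password_file(SAMPLE_FILE), sha256_hex, SAMPLE_WORDLIST)


if __name__ == "__main__":
    for user, password in audit_sample().items():
        print(f"{user}: weak password recovered ({password})")
```

Run it directly and it reports which accounts fell to which mode. The point for a defender is that a password derived from the login name, or a dictionary word with a digit suffix, is recovered within a handful of guesses, which is exactly why single mode is the first thing John tries and why a password audit should start there.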

Sunday 9 December 2012

hacking with Snort IDS/IPS

Snort
Snort is a free, lightweight network intrusion detection system for both UNIX and Windows.
Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
In this blog post I am going to show you how to install Snort from source, write rules and perform basic testing.

Download and Extract Snort

# cd /usr/src
# wget -O snort-2.8.6.1.tar.gz http://www.snort.org/downloads/116
# tar xvzf snort-2.8.6.1.tar.gz

Install Snort

Before installing Snort, make sure you have the development packages of libpcap and libpcre; these are essential to build a working IDS.

#apt-get install snort-mysql
#apt-get install libpcap0.8-dev
#apt-get install libnet1-dev
#apt-get install build-essential
#apt-get install checkinstall
#apt-get install libpcre3-dev
#apt-get install libmysqlclient12-dev


# cd snort-2.8.6.1
# ./configure
# make
# make install

Create the required files and directory
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /var/log/snort

Copy two files into our new /etc/snort/rules directory:
- classification.config: defines URLs for the references found in the rules.
- reference.config: includes information for prioritizing rules.


#cp /usr/src/snort-2.8.6.1/etc/classification.config /etc/snort/rules/
#cp /usr/src/snort-2.8.6.1/etc/reference.config /etc/snort/rules/


Create a user called snort to launch Snort:
#useradd snort -d /var/log/snort -s /bin/false -c SNORT_IDS

Create a log directory owned by the snort user:

You first need to run the "configure" command to check the dependencies and prepare Snort to be compiled with MySQL support.
#cd /usr/src/snort-2.8.6.1
#./configure --with-mysql

Create the following snort.conf and icmp.rules files:

# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules
# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

Execute snort

Execute Snort from the command line, as shown below.
# snort -c /etc/snort/snort.conf -l /var/log/snort/
Try pinging some IP from your machine to trigger our ping rule, then look at the alert file:
# head /var/log/snort/alert
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO
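As an added example (my own code, not Snort's), the following Python script parses the plain-text alert file shown above into structured records and produces a small triage summary. The first record in the sample is the one above; the second and third are constructed (source 192.0.2.10 is a documentation address) to show the default layout, in which the timestamp and "src -> dst" share a line, and the per-source aggregation.

```python
# Added example (mine, not Snort's code): a parser for the plain-text alert
# file that Snort writes to /var/log/snort/alert, plus a small triage summary.
# It understands both layouts Snort produces: the one shown in the post (with
# -e, the link-layer line comes first and the IP header has its own line) and
# the default one, where the timestamp and "src -> dst" share a line.
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
TIMESTAMP_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
ENDPOINTS_RE = re.compile(r"(\S+) -> (\S+)")
PROTO_RE = re.compile(r"\b(ICMP|TCP|UDP)\s+TTL:(\d+)")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    priority: Optional[int] = None
    timestamp: Optional[str] = None
    src: Optional[str] = None   # for TCP/UDP this still carries ":port"
    dst: Optional[str] = None
    proto: Optional[str] = None
    ttl: Optional[int] = None


def parse_alert_file(text: str) -> List[Alert]:
    """Split the file into blank-line separated records and parse each one."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0]) if lines else None
        if header is None:
            continue  # not an alert record; skip rather than guess
        alert = Alert(int(header[1]), int(header[2]), int(header[3]), header[4])
        for line in lines[1:]:
            if m := PRIORITY_RE.search(line):
                alert.priority = int(m[1])
            if m := TIMESTAMP_RE.match(line):
                alert.timestamp = m[1]
            if m := ENDPOINTS_RE.search(line):
                alert.src, alert.dst = m[1], m[2]
            if m := PROTO_RE.search(line):
                alert.proto, alert.ttl = m[1], int(m[2])
        alerts.append(alert)
    return alerts


def top_sources(alerts: List[Alert], n: int = 5) -> List[Tuple[str, int]]:
    """Most frequent source addresses: a first cut at 'who is noisy'."""
    return Counter(a.src for a in alerts if a.src).most_common(n)


def count_by_signature(alerts: List[Alert]) -> Counter:
    """Alert volume per (sid, msg), for spotting rules that need tuning."""
    return Counter((a.sid, a.msg) for a in alerts)


# Constructed sample: record 1 is the alert from the post; records 2 and 3
# are made up (192.0.2.10 is an RFC 5737 documentation address).
SAMPLE_ALERT_LOG = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:41:57.230345 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x64
209.85.231.102 -> 209.85.231.104 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:24905   Seq:1  ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:42:01.118200 192.0.2.10 -> 209.85.231.104
ICMP TTL:128 TOS:0x0 ID:311 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1  Seq:7  ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
07/27-20:42:01.118901 192.0.2.10 -> 209.85.231.104
ICMP TTL:128 TOS:0x0 ID:312 IpLen:20 DgmLen:60
Type:8  Code:0  ID:1  Seq:8  ECHO
"""

if __name__ == "__main__":
    parsed = parse_alert_file(SAMPLE_ALERT_LOG)
    for a in parsed:
        print(f"{a.timestamp} [{a.gid}:{a.sid}:{a.rev}] {a.msg} {a.src} -> {a.dst}")
    print("top sources:", top_sources(parsed))
    print("by signature:", dict(count_by_signature(parsed)))
```

The summary functions are the part worth keeping: a rule like the ICMP one above fires on every ping, so counting by signature shows quickly which rules need a tighter header or a threshold before the alert file becomes noise.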


Alert Explanation
# snort -dev -i ppp0 -c /etc/snort/snort.conf -l /var/log/snort/

configure database

Add a password for the MySQL root user:
#mysqladmin -u root password new_root_password
Create the MySQL database:
#mysql -u root -p
>create database snort;


Packaged installation
Find the table definitions shipped with the package: dpkg -L snort-mysql
We are looking for the create_mysql.gz file; it is normally located in the /usr/share/doc/snort-mysql folder.

#gzip -d /usr/share/doc/snort-mysql/create_mysql.gz
Import the MySQL tables:

#mysql -u root -p snort < /usr/share/doc/snort-mysql/create_mysql

 CONFIGURE SNORT FOR SQL

We now have to forward the logs into the MySQL database.
This is already done by installing the snort-mysql package; we only need to configure the username and password used to access the snort database.
In the /etc/snort/snort.conf file, change the line between (#DBSTART#) and (#DBEND#):

output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost

Uncomment the following lines:

ruletype redalert
{
type alert
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost
}
Start Snort !!

snort -u snort -c /etc/snort/snort.conf

Snort is started as the snort user and loads the configuration stored in /etc/snort/snort.conf.


Add a line to /etc/crontab to start Snort automatically after a reboot:

@reboot root snort -u snort -c /etc/snort/snort.conf >> /dev/null

Sunday 2 December 2012

NMAP : Enumeration

To start learning hacking you are going to need these operating systems and tools. If you are very good at programming you may not need these tools, but for effective and quick results you are going to need this setup.
As I listed some tools in my previous blog post, the very first tool is Nmap. Nmap is a network security scanning tool, basically used for information gathering: you can collect all the essential information about the target, such as which operating system it is running. It is freely available to everyone. It provides features such as:
1-Traceroute
2-Operating system detection
3-Detailed port scanning
4-Nmap scripting engine (it can check, for example, whether a proxy server can be accessed without a password, and many more things)
5-Packet tracing
6-Port scanning
7-Fragmenting
8-FTP bounce
9-RPC and list scan
 ---------------------------------------------------------------------------------------------------------------------
A-Tcp Port Scanning
root@bt:~# nmap -sS 192.168.1.88

Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-02 16:51 IST
Nmap scan report for 192.168.1.88
Host is up (0.00028s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: XX:XX:XX:XX:XX:XX (Intel) mac address of victim

Nmap done: 1 IP address (1 host up) scanned in 5.66 seconds.

We can use -sU to check for open UDP ports:


  nmap -sU 192.168.1.188
-----------------------------------------------------------------------------------------------------------------------
B-FIN packet scan 
root@bt:~# nmap -sF 192.168.1.88

Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-02 16:57 IST
Nmap scan report for 192.168.1.88
Host is up (0.00017s latency).
All 1000 scanned ports on 192.168.1.88 are open|filtered

MAC Address: XX:XX:XX:XX:XX:XX
Nmap done: 1 IP address (1 host up) scanned in 21.15 secon
 

---------------------------------------------------------------------------------------------------------------------
C-IP Protocol Scan

D-Version Detection

E-Idle Scanning

Here is an example that exercises all of the above:
 ----------------------------------------------------------------------------------------------------------------
root@bt:~# nmap -sS -P0 -A -v 192.168.1.88

Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-02 17:03 IST
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 17:03
Scanning 192.168.1.88 [1 port]
Completed ARP Ping Scan at 17:03, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:03
Completed Parallel DNS resolution of 1 host. at 17:03, 0.00s elapsed
Initiating SYN Stealth Scan at 17:03
Scanning 192.168.1.88 [1000 ports]
Discovered open port 912/tcp on 192.168.1.88
Discovered open port 5357/tcp on 192.168.1.88
Discovered open port 902/tcp on 192.168.1.88
Completed SYN Stealth Scan at 17:03, 8.64s elapsed (1000 total ports)
Initiating Service scan at 17:03
Scanning 3 services on 192.168.1.88
Completed Service scan at 17:04, 11.02s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.88
NSE: Script scanning 192.168.1.88.
Initiating NSE at 17:04
Completed NSE at 17:04, 30.03s elapsed
Nmap scan report for 192.168.1.88
Host is up (0.00031s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE         VERSION
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
5357/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
MAC Address: XX:XX:XX:XX:XX:XX (Intel)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2008|7|Vista
OS CPE: cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 Beta 3, Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2 or Windows Server 2008
Uptime guess: 0.121 days (since Sun Dec  2 14:10:12 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.1.88

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.00 seconds
           Raw packets sent: 2041 (92.356KB) | Rcvd: 11 (568B
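As an added, defensive example (my own code, not part of Nmap), the script below parses the normal-output port table shown above into records and diffs the confirmed-open ports against a baseline of services the asset owner expects, which is how the same scan is used to audit your own hosts for unexplained listeners. The first sample is the scan output above; the baseline (5357/tcp expected, 902 and 912 not) and the FIN-scan sample are constructed for illustration.

```python
# Added example (mine, not Nmap's code): parse Nmap's normal-output port
# table into records and diff the open ports against an expected-services
# baseline. Run against your own hosts, anything listening that the asset
# inventory does not explain is what you want flagged.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: (\S+)")
OS_RE = re.compile(r"^Running: (.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str      # "open", "closed", "filtered", or a combined "open|filtered"
    service: str
    version: str = ""


@dataclass
class ScanReport:
    host: Optional[str] = None
    mac: Optional[str] = None
    os_guess: Optional[str] = None
    ports: List[PortRecord] = field(default_factory=list)


def parse_nmap_output(text: str) -> ScanReport:
    """Walk the normal (human-readable) output line by line."""
    report = ScanReport()
    for line in text.splitlines():
        line = line.rstrip()
        if m := HOST_RE.match(line):
            report.host = m[1]
        elif m := MAC_RE.match(line):
            report.mac = m[1]
        elif m := OS_RE.match(line):
            report.os_guess = m[1]
        elif m := PORT_RE.match(line):
            report.ports.append(PortRecord(
                port=int(m[1]), proto=m[2], state=m[3], service=m[4],
                version=(m[5] or "").strip()))
    return report


def confirmed_open(report: ScanReport) -> List[PortRecord]:
    """Only ports Nmap could positively classify as open; a FIN scan's
    'open|filtered' verdict (see the -sF output in the post) is not confirmation."""
    return [p for p in report.ports if p.state == "open"]


def unexpected_open_ports(report: ScanReport,
                          baseline: Set[Tuple[int, str]]) -> List[PortRecord]:
    """Open ports that the baseline of expected (port, proto) pairs does not explain."""
    return [p for p in confirmed_open(report) if (p.port, p.proto) not in baseline]


# Sample 1: the -sS -A output from the post (MAC masked as in the post).
SAMPLE_SCAN = """\
Nmap scan report for 192.168.1.88
Host is up (0.00031s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE         VERSION
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
5357/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
MAC Address: XX:XX:XX:XX:XX:XX (Intel)
Device type: general purpose
Running: Microsoft Windows 2008|7|Vista
"""

# Sample 2: the -sF output from the post, which yields no port table at all.
SAMPLE_FIN_SCAN = """\
Nmap scan report for 192.168.1.88
Host is up (0.00017s latency).
All 1000 scanned ports on 192.168.1.88 are open|filtered
"""

# Constructed baseline: the asset owner expects only the WSD listener here.
SAMPLE_BASELINE: Set[Tuple[int, str]] = {(5357, "tcp")}

if __name__ == "__main__":
    report = parse_nmap_output(SAMPLE_SCAN)
    for p in unexpected_open_ports(report, SAMPLE_BASELINE):
        print(f"{report.host}: unexpected {p.port}/{p.proto} {p.service} {p.version}")
```

The distinction `confirmed_open` draws matters when feeding results into an inventory: the FIN scan's "open|filtered" verdict means the host simply did not answer, so only the SYN or version-scan results should ever be treated as evidence of a listening service.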

-------------------------------------------------------------------------------------------------------------------------- 
             Trace-route example

nmap --packet-trace -p80 dmiessler.com
 SENT (0.1160s) TCP 204.11.219.126:40117 > 204.11.219.126:80 S ttl=40
     id=52313 iplen=44  seq=2829670227 win=1024
RCVD (0.1160s) TCP 204.11.219.126:40117 > 204.11.219.126:80 S ttl=40
     id=52313 iplen=44  seq=2829670227 win=1024
RCVD (0.1160s) TCP 204.11.219.126:80 > 204.11.219.126:40117 SA ttl=64
     id=0 iplen=44  seq=2909000595 win=32792 ack=2829670228
Interesting ports on dmiessler.com (204.11.219.126):
PORT   STATE SERVICE
80/tcp open  http



Nmap done: 1 IP address (1 host up) scanned in 0.13 second

   --------------------------------------------------------------------------------------------------------------------------
Guys, as we know, the most important part of hacking is gathering information about the target. Using Nmap we can gather all possible information about the target computer.