Sunday, 5 May 2013

[Gyan/Knowledge] Practicing Pentesting Skills

If you are interested in Info Sec like me, you will need a wide playground to test and improve your skills. So, here is a nice offline hacking game, called Damn Vulnerable Web App.
There are other games like Mutillidae, Damn Vulnerable Linux, etc. (look for more).
To make the installation process easier on a Linux machine, I put up a bash script here.
This script uses "root" as user and "toor" as password.
After downloading the script and saving a copy on your desktop, open your terminal, change to the Desktop directory, and execute the script (you might need to change the permissions of the script first). Follow the commands below.

root@bt~:# cd /root/Desktop
root@bt~:# chmod +x
root@bt~/Desktop:# sh

Now sit back till it is installed, and keep watching.
Once it is done, open http://localhost/dvwa or on your browser.
The login credentials can be found in the script, or you could just brute-force them :)
Happy Hacking :)

Saturday, 4 May 2013

Choosing your Linux

Not being much of a Windows fan myself (I use it only for my Steam games, because they are not available for Linux), I recommend Linux-based distributions for all needs. Another thing I'd like to say is that no computer has 100% security. If you think Linux doesn't have malware but Windows does, guess again. Linux is hackable; malware writers just do not target Linux as much as Windows, because Windows is far more widely used than Linux/Mac and hence more profit would come from it. Also, Android, which is based on Linux, definitely has malware. Here are a few distributions equipped with hacking tools that I recommend for those interested in the InfoSec field (like me):

BackTrack: the highest rated and most acclaimed Linux security distribution. It is a Linux-based pen testing distro that helps security pros perform assessments in a purely native environment dedicated to hacking!
The latest BackTrack version (now known as Kali OS) can be downloaded from here.

There are a few other known pen testing distro(s) loaded with the whole hacker's arsenal

Tails (Live OS): A part of Tor Project, made not for pen testing but for maintaining the anonymity of users online in this age of insecure internet. It comes equipped with crypto tools and leaves almost no trace on a computer unless you explicitly ask it to.

Remember to choose your distribution wisely. Always check reviews of anything you are about to download. There are a lot of distros like the infamous Anonymous OS, which was released with a security hole for the attacker to gain more slave computers.

Also, always remember to update and upgrade.

For the normal coders and developers with "0" interest in hacking, you could go on with your normal Ubuntu, Fedora, or other well-known Linux distro(s). I always use Debian Lenny based systems. But hey guys, come on... I am sure that some day every one of you coders and developers will come across your code getting hacked by the powerful minds of hackers. So get prepared on how to tackle them and avoid such situations :)
A lot of tools are available in this world of script kiddies; however, as your experience grows, you will want to have your own custom distro, loaded only with the tools you know you are going to use!
You can add on more packages as and when you require them.
To build your custom distro, you can use SuseStudio, or just try making LinuxFromScratch.
A few more Linux distros:
Debian 7.0 "Wheezy" (uses Debian kernel 3.2.41 and gnome 3, released on 4th May, 2013)
Ubuntu(Best Linux Gaming Distro)
Puppy Linux (Lightweight Linux)
Arch Linux (Best Multimedia Linux Distro)
Red Hat Enterprise Linux (Best Enterprise Linux Distro)
Fuduntu (Just for the heck of it)
Gentoo (Something awesome if you have enough time)
I'd recommend Debian-based distros, however!

OK, all this should help you zero in on your desired operating system, and then you can install it. I would love to make a tutorial and show you how to install it as well.
I prefer installing them on my VirtualBox, even though I am not a very big Windows fan... As I said previously, make sure (if you are using an Ethernet cable to connect to the internet) to set your Network Adapter as PCnet-FAST III. Also, if you use Wi-Fi, then it's better to install Linux on a dual-boot basis and then install VirtualBox on that!
VirtualBox is a necessary tool, so that you can test run/exploit on other OS(s) from your computer. VirtualBox also has the cool feature of taking a snapshot, so that you can keep taking your machine back to the previous state when you are testing.