Thursday, 16 June 2016

Deep Web

Everyone knows what a website is, and people use the web anywhere and anytime. But did you know that what we browse is not the whole of it? Search engines index only a fraction of what exists online; the rest, the part you cannot reach through a search engine, is called the "deep web". What we browse every day is called the surface web, and it is commonly estimated at well under 10% of the total.



The dark web is a smaller part of the deep web: sites hosted on overlay networks such as Tor, which encrypt traffic and hide the location of both the visitor and the server. Much of what it is known for is illegal (drug markets, offers to hire hitmen, and so on). Browse it at your own risk, and only through Tor, so that your identity and location stay hidden; otherwise you will be in trouble.

Why Tor? Because Tor lets a site operator publish a hidden service without revealing the server's location, and lets a visitor reach it without revealing theirs. You will also notice that the links do not look like normal domain names: the address is derived from the service's public key, which is why it looks "encrypted".

The Hidden Wiki

As the picture shows, you cannot tell what a site is from its address alone; you only find out from the description next to it, as in the Hidden Wiki listing above. Every address ends in .onion, and only Tor can open it.

This matters when exploring the deep web. A normal browser cannot reach .onion addresses at all, and visiting these sites without Tor's protections exposes your real IP address; careless browsing there can also cost you accounts, money, or a malware infection. So if you want to explore the deep web, do it at your own risk and do not do anything reckless.


Ransomware

Ransomware is a type of malware with a distinctive business model. It encrypts the victim's data so it cannot be accessed unless the victim pays a ransom for the decryption key. Paying does not guarantee that the data comes back; that depends entirely on the attacker. And when the encryption is done properly, recovering the files without the key is practically impossible; if the ransomware encrypts the whole hard drive rather than individual files, the system will not even boot.

This is what files look like after a ransomware infection: the original name gets a new extension.

.cerber (Ransomware)

.crypt (Ransomware)

There are two types of ransomware: encrypting and non-encrypting (locker) ransomware.

Encrypting ransomware dates back to 1989, when it was known as the "AIDS" Trojan. The attack was similar to today's: scramble the data and demand a payment in return for getting it back. The difference was the pretext: the AIDS Trojan claimed that a software licence had expired and demanded a licence fee. The technique has kept evolving ever since, and one of the best-known modern examples is CryptoLocker.

CryptoLocker

CryptoLocker spread through email attachments and targeted Windows users. When the user opened the malicious attachment, the malware encrypted the user's files and displayed a message demanding payment, in bitcoin or a prepaid voucher, within a time limit. If the deadline passed, the attacker would delete the key needed to decrypt the files, and they could not be recovered.

Non-encrypting ransomware appeared in 2010 with WinLock. As the name of the type says, it did not encrypt data; it locked the user out of the system and displayed pornographic images. To regain access, the victim had to send a premium-rate SMS (costing far more than a normal message) to receive an unlock code.

WinLock

Today ransomware has evolved into one of the most dangerous kinds of malware. Fortunately there are defences: tools such as HitmanPro.Alert and Bitdefender's Anti Crypto Vaccine and Anti-Ransomware try to block or vaccinate against known families before they encrypt anything, and for some families whose encryption was implemented badly, decryption tools exist.

Preventing it is not really hard, but people make mistakes and are not suspicious enough of things like an email attachment that looks legitimate but actually carries malware.

To protect your data from ransomware, back it up frequently, and keep at least one copy offline or otherwise out of reach of the infected machine, since ransomware will also encrypt any mapped drive or connected backup it can write to. Then if your PC is hit one day, you restore from the backup and do not need to worry about the encrypted files. Recovery tools can also help, but only for some ransomware families.
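A quick triage check for files that may already be encrypted, added here as an example and not part of the original post or of any tool named above. It combines two signals the post hints at: the extension ransomware appends to each file (.cerber, .crypt) and the fact that properly encrypted content has near-uniform byte statistics. The extension list and the sample directory the script builds are constructed for the demonstration.

```python
import math
import os
import shutil
import tempfile
from collections import Counter
from typing import List, Tuple

# Extensions the post shows on encrypted files (.cerber, .crypt) plus a few other
# well-known ones. A constructed starter list, not an authoritative one.
RANSOM_EXTENSIONS = {".cerber", ".crypt", ".locky", ".encrypted"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, threshold: float = 7.5, sample_size: int = 65536) -> bool:
    """Heuristic: ciphertext is statistically indistinguishable from random bytes,
    so its entropy sits close to 8 bits/byte. Caveat: compressed formats (JPEG,
    ZIP, MP4) look the same, so this signal alone produces false positives."""
    with open(path, "rb") as f:
        return shannon_entropy(f.read(sample_size)) >= threshold


def triage(root: str) -> List[Tuple[str, bool, bool]]:
    """Walk `root`; return (relative path, flagged-by-extension, flagged-by-entropy)
    for every file that trips at least one signal, sorted by path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            by_ext = os.path.splitext(name)[1].lower() in RANSOM_EXTENSIONS
            by_entropy = looks_encrypted(path)
            if by_ext or by_entropy:
                hits.append((os.path.relpath(path, root), by_ext, by_entropy))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed test data in a temp dir: one normal document, one 'encrypted'
    document carrying a ransomware extension, one legitimate high-entropy file."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"Quarterly report, plain text stand-in. " * 1000)  # low entropy
    with open(os.path.join(root, "report.docx.cerber"), "wb") as f:
        f.write(os.urandom(20000))  # stands in for ciphertext: random bytes + known extension
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(os.urandom(20000))  # stands in for a JPEG: high entropy, innocent extension
    return root


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, by_ext, by_entropy in triage(sample_root):
        print(f"{rel:24} extension={by_ext!s:5} entropy={by_entropy}")
    cleanup(sample_root)
```

The two signals are reported separately on purpose: a file that trips both (known extension and random-looking content) is a strong indicator, while one that trips only the entropy check, like the photo.jpg stand-in, needs a look at its real format before you conclude anything.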



Sunday, 15 May 2016

Unicornscan and Comparison with nmap

Unicornscan is another port scanner and works similarly to nmap. Let's take a look.


The syntax for unicornscan is: unicornscan [options] [target host]. First I ran unicornscan against my own laptop as the target (192.168.1.100), and this is what I got.



To check that the results match, I ran nmap and compared.


From the results there are some differences between nmap and unicornscan. nmap gives a more complete result than unicornscan, and it also reports one filtered port, which unicornscan does not show at all.

Next I used a TCP scan, and this is the result.


And I compared it with nmap too.


The result is the same as in the previous example, so for the next example I used a UDP scan.

Using a UDP scan, this is the result for unicornscan.


Using -v (verbose) shows all the ports that will be scanned, the network interface, and some timing information. The result shows 2 open UDP ports and an error message. From what I found, it is defunct, meaning it is no longer supported.

Now I compared it using nmap -v -sU (UDP scan), and this is the result.


For nmap, -v does not show the list of scanned ports, and the results differ: unicornscan found 2 open ports (69 and 137) while nmap found only 1 (137). This kind of disagreement is expected with UDP: a port that sends no reply cannot be told apart from one blocked by a firewall, so nmap reports such ports as open|filtered rather than open, and whether a tool gets a reply at all depends on the probe payload it sends for that port.

We can also scan specific ports; for example, I ran a TCP scan on ports 21, 25, 80, 100 and 443, and this is the result.


Another option I used is sniff (--sniff). For the last example, I ran a sniff with my laptop as the target.



With sniff we can get packet information like window size, packet length, checksum and so on.

In conclusion, nmap is the better choice for port scanning. unicornscan could be better, but it has not been updated since 2007. For speed, unicornscan is faster than nmap: on the UDP scan nmap took about 11 seconds and unicornscan about 7.

For port scanning, always use more than one tool, because in my results unicornscan's UDP scan gave a more complete result than nmap. Neither tool alone is authoritative: a port reported open by one and not the other needs to be verified by connecting to it.
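The conclusion that one tool is not enough is easier to act on if the two outputs are reconciled automatically. The following script is an added example, not the post's own code: it parses unicornscan's standard result lines and nmap's grepable output (nmap -oG -) and buckets each port by how the two tools agree. The scan output it contains is constructed in each tool's format, not the post's actual results; port 69 is shown as nmap's open|filtered to illustrate the UDP case discussed above.

```python
import re
from typing import Dict, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# One unicornscan result line: "TCP open   ssh[   22]   from 192.168.1.100  ttl 64"
UNICORN_RE = re.compile(r"^(TCP|UDP)\s+open\s+\S*\[\s*(\d+)\]\s+from\s+(\S+)")
# One nmap -oG host line: "Host: 192.168.1.100 ()<TAB>Ports: 22/open/tcp//ssh///, ...<TAB>Ignored State: ..."
NMAP_RE = re.compile(r"^Host:\s+(\S+)\s.*?Ports:\s+([^\t]*)")


def parse_unicornscan(text: str) -> Dict[str, Set[Port]]:
    """{host: {(proto, port)}} for every port unicornscan reported open."""
    hosts: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        m = UNICORN_RE.match(line.strip())
        if m:
            hosts.setdefault(m.group(3), set()).add((m.group(1).lower(), int(m.group(2))))
    return hosts


def parse_nmap_grepable(text: str) -> Dict[str, Dict[str, Set[Port]]]:
    """{host: {state: {(proto, port)}}} from `nmap -oG -` output; state is open,
    closed, filtered, or nmap's UDP hedge open|filtered (probe sent, nothing came back)."""
    hosts: Dict[str, Dict[str, Set[Port]]] = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if not m:
            continue
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            hosts.setdefault(m.group(1), {}).setdefault(state, set()).add((proto, port))
    return hosts


def compare(unicorn: Dict[str, Set[Port]], nmap: Dict[str, Dict[str, Set[Port]]],
            host: str) -> Dict[str, Set[Port]]:
    """Reconcile the two views of one host. Anything outside 'agreed_open' needs a manual check."""
    u = unicorn.get(host, set())
    n = nmap.get(host, {})
    n_open = n.get("open", set())
    n_maybe = n.get("open|filtered", set())
    return {
        "agreed_open": u & n_open,
        "unconfirmed": u & n_maybe,                 # unicornscan got a reply, nmap got none
        "unicornscan_only": u - n_open - n_maybe,
        "nmap_only": n_open - u,
        "nmap_filtered": n.get("filtered", set()),  # unicornscan never reports these
    }


# Constructed samples in the format each tool prints (not the post's actual scan output).
UNICORN_SAMPLE = """\
TCP open                     ssh[   22]         from 192.168.1.100  ttl 64
TCP open                    http[   80]         from 192.168.1.100  ttl 64
UDP open                    tftp[   69]         from 192.168.1.100  ttl 64
UDP open             netbios-ns[  137]         from 192.168.1.100  ttl 64
"""
NMAP_SAMPLE = (
    "Host: 192.168.1.100 ()\tStatus: Up\n"
    "Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "139/filtered/tcp//netbios-ssn///, 69/open|filtered/udp//tftp///, "
    "137/open/udp//netbios-ns///\tIgnored State: closed (1995)\n"
)


def demo(host: str = "192.168.1.100") -> Dict[str, Set[Port]]:
    return compare(parse_unicornscan(UNICORN_SAMPLE), parse_nmap_grepable(NMAP_SAMPLE), host)


if __name__ == "__main__":
    for bucket, ports in demo().items():
        print(f"{bucket:17} {sorted(ports)}")
```

In practice you would feed it the saved output of both scans (unicornscan's stdout and nmap -oG), then verify the "unconfirmed" and "unicornscan_only" buckets by hand, since those are exactly the ports where the tools' different UDP probes produced different answers.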

References:
https://www.aldeid.com/wiki/Unicornscan
https://thewhitecathacker.wordpress.com/2014/05/09/nmap-vs-unicornscan/
https://sourceforge.net/p/osace/mailman/message/27025022/ (the error message)

Saturday, 16 April 2016

Wireshark

Wireshark is a free and open-source packet analyzer used for network troubleshooting, analysis, software and communications protocol development, and education. It lets you see what happens to the packets you send to and receive from a target host.

To open Wireshark, start Kali Linux and go to Applications > 09 - Sniffing and Spoofing > Wireshark.


When you open Wireshark, it looks like this.

Wireshark

It may show a warning message when it starts; just click OK to continue. The interface list shows eth0, any, Loopback: lo, bluetooth0, nflog, nfqueue, usbmon1 and usbmon2. To see packets, double-click eth0 (my connection is on eth0) and it will look like this.


To see any traffic you have to generate some, by browsing, using the terminal, or similar. For my example I used the terminal and ran ping detik.com.

ping detik.com

The result looks like this.

Result ping detik.com in wireshark

Wireshark now fills with the packets sent to detik.com. To stop capturing, press the stop button.

button for stop capturing packets

With the capture stopped, you can read the information there. One example is the ICMP entry that says "echo (ping) request", meaning we sent a packet to the host; each request should be followed by an "echo (ping) reply" from the host.

For another example, I ran nmap against my laptop as the target.


And the result in Wireshark looks like this.




You can see some red lines marked "[RST]": that is our side resetting the connection. In a SYN scan nmap never completes the handshake; when a port answers with SYN, ACK, nmap replies with RST to tear the half-open connection down. In the second picture there are lots of "[RST, ACK]" lines, and those mean the port is closed: the target answered our SYN with a reset. For the example, I picked this one.


This one says 22 -> 54295 [RST, ACK], meaning the target sent RST, ACK back to me because port 22 was closed. If you are not sure about that, look again at the list of my open ports below from when I used nmap on my laptop.
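The rule applied to the [RST, ACK] line above generalises: one SYN probe per port, and the reply (or the absence of one) decides the port's state. The function below, an added example rather than anything from the post or from Wireshark itself, applies that rule to a constructed capture; the addresses, the scanner's source port 54295 and the packet sequence are made up for the demonstration, and the display filters in the docstring use standard Wireshark filter syntax.

```python
from typing import Dict, FrozenSet, Iterable, List, NamedTuple


class Packet(NamedTuple):
    """The columns you read off Wireshark's packet list for one TCP segment."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def classify_syn_scan(packets: Iterable[Packet], scanner: str, target: str) -> Dict[int, str]:
    """Reproduce the rule nmap -sS applies to every probed port:
         target answers SYN/ACK   -> open   (nmap then sends RST to abort the handshake)
         target answers RST(/ACK) -> closed
         no answer at all         -> filtered (a firewall swallowed the probe)
    Matching Wireshark display filters:
         open ports:   tcp.flags.syn == 1 && tcp.flags.ack == 1
         closed ports: tcp.flags.reset == 1 && tcp.flags.ack == 1"""
    state: Dict[int, str] = {}
    for p in packets:
        if p.src == scanner and p.dst == target and p.flags == {"SYN"}:
            state.setdefault(p.dport, "filtered")   # probe sent; filtered until answered
        elif p.src == target and p.dst == scanner and p.sport in state:
            if {"SYN", "ACK"} <= p.flags:
                state[p.sport] = "open"
            elif "RST" in p.flags:
                state[p.sport] = "closed"
    return state


def summarize(state: Dict[int, str]) -> Dict[str, List[int]]:
    """Group ports by state, like the table nmap prints at the end."""
    out: Dict[str, List[int]] = {"open": [], "closed": [], "filtered": []}
    for port, s in sorted(state.items()):
        out[s].append(port)
    return out


SCANNER = "192.168.1.50"   # constructed: the Kali machine running nmap
TARGET = "192.168.1.100"   # constructed: the laptop being scanned
F = frozenset

# Constructed capture in the order Wireshark would list it (not the post's own capture).
SAMPLE_CAPTURE = [
    Packet(SCANNER, 54295, TARGET, 22, F({"SYN"})),           # probe 22
    Packet(TARGET, 22, SCANNER, 54295, F({"RST", "ACK"})),    # 22 closed: the "22 -> 54295 [RST, ACK]" line
    Packet(SCANNER, 54295, TARGET, 80, F({"SYN"})),           # probe 80
    Packet(TARGET, 80, SCANNER, 54295, F({"SYN", "ACK"})),    # 80 open
    Packet(SCANNER, 54295, TARGET, 80, F({"RST"})),           # nmap tears it down: the red [RST] line
    Packet(SCANNER, 54295, TARGET, 8080, F({"SYN"})),         # probe 8080, never answered
]

if __name__ == "__main__":
    print(summarize(classify_syn_scan(SAMPLE_CAPTURE, SCANNER, TARGET)))
```

Reading a real capture the same way, the [RST] segments originate from the scanner and carry no information about the port; the verdict always comes from the target's reply to the SYN, which is why the "filtered" case has no packet to point at in Wireshark at all.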

Here is a video to learn more about Wireshark (Windows version).




Sunday, 3 April 2016

Utilizing Search Engine

In general, when we search for information we use Google; others may use Bing, Yahoo or another search engine. When searching for hacking-related material, the method is different. But when you find something, can you be sure that the website, or the file you are about to download, is safe?

To keep anything harmful off your computer, you need to know whether it is safe or not. With virustotal.com, metadefender.com and malwaredomainlist.com you can check whether a site you visit or a file you download is known to be malicious.


This is what virustotal.com looks like. VirusTotal is used to check whether a website is safe, to check a downloaded file (upload limit 128 MB), and to look up information about an IP address.

For example, I searched for "spesifikasi hp xiaomi mi4, kelebihan dan kekurangannya" (Xiaomi Mi4 phone specifications, pros and cons) and copied that link into VirusTotal.


VirusTotal then analyzes the link and gives a result like this.



The result shows that no engine flags the link. Below the summary there is a list of URL scanners and each one's verdict. Keep in mind that "clean" here means no engine knows the link to be bad, which is not the same as proof that it is safe.


There is also additional information such as the website category, IP address resolution, HTTP response code and so on.


This is what metadefender.com looks like. Metadefender has similar functions to VirusTotal, plus "LOOK UP A HASH", which checks whether a file's hash is known to be malicious, and "SCAN AN IP ADDRESS", which checks whether an IP address is known to be malicious. For Metadefender I will focus on the hash lookup.

For example, I entered d131dd02c5e6eec4 693d9a0698aff95c 2fcab58712467eab 4004583eb8fb7f89 (MD5) and checked whether it is compromised or not.


The result shows that the hash is not in the database. Note what this does and does not mean: the service has never seen a malicious file with this hash, so the hash is unknown to it; it does not prove that the file is safe.


You can also use SHA-1 or SHA-256, but I only used MD5 for this example.
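A hash lookup is only as good as the hash you feed it and the way you read a miss. The script below is an added example, not the post's code and not Metadefender's API: it computes all three digests of a file in one pass, normalises a pasted hash (spaces, letter case) and returns a four-way verdict in which a miss is "unknown" rather than "safe". It also checks the digest's shape: the value pasted in the post is 64 hex characters, which is the length of a SHA-256 digest, not the 32 characters of an MD5 digest. The known-bad and known-good tables are constructed stand-ins for a lookup service's database.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Optional, Set

HEX_RE = re.compile(r"^[0-9a-f]+$")
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths


def normalise_hash(value: str) -> Optional[str]:
    """Strip whitespace and case; None unless the result is a well-formed MD5/SHA-1/SHA-256 hex digest."""
    h = "".join(value.split()).lower()
    if not HEX_RE.match(h) or len(h) not in ALGO_BY_LEN:
        return None
    return h


def file_digests(path: str) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file in one pass, since lookup services index by any of them."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def classify(value: str, known_bad: Set[str], known_good: Set[str]) -> str:
    """Four-way verdict. A miss in both lists is 'unknown': the service has never
    seen the file, which says nothing about whether it is safe."""
    h = normalise_hash(value)
    if h is None:
        return "malformed"
    if h in known_bad:
        return "known-bad"
    if h in known_good:
        return "known-good"
    return "unknown"


# Constructed stand-ins for a lookup service's database.
_BAD = b"constructed sample: stands in for a known malware file"
_GOOD = b"constructed sample: stands in for a known clean file"
KNOWN_BAD = {hashlib.md5(_BAD).hexdigest(), hashlib.sha256(_BAD).hexdigest()}
KNOWN_GOOD = {hashlib.sha256(_GOOD).hexdigest()}
POST_VALUE = "d131dd02c5e6eec4 693d9a0698aff95c 2fcab58712467eab 4004583eb8fb7f89"


def demo() -> Dict[str, str]:
    """Write the 'clean' sample to a temp file, hash it, and classify a few inputs."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(_GOOD)
    try:
        digests = file_digests(path)
    finally:
        os.unlink(path)
    return {
        "post_value": classify(POST_VALUE, KNOWN_BAD, KNOWN_GOOD),
        "post_value_shape": ALGO_BY_LEN[len(normalise_hash(POST_VALUE))],
        "bad_md5_uppercase": classify(hashlib.md5(_BAD).hexdigest().upper(), KNOWN_BAD, KNOWN_GOOD),
        "clean_file_sha256": classify(digests["sha256"], KNOWN_BAD, KNOWN_GOOD),
        "clean_file_md5": classify(digests["md5"], KNOWN_BAD, KNOWN_GOOD),  # same file, not indexed by MD5
        "garbage": classify("not a hash", KNOWN_BAD, KNOWN_GOOD),
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:20} {verdict}")
```

The clean_file_md5 case is the one to notice: the same file is "known-good" by SHA-256 and "unknown" by MD5 simply because the table was not indexed by MD5, which is why submitting all three digests, or the file itself, gives a more reliable answer than a single pasted hash.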


This is what malwaredomainlist.com looks like. Malware Domain List is used to check whether an IP address or domain is known to be dangerous: search for the site you want to visit, and if it shows up in the list, the site is dangerous to visit.

You can browse the list of dangerous domains, and you can search for any domain you suspect.


I tried a safe link because I was a bit afraid to use a dangerous one.


And this is the result when the link is not listed. Again, I was a bit afraid to use a dangerous link.



Sometimes you visit a website, perhaps a government site, and suddenly see something like this.

hacked website

It means the site you are visiting has been hacked (defaced) by someone; here we can see it was defaced by wlingigetar.

If you want to find out which websites have been hacked, you can use Google for "Google hacking". "Google hacking is the use of a search engine, such as Google, to locate a security vulnerability on the Internet." (searchsecurity.techtarget.com)

For example, searching for site:.go.id "hacked by" lists .go.id sites (Indonesian government domains) that have been defaced.

some hacked website list

To sum up, nothing you think is safe is 100% safe, so always check when you have a doubt about a website you want to visit.


Monday, 21 March 2016

Information Gathering

Information gathering is simply collecting information about a target from any available source. For example, if you want to know about 9gag, or about a person, the most basic step is to search Google. For more detail you can use who.is, pipl.com or alexa.com.


This is the pipl.com page; pipl.com is used to search for information about a person.


This is the alexa.com page; it shows information about a website, from how popular it is to who visits it.



This is the who.is page, used to look up website information such as WHOIS details, history and DNS records.

To get information about a host, you can use commands in a terminal or the Windows command prompt (I suggest the terminal, since it has more tools): nslookup, host, dig and dnsenum. All four query the DNS for the domain you enter.

host and nslookup command

dig command


dnsenum command

The differences between the four are:
nslookup: shows the name server being queried (its name and address) and the answer for the target. It translates a domain name into an IP address and vice versa.
host: shows the IPv4 and IPv6 addresses and the mail servers (MX records). It also translates a domain name into an IP address and vice versa.
dig: shows the full DNS answer, including the records returned, the name servers, query time and date, and the version of dig itself.
dnsenum: enumerates host addresses, name servers and mail servers, and attempts a zone transfer.
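nslookup, host and dig are all front ends for the same exchange: a DNS query sent over UDP and a reply decoded from wire format. The code below is an added example, not from the post or from any of those tools: it builds a query, parses a reply (including the name-compression pointers real replies use) and can send the query to a resolver. The embedded reply is constructed for detik.com with addresses from the 203.0.113.0/24 documentation range, not the site's real addresses; the 8.8.8.8 default resolver and the 0x1234 sample transaction ID are assumptions made for the example.

```python
import os
import socket
import struct
from typing import Dict, List, Tuple

# Record types used below (RFC 1035 / RFC 3596 values).
A, NS, CNAME, MX, AAAA = 1, 2, 5, 15, 28


def build_query(name: str, qtype: int = A, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header (RD flag set) + QNAME labels + QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just past it in the caller's stream)."""
    labels: List[str] = []
    end = None  # set when the first compression pointer is followed
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer to a name that appeared earlier in the message
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> Dict:
    """Header, skip the echoed question(s), decode the answers as (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == A:
            value = socket.inet_ntoa(msg[rdata_off:off])
        elif rtype == AAAA:
            value = socket.inet_ntop(socket.AF_INET6, msg[rdata_off:off])
        elif rtype in (NS, CNAME):
            value, _ = read_name(msg, rdata_off)
        elif rtype == MX:
            pref = struct.unpack(">H", msg[rdata_off:rdata_off + 2])[0]
            value = f"{pref} " + read_name(msg, rdata_off + 2)[0]
        else:
            value = msg[rdata_off:off].hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def resolve(name: str, qtype: int = A, server: str = "8.8.8.8", timeout: float = 3.0) -> Dict:
    """The exchange dig/nslookup/host perform, over UDP (needs network access).
    The transaction ID is random so a reply can only be matched to the query that sent it."""
    txid = struct.unpack(">H", os.urandom(2))[0]
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("reply does not match our transaction id")
    return resp


# Constructed reply to build_query("detik.com"): header (id 0x1234, flags 0x8180, 1 question,
# 2 answers), the echoed question, then two A records whose name is a pointer (0xC00C) to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x05detik\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a"  # 203.0.113.10, TTL 300
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0b"  # 203.0.113.11, TTL 300
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```

Running resolve("detik.com", NS) or resolve("detik.com", MX) against a live resolver gives the same name-server and mail-server records that host and dig print, and the transaction-ID check is the minimum a client needs so that a stray or spoofed reply is not accepted as the answer.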



Saturday, 19 March 2016

VMware Workstation

VMware Workstation is software for running another OS inside your computer, in other words a virtual machine. It can run more than one OS at the same time, which makes it practical to use. You can also configure each machine: add or reduce RAM, change the network adapter, and so on.


This is what VMware Workstation looks like.


These are the settings of my virtual machine. To open them, click "Edit virtual machine settings", just below the "Power on this virtual machine" button.


When I run my Kali Linux, this is what it looks like.


You can also make it full screen.

The user interface is different from Windows, and keep in mind that the applications inside Kali Linux are penetration-testing tools. To browse the web, use Iceweasel (red circle), located above the terminal (blue circle).


That is all the information I can give you for now; maybe later I will show some of the applications inside Kali Linux.
