Penetration testing with Metasploit

Penetration testing is one of the ways to identify the security holes in your system, and Metasploit is a great free and open-source tool for launching the attack.

Here I have two machines in my virtual environment, and I am using my favorite Kali to launch the attack. We will use browser_autopwn2, which is a module packaged within Metasploit.

Before doing anything, please ensure that the firewall on your Windows system is disabled, and then ping each machine from the other.


Great!! Now launch your “weapon”, the Metasploit Framework, from Kali Linux. It is the one with the “M” icon on the sidebar. To start any exploit, we use the keyword “use”. Since we are using browser_autopwn2, we type its path: use auxiliary/server/browser_autopwn2

Then hit Enter to move to the next step. To find the listener address, type run next.


After a number of lines, we will see the address; this is the address we have to copy down and type into the browser of the victim system (Windows XP).

Go to Internet Explorer on Windows XP and type the URL. You will notice changes in your terminal in Kali: this opened two sessions, which can be used to interact with the victim system.

Type “sessions -i 1” to use the Meterpreter session. Type help to see all the fun stuff you can do with this.

The ‘help’ command will introduce you to a number of commands with their functions. You can use hashdump to collect usernames and hashes.

This is one of the commands I used here to shut down the victim system. Try other commands too and enjoy your hack!! 😉


Brute-Force Attack with Burp Suite Intruder

Burp Suite is indeed a great tool for testing vulnerabilities in web applications. I am using its free version, which has limited capabilities but works well for learning! Below is the process to brute-force the webpage. Make sure that you don’t try it on any webpage from the internet!

So, I’ll be using my VM setup, with Kali and Bee-Box as the victim web server. The process for setting up Burp Suite and the proxy in the browser is explained here. Make sure you have set your proxy to localhost.

STEP 1: Intercepting the login request

To capture the HTTP request, enter a username and password on the logon form of Bee-Box [with Intercept ON]. Once you hit the login button, Burp Suite will intercept the request; you can then forward the request or turn Intercept off.

Now right-click the request and send it to Intruder.


STEP2:

Once on the Intruder tab, you will see the IP and the port you want to attack filled in automatically. If you did not make the request (as in step 1), you can enter the information manually under the “Target” tab.


Now turn to the “Positions” tab. This shows the same request (the raw packet information) that you made before. The highlights here are the “potential injection” points marked by Burp Suite.


Here we know the username and only need to get the password. For now, the other things, like session IDs, security level or login, are not required. Hit “Clear” as shown.


Then highlight the parameter “password” and click “Add”. You will see those little markers around “password”. This means we will be passing a list of payloads; Intruder will go through each of them and send a request to the server.

As only one parameter needs to be replaced, select the “Sniper” attack type. Sniper uses a single payload set and replaces each marked position in turn.

If you are trying both the username and the password, select “Cluster bomb”. It puts the first payload set at the first position and the second at the other, and tries all possible combinations.

Now we are going to set the payload. Since we are only working on finding the password, select payload set 1. You can load a word list from Kali from the path /usr/share/wordlists.


Here I am manually adding the words I want to test against the parameter password. Then hit “Start attack”.

In the results window, you will notice that one word has different values for “Length” and “Status”. All the others will have the same values as the base request.


Perfect!! You now have the password! Happy Hacking! Happy Learning! 🙂


Top Nmap commands that you need to know!!

Nmap is a great tool for network scanning and is of course open source!! With Nmap you can find the devices on the network, their MAC addresses, open ports, operating system and much more. Here are some of the basic and wonderful commands of this great information-gathering tool. I would recommend that you take a look at this as well for a more in-depth understanding of this amazing tool.

During the tutorial, I’ll be scanning “http://scanme.nmap.org/”. This is provided by the Nmap Security Scanner Project, and we are authorized to run our scans against it for test purposes!

#1 To scan the entire subnet

chahal@ubuntu:~$ sudo nmap 192.168.2.*
chahal@ubuntu:~$ sudo nmap 192.168.2.0/24

Note that the output of the command will differ if it is run as an unprivileged user, i.e. when sudo is not used, only SYN packets are sent to the target, unlike with a privileged user, where ARP requests are sent.

Sample output: [screenshot]

#2 Scanning Specific Targets

chahal@ubuntu:~$ nmap 192.168.2.1
chahal@ubuntu:~$ nmap scanme.nmap.org
chahal@ubuntu:~$ nmap 192.168.2.1-20

These commands scan the 1000 most common ports by default.

#3 Scans for Host Discovery

List Scan (-sL)

root@ubuntu:~# nmap -sL scanme.nmap.org/28 

This scan is unobtrusive and does not attract much attention, as it lists all the hosts in the specified target network (performing reverse DNS resolution on each) without sending them any ping requests.

root@ubuntu:~# nmap -sP 192.168.2.*

This is a ping scan, which simply sends ping requests to see which hosts are up in the target network and doesn’t scan for ports.

Below is the output of it: [screenshot]

#4 To scan particular port

nmap -p [portNumber or Port Range] [target]


#5 --reason flag

This gives you the reason why a particular port was marked open, closed or filtered.

Here in the sample output, port 22 was marked open because it returned a SYN-ACK packet.


#6 Skipping The Ping Scan and DNS resolution

chahal@ubuntu:~$ nmap -Pn -n scanme.nmap.org

-Pn: skips the initial ping scan.

Nmap, by default, does a ping sweep first to discover the machines that are online, and then runs a detailed scan on those IPs. So you will not be able to discover devices that sit behind a firewall or that block ping requests.

This command skips the initial pings and runs a complete scan against all IPs (even ones that don’t exist). Imagine the time it is going to take if the network has a large number of IPs.

Also, Nmap performs DNS resolution by default, and -n skips it. Not doing the DNS resolution helps to speed up the scan a little!

#7 TCP Scans:

TCP connect scans (-sT)

This is the default scan in Nmap; it follows the three-way handshake process to detect open ports.

chahal@ubuntu:~$ nmap -sT -p1-1000 scanme.nmap.org


SYN stealth scan (-sS)

chahal@ubuntu:~$ sudo nmap -sS scanme.nmap.org

This scan is considered a stealth scan or half-open scan. It is a little more difficult for Intrusion Detection Systems to detect. This scan requires root privileges to run. The difference between -sT and -sS is that the stealth scan does not complete the connection with the target.

As an example, Nmap sends the SYN request (as in the three-way TCP handshake), and scanme replies with SYN/ACK if the port is open. Now Nmap, instead of sending the ACK packet, sends an RST packet!!
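The same -sT versus -sS difference seen from the defender's side, as an added example that is not part of the original post: the classifier derives the port state and reason that --reason prints (SYN/ACK means open, RST means closed, silence means filtered) and flags sources that never complete a handshake. The trace format, the addresses and the min_ports threshold are constructed for this demo.

```python
"""Classify TCP handshakes in a constructed trace and flag half-open scanners."""
from collections import defaultdict

# Constructed packet trace: (src, dst, dst_port, tcp_flags), in time order.
TRACE = [
    ("10.0.0.5", "10.0.0.9", 22, "SYN"),       # scanner probes port 22
    ("10.0.0.9", "10.0.0.5", 22, "SYN-ACK"),   # port is open
    ("10.0.0.5", "10.0.0.9", 22, "RST"),       # -sS behaviour: RST, not ACK
    ("10.0.0.5", "10.0.0.9", 80, "SYN"),
    ("10.0.0.9", "10.0.0.5", 80, "SYN-ACK"),
    ("10.0.0.5", "10.0.0.9", 80, "RST"),
    ("10.0.0.5", "10.0.0.9", 443, "SYN"),
    ("10.0.0.9", "10.0.0.5", 443, "RST"),      # closed port answers RST
    ("10.0.0.5", "10.0.0.9", 8080, "SYN"),     # filtered: nothing comes back
    ("10.0.0.7", "10.0.0.9", 80, "SYN"),       # ordinary client (or -sT)
    ("10.0.0.9", "10.0.0.7", 80, "SYN-ACK"),
    ("10.0.0.7", "10.0.0.9", 80, "ACK"),       # handshake completed
]


def classify_flows(trace):
    """Return {(client, server, port): {"state", "reason", "handshake"}}.

    state/reason mirror --reason: SYN/ACK back -> open (syn-ack), RST back ->
    closed (reset), silence -> filtered (no-response).  handshake is one of
    "unanswered", "refused", "half-open" or "completed".
    """
    flows = {}
    for src, dst, port, flags in trace:
        if flags == "SYN":                      # client opens a new flow
            flows[(src, dst, port)] = {"state": "filtered",
                                       "reason": "no-response",
                                       "handshake": "unanswered"}
        elif (dst, src, port) in flows:         # server's reply to the client
            f = flows[(dst, src, port)]
            if flags == "SYN-ACK":
                f.update(state="open", reason="syn-ack", handshake="half-open")
            elif flags == "RST":
                f.update(state="closed", reason="reset", handshake="refused")
        elif (src, dst, port) in flows:         # client's third packet
            f = flows[(src, dst, port)]
            if f["state"] == "open" and flags == "ACK":
                f["handshake"] = "completed"    # -sT or a real client
            # an RST here leaves the flow "half-open": the -sS signature
    return flows


def find_syn_scanners(trace, min_ports=3):
    """Flag sources probing >= min_ports distinct ports on one host without
    completing a single handshake, the pattern a SYN scan leaves behind."""
    probed, completed = defaultdict(set), defaultdict(set)
    for (client, server, port), f in classify_flows(trace).items():
        probed[(client, server)].add(port)
        if f["handshake"] == "completed":
            completed[(client, server)].add(port)
    return sorted(client for (client, server), ports in probed.items()
                  if len(ports) >= min_ports and not completed[(client, server)])
```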


#8 UDP Scan

To invoke UDP scan, -sU is used. UDP scan requires root privileges.

chahal@ubuntu:~$ sudo nmap -sU scanme.nmap.org 


#9 Decoy scan

As a penetration tester, you would always want to hide the IP from which the attack is launched. Nmap uses decoys to launch a scan that seems to come from multiple hosts, so the target has difficulty determining the real host behind the attack. Options to launch a decoy scan are:

1. nmap -D RND:10 [target]
2. nmap -D decoy1,decoy2,decoy3 [target]


#10 Version and OS Detection

OS and version detection are among the most important features of Nmap. These scans can be launched with the following commands:

$ nmap -sV <target>  
$ nmap -O <target>

Nmap stores its probe and response matches in the file “nmap-os-db”. Each OS responds differently to the probes, which helps in determining the operating system. The following list summarises the related options:

--osscan-limit: limits OS detection. Nmap will not even try detection against targets that do not have at least one open port.

--osscan-guess: if the scan is unable to detect the OS, it reports the nearest possibilities.

--max-os-tries <number>: sets the maximum number of attempts at detecting the OS.


Remote Code Execution Vulnerability in GoAhead Servers

Another big flaw!! Researchers at Elttam recently discovered a security flaw in GoAhead web servers running versions below 3.6.5. GoAhead is an embedded web server originally from Embedthis that is deployed in millions of devices, including printers, IP phones, networking devices and many more. Among its clients, some of the famous ones are Avaya, Siemens, Canon, IBM, D-Link, Kodak and HP.

The vulnerability is tracked as CVE-2017-17562 and exists in the “CGI handler” function in all versions prior to 3.6.5. Based on the Elttam report,

“The vulnerability is a result of initialising the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LD_PRELOAD.”

This vulnerability allows a remote attacker to send a malicious HTTP CGI request that carries a payload in the POST body, and exploitation could lead to arbitrary code execution on the server.
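A model of the bug class and of the fix, as an added example that is not GoAhead's code: a CGI handler that copies request parameter names straight into the child's environment lets a request set variables the dynamic linker honours or shadow variables the server owns, while the hardened builder rejects those names and namespaces the rest. The query string, the RESERVED set and the QUERY_ prefix are this demo's choices, not the upstream patch.

```python
"""Vulnerable and hardened CGI environment builders (constructed demo)."""
from urllib.parse import parse_qsl

# Constructed request: a normal parameter plus loader/server variable names.
QUERY_STRING = ("page=status&LD_PRELOAD=/tmp/constructed.so"
                "&LD_LIBRARY_PATH=/tmp&PATH=/tmp")
SERVER_ENV = {"PATH": "/usr/bin:/bin", "SERVER_SOFTWARE": "demo-httpd"}

# Prefix read by the glibc dynamic linker, and names the server must keep
# control of (the RESERVED set is an assumption for this demo).
LOADER_PREFIXES = ("LD_",)
RESERVED = {"PATH", "IFS", "HOME", "SHELL"}


def cgi_env_vulnerable(query, server_env):
    """Pre-3.6.5 pattern (simplified): every request parameter becomes an
    environment variable of the forked CGI script, with no check on its name,
    so LD_PRELOAD reaches the dynamic linker and PATH is overwritten."""
    env = dict(server_env)
    for name, value in parse_qsl(query, keep_blank_values=True):
        env[name] = value
    return env


def cgi_env_hardened(query, server_env):
    """Mitigation: drop loader-controlled and reserved names, require plain
    identifier names, and prefix what remains so a request parameter can
    never collide with a real environment variable.  Returns (env, rejected)."""
    env, rejected = dict(server_env), []
    for name, value in parse_qsl(query, keep_blank_values=True):
        upper = name.upper()
        if (upper.startswith(LOADER_PREFIXES) or upper in RESERVED
                or not name.isidentifier()):
            rejected.append(name)
            continue
        env["QUERY_" + name] = value
    return env, rejected


def request_sets_blocked_names(query):
    """Detection helper for request logs: True if any parameter name would be
    rejected by the hardened builder (LD_*, reserved, or not an identifier)."""
    return bool(cgi_env_hardened(query, {})[1])
```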

A Shodan search reveals a large number of devices (approx. more than 500,000) running the GoAhead server. So, as of now, a number of these could be vulnerable.

A patch has been released for the vulnerability, and all users have been advised to upgrade to GoAhead 3.6.5 if dynamically linked CGI programs are being used on Linux machines.

Elttam has also released a PoC that can be used to check whether your GoAhead version is prone to the attack and to verify that you are protected against it. The test scripts by Elttam can be found here.

With a large number of devices affected by this vulnerability, this seems to be big trouble, as a large pool of affected devices is now exposed to malicious attackers.

Deobfuscating the PowerShell Code to get IOCs

Malicious actors often obfuscate their code to bypass antivirus or to make reverse engineering harder. Here I got a sample from Hybrid Analysis and will show you how to deobfuscate it. I’ve been enjoying these a lot and hope you will love it as well.
The sample I got is a document with the hash 7cb3fa5500d7ddbfa9631df5d3dff5.
You can get the sample from here. I’ll be using Notepadqq on my Ubuntu, but you can use Notepad++ if you are using Windows.

  1. Get the base64 of the code from here and decode it using https://www.base64decode.org/
  2. I copied the decoded base64 stream to my notepad, but it is still not very clear.
  3. Now delete some of those redundant characters to deobfuscate the stream. Here I am replacing the letters between the quotes with a single space, using “Replace all”.
  4. Not readable yet! But at least we can see a clear decimal format. So, I’ll be using rapidtables.com to convert this piece into readable text.
  5. Now you have the malicious links from which the payload will be downloaded.
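The five manual steps above replayed in code, as an added example that is not part of the original post and does not use the real sample: the obfuscated stream is constructed here with the same shape (a base64 blob whose decoded text is decimal character codes separated by junk letters), so the script runs offline and ends with the URLs, the IOCs, extracted. The UTF-16LE encoding and the example.invalid hostname are assumptions for this demo.

```python
"""Base64 -> strip junk letters -> decimal codes -> script text -> URLs."""
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def make_constructed_sample():
    """Build an obfuscated stream shaped like the one in the post (constructed).
    The plaintext only assigns two URLs; it is not a working script."""
    script = ("$url1='http://c2.example.invalid/one.bin';"
              "$url2='http://c2.example.invalid/two.bin'")
    junk = "qzx"                                   # letters between the codes
    codes = [str(ord(c)) for c in script]         # each char as a decimal code
    obfuscated = "".join(code + junk[i % len(junk)] for i, code in enumerate(codes))
    # Encoded PowerShell is UTF-16LE before base64 (assumption for this sample).
    return base64.b64encode(obfuscated.encode("utf-16le")).decode("ascii")


def decode_layer1(b64_blob):
    """Step 1: base64-decode.  Try UTF-16LE first (the -EncodedCommand form),
    fall back to a byte-preserving decode so nothing is lost."""
    raw = base64.b64decode(b64_blob)
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def strip_junk(text):
    """Step 3: the editor's "Replace all": letters become a single space."""
    return re.sub(r"[A-Za-z]+", " ", text)


def decimals_to_text(text):
    """Step 4: what rapidtables does, turn the run of decimal codes into chars."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", text))


def extract_iocs(b64_blob):
    """Steps 1 to 5 together: the sorted set of URLs in the decoded script."""
    script = decimals_to_text(strip_junk(decode_layer1(b64_blob)))
    return sorted(set(URL_RE.findall(script)))
```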

This is just one way to deobfuscate malware code; you can do the same for other samples, or you can use the available tools as well!!
Enjoy the fun stuff!! 🙂

Phishing with KALI – Social Engineering Toolkit

“There is no need to penetrate a network when you can breach the people who run it” – Unknown

Whoever said that is so right, isn’t it? Phishing has become so common these days. Anyway, here I am going to show you another wonderful tool from my favorite Kali.

To launch this tool you can just type “setoolkit” in a terminal, or you can go to Applications -> Social Engineering Toolkit, which will take you to the tool [as in screenshot 2].


Select 1 (Social-Engineering Attacks) from the options.
Then, after selecting “Website Attack Vectors”, choose “Credential Harvester Attack Method”.


So, here you have an option: Web Template or Site Cloner. If you are planning to clone one of Facebook, Gmail or Yahoo, you can always go with the first; if you want to clone a different site, choose the second option.

Before going any further, open another terminal and check the IP of your machine.


Enter your IP when asked and remember not to close your terminal.


Go to the browser and enter your IP; you can also make the IP look like a URL by using any of the TinyURL services available.


Wow! Now it’s time to harvest those credentials. 🙂 Go to the directory /var/www/html.
Now enter a command to list all the files in the directory.


Copy the one you want to see and enter the command below to display the contents of the file, and here we go:


So, this was one of the things you can do with this tool. To make it work over the internet, you need to use your public IP and port-forward it on port 80. Enjoy your hack, and make sure not to use it for wrong purposes or you will be in trouble. 🙂

Burp Suite for Web Application Security

Setting Up Burp

Burp Suite is another tool that comes bundled with Kali. It is a great tool for testing web application security. So, as always, I have set up my tools in a virtual environment. I am using a Kali VM and a Bee-Box, which is an Ubuntu web server made for us to test 🙂 . You can download the Bee-Box VM from here. Make sure you are not testing Burp Suite on any internet website, unless you want to get into trouble 😉 Another similar application to Bee-Box is DVWA. The installation process of DVWA is described here.

Once done, in Kali, type the IP address of your Bee-Box in browser.


Configuring browser to work with BurpSuite

The first thing that you need to do is to configure your browser to work along with Burp, which acts as a proxy.

Firefox sends the request to Burp Suite, and Burp then talks to the website. In this way every packet goes through Burp, and this is where you are able to see the raw packet information, even if it is HTTPS. This information can be edited manually before it is forwarded to the website.

Below are a few steps to configure the Firefox browser to work with the proxy:

  1. Open the browser and click the settings menu on the right side of your browser. Click “Options”. In the “Network” tab, click “Settings”.
  2. In the new configuration window, select “Manual proxy configuration” and point it at your computer (localhost). Make sure to delete anything in the box “No proxy for”.


Setting up Burp as a Proxy

The Proxy tab in Burp Suite is used to intercept the traffic. For this, go to Proxy -> Intercept and turn Intercept on. Note that when Intercept is on, Burp won’t forward the request until it is turned off. This is where you can make changes or edit session cookies. To forward the request, turn Intercept off by clicking “Intercept is on”, or click “Forward”. If you wish to drop the packet, click “Drop”.


Once done with the setup, let’s move forward and do more fun stuff with Burp. 🙂 Happy Learning!!


Fix Errors and Set up DVWA on Windows 7

DVWA is for InfoSec enthusiasts like us: a place where you can test your tools and applications in a safer and, of course, legal way.
To set up DVWA, download XAMPP and DVWA.

Note : It is recommended that you set  it up and test it in Virtual Environment which is completely isolated (by selecting Host-only network).

1. Download and install XAMPP on your machine. Once installed, start the “MySQL” and “Apache” services.


2. Now download DVWA from here and extract the dvwa folder to this location: C:\xampp\htdocs\dvwa


Once done, go to your browser and enter localhost/dvwa.
In my case, I got the following error, which is quite descriptive in itself. If you get it too, follow the steps below to resolve it.

Error: dvwa system error – config file not found. copy config/config.inc.php.dist to config/config.inc.php and configure to your environment.


Go to the folder C:\xampp\htdocs\dvwa\config and rename the file to the .php extension. In my case, after renaming the file, the extension remained the same.


So, to display the file extensions, go to “Folder Options”.
To find this option, go to the Start menu, type “Folder Options” and then click to open it. Select the “View” tab at the top. In the window, uncheck the box “Hide extensions for known file types” and then click OK.


Now you should be able to see the extension and rename the file so that its extension is .php.


MySQL Error:

Now, in the browser, if you are seeing the DVWA setup page and you click “Create/Reset Database”, it fails because PHP cannot connect to the MySQL database.


To resolve the error, open the config file with Notepad, change the default password to blank (leave it empty) and save the file.


Returning to the browser, click “Create/Reset Database” and you should see that everything seems to be alright this time.


Enable Allow URL:

Once you are logged in to DVWA, you will find that “allow_url” is not enabled.


To enable it, go to XAMPP -> Apache. Right-click “Configure” and click “PHP”.


Find “allow_url_include” and set it to On. Save the file. This should resolve the error.


Happy Hacking 🙂


Group policy precedence and inheritance in Active Directory

Applying group policies to users makes our task easier. There is an order in which these policies get applied to a user: group policies linked to an OU (organizational unit) take precedence over domain GPOs, which in turn have higher priority than site GPOs and local GPOs.

Policies are applied in following order:

  1. Local GPOs
  2. Site GPOs
  3. Domain GPOs
  4. OU GPOs
  5. Enforced GPOs

When a new GPO is applied, it overrides the previous one, so the last one has the highest precedence and the first one the least. To make it clearer, I’ll explain it with an example.

1. In the picture below, you can see my Group Policy Management console, where my site is my forest and my domain is college.local. In my domain, I have one OU, “nocontrolpannelaccess”, and I have linked it to “nocontrolpannelacessGPO”. I have edited nocontrolpannelaccessGPO so that it prohibits users from accessing the Control Panel, while another GPO, “controlpannelaccess”, allows users to use the Control Panel.

This GPO on the OU overrides the other GPOs linked to the domain (Default Domain Policy and controlpannelaccess). Thus, the users in the OU linked to “nocontrolpannelacessGPO” will not be able to access the Control Panel.


2. If you block inheritance on an OU, then no group policy above that OU gets applied. As you can see, the container “nocontrolpannelaccess” now has only one policy on it.


3. If, on the other hand, I enforce the “controlpannelaccess” policy on the domain, then no matter what policy is applied on any OU, the enforced policy (controlpannelaccess) takes precedence. So even users in the “nocontrolpannelaccess” OU will now be able to access their Control Panel.
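The processing order and the three cases above (OU link wins, Block Inheritance, Enforced link) worked through in a small resolver, as an added example that is not part of the original post. The GPO and OU names are the post's; the setting key ProhibitControlPanel, the scope strings and the link layout are assumptions for this demo.

```python
"""Resolve effective GPO settings: Local, Site, Domain, OU, then Enforced."""

SETTING = "ProhibitControlPanel"          # True = Control Panel blocked
USER_OU = "domain/nocontrolpannelaccess"  # the OU the post's users sit in

# Each link: (scope, gpo_name, settings, enforced).  A scope is "local",
# "site", "domain" or an OU path such as "domain/ou" (constructed layout).
LINKS = [
    ("domain", "Default Domain Policy", {}, False),
    ("domain", "controlpannelaccess", {SETTING: False}, False),
    (USER_OU, "nocontrolpannelaccessGPO", {SETTING: True}, False),
]


def with_enforced(links, gpo_name):
    """Return a copy of links with the named GPO's link set to Enforced."""
    return [(s, n, st, e or n == gpo_name) for s, n, st, e in links]


def resolve_gpos(links, ou_path, blocked_ous=frozenset()):
    """Return (effective_settings, applied_order) for a user in ou_path.

    Links are applied Local, Site, Domain, then each OU from the top down;
    a later link overrides an earlier one for the same setting.  Block
    Inheritance on an OU cuts off every scope above it, except Enforced
    links, which are applied last and therefore win.
    """
    chain = ["local", "site", "domain"]
    parts = ou_path.split("/")
    for depth in range(2, len(parts) + 1):
        chain.append("/".join(parts[:depth]))
    # Only scopes at or below the deepest blocked OU apply (0 = no block).
    cut = max((i for i, s in enumerate(chain) if s in blocked_ous), default=0)

    effective, order, enforced = {}, [], []
    for depth, scope in enumerate(chain):
        for link_scope, name, settings, is_enforced in links:
            if link_scope != scope:
                continue
            if is_enforced:
                enforced.append((name, settings))   # Enforced ignores blocking
            elif depth >= cut:
                effective.update(settings)
                order.append(name)
    # Enforced links are processed last; a parent's enforced link beats a
    # child's, so apply them from the deepest scope upwards.
    for name, settings in reversed(enforced):
        effective.update(settings)
        order.append(name)
    return effective, order
```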


Upgrade Cisco Router IOS via TFTP Server

Upgrading the IOS on routers is quite easy. For this, we need to install a TFTP server. There are many free TFTP servers available on the internet, and you can download one from http://tftpd32.jounin.net/. Before doing the upgrade, make sure that you have either backed up your IOS image or have a newer one.

  • Okay, first things first. Disable other networks and set a static IP address on the computer on which the TFTP server is installed. I am giving my computer the static IP address 192.168.1.1 with subnet mask 255.255.255.0.
  • Open your TFTP server and browse to the folder where your IOS image is kept.


  • Now open your HyperTerminal. Before upgrading the IOS, make sure that you have deleted the older one by typing the command:
    Router# delete flash:


It will then ask you for the file name; type the name of your file correctly. You can look up the file name with the command “show version”.

  • Now type in the following commands in rommon mode (make sure you have connected a cable to the g0/0 port of your router):
    IP_ADDRESS=192.168.1.2
    IP_SUBNET_MASK=255.255.255.0
    DEFAULT_GATEWAY=192.168.1.1
    TFTP_SERVER=192.168.1.1
    TFTP_FILE=c1841-ipbase-mz.124-3i.bin
    tftpdnld

Type ‘yes’ when it asks if you want to continue, and then type reset to restart.

So you just upgraded your IOS. Enjoy!