Friday, September 30, 2016

Pwning Metasploitable 2: Accessing Backdoor on Port 1524 running Root Shell Service

In our previous articles we scanned all 65535 ports on Metasploitable 2 and found that, among many open ports, port 1524 was open.

Google search “port 1524 ingreslock” and you will see that it is a known backdoor.

Scan the port and service version


Enter the command: nmap -sV -p 1524 <<target IP address>>



Metasploitable root shell is running.

We simply need to talk to that port via telnet, netcat or ncat, and we should be able to gain root access because there is no authentication.

Telnet to port 1524


Enter the command: telnet <<target IP address>> 1524



Netcat to port 1524


Enter the command: nc <<target IP address>> 1524



We have our root access to our target machine.


'Moral of the article': Scanning is key to pwning the target. You can at times discover useful information that will help you get access to that system without going through much trouble. 
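
Scanning works just as well for the defender. The check below is an added example, not part of the original article: it parses nmap's grepable output (-oG) and reports every open port that is missing from an approved-services baseline. The baseline, the sample scan output and the function names are assumptions made for the illustration.

```python
# Approved services per host: an assumed baseline for this example.
APPROVED = {"192.168.221.128": {21, 22, 80}}

# Constructed sample of `nmap -sV -p 0-65535 -oG - <target>` output.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.221.128 ()\tStatus: Up\n"
    "Host: 192.168.221.128 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd/, "
    "1524/open/tcp//shell//Metasploitable root shell/, "
    "6200/closed/tcp//unknown///\tIgnored State: closed (65531)\n"
)


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports.

    Each entry in the Ports field has the form
    port/state/protocol/owner/service/rpcinfo/version/
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            hosts.setdefault(host, []).append(
                (int(fields[0]), fields[2], fields[4], fields[6])
            )
    return hosts


def unapproved_listeners(scan, approved):
    """Return (host, port, service, version) for open ports not in the baseline."""
    findings = []
    for host, ports in sorted(scan.items()):
        allowed = approved.get(host, set())
        for port, _proto, service, version in ports:
            if port not in allowed:
                findings.append((host, port, service, version))
    return findings


if __name__ == "__main__":
    for finding in unapproved_listeners(parse_gnmap(SAMPLE_GNMAP), APPROVED):
        print("UNAPPROVED LISTENER: %s port %d (%s, %s)" % finding)
```

Run against a scheduled scan of your own hosts, a listener such as the one on port 1524 shows up as baseline drift instead of waiting to be found by someone else.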


-Jayesh Kerai(@secjay)

Pwning Metasploitable 2: Exploiting PHP v5.2.4 Vulnerability using PHP CGI Argument Injection

In our previous articles we have looked at exploiting the vsFTPd service both manually and automatically. Now let’s look at weaknesses on the web server being hosted by our target machine.

Scan ports 80 and 443


Enter the command: nmap -sV -p 80,443 <<target IP address>>

We scan port 80 and 443 specifically because they are ports for HTTP and HTTPS.



Results show that there is an active Apache server running on port 80 (HTTP). We can browse our target machine through the web browser.

Looking for information on the web server


There are lots of ways to gather info about and from web servers. We will get to that in our later articles. For this article you need to know one important thing – PHP installations usually have a “phpinfo.php” page for use by the developers. However, it is often forgotten and not deleted before going live.

Open your web browser and go to: <<target IP address>>/phpinfo.php



As you can see from that page, there is a lot of information. Take a look at the PHP version. After googling that version for any vulnerabilities, we can find that it is vulnerable to a PHP CGI Argument Injection.
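
A pre-deployment check for the forgotten diagnostic page described above, as an added example that is not part of the original article: it walks a web root and reports every phpinfo() call, separating live calls from ones that sit inside comments or strings. The sample file set and all function names are constructed for the illustration.

```python
import os
import re

PHP_EXTENSIONS = (".php", ".phtml")
CALL_RE = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)
# Comments and string literals, matched left to right so that "//" inside
# a string is consumed as part of the string, not as a comment.
MASK_RE = re.compile(r"""
      /\*.*?\*/            # block comment
    | //[^\n]*             # line comment
    | \#[^\n]*             # shell-style comment
    | '(?:\\.|[^'\\])*'    # single-quoted string
    | "(?:\\.|[^"\\])*"    # double-quoted string
""", re.DOTALL | re.VERBOSE)

# Constructed sample web root (relative path -> file content).
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>\n",
    "phpinfo.php": "<?php\nphpinfo();\n?>\n",
    "admin/debug.php": "<?php\n// phpinfo();\necho \"run phpinfo() locally\";\n",
}


def blank(match):
    # Replace masked text with spaces but keep newlines, so character
    # offsets and line numbers in the masked copy match the original.
    return re.sub(r"[^\n]", " ", match.group(0))


def scan_source(source):
    """Return [(line, status)] for each phpinfo( occurrence in one file.

    status is "live" when the call survives comment/string masking and
    "masked" otherwise. Masked hits are still reported, so a masking
    mistake can never hide a call silently.
    """
    masked = MASK_RE.sub(blank, source)
    results = []
    for m in CALL_RE.finditer(source):
        lineno = source.count("\n", 0, m.start()) + 1
        live = CALL_RE.match(masked, m.start()) is not None
        results.append((lineno, "live" if live else "masked"))
    return results


def find_phpinfo_pages(docroot):
    """Walk docroot and return sorted (relative path, line, status) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, status in scan_source(fh.read()):
                    rel = os.path.relpath(path, docroot)
                    findings.append((rel, lineno, status))
    return sorted(findings)


def write_sample(root):
    """Create the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
```

A release gate would fail the build on any "live" finding and list the "masked" ones for manual review.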


Using the PHP CGI Argument Injection Exploit Module


Enter the command: msfconsole

Now let’s search for that exploit. Enter the command: search php_cgi



Use the exploit and show options:



RHOST is empty, set the RHOST by using command:  set RHOST <<target IP address>>
You’re good to go. Exploit.


You got a session. 

What can you do with this? I leave it up to you to do some quick research on the commands you can use on the meterpreter shell.


-Jayesh Kerai (@secjay)

Thursday, September 29, 2016

Pwning Metasploitable 2: Exploiting the Vulnerable vsFTPd 2.3.4 service (Automatically)

In our previous article we learnt how to exploit the service manually. You can find that article here.

Now let’s check out how to exploit it without having to do it manually. We will exploit it using the vsFTPd 2.3.4 Backdoor Command Execution exploit module.

Metasploit is a penetration testing application. It can run scans with nmap, check for vulnerabilities on target host, and allows for easy exploit execution. It holds a database of exploits which are ready to load and execute on the target host.

Starting Metasploit Console


Enter the command: msfconsole



The “msf> ” shows that you are now interacting with the metasploit console.

Searching for vsFTPd exploits


Enter the command: search vsftpd

This command tells metasploit to search for any exploits for vsftpd.



The results show that we have an exploit for it in our metasploit database. From the description we can learn that the exploit is meant for the vsFTPd v2.3.4. And from the name we know that the exploit is located in the “exploit/unix/ftp/” directory.

Using the exploit


Enter the command: use exploit/unix/ftp/vsftpd_234_backdoor

This command gets the exploit ready for you. We now need to give it a target to execute on.



Setting target on the exploit


Enter the command: show options

This command opens up all the options you can give to the exploit.



We can see 2 options; RHOST and RPORT. Both of them are required but the RHOST is empty. RHOST is short for Remote Host a.k.a target address. We need to give it the target address.

Enter the command: set RHOST <<target IP address>>



Enter the command: show options

This shows whether the target is set and whether any other required options still need to be set.



Looks like all is set. We now just need to execute the exploit. We can do that by entering the command: exploit (or run).

Running the set exploit





This now gives you your backdoored shell :)


-Jayesh Kerai (@secjay)

Pwning Metasploitable 2: Exploiting the Vulnerable vsFTPd 2.3.4 service (Manually)

I assume from the previous article that you did some research on the vulnerable FTP service (vsFTPd 2.3.4).

A quick intro to what is an exploit:

An exploit is a piece of code that takes advantage of a security gap in an application's code. In the case of vsFTPd 2.3.4, an intruder modified the original vsFTPd 2.3.4 source code so that a backdoor is activated if the username entered ends with the “:)” characters. The backdoored version then opens a listening connection on port 6200.

Let’s check it out for ourselves.

Fire up your Kali and Metasploitable 2.

We will skip the host discovery part as we have covered it almost twice and want to avoid repetition. You can find it here.


Check the status of port 6200


Enter the command: nmap -p 6200 <<target IP address>>

This command with the “-p” flag tells nmap to scan port 6200 on the given target IP address.




The results show that the port is closed and there is no service running on it.

Activating the backdoored vsFTPd 2.3.4


Enter the command: telnet <<target IP address>> 21

Note that “21” in the above command refers to the port number the FTP service is running on. After the command is executed, you are prompted to enter a username and password to access the system.



You can type anything as the username as long as it has the 2 characters “:)” at the end, and you will activate the backdoor.

Check the current status of port 6200


Let’s now check the current status of the port 6200 with command: nmap -p 6200 <<target IP address>>



Voila! The port is now open.


Telnet into port 6200


Enter command: telnet <<target IP address>> 6200
After command execution, type in “id” to see what user you are running as.



With root access you can cause a lot of havoc.

I will leave it up to you to research on telnet commands and how to use those commands. 
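
From the defender's side, the sequence described above (a username carrying “:)” followed by a connection to port 6200) is easy to detect. The following added example, not from the original article, correlates the two events; the sensor record format, addresses and timestamps are constructed for the illustration, and the rule matches “:)” anywhere in the username, a superset of the end-of-username case described here.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "severity server client detail")

TRIGGER = ":)"        # character pair described in the article
BACKDOOR_PORT = 6200  # port the backdoored build starts listening on
WINDOW = 60           # seconds between trigger and connection (assumed)

# Constructed sensor records: epoch src dst dport kind [detail]
SAMPLE_EVENTS = [
    "1475150000 192.168.221.1 192.168.221.128 21 FTP_CMD USER anonymous",
    "1475150010 192.168.221.133 192.168.221.128 21 FTP_CMD USER lab:)",
    "1475150012 192.168.221.133 192.168.221.128 21 FTP_CMD PASS <redacted>",
    "1475150015 192.168.221.133 192.168.221.128 6200 TCP_CONN -",
    "1475153000 192.168.221.1 192.168.221.128 6200 TCP_CONN -",
]


def detect_backdoor_use(lines, window=WINDOW):
    """Return alerts for the trigger username and the follow-up connection.

    high     : an FTP USER command whose argument contains ":)"
    critical : a connection to port 6200 on a server that saw the
               trigger no more than `window` seconds earlier
    """
    alerts = []
    armed = {}  # server address -> time of the most recent trigger
    for line in lines:
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue  # malformed record
        ts, src, dst, dport, kind = parts[:5]
        detail = parts[5] if len(parts) > 5 else ""
        ts, dport = int(ts), int(dport)

        if kind == "FTP_CMD" and dport == 21:
            verb, _, arg = detail.partition(" ")
            if verb.upper() == "USER" and TRIGGER in arg:
                armed[dst] = ts
                alerts.append(
                    Alert("high", dst, src, "FTP USER contains ':)'"))
        elif kind == "TCP_CONN" and dport == BACKDOOR_PORT:
            t0 = armed.get(dst)
            if t0 is not None and 0 <= ts - t0 <= window:
                alerts.append(
                    Alert("critical", dst, src,
                          "connection to port 6200 after trigger"))
    return alerts


if __name__ == "__main__":
    for alert in detect_backdoor_use(SAMPLE_EVENTS):
        print(alert)
```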


-Jayesh Kerai (@secjay)

Wednesday, September 28, 2016

Pwning Metasploitable 2: Scoping out Target

Fire up your Kali attacker machine and your new Metasploitable 2 machine.

Seeing a black screen with white text when firing up Metasploitable 2? You are in the right place. Metasploitable 2 has no GUI for you to click around. It’s fully CLI, which will help you improve your command line skills.

Here’s what your screen should look like:



Switch to your attacker machine. Let’s start a host discovery scan to find out Metasploitable's IP address.

Ping Sweep to discover Live Hosts


Enter command: nmap -sP -PI <<your network address>>/24



4 hosts show up in the result. Let’s analyze this: it can’t be the address with “.1” or “.254”, and it also can’t be “.133” because that’s your attacker machine. We have a host with “.128”, and we know there is no other machine running, which means it is the Metasploitable machine. Your IP addresses may vary but the logic still applies.

So we now know where our target is. Let’s look for the open ports, services and operating system running on our target.

Open Ports, Services and OS discovery


Enter command: nmap -sV -O -p 0-65535 <<target IP address>>

This command with the “-p” flag tells nmap to scan all 65535 ports on the target. Remember, a normal scan only scans 1000 ports, and a full port scan makes more noise than a normal scan because it attempts to establish connections with many more ports.



Now we can see all open ports, what services are running on them, their versions and the operating system.

Carefully look at the services that are open. For example, FTP is open. FTP (File Transfer Protocol) is used to send and receive files over a network.

We could potentially use this protocol and maybe retrieve some local files from that host, or send in a keylogger to record the user's keyboard activity to gather passwords and other information.

Questions to ask yourself:-

1. Can I interact with the FTP service on port 21?
2. Can I access the service using any default credentials?
3. What version is the service? Is it the latest?
4. Does a Google search show any known exploits for that service version?

Activate your google searching skills and try to answer these questions by yourself first. In our next tutorial we will dig deeper on the FTP service. 


-Jayesh Kerai (@secjay)

Adding More Machines to Your Virtual Hack Lab

There are intentionally vulnerable virtual machines that security professionals use to practice penetration testing, conduct security trainings and test out tools and exploits. These virtual machines are best for honing your skills, as the most basic vulnerabilities are available for you to discover and exploit, giving you confidence and experience at finding them.

Metasploitable 2


Metasploitable is an Ubuntu Linux virtual machine. This is number 1 on my list because it allows you to learn from basic to advanced on both infrastructure penetration testing and web penetration testing, with Mutillidae and DVWA pre-installed.

You can find the VM here 

The good thing about Metasploitable is that it uses the least amount of your computer’s resources, with 512MB of RAM and 8GB of HDD, leaving you more room for more VMs running at the same time.

Go ahead, download the VM and get it ready to run.

Note that, by default, there are 2 network adapters installed on the VM. Remove the 2nd network adapter and change the first one from NAT to VMNet1 (Host Only) so that it is in the same network as your attacker machine.

Hackxor


This is designed as a game where you have to gain root access to the system by progressing through the game story. It is focused on web application hacking.

You can find the VM here

There are hundreds of other vulnerable VMs available out there which have not been mentioned, because all you need to get started is Metasploitable and Hackxor. After mastering these two, you will have enough experience to go on and pwn machines solo :)


-Jayesh Kerai (@secjay)

Tuesday, September 27, 2016

Simple Guide to Network Scanning with Nmap

Nmap is a popular open source network exploration tool. It has a ton of features that are very useful to anyone trying to scan, enumerate and look for vulnerabilities on a host or network.

Starting with the very basics; when scanning you are usually looking for the ports that are open on the live hosts and the services that are running on them.

There are 6 states a port can be in, but we will look only at the 2 main states: Open and Closed.

Open port: This means that an application is listening for connections on this port. This is good, as it tells you that you can interact with it.

Closed port: This means that there is no application listening on this port. And you cannot talk to a closed port.

Let’s start looking at open ports on our victim machines.

From previous articles you learnt about an ICMP ping sweep scan with Nmap. Here we look at a TCP SYN ping scan.

TCP SYN Ping Scan


Input the command: nmap -PS <<target IP address>>

This command with the “-PS” flag tells nmap to send a SYN packet to the target and listen for a response. This command comes in handy for when your target system is configured to block ICMP ping sweeps.


Stealth Scan


Input the command: nmap -sS <<target IP address>>

This command with the “-sS” flag tells nmap to initiate a three-way handshake with the target but not complete the handshake.


This was useful in the past when firewalls didn’t log incomplete handshakes with the computer’s ports. However, with the latest firewalls, even an incomplete handshake is logged, so it is not so stealthy anymore.

Full Nmap Scan


Input the command: nmap -sV -O <<target IP address>>

With this command nmap scans the first 1000 ports on the target, with the “-sV” flag to find out the version of the services running on the open ports and with the “-O” flag to find out the operating system running on the target.

Look through the results and see if you can locate the OS details and the version numbers of any services discovered.


Now you must be wondering why put all different flags while you can just run a full scan and get the same results? The answer is noise. 

Running a full scan over the network makes too much noise, and the network admins can get alerted and can even blacklist your attacker machine. So we resort to running specific scans to find out specific bits of information while making less noise.
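
The noise described above is exactly what a detection rule keys on. This added example (not from the original article) counts the distinct destination ports hit by bare SYN packets from one source within a short window; the iptables-style log lines, the 10-second window and the 15-port threshold are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s.*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP .*?"
    r"DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_syn(line):
    """Return (seconds_of_day, src, dst, dport) for a bare SYN, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = set(m.group("rest").split())
    if "SYN" not in flags or "ACK" in flags:
        return None  # not the first packet of a handshake
    ts = int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s"))
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_port_scans(lines, window=10, threshold=15):
    """Alert once per (src, dst) pair that sends SYNs to `threshold` or
    more distinct ports within `window` seconds. Lines must be in time order."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_syn(line)
        if event is None:
            continue
        ts, src, dst, dport = event
        queue = recent[(src, dst)]
        queue.append((ts, dport))
        while queue and ts - queue[0][0] > window:
            queue.popleft()  # drop events that fell out of the window
        distinct = {port for _, port in queue}
        if len(distinct) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append((src, dst, len(distinct)))
    return alerts


def sample_log():
    """Constructed firewall log: one scanner and one ordinary web client."""
    fmt = ("Sep 27 10:00:{sec:02d} fw kernel: IN=eth0 OUT= SRC={src} "
           "DST=192.168.221.128 LEN=44 TTL=64 PROTO=TCP SPT={spt} "
           "DPT={dpt} WINDOW=1024 SYN URGP=0")
    lines = [fmt.format(sec=i // 10, src="192.168.221.133",
                        spt=40000 + i, dpt=20 + i) for i in range(40)]
    lines += [fmt.format(sec=5 + i, src="192.168.221.1",
                         spt=50000 + i, dpt=80) for i in range(3)]
    return lines


if __name__ == "__main__":
    for src, dst, ports in detect_port_scans(sample_log()):
        print("possible port scan: %s -> %s (%d ports)" % (src, dst, ports))
```

A scan spread thinly enough over time stays under any fixed threshold, so the window and threshold have to be tuned to the traffic the network normally sees.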


-Jayesh Kerai (@secjay)

Monday, September 26, 2016

Scanning Network using Netdiscover, ARP-Scan & ARP to Find Live Hosts

ICMP ping sweep is one way to discover live hosts in a network. It may sometimes be blocked on the network. You then resort to using an ARP scan to discover live hosts. Like ICMP, ARP can also be blocked on the network. 

ARP scans have an advantage of finding hidden devices on the network. 

The Address Resolution Protocol (ARP) is a protocol that maps MAC addresses on the network to IP addresses and keeps them in a list for reference.

How does it work?

ARP requests are broadcast to all the MAC addresses on the network to request them to respond with their assigned IP addresses. Each received IP address means a live host.

ARP Scan using Netdiscover


Open up your attacker machine terminal and type in the following command: netdiscover -r 192.168.221.0/24

Make sure you change the IP range/subnet to yours. This command with the “-r” flag tells netdiscover to send out ARP requests to the given subnet. All responses will be displayed on the screen.


As you can see it has found 4 hosts.

ARP Scan using arp-scan


Type the following command on your terminal: arp-scan --interface=eth0 192.168.221.0/24

This command tells arp-scan to scan on the eth0 interface with which you are connected to the network and scan the given subnet.


The results match Netdiscover, as they both used the same fundamental network scanning tactic. 


-Jayesh Kerai (@secjay)

Scanning Network using Fping, Nmap & ICMP to Find Live Hosts

It goes without saying that you need to first know your target before you can attack one.
Knowing your target is one of the most important things a security professional has to do. You should spend a good amount of time here. 

Basic objectives of network scanning:

  • Discover live hosts (IP address) and their OS
  • Discover open ports on live hosts
  • Discover services running on open ports

Let’s do this! :) 

Fire up your Kali, Windows 7 and XP (if you got one). Make sure they are all on VMNet1 (Host Only) network. 

Go to your attacker machine, open up the terminal and type: ifconfig


You should see your IP address start with 192.168.x.x. Mine is 192.168.221.133. With the net-mask of 255.255.255.0, it means I am on the 192.168.221.0/24 network giving me the privilege to talk to any other hosts on my network directly.

Since this series is not meant for experts, we will not go through the rest of the information that is displayed. We cover it all in-depth with our advanced hacking course. More info on this at the bottom of the page.

A ping sweep is a fundamental system scanning tactic to discover live hosts on the network.

How does it work?

It uses the ICMP protocol. ICMP Echo requests are sent to hosts. If a host is alive, you will receive an ICMP Echo response; otherwise you will not receive anything.

Ping sweep using Fping


Type the following in the terminal: fping -g 192.168.221.0/24 

Replace my network address with yours. You should know yours by now. What this command does with the “-g” flag is it tells fping to generate a target list on the given subnet. 


You should now be able to discover your Windows 7 and/or XP machines on the virtual lab. As you can see above, 3 hosts are found alive. 1 is my attacker machine and the remaining 2 are the victim machines. 


Ping sweep using Nmap


Nmap is a popular network scanning tool. It offers more functionality than Fping.

Type the following in the terminal: nmap -sP -PI 192.168.221.0/24

Make sure to replace my network address with yours. What this command does with the "-sP" flag is it tells nmap to run a ping scan and with the "-PI" to run ICMP scan.


The 3 hosts Fping discovered are also discovered with Nmap. However, there are 2 extra "hosts" that are discovered with nmap, 192.168.221.1 and 192.168.221.254. Can you guess what they are? Tell us in the comments below.

That’s it for now. Take your time to play around with fping and nmap and see what else you can do with it. We will continue with further network scanning on the next article. One step at a time.

I mentioned an advanced hacking course earlier. We at Bitcrack are offering a course that is 110% hands on and technical. For example, building on what we demonstrated today, we go in-depth into the other information in the “ifconfig” command output and into mastering fping and nmap.
For info on this, send us a tweet @bitcrack_cyber.


-Jayesh Kerai (@secjay)

Friday, September 23, 2016

Building Your Own Hack Lab

Getting started in the intricate world of Security & Hacking? 

A virtual hack lab is an environment of operating systems that security professionals use to test out new attack techniques, create exploits, debug, reverse engineer, develop malware, and do all the cyber security related stuff.

You can host a virtual hack lab using just 1 computer. The only downside being you need to have at least a moderate level of specs in the hosting computer.

Virtual hack labs can contain hundreds of ‘virtual machines’ (VMs) but these require high resources that off-the-shelf personal computers don’t have. So in our virtual hack lab we will start with only 2 virtual machines, which is more than enough to test out and apply basic concepts.

What you will need:
  • Host Machine with a minimum of 6GB of RAM and 80GB of available hard disk space.
  • Virtualization Software: VMware Workstation Player
  • Virtual Attack Machine: Kali Linux
  • Virtual Victim Machine: Windows XP and Windows 7

Setting up the attack machine:


1. Install VMware Workstation for Free from here
2. Download Kali Linux 32 bit VM PAE from here
3. Unzip the downloaded virtual machine
4. Start your VMware and go to File > Open
5. Using the Open dialog box, go to the folder where you unzipped the virtual machine. It should look like this on VMware:



6. Select the “Kali-Linux-2016.1-vm-i686” file and select Open.
7. Now you should see a window similar to this:



Let’s first take a quick look at the important settings displayed.

  • Memory: This is the amount of RAM that you will give to the VM. The more the better; however, you should make sure to leave at least 2GB for the host computer (your computer). The remaining amount of RAM can be divided between your attack and victim machines.
  • Hard disk: This is the amount of space you will give to the VM. A preset of 30GB will do just fine for now. If you are running low on your total HDD space, you can reduce this to 20GB.
  • Network Adapter: THIS IS IMPORTANT. A “NAT” setting on the adapter means that it shares the internet connection of your host computer, meaning it can talk over the internet. You should only choose NAT when updating the machine or downloading new tools. You should change this to – Custom: Specific Virtual Network: VMnet1 (Host Only). This will ensure that your attack machine cannot talk to the internet and you don’t mistakenly attack a live machine over the internet.


For now, leave it at NAT, because you will be updating the machine in later stages.

8. Power on the virtual machine and you will see the following window.



9. Leave the highlighted entry at “*Kali GNU/Linux” and press enter.


10. You will now see a grey screen with a username input box.



CHALLENGE: Find out the username and password to login to the attack machine.
One of the key traits of a hacker is research and an eye for detail.

HINT: The credentials are already somewhere in this article.


Welcome to your attack machine!



11. We will not do a tour of the machine yet.  Open up the Terminal by clicking on the black box with an “$_” sign on the right panel.

12. And type in the following command from the picture below.



This command will update and upgrade your attack machine so that you have the latest versions of tools and exploits.

It is going to take a while. So minimize the main VMware window and let’s get our victim machines installed.

Quick Steps to installing windows 7 and windows XP.


1. Download the IE8 on Win 7 machine for the VMware Platform from here.

2. As for the Win XP machine, Microsoft has ended distribution of test machines. (You can still find lots of XP machines on the internet; I’ll leave that to you.)

3. Extract them both into separate folders and open them up with your VMware.

4. Allocate 1GB of RAM and change the Network Adapters to Custom VMNet1 (Host Only) for both of the machines, with HDD space of at least 30GB for Windows 7 and 15GB for Windows XP.

That’s it.

Feel free to poke around your brand new attack machine after the update is completed and you have SWITCHED the network adapter to custom VMNet1 (Host Only).
On our next article we will start with using the attack machine to talk to our victim machines.  




-Jayesh Kerai (@secjay)

People in Cyber Security and You


Cyber security is one of the fastest growing industries out there. Thanks to the bad guys ;)

But first!  I have to give you a disclaimer before we go on:-

Anything demonstrated on this article series is purely for educational purposes ONLY. Do not test on live computers over the internet unless you have an official authorization to do so. We are relying solely on your good ethics to utilize skills learnt from this series to help make the cyber space a more secure place.

Now that we have a thumbs up from our legal team, let’s move on.

The 3 Hats


You will come across '3 hats' in cyber security: the white, the black, and the grey. Think of them as the 60’s movie title “The good, the bad and the ugly”.

  • White Hats – These are the good people. They make your anti-virus, they help secure networks in companies, test software to look for bugs that can be exploited, and so on. All the good things. 
  • Black Hats – These are the not so good people. They target whoever they like, then spend countless hours looking for security weaknesses and exploiting them to hack into networks for malicious intent and profit.
  • Grey Hat – Think of them as the hybrids. They are the people who have good ethics like the white hats and sometimes break the rules but don’t have dangerous intent as black hats. These are basically the cool guys who know how to bend rules, without breaking the laws. 


All three types of people are continuously honing their skills to outsmart the other. The black hats tirelessly look for weaknesses in software and networks to hack into while the white hats constantly develop patches, best policies and practices to prevent black hats from exploiting weaknesses.

Being part of the cyber security industry, there are new threats every day and new techniques on how to prevent and stop those threats. The key is to constantly practice, practice, practice and read, read, read. 

So what do you need to be a security expert?


Let’s get one thing straight. There is no 100% expert in all aspects of cyber security. Nada. Naught. None. You simply cannot be an “expert” in a field that is ever-growing and evolving immensely. But what you can be is one of the best out there. Below are the fundamental skills that every pro hacker needs:

  1. A very good understanding of different types of operating systems.
  2. A good understanding of networking and its concepts.
  3. Have good programming skills.
  4. And the most crucial of them all, have a mind curious enough to want to break things and see what’s going on behind the curtains.

If you feel you are weak in any or all of the first three, fear not, for you shall only need the curiosity to get better at them.

It’s about time we go hands-on. Stay tuned for our next article, where we will help you create your own hack lab in which you can safely put the theories to the test.


-Jayesh Kerai (@secjay)