findmyhash

Introduction:

findmyhash is a command line utility which cracks a specified hash by querying different online services. Reversing a one-way hash can be challenging, and this tool comes in handy for that problem.

It sends the specified hash to web services and matches it against their databases for the string which generates the provided hash. The original string is returned as the result.

It can be used quickly from the command line.

Usage example:

  • -h <hash value> : specifies the hash to be cracked.
  • -f <file> : if several hashes are present, a file can be specified with one hash per line. All of the hashes have to be of the same type.
  • -g : hashes that cannot be cracked will be searched on Google, showing all the results. It only works with the single-hash (-h) option.

Hash functions supported:

  • MD4 – RFC 1320
  • MD5 – RFC 1321
  • SHA1 – RFC 3174 (FIPS 180-3)
  • SHA224 – RFC 3874 (FIPS 180-3)
  • SHA256 – FIPS 180-3
  • SHA384 – FIPS 180-3
  • SHA512 – FIPS 180-3
  • RMD160 – RFC 2857
  • GOST – RFC 583
  • LM – Microsoft Windows hash
  • NTLM – Microsoft Windows hash
  • MYSQL – MySQL 3, 4, 5 hash
  • CISCO7 – Cisco IOS type 7 encrypted passwords
  • JUNIPER – Juniper Networks $9$ encrypted passwords
  • LDAP_MD5 – MD5 Base64 encoded
  • LDAP_SHA1 – SHA1 Base64 encoded
Figure 1: findmyhash help page
Figure 2: Results of an example command line
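As an added example that is not part of the original page or of the findmyhash tool, the code below does what a user should do with a result the tool returns: recompute the candidate string under the hash type implied by the hash's length or by its LDAP scheme prefix, and confirm that it matches. The length table and the LDAP scheme handling are assumptions based on the list above; only the standard library hashlib is used.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Digest lengths (hex characters) of the bare hash types listed above. The
# mapping is constructed for this example; names are hashlib algorithm names.
HEX_DIGEST_ALGOS = {
    32: ("md5", "md4"),         # MD4 and MD5 both produce 128-bit digests
    40: ("sha1", "ripemd160"),  # SHA1 and RMD160 both produce 160-bit digests
    56: ("sha224",),
    64: ("sha256",),
    96: ("sha384",),
    128: ("sha512",),
}

# LDAP_MD5 / LDAP_SHA1 carry a scheme prefix followed by the Base64 digest.
LDAP_SCHEMES = {"{MD5}": "md5", "{SHA}": "sha1"}


def split_ldap(hash_value: str) -> Tuple[Optional[str], str]:
    """Return (scheme, digest) for '{SCHEME}digest' input, else (None, input)."""
    end = hash_value.find("}")
    if hash_value.startswith("{") and end > 0:
        return hash_value[: end + 1], hash_value[end + 1 :]
    return None, hash_value


def candidate_algorithms(hash_value: str) -> tuple:
    """Algorithms the hash could belong to, judged by scheme or digest length."""
    scheme, _ = split_ldap(hash_value)
    if scheme is not None:
        return (LDAP_SCHEMES[scheme],) if scheme in LDAP_SCHEMES else ()
    return HEX_DIGEST_ALGOS.get(len(hash_value), ())


def verify_candidate(hash_value: str, candidate: str) -> Optional[str]:
    """Recompute candidate's digest; return the matching algorithm name or None."""
    scheme, digest_part = split_ldap(hash_value)
    for algo in candidate_algorithms(hash_value):
        try:
            digest = hashlib.new(algo, candidate.encode()).digest()
        except ValueError:  # e.g. md4/ripemd160 missing from this OpenSSL build
            continue
        if scheme is not None:
            if base64.b64encode(digest).decode() == digest_part:
                return algo
        elif digest.hex() == digest_part.lower():
            return algo
    return None
```

Because MD4/MD5 and SHA1/RMD160 share digest lengths, the length alone only narrows the type; the recomputation is what settles it.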

Conclusion:

By comparing one or more hashes against online databases, this simple command line tool helps to crack hashes. The obtained password can then be used to gain access to a targeted system, continuing to the next step of the penetration test.

Ncrack

Introduction:

Ncrack is a high-speed network authentication cracking tool. It is used by companies to secure their networks by actively testing all their hosts and networking devices for poor passwords.

Its command-line syntax is similar to Nmap's.

Protocols supported by Ncrack:

  • SSH
  • RDP
  • FTP
  • Telnet
  • HTTPS
  • MySQL
  • MongoDB

Example:

Type ncrack -h to open its help tab. This is a screenshot of some of the help included in the results.

Figure 1: Ncrack help results

Usage example using verbose mode (-v), reading a list of IP addresses, attempting to log in with the username victim (-user victim) and the passwords listed in a dictionary (-P passes.txt), using the RDP protocol (-p rdp) with one connection at a time (CL=1).

Figure 2: Results of the command line

Conclusion:

Ncrack is one of the tools which can be used to exploit the Remote Desktop Protocol (RDP). By running a remote brute-force password-guessing attack, ncrack is an effective tool for gaining access to the victim system by obtaining valid credentials.
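As an added example from the defender's side (not from the page or from Ncrack), the detection logic below would flag the guessing attack described above in a server's authentication log: it counts failed logins per source address inside a time window and notes whether a successful login from that source followed the burst. The sshd log lines are constructed sample data, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in classic syslog format (sample data, not from the page).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[2211]: Failed password for victim from 10.0.0.5 port 51000 ssh2
Mar  3 10:15:02 host sshd[2212]: Failed password for victim from 10.0.0.5 port 51001 ssh2
Mar  3 10:15:03 host sshd[2213]: Failed password for invalid user admin from 10.0.0.5 port 51002 ssh2
Mar  3 10:15:04 host sshd[2214]: Failed password for victim from 10.0.0.5 port 51003 ssh2
Mar  3 10:15:05 host sshd[2215]: Failed password for victim from 10.0.0.5 port 51004 ssh2
Mar  3 10:15:06 host sshd[2216]: Accepted password for victim from 10.0.0.5 port 51005 ssh2
Mar  3 10:20:00 host sshd[2300]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Mar  3 10:21:00 host sshd[2301]: Accepted publickey for alice from 192.168.1.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps omit the year; one is assumed for this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """One alert per source with >= threshold failures inside the window; each
    alert records whether a successful login from that source followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bucket = failures if m["result"] == "Failed" else successes
        bucket[m["src"]].append(parse_ts(m["ts"]))
    alerts = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            burst_end = times[i + threshold - 1]
            if (burst_end - times[i]).total_seconds() <= window_seconds:
                followed = any(t >= burst_end for t in successes.get(src, []))
                alerts.append({"src": src, "failures": len(times),
                               "success_after_burst": followed})
                break
    return alerts
```

A success immediately after a burst of failures is the event worth paging on, since it means the guessed credential worked.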

Crunch

Introduction

When cracking passwords, an attacker always needs a wordlist. Information gathered about the target, such as birth dates, spouse names, pet names, significant others, etc., can be used by an ethical hacker to create custom wordlists.

Crunch is a tool to generate such a custom wordlist. A character set is specified, and Crunch generates all possible combinations and permutations from it.

Features:

  • crunch generates wordlists
  • it can break up output by number of lines or file size
  • adds a status report when generating multiple files
  • new -l option for literal support of @,%^

Example:

Type crunch in the command line.

Its usage is: crunch <min> <max> [options], where min and max are numbers.

For example, to create a text file containing words with a minimum and maximum length of 6 (6 6) using the characters 0123456789abcdef, this is the screenshot of what should be written in the command line. It outputs the text file with the filename 6chars.txt.

Figure 1: Crunch generating password data into an output file
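An added example (not from the page or from crunch) that works out what the 6 6 0123456789abcdef run above produces: the number of words for a min..max length range over a charset, the size of the resulting file, and the words themselves generated lazily, shortest length first with the rightmost character changing fastest (assumed to match crunch's own ordering).

```python
from itertools import product
from typing import Iterator


def keyspace_size(min_len: int, max_len: int, charset: str) -> int:
    """Number of words for every length from min_len to max_len over charset."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def output_bytes(min_len: int, max_len: int, charset: str) -> int:
    """Size of the output file: a word of length n plus its newline is n + 1 bytes."""
    return sum(len(charset) ** n * (n + 1) for n in range(min_len, max_len + 1))


def wordlist(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Yield every word lazily so a large list never has to sit in memory."""
    for n in range(min_len, max_len + 1):
        for combo in product(charset, repeat=n):
            yield "".join(combo)


if __name__ == "__main__":
    # The page's example: lengths 6 to 6 over the hex digits, saved as 6chars.txt
    hexchars = "0123456789abcdef"
    print(keyspace_size(6, 6, hexchars), "words,", output_bytes(6, 6, hexchars), "bytes")
    print("first word:", next(wordlist(6, 6, hexchars)))
```

Sizing the keyspace before running crunch shows why 6chars.txt is over 100 MB, and why adding a seventh position multiplies the file by sixteen.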

Weevely

Introduction

Backdoors are convenient once access to a server has been gained. They give developers quick access to the server they are working on, and the same goes for administrators. An ethical hacker makes use of them too. Weevely uses PHP code to create this backdoor: it is a stealthy PHP web shell which simulates a telnet connection.

Uses:

  • Web application post exploitation
  • Stealth backdoor
  • Web shell to manage web accounts
  • Privilege escalation

Example:

Type weevely help in the Kali Linux command line to open its help menu.

Figure 1: Weevely help tab

To generate a PHP backdoor protected with a custom password, type in the following:

Figure 2: Weevely generating a backdoor file with custom password
Figure 3: Insert weevely script into a website’s IP address

Conclusion:

Weevely is used to slip in a backdoor on a targeted system by creating a terminal and allowing remote code actions through a PHP agent. It is a great tool used to create a backdoor in order to maintain access and even escalate privileges.

Netcat

Introduction

Netcat is a network analysis tool. Its newest version, created by the Nmap project, is called ncat. It provides the same functionality as netcat needed for port scanning.

Uses:

  • Port forwarding
  • Proxying
  • Simple web servers
  • Leave an open backdoor

Screenshots:

Type nc -h to open up its help screen.

Figure 1: nc help screenshot

Using NetCat to carry out Banner Grabbing for OS Fingerprinting

Type nc (IP address) to do banner grabbing. This screenshot shows the server Microsoft-HTTPAPI/2.0, a banner commonly seen on Microsoft IIS servers.

Figure 2: Screenshot of nc results for a website IP address

This is another example but using ebay.com’s IP address instead. It shows the server, date, connection, and other details to do fingerprinting.

Figure 3: eBay capture results of nc

Conclusion:

Netcat is a very powerful little program which can accomplish many things when combined with other skills such as scripting. It can also listen for connections on ports or connect to remote systems.

Social Engineering attack

Background

Social engineering takes advantage of social interactions with other people. The attacker often deals with the victim directly. It plays on human behaviour, manipulating and abusing trust to gain access to confidential information such as social media accounts, credentials, etc.

Tool: Social engineering toolkit

Type setoolkit in the terminal to launch the tool.

Figure 1
Figure 2: Select social engineering attack, then select 3
Figure 3: Select 2
Figure 4: Enter the website to clone
Figure 5: After entering the code below, it will be opened up in a text editor
Figure 6: Change the default values into 0
Figure 7: Edit the default values into the website to be cloned, with the IP address
Figure 8: Click on host list to show all devices connected to your network
Figure 9: Select dns_spoof from the available list of plugins
Figure 10: Select MITM tab, then ARP Poisoning
Figure 11: Use a second VM to browse facebook.com
Figure 12: Enter an example of a login and password, shown in the terminal of attacker VM
Figure 13: Ping facebook.com in the victim VM to ensure successful spoofing

Web Applications

Web application vulnerabilities involve a system flaw or weakness in a web-based application. They have been around for years, largely due to not validating or sanitizing form inputs, misconfigured web servers, and application design flaws, and they can be exploited to compromise the application’s security. These vulnerabilities are not the same as other common types of vulnerabilities, such as network or asset. They arise because web applications need to interact with multiple users across multiple networks, and that level of accessibility is easily taken advantage of by hackers.

Types of attacks:

  • SQL Injection Attacks

SQL is a language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases. Hackers try different methods to slip their own SQL commands into the database. These commands may change, steal or delete data, and they may also give the hacker access to the underlying system.

  • Cross-Site Scripting (XSS)

An XSS attack is chosen when an attacker wants to get directly at the targets’ credentials. It injects malicious code into a website or a web app, and the victims’ credentials can be hijacked through it.

  • Cross-Site Request Forgery (CSRF)

A CSRF attack is when a victim is forced to perform an unintended action on a web application they are logged into. The web application has already deemed the victim and their browser trustworthy, and so executes an action intended by the hacker when the victim is tricked into submitting a malicious request to the application. This has been used for illicit money transfers.
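The following added example (not from the page, sqlmap or WPScan) shows the three attack types above from the defender's side: a login query built by string formatting beside its parameterised form, output encoding against XSS, and a per-session CSRF token check. The table, account and session are constructed sample data.

```python
import hmac
import html
import secrets
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with one constructed account (plaintext only to keep the
    example short; a real application stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is pasted into the statement text, so a quote in the input ends the
    # string literal and whatever follows is executed as SQL.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders are bound by the driver; the input is only ever treated as data.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def render_comment(text: str) -> str:
    """XSS defence: encode untrusted text before it is placed inside HTML."""
    return f"<p>{html.escape(text, quote=True)}</p>"


def issue_csrf_token(session: dict) -> str:
    """CSRF defence: a random per-session token that a cross-site form cannot know."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def check_csrf(session: dict, submitted: str) -> bool:
    """Constant-time comparison of the submitted token with the session's token."""
    expected = session.get("csrf", "")
    return bool(expected) and hmac.compare_digest(expected, submitted or "")
```

With a password of ' OR '1'='1 the string-built query returns every row, while the parameterised query simply finds no user with that literal password.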

Tools:

  • sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

  • WPScan

WPScan is a WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Screenshots:

Figure 1
Figure 2 shows the web server information
Figure 3 shows the WordPress version and the used theme
Figure 4
Figure 5 shows the identified users through bruteforcing

Conclusion:

Web applications have different types of vulnerabilities, both in the front-end and back-end areas. These vulnerabilities usually show up because of old versions of applications which haven’t been updated. By understanding the different technologies used in making a website or web app, hackers can use different tools to identify their vulnerabilities for further exploitation.

Metasploit

Introduction

Metasploit is a platform for penetration testing which allows penetration testers to search for, exploit and validate vulnerabilities present in target systems. It consists of the required infrastructure, contents and tools to perform the penetration tests necessary for exploiting vulnerabilities. It has many executable, ready-to-use modules which are updated consistently.


Lab / Exercise

Background

In this lab, we use the Metasploit tool in our Kali Linux VM to penetrate a target system and exploit its vulnerabilities.

Procedure

Firstly, set up two VMs, both running Kali Linux. One of them is used to execute Metasploit, attacking the other VM, which is the target. Set the network setting of both VMs to NAT network. Then run both VMs.

Run the ifconfig command in the command line of both VMs to find the IP of each VM.

Figure 1: IP of attacker VM
Figure 2: IP of target VM

Attacker VM commands

Run msfconsole in the attacker VM and the results below will be shown.

Figure 3

Run search shellshock to display the matching modules, one of which will be used.

Figure 4

Next, run the following commands, which enter the target’s IP.

Figure 5

Enter show payloads to list the available payloads, shown below.

Figure 6

Run the following commands to set the payload which will be used and the target IP address, check whether the target is vulnerable, and run the exploit. The reverse TCP payload will execute on the target system.

Figure 7

Enter the following commands to find out whether you have successfully penetrated the target system. They will show the target’s system name. After entering ifconfig, it will show that the attacker has successfully got into the target system, as the IP shown is the attacker’s IP.

Figure 8

Conclusion

By using the modules in Metasploit, penetration testers can conveniently exploit and validate vulnerabilities of a target system. Metasploit contains many other modules and contents to aid a penetration tester. Just by knowing the target’s IP address, many vulnerabilities can be scanned for and validated, which helps in the next step of penetration testing, privilege escalation.

Burp Suite

Burp Suite is a sophisticated platform for carrying out security testing against web applications. It consists of many different tools which coordinate well with one another, supporting the testing process. The process goes from mapping and analysis to discovering and exploiting security vulnerabilities.


Lab / Exercise

Introduction

OpenSSL: A software toolkit used to secure communications between computers or devices against eavesdropping, and to identify the party on the other side of the connection.

CSR: Stands for Certificate Signing Request. It is created on the server on which the certificate will be installed, and contains information such as the name of the organisation, domain name, locality and country, including the public key. A private key is also generated when creating the CSR, forming a key pair.


Aim

Bypass and display a secure connection in the target’s browser with the fabricated details of a fake CSR, using BurpSuite.

Procedure

Firstly, enter the following command lines. They create an RSA private key and fill in the details of the fabricated CSR.

Figure 1

These are some descriptions of the options used while typing the OpenSSL command line:

  • openssl req – generate a certificate request
  • -nodes – create an unencrypted private key
  • -newkey – create a certificate request and a new private key
  • rsa:2048 – generate an RSA key of 2048 bits
  • -outform – output file format (PEM or DER)
  • -keyout – filename of the newly created private key
  • -out – filename of the certificate request

These are the remaining Linux command lines to write the RSA private key and the public key in PKCS #8 form.

Figure 2
Figure 3

The next step is to open BurpSuite and go to the proxy settings. Select import CA certificate, then select the option to import a certificate and private key in DER format.

Figure 4

After that, click Next and upload the corresponding files stored in the Home folder. Both uploaded files are in DER format.

Figure 5

Lastly, go to the browser’s proxy settings and set it to the one specified in the BurpSuite application, usually host port 8080. The final result is a CA generated on the target’s side.

Figure 6

Conclusion

BurpSuite consists of different components which work well together to test the security of websites. By combining command lines with BurpSuite, this exercise shows how a connection which is not secure can be manipulated to appear as a safe connection under a fake certificate.

Google Dorks

Google Dorking, or Google hacking, is a useful technique for hacking when the appropriate queries are used. Although Google is just a search engine for browsing images, text, files, videos and news for everyone else, it can be helpful for a penetration tester.

Google cannot directly hack a target system, but it is very valuable to penetration testers due to its vast web-crawling capabilities. Information such as usernames, passwords, technical specifications, etc., is indexed by Google. This is used to find unprotected or vulnerable web applications.

Google Dork operators:

  • cache: shows the cached version of a website.
  • allintext: searches for a specified text in a web page.
  • allintitle: searches for a specified title.
  • allinurl: fetches results with specified characters in their URL.
  • filetype: finds any specified file extension format.
  • link: shows web pages with the specified link to another website.
  • site: shows all URLs for the specified domain and subdomains.

Lab / Practical examples:

Log files

Log files consist of error logs, access logs and other types of logs which are found within the public HTTP area of websites. PHP versions can be exposed, including CMS details or frameworks.

Use allintext and filetype together: allintext:username filetype:log

The outcome will be results of all usernames inside log files. Similarly, instead of username, password can also be used to search for people’s sensitive information.

Figure 1

Vulnerable web servers

By using the following Google dork, vulnerable or hacked web servers can be detected.

inurl:/proc/self/cwd

In the following screenshot, the results show vulnerable servers and their exposed directories, which can be browsed from our browser.

Figure 2

PuTTY SSH Vulnerability

PuTTY is an SSH and Telnet terminal program. It allows users to access computers on the Internet remotely. It is designed for Windows and Unix systems. Logging in to a server via PuTTY authenticates you to the server, allowing you to run commands over an encrypted connection.

The usernames of users’ SSH connections are always logged for Windows users. This can be exposed via a Google dork:

filetype:log username putty

Figure 3

Conclusion

There are still many other combinations of Google Dorks to use and experiment with. Google’s web crawling capabilities can be a tool for a penetration tester to gather information by using its search queries, exposing different vulnerabilities of websites.