Hacking Castle

Ethical Hacking and Cybersecurity Tutorials

Wednesday, July 15, 2020

Complete Metasploit Guide (part-4 Bruteforcing Tomcat with msf Auxiliary)

Hello everybody and welcome back. Now let us perform another scan, or rather another attack, on our OWASP virtual machine. Start your Metasploit framework console. We will once again run Nmap against the OWASP virtual machine in order to see the available services.

This time we will attack the Tomcat server, but first let us run Nmap against my OWASP IP address.

[Image: metasploit Nmap Bruteforcing Tomcat with msf Auxiliary]

We will attack the Apache Tomcat running on port 8080. There is an auxiliary module in the Metasploit framework that can be used to attack it. In the scan we can see that on port 8080/tcp Apache Tomcat is running. So what we will basically do is brute force the Tomcat manager login.

So let us search for Tomcat and see what kind of exploits and auxiliary modules are available. Right now we are only interested in the auxiliary part, so type

#search tomcat

[Image: metasploit Tomcat msf Auxiliary]

What we want to use is the Tomcat application manager login utility. As we can see, this one does not have a disclosure date listed either, and it is ranked as normal. So let us use that one. If you do not want to copy the module path you can just type it: auxiliary, then tab to complete, scanner, tab to complete, http, and then tomcat_mgr_login.

#use auxiliary/scanner/http/tomcat_mgr_login

Once you press enter on that one, you can check the module with show options.

[Image: metasploit auxiliary options]

Here we can see the available options. This one has even more options, so let us see what we can do with them.

BRUTEFORCE_SPEED we will leave on five, which is the maximum.
We can set THREADS higher so that it actually goes faster.
The other options, DB_ALL_CREDS, DB_ALL_PASS and DB_ALL_USERS, are not required and we will not set them. PASSWORD we do not need either, since we want to specify a password file list and a user name file list instead.
As we can see, by default this auxiliary module already has a PASS_FILE listed. It is in usr/share/metasploit-framework/data/wordlists, the file tomcat_mgr_default_users.txt. So this is a file containing passwords, one per line.
We have it split into a password list and a user list. We will stick with the defaults, since I guess they contain some good Tomcat default passwords and users.
Proxies we do not need.
What we do need, and will always need, is RHOSTS. So we set RHOSTS to our target's IP address and press enter.
RPORT is already 8080, unless Tomcat is running on some other port. Since we did the Nmap scan on our OWASP virtual machine we know that it is indeed port 8080, so we leave it as it is. It is also required. These two options will always be required; you cannot perform a scan without them, so that is important to know.
SSL is not required.
STOP_ON_SUCCESS we want to set to true, since there is no need to continue brute-forcing after we find the user name and password. So let us change that: set STOP_ON_SUCCESS from false to true.

The next thing is TARGETURI, which is manager/html. This is the right path, but let's just check. If we go to the browser, this is the path to the login page of the Tomcat server. We browse to the OWASP machine, where we need to specify the port since Tomcat is running on port 8080, and then go to manager/html.

[Image: Metasploit framework tomcat login page]

Let's see. Yes, of course, it prompts us for a user name and password. So this right here is what we are brute-forcing. Once we find the user name and password for this we will be able to change the settings on the Tomcat web server. Let us close this for now. We got error 401 Unauthorized since we did not specify a user name and password, but that is soon about to change, hopefully, if we find the correct user name and the correct password.
The next thing is VERBOSE, which is set to true.
So everything is set.

[Image: Metasploit framework tomcat scanner options]

Now we type run or exploit; you can use either word, and then press enter.

[Image: Metasploit framework tomcat login bruteforce]

We can see it goes relatively fast. It actually went faster than I thought. We did find the user name and password, as we can see by the plus sign right here.
It says login successful, root and owaspbwa. Root is the user name and the password is owaspbwa, which we will soon check. But let me just run this again, it went too fast.
And now let's actually use this user name and password to log in to the web server. So we reload the page. It will ask us for the user name, which is root, and the password, which is owaspbwa. We press OK, and we can see that we successfully logged into the Tomcat web application manager, where we can now change all of these settings if we want to. This should not be available to us at all as a user of the website. So that will be about it for this attack. We covered the Tomcat auxiliary module.

[Image: Metasploit framework tomcat login]

We used scanner/http/tomcat_mgr_login to brute force the Tomcat manager on port 8080, and we successfully did it. So that would be it for this tutorial. In the next tutorials we will start off with some of the exploit modules and try to exploit some more advanced things, such as PHP injection and command injection, where we want to get a Meterpreter shell back. That would be about it for this tutorial, and I hope I see you in the next one.
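The defender-side check that follows from this attack, added here as an example and not part of the original post: it parses a tomcat-users.xml and flags every account holding a manager role whose user/password pair appears in a default user/password list of the "user password, one pair per line" kind that tomcat_mgr_login consumes. Both the XML and the list below are constructed samples, not the real Metasploit wordlist.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (not taken from any real host).
# The manager-* roles are what grant access to /manager/html.
TOMCAT_USERS_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="Zk7!pq9Lw2#x" roles="manager-script"/>
  <user username="root" password="owaspbwa" roles="manager-gui,admin-gui"/>
  <user username="guest" password="guest" roles="probe"/>
</tomcat-users>
"""

# Constructed stand-in for a default user/password list in the format
# tomcat_mgr_login consumes: one "user password" pair per line.
DEFAULT_USERPASS = """\
# constructed sample pairs, not the real Metasploit wordlist
tomcat tomcat
admin admin
root owaspbwa
guest guest
"""

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}


def load_userpass(text):
    """Parse 'user password' lines into a set of (user, password) tuples."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, password = line.partition(" ")
        pairs.add((user, password.strip()))
    return pairs


def audit_tomcat_users(xml_text, userpass_text):
    """Return findings for every <user> that holds a manager role and whose
    (username, password) pair is present in the default list."""
    known = load_userpass(userpass_text)
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":   # strip the XML namespace
            continue
        user = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES and (user, password) in known:
            findings.append({"user": user, "roles": sorted(roles)})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(TOMCAT_USERS_XML, DEFAULT_USERPASS):
        print(f"default credentials on manager account {f['user']}: roles {f['roles']}")
```

The guest account is deliberately left unflagged: its password is on the list but it has no manager role, so it cannot reach manager/html.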

Happy Hacking..

Tuesday, July 14, 2020

Complete Metasploit Guide (part-3 Bruteforcing SSH with Auxiliary)

 Bruteforcing SSH login with Metasploit Auxiliary

Right now we want to start with some of the auxiliary modules in the Metasploit framework. We want to scan the machine from msfconsole, so first of all let us start the console. If you started PostgreSQL before this, it will run faster.

While this is starting I also want to start my OWASP virtual machine. Whether you have Metasploitable 1 or Metasploitable 2, you can run that one instead.

I am using OWASP. I will show you some of the attacks you can perform on the OWASP Broken Web Applications machine, but some of the attacks are also similar for OWASP and for Metasploitable, so just start either of those two machines. As we remember, this virtual machine prompts us for a user name and password: the user name is root and the password is owaspbwa.

We get the standard command line. Let us first check the IP address of this machine so we know it. Now that we know the IP address of our OWASP virtual machine, note that you can run a bunch of different commands from the Metasploit console, basically all the commands you run from your regular terminal.

First, let's take a good scan of the OWASP virtual machine. We covered Nmap before, so what we want to run is
nmap -sV
so we get the versions of the services running on the open ports, followed by the IP address of our OWASP virtual machine, or, if you are using Metasploitable, of your Metasploitable machine. Execute this and wait for it to finish. It should show us all of the open ports.

[Image: Metasploit framework Nmap]

It shows the services running on the open ports and the versions of those services, which is useful especially when using the Metasploit framework. We will try some attacks on these. We can see that the scan finished in 33.9 seconds.
So we get the open ports, and let's start off with the SSH port. There are a bunch of other ports too, such as 139 and 445 running Samba smbd versions 3 to 4, which is also vulnerable software. You also have it on Metasploitable, I believe, in the same version. I will show you how to exploit it later on. But for now, let us start by trying to get in over SSH.

We can see that the service running on port 22 is SSH, and the version is OpenSSH 5.3p1 Debian 3ubuntu4. We will use an auxiliary module from the Metasploit framework to try to brute force the SSH login on port 22 of our OWASP virtual machine. Once again, if you are running Metasploitable the process is the same. So let us try searching for SSH.

search auxiliary/scanner

[Image: Metasploit framework auxiliary SSH]

This prints all of the available exploits, auxiliary modules and post-exploitation modules for SSH. What we are searching for is a scanner, and specifically the login scanner. Here it is.
It does not have a disclosure date and it is ranked as normal, and it is described as the SSH login check scanner, which basically means the SSH brute forcer. You can also, for example, check the SSH version before you start: auxiliary/scanner/ssh/ssh_version, the SSH version scanner.

Let's start with that one first. I believe it will give us the same thing Nmap gave us, the SSH version. You can use this instead of Nmap, since sometimes Nmap won't give you the version, and I believe this one is actually more detailed.

As we saw in the previous article, to pick any of these modules you just type use and then the name of the module. Then we want to show the available options. We can see that we have four different options and they are all required. Most of them are already filled in for us. RPORT, for example, is set to 22, which is good: SSH almost always, and by default, runs on port 22. If it is not, you would want to change this.

THREADS is the number of threads running during this process. The more threads, the faster it goes, so depending on the power of your virtual machine you can choose a number. We also covered the set command, so you set any of these options with set, then the name of the option, and then the value.

[Image: Metasploit framework SSH version]

The only thing we need to set right now is RHOSTS, the target address, which is the IP address of our OWASP virtual machine. So set RHOSTS to the IP address we know, and if we show options again to check that everything is good, we are ready to run this. Just type run and... here it is. This prints the SSH version running on the target, on port 22. As we can see, the SSH version is this one, and it gives a bunch of other details as well that could potentially be useful to you.

That was a simple scan, but now let's actually try to brute force SSH on port 22. So let us go back to our available auxiliary modules, and what we want to use is the SSH login one. Select it, copy and paste it, and we can see that the module changed. Then show options. Unlike the last one, this one has a lot of different options that we need to go through.

[Image: Metasploit framework SSH login option]

Some of them are required and some are not.
For example, BLANK_PASSWORDS is not required. The next few are all not required either.
PASSWORD, the password to authenticate with: no. You would use this if you already knew the password, and you can see the point of that option.
What we do want is RHOSTS, the same as in the previous scan. So type set RHOSTS and then the IP address of our target machine.
You also want to set THREADS; let's set it to 3.
RPORT is correct, it is 22.
STOP_ON_SUCCESS is false; it means stop guessing when a credential works for a host. You want to set this to true, since there is no real point in continuing the brute force after you find credentials that work, unless you want to keep going on multiple accounts. So we type set STOP_ON_SUCCESS, where you can press tab for it to fill in the rest of the name, and change it from false to true. We can see that STOP_ON_SUCCESS is now set to true.
You also want to set this one to true so you can see all of the attempts as they run. You do not need to, but I always set it to true so I can see the attempts of the brute force.
Now we should have all of our options set and ready to go, but I believe there is one more thing we need, which is the password list, since this module does not have one pre-specified, I believe.
So let us find a simple password list. Open up a second terminal, a new window; we know that there are some password lists in usr/share/wordlists.
We won't use something like rockyou.txt, it would take forever. Those large lists are the best choice for Wi-Fi cracking. For brute forcing a login it's really not a good choice, since login brute forcing is nowhere near as fast as Wi-Fi cracking.
If you don't have these wordlists in the /usr/share folder, simply get them with the command

apt install wordlists

Go into the metasploit directory, type ls, and you will see some of the password lists that come with Metasploit.
We do not really need to crack SSH here, I just need to show you the process, so we can choose any password list we want. Let's say we choose this one.
What that means, I believe, is that it has both user and password. Yes, it has both user and password, separated by a space. So we will use that, and the matching option is USERPASS_FILE: a file containing users and passwords separated by a space, one pair per line, which is exactly what we selected.
So we need to set that option, and then specify the path to the word list, which is
usr/share/wordlists/metasploit/mirai_user_pass.txt
So we set the path to our brute force list, or basically our user name and password list. And if we show options once again, now we should really be good to go.

[Image: Metasploit framework SSH login option]

So let us run this. Type run and it should start brute forcing the SSH login on port 22. As we can see it tries different user names and passwords, going down the list that we specified. These are all failed attempts. If it reaches one that actually exists it will stop and report a success. Here we can see root:admin, admin:admin, root:root, and some of the other passwords.

[Image: Metasploit framework SSH login bruteforce]

[Image: Metasploit framework SSH login]

I just wanted to show you some of the different SSH auxiliary modules that you can use. We saw how to scan the SSH version and how to brute force SSH. You can try both on Metasploitable and on the OWASP machine. I'm not sure whether this password list contains a user name and password for those machines, so I added them to the list to show you how it works.

So now you can use any password list you want and hope that you will brute force the SSH login. That would be it for this tutorial. In the next tutorial, we will cover another auxiliary module that we will use to attack another service running on our OWASP virtual machine. I hope I see you in the next one.
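On the receiving end, the attempts above show up in the target's sshd log as a burst of "Failed password" lines from one address, followed by an "Accepted password" line at the moment STOP_ON_SUCCESS fires. The detector below is an added example, not code from the original post; the log lines and the 4-failures-in-60-seconds threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (not captured from a real host):
# five failures from one address then a success, mirroring a brute force run
# with STOP_ON_SUCCESS; a second address with one typo and then a key login.
SAMPLE_AUTH_LOG = """\
Jul 14 10:00:01 owaspbwa sshd[2001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Jul 14 10:00:01 owaspbwa sshd[2002]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Jul 14 10:00:02 owaspbwa sshd[2003]: Failed password for root from 192.0.2.10 port 50003 ssh2
Jul 14 10:00:02 owaspbwa sshd[2004]: Failed password for invalid user admin from 192.0.2.10 port 50004 ssh2
Jul 14 10:00:03 owaspbwa sshd[2005]: Failed password for root from 192.0.2.10 port 50005 ssh2
Jul 14 10:00:03 owaspbwa sshd[2006]: Accepted password for root from 192.0.2.10 port 50006 ssh2
Jul 14 10:05:00 owaspbwa sshd[2101]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jul 14 10:05:30 owaspbwa sshd[2102]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

WINDOW_SECONDS = 60   # constructed tuning values: 4 failures within 60 s
THRESHOLD = 4


def parse_line(line, year=2020):
    """Turn one sshd auth line into a dict, or None if it is not a login result.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Flag a source IP once it reaches `threshold` failures inside `window`
    seconds, and flag separately when a success follows such a burst."""
    failures = defaultdict(list)      # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        recent = [t for t in failures[ev["ip"]]
                  if (ev["ts"] - t).total_seconds() <= window]
        if ev["ok"]:
            if len(recent) >= threshold:
                alerts.append({"ip": ev["ip"], "user": ev["user"],
                               "kind": "success_after_bruteforce",
                               "failures": len(recent)})
            failures[ev["ip"]] = []   # a success ends the burst
        else:
            recent.append(ev["ts"])
            failures[ev["ip"]] = recent
            if len(recent) == threshold:   # alert once per burst
                alerts.append({"ip": ev["ip"], "user": ev["user"],
                               "kind": "bruteforce", "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The second alert kind is the one worth paging on: a password login that succeeds right after a burst of failures is exactly what the successful run above looks like from the server side.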

Happy Hacking..

Sunday, July 12, 2020

Complete Metasploit Guide (Part-2 Understanding all Modules)

In this article we will look at all the types of modules in the Metasploit framework, basically an understanding of each module type in detail.
So let us take a better look at the structure of the Metasploit framework itself. The first thing you want to know is where all the modules, encoders, payloads and exploits are actually stored. They are stored under usr/share.

So cd into usr/share and then into the metasploit-framework directory. Once you change directory to that, you can just type ls and you will see a bunch of files

[Image: Metasploit framework module]

and I will show you which are the more important ones, the ones that we will use.

Let's see. The first one is the program used to run the console itself and actually perform the attacks.
Another important one is msfvenom.
We will use this program to create our payloads, our meterpreter shells and back doors. We do that with this command-line tool.
You can also update your Metasploit framework with the msfupdate command.
Most of the others are not so important at the moment. It is good to know that the Metasploit framework and all of the exploits are written in Ruby, a programming language similar to Python. So if you know that language it is also a plus.

Now in order for you to find all of the exploits and payloads you need to go to the modules directory. Everything is stored in there. 

[Image: Metasploit framework modules]

If you go into modules and type ls, you will see all of the things we want to understand.
We have auxiliary, encoders, evasion, exploits, nops, payloads and post.
Let us explain all of those in detail.


Exploits are used to target vulnerable software running on a remote machine. They let us take advantage of a vulnerable system to gain access to it.

So let's change our directory to exploits, cd exploits, and type ls. You will notice that there are different exploits for different operating systems and different platforms such as browsers.

For example there are Linux, Windows, Unix, Solaris, Android and Apple exploits, as well as browser exploits, as we see with Firefox. There are a bunch of separate directories for the different types of exploits.

[Image: Metasploit framework exploits]

So let's try to find the exploit I talked about in the previous article, the one for Windows 7 and Windows 8 machines; I believe it is the Eternal Blue exploit from 2017. It is a Windows exploit, so we go into windows and type ls. There is a further division among these exploits, as we can see in the image above. They are mostly divided by the port number or by the service running on a certain port.

For example, we can see http, which runs on port 80; ssh on port 22; ftp on port 21; and smb on port 445, I believe. So let us go into smb, since that is where the Eternal Blue exploit is. If I type ls, you will see a bunch of different exploits for SMB. Here it is, the eternalblue_win8.py exploit. We also have the regular Eternal Blue exploit.

[Image: Metasploit framework exploits smb]

Most of these are .rb files, which means that they are Ruby files, and the exploits are written in Ruby as I said before.

If you wanted to, you could open some of them in nano to see what they look like. So let's see what Eternal Blue looks like: open its .rb file, and we can see the code of the exploit itself. It is written in Ruby as I said. You can check out a bunch of these things right here.

[Image: Metasploit framework exploits smb code]

I do not know Ruby, so I will not explain what all of this does. It is similar to Python, and you can understand it if you have learned some programming languages before. For now, I just wanted to show you the code behind this exploit.

So let's close this and go back to the modules directory, and let's talk about payloads.


Payloads are files that allow us to take access or control of a system. A payload is simply what gives the attacker ownership of the system it is injected into, for example a rootkit.

For the payload directory, first change directory to payloads and type ls to see what we have. Here we have different types of payloads.

As I said before, these are the files we send to the victim, for example back doors. As we can see there are three types here: singles, stagers and stages.

[Image: Metasploit framework payloads]

Singles are smaller payloads that perform only one action, for example a single keylogging payload.

Stagers can be used to deliver another payload; they are also used for the communication between the attacker and the target.

Stages are the larger payloads, which give almost full control of the target. For example, the shell that we will use in most of our attacks, the meterpreter shell.

So what is a meterpreter shell?
It is basically a shell with a bunch of different options that we can use after we exploit the remote system. We can screenshot the desktop, run a keylogger, bypass antivirus, and do a lot of other things with the meterpreter shell. We can upload another payload with meterpreter as well. We can download files, upload files and do some other things that we will cover in the next tutorials. That'll be about it for payloads.

Let us check what else we have. Next is auxiliary.

Auxiliary modules are a collection of different functionality that is widely used while hacking: a variety of functions for enumerating, scanning and brute forcing a target.

[Image: Metasploit framework auxiliary]

So let us go into the auxiliary modules and type ls, and you will see that they are also divided into different types.
We have fuzzers, spoofers, sniffers and other types of auxiliary modules. But most likely the auxiliary modules you'll use will be scanners that you run against a target.

For example you can scan whether your target is vulnerable to some type of attack. Sometimes auxiliary modules are also used to brute force, for example, SSH, Tomcat and other things that we will cover in the next article.

You can check out all of the other subdirectories, if you want to, and see what they contain. Some of the auxiliary modules are written in Ruby as well.
That'll be about it for auxiliary.

Now let's talk about encoders.

As the name suggests, encoders are used to encode exploits and payloads so that they can bypass security systems.

If I type ls here you will see the encoders. Let's go into that directory.

[Image: Metasploit framework encoders]

These are the encoders for different types of machines. Encoders are mostly used to bypass antivirus. With an encoder you can change how the code looks, or scramble the code, so that the antivirus database can't recognize it.

The way antivirus databases work, or basically how most antivirus works, is that they have a huge database of all the known exploits, viruses, Trojans and malware. Once you run a program on your PC that is malware, and it is known to that database, your antivirus will prevent it from running and delete it.
But if you, for example, change the code a little and scramble it, or even better write the malware yourself, most likely most antivirus won't be able to detect it, since it is the first time they see code like that. That code is not in their database, so they cannot detect it, and it runs as a normal program and not as malware.
That's why writing your own malware is a big advantage. That would be about it for encoders. We will also show how to use them later on.


The post directory contains tools and programs you use after you have exploited the target, which is normally called post-exploitation.

[Image: Metasploit framework posts]

In post you will find capture, escalating privileges, gathering information, manage, recon and WLAN.
For example, you send meterpreter, which is the reverse shell we will use. From meterpreter you can upload other post-exploitation programs that you use together with it: password gathering, or basically any other information gathering you want. You can gather cookies from a certain browser, for example.


NOP is short for no operation. It is an instruction in assembly language that performs no operation: it causes the processor to do nothing for an entire clock cycle.
This is very useful in buffer overflow attacks.

[Image: Metasploit framework nops]

If you have ever encountered assembly code, or if you are an assembly programmer, you will most likely know what NOPs are.

On x86 chips this is most commonly known as the byte 0x90. When a processor loads this instruction it simply does nothing for one cycle and then advances the instruction pointer to the next instruction, so execution keeps going until it reaches the next useful instruction.

Now, why are NOPs useful?

The NOPs keep the payload size consistent. The practical importance of this has to do with writing instruction jumps. If you do not know what instruction jumps are it doesn't matter that much, but jumps can be either relative or absolute. If you move data around at all with an absolute jump, you must recode the absolute jump to it. If you move one instruction around relative to another, you must also recode the relative jump. Putting in NOPs simplifies the problem, because a jump that lands anywhere in a series of NOPs will continue on to the first executable instruction, and this prevents the processor from reading invalid code that could stop execution and crash the software.

From all of this you just need to remember that a NOP is an instruction, the byte 0x90, that basically doesn't do anything. That's what you need to know.
We will probably use it later on in some other section.

These are all the modules of the Metasploit framework.
This should be enough for you to understand the basic structure of the Metasploit framework. In the next article we will start covering some of the scanners and exploits we can use on our vulnerable targets. That would be it for this tutorial, and I hope I see you in the next one.

Saturday, July 11, 2020

Complete Metasploit guide ( Part 1- Introduction and preparation of exploits and payloads)

This complete guide to the Metasploit Framework will help you in penetration testing and bug bounty.
Let's familiarize ourselves with the Metasploit framework.

What is the Metasploit Framework

The Metasploit framework is a tool that comes pre-installed in Kali Linux. It is used for exploitation most of the time, and sometimes you can use it for scanning. There are modules, payloads, nops and all the other things we will talk about that already come with the Metasploit framework.

But before we begin using them, let's try to understand them. After that, we will execute our first exploit.

As I said, the Metasploit framework is a tool for developing and executing code against a remote target machine. Around Metasploit you also have the MSF payload creator; the Metasploit framework itself is the tool we will use. You can start it with a simple command called msfconsole.

The two main terms you will hear most of the time in this section are exploit and payload. I believe most of you already know what those two are, but just in case: the exploit is the main action of the attack. For example, if a target has vulnerable software running we can take advantage of it, exploit it, and run our reverse shell or rootkit on it.
I'll explain what reverse shells and rootkits are. But about the exploitation process, there is a term you should know: zero-day. A zero-day is an exploit for a vulnerable system that has not been discovered previously. That's why it's called a zero-day: it hasn't been fixed yet, and the software is still vulnerable. Those are attacks you will most likely not encounter, since discovering zero-days only happens a few times a year. There are different types of zero-days; some are more dangerous than others.

One zero-day found in 2017 was an exploit that basically allowed anyone to access a Windows 7 machine, and I think also a Windows 8 machine, without the user clicking on anything. You could just connect to the same network and exploit the Windows 7 machine if it had port 445, the SMB port, open. It was discovered by some hackers; it was an NSA exploit called Eternal Blue.
I will also show it to you in the Metasploit framework later on, but that is the basic meaning of a zero-day attack. We will not be discovering zero-days ourselves, because those attacks, if ever discovered, can be costly: they can go for above $100,000. So if you were to discover a zero-day, you could sell it for a hundred thousand dollars or more. I believe if you were to find a zero-day for the iPhone, Apple would pay you thousands of dollars!

We will be exploiting targets with already known exploits and with our own reverse shells that we run on the target. The payload is basically that reverse shell: after we exploit the vulnerable software we deliver the payload, which gives us a shell or some information back. We will cover all of this in detail in the next articles, but for now, let us start up the Metasploit framework and look at the environment.

 Installing Metasploit-Framework

If Metasploit is not installed on your Linux system, install it with the command

apt install metasploit-framework

Before you type msfconsole, which is the command for starting the Metasploit framework, I would advise you to start the PostgreSQL service:

service postgresql start

This will make Metasploit run faster since it uses the database. You do not need to do this if you don't want to, but as I said it only makes Metasploit run faster. Now that we have run this we can finally open the Metasploit framework. To do that you just need to type msfconsole.


[Image: Metasploit Framework]

Press enter and wait for it to open. Since this is a virtual machine it might take a few seconds depending on your PC speed. Once it opens we will cover some of the most basic commands that you will use to navigate the Metasploit framework.

The first thing you notice is the banner; it is different most of the time, they change it often. Next you see what is available in the Metasploit framework at this time, July 2020:
2004 exploits, 1049 auxiliary modules, 343 post-exploitation modules, 562 payloads, 45 encoders, 10 nops and 7 evasion modules.

We will cover what all of these are in the next articles, but for now let us see how to navigate this framework.
Our command prompt is right here,

msf5 >

and here we type our commands. So the first logical thing that we should do is type 


help

help lists the commands you can run right now. One of the most useful is the use command; you will use it a lot.
You type use followed by the name of the module (for example an exploit) you want to select. But in order to select a module, you need to know its name.
Since we are beginners we do not know the name of any module yet, so we use the search command to find modules.

Search modules in Metasploit

search matches module names and descriptions. If you just type search and, let's say, we want to find Windows exploits, type

search windows

It will list all of the available Windows-related modules (exploits, payloads, post modules and so on) in the Metasploit framework.

Metasploit Framework  search

These are all of the modules that matched "windows". We can see, for example, the payload windows/meterpreter/reverse_tcp, and you can select any of them and see more details about it.
This command shows every exploit, payload and post module related to Windows. If you only want exploits, narrow the search to the exploit path:

search exploit/windows

Metasploit Framework  search exploits

There are a lot of them. As the banner said, there are over 2000 exploits in the Metasploit framework.
We will cover only a few of them; covering all of them would make this course thousands of hours long.

 Options of exploits in Metasploit

Now let's say we want to use an exploit. For the sake of understanding, let's pick a random one:
the generic SMB DLL injection exploit.
To select it we simply type use
followed by the full name of the exploit (paste it from the search output) and press enter. You can tell that you typed the name correctly when the module name appears in red inside brackets in the prompt; that means the exploit exists and is now selected.
 Now this selected exploit we can see its options with the show command. So 

show options

 will give us all of the options for this exploit and what it requires in order to run.

Metasploit Framework exploits options

The table lists each option's name, its current setting, whether it is required, and a description. If a required option has no current setting, you must set it before the exploit will run. For this exploit, for example, SRVHOST is the local host to listen on (it must be an address on the local machine, or 0.0.0.0 for all interfaces) and SRVPORT, the local port to listen on, is also required and defaults to 445.
Further down we see the exploit target. To check the available targets, type
show targets

Metasploit Framework exploits target

This prints a list of all of the targets available for this exploit. We can see this exploit is for Windows x86 and Windows x64, so it runs against the Windows platform.

 All Information about the exploit in Metasploit

If you didn't know much about this exploit, you would want to find out more about it. You can do that with

show info

Metasploit Framework exploits info

(plain info does the same). This prints out what exactly this exploit is: name, module, platform, and essentially the output of the previous commands, so the available targets, whether check is supported, and the basic options we already saw with show options, followed by the payload information and the description. The description is most likely what you are looking for with this command.

Metasploit Framework exploits target info

You can also see the references listed here. If you copy one of these links and open it in the browser,
it should take you to a page describing this exploit in greater detail.

Metasploit Framework exploits info

You can read it if you want to, and you can also visit other sites that explain this exploit in detail.

Payloads for exploits in Metasploit

If you want to deliver a payload with this exploit, you can see the payloads available for it with

show payloads

Metasploit Framework payloads

show payloads lists only the payloads that are compatible with the selected exploit. A payload that does not appear in that list (for example one built for a different platform or architecture) cannot be used with it; you can only choose from the payloads shown. Once you have looked through them and chosen one, set it by typing

set payload <payload>

Metasploit Framework payloads set

As we can see, the payload was set successfully. If you mistype the name, Metasploit says that no such payload exists. After selecting a payload, run show options again and you will see some additional options for the payload. Most of the time you will see these two: LHOST and LPORT. LHOST is the listen address, which is your Kali Linux machine, since you are the one listening for the connection back from the target machine.

LPORT is the port you are listening on; by default in Metasploit it is 4444.
You configure these fields with the set command, for example set LHOST followed by your own IP address.

Now you would be able to run this exploit and its payload against a vulnerable target. I will not be running this exploit, since I don't have a vulnerable target for it; I just wanted to show you the commands you will use to select your exploits. We will actually exploit targets and run some scanners in the next sections, right after we cover the basic structure of the Metasploit framework itself. I will explain what nops, encoders, payloads, exploits and post-exploitation modules are.
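To make the LHOST/LPORT relationship concrete, here is a small added example of my own (not Metasploit code, and not from the original article) that plays both roles on loopback: a listener standing in for exploit/multi/handler, and a constructed stand-in for the compromised target that connects back to LHOST:LPORT and answers a couple of commands with canned output instead of executing anything. The addresses, port and replies are assumptions made for the demonstration.

```python
import socket
import threading

# The attacker LISTENS on LHOST:LPORT; the payload on the target CONNECTS BACK.
# Assumed values for the demo; 4444 is Metasploit's default LPORT.
LHOST = "127.0.0.1"
LPORT = 4444

# Constructed stand-in for the compromised host: canned replies, nothing is
# executed.  A real reverse shell would hand each line to /bin/sh instead.
FAKE_TARGET_REPLIES = {
    "whoami": "www-data",
    "id": "uid=33(www-data) gid=33(www-data) groups=33(www-data)",
}


def start_listener(lhost, lport):
    """Attacker side (what exploit/multi/handler does first): bind and wait."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv


def drive_session(srv, commands, timeout=5.0):
    """Accept the connection coming back from the target and run commands over it."""
    srv.settimeout(timeout)
    conn, _peer = srv.accept()          # blocks until the payload connects back
    outputs = []
    with conn, conn.makefile("rb") as reader:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            outputs.append(reader.readline().rstrip(b"\n").decode())
        conn.sendall(b"exit\n")
    srv.close()
    return outputs


def simulated_payload(lhost, lport, replies):
    """Target side: a reverse_tcp payload starts exactly like this, with
    connect(LHOST, LPORT); afterwards it serves whatever the handler sends."""
    with socket.create_connection((lhost, lport), timeout=5.0) as s, s.makefile("rb") as reader:
        while True:
            line = reader.readline()
            if not line or line.strip() == b"exit":
                break
            cmd = line.strip().decode()
            s.sendall(replies.get(cmd, f"sh: {cmd}: not found").encode() + b"\n")


def demo(lhost=LHOST, lport=0):
    """Run both sides on loopback.  lport=0 lets the OS pick a free port so the
    demo never collides with a real handler already listening on 4444."""
    srv = start_listener(lhost, lport)
    port = srv.getsockname()[1]         # the LPORT the payload must connect to
    target = threading.Thread(target=simulated_payload,
                              args=(lhost, port, FAKE_TARGET_REPLIES), daemon=True)
    target.start()
    outputs = drive_session(srv, ["whoami", "id"])
    target.join(5.0)
    return outputs


if __name__ == "__main__":
    for cmd, result in zip(["whoami", "id"], demo()):
        print(f"{cmd} -> {result}")
```

The point to take away is the direction of the connection: the target initiates the TCP connection to your machine, which is why LHOST must be an address the target can actually reach (your VM's address on the lab network, not 127.0.0.1) and why reverse payloads work through NAT and firewalls that only allow outbound traffic from the target.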

You can also run system commands from this console. Any command you can run in a normal terminal, such as nmap or netstat, can be run from the Metasploit command line as well,

so you do not need to leave Metasploit while performing an attack or any other scan you want to run.

Saturday, June 13, 2020

Burp Suite Complete Tutorial ( Part-3 Target Tab)

Burp Suite Target tab

Burp Suite's Target tab gives us all the vital information about our target's content and functionality. The site map shows the target's content neatly, and by applying a scope we can keep it focused and easy to work with.

The Target tab is all about discovering the target application's content and functionality with the site map, while the scope lets us focus only on the things we want to test.

Now we will see about the sub-tabs of Target Tab

  • Site Map
  • Scope
  • Issue Definitions. 

Burp Suite Target Site Map 

In the site map we can see the target application thoroughly, and with it we can find many juicy details about the target (parameters, status codes, response lengths, MIME types, etc.).

Burp Suite Target Site Map

 Discovering Target Manually

  • First set up the Burp proxy with your browser.
  • After intercepting the first request, turn Intercept off but keep the proxy running.
  • Now go to the browser and manually browse every page, fill in all forms, and log in where required (basically explore the application).
  • After manually mapping the application in the browser, you will see the content and functionality you browsed showing up in Burp Suite's Target site map.

After completing these steps you will see new pages and content filling up the site map, with lots of information about each item such as host, URL, status code, length and MIME type. Looking at the Request and Response sub-tabs shows a whole lot more about that page: the raw request, parameters, headers and a hex view.

Pro Tip - Always pay attention to parameters, because they sometimes lead to very sensitive places such as admin login pages or pages restricted from other users. (Those can be great finds.)


Burp Suite Site Map Display Filters

Many websites have a very large amount of content (I have found more than a hundred thousand pages in some), so evaluating them one by one would be far too time-consuming. When we find tons of content on a site, we filter the site map down to the things we want.

Click on the filter bar and it looks like this.

 Burp Suite Site Map Display Filters

  • Filter by request type - 
This filter narrows the site map by request properties: in-scope items only, requested items only, parameterized requests only, and hiding "not found" items.
If you are working on a website with a fixed scope, check "show only in-scope items" so you stop wasting time on everything else.
Burp often records more content than you actually requested (links it discovered while you browsed), so "show only requested items" helps you keep to what you visited yourself. Also, as I said above, parameterized requests can be great finds, so check "show only parameterized requests" when you want to hunt for them.
Keep "hide not found items" checked unless you actually want 404 pages cluttering up your site map.

  • Filter by MIME Type

     MIME - (Multipurpose Internet Mail Extensions)
    This filter is useful when you only want to see responses of a given type that Burp already recognises, such as HTML or images.

Along with those, it offers script, XML, other text, Flash and other binary types.
Use it according to what you are looking for. It works on the response's type as detected by Burp; for a more precise selection based on the file extension in the URL, see "filter by extension" below.

  • Filter by Status Code

    Status codes are HTTP response codes that tell us, in numeric form, how the server answered a request. There are lots of them, but here are some important ones.

    1. 200 - OK. The page is up and responded the way it should.
    2. 301 - Moved Permanently. The page has been permanently redirected to another URL.
    3. 404 - Not Found. Nothing was found at that URL.
    4. 500 - Internal Server Error. The server hit an unexpected condition that prevented it from fulfilling the request. These are worth a closer look, since error pages often leak stack traces or other internal details.
    There are many more than these.
  • Also always check "hide empty folders". You surely don't want to waste your time there.
  • Filter by Extensions - 

    A very important filter for sorting the site map down to the extensions we specifically want to test.
    Unlike the MIME type filter, here we type the extensions we want to see ourselves, which gives us very precise control over what is shown.
    HTML, PHP, JS, ASPX and CSS are common extensions.
    Check for more.

    Pro Tip - While exploiting file upload vulnerabilities it is sometimes hard to find where the uploaded file was saved on the server; filtering by the uploaded file's extension can save a lot of time.

    There are also two checkboxes here, "show only" and "hide".
    Use them accordingly.

  • Filtering by comment or highlight (annotations) is also useful when you need to find your annotated items among thousands of pages. (Obviously, you need to comment and highlight them first.)

Target tab Testing Workflow

The Target tab and its tools act as the place where we sort our attack scope and other important in-scope items, and they also work as a bridge to Burp Suite's other tools and functionality.
Here we will look at the important functions used in penetration testing and bug bounty work.

  • Add to or remove from Scope.

The scope is the specific website, or the part of a web server, that the client wants you to test and nothing else. Anything other than that is out of scope, meaning we are not authorised to test it.

After discovering what we want to test, right-click on it (the context menu) and you will see that the second option is "Add to scope".

Similarly, if you want to remove something from the scope (after you added it), right-click it and hit "Remove from scope".

  • Send to ___  Functionality.

Another very important function of the site map is that it lets us send requests to Burp Suite's other powerful tools, such as Intruder and Repeater.

For example, if you found some parameters in the site map that you want to fuzz with a wordlist, you can send that request straight to Intruder from this context menu.
You can also send it to Repeater to test it manually.

Similarly, you can send requests or responses to Comparer and Sequencer.

  • Show Response in Browser

After right-clicking on a request and choosing "Show response in browser", Burp gives you a URL to copy and paste into your browser.
The catch is that instead of talking to the web server, the browser fetches the stored response through the Burp proxy and renders it as if it came from the original server. Any additional requests (for CSS, images, etc.) are made by the browser itself.
This works better than Burp's built-in HTML renderer precisely because the browser makes those additional requests for CSS, images and so on.

  •  Request in Browser

You can use this to open a request in your browser, which must already be configured to use the Burp proxy.
There are two options here.

  • In original session - the request is reissued with exactly the Cookie header that appeared in the original request recorded by Burp.
  • In current browser session - the request is reissued with whatever Cookie header your browser currently supplies.
This feature is widely used when testing for access control vulnerabilities.
For example, when you are logged in to the web server as an ordinary user, you can reissue a request with the cookies of a different user context, such as an administrator. This is very easy to do this way, so you don't have to modify and replay cookies over and over through the proxy.

  • Compare Site Maps

You can use the "Compare site maps" function to find the differences between two site maps.

Compare Site Maps
This powerful feature of Burp Suite can be used for many different purposes; it works best for access control testing. A typical workflow is to map the application as a privileged user, re-request the same items with a low-privilege user's session, and compare the two maps.
You compare the two site maps with all of the information they hold (requests, responses and headers), which gives a wide overview for spotting differences that can be exploitable.
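The display filter described earlier and this site map comparison can both be reproduced offline from Burp's exported site map data. The following is an added example of my own, not Burp code and not from the original article: it parses two site map exports (one captured as a privileged user, one as a low-privilege user), applies the same kinds of filters the display filter offers, and then reports which privileged URLs the low-privilege session was still able to fetch with a 200. The sample data is constructed, and the XML element names are an assumption about the shape of Burp's "Save selected items" export; check one of your own exports and adjust the tag names if needed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed sample data in the shape of Burp's site-map "Save selected items"
# XML export.  The element names (item, url, status, mimetype, extension,
# comment) are an assumption about that format.
ADMIN_SITEMAP = """<items>
  <item><url>https://target.example/</url><status>200</status><mimetype>HTML</mimetype><extension>null</extension><comment></comment></item>
  <item><url>https://target.example/static/app.js</url><status>200</status><mimetype>script</mimetype><extension>js</extension><comment></comment></item>
  <item><url>https://target.example/admin/users.php?id=7</url><status>200</status><mimetype>HTML</mimetype><extension>php</extension><comment>admin only</comment></item>
  <item><url>https://target.example/admin/export.php</url><status>200</status><mimetype>HTML</mimetype><extension>php</extension><comment></comment></item>
  <item><url>https://target.example/old/page.php</url><status>404</status><mimetype>HTML</mimetype><extension>php</extension><comment></comment></item>
</items>"""

# The same URLs re-requested with a low-privilege user's cookies (constructed).
USER_SITEMAP = """<items>
  <item><url>https://target.example/</url><status>200</status><mimetype>HTML</mimetype><extension>null</extension><comment></comment></item>
  <item><url>https://target.example/static/app.js</url><status>200</status><mimetype>script</mimetype><extension>js</extension><comment></comment></item>
  <item><url>https://target.example/admin/users.php?id=7</url><status>200</status><mimetype>HTML</mimetype><extension>php</extension><comment></comment></item>
  <item><url>https://target.example/admin/export.php</url><status>302</status><mimetype>HTML</mimetype><extension>php</extension><comment></comment></item>
</items>"""


def load_sitemap(xml_text):
    """Parse an export into dicts: url, status, mimetype, extension, comment, params."""
    entries = []
    for item in ET.fromstring(xml_text).iter("item"):
        url = item.findtext("url", default="")
        ext = item.findtext("extension", default="")
        entries.append({
            "url": url,
            "status": int(item.findtext("status", default="0")),
            "mimetype": item.findtext("mimetype", default=""),
            "extension": "" if ext == "null" else ext,   # 'null' = no extension (assumed)
            "comment": item.findtext("comment", default="") or "",
            "params": [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)],
        })
    return entries


def display_filter(entries, hide_not_found=True, parameterized_only=False,
                   mime_types=(), extensions=(), commented_only=False):
    """Offline equivalent of the site-map display filter; each argument mirrors one checkbox."""
    mimes = {m.lower() for m in mime_types}
    exts = {x.lower() for x in extensions}
    kept = []
    for e in entries:
        if hide_not_found and e["status"] == 404:
            continue
        if parameterized_only and not e["params"]:
            continue
        if mimes and e["mimetype"].lower() not in mimes:
            continue
        if exts and e["extension"].lower() not in exts:
            continue
        if commented_only and not e["comment"]:
            continue
        kept.append(e)
    return kept


def strip_query(url):
    """Comparison key: the same resource regardless of parameter values."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def compare_sitemaps(privileged, low_priv):
    """Access-control check in the spirit of 'Compare site maps'.

    Returns (bypass, enforced): URLs that returned 200 to the privileged user and
    also 200 to the low-privilege user (candidate authorisation bypass), and URLs
    where the low-privilege user got a different status (control probably enforced).
    Only URLs present in both maps are considered.
    """
    low_status = {strip_query(e["url"]): e["status"] for e in low_priv}
    bypass, enforced = [], []
    for e in privileged:
        key = strip_query(e["url"])
        if e["status"] != 200 or key not in low_status:
            continue
        (bypass if low_status[key] == 200 else enforced).append(key)
    return sorted(bypass), sorted(enforced)


if __name__ == "__main__":
    admin = load_sitemap(ADMIN_SITEMAP)
    user = load_sitemap(USER_SITEMAP)
    print("parameterised PHP pages:",
          [e["url"] for e in display_filter(admin, parameterized_only=True, extensions=["php"])])
    bypass, enforced = compare_sitemaps(admin, user)
    print("reachable as low-priv user:", bypass)
    print("blocked for low-priv user:", enforced)
```

Public pages such as the front page and static files naturally land in the "bypass" list too, so in practice you would first narrow the privileged map with display_filter (for example to the admin path's extensions or to parameterised requests) before comparing, exactly as you would set a scope and filter in the Target tab before using Compare site maps.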

  • Annotations in Site Map

In the site map you can annotate URLs using highlights and comments. Use this when you find something interesting to come back to, or to sort URLs for different types of testing.

You can highlight a URL in two ways.
  • Use the dropdown menu in the host column (the leftmost column) to choose from the various highlight colours.
  • Right-click on the URL, select "Highlight", and pick the colour you want.
You can add a comment in two ways as well.
  • Double-click on the empty space in the comment column and type whatever you want.
  • Right-click on the URL you want to comment on and hit "Add comment".
You can then filter on your annotations in the display filter covered above.

  • Burp Suite Target Scope

The Burp Suite target scope is exactly the set of hosts and URLs you want to work with as your target. You can say the scope is the items you are currently interested in and willing to attack.

Adding a scope configuration affects other functionality of Burp, such as:
  • display filters and the site map, which can be restricted to in-scope items;
  • the proxy, which can be set to intercept only in-scope requests and responses;
  • Repeater and Intruder, which can be configured for in-scope URLs only.
You can also use the advanced scope control shown below.

Burp Suite Target Scope

Here you can specify the protocol, port, IP ranges and file paths as well.

You can add hosts or URLs to the scope, and exclude specific hosts or URLs within it using "Exclude from scope".

  •  Issue Definition

Issue definitions are the list of all issues that Burp Suite's scanner can detect. You can think of them as the bug and vulnerability classes Burp knows about.

burp suite  Issue Definition

These definitions can be used to learn more about a given issue type, and they also give links that help with further exploitation of those vulnerabilities.
Each gives a description, remediation advice and reference resources for the issue.
They are also helpful for understanding the severity of an issue.

