
Sunday, December 29, 2019

Enumeration | ethical hacking enumeration techniques


Enumeration


Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system. 


In this phase, the attacker creates an active connection to the system and performs directed queries to obtain more information about the target.


The gathered information is used to identify vulnerabilities or weak points in the system's security, which the attacker then tries to exploit in the system-gaining phase.


Types of information enumerated by an attacker: 

  • Network resources and shares
  • Users and Groups
  • Routing tables
  • Auditing and Service settings
  • Machine names
  • Applications and banners
  • SNMP and DNS details 


Services and Ports to Enumerate:

DNS Zone Transfer: TCP 53:

Zone transfers rely on TCP port 53 rather than UDP 53: a DNS zone transfer always uses TCP to communicate with the DNS server, because TCP's reliable delivery keeps the transferred copy of the DNS database consistent with the server's.


NetBIOS Name Service (NBNS): TCP 137:

NBNS, also referred to as WINS (Windows Internet Name Service), maintains a database that maps the NetBIOS names of hosts to the IP addresses those hosts are using.

Simple Network Management Protocol (SNMP): UDP 161:

SNMP is used by many applications and devices for logging and maintaining management information about remote systems; routers and switches also use it for management communication.

Lightweight Directory Access Protocol (LDAP): TCP/UDP 389:

It is used to enumerate contact information held by the server.
It can be used with Microsoft Active Directory and some other email programs.

Simple Mail Transfer Protocol (SMTP): TCP 25:

SMTP allows email to move across the internet and across local networks. It runs over TCP, which provides the connection-oriented service that SMTP communication needs.

We will look at each of these services on their ports, see how to get information out of them, and then look for vulnerabilities and exploits.

1) DNS Enumeration


In the process of DNS enumeration we can find very useful data such as usernames, computer names and IP addresses, as you will see in practice below using dnsenum.
DNS records are stored in a zone file, which holds the zone's resource records (its database).

A DNS zone transfer is the process used to get all of that stored data.
The client sends a zone transfer request to the DNS server; if the server allows it, it sends all of the zone data, which arrives in a readable format.


There are lots of tools for DNS enumeration, but today I will show you my personal favourites.

  • dnsenum


DNS subdomain brute-forcing

DNS enumeration using dnsenum


  • dnsrecon

dnsrecon


Countermeasures:

  1. Using premium registration services can minimize the risk.
  2. Zone transfer requests from untrusted hosts must be disabled.
  3. A publicly accessible DNS server should not reference internal IP addresses in its zone files.
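As an added example (not code from the original post), here is a small Python check for the third countermeasure: it parses a constructed zone file and flags A/AAAA records that expose internal (RFC 1918, loopback, link-local) addresses, plus HINFO records that advertise host software. The sample zone, the $ORIGIN handling and the one-record-per-line assumption are mine.

```python
import ipaddress

# Ranges that should never appear in an internet-facing zone (assumption: the
# sample zone below is public). 203.0.113.0/24 is a documentation range and
# stands in for the organisation's real public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10",                          # IPv6 ULA, link-local
)]

# Constructed sample zone (not from the original post): two records leak
# internal addresses and an HINFO record advertises the web server software.
SAMPLE_ZONE = """
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. 2019122901 3600 900 604800 86400
@        IN NS    ns1.example.com.
ns1      IN A     203.0.113.10
www      IN A     203.0.113.20
mail     IN A     203.0.113.30
intranet IN A     10.0.5.12        ; internal host leaked to the world
backup   IN AAAA  fd00:1234::40    ; internal IPv6 host leaked as well
www      IN HINFO "Ubuntu 18.04" "Apache 2.4"
"""


def parse_zone(text):
    """Minimal parser for one-record-per-line zones: returns (owner, rtype, rdata)."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                    # $TTL and other directives
            continue
        tokens = line.split()
        owner, rest = tokens[0], tokens[1:]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"             # relative name -> FQDN
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest.pop(0)                             # optional class / TTL
        if rest:
            records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def is_internal(address_text):
    """True when the address lies in INTERNAL_NETS; unparseable text is not internal."""
    try:
        addr = ipaddress.ip_address(address_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def audit_zone(text):
    """Return (owner, rtype, reason) for records a public zone should not carry."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA") and is_internal(rdata):
            findings.append((owner, rtype, f"internal address {rdata} exposed"))
        elif rtype == "HINFO":
            findings.append((owner, rtype, f"host details published: {rdata}"))
    return findings
```

Running audit_zone(SAMPLE_ZONE) reports the intranet and backup addresses and the www HINFO record; the same function can be pointed at an exported copy of a real zone before it is published.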

NetBIOS Enumeration

NetBIOS stands for Network Basic Input/Output System and is widely used. It allows PCs to communicate over the LAN and enables them to share printers and files.


A NetBIOS name must be unique on the network and is limited to 16 characters: 15 characters are used for the device name and the sixteenth is reserved to identify the type of service running or the name record type. NetBIOS names are used to identify network devices over TCP/IP connections on Windows.



Attackers use the NetBIOS name list to obtain:

  • A list of computers that belong to a domain
  • A list of shares on the individual hosts on the network
  • Policies and passwords

Tools for NetBIOS enumeration: nbtscan, nbtstat and the all-in-one Nmap.

In the image below, Nmap's nbstat NSE script is used to enumerate NetBIOS.



Nmap NetBIOS script

Prevention measures for scanning of shared NetBIOS resources

There is a very easy way to prevent scanning of NetBIOS credentials and resources: keep the service shut down.
Shutting it down might cause some problems, but it is worth it compared with losing credentials to an attacker.
If it is really necessary to use NetBIOS, do not use default names (any application using default names and passwords has a 100% chance of getting hacked).


SNMP Enumeration

SNMP is a very common protocol, enabled in many operating systems such as Linux, Ubuntu and Microsoft servers as well as in network devices such as switches and routers.
SNMP uses UDP to connect to and manage switches, routers and hubs on an IP network.
Using SNMP enumeration, a number of details can be extracted, such as users, passwords, devices on the network, system names and groups.



For SNMP enumeration the best thing to use is the Metasploit Framework with the snmp_enum module:

msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > show actions
...actions...
msf auxiliary(snmp_enum) > set ACTION <action-name>
msf auxiliary(snmp_enum) > show options
...show and set options...
msf auxiliary(snmp_enum) > run

 

Countermeasures:

  1. Use a more secure version (SNMPv3).
  2. On perimeter network access devices, block port 161 so that it cannot be scanned from outside.
  3. Use a policy such as 'Additional restrictions for anonymous connections', which is a user policy security option.
  4. Do not allow suspicious IP addresses to access SNMP.
  5. Disable or remove SNMP agents on hosts.


LDAP Enumeration

The Lightweight Directory Access Protocol (LDAP) is a protocol used to locate directory listings, both in Active Directory and in other directory services. LDAP is tied to the Domain Name System so that combined lookups are fast and queries resolve quickly. It is possible to query the LDAP service, sometimes anonymously, and obtain plenty of data that will put a smile on a tester's face and feed a brute-force or social-engineering attack: valid usernames, user details and addresses can all be extracted.
LDAP generally runs on port 389.
A directory is typically organised in a hierarchical, logical format, much like the levels of management and employees in a company.

Tools: 

LDAP Browser editor
JXplorer

Countermeasures: 

  • Lock accounts out after a certain number of failed attempts.
  • Use SSL encryption for the LDAP traffic.
  • It is very easy to guess usernames from email addresses, so use usernames that differ from the email names.
  • Use NTLM or Basic authentication to limit access to known users only, so that nobody can gain unauthorized access.

Conclusion 


In Scanning we scanned all the ports and found out which services, and which versions, are running out there; in this post we have seen how to enumerate those services and get the information we want for exploitation and vulnerability analysis.
So the point here is that it is not scanning and enumeration, it is scanning with enumeration.

These enumeration techniques are used by ethical hackers, bug bounty hunters and cybersecurity experts.

Happy hacking.


Thursday, December 26, 2019

Scanning in Hacking | Scanning tools and techniques


Scanning in Hacking


Scanning plays a very important role in information gathering in hacking. Information gathering itself has four main types: scanning, fingerprinting, enumeration and vulnerability analysis. In this post we will cover scanning: how to scan a target and get the information we need for exploitation and hacking.

So let's get started with it.

Scanning -

Scanning is a process in which we identify the architecture of the target: ports, services, OS, live hosts and much more.
It also finds threats and vulnerabilities in the target network.
Scanning builds a profile of the target, and we can get a great deal of information about it using scans.


We will go through it one by one, using Nmap.



NMAP (The Network Mapper)

NMAP is a widely accepted tool for scanning and enumeration; if you really want to be a good hacker, mastering NMAP should be your priority.
I already wrote an article about how to use NMAP, so check that too.


Port states

Closed - No application on the target machine is listening for connections/packets on the port, though the port could be opened at any time.

Open - An application on the target machine is listening for connections and packets on the port.

Filtered - Nmap cannot tell whether the port is open or closed, because a network obstacle (such as a firewall) is blocking Nmap's probes.

Basic NMAP options

-O: Enable OS detection
-6: Enable IPv6 scanning
-T1 to -T5: Really slow port scan to really fast and noisy port scan
-V: Print version number
-sU: UDP scan (scanning UDP ports)
-p: Ports to scan
-p-: Scan all ports
-p 22,8080: Scan ports 22 and 8080
--resume <filename>: Resume an aborted scan
-sV: Service detection
-Tx: Set scan speed
-S <IP_Address>: Spoof source address
-sS: Stealth scan (less detectable and less noisy)
-v: Increase verbosity level (use -vv or more for greater effect)
-A: OS and version detection, script scanning, and traceroute

 

OS detection and service detection on ports

-A is the all-in-one option we can use to detect the OS and services, run script scanning and traceroute, and show port status.
There are many vulnerabilities and exploits you can find for system services and use in exploitation.


nmap -A (target IP)

Nmap OS and service detection


Port Scanning Techniques:

There are various port scanning techniques available. Well-known tools like Nmap and Nessus have automated the port scanning process. The scanning techniques include:

NMAP ping sweeps

An NMAP ping sweep sends ICMP echo requests to all IP addresses in a given range; a host that is alive and responds to ping requests sends back an ICMP echo reply.


Nmap ping sweep


ARP scan (Address Resolution Protocol):

In this method a series of ARP broadcasts is sent, and the value of the target IP address field is incremented in each broadcast packet to discover active devices on the local network segment. This scan helps us map the whole network.
Use this command in nmap (-PR selects ARP ping discovery and -sn skips the port scan):

nmap -PR -sn (target IP)


ARP scan

TCP connect scan:

A TCP connect scan is the basic scanning technique: it uses the operating system's connect system call to open a full connection to every port being scanned.

This image shows how it works:
working of TCP protocol

To find TCP ports in Nmap, use the command:

nmap -sT (IP address)

     
TCP ports scan in Nmap

Half-open scan:

During the TCP handshake it never completes the connection with the server, which is why it is a stealthy scan.

As in a TCP connect scan we send a SYN packet first.
The server then sends a SYN/ACK packet back to us.
But in the last step, instead of an ACK, the half-open scan sends the server a reset (RST) packet; that is why it is called a stealth scan. The server never sees a completed connection; the reset tears it down, which is what makes the scan so hard to detect.

nmap -sS (target IP)
    

TCP XMAS Scan

It is used to identify listening ports on the targeted system: closed ports reply with a reset, and open ports do not reply at all.
The scan sets the FIN, URG and PSH flags of the TCP header.

Use this Nmap command:

nmap -sX (target IP)

TCP FIN Scan

This port scan can stay undetected by most scan detection programs, IDS and firewalls. It sends FIN packets to the targeted system and builds a report from the responses it gets.

With the FIN flag set, closed ports send a reset response, while open ports on the victim do not reply to the transmitted TCP packets at all.

nmap -sF (target IP)

TCP ACK Scan:

Sometimes live hosts do not answer ICMP ping requests either.

Using a TCP ACK scan, the attacker can see the port situation from the responses received.

Use this command in Nmap:
nmap -sA (target IP)


Null Scan:

Works by transmitting TCP packets with no flags set to the target. Open ports do not reply, while closed ports reply with a RESET packet.

nmap -sN (target IP)


Conclusion

This is the kind of scanning used in hacking for information gathering. By using port scanning we can discover information such as what services are running, which users own those services, whether anonymous login is supported, whether certain network services require authentication, and other related details.

Preventions

One approach to limit the knowledge obtained from port scans is to close non-essential services on the targeted systems. Another way to restrict the information provided to port scanners is to apply TCP Wrappers where appropriate; TCP Wrappers give the administrator the flexibility to allow or deny access based on approved domain names or IP addresses.

Another way to reduce the information lost to port scanning is to employ PortSentry, offered by Psionic. PortSentry detects connection requests on a set of chosen ports. It is customizable and can be configured to ignore a selected number of attempts. The administrator can choose which ports PortSentry listens on for connection requests and other kinds of unreasonable requests, and can configure ports that their system is not serving.
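As an added example (not from the original post), the following Python detector turns the Preventions advice and the scan types described above into a check that runs over firewall logs: it parses constructed iptables-style LOG lines, classifies each TCP probe by its flags (SYN, NULL, FIN, XMAS, ACK) and reports sources that send malformed-flag probes or sweep many ports. The log format, sample addresses and the port threshold are my assumptions.

```python
import re
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Constructed iptables-style LOG lines (not from the original post):
# 198.51.100.7 sweeps twelve ports with plain SYNs (-sS/-sT style),
# 198.51.100.9 sends XMAS, NULL and FIN probes (-sX, -sN, -sF), and
# 192.0.2.44 is an ordinary client opening one HTTPS connection.
SAMPLE_LOG = "\n".join(
    [f"kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP "
     f"SPT=40001 DPT={p} WINDOW=1024 SYN URGP=0"
     for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 445, 3389)]
    + [
        "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=50002 DPT=80 WINDOW=1024 URG PSH FIN URGP=0",
        "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=50002 DPT=443 WINDOW=1024 URGP=0",
        "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=50002 DPT=22 WINDOW=1024 FIN URGP=0",
        "kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51515 DPT=443 WINDOW=64240 SYN URGP=0",
    ]
)


def parse_line(line):
    """Return (src, dport, flags) for a TCP LOG line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    return m.group("src"), int(m.group("dpt")), flags


def probe_type(flags):
    """Map a flag set to the probe kinds described in the post."""
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"ACK"}:
        return "ACK"
    return "OTHER"


def detect_scans(log_text, port_threshold=10):
    """Return {src: [reasons]} for sources whose traffic looks like a port scan.

    Rule 1: any NULL, FIN or XMAS probe is a scan signal; no legitimate TCP
    connection ever starts with a segment that lacks SYN, ACK and RST.
    Rule 2: SYN or ACK probes to >= port_threshold distinct ports from one
    source indicate a sweep (the threshold is an assumption; tune it per site).
    """
    ports_by_src = defaultdict(set)
    odd_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport, flags = parsed
        kind = probe_type(flags)
        if kind in ("NULL", "FIN", "XMAS"):
            odd_by_src[src].add(kind)
        elif kind in ("SYN", "ACK"):
            ports_by_src[src].add(dport)
    alerts = {}
    for src in sorted(set(ports_by_src) | set(odd_by_src)):
        reasons = []
        if odd_by_src[src]:
            reasons.append("malformed-flag probes: " + ",".join(sorted(odd_by_src[src])))
        if len(ports_by_src[src]) >= port_threshold:
            reasons.append(f"sweep of {len(ports_by_src[src])} distinct ports")
        if reasons:
            alerts[src] = reasons
    return alerts
```

detect_scans(SAMPLE_LOG) flags the two probing sources and ignores the normal client; fed with real kernel LOG output it gives the same per-source verdicts PortSentry-style tooling is meant to produce.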

That is it for scanning. I covered lots of scanning techniques here; they are mainly used for hacking, pen-testing and bug bounty hunting, and also in red teaming.

Further posts on enumeration, fingerprinting and vulnerability assessment are coming soon.
Till then.


Happy Hacking..😊



Monday, December 23, 2019

Recon and Footprinting in hacking



the first step toward hacking



Reconnaissance plays a very important role in a successful hack. Recon and footprinting are so important that bug bounty hunters and ethical hackers spend almost 30% to 40% of their time on them. It is all about gaining valuable information about the target, such as open ports, what services they are running, vulnerabilities in the system and network, operating systems and so on; this information can then be used in hacking and exploitation.
Reconnaissance is the process of getting to know our target thoroughly.

Types of Reconnaissance

There are two types of recon: passive recon and active recon. Both have their advantages and disadvantages.

Passive Recon - Passive recon is like watching the target without interacting with it, which is why it is undetectable and stealthy.
Because it does not interact with the target it yields less valuable information and is slower than active recon, but its undetectability really helps in cases where anonymity for the attacker is a must.
Gathering information without making active connections is done with lots of tools and programs, which we will see further on in this tutorial.

Active Recon - In active recon we use many tools and programs to interact with the target, sending requests and gaining information about the target system thoroughly.
We can get the maximum amount of information about the target, but the disadvantage is that firewalls, IDS and other intrusion detection systems can catch us because of the increased number of requests we make; that makes it noisy and not good for a stealthy attack, though we can use some tricks, such as the NMAP stealth scan, to make it stealthier.
In many cases, though, it is fine to be noisy and get information fast, and active recon works perfectly there.

We have seen the types of recon; now it is time to introduce the common terms used in recon.

  • Discovery: First of all we need to know who our possible targets are, and learn all about them: who they are and what they expose.

  • Port Scanning: Ports are used to connect to applications and services and to manage the connection with them. Open ports are something to avoid, because they can be exploited very easily. Lots of services and applications run on ports, and scanning ports gives information about all of them.
  • OS Fingerprinting: While hacking, the target's operating system can play a very important role: many attacks and exploits only work against a specific operating system and version, so make sure to identify the OS during recon. Windows server attacks, for example, do not work on a Linux-based server.
Now we'll see how it works.


1) Whois lookup

WHOIS (pronounced 'who is') is an internet-based query-and-response domain lookup that can provide lots of information about a domain name: servers in the domain, the owner's information such as location, the services they use, and much more that can be made use of.
WHOIS also gives the domain's IP block, autonomous systems and other information in a human-readable format.
Just search for whois in Google, open a lookup site and type the website name you want to know about.



whois lookup


2) censys.io

Censys does a good job of scanning IP addresses and gathering information from a set of different ports. It gives us an overview of what lives on a system with the help of TLS handshakes, certificates in use, DNS configuration and many more things.
Censys gives detailed data from its scans of the ports and services used by the target and returns the freshest, most thorough results.
It gives actionable security insights about your attack surface.

 

 
Censys.io


 

3) Shodan.io

Shodan is a search engine used for information gathering and recon; it gives tons of data about a target that can be categorized by ports, services, hostnames, etc.
We can also search by the product a target uses, such as an Nginx server: we can give it queries to find that product and search for its instances.
Shodan is also very good for finding IoT devices connected to a network, who is using them, and much more, which is the best thing about it.
It lets us understand the digital footprint of a target and uncover what is directly accessible from the internet.



Shodan.io



4) Archive.org

Archive.org (the Wayback Machine) gives us all the data a website has had in the past, even when it has since been deleted or removed.
All we have to do is visit archive.org and search for our target; it gives us a timeline from when the website started, when posts were updated and so on. Just select the date and year you want to see and uncover the lost sensitive data.
Simple, but sometimes effective.


Archive.org sitemap



Archive.org



5) Google Hacking Database

Google is normally used for searching different websites and gives us simple results.
Using the GHDB, a set of search queries (usually called dorks), gives us results that are publicly available but not normally surfaced by a Google search.
For example, if you search with a dork like intitle: followed by a keyword, you get all sites that have that keyword in their title; the same goes for inurl:.


Google Hacking Database






6) nmap

All of the above are passive recon, but Nmap is an active one, and the only one you need. It can gather all the information about DNS, servers, IP addresses and much more.

I already posted a tutorial about nmap, check it out.

Recon and footprinting is the process of collecting as much information as possible about a target network. This gives us the blueprint of the attack to be carried out, and the information gathered by recon and footprinting can be very useful in further attacks and exploitation.
The term blueprint is used because it gives a detailed structure of the target to be attacked and makes it much easier to attack the vulnerable point instead of trying everything and getting frustrated.
Footprinting is done to:
  1. Decrease the attack area for faster attacking
  2. Get to know the security of the target
  3. Build an information database that will be used in an attack
  4. Generate network maps

Other methods of recon and footprinting include:

  1. Using social networking sites
  2. Communicating with the target directly (social engineering)
  3. Through job portals
  4. Email footprinting


Why it is necessary

Let's assume the scenario where you want to hack someone's bank account with phishing.
Throwing just any bank-account scam page at the person will alert them that it is fraud; they may complain to cybersecurity authorities or become even more careful about security. But if you recon and footprint the target carefully, you can gain information so that the target really trusts your mail and fills in the info.

This is my technique; you can use your own, as there are lots of things out there.
So that's it for recon and footprinting; stay tuned for the next steps.

till then..

Happy Hacking..😊

Thursday, December 19, 2019

SQL injection penetration testing using sqlmap




sqlmap is an automated Linux- and Windows-based tool for finding SQL injection vulnerabilities.
Given a vulnerable HTTP request URL, sqlmap can exploit the remote database and do a lot of hacking, like extracting database names, tables, columns, all the data in the tables, etc.

Sqlmap is a powerful Python hacking tool that works well on all the Linux distros such as Parrot, Kali Linux, etc.


Sqlmap is preinstalled in Kali Linux; if you want to install it manually, get it from GitHub. Simply use the command

git clone https://github.com/sqlmapproject/sqlmap

and sqlmap will download in a few minutes.



Sqlmap in linux




Sqlmap in kali linux



If it does not work, install the Python packages and try again. It works well with python2 in my case, see the above image.

Usage

Sqlmap has a hell of a lot of options; you can see them with -h (and -hh for the advanced help).

Now we will see the practical use of sqlmap with a live example. For this I am using Android, by public demand, with Termux.

For this we will need Termux.

We are using Kali NetHunter in Termux for a better experience.

Simply click on the link to learn how to install it if you still don't know.

Now start Kali NetHunter in Termux and use these commands:
startkali
ls
cd sqlmap
ls
python2 sqlmap.py

Now the sqlmap interface will be shown there.

As the target we are using the Acunetix vulnerable test website (testphp.vulnweb.com) for demonstration.

The login page looks like this:

Acunetix vulnerable login page

Now copy the page URL and paste it after --url in the command.

python2 sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 8 --dbms mysql --dbs

If no id parameter is present there, use 1 or crawl the site to find pages with an id and use that URL.

Now we can see that the database name acuart is shown there, so next we want to see what is in it.

Acunetix database


A database contains tables and columns that hold its information; that is what we are going to extract now.

First we need to see what tables are inside this database. To see them use the command:

python2 sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 8 --dbms mysql -D acuart --tables

-D selects the database we are looking at and --tables lists the tables inside it, which look like this:

tables in database

Now we can see lots of tables there containing information and credentials.
But we need usernames and passwords, so we will see what is in the table named 'users'.
Use this command to see the columns of the table 'users':

python2 sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 8 --dbms mysql -D acuart -T users --columns

Now the result shows us which columns are in the table users.

tables and columns in database


Now we can see email, cc, uname, pass, etc.

Lots of juicy stuff here.

We need to dump it now:

python2 sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" -o --threads 8 --dbms mysql -D acuart -T users --dump


This command dumps all the credentials in Termux. For the sake of security, admins store passwords as hashes, but sqlmap can also try to crack those hashes using a wordlist.

For us, though, the data is in plaintext.😊

database credentials


Look at the separators very carefully and you will see:

uname - test
pass - test

To test them, use them on the login page.

user credential


We got a successful login, and the attack succeeded.😉

That is it with sqlmap and SQL injection.

I used Termux on Android because there are lots of tutorials for other Linux platforms but Android users have very little information about how to use it there; it works the same on all platforms and works like a charm for finding SQL injection.
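As an added example (not code from the original post or from the Acunetix test site), here is the bug class sqlmap exploited above, reproduced in Python against an in-memory SQLite stand-in for the acuart schema: the vulnerable product listing splices the cat parameter into the SQL text, while the fixed version validates the type and binds it as a parameter. The table contents, the payload and the function names are constructed for the demo.

```python
import sqlite3


def make_demo_db():
    """Constructed stand-in for the page's 'acuart' schema (products plus a users table)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, cat INTEGER);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO products (name, cat) VALUES ('poster', 1), ('mug', 1), ('lamp', 2), ('chair', 3);
        INSERT INTO users VALUES ('test', 'test');
    """)
    return conn


def list_products_vulnerable(conn, cat):
    """The listproducts.php?cat= pattern: the request parameter becomes part of the SQL text.

    Whoever controls `cat` controls the query grammar, which is exactly what
    sqlmap detects and then uses to read other tables such as users.
    """
    sql = f"SELECT name FROM products WHERE cat = {cat} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_products_safe(conn, cat):
    """Fixed version: validate the expected type, then bind the value as a parameter.

    The driver sends the statement and the value separately, so the value can
    never change the statement's structure; the int() check also rejects junk
    early with a clear error instead of a database exception.
    """
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        raise ValueError("cat must be an integer category id")
    rows = conn.execute(
        "SELECT name FROM products WHERE cat = ? ORDER BY id", (cat_id,)
    )
    return [row[0] for row in rows]


def demo():
    """Show the difference on a normal value and on a tautology-style payload."""
    conn = make_demo_db()
    payload = "1 OR 1=1"          # constructed: turns the WHERE clause into 'always true'
    return {
        "vulnerable_normal": list_products_vulnerable(conn, "1"),
        "vulnerable_payload": list_products_vulnerable(conn, payload),
        "safe_normal": list_products_safe(conn, "1"),
    }
```

demo() shows the vulnerable query returning every product for the payload while the safe query returns only category 1; the same payload raises ValueError from list_products_safe before any SQL runs.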



stay blessed and happy hacking..
