Generating Scan Reports Using Nmap (Output Scan)


Hello friends, you may have used Nmap many times to perform network scanning and enumerate the active port services of a target machine, but sometimes we want to save the Nmap scan. Nmap's output options save the result of a scan in different formats.
Let’s Begin
Requirement
Attacker: Kali Linux
Target’s IP: 192.168.1.113
Normal Output Format
-oN  (normal output)
Nmap supports different formats for saving scan results. Depending on your needs, you can choose between normal, XML and grepable output. Normal mode saves the output as you see it on your screen, minus the runtime debugging information. This mode presents the findings in a well-structured and easy-to-understand manner.
nmap 192.168.1.113 -oN /root/Desktop/nmap




Now the scan is saved on the desktop and we can read it with cat or a text editor.
cat Desktop/nmap




XML Output Format
-oX  (XML output)

XML (Extensible Markup Language) is a widely known, tree-structured file format supported by Nmap. To save the scan results to a file in XML format, add the option -oX, as shown in the following command:
nmap -p80 192.168.1.113 -oX ~/Desktop/nmap.xml





Nmap also includes additional debugging information when you save the scan results in this format.
An XML file, when generated, will contain the following information:
·         Host and port states
·         Services
·         Timestamps
·         Executed command
·         Nmap Scripting Engine output
·         Run statistics and debugging information
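As an added example that is not part of the original article, the following Python reads exactly those items (executed command, timestamps, host and port states, services, run statistics) from a constructed, trimmed nmaprun document written in the shape Nmap produces.

```python
"""Pull the main fields out of Nmap XML (-oX) output with the standard library."""
import xml.etree.ElementTree as ET  # local nmap output; ET does not resolve external entities
# Constructed, trimmed nmaprun document in the shape Nmap writes (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p22,80 192.168.1.113 -oX nmap.xml" start="1704103200" version="7.80">
  <host starttime="1704103200" endtime="1704103205">
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.113" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    </ports>
  </host>
  <runstats><finished time="1704103205" elapsed="5.02"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

def parse_nmap_xml(text: str) -> dict:
    """Return the executed command, timestamps, per-host port states and run stats."""
    root = ET.fromstring(text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document")
    report = {"command": root.get("args"), "started": int(root.get("start")), "hosts": []}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        entry = {
            "ip": addr.get("addr") if addr is not None else None,
            "state": host.find("status").get("state"),
            "start": int(host.get("starttime", 0)), "end": int(host.get("endtime", 0)),
            "ports": [],
        }
        for port in host.iter("port"):
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else "",
            })
        report["hosts"].append(entry)
    stats = root.find("runstats/hosts")
    report["hosts_up"] = int(stats.get("up")) if stats is not None else None
    return report

def list_open_ports(report: dict) -> list:
    """(ip, port, service) for every open port in the report."""
    return [(h["ip"], p["port"], p["service"])
            for h in report["hosts"] for p in h["ports"] if p["state"] == "open"]
```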

You can view the output in Gedit; it will look as shown below.




We can also convert the Nmap scan that we saved in XML format earlier to a portable HTML report using the following command:
xsltproc Desktop/nmap.xml -o nmap.html





Now open the nmap.html file in your favourite browser. Here is a screenshot depicting the converted HTML report. As you can see, it is very simply formatted and easy to read and understand.





Script kiddie output

-oS  (ScRipT KIdd|3 oUTpuT)
Script kiddie output is like interactive output, except that it is post-processed to better suit the l33t HaXXorZ; this option was made to make fun of script kiddies.
nmap 192.168.1.113 -oS /root/Desktop/nmap





Now we can see that the file is saved on the desktop, and its content is similar to the normal scan output.
cat Desktop/nmap




Grepable Output Format

-oG  (grepable output)

The grepable format was included to help users extract information from logs without having to write a parser, as this format is meant to be read/parsed with standard UNIX tools. To save the scan results to a file in the grepable format, add the option -oG, as shown in the following command:
nmap 192.168.1.113 -oG /root/Desktop/nmap





In grepable mode, each host is placed on a single line, and each field is separated by tabs (\t). The number of fields depends on which Nmap options were used for the scan.
There are eight possible output fields:
·         Host: This field is always included, and it consists of the IP address and reverse DNS name if available
·         Status: This field has three possible values—Up, Down, or Unknown
·         Ports: In this field, port entries are separated by a comma and a space character, and each entry is divided into seven fields by forward slash characters (/)
·         Protocols: This field is shown when an IP protocol (-sO) scan is used
·         Ignored: This field shows the number of port states that were ignored
·         OS: This field is only shown if OS detection (-O) was used
·         Seq Index: This field is only shown if OS detection (-O) was used
·         IP ID Seq: This field is only shown if OS detection (-O) was used

cat Desktop/nmap
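As an added example (not from the original article), here is a small Python parser for the grepable format described above; the sample .gnmap text is constructed, and the seven slash-separated port sub-fields are port, state, protocol, owner, service, SunRPC info and version, in the order Nmap writes them.

```python
"""Parse Nmap grepable (-oG) output with the standard library only."""
import re
from dataclasses import dataclass, field

# Constructed sample of a .gnmap file (not real scan output); fields are tab-separated.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 192.168.1.113\n"
    "Host: 192.168.1.113 (target.lab)\tStatus: Up\n"
    "Host: 192.168.1.113 (target.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, "
    "80/open/tcp//http//Apache httpd 2.4/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.02 seconds\n"
)

# The seven '/'-separated sub-fields of each port entry, in the order Nmap writes them.
PORT_FIELDS = ("port", "state", "protocol", "owner", "service", "rpc_info", "version")

@dataclass
class HostRecord:
    ip: str
    hostname: str = ""
    status: str = ""
    ports: list = field(default_factory=list)
    ignored: str = ""

def parse_gnmap(text: str) -> dict:
    """Return one HostRecord per IP, merging the Status line and the Ports line."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' lines are the run header/footer, not host data
        fields = dict(f.split(": ", 1) for f in line.split("\t"))  # "Name: value" per tab
        m = re.match(r"(\S+) \((.*)\)", fields["Host"])            # "ip (reverse-dns)"
        rec = hosts.setdefault(m.group(1), HostRecord(ip=m.group(1), hostname=m.group(2)))
        rec.status = fields.get("Status", rec.status)
        rec.ignored = fields.get("Ignored State", rec.ignored)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            rec.ports.append(dict(zip(PORT_FIELDS, entry.split("/"))))
    return hosts

def open_ports(hosts: dict) -> list:
    """(ip, port, service, version) for every open port; handy for diffing two scans."""
    return [(h.ip, p["port"], p["service"], p["version"])
            for h in hosts.values() for p in h.ports if p["state"] == "open"]

if __name__ == "__main__":
    for row in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(*row)
```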




Saving Output in All Formats

-oA  (Output to all formats)
Nmap supports the alias option -oA, which saves the scan results in all of the available formats—normal, XML, and grepable. The different files will be generated with the extensions .nmap, .xml, and .gnmap.
nmap 192.168.1.113 -oA /root/Desktop/nmap





Now we check the directory and find all three types of file available to us.


Port scanning using Metasploit with IPTables


Port scanning is a technique used by penetration testers to identify the state of the network services associated with particular port numbers. For example, port 80 is available for the HTTP service and port 22 is available for the FTP service. We suggest using Nmap for enumerating port states; for best practice, learn in detail how Nmap works.
Moreover, Metasploit also provides port scanning modules for enumerating network services, which makes the job easier compared to Nmap.

Let’s start!!
Requirement
Attacker:  Kali Linux (192.168.1.103)
Target: Ubuntu (192.168.1.105)

Open a terminal on the target and add the iptables rules given below for incoming traffic; they drop TCP packets carrying only the ACK flag destined for port 80 and packets carrying only the SYN flag destined for port 22 respectively.

sudo iptables -I INPUT -p tcp --tcp-flags ALL ACK --dport 80 -j DROP
sudo iptables -I INPUT -p tcp --tcp-flags ALL SYN --dport 22 -j DROP


ACK Scan
Now open a terminal in your Kali Linux, type msfconsole to load the Metasploit Framework, and run the auxiliary module with the commands given below.
This module maps out firewall rulesets with a raw ACK scan. Any unfiltered ports found mean a stateful firewall is not in place for them.

As specified in the commands below, this module sends an ACK packet to ports 21, 22, 80 and 443 to enumerate the firewall state for these ports. If it receives a RST packet in reply from a destination port, it displays the unfiltered state for that port; if no RST packet comes back, it prints nothing for that port, which means the port is protected by the firewall.

use auxiliary/scanner/portscan/ack
msf auxiliary(ack) > set rhosts 192.168.1.105
msf auxiliary(ack) > set ports 21,22,80,443
msf auxiliary(ack) > exploit


From the image below you can observe that it shows TCP unfiltered for ports 21, 22 and 443 and says nothing about port 80, hence port 80 is filtered. This scan can only be used to identify the firewall state of a port, i.e. filtered or unfiltered.

We used Wireshark to demonstrate the ACK scan, and here you can observe that port 80 does not reply with a RST packet, which means the ACK packet for port 80 has been blocked by the network administrator.
SYN Scan

This module enumerates open TCP services using a raw SYN scan. Here a SYN packet is sent to ports 21, 22, 80 and 443 to enumerate the open/closed state of these ports. If it receives a SYN/ACK packet in reply from a destination port, it displays the OPEN state for that port; if no SYN/ACK packet comes back, it prints nothing for that port, which indicates a filtered or closed state.

use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set rhosts 192.168.1.105
msf auxiliary(syn) > set ports 21,22,80,443
msf auxiliary(syn) > exploit

From the image below you can observe that it shows TCP OPEN for ports 21, 80 and 443 and says nothing about port 22, hence port 22 is filtered or closed.


Again we used Wireshark to demonstrate the SYN scan, and here you can observe that port 22 does not reply with SYN/ACK, which means the SYN packet for port 22 has been blocked by the network administrator.
Moreover, you can observe the following packet exchange between source and destination port:
·         Source port sends SYN packet to destination port
·         Source port receives SYN, ACK packet from destination port
·         Source port sends RST packet to destination port


TCP Scan
Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.
use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set rhosts 192.168.1.105
msf auxiliary(tcp) > set ports 21,22,80,443
msf auxiliary(tcp) > exploit

This scan is similar to the SYN scan; the only difference is that it completes the full TCP communication, i.e. the 4-way handshake, whereas the SYN scan performs only half of the TCP communication.

From the image below you can observe that it shows TCP OPEN for ports 21, 80 and 443 and says nothing about port 22, hence port 22 is filtered or closed.



Here you can observe that port 22 does not reply with SYN/ACK, which means the SYN packet for port 22 has been blocked by the network administrator.
Moreover, you can observe the following packet exchange between source and destination port:
·         Source port sends SYN packet to destination port
·         Source port receives SYN, ACK packet from destination port
·         Source port sends ACK packet to destination port
·         Source port sends FIN, ACK packet to destination port

XMAS Scan
Enumerate open|filtered TCP services using a raw "XMas" scan; this sends probes containing the FIN, PSH and URG flags.
Instead of the TCP 3-way handshake, this scan uses other TCP flags to enumerate the state of the ports.
use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > set rhosts 192.168.1.105
msf auxiliary(xmas) > set ports 21,22,80,443
msf auxiliary(xmas) > exploit

From the image below you can observe that this time it shows TCP OPEN|FILTERED for all ports, i.e. 21, 22, 80 and 443.


If you look at the image below, the source port sends FIN, PSH and URG packets to the destination and the destination port does not send any reply to the source port, which indicates that the ports specified above are open; if a destination port sends a RST/ACK packet back to the source port, it indicates that the particular port is closed.
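Pulling the ACK, SYN, TCP connect and XMAS sections together, the following Python (an added example, not code from the article or from Metasploit) applies the probe/response rules described above to a constructed packet summary of the kind one reads off Wireshark, and recovers which scan was run against each port and what state the scanner would have inferred.

```python
"""Infer scan type and port state from probe/response pairs, as the four scans above behave."""
# Constructed packet summaries (not a real capture): "src > dst FLAGS",
# with S=SYN, A=ACK, R=RST, F=FIN, P=PSH, U=URG. 192.168.1.103 is the scanner.
SAMPLE_PACKETS = """\
192.168.1.103:41000 > 192.168.1.105:21 A
192.168.1.105:21 > 192.168.1.103:41000 R
192.168.1.103:41001 > 192.168.1.105:80 A
192.168.1.103:41002 > 192.168.1.105:21 S
192.168.1.105:21 > 192.168.1.103:41002 SA
192.168.1.103:41002 > 192.168.1.105:21 R
192.168.1.103:41003 > 192.168.1.105:22 S
192.168.1.103:41004 > 192.168.1.105:443 S
192.168.1.105:443 > 192.168.1.103:41004 SA
192.168.1.103:41004 > 192.168.1.105:443 A
192.168.1.103:41004 > 192.168.1.105:443 FA
192.168.1.103:41005 > 192.168.1.105:80 FPU
192.168.1.103:41006 > 192.168.1.105:21 FPU
192.168.1.105:21 > 192.168.1.103:41006 RA
"""

def group_flows(text):
    """Group packets by endpoint pair; whoever sent the first packet is the scanner."""
    flows = {}
    for line in text.splitlines():
        src, _, dst, flags = line.split()
        flow = flows.setdefault(frozenset((src, dst)), {"scanner": src, "target": dst, "pkts": []})
        flow["pkts"].append(("out" if src == flow["scanner"] else "in", flags))
    return list(flows.values())

def interpret(flow):
    """Return (scan_kind, target_port, inferred_state) for one probe flow."""
    probe = flow["pkts"][0][1]
    replies = [f for d, f in flow["pkts"] if d == "in"]
    follow_ups = [f for d, f in flow["pkts"][1:] if d == "out"]
    got_rst = any("R" in f for f in replies)
    port = int(flow["target"].rsplit(":", 1)[1])
    if probe == "A":      # ACK scan: a RST back means no stateful filter on that port
        return "ack", port, "unfiltered" if got_rst else "filtered"
    if probe == "S":      # SYN vs connect scan: the scanner either RSTs or ACKs the SYN/ACK
        kind = "connect" if "A" in follow_ups else "syn"
        if "SA" in replies:
            return kind, port, "open"
        return kind, port, "closed" if got_rst else "filtered"
    if probe == "FPU":    # XMAS scan: silence means open|filtered, RST/ACK means closed
        return "xmas", port, "closed" if got_rst else "open|filtered"
    return "other", port, "unknown"

def scan_view(text):
    return {(k, p): s for k, p, s in map(interpret, group_flows(text))}
```

scan_view maps (scan kind, target port) to the state the scanner would report, which is also what a defender reviewing the capture should expect to see logged.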


Understanding Guide to Mimikatz


What is Mimikatz?
Mimikatz is a tool written in C by Benjamin Delpy. It is a great tool for extracting plaintext passwords, hashes and Kerberos tickets from memory. It can also be used to generate Golden Tickets.
You can download Mimikatz as a ZIP or build it from the git source.
Mimikatz comes in two architectures: x32 and x64. Here is a screenshot of the x64 Mimikatz console.

Generate Skeleton Key with Mimikatz

Victim: Windows Server 2012 R2 (Domain Controller)
Attacker: Mimikatz (On Windows Server 2012 R2)
In this attack, Mimikatz patches the Domain Controller so that it accepts "mimikatz" as an additional logon password. It can be thought of as a master key that opens Active Directory to the attacker. This attack can be performed as shown below.
First, I will try to log on to my server using mimikatz as the password.

As you can clearly see, we cannot log on to the server using 'mimikatz' as the password.
Now I will log in to the server using its real password, which is 'T00r'.

And as you can see below, I have logged in to the server using the correct password.

If you are ever logged in on a server or have a server unlocked, you can use Mimikatz to create a skeleton key that is stored in the server's memory.
Launch the Mimikatz terminal matching the architecture of the server (x32, x64). First we will get the debug privilege in Mimikatz using
Command: privilege::debug
And then we will inject the mimikatz skeleton key in the memory of server using
Command: misc::skeleton
With this we have our skeleton key successfully injected on the server.
Note: You will have to open mimikatz with Administrative Privilege to create a Skeleton Key.

Now I will try to log in to the server using the skeleton key "mimikatz" we just injected into memory. Remember that last time we tried to log in to the server using mimikatz as the password we were unsuccessful.

But this time 'mimikatz' was accepted as a password. This does not mean that we reset the original password 'T00r'. The server will continue to accept 'T00r', but now it will also accept 'mimikatz' as a password.
Now, remember that we injected the skeleton key into memory, not onto disk, so the next time the admin restarts the server we will lose the access. So the best way to protect your Domain Controller from a skeleton key is to restart the server frequently or to prevent Mimikatz from accessing the memory.

Blue Screen of Death(bsod) with Mimikatz
Attacker: Mimikatz (on Windows 7)
Victim: Windows 7
We can perform a Blue Screen of Death or BSOD attack using Mimikatz. This shows how powerful this tool is. To perform the BSOD on a system, follow the steps mentioned below:
·         Run mimikatz with Administrator Privilege.
·         Start mimidrv service
Command: !+

Now initiate the BSOD with the following command.
Command: !bsod

As you can see below, we have the Blue Screen of Death error.
Note: This attack can corrupt data and potentially harm the system. Use Carefully !!

Display Hostname
You can extract the hostname of the victim system by typing hostname in the Mimikatz terminal.
Command: hostname
We have extracted the hostname of the system, which is Pavan-pc.

Golden Ticket Generation with Mimikatz
Attacker: Mimikatz on Windows Server 2012 R2
Victim: Windows Server 2012 R2
To Generate a Golden Ticket, we will require the following information:
1.       Domain
2.       SID
3.       NTLM Hash
Let’s get the Domain First.
To get the domain we will run ipconfig /all from the command line or PowerShell.

·         The domain on my server is Pavan.local
·         Now to get the SID we will use the whoami /user command as shown in the image below.

Now we will use Mimikatz itself to extract the NTLM hash required to generate the ticket.
First we will get the debug privilege using the following command.
Command: privilege::debug
And now to extract the hashes we will run the following command.
Command: sekurlsa::logonpasswords

And now we have it all that we need to generate the Ticket.
Syntax: kerberos::golden /domain:[Domain] /sid:[SID] /rc4:[NTLM Hash] /user:[Username To Create] /id:500 /ptt
Command: kerberos::golden /domain:PAVAN.LOCAL /sid:S-1-5-21-1118594253-693012904-2765600535 /rc4:9a7a6f22651d6a0fcc6e6a0c723c9cb0 /user:hacker /id:500 /ptt
Here I am creating the golden ticket for a user named 'hacker'; you can use any of the existing users of the domain or create a new one.
I am using the /ptt option to pass the ticket into the current session.

Now open a command prompt to access the share folder and execute the command given below:

Now that we are in the Z: drive, execute the commands given below to reach the NT Directory Services folder:
cd WINDOWS\NTDS
DIR
As you can see, we get access to the share folder, which cannot be accessed without admin rights, yet we obtained it without running CMD as administrator. In the image below you can observe that it shows 8 files and 2 folders.

Remotely Generating Golden Ticket
Attacker: Kali
Victim: Windows Server 2012 R2
First, get Meterpreter access to the server.

Once you have the Meterpreter session, upload the Mimikatz folder to the victim system using the command
Command: upload -r /root/Desktop/mimi c:\
Remember to use -r so that the upload command uploads recursively.

Open a shell and extract the domain using ipconfig /all

And the SID using whoami /user

Now go to the location where we uploaded Mimikatz earlier and run mimikatz.exe as shown below

Now let's extract the krbtgt NTLM hash using the following command

Command: lsadump::lsa /inject /name:krbtgt

Now, using all the information extracted, let's generate a golden ticket in the same way we did above.
Command: kerberos::golden /domain:pavan.loc /sid:S-1-5-21-97841242-3460736137-492355079 /rc4:e847d2e54044172830e3e3a6b8438853 /user:Hacker /id:500 /ptt

Now let's access the share folder; as you can see, we get access to the share folder, which cannot be accessed without admin rights.
Hence we successfully generated a golden ticket on a Windows Server remotely via Kali.

Hack the Minesweeper Game

We have all played the Minesweeper game, and it is tough to get all the mines right, but those days of worry are over. To show that Mimikatz is a powerful but also playful tool, here I will hack the Minesweeper game using Mimikatz.
First, open the Mimikatz build for your architecture.

And then open the Minesweeper game.

Load Minesweeper into Mimikatz using
Command: minesweeper::infos
You can see in the screenshot above that the Minesweeper grid is shown in the Mimikatz shell.

Now click on any random block on the Minesweeper grid.

Now run the previous command again, and we have the locations of the mines on the grid.

You can compare this image with the one from the Mimikatz shell.


Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester.