Post Exploitation in Windows using dir Command

In this article you will learn how to use the Windows command-line command "dir" from a Metasploit session to list and extract file information, count the files with a particular extension, and much more.
dir Command: It displays a list of a directory's files and subdirectories.
Syntax
dir [<drive>:][<path>][<filename>] [/p] [/q] [/a[[:]<attributes>]] [/s] [/b]

[/p]: Displays one screen of the listing at a time.

[/q]: Displays file ownership information.
[/s]: Lists every occurrence of the specified file name within the specified directory and all subdirectories.
[/b]: Displays a bare list of directories and files, with no additional information.
[/a]: Attributes (additional options).
It is usually combined with attribute letters such as:
[/ad]:  Directories
[/ah]:  Hidden files
[/as]:  System files
[/a-attribute]: NOT; prefixing an attribute with - selects the entries that do not have it.
Now, to use dir for post exploitation, we need an administrator-privileged shell on the victim, which can be obtained as described here.
Now we will use different combinations of the attributes and parameters to extract data from victim’s system.

Find Directories using a search string

Here, we are using the following options with the dir command:
[/b] to get a bare listing,
[/s] to search all subdirectories as well,
[/ad] to list only directories,
whose names contain the string *sales*.
Syntax: dir /b /s /ad [directory]\*string*

Example:  dir /b /s /ad d:\*sales*


Find the Number of Files/Directories in a Directory

To get the number of files, pipe [|] the output of dir into the find command.

Example: dir /b | find /c /v ""

Here [/b] gives a bare listing, the [/c] switch tells find to count the lines that contain the search string, and the [/v] switch inverts that so that every line NOT containing the string is counted. The string given here is the empty string "", and since a file name cannot be empty, every file name is counted.

The above command returns the number of files in the directory you are currently in. In my case it returns 22, which means the victim has 22 files in his D:\ directory.


Find the Number of Files
Example: dir /b /s /a-d d:\*sales* | find /c /v ""
[/ad] selects directories only.
[-] is used as NOT, so [/a-d] selects the entries that are not directories, i.e. files.
Again find /c /v "" is used to get the count. From the image below you can observe that it found 5 files inside the sales folder.


Find the Number of Directories
Syntax: dir /b /s /ad [directory]\*string* | find /c /v ""
Example: dir /b /s /ad d:\*sales* | find /c /v ""
Here we get the number of directories whose names contain *sales*; the *string* part can be anything.
[/ad] selects directories only.
Again find /c /v "" is used to get the count, and from the image below you can observe that it found 5 subdirectories inside the sales folder.


Find Files of a particular extension
In the given example I searched for .xlsx files, which are MS Excel files, but it can be used for files of any extension, such as pdf, png, exe, docx etc.
Syntax: dir /b /s [directory]\*extension*
Example: dir /b /s d:\*.xlsx*
From the image below you can read the names of the Excel files inside the D: drive.


Find the Number of Files of a particular Extension
If we append find /c /v "" we get the number of files with that extension, as shown below.
Example: dir /b /s d:\*.xlsx* | find /c /v ""
From the image below you can observe that it found 4 Excel files inside the D: drive.


Find the Number of Hidden Files/Directories
To list hidden files we use the attribute [/ah].
Combined with find /c /v "", it gives the number of hidden files/directories in the given directory, as shown below.
Syntax: dir /b /ah [directory] | find /c /v ""
Example: dir /b /ah d:\ | find /c /v ""
From the image below you can observe that it found 3 hidden files inside the D: drive.


Find the Hidden Files/Directories in a Directory
To view the hidden files in the given directory we use the attribute [/ah] together with [/b] to get a bare listing of the hidden files.
Syntax: dir /b /ah [directory]
Example: dir /b /ah d:\
From the image below you can read the names of the hidden files inside the D: drive.


Find the System Files Stored in a Directory
To list system files we use another attribute, [/as]; combined with [/b] it gives the names of the system files stored in the given directory.
Example: dir /b /as d:\
From the image below you can read the names of the system files inside the D: drive.
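All of the commands above follow one pattern: a recursive dir with a name wildcard and an attribute filter, counted by piping into find /c /v "". As an added example (not code from the original article), the Python script below reproduces that logic on a constructed folder tree standing in for the victim's D: drive, so the counts can be checked without a Windows target; the tree layout and file names are assumptions.

```python
"""Emulates the dir / find pipelines from the article on a constructed folder tree.
Added example, not part of the original article."""
import fnmatch
import os
import tempfile


def dir_bare(root, pattern="*", recurse=True, kind="all"):
    """Entries under root whose NAME matches pattern, like dir /b [/s] [/ad | /a-d].
    kind: "all" (no /a switch), "dirs" (/ad) or "files" (/a-d). With recurse the
    wildcard is applied to names at every depth, as dir /s does; matching is
    case-insensitive like Windows. Paths are returned relative to root."""
    hits = []
    for base, dirs, files in os.walk(root):
        names = []
        if kind in ("all", "dirs"):
            names += dirs
        if kind in ("all", "files"):
            names += files
        for name in names:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                hits.append(os.path.relpath(os.path.join(base, name), root))
        if not recurse:
            break
    return sorted(hits)


def count_lines(entries):
    """What `| find /c /v ""` adds: the number of non-empty output lines."""
    return sum(1 for e in entries if e != "")


def build_sample_tree():
    """Constructed stand-in for the victim's D: drive (layout is an assumption)."""
    root = tempfile.mkdtemp(prefix="drive_d_")
    for d in ("Sales", "Sales/2017", "Sales/archive", "HR", "Reports/sales_eu"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("Sales/q1.xlsx", "Sales/2017/q2.xlsx", "Sales/notes.txt", "HR/staff.xlsx",
              "HR/sales_bonus.xlsx", "Reports/sales_eu/forecast.xlsx",
              "Reports/sales_summary.docx", "readme.txt"):
        open(os.path.join(root, f), "w").close()
    return root


if __name__ == "__main__":
    d = build_sample_tree()
    print('dir /b /s /ad D:\\*sales*  | find /c /v "" ->', count_lines(dir_bare(d, "*sales*", kind="dirs")))
    print('dir /b /s /a-d D:\\*sales* | find /c /v "" ->', count_lines(dir_bare(d, "*sales*", kind="files")))
    print('dir /b /s D:\\*.xlsx*      | find /c /v "" ->', count_lines(dir_bare(d, "*.xlsx*")))
```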


Forensic Data Carving using Foremost

Foremost is a program used to carve data out of disk image files; it is an extremely useful tool and very easy to use.
For the purpose of this article we used an Ubuntu disk image file and repeated the process twice, to see whether Foremost can carve data out of incomplete disk images as well. We used Kali Linux, but you can install Foremost on pretty much any Linux distro.
Here’s how it was done:

Navigate to the Applications menu in Kali; Forensics is option 11. The fifth option from the top in the Forensics menu is Foremost. Click on it and let's get to carving some data!




To keep things simple, first navigate to the Desktop using "cd Desktop".
Next, make a folder on the desktop named "recov". This isn't a mandatory step; it just makes the carved data easier to reach by giving it its own folder.


We will be dealing with the disk image of a flash drive partition, so let's make one using the "dd" command. dd copies files and can convert the data format in the process.
In the interest of thoroughness we copied .docx, .jpeg, .png, .zip, .pdf and .avi files onto the partition from which we will make our disk image.


Now let's make a disk image.
In a new terminal window, type "fdisk -l | grep /dev/". This command shows the disk partitions available to you without any clutter.


The partition we are concerned with is /dev/sdb2; it was deliberately allocated only 10 MB of space so that imaging is quick.
The command to create the disk image is "dd if=/dev/sdb2 of=disk.img". Here "dd" is the utility we are using, "if=" denotes the input file (the partition) and "of=" denotes the output file, i.e. the name of the image we are creating.




This disk image file will be carved for the .jpeg, .png, .zip, .pdf and .avi file formats. We will not instruct Foremost to carve .docx but, since one exists inside the .zip we placed on the disk image, it will be recovered along with it.
Type "foremost -t jpeg,png,zip,pdf,avi -i disk.img -o recov -v".
To break this down, "-t" sets the file types we want to carve out of the disk image, here jpeg, png, zip, pdf and avi.
"-i" specifies the input file, the "disk.img" that is on the desktop.
"-o" tells Foremost where to store the carved files, for which we made the "recov" folder on the desktop earlier.
"-v" tells Foremost to log all the messages that appear on screen while carving into a text file in the output folder (recov), as an audit report.


That’s all it takes for Foremost to start digging into the disk image. The process looks like this.






First, the audit report. It shows us the particulars of the scan, which file types were carved, from which image file, the size of the image file, where it was located, where the output folder was located, etc. Let’s have a look.


The end of the report shows the total number of files extracted, with more particulars.

We will open one file from the jpg folder to see what we have.


One from the png folder.


Inside the docx folder.








This is a very interesting tool and its simplicity is what makes it stand out.
The only issue I could see with this is that the file names are not recovered, which can make the search process very tedious unless automation and a frame of reference are available.
That being said, in forensics, just being able to recover the files without opening or extracting the disk image itself is a huge advantage: if you do extract or open the disk image you never know what might be waiting for you inside, and this way you keep more control over the entire investigation process. Enjoy using this tool.
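Foremost recovers files by scanning the raw image for known headers and cutting at the matching footer, which is also why the original file names are lost. As an added example (not Foremost's code and not part of the original article), the Python carver below does the same for JPEG and PNG on a constructed image buffer, skipping a header whose footer is missing as happens with an incomplete image; the two signatures are real, while the embedded files and the 20 MB size bound are assumptions.

```python
"""Minimal header/footer carver in the spirit of Foremost.
Added example: not Foremost's code and not part of the original article."""
import os

# (extension, header, footer, extra bytes kept after the footer). A PNG ends with
# the IEND chunk, whose 4-byte CRC follows the "IEND" tag.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 0),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND", 4),
]
MAX_SIZE = 20 * 1024 * 1024  # assumed bound on one carved file, as carvers use


def carve(image):
    """Find every known header in the raw image and cut at its matching footer.
    Returns (name, offset, data) tuples. Names are offset-based because the
    carved bytes carry no file-system metadata, so original names are lost."""
    found = []
    for ext, header, footer, tail in SIGNATURES:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + MAX_SIZE)
            if end < 0:  # header with no footer (truncated image): skip it
                pos = start + 1
                continue
            end += len(footer) + tail
            found.append((f"{start:08d}.{ext}", start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def carve_to_dir(image, outdir):
    """Write carved files into per-type subfolders, like Foremost's output tree."""
    names = []
    for name, _, data in carve(image):
        sub = os.path.join(outdir, name.rsplit(".", 1)[1])
        os.makedirs(sub, exist_ok=True)
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


# Constructed image: filler, a fake JPEG, filler, a fake PNG, filler.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"jpeg-body" * 4 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"png-chunks" * 4 + b"IEND\xaeB`\x82"
IMAGE = b"\x00" * 64 + FAKE_JPEG + b"\xff" * 32 + FAKE_PNG + b"\x00" * 64

if __name__ == "__main__":
    for name, offset, data in carve(IMAGE):
        print(f"{name}: offset {offset}, {len(data)} bytes")
```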

Have fun and stay ethical.

About The Author
Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

How to Configure Suricata IDS in Ubuntu

Suricata is developed by the Open Information Security Foundation. Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Features

IDS / IPS
Suricata implements a complete signature language to match on known threats, policy violations and malicious behaviour. Suricata will also detect many anomalies in the traffic it inspects. Suricata is capable of using the specialized Emerging Threats Suricata ruleset and the VRT ruleset.

High Performance
A single Suricata instance is capable of inspecting multi-gigabit traffic. The engine is built around a multi threaded, modern, clean and highly scalable code base. There is native support for hardware acceleration from several vendors and through PF_RING and AF_PACKET.
Automatic protocol detection

Suricata will automatically detect protocols such as HTTP on any port and apply the proper detection and logging logic. This greatly helps with finding malware and CnC channels.

NSM: More than an IDS
Suricata can log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk. The full pcap capture support allows easy analysis. All this makes Suricata a powerful engine for your Network Security Monitoring (NSM) ecosystem.
From: https://suricata-ids.org/

Lets Begin!!
We chose Ubuntu for the installation and configuration of Suricata. Before installing Suricata on your machine, install the necessary dependencies: open the terminal and type the command below to update the package index and install the prerequisites.

apt-get update


This is the easiest way to install and configure Suricata on your system, because everything it needs, whether the Suricata rules directory or the logging directory, is provided by the packages in the apt repository. Enter the command below to begin the Suricata installation.

apt-get install suricata -y


touch /etc/suricata/rules/local.rules


gedit /etc/suricata/suricata-debian.yaml


The two most important steps we need to perform here:
1. Comment out all the other rule files listed, so that only your local rule file is loaded.
2. Add local.rules to the rule-files list.


Now add the network CIDR for which the IDS will filter incoming and outgoing traffic, as shown in the image below.
Here we set HOME_NET to 192.168.1.0/24.


Now open the local rule file to add your own network filtering rules inside it:
gedit /etc/suricata/rules/local.rules


If you are not familiar with its rule configuration, don't worry: writing rules for Suricata works the same way as for Snort. For help, open this link for details of IDS rule implementation.
alert icmp any any -> 192.168.1.111 any (msg:"ICMP detected"; sid:10000001;)

The above rule will generate an alert when any IP on the network sends ICMP packets to 192.168.1.111, for example by pinging it.


Now execute the following command to disable GRO (generic receive offload) on the capture interface with the help of ethtool.

ethtool -K ens33 gro off


Then start Suricata in NIDS mode using the command below.

suricata -c /etc/suricata/suricata-debian.yaml -i ens33


Now let's ping the IP 192.168.1.111 from another system to test whether our NIDS generates an alert for ICMP packets. From the given image you can read the command ping 192.168.1.111, where you can observe that it sent 3 ICMP request packets.


Suricata's alert logs are written under /var/log/suricata, and you can use the command below to read the captured alerts.
tail -f /var/log/suricata/
As a result, Suricata in NIDS mode captured only the 3 ICMP packets from IP 192.168.1.102, for which you can observe in the image below that it generated the alert "ICMP Detected". This happens because in the rule above we used the "->" one-directional operator, which means it only captures traffic going from the source IP to the destination IP.
Here you can see that all the ICMP packets are going from 192.168.1.102 to 192.168.1.111, which means only the ICMP echo-request packets from the source IP were captured.


Detect SQL Injection Attack using Snort IDS

Hello friends!! Today we are going to discuss how to detect SQL injection attacks using Snort, but before moving ahead kindly read both of our previous articles on Snort installation (manually or using the apt repository) and on its rule configuration to enable it as an IDS for your network.

In this tutorial we use Snort to capture the network traffic and analyse it for the SQL injection quotes that an attacker injects into a web page to obtain information about a web server's database. Snort generates an alert when it catches such malicious traffic on its network, so the network administrators are immediately alerted to the suspicious traffic and can take effective action against the attacking IP.

Requirement
IDS: Snort (Ubuntu)
Web application: Dhakkan

You can configure your own web server with the help of our article "Configure Web server for penetration testing".

Let’s Begin!!

Identify Error Based SQL injection
As we know, in error-based SQL injection the attacker uses single quotes (') or double quotes (") to break the SQL query and identify the vulnerability. Therefore be smart and add a rule in Snort which will detect error-based SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database.

Execute the command below in Ubuntu's terminal to open the Snort local rule file in a text editor.
sudo gedit /etc/snort/rules/local.rules

Now add the lines below, which will capture the incoming traffic to any network IP via port 80.

alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%27"; sid:100000011;)
alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%22"; sid:100000012;)

If you read the rules above you can notice that I applied filters for the content "%27" and "%22", which are the URL-encoded forms the browser uses for a single quote (') and a double quote (") respectively when the URL is requested.
Turn on IDS mode of snort by executing given below command in terminal:

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


Now test the rule above by making an error-based SQL injection attack on the web application "Dhakkan": open the server IP in a web browser and use a single quote (') to identify the SQL injection vulnerability, as shown below.
192.168.1.20/sqli/Less-1/?id=1'
For more detail on Error Based SQL injection read our previous article.

Now, when the attacker submits the malicious quote in the browser to test for error-based SQL injection, the network IDS should capture this content and generate the alert.



When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


Testing Double Quotes
Now again open the server IP in a web browser and use a double quote (") to identify the SQL injection vulnerability, as shown below.
192.168.1.20/sqli/Less-4/?id=1"



When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


As we know, in Boolean-based SQL injection the attacker uses the AND/OR operators to confirm whether the database is vulnerable to Boolean SQL injection by evaluating the results of various queries which return either TRUE or FALSE.

Now add rules in Snort which will detect Boolean-based SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database. Here I applied filters for the content "and" and "or" to be captured. Here nocase means not case sensitive, so it matches AND/and and OR/or.
alert tcp any any -> any 80 (msg:"AND SQL Injection"; content:"and"; nocase; sid:100000060;)
alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"or"; nocase; sid:100000061;)
Turn on IDS mode of snort by executing given below command in terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


Again open the server IP in a web browser and use the AND operator to identify the Boolean SQL injection vulnerability, as shown below.
192.168.1.20/sqli/Less-8/?id=1' AND 1=1 --+
For more detail on Boolean Based SQL injection read our previous article.

Now, when the attacker submits the malicious query in the browser to test for Boolean-based SQL injection, the network IDS should capture this content and generate the alert.



As expected, from the given image you can observe that Snort has generated an alert for Boolean-based SQL injection when it captured the content AND.

When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


Similarly, test the OR operator:
192.168.1.20/sqli/Less-8/?id=1' OR 1=1 --+
Now, when the attacker submits the malicious query in the browser to test for Boolean-based SQL injection, the network IDS should capture this content and generate the alert.



When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


Similarly, in the rules below I applied filters for the content "%26%26" and "%7c%7c", which are the URL-encoded forms the browser uses for && and || respectively when the URL is requested.
alert tcp any any -> any 80 (msg:"AND SQL Injection"; content:"%26%26"; nocase; sid:100000008;)
alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"%7c%7c"; nocase; sid:100000009;)
Turn on IDS mode of snort by executing given below command in terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


Again open the server IP in a web browser and use the && operator to identify the Boolean SQL injection vulnerability, as shown below.
192.168.1.20/sqli/Less-25/?id=1' %26%26 1==1 --+
For more details read our previous article

Now, when the attacker submits the malicious query in the browser to test for Boolean-based SQL injection, the network IDS should capture this content and generate the alert.


As expected, from the given image you can observe that Snort has generated an alert for Boolean-based SQL injection when it captured the content %26%26.

When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


Testing Encoded OR Operator
Again open the server IP in a web browser and use the || operator to identify the Boolean SQL injection vulnerability, as shown below.
192.168.1.20/sqli/Less-25/?id=1' %7C%7C 1==1 --+
Now, when the attacker submits the malicious query in the browser to test for Boolean-based SQL injection, the network IDS should capture this content and generate the alert.


As expected, from the given image you can observe that Snort has generated an alert for Boolean-based SQL injection when it captured the content %7C%7C.

When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


Identify Form Based SQL injection

Form-based SQL injection is also known as "POST error-based SQL injection", because the attacker enters the malicious quotes inside the login form of a web page, in the text fields for the username and password used to log in to the web server.
Therefore now add a rule in Snort which will detect form-based SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database.

alert tcp any any -> any 80 (msg:"Form Based SQL Injection"; content:"%27"; sid:1000003;)

If you read the rule above you can notice that I applied a filter for the content "%27" to be captured; turn on IDS mode of Snort by executing the command below in the terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


I used a single quote (') to break the query inside the username text field and then clicked on submit.
Username: '
From the given screenshot you can see we got an error message (in blue colour), which means the database is vulnerable to SQL injection.
For more detail on Form Based SQL injection read our previous article.

Now, when the attacker submits the malicious quote in the form to test for form-based SQL injection, the network IDS should capture this content and generate the alert.


As expected, from the given image you can observe that Snort has generated an alert for form-based SQL injection when it captured the malicious quote.

When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


Identify Order by SQL injection
To identify the number of columns in the database, the untrusted user may use the ORDER BY clause, which arranges the result set in ascending or descending order of the columns used in the query.


alert tcp any any -> any 80 (msg:"Order by SQL Injection"; content:"order"; sid:1000005;)
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


192.168.1.20/sqli/Less-1/?id=1' order by 1,2,3 --+
Now, when the attacker submits the malicious string in the browser to test for ORDER BY SQL injection, the network IDS should capture this content and generate the alert.



When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


Identify UNION SELECT SQL injection
We all know that in error-based SQL injection the attacker may use the UNION operator to combine the result sets of two or more SELECT statements. Therefore add a rule in Snort which will detect UNION SELECT SQL injection on the server when someone tries to execute an SQL query on your network for unprivileged access to the database. Here again I applied a filter for the content "union" to be captured.

alert tcp any any -> any 80 (msg:"UNION SELECT SQL Injection"; content:"union"; sid:1000006;)
Turn on IDS mode of snort by executing given below command in terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


192.168.1.20/sqli/Less-1/?id=-1' union select 1,2,3 --+
Now, when the attacker submits the malicious string in the browser to test for UNION SELECT SQL injection, the network IDS should capture this content and generate the alert.


As expected, from the given image you can observe that Snort has generated an alert for UNION SELECT SQL injection when it captured the malicious string.

When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.


We know that the group_concat function used along with union select is quite a dangerous query, used to extract the records of a database such as the username and password of the admin panel. Therefore, to capture such suspicious activity on your network, add the rule below to the local rule file. Here I applied a filter for the content "group_concat" to be captured.

alert tcp any any -> any 80 (msg:"Group Concat SQL Injection"; content:"group_concat"; sid:1000007;)
Turn on IDS mode of snort by executing given below command in terminal:
sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0


192.168.1.21/sqli/Less-1/?id=-1' union select 1,group_concat(username),group_concat(password) from users --+

Then the network IDS should capture this content and generate the alert.


As expected, from the given image you can observe that Snort has generated an alert for group_concat SQL injection when it captured the malicious string.

When the network admin gets this alert from the IDS he can take action against the attacking IP; as shown in the given image, the malicious traffic is coming from 192.168.1.21 on port 80.
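The Suricata ICMP rule in the previous article and the Snort HTTP rules in this one share the same header and option syntax, so one evaluator can illustrate both: the one-directional "->" operator that ignores the echo reply, and the content/nocase matching against the URL-encoded quotes. The Python below is an added example (not Snort's or Suricata's code, and not part of the original articles) that parses three of the rules shown above and applies them to constructed events; the sample events, source ports and the benign request are assumptions.

```python
"""Toy evaluator for rules in the Snort/Suricata format used in this article.
Added example: not Snort's or Suricata's code, and not from the original articles."""
import ipaddress
import re

# header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text):
    """Parse one rule line into a dict; only msg, content, nocase and sid are kept."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport")
    rule = dict(zip(keys, m.groups()[:7]), contents=[], nocase=False, msg="", sid="")
    for opt in m.group(8).split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            rule["contents"].append(val)
        elif key == "nocase":
            rule["nocase"] = True
        elif key in ("msg", "sid"):
            rule[key] = val
    return rule


def _addr_ok(spec, addr):
    # "any", one IP, or a CIDR such as the HOME_NET 192.168.1.0/24 set earlier
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def matches(rule, ev):
    """True when the event fits the rule header and carries every content string."""
    if rule["proto"] != ev["proto"]:
        return False
    fwd = (_addr_ok(rule["src"], ev["src"]) and _port_ok(rule["sport"], ev["sport"])
           and _addr_ok(rule["dst"], ev["dst"]) and _port_ok(rule["dport"], ev["dport"]))
    rev = (_addr_ok(rule["src"], ev["dst"]) and _port_ok(rule["sport"], ev["dport"])
           and _addr_ok(rule["dst"], ev["src"]) and _port_ok(rule["dport"], ev["sport"]))
    # "->" fires only for traffic from the rule's source side to its destination
    # side (the echo reply going back is ignored); "<>" accepts both directions.
    if not (fwd or (rule["direction"] == "<>" and rev)):
        return False
    payload = ev.get("payload", "")
    if rule["nocase"]:
        return all(c.lower() in payload.lower() for c in rule["contents"])
    return all(c in payload for c in rule["contents"])


def alerts(rules, ev):
    """Return the sid of every rule that fires on the event, in rule order."""
    return [r["sid"] for r in rules if matches(r, ev)]


RULES = [parse_rule(r) for r in (
    'alert icmp any any -> 192.168.1.111 any (msg:"ICMP detected"; sid:10000001;)',
    'alert tcp any any -> any 80 (msg:"Error Based SQL Injection"; content:"%27"; sid:100000011;)',
    'alert tcp any any -> any 80 (msg:"OR SQL Injection"; content:"or"; nocase; sid:100000061;)',
)]

# Constructed sample events (not captured traffic); ICMP has no ports, so 0 is used.
ECHO_REQUEST = {"proto": "icmp", "src": "192.168.1.102", "sport": 0, "dst": "192.168.1.111", "dport": 0}
ECHO_REPLY = {"proto": "icmp", "src": "192.168.1.111", "sport": 0, "dst": "192.168.1.102", "dport": 0}
SQLI_GET = {"proto": "tcp", "src": "192.168.1.21", "sport": 51234, "dst": "192.168.1.20", "dport": 80,
            "payload": "GET /sqli/Less-1/?id=1%27 HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"}
BENIGN_GET = {"proto": "tcp", "src": "192.168.1.21", "sport": 51235, "dst": "192.168.1.20", "dport": 80,
              "payload": "GET /store/orders.html HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n"}
```

The benign request fires the "or" rule because that bare content string also occurs inside ordinary URIs such as /store/orders.html, so in production such rules need a more specific pattern and should be anchored to the HTTP URI rather than matched against the whole payload.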