Hack To Learn: Vulnerability Scanning

Hello World and welcome to HaXeZ, today I’m going to be covering Vulnerability Scanning. This post is continuing the Hack To Learn series where I cover the basics of the different phases of hacking or penetration testing. So far we have covered Environment Setup, Hacking Legally, and Open Source Intelligence Gathering.

Vulnerability Scanning

Once you have completed the open source intelligence gathering phase, it’s time to start looking for vulnerabilities. Vulnerability scanning is the process of using automated tools to identify known weaknesses on a target, such as outdated software versions, missing patches, default credentials and insecure configurations, usually by matching service banners and responses against a database of known issues. There are many different tools that can perform vulnerability scans, and the type of target you are scanning will determine which tools you use. For example, if you’re looking for vulnerabilities that affect services on a host, then you could use Nmap, Nessus, OpenVAS, and many others. However, if you’re attacking a web application, then you would more likely use Nikto, Burp Suite, OWASP ZAP, or a similar tool. Whatever the tool, its output is a list of candidate findings: each one still has to be verified by hand before it goes in a report.

Nmap Vulnerability Scanning

If you haven’t seen my post on Nmap then I would recommend giving it a read. It covers Nmap in more detail than I intend to here. With that said, Nmap is a fantastic vulnerability scanner. Early in my IT career, I had many misconceptions about Nmap. I thought it was merely a network scanner used to identify which hosts were online and what services were running. How naive I was: Nmap is a comprehensive network auditing tool that, through the Nmap Scripting Engine (NSE), can identify and in some cases exploit vulnerabilities. I use it on almost every project I’m on. I highly recommend reading more about the different flags and scripts before recklessly running them like I’m about to do.

The image below shows the output of an Nmap scan configured to find vulnerabilities; you can see from the results that it has found some CVEs. I first specified the ‘-g 53’ flag to set the source port to 53. This is useful for firewall evasion, as some firewalls are configured to allow traffic with a source port of 53 (DNS) in from anywhere. I then specified the ‘-f’ flag to fragment the packets. This splits the TCP header across several 8-byte IP fragments, which can also help evade simple packet filters that only inspect the first fragment. Then I specified ‘-sV’ to get the service versions, ‘-p0-’ to scan every port from 0 to 65535, and ‘-O’ to attempt operating system detection. Next, I specified the ‘--script’ argument followed by the script categories to execute: ‘vuln’ checks for known vulnerabilities, ‘auth’ tests for weak or missing authentication, and ‘exploit’ actively attempts to exploit what it finds, which is why this is not safe against anything you care about. Finally, I added the IP address and ‘-T5’ to speed it up, at the cost of reliability, since the fastest timing template will drop results on a slow or lossy network.

This configuration is incredibly reckless and you should never use it against production environments. I’m merely using it to demonstrate the power of Nmap. Do NOT do this.

sudo nmap -g 53 -f -sV -p0- -O --script vuln,auth,exploit 10.0.2.5 -T5
[Image: Nmap Vulnerability Scanning]

Nessus Vulnerability Scanning

Where to start! Nessus from Tenable is a powerful, multifunctional vulnerability scanning and auditing solution. It can be used to scan entire ranges of IP addresses or to perform compliance audits from uploaded configuration files. Whether you’re on team red or blue, chances are you’ve used it or at least heard of it. Nessus is likely going to be your tool of choice when performing vulnerability assessments or full-on penetration tests. I will probably create a separate article and video focusing on Nessus as part of the Hacker Tools series. All you need to know for the moment is that it is an effective vulnerability scanner. Tenable offers Nessus Essentials, a free version limited to a small number of IP addresses, for you to play around with, and I highly recommend giving it a go. However, the professional version has many more cool toys.

The image below is of an advanced scan that I performed against the Metasploitable 2 virtual machine. I configured it to scan all ports (0-65535) and disabled the Denial of Service plugin family so that the scan would not knock services over. Other than that, I only changed the report settings to include as much information as possible. As you can see, it has found a bunch of issues (as expected).

[Image: Nessus Vulnerability Scanning]

Nikto Web Application Scanning

Nikto is a free CLI web application vulnerability scanner. It will search for interesting directories and files, analyze response headers, check for outdated server software, and look for known vulnerabilities. It’s a good place to start when performing web application security assessments. Granted, it won’t hack into the website for you, but it will give you a good idea of things to look at during the early stages of the assessment. Nikto can be intrusive, and I have seen web applications suffer performance issues when scanning them; in fairness, the hardware those apps were hosted on wasn’t fit for purpose. I’ve also found that Nikto can be tricked by web application firewalls. If the WAF (or a catch-all route in the application) answers every request with a 200, Nikto will report every directory it guesses as present, even though none of them exist. For the same reason it can misidentify the WAF’s generic response as a vulnerability or a server-side misconfiguration. Before trusting a flood of 200s, request a path that cannot exist and see what comes back.

[Image: Nikto]
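The false-200 problem above is worth checking for before trusting any directory brute-force result, from Nikto or anything else. The script below is an added example and is not part of the original post or of Nikto: it requests a couple of random paths that cannot exist, and if they all return 200 with near-identical bodies it treats the host as a catch-all and discards reported 200s whose body matches that baseline. The base URL example.test and the two fetch functions are stand-ins constructed so the example runs offline; `waf_fetch` models a WAF-fronted host that answers unknown paths with a 200 "blocked" page, and `strict_fetch` a well-behaved host that returns 404.

```python
import difflib
import secrets

BASE = "http://example.test"  # hypothetical target; the fetchers below are fakes


def similarity(a, b):
    """Fuzzy body comparison. autojunk is off so frequent characters in long
    HTML pages are not thrown away as noise, which would skew the ratio."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def detect_catch_all(fetch, base_url, probes=2, threshold=0.9):
    """Request paths that cannot exist. If every probe returns 200 with a
    near-identical body, the host answers everything and a scanner's 200s are
    not evidence on their own. Returns (is_catch_all, baseline_body)."""
    responses = [fetch(base_url + "/" + secrets.token_hex(8)) for _ in range(probes)]
    if {status for status, _ in responses} != {200}:
        return False, None
    bodies = [body for _, body in responses]
    if all(similarity(bodies[0], b) >= threshold for b in bodies[1:]):
        return True, bodies[0]
    return False, None


def triage(fetch, base_url, candidate_paths, threshold=0.9):
    """Re-request each path a scanner reported as 200 and keep only those whose
    body differs from the catch-all baseline. Returns (is_catch_all, confirmed)."""
    catch_all, baseline = detect_catch_all(fetch, base_url, threshold=threshold)
    confirmed = []
    for path in candidate_paths:
        status, body = fetch(base_url + path)
        if status != 200:
            continue
        if catch_all and similarity(baseline, body) >= threshold:
            continue  # indistinguishable from the generic "blocked" page
        confirmed.append(path)
    return catch_all, confirmed


# --- constructed stand-ins for two servers; no network traffic is generated ---
REAL_PAGES = {
    "/admin/": (200, "<html><head><title>Admin login</title></head><body>"
                     "<form method=post action=/admin/login>"
                     "<input name=user><input name=pass type=password></form>"
                     "</body></html>"),
    "/robots.txt": (200, "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\n"),
}
WAF_TEMPLATE = (
    "<html><head><title>Request blocked</title></head><body><h1>Access denied</h1>"
    "<p>The web application firewall has blocked this request because it matched "
    "a rule for suspicious paths. If you believe this is an error, contact the "
    "site administrator and quote the reference below so that the event can be "
    "located in the firewall logs.</p><p>Reference: {path}</p></body></html>"
)


def waf_fetch(url):
    """WAF-fronted site: every unknown path gets a 200 'blocked' page."""
    path = url[len(BASE):]
    return REAL_PAGES.get(path, (200, WAF_TEMPLATE.format(path=path)))


def strict_fetch(url):
    """Well-behaved site: unknown paths get a 404."""
    path = url[len(BASE):]
    return REAL_PAGES.get(path, (404, "<html><body>Not Found</body></html>"))


if __name__ == "__main__":
    reported = ["/admin/", "/robots.txt", "/backup/", "/phpmyadmin/"]
    for name, fetch in (("waf", waf_fetch), ("strict", strict_fetch)):
        catch_all, confirmed = triage(fetch, BASE, reported)
        print(f"{name}: catch-all={catch_all} confirmed={confirmed}")
```

To use it against a real host, replace the fake fetchers with a function that performs the HTTP request and returns `(status_code, body)`; the triage logic does not change. The body comparison matters because a WAF page often embeds the requested path or a reference number, so comparing status codes alone is not enough.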

Burp Suite Web Application Scanning

No vulnerability scanning article would be complete without Burp Suite from PortSwigger. This is the Bugatti Veyron of web application vulnerability scanners. Unfortunately, I only have the Community edition installed in my home lab, but I use the Professional edition almost daily. The Professional edition has many more features that allow for automated scanning and vulnerability detection. You still need to manually go through and verify those findings, but Burp takes out a lot of the guesswork. It also has an extensive list of additional extensions in the BApp Store that you can install to increase its functionality. If you’re looking to get a job in cybersecurity, then knowing how to use Burp Suite will probably improve your chances when it comes to that technical test.

[Image: Burp Suite]

Conclusions

I know I have only scraped the surface of the different vulnerability scanners that are available. However, to cover them all would take forever, and I only wanted to cover the ones that you are likely to come across first. Granted, there are some amazing alternatives out there. Where you have Nessus, you also have OpenVAS. Where you have Burp Suite, you also have OWASP ZAP. I’m not saying that one is better than the other; I suppose that comes down to personal preference, and these tools are my personal preference. I know a guy who almost refuses to touch anything that isn’t command-line based. Archie, I salute you. Anyway, definitely give these tools a try against your own test virtual machines. They are a lot of fun.

Hack To Learn: OSINT and Passive Reconnaissance

Dear Friend, welcome to HaXeZ, where I want to talk about open-source intelligence and passive reconnaissance. Passive reconnaissance is one of the most important phases for successful hacking. It uses Open Source Intelligence (OSINT) techniques to gather information about the target without interacting with it directly, so nothing you do shows up in the target’s logs. This article covers a number of passive reconnaissance tools, but there are plenty more out there.

Google Passive Reconnaissance

Google is an extremely powerful search engine; they didn’t become the number one search engine by luck. Most people use Google by typing in a word or two and looking through the results. However, with a few modifications to your search terms, Google becomes a powerful passive reconnaissance tool. Specific search operators such as site:, filetype:, inurl: and intitle: can retrieve a wealth of information about a target. Additionally, the Exploit Database has a whole section dedicated to “Google Dorks”, saved searches built from these operators that can return potentially sensitive information about a target. Below are just a few examples.

[Image: Google Passive Reconnaissance]

Maltego Passive Reconnaissance

Maltego is an open-source intelligence gathering application that allows you to gather information about a target domain. In short, it has a number of transforms that automatically perform passive reconnaissance techniques. These transforms include DNS record look-ups from various sources, as well as searches for email addresses, telephone numbers and various other bits of information. The interface provides an intuitive and friendly way of viewing the information retrieved as a graph of linked entities. Within a few clicks, you can have a wealth of information that could allow you to find weaknesses in your target. Simply right-click an entity and choose from the list of transforms.

https://www.maltego.com/

[Image: Maltego Passive Reconnaissance]

Have I Been Pwned?

Have I Been Pwned? is a web application that allows you to check whether the credentials of a mailbox have been compromised. It utilizes known database leaks and checks whether your email address was part of those leaks. These leaks are from various sources, including public leaks such as the LinkedIn database leak. Have I Been Pwned? was created for you to check your own email address, but there is nothing stopping you from checking other people’s too.

https://haveibeenpwned.com/

[Image: Have I Been Pwned]

MXToolbox Passive Reconnaissance

MXToolBox is a web application that has a great number of tools. I initially discovered it while working in Technical Support for a hosting provider. It can be used to gather information about a domain’s DNS records, including its MX records, SPF and DMARC policies, and blacklist status. Furthermore, it has tools like ping, so if you want to see whether an IP is blocking you, you can check from here rather than switching VPN locations. To cover all the tools would require an entire article, but this is a great site for performing passive reconnaissance against a target.

https://mxtoolbox.com/

[Image: Mx Toolbox]

Shodan Passive Reconnaissance

Shodan is a search engine for internet-connected devices. It can be used to find specific devices running specific operating systems with specific ports open. It has also indexed the banners that those ports return when you connect to them. It also tags devices whose banners indicate default credentials or anonymous access. You can filter devices by country, city, organization, domain and much more; the list of filters is long. If you wanted to find all FTP servers owned by a certain organization that support anonymous login, then you can.

https://www.shodan.io/

[Image: Shodan]

OSINT Framework

The OSINT Framework is a web application that catalogs everything you could want to know about Open Source Intelligence gathering. It has a tree structure: clicking one category expands into further categories and eventually a link to a resource. The resource will usually provide instructions or a tool for you to perform that specific type of OSINT. This web application has a lot to explore, more than can be covered in a single article.

https://osintframework.com/

[Image: OSINT Framework]

Whois

Whois is a protocol, and a command-line tool of the same name, for retrieving the registration record of a domain. In some cases, it may tell you who registered the domain and include their contact details, such as the owner’s telephone number and address, but this will depend on whether the registrar applies domain privacy, in which case those fields are redacted. The registrar, the domain registration date, and the expiry date are also provided by the tool.

whois google.com
[Image: Whois]
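The output of whois is loosely structured ‘Key: Value’ text, and the parts a tester actually wants (registrar, domain age, days until expiry, name servers, whether the registrant is redacted) take a few lines to pull out. The parser below is an added example and not part of the original post. The whois record it parses is constructed for the example and is not real registration data for any domain; run with a domain name as its argument it shells out to the local whois command, which assumes that command is installed.

```python
import subprocess
import sys
from datetime import datetime, timezone

# Constructed whois response in the "Key: Value" layout registrars return.
# Every value is made up; this is NOT a real record for example.com.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.registrar.example
   Registrar: Example Registrar, Inc.
   Updated Date: 2024-01-15T08:00:00Z
   Creation Date: 2015-03-02T12:34:56Z
   Registry Expiry Date: 2026-03-02T12:34:56Z
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
   DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-06-01T00:00:00Z <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration is set to expire.
"""

# Phrases registrars use in place of real registrant data
REDACTED_MARKERS = ("redacted", "privacy", "please query")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict. Repeated keys (Name Server) become
    lists. Parsing stops at the '>>>' trailer, after which only free-text
    legal notices follow."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">>>"):
            break
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def parse_date(value):
    """Registry timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(record, now):
    """Reduce a parsed record to the facts that matter during reconnaissance."""
    created = parse_date(record["Creation Date"])
    expires = parse_date(record["Registry Expiry Date"])
    registrant = {k: v for k, v in record.items() if k.startswith("Registrant")}
    redacted = bool(registrant) and all(
        any(m in str(v).lower() for m in REDACTED_MARKERS) for v in registrant.values()
    )
    name_servers = record.get("Name Server", [])
    if isinstance(name_servers, str):
        name_servers = [name_servers]
    return {
        "domain": record["Domain Name"].lower(),
        "registrar": record.get("Registrar"),
        "age_days": (now - created).days,
        "days_to_expiry": (expires - now).days,
        "name_servers": [ns.lower() for ns in name_servers],
        "registrant_redacted": redacted,
        "dnssec": record.get("DNSSEC"),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real lookup via the system whois client (assumed to be installed)
        text = subprocess.run(["whois", sys.argv[1]], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_WHOIS
    summary = summarize(parse_whois(text), datetime.now(timezone.utc))
    for key, value in summary.items():
        print(f"{key:20} {value}")
```

A very young domain, an expiry a few days away, or name servers that do not belong to the organization are all worth noting: the first two are classic phishing-domain signals and the third tells you who really runs the DNS.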

NSlookup

You can use the nslookup tool to retrieve DNS information about a domain. This can include the domain’s name servers (NS records), its IP addresses (A and AAAA records), its mail servers (MX records), and various other record types. It can tell you how the domain is configured, and the hosts it reveals may be potential targets.

nslookup
[Image: nslookup]

theHarvester

A tool that combines many of these techniques into one great command-line tool is theHarvester. theHarvester is a wrapper around other tools and data sources and can perform both passive and active reconnaissance. It can use search engines to find subdomains and URLs, and it can use social media websites to find employee names and email addresses. To find the full list of sources used by theHarvester, head over to the developer’s GitHub page.

https://github.com/laramies/theHarvester

[Image: theHarvester]

Conclusion

Passive reconnaissance can provide a wealth of information about a target that you are testing. While some of the information may be beyond the scope of the engagement, it can give you a good insight into the organization. The tools I’ve talked about above barely scratch the surface of the iceberg that is OSINT tooling. Perhaps one day someone will create an all-in-one, web-based OSINT scanner and it will become what Nessus is to vulnerability scans. I’m fond of Maltego and theHarvester and think they do a fantastic job, but I would love more functionality and a simpler interface: input your domain, tick the boxes for the information you want to discover, and then wait for the report.

Hack To Learn: Hacking Legally

Dear Friend, as discussed in the HaXeZ part 1 Hack To Learn video, there are many laws associated with computer misuse that will ensure you’re punished if you violate them. This means you’re not allowed to explore the internet hacking everything you see. So how do hackers hack without getting in trouble? Well, there are a number of online communities that provide digital playgrounds for hackers to level up their hacking skills. These playgrounds offer a wide variety of hacking challenges, including web applications, coding challenges, forensic challenges, steganography challenges and general machine challenges.

Hack This Site

The first community that I would like to talk about is Hack This Site. Hack This Site is a website that offers a number of challenges including basic and realistic web applications. Although Hack This Site has been around for a long time, there is still a lot of valuable information to be learned. The realistic web application challenges are a lot of fun as the themes and stories surrounding them are immersive.

[Image: Hack This Site Website]

Hack The Box

This is by far my favourite community. Hack The Box offers a lot of challenges, ranging from single machines to entire networks that you can explore and compromise. There are also other challenges, like on Hack This Site, that include programming and more. Furthermore, it has a great community; the forums are full of people nudging you on your path to success. It also has a great Discord community. Hack The Box has also launched an academy where you can get to grips with the basics before diving in. Before the academy was released, I did feel that Hack The Box had one of the steepest learning curves.

[Image: Hack The Box Website]

VulnHub

VulnHub is slightly different from the previous two websites. While it does offer great machines for you to hack, it requires you to download and run the virtual machines locally rather than spinning them up in the cloud. With that said, there are a lot of virtual machines that will each teach you something different about hacking. Whether it is a vulnerability or a misconfigured service, VulnHub will have a virtual machine that you can attack to simulate a real-world encounter.

[Image: VulnHub Website]

Try Hack Me

Try Hack Me is the one that I have spent the least amount of time on. I’m hoping to change that going forward, as I’ve heard great things from colleagues and friends. It too offers a number of learning paths, starting from beginner and working up to elite ethical hacker. From what I know, it is cloud based too, so you don’t need a powerful computer to get started. Simply sign up and start following a learning path.

[Image: Try Hack Me Website]

Conclusion

There are many other sites out there, like Over The Wire, which have great challenges. However, the four I’ve listed above are, in my opinion, the best learning resources for aspiring hackers. These sites will have you hacking websites, popping shells on servers and owning Active Directory in no time. Some of them will be difficult at first, especially if you don’t have any prior knowledge. However, there are lots of guides and forum posts out there to help you on your way. Just be prepared to read a lot and fiddle with your syntax, then give up for an hour, only to realise that your single quotation mark was in the wrong place. Hacking the scoped targets on these hacker playgrounds is legal and encouraged.

You don’t need to worry about the long arm of the law when practising your skills on these battlefields. So give them a go, I’m sure you will enjoy them.

Kind Regards

Jonobi

Hack To Learn: Environment Set Up

Hello and welcome to HaXeZ. In order to start hacking you will first need some tools. If you’re running a Windows-based operating system then you can install tools locally. However, a better solution might be to use a virtual machine. A virtual machine is an operating system that runs on top of your base operating system inside a hypervisor, so what happens inside it is unlikely to affect your host. With this in mind, you can download all sorts of malicious software without worrying about it damaging your host operating system. There are attacks (VM escapes) that can break out of a virtual machine, but that’s something we can worry about later.

Choosing an Operating System

There are many different OSes built specifically for penetration testing or hacking. I’m not going to discuss each one individually, but feel free to check out any of the following: Kali, Parrot, BackBox and BlackArch. There are others out there, but I believe these to be the main distributions. For the purposes of this article I’m going to be using Kali Linux.

GET an Operating System

Firstly, head over to https://www.kali.org/get-kali/ and have a look around. There you will see a number of options including Virtual Machines.

[Image: Kali Linux Website]

If you click on the Virtual Machines option, then it should take you to the part of the page where you have the option to download either a VMware or a VirtualBox image. With this in mind, we need to make a decision about which hypervisor we want to use. To explain, a hypervisor is the software that is going to run our virtual machine. Feel free to google the pros and cons of both VMware and VirtualBox and make your own decision. However, I’m going to be using VirtualBox for the purposes of this demonstration.

[Image: Virtual Machines]

Compatibility

Now it is important to download the correct version. If you’re on a modern version of Windows then you will almost certainly need the 64-bit version. However, you can check which version you need by running the following command in an elevated Command Prompt (right click, Run as administrator). Note that wmic is deprecated on recent Windows releases; if the command is not found, Settings > System > About shows the same information under “System type”.

wmic os get osarchitecture
[Image: Operating System Architecture]

As shown above, my OSArchitecture is 64-bit, which means I should download the 64-bit version. You can perform a direct download by clicking on the download arrow, or, if you’re feeling generous, you can download (leech) and then seed the image by using a torrent client. Either way, check the downloaded file against the SHA256 checksum published on the Kali download page before importing it.

GET a Hypervisor

While your Virtual Machine OS is downloading, head over to https://www.virtualbox.org/ and click the big blue button that says download VirtualBox. Once the file has finished downloading, locate it, double click it and install it.

[Image: VirtualBox Website]

Import Your Operating System

Once your Virtual Machine has finished downloading, open VirtualBox and click File > Import Appliance.

[Image: Import Operating System]

This will then spawn another window, if you click the file icon it should open a Windows Explorer Window and allow you to navigate to your Virtual Machine Appliance. Select it.

[Image: Select Your Appliance File]

You should then see the configuration of the virtual machine. Don’t worry about this too much, as most of it (CPU, memory, network adapter) can be changed later. For now, just make sure the base folder path where the virtual disk will be stored is correct and click Import.

[Image: Virtual Machine Operating System Settings]