Hacking

All articles on hacking.

WARNING: This post is for education purpose only. Misuse this post at your own  risk.

Hello aspiring hackers. Today we will learn how to do Windows hacking with Arcanus Framework. Arcanus is a customized payload generator that can generate payloads which are undetectable by almost all of the antiviruses (till date ). This could be very useful in penetration testing.

Today we will see how to get a shell on a remote Windows system with this tool. Before we do anything, we need to install golang. Install Golang and then clone the Arcanus git as shown below.

arcanus1

Navigate to the ARCANUS directory created and view its contents. We should see a file ARCANUS_x86. We will generate a x_86 payload. First change its permissions as shown below.

arcanus2

Next run this file. You should see an ARCANUS logo as shown below.

arcanus3

You will see five options as shown below. Since we are about to hack windows, we will generate a windows payload by choosing option 2.

arcanus4

It will prompt you for the attacker IP address ( in our case the address of Kali Linux ) and a port on which you to listen for the reverse shell. Enter the values and hit “Enter”.

arcanus5

It will generate the payload and automatically start a listener as shown below.

arcanus6

The payload will be generated with the name “payload.exe” as shown below in the ARCANUS directory.

arcanus7

Next we need to send this payload to the victim. When the victim clicks on the payload we sent, we will get a shell of the victim as shown below. Happy hacking.

arcanus8

Good evening friends. Recently we have seen how to exploit server credential disclosure vulnerability in Webnms framework 5.2. This time around researchers found an arbitrary file upload vulnerability in the Webnms framework 5.2.

The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).

Here is the code vulnerable to arbitrary file upload.

webnmsfileupload0Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
webnmsfileupload00
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
webnmsfileupload1
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
webnmsfileupload2
 Set the meterpreter payload as shown below.
 webnmsfileupload3
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.
webnmsfileupload4
 

 

Hello aspiring hackers. In our previous howtos, we saw about different shells like the infamous c99 shell, web shells in Kali Linux and Weevely. In this howto, we will see about hacking a website by uploading shell made with Metasploit. We will be getting a meterpreter shell on the website.

One of the wonderful features of Metasploit is creating payloads as per requirement. Using msfvenom, we can create binaries for Windows, MAC and Linux.  We can also create shell payloads for websites in different formats like php, asp , javascript and asp. In future howto’s we will definitely learn more about msfvenom but for this howto, we will create a php payload.

As you can see below, I have created a php payload named “shell.php” with the metasploit payload option “php/meterpreter_reverse_tcp”. This gives us a reverse php meterpreter shell. The “lhost” option is our attacker system’s IP address and “lport” the port on which we want php meterpreter shell back.

msfvenomphp1

After the shell is successfully created, let’s start a listener with Metasploit as shown below. Remember to set the same payload we set while creating the payload.

msfvenomphp2

Set the lhost and lport as shown below. They should match with the values in the shell we created. Type command “run” to start the listener.

msfvenomphp3

Now you need to find a site vulnerable to file upload. For this howto, I’m using my own vulnerable webapp “Vulnerawa”. To know more about Vulnerawa go here. Vulnerawa has a file upload vulnerability in its careers page.

msfvenomphp4

Go to its file upload page and upload the shell. That shouldn’t be a big problem.

msfvenomphp5

Now go to the shell we just uploaded through the website.Normally its located in the uploads directory ( In real websites, you need to locate it ). The shell will look like below.

msfvenomphp6

In the listener we startedan the attacker system, we should have already got the meterpreter shell. Happy hacking.

msfvenomphp7

Good evening friends. Today we will see the second part of WAPT with HPWebinspect. If you didn’t go through the first part, we ended it by scanning a website for vulnerabilities. The results have given us vulnerabilities categorized as critical, high, medium and low. That was the easiest part. Now we will go through analysis of these vulnerabilities.

Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation.

The analysis is very important part of the WAPT. Let us see how to perform this analysis with HPWebinspect. We will take our previous scan report.

hpwapt1

Before we do the analysis, let us have a look at the interface of HPWebinspect.  To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.

hpwapt2

The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.

hpwapt3

Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.

Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.

hpwapt4

Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.

hpwapt5

It also shows us the emails we found during scan.

hpwapt6

Also the forms.

hpwapt7

Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyse each vulnerability for this exact reason.

hpwapt8

In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyse this vulnerability.

hpwapt9

Click on the vulnerability. The dashboard will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.

hpwapt10

Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)

hpwapt10a

Now right click on the vulnerability we are analysing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.

hpwapt11

We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.

hpwapt12

Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.

hpwapt13

Another window will open as shown below. It will automatically show you the browser view.

hpwapt14

We can click on “Request tab”to see the request sent by our tool.

hpwapt15

Similarly the response tab shows us the response given by the target.

hpwapt16

We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.

hpwapt17

Close the window. Once again right click on the vulnerability. You can see the option “change severity”.

hpwapt18

For instance, the vulnerability detected by HPwebinspect is not that critical, we can change its severity suitably to high or medium or low.

hpwapt19

Now what if the vulnerability detected  is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.

hpwapt20

We can also access this option from the “review vulnerability” window as already shown above.

hpwapt20a

When we click on that option, we get two sub-options to mark it either as false positive as shown below

hpwapt21

or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.

hpwapt22

When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.

hpwapt23

Select whatever you want to include in your report as shown below and click on Finish.

hpwapt24

The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.

hpwapt25

 

Web application penetration testing refers to evaluating the security of websites and web applications. Websites evolved from being simple static HTML pages to incorporate complex dynamic features with bells and whistles. These bells and whistles also brought with them lot of vulnerabilities and thus websites became common targets for hackers. So web application penetration testing is considered very important nowadays.

WAPT could be performed manually or through automatic tools. Automated tools provide lot of advantages over manual testing most importantly the speed. HP Webinspect is one such tool.

It is an automated web application security scanning tool from HP. It helps the security professionals to assess the potential vulnerabilities in the web application. It is basically an automated dynamic application security testing (DAST) tool that mimics real-world hacking techniques and attacks, and provides comprehensive dynamic analysis of complex web applications and services. See how to install HPwebinspect in Windows.

Today we will see how to perform website vulnerability assessment with HPWebinspect. Open the program and click on basic scan. We will see other scan options in the following parts of this tutorial. As its name implies, this option performs a basic security scan on a website.

webinspectbasicscan1

As we select the basic scan option, the “scan wizard” opens as shown below. As I am using a trial version of HPWebinspect I am only allowed to scan the website deliberately provided by HP for this purpose. This website simulates a bank ( named zero bank ) and this will be our target from now on.

I allot the given name. Below the scan name option, we have features with radio buttons. Let’s see these options.

crawl:- This process makes a list of all the pages  on the entire website and builds its structure.

auditing:- Auditing is the process in which HPwebinspect will attack the website to find out the vulnerabilities.

I have selected the “crawling and auditing” option. HP Webinspect provides four types of scans.

Standard scan:- Normal scan.
List Driven scan:- You can specify the list of urls for the tool to scan. It will only scan those urls.
Workflow Driven scan:- Similar to list driven scan. You can scan a port of your website by specifying a macro.
Manual scan:- You can specify each link you want to scan. step by step.

Next specify the website you want to scan and click on “Next”.

webinspectbasicscan2

In the next window, you will be prompted for authentication. If your website or network requires authentication, provide them . Choose if you want network proxy or not and click on “Next“.

webinspectbasicscan3

The profiler automatically samples the website and recommends best configuration for the scan. You can select the option. We will see more about profiler later. There are some other settings. Leave them to their default settings and click on “Next”.

webinspectbasicscan4

You will get a congrats message telling about the successful configuration of scan settings. It’s time to start the scan. Click on “scan”.

webinspectbasicscan5

The scan will start as shown below. It will take some time dependent on the size of the website you are scanning.

webinspectbasicscan6

After the scan is finished, it will show the results as shown below. This tool classifies vulnerabilities into critical, high, medium, low and info. That was about basic scanning of website with HPWebinspect.

webinspectbasicscan7

In our next part, we will see analyzing these vulnerabilities.

Good evening friends. Recently we have seen privilege escalation in Windows 7 with bypass uac exploit. Today we will see another exploit ms16-016 mrxdav.sys WEBDAV for privilege escalation in Windows 32bit machines. mrxdav.sys is a Windows driver. It is also called as Windows NT WebDav Minirdr and is used on Windows computers to utilize WebDAV servers. This exploit uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server to escalate privileges.

First hack the system with Metasploit by using one of the methods shown  in Latest hacks. Once you got a meterpreter session, check the privileges by typing command “getuid“.  We don’t have system privileges. Background the session by typing command “background” as shown below.

webdav1

Load the ms16_016_webdav exploit as shown below.

webdav2

We need only one option: session id of the session we just backgrounded. Set the session id as shown below. Run the exploit. The exploit ran successfully.

webdav3

Now verify the privileges by typing “getuid” command once again as shown below.  We successfully got system privileges.

webdav4

 

Hello friends. Today we will see two exploits: credential disclosure and arbitrary text file download in WebNMS Framework server 5.2. To those newbies who don’t know what WebNMS Framework Server is, it is an industry-leading framework for building network management applications and has over 25,000 deployments worldwide.Its latest version consists two vulnerabilities : credential disclosure and arbitrary text file download.

First let us see the credential disclosure exploit. Start Metasploit and load the exploit as shown below. Type command “show options” to check its options. This server runs on port 9090.

webnms1

Set the target and run the exploit. It will download the credentials and store it in a file as shown below.

webnms2

The next vulnerability is arbitrary text file download. Load the exploit and see its options. It is automatically set to download shadow file in Linux.

webnms3

Before running the exploit type command “info” to see the information about this exploit. As you can see below, it can only download text files and if it is a Windows instance the file should be in the same directory of WebNMS.

webnms4

Since we are running WebNMS framework server on a Windows machine, I have created a text file called secret.txt in the same directory. Let us try the exploit now. Set the target address, file path as shown below and run the exploit. We can see that the file has benn successfully downloaded and saved in a directory.

webnms5

Hello aspiring hackers. Today we will see an exploit in Tiki Wiki CMS Groupware version <=15.1. Tiki Wiki CMS Groupware or simply Tiki, originally known as TikiWiki, is a free and open source Wiki-based content management system and online office suite.  It contains a number of collaboration features allowing it to operate as a Groupware. Groupware is an application software designed to help people involved in a common task to achieve their goals.

This exploit takes advantage of a file upload vulnerability in one of the 3rd party components, ELFinder 2.0. This component comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload a PHP file.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options required to run this exploit.

tiki1

Set the target as shown below and check if it is vulnerable using “check“command.

tiki2

Type command “show payloads” to see the payloads we can set to this exploit. Set the payload as I have set below.

tiki3

Check the options once again after setting the payload. They should look like below.

tiki4

Let’s run this exploit by typing command “run”. We can see that we successfully got the meterpreter shell on the target as shown below.

tiki5

Hello friends. A while ago, we saw Poison Ivy buffer overflow exploit. This exploit is just like the Poison Ivy exploit but this time we target Darkcomet RAT. ( We will learn more about Darkcomet and RAT’s later ). In this case we can just download a file from the system running Darkcomet server.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options we need.  Look at the options. Although you are familiar with the usual options, there are some new options like NEWVERSION, STORE_LOOT and TARGETFILE.

-NEWVERSION : This exploit works on all darkcomet versions from 3.2 to above. If the version we are targeting is                                       above 5.1, we need to set this option to “true”.

-STORE_LOOT : If you set this option to true, the file we download will be stored in loot. If the option is false, the                                       contents of the file will be outputted to console.

-TARGETFILE : the file to be downloaded from the remote system.

dcometfd1

Set the options as required. I have set store_loot option to false. If you don’t set any targetfile, by default it will download the config file of Darkcomet.

dcometfd2

Let’s see by running the exploit. We can see the contents of Darkcomet configuration file as shown below.

dcometfd3 dcometfd4

Now let’s try to download another file. For this, we need the RC4 key of Darkcomet and the password you got in the config file is useless. But there is high probability that a password has not been set. Then we can just set the DC prefix as key and run the exploit as shown below.

Here I am trying to download the hosts file but encounter an error. It’s probably Windows UAC protecting us.

dcometfd5

Now let’s create a text file in the admin folder called hello.txt with content as “hello hacker”. Now set this as target file and run the exploit. We can see that the text of the file is successfully displayed as shown below.

dcometfd6

Good morning friends. Not all vulnerabilities are unauthenticated, sometimes we require credentials to exploit a vulnerability like the WordPress ajax loadmore Php upload exploit we saw in one of  previous howtos. But how do we get these credentials. Metasploit has an auxiliary module for WordPress user enumeration. Let’s see how this exploit works.

Start Metasploit and load the wordpress user enumeration exploit as shown below. Type command “show options” to see the options we can specify. We can see a variety of options. All the options are self explanatory but let us see some of the options.

The “BLANK_PASSWORDS” option if set will check if any of the users are without any password. The “VERBOSE”option will display more clearly what the module is doing. The “USERNAME” and “PASSWORD” option will check for single username and password respectively. The “USER_AS_PASS” option will check whether the username itself is being used as password. The USER_FILE and PASS_FILE are used to specify file for usernames and passwords to enumerate respectively. The VALIDATE_USERS option will first validate if user exists on the target even before trying to crack his password.

wpuserenum1 wpuserenum2

The “USER_PASS” file option allows us to specify the same file for username and password as shown below. Here I have specified a wordlist consisting of most common passwords as the USER_PASS file. When we execute the module, we can see that it will first validate all the usernames.

wpuserenum3 wpuserenum4

What if we know the username? The first question is how will we know the username. Just go through one of our previous howto : WordPress vulnerability assessment  with WPSCAN. The tool gave use a hint that username is “root”. Now we will set the username as root, specify a common password dictionary as password file as shown below.

wpuserenum5

When I run the script, it confirms that the username is valid and tries all words in the dictionary as password one by one.

wpuserenum6

After some time we can see that we successfully cracked the password for user “root” as “123456”.

wpuserenum7

HOW TO STAY SAFE:

Never use not only common passwords but also common usernames for your websites. Still most of the people tend to use common usernames like admin, administrator etc. and common passwords.