Application hacking

Password cracking plays a very important role in hacking. We are not always lucky to get credentials during enumeration. There are two types of password cracking.

  1. Online password cracking
  2. Offline password cracking

In this tutorial we will learn about online password cracking. There are many techniques used in online password cracking. Some of them are,

Dictionary Attack: Dictionary password attack is a password cracking attack where each word in a dictionary (or a file having a lot of words) is tried as password until access is gained. This method will be successful when simple passwords are set. By simple, I mean common passwords which can be found in a dictionary like password, iloveyou etc. This type of attack consumes less time but is not bound to be successful always especially if the password is not present in the dictionary.

Brute force Attack: Brute Force attack is a password cracking attack similar to dictionary attack. The only differ ence is in this attack, each and every possible combination is tried until the password is successfully cracked. For example, if there are two words say “abc” and “123” in a wordlist, other combinations like “abc1”, “abc2” and “abc3” a re also tried. Brute force attack will definitely succeed even if it means it will take years to do that.

Hybrid Attack: As the name suggests, it uses a combination of both dictionary and brute force password attacks to crack the password.

Rainbow Table Attack: Rainbow Table password cracking technique uses pre -computed hashes to crack the encrypted hashes.

Kali Linux has various tools in its arsenal for both online and offline password cracking. Some of the online password cracking tools are Acccheck, John The Ripper, Hydra and Medusa etc.

We have already seen the working of the tool Accheck during SMB enumeration. In this tutorial, we will see how to crack passwords with a tool called Hydra. THC-Hydra is a password cracker which uses brute forcing to crack the passwords of remote authentication services. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb , several databases and much more.

On our target Metasploitable2, we have many services which allow remote authentication like telnet, ftp and SSH. We also have rlogin available. We will use Hydra on one of these services. Hydra can be accessed from the applications menu of Kali Linux. It is available both in GUI and command line utility. For this tutorial, I’m using the graphical one.

Once opened, Hydra will look like shown below.

Change the target IP to that of Metasploitable’ s IP.There are many protocols to choose from Here I am choosing ftp. Change the port to 21 as ftp is running on port 21. I selected options “Be Verbose” and “show attampts” to see the cracking process.

Click on “passwords” tab. We can give a single username and password or a file containing a number of usernames and passwords. Here I am giving the same dictionary or wordlist for both username and password. This dictionary is big.txt. I selected the options “Try Login as password” , “Try empty password” and “Try reverse login”. These options are self explanatory.

The tuning tab is used to configure proxy and number of simultaneous tries. I left it as default.

I left even “specific” tab to default. When all the settings are set, go to “Start” tab. To start the attack, click on “Start” button.

The attack is displayed as shown below.

The time of the attack depends on the number of words present in the dictionary or the wordlist we specified. The password is cracked if the phrase is present in the dictionary. If the password is not there in the wordlist, we need to use another dictionary. The big.txt dictionary I used failed to crack the password. So I used another wordlist we made during enumeration “pass.txt”. After some time, Hydra found three valid passwords.

Scroll up to see what are those passwords.

Apart from Hydra, Kali Linux also has command line tools to use for password cracking. One such tool is Medusa. Open a terminal and type medusa to see the options of that tool. Below is the command in medusa to crack ftp using a wordlist.

Once medusa cracks a password, it will be sh own as below. Once again we got three credentials we found also with Hydra.

We have used the same dictionary in both methods, but where do we find this dictionary or wordlist. Most wordlists of Kali Linux are present in /usr/share directory. Given below are different dictionaries in the “wordlists” folder.

These wordlists are named accordingly. For example, “common.txt” contains most common passwords used by users. But what if none of the dictionaries are helpless in cracking the password. Kali Linux also has tools to create our own dictionary or wordlist. Crunch is one such tool. The syntax is given below.

Here’s an example of how to create a wordlist with crunch.

We can also save the wordlist to a  file as shown below.

 

NOTE: This howto is part of a series “Metasploitable tutorials”.

Enumeration is the process of collecting information about user names, network resources, other machine names, shares and services running on the network. Although a little bit boring, it can play a major role in the success of the pentest. In the previous howto, we saw how to perform SMB enumeration and got some usernames on our target. So we don’t need to perform SMTP enumeration. But we may not be so lucky that SMB enumeration will be successful on every network. For networks like these, we may need to enumerate other services like SMTP.

First let me give you a basic introduction of SMTP. SMTP stands for Simple Mail Transfer Protocol. As the name implies, it is used to send email. It uses port 25 by default. If you ever sent an email, you have definitely used SMTP. SMTP servers talk with other SMTP servers to deliver the email to the intended recipient. Luckily this all happens behind the scenes and we don’t have to break our heads to understand this. But there are some things we have to understand about SMTP that will help us in enumeration.

As the term “simple” implies, SMTP server can only understand simple text commands. Sender of the mail communicates with a mail receiver by issuing these command strings and supplying necessary data. Some of the important commands are

1. HELO – sent by a client to introduce itself.

2. EHLO – another way of client introducing itself to server

3. HELP – used to see all commands.

4. RCPT – to identify message recipients.

5. DATA – sent by a client to initiate data transfer.

6. VRFY – verify if the mailbox exists.

7. QUIT – to end the session.

SMTP enumeration can be performed in many ways. The easiest way to do this is by connecting to the SMTP service port of the target with telnet (we have seen this in scanning and banner grabbing).

As you can see, we got successfully connected. From here, we can verify manually if each user exists or not. If you remember the article on SMB enumeration, we already have some usernames available. Lets use the VRFY command to check if users “user”, “msfadmin” and “root” exist in this system.

Yes, they exist. Similarly, let us test if user kalyan exists. As you can see in the above image, the user kalyan doesn’t exist. Nmap also has a script to perform SMTP enumeration. We can use the script as shown below.

By default, Nmap uses RCPT method to check if a particular user exists. Unfortunately for me, it gave unhandled status code here. This Nmap script can be modified to use different methods. Here I changed it to use VRFY method to enumerate users. I have only scanned port 25 to remove the clutter. But still it gave me the same error.

There is another tool in the arsenal of Kali Lin -ux which is built specifically for SMTP enumeration. Its called smtp-user-enum. Here let us test if a user called “root” exists on the target system as shown below.

Since user “root” exists, I’m assuming other users like “msfadmin” and “user” also exist. While performing SMB enumeration, we created a wordlist which can be users on the target system. Now let’s enumerate if all the users in that wordlist exist. It can be done as shown below.

All the users we got during SMB enumeration exist. That’s good. In this case, we already have the wordlist of usernames (we got during SMB enumeratin). What if we don’t have the exact wordlist. We can use different wordlists present in Kali Linux. These wordlists are present in /usr/share/dirb directory.

What We Achieved?

We got some usernames which may be useful to us while exploiting the system in future. All these usernames have a recipient email address to them.

Hello everybody. Today we will see about Zabbix toggleids sql injection exploit. First things first, what’s Zabbix. It is an enterprise open source monitoring software for networks and applications designed to monitor and track the status of various network services, servers, and other network hardware.

Zabbix uses MySQL, PostgreSQL, SQLite, Oracle or IBM DB2 to store data. Its backend is written in C and the web frontend is written in PHP. It has a web based interface and can be installed in both Linux and Windows. It boasts of over 13,000 downloads per week.

Zabbix version 3.0.3 suffers from SQL injection which can be exploited to steal the credentials. Let’s see how this exploit works. Start Metasploit and load the module as shown below.

zabbix_toggleids1

As you can see, we need to set only one option “RHOST” which is the IP address of the target running Zabbix. Once you set the target, check whether its vulnerable or not using the “check” command.

zabbix_toggleids2

Once we know target is vulnerable, executing the exploit using command “run” downloads the current usernames and password hashes from database to a JSON file. We can crack these password hashes and login into the Zabbix instance. See how to crack hashes with Kali Linux.

How to stay safe?

There are patches available. Please update.

Hello aspiring hackers. In many hacking scenarios, we encounter hashes. To those newbies who have no idea what hashes are, they are encrypted text ( literarlly we can’t call it text ). Normally they are used to encrypt passwords for website users, operating system users etc. Today our tutorial is about cracking hashes.

For this howto, we will use NewsP Free News Script 1.4.7 which had a credential disclosure vulnerability as shown below. Imagine we got the username and password hash as shown below. The only thing that stops me from accessing the website is password in encrypted format.

findmyhash1

The first step in cracking hashes is to identify the type of hash we are cracking. Kali Linux has an inbuilt tool to identify the type of hash we are cracking. It’s hash-identifier. Open a terminal and type command hash-identifier.

hash-identifier1

Enter the hash we need to crack as shown above and hit ENTER. It will show the possible hash type as shown below. In our case, it is MD5 or a variant of it.

hash-identifier2

We can also use another tool hashid for similar purpose. It’s syntax is as shown below.

hashid1

We know what the type of hash is. Now, it’s time to crack the hash.We will use a tool called ‘findmyhash’. To use this tool, we need to specify the hash type ( which we already know ) and hash after it as shown below. This tool tries to crack the hash by using various online hash crackers available.

findmyhash2

After successfully cracking the hash, it will display us the corresponding password as shown below. In our case, the password is admin.

findmyhash3

 

 

Hello friends. Today we will see two exploits: credential disclosure and arbitrary text file download in WebNMS Framework server 5.2. To those newbies who don’t know what WebNMS Framework Server is, it is an industry-leading framework for building network management applications and has over 25,000 deployments worldwide.Its latest version consists two vulnerabilities : credential disclosure and arbitrary text file download.

First let us see the credential disclosure exploit. Start Metasploit and load the exploit as shown below. Type command “show options” to check its options. This server runs on port 9090.

webnms1

Set the target and run the exploit. It will download the credentials and store it in a file as shown below.

webnms2

The next vulnerability is arbitrary text file download. Load the exploit and see its options. It is automatically set to download shadow file in Linux.

webnms3

Before running the exploit type command “info” to see the information about this exploit. As you can see below, it can only download text files and if it is a Windows instance the file should be in the same directory of WebNMS.

webnms4

Since we are running WebNMS framework server on a Windows machine, I have created a text file called secret.txt in the same directory. Let us try the exploit now. Set the target address, file path as shown below and run the exploit. We can see that the file has benn successfully downloaded and saved in a directory.

webnms5

Good Evening friends. Today we will see how to hack a remote Windows system using a vulnerability in a RAT. RAT stands for Remote Access Trojan and is a type of malware. It works when a hacker sends a malicious file to the victim and he clicks on it. When victim clicks the malicious file, it sends a  connection back to the hacker’s machine. The Hacker can control the victim’s machine using command & control server.  Using RAT’s, the hacker can

  • Block mouses and keyboards
  • Change the desktop wallpapers
  • Downloads, uploads, deletes, and rename files
  • Destroys hardware by overclocking
  • Drop viruses and worms
  • Edit Registry
  • Use your internet connection to perform denial of service attacks (DoS)
  • Format drives
  • Steal passwords, credit card numbers
  • Alter your web browser’s homepage
  • Hide desktop icons, task bar and file

(Data from Wikipedia )

The picture given below should explain the scenario. More about RATs later.

RAT

You can see the command and control server of Poison Ivy RAT below . Poison Ivy is one of the popular RAT’s and many variants of it are still active. It was used in RSA SecureID attack. Poison Ivy RAT  2.1.x versions suffer from a stack buffer overflow vulnerability. Using this vulnerability, the machines running C&C server can be hacked. So here, its a case of hacker getting hacked.

ivybof0

We will learn more about RATS in our next howtos. But now let us see how to hack a Windows machine running a PoisonIvy C&C server with PoisonIvy buffer overflow exploit. Open Metasploit and load the exploit as shown below. The only option necessary is RHOST. As shown below, this RAT runs on port number 3460. Set the RHOST and check whether the target is vulnerable.

ivybof1

Now, as the target is vulnerable, set the payload and hit on Run. You should get the meterpreter on the remote machine as shown below.

ivybof2

Good afternoon friends. Today we will see hacking Advantech Webaccess Dashboard 8.0 with Metasploit. Advantech WebAccess is a 100% web based SCADA software. It is a cross-platform, cross-browser data access experience and a user interface based on HTML5 technology. With WebAccess, users can build an information management platform and improve the effectiveness of vertical markets development and management.

       SCADA (Supervisory Control And Data Acquisition) is a system for remote monitoring and control that operates with coded signals over communication channels.  Vulnerabilities in  SCADA systems are considered very serious as they are used in monitoring various industrial and infrastructure processes like power generation, water treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms and large communication systems.

The version 8.0 of this Adavantech Webaccess suffers from arbitrary file upload vulnerability. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess and that too without the need of authentication. Start Metasploit and load the exploit as shown below.

advantech1

Set the target IP address and check whether the target is vulnerable.

advantech2

If the target is vulnerable a shown above, set the required payload. We are trying to get a shell in our target.

advantech3

Execute the exploit by typing command “run”. The exploit will run and …………

advantech4

a command shell will be opened on our target as shown below. See it was very easy to get into a SCADA system.

advantech5

Good evening friends. “PCMan’s FTP Server is a free software mainly designed for beginners not familiar with computer, hoping that it can make setting up a basic FTP server very easily. Functionality and security are not the major concern. Usability, however, is the most important concern” according to their makers. However version 0.7 of this software has a Buffer Overflow vulnerability for which exploit has been released by Metasploit. First of all, we need to perform enumeration to find services in our targets. To know more about enumeration, read this.  Now let’s see Hacking PCMAN FTP Server with Metasploit.

pcmanf1

Start Metasploit and load the exploit. as shown below.

pcmanf2

Set the IP address of our target as shown below. Check the payloads by typing command “show payloads”.

pcmanf3

Choose any payload you require. I am choosing the meterpreter payload. Check if our target is vulnerable using the “check” command.

pcmanf4

Next execute our exploit by typing command “run”. You will successfully get the meterpreter session on the target. The only downfall with this exploit is it is only working on Windows XP. Happy hacking.

pcmanf5


Good morning friends. Today we will see how to hack Easy File sharing HTTP Server 7.2 with Metasploit. Easy File Sharing HTTP server is a is a Windows program that allows you to host a secure peer-to-peer and web-based file sharing system without any additional software or services. It doesn’t require additional HTML page design. It allows you to run a web site on your own PC, share photos, movies, videos and music/MP3 files securely. It also allows visitors to upload/download files easily through web-based interfaces. A recent version of this software i.e 7.2 has a SEH overflow vulnerability which can be exploited by crackers to spawn a shell in the target system. If you have gone through my previous howto’s you should be well aware how to find the vulnerable targets but in some cases we may require enumeration of our target machines. Read this to know more about enumeration.                                                   Now let’s see hacking Easy File Sharing HTTP Server 7.2 with Metasploit. Start Metasploit and load the module as shown below.

efs1

The only option it requires is the RHOST. Needless to say it is the IP address of our target. Set the target and check the payloads this exploit supports.

efs2

Set the payload you want. I have set the below payload.

efs3

Type command “show options” to check whether all options are set.

efs4

It’s time to run the exploit. Type command “run” and if all goes well, you will get a shell in the remote system. Happy hacking.

efs5

Good Evening friends. Today we will see how to exploit a vulnerability in the recent version of a popular program Atutor with Metasploit. This vulnerability exists in the most recent version released, i.e Atutor 2.2.1. For those newbies who don’t know what is atutor, it is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind.  It boasts of  216 downloads per week from Sourceforge itself. There are two vulnerabilities present in the version mentioned above. We will exploit a SQL injection vulnerability in this howto. So let’s get onto hacking atutor 2.2.1 with Metasploit. Start Metasploit and load the exploit as shown below.

atutorsql1

Set the required options. For present, we will only need the target IP address. Check if your target is vulnerable or not as shown below.

atutorsql2

Type command “show payloads” and choose the required payload. I chose the payload below. Once again, type command “show options” and set the attacker system’s( i.e our system’s ) IP address which I am not gonna show below.

atutorsql3

Run the exploit by typing command “run”. The exploit will run and a command shell will be opened into the target system as shown below. ( Watch out for the easter egg which we will use in our future howto’s).

atutorsql4

To know about the target system, type commands as shown below. Happy hacking.

atutorsql5