Hacking

All articles on hacking.

Hello aspiring hackers. You all know about the meterpreter payload. It is an advanced dynamically extensible payload of Metasploit. Meterpreter architecture migration exploit is a “post” exploit used to migrate from one architecture to another architecture. What is architecture? As we all know there are two main system architectures 32bit and 64bit.

Sometimes we happen to run our exploit from a 32bit machine to hack a 64bit machine or run our exploit from a 64bit machine to hack a 32bit machine. The meterpreter payload spawns a process according to the architecture of the attacking system. If the attacking system is 32bit, the meterpreter process is 32bit and if the attacking system is 64bit the meterpreter process is 64bit.

Sometimes there may be compatibility issues if we get a 32bit meterpreter session on a 64bit machine and vice versa. This is the exact reason why this module has been introduced. For example, in our previous howto, we hacked a 64bit machine from a 32bit Kali Linux. So we have a 32bit meterpreter session on a 64bit target system. To overcome the problems of incompatibility, we need to start a 64bit meterpreter session.

It is exactly in cases like these, this module comes handy. This module checks if the architecture of meterpreter is as same as the architecture of OS and if it is not, spawns a new process with the correct architecture and migrates into that process. Let’s see how this module works.

To use this module, we need to background the current session using command “background”. Then load the exploit as shown below. Type command “show options” to have a look at the options it requires.

We need to only set the session id of the meterpreter session we just sent to background and the exploit is good to go.

If you see in the above image, our exploit failed to run for the first time. This is because in the previous session we had system privileges and if we run this module we may lose the system privileges. But don’t worry we can change the options to overcome this problem.

Set “ignore_system” option to true and you should be fine to go. This time the exploit ran successfully. As you can see in the above image, our target is a 64bit machine and our meterpreter migrated to a 64bit process successfully. Lets check by typing command “session s -l” to see the available sessions. You can see we have a 64bit meterpreter now. Job performed.

Hello aspiring hackers. Today we will learn about an exploit to hack a Serviio media server. This exploit works on Serviio Media Server from versions 1.4.0 to 1.8.0 (1.8 is the present version, by the way). Serviio media server is a free media server which allows users to stream media files (music, video or images) to renderer devices like a TV set, Bluray player, gaming console or mobile phone on your connected home network. It is used by a number of organizations.

This media server has a console component which runs on port 23423 by default. This module exploits an unauthenticated remote command execution vulnerability in this console component. This is possible because the console service exposes a REST API whose endpoint does not sanitize user-supplied data in the ‘VIDEO’ parameter of the ‘checkStreamUrl’ method. This parameter is used in a call to cmd.exe which results in execution of arbitrary commands. Now let’s see how this exploit works.

So imagine a hacker while port scanning a specific port on multiple machines as shown below gets one positive result.

On performing a  verbose scan with OS detection enabled to probe further, it is indeed clear that a Serviio Media Server is running on this specific port and our target OS is Windows, so we can use our exploit.

Start Metasploit and load the module as shown below.

He sets the target IP and checks if the target is vulnerable (Remember we know the target is using Serviio Media server but have no idea if it is a vulnerable version).

Once the “check” command confirms that the target is vulnerable,  the other required options are set and the module is executed with “run” command. We directly get a meterpreter session with system privileges on our target.

HOW TO STAY SAFE:

The exploit only works when the console of serviio media server is enabled. Just disable it to stay safe.

Hello aspiring hackers. Today we will see an exploit  which helps us in Windows 10 Privilege escalation. Till now, there was no exploit for privilege escalation in Windows 10. Recently we got one. This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched.

Once the UAC flag is turned off, this module will spawn a second shell with system privileges. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS.

Imagine we have a scenario where we got meterpreter access to a Windows 10 system ( See how to hack Windows 10 with Hercules and see how to hack Windows 10 with hta exploit).

To use the fodhelper module to escalate privileges, we need to background the current session.

Search for fodhelper module using the search command.

Load the module and set the session ID as shown below.

Run the module as shown below.

As you can see, we successfully got a meterpreter session. When I check privileges, its still user privileges but when I run “getsystem” command, I get system privileges on Windows 10.

Happy HAcking.

HOW TO STAY SAFE: 

Microsoft had already released patches. Just make sure your system is updated.

Password cracking plays a very important role in hacking. We are not always lucky to get credentials during enumeration. There are two types of password cracking.

  1. Online password cracking
  2. Offline password cracking

In this tutorial we will learn about online password cracking. There are many techniques used in online password cracking. Some of them are,

Dictionary Attack: Dictionary password attack is a password cracking attack where each word in a dictionary (or a file having a lot of words) is tried as password until access is gained. This method will be successful when simple passwords are set. By simple, I mean common passwords which can be found in a dictionary like password, iloveyou etc. This type of attack consumes less time but is not bound to be successful always especially if the password is not present in the dictionary.

Brute force Attack: Brute Force attack is a password cracking attack similar to dictionary attack. The only differ ence is in this attack, each and every possible combination is tried until the password is successfully cracked. For example, if there are two words say “abc” and “123” in a wordlist, other combinations like “abc1”, “abc2” and “abc3” a re also tried. Brute force attack will definitely succeed even if it means it will take years to do that.

Hybrid Attack: As the name suggests, it uses a combination of both dictionary and brute force password attacks to crack the password.

Rainbow Table Attack: Rainbow Table password cracking technique uses pre -computed hashes to crack the encrypted hashes.

Kali Linux has various tools in its arsenal for both online and offline password cracking. Some of the online password cracking tools are Acccheck, John The Ripper, Hydra and Medusa etc.

We have already seen the working of the tool Accheck during SMB enumeration. In this tutorial, we will see how to crack passwords with a tool called Hydra. THC-Hydra is a password cracker which uses brute forcing to crack the passwords of remote authentication services. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb , several databases and much more.

On our target Metasploitable2, we have many services which allow remote authentication like telnet, ftp and SSH. We also have rlogin available. We will use Hydra on one of these services. Hydra can be accessed from the applications menu of Kali Linux. It is available both in GUI and command line utility. For this tutorial, I’m using the graphical one.

Once opened, Hydra will look like shown below.

Change the target IP to that of Metasploitable’ s IP.There are many protocols to choose from Here I am choosing ftp. Change the port to 21 as ftp is running on port 21. I selected options “Be Verbose” and “show attampts” to see the cracking process.

Click on “passwords” tab. We can give a single username and password or a file containing a number of usernames and passwords. Here I am giving the same dictionary or wordlist for both username and password. This dictionary is big.txt. I selected the options “Try Login as password” , “Try empty password” and “Try reverse login”. These options are self explanatory.

The tuning tab is used to configure proxy and number of simultaneous tries. I left it as default.

I left even “specific” tab to default. When all the settings are set, go to “Start” tab. To start the attack, click on “Start” button.

The attack is displayed as shown below.

The time of the attack depends on the number of words present in the dictionary or the wordlist we specified. The password is cracked if the phrase is present in the dictionary. If the password is not there in the wordlist, we need to use another dictionary. The big.txt dictionary I used failed to crack the password. So I used another wordlist we made during enumeration “pass.txt”. After some time, Hydra found three valid passwords.

Scroll up to see what are those passwords.

Apart from Hydra, Kali Linux also has command line tools to use for password cracking. One such tool is Medusa. Open a terminal and type medusa to see the options of that tool. Below is the command in medusa to crack ftp using a wordlist.

Once medusa cracks a password, it will be sh own as below. Once again we got three credentials we found also with Hydra.

We have used the same dictionary in both methods, but where do we find this dictionary or wordlist. Most wordlists of Kali Linux are present in /usr/share directory. Given below are different dictionaries in the “wordlists” folder.

These wordlists are named accordingly. For example, “common.txt” contains most common passwords used by users. But what if none of the dictionaries are helpless in cracking the password. Kali Linux also has tools to create our own dictionary or wordlist. Crunch is one such tool. The syntax is given below.

Here’s an example of how to create a wordlist with crunch.

We can also save the wordlist to a  file as shown below.

 

We have performed two types of enumeration till now. Before we perform further enumeration, let us see whether these credentials we acquired can help us in gaining access to the remote system. When we performed a scan with Nmap during scanning and enumeration stage, we have seen that ports 21,22,23 are open and running FTP, Telnet and SSH services respectively.

FTP

FTP stands for File Transfer Protocol. As the name implies, it is used to share or transfer files. This service runs on port 21 by default. Although not quite popular now, it was the most popular way of sharing files in yesteryears. It was quite popular as torrents now, only that FTP is a client-server architecture. Since FTP is used for sharing files, it has a option to enable anonymous downloads. Anonymous download is a type of download where anyone can download the file by logging in with the username of “anonymous” and password as anything. But it a was courtesy to give your email address as password in those days. Enabling anonymous account on FTP server is considered a high security risk especially if the account given not only read but also write permissions. Another disadvantage with FTP is that it uses clear text authentication. So if any hacker is sniffing on your LAN, he can see the username and password in plain text. Ok, Since our target is running FTP service, let us first check if anonymous account is enabled on the server.We can connect to FTP server through terminal by using commad “ftp target address” as shown below.

I try to login with the anonymous account with anonymous as the password and the login is successful. Good, anonymous account is enabled on the target. It’s time to check the permissions given to anonymous user.

I type command “pwd” to see the current ftp directory. It’s root directory. Next I use “put” command to upload a random file to the FTP server. As you can see in the above image, file could not be created. So anonymous account has only “read” permissions. Enabling write permissions to the anonymous account may result in propagation of malware, pirated software etc. So anonymous account is secure in this case. Next I decided to try the credentials I got during enumeration. I decided to try with “msfadmin” first. Login successful. I first checked the contents of the ftp directory. It seems this account has admin rights on the FTP server.

I once again try to upload the “shell.php” into the FTP directory. This time it’s successful.

Now I can upload any malicious file to the server and can use it for any nefarious purpose. or propagation.

TELNET

Telnet is a network protocol used to remotely administer a system. It is bi-directional and interactive communication protocol.Using telnet we can remotely communicate with a system far away. It runs on port 23. We can coonect to a telnet server from terminal just as we connected to a FTP server using command “telnet IP address”. Anyone who successfully logs into telnet will get a shell on the remote system. When I connected to the telnet server of our target system, I didn’t even need any enumeration as the username and password were displayed in the banner.

When I logged in with the credentials msfadmin/msfadmin, as you can see in the below image, I got a normal shell.

Although getting a shell on a remote system is good, we can perform limited operations with this type of shells. But don’t worry, we can get a meterpreter session on the remote system with the help of Metasploit, of course by exploiting telnet.

Start Metasploit and load the telnet module as shown below. Set all the options we need and execute the module by typing command “run”.

You can see that we successfully got a shell just like before. Type command “sessions” to display the sessions we have.

Metasploit provides a wonderful option to upgrade a command shell to meterpreter shell. Load the following post module and the set the session id as that of telnet shell. Run the module.

As you can see in the above image, we successfully got a meterpreter session on the metasploitable system. We can see all the sessions we have using command “sessions”.

We can interact with the session we want by using command “sessions -i id” where id is the session id number. We will see more about meterpreter in our later issues. For the first time, we gained access to the metasploitable system, although with limited privileges.

SSH

SSH stands for a secure shell. It was designed as a replacement for telnet and intended to be secure unlike telnet. SSH is a cryptographic network protocol which encrypts the data during remote communication. Thus it provides security and authentication also takes in encrypted format. Thus even if any hacker is sniffing on the local LAN, he still can’t any SSh credentials. SSH by default runs on port 22. Just like it has a telnet module, Metasploit also has a SSH login module. We will use the same credentials msfadmin/msfadmin to login. Load the SSH login module as shown below and configure required options.

Once all the options are set, run the module as shown below.

We have a successful login. Same as above, we can use “sessions” command to view the available sessions. We can also upgrade this SSH shell to meterpreter just as we did in the case of telnet. That was about how to hack telnet, ftp and SSH.

What We Achieved:

Using the details we gathered during enumeration, we have hacked some serrvices on the Metasploitable system. We have also gained shell and meterpreter session on the system.

 

NOTE: This howto is part of a series “Metasploitable tutorials”.

Enumeration is the process of collecting information about user names, network resources, other machine names, shares and services running on the network. Although a little bit boring, it can play a major role in the success of the pentest. In the previous howto, we saw how to perform SMB enumeration and got some usernames on our target. So we don’t need to perform SMTP enumeration. But we may not be so lucky that SMB enumeration will be successful on every network. For networks like these, we may need to enumerate other services like SMTP.

First let me give you a basic introduction of SMTP. SMTP stands for Simple Mail Transfer Protocol. As the name implies, it is used to send email. It uses port 25 by default. If you ever sent an email, you have definitely used SMTP. SMTP servers talk with other SMTP servers to deliver the email to the intended recipient. Luckily this all happens behind the scenes and we don’t have to break our heads to understand this. But there are some things we have to understand about SMTP that will help us in enumeration.

As the term “simple” implies, SMTP server can only understand simple text commands. Sender of the mail communicates with a mail receiver by issuing these command strings and supplying necessary data. Some of the important commands are

1. HELO – sent by a client to introduce itself.

2. EHLO – another way of client introducing itself to server

3. HELP – used to see all commands.

4. RCPT – to identify message recipients.

5. DATA – sent by a client to initiate data transfer.

6. VRFY – verify if the mailbox exists.

7. QUIT – to end the session.

SMTP enumeration can be performed in many ways. The easiest way to do this is by connecting to the SMTP service port of the target with telnet (we have seen this in scanning and banner grabbing).

As you can see, we got successfully connected. From here, we can verify manually if each user exists or not. If you remember the article on SMB enumeration, we already have some usernames available. Lets use the VRFY command to check if users “user”, “msfadmin” and “root” exist in this system.

Yes, they exist. Similarly, let us test if user kalyan exists. As you can see in the above image, the user kalyan doesn’t exist. Nmap also has a script to perform SMTP enumeration. We can use the script as shown below.

By default, Nmap uses RCPT method to check if a particular user exists. Unfortunately for me, it gave unhandled status code here. This Nmap script can be modified to use different methods. Here I changed it to use VRFY method to enumerate users. I have only scanned port 25 to remove the clutter. But still it gave me the same error.

There is another tool in the arsenal of Kali Lin -ux which is built specifically for SMTP enumeration. Its called smtp-user-enum. Here let us test if a user called “root” exists on the target system as shown below.

Since user “root” exists, I’m assuming other users like “msfadmin” and “user” also exist. While performing SMB enumeration, we created a wordlist which can be users on the target system. Now let’s enumerate if all the users in that wordlist exist. It can be done as shown below.

All the users we got during SMB enumeration exist. That’s good. In this case, we already have the wordlist of usernames (we got during SMB enumeratin). What if we don’t have the exact wordlist. We can use different wordlists present in Kali Linux. These wordlists are present in /usr/share/dirb directory.

What We Achieved?

We got some usernames which may be useful to us while exploiting the system in future. All these usernames have a recipient email address to them.

During a pen test, it  sometimes becomes necessary to change Windows password. Although we have a hashdump feature to dump the password hashes of all users in a remote Windows system, this exploit directly changes the password of the user we want in the registry. Thus it saves the trouble of cracking the password hashes altogether.

This works on a local user account. This can be pretty useful if we need credentials but can’t crack the hashes. Mind that you need to have system privileges on the remote system to use this exploit (See how to escalate privileges). Let’s see how this exploit works.

First acquire system privileges on the system. Background the session (note the meterpreter session id) and load the hashcarver exploit as shown below.

 Type command  “show options” to see the options required. Session is the meterpreter session id, user is the user in the remote system whose password you want to change and “pass” is the password you want to set for the user.

My session id is 2, Kanishka is the username for which I want to change the pasword and I want the new password to be “hacked”.

When all the options are set, execute the exploit using command “run.  The exploit runs as shown and successfully changes the password. Happy hacking.

Here I bring you a fictional account of a Real Time Hacking Scenario originally published in Hackercool Magazine Feb 2017 Issue. This knowledge is strictly for education purposes and should be used only in pen testing.

Hi,everyone. I’m hackercool, allegedly a black hat hacker for some people but I still consider myself a script kiddie. The month of February was jampacked with parties for me. Most important of them was a get together with my scho- ol friends (none of my friends know about my hacker identity). With the ubiquitous smart phones nowadays, many photographs were taken. It was a very good opportunity to test my new digital camera.

I took numerous photographs of my friends in various poses but I didn’t pose for even a single photograph. None of my friends even took note of my absence but it’s a wonderful feeling to get lost in the crowd. You don’t know it. When I began to forget about the party, some of my friends requested me for the photos I took with my digital camera. They asked me to whatsapp them but I informed them I would send them my USB.

By now, my hacker instinct became active. I decided to hack my friends (or atleast try to hack them). I wanted to test how many would fall for it. Stage set. Plan in motion. Most of my friends (or for that matter many computer users in India) prefer Windows as their operating system. So I started my attack assuming my friends are using a Windows OS.

The channel of my attack was sending a USB drive to them which would have not only the party photos but also a specific  malware to hack them. There was one problem though. Even normal computer users would have both Windows Firewall ON and antivirus installed (I’m assuming all my targets are latest Windows 10). So I can’t use any renown malware or RATS since their signatures would be easily detected by many Antivirus.

So I decided to create a customised payload that would bypass most antivirus. Many people just assume antivirus cannot be bypassed but as you will see now, it’s a reality only hackers know about. For this attack, I decided to use Hercules customized payload generator.(More about this payload generator was discussed in Dec 2016 issue of Hackercool magazine and also on this blog). I have used this program a couple of times before and I am loving it.

It almost bypasses all antivirus, ofcourse until now. There’s a reason why I say that. Remember that the battle between malware and anti-malware is like that of between Newt and Garter snake, they continuously evolve. Hercules can be installed in Kali Linux which is my attacker system. (As already told, its installation is given in Dec 2016 issue of Hackercool magazine).

Open Hercules as shown below. It has three options : generate payload, bind payload and update. The first option will just generate a payload we want while the second option will bind the payload with another program’s executabl -e. The second option would have been excellent to me but Hercules seems to be under revamp and this op-tion is not added yet now. So I had no other option but to generate just a payload now. So I chose option 1.

Next, I need to select the type of payload. I had four payloads to select ; meterpreter reverse tcp, meterpreter reverse http, meterpreter reverse https and a Hercules reverse shell. I was not in the mood to try something new. Since I am well accustomed with the meterpreter reverse tcp payload, I decided to choose that option.

Next, I entered some options required for the hack to work.

LHOST= IP of my attacker machine

LPORT= the local port on which the reverse connection is to be sent.

persistence, migration and UPX functions are explained in the NOT JUST ANOTHER TOOL in the Dec 2016 issue of Hackercool magazine. I have not enabled all these options as it would attract the attention of anti-malware.

I named the payload “sunny_leone_unseen”. I hope you already know why but if you don’t know, you will know soon. The payload is saved at the location shown below.

Generating the payload is the easiest part of the hack. Now begins the difficult part. Convincing our victims to click on our payload. I just can’t ask them to click on the payload although that has worked for me sometimes. First I checked the payload if it was indeed undetectable by antivirus. Success there.

After thinking for sometime, I decided to do it in two ways. First one, by binding. Binding is a process of combining two exe files or other files into one. It is the age old way of sending the virus to victims. I chose love calculator as the other program to bind my payload to. Since most of my victims were on the younger side I expect that this will have more probability of being clicked on. The Love calculator is shown below.

Come on, the love between us is only 58.5%.

We have many binders available. A quick Google search should give you enough options. But I used Rakabulle binder for my job. Just add the files to compile as shown below and click on “Build Raka”. That will bind the two programs into one.

But there is a problem with binding. As I already told you, binding has been there for a long time. So even if we bind two genuine programs together, antivirus may flag it off as malware. I wanted to play smart. I also used the second method as backup.

Second method is a bit popular on the internet. It’s changing the icon of the exe file we generated. First, I created a shortcut for my file and changed the icon of the shortcut as shown below. Then I hid the payloa d. Now let me tell you about the name of my payload. My intention is to maximise the chances of my victim’s clicking on my payload. So I gave that name (Just Google sunny leone for more info).

All done. Now before I passed mu USB drive to my friends, I started a listener on Metasploit as shown below.

I have set the required options and typed command “run” to start the listener as shown below.

After starting the listener, I passed on the USB drive to my first victim. I was not expecting very quick results as all of them were employees. To quicken my chances, I gave it to my first victim on Friday evening. I thought the weekend would give them enough time to become my victim. My system was continuously on. It was a horrendous wait but it finally happened.  One victim fell for the trap. I got one meterpreter session. I quickly checked the OS info. It was a Windows 7. I was encouraged.

I was expecting atleast three connection on the same day. So I quickly backgrounded the session and started the handler again to rece- ive more connections. Very soon I got the second meterpreter session.

I sent even that session to background and waited, but there was no third connection. I waited for some more time and went out to do some errand. Even after returning, I had only two connections. So I thik I would have to be  content with them.

 

Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap  in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will see how to hack windows with HTA web server.

First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.

Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload as it is a local exploit.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below

the browser prompts a warning about the payload as shown below.

When the user ignores the user and clicks on “run”,  a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below.

Hello aspiring hackers. Till now we have seen various ways of hacking windows, escalating privileges and creating a persistent backdoor for later access. After we have successfully created a backdoor, it’s time to perform further reconnaissance. Windows post exploitation recon helps us in gathering further info about our target network. This can be helpful to us in finding more vulnerable systems to hack and pivot.

If you have observed carefully while starting Metasploit, it has number of modules specified as “post”. Some of these are useful in recon. For us to do post recon we need to first hack the system and get metertpreter session on it. Now let us see how to perform this recon with Metasploit.

The first module useful in reconnaissance in the arp scanner. Arp scanner helps us to identify any hidden devices in the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning can detect these devices.

winpostexrc1

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

winpostexrc2

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

winpostexrc4

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that.

We can see in this specific case, there are only two programs installed.

winpostexrc5

The enum_logged_on_users module helps us in finding out the users logged in.  This may help us in knowing the usernames of the system.

In our case, we go to know the username as “admin”.

winpostexrc6

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

winpostexrc7

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

winpostexrc8

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

winpostexrc9

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

winpostexrc10

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

winpostexrc11

That’s all for today folks. I will be back soon.