Category Archives: Pentesting

There’s a lot that is involved with penetration testing. I want to learn more about what it is, and I’ll record what I learn here. If you want offensive techniques, they’re here.

Installing Kali and Metasploitable on VirtualBox

Have you ever wanted to be a 1337 hacker like you see in the movies? Metasploit automates some of the harder tasks related to penetration testing. This blog post is a quick setup guide for two virtual machines that will let you explore how to use Metasploit.

Step 1: Get files needed to create the VMs

Step 2: Setup Kali

Open VirtualBox, click File > Import Appliance. Choose the kali.ova file that you downloaded from the link above. Click continue to review the VM settings. Hit import, none of the settings should require changing. The import will take a few minutes to complete depending on your machine.

If the VM fails to start after import, read the details of the failure. If it’s related to USB emulation then change the settings. Open the VM settings by right clicking the VM. Click settings. Find the ports tab and click USB. Change the emulation from 2.0 to 1.1 and everything will be good to go.

The default credentials to log in are u: root / p: toor. To use Metasploit for the first time there’s some setup required. Using the terminal, start a postgres database by running service postgresql start. Initialize the database by running msfdb init. Check Metasploit by running msfconsole.

Step 3: Setup Metasploitable2

We will need to create a linux machine and use the virtual hard drive from the .zip folder that was downloaded earlier. First step is to unzip the folder and find the Metasploitable.vmdk file.

Next go to VirtualBox and create a new 64-bit Ubuntu machine. Name it whatever you’ll remember. I used Metasploitable2. Click continue once everything looks correct.

Change the memory size to at least 512 MB and click next. Then select “Use existing hard drive” and select the .vmdk file we found earlier. The last step is to click create.

Start the box and confirm everything is working as expected. The default credentials are msfadmin/msfadmin. Type ifconfig to see what the box’s IP address is. This will come in handy when trying to scan for the machine from Kali. My machine is at 10.0.2.15.

Step 4: Double check networking

Metasploitable is one of those VMs that are intentionally vulnerable for you to attack. To ensure that no one else attacks your box, make sure it can’t access the internet by confirming in VirtualBox that the network type is set to NAT.

Host-Only would work if we weren’t using another VM to use Metasploit. This is still an option if you want to install Metasploit on your base host and skip the Kali install.

Step 5: Attack

Now play around with Metasploit! Get on Kali, ping the Metasploitable2 machine to make sure it’s in reach. Run msfconsole for a CLI interface or open armitage for a GUI. A lot of walkthroughs are online that can be a good place to start playing with Metasploit.

More info

For more information on how to use Metasploit, check out Offensive Security’s free course. Look for some articles such as the series from null-byte. Read a book about it, buy now from No Starch Press. My motive for posting this is a lightning talk I gave at #misec this month. The IntroToMSF slides are hosted here for those who are interested.

Breaking My Blog with WPscan

One of the tools offered by default in Kali and many other hacking related distros is WPscan, a black box WordPress vulnerability scanner. I wanted to learn how to use this tool because it would help with recon on CTF challenges, practice boxes from vulnhub, and even trying to keep my own blog vulnerability free.

Disclaimer

Before I tell you more about the tool and how it can be used, I have to throw out the usual disclaimer. Do not use this tool on any WordPress site you don’t own or have permission to scan. I ran WPscan on my own blog and brought the whole site to its knees. If you did that to a professional blog or your company’s blog then you could have major problems when you get caught.

Setup

If you don’t have a personal WordPress instance to test, then look at getting OWASP’s Broken Web App installed. It has a vulnerable instance of WordPress included that you can scan against and even try to harden. When things break, just reinstall the VM and start over from scratch.

I have a Kali VM installed on most of my computers. By opening a terminal and typing wpscan -h you can learn about all of the options and possibilities for how to scan a WordPress instance. If you want to avoid all the “bells and whistles” then just run wpscan --url <target> --enumerate p to scan and try to find vulnerable plugins.

The scan and the results

WPscan scans the site looking for version numbers and other exposed information that can be compared to a database of vulnerabilities. While running the scan against my site, there was one vulnerability found. There was also a small issue because the WordPress version was public. I was able to research the vulnerability using the links provided from the scan output. While the “fix” isn’t a perfect patch, it’s better than ignoring the vulnerability until the next update is ready. The version was easy enough to hide by deleting the stock readme.html file.

The issue wasn’t removed on the next scan. The scanner is a quick tool to find some vulnerabilities based on version numbers and other information from the site. There are no proofs of concept or attempts to validate whether a vulnerability is a false positive.

Unexpected fun with WPScan

While running the scanner, the --enumerate p option will brute force the website with requests to gather information about plugins. This crippled my site when over 20 simultaneous database connections made the site unresponsive. This wasn’t solely due to the scanner, but to the fact that I created this blog in college, which means I took the cheap and easy route. Digital Ocean’s one click solution on the smallest VM made that possible.

The reason I’m not afraid to tell all you hackers about this is because I was able to resolve the issue with some help from friends at #misec. They told me about adding a swapfile that could help boost some power to my little VM. Since then I’ve been able to run WPscan multiple times without a single fatal performance issue.

Edit: A swapfile is NOT recommended for preventing DoS resulting from scans or a spike in traffic. This is a quick fix and a cheap band-aid. If your company uses WordPress or you have a personal blog that’s getting a lot of traffic, upgrade the VM or migrate to a better server that can handle the requirements. This was pointed out to me when I first heard of using a swapfile and again on Twitter after posting this.
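Since the scan’s plugin enumeration is what tipped the site over, a cheap place to start on the defensive side is spotting that burst in the web server log. The following is an added example, not code from the post or from WPscan: it parses constructed Apache-style combined log lines and flags any client that requests many /wp-content/plugins/ paths within a short window (the threshold and window are assumptions you would tune).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def plugin_enum_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: max_hits_in_window} for clients that requested at least
    `threshold` plugin paths inside any `window`-long interval.
    The plugin-path prefix is what wpscan --enumerate p probes; threshold and
    window are assumed tuning values, not wpscan constants."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status = parsed
        if path.startswith("/wp-content/plugins/"):
            hits[ip].append(ts)

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        # Sliding window over the sorted timestamps of this client's plugin requests.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample log: one client hammering plugin readme files (what an
# enumeration scan looks like) and one ordinary visitor.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Jun/2017:10:00:{i:02d} +0000] '
    f'"GET /wp-content/plugins/plugin{i}/readme.txt HTTP/1.1" 404 210 "-" "WPScan"'
    for i in range(12)
] + [
    '198.51.100.7 - - [12/Jun/2017:10:00:05 +0000] "GET /wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2017:10:00:06 +0000] "GET /2017/05/converge-2017/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    'this line is garbage and must be skipped',
]

if __name__ == "__main__":
    for ip, count in plugin_enum_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} plugin requests inside one window")
```

On a real server, feed it the access log instead of SAMPLE_LOG and rate-limit or block the flagged address at the web server or firewall rather than at WordPress, which is already the part that is falling over.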


Converge 2017

May 11-12th was the Converge conference. If you’re in Michigan and are curious about information security, then I suggest you look at attending next year. For those that missed this year, Irongeek recorded all the talks and posted them online for you! Watch some of the talks and then put an alert on your phone to buy tickets for next year.

Converge is a great conference. I’ll admit I’m partial because it’s in my backyard. However, that isn’t the only reason I like it. The talks cover great content, the speakers are friendly, and it’s not so big that guests feel like they’re lost in a sea of other attendees.

Volunteering

On Thursday, I spent the morning volunteering with Irongeek recording talks for track 2. Helping with A/V is great because I get to volunteer and watch talks with a front row seat. In the afternoon I networked with people in the halls, after all that’s the most important part of a conference, right?

Friday was a lot of fun. I started off by playing with a new toy: a Nexus phone loaded with Kali NetHunter. I’m still exploring the tools on it, but one of them is called the Mana wireless toolkit, which allows me to broadcast a wireless network. This makes for excellent trolling, especially for those who get the inside joke. There was some evidence at GrrCON a few years ago.

I know at least one person noticed because they had a screenshot for me to share!

Learning how to pen test

The rest of the day, I was in training for web application pen testing. Kevin Johnson from SecureIdeas offered a 1 day version of his week long training course. We went over a lot of great topics, like his recommended methodology and the tools that pen testers can use.

While the training was amazing, it’s still something that Kevin offers others, so I don’t want to spill too many secrets. I do suggest that if you’re interested you take a look at his site, secureideas.com.

I’ve said it before on these blog posts and I’ll say it again. Conferences are a great center for networking, learning, and growing if you’re looking at getting into the information security industry. Hopefully my stories from this year’s Converge have convinced you to attend the next conference in your area!

OverTheWire: Leviathan

Hello everyone, thanks for looking at my last post about OverTheWire: Bandit. Since my traffic has been consistently about 10x my average for the last four days, I wanted to write a follow up post about the next wargame offered by OverTheWire, Leviathan.

All over the exercises, they say to not post walkthroughs or writeups, so I won’t. I will do my best to promote the project without giving away the important stuff. If you’ve done the Bandit challenge already with or without a group, I suggest trying Leviathan on your own. Leviathan only has 7 levels, which by myself, took me just under 2 hours.

Leviathan Lv7 end message
Just to prove I made it through the lessons!

Shh, don’t tell, here are some tips

Now the site does say it’s 1/10 for difficulty, so it should not be hard, right? Well… it is if you have no idea what you’re doing, so you should definitely start with Bandit if you’ve never used bash before.

Remember what you learned from Bandit. Cat files, ls directories, and don’t forget that passwords are stored in /etc/leviathan_pass/. There are two commands that you should read the manual for: ltrace and ln. You might need to find a website to convert combinations of only 2 numbers (well, 10 😉 ) to readable letters.

That is all the help I am willing to give you guys, otherwise you would not learn anything. There are only six levels and you should be able to figure most of it out. Trust me, there are walkthroughs you can google (BUT SHOULD NOT)… I will admit that I did that for the second level, but that does not make it ok. It is a cheap way to get to the next level and you do not learn as much. Definitely try to do as much as possible without looking up the password or how to get it.

OverTheWire: Bandit

Hey everyone, this post about Bandit is NOT a walkthrough of the greatest (only) “learn bash hacking” programs I’ve completed. This is NOT going to give you an advantage if you’re looking for cheat codes. This post will hopefully make you click on OverTheWire and want to try it out for yourself.

Why you should try Bandit

Do you work with Linux, bash shells, scripts, or ever have to deal with the command line? If you are a developer, network admin, forensic analyst, incident responder, pentester… or in any other IT job, the answer is most likely yes (unless you have some serious automation or “a guy” for that). Whether you’re entering a new field or you need a refresher course, Bandit is the first of many wargames offered by the good looking hackers of OverTheWire. Start at Lesson 0 and work your way through them all.

Last night, I met up with a group of fellow hackers from #Misec and we tackled it. We went from 4pm to 12am, only stopping for a taco/wings run. We had a wide range of skill levels, from 15 years of experience to a recent college grad, but we were able to go through the tasks at a pretty even pace. Doing this training in an open group where everyone discusses their tactics was really cool because there are multiple ways to do the same lesson; there’s never one right answer. I highly suggest you do the same. Get a group of 4-10 people, grab a six-pack and hunker down somewhere.

Helpful Hints

By the end of the night, I had expanded on the bash commands I already knew like ls, cat, chmod, mkdir, touch, openssl, and vi/nano/vim. I looked at the man page (help documentation) for the first time for other commands I had heard of but didn’t use: grep, file, diff, gzip, tar, and so much more. Seriously guys and gals, you will not complete this course unless you type <cmd> --help or man <cmd>.

There was only one really tricky lesson in Bandit for those unfamiliar with development or python. So to assist but not give the answer away, I’d like to point a few things out about python. Please note this is one specific way to beat this level; @jadedtreebeard found a faster way to beat this level without even touching python.

  • Run python scripts by writing: python filename.py
  • Variables have type, so numbers (30002) are integers and words are strings (“words”)
    • Change integers to strings: str(myVariable)
    • Change strings to integers: int(myString)
  • Importing packages is the first thing to do in a .py file
    • I suggest you look at socket *COUGH COUGH*
  • range(x, y) will give you a list starting at x going to y
  • For loops will loop through every object in a list
    • Syntax: for something in list:
    • Indent under that line and it’ll be included in the loop
  • If statements are powerful
    • What would happen if you only did something when a variable contained a certain substring
      • if only “Correct” was in someString: then I could print someString only when it has the right values instead of every incorrect one as well… 😉

There are 27 lessons in Bandit, it took our group 8 hours to casually and thoroughly go through every lesson. A few are very tricky. I suggest you a) read cmd manuals b) read the associated links from OverTheWire for each lesson c) brainstorm and bounce ideas around your group. The only thing you should not do is google the answer, this is a public activity and other people have already done this. I suggest you stay away from googling “how to complete Bandit”…. It’s not cool, you can learn so much more by following a-c.

Lastly, I want to give a shout out to @Ashioni of @CBI_IT, @JadedTreeBeard, @bigryanb, @EquinchOcha and the other hackers in my group whose Twitter handles I do not know… It’s because of them I had such a fun time instead of pulling my hair out when I got stuck on lesson 28. If you are in the Michigan area, you seriously need to look up #Misec, it’s a great group of people. Reach out to @Ashioni, he is trying to set up a workshop at @CBI_IT to go over these exercises.

After you’ve conquered Bandit, move on to the next level: Leviathan. I suggest trying Bandit in a group with other people, but Leviathan should be pretty tame and is a good way to test your individual skills.

Exploiting BWA (Broken Web App)

Two posts ago, I wrote a quick post about installing OWASP’s Broken Web App. This post will be about exploiting the BWA and by that I mean I’m posting a few comments on how to do some reported vulnerabilities from sourceforge and irongeek.com. This post assumes you have the OWASP BWA virtual machine up and running and that your VM IP address is mapped to owaspbwa.com in /etc/hosts (in your testing machine, not the VM).

I’ll do my best to give a complete list of information for each hack. Including where to go, what to do, how to exploit, and why the exploit is a thing. (If there’s interest, I might come back later and add a how to fix section for exploits I know how to fix)

List of exploitable vulnerabilities by type

XSS

  1. Reflected XSS
    • goto: owaspbwa.com/peruggia/index.php
    • action: Click on Learn in the navbar. Then click on one of the Papers listed on that page.
    • description: This loads a new page. In your URL look after the ? symbol, you will see “parameters” and their values. What happens if you modify the values right from the URL? What if you injected some nice javascript?
    • exploit: Change a value to <script>alert(1)</script> so the url might look like http://owaspbwa.com/peruggia/index.php?action=learn&type=<script>alert(1)</script>&paper=…
  2. Moar reflected XSS
    • goto: owaspbwa.com/getboo/
    • action: Search for something like “foobar”.
    • description: Variables stored in the url can be modified like above
    • exploit: Replace your keyword with the XSS script from 1.
  3. Stored XSS
    • goto: owaspbwa.com/wackopacko
    • action: Log in, view an image, and leave a comment.
    • description: If there is a lack of validation, you can write code and leave that in your comment.
    • exploit: Use a script while writing your comment. A fun one is <script>x=prompt("Question");document.write(x);</script>

SQL Injection

  1. Login Bypass
    • goto: owaspbwa.com/peruggia
    • action: Log in
    • description: If users are stored in a database, a query is comparing the existing users to the parameters you give. This can be manipulated into whatever you need, even logic that overrides a password
    • exploit: Leave the password blank and use ' or 1=1-- -&password=aaa as the username
  2. Display useful information for more hacks
    • goto: owaspbwa.com/peruggia
    • action: View a picture
    • description: URLs sometimes contain parameters that become SQL queries. These can be manipulated as well
    • exploit: Replace the value of the pic id in the URL and make it -1 union all select 1,2,3,@@version

Directory Browsing

  1. View directory contents, not webpages
    • goto: owaspbwa.com/peruggia
    • action: Try to find common directories that are used in web apps like images/ css/ or config/
    • description: Most web apps do not expect you to browse directly to a directory using the URL. They aren’t properly configured to stop a user from viewing all the contents in that folder
    • exploit: Append to the end of the URL a directory you want to travel to. such as images/

Broken Authentication

  1. Add or remove accounts (without admin credentials)
    • goto: owaspbwa.com/peruggia
    • action: Log in to admin (admin/admin), view the account tab and add a new user foo. Re-log in as user (user/user)
    • description: Without proper authorization, a regular user could act as an admin
    • exploit: Append index.php?action=account&deleteuser=someoneiwanttodelete to the end of the url
  2. View “your uploads” of other people
    • goto: owaspbwa.com/wackopacko
    • action: Log in to a user (bryce/bryce) and click the link “view your uploaded pics”
    • description: The action describes the intended use of the functionality. However look in the url, the only thing making sure you are viewing your pictures is the id. What if you changed that id?
    • exploit: Modify userid to a different value to see someone else’s uploaded images

Direct Object Reference

  1. View any user like they were your friend.
    • goto: owaspbwa.com/AppSensorDemo/home.jsp
    • action: Log in and view some of your friends
    • description: An account may only be friends with 20 or so other users. They don’t have direct links to users who aren’t friends, so that user can’t see non-friends right? Wrong. Each user is directly referenced by their ID
    • exploit: Change the ID in the URL to any number you like, most likely you won’t find a user because it’s random, but if you wrote a script, it could iterate through all the IDs and find every user

Feel free to add a comment below if you find another exploit I didn’t include. I’d be happy to add it to the post if you follow the format below!

  • goto:
  • action:
  • description:
  • exploit:

Enumeration Part 1

Following my post from two weeks ago about Scanning, enumeration is a network hacker’s next step. Enumeration is when you probe services (that were identified from scanning) for vulnerabilities. Up to this point we were able to keep an anonymous veil around us. However, enumeration requires active connections or direct queries to your target, which could be logged or captured and then used against you. Typically you are looking for usernames (that you can use for brute force guessing), email addresses (used for phishing attempts), or misconfigured/outdated systems with known vulnerabilities. The majority of information is gathered from services on FTP (port 21), Telnet (port 23), and Simple Mail Transfer Protocol or SMTP (port 25).

Banner grabbing is hitting remote services and gathering their output for more information. Most operating systems have a telnet tool you can use in the terminal to access those. Try netcat to grab more information as well. Read this article all about using netcat.

FTP enumeration exploits easy access to the file transfer protocol. There are terminal ftp tools and even graphical ones like Filezilla that you can use to try to connect to a server’s FTP. Servers that allow open FTP are at risk of buffer overflow, which will ensure complete compromise of that system.

SMTP enumeration uses the same telnet session with the commands vrfy (verify) and expn (explain) to get info about how the server’s users are set up, i.e. an example of e-mail layouts or what account is in use. vrfy.pl is a tool that automates this process to make it a little easier.

DNS zone transfers are where servers dump mapping information to a remote user. This can happen if the server is misconfigured and allows any user to dump that information. DNS cache snooping is similar, where any user can read the DNS cache and get information like frequently used URLs. An automated way to grab this information is dnsenum from google.

There’s a lot more about Enumeration which is why this post is only part one. There’s a lot more I want to research before trying to explain it any more. So look forward to my next post where I continue to explain Enumeration!

Scanning

Once you’ve found a target and it’s time to dig in a little more to find a way in, start with scanning.

Try to Follow these steps:

  • Determine if the system is alive
    • Try using ping sweeps, nmap offers this with the -sP option
    • ICMP Queries offer  a wide range of information about a target
  • Determine which services are running/listening
    • Sending packets to TCP / UDP ports to see what is listening
    • There are a variety of tools, nmap, netcat, and strobe are examples
  • Determine the Operating System
    • Get content info from FTP, HTTP, or others. I’ll discuss that in a later blog
    • Google Active Stack Fingerprinting, it’s basically a way to statistically guess the operating system info.

The information you collect is critical to finding an attack that will actually work, so be sure you find out everything you can.
The links in the steps above will help you learn about each part more specifically, they’re links to external articles.

Footprinting

Footprinting is gathering information about a target before attempting to hack them. There are a few ways to do it, but the important part is getting the right details: what kind of servers are in use, what kind of operating system is in use, what deployment and version control systems are in place… Things like these will lead you to what vulnerabilities to use to get into the system.

It’s a good idea to have a complete idea of who your victim is before you try to attack them. The last thing you want is a surprise, picture trying to break into a bank and not knowing the security guards had guns.

Footnote: I’m not promoting anyone to do anything illegal, there is a reason why we set up an environment with our own victims. They aren’t physical entities like the bank example, but it’s not illegal to track your own system.

Who Are You?

Something pretty basic that I didn’t cover early on is anonymity. Do bank robbers wear masks? Unless you want the police knocking on your door the next day. I suggest you look up the Tor project. It’s a proxy network that divides your data into packets and sends each one randomly through different bots on the network.

While some may say Tor isn’t secure, you need to realize that nothing is perfectly secure. Driving a getaway car after removing the license plate might make it hard to be caught, but police can still catch you using the color, make, etc. of the car.

If you don’t want to use your home IP address or you are doing something that you don’t want others to find, then I suggest you find Tor.