Review #4_Maintaining Access with Weevely

*Book Review, Penetration Testing with BackBox: Stefan Umit Uygur (Author)

Chapter 6 : Maintaining Access
This chapter describes how to plant a backdoor so the target can be accessed easily later. Originally, backdoors were used by engineers or administrators who needed quick access to systems for maintenance. From the hacker's point of view, a stealthy backdoor helps maintain access, because a hacker sometimes loses access to a target when parameters change or vulnerabilities get patched.

Weevely uses a snippet of PHP code to create a terminal on the target server and allows remote code execution via a PHP agent. I had some issues with weevely on my BackBox, so I used Kali Linux for weevely. I used two Kali Linux machines to test weevely. Kali#1 is the victim, which has DVWA set up as a web service. Kali#2 is the attacker, which creates the weevely code and puts it onto Kali#1 to run the backdoor.

First of all, Kali#2 (Attacker) generates weevely.php on the /root/Desktop path with the password 'skyvenom', and this file is moved to Kali#1 (Victim); you can move the file via e-mail, upload, etc. I put the weevely.php file in the '/var/www/DVWA-master' folder.


Secondly, make sure the victim PC runs the web service properly: in this case, set up DVWA, start the apache2 and mysql services, and open localhost or 127.0.0.1/DVWA-master/login.php in the browser. FYI, the victim's IP address is 192.168.247.132.


Thirdly, once you have set up the victim environment and placed the backdoor file (weevely.php) on the target server, come back to the attacker and type the victim's address, the backdoor PHP file and the password, as below. After that you will have successfully accessed the target machine.
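As an added defender-side example (not from the book and not weevely's own code), the following Python heuristic scans a web root such as /var/www/DVWA-master for PHP files shaped like a remote agent: code that decodes or dynamically dispatches and then executes. The indicator lists and the two sample files are constructed assumptions for this example, not weevely's actual agent source.

```python
import re
from pathlib import Path
from typing import Dict, List

# Heuristic indicator groups (assumption: chosen for this example, not taken from weevely).
EXEC_PRIMITIVES = re.compile(
    r"\b(eval|assert|create_function|system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
    re.IGNORECASE)
DECODE_PRIMITIVES = re.compile(
    r"\b(base64_decode|str_rot13|gzinflate|gzuncompress|strrev|hex2bin)\s*\(",
    re.IGNORECASE)
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(")  # $f('...'): function name built at runtime

def score_php(source: str) -> Dict[str, List[str]]:
    """Return which indicators matched in one PHP source text."""
    return {
        "exec": sorted({m.group(1).lower() for m in EXEC_PRIMITIVES.finditer(source)}),
        "decode": sorted({m.group(1).lower() for m in DECODE_PRIMITIVES.finditer(source)}),
        "dynamic_call": ["$var()"] if DYNAMIC_CALL.search(source) else [],
    }

def is_suspicious(source: str) -> bool:
    """An agent must run code it did not ship in clear: execution plus decoding or dispatch."""
    hits = score_php(source)
    return bool(hits["exec"]) and bool(hits["decode"] or hits["dynamic_call"])

def scan_webroot(root: str) -> List[str]:
    """List suspicious .php files under a web root (e.g. /var/www/DVWA-master)."""
    flagged = []
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if is_suspicious(text):
            flagged.append(str(path))
    return sorted(flagged)

# Constructed samples (not real weevely output): an agent-shaped file and a benign one.
AGENT_LIKE = "<?php $c = base64_decode($_POST['p']); eval($c); ?>"
BENIGN = "<?php echo htmlspecialchars($_GET['name']); ?>"

if __name__ == "__main__":
    print("agent-like:", is_suspicious(AGENT_LIKE), "benign:", is_suspicious(BENIGN))
```

Pair the scan with file modification times and a baseline hash list of the web root; a newly appeared PHP file that also trips this heuristic is worth an immediate look.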

Chapter 7 : Penetration Testing Methodologies with BackBox
This chapter is about penetration testing step by step, based on what we learned in the previous chapters:
1) Information gathering: collecting information about the target with 'host -a target.com', the whatweb command, and the 'whois target.com' command.
2) Scanning: getting more useful information like the OS environment, applications, services etc. with Nmap (Zenmap, GUI) and OpenVAS to find vulnerabilities.
3) Exploitation: exploiting the vulnerabilities found in the previous step with MSF (Metasploit Framework).

Chapter 8 : Documentation and Reporting
Documentation and reporting, i.e. creating human-readable content, is also necessary. It's helpful for making a BCP/DRP plan, verifying important assets, or setting up security rules for the firewall and IPS. MagicTree is designed to allow data consolidation, external command execution and reporting.


Review #3_Privilege Escalation with sslstrip and John the Ripper


Chapter 5 : Eavesdropping and Privilege Escalation

Eavesdropping is overhearing the network flow between two devices by intercepting the traffic and capturing sensitive data. Just listening to the network flow is a passive technique (sniffing), while interfering with or intercepting data is an active attack (spoofing). The MITM (man-in-the-middle) attack is the most popular of the active techniques. Privilege escalation is the act of gaining extra access through a bug, a design flaw, etc. Vertical privilege escalation is gaining higher privileges, and horizontal privilege escalation is accessing another account that has the same level of privileges as the account already compromised.

*FYI: The difference between HTTP and HTTPS is 'SSL'. SSL (Secure Sockets Layer) is the security protocol used to establish an encrypted link between the web server and the browser.

As an example, the book shows a MITM attack with the sslstrip tool, which automates the exploitation process: HTTPS URLs are rewritten into HTTP URLs, so the traffic can be captured as clear text. I practised this sslstrip attack with Kali Linux, not BackBox.

Environment
1. Victim: VM, Windows XP, 192.168.247.133
a. Default gateway: 192.168.247.2
2. Attacker: VM, Kali Linux, 192.168.247.131


1. On Kali Linux (Attacker), turn on the packet forwarding function; packet forwarding is sending a packet on to its destination based on its header information. After that, initialize the NAT table with the iptables command and set port 10000 as the port to listen on. The reason it is set with --dport 80 is that the redirected traffic is web traffic (port 80).


After setting up packet forwarding, start sslstrip with the 'sslstrip -a' command and check whether it is running or not with the netstat command.


By typing arpspoof -t [Victim's IP] [Gateway IP], the attacker sends ARP reply packets to the victim that present the attacker's MAC address as the gateway's MAC address (the attacker is pretending 'I am the gateway'). This changes the victim's ARP cache table.


By typing another arpspoof -t [Gateway IP] [Attacker's IP], the attacker pretends 'I'm the victim PC' by sending ARP reply packets that change the gateway's ARP cache table.


You can check the victim's ARP table with the 'arp -a' command and see the attacker's MAC address there. After you have checked that the ARP spoofing is working, the victim goes to the website (Gmail) and signs in.


Once you sign in, you can see 'http' rather than 'https', because sslstrip forces https to be changed into http (this is why we can see the password in clear text, not encrypted). You can see the packet destinations in the Kali attacker's packet forwarding terminal (the fragrouter -B1 command), and see sslstrip.log in the root directory. You can check the password with the '| grep' command, or open the file with a text editor and search for Passwd to find the password information.

You can protect your device by checking the URL (https/http) and watching for certificate/cookie errors. You can also set a static ARP entry with arp -s.
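As an added example (not from the book), here is a small Python monitor for the check described above: it parses 'arp -a' output from the victim, compares the gateway entry against a baseline MAC recorded while the network was clean, and flags one MAC answering for several IPs, which is what the two arpspoof commands produce. The MAC addresses and the two 'arp -a' captures are constructed; the IPs are the ones used in this setup.

```python
import re
from typing import Dict, List

# One IP followed by one MAC on a line covers both the Windows XP style
# ("192.168.247.2  00-50-56-..  dynamic") and the Linux style ("? (192.168.247.2) at 00:50:56:..").
ARP_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})", re.IGNORECASE)

def parse_arp_table(output: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-case, colon separated) from 'arp -a' text."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = ARP_ENTRY.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def check_arp_table(table: Dict[str, str], gateway_ip: str, baseline_gw_mac: str) -> List[str]:
    """Alerts for the two symptoms of the arpspoof pair: a changed gateway MAC and one MAC
    answering for several IPs. An empty list means the cache looks as it did at baseline."""
    alerts: List[str] = []
    expected = baseline_gw_mac.lower().replace("-", ":")
    seen = table.get(gateway_ip)
    if seen is None:
        alerts.append(f"gateway {gateway_ip} is missing from the ARP cache")
    elif seen != expected:
        alerts.append(f"gateway {gateway_ip} now maps to {seen}, baseline was {expected}")
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for {', '.join(sorted(ips))}")
    return alerts

# Constructed captures: gateway and attacker IPs as in this setup, MACs are made up.
GATEWAY_IP = "192.168.247.2"
BASELINE_GW_MAC = "00-50-56-aa-bb-cc"  # record this with 'arp -a' while the network is clean
CLEAN = """Interface: 192.168.247.133 --- 0x2
  Internet Address      Physical Address      Type
  192.168.247.2         00-50-56-aa-bb-cc     dynamic
  192.168.247.131       00-0c-29-11-22-33     dynamic
"""
SPOOFED = """Interface: 192.168.247.133 --- 0x2
  Internet Address      Physical Address      Type
  192.168.247.2         00-0c-29-11-22-33     dynamic
  192.168.247.131       00-0c-29-11-22-33     dynamic
"""
```

Run check_arp_table(parse_arp_table(...), GATEWAY_IP, BASELINE_GW_MAC) on a fresh capture from a scheduled task; the SPOOFED capture yields two alerts, the CLEAN one none.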


For horizontal privilege escalation, the book describes the 'password cracking' technique. There is an offline password cracking tool named 'John the Ripper'. There are three different modes of cracking passwords in John (John the Ripper): 'Wordlist' (trying words from a wordlist file), 'Single crack mode' (using login/GECOS information for cracking) and 'Incremental mode'. 'Incremental mode' is the most effective one, as it covers lots of complicated passwords with symbols, lower/uppercase letters and numbers.


By typing this unshadow command, I can chain the passwd and shadow file contents into the 'crack.password.db' database for the John program. The command below, #john /tmp/crack.password.db, requires a lot of CPU processing (that is, it is CPU-time consuming) because it is a brute-force attack. John the Ripper is actually used for security checks of passwords. There are a lot of tools to gain root other than John the Ripper; if you use John the Ripper, it would be easy to get caught by detection tools (NMS) because it consumes a lot of CPU power.
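As an added example (not the book's and not John the Ripper's own code), this Python reproduces what unshadow does, joining passwd and shadow on the user name, and then classifies each hash by its crypt prefix so an administrator can find weak (md5crypt, descrypt) or empty entries before an attacker does. Account names and hashes are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample lines: fake accounts and fake hashes, not from any real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
svc:x:1001:1001:Service Account:/var/lib/svc:/usr/sbin/nologin
legacy:x:1002:1002:Old Box:/home/legacy:/bin/sh
"""
SHADOW = """root:$6$saltsalt$FAKESHA512HASHFAKESHA512HASH:19000:0:99999:7:::
alice:$1$abcdefgh$FAKEMD5HASHFAKEMD5:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
legacy:ab4KT0wX9FAKE:19000:0:99999:7:::
"""

# crypt(3) prefixes; anything not listed is reported as unknown rather than guessed.
HASH_FAMILIES = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
                 "$2b$": "bcrypt", "$2y$": "bcrypt", "$1$": "md5crypt (weak)"}

def unshadow(passwd: str, shadow: str) -> List[str]:
    """Join passwd and shadow on the user name, as the unshadow tool does:
    the 'x' placeholder in field 2 of passwd is replaced by the shadow hash field."""
    hashes = {}
    for line in shadow.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])  # keep 'x' if no shadow entry exists
        merged.append(":".join(fields))
    return merged

def classify_hash(h: str) -> str:
    """Name the hash family so weak or empty entries stand out in an audit."""
    if h == "":
        return "EMPTY (login without password)"
    if h.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_FAMILIES.items():
        if h.startswith(prefix):
            return name
    if len(h) == 13 and "$" not in h:
        return "descrypt (weak, truncates to 8 chars)"
    return "unknown"

def audit(merged: List[str]) -> Dict[str, str]:
    """Map user name -> hash family for each unshadowed line."""
    return {line.split(":")[0]: classify_hash(line.split(":")[1]) for line in merged}
```

On a real host run audit(unshadow(open('/etc/passwd').read(), open('/etc/shadow').read())) as root; the md5crypt and descrypt entries are the ones John finishes first.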


Review #2_OpenVAS and SQLmap


Chapter 3 : Vulnerability Assessment and Management

BackBox's OpenVAS isn't working for some reason, so I used Kali Linux for the vulnerability assessment practice with OpenVAS. I set up OpenVAS following these instructions: http://www.hackingtutorials.org/scanning-tutorials/installing-openvas-kali-linux/. If you haven't added a new user, the default will be 'admin' and the password will be the long string of characters and numbers shown by 'openvas-setup'.


Based on the OpenVAS scanning result, you can see the severity and look up more about each vulnerability on CVE, NIST or other references. Sometimes the results are false positives, so you can try to exploit a suspected false positive and see whether it works as a legitimate vulnerability or not.

Chapter 4 : Exploitations

We have learned how to gather information about the target system and its vulnerabilities from the information gathering and vulnerability assessment steps (sniffing, scanning). The next step is exploitation, which means using this information (the vulnerabilities found earlier) to manipulate/exploit the target. There are various ways to attack/exploit, like SQL injection, XSS attacks, DDoS, fuzzing, etc. In this chapter, the author describes 'SQL injection'.

SQL injection is inserting a SQL query as input data from the client (attacker) into the application. I assume a lot of people are familiar with entering (ID: ' or 1=1-- and PW: anything) as a SQL query.

For the testing environment, I downloaded and unzipped DVWA-master from www.dvwa.co.uk/ and turned on the apache2 and MySQL services after deleting the password in the config.inc.php file.


This VMware guest's IP (Victim) is '192.168.247.131', and I tested whether apache was running well by typing localhost and localhost/DVWA-master/. (Sometimes you need to unzip the DVWA-master file under /var/www or /var/www/html; it depends on which Kali or OS version you are using.)

Once the victim environment is set up, you can go to the BackBox VM (attacker) and start sqlmap in a terminal. Since the DVWA website requires authentication, you might want to capture the login cookie value with Burp Suite or a cookie manager and pass the PHPSESSID value to the sqlmap command.

sqlmap -u "http://192.168.247.131/DVWA-master/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=gc9747lh3krqd65554vnjj85e5" --string="Surname" --dbs
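As an added example (not from the book and not DVWA's code), this Python stand-in for the DVWA sqli page shows why the ' or 1=1-- input works: the string-built query beside its parameterized fix, plus a boolean-based probe in the spirit of sqlmap's --string option that tells an administrator whether a parameter reaches the SQL parser. The users table rows are constructed.

```python
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for DVWA's users table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")])
    return con

def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> List[Row]:
    """The shape of the low-security sqli page: the id parameter is pasted into the SQL text,
    so ' or 1=1-- closes the quote, adds a true condition and comments out the rest."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> List[Row]:
    """Fixed version: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()

def is_injectable(lookup: Callable[[sqlite3.Connection, str], List[Row]],
                  con: sqlite3.Connection, base_id: str = "1") -> bool:
    """Boolean-based probe like sqlmap's --string comparison: if an always-true and an
    always-false suffix produce different result sets, the parameter reaches the SQL parser."""
    true_case = lookup(con, f"{base_id}' or '1'='1")
    false_case = lookup(con, f"{base_id}' and '1'='2")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, ' or 1=1--:", lookup_vulnerable(db, "' or 1=1--"))
    print("parameterized, ' or 1=1--:", lookup_parameterized(db, "' or 1=1--"))
    print("injectable?", is_injectable(lookup_vulnerable, db), is_injectable(lookup_parameterized, db))
```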


Review #1_Information Gathering with whatweb and recon-ng


Since I read a book about Kali Linux recently, I wondered whether any other penetration testing distributions like Kali exist. I came across BackBox, which is based on Ubuntu and has features for black and white-hat hackers. Like Kali Linux, BackBox also comes with lots of security tools, like web application analysis and stress testing etc., with a light desktop manager named XFCE. BackBox is designed to use very little memory and few resources, so it can function on pretty old and obsolete hardware as a normal auditing platform. Unlike the book that I recently read about Kali Linux, this book doesn't describe how to download and set up the environment for VMware or any other way, so I had to search and install it by myself. (Maybe it's pretty easy to install the ISO in VMware.)


Chapter 1 : Starting Out with BackBox Linux

This chapter is a summary of the security features and tools installed on BackBox, starting with Information Gathering tools, Vulnerability Assessment and Miscellaneous tools. Most features seem pretty similar to Kali Linux tools, but I find that in BackBox there are documentation & reporting tools and reverse engineering tools. Also, it's pretty cool that there's an 'anonymous' entry on the main menu, which helps make the user invisible on the network.

Chapter 2 : Information Gathering

In the Chinese The Art of War, there's the term '知彼知己 百戰不殆', which has a similar meaning to 'Know your enemy and know yourself, and you will never lose'. Information gathering is a very basic yet very important step of ethical hacking / security assessment. Collecting a lot of information about a target is useful for planning the assessment further.

Whatweb is an effective tool to figure out what kind of applications the target side runs. You can find the whatweb menu under [Auditing] > [Information Gathering] > [Web Application], and it's easy to use: just type 'whatweb target web address'. I found a warning message, "duplicated key with 2nd_level_registration", which is caused by a Ruby issue. But you can still see the target's IP address and other information after the three warning messages.


*If you have any trouble finding tools on the menu, you might want to check whether your BackBox has those tools or not. If there is no command related to the program then you might want to install it; for example, type 'sudo apt-get install recon-ng' (it might ask you to type a password). If it shows 'E: Unable to lock directory' or 'E: Could not get lock' errors, then you need to type
'sudo rm -rf /var/lib/apt/lists/*'
'sudo apt-get clean'
'sudo apt-get update' or 'sudo apt-get install whatweb'
For more details, https://www.maketecheasier.com/fix-ubuntu-update-errors/


Recon-ng is a well-known tool for information gathering. As the book describes, one of its relevant features is modularity, which means you can download useful modules or build your own to narrow down the information. To install recon-ng on BackBox, you need to type 'git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git'. For more information: https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide


*FYI: Since I downloaded recon-ng somewhere else, I typed 'cd ~/recon-ng' to find recon-ng and typed the './recon-ng' command to start it. You can also give a workspace name if you want to make a separate workspace: './recon-ng -w workspacename'. If you just start it without a workspace, it will be assigned to the [default] workspace.

There are four module categories in Recon-ng: 'Discover', 'Experimental', 'Recon' and 'Reporting'. The first example in the book uses the 'recon/hosts/gather/http/web/google_site' module, which I couldn't find in the updated version of recon-ng. Also, another module, described in the book as 'recon/contacts/gather/http/api/whois_pocs', is now 'recon/domains-contacts/whois_pocs' (I used the search command to find the 'whois_pocs' module). Without searching for a module on Google, you can easily guess what a module does by checking out the module's name. This module collects domain contacts like e-mail addresses via whois. So you have to load the module, set the domain with 'add domains target.com' and run it.


Nmap

Nmap is also a well-known tool for information gathering. I've already learned a few functions from the Kali Linux book, but nmap is quite useful if you know the commands for port numbers and services. You can also get details of the applications installed or running on the target machine, which means you can detect vulnerabilities from nmap.
