Dirb is a web content scanner

Dirb is a web content scanner, it’s principal features are scanning and attacking folder that is hidden within websites, Dirb makes this possible using dictionary based attacks against the servers mostly HTTP requests.

Dirb comes with default wordlists to easy the process of the attacks, the main purpose of Dirb is to be used in web application auditing, it helps the professional’s to test the security parameters included to protect websites, Dirb occasionally coves some holes that are not covered by the classic tools used to scan website vulnerabilities, the reason is that Dirb looks for specific objects located on the website. it doesn’t look for general vulnerabilities, it’s purpose is to look for web content that can be vulnerable.

How Dirb works:

Dirb has an internal wordlist file that by default has around 4000 words for brute force attacks. There are also a lot more updated wordlists available over the internet that can be used as well. Dirb makes a search of the words in its wordlist in each directory or object of a server or a website. It might be an admin panel or a subdirectory that is vulnerable to attack. The most fundamental thing is to find the objects as they are hidden.

How to acquire it?

Download Dirb via Sourceforge: https://sourceforge.net/projects/dirb/

Using Dirb:

First, you need to download Dirb.

To uncompress the compressed Dirb file, you can use the next command:

sudo tar -xvzf dirb222.tar.gz

The Dirb folder is now uncompressed, and you can see it with ls command:

Go to the dirb directory and make executable configure with next command:

chmod u+x configure

Run configure and then type make:

Dirb is now installed, and you can use it with next command:

./dirb URL

Testing for Special Vulnerable list:

Dirb can be used to test for specific vulnerable objects within particular types of web technologies. Every web technology has its unique vulnerabilities. They are NOT all the same. Dirb can help one search for specific vulnerable objects specific to the particular technology. Also, we should mention that these tests are often performed over the TCP ports that handled the web services, these ports are:

  • TCP/80 – HTTP
  • TCP/443 – HTTPs, SSL

Also by the time of an attack, these ports must be opened to host the web services so the firewalls cannot do much about it to prevent attacks directed to these ports.

Dirb has specific wordlists to search for these vulnerable often hidden objects. You can find them at:

cd  wordlists/vulns

Then list the contents of that directory:

ls -l

There are some files listed for each of the specific vulnerabilities to test. If your web server is Apache and you want to test it use apache.txt

To run

./dirb http://webscantest.com  wordlists/vulns/apache.txt

Bash Scripting. Shebang

Introduction:

The command interpreter or shell is a program that allows users to interact with the system, processing the orders that are indicated. The commands that can be invoked from the shell can be classified as internal (actually correspond to commands interpreted by the shell itself) and external (correspond to executable files external to the shell). In addition to commands, the shells offer other elements to improve their functionality, such as variables, functions or control structures. The set of internal commands and available elements, as well as their syntax, will depend on the concrete shell used.

In addition to using the shell from the command line (based on the prompt as the indication of the shell to announce waiting for a command from the user), it can be used to interpret shell-scripts. A shell-script or “command script” is a text file that contains a set of commands and commands interpretable by the shell.

In the S.O.’s Unix, there are multiple shell implementations (in Windows, the equivalent would be the “command.com” or “cmd.exe” programs). Attending the shell from which they come and their syntactic similarity (including their internal commands), the Unix shells can be classified into two large families (there are some additional shell, residual use and within the shells of the same family there are also differences, but much of its syntax is common).

What’s a bash script? What they are and what they do?

Simple, a bash script, allows you to execute commands from a “file”. What do we need to understand this? We need to understand that the “interpreter” is the shell. What do we mean when we say that the interpreter is the shell? Well, with a bash script, you can have unlimited functionality when it comes down to the Unix toolset, for example, if you are performing Python scripting, the whole idea of “modules” comes to mind, but, if we use bash scripting to create a script, it’s more convenient, because you won’t have to install dependencies, additional extensions or “modules”.

Is bash scripting better than Python scripting? Well, this point, depends on the background and perception of the programmer, but if you ask any system administrator, they will prefer bash scripting over Python, why?, because by comparing them, Python is less “reliable”
when it comes to “bashing”, on the other hand, in Unix, (remember, because the bash use the shell as an interpreter), the shell its build in on Unix, and will enable you to use the entire Unix toolset which means that you’ll be able to control sockets, just by typing each command on each line, this makes this process, very intuitive and easy to understand.

Running Bash scripts

Running a Bash script is fairly easy. Another term you may come across is “executing the script” (which means the same thing). Before we can execute a script it must have the execute permission set (for safety reasons this permission is generally not set by default). If you forget to grant this permission before running the script you’ll just get an error message telling you as such and no harm will be done.

Bash Scripting. Is the best… But, for what exactly?

Bash scripting allows system administrators to copy, update, and do backups of files, almost automatically. You can create bash scripts to do many tasks, that go from doing queries of data in an excel sheet file, up to compiling data, getting figures, and producing massive amounts of data. Of course, nothing is perfect, because when it comes to huge calculations that involve statistics and merging all the data types, it comes off short, Why? because the Shell its focus in running the system itself, but still is really useful for managing files, running scripts, programs, and especially, for automating tasks.

Lest create a simple bash script, as an example, and to understand the syntax and what do we mean by interpreting a file.

HELLO!

You can do this using any Unix/Linux operating system, and the editor (shell) of your choosing. Lest create a bash script that will display the word HELLO

echo hello

“echo” essentially is used to display the text “echoing” the tex back to you. This is basically a shell script. This is a command, that the shell will interpret when you press enter.

hello

You can see it interprets and the shell “understand” what you are trying to do. We can complicate things a little bit, for example, by scripting, essentially allowing you to execute a lot of this commands from a file, using the shell, a thing that, sometimes, many people forget, and how powerful this possibility is.

As we know, you can create the script on any text editor of our choosing.

Remember that the file that we are going to create must be saved as a Shell extension (.sh) and we can locate it, on any place we want. Lest create a file called Simple.sh and save it in our Desktop.

Now the first thing we must do it’s to declare what is the interpreter that we are going to use, in the file we just created.

Shebang

#!

This is called the “Shebang”, the reason it is called like this? because, this “#” is a “sharp” and this “!” is the bang, like the annotations you find in music sheets.
This characters #! are at the beginning of interpretable executable programs or scripts.
So, anything after the shebang line will essentially be used as the interpreter.

#!/bin/bash

In this case, the bash is going to be used as the interpreter of the script that we are going to create. Remember you can use any interpreter after the shebang:

#!/bin/python

For example, to create a reverse scripting for reverse shells on a client or the Shell when you want to perform a privilege escalation:

#!/bin/sh

The shell, remember, is different from the bash, given that the bash is considered a terminal instance, which will give you much more streamline experience when it comes down to using Unix/Linux operating systems, as for the shell, it is simply the interpreter of commands, and you know that this, won’t give you full access in terms of functionality.

We will use the bash.

In the following line we type the text we want to display between quotation marks, to make sure that everything in them, is printed out, but before we use our text editor to create the file Simple.sh, this can be visualized in the picture below:

Then we proceed to paste the following sentence into the new file

#!/bin/bash
echo “Hello world! This is the first shell script”

We save the script, now, let’s execute it.

We open our terminal and go to the location of the script we just created

cd root/Desktop

Lest make sure that we can execute the script giving to it “execute” permissions, using the chmod command:

/Desktop# chmod +x Simple.sh

Now to execute, we select the interpreter

/Desktop# ./

Where ./ is “telling” the terminal that he must use the specified interpreter indicated after the “Shebang” of the script we want to run.

Now we run it like this:

/Desktop# ./simple.sh

Getting the following result:

Hello world! This is the first shell script

This is a very simple example to explain the syntax behind this procedure. What do we mean with this? that now we can understand how we can execute a script (series of commands and bashes) from a file (in this case “Simple.sh”), how when we build a script we “instruct” it to be used by an interpreter.  To be able to know, by the Shebang present in a script, what is the interpreter you must use to run  it (if the script you are about to use was not created by you), or if you are creating one, leave the “instructions” for another user that will use the bash, to run it using the interpreter present in the Shebang with this command (./) without reviewing it. You can also set permissions in the script to be used only by certain users with the chmod command.

Easy HoneyPots – Canary Tokens:

Introduction:

The familiarity of web bugs maybe some image that tracks some users when they open an email, these features work using unique embedding URL in a page image which creates a TAG and generates an incoming GET request.

Those are the principles of Canary Tokens, the application of the previously described aspect applied to file reads or queries database, the execution of queries or maybe to detect a pattern within log files. Canary tokens can be used to implant traps in every area located within your structure or production system which is more efficient than just setting separate honeypots as a beacon.

Technical details:

Network breaches happen more often nowadays, this problem can affect small businesses even large mega-corps, what is trying to be protected and be avoided with the implementation of these tokens is to found out immediately which kind of users are attempting to break out into our system.

Canary tokens are available for free in http://canarytokens.org you can download your own token to send a notification to your personal email whenever someone is trying to reach or open any specific file that you put into your network.

How tokens work:

  1. You visit the website mentioned before and get a free token which can be used like an URL or a hostname depending in the type of Honeypot that you have selected
  2. If an unauthorized user or an attacker uses the token that you have placed into your network, Canary will give you an out of band email that the token has been opened.
  3. At last, Canary provides a variety of tools and hints that increase the possibility of an attacker to trip over the token.

Demonstration of Usage:

As we mentioned before you can visit the site: http://canarytokens.org and select which type of Honeypot you want to add into your workspace they can vary the options available from different options as it can be seen in the picture shown below:

After you select the type of toke you want to use, you can add a description for the notification that is going to be sent to your email and you can click into “Create my CanaryToken” for the token to be created. This process can be seen in the picture below:

After we click on Create my Canarytoken the page is going to show you the address for the token, in this case, we selected a Microsoft Word Document, the page will allow you download the file and change the name to be more appealing for any attacker which may access into our computer. The download page can be visualized in the picture below:

Now we download the file and change the name of the file to a name that represents the store of delicate data like the one shown in the picture below:

We open the file and see that’s empty but the token was already activated. We check into the email address that we selected to receive the notification to see if canary send a notification for unauthorized access to our token.

As we can see CanaryToken represents a free and easy solution to set Honeypots across your work environment and control the execution of some features within your network, it represents a helpful defensive tool against possible threats and helpful framework to keep a record of possible threats that may affect your data integrity or the privacy of your files.

 

 

Hydra

Hydra is a password cracking tool that is supported only on Linux systems. The tool comes as a pre-installed feature on Kali Linux and Parrot versions. The installation process is very simple it only requires the utilization of a command to get the installation. In case that hydra doesn’t show up as a pre-installed gadget is necessary to use the following command which assures the installation of hydra in our machine:

Installing Hydra:

The installation process of Hydra is quite simple, it can be performed with the following command, that will install all the necessary packets that will be required to use hydra.

apt-get install hydra

Hydra Options:

The syntax handled by the tool is simple it calls the name of the tool followed by options, host and the service where it’s going to be directed as is shown in the example below:

hydra (options) host (service)

The main functions of hydra  are mostly focused on the utilization of two flags:

  • – l: Which can be used for the representation of the users selected to look for
  • -P: Which represents the password list that is going to be used as a dictionary to perform the attack

These two flags call a specific file that is going to be used as a guide to direct the attacks, an example of the syntax can be seen on the sentence shown below:

hydra -l user1 -P wordlist.txt smb 

The declaration of the service can be avoided from the syntax but it may help the cracking process if we require the information seeking process on a specific file. It may also be useful to be specific on the folders that contain the file that we want to crack so it will ease the process.

Creating your own wordlist:

The generation of wordlist to serve as a dictionary for the attack can be accomplished using a program called crunch, which generates several combinations of letters and numbers depending on the options you use for its configuration. This process is essential for the attacking process because it will serve as the key to the attack, testing different wordlist will improve the capacity of the brute-force attack.

Crunch installation process:

The process of installation for crunch can be performed by typing the following command:

sudo apt-get install crunch

After the process is finished we can use crunch to generate our text file or insert the character into another program, an example of this can be visualized on the picture shown below:

After the process is finished we can look for the file into the folder we have selected:

Testing Hydra:

Now we have explained the different characteristics involving hydra, we are going to show a few examples of attacks over servers using hydra, The first is an attack over an FTP server, once we have created the wordlist and we possess the IP address assigned to the server. The attack can look like this:

As can be seen on the picture above, we managed to get the password for one of the users configured on the FTP server.  On the example below, we repeat the process over an SMB service with the same results.

hydra -l user1 -P wordlist.txt smb://45.76.60.202 

Other methodologies:

The next step is directed to the possibility to crack the password of an email account. Usually, the email services are referred to an SMPT service. The SMPT services are where the email services are handled. Using hydra we can specify the port where this service handles the email as is showed using hydra to direct the attack to the port 565 of smtp.gmail.com.server which will serve as an example for the following command:

hydra -l jdoe@gmail.com -P /root/Desktop/wordlist.txt -S 565 smtp.gmail.com smtp 

The last Hydra flag that is going to be presented is the (-x) flag. At times, a user can possess a ridiculously long and complicated password that direct attacks cannot crack, however, there’s one method that all passwords fall victim to, brute-force attacks. In a brute-force attack, every combination is used to determine the password. The CPU processor determines the speed, but in the long run, the password will be cracked. Here’s how the brute force option is invoked in hydra:

hydra -l John Doe -x Shortest length: longest length: combinations host

All, but the latter are executable by use of a software called THC-Hydra (Hydra).

Final Considerations:

Passwords are indeed the most commonly used mode of authentication. Of course, the attacks could be directed to exploit the system itself but as personal experience, it is much easier to hack a specific account that is password protected or is located on a server.

This can compromise the whole system itself. There is a wide range of methods that can be applied to crack passwords.  Another tool that can be used to fulfill this purpose is John the ripper which resembles the scope of Hydra but focused on the test the integrity of passwords. However, the ones discussed previously include Bruteforce, Dictionary, and direct attacks on the people (Phishing, Social Engineering and users lack of knowledge). All, but the latter are executable by use of a software called THC-Hydra (Hydra). Hydra can be merged with a tool called Nessus which is used for vulnerability scanning and often calls Hydra to complete the process. Below is an example video of hydra used to perform different attacks: