Posted on Leave a comment

Beginners guide to Payload generators

Hello, aspiring ethical hackers. In our previous blogpost, you have learnt about types of Metasploit payloads, what is a payload etc. In this blogpost you will learn what is a payload generator and popular payload generators.

What is a payload?

A payload in cyber security is a piece of code that is executed after successfully running an exploit to take advantage of a vulnerability. When a Proof Of Concept (POC) for a vulnerability is disclosed, this allows most hackers around the world to execute their chosen payloads. This payload can be anything from malware, reverse shell, RAT, ransomware etc or their own custom payload.

For example, ms08_067 vulnerability was exploited in real-world to deploy Conficker worm payload, but while pen testing with Metasploit, meterpreter is used as payload. Although payloads can be created manually, it would be very simple to make payloads with payload generators.

What is a payload generator?

Any software or application that helps us to automatically create a payload to be used in a pen test is known as a payload generator. Payloads can be a simple one liner or multiple lines of complex code. Whatever it is, it is payload generator makes our work very simple. Let’s learn about some of the popular payload generators.

1. MSF venom:

MSF venom is a payload generator fromMetasploitframework that can be pretty useful in generating payloads forwindows hacking,Linux hacking, web applicationhackingand even mobile hacking. MSF venom is a replacement to MSF payload earlier. Learn more about msfvenom.

2. Veil-Framework:

Veil-Framework is a tool that can generateMetasploit payloadsthat bypass common anti-virus solutions. Veil-framework is officially supported by Debian 8 and Kali Linux rolling 2018+. It may also be run on Arch Linux, Manjaro Linux, Black Arch Linux, Deepin 15+, Elementary, Fedora 22+, Linux Mint, Parrot Security, Ubuntu 15.10+ and Void Linux. Learn more about Veil Framework.

3. Msfpc:

MSFvenom Payload Creator (MSFPC) is a wrapper that can generate multiple types of payloads, based on users choice. The idea is to be assimple as possible(only requiring one input) to produce their payload.

4. WinPayloads:

This tool can generate undetectable Windows payloads.

5. Arcanus Framework:

ARCANUS is a customized payload generator/handler for penetration testing that can generate both Linux and Windows payloads. Learn more about Arcanus Framework.

6. Hercule’s Framework:

HERCULES is a customizable payload generator to generate Windows and Linux payloads that bypass antivirus software.

Posted on Leave a comment

Metasploit Framework: Beginners guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about Pen testing. In this blogpost you will learn about the perhaps the most popular penetration testing software suite, Metasploit Framework. Metasploit Framework (MSF) is free, open-source pen-testing suite that is used to execute exploits and develop code against a remote target machine. Although it sis made for penetration testers, it is also used by Black Hat Hackers around the world.

History

Metasploit was originally written by H.D.Moore, an American network security expert, open-source programmer and hacker. He has been the chief Architect of Metasploit Framework until his departure from Rapid7 company in 2016. Originally written in Perl, Metasploit was rewritten in Ruby programming language by 2007. In 2009, it was acquired by Rapid7. Metasploit is available for Windows, Mac and Linux. Metasploit is so widely used that it is included in every ethical hacker os like Kali and Parrot Security.

Structure of Metasploit

Metasploit Framework is the name given to the free version of Metasploit. The role of Metasploit in penetration testing comes after the stage of port scanning and vulnerability scanning (Information from tools such as NMap, Nessus and OpenVAS etc can even be imported into Metasploit). Metasploit is built with a modular approach. For beginners, Metasploit can be complex and a bit difficult to understand. Let’s learn in detail how to run Metasploit.

Let’s start with Metasploit modules. The most important modules of Metasploit are Exploit, Payloads, POST, Auxiliary, Evasion and Encoder modules. Let’s learn about each one of them now.

1. Auxiliary modules:

Auxiliary modules in Metasploit perform simple functions like scanning, enumeration, gathering information, logging in into services etc. They have single function. At the time of writing this article, there are over 1267 auxiliary modules in Metasploit.

2. Exploit modules:

Exploit modules are exploit codes written in Ruby. They exploit the vulnerabilities to execute arbitrary code on the target system. At the time of writing this article, there are over 2461 exploit modules in Metasploit.

3. Payload modules:

The arbitrary code that is executed by the exploit modules of Metasploit is known as payload. At the time of writing this article, there are over 1468 payload modules in Metasploit.

4. Encoder modules:

As the name of the module suggests, Encoder modules of Metasploit take raw bytes of a payload as input and run some sort of a encoding algorithm like XOR, Bitwise XOR on the payload code. At the time of writing this article, there are over 49 encoder modules in Metasploit.

5. Evasion modules:

Evasion modules are used to generate payloads that evade Antivirus. At the time of writing this article, there are over 9 evasion modules in Metasploit.

6. POST modules:

POST modules are those modules of Metasploit that are useful during POST exploitation phase of the pen test. At the time of writing this article, there are 431 POST modules in Metasploit.

How to use Metasploit Framework?

Let’s see how to use Metasploit for beginners. We will be using Metasploit in Kali Linux as it is already installed. To start Metasploit, open a terminal and type command shown below.

msfconsole

To see all the auxiliary modules of Metasploit, use the command shown below.

show auxiliary

Similarly all the exploits in Metasploit can be seen using the command shown below,

show exploits

To view all the payloads in Metasploit, you can use the “show payloads” command.

show payloads

The same commands can be used to view all the encoder, evasion and POST modules of Metasploit respectively.

Now, let’s come to the realistic use of Metasploit. As I already told you at the beginning of this blogpost that the use of Metasploit comes after the stage of footprinting and scanning. As part of vulnerability scanning, we happen to find that one of the devices in the target network is vulnerable to Bluekeep vulnerability.

Now, let’s see how to exploit this vulnerability with Metasploit. The first to do after starting Metasploit is to use the search function of Metasploit to search for the exploit we need. For example, “bluekeep” as shown below.

Metasploit has a very versatile search function. You can also search using the CVE ID of vulnerability as shown below.

No matter how you search, Metasploit will show all the modules related to particular vulnerability you searched for. Since, I already know the target machine is vulnerable to Bluekeep vulnerability, I select the exploit module for this vulnerability. To load this module, we can use (literally) and load the module using the entire name of the module or its serial number given at the begining.

A payload most probably METERPRETER payload is assigned by default as soon as you load the exploit module. If you want to set a different payload other than the default one, you can use “show payloads” command to see all the payloads supported by the selected module. Unlike earlier this will not show all the payloads of Metasploit but only the ones supported by this exploit module.

To assign a new payload, we use the “set” command in the same way as we used the “USE” command earlier.

Then we use the “show options” command to see all the options required for this module to work after selecting the payload. The required options are marked with “yes” in the required column.

This module required the RHOSTS option which is the IP address of the target system. All the required options can be set with the SET command as shown below.

After all the required options are set, all we need to do is execute the module using “run” command or “execute” command. You can see Metasploit module in action in our blogpost on exploiting ms08_067 vulnerability.

Posted on Leave a comment

Beginners guide to MAC spoofing

Hello, aspiring ethical hackers. In our previous blogpost on data link layer attacks, you learnt what is a hub, What is a switch, how they both work, what is a MAC address, what is a CAM table and different types of LAN attacks etc. In this blogpost, you will learn about one of the LAN attacks, MAC Spoofing.

What is MAC spoofing?

MAC Spoofing is a technique in which a factory assigned Media Access Control (MAC) address of a network interface is changed or altered. As communication between devices in a single LAN takes place using the MAC address of the device, changing the MAC address to that of another device will make all the traffic belonging to that device visible to the attacker.

For example, let’s say there are two devices A and B. An attacker changed the MAC address of the device “A” to that of “B”. Then all the traffic belonging to “B” will be coming to “A” and the attacker can sniff this traffic. MAC spoofing attack can be performed after gaining access on the target network.

How can MAC address be changed?

MAC address of a network interface card can be changed either manually or using a tool. Let’s see how to change the MAC address of a Linux machine manually. For this, I will be using Kali Linux. The first method we can use to change MAC address in a Linux machine is the “ifconfig” command. Ifconfig is a command line tool in UNIX operating systems that is used to configure network interfaces.

To change the MAC address of the network interface, we need to first disable the network interface. This can be done with “ifconfig” using the command below.

sudo ifconfig <network interface> down

Then we can change the MAC address using the command shown below.

sudo ifconfig <network interface> hw ether <new MAC address>

For example, let’s assign a MAC address ee:12:ee:ff:45:54 to the interface eth0.

Then all we have to do is enable the network interface as shown below.

Let’ see use the ifconfig command again to see if the MAC address has changed.

It has changed. There is another way in which we can change the MAC address using ip command of Linux too. Even for this, you have to disable the network interface. This can be done with “ip” as shown below.

To change the MAC address with ip utility, the command is given below.

sudo ip link set <network interface> address <new MAC address>

For example,

Then all we have to do is enable the network interface as shown below.

We can also use tools to change MAC addresses. one such tool is mac changer. See the complete guide to change MAC addresses with macchanger tool.

Learn how to change the MAC address of a Windows machine manually here.

Posted on

Beginners guide to Image steganography

Hello, aspiring ethical hackers. In our previous blogpost, you learn what is steganography, its significance and types of steganography to cybersecurity. In this blogpost you will learn in detail about image steganography. But first, let’s see its significance in cybersecurity.

In April 2024, a hacker group being tracked as TA558 has widely used image steganography to deliver malware such as Agent Tesla, FormBook, Remcos RAT, LokiBOT, GuLoader, Snake keylogger and Xworm etc. The malware code embedded in the images contained VBS, PowerShell.

Now that you have understood the importance of image steganography, its time to learn about various images steganography techniques. In cybersecurity, It is a very good thing to learn about various image steganography techniques used to hide data in an image.

Types of image steganography

Image steganography techniques can be primarily divided into Spatial Domain techniques and Transform Domain techniques.

Spatial Domain techniques

Let’s study about various Spatial Domain steganography techniques first.

1. Least Significant Bit (LSB) steganography technique:

In this type of steganographic technique, the secret data is stored in pixels of an image. This is done by replacing the least significant bit of the image.

2. Pixel Value Differencing (PVD) steganography technique:

Pixel Value Differencing (PVD) is a steganography techniques in which secret data is embedded into images using the differences in pixel Value between adjacent pixels.

3. Exploiting Modification Direction (EMD) steganography technique:

In this type of steganographic technique, the secret data is embedded into a group of pixels of an image.

Transform Domain techniques

Now let’s learn about various Transform Domain image steganography techniques. In Transform Domain image steganography techniques, secret data is hidden in the transform domain coefficient of an image.

1. Discrete Cosine Transform (DCT) steganography technique:

In this steganographic technique, 8*8 blocks of an image are transformed into 64 DCT coefficients. Then, the LSB of each DCT coefficient is replaced with a bit of secret data.

2. Discrete Wavelet Transform (DWT) steganography technique:

In this steganographic technique, secret data is hidden by modifying the wavelet coefficient of the image.

3. Fast Fourier Transform (FWT) steganography technique:

In this steganography technique, the secret data is expressed as a Fourier series and then coefficients are added to the images.

Learn how to hide secret data in an image using steghide.

Posted on

Beginners guide to MAC flooding

Hello, aspiring ethical hackers. In our previous blogpost on data link layer attacks, you learnt what is a hub, What is a switch, how they both work, what is a MAC address, what is a CAM table and different types of LAN attacks etc. In this blogpost, you will learn about one such attack, MAC flooding attack.

What is MAC flooding?

MAC flooding attack is an attack on the network switch that floods the network switch with fake MAC addresses. The purpose of this attack is to consume memory of the network switch. Once the CAM table of the network switch becomes full, the MAC addresses of the legitimate devices are purged out of the CAM table.

The network switch can no longer save new MAC addresses sent to the switch and it soon falls into a fail-open mode in which it will broadcast the incoming data to all the ports of the switch instead of transferring it to the intended device. Typically, the switch here functions like a network hub.

Since the data is now being broadcast to all the devices connected to the network, hackers can sniff on data belonging to all the devices in the network.

There are many ways to perform MAC flooding. One such method is to using a too named macof. Macof is a tool that comes with dsniff package. macof is used to flood the local network with random MAC addresses. It is installed by default in Kali Linux. The default way to flood the switch with macof is to specify the interface as shown below.

sudo macof -i eth0

This will create multiple random MAC addresses. You can even specify the number of packets you want to create as shown below.

sudo macof -i <interface> -n <number of packets to create>

You can even specify the source IP address from where these random MAC address should originate from.

sudo macof -i <interface> -s <IP address> -n <number of packets to create>

You can also specify the MAC address or physical address of the target device you want to flood with random MAC addresses.

sudo macof -i <interface> -e <Physical address of target>