Author: Anamar Taknev

Posted on by

Complete guide to Stegseek

Hello, aspiring ethical hackers. In our previous blogposts, you learnt what is steganography, its uses and how to hide secret data in an image using the tool Steghide. In this blogpost, you will learn about a tool that can retrieve this hidden data from an image. The tool’s name is Stegseek.

Although the working of Stegseek is same as Stegcracker, it is a lightning fast steghide cracker that is thousands of times faster than other crackers and can run through the entirety of rockyou.txt wordlist in under 2 seconds. Let’s see how this tool works. For this article, we will be using Kali Linux as our attacker system as this tool is installed by default on Kali Linux. For performing steganography attack, we will be using same image in which we have hidden data using Steghide, “Volcano_with_Secret,jpg”.

All you need to retrieve the hidden information from the image with this tool is to just supply the path of the image as shown below.

The “-sf” option stands for stego file. A stego file is a file that contains hidden information in it.

As you can see in the above image, Stegseek cracked the password (123456) of this file and successfully retrieved the hidden data. That too in lightning speed pace. The retrieved data from the image is saved in a file named <name of the file.jpg.out>. By default, Stegseek uses rockyou.txt wordlist to brute-force the password.

Specify a different wordlist (-wl)

We can even specify a different dictionary or wordlist if needed as shown below.

Select file name for extracting data (-xf)

As you already read at the beginning of this article, stegseek saves retrieved hidden data to a file named “<name-of-the-file>.out”. To extract the hidden data to a different fie, we can use this option. For example, let’s save the retrieved data to a file named “secret.txt” as shown below.

Overwrite existing file (-f)

In the above image, you can see that when we extracted hidden information to a file named “secret.txt”, we got prompted saying that there is already a file with the same name and if I wanted to overwrite it. Well, using this option, we can force overwrite already existing file.

Get detailed output (-v)

This option gives us detailed output while using Stegseek.

Quiet mode(-q)

On the contrary, you can run Stegseek in quiet mode. Running in this mode will just display the cracked password of the file as shown below and of course retrieve the hidden data. Status updates or other output is not displayed.

Skip defaults (-s)

Specifying this option skips adding default guesses while cracking like using an empty password, the name of the file etc to the wordlist.

Number of threads (-t)

By default, stegseek uses 4 threads while cracking the password. Increasing the number of threads can lead to better performance. Threads can be increased or decreased using this option. For example, let’s increase the number of threads to 10.

Posted on by

Complete guide to Stegcracker

Hello, aspiring ethical hackers. In our previous blogposts, you learnt what is steganography, it’s uses and how to hide secret data in an image using the tool Steghide. In this blogpost, you will learn about a tool that can retrieve hidden data from an image. The tool’s name is Stegcracker.

Stegcracker is a steganography brute-force utility to uncover hidden data inside files. Let’s see how this tool works. For this article, we will be using Kali Linux as our attacker system as this tool is available by default in its repositories. For performing steganography attack, we will be using same image in which we have hidden data using Steghide “Volcano_with_Secret,jpg”.

Check version (-v)

It is a good practice to check the version of the tool first before doing anything with the tool. You can check the version of Stegcracker using this option.

All you need to retrieve the hidden information from the image with this tool is to just supply the path of the image as shown below.

As you can see in the above image, Stegcracker cracked the password (123456) of this file and successfully retrieved the hidden data too. The retrieved data from the image is saved in a file named <name of the file.jpg.out>. By default, Stegcracker uses rockyou.txt wordlist to brute-force the password.

Specify a different wordlist

We can even specify a different dictionary or wordlist if needed as shown below.

Verbose output (-V)

This option can be used to get detailed output from stegcracker.

Quiet mode(-q)

On the contrary, you can run Stegcracker in quiet mode. Running in this mode will just display the cracked password of the file as shown below and of course retrieve the hidden data. Status updates or other output is not displayed.

Number of threads (-t)

By default, stegcracker user 16 threads while running. Increasing the number of threads can lead to better performance. Threads can be increased or decreased using this option. For example, let’s increase the number of threads to 32.

Saving the output (-o)

As you already read at the beginning of this article, stegcracker saves retrieved hidden data to a file named “<name-of-the-file>.out”. However this can be changed using the “-o” option.

For example, let’s save the retrieved data to a file named “secret.txt” as shown below.

Posted on by

Beginners guide to Socat

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to use netcat for various purposes in ethical hacking. In this blogpost, you will learn about another such tool named Socat.

Socat, shortcut for SOcket CAT is a command line utility that enables bidirectional data transfer between two independent data channels. Actually, it can provide multiple functions. It supports many protocols like TCP, UDP, SOCKS4 and OpenSSL.

Bind and Reverse shells

The use of socat tool comes after you completed gaining access to target network or device. Here, it helps you in maintaining access as channel for communication.

Let’s see how to create bind shells with socat (learn about different types of shells). For this, we will be using Metasploitable2 as target system in our virtual hacking lab. Note that socat should be installed on both target and attacker systems for this to work. To create a bind shell, run this command on the target system as shown below.

Then on the attacker system, we need to run this command.

Here’s our bind shell.

To create reverse shell, the above commands should be run on attacker and target system respectively.

Here’s our reverse shell.

Encrypted bind and reverse shell with socat

The above shells, although they are good, the data between them is transferred in plain text and is susceptible to sniffing and detection. No problems though. Socat can create an encrypted shell using OpenSSL.

To create an encrypted shell, first, we need to create a SSL key as shown below. Two files with extensions “.crt” and “.key” are created as shown below.

Then, we need to join this two files into one file with “.pem” file as shown below.

Now this file should be on the system on which we start our listener. For example, to create a bind shell, the “ssl.pem” should be on the target system. Then we need to run command as shown below.

Then, on attacker system we should run this command shown below.

Here’s the shell.

Similarly, we can also create a reverse shell.

File transfer

Socat can also be used to transfer files between two machines. For example, to transfer that SSL certificate we created above from attacker system to target system, the command to be run on the attacker system is shown below.

Then on the target system, we should run this command.

Posted on by

Beginners guide to msfpc

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to create payloads with msfvenom. In this blogpost, you will learn about MSFPC (MSFvenom payload creator), a tool that simplifies generation of Metasploit payloads with msfvenom.

MSFvenom payload creator (MSFPC) is a wrapper to generate multiple types of payloads based on users choice. The concept of this tool is to be as simple as possible while generating a payload.

Let’s see how to use this tool. For this, we will be using Kali Linux, as msfpc is installed by default on Kali Linux.

The simplest way to create a payload using MSFPC is to specify the type of payload you want. MSFPC can generate APK, ASP, ASPx, bash (-sh), Java (.jsp), Linux (.elf), OSX (macOS), Perl (.pl), PHP, PowerShell (.ps1), Python, Tomcat (.war) and Windows (.exe or dll) payloads.

For example, let’s see how to generate an exe payload.

The only option we need to set to create a payload with msfpc is the attacker system’s IP address or the listener address which can be selected from the given options. All other options are automatically set.

By default, this tool creates a reverse shell payload. We can also create a bind shell payload as shown below.

By default the listening port of the generated payload is set to 443. This can be changed as shown below.

We can also create payloads with this tool by specifying the target operating system.

MSFPC creates staged payloads by default. We can also create stageless payload as as shown below.

Posted on by

Complete guide to Wapiti

Hello, aspiring ethical hackers. In our previous blogpost on web application hacking and web server hacking, you learnt about various web vulnerabilities. In this blogpost, you will learn about Wapiti a web vulnerability scanner.

It is a very good practice to learn about the vulnerabilities and weaknesses in a website or web application before they hackers find bout them. Web vulnerability scanners play a very important role in detecting vulnerabilities. Wapiti is one such vulnerability scanner thats written in Python.

Unlike other vulnerability scanners, Wapiti works as a “Black Box” vulnerability scanner that instead of studying source code of the target web application, works by fuzzing and scanning the pages of web application, extract link forms, attacking the scripts, sending payloads, finding out error messages, special strings and other abnormal behaviours.

Let’s see how to find vulnerabilities using Wapiti. For this, we will be using Kali Linux as this tool is installed by default on Kali Systems. As target, we will be using Mutillidae web application on Metasploitable 2. See how to setup this virtual hacking lab.

The simplest way to use Wapiti is to just supply it with the target URL as shown below.

Then, Wapiti starts scanning the target as shown below.

Scope

Scope option of wapiti specifies it to what to scan. The scope option of wapiti takes four values: URL, page, folder, domain and punk. Here is the detailed explanation about these values.

  1. URL: Setting this will only scan and attack the exact base URL given with -u option.
  2. PAGE: Setting this as scope value will attack every URL matching the path of the base URL.
  3. FOLDER: This will scan and attack every URL starting with the base URL value. This base URL should have a trailing slash (no file‐name).
  4. DOMAIN: Setting this as scope value will scan and attack every URL whose domain name matches the one from the base URL.
  5. PUNK: Setting this value will scan and attack every URL found whatever the domain. Think twice before using this for scope.


Let’s set the scope to “page” for now.

View all the modules (

Wapiti has many modules that help in vulnerability scanning. You can view all the modules using the “list modules” option.

Select a single module

You can select just a single module using the “-n” option. For example, let’s load the file module.

As you can see in the above image, a include vulnerability has been detected in the target web app.

Don’t resume the scan (–skip-crawl)

Sometimes, we abort a scanning session before it gets completed. When you start a new scan with Wapiti again, by default it resumes the aborted session by crawling the URLs again. If you don’t want to resume the previous scan from URL crawling, you can use this option. By using this option, Wapiti will attack only currently known URLs.

Resume from crawling

This option us useful in cases where the scan was previously aborted after wapiti started attacking. When a session is restored, the default behavior is to skip crawling. However, we can use this option to continue the scan process.

Flush attacks

This option specifies wapiti to forget everything about discovered vulnerabilities and which URL got attacked by which modules. Only the crawling information of the scan will be kept.

Flush session

This option specifies wapiti to forget everything about the target for the given scope.

Saving the output to a directory

Like many tools, you can save the output of the scan of wapiti in a report. This option enables you to specify a directory for saving the report of the scan.

Format of the reports (-f)

You can use this option to specify the format of the report. The reports can be saved in json, HTML, txt and xml. formats. For example, let’s set the report to be txt format.