Posted on Leave a comment

Hydra password cracker: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to Hydra password cracker. Hydra password cracker runs on Linux, Windows, Solaris, FreeBSD/openBSD, QNX and macOS. Using Hydra, we can crack passwords of various protocols like Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Hydra can be downloaded from here. This guide uses Hydra installed on default in Kali Linux and Metasploitable2 as target.

Single username (-l) and Password (-P)

If you want to check a single username and password with Hydra, the syntax is given below. Here we are testing the credentials on target system’s FTP server. This is normally useful when we have a general idea about at least one credential pair.

Hydra will test this credential and come with a result. Here it is found this credential accurate.

What if you can’t guess a password or have no knowledge about at least one credential pair. Then we need to test a large list of credentials using brute forcing by using a wordlist.

Specifying wordlist for usernames (-L) and passwords (-P)

You can specify wordlist containing usernames using the (-L) option and specify the wordlist containing passwords using the (-P) option as shown below.

Here, I am suing the same wordlist for both username and passwords. “Metsaploitable.txt”. These wordlists are normally created or obtained during the enumeration stage. For example, we obtained this during SMB enumeration of the target. Hydra found three credentials valid from this wordlist.

Restore a cancelled session (-R)

Sometimes we may need to test a large wordlist, with thousands of credentials in it. This may obviously take a lot of time and we may have to hit “CTRL+C” sometimes to cancel the session or maybe a power cut ended our scan abruptly.

Do we have to start from the beginning again? Don’t worry. You can restore the session from where you stopped in Hydra as shown below.

RIgnore the previous session (-I)

What if we don’t want to restart that session and to start a session afresh. We can just use the ignore (-I) command which asks it to ignore the previous session.

Scanning unconventional ports (-s)

You know every service has a default port on which it runs. For example, FTP (21), Telnet (23), and HTTP (80) etc. Sometimes administrators configure this service to run on unconventional ports to make them less conspicuous. Using Hydra we can even run password attack on these ports using the (-s) option. For example, imagine FTP is running on the port 2121 and not 21.

Target has SSL enabled (-S)

Using Hydra, we can connect using SSL with this option.

If the service has an old version of SSL, we can use the “-O” option.

Additional checks (-e)

Using this option, you can check accounts for null passwords (n), using username as password (-s) and using password as username and vice versa (-r).

Combo (-C)

Sometimes, instead of an usual wordlist, we have wordlists that have credentials in “login:pass” format as shown below.

If we want to use this type of wordlist, you can use this option.

-U

When you are using a wordlist with Hydra, by default it checks all passwords for the first username and then tries the next username. Using this option, we can loop around the passwords. The first password is checked for all the usernames and then it moves to next password and does the same.

Stop after getting the first successful pair of credentials (-f)

This option (-f) makes Hydra stop password cracking as soon as one successful pair of credentials are found.

Target multiple servers (-M)

Hydra allows us to perform password cracking on multiple servers at once. We need to provide a file containing IP addresses of the targets.

Stop after getting once successful pair on multiple servers (-F)

Setting the ‘-F’ option, Hydra stops after getting the first successful pair of credentials on multiple servers.

Saving the output (-o)

Till now, we have seen Hydra showing output on stdout. However, with the “-o” option, we can save the output of the tool to a file.

Format of the output file (-b)

Hydra allows you to save output in three formats, although the default format is text. It also allows you to save output in Json and Json v2 format.

Number of tasks (-t)

Tasks are number of persistent connections Hydra makes while testing. By default, it makes 16 tasks, but this can be changed using this option. For example, let’s set it to 19.

Module specific options (-m)

This option allows us to set module specific options. For example, FTP module in Hydra doesn’t have any module specific options. But other modules like HTTP have it. All the options for a specific module can be seen using the -U option. For example, lets change the option for http-get.

Waiting time (-w)

Hydra waits for 32 seconds for receiving responses for it queries. This option can be used to change this time. For example, let’s set it to 10 seconds.

Waiting time for login attempts (-c)

This option can be used set the waiting time for login attempts Hydra performs. It is useful only when a low task time is used.

Verbose mode (-v) (-V)

Hydra has two verbose mode. The lowercase verbose mode is the default verbose mode in any other tool.

If you want to see each login attempt Hydra makes, you need to use the (-V) option.

That’s all about Hydra password cracker.

Posted on Leave a comment

Beginners guide to OWASP ZAP

Hello, aspiring ethical hackers. This blogpost is a complete guide to OWAS ZAP tool also known a zaproxy. OWASP ZAP stands for Zed Attack Proxy. OWASP ZAP is a widely popular web app scanner that is maintained by a volunteer. It is used by both novices in web security and professional pen testers. The features of OWASP ZAP include.

  1. Traditional & AJAX web crawler.
  2. An automated scanner.
  3. Passive Scan.
  4. Forced browsing.
  5. Fuzzer.
  6. Scripting language etc.

Let’s see how to use OWASP ZAP to scan a website. Zaproxy can be downloaded from here. OWASP ZAP is installed by default on Kali Linux. If it is not installed, it can be installed using the command shown below.

Once the installation is finished, it can be stored using the command “Zaproxy”.

Everytime it starts, it asks you whether to save the current session or not. Make your choice and click on “Start”.

This is the interface of OWASP ZAP. Let’s perform an automated scan of a website. As target, I will be using mutillidae web app installed on Metasploitable 2. See how to install Metasploitable 2.

To perform as automated scan, click on “Quick start” and give the URL to attack and then click on “Attack”.

The time taken to scan the entire website depends on the size of the target website. The good thing about OWASP ZAP is that it displays results as soon as it finds them. Any vulnerability can be found on the alerts tab highlighted in the image given below.

When you click on the “alerts” tab, all the vulnerabilities are displayed based on their severity. The one that interests you should by the one in red flags.

For example, here Zaproxy detected a path traversal or local file inclusion vulnerability. When you click on the vulnerability, it displays the URL where the vulnerability was detected.

When you double click on the alert, a new window opens with an elaborate description of the vulnerability detected and with a POC to be see it in action and even the solution to the vulnerability.

Copy the URL and paste it in a browser. Here as suggested by Zaproxy, the /etc/passwd/ of the target system can be seen.

Posted on Leave a comment

Google Dorking for hackers – Part 2

Hello, aspiring ethical hackers. This blogpost is Part 2 of Google Dorking. In our Part 1 of Google hacking, you learnt what Google hacking or Google Dorking is, what google operators are and different Google operators. In this Part 2. You will learn how hackers use Google Dorking for gathering whatever they want. If someone is a Black Hat Hacker, you will definitely not use Google to show different google operators. They will be looking for information that can make their hack successful. what could that information be?

Google dorking

This information can be credentials, login pages, backup files, database dumps, email lists, various types of files, open FTP servers & SSH servers etc. How nice it would be for hackers if they got passwords and credentials file by using just a simple google dork instead of using password cracking. In real world, we do get them. All we have to do is combine some of the Google dorks you have learnt about in Part 1 of Google hacking.

allintext:password filetype:log

allintext:username filetype:log

In the above dork, we are searching for log files with passwords in them. You will be surprised how many results you get.

Well, what is the next thing you do once you successfully get credentials. You search for a page where you can use those credentials. I mean login pages. We can search for login pages using the Google dork below.

intitle:login

You can even search specifically for WordPress login pages using the dork below.

intitle: “Index of” WP-admin

Sometimes, not just single passwords, you can also get files which are a collection of credentials. These are files where passwords are collected and stored. For example, this Google dork.

intext:”Index of” intext:”password.zip”

You learnt about the functions of a database while learning web server hacking. Sometimes users make a backup of their databases for safety purpose and unfortunately store that backup on the web server only. What if we can find this database. It can be found using the Google dork as shown below.

“index of” “database.sql.zip”

Or by using this query.

inurl: backup filetype:sql

We can find other backups too.

intitle: “index of” “backup.zip”

We can also find email lists of an organization using Google dorking. Most of the organizations make and save a list of emails as excel files. They can be found using the Google dork as shown below.

filetype:xls inurl:”email.xls”

Once we have the list of emails, we can perform social engineering attacks on them. Websites don’t just have credentials, emails and backups stored on them. They have different types of files like PDF’s, word documents, images etc. Sometimes they are not meant for viewers of the website but they are nonetheless on web server. Even these files can be found by Google dorking.

site: <> f iletype:pdf

site: <> f iletype: doc

These files can be used to find any metadata that can reveal more information. What if you are trying to hack a particular software and need its source code to find if it has any vulnerabilities. We have a dork for that too.

intitle: “index of” “sourcecode”

A software has a specific vulnerability disclosed and hackers work to find it. For example, take a particular version of Power CMS V2. This can be done using the below query.

intitle: “Installation Wizard – PowerCMS v2”

You know how many websites still use FTP and how many of them are still expose to internet. They can be found using below Google dork.

intitle: “index of” inurl:ftp

site:sftp.*.*/ intext:”login” intitle:”server login”

inurl:/web-ftp .cgi

You can also find specific database managers like for example, phpmyadmin

“index of” inurl:phpmyadmin

Posted on Leave a comment

Dirty Cow vulnerability: Beginners guide

Hello, aspiring ethical hackers. This blogpost is a beginner’s guide to Dirty COW vulnerability. Assigned CVEID, CVE-2016-5195, this vulnerability affects Linux kernel version 2.6.21 since 2007. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

What is this Dirty COW vulnerability?

Dirty COW is a Linux privilege escalation vulnerability which is caused due to a race condition in the way the Linux kernel handled copy-on-write functions. The name Dirty COW came from this Copy-On-Write (COW). By exploiting this vulnerability, an unprivileged user can gain access to the read-only memory mapping subsequently elevating their privileges on the system.

Which kernels are vulnerable?

All the Linux kernels from versions 2.x to 4.x before 4.8.7 are vulnerable to this Dirty COW vulnerability. Let’s demonstrate this vulnerability on a Ubuntu 12 system. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

Download this exploit from Github and extract its contents. It is a C program as shown below.

Compile this code using inbuilt GCC compiler in Ubuntu system. This exploit creates a new user named ‘firefart’ with root privileges on the target system by writing to the /etc/passwd file. Usually, creating an user with root privileges in not possible for low privileged users on Linux systems. But this is a privilege escalation vulnerability.

Now, let’s execute the exploit as shown below. It will prompt you to create a new password for the new user “firefart” it is creating.

Login as the newly created user to see if the exploit was successful in exploiting the vulnerability and creating the news user “firefart”.

As you can see, a new user named “firefart” has been created on the target system with root privileges.

Posted on

Complete guide to cryptography

Hello, aspiring ethical hackers. In this blogpost, you will learn about cryptography or in the cybersecurity sense about encryption. The word cryptography came from a Greek word kryptos which means “hidden secret” and it plays a very important role in cybersecurity.

What is cryptography?

Cryptography is the study of secure communication techniques. It is closely associated with encryption which is an act of taking an ordinary text and scrambling it to transform it in to cipher text. The aim of this encryption is to make sure that the message is only understood by someone which it is intended to.

Types of Cryptographic techniques

There are three types of cryptographic techniques. They are,

  1. Single key cryptographic system (Symmetric encryption)
  2. Public key cryptographic system (Asymmetric encryption)
  3. Hash Functions.

What is a cryptographic key?

A cryptographic key is a string of characters used with an encryption algorithm to transform data into a scrambled form or cipher text.

What is an encryption algorithm?

An encryption algorithm is the method used to transform plain text to cipher text.

1. Symmetric encryption (Single key cryptographic system)

In symmetric encryption, a single key is used to both encrypt and decrypt data.

Hence it is known as single key cryptographic system. Symmetric encryption is very fast and hence used wherever speed is required for encryption. For example, it is used for encrypting credit card information and other confidential information, making malware and virus Fully Undetectable (FUD) etc. There are various encryption algorithms. The most popular encryption algorithms are DES, 2DES, 3DES, AES, IDEA, RC4, RC5, RC6, Blowfish etc.

2. Public key cryptographic system or asymmetric encryption (PKCS):

Also known as asymmetric encryption, Public key cryptographic system (PKCS) uses two keys: Public key and Private key. The data is encrypted with the Public key and can only be decrypted with private key or vice versa.

Since two different keys are used for encryption and decryption, even if any attacker knows about the key used for encryption there is no threat to any data. It is more secure than the single key cryptographic system but a bit slow. This is used in online communications like HTTPS, digital signatures etc. Example of Public key cryptography system algorithms are RSA, Diffie-Hellman etc.

3. Hash Functions or Message Digests:

A hash function is a versatile one-way cryptographic algorithm that converts plain text to a fixed length of encrypted text which is known as a message digest or simply a hash. A hash is known as a one-way function since once it encrypted it cannot be decrypted but (or decrypting it is very complex and difficult). Hash functions and message digests are used whenever the decrypting is not needed like hashing the passwords etc. Example of hash functions are MD5, SHA-1, SHA-512, RIPEMD etc.