Author: kanishka10

Posted on by 1 Comment

Install Parrot OS in Vmware

Kali Linux is the most popular and also my favorite pen testing distro. Its regular updates and stability accord it the top spot. Apart from Kali Linux, there are many other pen testing distros available. One of them is Parrot Security distro. Parrot Security sports many more tools than Kali Linux which includes software for cryptography, cloud, anonymity, digital forensics and of course programming. One of our readers has requested us to make a guide on how to install Parrot Security OS in Vmware. So be it.

Download the Parrot Security OS . Unlike the makers of Kali Linux, Parrot Security have not yet provided a Vmware image to download. So we have to download a iso image (depending on your architecture yo- u can download a 32bit or 64 bit iso file). Once the download is finished, open Vmware Workstation (Version 12 used for this article). Hit “CTRL+N”. The below window should open.

Make sure the “Typical” option is selected, and click on “Next”. That takes us to the next window. Initially, the “installer disc image file” field should be empty. Click on “browse” and browse to location of the iso file we just downloaded and select it. Now the window should look like below. Click on “Next”.

The Guest operating system should be automatically selected for you, if not select Linux as OS and version as Debian 8.x (since I am installing a 32bit, make it Debian 8.x64 if installing 64bit). Click on Next.

Choose the name of virtual machine and its location as you like. I named it Parrot. Click on “Next”.

Allocate the hard disk memory for your virtual machine. Keep the minimum as 20GB. Click on Finish.

It will show you a summary of all the selections you made. If you want to make any changes, click on Customize hardware or else click on Next.

The virtual machine is created with the name you gave it. Power on the virtual machine. It will boot and take you to the interface shown below. Choose the “Install” option. In the next window select “Standard Installer”. You can select these options using “tab” button.

Select the language in which you want to continue the installation process.

Select your country. For this article, I chose location as India.

Select the keyboard configuration you want.

It is important to set the root password (no need to tell it is Linux’s most powerful account) for the machine before we do anything. Set a complex password. Read the suggestions before you set the root password.

Re-enter the root password again to confirm it.

It is a good practice to use the system as a no -n root user. The system will prompt you to create a new user account for non-administrative activities. I am creating a user with name kalyan. I am giving the same name as username.

Create a password for the user account you just created. Make it a good password for security reasons.

Re-type the password again to confirm the password you have assigned.

The next step is partitioning the hard disk. Unless you are an expert or want to try something different, use the entire disk.

The system will warn you before partitioning. Select the disk for partitioning.

It will ask you to choose the partitioning scheme. Choose the first one. It is also recommended for users.

Next, it will show you changes you have configured before writing the changes to the disk. Select “Finish partitioning and write changes to the disk”.

Confirm for one last time that you want to writ-e changes to the disk. Select “Yes”.

The installation process will start and may take some time. You can have snacks and come back. After installation finishes, it will prompt whether you want to install GRUB boot loader.

Select Yes. Then it will ask you where to install the boot loader. Select the /dev/sda disk.

After the installation is finished, it will show you a message as shown below. It’s time to boot into your new system.

As the system boots, it will ask present you a login screen. You can login as either root or the new user you created it. Once you login, your new pen testing distro should look as below.

Posted on by

SMTP enumeration for beginners

Enumeration is the process of collecting information about user names, network resources, other machine names, shares and services running on the network. Although a little bit boring, it can play a major role in the success of the pentest. In the previous howto, we saw how to perform SMB enumeration and got some usernames on our target. So we don’t need to perform SMTP enumeration. But we may not be so lucky that SMB enumeration will be successful on every network. For networks like these, we may need to enumerate other services like SMTP.

First let me give you a basic introduction of SMTP. SMTP stands for Simple Mail Transfer Protocol. As the name implies, it is used to send email. It uses port 25 by default. If you ever sent an email, you have definitely used SMTP. SMTP servers talk with other SMTP servers to deliver the email to the intended recipient. Luckily this all happens behind the scenes and we don’t have to break our heads to understand this. But there are some things we have to understand about SMTP that will help us in enumeration.

As the term “simple” implies, SMTP server can only understand simple text commands. Sender of the mail communicates with a mail receiver by issuing these command strings and supplying necessary data. Some of the important commands are

1. HELO – sent by a client to introduce itself.

2. EHLO – another way of client introducing itself to server

3. HELP – used to see all commands.

4. RCPT – to identify message recipients.

5. DATA – sent by a client to initiate data transfer.

6. VRFY – verify if the mailbox exists.

7. QUIT – to end the session.

SMTP enumeration can be performed in many ways. The easiest way to do this is by connecting to the SMTP service port of the target with telnet (we have seen this in scanning and banner grabbing).

As you can see, we got successfully connected. From here, we can verify manually if each user exists or not. If you remember the article on SMB enumeration, we already have some usernames available. Lets use the VRFY command to check if users “user”, “msfadmin” and “root” exist in this system.

Image explaining about SMTP enumeration

Yes, they exist. Similarly, let us test if user kalyan exists. As you can see in the above image, the user kalyan doesn’t exist. Nmap also has a script to perform SMTP enumeration. We can use the script as shown below.

By default, Nmap uses RCPT method to check if a particular user exists. Unfortunately for me, it gave unhandled status code here. This Nmap script can be modified to use different methods. Here I changed it to use VRFY method to enumerate users. I have only scanned port 25 to remove the clutter. But still it gave me the same error.

There is another tool in the arsenal of Kali Linux which is built specifically for SMTP enumeration. Its called smtp-user-enum. Here let us test if a user called “root” exists on the target system as shown below.

Since user “root” exists, I’m assuming other users like “msfadmin” and “user” also exist. While performing SMB enumeration, we created a wordlist which can be users on the target system. Now let’s enumerate if all the users in that wordlist exist. It can be done as shown below.

All the users we got during SMB enumeration exist. That’s good. In this case, we already have the wordlist of usernames (we got during SMB enumeratin). What if we don’t have the exact wordlist. We can use different wordlists present in Kali Linux. These wordlists are present in /usr/share/dirb directory.

What We Achieved?

We got some usernames which may be useful to us while exploiting the system in future. All these usernames have a recipient email address to them.

Posted on by

Windows Local user hash carver exploit

Hi aspiring ethical hackers. In this article you will learn about the Windows Local user hash carver exploit. During a pen test, it sometimes becomes necessary to change Windows password.

Although we have a hashdump feature to dump the password hashes of all users in a remote Windows system, this exploit directly changes the password of the user we want in the registry. Thus it saves the trouble of cracking the password hashes altogether.

This works on a local user account. This can be pretty useful if we need credentials but can’t crack the hashes. Mind that you need to have system privileges on the remote system to use this exploit (See how to escalate privileges). Let’s see how this exploit works.

First acquire system privileges on the system. Background the session (note the meterpreter session id) and load the hashcarver exploit as shown below.

Image explaining about usage of hash carver exploit

Type command “show options” to see the options required. Session is the meterpreter session id, user is the user in the remote system whose password you want to change and “pass” is the password you want to set for the user.

My session id is 2, Kanishka is the username for which I want to change the password and I want the new password to be “hacked”.

When all the options are set, execute the exploit using command “run. The exploit runs as shown and successfully changes the password. That’s all in windows Local User Hash Carver exploit. Learn how to upgrade from Command shell to Meterpreter session

Posted on by 2 Comments

HTA web server exploit for hacking Windows

Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will learn how to use HTA web server exploit for hacking windows.

First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.

Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload as it is a local exploit.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

Image explaining about usage of hta web server exploit

As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below

the browser prompts a warning about the payload as shown below.

When the user ignores the user and clicks on “run”, a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below.

That’s all in HTA web server exploit. Learn how to hack windows with Hercules.

Posted on by

Windows Post exploitation recon with Metasploit

Hello aspiring hackers. Till now we have seen various ways of hacking Windows, elevating privileges and creating a persistent backdoor for later access. After we have successfully created a backdoor, it’s time to perform further reconnaissance. Windows post exploitation recon helps us in gathering further info about our target network. This can be helpful to us in finding more vulnerable systems to hack and pivot.

If you have observed carefully while starting Metasploit, it has number of modules specified as “post”. Some of these are useful in recon. For us to do post recon we need to first hack the system and get metertpreter session on it. Now let us see how to perform this recon with Metasploit.

The first module useful in reconnaissance in the arp scanner. Arp scanner helps us to identify any hidden devices in the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning can detect these devices.

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that.

We can see in this specific case, there are only two programs installed.

Image explaining about windows post exploitation reconnaissance

The enum_logged_on_users module helps us in finding out the users logged in. This may help us in knowing the usernames of the system.

In our case, we go to know the username as “admin”.

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

That’s all for today folks. I will be back soon.