Category: Hacking

Posted on by

Cewl wordlist generator: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to Cewl wordlist generator. Cewl stands for Custom Word List generation. It is written in ruby language. Unlike crunch that takes input from us to generate a wordlist, this tool spiders a given website to the depth specified by us and then creates a dictionary or wordlist from it. This wordlist can then be used for password cracking with tools the Brutus, Hydra, Medusa and John The Ripper. It was designed by Robin Wood based on a discussion on PaulDotCom about creating wordlists by spidering a target website.

Cewl can be downloaded from here. Kali Linux has cewl installed by default and for this tutorial we are using the same. Metasploitable 2will be used as target since it has lot of applications installed that can be used for testing it.

To use cewl, all we have to do is simply supply the URL you want to spider for as shown below.

Then it will create the wordlist for you as shown below.

Keeping the downloaded file (-k)

Specifying the ‘-k’ option the downloaded file can be saved.

Depth of spidering (-d)

When you specify a target to Cewl, it spiders to the dept of 2 by default. You can change it using this option. For example, let’s set the depth to 1.

Or 3 may be.

Minimum word length (-m)

This option can be used to set the minimum length of the passwords cewl creates. For example, nowadays, most services set the minimum length of the password to at least 5. So there’s no use creating passwords with length less than the minimum length your target has set, If you have noticed the above results, the default minimum length for cewl is 3. Let’s set it to 5 for example.

As you can see in the above image, there are no longer passwords of length less than 5.

Spidering other sites (-o)

Setting this option allows cewl to spider another external sites during spidering of the target.

Don’t scan specified paths (–exclude)

If the target website is too large, you may want to skip some paths or maybe you just want to skip some paths as they may not have any passwords. You can use this option what cewl to exclude the paths you don’t want to scan. Then paths should be supplied in a file.

–allowed

This option is used to specify regex patterns of the path to be followed. If the pattern doesn’t match, it drops the scan.

No wordlist please (-n)

If you don’t want the wordlist to be printed, you can use the “-n” option.

Saving the output (-w)

Till now, you have seen that Cewl has been printing the wordlists it creates to the terminal. The output can be copied and pasted in another file to be saved from using as a wordlist. But why take all this effort when we can just save the output to file, using the ‘-w’ option.

Use User agent (-u))

A user agent is a characteristic string that allows web server to identify the browser and operating system and we are using. You can see your user agent here. Using the (-u) option, cewl allows you to be get a specific user agent while spidering the website.

Groups of words (-g)

Setting this option allow cewl to return group of words along with single words.

Turn all generated passwords to lowercase (–lowercase)

Setting this option allows us to 16 turn all the passwords cewl generates into lower case.

Here is the result.

Include words with numbers too (–with-numbers)

While spidering, if cewl finds any words with numbers in them, it just ignores them. But many passwords contain numbers too. By setting this option, cewl collects numbers as well.

–convert-umlauts

Setting this option to while using cewl converts common ISO-8859-1 umlauts.

Include meta data too (-a)

When we set this option, Cewl includes metadata found while spidering the website apart from the words.

This metadata found is included at the end of the output files as shown below.

Save metadata found to a different file (–meta-file)

You can even save all the metadata found on the target site to a different file as shown below using the “–meta-file” option.

In the above image, you can see that cewl, while processing metadata creates a temporary file. This file known as cewl-temp.pdf is created in the /tmp directory by default. We can change the location of this file by using the “—meta-temp-dir” option as shown below.

Gather emails too (-e)

Not just metadata, you can even process emails using cewl with the ‘-e’ option.

Save collected emails in another file (–email-file)

These collected emails can also be saved in another file using the “–email-file” option.

Show the count for each word (-c)

Setting this option shows the count for each word.

Verbose mode (-v)

Just like every other tool, this tool to has verbose mode that gives detailed information.

Debug mode (–debug)

Similarly, the “–debug” option gives detailed debugging information too.

Authentication

Some sites need authentication to spider it. Cewl allows authentication of websites too.

It supports both basic authentication and digest authentication. The “auth_type” option is used to set the type of authentication. The “–auth _user” and “–auth_pass” option can be used to set username and passwords respectively.

Here’s the output.

Spidering through proxy

Spidering, no matter what the purpose is very noisy. Cewl has an option to spider through a proxy using the “–proxy_host” option.

You can even specify the port of the proxy using the “–proxy-port” option.

Cewl even has feature of authenticating to the proxy server using the “–proxy_username” and “–proxy_password” options.

Posted on by

Hydra password cracker: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to Hydra password cracker. Hydra password cracker runs on Linux, Windows, Solaris, FreeBSD/openBSD, QNX and macOS. Using Hydra, we can crack passwords of various protocols like Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Hydra can be downloaded from here. This guide uses Hydra installed on default in Kali Linux and Metasploitable2 as target.

Single username (-l) and Password (-P)

If you want to check a single username and password with Hydra, the syntax is given below. Here we are testing the credentials on target system’s FTP server. This is normally useful when we have a general idea about at least one credential pair.

Hydra will test this credential and come with a result. Here it is found this credential accurate.

What if you can’t guess a password or have no knowledge about at least one credential pair. Then we need to test a large list of credentials using brute forcing by using a wordlist.

Specifying wordlist for usernames (-L) and passwords (-P)

You can specify wordlist containing usernames using the (-L) option and specify the wordlist containing passwords using the (-P) option as shown below.

Here, I am suing the same wordlist for both username and passwords. “Metsaploitable.txt”. These wordlists are normally created or obtained during the enumeration stage. For example, we obtained this during SMB enumeration of the target. Hydra found three credentials valid from this wordlist.

Restore a cancelled session (-R)

Sometimes we may need to test a large wordlist, with thousands of credentials in it. This may obviously take a lot of time and we may have to hit “CTRL+C” sometimes to cancel the session or maybe a power cut ended our scan abruptly.

Do we have to start from the beginning again? Don’t worry. You can restore the session from where you stopped in Hydra as shown below.

RIgnore the previous session (-I)

What if we don’t want to restart that session and to start a session afresh. We can just use the ignore (-I) command which asks it to ignore the previous session.

Scanning unconventional ports (-s)

You know every service has a default port on which it runs. For example, FTP (21), Telnet (23), and HTTP (80) etc. Sometimes administrators configure this service to run on unconventional ports to make them less conspicuous. Using Hydra we can even run password attack on these ports using the (-s) option. For example, imagine FTP is running on the port 2121 and not 21.

Target has SSL enabled (-S)

Using Hydra, we can connect using SSL with this option.

If the service has an old version of SSL, we can use the “-O” option.

Additional checks (-e)

Using this option, you can check accounts for null passwords (n), using username as password (-s) and using password as username and vice versa (-r).

Combo (-C)

Sometimes, instead of an usual wordlist, we have wordlists that have credentials in “login:pass” format as shown below.

If we want to use this type of wordlist, you can use this option.

-U

When you are using a wordlist with Hydra, by default it checks all passwords for the first username and then tries the next username. Using this option, we can loop around the passwords. The first password is checked for all the usernames and then it moves to next password and does the same.

Stop after getting the first successful pair of credentials (-f)

This option (-f) makes Hydra stop password cracking as soon as one successful pair of credentials are found.

Target multiple servers (-M)

Hydra allows us to perform password cracking on multiple servers at once. We need to provide a file containing IP addresses of the targets.

Stop after getting once successful pair on multiple servers (-F)

Setting the ‘-F’ option, Hydra stops after getting the first successful pair of credentials on multiple servers.

Saving the output (-o)

Till now, we have seen Hydra showing output on stdout. However, with the “-o” option, we can save the output of the tool to a file.

Format of the output file (-b)

Hydra allows you to save output in three formats, although the default format is text. It also allows you to save output in Json and Json v2 format.

Number of tasks (-t)

Tasks are number of persistent connections Hydra makes while testing. By default, it makes 16 tasks, but this can be changed using this option. For example, let’s set it to 19.

Module specific options (-m)

This option allows us to set module specific options. For example, FTP module in Hydra doesn’t have any module specific options. But other modules like HTTP have it. All the options for a specific module can be seen using the -U option. For example, lets change the option for http-get.

Waiting time (-w)

Hydra waits for 32 seconds for receiving responses for it queries. This option can be used to change this time. For example, let’s set it to 10 seconds.

Waiting time for login attempts (-c)

This option can be used set the waiting time for login attempts Hydra performs. It is useful only when a low task time is used.

Verbose mode (-v) (-V)

Hydra has two verbose mode. The lowercase verbose mode is the default verbose mode in any other tool.

If you want to see each login attempt Hydra makes, you need to use the (-V) option.

That’s all about Hydra password cracker.

Posted on by

Google Dorking for hackers – Part 2

Hello, aspiring ethical hackers. This blogpost is Part 2 of Google Dorking. In our Part 1 of Google hacking, you learnt what Google hacking or Google Dorking is, what google operators are and different Google operators. In this Part 2. You will learn how hackers use Google Dorking for gathering whatever they want. If someone is a Black Hat Hacker, you will definitely not use Google to show different google operators. They will be looking for information that can make their hack successful. what could that information be?

Google dorking

This information can be credentials, login pages, backup files, database dumps, email lists, various types of files, open FTP servers & SSH servers etc. How nice it would be for hackers if they got passwords and credentials file by using just a simple google dork instead of using password cracking. In real world, we do get them. All we have to do is combine some of the Google dorks you have learnt about in Part 1 of Google hacking.

allintext:password filetype:log

allintext:username filetype:log

In the above dork, we are searching for log files with passwords in them. You will be surprised how many results you get.

Well, what is the next thing you do once you successfully get credentials. You search for a page where you can use those credentials. I mean login pages. We can search for login pages using the Google dork below.

intitle:login

You can even search specifically for WordPress login pages using the dork below.

intitle: “Index of” WP-admin

Sometimes, not just single passwords, you can also get files which are a collection of credentials. These are files where passwords are collected and stored. For example, this Google dork.

intext:”Index of” intext:”password.zip”

You learnt about the functions of a database while learning web server hacking. Sometimes users make a backup of their databases for safety purpose and unfortunately store that backup on the web server only. What if we can find this database. It can be found using the Google dork as shown below.

“index of” “database.sql.zip”

Or by using this query.

inurl: backup filetype:sql

We can find other backups too.

intitle: “index of” “backup.zip”

We can also find email lists of an organization using Google dorking. Most of the organizations make and save a list of emails as excel files. They can be found using the Google dork as shown below.

filetype:xls inurl:”email.xls”

Once we have the list of emails, we can perform social engineering attacks on them. Websites don’t just have credentials, emails and backups stored on them. They have different types of files like PDF’s, word documents, images etc. Sometimes they are not meant for viewers of the website but they are nonetheless on web server. Even these files can be found by Google dorking.

site: <> f iletype:pdf

site: <> f iletype: doc

These files can be used to find any metadata that can reveal more information. What if you are trying to hack a particular software and need its source code to find if it has any vulnerabilities. We have a dork for that too.

intitle: “index of” “sourcecode”

A software has a specific vulnerability disclosed and hackers work to find it. For example, take a particular version of Power CMS V2. This can be done using the below query.

intitle: “Installation Wizard – PowerCMS v2”

You know how many websites still use FTP and how many of them are still expose to internet. They can be found using below Google dork.

intitle: “index of” inurl:ftp

site:sftp.*.*/ intext:”login” intitle:”server login”

inurl:/web-ftp .cgi

You can also find specific database managers like for example, phpmyadmin

“index of” inurl:phpmyadmin

Posted on by

Dirty Cow vulnerability: Beginners guide

Hello, aspiring ethical hackers. This blogpost is a beginner’s guide to Dirty COW vulnerability. Assigned CVEID, CVE-2016-5195, this vulnerability affects Linux kernel version 2.6.21 since 2007. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

What is this Dirty COW vulnerability?

Dirty COW is a Linux privilege escalation vulnerability which is caused due to a race condition in the way the Linux kernel handled copy-on-write functions. The name Dirty COW came from this Copy-On-Write (COW). By exploiting this vulnerability, an unprivileged user can gain access to the read-only memory mapping subsequently elevating their privileges on the system.

Which kernels are vulnerable?

All the Linux kernels from versions 2.x to 4.x before 4.8.7 are vulnerable to this Dirty COW vulnerability. Let’s demonstrate this vulnerability on a Ubuntu 12 system. To exploit this vulnerability, the hackers need to first gain initial access on the target system.

Download this exploit from Github and extract its contents. It is a C program as shown below.

Compile this code using inbuilt GCC compiler in Ubuntu system. This exploit creates a new user named ‘firefart’ with root privileges on the target system by writing to the /etc/passwd file. Usually, creating an user with root privileges in not possible for low privileged users on Linux systems. But this is a privilege escalation vulnerability.

Now, let’s execute the exploit as shown below. It will prompt you to create a new password for the new user “firefart” it is creating.

Login as the newly created user to see if the exploit was successful in exploiting the vulnerability and creating the news user “firefart”.

As you can see, a new user named “firefart” has been created on the target system with root privileges.

Posted on by

Complete guide to DNSrecon

Hello, aspiring ethical hackers. This is a complete guide to dnsrecon tool. In our previous blogpost on DNS enumeration, you read what DNS is, what are the various types of DNS records, what is the information about the network can DNS enumeration reveal to a pen tester or a Black Hat Hacker. DNSrecon is one such tool used for enumerating DNS.

DNSrecon is written by Carlos Perez. He wrote it initially in Ruby to learn about that programming language and about DNS way back in 2007. As time passed by, he wanted to learn python and he posted dnsrecon tool to python.

The features of DNSrecon tool are,

  1. Checks all NS Records for Zone Transfers.
  2. Enumerates general DNS Records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  3. Performs common SRV Record enumeration.
  4. Top Level Domain (TLD) expansion.
  5. Checks for Wildcard resolution.
  6. Brute forces subdomains and host A and AAAA records given in a domain and a wordlist.
  7. Performs PTR record lookup for a given IP Range or CIDR.
  8. Checks a DNS server’s cached records for A, AAAA and CNAME.
  9. Records provided a list of host records in a text file to check.

Let’s see how to enumerate DNS with DNSrecon. DNSrecon is installed by default in Kali Linux. To use DNSrecon, all we have to do is use the command below.

dnsenum -d <domain>

–name_server (-n)

By default, DNSrecon will use SOA of the target server to enumerate DNS. You can use a different server, you can use it using this option.

-a

This option is used to do a zone transfer along with standard enumeration performed above.

As expected it failed.

-y, -b, -k

Similarly, you can perform yandex (-y), bing(-b), crt.sh (-k) enumeration along with standard enumeration.

-w

This option is used to perform deep whois record analysis and reverse lookup of IP ranges found when doing standard enumeration.

-z

This option is used to perform a DNSSEC zone walk along with standard enumeration.

–dictionary (-d)

This option is used to use a dictionary file containing subdomains and hostnames to use for brute force.

–range (-r)

Specify a IP range to perform reverse lookup.

–type (-t)

This option is used to perform a specific type of enumeration only. The various possible types of enumeration that can be performed using dnsrecon are,

  • Std: all SOA, NS, A, AAAA, MX and SRV.
  • rvl: reverse lookup
  • brt: brute force using a given dictionary
  • srv: SRV records.
  • axfr: zone transfer from NS server.
  • bing: Bing search for hosts and subdomains.
  • Yand: Yandex search for hosts and subdomains.
  • Crt: crt.sh enumeration for subdomains and hosts.
  • Snoop: cache snooping argument at NS server.
  • tld: test against all TLD’s registered with IANA.
  • Zonewalk: perform DNS sec Zone using NSEC records.

Saving results

You can save the results of the found records to a database (-db), XML (-X), CSV (-c) and Json(-j) files.

–lifetime

This option is used to set the time the tool has to wait until the target server responds. The default time is 3 seconds.

–threads

This option is useful to specify the number of threads to be used while performing reverse lookup, forward lookup, brute force and SRV record enumeration.

That’s all about DNSrecon.