Category: Hacking

Posted on by 2 Comments

HTA attack for beginners

Hello aspiring hackers. In our previous blogpost, you learnt about Windows hacking. In this article, you will learn about HTA attack, an attack that helps in gaining access to Windows systems. In this attack, HTA file are used to hack the target system.

What is a HTA file?

What is HTA file? HTA stands for HTML application. An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. A HTA file gets executed without the constraints of the internet browser security model. In simple words, it gets executed as a “fully trusted” application.

Let’s see an example of how to create this attack. For this, we will be using Metasploit’s windows/misc/hta_server module. In this module, the server hosts a HTA file, which when opened on the target system, will execute a payload via PowerShell. Of course, the browser warns the user before executing the payload. But social engineering can be used to convince the target users to execute the HTA file.

Now let’s see how this attack works. We will use this exploit to gain access to Windows 10 target. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

Image explaining about usage of hta web server exploit

As you can see, it has generated an URL where the payload is being hosted. We need to make the target user click on this URL. When the target user clicks on this URL as shown below.

The browser opens and prompts a warning about the file as shown below.

When the user ignores the warning and clicks on “run”,  a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below. 

That’s how HTA attack works.

Posted on by

Windows POST exploitation with Metasploit

Hello aspiring hackers. In our previous blogpost, you learnt in detail about POST exploitation. In this blogpost, you will learn how to perform Windows POST exploitation with Metasploit. Metasploit has many modules that help us in POST exploitation activities on a Windows system after gaining access. Let’s learn about some of the modules.

Reconnaissance

The first module you will learn about in reconnaissance in the arp scanner module. ARP scanner helps us to identify any hidden devices on the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning module can detect these devices.

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that. We can see in this specific case, there are only two programs installed.

Image explaining about windows post exploitation reconnaissance

The enum_logged_on_users module helps us in finding out the users logged in.  This may help us in knowing the usernames of the system. In our case, we go to know the username as “admin”.

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

The enum_powershell_env module helps us to find out the version of PowerShell running on the target system. Windows PowerShell is a task automation and configuration management framework designed by Microsoft which consists of a command line shell and associated scripting language built on the .NET Framework and .NET Core.

PowerShell provides full access to COM and WMI, enabling administrators to perform administrative tasks on both local and remote Windows systems. Just like any Metasploit POST module, we need to have a valid meterpreter session to run this module. Background the current meterpreter session and load the PowerShell environment enumeration module as shown below. Type command “info” to view the information about this module as shown below.

Type command “show options” to view the options to be configured. Set the session ID of the meterpreter session we just sent to background and execute the module using command “run”.

powershell enumeration

As you can see in the image above, PowerShell version 2.0 is installed on our target system an there are no PowerShell snap-ins are installed.

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

That’s all for today folks. I will be back soon.

Posted on by 6 Comments

Beginners guide to hash cracking

Hello aspiring ethical hackers. In our previous blogpost on cryptography, apart from learning the uses of encryption in cybersecurity, you learnt about various encryption techniques. One such method is hashing. In this article, you will learn about hash cracking.

The process of cracking a password hash is known as hash cracking. In ethical hacking, you will definitely encounter password hashes. You will have to learn how to crack these hashes to be able to move forward in pen testing or Red teaming. For example, let’s say you encounter NewsP Free News Script 1.4.7 software in the target network. This particular version of software had a credential disclosure vulnerability as shown below. The only thing that stops me from accessing the website is the password in encrypted format.

Image explaining how to crack hash es with kali linux

The first step in cracking hashes is to identify the type of hash we are trying to crack. We can identify a hash type using a tool named hash-identifier. This tool is installed by default on Kali. Open a terminal and type command given below.

hash-identifier

Enter the hash we need to identify as shown above and hit ENTER. It will show the possible hash type as shown below. In our case, it is MD5 hash or a variant of it.

We can also use another tool “hashid” for hash identification. It’s syntax is as shown below.

hashid <hash>

Since now we know that the hash type is Md5, it’s time to crack the hash. We will use a tool called ‘findmyhash’. This tool tries to crack the hash by using various online hash crackers available. To use this tool, we need to specify the hash type ( which we already know ) and hash after it as shown below. 

findmyhash <hash type> -h <hash>

After successfully cracking the hash, it will display us the password as shown below. In our case, the password is admin.

Posted on by 3 Comments

Webshell attack with msfvenom

Hello aspiring hackers. In our previous howtos, we saw about different shells like the infamous c99 shell,  web shells in Kali Linux and Weevely. In this howto, we will see how to perform webshell attack with Metasploit. We will be getting a meterpreter shell on the website.

One of the wonderful features of Metasploit is creating payloads as per requirement. Using msfvenom, we can create binaries for Windows, MAC and Linux.  We can also create shell payloads for websites in different formats like php, asp , javascript and asp. In future howto’s we will definitely learn more about msfvenom but for this howto, we will create a php payload.

As you can see below, I have created a php payload named “shell.php” with the metasploit payload option “php/meterpreter_reverse_tcp”. This gives us a reverse php meterpreter shell. The “lhost” option is our attacker system’s IP address and “lport” the port on which we want php meterpreter shell back.

Image explaining webshell attack with metasploit

After the shell is successfully created, let’s start a listener with Metasploit as shown below. Remember to set the same payload we set while creating the payload.

Set the lhost and lport as shown below. They should match with the values in the shell we created. Type command “run” to start the listener.

Now you need to find a site vulnerable to file upload. For this howto, I’m using my own vulnerable webapp “Vulnerawa”. To know more about Vulnerawa go here. Vulnerawa has a file upload vulnerability in its careers page.

Go to its file upload page and upload the shell. That shouldn’t be a big problem.

Now go to the shell we just uploaded through the website. Normally its located in the uploads directory ( In real websites, you need to locate it ). The shell will look like below.

In the listener we started an the attacker system, we should have already got the meterpreter shell. Happy hacking.

That is how we perform webshell attack with Metasploit.

Posted on by

WAPT with HPWebinspect : Part 2

Good evening friends. Today we will see the second part of WAPT with HPWebinspect. If you didn’t go through the first part, we ended it by scanning a website for vulnerabilities. The results have given us vulnerabilities categorized as critical, high, medium and low. That was the easiest part. Now we will go through analysis of these vulnerabilities.

Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation.

The analysis part is very important part of the WAPT. Let us see how to perform this analysis . We will take our previous scan report.

Before we do the analysis, let us have a look at the interface of HPWebinspect.  To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.

Image explaining about hpwebinspect

The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.

Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.

Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.

Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.

It also shows us the emails we found during scan.

Also the forms.

Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyze each vulnerability for this exact reason.

In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyze this vulnerability.

Click on the vulnerability. The dashboard of HPWebinspect will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.

Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)

Now right click on the vulnerability we are analyzing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.

We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.

Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.

Another window will open as shown below. It will automatically show you the browser view.

We can click on “Request tab”to see the request sent by our tool.

Similarly the response tab shows us the response given by the target.

We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.

Close the window. Once again right click on the vulnerability. You can see the option “change severity”.

For instance, the vulnerability detected is not that critical, we can change its severity suitably to high or medium or low.

Now what if the vulnerability detected  is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.

We can also access this option from the “review vulnerability” window as already shown above.

When we click on that option, we get two sub-options to mark it either as false positive as shown below

or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.

When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.

Select whatever you want to include in your report as shown below and click on Finish.

The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.

That’s how we do WAPT with HPwebinspect. Want to learn Ethical Hacking with Real World Scenarios.? Subscribe to our digital magazine.