Hello aspiring hackers. In many hacking scenarios, we encounter hashes. To those newbies who have no idea what hashes are, they are encrypted text ( literally we can’t call it text ). Normally they are used to encrypt passwords for website users, operating system users etc. Today our tutorial is about cracking hashes.
For this howto, we will use NewsP Free News Script 1.4.7 which had a credential disclosure vulnerability as shown below. Imagine we got the username and password hash as shown below. The only thing that stops me from accessing the website is password in encrypted format.
The first step in cracking hashes is to identify the type of hash we are cracking. Kali Linux has an inbuilt tool to identify the type of hash we are cracking. It’s hash-identifier. Open a terminal and type command hash-identifier.
Enter the hash we need to crack as shown above and hit ENTER. It will show the possible hash type as shown below. In our case, it is MD5 or a variant of it.
We can also use another tool hashid for similar purpose. It’s syntax is as shown below.
We know what the type of hash is. Now, it’s time to crack the hash. We will use a tool called ‘findmyhash’. To use this tool, we need to specify the hash type ( which we already know ) and hash after it as shown below. This tool tries to crack the hash by using various online hash crackers available.
After successfully cracking the hash, it will display us the corresponding password as shown below. In our case, the password is admin.
Hello aspiring hackers. In our previous howtos, we saw about different shells like the infamous c99 shell, web shells in Kali Linux and Weevely. In this howto, we will see about hacking a website by uploading shell made with Metasploit. We will be getting a meterpreter shell on the website.
As you can see below, I have created a php payload named “shell.php” with the metasploit payload option “php/meterpreter_reverse_tcp”. This gives us a reverse php meterpreter shell. The “lhost” option is our attacker system’s IP address and “lport” the port on which we want php meterpreter shell back.
After the shell is successfully created, let’s start a listener with Metasploit as shown below. Remember to set the same payload we set while creating the payload.
Set the lhost and lport as shown below. They should match with the values in the shell we created. Type command “run” to start the listener.
Now you need to find a site vulnerable to file upload. For this howto, I’m using my own vulnerable webapp “Vulnerawa”. To know more about Vulnerawa go here. Vulnerawa has a file upload vulnerability in its careers page.
Go to its file upload page and upload the shell. That shouldn’t be a big problem.
Now go to the shell we just uploaded through the website. Normally its located in the uploads directory ( In real websites, you need to locate it ). The shell will look like below.
In the listener we started an the attacker system, we should have already got the meterpreter shell. Happy hacking.
Good evening friends. Today we will see the second part of WAPT with HPWebinspect. If you didn’t go through the first part, we ended it by scanning a website for vulnerabilities. The results have given us vulnerabilities categorized as critical, high, medium and low. That was the easiest part. Now we will go through analysis of these vulnerabilities.
Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation.
The analysis is very important part of the WAPT. Let us see how to perform this analysis with HPWebinspect. We will take our previous scan report.
Before we do the analysis, let us have a look at the interface of HPWebinspect. To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.
The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.
Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.
Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.
Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.
It also shows us the emails we found during scan.
Also the forms.
Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyse each vulnerability for this exact reason.
In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyse this vulnerability.
Click on the vulnerability. The dashboard will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.
Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)
Now right click on the vulnerability we are analysing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.
We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.
Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.
Another window will open as shown below. It will automatically show you the browser view.
We can click on “Request tab”to see the request sent by our tool.
Similarly the response tab shows us the response given by the target.
We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.
Close the window. Once again right click on the vulnerability. You can see the option “change severity”.
For instance, the vulnerability detected by HPwebinspect is not that critical, we can change its severity suitably to high or medium or low.
Now what if the vulnerability detected is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.
We can also access this option from the “review vulnerability” window as already shown above.
When we click on that option, we get two sub-options to mark it either as false positive as shown below
or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.
When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.
Select whatever you want to include in your report as shown below and click on Finish.
The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.
Web application penetration testing refers to evaluating the security of websites and web applications. Websites evolved from being simple static HTML pages to incorporate complex dynamic features with bells and whistles. These bells and whistles also brought with them lot of vulnerabilities and thus websites became common targets for hackers. So web application penetration testing is considered very important nowadays.
WAPT could be performed manually or through automatic tools. Automated tools provide lot of advantages over manual testing most importantly the speed. HP Webinspect is one such tool.
It is an automated web application security scanning tool from HP. It helps the security professionals to assess the potential vulnerabilities in the web application. It is basically an automated dynamic application security testing (DAST) tool that mimics real-world hacking techniques and attacks, and provides comprehensive dynamic analysis of complex web applications and services. See how to install HPwebinspect in Windows.
Today we will see how to perform website vulnerability assessment with HPWebinspect. Open the program and click on basic scan. We will see other scan options in the following parts of this tutorial. As its name implies, this option performs a basic security scan on a website.
As we select the basic scan option, the “scan wizard” opens as shown below. As I am using a trial version of HPWebinspect I am only allowed to scan the website deliberately provided by HP for this purpose. This website simulates a bank ( named zero bank ) and this will be our target from now on.
I allot the given name. Below the scan name option, we have features with radio buttons. Let’s see these options.
crawl:- This process makes a list of all the pages on the entire website and builds its structure.
auditing:- Auditing is the process in which HPwebinspect will attack the website to find out the vulnerabilities.
I have selected the “crawling and auditing” option. HP Webinspect provides four types of scans.
Standard scan:- Normal scan. List Driven scan:- You can specify the list of urls for the tool to scan. It will only scan those urls. Workflow Driven scan:- Similar to list driven scan. You can scan a port of your website by specifying a macro. Manual scan:- You can specify each link you want to scan. step by step.
Next specify the website you want to scan and click on “Next”.
In the next window, you will be prompted for authentication. If your website or network requires authentication, provide them . Choose if you want network proxy or not and click on “Next“.
The profiler automatically samples the website and recommends best configuration for the scan. You can select the option. We will see more about profiler later. There are some other settings. Leave them to their default settings and click on “Next”.
You will get a congrats message telling about the successful configuration of scan settings. It’s time to start the scan. Click on “scan”.
The scan will start as shown below. It will take some time dependent on the size of the website you are scanning.
After the scan is finished, it will show the results as shown below. This tool classifies vulnerabilities into critical, high, medium, low and info. That was about basic scanning of website with HPWebinspect.
In our next part, we will see analyzing these vulnerabilities.
Hello aspiring hackers. It would be completely unfair to discuss about web shells without discussing about Weevely.
Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote administration and penetration testing or bad things. It provides a ssh-like terminal just dropping a PHP script on the target server, even in restricted environments. The best thing about Weevely is its stealth functionality. So today we will see how Weevely functions.
It is inbuilt installed in Kali Linux although here I have downloaded from Github. So let us first generate a shell as shown below. “tadada” is the famous ( or rather infamous ) password we have assigned for our shell and the name assigned to our shell is backdoor. Now let us upload this shell to our target. In this howto, I have uploaded it into both Wamp server and Linux web server. Go here to see how to upload the shell.
After uploading the shell, we can connect to our shell using the command shown below. Well we made a connection.
Now let us type command “:help” to see all the commands weevely provides. We will see usage of each command.
This command, as the name implies is used to audit the file system of the remote web server. The below screenshot shows the result of this command on a Linux web server.
This command needs no explanation. It is used to view the passwd file of our target and obviously will work only on Linux.
This command lets us have a look at the php configuration on the remote web server as shown below. We can get lot of information which can be useful in further hacks.
This command is used to know the whole system information. Below we can see lot of info about our target system.
This command shows us the system extensions enabled on the web server. Here are the apache_modules
and the php_extensions enabled on the web server.
If you have gone through the above link, you already know what is a backdoor. We can create a backdoor on the web server as shown below. Here we have created a shell backdoor using netcat on port 80.
Now open another terminal and type the command shown below. The IP address is our target’s address. It directly provides us a connection to port 80 of the target. You can also use other ports to connect to but the port should be open on our target.
We also saw the reverse backdoors in our previous howtos. Here, we are creating a backdoor to our attacker machine on port 1122. The IP address should be our attacker machine’s.
Once we create a reverse backdoor, we just need to listen on the port we specified above using netcat as shown below.
This is akin to “ls” command in Linux. It is used to see the contents of the directory.
It is used to delete any file from the directory. For example, I deleted the file c99.php.c999jpg as shown below. If our command has worked successfully, the terminal will return a true as shown below.
What if file upload doesn’t work? We can download any files from the internet. Suppose imagine we want to download a virus into our target and file upload doesn’t function ( in rare case ). We can host the virus on any free uploading site and download it using command shown below.
Now this one is important. This command is used to change time stamps. Let us change time stamps for files we have just uploaded. This is useful in raising less suspicions on the other side.
As we can see, time stamps of our files have been successfully changed.
This command is used to see if a file exists as shown below.
To enumerate the permissions of the files.
To make a copy of a file.
To edit a file not only in this directory but also other directories. For example, let us edit a file in the home directory with the name virus.
This are the contents of the file. Oh bad english.
Let’s correct it. Actually this is used to edit files and change their script.
For example, we can edit the index page to deface the website.
To change directories.
To search for files with specific properties. For example, we have searched for all writable files in the directory. Similarly we can also search for executable files.
Weevely provides us many functions to compress and decompress files. These include tar,bzip, gzip and zip. Here I am showing you an example of compressing two files into a zip archive.
Used to connect to the sql console.
We are not always lucky to have an unprotected sql connection. In that case, this command can be used to bruteforce the credentials.
After we get the credentials, we can dump the database we want using this command.
In this howto itself, we saw how to create a backdoor and we also discussed that an open port is required for creating this backdoor. We can scan for open ports using this command. We can see just port 80 is open.
Used to check all the network interfaces of the system.
This command is used to execute any shell command on the system.
Shell_php command is used to execute php commands on the target server. Here I have executed phpinfo() command.
Once we get a shell, we can also execute all the standard commands of the shell like whoami, uname and hostname etc..etc.
Well that was weevely for you. Hope that was helpful.
Good morning everybody. In Part 1 of this series, we saw how one of the most popular shells can be used to hack a website. However popularity has its own disadvantages, at the least in the field of cyber security. The C99 php shell is very well known among the antivirus. Any common antivirus will easily detect it as malware. Although it is unlikely that web servers will be installed with antivirus, still it is good to stay one step ahead. So today we will see some of the least popular but still effective web shells.
As you all know, Kali Linux is one of the best pen testing distros available. It would be very disappointing if it didn’t have web shells in its arsenal. Open a terminal and navigate to the directory “/usr/share/webshells” as shown below. As you can see, web shells are classified according to the language of the website we are trying to hack. Today we will see about PHP shells. So go into that directory and do an “ls”. You can see the shells below.
As the name clearly tells, the functioning of this shell is very simple. It is used to execute some commands on the target web server. Let us go to the shell’s link after uploading and execute the “net user” command as shown below. As already used in Part 1, this command gives us all the users present on the Window’s system.
Similarly let us execute another powerful command “systeminfo” to get the web server’s whole information as shown below. Sorry about the censor.
The php-backdoor, as the name implies is file upload shell just used to add more backdoors. It helps us in the case where we can’t easily upload any additional files we want.
I works akin to file upload function in our Part 1. As you can see below, it has upload form and a function to execute commands. We can also connect to the database.
Every shell doesn’t require us to visit the web server. In fact we can make the webserver visit us. Enter the php-reverse-shell. As its name says, it makes a reverse connection to our attacker system. In order for this shell to make a reverse connection, it needs an IP address. So before uploading this shell we need to change the IP address in the script to our IP address ( Kali Linux ) as shown below. Save it and close it.
Next, let us start a netcat listener in one of the terminal. If you are new to netcat the command “nc -v -n -l -p 1234” tells netcat to listen verbosely on port 1234. Remember the port number should be same as we specified above.
Now when we upload the shell, On kali linux we will get a terminal as shown below. Hit “ls” to see the contents of the directory.
The qsd-php-backdoor is compatible with both Linux and Windows web servers. As we upload it, it will detect whether the web server is Windows or Linux and then acts accordingly. The screenshot is shown below. As you can see we can move to the root directory of web server and come back, execute shell commands and SQL queries.
You already know what happens when we execute “systeminfo” command as shown below.
That’s about web shells in Kali Linux. Hope it was helpful.
WARNING: This is strictly for educational purpose. Please don’t misuse this.
Good Evening friends. In our previous tutorial RFI hacking for beginners we saw what is remote file inclusion vulnerability and how hackers use this vulnerability to upload files into the web server. In that tutorial, we uploaded a C99 php shell, which is the most popular shell used in RFI hacking. Today we will see further on how hackers upload shell and hack a website. We have successfully uploaded a shell in the above post.
Let us go to the path where we uploaded our shell as shown below. You should see something as shown below. This is our PHP shell. As you can see, it already shows lot of information about our target system like OS, the web server software, version etc. It also shows all the files in our folder or directory where we uploaded our shell as shown below.
Let us see some of the features of the shell. The first, second and third tabs are the Home, backward and forward buttons and need no explanation. The fourth tab is the “Go one directory back”. This can be useful in navigating the web server. I have gone one directory back as shown below.
Imagine there are a lot of files in the directory/folder we navigated into. We can search for a specific file as shown below using the search function.
Using the Tools option, we can open ports on the target server to bind shells. This can be useful in making remote connections using netcat or any other program.
We can also see the processes running on the web server using the proc function, but this depends on the privileges we acquire on our target. As you can see I didn’t get any processes to see on my target.
Many web servers have FTP server installed. The “FTP brute” option is used to brute force the password of the FTP server if it is available.
The “Sec” option shows the server security information. We can download winnt passwords and crack them using any cracking software. Once again this depends on the privileges we are running as.
The “PHP-code” option is used to execute any PHP code on the web server.
The “SQL” option is very crucial. It allows us to get access to the all important database. We don’t need to crack any credentials. Just click on “Connect” to connect to the database.
As connection is established to the database, we can see all the databases present on the server.
Click on the databases to view all the databases present on the server. Remember we can view all the databases present on the server, not just the database of this website.
Since I have DVWA installed on my server, I have selected that database. As it can be seen, it has two tables. You can select any table and can delete or edit that table. Hackers can even create new databases and delete the entire databases if you want. There is also a “self remove” option in this shell. So after doing whatever he wants, hacker can remove the shell from the web server.
Command Execute :
Now let us see some more tricks of this shell. Scroll down and you will see something called “command execute”. As the name implies, it is used to execute commands on the target OS.
For example, since I already know the target operating system is Windows, let me execute “net user ” command to see all the users on the Windows system.
We can see the result as shown below.
We can also see opened ports on the web server using the command below.
These are the open ports on our target.
Just below our “command execute”, we have Shadow’s tricks. These have all the tricks that can be performed on the Linux server’s shadow file. You can see all the commands below. Since we are on Windows we will skip this one.
Below Shadow’s tricks, on further scrolling down we have Preddy’s tricks. This can be used to bypass PHP Safe Mode if it is enabled and execute PHP commands. Enabling Safe Mode imposes several restrictions on PHP scripts. These restrictions are mostly concerned with file access, access to environment variables and controlling the execution of external processes. We don’t have PHP Safe Mode enabled in our case.
The most common thing hackers ( there’s still a lot of debate whether to call them hackers or not ) do after shell upload is defacing websites. What is website defacement? In simple terms, it is changing the index page of any website. Now what the hell is this index page? It is the first page or default page that loads when we visit a website. It can be either index.php, default.php or home.php ( the extension can even be .html ).
But why is the defacing done? Mostly it can be done to leave a message. For more information on defacing just Google “Anonymous hacking group” or “defacing groups”. Now let us see clearly how websites are defaced using file upload.
Here, to make it more dramatic, I have navigated to the Vulnerawa directory installed on the same server as shown below. To know more about Vulnerawa, go here.
As you can see below, we are in the Vulnerawa directory and we can see the index.php page below.
Now before defacing, this is the page that loads when we go to Vulnerawa.
Now, open the index page or search for the page as shown below.
As we can see below, we have the index page. Normally it is deleted and a new index page is uploaded. But here, we will edit the index.php page.
This is the content of the index page.
Now I have edited the script as shown below. To the newbies, I am just including an image named “anon.jpg”.
Now upload the “anon.jpg” image as shown below. I am gonna leave my own message dedicated to my favorite superhero.
Once we click on upload, the image is uploaded into the directory as shown below. That’s it we are done.
Now when user goes to the website, he will see this message.
These are some of the things we can do with an uploaded shell. By now you should have understood how dangerous a file upload vulnerability can be for a website.
How to stay safe?
If you are a website admin, always keep a backup of your website as hackers can sometimes delete the entire website and databases. It is also a good thing to scan your web server for any malicious files since I have seen in many instances that people often restore the website deleted but still keep the shell intact.
In our next howto, we will see more about the shells.
Good Evening friends. In our previous howto, we have seen about Local file inclusion hacking. Today we will see another file inclusion attack known as Remote File Inclusion or File upload Injection. In LFI hacking, we can just view files locally present on the web server. Only watching, no touching. In RFI hacking, we can upload remote files into the web server.
So if the website is vulnerable to RFI, we can upload any files we want into the web server. But before we see this practically, take out ten seconds and just imagine if you had an opportunity to upload a file into a remote server what type of file would it be? It should be something which can take complete control of the web server, right.
There enters the PHP shell. It is a shell wrapped in a PHP script. As you will see later, we can use this shell to execute commands or browse the filesystem of the remote web server. Now let us see it practically. Recently, a file upload vulnerability was detected in Roxyman file manager. It is a free open source file browser for .NET and PHP. I have installed this on a remote server for testing. I am trying to upload the infamous c99 php shell into this file manager.
The c99 shell is a notorious PHP malware. More about what it can do later. Ok, now let’s see how file upload works. Go to file manager and click on Add file as shown below.
Another window opens. Now browse to the file we want to upload. In our case, the C99 shell.
But when we click on “upload”, it shows us an error as shown below. Don’t worry, that’s normal. RFI injection has been so notorious that even a noob like me wouldn’t allow a php or any other malicious upload.
Normally developers use a white list or black list to prevent specific file uploads. Black list is a list of file extensions to be blocked. White list is a list of file extensions to be allowed. Our specific application here uses a black list as shown below. As you can see files with extensions php,php3,php4,php5 and many more are blocked.
But it doesn’t mean this type of restrictions cannot be bypassed. One way to do this is to rename our file to something like c99.php.c999jpg to fool the filters that this is a jpeg file. As I already said, this is one of the many ways to bypass the filters. You can just google for more ways to bypass this restrictions. Now the upload is successful as shown below.
Now you can view the upload file by going to the uploads directory as shown below. See we have successfully uploaded our php shell into the web server.
In our next howto, we will see what we can do with our uploaded php shell.
Good morning friends. Today we will learn about LFI hacking. LFI stands for Local File Inclusion. According to OWASP,
“Local File Inclusion (also known as LFI) is the process of including files, that are locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.”
Simply put, it is a vulnerability in a web server or website which allows a hacker to view files on the remote system ( where the web server is setup) which ought not to be seen. LFI is also known as directory traversal as folders are generally referred to as directories in Linux.
Now let us see it practically. A wordpress plugin called “WP Mobile edition” suffers from lfi vulnerability. I have installed this vulnerable plugin on my wordpress site for testing. Now at the end of the url given below, let’s add files=../../../../wp-config.php as shown below. Boom, we get a file listed on our browser. I am trying to view the wp-config file of the website.
Wp-config file is an important WordPress file. It contains information about the database, like it’s name, host (typically localhost), username, and password. This information allows WordPress to communicate with the database to store and retrieve data (e.g. Posts, Users, Settings, etc). The file is also used to define advanced options for WordPress.
But wait, what is that dot dot slash notation we used. The “../” we used below is similar to “cd..” we use in Windows and Linux to go one directory back and serves the same function here. We have gone four directories back to access the wp-config.php file which is located in WordPress root directory.
Similarly we can view another file: wp-settings.php as shown below. It is located in the same directory as wp-config.php.
Ok, now let’s view something out of the web server’s context. The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The hosts file is a plain text file, and is conventionally named hosts. It is like a DNS in our OS. We have encountered the hosts file in our previous howto of Desktop phishing. Now let’s view that file in Windows. After going seven directories back, we have to go forward to the hosts file path as shown below.
Now let’s see this vulnerability in Linux. The juiciest file most hackers want to see in Linux is the passwd file. The /etc/passwd file is a text-based database of information about users that may log in to the system. We can see the file as shown below.
Since we normally have minimal knowledge about the target OS we should use trial and error to view the file we want. That was local file inclusion for you. In our next howto, we will see another file inclusion vulnerability. Until then good bye.
Good Evening Friends. Today we will see how to use Limesurvey Unauthenticated File Download exploit to download files from the remote web server. To those who don’t know what Limesurvey is, it is is a free and open source on-line survey application written in PHP. It enables users using a web interface to develop and publish on-line surveys, collect responses, create statistics, and export the resulting data to other applications.
This exploit works on Limesurvey versions 2.0+ and 2.06+ Build 151014. For this howto, I have installed Limesurvey on a web server as shown below.
Here’s a video version. The textual version is below the video. Please scroll down.
For this howto, I have installed Limesurvey on a web server as shown below.
Given below are the files located in the Limesurvey directory which should not be accessible to anybody. We will try to download the “README” file using the Limesurvey Unauthenticated File Download exploit in Metasploit.
Start Metasploit and load the exploit as shown below. Set the required options also as shown below. The “filepath” option is to set what file you want to download. I have chosen “readme” file as mentioned above. I have set the “traversal_depth” option to zero as the file I want to download is in the current folder only. You can set appropriately.
Once again check the required options. It should be as below.
Type command “run” and the file will be downloaded as shown below. Happy hacking.