Author: Anamar Taknev

Posted on by

Beginners guide to msfpc

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to create payloads with msfvenom. In this blogpost, you will learn about MSFPC (MSFvenom payload creator), a tool that simplifies generation of Metasploit payloads with msfvenom.

MSFvenom payload creator (MSFPC) is a wrapper to generate multiple types of payloads based on users choice. The concept of this tool is to be as simple as possible while generating a payload.

Let’s see how to use this tool. For this, we will be using Kali Linux, as msfpc is installed by default on Kali Linux.

The simplest way to create a payload using MSFPC is to specify the type of payload you want. MSFPC can generate APK, ASP, ASPx, bash (-sh), Java (.jsp), Linux (.elf), OSX (macOS), Perl (.pl), PHP, PowerShell (.ps1), Python, Tomcat (.war) and Windows (.exe or dll) payloads.

For example, let’s see how to generate an exe payload.

The only option we need to set to create a payload with msfpc is the attacker system’s IP address or the listener address which can be selected from the given options. All other options are automatically set.

By default, this tool creates a reverse shell payload. We can also create a bind shell payload as shown below.

By default the listening port of the generated payload is set to 443. This can be changed as shown below.

We can also create payloads with this tool by specifying the target operating system.

MSFPC creates staged payloads by default. We can also create stageless payload as as shown below.

Posted on by

Complete guide to Wapiti

Hello, aspiring ethical hackers. In our previous blogpost on web application hacking and web server hacking, you learnt about various web vulnerabilities. In this blogpost, you will learn about Wapiti a web vulnerability scanner.

It is a very good practice to learn about the vulnerabilities and weaknesses in a website or web application before they hackers find bout them. Web vulnerability scanners play a very important role in detecting vulnerabilities. Wapiti is one such vulnerability scanner thats written in Python.

Unlike other vulnerability scanners, Wapiti works as a “Black Box” vulnerability scanner that instead of studying source code of the target web application, works by fuzzing and scanning the pages of web application, extract link forms, attacking the scripts, sending payloads, finding out error messages, special strings and other abnormal behaviours.

Let’s see how to find vulnerabilities using Wapiti. For this, we will be using Kali Linux as this tool is installed by default on Kali Systems. As target, we will be using Mutillidae web application on Metasploitable 2. See how to setup this virtual hacking lab.

The simplest way to use Wapiti is to just supply it with the target URL as shown below.

Then, Wapiti starts scanning the target as shown below.

Scope

Scope option of wapiti specifies it to what to scan. The scope option of wapiti takes four values: URL, page, folder, domain and punk. Here is the detailed explanation about these values.

  1. URL: Setting this will only scan and attack the exact base URL given with -u option.
  2. PAGE: Setting this as scope value will attack every URL matching the path of the base URL.
  3. FOLDER: This will scan and attack every URL starting with the base URL value. This base URL should have a trailing slash (no file‐name).
  4. DOMAIN: Setting this as scope value will scan and attack every URL whose domain name matches the one from the base URL.
  5. PUNK: Setting this value will scan and attack every URL found whatever the domain. Think twice before using this for scope.


Let’s set the scope to “page” for now.

View all the modules (

Wapiti has many modules that help in vulnerability scanning. You can view all the modules using the “list modules” option.

Select a single module

You can select just a single module using the “-n” option. For example, let’s load the file module.

As you can see in the above image, a include vulnerability has been detected in the target web app.

Don’t resume the scan (–skip-crawl)

Sometimes, we abort a scanning session before it gets completed. When you start a new scan with Wapiti again, by default it resumes the aborted session by crawling the URLs again. If you don’t want to resume the previous scan from URL crawling, you can use this option. By using this option, Wapiti will attack only currently known URLs.

Resume from crawling

This option us useful in cases where the scan was previously aborted after wapiti started attacking. When a session is restored, the default behavior is to skip crawling. However, we can use this option to continue the scan process.

Flush attacks

This option specifies wapiti to forget everything about discovered vulnerabilities and which URL got attacked by which modules. Only the crawling information of the scan will be kept.

Flush session

This option specifies wapiti to forget everything about the target for the given scope.

Saving the output to a directory

Like many tools, you can save the output of the scan of wapiti in a report. This option enables you to specify a directory for saving the report of the scan.

Format of the reports (-f)

You can use this option to specify the format of the report. The reports can be saved in json, HTML, txt and xml. formats. For example, let’s set the report to be txt format.

Posted on by

Complete guide to Subfinder

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what is footprinting and various techniques used for footprinting. In this blogpost, you will learn about subfinder, a tool that helps us in footprinting.

Subfinder is a sub domain discovery tool that queries and retrieves valid sub domains for a given domain or website. It is a simple tool that uses passive subdomain enumeration for this purpose.

Let’s see how to use this tool to perform subdomain enumeration. For this, we will be using Kali Linux as our attacker machine. Subfinder can be installed on Kali as shown below.

The simplest method to use subfinder to query a sub domain of a particular domain is as shown below.

Specify multiple domains at once (-dL)

This tool can also query multiple domains at once. You can supply these domains using a file. For example, let’s create a new file “Domains.txt” and add a domain as shown below.

This file can be provided as input to subfinder as shown below.

View all the sources of this tool (-ls)

Subfinder collects information from a number of sources like AlienVault, Anubis, Censys, Shodan etc. You can view all the sources the subfinder tool queries using the command given below.

Query a single source (-s)

You can specify subfinder to query just one source using (-s) option as shown below. For example, let’s just specify GitHub and Anubis as sources.

Query all the sources (-all)

We can also specify this tool to query all the sources using the “-all” option.

Exclude some sources (-es)

We can even exclude some sources as shown below. For example, let’s exclude GitHub.

Display the source this tool queried in results (-cs)

We can even display source information to be displayed in output using the “-cs” option as shown below.

Saving output (-o)

You can save the output of this tool to a file as shown below.

Silent mode

In this mode, sub finder just displays the sub domains it found and nothing else.

Posted on by

Beginners guide to ARP scan

Hello, aspiring ethical hackers. In our previous blogpost, you have learnt about network scanning and enumeration. In this blogpost, you will learn about a tool named arp scan, a command line tool used for scanning and fingerprinting on the local network.

ARP scan is available for Linux and BSD systems and uses ARP protocol to scan the network. Let’s see how to use this tool. For this, we will be using Kali Linux as this tool is available for download by default in Kali repositories.

It is good to run arp scan tool as root user in order not to face some errors. You can simply scan a network using arp-scan as shown below.

If you want to scan your local network, you can simply specify the “-r” option to do it as shown below.

If your device is connected to multiple networks and you want to scan a particular network, you can specify the network interface using the “-I” option. By default if the “-I” option is not specified, arp-scan will search the system interface list for the lowest numbered configured up interface, excluding Loopback and scan that network.

Quiet mode (-q)

If you want minimal output to be displayed for each responding host, while scanning with arp-scan, you can use quiet mode. While using this mode, only the target IP address and MAC address are displayed.

Plain mode (-x)

If you want more less details like just the responding host details, you can use the plain mode. While using this mode, arp scan suppresses the header and footer text in output as shown below.

Ignore duplicates (-g)

By default, arp scan displays duplicate packets by flagging them with (DUP.n) where “n” is the number of times the target host responded. By specifying the option, these duplicate packets can be ignored by arp-scan.

Calculate and display round trip time (-D)

Network Packet round trip time (RTT) is the time it takes for a data packet to travel from a source to a destination and back again. It is a key matric to measure network latency and is usually measured in milliseconds. Setting this option, allows us to measure the round trip time.

Retry attempts (-r)

This option can be used to specify the number of retry attempts to make per host. By default arp-scan makes 2 retry attempts. For example let’s set it to 3.

timeout (-t)

By default, 500ms is the timeout for this tool. This option can be used to change it however.

Interval (-i)

If you have limited bandwidth to use for scanning with this tool, you can use this option to control the outgoing bandwidth by limiting the packet rate. For example, let’s set the interval between each packet to 400 milliseconds. It can also be set to micro seconds by appending the “u” option.

Bandwidth (-B)

This option is useful when you want to control the outbound bandwidth to a specific value. By default, bandwidth is 2,46,000 bits per second.

Resolve responding addresses to hostnames (-d)

This option is used to resolve the hostnames for addresses detected by this tool. The default output format will display the hostnames instead of the IPv4 address.

Limit the number of hosts to scan (-M)

By default, arp-scan scans all the hosts on the network that are LIVE. You can limit the number of hosts to scan using this option.

Posted on by

JPS Virus maker: Beginners guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to create a virus from scratch. However, not always viruses are created from scratch in real-world. There are many virus makers available to easily create viruses. In this blogpost, you will learn about one such tool named JPS Virus maker.

Why we chose this tool particularly? There are numerous virus makers available on internet and for sale on dark web. We chose this tool because our intention is not to create a virus but just show you how easy it is to create a virus. An also because since its popular and harmless (because it is easily detected by even basic AV’s. Note that this is for education purpose only.

JPS virus maker runs on Windows. Once you download JPS virus maker to the Windows system, clicking on the executable opens a window as shown below. (Note that JPS virus maker is portable and needs to installation. Also note that Antivirus needs to be disabled while creating a virus with JPS virus maker. Otherwise Antivirus will flag it as malicious software.

Here, you can see all the functions of the virus maker. You can specify any or all functions you want to perform on the targets system. You can select a single function or multiple functions at once.

But first let us click on the “About” button to learn more about its creator.

You can see that it is written in Delphi. With the “server name” option, you can select the name for the virus you want to create from the given values. Let’s name it “sender.exe”.

Similarly, you can also set the name for your virus after successful installation on the system.

Below all the functions given for you to set for your virus, you can select the option to restart, log off, turn off and hibernate the target system. You can find additional functions for your virus by clicking on the button next to “Exit”.

You can even convert your virus into a worm. To understand the difference between virus and a worm, read our guide on malware. You can even select a icon for your virus. Let’s select PDF icon, for example.

After you select all the functions you want your virus to have, click on “Create Virus” and the virus will be created.

The virus is ready. Now all we need to do is to send it to the target and convince them to execute it. For this, you need to learn social engineering.