Author: kanishka10

Posted on by

SMTP enumeration for beginners

Enumeration is the process of collecting information about user names, network resources, other machine names, shares and services running on the network. Although a little bit boring, it can play a major role in the success of the pentest. In the previous howto, we saw how to perform SMB enumeration and got some usernames on our target. So we don’t need to perform SMTP enumeration. But we may not be so lucky that SMB enumeration will be successful on every network. For networks like these, we may need to enumerate other services like SMTP.

First let me give you a basic introduction of SMTP. SMTP stands for Simple Mail Transfer Protocol. As the name implies, it is used to send email. It uses port 25 by default. If you ever sent an email, you have definitely used SMTP. SMTP servers talk with other SMTP servers to deliver the email to the intended recipient. Luckily this all happens behind the scenes and we don’t have to break our heads to understand this. But there are some things we have to understand about SMTP that will help us in enumeration.

As the term “simple” implies, SMTP server can only understand simple text commands. Sender of the mail communicates with a mail receiver by issuing these command strings and supplying necessary data. Some of the important commands are

1. HELO – sent by a client to introduce itself.

2. EHLO – another way of client introducing itself to server

3. HELP – used to see all commands.

4. RCPT – to identify message recipients.

5. DATA – sent by a client to initiate data transfer.

6. VRFY – verify if the mailbox exists.

7. QUIT – to end the session.

SMTP enumeration can be performed in many ways. The easiest way to do this is by connecting to the SMTP service port of the target with telnet (we have seen this in scanning and banner grabbing).

Smtpenum1

As you can see, we got successfully connected. From here, we can verify manually if each user exists or not. If you remember the article on SMB enumeration, we already have some usernames available. Lets use the VRFY command to check if users “user”, “msfadmin” and “root” exist in this system.

Image explaining about SMTP enumeration

Yes, they exist. Similarly, let us test if user kalyan exists. As you can see in the above image, the user kalyan doesn’t exist. Nmap also has a script to perform SMTP enumeration. We can use the script as shown below.

Smtpenum3

By default, Nmap uses RCPT method to check if a particular user exists. Unfortunately for me, it gave unhandled status code here. This Nmap script can be modified to use different methods. Here I changed it to use VRFY method to enumerate users. I have only scanned port 25 to remove the clutter. But still it gave me the same error.

Smtpenum4

There is another tool in the arsenal of Kali Linux which is built specifically for SMTP enumeration. Its called smtp-user-enum. Here let us test if a user called “root” exists on the target system as shown below.

Smtpenum5

Since user “root” exists, I’m assuming other users like “msfadmin” and “user” also exist. While performing SMB enumeration, we created a wordlist which can be users on the target system. Now let’s enumerate if all the users in that wordlist exist. It can be done as shown below.

Smtpenum6
Smtpenum7

All the users we got during SMB enumeration exist. That’s good. In this case, we already have the wordlist of usernames (we got during SMB enumeratin). What if we don’t have the exact wordlist. We can use different wordlists present in Kali Linux. These wordlists are present in /usr/share/dirb directory.

What We Achieved?

We got some usernames which may be useful to us while exploiting the system in future. All these usernames have a recipient email address to them.

Posted on by 2 Comments

HTA attack for beginners

Hello aspiring hackers. In our previous blogpost, you learnt about Windows hacking. In this article, you will learn about HTA attack, an attack that helps in gaining access to Windows systems. In this attack, HTA file are used to hack the target system.

What is a HTA file?

What is HTA file? HTA stands for HTML application. An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. A HTA file gets executed without the constraints of the internet browser security model. In simple words, it gets executed as a “fully trusted” application.

Let’s see an example of how to create this attack. For this, we will be using Metasploit’s windows/misc/hta_server module. In this module, the server hosts a HTA file, which when opened on the target system, will execute a payload via PowerShell. Of course, the browser warns the user before executing the payload. But social engineering can be used to convince the target users to execute the HTA file.

Now let’s see how this attack works. We will use this exploit to gain access to Windows 10 target. Start Metasploit and load the module as shown below.

Htawebserver1 300x164 1

Set the reverse meterpreter payload.

Htawebserver2

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

Image explaining about usage of hta web server exploit

As you can see, it has generated an URL where the payload is being hosted. We need to make the target user click on this URL. When the target user clicks on this URL as shown below.

Htawebserver4

The browser opens and prompts a warning about the file as shown below.

Htawebserver5

When the user ignores the warning and clicks on “run”, a meterpreter session is opened as shown below.

Htawebserver6

This session can be viewed and opened as shown below.

Htawebserver7

That’s how HTA attack works.

Posted on by

Windows Post exploitation recon with Metasploit

Hello aspiring hackers. Till now we have seen various ways of hacking Windows, elevating privileges and creating a persistent backdoor for later access. After we have successfully created a backdoor, it’s time to perform further reconnaissance. Windows post exploitation recon helps us in gathering further info about our target network. This can be helpful to us in finding more vulnerable systems to hack and pivot.

If you have observed carefully while starting Metasploit, it has number of modules specified as “post”. Some of these are useful in recon. For us to do post recon we need to first hack the system and get metertpreter session on it. Now let us see how to perform this recon with Metasploit.

The first module useful in reconnaissance in the arp scanner. Arp scanner helps us to identify any hidden devices in the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning can detect these devices.

Winpostexrc1

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that.

We can see in this specific case, there are only two programs installed.

Image explaining about windows post exploitation reconnaissance

The enum_logged_on_users module helps us in finding out the users logged in. This may help us in knowing the usernames of the system.

In our case, we go to know the username as “admin”.

Winpostexrc6

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

Winpostexrc7

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

Winpostexrc8

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

Winpostexrc9

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

Winpostexrc10

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

Winpostexrc11

That’s all for today folks. I will be back soon.

Posted on by 1 Comment

Upgrade command shell to meterpreter

Hello aspiring ethical hackers. In our previous blogpost, you learnt everything about the power of meterpreter. However, in real-world, you are not so lucky to get a meterpreter session every time. Most of the times, you will get a normal command shell. Don’t worry. you can upgrade command shell to meterpreter. The good thing is we can do it from Metasploit only.

In this blogpost, we will be showing you how to do this. First thing we need to do after getting a normal command shell is to background the current command shell by hitting CTRL+Z. Be careful not to press “CTRL+C”. That will completely abort the session altogether. If it happened by mistake ( like it happened to me below), select “no” when it asks whether to abort a session. Then hit CTRL+Z and select Yes. Your session has been sent to background. Remember the session number. In our case, this is 3.B

Shell To Meterpreter1 300x136 1

Next, load the shell_to_meterpreter module as shown below. We need only one option for this module to work. The session id of the session we just sent to background and I told you to remember.

Image explaining about upgrading command shell to meterpreter

Specify the session id and run the exploit as shown below. We will get the meterpreter session.

Shell To Meterpreter3

Type command “sessions -l” to see all our sessions as shown below.

Shell To Meterpreter4

We can load the meterpreter session as shown below.

Shell To Meterpreter5

If you found that helpful. Please check out my monthly magazine. That is how we upgrade normal shell to meterpreter. Learn how to change x86 meterpreter to x64 and vice versa.

Posted on by 5 Comments

PDF analysis for beginners

Hello, aspiring Ethical Hackers. In this blogpost you will learn how to perform PDF analysis on PDF files. In recent times, PDF files are back as initial attack vector. Many APT’s and cyber criminal groups have been seen using PDF files to gain initial access. So, I thought it is a good idea to make an article on PDF analysis. By the end of this article, you will be able to tell whether the PDF file you want to analyze is harmless or malicious.

For this howto, I will create a malicious PDF with Metasploit using the following exploit.

Pdf_analysis_1

As is well known, this exploit hides an exe within a PDF file. This PDF file can be sent to our target using any social engineering technique. When the target user clicks on it, we will get reverse_tcp connection. Another file we will be analyzing is a normal PDF file. Both of the files are shown below.

Pdfforensics1a

The first tool will be using is pdfid. Pdfid will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. It will also handle name obfuscation.

Let us first analyze the pdf we created with Metasploit as shown below. As we can see below, the evil.pdf has JavaScript, Open action and launch objects which are indeed malicious.

Image explaining about Pdf forensics

Now let us analyze my monthly magazine as shown below.

Pdfforensics3

As you have seen above, it’s totally clean. No JavaScript, nothing. That should calm my magazine readers.

Now coming to the malicious PDF, we can disable the malicious elements of the file using pdfid as shown below. Now the file is clean.

Pdfforensics3a

Now if we want to do further analysis on the malicious PDF, we can use another tool called pdf-parser. It will parse a PDF document to identify the fundamental elements used in the analyzed file.

Type command “pdf-parser /root/Desktop/evil.pdf” without quotes.

That will parse the entire PDF and its objects (We saw earlier that our malicious pdf contains 12 objects). On observation, objects 10 and 9 evoke some interest. We can also parse each object of the pdf file. Let us parse the object 10 as shown below.

We can see it has a launch action which launches the cmd.exe.

Pdfforensics4

Similarly in object 9 we can see a JavaScript action.

Pdfforensics5

Using pdf-parser with the ‘c’ option will display the content for objects without streams or with streams without filters.

Pdfforensics6

On observation we can see a stream that looks like shellcode present in object 8.

Pdfforensics7

That’s how we perform PDF analysis of a PDF file.