Posted on

Cewl wordlist generator: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to Cewl wordlist generator. Cewl stands for Custom Word List generation. It is written in ruby language. Unlike crunch that takes input from us to generate a wordlist, this tool spiders a given website to the depth specified by us and then creates a dictionary or wordlist from it. This wordlist can then be used for password cracking with tools the Brutus, Hydra, Medusa and John The Ripper. It was designed by Robin Wood based on a discussion on PaulDotCom about creating wordlists by spidering a target website.

Cewl can be downloaded from here. Kali Linux has cewl installed by default and for this tutorial we are using the same. Metasploitable 2will be used as target since it has lot of applications installed that can be used for testing it.

Cewl 1

To use cewl, all we have to do is simply supply the URL you want to spider for as shown below.

Cewl 2

Then it will create the wordlist for you as shown below.

Cewl 3
Cewl 4

Keeping the downloaded file (-k)

Specifying the ‘-k’ option the downloaded file can be saved.

Cewl 5

Depth of spidering (-d)

When you specify a target to Cewl, it spiders to the dept of 2 by default. You can change it using this option. For example, let’s set the depth to 1.

Cewl 6

Or 3 may be.

Cewl 7

Minimum word length (-m)

This option can be used to set the minimum length of the passwords cewl creates. For example, nowadays, most services set the minimum length of the password to at least 5. So there’s no use creating passwords with length less than the minimum length your target has set, If you have noticed the above results, the default minimum length for cewl is 3. Let’s set it to 5 for example.

Cewl 8
Cewl 9

As you can see in the above image, there are no longer passwords of length less than 5.

Spidering other sites (-o)

Setting this option allows cewl to spider another external sites during spidering of the target.

Cewl 10

Don’t scan specified paths (–exclude)

If the target website is too large, you may want to skip some paths or maybe you just want to skip some paths as they may not have any passwords. You can use this option what cewl to exclude the paths you don’t want to scan. Then paths should be supplied in a file.

Cewl 11
Cewl 12

–allowed

This option is used to specify regex patterns of the path to be followed. If the pattern doesn’t match, it drops the scan.

Cewl 13

No wordlist please (-n)

If you don’t want the wordlist to be printed, you can use the “-n” option.

Cewl 17

Saving the output (-w)

Till now, you have seen that Cewl has been printing the wordlists it creates to the terminal. The output can be copied and pasted in another file to be saved from using as a wordlist. But why take all this effort when we can just save the output to file, using the ‘-w’ option.

Cewl 14
Cewl 15

Use User agent (-u))

A user agent is a characteristic string that allows web server to identify the browser and operating system and we are using. You can see your user agent here. Using the (-u) option, cewl allows you to be get a specific user agent while spidering the website.

Cewl 16

Groups of words (-g)

Setting this option allow cewl to return group of words along with single words.

Cewl 18

Turn all generated passwords to lowercase (–lowercase)

Setting this option allows us to 16 turn all the passwords cewl generates into lower case.

Cewl 19

Here is the result.

Cewl 20

Include words with numbers too (–with-numbers)

While spidering, if cewl finds any words with numbers in them, it just ignores them. But many passwords contain numbers too. By setting this option, cewl collects numbers as well.

Cewl 21
Cewl 22

–convert-umlauts

Setting this option to while using cewl converts common ISO-8859-1 umlauts.

Cewl 23

Include meta data too (-a)

When we set this option, Cewl includes metadata found while spidering the website apart from the words.

Cewl 24

This metadata found is included at the end of the output files as shown below.

Cewl 25

Save metadata found to a different file (–meta-file)

You can even save all the metadata found on the target site to a different file as shown below using the “–meta-file” option.

Cewl 26

In the above image, you can see that cewl, while processing metadata creates a temporary file. This file known as cewl-temp.pdf is created in the /tmp directory by default. We can change the location of this file by using the “—meta-temp-dir” option as shown below.

Cewl 27

Gather emails too (-e)

Not just metadata, you can even process emails using cewl with the ‘-e’ option.

Cewl 28
Cewl 29

Save collected emails in another file (–email-file)

These collected emails can also be saved in another file using the “–email-file” option.

Cewl 30
Cewl 31

Show the count for each word (-c)

Setting this option shows the count for each word.

Cewl 32
Cewl 33

Verbose mode (-v)

Just like every other tool, this tool to has verbose mode that gives detailed information.

Cewl 34
Cewl 35

Debug mode (–debug)

Similarly, the “–debug” option gives detailed debugging information too.

Cewl 36
Cewl 37

Authentication

Some sites need authentication to spider it. Cewl allows authentication of websites too.

Cewl 38

It supports both basic authentication and digest authentication. The “auth_type” option is used to set the type of authentication. The “–auth _user” and “–auth_pass” option can be used to set username and passwords respectively.

Cewl 39

Here’s the output.

Cewl 40

Spidering through proxy

Spidering, no matter what the purpose is very noisy. Cewl has an option to spider through a proxy using the “–proxy_host” option.

Cewl 41

You can even specify the port of the proxy using the “–proxy-port” option.

Cewl 42

Cewl even has feature of authenticating to the proxy server using the “–proxy_username” and “–proxy_password” options.

Cewl 43
Posted on

Beginners guide to Firewalls

Hello, aspiring ethical hackers. In this blogpost, you will learn about Firewalls. A firewall is a software or a hardware device that acts as a wall between the internet and the internal networks or between any two networks. The main purpose of the firewall is to prevent malicious traffic from entering the internal network.

Based on the delivery method, a firewall can be classified into three types. They are,

  1. Hardware
  2. Software
  3. Cloud based
Firewalls 1

There are two types of firewalls based on the method of operation. They are, Host-based and Network based firewalls.

Firewalls 2
  1. A host-based firewall is a software that is installed on a computer or network. Ex: Windows Firewall.
  2. Network based firewall is a software or hardware firewall that acts as a barrier for the entire network.
Firewalls 3

Types of Firewalls

Firewalls 4

Different types of firewalls use different methods of operation to block malicious traffic. Before you learn about how firewalls operate, let’s first see how network traffic travels from one computer to another computer.

When one computer (let’s say computer A) sends data to another computer (let’s say computer B), the data is first split into differ parts which are known as packets. These packets are sent to computer B. Before being transmitted, a header is added at the beginning of each packet. This header contains information like source IP address, destination IP address, source and destination ports, network ports etc. Once these packets reach the computer B, they are reassembled. Now, let’s learn about the different types of firewalls.

1. Circuit level gateway:

The simplest types of firewall, it operates at the session layer of the OSI model. This type of firewall monitors TCP handshakes between two machines.

Port Scanning Techniques 2

Based on the configured settings of the firewall, it accepts or blocks traffic. Circuit level gateways don’t inspect the packets. So as long as there is a handshake, even malware laden requests are allowed.

2. Packet filtering firewalls:

As the name of the firewall says, this firewall inspects the packet’s header for information about source and destination IP address, port etc. It operates on the network layer of OSI model. Note that it doesn’t inspect the actual payload.

3. Stateful Inspection firewall:

Stateful Inspection firewalls work on network and transport layer of the OSI models. It uses both TCP handshakes and packet filtering to detect malicious traffic. It specifies traffic as malicious after observing the traffic for a particular period of time which is known as state. Then it compares the network traffic to the observed state to classify traffic as malicious or not.

4. Proxy firewall:

A proxy firewall is mostly used to hide or make the IP address of the client’s system or network IP. It operates at the application layer and checks both header of the payload and the payload to classify traffic as malicious.

5. Next Generation firewall:

A next-generation firewall uses the features of all the above-mentioned firewalls to classify traffic as malicious or not.

Posted on

Beginners guide to IP spoofing

Hello, aspiring ethical hackers. In this blogpost, you will learn about IP spoofing or IP address spoofing. To understand IP spoofing, you need to first understand what is an IP address?

What is an IP address?

Every house has an address no matter in which nation it is around the world. This address helps in identifying the location of the house. Just like physical houses, every computer too has an address. This address is known as Internet Protocol (IP) address. This IP address is used to identify the computer, laptop or any digital device around the internet.

I wouldn’t go all about IP addresses here, but I think this blogpost is a good start. To stick with basics, you can view the IP address of your device using the command “ipconfig” in Windows and “ip a” in Linux.

IP Spoofing 1
IP Spoofing 2

The IP address is needed for communication between various devices over internet. If your computer or mobile device doesn’t have the IP address, it cannot communicate over internet.

What is IP spoofing?

IP Spoofing 3

Well, let’s now get to the original topic of this blogpost. IP spoofing is the process of spoofing your IP address over the internet. It means changing the IP address of your device to something else other than assigned to your computer.

Why is IP spoofing needed?

How many times have we seen getting meterpreter session on our blog and in our magazine Well, in these cases, attackers IP address can be easily identified by viewing logs on the target system. In hacking, Black Hat Hackers spoof IP addresses to hide the source of their attack. IP spoofing is also used for genuine purposes like to protect their privacy.

Methods of IP spoofing

There are various method by which IP address can be spoofed.

1. Black Hat Hacker’s technique:

Black Hat Hackers often source their hacking attack through other IP addresses to hide their identity and to prevent tracking their hacking activity. Many computers in Fortune 200 companies are provided for sale on the dark web with access. Hackers buy access to these computers and source their hacking attacks from these systems. So, even if cybersecurity investigators detect the hacking attack, they can’t track the source to the original IP address of the hacker.

2. Proxy server:

A proxy server is a system or server that acts as a gateway between users and the internet. When they visit a website through a proxy, the IP address of the source computer is not shown and the IP address of the proxy server is logged on the target server. This is often used to bypass internet censorship.

3. Virtual Private Networks (VPNs):

A virtual private network (VPN) is a mechanism that creates a secure connection between the source and target system. It uses encryption to create this secure connection.

Hacking attacks that use IP spoofing

1. DDOS attacks:

While performing a DDOS attack, attackers often use spoofed IP addresses to overwhelm the target server or website with requests.

2. Man in the Middle attacks (MiTM):

Packet sniffing attacks or Man in the middle (MiTM) attacks also use IP spoofing.

See how to spoof your IP address in Kali Linux.

Posted on

Hydra password cracker: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to Hydra password cracker. Hydra password cracker runs on Linux, Windows, Solaris, FreeBSD/openBSD, QNX and macOS. Using Hydra, we can crack passwords of various protocols like Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Hydra can be downloaded from here. This guide uses Hydra installed on default in Kali Linux and Metasploitable2 as target.

Single username (-l) and Password (-P)

If you want to check a single username and password with Hydra, the syntax is given below. Here we are testing the credentials on target system’s FTP server. This is normally useful when we have a general idea about at least one credential pair.

Hydra Password Cracker 1 1

Hydra will test this credential and come with a result. Here it is found this credential accurate.

Hydra Password Cracker 2

What if you can’t guess a password or have no knowledge about at least one credential pair. Then we need to test a large list of credentials using brute forcing by using a wordlist.

Specifying wordlist for usernames (-L) and passwords (-P)

You can specify wordlist containing usernames using the (-L) option and specify the wordlist containing passwords using the (-P) option as shown below.

Hydra Password Cracker 3

Here, I am suing the same wordlist for both username and passwords. “Metsaploitable.txt”. These wordlists are normally created or obtained during the enumeration stage. For example, we obtained this during SMB enumeration of the target. Hydra found three credentials valid from this wordlist.

Hydra Password Cracker 4

Restore a cancelled session (-R)

Sometimes we may need to test a large wordlist, with thousands of credentials in it. This may obviously take a lot of time and we may have to hit “CTRL+C” sometimes to cancel the session or maybe a power cut ended our scan abruptly.

Hydra Password Cracker 5

Do we have to start from the beginning again? Don’t worry. You can restore the session from where you stopped in Hydra as shown below.

Hydra Password Cracker 6

RIgnore the previous session (-I)

What if we don’t want to restart that session and to start a session afresh. We can just use the ignore (-I) command which asks it to ignore the previous session.

Hydra Password Cracker 7

Scanning unconventional ports (-s)

You know every service has a default port on which it runs. For example, FTP (21), Telnet (23), and HTTP (80) etc. Sometimes administrators configure this service to run on unconventional ports to make them less conspicuous. Using Hydra we can even run password attack on these ports using the (-s) option. For example, imagine FTP is running on the port 2121 and not 21.

Hydra Password Cracker 8

Target has SSL enabled (-S)

Using Hydra, we can connect using SSL with this option.

Hydra Password Cracker 9

If the service has an old version of SSL, we can use the “-O” option.

Hydra Password Cracker 10

Additional checks (-e)

Using this option, you can check accounts for null passwords (n), using username as password (-s) and using password as username and vice versa (-r).

Hydra Password Cracker 11

Combo (-C)

Sometimes, instead of an usual wordlist, we have wordlists that have credentials in “login:pass” format as shown below.

Hydra Password Cracker 12

If we want to use this type of wordlist, you can use this option.

Hydra Password Cracker 13
Hydra Password Cracker 14

-U

When you are using a wordlist with Hydra, by default it checks all passwords for the first username and then tries the next username. Using this option, we can loop around the passwords. The first password is checked for all the usernames and then it moves to next password and does the same.

Hydra Password Cracker 15

Stop after getting the first successful pair of credentials (-f)

This option (-f) makes Hydra stop password cracking as soon as one successful pair of credentials are found.

Hydra Password Cracker 16
Hydra Password Cracker 17

Target multiple servers (-M)

Hydra allows us to perform password cracking on multiple servers at once. We need to provide a file containing IP addresses of the targets.

Hydra Password Cracker 19

Stop after getting once successful pair on multiple servers (-F)

Setting the ‘-F’ option, Hydra stops after getting the first successful pair of credentials on multiple servers.

Hydra Password Cracker 18

Saving the output (-o)

Till now, we have seen Hydra showing output on stdout. However, with the “-o” option, we can save the output of the tool to a file.

Hydra Password Cracker 20
Hydra Password Cracker 21

Format of the output file (-b)

Hydra allows you to save output in three formats, although the default format is text. It also allows you to save output in Json and Json v2 format.

Hydra Password Cracker 22
Hydra Password Cracker 23

Number of tasks (-t)

Tasks are number of persistent connections Hydra makes while testing. By default, it makes 16 tasks, but this can be changed using this option. For example, let’s set it to 19.

Hydra Password Cracker 24

Module specific options (-m)

This option allows us to set module specific options. For example, FTP module in Hydra doesn’t have any module specific options. But other modules like HTTP have it. All the options for a specific module can be seen using the -U option. For example, lets change the option for http-get.

Hydra Password Cracker 25
Hydra Password Cracker 26
Hydra Password Cracker 27

Waiting time (-w)

Hydra waits for 32 seconds for receiving responses for it queries. This option can be used to change this time. For example, let’s set it to 10 seconds.

Hydra Password Cracker 28
Hydra Password Cracker 29
Hydra Password Cracker 30

Waiting time for login attempts (-c)

This option can be used set the waiting time for login attempts Hydra performs. It is useful only when a low task time is used.

Hydra Password Cracker 31

Verbose mode (-v) (-V)

Hydra has two verbose mode. The lowercase verbose mode is the default verbose mode in any other tool.

Hydra Password Cracker 32

If you want to see each login attempt Hydra makes, you need to use the (-V) option.

Hydra Password Cracker 33
Hydra Password Cracker 34

That’s all about Hydra password cracker.

Posted on

Beginners guide to OWASP ZAP

Hello, aspiring ethical hackers. This blogpost is a complete guide to OWAS ZAP tool also known a zaproxy. OWASP ZAP stands for Zed Attack Proxy. OWASP ZAP is a widely popular web app scanner that is maintained by a volunteer. It is used by both novices in web security and professional pen testers. The features of OWASP ZAP include.

  1. Traditional & AJAX web crawler.
  2. An automated scanner.
  3. Passive Scan.
  4. Forced browsing.
  5. Fuzzer.
  6. Scripting language etc.

Let’s see how to use OWASP ZAP to scan a website. Zaproxy can be downloaded from here. OWASP ZAP is installed by default on Kali Linux. If it is not installed, it can be installed using the command shown below.

OWASP ZAP 1

Once the installation is finished, it can be stored using the command “Zaproxy”.

OWASP ZAP 2
OWASP ZAP 3

Everytime it starts, it asks you whether to save the current session or not. Make your choice and click on “Start”.

OWASP ZAP 4

This is the interface of OWASP ZAP. Let’s perform an automated scan of a website. As target, I will be using mutillidae web app installed on Metasploitable 2. See how to install Metasploitable 2.

OWASP ZAP 5

To perform as automated scan, click on “Quick start” and give the URL to attack and then click on “Attack”.

OWASP ZAP 6

The time taken to scan the entire website depends on the size of the target website. The good thing about OWASP ZAP is that it displays results as soon as it finds them. Any vulnerability can be found on the alerts tab highlighted in the image given below.

OWASP ZAP 7

When you click on the “alerts” tab, all the vulnerabilities are displayed based on their severity. The one that interests you should by the one in red flags.

OWASP ZAP 8

For example, here Zaproxy detected a path traversal or local file inclusion vulnerability. When you click on the vulnerability, it displays the URL where the vulnerability was detected.

OWASP ZAP 9

When you double click on the alert, a new window opens with an elaborate description of the vulnerability detected and with a POC to be see it in action and even the solution to the vulnerability.

OWASP ZAP 10

Copy the URL and paste it in a browser. Here as suggested by Zaproxy, the /etc/passwd/ of the target system can be seen.

OWASP ZAP 12