Malware guide for absolute beginners

Hello, aspiring ethical hackers. This blogpost is intended to be a beginner’s guide to malware. It will teach you what malware is, its purpose, the types of malware and what each type does.

What is Malware?

Malware stands for malicious software. So, any software that performs malicious actions on a computer or mobile device is called malware. These malicious actions include showing persistent popups, encrypting data, stealing data, deleting data, capturing sensitive information, making the target system completely unusable, etc. Based on its functions and purpose, malware can be classified into various types.

Types of Malware

VIRUS

Often used interchangeably with malware, the virus is the most well-known type of malware you will encounter in cyber security. Just like its biological namesake, a virus attaches itself to an executable or program in order to propagate and infect a computer. A virus always requires human action to infect a system.

According to Discovery, the first virus was the Creeper program, created by Bob Thomas in 1971. It was actually designed as a security test to see whether a self-replicating program would work. All Creeper did was display a simple message on an infected computer.

The most popular (or should I say unpopular) virus has to be the ILOVEYOU virus. Released in 2000, ILOVEYOU infected over ten million Windows computers. It started spreading as an email message with the subject line “I LOVE YOU” and carried an attachment named “LOVE-LETTER-FOR-YOU.TXT.VBS”. When the recipient clicked on this attachment, a Visual Basic script ran and overwrote files on the infected system. Then it sent itself to all the email addresses in the Windows Address Book. It is estimated that the damage caused by this simple virus was at least $15 billion.

WORM

A computer worm is a type of malware that, unlike a virus, does not need any human action or interaction to infect target systems. Usually a computer worm spreads by exploiting a vulnerability in the target systems. Worms also do not need to attach themselves to any program or executable.

The Morris worm is considered to be the first worm to spread over the internet. It was created by Robert Tappan Morris and caused losses estimated at between $100,000 and $10,000,000. It infected over 2000 computers within 15 hours. The Morris worm spread by exploiting vulnerabilities such as holes in the debug mode of the Unix sendmail program, a buffer overflow vulnerability in the finger network service, and rexec and rsh accounts with weak passwords or no password at all.

The most notorious worm should definitely be Stuxnet. Released in 2010 and accused of sabotaging Iran’s nuclear program, Stuxnet was designed to target programmable logic controllers (PLCs). These PLCs automate the electromechanical processes used to control machinery and industrial processes (for example, the gas centrifuges used to separate nuclear material). Stuxnet spread by exploiting four zero-day vulnerabilities in Siemens Step7 software installed on Windows systems. Stuxnet infected over 200,000 computers and destroyed at least 100 machines.

TROJAN

A Trojan poses as some other file (usually a benign, genuine and harmless one) but performs malicious actions. The name refers to the Trojan horse, the large wooden horse that the Trojans assumed was a gift from the Greeks. When the horse was let into the city, the Greek soldiers hiding inside it came out and ransacked Troy. (You should watch the movie Troy.)

Just like viruses, Trojans need the victim to click on them to be activated, and most users fall victim to Trojans thinking that they are genuine files. ANIMAL, a program released in 1975, is generally considered the world’s first Trojan. It fooled victims by presenting itself as a simple game of 20 questions. When a user ran it, it copied itself to shared directories where other victims would find it.

In my opinion, the most dangerous Trojan was Zeus. Zeus is a banking Trojan used to steal banking information. It spread by drive-by downloads and phishing in 2003. It is estimated that Zeus compromised over 74,000 FTP accounts.

ADWARE

Adware stands for advertising malware. Have you ever been viewing something in your favorite browser and found yourself incessantly bombarded with ads, especially ads you never asked for? If so, you have encountered adware; if not, it is thanks to the ad blockers enabled by almost all browsers. Note that adware is sometimes legitimate too.

SPYWARE

Spyware is short for spying software, and now you know what it does. It spies on and gathers information about a user or organization. Spyware may even be present in legitimate software. The first recorded spyware is considered to be a freeware game called “Elf Bowling”, which came bundled with tracking software.

The best-known spyware seen recently is Pegasus. Developed by the Israeli cyber-arms firm NSO Group, it installs itself not just covertly but remotely on mobile phones running iOS and Android, using a zero-click exploit. Once installed on a device, Pegasus can read text messages, snoop on calls, collect credentials, track the device’s location, access its cameras and microphone, and harvest information from the apps installed on it.

KEYLOGGER

A keylogger is malicious software that records the keystrokes a user types on a computer or mobile device. The first keylogger used in the real world was allegedly distributed with a Grand Theft Auto V mod in 2015. Recently, a keylogger named Snake Keylogger was detected being distributed with a Microsoft Excel sample. Snake Keylogger first appeared in late 2020.

ROOTKIT

A rootkit is malicious software designed to enable access to a computer in a way that is not normally available even to an authorized user. Simply put, a rootkit gives SYSTEM-level access. As if this were not enough, a rootkit is designed to remain undetected once installed, unlike other types of malware. The term “rootkit” combines “root” (the most privileged account on a Unix system) and “kit”, because rootkits usually give root-level access to the target system.

The first malicious rootkit appeared in 1999 and affected the Windows NT OS. In 2012, a rootkit named Flame was detected. Flame affected over 80 servers around the world and is considered one of the most dangerous rootkits.

BACKDOOR

A backdoor is a type of malware that provides access to a system by bypassing the normal security measures that usually prevent such access. For example, if you can access a system without providing any login credentials, you have backdoor access. Usually, hackers install a backdoor after gaining complete access to a system so that they have unhindered and continuous access in future.

In 1998, a U.S. hacker group, the “Cult of the Dead Cow”, designed a backdoor named “Back Orifice” that enables a user to control a computer remotely. In 2014, multiple backdoors were detected in WordPress. These backdoors were WordPress plugins containing obfuscated JavaScript code.

BOT

A bot (short for robot) is an automated piece of code that performs predefined tasks. Malicious bots are normally used to infect systems and make them part of a botnet, which can then be used to perform DDoS attacks.

In 2007, a botnet called Cutwail attacked Windows systems using a Trojan named Pushdo, which infected Windows systems to make them part of the Cutwail botnet. This botnet had between 1.5 and 2 million computers. The most famous bot malware is Mirai. Mirai is designed to infect smart devices that run on ARC processors.

RANSOMWARE

Ransomware is malicious software that locks the victim’s computer, encrypts the victim’s files or permanently blocks access to the victim’s system. It’s called ransomware because the key to decrypt the data or regain access to the system is not provided unless a ransom is paid.

The first known ransomware was the AIDS Trojan. Its payload hid the files on the victim’s hard drive and encrypted their names. The most dangerous and well-known ransomware attack was WannaCry in 2017. WannaCry spread by exploiting the EternalBlue vulnerability and infected over 230,000 computers within one day.

CRYPTO MINER

Crypto-mining malware, or a cryptojacker, is malicious software that hijacks computer resources to mine cryptocurrencies like Bitcoin. Cryptominers are relatively new in the evolution of malware; their growth tracked the growth in popularity of cryptocurrencies.

Nikto vulnerability scanner: Complete guide

Hello, aspiring ethical hackers. This blogpost is a complete guide to the Nikto vulnerability scanner. Nikto is a free command-line web vulnerability scanner that scans web servers for over 6700 potentially dangerous files/CGIs, outdated server software, and other vulnerabilities and misconfigurations. Nikto can also detect the software installed on the target web server. We will be running Nikto on Kali Linux, where it is installed by default. So let’s start.

Let’s start with a version check (-Version)

The “-Version” option of Nikto prints the version of the software, its plugins and its databases.

Checking Database (-dbcheck)

It’s always a good idea to check the scan database for errors before scanning. The “-dbcheck” option of Nikto checks the scan databases for any errors.

The Host option (-host) (-h)

To scan a target using Nikto, we first need to specify the target. To set the target, we use the “-host” option, as shown below.

The target can be the IP address of the web server or the URL of the website. This scan took 45 seconds to finish.

The SSL option (-ssl)

To scan a website with HTTPS enabled, we can use the “-ssl” option.

The Port option (-port)

By default, Nikto scans the standard HTTP port (and the standard HTTPS port when SSL is specified). However, if the target web server is running on a custom port, you can make Nikto scan that port with the “-port” option.

Scanning for CGI directories (-Cgidirs)

To scan for the presence of CGI directories on the target web server, the “-Cgidirs” option can be used.

You can specify a particular CGI directory to search, or use the value “all” to scan for all CGI directories on the target.

What output do you want Nikto to show? (-Display)

To control the type and amount of output Nikto shows during and after the scan, we can use the “-Display” option. Here are the values that can be set for the Display option.

How much time do you want Nikto to spend on a scan? (-maxtime)

Using the “-maxtime” option, we can specify the maximum time to spend scanning a target. This time can be specified in seconds.

As you can see, the scan ended in 2 seconds while earlier the same scan took 45 seconds.

Don’t look for names (-nolookup)

The “-nolookup” option tells Nikto not to perform name lookups when an IP address is specified as the target.

Don’t look for pages that are not there (-no404)

The “-no404” option tells Nikto to disable “file not found” checking. This reduces the total number of requests made to the target.

Just discover the ports (-findonly)

If you want to just find the HTTP(S) ports of a target without performing a full security scan, you can use the “-findonly” option. With this option, Nikto only connects to the HTTP or HTTPS ports and reports the server header.

The Timeout option (-timeout)

The “-timeout” option specifies how long to wait before timing out a request. Nikto’s default timeout is 10 seconds.

The Pause option (-Pause)

With the “-Pause” option of Nikto, we can specify a delay between each test Nikto performs.

What if we have to authenticate? (-id)

With the “-id” option, you can make Nikto perform basic authentication against the target.

The Tuning option (-Tuning)

With the “-Tuning” option, we can control which tests Nikto runs against a target. It can take the following values.

For example, this is how we test for misconfigured files on the target.

See all Nikto plugins (-list-plugins)

Nikto has a lot of plugins that can be used against various targets. To view all of them, we can use the “-list-plugins” option.

Use a particular plugin (-Plugins)

To use a particular plugin, we can use the “-Plugins” option. For example, let’s use the robots plugin as shown below.

Can Nikto evade detection? (-evasion)

While scanning, Nikto can use various techniques to try to evade an Intrusion Detection System (IDS). The evasion techniques Nikto supports are listed below.

Saving output (-o)

Nikto can save the output of the scan to a file with the “-output” (-o) option, as shown below.

Formats in which you can save output (-Format)

You can save the output in the format you like using the “-Format” option. Valid formats are csv, htm, txt and xml.

That is the complete guide to the Nikto vulnerability scanner. If you have any questions, bring them to the comments section.

Nessus vulnerability scanner: Beginner’s guide

Hello, aspiring ethical hackers. In this blogpost, you will learn about the Nessus vulnerability scanner. Nessus is an open-source network vulnerability scanner that references vulnerabilities by their Common Vulnerabilities and Exposures (CVE) identifiers. It is widely used for vulnerability assessment and penetration testing.

The Nessus server can be installed on Unix, Linux and FreeBSD, whereas the Nessus client is available for Unix- and Windows-based operating systems. For this tutorial, we will be installing Nessus on Kali Linux. Nessus can be downloaded from here. It can also be downloaded using curl as shown below (the version may change).

Once the latest version of Nessus is downloaded, it can be installed as shown below.

Once the installation is finished, enable the Nessus service as shown below.

Then start Nessus as shown below.

Nessus runs on port 8834 by default. Its web interface can be viewed in a browser.

Click on “Accept the risk and continue”.

Click on “Continue”. Select the type of Nessus install you want. Since we are using the free version of Nessus for this tutorial, we select “Register for Nessus Essentials”. Click on “Continue”.

To run Nessus Essentials, you need an activation code. Get the activation code by entering the following details.

You need a user account to log in to Nessus. Create an account and, most importantly, remember the account details.

Then Nessus will download all the required plugins. This may take some time (sometimes quite a while).

Once all the plugins have finished downloading, you should see this.

The installation is finished. Now it’s time to start scanning with Nessus. Click on “New Scan”. A new popup opens. Assign a target.

Click on “Run scan”.

The scan will start and take some time to finish. For this tutorial, we are using “Metasploitable 2” as the target. See how to install Metasploitable 2 in VirtualBox.

Nessus classifies the vulnerabilities it finds into five categories: Critical, High, Medium, Low and Information. You can view detailed information about a detected vulnerability by clicking on it.

All the scans you perform are listed in the “My Scans” section.

Nessus offers different types of scans. All the scan types Nessus provides can be viewed from the “All Scans” section.

Vulnerability scoring for beginners

Hello, aspiring ethical hackers. In our previous blogpost, you learned what a vulnerability is and the different types of vulnerability scanning. In this blogpost, you will learn how vulnerability scores are given and how vulnerabilities are scored.

What is vulnerability scoring?

Every time a vulnerability is identified or detected, its severity needs to be estimated in order to understand the impact the vulnerability would have once exploited. Based on this severity, a score is given to it.

How is this score given?

To give this score, an open framework named the Common Vulnerability Scoring System (CVSS) is used. CVSS provides a numerical representation (ranging from 0 to 10) of the severity of a security vulnerability.

CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST), a USA-based nonprofit organization whose members come from all around the globe. Cybersecurity professionals in any organization use CVSS scores for vulnerability management and remediation.

How does CVSS scoring work?

A CVSS score is assigned to a vulnerability by considering three metric groups. They are:

A. Base
B. Temporal and
C. Environmental.

A. CVSS Base Metrics

The base metrics of CVSS represent the characteristics of the vulnerability itself. These characteristics do not change with time or with any protection an organization puts in place to prevent its exploitation. The CVSS base metrics comprise three sub-score elements: 1) Exploitability, 2) Scope and 3) Impact.

1. Exploitability

The Exploitability sub-score is made up of four sub-components.

i). Attack Vector:

The attack vector score is based on the level of access required to exploit the vulnerability. If the vulnerability can be exploited remotely, the score is higher; if local access is required to exploit it, the score is lower. For example, MS08-067 has a higher score than a malicious USB attack.

ii). Attack Complexity:

This score depends on the additional work the attacker has to put in to exploit the vulnerability. For example, exploiting EternalBlue needs no additional work by the attacker, whereas performing a man-in-the-middle attack requires additional work. Usually, this additional work depends on factors that are outside the attacker’s control.

iii). Privileges required:

This score depends on the privileges required to exploit the particular vulnerability. If exploitation does not need any credentials or privileges, the score is high; if the attacker needs privileges or authentication, the score is low. For example, the Spring4Shell vulnerability has a higher score than the Dirty Pipe vulnerability.

iv). User Interaction:

This score depends on the level of user interaction needed to exploit the vulnerability. If the attacker can exploit the vulnerability without user interaction, the score is high, whereas if the attacker needs user interaction, the score is low. For example, Heartbleed has a higher score than MS14-100, Follina or a macro attack.

2. Scope

The second base metric of CVSS is “Scope”, which relates to the reach of the vulnerability. In simple words: when a vulnerability in one component is exploited, does it affect other components? If exploiting a vulnerability in one component affects the operating system or a database, the CVSS score is higher; in the opposite case, it is lower. For example, SQL injection has a higher score than cross-site scripting.

3. Impact

Impact is the actual effect that occurs when a vulnerability is exploited. The “Impact” sub-metric has three sub-components: Confidentiality, Integrity and Availability.

i). Confidentiality:

This score depends on the amount of data the attacker gains access to after exploiting the vulnerability. The score is higher if all the data on the exploited system can be accessed by the attacker and lower if little or no data can be accessed.

ii). Integrity:

This score depends on the attacker’s ability to make changes on the system by exploiting the particular vulnerability. If the attacker can completely alter the exploited system, this score is high; if he can make few or no changes, this score is low.

iii). Availability:

This score depends on the availability of the system to authorized users after it is exploited. If the system is no longer accessible to authorized users after exploitation, the score is high.

B. CVSS Temporal Metrics

The English word “temporal” means relating to time, i.e. something that changes as time passes. Similarly, the CVSS temporal metrics of a vulnerability change over time.

When a vulnerability is first disclosed, the chance of someone exploiting it exists but is low. When a Proof-of-Concept (PoC) exploit is released, the chance increases, sometimes exponentially, and as the PoC exploit is further improved it increases even more. As patches and fixes are released, exploitation attempts fall. As you can see, the likelihood of a vulnerability being exploited changes constantly with time. The CVSS temporal metrics have three sub-components: Exploit Code Maturity, Remediation Level and Report Confidence.

1. Exploit code maturity

As exploit code for the vulnerability becomes more stable and more widely available, this score increases.

2. Remediation Level

This score is highest when the vulnerability is first discovered, but as fixes and patches are applied it keeps decreasing. If the vulnerability is fixed completely, this score decreases further.

3. Report confidence

This sub-metric measures the degree of confidence that the vulnerability is valid and can be exploited by attackers.

C. CVSS Environmental Metrics

The environmental metrics of CVSS allow an organization to modify the base CVSS score according to its own security requirements and by modifying the base metrics.

1. Security requirements

Security requirements characterize the asset on which a vulnerability is reported. For example, a vulnerability affecting the database server gets a higher score than a vulnerability in software used on one employee’s workstation.

2. Modified Base Metrics

An organization changes the values of the base CVSS metrics after applying fixes, mitigations or patches. For example, we discussed some vulnerabilities above that can be exploited remotely. If the system with such a vulnerability is disconnected from the internet, the score can be decreased.

That’s how vulnerability scoring is assigned to vulnerabilities.

Vulnerability scanning for beginners

Hello, aspiring ethical hackers. In this blogpost, you will learn about vulnerability scanning. Before you learn what a vulnerability scan is, you need to know what a vulnerability is. A vulnerability is a weakness, flaw, error or misconfiguration in software or a network that allows hackers to gain unauthorized access to the organization by exploiting it.

What is vulnerability scanning?

Now that you understand what a vulnerability is, let’s see what scanning is. Vulnerability scanning is the process of identifying security vulnerabilities in an organization’s software or network. It is usually performed to protect the organization from hackers, although hackers also perform it to gain access to the organization.

Types of vulnerability scans

Vulnerability scanning can be categorized into different types. They are,

  1. External vulnerability scan
  2. Internal vulnerability scan
  3. Environmental scan
  4. Non-intrusive scan
  5. Intrusive scan
  6. Credentialed scan
  7. Non-credentialed scan

1. External vulnerability scan:

In an external vulnerability scan, the external-facing resources of an organization are scanned. These include websites, systems, ports and services.

2. Internal vulnerability scan:

In this type of scan, the organization’s internal network, or the resources to which its users or employees have access, is scanned. This scan is performed to learn about vulnerabilities that employees, or malware that has gained access to the network, could exploit.

3. Environmental scan:

Environmental vulnerability scans are tailored to the target environment. For example, the target environment can be cloud-based, IoT, mobile devices, websites, etc.

Vulnerability scans can also be classified as either intrusive or non-intrusive.

4. Non-intrusive scan:

In a non-intrusive vulnerability scan, vulnerabilities are just identified and reported.

5. Intrusive scan:

In an intrusive vulnerability scan, vulnerabilities are not just identified but also exploited.

Apart from these categorizations, vulnerability scans are also classified as credentialed and non-credentialed scans.

6. Credentialed scan:

Also known as an authenticated scan, this vulnerability scan is performed using a set of credentials. This type of scan gives the trusted user’s view of the organization.

7. Non-credentialed scan:

Also known as an unauthenticated scan, this vulnerability scan gives an external user’s view of the organization’s network or resources.

Uses of vulnerability scans

Vulnerability scanning helps an organization’s cyber security personnel get an idea of the vulnerabilities in the organization beforehand and prevent them from being exploited by attackers. As hackers also perform vulnerability scans, scanning gives the organization an idea of what hackers can see.

How are vulnerability scans performed?

Vulnerability scans can be performed manually or using tools (vulnerability scanner). See how to perform vulnerability scanning with Nikto and Nessus.

Vulnerability scan vs Vulnerability assessment

In vulnerability scanning, vulnerabilities are identified and reported, whereas in vulnerability assessment, apart from identifying vulnerabilities, their impact if exploited is also assessed. Learn more about vulnerability assessment.