Posted on 1 Comment

How to hide an exe file in a Jpeg

I have been searching for a way to send an executable file to someone and make him to execute it. Sending the exe directly is not feasible. So let’s see how to hide an exe file in a jpeg and test its feasibility. First of all, create a new directory namedtestand download some images and name them similarly. I downloaded images of a popular Tollywood actress. The plan is to lure the victim into falling in the trap. I did this on a Windows 7 machine.

Expeg1

Go to Folder Options”, go to View tab”,deselect ‘ Hide extensions for known file types‘ and select option Show hidden files, folders and drives. This will allow us to see the extensions of the files we are working with.

Expeg2

Open Notepad, type the following text and save it with the extension .bat”. What the following code does is it creates a new user named “hacker” with password “abc123″ in the Windows machine this code gets executed.

Expeg3

Download BAT to EXE converter and convert the batch file we just created to an exe.

Expeg4
Expeg5

Rename the file “samy.exe” to “samy_3.jpg”. Windows will prompt a warning. Ignore it.

Expeg6

Right click on the file “samy_3.jpg”, drag it a little and leave. Select ‘Create Shortcuts here’. We are creating a shortcut for the file samy_3.jpg.

Expeg7

Rename the shortcut to “samy_0.jpg”.Whatever the name you give make sure that the shortcut is clicked first and not the exe file.

Expeg8

Right click on “samy_0.jpg” and select Properties. In the “Start in” column delete the entire text. In the “Target:” column type “C:Windowssystem32cmd.exec samy_3.jpg.” This will run the file samy_3.jpg when clicked on the samy_0.jpg.

Expeg9

Click on “Change Icon” tab. Replace the text inside with “%SystemRoot%system32SHELL32.dll”and click on “OK”.

Expeg10

Compress all files into zip archive with the name “samy unseen.zip”. Remember that name should be attractive enough to lure the victim into clicking the images.

how to hide an exe file in a jpeg

OK, package is ready. Now the bigger challenge is to send the package to the victim’s computer. I tried to mail the package to the victim but it didn’t work out.

Expeg12

So I suggest you to find your own way of sending it to the victim. To test if the package will work on the victim’s system or not openCMD” and type the command “net user” before executing the image. It will show us all the users on the system.

Expeg13

Then click on the image samy_0.jpg. Open “CMD” and type the “net user” command again.

Expeg14

A new user named hacker has been created. So the trick worked.

Posted on 2 Comments

Virtual pentesting lab : Step by Step guide

Virtual pentesting lab is a lab created on a single system using any virtualization software. It can be very helpful for people practicing for CEH or similar certification. Any penetration testing lab has two machines, attacker and victim. In this lab we will set up Kali Linux as the attacker and Windows XP( most favorite victim machine ) as the victim. I am going to set up this lab in Vmware Workstation 9. Hope this will be helpful.

First of all install Kali Linux and Windows XP in Vmware Workstation.

Vpl1
Vpl2

Shut them down. In the Vmware Workstation menu, Select Edit”and click on Virtual Network editor.

Vpl3

The window below will open showing the virtual network adapters. Click on “Add network”.

Vpl4

Vmware provides nine virtual networks from 0 to 9. Vmnet0, Vmnet1 and Vmnet8 are automatically assigned for bridged, Host-only and NAT types of network respectively. Select the network “Vmnet3″.

Vpl5

We can see that our network is added as Host-Type with a automatically assigned subnet IP.

virtual pentesting lab

Click on our network. We can see its settings below.

Vpl7

Deselect the option ‘Connect a host virtual adapter to thenetwork’. This’. This‘.This will make our network a custom type. Change the subnet IP to 10.10.10.0( choice is yours). Select the ‘Use local DHCP service to distribute IP address to VMs‘ option. This will automatically assign IP addresses to our machines. Click on ‘DHCP settings‘.

Vpl8

You will see the below window. Make changes if you like. I am going to leave it default. Click OK twice to exit.

Vpl9

We have successfully created our custom network. Now let’s add our machines to the network. Open the tab of Kali Linux and click on ‘network adapter‘ setting.

Vpl10

In the settings, select the ‘custom radio button and select the network Vmnet3 from the dropdown menu. Click on OK.

Vpl11

Do the same for Windows XP. Then let’s boot up our victim machine and check it’s IP address by typing ‘ipconfig‘ in the command line. The DHCP server has automatically assigned it the IP address 10.10.10.129.

Vpl12

Boot the attacker machine and check it’s IP address by typing ‘ifconfig’in the terminal. It has been assigned the address 10.10.10.128.

Vpl13

Ping the victim IP machine (10.10.10.129) to see whether the two machines can communicate.

Vpl14

We have successfully created a virtual pentesting lab. Happy testing.

Posted on 2 Comments

Complete guide to Nmap port scanner

Hello, aspiring ethical hackers. This blogpost is a complete guide for using Nmap (Network Mapper). It is a popular and open source utility used for port scanning and network discovery by network administrators and pen testers. It uses real IP packets in novel ways to determine the LIVE hosts on the networks, open ports, the services they are running, type of firewalls in use etc. It is available for all major operating systems like Linux, Windows and Mac OSX.

We are using it on Kali Linux where it is installed by default. Let’s begin with how to specify targets while scanning.

Target specification

1. Provide input through a list:

nmap -iL <input filename>

This option reads targets from a specific file. Let’s create a file named alpha with a few newline separated or tab-limited or space separated IP addresses using vi on Desktop.

Nt1

Then, move to Desktop directory and type the command as shown below. It scans the four IP addresses listed in our file.

Nts2

2. Specify random hosts to scan:

nmap -iR <number of hosts>

This option is used to specify random hosts to scan. Nmap generates its own targets to scan. The <number of hosts>argument tells nmap the number of IP’s to generate. Let’s type command as shown below.We can see that it generated five random targets to scan. The scan failed to determine route to the generated IP addresses because my system is not connected to Internet. Why didn’t it generate any internal IP addresses? Because in this scan private, multicast and unallocated address ranges are automatically skipped.

Nts3

3. Scan the entire subnet:

nmap <IP address/dir>

This option is used to scan the entire subnet. Assuming you know CIDR let’s type the command as shown below to scan eight IP addresses from 10.10.10.1 to 10.10.10.8 and see the result below.

Nts4

4. Exclude some hosts and networks:

nmap [targets] -exclude [targets]

This option specifies a comma separated list of targets to be excluded from the scan even if they are part of overall network range we specify. For example, in our previous scan we saw that one host 10.10.10.2( which is the system I am working on) is alive. Now I decided to exclude that host and another host from the scan. So I type the command as shown in the image given below and press “Enter”. We can see that nmap has only scanned six IP addresses.

Nts5

5. Take the exclusion list from a file:

nmap [targets] -excludefile [file name]

Now what if the subnet was very big and there are more number of hosts to be excluded from the scan. The above option helps us to achieve this. Remember the file “alpha”( with four IP addresses) we created. Now let’s specify nmap to quit scanning the hosts listed in the file. Type the command as shown below. We can see that it scanned only four hosts in the subnet.

Nts6

6. Scan specific targets:

nmap [target1 target2 target3]

This option specifies nmap to scan multiple targets separated by space. Type the command shown below . We can see the result below.

Nts7

Scan types

Nmap is equipped with a variety of scans to detect open ports and services on the target system. Learn about Nmap’s various port scan techniques here.

Scan results

Nmap classifies the ports it scans into six categories. They are open, closed, filtered, unfiltered, open/filtered and closed/unfiltered. In which cases does Nmap classify a port as one of the above. Learn in port scan results of Nmap.

Posted on 30 Comments

Beginners guide to phishing

Hello, aspiring ethical hackers. In our previous article, you learnt what is social engineering. In this article, you will learn in detail about Phishing. Phishing is one of the most popular social engineering techniques. What exactly is phishing? Phishing is an act of presenting a fake page resembling the original webpage you intend to visit with the sole intention of stealing your credentials. This post demonstrates phishing tutorial for beginners. Although we make a phishing page of Facebook in this tutorial, it can be used to make a phishing page of any website. So now let’s phish.

Open your browser, go to the Facebook website, Right click on the webpage and click on “view page source”.

Phish1

The source of the web page is displayed in the browser. Right click on the page and click on “Save As”. Save the page as “index.html”on your computer.

Phish2

Now open index.html using notepad and hit CTRL+F”.In the Find box opened, type “action” and click on “Find Next”. Look at the value of action. This “action” specifies the website what to do after users enter credentials and submit those.

Phish3

Now change the value of action to “phish.php”. We are doing this so when the user enters his credentials the page that loads will be “phish.php” and not the usual page Facebook loads.

Phish4

Now let’s create the page phish.php. Open Notepad and type the following script into it and save it as “phish.php”. What this script does is it logs the user credentials and saves it to a file named “pass.txt”.

Phish5

Now our files are ready. Next step is to upload these files to any free web hosting site available on the internet. Google for free web hosting sites, select any one of them(I selected bytehost7), create an account with username as close to Facebook as possible and delete the index.html file available in the htdocs folder. Then using Online File Management upload your own index.html and phish.php files to the htdocs folder. Your htdocs folder will look like below.

Phish6

Let’s check if our phishing page is ready by typing the address of our site. If the page is like below, then our phishing page is working.

Phish7

The next thing we have to do is to send address of our fake website to the victim. We will do this through sending him an email but in order for the victim not to smell something fishy, we will obfuscate the URL of the fake page we are about to send him. The sending email address should be as convincingly close to Facebook as possible.

Phish8

When the victim clicks on the obfuscated URL, it will bring him to our fake site.

Phish9

If the victim is not cautious enough as to observing the URL and enters his username and password, our attempt is a success. To show this, I will enter random values in both username field and password field and hit Enter.

phishing tutorial

Now a txt file with name pass.txt will be created in the htdocs folder containing both the username and the password.

Phish11

Click on the file. We can see both the email and the password i have entered. The email is “don’t get hacked” and the password is “like me”.

Phish12

See how to phish with Weeman HTTP Server and GoPhish.

Posted on

Understanding port scanning results of Nmap

Hello aspiring Ethical Hackers. In this blogpost you will learn how to analyze port scanning results of Nmap. Scanning plays a very important role in hacking a system. Scanning is a phase in which we find out the ports which are open and the services listening on those ports. NMap is the most popular port scanner being used security guys nowadays. Read complete guide to Nmap. It is very important to understand results of Nmap port scan. Nmap classifies ports into six states. They are, open, closed, filtered, unfiltered, open | filtered and closed | filtered.

Port Scanning Results 0

Let us find out when Nmap classifies ports into specific states. To demonstrate the results of port scanning performed my Nmap, I use two virtual machines,

1. Kali Linux as attacker system.

2. Windows 10 as target system.

On the target system, I enable or install a SSH server. You can learn how to install a SSH server here. For this tutorial, I will be scanning this SSH port with Nmap.

1. Closed:

Nmap classifies a port as closed when the port is accessible but there is no application listening on it. When I perform a default Nmap scan from the Kali system of port 22 of the target machine, I get a “closed” result as shown below.

nmap -sT –p22 <target ip>

Port Scanning Results 1

Note that on our target machine, we have installed the SSH server but not yet started it.

2. Filtered:

Nmap classifies a port as filtered when it can’t determine whether the port is open or closed because packet filtering prevents its probes from reaching the port. Let’s now start the SSH server and scan again. This time when we scan the same port again, we get a “filtered” result as shown below.

nmap -sT -Pn –p22 <target ip>

Port Scanning Results 2

This is because although we have started the SSH service on the target system, Windows Defender Firewall, which is turned ON by default, is blocking our connection to the target port. When Nmap classifies a port as filtered, it is most likely that a firewall is blocking our probes.

3. Open:

Nmap classifies a port as open when the port is accessible and if an application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. On our target system, let’s change the Windows Defender Firewall settings to allow the SSH service through the Firewall as shown below and scan the service again.

Port Scanning Results 3
Port Scanning Results 4

The result I get is “open”. This is because the SSH server is actively accepting connections.

4. Unfiltered:

Nmap classifies a port as unfiltered when a port is accessible but it can’t determine whether it is open or closed. A port is classified as unfiltered only with the ACK scan. Learn about different scans that can be performed with Nmap.

nmap -sA –p22 <target ip>

Port Scanning Results 5

This scan cannot determine if the port is open or closed and is generally used to find out rules of the firewall.

5. Closed | filtered:

Nmap gives this result when it can’t find out whether a port is closed or filtered. A port is classified this way by Nmap only when we perform IDLE scan. Now what is IDLE scan? Idle scan is a scan in which we use a zombie host to scan the victim. In our example, we use another host with IP 192.168.40.1 as a zombie to perform IDLE scan on our victim.

nmap -sI <zombie_host> -p22 <target ip>

Port Scanning Results 6

6. Open | filtered:

A port is classified as open | filtered when Nmap is unable to determine whether a port is open or filtered. This happens for scan types in which open ports give no response. The UDP, IP protocol, FIN, NULL and XMAS scans classify ports this way.

Port Scanning Results 8
XMAS scan
Port Scanning Results 9
FIN scan
Port Scanning Results 10
NULL scan

The port is classified as “open | filtered” in above cases because Nmap can’t determine whether the port is open or filtered.