Hello aspiring ethical hackers. In this blogpost, you will learn about Nessus vulnerability scanner. Nessus is an open-source network vulnerability scanner that uses Common Vulnerabilities and Exposures (CVE) architecture. It is widely used for vulnerability assessment and penetration testing.
Nessus server can be installed on Unix, Linux and FreeBSD whereas Nessus client is available for Unix and Windows based operating systems. For this tutorial, we will be installing Nessus on Kali Linux. Nessus can be downloaded from here. It can also be downloaded using curl as shown below (version may change).
Once the latest version of Nessus is downloaded, it can be installed as shown below.
Once the installation is finished, enable nessus as shown below.
Then start nessus as shown below.
Nessus runs on port 8834 by default. It can be viewed in browser.
Click on “Accept the risk and continue”.
Click on “Continue”. Select the type of Nessus install you want. Since we are using a Free version of Nessus for this tutorial we select “Register for Nessus Essentials”. Click on “continue”.
To run Nessus Essentials, you need an activation code. Get the activation code by entering the following details.
You need a user account to login into Nessus. Create an account and most importantly remember the user account information.
Then, Nessus will download all the required plugins. This may take some time (a bit long time sometimes).
Once all the plugins are finished downloading, you should see this.
The installation is finished. Now, it’s time to start scanning with Nessus. Click on “New scan”. A new popup opens. Assign a target.
The vulnerabilities are classified into five categories by Nessus. They are Critical, High, Medium, Low and Information. You can view detailed information about the detected vulnerabilities by clicking on them.
All the scans you perform are located in “My scans” section.
Nessus allows different types of scans. All the scans that can be performed using Nessus can be viewed from “All scans” section.
Hello aspiring Ethical Hackers. In this article you will learn about a Windows POST Exploitation tool named Koadic. Koadic, or COM command and control is a Rootkit tool that is used for Windows POST exploitation. It is similar to Meterpreter and Powershell Empire except that it performs most of its operations using Windows Script Host. i.e JScript and Visual Basic Script.
The good thing about Koadic is that it is compatible with almost all the versions of Windows from Windows 2000 to windows 10. It also has the ability to serve payloads in memory and is updated to run with newly released Python 3. Koadic can be cloned from Github as shown below.
Once the repository is cloned, we can navigate into that directory and install the requirements needed for using koadic.
Once the requirements are all installed, koadic can be started. It can be started using the command shown below.
./koadic
Koadic has two important components. They are,
Stagers
Implants.
Stagers are used to get initial sessions which are called as Zombies. Once Koadic is started, we can have a look at various stagers of koadic using command shown below.
use stager
Let’s use the Java script mshta stager. This stager serves payloads in memory using MSHTA.exe Html applications.
Set the SRVHOST, SRVPORT and ENDPOINT (name of the stager we create) options and execute the stager using run command.
As you can see in the above image, the payload is ready. Once victims visit this link, the virus_scanner.hta payload starts downloading on the target machine. Once the victim executes it, we get a ZOMBIE on a attacker machine as shown in the image below. Zombie in Koadic is just like a session in Metasploit.
The “zombies” command can be used to view all the sessions we have.
Every zombie session is given a session id starting from 0 which can be used for interacting with it. For example, the zombie session I got has been assigned ID “0”. Let’s interact with it.
Readers will learn more about this tool in Part 2 of this article.
Hello aspiring Ethical hackers. In this article, you will learn about a new tool named Name That Hash. Name That Hash is a hash identifying tool that can identify over 300 types including MD5 and SHA256. The other features of this tool include displaying summaries for the hashes identified, colored output and displaying in the order of their popularity etc. This tool can be installed from the repository of Kali as shown below.
Once this tool is installed, it can be started using command nth. To test a single hash, we can use “nth” with option “-t” as shown below. Let’s first give a MD5 hash.
nth -t
Just like hashid and hash-identifier, this tool also got it right but it is giving us some additional information like where the hash is actually used. For example, Md5 is used in Linux shadow files. What about SHA-1 hash?
It got this right too. Next, let’s give it a LM hash.
It put this in the Least likely section. Next, let’s give it a NTLM hash.
It failed to get spot on NTLM too. Just like its predecessors, it correctly detected the SHA-512 and SHA-256 hashes.
The good thing about name-that-hash is that instead of being blank, it gives us more information about actually where the hash is used. This can be useful when you grab a collection of hashes from a target network. You can easily decide which hashes to crack and which not to crack. If you have more number of hashes, giving it one by one can be cumbersome. Luckily, you can give them all at once by saving these hashes in a text file as shown below.
and using “-f” option to specify the file.
nth -f
The output which is not shown here is same as above.
Name-That-Hash is only designed to identify hashes unlike the other two but if you have a base64 encoded string, it can be decoded by nth using the “-b64” option.
nth -b64 -t
It correctly decoded it as “hackercool” All the above are also encrypted hashes of the text “hackercool”. Suppose you want the result to only display the most likely result, you can get this by using the “-a” option as shown below.
nth -a -t
If you observe the above images, you can see the banner of name-that-hash occupying lot of space. Just like me if this is putting you off, you can view result without banner using the “–no-banner” option.
nth –no-banner
Once go to the image above the above image, the one where we used the “-a” option. Once, carefully observe the result. It correctly detected the hash as SHA-512. Next to it, you can see the text “HC 1700 JtR: raw-sha512”. This is HashCat (HC stands for HashCat) and John (JtR stands for John The Ripper) information being displayed by the tool because the next thing you will do after identifying the hash is to crack it using Hashcat or John. This requires what you need to put into these tools to crack it. For example, let’s take a simpler hash.
John The Ripper says its raw-md5. We need to just supply this format as shown below in JTR to crack this.
Similarly, the HC number given is “0”. Let’s supply it as shown below in HashCat.
However, if you are an experienced ethical hacker with too much details hurting your ego, you can just view the result without the information of John The Ripper using “–no-john” option.
nth –no-john -t
This is the difference.
You can do the same with HashCat information using “–no-hashcat” information.
Hello aspiring ethical hackers. In this article you will learn how to setup a phishing campaign. Readers have learnt what is phishing and various phishing techniques in our previous blog posts. It is a fitting conclusion that the next article in our phishing series should be about creating a phishing campaign. Phishing campaign or Email phishing campaign or Spear Phishing campaign is the campaign that sends emails to the victims to lure them to the Phishing site.
Although, this tutorial is similar to phishing campaigns run by malicious hackers, this campaign can also be used to test the security of a company by assessing how vulnerable are the employees of the company to a phishing attack. There are many tools to simulate phishing attacks which are used by Red Team professionals. Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. It is available for both Windows and Linux operating systems.
I will be using a Windows version of Gophish as I want to install it on Windows. Installing Gophish on Windows is damn easy. Just download Gophish for Windows, extract the contents of the zip archive. open Windows command line and navigate into the extracted directory and execute the Gophish executable as shown below. This executes some commands as shown below.
If you observe the CMD window, you will find the username and password for the Gophish dashboard. This part is highlighted in the image above. These credentials are needed to login into the Gophish dashboard. Keep the CMD window open, Open Browser and enter address https://127.0.0.1:3333. This is the default port on which Gophish runs. If you get any certificate error, click on advanced to bypass it and then enter submit the above mentioned credentials.
The first thing you will see after logging in is that the system prompts you to reset your password. Reset the password.
Now, you can access the Gophish dashboard.
The first thing we need to do is create a sender profile. This is the mail address from which the spear phishing email comes from.
Click on “Sending profiles” tab and then click on “New profile” to create a new Sending Profile. Set the options for the sending profile. For example, we set the name for this as “phishing campaign 1”. To send any type of email, we’ll need a SMTP server. For this tutorial, I will be using the SMTP server of Gmail as I will be sending an email from Gmail. In Real world phishing attacks and even in many phishing simulations, a new domain is created and the email is sent from that domain’s mail to make the phishing email appear genuine. The username is the Gmail username and password is Gmail password.
Save the changes. Send a test email to the email of your choice to see if the Phishing email appears as you want it to be.
The username we specify is very important here as it will be displayed. So it has to be made as convincing as possible. Once you are satisfied with the sending profile, you can save it.
Next, we need to create Users and Groups. This is where we assign target users for of our phishing campaign.
Click on “New Group” to create a new batch of recipients. I have named this group as Target_ 1.
For this tutorial, I’ll add only a single recipient.
If you want to add a large number of users, you can save them in a CSV file and just import those users with the “bulk import users option”.
It’s time to create an email template. This is the most important part of a phishing email since it has the email body that convinces a victim to click or take any other action.
But before we compose the spear phishing email, let’s create a phishing website. For this tutorial, we will be capturing some credentials. Hence we will be using a fake website created using Social Engineering Toolkit in Kali Linux. We can also create a phishing website with Weeman.
The phishing site is ready and will display any captured credentials on this terminal. Go back to Gophish. Click on “New Template” to create a new email.
Remember what I said. This part is the most important and the content of the email should convince the user take whatever action you want him to take. We are just showing the age-old account suspension mail. Let’s have a look at some of the spear phishing emails used in real world hacking attacks.
The above mail is sent to Godaddy customers. The Logo, Customer support number etc almost convince even me but just look at the Sender Email. The domain of Godaddy is godaddy.com but sender email is really phishy.
This above phishing email is a must read. Everything looks so convincing. Even I think I have a account at Suntrust. Only when we hover over the link that we can see it is suspicious.
The above mail is directed towards Instagram users. Although sender email is phishy, have a look at the message of the mail. It says your Instagram password has been changed and if it is not you that changed the password, you are asked to click on the link they have provided to reset your password. It even provides a link to the Instagram Help Center to appear trustworthy.
I am sure readers got an idea about how phishing emails look like. If you find an email suspicious, just hover over the links instead of clicking on them. Once, the body of the email is complete, let’s add a hyperlink to the email content. Click on “source”.
I want the users to be redirected to my Kali Linux attacker machine.
The Email template is ready. It’s time to set the landing page. Landing page in Gophish is the page where users will be redirected to after clicking a link in the email.
Click on “New Page”. You can create a new landing page or you can import an already created landing page. Let me import the phishing site I created in SE Toolkit on Kali Linux. After capturing credentials,
Just like any phishing website, we can redirect the users to another webpage after capturing credentials. I want the victims to be redirected to the genuine site of Facebook.
Save the landing page.
Everything is ready. It’s time to start the phishing campaign. Go to campaigns and click on “New Campaign”.
Specify all the options like URl, the recipients etc and click on “Launch campaign”. You can set the date and timing for the phishing campaign.
In the dashboard you can view result of the campaign. You can see how many victims read your email and how many fell to your phishing campaign.
This is how the spear phishing email I created looks in Email Inbox.
Here is how the content of the email looks.
Here is the phishing site the user is redirected to once he clicks on the link.
Once the victim fails to notice the signs of a phishing email, he enters his credentials.
These credentials are captured in SETOOLKIT as shown below.
Credentials captured and our phishing campaign is successful. This is how a successful campaign is run.
Hello aspiring Ethical Hackers. In this article you will learn about Tomcat War Deployer a tool used to pen test a Apache Tomcat system.
In the Real World Hacking Scenario of our HackercoolMag May2020 Issue, you will see how Hackercool exploits a Apache Tomcat system that is placed behind a Router. In that scenario, once Apache Tomcat credentials are compromised, he makes a war payload with Metasploit. Once the payload executes, he gets a shell on the target.
However, Metasploit is not the only tool that is used to make malicious WAR payloads. The Tomcat War Deployer is another tool that can be used to make WAR payloads which can be used for penetration testing. A WAR stands for Web Archive. It can include servlet, xml , jsp, image, html, css and js files etc. This files are created in Java. The Tomcat War Deployer can be used from Kali Linux and can be cloned from this Github link as shown below.
Once the cloning is done, you should see a new directory named tomcatWarDeployer in the directory from which you cloned. Move into that directory and type the command highlighted in the image given below. The “-h” option is help and it displays all the commands that can be used with this tool.
The “-H” option is used to specify the host IP address to which we want our shell to be connected (i.e the attacker system’s IP address). The “-p” option specifies the port on which the shell should connect to (we specified port 4646 here). The “-G” option is used to specify the name of the output file. We named it tomcat_shell for this article.
Let’s upload this shell to the target. We are using the same target that we have used in the Real World Hacking Scenario of the Hackercool Magazine May 2020 Issue.
Before executing it, let’s start a Netcat listener on port 4646.
When you click on the payload on the target, you will see something as shown below. Your payload is protected with a password to prevent its misuse from others (read hackers). However this password is randomly generated and even you will lose access if you don’t know it.
The “-X” option is used to set the password for our payload. Setting it to “None” as shown below will not set any password for our payload.
You can set any password you want as shown below. Here, we set it to “hcool”.
The “-v” option is used to set the verbose mode. This gives more clear details about the creation of payloads. You can see it below.
Now, let’s create a payload named “tomcat_shell.war” without any password.
Here’s how its looks.
Let’s create the payload with password “123456”. It is wise to generate a payload with a password while penetration testing to avoid misuse.
The “-s” option simulates the breach without performing any offensive actions.
Simulation helps us to verify if the attack works without changing anything on the target system. The “-U” option is used to set the username and “-P” option is used to set the password. These are the credentials we need to login into the target.
In the above image, the simulations says that it reached the target, validated the credentials and did everything to prove that the attack works. But it did not deploy the payload. The “-C” option specifies not to connect to the spawned shell immediately. By default, it connects to the spawned shell immediately. This option stops that letting us use other handlers like Metasploit or Netcat. Since we already started a Netcat listener, we will use this option for now. We can specify the target IP address and port at the end of the command as shown below.
At our Netcat listener, we already have a shell as you can see in the image below.
If you don’t specify the “-C” option, shell will be automatically spawned as shown below.
Finally, after the penetration test is completed, you can delete the uploaded payload using the “-R” option. You need to specify the name of the payload with the “-n” option. The example is shown below.
