Posted on

Name-That-Hash: A tool to identify hashes

Hello aspiring Ethical hackers. In this article, you will learn about a new tool named Name That Hash. Name That Hash is a hash identifying tool that can identify over 300 types including MD5 and SHA256. The other features of this tool include displaying summaries for the hashes identified, colored output and displaying in the order of their popularity etc. This tool can be installed from the repository of Kali as shown below.

Name That Hash 15 1024x536

Once this tool is installed, it can be started using command nth. To test a single hash, we can use “nth” with option “-t” as shown below. Let’s first give a MD5 hash.

nth -t <hash>

name that hash

Just like hashid and hash-identifier, this tool also got it right but it is giving us some additional information like where the hash is actually used. For example, Md5 is used in Linux shadow files. What about SHA-1 hash?

Name That Hash 1819 870x1024

It got this right too. Next, let’s give it a LM hash.

Name That Hash 20

It put this in the Least likely section. Next, let’s give it a NTLM hash.

Name That Hash 21
Name That Hash 22

It failed to get spot on NTLM too. Just like its predecessors, it correctly detected the SHA-512 and SHA-256 hashes.

Name That Hash 23
Name That Hash 24
Name That Hash 25
Name That Hash 26

The good thing about name-that-hash is that instead of being blank, it gives us more information about actually where the hash is used. This can be useful when you grab a collection of hashes from a target network. You can easily decide which hashes to crack and which not to crack.
If you have more number of hashes, giving it one by one can be cumbersome. Luckily, you can give them all at once by saving these hashes in a text file as shown below.

Name That Hash 27

and using “-f” option to specify the file.

nth -f <path to the file that has saved hashes>

Name That Hash 28

The output which is not shown here is same as above.

Name-That-Hash is only designed to identify hashes unlike the other two but if you have a base64 encoded string, it can be decoded by nth using the “-b64” option.

nth -b64 -t <base64 encoded string>

Name That Hash 29

It correctly decoded it as “hackercool” All the above are also encrypted hashes of the text “hackercool”. Suppose you want the result to only display the most likely result, you can get this by using the “-a” option as shown below.

nth -a -t <hash>

Name That Hash 31

If you observe the above images, you can see the banner of name-that-hash occupying lot of space. Just like me if this is putting you off, you can view result without banner using the “–no-banner” option.

nth –no-banner <hash>

Name That Hash 32

Once go to the image above the above image, the one where we used the “-a” option. Once, carefully observe the result. It correctly detected the hash as SHA-512. Next to it, you can see the text “HC 1700 JtR: raw-sha512”. This is HashCat (HC stands for HashCat) and John (JtR stands for John The Ripper) information being displayed by the tool because the next thing you will do after identifying the hash is to crack it using Hashcat or John. This requires what you need to put into these tools to crack it. For example, let’s take a simpler hash.

Name That Hash 31a

John The Ripper says its raw-md5. We need to just supply this format as shown below in JTR to crack this.

Name That Hash 31b

Similarly, the HC number given is “0”. Let’s supply it as shown below in HashCat.

Name That Hash 31c31d 895x1024

However, if you are an experienced ethical hacker with too much details hurting your ego, you can just view the result without the information of John The Ripper using “–no-john” option.

nth –no-john -t <hash>

Name That Hash 33

This is the difference.

Name That Hash 34

You can do the same with HashCat information using “–no-hashcat” information.

nth –no-hashcat -t <hash>

Name That Hash 35

The difference can be seen below.

Name That Hash 36

That was all about this tool.

Posted on

Gophish: Setup a Phishing Campaign

Hello aspiring ethical hackers. In this article you will learn how to setup a phishing campaign. Readers have learnt what is phishing and various phishing techniques in our previous blog posts. It is a fitting conclusion that the next article in our phishing series should be about creating a phishing campaign. Phishing campaign or Email phishing campaign or Spear Phishing campaign is the campaign that sends emails to the victims to lure them to the Phishing site.

Although, this tutorial is similar to phishing campaigns run by malicious hackers, this campaign can also be used to test the security of a company by assessing how vulnerable are the employees of the company to a phishing attack. There are many tools to simulate phishing attacks which are used by Red Team professionals. Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. It is available for both Windows and Linux operating systems.

I will be using a Windows version of Gophish as I want to install it on Windows. Installing Gophish on Windows is damn easy. Just download Gophish for Windows, extract the contents of the zip archive. open Windows command line and navigate into the extracted directory and execute the Gophish executable as shown below. This executes some commands as shown below.

Gophish 1

If you observe the CMD window, you will find the username and password for the Gophish dashboard. This part is highlighted in the image above. These credentials are needed to login into the Gophish dashboard. Keep the CMD window open, Open Browser and enter address https://127.0.0.1:3333. This is the default port on which Gophish runs. If you get any certificate error, click on advanced to bypass it and then enter submit the above mentioned credentials.

Gophish 2 1024x545
gophish

The first thing you will see after logging in is that the system prompts you to reset your password. Reset the password.

Gophish 4 1024x548

Now, you can access the Gophish dashboard.

Gophish 5 1024x544

The first thing we need to do is create a sender profile. This is the mail address from which the spear phishing email comes from.

Gophish 6 1024x545

Click on “Sending profiles” tab and then click on “New profile” to create a new Sending Profile. Set the options for the sending profile. For example, we set the name for this as “phishing campaign 1”. To send any type of email, we’ll need a SMTP server. For this tutorial, I will be using the SMTP server of Gmail as I will be sending an email from Gmail. In Real world phishing attacks and even in many phishing simulations, a new domain is created and the email is sent from that domain’s mail to make the phishing email appear genuine. The username is the Gmail username and password is Gmail password.

Gophish 7 1024x548

Save the changes. Send a test email to the email of your choice to see if the Phishing email appears as you want it to be.

Gophish 8 1024x548

The username we specify is very important here as it will be displayed. So it has to be made as convincing as possible. Once you are satisfied with the sending profile, you can save it.

Gophish 9 1024x542

Next, we need to create Users and Groups. This is where we assign target users for of our phishing campaign.

Gophish 10 1024x547

Click on “New Group” to create a new batch of recipients. I have named this group as Target_ 1.

Gophish 11 1024x545

For this tutorial, I’ll add only a single recipient.

Gophish 12 1024x547

If you want to add a large number of users, you can save them in a CSV file and just import those users with the “bulk import users option”.

Gophish 13 1024x543
Gophish 14 1024x544

It’s time to create an email template. This is the most important part of a phishing email since it has the email body that convinces a victim to click or take any other action.

Gophish 15 1024x545

But before we compose the spear phishing email, let’s create a phishing website. For this tutorial, we will be capturing some credentials. Hence we will be using a fake website created using Social Engineering Toolkit in Kali Linux. We can also create a phishing website with Weeman.

Se Toolkit 7

The phishing site is ready and will display any captured credentials on this terminal. Go back to Gophish. Click on “New Template” to create a new email.

Gophish 16 1024x543

Remember what I said. This part is the most important and the content of the email should convince the user take whatever action you want him to take. We are just showing the age-old account suspension mail. Let’s have a look at some of the spear phishing emails used in real world hacking attacks.

Gophish 16bb

The above mail is sent to Godaddy customers. The Logo, Customer support number etc almost convince even me but just look at the Sender Email. The domain of Godaddy is godaddy.com but sender email is really phishy.

Gophish 16cc

This above phishing email is a must read. Everything looks so convincing. Even I think I have a account at Suntrust. Only when we hover over the link that we can see it is suspicious.

Gophish 16aa

The above mail is directed towards Instagram users. Although sender email is phishy, have a look at the message of the mail. It says your Instagram password has been changed and if it is not you that changed the password, you are asked to click on the link they have provided to reset your password. It even provides a link to the Instagram Help Center to appear trustworthy.

I am sure readers got an idea about how phishing emails look like. If you find an email suspicious, just hover over the links instead of clicking on them. Once, the body of the email is complete, let’s add a hyperlink to the email content. Click on “source”.

Gophish 17 1024x544

I want the users to be redirected to my Kali Linux attacker machine.

Gophish 18 1024x544
Gophish 19 1024x545

The Email template is ready. It’s time to set the landing page. Landing page in Gophish is the page where users will be redirected to after clicking a link in the email.

Gophish 20 1024x544

Click on “New Page”. You can create a new landing page or you can import an already created landing page. Let me import the phishing site I created in SE Toolkit on Kali Linux. After capturing credentials,

Gophish 22 1024x546
Gophish 23 1024x546

Just like any phishing website, we can redirect the users to another webpage after capturing credentials. I want the victims to be redirected to the genuine site of Facebook.

Gophish 25 1024x541

Save the landing page.

Gophish 26 1024x544

Everything is ready. It’s time to start the phishing campaign. Go to campaigns and click on “New Campaign”.

Gophish 27 1024x474

Specify all the options like URl, the recipients etc and click on “Launch campaign”. You can set the date and timing for the phishing campaign.

Gophish 29 1024x543
Gophish 30 1024x245
Gophish 31 1024x544

In the dashboard you can view result of the campaign. You can see how many victims read your email and how many fell to your phishing campaign.

Gophish 32 1024x545

This is how the spear phishing email I created looks in Email Inbox.

Gophish 33 1024x141

Here is how the content of the email looks.

Gophish 34 1024x327

Here is the phishing site the user is redirected to once he clicks on the link.

Gophish 35 1024x423

Once the victim fails to notice the signs of a phishing email, he enters his credentials.

Gophish 36 1024x467

These credentials are captured in SETOOLKIT as shown below.

Gophish 37

Credentials captured and our phishing campaign is successful. This is how a successful campaign is run.

Posted on

Nim Malware and AV Evasion

Hello aspiring ethical hackers. In this article, you will learn about Nim malware and how hackers are using it to bypass Antivirus solutions.

“Cyber Security researchers at ProofPoint were tracking a hacking operation they named as TA800. TA800 had a common mode of operation. They send personalized phishing emails containing a link to a supposed PDF document. Users who visited that link, downloaded malware with a fake PDF icon. This Malware is a loader which once opened provides attackers control of victim’s Windows Systems. These hackers have been using a loader named Baz Loader since 2020. However, researchers noticed a new loader being used by these hackers on February 3, 2021. This loader which researchers named as Nimza Loader was built in Nim programming language.”

Nim is a programming language designed and developed by Andreas Rumpf. Originally named as nimrod (it was renamed Nim in 2008), Nim was created to be a language as fast as C, as expressive as Python and as extensible as Lisp.

Often, the most common programming languages used to make malware are C, C++, Java and Visual Basic. But Malware authors often use a new programming language to beat Anti-Malware. Python Inspired syntax and a feature to compile directly to C , C++ etc makes Nim easy to use for developers and malware authors alike. It also has cross platform support. By writing malware in Nim, hackers can make it difficult for Anti-Malware to be able to detect their payloads since they have no updated detection systems for these new programming languages.

In this tutorial readers will learn the process of creating Nim malware and test this malware to see if Anti Malware can detect these payloads or not. Unlike other popular programming languages, Nim is not installed by default in Kali Linux. It can be installed using the apt package manager as shown below.

sudo apt install nim

Nim 1
Nim 2

Nim is successfully installed. Just like any other programming language, Nim needs a compiler. Although it is compatible with many compilers, let’s install mingw-64 compiler as shown below.

sudo apt-get install mingw-w64

Nim 3

As Nim is installed, nimble will be available on the Kali Linux system. Nimble is the package manager of Nim language. To create malware using Nim we need some more libraries. Important among them is the Winim library, which contains Windows api, struct and constant definitions for Nim. This is important while creating Windows based malware. Zippy is used for compressing and decompressing payloads. Nimcrypto is Nim’s cryptographic library used to perform several cryptographic functions.

nimble install winim zippy nimcrypto

Nim 45

Since all the necessary libraries are installed, it’s time to create a payload using Nim. A Github repository named Offensive Nim has many Nim payloads. We will download one Nim payload from there and compile it. We download the keylogger.nim payload from the Git repository and use the syntax below to compile it.

The “-c” option specifies compiling the “-d” option is used to specify compiler. The “—app” option is used to specify the type of app to create. We can create four types of applications here: console, GUI, lib and staticlib. We will create a console app here. The “—cpu” option is used to specify the target processor. Since our target is a Windows system, we are specifying i386 option which can run on both 64bit and 32bit systems.

nim c -d=mingw –app=console –cpu=i386 <path to Nim payload>

Nim 78

This will create a Windows executable file with the same name as the .nim file. The payload is ready. Now lets test it. We copy it to the target system (Windows 7) running a third party Antivirus. As you can see, all the protection shields are active and the AV is updated.

Nim 9 1024x576

As the payload is successfully copied to the target system, the Antivirus failed to detect it.

nim malware

Let’s try executing our payload and see the response of the Anti Virus. Even as our payload is running, the Antivirus failed to detect it.

Nim 12 1024x576

This is good. But let’s try something meaningful. Let’s try to get a reverse shell on the target system. We downloaded a simple Nim reverse shell from here.

Nim 13

We change its LHOST and LPORT values and compile it in the same manner as above.

Nim 15
Nim 14

We start a Netcat listener on the Attacker system and execute the reverse shell payload on the target system.

Nim 16

As readers can see, we got a successful reverse shell connection and the Antivirus didn’t even blink.

Nim 17181920
Posted on

MiTM Attack: Sniffing Images In a Network

Hello aspiring ethical hackers. In this article you will learn how to sniff images in a network using MiTM attack. In our previous article, readers have learnt how plaintext credentials passing through the network can easily be captured by attackers using Wireshark.

In this article, readers will learn about a different type of sniffing. i.e capturing images being transmitted through the network. As good as Wireshark is, it cannot be used to sniff images being sent through the network.

For this tutorial, we will be needing any program that requires images to be transferred in a network. For this purpose, we will use Netop Vision Pro Classroom Management Software (https://www.codework-systems.com/products/netop/netop-vision-pro/). As its name implies, this is a classroom management software used for distance learning. It has two modules: the Teacher module and Student module. The Teacher module is installed on one system and the student module is installed on all the student systems. The computer running the Teacher module has complete control over the computer running the student module and the student has no or very small limited role. The Teacher can view the Desktop of the Student’s Desktop to make sure the student is on track.

Remember the sniffing lab we used in one of our previous article. In the same Sniffing Lab, we will add three systems: two Windows 7 systems with Netop Vision Student Module installed on one system and Netop Vision Teacher Module installed on another Windows 7 system. The third system is Kali Linux which is the attacker system and used for sniffing images. Let’s setup the Lab first. Download the Netop Vision Pro software onto the first Windows 7 system and click on it. Select the “Run Installer” and click on “Next”.

TAOS 1 1024x527

Click on “I Accept The Terms in the license agreement” and click on “Next”.

TAOS 2

Select the Vision Student Module and click on Next.

TAOS 3

Select the option as a Windows Startup Service and click on Install.

TAOS 4

Check the IP address of this system and restart it.

TAOS 19
TAOS 5

Here’s the Student’s Windows system. There is some program running on it.

TAOS 20 1024x576

Now, in the second Windows 7 system, install the Teacher module of Netop Vision.

TAOS 6

When it prompts for the license key, click on “Next”.

TAOS 7
TAOS 8

Click OK to restart the computer.

TAOS 9

After the computer (on which Netop Vision’s Teacher Module) reboots, open the Netop Vision application. This should open the class room manager window automatically. If that did not happen, open it from the File menu. Create a new classroom. Click on “New”.

TAOS 10 1024x529

Click on “Next”.

TAOS 11

Add the student system. Click on “Add” and add the IP address of the student system as shown below. Then click on “translate addresses”. You will get the IP address translated to the name of the computer. Click “OK”.

TAOS 12
TAOS 13
TAOS 14

Click “Next”.

TAOS 15

Click on “Finish” to finish the installation.

TAOS 16

We have set up a new classroom. From the classroom manager, open the new classroom you just created.

TAOS 17

We can see the Desktops of connected Student computers. Since we have connected only one student computer, only one system is shown.

TAOS 18

The target is ready. On the Kali Linux system, install the Driftnet tool as shown below.

mitm attack

Check the name of the network interface.

TAOS 21

Now all we have to do is to start the driftnet tool on that interface.

TAOS 22

A small window will open as shown below.

TAOS 23

When you maximize the window, you can see the live capture of the images of the Student’s Desktop. These images of the student computer are being captured by the teacher module. As already said, the feature is available in Netop Vision classroom management software to monitor student computers. These images are captured at regular short intervals and transmitted in real time to the Teacher computer.

TAOS 24 1024x576

But how are these images being sniffed by Driftnet? Just like in the case of plain text protocols, these images are being transmitted in the network without any encryption. Hence, driftnet has been able to capture them by sniffing on the network.

Posted on

WPS pin is cracked but WPA key is not shown

Hello aspiring ethical hackers. In this article, you will learn how to solve a problem that you experience while cracking WPS pin. We have seen how to retrieve WPA key by cracking WPS pin with both Bully and Wifite. Well, If you get WPA key as soon as you crack WPS pin, you are lucky. However, sometimes the WPS pin is cracked but the WPA-PSK key is not shown. For example, see the image below.

Wifi Wps 9

In the above image, we can clearly see that the Wifite cracked WPS pin successfully but failed to get the WPA key. To get the WPA key in such cases, open a new terminal and type the command shown below.

sudo systemctl stop NetworkManager

Wifi Wps 10

Then using your favorite text editor open the file wpa_supplicant.conf located in /etc directory.

Wifi Wps 12 1024x78

You should see the contents of the file as shown below.

Wifi Wps 11

If there is any data more than this, delete it and just leave the above three lines. Then, run the command shown below.

sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf

Wifi Wps 13

Leave this terminal open and open another new terminal window and run the command as shown below.

sudo wpa_cli

Wifi Wps 14

It goes into interactive mode.

Wifi Wps 15

While interactive mode is active, type the following command as shown below.

status

Wifi Wps 16
Wifi Wps 17

Many events will take place but what we are looking for is an event that says “connected”. Once that happens, check the wpa_supplicant.conf file and you should be seeing WPA-PSK key of the wireless network as shown below.

wps pin