Category: Hacking

Posted on by

Cross-Site Request Forgery for Beginners

Hello, aspiring Ethical Hackers. In this article, you will learn about Cross-Site Request Forgery (CSRF) vulnerability. CSRF attacks can have serious consequences, including unauthorized money transfers, identity theft, and other forms of data theft or manipulation.

What is Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery is a type of web application security vulnerability that allows an attacker to execute unauthorized actions on behalf of a victim user.

How CSRF Attacks Work?

CSRF attacks work by exploiting the trust that a website or web application has in a user’s browser. When a user is logged into a website, the website creates a session for that user, which includes a unique session ID. This session ID is stored in a cookie on the user’s browser, and is sent to the website with every subsequent request made by the user.

An attacker who wants to execute a CSRF attack needs to trick the victim user into submitting a request to the target website that includes the victim’s session ID. This can be accomplished in a number of ways, including by embedding a malicious form or link on a third-party website, or by sending a malicious email or message to the victim user.

Once the victim user submits the request with their session ID, the website will process the request as if it came from the user directly. This can allow the attacker to execute actions on behalf of the victim user, such as changing their account information, making purchases, or transferring funds.

cross site request forgery

Examples of CSRF attacks include changing a user’s password or email address, making purchases or subscriptions without the user’s knowledge or consent, and performing unauthorized actions on social media accounts.

Real World Examples of CSRF Attacks

CSRF attacks are a serious threat to web applications and might have been responsible for numerous hacking attacks. In this section, we will discuss some real-world examples of this attacks.

1. Twitter Bug Bounty Program:

In 2018, a security researcher discovered a CSRF vulnerability in the Twitter Ads platform. The vulnerability allowed an attacker to create and launch an advertising campaign on behalf of the victim without their knowledge. The researcher reported the vulnerability to Twitter, who promptly patched the issue and awarded the researcher a $3,000 bounty.

2. Starbucks Gift Card Theft:

In 2015, security researchers discovered a vulnerability in the Starbucks gift card registration process that allowed attackers to steal gift card balances. The vulnerability was caused by a lack of CSRF protection, which allowed attackers to change the email address associated with a gift card and then transfer the balance to their own account. The researchers notified Starbucks of the vulnerability, and the company promptly patched the issue.

3. Google Drive CSRF Attack:

In 2016, security researchers discovered a CSRF vulnerability in Google Drive that allowed attackers to steal sensitive user data, including email addresses and contact lists. The vulnerability was caused by a lack of anti-CSRF tokens, which allowed attackers to execute unauthorized actions on behalf of the user. Google was notified of the vulnerability and quickly patched the issue.

These are just a few examples of the devastating consequences of command injection attacks.

Mitigation and Prevention

There are several techniques that can be used to prevent CSRF attacks, including token-based prevention, SameSite cookies, and double-submit cookies.

Token-based prevention involves generating a unique token for each user session, and requiring that this token be included in every form submission or request made by the user. When a user submits a form or request, the website checks to make sure that the token included in the submission matches the token associated with the user’s session. If the tokens do not match, the request is rejected.

SameSite cookies are another technique that can be used to prevent CSRF attacks. SameSite cookies restrict the scope of cookies to the domain that set them, preventing them from being sent in cross-site requests. This can prevent attackers from using the victim user’s session ID to execute unauthorized actions.

Double-submit cookies involve setting a cookie that includes a random value, and requiring that this value be included in both the request header and the request body. When a request is submitted, the website checks to make sure that the value in the header matches the value in the body. If the values do not match, the request is rejected.

While all of these techniques can be effective in preventing CSRF attacks, token-based prevention is generally considered to be the most secure and reliable method.

To protect against CSRF attacks, developers can implement various measures, including:

1. Anti-CSRF Tokens:

One effective method of mitigating CSRF attacks is by using anti-CSRF tokens. These tokens are unique to each user session and are included in all requests that modify data or state. The server can then verify that the token is valid before processing the request, thereby ensuring that the request is legitimate.

2. SameSite Cookies:

Developers can also use SameSite cookies to mitigate CSRF attacks. SameSite cookies prevent cookies from being sent in cross-site requests, making it more difficult for attackers to launch CSRF attacks.

3. CSRF Protection Frameworks:

Many web application frameworks, such as Django, Ruby on Rails, and ASP.NET, provide built-in CSRF protection features. These features can include automatic generation of anti-CSRF tokens and enforcing the use of SameSite cookies.

4. Input Validation:

As with all web application security, input validation is essential to protect against CSRF attacks. Developers should validate all user input on the server side to ensure that it is safe and does not contain any malicious code.

5. Multi-Factor Authentication:

Implementing multi-factor authentication can also help protect against CSRF attacks. By requiring users to provide an additional form of authentication, such as a one-time password, attackers will have a more difficult time launching CSRF attacks.

That’s all about Command Injection. We will be back with a new vulnerability vey soon. Until then, Good Bye.

Posted on by

Command Injection for Beginners

Hello aspiring Ethical hackers. In this blogpost, you will learn about another hacking attack Command Injection. This vulnerability can be found in a wide range of web applications, from small personal websites to large corporate applications.

What is Command Injection?

Command Injection is a security vulnerability that allows an attacker to execute arbitrary commands on a target system. It occurs when an attacker can inject malicious code into a vulnerable application, which the application then executes with the privileges of the application itself.

How Command Injection Attacks Work?

Command Injection attacks work by exploiting vulnerabilities in an application that accepts user input and then passes that input directly to a shell or command interpreter. This allows attackers to inject arbitrary commands into the input that are executed with the same privileges as the application.

Attackers can use various techniques to exploit this vulnerability, such as appending commands to existing commands or using shell metacharacters to execute multiple commands in sequence. The impact of a successful attack can be significant, ranging from unauthorized access to sensitive data to full system compromise.

Command Injection

Command Injection is a serious threat to web applications because it can allow attackers to bypass application-level security measures and gain unauthorized access to sensitive data or systems. Moreover, these attacks can be difficult to detect and can lead to serious consequences, such as data breaches, system compromise, and financial loss.

Common vulnerable points for Command Injection

Common entry points for Injection attacks include web application forms, user input fields, and API endpoints. Any input that is passed to a shell or command interpreter without proper validation and sanitization can be vulnerable to Command Injection attacks.

For example, vulnerabilities can be introduced in code through improper input validation and sanitization, as well as through the use of system commands that are not properly escaped or sanitized. Examples of vulnerable code include:

perl
$command = $_GET[‘command’];
system(‘ls ‘ . $command);

In the above code, an attacker could inject arbitrary commands into the $command variable, which would then be executed by the system function. Examples of command Injection payloads and techniques include using shell metacharacters to execute multiple commands, appending commands to existing commands, and using the $(…) syntax to execute subcommands. An example of payload using shell metacharacters might look like this:

bash
; cat /etc/passwd

This would execute the cat command to display the contents of the /etc/passwd file.

Real World Examples

Command injection attacks are a serious threat to web applications and have been responsible for numerous security breaches in the past. In this section, we will discuss some real-world examples of this attacks.

1. Shellshock Bash vulnerability:

In 2014, a critical vulnerability was discovered in the Bash shell, which is used on many Unix-based systems. The vulnerability allowed an attacker to execute arbitrary commands by exploiting the way that Bash processed environment variables. This vulnerability affected millions of servers and devices worldwide, including many web servers.

2. EquiFax Data Breach:

In 2017, Equifax suffered a massive data breach that exposed the personal information of over 140 million people. The breach was the result of a command injection attack that targeted a vulnerability in the company’s web application framework. The attackers were able to execute arbitrary commands on the server and steal sensitive data.

These are just a few examples of the devastating consequences of command injection attacks. In each case, the attackers were able to gain unauthorized access to sensitive data by exploiting vulnerabilities in web applications.

Detection and Prevention

To identify Command Injection vulnerabilities, developers should thoroughly review their code for any input that is passed to a shell or command interpreter without proper validation and sanitization. There are several strategies that organizations can use to detect command injection vulnerabilities, including:

1. Manual Code Reviews

Developers should review code for any instances where user input is passed to a command shell or operating system.

2. Automated Testing:

Organizations can use tools like Burp Suite, OWASP ZAP, and Nikto to scan for command injection vulnerabilities automatically.

3. Web Application Firewalls:

WAFs can be configured to detect and block command injection attacks before they reach the server.

There are several techniques that can be used to mitigate Command Injection attacks. Some of these techniques are:

  1. Input Validation: One of the most effective techniques to mitigate Command Injection attacks is to validate all user input. This includes validating the length, format, and type of input. Input validation can be done on the client-side, server-side, or both. It is essential to ensure that the input is sanitized to remove any characters that could be used for injection attacks.
  2. Restricted Shell Access: To prevent attackers from executing arbitrary commands on the server, it is recommended to restrict shell access. This can be achieved by using a chroot jail, a containerization technology like Docker, or by limiting the commands that can be executed by the user.
  3. Principle of Least Privilege: The principle of least privilege is a security best practice that recommends limiting the access and permissions of users to only what is required to perform their tasks. This means that the user should not have unnecessary access to the server or application.
  4. Update and Patch Software: It is essential to keep all software updated and patched to prevent known vulnerabilities that can be exploited by attackers. This includes the operating system, web server, database server, and any other software used in the application.
  5. Use Security Libraries and Frameworks: Using security libraries and frameworks can help in mitigating Command Injection attacks. These libraries and frameworks are designed to handle input validation, encryption, and other security-related tasks.
  6. Monitor and Log Activity: Monitoring and logging activity can help in detecting Command Injection attacks. By monitoring the application and server logs, it is possible to identify suspicious activity and take appropriate action.

That’s all about Command Injection. We will be back with a new vulnerability vey soon. Until then, Good Bye.

Posted on by

Server Side Request Forgery For Beginners

Hello aspiring Ethical Hackers. In this blogpost, you will learn about Server Side Request Forgery. Server Side Request Forgery (SSRF) is a web application vulnerability that can allow attackers to send unauthorized requests from a server. This can lead to a wide range of security issues, such as unauthorized access to sensitive information, system compromise, and data exfiltration and it is one of the most common web application vulnerabilities.

In this article, we’ll discuss what SSRF is, how it works, types of SSRF attacks, examples of SSRF attacks, how to prevent and detect SSRF attacks, and case studies of notable SSRF attacks.

What is Server Side Request Forgery?

Server Side Request Forgery (SSRF) is a web application vulnerability that occurs when an attacker can manipulate a web application into sending unauthorized requests to other servers. In an SSRF attack, an attacker can exploit a web application to send requests to other internal or external servers, bypassing access controls and security mechanisms.

Server Side Request Forgery

SSRF attacks differ from other web application vulnerabilities, such as Cross-Site Scripting (XSS) or SQL Injection (SQLi), in that they do not rely on injecting malicious code into a web page. Instead, SSRF attacks exploit the application’s ability to send requests to other servers.

How SSRF Attacks Work?

  1. The attacker sends a request to the vulnerable web application, often by manipulating a user-controlled input field such as a URL parameter.
  2. The web application processes the request and sends a request to another server, typically based on the user’s input.
  3. The attacker intercepts the request and modifies it to send a request to a different server, often an internal server that is not accessible from outside the network.
  4. The vulnerable web application sends the unauthorized request to the attacker’s desired server, bypassing access controls and security mechanisms.

Common use cases for SSRF attacks include accessing sensitive information on internal servers, bypassing authentication mechanisms, and sending requests to cloud infrastructure providers to obtain credentials or perform other malicious actions.

Types of SSRF attacks

SSRF attacks can be classified into three main categories:

  1. Basic SSRF attacks,
  2. Advanced SSRF attacks, and
  3. Blind SSRF attacks.

Basic SSRF Attacks:

Basic SSRF attacks are the simplest form of SSRF attacks and involve manipulating user-controlled input to send unauthorized requests to other servers. These attacks can be prevented by validating and sanitizing input, limiting the scope of the request, and restricting the types of URLs that can be accessed.

Advanced SSRF Attack:

Advanced SSRF attacks are more complex and involve chaining together multiple vulnerabilities to achieve the desired result. These attacks can involve exploiting logic flaws, race conditions, or other vulnerabilities to bypass security mechanisms and gain access to sensitive information.

Blind SSRF Attack:

Blind SSRF attacks are a type of SSRF attack where the attacker does not receive a direct response from the target server. Instead, the attacker can use timing or error messages to determine whether the request was successful. Blind SSRF attacks can be more difficult to detect and prevent as the attacker is not receiving a direct response.

Real World Examples of SSRF Exploitation

SSRF attacks can have a wide range of consequences, from accessing sensitive information to system compromise and data exfiltration. Here are some examples of real-world SSRF attacks.

1. Yahoo Data Breach:

In 2016, Yahoo suffered a massive data breach that exposed the personal information of over 500 million users. The attack was carried out using an SSRF vulnerability that allowed the attacker to access Yahoo’s internal systems and steal the user data. The attacker used a common vulnerability in Yahoo’s image processing system that allowed users to submit URLs to be resized or cropped. By submitting a specially crafted URL that included instructions to access Yahoo’s internal systems, the attacker was able to gain access to sensitive information and cause widespread damage.

2. CapitalOne Data Breach:

In 2019, when Capital One suffered a massive data breach that exposed the personal information of over 100 million customers. The attack was carried out by exploiting an SSRF vulnerability in Capital One’s web application firewall, which allowed the attacker to access the company’s AWS server and steal sensitive information. The attacker was able to use the SSRF vulnerability to obtain AWS credentials and gain access to the server, which contained sensitive information such as names, addresses, credit scores, and Social Security numbers.

3. Shopify:

In 2018, a security researcher discovered an SSRF vulnerability in Shopify that allowed an attacker to obtain the API keys for the company’s payment gateway. By exploiting the vulnerability, the attacker was able to obtain sensitive information and perform unauthorized transactions.

4. Tesla Cloud Credential Theft:

In 2018, a researcher discovered an SSRF vulnerability in Tesla’s cloud infrastructure that allowed them to obtain access tokens for the company’s AWS account. The attacker was able to use the access tokens to launch instances in the company’s AWS account and perform other malicious actions.

5. Jenkins CI Server Compromise:

In 2017, a vulnerability in the Jenkins CI server allowed an attacker to compromise the server and gain access to sensitive information. The vulnerability was caused by an SSRF vulnerability that allowed the attacker to access internal servers.

Prevention and Detection

Preventing and detecting SSRF attacks requires a combination of secure coding practices, network security measures, and security testing. Here are some best practices for preventing and detecting SSRF attacks:

1. Secure Coding Practices

Using secure coding practices can help prevent SSRF vulnerabilities from being introduced into the application. Developers should validate and sanitize user input, limit the scope of requests, and restrict access to sensitive information and systems.

2. Restricting External Requests:

Restricting external requests can help prevent unauthorized requests from leaving the network. Applications should only be able to send requests to approved external servers, and any user input should be validated and sanitized before being used in a request.

3. Network Security Measures:

To prevent SSRF attacks, it’s essential to implement network security measures that restrict unauthorized requests from leaving the network. Best practices include using a Firewall and implementing access controls.

A firewall can help restrict incoming and outgoing traffic, preventing unauthorized requests from leaving the network. Firewalls can be configured to block requests to specific IP addresses or ranges, limiting the scope of potential SSRF attacks. Implementing access controls can help prevent unauthorized users from accessing sensitive information or systems. Access controls can be used to restrict access to internal servers and APIs, limiting the scope of potential SSRF attacks.

Posted on by

Beginners guide to Koadic

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about Windows POST exploitation. In this article, you will learn about Koadic, a Windows POST exploitation toolkit.

Koadic is similar to other pen testing tools like Empire and meterpreter in its functioning but performs most of its operations using Windows Script host (JScript/VBScript). It also has the capability to serve payloads in memory and also has encrypted communication over SSL and TLS.

Let’s see how this tool works. For this, we will be using Kali Linux as attacker machine as Koadic is available by default in its repositories. As target system, we will be using Windows 10 as part of the virtual hacking lab (just replace Metasploitable 2 with Windows 10).

Koadic can be started with the command shown below.

koadic

Here’s how the interface of koadic looks.

There are three important things you need to understand about koadic. They are,

1. Stagers,
2. Zombies and
3. Implants.

Stagers are the methods through which you gain access to the target system. You can view all stagers of Koadic by using command shown below.

use stager/js/ <TAB> <TAB>

For the purpose of this article, let’s select mshta stager. This stager creates a HTA attack to gain initial access. To view the information about this stager, you can use “info” command.

All the options are automatically set (including Attacker IP address). If you want to change any option, you can do that using the “set” command (Set SRVHOST <attacker IP> etc). After setting all the options, you can execute the module using “run” command.

It creates an URL with a command. This command needs to be executed on the target system. Just because it is an URL, don’t make the mistake of executing in a browser as shown below.

You will get a zombie but it will time out immediately as shown below.

Open a CMD (remember, you are in Post-exploitation stage after already gaining access) and execute the command as shown below.

You will get a LIVE zombie as shown below.

It’s time to define a Zombie in koadic. Zombies in koadic are like a shell back or a session (similar to meterpreter in Metasploit). You can view all the zombies you got using “zombies” command.

You can interact with a specific zombie using command as shown below.

zombies <id of the zombie>

Next come implants. Implants in koadic is a name for all Post-exploitation operations or operation modules. You can view all the implants just like you viewed stagers.

use implant <TAB> <TAB>

They are divided into sections based on the purpose they fulfill. For example, let’s see all gather modules. Gather implants help in gathering information about the target system.

For example, let’s see the “enum_users” implant. This implant as its name implies enumerates all users on the target Windows system.

All you have to do to use the implant is to set the ID of the Zombie and execute it.

As you can see, there is only one user on the target system. His name is ADMIN.

Manage implants help us to enable features that help in managing target system. These features include remote desktop, killing AV or executing a command on the target system.

Let’s use the “exec_cmd” implant that executes a command we want on the target system.

By default, it is set to execute the command “hostname” on the target system and display its result. As you can see, we got the hostname displayed successfully.

The “phish” implants do what they do. They phish the target users. For example. let’s use it to capture passwords.

When executed, it pops up a window on the target system asking for his/her password as shown below.

If the target user falls for it, his password is captured. This implant can be used to get any password with a bit of social engineering of course.

The “fun” section of implants has implants related to having fun like sending a voice message to target user, thunderstruck etc.

The inject implants inject code into processes.

The ‘util’ implants are useful for uploading and downloading files to and from the target system.

Koadic has implants that are used for establishing persistence.

Similarly, there are even implants that help in privilege escalation.

The zombie we got at the beginning of this blogpost is a low privileged zombie. Let’s use fod helper implant to get a zombie with elevated privileges on the target system.

Set the payload as ‘0’ and set the zombie ID.

After all the options are set, execute the implant as shown below.

We have a new zombie (id 4). Let’s check its privileges.

As you can see, we now have an elevated session. That’s all about Koadic – Windows post exploitation framework. Learn how to use Nishang and PowerSploit for Windows post-exploitation.

Posted on by

Password cracking for beginners

Hello aspiring Ethical hackers. In this article, you will learn what is password cracking and various types of password cracking. In Ethical hacking, password cracking is recovering passwords from data that has been stored in or transmitted by a computer system. Hackers use password cracking to grab credentials which can be helpful in further exploiting of the system. There are various password cracking techniques. They are,

1. Shoulder Surfing
2. Password Guessing
3. Dictionary Attack
4. Brute Force Attack
5. Rainbow Table Attack  
6. Phishing
7. Sniffing
8. Malware

Let’s learn in detail of each attack.

1. Shoulder Surfing

Shoulder Surfing is one of the easiest password cracking techniques that doesn’t require use of any technology. In shoulder surfing, the hacker stands behind (or sits behind, position is not really important) the victim when he is entering his credentials and captures the credentials by simple observation. As you can see, this is the easiest way to capture credentials of the target.

2. Password Guessing

Another password cracking technique that doesn’t require any technology. In this technique, hacker tries to guess the password of the victim using his own mind. You may be surprised but this technique yielded me results at least 20% of the total attempts made.

3. Dictionary Attack

In a dictionary attack, a hacker uses a dictionary to crack passwords. A dictionary or wordlist has a huge list of words (possible passwords), each one of which is tried as a password. In Kali Linux, the dictionary or wordlists are present in /usr/share/dirb/wordlists directory.

4. Brute Force Attack

In a brute force attack, hackers use every possible criteria or password to crack the credentials. A brute force attack may be slow but it will eventually crack the password. A brute force attack works by calculating the hash function of every password string it has and compares it with one on the target system or victim.

5. Rainbow Table Attack

To understand Rainbow Table Attack, you need to first understand what is a Rainbow Table. A Rainbow Table is a database that contains huge list of plaintext passwords and their precompiled hashes. Unlike a Brute Force attack, Rainbow table attack bypasses calculation of a hash for every password string as it already has a pre compiled list of hashes.

6. Phishing

Phishing is one of the easiest methods to crack passwords. You have already learnt about phishing in our previous blogposts.

7. Sniffing

Sniffing or Man In The Middle (MITM) attack can also be used to crack passwords while they are on transit in a network.  Learn more about sniffing here.

8. Malware

Malware is another way hackers capture credentials of their victims. Once hackers gain initial access to a system, they install malware which allows hackers to not only perform further malicious actions but also capture user credentials from the target system.