Posted on

JoomScan: Joomla vulnerability scanner

Hello, aspiring ethical hackers. In this blogpost, you will learn about JoomScan, a vulnerability scanner designed for Joomla. Joomla is one of the most popular CMSs, widely used for its flexibility, user-friendliness and extensibility. Popularity has its own cost in the cyber world, so it is helpful if pen testers know the vulnerabilities in their Joomla CMS before any hacker takes advantage of them.

JoomScan is one such tool. It helps web developers and web masters identify possible security weaknesses on their deployed Joomla! sites.

The features of JoomScan include:

  1. Exact version probing
  2. Common Joomla! based web application firewall detection
  3. Searching known vulnerabilities of Joomla! and its components
  4. Reporting to text and HTML output
  5. Immediate update capability via the scanner or svn

    JoomScan is open source and is installed by default in almost all pen testing distros. We will be using Kali Linux for this tutorial. Now let’s see how to use this tool. Open a terminal and type the command “joomscan update” to update the tool first.

    Once the tool is updated as shown above, type the command “joomscan” to see the options as shown below.

    Next, give the target Joomla website as shown below. In this howto, I’m using my own Joomla website.

    The result would look like the one below. We see that our target doesn’t have any firewall, its server is Apache and it is powered by PHP version 5.3.10. Unfortunately it didn’t detect the Joomla version. Hmm, no probs.
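Where a result like this comes from can be seen in the target’s own HTTP response. The Python below is an added example, not JoomScan’s code: it fingerprints a constructed response (the Server, X-Powered-By and generator values are assumptions modelled on the result above) and turns the leaks into the settings a site owner should change.

```python
import re

# Constructed HTTP response (not captured from a real site), modelled on the post:
# Apache without a version, PHP 5.3.10 leaked, Joomla version not exposed.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" />'
    "</head><body></body></html>"
)

# A couple of well-known response headers that reveal a WAF/CDN in front of the site.
WAF_HEADER_HINTS = {"cf-ray": "Cloudflare", "x-sucuri-id": "Sucuri"}


def parse_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def fingerprint(raw):
    """Recover what the scanner reported: firewall, server, PHP and Joomla versions."""
    headers, body = parse_response(raw)
    waf = [name for hdr, name in WAF_HEADER_HINTS.items() if hdr in headers]
    php = re.search(r"PHP/([\d.]+)", headers.get("x-powered-by", ""))
    gen = re.search(r'<meta name="generator" content="([^"]*)"', body)
    # The generator tag only carries a version number if the site owner left one in.
    joomla = re.search(r"Joomla!\s*([\d.]+)", gen.group(1)) if gen else None
    return {
        "firewall": waf[0] if waf else None,
        "server": headers.get("server"),
        "php_version": php.group(1) if php else None,
        "joomla_version": joomla.group(1) if joomla else None,
    }


def disclosure_findings(fp):
    """Turn the fingerprint into the hardening items a site owner should act on."""
    findings = []
    if fp["php_version"]:
        findings.append("X-Powered-By leaks the PHP version: set expose_php = Off in php.ini")
    if fp["server"] and "/" in fp["server"]:
        findings.append("Server header leaks the Apache version: set ServerTokens Prod")
    return findings
```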

    Next it will scan for known vulnerabilities and check whether this site is vulnerable to each one, as shown below.

    At the end, it will show us the number of vulnerabilities present in our target.

    We can see that our target has 2 vulnerabilities as shown in the above image. We will see how to exploit those vulnerabilities in our future howtos. For now, we have successfully performed a vulnerability assessment of our target. Learn about WPScan, a tool used for WordPress vulnerability scanning.

    Hacking Metasploitable 2: Port scan output

    This howto is part of a series called Hacking Metasploitable, so it would be good if you follow it as part of that series. Today we will see scanning and banner grabbing of Metasploitable. Scanning is the second stage of hacking, where we gather more information about our target. Imagine a scenario where we got the IP address range of our target and we want to check how many live systems are there. This is network scanning. There are many tools in our attacker system, but we will use Zenmap. Open a terminal and type the command “zenmap”. It will open a GUI tool as shown below. Give the IP address range as shown below (192.168.25.100-130; it may differ for you) and select “ping scan”. Then click on “scan”. It will show all the live systems. In our case, only Metasploitable.

    Now let’s do port scanning of the live system. In the target field, specify only the IP address of Metasploitable. In Profile, select “slow and comprehensive scan” and click on “scan”. It will show all the open ports as shown below.

    But there is another tool which is widely used for port scanning: Nmap. Nmap is a versatile port scanner (Zenmap is the GUI version of Nmap). The default way to use Nmap is shown below. It lists all the open ports.

    Next we will see how to grab banners. Banners display information about the type of service running on the open ports of our target. This can reveal important information about our target which can be used for hacking. The Nmap command for banner grabbing and its results are shown below. We got a lot of banners.

    Next we will use Nmap to find out the operating system of our target. The command is given below.

    The OS details are given below.

    There is another way of grabbing banners: telnetting to each open port as shown below. The results can also be seen.
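As an added illustration of the telnet step (example code, not from the original post or from Nmap), the script below starts a throwaway listener on localhost with a constructed banner and grabs it the way telnet would, which is also how you check what your own services volunteer before a scanner does. The banner text and the localhost port are assumptions.

```python
import socket
import threading

# Constructed banner for a local stand-in service (not captured from Metasploitable).
FAKE_BANNER = b"220 (ExampleFTPd 1.0) ready.\r\n"


def serve_banner(banner):
    """Start a throwaway TCP listener on localhost that greets one client with
    `banner` and hangs up. Stands in for an open port on the lab target and
    returns the port number it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))              # port 0: let the OS pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0):
    """Connect and return whatever the service volunteers before we send anything.
    This is the non-interactive form of the telnet step: services that wait for the
    client to speak first (HTTP, for example) return '' instead of hanging."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("ascii", errors="replace").strip()


def grab_banners(host, ports):
    """Banner-grab a list of open ports, as you would after the port scan above."""
    return {port: grab_banner(host, port) for port in ports}


if __name__ == "__main__":
    port = serve_banner(FAKE_BANNER)
    print(grab_banners("127.0.0.1", [port]))
```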

    That’s all in Hacking Metasploitable: Information Gathering stage.

    Beginners guide to Veil framework

    Hello, aspiring ethical hackers. In our previous blogpost, you learnt about some Antivirus bypass techniques used by hackers to keep their payloads undetected. In this blogpost, you will learn about Veil Framework, a tool to generate Metasploit payloads that can bypass common anti-virus solutions.

    Veil framework is officially supported on Debian 8 and Kali Linux rolling 2018+. It may also run on Arch Linux, Manjaro Linux, Black Arch Linux, Deepin 15+, Elementary, Fedora 22+, Linux Mint, Parrot Security, Ubuntu 15.10+ and Void Linux.

    For this tutorial, we will be using Kali Linux. Veil framework can be installed either directly with apt or by downloading it from GitHub. Veil can be installed on Kali using apt as shown below.

    This simple command will install all the dependencies and software Veil requires, like Wine.

    After successful installation, Veil can be started using the command shown below.

    As you can see, Veil has two tools installed: Evasion and Ordnance. Let’s focus on the evasion part for this article. We can use the command shown below to start the evasion tool.

    As you can see, Veil says that 41 payloads have been loaded and it displays the commands available in the Veil Evasion menu. To see all the payloads Veil can create, use the command “list” as shown below.

    You can select the payload you want to create as shown below. For example, here I want to create the powershell/meterpreter/rev_tcp.py payload, so I use its number as shown below.

    Along with the payload information, the options required for this payload are also displayed, along with the available commands.

    The required options can be set just like in Metasploit. For example, set lhost using the command

    set lhost <attacker ip>

    After all the options are set, we can create the payload using the “generate” command.

    You will be prompted to give a name to your output payload. Press Enter to continue. The payload is successfully created as shown below.

    Complete guide to meterpreter: Part 1

    Hello aspiring hackers. In this article we present you a meterpreter cheat sheet. Since I am writing many howtos on how to exploit different vulnerabilities in both web applications and operating systems using Metasploit, I thought maybe it would be helpful for beginners to make a guide to Meterpreter, since it is the most widely used payload for our exploits. That raises the question of what a payload is, which further raises the question of what an exploit is. See how to upgrade a normal command shell to meterpreter.

    To put it clearly, an exploit is “a defined way in which to take advantage of the given vulnerability”. Imagine a house (containing lots and lots of money) locked with a complex number lock that is almost impossible to decode, but the lock has a weakness: if you hit it very hard, the lock may break. This is its vulnerability. Now to take advantage of this vulnerability, we need something like a HAMMER to hit it very hard. Here, the hammer is our exploit.

    Now let us define payload. A payload defines what exactly we want to do after a system is exploited. And here, meterpreter is our payload. Meterpreter has a lot of advantages over other payloads. It is powerful, extensible and most importantly stealthy. It uses encrypted communication, writes nothing to disk and doesn’t create any new processes. Ok, Ok, Ok. That’s a lot of theory. Now let’s get to the main concept of this howto. For this howto, I have exploited a Windows system with Kali Linux and acquired a meterpreter session. As soon as you get the meterpreter session, type “?” or “help”. This will give all the commands available with meterpreter. In this Part 1, we will see all the file system commands. As the name implies, these commands are used in filesystem manipulation.

    1. pwd

    The first command we will see is “pwd”, which stands for “print working directory”. It shows the current working directory on the remote system as shown below.

    2. cd

    “cd” stands for “change directory”. This command is used to change our working directory on the remote machine. The command “cd ..” means going one directory back. Here we did it twice to go to the “C:\” directory.

    3. ls

    The “ls” command is used to list files and directories. For example, I want to see the contents of the Desktop on my remote system. Navigate to that directory and type the command “ls”. As shown below, we can see the files and directories on the Desktop of the remote machine.

    4. cat

    The “cat” command allows us to create single or multiple files, see the contents of a file, concatenate files and redirect output to the terminal or to files as we require. Here, we will use the “cat” command to view the contents of the file h323log present on the remote system as shown below.

    5. edit

    The “edit” command is used to edit a file. It opens the file in the Vi editor, in which we can make changes as shown below.

    Here I have deleted two lines in the file.

    6. mv

    The “mv” command is used to move files to another directory as shown below. Here, we have moved the file h323log.txt to another directory called “cracked”.

    7. search

    The “search” command is used to search for specific files on the remote system as shown below.

    8. download

    The “download” command is used to download any files from the remote system to our system. For example, let us download the samspade file present on the Desktop of the remote system to our system as shown below.

    9. lpwd, getlwd, getwd

    The “lpwd” and “getlwd” commands are used to print the local working directory, i.e. the working directory of the attacker system. The “getwd” command is used to get the working directory of the remote system.

    10. lcd

    The “lcd” command is used to change the local working directory as shown below.

    11. upload

    The “upload” command is used to upload any files to the remote system from our local system. Here, we have to give the exact path on the remote system where we want to upload our file as shown below.

    12. rm

    The “rm” command is used to delete files on the remote system. We generally use this command to delete any executable files we have uploaded so that our victim doesn’t get suspicious.

    13. rmdir

    The “rmdir” command is used to delete directories, since the “rm” command cannot do it. Its usage is shown below.

    14. mkdir

    The “mkdir” command is used to create new directories or folders on the remote system as shown below.

    Hope this meterpreter cheat sheet was helpful. I will be back with part 2 of the meterpreter cheat sheet soon.

    Beginners guide to mdk3

    Good evening friends. Today we will learn how to perform a Wifi DoS attack on Wifi networks. We will use a tool called mdk3, which is inbuilt in Kali Linux, and we need a compatible wifi adapter for this attack. DoS stands for Denial of Service. If all is set, open a terminal and type the command “mdk3” to see the various attacks available in this tool as shown below.

    Scroll down to see more options. We can see the various testing modes available in this tool. We will use the deauthentication attack for this Wifi DoS. As the name implies, this attack disconnects all clients connected to the wifi network.

    Before we start our attack, we have to start our adapter in monitor mode. Type the command “airmon-ng start wlan0” (where wlan0 is your wifi interface and may differ for you).

    Then type the command “mdk3 mon0 d -i <ESSID name>” and you will see the tool disconnecting all the clients connected to the Wifi network you are targeting. Here,

    “mon0” – is the interface where monitor mode has been started. This can be different for you.

    d – is the deauthentication mode

    ESSID – is the name of the Wifi network.
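From the defender’s side, a deauthentication flood like this is easy to spot in a monitor-mode capture: one BSSID suddenly emits a burst of deauth frames addressed to the broadcast MAC. The Python below is an added example, not part of the original post or of mdk3: it parses constructed 802.11 deauthentication frames and flags any BSSID that exceeds a rate threshold (the MAC addresses, window and threshold are assumptions).

```python
import struct
from collections import defaultdict

DEAUTH_SUBTYPE = 0x0C                    # management frame (type 0), subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame):
    """Parse the 802.11 header of a frame; return None unless it is a deauthentication.
    Layout: FC(2) duration(2) addr1/DA(6) addr2/SA(6) addr3/BSSID(6) seq(2) reason(2)."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH_SUBTYPE:
        return None
    return {"dst": mac_to_str(frame[4:10]), "src": mac_to_str(frame[10:16]),
            "bssid": mac_to_str(frame[16:22]), "reason": struct.unpack("<H", frame[24:26])[0]}


def build_deauth(dst, src, bssid, reason=7):
    """Constructed test frame (not a capture): FC byte 0xC0 = type 0, subtype 12."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([0xC0, 0x00]) + b"\x3a\x01" + mac(dst) + mac(src) + mac(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: list of (timestamp, raw_frame) as a monitor-mode capture would yield.
    Flags each BSSID that sends more than `threshold` deauth frames within `window`
    seconds; a broadcast destination is the tell-tale of every client being kicked."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        d = parse_deauth(raw)
        if d:
            per_bssid[d["bssid"]].append((ts, d["dst"] == BROADCAST))
    alerts = {}
    for bssid, events in per_bssid.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window
                start += 1
            if end - start + 1 > threshold:
                alerts[bssid] = {"count": end - start + 1,
                                 "broadcast": any(bc for _, bc in events[start:end + 1])}
                break
    return alerts
```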

    Hope this was helpful. Learn how to crack wifi passwords.