Posted on

How to create a payload

Hello, aspiring ethical hackers. In this blogpost, you will learn what a payload is and how to create one manually. Note that this is for educational purposes only and not for performing any malicious actions. The aim of this article is to give you a basic understanding of how a payload is built. Let's start by defining what exactly a payload is.

What is a payload?

A payload in cyber security is the piece of code that runs after an exploit has successfully taken advantage of a vulnerability. Once a Proof of Concept (PoC) for a vulnerability is public, anyone who can reproduce the exploit can attach a payload of their choosing: malware, a reverse shell, a RAT, ransomware, or something custom-written.

For example, the MS08-067 vulnerability was exploited in the real world to deploy the Conficker worm as its payload, whereas in a Metasploit pen test the same exploit is usually paired with a Meterpreter payload. Payloads can be produced with payload generators in a single command, but building one by hand is far more instructive.

Creating a payload consists of six steps:

  1. Decide the function you want your payload to perform.
  2. Select a programming language in which to code your payload.
  3. Code the payload.
  4. Compile the payload (if necessary).
  5. Test the payload.
  6. Share the payload.

Let’s learn about each step in detail.

1. Function of a payload:

Before you start coding a payload, you need to decide exactly what it should do. In the real world, payloads perform many functions, including downloading and installing additional payloads, wiping data from the infected system and taking complete control of it. For this walkthrough, the payload will simply open the Firefox browser when executed.

2. Choose your language:

After deciding what the payload should do, the next thing to choose is the language to write it in. Payloads can be written in compiled languages such as C, C++, C#, Delphi and Visual Basic, in interpreted languages such as Python and Ruby, or in scripting languages such as JavaScript, Batch, Bash and PowerShell. Choose whichever you are comfortable with. For this example, the payload is written as a Batch script.

3. Write code:

Once you have chosen the language, write the payload. For a Batch script, open Notepad, add the lines shown below and save the file with a .bat extension.

@echo off
rem Demonstration payload: launch the Firefox browser
start firefox.exe

4. Compile (if necessary):

Compiling converts source code into machine code that the CPU can execute directly. A Batch script is interpreted by cmd.exe line by line, so it needs no compilation; the same goes for Python, which is interpreted. Programs written in C, C++ or C# must be compiled before they can run. Compiled programs are usually faster than interpreted ones.

5. Test the payload:

Once the payload is written (and compiled, if needed), test it by executing it. Running the Batch file created above opens the Firefox browser.


6. Share the payload:

The last step is delivering the payload so that the target user executes it. Attackers normally rely on social engineering or phishing to spread it.


Complete guide to sherlock tool

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what OSINT is, its importance in ethical hacking and the different types of OSINT. In this blogpost, you will learn about Sherlock, an OSINT tool.

Sherlock's role in OSINT is gathering information from social media. It hunts for a particular username across many social networks, relying on the fact that most sites expose a profile URL that contains the username chosen at registration.

For each site, Sherlock requests that URL and uses the response (the HTTP status code, a "user not found" message in the page body, or a redirect) to decide whether an account with that username exists there. It can search over 300 social networks, including Apple Developer, Arduino, Docker Hub, GitHub, GitLab, Facebook, Bitcoin Forum, CNET, Instagram, Play Store, PyPI, Scribd, Telegram, TikTok and Tinder.

Let's see how this tool works. I will be using Kali Linux, which carries Sherlock in its repositories, so it can be installed with apt.


The simplest way to query a username with Sherlock is to supply the username as the only argument.


Searching on a particular social media site (--site)

Instead of checking a username on every supported site, you can restrict the search to a single site with the --site option. For example, let's search for a username on Twitch only.


Searching for similar usernames

Sometimes the username you are looking for differs slightly from the one you know. Sherlock can search for such variants if you put the {?} placeholder in the username.


Here, {?} is replaced in turn with an underscore (_), a hyphen (-) and a period (.), and each resulting username is searched.
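To make concrete what the two preceding sections describe (the URL-template check explained at the top of the post and the {?} expansion just above), here is an added Python example. It is not Sherlock's own code: the three site entries, the response table and the domain names are constructed for the example, and the network is replaced by a lookup in that table so it runs offline. The three rule types ("status_code", "message", "response_url") are the ones Sherlock's site list uses to tell a profile page from a "no such user" page.

```python
"""Added example: a username hunt in the style of Sherlock, run against
constructed sites and canned responses instead of the real network."""
import re
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    url: str             # "{}" is replaced with the username
    error_type: str      # "status_code", "message" or "response_url"
    error_msg: str = ""  # text that marks a "no such user" page (message rule only)


# Constructed site entries for this example (not Sherlock's site list).
SITES = [
    Site("ExampleHub", "https://examplehub.test/{}", "status_code"),
    Site("Pasteboard", "https://pasteboard.test/u/{}", "message", "No such user"),
    Site("Chatter", "https://chatter.test/@{}", "response_url"),
]

# Usernames end up inside URLs, so refuse anything that could alter the request.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,64}$")


def expand_username(username):
    """Expand the {?} wildcard: one candidate each for '_', '-' and '.'."""
    if "{?}" not in username:
        return [username]
    return [username.replace("{?}", ch) for ch in ("_", "-", ".")]


def claimed(site, status, body):
    """Decide whether one response looks like an existing profile page."""
    if site.error_type == "status_code":
        return 200 <= status < 300          # profile pages give 2xx, unknown users 404
    if site.error_type == "message":
        return site.error_msg not in body   # site answers 200 either way, so look for the text
    if site.error_type == "response_url":
        return 200 <= status < 300          # redirects not followed: a 3xx means "no profile"
    raise ValueError(f"unknown error type {site.error_type!r}")


# Constructed responses standing in for the network: url -> (status, body)
FAKE_RESPONSES = {
    "https://examplehub.test/hackercool": (200, "<h1>hackercool</h1>"),
    "https://pasteboard.test/u/hackercool": (200, "<h1>hackercool's pastes</h1>"),
    "https://chatter.test/@hackercool": (302, ""),
    "https://chatter.test/@hacker_cool": (200, "<title>@hacker_cool</title>"),
}


def fake_fetch(url):
    if url in FAKE_RESPONSES:
        return FAKE_RESPONSES[url]
    if url.startswith("https://pasteboard.test/"):
        return (200, "<p>No such user</p>")   # this site says 200 for everything
    return (404, "Not Found")


def hunt(username, sites=SITES, fetch=fake_fetch):
    """Return {(site name, candidate): True/False} for every candidate on every site."""
    candidates = expand_username(username)
    for c in candidates:
        if not USERNAME_RE.match(c):
            raise ValueError(f"refusing to put {c!r} into a URL")
    return {(site.name, c): claimed(site, *fetch(site.url.format(c)))
            for c in candidates for site in sites}


def found_only(results):
    """The default report: only the (site, username) pairs that were found."""
    return sorted(key for key, hit in results.items() if hit)


if __name__ == "__main__":
    results = {**hunt("hackercool"), **hunt("hacker{?}cool")}
    for site, name in found_only(results):
        print(f"[+] {name} on {site}")
```

The "message" rule is the fragile one: it breaks silently when a site reworks its "not found" page, which is exactly the situation where Sherlock's --dump-response option earns its keep.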

Searching for multiple usernames at once

You can also search for several usernames in one run by listing them all on the command line. For example, let's search for "hackercoolmagazine" and "hackercool" on Instagram.


Using a proxy while searching (--proxy)

You can route the queries through a proxy with the --proxy option, which hides your own IP address from the sites being queried. Keep in mind that this does not make the lookups anonymous by itself: the proxy operator still sees every request.


Dump the entire HTTP response (--dump-response)

With the --dump-response option, Sherlock prints the full HTTP response of each site it queries. This is useful when a site's detection rule seems to give wrong results.


Timeout (--timeout)

By default, Sherlock waits 60 seconds for a response to each request it makes. The --timeout option changes this; the value is given in seconds.


Print all the output (--print-all)

By default, Sherlock prints only the social networks where the username was found. With --print-all, it prints every site it queries, along with the reason the username was not found there.


Print only positives found (--print-found)

The --print-found option prints only the social networks on which the username was found, which is also the default behaviour.


Browse (--browse)

With the --browse option, Sherlock opens each result page in your default browser.


Search NSFW sites too (--nsfw)

By default, Sherlock skips the sites flagged NSFW in its site list. The --nsfw option includes them in the search.


Writing the output to a file

Like most tools, Sherlock can write its results to a file of your choice with the "-o" (--output) option.



Beginners guide to Hping3

Hello, aspiring ethical hackers. In this blogpost, you will learn about a tool named hping3. Hping3 is a command-line packet crafter that sends custom ICMP, TCP, UDP and raw IP packets and displays the target's replies, much as ping does with ICMP. It can be used to send echo requests, scan ports, test network performance with different protocols, perform traceroute, fingerprint target operating systems, test firewall rules and even launch DoS attacks.

Let's see some uses of this tool. We will be using Kali Linux, on which hping3 is installed by default, with Metasploitable 2 in our virtual hacking lab as the target. Let's begin.

The simplest way to use hping3 is to give it just a target IP address.


hping3 sends one packet per second and prints each reply, much like ping does. Note that without any mode option these are TCP packets, not ICMP echo requests (see Modes below).

Modes

Hping3 supports several modes and protocols. By default, it uses TCP, sending a TCP segment with no flags set to port 0 of the target, with a window size of 64.

The first example above used this default. hping3 supports more modes, selected with the following options.

Raw IP mode (-0 or --rawip):

In this mode, hping3 sends bare IP headers with the data appended to them.

ICMP mode (-1 or --icmp):

In this mode, hping3 sends ICMP echo requests by default; the ICMP type and code can be changed.


UDP mode (-2 or --udp):

In this mode, hping3 sends UDP datagrams to port 0 of the target host.

Listen mode (-9 or --listen):

In this mode, hping3 acts as a listener: it waits for incoming packets that contain a specified signature and dumps the data that follows it.

Scan mode (-8 or --scan):

In this mode, hping3 expects an argument describing the groups of ports to scan, for example a range such as 1-1024, a comma-separated list such as 22,80,443, or the keyword all.


Detailed output (-V)

To get more detailed output, raise the verbosity with the "-V" (--verbose) option as shown below. Note the case: lowercase "-v" prints the hping3 version instead.


Spoofing your address (–spoof)

hping3 also lets you spoof the source address of the packets you send with "-a" (--spoof). Replies then go to the spoofed address rather than to you, so this is useful for testing filters or for idle scans, not for getting responses back.


Send data to a specific port (-p)

To see how individual ports on the target react to a given packet, set the destination port with the "-p" option as shown below.


Number of packets to send (-c)

In the above example, hping3 keeps sending packets until stopped. You can limit the number of packets with the "-c" option. Let's send just one packet to target port 80.


You can set any number of packets you want.


In the above image, there are no replies from target port 80. That is because the default packet carries no TCP flags at all: a listening (open) port silently drops such a segment, whereas a closed port answers it with a RST. Let's send the same packet to a closed port, such as port 8, and see the difference.


Now we get a reply (a RST). Let's send a SYN to port 80 of the target and see how it responds.


As expected, port 80 answers with SYN-ACK, meaning it is open. Let's see how it reacts to an ACK probe.


It replies with a RST, which for an ACK probe tells us the port is not blocked by a stateful firewall. In the same way, by choosing which flags to set (-S, -A, -F, -P, -U, -R, -X, -Y), we can reproduce most of the TCP scans that Nmap performs.
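To show what hping3 is actually putting on the wire in the probes above, and how the replies are read, here is an added Python example (not hping3's code). It builds a raw IPv4 and TCP header with the same defaults the text mentions (window 64, no flags unless asked), verifies the checksums, and maps the flags of a reply to a port state the way the SYN, ACK and NULL probes were interpreted by hand. The addresses are constructed for the example and nothing is sent; putting these bytes on the network needs a raw socket and root, which is left out deliberately.

```python
"""Added example: hand-built IPv4/TCP probe packets of the kind hping3 sends,
plus the flag interpretation behind SYN, ACK and NULL probes."""
import socket
import struct

# TCP flag bits (RFC 793); hping3's -F -S -R -P -A -U set these one at a time
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src: str, dst: str, payload_len: int, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (no options) carrying TCP. `src` is whatever we claim
    it is, which is all that --spoof changes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The pseudo-header the TCP checksum covers in addition to the segment."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, tcp_len)


def tcp_header(src, dst, sport, dport, flags, seq=0, window=64) -> bytes:
    """20-byte TCP header. Window 64 and an empty flag set are hping3's defaults."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, window, 0, 0)
    csum = checksum(pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_probe(src, dst, dport, flags=0, sport=40000) -> bytes:
    """Full IPv4+TCP packet as `hping3 -p <dport> [-S|-A|...]` would emit it."""
    tcp = tcp_header(src, dst, sport, dport, flags)
    return ip_header(src, dst, len(tcp)) + tcp


def tcp_checksum_ok(src, dst, tcp: bytes) -> bool:
    """A correct checksum makes the one's-complement sum of the whole segment zero."""
    return checksum(pseudo_header(src, dst, len(tcp)) + tcp) == 0


def tcp_flags(packet: bytes) -> int:
    """Read the six classic flag bits from a captured IPv4+TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!H", packet[ihl + 12:ihl + 14])[0] & 0x3F


def interpret(probe_flags: int, reply_flags) -> str:
    """Map (flags we sent, flags we got back or None) to the port state the text
    derived by hand: SYN->SYN/ACK open, SYN->RST closed, ACK->RST unfiltered,
    NULL->silence open|filtered, NULL->RST closed."""
    if probe_flags & SYN:
        if reply_flags is None:
            return "filtered"
        if reply_flags & RST:
            return "closed"
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
    elif probe_flags == ACK:
        return "unfiltered" if reply_flags is not None and reply_flags & RST else "filtered"
    else:  # NULL, FIN or Xmas style probes
        if reply_flags is None:
            return "open|filtered"
        if reply_flags & RST:
            return "closed"
    return "unexpected"


if __name__ == "__main__":
    # constructed addresses: attacker 10.0.0.5, target 10.0.0.9
    probe = build_probe("10.0.0.5", "10.0.0.9", 80, SYN)
    reply = build_probe("10.0.0.9", "10.0.0.5", 40000, SYN | ACK, sport=80)  # what an open port sends
    print(probe.hex())
    print("port 80:", interpret(tcp_flags(probe), tcp_flags(reply)))
```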

Denial of Service (DoS) attack

We can also perform DoS attacks with hping3. It has several options for sending packets to a target at a high rate.

--fast:

With this option (an alias for -i u10000), hping3 sends 10 packets per second to the target. For example, let's send SYN packets to target port 80.


--faster:

This option (an alias for -i u1) sends packets faster than --fast, as fast as hping3's timer-driven design allows.

--flood:

As the name implies, this sends packets as fast as possible, without even pausing to display incoming replies.



Complete guide to fcrackzip

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about various methods of password cracking. In this blogpost, you will learn about fcrackzip, a tool that cracks the passwords of zip archives. fcrackzip is a fast password cracker partly written in assembler. It can crack password-protected zip archives by brute force or with a dictionary.

This tool is useful to pen testers and even to forensic investigators. During a pen test or an investigation, you may come across password-protected zip archives, such as backups or confidential files. Cracking their passwords can reveal information that helps further along in the engagement. That's where fcrackzip comes in handy. Note that fcrackzip only understands the traditional PKWARE ("ZipCrypto") encryption; archives protected with AES, which many modern archivers use by default, are out of its reach.

Let's see how fcrackzip works. I will be using Kali Linux, on which this tool is installed by default. We also need a password-protected zip archive.


To crack the password of the zip archive with fcrackzip, all you have to do is give the command below.

fcrackzip <password protected zip archive>

This brute-forces the password of the archive. It is the same as explicitly selecting brute-force mode with the '-b' option.


Set the initial password to test or specify a dictionary (-p)

The '-p' (--init-password) option of fcrackzip does two things: in brute-force mode it sets the initial password to try, and in dictionary mode it names the wordlist file.


Dictionary Cracking (-D)

You select dictionary cracking with the '-D' option, together with '-p' to name the wordlist, as shown below.


Get a more detailed output (-v)

If you want detailed, verbose output, use the '-v' option as with most tools.


Character set specification (-c)

You can also specify the character set to use while brute forcing with the '-c' option. Here's how to make fcrackzip try only digits.


Here are the character classes you can set with '-c'. They can be combined, for example '-c aA1' for letters and digits.

a: all lowercase letters (a-z)

A: all uppercase letters (A-Z)

1: digits (0-9)

!: the symbols !:$%&/()=?{[]}+*^#

:: every character that follows the colon is added to the set (for example '-c 1:_-')

Verifying the cracked password

So far you have seen fcrackzip report several "possible" passwords, but most of them are not the real one. Like any cracker of this kind, fcrackzip produces false positives: the quick test it performs uses only a single check byte from each file's encryption header, so with one encrypted file roughly one wrong password in 256 passes it. We weed out the false positives by trying each candidate with unzip, as shown below. fcrackzip can do this for you with the '-u' (--use-unzip) option, which runs unzip on every candidate and reports only the passwords that actually extract the archive.

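To see where those false positives come from, here is an added Python example (not fcrackzip's code). It implements the traditional PKWARE "ZipCrypto" stream cipher that fcrackzip attacks, encrypts a constructed file under a constructed four-digit password, and brute-forces the same keyspace that `fcrackzip -c 1 -l 4` would. The cheap test checks one byte of the 12-byte encryption header, so a handful of wrong passwords pass it; a full decrypt and CRC-32 comparison, which is what unzip (and fcrackzip -u) does, leaves only the real one. Compression is skipped (a stored entry), and the "random" header bytes come from a seeded generator so the run is repeatable.

```python
"""Added example: ZipCrypto brute force with a 1-byte quick check and CRC-32
verification, showing why zip crackers report false positives."""
from itertools import product
import random
import zlib


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _crc_table()


class ZipCrypto:
    """Traditional PKWARE encryption (APPNOTE section 6.1), one byte at a time."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int):
        k = self.keys
        k[0] = CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def _stream_byte(self) -> int:
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            out.append(p ^ self._stream_byte())
            self._update(p)          # keys always advance with the plaintext byte
        return bytes(out)

    def decrypt(self, cipher: bytes) -> bytes:
        out = bytearray()
        for c in cipher:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(plain: bytes, password: bytes, seed: int = 7):
    """Return (crc32, ciphertext): 11 random header bytes, then the check byte
    (high byte of the CRC), then the data, all under the keystream."""
    rng = random.Random(seed)        # seeded so the example is repeatable
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    header = bytes(rng.randrange(256) for _ in range(11)) + bytes([crc >> 24])
    return crc, ZipCrypto(password).encrypt(header + plain)


def check_byte_ok(crc: int, encrypted: bytes, password: bytes) -> bool:
    """The cheap test a cracker applies first: one byte of evidence, 1/256 false positives."""
    header = ZipCrypto(password).decrypt(encrypted[:12])
    return header[11] == (crc >> 24)


def verify(crc: int, encrypted: bytes, password: bytes) -> bool:
    """Full verification: decrypt everything and compare the CRC-32 (what unzip does)."""
    plain = ZipCrypto(password).decrypt(encrypted)[12:]
    return zlib.crc32(plain) & 0xFFFFFFFF == crc


def brute_force(crc: int, encrypted: bytes, charset: bytes = b"0123456789", length: int = 4):
    """Exhaust the keyspace; return (passwords passing the check byte, passwords that really work)."""
    candidates, confirmed = [], []
    for combo in product(charset, repeat=length):
        pw = bytes(combo)
        if check_byte_ok(crc, encrypted, pw):
            candidates.append(pw)
            if verify(crc, encrypted, pw):
                confirmed.append(pw)
    return candidates, confirmed


SAMPLE_PLAINTEXT = b"backup: db_user=admin db_pass=letmein\n" * 4   # constructed file contents
SAMPLE_PASSWORD = b"4821"                                              # constructed password
SAMPLE_CRC, SAMPLE_ENCRYPTED = encrypt_entry(SAMPLE_PLAINTEXT, SAMPLE_PASSWORD)

if __name__ == "__main__":
    cands, real = brute_force(SAMPLE_CRC, SAMPLE_ENCRYPTED)
    print(f"{len(cands)} passwords passed the 1-byte check, "
          f"{len(real)} survived CRC verification: {real}")
```

An archive with several encrypted files gives the cracker one check byte per file, which is why fcrackzip's false-positive rate drops when it is given more files from the same archive.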

Specify the length of the password to use for cracking (-l)

The '-l' (--length) option sets the password lengths to try when brute forcing, either a single length or a range such as '-l 4-6', as shown below.


That’s how you use fcrackzip to crack password protected zip archives.


Beginners guide to fuzzing

Hello, aspiring ethical hackers. In this blogpost, you will learn the basics of fuzzing from an ethical hacker's point of view.

What is Fuzzing?

Fuzzing, or fuzz testing, is a software testing technique in which invalid, unexpected or random data is fed to a program or system to see how it responds.

The tester watches for crashes, hangs, memory leaks, failed assertions and memory-safety errors such as buffer overflows. Fuzz testing is performed to find such bugs, which an attacker could turn into exploits, before the software ships.

Types of Fuzzing


There are different kinds of fuzz tests: application fuzzing, protocol fuzzing and file format fuzzing. Let's learn about each of them.

1. Application fuzzing:

In this type of fuzz test, the inputs of a program are exercised with random or malformed data: the options and arguments of a command-line program, or UI elements such as buttons and form fields in an application.

2. Protocol fuzzing:

As the name says, this type targets network protocols: malformed or random protocol messages are sent to a server or client implementation to see how it reacts.

3. File format fuzzing:

In file format fuzzing, a mutated or deliberately corrupted file is fed to a program that parses that format to see how the parser reacts. For example, say a web application offers a file upload that expects .docx files. How does it behave when a corrupted .docx, or an .exe renamed to look like a .docx, is uploaded? File format fuzzing is meant to answer that.

What is a Fuzzer?

A fuzzer is a tool that automatically generates such inputs, feeds them to the software, operating system or network service under test, and watches for crashes or other signs of a vulnerability.

Importance of fuzzing

Developers generally assume that users will provide well-formed input to a web application or program. Fuzz testing asks what happens when random and unexpected input is provided instead. How does the application behave? Does it expose a weakness that hackers can exploit? etc.