Posted on by 1 Comment

Testing CVE 2018 17456 with Metasploit

Hello aspiring ethical hackers. In our previous blogpost, you learnt how to use Metasploit framework. In this article, you will learn what is CVE-2018-17456 vulnerability and how to test this vulnerability with Metasploit.

What is CVE-2018-17456 vulnerability?

CVE-2018-17456 is a vulnerability affecting submodules of Git. A Git submodule is a repository that is included within another Git repository. The vulnerability arises when a submodule URL which starts with a dash e.g “-u./payload” is passed as an argument to git clone, the file “payload” inside the repository is executed. This vulnerability affects Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.

This Metasploit module creates a fake git repository which contains a submodule containing the payload. The vulnerability is triggered when the submodules are initialized or cloned. (e.g git clone –recurse-submodules URL)

This module is a local exploit module and works on Git versions 2.7.5 and lower. Now let us see how this module works. Start Metasploit and load the exploit module as shown below. Type command “show options” to see all the options we need for this module to run.

Git1
Git2

Set the options LHOST, git_uri and LPORT options as shown below. The git_uri option sets the URL malicious git submodule. Use command “run” to start our Git HTTP server.

Git3

All we need to do now is send the URL of the Git repository we created to target users. This requires social engineering. As the user clones this URL, we will get a command session on the target. Here we are testing this on KaIi Linux 2016 machine which has the vulnerable version of Git installed. Let’s see what happens on the target machine.

Git4

As this happens on our target system, we will get a command shell on our attacker system as shown below.

Git5

We can see the active sessions using the command “sessions”.

Git6

That is how you can test for CVE 2018 17456 vulnerability. Learn about PrintNightmare vulnerability.

Posted on by 1 Comment

Vulnerability assessment (VA) for beginners

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about vulnerability scanning. In this article you will learn about vulnerability assessment.

What is vulnerability assessment?

Vulnerability assessment (VA) is sometimes interchangeably used with vulnerability scanning but is entirely different form vulnerability scanning. VA is a systematical review of vulnerabilities or weaknesses in a system or a network or even in an entire company. While vulnerability scanning is just scanning for vulnerabilities, Vulnerability assessment also assigns security levels to the vulnerabilities identified and suggests remediation or mitigation if needed.

Types of vulnerability assessments

As vulnerability assessment has a larger scope, there are different types of vulnerability assessments. They are,

1. Host assessment:

When a single host or a system (which can include server or client) is assessed for vulnerabilities, it is called host assessment.

2. Network assessment:

When vulnerabilities in an entire network are assessed, it is known as network VA. This can include all the devices, gateways and servers in the entire network.

3. Database assessment:

When vulnerabilities of a database are assessed, it is known as a database assessment.

Stages of a vulnerability assessment

VA consists of four stages. They are,

1. Vulnerability identification:

The first stage of the VA is to identify the vulnerabilities in a host network or any other resources. This involves scanning for vulnerabilities using automated tools.

2. Vulnerability analysis:

The second stage is to analyze the vulnerability identified. This includes identifying the source of and cause of the vulnerabilities.

3. Risk assessment:

The third stage in VA includes assessing the risk of the vulnerability. In this stage, a rank or security level is given to each vulnerability detected. This rank depends on the severity of the vulnerability, how simple it is to exploit this vulnerability, ease of access, and what a hacker can get if he is successful in exploiting it.

4. Remediation:

The final step of VA is to fix or remediate the vulnerability. This stage can include developers, operation teams and cybersecurity professionals.

Some of the tools that can be used to perform vulnerability assessment are Nessus, OpenVAS, Burp suite, Nikto, Wireshark etc.

Posted on by

Meterpreter archmigrate module

Hello aspiring ethical hackers. In our previous blogpost, you learnt all about the meterpreter payload. In this blogpost, you will learn about the archmigrate module of Metasploit. This module checks if the meterpreter architecture is the same as the Operating System architecture (OS) and if it’s incompatible it spawns a new process with the correct architecture and migrates into that process. It is a POST module.

What is architecture? As we all know there are two main system architectures 32bit and 64bit. Sometimes, we happen to select a 32bit meterpreter payload for a 64bit target system.

Sometimes there may be compatibility issues if we get a 32bit meterpreter session on a 64bit machine and vice versa. This is the exact scenario in which this module is helpful. To overcome the problems of incompatibility, we need to get a new 64bit meterpreter session or just use the archmigrate module to create a new process with the same architecture as the target OS and migrate to that process. Let’s see how this module works.

To use this module, we need to background the current meterpreter session using command “background”. Then load the archmigrate exploit as shown below. Type command “show options” to have a look at the options it requires.

meterpreter architecture migration from 32bit to 64bit and vice versa

We need to only set the session id of the meterpreter session we just sent to background and the exploit is good to go.

Archmigrate2

If you see in the above image, our exploit failed to run for the first time. This is because in the previous session we had system privileges and if we run this module we may lose the system privileges. But don’t worry, we can change the options to overcome this problem.

Set “ignore_system” option to true and you should be fine to go. This time the exploit ran successfully. As you can see in the above image, our target is a 64bit machine and our meterpreter migrated to a 64bit process successfully. Lets check by typing command “sessions -l” to see the available sessions. You can see we have a 64bit meterpreter session now. Job performed.

Archmigrate3
Posted on by 1 Comment

Beginners guide to UAC bypass

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about various techniques used for Windows privilege escalation. In this blogpost, you will learn about UAC bypass, one of the techniques used for privilege escalation in Windows. To understand UAC bypass, you need to first understand what is UAC.

What is UAC?

User Account Control (UAC) is a mandatory access control feature of Windows operating system that helps in improving the security of the operating system. It was introduced in Window Vista and Windows Server 2008 and has ben improved since then. User Account Control works by limiting a software or program to run with standard user privileges (low privileges) until and unless a user with administrator privileges authorizes it by giving permission. This way, only applications trusted by the user can be run on the system. This helps to prevent malware infection as malware and virus need administrator privileges to infect the system wholly.

How can UAC be bypassed?

Now, you have a question. How can UAC be bypassed. There are various UAC bypass methods. They are,

1. Registry key manipulation:

This technique works by hijacking the normal execution flow of an auto elevated application. What are auto-elevated applications? In Microsoft windows, if a binary is trusted (i.e. it has been signed with a MS certificate or the binary is in a trusted directory), the UAC prompt will not be presented. This can be exploited using a registry key.

The fodhelper privilege escalation method is an example of this. Fodhelper.exe is a trusted binary in Windows operating systems that is used to manage features in Windows settings. We can exploit this binary by hijacking a special key in the Registry under the current user hive and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched.

Once the UAC flag is turned off, we will spawn a second shell with SYSTEM privileges. Metasploit has a module for this. Let’s see it practically using Metasploit. Imagine we have a scenario where we have gained access to a Windows system using any Windows hacking technique.

Bypassuac Fodhelper0

To use the fodhelper module to elevate privileges, we need to background the current session.

Bypassuac Fodhelper00

Search for fodhelper module using the search command.

Image explaining about Windows privilege escalation with fodhelper module

Load the module and set the session ID as shown below.

Bypassuac Fodhelper2

Run the module as shown below.

Bypassuac Fodhelper3

As you can see, we successfully got a meterpreter session. When I check privileges, its still user privileges but when I run “getsystem” command, I get system privileges on the target Windows system.

2. DLL hijacking:

In this method, the execution of an elevated program is hijacked using DLL Search order hijacking, DLL loading, redirection or other DLL vulnerability.

3. Elevated COM interface method:

COM stands for Component Object Model. It acts as a binary interface between various processes of different programming languages. In Windows, is is the basis for several other Microsoft technologies like OLE, OLE Automation, Browser Helper Object, ActiveX, COM+, DCOM, Windows shell, DirectX and Windows runtime. In this method, the COM handler is bypassed while it references registry when a high integrity process is being loaded. These DLLs contain the payloads that result in elevated sessions.

Let’s demonstrate this using Metasploit. As for every privilege escalation exploit, we need to already have a meterpreter session on target. This can be achieved using one of the Windows hacking techniques. Once we have it, search for the bypassuac_comhijack module as shown below.

Comhijack1

Load the bypassuac_comhijack module and check its options by using the “show options” command as shown below.

Comhijack2

Set the session id and execute the exploit using “run” command as shown below. If everything went right, we will have another meterpreter session as shown below.

Comhijack3

Check the privileges using the “getuid” command. If you still don’t have system privileges, run command “getsystem” and even if it results in an error, check your privileges once again using command “getuid“. You should definitely have system privileges by now.

Comhijack4
Posted on by 1 Comment

Install Parrot OS in Vmware

Kali Linux is the most popular and also my favorite pen testing distro. Its regular updates and stability accord it the top spot. Apart from Kali Linux, there are many other pen testing distros available. One of them is Parrot Security distro. Parrot Security sports many more tools than Kali Linux which includes software for cryptography, cloud, anonymity, digital forensics and of course programming. One of our readers has requested us to make a guide on how to install Parrot Security OS in Vmware. So be it.

Download the Parrot Security OS . Unlike the makers of Kali Linux, Parrot Security have not yet provided a Vmware image to download. So we have to download a iso image (depending on your architecture yo- u can download a 32bit or 64 bit iso file). Once the download is finished, open Vmware Workstation (Version 12 used for this article). Hit “CTRL+N”. The below window should open.

Parrotvm1

Make sure the “Typical” option is selected, and click on “Next”. That takes us to the next window. Initially, the “installer disc image file” field should be empty. Click on “browse” and browse to location of the iso file we just downloaded and select it. Now the window should look like below. Click on “Next”.

Parrotvm2

The Guest operating system should be automatically selected for you, if not select Linux as OS and version as Debian 8.x (since I am installing a 32bit, make it Debian 8.x64 if installing 64bit). Click on Next.

Parrotvm3

Choose the name of virtual machine and its location as you like. I named it Parrot. Click on “Next”.

Parrotvm4

Allocate the hard disk memory for your virtual machine. Keep the minimum as 20GB. Click on Finish.

Parrotvm5

It will show you a summary of all the selections you made. If you want to make any changes, click on Customize hardware or else click on Next.

Parrotvm6

The virtual machine is created with the name you gave it. Power on the virtual machine. It will boot and take you to the interface shown below. Choose the “Install” option. In the next window select “Standard Installer”. You can select these options using “tab” button.

Parrotvm7

Select the language in which you want to continue the installation process.

Parrotvm9

Select your country. For this article, I chose location as India.

Parrotvm10

Select the keyboard configuration you want.

Parrotvm11

It is important to set the root password (no need to tell it is Linux’s most powerful account) for the machine before we do anything. Set a complex password. Read the suggestions before you set the root password.

Parrotvm12

Re-enter the root password again to confirm it.

Parrotvm13

It is a good practice to use the system as a no -n root user. The system will prompt you to create a new user account for non-administrative activities. I am creating a user with name kalyan. I am giving the same name as username.

Parrotvm15

Create a password for the user account you just created. Make it a good password for security reasons.

Parrotvm16

Re-type the password again to confirm the password you have assigned.

Parrotvm17

The next step is partitioning the hard disk. Unless you are an expert or want to try something different, use the entire disk.

Parrotvm18

The system will warn you before partitioning. Select the disk for partitioning.

Parrotvm19

It will ask you to choose the partitioning scheme. Choose the first one. It is also recommended for users.

Parrotvm20

Next, it will show you changes you have configured before writing the changes to the disk. Select “Finish partitioning and write changes to the disk”.

Parrotvm21

Confirm for one last time that you want to writ-e changes to the disk. Select “Yes”.

Parrotvm22

The installation process will start and may take some time. You can have snacks and come back. After installation finishes, it will prompt whether you want to install GRUB boot loader.

Parrotvm25

Select Yes. Then it will ask you where to install the boot loader. Select the /dev/sda disk.

Parrotvm26

After the installation is finished, it will show you a message as shown below. It’s time to boot into your new system.

Parrotvm27

As the system boots, it will ask present you a login screen. You can login as either root or the new user you created it. Once you login, your new pen testing distro should look as below.

Parrotvm29