Moses' Security
  • Blog
  • Linux
  • Windows
  • Networking
  • About

Blog Posts

The Importance Of Layer 2 Security

9/28/2018

0 Comments

 
Layer two, in accordance to the OSI model, is an innately insecure layer. We have to understand that within our networks, security is only as strong as our weakest link and if a layer is compromised since it is at the lower end, it may never be detectable, making layer two security crucial.  Popular attacks that can arise on this layer are, VLAN Hopping, ARP spoofing, STP attacks, CAM table overflows, DHCP spoofing, and CDP/LLDP Reconnaissance. Here, we are going to examine what each attack is and certain counter measures you can take to prevent them.

1. VLAN Hopping:
      Now, the goal of VLAN Hopping is to send traffic to a different VLAN from your own and we can accomplish this by one of two methods, switch spoofing or by double tagging. Switch spoofing is the idea of connecting to a switch within the network and setting up a trunk. Thus allowing the hacker to analyze the traffic and possibly alter it if the switch receives traffic from multiple VLANs. This attack takes advantage of the default enabled dynamic trunking. To prevent this, disabling dynamic trunking on all non-trunk ports should do the trick.
Double tagging however is a bit different. VLANs offer security by isolating traffic, this is done through tagging. However since tags can be nested, meaning that you can have a tag on-top of another tag, if the traffic being received by a switch has the tag of the native VLAN for that switch, then the switch will remove the outer tag and forward the traffic to the VLAN of the second tag, thus hopping a VLAN.

2. ARP Spoofing:
        The goal of ARP Spoofing is to attempt to impersonate a computer within the same network. This can be done because ARP is an innately insecure protocol because it does not have a check operation. Therefore, if Bob's computer wants to communicate with Alice's and asks for her MAC address, but instead Susan replies, then all of the traffic sent from Bob that is supposed to go to Alice will instead be sent to Susan. You can counteract this by allowing Dynamic ARP Inspection, which verifies all ARP requests and responses sent across the network, segmenting out LANs to be as small as possible, and always keeping 802.1x in mind.

​3. STP Attacks:
      Spanning Tree Protocol is used to prevent loops within a network, thus making it an extremely crucial protocol. Because STP attempts to always find the best paths throughout the network, if an attacker, connects a device that triggers the optimization operation it can affect how traffic flows and can possibly re-route traffic through the newly connected switch. Due to the pause of STP, this can create a Denial of Service, greatly reducing the flow of traffic if repeated. You can counteract this by enabling Root Guard on the switches ports that should not become root ports and using BPDU Guard on all ports that have PortFast enabled.

4. CAM Table Overflows:
     The CAM table is responsible for learning which MAC addresses are connected to which interfaces on the switch and sending the traffic in accordance to this table. This is a highly effective mechanism as the more addresses are learned the less broadcasts are needed, thus saving bandwidth. However each table can only be so large, therefore if this limit is reached, all traffic from unknown MAC addressed gets flooded throughout every interface. This leads to a Denial of Service as the switch, along with the network, eventually crawls to a halt. However, this can be counteracted by enabling Port Security to limit the number of MAC addresses that can be learned per-interface. 

5. DHCP spoofing:
     Similar to ARP spoofing, the goal of DHCP spoofing is to attempt to impersonate a computer. However in this case the computer is the DHCP server within the network. If the attacker connects a malicious DHCP server to the network, whenever a client requests an IP address the server that responds the fastest gets to assign the client an address and can control the gateway seen by that device. If the attack works perfectly, the hacker can re-route the traffic to his or herself and then send all of the traffic to the correct gateway, thus creating a MITM attack. The best way to counteract this attack is to use DHCP snooping, where you can configure ports to be either trusted on un-trusted.

6. CDP/LLDP Reconnaissance:
   Link Layer Discovery Protocol and the Cisco propriety, Cisco Discovery Protocol, do essentially the same thing, they attempt to discover what type of device is connected to a particular port mainly for troubleshooting purposes. The issue however is that this information is available for anyone on the network, so if an attacker is able to listen in, he or she can gain this information as well. The best countermeasure is to simply disable the default enabled Cisco Discovery Protocol on your routers.
0 Comments

Performing Scans Using Nmap

9/22/2018

0 Comments

 
Nmap is one of the most important and versatile tools in any hacker's toolbox. It's powerful engine along with it's ease of use allows people who have no prior command line experience to pick it up fairly quickly. Personally, I have used nmap to help exploit systems but also to tell me what ports are open on a printer so I can access the web portal. Overall it is an extremely useful tool and below I am going to explain the 10 most useful Nmap commands you should learn.

At number 10: Traditional Scan (mostly checks to see if host is alive)
# nmap [IP address]

Example 9: A ping scan of the network:
# nmap -sP [network ID/subnet CIDR] 

Number 8: SYN TCP port scan from ports 1 to 65535
# nmap -sS -p1-65535 [IP address]
 
Number 7: UDP port scan from ports 1 to 65535
# nmap -sU -p1-65535 [IP address]

Number 6: Skip the ping, scan specific ports for activity
# nmap -sn -p22,80,443 [IP address]
 
Number 5: OS detection with an aggressive scan
# nmap -O -A [IP address]

Number 4: Conducts an ACK TCP scan and attempts to find the versions of what is running on the ports
# nmap -sV -sA -p22,80,8080 [IP address]

Number 3: Spoofs the IP address on interface eth0, while fragmenting the packets, and conducting an ACK scan
# nmap -S [Spoof source IP address] -e eth0 -f -p20,21,22,2380,143,443,589,8080 -sA [IP address]

Number 2: Incorporating Nikto into your Nmap Scan
# nmap -p80,443 [IP address] -oG - | nikto -h -

Number 1: Nmap Scripting engine
# nmap --script-help=
Example script: http-brute, sshv1, smb-vuln-ms10-054,...

The nmap scripting engine is an incredibly useful tool, that I recommend everyone to learn.

0 Comments

Common Networking Interview Questions

8/14/2018

0 Comments

 
Network administration is a complex field that requires an immense amount studying and dedication. Below are ten common entry-level interview questions. Now I must add that you should not memorize these questions, but instead should use them as a basis for your level of understanding. (Questions 5 through 7 may very depending on the job, but this is the general layout.)

  1. What is an IP address? An IP address is a logical address mapped to a MAC address that then helps to identify a computer across a network.
  2. What is DNS? DNS, which stands for Domain Name Service, is the act of converting URL names into IP addresses.
  3. What is the main difference between POP3 and IMAP? Both of these are responsible for the delivery of emails, however POP3 does not update the central mail server whenever an email has been read or deleted. IMAP on the other hand directly updates the server.
  4. What is a VLAN? A VLAN, which stands for Virtual Local Area Network, is directly correlated to the size of the broadcast domain, it provides connectivity for a subnet. This is great as it allows devices on different switches to be within the same domain.
  5. You are trying to setup an IMAP and SMTP email account on a client's desktop, the ports 993 and 587 for TLS encryption do not work, however the defaults 143 and 25 do, what are the two things you check? The first thing I would check is the TLS/SSL encryption, if that is establishing correctly and the certification is valid, I would then check to see if the firewall is blocking any of the ports.
  6. You have a network that has all statically assigned IP addresses, after connecting a computer to the network and assigning it, another desktop drops connectivity every few minutes. What is the issue? The issue is more than likely an IP address conflict, I would check the IP table on the router and assign the next available address to the computer.
  7. You have a switch that randomly stops forwarding all traffic, what is your troubleshooting steps? First I would make sure that it has power, after power cycling, I would then check to make sure all of the ports allow traffic. If all of the ports allow traffic I would then check to make sure that the router is forwarding traffic. If I can isolate the issue to be with the switch, I would look into updating the firmware next.
  8. What is the difference between TCP and UDP? The main difference is that TCP is connection-orientated, whereas UDP is connection-less.
  9. What is the difference between a Domain and a Workgroup? The difference is how resources are allocated and sorted. A Workgroup is great for a small business or home environment, however falls short whenever it grows past 15 computers. Here, all computers act as peers, with each user requiring a local account on the computer, and all computers must be within the same network. Lastly, a Workgroup is not password protected, meaning that anyone can connect. A Domain on the other hand is a useful way of managing the permissions and security policies within a network as certain computers act as servers allowing for scalability. Here, a Domain can easily exceed over a hundred computers, however can be extremely complex to maintain and requires oversight.
  10. What is a router? A router is device that connects networks together, it is responsible for forwarding the traffic in and out of a network.
0 Comments

Exploiting JSON Web Token Vulnerability

8/9/2018

0 Comments

 
This exercise can be found on PentesterLab Pro, underneath JSON Web Token.
Before we can begin exploiting JSON Web Token (JWT) authentication, we have to understand how it behaves. Now this vulnerability was discovered in 2015 and has since evolved over the years. This exploit works because of the design flaw in how the signature and header interact. In order to sign the header, you need the header to verify the signature, but at the same time you also need the signature to verify the header. If an attacker receives as JWT where the header is not signed, it allows the attacker to alter both the header and the algorithm for the signature and the server will still verify the signature, this is possible because JWT supports an option to have the algorithm as None within a signature. This can allow an attacker to alter the token to give a user administrative access to a particular website. Now given, this vulnerability can now be prevented by disabling the None option within the signature.
 To begin the exploitation, first you have to access the website.
Picture
After clicking on the Register tab in the navigation bar we can insert in a username and password. I personally chose user1 and letmein. The reason we have to do this is that right now, we don't have a user's cookie, after we create a user, we can then intercept the cookie and decode it to figure out the format.
Picture
I personally used the tool Burpsuite Community Edition to proxy the traffic coming from the browser, that way I could grab and modify the requests. Below we see a request being sent from our computer to the web-server.
Picture
After the user was successfully registered we were forwarded to the welcome site. Within the request in the Cookie: category next to auth= we can see the header and signature separated by periods. Now this cookie is encoded in base64, which we can decode in the Decoder tab of Burpsuite.
Picture
After pasting the cookie into the Decoder tab, we then have to decode, in base64, the parts separated by the periods. We can do this by highlighting which parts to decode per segment. After we decode we can then change "HS256" to "None" and "user1" to "admin" and delete everything following the last period. This changes the signature algorithm from HS256 to None, our logged in user from user1 to admin, and deletes the string signature. After this we have then have to encode in base64 both sections. Once again, remember to keep the parts separated. 
Picture
From here, we can go back to the Proxy tab and send the request that contained the cookie to Repeater. We can then send several requests using Repeater and the original cookie just to see the Response from the web-server. After doing this, we can then delete the cookie and paste our own that we re-encoded.
Picture
 After sending the request, we notice that the login was successful, as we were able to login as an admin! We can then go back to the website, refresh the page, change the cookie in the Proxy tab request to the one of the admin and below the following page should display.
Picture
If you've reached this page then congratulations, you've successfully exploited JWT!
0 Comments

How to Hack Into Windows OS Using Sticky Keys

8/1/2018

0 Comments

 
Now, this is of course only works if you have physical access to the computer and a re-installation or repair disc of preferably Windows 10. 
First you must create a bootable USB of the Windows ISO, which can be done here: Rufus Download
After the repair bootable has been created, boot from the USB and arrive at the Windows set up screen. From here, you will press the shift+F10 to open up the command prompt. This prompt has administrative privileges and will allow you to access the files in the already installed Windows OS. 
Note: Please make sure that UEFI secure boot is disabled, if needed please change the boot sequence.


Now from here, you have to find the drive letter of the installed OS, normally it remains the C: drive, but every once in a while this changes. You can use the dir command to search through each letter and see if the directory displays. However, you can also use the diskpart utility with the command list volume to get a sense of the volumes and the letters attached.

X:\Sources> dir a:

or

X:\Sources>diskpart

DISKPART> list volume


After you find the operating system, you then want to copy over the sticky keys file as a backup, then replace the sticky keys file in System32 with the command prompt, this will allow you to access the command prompt from the login screen. This can be done with the two following commands:

X:\Sources > copy c:\windows\system32\sethc.exe c:\
X:\Sources > copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe


From here, you can exit out of the command prompt and Windows Setup to cancel the installation.
Now, in Windows 10 version 1803, a patch was released that removed accessing sticky keys from the login screen, however if you press "Forgot Password" and press the shift key five times, the sticky keys prompt will display, but because we replaced sticky keys with the command prompt, we should now be greeted with an Administrator privileged command prompt.

From here you can add an account as an administrator or change the password of an existing one. Below are the commands to both change the password and create an administrator.

To create an administrator account:

C:\Windows\System32 > net user [ new username] [new password]

C:\Windows\System32 > net localgroup administrators /add [new username]


To change the password of an existing account:

C:\Windows\System32 > net user [old username] [new password]

Hopefully the process was successful. After logging in, we now have to undo what we just did. 
​The best way to revert the changes is through the re-installation USB. 

After you have booted the USB and gotten the command prompt again, all of the changes can be undone through the following two commands:

X:\Sources > copy /y c:\sethc.exe c:\windows\system32\sethc.exe
X:\Sources > del c:\sethc.exe


Success! Hopefully everything has worked properly, now I must add that sometimes this method does not work because sticky keys has been disabled on the installed operating system, if that is the case then this process will fail.
0 Comments

HackTheBox The Cartographer WalkThrough

7/25/2018

0 Comments

 
Some underground hackers are developing a new command and control server. Can you break in and see what they are up to?
​

Now please note that every time you start the instance to attempt to CTF it gives you a new port and probably will give a different flag as well. In the spirit of Hack The Box, please do not read this until you have attempted the challenge, thanks!
Picture
After accessing the IP address provided by Hack The Box, the first thing I decided to do was send an SQL injection attack on the username and password login. The injection was: 'or'1'='1
Picture
This brought me to this screen, to which I noticed the URL change. I decided to test and see if this URL was vulnerable to injections as well and thankfully it is!
Picture
From here, I decided to type in flag for the info=' ', in the hopes that I would get lucky.
Picture
And low and behold I got lucky! The flag is HTB{Map_Th3_Pl4n3t}, congratulations!
0 Comments

HackTheBox CTF Lernaen WalkThrough

7/24/2018

0 Comments

 
What you will need: Windows 10 or Kali Linux, Burpsuite
Your target is not very good with computers. Try and guess their password to see if they may be hiding anything!
Now please note that every time you start the instance to attempt to CTF it gives you a new port and probably will give a different flag as well. In the spirit of Hack The Box, please do not read this until you have attempted the challenge, thanks!
Picture
The first thing I did was set up a proxy on my Firefox browser to automatically redirect to the Burpsuite application. From here, I went to the IP address and port number provided by Hack The Box and received this interception in the Proxy tab. After examining it, I didn't find anything special. I then forwarded all of the traffic and then decided to inspect the website itself. 
Picture
After examining the webpage's surface, I didn't find anything that showed an immediate vulnerability. I even tried manual XSS attacks and SQL injections in the password submission box, but it didn't get me anywhere, so I turned back to Burpsuite.
Picture
I then began to examine the Target tab and realized that a POST and GET message is sent with every request. I didn't quite understand what this meant though at the time, so I decided to send the Raw data to Repeater, in the hopes of examining the data more thoroughly. 
Picture
After sending the request to Repeater, I realized that the password submission is sending POST requests and that the cookies are not changing, meaning that I could possibly send as many requests as I pleased. So my next thought was to just brute force the password. I decided to use the following password list, as it contains the top 10,000 most common passwords of 2017.
Side note: I did edit the password list, placing some passwords higher than others and some lower than others in accordance to what I thought would get me the fastest results.
Picture
From here, I sent the request to Burpsuite's Intruder functionality and because we don't need to edit the cookies, I changed the attack to only target the password.
Picture
 Next, I uploaded the password list  in the Payloads tab under the Payload Options and then began the attack.
Now please note that if you do not have Burpsuite Pro, it will throttle the requests made thus slowing it down dramatically.
Picture
After waiting for quite some time, as I do not have Burpsuite Pro, I realized that the Status and Length for each request seemed exactly the same, so I kept my eye out for any abnormal activity.  Finally, the payload leonardo was the change, with an extended Length.
Picture
Finally, it turns out that the password was not just leonardo, but that the response from the noooooooope.html webpage actually contained the flag HTB{l1k3_4_b0s5_s0n}! 
0 Comments

HackTheBox Invitation Code Walkthrough

7/17/2018

0 Comments

 
The link to start the invitation challenge is here.
Now to keep true to the HackTheBox spirit, I must ask that you only read this WalkThrough after to compare notes. But regardless of your stance, here is my method.
Utilities needed: Kali VM, web browser, internet access, luck
Picture
The first thing I did was access the website: https://hackthebox.eu/invite and press F12 (if you are using Chrome) to bring up the developer tools. From here if we scroll down a bit we notice the script https://www.hackthebox.eu/js/htb-fronted.min.js and right below that is /js/inviteapi.min.js. Curious I decided to type this extension, so the link looked like this:
https://www.hackthebox.eu/js/inviteapi.min.js
That link takes us directly to here and this is where I got a bit lost. At first it didn't make much sense to me until I thought about functions. And my thought process was that the words between | must be functions.
Picture
That link takes us to this page and this is where I got a bit lost. At first it didn't make much sense to me until I thought about functions. And my thought process was simple, the words between | must be functions.
Picture
I decided to test this theory with the verifyInviteCode, because if I can just verify myself, I would not have to grab any type of code. However, knowing that if console finds an available function it will tab-complete, I soon realized that verifyInviteCode was not going to work.
Picture
So instead I tried the makeInviteCode function and two options arose, makeInviteCode and makeInviteCode().
Picture
I went back to the website: https://hackthebox.eu/invite and tried out both, the first one gave me an error, but it did drop a hint letting me know that the second one does exist.
Picture
After running the function, it then appears that a string of data appears that is encoded in Base64, thankfully I know of a website that can help.

Picture
After copying the message and decoding it, I realize that I have to access another link.
From here I realize that I need to send a POST request to the following link:
https://hackthebox.eu/api/invite/generate  in order to advance, so I find this webpage that sends POST requests to help test websites.
Picture
Picture
And success! The response, encoded in Base64, I paste it into the website we used earlier and receive the invite code.
Picture
However, this process sadly fails. And the reason why is because the API that HackTheBox uses to generate the invite codes are unique to your IP address, meaning that sharing codes is not an option. I minor security tactic, but one I think is necessary.
Picture
To overcome this we can quickly send a POST packet using the wget tool in Kali Linux, from here the code is received once again.
Picture
Picture
And after decoding the Base64 string, we arrive at our invite screen once again.
Picture
Success! We can now sign up and use HackTheBox.
0 Comments

Wep Trace WalkThrough

7/14/2018

0 Comments

 
The following CTF can be found at: Contextis WEP Trace I did not create this CTF.
You have sniffed out a wireless network stream. Can you determine the encryption key used and identify any sensitive data?
wep_trace.zip
File Size: 3727 kb
File Type: zip
Download File

Before starting this challenge I advise spinning up a Kali Virtual Machine as it will make this process much more fluid. After you download the file and unzip it, the following should display.
Picture
The first thing I notice is that it is a *.pcapng file extension, which I have never worked with. So I begin to do a bit of research and discover that it stands for pcap Next Generation. Now normally I wouldn't care too much, but after I tried to attack the file I received this error:
Picture
After doing some more research I discover a tool called editcap that whenever using the libpcap library allows you to convert *.pcapng file types back to *.pcap. After I converted the file, aircrack-ng was happy to begin the PTW attack and below is the deciphered key: [DE:AD:BE:EF:01]
Picture
Next, I began to decrypt the WEP packets with airdecap-ng.
Picture
I then opened up the file, set the expression to follow the TCP stream and low and behold the username and password were displayed!
Picture
Picture
0 Comments

Password Reset Walkthrough

7/12/2018

0 Comments

 
The following CTF can be found at: Contextis Password Reset. I did not create this CTF.
You have identified a source code leakage vulnerability. Can you identify any other vulnerabilities?

<?php
include 'config.php';
echo "<html><title>Password Recovery</title></html>";
if(isset($_GET['name']) && $_GET['name']!='' && !preg_match('/and|or/i',$_GET['name'])) {
$res = mysql_query("SELECT name,email FROM user where name='".$_GET['name']."'");
#echo "SELECT name,email FROM user where name='".$_GET['name']."'";
if(mysql_fetch_object($res)) {
// Generation of new password
//<topsecure content>
// removed in phps file :)
//</topsecure content>
die("A new password was generated and sent to your email address!");
} else {
$res = mysql_query("SELECT name,email FROM user where name sounds like '".$_GET['name']."'");
if(mysql_fetch_object($res)) {
echo "We couldn't find your username, but it sounds like this user:<br>";
} else {
$name = $_GET['name'];
$name = str_replace('on','',$name);
$name =  str_replace('On','',$name);
$name = str_replace('ON','',$name);
$name = str_replace('oN','',$name);
$name = str_replace('<script','',$name);
die("We couldn't find your username!<br>Are you sure it is $name?");
}
        $res = mysql_query("SELECT name,email FROM user where name sounds like '".$_GET['name']."'");
#echo "SELECT name,email FROM user where name sounds like '".$_GET['name']."'";
while($row = mysql_fetch_object($res)) {
  echo $row->name;
  echo "<br>";
}
}
} else {
echo "Dear users,<br>We had a security breach! Please use this site to generate your new password.<br><br><br>";
echo '<form action="#" method="get">Please enter your username: <br><input type="text" name="name"><br><input type="submit" name="submit" value="submit"></form>';
echo '<!-- .phps?-->';
}
?>
After analyzing the code and doing some research it appears that this code is vulnerable to SQL injections, specifically with the lines:
($_GET['name']) and
mysql_query("SELECT name,email FROM user where name='".$_GET['name']."'");.

This arises because the code itself does not filter any inputs and instead trusts that the requests sent are valid. After doing more in-depth research I discovered that the statement mysql_query() and ($_GET['name']) whenever used together are usually vulnerable, and should instead be replaced by using prepared statements and parameterized queries. Instead you should use prepare('SELECT ...'); and execute(array('name' => $name)); or prepare('SELECT ...'); and bind_param('variable_type', $name);. This allows for a speed boost if the statement is executed more than once in a session as it will only be compiled once.

0 Comments
<<Previous
Forward>>

    Archives

    January 2020
    June 2019
    April 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018

    Categories

    All
    Cisco
    CTF
    Firewalls
    Linux
    Networking
    Penetration Testing
    Security Defense
    VulnHub
    Windows

Hope you have enjoyed your stay! Come back again!
​This site is under constant (slow) construction. Thank you for your patience.
Created by Moses J. Arocha ©
  • Blog
  • Linux
  • Windows
  • Networking
  • About