Beginner Guide to SSH Tunneling (Dynamic Tunneling)

Basically, tunneling is a process that allows data sharing or communication between two different networks privately. Tunneling is normally performed by encapsulating the private network's data and protocol information inside the public network's transmission units, so that the private network's protocol information is visible to the public network only as data.

SSH Tunnel: Tunneling is the concept of encapsulating one network protocol inside another; here we put it inside SSH, so all network communication is encrypted. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:

  1. Dynamic SSH tunneling
  2. Local SSH tunneling
  3. Remote SSH tunneling

Let’s Begin!!

Objective: To establish an SSH connection between a remote PC and a local system on a different network.

Here I have set up my own lab, which consists of three systems in the following network:

  1. SSH server (two Ethernet interfaces)
  2. IP 192.168.1.22 connected to remote system 192.168.1.21
  3. IP 192.168.10.2 connected to local network system 192.168.10.2
  4. SSH client (local network) holds IP 192.168.10.2
  5. Remote system (outside network) holds IP 192.168.1.21

The following image explains the SSH tunneling process, where a remote PC with IP 192.168.1.21 is trying to connect to 192.168.10.2, which is on the intranet of another network. To establish a connection with the SSH client, the remote PC creates an SSH tunnel that connects to the local system via the SSH server.

NOTE: The SSH service must be running on the server as well as on the client machine.

The image below shows the network configuration of the SSH server, with its two IPs, 192.168.1.22 and 192.168.0.1, as explained above.

The next image shows the network configuration of the SSH client, with IP 192.168.10.2.

The remote PC (192.168.1.21) connects to the SSH server (192.168.1.22) on port 22 and logs in to the server successfully.

Now the remote PC (192.168.1.21) tries to connect to the client PC (192.168.10.2) on port 22; since they belong to different networks, it receives a network error.

Steps for SSH tunneling

  • Use PuTTY to connect to the SSH server (192.168.1.22) on port 22 and choose SSH > Tunnels in the Category column on the left.
  • Enter 7000 as the source port to be forwarded, select Dynamic as the connection type, and finally click Add.
  • Click Open when everything is set.

This establishes a connection between the remote PC and the SSH server.

Open the previously configured PuTTY window again, choose the Proxy option from the Category list and follow the steps below:

  • Select proxy type SOCKS 5
  • Enter 127.0.0.1 as the proxy hostname and 7000 as the port
  • Click Open to establish the connection.

Awesome!! We have successfully accessed the SSH client via port 7000.
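What the Proxy settings above (SOCKS 5 at 127.0.0.1:7000) actually do: PuTTY's dynamic forward is a SOCKS5 listener, and every connection handed to it is carried inside the SSH session to the server, which opens the real connection on its intranet side. The Python below is an added example, not code from the original article; it builds and checks the SOCKS5 messages that PuTTY exchanges for us, with the article's lab addresses used as constructed placeholders.

```python
import socket
import struct
from typing import Tuple

# Constructed lab addresses from the article: PuTTY's dynamic forward listens
# on 127.0.0.1:7000 and the intranet SSH client is 192.168.10.2.
PROXY_ADDR = ("127.0.0.1", 7000)

REPLY_CODES = {0: "succeeded", 1: "general SOCKS server failure",
               2: "connection not allowed by ruleset", 3: "network unreachable",
               4: "host unreachable", 5: "connection refused", 6: "TTL expired",
               7: "command not supported", 8: "address type not supported"}

def socks5_greeting() -> bytes:
    """Client greeting: version 5, one method offered, 0x00 = no authentication."""
    return b"\x05\x01\x00"

def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request. An IPv4 literal is sent as ATYP 0x01; a hostname as
    ATYP 0x03 so that the SSH server, not the remote PC, resolves it."""
    try:
        atyp, addr = b"\x01", socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        atyp, addr = b"\x03", bytes([len(raw)]) + raw
    return b"\x05\x01\x00" + atyp + addr + struct.pack("!H", port)

def parse_socks5_reply(data: bytes) -> Tuple[bool, str]:
    """Decode the reply header; success only when the REP field is 0x00."""
    if len(data) < 4 or data[0] != 5:
        return False, "malformed reply"
    return data[1] == 0, REPLY_CODES.get(data[1], f"unknown code {data[1]}")

def open_tunnel(dest_host: str, dest_port: int, proxy=PROXY_ADDR) -> socket.socket:
    """Connect through the local SOCKS listener; the returned socket's bytes
    travel inside the SSH session and exit at the SSH server."""
    s = socket.create_connection(proxy, timeout=10)
    try:
        s.sendall(socks5_greeting())
        if s.recv(2) != b"\x05\x00":
            raise ConnectionError("proxy rejected the no-auth method")
        s.sendall(socks5_connect_request(dest_host, dest_port))
        ok, why = parse_socks5_reply(s.recv(262))
        if not ok:
            raise ConnectionError(f"SOCKS5 CONNECT failed: {why}")
    except Exception:
        s.close()
        raise
    return s

if __name__ == "__main__":
    with open_tunnel("192.168.10.2", 22) as s:
        print(s.recv(64))   # the intranet host's SSH banner arrives first
```

On the SSH server these connections appear to originate from the server itself, which is why administrators restrict them with the AllowTcpForwarding and PermitOpen directives in sshd_config.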

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Fuzzing SQL,XSS and Command Injection using Burp Suite

From Portswigger

Hello friends!! Today we are going to perform fuzz testing on the bWAPP application using Burp Suite Intruder; performing this testing manually is time consuming and may be a boring process for any pentester.

Fuzzing plays a vital role in software testing: it is a technique for finding bugs, errors, faults and loopholes by injecting a set of partially arbitrary inputs, called fuzz, into the program of the application under test. Fuzzer tools take structured input in a file format to differentiate between valid and invalid inputs. Fuzzers are best at identifying vulnerabilities like SQL injection, buffer overflow, XSS injection and OS command injection.

Let’s start!!

Fuzzing XSS

Start Burp Suite in order to intercept the request and then send the intercepted data to Intruder.

Many input-based vulnerabilities, such as SQL injection, cross-site scripting, and file path traversal can be detected by submitting various test strings in request parameters, and analyzing the application’s responses for error messages and other anomalies.

Consider the following settings:

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: test (user input for first name)

Attack type: Sniper (for one payload)

Set the payloads that will be placed into the payload positions during the attack. Choose the Payloads option to configure a simple list of payloads for the attack, using one of Burp’s predefined payload lists containing common fuzz strings.

Burp Suite Intruder contains fuzz strings for testing XSS injection, so choose the Fuzzing - XSS list, click Add to load these strings into the simple list as shown in the screenshot, and finally click Start attack.

It starts the attack by sending requests containing the fuzz strings to test for an XSS vulnerability in the target application. From the list of applied strings, select the payload with the largest response length, as shown in the image; we selected request 1, with length equal to 13926.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the image.

Bravo!! The fuzzing test is complete and it found that the application has a bug which leads to an XSS vulnerability. In the screenshot you can see it showing an XSS alert prompt.

Fuzzing OS command injection

Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions.

Payload position: www.nsa.gov (user input for target)

Attack type: Sniper (for one payload)

Burp Suite Intruder contains fuzz strings that test for OS command injection, so choose the Fuzzing - full list, click Add to load these strings into the simple list as shown in the screenshot, and finally click Start attack.

It starts the attack by sending requests containing arbitrary strings to test for an OS command injection vulnerability in the target application. From the list of applied strings, select the payload with the largest response length, as shown in the image; we selected request 34, with length equal to 13343.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the image.

Great Job!! The fuzzing test is complete and it found that the application has a bug which leads to an OS command injection vulnerability. In the screenshot you can see the application showing the ID output requested by the selected payload.

Fuzzing SQL

Similarly, repeat the same process in order to intercept the request and then send the intercepted data to Intruder.

Configure the position where the payload will be inserted; the attack type determines the way in which payloads are assigned to payload positions. It is much like a brute force attack.

Payload position: 1:1 (user input for login: password)

Attack type: Cluster bomb (for two payloads)

Burp Suite Intruder contains fuzz strings that test for SQL injection, so choose the Fuzzing - SQL injection list for the first payload position, click Add to load these strings into the simple list as shown in the screenshot, and finally click Start attack.

Similarly, repeat the same process to set the payload option for the second payload position.

It starts the attack by sending requests containing arbitrary strings to test for a SQL injection vulnerability in the target application. From the list of applied strings, select the payload with the largest response length, as shown in the image; we selected request 168, with length equal to 13648.

Insert the selected payload into the intercepted request and then forward this request, as you can see in the image.

Wonderful!! The fuzzing test is complete and it found that the application has a bug which leads to a SQL injection vulnerability. In the screenshot you can see that we have logged into Neo’s account without valid input; this happens only because of the selected payload.
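The two Intruder attack types used above differ only in how payloads map to the marked positions: Sniper takes one list and fuzzes one position at a time, while Cluster bomb takes one list per position and tries every combination, which is why the login:password test needs two lists. The Python below is an added example, not Burp's code or the article's; it reproduces that assignment with Burp's § markers and the article's longest-response heuristic over a constructed fake target (fake_send is a stand-in, not a real application).

```python
import itertools
from typing import Callable, Iterable, List, Tuple

# Constructed request template using Burp's § markers; the base values are the
# article's login:password inputs (1:1).
TEMPLATE = "login=§1§&password=§1§"

def split_template(template: str) -> Tuple[List[str], List[str]]:
    """Return the static text pieces and the base value at each § position."""
    parts = template.split("§")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced § markers")
    return parts[0::2], parts[1::2]

def build_requests(template: str, payload_sets: List[List[str]], attack: str):
    """Yield concrete requests. Sniper: one payload set, one position fuzzed
    at a time while the others keep their base value. Cluster bomb: one set
    per position, every combination tried."""
    static, base = split_template(template)

    def assemble(values):
        return static[0] + "".join(v + s for v, s in zip(values, static[1:]))

    if attack == "sniper":
        if len(payload_sets) != 1:
            raise ValueError("sniper takes exactly one payload set")
        for pos in range(len(base)):
            for payload in payload_sets[0]:
                values = list(base)
                values[pos] = payload
                yield assemble(values)
    elif attack == "cluster bomb":
        if len(payload_sets) != len(base):
            raise ValueError("cluster bomb needs one payload set per position")
        for combo in itertools.product(*payload_sets):
            yield assemble(combo)
    else:
        raise ValueError(f"unknown attack type {attack!r}")

def rank_by_length(requests: Iterable[str], send: Callable[[str], str], top: int = 3):
    """Send each request and return (length, request) pairs, longest first:
    the article's heuristic for spotting a payload that changed behaviour."""
    results = [(len(send(r)), r) for r in requests]
    results.sort(key=lambda pair: pair[0], reverse=True)
    return results[:top]

# Constructed stand-in for the target, not a real application: every login
# fails except one sentinel payload that returns the much longer account page.
def fake_send(request: str) -> str:
    if "password=<fuzz-hit>" in request:
        return "<html>" + "Welcome, Neo. " * 100 + "</html>"
    return "<html>Invalid credentials</html>"
```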

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

Time Scheduling on SSH Port

This article is related to network security; it helps the network administrator secure a running service on any server by scheduling tasks. We are going to schedule a task for the SSH service in order to add another layer of security to the network; in simple words, we are going to set a time limit for the SSH service on the server.

Cron is a UNIX-like computer utility which schedules a command or script on your server to run automatically at a specified time and date. A cron job is the scheduled task itself.

service ssh start

service ssh status

As you can see from the image below, the SSH service is running.

We are going to schedule the SSH service using crontab; crontab is a built-in service of Linux for scheduling tasks.

The user requires root permission to open the crontab; now type the following command:

sudo crontab -e

We have opened the crontab using nano; the image below shows the crontab interface.

Crontab uses the format “m h dom mon dow [command]”. The following table will help you in writing a schedule for crontab:

Field     Value
m         minute, 0-59
h         hour, 0-23
dom       day of month, 1-31
mon       month, 1-12
dow       day of week, 1-7 [1 stands for Monday]
command   the required command to be run

Now, if we need to schedule a task at 8:00 am on Monday, we write the entry as follows:

0 8 * * 1 [command]

Now we are going to use crontab to schedule the SSH service. We are going to schedule the SSH service for 3 minutes and have it stop after 4 minutes of use once it is activated.

We use the following entry for scheduling the task:

* * * * * sleep 180;/usr/sbin/service ssh start

The above entry schedules the task for only 3 minutes, where 180 seconds equals 3 minutes; to stop the SSH service after that, add the entry below, where 240 seconds equals 4 minutes.

* * * * * sleep 240;/usr/sbin/service ssh stop

Let’s check whether the above entries are working or not.

Wait for the service to restart. Using nmap we scan port 22:

nmap -p 22 127.0.0.1

After scanning you will observe that the SSH service is running and port 22 is open.

nmap -p 22 127.0.0.1

Now, if our entry is working properly, the service should stop itself once 4 minutes have passed; we check again using nmap.

The port is now closed at the 4th minute.

Now, if I want to schedule a task at a particular time, say start my SSH service at 5:00 am and stop it at 5 pm, we use these entries:

0 5 * * * /usr/sbin/service ssh start

0 17 * * * /usr/sbin/service ssh stop

This command schedules the ssh service to start every day at 5:00 am and stop the ssh service at 5:00 pm.
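To check an entry against the m h dom mon dow table before installing it (the entries above included), here is a small cron-field evaluator in Python. It is an added example, not part of the original article; it also accepts dow 7 as an alias for Sunday, which the table above does not mention.

```python
from datetime import datetime

# Field order and ranges from the "m h dom mon dow" format. dow 7 is accepted
# as an alias for Sunday (0); that alias is an addition, not from the table.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("dom", 1, 31),
          ("month", 1, 12), ("dow", 0, 7)]

def expand_field(spec: str, lo: int, hi: int) -> set:
    """Expand one cron field ('*', '5', '1-5', '*/15', '1,3,5', '1-5/2')."""
    values = set()
    for item in spec.split(","):
        rng, _, step = item.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(rng)
            if step > 1:          # Vixie cron reads "N/step" as N..hi
                end = hi
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"{item!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line: str):
    """Split an entry into five expanded time fields plus the command string."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("need five time fields and a command")
    sets = [expand_field(p, lo, hi) for p, (_, lo, hi) in zip(parts[:5], FIELDS)]
    if 7 in sets[4]:              # normalise Sunday to 0
        sets[4].discard(7)
        sets[4].add(0)
    return sets, parts[5]

def fires_at(line: str, when: datetime) -> bool:
    """True if cron would run this entry in the given minute. As in cron, when
    both dom and dow are restricted, matching either one is enough."""
    (mins, hrs, dom, mon, dow), _ = parse_crontab_line(line)
    if when.minute not in mins or when.hour not in hrs or when.month not in mon:
        return False
    dom_ok = when.day in dom
    dow_ok = (when.isoweekday() % 7) in dow   # isoweekday: Mon=1 .. Sun=7
    if dom == set(range(1, 32)) or dow == set(range(0, 7)):
        return dom_ok and dow_ok
    return dom_ok or dow_ok

def fires_at_iso(line: str, iso: str) -> bool:
    """Convenience wrapper taking an ISO timestamp such as '2024-01-08T08:00'."""
    return fires_at(line, datetime.fromisoformat(iso))

def sleep_delay(line: str) -> int:
    """Seconds of 'sleep N;' prefixed to the command, as in the article's
    '* * * * * sleep 240;/usr/sbin/service ssh stop' entry; 0 if none."""
    _, cmd = parse_crontab_line(line)
    head = cmd.strip().split(";", 1)[0].split()
    return int(head[1]) if head[:1] == ["sleep"] and len(head) > 1 else 0
```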

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.

Beginner Guide to Website Footprinting

In our previous article we gave a brief introduction to footprinting for gathering information related to a specific person. As we discussed, there are many types of footprinting, and today we are going to talk about DNS footprinting, website footprinting and whois footprinting.

Browsing the target website may provide:

  • Whois details
  • Software used and version
  • OS details
  • Sub domains
  • File name and file path
  • Scripting platform & CMS details
  • Contact details

Let’s start!!

From Wikipedia 

Whois footprinting

WHOIS (pronounced as the phrase "who is") is a query and response protocol, and whois footprinting is a method for glancing at information about the ownership of a domain name, such as:

  • Domain name details
  • Contact details, containing the phone number and email address of the owner
  • Registration date for the domain name
  • Expiry date for the domain name
  • Domain name servers

Whois Lookup

It is broadly used in support of querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.

Browse to the URL http://whois.domaintools.com/ in a browser and type any domain name.

For example: let’s search pentestlab.in

Now you can see it has produced a whois record for pentestlab.in containing details like the email address, IP and registrant organisation. From this record anyone can guess that the domain has some connection to Raj Chandel; an attacker would then perform footprinting on Raj Chandel with the help of the previous article.

There are many other tools used for whois footprinting, for example:

  • Caller IP
  • Whois Analyzer pro
  • Whois lookup multiple address
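Whois replies come back as key: value lines, so the fields listed above (domain, contacts, registration and expiry dates, name servers) can be pulled out programmatically, for instance to watch your own domains for an approaching expiry. The Python below is an added example and not part of the original article; the WHOIS text it parses is constructed with placeholder names and addresses, not a real record.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed WHOIS reply in the "Key: value" layout most registries return.
# The domain, organisation, addresses and dates are placeholders.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LAB.INVALID
Registry Domain ID: D000000-PLACEHOLDER
Creation Date: 2012-05-04T10:11:12Z
Registry Expiry Date: 2025-05-04T10:11:12Z
Registrant Organization: Example Lab Holdings
Registrant Email: owner@example-lab.invalid
Admin Email: owner@example-lab.invalid
Name Server: NS1.EXAMPLE-DNS.INVALID
Name Server: NS2.EXAMPLE-DNS.INVALID
DNSSEC: unsigned
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

def parse_whois(text: str) -> Dict[str, List[str]]:
    """Group 'Key: value' lines into a dict; repeated keys (Name Server) keep every value."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(">>>"):
            continue                      # skip footer/comment lines
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:
            record.setdefault(key, []).append(value)
    return record

def summarize(record: Dict[str, List[str]]) -> dict:
    """Pull out the fields the article lists: domain, contacts, dates, name servers."""
    def first(key):
        return record.get(key, [None])[0]
    def date(key):
        value = first(key)
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").date() if value else None
    emails = sorted({m.lower() for vals in record.values()
                     for v in vals for m in EMAIL_RE.findall(v)})
    return {"domain": (first("domain name") or "").lower(),
            "registrant_org": first("registrant organization"),
            "emails": emails,
            "created": date("creation date"),
            "expires": date("registry expiry date"),
            "name_servers": [ns.lower() for ns in record.get("name server", [])]}

def days_to_expiry(summary: dict, today) -> int:
    """Days before the registration lapses (negative once it has expired)."""
    return (summary["expires"] - today).days
```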

DNS Footprinting

An attacker performs DNS footprinting in order to enumerate DNS record details and the types of servers. There are 10 types of DNS record which provide important information related to the target's location:

  1. A/AAAA
  2. SRV
  3. NS
  4. TXT
  5. MX
  6. CNAME
  7. SOA
  8. RP
  9. PTR
  10. HINFO

Domain Dossier: an online tool used for complete DNS footprinting as well as whois footprinting.

There are many online tools used for DNS footprinting. Using Domain Dossier we will check the DNS records of pentestlab.in: select the check boxes for DNS records and traceroute and then click Go.

You can observe that the data we received from the whois lookup and from Domain Dossier is the same to some extent. It has given the same email ID as above, i.e. rrajchandel@gmail.com, and moreover details of the DNS records TXT, SOA, NS, MX, A and PTR.

DNS Dumpster: also an online tool used for DNS footprinting.

DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Enumerate a domain and pull back up to 40K subdomains; results are available in an XLS for easy reference.

Repeating the same process for pentestlab.in, it searches for its DNS records. From the screenshot you can observe that we received the same details as above. Moreover, it creates a copy of the output as an XLS file.

You Get Signal: also an online tool used for DNS footprinting as well as for network footprinting.

A reverse IP domain check takes a domain name or IP address pointing to a web server and searches for other sites known to be hosted on that same web server. Data is gathered from search engine results, which are not guaranteed to be complete.

Hence we get the IP 72.52.229.111 for pentestlab.in; moreover it dumped the names of 14 other domains hosted on the same web server.

Website Footprinting

It is a technique used for extracting details related to a website, such as:

  1. Archived description of website
  2. Content management system and framework
  3. Script and platform of the website and webserver
  4. Web crawling
  5. Extract meta data and contact details from website
  6. Website and web page monitoring and analyzer

Archive.org: an online tool used for visiting archived versions of any website.

Archive.org has a search option called the Wayback Machine, which is like a time machine for any website. It holds the whole history of a website from the past to the present: layout, content and everything else related to the site. In simple words, it contains the history of any website.

For example, I searched for the archived record of hackingarticles.in from 2012.

 

BuiltWith: an online tool used for detecting the technologies and frameworks involved in a running website.

BuiltWith.com technology tracking includes widgets, analytics, frameworks, content management systems, advertisers, content delivery networks, web standards and web servers, to name some of the technology categories.

Taking hackingarticles.in as an example again, we found the following:

  • Content Management System: WordPress
  • Framework: PHP

WhatWeb

WhatWeb can identify all sorts of information about a live website, like: platform, CMS platform, type of script, Google Analytics, web server platform, and IP address country. A pentester can use this tool as both a recon tool and a vulnerability scanner.

Open the terminal in Kali Linux and type the following command:

whatweb www.pentestlab.in

As a result we receive the same information as above.

Web crawling

HTTrack is a free and open source web crawler and offline browser, developed by Xavier Roche.

It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link structure.

Give the target URL to copy, www.pentestlab.in, which starts downloading the website.

http://www.hackingarticles.in/5-ways-crawl-website/

Web Data Extractor

Web Data Extractor Pro is a web scraping tool specifically designed for mass-gathering of various data types. It can harvest URLs, phone and fax numbers, email addresses, as well as meta tag information and body text. Special feature of WDE Pro is custom extraction of structured data.

Start a new project, type the target URL ignitetechnologies.in, select a folder to save the output and click OK.

Now this tool will extract metadata, email addresses, contact numbers, etc. from the target URL.

From the screenshot you can see it found 40 meta tags, 1 email and 84 phone numbers on the ignitetechnologies.in website.

Similarly, there are other tools used as web data extractors, for example:

Web spider

Competitive Intelligence

Website-Watcher is a powerful yet simple website-monitoring tool, perfectly suited to the beginner and advanced user alike.  You can download it from here.

Open a new tab and enter the target URL to start monitoring the target website.

For example, I entered the URL hackingarticles.in to monitor this website.

Similarly, there are some other tools used for monitoring:

  • OnWebChange
  • Follow That Page
  • InfoMinder

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.