Comprehensive Guide to Dirb Tool

In this article, we focus on directory enumeration with the Kali Linux tool DIRB, trying to find hidden files and directories within a web server.

A path traversal attack (also known as “directory traversal”) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration and critical system files.

Source: https://www.owasp.org/index.php/Path_Traversal

Requirements

Target- BWAPP Labs, DVWA Labs, webscantest.com

Attacker – Kali Linux

Table of contents

  • Introduction to DIRB
  • Utilizing Multiple Wordlists for Directory Traversing
  • Default working of Dirb
  • Enumerating Directories with a Specific Extension List
  • Save Output to Disk
  • Ignore Unnecessary Status-Codes
  • Default Working Vs Not Stop on WARNING Messages Working
  • Speed delay
  • Not recursively (-r)
  • Show Non-Existent Pages
  • Extension List (-X parameter) Vs Extension Header (-H parameter)
  • Not forcing an ending ‘/’ on URLs (-t)
  • HTTP Authentication (-u username:password)

What is DIRB?

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary-based attack against a web server and analyzing the response.

It comes with a set of preconfigured attack wordlists for easy usage, but you can use your custom wordlists. Also, DIRB sometimes can be used as a classic CGI scanner, but remember it is a content scanner, not a vulnerability scanner.

The main purpose is to help in professional web application auditing. Especially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can’t look for. It doesn’t search vulnerabilities nor does it look for web contents that can be vulnerable.

Source: https://tools.kali.org/web-applications/dirb

DIRB is built into Kali Linux. Open the terminal and type the following command to get an overview of the options the tool supports:

dirb

 -a <agent_string> : Specify your custom USER_AGENT.
 -c <cookie_string> : Set a cookie for the HTTP request.
 -f : Fine tunning of NOT_FOUND (404) detection.
 -H <header_string> : Add a custom header to the HTTP request.
 -i : Use case-insensitive search.
 -l : Print "Location" header when found.
 -N <nf_code>: Ignore responses with this HTTP code.
 -o <output_file> : Save output to disk.
 -p <proxy[:port]> : Use this proxy. (Default port is 1080)
 -P <proxy_username:proxy_password> : Proxy Authentication.
 -r : Don't search recursively.
 -R : Interactive recursion. (Asks for each directory)
 -S : Silent Mode. Don't show tested words. (For dumb terminals)
 -t : Don't force an ending '/' on URLs.
 -u <username:password> : HTTP Authentication.
 -v : Show also NOT_FOUND pages.
 -w : Don't stop on WARNING messages.
 -X <extensions> / -x <exts_file> : Append each word with this extensions.
 -z <milisecs> : Add a miliseconds delay to not cause excessive Flood.

Utilizing Multiple Wordlists for Directory Traversing

DIRB uses common.txt as its default wordlist, but we can change this and select another wordlist for directory traversing. Follow the path below to view all available wordlists.

You can see from the image below that there are many text files available as wordlists; we can use them as required.

Default working of Dirb

In this attack common.txt is used as the default wordlist for directory traversal, and the pentester can use the following command. Open the terminal and type the following command to start the brute-force directory attack.

Using the common.txt file, DIRB returns the enumerated directories found under the target URL, as shown in the image below.
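Seen from the web server's side, the default scan described above is a burst of requests for wordlist entries, most of which are answered 404. As an added example (not part of this article or the DIRB project), the following Python heuristic flags that pattern in combined-format access logs; all log lines in it are constructed. Because the -a option lets a tester set any User-Agent, the heuristic keys on request volume and miss ratio rather than the UA string, which it only reports.

```python
# Added example (not from the article or the DIRB project): a defender-side
# heuristic that flags wordlist-driven directory enumeration in Apache/nginx
# combined-format access logs. All log lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_enumeration(lines, min_paths=20, min_miss_ratio=0.8):
    """Return {ip: summary} for clients that, within a single minute, requested
    at least `min_paths` distinct paths with at least `min_miss_ratio` of them
    answered 404. The User-Agent is reported but never used as the signal,
    since dirb -a lets a tester set it to anything."""
    buckets = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        buckets[(rec["ip"], rec["ts"].replace(second=0))].append(rec)
    flagged = {}
    for (ip, minute), recs in buckets.items():
        paths = {r["path"] for r in recs}
        misses = sum(1 for r in recs if r["status"] == 404)
        ratio = misses / len(recs)
        if len(paths) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = {
                "minute": minute.strftime("%Y-%m-%d %H:%M"),
                "requests": len(recs),
                "distinct_paths": len(paths),
                "miss_ratio": round(ratio, 2),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return flagged

def _line(ip, ts, path, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed traffic: one client walks 24 wordlist entries within a minute
# (two of them exist), while a second client browses normally.
SCAN_WORDS = ["admin", "backup", "cgi-bin", "config", "dev", "images", "login",
              "old", "phpmyadmin", "test", "tmp", "uploads"] + [f"dir{i}" for i in range(12)]
SCANNER_UA = "Mozilla/5.0 (constructed scanner UA)"
BROWSER_UA = "Mozilla/5.0 (constructed browser UA)"
SAMPLE_LOG = [
    _line("203.0.113.7", f"12/Mar/2019:10:15:{i:02d} +0000", f"/{w}/",
          200 if w in ("images", "login") else 404, SCANNER_UA)
    for i, w in enumerate(SCAN_WORDS)
] + [
    _line("198.51.100.5", "12/Mar/2019:10:15:05 +0000", "/", 200, BROWSER_UA),
    _line("198.51.100.5", "12/Mar/2019:10:15:09 +0000", "/login/", 200, BROWSER_UA),
    _line("198.51.100.5", "12/Mar/2019:10:15:30 +0000", "/missing.png", 404, BROWSER_UA),
]

if __name__ == "__main__":
    for ip, summary in flag_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

A scan slowed down with -z spreads its requests over more minute buckets, so lowering `min_paths` or widening the bucket is the knob to turn when tuning this on real logs.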

Enumerating Directory with Specific Extension List

There are many situations where we need to enumerate files of a specific extension on the target server; for this we use the -X parameter of the dirb scan. This parameter accepts a file extension and then searches for files with that extension on the target server.

The above command extracts all directory paths with the php extension, as shown in the following image.

Save Output to Disk

For record keeping, better readability and future reference, we save the output of the dirb scan to a file. Using the -o parameter of the dirb scan, we can save its output in a text file.

The above command generates an output.txt file on the Desktop containing the enumerated directories.

Now that we have successfully executed the command, let’s traverse to the location to check whether the output has been saved to the file or not. In this case our output location is /root/Desktop/output.txt.

Ignore Unnecessary Status-Code

The Status-Code element is a 3-digit integer: the first digit defines the class of response, and the last two digits have no categorization role. In this attack we use the -N parameter with code 302, as shown below.

As you can see from the screenshot, the dirb scan ignores responses with status code 302, the code passed to -N.

Default Working Vs Not stop on WARNING messages Working

During a normal dirb scan, as shown below, some of the pages generate warnings, and the dirb scan skips the directories where it encounters a warning.

When a scan has to be very deep and verbose, we want dirb not to skip on these warnings but to carry on with an in-depth scan; hence we use the -w parameter.

As you can observe, the highlighted directory /dev/shell is enumerated even after the warning message, whereas it is missing from the default scan.

Speed delay

Working in different scenarios, we come across some environments that cannot handle the flood of requests created by the dirb scan, so in those environments it is important to delay the scan. This is easily done with the -z parameter of the dirb scan, which takes its value in milliseconds. In our example we pass a delay value of 100 to dirb.

Not recursively (-r)

By default, the dirb scan works recursively: it scans a directory and then traverses into that directory to scan for further subdirectories. In scenarios where time is short, we can tell dirb not to scan recursively, using the -r parameter.

Show Non-Existent Pages

A 404 error is an HTTP status code meaning that the page you were trying to reach could not be found on the server. 404 Not Found messages are frequently customized by individual websites. In some scenarios we need to see the 404 pages too, which dirb skips by default. To see those pages we use the -v parameter.

In the image below you can observe that it has also listed all the paths that returned a 404 error.

Extension List (-X parameter) Vs Extension Header (-H parameter)

Using the -X parameter with the target URL and a specific extension, for example .php, enumerates all files or directories with the .php extension; using the -H parameter with the same extension and target URL instead enumerates all files or directories named with php, as shown in the image below.

Not forcing an ending ‘/’ on URLs (-t)

In the attacks used in the previous sections, we had to add a forward slash (/) at the end of the URL for dirb to accept it. To check this, let us try one attack on a URL without a trailing forward slash.

You will observe that the scan does not execute successfully because of the missing forward slash, whose importance we discussed earlier in this article.

Try this attack once more with the same command, but this time add -t to it.

As we can now observe, even without the trailing forward slash, the dirb scan executes successfully.

HTTP Authentication (-u username:password)

HTTP authentication mechanisms are all based on the 401 status code and the WWW-Authenticate response header. The most widely used HTTP authentication mechanism is Basic: the client sends the username and password as unencrypted, base64-encoded text.

So, to authenticate against this kind of protection with dirb, we have used the command below:

As a result, it shows status code 200, since test:test is an authorized credential on the target URL.

Hack the Box: DevOops Walkthrough

Today we are going to solve another CTF challenge, “DevOops”. DevOops is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of DevOops is 10.10.10.91

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

From the Nmap scan, we see that ports 22 and 5000 are the only open ports on the target, so first let’s navigate to port 5000 through a web browser. Exploring the given URL brings up the web page shown in the image below.

Since we didn’t get any remarkable clue from the home page, we opted for the Dirb tool for directory enumeration and executed the following command.

Hmm!! Here I received HTTP response 200 for the /feed and /upload directories.

So we open http://10.10.10.91:5000/upload in the URL bar and are welcomed by the web page shown below. This page lets you upload an XML file containing the XML elements Author, Subject and Content. For that reason, we have created an XML file with the help of the following code and saved it as 1.xml.

Then browse to the xml file you created and intercept the browser request with Burp Suite while uploading.

Now send the intercepted request to the repeater.

Inside the XML file we have injected an XXE payload that makes the parser read the /etc/passwd file, so we need to analyse its result in the repeater.

And as you can observe from the image below, the xml code works wonderfully and returns the content of the /etc/passwd file to us.

Similarly, we extract the SSH RSA key by modifying the XXE entity as shown in the image below. Now copy the whole key and save it in a text file.
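The file reads above work because the upload handler lets the XML parser resolve entity declarations. As an added example (not part of this walkthrough or of the DevOops box), here is the fix a defender would apply to such a handler: a Python parser that refuses any document carrying a DOCTYPE or entity declaration before reading the Author/Subject/Content fields. The element names and all three sample documents are constructed; the check also rejects internal-entity expansion bombs, which the walkthrough does not discuss.

```python
# Added example (not from the article or the DevOops box): a hardened parser
# for an Author/Subject/Content XML upload. An expat pre-scan refuses any
# document that declares a DOCTYPE or entities before the content is parsed,
# which blocks external-entity file reads and entity-expansion bombs alike.
# Element names mirror the DevOops upload form; all documents are constructed.
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when an upload declares a DTD or entities."""

def find_declarations(data: bytes):
    """Return the DOCTYPE/ENTITY declarations present in `data` (empty if none)."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found.append(f"DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        found.append(f"ENTITY {name} ({kind}, system_id={sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # well-formedness is checked again by ElementTree in parse_upload
    return found

def parse_upload(data: bytes) -> dict:
    """Parse an upload into {tag: text}, rejecting anything that carries a DTD."""
    decls = find_declarations(data)
    if decls:
        raise UnsafeXMLError("; ".join(decls))
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}

def is_safe_upload(data: bytes) -> bool:
    """True only for well-formed documents without any declarations."""
    try:
        parse_upload(data)
        return True
    except (UnsafeXMLError, ET.ParseError):
        return False

BENIGN_UPLOAD = b"""<?xml version="1.0"?>
<elements>
  <Author>constructed author</Author>
  <Subject>constructed subject</Subject>
  <Content>hello</Content>
</elements>"""

# The shape of the payload used against the box: an external entity naming a local file.
XXE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE elements [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<elements><Author>&xxe;</Author><Subject>s</Subject><Content>c</Content></elements>"""

# Internal entities are refused too (entity-expansion, "billion laughs" shape).
BOMB_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE elements [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> ]>
<elements><Author>&b;</Author><Subject>s</Subject><Content>c</Content></elements>"""

if __name__ == "__main__":
    print(parse_upload(BENIGN_UPLOAD))
    for doc in (XXE_UPLOAD, BOMB_UPLOAD):
        print("rejected:", find_declarations(doc))
```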

Since we have copied the RSA private key into a text file named “key”, we set permission 600 on it and try to log in with the following command.

Boom!! We have spawned a shell on the target machine; let’s go for the user.txt file.

Great!!! We have completed the first task, but to obtain root.txt we need to escalate to root privileges, and to do so we traversed many directories and files to find the next clue.

So we found a .git directory here; let’s check the git history with the following command.

And we obtain many strings, as shown in the following image, which may perhaps be an SSH key for root login.

So we try some of the keys with the git show command to display the output, and obtain an RSA private key that was not working properly.

And finally we obtain the original RSA key, highlighted in red text. Now copy the red text into a file, remove the ‘’ used in each line, and add “-----END RSA PRIVATE KEY-----” instead.

Since we have copied the RSA private key into a text file named “rootkey”, we set permission 600 and try to log in with the following command.

Congrats!! We have found root.txt, and in the image below you can see we have obtained its value.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets enthusiast.

Hacking with Empire – PowerShell Post-Exploitation Agent

Hello everyone and welcome to this beginner’s guide to Empire. According to their official website:

“Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.”

In this tutorial we will be covering everything you need to know about this software, straight from installation to getting a shell and even getting admin access without letting the antivirus know!

Before starting with the action you need to know these four things:

Listener: a listener is a process that listens for a connection from the machine we are attacking. This is how Empire receives the loot on the attacker’s computer.

Stager: A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.

Agent: An agent is a program that maintains a connection between your computer and the compromised host.

Module: These are what execute our malicious commands, which can harvest credentials and escalate our privileges as mentioned above.

Methodology:

  1. Creating a listener.
  2. Starting a listener.
  3. Launching a PowerShell code using launcher.
  4. Executing code on victim’s machine.
  5. Interacting with agent.
  6. Executing various modules.
  7. Bypassing UAC to get admin access.

To get started, clone the following git repo using git clone:

Now move into the installed directory and run install.sh file.

Wait for it to complete installation. This might take a few seconds. It will prompt you for a password, enter anything.

In my case, my password was toor.

Once the installation is done, move back a directory and run empire using ./empire

Help command opens up all the essential options required initially.

As our methodology states, we will be creating a listener for our local machine first.

It will say that “no listeners are currently active” but don’t worry, we are into the listener interface now.

This creates a listener on local port 80. If port 80 is already in use by a service like apache, make sure you stop that service first.

Note: Whenever you press Tab twice, all the available options appear, just as elsewhere in Linux.

Hence, uselistener <tab><tab> shows me all the listeners, and so on.

The above command executes the listener. Then go back and use the powershell launcher for this listener, as shown in the image below.

All we have to do now is get this powershell code into the victim’s command prompt using social engineering. Let’s assume we have access to the victim’s command prompt and have pasted our code into his cmd.

As soon as you hit enter you will see an agent being active on your empire screen. After executing the malicious powershell code, go back again to the main menu with the command:

Here you will see 1 agent active.
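What the launcher step above leaves behind on the victim is a powershell.exe process-creation event. As an added example (not part of this guide or the Empire project), the following Python triage helper scores such command lines for the switch combination a pasted one-line launcher typically uses and decodes any -EncodedCommand payload so an analyst can read it. The command lines are constructed; the encoded body is a harmless placeholder standing in for a real stager.

```python
# Added example (not from the article or the Empire project): a triage helper
# for Windows process-creation events (Sysmon Event ID 1 / Security 4688) that
# scores powershell.exe command lines for launcher-style switches and decodes
# any -EncodedCommand payload. All command lines below are constructed.
import base64

# Long and short forms of the PowerShell switches of interest.
SWITCHES = {
    "-nop": "noprofile", "-noprofile": "noprofile",
    "-noni": "noninteractive", "-noninteractive": "noninteractive",
    "-w": "windowstyle", "-windowstyle": "windowstyle",
    "-sta": "sta",
    "-ep": "executionpolicy", "-executionpolicy": "executionpolicy",
    "-e": "encodedcommand", "-ec": "encodedcommand", "-enc": "encodedcommand",
    "-encodedcommand": "encodedcommand",
}

def decode_encoded_command(blob: str):
    """-EncodedCommand carries UTF-16LE script text in base64; None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_command_line(cmdline: str, threshold: int = 3):
    """Return None for non-PowerShell processes, else a dict with the distinct
    switches seen, the decoded script (if any) and a verdict: `threshold` or more
    distinct switches, or a hidden window combined with an encoded command."""
    tokens = cmdline.split()
    if not tokens or "powershell" not in tokens[0].lower():
        return None
    seen, decoded = [], None
    for i, tok in enumerate(tokens[1:], start=1):
        name = SWITCHES.get(tok.lower())
        if not name:
            continue
        seen.append(name)
        has_arg = i + 1 < len(tokens)
        if name == "encodedcommand" and has_arg:
            decoded = decode_encoded_command(tokens[i + 1])
        # -WindowStyle 1 is the numeric form of Hidden.
        if name == "windowstyle" and has_arg and tokens[i + 1].lower() in ("1", "hidden"):
            seen.append("hidden-window")
    distinct = sorted(set(seen))
    suspicious = len(distinct) >= threshold or (
        "hidden-window" in distinct and "encodedcommand" in distinct)
    return {"switches": distinct, "decoded": decoded, "suspicious": suspicious}

def encode_for_powershell(script: str) -> str:
    """Helper used only to build the constructed sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed events: an admin running a cmdlet, a launcher-style one-liner
# whose encoded body is a harmless placeholder, and an unrelated process.
ADMIN_CMD = "powershell.exe -NoProfile -Command Get-Service"
LAUNCHER_CMD = ("powershell -noP -sta -w 1 -enc "
                + encode_for_powershell("Write-Output 'constructed launcher body placeholder'"))
NOTEPAD_CMD = r"C:\Windows\System32\notepad.exe C:\Users\raj\notes.txt"

if __name__ == "__main__":
    for cmd in (ADMIN_CMD, LAUNCHER_CMD, NOTEPAD_CMD):
        print(analyse_command_line(cmd))
```

The decoded body is where the real signal sits on a live system, so pair this with PowerShell script block logging rather than relying on the switch score alone.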

You can also rename the agent’s name to a rather simple one using the rename command.

Now, to get an admin shell, run the bypassuac module with the following command.

The list command can be used anywhere to see the list for the current interface. Here it displays the list of agents in the agents interface.

Let’s rename the new agent to a simpler name, once again.

Now you can see that we got a new admin shell using bypassuac and renamed it to adminraj.

Let’s interact with adminraj now.

<tab><tab> helps us view all the options in the shell. Several of these are quite helpful for post-exploitation, such as info, job and list, as shown in the image.

Info: shows all the basic details like IP, nonce, jitter, integrity etc.

Let’s try to run mimikatz to get the user’s password. Since mimikatz won’t run in a normal user shell and only works in an admin shell, this also shows why we had to obtain admin access before using mimikatz.

Hmmmm!! And the password is “123”for user raj.

Above command will dump the credentials or password of any user in both plaintext and its hash as well.

Another important command is the shell command.

We use this feature to run proper Microsoft Windows commands in the victim’s shell.

E.g. one such Windows cmd-only command is netstat.

As expected, it showed us all the ports in work currently on the machine!

Now, since the default shell directory in Windows is “C:\Windows\System32”, let’s try to move into another directory, download a file from there, and also upload something to that location; for example, we can upload a backdoor.

The above command downloads an image called 6.png from the Windows desktop to Empire’s downloads directory.

Here we can upload any backdoor; with the above command we upload a php backdoor from Kali’s desktop to the victim’s desktop, and we can even invoke this file since we have shell access.

This is where the downloaded files go:

The above command confirms that we have indeed uploaded revshell.php.

And there it is: revshell.php, our backdoor file, on the desktop of the victim’s machine.

Happy Hacking!!!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker.

Why should an organization hire an Information Security professional?

Every business organization seeks the safety and security of its internal information. It is essential to ensure that data is protected from malicious attackers who breach the network through unfair practices. Maintaining a sound information security policy and hiring the right group of qualified professionals is of prime importance to any organization that intends to prevent its internal servers and systems from being compromised. Such professionals ensure that software installations are up to date and build in security layers that make it difficult for cyber attackers to intrude into the network.

What is CISSP?

CISSP stands for Certified Information Systems Security Professional. This certification is conferred by the International Information Systems Security Certification Consortium (ISC)², a global non-profit organization specializing in IT security. (ISC)² is regarded as one of the world’s largest information security organizations and offers a variety of security certifications such as CISSP, CSSLP and CAP.

As an information security aspirant, there are multiple benefits to obtaining a CISSP certification that you simply cannot ignore. Let’s discuss some of the top reasons to earn such a certification and see how a CISSP is integral to any business organization and acts as a key component in the selection procedure for managerial-level information security positions.

  • Global Recognition

Obtaining a CISSP certification is a good move for a flourishing IT career, because CISSP provides industry-wide recognition and is considered the “Best Professional Certification Program” by SC Magazine. This certification is highly endorsed and recognized by well-known global MNCs like Google, IBM etc. It is ascertained that there is a projected requirement of about 56% of cyber experts in the current job market.

  • (ISC)² Membership

You are eligible to earn an (ISC)² membership once you complete the CISSP certification. This membership offers a wide array of resources and advantages that help you improve your knowledge and your network. You only need to pay an annual maintenance fee to retain the membership. As a member, you also stand a chance to earn discounts on industry seminars and conferences and get free access to certain online events. Your credentials are available online through digital badges. The benefits of membership are immense and open up a world of possibilities for staying connected with the latest findings and resources.

  • Job Competency

The core content of CISSP provides a wide range of understanding of the security field to the information security professionals and creates an awareness of the latest security threats. This certification encompasses knowledge transfer of control devices and the network architecture to maintain the integrity and confidentiality of public and private networks. The course content is designed in such a way that it involves the application of security concepts and the best practices for software development, enterprise computing solutions in the production and operation environment.

  • Increased Earning Potential

Getting a CISSP certification under your belt not only assures you of advanced knowledge and skill-sets but also commands higher remuneration. In 2017, there were around 1 million job openings in cybersecurity, which is likely to go beyond 1.5 million by 2019. Organizations are continuously competing to hire the best security talent in the market and are ready to pay handsome salaries to prospective candidates. On average, a CISSP earns 25% more than non-certified counterparts.

  • High Demand for Security Experts

On a global scale, companies are investing more on hiring CISSP certified experts. With the ever-increasing intensity of hacker activities across the world, organizations are struggling to keep at bay such security breaches which hamper their internal security fabric. For this reason, employers are recruiting certified cybersecurity experts to prevent such network intrusion by building stronger security layers thereby protecting their internal servers and systems from malicious attacks.

Takeaway

Considering all the factors discussed in this article, we can safely conclude that obtaining a CISSP certification can certainly propel your IT career to a great extent. CISSP is thus a very well-performing certification, and once you are through it, it provides a rewarding, lucrative and satisfying career path in the long run.

Author Bio: I am Maria Thomas, Content Marketing Manager and Product Specialist at GreyCampus with eight years’ experience in professional certification courses like PMI Project Management Professional, PMI-ACP, Prince2, ITIL (Information Technology Infrastructure Library), Big Data, Cloud and Six Sigma.
