Multiple Ways to Install Kali

In this article, we will learn how to open the magic box of ethical hacking. Can you guess the name of that box? Ok, I tell you the name is KALI the magic box of ethical hacking. Through this article, you will learn the installation of Kali  Linux on different platforms along with the features.

Table of Content

  • Introduction of kali Linux
  • Features of kali Linux
  • Prerequsities for kali Linux installtion
  • Kali installation on VM (Virtual machine)
  • Kali installation on Virtual Box
  • Kali installation on AWS
  • Kali installation on Respberry pi

Introduction of Kali Linux

“The quieter you become, the more can to hear”—Kali Linux

As per my definition, Kali Linux is a magic box that contains multiple magic tools to play the magic. In technical terms, Kali Linux is an open-source, Debian based Linux distribution mainly for penetration testing, security auditing, computer Forensic, Security research, etc. it contains over 600 tools of information gathering(Amap, arp-scan, APT2, etc.), vulnerability analysis (Nmap, sqlmap, BBQSQL, etc., ), wireless attack( Airbase-ng, Air crack-ng, airplay-ng, etc.), web applications(BrupSuite, zaproxy, Web Scarab), exploitation (Metasploit, Armitage, crackle), forensics (DFF, Capstone, Binwalk, etc.), etc.
It is developed, maintained and funded by Offensive Security, a leading information security training company.

Features of Kali Linux

Free of cost –it is completely free of cost, you will never have to pay for it. All the development source code are freely available to you.

Over 600 tools available for different functionality e.g computer forensics, penetration testing, etc

Completely customizable – it is easy to customize based on your needs and preferences.

Usable on a wide range of ARM devices.

Prerequisites for Kali Linux Installation

Kali OS software package required a minimum of 10 GB hard disk space for installation.

  •        Minimum 512MB Ram is required for i386 and amd64 architectures.
  •        A bootable CD-DVD Drive or a USB stick.

Give me six hours to chop down a tree and I will spend the first for four sharpening the axe.—Abraham Lincoln

Installation of Kali on Vmware

Vmware Workstation enables users to set up virtual machines on a single physical machine and use them simultaneously along with the actual machine. A Virtual machine can be downloaded from www.vmware.com.

Download kali from  http://kali.org/downloads/ 64 bit or 32 bit as per your computer capability.

Click on create a new virtual machine by selecting the Installer disc image file (ISO), and review the configured virtual machine and then powered on the created kali virtual machine.

 At the boot menu, many options are available so I am going to describe all boot menu options briefly:

Live (amd64)

Probably the one you’re searching for. This one will boot you into Kali, but only in the Live mode. That means, that when you terminate/shutdown your laptop everything you’ve saved/edited in Kali is lost. So if you make a file on your desktop, that file will be lost when you restart.

This is possible because Kali only writes to RAM and not your HDD.

Live (forensic mode)
This is a special and interesting mode. In this mode, the internal HDD is never touched, and the auto-mounting of devices is disabled. You’ll use this when performing forensics on a device (e.g. recovering sensitive files, getting evidence in crime scenes.)

Live USB Persistence
Use this if you want to install Kali on the USB you booted from, this way you can save what you’ve done, etc. If you now place a file on your desktop, it’s saved on your USB and is again accessible when you boot from it.

Live USB Encrypted Persistence
Same as above. Alone with this option, your USB is also encrypted with LUKS. If you choose USB Persistence, choose this one!

(Graphical) Install                                                                                        
If you want to install it on your HDD.

Install with speech synthesis
Install it, the text from the installation-menu is read out to you

But through the down arrow key, you can select Graphical install.

After selection of Graphical install, you will get the multiple next windows of

Preferred language selection- English (select as per your choice) then click continue

Location – United States (select as per your choice) click continue

Standard keymap –  American English (select as per your choice) click on continue

On the next screen you will ask to configure the network, select Do not configure the network at this time and hit the continue.

Now in a single word, you can provide the hostname e.g. Kali (any name as per your choice). Then click on continue.

Set the password for the root account. Don’t forget the password you have set for the root account otherwise you have to install kali again.

On the next screen, select the time zone and click continue.

 

Kali detects the disk partitions. Select guided-use entire disk then click continue.

 

Installer confirms that partition you are going to use. Click continue.

 

Select the All files in one partition and click on continue.

Selection of disk partition has been done, you can see the overview of partition disk you currently configured, and select the Finish partitioning and write changes to disk. After that click on continue.

Click on yes to make the changes to disk as per the selected partition changes. Then click on continue.

After partition, now Kali will start installing, you have to around 30 minutes for installation.

After Kali installation, on the next screen, you will get the network mirror option. You need to select No and click on continue.

You get the option to install the GRUB boot loader as it should be safe to install it to the master boot record of your first hard drive. Select yes and click on continue.

Select the boot loader device for GRUB installation. Select /dev/sda and click Continue.

Now you will see the installation complete dialog box. Click to continue to finalize the installation and wait for the VM to reboot. After reboot, you will see the login screen. Log in with your username or root user and provide your password. You will then see the Kali Linux desktop.

Once the VM reboots, you will see the Kali Linux login screen.

Login with username: root, Password: toor, what you entered during the installation process earlier.

 

Successfully, Kali installation has been done, now you can start working on Kali Linux.

Installation of Kali Linux on Virtual Box

VirtualBox is a software system for virtualizing the x86 computing design. It acts as a hypervisor, making a VM (virtual machine) within which the user will run another OS (operating system).

The OS within which VirtualBox runs is named the “host” OS. The OS running within the VM is named the “guest” OS. VirtualBox supports Windows, Linux, or macOS as its host OS.

 If you have already got put in VirtualBox then well smart otherwise install the newest version and install it from https://www.virtualbox.org/wiki/Downloads.

Prerequisites

  • VirtualBox installed in your Linux system
  • the image of Kali Linux present in your system
  • at least 4GB of RAM
  • at least 20-30GB of free disk space
  • network to have a system updated
  • a processor with the virtualization features enabled (often activated by default)

In virtualization, the guest OS is the virtualized system (so our Kali Linux) and the host OS is our Linux system. You can summarize the configuration that was created by you. Then launch the installation  click on the green arrow button to start .

On the next screen, you will see the installer options, select Graphical install.

After the selection of Graphical install, you have to follow all the steps the same as you have done at the time of installation of Kali Linux on VMware.

Installation of Kali Linux On AWS

Amazon Web Services (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. In aggregate, these cloud computing web services provide a set of primitive abstract technical infrastructure and distributed computing building blocks and tools. One of these services is Amazon Elastic Compute Cloud, which allows users to have at their disposal a virtual cluster of computers, available all the time, through the Internet.

For more detail description refer https://en.wikipedia.org/wiki/Amazon_Web_Services.

Prerequisites

  • An Aws account
  • Minimum 2 GB RAM (to run Metasploit)

Login to  https://aws.amazon.com/console/ to navigate web services. From the compute services, select EC2 (Elastic Compute Cloud) and click on Launch Instance.

Click on AWS Marketplace, to search  the AMI (Machine Image of Kali Linux)

In the search, tab writes Kali Linux, to the Kali AMI  and then click on select.

After selection, you can see the summary of all the instances types, software, amount available for Kali Linux. (As per your requirement you can choose, also free tier instance is also available).Then click on continue.

Now you can choose instance type as per your budget, you can select t2micro along with vcpu 1,2.5GHz, Intel Xeon Family,1GiB memory, EBS only). But to run the Metasploit to need minimum of 2 GB RAM, you can opt t2 small or t2 medium.

Review the selected instance and click on the launch.

Here, you need to create a new key pair and give a name to the key . Click on download key pair as you will not be able to download the file again after it’s created. Then click on Launch Instances.

Save the Downloaded .pem file.

Click on Launch Instances

After Launch instance, you can see the instance is running even you can provide the name to your created instance. Click on connect to get access to SSH with other information on public DNS.

For a Linux user:

You can access the Kali AWS from a linux machine. Set the permissions and connect the SSH server:

Login with username ec2-user.

For Window Users:

Open the puttygen and load the previously downloaded private key to convert it into a putty supported format.

Save the private key and close the Puttygen program. Open the Putty program to connect it with Kali Linux, in hostname put the public DNS details and load the private key in the Auth tab under the SSh navigation.

Then click on open

Login with username ec2-user and your kali Linux from the cloud is ready. As this is minimal installation, to get all the tools run the command apt-get install kali-linux-full

Note: You should not go over the usage limit otherwise you will be charged and need to pay the bill.

Installation of Kali on Raspberry Pi

The Raspberry Pi is a low-cost, credit-card-sized ARM computer. Despite being a good bit less powerful than a laptop or desktop PC, its affordability makes it an excellent option for a tiny Linux system and it can do far more than act as a media hub.

The Raspberry Pi provides an SD card slot for mass storage and will attempt to boot off that device when the board is powered on.

By default, the Kali Linux Raspberry Pi image has been streamlined with the minimum tools, similar to all the other ARM images. If you wish to upgrade the installation to a standard desktop installation, you can include the extra tools by installing the kali-Linux-full meta-package.

For more details please refer https://github.com/thehackingsage/HackPi.

Prerequisites

  • Kali Linux Raspberry 2,3, 4 ARM images.
  • SD card (minimum size 8 GB but can use 16GB 0r even 32 Gb)
  • Bootable Kali

First, download the Kali Linux 2 or more image file for a raspberry file from the https://www.offensive-security.com/kali-linux-arm-images/#1493408272250-e17e9049-9ce8.

I need to write it to the SD card. Choose the Kali Linux ISO file to be imaged with “select image” and verify that the USB drive to be overwritten is the correct one. Click the “Flash!” button once ready.

Once Etcher alerts you that the image has been flashed, you can safely remove the USB drive and proceed to boot into Kali with it.

Now, you can have a plugged raspberry pi device with the bootable SD card into the monitor. After powering up the raspberry pi 3 b, it will go through a bootup process and the screen will go blank for a few seconds.

For the final step, a login prompt will appear asking for a username and a password. The default should be ‘root’ and ‘toor’ respectively.

Thank you

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

In Plain Sight:1: Vulnhub Walkthrough

In today’s article, we will face an Intermediate challenge. Introducing the In Plain Sight:1 virtual machine, created by “bzyo_” and is available on Vulnhub. This is another Capture the Flag challenge where we have to escalate privileges to find the root flag to complete the challenge.

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

  • Network Scanning
    • netdiscover
    • nmap port scan
  • Enumeration
    • FTP Enumeration
    • Browsing HTTP Service
    • Enumerating the wordpress
  • Exploitation
    • Get a meterpreter session
  • Post Exploitation
    • Reading passwords from file
    • Login into MySQL to find hashes
    • Using john to crack the hashes
  • Privilege Escalation
    • Using su command
    • Finding password
    • Checking for SUID

Walkthrough

Network Scanning

The first step is to identify the target. So, to identify our target we will use the following command:

Now we will use Nmap to gain information about the open ports and the services running on the target machine and for this, type the following command :

From the nmap scan, we can see that Port 21, 22, 80 are open, it means we have the FTP, SSH and HTTP services running simultaneously. Firstly, let’s try enumeration with an anonymous login on FTP.

After logging in anonymously, we can see that there is a file todo.txt. Download this file using the get command. The content of todo.txt file doesn’t seem to be useful. You can read the file by using cat command.

As FTP wasn’t useful to us, we can now browse the website to see if we can find some information. And for this, open the IP address in our browser.

This is an Apache2 Ubuntu Default page but after exploring it carefully we can see a line hinting to “/var/www/html/index.htnl”. So, let’s explore this page.

This page looks like a normal page but when we click anywhere on the page then it will lead us to the following new webpage :

As we can see that this webpage lets you upload any image. So here we tried to upload the image and we succeed but when we try to upload a .php file the webpage give us an error. Upon exploring more, the URL of the webpage caught our attention and you can see that it looks like a hash so we copied it and tried to crack it by using the john.

It was “goodluck”. At this point, we were just being trolled.

We then tried to upload a simple .php file and when uploading a .php file we come across the following error :

But this error leads us to a new page “upload.php”. Let’s check the source code of this page.

Yes! There is a comment at the end of the source code. And this is a base64 encoded text, so let’s try to decode it by using the following command :

When the text is decoded, it looks like a directory or a webpage. But before exploring it let’s see if there are more pages or not. Hence, use dirbuster.

There are many pages and as the result shows us that CMS is wordpress, therefore, we can use wpscan to plow through the two specified pages that mentions wordpress. And for that use the following command :

Similarly, let’s enumerate the other page.

As you can see in the above image there are three users. And we have their usernames, we can simply use bruteforce to find their respective passwords and for that type :

Alas, we couldn’t find any password but not to worry as we can run the same command for the other page, let’s try it by typing :

And so, we finally found the password for the user admin. So now, let’s try to upload a shell using msfconsole. And through Metasploit we will use exploit/unix/webapp/wp_admin_shell_upload.

Once the exploit is initiated, type the set of following commands :

As you can see, we are successful in getting our session, let’s move onto shell of the target system and for that type shell and hit enter. And the next thing you know is you are in the shell of the target system. Now to get a proper authenticated session of shell type the following command :

As we have managed to get a shell. So now, we will explore the system more to find some useful files.

Upon changing the directory, we found wp-config.php. as it is a config file, there’s bound to be useful information. Thus, we will try to read it’s content using the cat command :

These credentials are of MySQL as you can see the prefix DB used which probably stands for the database. So, we can try to login into mysql using these credentials and therefore, use the following commands :

Yes, we are in! Let’s try and explore it further.

We found a database “sodevwp” and hence, to change the database type :

Once the above commands are used successfully, you will find the following two hashes :

$P$BD/ZmfBIhgjHKtkLpPKfhr2t5EDgZA. (for user admin)

$P$B3halPOgh4jqI1tDelkv5TGAHnaOC01 (for user mike)

We will now use john the riper with rockyou wordlist to crack these hashes and for that type :

As you can see in the image above that we found our passwords to the two major users and those are :

admin:admin1

mike: skuxdelux

Now, try and switch the user to mike and you can observe in the image below that you can successfully do that; which means cracking the passwords was successful.

Let’s move on for privilege escalation. Now, when you change your directory to /home and there you found a new user “joe”

And without wasting any time we traversed through etc/passwd.

With etc/passwd we found out that password to ‘joe’ is SmashMouthNoThanks. So now, let’s switch the user to joe with the foretold password.

And just like that, we have access to the user ‘joe’.

Now to move forward the only thing we have to do is to get the last flag of the target. And to get it we check for SUID using the command find. -perm /4000. Before executing this command, we will change our directory to “/” and after running the command we find the following useful binaries.

And in /bwrap we found our last flag which you can observe from the image below :

Read the flag using cat command as shown in the image below :

VOILA!! We have completed the challenge.

Author: Yash Saxena an undergraduate student pursuing B. Tech in Computer science and engineering with a specialization in cybersecurity and forensics from DIT University, Dehradun. Contact here.

Windows for Pentester: Certutil

In this article, we are going to describe the utility of Certutil tool and how vital it is in Windows Penetration Testing.

TL; DR

Certutil is a preinstalled tool on Windows OS that can be used to download malicious files and evade Antivirus. It is one of the Living Off Land (LOL) Binaries.

Disclaimer

The main objective of publishing the series of “Windows for Pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any Pentester while solving CTF challenges or OSCP labs which are based on Windows Operating System. Here, we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any kind of programs/binaries/files & etc.”

Table of Content

  • Introduction
    • What is certutil?
    • What is Living off Land?
    • Working with certutil?
    • What is Alternative Data Stream (ADS)?
  • Configurations used in Practical
  • Working with certutil
    • Encoding
    • Decoding
    • Hashing
    • Downloading
    • Reading Error Code
  • Penetration Testing using certutil
    • Compromising using Malicious Executable
    • Compromising with Encoded Malicious DLL
    • Compromising with Malicious Executable inside ADS
  • Mitigation
  • Conclusion

Introduction

What is Certutil?

Certutil is a CLI program that can be used to dump and display certificate authority (CA), configuration information, configures Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. It is installed as a part of Certificate Services.

What is Living off Land?

In simple words, it is an attack that works on the idea of using system tools as backdoors. File-less attack is another example of LOL attack. Attackers who use this tactic works with trusted, in most cases, preinstalled system tools to carry out their attack. Attackers use these tactics to hide their malicious activity in plain sight among the other general activity inside the network or system. As these kinds of attacks operate without triggering any alerts, it is almost impossible for investigators to determine who is behind the said malicious activity even if they discover it.

What is Alternative Data Stream (ADS)?

The NTFS file system consists of the ADS feature. This is an inconspicuous feature that was included, to provide compatibility with files in the Macintosh file system. ADS enable files to incorporate more than one stream of data. In any instance, each file consists of at least one data stream. This default data stream in Windows is recognized as :$DATA.

Windows Explorer can’t see what ADSs are in a file (or a way to erase them without actually discarding the original file) but they can be created and accessed with ease. Because they are challenging to detect, thus often used by hackers to hide files on machines that they’ve compromised. Executables in ADSs can be executed from the command line but without showing up in Windows Explorer.

Some of the CTF Challenges over HackTheBox where certutil can be used are:

Access, Arctic, BigHead, Conceal, Ethereal, Fighter, Giddy, Hackback, Jerry, Rabbit.

Configurations used in Practical

Attacker:

  • OS: Kali Linux 2019.4
  • IP:192.168.1.10

Target:

  • OS: Windows 10 (Build 18363)
  • IP: 192.168.1.11

Working with certutil

Practical #1: Encoding

Certutil contains an encode parameter. It could help to encode file content into Base64. This is a Windows equivalent to the base64 command in Linux.

When working with an executable file, we came across a scenario. In it, the uploading of the executable file was not smooth. We can use certutil to encode the executable file. Then transfer the encoded data, then decode it on the recipient machine.

In the following practical, we first created a text file named “file.txt” and wrote the “This is a plain text” line in it. We did this with Add-Content cmdlet in PowerShell. We can see that it worked when we checked the file using type command. To convert, we will use certutil with encode parameter. We will provide the text file and the file that it should write the encoded data.

Certutil adds two segments “BEGIN CERTIFICATE” and “END CERTIFICATE”. The converted contents of the file are between these two segments. We can check the encoded text using the type command.

We can use the parameter -encodehex to convert data into Hex encoded files.

Practical #2: Decoding

Certutil can decode the data encoded in Base64. Let’s show you a quick method from which you can decode the data. We will be using the file that we encoded in the previous practical. We will use certutil with -decode parameter. Then provide the encoded file and the file it should write the decoded data. We can check the decoded text using the type command.

We can use the parameter -decodehex to decode the Hex encoded files.

Practical #3: Hashing

Hashing means taking data and giving out an output string of a fixed length. Using the cryptography hashing algorithms — e.g., MD5, SHA-1, SHA-256, you can verify if two files are identical or not. The checksum is a hash value used for performing data integrity checks. It’s a kind of signature for a file. By comparing checksum, we can identify duplicate files.

Time to generate some hashes. We will use the file.txt we created earlier. First, we will generate the MD5 hash using certutil parameter -hashfile. With the parameter, file path and algorithm we can hash the file.

NOTE: While working with Systems like Windows 7, keep in mind that the hash algorithms are case-sensitive. Be sure to type, for example, “MD5”, not “md5”.

Practical #4: Downloading

In scenarios, where wget, BITSAdmin or any other convention method is blocked. Certutil can be used to download files from the internet. We will be downloading 7zip.exe from the 7zip server as shown in the image.

-URLCache Display or delete URL cache entries
-split Split embedded ASN.1 element & Save to files
-f Force Overwrite

Practical #5: Reading Error Code

Suppose you got a system error code without any message. You don’t have any source to look up the meaning of the error. This is a common scenario. Certutil can help to look up the message text for system error codes.

NOTE: Certutil can perform many more functions related to CA Certificates but we will be focusing on Penetration Testing for now.

Penetration Testing using certutil

Practical #6: Compromising using Malicious Executable

During our initial assessment, we saw that the certutil was actively downloading files from the internet without any kind of verification or assessment. This is an instance that is part of the MITRE | ATT&CK Remote File Copy Tactic.

Certutil can be used to copy a file from one system to another to stage some attacking tools or other files throughout an attack. Files can also be transferred from an outer attacker-controlled system through a Command and Control Channel to bring tools or scripts into the target network to support Lateral Movement.

In the previous practical, we downloaded a file from a remote server. Let’s see how we can compromise a Windows System using a Malicious Executable.

We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to an Executable(.exe) File. We named it “shell.exe”. After successful execution, the file was created in our “/root” directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner.

Now that the payload is hosted on the server, before executing the payload on the Target Machine, we need to start a Listener on Attacker Machine to capture the meterpreter session that would be generated after the execution of the payload.

After successfully starting a listener on the Attacker, its time to move to Target Machine. Here, we have a PowerShell Terminal. We need to download the payload to this machine. We will use certutil to fetch it. Certutil will make two connections to the remote web server using two different User-Agents. They will be named “Microsoft-CryptoAPI” and “Certutil URL Agent”.

NOTE: During our assessment, we found that upon execution the above command an Access Denied Error is notified. Using -verifyCTL instead of -URLCache will let you bypass this error.

After the successful transfer of the Payload to Target Machine. We executed the payload as shown in the image.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

We have successfully Compromised the Target Machine using a combination of Certutil and a Malicious Executable.

Practical #7: Compromising with Encoded Malicious DLL

As seen earlier Certutil encodes file content into Base64. This opens up a lot of possibilities. This is an instance that is part of MITRE | ATT&CK Deobfuscate/Decode Files or Information Tactic.

Attackers can use Obfuscated (Difficult to detect/find) Files to conceal evidence of an attack from the analysis. Afterward, they may Deobfuscate (Unhide) those files. This is where certutil comes into the picture. It can decode the data and help bypass Antivirus, IDS/IPS Software. Certutil can also be used to decode a portable executable file that has been hidden inside a certificate file.

Payloads may be compressed, archived, or encrypted to avoid detection. These payloads may be used with Obfuscated Files or Information during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the attacker. Now onto our Practical.

We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to a Dynamic-Link Library(.dll) File. We named it “dll.txt”. We can name it any other name which is less suspicious. We use the text file so that it doesn’t rise any unnecessary flags. After successful execution, the file was created in our “/root” directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner.

Now that the payload is hosted on the server, before executing the payload on the Target Machine, we need to start a Listener on Attacker Machine to capture the meterpreter session that would be generated after the execution of the payload.

After successfully starting a listener on the Attacker, it times to move to Target Machine. Here, we have a PowerShell Terminal. We need to download the payload to this machine and we need to do this discreetly. We run certutil with a combination of URLCache and encode separated by the pipe (|). Now the file will be downloaded as a text file and gets encoded as another text file which we named “edll.txt” for encoded DLL.

Now to execute the payload to compromise the target, we need to decode it. We use the decode parameter in certutil to decode the payload and saved it as “exploit.dll”. Now to execute this DLL we decide to use regsvr32. It executes DLL directly into memory.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System. We have successfully Compromised the Target Machine using a combination of Certutil and an Encoded Malicious Executable.

As we talked about evading Antivirus Software. Let’s inspect the files that we generated and used in the attempt to compromise the target. We use VirusTotal for this analysis. We first inspect the “dll.txt”. Upon successful upload and analysis of the dll.txt, we see that it was detected by 54 out of 67 Antivirus Engines. That can’t be good.

So, the inspection of the dll.txt file was not acceptable. Now let’s test the file we encoded using certutil. We uploaded the edll.txt. Upon analysis of the edll.txt, we see that it was detected by 4 out of 56 Antivirus Engines. It is not perfect but it is a huge difference. 

Another flavour of this attack can be as depicted below:

We create a payload in the form of an executable(payload.exe). Then we use certutil to encode it to a specific binary. For example, “payload.enc”. Then post the output of the encoding process on Github, Pastebin or other alternative services. The purpose of this procedure is to separate the encoded payload from the stager to avoid detection. Now use the certutil on the target machine to download the content from the remote server (Github/Pastebin). Finally, decode the malicious payload into an executable extension using Certutil and execute it to compromise the Target.

Practical #8: Compromising with Malicious Executable inside ADS

We started our attack with Exploit Development. We used the msfvenom tool to generate a Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom with the appropriate LHOST and LPORT. The format of the payload was set to an Executable(.exe) File. We named it “virus.exe”. After successful execution, the file was created in our “/root” directory. Now to transfer the newly generated we decided to use the HTTP Server generated by a Python One-liner. 

Now that the payload is hosted on the server, before executing the payload on the Target Machine, we need to start a Listener on Attacker Machine to capture the meterpreter session that would be generated after the execution of the payload.

This time we will use a different approach altogether. We are going to use the Alternative Data Stream. Alternative Data Stream (ADS) was created by Microsoft to supporting compatibility with Apple McIntosh’s file system. In the Mac, files have a huge amount of metadata in addition to regular data. To save the exe file into ADS, we need to specify the name of the file in whose ADS we want to save another file, then (:) followed by name and extension of another file. As shown, we saved the virus.exe inside the ADS of harmless.txt file.

Here, it can be observed that there is no file named virus.exe in the directory and the size of harmless.txt is 0 as well as it contains nothing as it was an originally an empty text file.

Now to execute the file that we put in the ADS; we will be using wmic. We will use the create flag followed by the path of the payload as shown in the image. It says that the Execution was successful.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

We have successfully Compromised the Target Machine using a combination of Certutil and a Malicious Executable concealed in Alternative Data Stream.

Mitigation

As tools like certutil can be used by an attacker with physical access to the machine or by malicious code unknowingly downloaded by a user after a phishing or other social engineering attack.

Certutil usage should be monitored, particularly if detected it being used with -decode or -decodeHex options where that would not normally be expected in your network. It is paramount not to depend on tools that simply whitelist built-in or signed code as obviously these will be bypassed by such Living Off the Land (LOL) techniques.

Conclusion

This kind of attack is very much happening in real life. There have been multiple incidents targeted to different office environments as well as banks. It was a fun learning experience working with certutil. We are going to write more articles about other LOLS that we could find. Stay Tuned.

Certutil Operations

Living Off Land binaries

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Web Application Pentest Lab Setup on AWS

Isn’t it going to be nice if you can reach your pen-testing lab from all over the world? As we all know, this is a digital age that makes life easier than our expectations, thus anyone can access their information/data from the cloud. Similarly, a Pentester can design its pen-testing environment for the vulnerable machine on the cloud that can be accessed from anywhere. AWS is probably the most popular cloud service available in today’s date, with most companies taking a cloud or hybrid approach towards their infrastructure.

This article is about setting up a vulnerable lab for web penetration in Amazon Web Services (AWS) to perform pen-testing on.

Table of Content

  • Prerequisite
  • Setup & Configuration of AWS Instance
  • Deployment & Connectivity
  • Install Dependencies
    • Apache
    • MySql – server
    • PHP
    • Configuring MySql
    • Phpmyadmin
  • Lab Setup
    • DVWA
    • SQL Injection – Dhakkan
    • OWASP Mutillidae II

Prerequisite

To set up your own pen-testing environment, you must have AWS account or if not then create an AWS account and login your account.

Setup & Configuration of AWS Instance

Let’s walk through the process of setting up the lab, we will be making an EC2 instance with Ubuntu Server 18.04 LTS on it. An EC2 instance is referred to as a virtual server in Amazon’s Elastic Compute Cloud (EC2) for running applications on the AWS infrastructure. The good thing is that this will not cost you anything to build as AWS has options to setup instances within a certain computing level that are not charged for.

  1. Open the EC2 console in AWS.

     2. Navigate to “Launch Instance” and click on “Launch Instance”.

  1. Choose the Amazon machine image (AMI), this is basically similar to finding the iso file of the OS that you want on your instance. AWS has you covered with most of the popular OS’s available in its inventory.
  2. Here we looked for ubuntu.
  3. Now that we see the OS that we want running on our instance, we need to choose the “64-bit (x86)”.

  1. We now need to choose our instance type, to basically define the amount of hardware this instance will have, we choose the “t2.micro”. This gives us I virtual CPU and 1 GB of RAM.

For most general-purpose workloads, T2 Unlimited instances will provide ample performance without any additional charges.

Features:

  • High-frequency Intel Xeon processors
  • Burstable CPU, governed by CPU Credits, and consistent baseline performance
  • Lowest-cost general purpose instance type, and Free Tier eligible*
  • Balance of compute, memory, and network resources

Read more from here

  1. Once we click on “Review and Launch”, the rest of the options are left as they are, and we click on “launch”.

8. Now let’s launch the instance which will create a key pair to your instance and complete the launch process.

This is a very important step, this is what makes it possible for you to connect to your instance over SSH, the key pair.

  1. Choose “Create a new key pair”, give it a name, them download and save the .pem file somewhere where you can keep it safe.

AWS gives you the launch status, tells you about the launch process and shows you that your instance is now launching.

  1. Now click on “View Instances” to see what’s happing with our Ubuntu server. Note that it takes a few minutes for the server to be fully deployed, so be patient. Now we see under “Status check” that we have our 2/2 checks, this essentially means that our instance is fully deployed and ready for us to connect to.

Deployment & Connectivity

This is the good part, where we get to deploy and connect to our instance in AWS.

  1. We choose our instance and click on “Connect”, this takes us to a page with options that defines how we want to connect to our instance, and we choose to connect using a standalone SSH client.

  1. Enter the name for your Instance ID, so that you can easily identify the instance ID from its name.

AWS is very helpful in giving us the particulars for our connection, like the commands to use.

There are many applications you can choose from to connect to the instance, we are connecting to it from Kali Linux.

  1. We first make sure that the .pem file that we saved has the right permissions assigned to it, in this case, it needs to be only ‘read’. Once that is done, we put in the SSH particulars provided by AWS.

  1. The .pem file is defined so that the SSH operation knows where the keys are located and that’s it, we are in!!. We connect and get to root.

Install Dependencies required for Pentest-lab

Ubuntu is up and running now, let’s start it for our pentest purposes, in order to do that we need to have the basic dependencies installed so that we can access web application like DVWA, etc.

Apache

First, we will install the Apache. Apache is the most commonly used Web server on Linux Systems. Web servers are used to serve web pages requested by the client computers.

  1. So, let’s first install Apache in the ubuntu by the following command.

We have successfully installed apache2, by default apache runs on port 80

 

For Apache to function properly we need to open port 80, so let’s get to it. We need to edit the security group in order for the Apache service to work. Ports are closed by default in AWS, so we can define what we want open.

  1. Go to your instance and launch the security groups wizard-1.
  2. Edit the inbound rules and add HTTP, using TCP protocol over port 80.

  1. The rule has been added, now click on save.

  1. Now to validate that Apache is running on our Ubuntu server, we access the IP of the instance in a browser.

MySQL – Server

The next step is to install MySql-server. This is fairly simple, just type in the command and let Ubuntu do the rest.

PHP

Installing PHP 7.2, simply type the following command.

Configuring MySQL

Let’s configure MySQL so we have the right kind of credentials for our setup. After it gets logged in you will grant all the privileges to the user of Ubuntu as in our case we have given all the privileges to user raj which will be identified with the password of ubuntu which is 123 in our case and after which we will reset all the previous privileges so that it can start the service with the new changes. For this, the commands are the following.

PHPMyAdmin

We need to install phpMyAdmin as well, here is how you do it.

Phpmyadmin needs to be configured, it needs to know that we want to use apache2 as our web server.

Next, we need to give it the password that we kept while setting up MySQL.

Lab Setup

We are done with installing all the dependencies for our setup and are now ready to install our pentest labs.

DVWA

let’s navigate to the “html” folder to download and install DVWA. Once that is done, we need to move the config.inc.php.dist file for further configurations.

Open the config.inc.php file in a text editor and put in the database credentials that we had set up earlier. We only need to modify 2 fields: db_user and db_password.

Now we open DVWA in our web browser and click on “Create/Reset Database”.

Time, to login to our DVWA!

SQL Injection – Dhakkan

Our vulnerable web app is up and running, now we want to install a lab for SQL injections, we will be using the Dhakkan sqli lab.

Here’s how to set it up. We download it into the html folder to host it, next we move the “sqlilabs” folder to the “sqli”. Next, we need to edit the database credentials so that the lab can function properly. Open the db-creds.inc file in a text editor.

Now that the file is open, we put in the username and password.

Now browse this web application from through this Public-DNS/sqli and click on Setup/reset Databases for labs. Now the sqli lab is ready to use.

Success! Sqli is up and running.

OWASP Mutillidae II

Last but not least, we will install OWASP Mutillidae II and that will conclude our setup for now.

So, let’s start by navigating to the “html” folder and downloading Mutillidae. Once downloaded, we navigate to the “includes” folder.

Once in, modify the database access file to prove the credentials we had set up earlier.

Now we will open this our local browser by the following URL: Public-DNS/mutillidae where we will find an option of reset database. Just click on it to reset the database. Let’s launch Mutillidae using our browser.

Voila!! Your Ubuntu instance is ready for you to start your AWS pentest journey. You have your connectivity, dependencies and labs all configured and ready to go.

We at Hacking Articles always try to bring you the most industry-relevant content. Since the cloud is now the thing most companies are moving towards and raising curiosity about ways to keep the cloud secure, this is article is just to get you ready for our new articles on cloud penetration testing, so stay tuned.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here