Multiple Ways to Detect HTTP Options

Hi Friends, today we will walk through the various HTTP protocol methods and the tools used to enumerate the methods a web server makes available. The HTTP protocol comprises a number of methods that can be used not only to gather information from the web server but also to perform specific actions on it. These methods are useful to web application developers during the deployment and testing stages of a web application.

GET and POST are the most well-known methods; they are used to retrieve information from and submit information to a web server, respectively. The HTTP protocol allows various other methods as well, such as PUT, CONNECT, TRACE, HEAD and DELETE. These methods can be used for malicious purposes if the web server is left misconfigured, and hence they pose a major security risk for the web application, since they could allow an attacker to modify the files stored on the web server.

OPTIONS: The OPTIONS method is used to request the available HTTP methods on a web server.

GET: The GET request is the most common and widely used method on websites. It is used to retrieve the data of a specific resource from the web server. As the GET method only requests data and does not modify the content of any resource, it is considered safe.

POST: POST requests are used to send (or submit) data to the web server in order to create or update a resource. The information is carried in the body of the HTTP request and processed further by the server. A typical example is a “Contact us” form on a website: when we fill in the form and submit it, the input data is placed in the request body and sent across to the server.

PUT: The PUT method allows the end user (client) to upload new files to the web server. An attacker can exploit it by uploading malicious files or by using the victim’s server as a file repository.

CONNECT: The CONNECT method could allow a client to use the web server as a proxy.

TRACE: This method echoes back to the client the same string that was sent to the server, and is used mainly for debugging purposes.

HEAD: The HEAD method is almost identical to GET, but the response carries no message body. In other words, if the HTTP request GET /products returns a list of products, then HEAD /products triggers a similar HTTP request but does not retrieve the list of products.

DELETE: This method enables a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a website or to perform a DoS attack.

Now let us use some tools to identify the HTTP methods enabled or supported by the web server.

Metasploit

Metasploit Framework is a well-known platform for developing, testing and executing exploits. It is an open-source tool for running various exploits against target machines.

Metasploit has built-in auxiliary modules dedicated to scanning HTTP methods. Through the Metasploit Framework command line (CLI), we can identify the HTTP options available on the target URL as follows:

cURL

cURL is a command-line tool for getting or sending data using URL syntax. It supports various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet, etc.) and offers command-line options for performing various tasks (e.g. user authentication, FTP uploading, SSL connections). The cURL utility comes installed by default in most distributions. If cURL is not installed, it can be installed with the apt-get install curl command. For more details refer to the URL below:

//www.hackingarticles.in/web-application-penetration-testing-curl/

Through the cURL command we can identify the HTTP options available on the target URL as follows:

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), along with other server-specific information (server response, version details, etc.).

Nikto

Nikto is a web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other issues. It performs both generic checks and checks specific to the server type.

Through the Nikto command we can identify the HTTP options available on the target URL as follows:

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), along with other detailed server-specific information (server response, version details, etc.).

Nmap

Nmap is a free and open-source security scanner used to discover hosts and services on a network. Another way of checking which HTTP methods are enabled is to use the Nmap script http-methods.nse, which is documented at //nmap.org/nsedoc/scripts/http-methods.html.

Let us use the Nmap command to enumerate all of the HTTP methods supported by the web server on the target URL as follows:

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE) and highlights the potentially risky methods among them (i.e. TRACE).

Netcat

Netcat is a utility that can read and write data across TCP and UDP network connections, with additional features such as built-in port scanning, network debugging and file transfer.

Through the Netcat command we can identify the HTTP options available on the target URL as follows:

Press Enter, and the following options appear on the command line. Enter the server details as follows (highlighted in red):

The screenshot displays the allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), along with other server-specific information (server response, version details, etc.).

Burp Suite

Burp Suite is a platform for performing various security testing for web applications, from initial mapping and analysis to identifying and exploiting application vulnerabilities.

The HTTP OPTIONS method is the most effective way to discover the different methods allowed on an HTTP server. So let us capture the URL request in the Burp Suite GUI and change the HTTP method in the Request section to OPTIONS, as seen below.

As shown, the response from the web server not only lists the allowed HTTP methods but also reveals the server version details (e.g. Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL 1.0.0/k DAV/2 PHP/5.4.3).
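The OPTIONS check that each of the tools above performs, reduced to its essentials as an added Python example (not code from the article): it builds the raw OPTIONS request, parses the Allow header out of the response, and flags the methods the article calls risky along with the leaked Server banner. The sample response is constructed to mirror the screenshot values, and check_host is a hypothetical helper for running the same check against a live server.

```python
import socket
import ssl

# Methods the article singles out as risky when left enabled on a production server.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

# Constructed sample response, modelled on the Allow header and Apache banner
# shown in the article's screenshots (not captured from a real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.21 (Unix) DAV/2 PHP/5.4.3\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def build_options_request(host, path="/"):
    """Build the same raw OPTIONS request that curl -X OPTIONS or netcat would send."""
    request = (
        f"OPTIONS {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into its status line, a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def allowed_methods(headers):
    """Read the Allow header (or the WebDAV-style Public header) into a sorted method list."""
    value = headers.get("allow") or headers.get("public") or ""
    methods = {m.strip().upper() for m in value.split(",") if m.strip()}
    return sorted(methods)


def assess(raw):
    """Summarise what matters to a defender: allowed methods, risky ones and banner leakage."""
    parsed = parse_response(raw)
    methods = allowed_methods(parsed["headers"])
    return {
        "status": parsed["status"],
        "allowed": methods,
        "risky": sorted(RISKY_METHODS.intersection(methods)),
        "server_banner": parsed["headers"].get("server", ""),
    }


def check_host(host, port=443, path="/", use_tls=True, timeout=5.0):
    """Send the OPTIONS request to a live server and assess the reply (needs network access)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_options_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return assess(b"".join(chunks))
```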

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here

Multiple ways to Connect Remote PC using SMB Port

In this article, we will learn how to connect to a victim’s machine via SMB port 445 once you have obtained a username and password for the victim’s PC. To learn how to collect usernames and passwords for a remote host via the SMB protocol, click here, and to understand what the SMB protocol is, click here.

Table of Content

Exploiting Windows Server 2008 R2 via SMB through Metasploit inbuilt exploits:

  • Microsoft Windows Authenticated User Code Execution
  • Microsoft Windows Authenticated Powershell Command Execution
  • Microsoft Windows Authenticated Administration Utility
  • SMB Impacket WMI Exec

Third-party Tools

  • Impacket (psexec)
  • Impacket (exec)
  • Psexec exe
  • Atelier Web Remote Commander

Exploiting Windows 2007 via SMB through Metasploit inbuilt exploits:

  • MS17-010 EternalRomance SMB Remote code execution
  • MS17-010 EternalRomance SMB Remote command execution

Let’s Begin

Tested on: Windows Server 2008 R2

Attacking Machine: Kali Linux

Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the “psexec” utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

Here,

rhost –> IP of victim PC

smbuser –> username

smbpass –> password

Once the commands run you will gain a meterpreter session of your victim’s PC and so you can access it as you want.

Microsoft Windows Authenticated Powershell Command Execution

This module uses a valid administrator username and password to execute a PowerShell payload using a technique similar to the “psexec” utility provided by SysInternals. The payload is base64-encoded and executed from the command line using the -EncodedCommand flag. With this method the payload is never written to disk, and since each payload is unique it is less prone to signature-based detection. A persist option is provided to execute the payload in a while loop in order to maintain a form of persistence. In the event of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection. To avoid interactive process notifications for the current user, the psh payload has been reduced in size and wrapped in a PowerShell invocation which hides the window entirely.

Once again, as the commands run you will gain a meterpreter session on the victim’s PC, and from there you can do as you wish.
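From the defender’s side, the traits this module relies on (a base64 UTF-16LE script after -EncodedCommand, a hidden window, a while loop for persistence) are exactly what process-creation logging exposes. The following added Python example, which is not part of the article or of Metasploit, decodes such a command line from constructed 4688/Sysmon-style log lines and flags those traits; the script inside the sample is a harmless Write-Host loop.

```python
import base64
import binascii
import re

# Constructed sample command lines in the style of the "Process Command Line" field of a
# Windows 4688 event or the CommandLine field of a Sysmon event (not real captured logs).
BENIGN_SCRIPT = 'while ($true) { Write-Host "heartbeat"; Start-Sleep -Seconds 5 }'
ENCODED = base64.b64encode(BENIGN_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    "CommandLine: powershell.exe -nop -w hidden -e " + ENCODED,
    "CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "CommandLine: cmd.exe /c whoami",
]

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle|indow|s)?\s+hidden", re.IGNORECASE)
PERSIST_LOOP = re.compile(r"while\s*\(\s*\$true\s*\)", re.IGNORECASE)
NO_PROFILE = re.compile(r"-no(?:p|profile)\b", re.IGNORECASE)


def extract_encoded_command(cmdline):
    """Return the base64 argument following -EncodedCommand or any of its prefixes (-e, -ec, -enc)."""
    tokens = cmdline.split()
    for i, token in enumerate(tokens[:-1]):
        if token[0] not in "-/":  # PowerShell accepts both -e and /e
            continue
        flag = "-" + token[1:].lower()
        if flag.startswith("-e") and "-encodedcommand".startswith(flag):
            return tokens[i + 1]
    return None


def decode_encoded_command(blob):
    """Decode the base64 UTF-16LE script that PowerShell expects after -EncodedCommand."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Flag the traits the article describes: encoded payload, hidden window, persistence loop."""
    blob = extract_encoded_command(cmdline)
    script = decode_encoded_command(blob) if blob else None
    return {
        "encoded": blob is not None,
        "decoded_script": script,
        "hidden_window": bool(HIDDEN_WINDOW.search(cmdline)),
        "persistence_loop": bool(script and PERSIST_LOOP.search(script)),
        "no_profile": bool(NO_PROFILE.search(cmdline)),
    }


def scan_events(lines):
    """Return (line, analysis) pairs for every PowerShell launch that carries an encoded command."""
    findings = []
    for line in lines:
        if "powershell" not in line.lower():
            continue
        result = analyze(line)
        if result["encoded"]:
            findings.append((line, result))
    return findings
```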

Microsoft Windows Authenticated Administration Utility

This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a technique similar to the “psexec” utility provided by SysInternals. Daisy-chaining commands with ‘&’ does not work, and users shouldn’t try it. This module is useful because it doesn’t need to upload any binaries to the target machine.

Thus, in the new Metasploit Framework we used the web delivery module to obtain the malicious DLL code, which we can pass as the arbitrary command on the host.

Copy the highlighted text for malicious dll code.

As soon as we run the psexec auxiliary module we get a meterpreter session as administrator.

SMB Impacket WMI Exec

This module takes a similar approach to psexec but executes commands through WMI.

Impacket for Psexec.py

Psexec.py lets you execute processes on remote Windows systems, copy files to remote systems, process their output and stream it back. It allows execution of remote shell commands directly with a full interactive console, without having to install any client software.

Now let’s install the Impacket tools from GitHub. You can get them from here. First clone the repository, then install Impacket, and then run psexec.py to connect to the victim’s machine.

Syntax: ./psexec.py [[domain/] username [: password] @] [Target IP Address]

Impacket for Atexec.py

This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.

Syntax: ./atexec.py [[domain/] username [: password] @] [Target IP Address] [Command]

As you can see below, a remote connection was established to the server and the command systeminfo was run on the target server, with the output of the command delivered to the Kali terminal.

PsExec.exe

PsExec.exe is software that lets us access other computers on a network. It takes us directly to a shell on the remote PC, with nothing to set up manually. Download it from –> //download.sysinternals.com/files/PSTools.zip.

Unzip the file once you have downloaded it. Go to your command prompt and type:

Here,

192.168.1.104 –> is the IP of the remote host

-u –> denotes username

-p –> denotes password

cmd –> to enter victim’s command prompt

Atelier Web Remote Commander

This is graphical software that lets us gain control of the victim’s PC quite easily.

Once you have opened the software, enter the IP address of the victim’s PC in the remote host box, along with the username and password in their respective boxes. Then click Connect; the victim’s whole screen will appear on your desktop and you will have a clear view of what the victim is doing.

As you can observe, the screen of the victim’s machine is now in front of us.

MS17-010 EternalRomance SMB Remote Code Execution

Tested on: Windows 2007 Ultimate

Attacking Machine: Kali Linux

This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal psexec payload code execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit but requires a named pipe.

MS17-010 EternalRomance SMB Remote Command Execution

This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal psexec command execution is done. It exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit but requires a named pipe.

Thus, in the new Metasploit Framework we used the web delivery module to obtain the malicious DLL code, which we can pass as the arbitrary command on the host.

Copy the highlighted text for malicious dll code.

As soon as we run the psexec auxiliary module we get a meterpreter session as administrator.

In this way, we can compromise a victim’s machine remotely if we have login credentials.

Happy Hacking!!!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

Generate Metasploit Payload with Ps1encode

In this article, we will learn the Ps1Encode tool and how to use it by generating malware in different file formats such as HTA, EXE, etc.

Introduction

The working code of Ps1Encode was developed by Piotr Marszalik, Dev Kennedy and a few others. Ps1Encode is used to generate a malicious payload in order to obtain a meterpreter session, and it encodes the payload while generating it. It is another way to bypass whitelisting and security controls on the target system. It is developed in Ruby and lets us create a series of Metasploit-based payloads in any format we desire. The final aim is to get PowerShell running and execute our payload through it.

The formats supported by Ps1Encode for our malware are the following:

  • raw (encoded payload only – no powershell run options)
  • cmd (for use with bat files)
  • vba (for use with macro trojan docs)
  • vbs (for use with vbs scripts)
  • war (tomcat)
  • exe (executable) requires MinGW – x86_64-w64-mingw32-gcc [apt-get install mingw-w64]
  • java (for use with malicious java applets)
  • js (javascript)
  • js-rd32 (javascript called by rundll32.exe)
  • php (for use with php pages)
  • hta (HTML applications)
  • cfm (for use with Adobe ColdFusion)
  • aspx (for use with Microsoft ASP.NET)
  • lnk (Windows shortcut – requires a webserver to stage the payload)
  • sct (COM scriptlet – requires a webserver to stage the payload)

You can download Ps1Encode from here using the git clone command, as shown in the image below:

Once it is downloaded, let’s use the help command to check the syntax we have to use. Use the following set of commands for that:

The options we can use are the following:

-i : defines the local host IP

-p : defines the local host port

-a : defines the payload

-t : defines the output format

Now we will generate a malicious raw file using the following command:

Copy the code generated by the above command into a file with the extension .bat, and then share it using the Python web server. You can start the server with the following command:

Simultaneously, start the multi handler to receive the session with the following set of commands:

Once the file is executed on the victim’s PC, you will have your session as shown in the image above. Now we will generate our malware in the form of an HTA file. Use the following command to generate the HTA file:

The following script will be created by the above command; send this file to the victim’s PC using the Python server as before.

Simultaneously, start the multi handler to receive the session with the following set of commands:

Once the file is executed on the victim’s PC, you will have your session as shown in the image above. Now we will try to generate an EXE file with the following command:

Send this file to the victim’s PC using the Python server as before, as shown in the image above. Simultaneously, start the multi handler to receive the session with the following set of commands:

This way, you can use Ps1Encode to generate files in any format. As you can see, it’s pretty simple, convenient and user-friendly. The possibilities with Ps1Encode are endless.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Comprehensive Guide on SSH Tunneling

Basically, tunneling is a process that allows data sharing or communication between two different networks privately. Tunneling is normally performed by encapsulating the private network’s data and protocol information inside the public network’s transmission units, so that the private network’s protocol information appears to the public network as ordinary data.

SSH Tunnel: Tunneling is the concept of encapsulating one network protocol inside another; here we encapsulate it inside SSH, so all network communication is encrypted. Because tunneling involves repackaging the traffic into a different form, usually with encryption as standard, another use is to hide the nature of the traffic that is run through the tunnel.

Types of SSH Tunneling:

  1. Dynamic SSH tunneling
  2. Local SSH tunneling
  3. Remote SSH tunneling

Let’s Begin!!

Objective: To establish an SSH connection between a remote PC and a local system on a different network.

Here I have set up my own lab, which consists of three systems on the following network:

  • SSH server (two Ethernet interfaces): IP 192.168.1.104 connected to the remote system, and IP 192.168.10.1 connected to the local network system 192.168.10.2
  • SSH client (local network): IP 192.168.10.2
  • Remote system (outside the network)

In the following image we explain the SSH tunneling process, where a remote PC is trying to connect to 192.168.10.2, which is on the intranet of another network. To establish a connection with the SSH client (raj), the remote PC will create an SSH tunnel that connects to the local system via the SSH server (Ignite).

NOTE: The SSH service must be running.

The image below describes the network configuration of the SSH server, showing its two IPs, 192.168.1.104 and 192.168.10.1.

The next image describes the network configuration of the SSH client, showing IP 192.168.10.2.

Dynamic SSH Tunneling through Windows

The remote PC connects to the SSH server (192.168.1.104) via port 22 and logs in to the server successfully. Here we used PuTTY to establish the connection between the SSH server (Ubuntu) and the remote user (Windows).

Similarly, the remote PC now tries to connect to the client PC (192.168.10.2) via port 22; since they belong to different networks, it receives a network error.

Steps for dynamic SSH tunneling

  • Choose the option SSH > Tunnel in the category column on the left.
  • Enter 7000 as the new forwarded port, select the connection type Dynamic, and click Add.

Now connect to the SSH server 192.168.1.104 via port 22 and click Open once everything is set.

First it connects to the SSH server; as you can see, we are connected to the SSH server (Ignite).

Now log in to PuTTY again, give the client system’s IP 192.168.10.2 as the Host Name and port 22 for SSH, then click Open.

In the PuTTY window just opened, choose the Proxy option from the category list and follow the steps below:

  • Select SOCKS 5 as the proxy type
  • Enter 127.0.0.1 as the proxy hostname and 7000 as the port
  • Click Open to establish the connection.

Awesome!! We have successfully accessed the SSH client (raj) via port 7000.

Dynamic SSH Tunneling through Kali Linux on Port 80

Now we use Kali Linux for SSH tunneling and demonstrate how an attacker or Linux user can take advantage of tunneling to establish an SSH connection with client systems.

Enter the user’s password to log in and get access to the SSH server, as shown below.

Next, we need to set a network proxy to enable SOCKS v5; for that, follow the steps below.

  • In your web browser (Firefox), go to the General settings tab and open Network Proxy.
  • Choose No Proxy
  • Enable SOCKS v5
  • Add localhost, 127.0.0.1 as the manual proxy

From the image below you can see that we are now able to connect to the client 192.168.10.2 via port 80.

Dynamic SSH Tunneling through Kali Linux on Port 22

Now connect to the client machine using the commands below:

Install tsocks from the apt repository using the command:

tsocks – a library for intercepting outgoing network connections and redirecting them through a SOCKS server.

Open the tsocks.conf file to edit the SOCKS server IP and port; in our case we need to set the two lines below and then save the file.

Server = 127.0.0.1

Server_port = 7000

Now connect to the SSH client with the help of tsocks using the command below.

Enter the password and enjoy access to the SSH client.
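What PuTTY’s dynamic forward, Firefox’s SOCKS v5 setting and tsocks all do against 127.0.0.1:7000 is the SOCKS5 handshake of RFC 1928, shown here as an added Python example (not code from the article): it builds the greeting and CONNECT request for the lab client 192.168.10.2:22 and parses the proxy’s reply. open_through_tunnel is a hypothetical helper that runs the same exchange against a live ssh -D listener; the reply bytes in the test are constructed.

```python
import ipaddress
import socket
import struct

# SOCKS5 constants (RFC 1928) used by ssh -D, PuTTY's dynamic forward, Firefox and tsocks.
SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure", 0x02: "connection not allowed",
    0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
    0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported",
}


def greeting():
    """Client hello: version 5, one auth method offered, 'no authentication' (ssh -D needs none)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_greeting_reply(data):
    """The proxy answers with the version and the method it picked; 0xFF means none accepted."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 server")
    if data[1] != NO_AUTH:
        raise ValueError("proxy requires authentication")


def connect_request(host, port):
    """CONNECT request: the proxy (the SSH server here) opens the TCP connection on our behalf."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name  # proxy resolves the name remotely
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """Decode the reply: status code plus the address/port the proxy bound for the connection."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        bound, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        bound, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        bound, rest = data[5:5 + data[4]].decode("idna"), data[5 + data[4]:]
    else:
        raise ValueError("unknown address type")
    bound_port = struct.unpack("!H", rest[:2])[0]
    return {"ok": status == 0, "reason": REPLY_TEXT.get(status, "unknown"),
            "bound_addr": bound, "bound_port": bound_port}


def open_through_tunnel(dest_host, dest_port, proxy=("127.0.0.1", 7000), timeout=5.0):
    """Run the full handshake against a live dynamic tunnel and hand back the tunnelled socket."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(greeting())
        parse_greeting_reply(sock.recv(2))
        sock.sendall(connect_request(dest_host, dest_port))
        reply = parse_connect_reply(sock.recv(262))
        if not reply["ok"]:
            raise OSError(f"tunnel refused {dest_host}:{dest_port}: {reply['reason']}")
    except Exception:
        sock.close()
        raise
    return sock
```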

Local SSH Tunneling through Windows

Local tunneling is a process for accessing a specific SSH client machine for communication. It lets you establish a connection to a specific machine that is not reachable from the internet.

The only difference between dynamic tunneling and local tunneling is that dynamic tunneling requires a SOCKS proxy to tunnel all TCP traffic, whereas local tunneling only requires the destination IP address.

Steps for SSH local tunneling

  • Use PuTTY to connect to the SSH server (192.168.1.104) via port 22 and choose the option SSH > Tunnel in the category column on the left.
  • Enter 7000 as the new forwarded port and select the connection type Local.
  • Enter 198.168.10.2:22 as the destination address to establish a connection with the specific client, and click Add.
  • Click Open once everything is set.

First, this establishes a connection between the remote PC and the SSH server.

Open a new PuTTY window and follow the steps below:

  • Give localhost as the host name, 7000 as the port and SSH as the connection type.
  • Click Open to establish the connection.

Awesome!! We have successfully accessed the SSH client via port 7000.

Local SSH Tunneling through Kali Linux

Now we switch back to Kali Linux for local tunneling, which is quite easy compared to dynamic tunneling. Execute the command below to forward the port to the local machine.

Now open a new terminal and type the command below to connect to the SSH client.

Awesome!! We have successfully accessed the SSH client via port 7000.

Remote SSH Tunneling through Putty

Remote tunneling is useful when a client machine wants to access a remote system that is outside its network.

First, install PuTTY on our SSH server (Ignite) and then follow the steps below.

Steps for remote tunneling

  • Enter the remote system IP 192.168.1.108
  • Mention port 22
  • Go to the SSH > Tunnel options
  • Enter 7000 as the new forwarded port and select the connection type Remote
  • Enter 198.168.10.2:22 as the destination address to establish a connection with the specific client, and click Add
  • Click Open once everything is set.

Now the server connects to the remote system, as shown in the image below.

Go back to the remote system and enter the following command to connect to the SSH client machine.

From the image below you can observe that we successfully connected to the SSH client machine via port 7000.

Remote SSH Tunneling through Ubuntu

If you do not want to use PuTTY for remote tunneling, you can execute the following command instead:

Here 192.168.1.10.2 is the IP of our local client (raj) and 192.168.1.108 is the IP of our remote system.

Go back to the remote system and enter the following command to connect to the SSH client machine.

From the image below you can observe that we successfully connected to the SSH client machine via port 7000.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher. Contact Here