Retina: A Network Scanning Tool

In this article, we will learn how to use Retina, a network vulnerability scanner, to our advantage. There are many network vulnerability scanners; Retina is one of the most widely deployed, and it walks you through a complete vulnerability assessment and generates a detailed network vulnerability report at the end of it.

Table of content

  • Introduction to Retina
  • Scanning process
  • Working of Retina
  • Network scanning with retina
  • Conclusion

Introduction to Retina

Retina allows you to scan multiple platforms. It also provides automatic fixes and the ability to create your own audits. It checks for critical vulnerabilities, allowing you to secure your network properly, and it updates its audit database at the beginning of every session, so the checks it runs are current. Retina scans targets in parallel; its queuing system handles up to 256 targets at the same time. You can also run most scans without administrative rights. Custom audit scans let you enforce your internal security policies. Retina Network Security Scanner is designed to discover, profile and assess all assets deployed on an organisation’s network, so that customers can efficiently identify, prioritise and remediate vulnerabilities such as missing patches and configuration weaknesses.

Scanning Process

To begin a scan, you provide the target details to Retina through its GUI. As soon as the scanner receives them, the auditing process starts. An audit scan covers the following stages:

  • Targeting: builds a scan list from the address group and discovery options
  • Port scanning: determines which ports are open, closed or filtered
  • OS detection: identifies the operating system running on the target
  • Auditing: assesses the vulnerabilities of each port and the service behind it

Working of Retina

Retina first retrieves the list of IP addresses that need to be scanned, builds its target list and writes it to the eeye_groups table. The worklist records where the job starts and stops. Retina then starts the scan. As targets are scanned, the completed entries are removed from the queue file; this guarantees that a scan can still complete if the scanner is powered down for any reason. At the end of the scan, the scanner writes Completed to the eeye_groups table in the scan results database (RTD). If the user aborts the job, the scanner writes Aborted to that table instead.
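The following is an added example, not Retina’s code, that reduces the two sections above (the audit stages and the durable worklist) to their essentials: a TCP connect scan that classifies a port as open, closed or filtered, and a worklist persisted to disk so that a scan resumes where it stopped after a crash or power loss, ending in status “Completed” or “Aborted”. The loopback targets, port numbers and JSON state file are assumptions made for the demonstration.

```python
"""Added example (not Retina's code): port classification plus a resumable
worklist, the two mechanisms described in the text above."""
import json
import os
import socket
import tempfile
from typing import Dict, Iterable, Optional


def classify_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Port scanning stage: connect() tells the three states apart.
    Accepted -> open; refused (RST) -> closed; no answer -> filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"  # silently dropped, typical of a firewall
        except OSError:
            return "filtered"  # no route / unreachable: reported as filtered, as most scanners do


class ScanJob:
    """Worklist kept in a JSON file: finished targets drop out of the pending
    work, so a re-run after a power loss only scans what is left."""

    def __init__(self, targets: Iterable[str], ports: Iterable[int], state_path: str):
        self.targets, self.ports, self.state_path = list(targets), list(ports), state_path
        self.state: Dict[str, object] = {"status": "Running", "results": {}}
        if os.path.exists(state_path):           # resume an interrupted job
            with open(state_path) as f:
                self.state = json.load(f)
            self.state["status"] = "Running"

    def _save(self) -> None:
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.state_path)         # atomic rename: never a half-written record

    def run(self, abort_after: Optional[int] = None) -> int:
        """Scan the pending targets; return how many were scanned in this run.
        abort_after simulates the user cancelling (or power loss) after N targets."""
        scanned = 0
        for host in self.targets:
            if host in self.state["results"]:
                continue                          # already completed, removed from the queue
            if abort_after is not None and scanned >= abort_after:
                self.state["status"] = "Aborted"
                self._save()
                return scanned
            self.state["results"][host] = {str(p): classify_port(host, p) for p in self.ports}
            scanned += 1
            self._save()                          # checkpoint after every target
        self.state["status"] = "Completed"
        self._save()
        return scanned


def demo() -> Dict[str, object]:
    """Self-contained run against loopback: one listening port and one free port,
    a first run aborted after one target, then a resumed run that finishes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))                  # grab a free port number, then release it
    closed_port = probe.getsockname()[1]
    probe.close()
    targets = ["127.0.0.1", "localhost"]          # two names for loopback stand in for two hosts
    out: Dict[str, object] = {}
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "worklist.json")
            first = ScanJob(targets, [open_port, closed_port], path)
            out["first_run"] = first.run(abort_after=1)
            out["first_status"] = first.state["status"]
            second = ScanJob(targets, [open_port, closed_port], path)   # same file, fresh process
            out["second_run"] = second.run()
            out["second_status"] = second.state["status"]
            out["open_state"] = second.state["results"]["127.0.0.1"][str(open_port)]
            out["closed_state"] = second.state["results"]["127.0.0.1"][str(closed_port)]
    finally:
        listener.close()
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The checkpoint is written with an atomic rename after every target, which is the property Retina’s queue file gives it: a crash between two targets loses at most the target in progress, never the record of what was already done. A real scanner would also record a per-target “in progress” marker so that a half-scanned host is redone rather than skipped.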

Network scanning with Retina

We downloaded the Retina Vulnerability Scanner from the official site. After downloading the correct version for our machine, we installed the scanner through its setup wizard, which is straightforward. After installation, we run the application, which presents three tabs: Audit, Remediate and Report. First we work in the Audit tab, where we selected “Single-use” and then an individual target under Target Type, identified by its IP address. With “Multiple-use” we can specify an IP range instead.

After selecting the target, we select the ports to scan; the options include All Ports, Common Ports, Discovery Ports and others. In our scenario we selected “All Ports”.

After selecting the ports, it is time to choose the type of audit to run against the target machine. Many audit types are available and each can be modified, so we can craft a personalised audit from the options provided. We selected “All Audits”. This makes the scan take longer; a narrower, personalised audit set finishes faster.

Next come the Options, where we can add functionality to the scan: OS Detection, Reverse DNS, NetBIOS Name, MAC Address and others. We can also set the number of user accounts to enumerate.

Now we run the scanner by clicking the “Scan” button. Once the scan starts, its details appear in the Active tab of the Scan Jobs section. Here we can see that the target is named “Metasploitable” and runs “Ubuntu 8.04”, along with the other details of the scan.

Now we move on to the “Remediate” tab. In its Configuration section we can see the vulnerabilities that were found and sort them by name, category and other criteria. When multiple devices were scanned, the results can also be grouped by individual IP address.

Next we move to the “Report” tab, where we can select further options to refine the report, with sections such as Scan Summary, Vulnerabilities by Category, Top Vulnerabilities and Top Open Ports. We can also choose the type of report; in the image below we chose an “Executive Report”.

As the image below shows, there are many report types to choose from, such as “Summary Report, Vulnerability Export Report, Access Report, Dashboard Report”, etc. This flexible reporting is one of the features that gives Retina an edge among vulnerability scanners.

Here, in our practical, we chose the “Executive” report type, as it is a commonly used format in the IT industry. As the image above shows, the report covers all the major sections: scan summary, top vulnerabilities, open ports and the other important information required.

Once the report is generated, you can open it in the browser as shown in the image below. It records the date and time of the scan and of the report for you too.

Everything in the report is catalogued for your convenience, and each section title is shown in the index as below. It starts with the top vulnerabilities and works down to the bottom ones.

First in the report is “Scan Metrics”, which gives a brief overview of the scan: how many vulnerabilities are exploitable, their ratings from low to high, and the time taken by the scan with the exact start and end times.

Next it categorises all the vulnerabilities with their basic information, as shown in the image below:

Then it shows the top 20 vulnerabilities with their name, risk rating and description, along with the count of each.

Further, it shows the bottom 20 vulnerabilities with their names and other information.

Then, as catalogued, it goes on to show the top twenty open ports with their names, port numbers and services. It also includes a count of how many times each port and service pair was seen across the scanned hosts.

And then it tells you about the operating system on the target machine, which is essential information as it helps you formulate an attack plan or a security policy.

Conclusion

Since the launch of the Retina Vulnerability Scanner in 1998, BeyondTrust states that it has sold over 10,000 copies of the scanner. Retina has an edge over other scanners because its checks are continuously updated and improved alongside the enterprise security posture. It is a mature vulnerability assessment solution available as a standalone application, as a host-based option, or as part of the Retina CS enterprise vulnerability management solution, and it enables you to efficiently identify IT exposures and prioritise remediation enterprise-wide.

Author: Shubham Sharma is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Shellphish: A Phishing Tool

Shellphish is an interesting tool that we came across, and it illustrates just how easy and powerful phishing tools have become. It reuses some of the templates generated by another tool called SocialFish and offers phishing templates for 18 popular sites, most of them social media and email providers. There is also an option to use a custom template.

Disclaimer: This article is posted for educational purposes only, to help people avoid being trapped by phishing attacks.

Table of Content

  • Phishing and Social Engineering
  • Installation
  • Exploring Templates (Instagram, Netflix, Twitter)
  • Weaponization
  • Phishing Attack

Phishing and Social Engineering

Phishing is probably one of the biggest issues for most organisations today: with network and endpoint defences getting better and better, attackers do not bother with the hard route and go for the low-hanging fruit instead. Phishing is one of those issues where training employees is your best defence. Make sure they can spot a malicious email and can report it easily, so that appropriate action can be taken as quickly as possible. The reasoning is that it pays to rely on many people as sensors: if even one person spots and reports a phishing mail, the security team can run a mass search and find everyone else targeted by the campaign.

Social engineering is a very interesting subject to think about. In this context, it means using the victim’s familiarity and habits against them. Human beings are creatures of habit; we are so used to certain things in our lives that, when faced with them, we do not think twice before acting.

As an example: we all know that there are many attempts by attackers to compromise social media accounts, so if you receive an email from your preferred social media site saying there was an attempt to break into your account, or asking you to review your security settings, most people will click the link and log in to check what is going on. An attacker uses this against the victim; all they need to do is swap the real link for a malicious one. Shellphish is probably one of the easiest ways to generate that malicious link. Let’s have a look.

Installation

Shellphish is straightforward to install on the Linux distribution of your choice; we will be using Kali. We fire up Kali Linux and use the terminal to navigate to the desktop.

We need to clone ShellPhish from GitHub; the repository link is provided below.

This makes a folder named “shellphish” on our desktop. Let’s check the folder and its contents.

The next step is to make shellphish.sh executable for our own user. We do not want everyone on the system to have access to it.

And that’s it; now we can launch our phishing tool.

Exploring Templates

ShellPhish offers 18 prebuilt templates. We will look at three of them to get an idea of what someone on the receiving end sees when they open a link generated by this tool.

First, the Instagram page; the platform needs no introduction. We can see where the malicious link leads: the page is very convincing and could easily fool someone who is not paying attention.

Similarly, you can generate another duplicate page, e.g. Netflix, as shown below.

Weaponization for Twitter

Now we will see what the process of weaponising a phishing link looks like.

Once again, let’s start ShellPhish.

ShellPhish gives us a multitude of templates to choose from; all we need to do is follow the prompts the tool gives us.

We choose the “Twitter” template (option 4) for this demonstration.

We choose option 2 here, using the Ngrok service to host our phishing link; Ngrok terminates TLS for the tunnel, which is what gives the phishing page an HTTPS link. On choosing this option the tool starts a PHP server and an Ngrok tunnel, and the phishing link is presented to us.


Now that we have our link, what do we do? What would a malicious actor do?

We will not put too much work into what happens next; it is meant to demonstrate a commonly used process. The first thing we need is an email, purportedly sent by Twitter, that makes the user aware of a suspicious login attempt and tells them to secure their account by resetting their password. The catch is that the user first has to log in to reset the password.

Here is our email, conveying good intentions. Notice the “Reset Password” button.

We delete the “Reset Password” button and highlight the word “password” in “Secure your account by resetting your password now.”.

Click the “Insert Hyperlink” function in the formatting bar. We copy the link given to us by ShellPhish in the Kali terminal, from the section that says “Send this link to the victim: https://f9935ff7.ngrok.io”. This link is pasted into the “Web address (URL)” field and we click OK.

That’s it: we now have our weaponised email, ready to be sent to the victim.

Phishing Attack

The victim has received the weaponised email. The moment the “password” link is clicked, ShellPhish starts showing activity: the tool gives us details such as the victim’s IP address, their browser, and the country and city they are in.

Once the link is clicked, the victim is presented with a Twitter page where they can enter their credentials to access their account and change their password. We volunteered to be the victim in this demonstration and entered our account email “[email protected]” and password “12345wetrtt”.

The moment we click “Log in”, we are redirected to the real Twitter site. Seems harmless, right?

Now for the scary part: the credentials the victim entered have been sent to the attacker in plain text. Lo and behold, the tool announces “Credentials Found!”.

You can see the account name and password in plain text. The thing that really stood out was the line reporting the currency used in the victim’s country; we will leave it to you to figure out why that is.


This tool shows how easy phishing attacks have become to execute, and, depending on how determined the attacker is, a lot of creativity can go into making the email look legitimate. To give an idea of how serious the issue is, according to a recent report 3.4 billion fake emails are sent out daily.

Email firewalls mostly depend on threat intelligence and on the strength of their filters, which dictates how much scrutiny each email receives when it hits a domain and how quickly an email can be deemed malicious.

The problem is that if these filters are not tuned to a balanced setting, they flag and block more emails than you want, making the email firewall admin’s phone blow up, not to mention the business that gets hindered.

That is why internal human intelligence is a big tool at our disposal for spotting malicious emails. There are many free resources for educating your employees and peers on how to spot a malicious email; this is one of them, and probably one of the best around: https://phishingquiz.withgoogle.com/
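The lure built above hides an ngrok URL behind the word “password”, which is exactly the kind of thing a reader or a mail filter can check for mechanically. The following is an added example, not part of Shellphish or of this article: it pulls every link out of an HTML email and flags a link host outside the domain the mail claims to come from, a link to a tunnelling service, link text that names a different host than the one the link really goes to, and plain-http links. The tunnelling-service list and the sample email are assumptions constructed for the example; extend the list for your environment.

```python
"""Added example (not Shellphish code): link-mismatch checks for an HTML email."""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed starter list of services that hand out throwaway HTTPS hostnames.
TUNNEL_DOMAINS = ("ngrok.io", "ngrok-free.app", "serveo.net", "trycloudflare.com")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (help.twitter.com under twitter.com)."""
    return host == domain or host.endswith("." + domain)


def check_links(html: str, claimed_domain: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious link; an empty list means nothing stood out."""
    parser = _LinkCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue  # mailto:, anchors and relative links: nothing to resolve
        reasons = []
        if not _under(host, claimed_domain):
            reasons.append(f"link goes to {host}, not {claimed_domain}")
        if any(_under(host, t) for t in TUNNEL_DOMAINS):
            reasons.append("link points at a tunnelling service")
        shown = _host(text) if "://" in text else ""     # text that looks like a URL
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        if urlparse(href).scheme == "http":
            reasons.append("plain http link")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample lure, modelled on the mail built above (not the original email).
SAMPLE_MAIL = """
<p>We noticed a login attempt from a new device.</p>
<p>Secure your account by resetting your
<a href="https://f9935ff7.ngrok.io">password</a> now.</p>
<p>Or visit <a href="http://twitter-support.example/login">https://twitter.com/login</a></p>
<p><a href="https://help.twitter.com/safety">Help Center</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_MAIL, "twitter.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the sample, the ngrok link is flagged twice (wrong domain, tunnelling service) and the second link three times (wrong domain, text/href mismatch, plain http), while the genuine help.twitter.com link passes. The claimed domain should come from the authenticated sender (DKIM d= or a verified From), not from the display name, or the check can be defeated the same way the reader is.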

As always, we at Hacking Articles hope you enjoyed this article; please share it with your colleagues.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Beginner’s Guide to Nexpose

In this article, we’ll learn about Nexpose, which is used to scan a network for vulnerabilities. There are various vulnerability scanners, but what sets Nexpose apart is its smooth user interface and the robust reporting options it offers, from the most common to the most advanced.

Table of Content

  • Introduction to Nexpose
  • Nexpose Virtual Appliance Installation
  • Running Vulnerability Scans
  • Generating Reports

Introduction to Nexpose

Nexpose is one of the leading vulnerability assessment tools. It operates across physical, virtual, cloud and mobile environments to discover the active services, open ports and running applications on each machine, and it identifies the vulnerabilities that may exist based on the attributes of the known services and applications. Nexpose presents the results in scan reports, which help prioritise the vulnerabilities by risk and determine the most effective fix to implement.

Some Important Nexpose terminologies

  • Asset – A host on a network.
  • Site – A logical group of assets that has a dedicated scan engine.
  • Scan Template – A template that defines the audit level that Nexpose uses to perform a vulnerability scan.
  • Local Scan Engine – Scan Engines are responsible for performing scan jobs on your assets.

Nexpose Virtual Appliance Installation

Let’s start the Nexpose installation over our Virtual Machine. From here we’ve downloaded the Nexpose VM. Firstly, we’ll add Nexpose in our VMware Workstation and power it ON.

As soon as it boots up, we’ll see the default login credentials: username (nexpose) and password (nexpose). We then have to set a new password that meets the requirements (at least 14 characters, with at least one uppercase letter, one lowercase letter, one digit and one special character).

Afterwards, use the ifconfig command in the Nexpose console to find the machine’s IP address, so that we can log in to the Nexpose web interface.

Armed with the IP, we connect over HTTPS (HTTP over TLS); port 3780 is Nexpose’s default console port.

URL :  https://<Nexpose_IP>:3780

The console ships with a self-signed certificate, so the browser greets us with a certificate warning; to use Nexpose, click Advanced, followed by Accept the Risk and Continue. Replace the certificate with one issued by your own CA before other users are pointed at the console.

You will then be redirected to a login page; log in with the default username (nxadmin) and password (nxpassword), as shown in the image below, and change them as soon as setup is complete.

Next, you’ll be asked for an activation key, as shown in the image; provide the license key that you received at your email address.

As soon as you’ve logged in and completed the activation, the Nexpose Security Console home page appears and we can run any scan we want, as shown:

Running Vulnerability Scans

To start a new scan, go to the home page, click the Create dropdown and select Site. The Security Console displays the “Site Configuration” screen.

On the General tab, we give the site a name and a description, as in the image above. We can also set its importance, from Very Low to Very High.

The Assets configuration page comprises two sections: Include and Exclude.

In the Include section, we provided our target IP address (192.168.0.59); to scan the entire network, we would provide the complete IP range instead (192.168.0.1-254).

The Exclude section removes addresses from the scan. If we are scanning a whole range and want to leave some hosts out, we put them in the Exclude assets section.
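The following is an added example, not Nexpose code, showing what the Include and Exclude sections compute: it accepts single addresses, CIDR blocks and Nexpose-style ranges such as 192.168.0.1-254, subtracts the exclusions from the inclusions, and reports any exclusion that removed nothing, which usually means a typo and a host that will be scanned when it should not be. The address ranges used are constructed for the example.

```python
"""Added example (not Nexpose code): include/exclude scope arithmetic for a site."""
import ipaddress
from typing import Dict, Iterable, List, Set

Address = ipaddress.IPv4Address


def expand(spec: str) -> Set[Address]:
    """'192.168.0.59' | '192.168.0.0/24' | '192.168.0.1-254' | '192.168.0.1-192.168.0.254'"""
    spec = spec.strip()
    if "/" in spec:
        return set(ipaddress.ip_network(spec, strict=False).hosts())
    if "-" in spec:
        lo, hi = (p.strip() for p in spec.split("-", 1))
        if "." not in hi:                         # shorthand: only the last octet given
            hi = lo.rsplit(".", 1)[0] + "." + hi
        start, end = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if end < start:
            raise ValueError(f"range end before start: {spec}")
        return {ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)}
    return {ipaddress.ip_address(spec)}


def scope(include: Iterable[str], exclude: Iterable[str] = ()) -> Dict[str, object]:
    """Final asset list = union(include) - union(exclude), plus exclusions that matched nothing."""
    included: Set[Address] = set().union(*(expand(s) for s in include))
    excluded: Set[Address] = set()
    unused: List[str] = []
    for spec in exclude:
        hit = expand(spec) & included
        if not hit:
            unused.append(spec)                   # nothing removed: probably a typo
        excluded |= hit
    targets = sorted(included - excluded)
    return {"targets": [str(a) for a in targets], "count": len(targets), "unused_excludes": unused}


if __name__ == "__main__":
    s = scope(include=["192.168.0.1-254"], exclude=["192.168.0.59", "192.168.0.100-110", "10.0.0.5"])
    print(s["count"], "targets; unused excludes:", s["unused_excludes"])
```

Running the sample leaves 242 targets and reports 10.0.0.5 as an unused exclusion. Reviewing that list before clicking Save and Scan is cheap insurance against scanning a production host that the exclusion was meant to protect.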

In the Authentication section we can add credentials if needed. Providing a username and password lets Nexpose perform a credentialed scan, which sees installed packages and configuration that an unauthenticated network scan cannot.

Afterwards, choose a Scan Template; as shown above, we used the default template, i.e. Full Audit without Web Spider.

Now we select an engine for the scan; here we use the Local Scan Engine, as shown in the picture above.

With all the required information for the site filled in, click the Save and Scan button at the upper right of the Nexpose console to begin scanning.

Once the scan completes, the result clearly shows the number of vulnerabilities found, the risk score and the duration of the scan.

Now we can see all the vulnerabilities listed with their Common Vulnerability Scoring System (CVSS) score, from highest to lowest, on the Vulnerabilities tab. The interesting part is that for several of them a public exploit exists in the Exploit Database or as a Metasploit module, and Nexpose flags this alongside the finding.

When we click a particular vulnerability, for instance the MySQL default account, which is rated critical, it gives us information about the vulnerability such as its severity, whether the account is password protected, the version, etc., as shown in the image below.

Generating Reports

Now we can generate a new report from the Reports tab by giving it a title and selecting the scan, the template, and the format in which we want the report.

Conclusion

This was a guide to using the Nexpose vulnerability scanner. Its GUI makes it user-friendly and convenient, which is why it has earned its place in the corporate world alongside Nessus and Retina.

Author: Chiragh Arora is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultancy. Contact here

Penetration Testing on Splunk

In this article, we are going to obtain a reverse shell through Splunk. This is useful when penetration testing the Splunk environment of your own IT infrastructure.

Table of Content

  • Introduction to SPLUNK
  • Deploying SPLUNK on UBUNTU
  • Exploiting SPLUNK using a reverse shell

What is SPLUNK?

Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. It is a premium application that is licensed independently from Splunk core.

Splunk (the product) captures, indexes and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards and visualizations. Note that the free trial deployed below is Splunk Enterprise itself; ES is an add-on to it.

For more information read from here.

Deploying SPLUNK on UBUNTU

We will carry out the penetration test against Splunk on Linux (here Ubuntu); the same can be done on Windows as well.

Visit https://www.splunk.com and register there to download the free trial version of Splunk. Since we are using Ubuntu, we downloaded Splunk for Linux 64-bit (the .tgz file).

Once it is downloaded on your Ubuntu machine, follow the process below to create a Splunk instance:

Open a terminal, go to the Downloads directory and extract the archive using

Now follow these commands to install Splunk:

When prompted, enter the username and password you want to configure for Splunk.

Once done, you should see the following screen with the URL of your Splunk web interface.

Go to http://ubuntu:8000 (the URL of your Splunk web interface) and enter the username and password you configured earlier:

Exploiting SPLUNK using a reverse shell

In the first phase we deployed Splunk on our local Ubuntu machine; in this phase we move on to the penetration test and try to obtain a reverse shell on that machine through Splunk.

First, download the latest release of the Splunk reverse-shell app from the following link:

Now log in to the Splunk web interface from your Kali machine by visiting the IP of the Ubuntu server on port 8000 (192.168.0.37:8000).

Navigate to the “App: Search &amp; Reporting” option and click on “Search &amp; Reporting”.

Click on the “Install app from file” option.

To install an app, Splunk provides an upload form that accepts a .spl or .tar.gz package. Taking advantage of this functionality, we upload the Splunk shell app we downloaded earlier.

After uploading, restart your Splunk instance.

Once restarted, go to the Apps tab again and find the installed app (“weaponize Splunk for red teaming and pen testing”).

We scroll down to find our shell command as shown below. Before we can run it, we need to click the “Permissions” option and change its permissions.

Click on Permissions and set the command to be shared with all apps, as shown below:

Now we execute the shell. We go to the search bar in Splunk and type our command, specifying that we want a standard reverse shell that connects back to our attacking machine’s IP on the listening port.

Now go to Kali Linux and open a terminal:

Start netcat with the following command on any port you wish (here I have used 1234):

Hmmm!! As you can observe, running the id command shows a root uid and gid: the search command runs with the privileges of the splunkd process, and Splunk was started as root here. (This is the reason to run splunkd as an unprivileged user in production.) To obtain a proper TTY shell, though, we still need to break out of this restricted shell.

We used msfvenom to create a Python payload.

The payload is delivered through our existing netcat session: all that is needed is to paste it into the terminal and execute it, but do not forget to start a netcat listener in a new terminal first.

A new netcat session arrives on the port (4444) that we defined in the payload, and the execution goes through flawlessly. Once this netcat session is established, run the following command:

After executing the command, we can see that a proper shell is gained.
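The shell above works because any app uploaded through “Install app from file” may ship custom search commands, which splunkd runs as scripts from the app’s bin/ directory with splunkd’s own privileges (root on this Ubuntu host). The following is an added example, neither the app used above nor Splunk code: it inspects an .spl or .tar.gz package in memory before installation and lists the search commands declared in commands.conf and the scripts under bin/, so a reviewer can see that an “app” is really an execution vector. The sample package and its app and command names are constructed here for the demonstration.

```python
"""Added example (not Splunk's code, not the app used above): pre-install review
of a Splunk app package for custom search commands and shipped scripts."""
import configparser
import io
import tarfile
from typing import Dict, List, Optional

CONF_PATHS = ("default/commands.conf", "local/commands.conf")


def inspect_app(package: bytes) -> Dict[str, object]:
    """Parse the package in memory; return declared commands, bin/ scripts and a verdict."""
    commands: List[Dict[str, str]] = []
    scripts: List[str] = []
    app_name: Optional[str] = None
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            app_name, _, rel = member.name.partition("/")   # <app>/default/commands.conf
            if rel in CONF_PATHS:
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                conf = configparser.ConfigParser(interpolation=None, strict=False)
                conf.read_string("[default]\n" + text)      # Splunk allows keys before the first stanza
                for stanza in conf.sections():
                    if stanza == "default":
                        continue
                    commands.append({"command": stanza,
                                     "filename": conf.get(stanza, "filename", fallback="(not set)"),
                                     "declared_in": rel})
            elif rel.startswith("bin/"):
                scripts.append(rel)
    return {"app": app_name, "commands": commands, "scripts": scripts,
            "adds_code": bool(commands or scripts)}


def build_sample_app(with_command: bool = True) -> bytes:
    """Constructed sample package: a dashboard-only app, or one that adds a search command."""
    files = {"sample_app/default/app.conf": "[launcher]\nversion = 1.0\n",
             "sample_app/default/data/ui/views/overview.xml": "<dashboard/>\n"}
    if with_command:
        files["sample_app/default/commands.conf"] = "[sample_cmd]\nfilename = sample_cmd.py\n"
        files["sample_app/bin/sample_cmd.py"] = "# whatever is here runs as the splunkd user\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for pkg in (build_sample_app(False), build_sample_app(True)):
        report = inspect_app(pkg)
        print(report["app"], "adds code:", report["adds_code"], report["commands"], report["scripts"])
```

Custom search commands are not the only execution path an app can carry; scripted inputs and alert action scripts also run as the splunkd user, so a full review should cover inputs.conf and alert_actions.conf as well. The two controls that matter most are the ones this article demonstrates by their absence: run splunkd as a dedicated unprivileged user, and limit app installation to the administrators who genuinely need it.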

Meterpreter Session

If you want a Meterpreter session instead, use a multi/handler to catch the reverse connection from the victim machine.

Type the following to execute the reverse shell:

Boooom!! We got the Meterpreter session.

And in this way we saw Splunk penetration testing.

Author: Shivendu Vikram Singh Cybersecurity engineer Working in TCS as a Pentester Contact Here