Penetration Testing on Splunk

In this article, we are going to exploit SPLUNK using the reverse shell. One can find this beneficial in exploiting and do penetration testing of SPLUNK environment of their respective IT infrastructure.

Table of Content

  • Introduction to SPLUNK
  • Deploying SPLUNK on UBUNTU
  • Exploiting SPLUNK using a reverse shell

What is SPLUNK?

Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution that provides insight into machine data generated from security technologies such as network, endpoint, access, malware, vulnerability and identity information. It is a premium application that is licensed independently from Splunk core.

Splunk (the product) captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

For more information read from here.

Deploying SPLUNK on UBUNTU

Now we will continue with penetration testing of SPLUNK on LINUX platform (here we are using UBUNTU), the same can be performed on the windows platform as well.

Visit https://www.splunk.com and register there for downloading the free trial version of SPLUNK. Since we are going to continue with UBUNTU we have downloaded the Splunk for Linux 64 bit (.tgz file).

Once it gets downloaded on your UBUNTU machine, follow the process below for creating an instance of SPLUNK:

Open terminal, go to downloads and extract file using

Now follow these commands for installing splunk:

When asked enter the username and password you need to configure for Splunk.

Once done you should see the following screen with URL of your Splunk GUI

Go to http://ubuntu:8000 (URL of your Splunk GUI) and enter the user id and password you configured earlier:

Exploiting SPLUNK using a reverse shell

In the first phase, we have discussed how we can deploy Splunk in our local machine (Ubuntu) and in this phase, we will go with Splunk penetration testing where we will try to exploit Splunk for obtaining reverse shell of the machine.

For exploiting Splunk first now download the latest released shell from the following the link:

Now login to Splunk GUI from your kali machine visiting the IP of Ubuntu server: 8000 (192.168.0.37:8000) and login

Navigate to the “App: Search & Reporting” option and click on “Search & Reporting

Click on the “Install app from file” option.

For installing any app slunk provides upload form to browse any .spl or .tar.gz for uploading. Taking advantages of functionality we will try to upload our Splunk shell that we had downloaded previously.

After uploading restart your Splunk instance.

Once restarted, go to apps tab again, Find your installed archive (weaponize Splunk for red teaming and pen testing)

We scroll down to find our shell file as shown below. Before we can run, it we need to click on the “Permissions” option to change its permissions.

Click on permissions and change to all apps as shown below:

Now to execute the shell. We navigate to the search option in Splunk and type in our command defining that we want a reverse shell of standard type to talk to out attach machines IP on the listening port.

Now go to Kali Linux and open a terminal:

Start netcat using following command on any port you wish (here I have used 1234)

Hmmm!! As you can observe that by executing id command we show root uid and gid information but for obtaining proper tty shell we need to break jail.

We used Msfvenom to create a python payload.

The payload is uploaded through our existing Netcat session, all that needed to be done was the payload to be pasted into the terminal and executed but do not forget to run netcat listener inside a new terminal.

A new Netcat session is started on the port (4444) that we defined in our payload and we see the execution occur flawlessly. Once this netcat session is started run following command:

And after executing the command we can see that shell is gained.

Meterpreter Session

If you are hoping for a meterpreter session then you can use a multi handler for obtaining reverse connection of victim’s machine.

Type following to execute a reverse shell

Boooom!! We got the meterpreter session.

And in this way saw Splunk penetration testing 

Author: Shivendu Vikram Singh Cybersecurity engineer Working in TCS as a Pentester Contact Here

Evilginx2- Advanced Phishing Attack Framework

This is the successor of Evilginx 1, and it stays in-line with the MITM lineage. This tool is designed for a Phishing attack to capture login credentials and a session cookie. 

Table of Content

Overview

Setup

  • Perquisites
  • Installation
  • Domain Setup
  • Priming Evilginx

Execution

  • Lure Creation
  • Attack Simulation

Overview

One of the biggest concerns in today’s cyberspace is Phishing, it’s one of those things that uses what a user is familiar with against them. This is a MITM attack framework that sits between the user and site that they are trying to access to potentially steal their credentials. The framework is written in GO and implements its own HTTP and DNS server, making the setup process a breeze.

Setup

Let’s get acquainted with Evilginx2. The first thing we need to do is setup the Evilginx2 application on our attacking machine, let’s get the IP.

Perquisites

Evilginx has a few requirements before it can be installed and start working optimally, let’s take of them first.

We use pscp to upload the go install file to our attacking machine, defining where it can find the file and the credentials and IP of the destination machine. Go is a prerequisite for setting up evilginx. You can get Go 1.10.0 from here.

Once we have to Go in our machine we unpack and install it. Pscp deposited our Go file in the tmp folder. We will now be using the following commands to install Go and check its version:

Go needs to be added to ~/.profieles now, here’s how you do it:

Open the. profiles file in nano or any other text editor and type in the following

Next, install git make by typing the following:

Installation

Now we are ready to install Evilginx, let’s see how.

Let’s launch Evilginx by running the script.

There is multiple built-in options that the attacker can utilize to choose a site template called Phishlets.

Domain Setup

Evilginx works as a relay between the victim and the legitimate website that they are trying to access, to achieve this, the attacker needs a domain of their own. There are plenty of resources on the web from where a free domain can be attained temporarily, we used one such resource. We have setup an attacking domain: userid.cf.

The IP of our attacking machine is used in the IP address for the nameserver, if you recall, we noted it earlier on in the process.

Priming Evilginx

This is the part where we prime Evilginx for the attack. At the Evilginx terminal, we use the help command to see the various general configuration options that it has.

We need to configure Evilginx to use the domain name that we have set up for it and the IP for the attacking machine.

Time to setup the domains. We have used the twitter phishlet with our domain and Evilginx gives us options of modified domain names that we can setup in our hosting site

In our hosting site, we set the A record, which will the IP of the attacking machine and then copy and paste the domain names provided by Evilginx. One thing to note here, we don’t need to copy the “userid.cf” part, we just need the preceding string.

Execution

We now have everything we need to execute a successful attack using Evilginx.

The settings have been put into place, now we can start using the tool for what it is intended

Lure Creation

We now need a link that the victim clicks on, in Evilginx, the term for the link is “Lures”.

The help command shows us what options we must use for setting up the lures.

The lures have to be attached with our desired phishlet and a redirect has to be set to point towards the legitimate website that we are trying to harvest credentials for. Once the lures have been configured, we can see what the configurations yield.

Attack Simulation

When a victim clicks on our created lure, they will be sent to out phishlet, as can be seen below.

The victim enters their credentials and we see Evilginx capturing them and relaying them to the attack machines terminal.

This is a great tool to explore and understand phishing but at the same time, be sure to use it in a controlled setting.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

PowerCat -A PowerShell Netcat

The word PowerCat named from Powershell Netcat which is a new version of netcat in the form of the powershell script. In this article, we will learn about powercat which a PowerShell tool for is exploiting windows machines.

Table of Content

  • Requirement & Installations
  • Testing PowerShell Communication
  • Bind Shell
  • Execute Shell
  • Tunnelling or port forwarding

Introduction & Requirements

PC-1       192.168.1.16

PC-2       192.168.1.19

Powercat PowerShell Script

Powercat brings the usefulness and intensity of Netcat to every ongoing form of Microsoft Windows. It achieves this objective by utilizing local PowerShell form 2 segments. This permits simple organization, use, and minimal possibility of being gotten by customary antivirus arrangements. Furthermore, the most recent adaptations of Powercat incorporate propelled usefulness that goes well past those found in customary types of Netcat.

By default, we cannot run PowerShell scripts in windows. To run PowerShell scripts, we have to first change the execution policy of PowerShell. First, we run PowerShell as an administrator then we run the following command to change the execution policy: –

Now we download powercat in the system. We can either download the powercat script and import it manually or use Invoke-Expression to download the powercat script and import it automatically. In our case, we are using Invoke-Expression to download the powercat script.

Testing PowerShell Communication

Now we are going to test the working of powercat, first we setup our listener in PC-1.

-l is for listen mode

-p is for the port number

-v is for verbose mode

Now in PC-2, we use powercat to connect to PC-1 on port 9000 and send a message through powercat.

Now we switch to PC-1, and we find that we have received the message from PC-2.

Transfer File

We can also transfer the file using powercat, in PC-1 we setup the listener to accept the file from a remote machine inside the particular path and such as save the files as “file.txt” and therefore run the following command to initiate file transferring via port 9000.

-of is for the output file

Now we can use powercat to transfer the file from PC-2 to PC-1. Here we select a file called “1.txt” in PC-2 that will be transferred to PC-1.

-i is for the input file

Now in PC-1, we find that we have received the file from PC-2 inside C drive.

Bind Shell

In PC-1 we start our listener and execute cmd, creating a bind shell so that we can access the terminal of the remote machine, therefore execute below command.

We can connect to PC-1 from PC-2 using powercat and get a shell of PC-1.

Execute Powershell

We can use powercat to execute PowerShell instead of cmd to create a bind or reverse shell. In this case, we are going to create a PowerShell bind shell using powercat in PC-1.

Now we connect PC-2 to PC-1 using powercat and obtain a Powershell of pc-1.

Tunnelling or Port Forwarding

For this practical, we need 3 machines

PC-1 192.168.1.16
PC-2 192.168.1.19
PC-3 10.0.0.10

We can also use powercat for tunnelling. In our case we have the following systems:

We get a session of PC-2 from PC-1 using PSSession.

After giving the username and password for the target machine, we get access to PC-2 where we found another network interface of Class A IP network.

On the target machine, we download powercat using Invoke-Expression.

Now we check for common running services on the gateway and find that port 22 is open.

Now we use powercat for port forwarding so that we can use PC-1 to connect with PC-3.

We now connect to PC-3 using putty.

As seen from the image below we are able to connect to the Ubuntu Machine (PC-3) from the Attacker’s machine(PC-1)

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher  Contact Here

Web Server Lab Setup for Penetration Testing

In this post, we will discuss how to set-up our own web server for penetration testing on Ubuntu 18. Ubuntu 18 has updated with the new features.

Table of Content

Requirement

Web Server configuration

  • Apache
  • PHP
  • MySQL
  • phpMyAdmin
  • FTP
  • SSH
  • Nmap

Requirement-ubuntu 18.0

Web Server Configuration

The Web server is a program that uses HTTP to serve users with files forming web pages in response to requests transmitted by their HTTP clients. 

The Web servers can also be called dedicated computers and apparatuses.

Install Apache

First, we will install the Apache. Apache is the most commonly used Web server on Linux Systems. Web servers are used to serve web pages requested by the client computers. So, let’s first install Apache in the ubuntu by the following command-

 We have successfully installed apache2, by default apache runs on port 80.

Install PHP

Now we will install PHP 7modukle for Apache 2 and for all of its dependencies. Earlier we used to install PHP 5 module for Ubuntu 14. But now as it is not compatible in ubuntu 18.so we will install the latest version of php which is php7.2 For this run the following command in ubuntu terminal-

As you can see, we have done with php installation.

Install MySQL Server

Now comes the next step which is the installation of MySQL server. MySQL is the famous open-source database which was very easier to install earlier. But now it requires some changes for Ubuntu 18.

So, let’s go ahead step by step.

First, we will install MySQL server by the following command-

So, we are done with the installation. In Ubuntu 14, MySQL did not need a password as it required only the root user to logged in. But now it needs a password and it won’t allow the root user to log in so we will provide a username and password of ubuntu in MySQL with the following command and as it will ask for the password; you have to use your ubuntu password here. After it gets logged in you will grant all the privileges to the user of Ubuntu as in our case we have given all the privileges to user raj which will be identified with the password of ubuntu which is 123 in our case and after which we will reset all the previous privileges so that it can start the service with the new changes. For this, the commands are the following.

Great we are done with MySQL server installation, by default it runs on port 3306, now restart MySQL service.

Install phpMyAdmin

 Now the next step is the installation of a phpMyAdmin software tool which is written in PHP and which is proposed to handle the administration of MYSQL over the WEB and it also supports a wide range of operations on MYSQL. First, we need to install phpMyAdmin by the following command-

After the installation, it will ask you to choose the web server. Here you need to choose apache2 which will automatically be configured to run phpmyadmin.

Next, you will get a prompt which will be opened to configure a database for phpmyadmin with dbconfig-common. Here you need to click on yes and the enter.

 Again, you will get a prompt which will ask you to submit the password for phpMyAdmin, to register with the database server. Here we have given 123 as the password as it is essential to give it a password now.

The next step is the configuration of phpmyadmin under apache, for this we need to edit apache2 conf file by adding two lines at the end of this file:

At the last, as shown in the image below and then save it and after the editing saves the file and restart apache2 service.

Now open phpmyadmin in the browser as localhost/phpmyadmin as shown in the image below-

Install ftp

 Now we will install FTP server in ubuntu which is used for the transfer of computer files between a client and server on a computer network. For this run the following command in the terminal-

As we can see in the above screenshot that ftp service has been installed in our system which runs on port 21

Install ssh

Now the next is SSh protocol which is method for secure remote login from one computer to another.so lets install this service by the following command. It is installed successfully; by default, it runs on port 22.

Install Nmap

Now in order to check that the above services have been installed properly in our system; we will use nmap which is a scanner for ports and which tells us about the open ports and running services status.

So, let’s install that by the following command-

Once the installation is done, we will scan our own system by the following command and it will scan our system and will come up with the desired results as you can see in the image given below-

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here