Csi5208 Ethical Hacking And Defence Assessment Answers

Task

You are to infiltrate the provided system and attain root level privileges. Additionally, there are five flags; these are represented as values and are awarded at each point of system compromise. Look for them in home directories, web pages etc.

You are to write a report outlining each test / attack run against the system and the result. You must follow a process, which should be defined prior to the commencement of testing. Your report should include the flags as well as any credentials you uncover as part of your hacking endeavours.

Note: You must compromise the system over the network; local, physical or other attacks requiring direct interaction with the target system are not valid for the purposes of the assignment.

Postgraduate students: You must also write the following software and include it as part of your submission:

  • Basic TCP port scanner
  • Password cracker (of the type required to complete the case study)

Submission Requirements

You must include the following in your submission:

  • Your report containing:
    • Defined Methodology
    • Testing Log (should allow repeatability)
    • Results & Recommendations

Answer:

Project Objective

The main goal of this project is to penetrate the provided case study system and produce an ethical hacking report. The project is divided into five flags, which cover the following: examining the web server contents, learning about web shells, cracking a password with a password-cracking tool, identifying wrongly entered user passwords using port scanning techniques, and learning basic Linux privilege escalation. Each flag is worked through and discussed in detail. For the password-cracking flag, we deobfuscate a web shell and show how its authentication can be bypassed when you have the source code but not the password. For the port scanning flag, we use the Nmap port scanning tool to scan the TCP ports on the system. These processes are demonstrated and discussed in detail.

Methodology and Testing Log

Each flag is obtained by following the steps below.

First, the user needs to install and configure the provided case study on a virtual machine. This process is demonstrated below.

Examine the web server contents

The web server stores the site's files: the HTML documents along with their supporting assets, which may also include the following (Makan, 2014):

  • CSS stylesheets
  • Fonts
  • JavaScript files
  • Videos
  • Images and so on.

It is also possible to keep all of the files mentioned above on a PC, but it is common practice to store them on a dedicated web server, which brings the following benefits: a web server is constantly connected to the Internet, always has the same IP address, is actively running, can be shielded from outside providers, and is tried and tested ("Privilege Escalation on Linux with Live examples", 2018).

Learn web shells

A web-shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. A web-shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack. An attacker can exploit common vulnerabilities such as SQL injection, RFI, FTP, or even use XSS as part of a social engineering attack in order to upload the malicious script (Prodromou, 2018). Its typical functionality includes, but is not limited to, shell command execution, code execution, database enumeration and file management. Web shells are an overlooked part of cybercrime and do not attract the level of attention given to either phishing or malware. When web shells first appeared, their usefulness was limited to transferring files and executing simple shell commands. However, the best-built web shells now provide sophisticated toolkits for a range of crimes, with facilities for phishing, spamming and DDoS, not only accessible through a web user interface but also accepting commands as part of a botnet. The first step with a web shell is uploading it to a server, from which the attacker can then access it. This installation can happen in several ways, but the most common methods include exploiting a weakness in the server's software, gaining access to an administrator portal, or taking advantage of an improperly configured host ("Web Shell Archive | PHP & ASP & ASPX Web Root Backdoors", 2018).

Zombie

Another use of web-shells is to make servers part of a botnet. A botnet is a network of compromised systems that an attacker controls, either to use themselves or to rent out to other criminals. The web-shell or backdoor is connected to a command and control server from which it takes instructions on which commands to execute. This setup is commonly used in DDoS attacks, which require large amounts of bandwidth. In this case, the attacker has no interest in damaging or stealing anything from the system on which the web shell was deployed; instead, they simply use its resources whenever required.

Escalation of Privilege

Unless a server is misconfigured, the web shell will run under the web server's user permissions, which are limited. Using a web-shell, an attacker can attempt privilege escalation attacks by exploiting local vulnerabilities on the system to gain root privileges, which in Linux and other UNIX-based operating systems is the super-user. With access to the root account, the attacker can do essentially anything on the system, including installing software, changing permissions, adding and removing users, stealing passwords, reading emails and more ("Web Shells 101: Detection and Prevention", 2018).

Steady Remote Access

A web-shell generally contains a backdoor which allows an attacker to remotely access and potentially control a server at any time. This saves the attacker the trouble of exploiting a vulnerability each time access to the compromised server is required. An attacker may also fix the vulnerability themselves, in order to ensure that no one else will exploit it. In this way the attacker can stay under the radar and avoid any interaction with an administrator, while still obtaining the same result. It is also worth noting that several well-known web shells use password authentication and other techniques to ensure that only the attacker who uploaded the web-shell has access to it. Such techniques include locking the script to a specific custom HTTP header, specific cookie values, specific IP addresses, or a combination of these. Most web shells also contain code to identify and block search engines from indexing the shell and, as a result, blacklisting the domain or server the web application is hosted on. In other words, stealth is essential ("Web Shells – Threat Awareness and Guidance", 2018).

Propelling and Pivoting Attacks

A web-shell can be used for pivoting inside or outside a network. The attacker may want to monitor network traffic on the system, scan the internal network to discover live hosts, and enumerate firewalls and routers within the network. This process can take days, even months, typically because an attacker tries to stay under the radar and draw as little attention as possible. Once an attacker has persistent access, they can quietly make their moves. The compromised system can also be used to attack or scan targets that reside outside the network. This adds a further layer of anonymity for the attacker, since they are using a third-party system to launch an attack. Further still is to pivot through several systems to make it very hard to trace an attack back to its source ("Web Shells: The Criminal’s Control Panel | Netcraft", 2018).

Crack Password on Web shell

When a website is hacked, the attacker often leaves a backdoor or web shell to be able to easily access the site again later. These are often obfuscated to avoid detection, and require authentication so that only the attacker can access the site. In this task, I deobfuscate a web shell and show how its authentication can be bypassed when you have the source code but not the password ("What are web shells – Tutorial", 2018).

Web shell Deobfuscating

preg_replace takes three arguments: the regex, the replacement and the subject. Because the regex carries the e modifier, PHP evaluates the replacement as PHP code. The call is therefore equivalent to the following code:

Now we know that the second parameter is evaluated, but it still does not look like PHP code. That is because it is hex encoded. A string in double quotes can contain escape sequences that are interpreted by PHP, and one of them is \x, which inserts a character into the string using hexadecimal notation. For example, \x65 is an e, as the ASCII table shows. Manually converting this string would be a lot of work, so we let PHP do it:
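The same decoding step can be done without running the web shell at all. The following is an added Python example, not the report's own PHP snippet (which is not reproduced on this page): it decodes the \xHH and related escapes of a double-quoted PHP string as an analyst would, and flags preg_replace() calls whose pattern carries the e modifier. The PHP fragment it analyses is constructed for the example; the $auth_pass value in it is a placeholder, not the report's hash.

```python
import re

# Constructed sample (not the report's own web shell): a PHP fragment shaped
# like the obfuscated code the report describes. The replacement argument is
# written with \xHH escapes so the evaluated code is not visible at a glance.
SAMPLE_PHP = r'''<?php
$auth_pass = "00000000000000000000000000000000"; // placeholder, not a real hash
preg_replace("/.*/e", "\x65\x76\x61\x6c(\x24\x78);", "");
'''

# Escapes PHP interprets inside a double-quoted string: \xHH, octal \NNN and
# the common single-letter escapes.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtv\\$"])')
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', '\\': '\\', '$': '$', '"': '"'}

# First two string arguments of a preg_replace() call (pattern, replacement).
_PREG_CALL_RE = re.compile(
    r'preg_replace\s*\(\s*(["\'])(?P<pattern>.*?)\1\s*,\s*(["\'])(?P<replacement>.*?)\3',
    re.DOTALL,
)


def decode_php_escapes(text):
    """Decode PHP double-quoted string escapes so the code can be read, never executed."""
    def repl(match):
        tok = match.group(1)
        if tok[0] == 'x':
            return chr(int(tok[1:], 16))
        if tok[0] in '01234567':
            return chr(int(tok, 8))
        return _SIMPLE[tok]
    return _ESCAPE_RE.sub(repl, text)


def pattern_modifiers(pattern):
    """Return the PCRE modifier letters that follow the pattern's closing delimiter."""
    if not pattern:
        return ''
    delim = pattern[0]
    close = {'(': ')', '{': '}', '[': ']', '<': '>'}.get(delim, delim)
    end = pattern.rfind(close)
    return pattern[end + 1:] if end > 0 else ''


def find_eval_replacements(src):
    """Locate preg_replace() calls using the /e modifier and return, for each,
    the decoded replacement string, i.e. the code PHP would have evaluated."""
    findings = []
    for match in _PREG_CALL_RE.finditer(src):
        if 'e' in pattern_modifiers(match.group('pattern')):
            findings.append({
                'pattern': match.group('pattern'),
                'decoded_replacement': decode_php_escapes(match.group('replacement')),
            })
    return findings


if __name__ == '__main__':
    for finding in find_eval_replacements(SAMPLE_PHP):
        print('pattern:', finding['pattern'])
        print('would evaluate:', finding['decoded_replacement'])
```

Because the decoder only rewrites escape sequences, it is safe to run over untrusted files; the /e check is also a useful static signature, since the modifier was deprecated in PHP 5.5 and has no place in legitimate modern code.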

Bypassing authentication

The $auth_pass in the original code already suggested there would be authentication on the web shell. The form of $auth_pass, 32 hexadecimal characters, suggests that it is an MD5 of the plaintext password. Since we have the source of the web shell, we can confirm that:

It computes an MD5 over the posted pass parameter and checks that against $auth_pass. Plain MD5s are generally not a very secure way to store passwords. In particular, MD5 is fast, and you can compute billions of hashes per second to try to brute-force the password. Also, the MD5 digests of many weak passwords are already on the web and can be found with a quick Google search. However, our developer picked a reasonably good password, and I was not able to crack it. Still, there is another way to gain access to the web shell now that we have the source code. As can be seen in the code, it sets a specific cookie when you get the password right. It checks the cookie, and if it is wrong it calls wsoLogin to show you a login page and exits the script; otherwise it continues with the web shell code. The cookie is expected to have the MD5 of the hostname as its key and the $auth_pass value as its value. Luckily, we know both of these values and can create our own cookie to access the web shell.
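An added example (not code from the report or its case study) showing why the $auth_pass scheme above is weak and what a hardened alternative looks like: a dictionary check against an unsalted MD5 digest, next to salted PBKDF2 storage with a constant-time comparison. The wordlist and password are constructed for the example; the report's real hash is not reproduced.

```python
import hashlib
import hmac
import os

# Constructed wordlist and password for the example; not values from the
# report's case study, and the report's real $auth_pass hash is not reproduced.
WORDLIST = ["letmein", "password", "summer2018", "correct horse", "admin123"]
PBKDF2_ROUNDS = 200_000


def md5_hex(text):
    """Unsalted MD5 hex digest, the form the report infers for $auth_pass."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def recover_from_md5(target_hex, words):
    """Dictionary check against an unsalted MD5 digest.

    Each candidate costs one fast hash and no salt is involved, so one
    precomputed digest matches every account that reused the password; this
    is why the report notes that weak passwords' MD5s turn up in a web search.
    """
    target = target_hex.lower()
    for word in words:
        if md5_hex(word) == target:
            return word
    return None


def store_password(password, salt=None):
    """Hardened storage: random per-password salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the KDF and compare in constant time (no early-exit on mismatch)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = md5_hex("summer2018")
    print("unsalted MD5 recovered:", recover_from_md5(weak, WORDLIST))
    salt, digest = store_password("summer2018")
    print("PBKDF2 verify correct:", verify_password("summer2018", salt, digest))
    print("PBKDF2 verify wrong:  ", verify_password("Summer2018", salt, digest))
```

The salt defeats precomputed tables, the round count makes each guess cost milliseconds rather than nanoseconds, and hmac.compare_digest removes the timing side channel of an ordinary string comparison. The iteration count is an assumption for the example; pick it for the hardware you deploy on.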

Update

Finally, the passwords below were cracked.

Port Scanner

Port scanning is a technique used to identify whether a port on the target host is open or closed; a port is open if there is a service that uses that specific port to communicate with other systems. This is the reason why, if a port is open, it is possible to eventually identify what kind of service uses it by sending specially crafted packets to the target. Once we know the target IP address we can launch the port scan. By default, if no option is chosen, Nmap runs a TCP SYN scan, also known as a stealth scan ("Advanced Port Scanner – free and quick port scanner", 2018).

Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on UNIX systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when Nmap has already been loaded into the OS ("Nmap Cheat Sheet and Pro Tips | HackerTarget.com", 2018). Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop UNIX systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible. To understand this kind of scan it is useful to recall the TCP three-way handshake, which describes the way in which a TCP connection starts.

TCP Scan

A TCP SYN scan works as follows: system A, which represents our attacking machine, sends the SYN to the target system B and waits for the SYN-ACK. If B responds, which means the port is open, A does not send the final ACK. If A does not receive the SYN-ACK, the port can be either closed or filtered (this can indicate the presence of a firewall). In this way we have performed a TCP port scan without establishing a full connection with the target.

In more detail:

  • Open port: A sends SYN to B and B responds with SYN-ACK;
  • Closed port: A sends SYN to B and B responds with RST-ACK;
  • Filtered port: A sends SYN to B but does not get a response, or gets an ICMP port unreachable error message.

Even though this kind of scan is the default one, we can request it explicitly with the -sS parameter followed by the IP address of the target ("TCP Port Scan with Nmap | Pentest-Tools.com", 2018):

Nmap, unless told otherwise, scans the most common ports, more than 950 of them, and probes them in random order. As can be seen from the results, we have scanned more than 950 ports in 0.30 seconds; 937 of them are reported as closed, and for the open ones Nmap gives us information about the service that is running on them ("Tcp Port Scanner (Free)", 2018).

While Nmap tries to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines. Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and are discussed in the individual scan type entries.

TCP SYN scan

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN, NULL, Xmas and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states. This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you were going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening, while a RST is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection.
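The half-open scan described here and in the TCP Scan section above leaves a characteristic trace on the target side: one inbound SYN per probed port from the same source within a short time, most of them answered with RST. As an added defensive example that is not part of the report, the Python below parses constructed netfilter-style log lines and flags any source that touches many distinct destination ports within a sliding window. The log format, addresses, window and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter-style log lines (not captured from the report's lab).
# 10.0.0.7 probes six different ports in four seconds; 10.0.0.9 only ever
# connects to 443, which is what a normal client looks like.
SAMPLE_LOG = """\
Jun 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Jun 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=40002 DPT=80 SYN URGP=0
Jun 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jun 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=40003 DPT=443 SYN URGP=0
Jun 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=40004 DPT=3306 SYN URGP=0
Jun 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=40005 DPT=8080 SYN URGP=0
Jun 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0
Jun 10 12:00:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=40006 DPT=25 SYN URGP=0
Jun 10 12:00:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP SPT=51002 DPT=443 SYN URGP=0
Jun 10 12:00:30 gw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.20 PROTO=TCP SPT=40007 DPT=22 SYN URGP=0
"""

# Timestamp, source address and destination port of an inbound TCP SYN.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) '
    r'.*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b'
)


def parse_syn_events(log_text):
    """Return (timestamp, source, destination port) for each logged inbound SYN."""
    events = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        ts = datetime.strptime(match.group('ts'), '%b %d %H:%M:%S')
        events.append((ts, match.group('src'), int(match.group('dpt'))))
    return events


def detect_port_scans(log_text, window_seconds=10, min_ports=5):
    """Flag sources whose SYNs reach at least min_ports distinct ports within
    any window_seconds-long window. Returns {source: sorted ports touched}."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_syn_events(log_text):
        by_src[src].append((ts, dpt))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        best = set()
        # Slide a window starting at each event and keep the busiest one.
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts[src] = sorted(best)
    return alerts


if __name__ == '__main__':
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f'possible port scan from {src}: {len(ports)} ports {ports}')
```

Counting distinct destination ports rather than raw SYNs is what separates a scan from a busy but legitimate client, which reconnects to the same port many times; the window and threshold should be tuned to the environment, since a very slow scan spread over hours will sit below any short-window threshold.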

TCP connect scan

TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than reading raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

Learn basic Linux privilege escalation

This flag is about gaining knowledge of basic Linux privilege escalation. The areas to examine are listed below ("Basic Linux Privilege Escalation", 2018):

  • Operating System
  • File Systems
  • Preparation & Finding Exploit Code
  • Applications & Services
  • Communications & Networking
  • Confidential Information & Users

Results and Recommendations

This project successfully penetrated the provided case study system and produced the ethical hacking report. The project was divided into five flags, covering the following: examining the web server contents, learning about web shells, cracking a password with a password-cracking tool, identifying wrongly entered user passwords using port scanning techniques, and learning basic Linux privilege escalation. These flags were successfully demonstrated and discussed in detail. For the password-cracking flag, we deobfuscated a web shell and showed how its authentication can be bypassed when you have the source code but not the password. For the port scanning flag, we used the Nmap port scanning tool to scan the TCP ports on the system. These processes were demonstrated and discussed in detail.

Source code for tools used

NMAP – TCP port Scanner

To scan TCP ports with Nmap, use the following command ("Port Scanning Techniques | Nmap Network Scanning", 2018):

nmap <ip address>

nmap 192.168.1.1

It delivers the results below.

Password Cracker

Source code is attached here.

Run the PHP code on Kali Linux (Valentino, 2018); it reveals the hidden password.

References

Advanced Port Scanner – free and fast port scanner. (2018). Retrieved from https://www.advanced-port-scanner.com/

Basic Linux Privilege Escalation. (2018). Retrieved from https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Makan, K. (2014). Penetration Testing with the Bash shell. Packt Publishing.

Nmap Cheat Sheet and Pro Tips | HackerTarget.com. (2018). Retrieved from https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

Port Scanning Techniques | Nmap Network Scanning. (2018). Retrieved from https://nmap.org/book/man-port-scanning-techniques.html

Privilege Escalation on Linux with Live examples. (2018). Retrieved from https://resources.infosecinstitute.com/privilege-escalation-linux-live-examples/

Prodromou, A. (2018). An Introduction to Web-shells - Part 1 | Acunetix. Retrieved from https://www.acunetix.com/blog/articles/introduction-web-shells-part-1/

TCP Port Scan with Nmap | Pentest-Tools.com. (2018). Retrieved from https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

Tcp Port Scanner (Free). (2018). Retrieved from https://www.mylanviewer.com/port-scanner.html

Valentino, V. (2018). PHP Web Shell and Stealth Backdoor : Weevely 2. Retrieved from https://www.hacking-tutorial.com/hacking-tutorial/php-web-shell-and-stealth-backdoor-weevely/

Web Shell Archive | PHP & ASP & ASPX Web Root Backdoors. (2018). Retrieved from https://webshell.co/

Web Shells 101: Detection and Prevention. (2018). Retrieved from https://blog.rapid7.com/2016/12/14/webshells-101/

Web Shells – Threat Awareness and Guidance. (2018). Retrieved from https://www.us-cert.gov/ncas/alerts/TA15-314A

Web Shells: The Criminal’s Control Panel | Netcraft. (2018). Retrieved from https://news.netcraft.com/archives/2017/05/18/web-shells-the-criminals-control-panel.html

What are web shells – Tutorial. (2018). Retrieved from https://www.binarytides.com/web-shells-tutorial/
