JOK3R – UNA HERRAMIENTA DE HACKING MULTIFUNCIONAL

En la mayoría de los casos, las pruebas de penetración se realizan manualmente, es aquí donde el pentester utiliza todas las herramientas disponibles en Internet para encontrar errores o vulnerabilidades en las aplicaciones web. Hoy en día, el pentesting se realiza en herramientas automatizadas. Estas herramientas están recibiendo tanta atención, pues ahorran mucho tiempo, los pentesters puede hacer otras tareas desafiantes en su labor de hacking. Hoy estamos hablando de la herramienta JOK3R.

Expertos en seguridad en redes del Instituto Internacional de Seguridad Cibernética afirman que JOK3R es muy útil en la fase inicial de pruebas de penetración.

JOK3R es un marco de pentesting muy popular que se construye utilizando muchas herramientas populares. El objetivo principal de esta herramienta es ahorrar tiempo en el análisis del sistema objetivo. Entonces el pentester puede disfrutar la mayor parte del tiempo en otras labores de hacking. Esta herramienta ha sido probada en Kali Linux 2017.3.

INSTALACIÓN DE DVWA PARA EL OBJETIVO

• En el lado del atacante estamos utilizando DVWA para probar la herramienta. Para descargar DVWA iso vaya a: https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/
• Después de descargar iso, abra iso en virtual box o vmware workstation. Entonces empieza iso
• Para obtener DVWA ip escriba ifconfig

INSTALACIÓN DE JOK3R PARA EL ATACANTE

• Para la clonación, escriba git clone https://github.com/koutto/jok3r.git
• Luego escriba cd jok3r
• Escriba pip install -r requirements.txt
• El permiso install-all.sh y install-dependencies.sh necesita ser cambiado. Para eso, teclee chmod u + x install-dependencies.sh y luego escriba chmod u + x install-all.sh
• Para verificar si el permiso ha cambiado, escriba ls -ltr

root@kali:/home/iicybersecurity/Downloads/jok3r# ls -ltr
 total 176
 -rw-r--r--  1 root root 35149 Jan 24 00:02 LICENSE
 -rw-r--r--  1 root root   348 Jan 24 00:02 Dockerfile
 -rw-r--r--  1 root root   461 Jan 24 00:02 CHANGELOG.rst
 -rw-r--r--  1 root root  2519 Jan 24 00:02 TODO.rst
 -rw-r--r--  1 root root 41498 Jan 24 00:02 README.rst
 -rw-r--r--  1 root root  1934 Jan 24 00:02 jok3r.py
 -rwxr-xr-x  1 root root  3126 Jan 24 00:02 install-dependencies.sh
 -rwxr-xr-x  1 root root   129 Jan 24 00:02 install-all.sh
 drwxr-xr-x  2 root root  4096 Jan 24 00:02 docker
 drwxr-xr-x  3 root root  4096 Jan 24 00:02 doc
 -rw-r--r--  1 root root   249 Jan 24 00:02 requirements.txt
 drwxr-xr-x  2 root root  4096 Jan 24 00:02 pictures
 drwxr-xr-x  3 root root  4096 Jan 24 00:02 webshells
 drwxr-xr-x  5 root root  4096 Jan 24 00:02 wordlists
 drwxr-xr-x 10 root root  4096 Jan 24 00:24 lib
 drwxr-xr-x  2 root root  4096 Jan 24 00:25 settings
 -rw-r--r--  1 root root 32768 Jan 24 00:25 local.db
 drwxr-xr-x  5 root root  4096 Jan 24 00:25 toolbox

• Ahora escriba ./install-all.sh
• Escriba ./install-dependencies.sh
• Esta herramienta puede tardar en instalar dependencias, ya que algunos de los archivos tardan en ser descargados
• Si install-all.sh y install-dependencies.sh no funcionan correctamente o muestran un error al instalar las dependencias, considere el uso de la ventana acoplable para instalar todas las dependencias
• Durante la instalación se muestra la actualización de pip para eso, teclee sudo apt-get install python3-pip. Luego escriba pip –upgrade install pip
• Si la ventana acoplable no está instalada, escriba sudo apt-get update y luego escriba sudo apt-get install docker-ce o escriba sudo apt-get docker.io
• Escriba docker – version

root@kali:/home/iicybersecurity/Downloads/jok3r# docker --version
 Docker version 18.06.1-ce, build e68fc7a

• Después de instalar el docker escriba cd docker
• Escriba sudo docker pull koutto / jok3r. Este comando instalará todas las dependencias o herramientas que necesita JOK3R
• Una vez instaladas las herramientas de JOK3R, escriba python3 jok3r.py –help

Atacante

vroot@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py --help

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]
 
usage:
 python3 jok3r.py  [] 
 
Supported commands:
    toolbox    Manage the toolbox
    info       View supported services/options/checks
    db         Define missions scopes, keep tracks of targets & view attacks results
    attack     Run checks against targets 
 
optional arguments:
   -h, --help  show this help message and exit

• Escriba python3 jok3r.py toolbox –show-all
• toolbox  es la lista de herramientas que se han instalado
• –Show-all mostrará todas las herramientas instaladas

root@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py toolbox --show-all

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]  
Toolbox content - all services 
+--------------------------------+----------+-----------------+-------------------------------------------------------------------------------------------------------------+
 | Name                           | Service  | Status/Update   | Description                                                                                                 |
 +--------------------------------+----------+-----------------+-------------------------------------------------------------------------------------------------------------+
 | ajpy                           | ajp      | OK | 2019-01-24 | AJP requests crafter in order to communicate with AJP connectors                                            |
 | ftpmap                         | ftp      | OK | 2019-01-24 | FTP Scanner detecting vulns based on softs/versions                                                         |
 | halberd                        | http     | OK | 2019-01-24 | HTTP load balancer detector                                                                                 |
 | wafw00f                        | http     | OK | 2019-01-24 | Identify and fingerprint WAF products protecting a website                                                  |
 | whatweb                        | http     | OK | 2019-01-24 | Identify CMS, blogging platforms, JS libraries, Web servers                                                 |
 | optionsbleed                   | http     | OK | 2019-01-24 | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798)                                               |
 | clusterd                       | http     | OK | 2019-01-24 | Application server attack toolkit (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish)            |
 | wig                            | http     | OK | 2019-01-24 | Identify several CMS and other administrative applications                                                  |
 | fingerprinter                  | http     | OK | 2019-01-24 | CMS/LMS/Library versions fingerprinter                                                                      |
 | cmsexplorer                    | http     | OK | 2019-01-24 | Find plugins and themes installed in a CMS (WordPress, Drupal, Joomla, Mambo)                               |
 | nikto                          | http     | OK | 2019-01-24 | Web server scanner                                                                                          |
 | iis-shortname-scanner          | http     | OK | 2019-01-24 | Scanner for IIS short filename (8.3) disclosure vulnerability                                               |
 | davscan                        | http     | OK | 2019-01-24 | Fingerprint servers, finds exploits, scans WebDAV                                                           |
 | shocker                        | http     | OK | 2019-01-24 | Detect and exploit web servers vulnerable to Shellshock (CVE-2014-6271)                                     |
 | loubia                         | http     | OK | 2019-01-24 | Exploitation tool for Java deserialize on t3(s) (Weblogic)                                                  |
 | exploit-tomcat-cve2017-12617   | http     | OK | 2019-01-24 | Exploit for Apache Tomcat (<9.0.1 (Beta), <8.5.23, <8.0.47, <7.0.8) JSP Upload Bypass RCE (CVE-2017-12617)  | | exploit-weblogic-cve2017-3248  | http     | OK | 2019-01-24 | Exploit for Weblogic RMI Registry UnicastRef Object Java Deserialization RCE (CVE-2017-3248)                | | exploit-weblogic-cve2017-10271 | http     | OK | 2019-01-24 | Exploit for Weblogic WLS-WSAT RCE (CVE-2017-10271)                                                          | | exploit-weblogic-cve2018-2893  | http     | OK | 2019-01-24 | Exploit for Weblogic Java Deserialization RCE (CVE-2018-2893)                                               | | struts-pwn-cve2017-9805        | http     | OK | 2019-01-24 | Exploit for Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805)                                          | | struts-pwn-cve2018-11776       | http     | OK | 2019-01-24 | Exploit for Apache Struts2 CVE-2018-11776                                                                   | | domiowned                      | http     | OK | 2019-01-24 | Fingerprint/Exploit IBM/Lotus Domino servers                                                                | | cmsmap                         | http     | OK | 2019-01-24 | Vulnerability scanner for CMS WordPress, Drupal, Joomla                                                     | | cmseek                         | http     | OK | 2019-01-24 | Detect and bruteforce CMS                                                                                   | | drupwn                         | http     | OK | 2019-01-24 | Fingerprint Drupal 7/8 and exploit CVE                                                                      | | dirhunt                        | http     | OK | 2019-01-24 | Find web directories without bruteforce                                                                     | | photon                         | http     | OK | 2019-01-24 | Fast we crawler that extracts urls, emails, files, website accounts, etc.                                   | | angularjs-csti-scanner         | http     | OK | 2019-01-24 | Angular Client-Side Template Injection scanner                                                              | | wpforce                        | http     | OK | 2019-01-24 | WordPress attack suite                                                                                      | | wpscan                         | http     | OK | 2019-01-24 | WordPress vulnerability scanner                                                                             | | wpseku                         | http     | OK | 2019-01-24 | WordPress vulnerability scanner                                                                             | | joomscan                       | http     | OK | 2019-01-24 | Joomla vulnerability scanner by OWASP                                                                       | | joomlascan                     | http     | OK | 2019-01-24 | Joomla vulnerability scanner                                                                                | | joomlavs                       | http     | OK | 2019-01-24 | Joomla vulnerability scanner                                                                                | | droopescan                     | http     | OK | 2019-01-24 | Drupal & Silverstripe plugin-based vulnerability scanner                                                    | | magescan                       | http     | OK | 2019-01-24 | Magento CMS scanner for information and misconfigurations                                                   | | vbscan                         | http     | OK | 2019-01-24 | vBulletin vulnerability scanner by OWASP                                                                    | | liferayscan                    | http     | OK | 2019-01-24 | Liferay vulnerability scanner                                                                               | | xbruteforcer                   | http     | OK | 2019-01-24 | CMS bruteforce tool                                                                                         | | dirsearch                      | http     | OK | 2019-01-24 | Web path scanner                                                                                            | | wfuzz                          | http     | OK | 2019-01-24 | Web application fuzzer                                                                                      | | barmie                         | java-rmi | OK | 2019-01-24 | Java RMI enumeration and attack tool                                                                        | | jmxbf                          | java-rmi | OK | 2019-01-24 | Bruteforce program to test weak accounts configured to access a JMX Registry                                | | jmxploit                       | java-rmi | OK | 2019-01-24 | JMX (post-)exploitation tool in Tomcat environment                                                          | | sjet                           | java-rmi | OK | 2019-01-24 | JMX exploitation tool for insecure configured JMX services                                                  | | twiddle                        | java-rmi | OK | 2019-01-24 | CLI-based JMX client                                                                                        | | jdwp-shellifier                | jdwp     | OK | 2019-01-24 | Exploitation tool to gain RCE on JDWP                                                                       | | msdat                          | mssql    | OK | 2019-01-24 | Microsoft SQL Database Attacking Tool                                                                       | | changeme                       | multi    | OK | 2019-01-24 | Default credentials scanner                                                                                 | | impacket                       | multi    | OK | 2019-01-24 | Collection of Python classes for working with network protocols                                             | | jexboss                        | multi    | OK | 2019-01-24 | Exploitation tool for JBoss, Jenkins, Struts2, JMX (Tomcat)                                                 | | jok3r-scripts                  | multi    | OK | 2019-01-24 | Various small stand-alone scripts and dependencies for other tools                                          | | metasploit                     | multi    | OK | 2019-01-24 | Metasploit framework                                                                                        | | nmap                           | multi    | OK | 2019-01-24 | Nmap port scanner                                                                                           | | patator                        | multi    | OK | 2019-01-24 | Multi-purpose brute-forcer, with a modular design and a flexible usage                                      | | testssl                        | multi    | OK | 2019-01-24 | TLS/SSL encryption checker                                                                                  | | tls-prober                     | multi    | OK | 2019-01-24 | Tool to fingerprint SSL/TLS servers                                                                         | | vuln-databases                 | multi    | OK | 2019-01-24 | Vulnerabilities databases from Vulners.com, vuldb.com (NSE scripts) and exploit-db.com                      | | ysoserial                      | multi    | OK | 2019-01-24 | Tool for generating payloads that exploit unsafe Java object deserialization                                | | odat                           | oracle   | OK | 2019-01-24 | Oracle database attacking tool                                                                              | | nullinux                       | smb      | OK | 2019-01-24 | Enumeration tool for SMB on Windows                                                                         | | smbmap                         | smb      | OK | 2019-01-24 | SMB Shares enumeration tool                                                                                 | | smtp-user-enum                 | smtp     | OK | 2019-01-24 | Enumerate valid users on SMTP via EXPN, VRFY or RCPT TO                                                     | | snmpwn                         | snmp     | OK | 2019-01-24 | SNMPv3 User enumerator and Attack tool                                                                      | | snmp-check                     | snmp     | OK | 2019-01-24 | SNMP enumerator                                                                                             | | ssh-audit                      | ssh      | OK | 2019-01-24 | SSH server auditing tool (banner, key exchange, encryption, mac, compression, compatibility, security, etc) | | osueta                         | ssh      | OK | 2019-01-24 | Exploit for OpenSSH (versions <= 7.2 and >= 5.*) user enumeration timing attack                             |
 | libssh-scanner                 | ssh      | OK | 2019-01-24 | Exploit for authentication bypass (CVE-2018-10933) in libssh 0.6+ (fixed in 0.7.6 and 0.8.4)                |
 +--------------------------------+----------+-----------------+-------------------------------------------------------------------------------------------------------------+

• Esta herramienta ofrece opciones donde puede guardar todos los servicios escaneados en el destino. También puede ver qué servicio se ha ejecutado en el destino
• Para guardar primero tienes que crear la base de datos. Para eso escriba python3 jok3r.py db
• Para guardar primero tiene que crear la base de datos. Para eso teclee python3 jok3r.py db
• Para abrir más opciones en db, teclee help

root@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py db

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]

The local database stores the missions, targets info & attacks results.
 This shell allows for easy access to this database. New missions can be added and
 scopes can be defined by importing new targets.

 
ok3rdb[default]> help 

Documented commands (type help ):
 Attacks results
 results             Attacks results
 Import
 nmap                Import Nmap results
 Missions data
 creds               Credentials in the current mission scope
 hosts               Hosts in the current mission scope
 mission             Manage missions
 services            Services in the current mission scope
 Other
 alias               Manage aliases
 help                Display this help message
 history             View, run, edit, save, or clear previously entered commands
 macro               Manage macros
 quit                Exit this application
 set                 Set a settable parameter or show current settings of parameters
 shell               Execute a command as if at the OS prompt

• Luego escriba missionproproject
• Después de crear la misión, presione ctrl + c
• Luego escriba python3 jok3r.py attack -t http://192.168.1.105/ –add testproject
• attack se usa para comprobar el objetivo
• -t se utiliza para entrar en destino.
• –add se utiliza para guardar los resultados en la base de datos de JOK3R

root@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py attack -t http://192.168.1.105/ --add testproject

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]

 
[] URL given as target, targeted service is HTTP [] Check if target is reachable and grab banner using Nmap…
 [+] Target URL http://192.168.1.105/ is reachable
 [] Results from this attack will be saved under mission "testproject" in database [] A matching service has been found in the database
 [+] Updated: host 192.168.1.105 | port 80/tcp | service http 
 
+----+---------------+----------+------+-------+---------+-------------------------------------------------------------------+-----------------------+
 | id | IP            | Hostname | Port | Proto | Service | Banner                                                            | URL                   |
 +----+---------------+----------+------+-------+---------+-------------------------------------------------------------------+-----------------------+
 | >1 | 192.168.1.105 | dvwa     | 80   | tcp   | http    | product: Apache httpd version: 2.2.14 extrainfo: (Unix) DAV/2     | http://192.168.1.105/ |
 |    |               |          |      |       |         | mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 |                       |
 |    |               |          |      |       |         | mod_perl/2.0.4 Perl/v5.10.1                                       |                       |
 +----+---------------+----------+------+-------+---------+-------------------------------------------------------------------+-----------------------+ 
 
[?] Start attack ? [Y/n] Y 
 
[*] HTTP Response headers:
 Date: Thu, 24 Jan 2019 09:55:41 GMT
 Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
 X-Powered-By: PHP/5.3.1
 Set-Cookie: PHPSESSID=c03n54d2gciu1rh9niscqmij67; path=/
 Set-Cookie: security=high
 Expires: Tue, 23 Jun 2009 12:00:00 GMT
 Cache-Control: no-cache, must-revalidate
 Pragma: no-cache
 Content-Length: 1224
 Content-Type: text/html;charset=utf-8 
 
[] Context-specific options set for this target: +----------+-------+ | option   | value | +----------+-------+ | language | php   | +----------+-------+ [] [SMART] Running initialization method…
 {'Perl', 'Apache'}
 [] [SMART] Wappalyzer fingerprinting returns: ['apache', 'mod_ssl', 'mod_perl', 'unix', 'php', 'perl', 'openssl'] [] [SMART] Detected option (no update): language = php

• Después de ejecutar la consulta anterior, JOCK3R ha iniciado el escaneo de nmap en todos los servicios. Esta herramienta escaneará todos los servicios
• El servicio anterior ha detectado el idioma y el servidor del sitio web de destino
• La información anterior se puede utilizar en otras actividades de hacking
• Para escanear todos los servicios, simplemente escriba Y cuando se le solicite escanear otro servicio. Hacer específico al escanear

[>] [Recon][Check 13/14] crawling-fast > Crawl website quickly, analyze interesting files/directories
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> dirhunt http://192.168.1.105/
 Welcome to Dirhunt v0.6.0 using Python 2.7.15+
 Starting…
 [302] http://192.168.1.105/  (Redirect)
     Redirect to: http://192.168.1.105/
 [200] http://192.168.1.105/login.php  (HTML document)
     Index file found: index.php
 [200] http://192.168.1.105/dvwa/css/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/images/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/js/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/includes/  (Index Of)
     Interesting extension files: dvwaPage.inc.php (13K), dvwaPhpIds.inc.php (2.5K)
 [200] http://192.168.1.105/dvwa/includes/DBMS/  (Index Of)
     Interesting extension files: DBMS.php (2.4K), MySQL.php (2.9K), PGSQL.php (3.4K)
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 Starting…
 http://192.168.1.105/login.php
 (200) (  154B) http://192.168.1.105/dvwa/includes/dvwaPage.inc.php     [13K ] 
 Warning: define() expects at least 2 parameters,
 (200) (  156B) http://192.168.1.105/dvwa/includes/dvwaPhpIds.inc.php   [2.5K] 
 Warning: define() expects at least 2 parameters,
 (200) (  154B) http://192.168.1.105/dvwa/includes/DBMS/MySQL.php       [2.9K] 
 Fatal error: Call to undefined function dvwaMessa
 (200) (  626B) http://192.168.1.105/dvwa/includes/DBMS/DBMS.php        [2.4K] 
 Notice: Undefined variable: DBMS in /opt/lampp (200) (  154B) http://192.168.1.105/dvwa/includes/DBMS/PGSQL.php       [3.4K] 
 Fatal error: Call to undefined function dvwaMessa
 [>] [Recon][Check 14/14] crawling-fast2 > Crawl website and extract URLs, files, intel & endpoints

• El servicio anterior utilizado es el rastreo donde esta herramienta intenta analizar archivos y directorios que se pueden usar en futuros ataques de hacking
• Mientras se rastrean algunas de las páginas, el directorio dvwa denominado como incluye tiene páginas como mysql.php, dbms.php, pgsql que se pueden usar en otras actividades de hacking
• El escaneo muestra las vulnerabilidades mencionadas en CVE

[>] [Vulnscan][Check 01/29] vuln-lookup > Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !)
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> sudo nmap -sT -sV -T5 -Pn -p 80 --script nmap-vulners/vulners.nse --script-args vulscandb=scipvuldb.csv 192.168.1.105 -oX /tmp/nmaptmp.xml; ./exploit-database/searchsploit --nmap /tmp/nmaptmp.xml; sudo rm -f /tmp/nmaptmp.xml
 Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-24 06:02 EST
 Nmap scan report for dvwa (192.168.1.105)
 Host is up (0.00046s latency).
 PORT   STATE SERVICE VERSION
 80/tcp open  http    Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
 |http-server-header: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 | vulners: |   cpe:/a:apache:http_server:2.2.14: |       CVE-2010-0425           10.0            https://vulners.com/cve/CVE-2010-0425 |       CVE-2011-3192           7.8             https://vulners.com/cve/CVE-2011-3192 |       CVE-2013-2249           7.5             https://vulners.com/cve/CVE-2013-2249 |       CVE-2017-7679           7.5             https://vulners.com/cve/CVE-2017-7679 |       CVE-2017-7668           7.5             https://vulners.com/cve/CVE-2017-7668 |       CVE-2017-3167           7.5             https://vulners.com/cve/CVE-2017-3167 |       CVE-2017-3169           7.5             https://vulners.com/cve/CVE-2017-3169 |       CVE-2012-0883           6.9             https://vulners.com/cve/CVE-2012-0883 |       CVE-2009-3555           5.8             https://vulners.com/cve/CVE-2009-3555 |       CVE-2013-1862           5.1             https://vulners.com/cve/CVE-2013-1862 |       CVE-2014-0098           5.0             https://vulners.com/cve/CVE-2014-0098 |       CVE-2007-6750           5.0             https://vulners.com/cve/CVE-2007-6750 |       CVE-2013-6438           5.0             https://vulners.com/cve/CVE-2013-6438 |       CVE-2011-3368           5.0             https://vulners.com/cve/CVE-2011-3368 |       CVE-2012-4557           5.0             https://vulners.com/cve/CVE-2012-4557 |       CVE-2014-0231           5.0             https://vulners.com/cve/CVE-2014-0231 |       CVE-2010-0408           5.0             https://vulners.com/cve/CVE-2010-0408 |       CVE-2010-1452           5.0             https://vulners.com/cve/CVE-2010-1452 |       CVE-2010-2068           5.0             https://vulners.com/cve/CVE-2010-2068 |       CVE-2012-0031           4.6             https://vulners.com/cve/CVE-2012-0031 |       CVE-2011-3607           4.4             https://vulners.com/cve/CVE-2011-3607 |       CVE-2012-0053           4.3             https://vulners.com/cve/CVE-2012-0053 |       CVE-2011-3348           4.3             https://vulners.com/cve/CVE-2011-3348 |       CVE-2016-4975           4.3             https://vulners.com/cve/CVE-2016-4975 |       CVE-2010-0434           4.3             https://vulners.com/cve/CVE-2010-0434 |       CVE-2011-4317           4.3             https://vulners.com/cve/CVE-2011-4317 |       CVE-2013-1896           4.3             https://vulners.com/cve/CVE-2013-1896 |       CVE-2011-0419           4.3             https://vulners.com/cve/CVE-2011-0419 |       CVE-2012-4558           4.3             https://vulners.com/cve/CVE-2012-4558 |       CVE-2012-3499           4.3             https://vulners.com/cve/CVE-2012-3499 |       CVE-2011-3639           4.3             https://vulners.com/cve/CVE-2011-3639 |       CVE-2016-8612           3.3             https://vulners.com/cve/CVE-2016-8612 |       CVE-2012-2687           2.6             https://vulners.com/cve/CVE-2012-2687 |      CVE-2011-4415           1.2             https://vulners.com/cve/CVE-2011-4415
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 7.72 seconds
 [i] SearchSploit's XML mode (without verbose enabled).   To enable: searchsploit -v --xml…
 [i] Reading: '/tmp/nmaptmp.xml'
 [i] ./exploit-database/searchsploit -t apache httpd 2 2 14

• Después de ejecutar la consulta anterior, se muestran las vulnerabilidades CVE que se pueden usar en futuros ataques de hacking
• Se muestran muchas vulnerabilidades en las que figuran CVE los últimos años
• Más escaneo utiliza nikto para escanear en busca de vulnerabilidades web

[>] [Vulnscan][Check 03/29] vulnscan-multi-nikto > Check for multiple web vulnerabilities/misconfigurations
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> cd program; perl ./nikto.pl -host dvwa -port 80
 - Nikto v2.1.6
 Target IP:          192.168.1.105
 Target Hostname:    dvwa
 Target Port:        80 
 + Start Time:         2019-01-24 06:14:56 (GMT-5)
 Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
 Retrieved x-powered-by header: PHP/5.3.1
 The anti-clickjacking X-Frame-Options header is not present.
 The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 Cookie PHPSESSID created without the httponly flag
 Cookie security created without the httponly flag
 Root page / redirects to: login.php
 Server leaks inodes via ETags, header found with file /robots.txt, inode: 9210, size: 26, mtime: Tue Aug 24 15:45:32 2010
 Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
 Perl/v5.10.1 appears to be outdated (current is at least v5.14.2)
 mod_ssl/2.2.14 appears to be outdated (current is at least 2.8.31) (may depend on server version)
 Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
 PHP/5.3.1 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
 mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
 OpenSSL/0.9.8l appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
 OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
 OSVDB-112004: /cgi-bin/printenv: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
 OSVDB-112004: /cgi-bin/printenv: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
 OSVDB-3268: /config/: Directory indexing found.
 /config/: Configuration information may be available remotely.
 OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
 OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
 OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
 OSVDB-3268: /icons/: Directory indexing found.
 OSVDB-3268: /docs/: Directory indexing found.
 OSVDB-3092: /CHANGELOG.txt: A changelog was found.
 OSVDB-3233: /icons/README: Apache default file found.
 /login.php: Admin login page/section found.
 /phpmyadmin/: phpMyAdmin directory found
 OSVDB-3092: /.svn/entries: Subversion Entries file may contain directory listing information.
 OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 /CHANGELOG.txt: Version number implies that there is a SQL Injection in Drupal 7, can be used for authentication bypass (Drupageddon: see https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html).
 /server-status: Apache server-status interface found (pass protected)
 8167 requests: 0 error(s) and 39 item(s) reported on remote host 
 + End Time:           2019-01-24 06:15:35 (GMT-5) (39 seconds)
 1 host(s) tested

• La herramienta anterior muestra que muchas de las configuraciones no se realizan correctamente, por eso los ataques de fuerza bruta se pueden hacer fácilmente
• Algunas de las versiones de apache, perl están desactualizadas. Hay ciertas solicitudes HTTP que pueden generar información confidencial
• Esta información puede ser utilizada en otras actividades de hacking
• También ejecuta herramienta como changme

cmd> python3 changeme.py -v  --protocols http 192.168.1.105:80
 #####################################################
 _
 | |_   _ _ _ _   _ _   _ _    _
 / _| ' \ / | '_ \ / _ |/  \ '_ ` _ \ / _ \
| (| | | | (| | | | | (| | / | | | | | __/
___|| ||__,|| ||_, |___|| || ||__|
|_/
v1.1
Default Credential Scanner by @ztgrace
#####################################################
Loaded 113 default credential profiles
Loaded 324 default credentials
[06:28:15] Configured protocols: http
[06:28:15] Loading creds into queue
[06:28:15] Fingerprinting completed
[06:28:15] Scanning Completed
No default credentials found
[*] [SMART] Running post-check method "changeme_valid_creds" …
[*] [Vulnscan][Check 05/29] webdav-scan-davscan > Skipped because target's context is not matching
[*] [Vulnscan][Check 06/29] webdav-scan-msf > Skipped because target's context is not matching
[*] [Vulnscan][Check 07/29] webdav-internal-ip-disclosure > Skipped because target's context is not matching
[*] [Vulnscan][Check 08/29] webdav-website-content > Skipped because target's context is not matching

• Después de explorar más el destino, muestra que el contexto de destino no coincide porque esta herramienta detecta las credenciales de puerta trasera predeterminadas
• Ahora está escaneando con otra herramienta de choque de shell que muestra si el objetivo es vulnerable a la explotación

[>] [Vulnscan][Check 11/29] shellshock-scan > Detect if web server is vulnerable to Shellshock (CVE-2014-6271)
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> python2.7 shocker.py --Host 192.168.1.105 --port 80
 .-. .            .
   (   )|            |
    -. |--. .-.  .-.|.-. .-. .--.   (   )|  |(   )(   |-.'(.-' | -' ' --' -''-`--'' v1.1
Tom Watson, tom.watson@nccgroup.trust
https://www.github.com/nccgroup/shocker
Released under the GNU Affero General Public License
(https://www.gnu.org/licenses/agpl-3.0.html)
[+] 402 potential targets imported from ./shocker-cgi_list
[+] Checking connectivity with target…
[+] Target was reachable
[+] Looking for vulnerabilities on 192.168.1.105:80
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[+] 3 potential targets found, attempting exploits
[+] The following URLs appear to be exploitable:
[1] http://192.168.1.105:80/cgi-bin/printenv
[2] http://192.168.1.105:80/cgi-bin/test-cgi

• La herramienta Shell Shocker muestra que el objetivo puede ser explotado usando los 2 enlaces anteriores. Esta información puede ser utilizada en otras actividades de hacking
• Algunas veces, si la herramienta se bloquea durante el funcionamiento, presione ctrl + c para iniciar un nuevo escaneo
• El escaneo muestra que algunas de las herramientas no son compatibles como se muestra a continuación

Category > Exploit
 [*] [Exploit][Check 01/11] jboss-deploy-shell > Skipped because target's context is not matching
 [*] [Exploit][Check 02/11] struts2-rce-cve2017-5638 > Skipped because target's context is not matching
 [*] [Exploit][Check 03/11] struts2-rce-cve2017-9805 > Skipped because target's context is not matching
 [*] [Exploit][Check 04/11] struts2-rce-cve2018-11776 > Skipped because target's context is not matching
 [*] [Exploit][Check 05/11] tomcat-rce-cve2017-12617 > Skipped because target's context is not matching
 [*] [Exploit][Check 06/11] jenkins-cliport-deserialize > Skipped because target's context is not matching
 [*] [Exploit][Check 07/11] weblogic-t3-deserialize-cve2015-4852 > Skipped because target's context is not matching
 [*] [Exploit][Check 08/11] weblogic-t3-deserialize-cve2017-3248 > Skipped because target's context is not matching
 [*] [Exploit][Check 09/11] weblogic-t3-deserialize-cve2018-2893 > Skipped because target's context is not matching
 [*] [Exploit][Check 10/11] weblogic-wls-wsat-cve2017-10271 > Skipped because target's context is not matching
 [*] [Exploit][Check 11/11] drupal-cve-exploit > Skipped because target's context is not matching

• Las herramientas anteriores no son compatibles ya que las herramientas son de contexto diferente y el objetivo tiene diferentes funcionalidades
• Usando otra herramienta wfuzz. Wfuzz es una aplicación web de fuerza bruta

cmd> ./wfuzz -c -u http://192.168.1.105//FUZZ -w /home/iicybersecurity/Downloads/jok3r/wordlists/services/http/discovery/opendoor-paths.txt --hc 400,404,500,000
 Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 
 Wfuzz 2.3.4 - The Web Fuzzer                         * 
 
 Target: http://192.168.1.105//FUZZ
 Total requests: 36942
 ==================================================================
 ID   Response   Lines      Word         Chars          Payload

000431:  C=200    101 L      135 W         1480 Ch        ".svn/all-wcprops"
 000432:  C=200    572 L      151 W         2726 Ch        ".svn/entries"
 000434:  C=200     12 L       61 W          803 Ch        ".svn/prop-base/"
 000435:  C=200     11 L       52 W          667 Ch        ".svn/props/"
 000436:  C=200     25 L      175 W         2455 Ch        ".svn/text-base/"
 000437:  C=200      4 L       39 W          538 Ch        ".svn/text-base/index.php.svn-base"
 000438:  C=200     14 L       76 W         1010 Ch        ".svn/tmp/"
 001959:  C=200    129 L      594 W         5066 Ch        "CHANGELOG.txt"
 001973:  C=200    622 L     5214 W        33107 Ch        "COPYING.txt"
 002936:  C=200    119 L      706 W         4934 Ch        "README.txt"
 004298:  C=302      0 L        0 W            0 Ch        "about.php"
 004948:  C=404     46 L      113 W         1118 Ch        "admin/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector005061:  C=404     46 L      113 W         1118 Ch        "admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector005062:  C=404     46 L      113 W         1118 Ch        "admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connecto005063:  C=404     46 L      113 W         1118 Ch        "admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector006673:  C=404     46 L      113 W         1118 Ch        "all/modules/ogdi_field/plugins/dataTables/extras/TableTools/media/swf/ZeroC007150:  C=404     46 L      113 W         1118 Ch        "apps/trac/pragyan/browser/trunk/cms/modules/article/fckEditor/editor/filema010085:  C=403     44 L      109 W         1122 Ch        "cgi-bin/"
 010087:  C=403     44 L      108 W         1108 Ch        "cgi-bin/awstats.pl"
 011523:  C=200     12 L       61 W          776 Ch        "config/"
 013659:  C=200     11 L       52 W          650 Ch        "docs/"
 013930:  C=404     46 L      113 W         1118 Ch        "dreamedit/includes/FCKEditor_/editor/filemanager/browser/mcpuk/browser.html014071:  C=200     15 L       84 W         1101 Ch        "dvwa/"
 015076:  C=403     44 L      109 W         1122 Ch        "error/"
 015477:  C=200     12 L       60 W          772 Ch        "external/"
 015653:  C=200      1 L        6 W         1549 Ch        "favicon.ico"
 015697:  C=404     46 L      113 W         1118 Ch        "fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx016920:  C=404     46 L      113 W         1118 Ch        "galeria/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder016925:  C=404     46 L      113 W         1118 Ch        "galerie/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder016955:  C=404     46 L      113 W         1118 Ch        "gallery/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder018593:  C=200    167 L     1300 W        18876 Ch        "icons/"
 018642:  C=302      0 L        0 W            0 Ch        "ids_log.php"
 019087:  C=404     46 L      113 W         1118 Ch        "includes/fckeditor/editor/filemanager/browser/default/connectors/asp/connec019088:  C=404     46 L      113 W         1118 Ch        "includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/conne019089:  C=404     46 L      113 W         1118 Ch        "includes/fckeditor/editor/filemanager/browser/default/connectors/php/connec019142:  C=302      0 L        0 W            0 Ch        "index.php"
 019762:  C=404     46 L      113 W         1118 Ch        "ispcp/browser/trunk/gui/tools/filemanager/plugins/fckeditor/editor/filemana020212:  C=404     46 L      113 W         1118 Ch        "js/fckeditor/editor/filemanager/browser/default/connectors/php/connector.ph021551:  C=200     65 L      108 W         1224 Ch        "login.php"
 021667:  C=302      0 L        0 W            0 Ch        "logout.php"
 025961:  C=404     46 L      113 W         1118 Ch        "photo/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.p026010:  C=404     46 L      113 W         1118 Ch        "photos/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.026053:  C=200      4 L       20 W          148 Ch        "php.ini"
 026339:  C=302      0 L        0 W            0 Ch        "phpinfo.php"
 026390:  C=200      0 L        0 W            0 Ch        "phpmyadmin/phpinfo.php"
 026389:  C=200     72 L      206 W         2726 Ch        "phpmyadmin/"
 026673:  C=404     46 L      113 W         1118 Ch        "plugins/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html026675:  C=404     46 L      113 W         1118 Ch        "plugins/p_fckeditor/fckeditor/editor/filemanager/browser/default/browser.ht026676:  C=404     46 L      113 W         1118 Ch        "plugins/p_fckeditor/fckeditor/editor/filemanager/connectors/uploadtest.html028932:  C=200      1 L        4 W           26 Ch        "robots.txt"
 029580:  C=404     46 L      113 W         1118 Ch        "script/jqueryplugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.s029817:  C=302      0 L        0 W            0 Ch        "security.php"
 029987:  C=200     51 L      292 W         2787 Ch        "server-status/"
 029986:  C=200   1253 L     8719 W        120232 Ch       "server-info/"
 030080:  C=404     46 L      113 W         1118 Ch        "servlet/Oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/so030101:  C=404     46 L      113 W         1118 Ch        "servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/so030182:  C=200     80 L      227 W         3549 Ch        "setup.php"
 036787:  C=404     46 L      113 W         1118 Ch        "zenphoto/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folde

 Total time: 110.2424
 Processed Requests: 36942
 Filtered Requests: 36874
 Requests/sec.: 335.0979

• La consulta anterior intenta encontrar directorios, archivos que no están vinculados directamente. Después de ejecutar la consulta anterior, wfuzz ha encontrado ajax, servlets y algunos complementos
• Estos datos pueden ser utilizados en otros ataques de hacking

Como puede ver, esta herramienta comprende muchas herramientas pequeñas que muestran mucha información vital. Para seguir escaneando puedes seguir otros tutoriales.

Read More

VULNERABILIDADES CRÍTICAS EN ENRUTADORES CISCO AFECTAN MILES DE EMPRESAS EN LATINOAMÉRICA

Read More

JAPÓN PLANEA HACKING MASIVO DE EQUIPOS IOT DE SUS CIUDADANOS

El gobierno japonés intentará proteger los dispositivos IoT antes de las olimpiadas de Tokio 2020 para prevenir ciberataques

El pasado viernes el gobierno de Japón aprobó una enmienda que otorga a sus empleados públicos la facultad para hackear cualquier dispositivo de Internet de las Cosas (IoT) de sus ciudadanos, acorde a especialistas en seguridad en redes del Instituto Internacional de Seguridad Cibernética, esta medida forma parte de una inusual y muy invasiva investigación sobre equipos IoT vulnerables.

Esta investigación será realizada por empleados del Instituto Nacional de Tecnología de la Información y Comunicaciones de Japón (NICT), con la supervisión del Ministerio de Asuntos Internos, informó el gobierno japonés.

La legislación establece que los empleados del NICT podrán utilizar diccionarios de contraseñas predeterminados para intentar acceder a los dispositivos IoT de los consumidores. Con esto se pretende reunir una lista de equipos IoT poco seguros (con contraseñas predeterminadas o fáciles de adivinar) para que el gobierno, en colaboración con importantes empresas de telecomunicaciones, puedan tomar decisiones y alertar a los propietarios de estos equipos para lograr reforzar la seguridad en redes.

La investigación comenzará en los próximos días, enfocándose principalmente en enrutadores y cámaras web. El gobierno japonés espera analizar alrededor de 200 millones de dispositivos IoT en hogares y organizaciones.

Informes de especialistas en seguridad en redes afirman que los ciberataques dirigidos a dispositivos IoT en Japón equivalen a la tercera parte de todos los ciberataques reportados al año en el país, lo que podría incrementar durante los próximos Juegos Olímpicos de Tokio 2020, pues el gobierno japonés sabe que grupos de hackers están siempre a la expectativa de esta clase de eventos para atacar importantes infraestructuras de TI.

Durante los Juegos Olímpicos de Invierno de 2018 en PyeongChang, Corea del Sur, grupos de hackers auspiciados por el gobierno ruso desplegaron el malware “Olympic Destroyer” contra la infraestructura informática sudcoreana, todo como represalia por la decisión del Comité Olímpico Internacional (COI) de expulsar a cientos de atletas rusos de la competencia.

Además, los mismos hackers construyeron VPNFilter, una gigantesca botnet, usando equipos IoT domésticos con la que planeaban cortar la transmisión de la final de la Liga de Campeones de la UEFA de 2018 en Kiev, acorde a informes de las agencias de inteligencia de Ucrania.

Tal como se anticipaba, la decisión del gobierno japonés ha provocado indignación entre los ciudadanos y grupos de activistas de la privacidad. Los inconformes argumentan que esta es una medida innecesaria, pues basta con que el gobierno japonés implemente una campaña de concientización sobre la seguridad de estos dispositivos.

Por su parte, el gobierno de Japón considera que esta es una medida legítima, debido a que la mayoría de las botnets IoT son creadas por los hackers gracias a la poca seguridad con la que cuentan esta clase de dispositivos. Además, aunque una botnet también puede ser creada explotando vulnerabilidades en los enrutadores, la forma más utilizada es corrompiendo los equipos sin medidas de seguridad.

Read More

DEPARTAMENTOS DE POLICÍA ENCRIPTAN SUS RADIOCOMUNICACIONES; PRENSA Y CRIMINALES ESTÁN PREOCUPADOS

Reporteros locales verán entorpecida su labor debido a esta medida de la policía de Colorado

Especialistas en seguridad en redes del Instituto Internacional de Seguridad Cibernética reportan que al menos diez de las agencias policiales de Colorado, E.U., han decidido implementar cifrado en todas sus comunicaciones de radio, medida que antes aplicaba solamente a las operaciones consideradas ‘sensibles’. Debido a esta nueva política, los periodistas ya no podrán utilizar escáneres o aplicaciones móviles para rastrear las llamadas policiales.

“Aplicar encriptación a nuestras comunicaciones mejorará la seguridad y la efectividad de los departamentos de policía”, mencionan funcionarios del estado de Colorado. “No sólo los periodistas usaban esta clase de tecnología, también criminales y sospechosos sacaban ventaja de escuchar nuestras llamadas”, añadieron los funcionarios.

Sin embargo, expertos en seguridad en redes consideran que esto afecta principalmente a los periodistas, pues les resultará más complicado acudir a los lugares donde se presentan los hechos relevantes para su trabajo, causa razonable para argumentar que las agencias de policía están limitando la transparencia en su actuar.

Aún así, esto no es algo que los activistas de la privacidad o alguna firma de ciberseguridad consideren intrínsecamente malo; la encriptación de las comunicaciones es, de hecho, algo deseable en la actualidad. El cifrado protege la información sensible de individuos y organizaciones contra los hackers maliciosos, como datos financieros, compras en línea o incluso nuestras identidades, consideran expertos en seguridad en redes.

Además, en estos días se ocurren múltiples incidentes de seguridad de datos que involucran a organizaciones de cualquier tamaño que carecen de los protocolos y medidas de seguridad de la información adecuadas, actores maliciosos de toda clase siempre se encuentran al acecho de las debilidades que permiten acceder a información de millones de personas.   Las personas en verdad deben ser conscientes de la importancia de la privacidad de su información, del mismo modo que alguien cierra las puertas de su casa con llave antes de salir, los usuarios de servicios en línea deben proteger sus datos con medidas como contraseñas seguras o autenticación multi factor. Por lo tanto, aunque esta medida de la policía de Colorado puede ser polémica, también podría resultar benéfica para muchos.

Read More

DISTRIBUTED DENIAL OF SECRETS: UN NUEVO COMPETIDOR PARA WIKILEAKS

Read More

JOK3R, ONE TOOL TO DO ALL HACKING.

In most of the cases pentesting is done manually. Where pentester uses all the tools available over the internet to find bugs or vulnerabilities in web applications. Nowdays most often pentesting is done on automated tools. These tools are getting so much attention as these tools save lot of time. Pentester can do another challenging tasks in pentesting work. Today we are talking about jok3R.

Ethical hacking researcher of international institute of cyber security says that jok3r comes handy in initial phase of pentesting.

Jok3r is an popular pentesting framework which is build using many popular tools used in pentesting. This tool main goal is to save time on analyzing of the target. So the pentester can enjoy most of the time in another challenging part. This tool has been tested on Kali Linux 2017.3

ON TARGET WE WILL USE DVWA:-

• On Attacker side we are using DVWA to test the tool. For downloading DVWA iso go to : https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/
• After downloading iso, open iso in virtual box or vmware workstation. Then start iso.
• For getting DVWA ip type ifconfig

ON ATTACKER WE WILL DO JOK3R INSTALLATION :-

• For cloning type git clone https://github.com/koutto/jok3r.git
• Then type cd jok3r
• Type pip install -r requirements.txt
• install-all.sh and install-dependencies.sh permission needs to be change. For that type chmod u+x install-dependencies.sh and then type chmod u+x install-all.sh
• For checking if the permission has changed type ls -ltr

root@kali:/home/iicybersecurity/Downloads/jok3r# ls -ltr
 total 176
 -rw-r--r--  1 root root 35149 Jan 24 00:02 LICENSE
 -rw-r--r--  1 root root   348 Jan 24 00:02 Dockerfile
 -rw-r--r--  1 root root   461 Jan 24 00:02 CHANGELOG.rst
 -rw-r--r--  1 root root  2519 Jan 24 00:02 TODO.rst
 -rw-r--r--  1 root root 41498 Jan 24 00:02 README.rst
 -rw-r--r--  1 root root  1934 Jan 24 00:02 jok3r.py
 -rwxr-xr-x  1 root root  3126 Jan 24 00:02 install-dependencies.sh
 -rwxr-xr-x  1 root root   129 Jan 24 00:02 install-all.sh
 drwxr-xr-x  2 root root  4096 Jan 24 00:02 docker
 drwxr-xr-x  3 root root  4096 Jan 24 00:02 doc
 -rw-r--r--  1 root root   249 Jan 24 00:02 requirements.txt
 drwxr-xr-x  2 root root  4096 Jan 24 00:02 pictures
 drwxr-xr-x  3 root root  4096 Jan 24 00:02 webshells
 drwxr-xr-x  5 root root  4096 Jan 24 00:02 wordlists
 drwxr-xr-x 10 root root  4096 Jan 24 00:24 lib
 drwxr-xr-x  2 root root  4096 Jan 24 00:25 settings
 -rw-r--r--  1 root root 32768 Jan 24 00:25 local.db
 drwxr-xr-x  5 root root  4096 Jan 24 00:25 toolbox

• Now type ./install-all.sh
• Type ./install-dependencies.sh
• This tool might take time to install dependencies as its an big tool some of the files takes time to download.
• If install-all.sh and install-dependencies.sh are not working properly or showing error while installing dependencies. Consider using docker to install all the dependencies.
• While installation it shows to upgrade pip for that type sudo apt-get install python3-pip. Then type pip –upgrade install pip
• If docker is not installed type sudo apt-get update Then type sudo apt-get install docker-ce or type sudo apt-get docker.io
• Type docker–version

root@kali:/home/iicybersecurity/Downloads/jok3r# docker --version
 Docker version 18.06.1-ce, build e68fc7a

• After installing docker type cd docker
• Type sudo docker pull koutto/jok3r This command will install all the dependencies/ tools that are needed by jok3r.
• Once the jok3r tools are installed type python3 jok3r.py –help

ATTACKER :-

vroot@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py --help

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]
 
usage:
 python3 jok3r.py  [] 
 
Supported commands:
    toolbox    Manage the toolbox
    info       View supported services/options/checks
    db         Define missions scopes, keep tracks of targets & view attacks results
    attack     Run checks against targets 
 
optional arguments:
   -h, --help  show this help message and exit

• Type python3 jok3r.py toolbox –show-all
• toolbox is the list tools that have installed.
• –show-all will display all installed tools.

root@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py toolbox --show-all

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]  
Toolbox content - all services 
+--------------------------------+----------+-----------------+-------------------------------------------------------------------------------------------------------------+
 | Name                           | Service  | Status/Update   | Description                                                                                                 |
 +--------------------------------+----------+-----------------+-------------------------------------------------------------------------------------------------------------+
 | ajpy                           | ajp      | OK | 2019-01-24 | AJP requests crafter in order to communicate with AJP connectors                                            |
 | ftpmap                         | ftp      | OK | 2019-01-24 | FTP Scanner detecting vulns based on softs/versions                                                         |
 | halberd                        | http     | OK | 2019-01-24 | HTTP load balancer detector                                                                                 |
 | wafw00f                        | http     | OK | 2019-01-24 | Identify and fingerprint WAF products protecting a website                                                  |
 | whatweb                        | http     | OK | 2019-01-24 | Identify CMS, blogging platforms, JS libraries, Web servers                                                 |
 | optionsbleed                   | http     | OK | 2019-01-24 | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798)                                               |
 | clusterd                       | http     | OK | 2019-01-24 | Application server attack toolkit (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish)            |
 | wig                            | http     | OK | 2019-01-24 | Identify several CMS and other administrative applications                                                  |
 | fingerprinter                  | http     | OK | 2019-01-24 | CMS/LMS/Library versions fingerprinter                                                                      |
 | cmsexplorer                    | http     | OK | 2019-01-24 | Find plugins and themes installed in a CMS (WordPress, Drupal, Joomla, Mambo)                               |
 | nikto                          | http     | OK | 2019-01-24 | Web server scanner                                                                                          |
 | iis-shortname-scanner          | http     | OK | 2019-01-24 | Scanner for IIS short filename (8.3) disclosure vulnerability                                               |
 | davscan                        | http     | OK | 2019-01-24 | Fingerprint servers, finds exploits, scans WebDAV                                                           |
 | shocker                        | http     | OK | 2019-01-24 | Detect and exploit web servers vulnerable to Shellshock (CVE-2014-6271)                                     |
 | loubia                         | http     | OK | 2019-01-24 | Exploitation tool for Java deserialize on t3(s) (Weblogic)                                                  |
 | exploit-tomcat-cve2017-12617   | http     | OK | 2019-01-24 | Exploit for Apache Tomcat (<9.0.1 (Beta), <8.5.23, <8.0.47, <7.0.8) JSP Upload Bypass RCE (CVE-2017-12617)  | | exploit-weblogic-cve2017-3248  | http     | OK | 2019-01-24 | Exploit for Weblogic RMI Registry UnicastRef Object Java Deserialization RCE (CVE-2017-3248)                | | exploit-weblogic-cve2017-10271 | http     | OK | 2019-01-24 | Exploit for Weblogic WLS-WSAT RCE (CVE-2017-10271)                                                          | | exploit-weblogic-cve2018-2893  | http     | OK | 2019-01-24 | Exploit for Weblogic Java Deserialization RCE (CVE-2018-2893)                                               | | struts-pwn-cve2017-9805        | http     | OK | 2019-01-24 | Exploit for Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805)                                          | | struts-pwn-cve2018-11776       | http     | OK | 2019-01-24 | Exploit for Apache Struts2 CVE-2018-11776                                                                   | | domiowned                      | http     | OK | 2019-01-24 | Fingerprint/Exploit IBM/Lotus Domino servers                                                                | | cmsmap                         | http     | OK | 2019-01-24 | Vulnerability scanner for CMS WordPress, Drupal, Joomla                                                     | | cmseek                         | http     | OK | 2019-01-24 | Detect and bruteforce CMS                                                                                   | | drupwn                         | http     | OK | 2019-01-24 | Fingerprint Drupal 7/8 and exploit CVE                                                                      | | dirhunt                        | http     | OK | 2019-01-24 | Find web directories without bruteforce                                                                     | | photon                         | http     | OK | 2019-01-24 | Fast we crawler that extracts urls, emails, files, website accounts, etc.                                   | | angularjs-csti-scanner         | http     | OK | 2019-01-24 | Angular Client-Side Template Injection scanner                                                              | | wpforce                        | http     | OK | 2019-01-24 | WordPress attack suite                                                                                      | | wpscan                         | http     | OK | 2019-01-24 | WordPress vulnerability scanner                                                                             | | wpseku                         | http     | OK | 2019-01-24 | WordPress vulnerability scanner                                                                             | | joomscan                       | http     | OK | 2019-01-24 | Joomla vulnerability scanner by OWASP                                                                       | | joomlascan                     | http     | OK | 2019-01-24 | Joomla vulnerability scanner                                                                                | | joomlavs                       | http     | OK | 2019-01-24 | Joomla vulnerability scanner                                                                                | | droopescan                     | http     | OK | 2019-01-24 | Drupal & Silverstripe plugin-based vulnerability scanner                                                    | | magescan                       | http     | OK | 2019-01-24 | Magento CMS scanner for information and misconfigurations                                                   | | vbscan                         | http     | OK | 2019-01-24 | vBulletin vulnerability scanner by OWASP                                                                    | | liferayscan                    | http     | OK | 2019-01-24 | Liferay vulnerability scanner                                                                               | | xbruteforcer                   | http     | OK | 2019-01-24 | CMS bruteforce tool                                                                                         | | dirsearch                      | http     | OK | 2019-01-24 | Web path scanner                                                                                            | | wfuzz                          | http     | OK | 2019-01-24 | Web application fuzzer                                                                                      | | barmie                         | java-rmi | OK | 2019-01-24 | Java RMI enumeration and attack tool                                                                        | | jmxbf                          | java-rmi | OK | 2019-01-24 | Bruteforce program to test weak accounts configured to access a JMX Registry                                | | jmxploit                       | java-rmi | OK | 2019-01-24 | JMX (post-)exploitation tool in Tomcat environment                                                          | | sjet                           | java-rmi | OK | 2019-01-24 | JMX exploitation tool for insecure configured JMX services                                                  | | twiddle                        | java-rmi | OK | 2019-01-24 | CLI-based JMX client                                                                                        | | jdwp-shellifier                | jdwp     | OK | 2019-01-24 | Exploitation tool to gain RCE on JDWP                                                                       | | msdat                          | mssql    | OK | 2019-01-24 | Microsoft SQL Database Attacking Tool                                                                       | | changeme                       | multi    | OK | 2019-01-24 | Default credentials scanner                                                                                 | | impacket                       | multi    | OK | 2019-01-24 | Collection of Python classes for working with network protocols                                             | | jexboss                        | multi    | OK | 2019-01-24 | Exploitation tool for JBoss, Jenkins, Struts2, JMX (Tomcat)                                                 | | jok3r-scripts                  | multi    | OK | 2019-01-24 | Various small stand-alone scripts and dependencies for other tools                                          | | metasploit                     | multi    | OK | 2019-01-24 | Metasploit framework                                                                                        | | nmap                           | multi    | OK | 2019-01-24 | Nmap port scanner                                                                                           | | patator                        | multi    | OK | 2019-01-24 | Multi-purpose brute-forcer, with a modular design and a flexible usage                                      | | testssl                        | multi    | OK | 2019-01-24 | TLS/SSL encryption checker                                                                                  | | tls-prober                     | multi    | OK | 2019-01-24 | Tool to fingerprint SSL/TLS servers                                                                         | | vuln-databases                 | multi    | OK | 2019-01-24 | Vulnerabilities databases from Vulners.com, vuldb.com (NSE scripts) and exploit-db.com                      | | ysoserial                      | multi    | OK | 2019-01-24 | Tool for generating payloads that exploit unsafe Java object deserialization                                | | odat                           | oracle   | OK | 2019-01-24 | Oracle database attacking tool                                                                              | | nullinux                       | smb      | OK | 2019-01-24 | Enumeration tool for SMB on Windows                                                                         | | smbmap                         | smb      | OK | 2019-01-24 | SMB Shares enumeration tool                                                                                 | | smtp-user-enum                 | smtp     | OK | 2019-01-24 | Enumerate valid users on SMTP via EXPN, VRFY or RCPT TO                                                     | | snmpwn                         | snmp     | OK | 2019-01-24 | SNMPv3 User enumerator and Attack tool                                                                      | | snmp-check                     | snmp     | OK | 2019-01-24 | SNMP enumerator                                                                                             | | ssh-audit                      | ssh      | OK | 2019-01-24 | SSH server auditing tool (banner, key exchange, encryption, mac, compression, compatibility, security, etc) | | osueta                         | ssh      | OK | 2019-01-24 | Exploit for OpenSSH (versions <= 7.2 and >= 5.*) user enumeration timing attack                             |
 | libssh-scanner                 | ssh      | OK | 2019-01-24 | Exploit for authentication bypass (CVE-2018-10933) in libssh 0.6+ (fixed in 0.7.6 and 0.8.4)                |
 +--------------------------------+----------+-----------------+-------------------------------------------------------------------------------------------------------------+

• This tool gives an options where you can save all the scanned services on the target. You can also see which service has been run on the target.
• For saving first you have to create database. For that type python3 jok3r.py db
• db will open jok3r database.
• For opening further options in db. Type help

root@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py db

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]

The local database stores the missions, targets info & attacks results.
 This shell allows for easy access to this database. New missions can be added and
 scopes can be defined by importing new targets.

 
ok3rdb[default]> help 

Documented commands (type help ):
 Attacks results
 results             Attacks results
 Import
 nmap                Import Nmap results
 Missions data
 creds               Credentials in the current mission scope
 hosts               Hosts in the current mission scope
 mission             Manage missions
 services            Services in the current mission scope
 Other
 alias               Manage aliases
 help                Display this help message
 history             View, run, edit, save, or clear previously entered commands
 macro               Manage macros
 quit                Exit this application
 set                 Set a settable parameter or show current settings of parameters
 shell               Execute a command as if at the OS prompt

• Then type mission testproject
• After creating mission. press ctrl + c
• Then type python3 jok3r.py attack -t http://192.168.1.105/ –add testproject
• attack is used to check the target.
• -t is used to enter target.
• –add is used to save the results in jok3r db.

root@kali:/home/iicybersecurity/Downloads/jok3r# python3 jok3r.py attack -t http://192.168.1.105/ --add testproject

     ____.       __    ________              `Combine the best of...
    |    | ____ |  | __\_____  \______           ...open-source Hacking Tools`
    |    |/  _ \|  |/ /  _(__  <_  __ \
/\__|    (  (_) )    <  /       \  | \/
\________|\____/|__|_ \/______  /__|      v2.0
                     \/       \/

          ~ Network & Web Pentest Framework ~

[ Manage Toolbox | Automate Attacks | Chain Hacking Tools ]

 
[] URL given as target, targeted service is HTTP [] Check if target is reachable and grab banner using Nmap…
 [+] Target URL http://192.168.1.105/ is reachable
 [] Results from this attack will be saved under mission "testproject" in database [] A matching service has been found in the database
 [+] Updated: host 192.168.1.105 | port 80/tcp | service http 
 
+----+---------------+----------+------+-------+---------+-------------------------------------------------------------------+-----------------------+
 | id | IP            | Hostname | Port | Proto | Service | Banner                                                            | URL                   |
 +----+---------------+----------+------+-------+---------+-------------------------------------------------------------------+-----------------------+
 | >1 | 192.168.1.105 | dvwa     | 80   | tcp   | http    | product: Apache httpd version: 2.2.14 extrainfo: (Unix) DAV/2     | http://192.168.1.105/ |
 |    |               |          |      |       |         | mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 |                       |
 |    |               |          |      |       |         | mod_perl/2.0.4 Perl/v5.10.1                                       |                       |
 +----+---------------+----------+------+-------+---------+-------------------------------------------------------------------+-----------------------+ 
 
[?] Start attack ? [Y/n] Y 
 
[*] HTTP Response headers:
 Date: Thu, 24 Jan 2019 09:55:41 GMT
 Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
 X-Powered-By: PHP/5.3.1
 Set-Cookie: PHPSESSID=c03n54d2gciu1rh9niscqmij67; path=/
 Set-Cookie: security=high
 Expires: Tue, 23 Jun 2009 12:00:00 GMT
 Cache-Control: no-cache, must-revalidate
 Pragma: no-cache
 Content-Length: 1224
 Content-Type: text/html;charset=utf-8 
 
[] Context-specific options set for this target: +----------+-------+ | option   | value | +----------+-------+ | language | php   | +----------+-------+ [] [SMART] Running initialization method…
 {'Perl', 'Apache'}
 [] [SMART] Wappalyzer fingerprinting returns: ['apache', 'mod_ssl', 'mod_perl', 'unix', 'php', 'perl', 'openssl'] [] [SMART] Detected option (no update): language = php

• After executing the above query jok3r has started the nmap scan on all services. This tool will scan all the services.
• The above service has detected the language and the server of the target website.
• The above information can be used in other hacking activities.
• For scanning all services simply type Y whenever it prompt to scan another service. Do specific while scanning

[>] [Recon][Check 13/14] crawling-fast > Crawl website quickly, analyze interesting files/directories
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> dirhunt http://192.168.1.105/
 Welcome to Dirhunt v0.6.0 using Python 2.7.15+
 Starting…
 [302] http://192.168.1.105/  (Redirect)
     Redirect to: http://192.168.1.105/
 [200] http://192.168.1.105/login.php  (HTML document)
     Index file found: index.php
 [200] http://192.168.1.105/dvwa/css/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/images/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/js/  (Index Of) (Nothing interesting)
 [200] http://192.168.1.105/dvwa/includes/  (Index Of)
     Interesting extension files: dvwaPage.inc.php (13K), dvwaPhpIds.inc.php (2.5K)
 [200] http://192.168.1.105/dvwa/includes/DBMS/  (Index Of)
     Interesting extension files: DBMS.php (2.4K), MySQL.php (2.9K), PGSQL.php (3.4K)
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 Starting…
 http://192.168.1.105/login.php
 (200) (  154B) http://192.168.1.105/dvwa/includes/dvwaPage.inc.php     [13K ] 
 Warning: define() expects at least 2 parameters,
 (200) (  156B) http://192.168.1.105/dvwa/includes/dvwaPhpIds.inc.php   [2.5K] 
 Warning: define() expects at least 2 parameters,
 (200) (  154B) http://192.168.1.105/dvwa/includes/DBMS/MySQL.php       [2.9K] 
 Fatal error: Call to undefined function dvwaMessa
 (200) (  626B) http://192.168.1.105/dvwa/includes/DBMS/DBMS.php        [2.4K] 
 Notice: Undefined variable: DBMS in /opt/lampp (200) (  154B) http://192.168.1.105/dvwa/includes/DBMS/PGSQL.php       [3.4K] 
 Fatal error: Call to undefined function dvwaMessa
 [>] [Recon][Check 14/14] crawling-fast2 > Crawl website and extract URLs, files, intel & endpoints

• The above service used is crawl where this tool tries to analyze files and directories which can be used in further hacking attacks.
• While crawling some of the pages shows the dvwa directory named as includes has pages like mysql.php, dbms.php, pgsql which can be used in other hacking activities.
• Scanning further shows vulnerabilities mentioned in CVE.

[>] [Vulnscan][Check 01/29] vuln-lookup > Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !)
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> sudo nmap -sT -sV -T5 -Pn -p 80 --script nmap-vulners/vulners.nse --script-args vulscandb=scipvuldb.csv 192.168.1.105 -oX /tmp/nmaptmp.xml; ./exploit-database/searchsploit --nmap /tmp/nmaptmp.xml; sudo rm -f /tmp/nmaptmp.xml
 Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-24 06:02 EST
 Nmap scan report for dvwa (192.168.1.105)
 Host is up (0.00046s latency).
 PORT   STATE SERVICE VERSION
 80/tcp open  http    Apache httpd 2.2.14 ((Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
 |http-server-header: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 | vulners: |   cpe:/a:apache:http_server:2.2.14: |       CVE-2010-0425           10.0            https://vulners.com/cve/CVE-2010-0425 |       CVE-2011-3192           7.8             https://vulners.com/cve/CVE-2011-3192 |       CVE-2013-2249           7.5             https://vulners.com/cve/CVE-2013-2249 |       CVE-2017-7679           7.5             https://vulners.com/cve/CVE-2017-7679 |       CVE-2017-7668           7.5             https://vulners.com/cve/CVE-2017-7668 |       CVE-2017-3167           7.5             https://vulners.com/cve/CVE-2017-3167 |       CVE-2017-3169           7.5             https://vulners.com/cve/CVE-2017-3169 |       CVE-2012-0883           6.9             https://vulners.com/cve/CVE-2012-0883 |       CVE-2009-3555           5.8             https://vulners.com/cve/CVE-2009-3555 |       CVE-2013-1862           5.1             https://vulners.com/cve/CVE-2013-1862 |       CVE-2014-0098           5.0             https://vulners.com/cve/CVE-2014-0098 |       CVE-2007-6750           5.0             https://vulners.com/cve/CVE-2007-6750 |       CVE-2013-6438           5.0             https://vulners.com/cve/CVE-2013-6438 |       CVE-2011-3368           5.0             https://vulners.com/cve/CVE-2011-3368 |       CVE-2012-4557           5.0             https://vulners.com/cve/CVE-2012-4557 |       CVE-2014-0231           5.0             https://vulners.com/cve/CVE-2014-0231 |       CVE-2010-0408           5.0             https://vulners.com/cve/CVE-2010-0408 |       CVE-2010-1452           5.0             https://vulners.com/cve/CVE-2010-1452 |       CVE-2010-2068           5.0             https://vulners.com/cve/CVE-2010-2068 |       CVE-2012-0031           4.6             https://vulners.com/cve/CVE-2012-0031 |       CVE-2011-3607           4.4             https://vulners.com/cve/CVE-2011-3607 |       CVE-2012-0053           4.3             https://vulners.com/cve/CVE-2012-0053 |       CVE-2011-3348           4.3             https://vulners.com/cve/CVE-2011-3348 |       CVE-2016-4975           4.3             https://vulners.com/cve/CVE-2016-4975 |       CVE-2010-0434           4.3             https://vulners.com/cve/CVE-2010-0434 |       CVE-2011-4317           4.3             https://vulners.com/cve/CVE-2011-4317 |       CVE-2013-1896           4.3             https://vulners.com/cve/CVE-2013-1896 |       CVE-2011-0419           4.3             https://vulners.com/cve/CVE-2011-0419 |       CVE-2012-4558           4.3             https://vulners.com/cve/CVE-2012-4558 |       CVE-2012-3499           4.3             https://vulners.com/cve/CVE-2012-3499 |       CVE-2011-3639           4.3             https://vulners.com/cve/CVE-2011-3639 |       CVE-2016-8612           3.3             https://vulners.com/cve/CVE-2016-8612 |       CVE-2012-2687           2.6             https://vulners.com/cve/CVE-2012-2687 |      CVE-2011-4415           1.2             https://vulners.com/cve/CVE-2011-4415
 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 7.72 seconds
 [i] SearchSploit's XML mode (without verbose enabled).   To enable: searchsploit -v --xml…
 [i] Reading: '/tmp/nmaptmp.xml'
 [i] ./exploit-database/searchsploit -t apache httpd 2 2 14

• After executing above query shows the cve vulnerabilities which can be used in further hacking attacks.
• It show many vulnerabilities in which are listed CVE recent years.
• Further scanning it uses nikto to scan for web vulnerabilities.

[>] [Vulnscan][Check 03/29] vulnscan-multi-nikto > Check for multiple web vulnerabilities/misconfigurations
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> cd program; perl ./nikto.pl -host dvwa -port 80
 - Nikto v2.1.6
 Target IP:          192.168.1.105
 Target Hostname:    dvwa
 Target Port:        80 
 + Start Time:         2019-01-24 06:14:56 (GMT-5)
 Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
 Retrieved x-powered-by header: PHP/5.3.1
 The anti-clickjacking X-Frame-Options header is not present.
 The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 Cookie PHPSESSID created without the httponly flag
 Cookie security created without the httponly flag
 Root page / redirects to: login.php
 Server leaks inodes via ETags, header found with file /robots.txt, inode: 9210, size: 26, mtime: Tue Aug 24 15:45:32 2010
 Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
 Perl/v5.10.1 appears to be outdated (current is at least v5.14.2)
 mod_ssl/2.2.14 appears to be outdated (current is at least 2.8.31) (may depend on server version)
 Apache/2.2.14 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
 PHP/5.3.1 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
 mod_perl/2.0.4 appears to be outdated (current is at least 2.0.7)
 OpenSSL/0.9.8l appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
 mod_ssl/2.2.14 OpenSSL/0.9.8l PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
 OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
 OSVDB-112004: /cgi-bin/printenv: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
 OSVDB-112004: /cgi-bin/printenv: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
 OSVDB-3268: /config/: Directory indexing found.
 /config/: Configuration information may be available remotely.
 OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
 OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
 OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
 OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
 OSVDB-3268: /icons/: Directory indexing found.
 OSVDB-3268: /docs/: Directory indexing found.
 OSVDB-3092: /CHANGELOG.txt: A changelog was found.
 OSVDB-3233: /icons/README: Apache default file found.
 /login.php: Admin login page/section found.
 /phpmyadmin/: phpMyAdmin directory found
 OSVDB-3092: /.svn/entries: Subversion Entries file may contain directory listing information.
 OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
 /CHANGELOG.txt: Version number implies that there is a SQL Injection in Drupal 7, can be used for authentication bypass (Drupageddon: see https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html).
 /server-status: Apache server-status interface found (pass protected)
 8167 requests: 0 error(s) and 39 item(s) reported on remote host 
 + End Time:           2019-01-24 06:15:35 (GMT-5) (39 seconds)
 1 host(s) tested

• The above tool shows that many of the configuration is not done properly thats why bruteforce attacks can be done easily.
• Some of the versions of the apache, perl are outdated. There are certain HTTP request which can generate sensitive information.
• This information can be used in other hacking activities.
• It also run tool like changme.

cmd> python3 changeme.py -v  --protocols http 192.168.1.105:80
 #####################################################
 _
 | |_   _ _ _ _   _ _   _ _    _
 / _| ' \ / | '_ \ / _ |/  \ '_ ` _ \ / _ \
| (| | | | (| | | | | (| | / | | | | | __/
___|| ||__,|| ||_, |___|| || ||__|
|_/
v1.1
Default Credential Scanner by @ztgrace
#####################################################
Loaded 113 default credential profiles
Loaded 324 default credentials
[06:28:15] Configured protocols: http
[06:28:15] Loading creds into queue
[06:28:15] Fingerprinting completed
[06:28:15] Scanning Completed
No default credentials found
[*] [SMART] Running post-check method "changeme_valid_creds" …
[*] [Vulnscan][Check 05/29] webdav-scan-davscan > Skipped because target's context is not matching
[*] [Vulnscan][Check 06/29] webdav-scan-msf > Skipped because target's context is not matching
[*] [Vulnscan][Check 07/29] webdav-internal-ip-disclosure > Skipped because target's context is not matching
[*] [Vulnscan][Check 08/29] webdav-website-content > Skipped because target's context is not matching

• After scanning target further it shows target context is not matching because this tool detects default backdoor credentials.
• Now scanning with another tool shell shocker which shows if target is vulnerable to exploit.

[>] [Vulnscan][Check 11/29] shellshock-scan > Detect if web server is vulnerable to Shellshock (CVE-2014-6271)
 [?] Run command #01 ? [Y/n/t/w/q] Y
 cmd> python2.7 shocker.py --Host 192.168.1.105 --port 80
 .-. .            .
   (   )|            |
    -. |--. .-.  .-.|.-. .-. .--.   (   )|  |(   )(   |-.'(.-' | -' ' --' -''-`--'' v1.1
Tom Watson, tom.watson@nccgroup.trust
https://www.github.com/nccgroup/shocker
Released under the GNU Affero General Public License
(https://www.gnu.org/licenses/agpl-3.0.html)
[+] 402 potential targets imported from ./shocker-cgi_list
[+] Checking connectivity with target…
[+] Target was reachable
[+] Looking for vulnerabilities on 192.168.1.105:80
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[+] 3 potential targets found, attempting exploits
[+] The following URLs appear to be exploitable:
[1] http://192.168.1.105:80/cgi-bin/printenv
[2] http://192.168.1.105:80/cgi-bin/test-cgi

• The tool shell shocker shows that the target can be exploited using above 2 links. This information can be used in other hacking activities.
• Some times if the tool gots hanged while running press ctrl+c to start further scanning.
• Scanning further shows some of the tools are not supported as shown below.

Category > Exploit
 [*] [Exploit][Check 01/11] jboss-deploy-shell > Skipped because target's context is not matching
 [*] [Exploit][Check 02/11] struts2-rce-cve2017-5638 > Skipped because target's context is not matching
 [*] [Exploit][Check 03/11] struts2-rce-cve2017-9805 > Skipped because target's context is not matching
 [*] [Exploit][Check 04/11] struts2-rce-cve2018-11776 > Skipped because target's context is not matching
 [*] [Exploit][Check 05/11] tomcat-rce-cve2017-12617 > Skipped because target's context is not matching
 [*] [Exploit][Check 06/11] jenkins-cliport-deserialize > Skipped because target's context is not matching
 [*] [Exploit][Check 07/11] weblogic-t3-deserialize-cve2015-4852 > Skipped because target's context is not matching
 [*] [Exploit][Check 08/11] weblogic-t3-deserialize-cve2017-3248 > Skipped because target's context is not matching
 [*] [Exploit][Check 09/11] weblogic-t3-deserialize-cve2018-2893 > Skipped because target's context is not matching
 [*] [Exploit][Check 10/11] weblogic-wls-wsat-cve2017-10271 > Skipped because target's context is not matching
 [*] [Exploit][Check 11/11] drupal-cve-exploit > Skipped because target's context is not matching

• The above tools are not supported as the tools are of different context and target has different functionalities.
• Using another tool wfuzz. Wfuzz is a bruteforcing web application.

cmd> ./wfuzz -c -u http://192.168.1.105//FUZZ -w /home/iicybersecurity/Downloads/jok3r/wordlists/services/http/discovery/opendoor-paths.txt --hc 400,404,500,000
 Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
 
 Wfuzz 2.3.4 - The Web Fuzzer                         * 
 
 Target: http://192.168.1.105//FUZZ
 Total requests: 36942
 ==================================================================
 ID   Response   Lines      Word         Chars          Payload

000431:  C=200    101 L      135 W         1480 Ch        ".svn/all-wcprops"
 000432:  C=200    572 L      151 W         2726 Ch        ".svn/entries"
 000434:  C=200     12 L       61 W          803 Ch        ".svn/prop-base/"
 000435:  C=200     11 L       52 W          667 Ch        ".svn/props/"
 000436:  C=200     25 L      175 W         2455 Ch        ".svn/text-base/"
 000437:  C=200      4 L       39 W          538 Ch        ".svn/text-base/index.php.svn-base"
 000438:  C=200     14 L       76 W         1010 Ch        ".svn/tmp/"
 001959:  C=200    129 L      594 W         5066 Ch        "CHANGELOG.txt"
 001973:  C=200    622 L     5214 W        33107 Ch        "COPYING.txt"
 002936:  C=200    119 L      706 W         4934 Ch        "README.txt"
 004298:  C=302      0 L        0 W            0 Ch        "about.php"
 004948:  C=404     46 L      113 W         1118 Ch        "admin/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector005061:  C=404     46 L      113 W         1118 Ch        "admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector005062:  C=404     46 L      113 W         1118 Ch        "admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connecto005063:  C=404     46 L      113 W         1118 Ch        "admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector006673:  C=404     46 L      113 W         1118 Ch        "all/modules/ogdi_field/plugins/dataTables/extras/TableTools/media/swf/ZeroC007150:  C=404     46 L      113 W         1118 Ch        "apps/trac/pragyan/browser/trunk/cms/modules/article/fckEditor/editor/filema010085:  C=403     44 L      109 W         1122 Ch        "cgi-bin/"
 010087:  C=403     44 L      108 W         1108 Ch        "cgi-bin/awstats.pl"
 011523:  C=200     12 L       61 W          776 Ch        "config/"
 013659:  C=200     11 L       52 W          650 Ch        "docs/"
 013930:  C=404     46 L      113 W         1118 Ch        "dreamedit/includes/FCKEditor_/editor/filemanager/browser/mcpuk/browser.html014071:  C=200     15 L       84 W         1101 Ch        "dvwa/"
 015076:  C=403     44 L      109 W         1122 Ch        "error/"
 015477:  C=200     12 L       60 W          772 Ch        "external/"
 015653:  C=200      1 L        6 W         1549 Ch        "favicon.ico"
 015697:  C=404     46 L      113 W         1118 Ch        "fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx016920:  C=404     46 L      113 W         1118 Ch        "galeria/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder016925:  C=404     46 L      113 W         1118 Ch        "galerie/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder016955:  C=404     46 L      113 W         1118 Ch        "gallery/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder018593:  C=200    167 L     1300 W        18876 Ch        "icons/"
 018642:  C=302      0 L        0 W            0 Ch        "ids_log.php"
 019087:  C=404     46 L      113 W         1118 Ch        "includes/fckeditor/editor/filemanager/browser/default/connectors/asp/connec019088:  C=404     46 L      113 W         1118 Ch        "includes/fckeditor/editor/filemanager/browser/default/connectors/aspx/conne019089:  C=404     46 L      113 W         1118 Ch        "includes/fckeditor/editor/filemanager/browser/default/connectors/php/connec019142:  C=302      0 L        0 W            0 Ch        "index.php"
 019762:  C=404     46 L      113 W         1118 Ch        "ispcp/browser/trunk/gui/tools/filemanager/plugins/fckeditor/editor/filemana020212:  C=404     46 L      113 W         1118 Ch        "js/fckeditor/editor/filemanager/browser/default/connectors/php/connector.ph021551:  C=200     65 L      108 W         1224 Ch        "login.php"
 021667:  C=302      0 L        0 W            0 Ch        "logout.php"
 025961:  C=404     46 L      113 W         1118 Ch        "photo/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.p026010:  C=404     46 L      113 W         1118 Ch        "photos/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.026053:  C=200      4 L       20 W          148 Ch        "php.ini"
 026339:  C=302      0 L        0 W            0 Ch        "phpinfo.php"
 026390:  C=200      0 L        0 W            0 Ch        "phpmyadmin/phpinfo.php"
 026389:  C=200     72 L      206 W         2726 Ch        "phpmyadmin/"
 026673:  C=404     46 L      113 W         1118 Ch        "plugins/fckeditor/fckeditor/editor/filemanager/browser/default/browser.html026675:  C=404     46 L      113 W         1118 Ch        "plugins/p_fckeditor/fckeditor/editor/filemanager/browser/default/browser.ht026676:  C=404     46 L      113 W         1118 Ch        "plugins/p_fckeditor/fckeditor/editor/filemanager/connectors/uploadtest.html028932:  C=200      1 L        4 W           26 Ch        "robots.txt"
 029580:  C=404     46 L      113 W         1118 Ch        "script/jqueryplugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.s029817:  C=302      0 L        0 W            0 Ch        "security.php"
 029987:  C=200     51 L      292 W         2787 Ch        "server-status/"
 029986:  C=200   1253 L     8719 W        120232 Ch       "server-info/"
 030080:  C=404     46 L      113 W         1118 Ch        "servlet/Oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/so030101:  C=404     46 L      113 W         1118 Ch        "servlet/oracle.xml.xsql.XSQLServlet/soapdocs/webapps/soap/WEB-INF/config/so030182:  C=200     80 L      227 W         3549 Ch        "setup.php"
 036787:  C=404     46 L      113 W         1118 Ch        "zenphoto/zp-core/plugins/tiny_mce/plugins/ajaxfilemanager/ajax_create_folde

 Total time: 110.2424
 Processed Requests: 36942
 Filtered Requests: 36874
 Requests/sec.: 335.0979

• The above query tries to find directories, files which are not linked directly. After running above query wfuzz has found ajax, servlets and some plugins.
• This data can be used in other hacking attacks.

As you can see that this tool comprises many small tools which shows many vital information. For scanning further you can following other tutorials

Read More