Introduction to Cyber Security
“It was the storm that would forever change the course of human destiny”
RSA is an asymmetric encryption algorithm.
Encryption: In encryption, we encrypt data in such a way that only the person holding the key can decrypt it. In symmetric encryption the same key is used to encrypt and decrypt; in asymmetric encryption the public and private keys are different. AWS KMS supports symmetric and asymmetric CMKs. Symmetric CMK: represents a single 256-bit secret encryption key that never leaves AWS KMS unencrypted. To use your symmetric CMK, you must call AWS KMS.
Hashing: Hashing is done to ensure data reliability. If we have created a hash of a file and some data in the file changes, the hash changes as well, indicating that the file has been changed or compromised.
A firewall generally works at layer 3 and 4 of the OSI model. Layer 3 is the Network Layer where IP works and Layer 4 is the Transport Layer, where TCP and UDP function. Many firewalls today have advanced up the OSI layers and can even understand Layer 7 – the Application Layer.
Common types of cyber attacks
Malware
Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software. Once inside the system, malware can do the following:
- Blocks access to key components of the network (ransomware)
- Installs malware or additional harmful software
- Covertly obtains information by transmitting data from the hard drive (spyware)
- Disrupts certain components and renders the system inoperable
Phishing
Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine. Phishing is an increasingly common cyberthreat.
Man-in-the-middle attack
Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.
Two common points of entry for MitM attacks:
1. On unsecure public Wi-Fi, attackers can insert themselves between a visitor’s device and the network. Without knowing, the visitor passes all information through the attacker.
2. Once malware has breached a device, an attacker can install software to process all of the victim’s information.
Denial-of-service attack
A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests. Attackers can also use multiple compromised devices to launch this attack. This is known as a distributed-denial-of-service (DDoS) attack.
SQL injection
A Structured Query Language (SQL) injection occurs when an attacker inserts malicious code into a server that uses SQL and forces the server to reveal information it normally would not. An attacker could carry out a SQL injection simply by submitting malicious code into a vulnerable website search box.
Zero-day exploit
A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.
DNS Tunneling
DNS tunneling utilizes the DNS protocol to communicate non-DNS traffic over port 53. It sends HTTP and other protocol traffic over DNS. There are various, legitimate reasons to utilize DNS tunneling. However, there are also malicious reasons to use DNS Tunneling VPN services. They can be used to disguise outbound traffic as DNS, concealing data that is typically shared through an internet connection. For malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the attacker’s infrastructure. It can also be used for command and control callbacks from the attacker’s infrastructure to a compromised system.
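A defender-side view of the exfiltration pattern described above, added here as an example (it is not part of the original notes): it scores resolver log lines per base domain on three indicators of tunnelled data. The log format, the thresholds, the domain names and the function names are assumptions made for illustration; the sample log is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed thresholds for this illustration; tune them against your own resolver logs.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_SUBDOMAIN_LEN = 24
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def split_name(qname: str):
    """Return (subdomain, base domain). Base = last two labels, a simplification;
    production code would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_queries(log_lines):
    """Group queries by base domain and list the tunnelling indicators each one shows."""
    subs = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        _timestamp, _client, _qtype, qname = parts
        sub, base = split_name(qname)
        if sub:
            subs[base].add(sub)
    report = {}
    for base, names in subs.items():
        joined = "".join(name.replace(".", "") for name in names)
        mean_len = sum(len(name) for name in names) / len(names)
        indicators = []
        if len(names) >= MIN_UNIQUE_SUBDOMAINS:
            indicators.append("many unique subdomains")
        if mean_len >= MIN_MEAN_SUBDOMAIN_LEN:
            indicators.append("long subdomains")
        if shannon_entropy(joined) >= MIN_ENTROPY_BITS:
            indicators.append("high entropy")
        report[base] = indicators
    return report


def suspicious_domains(log_lines):
    """A domain is reported only when at least two indicators agree."""
    return sorted(b for b, ind in score_queries(log_lines).items() if len(ind) >= 2)


def constructed_log():
    """Constructed sample: normal lookups, a CDN with many short names, and
    one domain receiving long encoded-looking labels (made from SHA-256 hex)."""
    lines = [
        "2024-01-01T10:00:00Z 10.0.0.5 A www.example.com",
        "2024-01-01T10:00:01Z 10.0.0.5 A mail.example.com",
        "2024-01-01T10:00:02Z 10.0.0.6 A cdn.example.com",
    ]
    for i in range(1, 6):
        lines.append(f"2024-01-01T10:01:0{i}Z 10.0.0.5 A a{i}.cdn.example.org")
    for i in range(6):
        chunk = hashlib.sha256(f"constructed-chunk-{i}".encode()).hexdigest()[:40]
        lines.append(f"2024-01-01T10:02:0{i}Z 10.0.0.9 TXT {chunk}.t.example.net")
    return lines


if __name__ == "__main__":
    for domain, indicators in sorted(score_queries(constructed_log()).items()):
        print(domain, indicators)
    print("suspicious:", suspicious_domains(constructed_log()))
```

Requiring two indicators keeps the busy CDN domain in the sample from being reported on subdomain count alone.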
CIA triad:
Confidentiality
Integrity
Availability
Confidentiality: ensures that access is given only to the intended individuals, e.g. using IAM policies.
Integrity: we need to make sure that the integrity of the data is maintained and that it is not tampered with, e.g. through file permissions and policies.
Availability: data should be available when needed.
Risk: the total loss that can occur due to a cyber attack.
Vulnerability: the issue or bug that makes something more prone to attacks.
Threat: something that can cause harm to our data, network, etc.
SHA: hashing
RSA: encryption/encoding
DDoS mitigation: use scrubbing servers to clean the data before it hits the servers.
TCP 3-way handshake:
SYN
SYN+ACK
ACK
tracert/traceroute: this helps us understand what path a packet takes; it shows all the modems and other devices in its path and whether the packet is being discarded.
Cross-site scripting or XSS
Here a malicious user injects code into a website, which exposes the users of that website to attack.
ARP: Address Resolution Protocol: a protocol for mapping the IP address of a machine to the physical address of the machine.
When a packet comes in to the network, at the gateway, the ARP program looks up the physical address for the IP address mentioned so that the packet can go to the expected machine. It first looks in the ARP cache; if the address is not found there, ARP sends a request packet to all the machines to check whether any of them recognises the mentioned IP address.
DORA process in DHCP (discovery, offer, request, and acknowledgement)
The DHCP operates based on the client–server model. When a computer or other device connects to a network, the DHCP client software sends a broadcast query requesting the necessary information. Any DHCP server on the network may service the request. The DHCP server manages a pool of IP addresses and information about client configuration parameters such as default gateway, domain name, the name servers, and time servers. On receiving a request, the server may respond with specific information for each client, as previously configured by an administrator, or with a specific address and any other information valid for the entire network and for the time period for which the allocation (lease) is valid. A client typically queries for this information immediately after booting,
DHCP process goes through 4 stages while assigning an IP address to the client. These stages are often abbreviated as DORA for discovery, offer, request, and acknowledgement.
DHCP discovery
The client broadcasts messages on the network subnet using the destination address 255.255.255.255 or the specific subnet broadcast address.
DHCP offer
When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address lease request, the server reserves an IP address for the client and makes a lease offer by sending a DHCPOFFER message to the client. This message contains the client’s MAC address, the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.
DHCP options
1 (subnet mask): 255.255.255.0
3 (Router): 192.168.1.1
51 (IP address lease time): 86400s (1 day)
54 (DHCP server): 192.168.1.1
6 (DNS servers): 9.7.10.15, 9.7.10.16, 9.7.10.18
DHCP request
In response to the DHCP offer, the client replies with a DHCP request, broadcast to the server, requesting the offered address. A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer. Based on required server identification option in the request and broadcast messaging, servers are informed whose offer the client has accepted. When other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the offered address to the pool of available addresses.
DHCP acknowledgement
When the DHCP server receives the DHCPREQUEST message from the client, the configuration process enters its final stage. The acknowledgement stage involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the IP configuration process is completed.
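The options listed under the DHCP offer travel as code/length/value records after a 4-byte magic cookie. The parser below is an added example, not part of the original notes: it decodes a constructed DHCPOFFER options field carrying the values from the list above, and rejects truncated input. Option 53 (message type), which tells the four DORA messages apart, is not in the list above and is included here as an assumption about the offer; all function and field names are illustrative.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # marks the start of the options field
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
NAMES = {1: "subnet_mask", 3: "routers", 6: "dns_servers", 54: "server_id"}


def ip_list(data: bytes):
    """Decode a run of 4-byte IPv4 addresses."""
    if not data or len(data) % 4:
        raise ValueError("address option must hold one or more 4-byte addresses")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]


def decode(code: int, data: bytes):
    """Turn one option into a (name, value) pair; unknown codes stay as raw bytes."""
    if code in (1, 54):
        if len(data) != 4:
            raise ValueError(f"option {code} must be exactly 4 bytes")
        return NAMES[code], ip_list(data)[0]
    if code in (3, 6):
        return NAMES[code], ip_list(data)
    if code == 51:
        if len(data) != 4:
            raise ValueError("lease time must be exactly 4 bytes")
        return "lease_seconds", struct.unpack("!I", data)[0]
    if code == 53:
        if len(data) != 1:
            raise ValueError("message type must be exactly 1 byte")
        return "message_type", MESSAGE_TYPES.get(data[0], f"unknown({data[0]})")
    return f"option_{code}", data


def parse_dhcp_options(field: bytes) -> dict:
    """Walk the code/length/value records until the end marker (255)."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    parsed = {}
    i = 4
    while i < len(field):
        code = field[i]
        if code == 0:            # pad option: a single byte with no length
            i += 1
            continue
        if code == 255:          # end option
            return parsed
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:  # never trust the declared length
            raise ValueError(f"option {code} is truncated")
        name, value = decode(code, data)
        parsed[name] = value
        i += 2 + length
    raise ValueError("options field has no end marker")


def opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def ip(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


# Constructed DHCPOFFER options using the values from the list above.
SAMPLE_OFFER_OPTIONS = (
    MAGIC_COOKIE
    + opt(53, b"\x02")
    + opt(1, ip("255.255.255.0"))
    + opt(3, ip("192.168.1.1"))
    + opt(51, struct.pack("!I", 86400))
    + opt(54, ip("192.168.1.1"))
    + opt(6, ip("9.7.10.15") + ip("9.7.10.16") + ip("9.7.10.18"))
    + b"\xff"
)

if __name__ == "__main__":
    for name, value in parse_dhcp_options(SAMPLE_OFFER_OPTIONS).items():
        print(f"{name}: {value}")
```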
Blogs and Docs to remain updated
What is a threat?
A threat refers to a new or newly discovered incident that has the potential to harm a system or your company overall
What is a vulnerability?
A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to succeed.
For example, when a team member resigns and you forget to disable their access to external accounts, change logins, or remove their names from company credit cards, this leaves your business open to both intentional and unintentional threats. However, most vulnerabilities are exploited by automated attackers and not a human typing on the other side of the network.
What is risk?
Risk is defined as the potential for loss or damage when a threat exploits a vulnerability. Examples of risk include:
- Financial losses
- Loss of privacy
- Damage to your reputation
- Legal implications
- Even loss of life
Risk can also be defined as:
Risk = Threat x Vulnerability
Reduce your potential for risk by creating and implementing a risk management plan. Here are the key aspects to consider when developing your risk management strategy:
- Assess risk and determine needs. When it comes to designing and implementing a risk assessment framework, it is critical to prioritize the most important breaches that need to be addressed. Although frequency may differ in each organization, this level of assessment must be done on a regular, recurring basis.
- Include a total stakeholder perspective. Stakeholders include the business owners as well as employees, customers, and even vendors. All of these players have the potential to negatively impact the organization (potential threats) but at the same time they can be assets in helping to mitigate risk.
- Designate a central group of employees who are responsible for risk management and determine the appropriate funding level for this activity.
- Implement appropriate policies and related controls and ensure that the appropriate end users are informed of any and all changes.
- Monitor and evaluate policy and control effectiveness. The sources of risk are ever-changing, which means your team must be prepared to make any necessary adjustments to the framework. This can also involve incorporating new monitoring tools and techniques.
New Types of Threats
- Scareware: These are not actually threats, but they make us believe something malicious is present so that we install specific software to tackle the "threat" and end up paying for that software.
- Potentially Unwanted Programs (PUPs): These are programs that the user mostly downloads intentionally, or that come bundled with other apps, and that can be used to steal information. Antivirus and other software might not detect them as threats since they tend to appear to serve a legitimate purpose, which makes them highly insecure.
- Doxing: Making private information public by researching the person and looking into their history, IP address, location, browser history, or using any other method to get the information.
- Cryptocurrency miners: These miners can be delivered through multiple channels to systems such as mobiles and PCs, and they then use the computing power of the device to mine bitcoins and profit from that. Even Telegram messages can carry such scripts; even YouTube was caught doing this.
Five Eyes
The governments of the countries below have an agreement to collect and share intelligence, which basically means each government actively looks into personal info/PCs and has agreed to share this intel with the other countries: (CAN-US-UK)
- Australia
- Canada
- New Zealand
- United Kingdom
- United States of America
So these countries monitor each other’s citizens and share intel with each other. The Five Eyes group also works with the Nine Eyes group and the Fourteen Eyes group.
Nine Eyes:
- Denmark
- France
- Netherlands
- Norway
Fourteen Eyes
- Belgium
- Germany
- Italy
- Spain
- Sweden
Encryption
- Encryption consists of 2 parts, algorithm and key.
- The encryption algorithm is like a padlock that locks the data, and the key is like the key that opens the padlock.
- Encryption options are 256-bit AES, 128-bit AES and legacy (Zip 2.0). The bigger the number in front of the algorithm, the better the encryption, and the better the encryption, the slower it gets. So a more secure algorithm will take more time.
- AES (Advanced Encryption Standard) is a symmetric algorithm: the password becomes the key, and the number of bits, i.e. 128 or 256, is called the bit rate or key space.
- If you encrypt the files with the public key, you will need the private key for decryption, and vice versa.
Asymmetric Vs Symmetric Encryption
- If ServerA sends data to ReceiverA, ServerA can use the public key of ReceiverA to encrypt the data, and since only ReceiverA has the matching private key, only ReceiverA will be able to decrypt it. This ensures confidentiality but not authentication: the receiver gives its public key to everyone, so the receiver cannot know which particular server encrypted the data. Using the private key to decrypt data provides confidentiality and privacy since no one else can decrypt the data.
- However, when the private key is used to encrypt the data, only the specific server that holds the private key can produce data that decrypts with the public key. In this case the sender is authenticated, because only ServerA can send this encrypted data; however, since the public key at the receiving end is public, anyone can use it to decrypt the data, hence confidentiality is compromised.
- Cryptosystems can provide a number of security properties by combining the power of the above two, so that the data is confidential, authenticated and non-repudiable, and the integrity of the data is maintained. PGP is kind of like this.
- Asymmetric algorithms are slower, require more compute and are highly secure; for this reason the numbers in front of these algorithms are also higher, e.g. 1024-bit RSA is equal in strength to 80-bit symmetric keys.
- Asymmetric: better key distribution, scalability, authentication and non-repudiation; slow and mathematically intensive
- Symmetric: fast, strong
- HTTPS using TLS is an example of a hybrid system
Hash Functions
- Hash functions and digital signatures allow us to ensure the legitimacy of the keys being sent, since a small change in the data results in a change in the output hash, confirming that the data was tampered with.
- The returned hash strings are of fixed length and are called hashes, data digests or digests.
- One-way hash function: the output of the hash function, i.e. the digest/hash, cannot be converted back into the original data. Because the data cannot be obtained from the digest, the digest only serves to ensure data integrity: any change in the original data will change the output digest.
- Hash functions: MD2, MD4, MD5, HAVAL, SHA, SHA-1, SHA-256, SHA-384, SHA-512, Tiger
- MDA is weakest; use SHA-256 or SHA-512 instead.
Digital Signatures
- In digital signatures, the sender first uses a hashing algorithm to create a hash, and then the sender, let’s say Google, encrypts this hash value using its own private key. The encrypted hash value is the digital signature.
- At the receiving end, you receive this digital signature, then use the sender’s public key to decrypt it and get the expected unencrypted hash value. This hash value is then cross-checked to verify the integrity of the certificate and the sender.
- So if we have a Chrome setup file, the certificate ensures that there has been no change in the software after it was published, and also that the software actually comes from the named software publisher.
SSL and TLS
- SSL is older than TLS and less secure than TLS, so the two should not be mentioned together; they are different technologies
- TLS can be used in HTTPS, VPC, FTP, etc.
- TLS is most used encryption method on internet
- It provides privacy since it encrypts data and data integrity because it uses message authentication codes (MACs) when communicating between applications.
- TLS creates end to end encryption of the connection between applications
- The connection is encrypted because a symmetric algo such as AES is used to encrypt the data being transferred. The keys are uniquely generated at the start of the session for the connection
- We can enable authentication of the connection between the two parties, this is done using public key cryptography, certificates and digital signatures.
- If communication is happening over TLS 1.2 or lower and the session key in use is compromised, all of that communication can be decrypted by the attacker. However, TLS 1.3 uses Diffie-Hellman (DHE-RSA), which provides forward secrecy: the connection is encrypted with a new, unique key for each session, so if a key is compromised in one session, it is only a short-term (temporary) key and the next session will use a new one, which makes the connection more secure.
- SSL 1 -> SSL 3.0 -> TLS 1.0 -> TLS 2.0 -> TLS 3.0
- Cipher suites are sets of instructions on how to secure a network through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). As such, cipher suites provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP and other network protocols.
- Each protocol and version is vulnerable to different attacks, so always keep the system and browser updated, and try to connect to servers offering a higher TLS version (TLS 2 or 3)
SSL Stripping (Man in the middle attacks)
- In SSL stripping, the attacker acts as a proxy between you and the actual server, which were supposed to be connected through HTTPS. The attacker changes the HTTPS connection to an HTTP connection.
- Basically, when we request fb.com, an HTTP request goes to the server. Let’s assume the attacker is between our browser and the server. The request goes from our browser towards the server as HTTP, and the attacker in between just passes this request on to the server. The server then responds with an HTTPS connection, but that HTTPS connection is actually established between the server and the attacker. So all the requests from the browser go through the attacker to the server that owns the website, and when the website responds, the response is first received by the attacker in the middle. The attacker can then choose to manipulate or copy this data before sending it on to our browser. This is SSL stripping, a kind of man-in-the-middle attack. If this is happening, we as the client will observe the connection to be HTTP instead of HTTPS, since it is being stripped in the middle. To avoid this, use VPNs.
- These types of attacks generally happen when we use public Wi-Fi, since there are people in the middle managing the network.
- ARP poisoning (also known as ARP spoofing) is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the pairings in its IP-to-MAC address table. The ARP protocol translates IP addresses into MAC addresses. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. … Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. So basically the packets that were coming in for my PC are now being sent to the ARP attacker, because the router thinks that the attacker’s MAC address is the real MAC address and maps the requests to it, so basically your public IP is now owned by the attacker.
- To avoid this, use tunneling such as SSH, or use a VPN which uses IPsec, or any end-to-end encryption.
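A detection-side check for the ARP poisoning described above, added here as an example and not part of the original notes: it compares two snapshots of a host's ARP cache (in the `arp -an` output format of Linux net-tools) and reports an IP address whose MAC changed and a MAC that answers for several IPs. The addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches lines such as: ? (192.168.1.1) at 08:00:27:aa:00:01 [ether] on eth0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) "
)


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac}. Unresolved '<incomplete>' entries do not match and are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group("ip")] = match.group("mac").lower()
    return table


def find_arp_anomalies(baseline: dict, current: dict, gateway_ip: str):
    """Compare a trusted baseline with the current cache and return (severity, message) pairs."""
    alerts = []
    # 1. An IP that now resolves to a different MAC than in the baseline.
    for ip_addr, mac in sorted(current.items()):
        known = baseline.get(ip_addr)
        if known and known != mac:
            severity = "CRITICAL" if ip_addr == gateway_ip else "WARN"
            alerts.append((severity, f"{ip_addr} moved from {known} to {mac}"))
    # 2. One MAC claiming several IPs, the usual footprint of a host in the middle.
    by_mac = defaultdict(list)
    for ip_addr, mac in current.items():
        by_mac[mac].append(ip_addr)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("WARN", f"{mac} answers for {', '.join(sorted(ips))}"))
    return alerts


# Constructed snapshots: in the second one the gateway's entry carries the MAC of 192.168.1.20.
BASELINE_OUTPUT = """\
? (192.168.1.1) at 08:00:27:aa:00:01 [ether] on eth0
? (192.168.1.20) at 08:00:27:aa:00:14 [ether] on eth0
? (192.168.1.30) at 08:00:27:aa:00:1e [ether] on eth0
"""
CURRENT_OUTPUT = """\
? (192.168.1.1) at 08:00:27:AA:00:14 [ether] on eth0
? (192.168.1.20) at 08:00:27:aa:00:14 [ether] on eth0
? (192.168.1.30) at 08:00:27:aa:00:1e [ether] on eth0
? (192.168.1.40) at <incomplete> on eth0
"""

if __name__ == "__main__":
    alerts = find_arp_anomalies(
        parse_arp_table(BASELINE_OUTPUT), parse_arp_table(CURRENT_OUTPUT), "192.168.1.1"
    )
    for severity, message in alerts:
        print(severity, message)
```

A legitimate hardware replacement also changes a MAC, so an alert is a prompt to verify the device, not proof of an attack.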
Digital Certificates
- X.509 is a standard that defines the format of public key certificates
- The digital signature basically confirms that the public key and the certificate being used in the HTTPS connection are valid and original.
- A digital signature is a hash value that has been encrypted (with the issuer’s private key)
- The RSA public key that is provided by the CA is first used to decrypt the digital signature and obtain the unencrypted hash value
- digital certificate with SSL not clear
Working of SSL and Https
- ServerA, e.g. google.com, will have 2 keys, one public and one private. ServerA, which owns the website being requested, will send its public key to us, but we need proof that the server that has sent this public key is actually that server.
- For verifying the public key of the server, we need SSL certificates. Basically the server will reach out to a CA, let’s say DigiCert, to sign its public key and issue an SSL certificate for it. After verification using the email/DNS method, the CA issues a certificate stating that the presented public key is indeed Google’s.
- The SSL certificate is basically the public key turned into its hash. This hash is encrypted with the CA’s own private key, and since our browser has the CA’s public key, which is pre-stored in browsers, our browser is able to decrypt the SSL certificate with it.
- After decrypting the SSL certificate, the browser obtains the hash to verify the integrity and also gets the expected public key.
- Now our own browser and computer will have a pair of symmetric keys that will be used for communication. But our own key is very private, so we use the server’s public key that we received to encrypt the customer’s key and send this encrypted customer’s key to the server. Since the server has its own private key, the server will use the private key to decrypt the customer’s public key and now use the customer’s public key to encrypt the data and send it.
- https://www.youtube.com/watch?v=33VYnE7Bzpk&ab_channel=SunnyClassroom
- These CAs can issue a certificate for Google to someone who might not actually be google.com; this happened with Symantec in 2015, causing it to sell to DigiCert in 2018 due to mistrust by Google and Mozilla.
- Certificate pinning is a process in which we pin a specific certificate’s public key, and any other public key presented, i.e. any new certificate, is shown as not secure. It is used on banking sites.
- One solution is to use a VPN, since that will route the traffic out of the scope of the compromised network and the man in the middle is skipped. So if someone was earlier presenting a fake certificate, this time they won’t be encountered.
- The best way here is to use end-to-end encryption. In that case everyone’s traffic looks the same in transit, which gives high security, as in the Signal app.
Steganography
- In steganography, the message is hidden in some other form that is not visible to the eye, such as a hidden message in a picture of a dog.
- The agent that carries the message is called the carrier. A carrier can be a picture, audio, video, anything.
- The data is not encrypted but just hidden; they do this by comparing the new message with the old message.
- If we use these carriers for hidden messages, we cannot upload them anywhere they are compressed, since that will cause loss of the message. Rather, send them by email to avoid compression.
- Some tools use steganography with encryption, which is better. OpenPuff is used for creating such messages on Windows.
- In OpenPuff, we can use a decoy password to show fake results instead of the actual text.
Security works on the weakest-link phenomenon: the weakest aspect of your connection is where you’ll be attacked, so the stronger your weakest link is, the stronger your security will be. Attackers would rather just do key logging than brute force a password since they
Hardware Address
- Every piece of hardware has a hardware identifier number that can be traced to the actual hardware on the network, such as 08:00:27:2e:5b:59
- The MAC address is one of these unique numbers, which can be used to trace back to our hardware, so the MAC address should be kept safe
- aa:bb:cc:dd:ee:ff -> aa:bb:cc => this part gives the identity of the manufacturer, so an Apple laptop will have the ID of Apple. The last 3, dd:ee:ff, are the unique identifier of your device. These last 3 are important to keep safe.
- We can use MacChanger to change the MAC address of our device and protect our identity.
Isolation
- Isolation is a technique through which we ensure that our actual details, such as MAC address, motherboard/HDD serial number etc., remain undisclosed to adversaries
- There can be hardware- and software-based isolation
- We can use software isolation by installing software which changes our MAC address, i.e. physical address
- If a hardware serial number is compromised, it is a big issue: we can change everything else, but if someone knows the hardcoded device serial numbers, they will always be able to track back to your device.
- However, there are tools to change these hardware IDs
- A better solution is to use virtual machines, since they can spoof these serial numbers.
- Sandboxing is an excellent isolation technique. Basically you can use an on-prem or cloud-based app to launch files/software in a sandbox environment. This allows your file to work as expected, and after you delete the sandbox, no risk reaches your system from the sandbox.
- Mac has an inbuilt sandbox called Seatbelt. It was introduced in 2006. To use Seatbelt, you have to create a configuration file for the apps that are to be run. These configuration files list all the things the app is permitted to do.
Kali
Kali/Linux shortcuts
- Kill: Ctrl + C
- Stop / Suspend: Ctrl + Z (this doesn’t kill the process but just suspends it; it can be brought to the foreground and resumed again). Use the ‘fg 1’ command to bring it to the foreground.
- Tab: to autocomplete commands
- Cut the line: Ctrl + K
- Paste the line: Ctrl + Y
- Cursor to end: Ctrl + E
- Cursor to beginning: Ctrl + A
Directories in Linux/Kali
- / is the ‘root’ directory from where all the rest of the directories span out. Below / ‘root’ comes :
- /bin: this contains all the programs that we execute as commands, such as bash, cat, grep, echo etc., i.e. all the Linux commands, since they are actually just programs
- /etc: contains all the configurations that we set, such as SSH configurations. So to make changes in someone’s SSH configuration, go to this directory.
- /home: this contains all the users and user-related information
- /sbin: this directory also contains binaries, but these are system binaries; making changes to them usually requires root privileges, and the files that reside here are generally used to configure or make changes to the system/OS.
- /tmp: contains temporary files and folders; we can dump data here and later come back and delete these files
- /root: this is the ‘root home’ directory inside ‘/’, i.e. the main directory. This is home for the root user, since root does not have a folder inside ‘/home’, and only if you have root access will you be able to access ‘/root’ inside ‘/’.
- mkdir -p: use mkdir -p /tmp/folder1/folder2/folder3; this will make 3 folders one inside another so we don’t have to execute mkdir 3 times. This is the advantage of using the ‘-p’ option, which refers to parent.
- ls -al: -a means to show hidden and ‘l’ is for long listing
- cp -r [files] [destination]: this copies all the files from [files] to [destination] along with the directories, since -r is used for recursive copying.
- cp -i: this will prompt if files are being overwritten; otherwise it doesn’t ask. -i means interactive.
- mv [source] [destination]: since Linux doesn’t have a command to rename a folder, we use the move command, i.e. mv.
- rm -rf : remove files recursively and forcefully
- apt-cache search: to search for a specific package
- apt-cache show: shows information about the package
- apt-get install: install package
- apt-get remove : removes the package
- dpkg -l : list all the packages installed on server
- apt autoremove: removes any installed/broken packages
- tar c: tar is archive tool. tar c is used to create archive
- tar r: append to archive
- tar t : list contents of archive
- tar x : extract archive
- tar v : verbose
- tar f file : file to use
- tar cf backup.tar *: this will create an archive named backup.tar from all the files in the current directory
- netstat -antp: -a is for all results, -n is to use numerical addresses, -t is for TCP and -p is for the name of the program. This command shows all the programs running on your machine and communicating with different IPs
- cat /etc/passwd: see a list of users
- cat /etc/shadow: see encrypted passwords
- w: show who is logged in and what they’re doing
- adduser tom: adds a user named tom along with a home directory for tom. While creating the user, a group with the same name is also created. So when we use this command, 3 entities are created: the user, the group and the user’s home folder inside the /home directory.
- userdel tom: deletes the user named tom
- useradd tom: doesn’t create a home directory for tom; only the user and group are created
- addgroup cats: creates a new group cats
- delgroup cats: deletes group
Linux user permissions
- + : add permissions
- – : remove permissions
- = : make this the only permission
- u : user
- g : group
- o : other
- a : all
- chmod ugoa + – = rwx filename: this is the syntax of chmod, which is used to give permissions to users and make files executable. The ugoa part selects user/group, +-= decides how the permissions are applied and rwx is the permissions to be given.
- chmod u+x file1: make file1 executable for the owner
- chmod a+rw file1: for all [a], add [+] the read [r] and write [w] permissions on file1.
Process
- ps: list processes
- ps -f: list processes with full formatting
- ps -e: list all processes
- kill [pid]: kills the process whose pid you mentioned.
- command &: run command in the background
- jobs: list of jobs running in the background
- fg [n]: foreground job number [n]
- ctrl + d: detach from shell and run in background, so even if you close the terminal, the process will still be running in the background.
- nohup command &: run command in the background even if the session/shell is terminated
Bind Shell
In this case we upload a script via the upload options of the website. Now that the script is inside, we try to locate it on the server and send commands to it, e.g. http://192.168.0.100/files/uploads/?cmd:start nmap
The above command is run against a file inside the uploads folder of the webserver, which we hope holds our script, and our script allows us to run commands in this way. We try to start a service on the webserver which would allow us to run commands.
We use netcat with -e to attach a shell to a port and let it listen for commands on that port; we then connect to the port and send commands remotely.
The problem is that any firewall will detect the connection and end it, since it was started from outside to inside.
Reverse Shell
- A reverse shell is the solution to the issue with the bind shell: it starts the shell connection from the attacked device, so that the firewall treats it as genuine since it was the device that started the connection.
- Instead of netcat listening on a port on the attacked machine, a shell connection is established from the attacked device to the attacker.
Backdoor and Command Execution
- Some websites allow us to enter a command-like input and hit enter, such as a ping check or converting a file into something. We can send a command and see if the site accepts commands other than the one it is meant to return results for.
Ex: “convert this to english” && ping google.com
Ideally ping google.com should not work, but if the site is not configured correctly, even ping google will work. We will now exploit this by issuing commands to upload a payload from our Kali machine; this payload is configured in such a way that once uploaded, another command will make it run, and this will open a backdoor on the machine. Our Kali machine will then establish a connection with this backdoor and perform malicious tasks.
We can upload this payload in other ways, or maybe find a way for the user to run it; there are many ways to get the payload inside the machine and have it executed, which opens a backdoor, and Kali uses this backdoor for malicious activities.
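Why the chained input in the example above is accepted, and how the server side closes it: the code below is an added illustration, not part of the original notes. `echo` stands in for the site's real ping/convert tool so that it runs offline; the function names and the hostname allow-list are assumptions.

```python
import re
import subprocess

# Allow-list for the only input this feature should accept: a plain hostname.
# It must start with a letter or digit, which also blocks values such as "-n"
# that the tool would read as an option.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def check_host_vulnerable(host: str):
    """Vulnerable pattern: one string handed to the shell, so '&&', ';', '|'
    and '$()' inside host are interpreted as shell syntax."""
    cmd = "echo checking " + host  # 'echo' stands in for the real tool
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5)
    return done.stdout.splitlines()


def run_without_shell(host: str):
    """No shell is involved: host is a single argv element and is never parsed."""
    done = subprocess.run(
        ["echo", "checking", host], capture_output=True, text=True, timeout=5
    )
    return done.stdout.splitlines()


def check_host_hardened(host: str):
    """Validate against the allow-list first, then run without a shell."""
    if not HOSTNAME.fullmatch(host):
        raise ValueError("rejected: not a plain hostname")
    return run_without_shell(host)


# Constructed input with a harmless second command.
CHAINED_INPUT = "google.com && echo INJECTED"

if __name__ == "__main__":
    print("vulnerable :", check_host_vulnerable(CHAINED_INPUT))
    print("argv only  :", run_without_shell(CHAINED_INPUT))
    try:
        check_host_hardened(CHAINED_INPUT)
    except ValueError as err:
        print("hardened   :", err)
    print("hardened   :", check_host_hardened("google.com"))
```

In the vulnerable version the second command produces its own output line; in the argument-list version the whole input is treated as one literal string, and the allow-list rejects it before anything runs.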
Working with Payloads
- Often, after using the exploit on a particular service, even though Nessus shows the service as vulnerable and exploitable, the exploit doesn’t work. It shows “Exploit completed but no session was created”. This happens because our payload might have failed. In such a case, after selecting the exploit, choose “show payloads”, and from the options we can choose a simple one such as “cmd/unix/reverse”.
- “cmd/unix/reverse” usually works well and is able to create a session when the exploit completes. This uses the reverse shell explained above, which is not blocked by firewalls since, in the case of a reverse shell, the shell connection is started from the attacked machine to the attacker machine.
- Run the command ‘$ set payload “cmd/unix/reverse” ‘; now if you show the options of the exploit, the configurable options will be different since we are using a different payload.
- Once this new payload is selected, when you ‘run’ after configuring the exploit, a connection will be established after the exploit completes.
After Gaining access
- After the exploit works and gives us the reverse shell, there are certain post-exploit activities that need to be done.
- We can start with privilege escalation by trying to hack into other roles and users on that system
- Or we can run a service scan; this scan will also show us services running locally, since from outside a locally running service is not shown. Then, one by one, scan/search the packages and find vulnerable ones, or maybe the ones which can be made public, and exploit them.
- We can exploit a Python package to create a reverse session with our Kali machine