
PRUTOR

ETHICAL HACKING TASK REPORT

BY Ujjawal Keshri

United College of Engineering and Research, Noida

1st Year

 1. Bypass this login page [Link]


email=abc&password=123

 For bypassing this login page we are going to use Burp Suite on our Kali Linux system.
These are the steps required for this purpose:

 Step 1 : Open Burp Suite in Kali and start a new project.

 Step 2 : Open the login page in Mozilla Firefox (or any browser), start FoxyProxy
and point it at Burp Suite.
 Step 3 : Now enter the given username (given in the hint) and a random password; the
request will be redirected to Burp Suite (Proxy).
 Step 4 : Now right-click the captured request and send it to Intruder. Go to
Intruder, then Positions, select the email position and clear it.
 Step 5 : Go to Payloads and load the wordlist you want to use (use crunch to make
one from the given hints).
 Step 6 : Go to Options, then Grep - Match, and add 'Failed! Please try again!'.
 Step 7 : Start the attack and then look out for the password.
 2. Install Metasploitable, exploit the open FTP port (21) and write a report

 FTP is a service that is commonly used on web servers by webmasters for accessing
files, so it is almost impossible not to find this service on one of our clients' systems
during an engagement. For that reason we will cover in this section a scenario of a
possible attack against the FTP server.

The first thing that we need to do is of course to identify which systems are running the
FTP service (for the needs of this tutorial I have set up only one system). We can do a simple
scan with Nmap in order to find the open ports.

We can see that the FTP port is open. Now the next logical step is to identify which
version of the FTP application is running, using a method called FTP banner grabbing.

Of course we could also use Nmap for discovery of the remote operating system and for
service fingerprinting, but in this tutorial we will not take advantage of that.

Banner grabbing is a technique that someone can use in order to extract information from
applications. For example, if the remote host is a web server, we can try to connect
through telnet; the banner results will give us an indication about the operating system
and the type of the web server (Apache or IIS).

Command: telnet target_IP 80

In order to do banner grabbing on the FTP service we will just try to connect through our
console to the FTP server.
From the above image we can see that the version is 1.3.1 and the operating system is
[Link]. There are many things that we can do from here. First, we can try to find out
whether there is any public exploit for ProFTPD 1.3.1. If there is, then we can launch it
against the FTP service.

If there is no public exploit for the specific version then we can try to find a valid
username and password by using a dictionary attack. We can use any tool like THC Hydra
for this job, but in this article we will see how it could be achieved through Metasploit.

Metasploit Framework has a specific module for attacking FTP. So we will search
Metasploit for the module ftp_login.

Now that we have found the FTP scanner it is time to configure it. Of course we will need
some good wordlists for the usernames and the passwords. If we don't have any, there is
no problem, because Metasploit has a folder with various wordlists. Here we will use the
wordlists that contain Unix usernames and passwords.

We set up the scanner according to the following image and type run in order for
the scanner to start:

The scanner has discovered 3 valid login credentials, as you can see from the next 3 images.
So now we have three valid logins to choose from in order to connect to the FTP server. We
will try the last one, which uses user as the username and user as the password.

We can see that we have successfully managed to log in to the FTP server. Now we can
execute the command ls -lat on the server in order to display the list of the current
directories and subdirectories and the permissions that we have on them.

There are two directories that are important here: the SSH directory, because it may contain
private SSH keys, and the bash_history file, because it keeps a history of all the commands
that the user has executed. For example, you can find information about user
IDs, passwords, confidential file names, locations, server names and shared folders.
We will download the bash_history file to our computer with the command get, as you see
it in the image below:

Apart from the console, for the connection to the FTP server we can also use our
browser. We will try to log in with the same credentials user/user.

After some searching in the directories we have found a directory which contained the
following:

We can see that there are 4 folders: a folder named user, a folder named service and a
folder named msfadmin.
This is an indication that another account exists under the username msfadmin, which probably is an
administrator's account and has more privileges. The reason that we assumed that is because the folder
names are the same as the usernames that we have discovered previously.
The previous accounts had passwords the same as their usernames, so we will try to log in
with the following credentials:

Username: msfadmin

Password: msfadmin

The image above shows that our attempt to log in with the username/password msfadmin
was successful. If the password had been different, we could have tried another dictionary
attack against the FTP server in order to find the password.

So we have managed to log in to the FTP server with an administrator's account.

Conclusions:

There are some conclusions that we can draw regarding this scenario. First of all, the
banner grabbing allowed us to discover valuable information about the FTP server and the
target operating system. This means that if the administrator had changed the FTP banner
then it would have been much harder for us to disclose this information.

In addition we have noticed the weak credentials of the 3 accounts that we discovered.
Also, the administrator's account password is the same as the username. This kind of
account policy is unacceptable in most companies and probably you will not meet
something similar. However, even large organizations are suffering from weak passwords,
so eventually it can happen. It is important for that reason to have a good password
policy.

On the other hand, if a malicious user was trying brute force or dictionary attacks (like in this
scenario) against the FTP server, then it would probably flood the log files. A security
solution that would block the IP address after 3 unsuccessful logins would be the most
effective.
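The lockout rule proposed in the conclusion, applied to the kind of attempts that both the Burp Intruder task and the ftp_login scan above generate, can be checked against server logs. The following is an added example, not part of the original report or of any tool it names; the log line format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real server). The line format
# "<ISO timestamp> client=<IP> user=<name> result=OK|FAIL" is assumed for this example.
SAMPLE_LOG = """\
2024-01-01T10:00:01 client=203.0.113.5 user=root result=FAIL
2024-01-01T10:00:02 client=203.0.113.5 user=admin result=FAIL
2024-01-01T10:00:03 client=203.0.113.5 user=service result=FAIL
2024-01-01T10:00:04 client=203.0.113.5 user=user result=OK
2024-01-01T10:00:05 client=198.51.100.7 user=alice result=FAIL
2024-01-01T10:30:00 client=198.51.100.7 user=alice result=FAIL
2024-01-01T11:00:00 client=198.51.100.7 user=alice result=OK
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


def detect_bruteforce(log_text, threshold=3, window_minutes=5):
    """Replay the log and apply the rule "block a client after `threshold`
    failed logins within `window_minutes`".

    Returns (blocked, suspicious_logins):
      blocked           -> {ip: timestamp of the failure that tripped the rule}
      suspicious_logins -> [(ip, user)] successful logins from a client that had
                           already tripped the rule (a guessed password worked)
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    blocked = {}
    suspicious_logins = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # ignore lines that do not fit the format
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if m["res"] == "OK":
            if ip in blocked:
                suspicious_logins.append((ip, m["user"]))
            continue
        # keep only failures inside the sliding window, then add this one
        failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(failures[ip]) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked, suspicious_logins


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG)[0].items():
        print(f"block {ip} (rule tripped at {when.isoformat()})")
```

A login that succeeds from a client that already tripped the rule is the signal that one of the guessed passwords worked, which is the case the scanner in this section produced.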
 3. Perform blind SQL injection on [Link] and write a
report along with screenshot.

 In union-based SQL injections, we try to modify the existing SQL query in order to
retrieve sensitive information from the database.

STEPS:

 1. Find a vulnerable parameter to break out of the existing SQL query. Enter a
closing quote, " or '. Look out for unexpected behavior of the application. If the
application throws an error, then it might be vulnerable to SQLi.
We will be testing for SQLi on a vulnerable demo site by Acunetix:
[Link]

Log in to the application & examine the interface for any misbehavior on placing an
extra " or '.

Try inserting a quote in the parameter cat.

We get an error on injecting a ', thus the parameter cat could be vulnerable to SQLi.


 2. Let's try inserting an always-true condition such as ' OR 1=1 -- (URL-encoded as
'+OR+1=1 --) in the parameter cat, and look for anything interesting.

Sadly, we did not get any interesting information.

Alternatively, if you know the table and column names (say, users with username & password)
that are used in the database, you can directly use the query ' UNION SELECT username, password FROM users --
to select all the users in the database.

 3. But here, as we don't know the table names, we will start by guessing the
number of columns in the database. Use the query order by 10--. Depending on the
quote used in the DB, modify the request accordingly. Here, we are not getting any
error; this confirms that at least 10 columns exist.

Modify the query to order by 15--.

We get a SQL error, therefore 15 is not the right value.

Now, this says that 10 < no. of columns < 15.

Keep on reducing the value to 14, 13, 12: we still get a SQL error, & as soon as we reach 11,
the error disappears. This confirms that the no. of columns = 11.

Note: Depending on the value accepted by the DB, you may get an error for a number like 10
(integer) if the DB expects a string value. Therefore, you can use NULL or null, which will be
accepted as a valid argument. So, the query for 3 columns will become order by null, null,
null--. Here, to simplify the query, I'm using numbers, as we know it's a valid argument.

 5. Now we know that the number of columns is 11. We will look for the
vulnerable columns that can be read. Use the query union select
1,2,3,4,5,6,7,8,9,10,11--. This will retrieve the details from the vulnerable columns.

Refer to the image below: we got the numbers 2, 7 & 9. Thus, columns 2, 7 & 9 are vulnerable
to SQLi.
 6. Now that we have the vulnerable columns (2, 7, 9), we will use them to retrieve other
info. Firstly, the database name. Use the query union select
1,database(),3,4,5,6,7,8,9,10,11 --. This will reflect the DB name in place of 2. Or use
the query union select 1,2,3,4,5,6,database(),8,9,10,11--. This will reflect the DB name
in place of 7.

We got the database name: acuart.

 7. Now, we will try to get our hands on the table names from the DB acuart. Use the query
union select 1,table_name,3,4,5,6,7,8,9,10,11 from information_schema.tables where
table_schema=database()--. Modify the columns accordingly.

We got the table names in place of 2.

We will be going after the table name users, you know why.

 8. Now we put the values that we have together: our database (acuart) & table
name (users). We will go for the column names. Use the query union select
1,column_name,3,4,5,6,7,8,9,10,11 from information_schema.columns where
table_name='users' --

Voila! We got the columns uname & pass.

Huh! SQL injections are all about guess & try. It could take a lot of trial & error to get that
perfect query.

 9. Finally, we got the table name & column names. Time to dump the credentials. Use the
query union select 1,uname,3,4,5,6,pass,8,9,10,11 from users --. As value 7 is also
vulnerable, we can retrieve details over there. Scroll down to the bottom to view the results.

Finally, we got the credentials of the user: uname: test & pass: test.

 10. In case only 1 parameter (here, value 2) was retrievable, use group_concat to
concatenate the values: union select 1,group_concat(email,':',uname,':',pass),3,4,5,6,7,8,9,10,11
from users --
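The error oracle and the always-true condition used above only work because the cat value is pasted into the SQL text. Below is an added example (not code from the report or from the Acunetix demo site) contrasting that pattern with a type-checked, parameterized lookup; the schema, product rows and function names are constructed for the example.

```python
import re
import sqlite3


# Constructed in-memory stand-in for the demo site's database (assumed schema;
# the real one is not on the page).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, cat INTEGER);
        INSERT INTO products VALUES (1, 'Poster', 1), (2, 'Mug', 2);
    """)
    return db


def vulnerable_lookup(db, cat):
    # The client-supplied value is spliced into the SQL text, so "1 OR 1=1" or
    # "1 order by 15--" run as SQL; that is what produced the oracles in the report.
    sql = f"SELECT id, name, cat FROM products WHERE cat={cat}"
    return db.execute(sql).fetchall()


def safe_lookup(db, cat):
    # 1) Validate the type: cat is a category number, so only ASCII digits pass.
    if not isinstance(cat, str) or not re.fullmatch(r"[0-9]+", cat):
        raise ValueError("cat must be a non-negative integer")
    # 2) Bind it as a parameter: the driver sends it as data, never as SQL syntax.
    return db.execute(
        "SELECT id, name, cat FROM products WHERE cat=?", (int(cat),)
    ).fetchall()


def outcome(lookup, db, cat):
    """Summarise what the client would observe for a given input."""
    try:
        return ("rows", lookup(db, cat))
    except sqlite3.OperationalError:
        return ("db_error", None)   # the SQL error the report used as a column-count oracle
    except ValueError:
        return ("rejected", None)   # input refused before any query runs
```

With the hardened lookup both probes return the same "rejected" result, so an attacker gets no error oracle and no row-count difference to work from.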
 Perform footprinting on the Amazon website using different online information
gathering websites like whois/Netcraft/DNSdumpster etc. and write a
report of what information you found

 Footprinting is the process of collecting as much information as possible about a
target network, in order to identify various ways to intrude into an organization's network
system.

 Footprinting is the first step of any attack on information systems; the attacker gathers
publicly available sensitive information, using which he/she performs social
engineering, system and network attacks, etc., leading to huge financial loss and
loss of business reputation.

For this task we are going to follow these steps:

 Step 1: Go to Google and search for [Link]

 Step 2: Download and install a suitable version

 Step 3: Now, after installing, open the software and do as shown in the figures below

Give a project name and click Next

Now paste the web address which you want to do footprinting on

 Step 4: Now select which information you want from the website

Now click OK and click Next to start footprinting

In Progress…..

After it is finished click Browse Mirror Website; there we will see an identical mirrored
copy of the website
