Simplifying cyber security since a
August 2020 Edition 3 Issue 8 A Unique Cyber Security Magazine
aie
HACKING A TARGET ON ANOTHER NETWORK
WITH YOUR ATTACKER SYSTEM BEHIND A
ROUTER
PRIVATE BROWSING : WHAT IT DOES AND
WHAT IT DOESN'T
TOOL OF THE MONTH : LINUX SMART
NUL Sa reUele)N|
PAV UN) nT terete Tm ete] getsThen you will know the truth and the truth will set you free.
John 8:32
Editor's Note
Hello aspiring ethical hackers. Hoping you are all awesome and safe. We
jare releasing our August 2020 Issue with lot of excitement. Since our May 2020
issue, Our readers have been learning about hacking in different Real World Sc}
-enarios. In our May 2020 Issue, we covered a real world scenario where a web)
\server is behind the router with port 80 accessible to external network. In our
\June 2020 Issue we covered a real world scenario which involves lateral move-
\ment over the hacked network. In our July 2020 Issue, we have covered how a
\simple router mis configuration can expose the internal network to the internet
jand can be hacked.
In this Issue, our readers will see a most common real world scenario.
\Many a times we find our attacker system behind a router. So in this month's
IRWHS, we will place the attacker system behind a router in a LAN and hack a
\system that is on a different network (internet). It is very simple to configure a
\reverse shell when while both attacker and target system are on the same netw
-ork but when the target is on a different network and the attacker system is be-
bye a router, configuration changes. This is one of our favorite scenario as ma-
y of the cyber security students have this doubt as how to hack when they are
ehind a router.
With this scenario, we will be covering full circle some of the most common
\real world scenarios. We will be moving over to other scenarios from the next
Issue. Apart from this, other regular features are present. We are sure our read-|
lers will like this Issue. That's all we have for now. Until the next issue, Good
|Bye. Thank You. Stay Home, Stay Safe.
chchakrauanthe
“tt HACKER IS SOMEONE WHO USES A COMBINATION OF HIGH-TECH CYBERTOOLS AND
‘SOCIAL ENGINEERING TO GAIN ILLICIT ACCESS TO SOMEONE ELSE'S DATA.”
~ JOHN MCAFEEINSIDE
See what our Hackercool Magazine August 2020 Issue has in store for you
1. Real World Hacking Scenario :
When Attacker system is behind a router.
2. What's New :
Kali Linux 2020.3 and Parrot OS 4.10.
3. Metasploit This Month :
Drag & Drop Upload RF, Xshell and XFtp password gather & more modules
4. Capture The Flag :
Green Optic : 1.
5. Tool Of The Month :
Linux Smart Enumeration.
6. Installit :
Install Z shell in Kali.
7. Hacking Q&A:
Answers to some of the questions our readers ask about ethical hacking.
8. Online Security :
Private Browsing : What does it do and what it doesn't.
Some Useful ResourcesREAL WORLD HACKING SCENARIO
i, 'm Hackercool. Today | am gonna show you a scenario where our attacker system is beh
ind a router and obviously the target is on another network. My router is an ipfire router with
RED+GREEN configuration and the administrator credentials are "admin:iloveyou' . Just like
any common router configuration, this configuration allows all the devices in the LAN to acce
ks internet while protecting them from external connections. Needless to say, my attacker
achine is Kali Linux. Let me check the internal IP address of my machine.
Pree yy
eaten Ce eee eee eee oe Be ecco)
oo
Link/Loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Mera Rey eee rat)
theories RU er
inet6 ::1/128 scope host
valid_lft forever preferred_1ft forever
Pa ae Cos com at te a eC Reem eae eer
cee
ROT re er
3: eth1: mtu 1500 qdisc pfifo_fast state UP group defau
tater)
COU a rere ee Rr
inet 192.168.66.6/24 brd 192.168.66.255 scope global dynamic noprefixroute eth1
Riscecet cca cor meotrs
Aree Pe rune eer rae)
Pitre rer rm eee
he IP of my machine is 192.168.66.6. | am interested in one target IP 172.28.12.22. | chang
ed the /etc/hosts as following before | start the hack.GNU _nane
ra psu
127.0.1.1 pave!
Pct eres CTT
Cette set crn
Coreetreytrry
ee teat iet sy
ll perform a Nmap scan on the target
kaliakaliz~$ nmap ~sV 172.28.128.22
Starting Nmap 7.80 ( https: //nmap.org ) at 2020-08-27 10:48 EDT
ce eee eter
Host is up (@.011s Latenc
eae est esd
a eo
ei a Ae CUCL SUP mC crcl aD)
Ce eons ee ete at ee RC STS)
A Uns ss eee)
8080/tcp open http Apache httpd 2.4.38 ((Debian))
Ct ues est eR SEL)
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:1inux:linux_kernel
Service detection performed. Please report any incorrect results at https: //nmap.org/subm
ny]
ee eae RUE eee cor
PAE Ses |
[There are four web services running on ports 80,8000,8080 and 8081 along with a SSH serv
er on the target. | opened all these webpages in the browser.
|The website on port 80 is displaying a simple text "HELLO User!"
lit seems the site on port 8000 is also being redirected there.
[The site on port 8080 is displaying a plain page@-ce =
ite running on 1 is displaying a these rabbit holes? |
eed to run nikto on all the four ports.
Perce eure ee
Pee ee)
Pca Piper erred
Sra ee Cet ier
ea
Poet art? 55:38 (GMT-4)
Server: Apache/2.4.38 (Debian)
eset ear te ees
kee ee UO Ue ee)
Pee ee ed
eee a On ar eee CC Rien emo
Cae eeu erro eres noes sr
No CGI Directories found (use '-C all’ to force check all possible dirs)
CO eee nae re eee
Pt oer On week Trier ers
crest PU ree Ce eer)
1 host(s) tested
tunning nikto on port 80 gave me noth
Tee eee)
Pre ee)
ieee Peet erry
cre eect ier)
be tiiaadd cr
Peraaetd pote eral
Server: Apache/2.4.38 (Debian)
eeeestcs Rage Ce ees
eee ee tr ee ees ee ee eon
eer eee ee cd
ee meee Ce eee eR CC Re ee
Cae Ue ere ee stier ee ary
+ Root page / redirects to: http: //typo.local
+°Wo CGY Directories found (use '-C all” to force check all possible dirs)
emcees rc st herman Co err or)
Sname=Members_Listéfilesindex: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scri
pting (xSS). http://w .cert.org/advisories/CA-2000-02.html.
+ 7917 requests: @ error(s) and 4 item(s) reported on remote host
crestor 2020-08-27 11:01:13 (GMT-4) (104 seconds)
arene
Running nikto on port 8000 confirmed that this was redirecting to http:/typo.local. Nikto also
caught a xss vulnerability. | am not a big fan of XSS so | decided to move further by scanning
port 8080 and 8081SMD tree etl ree
Pree ee)
lee oa Pee ee ies)
re trier eer ier)
ccriiaasas cor)
Pretest Prot e eLte reer mC)
Pensa)
ieusestC seer cc Oe as
becom ee Re Ue Cua)
poee ee ec ee cy
+ The X-Content-Type-Options header is not set. This could allow the user agent to render
Ca et eee erm ee sry
+ No CGI Directories found (use '-C all’ to force check all possible dirs)
re ae ee as RS)
+ /phpinfo.php: Output from the phpinfo() function was found.
pS SEU a CeCe Re RCC CL eng
found. This gives a lot of system information.
COC ee eae
+ 7917 requests: 0 error(s) and 7 item(s) reported on remote host
+ Sete mC rr)
eee ee eer
Nikto v2.1.6
Le ae a Pierre
Ley Ss re USEC Ie)
Lerma crs
rim pote rte ees)
Server: Apache/2.4.38 (Debian)
esse ear eee ees
eer ee tr men oe eee eo)
ey ie ere cd
+ The X-Content-Type-Options header is not set. This could allow the user agent to render
Cae eure tote rst Roma airy
ecg strstr Cr meaner erate wie eet)
a ea eas)
ee eee eres
oreo ae reser
eee rr myc te rete mart
re Terr CURR ee oe
ecm ketenes
Pe ere eee rita Ce
+ /phpmyadmin/: phpMyAdmin directory found
el eT ty aa Une era meee eee ene)
etme st nes
PHP Version 7.3.14-1-deb10u15 dengine
‘IS of Information But frst Tet me check the phpmyadmin. As you already know, Php myadm
in is used to manage databases and database means credentials.
Mypacrmin
[The ports 8080 and 8081 appeared interesting to me so | ran dirb on both these ports.
ere eae)
Creer
CRC a
START_TIME: Thu Aug 27 11:14:36 2020
PCAs ers et
BOM SEA Tey eee. ued
Cee me sed
eT U a eM St refs 7c Corte
Tease Bummer Tati pseaat))
SV AsTemersie ue mcrae eet)
Est ee/AsTemtrslet erat este ovis ee] sti a5 12)