Simplifying cyber security since a August 2020 Edition 3 Issue 8 A Unique Cyber Security Magazine aie HACKING A TARGET ON ANOTHER NETWORK WITH YOUR ATTACKER SYSTEM BEHIND A ROUTER PRIVATE BROWSING : WHAT IT DOES AND WHAT IT DOESN'T TOOL OF THE MONTH : LINUX SMART NUL Sa reUele)N| PAV UN) nT terete Tm ete] getsThen you will know the truth and the truth will set you free. John 8:32 Editor's Note Hello aspiring ethical hackers. Hoping you are all awesome and safe. We jare releasing our August 2020 Issue with lot of excitement. Since our May 2020 issue, Our readers have been learning about hacking in different Real World Sc} -enarios. In our May 2020 Issue, we covered a real world scenario where a web) \server is behind the router with port 80 accessible to external network. In our \June 2020 Issue we covered a real world scenario which involves lateral move- \ment over the hacked network. In our July 2020 Issue, we have covered how a \simple router mis configuration can expose the internal network to the internet jand can be hacked. In this Issue, our readers will see a most common real world scenario. \Many a times we find our attacker system behind a router. So in this month's IRWHS, we will place the attacker system behind a router in a LAN and hack a \system that is on a different network (internet). It is very simple to configure a \reverse shell when while both attacker and target system are on the same netw -ork but when the target is on a different network and the attacker system is be- bye a router, configuration changes. This is one of our favorite scenario as ma- y of the cyber security students have this doubt as how to hack when they are ehind a router. With this scenario, we will be covering full circle some of the most common \real world scenarios. We will be moving over to other scenarios from the next Issue. Apart from this, other regular features are present. We are sure our read-| lers will like this Issue. That's all we have for now. Until the next issue, Good |Bye. Thank You. Stay Home, Stay Safe. chchakrauanthe “tt HACKER IS SOMEONE WHO USES A COMBINATION OF HIGH-TECH CYBERTOOLS AND ‘SOCIAL ENGINEERING TO GAIN ILLICIT ACCESS TO SOMEONE ELSE'S DATA.” ~ JOHN MCAFEEINSIDE See what our Hackercool Magazine August 2020 Issue has in store for you 1. Real World Hacking Scenario : When Attacker system is behind a router. 2. What's New : Kali Linux 2020.3 and Parrot OS 4.10. 3. Metasploit This Month : Drag & Drop Upload RF, Xshell and XFtp password gather & more modules 4. Capture The Flag : Green Optic : 1. 5. Tool Of The Month : Linux Smart Enumeration. 6. Installit : Install Z shell in Kali. 7. Hacking Q&A: Answers to some of the questions our readers ask about ethical hacking. 8. Online Security : Private Browsing : What does it do and what it doesn't. Some Useful ResourcesREAL WORLD HACKING SCENARIO i, 'm Hackercool. Today | am gonna show you a scenario where our attacker system is beh ind a router and obviously the target is on another network. My router is an ipfire router with RED+GREEN configuration and the administrator credentials are "admin:iloveyou' . Just like any common router configuration, this configuration allows all the devices in the LAN to acce ks internet while protecting them from external connections. Needless to say, my attacker achine is Kali Linux. Let me check the internal IP address of my machine. Pree yy eaten Ce eee eee eee oe Be ecco) oo Link/Loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 Mera Rey eee rat) theories RU er inet6 ::1/128 scope host valid_lft forever preferred_1ft forever Pa ae Cos com at te a eC Reem eae eer cee ROT re er 3: eth1: mtu 1500 qdisc pfifo_fast state UP group defau tater) COU a rere ee Rr inet 192.168.66.6/24 brd 192.168.66.255 scope global dynamic noprefixroute eth1 Riscecet cca cor meotrs Aree Pe rune eer rae) Pitre rer rm eee he IP of my machine is 192.168.66.6. | am interested in one target IP 172.28.12.22. | chang ed the /etc/hosts as following before | start the hack.GNU _nane ra psu 127.0.1.1 pave! Pct eres CTT Cette set crn Coreetreytrry ee teat iet sy ll perform a Nmap scan on the target kaliakaliz~$ nmap ~sV 172.28.128.22 Starting Nmap 7.80 ( https: //nmap.org ) at 2020-08-27 10:48 EDT ce eee eter Host is up (@.011s Latenc eae est esd a eo ei a Ae CUCL SUP mC crcl aD) Ce eons ee ete at ee RC STS) A Uns ss eee) 8080/tcp open http Apache httpd 2.4.38 ((Debian)) Ct ues est eR SEL) Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:1inux:linux_kernel Service detection performed. Please report any incorrect results at https: //nmap.org/subm ny] ee eae RUE eee cor PAE Ses | [There are four web services running on ports 80,8000,8080 and 8081 along with a SSH serv er on the target. | opened all these webpages in the browser. |The website on port 80 is displaying a simple text "HELLO User!" lit seems the site on port 8000 is also being redirected there. [The site on port 8080 is displaying a plain page@-ce = ite running on 1 is displaying a these rabbit holes? | eed to run nikto on all the four ports. Perce eure ee Pee ee) Pca Piper erred Sra ee Cet ier ea Poet art? 55:38 (GMT-4) Server: Apache/2.4.38 (Debian) eset ear te ees kee ee UO Ue ee) Pee ee ed eee a On ar eee CC Rien emo Cae eeu erro eres noes sr No CGI Directories found (use '-C all’ to force check all possible dirs) CO eee nae re eee Pt oer On week Trier ers crest PU ree Ce eer) 1 host(s) tested tunning nikto on port 80 gave me noth Tee eee) Pre ee) ieee Peet erry cre eect ier) be tiiaadd cr Peraaetd pote eral Server: Apache/2.4.38 (Debian) eeeestcs Rage Ce ees eee ee tr ee ees ee ee eon eer eee ee cd ee meee Ce eee eR CC Re ee Cae Ue ere ee stier ee ary + Root page / redirects to: http: //typo.local +°Wo CGY Directories found (use '-C all” to force check all possible dirs) emcees rc st herman Co err or) Sname=Members_Listéfilesindex: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scri pting (xSS). http://w .cert.org/advisories/CA-2000-02.html. + 7917 requests: @ error(s) and 4 item(s) reported on remote host crestor 2020-08-27 11:01:13 (GMT-4) (104 seconds) arene Running nikto on port 8000 confirmed that this was redirecting to http:/typo.local. Nikto also caught a xss vulnerability. | am not a big fan of XSS so | decided to move further by scanning port 8080 and 8081SMD tree etl ree Pree ee) lee oa Pee ee ies) re trier eer ier) ccriiaasas cor) Pretest Prot e eLte reer mC) Pensa) ieusestC seer cc Oe as becom ee Re Ue Cua) poee ee ec ee cy + The X-Content-Type-Options header is not set. This could allow the user agent to render Ca et eee erm ee sry + No CGI Directories found (use '-C all’ to force check all possible dirs) re ae ee as RS) + /phpinfo.php: Output from the phpinfo() function was found. pS SEU a CeCe Re RCC CL eng found. This gives a lot of system information. COC ee eae + 7917 requests: 0 error(s) and 7 item(s) reported on remote host + Sete mC rr) eee ee eer Nikto v2.1.6 Le ae a Pierre Ley Ss re USEC Ie) Lerma crs rim pote rte ees) Server: Apache/2.4.38 (Debian) esse ear eee ees eer ee tr men oe eee eo) ey ie ere cd + The X-Content-Type-Options header is not set. This could allow the user agent to render Cae eure tote rst Roma airy ecg strstr Cr meaner erate wie eet) a ea eas) ee eee eres oreo ae reser eee rr myc te rete mart re Terr CURR ee oe ecm ketenes Pe ere eee rita Ce + /phpmyadmin/: phpMyAdmin directory found el eT ty aa Une era meee eee ene) etme st nes PHP Version 7.3.14-1-deb10u15 dengine ‘IS of Information But frst Tet me check the phpmyadmin. As you already know, Php myadm in is used to manage databases and database means credentials. Mypacrmin [The ports 8080 and 8081 appeared interesting to me so | ran dirb on both these ports. ere eae) Creer CRC a START_TIME: Thu Aug 27 11:14:36 2020 PCAs ers et BOM SEA Tey eee. ued Cee me sed eT U a eM St refs 7c Corte Tease Bummer Tati pseaat)) SV AsTemersie ue mcrae eet) Est ee/AsTemtrslet erat este ovis ee] sti a5 12)