Preview: Programming and Exploitation - Top Hakin9 Tutorials
Welcome to another “Best of” edition of Hakin9. This time we gathered some of our best articles and tutorials about programming and exploitation. With these step by step guides you will uncover the secrets of PowerShell, Python, and Scapy. For those of you that are not interested in programming, we prepared the section about vulnerabilities. Together with our authors you can learn how to exploit vulnerabilities, how to find them and how to create them, and how to protect your system against that. This and more can be found in our newest edition!
Enjoy the issue,
PROGRAMMING: GUIDE FOR HACKERS
Play Around the Network With Scapy
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs a lot of other specific tasks very well that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping +ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.
Web Scraping with Python
Hopefully most of you have heard of Python by now. If not, where have you been hiding? Like seriously! If you're into infosec, programming, hacking, etc., you should have heard of Python. If you don't know it, what are you waiting for? As for me, I love coding. It's nice having a vast tool set to choose from. If I am on a Windows box, I'll code in PowerShell. If I am on a Linux or OS X box, Python is my choice. Nothing against Ruby, but Python has gained more popularity in the community. Ruby enthusiasts will beg to differ. But seriously, it's even the language of choice for Elliot (Mr. Robot). ;-)
Python: Hacker’s Swiss Army Knife
Finding a vulnerability in a software system is one of the fields where Python acts like a Boss. The Python-based Immunity Debugger has many design features in place to make this journey a little easier on the exploit developer. Python can be used to speed up the process of getting a working exploit, including a way to find specific instructions for getting EIP into shellcode and to determine what bad characters we need to filter out when encoding shellcode, and even for delivering the payload.
PowerShell: Enumeration, compliance or post-exploitation
Pablo Viera M
When conducting pentests focused on the internal network, in companies that desire a realistic view of the possibilities for internal attacks, the pentester must use the tools and resources available within this limited scenario. The objectives may be diverse, from analyzing employees' possibilities of abusing access rights or existing software to disrupt operations or exploit organizational assets, to specific industrial espionage cases.
PowerShell Pentesting with Nishang
For the sake of this article, I’ll focus on showing some of the possible uses of this framework. I have two VMs on my lab environment. One of them is running Windows 10 with no updates. Let’s call it the attacker machine (or attacker, for short). The second VM is running Windows Server 2012 R2 with the latest updates. Let’s call it the target machine (or target, for short). It’s important to understand that some antivirus programs can interpret Nishang’s code as some kind of malware. So, the general advice in this case is: disable or even better, uninstall any antivirus you may have on your attacker system. I ensured mine had none.
PowerShell Pentesting in Six Steps
Petter Anderson Lopes
The purpose of this article is to provide an overview of the application of penetration testing using PowerShell. As such, the presentation is not overly technical in scope; instead, it covers what penetration testing is, what benefits stakeholders in a secure system receive from a test, and how PowerShell can be used to conduct some steps of penetration testing. The presentation goes into an example procedure for penetration testing and explains some steps in reconnaissance, scanning, gaining access, maintaining access, covering tracks and reporting. These represent the steps that hackers use in common attacks. Finally, this presentation briefly discusses some techniques involving non-conventional devices such as bootable smartphones and the dangers of an unprepared team.
Python for hackers: Extract gold from systems
Adrian Rodriguez Garcia
First, we’re going to talk about what kind of information is useful to extract from a system and why it’s important. Then, with the Python language and the enormous power of its libraries, we will demonstrate how to extract basic information from a system and how to monitor and extract data from the file system, processes, network connections and keyboard. Finally, we will talk about a possible way to manage the extracted data using Big Data technologies, like Apache Kafka.
The dangers of metadata
Metadata is, simply, a set of descriptive information about the files to which it is related. Although this information is transparent to the user, it exists and can be a dangerous weapon in the wrong hands. Metadata can be found in documents, audio, images, videos, etc. In the example that we talked about at the beginning about social networks, a user could upload images that compromise his privacy, since the image could reveal the location from which the upload was made, as well as the model, brand, version and operating system of the device that took the photograph, the date, and much more information an attacker could use to enrich and prepare his attack. For example, if the attacker gets the type and version of the user's device, he could investigate which exploits are appropriate for the device’s vulnerabilities and, thus, achieve his purpose.
EXPLOITATION AND VULNERABILITIES
Exploitation Techniques and Tools
Let us be straightforward: the process by which a person searches for an exploit is called hacking. Obviously, the sheer mass of documented exploits, through which vulnerabilities can be exploited in a variety of systems, has brought about the need for information security analysts to deal with the issue. So, quite simply, today we have two vectors of action involving exploits. On the one hand, hackers who search intensively for flaws in the most varied systems, and on the other, digital security experts who deal with the challenge of anticipating the actions of hackers. In this article, we will present some exploitation techniques and tools that must be at the top of the list of cyber security analysts' concerns, as well as some features that can provide a more secure environment within corporations.
Exploitation of Software Vulnerabilities (Pentesting using Metasploit)
The objective of this lab is to provide a comprehensive coverage of the Metasploit Framework. We will see how to do pentesting, vulnerability assessment, information gathering, etc., with Metasploit.
Hunting Vulnerabilities That Affect Your API
Web applications, as well as mobile applications, are becoming more complex, and that is exposing new threats, which places your company and your customers at risk. APIs became part of that complexity, facilitating communication between the client and the server. But APIs are overlooked in terms of security, so we will shine some light on APIs, how to test them for vulnerabilities, and how to secure them.
The Life of A Vulnerability
The cyber domain has become the battlefield of our modern times. Organizations heavily depend on information systems to process their business. The larger the organization is, the more complex its information system is. The more an organization depends on information systems, the larger its chance is to be exposed to a cyber attack. Nowadays, it is not necessary to rob a bank by physically breaking in, using weapons, and stealing the money or the gold reserve. This can be achieved using a keyboard, a mouse, and logging in to an online electronic banking application that has technical ‘vulnerabilities’. It is also not necessary to wage a war against a country by sending an army, or to perform a terrorist attack by exploding a bomb. It is enough to launch cyber attacks against the target’s network infrastructure by running some commands and mouse clicks, and the attack will definitely succeed if the target is absolutely ‘vulnerable’.
Implementing a One-Time-Pad-Based Password Vault: A Poor Person’s Solution
This article presents one way of encrypting personal password lists, an alternative where we can know all of the details of the very simple implementation. It relies on a powerful, intrinsically simple encryption method: the Vernam cipher or one-time pad (OTP). I have used the solution discussed here, implemented on a Linux platform, to protect my personal password lists. The author provides no warranty for the approach, not even any implied warranty of merchantability or fitness for a particular purpose. I hope readers will not infer a sinister promotion of fear, uncertainty, and doubt. I find this topic interesting and fun, and part of my enjoyment is an imaginary conflict with a hypothetical adversary, a mind experiment familiar to all information security enthusiasts. All will agree that keeping passwords safe is a good practice and that having a list of them available in a couple of mouse clicks is convenient and conducive to the use of multiple, strong passwords.
Beating ASLR Protection Using Brute Force
ASLR is an abbreviation for Address Space Layout Randomization. It’s a memory-protection mechanism of an operating system that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory. I don’t intend to talk about the math involved in ASLR, but, in short, the effectiveness of ASLR is limited by the amount of entropy assigned (the number of random bits by which the stack and heap can be offset), so obviously the amount of randomization differs between 32-bit and 64-bit systems, and that’s why 64-bit systems are harder to exploit when ASLR is enabled.
How To Use OWASP ZAP Proxy for Pentesting Web Based Applications
The Open Web Application Security Project (OWASP) releases the top ten vulnerabilities found in web applications every year. Some of the items on the list are Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). These vulnerabilities continue to plague our web applications today. In order to protect against these vulnerabilities, penetration testers rely on tools which provide automated testing of web applications. To gain better visibility into web applications, a penetration tester can leverage the OWASP Zed Attack Proxy (ZAP).
Phishing and Persistence: Innocent Email to System Compromise
Senior Security Consultant
Today, phishing attacks against organizations are at an all-time high and with good reason. Attackers know that performing a phishing attack is one of the easiest ways to gain access to an organization’s systems and data because, as humans, we are curious and can be fooled without seeing the hidden dangers of what appears to be a legitimate email message. Attackers have used phishing campaigns to gain access to sensitive data and hold it for ransom, make financial transactions, spread malware and gain entry and persist on the network. As a penetration tester, I have successfully carried out many phishing campaigns. One of the campaigns I performed allowed me to get into the customer’s network, take over their domain controllers and stay hidden for over two weeks until I arrived on site to perform their internal penetration test.
HACKING IN PRACTICE
Cybersecurity in Software-Defined Networking (SDN)
Santiago Hernández Zambrano
José Manuel Postigo Aguilar
Carlos Rodríguez Hernández
In this sense, the increasing implementation of Software-Defined Networking (SDN) combined with Network Functions Virtualization (NFV) has allowed for a significant reduction of costs in the deployment of network infrastructure, especially in the case of mobile communication networks, but they have simultaneously introduced new modes of attack. Thus, a new focus and the use of cybersecurity and analytical tools that are different from those that have traditionally been used are necessary to adapt to this new scenario.
Wireless Hacking with Aircrack-ng
Given our increasing need to stay connected via social media and email, and therefore to have access to the Internet, the availability of free, open WiFi access points in institutions, shops and, in some areas, city-wide access points has become the norm. We don’t give a second thought to accessing a free WiFi spot in a coffee shop or elsewhere, since it enables us to maintain access. But what about our home? While you may have followed our best advice, selected a password for your router and implemented WPA/WPA2 encryption, it is possible, with help, to access these also. In this article, we outline the use of a tool called ‘Aircrack-ng’ used by security professionals to access secured WiFi.
Open Source Tools for Hackers
Welcome to this overview of open source tools, which must be part of any self-respecting hacker’s toolbox. In this article, I will be going through a short list of tools, their functionality and the scenarios where these tools can make a difference in a penetration test. Some of these tools are undoubtedly already known to some of you, but for the beginning hacker, this overview can be just what the doctor ordered in terms of getting started down the path to becoming a professional hacker. The tools I will be going through here are: Kali Linux, Nmap, Wireshark, John the Ripper, hping, w3af and THC Hydra. If you are already a discerning hacker, you undoubtedly have your own favorites, which may or may not be part of this list. If you are a beginning hacker, then I highly recommend that you try out these tools and become familiar with them. When you have developed experience, then spread out and try the recommendations of others, to develop a favorite toolset of your own. But let’s get started.
Restricted Linux Shell Escaping Techniques
The focus of this article is on discussing and summarizing different techniques to escape common Linux restricted shells, as well as simple recommendations for administrators to protect against them. This article is not focused on hardening shells; however, some hints will be given to the reader as proof of concept. Additionally, this article is focused on Linux shells only, not Windows. It is also important to note that not all techniques presented here will work in every restricted shell, so it is up to the user to find which techniques will suit them, depending on the environment in use. This is not intended to be a definitive guide to shell escaping techniques, but a basic introduction to the subject.
Reverse Engineering the Android OS
The Android OS is a popular open-source mobile platform based on the Linux 2.6 kernel. It was first developed by a company called Android, Inc. and later acquired by Google in 2005. Presently, there are many versions of the Android OS starting with the 2.6 kernel.
Get Kali Linux Running on Cloud
Carlos Rombaldo Jr
This technique consists of installing Kali by launching two virtual machines, one for Kali itself and another to provide the resources required to install from network boot using PXE technology. These machines are referred to here as KALI VM and PXE VM respectively. Initially, it will be described, step by step, how to set up the PXE VM manually and later, how to do the same using an automation script provided here.
Elastix: An Open Source Unified Communications Server: Understanding real-world scenarios… and how to minimize security risks
Sergio Hernandez Rodriguez, Amelia Araneo
In today’s world, VoIP technology is vital to the success of any organization in order to support communications, minimize costs, reduce disruptions to operations and increase profitability. Moreover, VoIP is the keystone of new emerging technologies including, but not limited to, “IoT” (Internet of Things), “UC” (Unified Communications) and “M-2-M” (Machine-to-Machine) systems, among others. Attacks on networks using VoIP could degrade performance, steal important information, and generate large expenses for any organization that does not have the correct security mechanisms. If you are reading this, then you might know that VoIP inherited some security issues from the existing layers and protocols. Different signaling protocols have been proposed for VoIP. Currently, SIP is one of the most used because it is a standard and presents advantages. As with any other Internet protocol, it is susceptible in terms of security, and thus it is prone to receive different kinds of attacks. This article proposes three basic scenarios, representing common network architectures supporting VoIP. A set of general guidelines is established in terms of the aforementioned architectures, in order to provide effective solutions to minimize existing security risks.