Learning Linux is Fun!

My Cisco Ethical Hacker badge: https://www.credly.com/badges/8a1e5011-5eaa-49db-8d66-b5ffface18d0
My SRE Specialist certificate from VK?headquarters: https://education.vk.company/curriculum/certificates/download/45985/5d4f0ba3-c7e6-423e-8fde-91234d52e656/

Who told you Linux Server Administration, Site Reliability Engineering, or Ethical Hacking is boring? With all the tools and modifications that come for free straight out of the box, Linux is fun!!!

Time to Learn Ethical Hacking

??????????Y?????????????O?????????????????U?????????????????? ??????????????????????H????????????????A??????????V????????????????E????????????????? ?????B?????????????????E????????????????E???????N????????????? ????????????????????H?????????????????A????????????C?????????????K?????????E???????????????D????????????????? ??????????????????

Drop everything what you have been doing and start learning Ethical Hacking now!

Who or What Makes Learning Linux Fun?

Kali Linux.
Cisco “Ethical Hacker” courses.
Bug Bounty programs from Intigriti and others, that allow practising on live targets and make payouts in case of proving their cyberflaws and vulnerabilities.
M365Princess theme for command line interface from Oh My Posh.
Customized GPTs from the ChatGPT store (see the list with links at the end of the article).

There is a lot you can do to make your experience of Linux, Hacking, SRE, and Server Administration enjoyable. Just think of it, all of it comes free of charge and helps make money!

Kali Linux

Kali Linux to do the hacking with tons of pre-ready scripts and automation tools. All you have to do, is to type in a command into a console! Kali Linux is freely available as a standard Windows installation (or WSL, that is, Windows System Linux). What does it mean for you? No need to run a Virtual Machine or install a separate system to learn hacking, just use your old Windows laptop, install WSL Kali, and you are good to go!

Cisco “Ethical Hacker” Courses with a Free Certificate

Cisco “Ethical Hacker” courses With free Cisco courses on “Ethical Hacking”, every world control is at your fingertips!

What is an Ethical Hacker?

The Ethical Hacker is almost the same as the penetration tester, but there are major differences: 1) a company publicly posts it needs to test its public facing services for cybersecurity threats, 2) an ethical hacker sees the post and agrees to do the testing. The monetary and non-monetary (reputation points) rewards usually depend on the amount and deepness of flaws in the software, hardware, and people setup of the organization the hacker was able to demonstrate and actually PROVE with his/her skills.

The penetration tester provides general recommendations, but the ethical hacker is concentrated on finding the actual flaws and must PROVE they impact the company negatively if someone with malicious intent repeats his/her actions.

“Ethical Hacker” is a good certificate to have for any web developer, software developer, and, of course, cybersecurity professional. Some ethical hackers get hired as penetration testers or cybersecurity officers full-time or even organize their own cybersecurity companies specializing in cybersecurity penetration testing of the physical sites, software, and people. The term “ethical” means the organization sets boundaries and limits for a hacker and writes the allowed tests down into contract terms which a hacker cannot cross. Or a hacker registers at ethical hacker websites, such as Intigriti, and picks a test challenge from there with all the terms of testing allowed and not allowed specified.

Comprehensive scan command is absolutely one technique you must memorize if you are on the testing premises, and are provided with a black-box network layout (only some IPs are given for testing) with no other limitations. If you forget everything else, this is the only command you must remember from this article. You might be surprised with the list of classified locations you find:

nmap -A -T4 55.155.0.0/16

Replace 55.155 with the real network address you are to scan.

Command Line Interface Beautification

Who told you the console, or command line interface is boring? There are tons of customizations for the console, for example M365Princess theme for “Oh My Posh” that runs both on Linux and on Windows.

Hacking and Slashing

Provided for educational purposes only, for you to know what your kid is doing at nights! Do not try it. Be good. And if you can't be good, be careful (at least use --tor or a VPN)!

Web Reconnaissance

Although there are many automated scan tools, for example, three commands like…

nikto -h target.com

nmap -sV --script vulners --script-args mincvss=4 target.com

theHarvester -d target.com -b all -f results

nothing can substitute the manual crawling with hands and eyes, especially when it comes to sifting through a more advanced tool like theHarvester. A variant for manually testing a web app is to try to check if its default admin panel was left at its default address, i.e.

https://target.com/admin

Depending on the output, sometimes just typing /admin is enough to find out that the website is actually WordPress-based. And if it is WordPress, nothing prevents you from trying to discover the usernames with:

wpscan --url https://target.com --enumerate u --random-user-agent --force

And if the users were actually found, like user1, user2, user3, you could attempt to brute force a password (just by setting out to try out ALL the possible passwords automatically) or try the most common passwords' list against those usernames with:

wpscan --url https://target.com --passwords /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt --usernames user1,user2,user3 --random-user-agent

Directory Brute-Forcing

Next, Brute-forcing the directories addresses with many freely available tools, as well as basic reconnaissance tools, may further expose that the website actually uses MySQL database to store user data, articles, and password hashes.

Improper Neutralization of Input During Web Page Generation: A Critical Vulnerability

"Improper Neutralization of Input During Web Page Generation" refers to the failure to properly handle or sanitize user input during the generation of web pages, leading to various security risks (OWASP Top 10).

In simple terms, this vulnerability occurs when an application does not adequately validate, sanitize, or escape user-supplied input before incorporating it into dynamically generated web pages. As a result, malicious user input can be interpreted as code or executable content by the application, leading to potential security issues.

Example: PHP Vulnerability

// Vulnerable PHP code
$username = $_GET['username']; // User-supplied input

// Generating the web page without proper input validation
echo "<h1>Welcome, " . $username . "!</h1>";

In this code snippet, the application directly incorporates the value of the username parameter from the URL query string without any validation or sanitization. This can enable an attacker to exploit the vulnerability by manipulating the input.

Potential Consequences of the Vulnerability:

Cross-Site Scripting (XSS): If the user-supplied input contains malicious scripts or HTML tags, they may be executed by the victim's browser, leading to the execution of unauthorized code and potential attacks like session hijacking or defacement.
Code Injection: If the input is treated as code by the application, an attacker may inject arbitrary code or commands, leading to server-side code execution and unauthorized access or control over the system.
SQL Injection: If the input is used in database queries without proper validation, an attacker may manipulate the input to execute unauthorized database queries, potentially exposing or modifying sensitive data.

Session Hijacking

Session hijacking refers to unauthorized access or control of a user's session on a website. In the given example, if an attacker successfully exploits the vulnerability by injecting malicious scripts or code through the username parameter, they may be able to execute cross-site scripting (XSS) attacks. With XSS, the attacker can steal the user's session cookies, which are used to authenticate and maintain the user's session on the website. By gaining access to the session cookies, the attacker can impersonate the user, potentially leading to unauthorized actions, data theft, or privilege escalation.

Defacement

Defacement refers to unauthorized modification or manipulation of a website's appearance or content. If an attacker exploits the vulnerability by injecting code or scripts that are interpreted as HTML, they can modify the generated web page. This could lead to defacement, where the attacker alters the content, layout, or visual appearance of the web page, displaying unauthorized or malicious content to website visitors. Defacement can harm the reputation of the website, impact user trust, and potentially lead to other malicious activities.

SQL Injection Attack Samples

Since we found that the website is WordPress and uses MySQL, test the databases for a potential screw up based on the two most basic web interaction methods, GET and POST.

GET interaction is usually the search field and every field that outputs its input into the website URL as URL parameters, for example search boxes, where the URL usually looks like https://target.com/?search=<search-query>

Once you found such an input field that is reflected in the URL, plus you know already that the website uses MySQL (you might need to change the command for other type of database you gathered during reconnaissance), you can run the following command to test for SQL injection vulnerabilities, replace the <search-query> with the word test:

sqlmap -u "https://target.com/?search=test" --batch --random-agent --dbs --users --passwords --technique=BEUSTQ --level=5 --risk=3 --tor --threads=10 --crawl=10 --dbms=mysql --current-user --current-db --hostname --is-dba --dump-all --os-shell --tamper=space2comment,between,randomcase --drop-set-cookie

Another popular method for testing for SQL injection is utilizing the POST method on web forms, that do not display any user input information in the URL. From the aforementioned https://target.com/admin panel, send the form with any username and any password. Then open your browser Developer panel, navigate to the Network, find the POST request there, and press “copy as HAR”. Transform it via ChatGPT into plain text post.txt, it would probably look like this:

POST /login/?login_only=1 HTTP/1.1
Host: target.com:1234
User-Agent: <change to something different from your standard browser>
Content-Type: application/x-www-form-urlencoded
Cookie: webmailsession=<some data>; roundcube_cookies=enabled; timezone=USA/NewYork
Referer: https://target.com:1234/

[email protected]&password=test123

Now run the SQL injection test with these new settings and the post.txt file:

sqlmap -r post.txt --batch --random-agent --dbs --users --passwords --technique=BEUSTQ --level=5 --risk=3 --tor --threads=10 --crawl=10 --dbms=mysql --current-user --current-db --hostname --is-dba --dump-all --os-shell --tamper=space2comment,between,randomcase --drop-set-cookie

After the reconnaissance phase, if you know a website uses MySQL, and you found out the URLs that accept parameters, you can automise the process to store your progress and the commands you've already tried.

This is why initial reconnaissance and initial manual browsing and testing is important, to target the entry points you've found in later phases. Now it is like using millions of different types of keys against different keyholes to get as many entries as possible. Remember, the ultimate goal, after the training is completed, is Bug Bounty Hunting and the monetary rewards for security breaches found, the more serious the breach, the bigger the reward.

Attack Automation with Bash Scripts

When you do some manual testing, it is time to move to testing automation. Learn Bash, PowerShell, Python — whatever is up to your liking! Use libraries and other automation tools

sqlmap for SQL injection attacks automation.
xxstrike for XSS atacks automation.
feroxbuster for directory brutforcing automation.
metasploit for open server ports vulnerabilities search.
smbclient for SMP vulnerabilities scanning and exploitation.
larger suites for web-testing, like OWASP ZAP and Burp Suite.

Docker in WSL Kali

Why do you need to be concerned about Docker containers in WSL Kali? Because many modern attack tools require PostgreSQL or other databases to be running to store, analyse, and display the huge amount of data they find with automation scripts, for example a tool to analyse cloud servers, BloodHound

You might also want to use GVM vulnerability scanner, that one also comes with its Docker setup, PostgreSQL databases, and even Redis! (note: Redis is a smaller database that runs in RAM to accelerate read-write database processes and to enable caching).

If you test your web application in WSL before hosting it on a real Linux server, avoid installing Docker Desktop, use Podman Desktop instead. Podman Desktop is integrated into WSL much, much better than Docker Desktop. Installing Podman Desktop alone will save you a lot of time and effort when you work with your Docker containers in WSL.

Post-Exploitation: Reverse Shell vs Bind Shell

You did it, you are finally in! But what to do now? You are concerned with the two most important things:

Staying undetected, since getting into the system the second time could be much more difficult due to patches.
Maintaining access even after system reboot, called Persistence.

You have at least two options to maintain access:

Reverse Shell:

Imagine Veronica is visiting a strict, highly secure community where visitors are not allowed to initiate contact with the residents. However, the residents can make outgoing calls.

Lili (the attacker) wants to talk to Veronica (the compromised system). She instructs Veronica to call her when she gets into the community. So, Veronica (the compromised system) initiates the call (connection) to Lili (the attacker), who is waiting by her phone (listener). Once the call is connected, Lili can start giving instructions to Veronica. This setup helps bypass the community's restrictions since the community only cares about incoming calls, not outgoing ones.

In this analogy:

Veronica's outgoing call represents the compromised system establishing a reverse shell connection to the attacker's system.
Lili's phone waiting for the call represents the attacker's listener waiting for a reverse shell connection.

Bind Shell:

Now, imagine that instead, Lili wants to have an open channel to Veronica without Veronica initiating the contact. Lili somehow manages to place a mobile phone with an open line in Veronica's room (the compromised system). Whenever Lili wants to talk, she can dial that number, and the phone will automatically pick up, allowing her to give instructions to Veronica.

In this analogy:

The mobile phone in Veronica's room with an open line represents the compromised system listening for an incoming connection.
Lili dialing the number represents the attacker connecting to the bind shell.

LOLBins (Living Off The Land Binaries)

LOLBins (Living Off The Land Binaries) are legitimate executables and scripts that are part of the operating system or installed software but can be abused by malicious actors to perform unintended actions, often bypassing security controls. These tools are already present on most systems, which makes them highly attractive for use in various cyberattacks.

How LOLBins Work:

Legitimate Binaries: They are built-in executables, which means they don’t raise immediate suspicion.
No New Malware: Since the attacker uses what’s already on the system, there’s no need to download or create new files, making detection harder.
Bypass Controls: Many of these binaries are trusted by default (whitelisted), so they often bypass endpoint security solutions like antivirus or EDR.
Versatile Use: They can be used for anything from downloading files, executing scripts, escalating privileges, and lateral movement across a network.

Common LOLBins Examples:

PowerShell (powershell.exe): A versatile scripting language that can be used to download malicious payloads, execute commands, or manipulate files.
CertUtil (certutil.exe): A command-line tool for managing certificates, but it can be abused to download files from remote servers.
MSHTA (mshta.exe): Used to execute HTML applications (.hta files) and can be leveraged to run malicious scripts.
BitsAdmin (bitsadmin.exe): A tool used for managing Background Intelligent Transfer Service (BITS) jobs, but it can download malicious files.
Rundll32 (rundll32.exe): A legitimate binary that can load and run dynamic link libraries (DLLs), but can also be used to execute arbitrary code.
WMI (wmic.exe): Windows Management Instrumentation can be abused to run scripts remotely and move laterally across the network.

When and How to Utilize LOLBins for Profit:

Using LOLBins can be particularly effective in a post-exploitation scenario or during initial compromise, allowing you to operate stealthily without needing to drop custom malware on a target. Below are ways in which you could leverage LOLBins, especially in the context of ethical hacking and penetration testing:

1. Data Exfiltration:

Use LOLBins like certutil.exe or bitsadmin.exe to download files from the target machine or upload them to a remote server.
Example:
You can script the exfiltration of sensitive data like credentials or internal documents without triggering alerts.

2. Persistence:

Tools like rundll32.exe can be used to run DLLs that will persist across reboots, making your access to the target more durable.
Example:

3. Privilege Escalation:

Abusing tools like schtasks.exe (for scheduled tasks) or PowerShell scripts for privilege escalation by adding malicious tasks that run with elevated privileges.
Example:

4. Lateral Movement:

WMIC (WMI Command-Line): can be used to execute commands on other machines in the network.
Example:
This is useful for moving between machines stealthily in larger network engagements.

5. Remote Code Execution:

MSHTA.exe can be used to execute malicious JavaScript or VBScript hosted on a remote server.
Example:

6. Downloading Malware Without Detection:

bitsadmin.exe allows you to download files over HTTP or HTTPS.
Example:

Ethical and Practical Use:

In ethical hacking, you can use these techniques during Red Team operations, penetration tests, or adversary emulation. It's important to have the right permissions, as misuse of these techniques can lead to severe legal consequences.
Blue Teams (defenders) should be aware of these tactics to harden their systems and detect suspicious use of these binaries.
From a profit standpoint, companies pay good money to ethical hackers who are able to find vulnerabilities and recommend solutions using these techniques. Properly leveraging LOLBins in legal engagements can boost your reputation as a skilled penetration tester.

If you're looking for long-term profit in this space, becoming a proficient Red Teamer or penetration tester specializing in LOLBins tactics can make you a sought-after expert in the field!