CodeNinja.

Aakash Choudhary
Vulnos2 CTF Solution 

Here is my solution of the vulnos2 CTF. Please watch it and give your review.

Thanks


Here is video solution of Spydersec CTF

Please watch this and tell me what I should change in my next video, because I am not good at making video solutions.

Thanks

Hello friends. I am CodeNinja a.k.a. Aakash Choudhary.

I am learning CTFs these days and solving them. I am not much of an expert, but I am trying to learn. I also read other people's writeups to gain knowledge.

I know there are a bunch of writeups of the same CTF, but I also want to contribute myself.

NOTE :-> My next writeup will be video based, i.e. a video solution.



Hello friends. I am CodeNinja a.k.a. Aakash Choudhary.

Now we will learn all about nmap, which is the pentester's friend. In my upcoming posts I will post solutions of CTFs, and there we will learn the practical usage of nmap.

So let's start :->

<====================NMAP Tutorial =======================>



Nmap is a network scanning and host detection tool that is very useful during several steps of penetration testing. Nmap is not limited to merely gathering information and enumeration; it is also a powerful utility that can be used as a vulnerability detector or a security scanner.


NMAP can be used for :->

1. host discovery
2. port discovery
3. service discovery
4. OS and software version discovery
5. detecting vulnerabilities and security holes, etc.


Techniques used by nmap :->
1. TCP Connect Scanning
2. TCP Reverse ident Scanning
3. FTP Bounce Scanning, etc.


Sometimes during testing of a website we don't find any vulnerability, but the host might still be vulnerable: an important port might be open and running a vulnerable service, which can lead to serious problems.

So nmap is the best tool and friend of the PENTESTER, which helps to find open ports and has many other uses.



<========= Practical USAGE of NMAP ========>

NOTE :-> For starting, use a virtual machine's IP. In my case I use the OWASP Broken Web App VM.

1. Simple scan :->  nmap 192.168.56.101

2. If you want to scan an entire subnet or range [0-255]

nmap 192.168.1.*

or

nmap 192.168.1.0-255

NOTE :-> We can also use netdiscover :->
netdiscover -i vboxnet0 -P -r 192.168.56.0/24

Where
-i interface, like eth0, wlan0, vboxnet0
-P print results in a parsable format and stop after the active scan (the passive, sniff-only mode that sends no packets out on the network is lowercase -p)
-r range to scan

Why use it?
When I was solving the vulnos2 CTF VM I could not see the IP address, so I used netdiscover to find the IP address of the vulnerable machine vulnos2.

3. nmap 192.168.56.0/cidr ===>  nmap 192.168.56.0/24
24 is the CIDR prefix length

CIDR ? => Classless Inter-Domain Routing => https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

4. Multiple Target Scan =>
nmap 192.168.56.100 192.168.56.101  etc.

or

nmap 192.168.56.100-101


5. Suppose you have a list of IPs for testing; save them in a text file and then use this command :->

nmap -iL targetip.txt

or

nmap -iL /home/ninja/AAKASH/nmap/targetip.txt

This will scan the entire list of IPs you saved in that text file.


SCENARIO :->

Suppose I have a site for testing. I use the knockknock python script to enumerate subdomains of this site. I got some subdomains and their IP addresses. I saved those IPs in a file and then scanned them using the above command " -iL ".

6. List scan (lists all hosts in the range without actually scanning them) =>  -sL

nmap -sL 192.168.56.101/24


7. Suppose that while scanning an entire subnet I do not want to scan a specific IP address; then use this command

nmap 192.168.56.101/24  --exclude 192.168.56.102


To exclude a file of hosts which you do not want to scan :-> --excludefile target.txt


8. Scanning some well-known PORTS like HTTP, FTP, TELNET

nmap -p80,21,23 192.168.56.101
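Before running a scan it helps to know exactly which addresses a target spec covers. The Python below is an added example (not code from the original post): it expands the target forms used in the commands above (single IP, 192.168.1.*, 192.168.1.0-255, a /24 CIDR block, an -iL file, --exclude) into the concrete address list, and parses a -p port list. It generalises the post's forms to a range in any octet (for example 10.0.1-2.5-6), which nmap also accepts; the -iL file contents below are constructed, and treating '#' lines as comments is this helper's own convention.

```python
import ipaddress
import itertools
from typing import Iterable, List, Set

# Added example (not from the original post): expand nmap-style target
# specs so you can see which hosts a spec covers before scanning.


def expand_target(spec: str) -> Set[str]:
    """Expand one IPv4 target spec into a set of dotted-quad strings.

    Supported forms: single address, CIDR (192.168.56.0/24), and per-octet
    wildcards or ranges (192.168.1.*, 192.168.1.0-255, 10.0.1-2.5-6).
    Like nmap, a CIDR block includes its network and broadcast addresses,
    and 192.168.56.101/24 means the whole 192.168.56.0/24 block.
    """
    spec = spec.strip()
    if "/" in spec:
        return {str(ip) for ip in ipaddress.ip_network(spec, strict=False)}
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    ranges: List[range] = []
    for octet in octets:
        if octet == "*":
            lo, hi = 0, 255
        elif "-" in octet:
            lo_s, hi_s = octet.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # "-5" means 0-5
            hi = int(hi_s) if hi_s else 255    # "250-" means 250-255
        else:
            lo = hi = int(octet)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of bounds in {spec!r}")
        ranges.append(range(lo, hi + 1))
    return {".".join(map(str, combo)) for combo in itertools.product(*ranges)}


def parse_target_file(text: str) -> List[str]:
    """Parse the contents of an -iL style file: specs separated by whitespace
    or newlines. Lines starting with '#' are skipped (this helper's own
    convention for annotated target lists)."""
    specs: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        specs.extend(line.split())
    return specs


def build_target_list(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Resolve specs minus exclusions (--exclude / --excludefile semantics)
    into a sorted list of addresses."""
    targets: Set[str] = set()
    for spec in specs:
        targets |= expand_target(spec)
    for spec in exclude:
        targets -= expand_target(spec)
    return sorted(targets, key=lambda ip: int(ipaddress.IPv4Address(ip)))


def parse_ports(spec: str) -> List[int]:
    """Parse an nmap -p list such as '80,21,23' or '1-1024,8080'."""
    ports: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


if __name__ == "__main__":
    # Constructed sample -iL file mirroring the subdomain scenario above.
    sample_file = """
    # hosts found with the subdomain scan (constructed sample)
    192.168.56.101 192.168.56.102
    192.168.56.0/30
    """
    targets = build_target_list(parse_target_file(sample_file), exclude=["192.168.56.102"])
    print(len(targets), "targets:", targets)
    print("ports:", parse_ports("80,21,23"))
```

Running the file prints the five addresses left after the exclusion; the same functions can be used to sanity-check a target file before handing it to nmap -iL, so a typo in a range does not turn a small scan into a sweep of a whole network.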


NMAP SCANNING TECHNIQUES
======================================

1. -sS [SYN Scan] => also called half-open scanning

It gets information from the remote host without completing the TCP handshake: Nmap sends SYN packets to the destination but never completes a session.

nmap -sS 192.168.56.101


2. -sT [Connect Scan]

It completes the normal TCP three-way handshake.
It finds TCP ports, not UDP ports.

nmap -sT 192.168.56.101


3. -sU [ UDP Scan ]

It is used to find open UDP ports on the target machine.

A UDP scan sends UDP packets to the target machine and waits for a response: if an ICMP port unreachable error comes back, the port is closed; if an appropriate UDP response comes back, the port is open.

nmap -sU -sS 192.168.56.101

I use -sS along with -sU to make the scan more effective.


4. -sF [ FIN Scan ]

Sometimes a normal TCP SYN scan is not the best choice because of a firewall. IDS and IPS may be deployed on the target machine, and a firewall will usually block the SYN packets. A FIN scan sends a packet with only the FIN flag set, so it does not need to complete the TCP handshake.

nmap -sF 192.168.56.101



We can also perform an Xmas scan (-sX) and a Null scan (-sN)


Differences between FIN Scan, XMAS Scan and Null Scan

the FIN scan sends packets with only the FIN flag set

the Xmas scan sends packets with the FIN, PSH and URG flags set

the Null scan sends packets with no flag bits set at all
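The same flag patterns are what a defender looks for when spotting these scans in traffic. As an added example (not code from the original post), the Python below classifies TCP probes by their flag bits into SYN, FIN, Xmas and Null, and reports any source that sends stealth probes (FIN, Xmas or Null) to many different ports. The log line format, the field names and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Added example (not from the original post): classify TCP probes by flag
# bits and alert on sources that sweep many ports with FIN/Xmas/Null probes.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def flags_from_field(field: str) -> int:
    """Accept either a hex byte ('0x29') or letter form ('FPU', 'SA', '')."""
    field = field.strip()
    if field.lower().startswith("0x"):
        return int(field, 16) & 0x3F          # keep only the six classic bits
    bits = 0
    for ch in field.upper():
        if ch not in LETTERS:
            raise ValueError(f"unknown flag letter {ch!r}")
        bits |= LETTERS[ch]
    return bits


def classify(flags: int) -> str:
    """Name the probe type from its flag bits, matching the scans above."""
    if flags == 0:
        return "null"       # -sN: no flags set
    if flags == FIN:
        return "fin"        # -sF: FIN only
    if flags == FIN | PSH | URG:
        return "xmas"       # -sX: FIN + PSH + URG
    if flags == SYN:
        return "syn"        # first packet of -sS / -sT, or a normal client
    return "other"          # SYN/ACK, ACK, RST, ... : ordinary traffic


# Constructed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> flags=<F>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+flags=(?P<flags>\S*)$"
)


def detect_scans(lines: List[str], min_ports: int = 5) -> Dict[str, Dict[str, List[int]]]:
    """Group stealth probes per source and probe type; report every source
    that hit at least `min_ports` distinct destination ports with one type."""
    seen: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                           # not in the constructed format
        kind = classify(flags_from_field(m["flags"]))
        if kind in ("fin", "xmas", "null"):
            seen[m["src"]][kind].add(int(m["dport"]))
    alerts: Dict[str, Dict[str, List[int]]] = {}
    for src, kinds in seen.items():
        for kind, ports in kinds.items():
            if len(ports) >= min_ports:
                alerts.setdefault(src, {})[kind] = sorted(ports)
    return alerts


# Constructed sample: one Xmas sweep, one Null sweep, normal traffic, one lone FIN.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 192.168.56.1:40001 -> 192.168.56.101:21 flags=FPU",
    "2024-05-01T10:00:00 192.168.56.1:40002 -> 192.168.56.101:22 flags=FPU",
    "2024-05-01T10:00:00 192.168.56.1:40003 -> 192.168.56.101:23 flags=0x29",
    "2024-05-01T10:00:01 192.168.56.1:40004 -> 192.168.56.101:25 flags=FPU",
    "2024-05-01T10:00:01 192.168.56.1:40005 -> 192.168.56.101:80 flags=FPU",
    "2024-05-01T10:00:01 192.168.56.1:40006 -> 192.168.56.101:443 flags=FPU",
    "2024-05-01T10:00:02 192.168.56.9:50001 -> 192.168.56.101:22 flags=",
    "2024-05-01T10:00:02 192.168.56.9:50002 -> 192.168.56.101:80 flags=",
    "2024-05-01T10:00:02 192.168.56.9:50003 -> 192.168.56.101:139 flags=0x00",
    "2024-05-01T10:00:02 192.168.56.9:50004 -> 192.168.56.101:443 flags=",
    "2024-05-01T10:00:02 192.168.56.9:50005 -> 192.168.56.101:445 flags=",
    "2024-05-01T10:00:03 192.168.56.50:51000 -> 192.168.56.101:80 flags=S",
    "2024-05-01T10:00:03 192.168.56.101:80 -> 192.168.56.50:51000 flags=SA",
    "2024-05-01T10:00:04 192.168.56.7:3000 -> 192.168.56.101:22 flags=F",
]

if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_LOG).items():
        for kind, ports in kinds.items():
            print(f"{src}: {kind} scan against {len(ports)} ports {ports}")
```

The threshold matters: a single FIN to one port (the last sample line) is what a normal connection teardown looks like, so only a source touching several distinct ports with the same stealth probe is reported. SYN probes are not counted here because a SYN to one port is also just a normal connection attempt; counting distinct SYN'd ports per source is the analogous check for -sS and -sT.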


What are the FIN flag, PSH flag and URG flag?

It is better to learn some networking concepts to understand them properly.

http://stackoverflow.com/questions/9153566/difference-between-push-and-urgent-flags-in-tcp


I can't explain it in as much detail as that link does :P



5. -sP [Ping Scan]

Just as we ping google.com, we can do a Ping Scan using nmap.

It is only used to find out whether the host is alive or not.

nmap -sP 192.168.56.101



6. -sV [ Version Detection ]

It is used to find out what software version is running on the target computer on each open port.

nmap -sV 192.168.56.101


7. -sI [Idle Scan]

An advanced scan which provides complete anonymity.

In an idle scan, Nmap does not send the packets from your real IP address; instead of generating the packets from the attacker machine, Nmap uses another host (the zombie) on the target network to send the packets.

nmap -sI zombieHost targetHost

nmap -sI 192.168.56.1 192.168.56.101

zombie host :-> 192.168.56.1
target host :-> 192.168.56.101



8. -O [OS Detection]

Used to find out the OS.

nmap -O 192.168.56.101


Nmap OS fingerprinting discovers the:

Device type (router, workstation, and so on)
Running (the running operating system)
OS details (the name and the version of the OS)
Network distance (the distance in hops between the target and the attacker)



If the target system uses an IDS/IPS, then use -PN (treat all hosts as online and skip the ping)

nmap -O -PN 192.168.56.101/24


We can also make Nmap guess the operating system more aggressively using :-> --osscan-guess



9. To scan faster use the -T option, like

nmap -T5 192.168.56.101/24


and for more detailed output use -v (verbose mode)

nmap -v 192.168.56.101



=======================================================================


            <=== NSE [ Nmap Script Engine ] ===>
================================================


NSE is the most powerful feature of the Nmap scanner.

The Nmap scripting engine allows us to write scripts that we can use with Nmap to automate almost any task.

The Nmap man page contains the following regarding the Nmap scripting engine commands:

           SCRIPT SCAN:

             -sC: equivalent to --script=default

             --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories

             --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

             --script-trace: Show all data sent and received

             --script-updatedb: Update the script database.

The --script-trace option is used for debugging purposes, to show all sent and received data.



SCRIPT CATEGORIES :->

1. auth : scripts that work with authentication credentials

2. broadcast : scripts that discover active hosts by broadcasting on a local network and adding them to a target list.

3. brute : scripts that bruteforce the credentials of the remote hosts

4. default : scripts that automatically run with the -sC or -A options

5. discovery : scripts that try to get more information about the target network

6. dos : scripts that may crash the target application and therefore cause a denial of service on the target.

7. exploit : scripts that may be able to exploit the target application

8. external : scripts that send data to a third-party server over the network (e.g. whois)

9. fuzzer : scripts that send invalid random data to the target to find undiscovered bugs

10. intrusive : scripts that can cause the target to fail

11. malware : scripts that test whether the target is infected by malware or backdoors

12. safe : scripts that can be run safely, so they will not crash a server

13. version : scripts that can determine the version of the application running on a target (they are run only when the -sV option is specified)

14. vuln : scripts that can check whether the target is vulnerable to specific attacks


======================================================================





Hello Friends. I am CodeNinja a.k.a. Aakash Choudhary

If you want to increase your knowledge of web pentesting and bug finding, then I am sharing some important blogs and slides to read which will increase your knowledge.

I will update these lists from time to time.

Thanks
[BLOGS]
  1. Shawar Khan
  2. Ajay Singh Negi
  3. Ali Hasan
  4. INFOSEC Resources [Always Follow]


[SLIDES]

  1. Secret Life of a Bug Hunter
  2. IDOR [Insecure Direct Object Reference]
  3. Logical Attacks

[Youtube]





Hi friends, I am CodeNinja a.k.a. Aakash Choudhary

Today I am sharing tips related to bug hunting which I learned from my brother "Shawar Khan", so full credit goes to him.


Browse the site you want to test and then try to find all APPLICATION ENTRY POINTS.

Example :
  1. GET
  2. POST
  3. COOKIE
  4. SEARCH BOX
  5. Comment Section
  6. Contact Us Section
  7. Hidden POST fields in FORMS
  8. LOGIN

After finding the user input fields (you can also call them application entry points), try testing those fields.

Try to understand the mechanism of those fields: what actions do those fields perform?



Check the JAVASCRIPT validation and try to understand it.



The next thing to remember during TESTING is to always test both the CLIENT SIDE and the SERVER SIDE validation of a request.

Try to intercept the Request/Response through Burp Suite to understand them.

Example :->

A PASSWORD Change form that I am going to test.

Three fields I see :->
  1. Current Password
  2. New Password
  3. Confirm New Password

So in this MECHANISM we have to supply the current password.
For testing, intercept this request in Burp Suite and remove the parameter :-> Current Password, then forward the request. If we see a
200 OK response, it means we bypassed the server-side request validation.
Note that first you input any text as the current password and input your new password in the next two fields, and then intercept it.
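To see why the test above works, here is that password-change mechanism written twice in Python, as an added example (not code from the original post, and not from any real site): a handler that only checks the current password when the client happens to send the field, which is exactly the server-side gap the bypass test detects, next to a hardened handler that verifies it on the server whatever the request contains. The in-memory user store, the form field names and the password policy are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Added example (not from the original post): the password-change handler
# as a client-trusting version and a server-enforced version.

ITERATIONS = 100_000  # PBKDF2 rounds for the demo; tune for real deployments


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class User:
    """Constructed in-memory user record (stands in for a database row)."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)

    def verify(self, candidate: str) -> bool:
        # constant-time compare so timing does not leak how many bytes matched
        return hmac.compare_digest(hash_password(candidate, self.salt), self.pw_hash)

    def set_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new_password, self.salt)


def change_password_vulnerable(user: User, form: Dict[str, str]) -> Tuple[int, str]:
    """Checks the current password only if the client sent the field, i.e. it
    relies on the browser-side form always including it. Removing the
    parameter in the intercepted request skips the check entirely."""
    if "current_password" in form and not user.verify(form["current_password"]):
        return 403, "current password is wrong"
    new = form.get("new_password")
    if not new or new != form.get("confirm_password"):
        return 400, "new passwords do not match"
    user.set_password(new)
    return 200, "OK"


def change_password_hardened(user: User, form: Dict[str, str]) -> Tuple[int, str]:
    """Every check is enforced server-side, whatever the client omitted."""
    current = form.get("current_password", "")   # missing field == wrong password
    new = form.get("new_password", "")
    confirm = form.get("confirm_password", "")
    if not user.verify(current):
        return 403, "current password is wrong"
    if not new or new != confirm:
        return 400, "new passwords do not match"
    if len(new) < 12 or new == current:           # assumed policy for this example
        return 400, "new password does not meet policy"
    user.set_password(new)
    return 200, "OK"


def demo() -> Dict[str, Tuple[int, str]]:
    """Replay the intercepted request, with current_password removed, against both handlers."""
    tampered_form = {"new_password": "N3w-passw0rd-value",
                     "confirm_password": "N3w-passw0rd-value"}
    alice = User("alice", "original-secret-1")
    bob = User("bob", "original-secret-1")
    return {
        "vulnerable": change_password_vulnerable(alice, dict(tampered_form)),
        "hardened": change_password_hardened(bob, dict(tampered_form)),
    }


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name:10s} -> {status} {msg}")
```

The vulnerable handler answers 200 OK to the tampered request, which is the signal the test above looks for; the hardened one answers 403 because a missing field is treated the same as a wrong password. The fix is the general rule behind the tip: JavaScript validation is a convenience for the user, and every check that matters has to be repeated on the server.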


To understand MECHANISMS better, see another MECHANISM example :-

The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed by a session token.
The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server.
Once the attacker has successfully stolen the session token of the user, the attacker is able to log into the victim's session by using the cookies which he has stolen.

Conclusion :->

Check both client-side and server-side request validation. Find the application entry points and then test them.


I will give more tips on this in future.

CREDIT :-> My brother [Shawar Khan]

Thanks





Career in the Pentesting Field

If you are totally new, a beginner who wants to become a successful hacker, then here is my guidance for you.



It took more than 3 years, and you can say there is no time limit to becoming a successful hacker, because we learn new things all the time and every second new hackers discover new stuff.

If you ask a pentester, they will tell you to start by learning coding.

Yes, because coding is the key to success.

I heard this from a hacker :->

"Try to write your own code, rather than using someone else's code and exploits. This will help you to gain whatever you want, and before doing things, know every detail and how those things work. Hacking is all about knowledge and skills."

<=== So start from scratch ===>

You should be familiar with a programming language.
For starting ->
1. Learn the fundamentals of programming from Lynda



2. Then move to Python as your first language [1. Automate The Boring Stuff With Python (great resource) & 2. Python for Pentesters & then 3. Black Hat Python]





3. Understand the basics of the C/C++ language.
     [Again use torrent]

4. Be familiar with the Bash scripting language

  1.      Download Here



5. Web programming languages -> HTML, CSS, JS, PHP, MySQL


  1. Start with codecademy

Please use torrent to find Udemy courses on web programming.

====================================
Now start with Linux

1. LINUX UTILITIES COOKBOOK

2. Linux Bible 9th Ed (2015)
====================================
Then Kali Linux books :->
1. pwk.1.0 [google it]
2. Kali Linux Cookbook
3. Kali Linux Web Penetration Testing Cookbook [Latest]

I especially like the PWK ebook

====================================

To become familiar with commands for both Windows & Linux, please read this ebook :->

RTFM [Red Team Field Manual]

====================================

Now read the following ebooks to start your journey in hacking :->

1. Ethical Hacking and Penetration Testing Guide
2. Mastering Wireshark - Charit Mishra
3. The Web Application Hacker's Handbook

4. The Hacker Playbook 2: Practical Guide To Penetration Testing

====================================

Friends, to learn Linux practically you should use VirtualBox or VMware, which are virtual machine software, and you can run many operating systems in such a machine.

Please don't think of using Linux as your main OS at the start.

Use Windows as the main OS and then run Linux under Windows in a virtual machine.

For starting, use Ubuntu to learn the basics of Linux using those ebooks which I mentioned above.

And use either Kali, BackBox or Parrot OS as your attacker machine in a virtual machine.

===================================

Friends, I am not telling you here how to build your pentesting lab, because when you read those ebooks you will learn to make your own pentesting lab.

===================================

Best Tools for Pentesters :->

1. Burp Suite
2. OWASP ZAP
3. Nikto
4. Nmap
5. SecLists (and FuzzDB)
6. WebScarab
7. recon-ng
8. Netcat
9. DirBuster

Most pentesters use the above tools.

And you should mostly rely on your brain, not on tools, but you must use the above tools, which really help pentesters.

In this blog I will make tutorials on using those tools, like NMAP, Netcat, Burp Suite etc.

===================================
Some awesome YouTube channel collection :->
(I will add to it from time to time)
1. SSTec Tutorial
2. aakash choudhary
3. Pentesting With Spirit
4. Penetration Testing in Linux  [highly suggested]
5. Amir Muzaffar
6. webpwnized [highly suggested]

===================================

Hello friends, I also want to say that if you are reading ebooks and also want to learn practically, then start with wargames, because they also increase your knowledge.

Here is the link :->

overthewire.org/wargames/

Also, friends, stay tuned with vulnhub.com,
as it provides many vulnerable machines to practice on.
When you get stuck in practicing, then look for a walkthrough on Google, YouTube or vulnhub.com.

===================================

For bug hunting :->

1. https://forum.bugcrowd.com/t/researcher-resources-tutorials/370

2. h1.nobbd.de

Lastly I want to say just PRACTICE PRACTICE PRACTICE PRACTICE & JUST PRACTICE

Thanks for reading. Stay tuned with my blog

THANKS
regards : CodeNinja a.k.a. Aakash Choudhary


Hello Friends, I am CodeNinja a.k.a. Aakash Choudhary.

I started this blog for myself and for those who want to make their career in penetration testing.


I will share many resources for beginners and my guidance, so that you guys take your career in the right direction.


Also I will include some CTF solutions, and I will share my web hacking/pentesting skills with my friends.
