Arjun - HTTP Parameter Discovery Suite

Arjun is a web application security tool that helps find the query parameters an endpoint accepts. Attackers use such parameters to hunt for vulnerabilities, for example XSS (Cross-Site Scripting), SQL injection, LFI and RFI. With this tool you learn which parameters an endpoint takes and which of them may be vulnerable; you can then try payloads against those parameters.

Consider the following example of how parameters (or queries) are used in web applications to accept user input. Here the parameter is id:

http://www.hackhunt.in/userinfo?id=92577488

Explanation: suppose a hidden parameter named admin, when set to true, makes this endpoint return extra information about the user whenever the URL is accessed. Such valid but undocumented HTTP parameters are what we need to identify, and that is exactly what Arjun does.

Installation

There are two ways to install the Arjun tool on a Kali Linux system:
  • One: The tool is published as a pip package, and on Kali it is usually already installed.
    [Figure: Arjun already installed on the machine]
  • Two: Clone it from GitHub: git clone https://github.com/s0md3v/Arjun.git
    [Figure: Cloning via the GitHub repository]
  • To install from the cloned repository, run: sudo python3 setup.py install
    [Figure: Manual installation]
  • After installing, you can check the tool's options with the --help or -h switch: arjun -h
    [Figure: Help command / all options]
  • For example, we take a deliberately vulnerable website, testphp.vulnweb.com. Search for anything in its search box and the parameters appear in the URL. Arjun needs a URL with parameters to work from, so copy that URL.
    [Figure: Getting a URL with a parameter]
  • -u: With this argument you specify the URL. In this scenario: $ arjun -u http://testphp.vulnweb.com/search.php?test=query
    [Figure: Searching for parameters]
  • Arjun reports that the goButton and searchFor inputs are reflected. From an attacker's point of view these parameters are not sanitized, so we can try a payload, for example a basic XSS payload: <script>alert("HackHunt")</script>
  • We can try the above payload in the search box.
    [Figure: Basic XSS payload]
  An executed XSS payload means this parameter is vulnerable. Similarly, you can find parameters with the help of this tool and then hunt with payloads.

  The remaining arguments:
  • -t: This argument sets the number of threads.
  • -c: This argument sets the chunk size (the number of parameters Arjun sends per request). Arjun picks a default by itself, but with this argument you can reduce or increase it.
  • --stable: This argument prefers stability over speed, because at higher speed Arjun can sometimes miss sensitive parameters.
  If all of these arguments are used together, the output is better, but the run takes longer to come back.
    [Figure: Result with the options]
  • After adding some arguments to the search-parameter URL, we tried the signup page of the same website (testphp.vulnweb.com) with -t (threads) = 100, and it found more parameters which may be vulnerable, such as uname and pass, alongside searchFor and goButton.
    [Figure: With 100 threads]
  • --passive: This argument helps when no parameter is found actively. It still gives output, because it collects possible vulnerable parameter names from passive sources such as wayback, gau, otx etc.
    [Figure: With --passive]
  Note: Some arguments take a suitable default on their own (for example -w, which is used for a wordlist, but by default Arjun has its own wordlist). So it is better not to change those arguments without reason, because Arjun already knows how to run with its default values. The help output also shows which arguments have a default and where you have to supply something.
  If you want to know how every argument works, refer to this document: https://github.com/s0md3v/Arjun/wiki/Usage
  We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.


    Brute Force Attack v/s Dictionary Attack

    Password cracking is, put simply, gaining unauthorized access to a victim's account using different methods; two of them are discussed below. There are many other ways of obtaining credentials, the most used one being a phishing attack. Below we discuss two types of cracking attacks.

    Brute-Force Attack 

    It is a type of attack in which the attacker tries passwords by trial and error against the victim machine, either with a predefined wordlist or with a wordlist of his own generated with crunch, in which the words need not make sense.

    This kind of attack is most often used for cracking WEP/WPA/WPA2 keys. The probability of getting the password via a brute-force attack is low. Also, if the attacker uses the same trick against a website, it might not work, as the website may enforce a maximum-attempt rule.

    The tools that can be used for brute forcing are:
    • aircrack-ng: used for WiFi passwords. Command: aircrack-ng -w <wordlist file> -b <MAC (BSSID) of the network> xyz.cap (the capture file containing the handshake)
    • hydra: used for web apps, SSH, FTP, etc. Command: hydra -l <single username> or -L <wordlist of usernames>, -p <single password> or -P <list of passwords>, followed by <target> <module name (post or get form module)> <module parameters>

    Dictionary Attack

    In a dictionary attack the wordlist is built from basic information about the target, like name, date of birth, etc. In the case of a website, CeWL is the best tool, as it crawls the website for words of the specified minimum length, collects them in a file and stores it as a wordlist.

    A dictionary attack is similar to brute force in that both use a wordlist, but the words used in a dictionary attack are meaningful words, just like in a dictionary.

    One wordlist that can be used is rockyou.txt, which is available in "/usr/share/wordlists".

    CeWL command: cewl -m 5 -w <file in which the words should be stored> "<URL>" (here -m 5 is the minimum length of a word)
    These are the most commonly used tools; there are many more, like Medusa, Ncrack, WPScan, etc.
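Both of the tools above leave a recognisable trail in a web server's access log: Arjun (from the first post) sends requests stuffed with candidate parameter names, and a hydra-style attack leaves a burst of rejected login POSTs from one client. The detector below is an added example, not code from this blog or from either tool; the log lines are constructed, and the /login path and the thresholds are assumptions.

```python
"""Spot parameter-discovery probes and login brute force in web access logs.

Added example, not code from the post: a small detector run over a few
constructed Apache/Nginx "combined" format log lines. It flags two patterns:
  * requests carrying an unusually large number of query parameters, the
    signature of a tool such as Arjun probing a wordlist of names in chunks;
  * a burst of failed POSTs to the login page from one client, which is what
    a hydra-style password attack leaves behind (and what a maximum-attempt
    rule would stop).
The /login path and the thresholds are assumptions chosen for this example.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one ordinary visitor, one parameter probe, one login burst.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?test=query HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?test=query&admin=1&debug=1&id=1&user=1&page=1&lang=1&cmd=1&file=1&path=1&token=1&key=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search.php?test=query&name=1&q=1&s=1&type=1&view=1&action=1&mode=1&redirect=1&url=1&next=1&callback=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def param_probe_sources(records, max_params=10, max_distinct=20):
    """Client IPs whose requests look like parameter discovery: a single request
    with far more query parameters than the application uses, or many distinct
    parameter names tried against the same path over time."""
    flagged = set()
    names_per_path = defaultdict(set)
    for rec in records:
        if len(rec["params"]) > max_params:
            flagged.add(rec["ip"])
        names_per_path[(rec["ip"], rec["path"])].update(rec["params"])
    for (ip, _path), names in names_per_path.items():
        if len(names) > max_distinct:
            flagged.add(ip)
    return sorted(flagged)


def login_bruteforce_sources(records, login_path="/login", max_failures=5):
    """Client IPs with more than max_failures rejected POSTs to the login page."""
    failures = Counter(
        rec["ip"] for rec in records
        if rec["method"] == "POST" and rec["path"] == login_path and rec["status"] in (401, 403)
    )
    return sorted(ip for ip, count in failures.items() if count > max_failures)


def analyze(log_text):
    records = parse_log(log_text)
    return {
        "param_probes": param_probe_sources(records),
        "login_bruteforce": login_bruteforce_sources(records),
    }


if __name__ == "__main__":
    for kind, ips in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```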

    Phishing v/s Vishing v/s SMShing


    PHISHING

    According to Wikipedia, phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, or other sensitive details, by disguising oneself as a trustworthy entity in a digital communication.

    In a nutshell, phishing is a type of attack that typically tries to trick the victim into clicking a link or executing malware. It is typically carried out by sending fake emails or instant messages pointing to a fake website that looks legitimate, so that the victim enters credentials there. It is also a form of social engineering.

    SMiShing

    • SMS phishing uses text messages to deliver the bait that lures victims into divulging their personal information.
    • Smishing attacks typically invite the user to click a link, call a phone number or contact an email address provided by the attacker in the SMS message.
    • The victim is then asked to provide sensitive information. Moreover, URLs may not be displayed fully on mobile browsers, which makes it harder to tell whether a webpage is genuine.
    • As the use of mobile phones has increased in the past few years, a malicious link sent via SMS can yield the same result as it would via email.

    VISHING

    • Vishing is phishing over a voice call.
    • Not all attacks require a fake login website.
    • Text messages claiming to be from a bank tell users to dial a number if they want to resolve an issue with their bank account or get a discount on their credit card.
    • When the phone number is dialed, the victim is asked to enter their account number and PIN.
    • The attacker may also present fake caller-ID data to make the call look legitimate (in this case the name shown by Truecaller or any other caller-ID application works as the bait).
    If you encounter a number or email address involved in these malicious activities, please report that email ID or phone number using our contact-us form.


    Stabilize Shell in netcat

    netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. We can use netcat to receive a reverse shell from a remote machine.

    A reverse shell is a shell session established over a connection that is initiated from the remote machine, not from the local host.

    A bind shell is a type of shell in which the target (victim) machine opens a communication port or listener and waits for an incoming connection.

    Netcat is a very good tool for receiving connections and enumerating further. After connecting to a device, however, the raw netcat shell does not provide many of the usual shell features, such as shell history or keyboard shortcuts. To use those features and stabilize the connection, follow the steps below:


    • Connect to the remote shell:
      nc <IP> <PORT>
    • Spawn a remote pseudoterminal:
      python -c "import pty; pty.spawn('/bin/bash')"
    • Background your raw shell:
      C-z (Ctrl + Z)
    • Set the local terminal to raw mode:
      stty raw -echo
    • Foreground your remote shell:
      fg


    This gives you a full terminal that will not exit on C-c.

    These added steps for every reverse shell become repetitive after a while. There is also a danger of losing the remote shell by accidentally pressing C-c before raw mode is in place.

    Pwncat fixes this by running a script on the target machine, containing all of these commands, as soon as it receives a connection.





    Detect ARP Attacks via XArp Tool



    XArp is a security application that uses advanced techniques to detect ARP-based attacks. Using active and passive modules, XArp detects attackers inside your network. ARP attacks allow an attacker to silently eavesdrop on or manipulate all the data you send over the network.
    **NOTE - This tool is available for Windows and Ubuntu users only.
    • Download the XArp tool from the official website.
    • Alternative link (from Mediafire).
    • Install the tool:
      • Windows: simple installer.
      • Ubuntu: in the terminal, change to the directory containing the file and run dpkg -i <File_Name>.
    • If the system is not under attack, you will see a screen like this:
      [Figure: XArp status when no attack is detected]
    • If the system is under attack, you will see a screen like this:
      [Figure: XArp reporting an ARP attack]
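What XArp's passive module watches for can be shown with a small monitor of our own. The code below is an added example and not XArp's code: it feeds a constructed list of ARP frames through a detector that alerts on a gateway IP suddenly answered from a new MAC, on one MAC claiming several IPs, and on a burst of ARP requests from a single host; the frames, the trusted gateway binding and the thresholds are all assumptions.

```python
"""Passive ARP monitor, in the spirit of XArp's passive detection module.

Added example, not XArp's code: a constructed list of ARP frames, as a real
monitor would read them from a raw socket or a pcap, is fed through a
detector that raises the alerts this post is about: the gateway IP suddenly
answered from a new MAC (ARP spoofing), one MAC claiming several IPs, and a
burst of ARP requests from one host (an ARP-based network scan). The frame
list, the trusted gateway binding and all thresholds are assumptions.
"""
from collections import defaultdict

REQUEST, REPLY = 1, 2  # ARP opcodes

# Constructed frames: (timestamp_s, opcode, sender_mac, sender_ip, target_ip)
SAMPLE_FRAMES = [
    (0.0, REPLY, "aa:aa:aa:aa:aa:01", "192.168.0.1", "192.168.0.20"),     # gateway answers normally
    (1.0, REPLY, "aa:aa:aa:aa:aa:20", "192.168.0.20", "192.168.0.1"),     # host .20 answers normally
    (2.0, REQUEST, "aa:aa:aa:aa:aa:20", "192.168.0.20", "192.168.0.30"),  # an ordinary lookup
    (5.0, REPLY, "de:ad:be:ef:00:99", "192.168.0.1", "192.168.0.20"),     # gateway IP from a new MAC
    (5.1, REPLY, "de:ad:be:ef:00:99", "192.168.0.20", "192.168.0.1"),     # same MAC also claims .20
]
# Thirty ARP requests within 0.3 s from one host: what an ARP scanner produces.
SAMPLE_FRAMES += [
    (10.0 + i * 0.01, REQUEST, "aa:aa:aa:aa:aa:30", "192.168.0.30", f"192.168.0.{i + 1}")
    for i in range(30)
]


class ArpMonitor:
    def __init__(self, trusted=None, max_ips_per_mac=1, scan_window=2.0, scan_threshold=20):
        self.trusted = dict(trusted or {})      # IP -> MAC bindings that must never change
        self.ip_to_mac = dict(self.trusted)     # learned table, seeded with the trusted ones
        self.mac_to_ips = defaultdict(set)
        self.request_times = defaultdict(list)  # MAC -> timestamps of its recent requests
        self.max_ips_per_mac = max_ips_per_mac
        self.scan_window = scan_window
        self.scan_threshold = scan_threshold
        self.reported = set()                   # (kind, key) pairs already alerted on
        self.alerts = []                        # (timestamp, kind, message)

    def _alert(self, ts, kind, key, message):
        """Record an alert once per (kind, key) so a flood does not repeat it."""
        if (kind, key) not in self.reported:
            self.reported.add((kind, key))
            self.alerts.append((ts, kind, message))

    def _check_reply(self, ts, smac, sip):
        known = self.ip_to_mac.get(sip)
        if known is None:
            self.ip_to_mac[sip] = smac          # first sighting: learn the binding
        elif known != smac:
            kind = "spoofed_trusted_binding" if sip in self.trusted else "ip_mac_change"
            self._alert(ts, kind, (sip, smac), f"{sip} was {known}, now claimed by {smac}")
        self.mac_to_ips[smac].add(sip)
        if len(self.mac_to_ips[smac]) > self.max_ips_per_mac:
            self._alert(ts, "multi_ip_mac", smac, f"{smac} claims {sorted(self.mac_to_ips[smac])}")

    def _check_request(self, ts, smac):
        # Keep only the requests inside the sliding window, then count them.
        recent = [t for t in self.request_times[smac] if ts - t <= self.scan_window] + [ts]
        self.request_times[smac] = recent
        if len(recent) > self.scan_threshold:
            self._alert(ts, "arp_scan", smac, f"{smac} sent {len(recent)} ARP requests in {self.scan_window}s")

    def process(self, frame):
        ts, opcode, smac, sip, _tip = frame
        if opcode == REPLY:
            self._check_reply(ts, smac, sip)
        elif opcode == REQUEST:
            self._check_request(ts, smac)


def scan_frames(frames, trusted=None):
    """Run all frames through a fresh monitor and return its alerts in order."""
    mon = ArpMonitor(trusted=trusted)
    for frame in frames:
        mon.process(frame)
    return mon.alerts


if __name__ == "__main__":
    for ts, kind, msg in scan_frames(SAMPLE_FRAMES, {"192.168.0.1": "aa:aa:aa:aa:aa:01"}):
        print(f"[{ts:6.2f}] {kind}: {msg}")
```

Without a trusted binding the monitor can only learn the first MAC it sees for the gateway, so seeding it with the real one is what turns a generic change into a definite spoofing alert.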




    Network Scanner v1.0



    Network Scanner is a free, open-source tool that can be used to scan the whole internal network.

    The source code is written in Python and can be reused. This tool is licensed under the GNU General Public License v3.0. Make sure you read the license before using its source code.

    Network Scanner supports the Linux/Debian platform only.

    How to use:

    • Make setup.sh executable:
      • chmod 755 setup.sh
    • Run setup.sh:
      • ./setup.sh
    • Run the Python script with root privileges:
      • sudo python3 network_scanner.py

    Available Arguments:

    • -h or --help: Displays all the available options.
    • -i or --interface: Defines the interface on which you want to scan the network. Example: sudo python3 network_scanner.py -i <interface_name>
    • -r or --range: Defines the network IP and the subnet mask. Examples: 192.168.0.1/24, 10.0.0.0/8 or 172.16.0.0/12. Command: sudo python3 network_scanner.py -i <interface_name> -r <range/mask>

    **NOTE -
    • You need to be connected to the network you are scanning, as the program is based on ARP requests.
    • Check the video at the bottom for a full tutorial on how to use it.

    Color Significance:

    • Green: Successful.
    • Yellow: In process.
    • System Color: Result.
    • Red: Unsuccessful or Errors.

    To download the tool:

    • In the terminal type: git clone https://github.com/hackhunt/network-scanner/

    ARP Spoofer v1.0



    ARP Spoofer is a free, open-source tool that can be used to perform a man-in-the-middle attack.

    The source code is written in Python and can be reused. This tool is licensed under the GNU General Public License v3.0. Make sure you read the license before using its source code.

    ARP Spoofer supports the Linux/Debian platform only.

    It is easier to use than arpspoof (the tool built into Kali Linux).

    How to use:

    • Make setup.sh executable:
      • chmod 755 setup.sh
    • Run setup.sh:
      • ./setup.sh
    • Run the Python script with root privileges:
      • sudo python3 arp_spoofer.py

    Available Arguments:

    • -h or --help: Displays all the available options.
    • -i or --interface: Required. Defines the interface on which to start spoofing.
    • -r or --router: Required. Defines the router's IP address.
    • -t or --target: Required. Defines the target's IP address.
    **Note:
    • You need to be connected to the same network, as this program is based on ARP requests.
    • Check the video at the bottom for a full tutorial on how to use it.

    Color Significance:

    • Green: Successful.
    • Yellow: In process.
    • System Color: Result.
    • Red: Unsuccessful or Errors.

      To download the tool:

      • In the terminal type: git clone https://github.com/hackhunt/arp-spoofer/

      Concept of XSS

      Cross-site scripting is also known as XSS, where X stands for CROSS and SS stands for SITE SCRIPTING (just our assumption). It is an injection-based attack in which the attacker submits malicious code that is accepted by the server and has the ability to harm the company's infrastructure or leak the PII (personally identifiable information) of its users.

      XSS is the most common type of vulnerability and has a permanent place in the OWASP Top 10. Using popular, modern frameworks while developing a website might reduce the risk of cross-site scripting, but it will not eradicate the risk completely. So XSS will always be there, no matter what.

      XSS can be found wherever user input is accepted by the web application: the username, address and profile fields, or even the file name of an image uploaded to the server.

      TYPES OF XSS:

      There are mainly three types of XSS:
      • Reflected XSS
      • Stored XSS
      • DOM XSS

      Reflected XSS

      Reflected XSS arises when the malicious code supplied by the attacker is immediately returned in the site's response. An attacker can only exploit reflected XSS by tricking the user into opening the vulnerable page of the website; the attacker can then steal the session cookies, impersonate the user and gain full access to their account, and can also virtually deface the website.

      In other words, reflected XSS arises when user input is not sanitized properly, is echoed back by the server and is then executed in the victim's browser.

      For Example:

      There is an online shopping portal that has a search function; its URL for the search term knowledge will be
      https://vulnerable-website.com/search?term=knowledge

      and when the attacker searches for JavaScript code instead of the item he wishes to find, the URL will look like
      https://vulnerable-website.com/search?term=<script>alert(1)</script>

      [Figure: Reflected XSS example]
      Here the browser treats the malicious code injected by the attacker as legitimate code coming from the site and executes it, which results in a pop-up alert box.

      An attacker can only exploit this vulnerability by tricking the user into opening the link. This can be done by placing the unsafe link on an attacker-controlled website or sending it through messages or emails.
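The search example above, written as a minimal server-side handler in two versions, is an added example and not code from this post: the vulnerable version pastes the decoded term straight into the HTML, while the fixed version escapes it for the HTML context and sends a Content-Security-Policy header as a second layer. The page layout, the CSP value and the percent-encoded variant of the URL are assumptions for the example.

```python
"""Reflected XSS in the /search?term= example: vulnerable vs. fixed rendering.

Added example, not code from the post. Both handlers decode the query string
the way a web framework does, which is why percent-encoding the payload does
not protect the vulnerable handler: the server decodes it before reflecting
it. The page markup and the CSP value are assumptions for this example.
"""
import html
from urllib.parse import parse_qs, urlsplit

PAYLOAD_URL = "https://vulnerable-website.com/search?term=<script>alert(1)</script>"
ENCODED_URL = "https://vulnerable-website.com/search?term=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def search_term(url):
    """Extract the term parameter as a framework would: percent-decoded."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("term", [""])[0]


def render_vulnerable(url):
    """Reflects the raw term into the page body: the bug the post describes."""
    term = search_term(url)
    body = f"<h1>Results for {term}</h1><p>No items matched {term}.</p>"
    return {"status": 200, "headers": {"Content-Type": "text/html; charset=utf-8"}, "body": body}


def render_fixed(url):
    """Escapes the term for the HTML body context and adds a CSP as a second layer."""
    term = html.escape(search_term(url), quote=True)
    body = f"<h1>Results for {term}</h1><p>No items matched {term}.</p>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Scripts may load only from our own origin, so an inline <script> that
        # slipped past escaping somewhere else would still not run.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return {"status": 200, "headers": headers, "body": body}


def reflects_raw_script(response):
    """True if the response body still contains a live <script> tag."""
    return "<script>" in response["body"].lower()


if __name__ == "__main__":
    for name, url in (("plain", PAYLOAD_URL), ("percent-encoded", ENCODED_URL)):
        print(f"{name} payload, vulnerable handler: script reflected = "
              f"{reflects_raw_script(render_vulnerable(url))}")
        print(f"{name} payload, fixed handler:      script reflected = "
              f"{reflects_raw_script(render_fixed(url))}")
```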

      Ways to find reflected XSS:
      • Find every parameter on the website.
      • Try injecting simple payloads like <script>alert(1)</script>.
      • Watch the website carefully: if it accepts the code and you see a pop-up, congratulations, you have found an XSS. If it doesn't, ask yourself what is stopping the payload from firing, whether a firewall or sanitization, or use Burp Suite to check and experiment.
      • If the website doesn't allow some characters like ", >, <, / or tags like script, try their alternatives or try encoding them; the developer might let encoded input through.
      • Try different payloads and learn which characters are allowed and which are blocked. This gives you a lot of insight into how the web application works.

      STORED XSS

      As you might have guessed from the name, stored XSS is a type of XSS where the malicious code supplied by the attacker is stored on the server and executes whenever a user visits the page. It is also referred to as persistent XSS.

      Generally, this type of XSS is found in the comments or posts section of a website, where user input is stored on the server. Sometimes XSS can even be stored in a username or in a user's profile display name, and the payload fires for whoever visits that user's profile.

      Blind cross-site scripting is a form of persistent XSS. It occurs when the attacker's payload is saved on the server and reflected back to the victim from a backend application. For example, with a feedback form an attacker can submit the malicious payload through the form, and once a backend user or admin of the application opens the submitted form in the backend application, the attacker's payload executes. Blind XSS is hard to confirm in real-world scenarios, but one of the best tools for it is XSS Hunter.

      DOM-Based XSS

      This type of XSS occurs when JavaScript supplied by the user enters through a source and is written out by a sink.

      This is one of the hardest types of XSS to find.

      If the web application's JavaScript code reads data from any of the sources below into a variable and passes that variable to one of the sinks, we can inject our own JavaScript code into it.
      Sources:
      document.URL
      document.referrer
      location
      location.href
      location.search
      location.hash
      location.pathname
      Sinks:
      element.innerHTML
      element.outerHTML
      setInterval()
      eval()
      setTimeout()
      document.write()
      document.writeln()
      If the JavaScript code we supply passes from one of the sources into one of the sinks, we get our XSS pop-up.

      Let's see an example.
      [Figure: DOM-based example]
      Here we can see that the source is location.href, from which the part after the # is taken into a variable. If we can inject our payload after the #, it is written out in the third line, divElement.innerHTML = source; // sink, and our XSS pops up.

      POLYGLOT: The King Payload

      An XSS polyglot is a mixture of different injections and payloads. These are generally made by bug hunters with a lot of experience.

      These polyglots are used to break out of the HTML and get past all the blacklists and whitelists placed to prevent alert boxes from popping.

      Some of the examples for XSS polyglots are:



      Intercept Request using BurpSuite to use in SQLMap


      SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. Burp Suite is a web vulnerability scanner and intercepting proxy.

      USING REQUEST TO FIND SQLI

      • Intercept the POST request using Burp Suite.
      • If the request is not a POST (for example a GET request), right-click > Change request method; the method is changed to POST.
        [Figure: request method changed to POST in Burp Suite]
      • After you have intercepted the POST request, save it to a file: right-click > Copy to file, then choose a name and location for the file.
      • Fire up the terminal and pass the file to SQLMap with the -r switch.
        • Syntax: sqlmap -r <file_location>
        sqlmap -r post_req_file -p "name" --dbs --threads 5
      • The switches used in the above example are:
        • -r: request file
        • -p: parameter(s) to test
        • --dbs: enumerate databases
        • --threads: number of threads to run

      SQLMap


      SQLMap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

      Features of SQLMap

      • It is highly compatible.
      • It can bypass a WAF (web application firewall) with tamper scripts.
      • It is easy to use and beginner-friendly.
      • It can test thousands of payloads automatically without user interaction.

      Use of SQLMap

      • Fire up the terminal and type sqlmap --help.
      • There are many different ways to use it, such as:
        • Using the URL of the target website.
        • Using a request to the website (which can be captured using Burp Suite).
      [Figure: SQLMap help output]

      Understanding different options

      • -v (verbose): gives you details about the process currently going on.
      • -u (URL): the most important option; it specifies the target URL we want to hunt on.


      REQUEST

      Alternatively, you can paste the entire request into a text file and scan it with SQLMap using the -r flag. SQLMap is quite good at identifying the parameters automatically and scanning them for SQLi.
      • --data: tests for SQL injection in the POST parameters.
      • --cookie: lets sqlmap use the given cookies.
      • --random-agent: automatically changes the user-agent after a specified period of time to a randomly selected one, thus hiding the real user-agent.
      • --proxy: connects through a proxy, which helps to stay anonymous.


      INJECTION

      • -p: A URL can contain two, three or more parameters; in that case we can use this option to target a specific parameter.
      • --dbms: If the database behind the application is known, you can specify it and sqlmap will use the payloads for that database.


      DETECTION

      • --level: level of the tests to perform, ranging from 1 to 5 (default 1).
      • --risk: risk of the tests to perform, ranging from 1 to 3 (default 1). Higher values give sqlmap permission to use some heavy SQL queries.


      GENERAL

      • --batch: runs sqlmap non-interactively; it never asks for user input and uses the default behaviour.

      ENUMERATION CHEATSHEET

      TAMPER SCRIPTS

      Tamper scripts are used to bypass a WAF.

      FEW EXAMPLES

      • sqlmap -u "https://www.example.com?productId=1" --random-agent --dbs --level=5 --risk=3
      • sqlmap -u "https://www.example.com?productId=1" --threads=10
      • sqlmap -u "https://www.example.com?productId=1" -v 3
      • sqlmap -u "https://www.example.com?productId=1" --batch
      • sqlmap -u "https://www.example.com?productId=1" --risk=3 --level=5
      • sqlmap -u "https://www.example.com?productId=1" --crawl=5 --crawl-exclude="logout" --forms


      Concept of SQL Injection


      SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

      In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure or perform a denial-of-service attack.


      Impact of a successful SQL injection attack:

      A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period. According to the OWASP Top 10, injection vulnerabilities such as this are the most used and most dangerous kind of vulnerability.


      Types of SQL injection attacks:

      • Error-based: This type of SQL injection relies on the error messages thrown by the database server, which might provide us with useful information about the database structure.
      • Union-based: This technique uses the SQL UNION operator to combine the results of two SELECT queries and return a single table. It allows an attacker to extract information from other tables by appending their rows to the results of the original query made to the database.
      • Blind injection: This happens when the application is vulnerable to SQL injection but the results of the SQL query are not returned in the HTTP response. In this case, we ask the database a true/false question and observe how the response differs between the true and the false condition. It is of two types:
        • Content-based: The database server is queried with a conditional statement, and the server's response is analyzed for any difference between a true condition and a false condition.
        • Time-based: This technique relies on injecting an SQL query that makes the database wait for a specific time depending on the specified condition. The time the server takes to send back a response tells whether the condition is true or false.
      • Out-of-band injection (uncommon): This is not a very common type of SQL injection, as it depends on features being enabled on the database server. It relies on the database server's capability to make a network request (HTTP, DNS or FTP) to send data to the attacker.
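The error-based, union-based and boolean-blind categories above can be seen side by side in a single vulnerable lookup, next to the parameterized version that is immune to all of them. This is an added example, not code from this post; it uses an in-memory SQLite database with constructed tables and rows, and the table and column names are assumptions.

```python
"""Vulnerable vs. parameterized query, illustrating the injection types above.

Added example, not from the post: an in-memory SQLite database (constructed
sample data) queried two ways. The vulnerable lookup builds SQL by string
concatenation, so an attacker-controlled productId can trigger the
error-based, union-based and boolean-blind behaviour described above. The
parameterized lookup treats the same input as a literal value, and none of
those inputs changes what the query does. Table names and rows are assumptions.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget');
        INSERT INTO users VALUES (1, 'admin', 'hash-not-a-real-secret');
    """)
    return db


def lookup_vulnerable(db, product_id):
    """Untrusted input is pasted into the statement: the flaw sqlmap hunts for."""
    sql = "SELECT id, name FROM products WHERE id = " + product_id
    try:
        return {"rows": db.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Echoing this text into the HTTP response is what makes error-based injection work.
        return {"rows": [], "error": str(exc)}


def lookup_fixed(db, product_id):
    """Same query with a bound parameter: the input is only ever a value, never SQL."""
    rows = db.execute("SELECT id, name FROM products WHERE id = ?", (product_id,)).fetchall()
    return {"rows": rows, "error": None}


# Inputs matching the post's categories (constructed for this example).
NORMAL = "1"
ERROR_BASED = "1'"                                  # unbalanced quote: a DB error leaks to the client
UNION_BASED = "1 UNION SELECT username, password_hash FROM users"
BLIND_TRUE = "1 AND 1=1"                            # same response as NORMAL ...
BLIND_FALSE = "1 AND 1=2"                           # ... while this one returns nothing


def compare(db):
    """Return, per input, what each implementation gives back."""
    cases = [("normal", NORMAL), ("error", ERROR_BASED), ("union", UNION_BASED),
             ("blind_true", BLIND_TRUE), ("blind_false", BLIND_FALSE)]
    return {label: {"vulnerable": lookup_vulnerable(db, value), "fixed": lookup_fixed(db, value)}
            for label, value in cases}


if __name__ == "__main__":
    for label, result in compare(make_db()).items():
        print(f"{label:11} vulnerable={result['vulnerable']}")
        print(f"{'':11} fixed     ={result['fixed']}")
```

In the parameterized version the text "1 AND 1=1" is compared with the integer column as a value, so it simply matches no row; the blind and union inputs become indistinguishable from any other wrong product id.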