Author: Hacking Tutorials

On Tuesday, November 1 2022 between 1300-1700 UTC, the OpenSSL project announced the release of a new version of OpenSSL (version 3.0.7) that will patch a critical vulnerability in OpenSSL version 3.0 and above. Only OpenSSL versions between 3.0 and 3.0.6 are affected at the time of writing. At this moment the details of this vulnerability are not yet disclosed, only that it is rated as critical (CVSS v3.0 Rating 9.0-10.0) and the affected versions. Due to the high CVSS score, which is not easily assigned to a CVE, it is very possible that the vulnerability is remote exploitable with a low attack complexity and a high impact. OpenSSL describes a critical vulnerability as follows: CRITICAL Severity. This affects common configurations which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to…

Following the previous tutorial in which we looked at the log4j vulnerability in VMWare vSphere server, I got some questions about how to set up a malicious LDAP server on Linux. The attacker controlled LDAP server is required to provide the malicious java class (with a reverse shell for example) in response to the forged LDAP request from the server running a vulnerable version of Log4j. There are quiet a few solutions out there that provide this functionality and one of them is Rogue-jndi. Rogue-jndi is a malicious LDAP server for JNDI injection attacks. In the next section I will give a short demonstration of how to install rogue-jndi on the latest version of Kali Linux. along with the required dependencies. To build rogue-jndi, Java v1.7+ and Maven v3+ are required on the system. Java is already installed by default so we only have to install Maven. Maven can be…

Log4Shell is a critical vulnerability with the highest possible CVSSv3 score of 10.0 that affects thousands of products running Apache Log4j and leaves millions of targets potentially vulnerable. CVE-2021-44228 affects log4j versions 2.0-beta9 to 2.14.1. Log4j is an incredibly popular logging library used in many different products and various Apache frameworks like Struts2, Kafka, and Druid. So far, many different commercial products have been confirmed vulnerable, including iCloud, Steam, Minecraft, AWS, VMware and many others. The critical Log4J vulnerability was privately disclosed to the Apache Software Foundation by a security researcher who initially discovered the issue but got public when the popular video game Minecraft published an update to resolve a security issue that allowing hackers to take over the server. After further investigation by the security community, it turned out that the vulnerability resided in a common package; Log4j. Minecraft server 18.1 uses a vulnerable version of Log4j. The…

Recently a “design flaw” in the Microsoft Exchange’s Autodiscover protocol was discovered by researchers that allowed access to 372,072 Windows domain credentials and 96,671 unique sets of credentials from applications such as Microsoft Outlook and third-party email clients. According to Amit Serper , the person who discovered the flaw, the source of the leak is comprised of two issues; the design of the Autodiscover protocol, more specifically the “back-off” algorithm, and the poor implementation of the protocol in some applications. This severe security issue allows an attacker that is able to sniff the network or control specific domains to capture domain credentials in plain text (HTTP basic authentication). In addition, when attackers have the ability to conduct large-scale DNS poisoning attacks, they could collect valid domain credentials on a large scale compromising the security of many businesses. The AutoDiscover service constructs a list of endpoints using the provided domain name…

A week before the 2019 holidays Citrix announced that an authentication bypass vulnerability was discovered in multiple Citrix products. The affected products are the Citrix Application Delivery Controller (formerly known as NetScaler AD), Citrix Gateway NetScaler ADC (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP appliance. Exploiting the vulnerability could allow an unauthenticated attacker to perform arbitrary code execution on the Citrix appliance. In the initial advisory, Citrix did not mention many details about the vulnerability which let many system administrators wondering if they are affected and how to identify attacks. At that time, over 80.000 organizations were affected by the vulnerability, including government organizations and many Fortune-500 companies. The vulnerability has been assigned CVE ID CVE-2019-19781 and affects the following supported product versions on all supported platforms: Citrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24NetScaler ADC and NetScaler Gateway version 12.1 all supported builds…

For all scans so far, we’ve only used the default scan configurations such as host discovery, system discovery and Full & fast. But what if we don’t want to run all NVTs on a given target (list) and only test for a few specific vulnerabilities? In this case we can create our own custom scan configuration and select only the NVTs that we want to test for. Please note that this is totally optional and I’d recommend against creating your own scanning configurations in most cases. The ‘Full and Fast’ and the ‘Full and Fast Ultimate’ are both fast and intelligent. These types of scans do not test SMB vulnerabilities on FTP ports while slow scans might test every single NVT on every single port. In the next section we will create a custom scan configuration that will only test for vulnerabilities present on printer devices. Vulnerability Scanning with OpenVAS…

In the previous parts of the Vulnerability Scanning with OpenVAS 9 tutorials we have covered the installation process and how to run vulnerability scans using OpenVAS and the Greenbone Security Assistant (GSA) web application. In part 3 of Vulnerability Scanning with OpenVAS 9 we will have a look at how to run scans using different scan configurations, review the results and also learn how to run credentialed scans. Finally, we will set up schedules that periodically fire up scanning tasks to automatically scan the network for hosts and vulnerabilities. For demonstration purposes I have booted up several random virtual machines and networked devices in my private lab which will be scanned throughout this tutorial. If you want to follow along with this tutorial, please make sure that you replace all environment specific variables such as IP addresses to match your own environment. Vulnerability Scanning with OpenVAS 9 Tutorials Vulnerability Scanning…

Is the previous tutorial Vulnerability Scanning with OpenVAS 9.0 part 1 we’ve gone through the installation process of OpenVAS on Kali Linux and the installation of the virtual appliance. In this tutorial we will learn how to configure and run a vulnerability scan. For demonstration purposes we’ve also installed a virtual machine with Metasploitable 2 which we’ll target with OpenVAS. If you don’t know how to install Metasploitable you can check out the installation tutorial for Metasploitable 2 (scroll down a bit) or Metasploitable 3. Before we can actually start vulnerability scanning with OpenVAS 9, we have to complete the following tasks: Create and configure a target. Create and configure a scan task. Run the scan. At this point of the tutorial you need to have OpenVAS 9.0 installed and configured. If you haven’t done this at this point I recommend to follow part 1 of vulnerability scanning with OpenVAS…

A couple years ago we did a tutorial on Hacking Tutorials on how to install the popular vulnerability assessment tool OpenVAS on Kali Linux. We’ve covered the installation process on Kali Linux and running a basic scan on the Metasploitable 2 virtual machine to identify vulnerabilities. In this tutorial I want to cover more details about automated vulnerability scanning starting with the installation process followed by setting up targets, running internal and external scans and finally define custom scanning configurations. Due to the length of the full tutorial we’ll split it into 2 or 3 parts that will be published in the upcoming weeks. In part 1 of this tutorial I want to cover the installation of the most recent version of OpenVAS 9.0, which was released in 2017. The latest version 9.0 introduces a new web interface which offers end users better ways to manage scanning options, assets and…

One of the most popular and most asked questions since I’ve started this blog is if I can recommend some good hacking books to read for beginners and more experienced hackers and penetration testers. In this article I want to highlight some hacking books and InfoSec books that I personally liked that cover subjects such as ethical hacking, penetration testing, web application penetration testing and other InfoSec related subjects. In addition to college degrees, certifications, hacking courses, taking up challenges and practical training, books are an invaluable source of information to keep your knowledge up-to-date and acquire new skills. Whether you’re a beginner in the field of InfoSec or a seasoned professional, mastery of new skills will open up many doors and allow you to progress in your career faster. The secret of becoming a (better) penetration tester, bug bounty hunter or IT professional is to not only focus on penetration testing books but also read books on related subjects such…