
Detecting and Attacking Services in Web Apps or Networks Using Sparta «Null Byte :: WonderHowTo



Automating port scanners, directory crawlers, and enumeration tools can be tricky for beginners just starting out with Kali Linux. Sparta solves this problem with a user-friendly graphical interface that simplifies the everyday tasks of a penetration tester.

Sparta, authored by Antonio Quina and Leonidas Stavliotis, is a Python-based GUI application that automates scanning, information gathering and vulnerability assessment with tools such as Nikto, WhatWeb, Nmap, Telnet, Dirbuster and Netcat. Designed around a simple point-and-click interface, it displays detected services in an intuitive, easy-to-navigate way.

Apart from a few minor updates, Sparta has not received any significant changes or new features since its initial release. Still, it's an excellent educational tool worth learning. This article goes well with Kody's Null Byte video below, focusing on Sparta's brute-force module and the Nikto web crawler and combining them with other tools to get the most out of it for pentesting and white-hat work.

Step 1: Installing and Starting Sparta

Sparta is preinstalled in most versions of Kali Linux. If it is missing, Kali users can install it with the following command:

  ~ # apt-get update && apt-get install sparta python-requests

  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following additional packages will be installed:
    avahi-daemon cutycapt finger firebird3.0-common firebird3.0-common-doc geoclue-2.0 iio-sensor-proxy javascript-common ldap-utils libapr1 libaprutil1 libaudio2 libavahi-core7 libavahi-glib1 libbrotli1
    libdaemon0 libdouble-conversion1 libfbclient2 libhyphen0 libjs-jquery libmng1 libnss-mdns libpcre2-16-0 libpq5 libqt4-dbus libqt4-declarative libqt4-designer libqt4-help libqt4-network libqt4-script
    libqt4-scripttools libqt4-sql libqt4-sql-mysql libqt4-svg libqt4-test libqt4-xml libqt4-xmlpattern libqt5core5a libqt5dbus5 libqt5gui5 libqt5network5 libqt5positioning5 libqt5
    libqt5quick5 libqt5sensors5 libqt5svg5 libqt5webchannel5 libqt5webkit5 libqt5widgets5 libqtassistantclient4 libqtcore4 libqtdbus4 libqtgui4 libserf-1-1 libssh-4 libsvn1 libtommath1 libwoff1
    libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-xinerama0 libxcb-xkb1 libxkbcommon-x11-0 libxslt1.1 python-asn1crypto python-python-python
    python-colorama python-crypto python-cryptography python-elixir python-enum34 python-flask python-impacket python-ipaddress python-itsdangerous python-jinja2 python-ldap3 python-markupsafe python-openssl
    python-pkg-resources python-pyasn1 python-pycryptodome python-pyinotify python-qt4 python-simplejson python-sip python-six python-sqlalchemy python-sqlalchemy-ext python-tool qdbus qt-at-at-at
    qt5-gtk-platformtheme qtchooser qtcore4-l10n qttranslations5-l10n rwho rwhod sparta xsltproc
  0 upgraded, 109 newly installed, 0 to remove and 0 not upgraded.
  Need to get 57.8 MB of archives.
  After this operation, 227 MB of additional disk space will be used.
  Do you want to continue? [Y/n]

From here, Sparta can be started from any terminal with the command sparta.

  ~ # sparta

  [+] Creating temporary files
  [+] Wordlist created/opened: /tmp/sparta-9AE08J-tool-output/sparta-usernames.txt
  [+] Wordlist created/opened: /tmp/sparta-9AE08J-tool-output/sparta-passwords.txt
  [+] Settings file loaded.

After the command runs, Sparta's graphical user interface appears. Alternatively, you can open Sparta in Kali directly from the "Information Gathering" section of the applications menu or through a quick search for the app. A terminal window still opens alongside it, showing where the temporary files are located.

Step 2: Scan Networks, Devices, or Web Apps

Sparta can scan a range of IP addresses on a network as well as the domain names of websites. If you know the IP range of the network, or the web app, that you want to review, go to the Scan tab and click "Click here to add host(s) to scope."

If you are scanning a network and do not know its range, use ifconfig in a new terminal window to find your own IP address on the network, then run ipcalc YourIPAddress and read the range shown next to "Network" in the result. If you only want to scan the router, use the "HostMin" address instead. Enter the IP address or IP range in the IP Range box of the Sparta prompt and click the "Add to scope" button when you are ready to scan.

To scan a web app instead, enter its URL or IP address, then click the "Add to scope" button when you are ready to scan.
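The ifconfig and ipcalc steps above can be reproduced in a few lines of Python, which makes it easier to see what the "Network" and "HostMin" fields actually are. The following is an added example, not code from the article or from Sparta: it parses a constructed ifconfig dump (the addresses are placeholders) and derives the CIDR range you would enter into Sparta's IP Range box, or just the HostMin address if you only want the router.

```python
import ipaddress
import re

# Constructed ifconfig output (not captured from a real host); the addresses are placeholders.
IFCONFIG_SAMPLE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.37  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe4e:66a1  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:4e:66:a1  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

INET_RE = re.compile(r"\binet (\d+\.\d+\.\d+\.\d+)\s+netmask (\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Map each interface name to its IPv4 (address, netmask) pair."""
    result, iface = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():       # "eth0: flags=..." starts a new interface block
            iface = line.split(":", 1)[0]
        m = INET_RE.search(line)
        if m and iface:
            result[iface] = (m.group(1), m.group(2))
    return result


def scan_scope(ip, netmask):
    """Derive the fields ipcalc prints as Network, HostMin, HostMax and Hosts/Net."""
    net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
    if net.prefixlen >= 31:                      # /31 and /32 reserve no network/broadcast address
        first, last, count = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last, count = net.network_address + 1, net.broadcast_address - 1, net.num_addresses - 2
    return {
        "network": str(net),        # the range to enter in Sparta's IP Range box
        "hostmin": str(first),      # typically the router, if you only want to scan that
        "hostmax": str(last),
        "hosts": count,
    }


def sparta_scope(ifconfig_text, iface="eth0", router_only=False):
    """Return the string to paste into Sparta: the CIDR range, or just HostMin."""
    ip, mask = parse_ifconfig(ifconfig_text)[iface]
    scope = scan_scope(ip, mask)
    return scope["hostmin"] if router_only else scope["network"]


if __name__ == "__main__":
    for name, (ip, mask) in parse_ifconfig(IFCONFIG_SAMPLE).items():
        print(name, scan_scope(ip, mask))
    print("scope:", sparta_scope(IFCONFIG_SAMPLE))
```

The host count is computed arithmetically rather than by enumerating addresses, so the loopback /8 in the sample does not make the script build a list of sixteen million entries.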

An Nmap scan runs immediately and checks the default ports to determine whether anything is open and reachable. Afterwards, Nmap and Nikto perform a series of additional scans, examining less frequently used ports and taking screenshots. On the Services tab you can view detected services such as HTTP, HTTPS and UPnP; the Tools tab shows the results that Nikto and the other tools produced against the targets.

Step 3: Analyze Results

When scanning a web application, several interesting services are reported within seconds of starting the scan. Watch the video above to see what the devices on a subnet look like when scanning a router or an entire network; here we will stick to a web app scan.

The most interesting service in the web app scan shown above is SSH on port 22222. The system administrator has probably changed the default SSH port from 22 in an attempt to hide the SSH service. This is called "security through obscurity" and is always a poor security practice. The administrator believes that attackers will have a harder time finding the service if the port number is changed to a non-default value. As we can see, this is not true: Sparta still identified the SSH service.

To take further action on a service, right-click it. Depending on which service or target you right-clicked, you will see options such as the following:

  • Portscan
  • Mark as checked
  • Open with Telnet
  • Open with SSH client (as root)
  • Open with Netcat
  • Send to Brute
  • Open in browser
  • Take screenshot
  • Run whatweb
  • Run nmap (scripts) on port
  • Run nikto
  • Launch dirbuster
  • Grab banner

On the Hosts tab, selecting a host also changes which tabs are displayed on the right for it. Besides "Services" there may be "Notes", "Scripts" and "Information" tabs. The last of these gives more detailed information about the selected system, such as the target's operating system. The results shown on the Tools tab also appear here as additional tabs for each target, while the Tools tab itself lists other compatible tools that may not have been run yet.

You can also add more targets by clicking "File" on the menu bar and then "Add host(s) to scope".

Step 4: Target SSH Services

SSH is a highly popular remote administration protocol. In my case, right-clicking the discovered service on port 22222 and selecting "Open with SSH client" makes Sparta open a new terminal and attempt to authenticate to the service.

  The authenticity of host '[███.███.███.███]:22222 ([███.███.███.███]:22222)' can't be established.
  ECDSA key fingerprint is SHA256:f94dIlgg2kDtCK4ahtN5/iAZxY9D6v+FtNTLK03uTr4.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '[███.███.███.███]:22222' (ECDSA) to the list of known hosts.

  This is a private system managed by the ██████████ Corporation.
  All connections are logged and monitored. Problems accessing this server should be reported to ████████@████████.org.

  root@███████████'s password:

Some SSH services have login banners configured to present clients with a message or warning. In my example, the server displays a warning when someone attempts to authenticate, and that warning includes an e-mail address. The SSH banner discloses more information than necessary: an attacker performing reconnaissance can use the disclosed e-mail address in targeted phishing attacks.
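From the defender's side, the three findings in this section (a moved port that hides nothing, a banner that leaks a contact address, and password logins for root) can all be checked straight from sshd_config. The following is an added example, not code from the article or from any real host: the sshd_config fragment, the banner file and the hardened counterpart are all constructed, and the audit reads the banner from an in-memory mapping so it runs offline. It reproduces sshd's first-occurrence-wins rule for keywords and uses OpenSSH's current defaults when a keyword is absent.

```python
import re

# Constructed sshd_config modelled on what the article's server appears to run
# (an assumption: the real host's configuration is not on the page).
SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22222
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 5
Banner /etc/issue.net
"""

# Constructed banner text in the style of the one displayed above.
BANNER_FILES = {
    "/etc/issue.net": (
        "This is a private system managed by the Example Corporation.\n"
        "All connections are logged and monitored. Problems accessing this server "
        "should be reported to admin@example.org.\n"
    ),
}

# Hardened counterpart for comparison.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
Banner none
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_sshd_config(text):
    """Return the effective value per keyword; like sshd, the first occurrence wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def audit_sshd(config_text, banner_files):
    """Return (severity, message) findings. banner_files maps Banner paths to their
    contents so the audit can run without touching the filesystem."""
    cfg = parse_sshd_config(config_text)
    findings = []
    port = cfg.get("port", "22")
    if port != "22":
        findings.append(("info", f"Port {port}: a non-default port does not hide the service; "
                                 "a port scan still finds it, so it is not a control"))
    # OpenSSH 7.0+ defaults to prohibit-password; older releases defaulted to yes.
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append(("high", "PermitRootLogin yes: root's password can be guessed directly"))
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("medium", "PasswordAuthentication yes: prefer public-key authentication"))
    tries = int(cfg.get("maxauthtries", "6"))
    if tries > 3:
        findings.append(("low", f"MaxAuthTries {tries} exceeds PAM's limit of 3 "
                                f"(sshd logs 'ignoring max retries; {tries} > 3')"))
    banner = cfg.get("banner", "none")
    if banner.lower() != "none":
        emails = EMAIL_RE.findall(banner_files.get(banner, ""))
        if emails:
            findings.append(("medium", f"Banner {banner} discloses {emails}: useful for targeted phishing"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_sshd(SSHD_CONFIG, BANNER_FILES):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit_sshd(HARDENED_CONFIG, BANNER_FILES))
```

The port check is deliberately reported as informational only: moving the port is neither a finding in itself nor a mitigation, which is exactly the point the scan above makes.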

Right-click the SSH service again, but this time click Send to Brute, and then click the Brute tab in the upper left corner of the Sparta window.

On this tab, the SSH service can be brute-forced by selecting a username and a wordlist to attack with. Wordlists in Kali Linux are located in the /usr/share/wordlists/ directory. The SecLists repository and the Hashes.org website also provide good wordlists for penetration testers.

When the options are configured, just click the Run button and Sparta calls Hydra to run the brute-force attack.

If you are familiar with Hydra's command-line options, you can enable them with the "Additional Options" check box. A successful login is displayed as follows.

Realistically, without knowing anything about the system administrators who set up the server, brute-force attacks are likely to fail and will leave numerous authentication failures in the server's logs (see below).

  sshd[18614]: Failed password for root from 11.22.33.44 port 42046 ssh2
  sshd[18614]: error: maximum authentication attempts exceeded for root from 11.22.33.44 port 42046 ssh2 [preauth]
  sshd[18614]: Disconnecting authenticating user root 11.22.33.44 port 42046: Too many authentication failures [preauth]
  sshd[18614]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.22.33.44  user=root
  sshd[18614]: PAM service(sshd) ignoring max retries; 5 > 3
  sshd[18616]: Failed password for root from 11.22.33.44 port 42050 ssh2
  sshd[18616]: Connection closed by authenticating user root 11.22.33.44 port 42050 [preauth]
  sshd[18616]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.22.33.44  user=root
  sshd[18616]: PAM service(sshd) ignoring max retries; 5 > 3
  sshd[18615]: Failed password for root from 11.22.33.44 port 42048 ssh2
  sshd[18615]: Connection closed by authenticating user root 11.22.33.44 port 42048 [preauth]
  sshd[18615]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.22.33.44  user=root
  sshd[18615]: PAM service(sshd) ignoring max retries; 5 > 3
  sshd[18618]: Failed password for root from 11.22.33.44 port 42054 ssh2
  sshd[18618]: Connection closed by authenticating user root 11.22.33.44 port 42054 [preauth]
  sshd[18618]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.22.33.44  user=root
  sshd[18618]: PAM service(sshd) ignoring max retries; 5 > 3
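The log excerpt above is what the administrator has to work with, and it has a subtlety: sshd writes one "Failed password" line per connection but folds the remaining guesses into a "PAM N more authentication failures" line, so counting only the first pattern undercounts an attack by a factor of five here. The following is an added detection example, not code from the article: the sample lines are constructed in OpenSSH's standard log wording (placeholder IPs), and the detector sums both kinds of line per source and user, then reports any successful login from a source that was already flagged, which is the case worth escalating.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's own log wording; the IPs and PIDs are placeholders.
SSHD_LOG = """\
sshd[18614]: Failed password for root from 11.22.33.44 port 42046 ssh2
sshd[18614]: error: maximum authentication attempts exceeded for root from 11.22.33.44 port 42046 ssh2 [preauth]
sshd[18614]: Disconnecting authenticating user root 11.22.33.44 port 42046: Too many authentication failures [preauth]
sshd[18614]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.22.33.44  user=root
sshd[18614]: PAM service(sshd) ignoring max retries; 5 > 3
sshd[18616]: Failed password for root from 11.22.33.44 port 42050 ssh2
sshd[18616]: Connection closed by authenticating user root 11.22.33.44 port 42050 [preauth]
sshd[18616]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=11.22.33.44  user=root
sshd[18616]: PAM service(sshd) ignoring max retries; 5 > 3
sshd[18700]: Failed password for alice from 10.9.8.7 port 51000 ssh2
sshd[18701]: Accepted publickey for alice from 10.9.8.7 port 51002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
PAM_MORE_RE = re.compile(r"PAM (\d+) more authentication failures;.*rhost=(\d+\.\d+\.\d+\.\d+)\s+user=(\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def count_failures(log_text):
    """Return {(rhost, user): failures}. The 'PAM N more' lines carry guesses that
    sshd did not log individually, so they are added to the 'Failed password' lines."""
    failures = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1
            continue
        m = PAM_MORE_RE.search(line)
        if m:
            failures[(m.group(2), m.group(3))] += int(m.group(1))
    return failures


def detect_bruteforce(log_text, threshold=5):
    """Flag every (source, user) pair with at least `threshold` failures, and list
    successful logins from flagged sources (a guess that eventually worked)."""
    failures = count_failures(log_text)
    flagged = {key: n for key, n in failures.items() if n >= threshold}
    flagged_sources = {src for src, _ in flagged}
    successes = [(m.group(2), m.group(1))
                 for m in map(ACCEPTED_RE.search, log_text.splitlines()) if m]
    return {
        "flagged": flagged,
        "success_after_flag": [s for s in successes if s[0] in flagged_sources],
    }


if __name__ == "__main__":
    report = detect_bruteforce(SSHD_LOG)
    for (src, user), n in report["flagged"].items():
        print(f"{src} -> {user}: {n} failed guesses")
    print("successes from flagged sources:", report["success_after_flag"])
```

In the sample, 11.22.33.44 accounts for ten guesses against root (two logged individually, eight folded into PAM lines) while alice's single typo from 10.9.8.7 stays below the threshold; the "ignoring max retries; 5 > 3" lines record that sshd's MaxAuthTries (5) is higher than PAM's own limit (3), which is why each connection gets more than three attempts.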

Step 5: Target HTTP Services

Nikto is a vulnerability scanner that performs a variety of tests against web servers. Among its many features, it checks for outdated software, server misconfigurations, interesting directories and weak HTTP headers, and many plug-ins are available to extend its capabilities further.

It crawls the web app and tries thousands of file names in the web root and in any subdirectories it finds. On the server side, the system administrator sees error messages like the following.

  [2019-05-27 00:28:14] ERROR `/wls-wsat/RegistrationPortTypeRPC11' not found.
  [2019-05-27 00:28:14] ERROR `/wls-wsat/ParticipantPortType11' not found.
  [2019-05-27 00:28:14] ERROR `/common/about' not found.
  [2019-05-27 00:28:14] ERROR `/master.xml' not found.
  [2019-05-27 00:28:14] ERROR `/masters.xml' not found.
  [2019-05-27 00:28:14] ERROR `/connections.xml' not found.
  [2019-05-27 00:28:14] ERROR `/connection.xml' not found.
  [2019-05-27 00:28:14] ERROR `/passwords.xml' not found.
  [2019-05-27 00:28:14] ERROR `/PasswordsData.xml' not found.
  [2019-05-27 00:28:14] ERROR `/users.xml' not found.
  [2019-05-27 00:28:14] ERROR `/conndb.xml' not found.
  [2019-05-27 00:28:14] ERROR `/conn.xml' not found.
  [2019-05-27 00:28:14] ERROR `/security.xml' not found.
  [2019-05-27 00:28:14] ERROR `/accounts.xml' not found.
  [2019-05-27 00:28:14] ERROR `/db.json' not found.
  [2019-05-27 00:28:14] ERROR `/userdata.json' not found.
  [2019-05-27 00:28:14] ERROR `/login.json' not found.
  [2019-05-27 00:28:14] ERROR `/master.json' not found.
  [2019-05-27 00:28:14] ERROR `/masters.json' not found.
  [2019-05-27 00:28:14] ERROR `/connections.json' not found.
  [2019-05-27 00:28:14] ERROR `/connection.json' not found.
  [2019-05-27 00:28:14] ERROR `/passwords.json' not found.
  [2019-05-27 00:28:14] ERROR `/PasswordsData.json' not found.
  [2019-05-27 00:28:14] ERROR `/users.json' not found.
  [2019-05-27 00:28:14] ERROR `/conndb.json' not found.
  [2019-05-27 00:28:14] ERROR `/conn.json' not found.
  [2019-05-27 00:28:14] ERROR `/security.json' not found.
  [2019-05-27 00:28:14] ERROR `/accounts.json' not found.
  [2019-05-27 00:28:14] ERROR `/package.json' not found.
  [2019-05-27 00:28:14] ERROR `/redis_config.json' not found.
  [2019-05-27 00:28:14] ERROR `/credis/tests/redis_config.json' not found.
  [2019-05-27 00:28:14] ERROR `/redis/config.json' not found.
  [2019-05-27 00:28:14] ERROR `/config/redis.json' not found.
  [2019-05-27 00:28:14] ERROR `/firebase.json' not found.
  [2019-05-27 00:28:14] ERROR `/ws.asmx' not found.
  [2019-05-27 00:28:14] ERROR `/ws/ws.asmx' not found.
  [2019-05-27 00:28:14] ERROR `/.gitignore' not found.
  [2019-05-27 00:28:14] ERROR `/.hgignore' not found.
  [2019-05-27 00:28:14] ERROR `/.env' not found.
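Dozens of "not found" errors in the same second, for names like /passwords.xml and /.env that no legitimate client would ever request, are the signature a directory crawler leaves behind, and the server side can pick it up without any knowledge of Nikto. The following is an added detection example, not code from the article: the log sample is constructed in the same format as the excerpt above (this format carries no client address, so the detector keys on time alone; a real access log would let you group by client as well), and the sensitive-name list is a coarse constructed pattern, not a reference list.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample in the same format as the server log above; the timestamps
# put nine misses inside three seconds, bracketed by two ordinary stray requests.
SERVER_LOG = """\
[2019-05-27 00:27:50] ERROR `/favicon.ico' not found.
[2019-05-27 00:28:14] ERROR `/wls-wsat/RegistrationPortTypeRPC11' not found.
[2019-05-27 00:28:14] ERROR `/passwords.xml' not found.
[2019-05-27 00:28:14] ERROR `/users.xml' not found.
[2019-05-27 00:28:14] ERROR `/db.json' not found.
[2019-05-27 00:28:14] ERROR `/.env' not found.
[2019-05-27 00:28:15] ERROR `/.gitignore' not found.
[2019-05-27 00:28:15] ERROR `/redis_config.json' not found.
[2019-05-27 00:28:15] ERROR `/security.json' not found.
[2019-05-27 00:28:16] ERROR `/ws.asmx' not found.
[2019-05-27 00:31:02] ERROR `/index.htm' not found.
"""

LINE_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] ERROR `([^']+)' not found\.$")
# Coarse, constructed list of names that a scanner probes for and that should never be
# reachable under a web root (credentials, user lists, config, VCS metadata).
SENSITIVE_RE = re.compile(r"passw|users|accounts|secur|config|\.env$|\.git|\.hg|\bdb|conn", re.I)


def parse_not_found(log_text):
    """Return [(timestamp, path)] for every 'not found' line in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def find_bursts(events, window_s=2, min_hits=5):
    """Sliding time window over 404 timestamps. A burst starts when min_hits misses
    fall within window_s seconds and ends when the window thins out again.
    Returns (first_ts, last_ts, misses_in_burst) tuples."""
    bursts, window, current = [], deque(), None
    for ts, _ in events:
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= min_hits:
            if current is None:
                current = [window[0], ts, len(window)]
                bursts.append(current)
            else:
                current[1], current[2] = ts, current[2] + 1
        else:
            current = None
    return [tuple(b) for b in bursts]


def sensitive_probes(events):
    """Paths from the log that look like attempts to fetch secrets or metadata."""
    return sorted({path for _, path in events if SENSITIVE_RE.search(path)})


def scanner_report(log_text):
    events = parse_not_found(log_text)
    return {"bursts": find_bursts(events), "sensitive": sensitive_probes(events)}


if __name__ == "__main__":
    report = scanner_report(SERVER_LOG)
    for start, end, n in report["bursts"]:
        print(f"burst: {n} misses between {start:%H:%M:%S} and {end:%H:%M:%S}")
    print("sensitive names probed:", report["sensitive"])
```

The two stray requests at 00:27:50 and 00:31:02 never reach the threshold, so a handful of genuine broken links does not trigger an alert; the burst in between does, and the list of probed names tells the administrator which files to make sure are not actually present.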

There are some noteworthy results in the Nikto output. As we can see in the following report, Nikto tried 7,889 different directories and file names. The "/key" file is probably worth a first look.

The /key file can be retrieved by opening a terminal in Kali and using the following wget command.

  ~ # wget -qO- 'http://target.com/key'

  # qbittorrent password in case you forget it
  password: Hunter432

The /key file appears to be a note someone left for themselves containing a password. System administrators often leave sensitive files of this kind lying around in home directories. This is best illustrated by a quick search for "passw" in Exploit-DB's Google Hacking Database.

Sparta handles detected web servers on non-default ports (e.g., port 8080) like any other, automating Nikto scans, banner grabbing and screenshots for them too.

Step 7: Save Your Sparta Progress

It may be desirable to save the scan results for a given range. In Sparta, click "File" on the menu bar and then "Save As." Select a location, name the file, and click Save. All Nikto and Nmap output, screenshots and successful brute-force credentials can then be reviewed later (see below). Using the saved .sprt file, the results can be reopened in Sparta at any time.

Conclusion

Sparta's graphical interface makes it simple to navigate between the services and ports discovered by Nikto, Nmap and Hydra. Anyone not yet familiar with these tools will appreciate how Sparta brings them together in an intuitive, accessible way. Sparta is essential for beginners who want to automate and extend their toolset.

Until next time, follow me on Twitter @tokyoneon_. And as always, leave a comment below or write me a message on Twitter if you have questions.


Cover photo and screenshots by tokyoneon/Null Byte

